Re: EAP-TTLS - FreeRadius - Ldap - Edirectory -Enterasys - 802.1x

Thank you for your response. We tested EAP-TTLS with Enterasys switches with the Odyssey client supplicant and the FUNK Steel-Belted RADIUS server. It works. So the Enterasys switches support EAP-TTLS. But we can't buy Odyssey at this point, so we had to enable EAP-TTLS on the Windows XP client with SecureW2. But SecureW2 didn't work with the FUNK Steel-Belted RADIUS server (I am not sure). I found that SecureW2 works with FreeRADIUS; that is what we are trying to do. The LDAP server on eDirectory only supports PAP. That is why we have to use EAP-TTLS/PAP.

NOTE: I cannot do EAP-MD5 authentication with the FreeRADIUS server either.

Thanks,
Taylan

>>> [EMAIL PROTECTED] 3/10/2005 2:36:53 AM >>>
> TAYLAN KIRAN wrote:
>> We are trying to authenticate our XP users with EAP-TTLS. We enabled EAP-TTLS support with the SecureW2 product. Our users are on eDirectory via LDAP. We have Enterasys switches. When the switches authenticate users they should receive the following string to set the port policy:
>>
>>     Filter-Id = Enterasys:version=1:mgmt=su:Policy=cit
>>
>> This string is stored in the Filter-Id field on eDirectory. When a user authenticates, the LDAP server should return the value of this field and the FreeRADIUS server should send this string to the switch. What should we do? I searched the whole mailing list but I can't find any information that is valuable for us. At this point I have two questions. How can we return the required field from eDirectory by using LDAP? The second one is about certificates. From what I know, Enterasys supports EAP-MD5 only on their switches.
>
> I have it working with OpenLDAP by adding the following radiusFilterId attribute, i.e.
>
>     radiusFilterId: Enterasys:version=1:policy=Enterprise User
>
> In ldap.attrmap you need to have something like
>
>     Filter-Id radiusFilterId
>
> I wrote a HOWTO on how I did it:
>
> http://vuksan.com/linux/dot1x/802-1x-LDAP.html
>
> Vladimir

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

Try this:

    Tunnel-Type := VLAN,
    Tunnel-Medium-Type := IEEE-802,
    Tunnel-Private-Group-Id := 13,

It works on my FreeRADIUS.

Horschtel wrote:
> Hi,
>
> my situation is that freeradius gives the switch wrong attribute parameters.
>
> The users config file says:
>
>     Username Auth-Type == EAP, User-Password == xxx
>             Framed-Type = Framed,
>             Tunnel-Medium-Type:1 = 6,
>             Tunnel-Type:1 = 13,
>             Tunnel-Private-Group-ID:1 = 13
>
> In the freeradius debugging I can see:
>
>     ..
>     Sending Acces-Accept of id 59 to xxx.xxx.xxx.xxx:1812
>         Tunnel-Medium-Type:1 = IEEE-802
>         Tunnel-Type:1 = VLAN
>         Tunnel-Private-Group-Id = 13
>
> and that's the problem. I think the Tunnel-Private-Group-Id is no longer an integer.
>
> The switch RADIUS debug:
>
>     04:57:06: Attribute 65 6 0106
>     04:57:06: Attribute 64 6 010D
>     04:57:06: Attribute 81 5 0131334F
>
> Attributes 65 and 64 are OK but attribute 81 is the problem.
>
> Sent via the WebMail system at oleco.net

-- 
CICG http://www.grenet.fr/David ROUMANET Tel : 04 76 51 46 08
*C*entre *I*nterUniversitaire de *C*alcul *G*renoblois
forward CDR problem

Hi,

is it possible to set up freeradius to forward (for a specific realm, oldradius) an Accounting-Request to another radius server and not store it locally?

Scenario: in a transition phase I have some records on my new freeradius and others on another old radius server...

In radiusd.conf (authorize section):

    group {
        # new records
        sql {
            fail = 1
            ok = return
        }
        # default in old radius
        files {
            fail = 1
            ok = return
        }
    }

My proxy.conf:

    realm oldradius {
        type     = radius
        authhost = x.y.z.k:1645
        accthost = x.y.z.k:1646
        secret   = X
        nostrip
    }

and my users file:

    DEFAULT Proxy-To-Realm := oldradius

This works correctly, but if freeradius forwards an Access-Request to oldradius (proxy mode), the CDR is stored in the local DB, not in oldradius... I've already tried to find this on the ML, but I've not found the answer... Can someone help me, please?
FreeRadius with mssql support

Hi all,

I just started with freeradius, because I saw it should be possible to use mssql as database backend. A look into the files talks about drivers in src/modules/rlm_sql/drivers/rlm_sql_freetds/db_mssql.sql but in the src distribution I got there is no such file... Can anyone help me in installing freeradius with mssql support, or is there any howto or doc I didn't see yet?

Btw: freeradius is already installed on that server.

Additional question: is it possible to run dialup_admin with mssql instead of mysql?

Thanks for your help,
Achim
configuring radius to not respond

Hello,

I'm running freeradius 1.0.2 using the rlm_ldap module, which interfaces an openldap 2.2.23 ldap database with a Berkeley DB 4.3.27 backend. The OS is FreeBSD 5.3-release. We're using freeradius as a means for our NAS equipment (Ciscos) to authenticate dialup users in an ldap database.

We're looking for a way to have radius fail over in a very specific fashion if it has problems contacting the ldap database (i.e. the ldap module fails). I've read the documentation about configurable failovers and having redundant ldap modules in radiusd.conf, but this isn't the most desirable failover for us. The Ciscos have the ability to fail over to a different radius server when the radius server is completely unresponsive. This is the most desirable failover for us for a variety of reasons. This is the cleanest and safest failover for us.

Put another way, when the ldap module in radius fails to communicate with the configured ldap server, is there any way for radius to pretend as though it's dead or actually die (rather than returning an access-reject packet) so the Ciscos fail over to our other radius servers?

Thanks in advance!

Chris Carver
Pennswoods.net
Network Engineer
Re: About client web authentication

I have no idea what you are talking about. If you mean that WLAN users will be able to talk to each other after authentication then yes, that's the whole point of opening the network. You need to describe your network first.

On Thu, 10 Mar 2005 15:56:36 -0800
Nurul Faizal M.Shukeri [EMAIL PROTECTED] wrote:

> Thank you for your response. But if I do this, WLAN users can still access each other. How to protect against that? Is that mod_auth_radius that I'm looking for?
>
> TQ
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcin Jessa
> Sent: Wednesday, March 09, 2005 6:31 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: About client web authentication
>
> You need some kind of hotspot server like routeros or staros. Or you can do that with Squid and custom firewalling rules to open connections from, i.e., PPTP authenticated users.
>
> On Thu, 10 Mar 2005 09:28:01 -0800
> Nurul Faizal M.Shukeri [EMAIL PROTECTED] wrote:
>
>> Hi everyone,
>>
>> Can anyone explain how to deploy client web authentication? I'm using freeradius to authenticate wireless users. For the time being I've just installed Aegis or the 802.1X built into Windows to be the supplicant. Anyone, please help me. TQ very much.

-- 
Regards,
M. Jessa
Software developer/System Administrator
http://www.yazzy.org
Re: About client web authentication

Nurul probably means client isolation.

Nurul, your issues are not really related to freeradius. You can authenticate over whatever you want to freeradius. However, that's not your point. For what you want to do, you need to set up the access controller, which is just another NAS in AAA slang. WLAN client isolation is a purely NAS-internal functionality. You have to do that at the access point (an L3 firewall cannot achieve that since the packets are forwarded on L2). So, take a look at hotspot-like access controllers which provide captive portal functionality. There is NoCat, e.g., but a lot of others do the same. There are also a lot of commercial products.

Hope that helps. If you need more help, try to ask offline.

ciao
artur

Marcin Jessa wrote:
> I have no idea what you are talking about. If you mean that WLAN users will be able to talk to each other after authentication then yes, that's the whole point of opening the network. You need to describe your network first.
>
> [...]
RE: About client web authentication

It depends on the Authenticator. If you have a hotspot gateway model with unauthenticated association, then yes, two wireless users could use your infrastructure to talk to each other without first authenticating.

Some switch vendors (wireless and wired) offer web-based authentication that requires a user to associate into a walled garden with no access to anything other than the authenticator. The authenticator then performs the hotspot gateway function (usually somewhat more constrained functionality than the commercial gateway products), doing a web capture. Once the user has entered their credentials and been authenticated and authorized, they are moved into a different VLAN, given a new IP and get full access from there.

The added benefit of this model is that *all* communications from user A to user B go through the switch. In a traditional gateway model, without any policy routing on the APs to force traffic in and out of the gateway, traffic from user A to user B will go direct, so it cannot be accounted.

Rgds,
Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcin Jessa
Sent: 10 March 2005 11:31
To: freeradius-users@lists.freeradius.org
Subject: Re: About client web authentication

I have no idea what you are talking about. If you mean that WLAN users will be able to talk to each other after authentication then yes, that's the whole point of opening the network. You need to describe your network first.

[...]
does a proxied radius response return via the proxy?

Just a quick question about proxying radius. When a radius proxy forwards a request on to the target radius servers, does the response necessarily return via the proxy server/device?

I ask this because if I want to post-process replies from a radius server (the target of the proxying), I need to be sure that the reply packet will in fact be returning via the proxying server. The other possibility is that a proxied packet can have its target address rewritten to the target radius server but the reply goes directly to the radius client (the source address is not rewritten). This is not entirely unlikely as radius is not a connection-oriented TCP protocol.

Advice / comments welcome.

tariq

PS - is it possible to do this post-processing in freeradius? Things like adding attributes, sanity checking some attributes?
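The reply path asked about above, as an added Python simulation (not code from the list or from FreeRADIUS): it computes the RFC 2865 Response Authenticator on each hop and shows that the home server's reply only validates at the proxy, which strips its Proxy-State and re-signs the reply for the NAS; the post-processing point is where the proxy can add or sanity-check reply attributes. Secrets, identifiers and the user name are constructed values, and Message-Authenticator is not modelled.

```python
# Added example: NAS -> proxy -> home server -> proxy -> NAS for one
# Access-Request, with the Response Authenticator check of RFC 2865 section 3
# and the Proxy-State attribute of RFC 2865 section 5.33.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
USER_NAME = 1
PROXY_STATE = 33


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, 2 + len(value)]) + value


def split_attrs(data):
    """Yield (type, value) pairs from an attribute buffer, honouring length bytes."""
    while data:
        attr_type, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[2:length]
        data = data[length:]


def build_request(ident, request_auth, attrs):
    """Access-Request: the 16-byte Authenticator is a random value chosen by the sender."""
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def response_is_valid(response, ident, request_auth, secret):
    """The check every RADIUS client makes: the ID matches an outstanding request
    and the Response Authenticator verifies under the shared secret."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if head[1] != ident:
        return False
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def proxy_exchange(nas_secret, home_secret, username, extra_reply_attrs=b""):
    """Return (direct_ok, proxy_ok, nas_ok): whether the home server's reply
    validates at the NAS directly, at the proxy, and after the proxy re-signs it."""
    # 1. NAS -> proxy: the NAS's own ID and Authenticator, secret NAS<->proxy.
    nas_ident, nas_auth = 7, os.urandom(16)          # constructed values
    nas_req = build_request(nas_ident, nas_auth, attr(USER_NAME, username))

    # 2. Proxy -> home server: the proxy re-originates the request with its own
    #    ID and Authenticator (secret proxy<->home) and adds a Proxy-State.
    proxy_ident, proxy_auth = 42, os.urandom(16)     # constructed values
    state = attr(PROXY_STATE, b"nas-req-%d" % nas_ident)
    proxy_req = build_request(proxy_ident, proxy_auth, nas_req[20:] + state)

    # 3. Home server -> proxy: it only knows the proxy as its client, so it signs
    #    with home_secret over the proxy's ID/Authenticator and echoes Proxy-State.
    echoed = b"".join(attr(t, v) for t, v in split_attrs(proxy_req[20:])
                      if t == PROXY_STATE)
    home_resp = build_response(ACCESS_ACCEPT, proxy_ident, proxy_auth,
                               extra_reply_attrs + echoed, home_secret)

    # 4a. Sent straight to the NAS, that reply fails validation: wrong ID,
    #     wrong Request Authenticator and wrong secret.
    direct_ok = response_is_valid(home_resp, nas_ident, nas_auth, nas_secret)

    # 4b. The proxy validates it, removes its Proxy-State, may post-process the
    #     remaining reply attributes here, and re-signs the reply for the NAS.
    proxy_ok = response_is_valid(home_resp, proxy_ident, proxy_auth, home_secret)
    reply_attrs = b"".join(attr(t, v) for t, v in split_attrs(home_resp[20:])
                           if t != PROXY_STATE)
    nas_resp = build_response(ACCESS_ACCEPT, nas_ident, nas_auth, reply_attrs, nas_secret)
    nas_ok = response_is_valid(nas_resp, nas_ident, nas_auth, nas_secret)
    return direct_ok, proxy_ok, nas_ok
```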
Re: FreeRadius with mssql support

On Thu, 10 Mar 2005 12:10:40 +0100, Achim Schmidt [EMAIL PROTECTED] wrote:
> Hi all,
>
> I just started with freeradius, because I saw it should be possible to use mssql as database backend. A look into the files talks about drivers in src/modules/rlm_sql/drivers/rlm_sql_freetds/db_mssql.sql but in the src distribution I got there is no such file...
>
> [...]

Professor Google shows me this:

http://lists.cistron.nl/pipermail/freeradius-users/2002-October/012938.html

Searched using: freeradius dialup admin mssql

As for your missing files, you are either running something old, or incomplete. In any case, a fresh download of the current version should put you in order. Don't be afraid to crack that tarball open and read the READMEs and the stuff on the freeradius site. I'm no radius expert, but I followed the docs and had it up and running in an hour or two (and the last time I set it up, it only took 20 mins).

Enjoy your homework. You can let us know if you get stuck, but try to solve it anyway; you never know when you may have to fix it all by yourself. =)

Thank you,

Scott Edwards

-- 
Daxal Communications - http://www.daxal.com
Surf the USA - http://www.surfthe.us
Re: Reply-Message not copied from Tunnel to outside?

Hi,

since no one answers I'll answer myself :-)

> In my setup I use TTLS-PAP to authenticate users (which works perfectly). Now I have set up a test user to enable some keepalive checking for the server. I use MySQL as backend and have put a Reply-Message attribute in radreply. It gets picked up alright in the tunneled user check and I have set use_tunneled_reply in eap.conf. So I'd expect to see that Reply-Message gets copied to the outside request upon returning the request. But this doesn't happen.
>
> [snip...]
>
> Shouldn't the Reply-Message be copied to the outside when use_tunneled_reply is on?

I found that the behaviour is as expected (Reply-Message gets copied) when the user is authenticated, i.e. in Access-Accept messages. Out of curiosity, I looked into the source code in ttls.c and discovered that the copying is actually only done when the authentication is successful.

Are there any security reasons for this? If not, a consistent behaviour would be preferable and I'd consider the current situation a bug in either

a) just the documentation: the comments in eap.conf should clearly state that use_tunneled_reply only copies the attributes _upon success_, or

b) the source, because it leads to an inconsistent behaviour when it shouldn't.

I'd be happy to provide a (trivial) patch to this problem in the case of b).

Greetings,

Stefan Winter

-- 
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]   tel.: +352 424409-33
http://www.restena.lu      fax: +352 422473
Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

I tried, but it doesn't work. I tried another radius server and it failed also. In the properties of attribute 81 I see it should be a string. So I think I made a mistake in the switch configuration. I post the configuration here:

    Current configuration : 3985 bytes
    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname rum34
    !
    aaa new-model
    aaa authentication login default line enable
    aaa authentication dot1x default group radius
    enable secret 5 .
    enable password 7
    !
    ip subnet-zero
    ip domain-name mms-dresden.de
    !
    !
    spanning-tree extend system-id
    no spanning-tree vlan 65
    no spanning-tree vlan 255
    !
    !
    interface FastEthernet0/1
     switchport mode trunk
     no ip address
    !
    interface FastEthernet0/2
     switchport access vlan dynamic
     switchport mode access
     no ip address
     spanning-tree portfast
    !
    interface FastEthernet0/3
     switchport mode access
     no ip address
    !
    interface FastEthernet0/4
     no ip address
    !
    interface FastEthernet0/5
     no ip address
     shutdown
    !
    interface FastEthernet0/6
     no ip address
    !
    interface FastEthernet0/7
     no ip address
    !
    interface FastEthernet0/8
     no ip address
    !
    interface FastEthernet0/9
     switchport mode access
     no ip address
     dot1x port-control auto
    !
    interface FastEthernet0/10
     no ip address
    !
    interface FastEthernet0/11
     no ip address
    !
    interface FastEthernet0/12
     no ip address
    !
    interface GigabitEthernet0/1
     no ip address
    !
    interface GigabitEthernet0/2
     no ip address
    !
    interface Vlan1
     ip address xxx.xxx.xxx.209 255.255.255.0
     no ip route-cache
    !
    ip default-gateway xxx.xxx.xxx.1
    ip http server
    !
    snmp-server engineID local 8009030BBE855001
    snmp-server group grp_snmp v3 auth
    snmp-server community xxx RO
    snmp-server enable traps snmp linkdown linkup
    snmp-server host xxx.xxx.xxx.101 version 2c pub
    radius-server host xxx.xxx.xxx.2 auth-port 1812 acct-port 1813 key xxx
    radius-server retransmit 3
    !
    line con 0
     ip netmask-format decimal
    line vty 0 4
     password 7 x
    line vty 5 15
     password 7xx
    !
    ntp clock-period 17179903
    ntp server xxx.xxx.xxx.196
    end

-- Original Message --
From: David ROUMANET [EMAIL PROTECTED]
Reply-To: freeradius-users@lists.freeradius.org
Date: Thu, 10 Mar 2005 10:27:28 +0100

> Try this:
>
>     Tunnel-Type := VLAN,
>     Tunnel-Medium-Type := IEEE-802,
>     Tunnel-Private-Group-Id := 13,
>
> It works on my FreeRADIUS.
>
> Horschtel wrote:
>> [...]
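To check what the switch should be receiving for the reply suggested above, here is an added Python example (not code from the thread, FreeRADIUS or Cisco) that encodes the three RFC 2868 tunnel attributes from that Access-Accept and decodes them back, rendering each as the "Attribute <type> <length> <hex>" form the 2950 debug prints. The VLAN value 13 and tag 1 are taken from the thread; the attribute numbers and value codes are the standard ones from RFC 2868 and the RADIUS dictionary, and the "staff" VLAN name is a constructed value.

```python
# Added example: encode/decode RFC 2868 tagged tunnel attributes used for
# dynamic VLAN assignment, so the wire bytes can be compared with a switch debug.

# RADIUS attribute numbers from RFC 2868
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Dictionary values used in the thread
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Tunnel-Type and Tunnel-Medium-Type carry a tag byte plus a 3-byte integer;
# Tunnel-Private-Group-Id carries a tag byte plus a string (RFC 2868 section 3).
TAGGED_INTEGER = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
TAGGED_STRING = {TUNNEL_PRIVATE_GROUP_ID}


def encode_tunnel_attr(attr_type, tag, value):
    """Return the type/length/value bytes of one tagged tunnel attribute."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31 (RFC 2868 section 3)")
    if attr_type in TAGGED_INTEGER:
        if not 0 <= value <= 0xFFFFFF:
            raise ValueError("tagged integer must fit in 24 bits")
        payload = bytes([tag]) + value.to_bytes(3, "big")
    elif attr_type in TAGGED_STRING:
        payload = bytes([tag]) + str(value).encode("ascii")   # VLAN id or name
    else:
        raise ValueError("not a tunnel attribute: %d" % attr_type)
    length = 2 + len(payload)        # RADIUS length includes type and length bytes
    if length > 255:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([attr_type, length]) + payload


def decode_tunnel_attr(data):
    """Decode the first tunnel attribute in data; return (type, tag, value, length)."""
    if len(data) < 2:
        raise ValueError("truncated attribute header")
    attr_type, length = data[0], data[1]
    if length < 3 or length > len(data):
        raise ValueError("bad attribute length %d" % length)
    payload = data[2:length]         # trust the length field, not the dump width
    if attr_type in TAGGED_INTEGER:
        if len(payload) != 4:
            raise ValueError("tagged integer needs 4 value bytes")
        tag, value = payload[0], int.from_bytes(payload[1:], "big")
    elif attr_type in TAGGED_STRING:
        # A first byte above 0x1F is not a tag but the start of the string
        if payload[0] <= 0x1F:
            tag, value = payload[0], payload[1:].decode("ascii")
        else:
            tag, value = 0, payload.decode("ascii")
    else:
        raise ValueError("not a tunnel attribute: %d" % attr_type)
    return attr_type, tag, value, length


def vlan_reply_attrs(vlan, tag=1):
    """The three attributes of the Access-Accept in the thread, as wire bytes."""
    return (encode_tunnel_attr(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tunnel_attr(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, tag, vlan))


def decode_all(data):
    """Walk an attribute buffer; return (type, length, tag, value, value_hex) tuples.
    type/length/value_hex line up with the 'Attribute 81 5 ...' lines of the
    2950 debug: with length 5 only three value bytes belong to the attribute."""
    out = []
    while data:
        attr_type, tag, value, length = decode_tunnel_attr(data)
        out.append((attr_type, length, tag, value, data[2:length].hex().upper()))
        data = data[length:]
    return out
```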
Remove User-password from detail log

Hi,

I'm using freeradius 1.0.1 for LDAP-EAP/TTLS authentication; it works fine. I would like to know if it's possible to remove the User-Password line from the detail log without an external script.

Regards,
Rija Rasolo
Re: (dialup_admin) snmpfinger program pays no attention to naslist.conf

Since I'm using the version of dialup_admin from the 1.0.2 release of freeradius (with freeradius 1.0.1), would you suggest updating the whole thing to the latest CVS?

I'm also curious, why is naslist.conf used, instead of reading the information from the nas table in sql?

On Wed, 2005-03-09 at 15:57, Kostas Kalevras wrote:
> On Wed, 9 Mar 2005, Nick Bright wrote:
>> I have a rather large naslist.conf file, all configured to use finger_type database. However, snmpfinger insists upon querying each and every one as a cisco nas (they aren't, and I don't even have SNMP privileges on most of them).
>
> Yes, there's a bug in user_finger.php3. Please do a cvs update on the file and things should work. Or you can just set general_finger_type to whatever value (apart from snmp) and still get the same results.
>
>> Thanks for noting that. My naslist.conf file is generated by manipulating some spreadsheet stuff, so the lines for each nas aren't grouped together. I don't know if that is causing a problem or not. However, my configuration for each nas is something like this:
>>
>>     nasX_name: nameofnas.%{general_domain}
>>     nasX_model: Useful Description
>>     nasX_type: other
>>     nasX_port_num: 4096
>>     nasX_community: rocomm
>>     nasX_finger_type: database
>>
>> The only variable here is the nasX_type field, which could be: other, usrhiper, or lucent. The port_num field is appropriate for the NAS, or 4096 if it's a proxy provider (outsourced dialup). All nases are set for finger_type database, so they shouldn't even be firing off snmpfinger at all . . .

-- 
- Nick Bright
Terraworld, Inc
888-332-1616 x315
http://home.terraworld.net
Re: (dialup_admin) snmpfinger program pays no attention to naslist.conf

On Thu, 2005-03-10 at 08:33, Nick Bright wrote:
> Since I'm using the version of dialup_admin from the 1.0.2 release of freeradius (with freeradius 1.0.1), would you suggest updating the whole thing to the latest CVS?

Clarification of my own email (hehe): I mean update dialup_admin to the latest CVS, not the whole freeradius package.

> I'm also curious, why is naslist.conf used, instead of reading the information from the nas table in sql?
>
> [...]

-- 
- Nick Bright
Terraworld, Inc
888-332-1616 x315
http://home.terraworld.net
sql _alt query - when?

I'm happily running FreeRadius with SQL for storing users, etc...

In the accounting sections there are entries for:

    accounting_update_query
-and-
    accounting_update_query_alt

Under what conditions does Radius run the '_alt' version of the SQL query?? (Where is it documented?)

I ask because I have added a second instance of sql to capture IP addresses.. I have accounting_start_query and accounting_start_query_alt. The accounting_start_query sometimes gets errors, but the _alt version never seems to run...

In radius.log I get..

    Error: rlm_sql (sql_catch_ip): Couldn't insert SQL accounting START record - Duplicate entry 'acars' for key 2

sql_catch_ip is the name I've given to the second sql instance..

-- 
Posix Systems - Sth Africa. e.164 VOIP ready
[EMAIL PROTECTED] - Mark J Elkins, Cisco CCIE
Tel: +27 12 807 0590  Cell: +27 82 601 0496
Re: (dialup_admin) snmpfinger program pays no attention to naslist.conf

On Thu, 10 Mar 2005, Nick Bright wrote:
> On Thu, 2005-03-10 at 08:33, Nick Bright wrote:
>> Since I'm using the version of dialup_admin from the 1.0.2 release of freeradius (with freeradius 1.0.1), would you suggest updating the whole thing to the latest CVS?

You can probably just update the user_finger.php3. But it's much better to just update the whole dialupadmin.

> Clarification of my own email (hehe): I mean update dialup_admin to the latest CVS, not the whole freeradius package.
>
>> I'm also curious, why is naslist.conf used, instead of reading the information from the nas table in sql?

In recent versions of dialupadmin the nas table is also used if it is set. If you find a lib/sql/nas_list.php3 file then you have such a version.

> [...]

-- 
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Post-Auth-Type REJECT and sql

I'm sure Kostas Kalevras pointed me to a file which included the section:

    --
    In the following example, 2 different sql modules are used to store
    accepted requests and rejected requests.

    post-auth {
        my_sql_accept
        Post-Auth-Type REJECT {
            my_sql_reject
        }
    }
    --

I think this means: set up two extra instances of sql (in sql.conf), using the names my_sql_accept and my_sql_reject.

So in these instances, what should the names of the queries be? Will this be an accounting query, such as accounting_update_query??? What variables will give me info like "Login incorrect (rlm_pap: User password not available)"???

Would some kind soul point me in the right direction?

-- 
Posix Systems - Sth Africa. e.164 VOIP ready
[EMAIL PROTECTED] - Mark J Elkins, Cisco CCIE
Tel: +27 12 807 0590  Cell: +27 82 601 0496
Re: (dialup_admin) snmpfinger program pays no attention to naslist.conf

I updated to the latest CVS of dialup_admin, and am getting this error when I click on statistics:

    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 117
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 120
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 123
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 117
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 120
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 123
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 117
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 120
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 123
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 117
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 120
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 123
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 117
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 120
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 123
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 117
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 120
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 123
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 117
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 120
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 123
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 117
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 120
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 123
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 117
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 120
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 123
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 117
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 120
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 123
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 132
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 133
    Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 134
    Warning: Division by zero in /usr/local/dialup_admin/htdocs/stats.php3 on line 136
    Warning: Division by zero in /usr/local/dialup_admin/htdocs/stats.php3 on line 137
    Warning: Division by zero in /usr/local/dialup_admin/htdocs/stats.php3 on line 138

I'll try to figure it out, but I thought I'd send it over in case it was a bug or something.

- Nick

On Thu, 2005-03-10 at 08:50, Kostas Kalevras wrote:
> On Thu, 10 Mar 2005, Nick Bright wrote:
>> On Thu, 2005-03-10 at 08:33, Nick Bright wrote:
>>> Since I'm using the version of dialup_admin from the 1.0.2 release of freeradius (with freeradius 1.0.1), would you suggest updating the whole thing to the latest CVS?
>
> You can probably just update the user_finger.php3. But it's much better to just update the whole dialupadmin.
>
> [...]
RE: About client web authentication
You need a WLAN Access Point that can isolate/block inter-client traffic.

Regards.

--- Nurul Faizal M.Shukeri [EMAIL PROTECTED] wrote:

Thank you for your response. But if I do this, WLAN users can still access each other. How do I protect against that? Is mod_auth_radius what I'm looking for? Thank you.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcin Jessa
Sent: Wednesday, March 09, 2005 6:31 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: About client web authentication

You need some kind of hotspot server like routeros or staros. Or you can do that with Squid and custom firewalling rules to open connections from i.e. PPTP authenticated users.

On Thu, 10 Mar 2005 09:28:01 -0800 Nurul Faizal M.Shukeri [EMAIL PROTECTED] wrote:

Hi everyone. Can anyone explain how to deploy client web authentication? I'm using freeradius to authenticate wireless users. For the time being I have just installed Aegis or the 802.1X supplicant built into Windows. Anyone, please help me. Thank you very much.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- Regards, M. Jessa Software developer/System Administrator http://www.yazzy.org

Julius Igugu SouthWork Co. Ltd.
(dialupadmin) snmpfinger NAS support
I'd like to start working on adding usrhiper support to snmpfinger, since I'm going to be using a rather large USR Total Control. What exactly is the snmpfinger command after? Usernames only? Other information? From running the snmpwalk command out of the file against one of my max units, it seems like it's just after usernames; but if I can return more information than that, should I? I'd like to set it up to return the maximum amount of usable information. If there's a document I should read, please point me to it, or just poop me up on this particular facet of things :)

-- Nick Bright Terraworld, Inc 888-332-1616 x315 http://home.terraworld.net
(dialupadmin) user edit not showing passwords
I'm storing passwords in plain text, to ease troubleshooting, and even though I have general_show_user_password: yes in my admin.conf file, the dialup_admin pages don't show the users' password anywhere (though I can reset the password properly).

Ideally I think it should be on the show page only; my thought is to put another row on the table in the Check Password area that would show the password as in the database, leaving the check form so that a test could still be done.

If it /should/ be working, please advise what to check for, as I've been poking around for a bit and don't see anything that would be causing it not to work.

-- Nick Bright Terraworld, Inc 888-332-1616 x315 http://home.terraworld.net
Re: (dialupadmin) user edit not showing passwords
Nick, I had the same problem. I'm using MySQL and the column is named User-Password. The file is user_edit.attrs in your dialup_admin/conf directory. Add to the file, above the Auth-Type line:

User-Password    Users Password

That should do it.

Joel

- Original Message -
From: Nick Bright [EMAIL PROTECTED]
To: freeradius-users freeradius-users@lists.freeradius.org
Sent: Thursday, March 10, 2005 10:55 AM
Subject: (dialupadmin) user edit not showing passwords
Re: (dialupadmin) snmpfinger NAS support
On Thu, 10 Mar 2005, Nick Bright wrote:

I'd like to start working on adding usrhiper support to snmpfinger, since I'm going to be using a rather large USR Total Control. What exactly is the snmpfinger command after? Usernames only? Other information? From running the snmpwalk command out of the file against one of my max units, it seems like it's just after usernames; but if I can return more information than that, should I? I'd like to set it up to return the maximum amount of usable information. If there's a document I should read, please point me to it, or just poop me up on this particular facet of things :)

snmpfinger is designed to return minimal information. Its purpose is to return the actual list of online users by querying the NAS so that we can then use the list to query the accounting table for all the relevant information. It should return the list in the form 'user1','user2','user3' so that it can be used in a:

SELECT * FROM radacct WHERE UserName IN ($user_list);

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
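The interface Kostas describes, as an added example rather than code from dialup_admin: the usernames come off the NAS via SNMP and are then dropped into `UserName IN ($user_list)` by string concatenation, so whatever the NAS (ultimately, the dial-in user) chose as a login name becomes part of the SQL statement. The block parses a constructed snmpwalk output (the OID is the HiPer ARC one posted later in this thread; the usernames, the NAS address and the radacct rows are made up) and runs the lookup both the interpolated way and with one bound parameter per name.

```python
"""Online-user list from snmpfinger, then the radacct lookup done with bound parameters.

Added example, not code from dialup_admin. The snmpwalk lines and the radacct
rows are constructed; the OID is the HiPer ARC one posted in this thread.
"""
import re
import sqlite3

# Constructed net-snmp style walk of the HiPer ARC call table (one row per call slot).
# The last entry is a hostile "username" planted to show what interpolation allows.
SNMPWALK_OUTPUT = """\
SNMPv2-SMI::enterprises.429.4.10.1.1.18.1 = STRING: "jcrist"
SNMPv2-SMI::enterprises.429.4.10.1.1.18.2 = STRING: "dlholmes@example.net"
SNMPv2-SMI::enterprises.429.4.10.1.1.18.3 = STRING: ""
SNMPv2-SMI::enterprises.429.4.10.1.1.18.4 = STRING: "aneckan"
SNMPv2-SMI::enterprises.429.4.10.1.1.18.5 = STRING: "x') OR 1=1 --"
"""

_STRING_RE = re.compile(r'= STRING: "(.*)"$')


def parse_online_users(walk_output: str) -> list:
    """Keep the username of every busy slot; an empty string is an idle port."""
    users = []
    for line in walk_output.splitlines():
        m = _STRING_RE.search(line)
        if m and m.group(1):
            users.append(m.group(1))
    return users


def snmpfinger_list(users: list) -> str:
    """The 'user1','user2' text snmpfinger prints for interpolation into IN (...)."""
    return ",".join("'" + u + "'" for u in users)


def open_sessions_unsafe(conn: sqlite3.Connection, users: list) -> list:
    """What `UserName IN ($user_list)` does: the NAS-supplied names become SQL."""
    sql = ("SELECT username FROM radacct WHERE acctstoptime IS NULL "
           "AND username IN (" + snmpfinger_list(users) + ")")
    return sorted(r[0] for r in conn.execute(sql))


def open_sessions(conn: sqlite3.Connection, users: list) -> list:
    """Same query with one placeholder per name; a name can never alter the statement."""
    if not users:
        return []
    placeholders = ",".join("?" * len(users))
    sql = ("SELECT username FROM radacct WHERE acctstoptime IS NULL "
           "AND username IN (" + placeholders + ")")
    return sorted(r[0] for r in conn.execute(sql, users))


def demo() -> dict:
    """Constructed radacct: two users really online on this NAS, one open row for a
    user the NAS no longer reports, one session that was closed normally."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (username TEXT, nasipaddress TEXT, "
                 "acctsessionid TEXT, acctstoptime TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?)", [
        ("jcrist",  "64.254.50.132", "0001", None),
        ("aneckan", "64.254.50.132", "0002", None),
        ("phowey",  "64.254.50.132", "0003", None),
        ("bisrael", "64.254.50.132", "0004", "2005-03-10 09:00:00"),
    ])
    users = parse_online_users(SNMPWALK_OUTPUT)
    return {
        "users": users,
        "unsafe": open_sessions_unsafe(conn, users),
        "safe": open_sessions(conn, users),
    }


if __name__ == "__main__":
    print(demo())
```

With the planted name, the interpolated query turns into `... IN ('jcrist',...,'x') OR 1=1 --')` and returns every row in the table, closed sessions included; the bound version returns only the two users that are both reported by the NAS and open in radacct. Anything that wants to keep snmpfinger's text interface should at least quote each name with the database driver's escaping routine rather than bare single quotes.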
Re: (dialupadmin) user edit not showing passwords
On Thu, 10 Mar 2005, Nick Bright wrote:

I'm storing passwords in plain text, to ease troubleshooting, and even though I have general_show_user_password: yes in my admin.conf file, the dialup_admin pages don't show the users' password anywhere (though I can reset the password properly).

Hmm, the comments in admin.conf should be updated. The idea is just to be able to see if a user password exists (hence the corresponding comment in the user edit page) and to reset the value if needed. I strongly disagree with being able to see and edit the user password in clear text (for various reasons), so the above behaviour is not likely to change. If you need to see the actual clear text password value you can do what was suggested and add a corresponding line in the user_edit.attrs file.

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950
Horschtel [EMAIL PROTECTED] wrote:

Tunnel-Private-Group-Id = 13 and that's the problem. I think the Tunnel-Private-Group-Id is no longer an Integer.

The RFCs define it to be a string. Some switch vendors, however, implemented it as an integer, which causes problems.

Alan DeKok.
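What that string-versus-integer disagreement looks like on the wire, as an added example (not FreeRADIUS code): the attribute numbers and tag layout are from RFC 2868 and RFC 3580, the VLAN 13 is the one from this thread, and the "integer" decoder is a hypothetical reading of the same octets, since the thread does not say how any particular switch parses them.

```python
"""RFC 2868 tunnel attributes on the wire.

Added example, not FreeRADIUS code. Attribute numbers and the tag layout are
from RFC 2868/3580; VLAN 13 is the value from this thread. The "integer"
decoder below is a hypothetical reading of the same octets, to show why a
switch that treats Tunnel-Private-Group-Id as a number disagrees with a
server that encodes it as the RFC string.
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # Tunnel-Type value for VLAN (RFC 3580)
MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value for IEEE-802 (RFC 2868)


def _avp(attr: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (including these two octets), Value."""
    return struct.pack("!BB", attr, 2 + len(value)) + value


def tagged_int(attr: int, tag: int, value: int) -> bytes:
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet, then a 3-octet integer."""
    return _avp(attr, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr: int, tag: int, text: str) -> bytes:
    """Tunnel-Private-Group-Id: one tag octet, then the group id as a *string*."""
    return _avp(attr, bytes([tag]) + text.encode("ascii"))


def vlan_reply(vlan: str, tag: int = 1) -> bytes:
    """The three attributes an Access-Accept carries to put the port in a VLAN."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan))


def decode(avps: bytes) -> list:
    """Split a run of attributes into (type, value-octets) pairs."""
    out, i = [], 0
    while i < len(avps):
        attr, length = avps[i], avps[i + 1]
        if length < 3 or i + length > len(avps):
            raise ValueError("malformed attribute")
        out.append((attr, avps[i + 2:i + length]))
        i += length
    return out


def group_id_rfc(value: bytes) -> tuple:
    """RFC 2868 reading: a first octet <= 0x1F is the tag, the rest is text."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def group_id_as_integer(value: bytes) -> tuple:
    """Hypothetical 'integer' reading of the same octets: tag, then a big-endian number."""
    return value[0], int.from_bytes(value[1:], "big")


if __name__ == "__main__":
    reply = vlan_reply("13")
    print(reply.hex())
    for attr, value in decode(reply):
        if attr == TUNNEL_PRIVATE_GROUP_ID:
            print("RFC:", group_id_rfc(value), "integer reading:", group_id_as_integer(value))
```

The group id goes out as the two ASCII octets 0x31 0x33 after the tag. A peer that reads those octets as a number gets 12595, not 13, and there is no integer encoding the server could send instead that an RFC-conformant peer would decode as the string "13", which is why the only workable fix is on the switch side (firmware that parses the attribute as a string) rather than in the RADIUS configuration.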
Re: configuring radius to not respond
Chris Carver [EMAIL PROTECTED] wrote:

Put another way, when the ldap module in radius fails to communicate with the configured ldap server, is there any way for radius to pretend as though it's dead or actually die (rather than returning an access-reject packet) so the Ciscos fail over to our other radius servers? Thanks in advance!

Not really. FreeRADIUS always responds to a request. To make it NOT respond, you'd have to edit the source code.

Alan DeKok.
Re: Remove User-password from detail log
Rija Rasolo [EMAIL PROTECTED] wrote:

I'm using freeradius 1.0.1 for LDAP-EAP/TTLS authentication; it works fine. I would like to know if it's possible to remove the User-Password line from the detail log without an external script.

If it's in the detail file, it's because the NAS is sending it in an Accounting-Request.

Alan DeKok.
Re: does a proxied radius reponse return via the proxy?
Tariq Rashid [EMAIL PROTECTED] wrote:

When a radius proxy forwards a request on to the target radius servers, does the response necessarily return via the proxy server/device?

Yes.

I ask this because if I want to post-process replies from a radius server (the target of the proxying) I need to be sure that the reply packet will in fact be returning via the proxying server.

RADIUS replies always go to the device that sent the RADIUS request.

PS - is it possible to do this post-processing in freeradius? Things like adding attributes, sanity checking some attributes?

Yes. That's what post-proxy is for.

Alan DeKok.
Re: Post-Auth-Typeq REJECT and sql
Mark Elkins [EMAIL PROTECTED] wrote:

I think this means - set up two extra instances of sql (in sql.conf) - using the names my_sql_accept and my_sql_reject.

Yes.

So in these instances - what should the names of the queries be called?

The names won't change. You're running SQL in post-auth, so the post-auth queries will be used.

What variables will give me info like Login incorrect (rlm_pap: User password not available)???

Module-Message, I think.

Alan DeKok.
Re: (dialupadmin) user edit not showing passwords
I would have to agree with the idea of passwords not being visible. However, in our situation, and maybe even Nick's, if we have a customer call in with issues connecting we typically make sure the ID is correct and have them retype their password. It is nice to be able to see what it is, without having to create a new one every time they call. It's not an issue for us as there are only two of us that have access to the information. Just my 2 cents.

Joel

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: freeradius-users freeradius-users@lists.freeradius.org
Sent: Thursday, March 10, 2005 12:18 PM
Subject: Re: (dialupadmin) user edit not showing passwords
Re: (dialupadmin) user edit not showing passwords
On Thu, 2005-03-10 at 12:18, Kostas Kalevras wrote:

Hmm, the comments in admin.conf should be updated. The idea is just to be able to see if a user password exists (hence the corresponding comment in the user edit page) and to reset the value if needed. I strongly disagree with being able to see and edit the user password in clear text (for various reasons) so the above behaviour is not likely to change.

Regardless of whether you agree with it, it should be an option (though defaulting to off is definitely reasonable). We currently work with two different systems - one where the passwords are visible, and one where they aren't. I'm constantly listening to my techs complain about how much more of a pain in the ass it is to support the accounts that we can't view the passwords for. In short, it makes our lives as tech support people a lot easier to be able to see that password.

If you need to see the actual clear text password value you can do what was suggested and add a corresponding line in the user_edit.attrs file.

I guess I'll hack something in ;)

-- Nick Bright Terraworld, Inc 888-332-1616 x315 http://home.terraworld.net
Re: (dialupadmin) snmpfinger NAS support
I've never made a diff before, or anything like that, but the code I added in is pretty trivial, so I'll put it here:

elsif ($type eq 'usrhiper'){
    $walk = `$snmpwalkcmd .iso.org.dod.internet.private.enterprises.429.4.10.1.1.18`;
}

My only modification was to add the elsif for usrhiper below the lucent one. I tested it with both of my TCs and it spat out a list of users just like what the Ascend spits out. For example, the output of my USR (some information changed to protect the innocent):

[EMAIL PROTECTED] bin]# ./snmpfinger 64.254.50.132 ROCOMMUNITY usrhiper
'[EMAIL PROTECTED]','jcrist','[EMAIL PROTECTED]','[EMAIL PROTECTED]','[EMAIL PROTECTED]','[EMAIL PROTECTED]','[EMAIL PROTECTED]','[EMAIL PROTECTED]','[EMAIL PROTECTED]','dlholmes','[EMAIL PROTECTED]','adennis','bisrael','[EMAIL PROTECTED]','phowey','[EMAIL PROTECTED]','ckgwin','jfmiller','rzastrow','[EMAIL PROTECTED]','[EMAIL PROTECTED]','[EMAIL PROTECTED]','[EMAIL PROTECTED]','[EMAIL PROTECTED]','[EMAIL PROTECTED]','aneckan','aprilogden'

However, there are some notes about USRs. They behave differently based on different versions of software, so this MAY NOT WORK WITH ALL USR CHASSIS!! My HiPer ARC software version is V5.3.2/Non-Encr as returned by:

snmpget -v 1 -c ROCOMM NAS_HOSTNAME .iso.org.dod.internet.private.enterprises.429.4.1.14.0

I don't have any other USRs to test on with older software, so take that for what it's worth. YMMV and all that :)

On Thu, 2005-03-10 at 12:05, Kostas Kalevras wrote:

On Thu, 10 Mar 2005, Nick Bright wrote:

snmpfinger is designed to return minimal information. Its purpose is to return the actual list of online users by querying the NAS so that we can then use the list to query the accounting table for all the relevant information. It should return the list in the form 'user1','user2','user3' so that it can be used in a:

SELECT * FROM radacct WHERE UserName IN ($user_list);

-- Nick Bright Terraworld, Inc 888-332-1616 x315 http://home.terraworld.net
Re: (dialupadmin) user edit not showing passwords
On Thu, 10 Mar 2005, Nick Bright wrote:

On Thu, 2005-03-10 at 12:18, Kostas Kalevras wrote:

Hmm, the comments in admin.conf should be updated. The idea is just to be able to see if a user password exists (hence the corresponding comment in the user edit page) and to reset the value if needed. I strongly disagree with being able to see and edit the user password in clear text (for various reasons) so the above behaviour is not likely to change.

Regardless of whether you agree with it, it should be an option (though defaulting to off is definitely reasonable).

You can edit user_edit.attrs to match your needs. You can add the password attribute in the file and set general_show_user_password to no to get the behaviour you want. So I don't see why anything needs to be changed. The user password attribute is handled specially because it is shown specially (with a password and not a text html field). You can always disable that and configure the user edit page to show the clear text user password.

We currently work with two different systems - one where the passwords are visible, and one where they aren't. I'm constantly listening to my techs complain about how much more of a pain in the ass it is to support the accounts that we can't view the passwords for. In short, it makes our lives as tech support people a lot easier to be able to see that password.

If you need to see the actual clear text password value you can do what was suggested and add a corresponding line in the user_edit.attrs file.

I guess I'll hack something in ;)

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
Re: (dialup_admin) snmpfinger program pays no attention to naslist.conf
To hop back to this question, updating to the latest CVS made user_finger.php3 behave quite a bit differently. Now when I go to that page, I get a listing for every NAS from the database, but there is no information for the NAS unless there is also information in naslist.conf. Shouldn't it just use the information from SQL if the nas table is there, and completely ignore/not use naslist.conf? It seems a little redundant to put the information into two locations. *shrug* Maybe I'm just doing something wrong? That's pretty likely ;)

Another odd thing is that on nas_admin.php3, all my NASes are showing type "other" in the dropdown, though they are set for various things in the database (including: other, max40xx, and usrhiper). When I try to modify the setting through dialup_admin, it doesn't change in the dropdown, but it does change in the database. Seems like the dropdown isn't reading properly.

Also, executing "Check NAS validity" fails for every NAS. I looked at the PHP and it's trying to do gethostbyname($selected_nas), where the name is an IP address. Is that why it's failing, because I used IPs instead of hostnames? Maybe that factors in to why user_finger.php3 is doing funky stuff?

On Thu, 2005-03-10 at 08:50, Kostas Kalevras wrote:

On Thu, 10 Mar 2005, Nick Bright wrote:

On Thu, 2005-03-10 at 08:33, Nick Bright wrote:

Since I'm using the version of dialup_admin from the 1.0.2 release of freeradius (with freeradius 1.0.1), would you suggest updating the whole thing to the latest CVS?

You can probably just update the user_finger.php3. But it's much better to just update the whole dialupadmin.

Clarification of my own email (hehe): I mean update dialup_admin to the latest CVS, not the whole freeradius package.

I'm also curious, why is naslist.conf used, instead of reading the information from the nas table in sql?

In recent versions of dialupadmin the nas table is also used if it is set. If you find a lib/sql/nas_list.php3 file then you have such a version.

On Wed, 2005-03-09 at 15:57, Kostas Kalevras wrote:

On Wed, 9 Mar 2005, Nick Bright wrote:

I have a rather large naslist.conf file, all configured to use finger_type database. However, snmpfinger insists upon querying each and every one as a cisco NAS (they aren't, and I don't even have SNMP privileges on most of them).

Yes, there's a bug in user_finger.php3. Please do a cvs update on the file and things should work. Or you can just set general_finger_type to whatever value (apart from snmp) and still get the same results.

Thanks for noting that. My naslist.conf file is generated by manipulating some spreadsheet stuff, so the lines for each NAS aren't grouped together. I don't know if that is causing a problem or not. However, my configuration for each NAS is something like this:

nasX_name: nameofnas.%{general_domain}
nasX_model: Useful Description
nasX_type: other
nasX_port_num: 4096
nasX_community: rocomm
nasX_finger_type: database

The only variable here is the nasX_type field, which could be: other, usrhiper, or lucent. The port_num field is appropriate for the NAS, or 4096 if it's a proxy provider (outsourced dialup). All NASes are set for finger_type database, so they shouldn't even be firing off snmpfinger at all . . .

-- Nick Bright Terraworld, Inc 888-332-1616 x315 http://home.terraworld.net
Re: (dialupadmin) snmpfinger NAS support
On Thu, 10 Mar 2005, Nick Bright wrote:

I've never made a diff before, or anything like that, but the code I added in is pretty trivial, so I'll put it here:

elsif ($type eq 'usrhiper'){
    $walk = `$snmpwalkcmd .iso.org.dod.internet.private.enterprises.429.4.10.1.1.18`;
}

Added in CVS, thanks.

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
Problems with safe characters directive in mssql.conf
Hi all, I copied the directive from sql.conf to mssql.conf but it does not work. Can someone help me?

Thanks a lot, Vicente
Re: Compile problem
Admin [EMAIL PROTECTED] wrote:

Thank you very much. I'll update or edit the net-snmp module myself to resolve this problem. So, why don't I need threads? Practice shows me that threading is not as beautiful as one might imagine. Due to my usage of the rlm_perl module I see memory leaks when it works in threaded mode; however, all is OK when perl and FreeRADIUS are compiled in non-threaded mode.

Those problems have been addressed in the current CVS snapshot.

Alan DeKok.
Re: question about ippools
On Thu, Mar 10, 2005 at 11:31:48AM -0900, Terry J Fike Jr wrote:

I'm wondering if it is possible to set up an ippool for a single user? Right now our users are flat-filed in the users file. Anyone with a static has the info with their username; all the rest of the users get their IP assigned by the NAS device they are logging in through. From what I've read of the documentation, it seems the ippool setup is for all users in all NAS devices (or did I read this wrong?). At this point I believe the pool will be for use by the user no matter what NAS device they are coming from (which I think is how it is supposed to work anyway, right?).

It all depends on how you get the Pool-Name attribute added to the user's configuration attribute list. If it's added for one user when that user comes from a specific NAS, then only that user on that specific NAS will get an IP from the relevant pool.

-- Paul TBBle Hampson, on an alternate email client.
Kill sessions
Hey all, I've got a bit of a problem. The setup we have here is a bit strange (I think). I don't have any access to any of the NASes. Instead I was given a list of IP addresses of other radius servers, which was added to my clients.conf file. These servers then pass everything on to my server (now that I think of it, this is probably a proxy setup?).

Anyway, my problem is as follows: our internet connection went down for about 3 hours yesterday. I had quite a few customers connected during this time, which means that they disconnected while my freeradius box was inaccessible. As a result, I am sitting with quite a few entries that never received accounting stop packets (I think), and now those users can't get access again, because I have Simultaneous-Use set to 1. As a workaround I have just increased the Simultaneous-Use to 2.

Now, finally, my question: is there a way to close all open connections? Or at least fake the accounting stop packets? Maybe a SQL query to run to close all open sessions in the database? I don't know. Anybody got any ideas how I would do this?

Thanks, Jacqueco Peenz
Re: Kill sessions
Just update the mysql accounting table and set AcctStopTime = now()

-- Chris.

- Original Message -
From: Hyperlink Admin
To: freeradius-users@lists.freeradius.org
Sent: Friday, March 11, 2005 12:00 AM
Subject: Kill sessions

> Hey all, I got a bit of a problem. The setup we have here is a bit strange (I think). I don't have any access to any of the NASes. Instead I got given a list of IP addresses of other RADIUS servers, which was added to my clients.conf file. These servers then pass everything on to my server (now that I think of it, this is probably a proxy setup?).
>
> Anyway, my problem is as follows: our internet connection went down for about 3 hours yesterday. I had quite a few customers connected during this time, which means that they disconnected while my freeradius box was inaccessible. As a result, I am sitting with quite a few entries that never received accounting stop packets (I think), and now those users can't get access again because I have simultaneous use set to 1. As a workaround I have just increased the simultaneous use to 2.
>
> Now, finally, my question: is there a way to close all open connections? Or at least fake the accounting stop packets? Maybe a SQL query to run to close all open sessions in the database? I don't know. Anybody got any ideas how I would do this?
>
> Thanks,
> Jacqueco Peenz
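An added example, not from Chris or the thread, of doing the update more selectively than a blanket AcctStopTime = now(): it closes only the rows that were still open when the outage began, leaving sessions that started after the server came back untouched, and records a session length and terminate cause so the rows look like a normal stop. It uses an in-memory SQLite stand-in with constructed sample rows; the column names are those of the FreeRADIUS radacct table, so the SELECT and UPDATE run unchanged against MySQL.

```python
import sqlite3
from datetime import datetime

# Constructed in-memory stand-in for the FreeRADIUS radacct table (a subset of
# its columns, named exactly as in the real schema).
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId INTEGER PRIMARY KEY,
    UserName TEXT, NASIPAddress TEXT,
    AcctStartTime TEXT, AcctStopTime TEXT,
    AcctSessionTime INTEGER, AcctTerminateCause TEXT
);
"""

# Constructed sample rows: two sessions were open when the outage began, one
# started after the server came back (live, must stay open), one was already
# closed by a normal Accounting-Stop.
SAMPLE_ROWS = [
    ("alice", "10.0.0.1", "2005-03-10 09:00:00", None),
    ("bob",   "10.0.0.1", "2005-03-10 10:30:00", None),
    ("carol", "10.0.0.2", "2005-03-10 16:00:00", None),
    ("dave",  "10.0.0.2", "2005-03-10 08:00:00", "2005-03-10 09:30:00"),
]

TS_FMT = "%Y-%m-%d %H:%M:%S"

def load_sample():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime) "
        "VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con

def close_stale_sessions(con, outage_start, stop_time, cause="Admin-Reset"):
    """Close every session that was still open when the outage began.
    Only rows with no AcctStopTime that started before outage_start are
    touched. Returns the affected user names, sorted."""
    rows = con.execute(
        "SELECT RadAcctId, UserName, AcctStartTime FROM radacct "
        "WHERE AcctStopTime IS NULL AND AcctStartTime < ?", (outage_start,)).fetchall()
    stop_dt = datetime.strptime(stop_time, TS_FMT)
    closed = []
    for acct_id, user, start in rows:
        secs = int((stop_dt - datetime.strptime(start, TS_FMT)).total_seconds())
        con.execute(
            "UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ?, "
            "AcctTerminateCause = ? WHERE RadAcctId = ?",
            (stop_time, secs, cause, acct_id))
        closed.append(user)
    con.commit()
    return sorted(closed)

def open_sessions(con):
    """User names whose rows still count against Simultaneous-Use."""
    return sorted(r[0] for r in con.execute(
        "SELECT UserName FROM radacct WHERE AcctStopTime IS NULL"))

def session_time(con, user):
    return con.execute(
        "SELECT AcctSessionTime FROM radacct WHERE UserName = ?", (user,)).fetchone()[0]
```

Run it against a copy of the accounting table first; once the stale rows carry a stop time, the simultaneous-use check counts only the sessions that are really live.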
Re: how to enable EAP-TTLS inner PAP
TAYLAN KIRAN [EMAIL PROTECTED] wrote:
> In eap.conf, in the ttls section, default_eap_type = md5, but I need to use EAP-TTLS inner PAP. When I set default_eap_type=pap or PAP it is not accepted. How can I enable PAP?

Once you configure EAP-TTLS, inner PAP works. And no, PAP is not an EAP type, so setting default_eap_type = pap doesn't make sense.
Can somebody explain the errors?
Sirs,

Here is what I received:

Wed Mar 9 22:47:34 2005 : Info: Ready to process requests.
Thu Mar 10 10:17:30 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 71 due to unfinished request 48567
Thu Mar 10 12:52:57 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 89 due to unfinished request 81227
Thu Mar 10 14:12:03 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 128 due to unfinished request 101178
Thu Mar 10 17:17:30 2005 : Error: Discarding duplicate request from client apk1:1813 - ID: 253 due to unfinished request 152382
Thu Mar 10 20:08:03 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 92 due to unfinished request 209934

Can somebody explain the errors I've got? What should I change in radiusd.conf to eliminate these errors? About the duplicate request I know: I've got to change cleanup_delay++ and max_requests--. What about the conflicting packet? What does it mean?

Best regards,
Serg
Hello Radgroup questions
Hello List :)

I've been thrust into the role of administering our company's RADIUS server. I have spent a few hours searching on the net and in the O'Reilly RADIUS book for an answer to the following question, but it eludes me.

I am migrating my dial-up base to a new vendor and ran into a problem with some of the current RADIUS attributes causing the new vendor's NASes to choke and not complete the authentication process. To get around this I created a second radgroup and stripped it down to the minimum attributes required for the new vendor's network. In testing this fixed the above problem, but it has created a new one. If I don't have these attributes for the current vendor then my customers will be unable to send email via my mail servers, etc.

I want the migration to the new vendor to be as seamless as possible. Is there a way to specify which group attributes are used in the reply, based on which RADIUS peer is forwarding the authentication request? If this is possible then I could make the users members of both radgroups and reply with the corresponding radgroup of the asking vendor.

I am currently using freeRadius 0.8.1 w/MySQL.

-J Morgan
Re: question about ippools
> It all depends on how you get the Pool-Name attribute added to the user's configuration attribute list. If it's added for one user when that user comes from a specific NAS, then only that user on that specific NAS will get an IP from the relevant pool.

Okay, I see in the radiusd.conf where to set the pools, but where do I define them per NAS? (i.e. pool 1.2.3.0/24 to NAS1 and 1.2.4.0/24 to NAS2) Then in the user's info just add Pool-name := poolname, right? What is the Group == poolname part for in the DEFAULT?? Would that be for the fallthroughs?

-- Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
Re: Hello Radgroup questions
J Morgan [EMAIL PROTECTED] wrote:
> I am migrating my dial-up base to a new vendor and ran into a problem with some of the current RADIUS attributes causing the new vendor's NASes to choke and not complete the authentication process.

That's... weird. It shouldn't be happening.

> I want the migration to the new vendor to be as seamless as possible. Is there a way to specify which group attributes are used in the reply, based on which RADIUS peer is forwarding the authentication request?

Use the Client-Ip-Address attribute to select which RADIUS client has sent the request. You can then reply with per-client attributes.

Alan DeKok.
Re: Can somebody explain the errors?
Serg Shipaev [EMAIL PROTECTED] wrote:
> Thu Mar 10 20:08:03 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 92 due to unfinished request 209934
> Can somebody explain the errors I've got? What should I change in radiusd.conf to eliminate these errors?

You don't. You find out why your RADIUS server is taking forever to respond, and fix the problem.

> About the duplicate request I know. I've got to change: cleanup_delay++ and max_requests--;

I don't see why.

> What about the conflicting packet? What does it mean?

It means that the RADIUS server is taking so long to respond that the NAS has given up, and sent another RADIUS packet.

Alan DeKok.
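An added example, not from Alan or the thread, of reading these errors programmatically instead of eyeballing radius.log: it assumes the log format shown in Serg's post, distinguishes a duplicate (the NAS retransmitting the same packet) from a conflict (a new packet reusing the ID of one the server has not answered), and tallies them per client so you can see when and from which NAS the server is falling behind. The sample input is the page's own log lines, embedded here as a constructed string.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: the lines quoted in the thread above.
SAMPLE_LOG = """\
Wed Mar 9 22:47:34 2005 : Info: Ready to process requests.
Thu Mar 10 10:17:30 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 71 due to unfinished request 48567
Thu Mar 10 12:52:57 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 89 due to unfinished request 81227
Thu Mar 10 14:12:03 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 128 due to unfinished request 101178
Thu Mar 10 17:17:30 2005 : Error: Discarding duplicate request from client apk1:1813 - ID: 253 due to unfinished request 152382
Thu Mar 10 20:08:03 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 92 due to unfinished request 209934
"""

# "<weekday> <month> <day> <time> <year> : <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
DROP_RE = re.compile(
    r"(?P<kind>Dropping conflicting packet|Discarding duplicate request) from client "
    r"(?P<client>[^:\s]+):(?P<port>\d+) - ID: (?P<id>\d+) due to unfinished request (?P<req>\d+)")

def parse_drops(text):
    """One dict per dropped packet: when, from which client/port, the RADIUS
    packet ID, the still-unfinished request it collided with, and whether it
    was a retransmit ("duplicate") or a different packet on the same ID
    ("conflict")."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "Error":
            continue
        d = DROP_RE.search(m.group("msg"))
        if not d:
            continue
        out.append({
            "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "client": d.group("client"), "port": int(d.group("port")),
            "kind": "duplicate" if d.group("kind").startswith("Discarding") else "conflict",
            "id": int(d.group("id")), "request": int(d.group("req")),
        })
    return out

def summarize(drops):
    """Per client:port, how many conflicts and duplicates were logged."""
    table = defaultdict(Counter)
    for d in drops:
        table[f"{d['client']}:{d['port']}"][d["kind"]] += 1
    return {k: dict(v) for k, v in table.items()}

def busy_hours(drops, threshold):
    """Hours (YYYY-MM-DD HH) in which the drop count reached threshold: the
    windows in which to look at what the server was waiting on."""
    per_hour = Counter(d["time"].strftime("%Y-%m-%d %H") for d in drops)
    return sorted(h for h, n in per_hour.items() if n >= threshold)
```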
RE: About client web authentication
mmm... I understand now. That means I need to do something with the AP / switch, not with my server. TQ very much to everyone.. TQ

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Artur Hecker
Sent: Thursday, March 10, 2005 3:47 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: About client web authentication

> Nurul probably means client isolation.
>
> Nurul, your issues are not really related to freeradius. You can authenticate over whatever you want to freeradius. However, that's not your point. For what you want to do, you need to set up the access controller, which is just another NAS in AAA slang. WLAN client isolation is a purely NAS-internal functionality. You have to do that at the access point (an L3 firewall cannot achieve that, since the packets are forwarded on L2). So, take a look at hotspot-like access controllers which provide captive portal functionality. There is nocat, e.g., but a lot of others do the same. There are also a lot of commercial products.
>
> hope that helps. if you need more help, try to ask offline.
>
> ciao
> artur
>
> Marcin Jessa wrote:
>> I have no idea what you are talking about. If you mean that WLAN users will be able to talk to each other after authentication then yes, that's the whole point of opening the network. You need to describe your network first.
>>
>> On Thu, 10 Mar 2005 15:56:36 -0800 Nurul Faizal M.Shukeri [EMAIL PROTECTED] wrote:
>>> TQ for your response. But if I do this, WLAN users can still access each other. How to protect against that? Is mod_auth_radius what I'm looking for? TQ
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcin Jessa
>>> Sent: Wednesday, March 09, 2005 6:31 PM
>>> To: freeradius-users@lists.freeradius.org
>>> Subject: Re: About client web authentication
>>>
>>>> You need some kind of hotspot server like routeros or staros. Or you can do that with Squid and custom firewalling rules to open connections from, e.g., PPTP-authenticated users.
>>>>
>>>> On Thu, 10 Mar 2005 09:28:01 -0800 Nurul Faizal M.Shukeri [EMAIL PROTECTED] wrote:
>>>>> Hi everyone, Can anyone explain how to deploy client web authentication? I'm using freeradius to authenticate wireless users. For the time being I have just installed Aegis or the 802.1X built into Windows to be the supplicant. Anyone, please help me. TQ very much
>>>>
>>>> --
>>>> Regards,
>>>> M. Jessa
>>>> Software developer/System Administrator
>>>> http://www.yazzy.org
Re: Can somebody explain the errors?
I see the same thing when trying to set up realms, but haven't received any response to my question. Are you running a realms setup?

Bob

Serg Shipaev wrote:
> Sirs,
>
> Here is what I received:
>
> Wed Mar 9 22:47:34 2005 : Info: Ready to process requests.
> Thu Mar 10 10:17:30 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 71 due to unfinished request 48567
> Thu Mar 10 12:52:57 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 89 due to unfinished request 81227
> Thu Mar 10 14:12:03 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 128 due to unfinished request 101178
> Thu Mar 10 17:17:30 2005 : Error: Discarding duplicate request from client apk1:1813 - ID: 253 due to unfinished request 152382
> Thu Mar 10 20:08:03 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 92 due to unfinished request 209934
>
> Can somebody explain the errors I've got? What should I change in radiusd.conf to eliminate these errors? About the duplicate request I know: I've got to change cleanup_delay++ and max_requests--. What about the conflicting packet? What does it mean?
>
> Best regards,
> Serg
Re: question about ippools
On Thu, Mar 10, 2005 at 03:45:24PM -0900, Terry J Fike Jr wrote:
>> It all depends on how you get the Pool-Name attribute added to the user's configuration attribute list. If it's added for one user when that user comes from a specific NAS, then only that user on that specific NAS will get an IP from the relevant pool.
>
> Okay, I see in the radiusd.conf where to set the pools, but where do I define them per NAS? (i.e. pool 1.2.3.0/24 to NAS1 and 1.2.4.0/24 to NAS2) Then in the user's info just add Pool-name := poolname, right? What is the Group == poolname part for in the DEFAULT?? Would that be for the fallthroughs?

I'd use Post-Auth-Type along with Huntgroups or something similar to set the Pool-Name correctly. It's not something _built_ in, it's just something you can do with the framework.

-- Paul TBBle Hampson, on an alternate email client.
RE: Can somebody explain the errors?
Thank you, Alan. I think I know where the mistake is...

Best regards,
Serg Shipaev

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, March 11, 2005 04:02
To: freeradius-users@lists.freeradius.org
Subject: Re: Can somebody explain the errors?

> Serg Shipaev [EMAIL PROTECTED] wrote:
>> Thu Mar 10 20:08:03 2005 : Error: Dropping conflicting packet from client apk1:1813 - ID: 92 due to unfinished request 209934
>> Can somebody explain the errors I've got? What should I change in radiusd.conf to eliminate these errors?
>
> You don't. You find out why your RADIUS server is taking forever to respond, and fix the problem.
>
>> About the duplicate request I know. I've got to change: cleanup_delay++ and max_requests--;
>
> I don't see why.
>
>> What about the conflicting packet? What does it mean?
>
> It means that the RADIUS server is taking so long to respond that the NAS has given up, and sent another RADIUS packet.
>
> Alan DeKok.
freeradius daemon
Hi All,

Running on MacOS X Panther, I cannot run freeradius as a daemon. I am forced to run it in debugging mode. Log files are also not updated. Any inputs are welcome.

Thanks in advance,
Mahesh S Kudva
---
Robosoft Technologies - Partners in Product Development
Re: radzap...
Sure does. We use it from time to time, when our wholesale connections don't send a good disconnect.

radzap IP-Address S:port [EMAIL PROTECTED]

Chan Min Wai wrote:
> Hello all, I found that this script isn't working for me, so I wonder if this script is still working? What does this script check anyway? Does this script need checkrad to work? Just wondering if anyone has a guide to patch checkrad to work with another OID via SNMP?
>
> regards.
> Thank You
> Chan Min Wai
Re: how to enable EAP-TTLS inner PAP
You say we only need to enable EAP-TTLS, but it does not work. You can find the debug log below. The client is configured with securew2 and EAP-TTLS PAP authentication.

Thanks,

rad_recv: Access-Request packet from host 172.18.3.95:10259, id=34, length=83
        Message-Authenticator = 0x26e67364164d339189a6d8397987beb4
        User-Name = deneme
        NAS-IP-Address = 172.18.3.95
        NAS-Port = 16
        NAS-Port-Type = Ethernet
        EAP-Message = 0x0203000b0164656e656d65
        Framed-MTU = 1000
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = deneme, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 3 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    users: Matched entry deneme at line 152
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 34 to 172.18.3.95:10259
        Filter-Id = Enterasys:version=1:mgmt=su:policy=cit
        EAP-Message = 0x010400061520
        Message-Authenticator = 0x
        State = 0x3394e1c67521780c15407ecbe828f4aa
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

rad_recv: Access-Request packet from host 172.18.3.95:10259, id=35, length=150
        Message-Authenticator = 0x6da3a4d41eee55fd1a0713b4d8278012
        User-Name = deneme
        State = 0x3394e1c67521780c15407ecbe828f4aa
        NAS-IP-Address = 172.18.3.95
        NAS-Port = 16
        NAS-Port-Type = Ethernet
        Framed-MTU = 1000
        EAP-Message = 0x0204003c15800032160301002d0129030141000200fa84d3bfe32d29f240eac06d23ba47e16e21e5758c9f2c99278d446802000a0100
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
    rlm_realm: No '@' in User-Name = deneme, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 4 length 60
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
    users: Matched entry deneme at line 152
  modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  (other): before/accept initialization
  TLS_accept: before/accept initialization
  rlm_eap_tls: TLS 1.0 Handshake [length 002d], ClientHello
  TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
  TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 0694], Certificate
  TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: TLS 1.0 Handshake [length 0004], ServerHelloDone
  TLS_accept: SSLv3 write server done A
  TLS_accept: SSLv3 flush data
  TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module eap returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 35 to 172.18.3.95:10259
        Filter-Id = Enterasys:version=1:mgmt=su:policy=cit
        EAP-Message =