Re: how to enable EAP-TTLS inner PAP

2005-03-14 Thread Helmut Tröbs
Try this (I don't know if it is the right way, but it works):
Terminate the outer user in hints:
DEFAULT Prefix == anonymous, Strip-User-Name = No
Realm = LOCAL
Then the inner user is processed as usual and you don't
need Auth-Type := EAP.
regards
Helmut
   What should I write instead of EAP? When I write Local or System it
didn't work.
  I have one more question.
When I add a user named test in the users file as follows,

test Auth-Type := EAP, User-Password == 11
	Filter-Id = Enterasys:version=1:mgmt=su:policy=cit
  802.1x authentication is successful. But I need to authenticate users
on eDirectory via LDAP.
The LDAP server has a field postOfficeBox in which
Enterasys:version=1:mgmt=su:policy=cit
is stored. We want freeradius to get the postOfficeBox value
of the user and send it to the NAS
as Filter-Id = Enterasys:version=1:mgmt=su:policy=cit.

  But this authentication should be in the EAP-TTLS inner PAP method.
We can do it in Steel-Belted Radius server. But SecureW2 didn't work
with Steel-Belted.
How can I do it?
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP attributes

2005-03-14 Thread Benoît Bianchi
I'm desperately trying to get LDAP attributes sent back to the NAS without any
success...
I've added RADIUS-LDAPv3.schema to my LDAP schema, and set the radiusClass
attribute for my test user.
I can do a successful authentication but the value of this attribute is never
sent back by freeradius to the NAS...

In radius.conf:
ldap {
server = xxx
port = 389
identity = xxx
password = xxx
#basedn = o=My Org,c=UA
basedn = xxx
#filter = (uid=%{Stripped-User-Name:-%{User-Name}})
filter = (login=%{Stripped-User-Name:-%{User-Name}})
# base_filter = (objectclass=radiusprofile)

# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 636)
# connections
start_tls = no

# tls_cacertfile= /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile  = /path/to/radius.crt
# tls_keyfile   = /path/to/radius.key
# tls_randfile  = /path/to/rnd
# tls_require_cert  = demand

# default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
# profile_attribute = radiusProfileDn
access_attr = dialupAccess

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5

#profile_attribute = radiusProfileDn
#
# NOTICE: The password_header directive is NOT case insensitive
#
# password_header = {clear}
#
#  The server can usually figure this out on its own, and pull
#  the correct User-Password or NT-Password from the database.
#
#  Note that NT-Passwords MUST be stored as a 32-digit hex
#  string, and MUST start off with 0x, such as:
#
#   0x000102030405060708090a0b0c0d0e0f
#
#  Without the leading 0x, NT-Passwords will not work.
#  This goes for NT-Passwords stored in SQL, too.
#
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
}

Please help ...




Re: LDAP attributes

2005-03-14 Thread guest01
Hi

Did you uncomment ldap in the authorize and
authenticate section?
Do you really have an access_attr dialupAccess which is
TRUE or FALSE?

hth
peda






(no subject)

2005-03-14 Thread Jamal Taweel

Dear All,

Kindly be informed that we are using Freeradius-0.9.3 and Oracle 9i as
DB.
We have many errors which appear in the log file; some of them cause
the service to stop. The errors can be summarized below:
- Out of memory
- Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0.
- Error: rlm_sql: Stop packet with zero session length.  (user '', nas 'xxx.xxx.xxx.xxx')
- Info: rlm_radutmp: Login entry for NAS xxx port 689 duplicate
- Error: rlm_radutmp: Logout entry for NAS XXX port 509 has wrong ID
- Error: WARNING: Unresponsive child (id 114696) for request 430091
- Error: radiusd.conf[10]: sql: Module instantiation failed.
- Info: Using deprecated naslist file.  Support for this will go away soon.
- Error: rlm_sql (sql): Could not link driver rlm_sql_oracle: file not found
- Error: rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.

Hence, if you have any comments regarding these errors, I would
appreciate your assistance.

Thanks,
Jemy






Re: LDAP attributes

2005-03-14 Thread Michael Mitchell
Please help ...
As per the FAQ, README, various other documents, and many responses to 
questions on this list, please run the server in debug mode (radiusd -X) 
to see what it is doing, and why it is not doing what you expect. If you 
still can't work it out, post the output back to the list and someone 
can try to help you...

regards,
Mike


Re: (no subject)

2005-03-14 Thread Chris Knipe
It's really obvious...
- Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0.
^^ Increase your DB Handles to a higher value.

- Info: Using deprecated naslist file.  Support for this will go away soon.
^^ I'd suggest fixing and using clients.conf as well.
- Error: rlm_sql (sql): Could not link driver rlm_sql_oracle: file not found
^ There's your biggest problem IMHO.
Just my 2c.
--
Chris.


RE: LDAP attributes

2005-03-14 Thread Benoît Bianchi
As you suggest, I had already searched the Web for an answer to my trouble;
anyway, there wasn't one...
I've also used radiusd -XA to see what was happening, and I saw the server
getting the request, binding to the LDAP server to validate the password and
sending back an accept packet...

By the way, the answer came to me from the user guest01 (thanks to him), because
I hadn't uncommented ldap in the authorize section of my
radiusd.conf, but only in authenticate...
What confused me was that freeradius was able to validate the user...

My first use of the ldap module was when I used it with EAP-TTLS, and at
that time I followed the indications given on the list and elsewhere on
the Web, and it was working fine with this configuration.

It is a fact that this list is too verbose, but I think, Michael, that you're
not helping to solve that this way.


Re: LDAP attributes

2005-03-14 Thread Michael Mitchell
Benoît Bianchi wrote:
As you suggest, I had already searched the Web for an answer to my trouble;
anyway, there wasn't one...
I never told you to go away and search for the answer yourself... I told 
you that if you run the server in DEBUG mode you'll see what it is 
doing, and hopefully where the results differ from what you expect.

I've also used radiusd -XA to see what was happening, and I saw the server
getting the request, binding to the LDAP server to validate the password and
sending back an accept packet...
You didn't tell us that - you just gave us part of your configuration 
and said it doesn't work. We can't read your mind, dude; that's why the 
documentation and the list continue to tell people to run the server in 
debug mode and post the results to the list if they are still having 
trouble... it really is the simplest way to see what is going wrong...

It is a fact that this list is too verbose but I think, Michael, that you're
not helping to solve that this way.
Sorry you feel that way. I believe the best way to help people is to 
teach them how to help themselves.

Give a man a fish and he'll eat for a day, teach a man how to fish and 
he'll buy an ugly hat...

Learning how freeRADIUS works goes a long way to solving problems with 
the server when they arise. Running the server in DEBUG mode is one of 
the fastest ways of discovering what processing the server performs on 
the requests it receives... It is also by far the fastest way of 
diagnosing problems - especially when you're asking the list for help...

Glad to hear you got it working.
regards,
Mike


Re: (dialup_admin) snmpfinger program pays no attention to naslist.conf

2005-03-14 Thread Kostas Kalevras
On Thu, 10 Mar 2005, Nick Bright wrote:
To hop back to this question, updating to the latest CVS made
user_finger.php3 behave quite a bit differently.
Now when I go to that page, I get a listing for every NAS from the
database, but there is no information for the NAS unless there is also
information in naslist.conf
Shouldn't it just use the information from SQL if the nas table is
there, and completely ignore/not use naslist.conf? It seems a little
redundant to put the information into two locations.
dialupadmin will use all information that is available. That means that it will 
also use any information present in naslist.conf. In any case, it was a bug and 
hopefully fixed in CVS.

*shrug* maybe I'm just doing something wrong? That's pretty likely ;)
Another odd thing is that on nas_admin.php3, all my NAS's are showing
type other in the dropdown, though they are set for various things in
the database (including: other, max40xx, and usrhiper). When I try to
modify the setting through dialup_admin, it doesn't change in the
dropdown, but it does change in the database. Seems like the dropdown
isn't reading properly.
Also fixed in CVS, Thanks.
Also executing Check NAS validity fails for every NAS, I looked at the
PHP and it's trying to do gethostbyname($selected_nas), where the name
is an IP address. Is that why it's failing, because I used IP's instead
of hostnames? Maybe that factors in to why user_finger.php3 is doing
funky stuff?
Also fixed in CVS, Thanks.
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: Problem with Windows XP Authentication

2005-03-14 Thread chiam kuosiang
Hi, thanks for the reply.

The version of XP I'm using is Service Pack 2.
So, do I still need the driver and patches?
Can you point me to the source?

Thanks.

Zoltan Ori [EMAIL PROTECTED] wrote:
 On Sunday 13 March 2005 13:47, chiam kuosiang wrote:
  When I tried to launch PEAP authentication with the Windows XP client, the
  radius snippet keeps on showing "Sending Access-Challenge". In the D-Link
  DWL-900AP+, the log shows EAP-Failure

  modcall[authenticate]: module "eap" returns handled for request 0
  modcall: group authenticate returns handled for request 0
  Sending Access-Challenge of id 54 to 192.168.0.50:1206
  EAP-Message = 0x010200061920
  Message-Authenticator = 0x
  State = 0x621660927c5033dae390af4ffc09dfc5
  Finished request 0
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 6 seconds...
  --- Walking the entire request list ---

 Your supplicant is not responding to the challenge. The conversation
 between it and the NAS may not be taking place properly. Check config on
 supplicant and NAS to make sure they agree. Do you have the latest drivers
 and patches on XP?
 


Re: LDAP attributes

2005-03-14 Thread Dustin Doris
On Mon, 14 Mar 2005, [iso-8859-1] Benoît Bianchi wrote:

 I’m desperately trying to get LDAP attributes sent back to NAS without any
 success...
 I've add RADIUS-LDAPv3.schema to my LDAP schema, and set radiusClass
 attribute for my test user.
 I can do successful authentication but the value of this attribute is never
 sent back by freeradius to the NAS ...


radiusd -X output would be helpful so we can see what is happening.

But, did you have that value in ldap.attrmap, such as?

replyItem   Class   radiusClass

Then in ldap you would have

dn: uid=user...
radiusClass: someclass

or in the Cisco VPN world, they like it like this

radiusClass: OU=somedomain.com;

Please post radiusd -X output, along with an example ldif of your user and
your ldap.attrmap setting showing that you are setting radiusclass as a
reply item.

Hope that helps.



Re: LDAP attributes

2005-03-14 Thread Alan DeKok
Michael Mitchell [EMAIL PROTECTED] wrote:
 Running the server in DEBUG mode is one of the fastest ways of
 discovering what processing the server performs on the requests it
 receives...

  It's also what the developers do.  To put it another way:

  The people who understand FreeRADIUS best ALWAYS use debugging mode
to solve their problems.  If you know less about FreeRADIUS than the
developers, it's even MORE important for you to use debugging mode.

  Alan DeKok.



Locking user accounts

2005-03-14 Thread Fiederling, Daniel
Hi list,


I'm looking for a solution to lock user accounts if more than, let's say, 3 failed auth requests have been received. The lock should automatically be reset after a specific time period (15 min or so). I've been searching with Google for a while but I've found nothing.

I thought about using the expr module - or is that the wrong way?

For now, I'm just using a plain users text file, but I could change to a database (I've read about a possible solution with SQL data storage).

I've read that it might be a better solution to do the locking in the front end, but I'm using freeradius as the backend for a one-time password application that might be used by different front ends.

One more general question: how can I extend freeradius with shell scripts etc.? What config directives do I have to set to run a script after a failed auth?

Thanks for your help!

Daniel






Re: how to enable EAP-TTLS inner PAP

2005-03-14 Thread Alan DeKok
TAYLAN  KIRAN [EMAIL PROTECTED] wrote:
 What should I write instead of EAP? When I write Local or System it
 didn't work.

  So... don't do that.

 But I need to authenticate users on edirectory via LDAP.

  Try the latest CVS snapshot, which has eDirectory support.

 The LDAP server has a field postOfficeBox in which
 Enterasys:version=1:mgmt=su:policy=cit
 is stored. We want freeradius to get the postOfficeBox value
 of the user and send it to the NAS
 as Filter-Id = Enterasys:version=1:mgmt=su:policy=cit.

  See raddb/ldap.attrmap, where you can control how LDAP data gets
mapped to RADIUS data.

  Alan DeKok.


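Benoît's "LDAP attributes" thread and Taylan's Filter-Id question above come down to the same mechanism: raddb/ldap.attrmap decides which LDAP attributes become RADIUS reply items, and the ldap module only adds those reply items when it runs in authorize (guest01's point). As an added example, not from the posts or from the FreeRADIUS distribution, here is a minimal mapping for Taylan's case, where the policy string lives in the user's postOfficeBox attribute. The section contents, the DIT layout and the LDIF are assumptions for illustration.

```text
# raddb/ldap.attrmap (one line per mapping: item type, RADIUS attribute, LDAP attribute)
replyItem   Filter-Id   postOfficeBox

# radiusd.conf: the ldap module has to be listed in authorize, not only in
# authenticate, or the reply items it maps are never added to the Access-Accept.
authorize {
    preprocess
    eap
    files
    ldap
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
    eap
}

# Constructed LDIF for the test user (assumed DIT)
dn: uid=test,ou=people,o=example
objectClass: inetOrgPerson
uid: test
postOfficeBox: Enterasys:version=1:mgmt=su:policy=cit
```

Two things worth checking once this is in place. First, whoever can write postOfficeBox on a user entry can now hand that user mgmt=su on the switches, so write access to that attribute has to be treated like admin rights on the network gear; an ACL in the directory, or a dedicated attribute from the RADIUS-LDAPv3 schema instead of a general-purpose one, narrows that exposure. Second, radiusd -X should show the ldap module adding Filter-Id to the reply for the inner request; if authentication succeeds but the attribute never appears, ldap is almost certainly missing from authorize.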


Re: forward CDR problem

2005-03-14 Thread Cristian Cappelletti
No answer... why?
Is it in the documentation? I have not found it. Sorry... :-(
The problem is:
for the NULL realm freeradius checks the user locally; if not present, freeradius
proxies the request to oldradius. Good!

The accounting-request, instead, is always recorded locally. Not good...
I want: if the Access-Accept answer comes from oldradius, the
accounting record must be forwarded to the old one, not stored locally.

(I hope that my English is understood)
Any ideas/suggestions?
Thanks for the advice!
CC



Re: Locking user accounts

2005-03-14 Thread Alan DeKok
Fiederling, Daniel [EMAIL PROTECTED] wrote:
 One more general question: how can I extend freeradius with shell
 scripts etc.? 

  See radiusd.conf, look for the 'exec' module.

 What config directives do I have to set to run a script after a
 failed auth?

  Run the 'exec' module in the 'Reject' subsection of 'postauth'.
This may only work in the CVS snapshot, I don't recall if it's in
1.0.2.

  Alan DeKok.


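As an added example of the hook Alan points to (not code from FreeRADIUS or from either poster), a POSIX shell script of the kind Daniel asked about. The wiring is assumed: the exec module runs it as `lockout.sh fail "%{User-Name}"` from the Reject subsection of post-auth and as `lockout.sh check "%{User-Name}"` from authorize, and the exec module treats a non-zero exit status as a failure, so "check" exits 1 for a locked user. Daniel's threshold (3 failures) and window (15 minutes) are the defaults; the state directory and the environment variable names are assumptions.

```sh
#!/bin/sh
# Temporary account lockout for FreeRADIUS via the 'exec' module.
# Added example for this thread; the wiring below is assumed, not taken
# from the FreeRADIUS distribution:
#   post-auth { Reject { exec } }  runs:  lockout.sh fail  "%{User-Name}"
#   authorize { exec }             runs:  lockout.sh check "%{User-Name}"

STATE_DIR="${LOCKOUT_STATE_DIR:-/var/run/radius-lockout}"
MAX_FAILURES="${LOCKOUT_MAX_FAILURES:-3}"    # lock after this many failures
WINDOW_SECS="${LOCKOUT_WINDOW_SECS:-900}"    # ...seen within 15 minutes

# User-Name is attacker-controlled. Map it onto a safe file name so that
# "../../etc/passwd" or "." cannot escape STATE_DIR.
state_file() {
    printf '%s/u_%s' "$STATE_DIR" "$(printf '%s' "$1" | tr -c 'A-Za-z0-9._@-' '_')"
}

# Print the number of failures for user $1 inside the window. Timestamps
# older than the window are pruned at the same time, so the lock expires on
# its own and the file cannot grow without bound.
recent_failures() {
    f=$(state_file "$1")
    now=$(date +%s)
    if [ ! -f "$f" ]; then
        echo 0
        return 0
    fi
    awk -v now="$now" -v win="$WINDOW_SECS" '$1 > now - win' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
    wc -l < "$f" | tr -d ' '
}

# Append one failure timestamp for user $1.
record_failure() {
    mkdir -p "$STATE_DIR"
    date +%s >> "$(state_file "$1")"
}

# Exit status 0 when user $1 is currently locked, 1 otherwise.
is_locked() {
    [ "$(recent_failures "$1")" -ge "$MAX_FAILURES" ]
}

case "${1:-}" in
    fail)
        record_failure "$2"
        ;;
    check)
        if is_locked "$2"; then
            echo 'Reply-Message = "Too many failed logins, try again later"'
            exit 1
        fi
        ;;
esac
```

Two caveats before using something like this in front of a one-time-password backend. The counter is keyed on the user name alone, so anyone who knows a list of valid names can lock those users out at will; keying on the NAS or calling station as well, or keeping the window short, limits that. And the append-then-prune sequence is not atomic, so under concurrent failures for the same user the count can be off by one; that is acceptable for a lockout, but if exact counts matter the state belongs in a database, as Daniel considered.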


Re: Freeradius ldap authentication sql authorization help!!

2005-03-14 Thread Jamie Crawford
 If you're authorizing via SQL, your LDAP schema shouldn't need
changes.

  Alan DeKok.

Alan, thanks for the response!!! But if I'm authorizing through SQL, do
I have to have the user's password in the database?  I was hoping to use
the DB kind of like the users file.  I have NAS port numbers with
allowed users with only their username for authorization; if their
username isn't in the first port it falls through and so on, and if the
user isn't authorized for any of the ports, the user is denied access.
Is this possible?

thanks,
jamie




 [EMAIL PROTECTED] 03/13/05 08:10PM 
Jamie Crawford [EMAIL PROTECTED] wrote:
 I'm wondering if anyone has setup freeradius to authenticate through
 ldap and authorize through a postgress db.

  Yes.  I haven't done it myself, but FreeRADIUS is *designed* to have
that kind of flexibility.

   All the documentation that I have read says that I need the users
 username and password in the database, or that I need to modify my
 ldap schema.

  If you're authorizing via SQL, your LDAP schema shouldn't need
changes.

  Alan DeKok.



Mod_auth_radius

2005-03-14 Thread Cris Boisvert
Has anyone got mod_auth_radius running on Fedora Core 3 without recompiling
Apache? Seeing as they don't ship the source compile info, the
apxs install won't work?

Thanx
Cris




Re: (dialup_admin) snmpfinger program pays no attention to naslist.conf

2005-03-14 Thread Nick Bright
Wow, WTF. I downloaded the latest CVS and _everything_ is all jacked up.
I'm pretty sure I'm not doing something correctly (I don't use CVS
much). . .

I did:

shell> cvs -d:pserver:[EMAIL PROTECTED]:/cvsroot/dialup-admin login

* When prompted for a password simply press the Enter Key

shell> cvs -z3 -d:pserver:[EMAIL PROTECTED]:/cvsroot/dialup-admin co dialup_admin

The resulting version is missing files, doesn't contain many of the
default configuration files, and just basically doesn't work.

wtf? Is this not the right way to get the CVS? Should I be getting the
CVS of freeradius and taking the dialup_admin directory out of there?

 - Nick Bright
   Terraworld, Inc

-- 
- Nick Bright
  Terraworld, Inc
  888-332-1616 x315
  http://home.terraworld.net




Users file caching?

2005-03-14 Thread Jeff
Ever since using freeradius on our FreeBSD machine, we have had
problems with what appears to be a caching issue with the users
file. For example.

#put on hold for non-payment.  12/7/04
user1  Auth-Type := Reject
#put on hold for non-payment.  12/7/04
user17  Auth-Type := Reject
#put on hold for non-payment.  12/7/04
user86  Auth-Type := Reject

Once a user makes a payment, we typically remove the line from the
radius file and restart the daemon, (this is not the most effective
way to be sure, but it is the procedure we have been using for some
time). The problem arises at apparently random times-but once a user
is removed from the users file they will show back up! As if the file
had never been edited, however the timestamps reflect the current
date/time and not that of when the edit took place.

Are there any known issues with freeradius caching the users file? Is it
possible there is a corrupt cache? We cannot seem to pinpoint the
exact cause of the error, as using comments returns the same
results:

#put on hold for non-payment.  12/7/04
#user1  Auth-Type := Reject
#put on hold for non-payment.  12/7/04
#user17  Auth-Type := Reject
#put on hold for non-payment.  12/7/04
#user86  Auth-Type := Reject

etc.

-- 
Keep it real! Fakin the funk is not an option



Restricting users to login to specific Cisco router

2005-03-14 Thread Biglin, Henry
I am trying to understand how I can set up a specific user to allow login to 
specific routers.  I am using freeradius 1.0.0.  I defined the client and 
shared secret in the clients.conf file and the user id in the users file with 
Service-Type = Shell-User and Cisco-AVPair = shell:Priv-lvl=7.  The login 
works, but I need to restrict which clients it can log in to.  Is there a way to 
do this?  I am just starting to learn RADIUS and Google isn't finding me an 
answer for this.  Thanks.

Henry
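One way to do what Henry asks, as an added example (not from the thread or from the FreeRADIUS distribution): the preprocess module's huntgroups file groups NAS addresses under a name, and a Huntgroup-Name check item in the users file then restricts an entry to those devices. The group names, addresses and password are assumptions for illustration; the Service-Type and Cisco-AVPair values are the ones Henry already uses.

```text
# raddb/huntgroups: NAS addresses grouped under a name (addresses assumed)
core-routers    NAS-IP-Address == 192.0.2.10
core-routers    NAS-IP-Address == 192.0.2.11
edge-routers    NAS-IP-Address == 192.0.2.20

# raddb/users: this entry only matches when the request came from a NAS in
# the group; otherwise processing continues with the next entry.
henry   Huntgroup-Name == "core-routers", User-Password == "assumed-password"
        Service-Type = Shell-User,
        Cisco-AVPair = "shell:Priv-lvl=7"

# Anyone who reaches this point matched no entry above, including henry
# logging in from an edge router. Reject explicitly rather than falling
# through to whatever authentication would otherwise apply.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorised on this device"
```

preprocess has to run before files in the authorize section, because it is what turns the huntgroups file into the Huntgroup-Name that the check item compares against; and the users file is first-match, so the DEFAULT Reject must be the last entry. Note that NAS-IP-Address is an attribute the client puts in the packet, so the grouping is only as strong as each router keeping its own entry and shared secret in clients.conf; a secret shared across all routers turns these groups into a convenience rather than a boundary. radiusd -X shows which entry matched and why.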


Re: Users file caching?

2005-03-14 Thread Dustin Doris
On Mon, 14 Mar 2005, Jeff wrote:

 Ever since using freeradius on our FreeBSD machine, we have had
 problems with what appears to be a caching issue with the users
 file. For example.

 #put on hold for non-payment.  12/7/04
 user1  Auth-Type := Reject
 #put on hold for non-payment.  12/7/04
 user17  Auth-Type := Reject
 #put on hold for non-payment.  12/7/04
 user86  Auth-Type := Reject

 Once a user makes a payment, we typically remove the line from the
 radius file and restart the daemon, (this is not the most effective
 way to be sure, but it is the procedure we have been using for some
 time). The problem arises at apparently random times-but once a user
 is removed from the users file they will show back up! As if the file
 had never been edited, however the timestamps reflect the current
 date/time and not that of when the edit took place.

Are you sure you don't have that file using some sort of revision control
and some people aren't using it?  Such as RCS or CVS?





Re: (dialup_admin) snmpfinger program pays no attention to naslist.conf

2005-03-14 Thread Kostas Kalevras
On Mon, 14 Mar 2005, Nick Bright wrote:
Wow, WTF. I downloaded the latest CVS and _everything_ is all jacked up.
I'm pretty sure I'm not doing something correctly (I don't use CVS
much). . .
I did:
shell> cvs -d:pserver:[EMAIL PROTECTED]:/cvsroot/dialup-admin login
* When prompted for a password simply press the Enter Key
shell> cvs -z3 -d:pserver:[EMAIL PROTECTED]:/cvsroot/dialup-admin co dialup_admin
The resulting version is missing files, doesn't contain many of the
default configuration files, and just basically doesn't work.
wtf? Is this not the right way to get the CVS? Should I be getting the
CVS of freeradius and taking the dialup_admin directory out of there?
Downloading through cvs is clearly described in 
http://www.freeradius.org/development.html#cvs

There's no module dialup_admin and I don't think there's a /cvsroot/dialup-admin.
So please read that page and try again. dialup_admin is included in the radiusd 
module.

- Nick Bright
  Terraworld, Inc
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: Users file caching?

2005-03-14 Thread Jeff
It appears that the issue is with the server not properly being
restarted. I will work on our automated scripts that are supposed to
restart the daemon as it appears they are not. Thank you for the clear
and concise response!

Jeff





-- 
Keep it real! Fakin the funk is not an option



EAP-TLS: limiting client certs to a select group

2005-03-14 Thread Jon Franklin
I've managed to get freeradius 1.0.1 working with EAP-TTLS, PEAP, and
TLS (mostly), but I found that with EAP-TLS, I can use any client
certificate I want, and freeradius will allow the client through. 
This presents a major security hole in my configuration, and I can't
seem to figure out how to lock it down.

Is there a way to configure freeradius to only accept client certs
issued by a specific CA?  Either that or only allow a specific set of
certs (say, copies of the certs in a directory, for example), either
way would be fine for my purposes.

-- 
Jon Franklin
[EMAIL PROTECTED]



Re: Upgrade problems.

2005-03-14 Thread Peter Nitschke
Anyone?

*** REPLY SEPARATOR  ***

On 9/03/2005 at 10:13 AM Peter Nitschke wrote:

I have an old Freeradius 0.8.1-1 server on RH 7.2 which I wish to upgrade
to 1.02 on Whitebox EL3.1

Freeradius is just being used as a proxy, the setup on 0.8 seems quite
simple, but using similar settings with 1.02 it keeps reporting an error
with huntgroups which exists but is the default file.

I can't see anything in the changelog that suggests I now have to have
entries in huntgroups.

Any help appreciated.


Re: (dialup_admin) snmpfinger program pays no attention to naslist.conf

2005-03-14 Thread Nick Bright
On Mon, 2005-03-14 at 16:43, Kostas Kalevras wrote:
 On Mon, 14 Mar 2005, Nick Bright wrote:
 
  Wow, WTF. I downloaded the latest CVS and _everything_ is all jacked up.
  I'm pretty sure I'm not doing something correctly (I don't use CVS
  much). . .
 
  I did:
 
  shell cvs -d:pserver:[EMAIL PROTECTED]:/cvsroot/dialup-admin login
 
  * When prompted for a password simply press the Enter Key
 
  shell cvs -z3 -d:pserver:[EMAIL PROTECTED]:/cvsroot/dialup-admin co dialup_admin
 
  The resulting version is missing files, doesn't contain many of the
  default configuration files, and just basically doesn't work.
 
  wtf? Is this not the right way to get the CVS? Should I be getting the
  CVS of freeradius and taking the dialup_admin directory out of there?
 
 Downloading through cvs is clearly described in 
 http://www.freeradius.org/development.html#cvs
 
 There's no module dialup_admin and I don't think there's a
 /cvsroot/dialup-admin
 
 So please read that page and try again. dialup_admin is included in the
 radiusd module.

Yeah, that's weird. I was able to get stuff by executing the commands
above (which I got from a mailing list post, by the way). . . Anyways,
the method in the URL above worked fine. Thanks.

 
 
  - Nick Bright
Terraworld, Inc
 
  On Mon, 2005-03-14 at 05:58, Kostas Kalevras wrote:
  On Thu, 10 Mar 2005, Nick Bright wrote:
 
  To hop back to this question, updating to the latest CVS made
  user_finger.php3 behave quite a bit differently.
 
  Now when I go to that page, I get a listing for every NAS from the
  database, but there is no information for the NAS unless there is also
  information in naslist.conf
 
  Shouldn't it just use the information from SQL if the nas table is
  there, and completely ignore/not use naslist.conf? It seems a little
  redundant to put the information into two locations.
 
  dialupadmin will use all information that is available. That means that it
  will also use any information present in naslist.conf. In any case, it was a
  bug and hopefully fixed in CVS.
 
 
  *shrug* maybe I'm just doing something wrong? That's pretty likely ;)
 
  Another odd thing is that on nas_admin.php3, all my NAS's are showing
  type other in the dropdown, though they are set for various things in
  the database (including: other, max40xx, and usrhiper). When I try to
  modify the setting through dialup_admin, it doesn't change in the
  dropdown, but it does change in the database. Seems like the dropdown
  isn't reading properly.
 
  Also fixed in CVS, Thanks.
 
 
  Also executing Check NAS validity fails for every NAS, I looked at the
  PHP and it's trying to do gethostbyname($selected_nas), where the name
  is an IP address. Is that why it's failing, because I used IP's instead
  of hostnames? Maybe that factors in to why user_finger.php3 is doing
  funky stuff?
 
  Also fixed in CVS, Thanks.
 
  --
  Kostas Kalevras           Network Operations Center
  [EMAIL PROTECTED]         National Technical University of Athens, Greece
  Work Phone:               +30 210 7721861
  'Go back to the shadow'   Gandalf
 
  -- 
  - Nick Bright
   Terraworld, Inc
   888-332-1616 x315
   http://home.terraworld.net
 
 
 
 
 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf
 
-- 
- Nick Bright
  Terraworld, Inc
  888-332-1616 x315
  http://home.terraworld.net




Re: (dialup_admin) snmpfinger program pays no attention to naslist.conf

2005-03-14 Thread Alan DeKok
Kostas Kalevras [EMAIL PROTECTED] wrote:
 Downloading through cvs is clearly described in 
 http://www.freeradius.org/development.html#cvs
 
 There's no module dialup_admin and i don't think there's a 
 /cvsroot/dialup-admin

  It's still on sourceforge.  But that hasn't been used for
dialup_admin in a number of years.

  Alan DeKok.



Re: Upgrade problems.

2005-03-14 Thread Alan DeKok
Peter Nitschke [EMAIL PROTECTED] wrote:
 Freeradius is just being used as a proxy, the setup on 0.8 seems quite
 simple, but using similar settings with 1.02 it keeps reporting an error
 with huntgroups which exists but is the default file.

  Don't worry about it.  It's a minor nitpick.

  Alan DeKok.



Re: Upgrade problems.

2005-03-14 Thread Dustin Doris
Post radiusd -X

On Tue, 15 Mar 2005, Peter Nitschke wrote:

 Anyone?

 *** REPLY SEPARATOR  ***

 On 9/03/2005 at 10:13 AM Peter Nitschke wrote:

 I have an old Freeradius 0.8.1-1 server on RH 7.2 which I wish to upgrade
 to 1.02 on Whitebox EL3.1
 
 Freeradius is just being used as a proxy, the setup on 0.8 seems quite
 simple, but using similar settings with 1.02 it keeps reporting an error
 with huntgroups which exists but is the default file.
 
 I can't see anything in the changelog that suggests I now have to have
 entries in huntgroups.
 
 Any help appreciated.
 
 
 


Re: AVPair

2005-03-14 Thread Alan DeKok
Mike Chamberlain [EMAIL PROTECTED] wrote:
 Thanks for your help with this.  One last question: the NAS is sending
 through multiple AVPair attributes (I can see they are getting added
 by looking at the log file), but I only ever seem to be able to access
 the final one added.

  I'm not sure why that's happening.  It should be the first one.

 Is there a way to access all the AVPair attributes using FreeRadius?

  In the latest CVS snapshot, see doc/variables.txt

  That functionality is not in 1.0.x.

  Alan DeKok.



Re: Help with PEAP

2005-03-14 Thread Israel Fabio Alves
Hi,
I need help to configure Freeradius to authenticate Windows XP users
with PEAP + MSCHAPV2.
I need to authenticate users using the username + password + domain.
Is there someone running this who can help me?
Many thanks,
Israel.


Re: Help with PEAP

2005-03-14 Thread Israel Fabio Alves
Hi,
If I do tests without a domain, the authentication runs OK.
If I do tests with user + password + domain, the information below occurs:
 tcpdump -n -i eth0 -vv -s 0 -X udp and \( port 1812 or port 1813 \)
19:41:06.403013 172.22.2.32.2064 > 172.22.2.150.1812:  [udp sum ok] 
rad-access-req 98 [id 99] Attr[  [EMAIL PROTECTED] EAP_msg{..} 
NAS_ipaddr{172.22.2.32} Service_type{Login} Calling_station{0.0.0.0} 
NAS_port_type{Ethernet} Message_auth{Y[ZLFIb..'.} ] (ttl 30, id 
38919, len 126)
0x   4500 007e 9807  1e11 a785 ac16 0220E..~
0x0010   ac16 0296 0810 0714 006a 1477 0163 0062.j.w.c.b
0x0020    0ce1  0e32  7afc  2694...2..z
0x0030   010e 6973 7261 656c 4054 4553 5445 4f13[EMAIL PROTECTED]
0x0040   0206 0011 0154 4553 5445 5c69 7372 6165.TESTE\israe
0x0050   6c04 06ac 1602 2006 0600  011f 0930l..0
0x0060   2e30 2e30 2e30 3d06  000f 5012 595b.0.0.0=.P.Y[
0x0070   dea3 eef7 5a4c 4649 62ef 8327 083c ZLFIb..'.
19:41:06.410197 172.22.2.150.1812 > 172.22.2.32.2064:  [udp sum ok] 
rad-access-reject 20 [id 99] (DF) (ttl 64, id 0, len 48)
0x   4500 0030  4000 4011 ddda ac16 0296[EMAIL PROTECTED]@...
0x0010   ac16 0220 0714 0810 001c 446d 0363 0014..Dm.c..
0x0020   8e98 4517 d1fc ace0 55b2 f401 e0da ceae..E.U...


/usr/local/radius/sbin/radiusd -X -A
Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:2065, id=86, length=98
User-Name = [EMAIL PROTECTED]
EAP-Message = 0x020700110154455354455c69737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = 0.0.0.0
NAS-Port-Type = Ethernet
Message-Authenticator = 0x7b08967cac1e313a1c8f7b19dd4932dc
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm TESTE for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm TESTE
rlm_realm: Adding Stripped-User-Name = israel
rlm_realm: Proxying request from user israel to realm TESTE
rlm_realm: Adding Realm = TESTE
rlm_realm: Preparing to proxy authentication request to realm TESTE
  modcall[authorize]: module TESTE returns updated for request 0
  rlm_eap: Request is supposed to be proxied to Realm TESTE.  Not doing 
EAP.
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry israel at line 216
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 0
radius_xlat: 
'/usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314'
rlm_detail: 
/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d 
expands to 
/usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314
  modcall[pre-proxy]: module pre_proxy_log returns ok for request 0
modcall: group pre-proxy returns ok for request 0
Sending Access-Request of id 0 to 127.0.0.1:1812
User-Name = israel
EAP-Message = 0x020700110154455354455c69737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = 0.0.0.0
NAS-Port-Type = Ethernet
Message-Authenticator = 0x
Proxy-State = 0x3836
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1814, id=0, length=96
User-Name = israel
EAP-Message = 0x020700110154455354455c69737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = 0.0.0.0
NAS-Port-Type = Ethernet
Message-Authenticator = 0xb8f016bb4a4bdd82c395a5f43d058bb1
Proxy-State = 0x3836
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = israel, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module TESTE returns noop for request 1
  rlm_eap: EAP packet type response id 7 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
users: Matched entry israel at line 216
  modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
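The debug output above shows rlm_realm splitting the outer User-Name "israel@TESTE" on its "@" suffix and proxying on that realm, while the EAP-Message carries the identity in the Windows "TESTE\israel" form; the proxied copy then arrives with no realm and rlm_eap takes over. The following is an added example, not the poster's code: it rebuilds that Access-Request from the attribute values printed by rad_recv and decodes both identities so the two forms can be compared. The two 16-byte authenticators are constructed filler, not the on-wire values.

```python
import struct

def build_access_request(ident, attrs, authenticator=bytes(16)):
    """Assemble an RFC 2865 Access-Request: 20-byte header + type/len/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_radius(packet):
    """Return (code, id, [(attr_type, value), ...]); reject inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def parse_eap_identity(eap):
    """Decode an EAP-Message holding an Identity response (code 2, type 1)."""
    code, eid, length = struct.unpack("!BBH", eap[:4])
    if code != 2 or length != len(eap) or eap[4] != 1:
        raise ValueError("not an EAP Identity response")
    return eid, eap[5:].decode("ascii")

def split_realm(user_name):
    """Mimic rlm_realm's suffix split: 'israel@TESTE' -> ('israel', 'TESTE')."""
    name, sep, realm = user_name.rpartition("@")
    return (name, realm) if sep else (user_name, None)

# Attribute values taken from the rad_recv dump above (id=86, length=98).
# Both 16-byte authenticators are constructed filler, not the on-wire values.
EAP_MSG = bytes.fromhex("020700110154455354455c69737261656c")
PACKET = build_access_request(86, [
    (1, b"israel@TESTE"),              # User-Name
    (79, EAP_MSG),                     # EAP-Message
    (4, bytes([172, 22, 2, 32])),      # NAS-IP-Address
    (6, struct.pack("!I", 1)),         # Service-Type = Login-User
    (31, b"0.0.0.0"),                  # Calling-Station-Id
    (61, struct.pack("!I", 15)),       # NAS-Port-Type = Ethernet
    (80, bytes(16)),                   # Message-Authenticator (filler)
])

def identities(packet):
    """Outer identity (what rlm_realm routes on) vs inner EAP Identity."""
    a = dict(parse_radius(packet)[2])
    stripped, realm = split_realm(a[1].decode("ascii"))
    _, eap_identity = parse_eap_identity(a[79])
    return {"stripped": stripped, "realm": realm, "eap_identity": eap_identity}
```

The rebuilt packet comes out at 98 bytes, the same length the log reports, and identities(PACKET) returns the stripped name, the realm and the EAP identity side by side.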

Rejecting Request

2005-03-14 Thread Anson Rinesmith
Rejecting request 86445 due to lack of any response from
home server

What could be causing this, tell me what to post and I will,
I just didn't want to spam the list with all my confs and radiusd -X,
though I've looked through debug and nothing makes sense as to what is
causing this.

RE: Rejecting Request

2005-03-14 Thread Mitchell, Michael J
It appears that your RADIUS server is proxying the 
request to a "home" server, which hasn't responded... is this what you're 
intending?

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anson Rinesmith
  Sent: Tuesday, 15 March 2005 2:30 PM
  To: freeradius-users@lists.freeradius.org
  Subject: Rejecting Request

  Rejecting request 86445 due to 
  lack of any response from home server
  
  What could be causing this, tell 
  me what to post and I will, I just didn't want to spam the list with all my 
  confs and radiusd -X, though I've looked through debug and nothing makes sense 
  as to what is causing this.


RE: Rejecting Request

2005-03-14 Thread Anson Rinesmith
These are coming from my central proxy
server. But all tests using utilities built into the APX-8000 and ntRadTest all
go through successfully to their respective servers and return with the correct
Reply.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mitchell, Michael J
Sent: Monday, March 14, 2005 9:39 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: Rejecting Request

It appears that your
RADIUS server is proxying the request to a home server, which
hasn't responded... is this what you're intending?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Anson Rinesmith
Sent: Tuesday, 15 March 2005 2:30 PM
To: freeradius-users@lists.freeradius.org
Subject: Rejecting Request

Rejecting request 86445 due to lack
of any response from home server

What could be causing this, tell me
what to post and I will, I just didn't want to spam the list with all my
confs and radiusd -X, though I've looked through debug and nothing
makes sense as to what is causing this.


Re: EAP-TLS: limiting client certs to a select group

2005-03-14 Thread Jon Franklin
I tried using my own hand-generated SSL certs, as well as a set
generated by the certs.sh script, and get the same type of problem. 
Question: if the CA_file certificate contains a private key, would
this cause my problem?  I don't think it has one, but can't say with
certainty until I get in to work tomorrow and check it out.

One clue I've been seeing is that if I set check_crl = yes, no certificate gets
validated at all; set it to no and any client cert will allow the
client into my network.

Thanks!

On Tue, 15 Mar 2005 00:21:19 +0100, Michael Riviera
[EMAIL PROTECTED] wrote:
 Use this in eap.conf:
 
 CA_file = /path/to/certs/ca-cert.pem
 
 ca-cert.pem should contain the certificate, but not private key, of your CA.
 
 Michael
 
 Jon Franklin wrote:
 
 I've managed to get freeradius 1.0.1 working with EAP-TTLS, PEAP, and
 TLS (mostly), but I found that with EAP-TLS, I can use any client
 certificate I want, and freeradius will allow the client through.
 This presents a major security hole in my configuration, and I can't
 seem to figure out how to lock it down.
 
 Is there a way to configure freeradius to only accept client certs
 issued by a specific CA?  Either that or only allow a specific set of
 certs (say, copies of the certs in a directory, for example), either
 way would be fine for my purposes.
 
 
 
 
 


-- 
Jon Franklin
[EMAIL PROTECTED]

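Michael's advice in this thread is that CA_file must hold the CA certificate and not its private key, and Jon's follow-up asks how to tell whether the file has one. This added example (not FreeRADIUS code, and not from either poster) inspects a PEM file the way a defender would before pointing eap.conf at it: it lists every PEM block, checks that each body decodes to DER, and reports a missing CERTIFICATE block or any PRIVATE KEY block. The sample PEM strings are constructed stand-ins, not real certificates or keys.

```python
import base64
import re

# One PEM block: label, then the base64 body up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def inspect_pem(text):
    """List (label, der_length) for every PEM block, decoding each base64 body."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # X.509 certs and PKCS keys are DER SEQUENCEs
            raise ValueError("block %r does not decode to DER" % label)
        blocks.append((label, len(der)))
    return blocks

def check_ca_file(text):
    """Problems with a CA_file per the thread's rule: CA certificates only, no key."""
    blocks = inspect_pem(text)
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block found")
    problems += ["contains %s block" % l for l, _ in blocks if "PRIVATE KEY" in l]
    return problems

# Constructed stand-ins: 'MAMCAQE=' is the tiny DER SEQUENCE 30 03 02 01 01,
# not a real certificate or key; it only exercises the parsing path.
GOOD_CA_FILE = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
BAD_CA_FILE = GOOD_CA_FILE + (
    "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQE=\n-----END RSA PRIVATE KEY-----\n")
```

Run check_ca_file on the real ca-cert.pem contents; an empty list means the file contains certificate material only.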