Re: rlm_tcl module
On Thu, Apr 14, 2005 at 12:52:32PM -0400, Alan DeKok wrote:
> Alexei Chetroi [EMAIL PROTECTED] wrote:
> > Is there an rlm_tcl module available anywhere?
> No. I'm not sure I'd want to include one, even if it existed.

Any reasons not to include one, besides the fact that rlm_perl and rlm_python exist?

Best wishes
-- 
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problems with pptp / freeradius / ppp / pam...
Ok, I have the following files available here: http://xhost.ath.cx:81/list/

  dictionary              15-Apr-2005 02:07   7.5K
  dictionary.microsoft    14-Apr-2005 23:07   2.6K
  options.pptpd           14-Apr-2005 23:07   178
  radiusd.conf            14-Apr-2005 23:07   56K
  users                   14-Apr-2005 23:07   6.8K

I am trying to set up either PAM authentication, or just regular plain-text authentication.

Ok, let's start with the problems with PAM first. I added a user test via adduser test. Then I changed the password to testpass. Now let me test it with radtest:

  [EMAIL PROTECTED] ppp-2.4.3]# radtest test testpass localhost 1873 testing123
  Sending Access-Request of id 239 to 127.0.0.1:1812
          User-Name = test
          User-Password = testpass
          NAS-IP-Address = rickp4a.inscyber.net
          NAS-Port = 1873
  rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=239, length=20

Ok, cool, now let me try it from my Windows XP box and the built-in VPN client.. doesn't work:

In radiusd -X I get:

  Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 0
  rlm_unix: Attribute User-Password is required for authentication.
  modcall[authenticate]: module unix returns invalid for request 0
  modcall: group authenticate returns invalid for request 0
  auth: Failed to validate the user.

And in /var/log/messages I get:

  Apr 15 14:13:39 rickp4a pppd[12286]: Peer test failed CHAP authentication

(that's the only bad line I see)

And on the Windows XP client I get this:

  Verifying username and password...
  Access was denied because the username and/or password was invalid on the domain.

Ok, now that doesn't work.. ultimately I'd like to use that, but if I had to use clear text I wouldn't mind either. Now I am going to try bob/bob. You can see the entry I added in users...
  [EMAIL PROTECTED] ppp-2.4.3]# cat /etc/raddb/users | head -n 4
  bob     Password == bob
          Reply-Message = Hello, bob

Let's test it with radtest to make sure it works:

  [EMAIL PROTECTED] root]# radtest bob bob localhost 1873 testing123
  Sending Access-Request of id 40 to 127.0.0.1:1812
          User-Name = bob
          User-Password = bob
          NAS-IP-Address = rickp4a.inscyber.net
          NAS-Port = 1873
  rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=40, length=32
          Reply-Message = Hello, bob

Cool, it works. Now let me try it from my Windows XP VPN client... here are the results:

Here is a snippet from /var/log/messages first that doesn't look right...

  Apr 15 14:27:06 rickp4a pppd[12342]: MPPE required, but keys are not available. Possible plugin problem?
  ...
  Apr 15 14:27:06 rickp4a pptpd[12341]: GRE: read(fd=6,buffer=804eb00,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs

And here is radiusd -X:

  Processing the authenticate section of radiusd.conf
  modcall: entering group Auth-Type for request 0
  rlm_mschap: Told to do MS-CHAPv2 for bob with NT-Password
  modcall[authenticate]: module mschap returns ok for request 0
  modcall: group Auth-Type returns ok for request 0
  radius_xlat: 'Hello, bob'
  Sending Access-Accept of id 77 to 127.0.0.1:32825
          Reply-Message = Hello, bob
          MS-CHAP2-Success = 0xa0533d31463232414342304538354230364334363238463030324232323245313645463943434143413838

And now the Windows XP VPN client says:

  Verifying username and password...
  The PPP link control protocol was terminated

Ok, so it looks like it works with radtest (locally) but not remotely? Is ppp not talking to radiusd correctly?

Here are some version numbers:

  pppd version 2.4.3
  Poptop v1.2.1
  radiusd: FreeRADIUS Version 1.0.1, for host , built on Oct 28 2004 at 09:38:42

I've been as verbose as possible... any comments/advice is appreciated.

Thank you,
Bob
Re: Problems with pptp / freeradius / ppp / pam...
Hello!

> I added a user test via adduser test. Then I changed the password to testpass.
> Ok, cool, now let me try it from my windows xp box and the built in vpn client.. doesn't work:
> In radiusd -X I get:
>   Processing the authenticate section of radiusd.conf
>   modcall: entering group authenticate for request 0
>   rlm_unix: Attribute User-Password is required for authentication.
>   modcall[authenticate]: module unix returns invalid for request 0
>   modcall: group authenticate returns invalid for request 0
>   auth: Failed to validate the user.
> And in /var/log/messages I get:
>   Apr 15 14:13:39 rickp4a pppd[12286]: Peer test failed CHAP authentication
> (that's the only bad line I see)

This has probably been said a hundred times already: CHAP and one-way crypted passwords CONCEPTUALLY DO NOT WORK TOGETHER. This is because neither of the two sides has a means to compare the other side's input. CHAP computes a one-way hash of the password, which means that the plain-text password cannot be retrieved from it. passwd crypt() (or MD5, for that matter) does a similar thing, and the password cannot be retrieved either. So, both ends of the connection end up with incompatible hashes that are not comparable. That's why at least one side needs a plain-text password. And this is exactly what the radiusd server said:

  rlm_unix: Attribute User-Password is required for authentication.

Pretty clear if you understand the workings of CHAP and crypt().

> Here is a snippet from /var/log/messages first that doesn't look right...
>   Apr 15 14:27:06 rickp4a pppd[12342]: MPPE required, but keys are not available. Possible plugin problem?
>   Sending Access-Accept of id 77 to 127.0.0.1:32825
>           Reply-Message = Hello, bob
>           MS-CHAP2-Success = 0xa0533d31463232414342304538354230364334363238463030324232323245313645463943434143413838

pppd requested keying material (which is usually transferred in attributes named like MS-CHAP-MPPE-...), but the server doesn't send any.

You could probably fix that (either by turning encryption off or convincing the radiusd server to send the attributes also when plain-text authentication is done), but since the overall process you want to achieve is to use CHAP, there probably is no point in doing so. Rather use plain-text passwords in your backend, then your original goal of using CHAP will work, and the radiusd server can _easily_ be configured to send the keying material with CHAP.

> I've been as verbose as possible... any comments/advice is appreciated.

Me too.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingénieur réseau et système
6, rue Richard Coudenhove-Kalergi      email: [EMAIL PROTECTED]
L-1359 Luxembourg                      tél.: +352 424409-33
http://www.restena.lu                  fax: +352 422473
issues with proxy to same ip address but different port
Is there an issue with freeradius proxying to a home radius server which is in fact on the same IP address that the proxy is listening on, but on a different port? That is, the proxy and backend servers are on the same hardware listening on the same interface.

The proxy (using a realm in proxy.conf, specifying IP and ports) works fine if the target is elsewhere, but no traffic appears when the target is the same IP as it is listening on. tcpdump shows no traffic on the interface, nor the loopback lo0.

This is running on FreeBSD 4.10. Perhaps it's an OS issue? I say this because when I use a test client to query the listening target directly, the traffic actually is sent over lo0, despite being specified as the address of the interface.

Googling the archives didn't help.

tariq
Re: Attribute User-Password is required for authentication.
On Thu, Apr 14, 2005, Bob Mancker wrote:
> I am currently working on a vpn server, and I use pptpd with freeradius and trying to get pam authentication working. I want to setup freeradius with pam authentication because I want to limit simultaneous logins per user to 1. The two odd things I notice are this in /var/log/messages:
>   Apr 15 11:12:30 server pppd[11599]: rc_avpair_new: unknown attribute 11
>   Apr 15 11:12:30 server pppd[11599]: rc_avpair_new: unknown attribute 25

I've already faced this problem; it's not linked with freeradius, but with the libradius (radius client), whose dictionaries don't implement Microsoft's VSAs by default.

You must add a dictionary.microsoft file in your libradius dir (usually /etc/radiusclient) and add the line

  INCLUDE /etc/radiusclient/dictionary.microsoft

in your /etc/radiusclient/dictionary file.

You can't copy freeradius' dictionary.microsoft file directly to /etc/radiusclient: the formats are similar but not exactly the same. I spent a little time figuring out the differences between the two formats and adapting FR's dictionary.microsoft to be used by libradius; you can get my adapted file at http://ramiel/~endy/dictionary.microsoft

The format may depend on libradius' version, so I don't guarantee anything. It's really a pain that there is no standard format (yet?) for dictionary files.

-- 
Alexandre Coninx
TLS not tunneled inside TLS
Hello,

I am using Secure W2 trying to use TTLS. Everything went fine and smooth using TLS with the XP default supplicant. I configured Secure W2 properly and TTLS has problems.

Here is my tls and ttls configuration:

  eap {
          default_eap_type = ttls
          timer_expire = 60
          ignore_unknown_eap_types = no
          md5 {
          }
          tls {
                  private_key_password = whatever
                  private_key_file = /etc/ssl/private/tino.key
                  certificate_file = /etc/ssl/tino.pem
                  CA_file = /etc/ssl/ca.pem
                  dh_file = /dev/arandom
                  random_file = /dev/arandom
                  fragment_size = 1024
          }
          ttls {
                  default_eap_type = md5
                  use_tunneled_reply = yes
          }
  }

Here are the error logs. Any hints?

Thank you very much

Rick

  Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 17
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
  rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module eap returns handled for request 17
  modcall: group authenticate returns handled for request 17
  TTLS: Got tunneled Access-Challenge
  modcall[authenticate]: module eap returns handled for request 17
  modcall: group authenticate returns handled for request 17
  Sending Access-Challenge of id 147 to 172.27.7.250:1645
          EAP-Message = 0x010700641580005a17030100182a73a6f398bd9c0c6c0c483836199014d8b1beb14c1182df170301003868ee91731498202e5c9c0ff30ec0629b2f142d94506069effe7aa906f44573c0db8abefe7f44284d9a518f61d8950e2776a7a01d084866d5
          Message-Authenticator = 0x
          State = 0xa8b47008890857708e4ab6f5ad62db63
  Finished request 17
  Going to the next request
  Waking up in 3 seconds...
rad_recv: Access-Request packet from host 172.27.7.250:1645, id=148, length=227 User-Name = anonymous Framed-MTU = 1400 Called-Station-Id = 0012.438a.e520 Calling-Station-Id = 0002.2d69.a5ca Service-Type = Login-User Message-Authenticator = 0x9b7e085047fd7f2c94dcd48061ac5fe6 EAP-Message = 0x0207004f1580004517030100408fa443f528c7ea4250954791c25244d9adf9194a02b7a1932610618f2df56151623f949a5f38eadb23d28d1e00c03ffe8a1b0bbe62efd3164435ed62f9d518e7 NAS-Port-Type = Wireless-802.11 NAS-Port = 596 State = 0xa8b47008890857708e4ab6f5ad62db63 NAS-IP-Address = 172.27.7.250 NAS-Identifier = ap-172-27-7-250 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 18 modcall[authorize]: module preprocess returns ok for request 18 modcall[authorize]: module chap returns noop for request 18 modcall[authorize]: module mschap returns noop for request 18 rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 18 rlm_eap: EAP packet type response id 7 length 79 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 18 users: Matched entry DEFAULT at line 155 modcall[authorize]: module files returns ok for request 18 modcall: group authorize returns updated for request 18 rad_check_password: Found Auth-Type EAP auth: type EAP Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 18 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. 
TTLS: Adding old state with 3f 5e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 18 modcall[authorize]: module preprocess returns ok for request 18 modcall[authorize]: module chap returns noop for request 18 modcall[authorize]: module mschap returns noop for request 18 rlm_realm: No '@' in User-Name = Riccardo Veraldi, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 18 rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 18 users: Matched entry DEFAULT at line 155 modcall[authorize]: module files returns ok for request 18 modcall: group authorize returns updated for request 18 rad_check_password: Found Auth-Type EAP auth: type EAP Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 18 rlm_eap: Request
Re: [Serusers] Strange problems
sorry for the question, but i have ser 0.8.14 freeradius-1.0.2 it's require radiusclient-ng-5.0 Thanks for help. On 4/14/05, Klaus Darilion [EMAIL PROTECTED] wrote: http://mail.iptel.org/pipermail/serdev/2005-March/004040.html Klaus Darilion wrote: AFAIK new ser requires new radiusclient-ng regards, klaus Alex wrote: Hi guys thanks for any help, i got a lot of useful information from this list. I will try to explain my problem. i have 2 linux servers : 1- server Red Hat Linux release 9 ser + freeradius 0.9.3 + radius client 2-server Red Hat Enterprise Linux AS release 3 ser + freeradius 1.2 + radius client 4.8 I trying to register my ip phone through ser + radius . On the 1 server it's working fine i receiving register requests, i can see that in the logs, and the request is going through the authentication process. On the 2 server i receiving register requests, but it's not going to the radius authentication, i don't see anything inside the radius logs. Here is the ngrep on port 5060: from the 2 server - U telephoneip:10739 - xxx.xxx.xxx.xxx:5060 REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP telephoneip:1;branch=z9hG4bK98514c3b052d7df6..From: Test Alex sip:[EMAIL PROTECTED];user=phone;tag=50673f1baca1958c..To: sip:[EMAIL PROTECTED];user=phone..Contact: sip :[EMAIL PROTECTED]:1;user=phone..Call-ID: [EMAIL PROTECTED]: 106 REGISTER..Expires: 3600..User-Agent : Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt h: 0 # U xxx.xxx.xxx.xxx:5060 - telephoneip:1 SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP telephoneip:1;branch=z9hG4bK98514c3b052d7df6..From: Test Alex sip:[EMAIL PROTECTED];user=phone;tag=50673f1baca1958c..To: sip:[EMAIL PROTECTED];user=phone;tag=b27e1a1d33761e85846fc9 8f5f3a7e58.f894..Call-ID: [EMAIL PROTECTED]: 106 REGISTER..WWW-Authenticate: Digest realm=xxx.xxx.xxx.xxx, nonc e=425e3ac34dc9509392435c11fb260f41420049c7..Server: Sip EXpress router (0.8.14 
(i386/linux))..Content-Length: 0..Warning: 392 xxx.xxx.xxx.xxx:5060 Noisy feedback tells: pid=1912 req_src_ip=telephoneip req_src_port=10739 in_uri=sip:xxx.xxx.xxx.xxx out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1 # U telephoneip:10740 - xxx.xxx.xxx.xxx:5060 REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP telephoneip:1;branch=z9hG4bK98514c3b052d7df6..From: Test Alex sip:[EMAIL PROTECTED];user=phone;tag=50673f1baca1958c..To: sip:[EMAIL PROTECTED];user=phone..Contact: sip :[EMAIL PROTECTED]:1;user=phone..Call-ID: [EMAIL PROTECTED]: 106 REGISTER..Expires: 3600..User-Agent : Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt h: 0 # U xxx.xxx.xxx.xxx:5060 - telephoneip:1 SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP telephoneip:1;branch=z9hG4bK98514c3b052d7df6..From: Test Alex sip:[EMAIL PROTECTED];user=phone;tag=50673f1baca1958c..To: sip:[EMAIL PROTECTED];user=phone;tag=b27e1a1d33761e85846fc9 8f5f3a7e58.f894..Call-ID: [EMAIL PROTECTED]: 106 REGISTER..WWW-Authenticate: Digest realm=xxx.xxx.xxx.xxx, nonc e=425e3acb812b5b2e8aa023e3fcffc618dc4cf661..Server: Sip EXpress router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392 xxx.xxx.xxx.xxx:5060 Noisy feedback tells: pid=1885 req_src_ip=telephoneip req_src_port=10740 in_uri=sip:xxx.xxx.xxx.xxx out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1 # here is the debug from ser : - 14(1036) parse_headers: flags=-1 14(1036) check_via_address(62.219.158.191, 62.219.158.191, 1) 14(1036) DEBUG:destroy_avp_list: destroing list (nil) 14(1036) receive_msg: cleaning up 9(1012) SIP Request: 9(1012) method: REGISTER 9(1012) uri: sip:xxx.xxx.xxx.xxx 9(1012) version: SIP/2.0 9(1012) parse_headers: flags=1 9(1012) Found param type 232, branch = z9hG4bKfc5751413c832e6d; state=16 9(1012) end of header reached, state=5 9(1012) parse_headers: Via found, flags=1 9(1012) parse_headers: this is the first via 9(1012) After parse_msg... 9(1012) preparing to run routing scripts... 
9(1012) REGISTER: Authenticating user 9(1012) parse_headers: flags=4 9(1012) end of header reached, state=9 9(1012) DEBUG: get_hdr_field: To [45]; uri=[sip:[EMAIL PROTECTED];user=phone] 9(1012) DEBUG: to body [sip:[EMAIL PROTECTED];user=phone ] 9(1012) parse_headers: flags=4096 9(1012) get_hdr_field: cseq CSeq: 103 REGISTER 9(1012) DEBUG: get_hdr_body : content_length=0 9(1012) found end of header 9(1012) pre_auth(): Credentials with given realm not found 9(1012) REGISTER: challenging user 9(1012)
Radius performance
I'm running freeradius 1.0.2 (on Debian) with chillispot 1.0rc3 (on WRT54G) and I have a performance question.

To help authorize users I use my own scripts with the sql module:

1) to set sql_user_name (it maps the username from a database table)

  sql_user_name = %{exec:/etc/freeradius/scripts/UserRealName}

2) to choose the auth table

  authcheck_table = %{exec:/etc/freeradius/scripts/AuthTable}

The time to run every script from the command line is about 0.5s (my computer is slow), sometimes more... So radius runs these scripts every time and waits in them. Is it possible to run these scripts as built-in, like rlm_perl, to just run some method, and not run it every time? If I make the scripts in PHP, is it possible to use pconnect? How to optimize it?

-- 
EW
vlan attribute through proxy
Hi, I have two questions on the VLAN attribute with proxying.

We are proxying requests with realms, and the remote radius server sends a VLAN attribute stored in an OpenLDAP directory.

First: how can we prevent this server from giving a VLAN attribute it is not allowed to use (we don't manage this remote server)?

Second: if the VLAN is not on the access point the laptop is connecting to, how can we assign the default VLAN (first use VLAN number i, but if it doesn't work (the laptop reauthenticates) take VLAN j)? Maybe it is up to the AP to do this.

Thanks

-- 
bmathieu [EMAIL PROTECTED]
The usual: Could not find clear text password for user .....
Hello All,

Just a bit of a preamble... We have a Cisco NAS device sending CHAP auth requests from DSL devices to our radius server. We currently auth fine using Steel-Belted Radius but wish to migrate to FreeRadius. I cannot for the life of me successfully authenticate the devices using Freeradius / CHAP. PAP using radtest is fine.

I feel I should stress the following:
- I have read the contents of the /doc folder.
- I have read the FAQ.
- I have gone through every config file.
- I have tried v1.0.1 and v1.0.2

The out-of-the-box config has been changed in the following way:

clients.conf
=
client 62.6.36.111 {
        secret =
        shortname = BT-1
        nastype = cisco
}
=

users
=
[EMAIL PROTECTED]        User-Password == USER1-BLAH
        Framed-IP-Address = 172.31.42.2,
        Framed-Protocol = PPP,
        Service-Type = Framed-User,
        Cisco-AVPAIR = ip =
=

proxy.conf
=
realm DEFAULT {
        authhost = LOCAL
        accthost = LOCAL
        nostrip
}
=

Output of radiusd -X
--
  Nothing to do. Sleeping until we see a request.
  rad_recv: Access-Request packet from host 62.6.36.111:44167, id=4, length=115
          User-Name = [EMAIL PROTECTED]
          CHAP-Password = 0x4f199a6b0e0f5f61ea00e3431ea06d91e6
          NAS-IP-Address = 217.41.208.202
          NAS-Port = 501
          Service-Type = Framed-User
          Framed-Protocol = PPP
          Proxy-State = 0x42543030326436336366643134
          NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 3
  modcall[authorize]: module mschap returns noop for request 3
  rlm_realm: Looking up realm TESTDOMAIN.COM for User-Name = [EMAIL PROTECTED]
  rlm_realm: Found realm DEFAULT
  rlm_realm: Proxying request from user USER1-BLAH to realm DEFAULT
  rlm_realm: Adding Realm = DEFAULT
  rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 3
  users: Matched entry DEFAULT at line 155
  users: Matched entry DEFAULT at line 175
  users: Matched entry DEFAULT at line 187
  modcall[authorize]: module files returns ok for request 3
  modcall: group authorize returns ok for request 3
  rad_check_password: Found Auth-Type CHAP
  auth: type CHAP
  Processing the authenticate section of radiusd.conf
  modcall: entering group Auth-Type for request 3
  rlm_chap: login attempt by [EMAIL PROTECTED] with CHAP password
  rlm_chap: Could not find clear text password for user [EMAIL PROTECTED]
  modcall[authenticate]: module chap returns invalid for request 3
  modcall: group Auth-Type returns invalid for request 3
  auth: Failed to validate the user.
  Delaying request 3 for 1 seconds
  Finished request 3
  Going to the next request
---

Obviously it seems that radiusd cannot read the user information from the users file, and I can only assume this is due to a configuration error on my part. I have made innumerable changes to the config to try to get around this but always seem to come back to this issue.

After much reading / searching for similar problems / solutions, the only thing I have discovered is that the overriding response from this list is: Read the FAQ. I can assure you all that I have done...

If anyone has any ideas / suggestions / hints / observations / pointers they would be greatly appreciated.

Kind Regards and thank you in advance for your time,

SM

-- 
Equinox Converged Solutions
Tel: +44 (0)1252 405 600
http://www.equinoxsolutions.com
Re: SNMP with net-snmp
On Thu, 14 Apr 2005, Kevin Bonner wrote:
> You're using Net-SNMP in RHAS4. FreeRADIUS 1.0.2 doesn't have the net-snmp compatibility fix. You can find the patch at http://lists.freeradius.org/archives/freeradius-users/2004/10/frm00210.html

Thanks Kevin, it worked. After applying the patch the snmp module is working fine.

  [...]
  Module: Loaded detail
  Module: Instantiated detail (detail)
  SMUX initialization
  Registering MIB: mibII/radius-acc-server
  Registering MIB: mibII/radius-auth-server
  SMUX start
  Initializing the thread pool...
  Listening on authentication *:1812
  Listening on accounting *:1813
  Ready to process requests.
test new installation
Hi guys,

I installed radiusclient-ng-0.5.0 with freeradius-1.0.2. I am trying to test the setup by running this command:

  radclient -f digest localhost auth testing123

I am receiving this error:

  radclient: No token read where we expected an attribute name

Any help will be appreciated.
ERROR: No Digest-Nonce Cannot perform Digest authentication
I have installed freeradius 1.0.2 and radiusclient-ng 0.5.0. After the installation I am trying to run the test:

  radtest test test localhost 1649 testing123
          User-Name = test
          User-Password = test
          NAS-IP-Address = MAINSIP
          NAS-Port = 1649
  rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=134, length=45
          Reply-Message = Hello, test with digest

I have the file digest:
---
  User-Name = test,
  Digest-Response = 631d6d73147add2f9e437f59bbc3aeb7,
  Digest-Realm = testrealm,
  Digest-Nonce = 1234abcd ,
  Digest-Method = INVITE,
  Digest-URI = sip:[EMAIL PROTECTED],
  Digest-Algorithm = MD5,
  Digest-User-Name = test

In the debug of the radius server I receive that error:
--
  rad_recv: Access-Request packet from host 127.0.0.1:32842, id=115, length=56
          User-Name = test
          User-Password = test
          NAS-IP-Address = 255.255.255.255
          NAS-Port = 1649
  modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
  rlm_eap: EAP-Message not found
  modcall[authorize]: module eap returns noop
  modcall[authorize]: module digest returns noop
  rlm_realm: No '@' in User-Name = test, looking up realm NULL
  rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
  users: Matched DEFAULT at 152
  users: Matched test at 215
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
  modcall: group authorize returns ok
  rad_check_password: Found Auth-Type Digest
  auth: type digest
  modcall: entering group authenticate
  **ERROR: No Digest-Nonce: Cannot perform Digest authentication**
  modcall[authenticate]: module digest returns invalid
  modcall: group authenticate returns invalid
  auth: Failed to validate the user.

Thanks for the help
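The arithmetic behind the Digest-Response in the poster's digest file, and why the radtest request above can only end in the "No Digest-Nonce" error, as an added example. This is not code from FreeRADIUS or radiusclient-ng; it implements RFC 2617 digest (the scheme SIP uses per RFC 3261) as a client would compute it and as a server would check it. Assumed here: the Digest-URI (the original was redacted), the password "test", and that the extra attribute names used for qop (Digest-QOP, Digest-Nonce-Count, Digest-CNonce, Digest-Body-Digest) mirror the FreeRADIUS dictionary.

```python
"""Digest authentication as carried in RADIUS Digest-* attributes (RFC 2617 / RFC 3261).

Added example, not FreeRADIUS or radiusclient-ng code. The URI and password are constructed;
the qop-related attribute names are assumed to follow the FreeRADIUS dictionary.
"""
import hashlib
import hmac


def _md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server storing HA1 can verify without the password."""
    return _md5hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    qop=None, nc=None, cnonce=None, body_md5=None) -> str:
    """RFC 2617 3.2.2.1. HA2 = MD5(method:uri) (auth-int also covers the body hash).
    Without qop: MD5(HA1:nonce:HA2). With qop: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5hex(f"{method}:{uri}:{body_md5}") if qop == "auth-int" else _md5hex(f"{method}:{uri}")
    if qop is None:
        return _md5hex(f"{h1}:{nonce}:{ha2}")
    if not (nc and cnonce):
        raise ValueError("qop=auth/auth-int requires nonce-count and cnonce")
    return _md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


REQUIRED = ("Digest-Response", "Digest-Realm", "Digest-Nonce",
            "Digest-Method", "Digest-URI", "Digest-User-Name")


def verify_digest(attrs: dict, credential: dict) -> bool:
    """Server side. `attrs` mirrors the request's Digest-* attributes; `credential` holds either
    {"cleartext": ...} or {"ha1": ...}. A request with no Digest-* attributes (what radtest sends)
    is an error rather than a reject: there is nothing to compare the password against."""
    missing = [name for name in REQUIRED if name not in attrs]
    if missing:
        raise LookupError("cannot perform Digest authentication, missing " + ", ".join(missing))
    if attrs.get("Digest-Algorithm", "MD5").upper() != "MD5":
        raise NotImplementedError("only algorithm=MD5 is shown here")
    if "ha1" in credential:
        h1 = credential["ha1"]
    else:
        h1 = ha1(attrs["Digest-User-Name"], attrs["Digest-Realm"], credential["cleartext"])
    expected = digest_response(h1, attrs["Digest-Method"], attrs["Digest-URI"], attrs["Digest-Nonce"],
                               qop=attrs.get("Digest-QOP"), nc=attrs.get("Digest-Nonce-Count"),
                               cnonce=attrs.get("Digest-CNonce"), body_md5=attrs.get("Digest-Body-Digest"))
    return hmac.compare_digest(expected, attrs["Digest-Response"].lower())


def demo() -> dict:
    """The poster's digest file with a response computed for password "test", checked three ways,
    plus the radtest-style request that carries only User-Password."""
    uri = "sip:test@testrealm"   # constructed stand-in for the redacted Digest-URI
    request = {
        "User-Name": "test", "Digest-User-Name": "test", "Digest-Realm": "testrealm",
        "Digest-Nonce": "1234abcd", "Digest-Method": "INVITE", "Digest-URI": uri, "Digest-Algorithm": "MD5",
    }
    request["Digest-Response"] = digest_response(ha1("test", "testrealm", "test"), "INVITE", uri, "1234abcd")
    radtest_request = {"User-Name": "test", "User-Password": "test"}   # no Digest-* attributes at all
    out = {
        "cleartext_ok": verify_digest(request, {"cleartext": "test"}),
        "ha1_ok": verify_digest(request, {"ha1": ha1("test", "testrealm", "test")}),
        "wrong_password": verify_digest(request, {"cleartext": "nottest"}),
    }
    try:
        verify_digest(radtest_request, {"cleartext": "test"})
        out["radtest_request"] = "verified"
    except LookupError as err:
        out["radtest_request"] = str(err)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for the two digest threads above: radtest builds a PAP request (User-Password only), so a users entry that forces Auth-Type Digest hands rlm_digest a packet with none of the fields it hashes over; the Digest-* attributes have to come from the SIP proxy (or from radclient reading a file like the poster's). Also note that the server never needs the digest response's nonce to be secret, only unpredictable and unused before, which is why it is the server (ser here) that issues it in the 401 challenge.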
RE: The usual: Could not find clear text password for user .....
Many thanks Scott...

H - Good point about PAP / CHAP. I'll look into it. I thought that my user config was wrong or not being associated with the incoming user request correctly. Does the config look OK to you?

Yes - plaintext secret key.

validate makes me again think it's not reached the auth phase and is still looking to match user info. You can see:

  modcall[authorize]: module eap returns noop for request 3
  users: Matched entry DEFAULT at line 155
  users: Matched entry DEFAULT at line 175
  users: Matched entry DEFAULT at line 187
  modcall[authorize]: module files returns ok for request 3

The users matched lines above do not include the entry for the test user, which again suggests the same as above.

I'd like to see a radiusd -X output for a working connection and then I'd be able to see what's different and try to home in on the issue!

Thanks again - I'll keep trying. I'm at the point where trying to get an infinite amount of monkeys and typewriters together in a big room to write the config is becoming a serious consideration... Haha

SM

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Edwards
Sent: 15 April 2005 16:53
To: freeradius-users@lists.freeradius.org
Subject: Re: The usual: Could not find clear text password for user .

On 4/15/05, [EMAIL PROTECTED] wrote:
> Hello All,
> Just a bit of a preamble... We have a Cisco NAS device sending CHAP auth requests from DSL devices to our radius server. We currently auth fine using Steel-Belted Radius but wish to migrate to FreeRadius.

Any idea if/how CHAP differs between these two? There's only so many ways to do chap, right? Can the dsl devices do PAP? Maybe you'll get to see the plain text password submitted on the wire.

[snip]

> clients.conf
> =
> client 62.6.36.111 {
>         secret =
>         shortname = BT-1
>         nastype = cisco
> }
> =

I assume the password masked above is in plain text, right?

[snip]

> modcall: group authorize returns ok for request 3
> rad_check_password: Found Auth-Type CHAP
> auth: type CHAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 3
> rlm_chap: login attempt by [EMAIL PROTECTED] with CHAP password
> rlm_chap: Could not find clear text password for user [EMAIL PROTECTED]
> modcall[authenticate]: module chap returns invalid for request 3
> modcall: group Auth-Type returns invalid for request 3
> auth: Failed to validate the user.

[snip]

validate or authenticate?

Those are the best hints I can offer at present.

Thanks,

Scott Edwards
-- 
Daxal Communications - http://www.daxal.com
Surf the USA - http://www.surfthe.us

-- 
Equinox Converged Solutions
Tel: +44 (0)1252 405 600
http://www.equinoxsolutions.com
Re: rlm_tcl module
Alexei Chetroi [EMAIL PROTECTED] wrote:
> Any reasons to not include? beside that rlm_perl and rlm_python exists.

Unless you're careful, TCL has memory leaks. That's a terrible thing to do to a RADIUS server.

Memory leaks don't matter when you're running TCL as a separate process. When it's part of another program that runs for months without exiting, TCL is a bad, bad, bad, choice.

Alan DeKok.
Re: Problems with pptp / freeradius / ppp / pam...
Bob Mancker [EMAIL PROTECTED] wrote:
> Ok, cool, now let me try it from my windows xp box and the built in vpn client.. doesn't work:
> In radiusd -X I get:
>   Processing the authenticate section of radiusd.conf
>   modcall: entering group authenticate for request 0
>   rlm_unix: Attribute User-Password is required for authentication.

You're very carefully posting enough information to show that something's wrong, but not why.

Unless a miracle is occurring, the XP box is sending a DIFFERENT radius packet than radtest. As a result, the response of the radius server will be (no surprise) different. In order to see why, READ THE DEBUG LOG, and see what the XP client is sending.

> And in /var/log/messages I get:
>   Apr 15 14:13:39 rickp4a pppd[12286]: Peer test failed CHAP authentication

Unix CHAP: see the FAQ.

> Sending Access-Accept of id 77 to 127.0.0.1:32825
>         Reply-Message = Hello, bob
>         MS-CHAP2-Success = 0xa0533d31463232414342304538354230364334363238463030324232323245313645463943434143413838

You can configure the MSCHAP module to send MPPE keys.

Alan DeKok.
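Alan's point that the XP client sends a different packet than radtest, and Stefan Winter's explanation earlier in the thread of why CHAP cannot be checked against a crypt()-style hash (the same wall SM hits with "Could not find clear text password"), as an added example. This is not code from FreeRADIUS, pppd or radtest; it builds the two attributes the two clients put on the wire (User-Password for PAP per RFC 2865 section 5.2, CHAP-Password per RFC 2865 section 5.3 and RFC 1994) and verifies each against a clear-text entry and against a one-way hash. The shared secret is the testing123 used with radtest in the thread; the Request Authenticator, passwords, salt and the SHA-256 stand-in for a crypt() password store are constructed.

```python
"""PAP vs CHAP inside a RADIUS Access-Request, and why CHAP needs a clear-text password.

Added example, not code from FreeRADIUS, pppd or radtest. testing123 is the shared secret
used with radtest in the thread; Request Authenticator, passwords, salt and the SHA-256
stand-in for a crypt()-style password store are constructed test values.
"""
import hashlib
import hmac
import os

SHARED_SECRET = b"testing123"   # NAS/client shared secret, as given to radtest

# ---- PAP: User-Password attribute (RFC 2865, section 5.2) --------------------

def pap_encode(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side. Pad to 16-byte blocks, XOR each block with MD5(secret + previous block);
    the first block is keyed by the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:                      # an empty password still occupies one block
        padded = b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def pap_decode(attr: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side. Regenerate the keystream, recover the clear text, drop NUL padding.
    The server gets the clear text back, so PAP can be checked against ANY password store."""
    if not attr or len(attr) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(attr), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(attr[i:i + 16], keystream))
        prev = attr[i:i + 16]
    return out.rstrip(b"\x00")

# ---- CHAP: CHAP-Password attribute (RFC 2865, section 5.3; RFC 1994) ---------

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge), 16 bytes.
    Neither the NAS nor the server ever holds the password in recoverable form."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password as the NAS sends it: one byte CHAP Ident + the 16-byte response.
    The challenge travels in CHAP-Challenge or, if that is absent, IS the Request Authenticator."""
    return bytes([ident]) + chap_response(ident, password, challenge)

# ---- Server-side verification against two kinds of stored credential ---------

def stored_hash(password: bytes, salt: bytes) -> bytes:
    """Constructed stand-in for a one-way store such as crypt() in /etc/shadow (what PAM/rlm_unix see)."""
    return hashlib.sha256(salt + password).digest()


def verify_pap(attr: bytes, secret: bytes, request_authenticator: bytes, record: dict) -> bool:
    password = pap_decode(attr, secret, request_authenticator)
    if "cleartext" in record:
        return hmac.compare_digest(password, record["cleartext"])
    # A one-way hash is fine here: the clear text came out of the packet, so hash and compare.
    return hmac.compare_digest(stored_hash(password, record["salt"]), record["hash"])


def verify_chap(attr: bytes, challenge: bytes, record: dict) -> bool:
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 17 bytes (Ident + 16-byte response)")
    if "cleartext" not in record:
        # MD5(Ident || password || challenge) cannot be derived from crypt(password): this is the
        # case behind "User-Password is required" and "Could not find clear text password".
        raise LookupError("CHAP needs the clear-text password; a one-way hash cannot be used")
    ident, response = attr[0], attr[1:]
    return hmac.compare_digest(response, chap_response(ident, record["cleartext"], challenge))


def demo() -> dict:
    """radtest (PAP) succeeds against a PAM/unix-style account; the VPN client's CHAP
    exchange cannot be checked against it, but works against a clear-text users entry."""
    request_authenticator = os.urandom(16)
    challenge = request_authenticator      # no CHAP-Challenge attribute: the RA doubles as challenge
    salt = b"constructed-salt"
    unix_account = {"salt": salt, "hash": stored_hash(b"testpass", salt)}   # like `adduser test`
    users_entry = {"cleartext": b"bob"}                                     # like `bob  Password == bob`
    results = {
        "pap_vs_unix_account": verify_pap(pap_encode(b"testpass", SHARED_SECRET, request_authenticator),
                                          SHARED_SECRET, request_authenticator, unix_account),
        "chap_vs_users_entry": verify_chap(chap_password_attr(7, b"bob", challenge), challenge, users_entry),
        "chap_wrong_password": verify_chap(chap_password_attr(7, b"wrong", challenge), challenge, users_entry),
    }
    try:
        verify_chap(chap_password_attr(7, b"testpass", challenge), challenge, unix_account)
        results["chap_vs_unix_account"] = "verified"
    except LookupError as err:
        results["chap_vs_unix_account"] = str(err)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Reading the debug log with this in mind is what Alan is asking for: a radtest request carries User-Password, which the server decrypts with the shared secret and can hand to PAM; pppd's CHAP request carries CHAP-Password, which rlm_chap can only recompute from a clear-text check item (the User-Password == entry in the users file). The same applies to MS-CHAP, which needs the NT hash rather than the clear text, and that hash is likewise not derivable from a crypt() entry.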
Re: issues with proxy to same ip address but different port
Tariq Rashid [EMAIL PROTECTED] wrote:
> is there an issue with freeradius proxying to a home radius server which is in fact on the same IP address that the proxy is listening on, but on a different port.

I do it all of the time. It's one of my testing scenarios.

> tcpdump shows no traffic on the interface, nor the loopback lo0.

That's because the traffic probably doesn't go out the interface. It's short-circuited inside of the kernel.

Alan DeKok.
RE: The usual: Could not find clear text password for user .....
Thanks Alan... You're right - the user entry is not on the named lines. I'll keep looking.

Cheers
SM

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 15 April 2005 17:33
To: freeradius-users@lists.freeradius.org
Subject: Re: The usual: Could not find clear text password for user .

[EMAIL PROTECTED] wrote:
> I feel I should stress the following:
> - I have read the contents of the /doc folder. ... <g>

That's a good start, but often not enough.

> users
> [EMAIL PROTECTED]   User-Password == USER1-BLAH

Which line is that entry on?

> Output of radiusd -X
> ...
> users: Matched entry DEFAULT at line 155
> users: Matched entry DEFAULT at line 175
> users: Matched entry DEFAULT at line 187

I'll bet $$ that the entry for that user is NOT on line 155, 175, or on 187.

So the answer is that CHAP isn't working because it doesn't know the clear-text password. It doesn't know the clear-text password because that entry of the users file wasn't matched. That entry of the users file wasn't matched for reasons which aren't clear in the debug log.

My suggestion is to simplify the test even more. Avoid realms entirely. Use just a plain user named "user", with password "user". If that works for CHAP (and it should), then make the test more complicated until it breaks. You'll then know what is causing the problem, which goes a long way to fixing it.

Alan DeKok.
new installation of freeradius.1.0.2
Hi all, Hi Alan,

I have a hard time getting freeradius to work properly with authentication of ser/sip users. I have a new installation of freeradius-1.0.2 and radiusclient-ng.0.5.0. I am trying to check the installation and I am receiving this error:

radclient -f digest localhost 1645 auth testing123
radclient: No token read where we expected an attribute name

Any suggestions will be appreciated. Furthermore I tried different installations of the freeradius. Also I read your replies for digest authentications, and I did it the same way you explained. For some reason I don't know what the problem is. I am trying to authenticate the same IP phone to 2 different radius servers. On the first one it's working correctly but on the 2nd nothing happens, I don't see any authentication requests. On the first server I have freeradius-0.9.3. I tried to search on Google for some solutions and I can't find them. As I understand it, the ser users use Digest Authentication.

radtest test test localhost 1649 testing123
Sending Access-Request of id 154 to 127.0.0.1:1812
        User-Name = test
        User-Password = test
        NAS-IP-Address = MAINSIP
        NAS-Port = 1649
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=154, length=20

in the debug logs:
-
rad_recv: Access-Request packet from host 127.0.0.1:32842, id=164, length=56
        User-Name = test
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1649
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
  rlm_eap: EAP-Message not found
  modcall[authorize]: module eap returns noop
  modcall[authorize]: module digest returns noop
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate
  modcall[authenticate]: module unix returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.

Thanks for any help.
Re: ERROR: No Digest-Nonce Cannot perform Digest authentication
Alex [EMAIL PROTECTED] wrote:
> I have file digest:
> ---
> User-Name = test, Digest-Response = 631d6d73147add2f9e437f59bbc3aeb7...
...
> in the debug of the radius server i receive that error:
> --
> rad_recv: Access-Request packet from host 127.0.0.1:32842, id=115, length=56
>         User-Name = test
>         User-Password = test

Ok... you have the file "digest" WITHOUT a User-Password attribute in it, but the RADIUS server receives a RADIUS request WITH a User-Password attribute.

Either something very weird is happening, or you're not sending the digest file to the server.

> rad_check_password: Found Auth-Type Digest
> auth: type digest
> modcall: entering group authenticate
> **ERROR: No Digest-Nonce: Cannot perform Digest authentication**

You set Auth-Type := Digest for a packet which had no digest attributes in it. Don't do that.

Alan DeKok.
Re: ERROR: No Digest-Nonce Cannot perform Digest authentication
Alan, thanks for fast replies.

I installed again freeradius-0.9.3 and radiusclient-4.8. I have created the file digest; inside this file I have:

User-Name = test,
Digest-Response = 631d6d73147add2f9e437f59bbc3aeb7,
Digest-Realm = testrealm,
Digest-Nonce = 1234abcd,
Digest-Method = INVITE,
Digest-URI = sip:[EMAIL PROTECTED],
Digest-Algorithm = MD5,
Digest-User-Name = test

inside raddb/users I have:

test    Auth-Type := Digest, User-Password == test
        Reply-Message = Hello, test with digest

I am running just an installation test:

radclient -f digest localhost 1645 auth testing123
radclient: No token read where we expected an attribute name

What can it be?? Is there any way I can totally remove the installations of all radiusclients and freeradiuses, and reinstall them??
Re: ERROR: No Digest-Nonce Cannot perform Digest authentication
Alex [EMAIL PROTECTED] wrote:
> inside raddb/users i have :
> test    Auth-Type := Digest, User-Password == test
>         Reply-Message = Hello, test with digest

DO NOT SET Auth-Type.

> I am running just installation test:
> radclient -f digest localhost 1645 auth testing123
> radclient: No token read where we expected an attribute name
> what it can be ??

Can you answer the questions I asked in my previous responses?

> If there any way i can remove totally the installations of all radiusclients and freeradiuses, and reinstall them ??

Yes. rm.

Alan DeKok.
Re: ERROR: No Digest-Nonce Cannot perform Digest authentication
Yes Alan, I am using the same dictionary files which come with the installation. I also added to the end of the dictionary file the dictionary.sip file and another dictionary.ser file which includes other attributes. In total I have original dictionary + dictionary.sip + dictionary.ser.

BTW I have the radclient working now:

radclient -f digest localhost auth testing123
Received response ID 101, code 2, length = 45
        Reply-Message = Hello, test with digest

I just need to figure out how to authenticate ser users through the radius. On one server it's working fine and I installed it, and never had these problems, but here on the 2nd server I can not figure the problem out. My ser server is running and sending authentication to the radius server and I don't see anything in the radius logs.

Now here is the problem: the register request is coming on the 5060 port and the ser server is sending to authenticate the user with radiusclient. For some reason it's not working, I don't see anything in the radius logs. Here is my debug which ser is sending to radius:

9(16198) SIP Request:
9(16198) method: REGISTER
9(16198) uri: sip:xxx.xxx.xxx.xxx
9(16198) version: SIP/2.0
9(16198) parse_headers: flags=1
9(16198) Found param type 232, branch = z9hG4bK8347cac54f37811f; state=16
9(16198) end of header reached, state=5
9(16198) parse_headers: Via found, flags=1
9(16198) parse_headers: this is the first via
9(16198) After parse_msg...
9(16198) preparing to run routing scripts...
9(16198) REGISTER: Authenticating user
9(16198) parse_headers: flags=4096
9(16198) end of header reached, state=9
9(16198) DEBUG: get_hdr_field: To [34]; uri=[sip:[EMAIL PROTECTED]
9(16198) DEBUG: to body [sip:[EMAIL PROTECTED] ]
9(16198) get_hdr_field: cseq CSeq: 100 REGISTER
9(16198) DEBUG: get_hdr_body : content_length=0
9(16198) found end of header
9(16198) pre_auth(): Credentials with given realm not found
9(16198) REGISTER: challenging user
9(16198) build_auth_hf(): 'WWW-Authenticate: Digest realm=ip of the server, nonce=426027c596c98d33f4f2e26cd277527bfaed7b1b '
9(16198) parse_headers: flags=-1
9(16198) check_via_address(62.219.160.40, 62.219.160.40, 1)
9(16198) DEBUG:destroy_avp_list: destroing list (nil)
9(16198) receive_msg: cleaning up

Thanks Alan for any help.
Re: ERROR: No Digest-Nonce Cannot perform Digest authentication
Alan, when I am running radclient -f digest localhost auth testing123 this is the debug from the radius:

rad_recv: Access-Request packet from host 127.0.0.1:32843, id=101, length=140
        User-Name = test
        Digest-Response = 631d6d73147add2f9e437f59bbc3aeb7
        Digest-Attributes = \001\013testrealm
        Digest-Attributes = \002\n1234abcd
        Digest-Attributes = \003\010INVITE
        Digest-Attributes = \004\034sip:[EMAIL PROTECTED]
        Digest-Attributes = \006\005MD5
        Digest-Attributes = \n\006test
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 25
  modcall[authorize]: module preprocess returns ok for request 25
  modcall[authorize]: module chap returns noop for request 25
  modcall[authorize]: module mschap returns noop for request 25
rlm_digest: Converting Digest-Attributes to something sane...
        Digest-Realm = testrealm
        Digest-Nonce = 1234abcd
        Digest-Method = INVITE
        Digest-URI = sip:[EMAIL PROTECTED]
        Digest-Algorithm = MD5
        Digest-User-Name = test
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module digest returns ok for request 25
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 25
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 25
    users: Matched entry DEFAULT at line 152
    users: Matched entry test at line 215
  modcall[authorize]: module files returns ok for request 25
modcall: group authorize returns ok for request 25
  rad_check_password: Found Auth-Type Digest
auth: type digest
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 25
A1 = test:testrealm:test
A2 = INVITE:sip:[EMAIL PROTECTED]
KD = 1e00d6dbd30441265df6064b9d9b7da9:1234abcd:675b8c827b388805aa252ea38bfb6804
  modcall[authenticate]: module digest returns ok for request 25
modcall: group authenticate returns ok for request 25
radius_xlat: 'Hello, test with digest'
Sending Access-Accept of id 101 to 127.0.0.1:32843
        Reply-Message = Hello, test with digest
Finished request 25

But when the ser is sending a request to the radius I don't see anything in the logs. What can it be? On the other server it's working fine.
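The two rlm_digest steps visible in the debug above (unpacking the Digest-Attributes sub-TLVs into Digest-Realm, Digest-Nonce etc., then computing A1, A2 and KD against the clear-text password) as an added Python example; this is not code from the list, from FreeRADIUS or from radiusclient. The sub-type numbering is assumed from the log and the draft-sterman Digest-Attributes encoding, and the redacted SIP URI is replaced by a constructed placeholder.

```python
import hashlib

# Digest-Attributes sub-types, as rlm_digest decodes them in the log above:
# \001 = Realm, \002 = Nonce, \003 = Method, \004 = URI, \006 = Algorithm,
# \n (10) = User-Name. Sub-types 5, 8 and 9 are assumed from the same draft.
SUBTYPE_NAMES = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
    5: "Digest-Qop", 6: "Digest-Algorithm", 8: "Digest-CNonce",
    9: "Digest-Nonce-Count", 10: "Digest-User-Name",
}


def tlv(subtype, text):
    """Encode one Digest-Attributes value: sub-type, total length, text.

    The length byte counts the two header bytes, which is why the log shows
    \\013 (11) for the 9-byte string 'testrealm'.
    """
    body = text.encode("utf-8")
    return bytes([subtype, len(body) + 2]) + body


def unpack_digest_attributes(blobs):
    """Convert raw Digest-Attributes values into named fields, like rlm_digest."""
    fields = {}
    for blob in blobs:
        if len(blob) < 2:
            raise ValueError("Digest-Attributes value too short")
        subtype, length = blob[0], blob[1]
        # Reject inconsistent lengths instead of silently truncating the text.
        if length != len(blob):
            raise ValueError("Digest-Attributes length %d != %d" % (length, len(blob)))
        name = SUBTYPE_NAMES.get(subtype)
        if name is None:
            raise ValueError("unknown Digest-Attributes sub-type %d" % subtype)
        fields[name] = blob[2:].decode("utf-8")
    return fields


def _h(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_kd(fields, password):
    """Recompute the expected Digest-Response (RFC 2617 KD).

    A1 and A2 are the same strings rlm_digest prints. The clear-text password
    is required, which is why the matching users entry matters for Digest
    exactly as it does for CHAP.
    """
    a1 = ":".join([fields["Digest-User-Name"], fields["Digest-Realm"], password])
    a2 = ":".join([fields["Digest-Method"], fields["Digest-URI"]])
    ha1, ha2 = _h(a1), _h(a2)
    if "Digest-Qop" in fields:
        # RFC 2617 with qop: HA1:nonce:nc:cnonce:qop:HA2 (not used in the log).
        parts = [ha1, fields["Digest-Nonce"], fields["Digest-Nonce-Count"],
                 fields["Digest-CNonce"], fields["Digest-Qop"], ha2]
    else:
        # No qop, as in the log: KD = HA1:nonce:HA2
        parts = [ha1, fields["Digest-Nonce"], ha2]
    return _h(":".join(parts))


def check_digest_request(attrs, password):
    """Return (ok, reason) for one Access-Request given as an attribute dict.

    A request carrying no digest attributes is refused with a reason rather
    than authenticated: forcing Auth-Type := Digest on such a packet is what
    produced the "No Digest-Nonce" error earlier in the thread.
    """
    if "Digest-Response" not in attrs or not attrs.get("Digest-Attributes"):
        return False, "No digest attributes: cannot perform Digest authentication"
    fields = unpack_digest_attributes(attrs["Digest-Attributes"])
    if "Digest-Nonce" not in fields:
        return False, "No Digest-Nonce: cannot perform Digest authentication"
    if digest_kd(fields, password) != attrs["Digest-Response"].lower():
        return False, "Digest-Response is incorrect"
    return True, "ok"


def build_sample_request(password="test"):
    """Constructed Access-Request with the values from the log; the URI is a placeholder."""
    blobs = [tlv(1, "testrealm"), tlv(2, "1234abcd"), tlv(3, "INVITE"),
             tlv(4, "sip:test@example.invalid"), tlv(6, "MD5"), tlv(10, "test")]
    fields = unpack_digest_attributes(blobs)
    return {"User-Name": "test", "Digest-Attributes": blobs,
            "Digest-Response": digest_kd(fields, password)}


if __name__ == "__main__":
    print(check_digest_request(build_sample_request(), "test"))
    print(check_digest_request({"User-Name": "test", "User-Password": "test"}, "test"))
```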
accounting file
Hi

Can someone tell me if there is an accounting file to register all sessions?

Thanks
Jacques
CISCO-AVPairs
All,

Forgive me if this has been addressed before. I searched the archive and only found similar questions, but no answers, so here it goes again.

I would like to parse CISCO-AVPairs and insert them into MySQL. I am getting voip vsa from cisco and would like to append them into my sql table. I understand that I have to modify the queries in sql.conf to insert them, but how do I access the value of them? I am running FreeRadius 1.0.2 on RH Linux.

Example:

        Acct-Session-Id = 00128EF0
        Called-Station-Id = XXX
        h323-setup-time = h323-setup-time=18:12:44.192 EST Fri Apr 15 2005
        h323-gw-id = h323-gw-id=
        h323-conf-id = h323-conf-id=5350F4BC AD3211D9 AF4CCC70 FC19EAE4
        h323-call-origin = h323-call-origin=answer
        h323-call-type = h323-call-type=Telephony
        Cisco-AVPair = h323-incoming-conf-id=5350F4BC AD3211D9 AF4CCC70 FC19EAE4
        Cisco-AVPair = subscriber=Unknown
        Cisco-AVPair = gw-rxd-cdn=ton:0,npi:1,#:
        h323-connect-time = h323-connect-time=18:13:00.968 EST Fri Apr 15 2005
        Acct-Input-Octets = 26668
        Acct-Output-Octets = 16294
        Acct-Input-Packets = 1014
        Acct-Output-Packets = 699
        Acct-Session-Time = 53
        h323-disconnect-time = h323-disconnect-time=18:13:54.186 EST Fri Apr 15 2005
        h323-disconnect-cause = h323-disconnect-cause=10
        Cisco-AVPair = h323-ivr-out=Tariff:Unknown
        Cisco-AVPair = release-source=1
        h323-voice-quality = h323-voice-quality=0
        Cisco-AVPair = charged-units=0
        Cisco-AVPair = disconnect-text=normal call clearing (16)
        Cisco-AVPair = info-type=speech
        Cisco-AVPair = peer-id=900

So how would I access the value of Cisco-AVPAIR=disconnect-text=D. I tried just using '%{disconnect-text}' in the sql query or '%{Cisco-AVPAIR-disconnect-text}' but it did not work.

Has anyone done this before? Can you share config files or refer me to the instruction page?

Thanks in advance,
Alex
EAP-TLS Certificate Failure with CMC Emulation Engine
Background:

I am utilizing CMC's Emulation Engine to perform multi-client testing on a wireless access point, which is configured for WPA 802.1x. I am running EAP-TLS on FreeRADIUS 1.0.0-5 and OpenSSL 0.9.7d-25 on SuSE Linux Professional 9.2. Before testing the access point with the Emulation Engine I verified the FreeRADIUS configuration with Windows XP SP2 clients, which allowed me to successfully associate, authenticate and transfer data through the access point.

Problem:

FreeRADIUS reports "fatal bad_certificate" when I try to associate and authenticate the Emulation Engine with the access point. However, this is the same client certificate I successfully used on the Windows clients.

My contact at CMC built FreeRADIUS on a Redhat platform and tried to troubleshoot the problem. Initially, he was unable to associate and authenticate via the access point when running the Emulation Engine. He eventually rebuilt his installation with the following configurations:

OpenSSL: --no-shared
FreeRADIUS: --with-openssl-includes=/usr/local/ssl/include --with-openssl-libraries=/usr/local/ssl/lib --disable-shared

After he rebuilt his installation he was able to successfully use my certificates with the Emulation Engine.

Questions:

What did his rebuild configurations change? Can anyone provide insight into my FreeRADIUS errors captured below?

Thanks,
Adam Gibson

rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:5501, id=23, length=202
        Message-Authenticator = 0xd9e136bede727a18ffebbe5029428d2a
        Service-Type = Framed-User
        User-Name = laptop
        Framed-MTU = 1488
        State = 0xb9a81d87e3edf4ae5692cb71c2d3f34d
        Called-Station-Id = :xx--xxx-xx
        Calling-Station-Id =
        NAS-Identifier =
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x020200060d00
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Port = 2
        NAS-Port-Id = STA port # 2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
  modcall[authorize]: module preprocess returns ok for request 10
  modcall[authorize]: module chap returns noop for request 10
  modcall[authorize]: module mschap returns noop for request 10
    rlm_realm: No '@' in User-Name = laptop, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 10
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 10
    users: Matched laptop at 97
  modcall[authorize]: module files returns ok for request 10
modcall: group authorize returns updated for request 10
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 10
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module eap returns handled for request 10
modcall: group authenticate returns handled for request 10
Sending Access-Challenge of id 23 to xxx.xxx.xxx.xxx:5501
        EAP-Message = [hex dump of the TLS handshake fragments omitted]
Re: EAP-TLS Certificate Failure with CMC Emulation Engine
Did you sign your certificates with OID extensions for user and server use?

On Friday 15 April 2005 20:14, Adam Gibson wrote:
Re: Problems with pptp / freeradius / ppp / pam...
Ok, here is my output from radiusd -X when I try to connect to it from the win xp client:

rad_recv: Access-Request packet from host 127.0.0.1:32849, id=100, length=145
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = test
        MS-CHAP-Challenge = 0xbe0ccac162ef57c475e1f90b70130fa0
        MS-CHAP2-Response = 0x18005082b0b6e32caa6498ca24b465860431f71793453cd6a89e0cfa9e8fcc4d1abb75a6cd4c05554bdf
        Calling-Station-Id = 68.68.53.12
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module preprocess returns ok for request 9
  modcall[authorize]: module chap returns noop for request 9
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type = MS-CHAP'
  modcall[authorize]: module mschap returns ok for request 9
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 9
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 9
    users: Matched test at 1
  modcall[authorize]: module files returns ok for request 9
modcall: group authorize returns ok for request 9
  rad_check_password: Found Auth-Type MS-CHAP
auth: type MS-CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 9
  rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 9
modcall: group Auth-Type returns reject for request 9
auth: Failed to validate the user.
Delaying request 9 for 1 seconds
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 100 to 127.0.0.1:32849
        Reply-Message = Hello, bob
        MS-CHAP-Error = \030E=691 R=1
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 100 with timestamp 426087d1
Nothing to do.  Sleeping until we see a request.

Any idea what's wrong there? I have two XP clients, one works, one throws that error. The connection settings are both exactly the same. I don't get what's going on.

Thanks