errors in radius.log
Hi! I have freeradius 0.9.3 on Solaris 8. I get these error messages all the time:

    Thu Apr 28 07:21:55 2005 : Error: rlm_radutmp: Logout entry for NAS 1.1.1.1 port 1610613128 has wrong ID
    Thu Apr 28 07:22:05 2005 : Error: rlm_radutmp: Logout entry for NAS 1.1.1.1 port 1610613218 has wrong ID
    Thu Apr 28 07:22:13 2005 : Error: rlm_radutmp: Logout entry for NAS 1.1.1.1 port 1610612888 has wrong ID

The NAS is a Juniper DSLAM. I've searched the mailing list, but I didn't find anything which could explain this error. Can anyone tell me what this error means and how I can get rid of it?

regards,
Ahmad

--
Ahmad Cheikh-Moussa, NetUSE AG
Dr.-Hell-Straße, 24107 Kiel, Germany
Telefon: +49 431 2390 400 -- Telefax: +49 431 2390 499
Service: [EMAIL PROTECTED] -- http://NetUSE.DE/

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
providing IP address depending NAS origin
Hi everybody,

We are deploying a GPRS/EDGE architecture with one router in a DMZ area with 4 permanent IPSEC tunnels through our operator. When the user connects, he should authenticate on the FreeRADIUS server. But the RADIUS server has to provide an IP in a different subnet depending on which NAS (a GGSN) has emitted the request for the client.

Eg:
    If the Auth request comes from GGSN-A, the IP address should be in 192.168.200.0/24
    If the Auth request comes from GGSN-B, the IP address should be in 192.168.201.0/24

And if the IP address could be statically provided depending on the username, that would be very cool.

Eg:
    If the Auth request comes from GGSN-A for user Joe, the IP address should be 192.168.200.X (X is Joe's one)
    If the Auth request comes from GGSN-A for user Joe, the IP address should be 192.168.201.Y (Y is Toto's one)

We are using the latest available version of FreeRADIUS, v1.0.2.

So, is it possible? Can you explain to me how I can do it, or do you have a link to something that can help me?

Thank you in advance,
Ben.
mac os x with TLS or TTLs problems
Hello,

I am using the Mac OS X supplicant with FreeRADIUS. The authentication with EAP-TLS or EAP-TTLS succeeds and goes perfectly. The problem is that the Mac OS X supplicant keeps trying to re-authenticate every 6 seconds endlessly... and this happens after a successful previous authentication. I cannot understand why.

I can avoid this behaviour by deleting the RADIUS server certificate from the Keychain utility. Then it prompts me to accept this certificate, I accept all and it works. But the next time I reconnect to the same wireless network, the Internet Connect client will keep authenticating endlessly if I do not remove the RADIUS server certificate again. How come this happens?

This has been happening since the FreeRADIUS server certificate changed and was renewed. But with Windows XP supplicants I have no problems.

Any ideas?

Thank you very much
Rick
Re: providing IP address depending NAS origin
On Friday 29 April 2005 11:08, Bram wrote:
> I don't think it is possible by default...

Oh :-(

> And what exactly do you mean with 'statically provided' IP? As in, I see two possible explanations:
> * if the user connects he should always get the same static IP (no matter what NAS he is using)
> * if the user connects via NAS-A he should get 192.168.200.100, if he connects via NAS-B he should get 192.168.201.100, ...
> Which of the two do you want?

The second. Your sum up is very clear ;-)

> Here are some things you can do:
> * change include/radius.h: Change the line
>       #define PW_POOL_NAME 1073
>   to:
>       #define PW_POOL_NAME 4
>   (4 is the id of the NAS-IP-Address attribute, but you can set it to whatever you want)

Hum.. Why not, even though I don't understand how it can modify the behaviour of the RADIUS server by giving PW_POOL_NAME the same value as PW_NAS_IP_ADDRESS. What rules will I have to put in my config file to make use of these modifications to the RADIUS sources?

> * another thing you can do is wait a few days, then I might have my patch ready which does that (and some other things)... (I need to re-check some things before I make it public)

I can do it too.

> (PS: I assume the second example you gave in your mail isn't 100% correct, can you check?)

Sorry, I've translated these messages from French; Toto is the same person as Joe. And I've put X and Y prefixes because I don't care if the IP address prefix is not the same between the 2 different subnets.

Thank you very much for your help.

Ben.
Re: providing IP address depending NAS origin
> The second. Your sum up is very clear ;-)

AFAIK there is no easy way for the second... if it would be one static IP per user then it would be no problem, but if you want the static IP to depend on the NAS via which he is connecting, then there is a problem...

> Hum.. Why not, even though I don't understand how it can modify the behaviour of the RADIUS server by giving PW_POOL_NAME the same value as PW_NAS_IP_ADDRESS.

Oops, I should have re-checked rlm_ippool... it checks config_items by default, which is not correct, you need the request packet... so you will need to change the source :/ (sorry about that)

Changing the radius.h file isn't enough... you need to modify rlm_ippool.c:

Change /src/modules/rlm_ippool/rlm_ippool.c:

From:
    if ((vp = pairfind(request->config_items, PW_POOL_NAME)) != NULL){
To:
    if ((vp = pairfind(request->packet->vps, PW_NAS_IP_ADDRESS)) != NULL){

(instead of PW_NAS_IP_ADDRESS you could set it to PW_POOL_NAME/another name and define it in radius.h)

> What rules will I have to put in my config file to make use of these modifications to the RADIUS sources?

All you should do is set the pool-name in the config file to the NAS-IP-Address (or the attribute you set)

> > * another thing you can do is wait a few days, then I might have my patch ready which does that (and some other things)... (I need to re-check some things before I make it public)
>
> I can do it too.

Yes, but mine does some other things too... (one of those is to allow you to set the attribute that should be checked in the config, but this doesn't seem the right place to describe it in detail)

Bram
Re: rlm_sql: group table changes
Stephan Jaeger wrote:
> For rejecting every user that has no matching group profile I guess my best bet is now to use a DEFAULT profile with Auth-Type := Reject in the db?

Yes, that should work.

--Mike
RE: rlm_sql: group table changes
> > Hmm... That's a good point. I've updated the rlm_sql module in CVS to handle this situation so that it more closely matches the users file methodology (if there are no check pairs, then the section is automatically matched).
>
> That's great! It gives much more flexibility now where it works like the users file. For rejecting every user that has no matching group profile I guess my best bet is now to use a DEFAULT profile with Auth-Type := Reject in the db?

I've been reading everything related to the tables radcheck, radreply, etc., and came to the conclusion that the best and most useful way of handling users and reply attributes is by using stored procedures, and letting the stored procedure return a table based on what you want to do. I'm doing it that way and find it really comfortable and versatile. Do you agree?

I mean... you could for example do some scripting in your procedure and if you want to reject a user, just run your code, build a table and return Auth-Type := Reject. That way you do not need to have a table full of reply attributes for each user or each group.

Regards,
Lucas
RE: providing IP address depending NAS origin
> Hi everybody,
>
> We are deploying a GPRS/EDGE architecture with one router in a DMZ area with 4 permanent IPSEC tunnels through our operator. When the user connects, he should authenticate on the FreeRADIUS server. But the RADIUS server has to provide an IP in a different subnet depending on which NAS (a GGSN) has emitted the request for the client.
>
> Eg:
>     If the Auth request comes from GGSN-A, the IP address should be in 192.168.200.0/24
>     If the Auth request comes from GGSN-B, the IP address should be in 192.168.201.0/24
>
> And if the IP address could be statically provided depending on the username, that would be very cool.
>
> Eg:
>     If the Auth request comes from GGSN-A for user Joe, the IP address should be 192.168.200.X (X is Joe's one)
>     If the Auth request comes from GGSN-A for user Joe, the IP address should be 192.168.201.Y (Y is Toto's one)
>
> So, is it possible? Can you explain to me how I can do it, or do you have a link to something that can help me?
>
> Thank you in advance,
> Ben.

Ben,

I think you can do the following:

You can always receive the IP address of the NAS in the NAS-IP-Address attribute. You can (because I've done it) build a stored procedure on your SQL engine and do some if-else structure where you validate your IP address. If your NAS-IP-Address attribute is IP-A, you return an IP address in 192.168.201.0/24. If IP-B, then 192.168.200.0/24.

It is easy, believe me. Of course you need to know how to build a stored procedure... but it's a piece of cake.

For example in my mssql.conf I have

    authorize_check_query = rad_authorize_check_query '%{Stripped-User-Name:-%{User-Name}}'

rad_authorize_check_query is a stored procedure. I only provide the username, but inside the stored procedure I make lots of checks. Do you follow me?

Hope it helps!

Regards,
Lucas
Re: providing IP address depending NAS origin
Would this work?

users:

    Joe    NAS-IP-Address =~ ^192.168.200.
           Framed-IP-Address = X, Fallthrough = yes

    Joe    NAS-IP-Address =~ ^192.168.201.
           Framed-IP-Address = Y, Fallthrough = yes

On Fri, 2005-04-29 at 04:03, Bram wrote:
> > The second. Your sum up is very clear ;-)
>
> AFAIK there is no easy way for the second... if it would be one static IP per user then it would be no problem, but if you want the static IP to depend on the NAS via which he is connecting, then there is a problem...
>
> > Hum.. Why not, even though I don't understand how it can modify the behaviour of the RADIUS server by giving PW_POOL_NAME the same value as PW_NAS_IP_ADDRESS.
>
> Oops, I should have re-checked rlm_ippool... it checks config_items by default, which is not correct, you need the request packet... so you will need to change the source :/ (sorry about that)
>
> Changing the radius.h file isn't enough... you need to modify rlm_ippool.c:
>
> Change /src/modules/rlm_ippool/rlm_ippool.c:
>
> From:
>     if ((vp = pairfind(request->config_items, PW_POOL_NAME)) != NULL){
> To:
>     if ((vp = pairfind(request->packet->vps, PW_NAS_IP_ADDRESS)) != NULL){
>
> (instead of PW_NAS_IP_ADDRESS you could set it to PW_POOL_NAME/another name and define it in radius.h)
>
> > What rules will I have to put in my config file to make use of these modifications to the RADIUS sources?
>
> All you should do is set the pool-name in the config file to the NAS-IP-Address (or the attribute you set)
>
> > > * another thing you can do is wait a few days, then I might have my patch ready which does that (and some other things)... (I need to re-check some things before I make it public)
> >
> > I can do it too.
>
> Yes, but mine does some other things too... (one of those is to allow you to set the attribute that should be checked in the config, but this doesn't seem the right place to describe it in detail)
>
> Bram
Re: help - PEAP authentication
Why don't you try this:

    modules {
        ...
        # '[EMAIL PROTECTED]'
        #
        realm suffix {
            format = suffix
            delimiter = @
        }
    }

and then

    authorize {
        preprocess
        ...
        suffix
        ...
    }

It should work in the way that the DN is rewritten. Let me know if it works for you.

On Thursday 28 April 2005 21:25, Israel Fabio Alves wrote:
> Hi Michael,
>
> I will see this with Extreme Networks (Brazil).
>
> Thanks for your help.
>
> Michael Griego wrote:
> > Talk to your NAS vendor. That's completely insane for a NAS to rewrite the User-Name, not to mention a violation of RFC 3579.
> >
> > --Mike
> >
> > Israel Fabio Alves wrote:
> > > Hi,
> > >
> > > I need help to solve a problem. My configuration works 100% with a Cisco 2950 switch. Now I need to use a switch from Extreme Networks (Summit 1i), but this switch sends the request to FreeRADIUS with this [EMAIL PROTECTED]. I think I could use attr_rewrite to change the request from this [EMAIL PROTECTED] to windowsdomain\username, but I cannot find the way to organize the information with attr_rewrite and I do not know if this will work for authentication. Does someone have an idea how I can solve this?
> > >
> > > Many thanks.
> > >
> > > Israel Alves
Re: providing IP address depending NAS origin
Hi Lucas,

On Friday 29 April 2005 16:50, Lucas Aimaretto wrote:
> You can always receive the IP address of the NAS in the NAS-IP-Address attribute. You can (because I've done it) build a stored procedure on your SQL engine and do some if-else structure where you validate your IP address. If your NAS-IP-Address attribute is IP-A, you return an IP address in 192.168.201.0/24. If IP-B, then 192.168.200.0/24.

Stored procedure is a nice tweak. Indeed, I have my users in a MySQL database.

> For example in my mssql.conf I have
>
>     authorize_check_query = rad_authorize_check_query '%{Stripped-User-Name:-%{User-Name}}'
>
> rad_authorize_check_query is a stored procedure. I only provide the username, but inside the stored procedure I make lots of checks. Do you follow me?

Yes, but how can you verify the username against the NAS-IP-Address, if you only provide the username to your stored procedure? (That's what I understand...)

Thanks a lot. I am progressing... I didn't know that FreeRADIUS could do so much!

Ben.
using user-defined attributes and radreply
I am new to FreeRADIUS, and I was wondering if anyone could help with a basic problem I am having creating user-defined attributes. I have set up a dictionary file with the following entries:

    ATTRIBUTE myattrib   340 string
    ATTRIBUTE myattrib2  341 integer
    VALUE myattrib2 value0 0
    VALUE myattrib2 value1 1
    VALUE myattrib2 value2 2

Now I'm not entirely sure whether this is right. Using the limited documentation, it appears that values 340 and 341 are currently unused and seem to be the correct ones to use for the required reply (I have also tried other unused values in other free ranges, e.g. 2000 and 2001). Now invoking this with the following radreply db entries (PostgreSQL), using user4 and the correct password and secret key:

     id | username |  attribute   | op | value
    ----+----------+--------------+----+-------
      1 | user4    | myattrib     | =  | hello
      3 | user4    | myattrib2    | =  | 1
      2 | user4    | service-type | =  | 1

results in a response:

    25/04/2005 14:02:25 Test started [MYTASK]
    Info: Sending Access-Request of id 0 to 10.101.2.5:1812
            User-Name = "user4"
            Password = "user3"
    Info: Access-Accept packet from host 10.101.2.5:1812, id=0, length=26
            Service-Type = Login-User
    25/04/2005 14:02:25 Test finished [MYTASK]

That is, only the system-defined attribute is returned (Login-User), not the other two. As a test, if I change 340, 341 to values that are already defined by the system, say 245, 246, then the response is:

    25/04/2005 11:56:08 Test started [MYTASK]
    Info: Sending Access-Request of id 0 to 10.101.2.5:1812
            User-Name = "user4"
            Password = "user3"
    Info: Access-Accept packet from host 10.101.2.5:1812, id=0, length=39
            X-Ascend-Preempt-Limit = 0x68656c6c6f
            Service-Type = Login-User
            X-Ascend-Callback = 1
    25/04/2005 11:56:08 Test finished [MYTASK]

Here you can see three results, including X-Ascend-Preempt-Limit and X-Ascend-Callback, corresponding to the duplicate values defined in the system dictionary file.

These essentially overwrite my attributes, but the service-type entry still works, which suggests that the db is working correctly and my attributes are being read, but they are being ignored. Thus, what I think must be happening is that either I'm missing some part of the configuration indicating that the values I use (345 346) may be used as return values, or the attribute values are not set up properly. Does anyone know what I'm doing wrong? I've looked at all the other configuration files and nothing is obvious. Any suggestions?

regards,
Arun Mundray.
RE: providing IP address depending NAS origin
> Hi Lucas,
>
> Stored procedure is a nice tweak. Indeed, I have my users in a MySQL database.
>
> > For example in my mssql.conf I have
> >
> >     authorize_check_query = rad_authorize_check_query '%{Stripped-User-Name:-%{User-Name}}'
> >
> > rad_authorize_check_query is a stored procedure. I only provide the username, but inside the stored procedure I make lots of checks. Do you follow me?
>
> Yes, but how can you verify the username against the NAS-IP-Address, if you only provide the username to your stored procedure? (That's what I understand...)

:-) ... I'm only providing User-Name because it is my own stored procedure. Build your own one and provide the attributes you need... for example the NAS-IP-Address... and make YOUR stored procedure do what you need... it will certainly work.

Best Regards,
Lucas
Re: help - PEAP authentication
It will break inside the EAP code, since the EAP code does a sanity check to make sure the EAP Identity matches the User-Name sent by the NAS.

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Luis Daniel Lucio Quiroz wrote:
> Why don't you try this:
>
>     modules {
>         ...
>         # '[EMAIL PROTECTED]'
>         #
>         realm suffix {
>             format = suffix
>             delimiter = @
>         }
>     }
>
> and then
>
>     authorize {
>         preprocess
>         ...
>         suffix
>         ...
>     }
>
> It should work in the way that the DN is rewritten. Let me know if it works for you.
Mod_auth_radius v1.4.2 problem
Hello all.

I've been having a very strange problem with mod_auth_radius. I have it configured like so:

    <IfModule mod_auth_radius.c>
        AddRadiusAuth x.x.x.x password
        AddRadiusCookieValid 5
    </IfModule>

    <Location /test-radius>
        AllowOverride None
        order allow,deny
        allow from all
        AuthName "RRS Radius test"
        AuthType Basic
        AuthAuthoritative off
        KrbAuthoritative off
        AuthRadiusAuthoritative on
        AuthRadiusCookieValid 60
        require valid-user
    </Location>

The above part is in both the non-SSL and SSL configurations. The weird part is that this works fine when using HTTP. HTTPS breaks, and gives this error:

    [Fri Apr 29 12:02:10 2005] [crit] [client X.X.X.X] configuration error: couldn't check user. No user file?: /test-radius/auth.cgi

All other authentication methods on this box have worked fine for both HTTP and HTTPS: LDAP, Kerberos, NTLM.

apache 1.3.33

Thanks for any help,
Jason
Re: help - PEAP authentication
I will put the test server up, then I will send the configuration files.

Thanks for helping me.

Michael Griego wrote:
> It will break inside the EAP code, since the EAP code does a sanity check to make sure the EAP Identity matches the User-Name sent by the NAS.
>
> --Mike

--
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343
Re: using user-defined attributes and radreply
Hi,

>     ATTRIBUTE myattrib   340 string
>     ATTRIBUTE myattrib2  341 integer
>     VALUE myattrib2 value0 0
>     VALUE myattrib2 value1 1
>     VALUE myattrib2 value2 2
>
> Now I'm not entirely sure whether this is right. Using the limited documentation, it appears that values 340 and 341 are currently unused and seem to be the correct ones to use for the required reply (I have also tried other unused values in other free ranges, e.g. 2000 and 2001).

IIRC, RADIUS defines attributes to be just one byte, i.e. the value must be less than 256. Everything with a larger value is either for the server's internal use only (and since it just can't be transmitted according to the protocol specs, that's a nice trick to mark those) or maybe a somewhat strange representation of a vendor-specific attribute (those are the way to get around that limitation of 256 attributes).

I'd recommend reading a bit about vendor-specific attributes, and using those for your own attributes. Essentially, just additionally define a new Vendor ID and then define attributes for that new vendor, using 1, 2, ... instead of 340, 341, ...

HTH,
Stefan
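To make the one-byte Type limit concrete, here is an added Python example (written for this thread, not taken from the list or from FreeRADIUS) that encodes reply attributes as RFC 2865 Type-Length-Value triples and as a Vendor-Specific (26) attribute; the Vendor-Id 99999 is a made-up placeholder, not a registered enterprise number.

```python
"""Why dictionary numbers 340/341 never reach the wire (RFC 2865 attribute format).

Added example for this thread, not FreeRADIUS code. A standard attribute is
Type (1 byte) Length (1 byte) Value, so only types 1..255 can be encoded;
anything larger is server-internal. Private attributes go inside
Vendor-Specific (26): Vendor-Id (4 bytes) followed by a vendor TLV with its
own one-byte type.
"""
import struct

VENDOR_SPECIFIC = 26

def encode_avp(attr_type, value):
    """Build one Type-Length-Value attribute; return None when attr_type does
    not fit the one-byte Type field, which is the fate of 340 and 341."""
    if not 1 <= attr_type <= 255:
        return None
    if isinstance(value, int):
        value = struct.pack("!I", value)   # RADIUS integer: 32-bit big-endian
    if len(value) > 253:                    # Length is one byte and counts T+L
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def encode_vsa(vendor_id, vendor_type, value):
    """Wrap a private attribute in Vendor-Specific: Vendor-Id, then the vendor's
    own one-byte type and length, then the value."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor type must also fit in one byte")
    if isinstance(value, int):
        value = struct.pack("!I", value)
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def encode_reply(pairs):
    """Encode (type, value) pairs as a reply body, dropping what cannot be
    represented: the silent loss the original poster saw."""
    body = b""
    for attr_type, value in pairs:
        avp = encode_avp(attr_type, value)
        if avp is not None:
            body += avp
    return body

def decode_attrs(body):
    """Parse a reply body into a list of (type, value) tuples; a Vendor-Specific
    attribute is expanded to (26, vendor_id, vendor_type, value)."""
    attrs, pos = [], 0
    while pos < len(body):
        t, l = struct.unpack("!BB", body[pos:pos + 2])
        if l < 2 or pos + l > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        v = body[pos + 2:pos + l]
        if t == VENDOR_SPECIFIC and len(v) >= 6:
            vendor_id = struct.unpack("!I", v[:4])[0]
            vt, vl = struct.unpack("!BB", v[4:6])
            attrs.append((t, vendor_id, vt, v[6:4 + vl]))
        else:
            attrs.append((t, v))
        pos += l
    return attrs

# Constructed from the poster's radreply rows: 340 and 341 vanish, only
# Service-Type (6) = 1 (Login-User) survives; 20-byte header + 6 = length 26.
POSTER_REPLY = encode_reply([(340, b"hello"), (341, 1), (6, 1)])

# The same two values carried as vendor attributes 1 and 2 under a placeholder
# Vendor-Id (99999 is made up for this example, not a registered number).
VSA_REPLY = encode_vsa(99999, 1, b"hello") + encode_vsa(99999, 2, 1) + encode_avp(6, 1)
```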
Don't want to proxy Alive records
I am currently proxying authorization and accounting to many many different RADIUS servers (my customers). I have also recently set up my NASes to send Alive accounting packets at a certain interval. These in turn are creating Alive records in my detail files as well as proxying this information to all of my customers' servers. Only certain ones want to get the Alive information... the rest are just being bogged down with it.

I don't think it is possible, but is there a way to limit what accounting gets proxied (i.e. not send the Alive information to certain servers), or does FreeRADIUS just send all accounting packets along regardless? I proxy some by DNIS and others by realm.

I have been searching for this solution but can't find any answers. If someone could point me in the right direction I would be grateful.
Re: Don't want to proxy Alive records
Scott B. Lowe [EMAIL PROTECTED] wrote:
> I don't think it is possible, but is there a way to limit what accounting gets proxied (i.e. not send the Alive information to certain servers), or does FreeRADIUS just send all accounting packets along regardless? I proxy some by DNIS and others by realm.

Use acct_users.

    DEFAULT Realm == foo.com, Acct-Status-Type == Alive, Proxy-To-Realm := LOCAL
    ... etc.

Alan deKok.
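Both users-file proposals in this digest (Joe's NAS-dependent Framed-IP-Address entries earlier in the thread and the acct_users DEFAULT entry just above) rely on the same matching rules. The following Python, added here and not part of any list post or of FreeRADIUS, simulates that walk over constructed copies of those entries; X and Y are kept as the stand-ins the post used.

```python
"""Simulate how FreeRADIUS walks a users-style file (users, acct_users).

Added example for this thread, not FreeRADIUS code: entries are tried in
order; the name must be DEFAULT or equal User-Name; every check item must
hold (== exact match, =~ regex); a ':=' in the check list is not a comparison
but sets a control item (Proxy-To-Realm := LOCAL); reply items are collected;
the walk stops at the first matching entry unless it sets Fallthrough = yes.
"""
import re

def parse_entry(text):
    """Parse 'name check, check\\n\\treply, reply' into (name, checks, replies)."""
    head, _, reply_line = text.strip().partition("\n")
    parts = head.strip().split(None, 1)
    name, check_line = parts[0], (parts[1] if len(parts) > 1 else "")
    items = lambda s: [i.strip() for i in s.split(",") if i.strip()]
    checks = [re.match(r"(\S+)\s*(==|=~|:=)\s*(.+)", i).groups() for i in items(check_line)]
    replies = [re.match(r"(\S+)\s*(:=|=)\s*(.+)", i).groups() for i in items(reply_line)]
    return name, checks, replies

def match(entries, request):
    """Return {'control': {...}, 'reply': {...}} for a request dict of attributes."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        pending, ok = {}, True
        for attr, op, val in checks:
            if op == ":=":                       # control assignment, not a test
                pending[attr] = val
            elif op == "==":
                ok = ok and str(request.get(attr)) == val
            else:                                # "=~": regex against the value
                cur = request.get(attr)
                ok = ok and cur is not None and re.search(val, str(cur)) is not None
        if not ok:
            continue
        control.update(pending)
        fallthrough = False
        for attr, op, val in replies:
            if attr == "Fallthrough":
                fallthrough = val.lower() == "yes"
            else:
                reply[attr] = val
        if not fallthrough:
            break
    return {"control": control, "reply": reply}

# Joe's entries from the thread (X/Y kept as stand-ins). Note the unescaped
# dots: in a regex '.' matches any character, so escape them in a real file.
USERS = [parse_entry(t) for t in (
    "Joe\tNAS-IP-Address =~ ^192.168.200.\n\tFramed-IP-Address = X, Fallthrough = yes",
    "Joe\tNAS-IP-Address =~ ^192.168.201.\n\tFramed-IP-Address = Y, Fallthrough = yes",
)]
# Alan's acct_users entry: Alive packets for foo.com stay local (not proxied).
ACCT_USERS = [parse_entry(
    "DEFAULT\tRealm == foo.com, Acct-Status-Type == Alive, Proxy-To-Realm := LOCAL"
)]
```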