PEAP + local = OK, same config + LDAP failed

2005-06-14 Thread Florian Prester

Hi,

still fighting with ldap :-)

If I authenticate the user locally, without an ldap entry in
radiusd.conf, everything works fine,

but if I uncomment the ldap entry, nothing works anymore!
I thought the users file is inspected first?

my log:
see attachment



Thanks
Florian


-- 
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany

Tel.: +499131 8527813

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded PAP 
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap) 
Module: Loaded eap 
 eap: default_eap_type = peap
 eap: timer_expire = 600
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /usr/local/etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded LDAP 
 ldap: server = 131.188.3.53
 ldap: port = 400
 ldap: net_timeout = 1
 ldap: timeout = 24
 ldap: timelimit = 23
 ldap: identity = cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = (null)
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password = 
 ldap: basedn = ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE
 ldap: filter = (Userid=%{Stripped-User-Name:-%{User-Name}})
 ldap: base_filter = (objectclass=radiusprofile)
 ldap: default_profile = (null)
 ldap: 

Re: PEAP + RADIUS + local-Auth + LDAP

2005-06-14 Thread Florian Prester

Alan DeKok wrote:

> Florian Prester [EMAIL PROTECTED] wrote:
>
>> authorize: If I place the users word before anything else, the
>> authorization should take place by the users file, which means if a
>> user exists in the users file it is authorized? correct?
>
> It means that the users file is processed before anything else.
>
> You don't need to move it, though.  The default configuration works.
>
>> authenticate: If the password matches cleartext/crypt the user is
>> authenticated? correct?
>
> Yes.
>
>> 2.) If I try to use PEAP and LDAP I need cleartext passwords!? correct?
>
> Or NT-Password.

How can I control which password should be used?

>> If I add ldap after the users word in the authorize section, ldap
>> should only be used if the user cannot be found in the users file?
>
> No.  See doc/configurable_failover
>
>> If I add password_attribute = sn the user is authenticated if
>> the password-hash-challenge is matching the sn-hash-challenge, meaning
>> the sn attribute is taken as password? correct?
>
> Yes.
>
>> 3.) What does the Group-authenticate/authorize mean if I am using ldap?
>
> I'm not sure what you mean by that.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


executing external program

2005-06-14 Thread vicky

Hi all!
I have a huge problem. When executing an external script I get strange 
error messages and my server shuts down. I find this strange because the 
script was tested on its own and it works. Plus I have other similar scripts 
running and they run perfectly.


I get this in the log (radiusd.log) :
Tue Jun 14 09:52:48 2005 : Error: Exec-Program: Abnormal child exit: Interrupted system call
Tue Jun 14 09:52:48 2005 : Error: rlm_exec (getaccounting): External script failed


And this in the debug mode :
radius_xlat:  '/home/vicky/finalprog/compAttrs Accounting-Request'
Exec-Program: /home/vicky/finalprog/compAttrs Accounting-Request
MASTER: Child PID 1842 failed to catch signal 11: killing all active servers.


Has anyone encountered the same problem or has anyone any idea what may 
be causing this?

Thanks a lot in advance!

--
Vicky 



RE: restricting access for users

2005-06-14 Thread Martial VdB

Thank you Dustin, this works!!

I'll be making a detailed description on how it works now. Maybe it can be 
posted? If not, just send me an email and I will send it to anyone who wants 
it.

Maybe I can contribute back this way.

Thanks again!!!
Martial


From: Dustin Doris [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list 
freeradius-users@lists.freeradius.org

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: RE: restricting access for users
Date: Mon, 13 Jun 2005 09:49:00 -0400 (EDT)



Try this.

huntgroups
 diegem    NAS-IP-Address == 10.5.x.x
 diegem    NAS-IP-Address == 10.5.x.x
 diegem    NAS-IP-Address == 10.5.x.x
 brussels  NAS-IP-Address == 10.2.x.x


users file

#note: there is no default auth-type = system here

DEFAULT Group == NOC, Auth-Type := System
        replyattrs = replyvalues

bob     Huntgroup-Name == diegem, Auth-Type := System
        replyattrs = replyvalues...

somebrusselluser Huntgroup-Name == brussels, Auth-Type := System
        reply attrs

DEFAULT Auth-Type := Reject

That means:

If user is in group NOC, match here and authorize the user using system
If user bob is coming from huntgroup diegem, match here and authorize user
If user somebrusselluser is coming from huntgroup brussels, match
If no matches on above, reject the user

I suspect that your DEFAULT Auth-Type = system entry is at the top of your
users file.  Then you have some matching rules.  You have a user that
comes in but won't match any of your matching rules, so it will default to
the auth-type = system entry that it matched at first and simply authorize
the user with system.

What I have above, specifies to use system when it matches each user entry
or the group entry.  If there is no match, then it tells you to reject the
user.




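To make the first-match behaviour Dustin describes concrete, here is an added simulation of how the users file is walked for a request; it is not FreeRADIUS code and not from the thread, and the huntgroup networks, group membership and usernames are constructed sample values. It evaluates both orderings side by side: the bare `DEFAULT Auth-Type := System` on top that he suspects, and his version with the catch-all Reject last.

```python
# Added example (not FreeRADIUS code and not from the thread): a small model of
# how the 1.x 'users' file is walked, enough to show why entry order matters.
# All usernames, group memberships and NAS networks below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Stand-in for the huntgroups file: huntgroup name -> NAS-IP-Address networks
# (the post used 10.5.x.x for diegem and 10.2.x.x for brussels).
HUNTGROUPS = {
    "diegem": [ip_network("10.5.0.0/16")],
    "brussels": [ip_network("10.2.0.0/16")],
}

# Stand-in for the system group database behind the "Group ==" check item.
GROUPS = {"alice": {"NOC"}, "bob": set(), "somebrusselluser": set()}


@dataclass
class Entry:
    """One users-file entry: a name, its check items and the Auth-Type it sets."""
    name: str        # "DEFAULT" matches any User-Name; otherwise an exact match
    checks: dict     # check items, e.g. {"Huntgroup-Name": "diegem"}
    auth_type: str   # the "Auth-Type := ..." value


def huntgroups_for(nas_ip: str) -> set:
    """All huntgroups whose NAS-IP-Address rules cover this NAS."""
    ip = ip_address(nas_ip)
    return {name for name, nets in HUNTGROUPS.items() if any(ip in n for n in nets)}


def entry_matches(entry: Entry, user: str, nas_ip: str) -> bool:
    """An entry matches when its name applies and every check item holds."""
    if entry.name != "DEFAULT" and entry.name != user:
        return False
    for attr, wanted in entry.checks.items():
        if attr == "Huntgroup-Name":
            if wanted not in huntgroups_for(nas_ip):
                return False
        elif attr == "Group":
            if wanted not in GROUPS.get(user, set()):
                return False
        else:
            raise ValueError(f"check item {attr} not modelled here")
    return True


def decide(users_file: list, user: str, nas_ip: str):
    """First-match walk with no Fall-Through: the first entry whose check items
    all hold supplies the Auth-Type. None models 'files' returning notfound."""
    for entry in users_file:
        if entry_matches(entry, user, nas_ip):
            return entry.auth_type
    return None


# The ordering Dustin suspected: a bare DEFAULT with Auth-Type := System on top,
# so it wins for every request and the rules below it are never consulted.
WEAK = [
    Entry("DEFAULT", {}, "System"),
    Entry("DEFAULT", {"Group": "NOC"}, "System"),
    Entry("bob", {"Huntgroup-Name": "diegem"}, "System"),
    Entry("somebrusselluser", {"Huntgroup-Name": "brussels"}, "System"),
]

# The ordering he proposed: specific rules first, a catch-all Reject last.
FIXED = [
    Entry("DEFAULT", {"Group": "NOC"}, "System"),
    Entry("bob", {"Huntgroup-Name": "diegem"}, "System"),
    Entry("somebrusselluser", {"Huntgroup-Name": "brussels"}, "System"),
    Entry("DEFAULT", {}, "Reject"),
]


def compare(user: str, nas_ip: str) -> tuple:
    """Auth-Type chosen by the weak and the fixed users file for one request."""
    return decide(WEAK, user, nas_ip), decide(FIXED, user, nas_ip)


if __name__ == "__main__":
    for user, nas in [("alice", "10.9.1.1"), ("bob", "10.5.1.1"),
                      ("bob", "10.2.1.1"), ("mallory", "10.5.1.1")]:
        weak, fixed = compare(user, nas)
        print(f"{user:>16} from {nas:<10} weak={weak:<7} fixed={fixed}")
```

The bob-from-10.2.x.x and unknown-user rows are the ones that differ: the weak file authorizes them with System, the fixed file rejects them.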


LDAP NT-Password vs. Cleartext-Password

2005-06-14 Thread Florian Prester

Hi,

How can I control whether the radius server should take the NT-Password or the 
Cleartext-Password?
I mapped a cleartext entry in ldap to the User-Password radius entry in 
ldap.attrmap.


The request is looking in the directory for the checkItem: 
User-Password  -- found!

But for authentication it wants to do MS-CHAPv2 with the NT-Password!!??!!

modcall: entering group authenticate for request 7
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/mschapv2
 rlm_eap: processing type mschapv2
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
 rlm_mschap: Told to do MS-CHAPv2 for unrz148 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
 modcall[authenticate]: module mschap returns ok for request 7
modcall: group Auth-Type returns ok for request 7
MSCHAP Success
 modcall[authenticate]: module eap returns handled for request 7
modcall: group authenticate returns handled for request 7
 PEAP: Got tunneled Access-Challenge
 modcall[authenticate]: module eap returns handled for request 7
modcall: group authenticate returns handled for request 7
Sending Access-Challenge of id 64 to 131.188.4.191:20001

but later:
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrz148)

rlm_ldap: checking if remote access for unrz148 is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding fauUserid as User-Password, value unrz148  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user unrz148 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 8
 rlm_eap: EAP packet type response id 7 length 89
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 8
   rlm_realm: No '@' in User-Name = unrz148, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 8
 modcall[authorize]: module files returns notfound for request 8
modcall: group authorize returns updated for request 8
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8

--- What does this mean?
 rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request

 rlm_eap: Failed in handler
 modcall[authenticate]: module eap returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.

---
Login incorrect: [unrz148/no User-Password attribute] (from client airbrush port 0 cli 00-90-4B-8F-B7-3B)

Delaying request 8 for 1 seconds
Finished request 8


I am sorry I do not get it, here is my complete log-Output: see attachment

Thanks
Florian



hints and PPTP/MPPE

2005-06-14 Thread David Batterham


Hi All,

I'm trying to get hints and huntgroups working with PPTP using MPPE 
MSCHAPv2.


I want users to be able to login with uname or uname.suffix. When 
logging in with uname.suffix, the suffix is stripped and a hint is set 
using the hints file. They are also set in a huntgroup.


The users file has a DEFAULT entry for that hint and huntgroup.

This *works* when users connect a certain way (ipsec using clear text 
passwords), but fails on PPTP connections using MPPE.


When connecting via PPTP, the DEFAULT entry does not get hit and it 
falls through to the DEFAULT entry with Auth-Type := Reject. The correct 
entry is hit when connecting via IPSEC.


Despite this, it still sends an Access-Accept (albeit with the 
Reply-Message in the Reject).


My suspicion is that MS Windows is generating MPPE keys based on the 
username with the suffix, and freeradius is correctly authenticating 
against the system (SMBPASSWD file) without the suffix, but generating 
MPPE responses also without the SUFFIX, therefore windows drops the 
connection.


Version is 1.0.3.

Any ideas?

Regs,
Dave
-- 
David Batterham
Information Systems & Services Manager
Department of Electrical & Electronic Engineering
The University of Melbourne, Victoria 3010
Email: [EMAIL PROTECTED]
Phone: +61 3 8344 3366
Fax: +61 3 8344 6678


freeradius no longer accepts Crypt-Password after upgrade

2005-06-14 Thread Rens Houben
Hello group,

Due to a recent catastrophic hardware failure on one of our
radius servers I've had to install a new machine. In the process we also
upgraded freeradius from 0.9.3 to 1.0.2-4, and somehow the radius server
now refuses to accept anything other than a User-Password attribute --
it keeps failing to log in users that have a Crypt-Password set.

I've attached a -xxx debug log below, minus passwords and usernames.

The literal same configuration works fine on another machine running
0.9.3 and retrieving its data from the same database server. Can anyone
suggest what I might be missing?

-- 
Rens Houben   |opinions are mine
Resident linux guru and sysadmin  | if my employers have one
Systemec Internet Services.   |they'll tell you themselves
PGP key at http://swordbreaker.systemec.nl/~shadur/shadur.key.asc

Tue Jun 14 11:52:19 2005 : Debug: Thread 1 handling request 5, (2 handled so far)
User-Name = ---
User-Password = ---
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-IP-Address = --
NAS-Port = 14
NAS-Port-Type = ISDN
Tue Jun 14 11:52:19 2005 : Debug:   Processing the authorize section of radiusd.conf
Tue Jun 14 11:52:19 2005 : Debug: modcall: entering group authorize for request 5
Tue Jun 14 11:52:19 2005 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 5
Tue Jun 14 11:52:19 2005 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 5
Tue Jun 14 11:52:19 2005 : Debug:   modcall[authorize]: module preprocess returns ok for request 5
Tue Jun 14 11:52:19 2005 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 5
Tue Jun 14 11:52:19 2005 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 5
Tue Jun 14 11:52:19 2005 : Debug:   modcall[authorize]: module chap returns noop for request 5
Tue Jun 14 11:52:19 2005 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 5
Tue Jun 14 11:52:19 2005 : Debug: rlm_realm: No '@' in User-Name = ---, looking up realm NULL
Tue Jun 14 11:52:19 2005 : Debug: rlm_realm: No such realm NULL
Tue Jun 14 11:52:19 2005 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 5
Tue Jun 14 11:52:19 2005 : Debug:   modcall[authorize]: module suffix returns noop for request 5
Tue Jun 14 11:52:19 2005 : Debug:   modsingle[authorize]: calling sql (rlm_sql) for request 5
Tue Jun 14 11:52:19 2005 : Debug: radius_xlat:  '---'
Tue Jun 14 11:52:19 2005 : Debug: rlm_sql (sql): sql_set_user escaped user -- '---'
Tue Jun 14 11:52:19 2005 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '---' ORDER BY id'
Tue Jun 14 11:52:19 2005 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Tue Jun 14 11:52:19 2005 : Debug: radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '---' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Tue Jun 14 11:52:19 2005 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '---' ORDER BY id'
Tue Jun 14 11:52:19 2005 : Debug: radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '---' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Tue Jun 14 11:52:19 2005 : Debug: rlm_sql (sql): Released sql socket id: 4
Tue Jun 14 11:52:19 2005 : Debug:   modsingle[authorize]: returned from sql (rlm_sql) for request 5
Tue Jun 14 11:52:19 2005 : Debug:   modcall[authorize]: module sql returns ok for request 5
Tue Jun 14 11:52:19 2005 : Debug: modcall: group authorize returns ok for request 5
Tue Jun 14 11:52:19 2005 : Debug:   rad_check_password:  Found Auth-Type Local
Tue Jun 14 11:52:19 2005 : Debug: auth: type Local
Tue Jun 14 11:52:19 2005 : Debug: auth: user supplied User-Password does NOT match local User-Password
Tue Jun 14 11:52:19 2005 : Debug: auth: Failed to validate the user.
Tue Jun 14 11:52:19 2005 : Auth: Login incorrect: [---/--] (from client sisr port 14)

Re: MAC+EAP authentication

2005-06-14 Thread Jefri bin Dahari
I use Cisco AP 1230 and I set on the authentication for MAC and EAP 
authentication. On client side (Centrino/Windows XP), I set as mentioned in 
the HOW-TO for EAP-TLS. On Freeradius, I only see EAP authentication but no 
MAC authentication. Am I missing something? Please help.


Thanks.

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, June 14, 2005 01:03
Subject: Re: MAC+EAP authentication

> Jefri bin Dahari [EMAIL PROTECTED] wrote:
>
>> I plan to implement simultaneous MAC+EAP authentication for my wireless
>> users. From my observation, Freeradius can only do either MAC or EAP but not
>> MAC and EAP authentication. Can somebody give me some hints on how to do
>> that?
>
> It can do both.  EAP is authentication, MAC checking isn't really
> authentication.
>
> What are you seeing in RADIUS packets, and what do you want to happen?
>
> Alan DeKok.


'authorize' module

2005-06-14 Thread Edgars Klavinskis

still fighting with the test configuration..

I have created two rlm_passwd modules. Afterwards, I have put them under the 
'authorize' section one after the other. Why is the daemon accepting the request 
depending only on the rlm_passwd file where User-Password is present and 
ignoring the one which should check NAS-IP-Address and Realm? My aim is 
to make it so that if the last mentioned returns wrong, the whole 
request is wrong.


Please assist me with ideas.

Edgars


Multiple Authentication REALMS

2005-06-14 Thread Shepherd, Dave

Hi,

It's been a long time, as the freeRADIUS software I've been using for the last 3 years hasn't needed looking at since installation.

So a big thank you to the development team :-)

However, as with most things it's so good I've now got to redesign and re-implement to encompass more of our infrastructure, and I'm having problems.

I have a number of settings in the _users_ file that are based on the _Called_Station_ID_ then proxy the requests to a specified REALM.

i.e.

DEFAULT  Called-Station-Id == a telephone number, Proxy-To-Realm := NULL
         Fall-Through = Yes

DEFAULT  Called-Station-Id == another telephone number, Proxy-To-Realm := NULL
         Fall-Through = Yes

DEFAULT  Called-Station-Id == yet another number, Proxy-To-Realm := SPECIAL
         Fall-Through = Yes

Now, the NULL realm is defined in the proxy.conf file as:

realm NULL {
        type = radius
        authhost = radiusserver.some.domain:1645
        accthost = radiusserver.some.domain:1646
        Secret = radiussecret
}

This works and actually points to a MS IAS server going against an NT4 Domain.

Now I need to authenticate a different set of users (who dial a different number) against an LDAP repository, so as you can see from my _users_ file I direct them at the SPECIAL realm, which I have set as follows in proxy.conf:

realm SPECIAL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

My plan was for this to then use the local radius server, which has an _ldap_ module configured, which from what I can make out is working:

ldap {
        server = 127.0.0.1
        basedn = dc=some,dc=domain,dc=co,dc=uk
        filter = (uid=%u)
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

And then in the authorize and authenticate sections simply include _ldap_

authorize {
        preprocess
        chap
        eap
        ldap
        files
        mschap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type {
                mschap
        }
        unix
        ldap
        eap
}

Now all I see when using NTRadping, and sending the additional _Called_Station_Id_ attribute set to the required number, is the following in my _radius.log_

Error: Dropping packet from client Dave_Test:2328 - ID: 2 due to dead request 5018

When I run the radiusd with the -X flag (bearing in mind it's a Production Service) I can make out the call being made to my LDAP server and a rlm_ldap authorize, but then the request just finishes without giving me an Access-Accept packet, and the relevant settings from the _radreply_ table in the Postgres Database?

rad_recv: Access-Request packet from host xx.xx.xx.xx:2796, id=4, length=62
        User-Name = unextest20
        User-Password = nexus
        Called-Station-Id = xx
rad_lowerpair:  User-Name now 'unextest20'
modcall: entering group authorize for request 14
  modcall[authorize]: module preprocess returns ok for request 14
  modcall[authorize]: module chap returns noop for request 14
  modcall[authorize]: module eap returns noop for request 14
    rlm_realm: No '@' in User-Name = unextest20, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Adding Stripped-User-Name = unextest20
    rlm_realm: Proxying request from user unextest20 to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Preparing to proxy authentication request to realm NULL
  modcall[authorize]: module suffix returns updated for request 14
radius_xlat:  'unextest20'
rlm_sql (sql): sql_set_user escaped user -- 'unextest20'
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'unextest20' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 8
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'unextest20' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows = 
radius_xlat:  'SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows = 
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'unextest20' ORDER BY id'
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'unextest20' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows = 
radius_xlat:  'SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, 

SQL based Simultaneous-Use troubles

2005-06-14 Thread Aaron Paetznick


I'm having some trouble getting FreeRADIUS to use the SQL tables for 
determining Simultaneous-Use.  I've reviewed the doc/Simultaneous-Use 
file.  I've uncommented the simul_count_query line in sql.conf.  I'm 
already successfully using SQL authentication and accounting.  I've 
entered Simultaneous-Use:=1 in the radgroupcheck table.  No matter what 
I do, this is what I get in the log:


Mon Jun 13 09:32:23 2005 : Error: Check-TS: timeout waiting for checkrad


You can go to http://www.tnics.com/raddb/ to see my entire etc/raddb 
directory (with the clients file, passwords, secrets, and other 
sensitive bits removed).


Can anybody offer any suggestions?  I'm just trying to use 100% 
SQL-based Simultaneous-Use checking, so checkrad shouldn't even be 
called, right?  I'm probably missing something really simple.  Thanks!



--Aaron





Debian .deb Installation Version 1.0.2 CA.all doesn't exist

2005-06-14 Thread Michael Langer
Hi @all,

I read some HowTos for installing FreeRadius/PEAP and they used the
CA.all script to create the certificates. But I can't find this script after
installing the FreeRadius deb version 1.0.2 on my PC. Do I have to install other
packages? Openssl is already installed. (After installing Freeradius)

thx for hints

Michael L.



Logging SQL queries to logfile

2005-06-14 Thread Lucas Aimaretto
Hi all, 

Is there any way of logging the MSSQL queries ( with values ) to the
radius.log file ?

I can see the following in the radius.log file ... 

Tue Jun 14 00:53:53 2005 : Error: rlm_sql (sql): Couldn't update SQL
accounting STOP record - HY019 [unixODBC][FreeTDS][SQL Se
rver]Arithmetic overflow error converting numeric to data type numeric.

... but I do not know which values in the accounting_stop_query made
this happen.

I know I can run radiusd with the -X, but I'd like to run it at
background.

Best regards,

Lucas



Re: PEAP + local = OK, same config + LDAP failed

2005-06-14 Thread Dustin Doris

Never used EAP, but perhaps this will be helpful.

rlm_ldap: - authorize
rlm_ldap: performing user authorization for unrzwlan1
radius_xlat:  '(Userid=unrzwlan1)'
radius_xlat:  'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrzwlan1)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 6


That looks pretty clear to me that this user does not exist in your
ldap directory.  Perhaps you have the search filter incorrect?

Or, the user you are binding with does not have access to read that user's
entry.

rlm_ldap: bind as cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE/zope148FP to 131.188.3.53:400
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful


What happens if you do an ldapsearch from command line?

# ldapsearch -D "cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE" -w zope148FP -b "ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE" "(Userid=unrzwlan1)"





Multiple Authentication REALMS - I hope in Plain Text

2005-06-14 Thread Shepherd, Dave
Hi,

  It's been a long time, as the freeRADIUS software I've being using for
the last 3 years hasn't needed looking at since installation. 

  So a big thank you to the development team J

  However, as with most things it's so good I've now got to redesign and
re-implement to encompass more of our infrastructure, and I'm having
problems.

  I have a number of settings in the _users_ file that are based on the
_Called_Station_ID_ then proxy the requests to a specified REALM.

  i.e.

 DEFAULT Called-Station-Id == a telephone number,
Proxy-To-Realm := NULL
Fall-Through = Yes

 DEFAULTCalled-Station-Id == another telephone number,
Proxy-To-Realm := NULL
Fall-Through = Yes

 DEFAULTCalled-Station-Id == yet another number,
Proxy-To-Realm := SPECIAL
Fall-Through = Yes

Now, the NULL realm is defined in the proxy.conf file as:

realm NULL {
        type     = radius
        authhost = radiusserver.some.domain:1645
        accthost = radiusserver.some.domain:1646
        Secret   = radiussecret
}

This works and actually points to a MS IAS server going against an NT4
Domain.

Now I need to authenticate a different set of users (who dial a
different number) against an LDAP repository, so as you can see from my
_users_ file I direct them at the SPECIAL realm, which I have set as
follows in proxy.conf:

realm SPECIAL {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

My plan was for this to then use the local radius server, which has an
_ldap_ module configured, which from what I can make out is working:

ldap {
server = 127.0.0.1
basedn = dc=some,dc=domain,dc=co,dc=uk
filter = (uid=%u)
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}

And then in the authorize and authenticate sections simply include
_ldap_

authorize {
preprocess
chap
eap
ldap
files
mschap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type {
mschap
}
unix
ldap
eap
}

Now all I see when using NTRadping, and sending the additional
_Called_Station_Id_ attribute set to the required number is the
following in my _radius.log_

Error: Dropping packet from client Dave_Test:2328 - ID: 2 due to
dead request 5018

When I run radiusd with the -X flag (bearing in mind it's a
Production Service) I can make out the call being made to my LDAP server
and an rlm_ldap authorize, but then the request just finishes without
giving me an Access-Accept packet and the relevant settings from the
_radreply_ table in the Postgres Database?

rad_recv: Access-Request packet from host xx.xx.xx.xx:2796, id=4,
length=62
User-Name = unextest20
User-Password = nexus
Called-Station-Id = xx
rad_lowerpair:  User-Name now 'unextest20'
modcall: entering group authorize for request 14
  modcall[authorize]: module preprocess returns ok for request 14
  modcall[authorize]: module chap returns noop for request 14
  modcall[authorize]: module eap returns noop for request 14
rlm_realm: No '@' in User-Name = unextest20, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = unextest20
rlm_realm: Proxying request from user unextest20 to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Preparing to proxy authentication request to realm NULL

  modcall[authorize]: module suffix returns updated for request 14
radius_xlat:  'unextest20'
rlm_sql (sql): sql_set_user escaped user -- 'unextest20'
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'unextest20' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 8
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'unextest20' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows = 
radius_xlat:  'SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows = 
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username 

PAM_RADIUS_AUTH setip on RHEL Linux 32 bit

2005-06-14 Thread Talwar, Puneet (NIH/NIAID)

Hi,



I am trying to set up pam_radius_auth on my RHEL WS v4. I followed
the directions from the pam_radius_app package which I downloaded from
freeradius.org. I copied the appropriate files to the right locations.
I configured pam_radius_auth.conf in the /etc/raddb/server folder to talk to
a radius server which is running in a MS Windows environment. The next
problem is that I am not able to configure the PAM modules appropriately to
work with pam_radius_auth.so. I was able to get vsftpd working and I can
authenticate, but when I check /var/log/messages I see the
following message.

vsftpd[X]: pam_radius_auth: No RADIUS server found in
configuration file /etc/raddb/server

If someone has had a similar problem and knows a fix for
this, please help me.



Thanks,

Re: Logging SQL queries to logfile

2005-06-14 Thread Nicolas Baradakis
Lucas Aimaretto wrote:

 Is there any way of logging the MSSQL queries ( with values ) to the
 radius.log file ?

Read rlm_sql(5) manpage and search for the sqltrace option.

-- 
Nicolas Baradakis


FR eap-ttls , winxp client configuration

2005-06-14 Thread Bruno Quintas
Hi, I want to change my current setup (eap-tls) to eap-ttls so that I 
don't need the client certificates.

I'm really not understanding how to use these options, or whether I should use them:

copy_request_to_tunnel = no
use_tunneled_reply = no

Can somebody give some hints on configuring Win XP with SecureW2 in this 
scenario?


thanks,
B




Re: Proxim AP-4000 MAC Auth w/multi VLAN assignment support

2005-06-14 Thread Michael Griego
You can't do RADIUS-assigned VLANs unless you're doing EAP 
authentication.  It won't work with MAC authentication.


--Mike


Matthew Sweet wrote:

Hello,

I am looking at setting up a group of Proxim AP-4000 wireless gateways. I
want to be able to authenticate via the MAC address of each user's laptop
WiFi NIC.

I am trying to find the raddb tags required to send / receive the
information to make this work. Can someone point me in the right direction
as far as this goes?

Much appreciated to all.

Matt




Re: MAC+EAP authentication

2005-06-14 Thread Alan DeKok
Artur Hecker [EMAIL PROTECTED] wrote:
 implementing EAP or MAC authentication, meaning that one of both would
 work, is a huge security hole and requiring both is useless since EAP
 authentication implicitly filters away everything unauthenticated...

  Doing *both* ensures that known users only use known hardware to
access the net.  Sort of.

  Alan DeKok.



RE: Multiple Authentication REALMS - I hope in Plain Text

2005-06-14 Thread Shawn K. O'Shea
From what you've provided, I believe what is happening is that your
requests that you *want* to go to local LDAP are still being proxied to
your IAS server, and for some reason IAS isn't sending an Access-Reject
so you get that error about a dead request. 

Realm NULL is a special realm that means there is no realm as part of
the username as per any definitions of the realm module in
radiusd.conf. It appears from your debug output that you have the realm
for @ defined (suffix realm, anything after an @ symbol is the realm).
Since your new Called-Station-Id still has a user with no realm, it's
proxied to NULL as your debug shows:

rlm_realm: No '@' in User-Name = unextest20, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = unextest20
rlm_realm: Proxying request from user unextest20 to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Preparing to proxy authentication request to realm NULL

I *believe* the behaviour you truly want is something more like this:

 DEFAULT Called-Station-Id == a telephone number, Proxy-To-Realm := msias
        Fall-Through = Yes

 DEFAULT Called-Station-Id == another telephone number, Proxy-To-Realm := msias
        Fall-Through = Yes

 DEFAULT Called-Station-Id == yet another number, Proxy-To-Realm := localldap
        Fall-Through = Yes

And in proxy.conf:
realm msias {
        type     = radius
        authhost = radiusserver.some.domain:1645
        accthost = radiusserver.some.domain:1646
        Secret   = radiussecret
}

realm localldap {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

Also, I'd just make sure what line in your users file is being matched.
Your debug output says a DEFAULT entry at line 90.

Check your IAS event log to see if it's getting proxied requests. I
usually run radiusd with -Xxx for extra debugging; when a request gets
proxied, you should see something like this:

Fri Jun 10 15:02:47 2005 : Debug:  proxy: creating 0d02a8c0:1812
Fri Jun 10 15:02:47 2005 : Debug:  proxy: allocating 0d02a8c0:1812 0
Sending Access-Request of id 0 to a.b.c.d:1812

And a list of attributes.

Hope this helps.

-Shawn
~ 
Shawn O'Shea
Network Engineer
Airpath Wireless, Inc.
Clearing the Way
781-250-3500-office
781-250-3535-direct
781-250-3503-fax
[EMAIL PROTECTED]
http://www.airpath.com
~
 
CONFIDENTIALITY STATEMENT
This electronic message contains information from Airpath Wireless,
Inc., and may be confidential or privileged. The information is intended
to be for the use of the individual or entity named above. If you are
not the intended recipient, be aware that any disclosure, copying,
distribution or use of the contents of this message is prohibited. If
you have received this electronic message in error, please notify the
sender immediately by reply e-mail [EMAIL PROTECTED] or telephone at
(781) 250-3500. 
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Shepherd, Dave
 Sent: Tuesday, June 14, 2005 9:49 AM
 To: freeradius-users@lists.freeradius.org
 Subject: Multiple Authentication REALMS - I hope in Plain Text
 
 Hi,
 
   It's been a long time, as the freeRADIUS software I've 
 being using for the last 3 years hasn't needed looking at 
 since installation. 
 
   So a big thank you to the development team J
 
   However, as with most things it's so good I've now got to 
 redesign and re-implement to encompass more of our 
 infrastructure, and I'm having problems.
 
   I have a number of settings in the _users_ file that are 
 based on the _Called_Station_ID_ then proxy the requests to a 
 specified REALM.
 
   i.e.
 
  DEFAULT Called-Station-Id == a telephone number,
 Proxy-To-Realm := NULL
 Fall-Through = Yes
 
  DEFAULTCalled-Station-Id == another telephone number,
 Proxy-To-Realm := NULL
 Fall-Through = Yes
 
  DEFAULTCalled-Station-Id == yet another number,
 Proxy-To-Realm := SPECIAL
 Fall-Through = Yes
 
 Now, the NULL realm is defined in the proxy.conf file as:
 
 realm NULL {
 type= radius
 authhost= radiusserver.some.domain:1645
 accthost= radiusserver.some.domain:1646
 Secret  = radiussecret
   }
 
 This works and actually points to a MS IAS server going 
 against an NT4 Domain.
 
 Now I need to authenticate a different set of users (who dial 
 a different number) against an LDAP repository, so as you can 
 see from my _users_ file I direct them at the SPECIAL 
 realm, which I have set as follows in proxy.conf:
 
 realm SPECIAL {
 type= radius
 authhost= LOCAL
 accthost= LOCAL
 }
 
 My plan was for this to then use the local radius server, 
 which has an _ldap_ module configure, which 
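
The users-file matching Shawn describes above, as an added model that is not FreeRADIUS code: rlm_files walks the DEFAULT entries in file order, a `:=` item always overwrites while `=` only sets an absent attribute, and scanning continues past a match only when Fall-Through = Yes. The telephone numbers and the request are constructed sample values; the `initial` argument stands in for a Proxy-To-Realm that an earlier module such as rlm_realm may already have set.

```python
"""Added model of users-file matching (not FreeRADIUS code).  It shows why a
DEFAULT entry keyed on Called-Station-Id can pick a Proxy-To-Realm, and how the
`:=` operator overrides a realm that an earlier module already chose."""
from dataclasses import dataclass


@dataclass
class Entry:
    name: str            # "DEFAULT" matches any user; otherwise an exact User-Name
    checks: dict         # check items: attribute -> value that must compare equal
    items: list          # (attribute, operator, value) tuples; operator is ":=" or "="
    fall_through: bool   # Fall-Through = Yes: keep scanning after this entry matches


def entry_matches(entry, request):
    if entry.name != "DEFAULT" and request.get("User-Name") != entry.name:
        return False
    return all(request.get(attr) == value for attr, value in entry.checks.items())


def apply_users_file(entries, request, initial=None):
    """Walk the entries in file order.  On a match, apply its items to the
    config list and stop unless the entry has Fall-Through = Yes.
    `initial` models attributes set by modules that ran before files."""
    config = dict(initial or {})
    matched = []
    for index, entry in enumerate(entries):
        if not entry_matches(entry, request):
            continue
        matched.append(index)
        for attr, op, value in entry.items:
            if op == ":=":                     # always overwrite
                config[attr] = value
            elif op == "=":                    # only set when absent
                config.setdefault(attr, value)
            else:
                raise ValueError(f"unsupported operator {op!r}")
        if not entry.fall_through:
            break
    return config, matched


# Constructed sample entries following Shawn's suggested layout; the numbers
# are placeholders, not real dial-in numbers.
USERS = [
    Entry("DEFAULT", {"Called-Station-Id": "5551000"},
          [("Proxy-To-Realm", ":=", "msias")], fall_through=True),
    Entry("DEFAULT", {"Called-Station-Id": "5552000"},
          [("Proxy-To-Realm", ":=", "msias")], fall_through=True),
    Entry("DEFAULT", {"Called-Station-Id": "5553000"},
          [("Proxy-To-Realm", ":=", "localldap")], fall_through=True),
]


def realm_for(called_station_id, preset_realm=None, entries=USERS):
    """Which realm the request ends up proxied to (None: no entry matched
    and nothing earlier set Proxy-To-Realm)."""
    request = {"User-Name": "unextest20", "Called-Station-Id": called_station_id}
    initial = {"Proxy-To-Realm": preset_realm} if preset_realm else None
    config, _ = apply_users_file(entries, request, initial)
    return config.get("Proxy-To-Realm")


if __name__ == "__main__":
    for number in ("5551000", "5553000", "5559999"):
        print(number, "->", realm_for(number))
    # an earlier module chose NULL; the := item in the matching entry replaces it
    print("5553000 with NULL preset ->", realm_for("5553000", preset_realm="NULL"))
```

Run it and compare with the debug output quoted above: a request whose Called-Station-Id matches no entry keeps whatever the realm module set, which is the path that leads to the NULL realm and the IAS proxy.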

Re: MAC+EAP authentication

2005-06-14 Thread Alan DeKok
Jefri bin Dahari [EMAIL PROTECTED] wrote:
 authentication. On client side (Centrino/Windows XP), I set as mentioned in 
 the HOW-TO for EAP-TLS. On Freeradius, I only see EAP authentication but no 
 MAC authentication. Am I missing something? Please help.

  Read your NAS documentation.

  There's nothing you can do to FreeRADIUS to get the NAS to behave
differently.

  Alan DeKok.




Re: 'authorize' module

2005-06-14 Thread Alan DeKok
Edgars Klavinskis [EMAIL PROTECTED] wrote:
 I have created two rlm_passwd modules. Afterwards, I have put them under 
 the 'authorize' section one by one. Why is the daemon accepting the request 
 depending only on the rlm_passwd file where User-Password is present and 
 ignoring the one which should check NAS-IP-Address and Realm?

  Read the debug log.

 My aim is to make it so that if the last mentioned returns wrong,
 the whole request is wrong.

  Read doc/configurable_failover

  Alan DeKok.


Re: SQL based Simultaneous-Use troubles

2005-06-14 Thread Alan DeKok
Aaron Paetznick [EMAIL PROTECTED] wrote:
 I'm having some trouble getting FreeRADIUS to use the SQL tables for 
 determining Simultaneous-Use.  I've reviewed the doc/Simultaneous-Use 
 file.  I've uncommented the simul_count_query line in sql.conf.  I'm 
 already successfully using SQL authentication and accounting.  I've 
 entered Simultaneous-Use:=1 in the radgroupcheck table.

  That should work.

  No matter what 
 I do, this is what I get in the log:
 
 Mon Jun 13 09:32:23 2005 : Error: Check-TS: timeout waiting for checkrad

  So Simultaneous-Use *is* working.  You now have to figure out why
checkrad is taking so long.

 Can anybody offer any suggestions?  I'm just trying to use 100% 
 SQL-based Simultaneous-Use checking, so checkrad shouldn't even be 
 called, right?  I'm probably missing something really simple.  Thanks!

  Checkrad is called because the server may not have received
accounting data.  You can turn it off by making the client type = other

  Alan DeKok.



Re: Logging SQL queries to logfile

2005-06-14 Thread Alan DeKok
Lucas Aimaretto [EMAIL PROTECTED] wrote:
 Is there any way of logging the MSSQL queries ( with values ) to the
 radius.log file ?

  There's the sqltrace file.

 rver]Arithmetic overflow error converting numeric to data type numeric.
 
 ... but I do not know which values in the accounting_stop_query made
 this happen.

  Run the server in debugging mode.

  Alan DeKok.


Re: PAM_RADIUS_AUTH setip on RHEL Linux 32 bit

2005-06-14 Thread Alan DeKok
Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
 I was able to get the vsftpd working, I can
 authenticate but when I go check to the /var/log/messages  I see the
 following message.
 
 vsftpd[X]: pam_radius_auth: No RADIUS server found in configuration file
 /etc/raddb/server

  So... what's the content of that file?  Does it even exist?

  Alan DeKok.


Link error (invalid ELF header) in freeradius 1.0.3

2005-06-14 Thread Software Development Group


Hello,
I am getting the following error when running freeradius -X:

radiusd.conf[2] Failed to link to module 'rlm_sqlcounter': /usr/lib/freeradius/rlm_sqlcounter.a: invalid ELF header

Can anyone help?


RE: PAM_RADIUS_AUTH setip on RHEL Linux 32 bit

2005-06-14 Thread Talwar, Puneet (NIH/NIAID)
Here is the content of the pam_radius_auth.conf file and yes it does exist
in /etc/raddb/server folder.



# server[:port] shared_secret  timeout (s)
#127.0.0.1  secret 1
IP Address XXX.XXX.XXX.XXX  Secret_Key3



-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 14, 2005 11:16 AM
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH setip on RHEL Linux 32 bit 

Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
 I was able to get the vsftpd working, I can
 authenticate but when I go check to the /var/log/messages  I see the
 following message.
 
 vsftpd[X]: pam_radius_auth: No RADIUS server found in configuration
file
 /etc/raddb/server

  So... what's the content of that file?  Does it even exist?

  Alan DeKok.


Re:LDAP basedn context

2005-06-14 Thread Matt McFarlane
Correct, it is unable to find the user.  When set at a higher context I receive 
the following error:

rlm_ldap: performing search in o=wheaton, with filter (cn=testacct)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed

My ldap config is as follows.  If I change the basedn to where the user is 
located (ou=cs,ou=srvc,o=wheaton) then it works.

ldap test-ldap {
server = ldapserver.wheaton.edu
identity = cn=admin,o=wheaton
password = password
basedn = o=wheaton
filter = (cn=%{Stripped-User-Name:-%{User-Name}})
start_tls = yes

tls_cacertfile  = /etc/raddb/certs/wheatonCA/wheatonca.b64
tls_require_cert= demand

access_attr = cn
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = nspmPassword
timeout = 4
timelimit = 3
net_timeout = 1
}

matt...


 Is it possible to specify the basedn above where the users are actually
 located and have freeradius find the user in a subcontext?  For instance
 if my ldap is setup as ou=users1,ou=loc1,o=org and
 ou=users2,ou=loc2,ou=o=org can I specify basedn=o=org and find users
 in both users1 and users2?

 Thanks.

I think so, is it not working for you?




Re: MAC+EAP authentication

2005-06-14 Thread Artur Hecker
Alan,

well, unfortunately not really. and most importantly: it does not
assure the users use the known SOFTware to access the net.

imho, hardware has never ever represented a problem so far.


ciao
artur


On 6/14/05, Alan DeKok [EMAIL PROTECTED] wrote:
 Artur Hecker [EMAIL PROTECTED] wrote:
  implementing EAP or MAC authentication, meaning that one of both would
  work, is a huge security hole and requiring both is useless since EAP
  authentication implicitly filters away everything unauthenticated...
 
   Doing *both* ensures that known users only use known hardware to
 access the net.  Sort of.
 
   Alan DeKok.
 


Expiration Module

2005-06-14 Thread Jaco van Tonder
I have downloaded the latest CVS snapshot (the 12th of June) and am running
it on Redhat 9 with Postgresql.

I have configured the expiration module and added an entry in the
radgroupcheck table. If I send a radius request to my server for a valid
user and the expiration date is set to later than now() - the server issues
an access-accept but if the expiration date/time has been reached - the
server traps this - but NO reply message is sent.

Is there something I am missing?

Attached the part of the debug log showing what happens:

rlm_expiration: Checking Expiration time: '13 Jun 2005'
rlm_expiration: Account has expired
radius_xlat:  'Your account has expired, jacotest  '
  modcall[authorize]: module expiration returns userlock for request 1
modcall: leaving group authorize (returns userlock) for request 1
Invalid user (Account has expired [Expiration 13 Jun 2005]):
[jacotest/jjtest] (from client localhost port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request

Any help will be appreciated

Jaco van Tonder


Re: PAM_RADIUS_AUTH setip on RHEL Linux 32 bit

2005-06-14 Thread Alan DeKok
Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
 Here is the content of the pam_radius_auth.conf file and yes it does exist
 in /etc/raddb/server folder.
 
 # server[:port] shared_secret  timeout (s)
 #127.0.0.1  secret 1
 IP Address XXX.XXX.XXX.XXX  Secret_Key3

  Either you've edited it so much as to be useless, or you're using
that file as-is.  Either way, I have no idea what the ACTUAL contents
of the file is, and therefore I have no way to help you.

  If you don't know how to fix the problem on your own, any editing of
the configuration files you do before posting them here is guaranteed
to make those files useless.

  Alan DeKok.



Re:LDAP basedn context

2005-06-14 Thread Dustin Doris

 Correct, it is unable to find the user.  When set at a higher context I 
 receive the following error:

 rlm_ldap: performing search in o=wheaton, with filter (cn=testacct)
 rlm_ldap: object not found or got ambiguous search result
 rlm_ldap: search failed

 My ldap config is as follows.  If I change the basedn to where the user is 
 located (ou=cs,ou=srvc,o=wheaton) then it works.

 ldap test-ldap{
 server = ldapserver.wheaton.edu
 identity = cn=admin,o=wheaton
 password = password
 basedn = o=wheaton
 filter = (cn=%{Stripped-User-Name:-%{User-Name}})
 start_tls = yes

 tls_cacertfile  = /etc/raddb/certs/wheatonCA/wheatonca.b64
 tls_require_cert= demand

 access_attr = cn
 dictionary_mapping = ${raddbdir}/ldap.attrmap
 ldap_connections_number = 5
 password_attribute = nspmPassword
 timeout = 4
 timelimit = 3
 net_timeout = 1
 }

 matt...


  Is it possible to specify the basedn above where the users are actually
  located and have freeradius find the user in a subcontext?  For instance
  if my ldap is setup as ou=users1,ou=loc1,o=org and
  ou=users2,ou=loc2,ou=o=org can I specify basedn=o=org and find users
  in both users1 and users2?
 


Hmmm, I thought it did a subtree search, maybe not.  You could use
configurable_failover to search both trees.

in radiusd.conf make two ldap instances with the same config except the
basedn.

ldap ldap1 {
 config with one basedn
}

ldap ldap2 {
  config with other basedn
}

in authorize section define them as a group

authorize {
  group {
ldap1
ldap2
  }
}





Re: Expiration Module

2005-06-14 Thread Alan DeKok
Jaco van Tonder [EMAIL PROTECTED] wrote:
 if the expiration date/time has been reached - the
 server traps this - but NO reply message is sent.
...
 Delaying request 1 for 1 seconds

  So... is it delayed for 1 second, or is it *never* sent?

  My tests show it's only delayed for reject_delay time.

  Alan DeKok.


Re: Multiple Authentication REALMS - I hope in Plain Text

2005-06-14 Thread Alan DeKok
Shepherd, Dave [EMAIL PROTECTED] wrote:
 realm SPECIAL {
 type= radius
 authhost= LOCAL
 accthost= LOCAL
 }

  In the latest versions, this is realm LOCAL, but that doesn't make
too much difference.

 Auth-Type {
 mschap
 }

  Are you sure?  How about Auth-Type mschap { ...

 modcall: group authorize returns updated for request 14
 Finished request 14

  Hmm... something is marking the request as done, without calling the
authenticate section.  I have no idea why, and I don't recall ever
seeing anything like that.

 If one of you guys has had to do something similar, or can see any
 glaring omissions in my config (which I seem to think there is) could
 you please point me in the right direction.

  As always, start with the default configuration: it works.

  Then, gradually add your edits, testing after every edit, to be sure
that it still works.  Once you're done, you should have your local
configuration, and it should still work.

  Alan DeKok.


RE: LDAP basedn context

2005-06-14 Thread Zawacki Jason D Contr AFRL/IFOS
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Dustin Doris
 Sent: Tuesday, June 14, 2005 12:51 PM
 To: FreeRadius users mailing list
 Subject: Re:LDAP basedn context
 
 
  Correct, it is unable to find the user.  When set at a 
 higher context I receive the following error:
 
  rlm_ldap: performing search in o=wheaton, with filter (cn=testacct)
  rlm_ldap: object not found or got ambiguous search result
  rlm_ldap: search failed
 
  My ldap config is as follows.  If I change the basedn to 
 where the user is located (ou=cs,ou=srvc,o=wheaton) then it works.
 
  ldap test-ldap{
  server = ldapserver.wheaton.edu
  identity = cn=admin,o=wheaton
  password = password
  basedn = o=wheaton
  filter = (cn=%{Stripped-User-Name:-%{User-Name}})
  start_tls = yes
 
  tls_cacertfile  = 
 /etc/raddb/certs/wheatonCA/wheatonca.b64
  tls_require_cert= demand
 
  access_attr = cn
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  ldap_connections_number = 5
  password_attribute = nspmPassword
  timeout = 4
  timelimit = 3
  net_timeout = 1
  }
 
  matt...
 
 
   Is it possible to specify the basedn above where the 
 users are actually
   located and have freeradius find the user in a 
 subcontext?  For instance
   if my ldap is setup as ou=users1,ou=loc1,o=org and
   ou=users2,ou=loc2,ou=o=org can I specify basedn=o=org 
 and find users
   in both users1 and users2?
  
 
 
 Hmmm, I thought it did a subtree search, maybe not.  You could use
 configurable_failover to search both trees.

FWIW, I am taking advantage of subtree search and it works fine.  I don't
see anything in his setup that would prevent it from happening.


 
 in radiusd.conf make two ldap instances with the same config 
 except the
 basedn.
 
 ldap ldap1 {
  config with one basedn
 }
 
 ldap ldap2 {
   config with other basedn
 }
 
 in authorize section define them as a group
 
 authorize {
   group {
 ldap1
 ldap2
   }
 }
 
 
 


Re: freeradius no longer accepts Crypt-Password after upgrade

2005-06-14 Thread Alan DeKok
[EMAIL PROTECTED] (Rens Houben) wrote:
 The literal same configuration works fine on another machine running
 0.9.3 and retrieving its data from the same database server. Can anyone
 suggest what I might be missing?

  It should work.

  Are you using the 1.0.2 dictionary files, or the 0.9.3 ones?  If
you're using the 0.9.3 ones, switch the server to using the new ones.
That should help.

  Alan DeKok.


RE: PAM_RADIUS_AUTH setip on RHEL Linux 32 bit

2005-06-14 Thread Talwar, Puneet (NIH/NIAID)
Sorry about that,

Here is the full content of the file.

# cat pam_radius_auth.conf

#  pam_radius_auth configuration file.  Copy to: /etc/raddb/server
#
#  For proper security, this file SHOULD have permissions 0600,
#  that is readable by root, and NO ONE else.  If anyone other than
#  root can read this file, then they can spoof responses from the server!
#
#  There are 3 fields per line in this file.  There may be multiple
#  lines.  Blank lines or lines beginning with '#' are treated as
#  comments, and are ignored.  The fields are:
#
#  server[:port] secret [timeout]
#
#  the port name or number is optional.  The default port name is
#  radius, and is looked up from /etc/services The timeout field is
#  optional.  The default timeout is 3 seconds.
#
#  If multiple RADIUS server lines exist, they are tried in order.  The
#  first server to return success or failure causes the module to return
#  success or failure.  Only if a server fails to response is it skipped,
#  and the next server in turn is used.
#
#  The timeout field controls how many seconds the module waits before
#  deciding that the server has failed to respond.

# server[:port] shared_secret  timeout (s)
#127.0.0.1  secret 1
IP Address XXX.XXX.XXX.XXX  Secret_Key3
#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 14, 2005 12:48 PM
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH setip on RHEL Linux 32 bit 

Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
 Here is the content of the pam_radius_auth.conf file and yes it does exist
 in /etc/raddb/server folder.
 
 # server[:port] shared_secret  timeout (s)
 #127.0.0.1  secret 1
 IP Address XXX.XXX.XXX.XXX  Secret_Key3

  Either you've edited it so much as to be useless, or you're using
that file as-is.  Either way, I have no idea what the ACTUAL contents
of the file is, and therefore I have no way to help you.

  If you don't know how to fix the problem on your own, any editing of
the configuration files you do before posting them here is guaranteed
to make those files useless.

  Alan DeKok.



Re: PAM_RADIUS_AUTH setip on RHEL Linux 32 bit

2005-06-14 Thread Alan DeKok
Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
 Here is the full content of the file.
...
 IP Address XXX.XXX.XXX.XXX  Secret_Key3

  That line is NONSENSE.  If it's actually in your configuration file,
it WON'T WORK.

  You have to list the IP address, not the text IP Address.  See the
line just above this one, which gives an example of what to do.

  Alan DeKok.
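
Alan's point above (the first field has to be a literal address or hostname, on one line with the secret) as an added, stand-alone validator. This is not pam_radius_auth's own parser: the hostname regular expression, the 0600 permission check and the two sample file contents are my assumptions and constructed values; the `server[:port] secret [timeout]` layout, the 3-second default and the permission requirement come from the comment block in the file quoted earlier in the thread.

```python
"""Added validator for the pam_radius_auth.conf layout documented in the file's
own comment block: `server[:port] secret [timeout]`, '#' comments and blank
lines ignored.  This is not pam_radius_auth's parser; it mimics the checks an
admin would want before installing the file as /etc/raddb/server."""
import ipaddress
import re
import stat
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_TIMEOUT = 3        # seconds, as stated in the file's comment block
HOSTNAME_RE = re.compile(   # assumption: RFC 1123-style labels, no trailing dot
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


@dataclass
class RadiusServer:
    host: str
    port: Optional[str]    # service name or number; None = module default
    secret: str
    timeout: int


def is_server_name(host: str) -> bool:
    """An IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.match(host) is not None


def parse_pam_radius_conf(text: str) -> Tuple[List[RadiusServer], List[str]]:
    servers, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            errors.append(f"line {lineno}: expected 'server[:port] secret [timeout]', "
                          f"found {len(fields)} fields: {line!r}")
            continue
        host, _, port = fields[0].partition(":")
        if not is_server_name(host):
            errors.append(f"line {lineno}: {host!r} is not an IP address or hostname")
            continue
        timeout = DEFAULT_TIMEOUT
        if len(fields) == 3:
            if not fields[2].isdigit():
                errors.append(f"line {lineno}: timeout {fields[2]!r} is not a number")
                continue
            timeout = int(fields[2])
        servers.append(RadiusServer(host, port or None, fields[1], timeout))
    if not servers:
        # the condition behind the syslog line quoted in the thread
        errors.append("No RADIUS server found in configuration file")
    return servers, errors


def mode_is_private(st_mode: int) -> bool:
    """True when no group/other permission bit is set (e.g. 0600): the file's
    own requirement, since anyone who reads the secret can forge replies."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


# Constructed sample: the line as posted, which is a placeholder and not a server
BROKEN_CONF = """\
# server[:port] shared_secret  timeout (s)
#127.0.0.1  secret 1
IP Address XXX.XXX.XXX.XXX  Secret_Key3
"""

# Constructed sample of the intended layout (documentation addresses, dummy secrets)
FIXED_CONF = """\
# server[:port] shared_secret  timeout (s)
192.0.2.10:1812        dummy-secret-1   5
radius.example.org     dummy-secret-2
"""

if __name__ == "__main__":
    for label, conf in (("as posted", BROKEN_CONF), ("corrected", FIXED_CONF)):
        servers, errors = parse_pam_radius_conf(conf)
        print(label, "->", servers or errors)
```

Pair the parse with `os.stat("/etc/raddb/server").st_mode` fed to `mode_is_private` when checking a live host; a world-readable file is the other mistake the file's header warns about.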


RE: LDAP basedn context

2005-06-14 Thread Dustin Doris
   Correct, it is unable to find the user.  When set at a
  higher context I receive the following error:
  
   rlm_ldap: performing search in o=wheaton, with filter (cn=testacct)
   rlm_ldap: object not found or got ambiguous search result
   rlm_ldap: search failed
  
   My ldap config is as follows.  If I change the basedn to
  where the user is located (ou=cs,ou=srvc,o=wheaton) then it works.
  
   ldap test-ldap{
   server = ldapserver.wheaton.edu
   identity = cn=admin,o=wheaton
   password = password
   basedn = o=wheaton
   filter = (cn=%{Stripped-User-Name:-%{User-Name}})
   start_tls = yes
  
   tls_cacertfile  =
  /etc/raddb/certs/wheatonCA/wheatonca.b64
   tls_require_cert= demand
  
   access_attr = cn
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   ldap_connections_number = 5
   password_attribute = nspmPassword
   timeout = 4
   timelimit = 3
   net_timeout = 1
   }
  
   matt...
  
  
Is it possible to specify the basedn above where the
  users are actually
located and have freeradius find the user in a
  subcontext?  For instance
if my ldap is setup as ou=users1,ou=loc1,o=org and
ou=users2,ou=loc2,ou=o=org can I specify basedn=o=org
  and find users
in both users1 and users2?
   
 
 
  Hmmm, I thought it did a subtree search, maybe not.  You could use
  configurable_failover to search both trees.

 FWIW, I am taking advantage of subtree search and it works fine.  I don't
 see anything in his setup that would prevent it from happening.


I thought you could do subtree.

Matt,

Although that looks like an admin type of user (perhaps even rootdn).  If
not, does the user you are binding with have proper permissions to do
subtree searches?  What does your ACL on the ldap server look like?

What does a search from the command line give you?

$ ldapsearch -D cn=admin,o=wheaton -w password -b o=wheaton '(cn=testacct)'



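
The scope question running through this thread (does a basedn above the user find it, as a subtree search would?) as an added in-memory illustration that is not rlm_ldap code. It honours base/one/sub scope when matching DNs and applies the "exactly one hit" rule behind the "object not found or got ambiguous search result" message. The wheaton entries come from the thread; the o=org users and the duplicated cn=bob are constructed.

```python
"""Added in-memory model of LDAP search scope (not rlm_ldap code).  Shows why a
basedn above the user works only with subtree scope, and why two matching
entries are as bad as none for an authentication lookup."""


def parse_dn(dn: str):
    """Split a DN into (attribute, value) RDNs, honouring backslash escapes and
    normalising case/whitespace so comparisons are case-insensitive."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        parsed.append((attr.strip().lower(), value.strip().lower()))
    return parsed


def dn_in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """scope: 'base' (the base entry only), 'one' (direct children), 'sub' (whole subtree)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def ldap_search(directory, base_dn, scope, attr, value):
    """DNs of entries under base_dn (per scope) whose attribute equals value."""
    return [e["dn"] for e in directory
            if dn_in_scope(e["dn"], base_dn, scope)
            and e.get(attr.lower(), "").lower() == value.lower()]


def lookup_user(directory, base_dn, scope, attr, value):
    """The rule an authorize lookup needs: exactly one hit, otherwise fail."""
    hits = ldap_search(directory, base_dn, scope, attr, value)
    if len(hits) != 1:
        return None       # "object not found or got ambiguous search result"
    return hits[0]


# Constructed directory: the wheaton entries from the thread plus an o=org tree
DIRECTORY = [
    {"dn": "cn=admin,o=wheaton", "cn": "admin"},
    {"dn": "cn=testacct,ou=cs,ou=srvc,o=wheaton", "cn": "testacct"},
    {"dn": "cn=alice,ou=users1,ou=loc1,o=org", "cn": "alice"},
    {"dn": "cn=bob,ou=users2,ou=loc2,o=org", "cn": "bob"},
    {"dn": "cn=bob,ou=contractors,ou=loc2,o=org", "cn": "bob"},   # same cn twice
]

if __name__ == "__main__":
    for scope in ("base", "one", "sub"):
        print("o=wheaton", scope, "->",
              lookup_user(DIRECTORY, "o=wheaton", scope, "cn", "testacct"))
    print("o=org sub alice ->", lookup_user(DIRECTORY, "o=org", "sub", "cn", "alice"))
    print("o=org sub bob   ->", lookup_user(DIRECTORY, "o=org", "sub", "cn", "bob"))
```

An empty result from a real server can also be the ACL case Dustin raises: the bind identity may simply not be allowed to read below the base, which the command-line ldapsearch above will show the same way.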


RE: PAM_RADIUS_AUTH setip on RHEL Linux 32 bit

2005-06-14 Thread Talwar, Puneet (NIH/NIAID)
Well ok, would it be possible to see some examples of some pam file settings
for a RH environment?  I think I am not setting the right pam modules.



Thanks,

__

Puneet Talwar
Contractor/CIPS
UNIX Administrator
301-451-9971
(c) 301-252-5366


Disclaimer: 

The information in this e-mail and any of its attachments is confidential
and may contain sensitive information. It should not be used by anyone who
is not the original intended recipient. If you have received this e-mail in
error please inform the sender and delete it from your mailbox or any other
storage devices. The National Institute of Allergy and Infectious Diseases
(NIAID) shall not accept liability for any statement made that are the
sender's own and not expressly made on behalf of the NIAID by one of its
representatives.


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 14, 2005 2:57 PM
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH setip on RHEL Linux 32 bit 

Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
 Here is the full content of the file.
...
 IP Address XXX.XXX.XXX.XXX  Secret_Key3

  That line is NONSENSE.  If it's actually in your configuration file,
it WON'T WORK.

  You have to list the IP address, not the text IP Address.  See the
line just above this one, which gives an example of what to do.

  Alan DeKok.
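For the question above about what the pam_radius_auth server file should look like, here is an added example (mine, not Alan's and not code from the pam_radius_auth project). It parses lines in the documented server[:port] shared_secret [timeout] form, rejects the "IP Address ..." line quoted in the reply for the reason Alan gives, and checks that the file, which holds shared secrets, is readable by its owner only. The host names, secrets and file contents are constructed for the example.

```python
"""Sanity-check the server lines pam_radius_auth reads from its config file.

Added example, not code from the thread or from pam_radius_auth itself.  The
line format assumed here is the one pam_radius_auth documents:
``server[:port] shared_secret [timeout]``, one server per line, comment lines
starting with '#'.  SAMPLE_CONF is constructed for this example.
"""
import ipaddress
import os
import re
import stat
import tempfile
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: two usable lines and the broken line from the thread.
SAMPLE_CONF = """\
# server[:port]             shared_secret   timeout (s)
127.0.0.1                   Secret_Key1     3
radius.example.net:1812     Secret_Key2     5
IP Address XXX.XXX.XXX.XXX  Secret_Key3
"""

_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


class RadiusServer(NamedTuple):
    host: str
    port: int
    secret: str
    timeout: int


def parse_server_line(line: str, default_port: int = 1812,
                      default_timeout: int = 3) -> Optional[RadiusServer]:
    """Parse one line; None for blank/comment lines, ValueError if malformed."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    fields = text.split()
    if len(fields) not in (2, 3):
        # 'IP Address X.X.X.X secret' is four tokens: the literal words are
        # not a server address, which is the point of the reply quoted above.
        raise ValueError("expected 'server[:port] secret [timeout]', "
                         f"got {len(fields)} fields")
    host, _, port_text = fields[0].partition(":")
    port = int(port_text) if port_text else default_port
    if not 0 < port < 65536:
        raise ValueError(f"port {port} out of range")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"{host!r} is neither an IP address nor a hostname")
    timeout = int(fields[2]) if len(fields) == 3 else default_timeout
    if timeout <= 0:
        raise ValueError(f"timeout must be positive, got {timeout}")
    return RadiusServer(host, port, fields[1], timeout)


def check_conf(text: str) -> Tuple[List[RadiusServer], List[str]]:
    """Parse every line of the file text; return (servers, problems)."""
    servers: List[RadiusServer] = []
    problems: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            entry = parse_server_line(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if entry is not None:
            servers.append(entry)
    if not servers:
        problems.append("no usable server line")
    return servers, problems


def check_file_mode(path: str) -> List[str]:
    """The file holds shared secrets; anything beyond owner access is a finding."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {stat.filemode(mode)} allows group/other access"]
    return []


def demo() -> Tuple[List[RadiusServer], List[str]]:
    """Write SAMPLE_CONF to a temporary file and run both checks on it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o600)
        servers, problems = check_conf(SAMPLE_CONF)
        problems += check_file_mode(path)
    finally:
        os.unlink(path)
    return servers, problems


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The field-count check fires before any address validation, so the rejected line is reported for what it is (too many tokens to be a server line) rather than for the placeholder address; the mode check is there because a world-readable secrets file is the usual follow-up finding on a host that uses pam_radius_auth.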


Re: SQL based Simultaneous-Use troubles

2005-06-14 Thread Aaron Paetznick


That worked!  Maybe the docs need to be changed to reflect this fact. 
I.e. SQL-based Simultaneous-Use still calls checkrad unless the NAS type 
is set to other.


Thanks for the help!


--Aaron



Alan DeKok wrote:

Aaron Paetznick [EMAIL PROTECTED] wrote:

I'm having some trouble getting FreeRADIUS to use the SQL tables for 
determining Simultaneous-Use.  I've reviewed the doc/Simultaneous-Use 
file.  I've uncommented the simul_count_query line in sql.conf.  I'm 
already successfully using SQL authentication and accounting.  I've 
entered Simultaneous-Use:=1 in the radgroupcheck table.



  That should work.


No matter what 
I do, this is what I get in the log:


Mon Jun 13 09:32:23 2005 : Error: Check-TS: timeout waiting for checkrad



  So Simultaneous-Use *is* working.  You now have to figure out why
checkrad is taking so long.


Can anybody offer any suggestions?  I'm just trying to use 100% 
SQL-based Simultaneous-Use checking, so checkrad shouldn't even be 
called, right?  I'm probably missing something really simple.  Thanks!



  Checkrad is called because the server may not have received
accounting data.  You can turn it off by making the client type = other

  Alan DeKok.



Re: SQL based Simultaneous-Use troubles

2005-06-14 Thread Alan DeKok
Aaron Paetznick [EMAIL PROTECTED] wrote:
 That worked!  Maybe the docs need to be changed to reflect this fact. 
 I.e. SQL-based Simultaneous-Use still calls checkrad unless the NAS type 
 is set to other.

  Simultaneous-Use results in checkrad being called, for radutmp and
sql session checking.  The nas type is used by checkrad to determine
what else to do, independent of radutmp/sql.

  Alan DeKok.



Timer...

2005-06-14 Thread synackrst

Hello everyone :)

Can anyone help me set up freeradius to count (continuous time) and
disable wireless access for users?

For example:

User1 - just allowed for 1 hour, and then account disabled
User2 - just allowed for 1 hour, and then account disabled

Thank you


Re: Timer...

2005-06-14 Thread Alan DeKok
synackrst [EMAIL PROTECTED] wrote:
 Anyone can help-me setting freeradius to count(continuous time) and disable
 wireless access for users?
 
 For example:
 
 User1 - just allowed for 1hour, and then account disabled

  rlm_counter

  Alan DeKok.


Re: SQL based Simultaneous-Use troubles

2005-06-14 Thread Aaron Paetznick


So even though I'm trying to do pure SQL-based Simultaneous-Use 
checking, it's going to spawn an external process each time?  I wanted 
to use SQL like this to avoid the overhead of spawning an external 
process in the first place.  Hrm...



--Aaron



Alan DeKok wrote:

Aaron Paetznick [EMAIL PROTECTED] wrote:

That worked!  Maybe the docs need to be changed to reflect this fact. 
I.e. SQL-based Simultaneous-Use still calls checkrad unless the NAS type 
is set to other.



  Simultaneous-Use results in checkrad being called, for radutmp and
sql session checking.  The nas type is used by checkrad to determine
what else to do, independent of radutmp/sql.

  Alan DeKok.



Re: SQL based Simultaneous-Use troubles

2005-06-14 Thread Alan DeKok
Aaron Paetznick [EMAIL PROTECTED] wrote:
 So even though I'm trying to do pure SQL-based Simultaneous-Use 
 checking, it's going to spawn an external process each time?

  If you tell it to.

   I wanted to use SQL like this to avoid the overhead of spawning an
 external process in the first place.  Hrm...

  So make your clients type=other, and checkrad won't run.

  Alan DeKok.
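To make the behaviour discussed in this thread concrete, here is an added example (mine, not FreeRADIUS code) that models the Simultaneous-Use check over a radacct table: the count query, the verify step that only runs once the limit is reached, the checkrad call per open session, and the effect of a NAS of type other. The radacct row, NAS addresses and NAS types are constructed, and treating sessions on a type other NAS as live without asking the NAS is my reading of Alan's answers, not something the thread states in those words.

```python
"""Model of how Simultaneous-Use is checked against SQL accounting data and
where checkrad comes in.

Added example, not FreeRADIUS code.  An in-memory SQLite radacct table stands
in for the real one, the two queries mirror the purpose of simul_count_query
and simul_verify_query in sql.conf, and ``checkrad`` is a callable standing in
for the external checkrad script.  The session row, NAS addresses and types
are constructed; counting a session on a NAS of type 'other' (or an unknown
NAS) as live without asking is this example's reading of the thread.
"""
import sqlite3
from typing import Callable, Dict, Tuple

# (nas_ip, nas_port, username, session_id) -> True if the NAS still has the session
CheckRad = Callable[[str, str, str, str], bool]


def make_radacct() -> sqlite3.Connection:
    """radacct with one open row: Acct-Start arrived, Acct-Stop never did."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
        radacctid INTEGER PRIMARY KEY, acctsessionid TEXT, username TEXT,
        nasipaddress TEXT, nasportid TEXT, acctstarttime TEXT,
        acctstoptime TEXT, acctterminatecause TEXT)""")
    conn.execute("INSERT INTO radacct VALUES (1, 'A1B2C3', 'aaron', '192.0.2.10', "
                 "'7', '2005-06-13 09:00:00', NULL, NULL)")   # constructed row
    conn.commit()
    return conn


def simul_count(conn: sqlite3.Connection, username: str) -> int:
    """What simul_count_query answers: open sessions for this user."""
    (count,) = conn.execute("SELECT COUNT(*) FROM radacct WHERE username=? "
                            "AND acctstoptime IS NULL", (username,)).fetchone()
    return count


def check_simultaneous_use(conn: sqlite3.Connection, username: str, limit: int,
                           clients: Dict[str, str], checkrad: CheckRad) -> Tuple[bool, int]:
    """Return (accept, number_of_checkrad_calls).

    Below the limit nothing is verified.  At or above it each open session is
    looked at: on a NAS of type 'other' (or a NAS not in clients) it simply
    counts; otherwise checkrad asks the NAS, and a session it reports gone is
    closed here as stale so the next login does not trip over it again.
    """
    if simul_count(conn, username) < limit:
        return True, 0
    calls = live = 0
    rows = conn.execute("SELECT radacctid, acctsessionid, nasipaddress, nasportid "
                        "FROM radacct WHERE username=? AND acctstoptime IS NULL",
                        (username,)).fetchall()
    for radacctid, session_id, nas_ip, nas_port in rows:
        if clients.get(nas_ip, "other") == "other":
            live += 1          # nothing but the accounting row to go on
            continue
        calls += 1
        if checkrad(nas_ip, nas_port, username, session_id):
            live += 1
        else:
            conn.execute("UPDATE radacct SET acctstoptime=datetime('now'), "
                         "acctterminatecause='Stale-Session' WHERE radacctid=?",
                         (radacctid,))
    conn.commit()
    return live < limit, calls


def nas_says_gone(nas_ip: str, nas_port: str, username: str, session_id: str) -> bool:
    """Stand-in checkrad: the NAS no longer has the user on that port."""
    return False


def demo_checkrad_path() -> Tuple[bool, int]:
    """type = cisco: checkrad runs once, the row is closed, login accepted."""
    conn = make_radacct()
    return check_simultaneous_use(conn, "aaron", 1, {"192.0.2.10": "cisco"}, nas_says_gone)


def demo_other_path() -> Tuple[bool, int]:
    """type = other: no external process, but the stale row blocks the login."""
    conn = make_radacct()
    return check_simultaneous_use(conn, "aaron", 1, {"192.0.2.10": "other"}, nas_says_gone)


if __name__ == "__main__":
    print("cisco:", demo_checkrad_path())
    print("other:", demo_other_path())
```

The same stale row comes out opposite on the two paths: with a checkable NAS type the external process runs, learns the session is gone and the row is closed, so the login goes through; with type other no process is spawned, but the row is believed and the login is refused until an accounting record closes it. That is the trade-off behind "checkrad is called because the server may not have received accounting data".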


Expiration - my experiences and a partial solution

2005-06-14 Thread Tomas 'tt' krag
Hi,

I spent a few days working on a freeradius solution in which I want to
be able to create users whose logins expire 24 hours after their first
login. Since I noticed that many people have been asking for similar
things on this list, I thought I'd explain the solution I have ended up
using. 

NOTE: This solution is far from perfect. First of all, it is a hack, and
not too elegant, secondly it does not do exactly what it is supposed to
do, but it works well enough for my purposes, and perhaps other people
can use this as inspiration for an improved solution.

WARNING: I am far from proficient at freeradius, having spent only the
past week trying to get an understanding of how it works. This solution
was hacked together from various comments and ideas on this
mailing-list. So anything I say and do should be considered risky :-)

What I wanted was to be able to create a number of users, printed on
cards, that I could hand out to users at an event to let them access the
network for 24 hours after the first time they logged in. i.e. if they
log in at 15:31 on tuesday their account should expire at 15:31 on
wednesday no matter how much time they have spent on-line. 

I am using chillispot and freeradius with mysql, all on one central
gateway server, as this is a small setup with a limited number of
users. 

I had understood from comments by Kostas Kalevras and Alan DeKok
(thanks) that the way to do this in freeradius/mysql was to use a
post-auth query that executed whenever a user has successfully logged
into the system. In that post-auth query I would set an Attribute/Value
pair Expiration := 25 May 2005 15:31 or equivalent in the radcheck
table of the database. Since I didn't want this to apply to all users (I
like to
keep a permanent login for myself), I needed some way to distinguish
users that should be timed out from other users. 

I came up with the following hack.
When I generate the usernames (using a adapted version of phpMyPrepaid
http://www.jabali.net/~carl/?link=2) I add an Attribute called
Expiration with a value well in the future. In this case Expiration:='1
Jan 2005'.
When a user logs in I check if there is an Expiration attribute with
that particular value, and if so, I change the Date to exactly 24 hours
from Now. I do this in sql.conf by adding the following query:

postauth_query = "UPDATE ${authcheck_table} SET Value=DATE_FORMAT(DATE_ADD(NOW(),INTERVAL ${expire} HOUR),'%%e %%b %%Y %%T') WHERE UserName='%{SQL-User-Name}' AND Attribute='Expiration' AND Value='${expiration_dummy}'"
 
At the top of the file, I have defined the following
# Added by tkrag (support for Expiration) 
# The dummy expiration value used when creating new 
# users   
expiration_dummy = 1 Jan 2099

# How many hours an account lasts from first login 
expire = 24

This has the effect of changing the Expiration date only the first time
a user logs in. 

Unfortunately, as Joachim Bloche pointed out in a mail "Session-Timeout
not set with pending Expiration" on this list, it seems that Freeradius
does NOT set the Session-Timeout based on an Expiration date in the
future.
I have confirmed this behaviour using freeradius 1.0.1 (from the ubuntu
package, but recompiled to support the rlm_sqlcounter module).

This effectively means that a user who logs in at 13:30 on tuesday and
logs in again at 13:29 on wednesday can then stay on-line after the
Expiration time, but cannot log back in again after that time.

In my situation I have handled this by also using an sqlcounter with an
Attribute Max-All-Session := 86400 which then limits the user to a
total of 24 hours on-line. i.e. a user could login at 13:30 on tuesday
and immediately log out, after which she could relogin at 13:29 on
wednesday and stay connected for another 24 hours until 13:29 on
thursday. In my case this is not a deal-breaker, as we are not selling
access, but mostly trying to protect ourselves against ongoing abuse of
bandwidth, but in other scenarios it might not work well.

If I read the documentation correctly the current CVS version of
freeradius contains a new module called rlm_expiration which apparently
moves the Expiration support into a separate module, and will hopefully
support returning the correct Session-Timeout attribute.

I hope this helps someone out there.

Regards

/tomas
wire.less.dk  


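As an added example (mine, not the post's sql.conf and not FreeRADIUS code) that walks through the timeline described above: the post-auth update that replaces the dummy Expiration on the first successful login only, and an authorize step that derives Session-Timeout from the remaining time before Expiration and from the Max-All-Session allowance, which is the part the post says freeradius 1.0.1 does not do. SQLite stands in for MySQL, so the DATE_ADD/DATE_FORMAT arithmetic is done in Python; the radcheck rows, user names and password values are constructed, while the dummy value, the 24-hour window and the 86400 second cap are the post's own.

```python
"""First-login expiry as in the post above, plus the Session-Timeout that the
post notes FreeRADIUS 1.0.1 does not derive from Expiration.

Added example, not the post's sql.conf or FreeRADIUS code.  SQLite stands in
for MySQL, so the date arithmetic the post's postauth_query does with
DATE_ADD/DATE_FORMAT is done in Python; the radcheck rows, user names and
password values are constructed.  The dummy value, the 24-hour window and the
Max-All-Session figure are the post's own.
"""
import sqlite3
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

EXPIRATION_DUMMY = "1 Jan 2099"     # the post's expiration_dummy
EXPIRE_HOURS = 24                   # the post's expire
MAX_ALL_SESSION = 86400             # the post's sqlcounter limit, seconds
DATE_FMT = "%d %b %Y %H:%M:%S"      # same layout the post's DATE_FORMAT produces


def make_radcheck() -> sqlite3.Connection:
    """radcheck with one card user (dummy Expiration) and one permanent user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, "
                 "Attribute TEXT, op TEXT, Value TEXT)")
    conn.executemany(
        "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?, ?, ?, ?)",
        [("card0001", "User-Password", ":=", "constructed-pw"),
         ("card0001", "Expiration", ":=", EXPIRATION_DUMMY),   # written when the card was generated
         ("card0001", "Max-All-Session", ":=", str(MAX_ALL_SESSION)),
         ("tomas", "User-Password", ":=", "constructed-pw")])   # no Expiration row: never times out
    conn.commit()
    return conn


def post_auth(conn: sqlite3.Connection, username: str, now: datetime) -> int:
    """Mirror of the postauth_query: swap the dummy for now + 24h.

    The WHERE clause only matches while the dummy is still there, so the
    returned row count is 1 on the first successful login and 0 after that.
    """
    new_value = (now + timedelta(hours=EXPIRE_HOURS)).strftime(DATE_FMT)
    cur = conn.execute("UPDATE radcheck SET Value=? WHERE UserName=? "
                       "AND Attribute='Expiration' AND Value=?",
                       (new_value, username, EXPIRATION_DUMMY))
    conn.commit()
    return cur.rowcount


def get_check(conn: sqlite3.Connection, username: str, attribute: str) -> Optional[str]:
    """Value of one check item for the user, or None if there is no such row."""
    row = conn.execute("SELECT Value FROM radcheck WHERE UserName=? AND Attribute=?",
                       (username, attribute)).fetchone()
    return row[0] if row else None


def authorize(conn: sqlite3.Connection, username: str, now: datetime,
              used_seconds: int) -> Tuple[bool, Optional[int]]:
    """Return (accept, Session-Timeout).

    A past Expiration rejects.  Otherwise Session-Timeout is the smaller of
    the seconds left before Expiration and the Max-All-Session allowance not
    yet used (what the post's sqlcounter contributes), so a session cannot
    outlive the expiry even when the login happens a minute before it.
    """
    candidates = []
    exp = get_check(conn, username, "Expiration")
    if exp is not None and exp != EXPIRATION_DUMMY:    # dummy: first login still pending
        expires_at = datetime.strptime(exp, DATE_FMT)
        if expires_at <= now:
            return False, None
        candidates.append(int((expires_at - now).total_seconds()))
    cap = get_check(conn, username, "Max-All-Session")
    if cap is not None:
        remaining = int(cap) - used_seconds
        if remaining <= 0:
            return False, None
        candidates.append(remaining)
    return True, (min(candidates) if candidates else None)


def demo() -> Dict[str, object]:
    """Walk the card through the timeline the post describes."""
    conn = make_radcheck()
    first = datetime(2005, 6, 14, 13, 30)                 # tuesday 13:30
    result: Dict[str, object] = {}
    result["first"] = authorize(conn, "card0001", first, 0)
    result["changed_first"] = post_auth(conn, "card0001", first)
    result["expiration"] = get_check(conn, "card0001", "Expiration")
    later = first + timedelta(hours=23, minutes=59)       # wednesday 13:29, 60 s used so far
    result["second"] = authorize(conn, "card0001", later, 60)
    result["changed_second"] = post_auth(conn, "card0001", later)
    result["expired"] = authorize(conn, "card0001", first + timedelta(hours=25), 60)
    result["permanent"] = authorize(conn, "tomas", later, 100000)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second login in the timeline is the case the post worries about: it happens a minute before the expiry, and because the authorize step hands back the time left before Expiration rather than the larger sqlcounter remainder, the session ends at the expiry instead of running on for another day.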


FW: How to get Hint to match in users file

2005-06-14 Thread Matt Cobb


-Original Message-
From: Matt Cobb 
Sent: Tuesday, June 14, 2005 2:07 PM
To: '[EMAIL PROTECTED]'
Subject: How to get Hint to match in users file 

What syntax do you use to get Hint to match in the users file?
In Hint I have:

DEFAULT Prefix == LOCKDOWN\\, Strip-User-Name = Yes
Hint = LDAP1

DEFAULT Prefix == testlab\\, Strip-User-Name = Yes
Hint = LDAP2

And in the users file:

DEFAULT Hint == LDAP1, Auth-Type := LDAP1, Autz-Type := LDAP1

DEFAULT Hint == LDAP2, Auth-Type := LDAP2, Autz-Type := LDAP2

The user name gets stripped before going into the users section, but no
Auth-Type is set.

From freeradius 1.0.2...

   rad_recv: Access-Request packet from host 127.0.0.1:1026, id=16,
length=105
User-Name = testlab\\tester
User-Password = xyz
Service-Type = Authenticate-Only
NAS-Identifier = localhost.localdomain
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 192.168.10.100
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = tester, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
  modcall[authorize]: module files returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 16 to 127.0.0.1:1026
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 16 with timestamp 42af5799
Nothing to do.  Sleeping until we see a request.




Problem TTLS-LDAP

2005-06-14 Thread alfonso celestino
Hi, everybody!

I have a problem on having tried to use TTLS with
LDAP. I have seen solutions to this problem in this
mailing list, but I have not had success.

In the following line it seems that ldap performs the comparison
correctly:

rlm_ldap: user prueba authorized to use remote access


 but after that this error comes:

rlm_ldap: Attribute User-Password is required for
authentication.
  modcall[authenticate]: module ldap returns invalid
for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.


Please, if someone has an idea how to solve it, I will be
very grateful.

I attach my configuration files and the complete
result of the execution.

Thanks 
Alfonso Celestino
DGSCA, UNAM






Radius.conf File:


authenticate {


Auth-Type PAP {
pap
}

   
Auth-Type CHAP {
chap
}   

   
Auth-Type MS-CHAP {
mschap
}


Auth-Type LDAP {
ldap
}

unix
eap
}



authorize {

preprocess
chap
mschap
suffix
eap
files
ldap

}



ldap {

   server = xxx.xxx.xxx.xxx
   identity = cn=redes,ou=admins,ou=radius,dc=mydomain,dc=com
   password = secret
   basedn = ou=users,ou=radius,dc=mydomain,dc=com
   filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"

   password_attribute = userPassword
   authtype = ldap
   start_tls = no

 tls_cacertfile = 
/usr/local/radius/etc/raddb/certs/demoCA/cacert.pem
 tls_cacertdir  = /usr/local/radius/etc/raddb/certs
 tls_certfile   = 
/usr/local/radius/etc/raddb/certs/server.pem
 tls_keyfile= 
/usr/local/radius/etc/raddb/certs/demoCA/private/cakey.pem
 tls_randfile   = 
/usr/local/radius/etc/raddb/certs/random
 tls_require_cert   = demand

dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1

}


eap.conf file

 eap {

default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no

 tls {

private_key_password = secretpasswd
private_key_file = ${raddbdir}/certs/server.pem
certificate_file = ${raddbdir}/certs/server.pem
CA_file = ${raddbdir}/certs/root.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes

  
 }

ttls {

default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
 }

 mschapv2 {
}
  }



users file:


DEFAULT Auth-Type := LDAP
 Fall-Through = No

And I add to ldap.attrmap file the next:

checkItem   User-Password   userPassword
checkItem   LM-Password sambaLMPassword
checkItem   NT-Password sambaNTPassword





Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
Config:   including file: /usr/local/radius/etc/raddb/eap.conf
Config:   including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = /usr/local/radius
 main: localstatedir = /usr/local/radius/var
 main: logdir = /usr/local/radius/var/log/radius
 main: libdir = /usr/local/radius/lib
 main: radacctdir = /usr/local/radius/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/radius/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/radius/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: 

FreeRadius and PostgreSQL configuration question

2005-06-14 Thread NECTIS NetVoice Sales
Dear Gurus!

We are trying to install FreeRADIUS with PostgreSQL but have a question.

We expect about 100 concurrent calls, and our switch sends 3 requests to
radius: authorization, accounting start and accounting stop or update.
How many max_connections should we configure in the postgresql.conf file?

Normally at the same time we will get about 1-30 calls. But we are not sure
how many it will be.

Is there some other or special recommendation for correctly configuring
PostgreSQL and FreeRadius?

Please, whoever has installed and configured that, send this information ASAP;
it's really necessary.

Best regards,




Re: Problem TTLS-LDAP

2005-06-14 Thread Alan DeKok
alfonso celestino [EMAIL PROTECTED] wrote:
 rlm_ldap: Attribute User-Password is required for
 authentication.
...
 users file:
 
 DEFAULT Auth-Type := LDAP
  Fall-Through = No

  Don't do that.  Read eap.conf.

  LDAP servers don't do EAP authentication.

  Alan DeKok.


Authorization failed

2005-06-14 Thread Kheli
Dear list,

I am using free radius for authorizing, authenticating and accounting
dial-up connections. I use sql for authorization, but users cannot be
authorized.

Here is what the log file produced:

Info: rlm_sql (sql): No matching entry in the database for request from user
[swan]

Any idea, what's wrong ?


thanks




RE: Expiration Module

2005-06-14 Thread Jaco van Tonder
It is never sent. I use radtest and get no reply; radtest simply sends the
request again and again...

Regards

Jaco van Tonder

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: 14 June 2005 07:07 PM
To: FreeRadius users mailing list
Subject: Re: Expiration Module 

Jaco van Tonder [EMAIL PROTECTED] wrote:
 if the expiration date/time has been reached - the
 server traps this - but NO reply message is sent.
...
 Delaying request 1 for 1 seconds

  So... is it delayed for 1 second, or is it *never* sent?

  My tests show it's only delayed for reject_delay time.

  Alan DeKok.



