Re: rlm_sql_mysql make error for 1.0.4 and snapshot-20050718

2005-07-19 Thread Thor Spruyt
Paul Hampson wrote:
> On Mon, Jul 18, 2005 at 05:22:51PM +0200, Thor Spruyt wrote:
>> Hi,
>> `/home/thor/freeradius-1.0.4/src/modules/rlm_sql/drivers/rlm_sql_mysql'
>> gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
>> -DOPENSSL_NO_KRB5   -Wal l -D_GNU_SOURCE -DNDEBUG  -I../..
>> -I../../../../include -I'/usr/include/mysq l'
>> -I/home/thor/freeradius-1.0.4/libltdl -c sql_mysql.c -o sql_mysql.o
>> sql_mysql.c:39:20: errmsg.h: No such file or directory
>> sql_mysql.c:40:19: mysql.h: No such file or directory
>
> The build process didn't find your mySQL headers.

I installed mysql-devel rpm and it works now.
Strange... for other modules when the devel is not there, they're skipped...
for mysql an error is the result.
Anyway... I have now successfully compiled 1.0.4 with support for postgresql
(which I will use) and mysql (which I won't use).

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


re: Searching Subcontexts in eDir

2005-07-19 Thread Sayantan Bhowmick
Hi,
   If you are getting a reply with ldapsearch then you should be able
to authenticate as that user. One of the possible causes of the -669
error is an invalid password. So check the password and make sure you
are able to log in as that user.

-Sayantan

>>> [EMAIL PROTECTED] 07/20/05 3:00 AM >>>
I have not setup Universal Passwords as this is not an option because
of the
complexities of the tree.  As of right now, the LDAP Group in
eDirectory does
not require TLS, so I am therefore not requiring it in radiusd.conf
either.  I
want to get it to work over cleartext for now, and then setup TLS
later.





grouping services - LDAP

2005-07-19 Thread Rohaizam Abu Bakar



Hi all,

Using Freeradius 1.0.4 (FB 4.11)


I want to group between dialup & adsl...
Refer to the users file below: if Ldap-Group == "ADSL" is found, the user should be
authenticated/authorized by "ldapadsl", and if it is not found, assume a dialup user
and authenticate/authorize by "ldap1/ldap2" (DIALUP).

But the problem, referring to the debug log, is that it doesn't
matter whether Ldap-Group == "ADSL" is found or not, it still checks both
ldap1/ldap2 & ldapadsl, i.e. it checks both the "adslAccess" & "dialupAccess"
attributes.

What I want is that if Ldap-Group == "ADSL" is
found, it should be handled by "ldapadsl" and not check
"ldap1/ldap2", and the same goes when it is not found: it should be handled by "ldap1/ldap2"
and not check "ldapadsl".


Can anyone help? Thanks.

--haizam



##
users file:

DEFAULT Ldap-Group == "ADSL", Auth-Type := ADSL

DEFAULT Auth-Type := LDAP

#3
Debug:-

rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (&(jaringConnectionType=ADSL)(&(uid=organza)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group ADSL not found or user is not a member.
    users: Matched entry DEFAULT at line 147.
.
.
rlm_ldap: checking if remote access for organza is allowed by dialupAccess
.
..
rlm_ldap: no adslAccess attribute - access denied by default


authenticate {
    Auth-Type LDAP {
        redundant {
            ldap1
            ldap2
        }
    }

    Auth-Type ADSL {
        ldapadsl
    }
}

#
authorize {
    redundant {
        ldap1
        ldap2
    }
    ldapadsl
}

#
ldap ldap1 {
    server = "10.1.1.1"
    basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
    access_attr = "dialupAccess"
    groupname_attribute = jaringConnectionType
    groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}

ldap ldap2 {
    server = "10.1.1.2"
    basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
    access_attr = "dialupAccess"
    groupname_attribute = jaringConnectionType
    groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}

ldap adsl {
    server = "10.1.1.3"
    basedn = "ou=ADSL,ou=People,dc=jaring,dc=my"
    access_attr = "adslAccess"
    groupname_attribute = jaringConnectionType
    groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}

 

Re: Caching results of Exec-Program-Wait

2005-07-19 Thread Alan DeKok
Norman Elton <[EMAIL PROTECTED]> wrote:
> Is there a way to cache the results of the called program, so that if  
> I get 5 requests in X number of seconds, the program is only called  
> once?

  Not really.  I'd suggest writing a C module which does that.

  Alan DeKok.
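Alan's answer above is that the server itself has no such cache. The following is an added example, not FreeRADIUS code and not something proposed in the thread, of how a wrapper around the called program could collapse a burst of identical requests into one execution. It assumes the program is invoked with a user name and password (the hypothetical `fake_program` stands in for the real authenticator and `FakeClock` for `time.monotonic`), and it shows why the cache key must cover the password and not just the user name: otherwise a wrong password presented inside the window would be answered from a cached accept.

```python
"""TTL cache in front of an Exec-Program-Wait style helper program.

Added example, not FreeRADIUS code and not something the thread proposes:
a wrapper that collapses a burst of identical requests into one execution
of the real program, with the cache key bound to the credential.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Tuple

# What the external program returns: exit status and the attribute lines it printed.
ExecResult = Tuple[int, List[str]]


class ExecResultCache:
    """Memoise one ExecResult per (user, password) for ttl seconds."""

    def __init__(self, ttl_seconds: float,
                 runner: Callable[[str, str], ExecResult],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl_seconds
        self.runner = runner      # the real program (e.g. a subprocess wrapper)
        self.clock = clock        # injectable so the behaviour can be tested
        # Per-process random key: the table stores HMACs, never passwords, and
        # is useless as an offline cracking oracle without this in-memory key.
        self._hmac_key = secrets.token_bytes(32)
        self._entries: Dict[str, Tuple[float, ExecResult]] = {}
        self.runs = 0             # number of real executions, for the demo

    def _key(self, user: str, password: str) -> str:
        # Key on user AND password: a wrong password inside the window must
        # not be answered from a cached accept for the right one.
        msg = user.encode() + b"\x00" + password.encode()
        return hmac.new(self._hmac_key, msg, hashlib.sha256).hexdigest()

    def lookup(self, user: str, password: str) -> Tuple[ExecResult, bool]:
        """Return (result, served_from_cache)."""
        now = self.clock()
        key = self._key(user, password)
        hit = self._entries.get(key)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1], True
        result = self.runner(user, password)
        self.runs += 1
        self._entries[key] = (now, result)
        return result, False

    def purge(self) -> None:
        """Drop expired entries so the table stays bounded."""
        now = self.clock()
        self._entries = {k: v for k, v in self._entries.items()
                         if now - v[0] < self.ttl}


class FakeClock:
    """Deterministic stand-in for time.monotonic()."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t


def fake_program(user: str, password: str) -> ExecResult:
    """Constructed stand-in for the real authenticator (hypothetical, demo only)."""
    ok = (user, password) == ("alice", "correct-horse")
    return (0 if ok else 1,
            [f'Reply-Message = "welcome {user}"' if ok else 'Reply-Message = "denied"'])


def run_scenario() -> Dict[str, int]:
    """Five requests inside the window, one wrong password, one after expiry."""
    clock = FakeClock()
    cache = ExecResultCache(ttl_seconds=10.0, runner=fake_program, clock=clock.now)
    burst_hits = 0
    for i in range(5):                       # same credentials, one second apart
        clock.t = float(i)
        _, cached = cache.lookup("alice", "correct-horse")
        burst_hits += int(cached)
    (wrong_status, _), wrong_cached = cache.lookup("alice", "wrong")
    clock.t = 11.0                           # the entry stored at t=0 has expired
    _, late_cached = cache.lookup("alice", "correct-horse")
    cache.purge()
    return {"runs": cache.runs, "burst_hits": burst_hits,
            "wrong_status": wrong_status, "wrong_cached": int(wrong_cached),
            "late_cached": int(late_cached), "entries": len(cache._entries)}


if __name__ == "__main__":
    print(run_scenario())
```

A cache like this is a policy decision: an accept stays valid for up to `ttl` seconds after the password is changed or the account is disabled, so keep the window to a few seconds; caching rejects for the same window also acts as a crude brake on repeated guessing against the backend.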


Re: rlm_sql_mysql make error for 1.0.4 and snapshot-20050718

2005-07-19 Thread Paul Hampson
On Mon, Jul 18, 2005 at 05:22:51PM +0200, Thor Spruyt wrote:
> Hi,
> `/home/thor/freeradius-1.0.4/src/modules/rlm_sql/drivers/rlm_sql_mysql'
> gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wal
> l -D_GNU_SOURCE -DNDEBUG  -I../.. -I../../../../include -I'/usr/include/mysq
> l' -I/home/thor/freeradius-1.0.4/libltdl -c sql_mysql.c -o sql_mysql.o
> sql_mysql.c:39:20: errmsg.h: No such file or directory
> sql_mysql.c:40:19: mysql.h: No such file or directory

The build process didn't find your mySQL headers.

-- 
Paul "TBBle" Hampson, on an alternate email client.


Caching results of Exec-Program-Wait

2005-07-19 Thread Norman Elton
I'm using Exec-Program-Wait for authentication requests. The called  
program returns some attributes.


Is there a way to cache the results of the called program, so that if  
I get 5 requests in X number of seconds, the program is only called  
once?


Thanks for any advice,

Norman Elton


re: Searching Subcontexts in eDir

2005-07-19 Thread Mearl Danner
We're using Universal Passwords so the setup is a bit different.

The documentation on rlm_ldap says that if password_attribute is set to NULL no 
password is sent.

#   default: NULL - don't add password

Have you tried it with password_attribute = "userPassword" ?

I'm assuming that you've tried to login to that account?

Can you get a reply using:

ldapsearch -h 10.254.8.25 -D cn=gwaccessPO1,ou=GW,o=Services -w "cn=gwaccessPO1"

That's all my best guesses for today.

Mearl

>>> <[EMAIL PROTECTED]> 7/19/2005 4:30:12 PM >>>
I have not setup Universal Passwords as this is not an option because of the
complexities of the tree.  As of right now, the LDAP Group in eDirectory does
not require TLS, so I am therefore not requiring it in radiusd.conf either.  I
want to get it to work over cleartext for now, and then setup TLS later.



re: Searching Subcontexts in eDir

2005-07-19 Thread jp
I have not setup Universal Passwords as this is not an option because of the
complexities of the tree.  As of right now, the LDAP Group in eDirectory does
not require TLS, so I am therefore not requiring it in radiusd.conf either.  I
want to get it to work over cleartext for now, and then setup TLS later.


Here is the entire debug of an unsuccessful attempt to authenticate a user in
ou=GW,o=Services:

-snip-
episd44# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded LDAP
 ldap: server = "10.254.8.25"
 ldap: port = 389
 ldap: net_timeout = 20
 ldap: timeout = 20
 ldap: timelimit = 20
 ldap: identity = "cn=raduser,o=services"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "o=services"
 ldap: filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "(null)"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = no
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file 
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_l

Re: linux requirements

2005-07-19 Thread Sebastian Wild

Well, RH 7.3 is indeed a bit outdated ;)
Now in fact there are several distributions that already ship
freeradius as a package. So you needn't compile it so far.

Examples are: Debian Sarge or SuSE.
Now if you want to set up freeradius on a server I'd suggest using Debian
Sarge. You could install it via network or download a Debian netinstall
iso that installs the base system and apt-get install the packages you need.

We use Debian on our radius servers and it works quite fine!

So now you have one suggestion/opinion...

cheers
Sebastian

Lucas Aimaretto wrote:


Hi all,

I'm willing to install Freeradius. I'm using Red Hat 7.3 in a lab
environment. I know it is outdated so, which Linux distribution do you
recommend for installing it?

I've heard that gcc is something critical ...

Any opinion ?

Thanks

Regards,

Lucas

 





linux requirements

2005-07-19 Thread Lucas Aimaretto
Hi all,

I'm willing to install Freeradius. I'm using Red Hat 7.3 in a lab
environment. I know it is outdated so, which Linux distribution do you
recommend for installing it?

I've heard that gcc is something critical ...

Any opinion ?

Thanks

Regards,

Lucas



Re: Searching Subcontexts in eDir

2005-07-19 Thread Mearl Danner
Are you trying to use Universal Password to authenticate? I don't see the TLS 
negotiation required for the admin to read the Universal Password.

Why don't you post the entire debug log? Then we can see all the setup info as 
the radius server reads it.

Mearl



Re: Freeradius on Fedora Core 1

2005-07-19 Thread Dan Bethe
Also note that if you're using /etc/passwd, you have to make /etc/passwd and
/etc/shadow readable by the radiusd process.






Re: Searching Subcontexts in eDir

2005-07-19 Thread jp
Ok, I'm now one step closer.  Mearl's solution worked somewhat.  Here is the
output from the debug:

-snip-
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gwaccesspo1
radius_xlat:  '(cn=gwaccesspo1)'
radius_xlat:  'o=services'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=services, with filter (cn=gwaccesspo1)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gwaccesspo1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns ok for request 3
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 3
rlm_ldap: - authenticate
rlm_ldap: login attempt by "gwaccesspo1" with password ""
rlm_ldap: user DN: cn=gwaccessPO1,ou=GW,o=Services
rlm_ldap: (re)connect to 10.254.8.25:389, authentication 1
rlm_ldap: bind as cn=gwaccessPO1,ou=GW,o=Services/ to 10.254.8.25:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
rlm_ldap: NDS error: failed authentication (-669)
-snip-

To contrast, here is the output from debug when I attempt to authenticate a user
in the root context:

-snip-
rlm_ldap: - authorize
rlm_ldap: performing user authorization for zentest
radius_xlat:  '(cn=zentest)'
radius_xlat:  'o=services'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=services, with filter (cn=zentest)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user zentest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "zentest" with password ""
rlm_ldap: user DN: cn=zentest,o=Services
rlm_ldap: (re)connect to 10.254.8.25:389, authentication 1
rlm_ldap: bind as cn=zentest,o=Services/ to 10.254.8.25:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user zentest authenticated succesfully
-snip-


Thanks in advance,

Josh



On Tuesday, July 19th, Mearl said:

> Check the filter statement in the ldap portion of radiusd.conf. It's searching
> on "uid" which in eDirectory is an integer field and isn't populated by
> default.
>
> Change the filter to filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" and
> try it. That will get you past the "object not found" message. It will then be
> able to return the fully qualified DN of the user.
>
> You can search on "cn" or any other ldap field that contains a unique ID.
> We're probably going to use uniqueID - the newer user creation APIs populate
> it by default - in our environment because iPrint requires it.
>
> Mearl


Simultaneous-Use Problem...Excuseme

2005-07-19 Thread alfonso celestino
Hi,
I need your help.

I want to limit the number of times one user account can login;

I have the following in the users file:

wireless User-Password == "wireless", Simultaneous-Use := 1
         Aruba-User-Role = "STAFF"

But the user "wireless" can login more than one time.

How can I solve this problem?

Thanks in advance!!
 

Simultaneous-Use Problem

2005-07-19 Thread alfonso celestino
 
 
		  

Re: FW: TTLS and PAP

2005-07-19 Thread Alan DeKok
<[EMAIL PROTECTED]> wrote:
> I'm trying to get TTLS/PAP working using freeradius 1.0.4.  I must have
> it configured incorrectly because its giving a Segmentation fault just
> before giving the Access-Accept & EAP-Success back to the switch.  I
> have searched the archives for a solution but not found help to sort my
> problem out.

  See doc/bugs

> I don't understand is why the modcall[authorise] appear often in request
> processing before modcall[authenticate].  I thought the order was to
> authenticate a user and then once we are sure they are who they say they
> are then we authorise them to use the network.

  Due to historical issues, FreeRADIUS has pre-authenticate,
authenticate, and post-authenticate.  The pre-authenticate is called
"authorize".

  The sections could just as easily be called "foo", "bar", and "baz".
It makes no difference to the operation of the server.

  Alan DeKok.


Re: Searching Subcontexts in eDir

2005-07-19 Thread Mearl Danner
Check the filter statement in the ldap portion of radiusd.conf. It's searching 
on "uid" which in eDirectory is an integer field and isn't populated by default.

Change the filter to filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" and 
try it. That will get you past the "object not found" message. It will then be 
able to return the fully qualified DN of the user.

You can search on "cn" or any other ldap field that contains a unique ID. We're 
probably going to use uniqueID - the newer user creation APIs populate it by 
default - in our environment because iPrint requires it.

Mearl

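Mearl's advice changes the search filter, and in that filter `%{User-Name}` is expanded from a value the RADIUS client supplies. As an added example (not FreeRADIUS code; rlm_ldap applies its own escaping inside the server), the Python below shows the RFC 4515 escaping that any such interpolation needs, a small stand-in for the `%{Attr:-%{Fallback}}` expansion used in the thread's filter, and a pre-bind guard. The guard matters because the debug output in this thread shows simple binds attempted with an empty password, and RFC 4513 section 5.1.2 defines a bind with a non-empty DN and a zero-length password as an unauthenticated bind, which a directory that permits it reports as successful without checking any credential. The function names and the sample user names are this example's own.

```python
"""Escaping user-controlled values in an LDAP search filter, plus a pre-bind check.

Added example, not FreeRADIUS code: rlm_ldap escapes inside the server, but any
client that interpolates User-Name into a filter needs the same treatment.
"""
import re
from typing import Dict, Optional

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# %{Name} or %{Name:-%{Fallback}}, the two forms used in the thread's filters.
_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)(?::-%\{([A-Za-z0-9-]+)\})?\}")


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, attrs: Dict[str, str]) -> str:
    """Expand attribute references in a filter template, escaping every value.

    A small stand-in for the server's xlat expansion; only the %{A} and
    %{A:-%{B}} forms are supported.
    """
    def repl(m) -> str:
        name, fallback = m.group(1), m.group(2)
        value: Optional[str] = attrs.get(name)
        if value is None and fallback is not None:
            value = attrs.get(fallback)
        # re.sub inserts a callable's return value literally, so the
        # backslash escapes survive untouched.
        return escape_filter_value(value or "")
    return _XLAT.sub(repl, template)


def bind_credentials_acceptable(dn: str, password: str) -> bool:
    """Refuse a simple bind that the server could treat as anonymous.

    RFC 4513 section 5.1.2: a non-empty DN with a zero-length password is an
    unauthenticated bind; servers that allow it answer success without
    checking any credential, so an empty password must never reach the bind.
    """
    return bool(dn) and len(password) > 0


# The filter from the thread; the inputs below are constructed for the example.
USER_FILTER = "(cn=%{Stripped-User-Name:-%{User-Name}})"

if __name__ == "__main__":
    print(expand_filter(USER_FILTER, {"User-Name": "gwaccesspo1"}))
    print(expand_filter(USER_FILTER, {"User-Name": "*)(cn=admin"}))
    print(bind_credentials_acceptable("cn=zentest,o=Services", ""))
```

Without the escaping, a User-Name of `*)(cn=admin` would turn the filter into `(cn=*)(cn=admin)`, changing which entry the search returns and therefore which DN is bound as; with it, the value is matched literally.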


Searching Subcontexts in eDir

2005-07-19 Thread jp
I am running FreeRADIUS 1.0.4 on FreeBSD 4.11 to authenticate/authorize users via
LDAP on a NetWare 6.5 server/tree.

I can successfully authenticate and authorize users if they reside in the root
context (o=), but authorize fails if the user is in an ou in the
root context.  The "identity" user in the ldap modules section is an admin
equivalent.

Also, if I change the basedn to the subcontext
(ou=,o=), it still fails.

Relevant info from radtest:

-snip-
radtest gwaccesspo1  localhost 10 testing123
-snip-

The gwaccesspo1 user's context is as follows:
cn=gwacesspo1,ou=gw,o=services


Relevant info from radiusd.conf:

-snip-
server = "10.254.8.25"
identity = "cn=raduser,o=services"
password = ""
basedn = "o=services"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
-snip-

raduser.services is an admin equivalent.


Relevant info from debug:

-snip-
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gwaccesspo1
radius_xlat:  '(uid=gwaccesspo1)'
radius_xlat:  'o=services'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.254.8.25:389, authentication 0
rlm_ldap: bind as cn=raduser,o=services/ to 10.254.8.25:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=services, with filter (uid=gwaccesspo1)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
-snip-

The "gwaccesspo1" user above resides in ou=gw,o=services.  As mentioned above,
even if I set the basedn to ou=gw,o=services, I still get the "object not found"
error.

Thanks in advance for any suggestions.

Josh


Re: Config problem: ntlm_auth works outside of freeradius, but not in

2005-07-19 Thread Alan DeKok
"Ken George" <[EMAIL PROTECTED]> wrote:
> The ntlm_auth command works from the command line, but not within
> freeradius (1.0.1) on RHEL 3.0 update 4

  There's really no difference between the command-line invocation &
FreeRADIUS running it.  The ntlm_auth program *is* being executed,
because you see an error message from it.

  My suggestion would be to run winbindd in debug mode, to see what
it's getting from ntlm_auth, and why it's returning an error.

  Alan DeKok.



Re: radius and clients.conf?

2005-07-19 Thread Alan DeKok
"Will Carter" <[EMAIL PROTECTED]> wrote:
> It seems that when I start radius in debug mode, it is correctly reading my
> clients.conf file, but when I start it normally, it is not recognizing my
> nas device. It's as if it's not reading the correct clients.conf. Any ideas
> why this would be?

  File permissions?

  Alan DeKok.


Re: Difference between dictionary and RFC 2865 for Attribute Class

2005-07-19 Thread Alan DeKok
Andreas Engler <[EMAIL PROTECTED]> wrote:
> I wonder why the entry for Attribute Class in the dictionary file is octets.

  Because it's not a text string.

  The RFCs used "string" for all variable length data, so that's what
most servers used in the dictionaries.  FreeRADIUS added "octets" for
non-printable strings, and then the RFCs were updated to say "text"
for text, and "string" for undistinguished octets.

> The definition in RFC says that the Value of Class should be string.

  Keep reading the RFC:

   string      1-253 octets containing binary data (values 0 through 255
               decimal, inclusive).

  The Class attribute is NOT an ASCII string.

> Because Alan always warns not to edit the dictionary file, I would like
> to know which kind of trouble I would face in changing octets to string
> in the dictionary file.

  Nothing.

> Will the value be changed in future or do I have to do it on my own and 
> at my own risk?

  The dictionary will NOT be updated to say that an attribute
containing binary data is an ASCII string.

  Alan DeKok.
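
As an added example (not FreeRADIUS code), the RFC 2865 attribute layout that Alan's answer rests on: each attribute is a type octet, a length octet that includes the header, and 1..253 value octets, so a Class value may legitimately contain NULs and bytes above 0x7f. Attribute numbers are the RFC's; the sample values are constructed. The last function shows why handling Class as a text string loses data, the same problem the "Adding a binary null" thread further down runs into.

```python
"""RFC 2865 attribute layout and what "octets" vs "string" means for Class.

Added example; this is not FreeRADIUS code. Each attribute is a type octet,
a length octet (header included, so 3..255) and 1..253 octets of value.
Attribute numbers are the RFC 2865 values; the sample values are constructed.
"""
from __future__ import annotations

USER_NAME = 1   # RFC 2865 User-Name
CLASS = 25      # RFC 2865 Class

# The two dictionary types the thread discusses: "string" is rendered as
# text, "octets" as hex, which is what the detail file and SQL columns hold.
DICT_TYPE = {USER_NAME: "string", CLASS: "octets"}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Build one attribute TLV; the length counts the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RFC 2865 attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(data: bytes) -> list[tuple[int, bytes]]:
    """Walk a run of TLVs, checking each length against the buffer rather
    than trusting it (a too-large length would otherwise read past the end)."""
    attrs: list[tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def render(attr_type: int, value: bytes) -> str:
    """Render a value the way its dictionary type stores it."""
    if DICT_TYPE.get(attr_type, "octets") == "string":
        return value.decode("ascii")   # would raise on a binary Class
    return "0x" + value.hex()


def octets_to_text(stored: str) -> str | None:
    """Recover text from a stored 0x... value, but only when every octet is
    printable ASCII; a binary Class has no faithful text form."""
    raw = bytes.fromhex(stored[2:]) if stored.startswith("0x") else stored.encode()
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def survives_as_c_string(value: bytes) -> bool:
    """If Class were handled as a NUL-terminated text string, everything after
    the first NUL would be silently dropped; True means nothing is lost."""
    return value.split(b"\x00", 1)[0] == value
```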



Re: Different Passwd Files on Different Servers

2005-07-19 Thread Alan DeKok
Bryan Beronilla <[EMAIL PROTECTED]> wrote:
> 1.  How will I configure the conf files in order to authenticate
> different users to different passwd and shadow files based on their
> domain names?

  You don't.  You configure the "passwd" module to read passwords from
the different files.  The server will then use the password to
authenticate the user.

  To select which passwd module to use, and which passwd file to read,
see doc/Autz-Type.

> 2.  What is the most elegant way of accessing the passwd files on the
> second server?  Should I set up another radius server on the second
> box and pass on the request?  Or is there a better alternative.

  I would suggest copying the passwd files between the servers, unless
there's some other interaction I'm not aware of.

  Alan DeKok.



Config problem: ntlm_auth works outside of freeradius, but not in

2005-07-19 Thread Ken George
The ntlm_auth command works from the command line, but not within freeradius (1.0.1) on RHEL 3.0 update 4.

Below is my ntlm_auth command from within radiusd.conf and the debug output and the successful command line run of the ntlm_auth program.

Where do I look for what I have misconfigured?  I’m happy that I configured the client section correctly and my 3005 is now talking to freeradius, but I’ll be happier when it can actually authorize.

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}


Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
    User-Name = "ken george"
    User-Password = "262144"
    Vendor-3076-Attr-32 = 0x0015
    NAS-IP-Address = 10.10.61.5
    NAS-Port-Type = Virtual
rad_lowerpair:  User-Name now 'ken george'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "ken george", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
    rlm_realm: No '\' in User-Name = "ken george", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
    users: Matched DEFAULT at 204
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type win_domain
auth: type "win_domain"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
radius_xlat:  '/usr/bin/ntlm_auth --username="ken george" --password="xx" --domain=usmisgnet'
Exec-Program: /usr/bin/ntlm_auth --username="ken george" --password=" xx " --domain=usmisgnet
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program: returned: 1
rlm_exec (win_domain): External script failed
  modcall[authenticate]: module "win_domain" returns fail for request 1
modcall: group Auth-Type returns fail for request 1
auth: Failed to validate the user.
Login incorrect: [ken george] (from client VPN3005_Pri port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Thread 2 waiting to be assigned a request
rad_recv: Access-Request packet from host 10.10.61.5:1045, id=2, length=74
Sending Access-Reject of id 2 to 10.10.61.5:1045
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 2 with timestamp 42dd17f4
Nothing to do.  Sleeping until we see a request.

 

 

 [EMAIL PROTECTED] raddb]# /usr/bin/ntlm_auth
--username="ken george" --password=" xx "
--domain=usmisgnet

NT_STATUS_OK: Success (0x0)

 

Thanks!

 

 

Ken George

Systems and
Network Engineering

Mi Services
Group, Inc.   

+1 610-230-2500
x129  

 







Re: LDAP Authorization & different VLAN

2005-07-19 Thread Dusty Doris

> Hi,
>
> I have made a system of authorization with freeradius 1.0.4 based on the
> LDAP attribute radiusGroupName and it works perfectly!
>
> Now I have this problem:
>
> I have two VLANs named data and students on my access points. I want to
> create different groups for authorization to access these VLANs.
> For example, I want users who have the attribute radiusGroupName = WLANdata
> to be able to access the VLAN "data", and users who have the attribute
> radiusGroupName=WLANstudents to be able to access the VLAN "students".
>
> How can I configure the huntgroups file? Or do I need to configure the
> users file?
>
> Thanks and excuse me for my English,
> Felice

I'm assuming you mean that if someone has radiusgroupname=WLANStudents,
then you want to assign them to that VLAN.  Is that correct?

If so, you need to find out what radius attributes you need to send back
to the access point to assign them to that VLAN.  Then you can use the
users file to set that up.

For example:

DEFAULT  Ldap-Group == WLANstudents
SomeAttribute = SomeValue

DEFAULT  Ldap-Group == WLANdata
SomeAttribute = OtherValue

Make sense?

The SomeAttribute is some radius attribute that your NAS expects back that
will assign them to a VLAN.  The SomeValue and OtherValue are the values
you would return that would specify which VLAN they should be in.  You'll
have to check the documentation of your AccessPoint to figure out what
that attribute/value pair should be.
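As an added example of the two users entries above (not from Dusty's reply), filled in under the assumption that the access point honours the RFC 2868 tunnel attributes for dynamic VLAN assignment, as many 802.1X-capable APs and switches do; the VLAN ids 10 and 20 are placeholders:

```text
# users file (FreeRADIUS 1.x). The first matching DEFAULT entry wins, so no
# Fall-Through is needed while a user is in exactly one of the two groups.
DEFAULT  Ldap-Group == "WLANdata"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "10"

DEFAULT  Ldap-Group == "WLANstudents"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "20"
```

Confirm in the radiusd -X output that the Access-Accept carries all three attributes; an AP that does not support them simply ignores them and leaves the client on its default VLAN.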




radius and clients.conf?

2005-07-19 Thread Will Carter
It seems that when I start radius in debug mode, it is correctly reading my
clients.conf file, but when I start it normally, it is not recognizing my
nas device. It's as if it's not reading the correct clients.conf. Any ideas
why this would be?
-will




Problem with an Accounting query

2005-07-19 Thread Santiago Balaguer García
Hi people,

   I have been using freeradius with mysql support for two years. I installed the latest version of freeradius, 1.0.4, and a Postgres DB. My Radius server authorizes well, however it cannot account.

 When I debug with radius -X, this query appears in the initial messages:

INSERT into radacct ??(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctAuthentic, ??ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) ??values('8060014b', 'cf3ead15f9af8ca7', '22107', '', '192.168.0.51', ??'2153775435', 'Cable', (now() - '0'::interval), '', '', ??'hs-eth1', '00:08:02:D2:72:0F', '', '', ??NULLIF('10.5.0.16', '')::inet, '0')'

In the postgres.conf file I only modified host, user and passwd. So, why do the double question marks appear???


LDAP Authorization & different VLAN

2005-07-19 Thread Felice Pizzurro

Hi,

I have made a system of authorization with freeradius 1.0.4 based on 
LDAP attribute radiusGroupName and it works perfectly!


Now I have this problem:

I have two VLANs named data and students on my access points. I want to 
create different groups for authorization to access these VLANs. 
For example, I want users who have the attribute radiusGroupName = WLANdata 
to be able to access the VLAN "data", and users who have the attribute 
radiusGroupName=WLANstudents to be able to access the VLAN "students".


How can I configure the huntgroups file? Or do I need to configure the 
users file?


Thanks and excuse me for my English,
Felice








Re: Freeradius on Fedora Core 1

2005-07-19 Thread A . L . M . Buxey
Hi,

> I'm a newbie on freeradius, currently I'm trying to configure it on a box
> running Fedora Core 1.
> 
> Since it came with the box when it was set up, I chose to install everything.  So it
> is already installed on the box.

I would advise you not to use the one that comes with Fedora.

> Q1.  Where is the dialupadmin?

IIRC it's not included.

> Q2. How to configure it?

The FC version throws its config into the usual place. /etc/radiusd
is a good place to start.

> Q3. Is there any howto configuring it using MySQL?

You can't. The version that comes with FC isn't compiled to use MySQL.

...it's far, far easier and better to simply compile your own, with the features 
you want. First remove the freeradius you've installed; then, when in future 
you yum update, you won't be doing yourself over.

alan


Error in Dialup Admin's online users page

2005-07-19 Thread Tobias Wolf
Hi,
there's a mistake in user_admin.php3 of dialup_admin.

Right now, it's displaying the Download value twice on the Online Users
page. Once as human-readable value under Upload and once as raw bytes
under Download.
I found the glitch on line 196.

   if ($lastlog_input)
$lastlog_input = bytes2str($lastlog_input);
   else
$lastlog_input = 'not available';
   if ($lastlog_output)
 $lastlog_input = bytes2str($lastlog_output);
   else
$lastlog_output = 'not available';

Of course it's got to be $lastlog_output.

cheers, tobias



Re: Nas-Port-Type question

2005-07-19 Thread Dusty Doris

> Hi guys,
>
> I use freeradius with poptop, just a question that I'm trying to figure
> out. My radius server sees the NAS-Port-Type as Async whenever a VPN
> connection is made. Is there any way to change this to let radius see, for
> example, a "vpn" nas-port-type? Must this port-type come from my VPN
> server?
>
> Thanks
>
> J

Radius Attribute/Value pairs come from the NAS.  Perhaps if you describe
what it is you are trying to do, we can help.




Freeradius on Fedora Core 1

2005-07-19 Thread Luis Matos
Hi,

I’m a newbie on freeradius, currently I’m trying to configure it on a box running Fedora Core 1.

Since it came with the box when it was set up, I chose to install everything.  So it is already installed on the box.

Q1.  Where is the dialupadmin?

Q2. How to configure it?

Q3. Is there any howto configuring it using MySQL?

Thanks.

Luis Matos
Systems & Network Manager
Acelera Networks, Puerto Rico
TEL. 787.622.2666
Email: [EMAIL PROTECTED]
Web: www.acelerapr.com

“I never think of the future. It comes soon enough.” Albert Einstein


FW: TTLS and PAP

2005-07-19 Thread martin.p.bradley
Folks,

I'm trying to get TTLS/PAP working using freeradius 1.0.4.  I must have
it configured incorrectly because it's giving a Segmentation fault just
before giving the Access-Accept & EAP-Success back to the switch.  I
have searched the archives for a solution but not found help to sort my
problem out.

I have played around with the configuration but don't fully understand
what I'm doing.  Could someone point me to a place where I can read and
understand how the authenticate and authorize sections work?  The
explanation in the radiusd.conf file doesn't seem to click with me.  


What I don't understand is why modcall[authorize] appears often in request
processing before modcall[authenticate].  I thought the order was to
authenticate a user and then, once we are sure they are who they say they
are, authorise them to use the network.


Thanks for any help,
Martin.


radiusd.conf 

authenticate {
Auth-Type PAP {
pap
}
eap
}

authorize {
preprocess
eap
files

}

Users file..

"Client certificate" Auth-Type := Local, User-Password == "bradley"
Service-Type = Framed-User,
Framed-Compression = Van-Jacobsen-TCP-IP


  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
users: Matched entry DEFAULT at line 162
  modcall[authorize]: module "files" returns ok for request 3
  rlm_eap: EAP packet type response id 34 length 200
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type System
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'anonymous'
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
TLS_accept: SSLv3 read client key exchange A 
TLS_accept: SSLv3 read finished A 
TLS_accept: SSLv3 write change cipher spec A 
TLS_accept: SSLv3 write finished A 
TLS_accept: SSLv3 flush data 
(other): SSL negotiation finished successfully 
SSL Connection Established 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 34 to 10.230.199.248:1126
EAP-Message =
0x0123003d1580003314030100010116030100288b7a33f454f760f4cddff2f95941
b215a6f3d73b5e422d1744b2201bee31448f10dc78f33f354476
Message-Authenticator = 0x
State = 0x49b28c5e2307f384db00487f11336474
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.230.199.248:1126, id=35,
length=248
User-Name = "anonymous"
NAS-IP-Address = 10.230.199.248
NAS-Port = 2
State = 0x49b28c5e2307f384db00487f11336474
Calling-Station-Id = "00:06:5b:d6:ff:24"
NAS-Identifier = "radius-netgear"
NAS-Port-Type = Ethernet
EAP-Message =
0x02230078150017030100189e2c7d7fea093fe36d2ad301f92cc2ef4cba50563b00a0a8
1703010050b5955c43a5cd51375cebde00ed386a2f4273385aa3f6b0b2c6f7e15b73a75e
e8f64e15abdca0a875fd3408d3ce811a76580cee45fc540215f84bcc2f99a95cc5199a36
da952c0a76243f7f7645f4327b
Message-Authenticator = 0x3ddd5d8d65f10f4a26c7db7ab52a96db
X-Ascend-Token-Idle = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
users: Matched entry DEFAULT at line 162
  modcall[authorize]: module "files" returns ok for request 4
  rlm_eap: EAP packet type response id 35 length 120
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type System
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'anonymous'
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7 
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled
attributes.
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for 

Re: Script to encrypt/decrypt User-Password

2005-07-19 Thread Tore Anderson
* Tore Anderson

>   If only my C was a little less rusty than what it actually is, it
>  might have been.  :-(  I'll see what I can do, though.  Thanks for the
>  tip.

  I gave up, but fortunately found a Perl module which helped out.  I'm
 attaching the script I wrote here in case someone else needs such a
 script one day.

Regards
-- 
Tore Anderson


radiuspwd
Description: Perl program
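
The User-Password hiding from RFC 2865 section 5.2 that src/lib/radius.c implements, written out in Python as an added example; it is neither Tore's Perl script (which the archive does not reproduce) nor FreeRADIUS code. The shared secret and Request Authenticator used in the test are constructed values.

```python
"""User-Password hiding from RFC 2865 section 5.2, as an added example.

Not Tore's Perl script and not FreeRADIUS's src/lib/radius.c. The password
is NUL-padded to a multiple of 16 octets, split into p1..pn, and each block
is XORed with an MD5-derived block:
    b1 = MD5(S + RA)        c1 = p1 xor b1
    bi = MD5(S + c(i-1))    ci = pi xor bi
where S is the shared secret and RA the 16-octet Request Authenticator.
This is keyed obfuscation, not authenticated encryption: anyone holding the
shared secret and the packet recovers the password, which is why RADIUS
traffic belongs on trusted networks or inside IPsec/TLS.
"""
import hashlib


def _md5_xor(data: bytes, secret: bytes, authenticator: bytes,
             chain_on_output: bool) -> bytes:
    """Shared loop for hiding and revealing. Hiding chains on its own output
    (the hidden block); revealing chains on its input, which is that same
    hidden block, so both sides derive the same bi sequence."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(data) % 16 or not 16 <= len(data) <= 128:
        raise ValueError("data must be 16..128 octets, a multiple of 16")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block_in = data[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        block_out = bytes(x ^ y for x, y in zip(block_in, b))
        out += block_out
        prev = block_out if chain_on_output else block_in
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Turn a cleartext password into the User-Password attribute value."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # pad only if needed
    return _md5_xor(padded, secret, authenticator, chain_on_output=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the cleartext from a User-Password value. The RFC pads with
    NULs, so trailing NULs are stripped (assumption: a real password never
    ends in a NUL octet)."""
    padded = _md5_xor(hidden, secret, authenticator, chain_on_output=False)
    return padded.rstrip(b"\x00")
```

Round-tripping a value taken from a captured packet requires that packet's own Request Authenticator, not a fresh one.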

Difference between dictionary and RFC 2865 for Attribute Class

2005-07-19 Thread Andreas Engler

Hello,

I wonder why the entry for Attribute Class in the dictionary file is octets.

I think that is the reason why the Value of Class will be stored as a hex
string in the detail file and sql. So I have to convert it back to ASCII to 
read the contents.


The definition in the RFC says that the Value of Class should be string.

Because Alan always warns not to edit the dictionary file, I would like
to know which kind of trouble I would face in changing octets to string
in the dictionary file.

Will the value be changed in future or do I have to do it on my own and 
at my own risk?


Thank you for your response

Andreas




Re: Adding a binary null to a value using attr_rewrite

2005-07-19 Thread Tore Anderson
* Alan DeKok

>   Submit a bug on bugs.freeradius.org, saying "Siemens NAS product X"
> is broken.  Maybe public shame will push them to fix it.

  I will, if I can conclude that this is indeed the problem.  Right now
 it's only a suspicion.  I need to check out another loose end about how
 it's interpreting the encryption of User-Password as well.

* Tore Anderson

>   Adding that null-byte to the replacewith string doesn't seem to work,
>  unfortunately.  At least not in any way I've tried - but the RFC
>  mandates that a server implementation should handle null-bytes, so I
>  would think there has to be /some/ way of doing it?

* Alan DeKok

>   Yes.  But it's a little complicated, because you're now trying to
> treat "Class" as *both* a text string, and a sequence of binary bytes,
> and the server isn't really set up to do that easily.

  Never mind me, I have this tendency to run into strange setups that
 can't possibly work..  :-)

>   Hmmm... I'll have to think about that.  I've *never* heard of this
> problem before, so it's not immediately obvious how to solve it.

  Well, if I could add "\0" to the string and have that be interpreted
 as a zero-byte in the string instead of its terminator, it would be the
 easiest for me.  Of course, that probably causes other problems under
 the hood that I don't really know anything about..

  Thanks for your patience with me, I'll try some more to figure it out.

Kind regards
-- 
Tore Anderson



freeradius cisco-avpair problem

2005-07-19 Thread Matthias Wolf
Hello

I have a problem with the cisco-avpairs and a 525 cisco pix. After the pix
has gotten the avpairs and created the access-list (e.g. AAA-user-test), the
logging-table says that it needs an authorization. But radius and
authorization? No really!
Here is the line from the logging-table: "Authorization denied (acl=
AAA-user-test) for user 'test' from 10.10.10.23/1369 to xx.xx.xx.xx/53 on
interface inside".
My avpair looks like: "ip:inacl#1=permit tcp host 10.10.10.23 any ".

Where is my mistake? Either on the pix or at my kind of avpairs?


Muchas gracias, Matthias Wolf  




Re: Script to encrypt/decrypt User-Password

2005-07-19 Thread Tore Anderson
* Alan DeKok

>   See src/lib/radius.c
> 
>   It should be a matter of a few minutes to add a wrapper around that.

  If only my C was a little less rusty than what it actually is, it
 might have been.  :-(  I'll see what I can do, though.  Thanks for the
 tip.

Regards
-- 
Tore Anderson



Re: multiple realm proxying based on huntgroup.

2005-07-19 Thread Nicolas Baradakis
Roy D. Hockett wrote:

>>> I am trying to figure out a way to have different groups of realm proxies
>>> for different NAS/huntgroups.  For example, for VPN resources I don't
>>> want realms, but for wireless/wired 802.1x I want to be able to forward
>>> to other realms.
>>
>> In the "users" file:
>>
>> DEFAULT Huntgroup-Name == wireless, Proxy-To-Realm := other.com
>
> I don't understand your response. Are you saying on a per users
> basis set this?

Please read the users(5) manpage. The keyword "DEFAULT" matches any
username. In this case it's the "Huntgroup-Name" variable which is
used to match the incoming request.

DEFAULT Huntgroup-Name == wired, Proxy-To-Realm := realm1.net

DEFAULT Huntgroup-Name == wireless, Proxy-To-Realm := realm2.com

The huntgroups have to be defined in /etc/raddb/huntgroups and the
realm servers in /etc/raddb/proxy.conf.

Nicolas Baradakis

-- 
A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting annoying in email?
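
The three files Nicolas refers to, wired together as an added example (not from the reply above); the NAS addresses, home-server names and shared secrets are placeholders, and the huntgroup names match the ones in his users entries:

```text
# /etc/raddb/huntgroups: name a huntgroup after the NAS a request came from
wireless  NAS-IP-Address == 192.0.2.10
wireless  NAS-IP-Address == 192.0.2.11
wired     NAS-IP-Address == 192.0.2.20
vpn       NAS-IP-Address == 192.0.2.30

# /etc/raddb/proxy.conf: the home servers each realm is forwarded to
realm realm1.net {
	type      = radius
	authhost  = radius.realm1.net:1812
	accthost  = radius.realm1.net:1813
	secret    = CHANGE-ME-placeholder
}
realm realm2.com {
	type      = radius
	authhost  = radius.realm2.com:1812
	accthost  = radius.realm2.com:1813
	secret    = CHANGE-ME-placeholder
}

# /etc/raddb/users: pick the realm per huntgroup. Requests from the "vpn"
# huntgroup match neither entry, so nothing here sets Proxy-To-Realm for them.
DEFAULT  Huntgroup-Name == wired,    Proxy-To-Realm := realm1.net
DEFAULT  Huntgroup-Name == wireless, Proxy-To-Realm := realm2.com
```

Each realm's shared secret is what protects the forwarded User-Password and the Message-Authenticator on that hop, so use a distinct, long secret per home server rather than reusing the NAS secrets.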


Re: Listen to multiple ports on a single server?

2005-07-19 Thread Thomas MARCHESSEAU

Hi Erling,

You can do something like this:
--- radiusd.conf ---
# SERVER CONFIGURATION
listen {
   ipaddr = *
   port = 1812
   type = auth
}
listen {
   ipaddr = *
   port = 1813
   type = acct
}
listen {
   ipaddr = *
   port = 1645
   type = auth
}
listen {
   ipaddr = *
   port = 1646
   type = acct
}
listen {
   ipaddr = *
   port = 2045
   type = auth
}
listen {
   ipaddr = *
   port = 2046
   type = acct
}

--- end ---

Regards,
Thomas MARCHESSEAU



Erling Paulsen wrote:

> On Mon, Jul 18, 2005 at 11:36:05AM -0400,Kevin Bonner, The Induhvidual, 
> scrabbled:
> > On Monday 18 July 2005 10:10, Marcin Jessa wrote:
> > > On Mon, 18 Jul 2005 15:12:00 +0200 Erling Paulsen <[EMAIL PROTECTED]> 
> > > wrote:
> > > > Hello.
> > > >
> > > > Right now I'm running multiple servers for listening to multiple ports,
> > > > for having the option of accommodating both NAS'es that use the old 1645
> > > > port and the ones using the newer 1812 port for requests.
> > > >
> > > > Is there a possibility to have one radiusd listen to more ports, or do I
> > > > have to reconfigure/tell all the old external participants to use the new
> > > > 1812 port?
> > > >
> > > > From what I can read from the docs, I guess it's not possible!
> > > >
> > > > Running v.1.0.4
> > > >
> > > > - Erling Paulsen
> > >
> > > May I ask why do you want to do such a thing?
> > 
> > You can have freeradius running on both the old and new ports, then cutover 
> > your equipment and external radius clients as you please.
> > 
> > The listen directive in raddb.conf can do what you want.
> > 
> > Kevin Bonner
> 
> Thanks for the help.
> 
> That did the trick!
> 
> I think that perhaps I asked this question a little fast. Haven't seen the
> 'listen' section in the .conf before - as I was upgrading multiple servers 
> from v.0.93.
> 
> Excellent feature :)
> 
> - Erling



Re: Password with comma fail with LDAP

2005-07-19 Thread Turtiainen, Tero

Hi,

> We have FreeRADIUS 0.9.3 using LDAP for authorisation. We now have a
> problem that for example password with certain characters is cut. For
> example password "test,ing" is cut to "test". This is caused by the
> gettoken function in src/lib/token.c which is used by the rlm_ldap
> module. Google search seems to indicate that the same problem has been
> with the SQL-module which also uses gettoken.
>
> This kind of behaviour is of course quite evil. Is our problem unique?

> I made a quick test fix by replacing all occurrences of gettoken in
> src/modules/rlm_ldap/rlm_ldap.c with the getbareword function (also in
> src/lib/token.c) which does not care about the tokens


I have looked at this a little bit more and I still don't get it. Why
does the LDAP-module use the gettoken() function? I have thought that
the authorisation data stored in LDAP should be usually taken "as is",
but in the LDAP/gettoken case it seems that there could also be some
special handling. But in our case this breaks the password handling if
the password contains some of those delimiters (like ,=> etc...).
Storing the passwords in MD5 or some other one-way encryption is not a
solution as CHAP is used for authentication. And the gettoken also
breaks other attributes, not just passwords.

Is there something that I don't understand or is this a bug in the
LDAP-module? Replacing gettoken with getbareword in rlm_ldap.c
seemed to fix this, but this may break a lot of other things... :)

Or should this be discussed in freeradius-devel?
--
Tero Turtiainen
Telecom, Media & Entertainment
Capgemini
[EMAIL PROTECTED]



Nas-Port-Type question

2005-07-19 Thread Jandre Olivier

Hi guys,

I use freeradius with poptop, just a question that I'm trying to figure 
out. My radius server sees the NAS-Port-Type as Async whenever a VPN 
connection is made. Is there any way to change this to let radius see, for 
example, a "vpn" nas-port-type? Must this port-type come from my VPN 
server?


Thanks

J

--
Regards
Jandre

"Some people are alive only because
 it is illegal to kill them."



Re: Listen to multiple ports on a single server?

2005-07-19 Thread Erling Paulsen
On Mon, Jul 18, 2005 at 11:36:05AM -0400,Kevin Bonner, The Induhvidual, 
scrabbled:
> On Monday 18 July 2005 10:10, Marcin Jessa wrote:
> > On Mon, 18 Jul 2005 15:12:00 +0200 Erling Paulsen <[EMAIL PROTECTED]> 
> wrote:
> > > Hello.
> > >
> > > Right now I'm running multiple servers for listening to multiple ports,
> > > for having the option of accommodating both NAS'es that use the old 1645
> > > port and the ones using the newer 1812 port for requests.
> > >
> > > Is there a possibility to have one radiusd listen to more ports, or do I
> > > have to reconfigure/tell all the old external participants to use the new
> > > 1812 port?
> > >
> > > From what I can read from the docs, I guess it's not possible!
> > >
> > > Running v.1.0.4
> > >
> > > - Erling Paulsen
> >
> > May I ask why do you want to do such a thing?
> 
> You can have freeradius running on both the old and new ports, then cutover 
> your equipment and external radius clients as you please.
> 
> The listen directive in raddb.conf can do what you want.
> 
> Kevin Bonner

Thanks for the help.

That did the trick!

I think that perhaps I asked this question a little fast. Haven't seen the
'listen' section in the .conf before - as I was upgrading multiple servers 
from v.0.93.

Excellent feature :)

- Erling

-- 
|sig|---
[EMAIL PROTECTED]
Nettseksjonen, ITavd UiT


Different Passwd Files on Different Servers

2005-07-19 Thread Bryan Beronilla
I'm relatively new to the radius universe and I'd like to ask your
help regarding my freeradius concerns.  We're trying to configure
freeradius to read from different passwd files based on their domains.
 We have around 20 virtual domains spanning 2 servers.  Now my
question is two-fold:

1.  How will I configure the conf files in order to authenticate
different users to different passwd and shadow files based on their
domain names?   Do I go the configurable failover route?  If so, can
anyone give me tips or forward me a good link on how to set this up?

2.  What is the most elegant way of accessing the passwd files on the
second server?  Should I set up another radius server on the second
box and pass on the request?  Or is there a better alternative.

Thank you very much for any help you might be able to pass along.

Barok Beronilla
