Re: TTLS-PAP only option for LDAP backend?
Cian Phillips wrote:
> Thanks to Alan, Thor and Vladimir for getting me this far. *grin* I have TTLS-PAP working and authenticating against our OSX LDAP server. I was wondering if anyone has had any success getting Microsoft clients to use TTLS-PAP without installing additional software as suggested in this tutorial: http://vuksan.com/linux/dot1x/wpa-client-config.html#Windows_XP
>
> Is there a simpler way to accomplish the same thing?

No

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi
Hi all,

I am new to FreeRADIUS and wish to study the code of the server. Please tell me about the code structure so as to be able to study and understand the code properly.

Thanks,
Shruti
Digest test
All,

I am using freeradiusd 1.0.4 on RedHat Linux 9 and have just run the digest test suggested in the doc area through radclient. As it stands, I receive a code 3 reply (Access-Reject). The instruction for the test tells me to do the following:

1. In the /etc/raddb/users file insert an entry as below:

    test    Auth-Type := Digest, User-Password = test
            Reply-Message = "Hello, test with Digest"

2. Initiate radclient with a file called digest (i.e. radclient -f digest localhost auth testing123):

    User-Name = test,
    Digest-Response = 631d6d73147add2f9e437f59bbc3aeb7,
    Digest-Realm = testrealm,
    Digest-Nonce = 1234abcd,
    Digest-Method = INVITE,
    Digest-URI = sip:[EMAIL PROTECTED],
    Digest-Algorithm = MD5,
    Digest-User-Name = test

The command line holds the shared secret as defined in the clients.conf file. However, for this test to work I had to insert a User-Password = <password> (where <password> is the actual password) into the digest file. After this I get a code 2 reply (Access-Accept). A radiusd -X dump shows freerad trying to do a unix authentication via the rlm_unix module. I've tried to comment out any instances of unix authentication from the radiusd.conf file, but with the same results.

Is there a way to tell freerad not to check User-Password?

Ian Davies {02476 564662} Internal (x740 4662)
IMS-SIPAC Software Development Engineer
Regarding FreeRadius-1.0.4 support for linux log in
Greetings!!!

I'm new to freeradius. I have installed freeradius-1.0.4 on my machine and it responds to the packets sent through radclient. Now my requirement is: I have a Linux box whose user profiles are maintained by the RADIUS server. When I use ssh/rlogin/telnet etc. it should give me the prompt, get the user name and password from the prompt and authorise them with the RADIUS server. If authorized, a shell prompt should be provided, else it should give a "login incorrect" message. How can this be done?

I would also like to know how I can include my own protocol instead of ssh/rlogin/telnet for logging in.

Thanks in advance,
Nisha P Kurur
urgent: problem with shared secret
Hello,

I am using the FreeRADIUS server for sending accounting request packets and receiving accounting response packets. However, it displays "shared secret is incorrect". Could you let me know how to configure the FreeRADIUS server for RADIUS accounting, or whether any special configuration has to be done apart from the naslist file and the clients.conf file?

Please let me know as soon as possible.
Re: concurrent TTLS and PEAP usage
> Hi, what you are saying is that I should do something like this:
>
>     user_ttls    EAP-Type != PEAP
>
> that however only prohibits the usage of PEAP for user_ttls while I would like to only enable TTLS for this specific user (which is not quite the same).

Yes, however you said yourself that you do _not_ want to only enable TTLS for this specific user, since you also obviously need to enable the inner protocol used inside the tunnel...

Maybe something like: if EAP-Type isn't EAP-TTLS and FreeRadius-Proxied-To is not set for user_ttls, then reject, as a first rule; and as a second rule something like: if FreeRadius-Proxied-To is set and Auth-Type isn't PAP, then reject. And similar rules for user_peap.

Regards,
Stefan
Windows Client Authentication before Domain logon
How can I add this OID to my machine certs? Using the CA.certs script and the xpextensions file?

Regards,
Jeremy

Ben Walding ben.walding at gmail.com wrote:
> I also found using machine certificates to be hit and miss (some machines they'd be picked up, others they wouldn't - all XP SP2 with appropriate patches). And then I stumbled on this: http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html
>
>     1.3.6.1.4.1.311.17.2
>
> After I started adding that OID to my machine certs, everything started working wonderfully. I shook my fist at Microsoft that day!
>
> Cheers,
> Ben
Multiple VSA pairs
Hello,

I'm using FreeRADIUS with MySQL for accounting and authentication. From a Cisco 2651XM router, I have multiple Cisco-AVPair attributes sent in accounting packets:

rad_recv: Accounting-Request packet from host 192.168.167.14:1646, id=186, length=201
        Acct-Session-Id = 9E13
        Cisco-AVPair = isakmp-group-id=cg-ectvpn
        Framed-IP-Address = 172.16.33.119
        Cisco-AVPair = isakmp-initator-ip=82.104.97.16
        User-Name = pwh
        Cisco-AVPair = connect-progress=Auth Open
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        Cisco-NAS-Port = FastEthernet0/1
        NAS-Port = 1
        NAS-IP-Address = 192.168.167.14
        Acct-Delay-Time = 0

When trying to refer to these in a SQL INSERT statement for accounting (where, if the AVPair is 'isakmp-initiator-ip', it gets stripped and the address inserted), the AVPairs overwrite each other. Is there a workaround for this, or is the behaviour of a Cisco IOS router 'broken' for sending the same attribute twice in the same packet?

Best wishes,
Peter.
Windows Client Authentication before Domain logon
Sorry, but I didn't find any references to this OID in the creation scripts in the scripts directory (CA.all, CA.certs...). The only OIDs added seem to be 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 (in xpextensions). Is there any way to do this without patching openssl (like explained here: http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html)?

Regards,
Jeremy

Alan DeKok aland at ox.org wrote:
> That OID is added by the cert creation script in the scripts directory, but it should be made more prominent in eap.conf, too.
>
> Alan DeKok.
Different behaviour with LDAP
I am authorizing wireless network cards in the users file with a radius server (old Cistron radius) and that is working fine, with an entry like:

    121212-232323    Auth-Type = Accept

Only a network card matching the above entry gets access.

Now I am building a new radius server with FreeRADIUS, and user information and passwords are kept in OpenLDAP. I have the following entry in my users file:

    DEFAULT    Huntgroup-Name == wireless, Service-Type == Framed-User, Autz-Type := ldap-macaddr, Auth-Type := Accept
               Fall-Through = No

and this is in radiusd.conf:

    ldap ldap-macaddr {
        server = localhost
        identity = cn=manager,dc=skrin,dc=local
        password = kept_secret
        basedn = ou=users,ou=internet,dc=skrin,dc=local
        filter = (&(macAddress=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=wireless))
        base_filter = (objectclass=radiusprofile)
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        #
        # password_attribute = userPassword
        #
        # groupname_attribute = cn
        # groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
    }

I also have different sections for different huntgroups of the LDAP entry in radiusd.conf for other services, and they work fine.

The behaviour of the radius server is like this: authorize the client/user (match against huntgroup and LDAP attribute search), then authenticate the user (trying to log into the LDAP server with user/password). But I have Auth-Type = Accept, which I understand allows everyone that matches the authorize section. This breaks: it allows everyone that matches the huntgroup but fails authorize. Is this normal or not?

Þórður Ívarsson
Skrín ehf
Re: Windows Client Authentication before Domain logon
Check this out, Jeremy: http://www.linuxjournal.com/article/8095

On Wed, 2005-08-31 at 14:22 +0200, Jérémy Cluzel wrote:
> Sorry, but I didn't find any references to this OID in the creation scripts in the scripts directory (CA.all, CA.certs...). The only OIDs added seem to be 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 (in xpextensions). Is there any way to do this without patching openssl (like explained here: http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html)?
>
> Regards,
> Jeremy
>
> Alan DeKok aland at ox.org wrote:
>> That OID is added by the cert creation script in the scripts directory, but it should be made more prominent in eap.conf, too.
>>
>> Alan DeKok.
Re: concurrent TTLS and PEAP usage
Hi Alan, hi Stefan,

thanks for your help. I think I understand the idea. However, my problems are on the implementation level. Two things are still not clear to me.

1. We use 'sql' and not 'files' (my fault, I didn't mention it previously) and thus I don't see how I can add the line below to my user profile, which already has things like User-Password == ..., etc. I tried adding user user_ttls into group TTLS and then using radgroupcheck like this:

    radgroupcheck:
    id   User        Attribute   op   Value
    2    user_ttls   EAP-Type    !=   TTLS
    3    user_ttls   Auth-Type   :=   Reject

but then user_ttls gets rejected. How do I implement it with SQL?

2. We experimented with EAP-Type, but at least for PEAP, as soon as we specify it somewhere in radcheck, PEAP breaks with a server error message saying that the client has sent a TLV rejecting the connection.

Alan: like Stefan proposed, I also thought about something like FreeRadius-Proxied-To, because I think that your proposal might not work as soon as the internal method starts for the user. Or don't external methods use EAP-Type? (Still I am not sure how to define conditions in SQL tables: if EAP-Type not this value, then add Auth-Type = ...)

ciao
artur

Alan DeKok wrote:
> Artur Hecker [EMAIL PROTECTED] wrote:
>>     user_ttls    EAP-Type != PEAP
>>
>> that however only prohibits the usage of PEAP for user_ttls while I would like to only enable TTLS for this specific user (which is not quite the same).
>
>     user_ttls    EAP-Type != TTLS, Auth-Type := Reject
>
> See the dictionaries for EAP-Type names.
>
> Alan DeKok.
krb5 documentation
Hi,

I want to do user authentication by Kerberos 5. Therefore I was happy to see that FreeRADIUS contains the krb5 module. But I wasn't able to find the documentation for this module. Can somebody give me a link or an example on how to use this module?

Thanks,
Joachim

--
B. Sc. Joachim Selke
Universität Hannover, Fachgebiet Theoretische Informatik
Appelstraße 4, 30167 Hannover, Germany
Web: http://www.thi.uni-hannover.de/
Re: New checkItem from LDAP
> Joe H [EMAIL PROTECTED] wrote:
>> lines. lines 2 and 11 are other DEFAULT entries in the users file with fall-through set to yes. It skips right over the SNS-Enable checkItem.
>
> Ah. The users file isn't set up to do comparisons on check items. So I don't think it will work.
>
> Alan DeKok.

That's basically the conclusion I came to, which is why I asked. Is there a way to add another attribute to the ldap module in radiusd.conf? Something similar to the groupname_attribute?

I've found that adding a fake second module to this file and setting groupname_attribute = radiusSNSEnable works if I do something like the following in the users file:

    DEFAULT    sns-test-Ldap-Group != 1
               USR-Framed_IP_Address_Pool_Name = BLACKHOLE1,
               Idle-Timeout := 120,
               Fall-Through = Yes

where sns-test is my module name. This way works, but I think it's messy since I'm creating a module for just one attribute to be called. Plus, if I ever need to add new attributes, that's a lot of modules.

Thanks.
Re: hi
shruti kukkar [EMAIL PROTECTED] wrote:
> I am new to the freeRadius and wish to study the code of the server. Please tell me about the code structure so as to be able to study and understand the code properly.

The code structure is documented in the code.

Alan DeKok.
Re: Digest test
Iandc Davies [EMAIL PROTECTED] wrote:
> The instruction for the test tells me to do the following:
>
> 1. In the /etc/raddb/users file insert an entry as below:
>
>     test    Auth-Type := Digest, User-Password = test

That should be ... User-Password := test.

The users file isn't really set up for modern deployments. Its design goes back to 1993, when all the fancy authentication methods didn't exist.

Alan DeKok.
Re: Regarding FreeRadius-1.0.4 support for linux log in
Nisha P Kurur [EMAIL PROTECTED] wrote:
> I have a linux box whose user profiles are maintained by the RADIUS server. When I use ssh/rlogin/telnet etc it should give me the prompt, get the user name and password from the prompt and authorise it with the RADIUS server. If authorized, then a shell prompt should be provided else should give a login incorrect message.

See the PAM module on www.freeradius.org

Alan DeKok.
GPL
I told my colleagues about the advantages of FREERADIUS+ORACLE. BUT, they say that it is a GPL violation. Is that true?

Thanks.
Re: Multiple VSA pairs
Peter Hicks [EMAIL PROTECTED] wrote:
> When trying to refer to these in a SQL INSERT statement for accounting (where if the AVPair is 'isakmp-initiator-ip', it gets stripped and the address inserted), the AVPairs overwrite each other. Is there a workaround for this, or is the behaviour of a Cisco IOS router 'broken' for sending the same attribute twice in the same packet?

The Cisco is OK. The %{} code in FreeRADIUS doesn't deal well with multiple attributes. The CVS snapshot handles this better.

Alan DeKok.
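Added example (not FreeRADIUS code and not from either poster) showing the two ways of treating the repeated Cisco-AVPair in Peter's accounting packet: a dict keyed by attribute name keeps only the last instance (the overwrite Alan describes), while an ordered list of pairs lets every instance be split on its own '=' and the initiator address be bound into the INSERT as a parameter. The dump is constructed from the one in Peter's post, with string values quoted the way radiusd -X prints them; the SQLite table and column names are this example's own.

```python
"""Extract a keyed Cisco-AVPair from an Accounting-Request that carries
the attribute several times.  The attribute list is kept as an ordered
list of (name, value) pairs, which is how the packet arrives; collapsing
it into a dict is exactly the 'last one wins' overwrite from the post."""

import re
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed sample, copied from the rad_recv dump in the post (string
# values quoted the way radiusd -X prints them).
SAMPLE_DEBUG = """\
rad_recv: Accounting-Request packet from host 192.168.167.14:1646, id=186, length=201
        Acct-Session-Id = "9E13"
        Cisco-AVPair = "isakmp-group-id=cg-ectvpn"
        Framed-IP-Address = 172.16.33.119
        Cisco-AVPair = "isakmp-initator-ip=82.104.97.16"
        User-Name = "pwh"
        Cisco-AVPair = "connect-progress=Auth Open"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        Cisco-NAS-Port = "FastEthernet0/1"
        NAS-Port = 1
        NAS-IP-Address = 192.168.167.14
        Acct-Delay-Time = 0
"""

# Indented 'Name = value' lines; the optional quotes are dropped.
_PAIR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_pairs(debug: str) -> List[Tuple[str, str]]:
    """Turn the attribute lines of a radiusd -X dump into an ordered list
    of pairs.  Repeated attributes are kept, in wire order."""
    pairs: List[Tuple[str, str]] = []
    for line in debug.splitlines():
        m = _PAIR_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def lossy_dict(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """A dict keyed by attribute name: each Cisco-AVPair overwrites the
    previous one, so only the last instance survives (the reported problem)."""
    return dict(pairs)


def cisco_avpairs(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """Split every Cisco-AVPair instance on its first '=' and key the
    result by the AV-pair name, so all instances survive side by side."""
    out: Dict[str, str] = {}
    for name, value in pairs:
        if name != "Cisco-AVPair":
            continue
        key, sep, val = value.partition("=")
        out[key.strip()] = val.strip() if sep else ""
    return out


def initiator_ip(pairs: List[Tuple[str, str]]) -> Optional[str]:
    """The IKE initiator address.  The router in the dump spells the key
    'isakmp-initator-ip' (sic); a lookup for the expected spelling
    'isakmp-initiator-ip' alone would return nothing, so accept both."""
    av = cisco_avpairs(pairs)
    for key in ("isakmp-initator-ip", "isakmp-initiator-ip"):
        if key in av:
            return av[key]
    return None


def insert_accounting(pairs: List[Tuple[str, str]]) -> Tuple[str, str, str, Optional[str]]:
    """Write the row into an in-memory SQLite table using bound parameters
    (attribute values are never spliced into the SQL text) and return it.
    Table and column names are this example's own, not FreeRADIUS's schema."""
    plain = {n: v for n, v in pairs if n != "Cisco-AVPair"}
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct_vpn (acctsessionid TEXT, username TEXT,"
                 " framedipaddress TEXT, initiatorip TEXT)")
    conn.execute("INSERT INTO radacct_vpn VALUES (?, ?, ?, ?)",
                 (plain.get("Acct-Session-Id"), plain.get("User-Name"),
                  plain.get("Framed-IP-Address"), initiator_ip(pairs)))
    row = conn.execute("SELECT * FROM radacct_vpn").fetchone()
    conn.close()
    return row


if __name__ == "__main__":
    packet = parse_pairs(SAMPLE_DEBUG)
    print("dict keeps only:", lossy_dict(packet)["Cisco-AVPair"])
    print("all AV pairs:   ", cisco_avpairs(packet))
    print("row inserted:   ", insert_accounting(packet))
```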
Re: Digest test
Is there a way to tell freerad not to check User-Password?

Ian Davies {02476 564662} Internal (x740 4662)
IMS-SIPAC Software Development Engineer
MS-CHAP-Use-NTLM-Auth = No
Hi,

I'm trying to have a local user in my users file called guest with password guest. If the user is not guest, forward the user on to domain authentication. I'm having trouble when authenticating guest when it comes to the mschap authentication: although I have MS-CHAP-Use-NTLM-Auth = No, it still runs the ntlm_auth command against my domain controllers, where I don't have a guest account (and I don't want a guest account on my DCs), so it automatically rejects because I don't have a guest account on my domain. If I comment out the ntlm_auth command in radiusd.conf, it works fine, but of course my domain authentication doesn't work then. Any help is appreciated!!!

Thanks,
jamie

    guest      User-Password == guest, MS-CHAP-Use-NTLM-Auth = No
               Filter-Id = enterasys:version=1:policy=guest_basic

    DEFAULT    Auth-Type = System
               Filter-Id = enterasys:version=1:policy=faculty_staff,
               Fall-Through = 1

Redhat AS4
Freeradius 1.0.4
Supplicants XP SP1, SP2
PEAP
NT4 DOMAINS

Jamie Crawford, MCSE RHCT
Network Analyst I
Information Services
Central Missouri State University
Warrensburg, MO 64093
Phone: 6605434357
Email: [EMAIL PROTECTED]
Re: Digest test
Iandc Davies [EMAIL PROTECTED] wrote:
> Is there a way to tell freerad not to check user-password?

Use :=, as per my previous message.

Alan DeKok.
Re: GPL
Velikanov [EMAIL PROTECTED] wrote:
> I told my colleagues about the advantages of FREERADIUS+ORACLE. BUT, they say that it is a GPL violation. Is that true?

No. If you *distribute* a binary with Oracle, it could be. But if you just use it yourself, it's not.

Alan DeKok.
Re: krb5 documentation
Joachim Selke [EMAIL PROTECTED] wrote:
> I want to do user authentication by Kerberos 5. Therefore I was happy to see that FreeRADIUS contains the krb5 module. But I wasn't able to find the documentation for this module. Can somebody give me a link or an example on how to use this module?

The only docs appear to be in the rlm_krb5 directory. The source code includes a list of configuration items it takes. Look for CONF_PARSER.

Alan DeKok.
Re: FreeRadius different authorization and authentication methods
Alan DeKok wrote:
> Jason Carr [EMAIL PROTECTED] wrote:
>> I grepped for local in the raddb directory, and I'm not seeing anything related to Auth-Type := Local in any config file.
>
> Did you set it in the SQL database?
>
>> I saw that I'm not supposed to explicitly define Auth-Type := EAP, but perhaps this is what I want?
>
> No. It's almost always wrong.
>
> Alan DeKok.

Against recommendations, I've added DEFAULT Auth-Type := EAP and the server still says it's trying to use local authentication. Does the server fall back to local if it doesn't know which method to use or if there's an error?

- Jason

--
Jason Carr
Carnegie Mellon University
Network Development
using AND logic instead of OR logic with authorization?
Hello,

I'd like to authorize users based on their Calling-Station-Id via a local users file and authenticate/authorize (simple access-allowed flag) via an LDAP server. The reason I need to double authorize is because I do not have rights to add/edit any data in the remote LDAP server. I need the authorization to essentially be an AND (i.e., I need both authorizations to return true in order to accept the user). Is this possible? I've tried doing this within a single radius instance, and I've also tried having the LDAP interaction happen via a radius proxy, without success.

Here is my users file:

    DEFAULT    Calling-Station-Id =~ ^144\.92\.
               Service-Type = NAS-Prompt-User

Here is what a debug looks like:

rad_recv: Access-Request packet from host 144.92.44.114:4447, id=30, length=123
        User-Name = mdhare
        User-Password = mypass
        NAS-Port = 2905
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = 144.92.44.114
        Calling-Station-Id = 128.104.19.106
        Tunnel-Client-Endpoint:0 = 128.104.19.106
        NAS-IP-Address = 144.92.44.114
        NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module attr_filter returns noop for request 0
    rlm_realm: No '@' in User-Name = mdhare, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Adding Stripped-User-Name = mdhare
    rlm_realm: Proxying request from user mdhare to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Preparing to proxy authentication request to realm NULL
  modcall[authorize]: module suffix returns updated for request 0
  modcall[authorize]: module files returns notfound for request 0

It is at this point that I'd like authorization to stop, but it continues. What am I doing wrong?

modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 144.92.254.243:1812
...
...
rad_recv: Access-Accept packet from host 144.92.254.243:1812, id=0, length=30
        Service-Type = NAS-Prompt-User
        Proxy-State = 0x3330

I'd be happy to provide the configuration and output that I have now for testing, but there's no sense in being verbose if this isn't possible in general.

Thanks,
Michael

--
===W===
Michael Hare
UW-Madison + WiscNet Network Engineering
Desk: 608-262-5236
24 Hr Noc: 608-263-4188
Re: FreeRadius different authorization and authentication methods
Jason Carr [EMAIL PROTECTED] wrote:
> Against recommendations, I've added DEFAULT Auth-Type := EAP and the server still says it's trying to use local authentication. Does the server fall back to local if it doesn't know which method to use or if there's an error?

It uses Auth-Type = Local in one of two situations:

a) There is a User-Password in the packet, AND there is a known good User-Password found in the configuration

b) A configuration file tells it to use Auth-Type = Local.

As I said in a previous message, the default configuration of the server DOES NOT use Auth-Type = Local for EAP. The ONLY reason it's happening is that your local configuration is telling it to. This is doubly true, now that you've forced Auth-Type to EAP, and it *still* doesn't work.

The server does not have magic code inside of it to force Auth-Type = Local. YOU are setting it somewhere in a configuration. Go back, and read your configuration. Odds are that one of the things you put into SQL was Auth-Type = Local.

If you still don't believe me, delete sql from the authorize section, and add a user password to the users file. If you've configured EAP, then EAP *will* work.

Alan DeKok.
Re: concurrent TTLS and PEAP usage
Alan, Stefan,

replying to myself: using 'files' I've managed to make it work. The correct (working) configuration is:

    user_ttls    FreeRadius-Proxied-To == 127.0.0.1, User-Password == test_ttls
                 Session-Timeout = 3600

    user_ttls    EAP-Type != EAP-TTLS
                 Auth-Type := Reject

    user_peap    FreeRadius-Proxied-To == 127.0.0.1, User-Password == test_peap
                 Session-Timeout = 3600

    user_peap    EAP-Type != PEAP
                 Auth-Type := Reject

That does exactly what I wanted. Works like a charm for both PEAP and TTLS users.

Could somebody explain to me how I can translate it into an SQL config?

ciao
artur

Artur Hecker wrote:
> Hi Alan, hi Stefan,
>
> thanks for your help. I think I understand the idea. However, my problems are on the implementation level. Two things are still not clear to me.
>
> 1. We use 'sql' and not 'files' (my fault, I didn't mention it previously) and thus I don't see how I can add the line below to my user profile, which already has things like User-Password == ..., etc. I tried adding user user_ttls into group TTLS and then using radgroupcheck like this:
>
>     radgroupcheck:
>     id   User        Attribute   op   Value
>     2    user_ttls   EAP-Type    !=   TTLS
>     3    user_ttls   Auth-Type   :=   Reject
>
> but then user_ttls gets rejected. How do I implement it with SQL?
>
> 2. We experimented with EAP-Type, but at least for PEAP, as soon as we specify it somewhere in radcheck, PEAP breaks with a server error message saying that the client has sent a TLV rejecting the connection.
>
> Alan: like Stefan proposed, I also thought about something like FreeRadius-Proxied-To, because I think that your proposal might not work as soon as the internal method starts for the user. Or don't external methods use EAP-Type? (Still I am not sure how to define conditions in SQL tables: if EAP-Type not this value, then add Auth-Type = ...)
>
> ciao
> artur
>
> Alan DeKok wrote:
>> Artur Hecker [EMAIL PROTECTED] wrote:
>>>     user_ttls    EAP-Type != PEAP
>>>
>>> that however only prohibits the usage of PEAP for user_ttls while I would like to only enable TTLS for this specific user (which is not quite the same).
>>
>>     user_ttls    EAP-Type != TTLS, Auth-Type := Reject
>>
>> See the dictionaries for EAP-Type names.
>>
>> Alan DeKok.
PEAP, Freeradius and Cisco AP 350
Having some trouble setting up PEAP with a Windows XP workstation and a Cisco 350 AP (upgraded to IOS version 12.2); I am using the default XP client to set things up. Many moons ago I had LEAP working great; the hard drive on this Linux machine failed and it was time to reinstall. Not sure why I'm having such trouble with this. Mousing over the icon in my task bar, "Status: Validating Identity" is all it ever says while trying to associate. I do however get prompted for my user name and password. Any advice/help would be much appreciated.

./radiusd -A -X
Re: PEAP, Freeradius and Cisco AP 350
Hi,

J Zakhar wrote:
> Having some trouble setting up PEAP with a Windows XP workstation and a Cisco 350 AP (upgraded to IOS version 12.2); I am using the default XP client to set things up. Many moons ago I had LEAP working great; the hard drive on this Linux machine failed and it was time to reinstall. Not sure why I'm having such trouble with this. Mousing over the icon in my task bar, "Status: Validating Identity" is all it ever says while trying to associate. I do however get prompted for my user name and password. Any advice/help would be much appreciated.

Unfortunately, IMHO Windows XP prompts for those before it starts the exchanges.

From your log it seems that there is no error on the FreeRADIUS side. FR sends out the Challenge, but the second message from the client (id = 36) looks to me like a repeat of the original Request (id 35): the contents of the EAP-Message are the same. Thus it seems that your Windows client is not answering the challenge, or the access point does not relay the challenge to the Windows client. Difficult to say more from what you've given so far.

You could try the following:

- Are you sure that you posted the complete log?
- If yes, deactivate Server Validation in the Windows XP PEAP client (only for testing, activate it later) and re-start. See if the authentication gets to a further point.
- If that does not change anything, take a look at Ken Roser's TLS FAQ (see www.freeradius.org). He describes how you activate EAP debug on Cisco 350 APs. Log in to your Cisco, activate EAP Debug level 2 and see what happens - whether it relays messages to the user machine.

ciao
artur
reread_config: reading radiusd.conf Config: including file: /usr/local/freeradius/etc/raddb/proxy.conf Config: including file: /usr/local/freeradius/etc/raddb/clients.conf Config: including file: /usr/local/freeradius/etc/raddb/snmp.conf Config: including file: /usr/local/freeradius/etc/raddb/eap.conf Config: including file: /usr/local/freeradius/etc/raddb/sql.conf main: prefix = /usr/local/freeradius main: localstatedir = /usr/local/freeradius/var main: logdir = /usr/local/freeradius/var/log/radius main: libdir = /usr/local/freeradius/lib main: radacctdir = /usr/local/freeradius/var/log/radius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /usr/local/freeradius/var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /usr/local/freeradius/var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/local/freeradius/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. 
read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/freeradius/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = (null) mschap: authtype = MS-CHAP mschap: ntlm_auth = (null) Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = (null) unix: group = (null) unix: radwtmp = /usr/local/freeradius/var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = peap eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = yes rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls:
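The diagnostic Artur applies by eye above (the Access-Request with id 36 carrying the same EAP-Message as id 35, so the supplicant never answered the Access-Challenge) can be automated over a `radiusd -X` dump. The Python below is an added example, not code from the FreeRADIUS project or from anyone in this thread; its SAMPLE_LOG is constructed to mirror the symptom, and the hex values, State and Message-Authenticator in it are made up.

```python
"""Flag a stalled EAP exchange in `radiusd -X` output.

Added example, not FreeRADIUS code. SAMPLE_LOG is constructed: the
Access-Request id=36 repeats the EAP-Message of id=35 (supplicant did
not answer the challenge); id=37 is a healthy follow-up for contrast.
"""
import re
from collections import namedtuple

# EAP header fields (RFC 3748) and the method types that appear in this thread
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

Packet = namedtuple("Packet", "kind host pkt_id eap")

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host ([\d.]+):\d+, id=(\d+)")
SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to ([\d.]+):\d+")
EAP_RE = re.compile(r"^\s+EAP-Message = 0x([0-9a-fA-F]+)")

# Constructed excerpt (not the poster's real log); attribute hex values are invented
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.5:1645, id=35, length=146
        User-Name = "jzakhar"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000c016a7a616b686172
        Message-Authenticator = 0x3a0f1c2e4b5d6f708192a3b4c5d6e7f8
Sending Access-Challenge of id 35 to 192.168.1.5:1645
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5a1b7c3d5a1b7c3d
rad_recv: Access-Request packet from host 192.168.1.5:1645, id=36, length=146
        User-Name = "jzakhar"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000c016a7a616b686172
        Message-Authenticator = 0x9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f
Sending Access-Challenge of id 36 to 192.168.1.5:1645
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5a1b7c3d5a1b7c3d
rad_recv: Access-Request packet from host 192.168.1.5:1645, id=37, length=152
        User-Name = "jzakhar"
        State = 0x5a1b7c3d5a1b7c3d
        EAP-Message = 0x020200061900
        Message-Authenticator = 0x0f1e2d3c4b5a69788796a5b4c3d2e1f0
""".splitlines()


def parse_packets(lines):
    """Group a debug dump into packets; fragmented EAP-Message attributes are concatenated."""
    packets, cur = [], None
    for line in lines:
        m = RECV_RE.match(line)
        if m:
            cur = Packet(m.group(1), m.group(2), int(m.group(3)), [])
            packets.append(cur)
            continue
        m = SEND_RE.match(line)
        if m:
            cur = Packet(m.group(1), m.group(3), int(m.group(2)), [])
            packets.append(cur)
            continue
        m = EAP_RE.match(line)
        if m and cur is not None:
            cur.eap.append(m.group(1).lower())
    return [p._replace(eap="".join(p.eap)) for p in packets]


def decode_eap(hexstr):
    """Split the EAP header into (code, identifier, length, type); type is None when absent."""
    raw = bytes.fromhex(hexstr)
    length = int.from_bytes(raw[2:4], "big")
    eap_type = raw[4] if len(raw) > 4 else None
    return raw[0], raw[1], length, eap_type


def describe_eap(hexstr):
    code, ident, _length, eap_type = decode_eap(hexstr)
    return "%s id=%d %s" % (EAP_CODES.get(code, code), ident, EAP_TYPES.get(eap_type, eap_type))


def find_stalls(lines):
    """Return (previous_id, current_id, nas_host) for consecutive Access-Requests from the
    same NAS whose EAP-Message is byte-for-byte identical, i.e. the client re-sent its last
    EAP payload instead of answering the server's challenge."""
    stalls, last_req = [], {}
    for p in parse_packets(lines):
        if p.kind != "Access-Request" or not p.eap:
            continue
        prev = last_req.get(p.host)
        if prev is not None and prev.eap == p.eap:
            stalls.append((prev.pkt_id, p.pkt_id, p.host))
        last_req[p.host] = p
    return stalls


if __name__ == "__main__":
    for prev_id, cur_id, host in find_stalls(SAMPLE_LOG):
        print("NAS %s: request id=%d repeats id=%d (%s); client or AP is not relaying the challenge"
              % (host, cur_id, prev_id, describe_eap(
                  next(p.eap for p in parse_packets(SAMPLE_LOG) if p.pkt_id == cur_id))))
```

Run it against a saved `radiusd -X` capture by replacing SAMPLE_LOG with the file's lines. A repeated Identity response is exactly the pattern described in the reply above; it does not tell you whether the supplicant or the access point dropped the challenge, which is what the AP-side EAP debug is for.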
Re: PEAP, Freeradius and Cisco AP 350
I managed to get it working. The machine here running FreeRADIUS has 2 IP addresses; I had noticed in another message on the list that that can be problematic. I set FreeRADIUS to bind to a specific IP and it lit right up, go figure heh. I do appreciate the response though. I spent a good 5 1/2 hours before posting to this list. I am kind of embarrassed to find out it was a simple IP address problem, sorry for the bogus posting.

On 8/31/05, Artur Hecker [EMAIL PROTECTED] wrote:

Hi

J Zakhar wrote: Having some trouble setting up PEAP with a Windows XP workstation, a Cisco 350 AP (upgraded to IOS version 12.2). I am using the default XP client to set things up. Many moons ago I had LEAP working great; the hard drive on this Linux machine failed and it was time to reinstall. Not sure why I'm having such trouble with this. Mousing over the icon in my task bar, "Status: Validating Identity" is all it ever says while trying to associate. I do, however, get prompted for my user name and password. Any advice/help would be much appreciated.

Unfortunately, IMHO Windows XP prompts for those before it starts the exchanges.

From your log it seems that there is no error on the FreeRADIUS side. FR sends out the Challenge, but the second message from the client (id = 36) looks to me like a repeat of the original Request (id 35): the contents of the EAP-Message are the same. Thus it seems that your Windows client is not answering the challenge, or the access point does not relay the challenge to the Windows client.

Difficult to say more from what you've given so far. You could try the following:

- Are you sure that you posted the complete log?
- If yes, deactivate Server Validation in the Windows XP PEAP client (only for testing; activate it later) and restart. See if the authentication gets to a further point.
- If that does not change anything, take a look at Ken Rosner's TLS FAQ (see www.freeradius.org). He describes how you activate EAP debug on Cisco 350 APs. Log in to your Cisco, activate EAP Debug level 2 and see what happens, i.e. whether it relays messages to the user machine.

Ciao
Artur

./radiusd -A -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/freeradius/etc/raddb/proxy.conf
Config: including file: /usr/local/freeradius/etc/raddb/clients.conf
Config: including file: /usr/local/freeradius/etc/raddb/snmp.conf
Config: including file: /usr/local/freeradius/etc/raddb/eap.conf
Config: including file: /usr/local/freeradius/etc/raddb/sql.conf
main: prefix = /usr/local/freeradius
main: localstatedir = /usr/local/freeradius/var
main: logdir = /usr/local/freeradius/var/log/radius
main: libdir = /usr/local/freeradius/lib
main: radacctdir = /usr/local/freeradius/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/freeradius/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/freeradius/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/freeradius/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/freeradius/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types =
Fw: copy from LDAP after map new attributes
Dear all,

How can I copy data from LDAP after mapping new attributes, as below?

Thanks,
--haizam

- Original Message -
From: haizam [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, August 29, 2005 12:13
Subject: Re: usage of exec to get LDAP value..

I just added to /usr/local/etc/raddb/dictionary as below:

ATTRIBUTE Haizam-PSTN 3003 integer
ATTRIBUTE Haizam-ISDN 3004 integer

and in ldap.attrmap:

replyItem Haizam-PSTN TimeoutPSTN
replyItem Haizam-ISDN TimeoutISDN

But I have a problem assigning those values to Session-Timeout. Is the users entry below correct?

DEFAULT NAS-Port-Type == Sync, Autz-Type := DIALUP, Auth-Type := DIALUP
        Session-Timeout = %{Haizam-ISDN}

--haizam

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Saturday, August 27, 2005 07:44
Subject: Re: usage of exec to get LDAP value..

haizam [EMAIL PROTECTED] wrote: I've tried to map new attributes in ldap.attrmap, but for every match in the users file it will return both new attributes, but the Session-Timeout still returns no value.

Yes. Did you read the rest of my response?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
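Before debugging why a mapped LDAP value does not land in a reply, it is worth checking mechanically that the three files above agree with each other: every RADIUS attribute named in ldap.attrmap exists in the dictionary, every `%{Name}` referenced in the users entry exists, and which of those attributes can actually be sent to the NAS. RFC 2865 encodes the attribute Type in a single octet, so a dictionary number above 255 can never appear in a packet; FreeRADIUS uses such numbers for server-internal attributes (Auth-Type is 1000, and the Haizam-* attributes at 3003/3004 fall in the same class). The Python below is an added example, not code from the FreeRADIUS project or from the posters. Its file excerpts are constructed: the Haizam-* lines and the users entry are those quoted in the thread, Session-Timeout (27), Idle-Timeout (28) and Auth-Type (1000) are standard FreeRADIUS dictionary entries, the LDAP attribute names other than TimeoutPSTN/TimeoutISDN are invented, and the misspelled `Idle-Timeot` replyItem is planted to show how an unknown name is caught.

```python
"""Cross-check a FreeRADIUS dictionary, ldap.attrmap and a users-file entry.

Added example, not FreeRADIUS code. All three excerpts are constructed
(see the lead-in); "Idle-Timeot" is a deliberate typo.
"""
import re

DICTIONARY = """\
ATTRIBUTE   Session-Timeout     27      integer
ATTRIBUTE   Idle-Timeout        28      integer
ATTRIBUTE   Auth-Type           1000    integer
ATTRIBUTE   Haizam-PSTN         3003    integer
ATTRIBUTE   Haizam-ISDN         3004    integer
"""

LDAP_ATTRMAP = """\
checkItem   Auth-Type           radiusAuthType
replyItem   Session-Timeout     radiusSessionTimeout
replyItem   Idle-Timeot         radiusIdleTimeout
replyItem   Haizam-PSTN         TimeoutPSTN
replyItem   Haizam-ISDN         TimeoutISDN
"""

USERS_ENTRY = """\
DEFAULT NAS-Port-Type == Sync, Autz-Type := DIALUP, Auth-Type := DIALUP
        Session-Timeout = %{Haizam-ISDN}
"""

# RFC 2865: the attribute Type field is one octet, so numbers above 255 cannot
# go on the wire. FreeRADIUS reserves them for server-internal attributes.
MAX_WIRE_ATTR = 255

XLAT_RE = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def parse_dictionary(text):
    """Map attribute name -> (number, type) from ATTRIBUTE lines; anything else is ignored."""
    attrs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "ATTRIBUTE":
            attrs[parts[1]] = (int(parts[2]), parts[3])
    return attrs


def parse_attrmap(text):
    """Return (checkItem|replyItem, radius_attr, ldap_attr) rows, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3:
            continue
        rows.append(tuple(parts[:3]))
    return rows


def check_attrmap(dictionary, attrmap):
    """Classify each attrmap row as unknown to the dictionary, internal-only, or wire-encodable."""
    report = {"unknown": [], "internal": [], "wire": []}
    for _kind, radius_attr, _ldap_attr in attrmap:
        if radius_attr not in dictionary:
            report["unknown"].append(radius_attr)
        elif dictionary[radius_attr][0] > MAX_WIRE_ATTR:
            report["internal"].append(radius_attr)
        else:
            report["wire"].append(radius_attr)
    return report


def xlat_references(users_text, dictionary):
    """Return (known, unknown) attribute names referenced as %{Name} in a users entry."""
    names = XLAT_RE.findall(users_text)
    return ([n for n in names if n in dictionary],
            [n for n in names if n not in dictionary])


if __name__ == "__main__":
    attrs = parse_dictionary(DICTIONARY)
    report = check_attrmap(attrs, parse_attrmap(LDAP_ATTRMAP))
    for bucket in ("unknown", "internal", "wire"):
        print("%-8s %s" % (bucket + ":", ", ".join(report[bucket]) or "-"))
    known, unknown = xlat_references(USERS_ENTRY, attrs)
    print("users %{...} refs known:", known, "unknown:", unknown)
```

The check is deliberately limited to what the files state: a name in the "internal" bucket is fine as a value to copy from, but it will not itself reach the NAS, which is why the users entry copies it into Session-Timeout (a wire attribute) rather than relying on the replyItem alone. Whether a given xlat form is expanded at the point the poster expects is a question for the server version's documentation and `radiusd -X`, not for this script.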