users who are listed in /usr/local/etc/raddb/users cannot authenticate.

2005-09-06 Thread Drew Weaver
I have a number of users who are listed in my
/usr/local/etc/raddb/users file in this format:

User1 password="4978"
fall-through="1"
user2 password="knjy500"
fall-through="1"
user3 password="8556"
  fall-through="1"
user4 password="8556"
  fall-through="1"
user5 password="rocky"
  fall-through="1"

none of them are able to authenticate.

These users are listed both in /usr/local/etc/raddb/users and in the local
system's password file (for CHAP purposes). If I remove the listing from
the users file they can authenticate via PAP.

Thanks,
-Drew

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Digest and MD5

2005-09-06 Thread Alan DeKok
"Iandc Davies" <[EMAIL PROTECTED]> wrote:
> For the Digest, the MD5 hashed response is, as far as I can make out,
> generated as follows :-

  See doc/rfc/draft-sterman-aaa-sip-00.txt

> All info apart from the Password comes from the incoming VAS AVP packet.
> The Password seems to be sourced from a structure called REQUEST defined in
> libradius.h, in a specific pointer VALUE_PAIR element called config_items.
> 
> Where and when does this element get populated and with data from where ?

  It gets populated by another module, like the "users" file.

  Alan DeKok.


Re: DIGEST-MD5 and LDAP Backend

2005-09-06 Thread Alan DeKok
Daniel Corbe <[EMAIL PROTECTED]> wrote:
> I'm passing a Digest auth request from my SIP server to my Radius
> server and then to my LDAP back-end.
> 
> The only way I can get it to work is if I store the userPassword
> attribute on the LDAP server in plain text.  Ideally I'd like to be
> able to store them in MD5

  It's impossible, and designed to be impossible by the people who
created the algorithms.

  Alan DeKok.


RE: Moving a freeradius installation

2005-09-06 Thread Mike Mitchell


>
> I know I can configure which directories radiusd uses in 
> radiusd.conf, but is there any way to make radiusd look in 
> /usr/radius/etc for radiusd.conf without rebuilding? 
>

radiusd -d /usr/radius/etc/raddb 

You could have trouble with the radius module libraries though. I see there
is a configuration item for that in radiusd.conf though, so you should be
fine. Just be aware of it, and you may have to set your LD_LIBRARY_PATH to
include /usr/radius/lib.

Good luck!

Cheers,
Mike



Re: Script to process authentications & accounting

2005-09-06 Thread Thor Spruyt
[EMAIL PROTECTED] wrote:
> Is there any information about using a script with freeradius to
> process authentications?

rlm_exec
rlm_perl (not stable)
rlm_python (not stable)

-- 
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be

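All three modules let an external program take part in the decision; rlm_exec is the simplest, since it only runs a program with the request attributes in its environment and reads back the exit status and stdout. The script below is an added example, not code from this post or from FreeRADIUS. It assumes the rlm_exec conventions of passing request attributes as environment variables named after the attribute, upper-cased with '-' replaced by '_' (User-Name becomes USER_NAME, Calling-Station-Id becomes CALLING_STATION_ID), taking exit status 0 as accept and 1 as reject, and adding any "Attribute = value" line printed on stdout as a reply item. The policy it enforces, a per-user Calling-Station-Id allow-list, and the sample data in ALLOWED_CLI are constructed for the example.

```python
#!/usr/bin/env python3
"""Example authorize hook for rlm_exec: accept a login only when the
Calling-Station-Id is on the user's allow-list.

Assumptions (added example, not FreeRADIUS code):
  * rlm_exec runs with input_pairs = request, so every request attribute
    arrives as an environment variable, upper-cased, '-' -> '_'.
  * exit status 0 means ok, 1 means reject; each "Attr = value" line on
    stdout becomes a reply item.
"""
import os
import re
import sys

# Constructed policy data; a deployment would load this from a file or
# database instead of hard-coding it.
ALLOWED_CLI = {
    "cisco": {"10.0.1.19"},
    "user1": {"192.0.2.10", "+1 555 0100"},
}

# A NAS may send Calling-Station-Id as an IP address or as a phone number
# with spaces, '+' or '-'; keep only digits and dots so the comparison
# does not depend on the NAS's formatting.
_CLI_CLEAN = re.compile(r"[^0-9.]")


def normalise_cli(cli):
    return _CLI_CLEAN.sub("", cli or "")


def decide(env):
    """Return (exit_status, reply_lines) for one request.

    `env` is any mapping holding the rlm_exec environment variables."""
    user = env.get("USER_NAME", "")
    cli = normalise_cli(env.get("CALLING_STATION_ID"))

    if not user or user not in ALLOWED_CLI:
        # Unknown user: reject without revealing which part failed.
        return 1, ['Reply-Message = "Access denied"']
    if not cli:
        # A missing Calling-Station-Id is a reject, not a wildcard;
        # otherwise a NAS that omits the attribute bypasses the check.
        return 1, ['Reply-Message = "Calling-Station-Id required"']
    if cli not in {normalise_cli(c) for c in ALLOWED_CLI[user]}:
        return 1, ['Reply-Message = "Access denied"']

    # Accepted: reply items for the NAS go to stdout.
    return 0, ["Service-Type = Login-User", "Login-Service = Telnet"]


def main():
    status, reply = decide(os.environ)
    for line in reply:
        print(line)
    sys.exit(status)


if __name__ == "__main__":
    main()
```

A deployment would point an exec module instance at the script (program, wait = yes, input_pairs = request, output_pairs = reply) and list that instance in the authorize section. Note the choice to reject when Calling-Station-Id is absent: an allow-list that treats a missing attribute as a match is only as strong as the NAS's willingness to send it.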


Re: Can't start freeradius - auth bind error

2005-09-06 Thread Nicolas Baradakis
NECTIS NetVoice Sales wrote:

> can not start freeradius:
> 
> Starting RADIUS server: Tue Sep  6 13:08:47 2005 : Info: Starting - reading
> configuration files ...
> auth bind: Address already in use
> [FAILED]

It looks like there is another instance of FreeRADIUS already running,
or another program using the same port as FreeRADIUS.

PS: HTML is forbidden on the list. Please follow the rules here:
http://www.freeradius.org/list/users.html

-- 
Nicolas Baradakis



RE: Script to process authentications & accounting

2005-09-06 Thread vertito

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, September 06, 2005 2:56 PM
To: freeradius-users@lists.freeradius.org
Subject: Script to process authentications & accounting

Is there any information about using a script with freeradius to process
authentications?

TIA


what is your objective of using the script for?




Script to process authentications & accounting

2005-09-06 Thread ricklim
Is there any information about using a script with freeradius to process 
authentications?

TIA





Authentication using LDAP on port 636

2005-09-06 Thread Dany Cuyt

Hi,

I installed freeradius 1.0.1 for RHEL4 from Red Hat Network. As an LDAP
server I have Sun Directory Server 5.2 patch3 with SSL enabled. I have
plenty of applications using port 636 to access LDAP (ypldapd from padl,
/etc/ldap.conf on Linux, Mozilla address book, etc.). With freeradius,
as long as I use the standard port 389 I don't have problems using LDAP,
but I have problems using port 636 (Can't contact LDAP server). Or maybe I
missed something, but I seem to be unable to find a procedure for
setting up freeradius using SSL. Any help would be appreciated.


Thanks,
Dany



Re: Require realm suffix

2005-09-06 Thread Ben Thompson
On Tue, 2005-09-06 at 10:49 +0200, Nicolas Baradakis wrote:
> Ben Thompson wrote:
> 
> > I have set up FreeRADIUS so that I am using the realm format
> > [EMAIL PROTECTED]. I have successfully got this working by adding the
> > relevant realm to proxy.conf and setting authhost and acchost to LOCAL.
> > Currently when someone logs in without specifying a realm, they are still
> > authenticated and I would like to know if it is possible to change this
> > behaviour so that users must specify the realm suffix.
> 
> Perhaps you could uncomment the realm "NULL" in proxy.conf and add in
> the users file:
> 
> DEFAULT Realm == "NULL", Auth-Type := Reject

Hi

That worked perfectly.

Thanks

Ben





Can't start freeradius - auth bind error

2005-09-06 Thread NECTIS NetVoice Sales
Hi,

cannot start freeradius:

Starting RADIUS server: Tue Sep  6 13:08:47 2005 : Info: Starting - reading configuration files ...

auth bind: Address already in use    [FAILED]

What is it?

Regards,



Moving a freeradius installation

2005-09-06 Thread bendowling
Hi,

I have built freeradius-1.0.4 from source and installed it to the default
directories (for example, /usr/local/etc/raddb for the configuration files).
I now wish to move the whole installation to /usr/radius so that it will
be possible to tar the directory and copy it to other servers. 

I know I can configure which directories radiusd uses in radiusd.conf, but
is there any way to make radiusd look in /usr/radius/etc for radiusd.conf
without rebuilding? If I do need to do a fresh build and install, is there
any way of cleanly uninstalling what is currently there?

Thanks in advance, 

Ben Dowling






Re: Can I add extra fields to the radius accounting database?

2005-09-06 Thread Miguel Angel Quiles
Thanks Nicolas,

   I've changed %{Tunnel-Type}, I also had another mistake. I changed
everything and it works perfectly.

   Thanks.



Authenticating between a Cisco 3640 and radius server

2005-09-06 Thread Amos Cottrill
I set up FreeRADIUS on a Linux box and am trying to authenticate a user 
from a Cisco 3640 router.  Below is the output I am receiving when using 
radiusd -xxyz -l stdout.  The router will not let me log in, so something 
isn't working properly.  Any suggestions?  I set the RADIUS server up 
to use port 1645, so it resembles the Cisco settings.


Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.82.50:1645, id=3, 
length=74

--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
  NAS-IP-Address = 192.168.82.50
  NAS-Port = 131
  NAS-Port-Type = Virtual
  User-Name = "cisco"
  Calling-Station-Id = "10.0.1.19"
  User-Password = "harley"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
  rlm_realm: No '@' in User-Name = "cisco", looking up realm NULL
  rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
  users: Matched cisco at 152
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [cisco] (from client spare_3640 port 131 cli 10.0.1.19)
Sending Access-Accept of id 3 to 192.168.82.50:1645
  Service-Type = Login-User
  Login-Service = Telnet
Finished request 0
Going to the next request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.82.50:1645, id=3, 
length=74

Sending duplicate reply to client spare_3640:1645 - ID: 3
Re-sending Access-Accept of id 3 to 192.168.82.50:1645
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 3 with timestamp 43171770
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.82.50:1645, id=3, 
length=74

--- Walking the entire request list ---
Waking up in 31 seconds...
Thread 4 got semaphore
Thread 4 handling request 1, (1 handled so far)
  NAS-IP-Address = 192.168.82.50
  NAS-Port = 131
  NAS-Port-Type = Virtual
  User-Name = "cisco"
  Calling-Station-Id = "10.0.1.19"
  User-Password = "harley"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
  rlm_realm: No '@' in User-Name = "cisco", looking up realm NULL
  rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
  users: Matched cisco at 152
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [cisco] (from client spare_3640 port 131 cli 10.0.1.19)
Sending Access-Accept of id 3 to 192.168.82.50:1645
  Service-Type = Login-User
  Login-Service = Telnet
Finished request 1
Going to the next request
Thread 4 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.82.50:1645, id=3, 
length=74

Sending duplicate reply to client spare_3640:1645 - ID: 3
Re-sending Access-Accept of id 3 to 192.168.82.50:1645
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 3 with timestamp 4317177a
Nothing to do.  Sleeping until we see a request.

--
Amos Cottrill
Assistant Network Coordinator - SEOVEC
[EMAIL PROTECTED]
Ph:(740) 594-7663 ext 119
Fax:(740) 592-6251



Digest test

2005-09-06 Thread Iandc Davies
All,

Have run the test as suggested in the doc/rlm_digest file and have got an
odd output message from freeradius saying it can't find the Digest-Nonce
element.
In the radiusd.conf file I'm authenticating but not authorizing digest.
Users file has the following:
#---
test    Auth-Type := Digest, User-Password := "test"
        Reply-Message = "Hello, reply with digest."
#---

Any ideas ?

I've enabled debug on radclient with the following output.
==
./client.sh
Sending Access-Request of id 178 to 127.0.0.1:1812
User-Name = "test"
Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7"
Digest-Realm = "\001\013testrealm"
Digest-Nonce = "\002\n1234abcd"
Digest-Method = "\003\010INVITE"
Digest-URI = "\004\034sip:[EMAIL PROTECTED]"
Digest-Algorithm = "\006\005MD5"
Digest-User-Name = "\n\006test"
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=178, length=47
Reply-Message = "Hello, reply with digest."

   Total approved auths:  0
 Total denied auths:  1
   Total lost auths:  0


Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32943, id=178,
length=140
User-Name = "test"
Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7"
Digest-Attributes = 0x010b746573747265616c6d
Digest-Attributes = 0x020a3132333461626364
Digest-Attributes = 0x0308494e56495445
Digest-Attributes =
0x041c7369703a35353535353531323132406578616d706c652e636f6d
Digest-Attributes = 0x06054d4435
Digest-Attributes = 0x0a0674657374
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "attr_filter" returns noop for request 0
  modcall[authorize]: module "chap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry test at line 19
  modcall[authorize]: module "files" returns ok for request 0
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check
pairs
  modcall[authorize]: module "checkval" returns notfound for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Digest
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
ERROR: No Digest-Nonce: Cannot perform Digest authentication
  modcall[authenticate]: module "digest" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 178 to 127.0.0.1:32943
Reply-Message = "Hello, reply with digest."
Waking up in 4 seconds...
=

Ian Davies {02476 564662}
  Internal   (x740 4662)
IMS-SIPAC
Software Development Engineer




Re: linux newby attempts freeradius (unsuxesfull)

2005-09-06 Thread A . L . M . Buxey
Hi,
> Rather than tell me what I am doing wrong (apart from attempting this) can 
> someone point me to where I can find out what I need to know.
> 
> Scenario:
> Debian sarge installed (no probs or errors) on i386 machine.
> Attempting to install freeradius-1.0.4.tar.gz
> 
> will not ./configure without errors.  As I don't know what I am meant to be 
> looking for, I can't find what I am doing wrong.
> 
> Trying to be smart, I went to the debian site and downloaded 
> freeradius_1.0.4-2_i386.deb from 
> http://packages.debian.org/testing/net/freeradius
> I can't find documentation for this, so don't know what to do with it now I 
> have it.
> 
> Given I am NOT familiar with linux at all, and have ventured into this 
> reluctantly, can someone point me to some really bullet proof documentation 
> that doesn't assume people already have an extensive knowledge of linux 
> before they start.
> 
> I have been working on this for 3 weeks now, searched galaxies far away for 
> info, god is now refusing to take my calls, and my wife has threatened to 
> lock me in my room so she doesn't have to put up with me. I have also 
> learned some very colorful words.
> 
> Someone please save me.

For a basic start, I'd recommend that you install the freeradius package
supplied to you by apt-get (or aptitude, dselect etc - choose your poison ;-) ),
then you can read many online sources - or the nice O'Reilly FreeRADIUS book
(linked recommendation removed as I don't want to make personal profits).
You'll want to start looking at the basic config - which will usually live in
/etc/raddb or /usr/local/etc/raddb (depending on how the package is compiled
for Debian). Now - what do you want to do with RADIUS? At this point things
become interesting..

alan


Digest and MD5

2005-09-06 Thread Iandc Davies
All,

For the Digest, the MD5 hashed response is, as far as I can make out,
generated as follows :-

A1 = H[Digest-User-Name:Realm:Password]
A2 = H[Digest-Method:URI]

KD1 = H[Hexdump(A1):Nonce]
KD2 = H[KD1:Hexdump(A2)]

KD = H[KD2]  - - Which should match the final received Digest-Response
element.

Right... The question.

All info apart from the Password comes from the incoming VAS AVP packet.
The Password seems to be sourced from a structure called REQUEST defined in
libradius.h, in a specific pointer VALUE_PAIR element called config_items.

Where and when does this element get populated and with data from where ?

Ian Davies {02476 564662}
  Internal   (x740 4662)
IMS-SIPAC
Software Development Engineer


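The two Digest messages in this digest ("Digest test" and "Digest and MD5") fit together. In the failing test run, radiusd receives the SIP fields packed inside Digest-Attributes as type/length/value blobs (0x010b + "testrealm" is sub-attribute 1, Realm, with a length byte that counts the two header bytes), and the authenticate step then complains "No Digest-Nonce" because nothing has unpacked those blobs into the individual Digest-* attributes it checks against. The password it compares against is the User-Password check item that the users entry (or an LDAP lookup) placed in the request's config items, which is what Alan DeKok's reply refers to. The block below is an added example, not rlm_digest code: it unpacks the Digest-Attributes values exactly as posted in the "Digest test" message, using the sub-attribute numbering of draft-sterman-aaa-sip, and computes the RFC 2617 request-digest the way the draft specifies it, a single MD5 over H(A1):nonce:H(A2) (with nonce-count, cnonce and qop inserted when qop is used), so the posted Digest-Response can be checked against the password "test" from that message's users entry. It also makes the storage point from the LDAP thread concrete: the server has to hold either the cleartext password or H(A1) = MD5(user:realm:password) for that exact realm, and H(A1) is itself a password-equivalent.

```python
"""Unpack RADIUS Digest-Attributes and compute/check a SIP Digest response.
Added example, not rlm_digest code.  Sub-attribute numbers follow
draft-sterman-aaa-sip (1 Realm, 2 Nonce, 3 Method, 4 URI, 5 QoP,
6 Algorithm, 7 Body-Digest, 8 CNonce, 9 Nonce-Count, 10 User-Name).
The packed values below are copied from the radiusd debug output in the
"Digest test" message; the password "test" is that message's users entry.
"""
import hashlib
import hmac

SUBATTR = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "Qop",
           6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
           9: "Nonce-Count", 10: "User-Name"}
REQUIRED = ("User-Name", "Realm", "Nonce", "Method", "URI")

# Digest-Attributes values as radiusd printed them (hex, 0x prefix dropped).
POSTED_DIGEST_ATTRIBUTES = [
    "010b746573747265616c6d",
    "020a3132333461626364",
    "0308494e56495445",
    "041c7369703a35353535353531323132406578616d706c652e636f6d",
    "06054d4435",
    "0a0674657374",
]
POSTED_DIGEST_RESPONSE = "631d6d73147add2f9e437f59bbc3aeb7"


def unpack_digest_attributes(hex_values):
    """Each value is a type byte, a length byte that counts the two header
    bytes as well, then the text.  Malformed or unknown items are errors
    rather than silently skipped."""
    fields = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv)
        if len(raw) < 2 or raw[1] != len(raw):
            raise ValueError("malformed Digest-Attributes value %s" % hv)
        name = SUBATTR.get(raw[0])
        if name is None:
            raise ValueError("unknown Digest sub-attribute %d" % raw[0])
        fields[name] = raw[2:].decode("ascii")
    return fields


def missing_fields(fields):
    """Names the module would have to reject on, e.g. ['Nonce']."""
    return [n for n in REQUIRED if n not in fields]


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(fields, password=None, ha1=None):
    """RFC 2617 request-digest for algorithm MD5.  Needs the cleartext
    password or H(A1) = MD5(user:realm:password) for this realm; a plain
    MD5 of the password alone cannot be used."""
    missing = missing_fields(fields)
    if missing:
        raise ValueError("No Digest-%s: cannot perform Digest authentication" % missing[0])
    if (fields.get("Algorithm") or "MD5").upper() != "MD5":
        raise ValueError("unsupported algorithm %s" % fields["Algorithm"])
    if ha1 is None:
        if password is None:
            raise ValueError("need a password or H(A1)")
        ha1 = md5hex("%s:%s:%s" % (fields["User-Name"], fields["Realm"], password))
    qop = fields.get("Qop")
    if qop == "auth-int":   # Body-Digest carries H(entity-body)
        ha2 = md5hex("%s:%s:%s" % (fields["Method"], fields["URI"], fields["Body-Digest"]))
    else:
        ha2 = md5hex("%s:%s" % (fields["Method"], fields["URI"]))
    if qop in ("auth", "auth-int"):
        middle = "%s:%s:%s:%s" % (fields["Nonce"], fields["Nonce-Count"],
                                  fields["CNonce"], qop)
    else:
        middle = fields["Nonce"]
    return md5hex("%s:%s:%s" % (ha1, middle, ha2))


def check(fields, presented_response, password=None, ha1=None):
    """Constant-time comparison of computed and presented responses."""
    return hmac.compare_digest(digest_response(fields, password, ha1),
                               presented_response.lower())


if __name__ == "__main__":
    f = unpack_digest_attributes(POSTED_DIGEST_ATTRIBUTES)
    for name, value in f.items():
        print("Digest-%s = %r" % (name, value))
    print("posted response valid for password 'test':",
          check(f, POSTED_DIGEST_RESPONSE, "test"))
```

Running it prints the unpacked Digest-Realm, Digest-Nonce, Digest-Method, Digest-URI, Digest-Algorithm and Digest-User-Name and then whether the posted Digest-Response verifies for password "test"; dropping the Nonce item from POSTED_DIGEST_ATTRIBUTES reproduces the "No Digest-Nonce" refusal rather than a silent reject.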


Re: freeradius-mysql-clid

2005-09-06 Thread Nicolas Baradakis
Sam Njenga wrote:

> I have downloaded the latest freeradius and compiled ok. I have tested 
> it and it works fine.  I would like to authenticate calls based on 
> Caller-Id. What do I have to have in the tables. A small example will be 
> highly appreciated.

These links may help:

  http://www.freeradius.org/radiusd/doc/rlm_sql
  http://www.frontios.com/freeradius.html

-- 
Nicolas Baradakis



Re: Can I add extra fields to the radius accounting database?

2005-09-06 Thread Nicolas Baradakis
Miguel Angel Quiles wrote:

>   I've got freeradius 1.0.2 on a SUSE 9.3. I was thinking if I
> could add a new field to the radius accounting. I'm using mysql.
> I already added the field to the radacct table in the radius
> database. And I've tried to modify the sql.conf file in the raddb
> directory. When I restart the service the freeradius won't start
> because of an error.

Posting the error messages would help a lot.

> I've created the field "TunnelType", and I added the values in the
> different queries, such as:
>
> accounting_update_query_alt = "INSERT into ${acct_table1} (AcctSessionId, 
> AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, 
> AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, 
> AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, 
> ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, TunnelType) 
> values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', 
> '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + 
> %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', 
> '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', 
> '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', 
> '%{Framed-IP-Address}', '0', '%{Tunnel-Type:0}')" 
 ^^
Did you try %{Tunnel-Type} ? (without the digit for the tag)

-- 
Nicolas Baradakis



Re: Require realm suffix

2005-09-06 Thread Nicolas Baradakis
Ben Thompson wrote:

> I have set up FreeRADIUS so that I am using the realm format
> [EMAIL PROTECTED]. I have successfully got this working by adding the
> relevant realm to proxy.conf and setting authhost and acchost to LOCAL.
> Currently when someone logs in without specifying a realm, they are still
> authenticated and I would like to know if it is possible to change this
> behaviour so that users must specify the realm suffix.

Perhaps you could uncomment the realm "NULL" in proxy.conf and add in
the users file:

DEFAULT Realm == "NULL", Auth-Type := Reject

-- 
Nicolas Baradakis



PEAP TLS establishment and certificates

2005-09-06 Thread Juan Daniel Moreno
Hi everyone, 

I would like to configure a freeradius 1.0.4 with PEAP protocol and
OpenSSL certificates.  My first question is where should I 
place  the generated certificates with Openssl? 
As I am developing a client's interface, can anybody tell me how to "create" the Client_Hello packet? Thank you very much!!

Juan Daniel MORENO


Re: linux newby attempts freeradius (unsuxesfull)

2005-09-06 Thread Nicolas Baradakis
Fred Zinsli wrote:

> Rather than tell me what I am doing wrong (apart from attempting this) can 
> someone point me to where I can find out what I need to know.

Firstly, HTML is forbidden on the list. Did you read the rules before
subscribing?

http://www.freeradius.org/list/users.html

> Scenario:
> Debian sarge installed (no probs or errors) on i386 machine.

If you're using Debian, the quickest way is to install the Debian
package of FreeRADIUS. As root, run the following command:
# apt-get install freeradius

> Given I am NOT familiar with linux at all, and have ventured into this 
> reluctently, can someone point me to some really bullet proof documentation 
> that doesn't assume people already have an extensive knowledge of linux 
> before they start.

The FreeRADIUS mailing list isn't the appropriate place to ask general
questions about Linux. For example, you could start reading the
documentation from Debian http://www.debian.org/doc/ and ask
questions on http://lists.debian.org/debian-user/

Nicolas Baradakis

-- 
A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting annoying in email?