Re: FR and Pgsql - null acctstoptime
Paul,

SELECT * FROM radacct WHERE acctstoptime IS NULL;

On Wed, 16 Nov 2005 14:45:21 -0500 Paul Khavkine <[EMAIL PROTECTED]> wrote:
> (...)
> When a Start record gets written to radacct table, AcctStopTime is not
> being set to anything. The field is empty. Since AcctStopTime is
> of type "timestamp with time zone" it does not seem to equal to NULL or
> '0' or anything at all.
> (...)
> How do you build a query to fetch a list of sessions without
> AcctStopTime (sessions in progress for example) ?

--
Humberto Diógenes
Diginet Brasil

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
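Why IS NULL is the right test: in SQL a comparison with NULL evaluates to "unknown", so a predicate like "acctstoptime = NULL" never matches any row. The following is an added example, not code from the thread; it uses an in-memory SQLite table as a stand-in for PostgreSQL (an assumption; NULL comparison behaves the same way), with a cut-down radacct table and constructed rows.

```python
import sqlite3

# Constructed sample rows (not from the thread): session id, user, start, stop.
# A stop time of None models a Start record that has no matching Stop yet.
SAMPLE_ROWS = [
    ("sess-001", "alice", "2005-11-16 14:00:00", "2005-11-16 14:30:00"),
    ("sess-002", "bob", "2005-11-16 14:10:00", None),
    ("sess-003", "carol", "2005-11-16 14:20:00", None),
]

# Fixed, pre-written queries: the predicate is never built from caller input.
QUERIES = {
    "= NULL": "SELECT COUNT(*) FROM radacct WHERE acctstoptime = NULL",
    "= 0": "SELECT COUNT(*) FROM radacct WHERE acctstoptime = 0",
    "IS NULL": "SELECT COUNT(*) FROM radacct WHERE acctstoptime IS NULL",
}


def make_db():
    """Create the cut-down radacct table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct ("
        "acctsessionid TEXT, username TEXT, "
        "acctstarttime TEXT, acctstoptime TEXT)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def count_matching(conn, predicate):
    """Number of rows matched by one of the three predicates in QUERIES."""
    return conn.execute(QUERIES[predicate]).fetchone()[0]


def open_sessions(conn, started_before=None):
    """Sessions with no stop time, oldest first.

    With started_before set, only sessions that began before that timestamp
    are returned, which picks out long-running sessions whose Stop record
    may have been lost.
    """
    sql = (
        "SELECT acctsessionid, username, acctstarttime "
        "FROM radacct WHERE acctstoptime IS NULL"
    )
    params = ()
    if started_before is not None:
        sql += " AND acctstarttime < ?"
        params = (started_before,)
    sql += " ORDER BY acctstarttime"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    for name in QUERIES:
        print(f"acctstoptime {name}: {count_matching(db, name)} row(s)")
    for row in open_sessions(db):
        print("in progress:", row)
```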
RE: "Pool-Name" check item causes Access-Reject
Try putting the Pool-Name attribute in the radgroupcheck table. That's how I have it in mine and it works fine there.

Daniel Russell
Lead Technician
In-House IT Services
PH (03) 50210044
FX (03) 50210066

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of Gerret Apelt
> Sent: Wednesday, 16 November 2005 11:23 PM
> To: FreeRadius users mailing list
> Subject: "Pool-Name" check item causes Access-Reject
>
> Hi List,
>
> My setup: Debian Sarge (2.6.8)
> Debian package freeradius-mysql 1.0.5-2
> FreeRADIUS Version 1.0.5, for host , built on Oct 16 2005 at 11:56:56
>
> I am successfully authenticating dialup users with Freeradius; the
> users live in a MySQL db. Their IP addresses are assigned by a Patton
> RAS's internal pool. I want to take this task away from the RAS and
> have Freeradius ippool take over. Associating a pool with a user is
> causing that user's access request to be rejected where it worked
> before.
>
> Following the docs, I have the files db.ipindex and db.ippol set up,
> and the main_pool is configured in radiusd.conf. user 'gerret' is the
> guinea pig with the following radcheck table entries:
>
> | 1354 | gerret | User-Password | == | testpw |
> | 1491 | gerret | Pool-Name | == | main_pool |
>
> Now here's the tail of two "radtest gerret testpw localhost 0 testing123"
> runs:
>
> 1) With row 1491 not present:
>
> modcall[authorize]: module "sql" returns ok for request 2
> modcall: group authorize returns ok for request 2
> rad_check_password: Found Auth-Type Local
> auth: type Local
> auth: user supplied User-Password matches local User-Password
> Login OK: [gerret] (from client localhost port 0)
>
> 2) with both rows present:
>
> rlm_sql (sql): No matching entry in the database for request from user [gerret]
> rlm_sql (sql): Released sql socket id: 3
> modcall[authorize]: module "sql" returns notfound for request 1
> modcall: group authorize returns ok for request 1
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [gerret/testpw] (from client localhost port 0)
> Delaying request 1 for 1 seconds
> Finished request 1
>
> I have tried setting explicit "Auth-Type = Local" in an additional
> radcheck item to no avail. All mysql queries return the same data in
> both cases.
>
> *cry for help*
>
> thanks guys
>
> Gerret
Expired system passwords are still authenticating
I've set up a Cisco router to authenticate against a freeradius server on a Linux box using the local system account. Everything looked great until I expired the password. If I log into that account on the Linux box it tells me the password has expired and I need to change it. However, if I log into the router it continues to authenticate that password just fine. What am I missing?

Thanks,
Mark
Help request on the EAP-TTLS V1 in freeradius
Hello,

Currently we are trying to use freeradius to simulate an AAA server in our lab; we had succeeded in using EAP-TTLS V0 before. Now we want to introduce EAP-TTLS V1 as the next step, but I didn't find any new information on the web. Is there any expert who can answer me?

Yours,
Matthew

-
Life is in Mine
-
Let us love, not in word or speech, but in truth and action
generic x99 DES parity question
I am still trying to get the rlm_x99_token to work. I am now testing with a SecureNet Key token (A "generic" in the x99passwd file). This token I know how to manually program, so I can guarantee that I know the DES key and have entered it properly in the x99passwd file.

The user interface is, I enter my username and the pseudo-password "challenge" into the VPN client's authentication dialog box. A new box is presented containing the 8-digit challenge. I enter this challenge into the token and enter the response into the Password field of the dialog box. This is properly transmitted back to freeradius, but freeradius denies access each time. I think I'm pretty close, but I can't figure out what I'm doing wrong.

I have used the "crcalc" program that comes with the rlm_x99_token module to verify that the calculated response to the challenge, which requires entering the DES key as stored in the x99passwd file, matches the one generated by the token and the one in the freeradius debug output, so I can rule out typing the response incorrectly. The freeradius logs do show that the correct response is presented, but access is still denied.

Here is the x99.conf file (with comments stripped):

x99_token {
    pwdfile = /etc/x99passwd
    syncdir = /etc/x99sync.d
    challenge_prompt = "Challenge: %s\n Response: "
    challenge_length = 8
    challenge_delay = 180
    softfail = 5
    hardfail = 0
    allow_sync = yes
    fast_sync = yes
    allow_async = yes
    challenge_req = "challenge"
    resync_req = "resync"
    ewindow_size = 5
    ewindow2_size = 5
    ewindow2_delay = 60
}

Here are the logs produced by the x99 module code. I am wondering if the "incorrect parity" message is why this isn't working (I've tried a number of randomly-generated keys and they all get the parity complaint). "crcalc" also complains about the parity but nevertheless calculates the correct response. Or is there something in my config file that I'm missing?

Module: Instantiated x99_token (x99_token)
modcall[authorize]: module "x99_token" returns noop for request 0
rlm_x99_token: pw_present: found password attributes 2, 2
rlm_x99_token: Sending Access-Challenge.
modcall[authorize]: module "x99_token" returns handled for request 1
rlm_x99_token: autz: Found response to access challenge
modcall[authorize]: module "x99_token" returns ok for request 2
rad_check_password: Found Auth-Type x99_token
auth: type "x99_token"
rlm_x99_token: pw_present: found password attributes 2, 2
rlm_x99_token: x99_mac: DES key has incorrect parity
rlm_x99_token: auth: unable to calculate async response for [woods], to challenge DISABLED
modcall[authenticate]: module "x99_token" returns fail for request 2
Login incorrect (rlm_x99_token): [woods/cf229d55] (from client vpn-spare port 1051 cli 128.117.8.131)
modcall[authorize]: module "x99_token" returns noop for request 3
rlm_x99_token: pw_present: found password attributes 2, 2
rlm_x99_token: Sending Access-Challenge.
modcall[authorize]: module "x99_token" returns handled for request 4
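Background on the "DES key has incorrect parity" line in the log above: by DES convention the low bit of each of the 8 key bytes is a parity bit chosen so that the byte has an odd number of 1 bits, and the cipher itself ignores those bits, so a key with bad parity still encrypts the same way. The following is an added example, not part of the original post or of rlm_x99_token; it checks a 16-hex-digit key and derives the parity-adjusted equivalent. The sample key is constructed.

```python
from typing import List

# Constructed sample key (not from the post): 8 random-looking bytes in hex.
SAMPLE_KEY_HEX = "3b2f9c10d4e7a856"


def has_odd_parity(byte: int) -> bool:
    """True when the byte has an odd number of 1 bits, as DES expects."""
    return bin(byte).count("1") % 2 == 1


def parse_des_key(hex_key: str) -> bytes:
    """Decode a hex DES key, rejecting anything that is not exactly 8 bytes."""
    cleaned = hex_key.strip().replace(" ", "").replace(":", "")
    try:
        key = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("key is not a valid hex string") from exc
    if len(key) != 8:
        raise ValueError(f"DES key must be 8 bytes, got {len(key)}")
    return key


def bad_parity_positions(key: bytes) -> List[int]:
    """Indexes of the key bytes whose parity is even (that is, wrong)."""
    return [i for i, b in enumerate(key) if not has_odd_parity(b)]


def fix_parity(key: bytes) -> bytes:
    """Rewrite the low bit of each byte so the byte has odd parity.

    Only the parity bit changes; the upper seven bits of every byte, which
    are the bits DES actually uses, are left alone.
    """
    out = bytearray()
    for b in key:
        upper = b & 0xFE
        out.append(upper if has_odd_parity(upper) else upper | 0x01)
    return bytes(out)


def effective_key_bits(key: bytes) -> bytes:
    """The 56 bits DES uses: each byte with its parity bit masked off."""
    return bytes(b & 0xFE for b in key)


if __name__ == "__main__":
    key = parse_des_key(SAMPLE_KEY_HEX)
    fixed = fix_parity(key)
    print("bytes with wrong parity:", bad_parity_positions(key))
    print("parity-adjusted key:    ", fixed.hex())
    print("same effective key:     ",
          effective_key_bits(key) == effective_key_bits(fixed))
```

A randomly generated 8-byte value has correct parity in all bytes only by chance (1 in 256), which is consistent with every random key drawing the complaint.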
FR and Pgsql
Hi Folks.

I'm setting up FreeRADIUS with Postgres for accounting and there's one thing I can't seem to figure out.

When a Start record gets written to radacct table, AcctStopTime is not being set to anything. The field is empty. Since AcctStopTime is of type "timestamp with time zone" it does not seem to equal to NULL or '0' or anything at all.

radius=# select * from radacct where acctstoptime = NULL;
 radacctid | acctsessionid | acctuniqueid | username | realm | nasipaddress | nasportid | nasporttype | acctstarttime | acctstoptime | acctsessiontime | acctauthentic | connectinfo_start | connectinfo_stop | acctinputoctets | acctoutputoctets | calledstationid | callingstationid | acctterminatecause | servicetype | framedprotocol | framedipaddress | acctstartdelay | acctstopdelay
---+---+--+--+---+--+---+-+---+--+-+---+---+--+-+--+-+--++-++-++---
(0 rows)

radius=# select * from radacct where acctstoptime = 0;
 radacctid | acctsessionid | acctuniqueid | username | realm | nasipaddress | nasportid | nasporttype | acctstarttime | acctstoptime | acctsessiontime | acctauthentic | connectinfo_start | connectinfo_stop | acctinputoctets | acctoutputoctets | calledstationid | callingstationid | acctterminatecause | servicetype | framedprotocol | framedipaddress | acctstartdelay | acctstopdelay
---+---+--+--+---+--+---+-+---+--+-+---+---+--+-+--+-+--++-++-++---
(0 rows)

How do you build a query to fetch a list of sessions without AcctStopTime (sessions in progress for example) ?

This is on PgSQL 8.1.0.

Thanx
Paul
Re: RE: FreeRadius EAP-TLS issue
I used OpenSSL, what are the special attributes that you mention? Is it OID?

Thanks.
Hamid.

Guy Davies wrote:

>Hi Hamid,
>
>What CA did you use to create the client certs? If it was OpenSSL, did
>you ensure that you included the special attributes that the MS
>supplicant expects? There are a few HOWTO's around and they pretty much
>all reference this special value.
>
>If you used the M$ Certificate Services, it is automatically added.
>
>Rgds,
>
>Guy
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of
>Brian A. Seklecki
>Sent: 16 November 2005 17:02
>To: Hamid Salim
>Cc: freeradius-users@lists.freeradius.org
>Subject: Re: FreeRadius EAP-TLS issue
>
>
>If it was regular TLS, I'd tell you to "openssl s_client -connect
>foo:123 -cacert /blah".
>
>Are you sure that you have imported and "trusted" your CA's certificate
>on both the client and the server?
>
>This is when I let the other guys make suggestions.
>
>I was just curious if EAP-TLS with client certificates was simply a way
>of delivering the username to the client, letting the client
>authenticate the server and the server authenticate the identity of the
>client, and then providing for another password based mechanism.
>
>Or if certificate TLS handshake was sufficient for authorization and
>authentication...
>
>For example, Apache SSL can be told to verify client certificates, but
>htaccess would still be required.
>
>With SMTP, client and server SSL verification can be compelled, but for
>SMTP AUTH for relay, username/password authentication would still be
>required.
>
>
>~BAS
>
>On Wed, 16 Nov 2005, Hamid Salim wrote:
>
>> It should not be asking/expecting any userid/password pair. I have
>> installed the certificates on the supplicant machine which should be
>> sufficient to authenticate without any password requirements. I am not
>> sure why the certs are not working???
>>
>>
>> Brian A. Seklecki wrote:
>>
>>>
>>> rlm_eap_tls: Received unexpected tunneled data after successful
>>> handshake.
>>>
>>> ...that's what I get when I try an invalid password in my EAP + Cisco 1200
>>> + LDAP + PEAP/MS-CHAPv2 configuration.
>>>
>>> Let me ask...how is the client certificate method supposed to work?
>>>
>>> Is the username embedded in the CN/CommonName attribute of the
>>> certificate and the user is prompted for a password which you setup
>>> in authenticate {} ?
>>>
>>> Is that any more secure than using PEAP/MS-CHAPv2 ?
>>>
>>> ~BAS
>>>
>>>
>>> On Wed, 16 Nov 2005, Hamid Salim wrote:
>>>
>>>> Hi,
>>>> I am just wondering if anyone has encountered the same issue. I have
>>>> set up my environment for EAP-TLS, with Windows XP SP2 as a supplicant.
>>>> For some reason I am getting:
>>>>
>>>> auth: Failed to validate the user.
>>>> Login incorrect: [radiustst/] (from client testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
>>>>
>>>> complete listing is attached. I am using certificates and SSL
>>>> session is created successfully, then why FreeRadius is expecting a
>>>> userid/password?
>>>>
>>>> Any help will be appreciated.
>>>>
>>>> Thanks
>>>> Hamid.
>>>>
>>>> = Complete Listing =
>>>> Going to the next request
>>>> Waking up in 6 seconds...
>>>> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=71, length=1247
>>>>    User-Name = "radiustst"
>>>>    NAS-IP-Address = 129.10.56.156
>>>>    Called-Station-Id = "00-20-a6-4a-12-21"
>>>>    Calling-Station-Id = "00-10-c6-38-af-7b"
>>>>    NAS-Identifier = "APtest3"
>>>>    State = 0xb9a67433435733a42f7cbd528aa6ae7a
>>>>    Framed-MTU = 1400
>>>>    NAS-Port-Type = Wireless-802.11
RE: FreeRadius EAP-TLS issue
Hi Hamid,

What CA did you use to create the client certs? If it was OpenSSL, did you ensure that you included the special attributes that the MS supplicant expects? There are a few HOWTO's around and they pretty much all reference this special value.

If you used the M$ Certificate Services, it is automatically added.

Rgds,

Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian A. Seklecki
Sent: 16 November 2005 17:02
To: Hamid Salim
Cc: freeradius-users@lists.freeradius.org
Subject: Re: FreeRadius EAP-TLS issue

If it was regular TLS, I'd tell you to "openssl s_client -connect foo:123 -cacert /blah".

Are you sure that you have imported and "trusted" your CA's certificate on both the client and the server?

This is when I let the other guys make suggestions.

I was just curious if EAP-TLS with client certificates was simply a way of delivering the username to the client, letting the client authenticate the server and the server authenticate the identity of the client, and then providing for another password based mechanism.

Or if certificate TLS handshake was sufficient for authorization and authentication...

For example, Apache SSL can be told to verify client certificates, but htaccess would still be required.

With SMTP, client and server SSL verification can be compelled, but for SMTP AUTH for relay, username/password authentication would still be required.

~BAS

On Wed, 16 Nov 2005, Hamid Salim wrote:

> It should not be asking/expecting any userid/password pair. I have
> installed the certificates on the supplicant machine which should be
> sufficient to authenticate without any password requirements. I am not
> sure why the certs are not working???
>
>
> Brian A. Seklecki wrote:
>
>>
>> rlm_eap_tls: Received unexpected tunneled data after successful
>> handshake.
>>
>> ...that's what I get when I try an invalid password in my EAP + Cisco 1200
>> + LDAP + PEAP/MS-CHAPv2 configuration.
>>
>> Let me ask...how is the client certificate method supposed to work?
>>
>> Is the username embedded in the CN/CommonName attribute of the
>> certificate and the user is prompted for a password which you setup
>> in authenticate {} ?
>>
>> Is that any more secure than using PEAP/MS-CHAPv2 ?
>>
>> ~BAS
>>
>>
>> On Wed, 16 Nov 2005, Hamid Salim wrote:
>>
>>> Hi,
>>> I am just wondering if anyone has encountered the same issue. I have
>>> set up my environment for EAP-TLS, with Windows XP SP2 as a supplicant.
>>> For some reason I am getting:
>>>
>>> auth: Failed to validate the user.
>>> Login incorrect: [radiustst/] (from client testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
>>>
>>> complete listing is attached. I am using certificates and SSL
>>> session is created successfully, then why FreeRadius is expecting a
>>> userid/password?
>>>
>>> Any help will be appreciated.
>>>
>>> Thanks
>>> Hamid.
>>>
>>> = Complete Listing =
>>> Going to the next request
>>> Waking up in 6 seconds...
>>> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=71, length=1247
>>>    User-Name = "radiustst"
>>>    NAS-IP-Address = 129.10.56.156
>>>    Called-Station-Id = "00-20-a6-4a-12-21"
>>>    Calling-Station-Id = "00-10-c6-38-af-7b"
>>>    NAS-Identifier = "APtest3"
>>>    State = 0xb9a67433435733a42f7cbd528aa6ae7a
>>>    Framed-MTU = 1400
>>>    NAS-Port-Type = Wireless-802.11
Re: FreeRadius EAP-TLS issue
I am not sure if I completely follow:

">If it was regular TLS, I'd tell you to "openssl s_client -connect foo:123
>-cacert /blah".
>
>Are you sure that you have imported and "trusted" your CA's certificate on
>both the client and the server?"

But I used 'how to EAP/TLS' from the FreeRadius web site. It is my understanding (which may be incorrect) that I do not need a password. It is something real simple that I have overlooked, but of course challenging to discover!

Any comments/help appreciated.

Hamid.

Brian A. Seklecki wrote:

>
>If it was regular TLS, I'd tell you to "openssl s_client -connect foo:123
>-cacert /blah".
>
>Are you sure that you have imported and "trusted" your CA's certificate on
>both the client and the server?
>
>This is when I let the other guys make suggestions.
>
>I was just curious if EAP-TLS with client certificates was simply a way of
>delivering the username to the client, letting the client authenticate the
>server and the server authenticate the identity of the client, and then
>providing for another password based mechanism.
>
>Or if certificate TLS handshake was sufficient for authorization and
>authentication...
>
>For example, Apache SSL can be told to verify client certificates, but
>htaccess would still be required.
>
>With SMTP, client and server SSL verification can be compelled, but for
>SMTP AUTH for relay, username/password authentication would still be
>required.
>
>
>~BAS
>
>On Wed, 16 Nov 2005, Hamid Salim wrote:
>
>> It should not be asking/expecting any userid/password pair. I have
>> installed the certificates on the supplicant machine which should be
>> sufficient to authenticate without any password requirements. I am not
>> sure why the certs are not working???
>>
>>
>> Brian A. Seklecki wrote:
>>
>>>
>>> rlm_eap_tls: Received unexpected tunneled data after successful
>>> handshake.
>>>
>>> ...that's what I get when I try an invalid password in my EAP + Cisco 1200
>>> + LDAP + PEAP/MS-CHAPv2 configuration.
>>>
>>> Let me ask...how is the client certificate method supposed to work?
>>>
>>> Is the username embedded in the CN/CommonName attribute of the certificate
>>> and the user is prompted for a password which you setup in authenticate {} ?
>>>
>>> Is that any more secure than using PEAP/MS-CHAPv2 ?
>>>
>>> ~BAS
>>>
>>>
>>> On Wed, 16 Nov 2005, Hamid Salim wrote:
>>>
>>>> Hi,
>>>> I am just wondering if anyone has encountered the same issue. I have
>>>> set up my environment for EAP-TLS, with Windows XP SP2 as a supplicant.
>>>> For some reason I am getting:
>>>>
>>>> auth: Failed to validate the user.
>>>> Login incorrect: [radiustst/] (from client testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
>>>>
>>>> complete listing is attached. I am using certificates and SSL
>>>> session is created successfully, then why FreeRadius is expecting a
>>>> userid/password?
>>>>
>>>> Any help will be appreciated.
>>>>
>>>> Thanks
>>>> Hamid.
>>>>
>>>> = Complete Listing =
>>>> Going to the next request
>>>> Waking up in 6 seconds...
>>>> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=71, length=1247
>>>>    User-Name = "radiustst"
>>>>    NAS-IP-Address = 129.10.56.156
>>>>    Called-Station-Id = "00-20-a6-4a-12-21"
>>>>    Calling-Station-Id = "00-10-c6-38-af-7b"
>>>>    NAS-Identifier = "APtest3"
>>>>    State = 0xb9a67433435733a42f7cbd528aa6ae7a
>>>>    Framed-MTU = 1400
>>>>    NAS-Port-Type = Wireless-802.11
Re: FreeRadius EAP-TLS issue
If it was regular TLS, I'd tell you to "openssl s_client -connect foo:123 -cacert /blah".

Are you sure that you have imported and "trusted" your CA's certificate on both the client and the server?

This is when I let the other guys make suggestions.

I was just curious if EAP-TLS with client certificates was simply a way of delivering the username to the client, letting the client authenticate the server and the server authenticate the identity of the client, and then providing for another password based mechanism.

Or if certificate TLS handshake was sufficient for authorization and authentication...

For example, Apache SSL can be told to verify client certificates, but htaccess would still be required.

With SMTP, client and server SSL verification can be compelled, but for SMTP AUTH for relay, username/password authentication would still be required.

~BAS

On Wed, 16 Nov 2005, Hamid Salim wrote:

> It should not be asking/expecting any userid/password pair. I have
> installed the certificates on the supplicant machine which should be
> sufficient to authenticate without any password requirements. I am not
> sure why the certs are not working???
>
> Brian A. Seklecki wrote:
>
>> rlm_eap_tls: Received unexpected tunneled data after successful
>> handshake.
>>
>> ...that's what I get when I try an invalid password in my EAP + Cisco 1200
>> + LDAP + PEAP/MS-CHAPv2 configuration.
>>
>> Let me ask...how is the client certificate method supposed to work?
>>
>> Is the username embedded in the CN/CommonName attribute of the certificate
>> and the user is prompted for a password which you setup in authenticate {} ?
>>
>> Is that any more secure than using PEAP/MS-CHAPv2 ?
>>
>> ~BAS
>>
>> On Wed, 16 Nov 2005, Hamid Salim wrote:
>>
>>> Hi,
>>> I am just wondering if anyone has encountered the same issue. I have
>>> set up my environment for EAP-TLS, with Windows XP SP2 as a supplicant.
>>> For some reason I am getting:
>>>
>>> auth: Failed to validate the user.
>>> Login incorrect: [radiustst/] (from client testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
>>>
>>> complete listing is attached. I am using certificates and SSL
>>> session is created successfully, then why FreeRadius is expecting a
>>> userid/password?
>>>
>>> Any help will be appreciated.
>>>
>>> Thanks
>>> Hamid.
>>>
>>> = Complete Listing =
>>> Going to the next request
>>> Waking up in 6 seconds...
>>> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=71, length=1247
>>>    User-Name = "radiustst"
>>>    NAS-IP-Address = 129.10.56.156
>>>    Called-Station-Id = "00-20-a6-4a-12-21"
>>>    Calling-Station-Id = "00-10-c6-38-af-7b"
>>>    NAS-Identifier = "APtest3"
>>>    State = 0xb9a67433435733a42f7cbd528aa6ae7a
>>>    Framed-MTU = 1400
>>>    NAS-Port-Type = Wireless-802.11
Attribute question
Hi,

Is there an attribute to limit the number of connections of one user, so that after the last connection the user can no longer connect?

Thanks
Unique dictionary entries
1. Radiusd version:

[EMAIL PROTECTED] sbin]$ radiusd -v
radiusd: RADIUS version 1.6.7 21-Jul-2003
Compilation flags: USE_SYSLOG ATTRIB_NMC COMPAT_1543 linux

2. Users File

[EMAIL PROTECTED] sbin]$ cat /etc/raddb/users
joe Ens-Auth-Type = "user", Ens-Auth-Password = "rad"
    Ens-Auth-Command = "shell", Ens-Auth-Acl = "1"
[EMAIL PROTECTED] sbin]$

3. Debug output

[EMAIL PROTECTED] sbin]$ sudo radiusd -fx
Starting - reading configuration files ...
Ready to process requests.
radrecv: Packet from host 192.168.2.137 code=1, id=27, length=55
    User-Name = "joe"
    Service-Type = Login-User
    Ens-Auth-Type = "\001"
    Tunnel-Server-Auth-Id:1 = ""
    Ens-Auth-Command = "\001"
    Ens-Auth-Acl = "\001"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
NO SUCH USER FOUND: "joe"
Unknown user: [joe] (from nas local/S0)
Sending Reject of id 27 to 192.168.2.137

4. Problem.

I've got my Radius server to support special dictionary entries. You can see the 'Ens-' entries. When my client tries to grab information from the Radius server the server does not see 'joe' in the users file. At one time I had this working about 2 years ago and now I need to use it again. Can anyone tell me what I've done wrong in my users file that would make radiusd not see the user 'joe'?

Thanks,
Chris
Re: FreeRadius EAP-TLS issue
rlm_eap_tls: Received unexpected tunneled data after successful handshake.

...that's what I get when I try an invalid password in my EAP + Cisco 1200 + LDAP + PEAP/MS-CHAPv2 configuration.

Let me ask...how is the client certificate method supposed to work?

Is the username embedded in the CN/CommonName attribute of the certificate and the user is prompted for a password which you setup in authenticate {} ?

Is that any more secure than using PEAP/MS-CHAPv2 ?

~BAS

On Wed, 16 Nov 2005, Hamid Salim wrote:

> Hi,
> I am just wondering if anyone has encountered the same issue. I have
> set up my environment for EAP-TLS, with Windows XP SP2 as a supplicant.
> For some reason I am getting:
>
> auth: Failed to validate the user.
> Login incorrect: [radiustst/] (from client testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
>
> complete listing is attached. I am using certificates and SSL
> session is created successfully, then why FreeRadius is expecting a
> userid/password?
>
> Any help will be appreciated.
>
> Thanks
> Hamid.
>
> = Complete Listing =
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=71, length=1247
>    User-Name = "radiustst"
>    NAS-IP-Address = 129.10.56.156
>    Called-Station-Id = "00-20-a6-4a-12-21"
>    Calling-Station-Id = "00-10-c6-38-af-7b"
>    NAS-Identifier = "APtest3"
>    State = 0xb9a67433435733a42f7cbd528aa6ae7a
>    Framed-MTU = 1400
>    NAS-Port-Type = Wireless-802.11
>    Message-Authenticator = 0x1e4e290a1071052212513c61bfa25dae
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 8
> modcall[authorize]: module "preprocess" returns ok for request 8
> radius_xlat: '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115'
> rlm_detail: /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115
> modcall[authorize]: module "auth_log" returns ok for request 8
> rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 8
> rlm_eap: EAP packet type response id 5 length 253
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 8
> users: Matched entry radiustst at line 54
> modcall[authorize]: module "files" returns ok for request 8
> modcall: group authorize returns updated for request 8
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Process
FreeRadius EAP-TLS issue
Hi,

I am just wondering if anyone has encountered the same issue. I have set up my environment for EAP-TLS, with Windows XP SP2 as a supplicant. For some reason I am getting:

auth: Failed to validate the user.
Login incorrect: [radiustst/] (from client testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)

complete listing is attached. I am using certificates and SSL session is created successfully, then why is FreeRadius expecting a userid/password?

Any help will be appreciated.

Thanks
Hamid.

= Complete Listing =
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 129.10.56.156:6001, id=71, length=1247
        User-Name = "radiustst"
        NAS-IP-Address = 129.10.56.156
        Called-Station-Id = "00-20-a6-4a-12-21"
        Calling-Station-Id = "00-10-c6-38-af-7b"
        NAS-Identifier = "APtest3"
        State = 0xb9a67433435733a42f7cbd528aa6ae7a
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x...
        EAP-Message = 0x...
        EAP-Message = 0x...
        EAP-Message = 0x...
        EAP-Message = 0x...
        Message-Authenticator = 0x1e4e290a1071052212513c61bfa25dae
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
radius_xlat: '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115'
rlm_detail: /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115
modcall[authorize]: module "auth_log" returns ok for request 8
rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 5 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry radiustst at line 54
modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 030b], Certificate
chain-depth=1, error=0
--> User-Name = radiustst
--> BUF-Name = ECEAuthServer
--> subject = /C=US/ST=
Re: Segfault while sending Access-Accept
On Wed, 16 Nov 2005, Luca Corti wrote:
> > There is (or was) also an option in radiusd.conf that says
> > "allow_core_dumps = no". You may need to set this to "yes," but I'm
> > not sure that applies to debug mode.
>
> As I said I set allow_core_dumps to yes and tried running freeradius
> both in debugging and non-debugging mode.

My apologies -- I must have missed that. Erm. Maybe Alan knows? I know that in the long past, "make install" would also strip debugging symbols so the core dumps didn't do much good, but I don't know why it wouldn't core dump to a findable file at all. Sorry. :-(

Kristina
Re: "Pool-Name" check item causes Access-Reject
> Following the docs, I have the files db.ipindex and db.ippol set up, and the main_pool is configured in radiusd.conf. user 'gerret' is the guinea pig with the following radcheck table entries:
>
> | 1354 | gerret | User-Password | == | testpw |
> | 1491 | gerret | Pool-Name | == | main_pool |

Try setting the operator on Pool-Name to := instead of ==.
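Why the operator matters, as an added example that is not part of the original posts and is not FreeRADIUS code: a simplified Python model of the documented check-item semantics, where `==` compares against an attribute the client actually sent and `:=` always matches and sets a configuration item. The `authorize` and `set_operator` helpers and the request contents are constructed for illustration; only the two radcheck rows come from the thread.

```python
# Simplified model of check-item operator semantics (assumption: this mirrors
# the documented behaviour of '==' and ':='; it is not rlm_sql's implementation).

# radcheck rows as quoted in the post: (id, UserName, Attribute, op, Value)
RADCHECK_AS_POSTED = [
    (1354, "gerret", "User-Password", "==", "testpw"),
    (1491, "gerret", "Pool-Name", "==", "main_pool"),
]

# Constructed stand-in for the request produced by
# "radtest gerret testpw localhost 0 testing123".
# A client never sends Pool-Name; it is a server-side item.
RADTEST_REQUEST = {
    "User-Name": "gerret",
    "User-Password": "testpw",
    "NAS-Port": "0",
}


def set_operator(rows, attribute, new_op):
    """Return a copy of rows with the operator of one attribute replaced."""
    return [
        (rid, user, attr, new_op if attr == attribute else op, value)
        for rid, user, attr, op, value in rows
    ]


def authorize(request, rows):
    """Evaluate one user's check items against a request.

    '==' matches only when the attribute is present in the request and
         carries the same value.
    ':=' always matches and sets the attribute as a configuration item.
    Returns (module_result, config_items, failed_attribute).
    """
    config_items = {}
    for _rid, user, attr, op, value in rows:
        if user != request.get("User-Name"):
            continue
        if op == "==":
            if request.get(attr) != value:
                # One failed comparison rejects the whole entry, which the
                # debug log reports as "No matching entry in the database".
                return "notfound", {}, attr
        elif op != ":=":
            raise ValueError(f"operator {op!r} is not modelled here")
        config_items[attr] = value
    if not config_items:
        return "notfound", {}, None
    return "ok", config_items, None


if __name__ == "__main__":
    print("as posted:", authorize(RADTEST_REQUEST, RADCHECK_AS_POSTED))
    fixed = set_operator(RADCHECK_AS_POSTED, "Pool-Name", ":=")
    print("with := :", authorize(RADTEST_REQUEST, fixed))
```

With the rows as posted, the model returns notfound because of Pool-Name, matching the second radtest run in the thread; with `:=` the entry matches and Pool-Name becomes a configuration item.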
Re: Odd problem (FreeRadius 1.0.5 / MSSQL 2000 / Fedora Core 3)
For anyone else having this problem: we had to roll back our FREETDS install from 0.63 to 0.62.3. I'm not sure why the new version of FREETDS has an issue, but I know I was advised of this with asterisk as well.

On 11/15/05, Matt <[EMAIL PROTECTED]> wrote:
> We have the exact same configuration working on another system, but
> have been unable to get it to work correctly on this Fedora Core 3
> system. We are using rlm_sql to have FreeRadius talk to our MSSQL
> 2000 database. That works.
>
> The odd part is on the Fedora Core 3 system it seems to be having
> issues reading the shared secret.
>
> When I start the server in debug mode I get:
>
> rlm_sql (sql: Read entry
> nasname=216.240.101.102,shortname=auth1.virtdom.com,secret=8Y
>
> Well this is all good, but the secret is not "8Y". In fact it's more
> something like cP83ufJu32
>
> The fields are all nvarchar in the database (ip, shortname, secret)...
> yet ip and shortname display correctly.
>
> If I go into the C code for the rlm_sql module and put row[8] in place
> of row[5] in the debug I get the same thing, even though row[8] has
> the description of the NAS.
>
> If I use tsql to connect to the database and do a select * from my NAS
> table, all the data comes out right. It seems like something in
> freeradius is mangling the shared secret.
>
> Can anyone shed light on this?
Re: [radius] client configuration with max6000
----- Original Message -----
From: "Danny Zenzano" <[EMAIL PROTECTED]>
To: "Freeradius-Users (E-mail)"
Sent: Wednesday, November 16, 2005 7:47 AM
Subject: [radius] client configuration with max6000

> I'm working with the max6000-lucent and the freeradius 1.0.0-5 but in the client file I can see a list of NAS:
>
> #  The nastype tells 'checkrad.pl' which NAS-specific method to
> #  use to query the NAS for simultaneous use.
> #
> #  Permitted NAS types are:
> #
> #       cisco
> #       computone
> #       livingston
> #       max40xx
> #       multitech
> #       netserver
> #       pathras
> #       patton
> #       portslave
> #       tc
> #       usrhiper
> #       other           # for all other types
>
> Which of the options must I choose? I configure something like this:
>
> client 192.1.1.1 {
>         # secret and password are mapped through the "secrets" file.
>         secret      = secret
>         shortname   = Ras
>         # the following three fields are optional, but may be used by
>         # checkrad.pl for simultaneous usage checks
>         nastype     = other
>         #login      = RasViva
>         #password   = vivaMMS
> }

Use other. I have used max40XX before and it worked fine but I am now using "other". I have two max6000's that have been running with FR for 3 years using MySql backend. Documentation is pretty clear on how to use the database. If you get stuck on something I would be glad to help, but I am not going to build it all for you. Don't have the time. First thing to do is set up your clients file, then go to radius.conf and configure it there for using the database for auth. Import the database tables that you want to use; there are sql files in the distro for it. If you get in there and get stuck on something, email me and I will help you.
client configuration with max6000
I'm working with the max6000-lucent and the freeradius 1.0.0-5 but in the client file I can see a list of NAS:

#  The nastype tells 'checkrad.pl' which NAS-specific method to
#  use to query the NAS for simultaneous use.
#
#  Permitted NAS types are:
#
#       cisco
#       computone
#       livingston
#       max40xx
#       multitech
#       netserver
#       pathras
#       patton
#       portslave
#       tc
#       usrhiper
#       other           # for all other types

Which of the options must I choose? I configure something like this:

client 192.1.1.1 {
        # secret and password are mapped through the "secrets" file.
        secret      = secret
        shortname   = Ras
        # the following three fields are optional, but may be used by
        # checkrad.pl for simultaneous usage checks
        nastype     = other
        #login      = RasViva
        #password   = vivaMMS
}
RE: [radius] Re: Login incorrect- RAS autentication
Now I am using the user file, but I want to use the information of the database, but I don't know how.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Marino
Sent: Wednesday, 16 November 2005 0:51
To: FreeRadius users mailing list
Subject: Re: [radius] Re: Login incorrect- RAS autentication

You using a Database backend or user file?

Nick Marino - IT Solutions

----- Original Message -----
From: "Dave Weis" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Tuesday, November 15, 2005 8:42 PM
Subject: [radius] Re: Login incorrect- RAS autentication

> Why did you send this three times? It's normal for the TNT line to try and
> download configuration settings via radius unless you have turned it off.
> I don't remember the name of the setting but it's listed in the
> documentation and google can find it.
>
> On Tue, 15 Nov 2005, Danny Zenzano wrote:
>
>> hi,
>>
>> I am trying to make work an RAS(lucent-max6000) with the freeRADIUS, I
>> configure the MAX6000, and the radius obtains an authentication order
>> from
>> the RAS, but as result I obtain a login error message.
"Pool-Name" check item causes Access-Reject
Hi List,

My setup:
Debian Sarge (2.6.8)
Debian package freeradius-mysql 1.0.5-2
FreeRADIUS Version 1.0.5, for host , built on Oct 16 2005 at 11:56:56

I am successfully authenticating dialup users with Freeradius; the users live in a MySQL db. Their IP addresses are assigned by a Patton RAS's internal pool. I want to take this task away from the RAS and have Freeradius ippool take over. Associating a pool with a user is causing that user's access request to be rejected where it worked before.

Following the docs, I have the files db.ipindex and db.ippol set up, and the main_pool is configured in radiusd.conf. user 'gerret' is the guinea pig with the following radcheck table entries:

| 1354 | gerret | User-Password | == | testpw |
| 1491 | gerret | Pool-Name | == | main_pool |

Now here's the tail of two "radtest gerret testpw localhost 0 testing123" runs:

1) With row 1491 not present:

modcall[authorize]: module "sql" returns ok for request 2
modcall: group authorize returns ok for request 2
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [gerret] (from client localhost port 0)

2) With both rows present:

rlm_sql (sql): No matching entry in the database for request from user [gerret]
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns notfound for request 1
modcall: group authorize returns ok for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [gerret/testpw] (from client localhost port 0)
Delaying request 1 for 1 seconds
Finished request 1

I have tried setting explicit "Auth-Type = Local" in an additional radcheck item to no avail. All mysql queries return the same data in both cases.

*cry for help*

thanks guys

Gerret
RE: Ading NAS to MySQL DB
I am very keen on knowing how I can replace my clients.conf file by a SQL query.

From: "Alex M" <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list
To: "'FreeRadius users mailing list'"
Subject: Ading NAS to MySQL DB
Date: Tue, 25 Oct 2005 00:58:49 -0400

> Hi,
>
> I'm keeping playing around with mysql manipulation, and I'm having trouble to force radius to obtain list of authorized clients (NASes) from SQL DB. I assume I have to enter NAS info in NAS table (I'm using suggested schema that was created automatically by script that came with distribution) but I'm not really sure what data should go where and if it is right table for clients info?
>
> Please help!
rlm_eap runtime link failure on FreeRADIUS 1.0.5 under Cygwin
I have a problem using Freeradius 1.0.5 under Cygwin.

I have a problem with the rlm_eap module. I've configured with:

./configure --disabled-shared

but it doesn't work...

I found this message in the mailing list and I'm in the same situation (except for the freeradius version)... but I can't find a solution.

>I've been able to configure, make and install the product with little to
>no problem. However, execution aborts when rlm_eap is loaded:
>...
>Module: Instantiated mschap (mschap)
>Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
>Module: Instantiated unix (unix)
>radiusd.conf[9] Failed to link to module 'rlm_eap': unknown error
>
>Line 9 (of eap.conf) is where the eap module is loaded:
>
>...
> eap {
>...

I hope someone has a solution.

Ing. Nicola Iotti
Network Manager
mailto: [EMAIL PROTECTED]
Guglielmo S.r.l.
Sede legale: Via Martiri di Minozzo, 12
Sede operativa: Via Sante Vincenzi, 2 / D
42100 Reggio Emilia ITALIA
Tel.: +39-0522 - 40 63 67
Fax: +39-0522 - 54 08 16
Cell: +39-320 61 90 072
internet website: http://www.guglielmo.biz
mailto:[EMAIL PROTECTED]
Re: Setup freeradius for intranet desktop client
On Tue, 2005-11-15 at 22:59, mahesh luhar wrote:
> Dear All,
>
> I have installed radius server Version 1.0.5 on linux 9. I would like to
> use freeradius server following usage.
>
> (1) Intranet desktop client authentication for internet access with limited
> no of ports as outgoing destination ports.

If by this you mean TCP/UDP ports, then you'll need to somehow integrate with a layer 3 firewall. You'll probably want to ditch "Linux 9" (we can only assume that you mean Redhat 9...please be careful not to correlate Redhat with GNU/Linux) in favor of OpenBSD PFAUTH, at least for your firewall, for pfauth:

http://www.openbsd.org/faq/pf/authpf.html

Or you could do 802.1x on managed switches and cram users into VLANs which have specific policies.

> (2) Few users on cable modem. Can i setup radius functionality for such
> users.

That's a bit ambiguous. Please expound.

>
> Please guide
>
> Regards,
>
> Mahesh Luhar
>
Re: Segfault while sending Access-Accept
On Tue, 2005-11-15 at 11:54 -0800, Kristina Pfaff-Harris wrote:
> Luca, are you on a Linux/Unixish type system? If so, and if worst comes to

Yes, I'm on Debian GNU/Linux.

> worst, you may be able to find it with:
>
> find / -name '*core*' -print

Already tried to do a find, it lists quite a lot of files, but they all seem to be system files (/proc stuff, kernel modules, xml dtds, etc.).

> If you're running Windows, I don't know how it does core dumps or even if
> it does. :-)

That's not the case.

> There is (or was) also an option in radiusd.conf that says
> "allow_core_dumps = no". You may need to set this to "yes," but I'm not
> sure that applies to debug mode.

As I said I set allow_core_dumps to yes and tried running freeradius both in debugging and non-debugging mode.

thanks

Luca

--
Luca Corti
PGP Key ID 1F38C091
BOFH excuse of the moment: Too much radiation coming from the soil.