help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Hi, All,

When I tried to develop PEAP at the client side, I found I am always rejected by the server. The following is the log. What might be wrong? My server config?

thanks,
Jie

Tue Dec 13 19:17:04 2005 : Debug: users: Matched [EMAIL PROTECTED].com at 53
Tue Dec 13 19:17:04 2005 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 14
Tue Dec 13 19:17:04 2005 : Debug: modcall[authorize]: module "files" returns ok for request 14
Tue Dec 13 19:17:04 2005 : Debug: modcall: group authorize returns updated for request 14
Tue Dec 13 19:17:04 2005 : Debug: rad_check_password: Found Auth-Type EAP
Tue Dec 13 19:17:04 2005 : Debug: auth: type "EAP"
Tue Dec 13 19:17:04 2005 : Debug: Processing the authenticate section of radiusd.conf
Tue Dec 13 19:17:04 2005 : Debug: modcall: entering group authenticate for request 14
Tue Dec 13 19:17:04 2005 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 14
Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: Request found, released from the list
Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: EAP/mschapv2
Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: processing type mschapv2
Tue Dec 13 19:17:04 2005 : Debug: Processing the authenticate section of radiusd.conf
Tue Dec 13 19:17:04 2005 : Debug: modcall: entering group Auth-Type for request 14
Tue Dec 13 19:17:04 2005 : Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 14
Tue Dec 13 19:17:04 2005 : Debug: rlm_mschap: Told to do MS-CHAPv2 for supplic [EMAIL PROTECTED] with NT-Password
Tue Dec 13 19:17:04 2005 : Debug: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Tue Dec 13 19:17:04 2005 : Debug: modsingle[authenticate]: returned from mschap (rlm_mschap) for request 14
Tue Dec 13 19:17:04 2005 : Debug: modcall[authenticate]: module "mschap" returns reject for request 14
Tue Dec 13 19:17:04 2005 : Debug: modcall: group Auth-Type returns reject for request 14
Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: Freeing handler

- List info/subscribe/unsubscribe?
See http://www.freeradius.org/list/users.html
segmentation fault on solaris,unable to call modules
Hi All,

Installing freeradius on Solaris is already a big headache; afterwards I encountered a Segmentation fault as well. I am using Freeradius-1.0.5. It seems the problem is that it is not able to call any of the modules in radiusd.conf: if I comment out all the modules under 'Authorize' (files, preprocess, ldap, prefix, etc.) in radiusd.conf, there won't be segmentation faults. And this configuration is able to work for freeradius-0.8 on Solaris or freeradius-1.0.5 on Debian.

pls advise. thanks in advance.

Below is what the debug mode shows:
***
Wed Dec 14 10:15:31 2005 : Info: Starting - reading configuration files ...
Wed Dec 14 10:15:31 2005 : Debug: reread_config: reading radiusd.conf
Wed Dec 14 10:15:31 2005 : Debug: Config: including file: /usr/local/radius5/raddb/proxy.conf
Wed Dec 14 10:15:31 2005 : Debug: Config: including file: /usr/local/radius5/raddb/clients.conf
Wed Dec 14 10:15:31 2005 : Debug: Config: including file: /usr/local/radius5/raddb/snmp.conf
Wed Dec 14 10:15:31 2005 : Debug: Config: including file: /usr/local/radius5/raddb/sql.conf
Wed Dec 14 10:15:31 2005 : Debug: main: prefix = "/usr/local/radius5"
Wed Dec 14 10:15:31 2005 : Debug: main: localstatedir = "/usr/local/radius5/var"
Wed Dec 14 10:15:31 2005 : Debug: main: logdir = "/usr/local/radius5/log"
Wed Dec 14 10:15:31 2005 : Debug: main: libdir = "/usr/local/radius5/lib"
Wed Dec 14 10:15:31 2005 : Debug: main: radacctdir = "/usr/local/radius5/radacct"
Wed Dec 14 10:15:31 2005 : Debug: main: hostname_lookups = no
Wed Dec 14 10:15:31 2005 : Debug: main: max_request_time = 40
Wed Dec 14 10:15:31 2005 : Debug: main: cleanup_delay = 5
Wed Dec 14 10:15:31 2005 : Debug: main: max_requests = 5120
Wed Dec 14 10:15:31 2005 : Debug: main: delete_blocked_requests = 0
Wed Dec 14 10:15:31 2005 : Debug: main: port = 1645
Wed Dec 14 10:15:31 2005 : Debug: main: allow_core_dumps = yes
Wed Dec 14 10:15:31 2005 : Debug: main: log_stripped_names = no
Wed Dec 14 10:15:31 2005 : Debug: main: log_file = "/usr/local/radius5/log/radius.log"
Wed Dec 14 10:15:31 2005 : Debug: main: log_auth = yes
Wed Dec 14 10:15:31 2005 : Debug: main: log_auth_badpass = no
Wed Dec 14 10:15:31 2005 : Debug: main: log_auth_goodpass = no
Wed Dec 14 10:15:31 2005 : Debug: main: pidfile = "/usr/local/radius5/var/run/radiusd.pid"
Wed Dec 14 10:15:31 2005 : Debug: main: user = "radius"
Wed Dec 14 10:15:31 2005 : Debug: main: group = "radius"
Wed Dec 14 10:15:31 2005 : Debug: main: usercollide = no
Wed Dec 14 10:15:31 2005 : Debug: main: lower_user = "no"
Wed Dec 14 10:15:31 2005 : Debug: main: lower_pass = "no"
Wed Dec 14 10:15:31 2005 : Debug: main: nospace_user = "no"
Wed Dec 14 10:15:31 2005 : Debug: main: nospace_pass = "no"
Wed Dec 14 10:15:31 2005 : Debug: main: checkrad = "/usr/local/radius5/sbin/checkrad"
Wed Dec 14 10:15:31 2005 : Debug: main: proxy_requests = yes
Wed Dec 14 10:15:31 2005 : Debug: proxy: retry_delay = 5
Wed Dec 14 10:15:31 2005 : Debug: proxy: retry_count = 3
Wed Dec 14 10:15:31 2005 : Debug: proxy: synchronous = no
Wed Dec 14 10:15:31 2005 : Debug: proxy: default_fallback = yes
Wed Dec 14 10:15:31 2005 : Debug: proxy: dead_time = 120
Wed Dec 14 10:15:31 2005 : Debug: proxy: post_proxy_authorize = yes
Wed Dec 14 10:15:31 2005 : Debug: proxy: wake_all_if_all_dead = no
Wed Dec 14 10:15:31 2005 : Debug: security: max_attributes = 200
Wed Dec 14 10:15:31 2005 : Debug: security: reject_delay = 0
Wed Dec 14 10:15:31 2005 : Debug: security: status_server = no
Wed Dec 14 10:15:31 2005 : Debug: main: debug_level = 0
Wed Dec 14 10:15:31 2005 : Debug: read_config_files: reading dictionary
Wed Dec 14 10:15:31 2005 : Debug: read_config_files: reading naslist
Wed Dec 14 10:15:31 2005 : Info: Using deprecated naslist file. Support for this will go away soon.
Wed Dec 14 10:15:31 2005 : Debug: read_config_files: reading clients
Wed Dec 14 10:15:31 2005 : Debug: read_config_files: reading realms
Wed Dec 14 10:15:31 2005 : Debug: radiusd: entering modules setup
Wed Dec 14 10:15:31 2005 : Debug: Module: Library search path is /usr/local/radius5/lib
Segmentation Fault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Memory big problem
And to you thanks. Can i offer small patch for realization of comparison (!~) in rlm_checkval? --- rlm_checkval.c 2005-12-14 03:38:08.0 +1000 +++ rlm_checkval.c.patched 2005-12-14 10:15:59.0 +1000 @@ -208,6 +208,7 @@ VALUE_PAIR *chk_vp, *item_vp; VALUE_PAIR *tmp; char found = 0; + int opflag = T_OP_REG_EQ; /* quiet the compiler */ instance = instance; @@ -244,6 +245,9 @@ * Check if item != check */ found = 1; + + opflag = chk_vp->operator; + if (data->dat_type == PW_TYPE_STRING || data->dat_type == PW_TYPE_OCTETS) { if (item_vp->length != chk_vp->length) @@ -266,12 +270,18 @@ } #ifdef HAVE_REGEX_H if (ret == RLM_MODULE_REJECT && - chk_vp->operator == T_OP_REG_EQ) { + (chk_vp->operator == T_OP_REG_EQ || +chk_vp->operator == T_OP_REG_NE)) { regex_t reg; int err; char err_msg[MAX_STRING_LEN]; - DEBUG("rlm_checkval: Doing regex"); + if (opflag == T_OP_REG_EQ) { + DEBUG("rlm_checkval: Doing regex (=~)"); + } else { + DEBUG("rlm_checkval: Doing regex (!~)"); + } + err = regcomp(®, (char *)chk_vp->vp_strvalue, REG_EXTENDED|REG_NOSUB); if (err){ regerror(err, ®,err_msg, MAX_STRING_LEN); @@ -289,6 +299,14 @@ } while (ret == RLM_MODULE_REJECT && tmp != NULL); + if (opflag == T_OP_REG_NE) { + if (ret == RLM_MODULE_OK) + ret = RLM_MODULE_REJECT; + else + if (ret == RLM_MODULE_REJECT) + ret = RLM_MODULE_OK; + } + if (ret == RLM_MODULE_REJECT) { if (!item_vp && data->notfound_reject){ char module_fmsg[MAX_STRING_LEN]; - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
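Review bot: the "!~" inversion added after the do/while loop is driven by "opflag", which is overwritten with "chk_vp->operator" on every check item the loop visits, so in a check list that mixes "=~" and "!~" items only the operator of the last item visited decides whether the final OK/REJECT is flipped; record the negation per item inside the loop (or refuse mixed operators up front) rather than once after it. The flip also runs before the "if (ret == RLM_MODULE_REJECT) { if (!item_vp && data->notfound_reject)" block, so for a "!~" check a request that carries no item at all leaves the loop with RLM_MODULE_REJECT, is flipped to RLM_MODULE_OK, and notfound_reject is never consulted; handle the not-found case first and invert only a real comparison result. The "®" in "regcomp(®, ..." and "regerror(err, ®, ..." is "&reg" eaten by the archive's HTML entity decoding, not a change in the patch.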
Re: Two routers using the same Radius server?
Mark Tunnell wrote:
> Nice! That gets me almost all the way there. I'm able to authenticate using Auth-Type := Local. Now I just need to figure out how to authenticate that type of user name ([EMAIL PROTECTED]) using Auth-Type := System. Any ideas how to go about that?
>
>> Mark Tunnell wrote:
>>> Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this?
>>
>> Oh yea, Alan gave me a trick with the hints file that adds a realm to a client if one is not present that could also help.
>>
>> DEFAULT User-Name !~ ".*@", NAS-IP-Address == "ip of client"
>>         User-Name := "[EMAIL PROTECTED]"

Well, take a look at the docs and there is an explanation of the variables you can play with. I don't know what adding an @ in the username would do to a linux password file but my guess would be nothing spectacular. Running radiusd -X will give you what the cisco is passing and you can use that to decide what check attribute to manipulate.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
segmentation fault on solaris
Hi All,

Installing freeradius on Solaris is already a big headache; afterwards I encountered a Segmentation fault as well. I am using Freeradius-1.0.5. I guess it has something to do with radiusd.conf, since the segmentation fault only arises after I replaced the original radiusd.conf with the one we are going to use. But this radiusd.conf is able to work for freeradius-0.8 on Solaris or freeradius-1.0.5 on Debian.

pls advise. thanks in advance.

Below is what the debug mode shows:
***
Wed Dec 14 10:15:31 2005 : Info: Starting - reading configuration files ...
Wed Dec 14 10:15:31 2005 : Debug: reread_config: reading radiusd.conf
Wed Dec 14 10:15:31 2005 : Debug: Config: including file: /usr/local/radius5/raddb/proxy.conf
Wed Dec 14 10:15:31 2005 : Debug: Config: including file: /usr/local/radius5/raddb/clients.conf
Wed Dec 14 10:15:31 2005 : Debug: Config: including file: /usr/local/radius5/raddb/snmp.conf
Wed Dec 14 10:15:31 2005 : Debug: Config: including file: /usr/local/radius5/raddb/sql.conf
Wed Dec 14 10:15:31 2005 : Debug: main: prefix = "/usr/local/radius5"
Wed Dec 14 10:15:31 2005 : Debug: main: localstatedir = "/usr/local/radius5/var"
Wed Dec 14 10:15:31 2005 : Debug: main: logdir = "/usr/local/radius5/log"
Wed Dec 14 10:15:31 2005 : Debug: main: libdir = "/usr/local/radius5/lib"
Wed Dec 14 10:15:31 2005 : Debug: main: radacctdir = "/usr/local/radius5/radacct"
Wed Dec 14 10:15:31 2005 : Debug: main: hostname_lookups = no
Wed Dec 14 10:15:31 2005 : Debug: main: max_request_time = 40
Wed Dec 14 10:15:31 2005 : Debug: main: cleanup_delay = 5
Wed Dec 14 10:15:31 2005 : Debug: main: max_requests = 5120
Wed Dec 14 10:15:31 2005 : Debug: main: delete_blocked_requests = 0
Wed Dec 14 10:15:31 2005 : Debug: main: port = 1645
Wed Dec 14 10:15:31 2005 : Debug: main: allow_core_dumps = yes
Wed Dec 14 10:15:31 2005 : Debug: main: log_stripped_names = no
Wed Dec 14 10:15:31 2005 : Debug: main: log_file = "/usr/local/radius5/log/radius.log"
Wed Dec 14 10:15:31 2005 : Debug: main: log_auth = yes
Wed Dec 14 10:15:31 2005 : Debug: main: log_auth_badpass = no
Wed Dec 14 10:15:31 2005 : Debug: main: log_auth_goodpass = no
Wed Dec 14 10:15:31 2005 : Debug: main: pidfile = "/usr/local/radius5/var/run/radiusd.pid"
Wed Dec 14 10:15:31 2005 : Debug: main: user = "radius"
Wed Dec 14 10:15:31 2005 : Debug: main: group = "radius"
Wed Dec 14 10:15:31 2005 : Debug: main: usercollide = no
Wed Dec 14 10:15:31 2005 : Debug: main: lower_user = "no"
Wed Dec 14 10:15:31 2005 : Debug: main: lower_pass = "no"
Wed Dec 14 10:15:31 2005 : Debug: main: nospace_user = "no"
Wed Dec 14 10:15:31 2005 : Debug: main: nospace_pass = "no"
Wed Dec 14 10:15:31 2005 : Debug: main: checkrad = "/usr/local/radius5/sbin/checkrad"
Wed Dec 14 10:15:31 2005 : Debug: main: proxy_requests = yes
Wed Dec 14 10:15:31 2005 : Debug: proxy: retry_delay = 5
Wed Dec 14 10:15:31 2005 : Debug: proxy: retry_count = 3
Wed Dec 14 10:15:31 2005 : Debug: proxy: synchronous = no
Wed Dec 14 10:15:31 2005 : Debug: proxy: default_fallback = yes
Wed Dec 14 10:15:31 2005 : Debug: proxy: dead_time = 120
Wed Dec 14 10:15:31 2005 : Debug: proxy: post_proxy_authorize = yes
Wed Dec 14 10:15:31 2005 : Debug: proxy: wake_all_if_all_dead = no
Wed Dec 14 10:15:31 2005 : Debug: security: max_attributes = 200
Wed Dec 14 10:15:31 2005 : Debug: security: reject_delay = 0
Wed Dec 14 10:15:31 2005 : Debug: security: status_server = no
Wed Dec 14 10:15:31 2005 : Debug: main: debug_level = 0
Wed Dec 14 10:15:31 2005 : Debug: read_config_files: reading dictionary
Wed Dec 14 10:15:31 2005 : Debug: read_config_files: reading naslist
Wed Dec 14 10:15:31 2005 : Info: Using deprecated naslist file. Support for this will go away soon.
Wed Dec 14 10:15:31 2005 : Debug: read_config_files: reading clients
Wed Dec 14 10:15:31 2005 : Debug: read_config_files: reading realms
Wed Dec 14 10:15:31 2005 : Debug: radiusd: entering modules setup
Wed Dec 14 10:15:31 2005 : Debug: Module: Library search path is /usr/local/radius5/lib
Segmentation Fault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Two routers using the same Radius server?
Excellent! Thanks. Alan DeKok wrote: > Client-IP-Address. > > >>and approve or reject it based on that per user. > > > bob Client-IP-Address != 1.2.3.4, Auth-Type := Reject > Reply-Message = "go away, bob" > > Alan DeKok. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Two routers using the same Radius server?
Nice! That gets me almost all the way there. I'm able to authenticate using Auth-Type := Local. Now I just need to figure out how to authenticate that type of user name ([EMAIL PROTECTED]) using Auth-Type := System. Any ideas how to go about that?

Thanks,
Mark

Lewis Bergman wrote:
> Mark Tunnell wrote:
>
>> Suppose I have two Cisco routers both configured to authenticate to
>> the same radius server. How do I allow a particular user access to
>> one router but not the other? Is there a place in the clients.conf or
>> users file to configure this?
>>
> Oh yea, Alan gave me a trick with the hints file that adds a realm to a
> client if one is not present that could also help.
> DEFAULT User-Name !~ ".*@", NAS-IP-Address == "ip of client"
>         User-Name := "[EMAIL PROTECTED]"
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Two routers using the same Radius server?
Mark Tunnell <[EMAIL PROTECTED]> wrote:
> I'm using the local Linux system passwords for authentication. I
> guess I'm wondering if there is any way to identify where the
> authentication request is coming from

Client-IP-Address.

> and approve or reject it based on that per user.

bob Client-IP-Address != 1.2.3.4, Auth-Type := Reject
        Reply-Message = "go away, bob"

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Framed-Route ignored
Thank you very much. I will make one alteration for any future viewers. ip-up requires the full path of any executables. So, route should be /sbin/route or the path to route. Thank you even though it is clearly a pppd issue as I understand now.

Arthur

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Mayers
Sent: Tuesday, December 13, 2005 2:10 PM
To: FreeRadius users mailing list
Subject: Re: Framed-Route ignored

Arthur wrote:
> I have been trying to get this to work for a few days now with no
> success. I have set up poptop (PPTP) and it uses the
> /etc/ppp/options.pptp file which has a plugin for radius.
>
> plugin radius.so

This isn't a FreeRadius question, so it would be better to ask on the pppd mailing list, but that said:

> Radius will authenticate with my users fine, but I can't seem to get the
> Framed-Route option to do anything.
>
> I am trying to set a route for a mask and not just the single IP to
> device ppp connection.
>
> Does ppp just ignore the route and this option just doesn't work with
> ppp or pptp? Is there a workaround?

Yes, ppp ignores this option. You would have to patch pppd to do what you want directly.

However, there is also a "radattr" plugin, which puts the AVPs in /var/run/radattr.pppN in the following format:

Framed-Route 10.0.0.0/24 0.0.0.0 1

...so you could use the "ip-up" script to do this:

#!/bin/sh
# ip-up script knows about framed-route
# pppd invokes ip-up as: ip-up <interface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
IFNAME=$1
PEERIP=$5
AVP_PATH=/var/run/radattr

# Each Framed-Route line is "<prefix> <gateway> [<metric> ...]"; the peer's
# address is used as the gateway. ip-up runs with a minimal PATH, so give
# the full path to route (e.g. /sbin/route) if it is not found.
egrep -i '^Framed-Route ' $AVP_PATH.$IFNAME | while read attr val1 valN
do
    route add -net $val1 gw $PEERIP
done

...or something similar. You just need to have:

plugin radius.so
plugin radattr.so

...in your options file.

Hope that helps.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Two routers using the same Radius server?
Thanks. I'm using the local Linux system passwords for authentication. I guess I'm wondering if there is any way to identify where the authentication request is coming from and approve or reject it based on that per user. The comments in the users file mention "comm server name" but none of the examples in that file or the man page mention how this would be used.

Mark

Lewis Bergman wrote:
> Mark Tunnell wrote:
>
>> Suppose I have two Cisco routers both configured to authenticate to
>> the same radius server. How do I allow a particular user access to
>> one router but not the other? Is there a place in the clients.conf or
>> users file to configure this?
>>
> realms might be one way in addition to the obvious different password for
> the same username. I am assuming that the usernames are the same since
> you asked the question.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: -LAN clients -> was (no subject)
debik wrote:
> Is it possible to authenticate users on a LAN with freeradius, without any Access Point?

Any radius client will work as long as it is properly configured and in the docs as supported. You might want to browse the config files and doc files.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Two routers using the same Radius server?
Mark Tunnell wrote:
> Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this?

Oh yea, Alan gave me a trick with the hints file that adds a realm to a client if one is not present that could also help.

DEFAULT User-Name !~ ".*@", NAS-IP-Address == "ip of client"
        User-Name := "[EMAIL PROTECTED]"

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Two routers using the same Radius server?
Mark Tunnell wrote:
> Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this?

realms might be one way in addition to the obvious different password for the same username. I am assuming that the usernames are the same since you asked the question.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
(no subject)
Is it possible to authenticate users on a LAN with freeradius, without any Access Point?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Memory big problem
"Dmitry V. Pleganoff" <[EMAIL PROTECTED]> wrote:
> Thanks for corrections, valgrind has shown MUCH less losses.
>
> ==9603== 21 bytes in 1 blocks are definitely lost in loss record 27 of 124
> ==9603==    at 0x1B90659D: malloc (vg_replace_malloc.c:130)
> ==9603==    by 0x1D1A8E1F: ldap_instantiate (rlm_ldap.c:429)

Fixed.

> ==9603== 45 bytes in 6 blocks are definitely lost in loss record 44 of 124
> ==9603==    at 0x1B90659D: malloc (vg_replace_malloc.c:130)
> ==9603==    by 0x1BB4708F: strdup (in /lib/tls/libc-2.3.2.so)
> ==9603==    by 0x804ECF2: cf_item_parse (conffile.c:747)

Fixed.

> ==9603== 492 (108 direct, 384 indirect) bytes in 3 blocks are definitely
> lost in loss record 64 of 124
> ==9603==    at 0x1B90659D: malloc (vg_replace_malloc.c:130)
> ==9603==    by 0x1BBB6EE6: (within /lib/tls/libc-2.3.2.so)
> ==9603==    by 0x1BBB6788: __nss_database_lookup (in /lib/tls/libc-2.3.2.so)
> ==9603==    by 0x1BE0A797: ???
> ==9603==    by 0x1BB76A4B: getgrnam_r (in /lib/tls/libc-2.3.2.so)

Can't fix.

> ==9603== 340 bytes in 5 blocks are possibly lost in loss record 81 of 124
> ==9603==    at 0x1B906F75: calloc (vg_replace_malloc.c:175)
> ==9603==    by 0x1B8F2678: (within /lib/ld-2.3.2.so)
> ==9603==    by 0x1B8F294B: _dl_allocate_tls (in /lib/ld-2.3.2.so)
> ==9603==    by 0x1B93E24A: allocate_stack (in /lib/tls/libpthread-0.60.so)
> ==9603==    by 0x1B93DC54: pthread_create@@GLIBC_2.1 (in

Can't fix.

Thanks for the report.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Memory big problem
Thanks for corrections, valgrind has shown MUCH less losses.

==9603== 21 bytes in 1 blocks are definitely lost in loss record 27 of 124
==9603==    at 0x1B90659D: malloc (vg_replace_malloc.c:130)
==9603==    by 0x1D1A8E1F: ldap_instantiate (rlm_ldap.c:429)
==9603==    by 0x80568A6: find_module_instance (modules.c:314)
==9603==    by 0x8057192: setup_modules (modules.c:888)
==9603==    by 0x80560A0: read_mainconfig (mainconfig.c:1088)
==9603==    by 0x805976F: main (radiusd.c:281)
==9603==
==9603==
==9603== 45 bytes in 6 blocks are definitely lost in loss record 44 of 124
==9603==    at 0x1B90659D: malloc (vg_replace_malloc.c:130)
==9603==    by 0x1BB4708F: strdup (in /lib/tls/libc-2.3.2.so)
==9603==    by 0x804ECF2: cf_item_parse (conffile.c:747)
==9603==    by 0x80562AF: read_mainconfig (mainconfig.c:884)
==9603==    by 0x805976F: main (radiusd.c:281)
==9603==
==9603==
==9603== 492 (108 direct, 384 indirect) bytes in 3 blocks are definitely lost in loss record 64 of 124
==9603==    at 0x1B90659D: malloc (vg_replace_malloc.c:130)
==9603==    by 0x1BBB6EE6: (within /lib/tls/libc-2.3.2.so)
==9603==    by 0x1BBB6788: __nss_database_lookup (in /lib/tls/libc-2.3.2.so)
==9603==    by 0x1BE0A797: ???
==9603==    by 0x1BB76A4B: getgrnam_r (in /lib/tls/libc-2.3.2.so)
==9603==    by 0x1BB76170: getgrnam (in /lib/tls/libc-2.3.2.so)
==9603==    by 0x80554AA: switch_users (mainconfig.c:501)
==9603==    by 0x8055FDC: read_mainconfig (mainconfig.c:1016)
==9603==    by 0x805976F: main (radiusd.c:281)
==9603==
==9603==
==9603== 340 bytes in 5 blocks are possibly lost in loss record 81 of 124
==9603==    at 0x1B906F75: calloc (vg_replace_malloc.c:175)
==9603==    by 0x1B8F2678: (within /lib/ld-2.3.2.so)
==9603==    by 0x1B8F294B: _dl_allocate_tls (in /lib/ld-2.3.2.so)
==9603==    by 0x1B93E24A: allocate_stack (in /lib/tls/libpthread-0.60.so)
==9603==    by 0x1B93DC54: pthread_create@@GLIBC_2.1 (in /lib/tls/libpthread-0.60.so)
==9603==    by 0x805CD6C: spawn_thread (threads.c:703)
==9603==    by 0x805CFDD: thread_pool_init (threads.c:878)
==9603==    by 0x80597EB: main (radiusd.c:391)
==9603==
==9603== LEAK SUMMARY:
==9603==    definitely lost: 174 bytes in 10 blocks.
==9603==    indirectly lost: 384 bytes in 32 blocks.
==9603==      possibly lost: 340 bytes in 5 blocks.
==9603==    still reachable: 1554785 bytes in 25099 blocks.
==9603==         suppressed: 0 bytes in 0 blocks.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: accounting & lost traffic
did you just start using mysql with this? Check in your log location for the IP address of the log information. I created a sym link off our IPs to write to only one detail file.

----- Original Message -----
From: <[EMAIL PROTECTED]>
To:
Sent: Tuesday, December 13, 2005 3:22 PM
Subject: accounting & lost traffic

Hi, freeradius-users.

Tell me please: when I use the standard config, my accounting is saved ONLY AFTER SESSION CLOSE. If a user has a session of 19 hours and the server hangs up or something else happens, I lose the user's traffic! I tried to use Acct-Interim-Interval like http://lists.cistron.nl/pipermail/freeradius-users/2005-April/042710.html but in my SQL table I do not see any changes. (I use freeradius-mysql.) PLEASE HELP

--
Best Regards,
Andreas
Wednesday, December 14, 2005 1:05:05 AM
"Do not hesitate to ask me"
ICQ UIN 177624
http://ServersLease.net - Offshore Dedicated Servers, Offshore Collocation
http://HOST-LUX.RU - Offshore Virtual Hosting, Web Hosting, as low as 5$ per 1Gb HDD/month
http://Reg-Master.net - Register`s Master of Domains
http://Web-Media.Ru - Web Design studio.
http://VEHICLE.RU - cars to order from the USA
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Two routers using the same Radius server?
Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this? Thanks, Mark - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dictionary files for HP Procurve switch?
Mark Tunnell <[EMAIL PROTECTED]> wrote:
> Can anyone point me to dictionary file for an HP ProCurve 2650 switch?

Ask HP. I've never used one of those switches, or seen an HP dictionary.

Alan DeKok.
accounting & lost traffic
Hi, freeradius-users.

Tell me please: when I use the standard config, my accounting is saved ONLY AFTER SESSION CLOSE. If a user has a 19-hour session and the server hangs up or something else happens, I lose the user's traffic!

I tried using Acct-Interim-Interval like http://lists.cistron.nl/pipermail/freeradius-users/2005-April/042710.html but in my SQL table I do not see any changes. (I use freeradius-mysql)

PLEASE HELP

--
Best Regards,
Andreas
Wednesday, December 14, 2005 1:05:05 AM
"Do not hesitate to ask me"
ICQ UIN 177624
http://ServersLease.net - Offshore Dedicated Servers, Offshore Collocation
http://HOST-LUX.RU - Offshore Virtual Hosting, Web Hosting, as low as 5$ per 1Gb HDD/month
http://Reg-Master.net - Register's Master of Domains
http://Web-Media.Ru - Web Design studio.
http://VEHICLE.RU - cars to order from the USA
Re: LDAP: Variables in "identity" setting
Derrick Woo wrote:
> Hello Phil,
>
> Thanks for your response. However as I had mentioned in my post, this particular LDAP server uses a person's username and password for binding. There is no service account and anonymous binds are not allowed. Commenting out identity and password did not work.
>
> Am I out of luck here?

Ah, you don't want to search *at all*. Remove "ldap" from the authorize section, leave it in the "authenticate" section, and set:

DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`

...in the users file. (Adding the Ldap-UserDN is basically what the ldap module *does* in the authorize section). This is documented in doc/rlm_ldap
Dictionary files for HP Procurve switch?
Can anyone point me to a dictionary file for an HP ProCurve 2650 switch? I've got basic authentication functioning but I don't have the information I need to get the privilege level working.

Thanks,
Mark
Framed-Route ignored (repost in TXT)
I have been trying to get this to work for a few days now with no success. I have set up poptop (PPTP) and it uses the /etc/ppp/options.pptp file which has a plugin for radius.

plugin radius.so

Radius will authenticate with my users fine, but I can't seem to get the Framed-Route option to do anything. I am trying to set a route for a mask and not just the single IP to device ppp connection. Does ppp just ignore the route and this option just doesn't work with ppp or pptp? Is there a workaround?

Thank you,
Arthur

I am also using a SQL connection so the information will be left in that format.

radius=# select * from radgroupcheck;
 id | groupname | attribute | op | value
----+-----------+-----------+----+---------
  1 | static    | Auth-Type | := | MS-CHAP

radius=# select * from radgroupreply;
 id | groupname | attribute          | op | value
----+-----------+--------------------+----+---------------------
  1 | static    | Framed-Protocol    | := | PPP
  2 | static    | Service-Type       | := | Framed-user
  3 | static    | Framed-Compression | := | Van-Jacobsen-TCP-IP

radius=# select * from radreply;
 id | username | attribute         | op | value
----+----------+-------------------+----+-----------------------
  1 | arthur   | Framed-IP-Address | := | 10.0.0.4
  3 | arthur   | Framed-Routing    | := | None
  2 | arthur   | Framed-IP-Netmask | := | 255.255.255.0
  4 | arthur   | Framed-Route      | := | 10.0.0.0/24 0.0.0.0 1

The options file contains:

plugin radius.so
lock
mtu 1490
mru 1490
multilink
#proxyarp
auth
ipcp-accept-remote
lcp-echo-failure 30
lcp-echo-interval 5
deflate 0
+mschap-v2
mppe required
nopcomp
noaccomp

pptpd.conf
localip 191.168.4.1

- VERSIONS OF THINGS
pptpd-1.2.3
pppd version 2.4.3
FreeRadius 1.05

RADIUS output snippet
        Framed-IP-Address := 10.0.0.4
        Framed-IP-Netmask := 255.255.255.0
        Framed-Routing := None
        Framed-Route := "10.0.0.0/24 0.0.0.0 1"
        Framed-Protocol := PPP
        Service-Type := Framed-User
        Framed-Compression := Van-Jacobson-TCP-IP
        MS-CHAP2-Success = *
        MS-MPPE-Recv-Key = *
        MS-MPPE-Send-Key = *
        MS-MPPE-Encryption-Policy = 0x0002
        MS-MPPE-Encryption-Types = 0x0004
rad_recv: Accounting-Request packet from host 127.0.0.1:32798, id=114, length=112
        Acct-Session-Id = "439E72E33A2C00"
        User-Name = "arthur"
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "**.**.**.**"
        Acct-Authentic = RADIUS
        NAS-Port-Type = Async
        Framed-IP-Address = 10.0.0.4
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Acct-Delay-Time = 0

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.4        *               255.255.255.255 UH    0      0        0 ppp0
192.168.3.0     *               255.255.255.0   U     0      0        0 eth2
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
Re: LDAP: Variables in "identity" setting
Hello Phil,

Thanks for your response. However as I had mentioned in my post, this particular LDAP server uses a person's username and password for binding. There is no service account and anonymous binds are not allowed. Commenting out identity and password did not work.

Am I out of luck here?

On 12/13/05, Phil Mayers <[EMAIL PROTECTED]> wrote:
> Derrick Woo wrote:
> > The LDAP server we have set up is used to authenticate users based on their
> > username and password. If I were to query from the (Linux) command line
> > using ldapsearch, the query would appear as follows:
> >
> > ldapsearch -x -h ldap.domain.com -b ou=ldap,o=domain.com -D uid=XXX,ou=it,o=domain.com -w 'YYY'
> >
> > Where XXX is a person's username and YYY is their password. That means a
> > person can only query their own information and not anyone else's (unless, of
> > course, they have someone else's username and password).
> >
> > From what I can see, it doesn't appear as though the %{User-Name} variable
> > can be used within the "identity" setting in freeRADIUS 1.0.1. If that's
> > correct, does it mean freeRadius won't be able to be used for this
> > particular set up? If I hardcode a test username and password in the
> > configuration as follows:
> >
> > server = "ldap.domain.com"
> > identity = "uid=XXX,ou=it,o=domain.com"
> > password = 'YYY'
> > basedn = "ou=ldap,o=domain.com"
> >
> > it binds correctly. However, for our particular setup, both the username
> > and password used to bind to the server need to be variable at run time.
>
> "identity" and "password" are the DN and password of a user representing
> the *server*, e.g.
>
> identity = "uid=freeRadiusServiceAccount,o=domain.com"
>
> ...the LDAP module first binds as identity, searches using the given
> "basedn" and "filter", then re-binds as the user, or returns access
> denied / not found.
>
> If you don't have a service account and allow anonymous binds (eek) just
> comment identity and password out.
Re: Framed-Route ignored
Arthur Sigel wrote:
> I have been trying to get this to work for a few days now with no success. I have set up poptop (PPTP) and it uses the /etc/ppp/options.pptp file which has a plugin for radius.
>
> plugin radius.so

This isn't a FreeRadius question, so it would be better to ask on the pppd mailing list, but that said:

> Radius will authenticate with my users fine, but I can't seem to get the Framed-Route option to do anything. I am trying to set a route for a mask and not just the single IP to device ppp connection. Does ppp just ignore the route and this option just doesn't work with ppp or pptp? Is there a workaround?

Yes, ppp ignores this option. You would have to patch pppd to do what you want directly.

However, there is also a "radattr" plugin, which puts the AVPs in /var/run/radattr.pppN in the following format:

Framed-Route 10.0.0.0/24 0.0.0.0 1

...so you could use the "ip-up" script to do this:

#!/bin/sh
# ip-up script that knows about Framed-Route
# pppd passes: $1 = interface name (pppN), $5 = remote (peer) IP address
IFNAME=$1
PEERIP=$5
AVP_PATH=/var/run/radattr

# radattr writes one "Attribute value ..." line per AVP; pick out the Framed-Route ones
egrep -i '^Framed-Route ' "$AVP_PATH.$IFNAME" | while read -r attr val1 valN
do
    # val1 is the prefix ("10.0.0.0/24"); route it via the peer's address
    route add -net "$val1" gw "$PEERIP"
done

...or something similar. You just need to have:

plugin radius.so
plugin radattr.so

...in your options file.

Hope that helps.
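A more defensive take on that ip-up idea, added here as an example and not Phil Mayers' script: it validates every Framed-Route prefix before it can become part of a route command, and it honours a non-zero gateway in the AVP (RFC 2865 says 0.0.0.0 means "use the peer's address"), which goes a step beyond the thread. The radattr file contents are constructed, and framed_route_cmds only prints the commands so they can be checked before being run.

```shell
#!/bin/sh
# Added example (not the script from the thread): turn Framed-Route AVPs in a
# pppd radattr file (/var/run/radattr.pppN, one "Attribute value" per line)
# into validated "route add" commands. Assumed AVP format, as quoted in the
# thread: "Framed-Route prefix/len gateway metric".

# valid_prefix a.b.c.d/len -> returns 0 only for a well-formed IPv4 prefix
# (each octet 0..255, len 0..32). Anything else is refused, so a bad value
# in a RADIUS reply never reaches the route command.
valid_prefix() {
    expr "$1" : '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/[0-9]\{1,2\}$' >/dev/null || return 1
    len=${1#*/}
    addr=${1%/*}
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# framed_route_cmds <radattr file> <peer ip> -> prints one
# "route add -net <prefix> gw <gateway>" line per acceptable Framed-Route.
# Per RFC 2865 a gateway of 0.0.0.0 means "use the peer's address", which is
# what pppd's ip-up script receives as $5.
framed_route_cmds() {
    avp_file=$1
    peer_ip=$2
    while read -r attr prefix gateway metric rest; do
        [ "$attr" = "Framed-Route" ] || continue
        if ! valid_prefix "$prefix"; then
            echo "skipping malformed Framed-Route prefix: $prefix" >&2
            continue
        fi
        gw=$peer_ip
        if [ -n "$gateway" ] && [ "$gateway" != "0.0.0.0" ]; then
            # an explicit gateway must itself be a valid host address
            if ! valid_prefix "$gateway/32"; then
                echo "skipping Framed-Route with bad gateway: $gateway" >&2
                continue
            fi
            gw=$gateway
        fi
        echo "route add -net $prefix gw $gw"
    done < "$avp_file"
}

# Constructed sample radattr file: one route via the peer, one with an
# explicit gateway, and two malformed prefixes that must be rejected.
demo_radattr=$(mktemp)
cat > "$demo_radattr" <<'EOF'
Framed-IP-Address 10.0.0.4
Framed-Route 10.0.0.0/24 0.0.0.0 1
Framed-Route 10.1.0.0/16 10.0.0.9 1
Framed-Route 999.0.0.0/24 0.0.0.0 1
Framed-Route 10.2.0.0/40 0.0.0.0 1
EOF
framed_route_cmds "$demo_radattr" 10.0.0.4
rm -f "$demo_radattr"
```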
Re: parsing certificate fields ?
Done; submitted patch as bug 300.

Thanks,
Walter

On 12/10/05, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Walter Goulet <[EMAIL PROTECTED]> wrote:
> > I wonder about this actually; I submitted a patch to pam_radius_auth and
> > didn't get any comments or feedback of any kind. Maybe the diff was too
> > big or something, but I would have expected to get at least a gruff
> > 'your patch sucks' if that was the case...
>
> Or, people are too busy to answer every message.
>
> Patches should be submitted on bugs.freeradius.org, so they're
> public, and not lost in someone's inbox.
>
> Alan DeKok.
Framed-Route ignored
I have been trying to get this to work for a few days now with no success. I have set up poptop (PPTP) and it uses the /etc/ppp/options.pptp file which has a plugin for radius.

plugin radius.so

Radius will authenticate with my users fine, but I can't seem to get the Framed-Route option to do anything. I am trying to set a route for a mask and not just the single IP to device ppp connection. Does ppp just ignore the route and this option just doesn't work with ppp or pptp? Is there a workaround?

Thank you,
Arthur

I am also using a SQL connection so the information will be left in that format.

radius=# select * from radgroupcheck;
 id | groupname | attribute | op | value
----+-----------+-----------+----+---------
  1 | static    | Auth-Type | := | MS-CHAP

radius=# select * from radgroupreply;
 id | groupname | attribute          | op | value
----+-----------+--------------------+----+---------------------
  1 | static    | Framed-Protocol    | := | PPP
  2 | static    | Service-Type       | := | Framed-user
  3 | static    | Framed-Compression | := | Van-Jacobsen-TCP-IP

 id | username | attribute         | op | value
----+----------+-------------------+----+-----------------------
  1 | arthur   | Framed-IP-Address | := | 10.0.0.4
  3 | arthur   | Framed-Routing    | := | None
  2 | arthur   | Framed-IP-Netmask | := | 255.255.255.0
  4 | arthur   | Framed-Route      | := | 10.0.0.0/24 0.0.0.0 1

The options file contains:

plugin radius.so
lock
mtu 1490
mru 1490
multilink
#proxyarp
auth
ipcp-accept-remote
lcp-echo-failure 30
lcp-echo-interval 5
deflate 0
+mschap-v2
mppe required
nopcomp
noaccomp

pptpd.conf
localip 191.168.4.1

- VERSIONS OF THINGS
pptpd-1.2.3
pppd version 2.4.3
FreeRadius 1.05

RADIUS output snippet
        Framed-IP-Address := 10.0.0.4
        Framed-IP-Netmask := 255.255.255.0
        Framed-Routing := None
        Framed-Route := "10.0.0.0/24 0.0.0.0 1"
        Framed-Protocol := PPP
        Service-Type := Framed-User
        Framed-Compression := Van-Jacobson-TCP-IP
        MS-CHAP2-Success = *
        MS-MPPE-Recv-Key = *
        MS-MPPE-Send-Key = *
        MS-MPPE-Encryption-Policy = 0x0002
        MS-MPPE-Encryption-Types = 0x0004
rad_recv: Accounting-Request packet from host 127.0.0.1:32798, id=114, length=112
        Acct-Session-Id = "439E72E33A2C00"
        User-Name = "arthur"
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "**.**.**.**"
        Acct-Authentic = RADIUS
        NAS-Port-Type = Async
        Framed-IP-Address = 10.0.0.4
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Acct-Delay-Time = 0

Routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.4        *               255.255.255.255 UH    0      0        0 ppp0
192.168.3.0     *               255.255.255.0   U     0      0        0 eth2
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
Re: LDAP: Variables in "identity" setting
Derrick Woo wrote:
> The LDAP server we have set up is used to authenticate users based on their username and password. If I were to query from the (Linux) command line using ldapsearch, the query would appear as follows:
>
> ldapsearch -x -h ldap.domain.com -b ou=ldap,o=domain.com -D uid=XXX,ou=it,o=domain.com -w 'YYY'
>
> Where XXX is a person's username and YYY is their password. That means a person can only query their own information and not anyone else's (unless, of course, they have someone else's username and password).
>
> From what I can see, it doesn't appear as though the %{User-Name} variable can be used within the "identity" setting in freeRADIUS 1.0.1. If that's correct, does it mean freeRadius won't be able to be used for this particular set up? If I hardcode a test username and password in the configuration as follows:
>
> server = "ldap.domain.com"
> identity = "uid=XXX,ou=it,o=domain.com"
> password = 'YYY'
> basedn = "ou=ldap,o=domain.com"
>
> it binds correctly. However, for our particular setup, both the username and password used to bind to the server need to be variable at run time.

"identity" and "password" are the DN and password of a user representing the *server*, e.g.

identity = "uid=freeRadiusServiceAccount,o=domain.com"

...the LDAP module first binds as identity, searches using the given "basedn" and "filter", then re-binds as the user, or returns access denied / not found.

If you don't have a service account and allow anonymous binds (eek) just comment identity and password out.
Re: EAP-TTLS with LDAP authentication?
Konne <[EMAIL PROTECTED]> wrote:
> is it possible to do EAP-TTLS with LDAP authentication or what is the
> best and secure way?

It depends on the authentication method inside of EAP-TTLS.

> i have an AP cisco aironet 1242, Debian with Freeradius and a W2k3
> Server with the Active Directory.

Ugh. Active Directory isn't really an LDAP server. Your choices for the tunneled authentication method are PAP and MS-CHAP.

Alan DeKok.
Re: Memory big problem
"Dmitry V. Pleganoff" <[EMAIL PROTECTED]> wrote:
> By the way, rlm_checkval meets in most cases losses

Please re-run valgrind after re-building, and post any leaks. They should be fixed, too.

I've run valgrind on the CVS head, but I don't have every possible code path tested, so I can't find all of the leaks.

Alan DeKok.
Re: Memory big problem
"Dmitry V. Pleganoff" <[EMAIL PROTECTED]> wrote:
> Thanks, I have tried Valgrind. Valgrind have given out as a result of 20
> losses and possible losses of memory. Basically from several bytes up to 200
> kbytes for 30 seconds of work. The largest following.

There was a missing "regfree" in rlm_checkval. Do a 'cvs update', re-build, and re-install.

Alan DeKok.
Re: SQL authenticate & Proxying
[EMAIL PROTECTED] wrote:
> I want to use the sql authentication module to provide a list of users.

The SQL module doesn't do authentication. The "authorise" section can check the DB for the existence of a user.

> Everyone in this list should be proxied. However, if you aren't in the
> table, then you should immediately be rejected.

Configure everyone in the list to be proxied via the Proxy-To-Realm attribute. Then, don't have any authentication methods for anyone else. The default behavior of the server is to reject users.

Alan DeKok.
Re: allowed characters in User-Password?
Nils-Henner Krueger <[EMAIL PROTECTED]> wrote:
> At first sight everything worked fine but after following the
> log for a while it turns out that (too) many users were rejected.
>
> All the rejected accounts have a "%" sign in the User-Password.

See doc/variables.txt

> How can I get around this problem? There are a few thousand
> dialin accounts, out of them about 300 have a "%" in the password
> so I can't simply call them and solve that directly, not speaking
> about other chars that might make trouble, too.

Escape the % via \%.

Alan DeKok.
LDAP: disable filter setting?
I tried searching for it, but haven't come up with any solution. Is there a way to disable the filter rule in the LDAP section of freeRADIUS 1.0.1? If I comment out the filter setting in radiusd.conf, it seems to default to (uid=%{User-Name}) according to the logs. I ask because the server I am trying to bind to has not implemented filters.
LDAP: Variables in "identity" setting
The LDAP server we have set up is used to authenticate users based on their username and password. If I were to query from the (Linux) command line using ldapsearch, the query would appear as follows:

ldapsearch -x -h ldap.domain.com -b ou=ldap,o=domain.com -D uid=XXX,ou=it,o=domain.com -w 'YYY'

Where XXX is a person's username and YYY is their password. That means a person can only query their own information and not anyone else's (unless, of course, they have someone else's username and password).

From what I can see, it doesn't appear as though the %{User-Name} variable can be used within the "identity" setting in freeRADIUS 1.0.1. If that's correct, does it mean freeRadius won't be able to be used for this particular set up? If I hardcode a test username and password in the configuration as follows:

server = "ldap.domain.com"
identity = "uid=XXX,ou=it,o=domain.com"
password = 'YYY'
basedn = "ou=ldap,o=domain.com"

it binds correctly. However, for our particular setup, both the username and password used to bind to the server need to be variable at run time.
allowed characters in User-Password?
I tried to replace a very old Livingston RADIUS installation with FreeRadius 1.0.1 (using the Solaris pkg from Blastwave). I used the "compat = cistron" directive to simply continue with the existing users file for a first test.

At first sight everything worked fine but after following the log for a while it turns out that (too) many users were rejected.

All the rejected accounts have a "%" sign in the User-Password.

Are there any restrictions on the character set used for the User-Password attribute? Which special chars are forbidden? Where can I find information on that subject?

How can I get around this problem? There are a few thousand dialin accounts, out of them about 300 have a "%" in the password so I can't simply call them and solve that directly, not speaking about other chars that might make trouble, too.

Thanks for help!
nhk
configuration question
At a switch we do 802.1x authentication with freeradius via EAP-TLS. We take the User-Name from the certificate and check against AD whether a valid account belongs to that machine. If so, different data are returned from AD, among others the primaryGroupID. This group id shall be assigned as vlan-id to the switch, if - and only if - this vlan-id is known by the switch; if not, a default vlan should be set up.

I want to store the vlans a switch knows about in a database and start a query, using the primaryGroupID from AD, to get the information whether the switch knows this vlan. If not, a default vlan id shall be assigned. As I did not yet succeed in the last part, my question is: Is this at all possible? How can I refer to the primaryGroupID when querying the database? Is there a much better solution for that problem?

Thanks
Norbert Wegener
Re: Documentation on Group Locking using FreeRADIUS/AD/Cisco VPN Concentrator
Alhagie Puye wrote:
> Hello all,
>
> I have spent a fair bit of time trying to get FreeRADIUS/Active Directory/Cisco VPN Concentrator 3005 to lock users into a group using the class attribute. Dusty Doris gave me a hand too. It has been tested and it works as expected.
>
> http://www.cisco.com/warp/public/471/altigagroup.html
>
> This feature is very, very neat and flexible.
>
> I would now like to write up a step-by-step document on how to make these work together. I don't have a public web site to host this page. I'm looking for suggestions on how to make it readily available to other users since the VPN Concentrator is gaining popularity. Is the wiki page mentioned here a while back going to materialize? Or should I write up a text document so that it could be added to the doc/ directory in the source code?

wiki.freeradius.org
Re: Load Test the radius server
[EMAIL PROTECTED] wrote:
> Hello all,
>
> Are there any scripts or tools I could use to stress test our radius server? I need to test to see if the server we have configured would be able to handle 5000 connections trying to log in in a few seconds.

The server can handle that without question. If you are using a DB, that might be your weak point. At least some tweaking might be necessary to allow enough connections to the backend. We use the redundant config onto a mysql cluster and it nicely handles our load.
Re: SQL authenticate & Proxying
[EMAIL PROTECTED] wrote:
> I'm looking to implement a type of double check authentication using freeradius. I want to use the sql authentication module to provide a list of users. Everyone in this list should be proxied. However, if you aren't in the table, then you should immediately be rejected. I don't have control of the home radius server, so I can't make any modifications there. Generally, I just want to allow a controlled sub-group of users to access the system.
>
> At this point the sql module seems to be working (it is accounting and in debug mode I do see it run queries), however, it proxies the request regardless of whether the user is in the usergroup table.
>
> Thanks

Fall-Through := Yes
DEFAULT Auth-Type := Reject

The above might work. Having never tried this before I can't say.
Re: Load Test the radius server
[EMAIL PROTECTED] wrote:
> Is there any scripts or tools I could use to stress test our radius
> server? I need to test so to see if the server we have configured would
> be able to handle 5000 connections trying to login in a few seconds.

You may use radclient with the -p option (from a CVS snapshot of FreeRADIUS).

--
Nicolas Baradakis
EAP-TTLS with LDAP authentication?
hi

is it possible to do EAP-TTLS with LDAP authentication or what is the best and secure way?

i have an AP cisco aironet 1242, Debian with Freeradius and a W2k3 Server with the Active Directory.

what do you suggest?

thx