Re: PEAP error with 1.1.0
Nicolas Baradakis wrote:
> [EMAIL PROTECTED] wrote:
>> I'm trying to get Freeradius 1.1.0 running on a Debian Sarge box. I compiled and built the deb packages from the tarball according to the FAQ instructions.
>> [...]
>> rlm_eap: Failed to link EAP-Type/peap: rlm_eap_peap.so: cannot open shared object file: No such file or directory
>
> It's a known problem. Nobody has managed to build the modules rlm_eap_peap and rlm_eap_ttls on Debian. See bug #335890 on the Debian BTS.
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=335890
>
> It will be fixed in version 1.1.1. In the meantime, you might use a CVS snapshot, and it will work.

I know it is not a good solution, but I removed the patch in the debian directory, built the package and that works.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP error with 1.1.0
Nicolas Baradakis wrote:
> [EMAIL PROTECTED] wrote:
>> I'm trying to get Freeradius 1.1.0 running on a Debian Sarge box. I compiled and built the deb packages from the tarball according to the FAQ instructions.
>> [...]
>> rlm_eap: Failed to link EAP-Type/peap: rlm_eap_peap.so: cannot open shared object file: No such file or directory
>
> It's a known problem. Nobody has managed to build the modules rlm_eap_peap and rlm_eap_ttls on Debian. See bug #335890 on the Debian BTS.
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=335890
>
> It will be fixed in version 1.1.1. In the meantime, you might use a CVS snapshot, and it will work.

Oops, in fact when I try to authenticate, the server is broken, so...
Problem in sending PAP Authentication with radclient
Hello,

We have set the PAP scheme to MD5 in "radius.conf". Now we can't authenticate users using "radclient". When the configuration changes from 'MD5' to 'Clear text', everything is good. What should we do if we want to send the password using the MD5 method? If "radclient" doesn't support this, can you suggest an open source RADIUS client which can do this?

Thanks.
Re: rlm_eap.so
Nicolas Baradakis writes:
> I don't see libeap.so in the output of ldd. Something is wrong here, because rlm_eap depends on libeap.
> You could try to re-build FreeRADIUS with ./configure --disable-shared.

It is undesirable to use static libraries. I have found a similar problem on the Internet:

= Adding -leap -L../../libeap to the RLM_LIBS line in
= src/modules/rlm_eap/types/rlm_eap_ttls/Makefile fixed that, but I'm almost
= positive that's not the right solution. It means rlm_eap_ttls.so shows
= rlm_eap.so in its ldd output.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg03597.html
Re: Debian + Exec-Program = Zombie process
George Chelidze [EMAIL PROTECTED] writes:

> as soon as I send accounting stop packet to radius, test.pl executes and becomes a zombie. (I tried bash script, c program with the same result.)
>
>  3890 ?        Ss     0:00 /usr/local/freeradius/sbin/radiusd
>  3893 ?        Z      0:00  \_ [test.pl] <defunct>
>
> As far as I know, this should have been fixed in 1.0.3 and I doubt it's debian specific, as I know 0.93 works on another RH 7.3 without a problem (In fact zombie is listed there as well but disappears after several seconds). Any ideas/suggestions?

Is it replaced by a new zombie the next time you send an accounting packet, or do the zombies add up?

The way I read rad_fork(), it will call reap_children() every time it is called. But there's not necessarily anything calling reap_children() in between. This means that zombies will only live forever on servers without traffic.

You should probably read the comment in front of reap_children() in src/main/threads.c. I believe it explains why this design was chosen.

Bjørn
libeap.so
Hm...

Warning: Linking the executable radeapclient against the loadable module libeap.so is not portable!

[EMAIL PROTECTED] root]# ls /usr/lib/freeradius/libeap.so
/usr/lib/freeradius/libeap.so
Re: Debian + Exec-Program = Zombie process
Bjørn Mork wrote:
> George Chelidze [EMAIL PROTECTED] writes:
>> as soon as I send accounting stop packet to radius, test.pl executes and becomes a zombie. (I tried bash script, c program with the same result.)
>>
>>  3890 ?        Ss     0:00 /usr/local/freeradius/sbin/radiusd
>>  3893 ?        Z      0:00  \_ [test.pl] <defunct>
>>
>> As far as I know, this should have been fixed in 1.0.3 and I doubt it's debian specific, as I know 0.93 works on another RH 7.3 without a problem (In fact zombie is listed there as well but disappears after several seconds). Any ideas/suggestions?
>
> Is it replaced by a new zombie the next time you send an accounting packet, or do the zombies add up?

Zombies add up even when I recompile without the --without-threads option.

> The way I read rad_fork(), it will call reap_children() every time it is called. But there's not necessarily anything calling reap_children() in between. This means that zombies will only live forever on servers without traffic.
>
> You should probably read the comment in front of reap_children() in src/main/threads.c. I believe it explains why this design was chosen.

If I understood things correctly, if I compile radius without threads support reap_children() won't be called and zombies will add up? I am not against compiling it with threads support, but unfortunately I get something like this:

18439 ?        Ss     0:00 /usr/local/freeradius/sbin/radiusd
18440 ?        S      0:00  \_ /usr/local/freeradius/sbin/radiusd
18441 ?        S      0:00  \_ /usr/local/freeradius/sbin/radiusd
18460 ?        Z      0:00  |   \_ [test.pl] <defunct>
18492 ?        Z      0:00  |   \_ [test.pl] <defunct>
18442 ?        S      0:00  \_ /usr/local/freeradius/sbin/radiusd
18480 ?        Z      0:00  |   \_ [test.pl] <defunct>
18443 ?        S      0:00  \_ /usr/local/freeradius/sbin/radiusd
18483 ?        Z      0:00  |   \_ [test.pl] <defunct>
18444 ?        S      0:00  \_ /usr/local/freeradius/sbin/radiusd
18486 ?        Z      0:00  |   \_ [test.pl] <defunct>
18445 ?        S      0:00  \_ /usr/local/freeradius/sbin/radiusd
18489 ?        Z      0:00      \_ [test.pl] <defunct>

> Bjørn

Thanks a lot for your reply
Re: rlm_eap.so
Anton Gorlov wrote:
>> You could try to re-build FreeRADIUS with ./configure --disable-shared.
>
> It is undesirable to use static libraries.

Then you could try to build FreeRADIUS from a CVS snapshot: the build process of rlm_eap and libeap should work better.

-- 
Nicolas Baradakis
Re: rlm_eap.so
Nicolas Baradakis writes:
>>> You could try to re-build FreeRADIUS with ./configure --disable-shared.
>>
>> It is undesirable to use static libraries.
>
> Then you could try to build FreeRADIUS from a CVS snapshot: the build process of rlm_eap and libeap should work better.

freenibs does not build from CVS.

configure: warning: CC=gcc: invalid host type
configure: warning: CFLAGS=-pipe -Wall -O2 -march=i686: invalid host type
configure: error: can only configure for one host and one target at a time
configure: error: /bin/sh './configure' failed for src/modules/rlm_nibs
Re: Debian + Exec-Program = Zombie process
> as soon as I send accounting stop packet to radius, test.pl executes and becomes a zombie. (I tried bash script, c program with the same result.)
>
>  3890 ?        Ss     0:00 /usr/local/freeradius/sbin/radiusd
>  3893 ?        Z      0:00  \_ [test.pl] <defunct>
>
> As far as I know, this should have been fixed in 1.0.3 and I doubt it's debian specific, as I know 0.93 works on another RH 7.3 without a problem (In fact zombie is listed there as well but disappears after several seconds). Any ideas/suggestions?

Did you try version 1.0.1 indeed? I had this problem several months ago with versions 1.0.4 and 1.0.5, but in case of 1.0.1 it works. As I know version 1.0.1 hasn't this problem. My server configuration is similar to yours: Debian 3.1 (Sarge)
Error: Assertion failed in request_list.c, line 1119
I'm using freeradius-snapshot-20060115. I have this error:

Tue Jan 17 19:56:34 2006 : Error: rlm_sql: Failed to create the pair: Unknown attribute 1
Tue Jan 17 19:56:34 2006 : Error: rlm_sql (sql): Error getting data from database
Tue Jan 17 19:56:34 2006 : Error: rlm_sql (sql): SQL query error; rejecting user
Tue Jan 17 20:00:16 2006 : Info: Ready to process requests.
Tue Jan 17 20:00:55 2006 : Error: Assertion failed in request_list.c, line 1119

I don't understand the code in request_list.c??? Please... How to debug this problem?

-- 
~_|[]~
Re: Debian + Exec-Program = Zombie process
Rashad Rustamoff wrote:
>> as soon as I send accounting stop packet to radius, test.pl executes and becomes a zombie. (I tried bash script, c program with the same result.)
>>
>>  3890 ?        Ss     0:00 /usr/local/freeradius/sbin/radiusd
>>  3893 ?        Z      0:00  \_ [test.pl] <defunct>
>>
>> As far as I know, this should have been fixed in 1.0.3 and I doubt it's debian specific, as I know 0.93 works on another RH 7.3 without a problem (In fact zombie is listed there as well but disappears after several seconds). Any ideas/suggestions?
>
> Did you try version 1.0.1 indeed? I had this problem several months ago with versions 1.0.4 and 1.0.5, but in case of 1.0.1 it works. As I know version 1.0.1 hasn't this problem. My server configuration is similar to yours: Debian 3.1 (Sarge)

Rashad,

Seems 1.0.1 really works when compiled with --with-threads=yes (default). However it doesn't with the --with-threads=no flag. 1.0.5 doesn't in both cases, neither does 1.1.0. At least I found a working version - 1.0.1 which is not broken.

Thanks. Best Regards to all who helped to eliminate this problem and the whole freeradius team.

George
LEAP
We are having problems getting LEAP to authenticate. We are using FreeRadius 0.9.3, Cisco Aironet 1200 and eDir as a back end.

Here is our config file:

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TESTAP
!
enable secret 5 $1$tQu6$CiVTpfiU2yIuDBoQveZtM1
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 172.31.1.25 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
 all
!
aaa session-id common
!
dot11 ssid TESTAP
 authentication open eap eap_methods1
 authentication network-eap eap_methods1
 guest-mode
!
!
!
username Cisco password 7 047802150C2E
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode wep mandatory
 !
 ssid TESTAP
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 172.31.1.79 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.31.1.250
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
 no authentication eapfast
 no authentication mac
 eapfast server-key primary 7 C10D5BA1B105987DEA7DE22F1E2A3D7094
 nas 172.31.1.79 key 7 040A59555B74
 user testrad nthash 7 06255C771F6A5F412735372D5B560F7B720E6B657A46544F2051000B0E77005F57
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.31.1.25 auth-port 1812 acct-port 1813 key 7 101F5B4A5142
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 transport preferred all
 transport input all
 transport output all
!
end

Here is the error message we get:

rad_recv: Access-Request packet from host 172.31.1.79:1645, id=5, length=131
        User-Name = testrad
        Framed-MTU = 1400
        Called-Station-Id = 0015.f947.8560
        Calling-Station-Id = 0012.f0e3.7896
        Service-Type = Login-User
        Message-Authenticator = 0xa00609077f82a3396080dcdcc8019804
        EAP-Message = 0x0201000c0174657374726164
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 466
        NAS-IP-Address = 172.31.1.79
        NAS-Identifier = TESTAP
  modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
    rlm_realm: No '@' in User-Name = testrad, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testrad
radius_xlat:  '(uid=testrad)'
radius_xlat:  'o=Village'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=Village, with filter (uid=testrad)
rlm_ldap: checking if remote access for testrad is allowed by dialupAccess
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testrad authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 1
modcall: group Auth-Type returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [testrad/<no User-Password attribute>] (from client testap port 466 cli 0012.f0e3.7896)
FreeRADIUS with PEAP(MSCHAPv2), MySQL and LDAP?
Hi,

I am currently trying to create a new auth system for our WPA 802.1x WiFi network. Thus far I have the server authenticating using PEAP(MSCHAPv2) against a users file containing a simple test user/pass pair.

What I would now like to do is use MySQL to contain user data such as the VLAN to be assigned to that user and which LDAP server their account exists on, then use LDAP to verify the credentials.

The idea being that a PEAP request comes in, tunnel gets built etc, the user gets looked up in the MySQL database, the credentials are then authenticated against the correct LDAP (or RADIUS) server, then on success an access-accept along with the user's VLAN is passed back to the NAS.

The question is, is it possible for PEAP(MSCHAPv2) and LDAP with MySQL to interact in this way?

Many thanks,
Jezz Palmer.
Re: LEAP
John Peebles [EMAIL PROTECTED] wrote:
> We are having problems getting LEAP to authenticate. We are using FreeRadius 0.9.3, Cisco Aironet 1200 and eDir as a back end.

I suggest you upgrade to 1.1.0. It has a *lot* of security fixes, and eDir integration, too.

> Here is the error message we get:
> rad_recv: Access-Request packet from host 172.31.1.79:1645, id=5, length=131
...

The debug log shows that you deleted the eap module from the authorize section. Don't do that.

Please, upgrade to 1.1.0 and it should just work.

Alan DeKok.
Re: Debian + Exec-Program = Zombie process
George Chelidze [EMAIL PROTECTED] wrote:
> Zombies add up even when I recompile without the --without-threads option.

That sounds like a serious problem. Looking at the source, I don't see why, though.

> If I understood things correctly, if I compile radius without threads support reap_children() won't be called and zombies will add up?

No. See radiusd.c, look for waitpid(). That code reaps the zombies when there are no threads.

Alan DeKok.
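The zombie thread above turns on one mechanism: a forked Exec-Program helper stays a zombie until the parent collects it with waitpid(), and a server that only reaps "on the next fork" leaves zombies standing whenever no further requests arrive. The script below is an added example (not FreeRADIUS code, not the list posters' test.pl) that reproduces that behaviour in miniature: it forks short-lived children, shows them as zombies via /proc (Linux only), and then runs the non-blocking waitpid(-1, WNOHANG) loop that a reap_children()-style function performs. The function names are the example's own.

```python
import os
import time

# Added example, not FreeRADIUS code: a fork()/waitpid() model of the
# Exec-Program zombie problem. is_zombie() reads /proc, so this is Linux only.


def spawn_helper(exit_code: int = 0) -> int:
    """Fork a child that exits immediately, standing in for a finished helper script."""
    pid = os.fork()
    if pid == 0:
        os._exit(exit_code)  # child: leave at once, no buffered output to flush
    return pid


def reap_children() -> list:
    """Non-blocking reap of every exited child: the waitpid(-1, WNOHANG) loop.

    Returns the pids collected. A still-running child yields pid 0 (stop, try
    later); ChildProcessError means there are no children at all (ECHILD).
    """
    reaped = []
    while True:
        try:
            pid, _status = os.waitpid(-1, os.WNOHANG)
        except ChildProcessError:
            break
        if pid == 0:
            break
        reaped.append(pid)
    return reaped


def is_zombie(pid: int) -> bool:
    """True when /proc/<pid>/stat reports state 'Z' (exited but not yet reaped)."""
    try:
        with open(f"/proc/{pid}/stat") as fh:
            stat = fh.read()
    except FileNotFoundError:
        return False  # already reaped: the kernel has dropped the entry
    # The comm field is in parentheses and may contain spaces; state follows it.
    return stat.rsplit(")", 1)[1].split()[0] == "Z"


def wait_for_zombies(pids, timeout: float = 5.0) -> bool:
    """Poll until every pid has exited and sits as a zombie (nobody reaped it)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if all(is_zombie(p) for p in pids):
            return True
        time.sleep(0.01)
    return False


def demo(n: int = 3):
    """Spawn n helpers, let them exit, then reap.

    Returns (zombies before reaping, our pids reaped, zombies after reaping).
    """
    pids = [spawn_helper() for _ in range(n)]
    wait_for_zombies(pids)
    before = sum(is_zombie(p) for p in pids)
    reaped = len(set(reap_children()) & set(pids))
    after = sum(is_zombie(p) for p in pids)
    return before, reaped, after


if __name__ == "__main__":
    print("zombies before / reaped / zombies after:", demo(3))
```

Running it prints (3, 3, 0): three defunct entries exist until the reap loop runs, and none afterwards. Dropping the reap_children() call is exactly the state George's ps listing shows, with each radiusd worker holding its own unreaped test.pl.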
Re: Problem in sending PAP Authentication with radclient
Hamzeh Motahari [EMAIL PROTECTED] wrote:
> What should we do if we want to send the password using the MD5 method?

RADIUS doesn't support sending MD5 passwords in a packet.

> If radclient doesn't support this, can you suggest an open source radius client which can do this?

No RADIUS client can do this.

Alan DeKok.
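The confusion in this thread (and in the original question further up) is between two different things: how a PAP password is carried in an Access-Request, and how the server compares it with what it has stored. The added example below, which is not radclient or FreeRADIUS code, implements the RFC 2865 section 5.2 User-Password hiding that every RADIUS client uses (the cleartext is XORed with MD5(secret + Request Authenticator), chained per 16-octet block) and then a server-side check in the style of the pap module's "md5" scheme. The function names and the sample secret are the example's own.

```python
import hashlib
import os

# Added example, not radclient/FreeRADIUS code: RFC 2865 User-Password hiding
# on the wire, and a stored-hash comparison on the server side.


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: encode a cleartext password as the User-Password attribute value.

    The password is NUL-padded to a multiple of 16 octets. Each block is XORed
    with MD5(secret + previous block); the first "previous block" is the 16-octet
    Request Authenticator. This is reversible obfuscation, not a password hash.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 octets of password")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding (same keystream, chained on the hidden blocks)."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(h ^ k for h, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip the padding NULs


def pap_check(scheme: str, stored: str, candidate: bytes) -> bool:
    """What a PAP module does after revealing the password: compare the cleartext
    candidate with the stored credential under the configured scheme."""
    if scheme == "clear":
        return stored.encode() == candidate
    if scheme == "md5":
        return hashlib.md5(candidate).hexdigest() == stored.lower()
    raise ValueError(f"unsupported scheme {scheme!r}")


def exchange(password: bytes, secret: bytes, stored_scheme: str, stored: str,
             authenticator=None) -> bool:
    """One Access-Request round trip: the client hides, the server reveals and checks."""
    authenticator = authenticator or os.urandom(16)
    on_the_wire = hide_user_password(password, secret, authenticator)
    return pap_check(stored_scheme, stored,
                     reveal_user_password(on_the_wire, secret, authenticator))


if __name__ == "__main__":
    secret = b"testing123"  # constructed sample shared secret
    stored_md5 = hashlib.md5(b"hello").hexdigest()  # "md5" scheme stores this
    print("accepted:", exchange(b"hello", secret, "md5", stored_md5))
```

Note what the server needs in order to run pap_check(): the cleartext it just revealed. That is why a stored MD5 hash works with PAP at all, and why no client can send "an MD5 password" instead: if only a digest travelled in the packet, the server could compare it with a stored digest but would have nothing to derive an NT hash or a crypt() value from, and it would also mean anyone who captured the digest could replay it.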
RE: CIsco Pix and FreeRadius....
Notice the first request that comes from the 10.2.0.69... It is using the test aaa-server from the PIX itself. The other 2 are when I am connecting to the VPN client and trying to authenticate. It says Auth Type unknown. Any ideas Alan?

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: ../etc/raddb/proxy.conf
Config: including file: ../etc/raddb/clients.conf
Config: including file: ../etc/raddb/snmp.conf
Config: including file: ../etc/raddb/eap.conf
Config: including file: ../etc/raddb/sql.conf
 main: prefix = ..
 main: localstatedir = ../var
 main: logdir = ../var/log/radius
 main: libdir = ../lib
 main: radacctdir = ../var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = ../var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = ../var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = ../bin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is ../lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = ../var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = ../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.pem
 tls: certificate_file = ../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.crt
 tls: CA_file = ../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Root.crt
 tls: private_key_password = demo
 tls: dh_file = ../etc/raddb/certs/FreeRADIUS.net/DemoCerts/dh
 tls: random_file = ../etc/raddb/certs/FreeRADIUS.net/DemoCerts/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = %{User-Name}
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = md5
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = ../etc/raddb/huntgroups
 preprocess: hints = ../etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile =
Re: FreeRADIUS and OpenLDAP
Michael Schwartzkopff [EMAIL PROTECTED] wrote:
> If I use OpenLDAP to authorize / authenticate my users, what kinds of passwords can I store in LDAP?

In 1.1.0, only one kind of password. I suggest clear.

> Is this controlled by the password_header configuration or does this only strip the header of the password?

In 1.1.0, only the 'clear' header works very well. The others don't.

> Is there any difference if I use the EAP module?

EAP is not a database. LDAP is a database. If you're using EAP and getting passwords from LDAP, then the only password format that will always work is clear.

Alan DeKok.
Re: CIsco Pix and FreeRadius....
Sills, Tripp [EMAIL PROTECTED] wrote:
> Notice the first request that comes from the 10.2.0.69... It is using the test aaa-server from the PIX itself. The other 2 are when I am connecting to the VPN client and trying to authenticate. It says Auth Type unknown. Any ideas Alan?

The only difference is in which entries it matches in the users file. Read those entries to see what it's doing, and why.

Alan DeKok.
Dummy newbie question
Hi!

I have a dummy question... running radtest, I get an Access-Accept, and everything seems ok, but the database radacct table doesn't get updated; in fact the table is blank after many tests. Is it normal? Or have I mistaken something?

Thanks for the help

Fernando S.
SanInternet Systems
www.saninternet.com
Re: Dummy newbie question
The radacct will be empty, because you're not working with accounting packets using radtest, only Auth packets.

Fernando wrote:
> Hi!
>
> I have a dummy question... running radtest, I get an Access-Accept, and everything seems ok, but the database radacct table doesn't get updated; in fact the table is blank after many tests. Is it normal? Or have I mistaken something?
>
> Thanks for the help
>
> Fernando S.
> SanInternet Systems
> www.saninternet.com

-- 
Richard Marriner II
Maingear.Net
Sr. Network Consultant
I.T. Consulting
[EMAIL PROTECTED]
www.maingear.net
Re: FreeRADIUS with PEAP(MSCHAPv2), MySQL and LDAP?
Palmer J.D.F. wrote:
> Hi,
>
> I am currently trying to create a new auth system for our WPA 802.1x WiFi network. Thus far I have the server authenticating using PEAP(MSCHAPv2) against a users file containing a simple test user/pass pair.
>
> What I would now like to do is use MySQL to contain user data such as the VLAN to be assigned to that user and which LDAP server their account

Assuming you know how to make the VLAN assignment work at all, then this is trivial. Assigning a completely dynamic LDAP server might be a little more tricky. If you know what set of LDAP server(s) you want to use in advance, then you could do this:

modules {
    ldap ldap1 {
        # config here
    }
    ldap ldap2 {
        # config here
    }
}

authorize {
    preprocess
    mysql
    mschap
    eap
    Autz-Type Ldap1 {
        ldap1
    }
    Autz-Type Ldap2 {
        ldap2
    }
}

The mysql module/tables will need to set Autz-Type on the requests, at which point the authorize stanza will be run *again* executing the conditional sections.

...however making this work correctly in the presence of eap/ms-chapv2 will not be straightforward, and in any event you have the other issue...

> exists on, then use LDAP to verify the credentials.

The only verification LDAP can do of credentials is to proxy PAP requests to LDAP simple binds. You cannot check MS-CHAP against an LDAP server.

However using LDAP as a database, as it was intended, then *if* the LDAP server contains either plaintext password or the NT/LM hashes, the radius server can read them, and the ldap module is configured to get them from LDAP, then FreeRadius can perform the MS-CHAP inside itself.

> The idea being that a PEAP request comes in, tunnel gets built etc, the user gets looked up in the MySQL database, the credentials are then authenticated against the correct LDAP (or RADIUS) server, then on success an access-accept along with the user's VLAN is passed back to the NAS.

This seems extremely hard work. Why would you use both MySQL and LDAP?

> The question is, is it possible for PEAP(MSCHAPv2) and LDAP with MySQL to interact in this way?

Your question is not precise enough for me to be sure exactly what you want.
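Two answers in this digest make the same point from different angles: the OpenLDAP reply above says that with EAP the only stored password format that always works is clear, and the reply just above says MS-CHAP cannot be checked by an LDAP bind and only works if the directory holds the plaintext or the NT hash. The reason is mechanical, and the added example below (not FreeRADIUS's rlm_ldap or rlm_mschap, and not either poster's configuration) shows it: PAP hands the server the cleartext, so any userPassword form ({clear}, {SHA}, {SSHA}, {MD5}) can be checked; MS-CHAP(v2) is computed from the NT hash, MD4 over the UTF-16LE password, which a one-way {SSHA} value can never yield. The entry dicts, the sambaNTPassword attribute name (Samba's convention) and the helper names are the example's own assumptions; MD4 is written out because hashlib's md4 is disabled on many current OpenSSL builds.

```python
import base64
import hashlib
import os
import struct

# Added example, not FreeRADIUS code. Which stored LDAP password forms can
# back PAP, and which can back MS-CHAP (which needs the NT hash).

_M = 0xFFFFFFFF


def _lrot(x, n):
    x &= _M
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is often unavailable."""
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _lrot(a + fn(b, c, d) + X[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        A, B, C, D = (A + a) & _M, (B + b) & _M, (C + c) & _M, (D + d) & _M
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password; MS-CHAP(v2) responses derive from it."""
    return md4(password.encode("utf-16-le"))


def parse_user_password(value: str):
    """Split an LDAP userPassword into (scheme, payload); no {header} means cleartext."""
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        return scheme.lower(), payload
    return "clear", value


def ldap_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_pap(entry: dict, candidate: str) -> bool:
    """PAP: the server holds the cleartext candidate, so any stored form is checkable."""
    scheme, payload = parse_user_password(entry["userPassword"])
    if scheme == "clear":
        return payload == candidate
    raw = base64.b64decode(payload)
    if scheme == "sha":
        return hashlib.sha1(candidate.encode()).digest() == raw
    if scheme == "ssha":
        digest, salt = raw[:20], raw[20:]
        return hashlib.sha1(candidate.encode() + salt).digest() == digest
    if scheme == "md5":
        return hashlib.md5(candidate.encode()).digest() == raw
    raise ValueError(f"unsupported scheme {scheme!r}")


def nt_hash_for_mschap(entry: dict):
    """MS-CHAP: the NT hash the server needs, or None if the stored forms cannot yield one."""
    if "sambaNTPassword" in entry:  # hex NT hash, Samba's attribute (assumed schema)
        return bytes.fromhex(entry["sambaNTPassword"])
    scheme, payload = parse_user_password(entry["userPassword"])
    if scheme == "clear":
        return nt_hash(payload)
    return None  # {SHA}/{SSHA}/{MD5} are one-way: no NT hash, so no MS-CHAP


if __name__ == "__main__":
    salt = os.urandom(8)  # constructed sample entries follow
    entries = [
        {"userPassword": "{clear}password"},
        {"userPassword": ldap_ssha("password", salt)},
        {"userPassword": ldap_ssha("password", salt), "sambaNTPassword": nt_hash("password").hex()},
    ]
    for entry in entries:
        h = nt_hash_for_mschap(entry)
        print("PAP ok:", verify_pap(entry, "password"),
              "| MS-CHAP:", h.hex() if h else "not possible with this stored form")
```

The third entry is the usual way out when a site will not store cleartext: keep the salted hash for PAP and binds, and keep an NT hash beside it so the MS-CHAP exchange inside PEAP can be completed by the RADIUS server itself. Storing an NT hash is, of course, storing a password-equivalent, so the directory ACLs on that attribute matter as much as on a cleartext one.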
eap authentication and proxy radius
Is it possible to configure Freeradius to request two EAP authentications? For example, the supplicant starts the eap-tls and the authentication is ok. But the radius server doesn't send Access Accept; it requests a new authentication (for example eap-md5). If eap-md5 is also ok, the supplicant is authenticated.

authentication supplicant = (authentication eap-tls) (authentication eap-md5)

If the first answer is yes: is it possible that the first authentication is forwarded to a remote radius server and the second one is resolved locally?

authentication supplicant = (authentication eap-tls on remote radius server) (authentication eap-md5 on proxy radius server)

Many thanks,
Matteo Paoli

-- 
Matteo Paoli
freeradius-1.1.0 + oracle + fedora
I'm running Fedora (FC4) with the Oracle Instantclient 10g rpms (basic, devel, sqlplus, jdbc) and I'm trying to compile freeradius 1.1.0 with oracle support, but the oracle module doesn't compile at all. It seems like the rlm_sql_oracle configure and makefile are buggy as hell or they only support an Oracle8 installation. It looks like the with-oracle-home-dir and with-oracle-include-dir and with-oracle-lib-dir configure switches are useless, because even when I set them up properly it doesn't seem to be using them and it doesn't compile.

At first it was complaining about some missing oci.h even if it's there. So after reading the config.log I created some soft links so that it's finding it, but then it was complaining about some other missing stuff so I did some other soft links. So now I'm at something like four soft links all around my system and it still doesn't compile :)

I tried to edit the configure.in and the makefile files (I'm a newbie when it comes to makefile and configure and autoconf stuff) and it still doesn't work. So I don't know what to do next. I'm very close to scrapping the whole oracle plan and switching to mysql or to flat raddb files.

Is there anyone that successfully compiled the rlm_sql_oracle module in FC4 (or any fedora for that matter)?
Re: eap authentication and proxy radius
Matteo Paoli [EMAIL PROTECTED] wrote:
> For example, the supplicant starts the eap-tls and the authentication is ok. But the radius server doesn't send Access Accept; it requests a new authentication (for example eap-md5). If eap-md5 is also ok, the supplicant is authenticated.

No. EAP doesn't work like that. If that's what you want, I suggest PEAP with client certificates.

> Is it possible that the first authentication is forwarded to a remote radius server and the second one is resolved locally?

RADIUS doesn't work like that.

I have no idea what you're trying to do, but your proposed implementation doesn't match how supplicants, EAP, or RADIUS works.

Alan DeKok.