Performance features of FreeRadius
Hy all, I would like to know where I can find information about the performance features of the FreeRadius product. I would like to propose my boss tu use this product because I have been testing it with differents configurations and it is a very good product (congratulations!). But I need that information first. Thank you very much in advance, Marta Lajas LLama Gratis a cualquier PC del Mundo.Llamadas a fijos y móviles desde 1 céntimo por minuto.http://es.voice.yahoo.com- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Error with dialup admin
Hello all I have installed freeradius 1.1.0 in freebsd 6.0. While clicking on statistic menu of dialup page I got this error. Warning: mktime() expects parameter 1 to be long, string given in /usr/home/httpd/baayu.com.np/baayucom/dialbaayu/lib/functions.php3 on line 83 Warning: mktime() expects parameter 1 to be long, string given in /usr/home/httpd/baayu.com.np/baayucom/dialbaayu/lib/functions.php3 on line 83 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius in a production environment
Hy :-) I am interested to know about success stories of people using FreeRadius in a production environment. I have read http://www.freeradius.org/testimonials.html but I would like to obtain a few more experiences. Best regards, Susana LLama Gratis a cualquier PC del Mundo.Llamadas a fijos y móviles desde 1 céntimo por minuto.http://es.voice.yahoo.com- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius authentication question
Hi everybody,
I'm trying to authenticate users login in a machine using ssh. I have
configured ssh & PAM on that server to autenticate against the radius server
(Redhat Application Server 2.1).
Please find below the debug of the radius server as well as my conf files.
The Free radius server says :
Login incorrect: [test/\010\n\INCORRECT] (from client us067.eudra.org port 1500
cli 192.168.xx.xx)
WARNING: Unprintable characters in the password. ? Double-check the shared
secret on the server and the NAS!
So did I . I checked the secrets on the server and they are *IDENTICAL*...
I used the NTRadPing utility with exactly the same parameters and it works
absolutely fine !
Thank you for your help !
my /etc/raddb/server file : (on the client machine) :
[EMAIL PROTECTED] root]# vi /etc/raddb/server
# pam_radius_auth configuration file. Copy to: /etc/raddb/server
#
# For proper security, this file SHOULD have permissions 0600,
# that is readable by root, and NO ONE else. If anyone other than
# root can read this file, then they can spoof responses from the server!
#
# There are 3 fields per line in this file. There may be multiple
# lines. Blank lines or lines beginning with '#' are treated as
# comments, and are ignored. The fields are:
#
# server[:port] secret [timeout]
#
# the port name or number is optional. The default port name is
# "radius", and is looked up from /etc/services The timeout field is
# optional. The default timeout is 3 seconds.
#
# If multiple RADIUS server lines exist, they are tried in order. The
# first server to return success or failure causes the module to return
# success or failure. Only if a server fails to response is it skipped,
# and the next server in turn is used.
#
# The timeout field controls how many seconds the module waits before
# deciding that the server has failed to respond.
#
# server[:port] shared_secret timeout (s)
loginhost.eudra.org philippe123456 1
#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.
clients.conf :
client us067.eudra.org {
secret = philippe123456
shortname = us067.eudra.org
}
[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
u
Re: Freeradius authentication question
Hello,
[EMAIL PROTECTED] root]# vi /etc/raddb/server ??
the config file will this be ?
correct directory;
#vi /etc/raddb/clients.conf
oke.
> - Original Message -
> From: "Le Gal Philippe" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list"
> Subject: Freeradius authentication question
> Date: Fri, 20 Jan 2006 11:34:51 -
>
>
>
> Hi everybody,
>
> I'm trying to authenticate users login in a machine using ssh. I
> have configured ssh & PAM on that server to autenticate against the
> radius server (Redhat Application Server 2.1).
>
> Please find below the debug of the radius server as well as my conf files.
>
> The Free radius server says :
>
> Login incorrect: [test/\010\n\INCORRECT] (from client
> us067.eudra.org port 1500 cli 192.168.xx.xx)
>WARNING: Unprintable characters in the password. ? Double-check
> the shared secret on the server and the NAS!
>
> So did I . I checked the secrets on the server and they are *IDENTICAL*...
>
> I used the NTRadPing utility with exactly the same parameters and
> it works absolutely fine !
>
> Thank you for your help !
>
> my /etc/raddb/server file : (on the client machine) :
>
> [EMAIL PROTECTED] root]# vi /etc/raddb/server
> # pam_radius_auth configuration file. Copy to: /etc/raddb/server
> #
> # For proper security, this file SHOULD have permissions 0600,
> # that is readable by root, and NO ONE else. If anyone other than
> # root can read this file, then they can spoof responses from the server!
> #
> # There are 3 fields per line in this file. There may be multiple
> # lines. Blank lines or lines beginning with '#' are treated as
> # comments, and are ignored. The fields are:
> #
> # server[:port] secret [timeout]
> #
> # the port name or number is optional. The default port name is
> # "radius", and is looked up from /etc/services The timeout field is
> # optional. The default timeout is 3 seconds.
> #
> # If multiple RADIUS server lines exist, they are tried in order. The
> # first server to return success or failure causes the module to return
> # success or failure. Only if a server fails to response is it skipped,
> # and the next server in turn is used.
> #
> # The timeout field controls how many seconds the module waits before
> # deciding that the server has failed to respond.
> #
> # server[:port] shared_secret timeout (s)
> loginhost.eudra.org philippe123456 1
> #
> # having localhost in your radius configuration is a Good Thing.
> #
> # See the INSTALL file for pam.conf hints.
>
>
> clients.conf :
>
> client us067.eudra.org {
> secret = philippe123456
> shortname = us067.eudra.org
> }
>
>
> [EMAIL PROTECTED] raddb]# radiusd -X
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/proxy.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/snmp.conf
> Config: including file: /usr/local/etc/raddb/eap.conf
> Config: including file: /usr/local/etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/usr/local/var/log/radius"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/usr/local/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/usr/local/var/log/radius/radius.log"
> main: log_auth = yes
> main: log_auth_badpass = yes
> main: log_auth_goodpass = yes
> main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = yes
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (e
RE: Freeradius authentication question
The Pam radius configuration file on the client machine should be located here:
/etc/raddb/server (cf pam radius INSTALL)
I can't see why the radius server can not decrypt the password when I know my
shared secret is absolutely identical on the client and on the radius server.
Anyone ?
Philippe
-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
dius.org]On Behalf Of Kai Geek
Sent: 20 January 2006 12:00
To: FreeRadius users mailing list
Subject: Re: Freeradius authentication question
Hello,
[EMAIL PROTECTED] root]# vi /etc/raddb/server ??
the config file will this be ?
correct directory;
#vi /etc/raddb/clients.conf
oke.
> - Original Message -
> From: "Le Gal Philippe" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list"
> Subject: Freeradius authentication question
> Date: Fri, 20 Jan 2006 11:34:51 -
>
>
>
> Hi everybody,
>
> I'm trying to authenticate users login in a machine using ssh. I
> have configured ssh & PAM on that server to autenticate against the
> radius server (Redhat Application Server 2.1).
>
> Please find below the debug of the radius server as well as my conf files.
>
> The Free radius server says :
>
> Login incorrect: [test/\010\n\INCORRECT] (from client
> us067.eudra.org port 1500 cli 192.168.xx.xx)
>WARNING: Unprintable characters in the password. ? Double-check
> the shared secret on the server and the NAS!
>
> So did I . I checked the secrets on the server and they are *IDENTICAL*...
>
> I used the NTRadPing utility with exactly the same parameters and
> it works absolutely fine !
>
> Thank you for your help !
>
> my /etc/raddb/server file : (on the client machine) :
>
> [EMAIL PROTECTED] root]# vi /etc/raddb/server
> # pam_radius_auth configuration file. Copy to: /etc/raddb/server
> #
> # For proper security, this file SHOULD have permissions 0600,
> # that is readable by root, and NO ONE else. If anyone other than
> # root can read this file, then they can spoof responses from the server!
> #
> # There are 3 fields per line in this file. There may be multiple
> # lines. Blank lines or lines beginning with '#' are treated as
> # comments, and are ignored. The fields are:
> #
> # server[:port] secret [timeout]
> #
> # the port name or number is optional. The default port name is
> # "radius", and is looked up from /etc/services The timeout field is
> # optional. The default timeout is 3 seconds.
> #
> # If multiple RADIUS server lines exist, they are tried in order. The
> # first server to return success or failure causes the module to return
> # success or failure. Only if a server fails to response is it skipped,
> # and the next server in turn is used.
> #
> # The timeout field controls how many seconds the module waits before
> # deciding that the server has failed to respond.
> #
> # server[:port] shared_secret timeout (s)
> loginhost.eudra.org philippe123456 1
> #
> # having localhost in your radius configuration is a Good Thing.
> #
> # See the INSTALL file for pam.conf hints.
>
>
> clients.conf :
>
> client us067.eudra.org {
> secret = philippe123456
> shortname = us067.eudra.org
> }
>
>
> [EMAIL PROTECTED] raddb]# radiusd -X
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/proxy.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/snmp.conf
> Config: including file: /usr/local/etc/raddb/eap.conf
> Config: including file: /usr/local/etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/usr/local/var/log/radius"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/usr/local/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/usr/local/var/log/radius/radius.log"
> main: log_auth = yes
> main: log_auth_badpass = yes
> main: log_auth_goodpass = yes
> main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = yes
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_f
RE: FreeRadius in a production environment
HI Susana, before I start telling you life stories, I’ll just tell you to USE IT !!! :D I use one server for VPN Auth, MAC auth etc.. and it is stable and it works pretty well LDAP ( in my case ) Regards, Edvin From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susana Macias Sent: Freitag, 20. Jänner 2006 12:31 To: freeradius-users@lists.freeradius.org Subject: FreeRadius in a production environment Hy :-) I am interested to know about success stories of people using FreeRadius in a production environment. I have read http://www.freeradius.org/testimonials.html but I would like to obtain a few more experiences. Best regards, Susana LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y móviles desde 1 céntimo por minuto. http://es.voice.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius authentication question
hmm ok
a lot thank you..
regards :)
> - Original Message -
> From: "Le Gal Philippe" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list"
> Subject: RE: Freeradius authentication question
> Date: Fri, 20 Jan 2006 12:08:59 -
>
>
>
> The Pam radius configuration file on the client machine should be
> located here: /etc/raddb/server (cf pam radius INSTALL)
>
> I can't see why the radius server can not decrypt the password when
> I know my shared secret is absolutely identical on the client and
> on the radius server.
>
> Anyone ?
>
> Philippe
>
> -Original Message-
> From:
> [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> dius.org]On Behalf Of Kai Geek
> Sent: 20 January 2006 12:00
> To: FreeRadius users mailing list
> Subject: Re: Freeradius authentication question
>
>
> Hello,
> [EMAIL PROTECTED] root]# vi /etc/raddb/server ??
>
> the config file will this be ?
> correct directory;
>
> #vi /etc/raddb/clients.conf
>
> oke.
>
> > - Original Message -
> > From: "Le Gal Philippe" <[EMAIL PROTECTED]>
> > To: "FreeRadius users mailing list"
> > Subject: Freeradius authentication question Date: Fri, 20 Jan
> > 2006 11:34:51 -
> >
> >
> >
> > Hi everybody,
> >
> > I'm trying to authenticate users login in a machine using ssh. I
> > have configured ssh & PAM on that server to autenticate against
> > the radius server (Redhat Application Server 2.1).
> >
> > Please find below the debug of the radius server as well as my conf files.
> >
> > The Free radius server says :
> >
> > Login incorrect: [test/\010\n\INCORRECT] (from client
> > us067.eudra.org port 1500 cli 192.168.xx.xx)
> >WARNING: Unprintable characters in the password. ?
> > Double-check the shared secret on the server and the NAS!
> >
> > So did I . I checked the secrets on the server and they are *IDENTICAL*...
> >
> > I used the NTRadPing utility with exactly the same parameters and
> > it works absolutely fine !
> >
> > Thank you for your help !
> >
> > my /etc/raddb/server file : (on the client machine) :
> >
> > [EMAIL PROTECTED] root]# vi /etc/raddb/server
> > # pam_radius_auth configuration file. Copy to: /etc/raddb/server
> > #
> > # For proper security, this file SHOULD have permissions 0600,
> > # that is readable by root, and NO ONE else. If anyone other than
> > # root can read this file, then they can spoof responses from the server!
> > #
> > # There are 3 fields per line in this file. There may be multiple
> > # lines. Blank lines or lines beginning with '#' are treated as
> > # comments, and are ignored. The fields are:
> > #
> > # server[:port] secret [timeout]
> > #
> > # the port name or number is optional. The default port name is
> > # "radius", and is looked up from /etc/services The timeout field is
> > # optional. The default timeout is 3 seconds.
> > #
> > # If multiple RADIUS server lines exist, they are tried in order. The
> > # first server to return success or failure causes the module to return
> > # success or failure. Only if a server fails to response is it skipped,
> > # and the next server in turn is used.
> > #
> > # The timeout field controls how many seconds the module waits before
> > # deciding that the server has failed to respond.
> > #
> > # server[:port] shared_secret timeout (s)
> > loginhost.eudra.org philippe123456 1
> > #
> > # having localhost in your radius configuration is a Good Thing.
> > #
> > # See the INSTALL file for pam.conf hints.
> >
> >
> > clients.conf :
> >
> > client us067.eudra.org {
> > secret = philippe123456
> > shortname = us067.eudra.org
> > }
> >
> >
> > [EMAIL PROTECTED] raddb]# radiusd -X
> > Starting - reading configuration files ...
> > reread_config: reading radiusd.conf
> > Config: including file: /usr/local/etc/raddb/proxy.conf
> > Config: including file: /usr/local/etc/raddb/clients.conf
> > Config: including file: /usr/local/etc/raddb/snmp.conf
> > Config: including file: /usr/local/etc/raddb/eap.conf
> > Config: including file: /usr/local/etc/raddb/sql.conf
> > main: prefix = "/usr/local"
> > main: localstatedir = "/usr/local/var"
> > main: logdir = "/usr/local/var/log/radius"
> > main: libdir = "/usr/local/lib"
> > main: radacctdir = "/usr/local/var/log/radius/radacct"
> > main: hostname_lookups = no
> > main: max_request_time = 30
> > main: cleanup_delay = 5
> > main: max_requests = 1024
> > main: delete_blocked_requests = 0
> > main: port = 0
> > main: allow_core_dumps = no
> > main: log_stripped_names = no
> > main: log_file = "/usr/local/var/log/radius/radius.log"
> > main: log_auth = yes
> > main: log_auth_badpass = yes
> > main: log_auth_goodpass = yes
> > main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> > main: user = "(null)"
> > main: group = "(null)"
> > main: usercollide = no
> > main: lower_user = "no"
> > main: lower_pass = "no"
> > main: nospace_user = "no"
> >
How to start a session
Dear All, I have implemented freeradius-1.0.5 in Redhat box. And I have some questions about it. It have searched the web but still can't find a clue or i just missed it :(. Also my questions are: 1. How do we start the session? I have send the request to the server and got access_accepted. And as I know the session is start after we send the accounting_request and get response from the server. The problem is how to do that using command prompt? My Nas is Suse box (that should be fine right?). I use this command to send acct_request echo "User-Name= Anna"| radclient 10.1.0.76 acct -x testing123 Is that right? or is there any place I can refer to use the radclient command? 2. Do I need to write external script to run the command? Because I want to use the session time out but seems still not working.(because I don't know how to start the session) 3. Where should I put the acc_type. Is it in server side or nas side? I really hope someone can help me (please...) Thanks a lot in advance Best Regards, Santy __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-TLS ErrorMessage but working
Hi, i just got ldap in my testenvironment working but can someone tell me what the marked line in the log means? The authentication works fine and i get access to my network?? Or can i ignore this message? Greetings Armin Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/freeradius/freeradius.pid" main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/lib/ssl/server_zertifikat.pem" tls: certificate_file = "/usr/lib/ssl/server_zertifikat.pem" tls: CA_file = "/usr/lib/ssl/demoCA/cacert.pem" tls: private_key_password = "XXX" tls: dh_file = "/etc/ssl/certs/dh" tls: random_file = "/etc/ssl/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded LDAP ldap: server = "localhost" ldap: port = 389 ldap: net_timeout = 10 ldap: timeout = 20 ldap: timelimit = 20 ldap: identity = "cn=freeradius,ou=admins,ou=radius,dc=ak-server,dc=de" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap:
Re: How to start a session
You must use radtest command type radtest at the command prompt and this will give you hints about how to use it Ernesto Freyre RamírezJefe de OperacionesQnetSoluciones TecnológicasJr. Natalio Sánchez 220, Of. 401 - Lima 11Telf.: (511) 431-6565 Anexo 2245Fax: (511) 431-7113 Visítenos en: www.qnet.com.pe- Original Message - From: San To: FreeRadius users mailing list Sent: Friday, January 20, 2006 8:35 AM Subject: How to start a session Dear All,I have implemented freeradius-1.0.5 in Redhat box. AndIhave some questions about it. It have searched the webbut still can't find a clue or i just missed it :(.Also my questions are:1. How do we start the session? I have send therequest to the server and got access_accepted. And asI know the session is start after we send theaccounting_request and get response from the server.The problem is how to do that using command prompt? MyNas is Suse box (that should be fine right?).I use this command to send acct_requestecho "User-Name= Anna"| radclient 10.1.0.76 acct -xtesting123Is that right? or is there any place I can refer touse the radclient command?2. Do I need to write external script to run thecommand? Because I want to use the session time outbut seems still not working.(because I don't know howto start the session)3. Where should I put the acc_type. Is it in serverside or nas side?I really hope someone can help me (please...)Thanks a lot in advanceBest Regards,Santy__Do You Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html-- No virus found in this incoming message.Checked by AVG Free Edition.Version: 7.1.375 / Virus Database: 267.14.20/234 - Release Date: 18/01/2006 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius in a production environment
Susana Macias wrote: Hy :-) I am interested to know about success stories of people using FreeRadius in a production environment. I have read http://www.freeradius.org/testimonials.html but I would like to obtain a few more experiences. Using it without issue (besides my own ignorance) for a good while. Using mysql clusters to serve as the backend for two freeradius servers. It has worked very well. Mostly dialup but it also auth's our wireless and hopefully soon our routers and servers as well. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Query string
In passing an LDAP search to MS-LDAP I would like FreeRADIUS to pass a query rather than search through the basedn structure. Is this sound? John - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FreeRadius in a production environment
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lewis Bergman Sent: Friday, January 20, 2006 5:17 PM To: FreeRadius users mailing list Subject: Re: FreeRadius in a production environment Susana Macias wrote: > Hy :-) > > I am interested to know about success stories of people using > FreeRadius in a production environment. > I have read http://www.freeradius.org/testimonials.html but I would > like to obtain a few more experiences. Using FreeRadius as main radius server for our VoIP network. And with own AAA module for FreeRadius and with Oracle as backend. Working fine under heavy load. Best regards, Serg - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to allow only one authentication ?
Hello.
sorry to disturb you.
I disable all authentication modules in the authenticate session I left
only:
# kerberos
Auth-Type Kerberos {
krb5
}
eap
in the authorize sezzion of radiusd.conf I disabled everything and I
left only
eap and files
in this way Kerberos authentication + ldap authorization works.
I want ONLY this method to work, but also EAP-TLS with certificates
works,
while I want to disable it for users.
If I remove eap from the authorizatin section, I prefent certificate
authentication to
work but also Kerberos authentication will not work.
in my users file I have the string
DEFAULT Auth-Type = Kerberos
How I can solve this problem ?
I tryed in all possible qays I Cannot disable EAP-TLS with certificates
if I want
EAP-TTLS to work with kerberos and ldap.
might you help me ?
thanks
Rick
Alan DeKok wrote:
"Riccardo.Veraldi" <[EMAIL PROTECTED]> wrote:
I would like only users with kerberos credentials to being able to
authenticate
Then delete everything from the "authenticate" section, except for
"eap" and "krb5". Also, ensure that nothing in the "authorize"
section obtains a clear-text password for the user from a database.
That guarantees:
a) no password by which to authenticate someone
b) therefore they must use kerberos
c) they can't use anything other than kerberos
Everyone else will have no way to get authenticated, and will be
rejected.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Performance features of FreeRadius
Hy all, I would like to know where I can find information about the performance features of the FreeRadius product. I would like to propose my boss tu use this product because I have been testing it with differents configurations and it is a very good product (congratulations!). But I need that information first. Thank you very much in advance, Marta Lajas I use it for an ISP for authenticating users to dial, dial-isdn, adsl service-selection, wifi, vpn, ftp (homepages), dial accelerator and nntp. We have 3 radius servers to handle the load and average about 80,000 logins per day out of a few hundred thousand users. We use an ldap backend for authentication and mysql for accounting. The machines are freebsd 5.4 hw.machine: i386 hw.model: Intel(R) Xeon(TM) CPU 2.80GHz hw.ncpu: 2 hw.physmem: 1064525824 hw.usermem: 962187264 hw.realmem: 1073479680 They are basically sitting there idle since we've put them in. The traffic isn't enough to push it. # uptime 11:48AM up 98 days, 13:04, 1 user, load averages: 0.03, 0.01, 0.00 I hope I don't jinx myself, but we've never had an outage with freeradius. Using configurable_failover inside freeradius we didn't even notice a burp when one of our ldap servers's motherboard choked and the machine went down hard. Freeradius just kindly switched over to another ldap server. Using radrelay for pushing accounting to our mysql servers, makes the uptime on that sql machine less important, even though it never seems to have issues. I know that's not an "official" number, but perhaps it could help. -Dusty Doris - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius in a production environment
On Fri, 20 Jan 2006, Susana Macias wrote: Hy :-) I am interested to know about success stories of people using FreeRadius in a production environment. I have read http://www.freeradius.org/testimonials.html but I would like to obtain a few more experiences. Best regards, Susana Read my most recent reply to "Performance features of FreeRadius" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius in a production environment
We are an ISP that has statewide dialup within California. Our RADIUS is running FreeRADIUS. We have about 2000 customers. Another company I know is running FreeRADIUS with national coverage and recieves proxied requests from an upstream provider that uses FreeRADIUS. Susana Macias wrote: Hy :-) I am interested to know about success stories of people using FreeRadius in a production environment. I have read http://www.freeradius.org/testimonials.html but I would like to obtain a few more experiences. Best regards, Susana LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y móviles desde 1 céntimo por minuto. http://es.voice.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Richard Marriner IIMaingear.Net Sr. Network Consultant I.T. Consulting [EMAIL PROTECTED] www.maingear.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Performance features of FreeRadius
Marta Lajas <[EMAIL PROTECTED]> wrote: > I would like to know where I can find information about the > performance features of the FreeRadius product. As in how well it performs? That depends on your system and database. The short answer is that FreeRADIUS will always be faster than the database you use to store user configuration. And unless you have a million users, performance of the server isn't really an issue. FreeRADIUS can handle multiple hundreds of thousands of users on a commodity PC without any problems. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius authentication question
"Le Gal Philippe" <[EMAIL PROTECTED]> wrote: > I'm trying to authenticate users login in a machine using ssh. I > have configured ssh & PAM on that server to autenticate against the > radius server (Redhat Application Server 2.1). ... > The Free radius server says : > > Login incorrect: [test/\010\n\INCORRECT] (from client us067.eudra.org port > 1500 cli 192.168.xx.xx) If that isn't the password you entered in SSH, then either SSH or PAM is changing the password to that "INCORRECT" string. There's nothing you can do to FreeRADIUS to fix the problem. Instead, find out why SSH or PAM is changing the password. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS ErrorMessage but working
=?iso-8859-1?Q?Armin_Kr=E4mer?= <[EMAIL PROTECTED]> wrote: > i just got ldap in my testenvironment working but can someone tell me what > the marked line in the log means? Please no HTML to the list. And is it really that hard to cut and paste the one line, rather than sending the whole debug log? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question about Session start
San <[EMAIL PROTECTED]> wrote: > 1. How do we start the session? I have send the > request to the server and got access_accepted. What program is sending the request? > I use this command to send acct_request > echo "User-Name= Anna"| radclient 10.1.0.76 acct -x > testing123 > Is that right? or is there any place I can refer to > use the radclient command? That's a good start. Read the RFC's to see what attributes are required in accounting packets. > 2. Do I need to write external script to run the > command? The same program that sends Access-Request should send Accounting-Request. My suggestion is to buy the O'Reilly RADIUS book and read it. It's a good introduction to RADIUS, which you will need to solve your problems. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to allow only one authentication ?
"Riccardo.Veraldi" <[EMAIL PROTECTED]> wrote: > I want ONLY this method to work, but also EAP-TLS with certificates works, > while I want to disable it for users. If you haven't made drastic changes to the "authorize" section, the following will work if you put it in the "users" file. #-- DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject #-- If you have made drastic changes to the "authorize" section, my suggestion is "don't". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
windows XP computer WPA, TKIP, PEAP, EAP-MSCHAP v2 has "No User-Password or CHAP-Password attribute in the request"
My freeradius client is a windows XP SP2 computer running 802.11 WPA, TKIP, PEAP, EAP-MSCHAP v2 and trying to connect to the linux Fedora Core 2 wireless server. I run the freeradius server in debugging mode # radiusd -sfxxyz -l stdout This is the output. How to fix this problem? rad_recv: Access-Request packet from host 127.0.0.1:52001, id=38, length=134 Framed-MTU = 1380 NAS-IP-Address = 0.0.0.0 NAS-Identifier = "wifictrl" User-Name = "test" NAS-Port-Id = ":2:2" Service-Type = Framed-User NAS-Port-Type = Wireless-802.11 Called-Station-Id = "00-f0-00-06-67-a8" Calling-Station-Id = "00-20-a6-57-7a-e9" EAP-Message = 0x020100090174657374 Message-Authenticator = 0x737afc3b6c1fb17ad13ee348ca5fbf4b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 1 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched test at 90 radius_xlat: 'Hello, test' modcall[authorize]: module "files" returns ok for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type Local auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Delaying request 5 for 1 seconds Finished request 5 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 38 to 127.0.0.1:52001 Reply-Message = "Hello, test" Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 38 with timestamp 43d1500d Nothing to do. Sleeping until we see a request. # radiusd -v radiusd: FreeRADIUS Version 1.0.1, for host , built on Apr 15 2005 at 11:57:29 # uname -a Linux wifictrl 2.6.5-1.358 #1 Sat May 8 09:04:50 EDT 2004 i686 i686 i386 GNU/Linux __ Find your next car at http://autos.yahoo.ca - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_ldap problems connecting to LDAP server
We have an 802.11 service that uses a captive portal (Vernier) system
authenticating via RADIUS to kerberos. Currently there's no
authorization, except implicitly (i.e. presence of an entry in our
kerberos database). We want to start doing authorization using the
campus LDAP directory.
I'm trying to set this up with rlm_ldap on freeradius 1.0.5, but I'm
having trouble getting it to work. The LDAP server doesn't have any of
the RADIUS attributes in its schema, so I'll have to come up with a
custom mapping, but that's not the problem (yet). Rather, I can't get
rlm_ldap to make an encrypted connection to the LDAP server.
Here's the start of the ldap section in the modules {} part of radiusd.conf:
ldap airbears-ldap {
server = "ldaps://our.ldap.server"
identity =
password =
basedn = "ou=people,dc=berkeley, dc=edu"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap_debug = -1
tls_cacertfile = ${confdir}/certs/ourcertfile.crt
tls_require_cert= "never"
...
}
Everything else in the ldap section is still the default. (That'll have
to change, but I want to get the connection working first). The above
should set up an anonymous bind over an encrypted connection, but it
fails with "TLS: can't connect". (See attached debug snippet).
However, if I change the 'ldaps:' to 'ldap:', the ldap query works.
I've tried various combinations of 'port' (in the ldap section),
'start_tls' and 'tls_mode' but any combination that specifies a TLS
connection fails.
I don't think there's a problem with our openldap or openssl libraries,
because I can do the same query (from the same system) with 'ldapsearch'
without any problems.
The RADIUS server is running FreeBSD 5.4-STABLE, using openssl 0.9.8a,
and openldap 2.2.29, both built from ports. (The freeradius is also
built from ports).
Any ideas on what the problem might be, or where I might look next?
Thanks,
--
George C. Kaplan[EMAIL PROTECTED]
Communication & Network Services510-643-0496
University of California at Berkeley
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: bind_address = our.radius.server IP address [xxx.xxx.xxx.xxx]
main: user = "access"
main: group = "access"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 0
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (u
