RFC3576
Hi, Uhm, any support for RFC3576, added or planned? Regards, Chris. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP-MSCHAPv2 authentication failure
Thanks. That helps. It is working now.

Regards,
-Sayantan.

>>> On Mon, Jan 23, 2006 at 5:45 pm, in message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> Sayantan Bhowmick wrote:
>> Hi,
>> I am trying to do PEAP MSCHAPv2 authentication. I am using FreeRADIUS version 1.1.0 on Suse 9.0 and WinXP as the Supplicant. When I select "Automatically use my Windows Logon name and password (and domain if any)" in the network properties, WinXP tries to login as domain-name\\user-name. I have enabled the "realm ntdomain" option in radiusd.conf and have created an entry in the proxy.conf file. However the authentication still fails. I am using eDirectory as my user store (I cannot use the ntlm_auth option as I do not have an AD setup). The debug log is as follows. Can anyone please tell me how to get this working?
>>
>
> I realise there's a lot of data, but careful examination of the end of the logfile shows?
>
>> rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
>
> Yes, you should have enabled that.
>
>> rlm_mschap: Told to do MS-CHAPv2 for NOVELL-QT5M8B08\radiususer with NT-Password
>> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>
> ...because you need to enable the with_ntdomain_hack
>
> Hope that helps.
Correction to: AD ldap search works with 1.01, fails with 1.04
Hi Folks

Correction to previous email: We can bind to the server; when the time comes to search, it fails.

radiusd -X -A

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to 192.148.xxx.xxx:389, authentication 0
rlm_ldap: bind as cn=,cn=users,dc=student,dc=acu,dc=edu,dc=au/ to 192.148.223.125:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=student,dc=acu,dc=edu,dc=au, with filter (samaccountname=testuser)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

Stephen Walsh [EMAIL PROTECTED]
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133  Fax: +61 2 6209 1179  Mobile: +61 419 496796
CRICOS Registration: 4G, 00112C, 00873F, 00885B  ABN 15 050 192 660

Stephen Walsh wrote to the FreeRadius users mailing list on 24/01/2006 04:28 PM, subject "AD ldap bind works with 1.01, fails with 1.04":

> Hi Folks
>
> We're implementing freeradius with EAP/TLS for our wireless and have found a strange happening with 1.04. This will only happen when attempting to query our student domain (w2k3 AD tree), but not our staff (w2k3 AD tree). If I remove the section (below) for student, it will authenticate staff and log them on happily. At the moment, we have
>
>           acu.edu.au
>               |
>              / \
>          staff student
>
> I have a test box with FC3/FreeRadius 1.01 which will search through both domains and authenticate the user. I copy the config over to the FC4/FreeRadius 1.04 box and it works on staff, but returns the following on student (the tree is laid out the same as staff);
>
> ldap_search() failed: Operations error
>
> Is this a bug (known or unknown) or have I just not allowed something like referrals to work? I don't want to have to put openldap on the radius box if I can help it, but if that's the only solution then we'll reassess 1.01 on FC3. Config is as below (some sanitisation done to protect the innocent networks involved).
>
> ldap student {
>     server = "192.148.xxx.xxx"
>     identity = "cn=x,cn=users,dc=student,dc=acu,dc=edu,dc=au"
>     password = "x"
>     basedn = "dc=student,dc=acu,dc=edu,dc=au"
>     filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     ldap_connections_number = 5
> }
>
> ldap staff {
>     server = "192.148.xxx.xxx"
>     identity = "cn=xx,cn=users,dc=staff,dc=acu,dc=edu,dc=au"
>     password = "xx"
>     basedn = "dc=staff,dc=acu,dc=edu,dc=au"
>     filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     ldap_connections_number = 5
> }
>
> authorize {
>     suffix
>     eap
>     staff
>     student
> }
>
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>     Auth-Type LDAP {
>         student
>         staff
AD ldap bind works with 1.01, fails with 1.04
Hi Folks

We're implementing freeradius with EAP/TLS for our wireless and have found a strange happening with 1.04. This will only happen when attempting to query our student domain (w2k3 AD tree), but not our staff (w2k3 AD tree). If I remove the section (below) for student, it will authenticate staff and log them on happily. At the moment, we have

          acu.edu.au
              |
             / \
         staff student

I have a test box with FC3/FreeRadius 1.01 which will search through both domains and authenticate the user. I copy the config over to the FC4/FreeRadius 1.04 box and it works on staff, but returns the following on student (the tree is laid out the same as staff);

ldap_search() failed: Operations error

Is this a bug (known or unknown) or have I just not allowed something like referrals to work? I don't want to have to put openldap on the radius box if I can help it, but if that's the only solution then we'll reassess 1.01 on FC3. Config is as below (some sanitisation done to protect the innocent networks involved).

ldap student {
    server = "192.148.xxx.xxx"
    identity = "cn=x,cn=users,dc=student,dc=acu,dc=edu,dc=au"
    password = "x"
    basedn = "dc=student,dc=acu,dc=edu,dc=au"
    filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
}

ldap staff {
    server = "192.148.xxx.xxx"
    identity = "cn=xx,cn=users,dc=staff,dc=acu,dc=edu,dc=au"
    password = "xx"
    basedn = "dc=staff,dc=acu,dc=edu,dc=au"
    filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
}

authorize {
    suffix
    eap
    staff
    student
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        student
        staff
    }
    eap
}

many thanks

Stephen Walsh
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133  Fax: +61 2 6209 1179  Mobile: +61 419 496796
CRICOS Registration: 4G, 00112C, 00873F, 00885B  ABN 15 050 192 660
Re: windows XP computer WPA, TKIP, PEAP, EAP-MSCHAP v2 has "No User-Password or CHAP-Password attribute in the request"
PoWah Wong <[EMAIL PROTECTED]> wrote:
> rlm_eap: EAP-NAK asked for EAP-Type/peap
> rlm_eap: No such EAP type peap

Did you try reading eap.conf, and configuring PEAP?

Alan DeKok.
Re: IC radius question
"Jake Messinger" <[EMAIL PROTECTED]> wrote: > I know this is the freeradius forum but I thought Id ask here. > I have a customer using icradius and they say that they cant easily > switch to freeradius because of several python scripts written to work > with icradius. They can switch to FreeRADIUS, which has a python module. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Bug 314..
Which file should I fix? And what should I add? According to Frank, "For 6.0, I'll fix it by unconditionally including sys/un.h in cryptocard.c"

thanks..
--haizam

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Tuesday, January 24, 2006 02:09
Subject: Re: Bug 314..

"Rohaizam Abu Bakar" <[EMAIL PROTECTED]> wrote:
> Has bug 314 been fixed? Problem with rlm_otp on FreeBSD 6.0

It's trivial to fix by hand in 1.1.0. It will be fixed permanently in 1.1.1.

Alan DeKok.
username is blank in RadAcct table (ICRADIUS)
Dear all,

I know that this is the FreeRadius forum, but since the ICRadius forum is almost dead I thought someone could help me here.

It turns out this morning that I have over 1,800,000 records in my RadAcct table with blank username. Probably I am under attack. The record is so much different than regular user records authenticated through the NAS server. In each record AcctSessionTime=1.

                     Attack                      Regular
NASIPAddress         A.B.C.D                     A.B.C.D
NASPortType          Virtual                     Async
AcctAuthentic        local                       Radius
CalledStationId      first 10 char of A.B.C.D    Regular phone number
AcctTerminateCause   Lost-Carrier                Usually User-Request
Service-Type         NAS-Prompt-User             Framed-User
NASPortId            122, 123                    *

Can anyone tell me what is going on? How can I stop this attacker?

BR,
Baynaa.
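A way to pull the pattern Baynaa describes out of an accounting table, as an added Python example that is not ICRADIUS or FreeRADIUS code. It scores each row against the indicators listed in the post (blank username, AcctSessionTime=1, Virtual port type, local authentication, NAS-Prompt-User service type, Lost-Carrier, CalledStationId carrying the first 10 characters of the NAS address) and flags rows that hit most of them; the column names are assumed to match the RadAcct table and the rows are constructed sample data.

```python
"""Flag accounting rows that match the blank-username pattern from the post.

Added example, not ICRADIUS/FreeRADIUS code. Column names follow the post
(NASIPAddress, NASPortType, ...) and are assumed to be the RadAcct columns;
the rows below are constructed, not real data.
"""
from collections import Counter


def score_row(row):
    """Count how many of the post's indicators a row matches (0..7)."""
    nas_ip = row.get("NASIPAddress", "")
    checks = [
        row.get("UserName", "") == "",
        row.get("AcctSessionTime") == 1,
        row.get("NASPortType") == "Virtual",
        row.get("AcctAuthentic") == "local",
        row.get("ServiceType") == "NAS-Prompt-User",
        row.get("AcctTerminateCause") == "Lost-Carrier",
        # CalledStationId carrying the first 10 characters of the NAS address
        bool(nas_ip) and row.get("CalledStationId") == nas_ip[:10],
    ]
    return sum(checks)


def scan(rows, threshold=6):
    """Return rows at or above the threshold and a count per (NAS, port)."""
    flagged = [r for r in rows if score_row(r) >= threshold]
    by_port = Counter((r.get("NASIPAddress"), r.get("NASPortId")) for r in flagged)
    return flagged, by_port


# Constructed sample rows: three match the pattern, two are ordinary sessions.
SUSPECT = {"UserName": "", "NASIPAddress": "203.0.113.7", "NASPortType": "Virtual",
           "AcctAuthentic": "local", "CalledStationId": "203.0.113.",
           "AcctTerminateCause": "Lost-Carrier", "ServiceType": "NAS-Prompt-User",
           "AcctSessionTime": 1}
SAMPLE_ROWS = [
    dict(SUSPECT, NASPortId=122),
    dict(SUSPECT, NASPortId=122),
    dict(SUSPECT, NASPortId=123, AcctTerminateCause="User-Request"),  # 6 of 7 indicators
    {"UserName": "bob", "NASIPAddress": "203.0.113.7", "NASPortType": "Async",
     "AcctAuthentic": "Radius", "CalledStationId": "5551234",
     "AcctTerminateCause": "User-Request", "ServiceType": "Framed-User",
     "NASPortId": 5, "AcctSessionTime": 1800},
    # A blank name on an otherwise normal session is not enough on its own.
    {"UserName": "", "NASIPAddress": "203.0.113.7", "NASPortType": "Async",
     "AcctAuthentic": "Radius", "CalledStationId": "5551234",
     "AcctTerminateCause": "User-Request", "ServiceType": "Framed-User",
     "NASPortId": 6, "AcctSessionTime": 1},
]

if __name__ == "__main__":
    flagged, by_port = scan(SAMPLE_ROWS)
    print(len(flagged), "suspicious rows;", dict(by_port))
```

Against the live table the same test is a WHERE clause on those columns; grouping the hits by NASIPAddress and NASPortId, as `scan` does, tells you which NAS and which ports (122 and 123 in the post) are producing the records, which is the first thing to check on the NAS side before touching the database.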
Realm and users file.
I'm sure someone can give me a quick answer to this problem. I have one radius server that handles requests in the form:

username
[EMAIL PROTECTED]
[EMAIL PROTECTED]

We have this setup in our proxy.conf file:

realm domain1.com {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}

realm domain2.net {
    type = radius
    authhost = server.domain2.net:1645
    accthost = LOCAL
    secret = **
}

And it uses the "users" file for local stuff. Everything works fine except when the username at the realm domain2.net server matches a name in the "users" file on the domain1.com server. We have usernames in the domain1.com "users" file that reject:

username    Auth-Type := Reject

These users have DSL access but no phone line access and belong to the domain1.com server. But once in a while they will have the same username on each system. The result is domain2.net will Auth OK them but they cannot get on line because domain1.com will reject them because of the "users" file. How do I fix this problem?

Thanks!
Ken
IC radius question
I know this is the freeradius forum but I thought I'd ask here. I have a customer using icradius and they say that they can't easily switch to freeradius because of several python scripts written to work with icradius. So, their problem. They are seeing THIS error in their radius logs:

Check list does not match request list [USER] (from nas access-2#2/S99 cli 5094441590)

It only happens with S99 and only with this 2nd Lucent Portmaster 4 they recently installed. The first pm4 and 2 other pm3's never get this error. They ARE using the NAS-PORT-TYPE attribute if that has possibly anything to do with it. I'm wondering why it's coming from S99? There is no port s99 on a Portmaster 4.

~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
Jake Messinger, VP.       ph: 713-772-6690    Visit: portmasters.com
AMS, Inc.                 fx: 713-774-3498           advmed.com
8300 Bissonnet #400       [EMAIL PROTECTED]          profjake.com
Houston, Texas 77074      http://jakes.org           homestarrunner.com
ICQ# 4403734  YAHOO: prof_jake  AIM: profjake  MSN: [EMAIL PROTECTED]
Adjunct Professor University of Houston, CBA [EMAIL PROTECTED]
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
NAS-IP-address == "10.1.2.0/24" allowed?
Hi,

Again, a newbie question that I failed to find the answer to in the FAQ or wiki. I would like to restrict user login by NAS-IP-address or fqdn if possible. Therefore I can restrict a user to logging in to a group of devices.

user1    Auth-Type := Local, User-Password == "sceret", NAS-IP-address == "10.1.2.0/24"
    ...

It works if NAS-IP-address == "10.1.2.3", but that will require ~250 entries in the users file. Can it be grouped into /24, or does NAS-Network-address exist? How about using a DNS name, something like

user1    Auth-Type := Local, User-Password == "sceret", NAS-fqdn =~ /*.(core|edge).domain/
    ...

Thanks a lot,
Min
Re: FreeRadius-1.1.0 - rlm_digest with MD5 passwords in a MySQL db
Evan Borgström <[EMAIL PROTECTED]> wrote:
> I've been spending my day trying to get rlm_digest to work with
> encrypted passwords in a MySQL database.

It won't work. Digest requires access to the clear-text passwords, OR the Digest-HA1 form of the password.

> When I use the User-Password
> attribute with a plain text password then digest authentication works
> fine, however when I change the attribute to MD5-Password I get the
> following on the console when running radiusd -X;

If you're trying to use the straight MD5 hashed version of the password, it won't work. Ever. The protocol was designed to make it impossible.

The PW_MD5_PASSWORD stuff in 1.1.0 is commented out for a number of reasons, at least one of which is the hashed password should be called Digest-HA1, and not MD5-Password.

Alan DeKok.
Re: windows XP computer WPA, TKIP, PEAP, EAP-MSCHAP v2 has "No User-Password or CHAP-Password attribute in the request"
"users" file is changed to: testAuth-Type = Local, User-Password := "testing" However, still has problem. Debug output is: rad_recv: Access-Request packet from host 127.0.0.1:52001, id=42, length=149 Framed-MTU = 1380 NAS-IP-Address = 0.0.0.0 NAS-Identifier = "wifictrl" User-Name = "test" NAS-Port-Id = ":2:2" Service-Type = Framed-User NAS-Port-Type = Wireless-802.11 Called-Station-Id = "00-f0-00-06-67-c0" Calling-Station-Id = "00-20-a6-57-7a-d1" State = 0x41653c6968055aecfa354aa7a6ed95a0 EAP-Message = 0x020200060319 Message-Authenticator = 0x6b63991cc7c8d008d37a418927f261a4 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched test at 90 radius_xlat: 'Hello, test' modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: No such EAP type peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 2 modcall: group authenticate returns invalid for request 2 auth: Failed to validate the user. Delaying request 2 for 1 seconds Finished request 2 Going to the next request Waking up in 6 seconds... 
--- Walking the entire request list --- Cleaning up request 1 ID 41 with timestamp 43d55f0d Sending Access-Reject of id 42 to 127.0.0.1:52001 EAP-Message = 0x04020004 Message-Authenticator = 0x Reply-Message = "Hello, test" Cleaning up request 2 ID 42 with timestamp 43d55f0d Nothing to do. Sleeping until we see a request. --- Alan DeKok <[EMAIL PROTECTED]> wrote: > PoWah Wong <[EMAIL PROTECTED]> wrote: > > I configure /etc/raddb/users as follows: > > testAuth-Type := Local, User-Password == > "testing" > > That should be > > testAuth-Type = Local, User-Password := > "testing" > > See the "man" page for the "users" file, and other > posts to this list. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > __ Find your next car at http://autos.yahoo.ca - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius-1.1.0 - rlm_digest with MD5 passwords in a MySQL db
Hi Evan,

I don't have much experience with the FR 'sql' module. I know it is possible to achieve what you want using LDAP as a backend database. In this case, the password is mapped to an LDAP attribute (ex. userPassword), whose value is pulled out during the 'authorize' process. I don't know whether a similar operation can be expected with 'sql'; maybe someone else has an answer.

On 1/23/06, Evan Borgström <[EMAIL PROTECTED]> wrote:
> Hey All,
>
> I've been spending my day trying to get rlm_digest to work with
> encrypted passwords in a MySQL database. When I use the User-Password
> attribute with a plain text password then digest authentication works
> fine, however when I change the attribute to MD5-Password I get the
> following on the console when running radiusd -X;
>
> rlm_digest: Configuration item "User-Password" or MD5-Password is
> required for authentication.
>

Just for testing purposes, have you tried using the 'users' file?

> So, how do I get encrypted password storage to work? Does anyone have
> any pointers on where to go from here?
>

The following URL might help: http://wiki.freeradius.org/index.php/Digest

Regards,
Philippe
Re: FreeRadius in a production environment
On Friday 20 January 2006 06:31, Susana Macias wrote:
> Hy :-)
>
> I am interested to know about success stories of people using FreeRadius
> in a production environment. I have read
> http://www.freeradius.org/testimonials.html but I would like to obtain a
> few more experiences.
>
> Best regards, Susana

We use FreeRADIUS for dialup/DSL, NAS ip pool definitions for Ascend Max-TNT, and NAS/router administration access. Our backend data is stored on replicated MySQL servers. After 5+ years of use, we're still pleased with the superb software that has developed over the years.

Kevin Bonner
Re: problem with EAP-TLS
dark0s dark0s wrote:
> Do I have to use wpa_supplicant even if I don't use
> WPA?
> Because probably I will use only WEP
>

Yes, when you use EAP-TLS, because the supplicant that comes with the driver is completely broken. But when you have Windows XP SP2 and the extra WPA update you can try to use the built-in supplicant of Windows. But I haven't tested this.
Re: problem with EAP-TLS
Do I have to use wpa_supplicant even if I don't use WPA?
Because probably I will use only WEP
FreeRadius-1.1.0 - rlm_digest with MD5 passwords in a MySQL db
Hey All,

I've been spending my day trying to get rlm_digest to work with encrypted passwords in a MySQL database. When I use the User-Password attribute with a plain text password then digest authentication works fine, however when I change the attribute to MD5-Password I get the following on the console when running radiusd -X;

rlm_digest: Configuration item "User-Password" or MD5-Password is required for authentication.

Looking through the rlm_digest.c file I found that PW_MD5_PASSWORD needs to be defined before the module will look for the MD5-Password attribute, and following how PW_PASSWORD is defined I added -DPW_MD5_PASSWORD=1095 to the compile options and still got the same message. I defined the same value in radiusd.h and again got the same message.

So, how do I get encrypted password storage to work? Does anyone have any pointers on where to go from here?

Thanks,
Evan
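Alan's answer earlier in this thread (Digest needs the clear-text password or the Digest-HA1 form, and a plain MD5 of the password can never work) comes down to the arithmetic in RFC 2617. The following added Python example, not FreeRADIUS or rlm_digest code, shows a verifier that holds only HA1, and that the same verifier fails when handed MD5(password) in its place. The sample exchange is the worked example from RFC 2617 section 3.5; the function names are this example's own.

```python
"""Checking a Digest response from a stored Digest-HA1 rather than a clear-text password.

Added example, not FreeRADIUS or rlm_digest code. The arithmetic is RFC 2617's:
    HA1      = MD5(username:realm:password)
    HA2      = MD5(method:uri)
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)   with qop=auth
    response = MD5(HA1:nonce:HA2)                 without qop
A verifier therefore needs either the password or HA1. A bare MD5(password)
is a different value and cannot be turned into HA1.
"""
import hashlib
import hmac


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """The value worth storing instead of the password: Digest-HA1."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    ha2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def verify_with_stored_ha1(stored_ha1, client_resp, method, uri, nonce,
                           qop=None, nc=None, cnonce=None):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, qop, nc, cnonce)
    return hmac.compare_digest(expected, client_resp)


# Sample exchange taken from the worked example in RFC 2617 section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
METHOD, URI = "GET", "/dir/index.html"
NONCE, CNONCE, NC, QOP = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001", "auth"


def client_response(password):
    """What a client holding the password sends back."""
    return digest_response(digest_ha1(USER, REALM, password), METHOD, URI, NONCE, QOP, NC, CNONCE)


def demo():
    stored_ha1 = digest_ha1(USER, REALM, PASSWORD)  # Digest-HA1 column: works
    stored_md5 = md5hex(PASSWORD)                    # MD5-Password column: useless here
    good = client_response(PASSWORD)
    args = (METHOD, URI, NONCE, QOP, NC, CNONCE)
    return {
        "ha1_verifies": verify_with_stored_ha1(stored_ha1, good, *args),
        "wrong_password_rejected": verify_with_stored_ha1(stored_ha1, client_response("wrong"), *args),
        "md5_password_verifies": verify_with_stored_ha1(stored_md5, good, *args),
    }


if __name__ == "__main__":
    print(demo())
```

HA1 is bound to the realm, so a database holding it is only useful for that realm's Digest exchanges, which is the property that makes it an acceptable stored form where a bare password hash is not.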
dialup-admin problem
I've installed freeradius 1.1.0, went through all the tests and everything (the tests) seems to be working fine there. My platform is:

Fedora Core 4
Sendmail 8.13.4
Apache 2.0.54
MySQL 4.1.16
PHP 5.0.5-2.1
Freeradius 1.1.0

I've also followed the instructions for the dialup-admin, and have run into a problem. When I view servername.com/dialup-admin, I can see the first page just fine, but when I click on any link on the left, the right side just turns white - nothing displays. The "home" link brings me back to the "A web based administration interface for the freeradius radius server" page, but no other links seem to bring anything up.

Here's what I did:

1. Copied the directory dialup-admin to the /user/local/ directory

2. In /var/www/html I created a symlink to /user/local/dialup-admin/htdocs named dialup-admin

   ln -s /usr/local/dialup-admin/htdocs /var/www/html/dialup-admin

3. Edited httpd.conf to the following

   # Scott Added for freeradius dialup-admin
   #LoadModule php4_module libexec/libphp4.so
   #AddModule mod_php4.c
   AddType application/x-httpd-php .php
   AddType application/x-httpd-php .php3

   I had to comment out the first two lines, because httpd kept failing and producing the error:

   Apache 1.3 configuration directives found please read /usr/share/doc/httpd-2.0.54/migration.html

4. I did not do: [1.3.2.2] Creating a more secure web interface. - wanting to make it work first, then will start securing it.

5. Created the 4 additional MySQL Databases according to the instructions and all look fine.

6. I then went through the general configuration options. I commented out all LDAP options, and fixed the following:

general_prefered_lang: en
general_prefered_lang_name: English
general_charset: iso-8859-1
#general_decode_normal_attributes: yes
general_base_dir: /usr/local/dialup-admin
general_radiusd_base_dir: /usr/local/radiusd
general_use_session: no
general_most_recent_fl: 30
#general_strip_realms : yes
general_realm_delimiter: @
general_realm_format: suffix
general_show_user_password: yes
general_raddb_dir: %{general_radiusd_base_dir}/etc/raddb
general_ldap_attrmap: %{general_raddb_dir}/ldap.attrmap
#general_clients_conf: %{general_raddb_dir}/clients.conf
general_clients_conf: /usr/local/etc/raddb/clients.conf
general_sql_attrmap: %{general_base_dir}/conf/sql.attrmap
general_accounting_attrs_file: %{general_base_dir}/conf/accounting.attrs
general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap
general_lib_type: sql
general_user_edit_attrs_file: %{general_base_dir}/conf/user_edit.attrs
general_sql_attrs_file: %{general_base_dir}/conf/sql.attrs
general_default_file: %{general_base_dir}/conf/default.vals
#general_ld_library_path: /usr/local/snmpd/lib
general_finger_type: snmp
general_nas_type: cisco
general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
general_radclient_bin: %{general_radiusd_base_dir}/bin/radclient
general_test_account_login: test
general_test_account_password: testpass
general_radius_server: localhost
general_radius_server_port: 1812
general_radius_server_auth_proto: pap
general_radius_server_secret: commented-out
general_auth_request_file: %{general_base_dir}/conf/auth.request
general_encryption_method: crypt
general_accounting_info_order: desc
general_stats_use_totacct: no
general_restrict_badusers_access: no
INCLUDE: %{general_base_dir}/conf/naslist.conf
INCLUDE: %{general_base_dir}/conf/captions.conf
#ldap_server: ldap.%{general_domain}
#ldap_write_server: master.%{general_domain}
#ldap_base: dc=company,dc=com
#ldap_binddn: cn=Directory Manager
#ldap_bindpw: XXX
#ldap_default_new_entry_suffix: ou=dialup,ou=guests,%{ldap_base}
#ldap_default_dn: uid=default-dialup,%{ldap_base}
#ldap_regular_profile_attr: dialupregularprofile
#ldap_use_http_credentials: yes
#ldap_directory_manager: cn=Directory Manager
#ldap_map_to_directory_manager: admin
#ldap_debug: true
# Allow for defining the ldap filter used when searching for a user
# Variables supported:
# %u: username
# %U: username provided though http authentication
# %mu: mappings for userdb
# %ma: mappings for accounting
#ldap_filter: (uid=%u)
#ldap_userdn: uid=%u,%{ldap_base}
sql_type: mysql
sql_server: localhost
sql_port: 3306
sql_username: xxx
sql_password: xxx
sql_database: radius
sql_accounting_table: radacct
sql_badusers_table: badusers
sql_check_table: radcheck
sql_reply_table: radreply
sql_user_info_table: userinfo
sql_groupcheck_table: radgroupcheck
sql_groupreply_table: radgroupreply
sql_usergroup_table: usergroup
sql_total_accounting_table: totacct
sql_nas_table: nas
sql_command: /usr/local/bin/mysql
general_snmp_type: net
general_snmpwalk_command: /usr/local/bin/snmpwalk
general_snmpget_command: /usr/local/bin/snmpget
sql_debug: true
#sql_use_http_credentials: yes
#sql_accounting_extra_query: %ma
sql_use_user_info_table: true
sql_use_operators: true
#sql_default_user_profile: DEFAULT
sql_password_attribute: User-Password
sql_date_form
bandwitch
Have you got some papers about radius+pppoe+bandwidth (htb)? I have got something from this page: http://underlinux.com.br/modules.php?name=News&file=print&sid=4447 But that isn't what I want.

Thanks!
Re: windows XP computer WPA, TKIP, PEAP, EAP-MSCHAP v2 has "No User-Password or CHAP-Password attribute in the request"
PoWah Wong <[EMAIL PROTECTED]> wrote:
> I configure /etc/raddb/users as follows:
> test    Auth-Type := Local, User-Password == "testing"

That should be

test    Auth-Type = Local, User-Password := "testing"

See the "man" page for the "users" file, and other posts to this list.

Alan DeKok.
Re: Bug 314..
"Rohaizam Abu Bakar" <[EMAIL PROTECTED]> wrote: > Has bug 314 been fixed? Problem with rlm_otp on FreeBSD 6.0 It's trivial to fix by hand in 1.1.0. It will be fixed permanently in 1.1.1. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ignore the authentication request
Is it possible to ignore the authentication request instead of answering with reject if the user doesn't exist? I'm using freeradius to authenticate users in a cisco vpn concentrator and I need to have some users in the vpn internal database, but I can only use the internal database if the radius server is down.

Antonio
Radius can't connect to LDAP
We are running FreeRADIUS v. 1.0.2
2x load-balanced LDAP servers - Sun ONE DS 5.2 on W2k3 Ent. with network load balancing. One of the LDAPs is the primary and is handling the auth traffic.

Here is the issue we're seeing: Approximately 10-20 times per day users are unable to authenticate - despite using correct credentials. The radius server reports bind failed because it "Can't contact LDAP server". The LDAP logs show the bind, search, and reply for the "does this user exist" request. Sometimes this search is repeated a couple of times. However, there is no follow-up bind as this user for checking the creds. If the user tries again in 30secs or more, they succeed - with the same creds as before.

Any ideas? Thanks for any help! Below are excerpts from the logs:

Radius log entry

rlm_ldap: - authorize
rlm_ldap: performing user authorization for someuser
radius_xlat: '(uid=someuser)'
radius_xlat: 'ou=people,dc=uttyler,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=uttyler,dc=edu, with filter (uid=someuser)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to ldap.uttyler.edu:389, authentication 0
rlm_ldap: bind as uid=radiususer,ou=special users,dc=uttyler,dc=edu/radius_password to ldap.uttyler.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=uttyler,dc=edu, with filter (uid=someuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user someuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 987
modcall: group authorize returns ok for request 987
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 987
rlm_ldap: - authenticate
rlm_ldap: login attempt by "someuser" with password "04191987"
rlm_ldap: user DN: uid=someuser,ou=People,dc=uttyler,dc=edu
rlm_ldap: (re)connect to ldap.uttyler.edu:389, authentication 1
rlm_ldap: bind as uid=someuser,ou=People,dc=uttyler,dc=edu/04191987 to ldap.uttyler.edu:389
rlm_ldap: uid=someuser,ou=People,dc=uttyler,dc=edu bind to ldap.uttyler.edu:389 failed: Can't contact LDAP server
rlm_ldap: ldap_connect() failed
modcall[authenticate]: module "ldap" returns fail for request 987
modcall: group Auth-Type returns fail for request 987
auth: Failed to validate the user.
Login incorrect: [someuser/04191987] (from client AireSpace port 0 cli 10.3.1.72)
Delaying request 987 for 1 seconds
Finished request 987
Going to the next request

LDAP Log
--
[23/Jan/2006:07:47:13 -0600] conn=886 op=1 msgId=2 - SRCH base="ou=people,dc=uttyler,dc=edu" scope=2 filter="(uid=someuser)" attrs="radiusexpiration acctflags ntpassword lmpassword radiuscallingstationid radiuscalledstationid radiussimultaneoususe radiusauthtype radiuscheckitem radiusloginlatport radiusportlimit radiusframedappletalkzone radiusframedappletalknetwork radiusframedappletalklink radiusloginlatgroup radiusloginlatnode radiusloginlatservice radiusterminationaction radiusidletimeout radiussessiontimeout radiusclass radiusframedipxnetwork radiuscallbackid radiuscallbacknumber radiuslogintcpport radiusloginservice radiusloginiphost radiusframedcompression radiusframedmtu radiusfilterid radiusframedrouting radiusframedroute radiusframedipnetmask radiusframedipaddress radiusframedprotocol radiusservicetype radiusreplyitem"
[23/Jan/2006:07:47:13 -0600] conn=886 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2006:07:47:24 -0600] conn=886 op=2 msgId=3 - SRCH base="ou=people,dc=uttyler,dc=edu" scope=2 filter="(uid=someuser)" attrs="radiusexpiration acctflags ntpassword lmpassword radiuscallingstationid radiuscalledstationid radiussimultaneoususe radiusauthtype radiuscheckitem radiusloginlatport radiusportlimit radiusframedappletalkzone radiusframedappletalknetwork radiusframedappletalklink radiusloginlatgroup radiusloginlatnode radiusloginlatservice radiusterminationaction radiusidletimeout radiussessiontimeout radiusclass radiusframedipxnetwork radiuscallbackid radiuscallbacknumber radiuslogintcpport radiusloginservice radiusloginiphost radiusframedcompression radiusframedmtu radiusfilterid radiusframedrouting radiusframedroute radiusframedipnetmask radiusframedipaddress radiusframedprotocol radiusservicetype radiusreplyitem"
[23/Jan/2006:07:47:24 -0600] conn=886 op=2 msgId=3 - RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2006:07:47:25 -0600] conn=887 op=-1 msgId=-1 - fd=1132 slot=1132 LDAP connection from 198.213.57.20 to 198.213.56.5
[23/Jan/2006:07:47:25 -0600]
RE: MS-CHAP and Local Authentication
Great, it's working now.

Thanks
Antonio

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Mayers
Sent: Monday, 23 January 2006 12:27
To: FreeRadius users mailing list
Subject: Re: MS-CHAP and Local Authentication

ALMEIDA Antonio Jose wrote:
> Hello,
> Can someone tell me how can I configure the users file (with the default
> configuration - I'm just starting to use freeradius) to permit the same
> user to be authenticated by MS-CHAP and Local? Now I have something like
> this:
>
> User1    Auth-Type := Local, Password == "password"
>
> User2    Auth-Type := MS-CHAP, Password == " password "
>
> I need to make User1 and User2 the same.

Firstly, "Password" is a configure item and should really be set with := unconditionally.

Secondly, you're setting Auth-Type with := which overwrites whatever is there, which is probably why MS-CHAP isn't working (Local will be overwriting it).

Assuming you have the server otherwise set up with the defaults, which have mschap BEFORE files in authorize, this will work:

user    Auth-Type = Local, Password := "password"

Because (in the default config) mschap runs before files, therefore Auth-Type will already be set to MS-CHAP and the "=" won't overwrite it, but will set it if it's otherwise unset.
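The operator semantics Phil relies on here (and the same `:=` versus `=` correction Alan gives PoWah Wong in the PEAP thread earlier on this page) are easy to get wrong, so the following added Python model, which is not FreeRADIUS code, walks a users-file entry through a request the way rlm_files does per users(5): `==` requires the attribute in the request with that value, `:=` always sets the configuration item, and `=` sets it only if nothing set it earlier. The MS-CHAP request and the control list that mschap has already filled in are constructed; treating `Password` as an alias of `User-Password` is this example's assumption, since the posted entries use that older name.

```python
"""Model of how rlm_files applies users-file check items (=, :=, ==).

Added example, not FreeRADIUS code. Semantics follow the users(5) man page:
  ==  the request must contain the attribute with exactly this value
  :=  always matches; sets or overwrites the configuration (control) item
  =   sets the configuration item only if no earlier module set it
"""
import re

# Assumption: the old dictionary alias "Password" stands for User-Password.
ALIASES = {"Password": "User-Password"}

ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def parse_entry(line):
    """Split 'name attr op value, ...' into (name, [(attr, op, value), ...])."""
    name, rest = line.strip().split(None, 1)
    items = []
    for attr, op, value in ITEM_RE.findall(rest):
        items.append((ALIASES.get(attr, attr), op, value.strip('"')))
    return name, items


def apply_entry(line, request, control):
    """Return (matched, new_control). control is unchanged when the entry fails."""
    name, items = parse_entry(line)
    if request.get("User-Name") != name:
        return False, dict(control)
    new_control = dict(control)
    for attr, op, value in items:
        if op == "==":
            if request.get(attr) != value:      # check item failed: no match
                return False, dict(control)
        elif op == ":=":
            new_control[attr] = value           # unconditional overwrite
        elif op == "=":
            new_control.setdefault(attr, value)  # keep what mschap etc. already set
    return True, new_control


# The two entries from the thread.
ORIGINAL = 'User1    Auth-Type := Local, Password == "password"'
FIXED = 'User1    Auth-Type = Local, Password := "password"'

# Constructed requests. A PAP request carries User-Password; an MS-CHAP
# request does not, and the mschap module has already set Auth-Type.
PAP_REQUEST = {"User-Name": "User1", "User-Password": "password"}
MSCHAP_REQUEST = {"User-Name": "User1", "MS-CHAP-Challenge": "<constructed>",
                  "MS-CHAP2-Response": "<constructed>"}
AFTER_MSCHAP = {"Auth-Type": "MS-CHAP"}


def walkthrough():
    """Run both entries against both request kinds; returns a dict of outcomes."""
    return {
        "original_pap": apply_entry(ORIGINAL, PAP_REQUEST, {}),
        "original_mschap": apply_entry(ORIGINAL, MSCHAP_REQUEST, AFTER_MSCHAP),
        "fixed_pap": apply_entry(FIXED, PAP_REQUEST, {}),
        "fixed_mschap": apply_entry(FIXED, MSCHAP_REQUEST, AFTER_MSCHAP),
        # What the := form of Auth-Type does to the value mschap already set.
        "overwrite_mschap": apply_entry('User1 Auth-Type := Local, Password := "password"',
                                        MSCHAP_REQUEST, AFTER_MSCHAP),
    }


if __name__ == "__main__":
    for case, result in walkthrough().items():
        print(f"{case:17} matched={result[0]} control={result[1]}")
```

The `original_mschap` case shows the second half of the problem: `Password == "password"` can never match an MS-CHAP request, because the request has no clear-text password to compare against, so the entry fails before Auth-Type is even considered. With the `FIXED` form the clear-text password lands in the control list either way, and Auth-Type stays MS-CHAP when mschap got there first.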
Re: windows XP computer WPA, TKIP, PEAP, EAP-MSCHAP v2 has "No User-Password or CHAP-Password attribute in the request"
Now I used

# radiusd -X

I configure /etc/raddb/users as follows:

test    Auth-Type := Local, User-Password == "testing"
        Reply-Message = "Hello, %u"

I authenticate at my windows xp wireless computer by entering this data as follows:

User name: test
Password: testing
Logon domain:

This is the radius debug output:

rad_recv: Access-Request packet from host 127.0.0.1:52001, id=40, length=134
        Framed-MTU = 1380
        NAS-IP-Address = 0.0.0.0
        NAS-Identifier = "wifictrl"
        User-Name = "test"
        NAS-Port-Id = ":2:2"
        Service-Type = Framed-User
        NAS-Port-Type = Wireless-802.11
        Called-Station-Id = "00-f0-00-06-67-a8"
        Calling-Station-Id = "00-20-a6-57-7a-e9"
        EAP-Message = 0x020100090174657374
        Message-Authenticator = 0x3157a2bead5a4a286220ffe87a7b7842
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched test at 90
radius_xlat: 'Hello, test'
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 40 to 127.0.0.1:52001
        Reply-Message = "Hello, test"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 40 with timestamp 43d4f7e2
Nothing to do.  Sleeping until we see a request.

--- [EMAIL PROTECTED] wrote:
> Hi,
>
> > My freeradius client is a windows XP SP2 computer
> > running 802.11 WPA, TKIP, PEAP, EAP-MSCHAP v2 and
> > trying to connect to the linux Fedora Core 2 wireless
> > server.
> >
> > I run the freeradius server in debugging mode
> > # radiusd -sfxxyz -l stdout
>
> why not radiusd -X ?
>
> > rad_check_password: Found Auth-Type Local
> > auth: type Local
> > auth: No User-Password or CHAP-Password attribute in
> > the request
> > auth: Failed to validate the user.
>
> do you have this user listed in the Users file? how exactly
> are you trying to authenticate them?
>
> alan
IPPOOL PROBLE
Hi all,

I installed FR 1.0.5 on a Solaris 8 machine:

$ ./configure --localstatedir=/var --sysconfdir=/etc --with-openssl-libraries=/usr/local/ssl/lib --with-openssl-includes=/usr/local/ssl/include
$ make
# make install

and all seemed to be OK. But when I tried to test the ippool module I obtained a segmentation fault when I ran radiusd.

Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Segmentation Fault - core dumped

In my rlm_ippool directory I have:

# pwd
.../freeradius-1.0.5/src/modules/rlm_ippool
# ls
acconfig.h   config.log     configure.in  Makefile.in   rlm_ippool_tool.c
config.h     config.status  CVS           rlm_ippool.c  rlm_ippool_tool.pod
config.h.in  configure      Makefile      rlm_ippool_tool.8
#

Has the rlm_ippool module compiled well? How can I resolve the problem?

Thank you very much

Rafa
Re: MS-CHAP and Local Authentication
ALMEIDA Antonio Jose wrote:
> Hello,
> Can someone tell me how I can configure the users file (with the default
> configuration - I'm just starting to use freeradius) to permit the same
> user to be authenticated by MS-CHAP and Local? Now I have something like
> this:
>
> User1 Auth-Type := Local, Password == "password"
>
> User2 Auth-Type := MS-CHAP, Password == " password "
>
> I need to make User1 and User2 the same.

Firstly, "Password" is a configure item and should really be set with := unconditionally.

Secondly, you're setting Auth-Type with := which overwrites whatever is there, which is probably why MS-CHAP isn't working (Local will be overwriting it)

Assuming you have the server otherwise set up with the defaults, which have mschap BEFORE files in authorize, this will work:

user Auth-Type = Local, Password := "password"

Because (in the default config) mschap runs before files, therefore Auth-Type will already be set to MS-CHAP and the "=" won't overwrite it, but will set it if it's otherwise unset.
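The operator behaviour described in this reply, and the "No User-Password or CHAP-Password attribute" reject seen in the PEAP thread above, come from the same mechanism: a later module with ":=" overwrites the Auth-Type an earlier module set. The model below is an added example, not FreeRADIUS code; it assumes the 1.x default authorize order (mschap and eap before files) and that mschap/eap only set Auth-Type when it is still unset.

```python
# Added example (not FreeRADIUS code): a small model of how users-file
# operators interact with module order in the 1.x default authorize section.
# Assumptions: mschap/eap set Auth-Type only if still unset, files runs last.

def apply_users_entry(control, entry):
    """Apply a users-file check list to the control items.

    ":=" always sets the item, "=" sets it only if absent, "==" is a
    comparison against the request and modifies nothing (simplified here).
    """
    for attr, op, value in entry:
        if op == ":=":
            control[attr] = value
        elif op == "=":
            control.setdefault(attr, value)
        elif op != "==":
            raise ValueError(f"unsupported operator {op!r}")
    return control

def authorize(request, entry):
    """Simplified authorize section: mschap, eap, then files."""
    control = {}
    if "MS-CHAP-Response" in request or "MS-CHAP2-Response" in request:
        control.setdefault("Auth-Type", "MS-CHAP")       # rlm_mschap
    if "EAP-Message" in request:
        control.setdefault("Auth-Type", "EAP")           # rlm_eap
    return apply_users_entry(control, entry)             # rlm_files

def authenticate(request, control):
    """Outcome the authenticate section would reach for these items."""
    auth_type = control.get("Auth-Type")
    if auth_type == "Local":
        # Local needs a plaintext password in the request; EAP and
        # MS-CHAP requests carry none, hence the reject in the thread.
        if "User-Password" not in request:
            return "reject: No User-Password or CHAP-Password attribute"
        if request["User-Password"] != control.get("Password"):
            return "reject: password mismatch"
        return "accept"
    return f"handled by {auth_type}"

# Constructed sample requests and the two users entries from the thread.
MSCHAP_REQ = {"User-Name": "user", "MS-CHAP2-Response": "<constructed>"}
PAP_REQ = {"User-Name": "user", "User-Password": "password"}
BAD_ENTRY = [("Auth-Type", ":=", "Local"), ("Password", ":=", "password")]
GOOD_ENTRY = [("Auth-Type", "=", "Local"), ("Password", ":=", "password")]

if __name__ == "__main__":
    for label, entry in (("Auth-Type :=", BAD_ENTRY), ("Auth-Type  =", GOOD_ENTRY)):
        for req in (MSCHAP_REQ, PAP_REQ):
            print(label, sorted(req), "->", authenticate(req, authorize(req, entry)))
```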
Re: PEAP-MSCHAPv2 authentication failure
Sayantan Bhowmick wrote:
> Hi,
> I am trying to do PEAP MSCHAPv2 authentication. I am using
> FreeRADIUS version 1.1.0 on Suse 9.0 and WinXP as the Supplicant. When I
> select "Automatically use my Windows Logon name and password
> (and domain if any)" in the network properties, WinXP tries to login as
> domain-name\\user-name. I have enabled the "realm ntdomain" option in
> radiusd.conf and have created an entry in the proxy.conf file. However
> the authentication still fails. I am using eDirectory as my user store
> (I cannot use the ntlm_auth option as I do not have an AD setup). The
> debug log is as follows. Can anyone please tell me how to get this
> working?

I realise there's a lot of data, but careful examination of the end of the logfile shows?

> rlm_mschap: NT Domain delimeter found, should we have enabled
> with_ntdomain_hack?

Yes, you should have enabled that.

> rlm_mschap: Told to do MS-CHAPv2 for NOVELL-QT5M8B08\radiususer with
> NT-Password
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

...because you need to enable the with_ntdomain_hack

Hope that helps.
MS-CHAP and Local Authentication
Hello,

Can someone tell me how I can configure the users file (with the default configuration - I'm just starting to use freeradius) to permit the same user to be authenticated by MS-CHAP and Local? Now I have something like this:

User1 Auth-Type := Local, Password == "password"

User2 Auth-Type := MS-CHAP, Password == " password "

I need to make User1 and User2 the same.

Antonio
RE: NAS table
I have wondered about this for a while now as well. Would be most interested to know the status of it and what backends are supported.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santiago Balaguer García
Sent: 23 January 2006 08:47
To: freeradius-users@lists.freeradius.org
Subject: NAS table

Hi people,

I have been using freeradius as an authentication service for two years. I use freeradius 1.0.4 on Debian servers. My question is: I use the clients.conf file for my NAS clients; however, I read in the freeradius doc that this file can be supported in a database (it is very useful for me because I have an administration web for controlling my radius accounts). I saw that if I put 'readclients=yes' in my postgres.conf file perhaps it works, but it does not work. So, what do I have to write in order to have all NAS information in my database?

Thanks,

Santiago
PEAP-MSCHAPv2 authentication failure
Hi,

I am trying to do PEAP MSCHAPv2 authentication. I am using FreeRADIUS version 1.1.0 on Suse 9.0 and WinXP as the Supplicant. When I select "Automatically use my Windows Logon name and password (and domain if any)" in the network properties, WinXP tries to login as domain-name\\user-name. I have enabled the "realm ntdomain" option in radiusd.conf and have created an entry in the proxy.conf file. However the authentication still fails. I am using eDirectory as my user store (I cannot use the ntlm_auth option as I do not have an AD setup). The debug log is as follows. Can anyone please tell me how to get this working?

rad_recv: Access-Request packet from host 10.0.0.1:21647, id=96, length=190
Sending Access-Reject of id 96 to 10.0.0.1 port 21647
        EAP-Message = 0x04070004
        Message-Authenticator = 0x
--- Walking the entire request list ---
Cleaning up request 29 ID 90 with timestamp 43cde14f
Cleaning up request 30 ID 91 with timestamp 43cde14f
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 10.0.0.1:21647, id=97, length=165
        User-Name = "NOVELL-QT5M8B08\\radiususer"
        Framed-MTU = 1400
        Called-Station-Id = "0040.96a3.2e04"
        Calling-Station-Id = "0002.2da4.e20e"
        Message-Authenticator = 0xc0e1ca5411e453f15a1eb6bd2ee27743
        EAP-Message = 0x0201001f014e4f56454c4c2d5154354d384230385c72616469757375736572
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 400
        Service-Type = Framed-User
        NAS-IP-Address = 10.0.0.1
        NAS-Identifier = "ap"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 36
  modcall[authorize]: module "preprocess" returns ok for request 36
  modcall[authorize]: module "chap" returns noop for request 36
  modcall[authorize]: module "mschap" returns noop for request 36
    rlm_realm: No '@' in User-Name = "NOVELL-QT5M8B08\radiususer", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 36
    rlm_realm: Looking up realm "NOVELL-QT5M8B08" for User-Name = "NOVELL-QT5M8B08\radiususer"
    rlm_realm: Found realm "NOVELL-QT5M8B08"
    rlm_realm: Adding Stripped-User-Name = "radiususer"
    rlm_realm: Proxying request from user radiususer to realm NOVELL-QT5M8B08
    rlm_realm: Adding Realm = "NOVELL-QT5M8B08"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "ntdomain" returns noop for request 36
  rlm_eap: EAP packet type response id 1 length 31
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 36
  modcall[authorize]: module "files" returns notfound for request 36
rlm_ldap: - authorize
rlm_ldap: performing user authorization for radiususer
radius_xlat: '(cn=radiususer)'
radius_xlat: 'o=novell'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=novell, with filter (cn=radiususer)
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 36
modcall: leaving group authorize (returns updated) for request 36
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 36
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 36
modcall: leaving group authenticate (returns handled) for request 36
Sending Access-Challenge of id 97 to 10.0.0.1 port 21647
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0x30170192891d3d63f0d026f17eb0b65e
Finished request 36
Going to the next request
--- Walking the entire request list ---
Cleaning up request 31 ID 92 with timestamp 43cde150
Cleaning up request 32 ID 93 with timestamp 43cde150
Cleaning up request 33 ID 94 with timestamp 43cde150
Cleaning up request 34 ID 95 with timestamp 43cde150
Cleaning up request 35 ID 96 with timestamp 43cde150
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.1:21647, id=98, length=264
        User-Name = "NOVELL-QT5M8B08\\radiususer"
        Framed-MTU = 1400
        Called-Station-Id = "0040.96a3.2e04"
        Calling-Station-Id = "0002.2da4.e20e"
        Message-Authenticator = 0xbae42c51a49613f3780756f23a9426a4
        EAP-Message = 0x02020070198000661603010061015d030143cde01037e38d07b56687db452982f13b38491004de1d3e5e7ebd2d8c38d2852098cad41ce7d8a49d186a5bda5eb7564b59c7983e162adbac1cca703d6138ad96001600040005000a0009006400620003000600130012006301
NAS table
Hi people,

I have been using freeradius as an authentication service for two years. I use freeradius 1.0.4 on Debian servers. My question is: I use the clients.conf file for my NAS clients; however, I read in the freeradius doc that this file can be supported in a database (it is very useful for me because I have an administration web for controlling my radius accounts). I saw that if I put 'readclients=yes' in my postgres.conf file perhaps it works, but it does not work. So, what do I have to write in order to have all NAS information in my database?

Thanks,

Santiago