Re: Stale sessions problem

2006-02-25 Thread Georgi Alexandrov
Alan DeKok wrote:
 Georgi Alexandrov [EMAIL PROTECTED] wrote:
 
If a user that somehow failed network connectivity and failed to tell
the server account stop tries to reconnect back it won't let him
because his previous session is stalled. I need a mechanism that will do
a check upon connection if the session is stalled, delete it and let the
user in or if there is already a real user logged in deny the connecting
one.
I read from the mailing lists that radzap should do the job but i can't
seem to figure out how to integrate it in that setup (the man page
explains only the syntax).
 
 
   radzap calls radwho to query radutmp and generates an accounting
 stop message.
 
   You can query your SQL database and generate accounting stop
 messages, too.
 
   Alan DeKok.
 
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 

Ehlo Alan,

how could one know from the database (radacct I suppose) if a user
session is stalled or he's actually online?


-- 
regards,
Georgi Alexandrov

Key Server = http://pgp.mit.edu/ :: KeyID = 37B4B3EE
Key Fingerprint = E429 BF93 FA67 44E9 B7D4  F89E F990 01C1 37B4 B3EE




RE: Newbie question re. dictionary files.

2006-02-25 Thread balajee

Even I have the same problem.
Debug output is here.


[EMAIL PROTECTED] raddb]# radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.30.164.123:1176, id=64,
length=57
User-Name = image
User-Password = image123
Service-Type = 

Assigning ip address through 802.1x

2006-02-25 Thread Manuj
Hello everybody,

Please tell me, do we have any attribute in Free RADIUS to send the ip
address to the 802.1x client after the successful authentication. I
know we can do it with the dhcp server but I want to know the attribute
in RADIUS server (if any).

Thanks for your help.

Regards
Manuj 



Re: Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-25 Thread Gerry Dalton

This is just a guess..
Since you are doing a sql look-up, I will bet it does the select * 
from xxx where username like btest.  It returns both records, but 
only processes the first record, the passwords don't match and 
fails.  I'll bet if you only have a single encrypted entry that will work.


This is just a guess on my part but give it a shot.

Gerry


At 12:25 AM 2/25/2006, you wrote:

Please anybody help me... I am reposting this message, since I am
hitting the dead end with this issue

Thanks in advance...


Hi to all...
Does anyone have any idea why placing the following two lines into
users file works perfectly with both PAP and CHAP
users
btest   User-Password == Master1
btest   Crypt-Password == $1$KyUhHIHD$R7mAm4rPX1q4WTEJY5rKQ1

whereas  placing the same two records into radcheck table doesn't work
for PAP it does however work for  CHAP?
username | att            | op | val
---------+----------------+----+------------------------------------
btest    | User-Password  | == | Master1
btest    | Crypt-Password | == | $1$KyUhHIHD$R7mAm4rPX1q4WTEJY5rKQ1

It seems that rlm_sql is hitting the unencrypted password only,
whereas encryption-scheme in radiusd.conf is defined crypt...
Am I missing something?

Any help will be appreciated
Alex Savguira

radius -X (version 1.0.4) says

rad_recv: Access-Request packet from host 192.168.0.8:4544, id=47, length=45
   User-Name = btest
   User-Password = Master1
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
   rlm_realm: No '@' in User-Name = btest, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
   users: Matched entry DEFAULT at line 171
   users: Matched entry DEFAULT at line 173
 modcall[authorize]: module files returns ok for request 0
radius_xlat:  'btest'
rlm_sql (sql): sql_set_user escaped user -- 'btest'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'btest' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'btest' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = 'btest' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'btest' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
 modcall[authorize]: module sql returns ok for request 0
 modcall[authorize]: module domainmschap returns noop for request 0
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type PAP
auth: type PAP
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by btest with password Master1
rlm_pap: Using password Master1 for user btest authentication.
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
 modcall[authenticate]: module pap returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed):
[btest/Master1] (from client rasdata port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 47 to 192.168.0.8:4544
Waking up in 4 seconds...



Re: Stale sessions problem

2006-02-25 Thread Gerry Dalton
Kinda depends on what he is connected to.  If you get a START record 
and a STOP record after the authentication from the device they are 
connected to you can check there.  If you use sql for accounting, 
there will be a record created with a unique session id for the 
customer, and it will have a start time, but the stop time will be blank.


This only is valid if the device they are connecting to supplies stop 
and start records when they logon and off or timeout.


Gerry




Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-25 Thread Alex Savguira
Hi, Gerry.
Thanks for an answer...
I'll bet if you only have a single encrypted entry that will work.

This is just a guess on my part but give it a shot.

Gerry

Of course it works if I only have a single encrypted problem. This is
exactly where my problem is. I do run a bunch of services onsite, some
using the PAP passwords (CRYPT form) and some using the MS-CHAPv2
(partly internal and partly accessing the ADS via NTLM). I want the
single logon for all services.
If say PPPoe is PAP and IPSEC is MS-CHAPv2 I need two entries one with
the CRYP-ted password for PAP and one plain or NT-hash for MS-CHAPv2.
Everything works when using users file. PAP doesn't work when using
the mysql backend and there is plain-text record in a database as
well. It looks like freeradius does indeed only process first record
(by the way I've tried playing with the SQL query for authentication
in pursuit of making it to return the crypted password first, but alas
it doesn't help). Do you by any chance know WHY it only processes one
record and how to make it process two instead?

Thanks
Alex.



Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-25 Thread Alex Savguira
Of course it works if I only have a single encrypted problem

Drat! I mean only a single encrypted password record in a database of course



Re: Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-25 Thread Alan DeKok
Alex Savguira [EMAIL PROTECTED] wrote:
 Does anyone have any idea why placing the following two lines into
 users file works perfectly with both PAP and CHAP
 users
 btest   User-Password == Master1

  You want to use :=, not ==, both here and in SQL.  That will
make it work.

  Alan DeKok.



Re: Stale sessions problem

2006-02-25 Thread Alan DeKok
Georgi Alexandrov [EMAIL PROTECTED] wrote:
 how could one know from the database (radacct I suppose) if a user
 session is stalled or he's actually online?

  The SQL module is supposed to do this by calling checkrad.  Have you
listed sql in the session section?

  Alan DeKok.



Re: Assigning ip address through 802.1x

2006-02-25 Thread Alan DeKok
Manuj [EMAIL PROTECTED] wrote:
   Please tell me, do we have any attribute in Free RADIUS to send the ip
 address to the 802.1x client after the successful authentication. I
 know we can do it with the dhcp server but I want to know the attribute
 in RADIUS server(if any).

  No.  It's impossible, because even if you did send an IP address, the
access point would ignore it, and not send it to the 802.1x client.

  Alan DeKok.



Freeradius + Microsoft Active Directory

2006-02-25 Thread Natalia Escalera
Hello,

I am setting up freeradius with Microsoft Active Directory. So far, I
am able to connect to the server but not to authenticate a user. Can
you  please give me a hint of how the configuration files need to be
set in order to authenticate the user.

Also, what is 3D used for? (Example: server =3D your.ad.server.org ...)

Thank you in advance,
Nataly



Fw: Help needed with MS-CHAP

2006-02-25 Thread Charles Blake

I am sorry.

I just want to know what happens when Radius receives a request with a 
MS-CHAP password, how it authenticates the user?


Thank you,

Charles


- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, February 24, 2006 10:52 AM
Subject: Re: Help needed with MS-CHAP



Charles Blake [EMAIL PROTECTED] wrote:

I just want to authenticate MS-CHAPv2 passwords. My question is:

Where do I have those passwords in my Linux server?


 I've been trying to say you don't.

 Alan DeKok.


Re: Stale sessions problem

2006-02-25 Thread Georgi Alexandrov
Alan DeKok wrote:
 Georgi Alexandrov [EMAIL PROTECTED] wrote:
 
how could one know from the database (radacct I suppose) if a user
session is stalled or he's actually online?
 
 
   The SQL module is supposed to do this by calling checkrad.  Have you
 listed sql in the session section?
 
   Alan DeKok.
 

sql is listed in the session section, yes.

-- 
regards,
Georgi Alexandrov

Key Server = http://pgp.mit.edu/ :: KeyID = 37B4B3EE
Key Fingerprint = E429 BF93 FA67 44E9 B7D4  F89E F990 01C1 37B4 B3EE




Re: Stale sessions problem

2006-02-25 Thread Georgi Alexandrov
Gerry Dalton wrote:
 Kinda depends on what he is connected to.  If you get a START record and
 a STOP record after the authentication from the device they are
 connected to you can check there.  If you use sql for accounting, there
 will be a record created with a unique session id for the customer, and
 it will have a start time, but the stop time will be blank.
 
 This only is valid if the device they are connecting to supplies stop
 and start records when they logon and off or timeout.

It's an rp-pppoe Linux server on the same machine.

-- 
regards,
Georgi Alexandrov

Key Server = http://pgp.mit.edu/ :: KeyID = 37B4B3EE
Key Fingerprint = E429 BF93 FA67 44E9 B7D4  F89E F990 01C1 37B4 B3EE




Re: Fw: Help needed with MS-CHAP

2006-02-25 Thread Alan DeKok
Charles Blake [EMAIL PROTECTED] wrote:
 I just want to know what happens when Radius receives a request with a 
 MS-CHAP password, how it authenticates the user?

  It doesn't.

  How many times do I have to say it's impossible before you will
believe me?

  It's impossible.  Stop trying to make it work, and stop asking
questions about it.  It's impossible.

  Honestly, it's impossible.

  Alan DeKok.


Re: Stale sessions problem

2006-02-25 Thread Alan DeKok
Georgi Alexandrov [EMAIL PROTECTED] wrote:
 sql is listed in the session section, yes.

  Then it should clean up stale sessions when the user logs in the
second time, if the first session doesn't exist on the NAS.

  IF... checkrad can talk to the NAS.

  If not, you have to clean them up by hand.  And the server has NO
way of knowing if the session is still alive or not, so it's very
difficult for the server to do this cleanup automatically.

  Alan DeKok.
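To put Gerry's description of an open radacct row and Alan's "clean them up by hand" fallback side by side, here is an added MySQL illustration. It is not code from this thread and not part of FreeRADIUS; it assumes the stock 1.x db_mysql.sql radacct layout, where an open session has AcctStopTime left at the zero datetime (newer schemas use NULL, so both forms are tested), and the user name, session rows, reference time and 10-minute threshold are all constructed for the example.

```sql
-- Added example, not from the thread or the FreeRADIUS sources. Assumes the
-- stock 1.x MySQL radacct table; every row and value below is constructed.
-- Reference time used instead of NOW() so the example is reproducible.
SET @now = '2006-02-25 02:40:00';

-- Three sessions for one user: sess-0001 closed normally; sess-0002 is open
-- and the NAS last refreshed it (interim update) at 02:30; sess-0003 is open
-- but has not been touched since yesterday evening, i.e. the stale case.
-- Other NOT NULL columns of the 1.x schema take their '' / 0 defaults.
INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, NASIPAddress,
                     NASPortId, AcctStartTime, AcctStopTime, AcctSessionTime,
                     AcctTerminateCause, FramedIPAddress)
VALUES
  ('sess-0001', 'u0001', 'georgi', '10.0.0.1', '3',
   '2006-02-25 01:00:00', '2006-02-25 01:30:00', 1800, 'User-Request', '10.1.0.5'),
  ('sess-0002', 'u0002', 'georgi', '10.0.0.1', '4',
   '2006-02-25 02:20:00', '0000-00-00 00:00:00', 600, '', '10.1.0.6'),
  ('sess-0003', 'u0003', 'georgi', '10.0.0.1', '5',
   '2006-02-24 20:00:00', '0000-00-00 00:00:00', 0, '', '10.1.0.7');

-- What a simultaneous-use check in the session section sees: every open
-- session counts, the stale one included, which is why the reconnecting
-- user is refused when the limit is 1.
SELECT COUNT(*) AS open_sessions
  FROM radacct
 WHERE UserName = 'georgi'
   AND (AcctStopTime IS NULL OR AcctStopTime = '0000-00-00 00:00:00');

-- Best guess from accounting data alone: an open session is "stale" when its
-- last known activity (start time plus AcctSessionTime, which only moves if
-- the NAS sends interim updates) is older than the threshold.
SELECT AcctSessionId, FramedIPAddress,
       DATE_ADD(AcctStartTime, INTERVAL IFNULL(AcctSessionTime, 0) SECOND)
         AS last_seen
  FROM radacct
 WHERE UserName = 'georgi'
   AND (AcctStopTime IS NULL OR AcctStopTime = '0000-00-00 00:00:00')
   AND DATE_ADD(AcctStartTime, INTERVAL IFNULL(AcctSessionTime, 0) SECOND)
         < DATE_SUB(@now, INTERVAL 10 MINUTE);

-- By-hand cleanup of those rows. Admin-Reset is recorded as the terminate
-- cause so later audits can tell manual closes from real NAS stop records.
UPDATE radacct
   SET AcctStopTime = @now,
       AcctTerminateCause = 'Admin-Reset'
 WHERE UserName = 'georgi'
   AND (AcctStopTime IS NULL OR AcctStopTime = '0000-00-00 00:00:00')
   AND DATE_ADD(AcctStartTime, INTERVAL IFNULL(AcctSessionTime, 0) SECOND)
         < DATE_SUB(@now, INTERVAL 10 MINUTE);
```

The threshold query is exactly as weak as Alan says: if the NAS sends no interim updates, AcctSessionTime never moves, the rule degrades to "started more than ten minutes ago", and it would close a live long session. The only reliable answer is to ask the NAS, which is what checkrad does when sql is listed in the session section. Note also that the UPDATE repairs only the SQL table; generating a real Accounting-Stop through the server, as radzap does, keeps radutmp and the detail files consistent as well.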


Re: Freeradius + Microsoft Active Directory

2006-02-25 Thread Alan DeKok
Natalia Escalera [EMAIL PROTECTED] wrote:
 I am setting up freeradius with Microsoft Active Directory. So far, I
 am able to connect to the server but not to authenticate a user. Can
 you  please give me a hint of how the configuration files need to be
 set in order to authenticate the user.

  If the RADIUS packets have clear-text passwords, then the normal
LDAP module should work.  If you're using PEAP or MS-CHAP, read
radiusd.conf, and use ntlm_auth.

 Also, what is 3D used for? (Example: server =3D your.ad.server.org ...)

  Nothing.  It's an artifact of stupid mailers.  3D is ASCII for '='.

  Alan DeKok.



Re: Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-25 Thread Alan DeKok
Alex Savguira [EMAIL PROTECTED] wrote:
 Of course it works if I only have a single encrypted problem. This is
 exactly where my problem is. I do run a bunch of services onsite, some
 using the PAP passwords (CRYPT form) and some using the MS-CHAPv2
 (partly internal and partly accessing the ADS via NTLM). I want the
 single logon for all services.

  Then use clear-text passwords.  Also storing crypt'd passwords is a
waste of time and gains nothing except additional headaches.

 If say PPPoe is PAP and IPSEC is MS-CHAPv2 I need two entries one with
 the CRYP-ted password for PAP and one plain or NT-hash for MS-CHAPv2.

  No.  Absolutely not.  The PAP authentication can use the clear-text
password, too.

 Everything works when using users file. PAP doesn't work when using
 the mysql backend

  Use ':=', not '=='.

 Do you by any chance know WHY it only processes one
 record and how to make it process two instead?

  Did you read previous responses to your questions?

  Alan DeKok.

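To make the operator point from Alan's two replies concrete, here is an added MySQL illustration; it is not code from the thread and not one of the project's SQL scripts. It assumes the stock radcheck table (id, UserName, Attribute, op, Value) that the "SELECT id,UserName,Attribute,Value,op FROM radcheck" line in Alex's debug output reads, and uses the user name, password and hash Alex posted.

```sql
-- Added example, not from the thread. Assumes the stock FreeRADIUS radcheck
-- table; user name, password and crypt hash are the ones posted above.

-- As posted (the failing setup): two check items with "==".
-- "==" asks the server to compare an attribute found in the incoming
-- request; it does not hand rlm_pap a stored password to check against.
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES
  ('btest', 'User-Password',  '==', 'Master1'),
  ('btest', 'Crypt-Password', '==', '$1$KyUhHIHD$R7mAm4rPX1q4WTEJY5rKQ1');

-- Corrected along Alan's advice: a single clear-text password set with ":=",
-- which makes it a configuration item that PAP, CHAP and MS-CHAPv2 can all
-- use, so no second crypt'd row is needed.
DELETE FROM radcheck WHERE UserName = 'btest';
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES
  ('btest', 'User-Password', ':=', 'Master1');

-- What rlm_sql fetches in authorize (the query shown in the debug output);
-- when a login fails with "Passwords don't match", check the op column here.
SELECT id, UserName, Attribute, Value, op
  FROM radcheck
 WHERE UserName = 'btest'
 ORDER BY id;
```

One caveat the debug output itself points at: rlm_pap is running with encryption_scheme = crypt ("Using CRYPT encryption") and then compares "Master1" as if it were a crypt hash, so a clear-text row stored with ":=" still fails until the pap module's encryption_scheme matches what is stored (clear for a clear-text value). Storing the clear-text credential also means the radcheck table now needs the same access protection the users file had.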


Adding A

2006-02-25 Thread squirrel
I'm trying to add Ascend-Data-Filter to mysql using either phpmyadmin or
dialup administrator, but it doesn't seem to work.

It works fine in users text file as in:

username Auth-Type := Local, User-Password == xxx, Simultaneous-Use := 2
Service-Type = Framed-User,
Framed-Protocol = MP,
Ascend-Data-Filter += ip in forward tcp est,
Ascend-Data-Filter += ip in forward dstip a.b.c.0/20,
Ascend-Data-Filter += ip in forward tcp dstport = 25,
Ascend-Data-Filter += ip in forward,
Framed-Compression = Van-Jacobsen-TCP-IP

But the dialup administrator allows me to add only one Ascend-Data-Filter
item.

If I try to add using myphpadmin


**
Computer problems? ...
..http://www.multibyte.net



Re: Freeradius + Microsoft Active Directory

2006-02-25 Thread Natalia Escalera
Hello Mr. DeKok

Thank you for the fast response.  The  password is clear-text.  We are
using ethereal to debug why we are getting Operations Error on the
Search Result.  The Operation Errors comment is the following:
In order to perform this operation a successful bind must be completed.

The search request on ethereal from Freeradius to the active directory
gives the following:
Message Type: Search Request
Message Length:  96
Response In: 469
Base DN: dc=test, dc=prt
Scope: subtree (0x02)
Derefence: Never (0x00)
Size Limit: 0
Time Limit: 4
Attributes only: False
Filter: ((objectclass=person)(sAMAccountName=%u))
Attribute: uid we are not sending this attribute and we do not
know where it is specified on Freeradius

Here are the settings given for LDAP module on radius.conf and user file:

#radius.conf
ldap {
server=xxx.xx.xxx.xxx

identity = # If this is suppose to be the bind dn???

password = mypassword
basedn =dc=test,dc=prt

#filter = (uid=%{Stripped-User-Name:-%{User-Name}})
filter =((objectclass=person) (sAMAccountName=%u))

# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no

# tls_cacertfile= /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile  = /path/to/radius.crt
# tls_keyfile   = /path/to/radius.key
# tls_randfile  = /path/to/rnd
# tls_require_cert  = demand

# default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
# profile_attribute = radiusProfileDn
access_attr = dialupAccess

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5


timeout =5
timelimit =4
net_timeout =2
compare_check_items = yes

}

authenticate {

Auth-Type PAP {
pap
}


Auth-Type CHAP {
chap
}


Auth-Type MS-CHAP {
mschap
}


unix



Auth-Type LDAP {
ldap
}


eap
}

#users file
DEFAULT Auth-Type := LDAP
Fall-Through = 1

Can you please tell us if there is something wrong or if we are
missing something on the configuration files?

Thanks in advance,
Nataly



Re: Freeradius + Microsoft Active Directory

2006-02-25 Thread Kai Geek
Hello,
your password crypt key is used. not become in this ethereal can't recognize.


   Auth-Type CHAP {
   chap
   }
 
   
   Auth-Type MS-CHAP {
   mschap
   }


you must show the full and state this in the file
#ls /etc/raddact
#vi radius.conf
#vi clients.conf

best regards,

--
Ozgur Karatas
CCNA  Network Engineer
Linux System Administrator
ozgur (at) ozgurkaratas dot com

Kai Ozgur Geek
Network Engineer
PGP ID: B1B63B6E

Re: Adding Ascend-Data-Filter to MySQL

2006-02-25 Thread squirrel
Sorry, I meant to save as draft, and accidentally sent the below message.

I got the Ascend-Data-Filter to work on old Livingston-style 'users' text
file by adding the lines below.  But I can't get it to work in MySQL.

The dialup_admin won't let me add it, so used PHPMyAdmin to add those
Ascend-Data-Filter lines.  But not getting the usual attribute responses:

vendor Ascend Ascend-VSA-Data-Filter=\0x01\0x01\0x01 ..
... etc..

What am I missing?


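The users-file entry quoted in this thread can be expressed as rows in the SQL tables; the following is an added MySQL illustration, not code from the thread or from dialup_admin. It assumes the stock FreeRADIUS 1.x radcheck and radreply tables (id, UserName, Attribute, op, Value) and a dictionary that defines Ascend-Data-Filter; the user name "squirrel", the password "xxx" and the network a.b.c.0/20 are placeholders carried over from the posted entry.

```sql
-- Added example, not from the thread. Assumes the stock FreeRADIUS 1.x
-- radcheck/radreply tables; "squirrel", "xxx" and a.b.c.0/20 are placeholders.

-- Check items (the first line of the users-file entry). Following Alan's
-- advice earlier in this digest the password is set with ":=", not "==".
-- "Auth-Type := Local" is left out; the server selects the auth type itself.
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES
  ('squirrel', 'User-Password',    ':=', 'xxx'),
  ('squirrel', 'Simultaneous-Use', ':=', '2');

-- Reply items, one row per attribute. The op column is what dialup_admin
-- hides: "=" adds an attribute only if it is not already in the reply, so a
-- second "=" row for the same attribute is dropped; "+=" appends, so all
-- four Ascend-Data-Filter rows are returned in the Access-Accept.
INSERT INTO radreply (UserName, Attribute, op, Value) VALUES
  ('squirrel', 'Service-Type',       '=',  'Framed-User'),
  ('squirrel', 'Framed-Protocol',    '=',  'MP'),
  ('squirrel', 'Ascend-Data-Filter', '+=', 'ip in forward tcp est'),
  ('squirrel', 'Ascend-Data-Filter', '+=', 'ip in forward dstip a.b.c.0/20'),
  ('squirrel', 'Ascend-Data-Filter', '+=', 'ip in forward tcp dstport = 25'),
  ('squirrel', 'Ascend-Data-Filter', '+=', 'ip in forward'),
  -- spelled as in the FreeRADIUS dictionary
  ('squirrel', 'Framed-Compression', '=',  'Van-Jacobson-TCP-IP');

-- What rlm_sql returns for the user, in the order it is applied.
SELECT id, Attribute, op, Value
  FROM radreply
 WHERE UserName = 'squirrel'
 ORDER BY id;
```

Note that rlm_sql applies the rows in id order, so insert the filter lines in the order the NAS should evaluate them. The text form is only what the server parses; on the wire the attribute is the binary "abinary" encoding, which is why a NAS or capture tool that does not know the attribute shows it as hex.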


Re: Freeradius + Microsoft Active Directory

2006-02-25 Thread Alan DeKok
Natalia Escalera [EMAIL PROTECTED] wrote:
 Thank you for the fast response.  The  password is clear-text.  We are
 using ethereal to debug why we are getting Operations Error on the
 Search Result.

  See the list archives.  You have to qualify the LDAP search.

http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.html

  Alan DeKok.


freeBSD and freeRADIUS with mySQL

2006-02-25 Thread eric
We've been trying to get freeradius, freebsd and mysql to all work
together now for a week... If anyone has figured out how to do this -
please let me know. There are literally hundreds of posts on various
forums I found by googling the errors and all are having the same
issues...

the ports for freeradius don't seem to install correctly, and when we
build from latest binaries there are errors when trying to load mysql... In
the mandrake 10.2 system I had - all I did was install mysqlxx-dev
development extensions, and all was good... I can't find any support for
freebsd.

-grateful for any links or how-to's...


Re: Adding Ascend-Data-Filter to MySQL

2006-02-25 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 The dialup_admin won't let me add it, so used PHPMyAdmin to add those
 Ascend-Data-Filter lines.  But not getting the usual attribute responses:
 
 vendor Ascend Ascend-VSA-Data-Filter=\0x01\0x01\0x01 ..
 ... etc..
 
 What am I missing?

  You're not saying which NAS you're using.  If the NAS doesn't
understand Ascend data filters, it will print them as they appear on
the wire, which is hex.  NOT text.

  It appears that your NAS doesn't understand the attribute, OR you're
using another tool to look at the RADIUS packets, and it doesn't
understand the attribute.

  Alan DeKok.



Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-25 Thread Alex Savguira
Dear Alan!

You want to use :=, not ==, both here and in SQL.  That will
make it work.

  Alan DeKok.

I've tried that already. Same result... DOES NOT work... (AND it works
with both
== and := when I use users file instead)... With SQL it produces the
very same debugging output with both == and := A bug perhaps?
Shouldn't the users file and the radcheck table perform the very same way?

As for your offer for storing the clear-text for PAP it is not an
option for me, since I already have 450 users stored in CRYPT form
(for a simple reason of preventing the administration power abuse as
much as possible - yes that is, I do not want admin to know and use
user passwords). I hate using the clear text passwords for
MS-CHAPv2 as well, but I haven't yet figured out how to generate the
NT-hash for storing the NT-Password instead. Changing passwords for
450 users is a pain, which I want to avoid...
By the way, how does one generate this hash?
I am running a version of dialup-admin heavily modified by me, and I
haven't yet implemented the CRYPT function for NT-Hash.



Re: Adding Ascend-Data-Filter to MySQL

2006-02-25 Thread squirrel
I'm using NTRadPing v1.5 to test.  It gets proper reply in hex for users
in livingston style user file in text, but not for users in mysql.


 [EMAIL PROTECTED] wrote:
 The dialup_admin won't let me add it, so used PHPMyAdmin to add those
 Ascend-Data-Filter lines.  But not getting the usual attribute
 responses:

 vendor Ascend Ascend-VSA-Data-Filter=\0x01\0x01\0x01 ..
 ... etc..

 What am I missing?

   You're not saying which NAS you're using.  If the NAS doesn't
 understand Ascend data filters, it will print them as they appear on
 the wire, which is hex.  NOT text.

   It appears that your NAS doesn't understand the attribute, OR you're
 using another tool to look at the RADIUS packets, and it doesn't
 understand the attribute.

   Alan DeKok.

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




**
Computer problems? ...
..http://www.multibyte.net



Re: Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-25 Thread Alan DeKok
Alex Savguira [EMAIL PROTECTED] wrote:
 I've tried that already. Same result... DOES NOT work

  See the FAQ about pointless statements like "it doesn't work".  If
you're going to make people on the list play twenty questions to get
the information they need to help you, no one is going to respond to
your questions.

 With SQL it produces the
 very same debugging output with both == and := A bug perhaps?

  Maybe you could try reading the debug output.  Or failing that,
posting it here.

 As for your offer for storing the clear-text for PAP it is not an
 option for me, since I already have 450 users stored in CRYPT form

  Then those users can't do MS-CHAP.

  For everyone else, if you have the clear-text password, you don't
need to store crypt'd passwords.  It's useless, and a waste of time.

  Stop trying to get both clear & crypted passwords to work for the
same user.

  Alan DeKok.



Re: freeBSD and freeRADIUS with mySQL

2006-02-25 Thread Dusty Doris
On 2/25/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 We've been trying to get freeradius, freebsd and mysql to all work
 together now for a week... If anyone has figured out how to do this -
 please let me know. There are literally hundreds of posts on various
 forums I found by googling the errors and all are having the same
 issues...

 the ports for freeradius don't seem to install correctly, and when we
 build from latest binaries there are errors when trying to load mysql... In
 the mandrake 10.2 system I had - all I did was install mysqlxx-dev
 development extensions, and all was good... I can't find any support for
 freebsd.

 -grateful for any links or how-to's...
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



I've never had a problem installing freeradius w/ mysql on freebsd. 
I've heard of others having issues when they install mysql with linux
threads, such as WITH_LINUXTHREADS=yes on a port install.

I'd try first installing mysql 50 server from the ports collection,
without using linux threads.  I usually just do a make install clean
w/out any additional arguments.  Then install freeradius from the
ports collection.  That's always worked for me.

What version of freebsd are you using?



Re: Adding Ascend-Data-Filter to MySQL

2006-02-25 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I'm using NTRadPing v1.5 to test.  It gets proper reply in hex for users
 in livingston style user file in text, but not for users in mysql.

  I really don't know what you mean by that.  Can you supply examples?

  Alan DeKok.


Re: freeBSD and freeRADIUS with mySQL

2006-02-25 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 the ports for freeradius don't seem to install correctly, and when we
 build from latest binaries there are errors when trying to load mysql... In
 the mandrake 10.2 system I had - all I did was install mysqlxx-dev
 development extensions, and all was good... I can't find any support for
 freebsd.

  I suggest asking on the freebsd ports list, asking the maintainer,
or looking through the freebsd bug list.

  I don't know any developer who uses FreeBSD, so that makes it
difficult to track down the problem.

  Alan DeKok.



Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-25 Thread Alex Savguira
Dear Alan!

 See the FAQ about pointless statements like "it doesn't work".

Alan, please, you asked me to try := instead of == . I did and it does not work.
Somehow I needed to inform you it did not.

 Maybe you could try reading the debug output.  Or failing that,
posting it here.
 I did in my first post. Would you please explain to me why freeradius
only processes one record, when it does process both while using the users
file?

Is it possible perhaps to make the PAP module understand both CRYPT
and plaintext passwords (perhaps by defining two instances of the
module)?
I can in this case keep one record per user, and it will be cleartext
for PAP and MS-CHAPv2 when the user is granted services requiring
MS-CHAPv2 and CRYPT for all existing users otherwise.

Then those users can't do MS-CHAP.
C'mon. This is not an answer... I can't just ignore all of my existing
users and I can't make all of them change their passwords and, as
far as I know, I can't extract their passwords from the crypt hash.
I really do not want to start hacking freeradius code, but on the
other side I really do need to make the new services available to
these users.

Stop trying to get both clear & crypted passwords to work for the
same user.

Why does it work perfectly as expected when I am doing it in users file?
Should not the SQL module perform the same?



I am reposting the debug output here, just in case

rad_recv: Access-Request packet from host 192.168.0.8:1061, id=7, length=45
User-Name = atest
User-Password = Master1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: No '@' in User-Name = atest, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
users: Matched entry DEFAULT at line 171
users: Matched entry DEFAULT at line 173
  modcall[authorize]: module files returns ok for request 0
radius_xlat:  'atest'
rlm_sql (sql): sql_set_user escaped user -- 'atest'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'atest' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'atest' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = 'atest' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'atest' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns ok for request 0
  modcall[authorize]: module domainmschap returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type PAP
auth: type PAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by atest with password Master1
rlm_pap: Using password Master1 for user atest authentication.
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
  modcall[authenticate]: module pap returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed):
[atest/Master1] (from client rasdata port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 7 to 192.168.0.8:1061
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 7 with timestamp 4400b816
Nothing to do.  Sleeping until we see a request.



Is it possible to make PAP module understand both CRYPT (MD5) and plaintext passwords?

2006-02-25 Thread Alex Savguira
Dear All!

I wonder if somebody has tried to make PAP understand both plaintext
and crypted passwords, via multiple instances for example?

Would this make sense:

pap {
        encryption_scheme = clear
}

pap papcrypt {
        encryption_scheme = crypt
}

in the modules configuration and then

Auth-Type PAP {
        pap
        papcrypt
}

in the authenticate section?

Regards
Alex.



Re: freeBSD and freeRADIUS with mySQL

2006-02-25 Thread Jacques Marneweck
[EMAIL PROTECTED] wrote:
 We've been trying to get freeradius, freebsd and mysql to all work
 together now for a week... If anyone has figured out how to do this -
 please let me know. There are literally hundreds of posts on various
 forums I found by googling the errors and all are having the same
 issues...

 the ports for freeradius don't seem to install correctly, and when we
 build from latest binaries there are errors when trying to load mysql... In
 the mandrake 10.2 system I had - all I did was install mysqlxx-dev
 development extensions, and all was good... I can't find any support for
 freebsd.

 -grateful for any links or how-to's...
   
Hi Eric,

I build MySQL on FreeBSD boxes which act as RADIUS servers without
linux-threads or pthreads.

Regards
--jm

-- 
Jacques Marneweck
http://www.powertrip.co.za/blog/




RE: CentOS

2006-02-25 Thread Gunther
I am using CentOS 4 with FreeRadius 1.0.5 and I just upgraded to 1.1.0 and
it works fine so far. I did not use RPM's, but instead did a fresh compile.
Pretty straight forward and no errors.

Gunther



-Original Message-
From: Italo Morellato
Sent: Friday, February 24, 2006 6:22 AM
To: freeradius-users@lists.freeradius.org
Subject: CentOS


Is a Freeradius 1.1.0 RPM for CentOS 4.2 (smeserver) possible?
Thanks in advance.
 
Italo Morellato





Re: Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-25 Thread Alan DeKok
Alex Savguira [EMAIL PROTECTED] wrote:
 Alan, please, you asked me to try := instead of == . I did and it does not 
 work.
 Somehow I needed to inform you it did not.

  You need to post the debug log of it using the users file entry
after you changed == to :=.

  I did in my first post. Would you please explain to me why freeradius
 only processes one record, when it does process both while using the users
 file?

  I have no idea.  And the debug log you posted was BEFORE you made
the change, so it's not that helpful.

 Is it possible perhaps to make the PAP module understand both CRYPT
 and plaintext passwords (perhaps by  defining two instances of
 module)?

  The server already handles crypt'd passwords.  You shouldn't have to
do anything.

 I can in this case keep one record per user, and it will be cleartext
 for PAP and MS-CHAPv2 when the user is granted services requiring
 MS-CHAPv2 and CRYPT for all existing users otherwise.

  That's what I've been trying to say.  A number of times.  DO THAT.

 Then those users can't do MS-CHAP.
 C'mon. This is not an answer... I can't just ignore all of my existing
 users and I can't make all of them to change their passwords and,  as
 far as I know, I can't extract their passwords from the crypt hash.

  Yes, I understand.  However, it's IMPOSSIBLE to use crypted
passwords with MS-CHAP.  If you have a crypt'd password, then the user
can't do MS-CHAP.

  For pete's sake, what do I have to do to convince people that it's
impossible?

  Stop arguing and accept it.  Yes, it's unfriendly to your users.
Tough.  You shouldn't have stored the passwords in crypt'd form in the
first place.  That choice made MS-CHAP impossible for those users.

  Don't complain to me about it.  I didn't create your local config,
the crypt algorithm or the MS-CHAP algorithm.

 I really do not want to start hacking freeradius code, but on the
 other side I really do need to make the new services available to
 these users.

  Great.  I'll give you a million dollars if you can make FreeRADIUS
authenticate MS-CHAP when it has nothing more than the crypt'd
password.

  Did I mention it was impossible?

 Why does it work perfectly as expected when I am doing it in users file?
 Should not the SQL module perform the same?

  No.  The users file is processed top to bottom.  The SQL module grabs
the first matching entry.

  Didn't you read the previous response that explained this?

  Alan DeKok.





Re: Freeradius + Microsoft Active Directory

2006-02-25 Thread Natalia Escalera
Hello,
What do you mean with qualify the LDAP search?

Thanks.
Nataly

On 2/25/06, Alan DeKok [EMAIL PROTECTED] wrote:
 Natalia Escalera [EMAIL PROTECTED] wrote:
  Thank you for the fast response.  The  password is clear-text.  We are
  using ethereal to debug why we are getting Operations Error on the
  Search Result.

  See the list archives.  You have to qualify the LDAP search.

 http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.html

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: Freeradius + Microsoft Active Directory

2006-02-25 Thread Natalia Escalera
Hello,

How can we specify the bindn on radius.conf so we do not search as an
anonymous user?

Thank you,
Nataly

On 2/25/06, Natalia Escalera [EMAIL PROTECTED] wrote:
 Hello,
 What do you mean with qualify the LDAP search?

 Thanks.
 Nataly

 On 2/25/06, Alan DeKok [EMAIL PROTECTED] wrote:
  Natalia Escalera [EMAIL PROTECTED] wrote:
   Thank you for the fast response.  The  password is clear-text.  We are
   using ethereal to debug why we are getting Operations Error on the
   Search Result.
 
   See the list archives.  You have to qualify the LDAP search.
 
  http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.html
 
   Alan DeKok.
  -
  List info/subscribe/unsubscribe? See 
  http://www.freeradius.org/list/users.html
 




Re: Freeradius + Microsoft Active Directory

2006-02-25 Thread Natalia Escalera
I mean binddn...

On 2/25/06, Natalia Escalera [EMAIL PROTECTED] wrote:
 Hello,

 How can we specify the bindn on radius.conf so we do not search as an
 anonymous user?

 Thank you,
 Nataly

 On 2/25/06, Natalia Escalera [EMAIL PROTECTED] wrote:
  Hello,
  What do you mean with qualify the LDAP search?
 
  Thanks.
  Nataly
 
  On 2/25/06, Alan DeKok [EMAIL PROTECTED] wrote:
   Natalia Escalera [EMAIL PROTECTED] wrote:
Thank you for the fast response.  The  password is clear-text.  We are
using ethereal to debug why we are getting Operations Error on the
Search Result.
  
See the list archives.  You have to qualify the LDAP search.
  
   http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.html
  
Alan DeKok.
   -
   List info/subscribe/unsubscribe? See 
   http://www.freeradius.org/list/users.html
  
 




Re: Freeradius + Microsoft Active Directory

2006-02-25 Thread Natalia Escalera
I have another question, how can we avoid referrals coming from AD
Ldap server? How can we specify those settings?

Thanks,
Nataly

On 2/25/06, Natalia Escalera [EMAIL PROTECTED] wrote:
 I mean binddn...

 On 2/25/06, Natalia Escalera [EMAIL PROTECTED] wrote:
  Hello,
 
  How can we specify the bindn on radius.conf so we do not search as an
  anonymous user?
 
  Thank you,
  Nataly
 
  On 2/25/06, Natalia Escalera [EMAIL PROTECTED] wrote:
   Hello,
   What do you mean with qualify the LDAP search?
  
   Thanks.
   Nataly
  
   On 2/25/06, Alan DeKok [EMAIL PROTECTED] wrote:
Natalia Escalera [EMAIL PROTECTED] wrote:
 Thank you for the fast response.  The  password is clear-text.  We are
 using ethereal to debug why we are getting Operations Error on the
 Search Result.
   
 See the list archives.  You have to qualify the LDAP search.
   
http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.html
   
 Alan DeKok.
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html
   
  
 




Re: Adding Ascend-Data-Filter to MySQL

2006-02-25 Thread squirrel
In Livingston-style 'users' text file, I can enter below:

  username Auth-Type := Local, User-Password == xxx
Service-Type = Framed-User,
Framed-Protocol = PPP,
Ascend-Data-Filter += ip in forward tcp est,
Ascend-Data-Filter += ip in forward dstip a.b.c.0/20,
Ascend-Data-Filter += ip in forward tcp dstport = 25,
Ascend-Data-Filter += ip in forward,
Framed-Compression = Van-Jacobsen-TCP-IP

The above works.  Testing with NTRadPing utility, I do get successful
login with the attributes.  Attribute dump gives me the hex numbers such
as Ascend-VSA-Data-Filter=\0x01\0x01\0x01 

But when I add the same Ascend-Data-Filter information above into the mysql
database (radgroupcheck table), although it authenticates fine, I don't
get Ascend-VSA-Data-Filter=\0x01\0x01\0x01 in the attribute dump.
Below is what is added to the table:

GroupName  Attribute           op   Value

Dialup     Auth-Type           :=   LOCAL
Dialup     Service-Type        =    Framed-User
Dialup     Framed-Protocol     =    PPP
Dialup     Framed-Compression  =    Van-Jacobsen-TCP-IP
Dialup     Ascend-Data-Filter  +=   ip in forward tcp est
Dialup     Ascend-Data-Filter  +=   ip in forward dstip a.b.c.0/20
Dialup     Ascend-Data-Filter  +=   ip in forward tcp dstport = 25
Dialup     Ascend-Data-Filter  +=   ip in forward



 [EMAIL PROTECTED] wrote:
 I'm using NTRadPing v1.5 to test.  It gets proper reply in hex for users
 in livingston style user file in text, but not for users in mysql.

   I really don't know what you mean by that.  Can you supply examples?

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




**
Computer problems? ...
..http://www.multibyte.net



Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-25 Thread Alex Savguira
Hi, Alan!

Thanks for answering...

First of all I never intended to use CRYPT passwords for MS-CHAPv2.
C'mon, I know that much about MS-CHAP.  ;-) Not all my users need
access to new services, as I wrote, I was planning to expose the
cleartext password for those who need (perhaps NT-Password in the
future) and to continue using CRYPT for those who do not need the new
services. If you say SQL doesn't like having two passwords in radcheck
and only grabs the first one - let it be... What I wrote about hacking
the  code was about trying to fix this perhaps, shouldn't SQL take all
check records found?...

Actually I've found my way around the problem... I've made a second
instance of pap using clear text passwords in radiusd and I'll only
change password attributes to clear text in radcheck for those who use
MS-CHAP as well (placing them into a group which does Auth-Type := papplain).
This however leaves me without NT-Password (which is the NT-Hash). An ideal
situation for me would be something like this in radcheck:
username | att            | op | val
---------+----------------+----+-----------------------------------
btest    | NT-Password    | == | NT-hashbla-bla-bla^@0-3443
btest    | Crypt-Password | == | $1$KyUhHIHD$R7mAm4rPX1q4WTEJY5rKQ1

This however will not work because PAP burps on Crypt-Password this way.


Here is the dump of having both; it was stupid of me not to include
one, I admit:

btest   User-Password == Master1
btest   Crypt-Password == $1$KyUhHIHD$R7mAm4rPX1q4WTEJY5rKQ1

Authentication PAP

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.8:1248, id=5, length=45
User-Name = btest
User-Password = Master1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: No '@' in User-Name = btest, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
users: Matched entry btest at line 69
  modcall[authorize]: module files returns ok for request 0
radius_xlat:  'btest'
rlm_sql (sql): sql_set_user escaped user -- 'btest'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'btest' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User btest not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'btest' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'btest' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
rlm_sql (sql): User btest not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns notfound for request 0
  modcall[authorize]: module domainmschap returns noop for request 0
modcall: group authorize returns ok for request 0
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [btest] (from client rasdata port 0)
Sending Access-Accept of id 5 to 192.168.0.8:1248
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

-

Authentication CHAP


rad_recv: Access-Request packet from host 192.168.0.8:1271, id=11, length=46
User-Name = btest
CHAP-Password = 0xd2bf262017f2f6812bc00cbd077aed9b55
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: No '@' in User-Name = btest, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
users: Matched entry btest at line 69
  modcall[authorize]: module files returns ok for request 0
radius_xlat:  'btest'
rlm_sql (sql): sql_set_user escaped user -- 'btest'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'btest' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User btest not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'btest' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'btest' AND
usergroup.GroupName = 

Is it possible to make PAP module understand both CRYPT (MD5) and plaintext passwords?

2006-02-25 Thread Alex Savguira
Please ignore... Found the answer already...
