VLAN and SSID
Hallo, I have a problem with the authentication on different VLANs. I write for you my example: I have two VLANs (VLAN1 and VLAN2) connected to two SSIDs (SSID1 and SSID2) on my Cisco 1200 AP. I have the same authentication on both connections (EAP-TLS). In my users file I have two users:

    user1   Auth-Type := EAP
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 2,
            Tunnel-Type = VLAN

    user2   Auth-Type := EAP
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 3,
            Tunnel-Type = VLAN

The authentication works fine but, for example, if I connect the WinXP client on SSID1 with the user certificate of VLAN2, I have this situation: the client is connected to VLAN2 but the SSID of the wireless connection is SSID1. Is it possible to prevent the connection to the selected SSID if the certificate of the user is incorrect?

Thanks, bye

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: VLAN and SSID
Yes, just use the Cisco AV Pair to say

    user1   Auth-Type := EAP, Cisco-AVPair := SSID=SSID1
    user2   Auth-Type := EAP, Cisco-AVPair := SSID=SSID2

That would force user1 to only associate to SSID1 and user2 to only associate to SSID2.

You *may* need to change them from being check attributes to reply attributes if your AP doesn't actually send those attributes with an Access-Request. In that case, you send the Cisco-AVPair = SSID=SSIDn back to the AP and if it doesn't match, then it can locally fail to authorize the user.

Rgds,
Guy

On 29/03/06, Antonio Matera wrote:
> The authentication works fine but, for example, if I connect the WinXP client on SSID1 with the user certificate of VLAN2, I have this situation: the client is connected to VLAN2 but the SSID of the wireless connection is SSID1. Is it possible to prevent the connection to the selected SSID if the certificate of the user is incorrect?
Re: Tipical LDAP Schema
here's a quick one:

    # test, People, local.loc
    dn: uid=test,ou=People,dc=local,dc=loc
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: sambaSamAccount
    objectClass: radiusprofile
    uidNumber: 1500
    gidNumber: 100
    cn: test
    sn: test
    uid: test
    homeDirectory: /home/users/test
    loginShell: /bin/bash
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 1
    sambaSID: S-1-5-21-252606378-3735400111-1192195845-1500
    sambaPrimaryGroupSID: S-1-5-21-252606378-3735400111-1192195845-100
    sambaAcctFlags: [U]
    sambaLMPassword: 01FC5A6BE7BC6929AAD3B435B51404EE
    sambaNTPassword: 0CB6948805F797BF2A82807973B89537
    dialupAccess: true
    userPassword:: e01ENX1DWTlyelVZaDAzUEszazZESmllMDlnPT0=
    description: test
    gecos: test
    displayName: test

Luca wrote:
> Hello, I'm using freeradius with an LDAP backend to authenticate some users (I'm working in my University's labs). As of today, I'm using a clear unencrypted wifi connection authenticating MAC through freeradius; my target is to use WPA (or WPA2) with Radius. What I need is a typical ldap account ldif layout, 'cause this is the first time I work with ldap and I hope to do my best. The best scenario is a single sign-on service, so... if you have an ldif with the radiusProfile object plus some samba and other useful information... please add them too.
> Thanks in advance.
> Luca

--
André Ventura Lemos
Software Engineer
Critical Software, SA
Re: VLAN and SSID
--On Wednesday, March 29, 2006 09:11:13 +0100 Guy Davies wrote:
> You *may* need to change them from being check attributes to reply attributes if your AP doesn't actually send those attributes with an Access-Request. In that case, you send the Cisco-AVPair = SSID=SSIDn back to the AP and if it doesn't match, then it can locally fail to authorize the user.

I don't think 1200's do send the attribute by default in the access-request. To make it do so, use this command:

    radius-server vsa send authentication

Regards,
James

--
James J J Hooper, Information Services
University of Bristol
--
Re: dialup admin ippool administraton
> the sqlippool module in cvs does this..

This module sounds interesting - something I haven't taken into my considerations: keeping the dynamic ippool data in the sql-db, too. And it's obvious to do it this way using a primary and a backup server. But the configuration information like range-start etc. is still stored in the radiusd.conf. My idea was to put this configuration information for each ippool into the mysql-db.

Some background information for better understanding :) My task is to migrate from MS-IAS to freeradius. Thus people are used to doing administration tasks with a GUI. :) At least normal production administration tasks should be integrated within a GUI. Putting configuration information into a db would save the parsing and editing of the radius.conf by dialup-admin scripts.

best regards,
Olaf
RE: L2tp and fixed Framed IP Address for ADSL customers
The static IP range is a statically routed subnet to the Cisco NAS. We are not using EIGRP; we use static routing.

Thanks

-----Original Message-----
From: Guy Fraser
Sent: mardi 28 mars 2006 20:10
To: freeradius-users@lists.freeradius.org
Subject: Re: L2tp and fixed Framed IP Address for ADSL customers

> On Tue, 2006-28-03 at 12:05 -0500, Alan DeKok wrote:
> > Adil Bikarbass wrote:
> > > My radius is listening on 1645 for auth and 1646 for acct. I can see the auth request coming into my radius box but the IP address is never got from the Framed-IP reply item but assigned from the Cisco pool. Any clue about what could be the problem?
> >
> > The NAS. Fight with it some more. I don't think there's anything you can do to FreeRADIUS to fix it.
>
> Is the IP address in a valid range configured on the NAS? A Cisco will not assign an IP address that it is not configured to handle. It seems to me we used eigrp to handle the static ip address networks for our NAS servers.
Re: Tipical LDAP Schema
Luca wrote:
> What I need is a typical ldap account ldif layout, 'cause this is the first time I work with ldap and I hope to do my best.

There're LDAP schema examples in the version 1.1.1 tarball under the doc/examples directory.

--
Nicolas Baradakis
freeradius 1.1.1 does not make on 64 bit intel platfrom
Hi all. I am trying to install freeradius 1.1.1 on a 64 bit intel platform. I get the following error:

    rm -fr .libs/rlm_counter.la .libs/rlm_counter.* .libs/rlm_counter-1.1.1.*
    gcc -shared rlm_counter.lo -Wl,--rpath -Wl,/usr/software/freeradius-1.1.1/src/lib/.libs -Wl,--rpath -Wl,/usr/local/lib /usr/software/freeradius-1.1.1/src/lib/.libs/libradius.so /usr/lib/libgdbm.so -lnsl -lresolv -lpthread -Wl,-soname -Wl,rlm_counter-1.1.1.so -o .libs/rlm_counter-1.1.1.so
    /usr/lib/libgdbm.so: could not read symbols: Invalid operation
    collect2: ld returned 1 exit status
    gmake[6]: *** [rlm_counter.la] Error 1

Please indicate how to install freeradius 1.1.1 on a 64 bit platform?
RE: Different user attributes based on NAS-IP-Address? AlsoSuffixwildcards available?
Can you give me an example in SQL please of how I might implement it using this fashion? Is it not just a case of if it passes radcheck, then it will respond with radreply?

-----Original Message-----
From: Alan DeKok
Sent: 28 March 2006 18:14
To: FreeRadius users mailing list
Subject: Re: Different user attributes based on NAS-IP-Address? AlsoSuffixwildcards available?

> John Mylchreest wrote:
> > When you mean key off the NAS-IP-Address, do you mean like I suggested in my previous example, or a cleaner solution?
>
> The NAS-IP-Address can be used as a check item, just like anything else.
>
>     DEFAULT NAS-IP-Address == 1.2.3.4
>             Reply-Message = Hello you guy from 1.2.3.4
>
> The same config can be applied to SQL.
>
> Alan DeKok.
Re: Having multiple authentication query in sql.conf
thanks peter but is there any way where I can specify radius to use authentication query a for calls from user a, and query b for users b.
Re: VLAN and SSID
Hallo, thanks for the replies. If I insert only the Cisco-AVPair attribute, it doesn't work... Now I try the radius-server vsa send authentication command... Is it an AP console command? Is it possible to set this command from the AP web interface? I have no experience with the console settings.

Another question: where can I find the list of the user attributes for freeradius? Here http://www.freeradius.org/rfc/attributes.html for example I can't find the Cisco-AVPair attribute...

Thanks a lot
Bye
Antonio

James J J Hooper wrote:
> I don't think 1200's do send the attribute by default in the access-request. To make it do so, use this command:
>
>     radius-server vsa send authentication

--
Antonio Matera
CREATE-NET
Via Solteri, 38 - 38100 Trento
www.create-net.org
--
Re: VLAN and SSID
--On Wednesday, March 29, 2006 12:20:57 +0200 Antonio Matera wrote:
> Now I try the radius-server vsa send authentication command... Is it an AP console command? Is it possible to set this command from the AP web interface? I have no experience with the console settings.

yes, either at the console or go to this url:

    https://YOUR-ACCESS-POINT-ADDRESS/level/15/configure/-/radius-server/vsa/send/authentication/CR

(you may need to use http instead of https)

Regards,
James

--
James J J Hooper, Information Services
University of Bristol
--
Re: VLAN and SSID
The Cisco-AVPair mechanism is a mutation of the standard VSA mechanism. Cisco uses a single Vendor ID but wanted to use many VSAs. The limit with a single Vendor ID is 255 (IIRC). So, Cisco's Vendor Specific Attribute number 1 is Cisco-AVPair. They then create sub-VSAs within that VSA using the textual syntax

    Cisco-AVPair=Sub-VSA-name=Sub-VSA-value

To get a list of relevant VSAs, you really need to refer to Cisco's documentation.

Rgds,
Guy

On 29/03/06, James J J Hooper wrote:
> --On Wednesday, March 29, 2006 12:20:57 +0200 Antonio Matera wrote:
> > Now I try the radius-server vsa send authentication command... Is it an AP console command? Is it possible to set this command from the AP web interface?
>
> yes, either at the console or go to this url:
>
>     https://YOUR-ACCESS-POINT-ADDRESS/level/15/configure/-/radius-server/vsa/send/authentication/CR
>
> (you may need to use http instead of https)
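Guy's description of Cisco-AVPair as sub-VSAs carried inside Cisco's vendor attribute 1, as an added Python encoder/decoder that is not FreeRADIUS or Cisco code; it follows the RFC 2865 Vendor-Specific layout, and the vendor ID 9 is Cisco's IANA enterprise number (the FreeRADIUS dictionary's VENDOR Cisco 9).

```python
"""Cisco-AVPair on the wire: a RADIUS Vendor-Specific attribute (type 26) that wraps
vendor sub-attributes.  Added example, not FreeRADIUS or Cisco code."""
import struct
from typing import Dict, List, Tuple

VENDOR_SPECIFIC = 26     # RFC 2865 attribute type for Vendor-Specific
CISCO_VENDOR_ID = 9      # Cisco's IANA enterprise number (dictionary: VENDOR Cisco 9)
CISCO_AVPAIR = 1         # vendor type 1 = Cisco-AVPair, the "name=value" container


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """One Vendor-Specific attribute carrying a single vendor sub-attribute:
    Type(26) Length Vendor-Id(4) | Vendor-Type Vendor-Length String."""
    if not 0 < vendor_type < 256:
        raise ValueError("vendor type must fit in one byte")
    if len(value) > 247:          # 253-byte attribute payload minus 4 + 2 header bytes
        raise ValueError("value too long for a single VSA")
    sub = struct.pack('!BB', vendor_type, 2 + len(value)) + value
    return struct.pack('!BBI', VENDOR_SPECIFIC, 2 + 4 + len(sub), vendor_id) + sub


def encode_cisco_avpair(name: str, value: str) -> bytes:
    """Cisco-AVPair = "name=value" as the AP or the server puts it on the wire."""
    return encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, f"{name}={value}".encode())


def decode_attributes(data: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk a RADIUS attribute list.  Returns (vendor_id, type, value) triples: vendor_id
    0 for ordinary attributes, otherwise one triple per sub-attribute of each type-26
    attribute (several sub-VSAs may share one Vendor-Specific wrapper)."""
    out: List[Tuple[int, int, bytes]] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        body = data[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC:
            out.append((0, atype, body))
            continue
        if len(body) < 4:
            raise ValueError("Vendor-Specific attribute without Vendor-Id")
        vendor_id = struct.unpack('!I', body[:4])[0]
        sub, spos = body[4:], 0
        while spos < len(sub):
            if len(sub) - spos < 2:
                raise ValueError("truncated vendor sub-attribute header")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError(f"bad vendor sub-attribute length {vlen}")
            out.append((vendor_id, vtype, sub[spos + 2:spos + vlen]))
            spos += vlen
    return out


def cisco_avpairs(data: bytes) -> Dict[str, str]:
    """Collect Cisco-AVPair sub-VSAs as a name -> value map, e.g. {'ssid': 'SSID1'}."""
    pairs: Dict[str, str] = {}
    for vendor_id, vtype, value in decode_attributes(data):
        if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
            name, sep, val = value.decode('utf-8', errors='replace').partition('=')
            if sep:                   # ignore a malformed pair without '='
                pairs[name] = val
    return pairs


if __name__ == '__main__':
    # Constructed attribute list: User-Name (type 1) followed by a Cisco-AVPair VSA, the
    # shape an AP sends once 'radius-server vsa send authentication' is configured.
    packet = bytes([1, 7]) + b'user1' + encode_cisco_avpair('ssid', 'SSID2')
    print(packet.hex())
    print(cisco_avpairs(packet))      # {'ssid': 'SSID2'}
```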
Re: Another RPM build issue with version 1.1.1
Duane Cox wrote:
> I noticed this too, that with 1.1.1 the docs are installed to doc/freeradius and not doc/freeradius-1.1.1

It has been discussed on the freeradius-devel mailing list: the libraries and the executables are installed in version-independent directories, therefore it's more consistent to have the docs under share/doc/freeradius. BTW it's also the recommended location in the Debian policy manual.

> I'm not sure why this change came about, but can't a simple sed script fix it? Then build your RPM.
>
>     sed -i '[EMAIL PROTECTED]/[EMAIL PROTECTED]/[EMAIL PROTECTED]' doc/Makefile
>     sed -i '[EMAIL PROTECTED]/freeradius/[EMAIL PROTECTED]/freeradius-1.1.1/[EMAIL PROTECTED]' doc/examples/Makefile
>     sed -i '[EMAIL PROTECTED]/freeradius/[EMAIL PROTECTED]/freeradius-1.1.1/[EMAIL PROTECTED]' doc/rfc/Makefile

Perhaps adding this command in freeradius.spec could fix the problem:

    sed -i [EMAIL PROTECTED]/[EMAIL PROTECTED]/freeradius-%{version}@ doc/Makefile doc/examples/Makefile doc/rfc/Makefile

However, I think it'd be more elegant to add an option --docdir to configure and update the makefiles to use that.

--
Nicolas Baradakis
Re: Compile errors in Freeradius-1.1.1
Alan Baker wrote:
> I am currently trying to compile the new version of FreeRadius 1.1.1. I've used the same configure statement just like in 1.1.0 and for some reason I am receiving a few build errors. Please help.

Please no HTML to the list.

>     /home/johnny5/freeradius-1.1.1/libtool --mode=install /home/johnny5/freeradius-1.1.1/install-sh -c -c libradius.la /custom/freeradius-1.1.1/lib

For reasons unknown to me libtool --install has the correct destination directory in argument but it results in the following command (which is wrong) when the directory doesn't exist already.

    /home/johnny5/freeradius-1.1.1/install-sh -c -c .libs/libradius-1.1.1.so /custom/freeradius-1.1.1/libradius-1.1.1.so

You can get a patch to work around this in the mailing list archive or checkout the branch_1_1 of the CVS.

--
Nicolas Baradakis
Re: Installed freeradius v1.1.1 ok but running got Floating point exception?
Albert Lin wrote:
> My Linux:
>
>     uname -a
>     Linux ANVL-Workstation 2.4.20-8smp #1 SMP Thu Mar 13 17:45:54 EST 2003 i686 i686 i386 GNU/Linux
>
>     [EMAIL PROTECTED] etc]# radiusd -X
>     Floating point exception
>
> Any help? Thanks!

Please no HTML to the list.

Run gdb and send us the information as explained here: http://freeradius.org/radiusd/doc/bugs

--
Nicolas Baradakis
Problem with ntlm winbind - No User-Password configured. Cannot create LM-Password
hi
my problem is the following:

    ...
    auth: type EAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 6
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/mschapv2
    rlm_eap: processing type mschapv2
    Processing the authenticate section of radiusd.conf
    modcall: entering group Auth-Type for request 6
    rlm_mschap: No User-Password configured. Cannot create LM-Password.
    rlm_mschap: No User-Password configured. Cannot create NT-Password.
    rlm_mschap: Told to do MS-CHAPv2 for lehrer with NT-Password
    radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
    radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
    radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
    mschap2: 5b
    radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
    radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --domain=X --username=USER --challenge=921647d950709696 --nt-response=5882778194e622a6b9da392d2852d62ceb17144f53e7ced2'
    Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=X --username=USER --challenge=921647d950709696 --nt-response=5882778194e622a6b9da392d2852d62ceb17144f53e7ced2
    Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
    Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
    Exec-Program: returned: 1
    rlm_mschap: External script failed.
    rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    modcall[authenticate]: module mschap returns reject for request 6
    modcall: group Auth-Type returns reject for request 6
    rlm_eap: Freeing handler
    modcall[authenticate]: module eap returns reject for request 6
    modcall: group authenticate returns reject for request 6
    auth: Failed to validate the user.
    PEAP: Got tunneled reply RADIUS code 3
            MS-CHAP-Error = \010E=691 R=1
            EAP-Message = 0x04080004
            Message-Authenticator = 0x
    PEAP: Processing from tunneled session code 0xa050d40 3
            MS-CHAP-Error = \010E=691 R=1
            EAP-Message = 0x04080004
            Message-Authenticator = 0x
    PEAP: Tunneled authentication was rejected.
    rlm_eap_peap: FAILURE
    modcall[authenticate]: module eap returns handled for request 6
    modcall: group authenticate returns handled for request 6
    Sending Access-Challenge of id 67 to 10.92.124.2:1645
            EAP-Message = 0x010900261900170301001b0e5cfcbdba58b6fa4dff4d6d233650499c90b171a8c8a5ea5c7269
            Message-Authenticator = 0x
            State = 0xcd4008f5215934f6b818f5c3915e05b3
    Finished request 6
    Going to the next request
    Waking up in 5 seconds...

I searched on the web but I found nothing. Does someone have an idea?
thx
Re: v1.1.1 build problems (SSL, EAP)
Bill Roberts wrote:
> I'm just posting my experiences in building v1.1.1 in case it is of use to anyone else with similar problems. My system is Solaris 10 Sparc, Freeradius v1.1.1, OpenSSL 0.9.8a, Sun compiler version 5.7 (SunStudio 10).

Thanks for the report.

> This ultimately caused compilation errors in rlm_eap_peap.c:
>
>     ../../libeap/eap_tls.h, line 138: syntax error before or at: SSL
>     ../../libeap/eap_tls.h, line 141: syntax error before or at: BIO
>     ../../libeap/eap_tls.h, line 186: syntax error before or at: SSL
>     ../../libeap/eap_tls.h, line 186: warning: undefined or missing type for: SSL
>     ../../libeap/eap_tls.h, line 187: warning: undefined or missing type for: cons

It's a bug: in version 1.1.1 configure in rlm_eap_peap uses a different autoconf test than configure in top level directory.

> When I investigated by looking at the config.log there was a not found error for libcrypto. It turns out that the configure script has this line in the test for libcrypto section:
>
>     LIBS=-lcrypto $LIBS
>
> In my case, this expands to:
>
>     -lcrypto -L/usr/local/ssl/lib ...other stuff deleted
>
> Which means libcrypto is not found because it is listed before the -L directive telling the compiler where it can be found.

It's a different bug: we should add the user defined directory to LDFLAGS instead of LIBS.

> Everything then builds OK until rlm_perl.c when I see:
>
>     rlm_perl.c, line 165: syntax error before or at: CV

This variable type should be defined in the libperl headers, I've no idea why it isn't the case on your system.

--
Nicolas Baradakis
Re: special characters in username in rlm_sql
Duane Cox wrote:
> Apparently somewhere (rlm_sql ?) the username is being changed, possibly in an anti-injection function, I don't know. Can someone shed some light on this? For instance, in the debug snip below, the username 'dcoxdcox' is changed to 'dcox=26dcox' which of course fails the sql select statement.

It's not a bug, it's a feature. It prevents SQL injection attacks on your backend database. http://www.google.com/search?q=sql+injection+attack

As Alan said, you can change the safe-characters option in sql.conf, but only if you know exactly what you are doing.

--
Nicolas Baradakis
Freeradius authentication agains Domino
Hi! I have a Domino (6.5.4FP3) ldap which I would like to use as a backend for freeradius. My clients (winxp) use eap-mschapv2; would it be possible for freeradius to match the password from the domino with the one supplied by the client? If it ain't possible, what would it take to achieve it? I'm sorry if the question has been asked too many times, but I can't find an answer on the net or in this list.

Thanks
-CP
Re: Problem with ntlm winbind - No User-Password configured. Cannot create LM-Password
--On Wednesday, March 29, 2006 15:47:15 +0200 Konne wrote:
> hi
> my problem is the following:
>
>     Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=X --username=USER --challenge=921647d950709696 --nt-response=5882778194e622a6b9da392d2852d62ceb17144f53e7ced2
>     Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
>     Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)

change the permissions on /var/cache/samba/winbindd_privileged so that the user radius runs as has access to it. e.g:

    chgrp radiusd /var/cache/samba/winbindd_privileged
    chmod g+rw /var/cache/samba/winbindd_privileged

Regards,
James

--
James J J Hooper, Information Services
University of Bristol
--
Re: VLAN and SSID
Hallo, now I have the users configured as follows:

    user1   Auth-Type := EAP
            Cisco-AVPair := ssid=SSID1,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 2,
            Tunnel-Type = VLAN

    user2   Auth-Type := EAP
            Cisco-AVPair := ssid=SSID2,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 3,
            Tunnel-Type = VLAN

The AP has the radius-server vsa send authentication, but when I connect for example to SSID2 using user1, radius writes this log for a big number of requests:

    rad_recv: Access-Request packet from host 192.168.9.104:1645, id=167, length=137
            User-Name = user1
            Framed-MTU = 1400
            Called-Station-Id = ..
            Calling-Station-Id = ..
            Service-Type = Login-User
            Message-Authenticator = 0xd58071e7b7c3b158323ae6e2da5cf746
            EAP-Message = 0x020600060d00
            NAS-Port-Type = Wireless-802.11
            NAS-Port = 1215
            State = 0x15f928ed12d8d4d1a278530b6dd26c21
            NAS-IP-Address = 192.168.9.104
            NAS-Identifier = ap
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 53
    modcall[authorize]: module preprocess returns ok for request 53
    modcall[authorize]: module mschap returns noop for request 53
    rlm_realm: No '@' in User-Name = user1, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 53
    rlm_eap: EAP packet type response id 6 length 6
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 53
    users: Matched entry user1 at line 14
    modcall[authorize]: module files returns ok for request 53
    modcall: leaving group authorize (returns updated) for request 53
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 53
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/tls
    rlm_eap: processing type tls
    rlm_eap_tls: Authenticate
    rlm_eap_tls: processing TLS
    rlm_eap_tls: Received EAP-TLS ACK message
    rlm_eap_tls: ack handshake is finished
    eaptls_verify returned 3
    eaptls_process returned 3
    rlm_eap: Freeing handler
    modcall[authenticate]: module eap returns ok for request 53
    modcall: leaving group authenticate (returns ok) for request 53
    Login OK: [user1/no User-Password attribute] (from client ap-test port 1215 cli 000c.f135.f1ba)
    Sending Access-Accept of id 167 to 192.168.9.104 port 1645
            Cisco-AVPair := ssid=SSID1
            Tunnel-Medium-Type:0 = IEEE-802
            Tunnel-Private-Group-Id:0 = 2
            Tunnel-Type:0 = VLAN
            MS-MPPE-Recv-Key = 0x4b79e8c8d51a317ecfc389ae1109e9cbf4fed548b081a3d9a207cb1673fb2011
            MS-MPPE-Send-Key = 0x00c78f66a7706dbc37c2ef3a9cf1f4f183b28d840da50d583ae780041fe1f1d9
            EAP-Message = 0x03060004
            Message-Authenticator = 0x
            User-Name = user1
    Finished request 53

The XP client says that SSID2 is connected, but if I try to navigate on VLAN1 or VLAN2 I can't do it. Why does the radius receive a big number of requests from the client and not send a failed authorization? Is it possible to eliminate the requests after the first? Is it possible to send the XP client a failed authorization? At the moment the client doesn't understand if it is or isn't connected to the SSID.

Thanks a lot for your time
Bye
Antonio
Re: VLAN and SSID
Hi Antonio,

If you're using the Cisco-AVPair as a check item, it *must* be on the first line of the user entry. e.g.

    user1   Auth-Type := EAP, Cisco-AVPair := ssid=SSID1
            ... reply items here, one per line...

If you want to configure it as a reply item, it should be...

    Cisco-AVPair = ssid=SSID1

NOTE: =, not := for the reply item.

Rgds,
Guy

On 29/03/06, Antonio Matera wrote:
> Hallo, now I have the users configured as follows:
>
>     user1   Auth-Type := EAP
>             Cisco-AVPair := ssid=SSID1,
>             Tunnel-Medium-Type = IEEE-802,
>             Tunnel-Private-Group-Id = 2,
>             Tunnel-Type = VLAN
>
>     user2   Auth-Type := EAP
>             Cisco-AVPair := ssid=SSID2,
>             Tunnel-Medium-Type = IEEE-802,
>             Tunnel-Private-Group-Id = 3,
>             Tunnel-Type = VLAN
>
> The AP has the radius-server vsa send authentication, but when I connect for example to SSID2 using user1, radius writes this log for a big number of requests:
>
>     rad_recv: Access-Request packet from host 192.168.9.104:1645, id=167, length=137
>             User-Name = user1
>             Framed-MTU = 1400
>             Called-Station-Id = ..
>             Calling-Station-Id = ..
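Guy's rule above (check items on the first line of an entry, reply items on the lines below) and Alan DeKok's DEFAULT/NAS-IP-Address entry from the earlier thread, as an added Python model of users-file matching that is not FreeRADIUS code. It also applies the users(5) operator semantics, under which == compares a check item with the request while := always matches and sets a value, so the SSID check in the constructed sample file uses ==.

```python
"""Toy model of how FreeRADIUS matches a 'users' file entry (added example, not
FreeRADIUS code).  Check items live on the first line and decide whether the entry
applies; every indented continuation line holds reply items that go back in the
Access-Accept.  Operators follow users(5): '==' compares against the request,
':=' always matches and sets a value (as in Auth-Type := EAP)."""
import re
from typing import Dict, List, Tuple

Pair = Tuple[str, str, str]                  # (attribute, operator, value)
Entry = Tuple[str, List[Pair], List[Pair]]   # (name, check items, reply items)

# Constructed users file.  'user1' is laid out as in Antonio's post: Cisco-AVPair sits
# on a continuation line, so it is a reply item and restricts nothing.  'user2' uses the
# corrected layout, SSID on the first line as a check item compared with '=='.  The
# DEFAULT entry is the NAS-IP-Address check from the "Different user attributes" thread.
USERS_FILE = """\
user1\tAuth-Type := EAP
\tCisco-AVPair := "ssid=SSID1",
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 2,
\tTunnel-Type = VLAN

user2\tAuth-Type := EAP, Cisco-AVPair == "ssid=SSID2"
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 3,
\tTunnel-Type = VLAN

DEFAULT\tNAS-IP-Address == 1.2.3.4
\tReply-Message = "Hello you guy from 1.2.3.4"
"""

_PAIR_RE = re.compile(r'^([A-Za-z0-9-]+)\s*(==|:=|!=|=)\s*(.*?)\s*$')


def parse_pairs(text: str) -> List[Pair]:
    """Parse 'Attr op value, Attr op value' into (attribute, operator, value) tuples."""
    pairs: List[Pair] = []
    for chunk in text.split(','):
        chunk = chunk.strip()
        if not chunk:
            continue                      # trailing comma on a continuation line
        m = _PAIR_RE.match(chunk)
        if m is None:
            raise ValueError(f"cannot parse pair: {chunk!r}")
        attr, op, value = m.groups()
        pairs.append((attr, op, value.strip('"')))
    return pairs


def parse_users(text: str) -> List[Entry]:
    """Split a users file into entries: name, first-line check items, reply items."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] not in ' \t':          # column 0: a new entry starts here
            m = re.match(r'^(\S+)\s*(.*)$', line)
            entries.append((m.group(1), parse_pairs(m.group(2)), []))
        else:                             # indented: reply items of the current entry
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1][2].extend(parse_pairs(line))
    return entries


def check_items_match(checks: List[Pair], request: Dict[str, str]) -> bool:
    """Apply the check items to the request attributes; all of them must pass."""
    for attr, op, value in checks:
        if op in (':=', '='):
            continue                      # 'set' operators never compare, always match
        if op == '==' and request.get(attr) != value:
            return False
        if op == '!=' and request.get(attr) == value:
            return False
    return True


def authorize(entries: List[Entry], request: Dict[str, str]) -> Tuple[str, List[Pair]]:
    """Return the packet type and reply items of the first entry that matches."""
    for name, checks, replies in entries:
        if name != 'DEFAULT' and name != request.get('User-Name'):
            continue
        if check_items_match(checks, request):
            return 'Access-Accept', replies
    return 'Access-Reject', []            # no entry applies (toy simplification)


USERS = parse_users(USERS_FILE)

if __name__ == '__main__':
    # Cisco-AVPair only reaches the request once the AP has
    # 'radius-server vsa send authentication' configured (James' reply).
    for user, ssid in (('user1', 'ssid=SSID2'), ('user2', 'ssid=SSID1'),
                       ('user2', 'ssid=SSID2')):
        code, reply = authorize(USERS, {'User-Name': user, 'Cisco-AVPair': ssid})
        print(f"{user} on {ssid}: {code} {reply}")
```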
Expiration Date using Freeradius 1.1.1 and mysql
Good morning all,

I would like to be able to begin and expire accounts on certain dates, but I would like to be able to do it by inputting information into the radius database that I have created using mysql.

Also, I appreciate the help you all have given. If I have one bit of information to share with new freeradius people, it is to slow down and do not get ahead of yourself. Once I took it step by step, all the pieces fell into place. I get access-accepts using radtest, sql logins and even NTRadPing. So I have come quite far in a week.

Thanks again.
Dwane
Upgrade Freeradius
Hello. I have a network where wireless users use FreeRADIUS to authenticate via OpenLDAP (in another box). I recently installed the 1.1.0 version using the latest version of SLES as the OS and everything worked well. I did the following:

./configure --with-openssl-includes=/usr/local/openssl/include --with-openssl-libraries=/usr/local/openssl/lib --prefix=/usr/local/radius --with-rlm-ldap-lib-dir=/usr/local/openldap/lib/ --with-rlm-ldap-include-dir=/usr/local/openldap/include/
make
make install

Before, I installed openssl (0.9.8a) like this:

./config --prefix=/usr/local/openssl shared
make
make install

From the radiusd.conf I have:

...
ldap {
    server = 192.168.2.4
    port = 636
    basedn = ou=users,dc=ual,dc=pt
    filter = (mail=%{User-Name})
    start_tls = no
    access_attr = radiusClientIPAddress
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 30
    timeout = 60
    timelimit = 60
    net_timeout = 60
}
...

It runs perfectly well, but when it receives a request from a client I get the following error:

Error: rlm_ldap: could not set LDAP_OPT_X_TLS option Success

Using clear communication (ldap://) it works well, so I definitely have a problem with TLS/SSL. I have the same configuration in another box using FreeRADIUS 1.0.5 and it works fine. Any idea? TIA

--
Sincerely,
Paulo Cabrita, MSc
Director of the Computing Centre of the Universidade Autónoma de Lisboa
Tel: +351-213177635
Fax: +351-213533702
E-mail: [EMAIL PROTECTED]
(no subject)
Hi friends! I speak from the tongue of an engineering student in a research group trying to implement a RADIUS proxy system. My doubt is: can a FreeRADIUS server first do an authorization of a request through a DB (i.e. MySQL) and then proxy it if so, or reject it (if all isn't in rule)? I mean, summarizing: can a request be authenticated/authorized two times? We want to accept access only if each one of the two servers processes the authentication successfully.

Thanks in advance for all the support you can give us, hope to hear from you.

Marc (Nets Research Group [Pompeu Fabra University])
Freeradius log
Hi, I'm getting this error in my log:

Error: rlm_sql: The 'op' field for attribute 'password = ' is NULL, or non-existent.
Wed Mar 29 11:43:34 2006 : Error: rlm_sql: You MUST FIX THIS if you want the configuration to behave as you expect.
Wed Mar 29 11:43:39 2006 : Error: Invalid operator for item Password: reverting to '=='

Anyone know what it is and how to resolve it? I'm still able to authenticate while the log is giving me this error message ...
Re: radclient for ttls?
kevin [EMAIL PROTECTED] wrote:
> do you know how to configure outer-attributes for eap-ttls in eapol_test? I want to make user-name=anonymous in outer.

Edit the config file. See the sample configs that come with it.

Alan DeKok.
Re: opening sockets in modules
radhika putty [EMAIL PROTECTED] wrote:
> Are we allowed to open sockets inside a module and communicate with other programs? If not, then how else can we communicate with other network programs?

Yes. The LDAP and SQL modules do this.

Alan DeKok.
Re: special characters in passwords + FR + ldap
Turtiainen, Tero [EMAIL PROTECTED] wrote:
> From: Natalia Escalera [EMAIL PROTECTED]
>> We tried FR 1.1.1 and we are still having problems with passwords containing special characters like '$' for the LDAP authentication. In FR 1.1.0 the '$' was replaced by a character such as '%24'.

That is supposed to happen.

>> For the new version, the symbol '$' is deleted as well as the character that is next to it.

That's not LDAP or FreeRADIUS. That's the shell you're using.

>> Command: /usr/local/bin/radtest username test$2006 x.x.x.x 1 test123

Try:

/usr/local/bin/radtest username 'test$2006' ...

Read the shell documentation to see why it expands shell variables like $2.

Alan DeKok.
multiple attribute instances and radius variables (xlat)
FreeRADIUS documentation in 1.1.1 mentions a possibility of referencing specific AVPs in case of multiple instances of an attribute (%{Attr-Name[N]}). This is quite useful (and a nice addition!), but it doesn't seem to cover some situations (especially related to logging/accounting) where the number of attribute instances is not known in advance. Is it possible to add something like %{Attr-Name[*]} that would expand to all values of an attribute, and something like %{Attr-Name[#]} that would expand to the number of attribute instances? The toughest part of the above suggestion is which delimiter to use in the case of [*], and whether it is possible to make that delimiter configurable.

--
Andriy Gapon
Re: VLAN and SSID
Antonio Matera [EMAIL PROTECTED] wrote:
> the authentication works fine but, for example, if I connect the WinXP client on the SSID1 with the certificate user of the VLAN2, I have this situation: The client is connected to the VLAN2 but the SSID of the wireless connection is SSID1.

So prevent that. The Calling-Station-Id *should* contain the SSID after the MAC address. Run the server in debug mode to see this. Then, use a regular expression to match the SSID.

Alan DeKok.
Re: Different user attributes based on NAS-IP-Address? Also Suffix wildcards available?
John Mylchreest [EMAIL PROTECTED] wrote:
> Can you give me an example in SQL please of how I might implement it using this fashion?

You put the attribute name, operator, and value into SQL.

> Is it not just a case of if it passes radcheck, then it will respond with radreply?

Yes.

Alan DeKok.
Re: Expiration Date using Freeradius 1.1.1 and mysql
Atkins, Dwane P [EMAIL PROTECTED] wrote:
> I would like to be able to begin and expire accounts on certain dates, but I would like to be able to do it by input information into the radius database that I have created using mysql.

Use the Expiration attribute. See the READMEs.

Alan DeKok.
Re: Freeradius log
fvt3 [EMAIL PROTECTED] wrote:
> Anyone know what it is and how to resolve it?

Add a value in the op field, like the error messages suggest?

Alan DeKok.
Adding 2 or more Framed-Routes
Anyone know the correct way to add more than one Framed-Route? Here is what is set up now and this works:

af_user Service-Type = Framed-User, Simultaneous-Use=1
        Framed-IP-Address = 206.40.yyy.yyy,
        Framed-Route = 206.40.xxx.xxx/29 206.40.yyy.yyy 1,

Do I just need to add a second Framed-Route like this?

af_user Service-Type = Framed-User, Simultaneous-Use=1
        Framed-IP-Address = 206.40.yyy.yyy,
        Framed-Route = 206.40.xxx.xxx/29 206.40.yyy.yyy 1,
        Framed-Route = 206.40.zzz.zzz/29 206.40.yyy.yyy 1,

Thanks,
Brent
--
Yeah, I've Got Gmail! Yeah!
== error
Radius is up and running and authenticates fine. But every time someone authenticates I get the "Error: Invalid operator for item Suffix: reverting to '=='" message in the radius.log. This is the error log below.

Wed Mar 29 19:35:09 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Wed Mar 29 19:35:09 2006 : Info: Ready to process requests.
Wed Mar 29 19:35:12 2006 : Error: Invalid operator for item Suffix: reverting to '=='
Wed Mar 29 19:35:12 2006 : Error: Invalid operator for item Suffix: reverting to '=='
Wed Mar 29 19:35:12 2006 : Error: Invalid operator for item Suffix: reverting to '=='
Wed Mar 29 19:35:12 2006 : Auth: Login OK: [EMAIL PROTECTED]/test] (from client gw2.domain.com port 0)

Thanx
Shared secret is wrong, except that it isn't?
Okay, I'm sorta stumped here. I'm getting the exact behavior described for "shared secret is wrong", but I am pretty confident that it isn't. FreeRadius 1.1.1, installed on NetBSD 3.0/amd64.

Synopsis: No matter how cleverly I try to make sure I have the right shared secret, I get garbage passwords.

My clients file says:

127.0.0.1 foobar

I'm using radtest:

radtest user pw localhost 10 foobar

I get:

auth: type System
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [beta1]: invalid password
modcall[authenticate]: module unix returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.
WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!

There are no unprintable characters in the password I'm sending.

So. The one thing I can think of is the 64-bit environment, because an old version of cistron-radiusd I was skimming once had a comment about assumptions about the size of long and the size of (void *). However, even then, I would expect that a radtest and a radiusd built and running on the same server would, even if they were doing it wrong, do it wrong in precisely compatible ways!

So, uhm. Where exactly is this encryption happening? It looks like lib/radius.c is the place where shared secrets are used, but the code seems to be substantially different from the cistron code I vaguely remember from way back when. In particular, I don't remember this MD5 stuff...

-s
Re: Problem with ntlm winbind - No User-Password configured. Cannot create LM-Password
Konne [EMAIL PROTECTED] wrote:
> i searched on the web but i found nothing. someone has an idea?

READ the debug output you posted to the list:

Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)

Maybe that text would be relevant... but you have to READ IT.

Alan DeKok.
Re: Shared secret is wrong, except that it isn't?
Have you tried putting the secret in clients.conf? I thought the clients file was deprecated.

josh.

Peter Seebach wrote:
> Okay, I'm sorta stumped here. I'm getting the exact behavior described for "shared secret is wrong", but I am pretty confident that it isn't. FreeRadius 1.1.1, installed on NetBSD 3.0/amd64.
> [snip]
Re: Shared secret is wrong, except that it isn't?
In message [EMAIL PROTECTED], Josh Howlett writes:
> Have you tried putting the secret in clients.conf? I thought the clients file was deprecated.

I haven't, and you're probably right that it is. I'll have a look at that.

-s
Re: == error
On Wednesday 29 March 2006 14:37, Cris Boisvert wrote:
> Radius is up and running and authenticates fine. But every time someone authenticates I get the "Error: Invalid operator for item Suffix: reverting to '=='" message in the radius.log. This is the error log below.
> [snip]

Run in debug mode, try to authenticate, and post the debug log to the list. Other than that, there isn't much we can suggest other than search through your configs + MySQL tables for the Suffix attribute and verify the operator being used.

Kevin Bonner
RE: Shared secret is wrong, except that it isn't?
Hi Peter,

I had the same issue on Suse 9.1/64bit version. Some stupid library was broken (I think the LIBLTDL = /usr/lib64/libltdl.so was wrong). That had the whole stuff messed up. Since I am not familiar with NetBSD, maybe you should consider asking the same question on their mailing list about this lib and linking with freeradius.

Regards,
Edvin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter Seebach
Sent: Wednesday, 29 March 2006 21:49
To: freeradius-users@lists.freeradius.org
Subject: Shared secret is wrong, except that it isn't?

> Okay, I'm sorta stumped here. I'm getting the exact behavior described for "shared secret is wrong", but I am pretty confident that it isn't. FreeRadius 1.1.1, installed on NetBSD 3.0/amd64.
> [snip]
RE: == error
This is the debug [EMAIL PROTECTED] ~]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/sql.conf Config: including file: /etc/raddb/sql2.conf main: prefix = /usr main: localstatedir = /var main: logdir = /var/log/radius main: libdir = /usr/lib main: radacctdir = /var/log/radius/radacct main: hostname_lookups = yes main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = /var/log/radius/radius.log main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = /var/run/radiusd/radiusd.pid main: user = radiusd main: group = radiusd main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/sbin/checkrad main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. 
read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = (null) mschap: authtype = MS-CHAP mschap: ntlm_auth = (null) Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = /etc/shadow unix: group = (null) unix: radwtmp = /var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = md5 eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /etc/raddb/huntgroups preprocess: hints = /etc/raddb/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = suffix realm: delimiter = @ realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded SQL sql: driver = rlm_sql_mysql sql: server = 216.236.246.21 sql: port = sql: login = radius2 sql: password = sausage sql: radius_db = radius sql: acct_table = radacct sql: acct_table2 = radacct sql: authcheck_table = radcheck sql: authreply_table = radreply sql: groupcheck_table = radgroupcheck sql: groupreply_table = radgroupreply sql: usergroup_table = usergroup sql: nas_table = nas sql: dict_table = 
dictionary sql: sqltrace = yes sql: sqltracefile = /var/log/radius/sqltrace.sql sql: readclients = no sql: deletestalesessions = yes sql: num_sql_socks = 5 sql: sql_user_name = %{User-Name} sql: default_user_profile = sql: query_on_not_found = no sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id sql: authorize_group_check_query = SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id sql: authorize_group_reply_query = SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = %{Acct-Delay-Time} WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime = '%S' sql: accounting_update_query = UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND
PsionTeklogix 9150
Hello, I would like to use FreeRADIUS authentication for the Psion Teklogix 9150 instead of local authentication. Has somebody any experience with such a client?

Thanks,
daniel
Re: == error
Cris Boisvert [EMAIL PROTECTED] wrote:
> Radius is up and running and authenticates fine. But every time someone authenticates I get the "Error: Invalid operator for item Suffix: reverting to '=='" message in the radius.log.

It's a problem with the default hints file.

Alan DeKok.
Re: Expiration Date using Freeradius 1.1.1 and mysql
I appreciate the input. I am looking for the README that will tell me how to use the Expiration attribute in the users file, but how does one correlate it to the MySQL database? Is there a field in the radius database tables? Can I do a bulk add with dates that will allow me to do this?

Thanks,
Dwane

Dwane Atkins
TN 210-567-0158
Re: Adding 2 or more Framed-Routes
On Wednesday 29 March 2006 21:15, Brent wrote:
> Anyone know the correct way to add more than one Framed-Route? Here is what is set up now and this works:
>
> af_user Service-Type = Framed-User, Simultaneous-Use=1
>         Framed-IP-Address = 206.40.yyy.yyy,
>         Framed-Route = 206.40.xxx.xxx/29 206.40.yyy.yyy 1,
>
> Do I just need to add a second Framed-Route like this?
>
> af_user Service-Type = Framed-User, Simultaneous-Use=1
>         Framed-IP-Address = 206.40.yyy.yyy,
>         Framed-Route = 206.40.xxx.xxx/29 206.40.yyy.yyy 1,
>         Framed-Route = 206.40.zzz.zzz/29 206.40.yyy.yyy 1,

Use += as operator for attributes of the same type.

--
GeraldAX/TC
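To make both pieces of advice concrete, Alan's suggestion in "Re: VLAN and SSID" above (match the SSID in Calling-Station-Id with a regular expression) and Gerald's "+=" here, the following is an added example in Python, not code from the thread or from FreeRADIUS, that models how users-file check and reply operators behave. The entries are hypothetical, the "MAC:SSID" layout of Calling-Station-Id is an assumption that must be confirmed from radiusd -X output as Alan says, and the addresses are the placeholders from Brent's post.

```python
import re
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]   # (attribute, operator, value) as written in 'users'
Pair = Tuple[str, str]        # (attribute, value) in a request or reply list

# Hypothetical 'users' entries modelled on the thread. Check items are the
# first line of an entry, reply items the following lines. Auth-Type := EAP
# and Simultaneous-Use are control items: recorded, never compared.
USERS: List[Dict] = [
    {"name": "user1",
     "check": [("Auth-Type", ":=", "EAP"),
               ("Calling-Station-Id", "=~", ":SSID1$")],   # assumes "MAC:SSID"
     "reply": [("Tunnel-Medium-Type", "=", "IEEE-802"),
               ("Tunnel-Private-Group-Id", "=", "2"),
               ("Tunnel-Type", "=", "VLAN")]},
    {"name": "user2",
     "check": [("Auth-Type", ":=", "EAP"),
               ("Calling-Station-Id", "=~", ":SSID2$")],
     "reply": [("Tunnel-Medium-Type", "=", "IEEE-802"),
               ("Tunnel-Private-Group-Id", "=", "3"),
               ("Tunnel-Type", "=", "VLAN")]},
    {"name": "af_user",
     "check": [("Simultaneous-Use", ":=", "1")],
     "reply": [("Service-Type", "=", "Framed-User"),
               ("Framed-IP-Address", "=", "206.40.yyy.yyy"),
               ("Framed-Route", "+=", "206.40.xxx.xxx/29 206.40.yyy.yyy 1"),
               ("Framed-Route", "+=", "206.40.zzz.zzz/29 206.40.yyy.yyy 1")]},
]


def check_item_matches(request: Dict[str, str], item: Item) -> bool:
    """Evaluate one check item against the request attributes."""
    attr, op, value = item
    if op == ":=":
        return True                              # control item, never compared
    if attr not in request:
        return False                             # == and =~ need the attribute
    if op == "==":
        return request[attr] == value
    if op == "=~":
        return re.search(value, request[attr]) is not None
    raise ValueError(f"unsupported check operator {op!r}")


def apply_reply_item(reply: List[Pair], item: Item) -> None:
    """Apply one reply item with users-file semantics:
    '='  add only if the attribute is not already in the reply,
    '+=' always append (this is how several Framed-Routes get returned),
    ':=' replace every existing instance with this one."""
    attr, op, value = item
    if op == "=":
        if not any(a == attr for a, _ in reply):
            reply.append((attr, value))
    elif op == "+=":
        reply.append((attr, value))
    elif op == ":=":
        reply[:] = [(a, v) for a, v in reply if a != attr] + [(attr, value)]
    else:
        raise ValueError(f"unsupported reply operator {op!r}")


def authorize(request: Dict[str, str], users: List[Dict] = USERS) -> Dict:
    """First entry whose name and check items all match wins (no Fall-Through).
    A user whose SSID check fails simply matches no entry."""
    for entry in users:
        if entry["name"] != request.get("User-Name"):
            continue
        if not all(check_item_matches(request, i) for i in entry["check"]):
            continue
        reply: List[Pair] = []
        for item in entry["reply"]:
            apply_reply_item(reply, item)
        control = {a: v for a, op, v in entry["check"] if op == ":="}
        return {"matched": True, "control": control, "reply": reply}
    return {"matched": False, "control": {}, "reply": []}


def values(reply: List[Pair], attr: str) -> List[str]:
    """All values of one attribute in a reply list, in order."""
    return [v for a, v in reply if a == attr]
```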
Re: need to free string returned by cf_section_value_find ?
jasonatx0001 [EMAIL PROTECTED] wrote:
> Is the caller responsible for freeing the memory pointed to by the return value from cf_section_value_find? Or does this just point to the memory owned by the conf_section which FreeRADIUS will free on its own?

It returns a pointer to the data owned by the configuration file reader. Freeing it will be bad...

Alan DeKok.
Re: Freeradius authentication agains Domino
Christoffer Dahl Petersen [EMAIL PROTECTED] wrote:
> My clients (winxp) use eap-mschapv2; would it be possible for freeradius to match the password from the domino with the one supplied by the client?

If the domino server supplies a clear-text password, yes.

Alan DeKok.
Re: special characters in passwords + FR + ldap
Natalia Escalera [EMAIL PROTECTED] wrote:
> Command: /usr/local/bin/radtest username test$2006 x.x.x.x 1 test123
> Output:
> Sending Access-Request of id 215 to x.x.x.x port 1812
> User-Name = username
> User-Password = test006   #- No dollar sign, no number 2

$2 is a Unix shell variable. This has nothing to do with FreeRADIUS.

/usr/local/bin/radtest username 'test$2006' x.x.x.x 1 test123

will work. Note SINGLE quotes, not DOUBLE quotes.

Alan DeKok.
Re: Problem with ntlm winbind - No User-Password configured. Cannot create LM-Password
Hi, thanks... now it's running... :-) But I don't know if this error is something special, or isn't it an error? Is that log ok?

modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
* rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.*
rlm_mschap: Told to do MS-CHAPv2 for Lehrer with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: cb
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'

If I want to distinguish an admin VLAN and a user VLAN, how can I do it? I have no idea. Has someone any idea?

Thanks,
Konne

James J J Hooper wrote:
> --On Wednesday, March 29, 2006 15:47:15 +0200 Konne [EMAIL PROTECTED] wrote:
>> hi my problem is the following:
>> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=X --username=USER --challenge=921647d950709696 --nt-response=5882778194e622a6b9da392d2852d62ceb17144f53e7ced2
>> Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
>> Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
>
> change the permissions on /var/cache/samba/winbindd_privileged so that the user radius runs as has access to it.
> e.g.:
> chgrp radiusd /var/cache/samba/winbindd_privileged
> chmod g+rw /var/cache/samba/winbindd_privileged
>
> Regards,
> James
> --
> James J J Hooper, Information Services, University of Bristol