Re: How to specify multiple values for Called-Station-Id (checkval)

2006-05-26 Thread Santiago Balaguer García
This is a very interesting question because I am looking for a solution to 
enable/forbid NAS.




From: Mike Jakubik <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list
To: FreeRadius users mailing list
Subject: Re: How to specify multiple values for Called-Station-Id (checkval)
Date: Thu, 25 May 2006 14:01:09 -0400

Kostas Kalevras wrote:

On Wed, 24 May 2006, Mike Jakubik wrote:


Hello,

I am trying to setup group checks for Called-Station-Id in freeradius 
1.1.1 and mysql. I have enabled the checkval module in radiusd.conf and 
set notfound-reject = yes. In my radgroupcheck table when i specify 
"restricted Called-Station-Id := number", it works fine. However i need 
to specify more than one number. I have tried the following format; 
number, number, number and "number, number, number" and "number", 
"number" but none of those seem to work. Could someone please tell me how 
this can be accomplished?



You just need to add more attribute/value pairs, one for each number you 
want to allow. You can also use a regular expression if you use the =~ 
operator.


I have tried that, but it does not work either. I have also tried using a 
regexp; while it seems to function, it no longer seems to use the checkval 
module and throws the following notice:


Info: rlm_sql (sql): No matching entry in the database for request from 
user [user]


But the checkval module shows:

Auth: Invalid user (rlm_checkval: This Called-Station-Id is not allowed for 
the user)


What's the point of this checkval module if it can only check a single 
value?


- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html






Re: mysql issue

2006-05-26 Thread andy
On Thu, May 25, 2006 at 05:20:03PM -0400, Alan DeKok wrote:
> andy <[EMAIL PROTECTED]> wrote:
> > MySQL clusters require an auto-incrementing field to be the primary key.
> > Within the default table definitions for freeradius, which I have used, in 
> > the table radius.radius_radacct there is an 
> > auto-incrementing field that is not defined as a primary key.
> 
>   In 1.1.1 the RadAcctID field is auto-increment, and PRIMARY KEY.
> See doc/examples/mysql.sql.
> 
>   Which version are you looking at?
> 
>   Alan DeKok.
> 


The version I'm looking at is freeradius from ports:

dhcp1# radiusd -v
radiusd: FreeRADIUS Version 1.1.1, for host , built on May 18 2006 at 18:06:18


I have re-imported the radacct table from this source and the error is slightly 
different but is still happening:

rlm_sql (primary): Reserving sql socket id: 89
rlm_sql_mysql: query:  INSERT into RADIUS_RADACCT (AcctSessionId, AcctUniqueId, 
UserName, Realm, NASIPAddress, 
NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, 
AcctAuthentic, ConnectInfo_start, 
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, 
CallingStationId, AcctTerminateCause, 
ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) 
values('030078001E5D-4476C727', 
'52213596cf7e22f9', '00:0a:e4:56:e2:7c', '', '62.231.32.50', '67174400', 
'Virtual', '2006-05-26 10:15:19', '0', '0', 
'RADIUS', '', '', '0', '0', '', '', '', 'Dialout-Framed-User', '', '', '', '0')
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
rlm_sql (primary): Attempting to connect rlm_sql_mysql #89
rlm_sql_mysql: Starting connect to MySQL server for #89
rlm_sql (primary): Connected new DB handle, #89
rlm_sql_mysql: query:  INSERT into RADIUS_RADACCT (AcctSessionId, AcctUniqueId, 
UserName, Realm, NASIPAddress, 
NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, 
AcctAuthentic, ConnectInfo_start, 
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, 
CallingStationId, AcctTerminateCause, 
ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) 
values('030078001E5D-4476C727', 
'52213596cf7e22f9', '00:0a:e4:56:e2:7c', '', '62.231.32.50', '67174400', 
'Virtual', '2006-05-26 10:15:19', '0', '0', 
'RADIUS', '', '', '0', '0', '', '', '', 'Dialout-Framed-User', '', '', '', '0')
rlm_sql (primary): Released sql socket id: 89


It now doesn't move onto the next socket, but retries the current connection.
I have also updated the default queries from sql.conf.example so everything is 
default.

cheers


-- 
andy[EMAIL PROTECTED]
---
Never argue with an idiot. They drag you down 
to their level, then beat you with experience.
--- 


Inserting Cisco AVPairs from accounting request into database

2006-05-26 Thread vignesh
Hello all
I want to insert cisco AV Pairs from accounting request packet into
database. Here is the accounting request packet for a single leg.
Acct-Session-Id = "0B93"
Calling-Station-Id = "216"
Called-Station-Id = "9833515315"
Cisco-AVPair = "[EMAIL PROTECTED]"
h323-setup-time = "h323-setup-time=*14:42:31.708 PCTime Fri May
26 2006"
h323-conf-id = "h323-conf-id=989CA2C5 EBCE11DA 81EF9672
750B1B97"
h323-call-type = "h323-call-type=VoIP"
Cisco-AVPair = "h323-incoming-conf-id=989CA2C5 EBCE11DA 81EF9672
750B1B97"
Cisco-AVPair = "session-protocol=sipv2"
h323-connect-time = "h323-connect-time=*14:42:34.904 PCTime Fri
May 26 2006"
Acct-Session-Time = 4
h323-disconnect-time = "h323-disconnect-time=*14:42:39.020
PCTime Fri May 26 2006"
h323-disconnect-cause = "h323-disconnect-cause=10"
h323-remote-address = "h323-remote-address=202.80.61.42"
h323-voice-quality = "h323-voice-quality=0"
Cisco-AVPair = "remote-media-address=202.80.61.42"
Cisco-AVPair = "gw-rxd-cgn=ton:0,npi:0,pi:0,si:0,#:216"
User-Name = "202.80.61.42"
Acct-Status-Type = Stop
Service-Type = Login-User
NAS-IP-Address = 202.80.61.1
Acct-Delay-Time = 0

I changed the default table structure to include the extra columns. I also
made changes in sql.conf to add values in the respective columns.
Here is my problem. I insert h323-remote-address by adding
'%{h323-remote-address}' in the insert query,
but I get the value as h323-remote-address=202.80.61.42, whereas I wanted
only the IP address, not the complete string after the '=' sign.
Also I want to insert other fields like callid and remote-media-address,
both of which are Cisco-AVPairs. So how do I include them in my
database, because I can't refer to them directly by their attribute name like
'%{remote-media-address}'? I tried that but it doesn't return any value.
So how do I insert all these values?

Thanks 
Vignesh

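An added example of the split the question above needs (written for this page; it is not FreeRADIUS code, not a vendor module, and not what the poster ran). Cisco sends the h323-* attributes as "name=value" strings and packs further key/value pairs into the multi-valued Cisco-AVPair attribute, so both have to be split on the first '=' before a bare value such as the IP address can go into a typed column. The packet text is constructed from the Stop record posted above, with the redacted call-id line left out; the function names are chosen here.

```python
"""Pull the value part out of Cisco VoIP accounting attributes.  Example code
written for this page, not part of FreeRADIUS or any vendor module.  The
h323-* attributes arrive as "name=value" strings and Cisco-AVPair is a
multi-valued attribute whose key lives inside the value, so both need the
same split before they can be stored in a typed column.  The packet text is
constructed from the Stop record posted above (redacted call-id line omitted)."""
import re
from collections import defaultdict

# Constructed from the posted accounting request (line wraps removed).
SAMPLE_PACKET = '''
Acct-Session-Id = "0B93"
Calling-Station-Id = "216"
Called-Station-Id = "9833515315"
h323-setup-time = "h323-setup-time=*14:42:31.708 PCTime Fri May 26 2006"
h323-conf-id = "h323-conf-id=989CA2C5 EBCE11DA 81EF9672 750B1B97"
h323-call-type = "h323-call-type=VoIP"
Cisco-AVPair = "h323-incoming-conf-id=989CA2C5 EBCE11DA 81EF9672 750B1B97"
Cisco-AVPair = "session-protocol=sipv2"
h323-connect-time = "h323-connect-time=*14:42:34.904 PCTime Fri May 26 2006"
Acct-Session-Time = 4
h323-disconnect-time = "h323-disconnect-time=*14:42:39.020 PCTime Fri May 26 2006"
h323-disconnect-cause = "h323-disconnect-cause=10"
h323-remote-address = "h323-remote-address=202.80.61.42"
h323-voice-quality = "h323-voice-quality=0"
Cisco-AVPair = "remote-media-address=202.80.61.42"
Cisco-AVPair = "gw-rxd-cgn=ton:0,npi:0,pi:0,si:0,#:216"
User-Name = "202.80.61.42"
Acct-Status-Type = Stop
Service-Type = Login-User
NAS-IP-Address = 202.80.61.1
Acct-Delay-Time = 0
'''

_LINE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')

def parse_attrs(text):
    """Return a list of (attribute, value) pairs; repeated attributes are kept."""
    pairs = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        value = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
        pairs.append((name, value))
    return pairs

def split_avpair(value):
    """'key=value' -> (key, value); a bare value has key None.
    Only the first '=' splits, so values that themselves contain '=' survive."""
    key, sep, rest = value.partition("=")
    return (key, rest) if sep else (None, value)

def extract_voip_fields(pairs):
    """Map h323-* attributes to their bare values and group every Cisco-AVPair
    by the key inside the value.  A repeated Cisco-AVPair key becomes a list."""
    fields = {}
    avpairs = defaultdict(list)
    for name, value in pairs:
        if name.startswith("h323-"):
            key, bare = split_avpair(value)
            # Cisco prefixes the value with the attribute name; drop the prefix
            # only when it really is the attribute name.
            fields[name] = bare if key == name else value
        elif name == "Cisco-AVPair":
            key, bare = split_avpair(value)
            avpairs[key].append(bare)
        else:
            fields[name] = value
    fields["Cisco-AVPair"] = {k: (v[0] if len(v) == 1 else v) for k, v in avpairs.items()}
    return fields

def ip_fields(fields):
    """The two addresses the poster wants stored as plain IPs."""
    return fields["h323-remote-address"], fields["Cisco-AVPair"].get("remote-media-address")

if __name__ == "__main__":
    f = extract_voip_fields(parse_attrs(SAMPLE_PACKET))
    print(ip_fields(f))
    print(f["Cisco-AVPair"]["gw-rxd-cgn"])
```

Whatever ends up in the INSERT, treat these values as untrusted input from the gateway (User-Name here is whatever the remote side put in the SIP leg, and gw-rxd-cgn is free text): bind them as query parameters or let the SQL module escape them rather than pasting them into the statement.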


Re: How to specify multiple values for Called-Station-Id (checkval)

2006-05-26 Thread Kostas Kalevras

On Thu, 25 May 2006, Mike Jakubik wrote:


Kostas Kalevras wrote:

On Wed, 24 May 2006, Mike Jakubik wrote:


Hello,

I am trying to setup group checks for Called-Station-Id in freeradius 
1.1.1 and mysql. I have enabled the checkval module in radiusd.conf and 
set notfound-reject = yes. In my radgroupcheck table when i specify 
"restricted Called-Station-Id := number", it works fine. However i need to 
specify more than one number. I have tried the following format; number, 
number, number and "number, number, number" and "number", "number" but 
none of those seem to work. Could someone please tell me how this can be 
accomplished?



You just need to add more attribute/value pairs, one for each number you 
want to allow. You can also use a regular expression if you use the =~ 
operator.


I have tried that, but it does not work either. I have also tried using a 
regexp; while it seems to function, it no longer seems to use the checkval 
module and throws the following notice:


Info: rlm_sql (sql): No matching entry in the database for request from user 
[user]


But the checkval module shows:

Auth: Invalid user (rlm_checkval: This Called-Station-Id is not allowed for 
the user)


What's the point of this checkval module if it can only check a single value?


As i said before you should just add more attribute/value pairs. It works.
What does your radgroupcheck table look like when you add more than one number?







--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


authing clients !!!

2006-05-26 Thread emerson
Folks,

I have a Linux server running Slackware 10.1, with FreeRADIUS 1.1.1 with 
EAP/TLS/TTLS auth + openssl-0.97d
+ mysql.
My FreeRADIUS client is an AP WL-5460AP. When I try to authenticate any user on 
my FreeRADIUS, these messages appear in the logs:

Fri May 26 09:06:07 2006 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #4
Fri May 26 09:06:07 2006 : Info: Ready to process requests.
Fri May 26 09:10:56 2006 : Info: rlm_eap_md5: Issuing Challenge
Fri May 26 09:10:56 2006 : Error: TLS_accept:error in SSLv3 read client 
certificate A
Fri May 26 09:10:56 2006 : Error: TLS Alert read:fatal:unknown CA
Fri May 26 09:10:56 2006 : Error: TLS_accept:failed in SSLv3 read client 
certificate A
Fri May 26 09:10:56 2006 : Error: rlm_eap_tls: SSL_read failed in a system call 
(-1), TLS session fails.
Fri May 26 09:10:56 2006 : Error: rlm_eap_tls: BIO_read failed in a system call 
(-1), TLS session fails.
Fri May 26 09:10:56 2006 : Auth: Login incorrect: [mobile/] (from client mslink-radius port 0 cli 0014a53c478d)
Fri May 26 09:35:44 2006 : Auth: Login incorrect: [joao/] (from client mslink-radius port 0 cli 0014a53c478d)

What can it be?

thanks...

Emerson



Re: How to specify multiple values for Called-Station-Id (checkval)

2006-05-26 Thread Mike Jakubik

Kostas Kalevras wrote:
As i said before you should just add more attribute/value pairs. It 
works.
What does your radgroupcheck table look like when you add more than 
one number?



Well, it does not in my case. Here is the table:

+----+------------+-------------------+----+------------+
| id | GroupName  | Attribute         | op | Value      |
+----+------------+-------------------+----+------------+
| 11 | restricted | Called-Station-Id | := | 4166231473 |
| 16 | restricted | Called-Station-Id | := | 4166231474 |
| 17 | restricted | Called-Station-Id | := | 4166231475 |
| 18 | restricted | Called-Station-Id | := | 4168489499 |
+----+------------+-------------------+----+------------+

I dial in to 4168489499 and this is what happens:

Fri May 26 10:26:12 2006 : Auth: Invalid user (rlm_checkval: This 
Called-Station-Id is not allowed for the user): [mikej/xxx] (from client 
xxx port 1487 cli xxx)


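An added illustration (written for this page; not code from the thread and not FreeRADIUS source) of what Kostas' advice to "add more attribute/value pairs" depends on: how check items with different operators are folded into one list before a module such as rlm_checkval sees them, and how an accept-if-any-value-matches check then behaves against the dialled number. The operator semantics follow the users(5) man page (":=" replaces any earlier attribute of the same name, "==" and "+=" leave earlier ones in place); the merge function, the any-of rule and the names merge_check_items and checkval_allowed are a simplified model chosen here, and the rows are constructed from the radgroupcheck table above. The thread itself does not say whether this, or something else, explains the rejection Mike reports.

```python
"""Model of how FreeRADIUS-style check items merge and how an "any value
matches" check evaluates against a request attribute.  Example code written
for this page, not FreeRADIUS source.  Operator semantics follow users(5):
':=' replaces an earlier attribute of the same name, '==' and '+=' accumulate.
The row data is constructed from the radgroupcheck table posted in the thread."""
import re
from typing import List, Tuple

CheckItem = Tuple[str, str, str]  # (attribute, op, value)

# Rows constructed from the posted radgroupcheck table (id, group, attr, op, value).
RADGROUPCHECK_ROWS = [
    (11, "restricted", "Called-Station-Id", ":=", "4166231473"),
    (16, "restricted", "Called-Station-Id", ":=", "4166231474"),
    (17, "restricted", "Called-Station-Id", ":=", "4166231475"),
    (18, "restricted", "Called-Station-Id", ":=", "4168489499"),
]

def merge_check_items(rows) -> List[CheckItem]:
    """Fold rows (in id order) into one check list: a ':=' item overwrites the
    first existing item with the same attribute name, anything else is appended."""
    merged: List[CheckItem] = []
    for _id, _group, attr, op, value in sorted(rows, key=lambda r: r[0]):
        if op == ":=":
            for i, (a, _o, _v) in enumerate(merged):
                if a == attr:
                    merged[i] = (attr, op, value)
                    break
            else:
                merged.append((attr, op, value))
        else:
            merged.append((attr, op, value))
    return merged

def checkval_allowed(request_value: str, check_items: List[CheckItem], attr: str) -> bool:
    """Accept if ANY check item for `attr` matches: plain string equality, or an
    unanchored regular expression when the operator is '=~'.  No check item at
    all behaves like notfound-reject = yes."""
    candidates = [(op, v) for a, op, v in check_items if a == attr]
    if not candidates:
        return False
    for op, value in candidates:
        if op == "=~":
            if re.search(value, request_value):
                return True
        elif request_value == value:
            return True
    return False

def allowed_numbers(rows, attr: str = "Called-Station-Id") -> List[str]:
    """The values that survive the merge for `attr`."""
    return [v for a, _o, v in merge_check_items(rows) if a == attr]

if __name__ == "__main__":
    print("':=' rows collapse to:", allowed_numbers(RADGROUPCHECK_ROWS))
    accumulate = [(i, g, a, "==", v) for i, g, a, _o, v in RADGROUPCHECK_ROWS]
    print("'==' rows keep all:", allowed_numbers(accumulate))
    items = merge_check_items(accumulate)
    for number in ("4166231473", "4168489499", "4160000000"):
        print(number, checkval_allowed(number, items, "Called-Station-Id"))
```

The model covers only the merge step and the any-of comparison; it does not model what other modules that run earlier in authorize (rlm_sql's own comparison of the check items, for instance) do with the same rows, which is why it is an illustration of the operator semantics rather than a diagnosis.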


dict_addvalue: Duplicate value name

2006-05-26 Thread Alan
I am trying to compile Freeradius Version 1.1.0 on a Sunfire 20z running RH3
enterprise 3 (AMD x86_64 Architecture). I am stumped in result of many
errors I cannot find a fix for. Are there any special environment
configurations or compile options to use before compiling FreeRadius on a 64
bit machine? Please advise.

~Alan




dict_addvalue: Duplicate value name Route-IPX-No for attribute X-Ascend-Route-IPX
dict_addvalue: Duplicate value name Local for attribute Post-Auth-Type
dict_addvalue: Duplicate value name PAP for attribute Auth-Type
dict_addvalue: Duplicate value name LAC-Only for attribute Tunnel-Function
dict_addvalue: Duplicate value name unix for attribute Auth-Type
dict_addvalue: Duplicate value name MS-CHAP for attribute Auth-Type



Re: Blank Password and Recommeded RFC standard

2006-05-26 Thread Craig T. Hancock

Alan DeKok wrote:



  The RFC requirements aren't absolute.  You're free to break them in
your local system, but doing so may cause catastrophic problems.

  In this case, what are you trying to do?


I am working with a vendor product that has implemented their own
Radius and when trying to authenticate to their product they say
that when using Challenge based authentication they handle blank
passwords according to the RFC.

After reading the RFC I don't fully understand why blank passwords
seemed to be acceptable. Ultimately I don't understand why radius RFC
has a provision to ask for a password if the original request is
empty when doing two factor authentication. It would seem to me that
if the User-Password field is empty (or what ever attribute is used
with two-factor authentication) that Radius should interpret that with
an Access-Reject.










Re: dict_addvalue: Duplicate value name

2006-05-26 Thread Alan DeKok
"Alan" <[EMAIL PROTECTED]> wrote:
> I am trying to compile Freeradius Version 1.1.0

  Why?  Version 1.1.1 has been out for a long time now.

  The bug you've run into was fixed in 1.1.1.

  Alan DeKok.


Re: Blank Password and Recommeded RFC standard

2006-05-26 Thread Alan DeKok
"Craig T. Hancock" <[EMAIL PROTECTED]> wrote:
> I am working with a vendor product that has implemented their own
> Radius and when trying to authenticate to their product they say
> that when using Challenge based authentication they handle blank
> passwords according to the RFC.

  Nonsense.  The RFC doesn't say you *have* to send a challenge.
Please ask them to quote the text they think is relevant, and explain
why.

> After reading the RFC I don't fully understand why blank passwords
> seemed to be acceptable.

  It could be construed as a bug in the original specification.

> Ultimately I don't understand why radius RFC has a provision to ask
> for a password if the original request is empty when doing two
> factor authentication.

  Because some authentication systems work by sending an identity
first, the server responds with a challenge, and the client responds
with a per-session password.  See X9.9 token cards.

> It would seem to me that if the User-Password field is empty (or
> what ever attribute is used with two-factor authentication) that
> Radius should interpret that with an Access-Reject.

  No.  I *think* you're referring to:

   Example: The NAS sends an Access-Request packet to the RADIUS Server
   with NAS-Identifier, NAS-Port, User-Name, User-Password (which may
   just be a fixed string like "challenge" or ignored).  The server
   sends back an Access-Challenge packet ...

  So the User-Password doesn't have to be empty, it can have any
value, including a fixed string.

  The RFC *allows* for X9.9 challenge-response systems to start off
with a fixed or blank password.  It doesn't *require* the server to
respond to an empty User-Password with an Access-Challenge.

  If the server doesn't support X9.9 systems, then responding to an
empty User-Password with an Access-Challenge would be a waste of time.
99% of clients would treat it as Access-Reject, because they don't
expect a challenge.

  So ask the vendor what part of the RFC they think they're following,
and why.  Ask them *why* they're doing it, and what benefit they think
it has.  Odds are the sections of the RFC they quote won't say what
they think it says, and their whole reason for doing it is not because
it make sense, but "because the RFC says so".

  FreeRADIUS breaks a number of RFC suggestions for a number of good
reasons.  In some cases, the RFC's are plain wrong.

  Alan DeKok.
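An added model of the exchange Alan describes above (example code written for this page; it is not FreeRADIUS, not the vendor's product, and not a real X9.9 implementation): the server issues an Access-Challenge on a fixed or empty User-Password only for a user who is provisioned for a challenge-response token, carries the round trip in the State attribute, and treats an empty password from an ordinary user as an Access-Reject. The token algorithm is an HMAC-SHA256 stand-in for an X9.9 card (X9.9 itself uses a DES-based MAC), the user store and keys are invented, and the names Server, access_request and run_token_login are chosen here.

```python
"""RADIUS challenge/response policy as described in the reply above: an
Access-Challenge is sent for a fixed or empty User-Password only when the user
is provisioned for a challenge-response token; otherwise an empty password is
an Access-Reject.  Example code written for this page, not FreeRADIUS.  The
token is an HMAC-SHA256 stand-in for an X9.9 card (X9.9 uses a DES-based MAC);
users and keys are invented."""
import hashlib
import hmac
import secrets

# Constructed user store: a token_key marks a challenge-response user.
USERS = {
    "alice": {"token_key": bytes.fromhex("00112233445566778899aabbccddeeff")},
    "bob":   {"password": "hunter2"},
}

def token_response(key: bytes, challenge: str) -> str:
    """Client side: the per-session password the card would display."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:8]

class Server:
    def __init__(self):
        self.pending = {}  # State value -> (user, challenge), one-shot

    def access_request(self, attrs: dict):
        """Return (reply code, reply attributes) for one Access-Request."""
        user = attrs.get("User-Name", "")
        pw = attrs.get("User-Password", "")
        state = attrs.get("State")
        rec = USERS.get(user)
        if rec is None:
            return "Access-Reject", {}
        if state is not None:
            # Round two: State binds the answer to the challenge we issued,
            # and pop() makes a replayed State fail.
            pend = self.pending.pop(state, None)
            if pend is None or pend[0] != user or "token_key" not in rec:
                return "Access-Reject", {}
            expected = token_response(rec["token_key"], pend[1])
            ok = hmac.compare_digest(expected.encode(), pw.encode())
            return ("Access-Accept", {}) if ok else ("Access-Reject", {})
        if "token_key" in rec:
            # Round one for a token user: User-Password is ignored (it may be
            # empty or a fixed string such as "challenge"); send the challenge.
            challenge = secrets.token_hex(4)
            state = secrets.token_hex(8)
            self.pending[state] = (user, challenge)
            return "Access-Challenge", {"State": state,
                                        "Reply-Message": f"Challenge: {challenge}"}
        # Ordinary user: an empty password is a reject, never a challenge.
        if pw and hmac.compare_digest(rec["password"].encode(), pw.encode()):
            return "Access-Accept", {}
        return "Access-Reject", {}

def run_token_login(server: Server, user: str, key: bytes) -> str:
    """Both rounds of the exchange for a token user; returns the final code."""
    code, reply = server.access_request({"User-Name": user, "User-Password": "challenge"})
    if code != "Access-Challenge":
        return code
    challenge = reply["Reply-Message"].split(": ", 1)[1]
    code, _ = server.access_request({"User-Name": user,
                                     "User-Password": token_response(key, challenge),
                                     "State": reply["State"]})
    return code

if __name__ == "__main__":
    s = Server()
    print("alice with token:", run_token_login(s, "alice", USERS["alice"]["token_key"]))
    print("bob, empty password:", s.access_request({"User-Name": "bob", "User-Password": ""})[0])
```

The two decisions the thread argues about are both visible here: whether to challenge at all is a per-user provisioning question, not something inferred from an empty User-Password, and a server that does challenge must make the State single-use so a captured second-round packet cannot be replayed.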


Re: Freeradius with TTLS-MSCHAPV2 authentication

2006-05-26 Thread Alan DeKok
"sumi thra" <[EMAIL PROTECTED]> wrote:
> Does freeradius-1.1.1 with TTLS-MSCHAPV2 and Odyssey client 3.00.0.976,
> configured to use the same authentication, work?

  I don't see why not.  Try it.  If it doesn't work, post the debug
output, and complain to odyssey tech support.

  Alan DeKok.



Re: authing clients !!!

2006-05-26 Thread Alan DeKok
emerson <[EMAIL PROTECTED]> wrote:
> My freeradius client is a ap wl-5460AP. When i try to authenticate
> any user on my freeradius, in logs appear this messages:

  Don't post the output of "radius.log", post the output of debug
mode, as suggested in the FAQ, README, INSTALL, and daily on this list.

  Alan DeKok.



802.11 AP Access-Accept problem

2006-05-26 Thread Drew Linsalata
We have a working freeradius install authenticating clients via a 
Proxim/Orinoco AP-700 access point.  The AP is configured to do EAP 
authentication via the radius server.  No problem with that.


Freeradius is authenticating users as per our requirements, and is 
sending Access-Accept to the AP.



rad_recv: Access-Request packet from host W.X.Y.Z:6001, id=3, length=154
User-Name = "testuser"
NAS-IP-Address = W.X.Y.Z
Called-Station-Id = "00-20-a6-5d-9c-d1:ourSSID"
Calling-Station-Id = "00-06-25-2f-8c-4e"
NAS-Identifier = "ORiNOCO-AP-700-5d-9c-d1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0204000c01746573746f6e65
Message-Authenticator = 0x75e8339aab77b394dab2beef5e9228dd
Sending Access-Accept of id 3 to W.X.Y.Z port 6001


Problem is, the AP isn't getting the accepts.  The EAP request counter 
increments on the AP when we attempt a connection.  The EAP reject 
counter increments on the AP when we connect with bad credentials.  The 
EAP accept counter never increments even with successful authentication. 
 The Windows client is left in "Validating Identity" state.



--

Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com


RE: dict_addvalue: Duplicate value name

2006-05-26 Thread Alan
I remember when 1.1.1 was released and I was confronted with the makefile
bug. Should I download the sources directly from the public releases link on
the site, or should I download directly from the CVS head?

~Alan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Alan DeKok
Sent: Friday, May 26, 2006 11:03 AM
To: FreeRadius users mailing list
Subject: Re: dict_addvalue: Duplicate value name 

"Alan" <[EMAIL PROTECTED]> wrote:
> I am trying to compile Freeradius Version 1.1.0

  Why?  Version 1.1.1 has been out for a long time now.

  The bug you've run into was fixed in 1.1.1.

  Alan DeKok.



Re: 802.11 AP Access-Accept problem

2006-05-26 Thread Alan DeKok
Drew Linsalata <[EMAIL PROTECTED]> wrote:
> Freeradius is authenticating users as per our requirements, and is 
> sending Access-Accept to the AP.
...
> Sending Access-Accept of id 3 to W.X.Y.Z port 6001
> 

  With no contents, apparently.  That would explain why the AP is
ignoring it.

  Alan DeKok.


Re: dict_addvalue: Duplicate value name

2006-05-26 Thread Alan DeKok
"Alan" <[EMAIL PROTECTED]> wrote:
> I remember when 1.1.1 was released and I was confronted with the makefile
> bug. Should I download the sources directly from the public releases link on
> the site or should I download directly from the CVS head.

  Download 1.1.0 and 1.1.1, and look at the differences in
src/lib/dict.c.  Apply the changes to 1.1.0, and it should work.

  Alan DeKok.



Re: 802.11 AP Access-Accept problem

2006-05-26 Thread Drew Linsalata

Alan DeKok wrote:

Drew Linsalata <[EMAIL PROTECTED]> wrote:

Freeradius is authenticating users as per our requirements, and is 
sending Access-Accept to the AP.


...


Sending Access-Accept of id 3 to W.X.Y.Z port 6001




  With no contents, apparently.  That would explain why the AP is
ignoring it.



No, even sending the rest of the goodies the AP ignores it. I shouldn't 
have been so quick in truncating the log output.  (-:




--

Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com


May be of interest to some (or many)?

2006-05-26 Thread Laker Netman
I found these two links while digging for something
else. They are both pertinent to [free]RADIUS and
someone may find them useful for their environment:

http://www.pgina.org/

https://wpsynch.dev.java.net/

Cheers,
Laker



authing clients - Debug Mode !!!!

2006-05-26 Thread emerson
Folks,

I have a Linux server running Slackware 10.1, with FreeRADIUS 1.1.1 with
EAP/TLS/TTLS auth + openssl-0.97d
+ mysql.
My FreeRADIUS client is an AP WL-5460AP. When I try to authenticate any user on 
my FreeRADIUS, these messages appear in debug MODE:

I cannot establish connections.

   Message-Authenticator = 0x59373d130f801019b116e042690ff3e1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  rlm_eap: EAP packet type response id 2 length 106
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
radius_xlat:  'mobile'
rlm_sql (sql): sql_set_user escaped user --> 'mobile'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'mobile'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'mobile' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'mobile'   ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'mobile' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module "sql" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 00b1], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 112 to 10.254.0.2 port 2048
Password == "teste"
Framed-Protocol := PPP
EAP-Message = 0x0103040a0dc0079e160301004a02460301447767ef3e6132404c0c6c02a315774554397970ac027074a9f45e5248c032e820822e232b79be2b75ef379cf751e7d12d6b25d4b841b1c2655efa85382cc1e66000350016030106940b0006968d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365
EAP-Message = (value elided)
EAP-Message = (value elided)
EAP-Message = 0x779afa3dd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60efa3c3d2d0e43850f6e6fbe284902f6e83503650003ba308203b63082031fa003020102020100300d06092a864886f70d010104050030819f310b3009060355040613024341311130
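An added triage helper for rlm_eap_tls output like the two excerpts Emerson posted (example code written for this page, not part of FreeRADIUS). It rebuilds the handshake timeline and states which side sent a fatal alert, using two conventions visible in the messages above: ">>>" marks a TLS record the server sent and "<<<" one it received, and "TLS Alert read:" is an alert received from the supplicant while "TLS Alert write:" is one the server itself sent. It also recognises the "error in SSLv3 read client certificate A" line of the debug output, which on its own only means the server is waiting for the client's next message. The sample log is constructed by combining the handshake lines of the debug post with the alert lines of the earlier radius.log post; the function names are chosen here.

```python
"""Triage helper for rlm_eap_tls debug/log output: reconstructs the handshake
timeline and says which side sent a fatal alert.  Example code written for
this page, not part of FreeRADIUS.  Conventions used: ">>>" = record sent by
the server, "<<<" = record received; "TLS Alert read:" = alert received from
the supplicant, "TLS Alert write:" = alert sent by the server.  The sample is
constructed from the two posts above."""
import re

SAMPLE_LOG = """
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 00b1], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
Fri May 26 09:10:56 2006 : Error: TLS Alert read:fatal:unknown CA
Fri May 26 09:10:56 2006 : Error: TLS_accept:failed in SSLv3 read client certificate A
"""

_HS = re.compile(r'rlm_eap_tls: (<<<|>>>) TLS [\d.]+ Handshake \[length ([0-9a-f]+)\], (\w+)')
_ALERT = re.compile(r'TLS Alert (read|write):(\w+):(.+?)\s*$')
_STATE = re.compile(r'TLS_accept:(?:error in|failed in) (.+?)\s*$')

def parse_tls_log(text):
    """Return {'handshake': [(direction, message, length)],
               'alerts': [(origin, severity, description)],
               'last_state': str or None}."""
    out = {"handshake": [], "alerts": [], "last_state": None}
    for line in text.splitlines():
        m = _HS.search(line)
        if m:
            direction = "sent" if m.group(1) == ">>>" else "received"
            out["handshake"].append((direction, m.group(3), int(m.group(2), 16)))
            continue
        m = _ALERT.search(line)
        if m:
            origin = "supplicant" if m.group(1) == "read" else "server"
            out["alerts"].append((origin, m.group(2), m.group(3)))
            continue
        m = _STATE.search(line)
        if m:
            out["last_state"] = m.group(1)
    return out

def diagnose(parsed):
    """Plain-language reading of the first fatal alert, if there is one."""
    fatal = [a for a in parsed["alerts"] if a[1] == "fatal"]
    if not fatal:
        if parsed["last_state"] and "read client certificate" in parsed["last_state"]:
            return "no alert: server is waiting for the client certificate (handshake still in progress)"
        return "no fatal alert in this excerpt"
    origin, _severity, desc = fatal[0]
    sent_cert = any(d == "sent" and n == "Certificate" for d, n, _l in parsed["handshake"])
    if origin == "supplicant" and desc == "unknown CA":
        return ("supplicant rejected the server certificate chain"
                + (" after the server sent its Certificate" if sent_cert else "")
                + ": the client does not trust the CA that issued the server certificate")
    if origin == "server" and desc == "unknown CA":
        return "server rejected the client certificate: its issuer is not in the server CA bundle"
    return f"fatal alert '{desc}' sent by the {origin}"

if __name__ == "__main__":
    parsed = parse_tls_log(SAMPLE_LOG)
    for entry in parsed["handshake"]:
        print(entry)
    print(diagnose(parsed))
```

The distinction the helper draws is the one that decides where to fix things: an alert the server read came from the supplicant, so a "read ... unknown CA" points at the trust store on the client (or at a server certificate issued by a CA the client was never given), not at the server's CA bundle.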

authing clients - Debug Mode - More Output!!!!

2006-05-26 Thread emerson
Ready to process requests.
rad_recv: Access-Request packet from host 10.254.0.2:2048, id=115, length=165
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
User-Name = "joao"
NAS-IP-Address = 10.254.0.2
NAS-Port = 0
Called-Station-Id = "004f6207b40c"
Calling-Station-Id = "0014a53c478d"
NAS-Identifier = "Realtek Access Point. 8181"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0209016a6f616f
Message-Authenticator = 0xdcc560812d6c0bad0bc665744157e53a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_eap: EAP packet type response id 0 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
radius_xlat:  'joao'
rlm_sql (sql): sql_set_user escaped user --> 'joao'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'joao'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'joao' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'joao'   ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'joao' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [joao/] (from client mslink-radius 
port 0 cli 0014a53c478d)
Delaying request 0 for 1 seconds
Finished request 0




Re: authing clients - Debug Mode !!!!

2006-05-26 Thread A . L . M . Buxey
hi,

Have you got this working with the credentials simply
held in the users file? If not, I would check that all
is okay with your setup before migrating to MySQL.
We see, every week, someone whose setup is not working
and it's a trivial thing, buried away because they've
jumped straight into holding all details in SQL tables.
alan


FreeRADIUS 1.1.2 has been released

2006-05-26 Thread Alan DeKok
  FreeRADIUS 1.1.2 has been released.  See:

  http://www.freeradius.org

  We expect that this will be the last release in the 1.1.x
architecture.  1.2.0 will follow from 1.1.2, and will contain updated
libtool, libltdl, and configure scripts.  These changes will allow
1.2.0 to build more easily on many architectures.

  The changes from 1.1.1 to 1.1.2 are as follows:

Feature improvements
* Allow tagged VSA's for Juniper.  Closes bugs #367 and #368.
* Allow Ascend "abinary" format to be specified as octets,
 (e.g. Ascend-Data-Filter = 0x010203...)
* Added "cipher_list" configuration to the EAP-TLS module.
  See "eap.conf" and "man 1 cipher" for details.
* Added "check_cert_issuer" configuration to the EAP-TLS module.
  See "eap.conf" for details. (closes: #346)
* Added "suppress" configuration entry to rlm_detail,
  to suppress certain attributes (e.g. User-Password).
  This closes bug #359.
* More dictionary updates
* Write SSL errors to log file, rather than stderr.
  This closes bug #347.
* Allow a core dump on uid change on Linux (closes: #361)

Bug fixes
* Return better error codes in SQL IODBC module.  Closes bug #341.
* Corrected list of EAP handlers.
* Initialize variable in rlm_ldap.c.  This fixes RedHat
  bug #136468.
* Escape more ldap strings, so configuration entries
  that have magic LDAP characters don't break LDAP.
  This closes bug #360.
* Updated doc/rlm_ldap.  This closes bug #353.
* Updated redhat/freeradius.spec.  This closes bug #330.
* Don't forcibly over-write Auth-Type in the mschap module.
  This prevents an earlier module from forcing reject.
* Use the correct module reference in the authenticate section,
  where Auth-Type wasn't explicitly specified.
* If there are typos in a subsection in radiusd.conf, exit
  after printing an error, rather than continuing.
* Print Ascend "abinary" format as text rather than octets
  when we receive it.
* Silently drop packets with bad Message-Authenticators, as per RFC3579
* Unbreak ./configure --disable-static (closes: #350)
* Unbreak ./configure --prefix (closes: #354)

  Alan DeKok.
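An added example (written for this page; not FreeRADIUS code) that ties together two points from this digest: Alan's remark in the AP-700 thread that an Access-Accept "with no contents" is something an 802.1X authenticator will ignore, and the 1.1.2 note above that packets with a bad Message-Authenticator are now silently dropped as RFC 3579 requires. The block builds the reply an EAP conversation is supposed to end with, an Access-Accept carrying an EAP-Message (EAP Success) plus a Message-Authenticator, computes the Response Authenticator per RFC 2865 and the Message-Authenticator per RFC 3579 (HMAC-MD5 keyed with the shared secret over the packet with that attribute zeroed and the request authenticator in the authenticator field), and then verifies a reply the way a careful NAS or proxy should. The shared secret and request authenticator are invented test values; packet identifier 3 matches the "Sending Access-Accept of id 3" line in Drew's post, and the function names are chosen here.

```python
"""Build and verify the reply an 802.1X authenticator expects at the end of
EAP: an Access-Accept with EAP-Message (EAP Success) and Message-Authenticator.
Response Authenticator per RFC 2865 section 3; Message-Authenticator per RFC
3579 section 3.2.  Example code written for this page, not FreeRADIUS; the
shared secret and request authenticator are invented test values."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
EAP_SUCCESS = 3

def attr(t: int, v: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([t, 2 + len(v)]) + v

def encode(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()

def build_eap_accept(ident: int, request_auth: bytes, secret: bytes, extra_attrs=()) -> bytes:
    """Access-Accept carrying EAP Success and a Message-Authenticator.  The MAC
    is computed with the attribute zeroed and the *request* authenticator in
    the authenticator field (RFC 3579 section 3.2); the Response Authenticator
    is computed last, over the final attributes."""
    eap_success = struct.pack("!BBH", EAP_SUCCESS, ident, 4)
    attrs = [attr(EAP_MESSAGE, eap_success)] + list(extra_attrs)
    attrs.append(attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, encode(ACCESS_ACCEPT, ident, request_auth, attrs), hashlib.md5).digest()
    attrs[-1] = attr(MESSAGE_AUTHENTICATOR, mac)
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return encode(ACCESS_ACCEPT, ident, resp_auth, attrs)

def parse_attrs(pkt: bytes):
    out, i = [], 20
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            raise ValueError("malformed attribute")
        out.append((t, pkt[i + 2:i + l]))
        i += l
    return out

def verify_reply(pkt: bytes, request_auth: bytes, secret: bytes):
    """Check a reply the way a careful NAS/proxy should; returns (ok, reason)."""
    if len(pkt) < 20:
        return False, "bad length"
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False, "bad length"
    attrs = parse_attrs(pkt)
    if not any(t == EAP_MESSAGE for t, _ in attrs):
        return False, "no EAP-Message: an EAP authenticator has nothing to hand to the supplicant"
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False, "Message-Authenticator missing or malformed"
    zeroed = [attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, encode(code, ident, request_auth, zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, macs[0]):
        return False, "bad Message-Authenticator (RFC 3579: silently discard)"
    original = [attr(t, v) for t, v in attrs]
    if not hmac.compare_digest(pkt[4:20], response_authenticator(code, ident, request_auth, original, secret)):
        return False, "bad Response Authenticator"
    return True, "ok"

if __name__ == "__main__":
    secret = b"testing123"            # invented shared secret
    req_auth = bytes(range(16))       # invented request authenticator
    pkt = build_eap_accept(3, req_auth, secret)
    print(pkt.hex())
    print(verify_reply(pkt, req_auth, secret))
    print(verify_reply(pkt[:-1] + bytes([pkt[-1] ^ 1]), req_auth, secret))
    print(verify_reply(encode(ACCESS_ACCEPT, 3, bytes(16), []), req_auth, secret))
```

The order of the checks matters in practice: the Message-Authenticator is verified before anything in the packet is acted on, and a mismatch is dropped without a reply so that an attacker on the path learns nothing from the server's reaction.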