Re: PEAP short question

2006-07-25 Thread wekz
Thanks Stefan, I thought it was like you said but wasn't sure. Now I'll try to find which part of the code does it.

2006/7/21, Stefan Winter [EMAIL PROTECTED]:

 Hi,

  I've been watching the logs and my question is why localhost takes part in
  the process.

 Inner workings of FreeRADIUS. The inner authentication (within the EAP TLS
 tunnel) counts as a new request, coming from localhost.

 Stefan Winter

 --
 Stefan WINTER
 Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
 la Recherche - Ingénieur de recherche
 6, rue Richard Coudenhove-Kalergi
 L-1359 Luxembourg
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

EAP utilities--urgent

2006-07-25 Thread darshak
hi, all
I need some help from group.

I want to start free radius that only has EAP utilities.

no proxy,nothing else then diff.. eap types.
 Which files can i take from free radius that i can independently use for
eap / wireless authentication.

In short my free-radius has only files related to eap no xtra.




Rgds
Darshak


Re: Binding FreeRadius to the DHCP Server

2006-07-25 Thread Phil Mayers

Elie Hani wrote:

 Hi;

 I want to bind the FreeRadius to the DHCP, is there a way to do that?

What do you mean?

Do you mean - I want FreeRadius to assign IPs, and DHCP to hand them 
out? In which case, no there is no way to do that. You could *make* 
something that did it, e.g. using ISC DHCPd and their omapi, but you 
would have to make it.


EAP doest work with Cisco Catalyst 2950?

2006-07-25 Thread Thai Duong
Hi all,

I'm new to this list. I have spent hours searching
Google but still cannot find the solution for my
problem so I decide it's time for the first post.

I follow instructions from
http://www.linuxjournal.com/article/8017 with the
following configuration (instead of WLAN, I'm going to
secure my LAN so no access point here) :

- Authentication server: Freeradius 1.1.2 + OpenSSL
0.9.8a. The server is my laptop running Ubuntu 6.06.
The IP address is 192.168.22.180

- Authenticator: Cisco Catalyst 2950 whose IP is
192.168.22.23

- Supplicant: WinXP service pack 2

This setup never works as expected. WinXP kept
complaining Unable to join to the network. I could
not figure out what was the problem. There was no
clue in freeradiusd's logfile and ethereal's dumpfile.
Or maybe I'm no expert on this subject to see the
clue. Please help. You can grab all of my freeradius's
configuration, logfile and ethernet's dumpfile from
http://innology.com.vn/8021x.tar.gz. Please take a
look at it. 

TIA,

Thai Duong.



RE: Binding FreeRadius to the DHCP Server

2006-07-25 Thread Elie Hani
What I mean is the following:

I have a patton RAS, when a dial up user connects to this server, he should
get a faked IP and he will be redirected to a site where he should enter all
the necessary information. 
First of all, I have configured the FreeRadius and it's working great with
this RAS, but the pool of IPs that the dial up user is configured on the
Patton RAS, where only one pool can be configured, and this RAS does not
support DHCP in it.
So I have to configure a DHCP server and bind it to the FreeRadius in a
manner that when the user dials in to the RAS for the first time, he will be
using a common username and password (user: guest pass: guest for example),
he will get a fake IP from a pool configured on the DHCP server.

Once he enters all the necessary information, he will reconnect using the
desired authentication entered previously, and he will get a real IP from
another pool also configured on the DHCP.

What I want to do is to bind the freeradius and the DHCP server so this
process takes place. 

Thanks in advance
Elie 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Phil Mayers
Sent: Tuesday, July 25, 2006 10:27 AM
To: FreeRadius users mailing list
Subject: Re: Binding FreeRadius to the DHCP Server

Elie Hani wrote:
 Hi;
 
  
 
 I want to bind the FreeRadius to the DHCP, is there a way to do that?

What do you mean?

Do you mean - I want FreeRadius to assign IPs, and DHCP to hand them out? In
which case, no there is no way to do that. You could *make* something that
did it, e.g. using ISC DHCPd and their omapi, but you would have to make it.


Help with radius internet release

2006-07-25 Thread Marwan Sultan

Hello everyone,

Guys please I need a help, I have my freebsd 6.1 internet gateway up and running.

We need to share this internet connection release based on auth and time.

Means. whoever will surf the web and he is on our LAN, a web (or whatever)
authentication required for the user to browse the world.

They told me freeradius will do this option for me, and will manage the users.

Anyone would help, and give me hints please?
I don't know where to start.

Marwan



Re: EAP doest work with Cisco Catalyst 2950?

2006-07-25 Thread Alan DeKok
Thai Duong [EMAIL PROTECTED] wrote:
 This setup never works as expected. WinXP kept
 complaining Unable to join to the network. I could
 not figure out what was the problem. There were no
 clue in freeradiusd's logfile and ethereal's dumpfile.

  Read the debug log to see what's going on.

  You *do* have the Microsoft OID's in the certificates?

  Alan DeKok.


Re: Binding FreeRadius to the DHCP Server

2006-07-25 Thread Alan DeKok
Elie Hani [EMAIL PROTECTED] wrote:
 I have a patton RAS, when a dial up user connects to this server, he should
 get a faked IP and he will be redirected to a site where he should enter all
 the necessary information. 

  Sounds like a captive portal to me.

 So I have to configure a DHCP server and bind it to the FreeRadius in a
 manner that when the user dials in to the RAS for the first time, he will be
 using a common username and password (user: guest pass: guest for example),
 he will get a fake IP from a pool configured on the DHCP server.

  Write a script.  The server doesn't normally interact with DHCP.

 Once he enteres all the necessary informations, he will reconnect using the
 desired authentication entered previousely, and he will get a real IP from
 another pool also configured on the DHCP.

  What you're saying is a very convoluted way of:

  a) some users get IP's from pool X
  b) other users get IP's from pool Y

  Alan DeKok.


Error while running log_badlogins scripts

2006-07-25 Thread bishal

Hello,


 I have installed Freeradius 1.1.2 in FreeBSD 6.0. Everything is running
well except log_badlogins script. When I run log_badlogins scripts it
gives me the error

ERROR: Date::Manip unable to determine TimeZone.
 at /usr/local/lib/perl5/site_perl/5.8.7/Date/Manip.pm line 3635
Date::Manip::Date_TimeZone called at
/usr/local/lib/perl5/site_perl/5.8.7/Date/Manip.pm line 676
Date::Manip::Date_Init() called at
/usr/local/lib/perl5/site_perl/5.8.7/Date/Manip.pm line 1446
Date::Manip::ParseDate('Tue Jul 25 16:15:44 2006') called at
./log_badlogins line 150

I have re-installed the perl modules Date::Manip.pm too but didn't work.
Looks like log_badlogins script is unable to parse the Unix date format.
Can anyone correct the script for freebsd use.


Thank you



Re: Still cannot get ldap_r to be linked

2006-07-25 Thread Alan DeKok
Roger Thomas [EMAIL PROTECTED] wrote:
 # ./configure
 creating cache ./config.cache
...
 checking for ldap_init in -lldap_r... no

  That's why the LDAP module isn't building.  There's some additional
dependency that the configure script isn't finding.

  See if there's a config.log file in src/modules/rlm_ldap.  If so,
it should say what went wrong.

  Alan DeKok.



AW: AW: Since 2 Month noone any idea how to do this ? Stripping Username Question *important*

2006-07-25 Thread Krämer Armin

Okay, thanks now it works quite well with the mschap module :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Phil Mayers
Sent: Monday, 24 July 2006 12:28
To: FreeRadius users mailing list
Subject: Re: AW: Since 2 Month noone any idea how to do this ? Stripping
Username Question *important*

James J J Hooper wrote:

 In your LDAP section of radiusd.conf, replace this:
 %{Stripped-User-Name:-%{User-Name}}
 with this:
 %{Stripped-User-Name:-%{mschap:User-Name}}

 Regards,
James
 
 
 Sorry, what i suggested may only work in the mschap section, not in the 
 LDAP bit... :(

No, it should work anywhere, but he does need to have the mschap module 
configured, and I think it needs to be *before* the ldap module in 
authorize.


Re: Still cannot get ldap_r to be linked

2006-07-25 Thread Paulo Cabrita

Hi.

It's not compiling ok since you have:

configure: warning: silently not building rlm_ldap.
configure: warning: FAILURE: rlm_ldap requires:  libldap_r.

If you have openldap well installed, try to put some environment variables into 
the shell before running configure or use:

./configure --with-rlm-ldap-lib-dir=PATH_TO_LDAP/lib/ \
    --with-rlm-ldap-include-dir=PATH_TO_LDAP/include/



Roger Thomas wrote:


I am attempting to configure FreeRadius to use our LDAP directory for
authentication and have made the necessary modifications to radiusd.conf,
but get the following error when starting radiusd with:
# /usr/local/sbin/radiusd  -X -A

--- start of text ---
...
...
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
radiusd.conf[738] Failed to link to module 'rlm_ldap': file not found
radiusd.conf[1917] Unknown module ldap.
radiusd.conf[1917] Failed to parse ldap entry.

--- end of text ---

If I were to go to ~/freeradius-1.1.2/src/modules/rlm_ldap and do a 
./configure, I would get these:

--- start of text ---
# ./configure
creating cache ./config.cache
checking for gcc... gcc
checking whether the C compiler (gcc  ) works... yes
checking whether the C compiler (gcc  ) is a cross-compiler... no
checking whether we are using GNU C... yes
checking whether gcc accepts -g... yes
checking for pthread_create in -lpthread... yes
checking for ldap_init in -lldap_r... no
checking for ldap.h... yes
configure: warning: silently not building rlm_ldap.
configure: warning: FAILURE: rlm_ldap requires:  libldap_r.
updating cache ./config.cache
creating ./config.status
creating Makefile
#

--- end of text ---

and 
# ls -l /usr/local/lib/libldap_r*

lrwxrwxrwx 1 root root      22 Jul 26  2004 /usr/local/lib/libldap_r-2.2.so.7 -> libldap_r-2.2.so.7.0.6
-rw-r--r-- 1 root root 2255178 Jul 26  2004 /usr/local/lib/libldap_r-2.2.so.7.0.6
-rw-r--r-- 1 root root 2241358 Sep  9  2005 /usr/local/lib/libldap_r.a
-rw-r--r-- 1 root root     759 Sep  9  2005 /usr/local/lib/libldap_r.la
lrwxrwxrwx 1 root root      19 Sep  9  2005 /usr/local/lib/libldap_r.so -> libldap_r.so.2.0.16
lrwxrwxrwx 1 root root      19 Sep  9  2005 /usr/local/lib/libldap_r.so.2 -> libldap_r.so.2.0.16
-rw-r--r-- 1 root root 2073246 Sep  9  2005 /usr/local/lib/libldap_r.so.2.0.16

--

I'm using freeradius-1.1.2 on Redhat Linux 9 and openldap-2.0.25,  everything 
appeared to compile okay.

I'm no C programmer. So please go slow. Any suggestions would be most 
appreciated.

Regards
Roger Thomas


--

Sincerely,


|Paulo Cabrita, Msc|
|Director of the Centro de Informática |
|of the Universidade Autónoma de Lisboa|
|Tel: +351-213177635   |
|Fax: +351-213533702   |
|E-mail: [EMAIL PROTECTED]|





unsubscribe

2006-07-25 Thread Sudhananda



unsubscribe

Re: EAP doest work with Cisco Catalyst 2950?

2006-07-25 Thread Thai Duong
Hi Alan,

--- Alan DeKok [EMAIL PROTECTED] wrote:

 
   Read the debug log to see what's going on.
 
   You *do* have the Microsoft OID's in the
 certificates?
 
   Alan DeKok.

yes of course. I follow the instruction from
http://www.linuxjournal.com/node/8095/print to
generate certificates for the CA, the server and the
client. When I looked at the debug log, I saw
something like below:

- The client sent an Access-Request.

- The server replied with an Access-Challenge and then
went to sleep.

- They started over again with an Access-Request from
the client. There was no Accept-Accept or anything but
just an Access-Request followed by an Access-Challenge.

If you take a look at the ethereal dump file, you'll
see that the client sent a lot of Client Hello
packets but the server didn't respond. I don't know why.
Please help. 

TIA,

Thai Duong.

PS: You can download all dump files from http://innology.com.vn/8021x.tar.gz.





EAP-TTLS MD5 hashed Passwords in MySQL Database for WPA-802.1x auth

2006-07-25 Thread Christian Poessinger
Hello,

I'm trying to setup a System to authenticate WLAN users via EAP-TTLS with
md5 crypted passwords, stored in a sql database.

I'm using MySQL as the Backend and it works great when the passwords are
stored in cleartext or UNIX crypt. When I convert the password from crypt to
md5 and change pap encryption_scheme to md5 it doesn't work anymore. As I
have to use the SQL attribute field with 'Crypt-Password' in it, it seems
that it wants to use crypt passwords and not md5. I tried to change it to
'md5-password' but well ... that wasn't the answer.

Here is the error:

-
modcall: entering group PAP for request 4
rlm_pap: login attempt by foo with password bar
rlm_pap: Crypt-Password attribute but encryption scheme is not set to CRYPT
  modcall[authenticate]: module pap returns fail for request 4
modcall: leaving group PAP (returns fail) for request 4
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
-

Anyone has an Idea how to use the MD5 hashed Passwords in the Database with
EAP-TTLS for authentication? I appended my radius configuration. Thanks.




--- CONFIG 

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    leap {
    }
    tls {
        private_key_file = /etc/ssl/rad.pem
        certificate_file = /etc/ssl/rad.pem
        CA_file = /etc/ssl/ca.pem
        dh_file = /etc/ssl/rad.dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
        check_crl = yes
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}

modules {
    pap {
        encryption_scheme = md5
    }
}
authorize {
    preprocess
    suffix
    eap
    files
    sql
}
authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}


users-file
DEFAULT Auth-Type = PAP
        Fall-Through = 0

 END OF CONFIG -



Re: Active Directory (Win2003) rlm_ldap

2006-07-25 Thread Charlie B
Sorry Alan, didn't mean to be antagonistic. You were dead on about the solution. thx

Re: Still cannot get ldap_r to be linked

2006-07-25 Thread Stephen Gran
On Tue, Jul 25, 2006 at 05:13:41PM +0800, Roger Thomas said:
 # ls -l /usr/local/lib/libldap_r*
 lrwxrwxrwx 1 root root      22 Jul 26  2004 /usr/local/lib/libldap_r-2.2.so.7 -> libldap_r-2.2.so.7.0.6
 -rw-r--r-- 1 root root 2255178 Jul 26  2004 /usr/local/lib/libldap_r-2.2.so.7.0.6
 -rw-r--r-- 1 root root 2241358 Sep  9  2005 /usr/local/lib/libldap_r.a
 -rw-r--r-- 1 root root     759 Sep  9  2005 /usr/local/lib/libldap_r.la
 lrwxrwxrwx 1 root root      19 Sep  9  2005 /usr/local/lib/libldap_r.so -> libldap_r.so.2.0.16
 lrwxrwxrwx 1 root root      19 Sep  9  2005 /usr/local/lib/libldap_r.so.2 -> libldap_r.so.2.0.16
 -rw-r--r-- 1 root root 2073246 Sep  9  2005 /usr/local/lib/libldap_r.so.2.0.16
 
 There are tonnes of error in
 ~/freeradius-1.1.2/src/modules/rlm_ldap/config.log ! I think they are
 connected to my ldap libraries? But my slapd is running fine. I am
 running Horde's webmail. And Horde authenticate to ldap with no
 problem. There must be something else :(

The problem is apparently with your install of ldap.  The output above
suggests you have two versions of libldap_r installed, but you have the
libldap_r.so link (and perhaps the header) only from the older one.

Take care,
-- 
 --
|  Stephen Gran  | A No uttered from deepest conviction  |
|  [EMAIL PROTECTED] | is better and greater than a Yes  |
|  http://www.lobefin.net/~steve | merely uttered to please, or what is|
|| worse, to avoid trouble.   -- Mahatma   |
|| Gandhi  |
 --



post_proxy_authorize option

2006-07-25 Thread Geoff Silver

Hi folks,

I noticed in the included raddb/proxy.conf file, the post_proxy_authorize 
option notes that it's deprecated and will be removed in the future.  I'm 
using that feature right now, so I'd like to find out if there's a better way 
to handle the authorization step, or else if this option can be left in the 
code.  I *presume* the right way is to add something to post-proxy {}, but 
when I tried to duplicate my authorize section, I get nothing but errors when 
trying to start radiusd.  For reference, my authorize section looks like:


authorize {
    preprocess
    auth_log
    files
}

My authorization step can go in either the pre-proxy or post-proxy section - 
the important thing is that the proxy server can handle authentication, but I 
need to use the users file to do authorization.  Ideas on how to do this right 
are appreciated.  Thanks.


How to reply Session-Timeout without password

2006-07-25 Thread ???

Dear all,

does anyone here use *bubua with Freeradius?

I notice that when *bubua wants to get the
Session-Timeout values, *bubua will send the following message to radius
servers (here I use Freeradius):

rad_recv: Access-Request packet from host 59.64.180.238:33150, id=57, length=246
    Cisco-Call-Type = VoIP
    Calling-Station-Id = 005001
    Called-Station-Id = 005000
    Cisco-NAS-Port = SIP/59.64.141.26-b7b13d20
    Cisco-AVPair = call-codec=ulaw;useragent=X-Lite release 1105x;
    h323-call-origin = originate
    User-Name = 005001
    NAS-Identifier = Asterisk
    Framed-IP-Address = 59.64.141.26
    NAS-IP-Address = 59.64.180.238
    NAS-Port = 5060
    h323-conf-id = [EMAIL PROTECTED]

Here is the problem: the message didn't contain any
password information (in fact *bubua won't send the password), and then
Freeradius will reject the request because of lack of password. The Freeradius
debug information is:

auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.

My question is how to make the radius server accept
the request which does not contain the password and reply the Session-Timeout to
the *b2bua?

Thanks!


RE: Binding FreeRadius to the DHCP Server

2006-07-25 Thread Michael J. Hartwick
On Tue, 25 Jul 2006 at 13:46 (+0200), Elie Hani wrote:

EH As a matter of fact, for the first login, the users will have an IP from a
EH certain pool X, once the informations are entered, and after redialing, the
EH users will get the new IP from the second pool Y.
EH 
EH All I want to know is if it's possible to bind the radius to a DHCP server,
EH if yes how it can be done? Otherwise, is there any other pssible method to
EH configure 2 pools of Ips X and Y and relay it to the DHCP?

I think you could do this without involving a DHCP server (can a PPP 
connection even use DHCP??). There is a module rlm_ippool which looks 
like it would do what you want. I haven't used this since I haven't 
needed multiple pools, but it looks like it would work.

In radiusd.conf something like:

ippool fake {
    range-start = 192.168.1.1   # I assume you are meaning
    range-stop = 192.168.1.254  # RFC1918 space when you
    netmask = 255.255.255.0     # say faked.
    cache-size = 254
    session-db = ${raddbdir}/db.ippool-fake
    ip-index = ${raddbdir}/db.ipindex-fake
    override = yes
    maximum-timeout = 0
}

ippool real {
    range-start = 10.10.10.1
    range-stop = 10.10.10.254
    netmask = 255.255.255.0
    cache-size = 254
    session-db = ${raddbdir}/db.ippool-real
    ip-index = ${raddbdir}/db.ipindex-real
    override = no
    maximum-timeout = 0
}

And in users something like:

guest   User-Password := guest, Pool-Name := fake
        Service-Type = Framed-User,
        Framed-Protocol = PPP

DEFAULT Auth-Type := System, Pool-Name := real
        Service-Type = Framed-User,
        Framed-Protocol = PPP

I have not tested any of this, it may cause Bad Things(tm) to happen, 
adjust accordingly to use the correct IP ranges, etc.

#include standard-disclaimer.h

Michael

--
Michael J. Hartwick, VE3SLQ  [EMAIL PROTECTED]
Hartwick Communications Consulting  (519) 396-7719
Kincardine, ON, CA http://www.hartwick.com
--


Re: EAP doest work with Cisco Catalyst 2950?

2006-07-25 Thread Alan DeKok
Thai Duong [EMAIL PROTECTED] wrote:
 - The server replied with a Access-Challenge and then
 went to sleep.

  That is exactly what happens when the certificate doesn't have the
proper OID's.

  Alan DeKok.


Re: EAP-TTLS MD5 hashed Passwords in MySQL Database for WPA-802.1x auth

2006-07-25 Thread Alan DeKok
Christian Poessinger [EMAIL PROTECTED] wrote:
 As I have to use the SQL attribute field with 'Crypt-Password' in it

  Why?  Why not just change that?

  Alan DeKok.


Re: Still cannot get ldap_r to be linked

2006-07-25 Thread Alan DeKok
Roger Thomas [EMAIL PROTECTED] wrote:
 The following is output from config.log; it's about 200 lines. Sorry.

  It's not linking with -lber for some reason.  I think you have an
older version of LDAP.  I know the server *used* to try -lber, too,
but that caused problems...

  Try:

$ LIBS=-lber ./configure

  That may work...

  Alan DeKok.



Re: post_proxy_authorize option

2006-07-25 Thread Alan DeKok
Geoff Silver [EMAIL PROTECTED] wrote:
 I noticed in the included raddb/proxy.conf file, the
 post_proxy_authorize option notes that it's deprecated and will be
 removed in the future.  I'm using that feature right now, so I'd
 like to find out if there's a better way to handle the authorization
 step, or else if this option can be left in the code.  I *presume*
 the right way is to add something to post-proxy {},

  Yes.

  but when I tried to duplicate my authorize section, I get nothing
 but errors when trying to start radiusd.

  Probably because you're trying to reproduce the authorize stage
exactly, which isn't necessary.

 My authorization step can go in either the pre-proxy or post-proxy
 section - the important thing is that the proxy server can handle
 authentication, but I need to use the users file to do
 authorization.  Ideas on how to do this right are appreciated.
 Thanks.

  If you don't say what the errors are, it's a little difficult to
help you.

  My guess: you're putting preprocess in post-proxy.  The simplest
thing to do is to not do that...

  Also, the files module doesn't have a post-proxy section in
1.1.x.  It *does* have that in the CVS head.

  For now, you can probably leave post_proxy_authorize = yes

  Alan DeKok.



Re: How to reply Session-Timeout without password

2006-07-25 Thread Stefan Winter
Hi,

 My question is how to make the radius server accept the request which do
 not contain the password and reply the Session-Timeout to the *b2bua?

I have not the faintest idea about *b2bua (WTF?) but if you just want to 
accept everyone without any checks for your *b2bua NASes, you can achieve it 
in the users file with

DEFAULT NAS-IP-Address == your-b2bua-ns, Auth-Type := Accept
        Session-Timeout := whatever

Do keep in mind that everyone who is authenticating via this IP address is 
*always* *accepted*

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg




Re: AW: EAP-TTLS MD5 hashed Passwords in MySQL Database for WPA-802.1xauth

2006-07-25 Thread Alan DeKok
Christian Poessinger [EMAIL PROTECTED] wrote:
 Well, changing it to MD5-Password results in

  In 1.1.x, use User-Password

  Alan DeKok.


Re: EAP doest work with Cisco Catalyst 2950?

2006-07-25 Thread Alan DeKok
Thai Duong [EMAIL PROTECTED] wrote:
 I can be sure the client certificate has the Enhanced
 Key Usage showing Client Authentication
 (1.3.6.1.5.5.7.3.2). I have no way to verify whether
 the server certificate contains proper OID

  OpenSSL?  It displays information about the certificate.

 Is it correct? I doubt maybe the problem remains in
 the OpenSSL library bunlded with Ubuntu 6.06. Do you
 think so? Please advise.

  I have no idea.  All I know is that the symptoms you're seeing
almost always have the same cause.

  Alan DeKok.
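
Added example, not part of the original thread: a shell check for the Extended Key Usage purposes discussed above, working on the text that `openssl x509 -noout -text` prints. Only the client OID 1.3.6.1.5.5.7.3.2 appears in the thread; the server-authentication OID 1.3.6.1.5.5.7.3.1, the function names, the placeholder paths and the sample excerpts are assumptions or constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: check the Extended Key Usage (EKU)
# extension on certificates used for EAP-TLS/PEAP with Windows supplicants.

# Constructed sample: excerpt of `openssl x509 -noout -text` output for a
# server certificate that carries the server-authentication purpose.
SAMPLE_SERVER_OK='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha1WithRSAEncryption'

# Constructed sample: a certificate issued without any EKU extension.
SAMPLE_NO_EKU='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption'

# Read `openssl x509 -text` output on stdin and print the EKU purposes.
# OpenSSL prints them on the line that follows the extension header.
eku_from_text() {
    awk '/X509v3 Extended Key Usage/ {
             if ((getline line) > 0) { sub(/^[ \t]+/, "", line); print line }
             exit
         }'
}

# eku_status ROLE < text
# Prints "ok" when the purpose required for ROLE is listed, "missing" when
# it is not (or when there is no EKU extension), "bad-role" otherwise.
eku_status() {
    case "$1" in
        server) want="TLS Web Server Authentication" ;;  # 1.3.6.1.5.5.7.3.1
        client) want="TLS Web Client Authentication" ;;  # 1.3.6.1.5.5.7.3.2
        *) echo "bad-role"; return 2 ;;
    esac
    if eku_from_text | grep -q -F -- "$want"; then
        echo "ok"
    else
        echo "missing"
    fi
}

# check_cert FILE ROLE: run the same check against a PEM certificate on disk.
check_cert() {
    openssl x509 -in "$1" -noout -text | eku_status "$2"
}

# Usage with real files (paths are placeholders):
#   check_cert /path/to/server.pem server
#   check_cert /path/to/client.pem client
```
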


AW: AW: EAP-TTLS MD5 hashed Passwords in MySQL Database forWPA-802.1xauth

2006-07-25 Thread Christian Poessinger
[EMAIL PROTECTED] wrote:
 Christian Poessinger [EMAIL PROTECTED] wrote:
  Well, changing it to MD5-Password results in
 
   In 1.1.x, use User-Password

Changed the content of the SQL Attribute field to 'User-Password' but I still
get the same error.


---
modcall: leaving group authorize (returns ok) for request 4
  rad_check_password:  Found Auth-Type PAP
auth: type PAP
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 4
rlm_pap: login attempt by Username with password Password
rlm_pap: No password (or empty password) to check against for for user Username
  modcall[authenticate]: module pap returns invalid for request 4
modcall: leaving group PAP (returns invalid) for request 4
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject


-CP



rlm_eap_tls.so won't build.

2006-07-25 Thread Lyle Tollefsen


Hello,

I'm new to freeradius and open source in general, so please bear with 
me. I'm having a problem with the  rlm_eap_tls.so module not compiling, 
or installing, depending on whether I'm compiling from source, or 
apt-geting the package. The complaint is that Openssl is missing, 
however I have installed openssl and libssl0.9.6 and libssl-dev. All to 
no avail. As you can see, I'm using freeradius 1.1.2.  Any help much 
appreciated.


debian:/usr/src/freeradius-1.1.2/src/modules/rlm_eap/types/rlm_eap_tls# 
./configure

loading cache ./config.cache
checking for OpenSSL support... no
configure: warning: silently not building rlm_eap_tls.
configure: warning: FAILURE: rlm_eap_tls requires: OpenSSL.
creating ./config.status
creating Makefile
creating config.h
config.h is unchanged
debian:/usr/src/freeradius-1.1.2/src/modules/rlm_eap/types/rlm_eap_tls#

debian:/usr/src/freeradius-1.1.2/src/modules/rlm_eap/types/rlm_eap_tls# 
openssl version

OpenSSL 0.9.7e 25 Oct 2004



Re: rlm_eap_tls.so won't build.

2006-07-25 Thread Alan DeKok
Lyle Tollefsen [EMAIL PROTECTED] wrote:
 debian:/usr/src/freeradius-1.1.2/src/modules/rlm_eap/types/rlm_eap_tls# 
 ./configure

  Don't run configure from a sub-directory.

  And since you're on debian, you can build the server using the
debian packaging scripts in the top-level debian directory.

  Alan DeKok.



Re: freeradius_1.1.2 + ldap

2006-07-25 Thread Damon McDougald
Alright...I figured it out...I ran ldconfig and then
the missing file liblber was linked to rlm_ldap.

Hooray for beer

--- Damon McDougald [EMAIL PROTECTED] wrote:

 Hello to all, I am encountering a problem when I
 start
 my radius server:
 radiusd -X
 
 Failed to link to module 'rlm_ldap':
 liblber-2.3.so.0:
 cannot open shared object file: No such file or
 directory 
 
 
 when I ldd rlm_ldap I receive the following:
 
 linux-gate.so.1 =>  (0xe000)
 libradius-1.1.2.so => /usr/local/lib/libradius-1.1.2.so (0xb7fd7000)
 libldap_r-2.3.so.0 => /usr/local/lib/libldap_r-2.3.so.0 (0xb7f9b000)
 libnsl.so.1 => /lib/libnsl.so.1 (0xb7f81000)
 libresolv.so.2 => /lib/libresolv.so.2 (0xb7f6e000)
 libpthread.so.0 => /lib/tls/libpthread.so.0 (0xb7f5c000)
 libc.so.6 => /lib/tls/libc.so.6 (0xb7e42000)
 libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e13000)
 liblber-2.3.so.0 => not found
 libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7de2000)
 libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7ce1000)
 /lib/ld-linux.so.2 (0x8000)
 libdl.so.2 => /lib/libdl.so.2 (0xb7cdd000)
 
 It is obvious I do not have liblber-2.3.so.0 or it
 is
 not linked.  When compiling openldap and/or
 freeradius
 is their something special I need during the
 .configure?
 
 Here is what I used to compile freeradius:
  ./configure
 --with-rlm-ldap-include=/usr/local/include
 --with-rlm-ldap-include=/usr/local/lib
 --enable-ltdg-install --enable-ltdl-install
 
 
 Here is what I used to compile openldap:
 ./confiugre --disable-slapd --disable-slurpd
 --disable-ldbm
 
 Anything I am missing or am blind to?
 
 Thanks,
 
 Damon
 


Re: freeradius_1.1.2 + ldap

2006-07-25 Thread Alan DeKok
Damon McDougald [EMAIL PROTECTED] wrote:
> liblber-2.3.so.0 => not found

  Your dynamic linker can't find that library.  Update its
configuration so that it can find the LDAP libraries, wherever you
installed them.

> Here is what I used to compile openldap:
> ./confiugre --disable-slapd --disable-slurpd --disable-ldbm

  And... where did it install the libraries?

  Is that location different from the location you passed for rlm_ldap
in the FreeRADIUS configure script?

  Alan DeKok.
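
A check for the condition described in the reply above, as an added example that is not part of the original thread: it reads `ldd` output and lists libraries the dynamic linker could not resolve, plus libraries resolved from outside a set of expected directories. The sample listing is constructed (modelled on the output quoted in this thread), and the `TRUSTED_DIRS` list and the `/opt/openldap/lib` path are assumptions.

```shell
#!/bin/sh
# Added example: audit `ldd` output for a FreeRADIUS module such as rlm_ldap.so.
# TRUSTED_DIRS is an assumption; set it to the directories your linker should use.
TRUSTED_DIRS="/lib /usr/lib /usr/local/lib"

# Constructed sample, modelled on the ldd listings quoted in the thread.
sample_ldd() {
cat <<'EOF'
    libradius-1.1.2.so => /usr/local/lib/libradius-1.1.2.so (0xb7fd7000)
    libldap_r-2.3.so.0 => /opt/openldap/lib/libldap_r-2.3.so.0 (0xb7f9b000)
    libc.so.6 => /lib/tls/libc.so.6 (0xb7e42000)
    liblber-2.3.so.0 => not found
    /lib/ld-linux.so.2 (0x80000000)
EOF
}

# missing_libs: read ldd output on stdin, print names the linker could not resolve.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# untrusted_libs: print "name path" for libraries resolved outside TRUSTED_DIRS.
untrusted_libs() {
    awk -v dirs="$TRUSTED_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        $2 == "=>" && $3 ~ /^\// {
            ok = 0
            for (i = 1; i <= n; i++)
                if (index($3, d[i] "/") == 1) ok = 1
            if (!ok) print $1, $3
        }'
}

# Stand-alone run on the sample. On a real host, pipe real output instead:
#   ldd /usr/local/lib/rlm_ldap.so | missing_libs
echo "missing:";   sample_ldd | missing_libs
echo "untrusted:"; sample_ldd | untrusted_libs
```

A library reported by `missing_libs` needs its directory added to the linker configuration followed by `ldconfig`; one reported by `untrusted_libs` shows where a build picked up a copy you did not intend the server to load.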



AW: AW: AW: EAP-TTLS MD5 hashed Passwords in MySQL Database for WPA-802.1x auth

2006-07-25 Thread Christian Poessinger
[EMAIL PROTECTED] wrote:

>   Please read the EARLIER messages in the debug log.  It's obvious
> that the password was NOT read from SQL, so authentication will not
> work.
>
>   Get the server to read the password from SQL.  Debug log WILL SAY
> when the appropriate user entry is matched.
>
>   Alan DeKok.

Well, but why does it work with unix crypt passwords then? And also 
plaintext passwords?

-CP



Re: rlm_eap_tls.so won't build.

2006-07-25 Thread Alan DeKok
Lyle Tollefsen [EMAIL PROTECTED] wrote:
> My guess is you were referring to the options pasted below.  Do I simply
> run ./configure --build=debian

  No.  I mean there is a directory called debian included with the server.

  That directory contains scripts to build a debian package of FreeRADIUS.

  Those scripts will run configure, etc. for you, with the right options.

  See the list archives for additional details.

  Alan DeKok.


New email address web site

2006-07-25 Thread Alan DeKok
  I have a new email address: [EMAIL PROTECTED]

  And a new web site: http://deployingradius.com

  There isn't much content there now (a blog), but it's pretty.  I
plan on adding more content over time, including chapter excerpts, etc.

  Alan DeKok.


How to execute TWO OR MORE Sql statement?

2006-07-25 Thread 王世彦
Oh my, I have another question about Freeradius.

I see that when Freeradius receives any request, it will
execute ONE SQL statement, which is defined in sql.conf.

My question is how to make Freeradius execute TWO OR MORE SQL statements
when it receives a request.

I am new to Freeradius and apologize for asking a simple question.

-Original Message-
From: Stefan Winter [mailto:[EMAIL PROTECTED]
Sent: July 26, 2006 1:03
To: FreeRadius users mailing list
Subject: Re: How to reply Session-Timeout without password

Hi,

> My question is how to make the radius server accept the request which do
> not contain the password and reply the Session-Timeout to the *b2bua?

I have not the faintest idea about *b2bua (WTF?) but if you just want to
accept everyone without any checks for your *b2bua NASes, you can achieve it
in the users file with

NAS-IP-Address == your-b2bua-ns, Auth-Type := Accept
        Session-Timeout := whatever

Do keep in mind that everyone who is authenticating via this IP address is
*always* *accepted*

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg







RE: How to reply Session-Timeout without password

2006-07-25 Thread 王世彦
Thanks for your reply. I now know how to do it.

PS: *b2bua is short for Asterisk+b2bua. It is a prepaid billing solution for
VoIP system.

-Original Message-
From: Stefan Winter [mailto:[EMAIL PROTECTED]
Sent: July 26, 2006 1:03
To: FreeRadius users mailing list
Subject: Re: How to reply Session-Timeout without password

Hi,

> My question is how to make the radius server accept the request which do
> not contain the password and reply the Session-Timeout to the *b2bua?

I have not the faintest idea about *b2bua (WTF?) but if you just want to
accept everyone without any checks for your *b2bua NASes, you can achieve it
in the users file with

NAS-IP-Address == your-b2bua-ns, Auth-Type := Accept
        Session-Timeout := whatever

Do keep in mind that everyone who is authenticating via this IP address is
*always* *accepted*

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
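
Because an entry like the one quoted above accepts every request from the matching NAS, it is worth being able to list such entries. The following is an added example, not part of the original thread: it scans a `users` file for entries that force `Auth-Type` to `Accept` and reports whether each one is limited by a `NAS-IP-Address` check. The sample file is constructed, and the `DEFAULT` entry name, the address `192.0.2.10` and the user `bob` are assumptions.

```shell
#!/bin/sh
# Added example: list FreeRADIUS "users" file entries that force Auth-Type to Accept.

# Constructed sample users file; names, addresses and values are placeholders.
sample_users() {
cat <<'EOF'
# VoIP billing gateway: accepted without a password
DEFAULT NAS-IP-Address == 192.0.2.10, Auth-Type := Accept
        Session-Timeout := 3600

bob     User-Password == "constructed-secret"
        Session-Timeout := 600

DEFAULT Auth-Type := Accept
        Session-Timeout := 60
EOF
}

# accept_entries: read a users file on stdin and print, for every entry whose
# check items set Auth-Type to Accept: line number, entry name, and either the
# NAS-IP-Address check that limits it or NO-NAS-RESTRICTION.
accept_entries() {
    awk '
        /^[ \t]*#/ { next }    # comment lines
        /^[ \t]/   { next }    # indented lines are reply items, not entry headers
        /Auth-Type[ \t]*(:=|==|=)[ \t]*Accept/ {
            scope = "NO-NAS-RESTRICTION"
            if (match($0, /NAS-IP-Address[ \t]*==[ \t]*[^, \t]+/))
                scope = substr($0, RSTART, RLENGTH)
            print NR, $1, scope
        }'
}

# Stand-alone run on the sample. On a real server, read the deployed file instead:
#   accept_entries < /path/to/raddb/users
sample_users | accept_entries
```

Every line of output is an entry where possession of a password is not checked; an entry marked `NO-NAS-RESTRICTION` accepts requests from any client the server is configured to talk to.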







mysql libraries are there BUT not found

2006-07-25 Thread Roger Thomas
I received warnings about the unavailability of mysql libraries when I ran 
configure with

-- start of text ---
...
...
configure: warning: mysql libraries not found. Use --with-mysql-lib-dir=path.
configure: warning: sql submodule 'mysql' disabled
configure: warning: silently not building rlm_sql_postgresql.
configure: warning: FAILURE: rlm_sql_postgresql requires:  libpq-fe.h libpq.
configure: warning: oracle headers not found.  Use --with-oracle-home-dir=path.
configure: warning: sql submodule 'oracle' disabled
...
...
-- end of text --

Running configure with
# ./configure --with-mysql-lib-dir=/usr/local/mysql/lib/mysql
made no difference. 

In /usr/local/mysql/lib/mysql I have:

-rw-r--r--    1 root mysql   11866 May 15 10:56 libdbug.a
-rw-r--r--    1 root mysql   40304 May 15 10:56 libheap.a
-rw-r--r--    1 root mysql   13536 May 15 10:56 libmerge.a
-rw-r--r--    1 root mysql  313312 May 15 10:56 libmyisam.a
-rw-r--r--    1 root mysql   24982 May 15 10:56 libmyisammrg.a
-rw-r--r--    1 root mysql  480038 May 15 10:57 libmysqlclient.a
-rwxr-xr-x    1 root mysql     879 May 15 10:57 libmysqlclient.la
lrwxrwxrwx    1 root mysql      24 May 15 10:57 libmysqlclient.so -> libmysqlclient.so.14.0.0
lrwxrwxrwx    1 root mysql      24 May 15 10:57 libmysqlclient.so.14 -> libmysqlclient.so.14.0.0
-rwxr-xr-x    1 root mysql  409020 May 15 10:57 libmysqlclient.so.14.0.0
-rw-r--r--    1 root mysql  240636 May 15 10:56 libmystrings.a
-rw-r--r--    1 root mysql  256614 May 15 10:56 libmysys.a
-rw-r--r--    1 root mysql   97536 May 15 10:56 libnisam.a
-rw-r--r--    1 root mysql    5576 May 15 10:56 libvio.a


What have I done wrong? Please advise.

--
Roger





Re: How to execute TWO OR MORE Sql statement?

2006-07-25 Thread Dan O'Neill
王世彦 wrote:
> Oh my, I have another question about Freeradius.
>
> I see that when Freeradius receives any request, it will
> execute ONE SQL statement, which is defined in sql.conf.
>
> My question is how to make Freeradius execute TWO OR MORE SQL statements
> when it receives a request.
>
> I am new to Freeradius and apologize for asking a simple question.

Create a stored procedure in the database that contains all of the SQL
queries necessary. Then call that stored procedure via sql.conf. This
works fine with Postgres.

Dan



Unknown module

2006-07-25 Thread Bubuk Gabrok

I have compiled and installed freeradius but when I ran
# /usr/local/sbin/radiusd  -X -A

I got these error messages:
...
...
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
radiusd.conf[738] Failed to link to module 'rlm_ldap': file not found
radiusd.conf[1917] Unknown module ldap.
radiusd.conf[1917] Failed to parse ldap entry.
#

I have the rlm_ldap libraries in /usr/local/lib/rlm_ldap:
# ll /usr/local/lib/rlm_ldap*
lrwxrwxrwx    1 root root      11 Jul 26 12:33 /usr/local/lib/rlm_ldap-1.1.2.la -> rlm_ldap.la
-rwxr-xr-x    1 root root   89103 Jul 26 12:33 /usr/local/lib/rlm_ldap-1.1.2.so
-rw-r--r--    1 root root   99154 Jul 26 12:33 /usr/local/lib/rlm_ldap.a
-rwxr-xr-x    1 root root     916 Jul 26 12:33 /usr/local/lib/rlm_ldap.la
lrwxrwxrwx    1 root root      17 Jul 26 12:33 /usr/local/lib/rlm_ldap.so -> rlm_ldap-1.1.2.so
#

and ldd on rlm_ldap.so gave:

# ldd /usr/local/lib/rlm_ldap.so
   libradius-1.1.2.so => /usr/local/lib/libradius-1.1.2.so (0x4000b000)
   libldap_r-2.2.so.7 => /root/ldapx/lib/libldap_r-2.2.so.7 (0x4002)
   libnsl.so.1 => /lib/libnsl.so.1 (0x4012d000)
   libresolv.so.2 => /lib/libresolv.so.2 (0x40142000)
   libpthread.so.0 => /lib/tls/libpthread.so.0 (0x40154000)
   libc.so.6 => /lib/tls/libc.so.6 (0x4200)
   libcrypt.so.1 => /lib/libcrypt.so.1 (0x40162000)
   liblber-2.2.so.7 => /root/ldapx/lib/liblber-2.2.so.7 (0x4018f000)
   libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x4019b000)
   /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)
   libdl.so.2 => /lib/libdl.so.2 (0x401ae000)

What else could be wrong? HELP!