configure options
I installed openLDAP in /prefix/ldap. How would I tell configure where to look for the ldap lib and header files? Doing a configure --help doesn't tell much. Please help.

-- Roger

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP password format
The passwords for my users are kept in the SHA format in my LDAP. Does that mean that I have to tell radius.conf to use password_header = "{sha}"? Please advise.

-- roger
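The question above is about what a {SHA}-prefixed LDAP userPassword actually is. The following Python is an added example, not code from the thread or from FreeRADIUS: it builds and verifies RFC 2307 style {SHA} and {SSHA} values so the format and its consequences are visible. Two points a practitioner should take from it: the unsalted {SHA} form gives identical values for identical passwords, and a server holding only a SHA hash can verify a password only when it receives the cleartext (PAP); it cannot answer CHAP or MS-CHAP challenges from a hash. The case-insensitive scheme matching is this example's own choice, not a statement about how password_header behaves, and the salt values are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple


def make_sha(password: str) -> str:
    """Unsalted {SHA}: base64(SHA-1(password)). Identical passwords give identical values."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(SHA-1(password || salt) || salt); the salt rides along in the clear."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_header(stored: str) -> Tuple[Optional[str], str]:
    """Split '{SCHEME}payload' into (SCHEME, payload); a value without a header gives (None, stored).

    The scheme is upper-cased so '{sha}' and '{SHA}' compare equal. That is a choice made
    for this example only; check the rules of your directory and of the RADIUS module.
    """
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def verify(stored: str, candidate: str) -> bool:
    """Check a cleartext candidate against a stored userPassword value.

    This only works because the cleartext is available (PAP). With a hashed value the
    server has nothing it could use to answer a CHAP or MS-CHAP challenge.
    """
    scheme, payload = split_header(stored)
    pw = candidate.encode("utf-8")
    if scheme is None or scheme == "CLEAR":
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        if len(raw) <= 20:      # need at least one salt byte after the 20-byte digest
            return False
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return False                # unknown scheme: fail closed


if __name__ == "__main__":
    stored = make_ssha("correct horse", b"\x01\x02\x03\x04")   # constructed salt for the demo
    print(stored, verify(stored, "correct horse"), verify(stored, "wrong"))
```

Run it and compare make_sha("password") for two different users: the values are identical, which is the weakness {SSHA} exists to remove.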
Re: mysql libraries are there BUT not found
Quoting Nicolas Baradakis <[EMAIL PROTECTED]>:

> Roger Thomas wrote:
>
> > In /usr/local/mysql/lib/mysql I have:
> >
> > -rw-r--r--  1 root mysql  11866 May 15 10:56 libdbug.a
> > -rw-r--r--  1 root mysql  40304 May 15 10:56 libheap.a
> > -rw-r--r--  1 root mysql  13536 May 15 10:56 libmerge.a
> > -rw-r--r--  1 root mysql 313312 May 15 10:56 libmyisam.a
> > -rw-r--r--  1 root mysql  24982 May 15 10:56 libmyisammrg.a
> > -rw-r--r--  1 root mysql 480038 May 15 10:57 libmysqlclient.a
> > -rwxr-xr-x  1 root mysql    879 May 15 10:57 libmysqlclient.la
> > lrwxrwxrwx  1 root mysql     24 May 15 10:57 libmysqlclient.so -> libmysqlclient.so.14.0.0
> > lrwxrwxrwx  1 root mysql     24 May 15 10:57 libmysqlclient.so.14 -> libmysqlclient.so.14.0.0
> > -rwxr-xr-x  1 root mysql 409020 May 15 10:57 libmysqlclient.so.14.0.0
> > -rw-r--r--  1 root mysql 240636 May 15 10:56 libmystrings.a
> > -rw-r--r--  1 root mysql 256614 May 15 10:56 libmysys.a
> > -rw-r--r--  1 root mysql  97536 May 15 10:56 libnisam.a
> > -rw-r--r--  1 root mysql   5576 May 15 10:56 libvio.a
> >
> > What I have done wrong? Please advise.
>
> It looks like you don't have libmysqlclient_r.so, the thread safe
> version of the client library.
>
> Either configure MySQL with --enable-thread-safe-client, or configure
> FreeRADIUS with --without-threads.
>
> --
> Nicolas Baradakis

Thank you so much Nicolas.

-- Roger
Re: EAP doest work with Cisco Catalyst 2950?
--- Josh Howlett <[EMAIL PROTECTED]> wrote:
> Is there a RADIUS or EAP timer set on the switch?
>
> If it's set too low, the switch might be ignoring the Access-
> Challenge from the server.
>
> best regards, josh.

Yup there're some timers on the switch but as far as I know they have no effect on the communication between the switch and the server.

Is there anybody here who has used Catalyst 2950 with freeradius before? Searching Google reveals that people seem to only configure EAP/TLS to protect wireless LAN, not wired LAN. Where can I find a successful EAP/TLS setup with details about hardware/software components?

TIA,
Thai Duong.
Re: issues with peap + tlv part 1
I have gotten this to work with ntradping and radtest... just not the Windows CE client. It is an issue with mschapv2 and ntlmv2.

--- Alan DeKok <[EMAIL PROTECTED]> wrote:
> Damon McDougald <[EMAIL PROTECTED]> wrote:
> > Yes, I have read the earlier debug message stating
> > failure in mschapv2.
>
> That is the problem, not the message saying "the authentication was
> rejected earlier in the session".
>
> > I have tried not using mschapv2 and various other configs, but
> > with no luck. I see this is a common issue that many people have
> > encountered but with vague answers and references.
>
> Nonsense. The answers are consistent and clear: follow the
> documentation and it will work.
>
> In your case, you didn't tell the server what the *correct* password
> was for the user. So it's impossible to authenticate the user,
> because the server has no idea if the password they entered matches
> the correct one.
>
> > Has anyone put together an FAQ that is more descriptive or does
> > anyone have a more descriptive answer besides look in the debug
> > trace?
>
> Configure a password for the user, and it WILL work.
>
> In your case, it matches a "DEFAULT" entry in the users file, which
> doesn't have the user's password. And you haven't configured the
> server to get the password from a database, either.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: issues with peap + tlv part 1
Damon McDougald <[EMAIL PROTECTED]> wrote:
> Yes, I have read the earlier debug message stating
> failure in mschapv2.

That is the problem, not the message saying "the authentication was rejected earlier in the session".

> I have tried not using mschapv2 and various other configs, but
> with no luck. I see this is a common issue that many people have
> encountered but with vague answers and references.

Nonsense. The answers are consistent and clear: follow the documentation and it will work.

In your case, you didn't tell the server what the *correct* password was for the user. So it's impossible to authenticate the user, because the server has no idea if the password they entered matches the correct one.

> Has anyone put together an FAQ that is more descriptive or does
> anyone have a more descriptive answer besides look in the debug
> trace?

Configure a password for the user, and it WILL work.

In your case, it matches a "DEFAULT" entry in the users file, which doesn't have the user's password. And you haven't configured the server to get the password from a database, either.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: issues with peap + tlv part 1
Yes, I have read the earlier debug message stating failure in mschapv2. I have tried not using mschapv2 and various other configs, but with no luck. I see this is a common issue that many people have encountered but with vague answers and references. Has anyone put together an FAQ that is more descriptive or does anyone have a more descriptive answer besides look in the debug trace?

--- Alan DeKok <[EMAIL PROTECTED]> wrote:
> Damon McDougald <[EMAIL PROTECTED]> wrote:
> > Here is my dilemma:
> > rlm_eap_peap: EAPTLS_OK
> > rlm_eap_peap: Session established. Decoding tunneled attributes.
> > rlm_eap_peap: Received EAP-TLV response.
> > rlm_eap_peap: Tunneled data is valid.
> > rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
>
> I suggest reading the *earlier* messages in the debug log. They
> tell you when the user was rejected, and why.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: issues with peap + tlv part 1
Damon McDougald <[EMAIL PROTECTED]> wrote:
> Here is my dilemma:
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: Received EAP-TLV response.
> rlm_eap_peap: Tunneled data is valid.
> rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.

I suggest reading the *earlier* messages in the debug log. They tell you when the user was rejected, and why.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: ATTRIBUTE has invalid number (larger than 255)
"Steven Stanek" <[EMAIL PROTECTED]> wrote:
> Thanks for the help with this one... Yes, we have a two byte VSA field for
> the equipment I am working on.

That should be possible to manage, with an appropriate modification to the dictionary. Can you email the dictionary to the list? We'll get it added to the next version of the server...

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: rlm_eap_tls.so won't build.
Thank you, Alan and Nicolas, this is just what I needed.

Lyle.

Nicolas Baradakis wrote:
> Lyle Tollefsen wrote:
> > I'm new to freeradius and open source in general, so please bear with
> > me. I'm having a problem with the rlm_eap_tls.so module not compiling,
> > or installing, depending on whether I'm compiling from source, or
> > apt-getting the package. The complaint is that Openssl is missing,
> > however I have installed openssl and libssl0.9.6 and libssl-dev. All to
> > no avail. As you can see, I'm using freeradius 1.1.2. Any help much
> > appreciated.
>
> The instructions to build a Debian package from sources are in the FAQ.
> http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ
freeradius stop automatically
After upgrading freeradius 1.0.5 to version 1.1.2 on FreeBSD 6 my radius server stops automatically with the following error message:

Wed Jul 26 01:30:08 2006 : Error: Discarding duplicate request from client pppoe-bhw:61882 - ID: 137 due to unfinished request 61
Wed Jul 26 01:30:08 2006 : Error: WARNING: Unresponsive child (id 135672320) for request 31
RE: ATTRIBUTE has invalid number (larger than 255)
Hi,

Thanks for the help with this one... Yes, we have a two byte VSA field for the equipment I am working on.

-steven

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org] On Behalf Of Alan DeKok
Sent: Monday, July 24, 2006 3:09 PM
To: FreeRadius users mailing list
Subject: Re: ATTRIBUTE has invalid number (larger than 255)

"Steven Stanek" <[EMAIL PROTECTED]> wrote:
> I am a FreeRadius newbie. I have installed FreeRADIUS Version 1.1.2. I
> was able to install without any errors. But when I start the server I
> get an odd message about a dictionary file (see below. I have a
> Solaris machine running
> -> SunOS aureb01f 5.8 Generic_117000-03 sun4u sparc SUNW,Ultra-60.
...
> /usr/local/etc/raddb/AlcatelAccess.dct[25]: dict_addattr: ATTRIBUTE
> has invalid number (larger than 255).

That dictionary isn't included in the default install, so I presume it's something you added locally.

The default encoding for RADIUS VSA's is one octet for the attribute field, which means values 0..255. Does Alcatel use a different format for their attributes? If so, what?

Alan DeKok.
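Alan's point about the default one-octet sub-attribute type (values 0..255) and Steven's two-byte case are easiest to see on the wire. The following Python is an added example, not code from the thread or from FreeRADIUS: it encodes and decodes an RFC 2865 Vendor-Specific attribute (type 26) with a selectable header size for the vendor's sub-attribute type and length fields. Vendor 9 / sub-type 1 is Cisco's Cisco-AVPair; vendor 65535 and sub-type 300 are placeholders for the two-octet case and say nothing about Alcatel's actual format, which the thread does not give. The decoder refuses a sub-attribute length shorter than its own header or running past the end of the attribute, which is the check any parser of NAS-supplied data needs to avoid looping or reading out of bounds.

```python
import struct
from typing import List, Tuple

VENDOR_SPECIFIC = 26                 # RFC 2865 attribute type
_FMT = {1: "B", 2: "H", 4: "I"}      # header field width (octets) -> struct code


def encode_vsa(vendor_id: int, sub_type: int, value: bytes,
               type_len: int = 1, length_len: int = 1) -> bytes:
    """Build one Vendor-Specific attribute carrying one vendor sub-attribute.

    type_len/length_len are the widths of the vendor's sub-attribute type and length
    fields. The RFC 2865 recommended format is 1,1; a 2-octet type needs type_len=2.
    """
    if type_len not in _FMT or length_len not in (0, 1, 2):
        raise ValueError("unsupported vendor header format")
    if sub_type >= 1 << (8 * type_len):
        raise ValueError(f"sub-type {sub_type} does not fit in {type_len} octet(s)")
    sub_len = type_len + length_len + len(value)
    sub = struct.pack(">" + _FMT[type_len], sub_type)
    if length_len:
        if sub_len >= 1 << (8 * length_len):
            raise ValueError("sub-attribute too long for its length field")
        sub += struct.pack(">" + _FMT[length_len], sub_len)
    sub += value
    body = struct.pack(">I", vendor_id) + sub
    if 2 + len(body) > 255:          # RADIUS attribute length is a single octet
        raise ValueError("RADIUS attribute exceeds 255 octets")
    return struct.pack(">BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(attr: bytes, type_len: int = 1,
               length_len: int = 1) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Parse a Vendor-Specific attribute into (vendor_id, [(sub_type, value), ...]).

    Raises ValueError on anything malformed instead of trusting the NAS's lengths.
    """
    if len(attr) < 6 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack(">I", attr[2:6])[0]
    subs: List[Tuple[int, bytes]] = []
    pos = 6
    while pos < len(attr):
        start = pos
        if start + type_len + length_len > len(attr):
            raise ValueError("truncated sub-attribute header")
        sub_type = struct.unpack(">" + _FMT[type_len], attr[pos:pos + type_len])[0]
        pos += type_len
        if length_len:
            sub_len = struct.unpack(">" + _FMT[length_len], attr[pos:pos + length_len])[0]
            # A length smaller than the header would stall the loop; one past the
            # end would read outside the attribute. Reject both.
            if sub_len < type_len + length_len or start + sub_len > len(attr):
                raise ValueError("bad sub-attribute length")
            value = attr[pos + length_len:start + sub_len]
            pos = start + sub_len
        else:
            value = attr[pos:]           # no length field: value runs to the end
            pos = len(attr)
        subs.append((sub_type, value))
    return vendor_id, subs


if __name__ == "__main__":
    cisco = encode_vsa(9, 1, b"shell:priv-lvl=15")             # Cisco-AVPair
    wide = encode_vsa(65535, 300, b"\x01", type_len=2)          # placeholder vendor, 2-octet type
    print(cisco.hex(), decode_vsa(cisco))
    print(wide.hex(), decode_vsa(wide, type_len=2))
```

Feeding the two-octet attribute to a decoder configured for one-octet types does not raise an error; it silently yields a different sub-type and a shifted value, which is exactly why the dictionary has to declare the vendor's format rather than guess it.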
Re: Binding FreeRadius to the DHCP Server
"Elie Hani" <[EMAIL PROTECTED]> wrote:
> I'm not one of them, but I'm a ccie certificated and it was an insult.

You asked the same question. Repeatedly. You ignored every answer, and asked the same question again. And again.

Every time someone on this list (including me) tried to help you, you didn't respond to what they said. Instead, you used their answer as a reason to ask the same question again.

If you're not going to read the responses on this list, then there's no reason to ask questions here, either. The people here told you it was impossible in the current configuration, and you made it clear that you thought they were lying to you.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Binding FreeRadius to the DHCP Server
Josh Howlett <[EMAIL PROTECTED]> wrote:
> I'm sure I've seen at least a couple of other similar DHCP queries in
> the last couple of weeks. I wonder how difficult it would be to add a
> simple DHCP client to FreeRADIUS?

Perl modules exist to do 99% of that work.

> OTOH, I think these queries have been in the context of 802.1x in
> which case this doesn't help (or else we need an EAP-DHCP :-)

No, we need a RADIUS server that does DHCP, too. I don't think it's that hard, especially with the recent 2-octet "type" support for VSA's.

i.e. ISC DHCPd is huge, complex, and doesn't support leases in a DB. FreeRADIUS already has a multi-threaded UDP server core with a generic policy engine, that back-ends to multiple DB's. The CVS head already has sql_ippool.

It's not hard... really.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: How to execute TWO OR MORE Sql statement?
Alan Lumb wrote:
> > Create a stored procedure in the database that contains all of the SQL
> > queries necessary. Then call that stored procedure via sql.conf. This
> > works fine with Postgres.
>
> MySQL 5 supports stored procedures and functions, however I know that
> mysql procedures can cause problems as they can/will return multiple
> data sets that can cause some apps problems (not sure about freeradius
> and its support for mysql).

Stored procedures have to be designed to return one or more rows. Here's an example.

I have a heartbeat monitor running against Freeradius to monitor authorization on a regular basis. I do not want these heartbeat authentications written into the 'radpostauth' table. The username 'TylerDurden' is filtered out prior to inserting the postauth record.

Here is the Postgres stored procedure in the RADIUS database:

CREATE FUNCTION filtered_insert_radpostauth(text, text, text) RETURNS integer
    AS $_$
DECLARE
    _new_filtered_insert_radpostauth_id integer;
BEGIN
    -- $1 = User-Name, $2 = the password exactly as it arrived in the request
    -- (stored as-is in the 'pass' column), $3 = the reply Packet-Type
    IF ( $1 = 'TylerDurden') THEN
        RETURN 0;
    END IF;
    INSERT INTO radpostauth (username, pass, reply, authdate)
        VALUES ( $1, $2, $3, NOW() );
    IF FOUND THEN
        SELECT INTO _new_filtered_insert_radpostauth_id MAX(id) FROM radpostauth;
        RETURN _new_filtered_insert_radpostauth_id;
    END IF;
    RETURN -1;
END
$_$ LANGUAGE plpgsql;

ALTER FUNCTION public.filtered_insert_radpostauth(text, text, text) OWNER TO postgres;

and the line in postgresql.conf looks like (it's wrapped here):

postauth_query = "SELECT filtered_insert_radpostauth( '%{User-Name}', \
    '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}' )"

Everyone but TylerDurden gets logged because he doesn't really exist anyway.

Good luck!

Dan
RE: How to execute TWO OR MORE Sql statement?
I'm using stored procs to do a series of queries even with IF THEN ELSE structures, with variables being the result of a query and being used in other queries. Works like a charm for me with mysql5 and freeradius 1.1.2.

In the sql.conf I just use as query something like "call storedproc1(var1,var2,var3)"

Regards,
Jurgen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan Lumb
Sent: Wednesday, 26 July 2006 14:08
To: FreeRadius users mailing list
Subject: Re: How to execute TWO OR MORE Sql statement?

> Create a stored procedure in the database that contains all of the SQL
> queries necessary. Then call that stored procedure via sql.conf. This
> works fine with Postgres.

MySQL 5 supports stored procedures and functions, however I know that mysql procedures can cause problems as they can/will return multiple data sets that can cause some apps problems (not sure about freeradius and its support for mysql).

I gave up on such a method and moved to rlm_perl. Now I have a perl handling script that performs as many queries as I need and can put lots of logic in the script, strip bits out of usernames and whatnot. Also it can look for certain flags in the database and if present send AV Pairs or VSA's to the NAS to configure them differently.

My only issue has been getting rlm_perl to compile properly on suse x86_64, and sometimes have had to go to the extreme of recompiling perl and manually linking DynaLoader into rlm_perl.so

So in answer to the original question I recommend rlm_perl if you have the time and patience to get around the setup problems.
authenticating based on Nas-Port-Id
hi,

I've been using freeradius fastuser based authentication for several thousand adsl customers for the last year or so now and it has proved extremely reliable.

In order to simplify customer setup and minimise lost password support etc I'd like to start authenticating users based on NAS-Port-Id rather than User-Name. (the dslams/basen we use support populating NAS-Port-Id with the dslam/frame/slot/port). I am also working on migrating to a mysql authentication backend.

So, does anyone have any tips on setting up NAS-Port-Id based authentication with users/fastusers/sql? I hope to permit the user to use any username/password combination.

Thanks for your help and an excellent radius server,

colm
Use multiple radiusCallingStationId attribute
Hello

I'm setting the radiusCallingStationId attribute to perform some MAC-Address based controls. The schema says that this attribute is multivalued but when I try to add more than one of this attribute I get this error:

entry failed schema check: attribute 'radiusCallingStationId' cannot have multiple values
conn=0 op=5 RESULT tag=103 err=19 text=attribute 'radiusCallingStationId' cannot have multiple values

For each user I need to store multiple radiusCallingStationId to make the control on user ID with MAC-Address in user authentication.

Thanks in advance

Luigi Natalino a.k.a. Bill Wood
RE: PEAP MSCHAPv2 - Novell eDir
Hi Josh,

LDAP section appended:

ldap {
        server = "ldapsvr.nottingham.ac.uk"
        port = 636
        identity = "cn=RADIUSadmin,o=university"
        password = x
        basedn = "o=university"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        # start_tls = yes
        tls_cacertfile = /etc/raddb/certs/UONLDAP-CA-SelfSignedCert.b64
        # tls_cacertdir = /path/to/ca/dir/
        # tls_certfile = /path/to/radius.crt
        # tls_keyfile = /path/to/radius.key
        # tls_randfile = /path/to/rnd
        tls_require_cert = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        # access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = "{clear}"

        #
        # Set:
        #       password_attribute = nspmPassword
        #
        # to get the user's password from a Novell eDirectory
        # backend. This will work *only if* freeRADIUS is
        # configured to build with --with-edir option.
        #
        #
        # The server can usually figure this out on its own, and pull
        # the correct User-Password or NT-Password from the database.
        #
        # Note that NT-Passwords MUST be stored as a 32-digit hex
        # string, and MUST start off with "0x", such as:
        #
        #       0x000102030405060708090a0b0c0d0e0f
        #
        # Without the leading "0x", NT-Passwords will not work.
        # This goes for NT-Passwords stored in SQL, too.
        #
        password_attribute = nspmPassword

        #
        # Un-comment the following to disable Novell eDirectory account
        # policy check and intruder detection. This will work *only if*
        # FreeRADIUS is configured to build with --with-edir option.
        #
        # edir_account_policy_check=no
        #

        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes

        #
        # By default, if the packet contains a User-Password,
        # and no other module is configured to handle the
        # authentication, the LDAP module sets itself to do
        # LDAP bind for authentication.
        #
        # You can disable this behavior by setting the following
        # configuration entry to "no".
        #
        # allowed values: {no, yes}
        # set_auth_type = yes
}

> Hi Catriona,
>
> If this is for the JRS, you can also get support (from me or Alan
> Buxey, who is also on this list!) from [EMAIL PROTECTED]
>
> Anyway, could you please post the ldap { } section in radiusd.conf?
> (please obfuscate any passwords, etc).
>
> josh.
Re: How to reply Session-Timeout without password
Hi!

> Now I am a little confused.
>
> For user 005001, I not only want to check the Session-Timeout for
> accounting, but also want to check its password for authorization.
>
> Before you tell me the "auth by IP address" method, my conf is like this:
>
> 005001 Auth-Type := Digest, Password == "005001"
>
> Now my question is: How can I make radius server to use Password for normal
> authorization and then use the "auth by IP address" method for *b2bua
> request?

You can use Fall-Through: first the entries with the NAS-IP-Address, but adding a Fall-Through = Yes, and later your other, special, user. Altogether it will look like that:

NAS-IP-Address == your-b2bua-ns, Auth-Type := Accept
        Session-Timeout := whatever,
        Fall-Through = Yes

005001 Auth-Type := Digest, Password == "005001"

All users whose user name is *not* 005001 are caught with the first expression and not with the second. User 005001 is first caught with the first expression, but later overridden with the second one and thus needs to authenticate.

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu         Fax: +352 422473
RE: How to reply Session-Timeout without password
Hi,

Now I am a little confused.

For user 005001, I not only want to check the Session-Timeout for accounting, but also want to check its password for authorization.

Before you tell me the "auth by IP address" method, my conf is like this:

005001 Auth-Type := Digest, Password == "005001"

Now my question is: How can I make radius server use Password for normal authorization and then use the "auth by IP address" method for *b2bua request?

-----Original Message-----
From: Stefan Winter [mailto:[EMAIL PROTECTED]
Sent: 26 July 2006 1:03
To: FreeRadius users mailing list
Subject: Re: How to reply Session-Timeout without password

Hi,

> My question is how to make the radius server accept the request which do
> not contain the password and reply the Session-Timeout to the *b2bua?

I have not the faintest idea about *b2bua (WTF?) but if you just want to accept everyone without any checks for your *b2bua NASes, you can achieve it in the "users" file with

NAS-IP-Address == your-b2bua-ns, Auth-Type := Accept
        Session-Timeout := whatever

Do keep in mind that everyone who is authenticating via this IP address is *always* *accepted*

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: How to execute TWO OR MORE Sql statement?
> Create a stored procedure in the database that contains all of the SQL
> queries necessary. Then call that stored procedure via sql.conf. This
> works fine with Postgres.

MySQL 5 supports stored procedures and functions, however I know that mysql procedures can cause problems as they can/will return multiple data sets that can cause some apps problems (not sure about freeradius and its support for mysql).

I gave up on such a method and moved to rlm_perl. Now I have a perl handling script that performs as many queries as I need and can put lots of logic in the script, strip bits out of usernames and whatnot. Also it can look for certain flags in the database and if present send AV Pairs or VSA's to the NAS to configure them differently.

My only issue has been getting rlm_perl to compile properly on suse x86_64, and sometimes have had to go to the extreme of recompiling perl and manually linking DynaLoader into rlm_perl.so

So in answer to the original question I recommend rlm_perl if you have the time and patience to get around the setup problems.
Re: EAP doest work with Cisco Catalyst 2950?
On 26 Jul 2006, at 12:11, Thai Duong wrote:

> As you advise, I turned tracing on and found that the SSL handshake
> was not completed, the client kept sending "Client Hello" packet but
> got no response from the server. But when looking at Ethereal's dump
> file, I saw that the server actually sent its certificate in the
> Access-Challenge packet. I even unchecked "Validate server
> certificate" in the client setting but still no luck.
>
> What am I supposed to do now? I'm gonna be crazy please help.

Is there a RADIUS or EAP timer set on the switch?

If it's set too low, the switch might be ignoring the Access-Challenge from the server.

best regards, josh.

Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 | internal: 7850
Re: EAP doest work with Cisco Catalyst 2950?
--- Phil Mayers <[EMAIL PROTECTED]> wrote:
> openssl x509 -noout -text -in theserver.crt
>
> ...will show things like:
>
> X509v3 Key Usage:
>     Digital Signature, Key Encipherment
> X509v3 Extended Key Usage:
>     TLS Web Server Authentication
>
> ...the latter being the one you're looking for.
>
> As Alan says, it's almost certainly oids, but regardless the problem is
> not at the FreeRadius side - you should look to the debugging on the
> cisco switch and/or the windows client ("netsh * set tracing on" and
> logfiles somewhere under c:\windows)

The output of my server certificate contains:

X509v3 Extended Key Usage:
    TLS Web Server Authentication

As you advise, I turned tracing on and found that the SSL handshake was not completed, the client kept sending "Client Hello" packet but got no response from the server. But when looking at Ethereal's dump file, I saw that the server actually sent its certificate in the Access-Challenge packet. I even unchecked "Validate server certificate" in the client setting but still no luck.

What am I supposed to do now? I'm gonna be crazy please help.

TIA,
Thai Duong.
Re: Binding FreeRadius to the DHCP Server
Hi Josh,

> I'm sure I've seen at least a couple of other similar DHCP queries in
> the last couple of weeks. I wonder how difficult it would be to add a
> simple DHCP client to FreeRADIUS?

Thanks for the on-topic question, I was already fearing a flamewar coming up.

I guess if you really want to this, you could use rlm_perl or Exec-Program-Wait, write a script that uses the client's MAC address to generate a fake DHCP query (assumption: the DHCP server or a relay is on the FR server's LAN), listen to the DHCP server's response, encapsulate this answer back into the Framed-IP-Address attribute and that's it (leaving out all the really painful stuff with expiring leases, renewals and whatnot; it would be a non-trivial task).

The remaining question really is: Why on earth would you _want_ to do that? rlm_ippool exists and works.

Greetings,

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu         Fax: +352 422473
Re: mysql libraries are there BUT not found
Roger Thomas wrote:
> In /usr/local/mysql/lib/mysql I have:
>
> -rw-r--r--  1 root mysql  11866 May 15 10:56 libdbug.a
> -rw-r--r--  1 root mysql  40304 May 15 10:56 libheap.a
> -rw-r--r--  1 root mysql  13536 May 15 10:56 libmerge.a
> -rw-r--r--  1 root mysql 313312 May 15 10:56 libmyisam.a
> -rw-r--r--  1 root mysql  24982 May 15 10:56 libmyisammrg.a
> -rw-r--r--  1 root mysql 480038 May 15 10:57 libmysqlclient.a
> -rwxr-xr-x  1 root mysql    879 May 15 10:57 libmysqlclient.la
> lrwxrwxrwx  1 root mysql     24 May 15 10:57 libmysqlclient.so -> libmysqlclient.so.14.0.0
> lrwxrwxrwx  1 root mysql     24 May 15 10:57 libmysqlclient.so.14 -> libmysqlclient.so.14.0.0
> -rwxr-xr-x  1 root mysql 409020 May 15 10:57 libmysqlclient.so.14.0.0
> -rw-r--r--  1 root mysql 240636 May 15 10:56 libmystrings.a
> -rw-r--r--  1 root mysql 256614 May 15 10:56 libmysys.a
> -rw-r--r--  1 root mysql  97536 May 15 10:56 libnisam.a
> -rw-r--r--  1 root mysql   5576 May 15 10:56 libvio.a
>
> What I have done wrong? Please advise.

It looks like you don't have libmysqlclient_r.so, the thread safe version of the client library.

Either configure MySQL with --enable-thread-safe-client, or configure FreeRADIUS with --without-threads.

--
Nicolas Baradakis
Re: rlm_eap_tls.so won't build.
Lyle Tollefsen wrote:
> I'm new to freeradius and open source in general, so please bear with
> me. I'm having a problem with the rlm_eap_tls.so module not compiling,
> or installing, depending on whether I'm compiling from source, or
> apt-getting the package. The complaint is that Openssl is missing,
> however I have installed openssl and libssl0.9.6 and libssl-dev. All to
> no avail. As you can see, I'm using freeradius 1.1.2. Any help much
> appreciated.

The instructions to build a Debian package from sources are in the FAQ.
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ

--
Nicolas Baradakis
Re: Binding FreeRadius to the DHCP Server
On 26 Jul 2006, at 10:27, Stefan Winter wrote:

> The RADIUS protocol doesn't interact with DHCP. FreeRADIUS doesn't do
> it. There is no place to configure any such thing.

I'm sure I've seen at least a couple of other similar DHCP queries in the last couple of weeks. I wonder how difficult it would be to add a simple DHCP client to FreeRADIUS?

OTOH, I think these queries have been in the context of 802.1x in which case this doesn't help (or else we need an EAP-DHCP :-)

josh.

Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 | internal: 7850
RE: Binding FreeRadius to the DHCP Server
Thanks Stefan, I really appreciate it. As a matter of fact, if anyone in here has the full knowledge of RADIUS, he wouldn't be registered in this list. I'm not one of them, but I'm CCIE certified and it was an insult. Anyways, thanks again Stefan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stefan Winter
Sent: Wednesday, July 26, 2006 11:28 AM
To: FreeRadius users mailing list
Subject: Re: Binding FreeRadius to the DHCP Server

Hi,

>> > Thanks Michal, I will try this one, but still one more thing. For
>> > the Freeradius to talk to the DHCP, there's a place where I should
>> > configure the DHCP's address. Where should I configure the DHCP
>> > address on the radius so the last one will use the DHCP's IPs.
>>
>> What part of "no there is no way to do that" did you not understand?
>
> Well Phil, since you're not talking in a professional way, and since you feel
> that you are the expert in here, you don't have the right to answer me
> like that. If you know how to read, what part of this you did not understand "
> Thanks Michal, I will try this one, but still one more thing".
> If you were so genius, you would read between the lines and therefore
> recognize that this mail is not destined to you.

The RADIUS protocol doesn't interact with DHCP. FreeRADIUS doesn't do it. There is no place to configure any such thing. You probably are confused about how stuff works.

This was the verbose version of what Phil answered. And to my best knowledge, he is completely right with it.

Greetings,

Stefan Winter (hoping that I have the right to answer to you, wherever your definition of having the right to answer you comes from)

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Engineer, Research & Development
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu      Fax: +352 422473
Re: Binding FreeRadius to the DHCP Server
Hi,

>> > Thanks Michal, I will try this one, but still one more thing. For
>> > the Freeradius to talk to the DHCP, there's a place where I should
>> > configure the DHCP's address. Where should I configure the DHCP
>> > address on the radius so the last one will use the DHCP's IPs.
>>
>> What part of "no there is no way to do that" did you not understand?
>
> Well Phil, since you're not talking in a professional way, and since you feel that
> you are the expert in here, you don't have the right to answer me like
> that. If you know how to read, what part of this you did not understand "
> Thanks Michal, I will try this one, but still one more thing".
> If you were so genius, you would read between the lines and therefore
> recognize that this mail is not destined to you.

The RADIUS protocol doesn't interact with DHCP. FreeRADIUS doesn't do it. There is no place to configure any such thing. You probably are confused about how stuff works.

This was the verbose version of what Phil answered. And to my best knowledge, he is completely right with it.

Greetings,

Stefan Winter (hoping that I have the right to answer to you, wherever your definition of having the right to answer you comes from)

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Engineer, Research & Development
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu      Fax: +352 422473
AW: AW: AW: EAP-TTLS MD5 hashed Passwords in MySQLDatabaseforWPA-802.1xauth
[EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
>>
>> Please read the EARLIER messages in the debug log. It's obvious
>> that the password was NOT read from SQL, so authentication will not
>> work.
>>
>> Get the server to read the password from SQL. Debug log WILL SAY
>> when the appropriate user entry is matched.
>>
>> Alan DeKok.
>
> Well, but why does it work with unix crypt passwords then? And also
> plaintext passwords?
>
> -CP

It generally seems to me to be more of an EAP problem. When I run 'radtest user radiusserver 0 secret' on the shell it works fine. When changing around the Attribute field I get wrong Attribute errors. But with the User-Password attribute I get that strange

modcall: leaving group authorize (returns ok) for request 5
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
TTLS: Got tunneled reply RADIUS code 3
TTLS: Got tunneled Access-Reject

error when doing EAP. With radtest it works fine.

-CP
RE: Binding FreeRadius to the DHCP Server
Well Phil, since you're not talking in a professional way, and since you feel that you are the expert in here, you don't have the right to answer me like that. If you know how to read, what part of this you did not understand " Thanks Michal, I will try this one, but still one more thing". If you were so genius, you would read between the lines and therefore recognize that this mail is not destined to you.

Anyway, I will not lower my answers to your level more than that. So cheer up.

Regards
Elie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Mayers
Sent: Wednesday, July 26, 2006 10:46 AM
To: FreeRadius users mailing list
Subject: Re: Binding FreeRadius to the DHCP Server

Elie Hani wrote:
> Thanks Michal, I will try this one, but still one more thing. For
> the Freeradius to talk to the DHCP, there's a place where I should
> configure the DHCP's address. Where should I configure the DHCP
> address on the radius so the last one will use the DHCP's IPs.
>

What part of "no there is no way to do that" did you not understand?
Re: EAP doest work with Cisco Catalyst 2950?
Thai Duong wrote:
> I can be sure the client certificate has the Enhanced Key Usage showing Client Authentication (1.3.6.1.5.5.7.3.2). I have no way to verify whether the server certificate contains proper OID but here is

openssl x509 -noout -text -in theserver.crt

...will show things like:

X509v3 Key Usage: Digital Signature, Key Encipherment
X509v3 Extended Key Usage: TLS Web Server Authentication

...the latter being the one you're looking for.

As Alan says, it's almost certainly OIDs, but regardless the problem is not at the FreeRadius side - you should look to the debugging on the Cisco switch and/or the Windows client ("netsh * set tracing on" and logfiles somewhere under c:\windows)
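A script form of the check Phil describes, added here as an example and not code from the thread: it runs openssl x509 -noout -text on a certificate and looks for "TLS Web Server Authentication" under the Extended Key Usage, and builds two throwaway self-signed certificates (one with serverAuth, one with only clientAuth) to show a passing and a failing case. It assumes an openssl CLI of 1.1.1 or newer on PATH (needed for -addext).

```shell
#!/bin/sh
# Added example (not from the list thread): does a PEM certificate carry the
# "TLS Web Server Authentication" EKU that Windows EAP-TLS/PEAP supplicants
# require on the RADIUS server certificate? Assumes openssl >= 1.1.1 on PATH.

# Returns 0 if certificate file $1 has the serverAuth EKU, 1 otherwise.
# -text prints the EKU header on one line and its values on the next,
# so keep one line of context after the header before matching.
has_server_auth_eku() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Constructed test data: two self-signed certs in a temp dir. good.crt has
# serverAuth; bad.crt (a misissued server cert) has only clientAuth.
# Prints the directory so the caller can clean it up.
make_test_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=radius.example.test' -addext 'extendedKeyUsage=serverAuth' \
        -keyout "$dir/good.key" -out "$dir/good.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=radius.example.test' -addext 'extendedKeyUsage=clientAuth' \
        -keyout "$dir/bad.key" -out "$dir/bad.crt" 2>/dev/null
    echo "$dir"
}

# Usage: ./check_eku.sh /path/to/theserver.crt
if [ -n "$1" ]; then
    if has_server_auth_eku "$1"; then
        echo "$1: serverAuth EKU present"
    else
        echo "$1: serverAuth EKU missing (Windows clients will reject it)"
    fi
fi
```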
Re: Binding FreeRadius to the DHCP Server
Elie Hani wrote:
> Thanks Michal, I will try this one, but still one more thing. For the Freeradius to talk to the DHCP, there's a place where I should configure the DHCP's address. Where should I configure the DHCP address on the radius so the last one will use the DHCP's IPs.

What part of "no there is no way to do that" did you not understand?
Re: mysql libraries are there BUT not found
Roger Thomas wrote:
> What have I done wrong? Please advise.
>
> --
> Roger

I just used --with-mysql-dir=/usr/local/mysql-5.0.21 and it worked.

--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 07776 210516
Re: UPDATE RADACCT problem
Hi,

> radius_xlat: 'UPDATE radacct SET AcctStopTime = '2006-07-26 09:39:57',
> AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '',
> AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE
> AcctSessionId = '[EMAIL PROTECTED]' AND UserName = '
> [EMAIL PROTECTED]' AND NASIPAddress = '127.0.0.1''
>
> here I need to UPDATE radacct only with WHERE acctsessionid= " " AND
> NASIPAddress=" " but not with Username
>
> so can anybody please tell me where I have to change this in Freeradius
>
> this is a very urgent issue for me so please give me a reply as soon as
> possible.

sql.conf contains the queries to be executed. Modify them to your liking.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Engineer, Research & Development
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu      Fax: +352 422473
UPDATE RADACCT problem
Hi all,

I am using Freeradius-1.1.2 with SER for accounting purposes. Everything is going well till now; here I need some help regarding FreeRadius:

When acct starts the radius server is writing the acct start time stamp in the radacct table, and when acct stops it again updates the radacct table by writing the acct stop time to the radacct table. So, here when updating the radacct table it looks like this:

radius_xlat: 'UPDATE radacct SET AcctStopTime = '2006-07-26 09:39:57', AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '[EMAIL PROTECTED]' AND UserName = ' [EMAIL PROTECTED]' AND NASIPAddress = '127.0.0.1''

Here I need to UPDATE radacct only with WHERE acctsessionid= " " AND NASIPAddress=" " but not with Username.

So can anybody please tell me where I have to change this in Freeradius? This is a very urgent issue for me so please give me a reply as soon as possible.

Thank You,

Regards,
Ravi.
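The radius_xlat line above is the expansion of accounting_stop_query in sql.conf. As an added example that is not from the thread, here is that query in the shape the log implies (reconstructed from the expanded UPDATE; compare it with the query in your installed sql.conf rather than pasting blindly, since the stock text differs between releases) next to the variant the question asks for, which matches only on session id and NAS. Note that in the logged query the UserName value starts with a space (' [EMAIL PROTECTED]'); a value that does not match what the start record wrote is one reason the row would never be updated, and trimming that at the source is worth checking before widening the WHERE clause.

```conf
# sql.conf, inside the sql { ... } section.
# Stop query as reconstructed from the radius_xlat output above
# (each query stays on one line in sql.conf).
accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"

# Variant the poster asks for: match the open session on AcctSessionId and
# NASIPAddress only. This relies on Acct-Session-Id being unique per NAS;
# the UserName condition in the query above is an extra guard against
# closing the wrong row when a NAS reuses session ids.
accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND NASIPAddress = '%{NAS-IP-Address}'"
```

Only one accounting_stop_query may be active; keep the one you want and remove or comment out the other. Run radiusd -X after the change and confirm the expanded UPDATE in the radius_xlat line now carries only the two conditions.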