How to configure the Radius in SSH (22)
Hi Users,

I want to create the RADIUS (AAA) for remote access by using PuTTY in SSH. Can anyone give me clues on that, or any URL or documentation, please, in English.

Thanks and Regards with cheers,
Sunkara Ravi Prakash (LAMP programming)
Hyperion Technology
Kondapur, Hi-tech city, Hyderabad.
www.hyperion-tech.com
+91-9985077535

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Regarding using strcmp instead of memcmp
Hi, this is where the error (UMR & ABR) is occurring, in the following files, while running with Purify.

Command-line: radiusd -X

UMR: Uninitialized memory read (3 times)
This is occurring while in:
    memcmp [rtlib.o]
    cf_expand_variables [conffile.c:369]
                p += strlen(p);
                ptr = end + 1;
     =>     } else if (memcmp(ptr, "$ENV{", 5) == 0) {
                char *env;
                ptr += 5;
    cf_section_read [conffile.c:785]
                /*
                 * Handle variable substitution via ${foo}
                 */
     =>         value = cf_expand_variables(cf, lineno, cs, buf, buf3);
                if (!value) {
                    cf_section_free(&cs);
                    return NULL;
    conf_read [conffile.c:834]
                return NULL;
            }
     =>     if(parent) {
                cs = cf_section_read(conffile, &lineno, fp, NULL, NULL, parent);
            } else {
                cs = cf_section_read(conffile, &lineno, fp, NULL, NULL, NULL);
    read_radius_conf_file [mainconfig.c:1145]
                radlog(L_ERR|L_CONS, "radius_dir : %s",radius_dir);
            if ((cs = conf_read(NULL, 0, buffer, NULL)) == NULL) {
     =>         return NULL;
            }
            /*
    read_mainconfig [mainconfig.c:1190]
            /* First read radiusd.conf */
            DEBUG2("reread_config: reading radiusd.conf");
            if ((cs = read_radius_conf_file()) == NULL) {
     =>         if (debug_flag || (radlog_dir == NULL)) {
                    radlog(L_ERR|L_CONS, "Errors reading radiusd.conf");
                } else {
Reading 5 bytes from 0xffbe51d0 on the stack (1 byte at 0xffbe51d4 uninit).
Address 0xffbe51d0 is 68 bytes past start of local variable "cs" in function cf_section_read.

And the ABR error as below:

ABR: Array bounds read
This is occurring while in:
    memcmp [rtlib.o]
    rad_respond [radiusd.c:1744]
                        pairfind(request->packet->vps, PW_PASSWORD));
                reprocess = 1;
            }
     =>     if (strcmp(mainconfig.do_nospace_user, "after") == 0) {
                rad_rmspace_pair(request, request->username);
                reprocess = 1;
            }
    main [radiusd.c:1502]
                }
            } else
    #endif
     =>         rad_respond(request, fun);
            } /* loop over listening sockets*/
    #ifdef WITH_SNMP
    _start [crt1.o]
Reading 6 bytes from 0xc5c20 in the heap (3 bytes at 0xc5c23 illegal).
Address 0xc5c20 is at the beginning of a malloc'd block of 3 bytes.
This block was allocated from:
    malloc [rtlib.o]
    strdup [libc.so.1]
    cf_section_parse [conffile.c:527]
                       cs->name1, variables[i].name, value ? value : "(null)");
     =>         *q = value ? strdup(value) : NULL;
                break;
            case PW_TYPE_IPADDR:
    read_radius_conf_file [mainconfig.c:1153]
             * radiusd.conf, the other configuration files exist.
             */
            cf_section_parse(cs, NULL, server_config);

Thanks & Regards
Ravi
Tech Mahindra, formerly Mahindra-British Telecom.
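The Purify report above flags memcmp(ptr, "$ENV{", 5) reading five bytes regardless of where the string ends. As an added illustration (not FreeRADIUS's own code and not a patch for it), here is a simplified $ENV{NAME} expander whose prefix check uses strncmp, which stops at the terminator; the function names and the sample variable are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Prefix test that stops at the end of `s`.  strncmp() returns as soon as
 * it sees a differing byte or a NUL in either argument, so it never reads
 * beyond the terminator of a short string.  memcmp(s, "$ENV{", 5) has no
 * such stop: it always touches 5 bytes of `s`, which is the over-read
 * Purify reports when fewer than 5 initialised bytes remain.
 */
int has_prefix(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/*
 * Expand one "$ENV{NAME}" reference starting at `ptr` into `out`.
 * Returns the number of input bytes consumed (through the closing brace),
 * or 0 when `ptr` does not start a complete, well-formed reference.
 * An unset variable expands to the empty string.
 */
size_t expand_env_ref(const char *ptr, char *out, size_t outlen)
{
    const char *name, *end, *value;
    size_t namelen;
    char namebuf[64];

    if (!has_prefix(ptr, "$ENV{")) return 0;
    name = ptr + 5;
    end = strchr(name, '}');                 /* strchr stops at NUL too */
    if (end == NULL) return 0;               /* unterminated reference */
    namelen = (size_t)(end - name);
    if (namelen == 0 || namelen >= sizeof(namebuf)) return 0;
    memcpy(namebuf, name, namelen);
    namebuf[namelen] = '\0';

    value = getenv(namebuf);
    if (value == NULL) value = "";
    if (strlen(value) >= outlen) return 0;   /* would not fit */
    strcpy(out, value);
    return (size_t)(end - ptr) + 1;
}

/*
 * Copy `line` to `out`, expanding every $ENV{NAME} on the way.  Bytes that
 * do not start a reference (a bare '$', or the ${foo} form the real server
 * handles elsewhere) are copied through unchanged.
 * Returns 0 on success, -1 on a malformed reference or output overflow.
 */
int expand_env_line(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    size_t o = 0;

    while (*p != '\0') {
        if (has_prefix(p, "$ENV{")) {
            char value[256];
            size_t used = expand_env_ref(p, value, sizeof(value));
            size_t vlen;
            if (used == 0) return -1;
            vlen = strlen(value);
            if (o + vlen >= outlen) return -1;
            memcpy(out + o, value, vlen);
            o += vlen;
            p += used;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return 0;
}

/*
 * Self-check on constructed input: one variable is set (hypothetical name),
 * a config-style line is expanded, and an unterminated reference must be
 * rejected rather than read past the end of the string.  Returns 1 if ok.
 */
int expand_env_self_test(void)
{
    char out[256];
    if (setenv("GR_RADIUS_DIR", "/opt/radius/etc", 1) != 0) return 0;
    if (expand_env_line("confdir = $ENV{GR_RADIUS_DIR}/raddb", out, sizeof(out)) != 0)
        return 0;
    if (strcmp(out, "confdir = /opt/radius/etc/raddb") != 0) return 0;
    return expand_env_line("x = $ENV{HOME", out, sizeof(out)) == -1;
}

int main(void)
{
    printf("self test: %s\n", expand_env_self_test() ? "ok" : "FAILED");
    /* A trailing "$E" is shorter than the prefix: strncmp stops safely. */
    printf("has_prefix(\"$E\", \"$ENV{\") = %d\n", has_prefix("$E", "$ENV{"));
    return 0;
}
```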
RE: Query to know radius disconnect request and Ack is supported infreeradius
Hi Alan,

Thanks for replying, sorry for the inconvenience caused.

Regards
Shankar ganesh

-Original Message-
From: [EMAIL PROTECTED] org [mailto:[EMAIL PROTECTED] eradius.org] On Behalf Of Alan DeKok
Sent: Thursday, August 17, 2006 8:30 PM
To: FreeRadius users mailing list
Subject: Re: Query to know radius disconnect request and Ack is supported infreeradius

Shankar Ganesh C <[EMAIL PROTECTED]> wrote many times:
> Could some body help me to know whether Radius disconnect and Ack messages
> are supported in free radius as defined in RFC 2822 ?

It's RFC 3576, not 2822. And FreeRADIUS doesn't support receiving them, but radclient will send them.

And do NOT send the same message many times, to both the users & the devel list. It's unfriendly.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
PAP/mysql/crypt stuff
After working on this off and on for the last few days I believe I have gotten authentication working using a crypt'd password stored in MySQL, but want to run this by to make sure I did it right.

I set up a user in radcheck:

    tester | Crypt-Password | == | gmxwp4dfOcHAI

In radgroupreply:

    admin | Service-Type | := | Administrative-User

In radgroupcheck:

    admin | Auth-Type | := | PAP

Then when I telnet to the NAS, I can log in using tester with the right password and get a NAS prompt. I have to move one of our T1's to this test NAS to test PPP, but for now it seems to be working using PAP authentication with the encrypted password stored in MySQL.

Is this the correct way to do this?

Thanks for any info.

Keith
Re: More documentation on Auth-Type
Just managed to try your 2nd suggestion... but it is giving the below error in the debug logs; refer to the debug logs.

    ERROR: Unknown value specified for Auth-Type. Cannot perform requested action

    modules {
        ldap ldap1 {
            basedn = "ou=RADIUS.."
            set_auth_type = yes
        }
        ldap ldapdialup1 {
            basedn = "ou=DIALUP.."
            set_auth_type = yes
        }
    }

    authorize {
        Autz-Type LDAP {
            ldap1
        }
        Autz-Type DIALUP {
            ldapdialup1
        }
    }

    authenticate {
        Auth-Type ldap1 {
            ldap1
        }
        Auth-Type ldapdialup1 {
            ldapdialup1
        }
    }

    DEFAULT ldapdialup1-Ldap-Group == "REAL", Autz-Type := DIALUP
    DEFAULT Autz-Type := LDAP

    rlm_ldap: performing user authorization for bacang
    radius_xlat: '(uid=bacang)'
    radius_xlat: 'ou=RADIUS,ou=People,.'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to :389, authentication 0
    rlm_ldap: bind as cn=Sysadmin,ou=Applications,./x to xxx:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=RADIUS,ou=People,..., with filter (uid=bacang)
    rlm_ldap: checking if remote access for bacang is allowed by attrRoaming
    rlm_ldap: Added password {CRYPT}Y3EhshegMNPxA in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11
    rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11
    rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
    rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
    rlm_ldap: user bacang authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module "ldap1" returns ok for request 0
    modcall: group Autz-Type returns ok for request 0
    rad_check_password: Found Auth-Type LDAP
    auth: type "LDAP"
    ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
    auth: Failed to validate the user.
    Login incorrect: [bacang] (from client sysadmin port 0)

- Original Message -
From: "Phil Mayers" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Tuesday, August 08, 2006 6:28 PM
Subject: Re: More documentation on Auth-Type

Rohaizam Abu Bakar wrote:
> any docs to help on my problem... ?
> in doc/rlm_ldap, there is section about LDAP XLAT.. Is it the one ?

As far as I know, you should be able to do something like:

    modules {
        files {
            usersfile = users
        }
        files wireless_files {
            usersfile = wireless_users
        }
        files vpn_files {
            usersfile = vpn_users
        }
        ldap {
            basedn = "%{reply:Tmp-String-1}"
            ...
        }
    }

    authorize {
        files
        Autz-Type WIRELESS {
            wireless_files
            ldap
        }
        Autz-Type VPN {
            vpn_files
            ldap
        }
    }

users:

    DEFAULT Huntgroup-Name == "whatever", Autz-Type := WIRELESS
    DEFAULT Huntgroup-Name == "something", Autz-Type := VPN

users_vpn:

    DEFAULT Tmp-String-1 = "ou=vpnusers,dc=mydomain,dc=org"

users_wireless:

    DEFAULT Tmp-String-1 = "ou=wireless,dc=anotherdomain,dc=com"

You may need to add Tmp-String-1 to a local dictionary if you're running an older server, e.g. in "dictionary":

    ATTRIBUTE Tmp-String-1 3000 string

Alternatively, 1.1.0 and up can do this I think?

    modules {
        ldap wireless_ldap {
            basedn = "ou=wireless,dc=domain,dc=com"
            set_auth_type = yes
        }
        ldap vpn_ldap {
            basedn = "ou=vpn,dc=example,dc=org"
            set_auth_type = yes
        }
        files {
            ...
        }
    }

    authorize {
        preprocess
        files
        Autz-Type WIRELESS {
            wireless_ldap
        }
        Autz-Type VPN {
            vpn_ldap
        }
    }

    authenticate {
        Auth-Type wireless_ldap {
            wireless_ldap
        }
        Auth-Type vpn_ldap {
            vpn_ldap
        }
    }

and in users:

    DEFAULT Huntgroup-Name == "VPN", Autz-Type := VPN
    DEFAULT Huntgroup-Name == "WIRELESS", Autz-Type := WIRELESS

Basically, what happens then is:

1. preprocess run
2. files run, autz-type set
3. authorize re-run, autz-type section run
4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is NOT SET, set Auth-Type to "modulename" - i.e. "wireless_ldap" or "vpn_ldap"
5. authenticate run, appropriate LDAP module run
Re: Active Directory Users
"Mohammad Abohelal" <[EMAIL PROTECTED]> wrote:
> No ldap? Why? The active directory services based LDAP.

Yes, for everything but passwords. Active Directory does not supply passwords through LDAP. There is nothing you can do to make it supply passwords through LDAP.

Use ntlm_auth.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Active Directory Users
No ldap? Why? The Active Directory services are based on LDAP. Sorry, I don't understand why... :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Domingo Antonio
Sent: Thursday, August 17, 2006 9:58 PM
To: 'FreeRadius users mailing list'
Subject: RES: Active Directory Users

no ldap.. you need to use ntlm authentication
you need to configure your samba as ADS security mode, add samba to AD and start winbind service...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Mohammad Abohelal
Sent: Thursday, August 17, 2006 17:45
To: freeradius-users@lists.freeradius.org
Subject: Active Directory Users

[...]
Re: rlm_proxy problems
Alan DeKok wrote:
> Geoff Silver <[EMAIL PROTECTED]> wrote:
> > Red Hat Enterprise Linux 3.0. Also has the same build issues on my RedHat EL4.0 dev system.
>
> Weird. It works for me on FC4, and many other OSes.
>
> > We were previously using FreeRADIUS 1.1.0, which built fine. IIRC, the problem surfaced in 1.1.1,
> > which is why we're still using 1.1.0 (was hoping it would be fixed in 1.1.2...)
>
> Maybe 1.1.3.
>
> So... does the patch in the bug apply to 1.1.0, and does it solve the problem?

As I can only reproduce it in production, we've slated an install for Monday morning. I'll be watching it very closely and will let you know Monday afternoon whether or not it helped.

Thanks.
Re: Garbled class attribute?
Ah ok. So it appears the network guys are doing something non-compliant with the RFCs around here. I hate that, but I'm not going to be able to change it either, so I'll just maintain a small patch for our environment.

Thanks for clearing that up.

Alan DeKok wrote:
> Geoff Silver <[EMAIL PROTECTED]> wrote:
> > As a side note, I had to change the Class attribute in dictionary.rfc2865 to
> > be a string, *not* octets. I changed:
> > to make it work (and be readable), though I can't tell if that's just an
> > oddity of the Cisco VPN 3000 and the way it was previously implemented here
> > or what. According to the RFC:
>
> The dictionaries are solely for internal server purposes. The reason Class is "octets" in the FreeRADIUS dictionaries is that it can contain binary data.
>
> > String
> >
> > The String field is one or more octets. The actual format of the
> > information is site or application specific, and a robust
> > implementation SHOULD support the field as undistinguished octets.
>
> The original RFC's had "string" type for both printable & binary data. FreeRADIUS moved to "string" and "octets", and the RFC's moved to "text" and "string".
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Garbled class attribute?
Geoff Silver <[EMAIL PROTECTED]> wrote:
> As a side note, I had to change the Class attribute in dictionary.rfc2865 to
> be a string, *not* octets. I changed:
> to make it work (and be readable), though I can't tell if that's just an
> oddity of the Cisco VPN 3000 and the way it was previously implemented here
> or
> what. According to the RFC:

The dictionaries are solely for internal server purposes. The reason Class is "octets" in the FreeRADIUS dictionaries is that it can contain binary data.

> String
>
> The String field is one or more octets. The actual format of the
> information is site or application specific, and a robust
> implementation SHOULD support the field as undistinguished octets.

The original RFC's had "string" type for both printable & binary data. FreeRADIUS moved to "string" and "octets", and the RFC's moved to "text" and "string".

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Garbled class attribute?
Stefan Winter wrote:
> > > It works for me, so my guess is that something else in your
> > > configuration is setting Class to that value.
> >
> > Okay, I'll bite - so what on earth might be causing that? I'm not doing
> > any rewriting, and both the Filter-Id and the Split-Tunnel-List attributes
> > come back as strings. I thought maybe it was getting confused on the Class
> > since it contains an =, but changing that to an _ doesn't help. Is this
> > perhaps coming back from the proxy server, and if so, is there a way to use
> > my local Class attribute instead?
>
> Well, you can use := instead of = , this overwrites any Class attribute that a proxy may have sent. See if that helps.
>
> Stefan

Setting Proxy-to-Realm=UAS doesn't seem to work... not sure why. Nevertheless, configuring attr_filter to only use attributes I care about from the proxy seems to work just fine.

As a side note, I had to change the Class attribute in dictionary.rfc2865 to be a string, *not* octets. I changed:

    ATTRIBUTE Class 25 octets

to

    ATTRIBUTE Class 25 string

to make it work (and be readable), though I can't tell if that's just an oddity of the Cisco VPN 3000 and the way it was previously implemented here or what. According to the RFC:

    5.25. Class

    Description

        This Attribute is available to be sent by the server to the client in
        an Access-Accept and SHOULD be sent unmodified by the client to the
        accounting server as part of the Accounting-Request packet if
        accounting is supported. The client MUST NOT interpret the attribute
        locally.

    A summary of the Class Attribute format is shown below. The fields are
    transmitted from left to right.

        0                   1                   2
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
       |     Type      |    Length     |  String ...
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

    Type
        25 for Class.

    Length
        >= 3

    String
        The String field is one or more octets. The actual format of the
        information is site or application specific, and a robust
        implementation SHOULD support the field as undistinguished octets.

        The codification of the range of allowed usage of this field is
        outside the scope of this specification.
RES: Active Directory Users
http://samba.org/ftp/unpacked/lorikeet/pppd/final-report.pdf#search=%22freeradius%20net%20join%20ads%22

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Domingo Antonio
Sent: Thursday, August 17, 2006 16:58
To: 'FreeRadius users mailing list'
Subject: RES: Active Directory Users

no ldap.. you need to use ntlm authentication
you need to configure your samba as ADS security mode, add samba to AD and start winbind service...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Mohammad Abohelal
Sent: Thursday, August 17, 2006 17:45
To: freeradius-users@lists.freeradius.org
Subject: Active Directory Users

[...]
RES: Active Directory Users
no ldap.. you need to use ntlm authentication
you need to configure your samba as ADS security mode, add samba to AD and start winbind service...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Mohammad Abohelal
Sent: Thursday, August 17, 2006 17:45
To: freeradius-users@lists.freeradius.org
Subject: Active Directory Users

[...]
Active Directory Users
Hi all

I need help with a simple configuration to authenticate Windows Active Directory users via FreeRADIUS.

I have a domain controller, a Cisco VPDN router, and a FreeRADIUS UNIX environment (FreeBSD).

Active Directory group: VPDN; the user names have the "allow dial-in" option set on the user.

radiusd.conf ldap configuration:

    ldap {
        server = "ad.xxx.yyy"
        identity = "CN=radiusd,OU=External_Object,DC=xxxl,DC=yyy"
        password = radiusd111
        basedn = "OU=VPDN_USERS,OU=External_Object,DC=xxx,DC=yyy"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
    }

When I try to connect via the L2TP dialer I get the error (auth: Failed to validate the user):

    modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type LDAP
    auth: type "LDAP"
    Processing the authenticate section of radiusd.conf
    modcall: entering group LDAP for request 0
    rlm_ldap: - authenticate
    rlm_ldap: login attempt by "vpdn1" with password ""
    radius_xlat: '(uid=vpdn1)'
    radius_xlat: 'OU=VPDN_USERS,OU=External_Object,DC=xxxl,DC=yyy'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to ad.xxx.yyy:389, authentication 0
    rlm_ldap: bind as CN=radiusd,OU=External_Object,DC=xxx,DC=yyy/radiusd111 to ad.xxx.yyy:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in OU=VPDN_USERS,OU=External_Object,DC=xxx,DC=yyy, with filter (uid=vpdn1)
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authenticate]: module "ldap" returns notfound for request 0
    modcall: leaving group LDAP (returns notfound) for request 0
    auth: Failed to validate the user.
    Login incorrect (rlm_ldap: User not found): [vpdn1/ (from client wan-gw1 port 25)
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
    Thread 1 waiting to be assigned a request
    rad_recv: Access-Request packet from host 194.90.143.73:1645, id=20, length=102
    Sending Access-Reject of id 20 to 194.90.143.73 port 1645
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 20 with timestamp 44e4c472
    Nothing to do. Sleeping until we see a request.

Thank you
Mohammad
Re: Garbled class attribute?
> > It works for me, so my guess is that something else in your
> > configuration is setting Class to that value.
>
> Okay, I'll bite - so what on earth might be causing that? I'm not doing
> any rewriting, and both the Filter-Id and the Split-Tunnel-List attributes
> come back as strings. I thought maybe it was getting confused on the Class
> since it contains an =, but changing that to an _ doesn't help. Is this
> perhaps coming back from the proxy server, and if so, is there a way to use
> my local Class attribute instead?

Well, you can use := instead of = , this overwrites any Class attribute that a proxy may have sent. See if that helps.

Stefan

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: Garbled class attribute?
I always hate replying to my own problem, but I just figured this out. Turns out that we're proxying auth to a backend server, which was returning a garbled Class attribute, therefore *my* Class attribute wasn't being returned. I configured $confdir/attrs to filter it and it appears to work now.

Still need to test the proxy load patch this afternoon, but I'm one step closer... ;-)

Alan DeKok wrote:
> Geoff Silver <[EMAIL PROTECTED]> wrote:
> > I have a bunch of users which should have a class attribute returned
> > upon successful authentication. Their entries look something like:
> >
> > bob     NAS-IP-Address == 172.31.33.66, Hint==HasSlash Auth-Type:=Accept
> >         Class = "OU=MY_CORP",
> >         Filter-Id = "SPCCOLO_O",
> >         Split-Tunneling-Policy = 1,
> >         Split-Tunnel-List = "SPCCOLO_ST"
> >
> > What they're actually getting back is:
> >
> > Packet-Type = Access-Accept
> > User-Name = "bob"
> > Class = 0x3739774831423272375053516a71424143444358434979507544493d
> >
> > Which is '79...'
>
> It works for me, so my guess is that something else in your configuration is setting Class to that value.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Garbled class attribute?
Alan DeKok wrote:
> Geoff Silver <[EMAIL PROTECTED]> wrote:
> > I have a bunch of users which should have a class attribute returned
> > upon successful authentication. Their entries look something like:
> >
> > bob     NAS-IP-Address == 172.31.33.66, Hint==HasSlash Auth-Type:=Accept
> >         Class = "OU=MY_CORP",
> >         Filter-Id = "SPCCOLO_O",
> >         Split-Tunneling-Policy = 1,
> >         Split-Tunnel-List = "SPCCOLO_ST"
> >
> > What they're actually getting back is:
> >
> > Packet-Type = Access-Accept
> > User-Name = "bob"
> > Class = 0x3739774831423272375053516a71424143444358434979507544493d
> >
> > Which is '79...'
>
> *nod*.
>
> It works for me, so my guess is that something else in your configuration is setting Class to that value.

Okay, I'll bite - so what on earth might be causing that? I'm not doing any rewriting, and both the Filter-Id and the Split-Tunnel-List attributes come back as strings. I thought maybe it was getting confused on the Class since it contains an =, but changing that to an _ doesn't help. Is this perhaps coming back from the proxy server, and if so, is there a way to use my local Class attribute instead?

My users file has a whole bunch of entries that look like the above, mostly like:

    bob     NAS-IP-Address == 172.31.33.66, Hint==HasSlash, Proxy-To-Realm:=UAS
            Class = "OU=MY_CORP",
            Filter-Id = "SPCCOLO_O",
            Split-Tunneling-Policy = 1,
            Split-Tunnel-List = "SPCCOLO_ST"

My hints file looks like:

    DEFAULT User-Password =~ ".*/.*"
            Hint = HasSlash

My proxy.conf looks like:

    proxy server {
        synchronous = no
        retry_delay = 5
        retry_count = 1
        dead_time = 300
        default_fallback = yes
        post_proxy_authorize = yes
    }

    realm UAS {
        type = radius
        authhost = radius.domain.com:1812
        secret = MySecretKey
    }

And my radiusd.conf looks uninterestingly like the following (note that the syslog sections are part of rlm_syslog which I submitted a while back):

    ##
    ## radiusd.conf -- FreeRADIUS server configuration file.
    ##
    prefix = /opt/radius
    exec_prefix = ${prefix}
    sysconfdir = /opt/radius/etc
    localstatedir = /var
    sbindir = /opt/radius/sbin
    logdir = /var/log/radius
    raddbdir = /opt/radius/etc
    radacctdir = /var/log/radius
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/radiusd
    log_file = ${logdir}/radius.log
    libdir = ${exec_prefix}/lib
    pidfile = ${run_dir}/radiusd.pid
    checkrad = ${sbindir}/checkrad
    user = radius
    group = radius
    max_request_time = 30
    delete_blocked_requests = no
    cleanup_delay = 5
    max_requests = 1024
    listen {
        ipaddr = *
        port = 1645
        type = auth
    }
    listen {
        ipaddr = *
        port = 1646
        type = acct
    }
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log_stripped_names = no
    log_auth = yes
    log_auth_badpass = no
    log_auth_goodpass = no
    usercollide = no
    lower_user = yes
    lower_pass = no
    nospace_user = before
    nospace_pass = no
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
    }
    $INCLUDE ${confdir}/clients.conf
    snmp = no
    #$INCLUDE ${confdir}/snmp.conf
    thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
    }
    modules {
        preprocess {
            huntgroups = ${confdir}/huntgroups
            hints = ${confdir}/hints
        }
        files {
            usersfile = ${confdir}/users
            compat = no
        }
        uas {
        }
        syslog acct_log {
            loglevel = "info"
            logfacility = "local3"
            logname = "radiusd-acct"
        }
        syslog auth_log {
            hidepasswd = yes
            loglevel = "info"
            logfacility = "local3"
            logname = "radiusd-auth"
        }
        syslog reply_log {
            hidepasswd = yes
            # Some of this may be redundant, but it pretty much ensures
            # we get a unique identifier in every reply log message
            logextra = "User-Name = %{User-Name},Client-IP-Address = %{Client-IP-Address},NAS-IP-Address = %{NAS-IP-Address},NAS-Port = %{NAS-Port}"
            loglevel = "info"
            logfacility = "local3"
            logname = "radiusd-auth"
        }
        acct_unique {
            key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }
        always fail {
            rcode = fail
        }
        always reject {
            rcode = reject
        }
        always ok {
            rcode = ok
            simulcount = 0
            mpp = no
        }
        expr {
        }
        digest {
        }
        exec {
Re: Pretty easy question, I think? :D
"Drew Weaver" <[EMAIL PROTECTED]> wrote:
> Thu Aug 17 11:06:51 2006 : Debug: rad_check_password: Found Auth-Type System
> Thu Aug 17 11:06:51 2006 : Debug: auth: type "System"
> Thu Aug 17 11:06:51 2006 : Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.

That happens only if you edited the default config to break it.

> This is my module configuration:
>
> unix {
>         cache = no
>         cache_reload = 600
>         passwd = /etc/passwd
>         group = /etc/group

You probably don't want to un-comment the passwd, etc. lines. They're commented out in the default config for a reason.

Please, the "unix" module is listed *elsewhere* in radiusd.conf, in the "authorize" and "authenticate" sections. You've probably deleted it from both. Don't do that.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Regarding using strcmp instead of memcmp
"Ravi S M" <[EMAIL PROTECTED]> wrote:
> I am trying to run free radius code with purify , it is giving errors as
>
> UMR: Uninitialized memory read (13 times) in memcmp
>
> Reading 5 bytes from 0xffbdd108 on the stack (1 byte at 0xffbdd10c uninit).
>
> Address 0xffbdd108 is 4 bytes past start of local variable
> "cs" in function

... which function?

It's nice that there's a bug report, but you haven't given us any information that will let us fix it.

> So can I use strcmp instead of memcmp . because if I use strcmp instead
> of memcmp the error is not coming

That's nice... do you have a patch?

> Please I would be grateful if you can provide some useful information
> regarding this

What would you have us say? It looks like you found a bug, but until you tell us where, we can't do a thing to help you.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: user specific settings in users file overwritten by DEFAULT settings?
Hi,

> Can anyone tell me why the radius server is ignoring the isdn entry in
> the users file and instead returning the DEFAULT entry?

All of your entries specify Fall-Through = 1 / Yes (which is the same, AFAIK). So, the entries of isdn get read, but then overwritten by the later DEFAULT matches. If you don't want that to happen, remove the Fall-Through line in the isdn user. Then processing will stop directly after isdn has matched, and its contents will be used.

Greetings,

Stefan Winter
--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: user specific settings in users file overwritten by DEFAULT settings?
"Drew Weaver" <[EMAIL PROTECTED]> wrote:
> Can anyone tell me why the radius server is ignoring the isdn entry in
> the users file and instead returning the DEFAULT entry?

It's not. The debug output you posted shows it IS matching the isdn entry, but that it is ALSO matching the later DEFAULT entries. So the later entries over-ride the values you set earlier.

The most likely solution is for you to remove the 'Fall-Through = 1' from the isdn entry. That way it won't continue. See the "man" page.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Garbled class attribute?
Geoff Silver <[EMAIL PROTECTED]> wrote:
> I have a bunch of users which should have a class attribute returned upon
> successful authentication. Their entries look something like:
>
> bob NAS-IP-Address == 172.31.33.66, Hint==HasSlash Auth-Type:=Accept
>         Class = "OU=MY_CORP", Filter-Id = "SPCCOLO_O",
>         Split-Tunneling-Policy = 1, Split-Tunnel-List = "SPCCOLO_ST"
>
> What they're actually getting back is:
>
> Packet-Type = Access-Accept
> User-Name = "bob"
> Class = 0x3739774831423272375053516a71424143444358434979507544493d

Which is '79...'

It works for me, so my guess is that something else in your configuration is setting Class to that value.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with character Ä in username/password
"Velusamy, Vinodh" <[EMAIL PROTECTED]> wrote:
> There seems to be a problem if the username/password contain the character Ä,
> when trying to authenticate via freeradius.

No, go back and read the output again:

> rad_recv: Access-Request packet from host 127.0.0.1:33292, id=245, length=98
>         User-Name = "\303\251\303\242\303\244\303\245\303\247\303\252\303\250\303\257\303\256\303\254\303\204\303\246\303\264\303\262\303\273"
>         User-Password = "\222\023S~\345v\322\250\207\216\261\206\242J\301\301\251\006\233\026N\374\014\213\036c\022'\220\r\370\210"

That's the real contents of the packet. The '?' is printed simply because it replaces a non-ASCII character.

Are you sending the server UTF-8 strings in the User-Name? What client are you using?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
user specific settings in users file overwritten by DEFAULT settings?
I have a user specified in my users file like this:

isdn    Auth-Type = System
        Service-Type = Framed,
        Framed-Protocol = MPP,
        Framed-Routing = None,
        Ascend-Maximum-Time = 18000,
        Ascend-Idle-Limit = 900,
        Ascend-Assign-IP-Pool = 0,
        Ascend-Maximum-Channels = 2,
        Fall-Through = "1"

Then at the bottom of the file I have:

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Ascend-Maximum-Time = 18000,
        Idle-Timeout = 900

When I authenticate as this user, I see:

Thu Aug 17 13:18:26 2006 : Debug: users: Matched isdn at 21
Thu Aug 17 13:18:26 2006 : Debug: users: Matched DEFAULT at 133
Thu Aug 17 13:18:26 2006 : Debug: users: Matched DEFAULT at 135
Thu Aug 17 13:18:26 2006 : Debug: users: Matched DEFAULT at 140
Thu Aug 17 13:18:26 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 5
Thu Aug 17 13:18:26 2006 : Debug: modcall[authorize]: module "files" returns ok for request 5
Thu Aug 17 13:18:26 2006 : Debug: modcall: group authorize returns ok for request 5
Thu Aug 17 13:18:26 2006 : Debug: rad_check_password: Found Auth-Type System
Thu Aug 17 13:18:26 2006 : Debug: auth: type "System"
Thu Aug 17 13:18:26 2006 : Debug: Processing the authenticate section of radiusd.conf
Thu Aug 17 13:18:26 2006 : Debug: modcall: entering group authenticate for request 5
Thu Aug 17 13:18:26 2006 : Debug: modsingle[authenticate]: calling unix (rlm_unix) for request 5
Thu Aug 17 13:18:26 2006 : Debug: HASH: user isdn found in hashtable bucket 59493
Thu Aug 17 13:18:26 2006 : Debug: modsingle[authenticate]: returned from unix (rlm_unix) for request 5
Thu Aug 17 13:18:26 2006 : Debug: modcall[authenticate]: module "unix" returns ok for request 5
Thu Aug 17 13:18:26 2006 : Debug: modcall: group authenticate returns ok for request 5
Thu Aug 17 13:18:26 2006 : Auth: Login OK: [isdn/8293] (from client 192.168.0.3 port 1060 cli 6143677963)
Sending Access-Accept of id 2 to 192.168.0.3:7010
        Service-Type = Framed-User
        Framed-Routing = None
        Ascend-Maximum-Time = 18000
        Ascend-Idle-Limit = 900
        Ascend-Assign-IP-Pool = 0
        Ascend-Maximum-Channels = 2
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Idle-Timeout = 900

Can anyone tell me why the radius server is ignoring the isdn entry in the users file and instead returning the DEFAULT entry?

Thanks,
Andrew
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
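The two replies earlier on this page explain the behaviour; what follows is an added example, not FreeRADIUS code and not part of the thread: a small C model of how a 1.x server walks the users file. It keeps only the rules the thread relies on (entries tried in file order, `==` check items compared against the request, reply items from a later match replacing those of an earlier one, and the walk stopping at the first match that has no Fall-Through), treats `Fall-Through = 1`, `Yes` and `"1"` as the same switch, and feeds it the isdn entry plus the three DEFAULT entries from the post (Service-Type written with its dictionary value name, Framed-User). The Access-Request is constructed: User-Name, Service-Type and Framed-Protocol are set to what the NAS must have sent for the two `==` DEFAULT entries to match.

```c
/* Added example for this page, not FreeRADIUS code: a toy model of how a 1.x
 * server walks the 'users' file, reduced to what this thread relies on. Entries
 * are tried in file order; an entry matches when its name is the User-Name or
 * DEFAULT and every "==" check item equals the request; reply items of a later
 * match replace those of an earlier one; the walk stops after the first match
 * that does not set Fall-Through. Entries and request are modelled on the post. */
#include <string.h>
#include <strings.h>

#define MAX_ITEMS 16
struct item  { const char *attr, *op, *value; };
struct entry { const char *name; struct item check[MAX_ITEMS], reply[MAX_ITEMS]; };
struct list  { struct item pairs[MAX_ITEMS * 4]; int n; };

const char *list_get(const struct list *l, const char *attr) {
    for (int i = 0; i < l->n; i++)
        if (strcmp(l->pairs[i].attr, attr) == 0) return l->pairs[i].value;
    return NULL;
}
static void list_set(struct list *l, const char *attr, const char *value) {
    for (int i = 0; i < l->n; i++)                          /* later match wins */
        if (strcmp(l->pairs[i].attr, attr) == 0) { l->pairs[i].value = value; return; }
    l->pairs[l->n++] = (struct item){ attr, "=", value };
}

/* Fall-Through = 1, Yes or "1" all enable it; surrounding quotes are stripped. */
static int fall_through(const struct item *reply) {
    for (int i = 0; reply[i].attr; i++) {
        if (strcmp(reply[i].attr, "Fall-Through") != 0) continue;
        const char *v = reply[i].value;
        size_t n = strlen(v);
        if (n >= 2 && v[0] == '"' && v[n - 1] == '"') { v++; n -= 2; }
        return (n == 1 && v[0] == '1') || (n == 3 && strncasecmp(v, "yes", 3) == 0);
    }
    return 0;
}

/* Only "==" items decide a match. "=" items such as Auth-Type = System are
 * server config items and do not affect matching; this model does not track them. */
static int entry_matches(const struct entry *e, const struct list *req) {
    const char *user = list_get(req, "User-Name");
    if (strcmp(e->name, "DEFAULT") != 0 && (!user || strcmp(e->name, user) != 0)) return 0;
    for (int i = 0; e->check[i].attr; i++) {
        const char *v = list_get(req, e->check[i].attr);
        if (!strcmp(e->check[i].op, "==") && (!v || strcmp(v, e->check[i].value))) return 0;
    }
    return 1;
}

static int process_users(const struct entry *file, int count, const struct list *req,
                         struct list *reply) {
    int matched = 0;
    reply->n = 0;
    for (int i = 0; i < count; i++) {
        if (!entry_matches(&file[i], req)) continue;
        matched++;
        for (int j = 0; file[i].reply[j].attr; j++)
            if (strcmp(file[i].reply[j].attr, "Fall-Through") != 0)
                list_set(reply, file[i].reply[j].attr, file[i].reply[j].value);
        if (!fall_through(file[i].reply)) break;             /* no Fall-Through: stop */
    }
    return matched;
}

static const struct entry ISDN = { "isdn", { {"Auth-Type", "=", "System"}, {0} },
    { {"Service-Type", "=", "Framed-User"}, {"Framed-Protocol", "=", "MPP"},
      {"Framed-Routing", "=", "None"}, {"Ascend-Maximum-Time", "=", "18000"},
      {"Ascend-Idle-Limit", "=", "900"}, {"Ascend-Assign-IP-Pool", "=", "0"},
      {"Ascend-Maximum-Channels", "=", "2"}, {"Fall-Through", "=", "\"1\""}, {0} } };
static const struct entry DEFAULTS[3] = {
    { "DEFAULT", { {"Auth-Type", "=", "System"}, {0} }, { {"Fall-Through", "=", "1"}, {0} } },
    { "DEFAULT", { {"Service-Type", "==", "Framed-User"}, {0} },
      { {"Framed-IP-Address", "=", "255.255.255.254"}, {"Framed-MTU", "=", "576"},
        {"Service-Type", "=", "Framed-User"}, {"Fall-Through", "=", "Yes"}, {0} } },
    { "DEFAULT", { {"Framed-Protocol", "==", "PPP"}, {0} },
      { {"Framed-Protocol", "=", "PPP"}, {"Framed-Compression", "=", "Van-Jacobson-TCP-IP"},
        {"Ascend-Maximum-Time", "=", "18000"}, {"Idle-Timeout", "=", "900"}, {0} } } };
/* Constructed Access-Request: what the NAS must have sent for both "==" DEFAULTs to match. */
static const struct list REQUEST = { { {"User-Name", "=", "isdn"},
    {"Service-Type", "=", "Framed-User"}, {"Framed-Protocol", "=", "PPP"} }, 3 };
static struct list g_reply;

/* keep_fall_through = 1: the file as posted; 0: isdn without its Fall-Through line. */
int matched_count(int keep_fall_through) {
    struct entry file[4];
    file[0] = ISDN;
    for (int i = 0; i < 3; i++) file[i + 1] = DEFAULTS[i];
    if (!keep_fall_through) {
        int k = 0;
        for (int j = 0; ISDN.reply[j].attr; j++)
            if (strcmp(ISDN.reply[j].attr, "Fall-Through") != 0) file[0].reply[k++] = ISDN.reply[j];
        file[0].reply[k] = (struct item){0};
    }
    return process_users(file, 4, &REQUEST, &g_reply);
}

/* Reply value after the walk, or NULL if the attribute was never set. */
const char *reply_value(int keep_fall_through, const char *attr) {
    matched_count(keep_fall_through);
    return list_get(&g_reply, attr);
}
```

`matched_count(1)` reproduces the four "Matched" lines from the debug output and ends with Framed-Protocol = PPP and the Framed-IP-Address, Framed-MTU and Idle-Timeout items that only the DEFAULT entries supply; `matched_count(0)` stops after isdn and keeps Framed-Protocol = MPP, which is exactly what removing the Fall-Through line buys.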
RE: question about an output
Agreed, it is clear and it does make sense, but did it warrant such a tactless reply? Anyways, I'm feeding the troll so I'll not be reading any more of the thread.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stefan Winter
Sent: 17 August 2006 15:33
To: FreeRadius users mailing list
Subject: Re: question about an output

> /etc/raddb/users[154]: Syntax error: Previous line is missing a trailing
> comma for entry DEFAULT
>
> Basically, it is something in the config file, but is there a way to locate
> the error in this configuration file?

How could this message be any more clear? What do you *think* you have to check, after reading this output, word by word?

Stefan
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473

Communications on or through ioko's computer systems may be monitored or recorded to secure effective system operation and for other lawful purposes. Unless otherwise agreed expressly in writing, this communication is to be treated as confidential and the information in it may not be used or disclosed except for the purpose for which it has been sent. If you have reason to believe that you are not the intended recipient of this communication, please contact the sender immediately. No employee is authorised to conclude any binding agreement on behalf of ioko with another party by e-mail without prior express written confirmation. ioko365 Ltd. VAT reg 656 2443 31. Reg no 3048367. All rights reserved.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem with character Ä in username/password
Hi,

There seems to be a problem if the username/password contain the character Ä, when trying to authenticate via freeradius.

rad_recv: Access-Request packet from host 127.0.0.1:33292, id=245, length=98
        User-Name = "\303\251\303\242\303\244\303\245\303\247\303\252\303\250\303\257\303\256\303\254\303\204\303\246\303\264\303\262\303\273"
        User-Password = "\222\023S~\345v\322\250\207\216\261\206\242J\301\301\251\006\233\026N\374\014\213\036c\022'\220\r\370\210"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "[EMAIL PROTECTED]", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_unix: [EMAIL PROTECTED]: invalid password
modcall[authenticate]: module "unix" returns reject for request 1
modcall: leaving group authenticate (returns reject) for request 1
auth: Failed to validate the user.
WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---

I am using version 1.1.0 on Ubuntu.

Does anyone know of a workaround or solution to this?

Thanks in advance.

V~
---
Vinodh Velusamy
Software Engineer
Ubizen - a Cybertrust company
Ubicenter, Philipssite 5, 3001 Leuven, Belgium
T: +32 16 28 73 14
F: +32 16 28 71 00
E-mail: [EMAIL PROTECTED]
www.ubizen.com - www.cybertrust.com
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
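As an added example (not FreeRADIUS code and not part of the thread), the C below reverses the server's debug rendering of the two string attributes in the dump above (the `\ooo` octal escapes plus `\r`), checks whether the bytes are valid UTF-8, and adds up the attribute sizes to compare with the `length=98` in the first line. The two attribute values are copied from the post; the size accounting uses RFC 2865 sizes (20-byte packet header, 2-byte attribute header, 4-byte ipaddr and integer values) and everything else is constructed here.

```c
/* Added example for this page, not FreeRADIUS code: undo the debug rendering
 * of the two string attributes in the Access-Request above, see what they
 * contain, and check the attribute sizes against the length=98 the server
 * printed. Only the two attribute values are copied from the post; the rest
 * is constructed. Sizes follow RFC 2865: 20-byte packet header, 2-byte
 * attribute header, 4-byte ipaddr and integer values. */
#include <stdio.h>
#include <string.h>

static const char USER_NAME_DEBUG[] =
    "\\303\\251\\303\\242\\303\\244\\303\\245\\303\\247\\303\\252\\303\\250\\303\\257"
    "\\303\\256\\303\\254\\303\\204\\303\\246\\303\\264\\303\\262\\303\\273";
static const char USER_PASSWORD_DEBUG[] =
    "\\222\\023S~\\345v\\322\\250\\207\\216\\261\\206\\242J\\301\\301\\251\\006\\233"
    "\\026N\\374\\014\\213\\036c\\022'\\220\\r\\370\\210";

/* Reverse the debug escaping: \ooo for bytes outside printable ASCII, plus
 * \r \n \t \\ \" . Returns the byte count, or 0 on an unknown escape. */
size_t unescape_debug_string(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0;
    for (const char *p = in; *p && n < cap;) {
        if (*p != '\\') { out[n++] = (unsigned char)*p++; continue; }
        if (p[1] >= '0' && p[1] <= '7' && p[2] >= '0' && p[2] <= '7' &&
            p[3] >= '0' && p[3] <= '7') {
            out[n++] = (unsigned char)((p[1] - '0') * 64 + (p[2] - '0') * 8 + (p[3] - '0'));
            p += 4;
            continue;
        }
        switch (p[1]) {
        case 'r':  out[n++] = '\r'; break;
        case 'n':  out[n++] = '\n'; break;
        case 't':  out[n++] = '\t'; break;
        case '\\': out[n++] = '\\'; break;
        case '"':  out[n++] = '"';  break;
        default:   return 0;
        }
        p += 2;
    }
    return n;
}

/* Number of code points if the bytes are well-formed UTF-8, else -1. */
int utf8_codepoints(const unsigned char *s, size_t n) {
    int count = 0;
    for (size_t i = 0; i < n; count++) {
        unsigned char b = s[i];
        size_t len = b < 0x80 ? 1 : (b & 0xE0) == 0xC0 ? 2 : (b & 0xF0) == 0xE0 ? 3
                   : (b & 0xF8) == 0xF0 ? 4 : 0;
        if (len == 0 || i + len > n) return -1;
        for (size_t k = 1; k < len; k++)
            if ((s[i + k] & 0xC0) != 0x80) return -1;
        i += len;
    }
    return count;
}

int user_name_bytes(void) {
    unsigned char b[128];
    return (int)unescape_debug_string(USER_NAME_DEBUG, b, sizeof b);
}
int user_password_bytes(void) {
    unsigned char b[128];
    return (int)unescape_debug_string(USER_PASSWORD_DEBUG, b, sizeof b);
}
int user_name_codepoints(void) {
    unsigned char b[128];
    return utf8_codepoints(b, unescape_debug_string(USER_NAME_DEBUG, b, sizeof b));
}
int user_password_codepoints(void) {              /* -1: the PAP blob is not text */
    unsigned char b[128];
    return utf8_codepoints(b, unescape_debug_string(USER_PASSWORD_DEBUG, b, sizeof b));
}

/* 1 if U+00C4 (Ä), UTF-8 bytes C3 84, occurs in User-Name. */
int user_name_has_a_umlaut(void) {
    unsigned char b[128];
    size_t n = unescape_debug_string(USER_NAME_DEBUG, b, sizeof b);
    for (size_t i = 0; i + 1 < n; i++)
        if (b[i] == 0xC3 && b[i + 1] == 0x84) return 1;
    return 0;
}

/* Header + User-Name + User-Password + NAS-IP-Address + NAS-Port. */
int expected_packet_length(void) {
    return 20 + (2 + user_name_bytes()) + (2 + user_password_bytes()) + (2 + 4) + (2 + 4);
}

int main(void) {
    unsigned char b[128];
    size_t n = unescape_debug_string(USER_NAME_DEBUG, b, sizeof b);
    printf("User-Name: %zu bytes, %d code points as UTF-8: ", n, user_name_codepoints());
    fwrite(b, 1, n, stdout);
    printf("\nUser-Password: %d bytes (two 16-byte PAP blocks), as UTF-8: %d\n",
           user_password_bytes(), user_password_codepoints());
    printf("length from attributes: %d, server reported 98\n", expected_packet_length());
    return 0;
}
```

The result: User-Name is 30 bytes of valid UTF-8 (15 characters, Ä arriving as C3 84), User-Password is 32 bytes that are not text at all (the RFC 2865 PAP-encrypted value, padded to 16-byte blocks), and 20 + 32 + 34 + 6 + 6 = 98 is exactly the length the server logged. Nothing was lost or mangled on the wire, which is why Alan's question about UTF-8 is the right one: the bytes are UTF-8, and whatever the unix module compares them against has to agree on that encoding.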
Garbled class attribute?
I should note that when I set Class to be a string in the dictionary.rfc2865 file instead of octets, I get:

Class = "79wH1B2r7PSQjqBACDCXCIyPuDI="

Which looks equally wrong to me.

-------- Original Message --------
Subject: Garbled class attribute?
Date: Thu, 17 Aug 2006 11:40:50 -0400
From: Geoff Silver <[EMAIL PROTECTED]>
To: FreeRadius users mailing list

I have a bunch of users which should have a class attribute returned upon successful authentication. Their entries look something like:

bob NAS-IP-Address == 172.31.33.66, Hint==HasSlash Auth-Type:=Accept
        Class = "OU=MY_CORP", Filter-Id = "SPCCOLO_O",
        Split-Tunneling-Policy = 1, Split-Tunnel-List = "SPCCOLO_ST"

What they're actually getting back is:

Packet-Type = Access-Accept
User-Name = "bob"
Class = 0x3739774831423272375053516a71424143444358434979507544493d
Filter-Id = "SPCCOLO_O"
Split-Tunneling-Policy = 1
Split-Tunnel-List = "SPCCOLO_ST"
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Garbled class attribute?
I have a bunch of users which should have a class attribute returned upon successful authentication. Their entries look something like:

bob NAS-IP-Address == 172.31.33.66, Hint==HasSlash Auth-Type:=Accept
        Class = "OU=MY_CORP", Filter-Id = "SPCCOLO_O",
        Split-Tunneling-Policy = 1, Split-Tunnel-List = "SPCCOLO_ST"

What they're actually getting back is:

Packet-Type = Access-Accept
User-Name = "bob"
Class = 0x3739774831423272375053516a71424143444358434979507544493d
Filter-Id = "SPCCOLO_O"
Split-Tunneling-Policy = 1
Split-Tunnel-List = "SPCCOLO_ST"
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
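An added example, not FreeRADIUS code and not part of the thread: decoding the Class value from the Access-Accept above. The server prints an `octets` attribute as `0x` followed by hex; turning that back into bytes gives the same 28-character string the follow-up message saw after switching the dictionary type to `string`, and that string is canonical base64 of 20 bytes. The Class value is the one from the post; the base64 shape check and the contrasting test on `OU=MY_CORP` are constructed here.

```c
/* Added example for this page, not FreeRADIUS code: decode the Class value from
 * the Access-Accept above. The server prints an 'octets' attribute as 0x plus
 * hex; decoding gives printable ASCII that is canonical base64, i.e. an opaque
 * 20-byte token, not a mangled "OU=MY_CORP". The base64 check is constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char CLASS_OCTETS[] =                          /* copied from the post */
    "0x3739774831423272375053516a71424143444358434979507544493d";

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a 0x... octets rendering; returns the byte count, or -1 if malformed. */
int octets_to_bytes(const char *value, unsigned char *out, size_t cap) {
    if (strncmp(value, "0x", 2) != 0) return -1;
    size_t len = strlen(value + 2);
    if (len == 0 || len % 2 || len / 2 > cap) return -1;
    for (size_t i = 0; i < len; i += 2) {
        int hi = hexval(value[2 + i]), lo = hexval(value[3 + i]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)(hi * 16 + lo);
    }
    return (int)(len / 2);
}

int all_printable_ascii(const unsigned char *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (s[i] < 0x20 || s[i] > 0x7E) return 0;
    return 1;
}

/* Decoded length if s is canonical base64 (RFC 4648 alphabet, length a multiple
 * of 4, at most two '=' and only at the end), else -1. */
int base64_payload_length(const char *s, size_t n) {
    if (n == 0 || n % 4) return -1;
    size_t pad = 0;
    while (pad < 2 && s[n - 1 - pad] == '=') pad++;
    for (size_t i = 0; i + pad < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '+' && c != '/') return -1;
    }
    return (int)(n / 4 * 3 - pad);
}

/* Copy the decoded Class into out as a C string if every byte is printable
 * ASCII; returns the text length, or -1 if the value is binary or malformed. */
int class_as_text(const char *octets, char *out, size_t cap) {
    unsigned char raw[256];
    int n = octets_to_bytes(octets, raw, sizeof raw);
    if (n < 0 || (size_t)n + 1 > cap || !all_printable_ascii(raw, (size_t)n)) return -1;
    memcpy(out, raw, (size_t)n);
    out[n] = '\0';
    return n;
}

static char g_text[256];

const char *class_text(void) {
    return class_as_text(CLASS_OCTETS, g_text, sizeof g_text) < 0 ? NULL : g_text;
}

int class_base64_payload_length(void) {
    const char *t = class_text();
    return t ? base64_payload_length(t, strlen(t)) : -1;
}

int main(void) {
    const char *t = class_text();
    printf("Class as text: %s\n", t ? t : "(binary)");
    printf("base64 payload: %d bytes\n", class_base64_payload_length());
    return 0;
}
```

So the attribute is not garbled at all: it is a well-formed 28-character base64 string carrying 20 opaque bytes, which is nothing the local users entry could have produced and which supports the suspicion voiced in the thread that the value comes from the server behind the proxied realm. Comparing `base64_payload_length("OU=MY_CORP", 10)` shows the configured value does not even have base64 shape.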
Regarding using strcmp instead of memcmp
Hi

I am trying to run free radius code with purify, it is giving errors as

UMR: Uninitialized memory read (13 times) in memcmp
Reading 5 bytes from 0xffbdd108 on the stack (1 byte at 0xffbdd10c uninit).
Address 0xffbdd108 is 4 bytes past start of local variable "cs" in function

So can I use strcmp instead of memcmp? Because if I use strcmp instead of memcmp the error is not coming.

Please, I would be grateful if you can provide some useful information regarding this.

Thanks & regards
Ravi

Tech Mahindra, formerly Mahindra-British Telecom.

Disclaimer: This message and the information contained herein is proprietary and confidential and subject to the Tech Mahindra policy statement, you may review at http://www.techmahindra.com/Disclaimer.html externally and http://tim.techmahindra.com/Disclaimer.html internally within Tech Mahindra.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
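An added example, not FreeRADIUS code and not part of the thread. The report above says memcmp read 5 bytes and one of them was uninitialised: that is the signature of a fixed-length compare run against a string shorter than the compared length, where the bytes past the terminator are whatever happens to sit on the stack. The C below shows that pattern, the two bounded replacements (strncmp, or memcmp guarded by the bytes actually available), and why strcmp is not one of them: it compares whole strings, so it stops recognising a keyword as soon as anything follows it. The keyword `$INCLUDE` and the sample lines are constructed for the demonstration.

```c
/* Added example for this page, not FreeRADIUS code: why a fixed-length memcmp()
 * on a NUL-terminated string can read past the terminator (the uninitialized
 * read purify flagged in the question), and what to use instead. $INCLUDE is
 * just a sample keyword; the checks generalise to any prefix test. */
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: always inspects strlen(kw) bytes of s. If s is "$INC" (five
 * bytes including the NUL), memcmp() reads three bytes beyond the terminator,
 * whatever happens to be there. Only called on a long enough buffer below. */
int has_prefix_unbounded(const char *s, const char *kw) {
    return memcmp(s, kw, strlen(kw)) == 0;
}

/* Fix 1: strncmp() stops at the first difference or at a NUL, so it never
 * reads past the end of the shorter string. */
int has_prefix_strncmp(const char *s, const char *kw) {
    return strncmp(s, kw, strlen(kw)) == 0;
}

/* Fix 2: keep memcmp() but bound it by the bytes actually available; this also
 * works for buffers that are not NUL-terminated. */
int has_prefix_bounded(const char *s, size_t avail, const char *kw) {
    size_t n = strlen(kw);
    return avail >= n && memcmp(s, kw, n) == 0;
}

/* What strcmp() does if swapped in: an exact whole-string match only, so the
 * keyword is no longer recognised when anything follows it. */
int equals_strcmp(const char *s, const char *kw) {
    return strcmp(s, kw) == 0;
}

/* Scan len bytes of buf for kw with bounded compares only; returns the offset
 * of the first occurrence or -1. Safe on buffers without a terminator. */
long find_keyword(const char *buf, size_t len, const char *kw) {
    size_t n = strlen(kw);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, kw, n) == 0) return (long)i;
    return -1;
}

int main(void) {
    const char line[] = "$INCLUDE ${confdir}/clients.conf";   /* constructed sample */
    const char stub[] = "$INC";                               /* shorter than the keyword */
    printf("strncmp  : %d %d\n", has_prefix_strncmp(line, "$INCLUDE"),
                                 has_prefix_strncmp(stub, "$INCLUDE"));
    printf("bounded  : %d %d\n", has_prefix_bounded(line, sizeof line - 1, "$INCLUDE"),
                                 has_prefix_bounded(stub, sizeof stub - 1, "$INCLUDE"));
    printf("strcmp   : %d (whole-string compare misses the directive)\n",
           equals_strcmp(line, "$INCLUDE"));
    printf("offset   : %ld\n", find_keyword("  $INCLUDE x", 12, "$INCLUDE"));
    printf("unbounded: %d (safe here only because the buffer is long enough)\n",
           has_prefix_unbounded(line, "$INCLUDE"));
    return 0;
}
```

The point for the original question: swapping in strcmp makes purify go quiet because strcmp stops at the terminator, but it also changes the result, since a line that starts with the keyword and continues no longer matches. strncmp, or a memcmp bounded by the remaining length, fixes the over-read without changing what the code recognises.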
Re: Help!
Shankar Ganesh C <[EMAIL PROTECTED]> wrote:
> 2) Based on the call back function or any other interface from external
> program the free radius should send a Accounting response message back based
> on the attributes value retrived from the other function.

No attributes may be sent in an Accounting-Response packet.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Unknown user or bad password while using Free RADIUS PAM
"Shteinberg-hirik, Jenny (Jenny)" <[EMAIL PROTECTED]> wrote:
> We use Free Radius PAM_RADIUS_AUTH (version 1.3.16) integrated into
> Linux from WindRiver distribution based on kernel 2.6.10
> As Radius Server we use Internet Authentication Server from Win2000
> Server.

Ugh.

> Both Radius clients ( for Linux and for VmWare) are configured
> absolutely identical on the Radius Server. The same user, same password
> and the same shared secret are used.
> What can be the problem?

If the RADIUS server responds with different values it is because the client is sending different attributes. Check the attributes sent in the Access-Request from each client.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Pretty easy question, I think? :D
I'm setting up a new AAA server here using freeradius. I am just attempting to get it to authenticate using /etc/passwd (unix style) and I am getting this error:

Thu Aug 17 11:06:51 2006 : Debug: rad_check_password: Found Auth-Type System
Thu Aug 17 11:06:51 2006 : Debug: auth: type "System"
Thu Aug 17 11:06:51 2006 : Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
Thu Aug 17 11:06:51 2006 : Debug: auth: Failed to validate the user.

This is my module configuration:

unix {
        cache = no
        cache_reload = 600
        passwd = /etc/passwd
        group = /etc/group
        shadow = /etc/shadow
        radwtmp = ${logdir}/radwtmp
}

Anyone have any advice for me?

Thanks,
Andrew
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Query to know radius disconnect request and Ack is supported in freeradius
Shankar Ganesh C <[EMAIL PROTECTED]> wrote many times:
> Could some body help me to know whether Radius disconnect and Ack messages
> are supported in free radius as defined in RFC 2822 ?

It's RFC 3576, not 2822. And FreeRADIUS doesn't support receiving them, but radclient will send them.

And do NOT send the same message many times, to both the users & the devel list. It's unfriendly.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: AcctSessionTime is inserting Null
On Thu 17 Aug 2006 17:34, raviprakash sunkara wrote:
> Hi peter ,
> Thanks for replying ...
>
> The NAS value is MY radius server ip...
>
> Really i don't Know that... What NAS value should take .

You need to check the detail files (usually under /var/log/radius/radacct/x.x.x.x/) and see if there is an AcctSessionTime line being sent by your NAS or not. If not then you need to talk to your NAS vendor.

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius-Users Digest, Vol 16, Issue 66
Hi peter,

Thanks for replying ... The NAS value is MY radius server ip... Really i don't know that... What NAS value should take.

Bye

On 8/17/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Send Freeradius-Users mailing list submissions to
>         freeradius-users@lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>         [EMAIL PROTECTED]
>
> You can reach the person managing the list at
>         [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
> Today's Topics:
>
>    1. Unknown user or bad password while using Free RADIUS PAM (Shteinberg-hirik, Jenny (Jenny))
>    2. Re: Oracle is not supported by radsqlrelay? (Nicolas Baradakis)
>    3. AcctSessionTime is inserting Null (raviprakash sunkara)
>    4. Help! (Shankar Ganesh C)
>    5. Re: AcctSessionTime is inserting Null (Peter Nixon)
Re: question about an output
> /etc/raddb/users[154]: Syntax error: Previous line is missing a trailing
> comma for entry DEFAULT
>
> Basically, it is something in the config file, but is there a way to locate
> the error in this configuration file?

How could this message be any more clear? What do you *think* you have to check, after reading this output, word by word?

Stefan
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
question about an output
Hi;

I have used this command to check the errors:

radiusd -X -A

I had a list of outputs, but my question is the following: do these outputs mean that the check-up is passing, or is there an error in it?

And I've got this error:

/etc/raddb/users[154]: Syntax error: Previous line is missing a trailing comma for entry DEFAULT
Errors reading /etc/raddb/users

Basically, it is something in the config file, but is there a way to locate the error in this configuration file?

Thanks guys
Elie
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: AcctSessionTime is inserting Null
On Thu 17 Aug 2006 16:00, raviprakash sunkara wrote:
> Hi Users,
>
> So long back I'm mailing ...
> Now install Radius Server and client Freshly
> Actual My problem is THat ...
> In Accounting Part in . When I radius server receive the
> Acct-Status-Type is Stop , AcctSessionTime is inserting NULL i.e " 0 "..
>
> That is my problem
> Plz give hint to resolve it

What value is your NAS sending for AcctSessionTime? Some NAS do not send AcctSessionTime...
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Help!
Hi,

Could somebody help with my requirements? Below are my requirements.

1) When the radius server receives an accounting start, accounting stop or accounting intermediate update, FreeRADIUS should pass on its attributes to another external function.

2) Based on the callback function or any other interface from the external program, FreeRADIUS should send an Accounting response message back based on the attribute values retrieved from the other function.

For the first requirement I have an understanding to follow the below: using the acct_users file, based on the Acct-Status-Type, using Exec-Program the attribute values could be passed as command line arguments. The variables for the same can be defined in variables.txt.

For the second requirement I do not have any clues how to achieve that.

It would be a great help if any inputs are given on the above requirements.

Thanks and regards
Shankar ganesh
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
AcctSessionTime is inserting Null
Hi Users,

So long back I'm mailing ...
Now install Radius Server and client freshly.
Actual my problem is that ...
In the Accounting part, when my radius server receives Acct-Status-Type = Stop, AcctSessionTime is inserting NULL, i.e. "0".

That is my problem.
Plz give hint to resolve it.

Cheers & Bye
--
Thanks and Regards with cheers
Sunkara Ravi Prakash
Hyperion Technology
Kondapur, Hi-tech city, Hyderabad.
www.hyperion-tech.com
+91-9985077535
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Oracle is not supported by radsqlrelay?
Alexander Serkin wrote: > Nicolas Baradakis wrote: > > > Please create a patch with "diff -u radsqlrelay.orig radsqlrelay" > > and post it to the list. I'll add it in version 1.1.3. > > Here it is: > > --- radsqlrelay.orig2006-08-16 15:40:58.220277000 +0400 > +++ radsqlrelay 2006-08-16 17:53:20.151452000 +0400 > @@ -156,6 +156,8 @@ > $data_source = "DBI:mysql:database=$args{b};host=$args{h}"; > } elsif (lc($args{d}) eq 'pg') { > $data_source = "DBI:Pg:dbname=$args{b};host=$args{h}"; > +} elsif (lc($args{d}) eq 'oracle') { > +$data_source = "DBI:Oracle:$args{b}"; > } else { > print STDERR "error: SQL driver not supported yet: $args{d}\n"; > exit 1; Added, thanks. > whith "-b db.domain.tld" i give the database description stored in > $TNS_ADMIN/tnsnames.ora: > > db.domain.tld = > (DESCRIPTION = > (ADDRESS_LIST = > (ADDRESS = (PROTOCOL = TCP)(HOST = db.domain.tld)(PORT = 1521)) > ) > (CONNECT_DATA = > (SERVICE_NAME = ) > ) > ) I've added this to the radsqlrelay(8) manpage, too. -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
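Review bot: the new `oracle` branch builds `DBI:Oracle:$args{b}` and drops `$args{h}` entirely, whereas the `mysql` and `pg` branches in the surrounding context both append `host=$args{h}`; a caller who passes `-h` together with `-d oracle` gets no error and connects to whatever host the TNS entry named by `-b` resolves to. Suggest either refusing or warning when `-h` is given for the oracle driver, or stating in the usage text and the radsqlrelay(8) manpage that for Oracle `-b` names a TNS descriptor (which carries host and port) and `-h` is ignored.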
Unknown user or bad password while using Free RADIUS PAM
Hi,

We use Free Radius PAM_RADIUS_AUTH (version 1.3.16) integrated into Linux from WindRiver distribution based on kernel 2.6.10. As Radius Server we use Internet Authentication Server from Win2000 Server.

We can not receive authentication for user defined on the Radius Server. Here is the Warning that is logged on the Radius Server for this event:

User slb was denied access.
        Fully-Qualified-User-Name = KERNEL\slb
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = check
        Called-Station-Identifier =
        Calling-Station-Identifier = 135.64.103.49
        Client-Friendly-Name = 149.49.76.121
        Client-IP-Address = 149.49.76.121
        NAS-Port-Type = Virtual
        NAS-Port = 16015
        Policy-Name =
        Authentication-Type = PAP
        EAP-Type =
        Reason-Code = 16
        Reason = There was an authentication failure because of an unknown user name or a bad password.

Using the same PAM_RADIUS_AUTH installed on VMware Player (version 1.0.1) enables us to receive authentication for the same user. Here is the Information that is logged on the Radius Server for this event:

User slb was granted access.
        Fully-Qualified-User-Name = KERNEL\slb
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = check
        Client-Friendly-Name = 135.64.102.130
        Client-IP-Address = 135.64.102.130
        NAS-Port-Type = Virtual
        NAS-Port = 24935
        Policy-Name = GAdmin
        Authentication-Type = PAP
        EAP-Type =

Both Radius clients (for Linux and for VmWare) are configured absolutely identical on the Radius Server. The same user, same password and the same shared secret are used.

What can be the problem?

Thank you,
Jenny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Change RAD_REPLY item in rlm_perl, not add a new pair
On Wednesday 16 August 2006 18:09, Alex French wrote:
> Boina,
>
> That works fine for me (patching against a clean 1.1.2 tree). I've only
> tested == and := operators but they seem fine.
>
> Only one point to note; if you do not include an element in the hash with
> the same name as the attribute (e.g. due to a typo or just a
> misconfiguration), the server hangs completely the first time something
> gets passed through the perl module and needs a kill -9 to stop it. I know
> you can't protect people against their own configuration errors, but
> perhaps it would be nicer to log an error (or just ignore the attribute).

Thanks for the suggestion, I will correct this matter.

> Anyway, thanks very much for the patch!
>
> Thanks,
>
> On 15/08/06, Boian Jordanov <[EMAIL PROTECTED]> wrote:
> > On Monday 14 August 2006 21:27, Alex French wrote:
> > > Boian,
> > >
> > > Thanks, if you have a patch that actually implements the hash for the
> > > operator etc, that would be great (in fact, why not just submit it as a
> > > feature). If it's just to change the operator hardcoded in rlm_perl.c,
> > > that's fine, I have that recompiled and installed at the moment,
> >
> > Yep, I have the patch that implements the operator with hash ref.
> > Test it and if you like it I will submit it in CVS HEAD.
> >
> > For example to change Operator for Framed-MTU
> >
> >         $hash{'Framed-MTU'} = "100";
> >         $hash{'Operator'} = "==";
> >         $RAD_REPLY{'Framed-MTU'} = \%hash;
> >
> > --
> > Best Regards,
> > Boian Jordanov
> > SNE
> > Orbitel - Next Generation Telecom
> > tel. +359 2 4004 723
> > tel. +359 2 4004 002
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html

--
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html