Re: Re[2]: radiusd.sh

2006-08-21 Thread Peter Nixon
On Mon 21 Aug 2006 03:22, KES wrote:
 Hello, Peter.

 You wrote on 18 August 2006 at 15:07:11:

 PN On Fri 18 Aug 2006 13:08, KES wrote:
  Hello, freeradius-users.
 
  Patch for radiusd.sh
 
  #!/bin/sh
 
  # PROVIDE: radiusd
  -# REQUIRE: NETWORKING SERVERS
  -# BEFORE: DAEMON
  +# REQUIRE: NETWORKING SERVERS mysql
  # KEYWORD: shutdown
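Review bot: the new `# REQUIRE: NETWORKING SERVERS mysql` line makes radiusd's start order depend on the mysql rc script unconditionally, so a host that runs FreeRADIUS without a local MySQL, or with a different rlm_sql backend, inherits a dependency it does not need; consider keeping the original `# REQUIRE: NETWORKING SERVERS` and recording the ordering requirement in a comment in the script header instead. Dropping `# BEFORE: DAEMON` to break the rcorder loop also changes radiusd's position relative to every DAEMON-tagged script, not just mysql, which deserves an explanatory comment next to the header.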
 
  radiusd must start after the DB servers (mysql) do, because of some problems
  with some rlm_sql* modules (rlm_nibs - can't connect to MySQL)
 
  so I have added
  # REQUIRE: NETWORKING SERVERS mysql
 
  adding mysql causes a loop dependency in 'rcorder',
  so I have removed
  -# BEFORE: DAEMON
 
  Does anyone have such problems?

 PN Yes. This is in-fact incorrect as it will force people who are not
 PN using mysql to start it. The correct thing to do is simply add the
 PN line:

 PN # Should-Start: $time postgresql mysql ldap

 But I am using FreeBSD v6.1#2 and I do not have such options.
 I have only ``REQUIRE'', ``PROVIDE'', ``BEFORE'' and ``KEYWORD'' lines.
 Does anyone have a clue for FreeBSD?

Ahh. I was wondering why I could not find your radiusd.sh anywhere in the 
source... I suppose your solution is fine for you, as I don't have any better 
solution for FreeBSD. I have however committed my solution to the linux 
startup scripts in the source tree.

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius microsoft sql server configuration help

2006-08-21 Thread Angelo Compagnucci
At 17:16 on Sunday 20 August 2006, Albis Nunez wrote:
 Hello Freeradius users, I need help to configure the freeradius to work
 with my Microsoft sql server, if someone can help  or provide me some
 sample configuration I'll really appreciate it. I'm new in this business.
 Thanks in advance.

See this howto

http://it.reinhardt.edu/dave/radius-mssql-howto.html

It works!


Re: freeradius microsoft sql server configuration help

2006-08-21 Thread affora deeb
Hi FreeRADIUS users.
I asked you before if anyone can help me and send the configuration or steps of configuration of FreeRADIUS over Linux,
and I'll really appreciate it.
Thanks


Re: auth to LDAP via two mechanisms

2006-08-21 Thread Rob Shepherd

Alan DeKok wrote:

Rob Shepherd [EMAIL PROTECTED] wrote:

I'll use PAP (ldap auth)


  Please don't.  It makes everything harder.


OK.



  LDAP is a database, not an authentication server.  Have the server
read the clear-text password from LDAP, and the server will figure out
how to authenticate the user.  Remove ldap from the authenticate
section.  It's just not necessary.


No clear-text is stored in LDAP. I have MD5 in userPassword and the two 
samba hashes.
The cisco kit, VPN concentrator and switches etc, supply a clear text 
password at radius. I figured my only option was to PAP-to-LDAP.


Is there an alternative for this situation?




 from the VPN concentrator but mschapv2 from the 
wireless, as it'll go through a peap or eap-tls tunnel. I have NT and LM 
hashes already in the LDAP, I just need to extract them...


  And how I get the nt/lm hashes from ldap and do mschapv2..

  ldap.attrmap, and the server will figure out what to do.


Thanks.

--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 07776 210516


RE: RE: Problem with character Ä in username/password

2006-08-21 Thread Velusamy, Vinodh
Alan,
Sorry for the misunderstanding. We are using the mod_auth_radius, the RADIUS 
authentication module for the Apache webserver version 1.5.2 for apache 1.3 
that you have developed.


---
Vinodh Velusamy
Software Engineer

Ubizen - a Cybertrust company
Ubicenter, Philipssite 5, 3001 Leuven, Belgium
T: +32 16 28 73 14
F: +32 16 28 71 00 
E-mail: [EMAIL PROTECTED]

www.ubizen.com  - www.cybertrust.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, August 18, 2006 6:30 PM
To: FreeRadius users mailing list
Subject: Re: RE: Problem with character Ä in username/password

Velusamy, Vinodh [EMAIL PROTECTED] wrote:
 Thanks for your response. I am using the radius server to authenticate 
 a web-application using browser username/password authentication. Here 
 is the debug info when trying to authenticate an ordinary user 
 Vinodh/vinodh which works perfectly!! :

  So... you didn't answer my question, and instead talked about something else 
that doesn't have a problem.

  How do you expect me to help you?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog



Active Directory/freeradius/enterasys - combination

2006-08-21 Thread Michael Messner
hello,

We are testing the 802.1x authentication in a small test network.
(http://www.enterasys.com/products/whitepapers/secure-networks-wp.pdf)
The user management works via an active directory on a Windows 2003
server, a Freeradius on a Linux machine, and the switch is an Enterasys
Matrix-series.

Windows 2003 (AD) --- Freeradius --- Enterasys switch ---
Linux/MS-Client

The user is able to authenticate with PEAP and MD5 from a Linux and a
Windows Client. Active Directory and Freeradius (ntlm_auth) give the OK
as well.

The Enterasys switch is dynamically configured with the Policy Manager.
Therefore it is possible to define rules for various user groups, and in
the AD different user groups are defined. Now the switch needs the
group-to-user information from the AD via the Filter-Id, which normally
looks like this:

Filter-Id = Enterasys:version=1:mgmt=su:policy=adminrole

If I define the users on the Radius with the help of the users file it
is no problem and it works perfectly, but how can I use the information
from the AD?

The problem is that the users are correctly authenticated, but the
switch doesn't have information what to do with these users and they get
an invalid role and furthermore they don't get access to the network
(they are assigned to the default role which is a blocking role)!

We made the first tests with the IAS from Microsoft where we created
different Remote Access Policies, and there we added the different user
groups from the AD.

I've not found anything on the Internet concerning this very matter, so
I hope someone of you can give me more information on how this can be realized.

Thanks!
mIke




Re: No memory

2006-08-21 Thread Peter Nixon
Hi Hasan

I don't personally have experience with the Sybase ODBC drivers, nor have I 
set up FreeRADIUS with MSSQL before (We have plenty of MySQL, Postgresql and 
Oracle installs though). I have however used MSSQL from perl before via 
FreeTDS. The howto I wrote is at:

http://wiki.suntel.com.tr/index.php/Using_MS_SQL_server_from_Linux_with_Perl_DBI

You should be able to follow a similar procedure for FreeRADIUS.

There is another howto specifically for FreeRADIUS at:

http://it.reinhardt.edu/dave/radius-mssql-howto.html

Regards and good luck with your work

Peter

On Fri 18 Aug 2006 18:09, Hasan Ovuc wrote:
 FC5
 kernel-smp-2.6.15-1.2054_FC5

 Additional info:
 Sybase ODBC-12_5 odbc drivers

 Which db connection type do you suggest to connect to the SYBASE database?
 
 rlm_unixodbc, rlm_iodbc or rlm_perl?

  -Original Message-
  From: Peter Nixon [mailto:[EMAIL PROTECTED]
  Sent: Friday, August 18, 2006 3:22 PM
  To: freeradius-users@lists.freeradius.org
  Cc: Hasan Ovuc
  Subject: Re: No memory
 
  On Fri 18 Aug 2006 14:39, Hasan Ovuc wrote:
   Dear Members,
  
   I am trying to use
   freeradius-snapshot-20060817
   unixODBC-2.2.11
   ODBC-12_5
  
   Radiusd successfully started, after first sql query it dies with no
   memory error.
 
  Which Linux version?
 
  --
 
  Peter Nixon
  http://www.peternixon.net/
  PGP Key: http://www.peternixon.net/public.asc


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Autz-Type Config Clarification

2006-08-21 Thread Phil Mayers

Nathan L. Cable wrote:

I'm setting up a Radius environment which covers several physical sites.
Usernames and passwords come from an Active Directory server via ntlm_auth.
Each site has a group in the NT domain.  So, it would be nice to have
multiple auth-types for each area.


You don't want and probably shouldn't use multiple auth-types. You want, 
as per your subject line, multiple Autz-Types. The behaviour of the 
mschap module can be controlled by setting variables based on Autz-Type 
then using them later on.




For clarification, I've tested my server without the Autz-type arguments
(ie, only using the one mschap instance), and everything works fine.
Everything also works great if I declare multiple instances of mschap, and
just have the radius server search through them in order - however, this
seems to be a rather inefficient way of doing things.


It's also not guaranteed to work I think.



The debug output of radiusd indicates that my modules are being loaded, but
when the client authenticates, it's not done so against an auth-type.

Any thoughts as to why this is not working?

Here are the relevant portions of my config files:

# radiusd.conf:

.
.
.
modules {
.
.
.
mschap group1 {
authtype = group1
...some config stuff...
}
mschap group2 {
authtype = group2
...some config stuff...
}
}
.
.
.
authorize {
preprocess
files
Autz-Type group1 {
group1
}
Autz-Type group2 {
group2
}
eap
}

authenticate {
Auth-Type group1 {
group1
}
Auth-Type group2 {
group2
}
eap
}
.
.
.

# users
DEFAULT Called-Station-Id == 00-11-22-33-44-55-66,Autz-Type := group1
DEFAULT Autz-Type = group2


What precisely are you trying to do here?

You may be better off using the ldap module against the AD to pull the 
groups into the radius server and make decisions there, which is 
*separate* from the running of the authentication algorithm.


Failing that, you could do this:

DEFAULT Called-Station-Id == "00-11-22-33-44-55"
	Tmp-String-1 = "group1"

DEFAULT
	Tmp-String-1 = "group2"

...then have:

modules {
 mschap {
  ntlm_auth = "ntlm_auth --require-membership-of=%{reply:Tmp-String-1:-Domain Users} --other-options"
 }
}

authorize {
 preprocess
 files
 mschap
 eap
}
authenticate {
  Auth-Type MSCHAP {
mschap
  }
}

If you are on an older version of the server you may need to define the 
Tmp-String-1 attributes like so in dictionary:


ATTRIBUTE	Tmp-String-1	3000	string


Re: auth to LDAP via two mechanisms

2006-08-21 Thread Phil Mayers

Rob Shepherd wrote:


No clear-text is stored in LDAP. I have MD5 in userPassword and the two 
samba hashes.
The cisco kit, VPN concentrator and switches etc, supply a clear text 
password at radius. I figured my only option was to PAP-to-LDAP.


Is there an alternative for this situation?


Use an instance of the pap module with encryption_scheme = nt

modules {
  pap nthashpap {
encryption_scheme = nt
  }
}

authorize {
  preprocess
  files
}
authenticate {
  Auth-Type PAP {
nthashpap
  }
}

...however, you will need:

DEFAULT Auth-Type := PAP

...somewhere, since the PAP module in 1.1.0 (and I think all non-CVS 
versions?) does not (irritatingly) set Auth-Type to PAP, and cannot even 
run in the authorize section.


Newer versions of the server (CVS) will both auto-detect {type}hash 
type prefixes in values *and* set the auth-type so you can just do:


modules {
  pap {
auto_header = yes
  }
}

authorize {
  preprocess
  pap
  ldap
}

authenticate {
  Auth-Type PAP {
pap
  }
}
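The nt scheme Phil describes, as an added example that is not FreeRADIUS or rlm_pap code: an NT hash is MD4 over the UTF-16LE password, so a server that holds only sambaNTPassword and an {MD5} userPassword (as in Rob's directory) can still verify the clear-text PAP password the Cisco kit sends. check_pap_password mirrors the {scheme}hash auto-detection of the newer server; the MD4 routine, the sample hashes and all function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# Pure-Python MD4 (RFC 1320): the NT hash needs MD4, and Python builds on
# OpenSSL 3 often ship without the legacy MD4 provider.
_S1, _S2, _S3 = (3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15)
_K2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
_K3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"          # pad: 0x80, zeros, 64-bit LE length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1, F = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _MASK, _S1[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, G = majority(b, c, d)
            g = (b & c) | (b & d) | (c & d)
            a = _rotl((a + g + x[_K2[i]] + 0x5A827999) & _MASK, _S2[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3, H = b ^ c ^ d
            a = _rotl((a + (b ^ c ^ d) + x[_K3[i]] + 0x6ED9EBA1) & _MASK, _S3[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT-Password as Samba stores it in sambaNTPassword: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le"))


def _decode_digest(text: str, size: int) -> bytes:
    """Accept a hex or base64 digest of the expected size; otherwise b'' (never matches)."""
    try:
        raw = bytes.fromhex(text)
        if len(raw) == size:
            return raw
    except ValueError:
        pass
    try:
        raw = base64.b64decode(text, validate=True)   # binascii.Error is a ValueError
    except ValueError:
        return b""
    return raw if len(raw) == size else b""


def check_pap_password(stored: str, clear_text: str) -> bool:
    """Compare a clear-text PAP password against a stored value.

    A {scheme} prefix selects the comparison (like rlm_pap with auto_header = yes);
    no prefix means the stored value is clear text.  Comparisons are constant-time.
    """
    scheme, digest = "clear", stored
    if stored.startswith("{") and "}" in stored:
        scheme, digest = stored[1:].split("}", 1)
        scheme = scheme.lower()
    if scheme == "clear":
        return hmac.compare_digest(digest.encode(), clear_text.encode())
    if scheme == "nt":
        computed = nt_hash(clear_text)
    elif scheme == "md5":
        computed = hashlib.md5(clear_text.encode()).digest()
    elif scheme == "sha":
        computed = hashlib.sha1(clear_text.encode()).digest()
    else:
        raise ValueError(f"unsupported password scheme {scheme!r}")
    return hmac.compare_digest(_decode_digest(digest, len(computed)), computed)


if __name__ == "__main__":
    # Constructed LDAP entry in the shape Rob describes (values are for "password").
    entry = {"userPassword": "{MD5}X03MO1qnZdYdgyfeuILPmQ==",
             "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C"}
    print(check_pap_password("{nt}" + entry["sambaNTPassword"], "password"))   # True
    print(check_pap_password(entry["userPassword"], "password"))               # True
```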



Re: rlm_proxy problems

2006-08-21 Thread Geoff Silver
The patch applies to 1.1.0, but neither the patched 1.1.0 or a patched 1.1.2 
fixes the problem.


On the concentrator, successful auths look like:

36557 08/21/2006 08:16:24.270 SEV=4 IKE/52 RPT=42919 68.100.177.222
Group [OFFICE] User [hockingmr] User (hockingmr) authenticated.

36562 08/21/2006 08:16:25.230 SEV=4 IKE/119 RPT=62782 68.100.177.222
Group [OFFICE] User [hockingmr] PHASE 1 COMPLETED

where the failures look like:

36141 08/21/2006 08:13:10.640 SEV=3 AUTH/5 RPT=30061 69.175.180.60
Authentication rejected: Reason = Unspecified handle = 6, server = 
205.188.136.151, user = suzannebd, domain = not specified


although I see the same effect when using radclient:

Sending Access-Request of id 106 to 127.0.0.1 port 1645
User-Name = bob
User-Password = password
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=106, length=43
Account-Flags = 587300864
Connect-Info = OFFICE

then:

Sending Access-Request of id 121 to 127.0.0.1 port 1645
User-Name = bob
User-Password = password
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=121, length=2

I'm at a loss, and without being able to proxy auth to another server, my 
entire infrastructure is useless.  The worst part of this is that I haven't 
been able to re-create it except in a production environment... for whatever 
reason, just running a half dozen simultaneous auths with radclient doesn't 
seem to cause this.


Ideas?  Thanks.

Alan DeKok wrote:

Geoff Silver [EMAIL PROTECTED] wrote:
Red Hat Enterprise Linux 3.0.  Also has the same build issues on my RedHat 
EL4.0 dev system.


  Weird.  It works for me on FC4, and many other OSes.


We were previously using FreeRADIUS 1.1.0, which built fine.  IIRC,
the problem surfaced in 1.1.1, which is why we're still using 1.1.0
(was hoping it would be fixed in 1.1.2...)


  Maybe 1.1.3.

  So... does the patch in the bug apply to 1.1.0, and does it solve
the problem?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog




Auth logging

2006-08-21 Thread Mark Jones
I would like to only log failed auth attempts not successful. Does anyone 
know a way to do this? 



Re: Active Directory/freeradius/enterasys - combination

2006-08-21 Thread Phil Mayers

Michael Messner wrote:

If I define the users on the Radius with the help of the users file it
is no problem and it works perfectly, but how can I use the information
from the AD?


Use the ldap module to query AD and add attributes to the reply 
dynamically. For example:


DEFAULT Ldap-Group == "cn=students,dc=domain,dc=com"
	Filter-Id = "Enterasys:version=1:mgmt=su:policy=userrole"

...or similar.




Re: freeradius configuration

2006-08-21 Thread James Wakefield
Have you tried the documentation supplied with the freeradius package? 
It's not bad...


If you need more, try the book RADIUS by Jonothan Hassell, published 
by O'Reilly.


affora deeb wrote:

Hi FreeRADIUS users.
I asked you before if anyone can help me and send the configuration or 
steps of configuration of FreeRADIUS over Linux,

and I'll really appreciate it.
Thanks



--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


Re: rlm_proxy problems

2006-08-21 Thread Alan DeKok
Geoff Silver [EMAIL PROTECTED] wrote:
 rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=121, length=2

  You're getting a *reject* and not any other issue?  Oh...

  That sounds to me like the home server is simply not responding to
the proxy server.  This *should* be mentioned in the log file.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Eap-Tls Problem

2006-08-21 Thread Matteo Lazzarini
/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d

detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /usr/local/var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

After I made the certificate and installed in the client I tried to 
request an authentication but the output show me an error:


rad_recv: Access-Request packet from host 192.168.1.5:1217, id=17, 
length=139

   User-Name = marcello
   NAS-IP-Address = 0.0.0.0
   NAS-Port = 0
   Called-Station-Id = 00-40-05-30-C5-86
   Calling-Station-Id = 00-0C-F1-15-17-59
   NAS-Identifier = DLink-900AP+
   Framed-MTU = 1380
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x020d000d016d617263656c6c6f
   Message-Authenticator = 0x5cf6d0c113ea537193f632be5324ddac
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
 modcall[authorize]: module preprocess returns ok for request 8
radius_xlat:  
'/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060821'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to 
/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060821

 modcall[authorize]: module auth_log returns ok for request 8
 rlm_eap: EAP packet type response id 13 length 13
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 8
   users: Matched entry DEFAULT at line 152
   users: Matched entry marcello at line 219
 modcall[authorize]: module files returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
 rlm_eap: EAP Identity
 rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module eap returns handled for request 8
modcall: leaving group authenticate (returns handled) for request 8
Sending Access-Challenge of id 17 to 192.168.1.5 port 1217
   EAP-Message = 0x010e00060d20
   Message-Authenticator = 0x
   State = 0xf07c05d2e094204483f4809fce1d0c28
Finished request 8
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.5:1217, id=18, 
length=224

   User-Name = marcello
   NAS-IP-Address = 0.0.0.0
   NAS-Port = 0
   Called-Station-Id = 00-40-05-30-C5-86
   Calling-Station-Id = 00-0C-F1-15-17-59
   NAS-Identifier = DLink-900AP+
   Framed-MTU = 1380
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x020e00500d8000461603010041013d030144e9b43485e72b29db6f1029820e8626f3358dc31aacc52a129ce61689ebe58f1600040005000a000900640062000300060013001200630100

   State = 0xf07c05d2e094204483f4809fce1d0c28
   Message-Authenticator = 0x975a5fb5db9745857a408bd7f840d26b
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
 modcall[authorize]: module preprocess returns ok for request 9
radius_xlat:  
'/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060821'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to 
/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060821

 modcall[authorize]: module auth_log returns ok for request 9
 rlm_eap: EAP packet type response id 14 length 80
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 9
   users: Matched entry DEFAULT at line 152
   users: Matched entry marcello at line 219
 modcall[authorize]: module files returns ok for request 9
modcall: leaving group authorize (returns updated) for request 9
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
 eaptls_verify returned 11
   (other): before/accept initialization
   TLS_accept: before/accept initialization
 rlm_eap_tls:  TLS 1.0 Handshake [length 0041], ClientHello
   TLS_accept: SSLv3 read client hello A
 rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
   TLS_accept: SSLv3 write server hello A
 rlm_eap_tls:  TLS 1.0 Handshake [length 063f], Certificate

Ascend-Send-Secret problem

2006-08-21 Thread Jean-Michel Foucher

Hello,

i'm new to freeradius and i tried to install it so that i could use 
cdrtool, openser and freeradius together to make a Call Data Recorder.


Unfortunately, i haven't been able to make it work even once because of 
this error :


ERROR: Ascend-Send-Secret attribute in request: Cannot decrypt it.


Here's an output example with freeradius -xxyz -l stdout :


1 rad_recv: Accounting-Request packet from host 127.0.0.1:42631, id=142, 
length=428

2 --- Walking the entire request list ---
3 Waking up in 31 seconds...
4 Threads: total/active/spare threads = 5/0/5
5 Thread 1 got semaphore
6 Thread 1 handling request 0, (1 handled so far)
7 Acct-Status-Type = Failed
8 Service-Type = IAPP-Register
9 Attr-102 = 0x01e6
10 Error-Cause = 1
11 User-Name = [EMAIL PROTECTED]
12 Calling-Station-Id = sip:[EMAIL PROTECTED]
13 Called-Station-Id = sip:[EMAIL PROTECTED]
14 Attr-107 = 0x7369703a6a616d403139322e3136382e37302e37303a35303630
15 Acct-Session-Id = 
[EMAIL PROTECTED]

16 Attr-104 = 0x3832393436343731393436323038303033
17 Attr-105 = 0x3832393436313631333537333735373638
18 Attr-103 = 0x31
19 X-Ascend-Third-Prompt = n/a
20 ERROR: Ascend-Send-Secret attribute in request: Cannot decrypt it.
21 Server rejecting request 0.
22 Finished request 0
23 Going to the next request
24 Thread 1 waiting to be assigned a request
25 rad_recv: Accounting-Request packet from host 127.0.0.1:42631, 
id=142, length=428

26 Discarding duplicate request from client localhost:42631 - ID: 142


Best regards,

--
Jean-Michel Foucher
OpenWengo, the free and multiplatform VoIP client
http://dev.openwengo.com/


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Ascend-Send-Secret problem

2006-08-21 Thread Alan DeKok
Jean-Michel Foucher [EMAIL PROTECTED] wrote:
 Here's an output example with freeradius -xxyz -l stdout :
...
 14 Attr-107 = 0x7369703a6a616d403139322e3136382e37302e37303a35303630

  That attribute is defined in the default dictionaries.  It looks
like you're not using the dictionaries that are included with
FreeRADIUS, or you've edited them.

 20 ERROR: Ascend-Send-Secret attribute in request: Cannot decrypt it.

  It looks like the dictionaries you have are broken.  The wrong
attribute is marked as being encrypted with the Ascend-Send-Secret.

  Does this happen with radius -X?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: rlm_proxy problems

2006-08-21 Thread Geoff Silver

Alan DeKok wrote:

Geoff Silver [EMAIL PROTECTED] wrote:

rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=121, length=2


  You're getting a *reject* and not any other issue?  Oh...


Am I?  I'm not entirely sure.  Usually I see the client send me an 
Access-Request message.  I then see *me* send an Access-Request to the backend 
server, and finally see an Access-Accept or Access-Reject message (not sure if 
this last one comes from the backend to me or from me to the requesting client).


In the failure case, I'm seeing only one Access-Request, and then eventually 
an Access-Reject that appears to be generated by me.  I can't tell if I've 
actually sent the second request to the backend server and not logged it, or 
not even sent it.



  That sounds to me like the home server is simply not responding to
the proxy server.  This *should* be mentioned in the log file.


I don't see anything in the logs about it, unfortunately.  I'll fire up 
radiusd -AX and see if I can't get our VPN group to send some traffic to 
recreate the problem again.



  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog




Re: freeradius microsoft sql server configuration help

2006-08-21 Thread Duane Cox
 At 17:16 on Sunday 20 August 2006, Albis Nunez wrote:
  Hello Freeradius users, I need help to configure the freeradius to work
  with my Microsoft sql server, if someone can help  or provide me some
  sample configuration I'll really appreciate it. I'm new in this business.
  Thanks in advance.
 
 See this howto
 
 http://it.reinhardt.edu/dave/radius-mssql-howto.html

Good write-up!  Great section on FreeTDS testing.

 
 It works!


how to rewrite and replicate accounting?

2006-08-21 Thread Justin Church
I want to take all accounting packets received and either rewrite 
received attributes or append new attributes using a custom dictionary 
and then replicate the rewritten packets to multiple radius servers. 
Freeradius documentation seems to indicate this should be doable, but I 
can't seem to find any specific examples.  Looks like I need some 
combination of the rlm_attr_rewrite, rlm_preprocess, and rlm_proxy 
modules?  Is this correct?  Thanks in advance.


-jc


groupmembership_filter for LDAP module

2006-08-21 Thread Alexei Monastyrnyi

Hi List.

I am trying to enable group filter to allow only certain LDAP users to 
be able to login to my VPN hub.


I run FreeRADIUS 1.0.2 on SPARC Solaris 9

All users are in group
cn=vpnusers,ou=group,dc=mydomain,dc=com
listed as memberUids

In radiusd.conf I have the following

filter = 
"(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"

groupmembership_filter = 
"(&(&(cn=vpnusers)(objectClass=posixGroup))(memberUid=%{Stripped-User-Name:-%{User-Name}}))"


groupmembership_attribute = vpnusers

It doesn't seem to work, no sign of searching for vpnusers in LDAP 
server logs and users that are not in this group are still able to log in.


I may be missing something... Hints of where to look would be highly 
appreciated.


Cheers,
A.
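The %{...:-default} references used in Alexei's ldap filters above and in Phil's ntlm_auth line in the Autz-Type thread, as an added illustrative re-implementation that is not rlm_ldap or rlm_mschap code: the expander resolves a bare %{Attr} from the request list and %{reply:Attr} from the reply list, falls back to the alternative after :- (itself an xlat string, so the nested %{User-Name} works), and escapes values substituted into an LDAP filter per RFC 4515 as rlm_ldap does. The list names, the sample request attributes and the function names are assumptions of this example.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter, so a user
# name containing filter metacharacters is matched literally, not interpreted.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def _matching_brace(text: str, start: int) -> int:
    """Index of the '}' that closes the '{' at text[start], honouring nesting."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced %{ in: " + text)


def xlat(fmt: str, lists: dict, escape=None) -> str:
    """Expand %{...} references in fmt.

    lists maps a list name ("request", "reply", ...) to {attribute: value}.
    %{Attr} reads the request list, %{list:Attr} a named list, and
    %{...:-alt} expands alt (another xlat string) when the attribute is absent.
    escape, if given, is applied to every substituted attribute value.
    """
    out, i = [], 0
    while i < len(fmt):
        if fmt.startswith("%{", i):
            end = _matching_brace(fmt, i + 1)
            out.append(_expand(fmt[i + 2:end], lists, escape))
            i = end + 1
        else:
            out.append(fmt[i])
            i += 1
    return "".join(out)


def _expand(ref: str, lists: dict, escape) -> str:
    name, has_default, default = ref.partition(":-")
    list_name, _, attr = name.rpartition(":")
    value = lists.get(list_name or "request", {}).get(attr)
    if value is None:
        # Literal default text is trusted configuration; any attribute it
        # references is still escaped by the recursive expansion.
        return xlat(default, lists, escape) if has_default else ""
    return escape(value) if escape else value


# The filter strings from the thread (with the '&' conjunctions) and Phil's
# membership check; the "--other-options" placeholder is omitted here.
USER_FILTER = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
GROUP_FILTER = ("(&(&(cn=vpnusers)(objectClass=posixGroup))"
                "(memberUid=%{Stripped-User-Name:-%{User-Name}}))")
NTLM_AUTH = "ntlm_auth --require-membership-of=%{reply:Tmp-String-1:-Domain Users}"


def build_ldap_filters(request: dict) -> tuple:
    """Return (user filter, group membership filter) for one request's attributes."""
    lists = {"request": request}
    return (xlat(USER_FILTER, lists, ldap_escape),
            xlat(GROUP_FILTER, lists, ldap_escape))


def build_ntlm_auth(reply: dict) -> str:
    """Expand the ntlm_auth command line against the reply list built by 'files'."""
    return xlat(NTLM_AUTH, {"reply": reply})


if __name__ == "__main__":
    # Constructed requests: a realm-stripped name, and a name with metacharacters.
    print(build_ldap_filters({"User-Name": "alice@example.com",
                              "Stripped-User-Name": "alice"}))
    print(build_ldap_filters({"User-Name": "(wild*card)"})[0])
    print(build_ntlm_auth({}))            # falls back to "Domain Users"
```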




Re: Autz-Type Config Clarification

2006-08-21 Thread Nathan L. Cable
Thank you very much for that!  That was exactly the solution I was looking
for.  Now, I only have one instance of mschap, and the physical location of
the wireless access points defines which group mschap looks for users in.

Unfortunately, Windows Server 2003's LDAP server was not an option at my
site because the passwords are not stored in the database.  So, mschap was
the next choice.

Thank you very much for that solution - it's much more elegant than anything
I've managed to come up with so far!

Nathan

PS.  For anyone wanting to use Apple wireless points with their network,
use the Calling-Station-ID attribute to identify your base stations, not
the Called-Station-ID.  The latter does not work for my particular setup.



