Difference between Auth-type=System and Auth type=Local

2006-08-30 Thread ys.hsia



Hi,

I am a beginner with RADIUS and use NTRadPing to test. I am confused about the difference between setting a user in user_conf with Auth-Type := System and with Auth-Type := Local.

If I set a user with Auth-Type := Local in user_conf, radiusd will reply with Access-Accept. If I set a user with Auth-Type := System in user_conf, radiusd will reply with Access-Reject.

Why? Can anyone help?

Best regards,
Hsia
 

  
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
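
As an added illustration, not text from this thread and not the FreeRADIUS project's own users file, here are the two kinds of entry the question contrasts, in FreeRADIUS 1.x users-file syntax. The user names and the password are constructed. The behaviour follows from which module ends up checking the password: with `Local`, radiusd compares against the check item on the line itself; with `System`, the `unix` module in the authenticate section consults the system password database, which is the point Alan DeKok makes in his "(no subject)" replies further down this page.

```text
# users file (FreeRADIUS 1.x syntax).  Added example: "alice", "bob" and the
# password are constructed, not taken from the thread.

# Local: radiusd itself compares the User-Password sent by the NAS with the
# check item stored on this line.  Nothing else is consulted, so a matching
# password yields Access-Accept even if the account exists nowhere else.
alice   Auth-Type := Local, User-Password == "constructed-secret"
        Reply-Message = "Hello, %u"

# System: no password check item is stored here; the authenticate section
# runs rlm_unix, which looks the user up in the system password database
# (/etc/passwd and /etc/shadow, or whatever nsswitch.conf provides).
# An account that does not exist there gets Access-Reject.
bob     Auth-Type := System
        Reply-Message = "Hello, %u"
```

A `Local` entry stores the password in clear text in the users file, so the file should be readable only by the account radiusd runs as; a `System` entry stores nothing, but only works for accounts the host itself can authenticate (try logging in at the shell first, as Alan suggests below).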

Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Tilen
Wohoo it works now :D Clear text password in LDAP worked like a charm now  (dunno why i had problems with it in the past) :P  Thank you all guys 10x!!! 

RE: How to configure free radius to make it listen to different udpports?

2006-08-30 Thread Mike Mitchell
Shankar Ganesh wrote:
>
>   How can i make freeradius listen to different UDP ports? 
 

Hi Shankar,
 
This is very clearly explained in the radiusd.conf configuration file.
Search for "listen"
 
regards,
Mike



Re: How to configure free radius to make it listen to different udp ports?

2006-08-30 Thread James Wakefield
On Thu, 2006-08-31 at 10:34 +0530, Shankar Ganesh C wrote:
> Hi,
>  
> How can i make freeradius listen to different UDP ports? 
>  
> Thanks and regards
> Shankar ganesh
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

http://wiki.freeradius.org/index.php/Radiusd.conf

look for the listen { } section.

-- 
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au

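
The shape of the `listen { }` sections both replies point to, as an added example (not text from the list or from the FreeRADIUS project's radiusd.conf). In FreeRADIUS 1.x each socket the server should bind gets its own `listen` section; the addresses and ports below are constructed.

```text
# radiusd.conf (FreeRADIUS 1.1.x): one listen section per socket.
# Added example; the address and ports are constructed, not from the thread.
listen {
        ipaddr = 192.0.2.10      # bind one interface rather than * (all)
        port = 1812              # authentication
        type = auth
}

listen {
        ipaddr = 192.0.2.10
        port = 1813              # accounting
        type = acct
}

# A second authentication socket on a non-standard port:
listen {
        ipaddr = 192.0.2.10
        port = 18120
        type = auth
}
```

Each section needs its own `type`; binding a specific `ipaddr` instead of `*` keeps the server off interfaces that should never see RADIUS traffic, and `clients.conf` still decides which NAS addresses and shared secrets are accepted on any of these sockets. Running `radiusd -X` shows which sockets were actually bound.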


Generic info rqrd...

2006-08-30 Thread rgopalan



Hi All,

I need some general info on Free Radius.

1) Does it support 64-bit compilers?
2) Does it have support for both Solaris and HP-UX?
3) Is it multi-thread safe?

Thanks in advance,

Ram.




Tech Mahindra, formerly Mahindra-British Telecom.
 




How to configure free radius to make it listen to different udp ports?

2006-08-30 Thread Shankar Ganesh C



Hi,

How can I make freeradius listen to different UDP ports?

Thanks and regards
Shankar ganesh

ippool auth-type error

2006-08-30 Thread Sascha Djuric
SORRY NOW WITH PROPER SUBJECT :D

hello all

I'm new to RADIUS, but I got freeradius configured with MySQL. radtest is
working fine for my test user.

Now I configured an ippool, which gets successfully loaded on startup.

Again radtest works fine; the only new thing is the following trace:

rlm_ippool: enter postauth
rlm_ippool: Could not find Pool-Name attribute.

The "enter postauth" trace was added by me.

Now I added the Pool-Name to radcheck for my user. After that, what happens is:


>>

rad_recv: Access-Request packet from host 127.0.0.1:34065, id=125, length=55
User-Name = "SVD"
User-Password = "secret"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "SVD", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 4
radius_xlat:  'SVD'
rlm_sql (sql): sql_set_user escaped user --> 'SVD'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'SVD'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'SVD' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'SVD'   ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'SVD' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): No matching entry in the database for request from user [SVD]
  modcall[authorize]: module "sql" returns notfound for request 4
modcall: leaving group authorize (returns ok) for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Login incorrect: [SVD/secret] (from client localhost port 0)
<,

Funny thing is, I don't even see the ippool trace again.

I can post more details, but maybe this is a common error.

Thanks in advance for your help



Re: FreeRADIUS crashes after EAP/PEAP authentication

2006-08-30 Thread Nick Larsen
Cool, thanks, I'll try FreeRADIUS 1.1.3, let's hope it solves my problems ;)

Regards,
Nick

On 8/31/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Nick Larsen" <[EMAIL PROTECTED]> wrote:
> > I did notice in the output, just before the backtrace: radlog(L_ERR,
> > "rlm_eap_tls (%s): xlat failed.",
> > Could this be the problem?
>
>   It may be related.
>
> > This GDB was configured as "sparc64-marcel-freebsd"...
> >
> > warning: exec file is newer than core file.
>
>   That's not good.  It means that the information from the core file
> may be useless.
>
>   And I noticed the version is 1.1.1.  Please try 1.1.3, which has a
> number of bugs fixed.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog

--
Regards,
Nick Larsen
Wellington
NEW ZEALAND

RE : no Client-IP-Address in packet

2006-08-30 Thread Michael Mitchell

Mitaine Yoann wrote:
> In my previous email, I forgot to say that when I received a proxied
> packet, I tried to match a rule on the radius server B like:
>
> DEFAULT Huntgroup-Name == "foo", Autz-Type := Ldap
> where foo is defined in the huntgroups file as:
> foo Client-IP-Address == x.x.x.x
>
> in the users file.
> But this one hadn't been matched.
> If somebody has an idea...?

Have you run the server in debug mode to see what it is doing? radiusd -X

As Phil said: "Client-IP-Address is added by the preprocess module. Have you removed this from
"authorize"? If so, don't do that."

The huntgroups file is also processed in the preprocess module, so if you have
removed preprocess from the authorize section then your configuration won't work
anyway.


Re: FreeRADIUS crashes after EAP/PEAP authentication

2006-08-30 Thread Alan DeKok
"Nick Larsen" <[EMAIL PROTECTED]> wrote:
> I did notice in the output, just before the backtrace: radlog(L_ERR,
> "rlm_eap_tls (%s): xlat failed.",
> Could this be the problem?

  It may be related.

> This GDB was configured as "sparc64-marcel-freebsd"...
> 
> warning: exec file is newer than core file.

  That's not good.  It means that the information from the core file
may be useless.

  And I noticed the version is 1.1.1.  Please try 1.1.3, which has a
number of bugs fixed.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Building Freeradius RPM on Redhat ES 4.0

2006-08-30 Thread King, Michael
I seem to be having the same problem.

Editing Line 102 allowed the package to build.

Where did you remove /usr/local/bin from your path?

Mike

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of B Thompson
> Sent: Wednesday, August 30, 2006 6:14 AM
> To: FreeRadius users mailing list
> Subject: Re: Building Freeradius RPM on Redhat ES 4.0
> 
> On Wed, Aug 30, 2006 at 08:47:13AM +0100, B Thompson wrote:
> > On Tue, Aug 29, 2006 at 07:32:23PM -0400, King, Michael wrote:
> > 
> > > cp: will not overwrite just-created
> > > `/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3/README' 
> > > with `README'
> > > error: Bad exit status from /var/tmp/rpm-tmp.49148 (%doc)
> > 
> > I get this error too. It looks like line 102 in the spec file is 
> > causing it :-
> > 
> > %doc doc/* LICENSE COPYRIGHT CREDITS README
> > 
> > Should this line simply be :
> > 
> > %doc doc/*
> > 
> > This change allows the package to build on my system but 
> when I try to 
> > install the rpm I get the following message :-
> > 
> > error: Failed dependencies:
> > /usr/local/bin/perl is needed by freeradius-1.1.3-0.i386
> 
> 
> Having googled about for this I removed /usr/local/bin from 
> my path and ran rpmbuild again. This time everything worked OK.
> 
> 
> -- 
> 
> Ben Thompson
> University of York
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 



certificate issue

2006-08-30 Thread Kartthik
I ran the CA.all script; before it issues the 2nd certificate I get this error message. Surely someone else has faced this issue; could you please help me resolve it.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name []:
+ openssl ca -policy policy_anything -out newcert.pem -passin '' -key '' -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem
Using configuration from /usr/local/openssl/ssl/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
a1:cc:f7:86:19:ea:57:48
Validity
Not Before: Aug 30 22:25:40 2006 GMT
Not After : Aug 30 22:25:40 2007 GMT
Subject:
countryName   = US
stateOrProvinceName   = 
localityName  = 
organizationName  = 
organizationalUnitName= 
commonName= 
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Aug 30 22:25:40 2007 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin 'pass:' -passout 'pass:'
No certificate matches private key
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin 'pass:' -passout 'pass:'
22665:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
unable to load certificate
22666:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: TRUSTED CERTIFICATE
+ echo -e '\n\t\t##\n'

##

thanks in advance.
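
The two lines that matter in the output above are `DEBUG[load_index]: unique_subject = "yes"` and `TXT_DB error number 2` right after the certificate is signed. That error is the OpenSSL CA refusing to insert a new record into its `index.txt` because a still-valid entry with the identical subject is already there (here the subject has every field but `C` empty, and the same empty answers were given before, typically on an earlier run of the script). The PKCS#12 export and the later `no start line` errors are consequences: `newcert.pem` was never written. As an added example, not code from the post, from FreeRADIUS or from OpenSSL, here is a small parser for the CA's `index.txt` that reports which subjects the CA would refuse; the index content is constructed.

```python
# OpenSSL CA index.txt: one tab-separated record per issued certificate:
#   status  expiry(YYMMDDHHMMSSZ)  revocation-date  serial  filename  subject
# status is V (valid), R (revoked) or E (expired).
from collections import defaultdict

STATUS_VALID = "V"

# Constructed index.txt content, not the poster's file: the same empty-subject
# answers were given twice (as CA.all does when re-run), plus a revoked and a
# distinct valid entry.  Serials are constructed.
SAMPLE_INDEX = (
    "V\t070830222540Z\t\t01\tunknown\t/C=US/ST=/L=/O=/OU=/CN=\n"
    "V\t070830222540Z\t\t02\tunknown\t/C=US/ST=/L=/O=/OU=/CN=\n"
    "R\t070901120000Z\t060830120000Z\t03\tunknown\t/C=US/CN=old-server\n"
    "V\t070901120000Z\t\t04\tunknown\t/C=US/CN=radius.example.test\n"
)


def parse_index(text):
    """Parse index.txt into a list of dicts; a malformed line raises ValueError."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        status, expiry, revoked, serial, filename, subject = fields
        entries.append({
            "status": status, "expiry": expiry, "revoked": revoked,
            "serial": serial, "filename": filename, "subject": subject,
        })
    return entries


def find_subject_clashes(entries):
    """Subjects held by more than one *valid* entry, mapped to their serials.

    With unique_subject = yes, `openssl ca` indexes only V rows by subject, so
    an index like this can only have been built with unique_subject = no;
    signing anything with one of these subjects now fails with
    'TXT_DB error number 2'.  Revoked rows do not take part in the check.
    """
    by_subject = defaultdict(list)
    for e in entries:
        if e["status"] == STATUS_VALID:
            by_subject[e["subject"]].append(e["serial"])
    return {subj: serials for subj, serials in by_subject.items() if len(serials) > 1}


def would_clash(entries, subject):
    """True if signing a new request with this subject would be refused."""
    return any(e["status"] == STATUS_VALID and e["subject"] == subject for e in entries)


if __name__ == "__main__":
    rows = parse_index(SAMPLE_INDEX)
    for subj, serials in find_subject_clashes(rows).items():
        print(f"{subj!r} already issued as serials {serials}")
    for subj in ("/C=US/ST=/L=/O=/OU=/CN=", "/C=US/CN=old-server"):
        print(f"{subj!r} would clash: {would_clash(rows, subj)}")
```

The ways out are the ones the index structure implies: give the new request a subject that differs from every valid entry (a real `commonName` for the server, rather than leaving the prompts blank), revoke the earlier certificate so its row becomes `R`, or set `unique_subject = no` in the CA section of `openssl.cnf`; a fresh run of the script against a clean `demoCA` directory also starts with an empty index.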

Re: Freeradius crashed on me

2006-08-30 Thread Alan DeKok
"Lisa Casey" <[EMAIL PROTECTED]> wrote:
> Wed Aug 30 14:19:28 2006 : Error: ERROR: Cannot find a configuration =
> entry for module "exec".

  If that's from a previously working configuration, it looks like
your disk has been corrupted.

  Can you restore from a backup of your configuration?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: (no subject)

2006-08-30 Thread Alan DeKok
"Kartthik" <[EMAIL PROTECTED]> wrote:
> The password aren't in /etc/passwd file. As i joined linux box to
> windows 2003 active directory it should authenticate the users
> against the active directory using winbind. In nsswitch.conf file i
> have configured winbind and here is the configuration:

  if you can login as a normal user (NOT using RADIUS, but at the
shell), then RADIUS authentication will work, too.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Alan DeKok
Tilen <[EMAIL PROTECTED]> wrote:
> Yes i know that, i heard it 100 times already... that's why i'm asking how
> to store them in cleartext/NT hash

  You update the LDAP database to contain the clear-text password.

  How that's done is up to the LDAP server.   See it's documentation.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Freeradius crashed on me

2006-08-30 Thread Lisa Casey




Hi,

I have a FreeBSD 5.3 box running freeradius. This box also runs sendmail and does e-mail for a small number (~50) of users.

For the past two days I have been trying to rebuild sendmail on this box so it would support SMTP Auth. I have not got that working, but that would be truly off-topic for this list. I'm only mentioning this because it MAY have played a role in what happened with Freeradius. As part of trying to get SMTP Auth working, I installed Cyrus-SASL v2. Again, I have no idea if this has any bearing on what happened with radius or not.

I'm working on sendmail, haven't messed with radius at all, radius has been working fine, then I get a call from a customer about 2:00 - he can't get connected. So I took a look at the radius.log and saw this:

Wed Aug 30 14:01:37 2006 : Error: radiusd.conf[1299] Failed to link to module 'rlm_counter': Shared object "libgdbm.so.3" not found, required by "rlm_counter-1.0.1.so"

So I panicked. At this point radius wasn't working and none of our customers can get connected. I started trying to "fix" things on an emergency basis.

I edited /usr/local/etc/raddb/radiusd.conf and commented out my rlm_counter monthly stuff. Then I attempted to restart the radius server. I next got this in radius.log:

Wed Aug 30 14:19:28 2006 : Error: ERROR: Cannot find a configuration entry for module "exec".

So I edited radiusd.conf again and commented out exec in the Instantiate section. I restarted radius and got this in radius.log:

Wed Aug 30 15:07:12 2006 : Error: ERROR: Cannot find a configuration entry for module "expr".

So I edited radiusd.conf again and commented out expr in the Instantiate section. I restarted radius and got this in radius.log:

Wed Aug 30 15:08:31 2006 : Error: /usr/local/etc/raddb/users[1]: Unexpected trailing comma in check item list for entry DEFAULT
Wed Aug 30 15:08:31 2006 : Error: Errors reading /usr/local/etc/raddb/users
Wed Aug 30 15:08:31 2006 : Error: radiusd.conf[1020]: files: Module instantiation failed.

So I edited my users file and removed the DEFAULT entry I had at the top for monthly time limits. I then restarted radius and now it works.

My question is: What the hell happened? I honestly don't know. I haven't been working on radius or changed anything. What I was doing was installing Cyrus SASL and attempting to rebuild Sendmail.

The only thing I can figure is that while I was messing around with SASL and sendmail I did something with shared libraries? I don't have a clue if this is what happened, but if it is I don't know where to go look to see what's wrong with libraries (if anything).

Help, please? Anyone?

Thanks,

Lisa Casey

Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Tilen
Alan DeKok wrote:
>   It is impossible to do MS-CHAP if the passwords are stored in
> crypt'd format.

Yes, I know that, I heard it 100 times already... that's why I'm asking how to store them in cleartext/NT hash (I still posted the radius output though, just in case). I think I tried once by simply typing the PW in cleartext in the LDAP users file before importing the user to the database but it didn't work. Will try again tomorrow.

Edvin Seferovic wrote:
> Set up the ldap module right for your server and map your NAS attributes to
> the LDAP attributes! Shouldn't be hard to set up!

Yes, the module is already set up correctly for my server, will try to set up the attributes now. Hope it really isn't too hard :) Thanks for the help.


(no subject)

2006-08-30 Thread Kartthik
Alan,

The passwords aren't in the /etc/passwd file. As I joined the Linux box to the Windows 2003 Active Directory, it should authenticate the users against the Active Directory using winbind. In nsswitch.conf I have configured winbind and here is the configuration:

passwd: files winbind
shadow: files winbind
group:  files winbind

#hosts: db files nisplus nis dns
hosts:  files winbind dns

I am able to read the Active Directory users with the wbinfo -u command. Here are a few lines of output:

domain\kartthikr
domain\test

Still I get the same error message as before:

rad_recv: Access-Request packet from host 127.0.0.1:32802, id=165, length=61
User-Name = "kartthikr"
User-Password = ""
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "kartthikr", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  modcall[authenticate]: module "unix" returns notfound for request 1
modcall: leaving group authenticate (returns notfound) for request 1
auth: Failed to validate the user.

So I'm not sure what I am doing wrong here, please help me!!!

Kartthik


"Kartthik" <[EMAIL PROTECTED]> wrote:
> When i try to execute the radtest command with AD user logon credentials it rejects the packet and here is the output.
...
> rad_check_password: Found Auth-Type System
> auth: type "System"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_unix: [test]: invalid password

The user isn't in /etc/passwd.

What, exactly did you do to configure the server to check the user
against the AD login credentials?

Alan DeKok.

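
Both rejections on this page can be read straight off the `radiusd -X` trace. In the "ippool auth-type error" message the `sql` module returns `notfound` in `authorize` and the server then logs `No authenticate method (Auth-Type) configuration found`: no authorize module found the user, so no Auth-Type was set and the request was rejected before `authenticate` ever ran (which is also why the ippool post-auth trace never appears). In the message above, `files` matched a DEFAULT entry that set `Auth-Type System`, and the `unix` module then returned `notfound` in `authenticate`: the account does not exist in the system password database the server consults. As an added example, not code from the list or from the FreeRADIUS project, here is a small parser that extracts the per-module results from such a trace and names the reason for the rejection; the two log excerpts are constructed to mirror the traces posted, not copies of them.

```python
import re

# Two constructed radiusd -X excerpts modelled on the traces posted in the
# "ippool auth-type error" and "(no subject)" messages; they are not copies.
LOG_NO_AUTH_TYPE = """\
rad_recv: Access-Request packet from host 127.0.0.1:34065, id=125, length=55
\tUser-Name = "SVD"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
  modcall[authorize]: module "sql" returns notfound for request 4
modcall: leaving group authorize (returns ok) for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
"""

LOG_UNIX_NOTFOUND = """\
rad_recv: Access-Request packet from host 127.0.0.1:32802, id=165, length=61
\tUser-Name = "kartthikr"
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type System
auth: type "System"
  modcall[authenticate]: module "unix" returns notfound for request 1
modcall: leaving group authenticate (returns notfound) for request 1
auth: Failed to validate the user.
"""

MODCALL_RE = re.compile(
    r'modcall\[(?P<section>\w+)\]: module "(?P<module>[^"]+)" '
    r'returns (?P<rc>\w+) for request (?P<req>\d+)'
)
AUTH_TYPE_RE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')
USER_RE = re.compile(r'User-Name = "([^"]*)"')
NO_AUTH_TYPE_MSG = "No authenticate method (Auth-Type) configuration found"


def parse_modcalls(log):
    """Return [(section, module, rc), ...] in the order radiusd logged them."""
    return [(m["section"], m["module"], m["rc"]) for m in MODCALL_RE.finditer(log)]


def find_auth_type(log):
    """The Auth-Type radiusd settled on, or None if no module set one."""
    m = AUTH_TYPE_RE.search(log)
    return m.group(1) if m else None


def triage(log):
    """Summarise one request's debug trace and explain a rejection."""
    calls = parse_modcalls(log)
    user = USER_RE.search(log)
    findings = []
    if NO_AUTH_TYPE_MSG in log:
        findings.append("no authorize module set Auth-Type; rejected before authenticate ran")
    for section, module, rc in calls:
        if section == "authorize" and module == "sql" and rc == "notfound":
            findings.append("sql: no radcheck/radgroupcheck row matched the user")
        if section == "authenticate" and module == "unix" and rc == "notfound":
            findings.append("unix: user is not in the system password database (/etc/passwd or NSS)")
    return {
        "user": user.group(1) if user else None,
        "auth_type": find_auth_type(log),
        "authorize": [(m, rc) for s, m, rc in calls if s == "authorize"],
        "authenticate": [(m, rc) for s, m, rc in calls if s == "authenticate"],
        "findings": findings,
    }


if __name__ == "__main__":
    for log in (LOG_NO_AUTH_TYPE, LOG_UNIX_NOTFOUND):
        r = triage(log)
        print(f"user={r['user']} auth_type={r['auth_type']}")
        for f in r["findings"]:
            print("  -", f)
```

Run on a real trace, the `authorize` list shows which module (files, sql, ldap) was supposed to find the user and what it returned; `sql: notfound` means the SELECT statements printed just above it matched no row at all, so the thing to check is the radcheck row itself (user name, `op` column) rather than the ippool configuration, and `unix: notfound` means the fix is on the host (can that user log in at a shell?) rather than in radiusd.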

Re: WebDAV HTTP Auth to RADIUS, possible?

2006-08-30 Thread Alan DeKok
"Michael Check" <[EMAIL PROTECTED]> wrote:
> Is it possible to set up an Apache 1.3 server with WebDAV to
> authenticate to a freeRADIUS?

  Unless I'm mistaken, webdav uses HTTP digest for authentication.
That makes it difficult.

> Ideally, I would like to tell the Apache directives to look at
> freeRADIUS for authentication using the httpd.conf file.

  If it's using basic authentication, mod_auth_radius can help.

> We're using freeRadius 1.1.0 on OSX.4, successfully authenticatiing
> off an Active Directory master.

  If it's using HTTP digest authentication, then this is impossible.
HTTP digest requires the clear-text password, and AD doesn't supply it.  

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Alan DeKok
Tilen <[EMAIL PROTECTED]> wrote:
> rlm_ldap: Added password {crypt}$1$9wlsOcEJ$QA/FskGvrnnmsj1SWi1kY/ in check
> items
...
>   rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

  http://deployingradius.com/documents/protocols/compatibility.html

  It is impossible to do MS-CHAP if the passwords are stored in
crypt'd format.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: RE : Re: no Client-IP-Address in packet

2006-08-30 Thread Phil Mayers

Mitaine Yoann wrote:
> Michael Mitchell <[EMAIL PROTECTED]> wrote:
> > Client-IP-Address is an internal freeRADIUS attribute, and is not
> > defined in the RFC's. Hence it is never proxied to another server.
>
> Yes, I am aware of that. I said that, in fact.
>
> > In fact, the "Client-IP-Address" for server B in the example above
> > would be the address of server A, and not the NAS.
>
> Exactly, but it would seem that never arrives.
> Could you tell me how to make it so that the Client-IP-Address has the
> IP address value of server A.

Don't remove the preprocess module from authorize.


RE: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Seferovic Edvin








Set up the ldap module right for your server and map your NAS attributes to the LDAP attributes! Shouldn't be hard to set up!

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tilen
Sent: Wednesday, 30 August 2006 16:58
To: FreeRadius users mailing list
Subject: Re: Freeradius + OpenLDAP - user password problem

> So, what I want to achieve is, to authorize against OpenLDAP the
> easiest way. I don't care if I use cleartext passwords or NT hashes. What would
> be the fastest way to make things work? I'm running out of time for this >.<

Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Alan DeKok
Tilen <[EMAIL PROTECTED]> wrote:
>  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
...
> Hm, now i have to make LDAP passwords in NT hash and it will work (still
> gotta figure out how)? Or should i make changes in ldap.attrmap file too?

  No.  If you have the clear-text password in the ldap "userPassword"
attribute, it should just work.


  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: 2.0.0-pre0 from CVS: Invalid version in module

2006-08-30 Thread Alan DeKok
Christian Hahn <[EMAIL PROTECTED]> wrote:
> I've just compiled the CVS version from 20060830 with
> prefix=/root/bin/freeradius-cvs. When starting radiusd it complains
> that the compiled modules have the wrong version:
> 
> - 8<
> radiusd:  entering modules setup
> Module: Library search path is /root/bin/freeradius-cvs/lib
> radiusd.conf[1634] Invalid version in module 'rlm_exec'
> Errors setting up modules

  You've installed the CVS version on a box which already had 1.1.3,
and it's picking up the old modules.  Those modules are incompatible,
hence the error message.

> And all the modules in lib are freshly build and installed with the
> server. I have also checked the radiusd.conf for wrong lib paths.

  The only other thing is that maybe it's a 64 bit issue?  The CVS
version works fine for me, but I don't run on a 64-bit platform.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Problem using EAP-TTLS

2006-08-30 Thread Alan DeKok
"luigi natalino" <[EMAIL PROTECTED]> wrote:
> I've launched chillispot  with --eapolenable option -> chilli --eapolenable
> I've installed and configured SecureW2 client on WinXP.
> The problem is that EAP-TTLS are not used as shown in this log:

  Which shows a CHAP session.

> Have I done any mistake in the Freeradius configuration or it depends on 
> SecureW2?

  The client is choosing to do CHAP.  You've probably "logged in" via
a web page on the Chillispot server.  This means you're not using
SecureW2 at all.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: sqlcounter

2006-08-30 Thread Guy Fraser
On Wed, 2006-08-30 at 15:35 +0200, Graham Beneke wrote:
> K. Hoercher wrote:
> > On 8/29/06, Fabiano Martins <[EMAIL PROTECTED]> wrote:
> >> I've been searching with no success about this... It's frustrating...
> >> there are no documents about it.
> >
> > Perhaps looking into the very obscure doc/rlm_sqlcounter file
> > helps, although it's not "DOC" for some strange reason.
> >
> 
> I've also looked at that document and it has not got me any closer to
> knowing what is going on. It gives examples of how to use sqlcounter for
> time based billing - but it does not explain what the different elements
> of the sqlcounter are - or how they work.
> 
> I am wanting to build an octets based billing system using some custom
> dictionary items from the Chillispot NAS - but I can't find info
> anywhere. Although I have heard that it has been successfully been
> implemented.

There is also some "documentation" in the config file.

There may also be some "documentation" in the comments 
within the source code.

I believe this has been discussed many times and there should 
be some information in the archives. Have you Googled for it?

Once you figure it out, maybe you wouldn't mind contributing 
some better documentation for rlm_sqlcounter to the project.
I am sure future implementers would appreciate it.




Re: 1.1.3 on Solaris 10 (sparc)

2006-08-30 Thread Alan DeKok
> I would be most interested in your posting. At this point I'm trying to get 
> plain old rlm_unix working using /etc/passwd & secret to get a foundation 
> established, but I'm getting authentication failures, which I think are to do with 
> the compilation and radiusd.conf of unix and pam.

  So... post the debug log.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Interface binding problem

2006-08-30 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> The CVS snapshot indicates that this will be version 2.0. Is this the 
> next planned release or is it more like a development branch which is 
> maintained together with a stable 1.1-branch?

  We plan on releasing 2.0 this fall, based on what's in CVS.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: How to return the values from the exec program to free radius?

2006-08-30 Thread Alan DeKok
Shankar Ganesh C <[EMAIL PROTECTED]> wrote:
> Could some body help me to know how to return values from the exec program ?

  scripts/exec-program-wait

  It describes what to do.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Dialupadmin in dedicated server

2006-08-30 Thread Guilherme Franco
Thank you very much Kostas! I really appreciate your help!

On 8/30/06, Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> On Wed, 30 Aug 2006, Guilherme Franco wrote:
> > Hello,
> >
> > I need to use Dialup Admin that is installed alone in a dedicated server.
> >
> > In the dialupadmin admin.config, it states that it needs the
> > /etc/local/radius in the same machine.
> >
> > What can I do? (considering that the freeradius is installed in another
> > server)
>
> dialupadmin does not really need radius in the same machine. The dependencies
> are the following:
> test user page needs radclient
> log_badlogins can read the clients.conf to find nas information
>
> So you can place a statically linked radclient on the same machine with
> dialupadmin (in order for the test page to work) and if you need log_badlogins
> you can also transfer your clients.conf file.
>
> > Thank you.
>
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED]   National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS crashes after EAP/PEAP authentication

2006-08-30 Thread Alan DeKok
"Nick Larsen" <[EMAIL PROTECTED]> wrote:
> Segmentation fault: 11 (core dumped)
> [EMAIL PROTECTED] [/etc/raddb]#

  See doc/bugs.  It describes exactly what to do when you get a core dump.

  And the contents of the core dump say what's going wrong, too.  

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 2.0.0-pre0 from CVS: Invalid version in module

2006-08-30 Thread Duane Cox
> I've just compiled the CVS version from 20060830 with
> prefix=/root/bin/freeradius-cvs. When starting radiusd it complains
> that the compiled modules have the wrong version:

I've been running 2.0.0-pre0 for quite some time, and constantly cvs update too.
I'm not sure what exact date my check out is, but I run this and have never 
seen any problems that you pointed out.

./configure --prefix=/usr \
  --libexecdir=/usr/sbin \
  --localstatedir=/var \
  --sysconfdir=/etc \
  --with-raddbdir=/srv/radiusd \
  --with-docdir=/usr/share/doc/freeradius-2.0.0-pre0 \
  --with-logdir=/var/log \
  --with-radacctdir=/srv/radiusd/acct \
  --with-gnu-ld \
  --without-rlm_x99_token &&
make &&
make install


> 
> - 8<
> radiusd:  entering modules setup
> Module: Library search path is /root/bin/freeradius-cvs/lib
> radiusd.conf[1634] Invalid version in module 'rlm_exec'
> Errors setting up modules
> - >8
> 
> This happens not only for the rlm_exec module, if I comment this out
> it gives an error for rlm_expr ... a.s.o.
> I have:
> 
> radiusd: FreeRADIUS Version 2.0.0-pre0, for host
> x86_64-unknown-linux-gnu, built on Aug 30 2006 at 12:58:10
> 
> And all the modules in lib are freshly build and installed with the
> server. I have also checked the radiusd.conf for wrong lib paths.
> 
> Any ideas what happend here?
> 
> thanks,
> Christian Hahn
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius and SNMP

2006-08-30 Thread Michael Schwartzkopff
On Tuesday, 29 August 2006 22:35, Kevin Bonner wrote:
(...)
> The private enterprise number 3317 is assigned by IANA [1] to "Port
> Community Rotterdam", which released the GNOME-SMI MIB module.  The
> GNOME-SMI MIB is used in mibs/GNOME-PRODUCT-RADIUSD-MIB, and using that
> file you can obtain a full object name for the enterprises.3317.1.3.1 OID. 
> It's only use right now is for the SMUX connection, but may also be needed
> if/when AgentX support is added.
>
> Kevin Bonner

Hi,

thanks for that explanation. But my question was: why do I get no answer if I 
do 

snmpwalk (...) localhost enterprises.3317

while walking mib-2.67 gives results?

Michael.
-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS multi clients

2006-08-30 Thread Matteo Lazzarini

K. Hoercher wrote:
> On 8/29/06, Lazzarini Matteo <[EMAIL PROTECTED]> wrote:
>> First of all I excuse myself for my English. :-(
>
> Ah no problem, after it got sorted out.
>
>> itself correctly to the wlan, authenticated from freeradius with
>> eap-tls.
>>
>> Now therefore there are no more problems as regards the
>> authentication.
>
> Grats. So it was just my pessimism to suppose there are still issues.
>
>> The CA.all script generates me only 1 server, 1 client and 1 root
>
> Hm. Ok, those are just provided to be able to check the freeradius
> setup with respect to eap et al., they are not meant to be a
> production CA. So I'd suggest looking at openssl.org for further
> information (looking at the scripts might give you some starting point
> though). Basically you are to issue (unique) client certs (modelled to
> the one CA.all gave you) to other users either by acting as your own
> CA or using some commercial CA.
>
> regards
> K. Hoercher

I need certs for 3 clients, for some tests on freeradius with a 
sniffer that captures the input.
Therefore I want test certs of the type I already use, generated 
with the CA.all script.

How can I make 3 distinct certs for the clients?
Is it possible to modify CA.all in order to create certs for 1 root, 1 
server and 3 or more client certs for EAP-TLS (xpextensions included)?
Does someone know of guides that can give me information and help me?

A thousand thanks to all

Matteo ;-)
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Tilen
So, what i want to achieve is, to authorize against OpenLDAP the
easiest way. I don't care if i use cleartext passwords or NT hashes.
What would be the fastest way to make things work? I'm running out of
time for this >.<
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE : Re: no Client-IP-Address in packet

2006-08-30 Thread Mitaine Yoann
Michael Mitchell <[EMAIL PROTECTED]> wrote:
> Client-IP-Address is an internal freeRADIUS attribute, and is not defined in
> the RFC's. Hence it is never proxied to another server.
>
> In fact, the "Client-IP-Address" for server B in the example above would be
> the address of server A, and not the NAS.

Exactly, but it would seem that it never arrives. Could you tell me how to make
the Client-IP-Address have the IP address value of server A?

Yours sincerely
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Tilen
Ok sorry for spamming :) But here is an update (again):

I noticed i had " password_attribute = userPassword" commented out in ldap module configuration. 
After i uncommented that, i get new output:

 
  ...
modcall[authorize]: module "eap" returns updated for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(uid=test)'
radius_xlat:  'ou=People,dc=kapion,dc=si'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test)
rlm_ldap: Added password {crypt}$1$9wlsOcEJ$QA/FskGvrnnmsj1SWi1kY/ in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 5
  rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 5
modcall: group Auth-Type returns reject for request 5
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 5
modcall: group authenticate returns reject for request 5
auth: Failed to validate the user.
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
  
...


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Tilen
Yes yes, i understand, this works now :) I copied CA public key to wireless client and now it works. Now i only get this error:

 rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 5
modcall: group Auth-Type returns reject for request 5
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 5
modcall: group authenticate returns reject for request 5
auth: Failed to validate the user.
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE

Hm, now i have to make LDAP passwords in NT hash and it will work
(still gotta figure out how)? Or should i make changes in ldap.attrmap
file too?
 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
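
Both debug excerpts above point to the same thing, so here is an added example (not from the thread or the project) that shows the value the directory has to hold. MS-CHAPv2 proves knowledge of the NT hash, which is MD4 over the UTF-16LE encoding of the password; the server therefore needs either the cleartext password or that hash, and a one-way crypt(3) string such as the {crypt}$1$... value that was added as a check item in the earlier output provides neither, which is why rlm_mschap reports "No NT/LM-Password". The script computes the NT hash and emits an LDIF fragment that stores it in ntPassword, one of the attribute names the ldap.attrmap shipped with 1.x maps to NT-Password; the DN and attribute name are assumptions to adjust to your schema, and MD4 is implemented inline because hashlib often does not expose it. Caveat: the NT hash is unsalted and is by itself enough to complete an MS-CHAPv2 exchange, so it must be protected by LDAP ACLs as strictly as a cleartext password.

```python
"""NT-Password from a cleartext password (added example, not project code).

MS-CHAPv2 needs the NT hash: MD4 over the UTF-16LE encoding of the
password. hashlib's md4 is frequently unavailable (OpenSSL legacy
provider), so a small RFC 1320 MD4 is included here.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# (function, additive constant, message-word order, rotations) per round.
_ROUNDS = (
    (_f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
    (_g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (little-endian words, 64-byte blocks)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, const, order, shifts in _ROUNDS:
            for i in range(16):
                r = (-i) % 4  # register updated this step: a, d, c, b, a, ...
                x, y, z = v[(r + 1) % 4], v[(r + 2) % 4], v[(r + 3) % 4]
                v[r] = _rotl((v[r] + fn(x, y, z) + words[order[i]] + const) & _MASK,
                             shifts[i % 4])
        state = [(s + t) & _MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Uppercase hex NT hash, the form stored in ntPassword/sambaNTPassword."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ldif_for(dn: str, password: str) -> str:
    """LDIF modify that sets the NT hash on an existing entry.

    ntPassword is one of the names ldap.attrmap maps to NT-Password; the DN
    and attribute are assumptions to adjust to the schema in use.
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: ntPassword",
        f"ntPassword: {nt_hash(password)}",
        "",
    ])
```

Feed the LDIF to ldapmodify as a bind DN that may write the attribute, then confirm in radiusd -X that rlm_ldap adds NT-Password rather than a {crypt} User-Password to the check items; after that rlm_mschap no longer needs a cleartext password. If the directory must also serve PAP or EAP-TTLS/PAP clients, keep the existing hash alongside the NT hash rather than replacing it.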

wpa auth.xp stuck on login

2006-08-30 Thread Collen Blijenberg

Good day to you all,

I'm kinda stuck with authenticating a windows xp sp2 laptop to a wlan ap
that uses wpa.

i followed the 802.1X port based auth howto from tldp.org but no luck.
the idea is to use ms-chapv2, eap, tls, peap
in the log file i can see the user auth. come by, but no errors or 
problems showed up.

the other day, a friend tried it with his mac i-book, and he did get in!?
but now my xp machine doesn't..  dunno where it goes wrong..

starting  radiusd -XX gives a lot of output, but no errors shown either.
here is a small dump..
-
rad_recv: Access-Request packet from host 10.0.0.20:3072, id=0, length=125
   User-Name = "collen"
   NAS-IP-Address = 10.0.0.20
   Called-Station-Id = "0016b69e59c3"
   Calling-Station-Id = "00166f980e78"
   NAS-Identifier = "0016b69e59c3"
   NAS-Port = 46
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x020b01636f6c6c656e
   Message-Authenticator = 0xe97abfadc688db9d412503fc8a0e283f
Wed Aug 30 15:53:02 2006 : Debug:   Processing the authorize section of 
radiusd.conf
Wed Aug 30 15:53:02 2006 : Debug: modcall: entering group authorize for 
request 0
Wed Aug 30 15:53:02 2006 : Debug:   modsingle[authorize]: calling 
preprocess (rlm_preprocess) for request 0
Wed Aug 30 15:53:02 2006 : Debug:   modsingle[authorize]: returned from 
preprocess (rlm_preprocess) for request 0
Wed Aug 30 15:53:02 2006 : Debug:   modcall[authorize]: module 
"preprocess" returns ok for request 0
Wed Aug 30 15:53:02 2006 : Debug:   modsingle[authorize]: calling 
auth_log (rlm_detail) for request 0
Wed Aug 30 15:53:02 2006 : Debug: radius_xlat:  
'/usr/local/freeradius/var/log/radius/radacct/10.0.0.20/auth-detail-20060830'
Wed Aug 30 15:53:02 2006 : Debug: rlm_detail: 
/usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to 
/usr/local/freeradius/var/log/radius/radacct/10.0.0.20/auth-detail-20060830
Wed Aug 30 15:53:02 2006 : Debug:   modsingle[authorize]: returned from 
auth_log (rlm_detail) for request 0
Wed Aug 30 15:53:02 2006 : Debug:   modcall[authorize]: module 
"auth_log" returns ok for request 0
Wed Aug 30 15:53:02 2006 : Debug:   modsingle[authorize]: calling mschap 
(rlm_mschap) for request 0
Wed Aug 30 15:53:02 2006 : Debug:   modsingle[authorize]: returned from 
mschap (rlm_mschap) for request 0
Wed Aug 30 15:53:02 2006 : Debug:   modcall[authorize]: module "mschap" 
returns noop for request 0
Wed Aug 30 15:53:02 2006 : Debug:   modsingle[authorize]: calling eap 
(rlm_eap) for request 0
Wed Aug 30 15:53:02 2006 : Debug:   rlm_eap: EAP packet type response id 
0 length 11
Wed Aug 30 15:53:02 2006 : Debug:   rlm_eap: No EAP Start, assuming it's 
an on-going EAP conversation
Wed Aug 30 15:53:02 2006 : Debug:   modsingle[authorize]: returned from 
eap (rlm_eap) for request 0
Wed Aug 30 15:53:02 2006 : Debug:   modcall[authorize]: module "eap" 
returns updated for request 0
Wed Aug 30 15:53:02 2006 : Debug:   modsingle[authorize]: calling files 
(rlm_files) for request 0
Wed Aug 30 15:53:02 2006 : Debug: users: Matched entry collen at 
line 217
Wed Aug 30 15:53:02 2006 : Debug:   modsingle[authorize]: returned from 
files (rlm_files) for request 0
Wed Aug 30 15:53:02 2006 : Debug:   modcall[authorize]: module "files" 
returns ok for request 0
Wed Aug 30 15:53:02 2006 : Debug: modcall: leaving group authorize 
(returns updated) for request 0

Wed Aug 30 15:53:02 2006 : Debug:   rad_check_password:  Found Auth-Type EAP
Wed Aug 30 15:53:02 2006 : Debug: auth: type "EAP"
Wed Aug 30 15:53:02 2006 : Debug:   Processing the authenticate section 
of radiusd.conf
Wed Aug 30 15:53:02 2006 : Debug: modcall: entering group authenticate 
for request 0
Wed Aug 30 15:53:02 2006 : Debug:   modsingle[authenticate]: calling eap 
(rlm_eap) for request 0

Wed Aug 30 15:53:02 2006 : Debug:   rlm_eap: EAP Identity
Wed Aug 30 15:53:02 2006 : Debug:   rlm_eap: processing type tls
Wed Aug 30 15:53:02 2006 : Debug:   rlm_eap_tls: Initiate
Wed Aug 30 15:53:02 2006 : Debug:   rlm_eap_tls: Start returned 1
Wed Aug 30 15:53:02 2006 : Debug:   modsingle[authenticate]: returned 
from eap (rlm_eap) for request 0
Wed Aug 30 15:53:02 2006 : Debug:   modcall[authenticate]: module "eap" 
returns handled for request 0
Wed Aug 30 15:53:02 2006 : Debug: modcall: leaving group authenticate 
(returns handled) for request 0

Sending Access-Challenge of id 0 to 10.0.0.20 port 3072
   Reply-Message = "Go and See your system administrator"
   EAP-Message = 0x010100061920
   Message-Authenticator = 0x
   State = 0x514be7fc208b2ee1df2cc191b5282f3a
Wed Aug 30 15:53:02 2006 : Debug: Finished request 0
Wed Aug 30 15:53:02 2006 : Debug: Going to the next request
Wed Aug 30 15:53:02 2006 : Debug: --- Walking the entire r
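
Decoding the hex EAP-Message values in a radiusd -X dump is the quickest way to see what each side is proposing, so here is an added decoder in Python (not from the thread or the project) for the EAP header and the flag byte used by EAP-TLS, EAP-TTLS and PEAP. Applied to the Access-Challenge above, 0x010100061920 is an EAP-Request with id 1 and length 6 of type 25 (PEAP), with the Start flag set and version 0: the server is opening a PEAP conversation, and a supplicant that is not configured for PEAP will not answer it. The identity response in the same dump is not used because the archive has dropped its zero bytes (the decoder's length check rejects it); a constructed Response/Identity built by the helper is used for the round trip instead. Code and type names follow RFC 3748 and the IANA EAP method registry.

```python
"""Decode EAP-Message values from FreeRADIUS debug output (added example,
not code from the thread or the project)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 21, 25}   # methods that carry the L/M/S flag byte


def decode_eap(hexstr: str) -> dict:
    """Parse one EAP packet given as the 0x... string radiusd prints."""
    hexdigits = hexstr[2:] if hexstr.lower().startswith("0x") else hexstr
    raw = bytes.fromhex(hexdigits)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # Mangled dumps (missing zero bytes) show up here.
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        etype = raw[4]
        out["type"] = EAP_TYPES.get(etype, etype)
        payload = raw[5:]
        if etype == 1:
            out["identity"] = payload.decode("utf-8", "replace")
        elif etype in TLS_BASED and payload:
            flags = payload[0]
            out["flags"] = {"L": bool(flags & 0x80),   # TLS length follows
                            "M": bool(flags & 0x40),   # more fragments
                            "S": bool(flags & 0x20)}   # start of conversation
            if etype in (21, 25):
                out["version"] = flags & 0x07          # TTLS/PEAP version bits
            body = payload[1:]
            if out["flags"]["L"] and len(body) >= 4:
                out["tls_total_len"] = struct.unpack("!I", body[:4])[0]
                body = body[4:]
            out["tls_data_len"] = len(body)
    return out


def build_identity_response(ident: int, name: str) -> str:
    """Encode a Response/Identity in the 0x... form (for round-trip checks)."""
    body = name.encode("utf-8")
    pkt = struct.pack("!BBHB", 2, ident, 5 + len(body), 1) + body
    return "0x" + pkt.hex()
```

Run decode_eap over the EAP-Message of each packet in the dump in turn: the first Response after the PEAP Start should be type 25 carrying TLS data (a ClientHello), and a Response of type 3 (Nak) instead means the supplicant refused the method the server offered, which is the usual reason a Windows client stalls at the login prompt.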

Re: Reply VSA-s in Access-Reject

2006-08-30 Thread Nicolas Baradakis
Yervand Petrosyan wrote:

> Really, it would be reasonably to have this option
> configurable.

As always, patches are welcome.

-- 
Nicolas Baradakis

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: sqlcounter

2006-08-30 Thread Graham Beneke
K. Hoercher wrote:
> On 8/29/06, Fabiano Martins <[EMAIL PROTECTED]> wrote:
>> I've been searching with no success about this... It's frustrating...
>> there is no documents about.
>
> Perhaps looking into the very obscure doc/rlm_sqlcounter file
> helps, although it's not "DOC" for some strange reason.
>

I've also looked at that document and it has not got me any closer to
knowing what is going on. It gives examples of how to use sqlcounter for
time based billing - but it does not explain what the different elements
of the sqlcounter are - or how they work.

I am wanting to build an octets based billing system using some custom
dictionary items from the Chillispot NAS - but I can't find info
anywhere. Although I have heard that it has been successfully been
implemented.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Tilen
Ok, never mind, I get it now. The client needs the CA public key to verify the certificate authority, because I created it and it is not in a public registry. So, if I copy cacert.pem to the client machine I should get rid of this error, right? Will try it now, really hope it works :D

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: no Client-IP-Address in packet

2006-08-30 Thread Michael Mitchell

Phil Mayers wrote:

Mitaine Yoann wrote:

When I proxied  the request from to server A to the server B, there 
wasn't

Client-IP-Address in the packet.


Client-IP-Address is added by the preprocess module. Have you removed 
this from "authorize"? If so, don't do that.



Client-IP-Address is an internal freeRADIUS attribute, and is not defined in 
the RFC's. Hence it is never proxied to another server.

In fact, the "Client-IP-Address" for server B in the example above would be the 
address of server A, and not the NAS.

regards,
Mike

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE : no Client-IP-Address in packet

2006-08-30 Thread Mitaine Yoann
Dear everybody,

In my previous email, I forgot to say that when I received a proxied packet, I
tried to match a rule on the radius server B like:

DEFAULT Huntgroup-Name == "foo", Autz-Type := Ldap

in the users file, where foo is defined in the huntgroups file as:

foo Client-IP-Address == x.x.x.x

But this one hadn't been matched. If somebody has an idea...?

Mitaine Yoann <[EMAIL PROTECTED]> wrote:
> Dear everybody,
>
> I've installed the radius's CVS version of 08-23-06.
>
> I've this architecture:
>
> client <> AP <> Radius A <> Radius B
>         802.1X           proxying
>
> The client does not have an IP address; it recovers its IP address from the
> DHCP server installed in radius server A, after being authenticated.
>
> I'm doing an EAP/TTLS authentication.
>
> When I proxied the request from server A to server B, there wasn't a
> Client-IP-Address in the packet. I thought radius server A would have put
> its own IP address in the Client-IP-Address attribute before sending the
> packet to server B. So, I would like to know if it's a normal situation and
> in this case, how I could insert the Client-IP-Address attribute in the
> packet.
>
> Thanks in advance.
> Yours sincerely.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

2.0.0-pre0 from CVS: Invalid version in module

2006-08-30 Thread Christian Hahn

Hi,

I don't know if this is better asked on the developers list, but
before I bother these guys I will try it here.

I've just compiled the CVS version from 20060830 with
prefix=/root/bin/freeradius-cvs. When starting radiusd it complains
that the compiled modules have the wrong version:

- 8<
radiusd:  entering modules setup
Module: Library search path is /root/bin/freeradius-cvs/lib
radiusd.conf[1634] Invalid version in module 'rlm_exec'
Errors setting up modules
- >8

This happens not only for the rlm_exec module, if I comment this out
it gives an error for rlm_expr ... a.s.o.
I have:

radiusd: FreeRADIUS Version 2.0.0-pre0, for host
x86_64-unknown-linux-gnu, built on Aug 30 2006 at 12:58:10

And all the modules in lib are freshly build and installed with the
server. I have also checked the radiusd.conf for wrong lib paths.

Any ideas what happend here?

thanks,
Christian Hahn
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dialupadmin in dedicated server

2006-08-30 Thread Kostas Kalevras

On Wed, 30 Aug 2006, Guilherme Franco wrote:


Hello,

I need to use Dialup Admin that is installed alone in a dedicated server.

In the dialupadmin admin.config, it states thats it needs the
/etc/local/radius in the same machine.

What can I do? (considering that the freeradius in installed in another
server)


dialupadmin does not really need radius in the same machine. The dependencies 
are the following:

test user page needs radclient
log_badlogins can read the clients.conf to find nas information

So you can place a statically linked radclient on the same machine with 
dialupadmin (in order for the test page to work) and if you need log_badlogins 
you can also transfer your clients.conf file.




Thank you.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread K. Hoercher

On 8/30/06, Tilen <[EMAIL PROTECTED]> wrote:

Ok i really don't get it. I made all certificates myself using only openssl
(no scripts) and entered path to them in TLS part of the eap.conf file.
CA, server cert.., everything is there in the same directory (in my case -
CERTS, with big letters) (how would i sign certificate if i wouldn't create
CA first?). And i don't have CA.all file at all :\ Files i'm using:

 cacert.pem<-- this is my CA
 cakey.pem
 newcert.pem   <-- and this is my server cert
 newcert.req


Your supplicant is sending an TLS Alert Message, because _it_ cannot
find a CA certificate. What you are talking about is the freeradius
side of things which looks alright at first glance.
And if you don't get it to work, please first check with demo
certificates to be generated by the CA.all script.

hth
K. Hoercher
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


no more [EMAIL PROTECTED]

2006-08-30 Thread A . L . M . Buxey
hi,

got a small question for those used to xlat etc.  I have a development/test
setup here which is happily authenticating via EAP/TTLS and PEAP. however, what
I am seeing is that Windows users using PEAP are having their real name logged
and recorded, whereas the Mac TTLS and Windows TTLS folk are being recorded
as [EMAIL PROTECTED] - ie the outer layer is being recorded as their username
(the inner layer username is happily being used for the authorization stage
so all is okay) but the NAS and authentication/accounting SQL are filled with
the [EMAIL PROTECTED]

now, the Windows PEAP users also have [EMAIL PROTECTED] as their outer ID but
I believe it's the 'Windows is a bit leaky with inner credentials' issue that
is allowing their real ID to be caught and logged. 

what's the recommended way of fixing this? what have other people done to fix
this? enabling features such as  use_tunneled_reply  and  log_stripped_name
haven't helped... I am thinking that xlat is the way to go  

oh, and currently the RADPOSTAUTH table is showing the real ID and the 
anonymous ID, which isn't helping the NAS which receives the anonymous part
last.  do I simply drop or discard the anonymous part when it gets to this
proxy box?

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Duplicate requests in a session

2006-08-30 Thread James Wakefield

Santiago Balaguer García wrote:

Hi people,

1)
 In my activity I realize that when the connection to Internet of a NAS is 
NOT good (there are some reday in the DSL), the NAS sends several Start 
requests. My problem is my RADIUS server asks for all these requests and 
they are inserted in my DB. So, when the user or the NAS finalizes the 
session and NAS sends Stop Request, the credit associated to the user 
account is decremented several times. It happens so because I put a 
trigger in my DB to decrement the user credit automatically.


 Can I avoid the problem of inserting the start request several times?
 If so, how??

2) Is it supposed that the value of acctsessionid and acctuniqueid in 
radacct table  are UNIQUE and they can not be duplicated ?


Thanks,
   Santiago


Hi Santiago,

Does your DBMS enforce primary key constraints?  Do you have a primary 
key defined for your radacct table? If I recall correctly, MySQL by 
default doesn't, are you using MySQL?


Cheers,
--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
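
The duplicate-Start problem can be reproduced in a few lines, so here is an added example (not from the thread or the project) using SQLite: a constructed session whose Start is retransmitted three times and then stopped once is replayed against a reduced radacct table, first without and then with acctuniqueid declared UNIQUE and the insert written to ignore duplicates. The credit table and trigger follow the description in the question; column names and sample values are made up. The retransmits carry the same Acct-Unique-Session-Id because the acct_unique module derives it from attributes such as User-Name, Acct-Session-Id and NAS-IP-Address, which is what makes that column the right place for the constraint. INSERT OR IGNORE is SQLite's spelling; MySQL has INSERT IGNORE, and in any case the queries live in sql.conf.

```python
"""Duplicate Accounting-Start handling (added example, not project code)."""
import sqlite3


def schema(unique_acctuniqueid: bool) -> str:
    """Reduced radacct plus a credit table and the per-row Stop trigger."""
    constraint = "UNIQUE" if unique_acctuniqueid else ""
    return f"""
    CREATE TABLE radacct (
        radacctid       INTEGER PRIMARY KEY,
        acctsessionid   TEXT NOT NULL,
        acctuniqueid    TEXT NOT NULL {constraint},
        username        TEXT NOT NULL,
        nasipaddress    TEXT NOT NULL,
        acctstarttime   TEXT NOT NULL,
        acctstoptime    TEXT,
        acctsessiontime INTEGER
    );
    CREATE TABLE credit (username TEXT PRIMARY KEY, seconds INTEGER NOT NULL);
    -- Fires once per row that receives a stop time: with several Start
    -- rows for one session, the session is charged several times.
    CREATE TRIGGER charge_on_stop AFTER UPDATE OF acctstoptime ON radacct
    WHEN OLD.acctstoptime IS NULL AND NEW.acctstoptime IS NOT NULL
    BEGIN
        UPDATE credit SET seconds = seconds - NEW.acctsessiontime
        WHERE username = NEW.username;
    END;
    """


def account(db, packet, ignore_duplicates: bool):
    """Apply one accounting packet the way an SQL accounting query would."""
    if packet["Acct-Status-Type"] == "Start":
        verb = "INSERT OR IGNORE" if ignore_duplicates else "INSERT"
        db.execute(
            f"{verb} INTO radacct (acctsessionid, acctuniqueid, username, "
            "nasipaddress, acctstarttime) VALUES (?, ?, ?, ?, ?)",
            (packet["Acct-Session-Id"], packet["Acct-Unique-Session-Id"],
             packet["User-Name"], packet["NAS-IP-Address"], packet["Timestamp"]),
        )
    elif packet["Acct-Status-Type"] == "Stop":
        # Matches every open row for the session, as the stock Stop query does.
        db.execute(
            "UPDATE radacct SET acctstoptime = ?, acctsessiontime = ? "
            "WHERE acctsessionid = ? AND username = ? AND nasipaddress = ? "
            "AND acctstoptime IS NULL",
            (packet["Timestamp"], packet["Acct-Session-Time"],
             packet["Acct-Session-Id"], packet["User-Name"],
             packet["NAS-IP-Address"]),
        )


def simulate(dedupe: bool, initial_credit: int = 3600) -> tuple:
    """Replay a retransmitted Start and one Stop; return (rows, credit left)."""
    # Constructed packets: the NAS resends an identical Start three times.
    start = {
        "Acct-Status-Type": "Start", "User-Name": "santiago",
        "Acct-Session-Id": "4A3F0001",
        "Acct-Unique-Session-Id": "c0ffee00deadbeef",
        "NAS-IP-Address": "10.0.0.20", "Timestamp": "2006-08-30 10:00:00",
    }
    stop = dict(start, **{"Acct-Status-Type": "Stop",
                          "Timestamp": "2006-08-30 10:10:00",
                          "Acct-Session-Time": 600})
    db = sqlite3.connect(":memory:")
    db.executescript(schema(unique_acctuniqueid=dedupe))
    db.execute("INSERT INTO credit VALUES (?, ?)", ("santiago", initial_credit))
    for packet in (start, start, start, stop):
        account(db, packet, ignore_duplicates=dedupe)
    rows = db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    left = db.execute("SELECT seconds FROM credit WHERE username = 'santiago'"
                      ).fetchone()[0]
    return rows, left
```

simulate(dedupe=False) returns (3, 1800): three rows, and the per-row trigger charged the 600-second session three times. simulate(dedupe=True) returns (1, 3000). With the constraint but a plain INSERT, the duplicate is refused with an error rather than silently dropped, which is also acceptable as long as nothing treats that error as a reason to retry. The key should be acctuniqueid rather than acctsessionid alone; the acct_unique module exists precisely because Acct-Session-Id is not guaranteed unique across NASes.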


Dialupadmin in dedicated server

2006-08-30 Thread Guilherme Franco
Hello,

I need to use Dialup Admin that is installed alone in a dedicated server.

In the dialupadmin admin.config, it states that it needs the /etc/local/radius in the same machine.

What can I do? (considering that the freeradius is installed in another server)

Thank you.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Problem using EAP-TTLS

2006-08-30 Thread luigi natalino

Hello, I've installed freeradius 1.1.2 and I've configured eap-ttls

in eap.conf

tls {
   private_key_password = whatever
   private_key_file = ${raddbdir}/certs/cert-srv.pem
   certificate_file = ${raddbdir}/certs/cert-srv.pem
   CA_file = ${raddbdir}/certs/demoCA/cacert.pem
   dh_file = ${raddbdir}/certs/dh
   random_file = ${raddbdir}/certs/random
   fragment_size = 1024
   include_length = yes
}
ttls {

   default_eap_type = md5
   copy_request_to_tunnel = no
   use_tunneled_reply = no
}

I've not made other changes to this file.
I've launched chillispot  with --eapolenable option -> chilli --eapolenable
I've installed and configured SecureW2 client on WinXP.
The problem is that EAP-TTLS is not used, as shown in this log:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = "localhost"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=Manager,dc=valug,dc=it"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "mypass"
ldap: basedn = "ou=homewifi,dc=valug,dc=it"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "userPassword"
ldap: access_attr = "userPassword"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

ldap: groupmembership_attribute = "radiusGroupName"
ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
r

Re: no Client-IP-Address in packet

2006-08-30 Thread Phil Mayers

Mitaine Yoann wrote:

Dear everybody,

I've installed the radius 's CVS version of 08-23-06.

I've this architecture :
client < > AP <> Radius A <> Radius B
   802.1X  
   proxying


The client does not have adress of IP, it recover his IP address by the 
DHCP server installed in radius server A, after being authenticated.

I'm doing an EAP/TTLS authentication.


Client-IP-Address refers to the client of the radius server, not the 
client of the NAS




When I proxied  the request from to server A to the server B, there wasn't
Client-IP-Address in the packet.


Client-IP-Address is added by the preprocess module. Have you removed 
this from "authorize"? If so, don't do that.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Reply VSA-s in Access-Reject

2006-08-30 Thread Yervand Petrosyan
Thank you for answers,

Really, it would be reasonable to have this option
configurable.

Yervand


On Wed 30 Aug 2006 12:13, Nicolas Baradakis wrote:
> Yervand Petrosyan wrote:
> > In 1.1.3 version Access-Reject doesn't return in reply
> > VSA attributes but it works well in 1.0.1.
> > Something was changed?
>
> Yes, because it was considered as a bug.
> See http://bugs.freeradius.org/show_bug.cgi?id=207
>
> I also note Vendor-Specific attributes aren't allowed in Access-Reject
> packets per RFC 2865. (section 5.44)
> See http://www.ietf.org/rfc/rfc2865.txt

This is not the first time we have been asked this,
and as it appears that 
some NASes used this behaviour, maybe we should make
this rfc compliance a 
configurable option..

I have added a section to the FAQ:

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#VSA_in_Access-Reject

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Duplicate requests in a session

2006-08-30 Thread Santiago Balaguer García

Hi people,

1)
 In my activity I realize that when the connection to the Internet of a NAS is 
NOT good (there are some reday in the DSL), the NAS sends several Start 
requests. My problem is my RADIUS server asks for all these requests and they 
are inserted in my DB. So, when the user or the NAS finalizes the session and 
the NAS sends a Stop Request, the credit associated with the user account is 
decremented several times. It happens so because I put a trigger in my DB to 
decrement the user credit automatically.


 Can I avoid the problem of inserting several times the start request?
 If it is so, how??

2) Is it supposed that the value of acctsessionid and acctuniqueid in 
radacct table  are UNIQUE and they can not be duplicated ?


Thanks,
   Santiago



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
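As an added example (not code from this thread or from the FreeRADIUS project), the MySQL fragment below shows one way to make the accounting path idempotent, so that a retransmitted Start cannot create a second radacct row and a duplicated Stop cannot debit the credit twice. Column names follow the radacct layout; the usercredit table, the credit-in-seconds rule and the %{...} placeholders (FreeRADIUS sql.conf xlat syntax) are assumptions.

```sql
-- Constructed example (MySQL). Not the list's or FreeRADIUS' own schema;
-- the usercredit table and the "credit in seconds" rule are assumptions.

-- 1. One row per session. The unique key on AcctUniqueId (the hash the
--    acct_unique module computes over the session's identifying
--    attributes) rejects a second INSERT for a retransmitted Start.
CREATE TABLE radacct (
  RadAcctId       BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
  AcctSessionId   VARCHAR(32)  NOT NULL,
  AcctUniqueId    VARCHAR(32)  NOT NULL,
  UserName        VARCHAR(64)  NOT NULL,
  NASIPAddress    VARCHAR(15)  NOT NULL,
  AcctStartTime   DATETIME     NULL,
  AcctStopTime    DATETIME     NULL,
  AcctSessionTime INT UNSIGNED NULL,
  PRIMARY KEY (RadAcctId),
  UNIQUE KEY uq_acct_unique (AcctUniqueId),
  KEY idx_nas_session (NASIPAddress, AcctSessionId)
);

-- Assumed credit table: one balance per user, debited in seconds.
CREATE TABLE usercredit (
  UserName VARCHAR(64) NOT NULL PRIMARY KEY,
  Credit   INT NOT NULL
);

-- 2. Start query (the %{...} placeholders are FreeRADIUS sql.conf xlat
--    syntax). A duplicate Start hits the unique key and becomes a no-op
--    instead of a second row, so it can never be counted twice.
INSERT INTO radacct
  (AcctSessionId, AcctUniqueId, UserName, NASIPAddress, AcctStartTime)
VALUES
  ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
   '%{NAS-IP-Address}', NOW())
ON DUPLICATE KEY UPDATE AcctStartTime = AcctStartTime;

-- 3. Stop query: closes the row only if it is still open, so a
--    retransmitted Stop matches zero rows and fires no trigger.
UPDATE radacct
   SET AcctStopTime    = NOW(),
       AcctSessionTime = '%{Acct-Session-Time}'
 WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'
   AND AcctStopTime IS NULL;

-- 4. The trigger debits credit only on the open -> closed transition of
--    a row, never on other updates (interim updates, re-applied Stops).
DELIMITER $$
CREATE TRIGGER radacct_stop_debit
AFTER UPDATE ON radacct
FOR EACH ROW
BEGIN
  IF OLD.AcctStopTime IS NULL AND NEW.AcctStopTime IS NOT NULL THEN
    UPDATE usercredit
       SET Credit = Credit - COALESCE(NEW.AcctSessionTime, 0)
     WHERE UserName = NEW.UserName;
  END IF;
END$$
DELIMITER ;
```

To check the behaviour, replay the same Start twice and the same Stop twice against a test database: radacct should hold one row for the session and the user's Credit should have dropped exactly once.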


Re: Cannot compile and run on Mac OS X 10.4.7

2006-08-30 Thread Markus Krause
Zitat von Nicolas Baradakis <[EMAIL PROTECTED]>:
> Michael Check wrote:
>
> > On 8/22/06, Michael Check <[EMAIL PROTECTED]> wrote:
> > > We tried googling around and we're happy to hear that freeradius will
> > > be a part of 10.5, but we'd like to get it running now...  There
> > > really is no other docs we've found  on getting it compiled (after
> > > difficulty like the above) and installed.  Certainly nothing recent
> > > anyway.  Is it true that it _should_ just work? :)
> > >
> > > Thanks in advance for any assistance,
> >
> > This is issue is not really solved, I didn't get it to compile, but I
> > thought those of you that are looking for a solution to run freeRADIUS
> > on OSX should look to the package installer that I found.  It is quite
> > recent (version 1.1.0pre0) and runs great.
>
> I don't own an Apple machine, so I'm not able to test it myself.
> However from what I read on the mailing lists, it should be possible
> to build version 1.1.3 of FreeRADIUS on Mac OS 10.4.7 with the
> following commands:
>
> $ configure --enable-developer
> $ make
> $ su -
> # make install
>

it was actually me who reported successful compiling ...
i just rechecked it:
  # downloaded freeradius-1.1.3.tar.gz
  # ./configure --enable-developer
  # make
  # sudo make install

and freeradius runs and responds to radtest.
another way would be "./configure", then remove the option "-s" in the line
"INSTALLSTRIP = -s", then "make", "sudo make install"; don't know about
additional differences to "--enable-developer" (except for warning flags).

but i should point out that i do not use any sql-module (do not have the
libraries installed which were required) or unixodbc, and have no libgdbm, so
there is no rlm_counter, rlm_ippool. maybe there is your problem?
i am using a recent mac os 10.4.7 on an "ancient" g4 powerbook.

regards
   markus

> --
> Nicolas Baradakis
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


--
Markus Krause   email: [EMAIL PROTECTED]
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99 Fax.: 089 - 89 40 85 98


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: How to return the values from the exec program to free radius?

2006-08-30 Thread Shankar Ganesh C



Hi All,

Could some body help me on the same?

Thanks and regards
Shankar ganesh

  -Original Message-
  From: Shankar Ganesh [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, August 30, 2006 11:02 AM
  To: freeradius-users@lists.freeradius.org
  Subject: How to return the values from the exec program to free radius?

  Hi All,

  Could some body help me to know how to return values from the exec program?
  I can understand that I need to use the output-pairs or reply list. But I do
  not really know how to use that; any sample code or document would really
  help me.

  Thanks and regards
  Shankar ganesh
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: public key for source signature

2006-08-30 Thread Nicolas Baradakis
Jonathan Casiot wrote:

> I've downloaded the most recent source, freeradius-1.1.3.tar.gz, and I'd 
> like to verify the file against the PGP signature but I can't find the 
> public key anywhere. Can someone point me to its location?

http://freeradius.org/pgp/[EMAIL PROTECTED]

-- 
Nicolas Baradakis

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


no Client-IP-Address in packet

2006-08-30 Thread Mitaine Yoann
Dear everybody,

I've installed the radius CVS version of 08-23-06.

I've this architecture :
client < > AP <> Radius A <> Radius B
   802.1X
   proxying

The client does not have an IP address; it recovers its IP address from the DHCP server installed in radius server A, after being authenticated.

I'm doing an EAP/TTLS authentication.

When I proxied the request from server A to server B, there wasn't Client-IP-Address in the packet. I thought radius server A would have put its own ip address for the Client-IP-Address attribute before sending the packet to server B. So, I would like to know if it's a normal situation and in this case, how I could insert the Client-IP-Address attribute in the packet.

Thanks in advance.
Yours sincerely.
		 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Checking Service-Type with checkval and mysql

2006-08-30 Thread Guilhem MORE-CAUSSE
Hello

I am currently trying to have my FreeRadius server check the "Service-Type" 
values, and reject Login attempts from a user that should be used for 
service-type Outbound only.

My client equipment always sends the "Service-Type" attribute in its requests. 
This attribute is defined in the check database, but debug mode says:

>>Debug: rlm_checkval: Could not find attribute named Service-Type in check pairs

I really do not see what is wrong and why value checking is not done properly. 
It should find the attribute in the database, and reject the request. Can you 
help me out ?

Below is my radcheck table, relevant parts of my radiusd.config and the debug 
output. 

mysql> select * from radcheck;
+----+----------+--------------+----+----------+
| id | UserName | Attribute    | op | Value    |
+----+----------+--------------+----+----------+
|  3 | admin    | Password     | == | cisco    |
|  5 | admin    | Service-Type | == | Outbound |
+----+----------+--------------+----+----------+


checkval {
item-name = Service-Type
check-name = Service-Type
data-type = string
notfound-reject = yes
}
# ...
authorize {
preprocess
chap
suffix
eap
#files
sql
checkval
}
authenticate {
Auth-Type PAP {
  pap
}
Auth-Type CHAP {
  chap
}
eap
}




rad_recv: Access-Request packet from host 10.10.107.68:1645, id=6, length=86
NAS-IP-Address = 10.10.107.68
NAS-Port = 500
NAS-Port-Type = Virtual
User-Name = "admin"
Calling-Station-Id = "XXX.XXX.XXX.XXX"
User-Password = "cisco"
Service-Type = Login-User
Wed Aug 30 11:30:13 2006 : Debug:   Processing the authorize section of radiusd.conf
Wed Aug 30 11:30:13 2006 : Debug: modcall: entering group authorize for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "preprocess" returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "chap" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 1
Wed Aug 30 11:30:13 2006 : Debug: rlm_realm: No '@' in User-Name = "admin", looking up realm NULL
Wed Aug 30 11:30:13 2006 : Debug: rlm_realm: No such realm "NULL"
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "suffix" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "eap" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling sql (rlm_sql) for request 1
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'admin'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): sql_set_user escaped user --> 'admin'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'admin' ORDER BY id'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): Reserving sql socket id: 3
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'admin' ORDER BY id'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): Released sql socket id: 3
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from sql (rlm_sql) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "sql" returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling checkval (rlm_checkval) for request 1
Wed Aug 30 11:30:

Re: 1.1.3 on Solaris 10 (sparc)

2006-08-30 Thread Bernie Dolan

Geoffroy,
I would be most interested in your posting. At this point I'm trying to get 
plain old rlm_unix working using /etc/passwd & secret to get a foundation 
established, but I'm getting authnet failures, which I think are to do with 
the compilation and radiusd.conf of unix and pam.

Regards
BernieD

- Original Message - 
From: "Geoffroy Arnoud" <[EMAIL PROTECTED]>

To: "FreeRadius users mailing list" 
Sent: Tuesday, August 29, 2006 4:08 PM
Subject: Re : 1.1.3 on Solaris 10 (sparc)


I am quite pleased to report I have, with minimal discomfort, version 
1.1.3 running on Solaris 10.


The source actually compiles perfectly once OS dependencies etc. are met.
I will share a few tips here for any who may be attempting the same.
My main goal was LDAP functionality.  Other bells and whistles might 
require additional steps.
Please forgive the Solaris info here, it is dangerously close to being 
off-topic... except that you need

it to install freeradius.


I suggest that those tips shall be stored in the docs directory under 
FreeRadius CVS.


Geoff.



-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Building Freeradius RPM on Redhat ES 4.0

2006-08-30 Thread B Thompson
On Wed, Aug 30, 2006 at 08:47:13AM +0100, B Thompson wrote:
> On Tue, Aug 29, 2006 at 07:32:23PM -0400, King, Michael wrote:
> 
> > cp: will not overwrite just-created
> > `/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3/README' with
> > `README'
> > error: Bad exit status from /var/tmp/rpm-tmp.49148 (%doc)
> 
> I get this error too. It looks like line 102 in the spec file is
> causing it :-
> 
> %doc doc/* LICENSE COPYRIGHT CREDITS README
> 
> Should this line simply be :
> 
> %doc doc/*
> 
> This change allows the package to build on my system but when I try to
> install the rpm I get the following message :-
> 
> error: Failed dependencies:
> /usr/local/bin/perl is needed by freeradius-1.1.3-0.i386


Having googled about for this I removed /usr/local/bin from my path
and ran rpmbuild again. This time everything worked OK.


-- 

Ben Thompson
University of York
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reply VSA-s in Access-Reject

2006-08-30 Thread Peter Nixon
On Wed 30 Aug 2006 12:13, Nicolas Baradakis wrote:
> Yervand Petrosyan wrote:
> > In 1.1.3 version Access-Reject doesn't return in reply
> > VSA attributes but it works well in 1.0.1.
> > Something was changed?
>
> Yes, because it was considered as a bug.
> See http://bugs.freeradius.org/show_bug.cgi?id=207
>
> I also note Vendor-Specific attributes aren't allowed in Access-Reject
> packets per RFC 2865. (section 5.44)
> See http://www.ietf.org/rfc/rfc2865.txt

This is not the first time we have been asked this, and as it appears that 
some NASes used this behaviour, maybe we should make this rfc compliance a 
configurable option..

I have added a section to the FAQ:

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#VSA_in_Access-Reject

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Cannot compile and run on Mac OS X 10.4.7

2006-08-30 Thread Nicolas Baradakis
Michael Check wrote:

> On 8/22/06, Michael Check <[EMAIL PROTECTED]> wrote:
> > We tried googling around and we're happy to hear that freeradius will
> > be a part of 10.5, but we'd like to get it running now...  There
> > really is no other docs we've found  on getting it compiled (after
> > difficulty like the above) and installed.  Certainly nothing recent
> > anyway.  Is it true that it _should_ just work? :)
> >
> > Thanks in advance for any assistance,
>
> This is issue is not really solved, I didn't get it to compile, but I
> thought those of you that are looking for a solution to run freeRADIUS
> on OSX should look to the package installer that I found.  It is quite
> recent (version 1.1.0pre0) and runs great.

I don't own an Apple machine, so I'm not able to test it myself.
However from what I read on the mailing lists, it should be possible
to build version 1.1.3 of FreeRADIUS on Mac OS 10.4.7 with the
following commands:

$ configure --enable-developer
$ make
$ su -
# make install

-- 
Nicolas Baradakis

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reply VSA-s in Access-Reject

2006-08-30 Thread Nicolas Baradakis
Yervand Petrosyan wrote:

> In 1.1.3 version Access-Reject doesn't return in reply
> VSA attributes but it works well in 1.0.1.
> Something was changed?

Yes, because it was considered as a bug.
See http://bugs.freeradius.org/show_bug.cgi?id=207

I also note Vendor-Specific attributes aren't allowed in Access-Reject
packets per RFC 2865. (section 5.44)
See http://www.ietf.org/rfc/rfc2865.txt

-- 
Nicolas Baradakis

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


public key for source signature

2006-08-30 Thread Jonathan Casiot


Hi

I've downloaded the most recent source, freeradius-1.1.3.tar.gz, and I'd 
 like to verify the file against the PGP signature but I can't find the 
public key anywhere. Can someone point me to its location?


Thanks

--
Jonathan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Tilen
Ok i really don't get it. I made all certificates myself using only
openssl (no scripts) and entered path to them in TLS part of the
eap.conf file. CA, server cert.., everything is there in the same
directory (in my case - CERTS, with big letters) (how would I sign a
certificate if I hadn't created a CA first?). And I don't have a CA.all
file at all :\ Files i'm using:

cacert.pem    <-- this is my CA
cakey.pem
newcert.pem   <-- and this is my server cert
newcert.req


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Interface binding problem

2006-08-30 Thread A . L . M . Buxey
Hi,

> The CVS snapshot indicates that this will be version 2.0. Is this the 

you've checked out the main HEAD. if you want 1.1.x CVS you need to specify
the correct HEAD when doing the CVS

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Building Freeradius RPM on Redhat ES 4.0

2006-08-30 Thread B Thompson
On Tue, Aug 29, 2006 at 07:32:23PM -0400, King, Michael wrote:

> cp: will not overwrite just-created
> `/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3/README' with
> `README'
> error: Bad exit status from /var/tmp/rpm-tmp.49148 (%doc)

I get this error too. It looks like line 102 in the spec file is
causing it :-

%doc doc/* LICENSE COPYRIGHT CREDITS README

Should this line simply be :

%doc doc/*

This change allows the package to build on my system but when I try to
install the rpm I get the following message :-

error: Failed dependencies:
/usr/local/bin/perl is needed by freeradius-1.1.3-0.i386



-- 

Ben Thompson
University of York
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: issue with attribute 97 from rfc3162 in users file

2006-08-30 Thread Christian Hahn

> 
>> /usr/local/etc/raddb/users[227]: Parse error (reply) for entry
>> hextest: unknown attribute type 8
>> Errors reading /usr/local/etc/raddb/users
> 
> this works with the 2.0pre CVS code.. so theres something not quite right 
> in the 1.1.3 code. and yes,  theres no IPV6PREFIX handler in valuepair.c
> or in the print debugger or full handling in radius.c
Thanks for the hint, I will try the cvs version and probably check the
code of the 1.1.3 version.
Is there any information on how mature the 2.0.0-pre0 code is? Is it
just a development branch for new features or will this eventually be
the next release train?

best regards,
Christian

> 
> FreeRADIUS Version 2.0.0-pre0
> 
> dict.c: { "ipv6prefix", PW_TYPE_IPV6PREFIX },
> print.c:case PW_TYPE_IPV6PREFIX:
> radius.c:   case PW_TYPE_IPV6PREFIX:
> radius.c:   case PW_TYPE_IPV6PREFIX:
> radius.c:   case PW_TYPE_IPV6PREFIX:
> radius.c:   case PW_TYPE_IPV6PREFIX:
> valuepair.c:case PW_TYPE_IPV6PREFIX:
> valuepair.c:case PW_TYPE_IPV6PREFIX:
> valuepair.c:case PW_TYPE_IPV6PREFIX:
> 
> 
> FreeRADIUS Version 1.1.3
> 
> dict.c: { "ipv6prefix", PW_TYPE_IPV6PREFIX },
> radius.c:   case PW_TYPE_IPV6PREFIX:
> radius.c:   case PW_TYPE_IPV6PREFIX:
> 
> 
> so thats why it isnt working for you 
> 
> alan
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: WebDAV HTTP Auth to RADIUS, possible?

2006-08-30 Thread Samuel Degrande

Michael Check wrote:

> Is it possible to set up an Apache 1.3 server with WebDAV to
> authenticate to a freeRADIUS?
>
> Ideally, I would like to tell the Apache directives to look at
> freeRADIUS for authentication using the httpd.conf file.
>
> Has anyone ever done this or able to point me in a direction?  Is it
> even possible?
>
> We're using freeRadius 1.1.0 on OSX.4, successfully authenticating
> off an Active Directory master.


I don't know a lot about WebDAV, but I think that it uses the classical
Apache authentication mechanism, right ?

Then, you could use mod_auth_radius 
(http://www.freeradius.org/mod_auth_radius),
or use a PAM authentication + a PAM radius module 
(http://www.freeradius.org/pam_radius_auth)


--
Samuel Degrande   LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3
Phone: (33)3.28.77.85.30  USTL - Universite de Lille 1
Fax:   (33)3.28.77.85.37  59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP authentication

2006-08-30 Thread Stefan Winter
Hi,

>  I should have tried that mapping.
>
> HOWEVER
>
> It still doesn't work.
> I can perform radtest queries  username/LDAPpassword, and I get the accept
> response.
> If I use the query with username/remotepassword, I get rejected.

Okay, I can't verify what I propose now, so I might be wrong, but:

ldap is usually called twice: during authorize and authenticate. authorize is 
the section that pulls attributes out of LDAP using ldap.attrmap and is the 
one you need. In authenticate, it tries a bind with the user's name and 
password. This is NOT what you want, because the bind will fail. You could 
try to _comment out_ the following lines from your authenticate section

Auth-Type LDAP {
ldap
}

so that the bind isn't attempted. Not sure if that's enough though, since the 
ldap in authorize will set Auth-Type to LDAP by itself... But if it doesn't, 
someone else would need to jump in, that's beyond my experience. Maybe it's 
necessary to set Auth-Type to PAP in the users file manually then.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Interface binding problem

2006-08-30 Thread Marcel . De_Boer

Nicolas Baradakis wrote:
>> I'd like to set it up with the commandline switch (-i ), but
>> this does not seem to work (tested on versions 0.2, 1.0.1 and 1.2): the
>> server only takes the address from the configuration file and completely
>> ignores the commandline switch. I do realise that the commandline switch
>> is deprecated, but is it possible to get this to work somehow?
>
> You may try a nightly CVS snapshot. I think the -i and -p options
> are fixed in CVS.
  

Yes, they are; thank you very much!

The CVS snapshot indicates that this will be version 2.0. Is this the 
next planned release or is it more like a development branch which is 
maintained together with a stable 1.1-branch? (I'm trying to figure out 
if it's worthwhile to wait for the next released version or just use a 
'stable enough' CVS snapshot for the time being if a release that fixes 
these options isn't planned for some time.)


Thanks very much again!

Kind regards,
   Marcel

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html