Difference between Auth-type=System and Auth type=Local
Hi,

I am a beginner with RADIUS and use NTRadPing to test. I am confused about the difference between setting a user in user_conf with Auth-Type := System and with Auth-Type := Local.

If I set a user with Auth-Type := Local in user_conf, radiusd will reply with Access-Accept. If I set a user with Auth-Type := System in user_conf, RADIUS will reply with Access-Reject. Why? Can anyone help?

Best regards,
Hsia

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Wohoo it works now :D Clear text password in LDAP worked like a charm now (dunno why i had problems with it in the past) :P Thank you all guys 10x!!!
RE: How to configure free radius to make it listen to different udpports?
Shankar Ganesh wrote:
> How can i make freeradius listen to different UDP ports?

Hi Shankar,

This is very clearly explained in the radiusd.conf configuration file. Search for "listen".

regards,
Mike
Re: How to configure free radius to make it listen to different udp ports?
On Thu, 2006-08-31 at 10:34 +0530, Shankar Ganesh C wrote:
> Hi,
>
> How can i make freeradius listen to different UDP ports?
>
> Thanks and regards
> Shankar ganesh

http://wiki.freeradius.org/index.php/Radiusd.conf

Look for the listen { } section.

--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au
Generic info rqrd...
Hi All,

I need some general info on FreeRADIUS.

1) Does it support 64-bit compilers?
2) Does it have support for both Solaris and HP-Unix?
3) Is it multi-threaded safe?

Thanks in advance,
Ram.
How to configure free radius to make it listen to different udp ports?
Hi,

How can i make freeradius listen to different UDP ports?

Thanks and regards
Shankar ganesh
ippool auth-type error
SORRY NOW WITH PROPER SUBJECT :D

hello all

im new to radius, but i got freeradius configured with mysql. radtest is working fine for my test user.

now i configured an ippool, which get successfully loaded on startup. again radtest works fine, only new thing is the following trace:

rlm_ippool: enter postauth
rlm_ippool: Could not find Pool-Name attribute.

the enter postauth trace was added by me.

now i added the Pool-Name to radcheck for my user. after that what happens is:

rad_recv: Access-Request packet from host 127.0.0.1:34065, id=125, length=55
        User-Name = "SVD"
        User-Password = "secret"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "SVD", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
radius_xlat: 'SVD'
rlm_sql (sql): sql_set_user escaped user --> 'SVD'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'SVD' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'SVD' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'SVD' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'SVD' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): No matching entry in the database for request from user [SVD]
modcall[authorize]: module "sql" returns notfound for request 4
modcall: leaving group authorize (returns ok) for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [SVD/secret] (from client localhost port 0)

funny thing is, i dont even see the ippool trace again.

i can post more details, but maybe this is a common error.

thx in advance for your help
Re: FreeRADIUS crashes after EAP/PEAP authentication
Cool,

Thanks, I'll try FreeRADIUS 1.1.3, let's hope it solves my problems ;)

Regards,
Nick

On 8/31/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Nick Larsen" <[EMAIL PROTECTED]> wrote:
> > I did notice in the output, just before the backtrace: radlog(L_ERR,
> > "rlm_eap_tls (%s): xlat failed.",
> > Could this be the problem?
>
> It may be related.
>
> > This GDB was configured as "sparc64-marcel-freebsd"...
> >
> > warning: exec file is newer than core file.
>
> That's not good. It means that the information from the core file may be useless.
>
> And I noticed the version is 1.1.1. Please try 1.1.3, which has a number of bugs fixed.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

--
Regards,
Nick Larsen
Wellington
NEW ZEALAND
RE : no Client-IP-Address in packet
Mitaine Yoann wrote:
> In my previous email, I forgot to say that when I received a proxied packet, I tried to match a rule on the radius server B like:
>
> DEFAULT Huntgroup-Name == "foo", Autz-Type := Ldap
>
> where foo is defined in the huntgroups file as:
>
> foo Client-IP-Address == x.x.x.x
>
> in the users file. But this one hadn't been matched. If somebody has an idea...?

Have you run the server in debug mode to see what it is doing?

radiusd -X

As Phil said "Client-IP-Address is added by the preprocess module. Have you removed this from "authorize"? If so, don't do that."

The huntgroups file is also processed in the preprocess module, so if you have removed preprocess from the authorize section then your configuration won't work anyway.
Re: FreeRADIUS crashes after EAP/PEAP authentication
"Nick Larsen" <[EMAIL PROTECTED]> wrote:
> I did notice in the output, just before the backtrace: radlog(L_ERR,
> "rlm_eap_tls (%s): xlat failed.",
> Could this be the problem?

It may be related.

> This GDB was configured as "sparc64-marcel-freebsd"...
>
> warning: exec file is newer than core file.

That's not good. It means that the information from the core file may be useless.

And I noticed the version is 1.1.1. Please try 1.1.3, which has a number of bugs fixed.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Building Freeradius RPM on Redhat ES 4.0
I seem to be having the same problem. Editing Line 102 allowed the package to build.

Where did you remove /usr/local/bin from your path?

Mike

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of B Thompson
> Sent: Wednesday, August 30, 2006 6:14 AM
> To: FreeRadius users mailing list
> Subject: Re: Building Freeradius RPM on Redhat ES 4.0
>
> On Wed, Aug 30, 2006 at 08:47:13AM +0100, B Thompson wrote:
> > On Tue, Aug 29, 2006 at 07:32:23PM -0400, King, Michael wrote:
> > >
> > > cp: will not overwrite just-created
> > > `/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3/README'
> > > with `README'
> > > error: Bad exit status from /var/tmp/rpm-tmp.49148 (%doc)
> >
> > I get this error too. It looks like line 102 in the spec file is
> > causing it :-
> >
> > %doc doc/* LICENSE COPYRIGHT CREDITS README
> >
> > Should this line simply be :
> >
> > %doc doc/*
> >
> > This change allows the package to build on my system but when I try to
> > install the rpm I get the following message :-
> >
> > error: Failed dependencies:
> > /usr/local/bin/perl is needed by freeradius-1.1.3-0.i386
>
> Having googled about for this I removed /usr/local/bin from
> my path and ran rpmbuild again. This time everything worked OK.
>
> --
> Ben Thompson
> University of York
certificate issue
I ran the CA.all script; before it issues the 2nd certificate I get this error message. I am sure someone has faced this issue before; could you pls help me to resolve it?

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name []:
+ openssl ca -policy policy_anything -out newcert.pem -passin '' -key '' -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem
Using configuration from /usr/local/openssl/ssl/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            a1:cc:f7:86:19:ea:57:48
        Validity
            Not Before: Aug 30 22:25:40 2006 GMT
            Not After : Aug 30 22:25:40 2007 GMT
        Subject:
            countryName = US
            stateOrProvinceName =
            localityName =
            organizationName =
            organizationalUnitName=
            commonName=
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Aug 30 22:25:40 2007 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin 'pass:' -passout 'pass:'
No certificate matches private key
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin 'pass:' -passout 'pass:'
22665:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
unable to load certificate
22666:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: TRUSTED CERTIFICATE
+ echo -e '\n\t\t##\n'
##

thanks in advance.
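Added example (not part of the original post or of the CA.all script): `TXT_DB error number 2` is OpenSSL's index-clash error, which `openssl ca` typically raises when `unique_subject = "yes"` and the CA's index.txt already holds a valid entry with the same subject, or any entry with the same serial. The checker below reports such clashes before signing; the index content, subject names and the function names are constructed for illustration.

```python
"""Check an OpenSSL CA index.txt for entries a new certificate would clash with."""
from collections import namedtuple

# One row of index.txt: six tab-separated fields.
Entry = namedtuple("Entry", "line status expiry revoked serial filename subject")

# Constructed sample index: status (V=valid, R=revoked, E=expired), expiry,
# revocation date, serial (hex), filename, subject DN.
SAMPLE_INDEX = "\n".join([
    "V\t070830222540Z\t\t01\tunknown\t/C=US/O=Example/CN=Example Root CA",
    "V\t070830222540Z\t\t02\tunknown\t/C=US/O=Example/CN=radius.example.org",
    "R\t070830222540Z\t060901000000Z\t03\tunknown\t/C=US/O=Example/CN=client1",
    "V\t070830222540Z\t\t04\tunknown\t/C=US/O=Example/CN=client1",
]) + "\n"


def parse_index(text):
    """Parse index.txt content into Entry tuples, rejecting malformed rows."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 6:
            raise ValueError(
                "line %d: expected 6 tab-separated fields, got %d"
                % (number, len(fields))
            )
        entries.append(Entry(number, *fields))
    return entries


def would_clash(entries, subject, serial_hex, unique_subject=True):
    """Return the reasons a new (subject, serial) pair cannot be added.

    Serials must be unique across all rows. Subjects must be unique only
    among valid ('V') rows, and only when unique_subject is enabled, so a
    revoked or expired certificate does not block a reissue.
    """
    reasons = []
    new_serial = int(serial_hex, 16)
    for entry in entries:
        if int(entry.serial, 16) == new_serial:
            reasons.append(
                "serial %s already used on line %d" % (entry.serial, entry.line)
            )
        if unique_subject and entry.status == "V" and entry.subject == subject:
            reasons.append("subject already valid on line %d" % entry.line)
    return reasons


if __name__ == "__main__":
    index = parse_index(SAMPLE_INDEX)
    for dn, serial in [
        ("/C=US/O=Example/CN=radius.example.org", "05"),  # same DN as line 2
        ("/C=US/O=Example/CN=client2", "05"),             # new DN, new serial
    ]:
        problems = would_clash(index, dn, serial)
        print(dn, "->", problems or "ok to sign")
```

Giving every certificate request its own subject, for example a distinct commonName per server and client, avoids the clash without relaxing `unique_subject`.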
Re: Freeradius crashed on me
"Lisa Casey" <[EMAIL PROTECTED]> wrote:
> Wed Aug 30 14:19:28 2006 : Error: ERROR: Cannot find a configuration
> entry for module "exec".

If that's from a previously working configuration, it looks like your disk has been corrupted.

Can you restore from a backup of your configuration?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: (no subject)
"Kartthik" <[EMAIL PROTECTED]> wrote:
> The password aren't in /etc/passwd file. As i joined linux box to
> windows 2003 active directory it should authenticate the users
> againt the active directory using winbind. In nsswitch.conf file i
> have configured winbind and here is the configuration:

If you can login as a normal user (NOT using RADIUS, but at the shell), then RADIUS authentication will work, too.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Freeradius + OpenLDAP - user password problem
Tilen <[EMAIL PROTECTED]> wrote:
> Yes i know that, i heard it 100 times already... that's why i'm asking how
> to store them in cleartext/NT hash

You update the LDAP database to contain the clear-text password. How that's done is up to the LDAP server. See its documentation.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Freeradius crashed on me
Hi,

I have a FreeBSD 5.3 box running freeradius. This box also runs sendmail and does e-mail for a small amount (~50) users. For the past two days I have been trying to rebuild sendmail on this box so it would support SMTP Auth. I have not got that working, but that would be truly off-topic for this list. I'm only mentioning this because it MAY have played a role in what happened with Freeradius. As part of trying to get SMTP Auth working, I installed Cyrus-SASL v2. Again, I have no idea if this has any bearing on what happened with radius or not.

I'm working on sendmail, haven't messed with radius at all, radius has been working fine, then I get a call from a customer about 2:00 - he can't get connected. So I took a look at the radius.log and saw this:

Wed Aug 30 14:01:37 2006 : Error: radiusd.conf[1299] Failed to link to module 'rlm_counter': Shared object "libgdbm.so.3" not found, required by "rlm_counter-1.0.1.so"

So I panicked. At this point radius wasn't working and none of our customers can get connected. I started trying to "fix" things on an emergency basis. I edited /usr/local/etc/raddb/radiusd.conf and commented out my rlm_counter monthly stuff. Then I attempted to restart the radius server. I next got this in radius.log:

Wed Aug 30 14:19:28 2006 : Error: ERROR: Cannot find a configuration entry for module "exec".

So I edited radiusd.conf again and commented out exec in the Instantiate section. I restarted radius and got this in radius.log:

Wed Aug 30 15:07:12 2006 : Error: ERROR: Cannot find a configuration entry for module "expr".

So I edited radiusd.conf again and commented out expr in the Instantiate section. I restarted radius and got this in radius.log:

Wed Aug 30 15:08:31 2006 : Error: /usr/local/etc/raddb/users[1]: Unexpected trailing comma in check item list for entry DEFAULT
Wed Aug 30 15:08:31 2006 : Error: Errors reading /usr/local/etc/raddb/users
Wed Aug 30 15:08:31 2006 : Error: radiusd.conf[1020]: files: Module instantiation failed.

So I edited my users file and removed the DEFAULT entry I had at the top for monthly time limits. I then restarted radius and now it works.

My question is: What the hell happened? I honestly don't know. I haven't been working on radius or changed anything. What I was doing was installing Cyrus SASL and attempting to rebuild Sendmail. The only thing I can figure is that while I was messing around with SASL and sendmail I did something with shared libraries? I don't have a clue if this is what happened, but if it is I don't know where to go look to see what's wrong with libraries (if anything).

Help, please? Anyone?

Thanks,
Lisa Casey
Re: Freeradius + OpenLDAP - user password problem
Alan DeKok wrote:
> It is impossible to do MS-CHAP if the passwords are stored in crypt'd format.

Yes i know that, i heard it 100 times already... that's why i'm asking how to store them in cleartext/NT hash (i still posted radius output though, just in case). I think i tried once by simply typing PW in cleartext in ldap users file before importing user to database but it didn't work. Will try again tomorrow.

Edvin Seferovic wrote:
> Set up the ldap module right for your server and map your NAS attributes to the LDAP attributes ! Shouldn't be hard to set up !

Yes, module is already set up correctly for my server, will try to set up attributes now. Hope it really isn't too hard :)

Thanks for help.
(no subject)
Alan,

The password aren't in /etc/passwd file. As i joined linux box to windows 2003 active directory it should authenticate the users against the active directory using winbind. In nsswitch.conf file i have configured winbind and here is the configuration:

passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files winbind dns

Am able to read the active directory users with wbinfo -u command. Here is few o/p:

domain\kartthikr
domain\test

Still i get the same error message as before:

rad_recv: Access-Request packet from host 127.0.0.1:32802, id=165, length=61
        User-Name = "kartthikr"
        User-Password = ""
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "kartthikr", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
modcall[authenticate]: module "unix" returns notfound for request 1
modcall: leaving group authenticate (returns notfound) for request 1
auth: Failed to validate the user.

so aint sure what am doing wrong here, pls help me !!!

Kartthik

"Kartthik" <[EMAIL PROTECTED]> wrote:
> When i try to execute the radtest command with AD user logon credentials it rejects the packet and here is the output.
...
> rad_check_password: Found Auth-Type System
> auth: type "System"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_unix: [test]: invalid password

The user isn't in /etc/passwd.

What, exactly did you do to configure the server to check the user against the AD login credentials?

Alan DeKok.
Re: WebDAV HTTP Auth to RADIUS, possible?
"Michael Check" <[EMAIL PROTECTED]> wrote:
> Is it possible to set up an Apache 1.3 server with WebDAV to
> authenticate to a freeRADIUS?

Unless I'm mistaken, webdav uses HTTP digest for authentication. That makes it difficult.

> Ideally, I would like to tell the Apache directives to look at
> freeRADIUS for authentication using the httpd.conf file.

If it's using basic authentication, mod_auth_radius can help.

> We're using freeRadius 1.1.0 on OSX.4, successfully authenticating
> off an Active Directory master.

If it's using HTTP digest authentication, then this is impossible. HTTP digest requires the clear-text password, and AD doesn't supply it.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Freeradius + OpenLDAP - user password problem
Tilen <[EMAIL PROTECTED]> wrote:
> rlm_ldap: Added password {crypt}$1$9wlsOcEJ$QA/FskGvrnnmsj1SWi1kY/ in check
> items
...
> rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

http://deployingradius.com/documents/protocols/compatibility.html

It is impossible to do MS-CHAP if the passwords are stored in crypt'd format.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: RE : Re: no Client-IP-Address in packet
Mitaine Yoann wrote:
> Michael Mitchell <[EMAIL PROTECTED]> wrote:
>> Client-IP-Address is an internal freeRADIUS attribute, and is not defined in the RFC's. Hence it is never proxied to another server.
>
> Yes, I am aware of that. I said that, in fact.
>
>> In fact, the "Client-IP-Address" for server B in the example above would be the address of server A, and not the NAS.
>
> Exactly, but it would seem that never arrives. Could you tell me how to make the Client-IP-Address have the IP address value of server A?

Don't remove the preprocess module from authorize.
RE: Freeradius + OpenLDAP - user password problem
Set up the ldap module right for your server and map your NAS attributes to the LDAP attributes! Shouldn't be hard to set up!

Regards,
Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tilen
Sent: Wednesday, 30 August 2006 16:58
To: FreeRadius users mailing list
Subject: Re: Freeradius + OpenLDAP - user password problem

So, what i want to achieve is, to authorize against OpenLDAP the easiest way. I don't care if i use cleartext passwords or NT hashes. What would be the fastest way to make things work? I'm running out of time for this >.<
Re: Freeradius + OpenLDAP - user password problem
Tilen <[EMAIL PROTECTED]> wrote:
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
...
> Hm, now i have to make LDAP passwords in NT hash and it will work (still
> gotta figure out how)? Or should i make changes in ldap.attrmap file too?

No. If you have the clear-text password in the ldap "userPassword" attribute, it should just work.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: 2.0.0-pre0 from CVS: Invalid version in module
Christian Hahn <[EMAIL PROTECTED]> wrote:
> I've just compiled the CVS version from 20060830 with
> prefix=/root/bin/freeradius-cvs. When starting radiusd it complains
> that the compiled modules have the wrong version:
>
> - 8<
> radiusd: entering modules setup
> Module: Library search path is /root/bin/freeradius-cvs/lib
> radiusd.conf[1634] Invalid version in module 'rlm_exec'
> Errors setting up modules

You've installed the CVS version on a box which already had 1.1.3, and it's picking up the old modules. Those modules are incompatible, hence the error message.

> And all the modules in lib are freshly build and installed with the
> server. I have also checked the radiusd.conf for wrong lib paths.

The only other thing is that maybe it's a 64 bit issue? The CVS version works fine for me, but I don't run on a 64-bit platform.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Problem using EAP-TTLS
"luigi natalino" <[EMAIL PROTECTED]> wrote:
> I've launched chillispot with --eapolenable option -> chilli --eapolenable
> I've installed and configured SecureW2 client on WinXP.
> The problem is that EAP-TTLS are not used as shown in this log:

Which shows a CHAP session.

> Have I done any mistake in the Freeradius configuration or it depends on
> SecureW2?

The client is choosing to do CHAP. You've probably "logged in" via a web page on the Chillispot server. This means you're not using SecureW2 at all.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: sqlcounter
On Wed, 2006-08-30 at 15:35 +0200, Graham Beneke wrote:
> K. Hoercher wrote:
> > On 8/29/06, Fabiano Martins <[EMAIL PROTECTED]> wrote:
> >> I've been searching with no success about this... It's frustrating...
> >> there is no documents about.
> >
> > Perhaps the looking into the very obscure doc/rlm_sqlcounter file
> > helps, although it's not "DOC" for some strange reason.
> >
>
> I've also looked at that document and it has not got me any closer to
> knowing what is going on. It gives examples of how to use sqlcounter for
> time based billing - but it does not explain what the different elements
> of the sqlcounter are - or how they work.
>
> I am wanting to build an octets based billing system using some custom
> dictionary items from the Chillispot NAS - but I can't find info
> anywhere. Although I have heard that it has been successfully been
> implemented.

There is also some "documentation" in the config file. There may also be some "documentation" in the comments within the source code. I believe this has been discussed many times and there should be some information in the archives. Have you Googled for it?

Once you figure it out, maybe you wouldn't mind contributing some better documentation for rlm_sqlcounter to the project. I am sure future implementers would appreciate it.
Re: 1.1.3 on Solaris 10 (sparc)
> I would be most intersted in your posting. At this point I'm try to get
> plain old rlm_unix working using /etc/passwd & secret to get a foundation
> established, but I'm getting authnet failures, which I think are to do with
> the compliation and radiusd.conf of unix and pam.

So... post the debug log.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Interface binding problem
[EMAIL PROTECTED] wrote:
> The CVS snapshot indicates that this will be version 2.0. Is this the
> next planned release or is it more like a development branch which is
> maintained together with a stable 1.1-branch?

We plan on releasing 2.0 this fall, based on what's in CVS.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: How to return the values from the exec program to free radius?
Shankar Ganesh C <[EMAIL PROTECTED]> wrote:
> Could some body help me to know how to return values from the exec program ?

scripts/exec-program-wait

It describes what to do.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Dialupadmin in dedicated server
Thank you very much Kostas!
I really appreciate your help!

On 8/30/06, Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> On Wed, 30 Aug 2006, Guilherme Franco wrote:
> > Hello,
> >
> > I need to use Dialup Admin that is installed alone in a dedicated server.
> >
> > In the dialupadmin admin.config, it states that it needs the
> > /etc/local/radius in the same machine.
> >
> > What can I do? (considering that the freeradius is installed in another
> > server)
>
> dialupadmin does not really need radius in the same machine. The dependencies
> are the following:
>
> test user page needs radclient
> log_badlogins can read the clients.conf to find nas information
>
> So you can place a statically linked radclient on the same machine with
> dialupadmin (in order for the test page to work) and if you need log_badlogins
> you can also transfer your clients.conf file.
>
> > Thank you.
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
Re: FreeRADIUS crashes after EAP/PEAP authentication
"Nick Larsen" <[EMAIL PROTECTED]> wrote:
> Segmentation fault: 11 (core dumped)
> [EMAIL PROTECTED] [/etc/raddb]#

See doc/bugs. It describes exactly what to do when you get a core dump.

And the contents of the core dump say what's going wrong, too.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: 2.0.0-pre0 from CVS: Invalid version in module
> I've just compiled the CVS version from 20060830 with
> prefix=/root/bin/freeradius-cvs. When starting radiusd it complains
> that the compiled modules have the wrong version:

I've been running 2.0.0-pre0 for quite some time, and constantly cvs update too. I'm not sure what exact date my check out is, but I run this and have never seen any problems that you pointed out.

./configure --prefix=/usr \
    --libexecdir=/usr/sbin \
    --localstatedir=/var \
    --sysconfdir=/etc \
    --with-raddbdir=/srv/radiusd \
    --with-docdir=/usr/share/doc/freeradius-2.0.0-pre0 \
    --with-logdir=/var/log \
    --with-radacctdir=/srv/radiusd/acct \
    --with-gnu-ld \
    --without-rlm_x99_token &&
make &&
make install &&

> - 8<
> radiusd: entering modules setup
> Module: Library search path is /root/bin/freeradius-cvs/lib
> radiusd.conf[1634] Invalid version in module 'rlm_exec'
> Errors setting up modules
> - >8
>
> This happens not only for the rlm_exec module, if I comment this out
> it gives an error for rlm_expr ... a.s.o.
> I have:
>
> radiusd: FreeRADIUS Version 2.0.0-pre0, for host
> x86_64-unknown-linux-gnu, built on Aug 30 2006 at 12:58:10
>
> And all the modules in lib are freshly build and installed with the
> server. I have also checked the radiusd.conf for wrong lib paths.
>
> Any ideas what happend here?
>
> thanks,
> Christian Hahn
Re: Freeradius and SNMP
On Tuesday, 29 August 2006 22:35, Kevin Bonner wrote:
(...)
> The private enterprise number 3317 is assigned by IANA [1] to "Port
> Community Rotterdam", which released the GNOME-SMI MIB module. The
> GNOME-SMI MIB is used in mibs/GNOME-PRODUCT-RADIUSD-MIB, and using that
> file you can obtain a full object name for the enterprises.3317.1.3.1 OID.
> Its only use right now is for the SMUX connection, but may also be needed
> if/when AgentX support is added.
>
> Kevin Bonner

Hi,

thanks for that explanation. But my question was: Why do I get no answer if I do

snmpwalk (...) localhost enterprises.3317

while walking mib-2.67 gives results?

Michael.
--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
Re: EAP-TLS multi clients
K. Hoercher wrote:
> On 8/29/06, Lazzarini Matteo <[EMAIL PROTECTED]> wrote:
> > First of all I excuse me for my English. :-(
>
> Ah no problem, after it got sorted out.
>
> > itself correctly to the wlan, authenticated from freeradius with
> > eap-tls. Now therefore not there are more problems for that it regards
> > the authentication.
>
> Grats. So it was just my pessimism to suppose there are still issues.
>
> > The CA.all script generates me only 1 server, 1 client and 1 root
>
> Hm. Ok, those are just provided to be able to check the freeradius
> setup with respect to eap et al., they are not meant to be a
> production CA. So I'd suggest looking at openssl.org for further
> information (looking at the scripts might give you some starting point
> though). Basically you are to issue (unique) client certs (modelled to
> the one CA.all gave you) to other users either by acting as your own
> CA or using some commercial CA.
>
> regards
> K. Hoercher

I have need of certs for 3 clients, for some tests on freeradius with a sniffer that captures the input. Therefore I want test certs of the type which I already use, generated with the CA.all script.

How can I make 3 distinct certs for the clients? Is it possible to modify CA.all in order to create certs for 1 root, 1 server and 3 or more client certs for EAP-TLS (xpextension included)?

Does someone know of guides that can help me with this information?

Thousand thanks for all

Matteo ;-)
Re: Freeradius + OpenLDAP - user password problem
So, what I want to achieve is to authorize against OpenLDAP the easiest way. I don't care if I use cleartext passwords or NT hashes. What would be the fastest way to make things work? I'm running out of time for this >.<
RE : Re: no Client-IP-Address in packet
Michael Mitchell <[EMAIL PROTECTED]> wrote:
> Client-IP-Address is an internal freeRADIUS attribute, and is not
> defined in the RFC's. Hence it is never proxied to another server.
> In fact, the "Client-IP-Address" for server B in the example above
> would be the address of server A, and not the NAS.

Exactly, but it would seem that never arrives. Could you tell me how to make it so that the Client-IP-Address has the IP address value of server A.

Yours sincerely
Re: Freeradius + OpenLDAP - user password problem
Ok sorry for spamming :) But here is an update (again): I noticed I had " password_attribute = userPassword" commented out in the ldap module configuration. After I uncommented that, I get new output:

...
modcall[authorize]: module "eap" returns updated for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: '(uid=test)'
radius_xlat: 'ou=People,dc=kapion,dc=si'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test)
rlm_ldap: Added password {crypt}$1$9wlsOcEJ$QA/FskGvrnnmsj1SWi1kY/ in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 5
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 5
modcall: group Auth-Type returns reject for request 5
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 5
modcall: group authenticate returns reject for request 5
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
...
Re: Freeradius + OpenLDAP - user password problem
Yes yes, I understand, this works now :) I copied the CA public key to the wireless client and now it works. Now I only get this error:

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 5
modcall: group Auth-Type returns reject for request 5
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 5
modcall: group authenticate returns reject for request 5
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE

Hm, now I have to make LDAP passwords in NT hash and it will work (still gotta figure out how)? Or should I make changes in the ldap.attrmap file too?
wpa auth.xp stuck on login
Good day to you all, I'm kinda stuck with authenticating a windows xp sp2 laptop to a wlan - ap that uses wpa. i followed the 802.1X port based auth howto from tldp.org but no luck. the idea is to use ms-chapv2,eap,tls,peap in the log file i can see the user auth. come by, but no errors or problems showed up. the other day, a friend tried is with his mac i-book, and he did get in!? but now my xp machine doesn't.. dunno where it goes wrong.. starting radiusd -XX gives alot of output, but no error's shown either. here is a small dump.. - rad_recv: Access-Request packet from host 10.0.0.20:3072, id=0, length=125 User-Name = "collen" NAS-IP-Address = 10.0.0.20 Called-Station-Id = "0016b69e59c3" Calling-Station-Id = "00166f980e78" NAS-Identifier = "0016b69e59c3" NAS-Port = 46 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020b01636f6c6c656e Message-Authenticator = 0xe97abfadc688db9d412503fc8a0e283f Wed Aug 30 15:53:02 2006 : Debug: Processing the authorize section of radiusd.conf Wed Aug 30 15:53:02 2006 : Debug: modcall: entering group authorize for request 0 Wed Aug 30 15:53:02 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0 Wed Aug 30 15:53:02 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0 Wed Aug 30 15:53:02 2006 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0 Wed Aug 30 15:53:02 2006 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 0 Wed Aug 30 15:53:02 2006 : Debug: radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/10.0.0.20/auth-detail-20060830' Wed Aug 30 15:53:02 2006 : Debug: rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/10.0.0.20/auth-detail-20060830 Wed Aug 30 15:53:02 2006 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 0 Wed Aug 30 15:53:02 2006 : Debug: 
modcall[authorize]: module "auth_log" returns ok for request 0 Wed Aug 30 15:53:02 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0 Wed Aug 30 15:53:02 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0 Wed Aug 30 15:53:02 2006 : Debug: modcall[authorize]: module "mschap" returns noop for request 0 Wed Aug 30 15:53:02 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0 Wed Aug 30 15:53:02 2006 : Debug: rlm_eap: EAP packet type response id 0 length 11 Wed Aug 30 15:53:02 2006 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation Wed Aug 30 15:53:02 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0 Wed Aug 30 15:53:02 2006 : Debug: modcall[authorize]: module "eap" returns updated for request 0 Wed Aug 30 15:53:02 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0 Wed Aug 30 15:53:02 2006 : Debug: users: Matched entry collen at line 217 Wed Aug 30 15:53:02 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0 Wed Aug 30 15:53:02 2006 : Debug: modcall[authorize]: module "files" returns ok for request 0 Wed Aug 30 15:53:02 2006 : Debug: modcall: leaving group authorize (returns updated) for request 0 Wed Aug 30 15:53:02 2006 : Debug: rad_check_password: Found Auth-Type EAP Wed Aug 30 15:53:02 2006 : Debug: auth: type "EAP" Wed Aug 30 15:53:02 2006 : Debug: Processing the authenticate section of radiusd.conf Wed Aug 30 15:53:02 2006 : Debug: modcall: entering group authenticate for request 0 Wed Aug 30 15:53:02 2006 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 0 Wed Aug 30 15:53:02 2006 : Debug: rlm_eap: EAP Identity Wed Aug 30 15:53:02 2006 : Debug: rlm_eap: processing type tls Wed Aug 30 15:53:02 2006 : Debug: rlm_eap_tls: Initiate Wed Aug 30 15:53:02 2006 : Debug: rlm_eap_tls: Start returned 1 Wed Aug 30 15:53:02 2006 : Debug: modsingle[authenticate]: returned from 
eap (rlm_eap) for request 0 Wed Aug 30 15:53:02 2006 : Debug: modcall[authenticate]: module "eap" returns handled for request 0 Wed Aug 30 15:53:02 2006 : Debug: modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 0 to 10.0.0.20 port 3072 Reply-Message = "Go and See your system administrator" EAP-Message = 0x010100061920 Message-Authenticator = 0x State = 0x514be7fc208b2ee1df2cc191b5282f3a Wed Aug 30 15:53:02 2006 : Debug: Finished request 0 Wed Aug 30 15:53:02 2006 : Debug: Going to the next request Wed Aug 30 15:53:02 2006 : Debug: --- Walking the entire r
Re: Reply VSA-s in Access-Reject
Yervand Petrosyan wrote:
> Really, it would be reasonable to have this option
> configurable.

As always, patches are welcome.

--
Nicolas Baradakis
Re: sqlcounter
K. Hoercher wrote:
> On 8/29/06, Fabiano Martins <[EMAIL PROTECTED]> wrote:
>> I've been searching with no success about this... It's frustrating...
>> there is no documents about.
>
> Perhaps the looking into the very obscure doc/rlm_sqlcounter file
> helps, although it's not "DOC" for some strange reason.
>

I've also looked at that document and it has not got me any closer to knowing what is going on. It gives examples of how to use sqlcounter for time based billing - but it does not explain what the different elements of the sqlcounter are - or how they work.

I am wanting to build an octets based billing system using some custom dictionary items from the Chillispot NAS - but I can't find info anywhere. Although I have heard that it has been successfully been implemented.
Re: Freeradius + OpenLDAP - user password problem
Ok, nevermind, I get it now. The client needs the CA public key to verify the certificate authority, because I created it and it is not in the public registry. So, if I copy cacert.pem to the client machine I should get rid of this error, right? Will try it now, really hope it works :D
Re: no Client-IP-Address in packet
Phil Mayers wrote:
> Mitaine Yoann wrote:
> > When I proxied the request from to server A to the server B, there
> > wasn't Client-IP-Address in the packet.
>
> Client-IP-Address is added by the preprocess module. Have you removed
> this from "authorize"? If so, don't do that.

Client-IP-Address is an internal freeRADIUS attribute, and is not defined in the RFC's. Hence it is never proxied to another server.

In fact, the "Client-IP-Address" for server B in the example above would be the address of server A, and not the NAS.

regards,
Mike
RE : no Client-IP-Address in packet
Dear everybody,

In my previous email, I forgot to say that when I received a proxied packet, I tried to match a rule on the radius server B like:

DEFAULT Huntgroup-Name == "foo", Autz-Type := Ldap

where foo is defined in the huntgroups file as:

foo Client-IP-Address == x.x.x.x

in the users file. But this one hadn't been matched. If somebody has an idea...?

Mitaine Yoann <[EMAIL PROTECTED]> wrote:
> Dear everybody,
>
> I've installed the radius's CVS version of 08-23-06.
> I've this architecture :
>
> client < > AP <> Radius A <> Radius B
> 802.1X proxying
>
> The client does not have an IP address, it recovers its IP address from
> the DHCP server installed in radius server A, after being authenticated.
> I'm doing an EAP/TTLS authentication.
> When I proxied the request from to server A to the server B, there wasn't
> Client-IP-Address in the packet. I thought radius server A would have put
> its own ip address for Client-IP-Address attribute before sending the
> packet to server B. So, I would like to know if it's a normal situation
> and in this case, how I could insert the Client-IP-Address attribute in
> the packet.
>
> Thanks in advance.
> Yours sincerely.
2.0.0-pre0 from CVS: Invalid version in module
Hi,

I don't know if this is better asked on the developers list, but before I bother these guys I will try it here.

I've just compiled the CVS version from 20060830 with prefix=/root/bin/freeradius-cvs. When starting radiusd it complains that the compiled modules have the wrong version:

- 8<
radiusd: entering modules setup
Module: Library search path is /root/bin/freeradius-cvs/lib
radiusd.conf[1634] Invalid version in module 'rlm_exec'
Errors setting up modules
- >8

This happens not only for the rlm_exec module, if I comment this out it gives an error for rlm_expr ... a.s.o.

I have:

radiusd: FreeRADIUS Version 2.0.0-pre0, for host x86_64-unknown-linux-gnu, built on Aug 30 2006 at 12:58:10

And all the modules in lib are freshly built and installed with the server. I have also checked the radiusd.conf for wrong lib paths.

Any ideas what happened here?

thanks,
Christian Hahn
Re: Dialupadmin in dedicated server
On Wed, 30 Aug 2006, Guilherme Franco wrote:
> Hello,
>
> I need to use Dialup Admin that is installed alone in a dedicated server.
> In the dialupadmin admin.config, it states that it needs the
> /etc/local/radius in the same machine.
>
> What can I do? (considering that the freeradius is installed in another
> server)

dialupadmin does not really need radius in the same machine. The dependencies are the following:

test user page needs radclient
log_badlogins can read the clients.conf to find nas information

So you can place a statically linked radclient on the same machine with dialupadmin (in order for the test page to work) and if you need log_badlogins you can also transfer your clients.conf file.

> Thank you.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Freeradius + OpenLDAP - user password problem
On 8/30/06, Tilen <[EMAIL PROTECTED]> wrote:
> Ok i really don't get it. I made all certificates myself using only
> openssl (no scripts) and entered path to them in TLS part of the
> eap.conf file. CA, server cert.., everything is there in the same
> directory (in my case - CERTS, with big letters) (how would i sign
> certificate if i wouldn't create CA first?). And i don't have CA.all
> file at all :\
>
> Files i'm using:
> cacert.pem <-- this is my CA
> cakey.pem
> newcert.pem <-- and this is my server cert
> newcert.req

Your supplicant is sending a TLS Alert Message, because _it_ cannot find a CA certificate. What you are talking about is the freeradius side of things which looks alright at first glance. And if you don't get it to work, please first check with demo certificates to be generated by the CA.all script.

hth
K. Hoercher
no more [EMAIL PROTECTED]
hi,

got a small question for those used to xlate etc. I have a development/test setup here which is happily authenticating via EAP/TTLS and PEAP. however, what I am seeing is that Windows users using PEAP are having their real name logged and recorded, whereas the Mac TTLS and Windows TTLS folk are being recorded as [EMAIL PROTECTED] - ie the outer layer is being recorded as their username (the inner layer username is happily being used for the authorization stage so all is okay) but the NAS and authentication/accounting SQL are filled with the [EMAIL PROTECTED]

now, the Windows PEAP users also have [EMAIL PROTECTED] as their outer ID but I believe it's the 'Windows is a bit leaky with inner credentials' issue that is allowing their real ID to be caught and logged.

what's the recommended way of fixing this? what have other people done to fix this? enabling features such as use_tunneled_reply and log_stripped_name haven't helped... I am thinking that xlate is the way to go

oh, and currently the RADPOSTAUTH table is showing the real ID and the anonymous ID which isn't helping the NAS which receives the anonymous part last. do I simply drop or discard the anonymous part when it gets to this proxy box?

alan
Re: Duplicate requests in a session
Santiago Balaguer García wrote:
> Hi people,
>
> 1) In my activity I realize that when the connection to Internet of a
> NAS is NOT good (there are some delay in the DSL), the NAS sends several
> Start requests. My problem is my RADIUS server asks for all these
> requests and they are inserted in my DB. So, when the user or the NAS
> finalizes the session and the NAS sends a Stop Request, the credit
> associated to the user account is decremented several times. It happens
> so because I put a trigger in my DB to decrement the user credit
> automatically.
>
> Can I avoid the problem of inserting several times the start request?
> If it is so, how??
>
> 2) Is it supposed that the value of acctsessionid and acctuniqueid in
> radacct table are UNIQUE and they can not be duplicated ?
>
> Thanks,
> Santiago

Hi Santiago,

Does your DBMS enforce primary key constraints? Do you have a primary key defined for your radacct table? If I recall correctly, MySQL by default doesn't, are you using MySQL?

Cheers,
--
James Wakefield, Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED]
Website: http://www.deakin.edu.au
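An added example, not from the original posts or the FreeRADIUS schema, of the situation discussed above: with a unique index on acctuniqueid, retransmitted Start packets collapse into one radacct row, so a per-row trigger charges the session once. It uses SQLite so it runs offline; the credit table, the trigger, the sample packets and the `INSERT OR IGNORE` form (SQLite syntax) are constructed for illustration.

```python
import sqlite3

# Hypothetical schema: only the columns needed to show the effect.
SCHEMA = """
CREATE TABLE credit (
    username     TEXT PRIMARY KEY,
    seconds_left INTEGER NOT NULL
);
CREATE TABLE radacct (
    radacctid       INTEGER PRIMARY KEY AUTOINCREMENT,
    acctuniqueid    TEXT NOT NULL,
    username        TEXT NOT NULL,
    acctstarttime   TEXT,
    acctstoptime    TEXT,
    acctsessiontime INTEGER DEFAULT 0
);
-- Charge the account when a row goes from open to stopped (fires per row).
CREATE TRIGGER charge_on_stop
AFTER UPDATE OF acctstoptime ON radacct
FOR EACH ROW
WHEN OLD.acctstoptime IS NULL AND NEW.acctstoptime IS NOT NULL
BEGIN
    UPDATE credit
       SET seconds_left = seconds_left - NEW.acctsessiontime
     WHERE username = NEW.username;
END;
"""

# Constructed accounting traffic: the NAS retransmits Start three times
# and Stop twice for the same session.
PACKETS = [
    ("Start", "a1b2c3d4e5f60718", "alice", 0),
    ("Start", "a1b2c3d4e5f60718", "alice", 0),
    ("Start", "a1b2c3d4e5f60718", "alice", 0),
    ("Stop", "a1b2c3d4e5f60718", "alice", 600),
    ("Stop", "a1b2c3d4e5f60718", "alice", 600),
]


def replay(unique_index: bool):
    """Replay PACKETS and return (radacct row count, credit seconds left)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    if unique_index:
        db.execute("CREATE UNIQUE INDEX radacct_uniq ON radacct (acctuniqueid)")
    db.execute("INSERT INTO credit VALUES ('alice', 3600)")
    for status, uid, user, secs in PACKETS:
        if status == "Start":
            # With the unique index a retransmit is silently skipped;
            # without it there is nothing to conflict with and a new row appears.
            db.execute(
                "INSERT OR IGNORE INTO radacct "
                "(acctuniqueid, username, acctstarttime) "
                "VALUES (?, ?, datetime('now'))",
                (uid, user),
            )
        else:
            # Only still-open rows are closed, so a repeated Stop changes nothing.
            db.execute(
                "UPDATE radacct SET acctstoptime = datetime('now'), "
                "acctsessiontime = ? "
                "WHERE acctuniqueid = ? AND acctstoptime IS NULL",
                (secs, uid),
            )
    rows = db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    left = db.execute(
        "SELECT seconds_left FROM credit WHERE username = 'alice'"
    ).fetchone()[0]
    db.close()
    return rows, left


if __name__ == "__main__":
    print("no unique index :", replay(False))
    print("unique index    :", replay(True))
```

Without the index the single Stop closes three rows and the 600-second session is charged three times; with it, one row is closed and charged once.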
Dialupadmin in dedicated server
Hello,

I need to use Dialup Admin that is installed alone in a dedicated server. In the dialupadmin admin.config, it states that it needs the /etc/local/radius in the same machine.

What can I do? (considering that the freeradius is installed in another server)

Thank you.
Problem using EAP-TTLS
Hello,i've installed freeradius 1.1.2 and I've configured eap-ttls in eap.conf tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no } I've not made other changes to this file. I've launched chillispot with --eapolenable option -> chilli --eapolenable I've installed and configured SecureW2 client on WinXP. The problem is that EAP-TTLS are not used as shown in this log: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes 
proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "localhost" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=Manager,dc=valug,dc=it" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "mypass" ldap: basedn = "ou=homewifi,dc=valug,dc=it" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = 
"(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "userPassword" ldap: access_attr = "userPassword" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "radiusGroupName" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap r
Re: no Client-IP-Address in packet
Mitaine Yoann wrote:
> Dear everybody,
>
> I've installed the radius's CVS version of 08-23-06.
> I've this architecture :
>
> client < > AP <> Radius A <> Radius B
> 802.1X proxying
>
> The client does not have an IP address, it recovers its IP address from
> the DHCP server installed in radius server A, after being authenticated.
> I'm doing an EAP/TTLS authentication.

Client-IP-Address refers to the client of the radius server, not the client of the NAS

> When I proxied the request from to server A to the server B, there
> wasn't Client-IP-Address in the packet.

Client-IP-Address is added by the preprocess module. Have you removed this from "authorize"? If so, don't do that.
Reply VSA-s in Access-Reject
Thank you for answers,
Really, it would be reasonable to have this option configurable.

Yervand

On Wed 30 Aug 2006 12:13, Nicolas Baradakis wrote:
> Yervand Petrosyan wrote:
> > In 1.1.3 version Access-Reject doesn't return in reply
> > VSA attributes but it works well in 1.0.1.
> > Something was changed?
>
> Yes, because it was considered as a bug.
> See http://bugs.freeradius.org/show_bug.cgi?id=207
>
> I also note Vendor-Specific attributes aren't allowed in Access-Reject
> packets per RFC 2865. (section 5.44)
> See http://www.ietf.org/rfc/rfc2865.txt

This is not the first time we have been asked this, and as it appears that some NASes used this behaviour, maybe we should make this rfc compliance a configurable option..

I have added a section to the FAQ:
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#VSA_in_Access-Reject

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Duplicate requests in a session
Hi people,

1) In my activity I realize that when the connection to Internet of a NAS is NOT good (there are some delay in the DSL), the NAS sends several Start requests. My problem is my RADIUS server asks for all these requests and they are inserted in my DB. So, when the user or the NAS finalizes the session and the NAS sends a Stop Request, the credit associated to the user account is decremented several times. It happens so because I put a trigger in my DB to decrement the user credit automatically.

Can I avoid the problem of inserting several times the start request? If it is so, how??

2) Is it supposed that the value of acctsessionid and acctuniqueid in radacct table are UNIQUE and they can not be duplicated ?

Thanks,
Santiago
Re: Cannot compile and run on Mac OS X 10.4.7
Quoting Nicolas Baradakis <[EMAIL PROTECTED]>:

> Michael Check wrote:
>
> > On 8/22/06, Michael Check <[EMAIL PROTECTED]> wrote:
> > > We tried googling around and we're happy to hear that freeradius will
> > > be a part of 10.5, but we'd like to get it running now... There
> > > really is no other docs we've found on getting it compiled (after
> > > difficulty like the above) and installed. Certainly nothing recent
> > > anyway. Is it true that it _should_ just work? :)
> > >
> > > Thanks in advance for any assistance,
> >
> > This issue is not really solved, I didn't get it to compile, but I
> > thought those of you that are looking for a solution to run freeRADIUS
> > on OSX should look to the package installer that I found. It is quite
> > recent (version 1.1.0pre0) and runs great.
>
> I don't own an Apple machine, so I'm not able to test it myself.
> However from what I read on the mailing lists, it should be possible
> to build version 1.1.3 of FreeRADIUS on Mac OS 10.4.7 with the
> following commands:
>
> $ configure --enable-developer
> $ make
> $ su -
> # make install
>

it was actually me who reported successful compiling ... i just rechecked it:

# downloaded freeradius-1.1.3.tar.gz
# ./configure --enable-developer
# make
# sudo make install

and freeradius runs and responds to radtest.

another way would be "./configure", then remove the option "-s" in the line "INSTALLSTRIP = -s", then "make", "sudo make install", don't know about additional differences to "--enable-developer" (except from warning flags).

but i should point out that i do not use any sql-module (do not have the libraries installed which were required) or unixodbc, and have no libgdbm, so there is no rlm_counter, rlm_ippool. maybe there is your problem?

i am using a recent mac os 10.4.7 on an "ancient" g4 powerbook.

regards
markus

> --
> Nicolas Baradakis

--
Markus Krause
email: [EMAIL PROTECTED]
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99
Fax.: 089 - 89 40 85 98
RE: How to return the values from the exec program to free radius?
Hi All,

Could somebody help me with the same?

Thanks and regards
Shankar ganesh

-----Original Message-----
From: Shankar Ganesh [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 30, 2006 11:02 AM
To: freeradius-users@lists.freeradius.org
Subject: How to return the values from the exec program to free radius?

Hi All,

Could somebody help me to know how to return values from the exec program? I can understand that I need to use the output-pairs or reply list. But I do not really know how to use that; any sample code or document would really help me.

Thanks and regards
Shankar ganesh
Re: public key for source signature
Jonathan Casiot wrote:
> I've downloaded the most recent source, freeradius-1.1.3.tar.gz, and I'd
> like to verify the file against the PGP signature but I can't find the
> public key anywhere. Can someone point me to its location?

http://freeradius.org/pgp/[EMAIL PROTECTED]

--
Nicolas Baradakis
no Client-IP-Address in packet
Dear everybody,

I've installed the radius CVS version of 08-23-06. I have this architecture:

    client <---> AP <---> Radius A <---> Radius B
           802.1X                 proxying

The client does not have an IP address; it obtains its IP address from the DHCP server installed on radius server A, after being authenticated. I'm doing an EAP/TTLS authentication.

When I proxied the request from server A to server B, there wasn't a Client-IP-Address in the packet. I thought radius server A would have put its own IP address in the Client-IP-Address attribute before sending the packet to server B.

So, I would like to know if it's a normal situation and, in this case, how I could insert the Client-IP-Address attribute in the packet.

Thanks in advance.
Yours sincerely.
Checking Service-Type with checkval and mysql
Hello

I am currently trying to have my FreeRadius server check the "Service-Type" values, and reject Login attempts from a user that should be used for service-type Outbound only. My client equipment always send the "Service-Type" attribute in its requests. This attribute is defined into the check databases, but debug mode says:

>> Debug: rlm_checkval: Could not find attribute named Service-Type in check pairs

I really do not see what is wrong and why value checking is not done properly. It should find the attribute in the database, and reject the request. Can you help me out?

Below is my radcheck table, relevant parts of my radiusd.config and the debug output.

mysql> select * from radcheck;
+----+----------+--------------+----+----------+
| id | UserName | Attribute    | op | Value    |
+----+----------+--------------+----+----------+
|  3 | admin    | Password     | == | cisco    |
|  5 | admin    | Service-Type | == | Outbound |
+----+----------+--------------+----+----------+

checkval {
        item-name = Service-Type
        check-name = Service-Type
        data-type = string
        notfound-reject = yes
}
//...
authorize {
        preprocess
        chap
        suffix
        eap
        #files
        sql
        checkval
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        eap
}

rad_recv: Access-Request packet from host 10.10.107.68:1645, id=6, length=86
        NAS-IP-Address = 10.10.107.68
        NAS-Port = 500
        NAS-Port-Type = Virtual
        User-Name = "admin"
        Calling-Station-Id = "XXX.XXX.XXX.XXX"
        User-Password = "cisco"
        Service-Type = Login-User
Wed Aug 30 11:30:13 2006 : Debug: Processing the authorize section of radiusd.conf
Wed Aug 30 11:30:13 2006 : Debug: modcall: entering group authorize for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall[authorize]: module "preprocess" returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall[authorize]: module "chap" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 1
Wed Aug 30 11:30:13 2006 : Debug: rlm_realm: No '@' in User-Name = "admin", looking up realm NULL
Wed Aug 30 11:30:13 2006 : Debug: rlm_realm: No such realm "NULL"
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall[authorize]: module "suffix" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 1
Wed Aug 30 11:30:13 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall[authorize]: module "eap" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: calling sql (rlm_sql) for request 1
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat: 'admin'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): sql_set_user escaped user --> 'admin'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'admin' ORDER BY id'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): Reserving sql socket id: 3
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'admin' ORDER BY id'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): Released sql socket id: 3
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: returned from sql (rlm_sql) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall[authorize]: module "sql" returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: calling checkval (rlm_checkval) for request 1
Wed Aug 30 11:30:
Re: 1.1.3 on Solaris 10 (sparc)
Geoffroy,

I would be most interested in your posting. At this point I'm trying to get plain old rlm_unix working using /etc/passwd & secret to get a foundation established, but I'm getting authnet failures, which I think are to do with the compilation and radiusd.conf of unix and pam.

Regards
BernieD

----- Original Message -----
From: "Geoffroy Arnoud" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Tuesday, August 29, 2006 4:08 PM
Subject: Re : 1.1.3 on Solaris 10 (sparc)

I am quite pleased to report I have, with minimal discomfort, version 1.1.3 running on Solaris 10. The source actually compiles perfectly once OS dependencies etc. are met. I will share a few tips here for any who may be attempting the same. My main goal was LDAP functionality. Other bells and whistles might require additional steps. Please forgive the Solaris info here, it is dangerously close to being off-topic... except that you need it to install freeradius.

I suggest that those tips shall be stored in the docs directory under FreeRadius CVS.

Geoff.
Re: Building Freeradius RPM on Redhat ES 4.0
On Wed, Aug 30, 2006 at 08:47:13AM +0100, B Thompson wrote:
> On Tue, Aug 29, 2006 at 07:32:23PM -0400, King, Michael wrote:
>
> > cp: will not overwrite just-created
> > `/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3/README' with
> > `README'
> > error: Bad exit status from /var/tmp/rpm-tmp.49148 (%doc)
>
> I get this error too. It looks like line 102 in the spec file is
> causing it :-
>
> %doc doc/* LICENSE COPYRIGHT CREDITS README
>
> Should this line simply be :
>
> %doc doc/*
>
> This change allows the package to build on my system but when I try to
> install the rpm I get the following message :-
>
> error: Failed dependencies:
> /usr/local/bin/perl is needed by freeradius-1.1.3-0.i386

Having googled about for this I removed /usr/local/bin from my path and ran rpmbuild again. This time everything worked OK.

--
Ben Thompson
University of York
Re: Reply VSA-s in Access-Reject
On Wed 30 Aug 2006 12:13, Nicolas Baradakis wrote:
> Yervand Petrosyan wrote:
> > In 1.1.3 version Access-Reject doesn't return in reply
> > VSA attributes but it works well in 1.0.1.
> > Something was changed?
>
> Yes, because it was considered as a bug.
> See http://bugs.freeradius.org/show_bug.cgi?id=207
>
> I also note Vendor-Specific attributes aren't allowed in Access-Reject
> packets per RFC 2865. (section 5.44)
> See http://www.ietf.org/rfc/rfc2865.txt

This is not the first time we have been asked this, and as it appears that some NASes used this behaviour, maybe we should make this rfc compliance a configurable option..

I have added a section to the FAQ:
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#VSA_in_Access-Reject

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Cannot compile and run on Mac OS X 10.4.7
Michael Check wrote:
> On 8/22/06, Michael Check <[EMAIL PROTECTED]> wrote:
> > We tried googling around and we're happy to hear that freeradius will
> > be a part of 10.5, but we'd like to get it running now... There
> > really is no other docs we've found on getting it compiled (after
> > difficulty like the above) and installed. Certainly nothing recent
> > anyway. Is it true that it _should_ just work? :)
> >
> > Thanks in advance for any assistance,
>
> This issue is not really solved, I didn't get it to compile, but I
> thought those of you that are looking for a solution to run freeRADIUS
> on OSX should look to the package installer that I found. It is quite
> recent (version 1.1.0pre0) and runs great.

I don't own an Apple machine, so I'm not able to test it myself. However from what I read on the mailing lists, it should be possible to build version 1.1.3 of FreeRADIUS on Mac OS 10.4.7 with the following commands:

    $ ./configure --enable-developer
    $ make
    $ su -
    # make install

--
Nicolas Baradakis
Re: Reply VSA-s in Access-Reject
Yervand Petrosyan wrote:
> In 1.1.3 version Access-Reject doesn't return in reply
> VSA attributes but it works well in 1.0.1.
> Something was changed?

Yes, because it was considered as a bug.
See http://bugs.freeradius.org/show_bug.cgi?id=207

I also note Vendor-Specific attributes aren't allowed in Access-Reject packets per RFC 2865. (section 5.44)
See http://www.ietf.org/rfc/rfc2865.txt

--
Nicolas Baradakis
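The RFC 2865 rule cited in the reply above, as an added example that is not part of the thread or of FreeRADIUS: a Python check that parses a RADIUS packet and lists the Vendor-Id of every Vendor-Specific attribute (type 26) carried in an Access-Reject (code 3). The function names and sample packets are constructed for illustration, and 32473 is the enterprise number reserved for documentation.

```python
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # Code field values, RFC 2865 section 3
VENDOR_SPECIFIC = 26                  # attribute type, RFC 2865 section 5.26
HEADER_LEN = 20                       # code + identifier + length(2) + authenticator(16)


def parse_packet(packet: bytes):
    """Return (code, [(attr_type, value), ...]), rejecting malformed lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("Length field disagrees with the data received")
    attrs, pos = [], HEADER_LEN
    while pos < length:               # octets past Length are padding and ignored
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def vsa_vendors_in_reject(packet: bytes):
    """Vendor-Ids of every Vendor-Specific attribute in an Access-Reject.

    Returns [] for any other packet code, which this check does not cover.
    """
    code, attrs = parse_packet(packet)
    if code != ACCESS_REJECT:
        return []
    vendors = []
    for attr_type, value in attrs:
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("VSA too short to hold a Vendor-Id")
            vendors.append(struct.unpack("!I", value[:4])[0])
    return vendors


def build_packet(code: int, ident: int, attrs) -> bytes:
    """Assemble a constructed test packet (all-zero authenticator, not signed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body


# Constructed samples. 32473 is the documentation enterprise number (RFC 5612).
EXAMPLE_VSA = (VENDOR_SPECIFIC, struct.pack("!I", 32473) + b"\x01\x06demo")
REPLY_MESSAGE = (18, b"Access denied")
REJECT_WITH_VSA = build_packet(ACCESS_REJECT, 6, [REPLY_MESSAGE, EXAMPLE_VSA])
REJECT_CLEAN = build_packet(ACCESS_REJECT, 6, [REPLY_MESSAGE])
ACCEPT_WITH_VSA = build_packet(ACCESS_ACCEPT, 6, [EXAMPLE_VSA])

if __name__ == "__main__":
    for name in ("REJECT_WITH_VSA", "REJECT_CLEAN", "ACCEPT_WITH_VSA"):
        print(name, vsa_vendors_in_reject(globals()[name]))
```

Run against captured replies from a server, a non-empty result for an Access-Reject identifies the pre-fix behaviour the thread describes for 1.0.1.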
public key for source signature
Hi

I've downloaded the most recent source, freeradius-1.1.3.tar.gz, and I'd like to verify the file against the PGP signature but I can't find the public key anywhere. Can someone point me to its location?

Thanks
--
Jonathan
Re: Freeradius + OpenLDAP - user password problem
Ok i really don't get it. I made all certificates myself using only openssl (no scripts) and entered path to them in TLS part of the eap.conf file. CA, server cert.., everything is there in the same directory (in my case - CERTS, with big letters) (how would i sign certificate if i wouldn't create CA first?). And i don't have CA.all file at all :\

Files i'm using:

    cacert.pem   <-- this is my CA
    cakey.pem
    newcert.pem  <-- and this is my server cert
    newcert.req
Re: Interface binding problem
Hi,

> The CVS snapshot indicates that this will be version 2.0. Is this the

you've checked out the main HEAD. if you want 1.1.x CVS you need to specify the correct HEAD when doing the CVS

alan
Re: Building Freeradius RPM on Redhat ES 4.0
On Tue, Aug 29, 2006 at 07:32:23PM -0400, King, Michael wrote:
> cp: will not overwrite just-created
> `/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3/README' with
> `README'
> error: Bad exit status from /var/tmp/rpm-tmp.49148 (%doc)

I get this error too. It looks like line 102 in the spec file is causing it :-

    %doc doc/* LICENSE COPYRIGHT CREDITS README

Should this line simply be :

    %doc doc/*

This change allows the package to build on my system but when I try to install the rpm I get the following message :-

    error: Failed dependencies:
    /usr/local/bin/perl is needed by freeradius-1.1.3-0.i386

--
Ben Thompson
University of York
Re: issue with attribute 97 from rfc3162 in users file
>> /usr/local/etc/raddb/users[227]: Parse error (reply) for entry
>> hextest: unknown attribute type 8
>> Errors reading /usr/local/etc/raddb/users
>
> this works with the 2.0pre CVS code.. so there's something not quite right
> in the 1.1.3 code. and yes, there's no IPV6PREFIX handler in valuepair.c
> or in the print debugger or full handling in radius.c

Thanks for the hint, I will try the cvs version and probably check the code of the 1.1.3 version. Is there any information on how mature the 2.0.0-pre0 code is? Is it just a development branch for new features or will this be eventually the next release train?

best regards,
Christian

> FreeRADIUS Version 2.0.0-pre0
>
> dict.c: { "ipv6prefix", PW_TYPE_IPV6PREFIX },
> print.c:case PW_TYPE_IPV6PREFIX:
> radius.c: case PW_TYPE_IPV6PREFIX:
> radius.c: case PW_TYPE_IPV6PREFIX:
> radius.c: case PW_TYPE_IPV6PREFIX:
> radius.c: case PW_TYPE_IPV6PREFIX:
> valuepair.c:case PW_TYPE_IPV6PREFIX:
> valuepair.c:case PW_TYPE_IPV6PREFIX:
> valuepair.c:case PW_TYPE_IPV6PREFIX:
>
>
> FreeRADIUS Version 1.1.3
>
> dict.c: { "ipv6prefix", PW_TYPE_IPV6PREFIX },
> radius.c: case PW_TYPE_IPV6PREFIX:
> radius.c: case PW_TYPE_IPV6PREFIX:
>
>
> so thats why it isnt working for you
>
> alan
Re: WebDAV HTTP Auth to RADIUS, possible?
Michael Check wrote:
> Is it possible to set up an Apache 1.3 server with WebDAV to
> authenticate to a freeRADIUS? Ideally, I would like to tell the Apache
> directives to look at freeRADIUS for authentication using the
> httpd.conf file. Has anyone ever done this or able to point me in a
> direction? Is it even possible? We're using freeRadius 1.1.0 on OSX.4,
> successfully authenticating off an Active Directory master.

I don't know a lot about WebDAV, but I think that it uses classical Apache authentication mechanism, right?

Then, you could use mod_auth_radius (http://www.freeradius.org/mod_auth_radius), or use a PAM authentication + a PAM radius module (http://www.freeradius.org/pam_radius_auth)

--
Samuel Degrande
LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3 Phone: (33)3.28.77.85.30
USTL - Universite de Lille 1 Fax: (33)3.28.77.85.37
59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]
Re: LDAP authentication
Hi,

> I should have tried that mapping.
>
> HOWEVER
>
> It still doesn't work.
> I can perform radtest queries username/LDAPpassword, and I get the accept
> response.
> If I use the query with username/remotepassword, I get rejected.

Okay, I can't verify what I propose now, so I might be wrong, but: ldap is usually called twice: during authorize and authenticate. authorize is the section that pulls attributes out of LDAP using ldap.attrmap and is the one you need. In authenticate, it tries a bind with the user's name and password. This is NOT what you want, because the bind will fail. You could try to _comment out_ the following lines from your authenticate section

    Auth-Type LDAP {
        ldap
    }

so that the bind isn't attempted. Not sure if that's enough though, since the ldap in authorize will set Auth-Type to LDAP by itself... But if it doesn't, someone else would need to jump in, that's beyond my experience. Maybe it's necessary to set Auth-Type to PAP in the users file manually then.

Greetings,
Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: Interface binding problem
Nicolas Baradakis wrote:
>> I'd like to set it up with the commandline switch (-i ), but this does
>> not seem to work (tested on versions 0.2, 1.0.1 and 1.2): the server
>> only takes the address from the configuration file and completely
>> ignores the commandline switch. I do realise that the commandline
>> switch is deprecated, but is it possible to get this to work somehow?
>
> You may try a nightly CVS snapshot. I think the -i and -p options are
> fixed in CVS.

Yes, they are; thank you very much!

The CVS snapshot indicates that this will be version 2.0. Is this the next planned release or is it more like a development branch which is maintained together with a stable 1.1-branch? (I'm trying to figure out if it's worthwhile to wait for the next released version or just use a 'stable enough' CVS snapshot for the time being if a release that fixes these options isn't planned for some time.)

Thanks very much again!

Kind regards,
Marcel