WPA/RADIUS Problems
Hi list,

I'm a FreeRADIUS noob, and I've been charged with getting some WiFi APs authenticating against an existing FreeRADIUS server being used for dialup users. I've configured FreeRADIUS as best I can figure from what I've found on the web, but I'm having no success with getting WPA to work. I'm using a D-Link 2100AP access point, and a Mac OS X 10.4 client. From what I can gather it seems that I might have misconfigured FreeRADIUS, based on the error message below.

I've configured a test user as follows:

    pants   Auth-Type := Accept
            Tunnel-Type = 13,
            Tunnel-Medium-Type = 6,
            Tunnel-Private-Group-Id = 1

The last 3 lines I found in a tutorial on the web, but I'm not sure if they are necessary or not (and commenting them out makes no difference).

When I run radtest everything looks OK:

    $ radtest pants localhost 1 XX
    Sending Access-Request of id 141 to 127.0.0.1:1812
            User-Name = pants
            User-Password = 
            NAS-IP-Address = newdeewhy
            NAS-Port = 1
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=141, length=35
            Tunnel-Type:0 = VLAN
            Tunnel-Medium-Type:0 = IEEE-802
            Tunnel-Private-Group-Id:0 = 1

When I try to connect from my Mac OS X client I get the following error:

And the following appears in the radius.log:

    Fri Sep  1 15:50:59 2006 : Auth: Login OK: [pants] (from client testap port 1 cli 00-0D-93-86-48-8E)
    Fri Sep  1 15:51:02 2006 : Error: Authentication reply packet code 2 sent to a non-proxy reply port from client testap:1025 - ID 0 : IGNORED

Watching the traffic shows the Access-Accept packet being sent back to the AP, but confusingly the AP sends an Access-Accept back to the RADIUS server! (10.0.0.100 is the AP, 10.0.0.101 is the RADIUS server):

    # tcpdump -nXi eth1 -s 65535 host 10.0.0.100
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
    16:08:43.990613 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Request (1), id: 0x00 length: 193
    16:08:43.992271 IP 10.0.0.101.1812 > 10.0.0.100.1027: RADIUS, Access Accept (2), id: 0x00 length: 35
    16:08:46.987506 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Accept (2), id: 0x00 length: 35
    16:08:48.382840 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Request (1), id: 0x01 length: 193
Re: Duplicate requests in a session
> If you apply this change and add this rule, you do the same that freeradius does to build the acctuniqueid attribute, and put this attribute as primary key.

Good question. Does anyone have anything against changing this?

-Peter

On Thu 31 Aug 2006 10:11, Santiago Balaguer García wrote:
> Thanks James, I don't understand how using a primary key solves the problem of duplicate keys. I had radacctid as primary key in radacct, but now I am going to have acctuniqueid. This problem raises a new thread: why is radacctid the primary key of the radacct table instead of acctuniqueid?
>
> > I used a slightly different solution in my PostgreSQL implementation:
> >
> >     ALTER TABLE ONLY radacct ADD CONSTRAINT radacct_unique_session
> >         UNIQUE ( username, nasipaddress, nasportid, acctsessionid );
> >
> > NOTE: When duplicate records come in you will see errors in the log file like these:
> >
> >     Fri Jul  7 13:06:47 2006 : Error: rlm_sql (sql): failed after re-connect
> >     Fri Jul  7 13:06:47 2006 : Error: rlm_sql (sql): Couldn't insert SQL accounting START record - ERROR: duplicate key violates unique constraint radacct_unique_session
> >
> > These errors are mostly informational, because when the insert fails, rlm_sql will use the alternate update method and will succeed. This is the same method I used on a customized Cistron server I used for over 5 years and had no problems.
> >
> > For some reason acctuniqueid was not unique in the duplicate packets, so my initial attempts at using it were unsuccessful.
> >
> > PostgreSQL can have a primary key that spans multiple columns, and it would look like this {IIRC}:
> >
> >     ALTER TABLE ONLY radacct ADD CONSTRAINT radacct_pkey_session
> >         PRIMARY KEY ( username, nasipaddress, nasportid, acctsessionid );
> >
> > I did not use this, because I did not want to significantly change the default configuration of most of the tables.
> >
> > Once I get a chance to clean up the admin interface I have been developing I will likely want to add some changes to the PostgreSQL default schema that will allow better management without affecting the default configuration, but since I am not finished I don't want to add the changes to CVS quite yet.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
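What James describes above (the INSERT of a duplicated Accounting-Start failing on the unique constraint, then the fallback UPDATE succeeding), as an added example that is not code from the thread or from FreeRADIUS. It uses an in-memory SQLite table with a trimmed radacct layout in place of the PostgreSQL schema, and the accounting record is constructed.

```python
"""Simulate a duplicated Accounting-Start against a radacct table that has
the thread's UNIQUE constraint: the second INSERT fails, the fallback UPDATE
succeeds, and the table still holds one row for the session.
Added example, not FreeRADIUS code; SQLite stands in for PostgreSQL."""
import sqlite3

# Trimmed radacct layout (constructed); only the columns the constraint
# and the START record need are kept.
SCHEMA = """
CREATE TABLE radacct (
    radacctid       INTEGER PRIMARY KEY AUTOINCREMENT,
    acctsessionid   TEXT NOT NULL,
    username        TEXT NOT NULL,
    nasipaddress    TEXT NOT NULL,
    nasportid       TEXT,
    acctstarttime   TEXT,
    acctstoptime    TEXT,
    acctsessiontime INTEGER,
    CONSTRAINT radacct_unique_session
        UNIQUE (username, nasipaddress, nasportid, acctsessionid)
);
"""


def open_db():
    """Fresh in-memory database with the radacct table."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def accounting_start(db, rec):
    """Insert a START record; on a duplicate-key error fall back to updating
    the existing row, the way the thread says rlm_sql does.  Returns
    'inserted' or 'updated'."""
    try:
        db.execute(
            "INSERT INTO radacct (acctsessionid, username, nasipaddress,"
            " nasportid, acctstarttime) VALUES (?, ?, ?, ?, ?)",
            (rec["acctsessionid"], rec["username"], rec["nasipaddress"],
             rec["nasportid"], rec["acctstarttime"]))
        return "inserted"
    except sqlite3.IntegrityError:
        # This is the 'duplicate key violates unique constraint' case from
        # the log excerpt: informational, because the update below succeeds.
        db.execute(
            "UPDATE radacct SET acctstarttime = ? WHERE username = ? AND"
            " nasipaddress = ? AND nasportid = ? AND acctsessionid = ?",
            (rec["acctstarttime"], rec["username"], rec["nasipaddress"],
             rec["nasportid"], rec["acctsessionid"]))
        return "updated"


def session_count(db):
    """Number of rows in radacct."""
    return db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]


# Constructed: the same Accounting-Start delivered twice (NAS retransmit).
START = {"acctsessionid": "0000001A", "username": "pants",
         "nasipaddress": "10.0.0.100", "nasportid": "1",
         "acctstarttime": "2006-07-07 13:06:47"}

if __name__ == "__main__":
    db = open_db()
    print(accounting_start(db, START), accounting_start(db, dict(START)))
    print("rows:", session_count(db))
```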
Re: WPA/RADIUS Problems
On the rare occasions that I post to mailing lists I always forget something in the first message. This is the error that I get from Internet Connect on Mac OS X when I connect:

    802.1X Authentication has failed.
    802.1X is unable to authenticate. It is possible that the configuration you have provided is invalid. If you are unsure about what configuration to connect with, check with your network administrator.
    ( Error: 1 on port en1 )

Loukas
Re: URGENT! Dialupadmin Could not connect to SQL database
Make sure you pass the checklist on http://ora-12154.ora-code.com/

Personally I've seen Oracle clients that suddenly refuse to work because it decides that it wants IP-name mappings. Usually a trip to the DNS or /etc/hosts solves the problem.

On 31 Aug 2006, at 16:38 GMT+02:00, Guilherme Franco wrote:
> Mr. Peter,
>
> I did a test right now with the command line "php", for example "php test.php", and it works! test.php is a program I've created to retrieve some tables from the Oracle server. (tcpdump on the Oracle server shows traffic correctly this way.)
>
> But when I try to open test.php from the Apache web page, it states
>
>     Parse error: syntax error, unexpected '' in /www/htdocs/test.php on line 10
>
> (then, tcpdump on the Oracle server shows nothing). I think that the same problem is blocking dialupadmin from connecting with Oracle. What might it be?
>
> Thanks.
>
> On 8/31/06, Guilherme Franco wrote:
> > Hello,
> >
> > Yes, I configured it with the option "--with-oci8", and phpinfo() shows oci8 support as enabled. This machine (dialupadmin server) is standalone (Oracle on another server and radius on another). I'm trying to use sqlplus from the dialupadmin server but it gives me either ORA-12546 TNS permission denied or ORA-12514 TNS listener does not currently know of service requested in connect descriptor. I've researched a lot about these problems but found nothing.
> >
> > note: (I've read somewhere that oci does not work well with modules, just with static php links)
> >
> > Please help. Thank you very much.
> >
> > On 8/31/06, Peter Nixon wrote:
> > > On Thu 31 Aug 2006 16:17, Guilherme Franco wrote:
> > > > URGENT! Hi, I'm getting this error *Could not connect to SQL database.* in dialupadmin (using OCI8 with ORACLE). Radiusd connects to Oracle without any problems, dialupadmin doesn't.
> > >
> > > Does your PHP module have Oracle support?
> > >
> > > --
> > > Peter Nixon
> > > http://www.peternixon.net/
> > > PGP Key: http://www.peternixon.net/public.asc
Re: Freeradius and SNMP
On Friday, 1 September 2006 00:16, Kevin Bonner wrote:
> On Wednesday 30 August 2006 11:09, Michael Schwartzkopff wrote:
> > Hi,
> >
> > thanks for that explanation. But my question was: Why do I get no answer if I do
> >
> >     snmpwalk (...) localhost enterprises.3317
> >
> > while walking mib-2.67 gives results?
> >
> > Michael.
>
> The ent.3317 OID is only used to establish the SMUX session with the SNMP daemon. It is never registered with snmpd, which is why you receive no results.
>
> -Kevin

Thanks. That explains a lot.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
Re: WebDAV HTTP Auth to RADIUS, possible?
Michael Check wrote:
> On 8/31/06, Michael Check wrote:
> > WebDAV will allow either Basic or Digest (it uses the same HTTP Auth mechanism that Apache provides) so I think it will work. Even with DAV On, you can have AuthType Basic, so my assumption at this point is that it will work. I'll report back to the list.
>
> I'm having difficulty getting Basic authentication done with mod_auth_radius. Here are the httpd conf directives used:
>
>     <IfModule mod_auth_radius.c>
>         AddRadiusAuth 127.0.0.1:1812 testing123 5:3
>         AddRadiusCookieValid 5
>     </IfModule>
>
>     <Location /calendars/>
>         AllowOverride None
>         Options None
>         AuthType Basic
>         AuthName Calendars
>         #AuthAuthoritative Off
>         AuthRadiusAuthoritative On
>         AuthRadiusCookieValid 5
>         AuthRadiusActive On
>         <Limit GET HEAD OPTIONS>
>             require valid-user
>         </Limit>
>     </Location>

Our configuration for Apache 1.3 (but it was for https authentication, not for WebDAV...) was

    AuthAuthoritative on
    AuthRadiusAuthoritative on

As far as I remember the order of module declaration was also important. We had:

    LoadModule access_module libexec/mod_access.so
    LoadModule radius_auth_module libexec/mod_auth_radius.so
    LoadModule auth_module libexec/mod_auth.so

Hope it will help you

--
Samuel Degrande            LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3
Phone: (33)3.28.77.85.30   USTL - Universite de Lille 1
Fax: (33)3.28.77.85.37     59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]
Re: WPA/RADIUS Problems
Loukas Kalenderidis wrote:
> I've configured FreeRADIUS as best I can figure from what I've found on the web, but I'm having no success with getting WPA to work. I'm using a D-Link 2100AP access point, and a Mac OS X 10.4 client. From what I can gather it seems that I might have misconfigured FreeRADIUS, based on the error message below.
>
> I've configured a test user as follows:
>
>     pants   Auth-Type := Accept

That won't make WPA work. WPA requires a whole bunch of data exchange before all the machines involved believe that net access has been granted. You have to configure users, passwords, and certificates for it to work.

> The last 3 lines I found in a tutorial on the web, but I'm not sure if they are necessary or not (and commenting them out makes no difference).

They're for VLAN assignment. You don't need them.

> Watching the traffic shows the Access-Accept packet being sent back to the AP, but confusingly the AP sends an Access-Accept back to the RADIUS server! (10.0.0.100 is the AP, 10.0.0.101 is the RADIUS server):

That's what the debug log shows, too. I'm a little surprised that the AP is sending the Access-Request back to the server. Since you've configured the server to do something the AP doesn't expect, I guess you're in an untested area of its behavior.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
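To make Alan's point concrete, here is an added example (not code from the thread, the AP vendor or FreeRADIUS) that decodes a RADIUS packet and checks an Access-Accept for what an 802.1X authenticator needs: EAP-Message, Message-Authenticator (RFC 3579) and the MS-MPPE keys that carry the PMK. The packet is constructed from the three tunnel attributes the radtest output lists; its authenticator is a made-up constant, and the misdirected-reply check mirrors the "reply packet code 2 sent to a non-proxy reply port" line in the radius.log.

```python
"""Decode a RADIUS packet and check whether an Access-Accept carries what an
802.1X/WPA authenticator needs.  Added example, not code from the thread,
the AP vendor or FreeRADIUS.  The packet below is constructed from the
attributes the radtest output shows (Tunnel-Type=VLAN, Tunnel-Medium-Type=
IEEE-802, Tunnel-Private-Group-Id="1"); its authenticator is made up."""
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
AUTH_PORT = 1812
# Attribute type codes (RFC 2865, RFC 2868, RFC 3579, RFC 2548).
VENDOR_SPECIFIC, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 26, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TAGGED = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}
MICROSOFT = 311
MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 16, 17


def parse_packet(data):
    """Return (code, ident, authenticator, attrs).  attrs holds (type, value)
    for plain attributes, (type, tag, value) for tagged tunnel attributes and
    (26, vendor_id, vendor_type, value) for vendor-specific ones.  Any length
    inconsistency raises ValueError (RFC 2865: silently discard)."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field %d vs %d bytes" % (length, len(data)))
    authenticator = data[4:20]
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at %d" % (alen, pos))
        value = data[pos + 2:pos + alen]
        if atype in TAGGED:
            # RFC 2868: the first value byte is a tag only when it is <= 0x1f.
            if value and value[0] <= 0x1F:
                attrs.append((atype, value[0], value[1:]))
            else:
                attrs.append((atype, 0, value))
        elif atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short Vendor-Specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]  # vlen covers type+len+data
            attrs.append((atype, vendor_id, vtype, value[6:4 + vlen]))
        else:
            attrs.append((atype, value))
        pos += alen
    return code, ident, authenticator, attrs


def missing_for_8021x(attrs):
    """Names of what an 802.1X authenticator expects in an Access-Accept but
    does not find: EAP-Message (EAP-Success), Message-Authenticator and the
    MS-MPPE keys that hand the PMK to the access point."""
    types = {a[0] for a in attrs}
    mppe = {(a[1], a[2]) for a in attrs if a[0] == VENDOR_SPECIFIC}
    missing = []
    if EAP_MESSAGE not in types:
        missing.append("EAP-Message")
    if MESSAGE_AUTHENTICATOR not in types:
        missing.append("Message-Authenticator")
    if (MICROSOFT, MS_MPPE_SEND_KEY) not in mppe:
        missing.append("MS-MPPE-Send-Key")
    if (MICROSOFT, MS_MPPE_RECV_KEY) not in mppe:
        missing.append("MS-MPPE-Recv-Key")
    return missing


def misdirected_reply(code, dst_port):
    """True when a reply code (Access-Accept) arrives on the server's own
    authentication port, which is what FreeRADIUS logged and ignored."""
    return code == ACCESS_ACCEPT and dst_port == AUTH_PORT


# Constructed Access-Accept: id 0, length 35, made-up authenticator, then the
# three tunnel attributes exactly as the thread's radtest output lists them.
AUTHENTICATOR = bytes(range(16))
VLAN_ACCEPT = (struct.pack("!BBH", ACCESS_ACCEPT, 0, 35) + AUTHENTICATOR
               + bytes([TUNNEL_TYPE, 6, 0, 0, 0, 13])
               + bytes([TUNNEL_MEDIUM_TYPE, 6, 0, 0, 0, 6])
               + bytes([TUNNEL_PRIVATE_GROUP_ID, 3]) + b"1")

if __name__ == "__main__":
    code, ident, _, attrs = parse_packet(VLAN_ACCEPT)
    print("code", code, "id", ident, attrs)
    print("missing for 802.1X:", missing_for_8021x(attrs))
    print("misdirected:", misdirected_reply(code, AUTH_PORT))
```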
Redirect question
Hi all,

I have a question. I used freeradius with a MySQL backend for auth and accounting for dialup accounts. I want to know if it is possible, when the user account is expired, to allow the user to connect but be redirected to a website telling him that the account is expired. Is it possible?
Re: Redirect question
Mordor Networks wrote:
> I have a question. I used freeradius with a MySQL backend for auth and accounting for dialup accounts. I want to know if it is possible, when the user account is expired, to allow the user to connect but be redirected to a website telling him that the account is expired. Is it possible?

You will need a captive portal to do this.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
SQL user in multiple groups
Hello! Does anybody use a user in multiple groups with the SQL backend?

--
Pavel D. Kuzin
System Administrator
Nodex ISP
St. Petersburg, Russia
http://nodex.ru
Problems getting eap-mschapv2 working.
Been trying to get eap working with peap/mschapv2 but it doesn't seem to work. This is my radiusd.conf file:

    prefix = /usr/local
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = /var/run
    sbindir = ${exec_prefix}/sbin
    logdir = /var/log
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/radiusd
    log_file = ${logdir}/radius.log
    libdir = ${exec_prefix}/lib
    pidfile = ${run_dir}/radiusd.pid
    max_request_time = 30
    delete_blocked_requests = no
    cleanup_delay = 5
    max_requests = 1024
    bind_address = *
    port = 0
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log_stripped_names = no
    log_auth = no
    log_auth_badpass = no
    log_auth_goodpass = no
    usercollide = no
    lower_user = no
    lower_pass = no
    nospace_user = no
    nospace_pass = no
    checkrad = ${sbindir}/checkrad
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
    }
    $INCLUDE ${confdir}/clients.conf
    thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
    }
    modules {
        eap {
            default_eap_type = md5
            timer_expire = 60
            md5 {
            }
            tls {
                private_key_password = 
                private_key_file = /usr/local/etc/raddb/new.cert.key
                certificate_file = /usr/local/etc/raddb/new.cert.cert
                CA_file = /usr/local/etc/raddb/cacert.pem
                dh_file = /dev/urandom
                random_file = /dev/urandom
                fragment_size = 1024
                include_length = yes
            }
            peap {
                default_eap_type = mschapv2
                mschapv2 {
                    authtype = mschapv2
                    use_mppe = yes
                    require_encryption = yes
                    require_strong = yes
                }
            }
        }
        files {
            usersfile = ${confdir}/users
            compat = no
        }
        exec cerb {
            wait = yes
            program = "/usr/local/bin/cerbauth -e freeradius"
            input_pairs = request
            output_pairs = reply
        }
        preprocess {
        }
    }
    authorize {
        preprocess
        eap
        files
    }
    authenticate {
        Auth-Type eap {
            eap
        }
        Auth-Type CERB {
            cerb
        }
    }

As you can see, I'm currently working with md5 and this works perfectly well. But when I set the client and configure the server to default for peap/tls, then it fails saying:

    No such EAP type mschapv2

I believe if I can get past this, my system will authenticate with peap/mschapv2 successfully. Hope you can help.

Regards
Ian
Everything looks like it works, but PC is not authentified
Hi,

I'm running Freeradius 1.1.0 on Suse 10.1 with certificates. After a lot of help from this list and a good FAQ I'm so far that I generated the certs for server and client, and that the communication between client, server and AP (Linksys switch) works.

My problem is that, looking in the logs, the client should be authentified, but it isn't. The AP doesn't open the port. I assume the problem is Windows submitting the username as host/computername, which breaks the certs (but I have no hint in the logfile). The PC tries to authenticate 13 times (I get at least 13 requests to the radius), but I get no error...

My users file contains this:

    testuser        User-Password == "test2"
    host/vinfo-t1   Auth-Type := EAP
    vinfo-t1        Auth-Type := EAP
    # On no match, the user is denied access.
    DEFAULT         Auth-Type := Reject
                    Reply-Message = "Bye"

Please have a short look at my debug log. I don't know where to look further.

TIA
Alex

Debug log:

    radius:/etc/raddb # radiusd -A -X
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /etc/raddb/clients.conf
    Config: including file: /etc/raddb/snmp.conf
    Config: including file: /etc/raddb/eap.conf
    Config: including file: /etc/raddb/sql.conf
     main: prefix = /usr
     main: localstatedir = /var
     main: logdir = /var/log/radius
     main: libdir = /usr/lib/freeradius
     main: radacctdir = /var/log/radius/radacct
     main: hostname_lookups = no
     main: max_request_time = 30
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 0
     main: allow_core_dumps = no
     main: log_stripped_names = no
     main: log_file = /var/log/radius/radius.log
     main: log_auth = no
     main: log_auth_badpass = no
     main: log_auth_goodpass = no
     main: pidfile = /var/run/radiusd/radiusd.pid
     main: user = radiusd
     main: group = radiusd
     main: usercollide = no
     main: lower_user = no
     main: lower_pass = no
     main: nospace_user = no
     main: nospace_pass = no
     main: checkrad = /usr/sbin/checkrad
     main: proxy_requests = no
     security: max_attributes = 200
     security: reject_delay = 1
     security: status_server = yes
     main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/lib/freeradius
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded eap
     eap: default_eap_type = tls
     eap: timer_expire = 60
     eap: ignore_unknown_eap_types = no
     eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
     gtc: challenge = Password:
     gtc: auth_type = PAP
    rlm_eap: Loaded and initialized type gtc
     tls: rsa_key_exchange = no
     tls: dh_key_exchange = yes
     tls: rsa_key_length = 512
     tls: dh_key_length = 512
     tls: verify_depth = 0
     tls: CA_path = (null)
     tls: pem_file_type = yes
     tls: private_key_file = /etc/raddb/certs/ssl/radius-neuer-cert-key.pem
     tls: certificate_file = /etc/raddb/certs/ssl/radius-neuer-cert-key.pem
     tls: CA_file = /etc/raddb/certs/ssl/ServiceCenter-IT_KHB_HfM_HfS-cacert.pem
     tls: private_key_password = secret
     tls: dh_file = /etc/raddb/certs/ssl/dh
     tls: random_file = /etc/raddb/certs/ssl/random
     tls: fragment_size = 1024
     tls: include_length = yes
     tls: check_crl = no
     tls: check_cert_cn = (null)
    rlm_eap_tls: Loading the certificate file as a chain
    rlm_eap: Loaded and initialized type tls
     ttls: default_eap_type = md5
     ttls: copy_request_to_tunnel = no
     ttls: use_tunneled_reply = no
    rlm_eap: Loaded and initialized type ttls
     peap: default_eap_type = mschapv2
     peap: copy_request_to_tunnel = no
     peap: use_tunneled_reply = no
     peap: proxy_tunneled_request_as_eap = yes
    rlm_eap: Loaded and initialized type peap
     mschapv2: with_ntdomain_hack = no
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
     preprocess: huntgroups = /etc/raddb/huntgroups
     preprocess: hints = /etc/raddb/hints
     preprocess: with_ascend_hack = no
     preprocess: ascend_channels_per_line = 23
     preprocess: with_ntdomain_hack = no
     preprocess: with_specialix_jetstream_hack = no
     preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded files
     files: usersfile = /etc/raddb/users
     files: acctusersfile = /etc/raddb/acct_users
     files: preproxy_usersfile = /etc/raddb/preproxy_users
     files: compat = no
    Module: Instantiated files (files)
    Module: Loaded Acct-Unique-Session-Id
     acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
    Module: Instantiated acct_unique (acct_unique)
    Module: Loaded detail
     detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
     detail: detailperm = 384
     detail: dirperm = 493
     detail: locking = no
    Module: Instantiated detail (detail)
    Listening on authentication *:1812
    Listening on accounting *:1813
    Ready to process requests.
RE: Problems getting eap-mschapv2 working.
Did you generate the certificates that are mentioned there? The ones that ship with the server are expired; you have to generate your own certificate.

What version of FreeRADIUS? Version 1.1.1 fixed a lot of little PEAP things. Version 1.1.3 of course is what you should be running. Most versions after 1.0.0 have the eap section broken out to a separate file that has lots of comments in it about generating certs.

Also, it looks like your actual problem is that you have re-written the eap section... and missed a paren. This is mine. In yours you have included mschapv2 inside of PEAP. It is its own section, outside of the PEAP section.

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        # proxy_tunneled_request_as_eap = yes
    }
    mschapv2 {
    }
Re: Problems getting eap-mschapv2 working.
On Friday 01 September 2006 08:36, Ian Walker wrote:
> Been trying to get eap working with peap/mschapv2 but it doesn't seem to work. This is my radiusd.conf file:
>
>             }
>             peap {
>                 default_eap_type = mschapv2
>                 mschapv2 {
>                     authtype = mschapv2
>                     use_mppe = yes
>                     require_encryption = yes
>                     require_strong = yes
>                 }
>             }

You have some items misplaced. Check against the default configuration that came with the server. In particular, mschapv2 and the contents of that stanza.

Zoltan Ori
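An added check (not part of the thread or of FreeRADIUS) that walks the stanza nesting of a radiusd.conf-style file and reports the mistake both replies in this thread point at: mschapv2 sitting inside peap instead of beside it under eap. Both configuration samples are constructed to mirror the thread; the parser only understands the `name {` / `}` / `key = value` shapes seen in the posted file.

```python
"""Walk the stanza nesting of a FreeRADIUS-style configuration and report
where the mschapv2 stanza sits.  Added example, not part of the thread or
of FreeRADIUS; the configuration samples are constructed to mirror the
thread (mschapv2 nested inside peap, and the corrected layout)."""


def stanza_paths(text):
    """Return (path, key, value) triples.  path is the dotted stanza path
    ("modules.eap.peap"); stanza openers are reported with key=None.
    Handles 'name {' and 'name arg {' openers, '}' closers, '#' comments
    and 'key = value' lines; ${var} references never open a block because
    they do not end a line with '{'."""
    stack, entries = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            # "exec cerb {" / "Auth-Type eap {": the last word names the block
            name = line[:-1].split()[-1]
            stack.append(name)
            entries.append((".".join(stack), None, None))
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in line: %r" % raw)
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            entries.append((".".join(stack), key.strip(), value.strip()))
    if stack:
        raise ValueError("unclosed stanza(s): %s" % ".".join(stack))
    return entries


def check_eap_layout(text):
    """Problems with where mschapv2 lives: it must be a direct child of eap,
    as the replies describe, not nested inside peap."""
    paths = {p for p, k, v in stanza_paths(text) if k is None}
    problems = []
    if "modules.eap.peap.mschapv2" in paths:
        problems.append("mschapv2 stanza is nested inside peap")
    if "modules.eap.mschapv2" not in paths:
        problems.append("no mschapv2 stanza directly under eap")
    return problems


# Constructed: the shape of the asker's config (mschapv2 inside peap).
BROKEN = """
prefix = /usr/local
sysconfdir = ${prefix}/etc
modules {
    eap {
        default_eap_type = md5
        md5 {
        }
        peap {
            default_eap_type = mschapv2
            mschapv2 {
                authtype = mschapv2
            }
        }
    }
}
"""

# Constructed: the layout the replies ask for.
FIXED = """
modules {
    eap {
        default_eap_type = md5
        md5 {
        }
        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = no
            use_tunneled_reply = yes
            # proxy_tunneled_request_as_eap = yes
        }
        mschapv2 {
        }
    }
}
"""

if __name__ == "__main__":
    print("broken:", check_eap_layout(BROKEN))
    print("fixed:", check_eap_layout(FIXED))
```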
Re: Everything looks like it works, but PC is not authentified
Hi,

> Sending Access-Challenge of id 0 to 10.48.244.21 port 49154
>         EAP-Message = 0x0112000a0d80
>         Message-Authenticator = 0x
>         State = 0x3f9387f3adb41ddea578c30fd328358f
> Finished request 13
> Going to the next request
> Waking up in 6 seconds...

This *doesn't* look like it works. The server sends a packet to the client, and the client refuses to answer thereafter. The usual cause of this, which generates the same question and the same answers multiple times a week on this list, is that the server cert doesn't have the MS TLS Web Server Authentication OID in the cert. Please read the various documentation about this topic that exists both here in the list archives and in HOWTOs throughout the web.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: URGENT! Dialupadmin Could not connect to SQL database
Thanks, I've already managed to make it work using Oracle Instant Client and a custom tnsnames.ora. I was using the entire Oracle Enterprise install before and it didn't work! Crazy, but it's working now.

Thanks.
openssl certificate, need help
Could someone help me out please... we're trying to make our wpa-wlan work, but currently I'm stuck with the certificates part of TLS. I tried running CA.all, but the script gives me errors. (freeradius 1.1.3)

+ openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:whatever -passout pass:whatever
Error opening input file demoCA/cacert.pem
demoCA/cacert.pem: No such file or directory
+ openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever
Error opening input file root.p12
root.p12: No such file or directory
+ openssl x509 -inform PEM -outform DER -in root.pem -out root.der
Error opening Certificate root.pem
20898:error:02001002:system library:fopen:No such file or directory:bss_file.c:278:fopen('root.pem','r')
20898:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280:
unable to load certificate

In the script dir there is no demoCA and no cacert.pem?! Also, the CA.all script has a rm -rf demoCA. So if I comment the 'rm' out, copy the default demoCA and cacert.pem from my working installation (version 1.0.2 that was shipped with Fedora, and has certificates for localhost) and guess what, another error:

+ openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:whatever -passout pass:whatever
No certificate matches private key
+ openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever
21004:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in root.pem -out root.der
unable to load certificate
21005:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: TRUSTED CERTIFICATE
+ echo -e ''

Dunno where to go now!? Is there some help on how to make the certificate thing work for TLS and Windows XP SP2 clients??

Thx
Collen
Re: Everything lookslike it works, but PC is not authentified
Hi,

On 9/1/06, Alexandros Gougousoudis [EMAIL PROTECTED] wrote:

My users file contains this:

testuser        User-Password == test2
host/vinfo-t1   Auth-Type := EAP
vinfo-t1        Auth-Type := EAP
# On no match, the user is denied access.
DEFAULT         Auth-Type := Reject
                Reply-Message = Bye

1. Don't set Auth-Type. See http://deployingradius.com/documents/configuration/auth_type.html

2. Further action depends on what you want (eap-tls or eap-peap/mschapv2), eventually the CN in your client's certificates and finally what the supplicant sends. What is host/vinfo-t1 supposed to be?

regards
K. Hoercher
Is it possible to log connection details in MySQL?
Hello: I'd like to know if it is possible to save all the info under the log directory radacct (connections' details by client's IP) in MySQL instead of files on hard disk. Are all the variables accessible? I mean, are they valid for an SQL sentence in 'postauth_query' variables %{Packet-Type}, %{User-Name}, %{User-Password}, %{NAS-IP-Address}, %{NAS-Port} and %{Client-IP-Address}? Am I missing any other info?

After reading the answer (http://wiki.freeradius.org/index.php/FAQ#How_do_I_log_failed_login_attempts_in_a_SQL_database.3F) to the question "How do I log failed login attempts in a SQL database?" in the FreeRadius wiki it seems it is possible with adequate SQL sentences. I see three problems:

- I don't see clearly how to separate successful authentication from unsuccessful. Maybe like this? How could I tell FreeRadius different queries depending on the type of request?

post-auth {
        # Login successful: get an address from the IP pool.
        ippool
        Post-Auth-Type ACCEPT {
                sql
        }
        Post-Auth-Type REJECT {
                # Login failed: log to SQL database.
                sql
        }
}

- Where can I find documentation about the different packet types and their data?

- Is it possible to tell FreeRadius that I want to send more than one query to MySQL?

I really want this functionality (keep the connection logs in MySQL, not in the filesystem). I ask this question to know if I am on the right path or ideally if anybody has already made something like this.
Re: Everything lookslike it works, but PC is not authentified
Stefan Winter wrote:

This *doesn't* look like it works. The server sends a packet to the client, and the client refuses to answer thereafter. The usual cause of this, which generates the same question and the same answers multiple times a week on this list, is that the server cert doesn't have the MS TLS Web Server Authentication OID in the cert. Please read the various documentation about

I wonder if it would be possible to have the PEAP, TLS and TTLS EAP sub-modules print a VERY LOUD WARNING if that OID is missing from the certificate on startup? A quick 60 second scan of the OpenSSL API doesn't show the obvious call, but given how incomprehensible the OpenSSL API is in general, that's not surprising...
Re: Is it possible to log connection details in MySQL?
On Fri 01 Sep 2006 17:42, ZaiPower wrote:

Hello: I'd like to know if it is possible to save all the info under the log directory radacct (connections' details by client's IP) in MySQL instead of files on hard disk.

Yes. This is certainly possible.

Are all the variables accessible? I mean, are they valid for an SQL sentence in 'postauth_query' variables %{Packet-Type}, %{User-Name}, %{User-Password}, %{NAS-IP-Address}, %{NAS-Port} and %{Client-IP-Address}? Am I missing any other info?

'postauth_query' is, funnily enough, related to postauth, NOT Accounting. Please read http://wiki.freeradius.org/index.php/Rlm_sql

After reading the answer (http://wiki.freeradius.org/index.php/FAQ#How_do_I_log_failed_login_attempts_in_a_SQL_database.3F) to the question "How do I log failed login attempts in a SQL database?" in the FreeRadius wiki it seems it is possible with adequate SQL sentences.

Yes. Do you want to log unsuccessful logins or (successful) accounting info to SQL?

I see three problems:

- I don't see clearly how to separate successful authentication from unsuccessful. Maybe like this? How could I tell FreeRadius different queries depending on the type of request?

post-auth {
        # Login successful: get an address from the IP pool.
        ippool
        Post-Auth-Type ACCEPT {
                sql
        }
        Post-Auth-Type REJECT {
                # Login failed: log to SQL database.
                sql
        }
}

Please reread this. It is very clear.

- Where can I find documentation about the different packet types and their data?

Your NAS documentation may contain this info. You can also read http://www.ietf.org/rfc/rfc2865.txt and http://www.ietf.org/rfc/rfc2866.txt

- Is it possible to tell FreeRadius that I want to send more than one query to MySQL?

More than one query for what?

I really want this functionality (keep the connection logs in MySQL, not in the filesystem). I ask this question to know if I am on the right path or ideally if anybody has already made something like this.

Excellent. This functionality exists.

Enjoy :-)
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Everything lookslike it works, but PC is not authentified
Phil Mayers [EMAIL PROTECTED] wrote:

I wonder if it would be possible to have the PEAP, TLS and TTLS EAP sub-modules print a VERY LOUD WARNING if that OID is missing from the certificate on startup?

I think so. X509_print_ex, I believe. Dump the certificate to a string buffer, and do strstr for the OID. Yucky, but it will work.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
certificate issue
When I run the CA.all script to generate the certificates, all the certificates get generated except root.cer, and I get the error message below:

+ openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin 'pass:whatever' -passout 'pass:whatever'
No certificate matches private key
+ openssl pkcs12 -in root.p12 -out root.pem -passin 'pass:whatever' -passout 'pass:whatever'
17703:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
+ openssl x509 -inform PEM -outform DER -in root.pem -out root.der
unable to load certificate
17704:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE
+ echo -e ''

I deleted newcert.pem and newreq.pem but it still didn't work. Did a fresh installation of openssl 0.9.8 but still get this error message, and tried with a different passin key and DN. Can someone help me to resolve this issue?

Thanks,
Kartthik
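Two of the threads above come down to questions that openssl(1) can answer directly, before anyone touches FreeRADIUS. The CA.all failures posted by Collen and Kartthik start with "No certificate matches private key": openssl pkcs12 -export was handed a certificate (-in) and a private key (-inkey) that do not belong together, and every later step then fails because root.p12 was never written. The "looks like it works but the client never answers" symptom Stefan Winter describes comes from a server certificate without the TLS Web Server Authentication extended key usage (OID 1.3.6.1.5.5.7.3.1), which the Windows supplicant requires and which Phil and Alan would like the EAP modules to warn about. The script below is an added example, not from the list thread or from the FreeRADIUS project. It assumes openssl(1) 1.1.1 or later on PATH (for -addext), builds its own throwaway self-signed certificates in a temporary directory, and the CN radius.example.org and the file names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the list thread or FreeRADIUS): two checks for
# the certificate problems discussed above.
#   key_matches_cert    - would "openssl pkcs12 -export -in CERT -inkey KEY"
#                         complain "No certificate matches private key"?
#   has_server_auth_eku - does the cert carry the serverAuth EKU
#                         (OID 1.3.6.1.5.5.7.3.1, printed by openssl as
#                         "TLS Web Server Authentication") that the Windows
#                         supplicant insists on?
# Assumes openssl(1) >= 1.1.1 on PATH (for -addext). All file names and the
# CN radius.example.org are made up for the demo.

WORK="${TMPDIR:-/tmp}/radius-cert-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# new_cert NAME [EXTENSION]: throwaway self-signed cert + key written to
# $WORK/NAME.pem and $WORK/NAME.key, optionally with one extra X509v3 extension.
new_cert() {
    _name="$1"
    _ext="$2"
    if [ -n "$_ext" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=radius.example.org" -addext "$_ext" \
            -keyout "$WORK/$_name.key" -out "$WORK/$_name.pem" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=radius.example.org" \
            -keyout "$WORK/$_name.key" -out "$WORK/$_name.pem" 2>/dev/null
    fi
}

# key_matches_cert CERT KEY: succeed only if the public key inside CERT is the
# public half of KEY. Comparing the PEM-encoded public keys works for RSA and
# EC alike, unlike the old "-modulus | md5sum" trick, which is RSA-only.
key_matches_cert() {
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    _key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$_cert_pub" ] && [ "$_cert_pub" = "$_key_pub" ]
}

# has_server_auth_eku CERT: succeed only if the Extended Key Usage extension
# lists TLS Web Server Authentication. A cert with no EKU extension at all
# fails as well, which is exactly the case the XP supplicant rejects.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Extended Key Usage/ { f = 1; next } f { print; exit }' \
        | grep -q 'TLS Web Server Authentication'
}

# Demo: one cert with the EKU, one without, then run both checks on each.
new_cert good "extendedKeyUsage=serverAuth"
new_cert plain
for c in good plain; do
    if key_matches_cert "$WORK/$c.pem" "$WORK/$c.key"; then
        echo "$c: key matches cert"
    else
        echo "$c: No certificate matches private key"
    fi
    if has_server_auth_eku "$WORK/$c.pem"; then
        echo "$c: serverAuth EKU present"
    else
        echo "$c: serverAuth EKU MISSING - Windows supplicants will not accept it"
    fi
done
# Pairing good's cert with plain's key reproduces the CA.all error condition:
key_matches_cert "$WORK/good.pem" "$WORK/plain.key" \
    || echo "good.pem + plain.key: No certificate matches private key"
```

Run the two functions against the real files before re-running CA.all: key_matches_cert demoCA/cacert.pem newreq.pem tells you whether the pkcs12 step can ever succeed with those inputs, and has_server_auth_eku on the server certificate you hand to rlm_eap_tls tells you whether a Windows client will get past the Access-Challenge in Stefan's debug output. Both checks are exit-status only, so they drop straight into a deployment script.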
HOW-TO for Linux radius client
Hi,

I am looking for a Linux client side HOW-TO for radius authentication without requiring presence of the login id on the client side locally. The following is the authentication scenario I am trying:

1) I have the freeRadius server installed on a RedHat Linux machine
2) I would like users logging into other RedHat Linux machines in our network to have their login/passwd authenticated using the freeRadius server (for login, su, ssh, telnet, ftp etc. ways of accessing local client machines in the network)
3) I do not want to use LDAP on server or client side
4) I am using PAM and have experimented with the pam_radius_auth module without success
5) The problem I am facing is that the login id has also to be defined locally on client Linux machines --- otherwise, for example, the su command fails indicating that the id does not exist (if I create the login id on the client locally, then it queries the freeRadius server)
6) I do not want to add "ldap" to the nsswitch.conf file of the client --- just want to stick to radius for now

In summary, is there a Linux client side HOW-TO for radius authentication without requiring presence of the login id on the client side locally?

Regards ... J. C. Desai
RE: HOW-TO for Linux radius client
Hello,

What are you using as backend for the freeradius server? If you use LDAP as backend for freeradius, I really do NOT see the need for the use of the RADIUS protocol to do authentication for such services (login, ssh etc). It would be easier if you implement auth against the LDAP directory for such services, and use RADIUS where it can serve the purpose (full AAA)!

Regards,
Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J. C. Desai
Sent: Friday, 01 September 2006 21:34
To: freeradius-users@lists.freeradius.org
Subject: HOW-TO for Linux radius client
Re: HOW-TO for Linux radius client
J. C. Desai wrote:

I am looking for a Linux client side HOW-TO for radius authentication without requiring presence of the login id on client side locally.

Please no HTML to the list.

I already tried to implement a similar setup but never found all the pieces of the puzzle.

5) The problem I am facing is that the login id has also to be defined locally on client Linux machines --- otherwise, for example, the su command fails indicating that the id does not exist (if I create the login id on client locally, then it queries freeRadius server)

Indeed, the missing piece is the libnss-radius. I think you'll have to write your own. I've already looked at it and it's not very hard to do. My tests indicate that you need to implement only 2 functions to get login, xdm, ssh, etc. working on the client machines.

/* glibc passes an errno slot as the final argument of every NSS lookup function */
enum nss_status _nss_radius_getpwnam_r(const char *name, struct passwd *result,
                                       char *buffer, size_t buflen, int *errnop);
enum nss_status _nss_radius_getpwuid_r(uid_t uid, struct passwd *result,
                                       char *buffer, size_t buflen, int *errnop);

More info in the glibc manual: http://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html

--
Nicolas Baradakis