Re: Freeradius-Users Digest, Vol 17, Issue 47
thank you for your reply.

do you know if i can use NT-PASSWORD using windowsXP client?
do I have only modify the table insert "NT-PASSWORD" instead "PASSWORD"?
how then I can make the system work? what I have to put in the radiusd.conf?

thank you.
Best regards

2006/9/12, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:

Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
[EMAIL PROTECTED]

You can reach the person managing the list at
[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."

Today's Topics:

1. Re: STORE PWD using MD5 and EAP-PEAP-MSCHAPv2 for the comunication--- (Rob Shepherd)
2. Re: FreeRadius suport IPv6 ??/ (Alan DeKok)
3. Re: Probs with pppoe-server + radius (Alan DeKok)
4. Re: rautmp not working.. (Alan DeKok)
5. Re: Question about rlm modules (Alan DeKok)
6. Re: STORE PWD using MD5 and EAP-PEAP-MSCHAPv2 for the comunication--- (Alan DeKok)
7. Re: Question about rlm modules (Alan DeKok)
8. Re: Re: Re: IAS e Openser (Artur Hayne)

--
Message: 1
Date: Tue, 12 Sep 2006 15:09:46 +0100
From: Rob Shepherd <[EMAIL PROTECTED]>
Subject: Re: STORE PWD using MD5 and EAP-PEAP-MSCHAPv2 for the comunication---
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

ego seek wrote:
> Does Anybody know HOW I can make radius WORK with md5-stored password in
> the db?
>
> I use EAP-PEAP-MSCHAPv2, and if the system works great if the pwds are
> in clear in the mysqlDB

You can't. See
http://deployingradius.com/documents/protocols/compatibility.html

Store an 'NT-Password' value as a config ':=' attribute in the radcheck table.

NT password hashes can be generated in most programming languages.

Rob

--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 077988 72480

--
Message: 2
Date: Tue, 12 Sep 2006 10:21:38 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: FreeRadius suport IPv6 ??/
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>

Christian Hahn <[EMAIL PROTECTED]> wrote:
> Do you mean IPv6 transport or support for IPv6 attributes (RFC3162)?
> RFC3162 is supported by freeradius 2.0.0-pre0 (CVS), IPv6 transport as
> far as I know is not supported.

The CVS version also supports IPv6 transport.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

--
Message: 3
Date: Tue, 12 Sep 2006 10:23:15 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: Probs with pppoe-server + radius
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>

Ali Jawad <[EMAIL PROTECTED]> wrote:
> The info above is to help you guys in helping me pinpoint my problem, my
> real problem is that I can dial into my server using pppoe and simple
> chap and/or pap authentication. However once I use radius to authenticate
> the pppoe-dialup requests into the server. I get the following output in
> pppd.log

And in all of this you are carefully avoiding the one tool that
will help you solve the problem: running the server in debugging mode.

See the README, FAQ, INSTALL.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

--
Message: 4
Date: Tue, 12 Sep 2006 10:25:37 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: rautmp not working..
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>

Collen Blijenberg <[EMAIL PROTECTED]> wrote:
> but no radutmp file is created, and if created by hand it stay's 0 bytes...
>
> dunno my guesses tells me i forgot something... ???

Send the server accounting packets. radutmp is created when the NAS
agrees that the user has logged in, not when the server tells the NAS
to let the user in.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

--
Message: 5
Date: Tue, 12 Sep 2006 10:26:24 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: Question about rlm modules
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>

Shankar Ganesh C <[EMAIL PROTECTED]> wrote:
> Could you let me know how d
Re: Freeradius-Users Digest, Vol 17, Issue 47
ego seek wrote:
> thank you for your reply.

Which one?

Don't top-post above an entire digest message!!

> do you know if i can use NT-PASSWORD using windowsXP client?

The windowsXP client, if configured appropriately, will use mschapv2 inside PEAP. It will be supplying an NT password hash as part of this.

> do I have only modify the table insert "NT-PASSWORD" instead "PASSWORD"?

Yes. However `Password` is usually a check item, for comparing clear text passwords. The `NT-Password` needs to be a config item. radiusd will figure out what to do with it.

Rob

--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 077988 72480

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rautmp not working..
Thx,

ehh, and how do i do that ??? (sorry newbie)

somehow there isn't any accounting done ?!
i do have a auth_log and reply_log. but no detail log (and no radutmp either)
getting stranger by the minute...

but i also have no idea how to make the nas (linksys wap54g v3 eu) or the freeradius (1.1.3) do accounting.
i use the wpa-enterprise option.

any hints on howto make accounting work ??

Cheers..
Collen

Alan DeKok wrote:

Collen Blijenberg <[EMAIL PROTECTED]> wrote:
> but no radutmp file is created, and if created by hand it stay's 0 bytes...
>
> dunno my guesses tells me i forgot something... ???

Send the server accounting packets. radutmp is created when the NAS agrees that the user has logged in, not when the server tells the NAS to let the user in.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: opinion?? anyone??
Hi Peter, I have used the iptables, and I was able to redirect the Real pool of IPs to a certain destination. But after connecting and authenticated with a fake IP, I was able to trace only to the RAS server. Any idea? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Nixon Sent: Tuesday, September 12, 2006 11:55 PM To: FreeRadius users mailing list Subject: Re: opinion?? anyone?? On Tue 12 Sep 2006 18:43, Elie Hani wrote: > Hi; > > > > I need to know what is the best to work with, if I want to redirect a > subnet of IPs to a single one (which is a single page), for the dial up > users. > > I will be testing the chillispot, if there's another tested software to be > used on linux, please advice. iptables? -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mysql failover issue
Hi,

I have seen these errors when primary radius server goes offline and the secondary takes over:

All requests are coming via Redback SE400:

    Wed Sep 13 07:51:34 2006 : Error: Dropping conflicting packet from client redback:1812 - ID: 1 due to unfinished request 1051 285
    Wed Sep 13 07:51:35 2006 : Error: Dropping conflicting packet from client redback:1812 - ID: 2 due to unfinished request 1051 286

This happens on both servers and after an hour it seemed to sort itself out.

Setup is as follows:

    2xfreeradius server
    2xmysql cluster API nodes

each FR server is pointed to a different node, so when we take one node offline, the secondary defined freeradius server should kick in and talk to its API.

When the primary radius server came back after its mysql API was brought back after a planned outage, the primary and secondary radius servers got confused. They both started to drop connections with the above errors and no users could authenticate.

Is this issue a known issue, is there a fix, has anyone got any further info on when this would happen.

Restarting the primary radius server fixed the issue however this solution is meant to be a resilient and redundant solution capable of working through either radius or mysql node failures.

any info or assistance would be helpful for my RFO here.

cheers

--
andy [EMAIL PROTECTED]
---
Never argue with an idiot. They drag you down to their level, then beat you with experience.
---
Re: radippool table for Oracle
Hi

Please update to the latest sqlippool.conf in cvs as I have just committed a lot of cleanups to it.

Cheers

Peter

On Tue 12 Sep 2006 23:56, Guilherme Franco wrote:
> Mr. Peter,
>
> Thanks, yes, that's correct.
>
> But what I need is this behaviour even if the user disconnects and
> even if I run out of IPs in the pool. Basically, John logs in for the
> first time and randomly catches ip 1.1.1.130. When John logs out and
> comes back next week, he should be able to get 1.1.1.130 again, so
> that IP can't be reused.
>
> Is there any form to do that?
>
> Sorry, maybe I've described the problem in a wrong way earlier.
>
> Thank you very much for the answers, I hope to contribute later to
> freeradius posting my oracle schema.
>
> On 9/12/06, Peter Nixon <[EMAIL PROTECTED]> wrote:
> > On Tue 12 Sep 2006 22:44, Guilherme Franco wrote:
> > > Thanks Mr. Nixon,
> > >
> > > I thought that someone might have already created such a schema.
> > >
> > > But that's not a problem.
> > >
> > > I'll be playing with the errors and as I get a working schema I'll post
> > > back.
> > >
> > > Just another doubt: Is there any way to create a pool of addresses and
> > > when someone receives one ip from this pool, this ip stays assigned
> > > to that user forever (lease forever, just like a static IP)? I need
> > > this so that I assign an IP only based in the group (which has some
> > > pools assigned to it), no need to manually create Frammed-Ip-Address =
> > > x.x.x.x for that user.
> >
> > That is basically what the default sqlippool config does unless you run
> > out of IPs in the pool, in which case it will start to hand reusing IPs
> > that are currently not connected.
> >
> > --
> >
> > Peter Nixon
> > http://www.peternixon.net/
> > PGP Key: http://www.peternixon.net/public.asc

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: radippool table for Oracle
Thank you!

I'm downloading it right now.

Thanks again!

On 9/13/06, Peter Nixon <[EMAIL PROTECTED]> wrote:

Hi

Please update to the latest sqlippool.conf in cvs as I have just committed a lot of cleanups to it.

Cheers

Peter

On Tue 12 Sep 2006 23:56, Guilherme Franco wrote:
> Mr. Peter,
>
> Thanks, yes, that's correct.
>
> But what I need is this behaviour even if the user disconnects and
> even if I run out of IPs in the pool. Basically, John logs in for the
> first time and randomly catches ip 1.1.1.130. When John logs out and
> comes back next week, he should be able to get 1.1.1.130 again, so
> that IP can't be reused.
>
> Is there any form to do that?
>
> Sorry, maybe I've described the problem in a wrong way earlier.
>
> Thank you very much for the answers, I hope to contribute later to
> freeradius posting my oracle schema.
>
> On 9/12/06, Peter Nixon <[EMAIL PROTECTED]> wrote:
> > On Tue 12 Sep 2006 22:44, Guilherme Franco wrote:
> > > Thanks Mr. Nixon,
> > >
> > > I thought that someone might have already created such a schema.
> > >
> > > But that's not a problem.
> > >
> > > I'll be playing with the errors and as I get a working schema I'll post
> > > back.
> > >
> > > Just another doubt: Is there any way to create a pool of addresses and
> > > when someone receives one ip from this pool, this ip stays assigned
> > > to that user forever (lease forever, just like a static IP)? I need
> > > this so that I assign an IP only based in the group (which has some
> > > pools assigned to it), no need to manually create Frammed-Ip-Address =
> > > x.x.x.x for that user.
> >
> > That is basically what the default sqlippool config does unless you run
> > out of IPs in the pool, in which case it will start to hand reusing IPs
> > that are currently not connected.
> >
> > --
> >
> > Peter Nixon
> > http://www.peternixon.net/
> > PGP Key: http://www.peternixon.net/public.asc

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
NT-PASSWORD--Re: Freeradius-Users Digest, Vol 17, Issue 47
I'm working with mschapv2, I use a PHP web site to register a user, can i insert into the db a NT-hashed password?
Have I to configure the radius to accept the NT-PASSWORD value or it does by itself?

thank you so much.
you're so helpful.

egoseek

Message: 1
Date: Wed, 13 Sep 2006 10:26:52 +0100
From: Rob Shepherd <[EMAIL PROTECTED]>
Subject: Re: Freeradius-Users Digest, Vol 17, Issue 47
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

ego seek wrote:
> thank you for your reply.

Which one?

Don't top-post above an entire digest message!!

> do you know if i can use NT-PASSWORD using windowsXP client?

The windowsXP client, if configured appropriately, will use mschapv2 inside PEAP. It will be supplying an NT password hash as part of this.

> do I have only modify the table insert "NT-PASSWORD" instead "PASSWORD"?

Yes. However `Password` is usually a check item, for comparing clear text passwords. The `NT-Password` needs to be a config item. radiusd will figure out what to do with it.

Rob
Re: rautmp not working..
Collen Blijenberg <[EMAIL PROTECTED]> wrote: > but i also have no idea how to make the nas (linksys wap54g v3 eu) or > the freeradius (1.1.3) do accounting. The linksys simply might not do accounting. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: opinion?? anyone??
I found out the solution, I used policy based routing.

Thanks anyway

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Elie Hani
Sent: Wednesday, September 13, 2006 12:34 PM
To: 'FreeRadius users mailing list'
Subject: RE: opinion?? anyone??

Hi Peter,

I have used the iptables, and I was able to redirect the Real pool of IPs to a certain destination. But after connecting and authenticated with a fake IP, I was able to trace only to the RAS server.

Any idea?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Nixon
Sent: Tuesday, September 12, 2006 11:55 PM
To: FreeRadius users mailing list
Subject: Re: opinion?? anyone??

On Tue 12 Sep 2006 18:43, Elie Hani wrote:
> Hi;
>
> I need to know what is the best to work with, if I want to redirect a
> subnet of IPs to a single one (which is a single page), for the dial up
> users.
>
> I will be testing the chillispot, if there's another tested software to be
> used on linux, please advice.

iptables?

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
RADIUS proxy-----trace user site surfed------
Does anybody know how can I setup RADIUS and a proxy server to generate a log for the users?

I need to trace where in the Internet the user went.

Do you have any other suggestion for this purpose?

thank you.
Best regards

egoseek
Re: IAS and Openser
Hello,

How can I transform freeradius server in a proxy?

I configured the proxy.conf, but it doesn't seem to work.

proxy.conf:

    proxy server {
        synchronous = no
        retry_delay = 5
        retry_count = 3
        dead_time = 120
        default_fallback = yes
        post_proxy_authorize = no
    }

    realm DEFAULT {
        type = radius
        authhost = mydomain.br
        accthost = mydomain.br
        secret = mysecret
        nostrip
    }

And I uncommented the lines in radiusd.conf:

    proxy_requests = yes
    $INCLUDE ${confdir}/proxy.conf

I wanna do this:

    |Openser| -> |Radiusclient| -> |Freeradius| -> |IAS| -> |AD|

Does it work? And in IAS should I configure anything?

Sorry for the portuguese e-mail.

[EMAIL PROTECTED] wrote:

Hello!

This list is in English.

> How do I turn Freeradius into a client of the IAS? Is there a
> tutorial, or an article? Without going through the freeradius server, I have already
> configured radiusclient to go straight to the IAS, but it did not work, nothing
> happens, and worst of all I have no way to debug the problem and the
> IAS log file is very poor.
>
> |Openser| -> |Radiusclient| -> |Freeradius| -> |IAS| -> |AD|
>
> Can this be done? How do I do it?
>
> Any ideas?

If I got you right, all you want to do is use FreeRADIUS as a proxy to communicate to an IAS which does the authentication. This is easy, all you need to do is proxy all incoming requests to the IAS. See proxy.conf, read it, try it, and if doesn't work for you ask here again. But in English please, it's been quite a time since I had Spanish in school.

Greetings,

Stefan Winter

--
Stefan WINTER
RESTENA Foundation - Réseau Téléinformatique de l'Education Nationale et de la Recherche
R&D Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED] Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
Re: NT-PASSWORD--Re: Freeradius-Users Digest, Vol 17, Issue 47
ego seek wrote:
> I'm working with mschapv2, I use a PHP web site to register a user, can
> i insert into the db a NT-hashed password?

Yes, radcheck should contain

    UserName | Attribute   | op | Value                            |
    ---------|-------------|----|----------------------------------|
    colin    | NT_Password | := | abcdef1234567890abcdef1234567890 |

I use Pear Crypt...

    <?php
    // Crypt_CHAP_MSv2 comes from the PEAR Crypt_CHAP package
    require_once 'Crypt/CHAP.php';

    $cr = new Crypt_CHAP_MSv2();
    $cr->password = $password;
    // ntPasswordHash() returns raw bytes; radcheck stores them as hex
    $NThash = bin2hex($cr->ntPasswordHash());
    ?>

Rob

--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 077988 72480
Re: RADIUS proxy-----trace user site surfed------
"ego seek" <[EMAIL PROTECTED]> wrote: > Does anybody know how can I setup RADIUS and a proxy server to generate a > log for the users? > > I need to trace where in the Internet the user went. RADIUS doesn't do that. You need a transparent web proxy. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius Dialupadmin page not loading
I've got php4 installed and for some reason when I try to load the admin page it asks if I want to open or save the buttons.html.php3 file, I wasn't thinking and clicked save and now it saves the file instead of opening the admin page. Can someone help? I'm doing this locally on the server.

Nico Gazzano
Network & Systems Admin
MIS Choice Inc.
1699 Wall ST Suite 602
Mount Prospect, IL 60056
Phone 847-690-1900 ext206
Fax 847-690-1350
[EMAIL PROTECTED]
RE: EAP-MSChapv2 authentication
Hi Alan,

Thanks for the response. I remove the Auth-Type, but it is still not working. Now I get a new set of errors. I did a radtest bob hello localhost 0 testing123 and the user was able to authenticate. I don't know why it doesn't work for EAP-MSchapv2. Thanks for your help! Below is the debug log:

    rad_recv: Access-Request packet from host 13.138.136.68:1645, id=155, length=140
        NAS-IP-Address = 13.138.136.68
        NAS-Port = 50003
        NAS-Port-Type = Ethernet
        User-Name = "tester"
        Called-Station-Id = "00-0A-B8-39-79-85"
        Calling-Station-Id = "00-0B-DB-64-9B-A7"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x9b24bde92b2edf137fd180df54de624a
        EAP-Message = 0x021300060315
        Message-Authenticator = 0x59b57149b1821c1ec87342e2e04cdbc8
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 19
    modcall[authorize]: module "preprocess" returns ok for request 19
    modcall[authorize]: module "chap" returns noop for request 19
    modcall[authorize]: module "mschap" returns noop for request 19
    rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
    rlm_realm: No such realm "NULL"
    modcall[authorize]: module "suffix" returns noop for request 19
    rlm_eap: EAP packet type response id 19 length 6
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module "eap" returns updated for request 19
    users: Matched entry tester at line 83
    modcall[authorize]: module "files" returns ok for request 19
    modcall: leaving group authorize (returns updated) for request 19
    rad_check_password: Found Auth-Type EAP
    auth: type "EAP"
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 19
    rlm_eap: Request found, released from the list
    rlm_eap: EAP NAK
    rlm_eap: EAP-NAK asked for EAP-Type/ttls
    rlm_eap: No such EAP type ttls
    rlm_eap: Failed in EAP select
    modcall[authenticate]: module "eap" returns invalid for request 19
    modcall: leaving group authenticate (returns invalid) for request 19
    auth: Failed to validate the user.
    Delaying request 19 for 1 seconds
    Finished request 19
    Going to the next request
    Waking up in 6 seconds...
    rad_recv: Access-Request packet from host 13.138.136.68:1645, id=155, length=140
    Sending Access-Reject of id 155 to 13.138.136.68 port 1645
        EAP-Message = 0x04130004
        Message-Authenticator = 0x
    --- Walking the entire request list ---
    Waking up in 1 seconds...

This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s) please contact the sender by reply e-mail and destroy all copies of the original message. Thank you

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, September 12, 2006 4:12 PM
To: FreeRadius users mailing list
Subject: Re: EAP-MSChapv2 authentication

"Christopher, Paul" <[EMAIL PROTECTED]> wrote:
> I have a device that uses EAP-MSCHAPv2 (without PEAP) for
> authentication. I am running freeRadius on Redhat. The device is
> plugged into a switch which sends the EAP request to the server. I am
> unable to get the device authenticated with the Radius server. In the
> users file should the Auth-type be local or MS-Chap?

Neither. Don't set Auth-Type at all. The server WILL figure it out.

> Should I be sending the authentication request to an NT domain or
> will the username and password in the user file be sufficient?

Putting a username and password into the "users" file will be sufficient.

    #
    bob    User-Password := "hello"
    #

EAP-MSCHAPv2 *will* work. See: http://deployingradius.com/documents/configuration/pap.html

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: EAP-MSChapv2 authentication
"Christopher, Paul" <[EMAIL PROTECTED]> wrote:
> Thanks for the response. I remove the Auth-Type, but it is still not
> working. Now I get a new set of errors. I did a radtest bob hello
> localhost 0 testing123 and the user was able to authenticate.

Because PAP authentication is simple, and doesn't involve EAP.

> I don't know why it doesn't work for EAP-MSchapv2. Thanks for your
> help! Below is the debug log:
...
> rlm_eap: EAP-NAK asked for EAP-Type/ttls
> rlm_eap: No such EAP type ttls

Uh... what part of that message is unclear?

The client isn't doing EAP-MSCHAPv2.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Mac authenication
Hi Guys

I've got my pppoe server up and running and the authentication process is just fine. What I want to do now is to bind the username and password combination to a mac, so that the mentioned user/password combination can only be used on a per pc "i.e. per mac" basis. Can anyone help me on how to do this, please.

--
With Regards
Ali Jawad
Re: FreeRadius Dialupadmin page not loading
You clearly have not configured apache to work with php4, even if you click open instead of save it will open the file in an editor. You have to do that first before you can use php on apache. search for something like php3 or php4 in the config file of apache and uncomment it. You also have to install the php4 module for apache. Apart from having mysql installed to make dialupadmin work. There are many howtos online which explain how to do that. If you are using debian I am willing to help you on that issue too.

On 9/13/06, Nico Gazzano <[EMAIL PROTECTED]> wrote:
> I've got php4 installed and for some reason when I try to load the admin
> page it asks if I want to open or save the buttons.html.php3 file, I wasn't
> thinking and clicked save and now it saves the file instead of opening the
> admin page. Can someone help? I'm doing this locally on the server.
>
> Nico Gazzano
> Network & Systems Admin
> MIS Choice Inc.
> 1699 Wall ST Suite 602
> Mount Prospect, IL 60056
> Phone 847-690-1900 ext206
> Fax 847-690-1350
> [EMAIL PROTECTED]

--
With Regards
Ali Jawad
RE: FreeRadius Dialupadmin page not loading
I'm using Ubuntu with apache2.

Nico Gazzano
Network & Systems Admin
MIS Choice Inc.
1699 Wall ST Suite 602
Mount Prospect, IL 60056
Phone 847-690-1900 ext206
Fax 847-690-1350
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ali Jawad
Sent: Wednesday, September 13, 2006 1:30 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius Dialupadmin page not loading

You clearly have not configured apache to work with php4, even if you click open instead of save it will open the file in an editor. You have to do that first before you can use php on apache. search for something like php3 or php4 in the config file of apache and uncomment it. You also have to install the php4 module for apache. Apart from having mysql installed to make dialupadmin work. There are many howtos online which explain how to do that. If you are using debian I am willing to help you on that issue too.

On 9/13/06, Nico Gazzano <[EMAIL PROTECTED]> wrote:
> I've got php4 installed and for some reason when I try to load the admin
> page it asks if I want to open or save the buttons.html.php3 file, I wasn't
> thinking and clicked save and now it saves the file instead of opening the
> admin page. Can someone help? I'm doing this locally on the server.
>
> Nico Gazzano
> Network & Systems Admin
> MIS Choice Inc.
> 1699 Wall ST Suite 602
> Mount Prospect, IL 60056
> Phone 847-690-1900 ext206
> Fax 847-690-1350
> [EMAIL PROTECTED]

--
With Regards
Ali Jawad
Re: EAP-MSChapv2 authentication
Hi, > rlm_eap: EAP-NAK asked for EAP-Type/ttls > rlm_eap: No such EAP type ttls only a guess - but the above line seems to be the big clue here. have you configured your eap.conf correctly...and did you build from source? if from source, did you check that configure passed by without failing on anything...eg no OpenSSL dev headers etc? you have to have the certificates part in eap.conf sorted, or ttls wont work. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-MSChapv2 authentication
Hi, > > rlm_eap: EAP-NAK asked for EAP-Type/ttls > > rlm_eap: No such EAP type ttls > > Uh... what part of that message is unclear? > > The client isn't doing EAP-MSCHAPv2. indeed, looks like EAP-TTLS with MSCHAPv2 inside the tunnel. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius Dialupadmin page not loading
Hi, > I'm using Ubuntu with apache2. apt-get install libapache2-mod-php4 should do most of the leg work for you. you may need to edit the apache2 files (/etc/apache2/* to make sure that .php3 has a handler set. by default it'll be happy with .php4 alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: EAP-MSChapv2 authentication
Hi Alan,

Thanks for your response. I don't understand what you mean by 'did you build from source?' Please explain. I did not generate any certs. I didn't think EAP-MSChapv2 needed certificates.

Paul.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] dius.org] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 13, 2006 3:22 PM
To: FreeRadius users mailing list
Subject: Re: EAP-MSChapv2 authentication

Hi,

> rlm_eap: EAP-NAK asked for EAP-Type/ttls
> rlm_eap: No such EAP type ttls

only a guess - but the above line seems to be the big clue here. have you configured your eap.conf correctly...and did you build from source? if from source, did you check that configure passed by without failing on anything...eg no OpenSSL dev headers etc?

you have to have the certificates part in eap.conf sorted, or ttls wont work.

alan
RE: EAP-MSChapv2 authentication
Paul,

I think what Alan was getting at is that your client asked for EAP-TTLS, not EAP-MSChapV2. This might be the root of your problem.

If you intend to do MSChapV2 inside of TTLS tunnels, you MUST setup a certificate. This is made quite clear in the eap.conf file, that TTLS is dependent on TLS being setup.

What is your user source? (users file, passwd file, LDAP, Active Directory) I ask because MSChapV2 is incompatible with a few of these sources.

> -Original Message-
> > rlm_eap: EAP-NAK asked for EAP-Type/ttls
> > rlm_eap: No such EAP type ttls
RE: FreeRadius Dialupadmin page not loading
>apt-get install libapache2-mod-php4 should do most of the leg work for
>you.

I tried this

>you may need to edit the apache2 files (/etc/apache2/*) to make sure that
>.php3 has a handler set.

Not sure what you mean, I've looked in my httpd.conf and apache2.conf and I see nothing referring to php3 or php4.

Nico Gazzano
Network & Systems Admin
MIS Choice Inc.
1699 Wall ST Suite 602
Mount Prospect, IL 60056
Phone 847-690-1900 ext206
Fax 847-690-1350
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 13, 2006 2:32 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius Dialupadmin page not loading

Hi,

> I'm using Ubuntu with apache2.

apt-get install libapache2-mod-php4 should do most of the leg work for you.

you may need to edit the apache2 files (/etc/apache2/*) to make sure that .php3 has a handler set. by default it'll be happy with .php4

alan
Re: FreeRadius Dialupadmin page not loading
Hi,

> >apt-get install libapache2-mod-php4 should do most of the leg work for
> >you.
>
> I tried this
>
> >you may need to edit the apache2 files (/etc/apache2/*) to make sure that
> >.php3 has a handler set.
>
> Not sure what you mean, I've looked in my httpd.conf and apache2.conf and I
> see nothing referring to php3 or php4.

does your location firewall google? just a few quick searches for... "ubuntu php apache2" will yield many riches:

http://www.howtoforge.com/apache2_with_php5_and_php4_p2
http://www.phpfreaks.com/forums/index.php?topic=107132.new

for example...

alan
Re: EAP-MSChapv2 authentication
Hi,

> Hi Alan,
> Thanks for your response. I don't understand what you mean by 'did you
> build from source?' Please explain. I did not generate any certs. I
> didn't think EAP-MSChapv2 needed certificates.

build from source - did you download the freeradius-1.1.3.tar.gz and then extract it, run ./configure, make, make install etc

not built from source - did you simply apt-get install freeradius or yum install freeradius etc.

PS if a gentoo user, if you 'emerge freeradius' I would class that as building from source ;-)

the next question is are you really doing raw EAP-MSCHAPv2 - this isn't too common (on this list anyway)

the error log you posted clearly hinted at EAP-TTLS ... so any MSCHAPv2 would be in the tunnel. if you have this form of EAP then the TLS section must be working...as the first few lines of eap.conf clearly state. otherwise it 'just won't work'(tm)

alan
Re: PAP questions.
On Sat, 9 Sep 2006, Keith Woodworth wrote:

|->|->
|->|->> And while Radius seems to send an Access-Accept, the dialup user gets an
|->|->> error 691 password invalid.
|->|->
|->|-> Because you're not sending the same reply attributes as in the
|->|->previous example. Fix that.
|->|->
|->|->> Again I get Access-Accept, but a 691 password error on the client side.
|->|->
|->|-> Again because the replies are empty.
|->
|->Just testing a different way to do this I setup the users file with:
|->
|->DEFAULT Service-Type = Framed-User
|->Framed-Protocol = PPP,
|->Framed-Routing = None,
|->Framed-IP-Netmask = 255.255.255.255,
|->Framed-Compression = Van-Jacobsen-TCP-IP,
|->Framed-MTU = 1500
|->
|->Now when I try to login:
|->

Again had to put this aside for a few days (really starting to grind on me, it's a wonder I actually get any work done)

Anyway so started in again on this. One thing overall I think that has confused me is that I was trying to do everything from SQL, which now I don't think I need to do.

Basically: Have a user and their crypted password stored in SQL, have radius query the database for that info, if it's ok, start a PPP session.

Only way I could get that to work was have the username in both the radcheck AND usergroup tables. I didn't want it to work that way as it would be extra work to populate the database from our current radius setup, which uses Auth-Type System.

I think I have figured it out, though not sure if it's the correct way. Use a combination of users(5) and SQL. Have the user and password in radcheck, auth-type=local in radgroupcheck and use the users(5) file to do the rest and it seems to finally work.

My users file:

DEFAULT Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Routing = None, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP, Framed-MTU = 1500

Using it like this works.
But as soon as I use it this way:

DEFAULT Service-Type = Framed-User Framed-Protocol = PPP, Framed-Routing = None, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP, Framed-MTU = 1500

Why does the top way work and the bottom way not?

And is this an acceptable way to do it? Store the users and passwords in SQL and have the Users file supply the rest?

Thanks,
Keith
Re: PAP questions.
Keith Woodworth wrote:

> My users file:
>
> DEFAULT Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Routing = None, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP, Framed-MTU = 1500
>
> Using it like this works. But as soon as I use it this way:
>
> DEFAULT Service-Type = Framed-User Framed-Protocol = PPP, Framed-Routing = None, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP, Framed-MTU = 1500
>
> Why does the top way work and the bottom way not?

Expressions on the first line in a users file stanza are check items. Expressions on subsequent lines are reply items. You probably want to use the second method and replace "Service-Type = Framed-User" with the comparison "Service-Type == Framed-User".

> And is this an acceptable way to do it? Store the users and passwords in SQL and have the Users file supply the rest?

If the check and reply items needed for your setup don't result in a users file that's unmanageable, it's acceptable.

--
James Wakefield, Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au
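Added example (not part of the message above and not FreeRADIUS code): a small Python check that splits a users file stanza into check items (first line) and reply items (later lines) and flags a plain "=" on the check line, which is the situation this reply describes. The stanza layout follows the quoted "|->" message earlier in the thread, with tab indentation assumed; CONFIG_ATTRS is a short illustrative list, not the server's dictionary, and the function names are hypothetical.

```python
import re

# Config attributes that users(5) allows "=" to set on the check line.
# Short illustrative list (assumption), not the server's full dictionary.
CONFIG_ATTRS = {"Auth-Type", "Autz-Type", "Acct-Type", "Post-Auth-Type", "Proxy-To-Realm"}

# attribute, operator, value; two-character operators are tried before "=".
ITEM = re.compile(r'([\w-]+)\s*(==|:=|\+=|!=|>=|<=|=~|!~|=\*|!\*|=|>|<)\s*("[^"]*"|[^,\s]+)')


def parse_stanza(text):
    """Split one users-file stanza into (name, check_items, reply_items)."""
    lines = [l for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    head = lines[0].split(None, 1)          # entry name, then check items
    check = ITEM.findall(head[1]) if len(head) > 1 else []
    reply = [item for l in lines[1:] for item in ITEM.findall(l)]
    return head[0], check, reply


def lint(text):
    """Warn about '=' on the check line for non-config attributes."""
    name, check, _ = parse_stanza(text)
    return [f"{name}: '{attr} = {val}' is not a comparison on the check line; use '=='"
            for attr, op, val in check
            if op == "=" and attr not in CONFIG_ATTRS]


# Constructed sample: layout from the quoted message, tab indentation assumed.
AS_POSTED = (
    "DEFAULT Service-Type = Framed-User\n"
    "\tFramed-Protocol = PPP,\n"
    "\tFramed-Routing = None,\n"
    "\tFramed-IP-Netmask = 255.255.255.255,\n"
    "\tFramed-Compression = Van-Jacobsen-TCP-IP,\n"
    "\tFramed-MTU = 1500\n"
)
SUGGESTED = AS_POSTED.replace("Service-Type = Framed-User",
                              "Service-Type == Framed-User")

if __name__ == "__main__":
    for label, stanza in (("as posted", AS_POSTED), ("suggested", SUGGESTED)):
        name, check, reply = parse_stanza(stanza)
        print(label, "check:", check, "reply:", [a for a, _, _ in reply])
        print("  warnings:", lint(stanza) or "none")
```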
Re: IAS and Openser
Hi,

> How can I transform freeradius server in a proxy?
> I configured the proxy.conf, but seems don't work
>
> And I uncomment the line in radiusd.conf:
>
> proxy_requests = yes
> $INCLUDE ${confdir}/proxy.conf
>
> I wanna do this:
> |Openser| -> |Radiusclient| -> |Freeradius| -> |IAS| -> |AD|
>
> Its work?
>
> And in IAS should I configured anything?

Configure the NULL realm with the same settings as DEFAULT. Other than that, the config sounds good to me. Did you change anything apart from that in the default config file? In particular, you need to have at least one instance of the "realm" module in authorize { }. The default config has "suffix" in there, that should be fine. You need to be sure then that your user names don't contain the @ character - otherwise they won't match the DEFAULT realm you set up in proxy.conf.

If you are positive that an instance of realm is in authorize and NULL is configured, but it still doesn't work then please post the debug output (radiusd -X) of a packet that arrived and was supposed to be proxied, but wasn't.

> Sorry for the portuguese e-mail.

When I read it, I wondered what strange dialect of Spanish this is. :-) Portuguese and Spanish aren't that far apart after all, it seems.

Greetings,

Stefan Winter

--
Stefan WINTER
RESTENA Foundation - Réseau Téléinformatique de l'Education Nationale et de la Recherche
R&D Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED] Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
Re: freeRADIUS doc
hi did u get the answer if u did plz tell me coz i got the same problem

On 8/28/06, Carlo Prestopino <[EMAIL PROTECTED]> wrote:

> Hi all,
> I'm trying to access freeRaDIUS doc section (http://www.freeradius.org/radiusd/doc/), but I got a "Forbidden" access message. Is this section accessible to normal users?
> Best regards,
> Carlo