Re: Freeradius-Users Digest, Vol 17, Issue 47

2006-09-13 Thread ego seek
thank you for your reply.
do you know if i can use NT-PASSWORD using windowsXP client?
do I have only modify the table insert "NT-PASSWORD" instead "PASSWORD"?
how then I can make the system work? what I have to put in the radiusd.conf?
thank you.
Best regards

2006/9/12, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:

Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
[EMAIL PROTECTED]

You can reach the person managing the list at
[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."

Today's Topics:

   1. Re: STORE PWD using MD5 and EAP-PEAP-MSCHAPv2 for the comunication--- (Rob Shepherd)
   2. Re: FreeRadius suport IPv6 ??/ (Alan DeKok)
   3. Re: Probs with pppoe-server + radius (Alan DeKok)
   4. Re: rautmp not working.. (Alan DeKok)
   5. Re: Question about rlm modules (Alan DeKok)
   6. Re: STORE PWD using MD5 and EAP-PEAP-MSCHAPv2 for the comunication--- (Alan DeKok)
   7. Re: Question about rlm modules (Alan DeKok)
   8. Re: Re: Re: IAS e Openser (Artur Hayne)

--

Message: 1
Date: Tue, 12 Sep 2006 15:09:46 +0100
From: Rob Shepherd <[EMAIL PROTECTED]>
Subject: Re: STORE PWD using MD5 and EAP-PEAP-MSCHAPv2 for the comunication---
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

ego seek wrote:
>
> Does Anybody know HOW I can make radius WORK with md5-stored password in
> the db?
>
> I use EAP-PEAP-MSCHAPv2, and if the system works great if the pwds are
> in clear in the mysqlDB
>

You can't. See

http://deployingradius.com/documents/protocols/compatibility.html

Store an 'NT-Password' value as a config ':=' attribute in the radcheck
table.

NT password hashes can be generated in most programming languages.

Rob

--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 077988 72480

--

Message: 2
Date: Tue, 12 Sep 2006 10:21:38 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: FreeRadius suport IPv6 ??/
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>

Christian Hahn <[EMAIL PROTECTED]> wrote:
> Do you mean IPv6 transport or support for IPv6 attributes (RFC3162)?
> RFC3162 is supported by freeradius 2.0.0-pre0 (CVS), IPv6 transport as
> far as I know is not supported.

  The CVS version also supports IPv6 transport.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog

--

Message: 3
Date: Tue, 12 Sep 2006 10:23:15 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: Probs with pppoe-server + radius
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>

Ali Jawad <[EMAIL PROTECTED]> wrote:
> The info above is to help you guys in helping me pinpoint my problem, my
> real problem is that I can dial into my server using pppoe and simple
> chap and/or pap authentication. However once I use radius to authenticate
> the pppoe-dialup requests into the server. I get the following output in
> pppd.log

  And in all of this you are carefully avoiding the one tool that
will help you solve the problem: running the server in debugging mode.

  See the README, FAQ, INSTALL.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog

--

Message: 4
Date: Tue, 12 Sep 2006 10:25:37 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: rautmp not working..
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>

Collen Blijenberg <[EMAIL PROTECTED]> wrote:
> but no radutmp file is created, and if created by hand it stays 0 bytes...
>
> dunno my guesses tells me i forgot something... ???

  Send the server accounting packets.  radutmp is created when the NAS
agrees that the user has logged in, not when the server tells the NAS
to let the user in.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog

--

Message: 5
Date: Tue, 12 Sep 2006 10:26:24 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: Question about rlm modules
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>

Shankar Ganesh C <[EMAIL PROTECTED]> wrote:
> Could you let me know how d

Re: Freeradius-Users Digest, Vol 17, Issue 47

2006-09-13 Thread Rob Shepherd

ego seek wrote:
> thank you for your reply.

Which one?

Don't top-post above an entire digest message!!

> do you know if i can use NT-PASSWORD using windowsXP client?

The windowsXP client, if configured appropriately, will use mschapv2 
inside PEAP.  It will be supplying an NT password hash as part of this.

> do I have only modify the table insert "NT-PASSWORD" instead "PASSWORD"?

Yes. However `Password` is usually a check item, for comparing clear 
text passwords. The `NT-Password` needs to be a config item. radiusd 
will figure out what to do with it.


Rob


--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 077988 72480
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rautmp not working..

2006-09-13 Thread Collen Blijenberg

Thx,
ehh, and how do i do that ??? (sorry newbie)

somehow there isn't any accounting done ?!
i do have a auth_log and reply_log.
but no detail log (and no radutmp either)

getting stranger by the minute...  
but i also have no idea how to make the nas (linksys wap54g v3 eu) or 
the freeradius (1.1.3) do accounting.

i use the wpa-enterprise option.

any hints on howto make accounting work ??

Cheers..

Collen
Alan DeKok wrote:

> Collen Blijenberg <[EMAIL PROTECTED]> wrote:
> > but no radutmp file is created, and if created by hand it stays 0 bytes...
> >
> > dunno my guesses tells me i forgot something... ???
>
>   Send the server accounting packets.  radutmp is created when the NAS
> agrees that the user has logged in, not when the server tells the NAS
> to let the user in.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


RE: opinion?? anyone??

2006-09-13 Thread Elie Hani
Hi Peter,

I have used the iptables, and I was able to redirect the Real pool of IPs to
a certain destination.

But after connecting and authenticated with a fake IP, I was able to trace
only to the RAS server.

Any idea?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Peter Nixon
Sent: Tuesday, September 12, 2006 11:55 PM
To: FreeRadius users mailing list
Subject: Re: opinion?? anyone??

On Tue 12 Sep 2006 18:43, Elie Hani wrote:
> Hi;
>
>
>
> I need to know what is the best to work with, if I want to redirect a
> subnet of IPs to a single one (which is a single page), for the dial up
> users.
>
> I will be testing the chillispot, if there's another tested software to be
> used on linux, please advice.

iptables?

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



mysql failover issue

2006-09-13 Thread andy
Hi,

I have seen these errors when primary radius server goes offline and the 
secondary takes over:
All requests are coming via Redback SE400:

Wed Sep 13 07:51:34 2006 : Error: Dropping conflicting packet from client redback:1812 - ID: 1 due to unfinished request 1051285
Wed Sep 13 07:51:35 2006 : Error: Dropping conflicting packet from client redback:1812 - ID: 2 due to unfinished request 1051286


This happens on both servers and after an hour it seemed to sort itself out.

Setup is as follows:

2xfreeradius server
2xmysql cluster API nodes

each FR server is pointed to a different node, so when we take one node 
offline, the secondary defined freeradius 
server should kick in and talk to its API.

When the primary radius server came back after its mysql API was brought back 
after a planned outage, the primary and 
secondary radius servers got confused. They both started to drop connections 
with the above errors and no users could 
authenticate.

Is this issue a known issue, is there a fix, has anyone got any further info on 
when this would happen.
Restarting the primary radius server fixed the issue however this solution is 
meant to be a resilient and redundant 
solution capable of working through either radius or mysql node failures.

any info or assistance would be helpful for my RFO here.

cheers

 -- 
andy[EMAIL PROTECTED]
---
Never argue with an idiot. They drag you down 
to their level, then beat you with experience.
--- 


Re: radippool table for Oracle

2006-09-13 Thread Peter Nixon
Hi 

Please update to the latest sqlippool.conf in cvs as I have just committed a 
lot of cleanups to it.

Cheers

Peter

On Tue 12 Sep 2006 23:56, Guilherme Franco wrote:
> Mr. Peter,
>
> Thanks, yes, that's correct.
>
> But what I need is this behaviour even if the user disconnects and
> even if I run out of IPs in the pool. Basically, John logs in for the
> first time and randomly catches ip 1.1.1.130. When John logs out and
> comes back next week, he should be able to get 1.1.1.130 again, so
> that IP can't be reused.
>
> Is there any form to do that?
>
> Sorry, maybe I've described the problem in a wrong way earlier.
>
> Thank you very much for the answers, I hope to contribute later to
> freeradius posting my oracle schema.
>
> On 9/12/06, Peter Nixon <[EMAIL PROTECTED]> wrote:
> > On Tue 12 Sep 2006 22:44, Guilherme Franco wrote:
> > > Thanks Mr. Nixon,
> > >
> > > I thought that someone might have already created such a schema.
> > >
> > > But that's not a problem.
> > >
> > > I'll be playing with the errors and as I get a working schema I'll post
> > > back.
> > >
> > > Just another doubt: Is there any way to create a pool of addresses and
> > > when someone receives one ip  from this pool, this ip stays assigned
> > > to that user forever (lease forever, just like a static IP)? I need
> > > this so that I assign an IP only based in the group (which has some
> > > pools assigned to it), no need to manually create Frammed-Ip-Address =
> > > x.x.x.x for that user.
> >
> > That is basically what the default sqlippool config does unless you run
> > out of IPs in the pool, in which case it will start to hand reusing IPs
> > that are currently not connected.
> >
> > --
> >
> > Peter Nixon
> > http://www.peternixon.net/
> > PGP Key: http://www.peternixon.net/public.asc
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: radippool table for Oracle

2006-09-13 Thread Guilherme Franco

Thank you!

I'm downloading it right now.

Thanks again!


On 9/13/06, Peter Nixon <[EMAIL PROTECTED]> wrote:

Hi

Please update to the latest sqlippool.conf in cvs as I have just committed a
lot of cleanups to it.

Cheers

Peter

On Tue 12 Sep 2006 23:56, Guilherme Franco wrote:
> Mr. Peter,
>
> Thanks, yes, that's correct.
>
> But what I need is this behaviour even if the user disconnects and
> even if I run out of IPs in the pool. Basically, John logs in for the
> first time and randomly catches ip 1.1.1.130. When John logs out and
> comes back next week, he should be able to get 1.1.1.130 again, so
> that IP can't be reused.
>
> Is there any form to do that?
>
> Sorry, maybe I've described the problem in a wrong way earlier.
>
> Thank you very much for the answers, I hope to contribute later to
> freeradius posting my oracle schema.
>
> On 9/12/06, Peter Nixon <[EMAIL PROTECTED]> wrote:
> > On Tue 12 Sep 2006 22:44, Guilherme Franco wrote:
> > > Thanks Mr. Nixon,
> > >
> > > I thought that someone might have already created such a schema.
> > >
> > > But that's not a problem.
> > >
> > > I'll be playing with the errors and as I get a working schema I'll post
> > > back.
> > >
> > > Just another doubt: Is there any way to create a pool of addresses and
> > > when someone receives one ip  from this pool, this ip stays assigned
> > > to that user forever (lease forever, just like a static IP)? I need
> > > this so that I assign an IP only based in the group (which has some
> > > pools assigned to it), no need to manually create Frammed-Ip-Address =
> > > x.x.x.x for that user.
> >
> > That is basically what the default sqlippool config does unless you run
> > out of IPs in the pool, in which case it will start to hand reusing IPs
> > that are currently not connected.
> >
> > --
> >
> > Peter Nixon
> > http://www.peternixon.net/
> > PGP Key: http://www.peternixon.net/public.asc
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




NT-PASSWORD--Re: Freeradius-Users Digest, Vol 17, Issue 47

2006-09-13 Thread ego seek
I'm working with mschapv2, I use a PHP web site to register a user,  can i insert into the db a NT-hashed password?
Have I to configure the radius to accept the NT-PASSWORD value or it does by itself?
thank you so much.
you're so helpful.
egoseek

Message: 1
Date: Wed, 13 Sep 2006 10:26:52 +0100
From: Rob Shepherd <[EMAIL PROTECTED]>
Subject: Re: Freeradius-Users Digest, Vol 17, Issue 47
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

ego seek wrote:
> thank you for your reply.

Which one?

Don't top-post above an entire digest message!!

> do you know if i can use NT-PASSWORD using windowsXP client?

The windowsXP client, if configured appropriately, will use mschapv2
inside PEAP.  It will be supplying an NT password hash as part of this.

> do I have only modify the table insert "NT-PASSWORD" instead "PASSWORD"?

Yes. However `Password` is usually a check item, for comparing clear
text passwords. The `NT-Password` needs to be a config item. radiusd
will figure out what to do with it.

Rob

Re: rautmp not working..

2006-09-13 Thread Alan DeKok
Collen Blijenberg <[EMAIL PROTECTED]> wrote:
> but i also have no idea how to make the nas (linksys wap54g v3 eu) or 
> the freeradius (1.1.3) do accounting.

  The linksys simply might not do accounting.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: opinion?? anyone??

2006-09-13 Thread Elie Hani
I found out the solution, I used policy based routing.

Thanks anyway 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Elie Hani
Sent: Wednesday, September 13, 2006 12:34 PM
To: 'FreeRadius users mailing list'
Subject: RE: opinion?? anyone??

Hi Peter,

I have used the iptables, and I was able to redirect the Real pool of IPs to
a certain destination.

But after connecting and authenticated with a fake IP, I was able to trace
only to the RAS server.

Any idea?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Peter Nixon
Sent: Tuesday, September 12, 2006 11:55 PM
To: FreeRadius users mailing list
Subject: Re: opinion?? anyone??

On Tue 12 Sep 2006 18:43, Elie Hani wrote:
> Hi;
>
>
>
> I need to know what is the best to work with, if I want to redirect a
> subnet of IPs to a single one (which is a single page), for the dial up
> users.
>
> I will be testing the chillispot, if there's another tested software to be
> used on linux, please advice.

iptables?

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



RADIUS proxy-----trace user site surfed------

2006-09-13 Thread ego seek
Does anybody know how can I setup RADIUS and a proxy server to generate a log for the users?
I need to trace where in the Internet the user went.
Do you have any other suggestion for this purpose?
thank you.
Best regards
egoseek

Re: IAS and Openser

2006-09-13 Thread Artur Hayne
Hello,

How can I transform freeradius server in a proxy? I configured the proxy.conf, but seems don't work

proxy.conf:

proxy server {
    synchronous = no
    retry_delay = 5
    retry_count = 3
    dead_time = 120
    default_fallback = yes
    post_proxy_authorize = no
}

realm DEFAULT {
    type     = radius
    authhost = mydomain.br
    accthost = mydomain.br
    secret   = mysecret
    nostrip
}

And I uncomment the line in radiusd.conf:

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

I wanna do this: |Openser| -> |Radiusclient| -> |Freeradius| -> |IAS| -> |AD|
Its work?

And in IAS should I configured anything?

Sorry for the portuguese e-mail.

[EMAIL PROTECTED] wrote:

Hello!

This list is in English.

> How do I turn Freeradius into a client of IAS? Is there a tutorial or an
> article? Without going through the freeradius server, I already
> configured radiusclient to go straight to IAS, but it did not work, nothing
> happens, and worst of all I have no way to debug the problem and the
> IAS log file is very poor.
>
>  |Openser| -> |Radiusclient| -> |Freeradius| -> |IAS| -> |AD|
>
> Can this be done? How do I do it?
>
> Any idea?

If I got you right, all you want to do is use FreeRADIUS as a proxy to
communicate to an IAS which does the authentication. This is easy, all you
need to do is proxy all incoming requests to the IAS. See proxy.conf, read
it, try it, and if doesn't work for you ask here again. But in English
please, it's been quite a time since I had Spanish in school.

Greetings,

Stefan Winter

-- 
Stefan WINTER

RESTENA Foundation - Réseau Téléinformatique de l'Education Nationale et de la Recherche
R&D Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu               Fax:      +352 422473

Re: NT-PASSWORD--Re: Freeradius-Users Digest, Vol 17, Issue 47

2006-09-13 Thread Rob Shepherd

ego seek wrote:

I'm working with mschapv2,
I use a PHP web site to register a user,  can i insert into the db a 
NT-hased password?


Yes, radcheck should contain

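UserName  |  Attribute    |  op  |  Value                             |
----------|---------------|------|------------------------------------|
colin     |  NT_Password  |  :=  |  abcdef1234567890abcdef1234567890  |

I use Pear Crypt...

<?php
  require_once 'Crypt/CHAP.php';  // PEAR Crypt_CHAP package
  $cr = new Crypt_CHAP_MSv2();    // class name assumed; the lines before "password" are missing here
  $cr->password = $password;
  $NThash = bin2hex($cr->ntPasswordHash());  // 32 hex digits, the Value stored in radcheck
?>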



Rob



--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 077988 72480
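
[Added example, not part of Rob's message and not FreeRADIUS or PEAR code: the NT hash discussed above is MD4 over the UTF-16LE password, and the Python below computes it and rewrites cleartext Password rows of a radcheck table as NT-Password ':=' rows. Assumptions: sqlite3 stands in for MySQL, the table has only the four columns shown above, the attribute is spelled NT-Password as in the earlier reply in this thread, and the colin/dave rows and their passwords are constructed sample data.]

```python
import sqlite3
import struct

_MASK = 0xFFFFFFFF
_ROUND3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def _rotl(value, shift):
    """Rotate a 32-bit value left by `shift` bits."""
    return ((value << shift) | (value >> (32 - shift))) & _MASK


def md4(data):
    """MD4 (RFC 1320), written out because hashlib often has no 'md4'."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = (data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
              + struct.pack("<Q", len(data) * 8))
    for offset in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[offset:offset + 64])
        a, b, c, d = state
        for i in range(48):
            if i < 16:    # round 1: F, message words in order
                f, k, const = (b & c) | (~b & d), i, 0
                s = (3, 7, 11, 19)[i % 4]
            elif i < 32:  # round 2: G, message words taken column-wise
                f, k = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4
                const, s = 0x5A827999, (3, 5, 9, 13)[i % 4]
            else:         # round 3: H, message words in bit-reversed order
                f, k = b ^ c ^ d, _ROUND3_ORDER[i - 32]
                const, s = 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl((a + f + x[k] + const) & _MASK, s), b, c
        state = [(v + w) & _MASK for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash: MD4 over the UTF-16LE password, as 32 lowercase hex digits."""
    return md4(password.encode("utf-16-le")).hex()


def migrate_cleartext_rows(db):
    """Rewrite cleartext password check items as NT-Password ':=' rows.

    This needs the cleartext: an MD5 digest already stored in the table
    cannot be turned into an NT hash.
    """
    rows = db.execute(
        "SELECT rowid, Value FROM radcheck "
        "WHERE Attribute IN ('Password', 'User-Password')").fetchall()
    with db:  # single transaction, so no user is left half-migrated
        for rowid, cleartext in rows:
            db.execute(
                "UPDATE radcheck SET Attribute = 'NT-Password', op = ':=', "
                "Value = ? WHERE rowid = ?", (nt_hash(cleartext), rowid))
    return len(rows)


def register_user(db, username, password):
    """What a registration page would store: the NT hash, never the cleartext."""
    with db:
        db.execute(
            "INSERT INTO radcheck (UserName, Attribute, op, Value) "
            "VALUES (?, 'NT-Password', ':=', ?)", (username, nt_hash(password)))


def demo():
    """Run both paths on a constructed in-memory table and return the result."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck "
               "(UserName TEXT, Attribute TEXT, op TEXT, Value TEXT)")
    # Constructed legacy row holding a cleartext password.
    db.execute("INSERT INTO radcheck VALUES ('colin', 'Password', '==', 'password')")
    migrated = migrate_cleartext_rows(db)
    # dave picks the same password: the NT hash is unsalted, so both rows end
    # up with the same Value. Protect this column like a cleartext password.
    register_user(db, "dave", "password")
    rows = db.execute("SELECT UserName, Attribute, op, Value "
                      "FROM radcheck ORDER BY UserName").fetchall()
    return migrated, rows


if __name__ == "__main__":
    count, table = demo()
    print("migrated rows:", count)
    for row in table:
        print(" | ".join(row))
```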


Re: RADIUS proxy-----trace user site surfed------

2006-09-13 Thread Alan DeKok
"ego seek" <[EMAIL PROTECTED]> wrote:
> Does anybody know how can I setup RADIUS and a proxy server to generate a
> log for the users?
> 
> I need to trace where in the Internet the user went.

  RADIUS doesn't do that.  You need a transparent web proxy.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


FreeRadius Dialupadmin page not loading

2006-09-13 Thread Nico Gazzano

I’ve got php4 installed and for some reason when I try
to load the admin page it asks if I want to open or save the buttons.html.php3
file, I wasn’t thinking and clicked save and now it saves the file
instead of opening the admin page.  Can someone help?  I’m doing this
locally on the server.

Nico Gazzano
Network & Systems Admin
MIS Choice Inc.
1699 Wall ST Suite 602
Mount Prospect, IL 60056
Phone 847-690-1900 ext206
Fax 847-690-1350
[EMAIL PROTECTED]


RE: EAP-MSChapv2 authentication

2006-09-13 Thread Christopher, Paul
Hi Alan,
Thanks for the response. I remove the Auth-Type, but it is still not working. 
Now I get a new set of errors. I did a radtest bob hello localhost 0 testing123 
and the user was able to authenticate. I don't know why it doesn't work for 
EAP-MSchapv2. Thanks for your help! Below is the debug log: 

rad_recv: Access-Request packet from host 13.138.136.68:1645, id=155, length=140
NAS-IP-Address = 13.138.136.68
NAS-Port = 50003
NAS-Port-Type = Ethernet
User-Name = "tester"
Called-Station-Id = "00-0A-B8-39-79-85"
Calling-Station-Id = "00-0B-DB-64-9B-A7"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x9b24bde92b2edf137fd180df54de624a
EAP-Message = 0x021300060315
Message-Authenticator = 0x59b57149b1821c1ec87342e2e04cdbc8
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
  modcall[authorize]: module "preprocess" returns ok for request 19
  modcall[authorize]: module "chap" returns noop for request 19
  modcall[authorize]: module "mschap" returns noop for request 19
rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 19
  rlm_eap: EAP packet type response id 19 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 19
users: Matched entry tester at line 83
  modcall[authorize]: module "files" returns ok for request 19
modcall: leaving group authorize (returns updated) for request 19
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/ttls
 rlm_eap: No such EAP type ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 19
modcall: leaving group authenticate (returns invalid) for request 19
auth: Failed to validate the user.
Delaying request 19 for 1 seconds
Finished request 19
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 13.138.136.68:1645, id=155, length=140
Sending Access-Reject of id 155 to 13.138.136.68 port 1645
EAP-Message = 0x04130004
Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 1 seconds...

This e-mail message, including any attachments, is for the sole use of the 
intended recipient(s) and may contain confidential information. Any 
unauthorized review, use, disclosure or distribution is prohibited. If you are 
not the intended recipient(s) please contact the sender by reply e-mail and 
destroy all copies of the original message. Thank you


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, September 12, 2006 4:12 PM
To: FreeRadius users mailing list
Subject: Re: EAP-MSChapv2 authentication 


"Christopher, Paul" <[EMAIL PROTECTED]> wrote:
> I have a device that uses EAP-MSCHAPv2 (without PEAP) for 
> authentication. I am running freeRadius on Redhat. The device is 
> plugged into a switch which sends the EAP request to the server. I am 
> unable to get the device authenticated with the Radius server. In the 
> users file should the Auth-type be local or MS-Chap?

  Neither.  Don't set Auth-Type at all.  The server WILL figure it out.

>  Should I be sending the authentication request to an NT domain or 
> will the username and password in the user file be sufficient?

  Putting a username and password into the "users" file will be sufficient.

#
bob User-Password := "hello"

#

  EAP-MSCHAPv2 *will* work.  See:

http://deployingradius.com/documents/configuration/pap.html

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: EAP-MSChapv2 authentication

2006-09-13 Thread Alan DeKok
"Christopher, Paul" <[EMAIL PROTECTED]> wrote:
> Thanks for the response. I remove the Auth-Type, but it is still not
> working. Now I get a new set of errors. I did a radtest bob hello
> localhost 0 testing123 and the user was able to authenticate.

  Because PAP authentication is simple, and doesn't involve EAP.

>  I don't know why it doesn't work for EAP-MSchapv2. Thanks for your
> help! Below is the debug log:
...
>  rlm_eap: EAP-NAK asked for EAP-Type/ttls
>  rlm_eap: No such EAP type ttls

  Uh... what part of that message is unclear?

  The client isn't doing EAP-MSCHAPv2.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Mac authentication

2006-09-13 Thread Ali Jawad

Hi Guys

I've got my pppoe server up and running and the authentication process
is just fine. What I want to do now is to bind the username and
password combination to a mac..so that the mentioned
user/password combination can only be used on a per pc "i.e. per mac"
basis. Can anyone help me on how to do this, please.
--
With Regards Ali Jawad


Re: FreeRadius Dialupadmin page not loading

2006-09-13 Thread Ali Jawad

You clearly have not configured apache to work with php4, even if you
click open instead of save it will open the file in an editor. You have
to do that first before you can use php on apache. search for
something like php3 or php4 in the config file of apache and uncomment
it. You also have to install the php4 module for apache. Apart from
having mysql installed to make dialupadmin work.
There are many howtos online which explain how to do that. If you are
using debian I am willing to help you on that issue too.

On 9/13/06, Nico Gazzano <[EMAIL PROTECTED]> wrote:
> I've got php4 installed and for some reason when I try to load the admin
> page it asks if I want to open or save the buttons.html.php3 file, I wasn't
> thinking and clicked save and now it saves the file instead of opening the
> admin page.  Can someone help?  I'm doing this locally on the server.
>
> Nico Gazzano
> Network & Systems Admin
> MIS Choice Inc.
> 1699 Wall ST Suite 602
> Mount Prospect, IL 60056
> Phone 847-690-1900 ext206
> Fax 847-690-1350
> [EMAIL PROTECTED]

--
With Regards Ali Jawad


RE: FreeRadius Dialupadmin page not loading

2006-09-13 Thread Nico Gazzano
I'm using Ubuntu with apache2.

Nico Gazzano
Network & Systems Admin
MIS Choice Inc.
1699 Wall ST Suite 602
Mount Prospect, IL 60056
Phone 847-690-1900 ext206
Fax 847-690-1350
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Ali Jawad
Sent: Wednesday, September 13, 2006 1:30 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius Dialupadmin page not loading

You clearly have not configured apache to work with php4, even if you
click open instead of save it will open the file in an editor. You have
to do that first before you can use php on apache. search for
something like php3 or php4 in the config file of apache and uncomment
it. You also have to install the php4 module for apache. Apart from
having mysql installed to make dialupadmin work.
There are many howtos online which explain how to do that. If you are
using debian I am willing to help you on that issue too.

On 9/13/06, Nico Gazzano <[EMAIL PROTECTED]> wrote:
>
>
>
>
> I've got php4 installed and for some reason when I try to load the admin
> page it asks if I want to open or save the buttons.html.php3 file, I wasn't
> thinking and clicked save and now it saves the file instead of opening the
> admin page.  Can someone help?  I'm doing this locally on the server.
>
>
>
> Nico Gazzano
>
> Network & Systems Admin
>
> MIS Choice Inc.
>
> 1699 Wall ST Suite 602
>
> Mount Prospect, IL 60056
>
> Phone 847-690-1900 ext206
>
> Fax 847-690-1350
>
> [EMAIL PROTECTED]
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>


-- 
With Regards Ali Jawad


Re: EAP-MSChapv2 authentication

2006-09-13 Thread A . L . M . Buxey
Hi,

>  rlm_eap: EAP-NAK asked for EAP-Type/ttls
>  rlm_eap: No such EAP type ttls

only a guess - but the above line seems to be the big clue here.
have you configured your eap.conf correctly...and did you build from
source? if from source, did you check that configure passed by without
failing on anything...eg no OpenSSL dev headers etc?  you have to
have the certificates part in eap.conf sorted, or ttls wont work.

alan


Re: EAP-MSChapv2 authentication

2006-09-13 Thread A . L . M . Buxey
Hi,

> >  rlm_eap: EAP-NAK asked for EAP-Type/ttls
> >  rlm_eap: No such EAP type ttls
> 
>   Uh... what part of that message is unclear?
> 
>   The client isn't doing EAP-MSCHAPv2.

indeed, looks like EAP-TTLS with MSCHAPv2 inside the tunnel.

alan


Re: FreeRadius Dialupadmin page not loading

2006-09-13 Thread A . L . M . Buxey
Hi,
> I'm using Ubuntu with apache2.

apt-get install libapache2-mod-php4  should do most of the leg work for you.
you may need to edit the apache2 files (/etc/apache2/*) to make sure that .php3
has a handler set. by default it'll be happy with .php4

alan


RE: EAP-MSChapv2 authentication

2006-09-13 Thread Christopher, Paul
Hi Alan,
Thanks for your response. I don't understand what you mean by 'did you
build from source?' Please explain. I did not generate any certs. I
didn't think EAP-MSChapv2 needed certificates.
Paul.

-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
dius.org] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 13, 2006 3:22 PM
To: FreeRadius users mailing list
Subject: Re: EAP-MSChapv2 authentication

Hi,

>  rlm_eap: EAP-NAK asked for EAP-Type/ttls
>  rlm_eap: No such EAP type ttls

only a guess - but the above line seems to be the big clue here.
have you configured your eap.conf correctly...and did you build from
source? if from source, did you check that configure passed by without
failing on anything...eg no OpenSSL dev headers etc?  you have to
have the certificates part in eap.conf sorted, or ttls wont work.

alan
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: EAP-MSChapv2 authentication

2006-09-13 Thread King, Michael
Paul,

I think what Alan was getting at is that your client asked for EAP-TTLS,
not EAP-MSChapV2.  This might be the root of your problem.

If you intend to do MSChapV2 inside of TTLS tunnels, you MUST set up a
certificate.  This is made quite clear in the eap.conf file, that TTLS
is dependent on TLS being set up.

What is your user source?  (users file, passwd file, LDAP, Active
Directory)   I ask because MSChapV2 is incompatible with a few of these
sources.
 

> -Original Message-

> >  rlm_eap: EAP-NAK asked for EAP-Type/ttls
> >  rlm_eap: No such EAP type ttls
> 
> 



RE: FreeRadius Dialupadmin page not loading

2006-09-13 Thread Nico Gazzano
>apt-get install libapache2-mod-php4  should do most of the leg work for
>you.

I tried this 

>you may need to edit the apache2 files (/etc/apache2/*) to make sure that
>.php3 has a handler set.

Not sure what you mean, I've looked in my httpd.conf and apache2.conf and I
see nothing referring to php3 or php4.

Nico Gazzano
Network & Systems Admin
MIS Choice Inc.
1699 Wall ST Suite 602
Mount Prospect, IL 60056
Phone 847-690-1900 ext206
Fax 847-690-1350
[EMAIL PROTECTED]



Re: FreeRadius Dialupadmin page not loading

2006-09-13 Thread A . L . M . Buxey
Hi,

> >apt-get install libapache2-mod-php4  should do most of the leg work for
> >you.
> 
> I tried this 
> 
> >you may need to edit the apache2 files (/etc/apache2/*) to make sure that
> >.php3 has a handler set.
> 
> Not sure what you mean, I've looked in my httpd.conf and apache2.conf and I
> see nothing referring to php3 or php4.

does your location firewall google?  just a few quick searches for... 
"ubuntu php apache2" will yield many riches:

http://www.howtoforge.com/apache2_with_php5_and_php4_p2
http://www.phpfreaks.com/forums/index.php?topic=107132.new

for example...

alan


Re: EAP-MSChapv2 authentication

2006-09-13 Thread A . L . M . Buxey
Hi,

> Hi Alan,
> Thanks for your response. I don't understand what you mean by 'did you
> build from source?' Please explain. I did not generate any certs. I
> didn't think EAP-MSChapv2 needed certificates.

build from source - did you download the freeradius-1.1.3.tar.gz
and then extract it, run ./configure, make, make install etc

not built from source - did you simply apt-get install freeradius
or yum install freeradius etc. 

PS if a gentoo user, if you 'emerge freeradius' I would class that as building
from source  ;-)


the next question is are you really doing raw EAP-MSCHAPv2 - this isn't too
common (on this list anyway). the error log you posted clearly hinted
at EAP-TTLS ... so any MSCHAPv2 would be in the tunnel.  if you have
this form of EAP then the TLS section must be working...as the first
few lines of eap.conf clearly state. otherwise it 'just won't work'(tm)

alan


Re: PAP questions.

2006-09-13 Thread Keith Woodworth
On Sat, 9 Sep 2006, Keith Woodworth wrote:

|->|->
|->|->> And while Radius seems to send an Access-Accept, the dialup user gets an
|->|->> error 691 password invalid.
|->|->
|->|->  Because you're not sending the same reply attributes as in the
|->|->previous example.  Fix that.
|->|->
|->|->> Again I get Access-Accept, but a 691 password error on the client side.
|->|->
|->|->  Again because the replies are empty.
|->
|->Just testing a different way to do this I setup the users file with:
|->
|->DEFAULT Service-Type = Framed-User
|->Framed-Protocol = PPP,
|->Framed-Routing = None,
|->Framed-IP-Netmask = 255.255.255.255,
|->Framed-Compression = Van-Jacobsen-TCP-IP,
|->Framed-MTU = 1500
|->
|->Now when I try to login:
|->

Again had to put this aside for a few days (really starting to grind on
me, it's a wonder I actually get any work done)

Anyway so started in again on this.

One thing overall I think that has confused me is that I was trying to do
everything from SQL, which now I don't think I need to do.

Basically: Have a user and their crypted password stored in SQL, have
radius query the database for that info, if it's ok, start a PPP session.

Only way I could get that to work was have the username in both the
radcheck AND usergroup tables.

I didn't want it to work that way as it would be extra work to populate the
database from our current radius setup, which uses Auth-Type System.

I think I have figured it out, though not sure if it's the correct way. Use
a combination of users(5) and SQL.

Have the user and password in radcheck, auth-type=local in radgroupcheck
and use the users(5) file to do the rest and it seems to finally work.

My users file:

DEFAULT
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Routing = None,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobsen-TCP-IP,
    Framed-MTU = 1500

Using it like this works.

But as soon as I use it this way:

DEFAULT Service-Type = Framed-User
    Framed-Protocol = PPP,
    Framed-Routing = None,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobsen-TCP-IP,
    Framed-MTU = 1500

Why does the top way work and the bottom way not? And is this an
acceptable way to do it? Store the users and passwords in SQL and have the
Users file supply the rest?

Thanks,
Keith


Re: PAP questions.

2006-09-13 Thread James Wakefield

Keith Woodworth wrote:

> My users file:
>
> DEFAULT
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP,
>     Framed-Routing = None,
>     Framed-IP-Netmask = 255.255.255.255,
>     Framed-Compression = Van-Jacobsen-TCP-IP,
>     Framed-MTU = 1500
>
> Using it like this works.
>
> But as soon as I use it this way:
>
> DEFAULT Service-Type = Framed-User
>     Framed-Protocol = PPP,
>     Framed-Routing = None,
>     Framed-IP-Netmask = 255.255.255.255,
>     Framed-Compression = Van-Jacobsen-TCP-IP,
>     Framed-MTU = 1500
>
> Why does the top way work and the bottom way not?

Expressions on the first line in a users file stanza are check items.
Expressions on subsequent lines are reply items.  You probably want to
use the second method and replace "Service-Type = Framed-User" with the
comparison "Service-Type == Framed-User".

> And is this an acceptable way to do it? Store the users and passwords
> in SQL and have the Users file supply the rest?

If the check and reply items needed for your setup don't result in a
users file that's unmanageable, it's acceptable.




--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au
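
The check-item/reply-item split described in the reply above, as an added example that is not part of the original thread or of FreeRADIUS itself: a small Python parser for a simplified users-file grammar that shows which list each expression lands in and flags `=` on the check line. Assumptions: values contain no commas, reply lines are indented, and `CONTROL_ATTRS` is a short illustrative list rather than the server's dictionary.

```python
import re

# attribute, operator, value; longer operators listed first so "==" beats "=".
ITEM_RE = re.compile(r"^([\w-]+)\s*(==|:=|\+=|!=|>=|<=|=~|!~|=|>|<)\s*(.+)$")
# Assumption: a few server-side control attributes where "=" on the check
# line is the usual form. Illustrative only.
CONTROL_ATTRS = {"Auth-Type", "Crypt-Password", "NT-Password"}

# Constructed sample: the stanza shapes from the thread, shortened.
SAMPLE = """\
DEFAULT
    Service-Type = Framed-User,
    Framed-Protocol = PPP

DEFAULT Service-Type = Framed-User
    Framed-Protocol = PPP

DEFAULT Service-Type == Framed-User
    Framed-Protocol = PPP,
    Framed-MTU = 1500
"""

def parse_users(text):
    """Split users-file text into stanzas of check items and reply items."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # column 0 starts an entry
            parts = line.split(None, 1)
            current = {"name": parts[0], "check": [], "reply": []}
            stanzas.append(current)
            target, rest = current["check"], "".join(parts[1:])
        elif current is None:
            raise ValueError("reply line before any entry: %r" % raw)
        else:                                      # indented: reply items
            target, rest = current["reply"], line
        for item in (p.strip() for p in rest.split(",")):
            if not item:
                continue
            m = ITEM_RE.match(item)
            if m is None:
                raise ValueError("cannot parse item: %r" % item)
            target.append(m.groups())
    return stanzas

def lint(stanzas):
    """Flag "=" on a check line for anything outside CONTROL_ATTRS."""
    return ['%s: check item "%s = %s" uses "="; compare with "%s == %s"'
            % (s["name"], a, v, a, v)
            for s in stanzas for a, op, v in s["check"]
            if op == "=" and a not in CONTROL_ATTRS]
```

On the sample, the first stanza has no check items at all (its `Service-Type` is sent back as a reply), the second is the one flagged, and the third is the form the reply recommends.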


Re: IAS and Openser

2006-09-13 Thread Stefan Winter
Hi,

>  How can I turn the freeradius server into a proxy?
>  I configured the proxy.conf, but it doesn't seem to work.
>
>  And I uncommented the lines in radiusd.conf:
>
>  proxy_requests  = yes
>  $INCLUDE  ${confdir}/proxy.conf
>
>  I want to do this:
>  |Openser| -> |Radiusclient| -> |Freeradius| -> |IAS| -> |AD|
>
>  Does this work?
>
>  And should I configure anything in IAS?

Configure the NULL realm with the same settings as DEFAULT. Other than that, 
the config sounds good to me. Did you change anything apart from that in the 
default config file? In particular, you need to have at least one instance of 
the "realm" module in authorize { }. The default config has "suffix" in 
there, that should be fine. You need to be sure then that your user names 
don't contain the @ character - otherwise they won't match the DEFAULT realm 
you set up in proxy.conf.

If you are positive that an instance of realm is in authorize and NULL is 
configured, but it still doesn't work then please post the debug output 
(radiusd -X) of a packet that arrived and was supposed to be proxied, but 
wasn't.

>  Sorry for the portuguese e-mail.

When I read it, I wondered what strange dialect of Spanish this is. :-) 
Portuguese and Spanish aren't that far apart after all, it seems.

Greetings,

Stefan Winter

-- 
Stefan WINTER

RESTENA Foundation - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
R&D Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu               Fax:      +352 422473



Re: freeRADIUS doc

2006-09-13 Thread affora deeb
hi did u get the answer 
if u did plz tell me 
coz i got the same problem 
On 8/28/06, Carlo Prestopino <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I'm trying to access freeRADIUS doc section
> (http://www.freeradius.org/radiusd/doc/), but I got a "Forbidden" access
> message. Is this section accessible to normal users?
>
> Best regards,
> Carlo