RE: Pattern Matching in users file

2006-09-15 Thread Garber, Neal
> You can't use the Group attribute that way.  It's for checking Unix
>groups.  You'll have to create another attribute for your local groups.

Do I need to predefine the attribute name somewhere before 
I attempt to create it in the users file?

>> Also, the Group attribute was added to %RAD_CHECK as opposed to
>> %RAD_REQUEST (Group was not an attribute in the original request).
>  The "users" file is documented as behaving this way.

Are you referring to the doc/processing_users_file?  If so, perhaps I
misunderstood the bullet within it that reads:

- The check pairlist of the request is replaced by the tmpcheck pairlist
  (this is the same as: the check pairlist from the usersfile entry is
   appended to the pairlist of the request)

The phrase in parentheses is what made me think I could add attributes
to the request.  Is this statement incorrect or am I interpreting it
differently than the author intended?  The first part of the bullet
matches what you said and what I experienced.

>  If you want to add an attribute to the request, you have to use the
>"hints" file.

I don't think that will work for me because the hints file doc.
states it adds attributes solely based upon prefix or suffix of
the username.  I want to add an attribute based upon the value of
Cisco-AVPair.  Am I misinterpreting the doc. for hints also?

Thanks again for your help Alan. 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Proxy.conf & clients.conf

2006-09-15 Thread Cliff Hayes
I have 1.1.2, so I'll have to upgrade.  Thanks.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 4:40 PM
To: FreeRadius users mailing list
Subject: Re: Proxy.conf & clients.conf


Hi,

> Ok, thanks.  But how about the include statement for proxy.conf?
>
> I have proxy set to No, but if I comment out the include statement,
> FreeRADIUS will not start.
>
> I am using MySQL database interface.

I cannot see such a problem with proxy.conf on either 1.1.3 or 2.0pre

alan


RE: Proxy.conf & clients.conf

2006-09-15 Thread Cliff Hayes
Sorry.  That's the first thing I looked for.  Even with debug set to 3 I get
no message.  It says it is attempting to load the config files, then says
FAILED.  I am using Fedora, and to install all I did was:

yum install freeradius.i386
yum install freeradius-unixODBC.i386
yum install freeradius-mysql.i386

So...I don't have the binary so I start it with:

service radiusd start

and no doubt I don't get the same feedback as if I were starting a binary.

Cliff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Alan DeKok
Sent: Friday, September 15, 2006 4:26 PM
To: FreeRadius users mailing list
Subject: Re: Proxy.conf & clients.conf


"Cliff Hayes" <[EMAIL PROTECTED]> wrote:
> I have proxy set to No, but if I comment out the include statement,
> FreeRADIUS will not start.

  Presumably it prints out some kind of error message.  What would that be?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


iODBC FreeTDS troubles

2006-09-15 Thread Angelo Compagnucci
Hi to all!

I have some trouble with debian stable, iODBC and FreeTDS to connect with a MS 
SQL server. I hate sql server but this is my first real job and I can't say 
no.

This is my problem: freeradius says

"sql_create_socket: SQLConnectfailed:  [iODBC][Driver Manager]Data source name 
not found and no default driver specified. Driver could not be loaded"

This is my /etc/odbc.ini

[ODBC Data Sources]
MSSQL = sql con connessione FreeTDS

[MSSQL]
Description = FreeTDS Freeradius MSSQL
# Driver  = {FreeTDS}
Database= Radius_DB
Driver  = /usr/lib/odbc/libtdsodbc.so
Setup   = /usr/lib/odbc/libtdsS.so
UID = wireles_admin
PWD = ***
Port= 1433
Server= 192.168.1.21
TDS Version  = 8.0

[Default]
Driver  = /usr/lib/odbc/libtdsodbc.so
Setup   = /usr/lib/odbc/libtdsS.so

When I try 

iodbctest "DSN=MSSQL;UID=wireless_admin;PWD=***"

from command line everything works well and I can query my db.

If I try 

iodbctest "DSN=MSSQL"

I have this error

1: SQLDriverConnect = [FreeTDS][SQL Server]Could not find UID parameter (0) 
SQLSTATE=IM007
1: ODBC_Connect = [FreeTDS][SQL Server]Could not find UID parameter (0) 
SQLSTATE=IM007

I have the ODBCINI set to /etc/odbc.ini

Can anyone help me?  


Re: VSA in Local User Profile

2006-09-15 Thread Kevin Bonner
On Friday 15 September 2006 15:52, A. K. wrote:
> Although it appears as Account-Info in dictionary.cisco, in the users file
> it has to be Cisco-Account-Info (some sort of automatic prepending occurs
> based on Vendor ID), so actually I was entering in the new VSA incorrectly.

Where do you see Account-Info in dictionary.cisco?  In my CVS and 1.1.3 
installs of freeradius, it isn't there.

> Changing it to Cisco-Account-Info creates a different problem. Only the
> first VSA of that name gets sent back in the Access-Accept response. Is
> this behavior configurable?

Your operators aren't correct.  See 
http://wiki.freeradius.org/index.php/Operators

Kevin Bonner



Re: Proxy.conf & clients.conf

2006-09-15 Thread A . L . M . Buxey
Hi,
> "Cliff Hayes" <[EMAIL PROTECTED]> wrote:
> > I have proxy set to No, but if I comment out the include statement,
> > FreeRADIUS will not start.
> 
>   Presumably it prints out some kind of error message.  What would that be?

with the absent clients.conf file, FR just disappears - even with -X debug
(1.1.3 of course)

alan


Re: Proxy.conf & clients.conf

2006-09-15 Thread A . L . M . Buxey
Hi,

> Ok, thanks.  But how about the include statement for proxy.conf?
> 
> I have proxy set to No, but if I comment out the include statement,
> FreeRADIUS will not start.
> 
> I am using MySQL database interface.

I cannot see such a problem with proxy.conf on either 1.1.3 or 2.0pre

alan


Re: Proxy.conf & clients.conf

2006-09-15 Thread Alan DeKok
"Cliff Hayes" <[EMAIL PROTECTED]> wrote:
> I have proxy set to No, but if I comment out the include statement,
> FreeRADIUS will not start.

  Presumably it prints out some kind of error message.  What would that be?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Proxy.conf & clients.conf

2006-09-15 Thread Cliff Hayes
Ok, thanks.  But how about the include statement for proxy.conf?

I have proxy set to No, but if I comment out the include statement,
FreeRADIUS will not start.

I am using MySQL database interface.

Cliff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 3:24 PM
To: FreeRadius users mailing list
Subject: Re: Proxy.conf & clients.conf


Hi,

> Also, the clients file is almost completely commented out except for the
> 127.0.0.1 section, which the directions say should be commented out anyway
> after testing.

just tested behaviour in 2.0 CVS pre release.  you don't need to have
clients.conf - it's a 1.1.x issue that you are seeing

alan


Re: Pattern Matching in users file

2006-09-15 Thread Alan DeKok
"Garber, Neal" <[EMAIL PROTECTED]> wrote:
> DEFAULT Cisco-AVPair =~ "ssid=(.*)", Group := "%{1}"

  You can't use the Group attribute that way.  It's for checking Unix
groups.  You'll have to create another attribute for your local groups.

> Also, the Group attribute was added to %RAD_CHECK as opposed to
> %RAD_REQUEST (Group was not an attribute in the original request).

  The "users" file is documented as behaving this way.

  If you want to add an attribute to the request, you have to use the
"hints" file.


  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Proxy.conf & clients.conf

2006-09-15 Thread A . L . M . Buxey
Hi,

> Also, the clients file is almost completely commented out except for the
> 127.0.0.1 section, which the directions say should be commented out anyway
> after testing.

just tested behaviour in 2.0 CVS pre release.  you don't need to have
clients.conf - it's a 1.1.x issue that you are seeing

alan


RE: AAA configuration for given attributes - need help please !!!

2006-09-15 Thread Garber, Neal
> EAP Message Exchange will occur (EAP-TTLS MS-CHAP-v2
> authentication or any other authentication

What are you planning to use for authentication?  No one else can decide for you!

> Hope that clarifies the problem.

It’s still not clear exactly what you are trying to accomplish.  Instead of
describing the workings of the RADIUS protocol, describe what you are trying to do.


Re: VSA in Local User Profile

2006-09-15 Thread A. K.
Although it appears as Account-Info in dictionary.cisco, in the users
file it has to be Cisco-Account-Info (some sort of automatic prepending
occurs based on Vendor ID), so actually I was entering in the new VSA
incorrectly.

Changing it to Cisco-Account-Info creates a different problem. Only the
first VSA of that name gets sent back in the Access-Accept response. Is
this behavior configurable?

On 9/15/06, Kevin Bonner <[EMAIL PROTECTED]> wrote:
> On Friday 15 September 2006 14:39, A. K. wrote:
> > User profile is as follows:
> >
> > "test" Auth-Type := Local, User-Password == "test"
> > Idle-Timeout = 300,
> > Session-Timeout = 1560,
> > Acct-Interim-Interval = 600,
> > Account-Info = "QU;8000;4000;D;8000;4000",
> > Reply-Message = Authenticated,
> > Cisco-Account-Info = Axxx
> >
> > All attributes are returned in the Access-Accept message except for:
> >
> > Account-Info = "QU;8000;4000;D;8000;4000"
> >
> > Am I violating some sort of syntax restriction?
>
> $ grep Account-Info share/dictionary*
> share/dictionary.cisco:ATTRIBUTE Cisco-Account-Info 250 string
>
> In the default dictionary files, I see no Account-Info attribute.  Did you add
> this to your local dictionary file?  When you run freeradius in debug mode,
> do you see an error when it encounters that line?
>
> Kevin Bonner

Pattern Matching in users file

2006-09-15 Thread Garber, Neal
I have the following entry in my users file:

DEFAULT Cisco-AVPair =~ "ssid=(.*)", Group := "%{1}"

I added a perl module after files in my authorize section and
data::dumper’ed %RAD_REQUEST, %RAD_CHECK and %RAD_CONFIG for debugging
purposes.  The Cisco-AVPair value in the request is “ssid=EE-Corp”.
I would expect that the value of Group would be “EE-Corp”.
Instead, the value of Group was “(.*)”.  I tried using
backticks around the %{1}.  I tried “=” as opposed to “:=”.

Also, the Group attribute was added to %RAD_CHECK as opposed
to %RAD_REQUEST (Group was not an attribute in the original request).
This prevented me from using module checkval to test it.  I ended up using
the attr_rewrite module to change Cisco-AVPair so it could be tested by
checkval.

So, if it’s supported, what is the syntax for regex
pattern matching and substitution in the users file?  Also, if it’s
possible, what is the syntax to create a new request attribute in the users file?

Thank you for creating/supporting/maintaining the best and
most flexible Radius server.


Re: AAA configuration for given attributes - need help please !!!

2006-09-15 Thread Francois-Xavier GAILLARD
On Fri, Sep 15, 2006 at 08:42:37PM +0300, Peter Nixon wrote:
> On Fri 15 Sep 2006 20:27, Alan DeKok wrote:
> > "Rafiqul Ahsan" <[EMAIL PROTECTED]> wrote:
> > > I am new to this AAA freeradius area, I need to configure the AAA radius
> > > server for following mentioned attributes according to the message,
> > > Access-req, Access-Accept, and Access-Challenge, and Access-Reject (pls
> > > see below).
> >
> >   Configure the server to do... what, exactly?
> >
> >   The question you're asking is the same as "how do I configure a web
> > server to send bold text."  The answer is "huh?"
> 
> Why do I have the nasty feeling that there is a university somewhere teaching 
> AAA as a course

The teacher is a really bad one then...

Regards,
Fox.


Re: VSA in Local User Profile

2006-09-15 Thread Kevin Bonner
On Friday 15 September 2006 14:39, A. K. wrote:
> User profile is as follows:
>
> "test" Auth-Type := Local, User-Password == "test"
> Idle-Timeout = 300,
> Session-Timeout = 1560,
> Acct-Interim-Interval = 600,
> Account-Info = "QU;8000;4000;D;8000;4000",
> Reply-Message = Authenticated,
> Cisco-Account-Info = Axxx
>
> All attributes are returned in the Access-Accept message except for:
>
> Account-Info = "QU;8000;4000;D;8000;4000"
>
> Am I violating some sort of syntax restriction?

$ grep Account-Info share/dictionary*
share/dictionary.cisco:ATTRIBUTE Cisco-Account-Info 250 string

In the default dictionary files, I see no Account-Info attribute.  Did you add 
this to your local dictionary file?  When you run freeradius in debug mode, 
do you see an error when it encounters that line?

Kevin Bonner



Re: AAA configuration for given attributes - need help please !!!

2006-09-15 Thread Rafiqul Ahsan
The answer to that is, user will be authenticated by sending RADIUS Access Req with EAP Message, Server will respond to the client by RADIUS Access-Challenge, EAP-TTLS Tunnel will be established (TLS handshake protocol using EAP message), EAP Message Exchange will occur (EAP-TTLS MS-CHAP-v2 authentication or any other authentication), and Server will either send RADIUS Access-Accept, or Access-Reject. The attributes will be included in the messages - my question is how to find the particular radius file where we are going to configure these attributes?

I have seen client.conf, users and radiusd.conf - not finding much...because of my lack of experience...

Hope that clarifies the problem.

Thanks
rafi

On 9/15/06, Peter Nixon <[EMAIL PROTECTED]> wrote:
> On Fri 15 Sep 2006 20:27, Alan DeKok wrote:
> > "Rafiqul Ahsan" <[EMAIL PROTECTED]> wrote:
> > > I am new to this AAA freeradius area, I need to configure the AAA radius
> > > server for following mentioned attributes according to the message,
> > > Access-req, Access-Accept, and Access-Challenge, and Access-Reject (pls
> > > see below).
> >
> >   Configure the server to do... what, exactly?
> >
> >   The question you're asking is the same as "how do I configure a web
> > server to send bold text."  The answer is "huh?"
>
> Why do I have the nasty feeling that there is a university somewhere teaching
> AAA as a course
>
> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc

RE: Proxy.conf & clients.conf

2006-09-15 Thread Cliff Hayes
Oops.  I forgot to mention that I am using MySQL and have all my client data
in the nas table and attributes in the radgroupreply table.

Cliff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Seferovic Edvin
Sent: Friday, September 15, 2006 11:28 AM
To: 'FreeRadius users mailing list'
Subject: RE: Proxy.conf & clients.conf


Hello,

how do you expect the server to work if he doesn't know which clients are
allowed to use it? Commenting out the proxy.conf should not affect the
server if you do not need proxy features.

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
g] On Behalf Of Cliff Hayes
Sent: Friday, 15 September 2006 18:07
To: freeradius-users@lists.freeradius.org
Subject: Proxy.conf & clients.conf

Hello,

I am a new FreeRADIUS user.

The server is working for us.  However, I am wondering why it won't start if
I comment out the includes for clients.conf and proxy.conf.  Even setting to
debug level 3 doesn't tell me why.

We are not proxying, and I have proxying turned off.

Also, the clients file is almost completely commented out except for the
127.0.0.1 section, which the directions say should be commented out anyway
after testing.

Thanks in advance,

Cliff



VSA does not work when using PROXY

2006-09-15 Thread Guilherme Franco

Hello,

Please Help!

Using latest CVS - Proxy-Radius does not pass the VSA, as below (in users):

DEFAULT Pool-Name := test
  X-Ascend-Client-Primary-DNS = x.x.x.x,
  X-Ascend-Client-Assign-DNS = 1,
  ERX-Virtual-Router-Name = "default",
  Framed-Routing == None,
  Framed-Protocol = PPP,
  Service-Type = Framed-User

note: those VSAs work correctly when I try with local users (no proxy):

In attrs file:

realm
  Service-Type == Framed-User,
  Framed-Protocol == PPP,
  X-Ascend-Client-Primary-DNS == x.x.x.x,
  X-Ascend-Client-Assign-DNS == 1,
  ERX-Virtual-Router-Name == "default",
  Idle-Timeout <= 600,
  Session-Timeout <= 28800

Output:

rad_recv: Access-Request packet from host x.x.x.x port 5, id=55, length=251
   User-Password = "xxx"
   User-Name = "[EMAIL PROTECTED]"
   Acct-Session-Id = "erx atm 3/2.42:100.221:0009437817"
   Service-Type = Framed-User
   Framed-Protocol = PPP
   ERX-Pppoe-Description = "pppoe 12:34:56:78:9a:bc"
   Calling-Station-Id = "#BRAS-01#this is a description#100#221"
   Connect-Info = "speed:UBR:12000"
   NAS-Port-Type = xDSL
   NAS-Port = 845414621
   NAS-Port-Id = "atm 3/2.42:100.221"
   NAS-IP-Address = x.x.x.x
   NAS-Identifier = "BRAS-01"
 Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 0
   rlm_realm: Looking up realm "realm" for User-Name = "xxx"
   rlm_realm: Found realm "realm"
   rlm_realm: Adding Stripped-User-Name = "xxx"
   rlm_realm: Proxying request from user xxx to realm realm
   rlm_realm: Adding Realm = "realm"
   rlm_realm: Preparing to proxy authentication request to realm "realm"
 rlm_eap: No EAP-Message, not doing EAP
   users: Matched entry DEFAULT at line 194
modcall: group authorize returns noop for request 0
Sending Access-Request of id 155 to x.x.x.x port 1645
   User-Password = "xxx"
   User-Name = "xxx"
   Acct-Session-Id = "erx atm 3/2.42:100.221:0009437817"
   Service-Type = Framed-User
   Framed-Protocol = PPP
   ERX-Pppoe-Description = "pppoe 12:34:56:78:9a:bc"
   Calling-Station-Id = "#BRAS-01#this is a description#100#221"
   Connect-Info = "speed:UBR:12000"
   NAS-Port-Type = xDSL
   NAS-Port = 845414621
   NAS-Port-Id = "atm 3/2.42:100.221"
   NAS-IP-Address = x.x.x.x
   NAS-Identifier = "BRAS-01"
   Proxy-State = 0x3535
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Accept packet from host x.x.x.x port 1645, id=155, length=60
   Framed-IP-Address = 255.255.255.254
   Framed-IP-Netmask = 255.255.255.255
   Framed-MTU = 576
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP
   Proxy-State = 0x3535
 Processing the post-proxy section of radiusd.conf
modcall:  entering group post-proxy for request 0
attr_filter: Matched entry realm at line 52
modcall: group post-proxy returns noop for request 0
authorize: Skipping authorize in post-proxy stage
 rad_check_password:  Found Auth-Type
 rad_check_password: Auth-Type = Accept, accepting the user
 Processing the post-auth section of radiusd.conf
modcall:  entering group post-auth for request 0
radius_xlat:  'x.x.x.x 845414621'
rlm_ippool: MD5 on 'key' directive maps to: 6e4d4f13b0396f83e15609738a3bc036
rlm_ippool: Searching for an entry for key: '6e4d4f13b0396f83e15609738a3bc036'
rlm_ippool: Allocating ip to key: '6e4d4f13b0396f83e15609738a3bc036'
rlm_ippool: num: 1
rlm_ippool: Allocated ip x.x.x.x to client key: 6e4d4f13b0396f83e15609738a3bc036
modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 55 to x.x.x.x port 5
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address = x.x.x.x
   Framed-IP-Netmask = 255.255.255.255
Finished request 0
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 55 with timestamp 450b0ba9
Nothing to do.  Sleeping until we see a request.

As you can see, the VSA was not included in the Access-Accept response.

Please HELP!


THANKS!
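
One way to see where reply attributes go missing in a `radiusd -X` trace like the one in the post above, as an added example that is not part of the original post or of FreeRADIUS. It parses the packet dumps and compares the Access-Accept received from the home server with the Access-Accept sent to the NAS; the function names, the sample trace and its addresses are constructed for illustration, and the expected VSA names are the ones listed in the post.

```python
import re

# Packet headers and attribute lines as printed by `radiusd -X` in the post above.
RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
SEND = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port \d+")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")

# VSAs the poster expected to see in the final Access-Accept.
EXPECTED_VSAS = [
    "X-Ascend-Client-Primary-DNS",
    "X-Ascend-Client-Assign-DNS",
    "ERX-Virtual-Router-Name",
]

# Constructed sample: an abridged trace in the same format. The addresses are
# documentation placeholders, not values from the post.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 5, id=55, length=251
   User-Name = "user@realm"
   Service-Type = Framed-User
   rlm_realm: Adding Realm = "realm"
Sending Access-Request of id 155 to 192.0.2.20 port 1645
   User-Name = "user"
   Proxy-State = 0x3535
rad_recv: Access-Accept packet from host 192.0.2.20 port 1645, id=155, length=60
   Framed-IP-Address = 255.255.255.254
   Framed-MTU = 576
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP
   Proxy-State = 0x3535
attr_filter: Matched entry realm at line 52
Sending Access-Accept of id 55 to 192.0.2.10 port 5
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address = 198.51.100.7
Finished request 0
"""


def parse_packets(text):
    """Return the packets in a debug trace, each with its attribute list."""
    packets, current = [], None
    for line in text.splitlines():
        recv, send = RECV.match(line), SEND.match(line)
        if recv:
            current = {"dir": "recv", "code": recv.group(1),
                       "peer": recv.group(2), "id": int(recv.group(3)), "attrs": []}
            packets.append(current)
        elif send:
            current = {"dir": "send", "code": send.group(1),
                       "peer": send.group(3), "id": int(send.group(2)), "attrs": []}
            packets.append(current)
        elif current is not None:
            attr = ATTR.match(line)
            if attr:
                current["attrs"].append((attr.group(1), attr.group(2)))
            else:
                # Any other line (module output, "Finished request") ends the dump.
                current = None
    return packets


def compare_replies(packets, expected):
    """Compare the proxied Access-Accept with the one sent to the NAS."""
    home = next((p for p in packets
                 if p["dir"] == "recv" and p["code"] == "Access-Accept"), None)
    final = next((p for p in packets
                  if p["dir"] == "send" and p["code"] == "Access-Accept"), None)
    if home is None or final is None:
        return None  # trace does not contain a complete proxied exchange
    home_names = {name for name, _ in home["attrs"]}
    final_names = {name for name, _ in final["attrs"]}
    return {
        # Present in the home server's reply, absent from the reply to the NAS.
        "removed_after_proxy": sorted(home_names - final_names),
        # Present in the reply to the NAS only, so added by the local server.
        "added_locally": sorted(final_names - home_names),
        "expected_missing_from_home_reply":
            [n for n in expected if n not in home_names],
        "expected_missing_from_final_reply":
            [n for n in expected if n not in final_names],
    }


if __name__ == "__main__":
    report = compare_replies(parse_packets(SAMPLE_DEBUG), EXPECTED_VSAS)
    for key, value in report.items():
        print(f"{key}: {value}")
```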


VSA in Local User Profile

2006-09-15 Thread A. K.
User profile is as follows:

"test" Auth-Type := Local, User-Password == "test"
    Idle-Timeout = 300,
    Session-Timeout = 1560,
    Acct-Interim-Interval = 600,
    Account-Info = "QU;8000;4000;D;8000;4000",
    Reply-Message = Authenticated,
    Cisco-Account-Info = Axxx

All attributes are returned in the Access-Accept message except for:

     Account-Info = "QU;8000;4000;D;8000;4000"

Am I violating some sort of syntax restriction? 

Re: Proxy.conf & clients.conf

2006-09-15 Thread A . L . M . Buxey
Hi,

> how do you expect the server to work if he doesn't know which clients are
> allowed to use it? Commenting out the proxy.conf should not affect the
> server if you do not need proxy features.

we have faced this same issue with clients.conf - which is a little
weird if you have all your clients defined in a NAS database you
shouldn't need the file. removing extraneous files is a handy way
of eliminating excess baggage (everyone should be deleting clients
and naslist too of course)

alan


Re: AAA configuration for given attributes - need help please !!!

2006-09-15 Thread Peter Nixon
On Fri 15 Sep 2006 20:27, Alan DeKok wrote:
> "Rafiqul Ahsan" <[EMAIL PROTECTED]> wrote:
> > I am new to this AAA freeradius area, I need to configure the AAA radius
> > server for following mentioned attributes according to the message,
> > Access-req, Access-Accept, and Access-Challenge, and Access-Reject (pls
> > see below).
>
>   Configure the server to do... what, exactly?
>
>   The question you're asking is the same as "how do I configure a web
> server to send bold text."  The answer is "huh?"

Why do I have the nasty feeling that there is a university somewhere teaching 
AAA as a course

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: AAA configuration for given attributes - need help please !!!

2006-09-15 Thread Alan DeKok
"Rafiqul Ahsan" <[EMAIL PROTECTED]> wrote:
> I am new to this AAA freeradius area, I need to configure the AAA radius
> server for following mentioned attributes according to the message,
> Access-req, Access-Accept, and Access-Challenge, and Access-Reject (pls see
> below).

  Configure the server to do... what, exactly?

  The question you're asking is the same as "how do I configure a web
server to send bold text."  The answer is "huh?"

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Cisco AP1200 - Freeradius - LDAP configuration

2006-09-15 Thread Lin Richardson
as a follow up, reading from the radiusd.conf file:

    #  However, LDAP can be used for authentication ONLY when the
    #  Access-Request packet contains a clear-text User-Password
    #  attribute.  LDAP authentication will NOT work for any other
    #  authentication method.
    #
    #  This means that LDAP servers don't understand EAP.  If you
    #  force "Auth-Type = LDAP", and then send the server a
    #  request containing EAP authentication, then authentication
    #  WILL NOT WORK

On 9/15/06, Lin Richardson <[EMAIL PROTECTED]> wrote:
> Haven't I read that if you do LDAP authentication, you have to use cleartext passwords?
> Not sure you can use EAP + LDAP.  Someone can correct me if I'm wrong.
>
> Regards,
> Lin
>
> ps,  We use Cisco1200's for our Enterprise WLAN, they work great with freeradius MAC authentication.
> We store our MAC addresses in LDAP, and that creates some interesting issues.  Best of luck!
>
> On 9/15/06, Tho Nguyen <[EMAIL PROTECTED]> wrote:
> > Hello Everyone,
> >
> > I am trying to configure Cisco AP1200, FreeRadius, and LDAP.  I use EAP
> > Authentication.  I tried many ways, but it didn't go anywhere.  If any
> > of you have good configuration or have documents to show me how to set
> > it up, please let me know.  Thanks very much in advance.
> >
> > Tho Nguyen




AAA configuration for given attributes - need help please !!!

2006-09-15 Thread Rafiqul Ahsan
Hi,
 
I am new to this AAA freeradius area, I need to configure the AAA radius server for following mentioned attributes according to the message, Access-req, Access-Accept, and Access-Challenge, and Access-Reject (pls see below). Also, I looked at the configuration files at radius server like clients.conf, users, radiusd.conf - I am not sure where this attributes to configure. Could any body help me getting started with this that would be highly appreciated. Also, please comment on the VSA attribute below - I am trying to understand on section 5.26, RFC 2865 - but not sure where to start.

Your help would be highly appreciated.

Below the attributes :

Access Request attributes

User-Name
User-Password
NAS-IPAddress
NAS-Port
Service-Type
State
Vendor-Specific
Session-Timeout
NAS-Identifier
Called-Station-ID
Calling-Station-ID
NAS-Port-Type
EAP-Message
Message-Authenticator

Access-Challenge attributes

Reply-Message
State
Session-Timeout
EAP-Message
Message-Authenticator

Access-Accept attributes

User-Name
State
Service-Type
Session-Timeout
EAP-Message
VSA (Vendor Suitable Attributes)
VSA ( ---)
Message-Authenticator

Access-Reject Attributes

Reply-Message
State
Session-Timeout
EAP-Message
Message-Authenticator

Thanks
Rafi
 
 

RE: Proxy.conf & clients.conf

2006-09-15 Thread Seferovic Edvin
Hello,

how do you expect the server to work if he doesn't know which clients are
allowed to use it? Commenting out the proxy.conf should not affect the
server if you do not need proxy features.

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
g] On Behalf Of Cliff Hayes
Sent: Friday, 15 September 2006 18:07
To: freeradius-users@lists.freeradius.org
Subject: Proxy.conf & clients.conf

Hello,

I am a new FreeRADIUS user.

The server is working for us.  However, I am wondering why it won't start if
I comment out the includes for clients.conf and proxy.conf.  Even setting to
debug level 3 doesn't tell me why.

We are not proxying, and I have proxying turned off.

Also, the clients file is almost completely commented out except for the
127.0.0.1 section, which the directions say should be commented out anyway
after testing.

Thanks in advance,

Cliff



RE: Attribute Operators

2006-09-15 Thread Cliff Hayes
Perfect!  Thanks.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Peter Nixon
Sent: Thursday, September 14, 2006 4:48 PM
To: FreeRadius users mailing list
Subject: Re: Attribute Operators


On Thu 14 Sep 2006 19:09, Cliff Hayes wrote:
> Hello everyone,
>
> Does anyone know of a good reference site for the attribute operators (:=,
> ==, +=) that shows what each means?

http://wiki.freeradius.org/index.php/Operators


--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Proxy.conf & clients.conf

2006-09-15 Thread Cliff Hayes
Hello,

I am a new FreeRADIUS user.

The server is working for us.  However, I am wondering why it won't start if
I comment out the includes for clients.conf and proxy.conf.  Even setting to
debug level 3 doesn't tell me why.

We are not proxying, and I have proxying turned off.

Also, the clients file is almost completely commented out except for the
127.0.0.1 section, which the directions say should be commented out anyway
after testing.

Thanks in advance,

Cliff



Re: Attribute Operators

2006-09-15 Thread Kevin Bonner
On Friday 15 September 2006 03:04, Peter Nixon wrote:
> Thanks. I was meaning to fix that this morning. It was midnight when I
> copied that data in there and I couldn't be bothered at the time to figure
> out how to cancel the wiki formatting :-)

I've added the link that I use for MediaWiki formatting to 
http://wiki.freeradius.org/index.php/Help:Editing

It would be nice to use apache rewrites to drop the index.php and make the URL 
a little cleaner, but that's not necessary for the wiki to work.

Switching to another skin, it looks like the $wgLogo option wasn't set.  To 
get rid of the logo spot on the default skin, did someone just edit the 
template file for that skin?  I don't mind the default skin, but being able 
to switch to another one and have it look similar would be great!

-Kevin



ERROR! Proxy listen.c error

2006-09-15 Thread Guilherme Franco

Hello,

Using Proxy, when user mistypes the password, radiusd -X crashes with
Assertion failed in listen.c, line 558

Line 558 = rad_assert(request->listener == listener);

Thanks.


Re: denying access to user from device

2006-09-15 Thread Lin Richardson
Where is your "files" declaration in the authorize section?  Do you see the server looking at your users file in the debug messages?  If the users file is never processed, I don't think Autz-Type will be set as you intend.

Try

authorize {
        preprocess
        files
        eap
        mschap
        Autz-Type LDAP {
                ldap
        }
        Autz-Type LDMS {
                ldap
                sql
        }
}

Regards,
Lin

On 9/15/06, Rob Shepherd <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > Rob Shepherd wrote:
> > > TYPO!
> > >
> > > DEFAULT HuntGroup-Name == ciscovpnc
> > >  Autz-Type := ldap
> > >
> > > ...is how it looks in raddb/user.
> >
> > You need to put the Autz-Type on the first line as a check item.
> >
> > DEFAULT HuntGroup-Name == ciscovpnc, Autz-Type := ldap
>
> Thanks to Alan D. and Garret M. for their comments..
>
> However , neither ldap nor sql are checked at all in any case now.  I've
> not quite got it right
>
> I've since ditched declaring raddb/huntgroups, as a simplifying
> exercise. I'm checking for NAS-IP-Address instead in raddb/users.
>
> raddb/users now looks like this
>
> DEFAULT Auth-Type := PAP
>         Fall-Through = yes
>
> # wlan controller - needs LDAP and MySQL
> DEFAULT NAS-IP-Address == 172.16.6.4, Autz-Type := LDMS
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Fall-Through = yes
>
> # vpn concentrator - only LDAP
> DEFAULT NAS-IP-Address == 10.1.33.4, Autz-Type := LDAP
>         Fall-Through = yes
>
> radiusd has this..
>
> authorize {
>         preprocess
>         eap
>         mschap
>         Autz-Type LDAP {
>                 ldap
>         }
>         Autz-Type LDMS {
>                 ldap
>                 sql
>         }
> }
>
> The modules section is as it was when wireless was working. I can see
> with -X that the ldap and sql modules are instantiated fine.
>
> Here's the only processing that is done.
>
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> modcall: leaving group authorize (returns ok) for request 0
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
>
> If anybody would be so kind as to point me in the right direction
>
> Thanks IA
>
> Rob
>
> --
> Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
> [EMAIL PROTECTED] | 01248 675024 | 077988 72480

Re: Cisco AP1200 - Freeradius - LDAP configuration

2006-09-15 Thread Lin Richardson
Haven't I read that if you do LDAP authentication, you have to use cleartext passwords?
Not sure you can use EAP + LDAP.  Someone can correct me if I'm wrong.

Regards,
Lin

ps,  We use Cisco1200's for our Enterprise WLAN, they work great with freeradius MAC authentication.  We store our MAC addresses in LDAP, and that creates some interesting issues.  Best of luck!

On 9/15/06, Tho Nguyen <[EMAIL PROTECTED]> wrote:
> Hello Everyone,
>
> I am trying to configure Cisco AP1200, FreeRadius, and LDAP.  I use
> EAP Authentication.  I tried many ways, but it didn't go anywhere.  If any
> of you have good configuration or have documents to show me how to set
> it up, please let me know.  Thanks very much in advance.
>
> Tho Nguyen

Re: denying access to user from device

2006-09-15 Thread Alan DeKok
Rob Shepherd <[EMAIL PROTECTED]> wrote:
> If anybody would be so kind as to point me in the right direction

  The "authorize" section doesn't list "files".

  So... the debug log doesn't show it matching any entries in the
"users" file.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
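
The check described in the reply above, as an added example that is not part of the original thread: it reads the authorize section and the `radiusd -X` lines from Rob's post and reports that `files` is neither listed nor run, so the modules inside the Autz-Type sub-sections never execute. The function names are hypothetical, and the log pattern assumes the `modcall[...]` debug format shown in the post.

```python
import re

# radiusd -X output copied from the post (FreeRADIUS 1.x debug format).
DEBUG_LOG = '''\
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
'''

# authorize section as posted; note there is no "files" entry.
AUTHORIZE_POSTED = '''\
authorize {
    preprocess
    eap
    mschap
    Autz-Type LDAP {
        ldap
    }
    Autz-Type LDMS {
        ldap
        sql
    }
}
'''

MODCALL_RE = re.compile(r'modcall\[authorize\]: module "([^"]+)" returns (\w+)')


def modules_run(log):
    """Module names that the debug log shows running in authorize."""
    return [name for name, _rcode in MODCALL_RE.findall(log)]


def parse_authorize(conf):
    """Return (top-level modules, {Autz-Type name: [modules]})."""
    top, autz, current = [], {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line or re.match(r"authorize\s*\{", line):
            continue
        sub = re.match(r"Autz-Type\s+(\S+)\s*\{", line)
        if sub:
            current = sub.group(1)               # entering a sub-section
            autz[current] = []
        elif line == "}":
            current = None                       # leaving sub-section or authorize
        elif current is not None:
            autz[current].append(line)
        else:
            top.append(line)
    return top, autz


def diagnose(conf, log):
    """Summarise why the Autz-Type sub-sections were skipped for a request."""
    top, autz = parse_authorize(conf)
    ran = set(modules_run(log))
    expected = {mod for mods in autz.values() for mod in mods}
    return {
        "files_listed": "files" in top,          # users file consulted at all?
        "files_ran": "files" in ran,
        "autz_modules_not_run": sorted(expected - ran),
    }
```
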


non existing account can still login / freeradius only runs in debugmode ?

2006-09-15 Thread Tom De Wispelaere
Hello guys,

we have a server setup running freeradius (= 1.1.2-2) with a mysql backend on debian Linux.
We receive a lot of authorization requests and accounting requests from the equipment of an isp.

Setup is as follows:
server A with master freeradius and mysql, server B with backup radius that uses mysql on server A.
The mysql is of course still a single point of failure. We tried it first with a local mysql server on server B but did find it difficult to process the accounting records in an easy and simple way when they are scattered over two databases on two different servers. Any suggestions on this setup would be greatly appreciated.

Everything seems to work except for the following:

- if we try to start the server threaded and as it is supposed to work (ie /etc/init.d/freeradius start), it crashes regularly under load without any further explanation...
  If we run freeradius in debug mode (/usr/sbin/freeradius -X), everything keeps working just fine... I have done several upgrades (coming from version 0.9) but I still see the same problem and I cannot get it to work without a crash (sooner or later) in threaded mode.
  Do any of you experience similar problems? Is there a remedy or things I could try to find the cause?

- usernames that can't (and should not be able to) login (username not present anymore in the mysql database, nor any passwd file) and get a "Login incorrect" most of the time, sometimes get through and get authenticated (!)...
  It's very strange behavior and I have been trying to find a cause for this. At first I thought the culprit would be the equipment at the other side that did something wrong, but apparently it explicitly receives a Login OK from our radius (together with profile info etc) as I see in the packet flow.
  I cannot find a single Login OK for these specific users in the debug info however, only the login incorrects and acct records (see below).

  rlm_chap: login attempt by "USERNAME1" with CHAP password
  rlm_chap: Could not find clear text password for user USERNAME1
Login incorrect (rlm_chap: Clear text password not available): [USERNAME1/] (from client adsl port xxx)

The mysql acct records do show traffic and alive records for these logins (a few) and a lot of Login Failures.
Is there an easy way to dig deeper into this problem and find the cause for these spooky logins that should not happen?

Any help or suggestions greatly appreciated,

Best regards,
Tom

Re: MySQL.conf

2006-09-15 Thread Alan DeKok
"Dan Massey" <[EMAIL PROTECTED]> wrote:
> I am trying to log parts of the accounting data to a different table
> than 'radacct', but am struggling to get the syntax for adding an
> 'INSERT INTO ' line to the 'accounting_update_query', is there a way
> to get it to execute 2 SQL commands?

  No.  You can run two sql modules, though.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


W2K doesn't ask FreeRadius with EAP

2006-09-15 Thread Alexandros Gougousoudis

Hi,

I got a very strange problem and I don't know where else to look. Maybe 
one of you has an idea what could be wrong.

I've set up (with a lot of the list's help) a Freeradius server, based on 
certificates, doing machine authentication over our linksys switch 
as AP. The clients are using EAP-TLS and for most clients it works. 
But there are two W2K clients which don't want to register over 
radius; the radius server doesn't even get a request.

I took a fresh install of W2K with SP4, put on all updates, put on IE6 and 
the necessary certs and registry patch, started the wireless service, 
configured network settings, rebooted. If I connect the network cable to 
the secured ethernet port I get in Windows "Couldn't logon to the network" 
(in German). I have 2 other W2K machines working without a problem (even 
on the same switch port).

I had a Realtek NIC in that PC, put on new drivers, no effect. Put in an 
older 3com NIC, no effect. It's like the AP doesn't forward the request 
to the Freeradius server. With other W2K no problem, with XP no problem 
with this AP.

Something I could do, besides throwing the PC out of the window?

TIA
 Alex




--
ServiceCenter IT - Alexandros Gougousoudis (Leiter)

Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule 
für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst 
Busch".


Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445




FreeRadius autentication delay

2006-09-15 Thread Josep Martí Colomina
Hi,

I am using FreeRadius version 1.0.5 to authenticate the users of a wireless network, with eDirectory.

Since the first day, I have been experiencing delays in the FreeRadius authentication on the wireless network. There are moments when it works well and authenticates in 2 seconds; this happens after restarting FreeRadius. But during normal operation, one time the delay is 2 seconds and two more times the delay is 30 seconds. It seems that some timeout expires; authentication is late on the order of 30 seconds.

The configuration is the following:
- Red Hat Enterprise Linux AS release 3 (Taroon Update 5)
- FreeRadius 1.0.5 
- The ldap server is eDirectory (two nodes) with load balancing.

I can rule out that the problem comes from the load balancing, since I have reconfigured FreeRadius with the IP of each eDirectory node and it reacts in the same way with both nodes. Can you make some suggestion in order to solve this problem, maybe in the parametrization of FreeRadius? Any help will be of great value to me,

thank you
-- 
josep.colominaATgmail.com

URGENT! User does not get VSA attribute If override = yes and in radiusd.conf and using PROXY

2006-09-15 Thread Guilherme Franco

Hi,

I need to set override = yes in radiusd.conf in order for the user to get an IP.

This way because it's a proxy request.
i.e: [EMAIL PROTECTED] -> proxy to realm -> realm authorize user ->
myradius sets the IP

The IP assignment does not work with override = no, because the proxy
radius tends to set the IP 255.255.255.254.

Ok, if override = yes, the users get the correct IP from the pool,
but not the VSA, as below:

DEFAULT Pool-Name := test
  X-Ascend-Client-Primary-DNS = x.x.x.x,
  X-Ascend-Client-Secondary-DNS = x.x.x.x,
  X-Ascend-Client-Assign-DNS = 1,
  ERX-Virtual-Router-Name = "default",
  Framed-Routing == None,
  Framed-Protocol = PPP,
  Service-Type = Framed-User

Note: those VSAs work correctly when I specify local users like this
(not proxy):

testuser  Auth-Type := local, User-Password == "foo", Pool-Name := test
   X-Ascend-Client-Primary-DNS = x.x.x.x,
   X-Ascend-Client-Secondary-DNS = x.x.x.x,
   X-Ascend-Client-Assign-DNS = 1,
   ERX-Virtual-Router-Name = "default",
   Fall-Through = Yes


Please HELP!

THANKS!


Cisco AP1200 - Freeradius - LDAP configuration

2006-09-15 Thread Tho Nguyen
Hello Everyone,
 
I am trying to configure Cisco AP1200, FreeRadius, and LDAP.  I use
EAP Authentication.  I tried many ways, but it didn't go anywhere.  If any
of you have good configuration or have documents to show me how to set
it up, please let me know.  Thanks very much in advance.
 
Tho Nguyen


Re: Radius with SNMP -- Urgent

2006-09-15 Thread Michael Schwartzkopff
On Friday, 15 September 2006 12:03, Kshitij Korde wrote:
> I didn't refer to any document, so I am not very sure about this
> configuration, please provide some useful information about this
>
> Regards
> kshitij

READ (!) snmp.conf from the FR sources.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: denying access to user from device

2006-09-15 Thread Rob Shepherd

[EMAIL PROTECTED] wrote:
> Rob Shepherd wrote:
> > TYPO!
> >
> > DEFAULT HuntGroup-Name == ciscovpnc
> >  Autz-Type := ldap
> >
> > ...is how it looks in raddb/user.
>
> You need to put the Autz-Type on the first line as a check item.
>
> DEFAULT HuntGroup-Name == ciscovpnc, Autz-Type := ldap


Thanks to Alan D. and Garret M. for their comments..

However , neither ldap nor sql are checked at all in any case now.  I've 
not quite got it right


I've since ditched declaring raddb/huntgroups, as a simplifying 
exercise. I'm checking for NAS-IP-Address instead in raddb/users.


raddb/users now looks like this


DEFAULT Auth-Type := PAP
        Fall-Through = yes

# wlan controller - needs LDAP and MySQL
DEFAULT NAS-IP-Address == 172.16.6.4, Autz-Type := LDMS
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Fall-Through = yes

# vpn concentrator - only LDAP
DEFAULT NAS-IP-Address == 10.1.33.4, Autz-Type := LDAP
        Fall-Through = yes


radiusd has this..

authorize {
        preprocess
        eap
        mschap
        Autz-Type LDAP {
                ldap
        }
        Autz-Type LDMS {
                ldap
                sql
        }
}

The modules section is as it was when wireless was working. I can see 
with -X that the ldap and sql modules are instantiated fine.


Here's the only processing that is done.

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user

auth: Failed to validate the user.


If anybody would be so kind as to point me in the right direction

Thanks IA

Rob

--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 077988 72480


MySQL.conf

2006-09-15 Thread Dan Massey
Hi List

I'm running Freeradius with MySQL

I am trying to log parts of the accounting data to a different table
than 'radacct', but am struggling to get the syntax for adding an
'INSERT INTO ' line to the 'accounting_update_query', is there a way
to get it to execute 2 SQL commands?

Thanks in advance

Dan
 



RE: Radius with SNMP -- Urgent

2006-09-15 Thread Kshitij Korde

Hi

- Actually I tried to compile net-snmp-5.1.1 and tried to run "snmpd"
  but it was giving the error
  init_kmem: kvm_open failed: Permission denied

- After that I came to know that there is already one server (snmpd)
  running, of version

   NET-SNMP version:  5.0.9
   Web:   http://www.net-snmp.org/
   Email: net-snmp-coders@lists.sourceforge.net

- So using /usr/sfw/bin/snmpconf -> command I configured snmpd.conf. But
  I am not sure whether I have answered properly for all questions it asked.

- Did you setup your snmp agent according to documentation?  Did you
  restart your snmp agent?

I didn't refer to any document, so I am not very sure about this configuration,
please provide some useful information about this

Regards
kshitij

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael 
Schwartzkopff
Sent: Friday, September 15, 2006 12:53 PM
To: FreeRadius users mailing list
Subject: Re: Radius with SNMP -- Urgent

On Friday, 15 September 2006 07:46, Kshitij Korde wrote:
> After compiling freeradius with  "--with-snmp" option and when i try
> to run the server in the debug mode I see.
>
(...)
> Can't connect to SNMP agent with SMUX: Connection refused

Hi,

did you set up your snmp agent according to documentation? Did you restart your 
snmp agent?

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42





CVS web access links on the website broken...

2006-09-15 Thread Luca Corti

http://www.freeradius.org/development.html#cvs

ciao

Luca



why pam_radius library send pakcet twice??? Why?

2006-09-15 Thread 나종현

 
 
I'm making a pam_client with pam_radius.so.

pam_client-> pam_radius.so---> raidius_demon

application layer:
   pam_chauthtok() is called once.

library layer:
    pam_sm_chauthtok() is called twice:

The request is sent twice..

I don't know the reason.

Help me please.

		
			

			
			






Re: Radius with SNMP -- Urgent

2006-09-15 Thread Michael Schwartzkopff
On Friday, 15 September 2006 07:46, Kshitij Korde wrote:
> After compiling freeradius with  "--with-snmp" option and when i try to
> run the server in the debug mode I see.
>
(...)
> Can't connect to SNMP agent with SMUX: Connection refused

Hi,

did you set up your snmp agent according to documentation? Did you restart your 
snmp agent?

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: Attribute Operators

2006-09-15 Thread Peter Nixon
On Fri 15 Sep 2006 01:19, Kevin Bonner wrote:
> On Thursday 14 September 2006 17:47, Peter Nixon wrote:
> > On Thu 14 Sep 2006 19:09, Cliff Hayes wrote:
> > > Hello everyone,
> > >
> > > Does anyone know of a good reference site for the attribute operators
> > > (:=, ==, +=) that shows what each means?
> >
> > http://wiki.freeradius.org/index.php/Operators
>
> The := operator display is fixed.  The wiki is responding much faster than
> it was earlier today.

Thanks. I was meaning to fix that this morning. It was midnight when I copied 
that data in there and I couldn't be bothered at the time to figure out how 
to cancel the wiki formatting :-)

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

