Re: Active Directory with NTLM_AUTH
> You can use LDAP in the authorize section to accomplish this. Is the group name you are checking against static? Is it sometimes/always/never the primary group for the user?

Group name is static, never the primary group for the user. What is added to the users file for this? Is it similar to below:

DEFAULT Ldap-Group == "GroupName"
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        etc..

Can I simply use the

--require-membership-of='DOMAIN\Group'

option of ntlm_auth to accomplish the group check?

> > I have had LDAP only working with PAP, but am stuck with getting it to
> > work with MS-CHAP.
>
> You can't use LDAP with MS-CHAP. Use the mschap module to do the authentication.

Yup, I realised this, which is why I'm pursuing the mschap module with ntlm_auth.

> Look at the comments in radiusd.conf to see how to use ntlm_auth via the mschap module of FR.

I'm not finding the comments very useful in terms of what I need to do next after setting the options, which is why I posted here.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
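As an added example for this thread (not from the FreeRADIUS distribution and not any poster's configuration), here is a FreeRADIUS 1.x-style mschap module definition that hands the MS-CHAP challenge/response to ntlm_auth and does the group test there, plus a minimal users entry. MYDOMAIN, VPN-Users and the ntlm_auth path are placeholders. The reason an LDAP bind cannot do this job is that with MS-CHAP the server never sees a cleartext password, only a challenge/response, which winbind can verify via ntlm_auth.

```text
# radiusd.conf, inside modules { ... }  (FreeRADIUS 1.x syntax; placeholders in capitals)
mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes

        # The challenge/response from the Access-Request is verified by winbind.
        # --require-membership-of makes ntlm_auth fail for users outside the
        # group, and a failed ntlm_auth makes the mschap module reject, so the
        # group check is enforced in authenticate without an Ldap-Group item.
        # The group may also be given as its SID (see ntlm_auth(1)), which
        # sidesteps any question of how the backslash is escaped in this string.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=MYDOMAIN\\VPN-Users"
}

# users: no password item is needed here. The mschap module sets Auth-Type in
# authorize when it sees MS-CHAP attributes, so this DEFAULT entry only
# supplies reply items for the dial-up session.
DEFAULT
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255
```

Two checks worth doing before blaming the module: run ntlm_auth from a shell as the user radiusd runs as, with the same --require-membership-of argument, since the module's decision follows ntlm_auth's exit status; and make sure that user can read winbind's privileged pipe directory, which --request-nt-key needs.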
TRAPs with radius
When I try to monitor the radius server with an SNMP manager I find:

1. When the radius server goes down, the snmp agent generates a trap which is seen by the SNMP manager (snmp management console).
2. When the snmp agent comes up it generates a trap (Cold start, LINK UP trap).

How should I configure the snmpd.conf file so that a trap is generated by the snmp agent when the radius server comes up?

Thanks
Kshitij
Tech Mahindra, formerly Mahindra-British Telecom.
RE: Active Directory with NTLM_AUTH
> I also need to check that the user is a member of a particular group
> in Active Directory before Access-Accept is sent - do I fall back to
> LDAP for this?

You can use LDAP in the authorize section to accomplish this. Is the group name you are checking against static? Is it sometimes/always/never the primary group for the user?

> I have had LDAP only working with PAP, but am stuck with getting it to
> work with MS-CHAP.

You can't use LDAP with MS-CHAP. Use the mschap module to do the authentication. Look at the comments in radiusd.conf to see how to use ntlm_auth via the mschap module of FR.
Active Directory with NTLM_AUTH
Okay, I've been following the Wiki for Active Directory Integration but now I'm stuck. I'm successful at getting the machine to join the AD with Samba3, and I have NTLM_AUTH working from the command line to challenge for the user and return success.

The next part is getting FreeRadius to use this information. The end result is that I am using a Dial Up adapter within Windows to talk to radius, so I want the default Windows settings of MSCHAP to work first (means I have to customise the client end less).

What (if anything) do I need to do to the users file?

I also need to check that the user is a member of a particular group in Active Directory before Access-Accept is sent - do I fall back to LDAP for this? I have had LDAP only working with PAP, but am stuck with getting it to work with MS-CHAP.
RE: Help: How to authenticate additional attribute
> I would like to authenticate the client with its location coordinate

You didn't provide much information about what a "location coordinate" is and how you would determine whether you would allow/deny access. Is this where the user is located geographically? Do you want them to enter it or should it be derived?
Help: How to authenticate additional attribute
Hi,

I am running FreeRadius to authenticate a WinXP SP2 client using PEAP on WPA2. However, in addition to the normal username and password authentication, I would like to authenticate the client with its location coordinate, i.e. the authentication will be based on username, password and location coordinate.

I understand that WinXP provides a dialog box that allows me to input the username and password. Can I use the domain field to input the location coordinate? If this is possible, what must be configured or done to FreeRadius so that it may authenticate this additional attribute? Do I need to modify the source code?

Is there anybody who may advise me on this? Thanks.

With Regards,
Chew Heng Hui Andy
Re: Help returning multiple values for attribute (rlm_ldap)
On Oct 12, 2006, at 11:39 AM, Kostas Kalevras wrote:

> Owen DeLong wrote:
> > OK... The suggestion I got here last night allowed me to get basic auth working as desired, however, I have another problem.
> > I need to return in the reply a series of values for a given attribute, such as:
> >
> >   dn: uid=foo,ou=people,dc=zone,dc=example,dc=com
> >   uid: foo
> >   Attribute: first_value
> >   Attribute: second_value
> >   Attribute: third_value
> >
> > I have LDAP Attribute mapped to Radius-Attribute in the ldap.attrmap. However, when I query the server, I get back:
> >
> >   Radius-Attribute: first-value
> >
> > And the second and third values are not returned. Is there a way to make this work?
>
> Either you put the += operator in the ldap attribute values:
>
>   Attribute: += first_value
>   Attribute: += second_value

In this case that's not an option because RADIUS is not the only consumer of Attribute and the other consumer(s) would be very confused by +=

> or you edit ldap.attrmap to not use the = operator for that attribute but the += operator instead.

Sorry to be so ignorant, but my ldap.attrmap doesn't contain operators, and when I put them in it seems to try and interpret them as attribute names instead of as operators. So, for example:

  replyItem  Radius-Attribute  Attribute

when changed to:

  replyItem  Radius-Attribute  +=  Attribute

seems to get parsed the same as

  replyItem  Radius-Attribute+=
  replyItem  Radius-Attribute  Attribute

This is freeradius 1.1.3 in case that matters.

Thanks,
Owen
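As an added illustration of why only the first value came back (my own code, not rlm_ldap's), the function below models how reply items handed back by a module are merged into the RADIUS reply. The operator semantics assumed are: `=` adds a value only if the attribute is not already in the reply, `+=` always appends, `:=` replaces whatever is there. The LDAP values are constructed to match the thread's example.

```python
# Added example, not rlm_ldap's code: models how reply items returned by a
# module are merged into the RADIUS reply, using the operators the thread
# discusses. Assumed semantics: "=" adds a value only if the attribute is not
# already in the reply, "+=" always appends, ":=" replaces all existing values.
from typing import List, Tuple

Pair = Tuple[str, str, str]          # (attribute, operator, value)
ReplyItem = Tuple[str, str]          # (attribute, value)


def parse_ldap_value(raw: str, default_op: str = "=") -> Tuple[str, str]:
    """Split an LDAP value such as '+= second_value' into (operator, value).

    A value with no leading operator gets default_op, i.e. the operator the
    attribute map assigns to that attribute.
    """
    for op in (":=", "+="):          # two-character operators first
        if raw.startswith(op):
            return op, raw[len(op):].strip()
    if raw.startswith("="):
        return "=", raw[1:].strip()
    return default_op, raw.strip()


def merge_pairs(reply: List[ReplyItem], incoming: List[Pair]) -> List[ReplyItem]:
    """Merge (attribute, op, value) pairs into the reply list, in order."""
    out = list(reply)
    for attr, op, value in incoming:
        if op == "=":
            if not any(a == attr for a, _ in out):
                out.append((attr, value))
        elif op == "+=":
            out.append((attr, value))
        elif op == ":=":
            out = [(a, v) for a, v in out if a != attr] + [(attr, value)]
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return out


# Constructed LDAP entry values mirroring the thread's example.
LDAP_VALUES_PLAIN = ["first_value", "second_value", "third_value"]
LDAP_VALUES_WITH_OP = ["+= first_value", "+= second_value", "+= third_value"]


def reply_values(ldap_values: List[str], attrmap_op: str = "=") -> List[str]:
    """Values of Radius-Attribute that survive the merge for one LDAP entry."""
    pairs = [("Radius-Attribute",) + parse_ldap_value(raw, attrmap_op) for raw in ldap_values]
    return [v for a, v in merge_pairs([], pairs) if a == "Radius-Attribute"]


if __name__ == "__main__":
    print(reply_values(LDAP_VALUES_PLAIN))          # only first_value
    print(reply_values(LDAP_VALUES_WITH_OP))        # all three
    print(reply_values(LDAP_VALUES_PLAIN, "+="))    # all three, via the map default
```

With plain values and `=` as the default, only `first_value` survives because the second and third see the attribute already present. Putting `+=` in front of each value in the directory, or making `+=` the default operator for that attribute in the map, returns all three; the two fixes Kostas describes are the two paths through `parse_ldap_value` above.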
Re: Help returning multiple values for attribute (rlm_ldap)
Owen DeLong wrote:
> OK... The suggestion I got here last night allowed me to get basic auth working as desired, however, I have another problem.
> I need to return in the reply a series of values for a given attribute, such as:
>
>   dn: uid=foo,ou=people,dc=zone,dc=example,dc=com
>   uid: foo
>   Attribute: first_value
>   Attribute: second_value
>   Attribute: third_value
>
> I have LDAP Attribute mapped to Radius-Attribute in the ldap.attrmap. However, when I query the server, I get back:
>
>   Radius-Attribute: first-value
>
> And the second and third values are not returned. Is there a way to make this work?

Either you put the += operator in the ldap attribute values:

  Attribute: += first_value
  Attribute: += second_value

or you edit ldap.attrmap to not use the = operator for that attribute but the += operator instead.

> Thanks,
> Owen
Inserting attributes into the check table from Perl?
Hello all,

I've just finished writing a perl program to give a user a different speed of service based on their accounting total for the last month in MySQL, and I'd like to also assign these users an IP based on this usage too. I wanted to do this by setting the Pool-Name check value from my script, after it's figured out what group the user being authenticated falls under. However, apparently the $RAD_CHECK hash is read-only.

How do I write to the Check table from perl? Is it possible? Is there a way of invoking ip_pools from perl?

thanks,
Jan
Help returning multiple values for attribute (rlm_ldap)
OK... The suggestion I got here last night allowed me to get basic auth working as desired, however, I have another problem.

I need to return in the reply a series of values for a given attribute, such as:

  dn: uid=foo,ou=people,dc=zone,dc=example,dc=com
  uid: foo
  Attribute: first_value
  Attribute: second_value
  Attribute: third_value

I have LDAP Attribute mapped to Radius-Attribute in the ldap.attrmap. However, when I query the server, I get back:

  Radius-Attribute: first-value

And the second and third values are not returned. Is there a way to make this work?

Thanks,
Owen
RE: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
Thanks to Alan Buxey for reattaching the files in a tgz file. Resending again.

Mak

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, October 12, 2006 5:44 AM
To: FreeRadius users mailing list
Subject: Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?

"Mak Moussa" <[EMAIL PROTECTED]> wrote:
> He tested the patch successfully using v1.1.3 on Linux and both TTLS-mschap
> and TTLS-mschav2 authentications worked fine.
> I tested the patch using v1.1.2 on Freebsd 5.3 and got the same successful
> authentications.

Great.

> Please review the attached patch for any additional improvements as needed.

Hmm...

> Content-Disposition: attachment;
> filename="winmail.dat"

Could you attach the files in a *standard* format (i.e. non-Outlook), or put them on a web page?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

ttls_patch.tgz (attachment, binary data)
TLS handshaking problem
Hi all,

my configuration is FreeRadius (1.0.5) with Chillispot in proxy mode (and WPA-Enterprise-Auto). When I try to connect with a client, it accepts the certificate, but authentication fails. FreeRadius communicates with Chillispot and all seems to work fine. I've seen that in the first request TLS gives an error (TLS_accept:error in SSLv3 read client certificate A) but in the third request (with the same login) it works. What's wrong?

Best regards.

These are the radius and chilli logs:

rad_recv: Access-Request packet from host 192.168.181.1:1026, id=0, length=118
        User-Name = "prof1"
        EAP-Message = 0x020a0170726f6631
        Message-Authenticator = 0xa755e14d8f738a60ad50681a848c4d27
        Calling-Station-Id = "00-17-F2-44-11-C2"
        Called-Station-Id = "00-50-BF-E3-E8-2A"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        NAS-IP-Address = 192.168.181.1
        NAS-Identifier = "14"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "prof1", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "prof1"
rlm_realm: Proxying request from user prof1 to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 154
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=mydepartment,dc=mydomain,dc=it'
radius_xlat: '(uid=prof1)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=mydomain,dc=it/password to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (uid=prof1)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (&(cn=student)(|(&(objectClass=GroupOfNames)(member=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it, with filter (objectclass=*)
rlm_ldap::groupcmp: Group student not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for prof1
radius_xlat: '(uid=prof1)'
radius_xlat: 'ou=mydepartment,dc=mydomain,dc=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (uid=prof1)
rlm_ldap: checking if remote access for prof1 is allowed by userPassword
rlm_ldap: Added password a in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusGroupName as Ldap-Group, value professor & op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-05-5D-25-12-5B & op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-02-C7-8F-A0-16 & op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-0B-6B-4A-22-E8 & op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-17-F2-44-11-C2 & op=21
rlm_ldap: Adding userPassword as User-Password, value a & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFilterId as Filter-Id, value 98 & op=11
rlm_ldap: user prof1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-17-F2-44-11-C2
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-05-5D-25-12-5B
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-02-C7-8F-A0-16
rlm_che
Re: windows login using freeradius?
On Thu 12 Oct 2006 16:59, Stefan Winter wrote:
> Hi,
>
> > http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>
> does anyone have a current mail address of Charles Schwartz? I tried two
> (uni.lu and crp-sante.healthnet.lu) but they didn't work any more. I'd like
> to integrate his tutorial in a document and wanted to ask for his
> permission...

Yes. I received written confirmation from him via email that I could incorporate his doc into the wiki. I will send you a private email with his address.

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Securew2
Hi,

> Hi to all,
> anybody know what's happening to the securew2 site?
> It has been down since a few weeks ago.
>
> Has it disappeared?

some of us have noticed and wondered the same thing. I've resorted to currently hosting the file for local downloads and will continue to do so until I know what's up. (there are many other sites where it can be publicly downloaded!)

speculation:

- the DNS has been messed up severely, though the WHOIS is still correct.
- the software has been sold to a new owner; Vista needs a good supplicant.
- bought out by a competitor and removed from the market, though this would be interesting regarding its licence.
- a new version is coming soon and they pulled the old version prematurely.

alan
RE: Securew2
> anybody know what's happening to the securew2 site?
> It has been down since a few weeks ago.

They sent an E-mail stating that it moved. Try: http://securew2.alfa-ariss.com/uk/index.htm
mysql and Auth-Type:=Reject Problem
I am using a mysql database with user information and simulate an 802.1x authentication via eapol_test. In special situations I want to send an Auth-Type:=Reject from the table radreply, although the EAP authentication succeeded. This does not seem to work for me with freeradius 1.1.3.

freeradius -AX:

modcall: leaving group authenticate (returns ok) for request 21
Sending Access-Accept of id 9 to 127.0.0.1 port 1226
        Framed-IP-Address = 1.2.3.4
        MS-MPPE-Recv-Key = 0xd8a5e8adaa368def127716024634cf6d7633ed034d8206e376ab21f408771f31
        MS-MPPE-Send-Key = 0x7e67cb055071a333c28c7e462914bcfba12208c6a547ef8740c939f9c3be5173
        EAP-Message = 0x03090004
        Message-Authenticator = 0x
        User-Name = "host/de7018tc.ww901.siemens.net"
Finished request 21
Going to the next request
Waking up in 6 seconds...

where the ip 1.2.3.4 is definitely from that table, and the select that freeradius starts gives the correct result in the mysql client itself:

mysql> SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'host/de7018tc.ww901.siemens.net' ORDER BY id;
+----+---------------------------------+-------------------+---------+----+
| id | UserName                        | Attribute         | Value   | op |
+----+---------------------------------+-------------------+---------+----+
| 32 | host/de7018tc.ww901.siemens.net | Auth-Type         | Reject  | := |
| 33 | host/de7018tc.ww901.siemens.net | Framed-IP-Address | 1.2.3.4 | =  |
+----+---------------------------------+-------------------+---------+----+

The operators ==, += or = do not work either.

The database contains the following:

mysql> select * from usergroup;
+----------+---------------------------------+-----------+---------------------+---------------------+---------+
| id       | UserName                        | GroupName | loaddate            | validto             | konftyp |
+----------+---------------------------------+-----------+---------------------+---------------------+---------+
| 16148296 | HOST/de7018tc.ww901.siemens.net | vl1       | 2006-10-12 14:17:22 | 2006-10-13 00:00:00 | NULL    |
+----------+---------------------------------+-----------+---------------------+---------------------+---------+
1 row in set (0.00 sec)

The following entry is only there to get the attributes from radreply later:

mysql> select * from radcheck;
+----------+---------------------------------+--------------+----+-------+---------------------+
| id       | UserName                        | Attribute    | op | Value | validto             |
+----------+---------------------------------+--------------+----+-------+---------------------+
| 12131722 | HOST/de7018tc.ww901.siemens.net | Idle-Timeout | += | 12345 | 2006-10-13 00:00:00 |
+----------+---------------------------------+--------------+----+-------+---------------------+
1 row in set (0.00 sec)

mysql> select * from radreply;
+----+---------------------------------+-------------------+----+---------+------------+--------------+---------+
| id | UserName                        | Attribute         | op | Value   | ra_nasname | ra_GroupName | validto |
+----+---------------------------------+-------------------+----+---------+------------+--------------+---------+
| 32 | host/de7018tc.ww901.siemens.net | Auth-Type         | := | Reject  | 4711       | NULL         | NULL    |
| 33 | host/de7018tc.ww901.siemens.net | Framed-IP-Address | =  | 1.2.3.4 | 0815       | NULL         | NULL    |
+----+---------------------------------+-------------------+----+---------+------------+--------------+---------+
2 rows in set (0.00 sec)

The complete logfile can be found at http://www.wegener-net.de/fr/

What do I have to change to make that work?

Thanks
Norbert Wegener
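An added example (my own code, not rlm_sql's) that loads the two tables from the post into an in-memory SQLite database and models what the default authorize queries do with them: rows from radcheck become check items and rows from radreply become reply items. Auth-Type is a check item, so a row carrying it only influences the decision when it comes from radcheck; the example moves row 32 across and shows the decision change. Two assumptions are made: the decision logic is reduced to the single rule in play here, and `COLLATE NOCASE` stands in for MySQL's case-insensitive default collation, which is why the post's mixed-case UserName values all match.

```python
# Added example, not rlm_sql's code. Models the radcheck/radreply split that
# rlm_sql's default authorize queries implement, on an in-memory SQLite copy of
# the rows from the post. The "decide" rule is reduced to the one that matters
# here and is an assumption of this example.
import sqlite3
from typing import Dict, List, Tuple

Pair = Tuple[str, str, str]   # (attribute, op, value)

SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radreply (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
"""

# Constructed to mirror the post's rows; columns the post does not use are left out.
ROWS = [
    ("radcheck", 12131722, "HOST/de7018tc.ww901.siemens.net", "Idle-Timeout", "+=", "12345"),
    ("radreply", 32, "host/de7018tc.ww901.siemens.net", "Auth-Type", ":=", "Reject"),
    ("radreply", 33, "host/de7018tc.ww901.siemens.net", "Framed-IP-Address", "=", "1.2.3.4"),
]


def load(rows=ROWS) -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, row_id, user, attr, op, value in rows:
        con.execute(f"INSERT INTO {table} (id, UserName, Attribute, op, Value) VALUES (?, ?, ?, ?, ?)",
                    (row_id, user, attr, op, value))
    return con


def sql_authorize(con: sqlite3.Connection, username: str) -> Dict[str, List[Pair]]:
    """What the default authorize queries hand back: radcheck rows are check
    items, radreply rows are reply items. COLLATE NOCASE stands in for MySQL's
    case-insensitive default collation."""
    query = "SELECT Attribute, op, Value FROM {} WHERE UserName = ? COLLATE NOCASE ORDER BY id"
    return {
        "check": list(con.execute(query.format("radcheck"), (username,))),
        "reply": list(con.execute(query.format("radreply"), (username,))),
    }


def decide(items: Dict[str, List[Pair]]) -> str:
    """Auth-Type := Reject among the CHECK items means Access-Reject; reply items
    are only ever copied into the Access-Accept and never decide anything."""
    for attr, _op, value in items["check"]:
        if attr == "Auth-Type" and value == "Reject":
            return "Access-Reject"
    return "continue"


def move_to_radcheck(con: sqlite3.Connection, row_id: int) -> None:
    """Move one row from radreply into radcheck, keeping attribute, op and value."""
    con.execute("INSERT INTO radcheck (UserName, Attribute, op, Value) "
                "SELECT UserName, Attribute, op, Value FROM radreply WHERE id = ?", (row_id,))
    con.execute("DELETE FROM radreply WHERE id = ?", (row_id,))


if __name__ == "__main__":
    con = load()
    user = "host/de7018tc.ww901.siemens.net"
    print(decide(sql_authorize(con, user)))   # continue: Auth-Type is only a reply item
    move_to_radcheck(con, 32)
    print(decide(sql_authorize(con, user)))   # Access-Reject: now it is a check item
```

The same split applies to the group tables: radgroupcheck feeds check items and radgroupreply feeds reply items, so a conditional reject belongs on the check side in either case.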
RE: Securew2
Weird.. I just got this email this morning...

SecureW2 is no longer at www.securew2.org
Please visit http://securew2.alfa-ariss.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alessandro Agostini
Sent: Thursday, October 12, 2006 9:53 AM
To: freeradius-users@lists.freeradius.org
Subject: Securew2

Hi to all,
anybody know what's happening to the securew2 site?
It has been down since a few weeks ago.
Has it disappeared?
Thanks
A.Agostini
proxy realm
Hi all,

sorry... another question. We use freeradius as a proxy. We configured a suffix realm based proxy with delimiter character "/". If there is a username like "user/test/server1" (I mean with more than one "/"), which one of the "/" does freeradius consider as the suffix delimiter?

Thank you.
Re: windows login using freeradius?
Hi,

> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

does anyone have a current mail address of Charles Schwartz? I tried two (uni.lu and crp-sante.healthnet.lu) but they didn't work any more. I'd like to integrate his tutorial in a document and wanted to ask for his permission...

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
Securew2
Hi to all,
anybody know what's happening to the securew2 site? It has been down since a few weeks ago. Has it disappeared?
Thanks
A.Agostini
RE: windows login using freeradius?
> if yes, can you guide me to some related materials?

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
RE: Windows Vista doing PEAP
> Are you sure you're using the new code? It looks to me like it's NOT installing the server with symbols, and it's NOT printing the new debugging messages.

I was, I just wasn't building the server right. I figured it out a few hours later (see my later emails). The last one has the gdb logs pasted into it.
Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
"Mak Moussa" <[EMAIL PROTECTED]> wrote:
> He tested the patch successfully using v1.1.3 on Linux and both TTLS-mschap
> and TTLS-mschav2 authentications worked fine.
> I tested the patch using v1.1.2 on Freebsd 5.3 and got the same successful
> authentications.

Great.

> Please review the attached patch for any additional improvements as needed.

Hmm...

> Content-Disposition: attachment;
> filename="winmail.dat"

Could you attach the files in a *standard* format (i.e. non-Outlook), or put them on a web page?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: SQL Accounting oddness
Dave

There aren't any errors in the mysql log at all. Not even the radius log shows any errors. Like I said, I run Radius in debug mode, radiusd -X, and see it trying to write to the accounting table but no errors. When I took the line it was trying to insert and replaced it with real values instead of variables it wrote to the table ok. So I'm still at a loss.

John

> -Original Message-
> From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of David Roze
> Sent: 12 October 2006 11:29
> To: FreeRadius users mailing list
> Subject: RE: SQL Accounting oddness
>
> Hi John,
>
> I would try to run Mysql with error and warning logging like
> --log-error=/var/log/mysql-errors --log-warnings
> And check the logs
>
> Have you also tried to copy the query sent from Radius and execute it
> manually? You might get your solution there
>
> David
>
> --
> http://www.netexpertise.eu
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Williams
> Sent: 12 October 2006 08:26
> To: 'FreeRadius users mailing list'
> Subject: Spam:RE: SQL Accounting oddness
>
> All the ports are open.
> The authentication packets and accounting packets are hitting the server ok.
> The authentication is being checked against the radcheck table in SQL and
> authenticates users.
> But the accounting information isn't being written to the radacct table,
> even though I can see freeradius sending it if I run radius in debug mode.
>
> John
>
> > -Original Message-
> > From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Sean
> > Sent: 11 October 2006 17:39
> > To: freeradius-users@lists.freeradius.org
> > Subject: RE: SQL Accounting oddness
> >
> > Hi,
> >
> > Check that you have all the ports used by FreeRadius open. It looks as
> > if the accounting traffic is not getting through to the server.
> >
> > Let me know if I'm right.
> >
> > Regards,
> >
> > Sean Bracken
> >
> > http://swarmhotspots.com
RE: SQL Accounting oddness
Hi John,

I would try to run Mysql with error and warning logging like
--log-error=/var/log/mysql-errors --log-warnings
And check the logs

Have you also tried to copy the query sent from Radius and execute it manually? You might get your solution there

David

--
http://www.netexpertise.eu

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Williams
Sent: 12 October 2006 08:26
To: 'FreeRadius users mailing list'
Subject: Spam:RE: SQL Accounting oddness

All the ports are open.
The authentication packets and accounting packets are hitting the server ok.
The authentication is being checked against the radcheck table in SQL and authenticates users.
But the accounting information isn't being written to the radacct table, even though I can see freeradius sending it if I run radius in debug mode.

John

> -Original Message-
> From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Sean
> Sent: 11 October 2006 17:39
> To: freeradius-users@lists.freeradius.org
> Subject: RE: SQL Accounting oddness
>
> Hi,
>
> Check that you have all the ports used by FreeRadius open. It looks as
> if the accounting traffic is not getting through to the server.
>
> Let me know if I'm right.
>
> Regards,
>
> Sean Bracken
>
> http://swarmhotspots.com
Re: Dialupadmin Problems
You might want to set sql_debug (or something like it) to on in the dialupadmin config file. This will run sql queries in debugging mode and might help you to reveal the problem.

On 10/12/06, Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> Andy Dixon wrote:
> > On 11 Oct 2006, at 19:11, Ali Jawad wrote:
> >
> > > Could be a permissions issue.. you might wanna investigate that
> >
> > I thought it may have been an issue with PHP and / or apache. I
> > tailed the logs from Apache and got nothing, but PHP threw up lots of
> > notices about un-initialized constants / variables / etc, a warning
> > about a for loop being given something dodgy, and another error about
> > a security risk.
>
> Usually when you get a blank page in dialupadmin the reason is that php is lacking mysql support. I would suggest to check that one

--
With Regards
Ali Jawad
Pam radius authentication
Hello!

I try to authenticate ssh user logins using pam_radius_auth.so. On my RedHat 9 I have the following setup:

- freeradius server
  - users file:

        test    Auth-Type := Local, User-Password == "test"

  - clients.conf:

        client 127.0.0.1 {
                secret    = secret
                shortname = localhost
        }

- pam radius module
  - cat /etc/pam.d/sshd

        #%PAM-1.0
        auth       required     pam_securetty.so
        auth       sufficient   pam_radius_auth.so debug
        auth       required     /lib/security/pam_unix_auth.so
        account    required     pam_radius_auth.so debug
        password   required     pam_stack.so service=system-auth
        session    required     pam_stack.so service=system-auth
        session    required     pam_limits.so
        session    optional     pam_console.so

  - cat /etc/raddb/server

        127.0.0.1    secret    1

  - pam_radius_auth.so is copied in /lib/security
- I created linux user test with home directory /home/test, without setting up a password
- freeradius started with radiusd -X

The problem is that, when I try to connect to this machine using ssh, the radius server receives the request, processes it, sends access-accept, but the ssh session is ended, without the user being really logged in!!! I don't know the reason why the user gets rejected...

tail -f /var/log/secure
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: Got RADIUS response code 2
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: authentication succeeded
Oct 12 11:06:27 D-Server sshd[26585]: Accepted password for test from 10.243.30.42 port 2847 ssh2
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got user name test
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Sending RADIUS request code 1
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got RADIUS response code 2
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: authentication succeeded
Oct 12 11:28:30 D-Server sshd[26590]: Accepted password for test from 10.243.30.42 port 2881 ssh2

from radiusd -X :
rad_recv: Access-Request packet from host 127.0.0.1:27615, id=253, length=97
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "sshd"
        NAS-Port = 26590
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "512wyse83.cosmote.rom"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry test at line 80
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 253 to 127.0.0.1 port 27615
Finished request 0

thank you!
Insert character in username
Hi all,

we use Freeradius as proxy. Is it possible to insert a character inside the username every time in the same position (i.e. before the last six characters) using the preproxy_users configuration file?

For example:

    original username = Johnnyfavourite
    username after preproxy section = [EMAIL PROTECTED]

So the server can use "ourite" as proxy realm.

And if it is possible, which is the right syntax of the instruction in the preproxy_users file? If it is not possible, is there another way to do it?

Thank you
Re: LDAP authorizedService attribute matching
Owen DeLong wrote:

> I've got an LDAP database which works with PAM and uses PosixAccounts to describe users. It uses the authorizedService attribute to specify which services the user is allowed to log into. I've configured freeradius to map authorizedService -> Service-Type and have set up Service-Type as a check attribute.
>
> I'm running: (radiusd: FreeRADIUS Version 1.1.3, for host i686-pc-linux-gnu, built on Oct 10 2006 at 13:13:55)
>
> For example, say user foo has:
>
>     dn: uid=foo, ou=people, dc=zone, dc=example, dc=com
>     ...
>     authorizedService: sshd
>     authorizedService: vpn
>     authorizedService: xdm
>     ...
>
> I would like this user to succeed authenticating against RADIUS if Service-Type in the request matches sshd, vpn, or xdm, but not if it contains anything else. Is there a way to set up this comparison in freeradius?

See the checkval module

> I've read the FAQ, but I haven't found a way to do this. I've included debug output below, just in case. Any help, especially a specific set of "put this in x configuration file here and it should work" type help is greatly appreciated.
>
> Thanks,
> Owen
>
> Test authentication command (the username, password, and domain name have been replaced to preserve the anonymity of the implementation in question):
>
> In this case, user foo has authorizedService attributes with the following values: passwd login sshd xdm gdm sudo su
>
>     (echo "User-Name = foo" ; echo "User-Password = xyzzy"; echo "Service-Type = sshd" ) | \
>         radclient localhost auth testing123
>
> results in:
>
> rad_recv: Access-Request packet from host 127.0.0.1:32772, id=37, length=50
>         User-Name = "foo"
>         User-Password = "xyzzy"
>         Service-Type = sshd
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "foo", looking up realm NULL
>     rlm_realm: Found realm "NULL"
>     rlm_realm: Adding Stripped-User-Name = "foo"
>     rlm_realm: Proxying request from user owen to realm NULL
>     rlm_realm: Adding Realm = "NULL"
>     rlm_realm: Authentication realm is LOCAL.
>   modcall[authorize]: module "suffix" returns noop for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for foo
> radius_xlat:  '(uid=foo)'
> radius_xlat:  'ou=people,dc=zone,dc=example,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=people,dc=zone,dc=example,dc=com, with filter (uid=foo)
> rlm_ldap: checking if remote access for owen is allowed by authorizedService
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding authorizedService as Service-Type, value passwd & op=21
> rlm_ldap: Adding authorizedService as Service-Type, value login & op=21
> rlm_ldap: Adding authorizedService as Service-Type, value sshd & op=21
> rlm_ldap: Adding authorizedService as Service-Type, value xdm & op=21
> rlm_ldap: Adding authorizedService as Service-Type, value gdm & op=21
> rlm_ldap: Adding authorizedService as Service-Type, value sudo & op=21
> rlm_ldap: Adding authorizedService as Service-Type, value su & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Setting Auth-Type = ldap
> rlm_ldap: user foo authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> rad_check_password:  Found Auth-Type ldap
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "foo" with password "xyzzy"
> rlm_ldap: user DN: uid=foo,ou=people,dc=zone,dc=example,dc=com
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as uid=foo,ou=people,dc=zone,dc=example,dc=com/xyzzy to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user owen authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: leaving group LDAP (returns ok) for request 0
> Sending Access-Accept of id 37 to 127.0.0.1 port 32772
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Received response ID 37, code 2, length = 20
> Waking up in 6 seconds...
>
> Which is correct. However, because the following does not fail:
>
>     (echo "User-Name = foo" ; echo "User-Password = xyzzy"; echo "Service-Type = vpn" ) | \
>         radclient localhost auth testing123
>
> I suspect it's just that anything succeeds whether it ma
Re: Dialupadmin Problems
Andy Dixon wrote:

> On 11 Oct 2006, at 19:11, Ali Jawad wrote:
>
>> Could be a permissions issue..you might wanna investigate that
>
> I thought it may have been an issue with PHP and / or apache. I tailed the logs from Apache and got nothing, but PHP threw up lots of notices about un-initialized constants / variables / etc, a warning about a for loop being given something dodgy, and another error about a security risk.

Usually when you get a blank page in dialupadmin the reason is that php is lacking mysql support. I would suggest to check that one.
Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
hi,

urgh. please never attach things using outlook/outlook express. the rest of the world doesn't take winmail.dat files. I've fentun'd the result and reattached for you.

alan

Attachment: ttls_patch.tgz (Description: TTLS patch)
RE: SQL Accounting oddness
All the ports are open. The authentication packets and accounting packets are hitting the server ok. The authentication is being checked against the radcheck table in SQL and authenticates users. But the accounting information isn't being written to the radacct table, even though I can see freeradius sending it if I run radius in debug mode.

John

> -Original Message-
> From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Sean
> Sent: 11 October 2006 17:39
> To: freeradius-users@lists.freeradius.org
> Subject: RE: SQL Accounting oddness
>
> Hi,
>
> Check that you have all the ports used by FreeRadius open. It looks as if the accounting traffic is not getting through to the server.
>
> Let me know if I'm right.
>
> Regards,
>
> Sean Bracken
>
> http://swarmhotspots.com
Re: Dialupadmin Problems
This happened to me once with another application..because I had global_registers off...in the php.ini file..you might wanna check that

On 10/12/06, Andy Dixon <[EMAIL PROTECTED]> wrote:
> On 11 Oct 2006, at 19:11, Ali Jawad wrote:
>
>> Could be a permissions issue..you might wanna investigate that
>
> I thought it may have been an issue with PHP and / or apache. I tailed the logs from Apache and got nothing, but PHP threw up lots of notices about un-initialized constants / variables / etc, a warning about a for loop being given something dodgy, and another error about a security risk.

--
With Regards
Ali Jawad