TRAPs with radius

2006-10-13 Thread Kshitij Korde



When I try to monitor the radius server with an SNMP manager I find:

1. When the radius server goes down, the snmp agent generates a trap
which is seen by the SNMP manager (snmp management console).
2. When the snmp agent comes up, it generates a trap (Cold start LINK UP
trap).


How should I configure the snmpd.conf file so that a trap is generated
by the snmp agent when the radius server comes up?


Thanks

Kshitij




Tech Mahindra, formerly Mahindra-British Telecom.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Active Directory with NTLM_AUTH

2006-10-13 Thread duckeo

> You can use LDAP in the authorize section to accomplish this.  Is the
> group name you are checking against static?  Is it
> sometimes/always/never the primary group for the user?

Group name is static, never the primary group for the user. What is
added to the users file for this? Is it similar to below:

DEFAULT Ldap-Group == GroupName
   Service-Type = Framed,
   Framed-Protocol = PPP,
   Framed-IP-Address = 255.255.255.254,
   Framed-IP-Netmask = 255.255.255.255,
etc..

Can I simply use the:
--require-membership-of='DOMAIN\Group'
option of ntlm_auth to accomplish the group check?

> > I have had LDAP only working with PAP, but am stuck with getting it to
> > work with MS-CHAP.
>
> You can't use LDAP with MS-CHAP.  Use the mschap module to do the
> authentication.

Yup, I realised this, which is why I'm pursuing the mschap module with ntlm_auth.

> Look at the comments in radiusd.conf to see how to use
> ntlm_auth via the mschap module of FR.

I'm not finding the comments very useful in terms of what I need to do
next after setting the options, which is why I posted here.


Multiple instances of the exec module

2006-10-13 Thread Les Brinkworth
Hi All,

I am new to FreeRadius and in fact Radius.  Having spent some time
playing with FreeRadius (Windows ver) I need to call an external program
in the preacct, authorize & authenticate sections. The code
comment in the piece prior to the exec module states the following:

#  If you wish to execute an external program in more than
#  one section (e.g. 'authorize', 'pre_proxy', etc), then it
#  is probably best to define a different instance of the
#  'exec' module for every section.

I am lost as to where or maybe how this definition is done.  If I
duplicate the exec module in the actual section, RadiusD complains about
'wait' not being defined.

Can anyone provide guidance?

Many thanks

Les Brinkworth



Re: mysql and Auth-Type:=Reject Problem

2006-10-13 Thread K. Hoercher

Hi,

On 10/12/06, Norbert Wegener [EMAIL PROTECTED] wrote:

> What do I have to change to make that work?

Sorry, that's a bit too much at the moment. But for starters: setting
Auth-Type (assuming that this is one of the cases where it actually makes
sense) as a reply item (i.e. by virtue of coming from the radreply table)
won't work. See doc/processing_users_file, doc/aaa.txt, man users
etc.

hth
K. Hoercher


Mobile Phones Radius Authentications

2006-10-13 Thread nsuralullec
Hi to all;


I'm setting up GPRS with radius authentication.
Authentication is accepted when using the GPRS phone as
modem for internet connections (PPP). Authentication
fails when using GPRS WAP applications. The GPRS phone's
security features were enabled, including the username
and password, but the radius server keeps on rejecting
connections.

Are there any similar cases that have been resolved?

Thanks for any replies...


Regards,

NUS





Re: TLS handshaking problem

2006-10-13 Thread K. Hoercher

Hi,

maybe a few helpful notes:

On 10/12/06, Giuseppina Venezia [EMAIL PROTECTED] wrote:

> I've seen that in the first request, TLS gives an error (
> TLS_accept:error in SSLv3 read client certificate A ) but in the third
> request (with the same login) it works.
> What's wrong?

TLS_accept:error isn't really an error here, just an error message
not to worry about (see the list archives).

The different requests/challenges are part of the ongoing EAP
mechanism (normally consisting of approx. 5-15 in either direction).
So after the third one:

> SSL Connection Established

means just that; it's not a successful auth yet.
If configured/working correctly, the next challenge sent by freeradius
would be one requiring the client (meaning supplicant) to provide the
user's credentials inside the now established SSL layer (inside EAP,
transmitted inside the RADIUS protocol from the client (here meaning NAS,
i.e. apparently chillispot)).

Apparently you cut the freeradius debug here, as chillispot claims:

> Received access reject from radius server

which doesn't show up in the freeradius debug output as being sent.

So whatever (really) fails is further down the line. You should check that.

regards
K. Hoercher


Re: Multiple instances of the exec module

2006-10-13 Thread K. Hoercher

On 10/13/06, Les Brinkworth [EMAIL PROTECTED] wrote:

> I am lost as to where or maybe how this definition is done.  If I
> duplicate the exec module in the actual section, RadiusD complains about
> 'wait' not being defined.

Just a guess (as you didn't provide any output):
The error (more of a warning) is something like "...Wait=yes but no
output defined..."?
So check for the subsequent comment in the definition of an exec
instance called echo, which should also serve as an example of how to
define different instances, which would then be called in the actual
section by their name.

regards
K. Hoercher


Re: Mobile Phones Radius Authentications

2006-10-13 Thread K. Hoercher

Hi,

On 10/13/06, nsuralullec [EMAIL PROTECTED] wrote:

> Are there any similar cases that have been resolved?

Probably.

If you are interested in answers with a little more content, you should
provide more data than the equivalent of "It doesn't work", as
mentioned in the FAQ, INSTALL (provided you even talk about
freeradius) etc. and almost daily on this list. Even if someone knew
anything more specific than me, I think (s)he would consider it
too burdensome to reply to such a broad question.

regards
K. Hoercher


variable escaping in sql.conf

2006-10-13 Thread Norbert Wegener

in sql.conf I use something like:

usergroup.GroupName  like 'v%y'

and radius -AX tells me:
WARNING: Unknown variable '%y': See 'doc/variables.txt'

How would I escape that kind of variable to pass it to the sql query?
The usual \ did not work.

Thanks
Norbert Wegener



RE: Multiple instances of the exec module

2006-10-13 Thread Les Brinkworth
Hi K

Thanks for the reply.  My apologies for including the code and trace.  I
have done so below.  The error I think is more serious as the server
fails to load.  I am obviously understanding the define incorrectly.
How does one define two instances of exec with different names that can
be called from other sections?


Code snippet from Modules section of radiusd.conf...

exec {
    wait = yes
    program = "handlebillingrequests.exe ACCR:%Z"
    input_pairs = request
    output_pairs = reply
    packet_type = Accounting-Request
}

...This executes for an accounting request

If I then add the same code to the authorize section...

exec {
    wait = yes
    program = "handlebillingrequests.exe AUTR:%Z"
    input_pairs = request
    output_pairs = reply
    packet_type = Access-Request
}

...it results in the following when I run debug


C:\Documents and Settings\lbrinkworth>Cd \Program Files\FreeRADIUS.net-1.1.1-r0.0.1

C:\Program Files\FreeRADIUS.net-1.1.1-r0.0.1>start_radiusd_debug.bat
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: ../etc/raddb/proxy.conf
Config:   including file: ../etc/raddb/clients.conf
Config:   including file: ../etc/raddb/snmp.conf
Config:   including file: ../etc/raddb/eap.conf
Config:   including file: ../etc/raddb/mssql.conf
 main: prefix = ..
 main: localstatedir = ../var
 main: logdir = ../var/log/radius
 main: libdir = ../lib
 main: radacctdir = ../var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = ../var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = ../var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = ../bin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is ../lib
Module: Loaded exec
 exec: wait = yes
 exec: program = handlebillingrequests.exe ACCR:%Z
 exec: input_pairs = request
 exec: output_pairs = reply
 exec: packet_type = Accounting-Request
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = ../var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file =
../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.pem
 tls: certificate_file =
../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.crt
 tls: CA_file =
../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-CA.crt
 tls: private_key_password = demo
 tls: dh_file = ../etc/raddb/certs/FreeRADIUS.net/DemoCerts/dh
 tls: random_file = ../etc/raddb/certs/FreeRADIUS.net/DemoCerts/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = %{User-Name}
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = md5
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = yes

RE: SQL Accounting oddness

2006-10-13 Thread John Williams
Here is something else I found.

I run radius in debug mode, radiusd -X, after altering the line in sql.conf
to:

sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql

So that it would create the sql trace logfile as it does on my other radius
server.
But the logfile did not get created although in debug mode I could see
attempts to log to the radacct table.

I'm at a total loose as to where the problem is.
I'm running:

Centos 4.4 Final
freeradius-1.0.1-3.RHEL4.3
freeradius-mysql-1.0.1-3.RHEL4.3


Exactly the same as my other radius server.

Anyone got any ideas at all?

John

> -----Original Message-----
> From: freeradius-users-[EMAIL PROTECTED]
> [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of John Williams
> Sent: 12 October 2006 13:10
> To: 'FreeRadius users mailing list'
> Subject: RE: SQL Accounting oddness
>
> Dave
>
> There aren't any errors in the mysql log at all.
> Not even the radius log shows any errors.
> Like I said, I run Radius in debug mode, radiusd -X, and see it trying to
> write to the accounting table but no errors.
> When I took the line it was trying to insert and replaced it with real
> values instead of variables it wrote to the table ok.
>
> So I'm still at a loss.
>
> John
>
> > -----Original Message-----
> > From: freeradius-users-[EMAIL PROTECTED]
> > [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of David Roze
> > Sent: 12 October 2006 11:29
> > To: FreeRadius users mailing list
> > Subject: RE: SQL Accounting oddness
> >
> > Hi John,
> >
> > I would try to run Mysql with error and warning logging like
> > --log-error=/var/log/mysql-errors --log-warnings
> > And check the logs
> >
> > Have you also tried to copy the query sent from Radius and execute it
> > manually? You might get your solution there
> >
> > David
> >
> > --
> > http://www.netexpertise.eu
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > On Behalf Of John Williams
> > Sent: 12 October 2006 08:26
> > To: 'FreeRadius users mailing list'
> > Subject: Spam:RE: SQL Accounting oddness
> >
> > All the ports are open.
> > The authentication packets and accounting packets are hitting the server
> > ok.
> > The authentication is being checked against the radcheck table in SQL
> > and authenticates users.
> > But the accounting information isn't being written to the radacct table,
> > even though I can see freeradius sending it if I run radius in debug
> > mode.
> >
> > John
> >
> > > -----Original Message-----
> > > From: freeradius-users-[EMAIL PROTECTED]
> > > [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Sean
> > > Sent: 11 October 2006 17:39
> > > To: freeradius-users@lists.freeradius.org
> > > Subject: RE: SQL Accounting oddness
> > >
> > > Hi,
> > >
> > > Check that you have all the ports used by FreeRadius open. It looks as
> > > if the accounting traffic is not getting through to the server.
> > >
> > > Let me know if I'm right.
> > >
> > >
> > > Regards,
> > >
> > > Sean Bracken
> > >
> > > http://swarmhotspots.com



Re: Mobile Phones Radius Authentications

2006-10-13 Thread Peter Nixon
On Fri 13 Oct 2006 11:20, nsuralullec wrote:
> Hi to all;
>
> I'm setting up GPRS with radius authentication.
> Authentication is accepted when using the GPRS phone as
> modem for internet connections (PPP). Authentication
> fails when using GPRS WAP applications. The GPRS phone's
> security features were enabled, including the username
> and password, but the radius server keeps on rejecting
> connections.
>
> Are there any similar cases that have been resolved?

We have a large number of phones being authenticated by FreeRADIUS for both
WAP and GPRS access on multiple APNs. It works great, so if you are having
problems you need to provide detailed debug logs if you wish us to help you
debug your configuration.

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Proxy errors in radius log

2006-10-13 Thread John Williams
I’m getting a lot of entries in my radius log on one of our radius servers
like the following:


Error: Reply from home server 10.0.0.1:1646  - ID: 172 arrived too late for
request 5280. Try increasing 'retry_delay' or 'max_request_time'
Error: Reply from home server 10.0.0.2:1646  - ID: 150 arrived too late for
request 5256. Try increasing 'retry_delay' or 'max_request_time'

Is this a problem on our radius server or the company we are proxying to and
their radius servers?

If it is our server what do I need to do to resolve this?

Thanks
John



Duplicate accounting packets

2006-10-13 Thread John Williams
Why would I see more than one start entry in the radacct table for a user
all with the same session id?

+-------------------+-----------+---------------------+---------------------+
| UserName          | AccStatus | AcctStartTime       | AcctStopTime        |
+-------------------+-----------+---------------------+---------------------+
| [EMAIL PROTECTED] | Start     | 2006-10-13 12:39:08 | 0000-00-00 00:00:00 |
| [EMAIL PROTECTED] | Start     | 2006-10-13 12:39:15 | 0000-00-00 00:00:00 |
| [EMAIL PROTECTED] | Start     | 2006-10-13 12:39:22 | 0000-00-00 00:00:00 |
| [EMAIL PROTECTED] | Start     | 2006-10-13 12:39:30 | 0000-00-00 00:00:00 |
| [EMAIL PROTECTED] | Start     | 2006-10-13 12:39:37 | 0000-00-00 00:00:00 |
+-------------------+-----------+---------------------+---------------------+

Normally I wouldn't worry about it but I'm trying to script something that
will show each users stats, time online, octets in/out etc.
But having more than one start entry without a stop time for each is going
to be a problem.

Thanks
John
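One way to cope with the duplicate Start rows when scripting per-user stats, as an added example that is not from the post or from FreeRADIUS: it loads constructed rows mirroring the table above into an in-memory SQLite copy of a radacct subset (column names follow the FreeRADIUS MySQL schema, with the session id assumed to be AcctSessionId), flags sessions that have more than one open Start, and consolidates each (user, session) into one row so the stats no longer double-count.

```python
import sqlite3

# Constructed subset of the FreeRADIUS MySQL radacct schema: only the columns
# needed to consolidate Start records and report per-session stats.
# Assumption: the "session id" in the post is AcctSessionId.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId        INTEGER PRIMARY KEY AUTOINCREMENT,
    AcctSessionId    TEXT NOT NULL,
    UserName         TEXT NOT NULL,
    AcctStartTime    TEXT NOT NULL,
    AcctStopTime     TEXT,             -- NULL here; MySQL shows a zero date
    AcctSessionTime  INTEGER,
    AcctInputOctets  INTEGER,
    AcctOutputOctets INTEGER
)
"""

# Constructed rows: five Start inserts for one session, seconds apart and with
# no Stop (the pattern in the post), plus one session that closed normally.
SAMPLE_ROWS = [
    ("4A3F0001", "user@example.net", "2006-10-13 12:39:08", None, None, None, None),
    ("4A3F0001", "user@example.net", "2006-10-13 12:39:15", None, None, None, None),
    ("4A3F0001", "user@example.net", "2006-10-13 12:39:22", None, None, None, None),
    ("4A3F0001", "user@example.net", "2006-10-13 12:39:30", None, None, None, None),
    ("4A3F0001", "user@example.net", "2006-10-13 12:39:37", None, None, None, None),
    ("4A3F0002", "other@example.net", "2006-10-13 11:02:00",
     "2006-10-13 11:47:12", 2712, 123456, 7890123),
]

# Sessions with more than one open Start row: worth running periodically, since
# every extra row is a Start the server accepted and inserted a second time.
DUPLICATE_STARTS_SQL = """
SELECT UserName, AcctSessionId, COUNT(*) AS starts,
       MIN(AcctStartTime) AS first_start, MAX(AcctStartTime) AS last_start
FROM radacct
WHERE AcctStopTime IS NULL
GROUP BY UserName, AcctSessionId
HAVING COUNT(*) > 1
ORDER BY first_start
"""

# One row per (user, session): the earliest Start wins; Stop time and counters
# come from whichever row carried them, so duplicates no longer skew the stats.
PER_SESSION_SQL = """
SELECT UserName, AcctSessionId,
       MIN(AcctStartTime)    AS start_time,
       MAX(AcctStopTime)     AS stop_time,
       MAX(AcctSessionTime)  AS session_time,
       MAX(AcctInputOctets)  AS octets_in,
       MAX(AcctOutputOctets) AS octets_out,
       COUNT(*)              AS rows_seen
FROM radacct
GROUP BY UserName, AcctSessionId
ORDER BY start_time
"""


def load_sample():
    """Create an in-memory radacct table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName, AcctStartTime, AcctStopTime,"
        " AcctSessionTime, AcctInputOctets, AcctOutputOctets)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def duplicate_starts(conn):
    """Return (UserName, AcctSessionId, starts, first_start, last_start) per affected session."""
    return conn.execute(DUPLICATE_STARTS_SQL).fetchall()


def per_session_stats(conn):
    """Return one consolidated row per (UserName, AcctSessionId)."""
    return conn.execute(PER_SESSION_SQL).fetchall()


if __name__ == "__main__":
    db = load_sample()
    for row in duplicate_starts(db):
        print("duplicate Start rows:", row)
    for row in per_session_stats(db):
        print("session:", row)
```

Against a MySQL radacct, replace `AcctStopTime IS NULL` with a comparison against the zero date shown in the table above, since that schema stores '0000-00-00 00:00:00' rather than NULL for an open session.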




Re: Mobile Phones Radius Authentications

2006-10-13 Thread nsuralullec
Correct me if my concept is wrong. I successfully
configured the radius.conf and proxy.conf to
authenticate my WAP mobile phone in freeradius,

MOBILE -> NAS -> RADIUS -> WAP Gateway

but after successful authentication it does not go
directly to my WAP gateway server, which is a Kannel
WAP gateway; a "page not found" is displayed. My mobile
configuration works if not authenticating with a
radius server. All the logs seem ok and are just waiting
for transactions.






Re: Mobile Phones Radius Authentications

2006-10-13 Thread Peter Nixon
On Fri 13 Oct 2006 14:51, nsuralullec wrote:
> Correct me if my concept is wrong. I successfully
> configured the radius.conf and proxy.conf to
> authenticate my WAP mobile phone in freeradius,
>
> MOBILE -> NAS -> RADIUS -> WAP Gateway
>
> but after successful authentication it does not go
> directly to my WAP gateway server, which is a Kannel
> WAP gateway; a "page not found" is displayed. My mobile
> configuration works if not authenticating with a
> radius server. All the logs seem ok and are just waiting
> for transactions.

Your concept is most likely wrong, but as you haven't provided network details
I can't be sure. Most likely radius and kannel are not in any way related.
Most likely radius is authing your PPP session, and then your phone initiates a
wap session AFTER it connects to the network. You either have a radius
problem, a wap problem or a network problem. With the info you have provided
it is not possible to tell.

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



RE: SQL Accounting oddness - SOLVED

2006-10-13 Thread John Williams
Ok solved this one.
Bloody sys admin hadn't opened the firewall for UDP packets on port 1646.
But he had opened TCP on port 1646, fat lot of good.

Sorry for taking up everyone's time with something that was easily solved if
I hadn't taken someone's word about the firewall.

Thanks
John


Re: Multiple instances of the exec module

2006-10-13 Thread K. Hoercher

On 10/13/06, Les Brinkworth [EMAIL PROTECTED] wrote:

> How does one define two instances of exec with different names that can
> be called from other sections?

Aaah, now it gets a bit clearer to me. You should take into account
the comments at the beginning of the modules{} section. That would
lead to something like:

> Code snippet from Modules section of radiusd.conf...
>
> exec doacctfoo {
>     wait = yes
>     program = "handlebillingrequests.exe ACCR:%Z"
>     input_pairs = request
>     output_pairs = reply
>     packet_type = Accounting-Request
> }
>
> ...This executes for an accounting request
>
> If I then add the same code to the authorize section...

ah no, that won't work. You just put it into the modules{} too, with
the analogous change:

> exec dorequestfoo {
>     wait = yes
>     program = "handlebillingrequests.exe AUTR:%Z"
>     input_pairs = request
>     output_pairs = reply
>     packet_type = Access-Request
> }
>
> ...it results in the following when I run debug
>
> radiusd.conf[1527] Unknown module rcode 'wait'.
> radiusd.conf[1513] Failed to parse authorize section.

Ok, that confuses freeradius way too much, as that is not the place to
define module instances (see above), especially when another one (the
unnamed one) already is present.

But you can now put the named defined ones in the appropriate section, e.g.

authorize {
    ...
    dorequestfoo
    ...
}

accounting {
    ...
    doacctfoo
    ...
}

There might be other ways of doing it (using the same module, but
changing the called program so it can cope with both tasks
accordingly), but keeping it simple at first and following the
recommendations in the comments looks preferable, at least until you
get some working config.

regards
K. Hoercher


logs: invalid Message-Authenticator! (Shared secret is incorrect.)

2006-10-13 Thread YvesDM
I try to get chillispot to work with freeradius. I can't authenticate. Log files show me this entry:

Fri Oct 13 14:38:28 2006 : Error: Received packet from 192.168.2.165 with invalid Message-Authenticator! (Shared secret is incorrect.) Dropping packet without response.
radius2:/var/log/freeradius#

Looks pretty obvious, though I'm sure the shared secret is correct in my clients.conf and in the chillispot configuration. Any hints?

Y.
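The check behind that log line, as an added example that is not part of the post or of FreeRADIUS: it builds a constructed Access-Request and computes the Message-Authenticator (HMAC-MD5 keyed with the shared secret, RFC 2869) the way the server verifies it, then shows the same packet passing under the NAS's secret and failing under a secret that differs by one letter. The secrets, identifier, user name and Request Authenticator are made up; only the NAS address 192.168.2.165 comes from the log line.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code, Identifier, Length, 16-octet Authenticator


def encode_attr(attr_type, value):
    """Encode one attribute as Type, Length, Value; Length covers the 2 header octets."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute, checking the TLV layout."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("attribute length runs past end of packet")
        yield pos, attr_type, packet[pos + 2:pos + length]
        pos += length


def compute_message_authenticator(packet, secret):
    """HMAC-MD5 keyed with the shared secret over the whole packet, with the
    Message-Authenticator value replaced by 16 zero octets (RFC 2869 sec. 5.14)."""
    work = bytearray(packet)
    found = False
    for offset, attr_type, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 octets")
            work[offset + 2:offset + 18] = bytes(16)
            found = True
    if not found:
        raise ValueError("packet carries no Message-Authenticator")
    return hmac.new(secret, bytes(work), hashlib.md5).digest()


def build_access_request(identifier, request_authenticator, attrs, secret):
    """Build an Access-Request with a Message-Authenticator computed under `secret`."""
    body = b"".join(attrs) + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    mac = compute_message_authenticator(packet, secret)
    # The zeroed placeholder is the last attribute, so its value is the final 16 octets.
    return packet[:-16] + mac


def verify_message_authenticator(packet, secret):
    """True if the packet's Message-Authenticator matches `secret`, else False.
    False is what FreeRADIUS reports as "invalid Message-Authenticator!
    (Shared secret is incorrect.)" before dropping the packet."""
    received = None
    for _offset, attr_type, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received = value
    if received is None or len(received) != 16:
        return False
    expected = compute_message_authenticator(packet, secret)
    return hmac.compare_digest(received, expected)


# Constructed sample. Secrets, identifier and Request Authenticator are made up;
# the NAS address is the one in the log line from the post.
NAS_SECRET = b"chilli-secret"       # what the NAS (chillispot) signs with
SERVER_SECRET = b"chilli-secert"    # a one-letter typo in clients.conf (constructed)
REQUEST_AUTHENTICATOR = bytes(range(16))

SAMPLE_REQUEST = build_access_request(
    identifier=7,
    request_authenticator=REQUEST_AUTHENTICATOR,
    attrs=[
        encode_attr(ATTR_USER_NAME, b"alice"),
        encode_attr(ATTR_NAS_IP_ADDRESS, bytes([192, 168, 2, 165])),
    ],
    secret=NAS_SECRET,
)


def demo():
    """Check the same request against the matching and the mismatched secret."""
    return {
        "matching_secret": verify_message_authenticator(SAMPLE_REQUEST, NAS_SECRET),
        "mismatched_secret": verify_message_authenticator(SAMPLE_REQUEST, SERVER_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Because the server picks the secret by the packet's source address, the same error also appears when 192.168.2.165 matches a different clients.conf entry (for example a wider netmask) than the one whose secret was checked.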

SSL_read failed in a system call

2006-10-13 Thread King, Michael
I posted this to the list back in September, but was unable to chase it
then.
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg29452.html

But it has returned with a vengeance.  It only seems to affect the 1.1.3
server. I have not tried any other versions, other than the 1.0.4 I've
listed below, which seems to work fine.

I think it's load related, since when I tested with a few clients, it
worked fine.  When I dumped 1000s of clients on it, with over 50 auths/sec,
things went horribly wrong.

I found this on the net with the same error string:
http://www.mail-archive.com/modssl-users@modssl.org/msg16180.html

> There is definitely something wrong in openssl 0.9.7a, or, mod_ssl
> 2.8.14 is trying to call 0.9.6 functions which are different/don't
> exist in 0.9.7

And I found this:
http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/2005-November/000418.html
Which has a link to:
http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1204  (OpenSSL's
BugTracker?)

> Use of SSL_OP_TLS_BLOCK_PADDING_BUG, which is included in SSL_OP_ALL,
> triggers a bug in OpenSSL if both the client and server are using
> version 0.9.8.

Unfortunately, I'm using 0.9.7

Here's my status
I've built a new radius server.

FreeRADIUS 1.1.3
Winbind using ntlm_auth to talk to Active Directory.

Mostly XP clients using the Built-in XP supplicant. (PEAP)
Running on RedHat RHEL 4
Server has a trusted root Cert from Equifax.  (I do NOT have a
self-signed Cert)
Server name is brand new, it has never been used in my network before
OpenSSL is openssl-0.9.7a-43.11 via Up2date

I got it all setup and operating correctly (based on my 1.0.4 config
that's been in production for 1.5 years).  Tested it with a few clients,
everything looks fine.

I put some major traffic on it, and everything goes downhill.  :-(

The logs read this (per user)

Wed Oct 11 17:57:58 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Oct 11 17:57:58 2006 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Wed Oct 11 17:57:58 2006 : Error: TLS Alert write:fatal:bad record mac
Wed Oct 11 17:57:58 2006 : Error: TLS_accept:error in SSLv3 read certificate verify A
Wed Oct 11 17:57:58 2006 : Error: rlm_eap: SSL error error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Wed Oct 11 17:57:58 2006 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Wed Oct 11 17:57:58 2006 : Auth: Login incorrect: [BSC\\mking] (from client BUWiSM-1-2 port 29 cli 00-90-96-F4-2A-BB)

For every single user.

At the very beginning, a few users authenticate fine, nobody gets on
after that. (All this in the first second of starting the server)

So I move everyone back to my working server (version 1.0.4, OpenSSL is
0.9.7e-3 via debian)

Now, it's still in this state.  If I stop and start the server, it'll be
normal again.

Is there any kind of debugging info I can get you right now without
killing the running process?

I moved traffic to the server at:
 17:54:03
I moved traffic off at:
 17:54:36

As you can see above, I tried it with a test station at 17:57:58, and it
was still busted.  (Test station worked fine at 17:50)


Also, I checked out the /var/log/messages file, it had this weirdness in
it.  I tried restarting winbindd a few seconds before these time stamps,
so that may be what threw all the error messages.

Oct 11 17:02:42 radius1 kernel: audit(1160600562.652:20): avc:  denied  { search } for  pid=2831 comm=winbindd name=lib dev=dm-0 ino=589826 scontext=user_u:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir
Oct 11 17:02:42 radius1 kernel: audit(1160600562.652:21): avc:  denied  { getattr } for  pid=2831 comm=winbindd name=samba dev=dm-0 ino=589961 scontext=user_u:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir
Oct 11 17:57:44 radius1 winbind: winbindd shutdown succeeded
Oct 11 17:57:46 radius1 kernel: audit(1160603866.541:22): avc:  denied  { setattr } for  pid=4000 comm=winbindd name=winbindd dev=dm-0 ino=590836 scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t tclass=dir
Oct 11 17:57:46 radius1 kernel: audit(1160603866.566:23): avc:  denied  { write } for  pid=4000 comm=winbindd name=secrets.tdb dev=dm-0 ino=937186 scontext=root:system_r:winbind_t tcontext=root:object_r:samba_etc_t tclass=file
Oct 11 17:57:46 radius1 kernel: audit(1160603866.566:24): avc:  denied  { search } for  pid=4000 comm=winbindd name=lib dev=dm-0 ino=589826 scontext=root:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir
Oct 11 17:57:46 radius1 kernel: audit(1160603866.566:25): avc:  denied  { read write } for  pid=4000 comm=winbindd name=gencache.tdb dev=dm-0 ino=590838 scontext=root:system_r:winbind_t tcontext=root:object_r:var_lib_t tclass=file
Oct 11 17:57:46 radius1 kernel: audit(1160603866.566:26): avc:  denied  { lock } for  pid=4000 comm=winbindd name=gencache.tdb dev=dm-0 ino=590838 scontext=root:system_r:winbind_t 

RE: Multiple instances of the exec module

2006-10-13 Thread Les Brinkworth
K.  Many thanks for clarifying...

Les

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of K. Hoercher
Sent: 13 October 2006 14:44 PM
To: FreeRadius users mailing list
Subject: Re: Multiple instances of the exec module

On 10/13/06, Les Brinkworth [EMAIL PROTECTED] wrote:
 How does one define two instances of exec with different names that 
 can be called from other sections?

Aaah, now it gets a bit more clear to me. You should take into account
the comments at the beginning of the modules{} section. That would lead
to something like:

 Code snippet from Modules section of radiusd.conf...

 exec doacctfoo {
 wait = yes
 program = handlebillingrequests.exe ACCR:%Z
 input_pairs = request
 output_pairs = reply
 packet_type = Accounting-Request
 }

 ...This executes for an accounting request

 If I then add the same code to the authorize section...

ah no, that won't work. you just put it into the modules{} too with
analogous change:


 exec dorequestfoo {
 wait = yes
 program = handlebillingrequests.exe AUTR:%Z
 input_pairs = request
 output_pairs = reply
 packet_type = Access-Request
 }

 ...it results in the following when I run debug

 radiusd.conf[1527] Unknown module rcode 'wait'.
 radiusd.conf[1513] Failed to parse authorize section.

Ok, that confuses freeradius way too much, as that is not the place to
define module instances (see above), especially when another one (the
unnamed one) is already present.

But you can now put the named defined ones in the appropriate section
e.g.

authorize {
 ...
 dorequestfoo
 ...
 }

accounting {
  ...
 doacctfoo
...
}

There might be other ways of doing it, (using the same module, but
changing the called program, so it can cope with both tasks
accordingly) but keeping it simple at first and following the
recommendations in the comments looks preferable, at least until you get
some working config.

regards
K. Hoercher


ldap attribtes from accounting{} and acct_users/users files

2006-10-13 Thread Tariq Rashid

I wonder if its possible to do ldap lookups when handling accounting (start) 
packets? This would likely mean adding an ldap entry to the accounting{} 
section of the radiusd.conf file. 

At the moment I am calling an external script from the acct-users file using:

DEFAULT Acct-Status-Type == Start
	Exec-Program = /etc/freeradius/scripts/acct_start.py %{User-Name}

but this is inefficient as I want to only start an external interpreter if an 
ldap attribute is set to certain values. If the freeradius daemon, which holds 
open sessions to the ldap server, can re-use those connections during the 
accounting phase, the acct-users file could restrict calling the external 
code based on those attributes ... something like:

DEFAULT Acct-Status-Type == Start, Ldap_Attribute == My_Specific_Value_1
	Exec-Program = /etc/freeradius/scripts/acct_start.py %{User-Name}

DEFAULT Acct-Status-Type == Start, Ldap_Attribute == My_Specific_Value_2
	Exec-Program = /etc/freeradius/scripts/acct_start.py %{User-Name}

i've not found anyone try this.

Is it a bad idea to try to get the rlm_ldap module called from the 
accounting{} section? Can the returned attributes be mapped or accessed such as 
{%ldap:Attribute_Name} or similar?

I'm prepared to do some development work to get this working - i know that when 
i last looked at freeradius 1.0.2 accessing ldap attributes from the users 
files was not possible.

any ideas or comments or pointers would be gratefully received

tariq



RE: Active Directory with NTLM_AUTH

2006-10-13 Thread Garber, Neal
 What is added to the user file for this? Is it similar to below:

Do you need those reply attributes returned?  If not, you may not need
anything in the users file.  I don't have anything in mine, but I'm not
using radius for dial-up/PPP.

 Can I simply use the: --require-membership-of='DOMAIN\Group'
 option of ntlm_auth to accomplish the group check?

I've used this option manually with clear-text passwords, but I haven't
tried it from mschap in FR.  Does it work for you when you run ntlm_auth
from a shell prompt?  If you can't get it to work from mschap, you can
have LDAP get the user's group memberships by adding a checkItem to
ldap.attrmap.  In our environment, the groups to which a user is a
member are stored in the memberOf LDAP attribute.  So, I have the
following in my ldap.attrmap file:

checkItem Ldap-Group  memberOf

Then, ensure ldap is in your authorize section.  This checkItem will
cause ldap to create one Ldap-Group check attribute for each group to
which the user is a member.  In the past, I have successfully used
checkval to do the comparison.  The checkval module compares a request
attribute to a check attribute.  If your group name isn't in a request
attribute, you can use attr_rewrite to add a request attribute with the
group name you desire to test against.  You would then put checkval
after the attr_rewrite and ldap modules in authorize.  

I'm currently using perl to do authorization because of the flexibility
it affords.  (In my case, depending upon the Huntgroup-Name, the group
membership requirement varies.  Also, for some Huntgroups, I allow
several groups and I return a custom reply attribute that specifies the
user's privilege level based on which group they were a member.)  If you
use perl, you wouldn't need attr_rewrite or checkval.

I haven't been using FR for very long so this may not be the best
approach.  However, I'm sure others will chime in if there are better
alternatives.




Re: logs: invalid Message-Authenticator! (Shared secret is incorrect.)

2006-10-13 Thread K. Hoercher

Hi,

On 10/13/06, YvesDM [EMAIL PROTECTED] wrote:

Looks pretty obvious, though, I'm sure the shared secret is correct in my
clients.conf and in the chillispot configuration.
Any hints?


Well, as you said yourself, it looks pretty obvious. But as it would
be extremely unlikely for both statements to be true, I'd suggest (in
no particular order):

Check clients.conf for possible more specific entries overriding those
for subnets. Does some sql reading of NAS entries set another secret? Do
the allegedly correct config files actually get used by freeradius (been
there, done that *g*).

Something to the same effect regarding chilli.conf.

Some of that might have been ruled out/in already, had you provided
the full debug output and pertinent snippets from your config.

Sniff the radius traffic, and check validity manually. See src/lib/hmac.c

hth
K. Hoercher
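"Sniff the radius traffic, and check validity manually" is worth spelling out. The block below is an added example, not code from the thread or from FreeRADIUS: it does in Python what src/lib/hmac.c does for the server, computing the Message-Authenticator of RFC 2869 section 5.14 (HMAC-MD5 keyed with the shared secret over the packet with the attribute's value zeroed) and, for responses, the Response Authenticator of RFC 2865 section 3. The packets, the secret "testing123" and the NAS address are constructed for the example; with a real capture you would feed the UDP payload bytes from the sniffer to verify() or find_secret() together with each secret from clients.conf.

```python
"""Check a RADIUS packet's Message-Authenticator (RFC 2869 s5.14) and, for
responses, its Response Authenticator (RFC 2865 s3) against a shared secret.
The packets and the secret below are constructed for this example."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def iter_attrs(packet):
    """Yield (type, value_offset, value) for every attribute after the header."""
    off = HEADER_LEN
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            raise ValueError("bad attribute length")
        yield atype, off + 2, packet[off + 2:off + alen]
        off += alen


def message_authenticator(packet, secret, ma_offset, request_authenticator=None):
    """HMAC-MD5(secret) over the packet with the Message-Authenticator value
    zeroed. A response is keyed on the authenticator of the *request* it
    answers, so that value is substituted into the header before hashing."""
    buf = bytearray(packet)
    if request_authenticator is not None:
        buf[4:HEADER_LEN] = request_authenticator
    buf[ma_offset:ma_offset + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def response_authenticator(packet, secret, request_authenticator):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(packet[:4] + request_authenticator
                       + packet[HEADER_LEN:] + secret).digest()


def build_packet(code, ident, request_authenticator, secret, attrs):
    """Build a packet whose last attribute is a correct Message-Authenticator.
    For an Access-Request, request_authenticator is this packet's own (random)
    Request Authenticator; for a response it is the authenticator of the
    request being answered, and the Response Authenticator is filled in last."""
    body = b""
    for atype, value in attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        body += struct.pack("!BB", atype, len(value) + 2) + value
    length = HEADER_LEN + len(body)
    pkt = bytearray(struct.pack("!BBH", code, ident, length)
                    + request_authenticator + body)
    ma_off = length - 16                     # the MA we appended is last
    pkt[ma_off:] = message_authenticator(pkt, secret, ma_off)
    if code != ACCESS_REQUEST:
        pkt[4:HEADER_LEN] = response_authenticator(pkt, secret, request_authenticator)
    return bytes(pkt)


def verify(packet, secret, request_authenticator=None):
    """True when the Message-Authenticator (and, for a response, also the
    Response Authenticator) is valid under secret; False on any defect."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    try:
        found = [(off, v) for t, off, v in iter_attrs(packet)
                 if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    ma_off, received = found[0]
    expected = message_authenticator(packet, secret, ma_off, request_authenticator)
    ok = hmac.compare_digest(expected, received)
    if code != ACCESS_REQUEST:
        if request_authenticator is None:
            return False
        ok = ok and hmac.compare_digest(
            response_authenticator(packet, secret, request_authenticator),
            packet[4:HEADER_LEN])
    return ok


def find_secret(packet, candidates, request_authenticator=None):
    """First candidate secret (e.g. each clients.conf entry) that validates
    the packet, or None if none does."""
    for secret in candidates:
        if verify(packet, secret, request_authenticator):
            return secret
    return None


# Constructed sample traffic, standing in for a sniffed NAS exchange.
SECRET = b"testing123"                  # assumed shared secret
REQ_AUTH = bytes(range(16))             # a real NAS picks this at random
SAMPLE_REQUEST = build_packet(ACCESS_REQUEST, 7, REQ_AUTH, SECRET, [
    (ATTR_USER_NAME, b"yves"),
    (ATTR_NAS_IP_ADDRESS, bytes([10, 1, 1, 2])),
])
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, 7, REQ_AUTH, SECRET, [])

if __name__ == "__main__":
    print("request, right secret:", verify(SAMPLE_REQUEST, SECRET))
    print("request, wrong secret:", verify(SAMPLE_REQUEST, b"wrong"))
    print("matching clients.conf secret:",
          find_secret(SAMPLE_REQUEST, [b"s3cret", b"testing123"]))
    print("accept, keyed on the request's authenticator:",
          verify(SAMPLE_ACCEPT, SECRET, REQ_AUTH))
```

A request that fails under every secret you know of means the NAS is signing with something else (a stale secret after a config change, a different clients.conf entry matching its source address), which is exactly the situation the log line describes.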


Re: logs: invalid Message-Authenticator! (Shared secret is incorrect.)

2006-10-13 Thread Paul Lambert
Hi,

Have you checked your authentication protocol on the shared secret? Are
you sending with CHAP when freeradius is not expecting it or vice versa?
Have you tried testing with a radius test client - this should allow you
to determine if the problem is in the Client or the Server config... or
just a misconfiguration between the two!

Kind regards,
Paul.

On 10/13/06, K. Hoercher [EMAIL PROTECTED] wrote:
 Hi,

 On 10/13/06, YvesDM [EMAIL PROTECTED] wrote:
  Looks pretty obvious, though, I'm sure the shared secret is correct in my
  clients.conf and in the chillispot configuration.
  Any hints?

 Well, as you said yourself, it looks pretty obvious. But as it would
 be extremely unlikely for both statements to be true, I'd suggest (in
 no particular order):

 Check clients.conf for possible more specific entries overriding those
 for subnets. Does some sql reading of NAS entries set another secret? Do
 the allegedly correct config files actually get used by freeradius (been
 there, done that *g*).

 Something to the same effect regarding chilli.conf.

 Some of that might have been ruled out/in already, had you provided
 the full debug output and pertinent snippets from your config.

 Sniff the radius traffic, and check validity manually. See src/lib/hmac.c

 hth
 K. Hoercher

Re:Re:Help: How to authenticate additional attribute

2006-10-13 Thread Chew, Heng Hui \(Andy\) FORNATL, SN

 The location coordinate is a value e.g. 10,10 100,100 input by a system or the user and it serves as another set of authentication parameters in addition to the password. So whenever the user is authenticated, he has to input the password and location coordinates.

At present, I would like to modify/configure the freeradius server so that when the radius server authenticates the user, or whenever the user re-associates with the AP, it will prompt the user to enter the password and location coordinates. Thereafter, the radius server will check the password and the location coordinate. If either is not right, it will reject the connection. The server will maintain a set of legitimate location coordinates in a file and it will be updated by another program automatically. 

In the future, the coordinate may be derived by a system.

Can you tell me how I may configure/modify the freeradius server to make it work?

Thanks.



  I would like to authenticate the client with its location coordinate

 You didn't provide much information about what a location coordinate
 is and how you would determine whether you would allow/deny access. Is
 this where the user is located geographically? Do you want them to
 enter it or should it be derived?



With Regards,

Chew Heng Hui Andy





changing default session time on the fly

2006-10-13 Thread Wade Kemp

Greetings,
	We have been using freeradius for a couple of years now and have been
very satisfied with it.

One issue I have is we change the default session time based on the
time the connection is made. The accounts are all system accounts (not
my doing) and we are now using mysql as a backend for all accounts that
aren't normal (ie static IP, paid longer connection time, multiple
accesses). What we do now is, via a cron job, change the users file where
the only difference is the Session-Timeout value and then HUP freeradius.

My question is: can this be put into the sql database and have it figure
out the session time, or should I just stick with the current set up?

Here is one of my users files; it only differs from the others in the
Session-Timeout value.



DEFAULT Auth-Type := System
	Service-Type = Framed,
	Framed-Protocol = PPP,
	Framed-IP-Netmask = 255.255.255.255,
	Framed-Routing = None,
	Framed-MTU = 1500,
	Framed-Compression = VanJacobson-TCP-IP,
	Idle-Timeout = 800,
	Session-Timeout = 14400,
	Fall-Through = 1

DEFAULT Simultaneous-Use := 1
	Fall-Through = 1


Thanks,
Wade



Re: logs: invalid Message-Authenticator! (Shared secret is incorrect.)

2006-10-13 Thread YvesDM
On 10/13/06, Paul Lambert [EMAIL PROTECTED] wrote:
 Hi,

 Have you checked your authentication protocol on the shared secret? Are
 you sending with CHAP when freeradius is not expecting it or vice versa?
 Have you tried testing with a radius test client - this should allow you
 to determine if the problem is in the Client or the Server config... or
 just a misconfiguration between the two!

 Kind regards,
 Paul.

 On 10/13/06, K. Hoercher [EMAIL PROTECTED] wrote:
  Hi,

  On 10/13/06, YvesDM [EMAIL PROTECTED] wrote:
   Looks pretty obvious, though, I'm sure the shared secret is correct in my
   clients.conf and in the chillispot configuration.
   Any hints?

  Well, as you said yourself, it looks pretty obvious. But as it would
  be extremely unlikely for both statements to be true, I'd suggest (in
  no particular order):

  Check clients.conf for possible more specific entries overriding those
  for subnets. Does some sql reading of NAS entries set another secret? Do
  the allegedly correct config files actually get used by freeradius (been
  there, done that *g*).

  Something to the same effect regarding chilli.conf.

  Some of that might have been ruled out/in already, had you provided
  the full debug output and pertinent snippets from your config.

  Sniff the radius traffic, and check validity manually. See src/lib/hmac.c

  hth
  K. Hoercher


Tnx for the answers. 
Meanwhile I've upgraded chillispot to the newest version, changed the
shared secrets into something else and reloaded the radius
configuration and the problem was gone.

Y.

howto mac address (help please)

2006-10-13 Thread Marwan Sultan

Hello everyone,


I'm on chillispot, freebsd6.1R, mysql 4.1, phpmyprepaid
I have been told that I could do this in the chilli.conf file (macallowed 
mac_adrs_here)

which will allow this specific mac address to pass the authentication.

But I have also been told to add it in the freeradius users file.
Would anyone please let me know how to add this mac address in the 
freeradius file?
Is it only in the users file? And which database table should I add it to, 
and how?

The tables are created by phpmyprepaid.

Thank you so much in advance.
Marwan Sultan.



NAS Documentation

2006-10-13 Thread Abel Monzon



Hello list,

I need a good documentation+example to understand 
how I configure the NAS administration.

Tnx
Abel

WPA authentication works but takes a very long time

2006-10-13 Thread Giuseppina Venezia

Hi all,
I'm using freeradius 1.1.3 with PEAP and EAP-TTLS. The authentication
using MacOS works, but the time spent from when the client inserts
username and password until the moment when the user is authenticated
(and obtains the IP address) is very long, about 2 minutes. Is it normal
that authentication using WPA takes all this time?
The access point is configured for using WPA-Auto-Enterprise, *Auto*
means that WPA1 and WPA2 are simultaneously supported.
What could be the problem?

I attach the log of the first 6 requests received by the radius server:

Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.181.1:1025, id=0, length=118
User-Name = prof1
EAP-Message = 0x0209000a0170726f6631
Message-Authenticator = 0x47215532a35576a17075df36ea3fc3ff
Calling-Station-Id = 00-17-F2-44-11-C2
Called-Station-Id = 00-50-BF-E3-E8-2A
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
NAS-IP-Address = 0.0.0.0
NAS-Identifier = 14
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
   rlm_realm: No '@' in User-Name = prof1, looking up realm NULL
   rlm_realm: Found realm NULL
   rlm_realm: Adding Stripped-User-Name = prof1
   rlm_realm: Proxying request from user prof1 to realm NULL
   rlm_realm: Adding Realm = NULL
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: EAP packet type response id 9 length 10
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 1
   users: Matched entry DEFAULT at line 154
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=mydepartment,dc=mydomain,dc=it'
radius_xlat:  '(uid=prof1)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=mydomain,dc=it/PASSWORD to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (uid=prof1)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(|((objectClass=GroupOfNames)(member=cn\3dMaurizio Costanzo\2cou\3dfaculty\2cou\3ddspsa\2cou\3dmydepartment\2cdc\3dmydomain\2cdc\3dit))((objectClass=GroupOfUniqueNames)(uniquemember=cn\3dMaurizio Costanzo\2cou\3dfaculty\2cou\3ddspsa\2cou\3dmydepartment\2cdc\3dmydomain\2cdc\3dit)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter ((cn=student)(|((objectClass=GroupOfNames)(member=cn\3dMaurizio Costanzo\2cou\3dfaculty\2cou\3ddspsa\2cou\3dmydepartment\2cdc\3dmydomain\2cdc\3dit))((objectClass=GroupOfUniqueNames)(uniquemember=cn\3dMaurizio Costanzo\2cou\3dfaculty\2cou\3ddspsa\2cou\3dmydepartment\2cdc\3dmydomain\2cdc\3dit
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it, with filter (objectclass=*)
rlm_ldap::groupcmp: Group student not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module files returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for prof1
radius_xlat:  '(uid=prof1)'
radius_xlat:  'ou=mydepartment,dc=mydomain,dc=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (uid=prof1)
rlm_ldap: checking if remote access for prof1 is allowed by userPassword
rlm_ldap: Added password a in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusGroupName as Ldap-Group, value professor  op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-05-5D-25-12-5B  op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-02-C7-8F-A0-16  op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-0B-6B-4A-22-E8  op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-17-F2-44-11-C2  op=21
rlm_ldap: Adding userPassword as User-Password, value a  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFilterId as Filter-Id, value 98  op=11
rlm_ldap: user prof1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 1
rlm_checkval: Item Name: Calling-Station-Id, Value: 

Re: NAS Documentation

2006-10-13 Thread Kevin Bonner
On Friday 13 October 2006 10:14, Abel Monzon wrote:
 Hello list,

 I need a good documentation+example to understand how I configure the NAS
 administration.

 Tnx
 Abel

What NAS hardware are you using?
What NAS administration are you expecting FreeRADIUS to provide (auth admins 
for console access, provide route/tunnel/ip pool configs, etc.)?

Please provide a better description of what you are trying to do so that we 
can make helpful suggestions.

Kevin Bonner



WPA authentication works but takes a very long time

2006-10-13 Thread Jason Wittlin-Cohen

 Hi all,
 I'm using freeradius 1.1.3 with PEAP and EAP-TTLS. The authentication
 using MacOS works, but the time spent from when the client inserts
 username and password until the moment when the user is authenticated
 (and obtains the IP address) is very long, about 2 minutes. Is it normal
 that authentication using WPA takes all this time?
 The access point is configured for using WPA-Auto-Enterprise, *Auto*
 means that WPA1 and WPA2 are simultaneously supported.
 What could be the problem?

 I attach the log of the first 6 requests received by the radius server:
   
I've noticed that the time it takes to authenticate a client using
EAP-TLS is heavily dependent on the Wireless Supplicant used. The best
way to tell whether the RADIUS server is at fault is to simply run a
packet sniffer in the background like Ethereal/Wireshark and see when
EAP authentication starts and how long it takes. With the Windows XP SP2
MS supplicant login usually takes 5 OR 34 seconds. When I ran a packet
sniffer I noticed that the client didn't initiate the EAP exchange until
33 seconds had gone by and the actual exchange took .55 seconds-
basically instantaneous.

However, when I use the Funk Odyssey Client authentication occurs in
about 1 second. The Intel PROset wireless supplicant takes a few
seconds- all are much faster than the MS Supplicant. The only way to
tell what's holding things up is to run the packet sniffer and see
what's going on. If you see nothing happening for 2 minutes, and at the
last second the EAP exchange occurs, you know it's the supplicant. If
the EAP exchange starts and stalls for a long period of time, it's
likely your RADIUS setup.

Jason