Accounting-Response
I need to configure freeradius to send specific attributes in the Accounting-Response packet! I use a MySQL database, so it would be nice to configure freeradius to send these attributes (in a VSA) from the database! In sql.conf there are auth_reply configuration queries, but I couldn't find a way to do the same for Accounting-Response! My NAS is absolutely configurable, so there is no problem with the NAS understanding these new attributes! Thanks! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_krb5
[EMAIL PROTECTED] wrote: Can't use that as an argument, mickeysoft strongly recommends to leave it disabled, and I'm not the windows admin.
Don't send HTML to the list. As Alan has tried to explain, the Reversible Encryption flag in AD is not needed. So you don't need to change anything. Just set up Samba on your machine, join the domain, and configure FreeRadius to use the ntlm_auth helper in the mschap module. This is documented in lots of places. Use google.
Re: Double-free in src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c causes crash on HUP
Phil Mayers wrote:
At least on RHEL4 with glibc 2.3.4-2.13, a double-free in the above file causes a crash on HUP in some circumstances. I've confirmed that removing this fixes the issue.
    459
    460         free(conf->check_cert_cn);
    461         free(conf->check_cert_cn);
    462         free(conf->cipher_list);
Submitted to bugs.freeradius.org as bug 404. The bug tracker is insanely slow...
Freeradius server can not see any request from clients.
Hi, everyone, I face a very strange problem right now when I configure a freeradius server with PEAP + LDAP. I can start the radius in debug mode properly. I get the following lines:
    Listening on authentication *:1812
    Listening on accounting *:1813
    Ready to process requests.
Then I did a test by using "radtest username password localhost 0 sharedsecret" and the radius server replied with an Access-Accept message. So, I think the server works just fine. But when I tested by using "radtest username password IP-of-server 0 sharedsecret" from a client connected to the server through a hub, I can not get anything back. I did not even see any Access-Request information in debug mode on the radius server. It looks like the radius doesn't receive anything. However, I sniffed the interface via Ethereal and used "tcpdump -v port 1812" on the server, and I do see the Access-Request packet received by the interface on the server; I confirmed that port 1812 is open. Please give me some idea. Any advice or solution is welcome. Thank you very much! Best Regards Richard
Re: Freeradius server can not see any request from clients.
I guess you didn't type "radtest username password localhost 0 sharedsecret" but "radtest username password localhost 1812 sharedsecret". Why send it to port 0?
richard Bai [EMAIL PROTECTED] wrote: Then I did a test by using "radtest username password localhost 0 sharedsecret" and the radius server replied with an Access-Accept message. So, I think the server works just fine. But when I tested by using "radtest username password IP-of-server 0 sharedsecret" from a client connected to the server through a hub, I can not get anything back.
Radius Attributes
Hello all, How must I configure my freeradius server to include in the Access-Accept response to the AP several radius attributes such as Session-Timeout or Framed-IP-Address? Thanks in advance.
-- Manuel Sanchez Cuenca, Departamento de Ingenieria de la Informacion y las Comunicaciones, Facultad de Informatica, Universidad de Murcia, Campus de Espinardo - 30080 Murcia (SPAIN). Tel.: +34-968-364644 Fax: +34-968-364151 email: [EMAIL PROTECTED] | [EMAIL PROTECTED] url: http://libra.inf.um.es/~lolo
Re: Freeradius server can not see any request from clients.
Hi, Actually, the 0 in the radtest command means NAS-Port. Since 1812 is the default port for radius defined in /etc/service, the Access-Request is always sent to port 1812. I can see the same message as follows when I type either 0 or 1812:
    Sending Access-Request of id 40 to IP-of-server port 1812
        User-Name = username
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0/1812 (According to the number typed in the radtest command)
Now, I am not sure whether the RADIUS server receives the Access-Request from the client or not. As I said, I can see the packet arrive at the interface and port of the server, but no information is printed out in RADIUS debug mode. And the local test just works fine. Thanks! BR Richard
On 10/26/06, Vasea Marii [EMAIL PROTECTED] wrote: I guess you didn't type "radtest username password localhost 0 sharedsecret" but "radtest username password localhost 1812 sharedsecret". Why send it to port 0?
Re: Freeradius server can not see any request from clients.
Sounds like you may be running iptables or other similar filter software on your server which is blocking the packet from reaching RADIUS. Owen
On Oct 26, 2006, at 4:38 AM, richard Bai wrote: I did not even see any Access-Request information in debug mode on the radius server. It looks like the radius doesn't receive anything. However, I sniffed the interface via Ethereal and used "tcpdump -v port 1812" on the server, and I do see the Access-Request packet received by the interface on the server; I confirmed that port 1812 is open.
Re: Freeradius server can not see any request from clients.
Richard, to be sure about the packet arriving at the radius machine and to see the content of the packet you can use netcat.
@radius-server:
    nc -l -u -p 1812 -vv -o /tmp/dump_hex_packet
(will use UDP and dump hex info)
@client_machine:
    radtest as usual
Hope it helps.
[EMAIL PROTECTED] wrote on 10/26/2006 09:29:27 AM: Now, I am not sure whether the RADIUS server receives the Access-Request from the client or not. As I said, I can see the packet arrive at the interface and port of the server, but no information is printed out in RADIUS debug mode. And the local test just works fine.
Re: HUP causes crashes [was: Error: ERROR: Tunnel-Password attribute in request]
On Thu, Oct 26, 2006 at 12:22:48AM +0100, Phil Mayers wrote:
B Thompson wrote:
On Wed, Oct 25, 2006 at 10:57:55AM +0100, Phil Mayers wrote:
B Thompson wrote: I cannot continue to use 1.1.3 as we are regularly using HUP to re-read the configs and there appears to be a problem with this in versions 1.0.1.
Yes, there does. I haven't had time to gather the relevant debugging info (we just restart instead of HUP the server as a workaround) but we have several processes running on the same box. Some crash on hup, some don't. Those that do are the ones with the eap/peap modules enabled, so I am thinking it might be SSL related. What platform are you running on?
We're on RHEL4, OpenSSL 0.9.7a, FreeRadius 1.1.3
Yes, same here. Found it. Double-free at line 460 of src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c - see the email I just sent.
There must be two separate issues with HUP as this has not fixed the problems we are seeing. Here is my original email about it:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-March/051856.html
-- Ben Thompson
Re: Freeradius server can not see any request from clients.
Hi, Everyone, Thanks for helping. I think I have found the problem. The damn Firewall is running automatically with the system. After I disabled it, RADIUS started responding. So, although I can see the request packet arrive at the interface and port with the tcpdump command, it doesn't mean the RADIUS server sees the packet. Thanks again! BR Richard
On 10/26/06, Hernan Antolini [EMAIL PROTECTED] wrote: Richard, to be sure about the packet arriving at the radius machine and to see the content of the packet you can use netcat.
@radius-server:
    nc -l -u -p 1812 -vv -o /tmp/dump_hex_packet
(will use UDP and dump hex info)
@client_machine:
    radtest as usual
Hope it helps.
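As an added example (not code from this thread or from the FreeRADIUS project), here is a small Python listener that does what the netcat suggestion above does, but decodes the Access-Request (code, id, authenticator and the attributes radtest sends) instead of dumping hex, so you can tell whether the datagram reaches userspace or is dropped by a host firewall before radiusd ever sees it. The sample packet, shared secret and Request Authenticator are constructed here and are not values from the thread.

```python
import hashlib
import socket
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response"}
# RFC 2865 attribute types that radtest puts in its request.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port"}
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Request Authenticator


def decode_value(atype, value):
    """Render an attribute value roughly the way radiusd -X prints it."""
    if atype == 2:  # User-Password is hidden (RFC 2865 5.2); show it as hex
        return value.hex()
    if atype == 4:  # NAS-IP-Address is a 4-byte IPv4 address
        return socket.inet_ntoa(value)
    if atype == 5:  # NAS-Port is a 32-bit integer
        return struct.unpack("!I", value)[0]
    return value.decode("utf-8", "replace")


def parse_radius(packet):
    """Decode header and attributes; raise ValueError on a malformed packet."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length, authenticator = HEADER.unpack_from(packet)
    # The Length field is authoritative: bytes beyond it are padding to ignore,
    # a datagram shorter than it is truncated and must be discarded.
    if length < HEADER.size or length > len(packet):
        raise ValueError("bad Length %d for a %d-byte datagram" % (length, len(packet)))
    attrs, pos = [], HEADER.size
    while pos < length:
        if length - pos < 2:
            raise ValueError("dangling byte where an attribute header should be")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d has invalid length %d" % (atype, alen))
        value = packet[pos + 2:pos + alen]
        attrs.append((ATTR_NAMES.get(atype, "Attr-%d" % atype), decode_value(atype, value)))
        pos += alen
    return {"code": RADIUS_CODES.get(code, "Code-%d" % code), "id": ident,
            "authenticator": authenticator.hex(), "attributes": attrs}


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR 16-byte blocks with chained MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: what radiusd does with the client's shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, authenticator, username, password, nas_ip, nas_port):
    """Assemble an Access-Request carrying the same attributes radtest sends."""
    def avp(atype, value):
        return struct.pack("!BB", atype, 2 + len(value)) + value
    body = (avp(1, username.encode()) +
            avp(2, hide_password(password.encode(), secret, authenticator)) +
            avp(4, socket.inet_aton(nas_ip)) +
            avp(5, struct.pack("!I", nas_port)))
    return HEADER.pack(1, ident, HEADER.size + len(body), authenticator) + body


def listen(port=1812, timeout=30.0):
    """Bind UDP/port (stop radiusd first) and decode the first datagram.
    Returns (peer, decoded) or None on timeout; if tcpdump shows the request but
    this never returns, a host firewall (as in the thread) is dropping it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        sock.settimeout(timeout)
        try:
            data, peer = sock.recvfrom(4096)
        except socket.timeout:
            return None
        return peer, parse_radius(data)


# Constructed sample mirroring the radtest output quoted above (id 40,
# NAS-IP-Address 255.255.255.255, NAS-Port 0). The secret and authenticator
# are made-up values, not anything from the thread.
SAMPLE_SECRET = b"sharedsecret"
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_REQUEST = build_access_request(40, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR,
                                      "username", "password", "255.255.255.255", 0)

if __name__ == "__main__":
    print(parse_radius(SAMPLE_REQUEST))
    print(listen() or "no packet received within the timeout")
```

Run it on the RADIUS host with radiusd stopped, then fire radtest from the client; the decoded User-Password stays opaque hex unless you also hold the shared secret, which is the only thing protecting it on the wire.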
freeradius and ntlm_auth howto
All, I am trying to authenticate my wifi users via our AD. I'm finding bits and pieces on the internet to configure things, but no completely usable howto. Can one of the users look at the output below and point me to the correct solution/howto? I set up smb.conf, krb5.conf and freeradius. I joined the server to the domain and tested the connection with ntlm_auth:
    [EMAIL PROTECTED] ~]# /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --domain=KMT-EU.KMTG.NET
    password:
    NT_STATUS_OK: Success (0x0)
    [EMAIL PROTECTED] ~]#
Rights of the winbind pipe:
    ls -l /var/cache/samba/winbindd_privileged
    total 0
    srwxrwxrwx 1 root root 0 Oct 25 14:46 pipe
Below is the debug output of freeradius:
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 7
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/peap
    rlm_eap: processing type peap
    rlm_eap_peap: Authenticate
    rlm_eap_tls: processing TLS
    eaptls_verify returned 7
    rlm_eap_tls: Done initial handshake
    eaptls_process returned 7
    rlm_eap_peap: EAPTLS_OK
    rlm_eap_peap: Session established. Decoding tunneled attributes.
    rlm_eap_peap: EAP type mschapv2
    rlm_eap_peap: Tunneled data is valid.
    PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c38a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
    PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
    PEAP: Adding old state with a4 c3
    PEAP: Sending tunneled request
        EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c38a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = KMT-EU.KMTG.NET\\sstruyf
        State = 0xa4c337a92357e8d90a5f8c64b37d2df1
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 7
    modcall[authorize]: module preprocess returns ok for request 7
    modcall[authorize]: module mschap returns noop for request 7
    rlm_realm: No '@' in User-Name = KMT-EU.KMTG.NET\sstruyf, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module kmt-eu.kmtg.net returns noop for request 7
    rlm_realm: Looking up realm KMT-EU.KMTG.NET for User-Name = KMT-EU.KMTG.NET\sstruyf
    rlm_realm: Found realm KMT-EU.KMTG.NET
    rlm_realm: Adding Stripped-User-Name = sstruyf
    rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
    rlm_realm: Adding Realm = KMT-EU.KMTG.NET
    rlm_realm: Authentication realm is LOCAL.
    modcall[authorize]: module ntdomain returns noop for request 7
    rlm_eap: EAP packet type response id 9 length 82
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 7
    users: Matched sstruyf at 98
    modcall[authorize]: module files returns ok for request 7
    modcall: group authorize returns updated for request 7
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 7
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/mschapv2
    rlm_eap: processing type mschapv2
    Processing the authenticate section of radiusd.conf
    modcall: entering group Auth-Type for request 7
    rlm_mschap: No User-Password configured. Cannot create LM-Password.
    rlm_mschap: No User-Password configured. Cannot create NT-Password.
    rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
    rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT-Password
    radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
    mschap2: 95
    rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
    radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
    radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972'
    Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972
    Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
    Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
    Exec-Program: returned: 1
    rlm_mschap: External script failed.
    rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    modcall[authenticate]: module mschap returns reject for request 7
    modcall: group Auth-Type returns reject for request 7
    rlm_eap: Freeing handler
    modcall[authenticate]: module eap returns reject for request
RE: freeradius and ntlm_auth howto
The debugging output says exactly what's wrong:
    Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
This dir should be readable by freeradius AND winbind. I thought 750 would work. J.
-- Jonathan De Graeve, IMELDA vzw, Informatica Dienst, Network System Engineer, [EMAIL PROTECTED], +32(0)15/50.52.98
-----Original message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On behalf of [EMAIL PROTECTED]
Sent: Thursday 26 October 2006 16:24
To: freeradius-users@lists.freeradius.org
Subject: freeradius and ntlm_auth howto
All, I am trying to authenticate my wifi users via our AD. I'm finding bits and pieces on the internet to configure things, but no completely usable howto. Can one of the users look at the output below and point me to the correct solution/howto? I set up smb.conf, krb5.conf and freeradius. I joined the server to the domain and tested the connection with ntlm_auth:
    [EMAIL PROTECTED] ~]# /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --domain=KMT-EU.KMTG.NET
    password:
    NT_STATUS_OK: Success (0x0)
    [EMAIL PROTECTED] ~]#
Rights of the winbind pipe:
    ls -l /var/cache/samba/winbindd_privileged
    total 0
    srwxrwxrwx 1 root root 0 Oct 25 14:46 pipe
Re: Accounting-Response
Vasea Marii [EMAIL PROTECTED] wrote: I need to configure freeradius to send specific attributes in accounting-response packet!
Why? (Or should I say Why!)
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Re: Double-free in src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c causes crash on HUP
Phil Mayers [EMAIL PROTECTED] wrote: Submitted to bugs.freeradius.org as bug 404
I'll commit a fix in a few hours. This means we should release another 1.1.x...
The bug tracker is insanely slow...
As is www.freeradius.org occasionally. I'm in the process of moving them; in between family, job, and trips out of the country, I'm nearly maxed out.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Re: HUP causes crashes [was: Error: ERROR: Tunnel-Password attribute in request]
B Thompson [EMAIL PROTECTED] wrote: http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-March/051856.html
A short work-around (i.e. hack) may be to not reload everything on HUP. Why are you HUPing it so often?
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Re: freeradius and ntlm_auth howto
[EMAIL PROTECTED] wrote: I am trying to authenticate my wifi users via our AD. I'm finding bits and pieces on the internet to configure things, but no completely usable howto.
What's missing from any of the HOWTOs? There's some on the Wiki, and one on my site.
    Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
You're running the server as non-root, and the programs it executes don't run as root, so they don't have permissions to read that directory. Make the server run as root, or fix the permissions.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Re: Accounting-Response
I'm sorry.. I didn't understand the tone of the answer, but hoping for the best I say that I try to make routing on Radius; I mean a conversation between the NAS and Radius (where the routes are stored in MySQL), and using a VSA I could send to the NAS the needed route! Thanks in advance!
Alan DeKok [EMAIL PROTECTED] wrote: Vasea Marii <[EMAIL PROTECTED]> wrote: I need to configure freeradius to send specific attributes in accounting-response packet!
Why? (Or should I say Why!)
Re: HUP causes crashes [was: Error: ERROR: Tunnel-Password attribute in request]
Alan DeKok wrote:
B Thompson [EMAIL PROTECTED] wrote: http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-March/051856.html
A short work-around (i.e. hack) may be to not reload everything on HUP. Why are you HUPing it so often?
I realise this question wasn't directed to me, but the reason we HUP it so often is to reload a *large* rlm_passwd map in response to users registering and de-registering for things, and users being blocked and unblocked. I realise in theory an SQL lookup might make more sense, but frankly we've found SQL in FreeRadius to be less than reliable in the past, and it's certainly never going to be anything like as fast as rlm_passwd. Largely these issues were to do with peak load scaling and MVCC issues in Postgres (MySQL not being an option). It's my intention to write and contribute an rlm_tdb module at some point when I have the free time (ha!) which would allow update processes to write to the binary map file whilst FR is running, e.g.
    modules {
        tdb mac2zone {
            file = %{confdir}/mac2zone.tdb
            key = Calling-Station-Id
            result = ~MyZone ~MyHostId
        }
        tdb nas2vlanset {
            file = %{confdir}/nas2vlanset.tdb
            key = NAS-IP-Address
            result = ~MyVlanset ~MyNasId
        }
        tdb zonevlan2vlan {
            file = %{confdir}/zonevlan2vlan
            key = MyZone MyVlanset
            result = Tunnel-Private-Group-Id
        }
    }
    authorize {
        preprocess
        files
        Autz-Type MACBASEVLANS {
            mac2zone
            nas2vlanset
            zonevlan2vlan
        }
    }
...and one could update the .tdb live
Re: HUP causes crashes [was: Error: ERROR: Tunnel-Password attribute in request]
B Thompson wrote: There must be two separate issues with HUP as this has not fixed the problems we are seeing. Here is my original email about it :-
Could you run FR like this to trace it maybe?
    ./configure --enable-developer
    make
    make install
    gdb /usr/local/sbin/radiusd
    set logging file radiusd.log
    set logging on
    handle SIGHUP nostop
    break modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c:323
    run -f
    # wait for it to crash
    thread apply all bt full
    print conf
    print conf->certificate_file
Q: ABOUT: GET AN ATTRIBUTE FROM NAS TO CHANGE QUERY IN RADIUS
Hi everybody. I need to get the attribute Caller-Station-ID and then include it in the WHERE section of the query that accesses the table radreply. This is because I have only 1 user to access the IP net from PSTN but I need to send back different values to the device depending on what station is calling. How can I get this behavior? Thanks in advance.
FreeRadius + NIS
Expensive friends, I have an authentication problem, being that I opted to use FreeRadius. I kindly ask you to answer whether FreeRadius has support to read the user base of a NIS server. Forgive my English, as I am Brazilian. Until later, and thanks.

Dagoberto Carvalio Junior
Systems Analyst - Universidade de São Paulo.
--
Dagoberto Carvalio Junior - CCNA/CCAI/FCPF/FCPM/SCS
Systems Analyst
Instituto de Ciencias Matematicas e de Computacao
UNIVERSIDADE DE SAO PAULO
USER LINUX #417157
EMail : [EMAIL PROTECTED]
Tel : 55 16 3373-9652
radiusd service hang
Am running freeradius on a RHEL v3 box, to authenticate 802.11 users against AD. All of a sudden the 802.11 users can't get authenticated against AD, unless I reboot the radius service on the linux box. It looks like the radius service hangs at least once weekly for no reason; I couldn't find anything in the log file /var/log/messages. Is anyone facing this issue? Every time the users complain that wireless is not working, I have to restart the service manually. Any help would be appreciated.
Re: HUP causes crashes [was: Error: ERROR: Tunnel-Password attribute in request]
Phil Mayers [EMAIL PROTECTED] wrote:
> I realise this question wasn't directed to me, but the reason we HUP it so often is to reload a *large* rlm_passwd map in response to users registering and de-registering for things, and users being blocked and unblocked.

Ok. I think in the CVS head, we should fix HUP so that all modules have a reload method. HUP will cause module config to be reloaded, but will NOT change anything else.

> It's my intention to write and contribute an rlm_tdb module at some point when I have the free time (ha!) which would allow update processes to write to the binary map file whilst FR is running e.g.

Sounds good to me.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Accountig-Response
Vasea Marii [EMAIL PROTECTED] wrote:
> I'm sorry.. I didn't understand the tone of the answer (sigh)

All of your sentences end with exclamation marks! You seem very excited! Always!

> but hoping for the best I say that I try to make routing on Radius, I mean a conversation between NAS and Radius (where the routes are stored in MySQL) and using a VSA I could send to the NAS the needed route !

Uh, no. Routes are assigned in Access-Accept, not in Accounting-Response.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Number of concurrencies requests
Hi, my freeradius 1.1.1 with CentOS 4.4 has a big problem with more than 6 concurrent requests... Is this possible? How to increase or cache input requests?

Italo Morellato...
Re: radiusd service hang
Hi Karthik,

I used to have the same problem in 2 different cases:
- When Freeradius was installed on Redhat 9, it used to hang every 3 or 4 days as well but you're on Redhat Ent3 so you should be fine
- When the connection to the MySQL server was dropping

Are you sure your connection to AD is reliable?

David
- http://www.netexpertise.eu

- Original Message -
From: Karthik R
To: freeradius-users@lists.freeradius.org
Sent: Thursday, October 26, 2006 6:03 PM
Subject: radiusd service hang

> Am running freeradius on a RHEL v3 box, to authenticate 802.11 users against AD. All of a sudden the 802.11 users can't get authenticated against AD, unless I reboot the radius service on the linux box. It looks like the radius service hangs at least once weekly for no reason; I couldn't find anything in the log file /var/log/messages. Is anyone facing this issue? Every time the users complain that wireless is not working, I have to restart the service manually. Any help would be appreciated.
Re: radiusd service hang
On Thu, Oct 26, 2006 at 12:03:37PM -0500, Karthik R wrote:
> Am running freeradius on a RHEL v3 box, to authenticate 802.11 users against AD. All of a sudden the 802.11 users can't get authenticated against AD, unless I reboot the radius service on the linux box. It looks like the radius service hangs at least once weekly for no reason; I couldn't find anything in the log file /var/log/messages. Is anyone facing this issue? Every time the users complain that wireless is not working, I have to restart the service manually. Any help would be appreciated.

Which version of FreeRADIUS are you running?

--
Ben Thompson
Freeradius on OS X with OD, password attribute is not checked
Hi all,

I'm setting up a wireless network where users use login details provided by OpenDirectory + certificate. The goal is that a user of the WiFi network must provide a certificate and username with password. If the user is disabled in OD (via WGM - access account tick box), the user must not access the network.

My setup: OSX 10.4.8 Server, OpenDirectory, freeRADIUS, ZyWall 35 with WiFi AP using WPA Ent. Clients: 99.9% Mac OSX 10.4.8

I got all setup, freeRADIUS 1.1.3 running, certificates, but I can't get the freeRADIUS to check the user password from OD. Using radtest, I have no problems:

---
Sending Access-Request of id 123 to 127.0.0.1 port 1812
        User-Name = 12345
        User-Password = 12345
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=123, length=20
---

However, when a client from WiFi logs in, username and certificate are the only criteria which are checked to grant access. If you can help, please read the debug dump below. It seems that RADIUS has managed to decrypt the password and adds it to the check list:

rlm_ldap: Added password in check items

... but then the access is granted anyway ... doesn't matter what you write in the password :-(

To achieve my goals, am I using the correct method (EAP-TLS)? When using an unencrypted connection, I can clearly see the password attribute, but that defeats the whole purpose of WPA ... I hope you guys don't mind that I dumped bits of my log and conf into this forum, I'm getting very frustrated ... I have already added userPassword as User-Password ...

RADIUS reply to connection using certificate:
---
rad_recv: Access-Request packet from host 192.168.1.1:1131, id=16, length=144
        User-Name = 12345
        NAS-IP-Address = 192.168.1.1
        NAS-Identifier = zywall
        Framed-MTU = 1496
        Called-Station-Id = 00-11-22-33-44-55-66-77:Test Test
        Calling-Station-Id = 00-11-22-33-44-55
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020b00060d00
        State = 0xa5e4df76eacd676aa056b162e018e148
        Message-Authenticator = 0x55082c87332500d61cb52cd8ca640361
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module preprocess returns ok for request 9
  rlm_eap: EAP packet type response id 11 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 12345
radius_xlat: '(uid=12345)'
radius_xlat: 'dc=st,dc=ln'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=st,dc=ln, with filter (uid=12345)
rlm_ldap: checking if remote access for 12345 is allowed by uid
rlm_ldap: Added password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 12345 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 9
modcall: leaving group authorize (returns updated) for request 9
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 9
modcall: leaving group authenticate (returns ok) for request 9
Sending Access-Accept of id 16 to 192.168.1.1 port 1131
        MS-MPPE-Recv-Key = 0x1e908975f56513420942c8e6680139f19ebf58ee76c2c13a2315873f5ca1c6cf
        MS-MPPE-Send-Key = 0xedddaafac5513c090db385d154acfe8d19c5b7e542b264e1c6974850faddb2a6
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x
        User-Name = 12345
Finished request 9
---

From radiusd.conf:
---
ldap {
        server = 192.168.1.2
        basedn = dc=st,dc=ln
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        access_attr = uid
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        password_attribute = userPassword
}

authorize {
        eap
        ldap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}
---

I have also added "checkItem User-Password userPassword" to ldap.attrmap.

Please please help, many thanks in advance

Stepan
Re: Number of concurrencies requests
Italo Morellato [EMAIL PROTECTED] wrote:
> my freeradius 1.1.1 with CentOS 4.4 have a big problem with more than 6 concurrencies requests...

What's the problem?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
simple question
How can I determine the version of freeRadius that is currently running?
Re: simple question
On Thursday, 26 October 2006 20:56, Mike May wrote:
> How can I determine the version of freeRadius that is currently running?

radiusd -v

RTFM
WAP EAP-TLS
Hello everybody,

I'm implementing an environment to secure my wireless LAN with RADIUS. For this I chose WAP with EAP-TLS. But I have some questions. Is there a way to Authenticate/Authorize:
- Per machine certificate AND
- Per user certificate AND
- Per user password mapped on a NIS server, or a file on the radius server.

Note that I need these three modes of authentication.

Thanks,
Pedro Mazzoni
RE: radiusd service hangs
> Hi Karthik,
> I used to have the same problem in 2 different cases:
> - When Freeradius was installed on Redhat 9, it used to hang every 3 or 4 days as well but you're on Redhat Ent3 so you should be fine
> - When the connection to the MySQL server was dropping
> Are you sure your connection to AD is reliable?
> David

Am running freeradius ver 1.1.1. My connection to AD is reliable, but today I remembered that before this issue arose recently I rebooted the domain controller. Not sure if this is causing the issue.
Re: Freeradius on OS X with OD, password attribute is not checked
Stepan Raichl [EMAIL PROTECTED] wrote:
> However, when a client from WiFi logs in, username and certificate are the only criteria which are checked to grant access. If you can help, please read the debug dump below.

if you're using EAP-TLS, then there is *no* password to check.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: authenticating question
Hi,

> authenticate correctly and he'd be given access at this point. But if we could get Radius to check an LDAP field which says which vlan he has access to, and allow or deny access to the network if the user is not currently in that vlan, then I guess that would be the ideal solution.

that's exactly one way to do it - use the LDAP checking for group attribute. other ways depend on how your directory is configured, do you have other attributes, are the userid's obvious etc? rlm_perl can then be used, for example to query and set the VLAN attribute correctly (if the WLAN kit supports such attributes)

alan
Freeradius consuming a lot of memory 1.6G
Hi,

We've built a radius-proxy using freeradius and rlm_perl (with ithreads). Currently we have the following settings:

thread pool {
        start_servers = 20
        max_servers = 100
        min_spare_servers = 20
        max_spare_servers = 50
        max_requests_per_server = 500
}

perl {
        module = /usr/lib/perl5/rlmPerl.pm
        func_authenticate = authenticate
        func_authorize = authorize
        func_preacct = preacct
        func_accounting = accounting
        func_checksimul = checksimul
        func_pre_proxy = pre_proxy
        func_post_proxy = post_proxy
        func_post_auth = post_auth
        func_xlat = xlat
        func_detach = detach
        max_clones = 100
        start_clones = 20
        min_spare_clones = 20
        max_spare_clones = 100
        cleanup_delay = 5
        max_request_per_clone = 100
}

The whole setup works fine (there are two machines, load-balanced). Every single request is piped to the rlm_perl. The number of threads (ps -eLf) oscillates around 45-50 on both machines. There are no delays, or any problems, except for the huge memory consumption. Authentication requests are simply proxied (with minimal changes to the packets - filtering out some attributes and setting the others, no db access), accounting is sent to a session database (postgresql) on a separate machine (no load problems there).

Should freeradius use that amount of memory? The amount of memory is directly linked to the number of threads - with 25 threads (in the middle of the night) the memory consumption drops to about 900M.

perl uses the following modules:

use DBI;
use Digest::JHash qw(jhash);
use IPC::Shareable (':lock');
use Storable;

(all variables shared between perl threads are stored in shared memory using perl IPC).

So the question is should freeradius use that amount of memory and how can I decrease that?

regards
pshemko
Re: Number of concurrencies requests
When I deselect more than 6 users in my Mikrotik PPPoE HotSpot I see this situation:
- user sends accounting request correctly vs radius server
- radius replies with OK (sql database)
- in mikrotik log I see "radius timeout"

I tried to increase the timeout up to 3000ms (300ms is the default timeout) but the problem persists... Sunday I installed 1.1.3 but I think it does not depend on the different release...

Any idea? Many Thanks

- Original Message -
From: Alan DeKok
To: FreeRadius users mailing list
Sent: Thursday, October 26, 2006 8:41 PM
Subject: Re: Number of concurrencies requests

> "Italo Morellato" [EMAIL PROTECTED] wrote:
> > my freeradius 1.1.1 with CentOS 4.4 have a big problem with more than 6 concurrencies requests...
>
> What's the problem?
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Number of concurrencies requests
Italo Morellato [EMAIL PROTECTED] wrote:
> When I deselect more than 6 user in my Mikrotik PPPoE HotSpot I see this situation:
> - user send accounting request correctly vs radius server
> - radius reply with OK (sql database)
> - in mikrotik log I see radius timeout

Does the RADIUS server *respond* with a packet? What does tcpdump say? What does radiusd -X say?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
SQLIPPOOL problem
Hi,

This is very important, please. In the ippool module I can use two or more pools just by setting

ippool POOL1 { ... }
ippool POOL2 { ... }

In SQLIPPOOL, I know that I can create as many pools as I want but I need to treat those pools differently, say, POOL1 assigns static IPs and POOL2 dynamic ones, or POOL1 is in databaseX and POOL2 in databaseY. So I did this sqlippool.conf:

sqlippool POOL1 { ... }
sqlippool POOL2 { ... }

And then in radiusd.conf

post-auth {
        POOL1
        POOL2
}

But the user who has Pool-Name := POOL2 in radcheck receives the IP (because POOL2 exists in the database), but it's not treated by the POOL2 instance created in sqlippool.conf (radiusd -X shows that both modules POOL1 and POOL2 are instantiated), it's being treated by the POOL1 instance. So, how can I tell that for users that belong to POOL2 the POOL2 module is used, instead of POOL1 and vice-versa?

Thank you.
freeradius against AD not working
Using freeradius v1.1.1 on a RHEL 4 box trying to authenticate users against Windows 2003 Active directory. I was able to bind the linux box to the Windows domain successfully and able to read the active directory users and groups using wbinfo -u (R1\Administrator, R1\Guest) and wbinfo -g. Using the ntlm_auth tool I am able to successfully authenticate the users too.

-bash-3.00# ntlm_auth --request-nt-key --username=kartthikr
password:
NT_STATUS_OK: Success (0x0)

But while using the radtest tool with the same logon credentials as above it rejects the user and here is the log message.

rad_recv: Access-Request packet from host 127.0.0.1:32927, id=243, length=61
        User-Name = removed
        User-Password = removed
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = removed, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 243 to 127.0.0.1 port 32927
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 243 with timestamp 45413139
Nothing to do. Sleeping until we see a request.

Here is nss config file:

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files winbind nis dns
protocols:  files winbind # nis
services:   files winbind # nis
netgroup:   files winbind # nis
automount:  files winbind nis

Here is radiusd.conf file:

modules {
        pap {
                encryption_scheme = crypt
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                radwtmp = ${logdir}/radwtmp
        }
        $INCLUDE ${confdir}/eap.conf
        mschap {
                authtype = MS-CHAP
                #use_mppe = no
                require_encryption = yes
                #require_strong = yes
                with_ntdomain_hack = yes
                ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
        }

Thanks in advance.
Re: Number of concurrencies requests
in radiusd -X I see:

Going to the next request
rad_recv: Accounting-Request packet from host 10.10.0.50:4216, id=84, length=153
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1788
        NAS-Port-Type = Ethernet
        User-Name = "cesar.paredes"
        Calling-Station-Id = "00:15:D6:02:34:94"
        Called-Station-Id = "pppoe-Cimarani"
        NAS-Port-Id = "hotspot"
        Acct-Session-Id = "81f00366"
        Framed-IP-Address = 10.0.6.245
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Identifier = "Cimarani"
        NAS-IP-Address = 10.10.0.50
        Acct-Delay-Time = 0
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 3
  modcall[preacct]: module "preprocess" returns noop for request 3
rlm_acct_unique: Hashing 'NAS-Port = 1788,Client-IP-Address = 10.10.0.50,NAS-IP-Address = 10.10.0.50,Acct-Session-Id = "81f00366",User-Name = "cesar.paredes"'
rlm_acct_unique: Acct-Unique-Session-ID = "8a2b71e9b25570c2".
  modcall[preacct]: module "acct_unique" returns ok for request 3
    rlm_realm: No '@' in User-Name = "cesar.paredes", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 3
modcall: leaving group preacct (returns ok) for request 3
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 3
radius_xlat: '/usr/local/var/log/radius/radacct/10.10.0.50/detail-20061027'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.0.50/detail-20061027
  modcall[accounting]: module "detail" returns ok for request 3
radius_xlat: '/usr/local/var/log/radius/radutmp'
radius_xlat: 'cesar.paredes'
  modcall[accounting]: module "radutmp" returns ok for request 3
radius_xlat: 'cesar.paredes'
rlm_sql (sql): sql_set_user escaped user --> 'cesar.paredes'
radius_xlat: 'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81f00366', '8a2b71e9b25570c2', 'cesar.paredes', '', '10.10.0.50', '1788', 'Ethernet', '2006-10-27 01:03:02', '0', '0', 'RADIUS', '', '', '0', '0', 'pppoe-Cimarani', '00:15:D6:02:34:94', '', 'Framed-User', 'PPP', '10.0.6.245', '0', '0')'
rlm_sql (sql): Reserving sql socket id: 1

at this point radius stops working for a short time

- Original Message -
From: Alan DeKok
To: FreeRadius users mailing list
Sent: Friday, October 27, 2006 12:01 AM
Subject: Re: Number of concurrencies requests

> "Italo Morellato" [EMAIL PROTECTED] wrote:
> > When I deselect more than 6 user in my Mikrotik PPPoE HotSpot I see this situation:
> > - user send accounting request correctly vs radius server
> > - radius reply with OK (sql database)
> > - in mikrotik log I see "radius timeout"
>
> Does the RADIUS server *respond* with a packet? What does tcpdump say? What does "radiusd -X" say?
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
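The debug output above stops at "Reserving sql socket id", which is exactly the kind of stall that Alan's "what does tcpdump say?" question is meant to surface: the question is whether each Accounting-Request gets an Accounting-Response, and how long after it was sent. The Python below is an added example, not code from this thread or from FreeRADIUS: it pairs requests with responses in `tcpdump -tt -n port 1813` style output by client address and RADIUS identifier, measures the latency, counts NAS retransmissions, and flags replies slower than the NAS timeout (300 ms, the Mikrotik default quoted in the thread) and requests never answered. The capture lines, addresses and timestamps are constructed, and the exact field layout of tcpdump's RADIUS decoder is an assumption about the version in use; adjust the pattern if your capture differs.

```python
"""Added example, not FreeRADIUS code: pair RADIUS requests and responses in a
tcpdump -tt capture and report slow or unanswered ones. Sample lines are
constructed; the tcpdump field layout in LINE_RE is an assumption."""
import re

# tcpdump -tt prints an epoch timestamp; its RADIUS decoder prints the code
# name, the numeric code and the packet identifier.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"RADIUS, (?P<kind>[A-Za-z-]+) \(\d+\), id: 0x(?P<id>[0-9a-fA-F]+)"
)

# Constructed capture: NAS 10.10.0.50 talks to server 10.10.0.5 on 1813.
# id 0x54 is answered quickly, id 0x55 is retransmitted after 300 ms and
# answered late, id 0x56 never gets a response in the capture.
SAMPLE_CAPTURE = """\
1161903782.000000 IP 10.10.0.50.4216 > 10.10.0.5.1813: RADIUS, Accounting-Request (4), id: 0x54 length: 153
1161903782.012000 IP 10.10.0.5.1813 > 10.10.0.50.4216: RADIUS, Accounting-Response (5), id: 0x54 length: 20
1161903782.100000 IP 10.10.0.50.4216 > 10.10.0.5.1813: RADIUS, Accounting-Request (4), id: 0x55 length: 153
1161903782.400000 IP 10.10.0.50.4216 > 10.10.0.5.1813: RADIUS, Accounting-Request (4), id: 0x55 length: 153
1161903782.950000 IP 10.10.0.5.1813 > 10.10.0.50.4216: RADIUS, Accounting-Response (5), id: 0x55 length: 20
1161903783.000000 IP 10.10.0.50.4216 > 10.10.0.5.1813: RADIUS, Accounting-Request (4), id: 0x56 length: 153
"""


def analyze(lines, timeout_s=0.3):
    """Match each *-Request with the reply carrying the same identifier from
    the server back to the same client socket. Returns a dict with
    'answered' [(client, id, latency_s)], 'slow' (latency > timeout_s),
    'unanswered' [(client, id)] and 'retransmits' (duplicate requests seen
    while the first copy was still unanswered)."""
    pending = {}          # (client, server, id) -> timestamp of first copy
    result = {"answered": [], "slow": [], "unanswered": [], "retransmits": 0}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = float(m.group("ts"))
        ident = int(m.group("id"), 16)
        if m.group("kind").endswith("-Request"):
            key = (m.group("src"), m.group("dst"), ident)
            if key in pending:
                # Same id from the same client while unanswered: the NAS gave
                # up waiting and re-sent. Keep the original send time so the
                # latency reflects what the NAS actually experienced.
                result["retransmits"] += 1
            else:
                pending[key] = ts
        else:
            key = (m.group("dst"), m.group("src"), ident)
            sent = pending.pop(key, None)
            if sent is None:
                continue      # reply with no matching request in this capture
            latency = round(ts - sent, 6)
            entry = (key[0], ident, latency)
            result["answered"].append(entry)
            if latency > timeout_s:
                result["slow"].append(entry)
    result["unanswered"] = [(client, ident) for (client, _server, ident) in pending]
    return result


if __name__ == "__main__":
    report = analyze(SAMPLE_CAPTURE.splitlines())
    for client, ident, latency in report["answered"]:
        print(f"{client} id={ident:#04x} answered in {latency * 1000:.1f} ms")
    for client, ident in report["unanswered"]:
        print(f"{client} id={ident:#04x} NEVER ANSWERED")
    print(f"slow replies: {len(report['slow'])}, retransmits: {report['retransmits']}")
```

Run against a real capture with `tcpdump -tt -n -i eth0 port 1813 > acct.txt` and `analyze(open("acct.txt"))`. If the server answers but later than the NAS timeout, the NAS logs "radius timeout" even though `radiusd -X` shows a reply, which is the situation to distinguish from the server not replying at all. Note that a NAS may reuse an identifier for a new session after it gives up, so an "unanswered" entry for a reused id should be read together with the timestamps.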
FR with AD authentication not working
Using freeradius v1.1.1 on a RHEL 4 box trying to authenticate users against Windows 2003 Active directory. I was able to bind the linux box to the Windows domain successfully and able to read the active directory users and groups using wbinfo -u (R1\Administrator, R1\Guest) and wbinfo -g. Using the ntlm_auth tool I am able to successfully authenticate the users too.

-bash-3.00# ntlm_auth --request-nt-key --username=kartthikr
password:
NT_STATUS_OK: Success (0x0)

But while using the radtest tool with the same logon credentials as above it rejects the user and here is the log message. But I didn't find a logon success/failure in AD when I checked the event viewer.

rad_recv: Access-Request packet from host 127.0.0.1:32927, id=243, length=61
        User-Name = removed
        User-Password = removed
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = removed, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 243 to 127.0.0.1 port 32927
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 243 with timestamp 45413139
Nothing to do. Sleeping until we see a request.

Here is nss config file:

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files winbind nis dns
protocols:  files winbind # nis
services:   files winbind # nis
netgroup:   files winbind # nis
automount:  files winbind nis

Here is radiusd.conf file:

modules {
        pap {
                encryption_scheme = crypt
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                radwtmp = ${logdir}/radwtmp
        }
        $INCLUDE ${confdir}/eap.conf
        mschap {
                authtype = MS-CHAP
                #use_mppe = no
                require_encryption = yes
                #require_strong = yes
                with_ntdomain_hack = yes
                ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
        }

So I am not sure what I missed here, any help will be appreciated.
RE: freeradius against AD not working
-Original Message-
> But while using radtest tool with the same logon credentials as above it rejects the user and here is the log message.

Please paste the entire debug log. It looks like you missed a few bits in the cut and paste.
race condition?
I am running freeradius 1.0.5 version. I know this is old. ldap is used in authorization and pap is usually used in authentication. We made a client tool which can send 1000 packets per second (from a data file) to freeradius. What we noticed is that in multi-thread mode, there was a race condition which makes some ldapsearch failures. We are positive that there is no problem in our ldap because we already tested our ldaps with a similar tool and verified that our ldap can support much more load. Do you have any idea what part of things I need to check, or was there any update in ldap with this kind of issue?

Kevin
radius + mysql problem
Hello all,

I am trying to configure freeradius with mysql. I did the relevant changes in radiusd.conf and when I start the server in debug mode, it is giving an error:

"rlm_sql (sql): Could not link driver rlm_sql_mysq: file not found
rlm_sql (sql): Make sure it (all its dependent libraries) are in the search path of your system's ld.
radiusd.conf[14]: sql: Module instantiation failed."

Here are the changes I made in the radiusd.conf file:
sqltrace=yes
uncommented the line sql in the Authorize section.
commented the line sql in the preacct section.
uncommented the line sql in the accounting section.
Created the radius database using the schema in the file db_mysql.sql.

What can be the problem with the configuration? Please clarify any other config changes required.

Thanks in advance.
Regards,
Sri
Re: Freeradius on OS X with OD, password attribute is not checked
Alan DeKok wrote:
> Stepan Raichl [EMAIL PROTECTED] wrote:
> > However, when a client from WiFi logs in, username and certificate are the only criteria which are checked to grant access. If you can help, please read the debug dump below.
>
> if you're using EAP-TLS, then there is *no* password to check.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

Many thanks Alan, this was the piece of information I was missing and your table about protocols on your site has done the rest. I shall stick to EAP-TTLS with PAP ... works nice on OS Tiger clients using built-in connection manager.

Thanks,
Stepan