Re: Mac based auth
[EMAIL PROTECTED] wrote:
> Could I also do:
>
>   bob  password = neil, Calling-Station-Id != 0001, Auth-Type := Reject
>
> So that both pieces of information have to be present to be authenticated?

No, that would always reject the user. You could do this:

  bob  Calling-Station-Id != 0001, Auth-Type := Reject
  bob  User-Password := neil

Well that's too easy. :) Can you instead use rlm_checkval like this:

  modules {
    passwd user2allowedmacs {
      filename = /etc/raddb/user2allowedmacs
      format = *User-Name:Calling-Station-Id
      hashsize = 100
      allowmultiplekeys = yes
    }
    checkval usermacs {
      item-name = Calling-Station-Id
      check-name = Calling-Station-Id
      data-type = string
      notfound-reject = yes
    }
  }

> Which file would the above be placed in and does it need to be placed in a
> certain area of the file or can it just be added to the bottom of the file?

It's a partial fragment of radiusd.conf - you would need to inspect how the
radiusd.conf hierarchical config works, and put the two module definitions in
along with anything else you need.

> And when I see 'rlm_' I think realm which makes me think ldap or kerberos,
> neither of which I am using, will this be a problem?

rlm == radius loadable module, nothing to do with realms (although there is an
rlm_realm for dealing with realms!)

  authorize {
    preprocess
    user2allowedmacs
    usermacs
    # other stuff
  }

> So whatever I name my module I will have to add to the authorize stanza in
> the radius.conf file, correct?

Yep

/etc/raddb/user2allowedmacs:

  user1:001122334455
  user1:aabbccddeeff
  user2:0123456789ab

...I think that ought to work?

> Thanks for the info, this is gold!
>
> Jon

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
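Added example, not from the thread and not FreeRADIUS code: a small Python model of the decision the rlm_passwd + rlm_checkval pair above makes, run over a constructed copy of the /etc/raddb/user2allowedmacs file from Phil's reply. It goes one step beyond the thread by normalising the MAC before comparing: NAS vendors send Calling-Station-Id as 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455, and rlm_checkval compares strings literally, so the file and the switch must agree on one spelling. That normalisation step, and the function and file names, are assumptions made for the illustration; the notfound_reject flag mirrors the module's notfound-reject option.

```python
import re

# Constructed sample of the /etc/raddb/user2allowedmacs file from the thread.
# With format "*User-Name:Calling-Station-Id" and allowmultiplekeys = yes,
# one user may appear on several lines, one MAC per line.
SAMPLE_FILE = """\
# user:mac
user1:001122334455
user1:aabbccddeeff
user2:0123456789ab
"""


def normalize_mac(value):
    """Reduce the common NAS renderings of a MAC to 12 lowercase hex digits.

    Accepts 001122334455, 00-11-22-33-44-55, 00:11:22:33:44:55 and
    0011.2233.4455. Returns None for anything that is not a MAC at all,
    e.g. the placeholder "0001" used in the thread. (Assumption: the real
    modules do no such normalisation; they compare the strings as sent.)
    """
    if re.search(r"[^0-9a-fA-F.:\- ]", value):
        return None
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", value)
    if len(hexdigits) != 12:
        return None
    return hexdigits.lower()


def load_allowed_macs(text):
    """Parse the passwd-style file into {user: set(normalised MACs)}."""
    allowed = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("line %d: expected user:mac" % lineno)
        user, mac = line.split(":", 1)
        norm = normalize_mac(mac)
        if norm is None:
            raise ValueError("line %d: bad MAC %r" % (lineno, mac))
        allowed.setdefault(user, set()).add(norm)
    return allowed


def check_station(allowed, user_name, calling_station_id, notfound_reject=True):
    """Model of rlm_passwd lookup followed by rlm_checkval comparison.

    Returns "ok" when the (user, MAC) pair is listed and "reject" when the
    user is known but the MAC is not. For an unknown user the result depends
    on notfound-reject: True rejects outright, False returns "noop" so the
    remaining authorize modules decide.
    """
    macs = allowed.get(user_name)
    if macs is None:
        return "reject" if notfound_reject else "noop"
    norm = normalize_mac(calling_station_id or "")
    if norm is None or norm not in macs:
        return "reject"
    return "ok"


if __name__ == "__main__":
    table = load_allowed_macs(SAMPLE_FILE)
    for user, mac in [("user1", "00-11-22-33-44-55"), ("user2", "00:11:22:33:44:55"),
                      ("nobody", "0123456789ab")]:
        print(user, mac, "->", check_station(table, user, mac))
```

The value of the normalisation shows up as soon as a second switch vendor is added: without it every user would need one line per MAC spelling, which is how "MAC based auth" deployments quietly stop rejecting anything.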
Re: Mac based auth
Looks good, I was also wondering if this could be done with MySQL as backend?!

Cheers,
Collen

Phil Mayers wrote:
> [...]
Re: Mac based auth
Hi,

we have deployed an open-source MAC-based solution which can optionally be tied to FreeRADIUS. With this you can have better control of the MAC addresses that you have in your network.

- For non-802.1X-capable devices, we have the option of using VMPS or performing a MAC-Auth-Bypass if your switch allows it.
- For 802.1X we use FreeRADIUS 1.1.3 configured to authenticate the user against a Windows Domain controller and after checking the user credentials we check for the MAC address to assign the VLAN.
- A virtual machine has been released with the software needed to make it easy to test. You only have to download it and configure it.

We have a MySQL backend and a Windows GUI / Web GUI for administering the MAC addresses that automagically come into the database.

Please go to http://www.freenac.net and let us know what you think of our system.

Regards,
Hector

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Collen Blijenberg
Sent: Wednesday, 29 November 2006 11:29
To: FreeRadius users mailing list
Subject: Re: Mac based auth

> Looks good, i was also wondering if this could be done with mysql as backend ?!
>
> Cheers,
> Collen
> [...]
Re: Mac based auth
Collen Blijenberg wrote:
> Looks good, i was also wondering if this could be done with mysql as backend ?!

Probably. I don't use the SQL backends so I couldn't say for sure, but it doesn't really do anything special.
RE: Unable to authenticate freeradius using PostgreSQL
OK, I've made progress. I now appear to be connecting to my Postgres database, as I'm receiving syntax errors in the database log file when trying a freeRadius authentication.

The debug radius output is as follows (I now have queries against the radius_xlat line):

rad_recv: Access-Request packet from host 10.150.19.134:1115, id=5, length=49
        User-Name = ROSStest4
        User-Password = nntlpa401
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = ROSStest4, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched DEFAULT at 156
  modcall[authorize]: module files returns ok for request 0
radius_xlat: 'ROSStest4'
rlm_sql (sql): sql_set_user escaped user -- 'ROSStest4'
radius_xlat: 'SELECT id, UserName, Attribute, Value, Op #?authorize_check_query = '
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op #?authorize_check_query =
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_postgresql #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op #?authorize_check_query =
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning SQL_DOWN
rlm_sql (sql): failed after re-connect
rlm_sql_getvpdata: database query error
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns fail for request 0
modcall: group authorize returns fail for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.19.134:1115, id=5, length=49
Discarding duplicate request from client ROSSpc:1115 - ID: 5
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 5 with timestamp 456d62ae
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.150.19.134:1115, id=5, length=49
        User-Name = ROSStest4
        User-Password = nntlpa401
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
    rlm_realm: No '@' in User-Name = ROSStest4, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 1
    users: Matched DEFAULT at 156
  modcall[authorize]: module files returns ok for request 1
radius_xlat: 'ROSStest4'
rlm_sql (sql): sql_set_user escaped user -- 'ROSStest4'
radius_xlat: 'SELECT id, UserName, Attribute, Value, Op #?authorize_check_query = '
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op #?authorize_check_query =
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_postgresql #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op #?authorize_check_query =
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning SQL_DOWN
rlm_sql (sql): failed after re-connect
rlm_sql_getvpdata: database query error
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module sql returns fail for request 1
modcall: group authorize returns fail for request 1
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 5 with timestamp 456d62b5
Nothing to do.  Sleeping until we see a request.

The following is what is logged in my /var/log/pgsql trace when trying the above query:

LOG:  statement: SELECT id, UserName, Attribute, Value, Op # authorize_check_query =
ERROR:  syntax error at end of input at
Re: Accounts staying online past Session Timeout value
> I am having some problems lately with freeradius 1.1.2 + mysql, and users staying online past their session timeout value (4 hours). Can anyone shed some light on the matter?

I had similar trouble recently; running in debug mode, I was able to see that the Session-Timeout attribute was not being sent by freeradius. In my case, it was due to the users not being listed in the usergroups table. The Session-Timeout was in radgroupreply...

Andrew Long
Re: freeRadius auth. with Active Directory and LDAP
> Did any of you guys already configure a freeRADIUS and AD with LDAP? Is this possible?

Yes, if the incoming request from the user contains his password in cleartext. No, if he is using any sort of non-reversible encryption.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
http://www.restena.lu
Re: radiusd.conf: Why extra Auth-Type in authenticate section?
Alan DeKok wrote:
> Martin Gadbois [EMAIL PROTECTED] wrote:
>> Why the Auth-Type PAP { } construct? I tried RTFM and RTFC, but I have not seen an actual description of why that is there.
>
> It's not strictly necessary, but it doesn't hurt to have it.

Does it mean if(Auth-Type == PAP) then { call pap } ?

Is it general purpose? Could I do Group == staff { pap } in the authenticate {} section?

Could you give me a function name in the source where this is done? (I like to RTFC!)

Thanks!

--
Martin Gadbois, S/W Developer, Colubris Networks Inc.
Re: freeRadius auth. with Active Directory and LDAP
Robert wrote:
> Hi
>
> I want that my freeRadius validates users against Active Directory with LDAP. For configuration reasons, I can't use NTLM.
>
> Did any of you guys already configure a freeRADIUS and AD with LDAP? Is this possible?
>
> Thanks in advance,

I've done that, but the password needs to be in clear, that is PAP needs to be used. See:

http://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/radius.html
http://wiki.freeradius.org/Rlm_ldap (at the end see Directory Compatibility)

--
Martin Gadbois, S/W Developer, Colubris Networks Inc.
Re: Windows Vista doing PEAP
hey,

Vista now working with freeRADIUS? Any debugging information needed?

ca
mIke

Alan DeKok wrote:
> Pedro Ribeiro [EMAIL PROTECTED] wrote:
>> The Radiator people are talking about problems with SSL empty fragments handling in Windows Vista ... I've tried to compile FreeRADIUS with SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS but the final result is the same, clients can't connect!
>
> i.e. the patch below MAY help.
>
> There is still an issue in the FreeRADIUS state machine where it MAY send an empty ACK once the SSL tunnel is set up. Most clients seem to be OK with this, but maybe Vista isn't.
>
> A solution, I *think* would be to have FreeRADIUS send an EAP Identity request inside of the tunneled session for PEAP, as soon as the session is established. This should work with third-party supplicants, and may allow Vista to work, too.
Re: Different accounting based on avpair
Hi,

Thanks, it worked :)

Just for the record, redhat's RPMs don't bring doc/Acct-Type :)

Nuno Fernandes

On Friday 24 November 2006 16:50, Alan DeKok wrote:
> Nuno Pais Fernandes wrote:
>> Hi,
>> Does someone have any info on this? Is it possible with freeradius? Does anyone have this setup working?
>
> Yes. See doc/Acct-Type and doc/configurable_failover. You can configure two SQL modules, and select which one to use via Acct-Type.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

--
Nuno Miguel Pais Fernandes [EMAIL PROTECTED]
Eurotux Informática, S.A. [http://eurotux.com]
EAP-AKA support?
Hi,

searching through the mail archive and the Freeradius bugzilla on Freeradius support for EAP-AKA authentication I found this:

http://bugs.freeradius.org/show_bug.cgi?id=386

(Yes, I know that this Wiki page http://wiki.freeradius.org/EAP does not include EAP-AKA in the list of supported methods.)

Does anyone have any input on the status of this code? Is it stable, does it need further testing?

Thanks and Regards,
Johannes
Problem starting freeradius 1.1.3
I used the rpmbuild -ta command to build an rpm of freeradius-1.1.3 and all went well with the build. I then installed the rpm, and I'm getting the following error message after running radiusd -X.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd: symbol lookup error: radiusd: undefined symbol: udpfromto_init

I'm not sure what to do to get around the problem of the undefined symbol udpfromto_init error. Has anyone any ideas on what I can do to get freeradius working?

Regards
Ian
pptp + vpn + freeradius Acct-Status-Type Alive
Is it possible to enable Acct-Status-Type Alive for pptp vpn? If so how..

Best regards
Jóhann B.
Re[4]: Windows Vista doing PEAP - WORKING!!!
Hello Alan,

I can confirm it's working now!!! When I've seen the comment in the release notes of Radiator I thought it was a conditional compiling (#ifdef) flag, thanks for the help!

Tuesday, November 28, 2006, 10:06:11 PM, you wrote:
> Pedro Ribeiro [EMAIL PROTECTED] wrote:
>> The Radiator people are talking about problems with SSL empty fragments handling in Windows Vista ... I've tried to compile FreeRADIUS with SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS but the final result is the same, clients can't connect!
>
> i.e. the patch below MAY help.
>
> There is still an issue in the FreeRADIUS state machine where it MAY send an empty ACK once the SSL tunnel is set up. Most clients seem to be OK with this, but maybe Vista isn't.
>
> A solution, I *think* would be to have FreeRADIUS send an EAP Identity request inside of the tunneled session for PEAP, as soon as the session is established. This should work with third-party supplicants, and may allow Vista to work, too.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

Index: src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c === RCS file: /source/radiusd/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c,v retrieving revision 1.21.4.11 diff -u -r1.21.4.11 rlm_eap_tls.c --- src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 26 Oct 2006 17:13:04 - 1.21.4.11 +++ src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 28 Nov 2006 22:04:44 -
@@ -368,7 +368,7 @@ * time needed during negotiation, but it is not very * large. */ - ctx_options |= SSL_OP_SINGLE_DH_USE; + ctx_options |= SSL_OP_SINGLE_DH_USE | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; SSL_CTX_set_options(ctx, ctx_options); /*

--
Best regards,
Pedro Ribeiro
IPLNet - Rede de dados e comunicações
Instituto Politécnico de Lisboa (IPL)
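Review bot: the `+ ctx_options |= SSL_OP_SINGLE_DH_USE | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;` line sets the option unconditionally, so it switches off OpenSSL's empty-fragment countermeasure (the defence against the SSL 3.0/TLS 1.0 CBC chosen-plaintext weakness) for every EAP-TLS, PEAP and TTLS peer, not only the one supplicant that cannot parse empty fragments; make it a tls { } configuration knob that defaults to off, and extend the comment above the line, which currently explains only SSL_OP_SINGLE_DH_USE, to say what is being traded away when it is enabled.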
RE: Unable to authenticate freeradius using PostgreSQL
All sorted!

I copied a fresh-install postgresql.conf file from another server, and bingo, all is working fine. Must have made a mistake while editing this file - note to self, make copies of the file BEFORE editing it!

Thanks for everyone's help.

Ross

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ross McOwat
Sent: 29 November 2006 10:53
To: FreeRadius users mailing list
Subject: RE: Unable to authenticate freeradius using PostgreSQL

> [...]
Re: Unable to authenticate freeradius using PostgreSQL
On Wednesday 29 November 2006 05:52, Ross McOwat wrote:
> radius_xlat: 'SELECT id, UserName, Attribute, Value, Op #?authorize_check_query = '
> rlm_sql (sql): Reserving sql socket id: 4
> rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op #?authorize_check_query =
> rlm_sql_postgresql: Status: PGRES_FATAL_ERROR

radius_xlat now shows the query, but "SELECT id, UserName, Attribute, Value, Op" is not a valid SQL query. The authorize_check_query being listed in the radius_xlat line means that you haven't properly quoted the SQL query in the config file. Look at the default postgresql.conf to see what you're missing... paying close attention to quotation marks.

> I have changed the 'value' and 'op' columns around, as the authentication sql query within postgresql.conf appears to try and retrieve 'value' before 'op'. Using the supplied database schema, the op column appears BEFORE value. Not sure if this is significant or not? Or possibly the actual data format I've entered is incorrect? I suspect (hope) it's something as simple as that.

It doesn't matter how the table columns are arranged, as long as your query asks for them in the correct order.

Kevin Bonner
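Added example, not from the thread and not FreeRADIUS code: a Python check for the quoting mistake Kevin describes, run over two constructed sql.conf-style fragments. FreeRADIUS spreads its long queries over several lines with a trailing backslash, and the checker treats such a backslash as "continue on the next line" (an assumption about the parser, stated here rather than taken from the thread). BROKEN is one reconstruction that yields exactly the query in Ross's log: a continuation pulls a commented-out copy of the query into the string, the first quote on that line closes it, and PostgreSQL then reads the leftover `#` as an operator and fails with "syntax error at end of input". It is a guess at what the edited file looked like, not Ross's actual file. FIXED is the shape of the stock query, with `${authcheck_table}` and `%{SQL-User-Name}` as in the distributed config.

```python
import re

ASSIGN = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*(.*)$')

# Constructed fragments (radiusd.conf / sql.conf syntax). Raw strings keep the
# trailing backslashes as literal characters.
BROKEN = r'''
authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
# authorize_check_query = "SELECT id, UserName, Attribute, Value, Op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
'''
FIXED = r'''
authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
  FROM ${authcheck_table} \
  WHERE Username = '%{SQL-User-Name}' \
  ORDER BY id"
'''


def logical_lines(text):
    """Group physical lines, joining those that end in a backslash."""
    groups, current, start = [], [], None
    for n, line in enumerate(text.splitlines(), 1):
        if not current:
            start = n
        current.append(line)
        if not line.rstrip().endswith("\\"):
            groups.append((start, current))
            current = []
    if current:
        groups.append((start, current))
    return groups


def _unwrap(part):
    """Drop the continuation backslash and surrounding whitespace."""
    part = part.rstrip()
    if part.endswith("\\"):
        part = part[:-1]
    return part.strip()


def check_queries(text):
    """Return {key: (value_as_parsed, [problems])} for every quoted assignment.

    value_as_parsed is the text between the opening quote and the first
    closing quote, i.e. what a line-oriented parser would hand to rlm_sql.
    """
    results = {}
    for start, lines in logical_lines(text):
        m = ASSIGN.match(lines[0])
        if not m or not m.group(2).lstrip().startswith('"'):
            continue
        key = m.group(1)
        joined = " ".join(_unwrap(p) for p in [m.group(2)] + lines[1:])
        body = joined[1:]                      # text after the opening quote
        problems = []
        for extra in lines[1:]:
            if extra.lstrip().startswith("#"):
                problems.append("line %d: continuation joins a commented-out line" % start)
        if '"' not in body:
            value = body
            problems.append("line %d: opening quote is never closed" % start)
        else:
            value, _, rest = body.partition('"')
            if rest.strip():
                problems.append("line %d: text after the closing quote: %r"
                                % (start, rest.strip()[:40]))
        if "#" in value:
            problems.append("line %d: '#' inside the SQL string (PostgreSQL reads it "
                            "as an operator, not a comment)" % start)
        results[key] = (value, problems)
    return results


if __name__ == "__main__":
    for label, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for key, (value, problems) in check_queries(text).items():
            print(label, key, "->", repr(value.strip()))
            for p in problems:
                print("   ", p)
```

Running this before restarting radiusd is cheaper than reading the PGRES_FATAL_ERROR loop in -X output; the value it prints for BROKEN is the string the server would send, which is the quickest way to confirm a quoting theory against what the database log shows.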
Re: Problem starting freeradius 1.1.3
Ian Walker wrote:
> I used the rpmbuild -ta command to build an rpm of freeradius-1.1.3 and all went well with the build. I then installed the rpm, and I'm getting the following error message after running radiusd -X.
> ...
> radiusd: symbol lookup error: radiusd: undefined symbol: udpfromto_init

You probably have two versions of the server installed. This error is coming from the one that's not part of the RPM build, I think.

> I'm not sure what to do to get around the problem of the undefined symbol udpfromto_init error. Has anyone any ideas on what I can do to get freeradius working?

Double-check how many versions you have installed. Use the correct libraries. udpfromto_init is part of the RADIUS library that comes with the server. If the daemon references that function, then the library includes that function.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: pptp + vpn + freeradius Acct-Status-Type Alive
Jóhann B. Guðmundsson wrote:
> Is it possible to enable Acct-Status-Type Alive for pptp vpn? If so how..

Read the VPN documentation. If it doesn't say how, it's impossible.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Unable to authenticate freeradius using PostgreSQL
Thanks Kevin - you were right, the issue was with the SQL query in postgresql.conf. I replaced my existing file with a default file on another server, and everything worked fine.

Many thanks for your help!

Ross

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bonner
Sent: 29 November 2006 16:16
To: FreeRadius users mailing list
Subject: Re: Unable to authenticate freeradius using PostgreSQL

> [...]
Re: Unable to authenticate freeradius using PostgreSQL
On Wednesday 29 November 2006 10:36, Ross McOwat wrote:
> All sorted!
>
> I copied a fresh-install postgresql.conf file from another server, and bingo, all is working fine. Must have made a mistake while editing this file - note to self, make copies of the file BEFORE editing it!
>
> Thanks for everyone's help.
>
> Ross

Got this message right after I sent out my other one. Good to see it's all working now.

Making copies works, but I prefer RCS or some other revision control to manage changes.

-Kevin
Re: pptp + vpn + freeradius Acct-Status-Type Alive
Alan DeKok wrote:
> Jóhann B. Guðmundsson wrote:
>> Is it possible to enable Acct-Status-Type Alive for pptp vpn? If so how..
>
> Read the VPN documentation. If it doesn't say how, it's impossible.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

Thanks, google returned nothing and nothing in the vpn documentation so will stop trying now, it was nothing trivial any how ;)

Best regards...
Johann B.
LDAP authentication... Help Me...
Hi, I'm a newbie for Freeradius. I've implemented this type of structure:

APPLICATION -- PAM -- FREERADIUS -- SQL

I want to substitute SQL with a LDAP backend; I don't need any type of accounting; I just want the application to check userid and password on my LDAP server. How can I accomplish that?

MySQL seems to work but frequently I get this type of error in radiusd.log:

Nov 29 18:04:11 public20 safesquid: pam_radius_auth: RADIUS server 212.80.192.120 failed to respond
Nov 29 18:04:11 public20 safesquid: pam_radius_auth: All RADIUS servers failed to respond.
Nov 29 18:04:11 public20 safesquid: pam_radius_auth: RADIUS server 212.80.192.120 failed to respond
Nov 29 18:04:11 public20 safesquid: pam_radius_auth: All RADIUS servers failed to respond.
Nov 29 18:04:15 public20 safesquid: pam_radius_auth: RADIUS server 212.80.192.120 failed to respond
Nov 29 18:04:15 public20 safesquid: pam_radius_auth: All RADIUS servers failed to respond.

And I don't know why this error appears. Can anybody help me?

Thanks,
Maury76
eap peap
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/etc/raddb/certs/cert- srv.pem
tls: certificate_file = (null)
tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
tls: private_key_password = radiusUDP
tls: dh_file = /usr/local/etc/raddb/certs/dh
tls: random_file = /usr/local/etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = (null)
tls: cipher_list = (null)
tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:0200100E:system library:fopen:Bad address
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[1]: eap: Module instantiation failed.
radiusd.conf[399] Unknown module eap.
radiusd.conf[382] Failed to parse authenticate section.

any ideas???

certificates created with certs.sh

radius:/home/dromero/radius/freeradius-1.1.3/scripts# sh certs.sh
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
+++..+...++...+...+.+.++*++*++*++*++*++*
See the 'certs' directory for the certificates.
The 'certs' directory should be copied to .../etc/raddb/
All passwords have been set to 'whatever'
Re: eap peap
Daniel Romero wrote:
> Module: Instantiated mschap (mschap)
> .. snip..
> tls: certificate_file = (null)
> any ideas???

Don't you need to specify the certificate, signed by the CA?

--
Martin Gadbois
S/W Developer
Colubris Networks Inc.
"Windows might take you from 0 to 60 faster, but to go to 100 you need Unix."
Re: radiusd.conf: Why extra Auth-Type in authenticate section?
Martin Gadbois wrote:
> Does it mean if(Auth-Type == PAP) then { call pap } ?

No. When the authenticate section is run, the Auth-Type is used to choose a particular module or section. It is NOT more general than that.

> Is it general purpose? Could I do Group == staff { pap } in the authenticate {} section?

No.

> Could you give me a function name in the source where this is done? (I like to RTFC!)

src/main/modules.c
src/main/modcall.c

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Windows Vista doing PEAP
Michael Messner wrote:
> Vista now working with freeRADIUS?

No idea.

> any debugging information needed?

Yes, someone to test it would be nice. I don't have Vista, so I can't test it.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Redundant LDAP servers
hi all,

is it possible to have multiple ldap servers for lookup for redundancy purposes in a similar way below?

ldap {
    server = ldap1.myorg.com, ldap2.myorg.com, ldap3.myorg.com
    login = cn=admin,o=myorg,c=au
    password = mypass
}

cheers
Peter
Re: EAP-AKA support?
Ramm-Ericson, Johannes wrote:
> (Yes, I know that this Wiki page http://wiki.freeradius.org/EAP does not include EAP-AKA in the list of supported methods)
> Does anyone have any input on the status of this code? Is it stable, does it need further testing?

If you can test it and see if it works, that would help. There aren't any major reasons why it hasn't been integrated, just testing cleanups. i.e. there is a lot of overlap between EAP-SIM and EAP-AKA. The AKA implementation submitted just copied the SIM code and changed SIM to AKA in many places. It would be better to abstract the code, so that there's only one source, and therefore only one place to fix errors.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Windows Vista doing PEAP
Alan DeKok wrote:
> Michael Messner wrote:
>> Vista now working with freeRADIUS?
>
> No idea.
>
>> any debugging information needed?
>
> Yes, someone to test it would be nice. I don't have Vista, so I can't test it.

I think you have not seen the mail from [EMAIL PROTECTED] with subject: Re[4]: Windows Vista doing PEAP - WORKING!!!

> Hello Alan,
> I can confirm it's working now!!!

so my question is when there will be the next freeRADIUS release with included vista support?

ca mIke
Re: Windows Vista doing PEAP
Hi,

> so my question is when there will be the next freeRADIUS release with included vista support?

right now with CVS and the one-liner patch ;-)

alan
Swapping RADIUS servers.
I'm hoping somebody can shed a little light on this, I found it very strange. btw: we're talking about freeradius version 1.1.3 here.

We currently run some lesser radius server on our network, and I have been engaged in converting the environment to freeradius (yea!). I believe we have worked out (lab and pilot-site testing) all the kinks for our authentication needs, and today we attempted to implement the change across our whole network.

Our lesser radius server lives on two physical boxes and listens on ports 1645/1646 AND 1812/1813 (can freeradius mimic this and listen on both sets of ports?) Our plan has been to make sure appropriate radius client devices were all pointing to the 1812/1813 authentication ports prior to the change. The change involved stopping the lesser server and bringing up freeradius on the ports 1812/1813 on both of the two physical servers. The idea was that the clients (chiefly Cisco WAPs) would have a seamless conversion and continue to authenticate using the same IP and ports they were previously using.

This however was not the observed result. What happened was almost universal failure. What we saw were requests coming into freeradius, being processed as expected, and returning the appropriate response - many Accept responses clearly visible in the logs. The radius clients however did not accept these responses and treated them as authentication failure.

The pilot: We ran freeradius on ports 11812/11813 on these same physical servers, side-by-side with the lesser radius server. We then pointed the client devices to the alternate port combination. They were successful and behaved exactly as expected. Log (debug) output from freeradius for the successful pilots and the failed implementation today are identical, however, with the new ports today 1812/1813 the pilot sites who had previously been working also failed.

Does anyone have an idea what could have happened here?

If a radius client was talking to server X, and then suddenly receives a response from server Y on the same IP / port combination... is there some way that the client can tell the server has changed, and thus reject any responses from it as invalid? Does the radius client bind in some way to the server (on the application layer I would assume)? Shared secrets are the same and the request is clearly visible and processed by freeradius.

debug output for a request looks like the following: freeradius does its job but the client device doesn't authenticate the user. Please note that LDAP should fail in this instance. LDAP is used for another kind of authentication. The users file which matches DEFAULT at line 7798 is where the authentication comes from.

Nov 29 10:58:48 rad_recv: Access-Request packet from host 10.32.251.10:32768, id=105, length=183
Nov 29 10:58:48 User-Name = 0014a4858ad0
Nov 29 10:58:48 Called-Station-Id = 00-15-62-a9-cc-50:guest
Nov 29 10:58:48 Calling-Station-Id = 00-14-a4-85-8a-d0
Nov 29 10:58:48 NAS-Port = 29
Nov 29 10:58:48 NAS-IP-Address = 10.32.251.10
Nov 29 10:58:48 NAS-Identifier = co-lp-wlc01
Nov 29 10:58:48 Airespace-Wlan-Id = 7
Nov 29 10:58:48 User-Password =
Nov 29 10:58:48 Service-Type = Call-Check
Nov 29 10:58:48 Framed-MTU = 1300
Nov 29 10:58:48 NAS-Port-Type = Wireless-802.11
Nov 29 10:58:48 Tunnel-Type:0 = VLAN
Nov 29 10:58:48 Tunnel-Medium-Type:0 = IEEE-802
Nov 29 10:58:48 Tunnel-Private-Group-Id:0 = 2250
Nov 29 10:58:48 Processing the authorize section of radiusd.conf
Nov 29 10:58:48 modcall: entering group authorize for request 0
Nov 29 10:58:48 hints: Matched DEFAULT at 39
Nov 29 10:58:48 modcall[authorize]: module preprocess returns ok for request 0
Nov 29 10:58:48 rlm_realm: No '@' in User-Name = 0014a4858ad0, looking up realm NULL
Nov 29 10:58:48 rlm_realm: No such realm NULL
Nov 29 10:58:48 modcall[authorize]: module suffix returns noop for request 0
Nov 29 10:58:48 users: Matched entry DEFAULT at line 7798
Nov 29 10:58:48 modcall[authorize]: module files returns ok for request 0
Nov 29 10:58:48 radius_xlat: '/usr/local/freeradius/etc/scripts/wireless.atz 0014a4858ad0'
Nov 29 10:58:48 Exec-Program: /usr/local/freeradius/etc/scripts/wireless.atz 0014a4858ad0
Nov 29 10:58:48 Exec-Program output: Requested WLAN is not restricted, deferring authentication.
Nov 29 10:58:48 Exec-Program-Wait: plaintext: Requested WLAN is not restricted, deferring authentication.
Nov 29 10:58:48 Exec-Program: returned: 0
Nov 29 10:58:48 modcall[authorize]: module wireless returns ok for request 0
Nov 29 10:58:48 rlm_ldap: - authorize
Nov 29 10:58:48 rlm_ldap: performing user authorization for 0014a4858ad0
Nov 29 10:58:48 radius_xlat: '((uid=0014a4858ad0)(accesslist=)(isaccountenabled=true))'
Nov 29 10:58:48 radius_xlat: 'o=xyz'
Nov 29 10:58:48 rlm_ldap: ldap_get_conn: Checking Id: 0
Nov 29 10:58:48 rlm_ldap: ldap_get_conn:
eap/peap
Hi. I'm installing freeradius on a debian machine, with OpenSSL 0.9.8d 28 Sep 2006, but i'm having some problems (i'm a newbie in radius)

eap.conf

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    #md5 {
    #}
    #leap {
    #}
    #gtc {
    #challenge = Password:
    #auth_type = PAP
    #}
    # To generate ctest certificates, run the script
    #../scripts/certs.sh
    # http://www.dslreports.com/forum/remark,9286052~mode=flat
    tls {
        private_key_password = radiusUDP
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        check_crl = yes
        check_cert_issuer = /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
        check_cert_cn = %{User-Name}
        cipher_list = DEFAULT
    }
    #ttls {
    #default_eap_type = peap
    #copy_request_to_tunnel = no
    #use_tunneled_reply = no
    #}
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
    }
    mschapv2 {
    }
}

radius.conf can be downloaded here: http://200.14.84.251/%7Edromero/radiusd.conf

The log:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
tls: private_key_password = radiusUDP
tls: dh_file = /usr/local/etc/raddb/certs/dh
tls: random_file = /usr/local/etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = %{User-Name}
tls: cipher_list = DEFAULT
tls: check_cert_issuer = /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[1]: eap: Module instantiation failed.
radiusd.conf[398] Unknown module eap.
radiusd.conf[381] Failed to parse authenticate section.

Help!!! ;)
Re: Windows Vista doing PEAP
Michael Messner wrote:
> I think you have not seen the mail from [EMAIL PROTECTED] with subject: Re[4]: Windows Vista doing PEAP - WORKING!!!

Hmm... I have noticed the occasional email show up in the list archives, but not in my inbox. Oh well.

I've added the patch to 1.1.4 CVS head.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: eap/peap
First question. Did you install from source, did you create your own binaries, or did you use debian provided binaries. Debian provided binaries do not include SSL support. (Violation of SSL license terms I believe)

Creating your own binaries is easily done:
http://wiki.freeradius.org/Build#Building_Debian_packages

> Hi. I'm installing freeradius on a debian machine, with OpenSSL 0.9.8d 28 Sep 2006, but i'm having some problems (i'm a newbie in radius)
Re: eap/peap
Daniel Romero wrote:
> I'm istalling freeradius on a debian machine, with OpenSSL 0.9.8d 28 Sep 2006, but i'm having some problems (i'm a newbie in radius)
> eap.conf
> ...
> tls {
> private_key_password = radiusUDP
> private_key_file = ${raddbdir}/certs/cert- srv.pem

Are you sure? The space looks suspicious.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
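Both eap/peap threads above fail in the same place, rlm_eap_tls loading its files: once with `certificate_file = (null)` and a suspicious path (`fopen:Bad address`), once with a key file OpenSSL cannot parse (`PEM_read_bio:no start line`, later traced to the key's pass phrase; note that the certs.sh run quoted earlier says all passwords were set to 'whatever' while eap.conf sets `private_key_password = radiusUDP`). The script below is an added example, not from the thread or from FreeRADIUS: it inspects PEM files offline and reports whether `private_key_file` really contains a private key, whether `certificate_file` contains a certificate, whether any block is unterminated, and whether the key is encrypted (so the configured pass phrase matters). The PEM bodies are constructed placeholders, not real key material.

```python
"""Inspect PEM files before pointing rlm_eap_tls at them.

Added example, not from the thread or the FreeRADIUS tree. It answers, without
starting radiusd, the questions behind the two errors seen in the threads:
does private_key_file hold a private key, does certificate_file hold a
certificate, is any block unterminated, and is the key pass-phrase protected.
"""
import re

# One PEM block: the END label must repeat the BEGIN label (backreference \1).
PEM_BLOCK_RE = re.compile(
    r'-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----', re.S)


def inspect_pem(text):
    """Summarise the PEM blocks in `text` as a small dict."""
    blocks = PEM_BLOCK_RE.findall(text)          # [(label, body), ...]
    labels = [label for label, _ in blocks]
    encrypted = any(label.endswith('PRIVATE KEY') and 'Proc-Type: 4,ENCRYPTED' in body
                    for label, body in blocks)
    # BEGIN lines that never found a matching END (or whose END label differs)
    unterminated = text.count('-----BEGIN ') - len(blocks)
    return {'labels': labels, 'encrypted_key': encrypted, 'unterminated': unterminated}


def check_eap_tls_files(private_key_pem, certificate_pem):
    """Return a list of problems; empty when both files look usable."""
    problems = []
    key = inspect_pem(private_key_pem)
    cert = inspect_pem(certificate_pem)
    if not any(label.endswith('PRIVATE KEY') for label in key['labels']):
        problems.append("private_key_file has no PRIVATE KEY block "
                        "(OpenSSL reports 'PEM_read_bio:no start line')")
    if 'CERTIFICATE' not in cert['labels']:
        problems.append("certificate_file has no CERTIFICATE block")
    for name, info in (('private_key_file', key), ('certificate_file', cert)):
        if info['unterminated']:
            problems.append(f"{name} has {info['unterminated']} unterminated PEM block(s)")
    return problems


# Constructed placeholders: the base64 bodies are not real keys or certificates.
SAMPLE_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQgUExBQ0VIT0xERVIsIE5PVCBBIFJFQUwgS0VZ
-----END RSA PRIVATE KEY-----
"""
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIsIE5PVCBBIFJFQUwgQ0VSVA==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # certs.sh-style layout: key and certificate in the same file, used for both settings
    combined = SAMPLE_KEY_PEM + SAMPLE_CERT_PEM
    print(inspect_pem(combined))
    print(check_eap_tls_files(combined, combined) or "files look usable")
    # misconfiguration: a certificate-only file named as the private key
    print(check_eap_tls_files(SAMPLE_CERT_PEM, SAMPLE_CERT_PEM))
```

For a real deployment call `check_eap_tls_files(open(key_path).read(), open(cert_path).read())`; if `inspect_pem` reports `encrypted_key` as True, the `private_key_password` in eap.conf must be the pass phrase the key was generated with.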
Re: Redundant LDAP servers
Peter Param wrote:
> hi all,
> is it possible to have multiple ldap servers for lookup for redundancy purposes in a similar way below?
> ldap {
> server = ldap1.myorg.com, ldap2.myorg.com, ldap3.myorg.com

You can do:

ldap ldap1 {
    server = ldap1
}
ldap ldap2 {
    server = ldap2...
}

And see doc/configurable_failover for how to set up redundancy, load balancing, and failover.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
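A fuller version of the layout Alan sketches, as an added example that is not from the thread or from the FreeRADIUS distribution: two named rlm_ldap instances, and a `redundant {}` group in authorize as described in doc/configurable_failover for the 1.x series. Hostnames, bind DN and password are the placeholder values from Peter's question; the key names other than `server` (`identity`, `basedn`, `filter`) follow the stock 1.x ldap section, which is an assumption about the version in use.

```conf
# Added example: two rlm_ldap instances plus a redundant group (1.x syntax).
modules {
    ldap ldap1 {
        server = "ldap1.myorg.com"
        identity = "cn=admin,o=myorg,c=au"
        password = mypass
        basedn = "o=myorg,c=au"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }
    ldap ldap2 {
        server = "ldap2.myorg.com"
        identity = "cn=admin,o=myorg,c=au"
        password = mypass
        basedn = "o=myorg,c=au"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }
}

authorize {
    preprocess
    # ldap2 is consulted only when ldap1 returns "fail"
    # (server unreachable, bind failed); a "notfound" from ldap1
    # is a final answer and does not fall through.
    redundant {
        ldap1
        ldap2
    }
}
```

The distinction in the comment is the practical point of `redundant`: it protects against a server being down, not against a user missing from one directory but present in another, so both servers should hold the same data (a replica pair) for this to behave as intended.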
Re: Swapping RADIUS servers.
Lin Richardson wrote:
> Our lesser radius server lives on two physical boxes and listens on ports 1645/1646 AND 1812/1813 (can freeradius mimic this and listen on both sets of ports?)

Yes. See listen in radiusd.conf.

> What we saw were requests coming into freeradius, being processed as expected, and returning the appropriate response - many Accept responses clearly visible in the logs. The radius clients however did not accept these responses and treated them as authentication failure.

See the FAQ. Do you have multiple IP's on the machine?

> Does anyone have an idea what could have happened here?
> If a radius client was talking to server X, and then suddenly receives a response from server Y on the same IP / port combination...

Huh? What does that mean? Suddenly, as in... what, exactly?

If you shut down the old machine, and start a new machine with the same IP, then RADIUS should work as before, assuming the server configuration is the same.

> Nov 29 10:58:48 rad_check_password: Found Auth-Type Accept
> Nov 29 10:58:48 rad_check_password: Auth-Type = Accept, accepting the user
> Nov 29 10:58:48 Sending Access-Accept of id 105 to 10.32.251.10 port 32768
> Nov 29 10:58:48 Finished request 0

The Access-Accept contains no attributes. Are you sure you want to do that? The request contained VLAN attributes, so I presume you want to put the user in a VLAN.

i.e. Are you sure that you have configured FreeRADIUS to return the SAME response as your old server? If the old server returns a bunch of attributes, and FreeRADIUS doesn't... then the configurations aren't identical, and the clients will behave differently.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
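What "see listen in radiusd.conf" amounts to for Lin's case (one server answering on both the old 1645/1646 pair and the standard 1812/1813 pair), as an added example that is not from the thread: four `listen` sections in 1.1.x syntax. This assumes the stock radiusd.conf of that version, where `port = 0` means the radius/radacct entries from /etc/services (normally 1812/1813) and `type` selects authentication or accounting.

```conf
# Added example: listen on both port pairs (1.1.x listen syntax assumed).
listen {
    ipaddr = *
    port = 0          # radius from /etc/services, normally 1812
    type = auth
}
listen {
    ipaddr = *
    port = 1645       # legacy authentication port
    type = auth
}
listen {
    ipaddr = *
    port = 0          # radacct from /etc/services, normally 1813
    type = acct
}
listen {
    ipaddr = *
    port = 1646       # legacy accounting port
    type = acct
}
```

With `listen` sections present, the top-level `port` and `bind_address` settings are not what decides the sockets, so check `radiusd -X` output for one "Listening on" line per section before swapping servers.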
Re: eap/peap
Hi. freeradius fully compiled on my machine... The problem was solved... it was a mistyped secret on the key.

But now there is another problem: the supplicant sends the access-request and freeradius answers with an Access-Challenge, but the handshake stops here:

rad_recv: Access-Request packet from host 192.168.100.185:1086, id=0, length=202
        Message-Authenticator = 0x38acd1df3dc52ea08db48df987a4eb1f
        Service-Type = Framed-User
        User-Name = dromero
        Framed-MTU = 1488
        Called-Station-Id = 00-18-6E-18-62-00:RadiusLab
        Calling-Station-Id = 00-0E-6A-9B-86-20
        NAS-Identifier = 3Com Access Point 7760
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x020c0164726f6d65726f
        NAS-IP-Address = 192.168.100.185
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
Sending Access-Challenge id=0 (to id=2)
.
.
.
Sending Access-Challenge of id 3 to 192.168.100.185 port 1084
        Framed-IP-Address := 192.168.100.210
        Framed-IP-Netmask := 255.255.255.255
        Framed-Protocol := PPP
        Service-Type := Framed-User
        Framed-Compression := Van-Jacobson-TCP-IP
        EAP-Message = 0x010400061900
        Message-Authenticator = 0x
        State = 0xdaa73e4eb46715230e0f671b850c7224

and stop... any ideas?

On 11/29/06, King, Michael [EMAIL PROTECTED] wrote:
> First question. Did you install from source, did you create your own binaries, or did you use debian provided binaries. Debian provided Binaries do not include SSL support. (Violation of SSL license terms I believe)
>
> Creating your own binaries are easily done
> http://wiki.freeradius.org/Build#Building_Debian_packages
>
>> Hi. I'm installing freeradius on a debian machine, with OpenSSL 0.9.8d 28 Sep 2006, but i'm having some problems (i'm a newbie in radius)
Re: Mac based auth
Alan and Phil,

Thanks a lot for all the help in getting this set up. I now have a username/password pair as well as also requiring the MAC to be present in the authentication. Your help was invaluable to me for getting this working right and for clearing up some of the assumptions I had made while reading the docs.

Thanks again,
Jon
Re: Windows Vista doing PEAP
Cool deal. I have also been able to confirm that adding the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option to the CTX makes Vista work. This is good news for us since we have a volume license deal and now have release copies beginning to be installed. :)

--Mike

On Nov 29, 2006, at 5:00 PM, Alan DeKok wrote:
> Michael Messner wrote:
>> I think you have not seen the mail from [EMAIL PROTECTED] with subject: Re[4]: Windows Vista doing PEAP - WORKING!!!
>
> Hmm... I have noticed the occasional email show up in the list archives, but not in my inbox. Oh well.
>
> I've added the patch to 1.1.4 CVS head.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Swapping RADIUS servers.
Hi Alan,

Thanks for taking a look at this. A quick clarification. The configuration of freeradius in this situation has already been tested and is not really the basis for my question. It is not a standard configuration, but it does work. Freeradius is installed on the same physical machine and listens on the same IP address as another vended radius solution. Freeradius is configured to use nonstandard ports (11812/11813), while the vended solution is using both sets of common ports - (same IP address, same physical machine). We have moved entire pilot facilities to authenticate on the nonstandard ports using freeradius and everything works swimmingly. Huge kudos to freeradius on that count. We have chosen to use freeradius not for economy, but rather for flexibility - hence the nonstandard configuration.

We want to move all facilities to freeradius now for production use. We would like to use the standard ports of 1812/1813 in an effort to keep things somewhat industry standard, and also because all the clients are already configured for those ports. We would have to manually change the configuration of hundreds of WAPs to the nonstandard ports if we intended to continue to use them.

The concept was simple - shut down the vended radius solution, thus freeing up the desired ports. Change the listen directive in radiusd.conf to use 1812/1813, and restart freeradius. All the clients that WERE using the vended solution on the given ports should continue on as if nothing had happened, only now they would be talking to freeradius.

Bear in mind that literally the same configuration and installation of freeradius with only a different listening port have already been in limited production use with the very devices in question.

I did read the FAQ which talked about needing to pass the same/correct attributes back to the client as a previous/other working radius solution in order for freeradius to work. I strongly believe that this is not the problem here as it has already been working without any problems on a different port. I almost wonder if power cycling the client device would resolve the problem... once freeradius had assumed the new ports.

>> What we saw were requests coming into freeradius, being processed as expected, and returning the appropriate response - many Accept responses clearly visible in the logs. The radius clients however did not accept these responses and treated them as authentication failure.
>
> See the FAQ. Do you have multiple IP's on the machine?

No multiple IPs

>> Does anyone have an idea what could have happened here?
>> If a radius client was talking to server X, and then suddenly receives a response from server Y on the same IP / port combination...
>
> Huh? What does that mean? Suddenly, as in... what, exactly?

Just an expression meaning no other event to mark the change. Really more unexpectedly than suddenly.

> If you shut down the old machine, and start a new machine with the same IP, then RADIUS should work as before, assuming the server configuration is the same.

So... even if they are on the same machine... killing the vended radius solution and starting freeradius on the same ports the vended solution was using should work seamlessly? Clients won't know or care, provided their shared secret and attributes are the same?

Could a radius response with spoofed source IP and port be accepted as valid by a radius client simply based on the IP and port... and of course the coherence of the reply to a corresponding request?

>> Nov 29 10:58:48 rad_check_password: Found Auth-Type Accept
>> Nov 29 10:58:48 rad_check_password: Auth-Type = Accept, accepting the user
>> Nov 29 10:58:48 Sending Access-Accept of id 105 to 10.32.251.10 port 32768
>> Nov 29 10:58:48 Finished request 0
>
> The Access-Accept contains no attributes. Are you sure you want to do that? The request contained VLAN attributes, so I presume you want to put the user in a VLAN.

The WAP controls this, and I have been forbidden to specify anything to do with VLANs. Which of the request attributes do/don't flow through to the reply?

> i.e. Are you sure that you have configured FreeRADIUS to return the SAME response as your old server? If the old server returns a bunch of attributes, and FreeRADIUS doesn't... then the configurations aren't identical, and the clients will behave differently.

Because this is such a logical explanation I will also revisit this possibility. For a different type of radius client we do pass some things back, but the WAPs have always worked without anything else.

Again, thanks for taking time to kick this around, I am truly at a loss.

Regards,
Lin
Re: Swapping RADIUS servers.
Lin Richardson wrote:
> We want to move all facilities to freeradius now for production use. We would like to use the standard ports of 1812/1813 in an effort to keep things somewhat industry standard, and also because all the clients are already configured for those ports. We would have to manually change the configuration of hundreds of WAPs to the nonstandard ports if we intended to continue to use them.

Or... IP re-write rules on the RADIUS server. There's more than one way to solve a problem.

> Bear in mind that literally the same configuration and installation of freeradius with only a different listening port have already been in limited production use with the very devices in question.

OK.

> I almost wonder if power cycling the client device would resolve the problem... once freeradius had assumed the new ports.

I don't see why. RADIUS doesn't maintain sessions across states, and NASes are pretty dumb. This kind of behavior is a little surprising.

> So... even if they are on the same machine... killing the vended radius solution and starting freeradius on the same ports the vended solution was using should work seamlessly? Clients won't know or care, provided their shared secret and attributes are the same?

Yes. The clients know nothing more than RADIUS requests and RADIUS responses. Same request/response == same behavior.

> Could a radius response with spoofed source IP and port be accepted as valid by a radius client simply based on the IP and port... and of course the coherence of the reply to a corresponding request?

No, you need the shared secret, too.

> The WAP controls this, and I have been forbidden to specify anything to do with VLANs. Which of the request attributes do/don't flow through to the reply?

None flow through to the reply. RADIUS clients can request anything they want, and you can't control that. So sane RADIUS servers don't let the clients control the reply. They let the *administrator* control the reply.

> Because this is such a logical explanation I will also revisit this possibility. For a different type of radius client we do pass some things back, but the WAPs have always worked without anything else.

Even for the old server? An empty Access-Accept? That sounds a little odd.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: eap/peap
Daniel Romero wrote:
> But now there is another problem: the supplicant sends the access-request and freeradius answers with an Access-Challenge, but the handshake stops here:

See the FAQ.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog