Re: Radius Server refusing to MS-CHAP

2007-01-12 Thread Phil Mayers

Evan Vittitow wrote:

Contents:

localip 192.168.102.1-101
remoteip 192.168.102.102-203
option /etc/ppp/options.pptpd


In which case I don't have any other suggestion.

pppd decides what authentication algorithm to use - Radius does not have 
any choice in the matter.


You might try enabling the various ppp debugging options (debug, kdebug) 
and inspecting the output.


To be clear: nothing you can do in FreeRadius will make pppd use MS-CHAP.

One more thing - looking back at a previous email, I infer you are 
setting Auth-Type in the users file to MS-CHAP? Don't do that. If the 
request is a real MS-CHAP request, the mschap module will set that 
itself. If it's not, setting it will just break things.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


user/group and permissions CentOS 4.4

2007-01-12 Thread Andrew Long

In process of building 1.4 on CentOS 4.4. When started (as root) in
debug mode, all goes well. When using default user/group nobody I get

 Info: Starting - reading configuration files ...
 radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging: 
 Permission denied
   (rlm_exec: Wait=yes but no output defined. Did you mean output=none?)
 radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging: 
 Permission denied
   (Failed creating PID file /usr/local/var/run/radiusd/radiusd.pid: 
 Permission denied)

Can someone give me a little guidance with the permissions and
user/group setup for Cent.

--Andrew Long




re:MySql and calling-station-id help please

2007-01-12 Thread Ackbar Joolia
 I cannot get the above to work at all, can anyone please give me an idea
 of how to do the above?
 
  See the FAQ about it doesn't work.
 
  Also, try posting pieces of your current config.  What you want isn't
hard to do, but we have no idea what your configuration is, so it's
impossible to say what is going wrong.
 
  Alan DeKok
 
Alan,
 
Where is the “it doesn’t work” faq?
 
This is the logic I am following.
In my usergroup table, I have got the same username with different groupnames:
 
Usergroup Table
---
UserName  | GroupName
User1   | group1
User1   | group2
User1   | group3
 
 
 
Then in the radcheck table, I have the correct password for that user:
 
Radcheck table
--
UserName | Attribute | op | Value
User1 | Password | == | pass1
 
I am then putting the Calling-Station-Ids inside the radgroupcheck table, 
bearing in mind that RADIUS will match all the attributes from the request with 
the values inside the radgroupcheck table.
 
Radgroupcheck

GroupName | Attribute | op | Value
Group1 | Calling-Station-Id | := | 123456
Group2 | Calling-Station-Id | := | 345677
 
In the radgroupreply, I am assigning the different Framed-Ip-Address to the 
different groups.
 
Radgroupreply

GroupName | Attribute | op | Value | prio
Group1 | Framed-IP-Address | := | xxx | 0
Group2 | Framed-IP-Address | := | yyy | 0
 
 
 
However, every time a request is coming in, the same IP address is being 
assigned. Radius is not differentiating at all between the different 
Calling-Station-Id. I know this should be a simple thing to do, but its not 
working for me. Please help and advise.
 
Al
 
 


Re: user/group and permissions CentOS 4.4

2007-01-12 Thread Alan DeKok
Andrew Long wrote:
 In process of building 1.4 on CentOS 4.4. When started (as root) in
 debug mode, all goes well. When using default user/group nobody I get
 
 Info: Starting - reading configuration files ...
 radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging: 
 Permission denied
   (rlm_exec: Wait=yes but no output defined. Did you mean output=none?)
 radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging: 
 Permission denied
   (Failed creating PID file /usr/local/var/run/radiusd/radiusd.pid: 
 Permission denied)
 
 Can someone give me a little guidance with the permissions and
 user/group setup for Cent.

  I would suggest running the server as user radiusd, group radiusd.
 The var/log/radius directory should be writable by that user.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
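An added preflight check for the situation Alan describes (an editorial example, not code from the thread or from FreeRADIUS): given an account name, it reports which of the three paths named in the "Permission denied" errors above could be opened for writing by that account. It evaluates the owner/group/other mode bits itself instead of calling os.access(), because os.access() run from a root shell always answers yes (root bypasses the mode bits, which is exactly why `radiusd -X` as root went fine). The paths are the ones from the post; the account name is whatever you pass, `nobody` by default.

```python
"""Predict, from the mode bits alone, whether the account radiusd will run as
could open each path the server needs, without starting the server and
without switching to that account.

Limits: classic owner/group/other bits only. POSIX ACLs and SELinux (present
on CentOS 4) are not consulted, and ancestor directories are assumed to be
searchable."""
import grp
import os
import pwd
import stat


def could_write(mode, owner, group, is_dir, uid, gids):
    """Pure decision on stat-like inputs: may uid (member of gids) write here?
    A directory needs write+search (wx) so that files can be created in it."""
    if uid == 0:                                   # DAC override, as the kernel does
        return True
    if owner == uid:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    need = 0b011 if is_dir else 0b010
    return bits & need == need


def can_write(path, uid, gids):
    """Could uid open `path` for writing, creating it in its parent if absent?
    radius.log and radiusd.pid are created by the server, so for a missing
    file the question is really about the parent directory."""
    if os.path.lexists(path):
        st = os.stat(path)
        return could_write(st.st_mode, st.st_uid, st.st_gid,
                           stat.S_ISDIR(st.st_mode), uid, gids)
    parent = os.path.dirname(os.path.abspath(path))
    if not os.path.isdir(parent):
        return False                               # nothing can create it there
    st = os.stat(parent)
    return could_write(st.st_mode, st.st_uid, st.st_gid, True, uid, gids)


def identity(user):
    """uid and full group set (primary + supplementary) of an account name."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


# Paths taken from the error messages in the post (prefix /usr/local).
RADIUSD_PATHS = (
    "/usr/local/var/log/radius/radius.log",
    "/usr/local/var/log/radius/radacct",
    "/usr/local/var/run/radiusd/radiusd.pid",
)


def report(user, paths=RADIUSD_PATHS):
    """Map each path to True/False for the given account name."""
    uid, gids = identity(user)
    return {p: can_write(p, uid, gids) for p in paths}


if __name__ == "__main__":
    import sys
    account = sys.argv[1] if len(sys.argv) > 1 else "nobody"
    for path, ok in report(account).items():
        print("%-48s %s" % (path, "ok" if ok else "NOT writable by " + account))
```

Run it as `python3 radperm.py radiusd` after creating the account Alan suggests; it does not need root, but the account has to exist. Once every path shows as writable, set `user = radiusd` and `group = radiusd` in radiusd.conf and chown `/usr/local/var/log/radius` and `/usr/local/var/run/radiusd` to that account. The PID file's directory matters as much as the log directory, because the error comes from creating the file, not from appending to an existing one. A path reported writable here can still be refused by an ACL or by SELinux, which the mode bits cannot tell you about.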


freeradius-1.1.3 + snmp...

2007-01-12 Thread adreas Polyxronopoulos
Hi list,

I have Ubuntu 6.10 and I have set up my freeradius-1.1.3 for peap-eap/mschapv2. 
I have these packages for snmp: libsnmp9, libsnmp9-dev, libsnmp-base, 
libsnmp-perl, libsnmp-session-perl, php5-snmp, snmp, snmpd. 
I have configured radiusd.conf to support snmp, and in snmp.conf I have set 
the community string to public, as it is in snmpd.conf. 
However, when I run freeradius in debugging mode (radiusd -X), I get the 
following output and freeradius does not start. 
Why is that happening? When I configured radiusd.conf without snmp, 
everything works perfectly.

[EMAIL PROTECTED]:/usr/local/etc/raddb# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = yes
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: bind_address = 10.0.0.15 IP address [10.0.0.15]
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = no
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/server_keycert.pem
 tls: certificate_file = /usr/local/etc/raddb/certs/server_keycert.pem
 tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /usr/local/etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = yes
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded files 
 files: 

Re: MySql and calling-station-id help please

2007-01-12 Thread Kevin Bonner
On Friday 12 January 2007 10:19, Ackbar Joolia wrote:
See the FAQ about it doesn't work.
 
Also, try posting pieces of your current config.  What you want isn't
  hard to do, but we have no idea what your configuration is, so it's
  impossible to say what is going wrong.
 
Alan DeKok

 Alan,

 Where is the “it doesn’t work” faq?

http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

 Radcheck table
 --
 UserName | Attribute | op | Value
 User1 | Password | == | pass1

Operator should be :=.  Attribute should be User-Password (or 
Cleartext-Password depending on your freeradius version), but Password should 
be fine for your tests.

 Radgroupcheck
 
 GroupName | Attribute | op | Value
 Group1 | Calling-Station-Id | := | 123456
 Group2 | Calling-Station-Id | := | 345677

The operator is incorrect.  := sets the attribute to that value.  See the 
Operators page in the wiki or man 5 users for more info on operator 
behavior.

Kevin Bonner


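A worked illustration of Kevin's point, added here as an editorial example and not code from the thread or from FreeRADIUS itself: a small Python model of how rlm_sql in the 1.x server walks a user's groups, with the poster's three tables written in as constructed data (192.0.2.1 and 192.0.2.2 stand in for xxx and yyy). The group order, the stop at the first matching group and the Fall-Through handling are my reading of 1.x rlm_sql and are assumptions of the model; the operator rules are those of man 5 users. Run it and the `:=` rows hand every calling station the first group's address, while `==` rows select by Calling-Station-Id.

```python
"""Reduced model of rlm_sql group processing, written to show why `:=` in
radgroupcheck gives every caller the same address.

Per group, in usergroup order: compare the radgroupcheck items against the
request; if they all pass, merge the radgroupreply items into the reply and
stop, unless that group's reply items contain Fall-Through = Yes.
Not modelled: radcheck/radreply, the password check itself, and any
operator not listed in check_item_matches."""
import re

# Constructed tables mirroring the poster's layout (placeholder addresses).
USERGROUP = [("User1", "group1"), ("User1", "group2"), ("User1", "group3")]
RADGROUPREPLY = [
    ("group1", "Framed-IP-Address", ":=", "192.0.2.1"),
    ("group2", "Framed-IP-Address", ":=", "192.0.2.2"),
]


def radgroupcheck(op):
    """The poster's radgroupcheck rows with the operator left as a parameter."""
    return [
        ("group1", "Calling-Station-Id", op, "123456"),
        ("group2", "Calling-Station-Id", op, "345677"),
    ]


def check_item_matches(request, attr, op, value):
    """One check item against the request attributes (man 5 users)."""
    if op in (":=", "+="):      # configuration items: never compared, always match
        return True
    present = attr in request
    if op == "=*":
        return present
    if op == "!*":
        return not present
    if not present:             # every comparison operator needs the attribute
        return False
    got = request[attr]
    if op == "==":
        return got == value
    if op == "!=":
        return got != value
    if op == "=~":
        return re.search(value, got) is not None
    if op == "!~":
        return re.search(value, got) is None
    raise ValueError("operator %r not modelled" % op)


def merge_reply(reply, attr, op, value):
    """Reply-item operators: = adds if absent, := replaces, += always adds."""
    if op == ":=":
        reply[attr] = [value]
    elif op == "=":
        reply.setdefault(attr, [value])
    elif op == "+=":
        reply.setdefault(attr, []).append(value)
    else:
        raise ValueError("operator %r is not a reply operator" % op)


def sql_authorize(username, request, usergroup, groupcheck, groupreply):
    """Return (groups that matched, reply attributes) for one request."""
    reply, matched = {}, []
    for user, group in usergroup:
        if user != username:
            continue
        checks = [(a, o, v) for g, a, o, v in groupcheck if g == group]
        if not all(check_item_matches(request, a, o, v) for a, o, v in checks):
            continue
        matched.append(group)
        replies = [(a, o, v) for g, a, o, v in groupreply if g == group]
        fall_through = False
        for a, o, v in replies:
            if a == "Fall-Through":
                fall_through = v.lower() == "yes"
                continue        # server-internal, never sent to the NAS
            merge_reply(reply, a, o, v)
        if not fall_through:
            break
    return matched, reply


def addresses_handed_out(op):
    """Framed-IP-Address for three calling stations with radgroupcheck op `op`."""
    out = {}
    for station in ("123456", "345677", "999999"):
        request = {"User-Name": "User1", "Calling-Station-Id": station}
        _, reply = sql_authorize("User1", request, USERGROUP,
                                 radgroupcheck(op), RADGROUPREPLY)
        out[station] = reply.get("Framed-IP-Address", [None])[0]
    return out


if __name__ == "__main__":
    for op in (":=", "=="):
        print("radgroupcheck op %-3s -> %s" % (op, addresses_handed_out(op)))
```

The model makes the failure visible: a check item written with `:=` is a configuration item, it is never compared with the request and always matches, so group1 matches for every caller and, with no Fall-Through, nothing after it is even looked at. The same operator logic is behind Kevin's remark about radcheck: the password is a known value to hand to the authenticating module, which is what `:=` expresses, not something to compare with the request. Note also that with `==` a caller whose station matches no group still falls through to group3 and simply gets no address; check items in radgroupcheck choose a group, they do not by themselves refuse the user.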

Re: freeradius-1.1.3 + snmp...

2007-01-12 Thread Kevin Bonner
On Friday 12 January 2007 11:13, adreas Polyxronopoulos wrote:
 I have configured the radiusd.conf to support snmp 
 and in snmp.conf i have set the community string to public as it is in
 snmpd.conf.

In your snmpd.conf file, do you have a line that looks like the following?

smuxpeer .1.3.6.1.4.1.3317.1.3.1 public

Are there any errors in your log files that might indicate a problem with your 
snmpd config?

 However when i am running freeradius in debugging mode : 
 radiusd -X , i get the following output and the freeradius does not start.
 Why is that happening ? When i configured the radiusd.conf without snmp
 everything works perfect.

Does freeradius exit without error or do you press Ctrl-C to kill it?

Kevin Bonner



RE: MySql and calling-station-id help please

2007-01-12 Thread Ackbar Joolia
Kevin,
Password is working fine.

I have tried almost all the operators and none is doing the job for me. I 
wonder whether the logic I am using is good or not?

Al


Re: freeradius-1.1.3 + snmp...

2007-01-12 Thread adreas Polyxronopoulos
Hi Kevin, and thanks for your time.

- In your snmpd.conf file, do you have a line that looks like the following?
smuxpeer .1.3.6.1.4.1.3317.1.3.1 public 

+ No, I didn't have a line like the following in my snmpd.conf: smuxpeer 
.1.3.6.1.4.1.3317.1.3.1 public
However, when I add the line to my snmpd.conf at a random place in the file, 
I get the same output. Do I have to write it in a specific place in 
snmpd.conf?

- Are there any errors in your log files that might indicate a problem with 
your snmpd config? 

+ I checked radiusd.log but found nothing useful.

- Does freeradius exit without error or do you press Ctrl-C to kill it? 

+ No, my freeradius exits without error, and I don't press Ctrl-C to kill it.


 
Adreas Polyxronopoulos



Re: Radius Server refusing to MS-CHAP

2007-01-12 Thread Evan Vittitow
Phil Mayers wrote:
 One more thing - looking back at a previous email, I infer you are
 setting Auth-Type in the users file to MS-CHAP? Don't do that. If
 the request is a real MS-CHAP request, the mschap module will set
 that itself. If it's not, setting it will just break things.

Maybe that's part of my problem. What should that be set to then?


Re: Radius Server refusing to MS-CHAP

2007-01-12 Thread A . L . M . Buxey
Hi,

 Maybe thats part of my problem. What should that be set to then?

Nothing, you don't set it. The server deals with it and knows many things.

alan


Re: Radius Server refusing to MS-CHAP

2007-01-12 Thread Phil Mayers

Evan Vittitow wrote:

DEFAULT Auth-Type := MS-CHAP
Fall-Through = 1

That's what it is set to; should it be something else?


The ONLY circumstances you should set Auth-Type to ANYTHING are (in 
order of probability):

 1. Setting it to Reject to refuse authentication e.g. based on group
 2. Setting it to Accept for PAP requests which you wish to permit-all 
e.g. MAC-based authentication
 3. Setting it (in old versions of the server) for the few modules 
which don't set it themselves - namely, PAP

Basically - DON'T set it. Delete that entry from the users file 
completely. Let the server figure it out, it will do the right thing if 
configured correctly.

Also, do you know how to have pppd use Client side PEAP? Maybe I can
skip MS-CHAP and use PEAP for both PPTP and 802.1X


Not sure - you'd have to consult the pppd docs. In theory it's possible, 
but I know of no-one using it, and I'm not sure it interacts correctly 
with PPTP.


CHAP with crypt

2007-01-12 Thread Evan Vittitow
When using OpenLDAP, is there a way to make CHAP work without storing
passwords as clear text?


FreeRadius IRC...

2007-01-12 Thread Evan Vittitow
Do you folks ever show up on Freenode's #FreeRadius channel?


Re: CHAP with crypt

2007-01-12 Thread Dennis Skinner
Evan Vittitow wrote:
 When using OpenLDAP, is there a way to make CHAP work without storing
 passwords as clear text/

OpenLDAP has nothing to do with it.  Crypt is one-way by its very
nature.  Since CHAP crypts it on the wire, the password that RADIUS (or
any service) checks against must be in clear text because it cannot
decrypt the password that it was sent.

See this for further details:

http://deployingradius.com/documents/protocols/compatibility.html


In short, the answer is: no, secure your database.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
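To make Dennis's point concrete, here is an added Python example (editorial, not from the thread, from FreeRADIUS or from OpenLDAP) of what a RADIUS server has to compute to check a CHAP login, next to the {SSHA} form OpenLDAP stores in userPassword by default. The RFC 1994 response and the RFC 2865 CHAP-Password layout are as the RFCs specify; the sample challenge, identifier and password are constructed for the demonstration.

```python
"""Why CHAP needs the clear-text password on the server.

The NAS forwards CHAP-Password (one identifier byte plus the 16-byte MD5
response) together with the challenge (the CHAP-Challenge attribute, or the
Request Authenticator when that attribute is absent). The server can only
check the login by recomputing the response from the clear text it holds;
a one-way hash on file cannot be turned back into that input."""
import base64
import hashlib
import hmac
import os


def chap_response(ident, password, challenge):
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + password + challenge).digest()


def radius_chap_password(ident, response):
    """RFC 2865 section 5.3: CHAP-Password value is Identifier || Response."""
    return bytes([ident & 0xFF]) + response


def chap_verify(chap_password, challenge, cleartext):
    """What the server does: recompute from the known clear text and compare."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(expected, response)


def ssha_store(password, salt=b""):
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt). One-way by design."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_check(stored, candidate):
    """Bind-style check of a clear-text candidate: works for PAP, useless for
    CHAP, because CHAP never delivers the clear text to the server."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


def chap_guess(chap_password, challenge, candidates):
    """The only move left to a server holding just a hash: try candidate
    clear texts until one reproduces the response. An eavesdropper with a
    captured exchange does exactly the same, which is why CHAP protects the
    password on the wire only as well as it resists an MD5 dictionary attack."""
    for cand in candidates:
        if chap_verify(chap_password, challenge, cand):
            return cand
    return None


if __name__ == "__main__":
    challenge = bytes(range(16))                    # constructed sample challenge
    on_wire = radius_chap_password(7, chap_response(7, b"pass1", challenge))
    stored = ssha_store(b"pass1")
    print("CHAP check with clear text on file :", chap_verify(on_wire, challenge, b"pass1"))
    print("PAP-style check against {SSHA}     :", ssha_check(stored, b"pass1"))
    print("best a hash-only server can do     :", chap_guess(on_wire, challenge, [b"letmein", b"pass1"]))
```

chap_verify takes `cleartext` as an input and nothing else will do: an {SSHA} value can confirm a clear-text candidate, which is the PAP case and what an LDAP bind does, but it cannot be fed into MD5 in place of the secret. chap_guess is the only remaining option for a server with just a hash on file, and it is the same computation an eavesdropper makes, so storing a hash buys nothing for CHAP while the exchange itself stays crackable offline. Hence Dennis's answer: keep the clear text and protect the store. (MS-CHAP is the one variant that can instead be verified from a stored NT hash, but that hash is unsalted MD4 and is itself usable as the credential, so it does little to protect the store either.)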