Re: Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?

2007-01-16 Thread Peter Nixon
Yep. It's called a firewall...

-Peter

On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:
  I am using PAM for auth-type in my users file. Is there a simple way to
 say that user 'x' can only login to IP addr 'y' and /or 'z'? I have
 groups of engrs, admins, and operators and need to discriminate who can
 access which device

 Scott

 -Original Message-
 From: Ellis, Scott 1 (N-Comptel Inc.)
 Sent: Tuesday, January 02, 2007 11:40 AM
 To: 'FreeRadius users mailing list'
 Cc: Ellis, Scott 1 (N-Comptel Inc.)
 Subject: RE: How to restrict users /PAM to specific NAS devices??

 I have looked it over, but I am still not clear. I was thinking that I
 could use huntgroups to map devices to specific groups, but then I am
 not clear on how to restrict users ('users' file) to those groups. I
 know this has probably been done most everywhere in one form or another.
 Any examples that show the actual entries in the approp. files?

 Thanks,
 Scott

 -Original Message-
 From:
 [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 .org] On Behalf Of Alan DeKok
 Sent: Tuesday, January 02, 2007 9:43 AM
 To: FreeRadius users mailing list
 Subject: Re: How to restrict users /PAM to specific NAS devices??

 Ellis, Scott 1 (N-Comptel Inc.) wrote:
  I am using PAM for Auth-Type.
  I want to be able to either 1) restrict the devices the user has
  access to (admins,operators, etc) by username and/or 2) preferably
  carve into groups my network gear/NAS devices and then assign users to
  groups.

   See man rlm_passwd.  Its documentation describes how to create
 groups like this.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Dialup Admin NAS List

2007-01-16 Thread Kostas Kalevras

Cory Robson wrote:

 I'm hoping someone may be able to assist in modifying the user_finger.php
 script to retrieve the list of NAS's for the online users from radacct
 table.

Why not just use the nas table. In the cvs version of dialupadmin
there's a file called lib/sql/nas_list.php3
It will read the nas table and get the nas list. You could try changing
that one if it suits your needs.

 Basically instead of reading the text file and cycling through them to add
 the breakdown of NAS's I want to use something like

 select DISTINCT NASIPAddress
 from radacct

 add them to an array and use the php gethostbyaddr() function to retrieve
 the true hostname to sort them by

 I don't need any of the snmp or NAS type or number of lines left as my
 upstream does not allow me to connect to verify the information anyway.

 This should just be a quick change for someone more talented than I to
 remove the existing loop and replace it with the relevant sql loop instead.

 Anyone ?


Re: RE : Problem with Freeradius+LDAP+wifi

2007-01-16 Thread Rafał Kamiński
Hello,

I changed my setup and now I have this problem:

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0,
length=135
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 001217694588
Calling-Station-Id = 0014a41e7112
NAS-Identifier = 001217694588
NAS-Port = 61
Framed-MTU = 1400
State = 0xc278794268fad26149d90a3209f98f21
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100060319
Message-Authenticator = 0x29e1dbe751ff97581d9c6a0a7b4a30c5
Tue Jan 16 09:45:50 2007 : Debug:   Processing the authorize section of
radiusd.conf
Tue Jan 16 09:45:50 2007 : Debug: modcall: entering group authorize for
request 9
Tue Jan 16 09:45:50 2007 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 9
Tue Jan 16 09:45:50 2007 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 9
Tue Jan 16 09:45:50 2007 : Debug:   modcall[authorize]: module
preprocess returns ok for request 9
Tue Jan 16 09:45:50 2007 : Debug:   modsingle[authorize]: calling ldap
(rlm_ldap) for request 9
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: - authorize
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: performing user
authorization for rka
Tue Jan 16 09:45:50 2007 : Debug: radius_xlat:  '(uid=rka)'
Tue Jan 16 09:45:50 2007 : Debug: radius_xlat:  'ou=Users,dc=domain'
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: performing search in
ou=Users,dc=blstream, with filter (uid=rka)
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: looking for check items in
directory...
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: looking for reply items in
directory...
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: user rka authorized to use
remote access
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Jan 16 09:45:50 2007 : Debug:   modsingle[authorize]: returned from
ldap (rlm_ldap) for request 9
Tue Jan 16 09:45:50 2007 : Debug:   modcall[authorize]: module ldap
returns ok for request 9
Tue Jan 16 09:45:50 2007 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 9
Tue Jan 16 09:45:50 2007 : Debug:   rlm_eap: EAP packet type response id
1 length 6
Tue Jan 16 09:45:50 2007 : Debug:   rlm_eap: No EAP Start, assuming it's
an on-going EAP conversation
Tue Jan 16 09:45:50 2007 : Debug:   modsingle[authorize]: returned from
eap (rlm_eap) for request 9
Tue Jan 16 09:45:50 2007 : Debug:   modcall[authorize]: module eap
returns updated for request 9
Tue Jan 16 09:45:50 2007 : Debug: modcall: leaving group authorize
(returns updated) for request 9
Tue Jan 16 09:45:50 2007 : Debug:   rad_check_password:  Found Auth-Type EAP
Tue Jan 16 09:45:50 2007 : Debug: auth: type EAP
Tue Jan 16 09:45:50 2007 : Debug:   Processing the authenticate section
of radiusd.conf
Tue Jan 16 09:45:50 2007 : Debug: modcall: entering group authenticate
for request 9
Tue Jan 16 09:45:50 2007 : Debug:   modsingle[authenticate]: calling eap
(rlm_eap) for request 9
Tue Jan 16 09:45:50 2007 : Debug:   rlm_eap: Request found, released
from the list
Tue Jan 16 09:45:50 2007 : Debug:   rlm_eap: EAP NAK
Tue Jan 16 09:45:50 2007 : Debug:  rlm_eap: EAP-NAK asked for EAP-Type/peap
Tue Jan 16 09:45:50 2007 : Debug:  rlm_eap: No such EAP type peap
Tue Jan 16 09:45:50 2007 : Debug:   rlm_eap: Failed in EAP select
Tue Jan 16 09:45:50 2007 : Debug:   modsingle[authenticate]: returned
from eap (rlm_eap) for request 9
Tue Jan 16 09:45:50 2007 : Debug:   modcall[authenticate]: module eap
returns invalid for request 9
Tue Jan 16 09:45:50 2007 : Debug: modcall: leaving group authenticate
(returns invalid) for request 9
Tue Jan 16 09:45:50 2007 : Debug: auth: Failed to validate the user.
Tue Jan 16 09:45:50 2007 : Debug: Delaying request 9 for 1 seconds
Tue Jan 16 09:45:50 2007 : Debug: Finished request 9
Tue Jan 16 09:45:50 2007 : Debug: Going to the next request
Tue Jan 16 09:45:50 2007 : Debug: rl_next:  returning NULL
Tue Jan 16 09:45:50 2007 : Debug: Waking up in 6 seconds...
Tue Jan 16 09:45:56 2007 : Debug: --- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.245 port 3072
EAP-Message = 0x04010004
Message-Authenticator = 0x


Where is the problem?



-- 
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]


Re: 3Com-User-Access-Level Not Applied

2007-01-16 Thread Alan DeKok
Alexandre Soares wrote:
  
 Hello Alan,
  
 I have checked on the official web site; the last version is 1.1.4

  OK... 1.1.4 or 1.1.3 has some fixes that correct problems with 3com
attributes in previous versions.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?

2007-01-16 Thread Jan Mulders

Hoping to be more helpful here, I know how to implement this functionality
in freeradius, but only when using a mysql database backend (which is a good
idea for most setups using more than about 20 users).

I am assuming you want to control user logins to multiple NASes and this is
what you meant by user 'x' can only login to IP addr 'y' and/or 'z'. If
you need to just filter traffic based on real network devices, for example
where Y and Z are IP addresses on your network, you can safely ignore my
first radgroupcheck entry below that restricts NAS choice.
If you get a standard mysql setup working, all you need to do is add the
user's password to radcheck (for table names username,attribute,op,value
you should have bobengineer,User-Password,==,nortel), and add the user to
a group in radgroup (username, group = bobengineer,engineers). Then you can
set group-specific policies by putting entries in radgroupcheck and
radgroupreply, such as:

radgroupcheck: [groupname,attribute,op,value]
engineers,NAS-IP-Address,==,11.22.33.44
  (all engineers connecting must do so from the NAS with IP address 11.22.33.44)
engineers,Pool-Name,==,engineers_pool
  (all engineers connecting will be assigned an IP from the 'engineers' IP pool,
  which means you can firewall them off using IPTables (or the Shorewall
  frontend to iptables, which I recommend using) or something similar)

Basically this provides you with both tools you will need - the ability to
restrict where users can log into, and the ability to restrict what IP
address users receive. You'll need to set up rlm_ippool to automatically
assign IPs, and you'll want to make sure your NAS devices send accounting
packets (accounting start/stop are important - also if accounting stops
aren't sent, you'll run out of IP addresses).

Hope this is a little more helpful than the usually flippant replies on the
mailing list, I was in the same boat before too :-)

thanks,

Jan


On 16/01/07, Peter Nixon [EMAIL PROTECTED] wrote:


Yep. It's called a firewall...

-Peter

On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:
  I am using PAM for auth-type in my users file. Is there a simple way to
 say that user 'x' can only login to IP addr 'y' and /or 'z'? I have
 groups of engrs, admins, and operators and need to discriminate who can
 access which device

 Scott

 -Original Message-
 From: Ellis, Scott 1 (N-Comptel Inc.)
 Sent: Tuesday, January 02, 2007 11:40 AM
 To: 'FreeRadius users mailing list'
 Cc: Ellis, Scott 1 (N-Comptel Inc.)
 Subject: RE: How to restrict users /PAM to specific NAS devices??

 I have looked it over, but I am still not clear. I was thinking that I
 could use huntgroups to map devices to specific groups, but then I am
 not clear on how to restrict users ('users' file) to those groups. I
 know this has probably been done most everywhere in one form or another.
 Any examples that show the actual entries in the approp. files?

 Thanks,
 Scott

 -Original Message-
 From:
 [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 .org] On Behalf Of Alan DeKok
 Sent: Tuesday, January 02, 2007 9:43 AM
 To: FreeRadius users mailing list
 Subject: Re: How to restrict users /PAM to specific NAS devices??

 Ellis, Scott 1 (N-Comptel Inc.) wrote:
  I am using PAM for Auth-Type.
  I want to be able to either 1) restrict the devices the user has
  access to (admins,operators, etc) by username and/or 2) preferably
  carve into groups my network gear/NAS devices and then assign users to
  groups.

   See man rlm_passwd.  Its documentation describes how to create
 groups like this.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc





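A way to see what the radcheck / usergroup / radgroupcheck / radgroupreply entries above actually decide at authorize time, as an added example rather than anything from Jan's post or from FreeRADIUS itself: the Python below loads a constructed copy of those tables into sqlite3 and evaluates Access-Requests against them, so a policy such as "engineers only through the NAS at 11.22.33.44, addresses from engineers_pool" can be tested before radiusd is pointed at the database. Table and column names follow the FreeRADIUS 1.x mysql.sql schema as I recall it (usergroup rather than radgroup), and evaluate() is a simplified stand-in for rlm_sql's logic, both of which are my assumptions, not the post's.

```python
import sqlite3

# Table layout modelled on the FreeRADIUS 1.x SQL schema (radcheck, usergroup,
# radgroupcheck, radgroupreply). The names are an assumption from that schema,
# not from the post; adjust them if your mysql.sql differs.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
"""
COLUMNS = {
    "radcheck": "UserName, Attribute, op, Value",
    "usergroup": "UserName, GroupName, priority",
    "radgroupcheck": "GroupName, Attribute, op, Value",
    "radgroupreply": "GroupName, Attribute, op, Value",
}

# Constructed sample policy: engineers may only come in through the NAS at
# 11.22.33.44 and draw addresses from engineers_pool; operators use another NAS.
SAMPLE_ROWS = {
    "radcheck": [
        ("bobengineer", "Cleartext-Password", ":=", "nortel"),
        ("aliceoperator", "Cleartext-Password", ":=", "s3cret"),
    ],
    "usergroup": [
        ("bobengineer", "engineers", 1),
        ("aliceoperator", "operators", 1),
    ],
    "radgroupcheck": [
        ("engineers", "NAS-IP-Address", "==", "11.22.33.44"),
        ("engineers", "Pool-Name", ":=", "engineers_pool"),
        ("operators", "NAS-IP-Address", "==", "11.22.33.55"),
        ("operators", "Pool-Name", ":=", "operators_pool"),
    ],
    "radgroupreply": [
        ("engineers", "Session-Timeout", ":=", "3600"),
        ("operators", "Session-Timeout", ":=", "600"),
    ],
}


def build_db():
    """Create an in-memory database holding the sample policy."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ", ".join("?" * len(rows[0]))
        conn.executemany(
            "INSERT INTO %s (%s) VALUES (%s)" % (table, COLUMNS[table], marks), rows)
    return conn


def evaluate(conn, request):
    """Simulate the authorize-time policy check for one Access-Request.

    request is a dict of RADIUS attributes (User-Name, User-Password,
    NAS-IP-Address, ...). Returns ("Access-Accept", {"config": ..., "reply": ...})
    or ("Access-Reject", {"reason": ...}). Simplification: every group the user
    belongs to contributes check items and all of them must pass.
    """
    user = request.get("User-Name")
    checks = conn.execute(
        "SELECT Attribute, op, Value FROM radcheck WHERE UserName = ?", (user,)).fetchall()
    if not checks:
        return "Access-Reject", {"reason": "unknown user"}
    groups = [g for (g,) in conn.execute(
        "SELECT GroupName FROM usergroup WHERE UserName = ? ORDER BY priority", (user,))]
    for g in groups:
        checks += conn.execute(
            "SELECT Attribute, op, Value FROM radgroupcheck WHERE GroupName = ?", (g,)).fetchall()

    config = {}
    for attr, op, value in checks:
        if attr == "Cleartext-Password":
            # the known-good password, compared with what the request carried
            if request.get("User-Password") != value:
                return "Access-Reject", {"reason": "bad password"}
        elif op == "==":
            # comparison item: the request must carry exactly this value,
            # which is what ties a group to one NAS-IP-Address
            if request.get(attr) != value:
                return "Access-Reject", {
                    "reason": "%s check failed: got %r, need %r" % (attr, request.get(attr), value)}
        elif op == ":=":
            # assignment item: becomes a config item such as Pool-Name for rlm_ippool
            config[attr] = value

    reply = {}
    for g in groups:
        for attr, _op, value in conn.execute(
                "SELECT Attribute, op, Value FROM radgroupreply WHERE GroupName = ?", (g,)):
            reply[attr] = value
    return "Access-Accept", {"config": config, "reply": reply}


if __name__ == "__main__":
    db = build_db()
    for req in (
        {"User-Name": "bobengineer", "User-Password": "nortel", "NAS-IP-Address": "11.22.33.44"},
        {"User-Name": "bobengineer", "User-Password": "nortel", "NAS-IP-Address": "10.0.0.1"},
        {"User-Name": "aliceoperator", "User-Password": "wrong", "NAS-IP-Address": "11.22.33.55"},
    ):
        print(req["User-Name"], "from", req["NAS-IP-Address"], "->", evaluate(db, req))
```

Run it directly to see the accept/reject decision for three constructed requests. The stored credential is written as `Cleartext-Password :=`, the form FreeRADIUS 1.1.x recommends over `User-Password ==`, so that the check item and the request attribute are never confused with each other. A real rlm_sql evaluates groups in priority order and stops at the first whose check items all pass; this simulation applies every group, which is enough to test a single-group-per-user policy like the one in the post.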

Re: RE : Problem with Freeradius+LDAP+wifi

2007-01-16 Thread Rafał Kamiński
Sic :(

I set eap with tls, because when I connect from the PC I saw TLS in the debug.
Then I set tls in eap, but when I started freeradius (freeradius -XXX -A)
I saw:

Error: rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open
shared object file: No such file or directory
Error: radiusd.conf[661]: eap: Module instantiation failed.
Error: radiusd.conf[1767] Unknown module eap.
Error: radiusd.conf[1713] Failed to parse authenticate section.

Where is the problem?

BR

-- 
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]


RE: Dialup Admin NAS List

2007-01-16 Thread Cory Robson
Whilst this is a good example it still doesn't suit my purpose. It requires
someone to constantly update the list for it to be effective. This is not to
be confused with the clients.

I have multiple roaming numbers, therefore if a customer is travelling
around and dials in at different locations I will receive a diff NASIP from
that local POP. As this information is provided in the account start/stop
and update packets then why enter them manually. Just drill through the
existing radacct table filtering on no stop time to see a list of active
NAS's and display them as I wanted.

No further updating the separate table.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Kostas Kalevras
Sent: Tuesday, 16 January 2007 6:53 PM
To: FreeRadius users mailing list
Subject: Re: Dialup Admin NAS List

Cory Robson wrote:

 I'm hoping someone may be able to assist in modifying the user_finger.php
 script to retrieve the list of NAS's for the online users from radacct
 table.

Why not just use the nas table. In the cvs version of dialupadmin
there's a file called lib/sql/nas_list.php3
It will read the nas table and get the nas list. You could try changing
that one if it suits your needs.

 Basically instead of reading the text file and cycling through them to add
 the breakdown of NAS's I want to use something like

 select DISTINCT NASIPAddress
 from radacct

 add them to an array and use the php gethostbyaddr() function to retrieve
 the true hostname to sort them by

 I don't need any of the snmp or NAS type or number of lines left as my
 upstream does not allow me to connect to verify the information anyway.

 This should just be a quick change for someone more talented than I to
 remove the existing loop and replace it with the relevant sql loop instead.

 Anyone ?


Re: RE : Problem with Freeradius+LDAP+wifi

2007-01-16 Thread Alan DeKok
Rafał Kamiński wrote:

 Tue Jan 16 09:45:50 2007 : Debug:  rlm_eap: EAP-NAK asked for EAP-Type/peap
 Tue Jan 16 09:45:50 2007 : Debug:  rlm_eap: No such EAP type peap
...
 Where is the problem ?

  The client is requesting to do PEAP, and you didn't configure peap in
eap.conf.  See the Wiki and the various howtos.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Stale session problem

2007-01-16 Thread Alan DeKok
Jan Mulders wrote:
 I would be very interested in this. We had some downtime on a 30
 concurrent user test server because IPs had gotten lost in accounting,
 eg the NAS hadn't sent an accounting-stop so the IP was never added back
 to the pool. Preventing this from happening automatically would be very
 useful (having the script produce a usable output to a logfile or sql
 would be even handier, so we can see just where the IPs are leaking).

  The server could really use a little better handling of stale
sessions.  For example, if Session-Timeout is set to an hour, then
you're pretty sure that after an hour or so, the user isn't online any
more.  (This doesn't work for some NASes, of course...)

  The server tries to do this right now by looking at NAS reboots and
logins from the same NAS port.  But some NASes don't send reboot
messages, and some don't send NAS port, or always send the same
information for NAS port.

  It's difficult to do this correctly in a way that's robust.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Compile freeradius + debian + rlm_eap_tls

2007-01-16 Thread Rafał Kamiński
Hello,

I have freeradius on debian etch but without rlm_eap_tls.

How can I compile the new freeradius-1.1.4 with rlm_eap_tls?

Sorry for the easy question, but I'm new to this.

BR,

Rafal Kaminski



Re: RE : RE : Problem with Freeradius+LDAP+wifi

2007-01-16 Thread Rafał Kamiński
 Could you post this file ?

I have only:

eap {
        default_eap_type = tls

        tls {
                # option names as the 1.x rlm_eap_tls module reads them
                CA_file = /etc/freeradius/cert/ca.pem
                certificate_file = /etc/freeradius/cert/radius.crt
                private_key_file = /etc/freeradius/cert/radius.key
        }
}

BR,

Rafal Kaminski



Re: Dialup Admin NAS List

2007-01-16 Thread Kostas Kalevras

Cory Robson wrote:

 Whilst this is a good example it still doesn't suit my purpose. It requires
 someone to constantly update the list for it to be effective. This is not to
 be confused with the clients.

 I have multiple roaming numbers, therefore if a customer is travelling
 around and dials in at different locations I will receive a diff NASIP from
 that local POP. As this information is provided in the account start/stop
 and update packets then why enter them manually. Just drill through the
 existing radacct table filtering on no stop time to see a list of active
 NAS's and display them as I wanted.

 No further updating the separate table.

So edit lib/sql/nas_list.php3 to read the radacct table instead and set
the nas type/port num variables to some default value.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Kostas Kalevras
 Sent: Tuesday, 16 January 2007 6:53 PM
 To: FreeRadius users mailing list
 Subject: Re: Dialup Admin NAS List

 Cory Robson wrote:

  I'm hoping someone may be able to assist in modifying the user_finger.php
  script to retrieve the list of NAS's for the online users from radacct
  table.

 Why not just use the nas table. In the cvs version of dialupadmin
 there's a file called lib/sql/nas_list.php3
 It will read the nas table and get the nas list. You could try changing
 that one if it suits your needs.

  Basically instead of reading the text file and cycling through them to add
  the breakdown of NAS's I want to use something like

  select DISTINCT NASIPAddress
  from radacct

  add them to an array and use the php gethostbyaddr() function to retrieve
  the true hostname to sort them by

  I don't need any of the snmp or NAS type or number of lines left as my
  upstream does not allow me to connect to verify the information anyway.

  This should just be a quick change for someone more talented than I to
  remove the existing loop and replace it with the relevant sql loop instead.

  Anyone ?
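Added example, not dialupadmin's nas_list.php3 and not Kostas's or Cory's code: the "read radacct instead of the nas table" idea in Python with sqlite3, run over constructed radacct rows. It returns one entry per NAS that has sessions without an AcctStopTime, resolves the name through a pluggable resolver (a constructed lookup table here; socket.gethostbyaddr in a real script), sorts by hostname as Cory wants, fills the NAS type and port count with defaults as Kostas suggests, and separates sessions that opened more than a day ago from the rest, because, as Alan notes in the stale-session thread above, an Accounting-Stop that never arrived leaves an open row that says nothing about whether the user, or the NAS, is still there. Column names (UserName, NASIPAddress, AcctStartTime, AcctStopTime) are assumed from the FreeRADIUS 1.x SQL schema.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed radacct rows. Column names follow the FreeRADIUS 1.x SQL schema
# (UserName, NASIPAddress, AcctStartTime, AcctStopTime); that naming is an
# assumption, not something the thread states. Times are ISO strings so that
# sqlite3 can compare them lexically.
SAMPLE_RADACCT = [
    ("alice", "192.0.2.10", "2007-01-16 08:00:00", "2007-01-16 08:30:00"),  # closed
    ("bob",   "192.0.2.10", "2007-01-16 09:10:00", None),                   # online
    ("carol", "192.0.2.20", "2007-01-16 09:40:00", None),                   # online
    ("dave",  "192.0.2.30", "2007-01-14 22:00:00", None),                   # stop never arrived
]

# Offline stand-in for PHP's gethostbyaddr(): a constructed reverse-lookup table.
FAKE_RDNS = {
    "192.0.2.10": "pop-sydney.example",
    "192.0.2.20": "pop-melbourne.example",
    "192.0.2.30": "pop-perth.example",
}

# nas_list.php3 also reports a NAS type and a port count, which radacct cannot
# supply; fill them with defaults as Kostas suggests.
NAS_DEFAULTS = {"nastype": "other", "ports": 0}


def build_db():
    """Create an in-memory radacct table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, UserName TEXT, "
                 "NASIPAddress TEXT, AcctStartTime TEXT, AcctStopTime TEXT)")
    conn.executemany(
        "INSERT INTO radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime) "
        "VALUES (?, ?, ?, ?)", SAMPLE_RADACCT)
    return conn


def active_nas_list(conn, now, max_session_hours=24, resolver=FAKE_RDNS.get):
    """List every NAS that has sessions without an AcctStopTime, sorted by hostname.

    now is a 'YYYY-MM-DD HH:MM:SS' string. A session counts as 'online' if it
    started within max_session_hours and as 'stale' otherwise: an open session
    that old usually means the NAS never sent Accounting-Stop, so it must not be
    read as proof that the user is still connected.
    """
    cutoff = (datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
              - timedelta(hours=max_session_hours)).strftime("%Y-%m-%d %H:%M:%S")
    rows = conn.execute(
        """SELECT NASIPAddress,
                  SUM(CASE WHEN AcctStartTime >= ? THEN 1 ELSE 0 END),
                  SUM(CASE WHEN AcctStartTime <  ? THEN 1 ELSE 0 END)
           FROM radacct
           WHERE AcctStopTime IS NULL
           GROUP BY NASIPAddress""", (cutoff, cutoff)).fetchall()
    nases = []
    for ip, online, stale in rows:
        entry = dict(NAS_DEFAULTS)
        entry.update({"name": resolver(ip) or ip,   # fall back to the address itself
                      "ip": ip, "online": online, "stale": stale})
        nases.append(entry)
    return sorted(nases, key=lambda n: n["name"])


if __name__ == "__main__":
    for nas in active_nas_list(build_db(), "2007-01-16 10:00:00"):
        print("%(name)s (%(ip)s): %(online)d online, %(stale)d stale" % nas)
```

For a live database, pass `resolver=lambda ip: socket.gethostbyaddr(ip)[0]` wrapped in a try/except for socket.herror, and tune max_session_hours to the Session-Timeout your NASes actually enforce. Keeping the stale count separate rather than silently dropping those rows is deliberate: a NAS that shows only stale sessions is exactly the one whose accounting (and IP pool) needs attention.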


Patch to 3Com-User-Access-Level

2007-01-16 Thread Alexandre Soares

Hi All,

I found in other messages the file changes applied in
/usr/local/src/freeradius-1.1.4/src/lib/valuepair.c (shown below), but the
3Com-User-Access-Level attribute is still being sent wrong.

Thanks to all, but if anyone has any suggestion please send it to me.

        case PW_TYPE_INTEGER:
                /*
                 *  Note that ALL integers are unsigned!
                 */
                vp->lvalue = (uint32_t) strtoul(value, &p, 10);
                if (!*p) {
                        /* whole string was numeric: use it as-is */
                        vp->length = 4;
                        break;
                }

                /*
                 *  Look for the named value for the given
                 *  attribute.
                 */
                if ((dval = dict_valbyname(vp->attribute, value)) == NULL) {
                        librad_log("Unknown value %s for attribute %s",
                                   value, vp->name);
                        return NULL;
                }

                vp->lvalue = dval->value;
                vp->length = 4;
                break;

        case PW_TYPE_DATE

RE : RE : RE : Problem with Freeradius+LDAP+wifi

2007-01-16 Thread Thibault Le Meur

  Could you post this file ?

 I have only:

 eap {
         default_eap_type = tls

         tls {
                 # option names as the 1.x rlm_eap_tls module reads them
                 CA_file = /etc/freeradius/cert/ca.pem
                 certificate_file = /etc/freeradius/cert/radius.crt
                 private_key_file = /etc/freeradius/cert/radius.key
         }
 }

You're lacking the peap sub part:
 peap {
#  The tunneled EAP session needs a default
#  EAP type which is separate from the one for
#  the non-tunneled EAP module.  Inside of the
#  PEAP tunnel, we recommend using MS-CHAPv2,
#  as that is the default type supported by
#  Windows clients.
default_eap_type = mschapv2

#  the PEAP module also has these configuration
#  items, which are the same as for TTLS.
copy_request_to_tunnel = yes
use_tunneled_reply = yes

#  When the tunneled session is proxied, the
#  home server may not understand EAP-MSCHAP-V2.
#  Set this entry to no to proxy the tunneled
#  EAP-MSCHAP-V2 as normal MSCHAPv2.
#   proxy_tunneled_request_as_eap = yes
}



Why have you deleted this entry? When you don't want to use a feature, just
comment out the section; it'll make it easier to update the configuration in
the future.

 
 BR,
 
 Rafal Kaminski

HTH,
Thibault




Re: RE : Problem with Freeradius+LDAP+wifi

2007-01-16 Thread Rafał Kamiński
OK, I compiled freeradius with tls eap, but now I have this problem when
I want to start freeradius:

Tue Jan 16 13:49:16 2007 : Debug: Module: Loaded eap
Tue Jan 16 13:49:16 2007 : Debug:  eap: default_eap_type = tls
Tue Jan 16 13:49:16 2007 : Debug:  eap: timer_expire = 60
Tue Jan 16 13:49:16 2007 : Debug:  eap: ignore_unknown_eap_types = no
Tue Jan 16 13:49:16 2007 : Debug:  eap: cisco_accounting_username_bug = no
Tue Jan 16 13:49:16 2007 : Debug:  tls: rsa_key_exchange = no
Tue Jan 16 13:49:16 2007 : Debug:  tls: dh_key_exchange = yes
Tue Jan 16 13:49:16 2007 : Debug:  tls: rsa_key_length = 512
Tue Jan 16 13:49:16 2007 : Debug:  tls: dh_key_length = 512
Tue Jan 16 13:49:16 2007 : Debug:  tls: verify_depth = 0
Tue Jan 16 13:49:16 2007 : Debug:  tls: CA_path = (null)
Tue Jan 16 13:49:16 2007 : Debug:  tls: pem_file_type = yes
Tue Jan 16 13:49:16 2007 : Debug:  tls: private_key_file =
/etc/freeradius/cert/radius.key
Tue Jan 16 13:49:16 2007 : Debug:  tls: certificate_file =
/etc/freeradius/cert/radius.crt
Tue Jan 16 13:49:16 2007 : Debug:  tls: CA_file =
/etc/freeradius/cert/ca.pem
Tue Jan 16 13:49:16 2007 : Debug:  tls: private_key_password = (null)
Tue Jan 16 13:49:16 2007 : Debug:  tls: dh_file = (null)
Tue Jan 16 13:49:16 2007 : Debug:  tls: random_file = (null)
Tue Jan 16 13:49:16 2007 : Debug:  tls: fragment_size = 1024
Tue Jan 16 13:49:16 2007 : Debug:  tls: include_length = yes
Tue Jan 16 13:49:16 2007 : Debug:  tls: check_crl = no
Tue Jan 16 13:49:16 2007 : Debug:  tls: check_cert_cn = (null)
Tue Jan 16 13:49:16 2007 : Debug:  tls: cipher_list = (null)
Tue Jan 16 13:49:16 2007 : Debug:  tls: check_cert_issuer = (null)
Tue Jan 16 13:49:16 2007 : Info: rlm_eap_tls: Loading the certificate
file as a chain
Tue Jan 16 13:49:16 2007 : Error: rlm_eap: SSL error
error::lib(0):func(0):reason(0)
Tue Jan 16 13:49:16 2007 : Error: rlm_eap_tls: Error loading randomness
Tue Jan 16 13:49:16 2007 : Error: rlm_eap: Failed to initialize type tls
Tue Jan 16 13:49:16 2007 : Error: radiusd.conf[10]: eap: Module
instantiation failed.
Tue Jan 16 13:49:16 2007 : Error: radiusd.conf[1767] Unknown module eap.
Tue Jan 16 13:49:16 2007 : Error: radiusd.conf[1720] Failed to parse
authenticate section.


What is that error? :(


-- 
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]


EAP-TLS Fast Reconnect?

2007-01-16 Thread michael able
Hi all,

I'm trying to test the Fast-Reauthentication method of EAP-TLS.
I tried it with wpa_supplicant - hostapd, but then found out that the
authentication server of hostapd doesn't support Fast-Reauthentication.
So right now I'm running wpa_supplicant - hostapd - freeradius 1.1.3.
EAP-TLS is working, but not Fast-Reauthentication. I found no entry in
the config files to switch it on or off. Does FreeRADIUS 1.1.3 support
Fast-Reauthentication of EAP-TLS?

greetings,
michael.



Re: RE : Problem with Freeradius+LDAP+wifi

2007-01-16 Thread Rafał Kamiński
Sorry for all my posts :(

I set up peap/eap/tls and started freeradius, but when a user on a laptop with
wifi wants to authenticate to radius over the linksys, the log shows:

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0,
length=167
User-Name = lpa
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 001217694588
Calling-Station-Id = 0014a41e7112
NAS-Identifier = 001217694588
NAS-Port = 61
Framed-MTU = 1400
State = 0xd7a7e508bf067ebf840f706609179973
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020800261900170301001b0a80b340ff12abb3c834cd77d204562a8b8514d1823bfd2b9ecbf2
Message-Authenticator = 0x242aac203af35c0d27c38f590d032df8
Tue Jan 16 14:35:56 2007 : Debug:   Processing the authorize section of
radiusd.conf
Tue Jan 16 14:35:56 2007 : Debug: modcall: entering group authorize for
request 19
Tue Jan 16 14:35:56 2007 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 19
Tue Jan 16 14:35:56 2007 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 19
Tue Jan 16 14:35:56 2007 : Debug:   modcall[authorize]: module
preprocess returns ok for request 19
Tue Jan 16 14:35:56 2007 : Debug:   modsingle[authorize]: calling ldap
(rlm_ldap) for request 19
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: - authorize
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: performing user
authorization for lpa
Tue Jan 16 14:35:56 2007 : Debug: radius_xlat:  '(uid=lpa)'
Tue Jan 16 14:35:56 2007 : Debug: radius_xlat:  'ou=Users,dc=domain'
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: performing search in
ou=Users,dc=blstream, with filter (uid=lpa)
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: looking for check items in
directory...
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: looking for reply items in
directory...
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: user lpa authorized to use
remote access
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Jan 16 14:35:56 2007 : Debug:   modsingle[authorize]: returned from
ldap (rlm_ldap) for request 19
Tue Jan 16 14:35:56 2007 : Debug:   modcall[authorize]: module ldap
returns ok for request 19
Tue Jan 16 14:35:56 2007 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 19
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap: EAP packet type response id
8 length 38
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap: No EAP Start, assuming it's
an on-going EAP conversation
Tue Jan 16 14:35:56 2007 : Debug:   modsingle[authorize]: returned from
eap (rlm_eap) for request 19
Tue Jan 16 14:35:56 2007 : Debug:   modcall[authorize]: module eap
returns updated for request 19
Tue Jan 16 14:35:56 2007 : Debug: modcall: leaving group authorize
(returns updated) for request 19
Tue Jan 16 14:35:56 2007 : Debug:   rad_check_password:  Found Auth-Type EAP
Tue Jan 16 14:35:56 2007 : Debug: auth: type EAP
Tue Jan 16 14:35:56 2007 : Debug:   Processing the authenticate section
of radiusd.conf
Tue Jan 16 14:35:56 2007 : Debug: modcall: entering group authenticate
for request 19
Tue Jan 16 14:35:56 2007 : Debug:   modsingle[authenticate]: calling eap
(rlm_eap) for request 19
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap: Request found, released
from the list
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap: EAP/peap
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap: processing type peap
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap_peap: Authenticate
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap_tls: processing TLS
Tue Jan 16 14:35:56 2007 : Debug:   eaptls_verify returned 7
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap_tls: Done initial handshake
Tue Jan 16 14:35:56 2007 : Debug:   eaptls_process returned 7
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap_peap: EAPTLS_OK
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap_peap: Session established.
Decoding tunneled attributes.
  PEAP tunnel data in : 02 08 00 0b 21 80 03 00 02 00 02
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap_peap: Received EAP-TLV response.
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap_peap: Tunneled data is valid.
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap_peap:  Had sent TLV failure.
 User was rejcted rejected earlier in this session.
Tue Jan 16 14:35:56 2007 : Debug:  rlm_eap: Handler failed in EAP/peap
Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap: Failed in EAP select
Tue Jan 16 14:35:56 2007 : Debug:   modsingle[authenticate]: returned
from eap (rlm_eap) for request 19
Tue Jan 16 14:35:56 2007 : Debug:   modcall[authenticate]: module eap
returns invalid for request 19
Tue Jan 16 14:35:56 2007 : Debug: modcall: leaving group authenticate
(returns invalid) for request 19
Tue Jan 16 14:35:56 2007 : Debug: auth: Failed to validate the user.
Tue Jan 16 14:35:56 2007 : Debug: Delaying request 19 for 1 seconds
Tue Jan 16 14:35:56 2007 : Debug: Finished request 19
Tue 

Feeding an LDAP replyItem to an MS-CHAPv2 ntlm_auth request

2007-01-16 Thread Haas Florian
Since this is my first post to this list, hello everyone.

I do apologize if this question has been asked before; unfortunately I've been
unable to find this information in the list archives.

I have a working setup with Windows XP clients, MSAD, FreeRADIUS 1.1.0 running
on SLES 10, and Enterasys switches. Authentication via PEAP and MS-CHAPv2.
Everything works perfectly fine when a Windows user logs on; ldap module looks
up the user, mschap authenticates, client is dropped into the right VLAN...
beautiful.

However, what I am also trying to achieve is to force the client into a specific
VLAN when no user is logged on (this corresponds to the Authenticate as
computer when computer information is available option in the Authentication
tab of the Windows connection properties dialog). The tricky part is that XP's
supplicant, which supplies the username as DOMAIN\\Username while a user is
logged on, supplies a username in the form of host/computername.my.domain
otherwise -- this corresponds to the servicePrincipalName attribute on the
machine's object in MSAD. This is of course a format that ntlm_auth can't deal
with.

So, my approach is this:

1. When authorizing, look up the LDAP DN using a filter that checks both
sAMAccountName and servicePrincipalName:

radiusd.conf:

modules {
    # [...]
    ldap {
        # [...]
        filter = "(|(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(servicePrincipalName=%{Stripped-User-Name:-%{User-Name}}))"
        # [...]
    }
}

2. While authorizing, retrieve the value of the sAMAccountName from LDAP. For
this purpose, I have the following entry in the LDAP Attribute map:

replyItem   MSAD-SAM-Account-Name   sAMAccountName  


3. When authenticating, feed mschap's ntlm_auth the MSAD-SAM-Account-Name if it
is available:

modules {
    # [...]
    mschap {
        # [...]
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{MSAD-SAM-Account-Name:-%{Stripped-User-Name:-%{User-Name:-None}}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        # [...]
    }
}

From the debug logs, it appears that the computer's LDAP object is looked
up successfully (using the servicePrincipalName host/testpc.demo.com), and that
the MSAD-SAM-Account-Name replyItem is set correctly (to TESTPC$). However,
ntlm_auth is invoked with the username None instead, so it appears that the LDAP
replyItems are not made available to the mschap authentication module.

rlm_ldap: performing search in dc=demo,dc=com, with filter (|(sAMAccountName=host/testpc.demo.com)(userPrincipalName=host/testpc.demo.com)(servicePrincipalName=host/testpc.demo.com))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding sAMAccountName as MSAD-SAM-Account-Name, value TESTPC$  op=11
rlm_ldap: user host/testpc.demo.com authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 5
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/testpc.demo.com with NT-Password
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
 mschap2: e8
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=None
--challenge=30585713439262e1
--nt-response=bbef10b2df1d9a084db75e86b02df137e7166eb6ce3e4d30'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=None
--challenge=30585713439262e1
--nt-response=bbef10b2df1d9a084db75e86b02df137e7166eb6ce3e4d30
Exec-Program output: Logon failure (0xc06d) 
Exec-Program-Wait: plaintext: Logon failure (0xc06d)

... and then subsequently, the whole request of course fails.

I'm almost certain that I am missing something very obvious. Would someone be
kind enough to enlighten me?

Thanks very much.
Florian

--
Mag.(FH) Florian G. Haas | Systems Engineer
Kapsch BusinessCom AG | Wienerbergstraße 53 | A-1120 Wien
www.kapschbusiness.com | www.kapsch.net
Commercial register HG Wien FN 178368g | Registered office Wien

The information contained in this e-mail message is privileged and
confidential and is for the exclusive use of the addressee. The person
who receives this message and who is not the addressee, one of his
employees or an agent entitled to 
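The username handling that the three steps above depend on, written out as an added Python example (not code from the original post, from FreeRADIUS or from Samba). The host/ prefix, the COMPUTERNAME$ form of the machine's sAMAccountName and the step 1 filter are taken from the post; the RFC 4515 escaping is added here because the raw User-Name ends up inside a search filter, and the sample names are constructed.

```python
"""Username handling behind the PEAP/MS-CHAPv2 machine-auth setup above."""

# RFC 4515 escaping for assertion values inside an LDAP search filter. The
# User-Name is substituted straight into the filter in step 1, so characters
# that would change the filter's structure must be encoded first.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def classify_user_name(user_name):
    """Classify the two User-Name forms the XP supplicant sends.

    Returns ("machine", fqdn) for host/<fqdn> (no user logged on; this is the
    machine's servicePrincipalName) or ("user", name) for DOMAIN\\name with
    the domain prefix removed, and for plain names.
    """
    if user_name.startswith("host/"):
        return "machine", user_name[len("host/"):]
    if "\\" in user_name:
        _domain, _, name = user_name.partition("\\")
        return "user", name
    return "user", user_name


def expected_sam_account_name(user_name):
    """The sAMAccountName that ntlm_auth should be handed for this User-Name.

    A machine account's sAMAccountName is the short host name, upper-cased,
    with a trailing '$' (TESTPC$ for host/testpc.demo.com in the post); a
    user's is the account name itself.
    """
    kind, value = classify_user_name(user_name)
    if kind == "machine":
        short_host = value.split(".", 1)[0]
        return short_host.upper() + "$"
    return value


def build_ldap_filter(user_name):
    """The step 1 filter with the User-Name escaped before substitution."""
    escaped = ldap_escape(user_name)
    return "(|(sAMAccountName=%s)(servicePrincipalName=%s))" % (escaped, escaped)


if __name__ == "__main__":
    # Constructed sample names, not taken from a real directory.
    for name in ("host/testpc.demo.com", "DEMO\\alice", "bob", "lab(test)*"):
        print(name)
        print("  kind/value :", classify_user_name(name))
        print("  ntlm_auth  :", expected_sam_account_name(name))
        print("  filter     :", build_ldap_filter(name))
```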

Re: Compile freeradius + debian + rlm_eap_tls

2007-01-16 Thread Nicolas Baradakis
Rafal Kaminski wrote:

 I have freeradius on debian etch but without rlm_eap_tls.
 How can I compile the new freeradius-1.1.4 with rlm_eap_tls?
 Sorry for the easy question, but I'm new to this.

You should build the Debian packages from sources.
See http://wiki.freeradius.org/Build#Building_Debian_packages

-- 
Nicolas Baradakis

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Strange behaviour of freeradius...?

2007-01-16 Thread Polyxronopoulos Adreas

Tas Dionisakos wrote:
Why don't you have the session-idle attribute set, so that when no 
bytes are transferred for a certain period of time the connection is 
terminated?


Tas.


Peter Nixon wrote:

On Tue 16 Jan 2007 02:22, apolyxrono wrote:
 

Hi list ,


I have set up a wlan using : freeradius-1.1.4
(peap-eap/mschapv2-authentication), AccessPoint-3Com7250 and windows xp
wireless users.  My AP  has the option for accounting and i have set it
on. I logged the accounting info in the radius database in the radacct
table to be more specific. When a wireless user connected to the wlan i
am executing the following sql query:

select  UserName , NASIPAddress , AcctStartTime , AcctStopTime ,
AcctSessionTime , AcctInputOctets , AcctOutputOctets from radacct ;


 and the output is :


+----------+--------------+---------------------+---------------------+-----------------+-----------------+------------------+
| UserName | NASIPAddress | AcctStartTime       | AcctStopTime        | AcctSessionTime | AcctInputOctets | AcctOutputOctets |
+----------+--------------+---------------------+---------------------+-----------------+-----------------+------------------+
| sony     | 10.0.0.10    | 2007-01-15 22:33:12 | -00-00 00:00:00     |              41 |             718 |              164 |
+----------+--------------+---------------------+---------------------+-----------------+-----------------+------------------+

If the user selects disconnect from the specific wlan in his wireless card
software and I make the same query to the database, I can see that the
AcctStopTime has a specific value and accounting for this user has stopped.
However, if the user does not use his/her wireless software to disconnect
from the wlan and turns off the wlan switch of his/her card, the accounting
continues (AcctSessionTime is counting) on freeradius, but the AcctInputOctets
and AcctOutputOctets stop counting. Why is that happening? How should I know
when the user is connected to the wlan and when the user has just turned off
his/her wlan switch?



If your NAS does not tell radius that the user has disconnected 
RADIUS will not know


  








Hi Tas, Peter , James and thanks for your reply ,

I noticed that when the wireless user turned off his wireless card, the 
AP stored his/her MAC address for 10 minutes in a table (station table) 
and then dropped the MAC address. However, freeradius continued to do 
accounting for this user for over 2 hours. I read about the Idle-Timeout 
attribute but I don't know how to set it. I authenticate my users 
from the local users file. Do you think my AP doesn't say anything to 
freeradius after the MAC address drop? There is nothing in the AP 
web configuration which could set it on and solve the problem. If the 
problem is the NAS, is there no solution?


Thanks a lot for your time






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Stale session problem

2007-01-16 Thread Peter Nixon
On Thu 21 Dec 2006 05:41, Alan DeKok wrote:
 Cory Robson wrote:
  Has anyone written a script or event process to monitor the update
  packets against the users apparently online and in the event that no
  update is received in a 20 min period (my updates are every 15 mins from
  the NAS) create a close session event?

   I don't think one has been written, but it shouldn't be too hard to
 write something that does the proper SQL SELECTs.

   If you do write one, *please* submit it back, and we'll include it in
 the next release

This is so trivial to do that I am surprised that it takes up a thread on the 
mailing list :-)

We run the following from cron:

# crontab -l
0 23 * * * /usr/local/bin/radcleanunknowns

# cat /usr/local/bin/radcleanunknowns
#!/bin/sh
/bin/su postgres -c 'cd ~ && echo "" && psql -d radius -f /etc/radsql/drop_unkowns.sql'

# cat /etc/radsql/drop_unkowns.sql
-- Sessions that never received an interim update and are older than 23 hours:
-- close them as zero-length sessions.
UPDATE radacct SET acctstoptime = acctstarttime, acctsessiontime = 0 WHERE 
acctstoptime IS NULL AND (now() - acctstarttime) > '23 hour'::interval AND 
acctsessiontime IS NULL;
-- Sessions whose last reported session time is more than an hour old:
-- close them at the last time the NAS reported.
UPDATE radacct SET acctstoptime = (acctstarttime + 
acctsessiontime::text::interval) WHERE acctstoptime IS NULL AND (now() - 
acctstarttime - acctsessiontime::text::interval) > '1 hour'::interval;


Just adjust it to suit your needs...

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS Fast Reconnect?

2007-01-16 Thread Alan DeKok
michael able wrote:
 Hi all,
 
 i'm trying to test the Fast-Reauthentication Method of EAP-TLS.
 i tried it with wpa_supplicant - hostapd, but then found out that the
 authentication server of hostapd doesn't support Fast-Reauthentication.
 so right now i'm running wpa_supplicant - hostapd - freeradius 1.1.3.
 eap-tls is working, but not Fast-Reauthentication. I found no entry in
 the config-files to switch it on or off. Does Freeradius 1.1.3 support
 Fast-Reauthentication of EAP-TLS?

  It doesn't.

  As always, patches are welcome.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RE : Problem with Freeradius+LDAP+wifi

2007-01-16 Thread Alan DeKok
Rafał Kamiński wrote:
 Sorry for my all post :(

   PEAP tunnel data in : 02 08 00 0b 21 80 03 00 02 00 02
 Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap_peap: Received EAP-TLV response.
 Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap_peap: Tunneled data is valid.
 Tue Jan 16 14:35:56 2007 : Debug:   rlm_eap_peap:  Had sent TLV failure.
  User was rejcted rejected earlier in this session.

  Read the REST of the debug log to see what's going on.

 I have question: what is this: rlm_eap_peap:  Had sent TLV failure.
 User was rejcted rejected earlier in this session. ???
 
 I think it is the problem with reject :(

  Yes... did you read the earlier debug messages?

  You were very careful to remove almost all useful information from
your post.  This makes it nearly impossible to help you.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Strange behaviour of freeradius...?

2007-01-16 Thread James Wakefield

Polyxronopoulos Adreas wrote:


 Do you think my AP doesn't say nothing to
freeradius after the mac-address drop? There is nothing in the AP 
web-configuration which could set it on and solve the problem. If the 
problem is the nas there is not a solution ?


Thanks a lot for your time


I suspect the AP isn't sending Accounting-Stop in this situation, but 
you can confirm that by running freeradius in debug mode (-X) and 
watching the screen, or running a packet sniffer such as wireshark or 
tcpdump.


If the AP isn't sending Accounting-Stop, and there's no way you can get 
a better AP that does, I guess you could periodically run a script from 
cron to log into the AP's web interface and grab the list of MAC 
addresses and compare against what your accounting database thinks are 
open sessions...



--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 3Com-User-Access-Level Not Applied

2007-01-16 Thread Alexandre Soares

Hello Alan,

I applied the changes below in the source valuepair.c present in src/lib, but the
problem is still present. Do you have another idea?


       case PW_TYPE_INTEGER:
           /*
            *  Note that ALL integers are unsigned!
            */
           vp->lvalue = (uint32_t) strtoul(value, &p, 10);
           if (!*p) {
               vp->length = 4;
               break;
           }

           /*
            *  Look for the named value for the given
            *  attribute.
            */
           if ((dval = dict_valbyname(vp->attribute, value)) == NULL) {
               librad_log("Unknown value %s for attribute %s",
                          value, vp->name);
               return NULL;
           }

           vp->lvalue = dval->value;
           vp->length = 4;
           break;



On 1/16/07, Alan DeKok [EMAIL PROTECTED] wrote:


Alexandre Soares wrote:

 Hello Alan,

 I checked the official web site; the latest version is 1.1.4

OK... 1.1.4 or 1.1.3 has some fixes that correct problems with 3com
attributes in previous versions.

Alan DeKok.
--
http://deployingradius.com   - The web site of the book
http://deployingradius.com/blog/ - The blog

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Bypassing freeradius accounting?

2007-01-16 Thread Tas Dionisakos

I have successfully setup a freeradius, mysql, chillispot.

I'm just wondering if there is a way to allow free sites for my users, 
without radius accounting?


I'm guessing that some iptables rules will do the job, as in allowing a subnet 
range to bypass accounting.


Has anyone successfully done this before, maybe some IP tables rules?

Tas.

--
*
Tas Dionisakos
IT Manager
St Mary’s College and Newman College
The University of Melbourne
T: 03 9342 1708
M: 0439 655 565
E: [EMAIL PROTECTED]
C: (0o ()() o0)
*

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Building from CVS

2007-01-16 Thread King, Michael
I wanted to try the Pre2.0 release in the CVS to see if the TLS locking
code fixed the problem I had with the SSL errors in PEAP.
 
I downloaded the snapshot from ftp.freeradius.org
freeradius-server-snapshot-20070116.tar.bz2

I'm building on Debian, so I wanted to package it (especially since it's
not really released code yet).


I unzipped it, and ran 
fakeroot dpkg-buildpackage -b -uc

It failed with:

checking how to run the C++ preprocessor... /lib/cpp
configure: error: C++ preprocessor /lib/cpp fails sanity check
See `config.log' for more details.
make: *** [stamp-build] Error 1
netdev:/tmp/freeradius-server-snapshot-20070116#

Config.log is as follows



netdev:/tmp/freeradius-server-snapshot-20070116# more config.log
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by configure, which was
generated by GNU Autoconf 2.59.  Invocation command line was

  $ ./configure --build i386-linux --config-cache --prefix=/usr
--exec-prefix=/usr --mandir=/usr/share/man --sysconfdir=/etc
--libdir=/usr/lib/freeradius --d
atadir=/usr/share --localstatedir=/var --with-raddbdir=/etc/freeradius
--with-logdir=/var/log/freeradius --with-system-libtool
--disable-ltdl-install --with-
large-files --with-udpfromto --with-edir --enable-strict-dependencies
--enable-developer --without-rlm_otp --without-rlm_sql_postgresql
--without-snmp

## - ##
## Platform. ##
## - ##

hostname = netdev
uname -m = i686
uname -r = 2.6.8-3-686
uname -s = Linux
uname -v = #1 Tue Dec 5 21:26:38 UTC 2006

/usr/bin/uname -p = unknown
/bin/uname -X = unknown

/bin/arch  = i686
/usr/bin/arch -k   = unknown
/usr/convex/getsysinfo = unknown
hostinfo   = unknown
/bin/machine   = unknown
/usr/bin/oslevel   = unknown
/bin/universe  = unknown

PATH: /sbin
PATH: /bin
PATH: /usr/sbin
PATH: /usr/bin
PATH: /usr/bin/X11
PATH: /usr/local/sbin
PATH: /usr/local/bin


## --- ##
## Core tests. ##
## --- ##

configure:1423: loading cache config.cache
configure:1566: checking for gcc
configure:1582: found /usr/bin/gcc
configure:1592: result: gcc
configure:1836: checking for C compiler version
configure:1839: gcc --version /dev/null 5
gcc (GCC) 3.3.5 (Debian 1:3.3.5-13)
Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is
NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.

configure:1842: $? = 0
configure:1844: gcc -v /dev/null 5
Reading specs from /usr/lib/gcc-lib/i486-linux/3.3.5/specs
Configured with: ../src/configure -v
--enable-languages=c,c++,java,f77,pascal,objc,ada,treelang --prefix=/usr
--mandir=/usr/share/man --infodir=/usr/share/in
fo --with-gxx-include-dir=/usr/include/c++/3.3 --enable-shared
--enable-__cxa_atexit --with-system-zlib --enable-nls
--without-included-gettext --enable-cloc
ale=gnu --enable-debug --enable-java-gc=boehm --enable-java-awt=xlib
--enable-objc-gc i486-linux
Thread model: posix
gcc version 3.3.5 (Debian 1:3.3.5-13)
configure:1847: $? = 0
configure:1849: gcc -V /dev/null 5
gcc: `-V' option must have argument
configure:1852: $? = 1
configure:1875: checking for C compiler default output file name
configure:1878: gcc -Wall -g -O2   conftest.c  5
configure:1881: $? = 0
configure:1927: result: a.out
configure:1932: checking whether the C compiler works
configure:1938: ./a.out
configure:1941: $? = 0
configure:1958: result: yes
configure:1965: checking whether we are cross compiling
configure:1967: result: no
configure:1970: checking for suffix of executables
configure:1972: gcc -o conftest -Wall -g -O2   conftest.c  5
configure:1975: $? = 0
configure:2000: result:
configure:2006: checking for suffix of object files
configure:2027: gcc -c -Wall -g -O2  conftest.c 5
configure:2030: $? = 0
configure:2052: result: o
configure:2056: checking whether we are using the GNU C compiler
configure:2080: gcc -c -Wall -g -O2  conftest.c 5
configure:2086: $? = 0
configure:2089: test -z  || test ! -s
conftest.err
configure:2092: $? = 0
configure:2095: test -s conftest.o
configure:2098: $? = 0
configure:2111: result: yes
configure:2117: checking whether gcc accepts -g
configure:2138: gcc -c -g  conftest.c 5
configure:2144: $? = 0
configure:2147: test -z  || test ! -s
conftest.err
configure:2150: $? = 0
configure:2153: test -s conftest.o
configure:2156: $? = 0
configure:2167: result: yes
configure:2184: checking for gcc option to accept ANSI C
configure:2254: gcc  -c -Wall -g -O2  conftest.c 5
configure:2260: $? = 0
configure:2263: test -z  || test ! -s
conftest.err
configure:2266: $? = 0
configure:2269: test -s conftest.o
configure:2272: $? = 0
configure:2290: result: none needed
configure:2308: gcc -c -Wall -g -O2  conftest.c 5
conftest.c:2: error: syntax error before me
configure:2314: $? = 1
configure: failed program

rlm_eap: SSL error

2007-01-16 Thread James Lever

Hi List,

FreeRADIUS 1.1.4 on FreeBSD (5-STABLE), Apple Airport Extreme NAS,  
MacBook Pro client, WPA2 Enterprise with 2k keys.


I'm having the much mentioned but very hard to get real information  
about error below:


Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read  
client certificate A
Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error error: 
:lib(0):func(0):reason(0)
Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error error: 
:lib(0):func(0):reason(0)
Wed Jan 17 08:00:11 2007 : Auth: Login OK: [wireless- 
client.jamver.id.au] (from client apple-basestation port 255 cli xx- 
xx-xx-xx-xx-xx)


Now, the best explanation I can find on the list is that it's safe to  
ignore the 3 lines of errors; that appears to be accurate, in that they  
have no effect on the running service, but they should not be there if  
they are really not errors.


Can anybody explain what is actually causing these errors (and why)  
and what would be required to silence them?


cheers,
James





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

building 1.4 (CentOS 4.4) MYSQL 99% home

2007-01-16 Thread Andrew Long
Thanks to help from many folks here, tonight I got one property up and
running on our new server. THANK YOU!

Now, another question. When I start radius with  radiusd or
/usr/local/sbin/radiusd, I get a brief message reading configuration
file...; then, doing ps aux | grep radiusd returns nothing but my
grep. If I start radius with radiusd -X all runs smoothly. Clearly, I
need to be able to start it in normal mode and be able to verify its
process; what am I doing wrong here? Version 1.4.

- ANdrew

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]

2007-01-16 Thread Ranner, Frank MR
Probably a file or directory has the wrong permissions. When you run in 
debug with -X the server runs as root. When you run for real it changes 
to user radiusd or whatever you set up.

Try strace -e open,stat -f radiusd and look for EPERM lines.

Frank

 -Original Message-
 From: 
 [EMAIL PROTECTED]
eradius.org [mailto:freeradius-users-
[EMAIL PROTECTED] On 
 Behalf Of Andrew Long
 Sent: Wednesday, 17 January 2007 10:51
 To: FreeRadius users mailing list
 Subject: building 1.4 (CentOS 4.4) MYSQL 99% home
 
 Thanks to help from many folks here, tonight I got one 
 property up and running on our new server. THANK YOU!
 
 Now, another question. When I start radius with  radiusd or 
 /usr/local/sbin/radiusd, I get a brief message reading 
 configuration file...; then, doing ps aux | grep radiusd 
 returns nothing but my grep. If I start radius with radiusd 
 -X all runs smoothly. Clearly, I need to be able to start it 
 in normal mode and be able to verify its process; what am I 
 doing wrong here? Version 1.4.
 
 - ANdrew
 
 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]

2007-01-16 Thread Long
Probably a file or directory has the wrong permissions. When you run in 
debug with -X the server runs as root. When you run for real it changes 
to user radiusd or whatever you set up.

Try strace -e open,stat -f radiusd and look for EPERM lines.

Frank

--
Here is the output...
No EPERM, but it does have that one line, Starting - reading configuration..., 
which is as far as the server gets when starting normally.

[EMAIL PROTECTED] ~]# strace -e open,stat -f radiusd
open(/usr/local/lib/tls/i686/libnsl.so.1, O_RDONLY) = -1 ENOENT (No such file 
or directory)
open(/usr/local/lib/tls/libnsl.so.1, O_RDONLY) = -1 ENOENT (No such file or 
directory)
open(/usr/local/lib/i686/libnsl.so.1, O_RDONLY) = -1 ENOENT (No such file or 
directory)
open(/usr/local/lib/libnsl.so.1, O_RDONLY) = -1 ENOENT (No such file or 
directory)
open(/etc/ld.so.cache, O_RDONLY)  = 3
open(/lib/libnsl.so.1, O_RDONLY)  = 3
open(/usr/local/lib/libresolv.so.2, O_RDONLY) = -1 ENOENT (No such file or 
directory)
open(/lib/libresolv.so.2, O_RDONLY)   = 3
open(/usr/local/lib/libpthread.so.0, O_RDONLY) = -1 ENOENT (No such file or 
directory)
open(/lib/tls/libpthread.so.0, O_RDONLY) = 3
open(/usr/local/lib/libradius-1.1.4.so, O_RDONLY) = 3
open(/usr/local/lib/libcrypt.so.1, O_RDONLY) = -1 ENOENT (No such file or 
directory)
open(/lib/libcrypt.so.1, O_RDONLY)= 3
open(/usr/local/lib/libltdl.so.3, O_RDONLY) = -1 ENOENT (No such file or 
directory)
open(/usr/lib/libltdl.so.3, O_RDONLY) = 3
open(/usr/local/lib/libdl.so.2, O_RDONLY) = -1 ENOENT (No such file or 
directory)
open(/lib/libdl.so.2, O_RDONLY)   = 3
open(/usr/local/lib/libc.so.6, O_RDONLY) = -1 ENOENT (No such file or 
directory)
open(/lib/tls/libc.so.6, O_RDONLY)= 3
open(/etc/localtime, O_RDONLY)= 3
Tue Jan 16 21:39:28 2007 : Info: Starting - reading configuration files ...
open(/usr/local/etc/raddb/radiusd.conf, O_RDONLY) = 3
open(/usr/local/etc/raddb/proxy.conf, O_RDONLY) = 4
open(/usr/local/etc/raddb/clients.conf, O_RDONLY) = 4
open(/usr/local/etc/raddb/snmp.conf, O_RDONLY) = 4
open(/usr/local/etc/raddb/sqlcounter.conf, O_RDONLY) = 4
open(/usr/local/etc/raddb/eap.conf, O_RDONLY) = 4
open(/usr/local/etc/raddb/sql.conf, O_RDONLY) = 4
open(/usr/local/etc/raddb/dictionary, O_RDONLY) = 3
open(/dev/urandom, O_RDONLY)  = 4
open(/usr/local/share/freeradius/dictionary, O_RDONLY) = 4
open(/usr/local/share/freeradius/dictionary.compat, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.rfc2865, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.rfc2866, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.rfc2867, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.rfc2868, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.rfc2869, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.rfc3162, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.rfc3576, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.rfc3580, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.3com, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.3gpp, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.3gpp2, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.acc, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.airespace, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.alcatel, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.alteon, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.alvarion, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.aruba, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.ascend, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.bay, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.bintec, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.cablelabs, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.cabletron, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.cisco, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.cisco.vpn5000, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.cisco.bbsm, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.colubris, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.cosine, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.digium, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.epygi, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.erx, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.ericsson, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.extreme, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.freeradius, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.fortinet, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.foundry, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.gandalf, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.gemtek, O_RDONLY) = 5
open(/usr/local/share/freeradius/dictionary.issanni, O_RDONLY) = 5

freeradius and Quintum call-relay

2007-01-16 Thread Goke Aruna
hi all,

Can someone guide me on how to integrate Quintum call relay with freeradius

goksie
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]

2007-01-16 Thread Long

BTW - I have it configured in radiusd.conf to run under nobody:nobody.

Andrew 
   
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP-TLS/seg fault with 4096 bit keys

2007-01-16 Thread James Lever

Hi again list,

Another issue I have had in setting up a WPA2 Enterprise environment  
is that I can get it to work as expected with 2k keys, however, if I  
go to 4k keys, freeradius 1.1.4 loads properly but seg faults when  
handling a 4k key request.


The environment is Apple Airport Extreme base station, and MacBook  
Pro client with FreeRADIUS 1.1.4 under FreeBSD 5-STABLE.


As soon as I migrate back to 2k keys it again works as expected.

Can anybody make any suggestions on how to debug this?

cheers,
James



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]

2007-01-16 Thread James Wakefield

Long wrote:

BTW - I have it configured in radiusd.conf to run under nobody:nobody.

Andrew 
   


Hey Andrew,

I'm sure you've checked it, but was there anything interesting in 
radius.log?  /var/log/messages?


--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Bypassing freeradius accounting?

2007-01-16 Thread Alan DeKok
Tas Dionisakos wrote:
 I have successfully setup a freeradius, mysql, chillispot.
 
 Im just wondering if there is a way to allow free sites for my users,
 without radius accounting?

  That's up to Chillispot.  See its configuration for details.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_eap: SSL error

2007-01-16 Thread Alan DeKok
James Lever wrote:
...
 I'm having the much mentioned but very hard to get real information
 about error below:
 
 Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read
 client certificate A

  That just means there's no client certificate.

 Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error
 error::lib(0):func(0):reason(0)
 Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error
 error::lib(0):func(0):reason(0)

  OpenSSL puts a lot of effort into telling the application that there
was an error, and then saying nope, no error when asked for more details.

 Now, the best explanation I can find on list is that it's safe to ignore
 the 3 lines of errors, which, although appears to be very accurate in
 that they have no effect on the running service, should not be there if
 they are really not errors.

 Can anybody explain what is actually causing these errors (and why) and
 what would be required to silence them?

  Fix OpenSSL.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html