VPN authentication from Windows Vista
Hi,

My users said the VPN login failed with their Windows Vista. I enabled freeradius debug. I came across an authentication method, md5chap, in the debug output that my freeradius is currently not configured to support. If the user unselects "Require Data Encryption" in the VPN settings, it then works fine.

Can anyone confirm the following questions for me?

1. Is it that Vista uses md5chap for VPN authentication with "Data Encryption"?
2. Can freeradius be configured to support md5chap?

I don't get a lot of information about md5chap in google. I appreciate any pointers on this subject and how freeradius can be made to support it, as radiusd.conf seems not to mention this subject.

Thanks.
Lai

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Advanced SQL Auth/Generate clients.conf from SQL?
Gaddis, Jeremy L. wrote:
> The immediate question that comes to mind is "Does FreeRADIUS reread its
> configuration when it receives a -HUP?".

The immediate answer is have you tried reading the documentation?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
rlm_perl problem (Detaching!!)
Hi..

FR: 1.1.2
FBSD: 6.0

My rlm_perl keeps logging errors like the example below. Every time this happens radiusd hangs and DOES NOT respond to any request. But this NEVER happens while running in debug mode, where it works fine. rlm_perl is used to load a timeout based on certain rules. You can see below my perl script (newtimeout5.pl) and also the config file settings. Please help. TQ.

Error /var/log/radius.log
##
Thu Feb 8 12:30:09 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout4.pl , func = authorize exit status= Undefined subroutine &main:: called.
Thu Feb 8 12:32:00 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb 8 12:39:46 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout4.pl , func = authorize exit status= panic: leave_scope inconsistency at /usr/local/etc/raddb/newtimeout4.pl line 184.
Thu Feb 8 12:39:47 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb 8 14:08:52 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb 8 14:22:40 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb 8 14:57:25 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Fri Feb 9 09:53:52 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout5.pl , func = authorize exit status= Usage: Encode::is_utf8(sv, check = 0) at /usr/local/lib/perl5/site_perl/5.8.7/Convert/ASN1.pm line 422, line 424.
Fri Feb 9 10:21:59 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout5.pl , func = authorize exit status= Undefined subroutine &Convert::ASN1::authorize called at /usr/local/lib/perl5/site_perl/5.8.7/Net/LDAP.pm line 759
Fri Feb 9 10:57:59 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout5.pl , func = preacct exit status= Undefined subroutine &Convert::ASN1::preacct called at /usr/local/lib/perl5/site_perl/5.8.7/Net/LDAP.pm line 759
##

## users
DEFAULT NAS-Identifier == "Wireless-802.11", Autz-Type := Y5, Auth-Type :Y5

## radiusd.conf
authorize {
    Autz-Type Y5 {
        redundant {
            ldapy51
            ldapy52
        }
        y5perl
    }
}

modules {
    perl y5perl {
        module = /usr/local/etc/raddb/newtimeout5.pl
    }
}

authenticate {
    Auth-Type Y5 {
        redundant {
            ldapy51
            ldapy52
        }
    }
}
##

### newtimeout5.pl
use Net::LDAP;    # needed by ldapquery() below

# Entry point called by rlm_perl: decide whether the user is accepted and
# whether a Session-Timeout is added to the reply.
sub authorize {
    ## main
    my $return_value = 0;
    $return_value = &timeout;
    print "VALUE return: $return_value\n";
    if ($return_value eq '-1') {
        return RLM_MODULE_REJECT;
    } else {
        return RLM_MODULE_OK;
    }
}

# Returns 1 (accept), or -1 when a roaming user has no timeout configured.
sub timeout {
    my $query;
    my $query2;
    my $uid         = $RAD_REQUEST{'User-Name'};
    my $userfrom;
    my $userconnect = $RAD_REQUEST{'NAS-Identifier'};
    my $timeout;

    if ($userconnect =~ /Wireless-802.11|WiFi/) {
        $query  = "Service";
        $query2 = "TimeoutWIFI";
    }

    if ($query) {
        $userfrom = ldapquery($uid, $query);
        if ($userfrom =~ /Y5PLAT|Y5GOLD/) {
            $userfrom = "WiFi-BTP";
        } elsif ($userfrom =~ /^Y5$/) {
            $userfrom = "Wireless-802.11";
        }

        if ($userconnect eq $userfrom) {
            print "rlm_perl: Local user.. No timeout.. Unlimited!!!\n";
            return (1);
        } elsif ($userconnect ne $userfrom) {
            print "rlm_perl: Roaming user.. Timeout will be loaded !!\n";
            $timeout = ldapquery($uid, $query2);
            print "rlm_perl: $query2:$timeout\n";
            if (!$timeout) {
                return (-1);
            } else {
                $RAD_REPLY{'Session-Timeout'} = $timeout;
                print "rlm_perl: NOT YET\n";
                return (1);
            }
        }
    } else {
        print "rlm_perl: Not a wifi connection !!!\n";
        return (1);
    }
}

# Look up one attribute ($query) of the user's LDAP entry.
sub ldapquery {
    my ($uid, $query) = @_;
    my $host   = "xx";
    my $value;
    my $baseDN = "ou=Y5,ou=AAA, ou=x, dc=x, dc=";
    my $ldap   = Net::LDAP->new($host) or die "$@";
    my $mesg   = $ldap->bind;    # an anonymous bind
    $mesg = $ldap->search(       # perform a search
        base   => $baseDN,
        filter => "(&(uid=$uid))"
    );
    my $count = $mesg->count;
    if ($mesg->code) {
        return ("NULL");
    }
Re: ntlm_auth authentication against multiple ADS domains
On Thu, 8 Feb 2007, Dow, Corey wrote:
> up, and I have it working with a single ADS domain. The problem I've
> encountered is performing authentication against multiple ADS domains using
> ntlm_auth.
>
> ADS Parent domain netidm.net
> ADS Child domain xyz.abc.com

Are you actually trying to authenticate to domains in separate forests (e.g. netidm.net and abc.com) or are you trying to authenticate to both a parent and child domain in the same forest (e.g. abc.com and child.abc.com)?

> If I join to abc.com using net ads join, I can use ntlm_auth with no
> problems, but how do I perform authentications against xyz.abc.com ?

If these domains are in separate forests, you'll need an explicit trust between the two forests. If the domains are in the same forest, there's an implicit trust between them already.

Have you tried the reverse (joining child.abc.com and authenticating users in abc.com)? Not saying that would work, just curious. Any hints in the kerberos logfiles?

> Corey Dow
> Network Solution's Test Center
> ProCurve Networking by HP

Nice products. =) Any chance you could mail me (off-list) directions for disabling the password on a 9308m from the console (password is lost and I keep forgetting how). I've bothered ProCurve support enough. =)

Thanks,
-j
--
Jeremy L. Gaddis, MCP, GCWN
[EMAIL PROTECTED]
LinuxWiz Consulting
http://linuxwiz.net
Re: VLAN assigment and Alcatel Omniswitch 7800
On Thu, 8 Feb 2007, Oxiel Contreras wrote:
> The Access-Accept part of radiusd -X is now sending the switch the correct
> information:
>
> modcall[authenticate]: module "eap" returns ok for request 8
> modcall: leaving group authenticate (returns ok) for request 8
> Sending Access-Accept of id 1 to 192.168.10.20 port 1068
>         Tunnel-Type:0 += VLAN
>         Tunnel-Medium-Type:0 += IEEE-802
>         Tunnel-Private-Group-Id:0 += "3"
>         MS-MPPE-Recv-Key = 0x2c003c698c883936e741aeed8974f40eb012d38af20400bdd0815dac46dc2e0b
>         MS-MPPE-Send-Key = 0x92807250a6760157aa6a39f9a05239c3d28bce8c5b7dc3563bd2ddc7cae2893e
>         EAP-Message = 0x030a0004
>         Message-Authenticator = 0x
>         User-Name = "MYDOMAIN\\jose"
> Finished request 8
>
> But still the VLAN is not assigned, what else can it be ?

Have you checked the documentation for the Omniswitch to verify that it supports this? If I send back the same attributes on my wireless access points, it works perfectly (we do this in production). The AP's, however, support that.

-j
--
Jeremy L. Gaddis, MCP, GCWN
[EMAIL PROTECTED]
LinuxWiz Consulting
http://linuxwiz.net
Re: Advanced SQL Auth/Generate clients.conf from SQL?
On Wed, 7 Feb 2007, Alan DeKok wrote:
>> Maybe simply reloading the nas configuration from SQL at configurable
>> time intervals would do that?
>
> Send a patch. :)
>
> The difficulty with doing automatic reloads is timing, and updating
> the configuration while the server is running.

The immediate question that comes to mind is "Does FreeRADIUS reread its configuration when it receives a -HUP?".

Thanks,
-j
--
Jeremy L. Gaddis, MCP, GCWN
[EMAIL PROTECTED]
LinuxWiz Consulting
http://linuxwiz.net
Re: freeradius on eth1
On Wed, 7 Feb 2007, Cihan DEMİR wrote:
> I am using the latest FreeRadius version on Redhat. I want to run FreeRadius
> on eth1 because it's gateway is different and it is directly connected to GSM
> operator. How can i configure it?

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ

Your answer is in there.

[snipped huge freakin' disclaimer]

-j
--
Jeremy L. Gaddis, MCP, GCWN
[EMAIL PROTECTED]
LinuxWiz Consulting
http://linuxwiz.net
ntlm_auth authentication against multiple ADS domains
Hi All,

This is more of an ntlm_auth how-to than a FreeRADIUS question, but I thought I would post here since others may have run across this.

We're trying to use ntlm_auth and FreeRADIUS to authenticate users against an ADS back-end. I've found several excellent articles on how to set this up, and I have it working with a single ADS domain. The problem I've encountered is performing authentication against multiple ADS domains using ntlm_auth.

ADS Parent domain netidm.net
ADS Child domain xyz.abc.com

If I join to abc.com using net ads join, I can use ntlm_auth with no problems, but how do I perform authentications against xyz.abc.com ?

I've tried:

ntlm_auth --request-nt-key --domain=XYZ --username=jdoe

But I get an NT_STATUS_IO_TIMEOUT. I'm assuming this is because I'm joined to the Parent domain and not the child domain, but can't this work by only joining the one domain?

# Samba Config
[global]
    workgroup = ABC
    server string = Samba Server
    security = ads
    load printers = yes
    log file = /usr/local/samba/var/log.%m
    max log size = 50
    realm = ABC.COM
    wins server = 180.44.200.53
    dns proxy = no

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /usr/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

# Kerberos Config
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = ABC.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    ABC.COM = {
        kdc = 180.44.200.53:88
        kdc = 180.44.200.54:88
    }
    XYZ.ABC.COM = {
        kdc = 180.44.200.69:88
    }

[domain_realm]
    .abc.com = ABC.COM
    abc.com = ABC.COM
    .xyz.abc.com = XYZ.ABC.COM
    xyz.abc.com = XYZ.ABC.COM

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

Any help greatly appreciated.

Corey

Corey Dow
Network Solution's Test Center
ProCurve Networking by HP
latest cvs - gdbm fatal: lseek error
Hi!!

I compiled the latest cvs version of freeradius and installed it as always. When I tried to run it with radiusd -X to check if everything was ok, I got the following error, which probably concerns the counter module (is it an error or did I miss something?):

Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded counter
 counter: filename = "/home/radius/freeradius/raddb/db.daily"
 counter: key = "User-Name"
 counter: reset = "daily"
 counter: count-attribute = "Acct-Session-Time"
 counter: counter-name = "Daily-Session-Time"
 counter: check-name = "Max-Daily-Session"
 counter: reply-name = "Session-Timeout"
 counter: allowed-servicetype = "Framed-User"
 counter: cache-size = 5000
rlm_counter: Counter attribute Daily-Session-Time is number 1830
rlm_counter: Current Time: 1170980756 [2007-02-09 01:25:56], Next reset 1171062000 [2007-02-10 00:00:00]
gdbm fatal: lseek error

My radiusd.conf:

instantiate {
    exec
    expr
    daily
    expiration
    logintime
}

counter daily {
    filename = ${raddbdir}/db.daily
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = daily
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    reply-name = Session-Timeout
    allowed-servicetype = Framed-User
    cache-size = 5000
}

bests
-tomasz
Re: SQL help from someone who groks c, please?
On Thu, 8 Feb 2007, ChristosH wrote:
>
> Phil Mayers wrote:
>>
>> A stored procedure is one solution to a particular set of problems.
>> Whether it's appropriate depends on what you're trying to do.
>>
>> What do you want to achieve? You can certainly vary the reply info based
>> on NAS without a stored procedure.
>>
>
> Well, what I want to do is return a different vendor specific response based
> on the NAS IP. The user data doesn't change depending on the NAS IP, but
> depending on where the user tries to authenticate from they'll have a
> different source NAS IP in the authenticate request packet and my response
> has to return a different response depending on where they are. Right now I
> have only 2 different responses that they could be, so I don't think it
> should be too difficult. Is there a quick workaround?

Okay, so create a table with your NASes, include the IP address, include a "type" flag. Create another table with the responses for each type, join to the query on the "type" flag. Use those responses.

-Dan

--
"A mother can be an inspiration to her little son, change his thoughts, his mind, his life, just with her gentle hum." -No Doubt, "Different People", from "Tragic Kingdom"

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
Re: SQL help from someone who groks c, please?
Phil Mayers wrote:
>
> A stored procedure is one solution to a particular set of problems.
> Whether it's appropriate depends on what you're trying to do.
>
> What do you want to achieve? You can certainly vary the reply info based
> on NAS without a stored procedure.
>

Well, what I want to do is return a different vendor specific response based on the NAS IP. The user data doesn't change depending on the NAS IP, but depending on where the user tries to authenticate from they'll have a different source NAS IP in the authenticate request packet and my response has to return a different response depending on where they are. Right now I have only 2 different responses that they could be, so I don't think it should be too difficult. Is there a quick workaround?
Re: SQL help from someone who groks c, please?
> So if I was looking to select a different response based on NAS what I
> should be doing is creating a stored procedure that ends up authenticating
> for me? I don't quite see where this would fit in with the rlm_sql logic.
> Would that go in the sql.conf file? For using a new schema, would that mean
> instead adding an extra column in the radcheck table and the response table
> to associate with the NAS IP?

A stored procedure is one solution to a particular set of problems. Whether it's appropriate depends on what you're trying to do.

What do you want to achieve? You can certainly vary the reply info based on NAS without a stored procedure.
Re: VLAN assigment and Alcatel Omniswitch 7800
Hello Alan.

Thank you, as you advised I've changed the users file, now it's:

"MYDOMAIN\\jose"
        Tunnel-Type += VLAN,
        Tunnel-Medium-Type += IEEE-802,
        Tunnel-Private-Group-Id += 3

The Access-Accept part of radiusd -X is now sending the switch the correct information:

modcall[authenticate]: module "eap" returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 1 to 192.168.10.20 port 1068
        Tunnel-Type:0 += VLAN
        Tunnel-Medium-Type:0 += IEEE-802
        Tunnel-Private-Group-Id:0 += "3"
        MS-MPPE-Recv-Key = 0x2c003c698c883936e741aeed8974f40eb012d38af20400bdd0815dac46dc2e0b
        MS-MPPE-Send-Key = 0x92807250a6760157aa6a39f9a05239c3d28bce8c5b7dc3563bd2ddc7cae2893e
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x
        User-Name = "MYDOMAIN\\jose"
Finished request 8

But still the VLAN is not assigned, what else can it be ?

Best regards.
Oxiel

> Don't set Auth-Type. Ever.
>
> > Tunnel-Type += VLAN,
> > Tunnel-Medium-Type += IEEE-802,
> > Tunnel-Private-Group-Id += 3
> >
> > But the port is never assigned to VLAN 3 for the user "jose".
>
> Because that information isn't being sent back to the NAS.
>
> > Is it possible to assign VLAN's with Alcatel ?
>
> I presume so. See the Alcatel documentation.
>
> > It seems to me, that the VLAN parameters are never returned to the
> > switch in the Access-Accept part of the result from radiusd -X.
>
> Yes. The username in the request is "MYDOMAIN\\jose", not "jose".
Re: SQL help from someone who groks c, please?
On Thu, 8 Feb 2007, ChristosH wrote:

No, wrong. You can include any %{check-item} in your query. I didn't have to modify the code at all, but my queries are PERVERSE. Yours will probably be simpler.

If you want to give me your proposed database setup and schema, and what you need to auth against, I might be able to offer you a quick answer. If it's a longer and more involved thing, contact me off-list and I might be able to work something for you.

This is my auth query (which is actually two) (beware, it's for our site database which polls a LOT of info from different tables you won't need -- however I find this to be a far more real-world example than dedicated radius tables) -- You can see that in this case I manually insert the Password Attribute, and Operator by using string literals.

authorize_check_query="\
SELECT `adm_permissions`.`admPermitID` AS `id`, `adm_permissions`.`admp_username` AS `UserName`, 'Password' as Attribute, \
`adm_permissions`.`admp_password` AS `Value`, '==' as Op FROM `adm_permissions` , `switches` Inner Join `interface_ip` ON \
`switches`.`id` = `interface_ip`.`deviceid` WHERE admp_username = '%{SQL-User-Name}' AND \
`interface_ip`.`interface_is_primary` = '1' AND \
interface_address = '%{NAS-IP-Address}'

This above gets permissions for any staff user, and checks our one-to-many interface table to find out what device they're actually logging into.

UNION SELECT IPCustomerID as id, `ip_customer`.`ipc_rmtusername`, 'Password' as \
Attribute,\
`ip_customer`.`ipc_rmtpassword` as Value, '==' as Op FROM `ip_customer` Inner Join `interface_ip` ON \
`ip_customer`.`ipc_rmtip` = `interface_ip`.`interface_address` Inner Join `switches` ON `switches`.`id` = \
`interface_ip`.`deviceid` WHERE interface_address = '%{NAS-IP-Address}' AND ipc_rmtusername = '%{SQL-User-Name}' \
GROUP BY `ip_customer`.`ipc_rmtusername`,\
`interface_ip`.`interface_address`"

This does the same for any customer user.

Then my reply-items:

authorize_reply_query = "SELECT `ip_customer`.`ipCustomerID` AS `id`, `ip_customer`.`ipc_rmtusername` AS UserName,\
`rad_reply`.`Attribute`,`rad_reply`.`Value`, `rad_reply`.`Op` FROM `ip_customer` Left Join `interface_ip` ON \
`ip_customer`.`ipc_rmtip` =`interface_ip`.`interface_address` Inner Join `switches` ON `switches`.`id` = \
`interface_ip`.`deviceid` Inner Join`rad_reply` ON `switches`.`role` = `rad_reply`.`devicetype` WHERE \
`rad_reply`.`Usertype` = '2' AND ipc_rmtusername ='%{SQL-User-Name}' and interface_address = '%{NAS-IP-Address}' group by \
ipc_rmtusername, interface_address

This only lets a customer in if it has a devicetype of 2 (which is a remote reboot unit) AND if they are listed as having a device on that unit. We have a table that specifies if you are a customer user then your reply is "Outlet". If you're staff then it's Admin-User.

UNION SELECT`adm_permissions`.`admPermitID` AS `id`, `adm_permissions`.`admp_username` \
AS `UserName`, `rad_reply`.`Attribute`,`rad_reply`.`Value`, `rad_reply`.`Op` FROM `adm_permissions` , `switches` Inner \
Join `interface_ip` ON `switches`.`id` =`interface_ip`.`deviceid` Inner Join `rad_reply` ON `switches`.`role` = \
`rad_reply`.`devicetype` WHERE`rad_reply`.`Usertype` = '1' AND admp_username = '%{SQL-User-Name}' and interface_address = \
'%{NAS-IP-Address}'

Do the same as above with staff.

UNION SELECT `remote`.`port`as id, `ip_customer`.`ipc_rmtusername` as UserName, _latin1 \
'APC-Outlets' as Attribute,group_concat(remote.port order by remote.port asc separator ',') as Value, _latin1 ':=' as \
Op FROM `remote` Inner Join`ip_customer` ON `remote`.`suite` = `ip_customer`.`ipc_suite` AND `remote`.`row` = \
`ip_customer`.`ipc_row` AND`remote`.`rack` = `ip_customer`.`ipc_rack` AND `remote`.`server` = `ip_customer`.`ipc_server` \
Inner Join `interface_ip` ON`remote`.`deviceid` = `interface_ip`.`deviceid` Inner Join `switches` ON remote.deviceid = \
switches.id WHERE`ip_customer`.`ipc_rmtreboot` = 'y' AND ip_customer.ipc_rmtusername = '%{SQL-User-Name}' AND ipc_rmtip = \
'%{NAS-IP-Address}' AND switches.role = '4' GROUP BY interface_address, `ip_customer`.`ipc_rmtusername`"

If they are a customer, return a comma-separated list of which outlets they are authorized for. (See the APC radius spec).

>
> Phil Mayers wrote:
>>
>> Dan Mahoney, System Admin wrote:
>>
>> My suggestion is that you use a custom schema and queries for your
>> database - probably a stored procedure. Pass the NAS-IP-Address into
>> these queries, and return different values based on the nas. Effectively
>> you move the code that walks over the request and chooses the right
>> values into the SQL server.
>>
>
> So if I was looking to select a different response based on NAS what I
> should be doing is creating a stored procedure that ends up authenticating
> for me? I don't quite see where this would fit in with the rlm_sql logic.
> Would that go in the sql.conf file? For using a new schema, would t
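A minimal version of the NAS-type join Dan describes (here and in his earlier "create a table with your NASes, include a type flag" reply), as an added example that is not code from the list thread. It uses Python's sqlite3 in place of MySQL so it runs stand-alone; the table names (`nas`, `radreply_by_type`), the two NAS types and the reply attribute values are constructed for illustration, and the `?` bind parameters stand in for the `%{SQL-User-Name}` and `%{NAS-IP-Address}` xlats you would write in sql.conf.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data (not from the list post). A NAS table keyed by IP
# with a "type" flag, and a reply table keyed by that type, so one user row
# yields different reply items depending on which device the request came from.
NAS_ROWS = [
    ("10.0.0.1", "reboot-unit"),   # a remote reboot unit
    ("10.0.0.2", "switch"),        # a managed switch
]
REPLY_ROWS = [
    ("reboot-unit", "Service-Type", ":=", "Outlet"),
    ("switch", "Service-Type", ":=", "Administrative-User"),
    ("switch", "Cisco-AVPair", "+=", "shell:priv-lvl=15"),
]
CHECK_ROWS = [
    ("jose", "Cleartext-Password", ":=", "example-only"),   # constructed
]

SCHEMA = """
CREATE TABLE nas (ipaddr TEXT PRIMARY KEY, nastype TEXT NOT NULL);
CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply_by_type (nastype TEXT, attribute TEXT, op TEXT, value TEXT);
"""

# Row shape rlm_sql expects back from authorize_reply_query:
# id, UserName, Attribute, Value, Op.  In sql.conf the three '?' would be
# '%{SQL-User-Name}', '%{NAS-IP-Address}' and '%{SQL-User-Name}' again.
REPLY_QUERY = """
SELECT r.rowid AS id, ? AS UserName, r.attribute, r.value, r.op
  FROM nas n
  JOIN radreply_by_type r ON r.nastype = n.nastype
 WHERE n.ipaddr = ?
   AND EXISTS (SELECT 1 FROM radcheck c WHERE c.username = ?)
 ORDER BY r.rowid
"""


def open_db() -> sqlite3.Connection:
    """Create an in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO nas VALUES (?, ?)", NAS_ROWS)
    conn.executemany("INSERT INTO radreply_by_type VALUES (?, ?, ?, ?)", REPLY_ROWS)
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?)", CHECK_ROWS)
    conn.commit()
    return conn


def reply_items(conn: sqlite3.Connection, username: str,
                nas_ip: str) -> List[Tuple[str, str, str]]:
    """Return the (Attribute, Op, Value) reply items for this user at this NAS.

    An unknown NAS or an unknown user yields an empty list: no reply items
    at all, rather than a reply meant for a different kind of device.
    """
    rows = conn.execute(REPLY_QUERY, (username, nas_ip, username)).fetchall()
    return [(attr, op, value) for _id, _user, attr, value, op in rows]


if __name__ == "__main__":
    db = open_db()
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.9"):
        print(ip, reply_items(db, "jose", ip))
```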
Re: Compiling for use with Oracle
Brian Atkins wrote:
> Just curious what the minimum modules required to use Freeradius to
> authenticate (not sure if that is the correct terminology) from and
> Oracle DB.

The oracle module is required. Not much else.

> Which generates an error:
>
> rlm_perl.c: In function `rlm_perl_get_handles':
> rlm_perl.c:226: warning: cast to pointer from integer of different size
> rlm_perl.c: At top level:
> rlm_perl.c:614: error: external linkage required for symbol
> 'XS_radiusd_radlog' because of 'dllexport' attribute.

If you're not going to use rlm_perl, just delete the directory.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: rlm_sql (sql): Unsupported Acct-Status-Type = 15
tzieleniewski wrote:
> Hi!
>
> I am trying to process Accounting request to radius but I get the following
> error from sql module:
> rlm_sql (sql): Unsupported Acct-Status-Type = 15
>
> I have added the $INCLUDE dictionary.ser line to the dictionary file and the
> dictionary.ser file contains the following records:
> VALUE Acct-Status-Type Interim-Update 3 # RFC2866, acc_radius
> VALUE Acct-Status-Type Failed 15 # RFC2866, acc_radius
>
> Why the rlm_sql doesn't see the Acct-Status-Type of the value 15?

Because the source code to rlm_sql needs to be updated to support it. There have been ongoing discussions with the OpenSER developers about this.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: SQL help from someone who groks c, please?
Phil Mayers wrote:
>
> Dan Mahoney, System Admin wrote:
>
> My suggestion is that you use a custom schema and queries for your
> database - probably a stored procedure. Pass the NAS-IP-Address into
> these queries, and return different values based on the nas. Effectively
> you move the code that walks over the request and chooses the right
> values into the SQL server.
>

So if I was looking to select a different response based on NAS what I should be doing is creating a stored procedure that ends up authenticating for me? I don't quite see where this would fit in with the rlm_sql logic. Would that go in the sql.conf file? For using a new schema, would that mean instead adding an extra column in the radcheck table and the response table to associate with the NAS IP?

Would it be easier to create a function that inserts a prefix to the user name then processes the SQL as normal? The only issue I see with this is doubling the amount of users and user responses in the database.

Either way, I think I'm going to have to modify the rlm_sql.c file and then having to recompile FreeRadius after I'm done editing it?
Re: Radius brokes down during "Accounting Request"
Alan DeKok wrote:
> tzieleniewski wrote:
>> I am trying to use radius as the accounting server for Sip proxy. After I
>> send the Accounting request to radius the radius server breaks down and
>> informs about memory segmentation fault. Please point me what could be the
>> reason for this. Here is the radius debug output:
>
> OK, CVS should now have a fix.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

works :) thanks!!
RE : Setting up a VPN server with pptp and RADIUS for all sorts of clients
> I didn't mean a mistake, but was wondering if my radiusclient had a
> wrong mapping, that requests NT-password instead of
> User-password (as an example)
> Here is the output from the radius server:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1050, id=109, length=152
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = "test"
>         MS-CHAP-Challenge = 0x68ac020b69febf7f1cf6338a1ed1c218
>         MS-CHAP2-Response = 0x0800e2f1b3176070ca65916fe24cce80d27147f1823b3c33996107424059c73866a135b07e51e08c2f4a
>         Calling-Station-Id = "yyy.yyy.yyy.yyy"
>         NAS-IP-Address = xxx.xxx.xxx.xxx
>         NAS-Port = 0
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> radius_xlat: '/var/log/radius/radacct//detail-07022007'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%d%m%Y expands to /var/log/radius/radacct//detail-07022007
> modcall[authorize]: module "detail" returns ok for request 0
> modcall[authorize]: module "attr_filter" returns noop for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> modcall[authorize]: module "mschap" returns ok for request 0
>     rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>     rlm_realm: Found realm "NULL"
>     rlm_realm: Adding Stripped-User-Name = "test"
>     rlm_realm: Proxying request from user dupontd to realm NULL
>     rlm_realm: Adding Realm = "NULL"
>     rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> modcall[authorize]: module "files" returns notfound for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for test
> radius_xlat: '(|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=test)(ulhcharte=TRUE)))'
> radius_xlat: 'dc=univ-lehavre,dc=fr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to zzz.zzz.zzz.zzz:389, authentication 0
> rlm_ldap: setting TLS CACert File to /etc/ssl/certs/cachain.txt
> rlm_ldap: setting TLS CACert Directory to /etc/ssl/certs/
> rlm_ldap: setting TLS Require Cert to demand
> rlm_ldap: starting TLS
> rlm_ldap: bind as / to ducati.univ-lehavre.fr:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=univ-lehavre,dc=fr, with filter (|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=test)(ulhcharte=TRUE)))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value 13 & op=11
> rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 & op=11
> rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 40 & op=11
> rlm_ldap: Adding eduPersonPrimaryAffiliation as Class, value member & op=11
> rlm_ldap: Adding ulhcharte as Filter-Id, value TRUE & op=11
> rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=11

You see nothing like "Adding userPassword" here. For instance you could have something like:

rlm_ldap: Added password
rlm_ldap: Adding myldapNTPassword

Could the freeradius admin check:
* the ldap {} section: see the "password_attribute =" line (till FR 1.1.4)
* the mapping in ldap.attrmap

> rad_check_password: Found Auth-Type MS-CHAP
> auth: type "MS-CHAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 0
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

How is/are your password(s) stored in the Ldap directory: in clear text, MD5-hashed, SHA-hashed, NTLM-hashed? What is/are the Ldap attribute(s) used to store your password(s)?

Thibault
Re: Usage of Cleartext-Password
On Sun, Feb 04, 2007 at 01:20:17PM +0100, Federico Giannici wrote:
> Unfortunately it works with PAP only!
> With CHAP it gives me "rlm_chap: Clear text password not available"...
>
> Any suggestion?

You may try to stick with User-Password for now, it's still recognized by rlm_pap. CVS version of rlm_chap already uses Cleartext-Password, so it's probably planned for v2.0. My guess is that setting both User- and Cleartext-Password may work too.

th.
Compiling for use with Oracle
Just curious what the minimum modules required are to use Freeradius to authenticate (not sure if that is the correct terminology) from an Oracle DB. Keep in mind that I am only planning on querying the DB and not updating or inserting information for accounting purposes. However, I wouldn't rule out using a text file (radutmp, I think) for accounting purposes, though.

I have been trying to compile it using the following:

# ORACLE_HOME=/cygdrive/d/oracle/ora92; export ORACLE_HOME
# cd freeradius-1.1.4
# ./configure

Which generates an error:

rlm_perl.c: In function `rlm_perl_get_handles':
rlm_perl.c:226: warning: cast to pointer from integer of different size
rlm_perl.c: At top level:
rlm_perl.c:614: error: external linkage required for symbol 'XS_radiusd_radlog' because of 'dllexport' attribute.

I have also used:

# ./configure --without-rlm_perl

Which appears to compile successfully, but I get a lot of errors about missing modules and/or libraries.

# ./radiusd.exe -X
...
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
radiusd.conf[10] Failed to link to module 'rlm_sql': No such file or directory
radiusd.conf[1850] Unknown module "sql".
radiusd.conf[1779] Failed to parse authorize section.

I know I have a library linking issue, but I read the FAQs (http://wiki.freeradius.org/index.php/FAQ#It_says_.22Could_not_link_..._file_not_found.22.2C_what_do_I_do.3F) and attempted to resolve them using the methods mentioned. I get no errors during the configure for sql modules (other than mysql, but I'm not trying to compile support for that anyway). Since I'm using the Oracle libs to create the Oracle modules, I don't *think* I should disable shared libraries. ... Or should I?

I've also tried setting:

LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/cygdrive/d/oracle/ora92/oci/lib:/cygdrive/d/oracle/ora92/lib

Without good results. I also do not have ld.conf nor ldconfig on the system (Cygwin), but I have read elsewhere that neither of them should be required.
I realize that this is not necessarily an issue with Freeradius. Although I am having trouble compiling from source, I can install the .NET version and run without issue. From my understanding, both are basically the same, just .NET has had changes made to deal with the different path structure in Cygwin. I saw a lot of old posts (<2003) that dealt with similar issues, but on much older versions (Oracle 8 and Freeradius .1 - .3). Help, insight, thoughts are all appreciated. Attached below are my somewhat hacked up conf files. Sorry for the long post.

Thanks,
Brian

RADIUSD.CONF

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
certsdir = ${sysconfdir}/raddb/certs/FreeRADIUS.net/DemoCerts
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = no
extended_expressions = no
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
modules {
	files {
	}
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}
	$INCLUDE ${confdir}/oraclesql.conf
	radutmp {
		filename = ${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes
		perm = 0600
		callerid = "no"
	}
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}
	attr_filter {
		attrsfile = ${confdir}/attrs
	}
	counter daily {
		filename = ${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
	a
rlm_sql (sql): Unsupported Acct-Status-Type = 15
Hi!

I am trying to process Accounting requests to radius but I get the following error from the sql module:

rlm_sql (sql): Unsupported Acct-Status-Type = 15

I have added the $INCLUDE dictionary.ser line to the dictionary file and the dictionary.ser file contains the following records:

VALUE Acct-Status-Type Interim-Update 3 # RFC2866, acc_radius
VALUE Acct-Status-Type Failed 15 # RFC2866, acc_radius

Why doesn't rlm_sql see the Acct-Status-Type value 15? Thanks in advance for any help.

Below is the Accounting request received by radius.

Thu Feb 8 17:02:04 2007
	SER-Attr = ""
	Acct-Session-Id = "[EMAIL PROTECTED]"
	Sip-To-Tag = "b27e1a1d33761e85846fc98f5f3a7e58.42d5"
	SER-From = "hellboy ;tag=612417995"
	SER-Flags = 12
	SER-Original-Request-ID = "sip:[EMAIL PROTECTED]"
	Sip-Method = "INVITE"
	Sip-Cseq = 19049
	Sip-Translated-Request-ID = "sip:[EMAIL PROTECTED]"
	Sip-Source-IP-Address = 192.168.0.117
	Sip-From-Tag = "612417995"
	SER-To = ";tag=b27e1a1d33761e85846fc98f5f3a7e58.42d5"
	SER-Digest-Username = "hellboy"
	SER-Request-Timestamp = 1170950524
	Calling-Station-Id = "sip:[EMAIL PROTECTED]:5061"
	Sip-Source-Port = 5061
	SER-Digest-Realm = "voip.touk.pl"
	Sip-Response-Code = 480
	Called-Station-Id = "sip:[EMAIL PROTECTED]"
	SER-Response-Timestamp = 1170950524
	Acct-Status-Type = Failed
	Service-Type = IAPP-Register
	NAS-Port = 5060
	Acct-Delay-Time = 0
	NAS-IP-Address = 127.0.0.1
	Acct-Unique-Session-Id = "1276a21c3858a944"
	Timestamp = 1170950524
Re: Problem with the attribute "Message-Authenticator"
yao guoxian wrote:
> I write a program to send Access-request packet to the Radius
> server.

This list isn't a general discussion for questions about implementing RADIUS clients. You have access to the FreeRADIUS source code, read it to see how RADIUS should be implemented.

> | eap_message = "pdsicygx" |

Uh, no.

> Is it right to calculate "Message_authenticator" as I did?

Apparently not. Go read the RFC's. They include test vectors.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Nortel telnet authentication using FreeRadius [unclas]
Frank,

That worked! Thank you! Prior to this the Nortel device would just instantly kick back an error.

By the way, do you have a list of all the reply-items for authenticating (telnetting/ssh) to a Nortel box? In other words, is there a specific reply-item that controls access (R - R/W access, etc), as well as any other variables?

Thank you again!

Paul Conn

>From: "Ranner, Frank MR" <[EMAIL PROTECTED]>
>Reply-To: FreeRadius users mailing list
>To: "FreeRadius users mailing list"
>Subject: RE: Nortel telnet authentication using FreeRadius [unclas]
>Date: Thu, 8 Feb 2007 11:52:35 +1100
>
>You need to send the service-type reply attribute.
>
>For admins:
>Service-Type = Administrative-User
>
>For numpties
>Service-Type = Nas-Prompt-User
>
>Regards,
>Frank Ranner
>
> > -Original Message-
> > From: [EMAIL PROTECTED] >eradius.org [mailto:freeradius-users-> >[EMAIL PROTECTED] On Behalf Of Paul Conn
> > Sent: Thursday, 8 February 2007 08:04
> > To: freeradius-users@lists.freeradius.org
> > Subject: Nortel telnet authentication using FreeRadius
> >
> > Anyone have experience configuring Nortel devices (450/60/70)
> > for radius, telnet/ssh authentication? I keep getting
> > "Sending Access-Accept of id 2 to x.x.x.x port 1024.
> >
> > Thanks.
> >
> > Paul Conn
Re: PAP2EAP bridging
On Thu, Feb 08, 2007 at 01:52:18AM +0100, Alan DeKok wrote:
> You can run eapol_test directly from FreeRADIUS, but that's not much
> better than what you're doing right now.

Huh, I was afraid you might say that :|

Alright, thank you Alan.

--
NAME: Dinko.kreator.Korunic
DISCLAIMER: Standard.disclaimer.applies
IRC: kre ICQ: 16965294 JAB: [EMAIL PROTECTED] PGP: 0xea160d0b
HOME: http://dkorunic.net BLOG: http://dkorunic.wordpress.com
Re: a problem about radius and ldap
In my configuration there is also pap; I forgot to write it in the mail. I resend the authentication block in radius.conf:

authenticate {
	Auth-Type PAP {
		pap
	}
	ldap
	eap
}

On 2/8/07, Ramazan Ulker <[EMAIL PROTECTED]> wrote:

Hi

I sent two ldap entries, ldapsearch result and debug. In this ldapsearch there is clear-text userPassword. Anyway I describe the problem shortly for your help, like in the howto:

authorize {
	preprocess
	files
	ldap
	eap
}

authenticate {
	ldap
	eap
}

ldapsearch result:

userpassword=ramazan
.
radiusclass=groupnet
objectclass=radiusprofile
objectclass=top
objectclass=posixAccount
objectclass=shadowAccount
...

radtest is successful for this configuration but the xp client isn't. ldapattr.map has a User-Password to userPassword mapping. Deleting the entry ldap in the authentication block in radius.conf is unsuccessful both for radtest and the xp client.

For the configuration above, debug log:

rad_recv: Access-Request packet from host 192.168.100.17:1812, id=7, length=129
	NAS-IP-Address = 192.168.100.17
	NAS-Port = 50001
	NAS-Port-Type = Ethernet
	User-Name = "ramazan"
	Called-Station-Id = "00-0F-8F-77-DB-81"
	Calling-Station-Id = "00-12-79-AE-D2-4D"
	Service-Type = Framed-User
	Framed-MTU = 1500
	EAP-Message = 0x0204000c0172616d617a616e
	Message-Authenticator = 0x61cab38d83f6ed1abbd2ac2c8ce5b0bf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=dot1x.com'
radius_xlat: '(uid=ramazan)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.100.18:389, authentication 0
rlm_ldap: bind as / to 192.168.100.18:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=dot1x.com))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=dot1x.com)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (&(cn=VPN)(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=dot1x.com))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=dot1x.com
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=ramazan,cn=users,cn=idc,dc=dot1x.com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group VPN
ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 174
modcall[authorize]: module "files" returns ok for request 0
rlm_eap: EAP packet type notification id 4 length 12
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ramazan
radius_xlat: '(uid=ramazan)'
radius_xlat: 'dc=dot1x.com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
rlm_ldap: checking if remote access for ramazan is allowed by radiusGroupName
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 2 & op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 & op=11
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
rlm_ldap: Adding radiusClass as Class, value employee & op=11
rlm_ldap: user ramazan authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
rlm_eap: EAP packet type notification id 4 length 12
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [ramazan/] (from client radius port 50001 cli 00-12-79-AE-D2-4D)
Sending Access-Challenge of id 7 to 192.168.100.17:1812
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	Tunnel-Private-Group-Id:0 = "2"
	Tunnel-Medium-Type:0 = 6
	Tunnel-Type:0 = VLAN
	Class = 0x656d706c6f796565
	EAP-Message = 0x0105001604105a4f17068db0feb3ebdee25f9cfe966f
	Message-Authenticator = 0x
	State = 0x395efcd2fb04e81f34be33bd9cd0cf0831cbc4456746df615bd2474fb42f67add24a0e16
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.100.17:1812, id=8, length=184
	NAS-IP-Address = 192.168.100.17
	NAS-Port = 50001
	NAS-Port-Type = Ethernet
	User-Name = "ramazan"
	C
Re: Setting up a VPN server with pptp and RADIUS for all sorts of clients
Phil Mayers wrote:
> robert wrote:
>
>> A log sent from the Radius Admin shows that the mschap module fails to
>> find User-Password (this is how I have understood it!) and refuses to
>> validate the user.
>>
>> here is the part I am talking about:
>> FROM Radius log:
>>
>> auth: type "MS-CHAP"
>>
>> Processing the authenticate section of radiusd.conf
>> modcall: entering group MS-CHAP for request 0
>> rlm_mschap: No User-Password configured. Cannot create LM-Password.
>> rlm_mschap: No User-Password configured. Cannot create NT-Password.
>> rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password
>>
>> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>>
>> But I am sure that the field User password contains the valid password I
>> am trying to use.
>>
>
> It definitely doesn't. The server doesn't make elementary mistakes like
> that.
>
> Could you please post the entire output of FR run under debug (-X
> switch) so we can see the details.
>

I didn't mean a mistake, but was wondering if my radiusclient had a wrong mapping, that requests NT-password instead of User-password (as an example).

Here is the output from the radius server:

Ready to process requests.
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1050, id=109, length=152
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = "test"
	MS-CHAP-Challenge = 0x68ac020b69febf7f1cf6338a1ed1c218
	MS-CHAP2-Response = 0x0800e2f1b3176070ca65916fe24cce80d27147f1823b3c33996107424059c73866a135b07e51e08c2f4a
	Calling-Station-Id = "yyy.yyy.yyy.yyy"
	NAS-IP-Address = xxx.xxx.xxx.xxx
	NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat: '/var/log/radius/radacct//detail-07022007'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%d%m%Y expands to /var/log/radius/radacct//detail-07022007
modcall[authorize]: module "detail" returns ok for request 0
modcall[authorize]: module "attr_filter" returns noop for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
modcall[authorize]: module "mschap" returns ok for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "test"
rlm_realm: Proxying request from user dupontd to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
modcall[authorize]: module "files" returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: '(|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=test)(ulhcharte=TRUE)))'
radius_xlat: 'dc=univ-lehavre,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to zzz.zzz.zzz.zzz:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/ssl/certs/cachain.txt
rlm_ldap: setting TLS CACert Directory to /etc/ssl/certs/
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: bind as / to ducati.univ-lehavre.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=univ-lehavre,dc=fr, with filter (|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=test)(ulhcharte=TRUE)))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value 13 & op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 & op=11
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 40 & op=11
rlm_ldap: Adding eduPersonPrimaryAffiliation as Class, value member & op=11
rlm_ldap: Adding ulhcharte as Filter-Id, value TRUE & op=11
rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=11
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_checkval: Item Name: Calling-Station-Id, Value: 194.254.109.252
rlm_checkval: Could not find attribute named Calli
Re: Setting up a VPN server with pptp and RADIUS for all sorts of clients
Alan DeKok wrote:
> robert wrote:
>
>> A log sent from the Radius Admin shows that the mschap module fails to
>> find User-Password (this is how I have understood it!) and refuses to
>> validate the user.
>>
>
> Yes. The server does not know what the correct password is for the
> user, so it can't authenticate the user.
>
> Ask the RADIUS Admin to configure a password for the user.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
>

Sorry for my confusion but as I understand it, my radius client is asking for the wrong attribute, since the "User-password" is used for every other application (mail accounts, wireless connections etc), and I am sure that it is already configured.

I must apologize for my lack of knowledge about freeradius, I didn't imagine that I would have any problems with this part of my project, I haven't spent much time reading about freeradius (yet :-) ).

Regards,
Robert
specific username, specific connection
Hi,

I have been using freeradius for ages, but my boss asked me if it is possible to create an account which can only browse a specific website. Yes, it is true: I need an account that can browse only one site (or set of websites). How can I configure this account?

Thanks.
VALGRIND: Major impact on authentication!
Hello Mr. Alan,

Thank you for your concern! Just another message I've seen under /var/log/messages:

kernel: radiusd[1672]: segfault at 0110 rip 002a97de2c1e rsp 007fbfffe340 error 4

Gonna implement radrelay now, then! (I was holding back because I've seen somewhere in this mail list that it breaks simultaneous-use).

Thanks a lot!
Problem with the attribute "Message-Authenticator"
I write a program to send Access-request packets to the Radius server. The packet format is as follows:

 ____________________________________________
| code = 1 | ID = 1 | Length = 73 (0x 00 49) |
|____________________________________________|
| 16 bytes authenticator                     |
|____________________________________________|
| user_name = "test"                         |
|____________________________________________|
| chap_password                              |
|____________________________________________|
| eap_message = "pdsicygx"                   |
|____________________________________________|
| Message_authenticator                      |
|____________________________________________|

The Message_authenticator is calculated as follows:

Message_authenticator = HMAC-MD5 (code, ID, Length, 16 bytes Authenticator, user_name, chap_password, eap_message), using the shared secret between NAS and radius server, in this case "testing123".

While sending "chap" packets without the "eap_message" and "Message_authenticator" gets "Access request", sending packets like the above gets the following response from the radius server:

rad_recv: Access-Request packet from host 202.117.7.223:1408, id=1, length=73
Received packet from 202.117.7.223 with invalid Message-Authenticator! (Shared secret is incorrect.)
Server rejecting request 1.
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 202.117.7.223:1408

Segments of the "Radiusd -X" output are as follows:

...
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
...

Can the "eap_message" attribute be set randomly, as in my packets, "pdsicygx"? Is it right to calculate "Message_authenticator" as I did?

Regards
Guoxian
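For comparison with the calculation described in the post, here is an added example (not the poster's program and not FreeRADIUS code) of how RFC 2869 section 5.14 defines Message-Authenticator: HMAC-MD5 under the shared secret over the entire Access-Request, with the Message-Authenticator attribute itself present in the input and its 16 value octets set to zero. The shared secret "testing123" is the one the post names; the identifier, the random Request Authenticator and the EAP-Message content (a well-formed EAP Response/Identity for "test") are constructed for the demo, and CHAP-Password is left out to keep the packet small.

```python
# Added example: build an Access-Request and compute/verify Message-Authenticator
# per RFC 2869 5.14. Not from the post or FreeRADIUS; identifier, EAP payload
# and Request Authenticator are constructed here.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute TLV: type, length (value + 2), value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be at most 253 octets")
    return bytes((attr_type, len(value) + 2)) + value


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP Response/Identity: code 2, identifier, total length, type 1, identity."""
    body = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(body), 1) + body


def build_access_request(identifier: int, authenticator: bytes, secret: bytes,
                         attrs: list) -> bytes:
    """Serialise the packet with Message-Authenticator as the last attribute.
    The HMAC-MD5 covers the whole packet, header included, with the
    Message-Authenticator value octets zeroed; omitting the attribute from
    the HMAC input (as the post's formula does) yields a different MAC."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    body = b"".join(attr(t, v) for t, v in attrs)
    body += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    header += authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac   # replace the 16 zero octets with the MAC


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: locate the attribute, zero it, recompute, compare in
    constant time. Malformed packets and a missing attribute are rejected."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, found = HEADER_LEN, None
    while pos < length:
        if pos + 2 > length:
            return False
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            return False
        if t == MESSAGE_AUTHENTICATOR:
            if l != 18 or found is not None:
                return False
            found = pos
        pos += l
    if found is None:
        return False
    zeroed = packet[:found + 2] + bytes(16) + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found + 2:found + 18])


def demo(secret: bytes = b"testing123") -> bytes:
    """Packet in the spirit of the post: User-Name, a valid EAP-Message and
    Message-Authenticator; 55 octets with these constructed values."""
    authenticator = os.urandom(16)   # Request Authenticator: random per request
    return build_access_request(1, authenticator, secret, [
        (USER_NAME, b"test"),
        (EAP_MESSAGE, eap_response_identity(1, "test")),
    ])
```

RFC 3579 section 3.3 requires Message-Authenticator in any Access-Request that carries EAP-Message, and a server that cannot verify it silently discards the packet, which is the "invalid Message-Authenticator" path the post's debug output shows.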
Re: VALGRIND: Major impact on authentication!
Guilherme Franco wrote:
> As everything was good before and now it's breaking, the most probable
> cause is the increase in the number of auth users, which brings lots
> of acct (0 users in September 2006 and now with 4000 online users
> pumping radacct). The oracle tables are well indexed so the response
> time is low. What comes to my mind is that the driver is having
> trouble to work with high acct throughput under peak time, starving
> all the 32 threads.

The problems shown by valgrind are there independent of load. The problems SHOULD be fixed!

> I've considered radrelay/sqllog before, but wouldn't that break the
> Simultaneous-Use functionality?

Not if the accounting inserts are done quickly. Separating the authentication request from the accounting may increase the uptime of the server.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Setting up a VPN server with pptp and RADIUS for all sorts of clients
robert wrote:
> A log sent from the Radius Admin shows that the mschap module fails to
> find User-Password (this is how I have understood it!) and refuses to
> validate the user.
> here is the part I am talking about:
> FROM Radius log:
>
> auth: type "MS-CHAP"
>
> Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 0
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password
>
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>
> But I am sure that the field User password contains the valid password I
> am trying to use.

It definitely doesn't. The server doesn't make elementary mistakes like that.

Could you please post the entire output of FR run under debug (-X switch) so we can see the details.
Re: VALGRIND: Major impact on authentication!
Hello,

Thank you for the consulting offer Mr. Peter but, as you told, there seems to be some bugs in the rlm_sql oracle driver.

As everything was good before and now it's breaking, the most probable cause is the increase in the number of auth users, which brings lots of acct (0 users in September 2006 and now with 4000 online users pumping radacct). The oracle tables are well indexed so the response time is low. What comes to my mind is that the driver is having trouble to work with high acct throughput under peak time, starving all the 32 threads.

I've considered radrelay/sqllog before, but wouldn't that break the Simultaneous-Use functionality?

Thank you!
Re: Setting up a VPN server with pptp and RADIUS for all sorts of clients
robert wrote:
> A log sent from the Radius Admin shows that the mschap module fails to
> find User-Password (this is how I have understood it!) and refuses to
> validate the user.

Yes. The server does not know what the correct password is for the user, so it can't authenticate the user.

Ask the RADIUS Admin to configure a password for the user.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Starting radius issue - configuration files globally readable.
tzieleniewski wrote:
> Hi!
>
> I have just compiled the latest CVS and whenever I try to start radius I get
> the following info:
> Configuration file /home/radius/freeradius/raddb/radiusd.conf is globally
> readable.
>
> This is because I use the symbolic links to files. Can this restriction be
> somehow removed??

Edit the source code.

I will likely be updating the checks to be a little smarter than what they are right now. But having the config files globally readable means that anyone can pretend to be the RADIUS server.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Starting radius issue - configuration files globally readable.
Hi!

I have just compiled the latest CVS and whenever I try to start radius I get the following info:

Configuration file /home/radius/freeradius/raddb/radiusd.conf is globally readable.

This is because I use the symbolic links to files. Can this restriction be somehow removed??

Bests
-tomasz
Re: Cisco-AVPair = "client-mac-address=000f.ea20.e1ad" to Calling-Station-Id = "000f.ea20.e1ad" rule
Victor <[EMAIL PROTECTED]> writes:

> I have an accounting packet with attributes like:
>
> Acct-Session-Id = "0/0/1/3_01CC"
> Cisco-AVPair = "client-mac-address=000f.ea20.e1ad"
> Framed-Protocol = PPP
> Framed-IP-Address = 192.168.0.235
> User-Name = "global"
> Cisco-AVPair = "connect-progress=LAN Ses Up"
> Cisco-AVPair = "nas-tx-speed=1"
> Cisco-AVPair = "nas-rx-speed=1"
> ...
>
> How can I create (or rewrite if it exists) a Calling-Station-Id attribute
> with value 000f.ea20.e1ad (MAC from Cisco-AVPair =
> "client-mac-address=000f.ea20.e1ad") for SQL accounting?
> If a Cisco-AVPair with client-mac-address exists, sure.

You can create a Client-Mac-Address attribute by enabling with_cisco_vsa_hack = no in the preprocess section of radiusd.conf. You can then use this attribute to rewrite Calling-Station-Id if you like. See src/modules/rlm_preprocess/rlm_preprocess.c for details on the implementation.

Bjørn
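An added example (not Bjørn's code and not rlm_preprocess) of the rewrite step itself: given the accounting attributes quoted in the question, pull client-mac-address out of Cisco-AVPair and set Calling-Station-Id from it. It goes slightly beyond the question by normalising the three MAC spellings that appear on this page (Cisco dotted, colon-separated and dash-separated) so the value that reaches SQL accounting is consistent; the list-of-pairs shape of the attribute set is an assumption of the demo.

```python
# Added example: derive Calling-Station-Id from a Cisco-AVPair
# "client-mac-address=..." value. Not FreeRADIUS code; attribute list shape
# and the sample request are constructed for the demo.
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str, sep: str = "-") -> str:
    """Accept Cisco dotted (000f.ea20.e1ad), colon or dash forms and return
    upper-case octets joined by `sep`. Raises ValueError on anything else,
    so a malformed vendor value never silently becomes a station id."""
    digits = re.sub(r"[.:\-]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % raw)
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def cisco_avpairs(attrs):
    """Yield (key, value) for every Cisco-AVPair of the form key=value."""
    for name, value in attrs:
        if name == "Cisco-AVPair" and "=" in value:
            key, _, val = value.partition("=")
            yield key.strip(), val.strip()


def set_calling_station_id(attrs, overwrite=True):
    """Return a new attribute list with Calling-Station-Id derived from
    client-mac-address when one is present. overwrite=False keeps an existing
    Calling-Station-Id (the "create or rewrite" choice in the question)."""
    mac = None
    for key, val in cisco_avpairs(attrs):
        if key == "client-mac-address":
            mac = normalize_mac(val)
            break
    if mac is None:
        return list(attrs)
    present = any(n == "Calling-Station-Id" for n, _ in attrs)
    if present and not overwrite:
        return list(attrs)
    out = [(n, v) for n, v in attrs if n != "Calling-Station-Id"]
    out.append(("Calling-Station-Id", mac))
    return out


# Constructed accounting attributes modelled on the ones quoted in the question.
SAMPLE_ACCT = [
    ("Acct-Session-Id", "0/0/1/3_01CC"),
    ("Cisco-AVPair", "client-mac-address=000f.ea20.e1ad"),
    ("Framed-Protocol", "PPP"),
    ("Framed-IP-Address", "192.168.0.235"),
    ("User-Name", "global"),
    ("Cisco-AVPair", "connect-progress=LAN Ses Up"),
    ("Cisco-AVPair", "nas-tx-speed=1"),
    ("Cisco-AVPair", "nas-rx-speed=1"),
]
```

Whichever separator you pick, use the same one for values that arrive from other NAS types (the 802.1X requests elsewhere on this page carry Calling-Station-Id as 00-12-79-AE-D2-4D), otherwise Simultaneous-Use and per-station lookups in SQL will compare unequal strings for the same device.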
Setting up a VPN server with pptp and RADIUS for all sorts of clients
Hello,

This is my first post on this mailing list, so sorry if I am in the wrong place!!

I am having problems getting the Radius Server to validate my VPN clients. Reading through the mail archives, I have found similar subjects, but the main difference I have is the fact that I don't have authority on the Radius Server.

The main problem comes from my windows clients, I am trying to stick to the default Microsoft auth method (using ms-chap v2) to keep the client side as simple as possible. So I have set-up my pptp daemon, installed radiusclient, and have used the dictionary.microsoft from the sources of radiusclient.

I must point out that authentication works using the "User-Password" field (say if I am wrong, but this is a clear text password?) on 802.1X clients, and all Users in the LDAP base have a valid User-Password (but no NT/LM Passwords). The solutions I have come across until now tell me to use the NT or LM password field and the problem is solved, but I can't change the layout, it has been set by "eduroam", who guides the project. So I must get my radius client to work with User-password, but I don't know where to start...

A log sent from the Radius Admin shows that the mschap module fails to find User-Password (this is how I have understood it!) and refuses to validate the user.

Here is the part I am talking about:
FROM Radius log:

auth: type "MS-CHAP"

Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password

rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

But I am sure that the field User password contains the valid password I am trying to use.
Just in case, I shall post the dictionary.microsoft I am using:

#
# Microsoft's VSA's, from RFC 2548
#
# $Id: dictionary.microsoft,v 1.1 2004/11/14 07:26:26 paulus Exp $
#

VENDOR      Microsoft   311     Microsoft

ATTRIBUTE   MS-CHAP-Response                1   string  Microsoft
ATTRIBUTE   MS-CHAP-Error                   2   string  Microsoft
ATTRIBUTE   MS-CHAP-CPW-1                   3   string  Microsoft
ATTRIBUTE   MS-CHAP-CPW-2                   4   string  Microsoft
ATTRIBUTE   MS-CHAP-LM-Enc-PW               5   string  Microsoft
ATTRIBUTE   MS-CHAP-NT-Enc-PW               6   string  Microsoft
ATTRIBUTE   MS-MPPE-Encryption-Policy       7   string  Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE   MS-MPPE-Encryption-Type         8   string  Microsoft
ATTRIBUTE   MS-MPPE-Encryption-Types        8   string  Microsoft
ATTRIBUTE   MS-RAS-Vendor                   9   integer Microsoft
ATTRIBUTE   MS-CHAP-Domain                  10  string  Microsoft
ATTRIBUTE   MS-CHAP-Challenge               11  string  Microsoft
ATTRIBUTE   MS-CHAP-MPPE-Keys               12  string  Microsoft
ATTRIBUTE   MS-BAP-Usage                    13  integer Microsoft
ATTRIBUTE   MS-Link-Utilization-Threshold   14  integer Microsoft
ATTRIBUTE   MS-Link-Drop-Time-Limit         15  integer Microsoft
ATTRIBUTE   MS-MPPE-Send-Key                16  string  Microsoft
ATTRIBUTE   MS-MPPE-Recv-Key                17  string  Microsoft
ATTRIBUTE   MS-RAS-Version                  18  string  Microsoft
ATTRIBUTE   MS-Old-ARAP-Password            19  string  Microsoft
ATTRIBUTE   MS-New-ARAP-Password            20  string  Microsoft
ATTRIBUTE   MS-ARAP-PW-Change-Reason        21  integer Microsoft
ATTRIBUTE   MS-Filter                       22  string  Microsoft
ATTRIBUTE   MS-Acct-Auth-Type               23  integer Microsoft
ATTRIBUTE   MS-Acct-EAP-Type                24  integer Microsoft
ATTRIBUTE   MS-CHAP2-Response               25  string  Microsoft
ATTRIBUTE   MS-CHAP2-Success                26  string  Microsoft
ATTRIBUTE   MS-CHAP2-CPW                    27  string  Microsoft
ATTRIBUTE   MS-Primary-DNS-Server           28  ipaddr  Microsoft
ATTRIBUTE   MS-Secondary-DNS-Server         29  ipaddr  Microsoft
ATTRIBUTE   MS-Primary-NBNS-Server          30  ipaddr  Microsoft
ATTRIBUTE   MS-Secondary-NBNS-Server        31  ipaddr  Microsoft
#ATTRIBUTE  MS-ARAP-Challenge               33  string  Microsoft

#
#   Integer Translations
#

# MS-BAP-Usage Values
VALUE   MS-BAP-Usage    Not-Allowed     0
VALUE   MS-BAP-Usage    Allowed         1
Re: Segmentation fault on PAP calling
Giovanni Lovato wrote:
> I'm using FreeRADIUS 1.1.4 compiled from sources on Debian Etch.
> I backend against LDAP with hashed password. Now I'm trying to configure
> authentication to use with WPA, but it segfaults on calling PAP:

  I've committed a fix for that bug, thanks.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: a problem about radius and ldap
Hi

I sent two LDAP entries, the ldapsearch result and the debug. In this ldapsearch there is a clear-text userPassword. Anyway, I describe the problem shortly for your help.

Like in the howto:

authorize {
        preprocess
        files
        ldap
        eap
}

authenticate {
        ldap
        eap
}

ldapsearch result:

userpassword=ramazan
.
radiusclass=groupnet
objectclass=radiusprofile
objectclass=top
objectclass=posixAccount
objectclass=shadowAccount
...

radtest is successful for this configuration but the XP client isn't. ldap.attrmap has the User-Password to userPassword mapping. Deleting the entry "ldap" in the authenticate block in radiusd.conf results in failure both for radtest and the XP client.

For the configuration above, the debug log:

rad_recv: Access-Request packet from host 192.168.100.17:1812, id=7, length=129
        NAS-IP-Address = 192.168.100.17
        NAS-Port = 50001
        NAS-Port-Type = Ethernet
        User-Name = "ramazan"
        Called-Station-Id = "00-0F-8F-77-DB-81"
        Calling-Station-Id = "00-12-79-AE-D2-4D"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x0204000c0172616d617a616e
        Message-Authenticator = 0x61cab38d83f6ed1abbd2ac2c8ce5b0bf
  modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=dot1x.com'
radius_xlat:  '(uid=ramazan)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.100.18:389, authentication 0
rlm_ldap: bind as / to 192.168.100.18:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
ldap_release_conn: Release Id: 0
radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=dot1x.com))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=dot1x.com)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (&(cn=VPN)(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=dot1x.com))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=dot1x.com
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=ramazan,cn=users,cn=idc,dc=dot1x.com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group VPN
ldap_release_conn: Release Id: 0
    users: Matched DEFAULT at 174
  modcall[authorize]: module "files" returns ok for request 0
  rlm_eap: EAP packet type notification id 4 length 12
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ramazan
radius_xlat:  '(uid=ramazan)'
radius_xlat:  'dc=dot1x.com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
rlm_ldap: checking if remote access for ramazan is allowed by radiusGroupName
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 2 & op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 & op=11
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
rlm_ldap: Adding radiusClass as Class, value employee & op=11
rlm_ldap: user ramazan authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  modcall: entering group authenticate for request 0
  rlm_eap: EAP packet type notification id 4 length 12
  rlm_eap: EAP Start not found
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [ramazan/] (from client radius port 50001 cli 00-12-79-AE-D2-4D)
Sending Access-Challenge of id 7 to 192.168.100.17:1812
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Medium-Type:0 = 6
        Tunnel-Type:0 = VLAN
        Class = 0x656d706c6f796565
        EAP-Message = 0x0105001604105a4f17068db0feb3ebdee25f9cfe966f
        Message-Authenticator = 0x
        State = 0x395efcd2fb04e81f34be33bd9cd0cf0831cbc4456746df615bd2474fb42f67add24a0e16
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.100.17:1812, id=8, length=184
        NAS-IP-Address = 192.168.100.17
        NAS-Port = 50001
        NAS-Port-Type = Ethernet
        User-Name = "ramazan"
        Called-Station-Id = "00-0F-8F-77-DB-81"
        Calling-Station-Id = "00-12-79-AE-D2-4D"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x395efcd2fb04e81f34be33bd9cd0cf0831cbc4456746df615bd2474fb42f67add24a0e16
        EAP-Message = 0x0205001d0410820fd3de9d3280644551107995e3
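The debug output above shows the server answering the EAP Identity response with an EAP-MD5 challenge (type 4). The Python below is an added example, not code from the post or from FreeRADIUS: it decodes the two EAP-Message values copied from that log, pulls the 16-byte challenge out of the request, and shows the response a peer that knows the clear-text userPassword would return, which is the reason EAP-MD5 only works with a clear-text password on the server side. The password and the computed peer response are constructed for the demo; the last EAP-Message in the log is cut off in the archive, and the parser rejects it rather than guessing.

```python
"""Added example: decode the EAP-Message values from the debug log and check an EAP-MD5 response."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    type: Optional[int]   # None for Success/Failure, which carry no type byte
    data: bytes

    @property
    def code_name(self) -> str:
        return EAP_CODES.get(self.code, f"Unknown({self.code})")

    @property
    def type_name(self) -> str:
        return EAP_TYPES.get(self.type, f"Unknown({self.type})")


def parse_eap(raw: bytes) -> EapPacket:
    """Parse the RFC 3748 header (code, identifier, length) and the type byte of a Request/Response."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length > len(raw):
        raise ValueError(f"EAP length field says {length} bytes but only {len(raw)} present")
    body = raw[4:length]
    if code in (1, 2):
        if not body:
            raise ValueError("Request/Response without a type byte")
        return EapPacket(code, ident, body[0], body[1:])
    return EapPacket(code, ident, None, body)


def md5_challenge_value(pkt: EapPacket) -> bytes:
    """MD5-Challenge payload is Value-Size (1 byte) followed by the challenge value."""
    if pkt.type != 4:
        raise ValueError("not an MD5-Challenge packet")
    size = pkt.data[0]
    return pkt.data[1:1 + size]


def md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """Peer side (RFC 3748 5.4, i.e. CHAP): MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def verify_md5_response(identifier: int, password: str, challenge: bytes, response: bytes) -> bool:
    """Server side: needs the clear-text password; constant-time compare on the digest."""
    return hmac.compare_digest(md5_response(identifier, password, challenge), response)


# EAP-Message values copied from the debug log in the post.
IDENTITY_RESPONSE = bytes.fromhex("0204000c0172616d617a616e")
MD5_REQUEST = bytes.fromhex("0105001604105a4f17068db0feb3ebdee25f9cfe966f")
TRUNCATED_RESPONSE = bytes.fromhex("0205001d0410820fd3de9d3280644551107995e3")  # cut off in the archive

if __name__ == "__main__":
    ident = parse_eap(IDENTITY_RESPONSE)
    print(ident.code_name, ident.type_name, ident.data.decode())
    req = parse_eap(MD5_REQUEST)
    chal = md5_challenge_value(req)
    print(req.code_name, req.type_name, "id", req.identifier, "challenge", chal.hex())
    # Constructed: what a peer holding userPassword=ramazan would answer to that challenge.
    resp = md5_response(req.identifier, "ramazan", chal)
    print("right password verifies:", verify_md5_response(req.identifier, "ramazan", chal, resp))
    print("wrong password verifies:", verify_md5_response(req.identifier, "Ramazan", chal, resp))
    try:
        parse_eap(TRUNCATED_RESPONSE)
    except ValueError as exc:
        print("truncated packet rejected:", exc)
```

Two things worth checking against your own log before spending time on the server: that the supplicant actually continues the conversation after the MD5-Challenge (a NAK with a different proposed type would show up as type 3 in the next EAP-Message), and that the password the server holds is clear text, since an MD5-Challenge response cannot be verified against a hashed credential.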
Cisco-AVPair = "client-mac-address=000f.ea20.e1ad" to Calling-Station-Id = "000f.ea20.e1ad" rule
Hello,

I have an accounting packet with attributes like:

        Acct-Session-Id = "0/0/1/3_01CC"
        Cisco-AVPair = "client-mac-address=000f.ea20.e1ad"
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.0.235
        User-Name = "global"
        Cisco-AVPair = "connect-progress=LAN Ses Up"
        Cisco-AVPair = "nas-tx-speed=1"
        Cisco-AVPair = "nas-rx-speed=1"
        ...

How can I create (or rewrite, if it exists) the Calling-Station-Id attribute with value 000f.ea20.e1ad (the MAC from Cisco-AVPair = "client-mac-address=000f.ea20.e1ad") for SQL accounting? Only if a Cisco-AVPair with client-mac-address exists, sure.

PS: I'm not sure that in the current accounting packet it is in %{Cisco-AVPair[0]} and not %{Cisco-AVPair[3]} or %{Cisco-AVPair[156]}, etc.

Thanx!

--
Best regards,
 Victor                          mailto:[EMAIL PROTECTED]
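The PS above is the real problem: Cisco-AVPair is multi-valued and the position of client-mac-address is not stable, so it has to be found by content rather than by index. The Python below is an added example, not code from the post or from FreeRADIUS, that applies that rule to the attribute dump quoted above (copied into the script, "..." line dropped): it collects every Cisco-AVPair as key/value, derives Calling-Station-Id from client-mac-address when present, and keeps an existing Calling-Station-Id otherwise. The dash-separated MAC form is an optional extra beyond what the post asks for.

```python
"""Added example: derive Calling-Station-Id from a multi-valued Cisco-AVPair by content, not index."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the accounting packet quoted in the post.
ACCT_DUMP = """\
Acct-Session-Id = "0/0/1/3_01CC"
Cisco-AVPair = "client-mac-address=000f.ea20.e1ad"
Framed-Protocol = PPP
Framed-IP-Address = 192.168.0.235
User-Name = "global"
Cisco-AVPair = "connect-progress=LAN Ses Up"
Cisco-AVPair = "nas-tx-speed=1"
Cisco-AVPair = "nas-rx-speed=1"
"""

CISCO_MAC = re.compile(r"^([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})$", re.IGNORECASE)


def parse_attr_dump(text: str) -> List[Tuple[str, str]]:
    """Turn 'Attribute = value' lines (radiusd debug style) into an ordered (name, value) list."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if " = " not in line:
            continue
        name, value = line.split(" = ", 1)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((name, value))
    return pairs


def cisco_avpairs(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """Every Cisco-AVPair instance as key -> value, whatever its index in the packet."""
    out: Dict[str, str] = {}
    for name, value in pairs:
        if name == "Cisco-AVPair" and "=" in value:
            key, val = value.split("=", 1)
            out[key.strip()] = val.strip()
    return out


def normalize_mac(cisco_mac: str) -> Optional[str]:
    """'000f.ea20.e1ad' -> '00-0f-ea-20-e1-ad'; None if the value is not a dotted Cisco MAC."""
    match = CISCO_MAC.match(cisco_mac)
    if not match:
        return None
    digits = "".join(match.groups()).lower()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def calling_station_id(pairs: List[Tuple[str, str]], keep_cisco_format: bool = True) -> Optional[str]:
    """Value to store as Calling-Station-Id: the client-mac-address AVPair wins when present
    (create or rewrite), otherwise whatever Calling-Station-Id the packet already carried."""
    mac = cisco_avpairs(pairs).get("client-mac-address")
    if mac is None:
        return dict(pairs).get("Calling-Station-Id")
    return mac if keep_cisco_format else normalize_mac(mac)


if __name__ == "__main__":
    attrs = parse_attr_dump(ACCT_DUMP)
    print("Cisco-AVPairs:", cisco_avpairs(attrs))
    print("Calling-Station-Id:", calling_station_id(attrs))
    print("Calling-Station-Id (dashed):", calling_station_id(attrs, keep_cisco_format=False))
```

The same "match on the value, not on the index" rule is what any server-side rewrite must follow; a rule keyed on %{Cisco-AVPair[0]} will silently pick up connect-progress or nas-tx-speed on the next packet where the NAS orders the pairs differently.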
Re: Configuring FreeRADIUS and BAM for Motorola Canopy SM authentication and Bandwidth Management
Alan,

Thank you for your e-mail in which you have sought more explanation on the problem.

We have deployed a Motorola Canopy network using Access Points (AP) and Subscriber Modules (SM) to provide a fixed wireless broadband solution to our customers. Motorola have a management software known as PrizmEMS which incorporates a Bandwidth and Authentication Management (BAM) module in it. There are several ways to configure the bandwidth and authentication for the SMs. I opted to use FreeRADIUS, which has been configured as per the users manual provided.

I still cannot have the Subscriber Modules be registered to authentication-enabled Access Points. When I check the logs it shows that FreeRADIUS has authenticated the Subscriber Modules; however it fails to authenticate on the Bandwidth and Authentication Management module of the PrizmEMS s/w.

Kindly let me know if this is more clear.

Regards,
Bernard

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "Bernard Ochieng" <[EMAIL PROTECTED]>; "FreeRadius users mailing list"
Sent: Thursday, February 08, 2007 11:41 AM
Subject: Re: Configuring FreeRADIUS and BAM for Motorola Canopy SM authentication and Bandwidth Management

> Bernard Ochieng wrote:
> >> What do you mean by "fails on BAM"?
> >
> > BAM does not accept the the authenticated elements from the FreeRADIUS hence
> > CPEs are not registered to the respective APs.
>
>   Perhaps you could try explaining in more detail, and using fewer acronyms.
>
>   i.e. BAM?  What's that?  You appear to be the first person on this
> list asking about BAM.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
Re: Radius breaks down during "Accounting Request"
tzieleniewski wrote:
>
> I am trying to use radius as the accounting server for Sip proxy.
> After i send the Accounting request to radius the radius server brokes down
> and informs about memory segmentation fault. Please point me what could be
> the reason for this.
> Here is the radius debug output:

  OK, CVS should now have a fix.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Re: VALGRIND: Major impact on authentication!
On Thu 08 Feb 2007 05:54, Guilherme Franco wrote:
> Hi,
>
> I did run "valgrind radiusd -xxx" at Wed Feb 7 19:15:08 2007 and at
> Wed Feb 7 20:59:04 2007 radiusd DIED.
>
> Afterwards, "service radius restart" would not work and of lots of
> "Error: Internal error processing module entry", "Error:
> rlm_sql_oracle: fetch failed in sql_fetch_row: ORA-24338: statement
> handle not executed", and "Error: rlm_sql (sql): failed after
> re-connect" appeared.
>
> I've just disabled accounting in the NAS and then "service radiusd
> start" worked.

Eeek.

I suggest that you consider using radrelay or sqllog for your accounting, to reduce the amount of connections and queries your authentication daemon is doing.

The oracle driver obviously needs someone to look at it. :-(

Cheers

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Configuring FreeRADIUS and BAM for Motorola Canopy SM authentication and Bandwidth Management
Bernard Ochieng wrote:
>> What do you mean by "fails on BAM"?
>
> BAM does not accept the the authenticated elements from the FreeRADIUS hence
> CPEs are not registered to the respective APs.

  Perhaps you could try explaining in more detail, and using fewer acronyms.

  i.e. BAM?  What's that?  You appear to be the first person on this
list asking about BAM.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
sql module doesn't use read_groups parameter
Hi!!

I was setting up the sqlcounter module and I needed to set the group parameter in the radgroupcheck table in order to set the limit values for sqlcounter. I found out that the sql module doesn't work correctly. I set the read_groups parameter in the sql.conf file to 'yes' and despite that the sql module doesn't do the group processing. During the startup procedure I don't see any info about that parameter, no matter whether it is set to 'yes' or 'no'. And then there is no processing during request servicing in the authorize section.

Here is the radius output for the sql module:

 sql: driver = "rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "radius"
 sql: password = "radiustz81"
 sql: radius_db = "radius2_0"
 sql: sqltrace = yes
 sql: sqltracefile = "/var/log/radiusd/sqltrace.sql"
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
 sql: default_user_profile = ""
 sql: nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
 sql: authorize_check_query = (sql queries) ER BY priority"
 sql: connect_failure_retry_delay = 60
 sql: simul_count_query = ""
 sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
 sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', '%S')"
 sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius2_0
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)

The authorize section from radiusd.conf:

authorize {
        preprocess
        auth_req_log
        digest
        suffix
        sql
        daily
        expiration
        logintime
        pap
        auth_req_log
        daily_sqlcounter
}

And request processing by the sql module:

radius_xlat:  'tomix'
rlm_sql (sql): sql_set_user escaped user --> 'tomix'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'tomix' ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'tomix' ORDER BY id
rlm_sql (sql): User found in radcheck table
radius_xlat:  'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'tomix' ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'tomix' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair

I kindly ask for your help.

Bests
-Tomasz
Re: simple mac-auth
Phil Mayers wrote:
> Mikko Husari wrote:
>
>> Mikko Husari wrote:
>>
>>> Hi!
>>>
>>> im currently running eap-tls with username and password (from ldap), but
>>> now we're having a bunch of "stupid" wlan-client machines, and we need
>>> an simple mac-auth (from ldap?) to the network. basic idea: (example
>>> from outside world) "so, no certificate and login credentials, cant let
>>> you in. but im on an vip-list!. Oh, i see, come on in, sorry for
>>> inconvenience", for now we are happy to get just that to work, next
>>> level would be something concerning vlans... i think (in the long run)
>>> we don't want to have too much accessibility in those stupid machines.
>>> poorly explained, not enough coffee in veins yet...
>>>
>>> thanks in advance
>>>
>> Wouldn't i just be able to create hints rule that says "if
>> calling-station-id == xx-xx-xx-xx-xx permit access" , or something similar?
>>
>
> Yes. Like I said, it's easy.
>
> My advice would be to use an rlm_passwd with a key of calling-station-id
> and use the authtype value on the module instance to set to Accept.
>
> As I said, your AP still needs to support sending the MAC to Radius on
> association. I suggest you consult your AP docs.
>

Well, I managed to do a "module" that checks the file and returns ok/not found/noop, but now my problem is how to make it authorize me according to the maclist... At the moment it checks the eap-tls module... Well, there are two sections in that radiusd.conf, authenticate and authorize. I tried listing that maclist module in the last one and it complained that passwd modules are not allowed in there...
Re: Configuring FreeRADIUS and BAM for Motorola Canopy SM authentication and Bandwidth Management
On Wed 07 Feb 2007 07:30, Bernard Ochieng wrote:
>> Hello All,
>>
>> I have configured FreeRADIUS to do bandwidth and authentication together
>> with the BAM server, however the RADIUS does authenticate but it fails on
>> BAM hence the CPEs are not authenticated and registered by the Access
>> Points. Anyone who can help on this?

> What do you mean by "fails on BAM"?

BAM does not accept the authenticated elements from the FreeRADIUS, hence CPEs are not registered to the respective APs.

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

- Original Message -
From: "Peter Nixon" <[EMAIL PROTECTED]>
To: "Bernard Ochieng" <[EMAIL PROTECTED]>; "FreeRadius users mailing list"
Sent: Wednesday, February 07, 2007 3:13 PM
Subject: Re: Configuring FreeRADIUS and BAM for Motorola Canopy SM authentication and Bandwidth Management
Re: Re: Radius breaks down during "Accounting Request"
[EMAIL PROTECTED]:~/freeradius/raddb$ radiusd -v
radiusd: FreeRADIUS Version 2.0.0-pre0, for host x86_64-unknown-linux-gnu, built on Jan 29 2007 at 13:36:2

> tzieleniewski wrote:
> ...
> > modcall: entering group preacct for request 1
> > Naruszenie ochrony pamięci (translation -> memory segmentation fault)
>
>   Which version of the server are you running?
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog