Re: 1.1.4 stops responding to requests

2007-02-13 Thread Stefan Winter
Hi,

> The fix for this is in the CVS HEAD and probably should be backported
> to the latest release branch.  There was a race condition in the code
> where the server could clean up an accounting request before a thread
> actually got to it to process it.

yes, that definitely deserves a backport IMO. Up to now, accounting is a 
dangerous endeavour in the 1.1 branch :-(

Greetings,

Stefan Winter

-- 
Stefan WINTER

RESTENA Foundation - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
R&D Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu               Fax:      +352 422473


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: VLAN assigment and Alcatel Omniswitch 7800

2007-02-13 Thread Oxiel Contreras
Hello Santa.

On Sunday, 11 February 2007 22:57, Santa Yeh wrote:
> You can not use the standard attributes :
>
> Tunnel-Type:0 += VLAN
> Tunnel-Medium-Type:0 += IEEE-802
> Tunnel-Private-Group-Id:0 += "3"
>
> The VSA for Alcatel switches is Alcatel-Auth-Group, that is why you
> should check the user manual.

I've added the Alcatel-Auth-Group attribute to dictionary.alcatel like this:

ATTRIBUTE   Alcatel-Auth-Group  134 integer

and modified the users file like this:

Tunnel-Type += 13,
Tunnel-Medium-Type += 6,
Alcatel-Auth-Group += 3

Now I see the Access-Accept part of the log, which is sent with the 
attribute, but nothing happens.

Sending Access-Accept of id 181 to 192.168.10.20 port 1074
Tunnel-Type:0 += VLAN
Tunnel-Medium-Type:0 += IEEE-802
Alcatel-Auth-Group += 3
MS-MPPE-Recv-Key = 0xc90404d5af28944ae97417b2336cf56e204fe5afab5c7c7e7e50045ec24473b3
MS-MPPE-Send-Key = 0xc990b966cc4bed66c7be062e54795ddb253efe28c8426ecbb298d302c64b9359
EAP-Message = 0x030d0004
Message-Authenticator = 0x
User-Name = "MYDOMAIN\\jose"
Finished request 8

Could you please pass me the relevant parts of your switch setup ?

vlan port mobile
vlan authentication
aaa

Is it necessary to define VLAN rules on the switch in order to move the mobile 
port to the VLAN designated with Alcatel-Auth-Group?

Thanks and best regards

Oxiel

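As an added illustration (my own example code, not from the thread or from FreeRADIUS), here is how the reply attributes in that Access-Accept are laid out on the wire: the ":0" FreeRADIUS prints on the Tunnel-* attributes is the RFC 2868 tag byte, and Alcatel-Auth-Group travels inside an RFC 2865 Vendor-Specific attribute. The vendor ID is a placeholder assumption; 134 is the number from the poster's dictionary line, and the RFC 3580 Tunnel-Private-Group-Id form from the first reply is included for comparison.

```python
"""Wire encoding of RADIUS tagged tunnel attributes (RFC 2868) and a
Vendor-Specific attribute (RFC 2865 5.26).  Constructed example, not
FreeRADIUS code; the vendor ID below is a placeholder."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_SPECIFIC = 26
VLAN, IEEE_802 = 13, 6            # the values the poster used in the users file
ALCATEL_VENDOR_ID = 800           # ASSUMPTION: placeholder, verify against dictionary.alcatel
ALCATEL_AUTH_GROUP = 134          # from the poster's dictionary.alcatel line


def tlv(attr_type, value):
    """RFC 2865 attribute: Type, Length (including the 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value must fit in 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: one tag byte, then a 24-bit value.
    Tag 0 means 'untagged', which is what 'Tunnel-Type:0' denotes."""
    if not 0 <= tag <= 0x1F or not 0 <= value < (1 << 24):
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string: one tag byte, then the string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return tlv(attr_type, bytes([tag]) + text.encode())


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific: 4-byte Vendor-Id followed by a vendor TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def alcatel_accept_attrs(group):
    """The three reply attributes the poster's users entry produces."""
    return (tagged_int(TUNNEL_TYPE, 0, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, 0, IEEE_802)
            + vsa(ALCATEL_VENDOR_ID, ALCATEL_AUTH_GROUP, struct.pack("!I", group)))


def standard_vlan_attrs(vlan_id, tag=0):
    """The standard (RFC 3580) form with Tunnel-Private-Group-Id, for comparison."""
    return (tagged_int(TUNNEL_TYPE, tag, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode(data):
    """Walk an attribute list and return decoded tuples; rejects bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        v = data[i + 2:i + length]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(v) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            out.append(("tagged_int", t, v[0], int.from_bytes(v[1:], "big")))
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # a first byte above 0x1F is not a tag but part of the string
            tag, s = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            out.append(("tagged_str", t, tag, s.decode()))
        elif t == VENDOR_SPECIFIC:
            if len(v) < 6 or v[5] < 2 or 4 + v[5] > len(v):
                raise ValueError("malformed vendor attribute")
            vendor_id = struct.unpack("!I", v[:4])[0]
            out.append(("vsa", vendor_id, v[4], int.from_bytes(v[6:4 + v[5]], "big")))
        else:
            out.append(("raw", t, v))
        i += length
    return out
```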


Re: 1.1.4 stops responding to requests

2007-02-13 Thread Michael Griego
The fix for this is in the CVS HEAD and probably should be backported  
to the latest release branch.  There was a race condition in the code  
where the server could clean up an accounting request before a thread  
actually got to it to process it.

--Mike

On Feb 13, 2007, at 1:36 PM, Phil Allred wrote:

> Interesting.  I don't think it is needed here.  I'll check with our
> wireless vendor, then give it a shot.
>
> Thanks very much!
>
> Phil
>
> Guilherme Franco wrote:
>> Hello,
>>
>> Same with me, but acct is necessary.
>>
>> The solution was radsqlrelay.
>>
>> Regards,
>>
>> Guilherme
>>
>> On 2/13/07, *Stefan Winter* <[EMAIL PROTECTED]
>> > wrote:
>>
>> Hi,
>>
>>> 1.1.4 will run for a few hours and then either stop responding to
>>> requests or die.   There is no seg fault warning in any log
>> file.  If I
>>> restart radius, it then begins answering again.  Since it is a
>>> production environment in which 300-500 users are connected at
>> any given
>>> time, we were unable to simply turn on debugging and look for
>> problems.
>>> Once we realized the problem we had to quickly revert to 1.0.5
>> for now
>>> and make our relatively few Vista users for a little longer.
>>
>> Interesting... I've been seeing exactly this happening on our own
>> system. In
>> our case, I could track it down to the fact that it stopped  
>> responding
>> shortly after accounting packets came in. Turning off accounting
>> (already on
>> NAS level) deterministically solved the problem for me, so I
>> suspect the
>> problem to be somewhere near there.
>> I never followed this trace, because accounting is optional at  
>> our
>> site (free
>> wireless) and it was our prod environment, I didn't want to mess
>> around
>> without a good reason. So accounting is just off at the moment.
>>
>>> I am going to try running it in debug mode over a weekend in a
>>> particular subset of the school's wireless network where not
>> many users
>>> would be affected by a crash and see if I can collect any more
>>> information.  I will do it on a system that never had any earlier
>>> version of freeradius installed on it, just to be safe.  In the
>>> meantime, any advice would be appreciated.
>>
>> Is it an option to not do accounting? Or maybe queue the acct in
>> files rather
>> than a proper backend (for me, the issue happened in combination
>> with mysql).
>> I never tried if the hangs occur also when logging to a file.
>>
>> Greetings,
>>
>> Stefan Winter
>>
>> --
>> Stefan WINTER
>>
>> Fondation RESTENA - Réseau Téléinformatique de l'Education
>> Nationale et de
>> la Recherche - Ingénieur de recherche
>>
>> 6, rue Richard Coudenhove-Kalergi
>> L-1359 Luxembourg


Re: VLAN assigment and Alcatel Omniswitch 7800

2007-02-13 Thread Oxiel Contreras
Hello Marcel

> I suggest you look into chapter 22 of your 7700/7800/8800 Network
> Configuration Guide, where dot1x is explained. Somewhere in the first
> few pages of this chapter is an explanation of assigning users to VLANs
> based on RADIUS authentication. Authenticated VLAN appears to be
> something completely different (although it uses RADIUS and assigns
> VLANs to users, the methods are different, probably more like a captive
> portal). It looks like you'll need to provide the VLAN number in a VSA
> (see chapter 20).

I did read it; that's why I began to try this setup in the first place, but 
I have to confess my ignorance about the VSA topic: I didn't understand it 
completely until recently. Thanks a lot for your help.

> Because I work at Alcatel-Lucent (as you can probably see from my e-mail
> address), a big fat disclaimer is in place: This mail does not represent
> Alcatel-Lucent in any way. Everything I have written in this mail is
> either my opinion or information I interpreted from publically available
> documents (I found the manuals through Google on a server that, judging
> from its name, is open for public access). I don't work in a department
> that has anything to do with Omniswitches and have not used them myself.
> Because of that, this information may be inaccurate or even plain wrong,
> Alcatel-Lucent is not responsible for the accuracy of this information.
> I'm just trying to be helpful here based on what I know.

Indeed you were right, and I was wrong, at least according to what I was told 
by support at the first consultation.

For your tranquillity and my happiness :) it happens that no licenses were 
needed to support this task. I'll let you know what the final setup and 
solution is.

Thanks for your help again.

Best regards

Oxiel


Re: 1.1.4 stops responding to requests

2007-02-13 Thread Phil Allred
Interesting.  I don't think it is needed here.  I'll check with our 
wireless vendor, then give it a shot. 

Thanks very much!

Phil

Guilherme Franco wrote:
> Hello,
>  
> Same with me, but acct is necessary.
>  
> The solution was radsqlrelay.
>  
> Regards,
>  
> Guilherme
>  
> On 2/13/07, *Stefan Winter* <[EMAIL PROTECTED] 
> > wrote:
>
> Hi,
>
> > 1.1.4 will run for a few hours and then either stop responding to
> > requests or die.   There is no seg fault warning in any log
> file.  If I
> > restart radius, it then begins answering again.  Since it is a
> > production environment in which 300-500 users are connected at
> any given
> > time, we were unable to simply turn on debugging and look for
> problems.
> > Once we realized the problem we had to quickly revert to 1.0.5
> for now
> > and make our relatively few Vista users for a little longer.
>
> Interesting... I've been seeing exactly this happening on our own
> system. In
> our case, I could track it down to the fact that it stopped responding
> shortly after accounting packets came in. Turning off accounting
> (already on
> NAS level) deterministically solved the problem for me, so I
> suspect the
> problem to be somewhere near there.
> I never followed this trace, because accounting is optional at our
> site (free
> wireless) and it was our prod environment, I didn't want to mess
> around
> without a good reason. So accounting is just off at the moment.
>
> > I am going to try running it in debug mode over a weekend in a
> > particular subset of the school's wireless network where not
> many users
> > would be affected by a crash and see if I can collect any more
> > information.  I will do it on a system that never had any earlier
> > version of freeradius installed on it, just to be safe.  In the
> > meantime, any advice would be appreciated.
>
> Is it an option to not do accounting? Or maybe queue the acct in
> files rather
> than a proper backend (for me, the issue happened in combination
> with mysql).
> I never tried if the hangs occur also when logging to a file.
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
>
> Fondation RESTENA - Réseau Téléinformatique de l'Education
> Nationale et de
> la Recherche - Ingénieur de recherche
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>


Re: rlm_postgresql , accounting and Framed-IP-Address

2007-02-13 Thread Francisco Gimeno

Hello, thanks for your answer!

Then how could I put the IP there?
Is the post-auth hook the right place?

2007/2/12, Phil Mayers <[EMAIL PROTECTED]>:


Francisco Gimeno wrote:
>
> The %{reply:Framed-IP-Address} or %{Framed-IP-Address} isn't xlated at
> all... SQL module is executed after sqlippool, so, that variable should
> be available.

Nope. Accounting replies contain NO attributes, therefore reply:Anything
is invalid/empty.

For accounting queries to log the IP address, your NAS must send the
Framed-IP-Address attribute in the accounting request. If it doesn't (as
it must not be) you can't log it.

Consult the documentation for your NAS.

You've undoubtedly taken that reply:Framed-IP-Address from the
"post-auth" query where it is valid.



Mysql - radcheck, radreply, radgroupcheck and radgroupreply

2007-02-13 Thread Fabrício F. Kammer
Can anyone help me with this?


Hi,

I'm using FreeRADIUS + MySQL to do MAC address authentication of the 
clients that connect to my APs (Mikrotik machines).

In MySQL I have the following:

Table usergroup:
UserName = MAC address
GroupName = NAS-Port-ID - (the name of the AP where the client will be 
connected - ex. "MyAP1")

Table radgroupcheck:
GroupName = NAS-Port-ID - (the name of the AP where the client will be 
connected - ex. "MyAP1")
Then I have four lines for each GroupName with the following:
Attribute: "Auth-Type" // op: ":=" // Value: "Local"
Attribute: "NAS-IP-Address" // op: "==" // Value: "IP of the AP"
Attribute: "NAS-Port-Identify" // op: "==" // Value: "Name of the AP - 
Ex: MyAP1"

On the table radcheck I don't have anything. This table is empty.

In the table radreply I've one record:
UserName: "MAC Address of the client"
Attribute: "Mikrotik-Rate-Limite"
op: "="
Value: "64000/128000"

The problem is: if FreeRADIUS doesn't find the UserName in the table 
radcheck, it doesn't return the attributes that are in the table 
radreply; only the records of the table radgroupreply are returned. I 
need the reply to be different for each client because this 
parameter is the upload and download speed and these values are 
different for each client.

My question is: is it possible for FreeRADIUS to return the values of 
the table radreply if I don't have any value in radcheck? (The 
authentication was done via the radgroupcheck table.)

Thanks in advance,

Fabrício F. Kammer


Re: 1.1.4 stops responding to requests

2007-02-13 Thread Guilherme Franco

Hello,

Same with me, but acct is necessary.

The solution was radsqlrelay.

Regards,

Guilherme

On 2/13/07, Stefan Winter <[EMAIL PROTECTED]> wrote:


Hi,

> 1.1.4 will run for a few hours and then either stop responding to
> requests or die.   There is no seg fault warning in any log file.  If I
> restart radius, it then begins answering again.  Since it is a
> production environment in which 300-500 users are connected at any given
> time, we were unable to simply turn on debugging and look for problems.
> Once we realized the problem we had to quickly revert to 1.0.5 for now
> and make our relatively few Vista users for a little longer.

Interesting... I've been seeing exactly this happening on our own system.
In
our case, I could track it down to the fact that it stopped responding
shortly after accounting packets came in. Turning off accounting (already
on
NAS level) deterministically solved the problem for me, so I suspect the
problem to be somewhere near there.
I never followed this trace, because accounting is optional at our site
(free
wireless) and it was our prod environment, I didn't want to mess around
without a good reason. So accounting is just off at the moment.

> I am going to try running it in debug mode over a weekend in a
> particular subset of the school's wireless network where not many users
> would be affected by a crash and see if I can collect any more
> information.  I will do it on a system that never had any earlier
> version of freeradius installed on it, just to be safe.  In the
> meantime, any advice would be appreciated.

Is it an option to not do accounting? Or maybe queue the acct in files
rather
than a proper backend (for me, the issue happened in combination with
mysql).
I never tried if the hangs occur also when logging to a file.

Greetings,

Stefan Winter

--
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg



Re: 1.1.4 stops responding to requests

2007-02-13 Thread Stefan Winter
Hi,

> 1.1.4 will run for a few hours and then either stop responding to
> requests or die.   There is no seg fault warning in any log file.  If I
> restart radius, it then begins answering again.  Since it is a
> production environment in which 300-500 users are connected at any given
> time, we were unable to simply turn on debugging and look for problems.
> Once we realized the problem we had to quickly revert to 1.0.5 for now
> and make our relatively few Vista users for a little longer.

Interesting... I've been seeing exactly this happening on our own system. In 
our case, I could track it down to the fact that it stopped responding 
shortly after accounting packets came in. Turning off accounting (already on 
NAS level) deterministically solved the problem for me, so I suspect the 
problem to be somewhere near there.
I never followed this trace, because accounting is optional at our site (free 
wireless) and it was our prod environment, I didn't want to mess around 
without a good reason. So accounting is just off at the moment.

> I am going to try running it in debug mode over a weekend in a
> particular subset of the school's wireless network where not many users
> would be affected by a crash and see if I can collect any more
> information.  I will do it on a system that never had any earlier
> version of freeradius installed on it, just to be safe.  In the
> meantime, any advice would be appreciated.

Is it an option to not do accounting? Or maybe queue the acct in files rather 
than a proper backend (for me, the issue happened in combination with mysql). 
I never tried if the hangs occur also when logging to a file.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg




Re: Re: Re: nas table in rlm_sql module - usage

2007-02-13 Thread A . L . M . Buxey
Hi,

> SQL refuses to start when I comment out the INCLUDE line with clients.conf.
> Is there anything else I have to change so that it knows to look to SQL for
> a table of acceptable NAS's and to get it to run other than commenting out
> this INCLUDE statement?

last time I looked, you still had to have a stub clients.conf - even with just
a fake client in it.

to USE the NAS SQL table, simply look at the bottom few lines of sql.conf -
it's self-documented!

# Set to 'yes' to read radius clients from the database ('nas' table)
readclients = yes


ensure that the other lines in sql.conf are okay eg

nas_table = "nas"
#  NAS Query
nas_query = "SELECT id, nasname, shortname, type, secret FROM 
${nas_table}"


alan


Re: Re: Re: nas table in rlm_sql module - usage

2007-02-13 Thread ChristosH

SQL refuses to start when I comment out the INCLUDE line with clients.conf.
Is there anything else I have to change so that it knows to look to SQL for
a table of acceptable NAS's and to get it to run other than commenting out
this INCLUDE statement?


tzieleniewski wrote:
> 
> Yes I checked it.
> You may comment it out from the radiusd.conf file.
> 
>> Is there anything I have to config so it doesn't touch the config files?
>> How
>> do I move the server onto pure SQL for the NAS list? Can the clients.conf
>> file be totally empty?
>> 
>> 
>> tzieleniewski wrote:
>> > 
>> > What I managed to figure out is that nasname is a source for a name to
>> ip
>> > resolving.
>> > So probably the nasname has to be different (its ip resolution) from
>> the
>> > one specified in the clients.conf file.
>> > Well those of course are only my suggestions:)
>> > 
>> > Cheers 
>> > -tomasz
>> >>


1.1.4 stops responding to requests

2007-02-13 Thread Phil Allred
Just a heads up:  In our production environment here at Brooklyn Law 
School, 1.1.4 stops responding to RADIUS requests after a few hours.  We 
have used FreeRADIUS for some time (and love it) to authenticate 
wireless users to our LDAP servers.  We use it with two different 
wireless systems, Trapeze and Colubris, which each do 802.1X 
authentication to FreeRADIUS servers using PEAP and MSCHAPv2.  We run it 
on three different servers.  When Vista came along, we had to upgrade 
from 1.1.4 to 1.0.5.  We run Fedora Core 5 and Fedora Core 6 on these 
servers.  Because there is no 1.1.4 rpm out yet for Core 5 or Core 6, 
we built FreeRADIUS from source.  Since we are in a production 
environment, we were careful to use non-overlapping directory structures 
when we compiled and installed 1.1.4 so that if there was a problem, we 
could quickly go back to the rpm.

1.1.4 will run for a few hours and then either stop responding to 
requests or die.   There is no seg fault warning in any log file.  If I 
restart radius, it then begins answering again.  Since it is a 
production environment in which 300-500 users are connected at any given 
time, we were unable to simply turn on debugging and look for problems.  
Once we realized the problem we had to quickly revert to 1.0.5 for now 
and make our relatively few Vista users for a little longer.

I am going to try running it in debug mode over a weekend in a 
particular subset of the school's wireless network where not many users  
would be affected by a crash and see if I can collect any more 
information.  I will do it on a system that never had any earlier 
version of freeradius installed on it, just to be safe.  In the 
meantime, any advice would be appreciated.

Thanks,
Phil Allred


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Davide Molteni
Ok you got it! It was a simple user permissions problem on the file
clients.conf! Shame on me...
The daemon tried to read the old configuration files clients and naslist
just because the user that runs radiusd can't access the actual clients.conf.
Now everything is working fine. I have to review some concepts on Cisco
AAA because it won't authorize my users but just authenticates them, but
this issue is surely on the Cisco side.

Thanks a lot for the quick help 
Davide



On Tue, 13/02/2007 at 15:26 +0100, Alan DeKok wrote:
> Davide Molteni wrote:
> >>> Error: Ignoring request from unknown client ipmycisco:1645
> >>   Did you configure the server to have that IP in "clients.conf"?
> > 
> > Sure! With the IP and the same shared key as the cisco NAS client
> 
> The server isn't finding it.
> 
>   Are you sure the server is reading the "clients.conf" file you're editing?
> 
> > Please notice that I would like to use this radius for simple PAP ONLY.
> > Maybe I'm doing something wrong with users file?
> 
>   No.
> 
> > Please tell me the right way to configure a single test user for PAP
> > only. I would like to disable unused modules (ldap,mysql...)
> 
>   It's in the FAQ.
> 
> > It couldn't be a problem of authentication method?
> 
>   No.
> 
> > I forgot an important element to tell anyone wants to help.
> > I tried to change the shared key on one side (radius) and noticed that
> > log file continue to write again the same error
> > 
> > Ignoring request from unknown client IP:1645
> > 
> > So the issue it's due to the fact that cisco client don't exchange
> > shared key with radius...
> 
>   No.  They don't exchange shared keys.  You MUST list the Cisco's IP in
> "clients.conf".
> 
>   It looks like you're not doing that, or you're doing it wrong, or
> you're editing a file the server isn't reading.
> 
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Alan DeKok
Davide Molteni wrote:
>>> Error: Ignoring request from unknown client ipmycisco:1645
>>   Did you configure the server to have that IP in "clients.conf"?
> 
> Sure! With the IP and the same shared key as the cisco NAS client

The server isn't finding it.

  Are you sure the server is reading the "clients.conf" file you're editing?

> Please notice that I would like to use this radius for simple PAP ONLY.
> Maybe I'm doing something wrong with users file?

  No.

> Please tell me the right way to configure a single test user for PAP
> only. I would like to disable unused modules (ldap,mysql...)

  It's in the FAQ.

> It couldn't be a problem of authentication method?

  No.

> I forgot an important element to tell anyone wants to help.
> I tried to change the shared key on one side (radius) and noticed that
> log file continue to write again the same error
> 
> Ignoring request from unknown client IP:1645
> 
> So the issue it's due to the fact that cisco client don't exchange
> shared key with radius...

  No.  They don't exchange shared keys.  You MUST list the Cisco's IP in
"clients.conf".

  It looks like you're not doing that, or you're doing it wrong, or
you're editing a file the server isn't reading.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
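As an added illustration of Alan's point (my own example code, not FreeRADIUS's), here is the RFC 2865 PAP exchange end to end: the secret is never transmitted; it keys the hiding of User-Password and the Response Authenticator, so the server must already know the secret for the packet's source address, which is what clients.conf (or the SQL nas table) supplies. The addresses, secret and user are constructed.

```python
"""Minimal RFC 2865 PAP exchange: the shared secret is never transmitted, it only
keys the MD5 steps that hide User-Password and produce the Response Authenticator.
Constructed example, not FreeRADIUS code; addresses, secrets and users are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
CLIENTS = {"192.0.2.10": b"testing123"}   # what clients.conf supplies: NAS IP -> secret
USERS = {"jose": b"s3cret"}               # constructed PAP user entry


def encode_attrs(attrs):
    """Type-Length-Value encoding of (type, bytes) pairs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with an MD5 chain
    keyed by the secret and the Request Authenticator."""
    pad = 16 if not password else (-len(password)) % 16
    p = password + b"\0" * pad
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(p[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; with the wrong secret the result is garbage."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_request(ident, user, password, secret):
    """NAS side: the secret shapes the bytes but never appears in them."""
    req_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, user.encode()),
                         (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def handle_request(src_ip, pkt):
    """Server side. Returns (log line, response bytes or None)."""
    secret = CLIENTS.get(src_ip)
    if secret is None:   # the case behind the 'unknown client' error in this thread
        return "Ignoring request from unknown client %s" % src_ip, None
    ident, length = pkt[1], struct.unpack("!H", pkt[2:4])[0]
    req_auth, attrs = pkt[4:20], parse_attrs(pkt[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = hmac.compare_digest(given, USERS.get(user, b"\0"))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = encode_attrs([(REPLY_MESSAGE, b"ok" if ok else b"bad credentials")])
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(hdr + req_auth + body + secret).digest()
    return "Sending %s of id %d to %s" % (CODE_NAMES[code], ident, src_ip), hdr + resp_auth + body


def verify_response(pkt, req_auth, secret):
    """NAS side: recompute the Response Authenticator with its own copy of the secret."""
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:length] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)


def demo(src_ip="192.0.2.10", nas_secret=b"testing123", password=b"s3cret"):
    """One round trip: (server log line, reply code, reply verified by the NAS)."""
    req, req_auth = build_request(7, "jose", password, nas_secret)
    assert nas_secret not in req          # the secret itself is never on the wire
    log, resp = handle_request(src_ip, req)
    if resp is None:
        return log, None, None
    return log, resp[0], verify_response(resp, req_auth, nas_secret)
```

A mismatched secret on either side does not produce an error message about the secret: the server sees a garbled password and rejects, and the NAS cannot verify the reply, which is why the thread's advice is to check the client entry rather than the authentication method.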


Re: Problems regarding MAC address authentication

2007-02-13 Thread Alan DeKok
Shobhit Jindal wrote:
> how to implement the above?(this is the question that eludes me)
> 
> PS: i would really like to know why filtering the ldap database using
> uid works and fails while using radiusCallingStationId

  See your LDAP documentation.

  Run LDAP queries by hand until you get the result you want, and then
configure the server to use those queries.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Problems regarding MAC address authentication

2007-02-13 Thread Shobhit Jindal

On 2/13/07, Alan DeKok <[EMAIL PROTECTED]> wrote:

> > radiusCallingStationId: 00-90-4B-ED-AB-52
>
>   Please read the documentation and the debug output.  This entry in
> LDAP says "send the Calling-Station-Id attribute in the Access-Accept".
> It is documented as doing that, and the debug log shows it's doing that.

How can a field alone say that it is a reply item or a check item?
My ldap.attrmap says

checkItem   Calling-Station-Id  radiusCallingStationId

> You can't just list things in configurations, and magically expect it
> to do what you want.

Yeah, I am a newbie for the FreeRADIUS server but am trying my best :)

>  If you put the MAC into another field in LDAP, you can query the LDAP
> server for that field, and see if it matches the field in the packet.

How to implement the above? (This is the question that eludes me.)

PS: I would really like to know why filtering the LDAP database using uid
works and fails while using radiusCallingStationId.

cheers for helping out :)
--
Registerd Linux User #426561
-
Shobhit Jindal
B.Tech. Part-III,
Department Of Electronics Engineering, ITBHU
INDIA

Re: wep encryption

2007-02-13 Thread A . L . M . Buxey
Hi,

> Active Directory. I am looking to add encryption, but unfortunately many
> of my wireless devices are older 802.11b devices that can't handle wpa.
> I am also restricted in how much I am allowed to put the end user
> through. Is there a way to centralize a WEP key in the server, as I have
> 26 access points that I would hope not to have to go into individually
> to add encryption (I already need to set up 70+ devices). Because I
> can't put any truly strong protection on the network, and I can't take
> the wlan off of the main network, I am trying to add as many layers of
> lesser protection as I can. Does anyone have any other ideas for me?
> Thanks

in a word, no. FreeRADIUS can help in WPA because it does the EAP methods.
with WEP you are really stuck with configuring single APs - or, in a centralised
system, configuring WEP on the central controller.

WEP is pretty pointless too.

If I were put into that environment I would push for open wireless that requires
authentication before you can get anywhere - ie use VPN technology. Clients
install eg OpenVPN and that's configured to talk to the OpenVPN server after
they've authenticated. Only when they have a VPN tunnel do they get network
access. 2048 bit SSL keys are somewhat better than any form of WEP. You also
don't need to go around shouting out the WEP key to all and sundry - only valid
users can authenticate. You could even use FreeRADIUS as the OpenVPN
authenticator!!  :-)

alan


wep encryption

2007-02-13 Thread Hillary Marek
Hello.  I have a FreeRADIUS 1.1.4 server set up on Fedora Core 6. Right
now I have it set up to filter MAC addresses and to authenticate against
Active Directory. I am looking to add encryption, but unfortunately many
of my wireless devices are older 802.11b devices that can't handle WPA.
I am also restricted in how much I am allowed to put the end user
through. Is there a way to centralize a WEP key in the server, as I have
26 access points that I would hope not to have to go into individually
to add encryption (I already need to set up 70+ devices)? Because I
can't put any truly strong protection on the network, and I can't take
the WLAN off of the main network, I am trying to add as many layers of
lesser protection as I can. Does anyone have any other ideas for me?
Thanks
 
 
Hillary Marek
Hazen Paper Co.
 
 

RE: EAP-PEAP/MS-ChapV2 password storing options

2007-02-13 Thread Matt Ashfield
Thanks for the link!

BTW, I have nothing against SecureW2, but if we don't have to install an
extra piece of software on 10,000 computers on campus, I'd like to avoid it!


Matt
-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: February 13, 2007 2:57 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: EAP-PEAP/MS-ChapV2 password storing options

Matt Ashfield wrote:
> We're trying to implement username/password authentication and so far are
> using EAP-PAP (with secureW2 client) because our passwords are stored in
> LDAP in a 1-way encrypted hash. 

  What's EAP-PAP?

> We're hoping to get away from this secureW2 implementation and would like
to
> use Windows built-in authentication, which seems to be EAP-PEAP with
> MS-ChapV2 authentication. 

  What's wrong with SecureW2?

> In order to get EAP-PEAP/MS-ChapV2 to work with FreeRadius, what are my
> options for storing the password in LDAP? Does it have to be clear-text?

http://deployingradius.com/documents/protocols/compatibility.html

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog




Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread A . L . M . Buxey
Hi,

> Ok just after this test i have 
> 
> after many tries "Re-Sending Access-Request ..."
> 
> radclient: no response from server for ID 250


sounds like you have a firewall blocking the request or that your server is not 
active!

in one window, run 'radiusd -X' at the same time as the 'radtest'; this is the
best debug method for this level of issue.

then, run e.g. on Linux box

iptables -L -n

if you have firewall. add UDP ports 1812/1813 

slsn


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Walt Reynolds

I had the problem before and it was because in the clients.conf file I 
had written clients (with an s) and not client.

> 
> Message: 1
> Date: Tue, 13 Feb 2007 12:13:08 +0100
> From: Davide Molteni <[EMAIL PROTECTED]>
> Subject: Re: Error: Ignoring request from unknown client IP:1645
> To: freeradius list 
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
> 
> I'm very sorry Alan for replying to your own email address and not on
> the list. Here it is
> 
> 
> On Mon, 12/02/2007 at 13:35 +0100, Alan DeKok wrote:
>> Davide Molteni wrote:
>>
>>> On the cisco I configured:
>>> radius-server host ipmyradius auth-port 1812 acct-port 1813
>>> and the other aaa commands needed
>>>
>>> If I look at the radius.log file I always see
>>>
>>> Error: Ignoring request from unknown client ipmycisco:1645
>>   Did you configure the server to have that IP in "clients.conf"?
> 
> Sure! With the IP and the same shared key as the cisco NAS client
> 
>>> The Cisco router keeps always trying to connect to radius using port
>>> 1645 even if I specified to use 1812...
>>   That's a bug in the Cisco router.
> 
> Yeah, but is this a problem for freeradius to work properly? Do I need to set
> freeradius to listen on 1645 in radiusd.conf? Or do I need to change it
> in /etc/services?
> 
>>> I have tried to configure radius
>>> server to listen on port 1645 but is the same. 
>>   Listening on port 1645 won't make the server believe that
> "ipmycisco"
>> is a known client.
> 
> Well I know this very well in fact, the client that is ignored is
> properly configured in clients.conf
>>> The microsoft radius integration(server 2003) worked at first try
> with
>>> this cisco config...
>>   Really.  Did you configure the Cisco box as a client in the MS
> RADIUS
>> server?
> 
> Yes, sure I had to put in the ms radius the cisco box as a client
> otherwise it wouldn't work...
> 
> Please notice that I would like to use this radius for simple PAP ONLY.
> Maybe I'm doing something wrong with users file?
> Please tell me the right way to configure a single test user for PAP
> only. I would like to disable unused modules (ldap,mysql...)
> 
> Couldn't it be a problem of the authentication method?
> 
> I forgot an important element to tell anyone wants to help.
> I tried to change the shared key on one side (radius) and noticed that
> log file continue to write again the same error
> 
> Ignoring request from unknown client IP:1645
> 
> So the issue is due to the fact that the cisco client doesn't exchange the
> shared key with radius...
> 
> Can this help to focus the problem better?
> 
> thanks in advance
> 

-- 
Walt Reynolds
Principle Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Davide Molteni
On Tue, 13/02/2007 at 11:59 +, [EMAIL PROTECTED] wrote:
> Hi,
> 
> > client localhost {
> > secret = 181180
> > shortname = localhost
> > nastype = other
> > }
> > 
> > client 192.168.0.1 {
> > secret = 181180
> > shortname = testcisco
> > nastype = cisco
> > }
> > 
> 
> those look fine. have you actually tried a 'radtest' on the local server
> to check all is well?  eg put the following into your 'users' file
> 
> testuser01  Auth-Type:=Local, User-Password=="ehwtehi"
> 
> 
> restart radiusd process then do
> 
> radtest testuser01 ehwtehi localhost 1812 181180

Ok, just after this test I have

after many tries "Re-Sending Access-Request ..."

radclient: no response from server for ID 250

This is without any change to radiusd.conf. Now I will make all the
modifications you suggested and send you the results.
I'm not proxying.
The freeradius version is 1.0.1
 
> 
> 
> 
> this is pure and simple PAP authentication at its best.
> 
> 
> 
> > ## radiusd.conf -- FreeRADIUS server configuration file.
> 
> which version of freeradius? this config is a bit crusty for a 1.x
> install
> 
> change the following parts
> 
> 
> #bind_address = *
> #port = 0
> 
> listen {
>     #  IP address on which to listen.
>     #  Allowed values are:
>     #    dotted quad (1.2.3.4)
>     #    hostname    (radius.example.com)
>     #    wildcard    (*)
>     ipaddr = *
> 
>     #  Port on which to listen.
>     #  Allowed values are:
>     #    integer port number (1812)
>     #    0 means "use /etc/services for the proper port"
>     port = 1645
> 
>     #  Type of packets to listen for.
>     #  Allowed values are:
>     #    auth    listen for authentication packets
>     #    acct    listen for accounting packets
>     #
>     type = auth
> }
> 
> this uses the 1.x listen directive. I've also changed the port to 1645 - as
> you say your cisco is expecting this port!
> 
> > proxy_requests  = yes
> > $INCLUDE  ${confdir}/proxy.conf
> 
> are you proxying? you didn't say so. you should set this to no(!)
> 
> > #  Supports multiple encryption schemes
> > #  clear: Clear text
> > #  crypt: Unix crypt
> > #    md5: MD5 encryption
> > #   sha1: SHA1 encryption.
> > #  DEFAULT: crypt
> > pap {
> >     encryption_scheme = crypt
> > }
> 
> to do the radtest I mentioned above, this value needs to be 'clear'
> 
> you need a crypted version of that password if you wish to use 'crypt'
> 
> 
> as for all the rest: if you aren't using it, comment it out.
> 
> alan


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread A . L . M . Buxey
Hi,

> client localhost {
>   secret = 181180
>   shortname = localhost
>   nastype = other
> }
> 
> client 192.168.0.1 {
>   secret = 181180
>   shortname = testcisco
>   nastype = cisco
> }
> 

those look fine. have you actually tried a 'radtest' on the local server
to check all is well?  eg put the following into your 'users' file

testuser01  Auth-Type:=Local, User-Password=="ehwtehi"


restart radiusd process then do

radtest testuser01 ehwtehi localhost 1812 181180



this is pure and simple PAP authentication at its best.



> ## radiusd.conf   -- FreeRADIUS server configuration file.

which version of freeradius? this config is a bit crusty for a 1.x
install

change the following parts


#bind_address = *
#port = 0

listen {
    #  IP address on which to listen.
    #  Allowed values are:
    #    dotted quad (1.2.3.4)
    #    hostname    (radius.example.com)
    #    wildcard    (*)
    ipaddr = *

    #  Port on which to listen.
    #  Allowed values are:
    #    integer port number (1812)
    #    0 means "use /etc/services for the proper port"
    port = 1645

    #  Type of packets to listen for.
    #  Allowed values are:
    #    auth    listen for authentication packets
    #    acct    listen for accounting packets
    #
    type = auth
}

this uses the 1.x listen directive. I've also changed the port to 1645 - as you
say your cisco is expecting this port!

> proxy_requests  = yes
> $INCLUDE  ${confdir}/proxy.conf

are you proxying? you didn't say so. you should set this to no(!)

> #  Supports multiple encryption schemes
> #  clear: Clear text
> #  crypt: Unix crypt
> #    md5: MD5 encryption
> #   sha1: SHA1 encryption.
> #  DEFAULT: crypt
> pap {
>     encryption_scheme = crypt
> }

to do the radtest I mentioned above, this value needs to be 'clear'

you need a crypted version of that password if you wish to use 'crypt'


as for all the rest: if you aren't using it, comment it out.

alan
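An added example, not from this thread and not FreeRADIUS code, covering the two things Alan's message and Davide's follow-up turn on: the PAP exchange that radtest performs, and the order in which a RADIUS server checks an incoming request. It implements the User-Password hiding of RFC 2865 section 5.2 and the Response Authenticator of section 3, with a toy server whose first step is the source-address lookup in its client table. That lookup uses no secret, so a request from an address that is not a client is dropped without any reply (the client side sees only "no response from server"), whatever shared secret either end holds; a wrong secret, by contrast, produces a reply that the client cannot authenticate. The client table, the users entry and the secret are constructed to mirror the configuration quoted above; the packet identifier 250 is taken from the radclient message.

```python
"""Added example: RFC 2865 PAP Access-Request/reply exchange and the server's check order."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

# Constructed to match the clients.conf and users entries quoted in the thread.
CLIENTS = {"127.0.0.1": b"181180", "192.168.0.1": b"181180"}
USERS = {"testuser01": "ehwtehi"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. With the wrong secret this yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")  # removes the padding (and any genuine trailing NULs)


def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(ident: int, user: str, password: str, secret: bytes, req_auth: bytes) -> bytes:
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(body: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")  # a real server logs and drops the packet
        length = body[i + 1]
        attrs[body[i]] = body[i + 2:i + length]
        i += length
    return attrs


def server_handle(packet: bytes, src_ip: str):
    """Returns the reply bytes, or None when the server drops the request silently."""
    # 1. Is the source address a known client? This comes first and uses no secret:
    #    an unknown address is dropped whatever secret the NAS was configured with.
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None  # what the log reports as: Ignoring request from unknown client <ip>:<port>
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        return None
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    # 2. Only now is the shared secret used, to unhide User-Password.
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in USERS and hmac.compare_digest(USERS[user].encode(), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # 3. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def run_exchange(src_ip: str, user: str, password: str, client_secret: bytes) -> str:
    """Drives one request the way radtest would and returns what the client observes."""
    req_auth = os.urandom(16)
    request = build_access_request(250, user, password, client_secret, req_auth)
    reply = server_handle(request, src_ip)
    if reply is None:
        return "no-response"        # radclient: no response from server for ID 250
    if not client_verify_reply(reply, req_auth, client_secret):
        return "bad-authenticator"  # secrets differ: a reply arrives but cannot be trusted
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(run_exchange("127.0.0.1", "testuser01", "ehwtehi", b"181180"))   # accept
    print(run_exchange("10.0.0.9", "testuser01", "ehwtehi", b"181180"))    # no-response
    print(run_exchange("192.168.0.1", "testuser01", "ehwtehi", b"wrong"))  # bad-authenticator
```

The three outcomes map onto the symptoms in the thread: "no-response" is the unknown-client case (or a firewall, which looks identical from the client), "bad-authenticator" is a shared-secret mismatch, and only once both are right does the PAP comparison against the users file decide between accept and reject. Note that the MD5-based hiding above is not encryption in any modern sense; it is why RADIUS should run over a trusted network or inside IPsec/TLS.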


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread A . L . M . Buxey
Hi,

> I'm very sorry Alan for replying to your own email address and not on
> the list. Here it is

your errors are symptomatic of a trivial but basic configuration munge.
can you email your clients.conf and radiusd.conf files?

alan


Re: radwho is not working

2007-02-13 Thread Angel L. Mateo
Hello,

More info about my problem... In the radius.log file I have a lot of
entries of the form:

Tue Feb 13 12:12:13 2007 : Error: rlm_radutmp: Logout for NAS ap port
1627, but no Login record
Tue Feb 13 12:12:35 2007 : Error: rlm_radutmp: Logout for NAS ap port
3100, but no Login record
Tue Feb 13 12:12:46 2007 : Error: rlm_radutmp: Logout for NAS ap port
8726, but no Login record

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Davide Molteni
I'm very sorry Alan for replying to your own email address and not on
the list. Here it is


On Mon, 12/02/2007 at 13:35 +0100, Alan DeKok wrote:
> Davide Molteni wrote:
> 
> > On the cisco I configured:
> > radius-server host ipmyradius auth-port 1812 acct-port 1813
> > and the other aaa commands needed
> > 
> > If I look at the radius.log file I always see
> > 
> > Error: Ignoring request from unknown client ipmycisco:1645
> 
>   Did you configure the server to have that IP in "clients.conf"?

Sure! With the IP and the same shared key as the cisco NAS client

> 
> > The Cisco router keeps always trying to connect to radius using port
> > 1645 even if I specified to use 1812...
> 
>   That's a bug in the Cisco router.

Yeah, but is this a problem for freeradius to work properly? Do I need to set
freeradius to listen on 1645 in radiusd.conf? Or do I need to change it
in /etc/services?

> 
> > I have tried to configure radius
> > server to listen on port 1645 but is the same. 
> 
>   Listening on port 1645 won't make the server believe that
"ipmycisco"
> is a known client.

Well I know this very well in fact, the client that is ignored is
properly configured in clients.conf
> 
> > The microsoft radius integration(server 2003) worked at first try
with
> > this cisco config...
> 
>   Really.  Did you configure the Cisco box as a client in the MS
RADIUS
> server?

Yes, sure I had to put in the ms radius the cisco box as a client
otherwise it wouldn't work...

Please notice that I would like to use this radius for simple PAP ONLY.
Maybe I'm doing something wrong with users file?
Please tell me the right way to configure a single test user for PAP
only. I would like to disable unused modules (ldap,mysql...)

Couldn't it be a problem of the authentication method?

I forgot an important element to tell anyone wants to help.
I tried to change the shared key on one side (radius) and noticed that
log file continue to write again the same error

Ignoring request from unknown client IP:1645

So the issue is due to the fact that the cisco client doesn't exchange the
shared key with radius...

Can this help to focus the problem better?

thanks in advance


major problem with ntlm_auth and winbindd pipe

2007-02-13 Thread Habegger Lukas, ERZ-AZD-AIL
Hi All,

I use freeradius for peap-authentication and I have multiple samba/winbind
services to authenticate against different ADs.

In my setup I use a perl script to start the right winbindd for a request.

Now I have the problem that the winbind pipe sometimes dies.

Has anyone experience with dying winbind pipes in a freeradius peap
environment?

Can anyone help me?

Lukas
