RE: POD not work with radclient

2007-03-29 Thread Cory Robson
Well, I suppose we would need to see what information you are sending it and
what it is expecting. Nobody can see that except yourself, so there is probably
no way we can understand why it is not working.

I would suggest you double check the ascend-session-key and not the unique
session field.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of satish patel
Sent: Thursday, 29 March 2007 2:58 PM
To: FreeRadius users mailing list
Subject: Re: POD not work with radclient

 

But why is this not working for me? Everything is configured correctly, but
I still get the error NO match session ???

Peter Nixon [EMAIL PROTECTED] wrote:

On Wed 28 Mar 2007 16:30, satish patel wrote:
 Dear guys

 I am coming with a new problem. Now I have enabled POD packet
 of disconnect on a Cisco router, and now I am trying to disconnect a user with
 the radclient command, but I got this output

-snip-

 rad_recv: Disconnect-NAK packet from host 192.168.1.1:1700, id=115,
 length=41 Reply-Message = No Matching Session

That's a pretty easy to understand error message sent back by your NAS...

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




$ cat ~/satish/url.txt

System administrator ( Data Center )

please visit this site

http://linux.tulipit.com   

  

Re: EAP-TLS authentication

2007-03-29 Thread Alan DeKok
deepak kumar wrote:
 Thanks
 I have implemented EAP-TTLS, stored the EAP-Type value in the radpostauth table,
 and am able to connect to the internet without UAM.
 Once a user is authenticated through EAP-TTLS, his details are put in the
 radpostauth table and he is allowed to access the internet without UAM, but
 his accounting information is not stored in the radacct table.
 How do I store accounting information in radacct in the case of EAP-TTLS?

  This is in the FAQ.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: SNMP support for radius problem

2007-03-29 Thread satish patel
I am confused between two community keys: one which is stored in
/etc/raddb/snmp.conf

smux_password = verysecret

and a second which is located in /etc/snmp/snmpd.conf

smuxpeer .1.3.6.1.4.1.3317.1.3.1 verysecret
rocommunity public


So which one do I use to query freeradius ??

verysecret ???
public

Can anyone explain to me which one I use with the snmpwalk command, public or
verysecret ???

When I use public it gives me system information, not radius,
and when I use verysecret it gives me nothing, a timeout ???




Kevin Bonner [EMAIL PROTECTED] wrote:
On Wednesday 28 March 2007 08:17:00 satish patel wrote:
  main: smux_password = verysecret
  main: snmp_write_access = no
 SMUX connect try 1
 SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
 SMUX open progname: radiusd
 SMUX open password: verysecret
 SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
 SMUX register priority: -1
 SMUX register operation: 1
 SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
 SMUX register priority: -1
 SMUX register operation: 1
 Listening on authentication *:1812
 Listening on accounting *:1813
 Ready to process requests.
 SMUX read start
 SMUX read len: 12
 SMUX message received type: 67 rest len: 4
 SMUX_RRSP
 SMUX_RRSP value: 0 errstat: 0
 --- Walking the entire request list ---
 Nothing to do.  Sleeping until we see a request.

This looks good.  It successfully registered with the local SNMP daemon, which 
means FreeRADIUS is built with SNMP support and is properly configured.

 Now I have run snmpwalk but I didn't get any output from radius

 $snmpwalk -v 1 -c public localhost .1.3.6.1.2.1.67.1.1.1.1
 End of MIB

This looks correct as well.  Make sure the public community has permission to
view that OID tree.  I did test my local SNMP config and received the same
results when I restrict the public community from accessing that OID.

Kevin Bonner

solved: Re : OT: MAC OS X - wired 802.1x supplicant

2007-03-29 Thread Michael Messner

Hey,

Eshun Benjamin wrote:
 
 The link below will help
 http://docs.info.apple.com/article.html?artnum=303471
  
thanks a lot!

ca
mIke


Re: OT: MAC OS X - wired 802.1x supplicant

2007-03-29 Thread Stepan R.
Michael Messner wrote:


hey all,

 not a freeRADIUS problem but I hope that someone can help me.
I have no problem with my ibook to connect to a wireless network via
802.1x but I can't find any possibility to make a connection to a
802.1x-secured wired network!
Am I blind or is this not supported from OSX? Any other supplicants for
OSX available?

thanks for every info
  

Hi,

If you have at least OS X version 10.4.8, you have all types of 802.1x
built in (including TTLS-PAP) ... no need to install other supplicants.
The only problem is that sometimes the automatic detection of the
authentication type selects the wrong method.

Go to System Preference / Network / Airport and enter the 802.1x
details manually.

Stepan


Re: ACCESS-REJECT authentication messages are not logged

2007-03-29 Thread Alan DeKok
Grzegorz_Bech wrote:
 Hi
 I have difficulty in setting radius to create logs of ACCESS-REJECT
 authentication messages. It logs only ACCESS-ACCEPT packets (sent and
 received).

  You need to list the detail module in the post-auth section reject.
 See the sample radiusd.conf for details.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: radius-apache authentication problem

2007-03-29 Thread Nick Owen
On 3/28/07, Ramazan Ulker [EMAIL PROTECTED] wrote:
 Hi
 these are error lines in apache error log and apache conf files. thanks for
 your assistance

No problem. The fewer passwords the better :).  I don't see anything
that stands out.  However, when I set up apache with our two-factor I
did everything inside of httpd.conf inside the vhost listing:

<VirtualHost>

  <Location /WiKIDBlog/*/cbentry_view>
    AuthType Basic
    AuthName "WiKID Two-factor + Apache"
    # RADIUS server host:port, then the shared secret
    AuthXRadiusAddServer "wikid_server:1812" "radius_secret"
    AuthXRadiusTimeout 7
    AuthXRadiusRetries 2
    require valid-user
  </Location>
</VirtualHost>

So, perhaps apache is getting confused about what mechanism to use
where, putting it all in one place might clarify things.

HTH,

Nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/


Re: logging trouble

2007-03-29 Thread Alan DeKok
Brad Lachel wrote:

 When the detail module is loaded, the auth_log appears to get loaded,  
 but the reply_log does not.

  Most likely because it's not being referenced from anywhere.

 It is probably due more to my lack of knowledge in this area.

  Can you post the contents of the post-auth section?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: logging trouble

2007-03-29 Thread Brad's Junk Mail
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
  detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
  realm: format = suffix
  realm: delimiter = @
  realm: ignore_default = no
  realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
  files: usersfile = /usr/local/etc/raddb/users
  files: acctusersfile = /usr/local/etc/raddb/acct_users
  files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
  files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
  acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
  detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
  radutmp: filename = /usr/local/var/log/radius/radutmp
  radutmp: username = %{User-Name}
  radutmp: case_sensitive = yes
  radutmp: check_with_nas = yes
  radutmp: perm = 384
  radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
  detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.



Here are the lines I thought were relevant from the radius.conf file:

  detail auth_log {
          detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

          # This MUST be 0600, otherwise anyone can read
          # the users passwords!
          detailperm = 0600
  }

  #
  #  This module logs authentication reply packets sent
  #  to a NAS.  Both Access-Accept and Access-Reject packets
  #  are logged.
  #
  #  You will also need to un-comment the 'reply_log' line
  #  in the 'post-auth' section, below.
  #
  detail reply_log {
          detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d

          #
          #  This MUST be 0600, otherwise anyone can read
          #  the users passwords!
          detailperm = 0600
  }

  #
  #  If you want to have a log of authentication requests,
  #  un-comment the following line, and the 'detail auth_log'
  #  section, above.
  auth_log

  #
  #  If you want to have a log of authentication replies,
  #  un-comment the following line, and the 'detail reply_log'
  #  section, above.
  reply_log












-
All e-mail to and from this address is subject to the Acceptable Use Policies 
of Community High School District #155. All e-mail may be monitored and/or 
disclosed to third parties. Any views or opinions presented in an e-mail are 
solely those of the author and may not represent those of Community High School 
District #155.

Community High School District #155
http://www.d155.org



Re: Problems with freeradius 1.1.5 (2.0.0) 20070322 with postgresql (SIGHUP = segmentation fault)

2007-03-29 Thread Alan DeKok
Claudiu Filip wrote:
...
 Second:
 8x-8x--
 rlm_sql_postgresql: Status: PGRES_TUPLES_OK
 rlm_sql_postgresql: query affected rows = 3 , fields = 5
 rlm_sql (sql): Read entry nasname=1.2.3.4,shortname=nume,secret=secret
 rlm_sql (sql): Adding client 1.2.3.4 (nume) to clients list
 Segmentation fault (core dumped)

  OK.  I don't put clients into SQL, so I haven't tested that portion of
the code.
...
  So, we free the same location..
  I guess the problem is in the clients_parse_section which doesn't
  return a new address space.

  A better solution is this:

  - remove the read clients from SQL code in src/modules/rlm_sql.
  - add configuration to the clients section, e.g.:

client 192.168.0.0/16 {
query = %{sql: SELECT }
}

  And have it do the SELECT, and parse the result at run time.  It will
take a bit of work to add that, but it's a much better solution.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: logging trouble

2007-03-29 Thread Brad's Junk Mail
Here is the entire post-auth section:

post-auth {
        #  Get an address from the IP Pool.
#       main_pool

        #
        #  If you want to have a log of authentication replies,
        #  un-comment the following line, and the 'detail reply_log'
        #  section, above.
        reply_log

        #
        #  After authenticating the user, do another SQL query.
        #
        #  See Authentication Logging Queries in sql.conf
#       sql

        #
        #  Instead of sending the query to the SQL server,
        #  write it into a log file.
        #
#       sql_log

        #
        #  Un-comment the following if you have set
        #  'edir_account_policy_check = yes' in the ldap module sub-section of
        #  the 'modules' section.
        #
#       ldap
        #
        #  Access-Reject packets are sent through the REJECT sub-section of the
        #  post-auth section.
        #  Uncomment the following and set the module name to the ldap instance
        #  name if you have set 'edir_account_policy_check = yes' in the ldap
        #  module sub-section of the 'modules' section.
        #
#       Post-Auth-Type REJECT {
#               insert-module-name-here
#       }

}



Re: logging trouble

2007-03-29 Thread Alan DeKok
Brad's Junk Mail wrote:

  That's not quite what I asked for...

 Here are the lines I thought were relevant from the 
 radius.conf file:

  Please post the lines I asked for, and double-check the default
configuration as I said.  Posting out of context snippets from
radiusd.conf helps less than you might think.

  The post-auth section should have a reject sub-section, that
contains reply_log.  That will log Access-Reject packets.  The
comments in radiusd.conf explain this.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: logging trouble

2007-03-29 Thread Brad Lachel
Thanks, I was missing the info in the reject subsection.




Re: Problems with freeradius 1.1.5 (2.0.0) 20070322 with postgresql (SIGHUP = segmentation fault)

2007-03-29 Thread Kostas Kalevras
Alan DeKok wrote:
 Claudiu Filip wrote:
 ...
   
 Second:
 8x-8x--
 rlm_sql_postgresql: Status: PGRES_TUPLES_OK
 rlm_sql_postgresql: query affected rows = 3 , fields = 5
 rlm_sql (sql): Read entry nasname=1.2.3.4,shortname=nume,secret=secret
 rlm_sql (sql): Adding client 1.2.3.4 (nume) to clients list
 Segmentation fault (core dumped)
 

   OK.  I don't put clients into SQL, so I haven't tested that portion of
 the code.
 ...
   
  So, we free the same location..
  I guess the problem is in the clients_parse_section which doesn't
  return a new address space.
 

   A better solution is this:

   - remove the read clients from SQL code in src/modules/rlm_sql.
   - add configuration to the clients section, e.g.:

 client 192.168.0.0/16 {
   query = %{sql: SELECT }
 }
   
Hmm, that would mean still having to add client entries in the
clients.conf. We'd like to avoid that when using sql.
Something like:
clients.conf:
per_socket_clients {
clients_query = %{sql: SELECT  }
}

   And have it do the SELECT, and parse the result at run time.  It will
 take a bit of work to add that, but it's a much better solution.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
   

Kostas Kalevras
Network Operations Center - National Technical University of Athens
http://kkalev.wordpress.com/

Re: Problems with freeradius 1.1.5 (2.0.0) 20070322 with postgresql (SIGHUP = segmentation fault)

2007-03-29 Thread Alan DeKok
Kostas Kalevras wrote:

 Hmm, that would mean still having to add client entries in the
 clients.conf. We'd like to avoid that when using sql.

  Yes.  The reason is DoS attacks.

  My idea was to limit the number of IP's looked up in SQL by network.
So if a particular network is getting lots of new clients, it may be a
DoS attack, and the server can just start dropping the requests.

  In other words, it's OK for known clients to cause the server to do
lots of SQL lookups.  It's not OK for random people on the net to cause
the server to do lots of SQL lookups.

  If there's a way to restrict the lookups to avoid DoS attacks, I'm all
for it.  Maybe something like doing lookups of new clients only once a
second.  That should rate-limit DoS attacks to something manageable, and
still allow new clients to be discovered quickly.

  So adding 30 new clients would require at minimum 30s of time, but
that shouldn't be much of a problem...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
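
One way to express the lookup limit discussed in this message, as an added Python sketch that is not FreeRADIUS code: known clients are answered from memory, while an unknown source address may trigger a backing-store lookup only if it falls inside a configured network and at most once per second. The class and function names, the in-memory table standing in for the SQL SELECT, and all addresses and secrets are assumptions constructed for the example.

```python
import ipaddress

# Constructed stand-in for the SQL table of clients (address -> shared secret).
CONSTRUCTED_CLIENTS = {
    "192.168.0.10": "constructed-secret-a",
    "192.168.0.11": "constructed-secret-b",
}


class ClientLookupGate:
    """Decides whether an unknown source address may trigger a client lookup."""

    def __init__(self, lookup, networks, min_interval=1.0):
        self.lookup = lookup                  # callable(ip_str) -> secret or None
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.min_interval = min_interval      # seconds between lookups of new clients
        self.known = {}                       # clients already discovered
        self.last_lookup = float("-inf")
        self.lookups = 0                      # backing-store queries actually made
        self.dropped = 0                      # requests discarded without a query

    def secret_for(self, src_ip, now):
        """Return the shared secret for src_ip, or None if the packet is dropped."""
        ip = ipaddress.ip_address(src_ip)
        key = str(ip)
        # Known clients never touch the backing store, however busy they are.
        if key in self.known:
            return self.known[key]
        # Sources outside every configured network never cause a lookup.
        if not any(ip in net for net in self.networks):
            self.dropped += 1
            return None
        # New sources share one lookup slot per interval; failed lookups
        # consume the slot too, which is what bounds the load of a flood.
        if now - self.last_lookup < self.min_interval:
            self.dropped += 1
            return None
        self.last_lookup = now
        self.lookups += 1
        secret = self.lookup(key)
        if secret is not None:
            self.known[key] = secret
        return secret


def flood(gate, start, packets, duration):
    """Send `packets` requests from distinct unknown addresses; return lookups made."""
    before = gate.lookups
    for i in range(packets):
        src = "192.168.%d.%d" % (1 + i // 250, 1 + i % 250)
        gate.secret_for(src, now=start + i * duration / packets)
    return gate.lookups - before


if __name__ == "__main__":
    gate = ClientLookupGate(CONSTRUCTED_CLIENTS.get, ["192.168.0.0/16"])
    print(gate.secret_for("192.168.0.10", now=0.0))
    print("lookups during a 1000-packet, 2 second flood:",
          flood(gate, start=10.0, packets=1000, duration=2.0))
```

During a sustained flood from inside a configured network, a genuinely new client competes with the flood for the one lookup slot per second, so its discovery can be delayed; clients that are already known are unaffected.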


Freeradius+OpenLDAP+SAMBA+Windows Domain Logon.

2007-03-29 Thread Sérgio Kojima

Hello all.

My freeradius 1.1.5 is configured to work with openldap and a samba PDC.
In short, it works fine when I log in with username/password/domain, but this
user has already logged on once to the domain, that is, the user is in the
cache on this Windows machine (XP and W2kPRO).

When I try with a username/password/the same domain that has never logged on to
this machine, or does not have a cache in Windows, it returns an error message
that there is no domain controller.

What can I do to resolve this? Can't Windows XP and 2k log on this way with
802.1x switches?

[]`s

Kojima, Sérgio


chap rlm_sql authentication problem

2007-03-29 Thread Andrew Long
I am adding a new MSC to our list of clients and trying to verify the config 
with -X and ntradping.
I keep getting rejected. 

I have the following in clients.conf:
 client 192.168.10.100 {    # MY LAPTOP IP FOR NOW
        secret = [EMAIL PROTECTED]
        shortname = cn3200_hiegalleria
        nastype = other
 }

In NTRADPING, I am using:
 username: bufhiegall_cn3200
 secret: [EMAIL PROTECTED]
 password: password1 (same as in radius.radcheck)

I note the "could not find clear text password" at the bottom of the reply, but
am not sure why this is so;
The password is present in radcheck.

The -X output is as follows:

rad_recv: Access-Request packet from host 192.168.10.100:49424, id=11, length=58
User-Name = bufhiegall_cn3200
CHAP-Password = 0x8f98ab538676182e04964979e34fbc0580
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = bufhiegall_cn3200, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
radius_xlat:  'bufhiegall_cn3200'
rlm_sql (sql): sql_set_user escaped user -- 'bufhiegall_cn3200'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'bufhiegall_cn3200'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'bufhiegall_cn3200' 
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'bufhiegall_cn3200'   ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'bufhiegall_cn3200' 
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): No matching entry in the database for request from user 
[bufhiegall_cn3200]
  modcall[authorize]: module sql returns notfound for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module noresetcounter returns noop for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module dailycounter returns noop for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module monthlycounter returns noop for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module daypasscounter returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
  rlm_chap: login attempt by bufhiegall_cn3200 with CHAP password
  rlm_chap: Could not find clear text password for user bufhiegall_cn3200
  modcall[authenticate]: module chap returns invalid for request 0
modcall: leaving group CHAP (returns invalid) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 11 to 1

I have run all the queries manually on the server, and they all return results
as expected (except the query to radgroupreply, as there is nothing configured
there).


Regards,

Andrew Long




Re: SNMP support for radius problem

2007-03-29 Thread satish patel
Thanks for the help.

I got it, and now my freeradius is working with snmpd and it is working fine.
Now can you tell me what I can monitor through snmpd? I mean, can I check how
many users are currently logged in and how many failed, and what stats can I
check through this feature?



Re: SNMP support for radius problem

2007-03-29 Thread Kevin Bonner
On Thursday 29 March 2007 12:47:38 satish patel wrote:
 Thanks for help

 I got it, and now my freeradius is working with snmpd and it is working fine.
 Now can you tell me what I can monitor through snmpd? I mean, can I check how
 many users are currently logged in and how many failed, and what stats can I
 check through this feature?

The RADIUS mibs are in the mibs/ directory of the freeradius release.  You 
should be able to monitor any of those values.

-Kevin



Re: Freeradius+OpenLDAP+SAMBA+Windows Domain Logon.

2007-03-29 Thread joe vieira

Sérgio Kojima wrote:
 Hello all.

 My freeradius 1.1.5 is configured to work with openldap and a samba PDC.
 In short, it works fine when I log in with username/password/domain, but
 this user has already logged on once to the domain, that is, the user is in
 the cache on this Windows machine (XP and W2kPRO).

 When I try with a username/password/the same domain that has never logged on
 to this machine, or does not have a cache in Windows, it returns an error
 message that there is no domain controller.

 What can I do to resolve this? Can't Windows XP and 2k log on this way
 with 802.1x switches?


I am also very curious if anyone has a good solution for this... I've
read some stuff about 802.1x bootstrapping in XP/Vista, but haven't
really seen it working.

Joe


Re: chap rlm_sql authentication problem

2007-03-29 Thread Alan DeKok
Andrew Long wrote:
 I am adding a new MSC to our list of clients and trying to verify the config 
 with -X and ntradping.
 I keep getting rejected. 
...
 I note the "could not find clear text password" at the bottom of the reply, but
 am not sure why this is so;
 The password is present in radcheck.

  It's not found:

 The -X output is as follows:
...
 rlm_sql (sql): No matching entry in the database for request from user 
 [bufhiegall_cn3200]
   modcall[authorize]: module sql returns notfound for request 0

  That's pretty definitive.

 I have run all the queries manually on the server, and they all return 
 results as 
 expected (except the query to radgroupreply, as there is nothing configured 
 there).

  They may return what you expect, but not what the server needs.

  Please post the output from the queries here.  Odds are something is
misconfigured, so that the queries return data, but not anything the
server can use.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
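
Why the debug output ends in "Could not find clear text password" once the sql module has returned notfound, as an added Python sketch that is not code from this thread or from FreeRADIUS: a CHAP check has to recompute MD5(identifier || password || challenge) itself, so the server needs the cleartext password as a check item and cannot work from a hash. The challenge, the identifier 0x2a and the result labels are constructed for the example; only the CHAP-Password hex string and password1 come from the post.

```python
import hashlib
import hmac

CHAP_RESPONSE_LEN = 16  # size of an MD5 digest


def split_chap_password(attr):
    """Split a RADIUS CHAP-Password value into (CHAP identifier, response)."""
    if len(attr) != 1 + CHAP_RESPONSE_LEN:
        raise ValueError("CHAP-Password must be 1 identifier byte + 16 response bytes")
    return attr[0], attr[1:]


def chap_response(chap_id, password, challenge):
    """RFC 1994 response value: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def check_chap(attr, challenge, stored_password):
    """Verify a CHAP-Password attribute against what the server has on file.

    In RADIUS the challenge is the CHAP-Challenge attribute or, if that is
    absent, the Request Authenticator of the Access-Request.
    Returns "ok", "mismatch" or "no-cleartext" (labels made up for this example).
    """
    chap_id, received = split_chap_password(attr)
    if stored_password is None:
        # Nothing was loaded for the user, so there is nothing to hash.
        return "no-cleartext"
    expected = chap_response(chap_id, stored_password, challenge)
    return "ok" if hmac.compare_digest(expected, received) else "mismatch"


# CHAP-Password value shown in the debug output above: 17 bytes in total.
PAGE_CHAP_PASSWORD = bytes.fromhex("8f98ab538676182e04964979e34fbc0580")

# Constructed values: the post does not show the challenge that was used.
CONSTRUCTED_CHALLENGE = bytes(range(16))
CONSTRUCTED_ID = 0x2A
PASSWORD = b"password1"


def demo():
    """Run one constructed exchange against three states of the user store."""
    # What the NAS would send for this identifier, password and challenge.
    attr = bytes([CONSTRUCTED_ID]) + chap_response(
        CONSTRUCTED_ID, PASSWORD, CONSTRUCTED_CHALLENGE)
    md5_on_file = hashlib.md5(PASSWORD).hexdigest().encode()
    return {
        "cleartext on file": check_chap(attr, CONSTRUCTED_CHALLENGE, PASSWORD),
        "no entry found": check_chap(attr, CONSTRUCTED_CHALLENGE, None),
        "only an MD5 hash on file": check_chap(attr, CONSTRUCTED_CHALLENGE, md5_on_file),
    }


if __name__ == "__main__":
    chap_id, response = split_chap_password(PAGE_CHAP_PASSWORD)
    print("identifier from the post: 0x%02x, response bytes: %d" % (chap_id, len(response)))
    for case, result in demo().items():
        print("%-26s -> %s" % (case, result))
```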


DEFAULT and users file

2007-03-29 Thread Erico Augusto
Hi,

I'm using EAP-TTLS to supplicant authentication.

to authenticate the users at freeradius, I'm using users file to match user's 
password:

user   User-Password == test
  Reply-Message = success

Is there a way, using DEFAULT, for example, to return success to all users 
without the necessity to match the User-Password(bypass freeradius 
authentication). What I'm trying to do is authenticate users just at post-auth. 
I'm using some examples from doc directory, but without success...
Thanks, Erico.





Re: DEFAULT and users file

2007-03-29 Thread joe vieira
Erico Augusto wrote:
 Hi,

 I'm using EAP-TTLS to supplicant authentication.

 to authenticate the users at freeradius, I'm using users file to match 
 user's password:
 
 user   User-Password == test
   Reply-Message = success
 
 Is there a way, using DEFAULT, for example, to return success to all 
 users without the necessity to match the User-Password(bypass 
 freeradius authentication). What I'm trying to do is authenticate 
 users just at post-auth. I'm using some examples from doc directory, 
 but without success...
 Thanks, Erico.

do you mean like?

DEFAULT   Auth-Type := Accept
  Reply-Message = success
to accept all users and reply success to them

or just
DEFAULT
   Reply-Message = success

just to reply success to everyone (I'm pretty sure)
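
An added example, not part of the thread or of FreeRADIUS: a small audit that lists `users` file entries which set `Auth-Type` to `Accept`, the setting suggested above, which makes the server accept a request without comparing a password. The sample file, its `printer` entry and the function names are constructed for illustration.

```python
import re

# Constructed sample "users" file; the "printer" entry is hypothetical.
SAMPLE_USERS = """\
# per-user entry: the password is compared
user\tUser-Password == "test"
\tReply-Message = "success"

printer\tNAS-IP-Address == 10.10.10.1, Auth-Type := Accept
\tReply-Message = "success"

DEFAULT\tAuth-Type := Accept
\tReply-Message = "success"
"""

# attribute, operator, value; two-character operators are tried first
ITEM_RE = re.compile(
    r'([\w-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=|<|>)\s*("[^"]*"|[^,\s]+)')
SET_OPS = {"=", ":=", "+="}  # these set a value; every other operator compares


def parse_entries(text):
    """Return (line_no, name, check_items) for the first line of each entry."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        # skip blank lines, comments and indented reply-item lines
        if not line.strip() or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        entries.append((no, parts[0], ITEM_RE.findall(rest)))
    return entries


def find_password_bypass(text):
    """List entries that set Auth-Type to Accept, with the conditions limiting them."""
    findings = []
    for no, name, items in parse_entries(text):
        if not any(a.lower() == "auth-type" and op in SET_OPS
                   and v.strip('"').lower() == "accept" for a, op, v in items):
            continue
        conditions = [f"{a} {op} {v}" for a, op, v in items if op not in SET_OPS]
        findings.append({"line": no, "entry": name, "conditions": conditions,
                         "accepts_everyone": name == "DEFAULT" and not conditions})
    return findings


if __name__ == "__main__":
    for finding in find_password_bypass(SAMPLE_USERS):
        print(finding)
```

An entry reported with `accepts_everyone` set matches every request that reaches the `files` module, so it is the one to review first.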


Freeradius Login

2007-03-29 Thread robinson santos

My freeradius is working, the thing is that the computer that logged in,
every time that it is turned off it remembers the user and does not ask for
it. Can someone help me???

Re: DEFAULT and users file

2007-03-29 Thread Erico Augusto
Hi,



1. Post-Auth packet becomes empty with that approach

2. eap module works differently with that approach

   radiusd.conf:

  authenticate {
      eap
  }

Got the output (radiusd -X):

  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
  radius_xlat:  '/usr/local/var/log/radius/radacct/10.10.10.1/auth-detail-20070329'
  rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.1/auth-detail-20070329
modcall[authorize]: module auth_log returns ok for request 0
  rlm_realm: No '@' in User-Name = agentnode, looking up realm NULL
  rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 0 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
  users: Matched entry DEFAULT at line 164
modcall[authorize]: module files returns ok for request 0
  modcall: leaving group authorize (returns updated) for request 0
rad_check_password:  Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
  radius_xlat:  'success'
  Login OK: [agentnode] (from client erico-gprt port 2 cli 00-40-F4-C5-88-C7)
  Sending Access-Accept of id 0 to 10.10.10.1 port 2015
  Reply-Message = success
  Finished request 0
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 6 seconds...
  rad_recv: Access-Accept packet from host 10.10.10.1:2015, id=0, length=29
  Authentication reply packet code 2 sent to a non-proxy reply port from client erico-gprt:2015 - ID 0 : IGNORED
  --- Walking the entire request list ---
  Waking up in 3 seconds...
  --- Walking the entire request list ---
  Cleaning up request 0 ID 0 with timestamp 460c15b6
  Nothing to do.  Sleeping until we see a request.



Thanks, Erico. 

----- Original message -----
From: joe vieira [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, 29 March 2007 16:23:24
Subject: Re: DEFAULT and users file

Erico Augusto wrote:
 Hi,

 I'm using EAP-TTLS to supplicant authentication.

 to authenticate the users at freeradius, I'm using users file to match 
 user's password:
 
 user   User-Password == test
   Reply-Message = success
 
 Is there a way, using DEFAULT, for example, to return success to all 
 users without the necessity to match the User-Password(bypass 
 freeradius authentication). What I'm trying to do is authenticate 
 users just at post-auth. I'm using some examples from doc directory, 
 but without success...
 Thanks, Erico.

do you mean like,?

DEFAULT   Auth-Type := Accept
  Reply-Message = success
to accept all users and reply success to them

or just
DEFAULT
   Reply-Message = success

just to reply success to everyone (im pretty sure)

RE: chap rlm_sql authentication problem

2007-03-29 Thread Andrew Long

I think I got it, I can now authenticate with ntradping, but I get an
attribute dump:

unknown vendor 8744, size xx='' repeated many times...

Is this because I am impersonating the NAS from a laptop? ie., should 
clear up when the NAS is actually authenticating or does this point to
another misconfiguration?

All the other request types, accounting start,stop, update, go normally.

Andrew




Re: Freeradius Login

2007-03-29 Thread A . L . M . Buxey
Hi,
 My freeradius is working, the thing is that the computer that logged in,
 every time that it is turned off it remembers the user and do not ask for
 it. Can someone help me???


Windows PEAP by any chance?  ;-)

if so, you need to clear the EAPOL credential, e.g.


---8<--- cut here and save file as clean_eap.reg ---8<---

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo]


---8<--- cut here ---8<---

ensure this command is run on logout, login ..and heck, shutdown
and bootup too!  I'm assured that Windows Vista now has a proper
'do not cache this' feature ;-)

if it's not Windows then check your supplicant - or OSX keychain etc.
to ensure you haven't allowed the saving of the config (the Mac will happily
save the details too!)

alan


RE: Freeradius Login

2007-03-29 Thread King, Michael
 

 -Original Message-
 I'm assured that Windows Vista now 
 has a proper 'do not cache this' feature ;-)



It does.



load balancing 802.1x auth requests

2007-03-29 Thread Alison Lee
Hi,

We would like to load-balance 802.1X wireless authentications on 
multiple radius servers. The problem is that EAP methods require a 
series of requests and replies between the client and the same radius 
server, but a normal radius proxy will treat each request as a new one 
and forward them to different servers. With the latest release of 
FreeRADIUS, is it possible to keep states in the proxy server so that it 
can distinguish new requests from current outstanding requests?

Any suggestions/insights would be much appreciated.

Thanks,

Alison Lee   
Telecommunications and Networking   
University of Texas

