Re: FreeRadius+AD integration

2007-04-22 Thread A.L.M. Buxey
Hi,

> radius.conf as per the instructions, but radtest fails with Access-Reject. I
> have attached the debug window output for reference.

No, you haven't. You've attached a tiny snippet of the debug output.

> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user

but at least it shows this bit - how are you attempting to authenticate
and WHAT are you attempting to authenticate? 

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius+AD integration

2007-04-22 Thread shrikant Bhat

Hi,
I am trying to integrate freeradius with ADS 2003. I referred to
http://deployingradius.com/documents/configuration/active_directory.html.
Everything works perfectly fine till ( $ ntlm_auth --request-nt-key
--domain=*MYDOMAIN* --username=*user* --password=*password*) I get
NT_STATUS_OK. I don't see NT_KEY output. I made changes to the exec module in
radius.conf as per the instructions, but radtest fails with Access-Reject. I
have attached the debug window output for reference.


rad_recv: Access-Request packet from host 127.0.0.1:32928, id=44, length=57
   User-Name = "raduser"
   User-Password = "radpass"
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
   rlm_realm: No '@' in User-Name = "raduser", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 0
   users: Matched entry sbhat at line 1
 modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

Any help fixing this issue will be appreciated.
thank you!
SB

Re: Cannot run radiusd - error loading shared libraries

2007-04-22 Thread Matthias Cramer
Hi Eugene

Try putting /usr/local/lib into the file /etc/ld.so.conf and then run
ldconfig ...

Hope that helps.

Regards

  Matthias

[EMAIL PROTECTED] wrote:
> Platform Suse 9.0
> 
> No error on compile.
> 
> When I try:
> 
> # /usr/local/sbin/radiusd
> 
> I get:
> 
> /usr/local/sbin/radiusd: error while loading shared libraries:
> libradius-1.1.4.so: cannot open shared object file: No such file or
> directory
> 
> The file appears to be there:
> 
> # whereis libradius-1.1.4.so
> libradius-1.1.4: /usr/local/lib/libradius-1.1.4.la
> /usr/local/lib/libradius-1.1.4.so
> 
> Please provide assistance.
> 
> Kind regards,
> Eugene
> 


-- 
Matthias Cramer                 System & Network Manager
Interway Communication GmbH     Phone +41 43 500 
Josefstrasse 225                Fax   +41 44 271 3535
CH-8005 Zuerich                 http://www.interway.ch/






Cannot run radiusd - error loading shared libraries

2007-04-22 Thread eugene
Platform Suse 9.0

No error on compile.

When I try:

# /usr/local/sbin/radiusd

I get:

/usr/local/sbin/radiusd: error while loading shared libraries:
libradius-1.1.4.so: cannot open shared object file: No such file or
directory

The file appears to be there:

# whereis libradius-1.1.4.so
libradius-1.1.4: /usr/local/lib/libradius-1.1.4.la
/usr/local/lib/libradius-1.1.4.so

Please provide assistance.

Kind regards,
Eugene



Re: Checking for existence of User-Password

2007-04-22 Thread Arran Cudbard-Bell
[EMAIL PROTECTED] wrote:
> Might be worth trying: =~ "."
> Maybe regexp operator will sift those that don't exist.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 22/4/2007, "Arran Cudbard-Bell" <[EMAIL PROTECTED]> writes:
>
>> Alan DeKok wrote:
>>> Arran Cudbard-Bell wrote:
>>>> Just wondering if there's any way of checking the existence of
>>>> User-Password in users...
>>>> =* ANY always matches even if User-Password attribute isn't in the
>>>> request, which is not the correct behaviour.
>>>
>>>   That was done historically because the server didn't have
>>> Cleartext-Password.  Now that it does, I think that should be fixed in
>>> 1.1.7.
>>>
>>>   Alan DeKok.
>>> --
>>>   http://deployingradius.com   - The web site of the book
>>>   http://deployingradius.com/blog/ - The blog
>>
>> And cvs head ? :)
>>
>> Could the check_val module be used in the meantime ?
>>
>> I was just looking to implement your trick with the authz sections,
>> unfortunately I also need to support ClearText passwords
>> for administrative logins to the switches... so I needed to check the
>> existence of a User-Password attribute and send the request through the
>> right authz section.
>>
>> Oh btw, any news on the radclient bug ?
>>
>> Thanks,
>> Arran
No, sadly; tried it already, still matches.


Re: Size Limitations on clients.conf

2007-04-22 Thread Peter Nixon
On Sun 22 Apr 2007, Alexander Papenburg wrote:
> Hi,
>
> I am just wondering if there are any "size" limitations on the
> clients.conf file.
>
> Background is:
> The current file consists of many /24 net-ranges and is currently 22k big
> ;) For the past days I recognised some strange activities but
> unfortunately only saw the
> following in the log:
> .
> Auth: Login incorrect (Home Server says so): [aaliyah] (from client
> INET-X.X.X.X/16 port 2 cli A.B.C.D)
> .
>
> Obviously A.B.C.D tries a word-list attack on one device in the range
> but I can't figure out on which one
> without going into debugging mode. 

Why don't you log failed auth to a detail file or database?

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: Checking for existence of User-Password

2007-04-22 Thread tnt
Might be worth trying: =~ "."
Maybe regexp operator will sift those that don't exist.

Ivan Kalik
Kalik Informatika ISP


On 22/4/2007, "Arran Cudbard-Bell" <[EMAIL PROTECTED]> writes:

>Alan DeKok wrote:
>> Arran Cudbard-Bell wrote:
>>
>>> Just wondering if there's any way of checking the existence of
>>> User-Password in users...
>>> =* ANY always matches even if User-Password attribute isn't in the
>>> request, which is not the correct behaviour.
>>>
>>
>>   That was done historically because the server didn't have
>> Cleartext-Password.  Now that it does, I think that should be fixed in
>> 1.1.7.
>>
>>   Alan DeKok.
>> --
>>   http://deployingradius.com   - The web site of the book
>>   http://deployingradius.com/blog/ - The blog
>>
>And cvs head ? :)
>
>Could the check_val module be used in the meantime ?
>
>I was just looking to implement your trick with the authz sections,
>unfortunately I also need to support ClearText passwords
>for administrative logins to the switches... so I needed to check the
>existence of a User-Password attribute and send the request through the
>right authz section.
>
>Oh btw, any news on the radclient bug ?
>
>Thanks,
>Arran
>
>



Re: Size Limitations on clients.conf

2007-04-22 Thread Alexander Papenburg

Alan DeKok wrote:
> Alexander Papenburg wrote:
>> I am just wondering if there are any "size" limitations on the
>> clients.conf file.
>
>   How much memory do you have?  That's the limit.
>
>> Background is:
>> The current file consists of many /24 net-ranges and is currently 22k big ;)
>> For the past days I recognised some strange activities but unfortunately
>> only saw the
>> following in the log:
>> .
>> Auth: Login incorrect (Home Server says so): [aaliyah] (from client
>> INET-X.X.X.X/16 port 2 cli A.B.C.D)
>> .
>>
>> Obviously A.B.C.D tries a word-list attack on one device in the range
>> but I can't figure out on which one
>> without going into debugging mode. So I hacked a quick and dirty perl
>> script which generates a clients.conf
>> with single IPs which is about 17M big  ^^
>
>   Why not just run 'radsniff'?
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog

Alan, are you held hostage somewhere? By some evil mad man? Or have you
written an ingenious mail-robot script
which replies to all the email sent to the list 24/7?

Just kidding ;)

radsniff is a good hint, I will give it a try.

Thanks

Re: Size Limitations on clients.conf

2007-04-22 Thread Alan DeKok
Alexander Papenburg wrote:
> I am just wondering if there are any "size" limitations on the
> clients.conf file.

  How much memory do you have?  That's the limit.

> Background is:
> The current file consists of many /24 net-ranges and is currently 22k big ;)
> For the past days I recognised some strange activities but unfortunately 
> only saw the
> following in the log:
> .
> Auth: Login incorrect (Home Server says so): [aaliyah] (from client 
> INET-X.X.X.X/16 port 2 cli A.B.C.D)
> .
> 
> Obviously A.B.C.D tries a word-list attack on one device in the range 
> but I can't figure out on which one
> without going into debugging mode. So I hacked a quick and dirty perl 
> script which generates a clients.conf
> with single IPs which is about 17M big  ^^

  Why not just run 'radsniff'?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Size Limitations on clients.conf

2007-04-22 Thread Alexander Papenburg
Hi,

I am just wondering if there are any "size" limitations on the 
clients.conf file.

Background is:
The current file consists of many /24 net-ranges and is currently 22k big ;)
For the past days I recognised some strange activities but unfortunately 
only saw the
following in the log:
.
Auth: Login incorrect (Home Server says so): [aaliyah] (from client 
INET-X.X.X.X/16 port 2 cli A.B.C.D)
.

Obviously A.B.C.D tries a word-list attack on one device in the range 
but I can't figure out on which one
without going into debugging mode. So I hacked a quick and dirty perl 
script which generates a clients.conf
with single IPs which is about 17M big  ^^

Is there a better way?


Thanks,

Alex
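Peter's suggestion of logging failures, applied to the log line format quoted in this thread, as an added example that is not from the thread or the FreeRADIUS project: a Python script that groups FreeRADIUS 1.x "Login incorrect" lines by calling station (cli), so a password-guessing source stands out even when the client entry is a whole /16. The log lines are constructed samples; the timestamp prefix and the "(Home Server says so)" text are treated as optional.

```python
import re
from collections import defaultdict

# Added example, not from the thread. Parses radius.log "Login incorrect"
# lines (FreeRADIUS 1.x format) and aggregates them per calling station.
LOGIN_INCORRECT = re.compile(
    r'Auth: Login incorrect(?: \(Home Server says so\))?: '
    r'\[(?P<user>[^\]/]*)(?:/[^\]]*)?\] '
    r'\(from client (?P<client>\S+) port (?P<port>\d+)'
    r'(?: cli (?P<cli>\S+))?\)'
)

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Sun Apr 22 10:01:02 2007 : Auth: Login incorrect (Home Server says so): [aaliyah] (from client INET-10.20.0.0/16 port 2 cli 192.0.2.77)
Sun Apr 22 10:01:03 2007 : Auth: Login incorrect (Home Server says so): [aaron] (from client INET-10.20.0.0/16 port 2 cli 192.0.2.77)
Sun Apr 22 10:01:04 2007 : Auth: Login incorrect (Home Server says so): [abigail] (from client INET-10.20.0.0/16 port 2 cli 192.0.2.77)
Sun Apr 22 10:05:00 2007 : Auth: Login incorrect: [admin/badpass] (from client switch-core1 port 0 cli 198.51.100.9)
Sun Apr 22 10:05:30 2007 : Auth: Login OK: [admin] (from client switch-core1 port 0 cli 198.51.100.9)
"""

def parse_failures(text):
    """Yield (user, client, port, cli) for each 'Login incorrect' line; other lines are skipped."""
    for line in text.splitlines():
        m = LOGIN_INCORRECT.search(line)
        if m:
            yield m.group('user'), m.group('client'), int(m.group('port')), m.group('cli') or '-'

def failures_by_source(text):
    """Map cli -> {'count': failures, 'users': distinct usernames, 'clients': client names seen}."""
    stats = defaultdict(lambda: {'count': 0, 'users': set(), 'clients': set()})
    for user, client, _port, cli in parse_failures(text):
        s = stats[cli]
        s['count'] += 1
        s['users'].add(user)
        s['clients'].add(client)
    return dict(stats)

def suspected_wordlist_sources(text, min_failures=3, min_users=3):
    """Sources with many failures spread over many usernames: the word-list signature."""
    return sorted(cli for cli, s in failures_by_source(text).items()
                  if s['count'] >= min_failures and len(s['users']) >= min_users)

if __name__ == '__main__':
    for cli, s in failures_by_source(SAMPLE_LOG).items():
        print(f"{cli}: {s['count']} failures, {len(s['users'])} users, via {sorted(s['clients'])}")
    print("suspected:", suspected_wordlist_sources(SAMPLE_LOG))
```

This pinpoints the attacking source (cli) and the client entry it came through; which individual device behind a /16 entry was targeted still needs a per-NAS client entry, a detail file, or radsniff as suggested in the thread.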


Re: Blocking Interim-Update Accounting-Requests

2007-04-22 Thread Jakob Hirsch
Alan DeKok wrote:

>   If you are trying to log some packets and not others, then do
> conditional logging.  e.g. "if packet is type I want to log

That's exactly what I want. And it works now with using Acct-Type.
Thanks for that!

For the list archive (using version 1.1.4):

acct_users:

DEFAULT Acct-Status-Type == "Interim-Update", Acct-Type := "IGNORE"


radiusd.conf:

preacct {
files
...
}

accounting {
Acct-Type IGNORE {
ok
}

dumpinacct
ok
}




Re: Checking for existence of User-Password

2007-04-22 Thread Arran Cudbard-Bell
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>   
>> Just wondering if there's any way of checking the existence of 
>> User-Password in users...
>> =* ANY always matches even if User-Password attribute isn't in the 
>> request, which is not the correct behaviour.
>> 
>
>   That was done historically because the server didn't have
> Cleartext-Password.  Now that it does, I think that should be fixed in
> 1.1.7.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog
>   
And cvs head ? :)

Could the check_val module be used in the meantime ?

I was just looking to implement your trick with the authz sections, 
unfortunately I also need to support ClearText passwords
for administrative logins to the switches... so I needed to check the 
existence of a User-Password attribute and send the request through the 
right authz section.

Oh btw, any news on the radclient bug ?

Thanks,
Arran


Re: suggestions for multiple vlans in hundreds of switches

2007-04-22 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> I didn't know freeradius supported bitwise operators ! They're not 
> listed anywhere so I assumed you couldn't use them ?!

  It doesn't support them.  But it shouldn't be too hard to add.  In the
CVS head, I'm doing some large cleanups to make features like this much
easier.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Checking for existence of User-Password

2007-04-22 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> Just wondering if there's any way of checking the existence of 
> User-Password in users...
> =* ANY always matches even if User-Password attribute isn't in the 
> request, which is not the correct behaviour.

  That was done historically because the server didn't have
Cleartext-Password.  Now that it does, I think that should be fixed in
1.1.7.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Blocking Interim-Update Accounting-Requests

2007-04-22 Thread Alan DeKok
Jakob Hirsch wrote:
> is it possible to filter out accounting requests with an
> Acct-Status-Type of Interim-Update?

  That depends on what you mean by "filter out".

> rlm_attr_filter works obviously only when we are a proxy, and rlm_files
> with this acct_users changed nothing:
> 
> DEFAULT Acct-Status-Type == Interim-Update, Auth-Type := Reject

  Auth-Type works for authentication, not accounting.  Use Acct-Type for
accounting packets.  It's in the documentation.

  If you are trying to log some packets and not others, then do
conditional logging.  e.g. "if packet is type I want to log

> Anybody with an idea? Otherwise I'll have to add that to our logging module.

  Perhaps you could explain what you mean by "filter out".

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog