Re: radiusd stop responding. deadlock?

2007-06-21 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> We are using freeradius 1.1.0 for PEAP authentication,
> and it is mostly working well.

  Use 1.1.6.  It has a NUMBER of bugs fixed over 1.1.0.
...
> (gdb) attach 10127
> Attaching to program: /usr/dot1x/sbin/radiusd, process 10127
> Symbols already loaded for /lib/libcrypt.so.1
> (snip)...
> 0x401998cc in pthread_mutex_trylock () from /lib/libpthread.so.0
> (gdb) whrere
> #0  0x401998cc in pthread_mutex_trylock () from /lib/libpthread.so.0

  If the code is blocking in the libc malloc() implementation, there
isn't much that FreeRADIUS can do to fix that.

  Try upgrading to 1.1.6, and see if that fixes it.  I don't know...

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MSCHAPv2 with 1.1.4

2007-06-21 Thread Alan DeKok
Matt Cobb wrote:
> Using 1.1.4, still can’t get MSCHAPv2 working to a local file.  Here is
...
>   rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password 
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

  Then either the password you have on the server isn't the same as the
password on the client, OR the MS-CHAP calculations are being done
differently on the client and server.

  FreeRADIUS works in tens of thousands of deployments using MS-CHAP,
for tens of millions of users.  It's fine.

  See src/tests for a sample MS-CHAP request that you can send to the
server with radclient.  If *that* fails, then something is very broken
on your system.  If it works, then either the passwords aren't the same,
OR the client you're using is broken.

  So... which client are you using?

  Alan DeKok.

Re: Password in Radius Debug

2007-06-21 Thread Alan DeKok
Cody Jarrett wrote:
> I notice that passwords are displayed in plain text when a supplicant
> connects to the radius server. Is there a way to disable this?

  No.  Anyone who can run the server in debugging mode can access the
passwords via another method.

  If you don't want the passwords visible, post-process the output of
debugging mode to remove the passwords.

  Alan DeKok.
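A filter of the kind Alan describes, as an added example (not from the thread and not part of FreeRADIUS): it rewrites debug or auth-log lines so the password value is gone while the rest of the line stays useful for troubleshooting. The sample lines are constructed after output quoted elsewhere on this page; the rlm_pap-style `password "..."` message shape is an assumption.

```python
"""Redact passwords from FreeRADIUS debug (radiusd -X) and auth-log output.

Added example, not part of FreeRADIUS: it post-processes the output instead
of changing the server. Three line shapes are handled:
  - attribute dumps:  User-Password = "foo"   Cleartext-Password := "secret"
  - auth log lines:   Login OK: [teste/secret] (from client ...)
  - module messages quoting a password, e.g. rlm_pap-style ... password "foo"
    (this third shape is an assumption; the first two appear in the threads)
"""
import re
import sys

REDACTED = "<redacted>"
PASSWORD_ATTRS = ("User-Password", "Cleartext-Password", "NT-Password",
                  "LM-Password", "Crypt-Password")
# group 1: indent, attribute and operator; group 2: the value; group 3: the rest
ATTR_RE = re.compile(
    r'^(\s*(?:%s)\s*(?:==|:=|\+=|=)\s*)("[^"]*"|\S+)(.*)$' % "|".join(PASSWORD_ATTRS))
# Login OK / Login incorrect, optionally "(Home Server says so)", then [user/password]
LOGIN_RE = re.compile(
    r'^(.*Login (?:OK|incorrect)(?: \([^)]*\))?: \[[^/\]]*/)([^\]]*)(\].*)$')
# generic 'password "..."' inside a module message (assumed shape)
QUOTED_RE = re.compile(r'(?i)(password\s+")([^"]*)(")')


def redact_line(line):
    """Return one output line with any password value replaced by <redacted>."""
    newline = "\n" if line.endswith("\n") else ""
    body = line.rstrip("\r\n")
    m = ATTR_RE.match(body)
    if m:
        return '%s"%s"%s%s' % (m.group(1), REDACTED, m.group(3), newline)
    m = LOGIN_RE.match(body)
    if m:
        return "%s%s%s%s" % (m.group(1), REDACTED, m.group(3), newline)
    return QUOTED_RE.sub(lambda q: q.group(1) + REDACTED + q.group(3), body) + newline


def redact_lines(lines):
    """Redact a sequence of lines (as read from radiusd -X or radius.log)."""
    return [redact_line(l) for l in lines]


# constructed sample modelled on the debug and log lines quoted in these threads
SAMPLE = [
    "rad_recv: Access-Request packet from host 127.0.0.1:44323, id=85, length=59",
    '\tUser-Name = "xyzuser"',
    '\tUser-Password = "foo"',
    "\tNAS-IP-Address = 255.255.255.255",
    "Wed Jun 20 19:46:47 2007 : Auth: Login OK: [teste/secret] (from client ap2 port 327 cli 0040.96a2.24f3)",
    "Login incorrect (Home Server says so): [xyzuser/foo] (from client localhost port 0)",
    "\tMS-CHAP-Challenge = 0xc171ce27fd0fc0189daf86b649fe8588",
    'rlm_pap: Using clear text password "secret"',
]

if __name__ == "__main__":
    # filter stdin to stdout:  radiusd -X 2>&1 | python redact.py   (file name assumed)
    source = sys.stdin if not sys.stdin.isatty() else (l + "\n" for l in SAMPLE)
    for out in redact_lines(source):
        sys.stdout.write(out)
```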


radiusd stop responding. deadlock?

2007-06-21 Thread blue_11j
Hi,
I'm *sorry* that I am not good at English
because I'm Japanese.

We are using freeradius 1.1.0 for PEAP authentication,
and it is mostly working well.
But sometimes radiusd stops responding and CPU usage is 100%.
(radiusd needs to be stopped and started.)

The following is the result of ps.

#ps -efml | grep radius
1 S root 10134 10127  0  69   0-  7395 148a46 Jun19 ?   00:00:00 /usr/dot1x/sbin/radiusd -d /etc/raddb -l syslog -g local0 -x
1 S root 17737 10134  0  69   0-  7395 10800b Jun19 ?   00:00:01 /usr/dot1x/sbin/radiusd -d /etc/raddb -l syslog -g local0 -x
1 S root 17835 10134  0  68   0-  7395 10800b Jun19 ?   00:00:00 /usr/dot1x/sbin/radiusd -d /etc/raddb -l syslog -g local0 -x
0 R root 10127 1 47  80   0-  7395  - Jun19 ?   19:24:13 /usr/dot1x/sbin/radiusd -d /etc/raddb -l syslog -g local0 -x
1 S root 17769 10134  0  69   0-  7395 10800b Jun19 ?   00:00:01 /usr/dot1x/sbin/radiusd -d /etc/raddb -l syslog -g local0 -x
1 R root 17800 10134 49  76   0-  7395  - Jun19 ?   19:19:02 /usr/dot1x/sbin/radiusd -d /etc/raddb -l syslog -g local0 -x
1 S root 17713 10134  0  69   0-  7395 10800b Jun19 ?   00:00:01 /usr/dot1x/sbin/radiusd -d /etc/raddb -l syslog -g local0 -x


pid 10127 (main) eats 47% CPU.
pid 17800 eats 49% CPU.

The following is the result of gdb on these threads.

# gdb
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux".
(gdb) attach 10127
Attaching to process 10127
Reading symbols from /usr/dot1x/sbin/radiusd...(no debugging symbols found)...done.
(snip)...
0x4019a072 in pthread_once () from /lib/libpthread.so.0
(gdb) where
#0  0x4019a072 in pthread_once () from /lib/libpthread.so.0
#1  0x4027df03 in malloc () from /lib/libc.so.6
#2  0x401eae87 in rad_recv () from /usr/dot1x/lib/libradius-1.1.0.so
#3  0x0804d78b in main ()
#4  0x4021cd06 in __libc_start_main () from /lib/libc.so.6
(gdb) detach
Detaching from program: /usr/dot1x/sbin/radiusd, process 10127
(gdb) 
(gdb) 
(gdb) attach 10127
Attaching to program: /usr/dot1x/sbin/radiusd, process 10127
Symbols already loaded for /lib/libcrypt.so.1
(snip)...
0x401998cc in pthread_mutex_trylock () from /lib/libpthread.so.0
(gdb) whrere
#0  0x401998cc in pthread_mutex_trylock () from /lib/libpthread.so.0
#1  0x4027c65f in _IO_file_xsputn () from /lib/libc.so.6
#2  0x4027df03 in malloc () from /lib/libc.so.6
#3  0x401eae87 in rad_recv () from /usr/dot1x/lib/libradius-1.1.0.so
#4  0x0804d78b in main ()
#5  0x4021cd06 in __libc_start_main () from /lib/libc.so.6
(gdb) detach
Detaching from program: /usr/dot1x/sbin/radiusd, process 10127
(gdb) 
(gdb) attach 17800
Attaching to program: /usr/dot1x/sbin/radiusd, process 17800
Symbols already loaded for /lib/libcrypt.so.1
(snip)...
0x4027f4b0 in mallopt () from /lib/libc.so.6
(gdb) 
(gdb) where
#0  0x4027f4b0 in mallopt () from /lib/libc.so.6
#1  0x4027ed83 in mallopt () from /lib/libc.so.6
#2  0x4027df1a in malloc () from /lib/libc.so.6
#3  0x4038a2e9 in ber_memalloc_x () from /usr/dot1x/lib/liblber-2.2.so.7
#4  0x4038a478 in ber_memrealloc_x () from /usr/dot1x/lib/liblber-2.2.so.7
#5  0x40388790 in ber_realloc () from /usr/dot1x/lib/liblber-2.2.so.7
#6  0x403886b4 in ber_write () from /usr/dot1x/lib/liblber-2.2.so.7
#7  0x40387179 in ber_put_tag () from /usr/dot1x/lib/liblber-2.2.so.7
#8  0x40387404 in ber_put_int_or_enum () from /usr/dot1x/lib/liblber-2.2.so.7
#9  0x40388416 in ber_printf () from /usr/dot1x/lib/liblber-2.2.so.7
#10 0x403612f2 in ldap_build_search_req () from /usr/dot1x/lib/libldap-2.2.so.7
#11 0x403611da in ldap_search () from /usr/dot1x/lib/libldap-2.2.so.7
#12 0x40361432 in ldap_search_st () from /usr/dot1x/lib/libldap-2.2.so.7
#13 0x4033f803 in _init () from /usr/dot1x/lib/rlm_ldap-1.1.0.so
#14 0x403400d6 in _init () from /usr/dot1x/lib/rlm_ldap-1.1.0.so
#15 0x08050c19 in vp_listdebug ()
#16 0x08050fde in paircmp ()
#17 0x403f820f in _init () from /usr/dot1x/lib/rlm_files-1.1.0.so
#18 0x08057c99 in module_post_auth ()
#19 0x080582df in modcall ()
#20 0x08057d0f in module_post_auth ()
#21 0x08057e06 in module_post_auth ()
#22 0x08058254 in modcall ()
#23 0x08057d0f in module_post_auth ()
#24 0x08057e06 in module_post_auth ()
#25 0x08058254 in modcall ()
#26 0x08056fff in find_module_instance ()
#27 0x080578f0 in module_authorize ()
#28 0x08053aa3 in rad_authenticate ()
#29 0x0804dcf8 in rad_respond ()
#30 0x0805b5a0 in radius_xlat ()
#31 0x40198ca3 in pthread_detach () from /lib/libpthread.so.0
(gdb) detach
Detaching from program: /usr/dot1x/sbin/radiusd, process 17800
(gdb) 
--

rad_authlog , radlog

2007-06-21 Thread Mahalakshmi Vijayakumar

Hi,
Can anyone explain the purpose of the functions rad_authlog, radlog and
vradlog?
Thank you.

Problem with OpenLDAP + FreeRADIUS

2007-06-21 Thread gosha-necr
Hi all! I have set up a Samba PDC (3.0.25a) + LDAP and I want users to connect to
the internet through VPN using their LDAP credentials. I think it will be MPD
+ FreeRADIUS. But when I try to configure radius to work with ldap it gives me an
error.
I am using this HOW-TO:
http://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/radius.html
This is my radiusd.conf: http://pastebin.ru/44057
And when I try /usr/local/sbin/radiusd -X -A it tells me:
http://pastebin.ru/44058
Here is my /usr/local/etc/raddb/ldap.attrmap: http://pastebin.ru/44059
My OS: FreeBSD 6.2 i386
FreeRadius 1.1.6
Please help me :)


Re: Password in Radius Debug

2007-06-21 Thread Peter Nixon
On Thu 21 Jun 2007, Cody Jarrett wrote:
> I notice that passwords are displayed in plain text when a supplicant
> connects to the radius server. Is there a way to disable this?

Yep. Don't run in debug mode...

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


RE: MSCHAPv2 with 1.1.4

2007-06-21 Thread Matt Cobb
Same thing basically:

  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: Found NT-Password
  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 0

My users file now looks like:

#cobb User-Password=="secret"
#cobb Cleartext-Password=="secret"
#cobb Cleartext-Password:="secret"
#cobb NT-Password == "0xB6FFB3200061D7B7928F0D932F095128"
#cobb NT-Password == "B6FFB3200061D7B7928F0D932F095128"
#cobb NT-Password := "0xB6FFB3200061D7B7928F0D932F095128"
cobb NT-Password := "B6FFB3200061D7B7928F0D932F095128"





RE: MSCHAPv2 with 1.1.4

2007-06-21 Thread tnt
Try := with NT-Password. Cleartext-Password works fine in 1.1.6

Ivan Kalik
Kalik Informatika ISP


On 21/6/2007, "Matt Cobb" <[EMAIL PROTECTED]> wrote:

>Hello,
>
>>> that's why. you can't use a plain password.
>
>>>alan
>
>[Cobb] What should I use?  I have tried User-Password==,
>Cleartext-Password:=, Cleartext-Password==,
>NT-Password=="0x0123456789abcdef...",
>NT-Password=="0123456789abcdef.."
>
>All complain that the NT Response is invalid and all but User-Password
>complain that the User-Password is not supplied.



RE: MSCHAPv2 with 1.1.4

2007-06-21 Thread Matt Cobb
Hello,

>> that's why. you can't use a plain password.

>>alan

[Cobb] What should I use?  I have tried User-Password==,
Cleartext-Password:=, Cleartext-Password==,
NT-Password=="0x0123456789abcdef...",
NT-Password=="0123456789abcdef.."

All complain that the NT Response is invalid and all but User-Password
complain that the User-Password is not supplied.






RE: MSCHAPv2 with 1.1.4

2007-06-21 Thread Matt Cobb
Tried that already. 

cobb Cleartext-Password := "secret"

It just spits out an error that says I didn't use User-Password and
fails:

Thread 1 handling request 0, (1 handled so far)
NAS-Identifier = "localhost"
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "127.0.0.1"
User-Name = "[EMAIL PROTECTED]"
MS-CHAP2-Response = 0x01013410fa7660ac21dc93c5313bcab77f15e601cdc04a6c368aedb66db426dff79111702aa7dbf9d3bb
MS-CHAP-Challenge = 0xc171ce27fd0fc0189daf86b649fe8588
Service-Type = 47
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 0
modcall: entering group  for request 0
rlm_realm: Looking up realm "guests" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "guests"
rlm_realm: Adding Stripped-User-Name = "cobb"
rlm_realm: Proxying request from user cobb to realm guests
rlm_realm: Adding Realm = "guests"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "ntdomain" returns noop for request 0
modcall: leaving group  (returns noop) for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry cobb at line 2
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client localhost port 0 cli 127.0.0.1)
  Found Post-Auth-Type
  Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 0
DBUS Method Call to com.lockdownnetworks.RadiusEvents:/ on com.lockdownnetworks.RadiusEvents
Early exit of processing return values.
Finished with dbus method.
  modcall[post-auth]: module "dbus" returns reject for request 0
modcall: leaving group REJECT (returns reject) for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:32776, id=181, length=161
Sending Access-Reject of id 181 to 127.0.0.1 port 32776
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 181 with timestamp 467ae04a
Nothing to do.  Sleeping until we see a request.



-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
dius.org] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 21, 2007 11:30 AM
To: FreeRadius users mailing list
Subject: Re: MSCHAPv2 with 1.1.4

>
>users file:
>
>cobb User-Password=="secret"
>
>(also tried Cleartext-Password with same results)
>

Wrong operator (==) for Cleartext-Password. Use :=

cobb   Cleartext-Password := "secret"

Ivan Kalik
Kalik Informatika ISP



RE: EAP-TTLS PAP Mysql problems

2007-06-21 Thread Ivan Kalik
You need to post the debug (radiusd -X) output. Whole thing.
 
Ivan Kalik
Kalik Informatika ISP
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of emmcosta
Sent: 21 June 2007 20:22
To: FreeRadius users mailing list
Subject: Re: EAP-TTLS PAP Mysql problems


Stefan Winter wrote:

>> What do I need to put in mysql and my configuration so that, after a good
>> authentication, the reply returns Tunnel-Type, Tunnel-Medium-Type and
>> Tunnel-Private-Group-ID so the client can run dhclient in the VLAN I return?
>
> Put the appropriate attributes for VLAN assignment into the radreply table
> for the user in question.
> Chances are that you also need to set the option
>
> use_tunneled_reply = yes
>
> in eap.conf.
>
> Greetings,
>
> Stefan Winter

I already put appropriate attributes for VLAN assignment into the radreply
table, but I think I have a problem with authentication because the log shows
these lines:
Wed Jun 20 19:46:47 2007 : Error: Trying to look up name of unknown
client 127.0.0.1.
Wed Jun 20 19:46:47 2007 : Auth: Login OK: [teste/secret] (from client
UNKNOWN-CLIENT port 327 cli 0040.96a2.24f3)
Wed Jun 20 19:46:47 2007 : Auth: Login OK: [teste/] (from client ap2 port 327 cli 0040.96a2.24f3)

but if I use the cli with the radtest command, authentication is successful and
I receive reply attributes.
I'm using a Cisco ap1100 configured with wpa-tkip, and for the client a PC
with Windows XP with the SecureW2 supplicant configured with eap-ttls pap.

Can you help me?

-- 

/emmc


Re: EAP-TTLS PAP Mysql problems

2007-06-21 Thread A . L . M . Buxey
Hi,

> Wed Jun 20 19:46:47 2007 : Error: Trying to look up name of unknown
> client 127.0.0.1.
> Wed Jun 20 19:46:47 2007 : Auth: Login OK: [teste/secret] (from client
> UNKNOWN-CLIENT port 327 cli 0040.96a2.24f3)
> Wed Jun 20 19:46:47 2007 : Auth: Login OK: [teste/ attribute>] (from client ap2 port 327 cli 0040.96a2.24f3)
> 
> but if I use the cli with the radtest command, authentication is successful and
> I receive reply attributes.
> 
> I'm using a Cisco ap1100 configured with wpa-tkip, and for the client a PC
> with Windows XP with the SecureW2 supplicant configured with eap-ttls pap.

send us your naslist table and clients.conf

alan


Password in Radius Debug

2007-06-21 Thread Cody Jarrett
I notice that passwords are displayed in plain text when a supplicant
connects to the radius server. Is there a way to disable this?

-- 
Cody Jarrett
IT Freedom
[EMAIL PROTECTED] 
Office: 512.419.0070
Fax: 512.419.0080



Re: EAP-TTLS PAP Mysql problems

2007-06-21 Thread emmcosta
Stefan Winter wrote:
>> What do I need to put in mysql and my configuration so that, after a good
>> authentication, the reply returns Tunnel-Type, Tunnel-Medium-Type and
>> Tunnel-Private-Group-ID so the client can run dhclient in the VLAN I return?
>> 
>
> Put the appropriate attributes for VLAN assignment into the radreply table 
> for 
> the user in question.
> Chances are that you also need to set the option 
>
> use_tunneled_reply = yes
>
> in eap.conf.
>
> Greetings,
>
> Stefan Winter
>
I already put appropriate attributes for VLAN assignment into the
radreply table, but I think I have a problem with authentication because
the log shows these lines:

Wed Jun 20 19:46:47 2007 : Error: Trying to look up name of unknown
client 127.0.0.1.
Wed Jun 20 19:46:47 2007 : Auth: Login OK: [teste/secret] (from client
UNKNOWN-CLIENT port 327 cli 0040.96a2.24f3)
Wed Jun 20 19:46:47 2007 : Auth: Login OK: [teste/] (from client ap2 port 327 cli 0040.96a2.24f3)

but if I use the cli with the radtest command, authentication is successful and
I receive reply attributes.

I'm using a Cisco ap1100 configured with wpa-tkip, and for the client a PC
with Windows XP with the SecureW2 supplicant configured with eap-ttls pap.

Can you help me?

-- 
/emmc


Re: MSCHAPv2 with 1.1.4

2007-06-21 Thread tnt
>
>users file:
>
>cobb User-Password=="secret"
>
>(also tried Cleartext-Password with same results)
>

Wrong operator (==) for Cleartext-Password. Use :=

cobb   Cleartext-Password := "secret"

Ivan Kalik
Kalik Informatika ISP



Re: MSCHAPv2 with 1.1.4

2007-06-21 Thread A . L . M . Buxey
Hi,

> Using 1.1.4, still can't get MSCHAPv2 working to a local file.  Here is
> the full output and the conf files:

use 1.1.6

>   rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password

note this debug output line.

>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

attempt was rejected. why? ...

> cobb User-Password=="secret"
> 
> (also tried Cleartext-Password with same results)

that's why. you can't use a plain password.

alan


Re: proxy fallback?

2007-06-21 Thread Alan DeKok
Christopher Fournier wrote:
> Using freeradius 1.1.6: I'm trying to establish a sequential auth order,
> but it seems I'm missing the boat on something. The goal is the
> following auth order, in iteration:
> 
> 1) Check for local users in MySQL table
> 2) Proxy the request to another server
> 3) Use the local 'users' file (that is to permit all users, by default)

  It doesn't work that way.  Proxying is really an authentication step,
and the "users" file gets run during the authorization step.  Also, if
the home server returns reject, then that's pretty much it.  You can't
then go accept the user.

  I suggest changing the rules to:

1) check for local users in MySQL
2) if notfound, check for realms A, B, C, D && proxy to another server
3) else accept the user

  Alan DeKok.


Compiling freeradius 1.1.6 on Intel Xeon Mac OS X Server 10.4.9

2007-06-21 Thread sandramr

We are trying to install freeradius 1.1.6 on an Xserve with 2 x 2.66 GHz Dual-core Intel
Xeon and Mac OS X Server 10.4.9.

We have done these steps
1) ./configure --enable-developer --disable-shared
2) Edit file Make.inc and delete the rlm_perl in the MODULES section
3) make

We get this error:
.
lssl -lcrypto
i686-apple-darwin8-gcc-4.0.1: unrecognized option '-pie'
/usr/bin/ld: warning fat file:
../modules/rlm_sql/drivers/rlm_sql_mysql/.libs/rlm_sql_mysql.a does not
contain an architecture that matches the specified -arch flag: i386 (file
ignored)
/usr/bin/ld: Undefined symbols:
_rlm_sql_mysql
collect2: ld returned 1 exit status
rm -f .libs/radiusdS.o
make[4]: *** [radiusd] Error 1
make[3]: *** [common] Error 2
make[2]: *** [all] Error 2
make[1]: *** [common] Error 2
make: *** [all] Error 2

We tried the same things on a 2 GHz Intel Core Duo with Mac OS X 10.4.9 and
everything worked.

Do you have any suggestions?

Thanks
Sandra e Francesco



proxy fallback?

2007-06-21 Thread Christopher Fournier
Using freeradius 1.1.6: I'm trying to establish a sequential auth order,
but it seems I'm missing the boat on something. The goal is the
following auth order, in iteration:

1) Check for local users in MySQL table
2) Proxy the request to another server
3) Use the local 'users' file (that is to permit all users, by default)

In the 'authorize' clause, I have tried several configurations, but none
seem to work as expected. In its most basic form, it was:

authorize {
 preprocess
 sql
 suffix
 files
}

I have also tried modifying the clause using the 'redundant' and 'group'
token:

authorize {
    preprocess
    redundant {
        sql {
            notfound = 4
            fail = 4
        }
        suffix {
            notfound = 1
            reject = 2
            updated = 3
            fail = 4
        }
    }
    files
}

And lots of variations thereof. What seems to happen consistently is
that the 'suffix' clause supersedes the 'files' module, which is
configured to permit all by default. Below is the debug:


rad_recv: Access-Request packet from host 127.0.0.1:44323, id=85,
length=59
User-Name = "xyzuser"
User-Password = "foo"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
modcall: entering group redundant  for request 0
radius_xlat:  'xyzuser'
rlm_sql (sql): sql_set_user escaped user --> 'xyzuser'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'xyzuser'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User xyzuser not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'xyzuser' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'xyzuser' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User xyzuser not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User not found
  modcall[authorize]: module "sql" returns notfound for request 0
rlm_realm: No '@' in User-Name = "xyzuser", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "xyzuser"
rlm_realm: Proxying request from user xyzuser to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Preparing to proxy authentication request to realm "NULL"
  modcall[authorize]: module "suffix" returns updated for request 0
modcall: leaving group redundant  (returns notfound) for request 0
users: Matched entry DEFAULT at line 1
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
Sending Access-Request of id 0 to [DELETED] port 1645
User-Name = "xyzuser"
User-Password = "foo"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Proxy-State = 0x3835
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Reject packet from host [DELETED]:1645, id=0, length=73
Nortel-Attr-1 = 0x
Nortel-Attr-2 = 0x756e6b6e6f776e5f7573657220
Nortel-Attr-4 = 0x4e6f20737563682075736572
Login incorrect (Home Server says so): [xyzuser/foo] (from client
localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request


If I move the 'files' module before the 'suffix' module in the
'authorize' clause, it works fine. Again, it seems that the proxy
over-rides any further processing, despite changing the priorities. 

Could anyone provide some idea as to what I'm missing, or how to make
this work? Thank you in advance for any help!

- Chris






RE: 1.1.6 initial testing

2007-06-21 Thread Andrew Long

>   Also, for the "users" file:
> ...
> > users: Matched entry DEFAULT at line 153
> > users: Matched entry along at line 218
> 
>   Go look at those entries, and read "man users".  It should 
> be clear why the server is behaving as it is.
> 
>   Also, the FAQ says how to put an entry in the "users" file 
> to do local password authentication.  It works.  Follow it.
> 
>   Alan DeKok.
> -

Yes, I already have the MYSQL working... I stepped back to the
original config here to check why the users piece was not...

Thanks for the leads.

Andrew




Re: 1.1.6 initial testing

2007-06-21 Thread Alan DeKok
Andrew Long wrote:
> 1st run, using MYSQL. Testing on localhost, I find I cannot authenticate
> using an entry in user or one in the sql...

  You haven't configured the server to *use* the SQL module for
Access-Requests.  The debug output below clearly shows that: no SQL
module is referenced after the Access-Request is received.

  Also, for the "users" file:
...
> users: Matched entry DEFAULT at line 153
> users: Matched entry along at line 218

  Go look at those entries, and read "man users".  It should be clear
why the server is behaving as it is.

  Also, the FAQ says how to put an entry in the "users" file to do local
password authentication.  It works.  Follow it.

  Alan DeKok.


Re: 1.1.6 initial testing

2007-06-21 Thread Debashis Prusty
Please make some changes in your radiusd.conf file as shown below &
comment out the line "edir_account_policy_check=no".

authorize {
    preprocess
    chap
    mschap
    #counter
    #attr_filter
    #eap
    suffix
    sql
    #files
    #etc_smbpasswd
}
authenticate {
    authtype PAP {
        pap
    }
    authtype CHAP {
        chap
    }
    authtype MS-CHAP {
        mschap
    }
    #pam
    #unix
    #authtype LDAP {
    #    ldap
    #}
}
preacct {
    preprocess
    suffix
    #files
}
accounting {
    acct_unique
    detail
    #counter
    unix
    sql
    radutmp
    #sradutmp
}
session {
    radutmp
}


Andrew Long wrote:

1st run, using MYSQL. Testing on localhost, I find I cannot authenticate
using an entry in user or one in the sql...

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sqlcounter.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 0
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = "rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "radiusd"
 sql: password = ""
 sql: radius_db = "radius"
 sql: nas_table = "nas"
 sql: sqltrace = no
 sql: sqltracefile = "/var/log/radius/sqltrace.sql"
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = "%{User-Name}"
 sql: default_user_profile = ""
 sql: query_on_not_found = no
 sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op   
FROM radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER BY id"
 sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, op   
FROM radreply   WHERE Username = '%{SQL-User-Name}'   ORDER BY id"
 sql: authorize_group_check_query = "SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
 sql: authorize_group_reply_query = "SELECT 

Re: Re : Off-topic: DHCP server with radius support

2007-06-21 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> Something like:
> 
> http://tools.ietf.org/html/rfc4014

  Which requires support in the access points, and therefore isn't
implemented anywhere.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 1.1.6 initial testing

2007-06-21 Thread tnt
>users: Matched entry DEFAULT at line 153
>users: Matched entry along at line 218
>  modcall[authorize]: module "files" returns ok for request 0
>rlm_pap: Found existing Auth-Type, not changing it.
>  modcall[authorize]: module "pap" returns noop for request 0
>modcall: leaving group authorize (returns ok) for request 0
>  rad_check_password:  Found Auth-Type System
>auth: type "System"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 0
>rlm_unix: [along]: invalid password
>  modcall[authenticate]: module "unix" returns reject for request 0
>modcall: leaving group authenticate (returns reject) for request 0

There is a DEFAULT entry setting up Auth-Type System *above* your user
entry. Comment it out or place the user entry above it.

Ivan Kalik
Kalik Informatika ISP

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 1.1.6 initial testing

2007-06-21 Thread Dennis Skinner
Andrew Long wrote:

>!!! users: Matched entry DEFAULT at line 153 !!!
> users: Matched entry along at line 218
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_pap: Found existing Auth-Type, not changing it.
>   modcall[authorize]: module "pap" returns noop for request 0
> modcall: leaving group authorize (returns ok) for request 0
>  !!! rad_check_password:  Found Auth-Type System !!!
> auth: type "System"

Read the *whole* debug output.

Comment out line 153 of the users file.  Don't set Auth-Type.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re : Off-topic: DHCP server with radius support

2007-06-21 Thread Peter Nixon
That RFC actually describes the opposite of what we are talking about (i.e. 
how a RADIUS server can ask a DHCP server to assign an IP instead of how a 
DHCP server can ask a RADIUS server to assign an IP).

Cheers

Peter

On Thu 21 Jun 2007, [EMAIL PROTECTED] wrote:
> Something like:
>
> http://tools.ietf.org/html/rfc4014
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 21/6/2007, "Peter Nixon" <[EMAIL PROTECTED]> wrote:
> >On Thu 21 Jun 2007, Kostas Kalevras wrote:
> >> Eshun Benjamin wrote:
> >> > Slightly off-topic. Is anyone aware of a DHCP server with radius
> >> > support? Or even just with exec support? I'd like to set up a DHCP
> >> > that will ask a radius server for an IP instead of assigning it itself
> >> >
> >> > A radius server assigning IPs ...that is not radius (!). Maybe
> >> > you mean the radius server authenticating (MACs and/or IPs) before
> >> > the dhcp assigns it; this you have to configure and write your own
> >> > scripts on the dhcp server to authenticate against the radius. Radius
> >> > is for AAA
> >>
> >> No, I meant exactly what I wrote. RADIUS can assign IPs (that's why we
> >> have the rlm_pool/rlm_sqlpool modules and the Framed-IP-Address
> >> attribute). I need to forward some information to home radius servers
> >> first and based on their response decide on the ip pool to give out
> >> IPs. Moreover, I need the extensibility and features of freeradius in
> >> my setup. I could provide you with the exact details of what I'd like
> >> to achieve but they're not important for the question asked. A DHCP
> >> request can be transformed to an Access-Request (with some default
> >> password), forwarded to a RADIUS server and the IP assigned by the
> >> radius server returned back to the user.
> >
> >This is a logical integration, and something that I think would be very
> >useful. :-)



-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


1.1.6 initial testing

2007-06-21 Thread Andrew Long
1st run, using MYSQL. Testing on localhost, I find I cannot authenticate
using an entry in user or one in the sql...

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sqlcounter.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 0
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = "rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "radiusd"
 sql: password = ""
 sql: radius_db = "radius"
 sql: nas_table = "nas"
 sql: sqltrace = no
 sql: sqltracefile = "/var/log/radius/sqltrace.sql"
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = "%{User-Name}"
 sql: default_user_profile = ""
 sql: query_on_not_found = no
 sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op
   FROM radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER 
BY id"
 sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, op
   FROM radreply   WHERE Username = '%{SQL-User-Name}'   ORDER 
BY id"
 sql: authorize_group_check_query = "SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' 
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
 sql: authorize_group_reply_query = "SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' 
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
 sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', 
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), 
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = 
'%{Acct-Delay-Time}' WHERE AcctSe

Re: Re : Off-topic: DHCP server with radius support

2007-06-21 Thread tnt
Something like:

http://tools.ietf.org/html/rfc4014

Ivan Kalik
Kalik Informatika ISP


On 21/6/2007, "Peter Nixon" <[EMAIL PROTECTED]> wrote:

>On Thu 21 Jun 2007, Kostas Kalevras wrote:
>> Eshun Benjamin wrote:
>> > Slightly off-topic. Is anyone aware of a DHCP server with radius
>> > support? Or even just with exec support? I'd like to set up a DHCP that
>> > will ask a radius server for an IP instead of assigning it itself
>> >
>> > A radius server assigning IPs ...that is not radius (!). Maybe
>> > you mean the radius server authenticating (MACs and/or IPs) before the
>> > dhcp assigns it; this you have to configure and write your own scripts
>> > on the dhcp server to authenticate against the radius. Radius is for AAA
>>
>> No, I meant exactly what I wrote. RADIUS can assign IPs (that's why we
>> have the rlm_pool/rlm_sqlpool modules and the Framed-IP-Address
>> attribute). I need to forward some information to home radius servers
>> first and based on their response decide on the ip pool to give out
>> IPs. Moreover, I need the extensibility and features of freeradius in
>> my setup. I could provide you with the exact details of what I'd like
>> to achieve but they're not important for the question asked. A DHCP
>> request can be transformed to an Access-Request (with some default
>> password), forwarded to a RADIUS server and the IP assigned by the
>> radius server returned back to the user.
>
>This is a logical integration, and something that I think would be very 
>useful. :-)
>
>Cheers
>-- 
>
>Peter Nixon
>http://www.peternixon.net/
>PGP Key: http://www.peternixon.net/public.asc
>
>- 
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re : Off-topic: DHCP server with radius support

2007-06-21 Thread Peter Nixon
On Thu 21 Jun 2007, Kostas Kalevras wrote:
> Eshun Benjamin wrote:
> > Slightly off-topic. Is anyone aware of a DHCP server with radius
> > support? Or even just with exec support? I'd like to set up a DHCP that
> > will ask a radius server for an IP instead of assigning it itself
> >
> > A radius server assigning IPs ...that is not radius (!). Maybe
> > you mean the radius server authenticating (MACs and/or IPs) before the
> > dhcp assigns it; this you have to configure and write your own scripts
> > on the dhcp server to authenticate against the radius. Radius is for AAA
>
> No, I meant exactly what I wrote. RADIUS can assign IPs (that's why we
> have the rlm_pool/rlm_sqlpool modules and the Framed-IP-Address
> attribute). I need to forward some information to home radius servers
> first and based on their response decide on the ip pool to give out
> IPs. Moreover, I need the extensibility and features of freeradius in
> my setup. I could provide you with the exact details of what I'd like
> to achieve but they're not important for the question asked. A DHCP
> request can be transformed to an Access-Request (with some default
> password), forwarded to a RADIUS server and the IP assigned by the
> radius server returned back to the user.

This is a logical integration, and something that I think would be very 
useful. :-)

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Nokia IP 260 and User-Password

2007-06-21 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> We are receiving the attached information from a Nokia IP 260 Firewall
> and VPN appliance,

  ... please run the server in debugging mode.

> The password sent is '' but we just get gibberish on our end
> (and the tethereal capture also looks weird). The VPN is using PAP, as
> we are. Any hints on what can be wrong? (shared key is okay on both
> sides,

  Are you sure?  That's the typical cause of passwords being gibberish.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
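Alan's point above, as an added worked example (not code from the post or from FreeRADIUS): RFC 2865 hides User-Password by XORing it with an MD5 keystream derived from the shared secret and the Request Authenticator, so a server holding a different secret decodes random bytes. The authenticator is the one from the tethereal capture in the original post; the secret and password below are constructed values.

```python
"""RFC 2865 User-Password hiding and why a shared-secret mismatch shows as gibberish.

Added example, not from the FreeRADIUS list post. The NAS XORs the NUL-padded
password with MD5(secret + Request-Authenticator), chaining each further
16-byte block on the previous cipher block; the server reverses the process
with its own copy of the secret.
"""
import hashlib

# Request Authenticator copied from the capture in the post (16 bytes).
AUTHENTICATOR = bytes.fromhex("9FE8712917FDD893EF8E416B424D0E89")


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a cleartext PAP password as the NAS does (RFC 2865 section 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password length must be 1..128 bytes")
    # Pad with NULs up to a multiple of 16 bytes.
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # the next keystream block is keyed on this cipher block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password as the server does; strips the NUL padding."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def looks_like_gibberish(candidate: bytes) -> bool:
    """True if the decoded bytes contain anything outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in candidate)


def diagnose(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Classify a decode attempt the way a debug log would look to an operator."""
    plain = reveal_password(hidden, secret, authenticator)
    if looks_like_gibberish(plain):
        return "gibberish (likely shared-secret mismatch)"
    return "ok"


if __name__ == "__main__":
    nas_secret = b"testing123"            # constructed shared secret on the NAS
    password = b"correct horse battery"   # constructed, 21 bytes -> two blocks
    hidden = hide_password(password, nas_secret, AUTHENTICATOR)
    print("server with matching secret  :", diagnose(hidden, nas_secret, AUTHENTICATOR))
    print("server with mismatched secret:", diagnose(hidden, b"testing124", AUTHENTICATOR))
```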


Re: Need help with 802.1X authentication to Active Directory

2007-06-21 Thread tnt
I can't see the fault with the server or the client (certificates are
there, the wired 802.1x supplicant is enabled by default and set to do
EAP-TLS with a certificate from the local store by default). The only place
left to look is the NAS.

Can you enable debug radius and see what the log shows?

Ivan Kalik
Kalik Informatika ISP


On 20/6/2007, "Bryant Marsh" <[EMAIL PROTECTED]> wrote:

>
>Yes, the cert-clt.p12 is imported to the personal and the cacert.pem is in
>the trusted root certificates.
>
>I was looking at another document that was putting chmod 0444 on the
>cert-clt.p12 and chmod 0400 on the cacert.pem.
>Then, chown to radius:users on both.
>Is that necessary?
>
>Thanks,
>Bryant.
>
>
>You don't need users file if all user/pass information is stored in AD.
>Can you check if imported certificate is in "Trusted Root" and not
>some other certificate folder. I can't think of any other reason why
>the conversation wouldn't start with your network configuration.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>--
>View this message in context: 
>http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directory-tf3925261.html#a11223473
>Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm-digest - devel question

2007-06-21 Thread Alan DeKok
UriCALL Support wrote:
> I have noticed that in latest versions of rlm_digest the part with
> converting of the attributes to something useful (DEBUG("rlm_digest:
> Converting Digest-Attributes to something sane...")) was moved from
> authorize section to authenticate section. There was even a discussion a
> while back on the mailing list that this could be moved again to
> authorize part (so it can be used by other modules as well), but still
> nothing has happened.
> I am building a module which will make use of the conversion of those 
> attributes and using right now the old version of rlm_digest.c file. Is there 
> any reason for which the conversion of the attributes is not moved back to 
> authorize section in standard distribution? I am asking this because I must 
> instruct my users to patch freeradius every time they use my module.

  It should probably be changed back before the 2.0.0 release.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re : 2.0.0-pre : Failed to open socket.

2007-06-21 Thread Alan DeKok
David Wood wrote:
> Following a little bit of detective work with gdb, I realised that the 
> problem is with the udpfromto code in -pre1, at least on FreeBSD. 

  Yes, that's been known for a while, and has been mentioned on this
list.  There was no need to investigate; just upgrade to CVS head, which
people have said works.

> Passing --without-udpfromto to configure on FreeBSD means 2.0.0-pre1 
> works on FreeBSD 6.2-RELEASE. Supposedly udpfromto works on BSD like 
> operating systems, but I've never got it to work on FreeBSD, even in 
> 1.1.x.

  That's news to me.

> Has the faulty code really been taken out or fixed, or is the resolution 
> of this situation a side-effect of udpfromto being disabled in HEAD at 
> the moment?

  I don't have access to a current BSD box, so I have no idea if it's
fixed.  I do know that the udpfromto code works for me on Linux.

> I have a working FreeBSD port for 2.0.0-pre1 on my system, but I'm loath 
> to ask for it to be committed. I have to patch for bugs #452, 453 and 
> 454 (thanks to Nicolas for committing my enhanced patch for #454 to HEAD 
> and the 1.1 branch), and pass --without-udpfromto to get the thing to 
> work at all - though it is now working on my live system.

  Bugs #452 and 453 have been fixed in CVS head for almost a month.

> Further, pre1 has features missing compared to HEAD (not least the 
> sites-available / sites-enabled stuff in raddb, which leads to quite a 
> few changes in the configuration file), 

  It's not *necessary* to use it, but it is *extremely* useful.  It will
be more useful in the future, for a number of reasons.

>the PGP signature for the pre1 
> .tar.gz doesn't verify

  It does on my system.  What's the error?

> and the .tar.bz2 isn't PGP signed, also 
> raddb/certs/bootstrap doesn't work for me in pre1.

  What is the error?  I think it's likely using the wrong "make"
program.  That can be fixed by turning the Makefile from a GNU make file
into a more standard Make file.

> Is there any hope of a 2.0.0-pre2 release any time soon?

  Yes.  Hopefully this week, or next week.

> Whilst "it's fixed in HEAD" is fine for those who hang out here, FreeBSD 
> ports are not really supposed to depend on a CVS or Subversion checkout 
> for their main tarball. Recent discussion on freebsd-ports has suggested 
> that, at most, using a checkout should be a non-default option. As 
> development on 2.x continues, the FreeBSD package list is changing, so 
> that really leaves my only options at the moment as patching 2.0.0-pre1 
> or creating an unofficial 2.0.0-pre2 based on a tarball I'd have to host 
> myself.

  I would suggest *not* creating an official port of 2.0.0 until it has
been officially released.  That is, you can try creating a local port,
but *please* don't commit it to the FreeBSD "ports" tree.  It's not
stable, it's not meant to be stable, it's not meant to be used in any
production environment.

> On that note, whilst I know this isn't the best place to report it (what 
> is - bug database?), there's a typo in HEAD. raddb/Makefile version 1.26 
> has a typo in the second line of the install target - it should be 
> sites-available not sites-evailable.

  Fixed, thanks.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Nokia IP 260 and User-Password

2007-06-21 Thread david . suarezdelis
Greetings,

We are receiving the attached information from a Nokia IP 260 Firewall and 
VPN appliance,

The Access-Request is processed by a Perl program (through rlm_perl), and 
AR::RADIUSRequest is the class of objects that represent a generic RADIUS 
packet (don't mind the empty attributes).

The password sent is '' but we just get gibberish on our end (and 
the tethereal capture also looks weird). The VPN is using PAP, as we are. 
Any hints on what can be wrong? (shared key is okay on both sides, and no 
other NAS is doing this weird thing). I'm thinking of some configuration 
options that may be hurting with this NAS, but, frankly...

Server is 1.1.3 on a Debian 3.1 intel box.

Thanks for any help
david

PS- tethereal capture:

Frame 4 (101 bytes on wire, 101 bytes captured)
Arrival Time: Jun 21, 2007 10:32:18.545587000
Time delta from previous packet: 5.050255000 seconds
Time since reference or first frame: 10.108408000 seconds
Frame Number: 4
Packet Length: 101 bytes
Capture Length: 101 bytes
Protocols in frame: eth:ip:udp:radius
Ethernet II, Src: 00:17:cb:5a:81:7e, Dst: 00:11:0a:2f:61:3b
Destination: 00:11:0a:2f:61:3b (HewlettP_2f:61:3b)
Source: 00:17:cb:5a:81:7e (00:17:cb:5a:81:7e)
Type: IP (0x0800)
Internet Protocol, Src Addr: 10.235.236.14 (10.235.236.14), Dst Addr: 
10.235.244.133 (10.235.244.133)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
 00.. = Differentiated Services Codepoint: Default (0x00)
 ..0. = ECN-Capable Transport (ECT): 0
 ...0 = ECN-CE: 0
Total Length: 87
Identification: 0x79dc (31196)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 55
Protocol: UDP (0x11)
Header checksum: 0x1350 (correct)
Source: 10.235.236.14 (10.235.236.14)
Destination: 10.235.244.133 (10.235.244.133)
User Datagram Protocol, Src Port: 2305 (2305), Dst Port: radius (1812)
Source port: 2305 (2305)
Destination port: radius (1812)
Length: 67
Checksum: 0xa4c4 (correct)
Radius Protocol
Code: Access Request (1)
Packet identifier: 0x41 (65)
Length: 59
Authenticator: 0x9FE8712917FDD893EF8E416B424D0E89
Attribute value pairs
t:User Name(1) l:9, Value:"user1"
User-Name: un41814
t:User Password(2) l:18, Value:A0EB498C3FAD6541B06C0785F76F04C2
t:Service Type(6) l:6, Value:Login(1)
Service-Type: Login (1)
t:NAS IP Address(4) l:6, Value: xxx.xxx.xxx.xxx
Nas IP Address: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)

PPS- Perl Data::Dumper dump:

User-Password = ''

'REQUEST' => bless( {
   'MODIFICATION_TIME' => 
'1182414728.493002',
   'ATTR' => {
   'Acct-Input-Octets' => 
'',
   'NAS-Port-Type' => '',
   'Acct-Session-Id' => 
'',
   'Service-Type' => 
'Login-User',
   'Called-Station-Id' => 
'',
   'Client-IP-Address' => 
'10.235.236.14',
 'Tunnel-Client-Endpoint' => '',
   'Acct-Authentic' => '',
   'Acct-Status-Type' => 
'',
   'Acct-Output-Packets' 
=> '',
   'NAS-IP-Address' => 
'xxx.xxx.xxx.xxx',
   'Acct-Output-Octets' => 
'',
 'Acct-Tunnel-Client-Endpoint:0' => '',
   'Acct-Terminate-Cause' 
=> '',
   'Acct-Session-Time' => 
'',
   'Calling-Station-Id' => 
'',
   'Framed-Protocol' => 
'',
   'User-Name' => 'user1',
   'User-Password' => 
'x\\264\\343\\023y\\232\\004\\211\\357\\333\\010\\214\\2163U\\217',
 'Tunnel-Client-Endpoint:0' => '',
   'Acct-Input-Packets' => 
'',
   'Framed-IP-Address' => 
'',
   'Class' => '',
   'NAS-Port' => '',
   'Acct-Delay-Time' => ''
 },
   'CREATION_TIME' => 
'1182414728.493002'
   

Re: Re : Off-topic: DHCP server with radius support

2007-06-21 Thread Alan DeKok
Eshun Benjamin wrote:
...
> A radius server assigning IPs  ...that is not radius (!) .

  RADIUS was *originally* intended to assign IPs.  It's been doing that
since at least 1993.

> May be
> you mean the radius server authenticating (MACs and/or IPs) before the
> dhcp assigns it; this you have to configure and write your own scripts
> on the dhcp server to authenticate against the radius. Radius is for AAA

  ISC DHCP supports scripts?  News to me...

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re : Off-topic: DHCP server with radius support

2007-06-21 Thread Kostas Kalevras
Eshun Benjamin wrote:
> Slightly off-topic. Is anyone aware of a DHCP server with radius
> support? Or even just with exec support? I'd like to set up a DHCP that
> will ask a radius server for an IP instead of assigning it itself
>
> A radius server assigning IPs ...that is not radius (!). Maybe 
> you mean the radius server authenticating (MACs and/or IPs) before the 
> dhcp assigns it; this you have to configure and write your own scripts 
> on the dhcp server to authenticate against the radius. Radius is for AAA
No, I meant exactly what I wrote. RADIUS can assign IPs (that's why we 
have the rlm_pool/rlm_sqlpool modules and the Framed-IP-Address 
attribute). I need to forward some information to home radius servers 
first and based on their response decide on the ip pool to give out 
IPs. Moreover, I need the extensibility and features of freeradius in 
my setup. I could provide you with the exact details of what I'd like 
to achieve but they're not important for the question asked. A DHCP 
request can be transformed to an Access-Request (with some default 
password), forwarded to a RADIUS server and the IP assigned by the 
radius server returned back to the user.

> ==
> Benjamin K. Eshun
>
>
> - Original message 
> From : Kostas Kalevras <[EMAIL PROTECTED]>
> To : FreeRadius users mailing list 
> Sent : Wednesday, 20 June 2007, 14:18:09
> Subject : Off-topic: DHCP server with radius support
>
> Slightly off-topic. Is anyone aware of a DHCP server with radius
> support? Or even just with exec support? I'd like to set up a DHCP that
> will ask a radius server for an IP instead of assigning it itself
>
> -- 
> Kostas Kalevras - Network Operations Center
> National Technical University of Athens
> http://kkalev.wordpress.com
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
>
>
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RADIUS Authentication

2007-06-21 Thread Peter Nixon
Yes. FreeRADIUS has been known to run on AIX but I don't think anyone is 
actively testing it on AIX at present. Please report any issues you have, 
and you are welcome to document the installation procedure and put it in the 
wiki :-)

Regards

Peter

On Thu 21 Jun 2007, nguyenvinht wrote:
> By reading the wiki, it said FreeRadius runs on AIX. Any documentation
> about how to install FreeRadius on AIX? Please let me know. Thanks.
>
> Peter Nixon wrote:
> > On Fri 15 Jun 2007, nguyenvinht wrote:
> >> Thanks Arran.
> >>
> >> How and where do I implement those codes in AIX RADIUS? Doable on AIX
> >> RADIUS?
> >
> > This is the FreeRADIUS mailing list. Please ask questions about other
> > RADIUS
> > servers elsewhere.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re : 2.0.0-pre : Failed to open socket.

2007-06-21 Thread A . L . M . Buxey
Hi,

> >The code has been taken out in the CVS head... if you want to use the
> >new features of 2** (of which there are many) use the CVS head not pre1.
> 
> Has the faulty code really been taken out or fixed, or is the resolution 
> of this situation a side-effect of udpfromto being disabled in HEAD at 
> the moment?

From what I recall the code is disabled (and was wrong anyway - can't
dig out the post from Alan but it was near the beginning of this month).

> Further, pre1 has features missing compared to HEAD (not least the 
> sites-available / sites-enabled stuff in raddb, which leads to quite a 
> few changes in the configuration file), the PGP signature for the pre1 
> .tar.gz doesn't verify and the .tar.bz2 isn't PGP signed, also 
> raddb/certs/bootstrap doesn't work for me in pre1. I haven't bothered to 
> try to debug raddb/certs/bootstrap yet; I have my own way of building 
> the necessary certificates.
> 
> Nevertheless, if any FreeBSD users want a tarball of my 2.0.0-pre1 port, 
> please email me. At the moment, it couldn't be committed to the ports 
> tree because the patches are organised incorrectly, but it does work on 
> my machine.

 Ignore pre1. Work with pre2 (aka current HEAD). 

alan

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re : 2.0.0-pre : Failed to open socket.

2007-06-21 Thread Arran Cudbard-Bell

>> As I said earlier , but will say again for clarity.
>>
>> It *is* a bug in pre1, Alan was trying something out that broke binding
>> in some BSD based operating systems and looks like Solaris too ...
>> 
>
> Following a little bit of detective work with gdb, I realised that the 
> problem is with the udpfromto code in -pre1, at least on FreeBSD. 
> Passing --without-udpfromto to configure on FreeBSD means 2.0.0-pre1 
> works on FreeBSD 6.2-RELEASE. Supposedly udpfromto works on BSD like 
> operating systems, but I've never got it to work on FreeBSD, even in 
> 1.1.x.
>
>   
That's the one!
>   
>> The code has been taken out in the CVS head... if you want to use the
>> new features of 2** (of which there are many) use the CVS head not pre1.
>> 
>
> Has the faulty code really been taken out or fixed, or is the resolution 
> of this situation a side-effect of udpfromto being disabled in HEAD at 
> the moment?
>
>   
Taken out as far as I know, but you'd have to ask Alan for that one.
>
> Is there any hope of a 2.0.0-pre2 release any time soon? I realise that 
> version 2 is still under active development,
Very active, though I did hear a mention of pre2 coming out soonish :)
Currently trying to help fix/diagnose a very weird bug that breaks FR on 
64-bit PPC based OSX boxes ...

Ah, do you run a 64-bit BSD machine? If so, I would really appreciate 
feedback on whether FR can do EAP without bombing out (though the issue 
isn't actually with the EAP module) ...
>  that HEAD has just gone 
> through a period of being uninstallable for a while so it may be wise to 
> let things settle a while longer
Really? It's been building fine for me. What error do you get?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html