Re: terminating EAP tunnels, proxy and realms
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> So the eap module extracts the attributes encoded in the eap message ? I can see that working for EAP GTC and EAP PAP but not MschapV2 ?
>
> It works for GTC, PAP, and MS-CHAPv2. The server can terminate PEAP, and proxy the inner EAP-MSCHAPv2 session as plain MS-CHAPv2.
>
> With the new virtual server support, it's now possible to have the inner tunnel session run through its own virtual server, independent of the outer tunnel session. Just set Virtual-Server = foo via update control, and the inner tunnel session will be run through server foo.
>
> 30 lines of code changed: incredible new flexibility.
>
> Alan DeKok.
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Yes :) I was just looking at the protocol filters, they look interesting and will make a lot of people on the list happy ...

Just finished building on my 32bit machine and ..

++? if (%{NAS-IP-Address} == 127.0.0.1) -> TRUE
++- entering if (%{NAS-IP-Address} == 127.0.0.1)
expand: %{Packet-Src-IP-Address} -> 139.184.14.161
Segmentation fault

*sigh*

bt
radius_update_attrlist (request=0x80280840, cs=0x8004c798, input_vps=0x8016bc60, name=0x8004c7f0 "request") at evaluate.c:854
854 if ((from_list[i]->operator == T_OP_EQ) ||
(gdb) bt
#0 radius_update_attrlist (request=0x80280840, cs=0x8004c798, input_vps=0x8016bc60, name=0x8004c7f0 "request") at evaluate.c:854
#1 0x80014afa in modcall (component=1, c=0x8016bdb0, request=0x80280840) at modcall.c:396
#2 0x8001141a in indexed_modcall (space=<value optimized out>, comp=1, idx=0, request=0x80280840) at modules.c:413
#3 0x80006c30 in rad_authenticate (request=0x80280840) at auth.c:540
#4 0x8001f096 in radius_handle_request (request=0x80280840, fun=0x80006b10 <rad_authenticate>) at event.c:2174
#5 0x80019fe6 in thread_pool_addrequest (request=0x80280840, fun=0x80006b10 <rad_authenticate>) at threads.c:836
#6 0x80015c5f in main (argc=2, argv=0xbfb42524) at radiusd.c:716

Same as on the apples !!!
Are you compiling with GCC ?

If you are compiling on GCC with the default configuration options ... then it can only be my config ... it's the only constant... and a bug in a source *somewhere*, just in a very obscure place. :\

Would you like the core dumps from the 32bit machine ?

---
Arran
Re: EAP-TTLS PAP Mysql problems
And the problem is? Your request gets accepted and you do return VLAN attributes.

Ivan Kalik
Kalik Informatika ISP

On 24/6/2007, emmcosta [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
>>> Hi,
>>> See in attach naslist, clients.conf and radius -xx log.
>>
>> you don't have 127.0.0.1 in your clients.conf
>>
>> alan
>
> I already added 127.0.0.1 in my clients.conf but I continue with the problem.
>
> --
> /emmc
Re: EAP-TTLS PAP Mysql problems
[EMAIL PROTECTED] wrote:
> And the problem is? Your request gets accepted and you do return VLAN attributes.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 24/6/2007, emmcosta [EMAIL PROTECTED] wrote:
>> [EMAIL PROTECTED] wrote:
>>>> Hi,
>>>> See in attach naslist, clients.conf and radius -xx log.
>>>
>>> you don't have 127.0.0.1 in your clients.conf
>>>
>>> alan
>>
>> I already added 127.0.0.1 in my clients.conf but I continue with the problem.
>>
>> --
>> /emmc

I think that I know what the problem is. When I change the configuration in my Cisco AP 1100 to this:

dot11 ssid FONTELONGA
 vlan 2
 authentication open eap eap_methods
 authentication key-management wpa
 accounting acct_methods

interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers tkip
 !
 encryption mode ciphers tkip
 !
 ssid FONTELONGA

The authentication fails, but if I change it to this:

dot11 ssid FONTELONGA
 vlan 2
 authentication open eap eap_methods
 accounting acct_methods
..
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode wep optional
 !
 encryption vlan 2 mode wep mandatory
 !
 ssid FONTELONGA

the authentication is successful.

Can you help me? My Cisco AP 1100 IOS version is 12.3(8)JA2.

--
/emmc
Re: EAP-TTLS PAP Mysql problems
Can you post the radius debug from the failed attempt.

Ivan Kalik
Kalik Informatika ISP

On 24/6/2007, emmcosta [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
>> And the problem is? Your request gets accepted and you do return VLAN attributes.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 24/6/2007, emmcosta [EMAIL PROTECTED] wrote:
>>> [EMAIL PROTECTED] wrote:
>>>>> Hi,
>>>>> See in attach naslist, clients.conf and radius -xx log.
>>>>
>>>> you don't have 127.0.0.1 in your clients.conf
>>>>
>>>> alan
>>>
>>> I already added 127.0.0.1 in my clients.conf but I continue with the problem.
>>>
>>> --
>>> /emmc
>
> I think that I know what the problem is. When I change the configuration in my Cisco AP 1100 to this:
>
> .
> dot11 ssid FONTELONGA
>  vlan 2
>  authentication open eap eap_methods
>  authentication key-management wpa
>  accounting acct_methods
>
> interface Dot11Radio0
>  no ip address
>  no ip route-cache
>  !
>  encryption vlan 2 mode ciphers tkip
>  !
>  encryption mode ciphers tkip
>  !
>  ssid FONTELONGA
> .
>
> The authentication fails, but if I change it to this:
>
> .
> dot11 ssid FONTELONGA
>  vlan 2
>  authentication open eap eap_methods
>  accounting acct_methods
> ...
> interface Dot11Radio0
>  no ip address
>  no ip route-cache
>  !
>  encryption mode wep optional
>  !
>  encryption vlan 2 mode wep mandatory
>  !
>  ssid FONTELONGA
> .
>
> the authentication is successful.
>
> Can you help me? My Cisco AP 1100 IOS version is 12.3(8)JA2.
>
> --
> /emmc
Re: terminating EAP tunnels, proxy and realms
Arran Cudbard-Bell wrote:
> I was just looking at the protocol filters, they look interesting and will make a lot of people on the list happy ...

rlm_protocol_filter? I put that in 2 years ago, and I didn't think anyone was using it...

> Just finished building on my 32bit machine and ..
>
> ++? if (%{NAS-IP-Address} == 127.0.0.1) -> TRUE
> ++- entering if (%{NAS-IP-Address} == 127.0.0.1)
> expand: %{Packet-Src-IP-Address} -> 139.184.14.161
> Segmentation fault

Fixed, thanks.

Alan DeKok.
Re: EAP-TTLS PAP Mysql problems
In what way is this not OK? RADIUS works. Do debug on your NAS to see why the connection is not established.

Ivan Kalik
Kalik Informatika ISP

On 24/6/2007, emmcosta [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
>> Can you post the radius debug from the failed attempt.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 24/6/2007, emmcosta [EMAIL PROTECTED] wrote:
>>> [EMAIL PROTECTED] wrote:
>>>> And the problem is? Your request gets accepted and you do return VLAN attributes.
>>>>
>>>> Ivan Kalik
>>>> Kalik Informatika ISP
>>>>
>>>> On 24/6/2007, emmcosta [EMAIL PROTECTED] wrote:
>>>>> [EMAIL PROTECTED] wrote:
>>>>>>> Hi,
>>>>>>> See in attach naslist, clients.conf and radius -xx log.
>>>>>>
>>>>>> you don't have 127.0.0.1 in your clients.conf
>>>>>>
>>>>>> alan
>>>>>
>>>>> I already added 127.0.0.1 in my clients.conf but I continue with the problem.
>>>>>
>>>>> --
>>>>> /emmc
>>>
>>> I think that I know what the problem is. When I change the configuration in my Cisco AP 1100 to this:
>>>
>>> .
>>> dot11 ssid FONTELONGA
>>>  vlan 2
>>>  authentication open eap eap_methods
>>>  authentication key-management wpa
>>>  accounting acct_methods
>>>
>>> interface Dot11Radio0
>>>  no ip address
>>>  no ip route-cache
>>>  !
>>>  encryption vlan 2 mode ciphers tkip
>>>  !
>>>  encryption mode ciphers tkip
>>>  !
>>>  ssid FONTELONGA
>>> .
>>>
>>> The authentication fails, but if I change it to this:
>>>
>>> .
>>> dot11 ssid FONTELONGA
>>>  vlan 2
>>>  authentication open eap eap_methods
>>>  accounting acct_methods
>>> ...
>>> interface Dot11Radio0
>>>  no ip address
>>>  no ip route-cache
>>>  !
>>>  encryption mode wep optional
>>>  !
>>>  encryption vlan 2 mode wep mandatory
>>>  !
>>>  ssid FONTELONGA
>>> .
>>>
>>> the authentication is successful.
>>>
>>> Can you help me? My Cisco AP 1100 IOS version is 12.3(8)JA2.
>>>
>>> --
>>> /emmc
>
> --
> /emmc
Re: terminating EAP tunnels, proxy and realms
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> I was just looking at the protocol filters, they look interesting and will make a lot of people on the list happy ...
>
> rlm_protocol_filter? I put that in 2 years ago, and I didn't think anyone was using it...

Well it's a little obscure, it's not included in the default radiusd.conf file ? I guess if it's just working off EAP-Type then its functionality can be replicated in unlang ... I've just seen a few requests with people saying how can I limit EAP to xyz.

Can you clear something up for me with inner/outer identity.

The outer identity is in the User-Name attribute, it's a standard RADIUS attribute...

Inner identity is encoded in the EAP message, and is pulled out by the EAP module prior to internal proxying and set as the User-Name attribute (which should overwrite the User-Name attribute in the request) ?

And it's standard practice to leave the outer identity as anonymous, as the only communication between the NAS and the Supplicant is EAP based when using EAPOL, and so the NAS would have to understand EAP to be able to extract the User-Name string and write it into the Access-Request packet ?

So although the NAS must send an EAP-Identity-Request when the client connects it's not required to understand the EAP-Identity-Response ?

Thanks,
Arran
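
The outer and inner identities asked about above both travel as EAP-Response/Identity packets (RFC 3748), and RFC 3579 has the NAS copy the Type-Data of the outer one into User-Name. The Python below is an added example, not part of the original thread or of FreeRADIUS; the function names and the sample identities are constructed for illustration.

```python
import struct

EAP_RESPONSE = 2       # RFC 3748 Code value for a Response
EAP_TYPE_IDENTITY = 1  # RFC 3748 Type value for Identity


def parse_eap_identity(packet: bytes) -> str:
    """Return the identity carried in an EAP-Response/Identity packet."""
    if len(packet) < 5:
        raise ValueError("too short for an EAP header plus Type")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE or packet[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if length < 5 or length > len(packet):
        raise ValueError("EAP Length field disagrees with the data received")
    # Type-Data runs up to Length; bytes past Length are padding and ignored.
    return packet[5:length].decode("utf-8")


def split_realm(identity: str):
    """Split user@realm; an identity without '@' has no realm."""
    user, sep, realm = identity.rpartition("@")
    return (user, realm) if sep else (identity, None)


def build_identity_response(ident: int, identity: str) -> bytes:
    """Build a constructed sample EAP-Response/Identity for the demo."""
    data = identity.encode("utf-8")
    header = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data),
                         EAP_TYPE_IDENTITY)
    return header + data


# Constructed sample values (assumptions, not taken from the thread).
OUTER = build_identity_response(1, "anonymous@example.org")  # seen by the NAS
INNER = build_identity_response(7, "alice@example.org")      # inside the PEAP tunnel

if __name__ == "__main__":
    # The NAS only ever sees the outer identity, so that is what lands in
    # User-Name and what proxies use for realm routing.
    print("outer User-Name:", parse_eap_identity(OUTER))
    print("routing realm:  ", split_realm(parse_eap_identity(OUTER))[1])
    # The real user name is visible only to the server that terminates the tunnel.
    print("inner User-Name:", parse_eap_identity(INNER))
```
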
Re: Exec-Program-Wait
> What led you to believe %C{User-Name} would be the user name? The documentation says it's %{User-Name}. Where did the extra 'C' come from?

I found it on the following site:
http://ftp.wayne.edu/pub/gnu/Manuals/radius-0.95/html_node/radius_182.html

quote

Example

Suppose the `users' file contains the following entry:

DEFAULT Auth-Type = System, Simultaneous-Use = 1
    Exec-Program-Wait = /usr/local/sbin/telauth \
        %C{User-Name} \
        %C{Calling-Station-Id}

Then, upon successful matching, the program `/usr/local/sbin/telauth' will be executed. It will get as its arguments the values of User-Name and Calling-Station-Id attributes from the request pairs.

end of quote

Anyway, after removing the extra 'C' everything works fine. Thanks for the help.

Mike
Re: Exec-Program-Wait
On Mon 25 Jun 2007, Michael Alexeev wrote:
>> What led you to believe %C{User-Name} would be the user name? The documentation says it's %{User-Name}. Where did the extra 'C' come from?
>
> I found it on the following site:
> http://ftp.wayne.edu/pub/gnu/Manuals/radius-0.95/html_node/radius_182.html

Which, if you read the title is the GNU Radius Manual, not the FreeRADIUS Manual. You will probably have better luck if you read docs for the software you are using ;-)

Cheers

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
accounting.
hi all,

how is accounting implemented in freeradius in case of a prepaid user?

thank you.