Re: XLAT Parsing error.
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> alternate values aren't being parsed correctly in xlat strings involving
>> modules.
>
> It doesn't work. It's not intended to work, because ":-" is a
> perfectly valid string to pass to a module. ":-" only works for attributes.

Yes I suppose it is ..

>> What would be really cool is if one query returned a null string a
>> second query could be executed as an alternate, but I'm not sure how
>> hard that would be to do.
>
> That's probably not hard.
>
> %{%{sql:foo}:-%{sql:bar}}
>
> It's easier to parse. It looks slightly more complicated to look at,
> but not too bad.

That would be excellent ... Allows "if user not found here, look there" type stuff.

Arran

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: XLAT Parsing error.
Arran Cudbard-Bell wrote:
> alternate values aren't being parsed correctly in xlat strings involving
> modules.

It doesn't work. It's not intended to work, because ":-" is a perfectly valid string to pass to a module. ":-" only works for attributes.

> What would be really cool is if one query returned a null string a
> second query could be executed as an alternate, but I'm not sure how
> hard that would be to do.

That's probably not hard.

%{%{sql:foo}:-%{sql:bar}}

It's easier to parse. It looks slightly more complicated to look at, but not too bad.

Alan DeKok.
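A toy xlat expander, added here as an illustration and not FreeRADIUS code, that implements the two points made in this thread: in `%{module:argument}` everything after the first colon (including a trailing `:-null`) is the module's argument, while the nested `%{%{primary}:-%{alternate}}` form can fall back to a second query. The `sql` module, the sample row and the query text are constructed stand-ins for rlm_sql and for the query in the original post.

```python
"""Toy xlat expander: why %{module:...:-alt} cannot fall back, and how the nested
%{%{primary}:-%{alternate}} form proposed in the reply can. Added example, not
FreeRADIUS code; the 'sql' module and query text below are constructed stand-ins."""
import re
from typing import Callable, Dict, List

Attrs = Dict[str, str]
Modules = Dict[str, Callable[[str], str]]


def _matching_brace(s: str, start: int) -> int:
    """Index of the '}' closing the '%{' that opens at s[start], allowing nesting."""
    depth = 0
    i = start
    while i < len(s):
        if s.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unterminated %{ in xlat string")


def expand(template: str, attrs: Attrs, modules: Modules) -> str:
    """Expand every %{...} in template; literal text is copied through unchanged."""
    out: List[str] = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            close = _matching_brace(template, i)
            out.append(_expand_ref(template[i + 2:close], attrs, modules))
            i = close + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def _expand_ref(inner: str, attrs: Attrs, modules: Modules) -> str:
    """Expand the text between one '%{' and its matching '}'."""
    if inner.startswith("%{"):
        # Proposed form %{%{primary}:-%{alternate}}: the primary is a complete
        # expansion on its own, so the ':-' that follows it is unambiguous.
        close = _matching_brace(inner, 0)
        primary = expand(inner[:close + 1], attrs, modules)
        rest = inner[close + 1:]
        if rest and not rest.startswith(":-"):
            raise ValueError("expected ':-' after nested expansion")
        return primary if (primary or not rest) else expand(rest[2:], attrs, modules)

    name, sep, tail = inner.partition(":")
    if not sep:
        return attrs.get(name, "")                        # %{Attribute}
    if tail.startswith("-"):
        # %{Attribute:-alt}: the only place where ':-' acts as an operator.
        return attrs.get(name, "") or expand(tail[1:], attrs, modules)
    # %{module:argument}: everything after the first ':' belongs to the module,
    # including any ':-' inside it, which is the behaviour the thread reports.
    return modules[name](expand(tail, attrs, modules))


# ---- constructed stand-in for rlm_sql -------------------------------------------
RECEIVED_QUERIES: List[str] = []        # exact query strings handed to the module
SUPPLICANT_FLAGS = {"00-19-E3-0C-CD-58": "0000000001"}   # constructed sample row
ROW_QUERY = re.compile(r"^SELECT flags FROM master WHERE hw_address = '([^']*)' LIMIT 0,1$")
DEFAULT_QUERY = "SELECT flags FROM site_default LIMIT 0,1"


def fake_sql(query: str) -> str:
    """Answer the two query shapes used below; anything else (for instance a query
    with a stray ':-null' appended) is treated as a failed query and yields ''."""
    RECEIVED_QUERIES.append(query)
    m = ROW_QUERY.match(query)
    if m:
        return SUPPLICANT_FLAGS.get(m.group(1), "")
    if query == DEFAULT_QUERY:
        return "0000000000"
    return ""


MODULES: Modules = {"sql": fake_sql}

# Shape of the template in the original post: ':-null' lands inside the SQL text.
ORIGINAL = ("%{sql:SELECT flags FROM master WHERE hw_address = "
            "'%{Calling-Station-Id:-null}' LIMIT 0,1:-null}")
# Shape proposed in the reply: run a second query only when the first returns nothing.
NESTED = ("%{%{sql:SELECT flags FROM master WHERE hw_address = "
          "'%{Calling-Station-Id:-null}' LIMIT 0,1}"
          ":-%{sql:SELECT flags FROM site_default LIMIT 0,1}}")


def run(template: str, mac: str = "") -> str:
    """Expand template for a request carrying Calling-Station-Id = mac (if given)."""
    RECEIVED_QUERIES.clear()
    attrs: Attrs = {"Calling-Station-Id": mac} if mac else {}
    return expand(template, attrs, MODULES)
```

`run(ORIGINAL, ...)` hands the module a query ending in `LIMIT 0,1:-null`, exactly as the original post observed, while `run(NESTED, ...)` issues the second query only when the first returns an empty string.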
Re: Assertion failed in conffile.c, line 109, Abort
Arran Cudbard-Bell wrote:
> Including separate configuration files in major stanza subsections
> results in.
>
> Assertion failed in conffile.c, line 109
> Abort
...
> It's definitely the include statement.

Yes. There's one condition not caught in the module code apparently. I'll commit a fix shortly.

Alan DeKok.
RE: FreeRadius 1.1.6 Segmentation Fault with LDAP
It's a compile time option. Add "-DLDAP_DEPRECATED" to your CFLAGS. So when you compile it (if you're using a spec file to build an RPM, which I am assuming because you're running FC5) just add that to your CFLAGS -- it should be one of the first few lines in the spec file under the %build section. You can also set it through the configure script before you compile (if you're not using an RPM).

I hope that makes it a little more clear, and I hope it helps you. Let me know. Good luck! I had the EXACT same symptoms, and this solved it for me, so I would try it before worrying about extensive debugging stuff.

Joe

-Original Message-
From: [EMAIL PROTECTED] on behalf of Robert E. Toense
Sent: Mon 6/25/2007 7:47 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius 1.1.6 Segmentation Fault with LDAP

Joe,

This may sound silly, but could you elaborate? Is this a "configure" option to FreeRadius? If so, I don't see it.

Thanks,
Robert

Joe Vieira wrote:
> You need to compile with ldap deprecated option.
> Joe
>
> -Original Message-
> From: "Robert E. Toense" <[EMAIL PROTECTED]>
> To: "freeradius-users@lists.freeradius.org"
> Sent: 6/25/2007 6:03 PM
> Subject: FreeRadius 1.1.6 Segmentation Fault with LDAP
>
> I am attempting to setup FreeRadius 1.1.6 to do PEAP authentication to
> an LDAP backend on another server. PEAP is working just fine to local
> Radius passwords. However, I get a segmentation fault whenever I try to
> use LDAP. Output from radiusd -X follows (sensitive information sanitized).
>
> OpenLDAP 2.3.30 is also installed. This is a Fedora Core 5 system.
>
> I see no network traffic between the Radius server and the LDAP server.
>
> Any hints?
>
> Robert
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for username
> radius_xlat: '(uid=username)'
> radius_xlat: 'ou=,dc=,dc=,dc=DDD'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to lappgen.nist.gov:636, authentication 0
> Segmentation fault
Re: FreeRadius 1.1.6 Segmentation Fault with LDAP
Joe,

This may sound silly, but could you elaborate? Is this a "configure" option to FreeRadius? If so, I don't see it.

Thanks,
Robert

Joe Vieira wrote:
> You need to compile with ldap deprecated option.
> Joe
>
> -Original Message-
> From: "Robert E. Toense" <[EMAIL PROTECTED]>
> To: "freeradius-users@lists.freeradius.org"
> Sent: 6/25/2007 6:03 PM
> Subject: FreeRadius 1.1.6 Segmentation Fault with LDAP
>
> I am attempting to setup FreeRadius 1.1.6 to do PEAP authentication to
> an LDAP backend on another server. PEAP is working just fine to local
> Radius passwords. However, I get a segmentation fault whenever I try to
> use LDAP. Output from radiusd -X follows (sensitive information sanitized).
>
> OpenLDAP 2.3.30 is also installed. This is a Fedora Core 5 system.
>
> I see no network traffic between the Radius server and the LDAP server.
>
> Any hints?
>
> Robert
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for username
> radius_xlat: '(uid=username)'
> radius_xlat: 'ou=,dc=,dc=,dc=DDD'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to lappgen.nist.gov:636, authentication 0
> Segmentation fault
RE: FreeRadius 1.1.6 Segmentation Fault with LDAP
You need to compile with ldap deprecated option.

Joe

-Original Message-
From: "Robert E. Toense" <[EMAIL PROTECTED]>
To: "freeradius-users@lists.freeradius.org"
Sent: 6/25/2007 6:03 PM
Subject: FreeRadius 1.1.6 Segmentation Fault with LDAP

I am attempting to setup FreeRadius 1.1.6 to do PEAP authentication to an LDAP backend on another server. PEAP is working just fine to local Radius passwords. However, I get a segmentation fault whenever I try to use LDAP. Output from radiusd -X follows (sensitive information sanitized).

OpenLDAP 2.3.30 is also installed. This is a Fedora Core 5 system.

I see no network traffic between the Radius server and the LDAP server.

Any hints?

Robert

rlm_ldap: - authorize
rlm_ldap: performing user authorization for username
radius_xlat: '(uid=username)'
radius_xlat: 'ou=,dc=,dc=,dc=DDD'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to lappgen.nist.gov:636, authentication 0
Segmentation fault
FreeRadius 1.1.6 Segmentation Fault with LDAP
I am attempting to setup FreeRadius 1.1.6 to do PEAP authentication to an LDAP backend on another server. PEAP is working just fine to local Radius passwords. However, I get a segmentation fault whenever I try to use LDAP. Output from radiusd -X follows (sensitive information sanitized).

OpenLDAP 2.3.30 is also installed. This is a Fedora Core 5 system.

I see no network traffic between the Radius server and the LDAP server.

Any hints?

Robert

rlm_ldap: - authorize
rlm_ldap: performing user authorization for username
radius_xlat: '(uid=username)'
radius_xlat: 'ou=,dc=,dc=,dc=DDD'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to lappgen.nist.gov:636, authentication 0
Segmentation fault
Re: users authentication failed
There is a DEFAULT entry in your users file setting Auth-Type System (and you are trying to use something else). Uncomment or delete that entry and try again.

This is a blind guess. It would help if you would post debug from the request.

Ivan Kalik
Kalik Informatika ISP

On 25/6/2007, "Carl aniams" <[EMAIL PROTECTED]> writes:

>I used numbers (123456) and it seems to work. Seems??
>
>when I use user:akim passwd:willy everything is all right (redirection
>authentication on radius and message response ok.) using browsing the net
>
>but when I try to use another user (carl passwd:aniam or all the several
>users I created) I have an access-reject message
>with following result:
>
>  modcall[authorize]: module "pap" returns noop for request 24
>modcall: leaving group authorize (returns ok) for request 24
>  rad_check_password: Found Auth-Type System
>auth: type "System"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 24
>  modcall[authenticate]: module "unix" returns notfound for request 24
>modcall: leaving group authenticate (returns notfound) for request 24
>auth: Failed to validate the user.
>Delaying request 24 for 1 seconds
>Finished request 24
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 0 to 192.168.1.3 port 2051
>Waking up in 4 seconds...
>--- Walking the entire request list ---
>Cleaning up request 24 ID 0 with timestamp 467fea7b
>
>what might be the fault
>--
>-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
>
>ANIAMBOSSOU Carl
>NIAMS TECHNOLOGIES
>tel: +229 90 04 08 58 +229 97 48 01 33
>COTONOU
>REPUBLIC OF BENIN
>WEST AFRICA
Re: Freeradius-Users Digest, Vol 26, Issue 120
On Mon 25 Jun 2007, Arran Cudbard-Bell wrote:
> Hugh Messenger wrote:
> > "Flavio Silvestrone" <[EMAIL PROTECTED]> said:
> >> Subject: Re: "Clear text password not available"
> >> The version of radius is "freeradius-1.0.1-3".
> >
> > All together now:
> >
> > "Upgrade to 1.1.6"
> >
> > I've kind of lost track of exactly what you are trying to do, but what
> > the users file seems to be set up to do is to authenticate 'massi'
> > locally in the users file, and flavio against the UNIX passwd file. And
> > UNIX is telling you it doesn't know anything about 'flavio'.
> >
> > I think. But definitely upgrade to 1.1.6, regardless!!
>
> Soon it'll be upgrade to 2.0.0 :)
>
> Ah debugging people's unlang configurations, what fun that'll be

*shudder*

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Assertion failed in conffile.c, line 109, Abort
Including separate configuration files in major stanza subsections results in:

Assertion failed in conffile.c, line 109
Abort

Post-Auth-Type REJECT {
    # * Uniform called station ID + SSID extraction
    # * Uniform calling station ID
    # * Correct NAS Port Type
    # * Rewrite loopback ips
    $INCLUDE ${confdir}/attrrewrite.conf

    # Log rejected attempts to help with debugging
    sql
    attr_filter.access_reject
}

Does the config parser not check in sub sections for files to be included? Adding the relevant configuration lines contained in attrrewrite.conf does not result in the error. It's definitely the include statement.

This happens in authorize, post-auth etc ...

Sorry, last bug for today :)

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: "Clear text password not available"
Kevin Bonner wrote:
> On Monday 25 June 2007 12:45:15 Flavio Silvestrone wrote:
>>> If you are using a recent version of freeradius, you should have the
> ...
>> The version of radius is "freeradius-1.0.1-3".
>
> 1.0.1 is not recent. Use 1.1.6.
>
>> flavio Cleartext-Password := "flavio"
>>     Service-Type = Framed-User,
>>     Framed-Protocol = PPP,
>>     Framed-IP-Address = 10.1.1.8,
>>     Framed-IP-Netmask = 255.255.255.0,
>>     Framed-Routing = Broadcast-Listen,
>> #   Framed-Filter-Id = "std.ppp",
>>     Framed-MTU = 1500,
>> #   Framed-Compression = Van-Jacobsen-TCP-IP
>
> Since you're using such an old version of freeradius, you cannot use
> Cleartext-Password here as it was available in 1.1.5 (I think) and later
> versions. You can use User-Password, but you should upgrade to a newer
> version.

Probably should also get rid of:

DEFAULT Auth-Type = System
        Fall-Through = 1

Further up in the users file. It doesn't look like you are trying to use the /etc/passwd file, which I think is what System is for. In general, never set Auth-Type.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: "Clear text password not available"
On Monday 25 June 2007 12:45:15 Flavio Silvestrone wrote:
> > If you are using a recent version of freeradius, you should have the
...
> The version of radius is "freeradius-1.0.1-3".

1.0.1 is not recent. Use 1.1.6.

> flavio Cleartext-Password := "flavio"
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP,
>     Framed-IP-Address = 10.1.1.8,
>     Framed-IP-Netmask = 255.255.255.0,
>     Framed-Routing = Broadcast-Listen,
> #   Framed-Filter-Id = "std.ppp",
>     Framed-MTU = 1500,
> #   Framed-Compression = Van-Jacobsen-TCP-IP

Since you're using such an old version of freeradius, you cannot use Cleartext-Password here as it was available in 1.1.5 (I think) and later versions. You can use User-Password, but you should upgrade to a newer version.

Kevin Bonner
Re: Freeradius-Users Digest, Vol 26, Issue 120
Hugh Messenger wrote:
> "Flavio Silvestrone" <[EMAIL PROTECTED]> said:
>> Subject: Re: "Clear text password not available"
>> The version of radius is "freeradius-1.0.1-3".
>
> All together now:
>
> "Upgrade to 1.1.6"
>
> I've kind of lost track of exactly what you are trying to do, but what the
> users file seems to be set up to do is to authenticate 'massi' locally in
> the users file, and flavio against the UNIX passwd file. And UNIX is
> telling you it doesn't know anything about 'flavio'.
>
> I think. But definitely upgrade to 1.1.6, regardless!!
>
Soon it'll be upgrade to 2.0.0 :)

Ah debugging people's unlang configurations, what fun that'll be. I have trouble enough debugging my own ...

++? if ("%{Called-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([[:alnum:]]*)?/i)
    expand: %{Called-Station-Id} -> 00-14-C2-B6-7D-32:eduroam
? Evaluating ("%{Called-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([[:alnum:]]*)?/i) -> TRUE
++? if ("%{Called-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([[:alnum:]]*)?/i) -> TRUE
++- entering if ("%{Called-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([[:alnum:]]*)?/i)
    expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 0014C2B67D32
    expand: %{7} -> eduroam
+++[request] returns updated
++- if ("%{Called-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([[:alnum:]]*)?/i) returns updated
++? if ("%{Calling-Station-Id}" =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
    expand: %{Calling-Station-Id} -> 00-19-E3-0C-CD-58
? Evaluating ("%{Calling-Station-Id}" =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
++? if ("%{Calling-Station-Id}" =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
++- entering if ("%{Calling-Station-Id}" =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
    expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 0019E30CCD58
+++[request] returns updated
++- if ("%{Calling-Station-Id}" =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns updated
++? if (!"%{NAS-Port-Type}"||("%{NAS-Port-Id}" =~ /wl[0-9]*/))
    expand: %{NAS-Port-Type} -> Wireless-802.11
? Evaluating "Wireless-802.11" -> FALSE
    expand: %{NAS-Port-Id} ->
? Evaluating ("%{NAS-Port-Id}" =~ /wl[0-9]*/) -> FALSE
++? if (!"%{NAS-Port-Type}"||("%{NAS-Port-Id}" =~ /wl[0-9]*/)) -> FALSE
++? if ("%{NAS-IP-Address}" == "127.0.0.1")
    expand: %{NAS-IP-Address} -> 139.184.6.42
? Evaluating ("%{NAS-IP-Address}" == "127.0.0.1") -> FALSE
++? if ("%{NAS-IP-Address}" == "127.0.0.1") -> FALSE

Muahaha

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
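The two station-id rules visible in the trace above, reimplemented as an added example (not the poster's configuration) so the normalisation can be checked offline on constructed inputs. The regexes are the posted ones translated to Python's re syntax (`[[:alnum:]]` becomes `[0-9A-Za-z]`); the 12-digit length check and the upper-casing are this example's additions.

```python
"""Normalise Called-Station-Id / Calling-Station-Id as the two unlang rules in the
trace above do. Added example, not the poster's configuration: the regexes are the
posted ones translated to Python's re ([[:alnum:]] -> [0-9A-Za-z]); the 12-digit
length check and the upper-casing are additions of this example."""
import re
from typing import Optional, Tuple

HEX2 = "([0-9a-f]{2})"
SEP = "[-:]?"
OCTETS = HEX2 + SEP + HEX2 + SEP + HEX2 + SEP + "([0-9a-f]{2,})" + SEP + HEX2 + SEP + HEX2

# Called-Station-Id rule: anchored, optional ":SSID" suffix captured as group 7.
CALLED_RE = re.compile("^" + OCTETS + SEP + "([0-9A-Za-z]*)?", re.IGNORECASE)
# Calling-Station-Id rule: same six octets, unanchored, no SSID group.
CALLING_RE = re.compile(OCTETS, re.IGNORECASE)


def _join_octets(m: "re.Match[str]") -> Optional[str]:
    """The %{1}%{2}%{3}%{4}%{5}%{6} expansion, plus a length check.

    The fourth group in the posted pattern is {2,} rather than {2}; on a
    separator-less value with extra hex digits (e.g. 14 of them) it swallows more
    than one octet, so anything that is not exactly 12 digits is rejected here
    rather than written back into the request.
    """
    mac = "".join(m.group(i) for i in range(1, 7)).upper()
    return mac if len(mac) == 12 else None


def normalize_called(value: str) -> Optional[Tuple[str, str]]:
    """(MAC, SSID) for a Called-Station-Id, or None when the rule would not fire."""
    m = CALLED_RE.match(value)
    if m is None:
        return None
    mac = _join_octets(m)
    return None if mac is None else (mac, m.group(7) or "")


def normalize_calling(value: str) -> Optional[str]:
    """12-digit MAC for a Calling-Station-Id, or None."""
    m = CALLING_RE.search(value)
    return None if m is None else _join_octets(m)


if __name__ == "__main__":
    # Constructed samples; the first of each group is the value seen in the trace.
    for v in ("00-14-C2-B6-7D-32:eduroam", "0014c2b67d32", "internet-test-2.4GH"):
        print(v, "->", normalize_called(v))
    for v in ("00-19-E3-0C-CD-58", "0019e30ccd58", "0019E30CCD58AB", "not-a-mac"):
        print(v, "->", normalize_calling(v))
```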
RE: Freeradius-Users Digest, Vol 26, Issue 120
"Flavio Silvestrone" <[EMAIL PROTECTED]> said:
> Subject: Re: "Clear text password not available"
> The version of radius is "freeradius-1.0.1-3".

All together now:

"Upgrade to 1.1.6"

I've kind of lost track of exactly what you are trying to do, but what the users file seems to be set up to do is to authenticate 'massi' locally in the users file, and flavio against the UNIX passwd file. And UNIX is telling you it doesn't know anything about 'flavio'.

I think. But definitely upgrade to 1.1.6, regardless!!

-- hugh
RE: Simultaneous-Use problem.
> On Monday 25 June 2007 11:42:08 Josh Howlett wrote:
> > I have a feeling that the answer is blindingly obvious, but I can't
> > figure it out...
> >
> > The 'users' file consists of:
> >
> > DEFAULT Auth-Type = Accept
> >     Simultaneous-Use := 1
>
> Because Simultaneous-Use is in the wrong place. Make it a
> check item and the session section should be processed.

That fixed it. As I thought, blindingly obvious; a case of needing another pair of eyes...

Thanks, josh.
Re: "Clear text password not available"
Can you post the FULL entry that you have in the users file? What you posted lists only reply items, which give us no information related to the problem you are having. What check items do you have? If you are using a recent version of freeradius, you should have the Cleartext-Password as a check item.

Have you run the server in debug mode? If so, there are probably error messages in the output which may assist you in resolving your problem.

Kevin Bonner

-

Hi Kevin

I can't find what you say as "Cleartext-Password as a check item". The version of radius is "freeradius-1.0.1-3". Here is my users file, thanks a lot:

#
#    Please read the documentation file ../doc/processing_users_file,
#    or 'man 5 users' (after installing the server) for more information.
#
#    This file contains authentication security and configuration
#    information for each user. Accounting requests are NOT processed
#    through this file. Instead, see 'acct_users', in this directory.
#
#    The first field is the user's name and can be up to
#    253 characters in length. This is followed (on the same line) with
#    the list of authentication requirements for that user. This can
#    include password, comm server name, comm server port number, protocol
#    type (perhaps set by the "hints" file), and huntgroup name (set by
#    the "huntgroups" file).
#
#    If you are not sure why a particular reply is being sent by the
#    server, then run the server in debugging mode (radiusd -X), and
#    you will see which entries in this file are matched.
#
#    When an authentication request is received from the comm server,
#    these values are tested. Only the first match is used unless the
#    "Fall-Through" variable is set to "Yes".
#
#    A special user named "DEFAULT" matches on all usernames.
#    You can have several DEFAULT entries. All entries are processed
#    in the order they appear in this file. The first entry that
#    matches the login-request will stop processing unless you use
#    the Fall-Through variable.
#
#    If you use the database support to turn this file into a .db or .dbm
#    file, the DEFAULT entries _have_ to be at the end of this file and
#    you can't have multiple entries for one username.
#
#    You don't need to specify a password if you set Auth-Type += System
#    on the list of authentication requirements. The RADIUS server
#    will then check the system password file.
#
#    Indented (with the tab character) lines following the first
#    line indicate the configuration values to be passed back to
#    the comm server to allow the initiation of a user session.
#    This can include things like the PPP configuration values
#    or the host to log the user onto.
#
#    You can include another `users' file with `$INCLUDE users.other'
#

#
#    For a list of RADIUS attributes, and links to their definitions,
#    see:
#
#    http://www.freeradius.org/rfc/attributes.html
#

#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser    Auth-Type := Reject
#            Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT    Group == "disabled", Auth-Type := Reject
#           Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve    Auth-Type := Local, User-Password == "testing"
#         Service-Type = Framed-User,
#         Framed-Protocol = PPP,
#         Framed-IP-Address = 172.16.3.33,
#         Framed-IP-Netmask = 255.255.255.0,
#         Framed-Routing = Broadcast-Listen,
#         Framed-Filter-Id = "std.ppp",
#         Framed-MTU = 1500,
#         Framed-Compression = Van-Jacobsen-TCP-IP

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"    Auth-Type := Local, User-Password == "hello"
#              Reply-Message = "Hello, %u"

#
# Dial user back and telnet to the default host for that port
#
#Deg    Auth-Type := Local, User-Password == "ge55ged"
#       Service-Type = Callback-Login-User,
#       Login-IP-Host = 0.0.0.0,
#       Callback-Number = "9,5551212",
#       Login-Service = Telnet,
#       Login-TCP-Port = Telnet

#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk    Auth-Type := Local, User-Password == "callme"
#          Service-Type = Callback-Login-User,
#          Login-IP-Host = timeshare1,
#          Login-Service = PortMaster,
#          Call
Re: users authentication failed
I used numbers (123456) and it seems to work. Seems??

When I use user:akim passwd:willy everything is all right (redirection authentication on radius and message response ok.) using browsing the net

But when I try to use another user (carl passwd:aniam or all the several users I created) I have an access-reject message with the following result:

  modcall[authorize]: module "pap" returns noop for request 24
modcall: leaving group authorize (returns ok) for request 24
  rad_check_password: Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 24
  modcall[authenticate]: module "unix" returns notfound for request 24
modcall: leaving group authenticate (returns notfound) for request 24
auth: Failed to validate the user.
Delaying request 24 for 1 seconds
Finished request 24
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.3 port 2051
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 24 ID 0 with timestamp 467fea7b

What might be the fault?

--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58 +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA
Re: "Clear text password not available"
On Monday 25 June 2007 10:14:07 Flavio Silvestrone wrote:
> If I enable the same pppoe profile (user: flavio, password: flavio) on the
> Access Point all work fine; when I disable the profile on the Access Point
> and I configure the radius client on the Access Point I have the problem.
> This is the configuration on the file /etc/raddb/users for the user
> "flavio"
>
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP,
>     Framed-IP-Address = 10.1.1.8,
>     Framed-IP-Netmask = 255.255.255.0,
>     Framed-Routing = Broadcast-Listen,
> #   Framed-Filter-Id = "std.ppp",
>     Framed-MTU = 1500,
> #   Framed-Compression = Van-Jacobsen-TCP-IP
>
> Any idea to find out the prob?
> Thanks a lot
> Flavio

Can you post the FULL entry that you have in the users file? What you posted lists only reply items, which give us no information related to the problem you are having. What check items do you have? If you are using a recent version of freeradius, you should have the Cleartext-Password as a check item.

Have you run the server in debug mode? If so, there are probably error messages in the output which may assist you in resolving your problem.

Kevin Bonner
Re: Simultaneous-Use problem.
On Monday 25 June 2007 11:42:08 Josh Howlett wrote:
> I have a feeling that the answer is blindingly obvious, but I can't
> figure it out...
>
> The 'users' file consists of:
>
> DEFAULT Auth-Type = Accept
>     Simultaneous-Use := 1

Simultaneous-Use is a check item, not a reply item.

> In radiusd.conf I also have:
>
> session {
>     sql
> }
>
> authorize {
>     radius-user-auth
> }
>
> 'radius-user-auth' is an rlm_exec instance that invokes a script used to
> authenticate users. It works fine, but the 'session' section never gets
> processed. Why?
>
> josh.

Because Simultaneous-Use is in the wrong place. Make it a check item and the session section should be processed.

Kevin Bonner
XLAT Parsing error.
Hi,

Another small xlat parsing error: alternate values aren't being parsed correctly in xlat strings involving modules.

update request {
    Supplicant-Flags = "%{sql_clients:SELECT EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` WHERE master.hw_address = '%{Calling-Station-Id:-null}' LIMIT 0,1:-null}"
}

expands to

SELECT EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` WHERE master.hw_address = '%{Calling-Station-Id:-null}' LIMIT 0,1:-null

when it should expand to

SELECT EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` WHERE master.hw_address = '%{Calling-Station-Id:-null}' LIMIT 0,1

What would be really cool is if one query returned a null string a second query could be executed as an alternate, but I'm not sure how hard that would be to do.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: "Clear text password not available"
Here the complete debug with radiusd -X, thanks:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.36:1024, id=96, length=152
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 2920
    NAS-Port-Type = Ethernet
    User-Name = "flavio"
    Calling-Station-Id = "00:15:D6:04:60:82"
    Called-Station-Id = "internet-test-2.4GH"
    NAS-Port-Id = "wlan1"
    CHAP-Challenge = 0xc690abfe086a6ece658731151fc97728
    CHAP-Password = 0x01e407ca5d5840551e1d6bb
Virtual servers
> >> Yes but it still needs to grab various attributes from the SQL database,
> >> and I thought a different query was run for post-auth ... as in the one
> >> that logs reply packets ;) ?
> >
> > Hmm... that may need fixing.
> >
> > Alan DeKok.

Yes, would be nice, though then you would have to be able to pass arguments to modules... Or create a new section called post-auth-logging... Which reminds me, return codes :P ?

Listening on authentication address 139.184.14.180 port 1812 as server primary
Listening on accounting address 139.184.14.180 port 1813 as server primary

OK, first bug: global clients aren't being copied across to virtual servers, even when no clients are specified in the virtual server. With SQL-based and static declarations. This is with one virtual server, no default server.

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Simultaneous-Use problem.
I have a feeling that the answer is blindingly obvious, but I can't figure it out...

The 'users' file consists of:

DEFAULT Auth-Type = Accept
        Simultaneous-Use := 1

In radiusd.conf I also have:

session {
        sql
}

authorize {
        radius-user-auth
}

'radius-user-auth' is an rlm_exec instance that invokes a script used to authenticate users. It works fine, but the 'session' section never gets processed. Why?

josh.
Re: "Clear text password not available"
Remove Auth-Type, change the password attribute to Cleartext-Password and the operator to :=, and post the output of radiusd -X.

Ivan Kalik
Kalik Informatika ISP

On 25/6/2007, "Flavio Silvestrone" <[EMAIL PROTECTED]> writes:

> I'm sorry, here the entry:
>
> flavio  Auth-Type := Local, User-Password == "flavio"
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 10.1.1.8,
>         Framed-IP-Netmask = 255.255.255.0,
>         Framed-Routing = Broadcast-Listen,
> #       Framed-Filter-Id = "std.ppp",
>         Framed-MTU = 1500,
> #       Framed-Compression = Van-Jacobsen-TCP-IP
>
> thanks
>
> 2007/6/25, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> >
> > > This is the configuration in the file /etc/raddb/users for the user "flavio":
> > >
> > >         Service-Type = Framed-User,
> > >         Framed-Protocol = PPP,
> > >         Framed-IP-Address = 10.1.1.8,
> > >         Framed-IP-Netmask = 255.255.255.0,
> > >         Framed-Routing = Broadcast-Listen,
> > > #       Framed-Filter-Id = "std.ppp",
> > >         Framed-MTU = 1500,
> > > #       Framed-Compression = Van-Jacobsen-TCP-IP
> > >
> > > Any idea to find out the prob ?
> >
> > There is no password here or the name of the user. Post the whole entry
> > for user flavio.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
Re: terminating EAP tunnels, proxy and realms
Arran Cudbard-Bell wrote:
>> I'm not sure why that matters. The *NAS* sets User-Name in the
>> Access-Request. The proxying server doesn't have to do anything.
>
> Well it needs to be able to read an identity of *some* kind, else how
> would it know where to proxy the packets to.

The NAS doesn't proxy the packets by user name. It just sends them to the locally configured RADIUS server.

The NAS doesn't really set the user name, either. It just copies it from the EAP packet sent by the supplicant.

> Yes but it still needs to grab various attributes from the SQL database,
> and I thought a different query was run for post-auth ... as in the one
> that logs reply packets ;) ?

Hmm... that may need fixing.

Alan DeKok.
Re: "Clear text password not available"
Flavio Silvestrone wrote:
> I'm sorry, here the entry:
>
> flavio Auth-Type := Local, User-Password == "flavio"

Why? See the FAQ. DO NOT SET Auth-Type.

Use Cleartext-Password := "flavio".

Alan DeKok.
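Why rlm_chap insists on a cleartext password: CHAP (RFC 1994, carried in RADIUS as described in RFC 2865 section 5.3) has the peer send one byte of Identifier followed by MD5(Identifier || password || challenge). The server can only check that by recomputing the digest from the password itself, so a crypt or MD5 hash of the password is useless to it, and the users entry above, which sets Auth-Type and never gives the server a usable password, is what produces "Clear text password not available". The following is an added example, not code from this thread or from FreeRADIUS; it reproduces both sides of the exchange in Python. The challenge is the CHAP-Challenge value from the radiusd -X output earlier on this page, the Identifier 1 matches the first byte of the CHAP-Password shown there, and the password "flavio" is the one from the users entry; the Request Authenticator is constructed.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Peer side (RFC 1994 section 4.1): the CHAP-Password attribute value is one
    byte of Identifier followed by MD5(Identifier || password || challenge)."""
    ident = bytes([chap_id & 0xFF])
    return ident + hashlib.md5(ident + password + challenge).digest()


def chap_verify(chap_password: bytes, cleartext_password: bytes,
                chap_challenge: Optional[bytes], request_authenticator: bytes) -> bool:
    """Server side, the check rlm_chap performs: recompute the digest from the
    cleartext password and compare.  RFC 2865 section 5.3: if the Access-Request
    carries no CHAP-Challenge attribute, the 16-byte Request Authenticator is the
    challenge."""
    if len(chap_password) != 17:            # 1 byte Identifier + 16 byte MD5 digest
        return False
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(chap_password[0], cleartext_password, challenge)
    # constant-time compare; the digest is not a secret, but the habit costs nothing
    return hmac.compare_digest(expected, chap_password)


# CHAP-Challenge from the debug output on this page and the password from the users
# entry; the Request Authenticator is constructed for the example.
CHAP_CHALLENGE = bytes.fromhex("c690abfe086a6ece658731151fc97728")
CLEARTEXT_PASSWORD = b"flavio"
REQUEST_AUTHENTICATOR = bytes(range(16))


def demo() -> dict:
    """Run the exchange once and return the server's verdicts for several cases."""
    response = chap_response(1, CLEARTEXT_PASSWORD, CHAP_CHALLENGE)
    # a one-way hash of the password is all a crypt-style store could hand the module;
    # the digest covers the cleartext, so verification with the hash must fail
    stored_hash = hashlib.md5(CLEARTEXT_PASSWORD).hexdigest().encode()
    return {
        "right_password": chap_verify(response, CLEARTEXT_PASSWORD, CHAP_CHALLENGE, REQUEST_AUTHENTICATOR),
        "wrong_password": chap_verify(response, b"Flavio", CHAP_CHALLENGE, REQUEST_AUTHENTICATOR),
        "hashed_password": chap_verify(response, stored_hash, CHAP_CHALLENGE, REQUEST_AUTHENTICATOR),
        # no CHAP-Challenge attribute: the server falls back to the Request Authenticator,
        # which here differs from the challenge the peer actually used
        "no_challenge_attr": chap_verify(response, CLEARTEXT_PASSWORD, None, REQUEST_AUTHENTICATOR),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'Access-Accept' if accepted else 'Access-Reject'}")
```

The practical consequence is the one behind Alan's advice: for CHAP the server-side store (users file or the SQL radcheck table) has to hold the recoverable password, so it must be protected like one; only PAP can be verified against a one-way hash.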
Re: users authentication failed
Carl aniams wrote:
> Be sure that I cross-checked the shared secret on my server and on the
> NAS (the AP), yet nothing.
> I even changed them, yet nothing.

Then either the MD5 libraries are broken, or the shared secret is wrong.

Alan DeKok.
Re: terminating EAP tunnels, proxy and realms
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> And indeed as the RFC states, the User-Identity needs to be set in the
>> access requests for non-EAP-aware proxies. I suspect FreeRADIUS may
>> count as one of these, as for all intents and purposes it provides no
>> mechanism to proxy arbitrary segments of an EAP conversation on inner
>> identity alone.
>
> I'm not sure why that matters. The *NAS* sets User-Name in the
> Access-Request. The proxying server doesn't have to do anything.

Well, it needs to be able to read an identity of *some* kind, else how would it know where to proxy the packets to? Just saying it's not technically EAP-aware in proxying mode; it doesn't matter, just academic discussion :)

>> Reason why I was asking is because most of the tests on the JRS test
>> website seem to break when you base the reply in FreeRADIUS on the
>> inner identity as opposed to the outer identity.
>
> The "post-auth" section is run in the outer identity, so you can
> re-write the reply to be whatever you want.

Yes, but it still needs to grab various attributes from the SQL database, and I thought a different query was run for post-auth ... as in the one that logs reply packets ;) ?

Maybe I'll move the defaults stuff to post-auth, as defaults set attributes using =, so they can't overwrite anything set earlier in Authorize, just fill in the blanks.

> Alan DeKok.

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: "Clear text password not available"
I'm sorry, here the entry:

flavio  Auth-Type := Local, User-Password == "flavio"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 10.1.1.8,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
#       Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
#       Framed-Compression = Van-Jacobsen-TCP-IP

thanks

2007/6/25, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> > This is the configuration in the file /etc/raddb/users for the user "flavio":
> >
> >         Service-Type = Framed-User,
> >         Framed-Protocol = PPP,
> >         Framed-IP-Address = 10.1.1.8,
> >         Framed-IP-Netmask = 255.255.255.0,
> >         Framed-Routing = Broadcast-Listen,
> > #       Framed-Filter-Id = "std.ppp",
> >         Framed-MTU = 1500,
> > #       Framed-Compression = Van-Jacobsen-TCP-IP
> >
> > Any idea to find out the prob ?
>
> There is no password here or the name of the user. Post the whole entry
> for user flavio.
>
> Ivan Kalik
> Kalik Informatika ISP
Re:users authentication failed
Alan DeKok wrote:
> Carl aniams wrote:
> ...
> > please any suggestion
> ...
> > WARNING: Unprintable characters in the password. ? Double-check the
> > shared secret on the server and the NAS!
>
> What part of that message is unclear?

Be sure that I cross-checked the shared secret on my server and on the NAS (the AP), yet nothing.
I even changed them, yet nothing.

> Alan DeKok.

-- 
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58 +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA
Re: "Clear text password not available"
> This is the configuration in the file /etc/raddb/users for the user "flavio":
>
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 10.1.1.8,
>         Framed-IP-Netmask = 255.255.255.0,
>         Framed-Routing = Broadcast-Listen,
> #       Framed-Filter-Id = "std.ppp",
>         Framed-MTU = 1500,
> #       Framed-Compression = Van-Jacobsen-TCP-IP
>
> Any idea to find out the prob ?

There is no password here or the name of the user. Post the whole entry for user flavio.

Ivan Kalik
Kalik Informatika ISP
"Clear text password not available"
Hello list,

For me it's the first time with freeradius; I tried to find a solution or a way to solve my problem but I have not found anything.

I have this message in the log of the freeradius server when a wireless client tries to establish a pppoe session:

Auth: Login incorrect (rlm_chap: Clear text password not available): [flavio/] (from client Erri port 1511 cli 00:35:00:04:60:99)

The message is clear but I don't know where to solve it. The configuration is:

- two wireless clients with a pppoe profile
- one wireless Access Point
- one freeradius server

If I enable the same pppoe profile (user: flavio, password: flavio) on the Access Point all works fine; when I disable the profile on the Access Point and configure the radius client on the Access Point I have the problem.

This is the configuration in the file /etc/raddb/users for the user "flavio":

        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 10.1.1.8,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
#       Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
#       Framed-Compression = Van-Jacobsen-TCP-IP

Any idea to find out the prob ?

Thanks a lot
Flavio
Re: terminating EAP tunnels, proxy and realms
Alan,

> > I do not want to terminate the EAP tunnels for the foreign realms, but I
> > have to terminate the local one (@tu-darmstadt.de and NULL) as I have to
> > forward the requests to a set of internal radius servers not capable of
> > speaking EAP.
>
> Set Proxy-To-Realm := LOCAL for the realms you want to terminate
> locally. Make sure that this is done before the "eap" module is run in
> the "authorise" section.
>
> Then, put the following in the "users" file to proxy the inner request
> to another realm:
>
> DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm = oldservers

I've already had these rules in users. The final hint was to set authhost = LOCAL in proxy.conf. Now it works as expected.

Thanks a lot to all who helped, especially to Alan of course!

-Andreas
-- 
Andreas Liebe/Darmstadt University of Technology/+49 6151 16-3150/3050(FAX)
Re: re: Problem on freeradius+openldap+tls
You are looking in the wrong place. Your problem is not with the server but with the client (certificate).

Ivan Kalik
Kalik Informatika ISP

On 25/6/2007, "Hangjun He" <[EMAIL PROTECTED]> writes:

> When I use ldapsearch -H ldaps://localhost/ ... I can get the correct record.
>
> Debug info:
> connection_get(11): got connid=12
> connection_read(11): checking for input on id=12
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(11): got connid=12
> connection_read(11): checking for input on id=12
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(11): unable to get TLS client DN, error=49 id=12
> connection_get(11): got connid=12
> connection_read(11): checking for input on id=12
> ber_get_next
> ber_get_next: tag 0x30 len 45 contents:
> ber_get_next
> do_bind
> ber_scanf fmt ({imt) ber:
> ber_scanf fmt (m}) ber:
> >>> dnPrettyNormal:
> <<< dnPrettyNormal: ,
> do_bind: version=3 dn="cn=admin,dc=aehve,dc=com" method=128
> do_bind: v3 bind: "cn=admin,dc=aehve,dc=com" to "cn=admin,dc=aehve,dc=com"
> send_ldap_result: conn=12 op=0 p=3
> send_ldap_response: msgid=1 tag=97 err=0
> ber_flush: 14 bytes to sd 11
> connection_get(11): got connid=12
> connection_read(11): checking for input on id=12
> ber_get_next
> ber_get_next: tag 0x30 len 73 contents:
> ber_get_next
> do_search
> ber_scanf fmt ({mb) ber:
> >>> dnPrettyNormal:
> <<< dnPrettyNormal: ,
> ber_scanf fmt (m) ber:
> ber_scanf fmt ({M}}) ber:
> => bdb_search
> bdb_dn2entry("cn=hlin,ou=people,dc=aehve,dc=com")
> search_candidates: base="cn=hlin,ou=people,dc=aehve,dc=com" (0x000b) scope=2
> => bdb_dn2idl("cn=hlin,ou=people,dc=aehve,dc=com")
> <= bdb_dn2idl: id=1 first=11 last=11
> => bdb_presence_candidates (objectClass)
> bdb_search_candidates: id=1 first=11 last=11
> => send_search_entry: conn 12 dn="cn=hlin,ou=People,dc=aehve,dc=com"
> ber_flush: 188 bytes to sd 11
> <= send_search_entry: conn 12 exit.
> send_ldap_result: conn=12 op=1 p=3
> send_ldap_response: msgid=2 tag=101 err=0
> ber_flush: 14 bytes to sd 11
> connection_get(11): got connid=12
> connection_read(11): checking for input on id=12
> ber_get_next
> ber_get_next: tag 0x30 len 5 contents:
> ber_get_next
> do_unbind
> connection_closing: readying conn=12 sd=11 for close
> connection_resched: attempting closing conn=12 sd=11
> connection_close: conn=12 sd=11
> TLS trace: SSL3 alert write:warning:close notify
>
> When I use freeradius on the same host:
> do_extended
> ber_scanf fmt ({m) ber:
> send_ldap_extended: err=0 oid= len=0
> send_ldap_response: msgid=1 tag=120 err=0
> ber_flush: 14 bytes to sd 11
> connection_get(11): got connid=11
> connection_read(11): checking for input on id=11
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(11): got connid=11
> connection_read(11): checking for input on id=11
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(11): unable to get TLS client DN, error=49 id=11
> connection_get(11): got connid=11
> connection_read(11): checking for input on id=11
> ber_get_next
> ber_get_next: tag 0x30 len 5 contents:
> ber_get_next
> TLS trace: SSL3 alert read:warning:close notify
> ber_get_next on fd 11 failed errno=0 (Success)
> connection_closing: readying conn=11 sd=11 for close
> connection_close: deferring conn=11 sd=11
> do_unbind
> connection_resched: attempting closing conn=11 sd=11
> connection_close: conn=11 sd=11
> TLS trace: SSL3 alert write:warning:close notify
>
> Hangjun He <[EMAIL PROTECTED]> wrote:
> > freeradius version 1.1.6
> > openldap version 2.3.23
> > openssl version 0.9.7g
> >
> > Hangjun He <[EMAIL PROTECTED]> wrote:
> > > hi,
> > > freeradius with openldap is OK when using cleartext communication.
> > > Now I want to use TLS.
> > >
> > > openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /usr/local/etc/openldap/ssl/cacert.pem shows the cacert/cert/key is correct.
> > >
> > > But when I use freeradius with TLS, errors pop up
Re: users authentication failed
1. WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!

2. You have a DEFAULT entry in the users file setting Auth-Type System. Comment it out. I assume your password is in the database.

Ivan Kalik
Kalik Informatika ISP

On 25/6/2007, "Carl aniams" <[EMAIL PROTECTED]> writes:

> hi
> I am using freeradius 1.1.6 with mysql 4 on a fedora core 4 with a DD-WRT
> v23 with enabled chilli.
> I have the users created through the dialupadmin page. Users are
> successfully created, but while trying to log in through chilli I have the
> following when I do radiusd -X.
> Please, any suggestion welcome.
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.1.3:2051, id=0, length=197
>         User-Name = "akim"
>         User-Password = "\332%\300D\310\373h\345]\237\036\216\242\373\362\001"
>         NAS-IP-Address = 0.0.0.0
>         Service-Type = Login-User
>         Framed-IP-Address = 192.168.182.2
>         Calling-Station-Id = "00-90-4B-A4-D0-E8"
>         Called-Station-Id = "00-18-F8-68-09-F5"
>         NAS-Identifier = "hotspot"
>         Acct-Session-Id = "467fca8f"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 0
>         Message-Authenticator = 0x23a39f4c2fabd6436787a53362759cf8
>         WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "akim", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>     users: Matched entry DEFAULT at line 153
>   modcall[authorize]: module "files" returns ok for request 0
> radius_xlat:  'akim'
> rlm_sql (sql): sql_set_user escaped user --> 'akim'
> radius_xlat:  'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'akim' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 4
> radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName, radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'akim' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> radius_xlat:  'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'akim' ORDER BY id'
> radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName, radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'akim' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql (sql): Released sql socket id: 4
>   modcall[authorize]: module "sql" returns ok for request 0
> rlm_pap: Found existing Auth-Type, not changing it.
>   modcall[authorize]: module "pap" returns noop for request 0
> modcall: leaving group authorize (returns ok) for request 0
>   rad_check_password:  Found Auth-Type System
> auth: type "System"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_unix: [akim]: invalid password
>   modcall[authenticate]: module "unix" returns reject for request 0
> modcall: leaving group authenticate (returns reject) for request 0
> auth: Failed to validate the user.
>   WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 0 to 192.168.1.3 port 2051
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 0 with timestamp 467fb396
> Nothing to do.  Sleeping until we see a request.
>
> --
> -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
> ANIAMBOSSOU Carl
> NIAMS TECHNOLOGIES
> tel: +229 90 04 08 58 +229 97 48 01 33
> COTONOU
> REPUBLIC OF BENIN
> WEST AFRICA
re: Problem on freeradius+openldap+tls
When I use ldapsearch -H ldaps://localhost/ ... I can get the correct record.

Debug info:

connection_get(11): got connid=12
connection_read(11): checking for input on id=12
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=12
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 45 contents:
ber_get_next
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal:
<<< dnPrettyNormal: ,
do_bind: version=3 dn="cn=admin,dc=aehve,dc=com" method=128
do_bind: v3 bind: "cn=admin,dc=aehve,dc=com" to "cn=admin,dc=aehve,dc=com"
send_ldap_result: conn=12 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 73 contents:
ber_get_next
do_search
ber_scanf fmt ({mb) ber:
>>> dnPrettyNormal:
<<< dnPrettyNormal: ,
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> bdb_search
bdb_dn2entry("cn=hlin,ou=people,dc=aehve,dc=com")
search_candidates: base="cn=hlin,ou=people,dc=aehve,dc=com" (0x000b) scope=2
=> bdb_dn2idl("cn=hlin,ou=people,dc=aehve,dc=com")
<= bdb_dn2idl: id=1 first=11 last=11
=> bdb_presence_candidates (objectClass)
bdb_search_candidates: id=1 first=11 last=11
=> send_search_entry: conn 12 dn="cn=hlin,ou=People,dc=aehve,dc=com"
ber_flush: 188 bytes to sd 11
<= send_search_entry: conn 12 exit.
send_ldap_result: conn=12 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
connection_closing: readying conn=12 sd=11 for close
connection_resched: attempting closing conn=12 sd=11
connection_close: conn=12 sd=11
TLS trace: SSL3 alert write:warning:close notify

When I use freeradius on the same host:

do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=11
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Success)
connection_closing: readying conn=11 sd=11 for close
connection_close: deferring conn=11 sd=11
do_unbind
connection_resched: attempting closing conn=11 sd=11
connection_close: conn=11 sd=11
TLS trace: SSL3 alert write:warning:close notify

Hangjun He <[EMAIL PROTECTED]> wrote:
> freeradius version 1.1.6
> openldap version 2.3.23
> openssl version 0.9.7g
>
> Hangjun He <[EMAIL PROTECTED]> wrote:
> > hi,
> > freeradius with openldap is OK when using cleartext communication.
> > Now I want to use TLS.
> >
> > openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /usr/local/etc/openldap/ssl/cacert.pem shows the cacert/cert/key is correct.
> >
> > But when I use freeradius with TLS, errors pop up:
> >
> > freeradius error:
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for hwang
> > radius_xlat:  '(uid=hwang)'
> > radius_xlat:  'ou=People,dc=aerohive,dc=com'
> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: attempting LDAP reconnection
> > rlm_ldap: (re)connect
Re: users authentication failed
Carl aniams wrote:
...
> please any suggestion
...
> WARNING: Unprintable characters in the password. ? Double-check the
> shared secret on the server and the NAS!

What part of that message is unclear?

Alan DeKok.
users authentication failed
hi

I am using freeradius 1.1.6 with mysql 4 on a fedora core 4 with a DD-WRT v23 with enabled chilli. I have the users created through the dialupadmin page. Users are successfully created, but while trying to log in through chilli I have the following when I do radiusd -X. Please, any suggestion welcome.

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.3:2051, id=0, length=197
        User-Name = "akim"
        User-Password = "\332%\300D\310\373h\345]\237\036\216\242\373\362\001"
        NAS-IP-Address = 0.0.0.0
        Service-Type = Login-User
        Framed-IP-Address = 192.168.182.2
        Calling-Station-Id = "00-90-4B-A4-D0-E8"
        Called-Station-Id = "00-18-F8-68-09-F5"
        NAS-Identifier = "hotspot"
        Acct-Session-Id = "467fca8f"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Message-Authenticator = 0x23a39f4c2fabd6436787a53362759cf8
        WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "akim", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 153
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  'akim'
rlm_sql (sql): sql_set_user escaped user --> 'akim'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'akim' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName, radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'akim' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'akim' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName, radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'akim' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [akim]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.3 port 2051
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 467fb396
Nothing to do.  Sleeping until we see a request.

-- 
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58 +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA
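Why a wrong shared secret shows up as a garbage User-Password rather than as a dropped packet: RFC 2865 section 5.2 hides the password by XOR-ing it, in 16-byte blocks, with MD5(secret || Request-Authenticator) for the first block and MD5(secret || previous cipher block) for any later ones. Nothing in that transform detects a key mismatch, so a server whose clients.conf secret differs from the NAS's simply decodes pseudo-random bytes, and FreeRADIUS's WARNING above is a printability heuristic on the result. The example below is added here and is not code from this thread or from FreeRADIUS; it implements the transform for both the NAS and the server side plus the same check. The secret, the typo'd server secret and the Request Authenticator are constructed; the 16-byte User-Password value is the one printed in the debug output above.

```python
import hashlib


def _blocks(data: bytes):
    """Yield data in 16-byte blocks, NUL-padding the last one (RFC 2865 section 5.2)."""
    data = data + b"\x00" * (-len(data) % 16)
    for i in range(0, len(data), 16):
        yield data[i:i + 16]


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side: c1 = p1 XOR MD5(S || RA), c_i = p_i XOR MD5(S || c_(i-1))."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    out, prev = bytearray(), request_authenticator
    for block in _blocks(password):
        keystream = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(block, keystream))
        out += cipher
        prev = cipher
    return bytes(out)


def unhide_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream, XOR, then strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher, keystream))
        prev = cipher
    return bytes(out).rstrip(b"\x00")


def has_unprintable(password: bytes) -> bool:
    """The heuristic behind the FreeRADIUS warning: a real password is printable
    ASCII, a wrong-secret decode almost never is."""
    return any(b < 0x20 or b > 0x7E for b in password)


# What FreeRADIUS printed after decoding with its own secret (from the debug output above).
DECODED_FROM_DEBUG = b"\332%\300D\310\373h\345]\237\036\216\242\373\362\001"

# Constructed values for the round trip; a real NAS picks a fresh random
# Request Authenticator for every request.
NAS_SECRET = b"testing123"
SERVER_SECRET = b"testing124"   # one character off, as in a mistyped clients.conf
REQUEST_AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> dict:
    """Hide a password as the NAS would, then decode it with the right and the wrong secret."""
    hidden = hide_user_password(b"akim-password", NAS_SECRET, REQUEST_AUTHENTICATOR)
    good = unhide_user_password(hidden, NAS_SECRET, REQUEST_AUTHENTICATOR)
    bad = unhide_user_password(hidden, SERVER_SECRET, REQUEST_AUTHENTICATOR)
    return {
        "good": good,
        "bad": bad,
        "bad_is_garbage": bad != b"akim-password",
        "bad_flagged": has_unprintable(bad),
        "debug_value_unprintable": has_unprintable(DECODED_FROM_DEBUG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Because the hiding scheme carries no integrity check, a secret mismatch is only caught if the request carries a Message-Authenticator (HMAC-MD5 over the packet with the secret) or if the decoded password looks wrong, which is exactly the heuristic above; the first place to look is therefore the secret configured for that client on each side.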
Re: reference guide...
suganthi V wrote:
> I tried to understand the code... But I didn't get a clear idea.
> Actually I don't know how and where to start reading the code...

Coding what? And if you're asking coding questions, please subscribe to freeradius-devel... that list is for development questions.

> I want the order in which I have to go through the code so that I will
> get a clear idea of the design...

Start at main(). The source code also has a lot of comments.

Alan DeKok.
Re: terminating EAP tunnels, proxy and realms
Arran Cudbard-Bell wrote:
> And indeed as the RFC states, the User-Identity needs to be set in the
> access requests for non-EAP-aware proxies. I suspect FreeRADIUS may
> count as one of these, as for all intents and purposes it provides no
> mechanism to proxy arbitrary segments of an EAP conversation on inner
> identity alone.

I'm not sure why that matters. The *NAS* sets User-Name in the Access-Request. The proxying server doesn't have to do anything.

> Reason why I was asking is because most of the tests on the JRS test
> website seem to break when you base the reply in FreeRADIUS on the
> inner identity as opposed to the outer identity.

The "post-auth" section is run in the outer identity, so you can re-write the reply to be whatever you want.

Alan DeKok.
RE: terminating EAP tunnels, proxy and realms
> > Nope; see RFC 3579 for the gory details:
> >
> > "the NAS MUST copy the contents of the Type-Data field of the
> > EAP-Response/Identity received from the peer into the User-Name
> > attribute"
>
> See, that's what I suspected, else how could the User-Name
> attribute be populated in the access requests...
> And indeed as the RFC states, the User-Identity needs to be
> set in the access requests for non-EAP-aware proxies. I
> suspect FreeRADIUS may count as one of these, as for all
> intents and purposes it provides no mechanism to proxy
> arbitrary segments of an EAP conversation on inner identity alone.
> Unless I missed something?

No, that's correct.

> > For the reason given above, it *does* need to understand the
> > EAP-Identity-Response. But that's about it! The NAS is a pretty dumb
> > device.
>
> Reason why I was asking is because most of the tests on the
> JRS test website seem to break when you base the reply in
> FreeRADIUS on the inner identity as opposed to the outer identity.

I'm surprised at that; IIRC (and I did write the code originally :-) the tests use the same name for inner and outer. Still, it would probably be best if you raised a ticket with JANET Customer Services as this is a bit OT for this list.

best regards,
josh.
Re: reference guide...
Hi,

I tried to understand the code... But I didn't get a clear idea.
Actually I don't know how and where to start reading the code... I
want the order in which I have to go through the code so that I will
get a clear idea of the design...

Alan DeKok <[EMAIL PROTECTED]> wrote:
suganthi V wrote:
> I am new to freeradius. I want to understand the overall
> code flow and design of freeradius. Can anyone suggest any reference
> guide for understanding the design of freeradius please???

There is none. Reading the source code is your best bet.

Alan DeKok.
re: Problem on freeradius+openldap+tls
freeradius version 1.1.6
openldap version 2.3.23
openssl version 0.9.7g

Hangjun He <[EMAIL PROTECTED]> wrote:
hi,

freeradius with openldap is OK when using cleartext communication. Now I
want to use tls.

openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /usr/local/etc/openldap/ssl/cacert.pem

shows the cacert/cert/key is correct. But when I use freeradius with tls,
errors pop up:

freeradius error:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hwang
radius_xlat: '(uid=hwang)'
radius_xlat: 'ou=People,dc=aerohive,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/openldap/ssl/cacert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

openldap error:
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=902, written=902
..
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
 : 15 03 01 00 02 .
tls_read: want=2, got=2
 : 02 2a .*
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1052
connection_read(11): TLS accept failure error=-1 id=5, closing
connection_closing: readying conn=5 sd=11 for close
connection_close: conn=5 sd=11
daemon: removing 11

When I use freeradius on the same host as openldap, there are other errors:
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(10): unable to get TLS client DN, error=49 id=11
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify

Part of the configuration in slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/serverkey.pem
TLSVerifyClient try

Can anyone tell me why this is? Is anything wrong with my configuration file?

Thanks!
John
Re: reference guide...
suganthi V wrote:
> I am new to freeradius. I want to understand the overall
> code flow and design of freeradius. Can anyone suggest any reference
> guide for understanding the design of freeradius please???

There is none. Reading the source code is your best bet.

Alan DeKok.
Re: terminating EAP tunnels, proxy and realms
Josh Howlett wrote:
> Gah, my message bounced owing to change of email address...
>
> Arran wrote:
>> Can you clear something up for me with inner/outer identity.
>> The outer identity is in the User-Name attribute, it's a standard
>> RADIUS attribute... Inner identity is encoded in the EAP message, and
>> is pulled out by the EAP module prior to internal proxying and set as
>> the User-Name attribute (which should overwrite the User-Name
>> attribute in the request)?
>
> Correct.
>
>> And it's standard practice to leave the outer identity as anonymous,
>> as the only communication between the NAS and the Supplicant is EAP
>> based when using EAPOL, and so the NAS would have to understand EAP to
>> be able to extract the User-Name string and write it into the
>> Access-Request packet?
>
> Nope; see RFC 3579 for the gory details:
>
> "the NAS MUST copy the contents of the Type-Data field of the
> EAP-Response/Identity received from the peer into the User-Name
> attribute"
>

See, that's what I suspected, else how could the User-Name attribute be
populated in the access requests... And indeed as the RFC states, the
User-Identity needs to be set in the access requests for non-EAP-aware
proxies. I suspect FreeRADIUS may count as one of these, as for all
intents and purposes it provides no mechanism to proxy arbitrary
segments of an EAP conversation on inner identity alone. Unless I
missed something?

> The use of "anonymous" is simply to preserve privacy; it's not a
> technical requirement of any EAP method (that I know of).
>
> An interesting tangent: note that "end-user identity hiding" is simply a
> "requirement" of RFC 4017 ("EAP Method Requirements for Wireless LANs"),
> which I think is a shame.
>
>> So although the NAS must send an EAP-Identity-Request when the client
>> connects it's not required to understand the EAP-Identity-Response?
>
> For the reason given above, it *does* need to understand the
> EAP-Identity-Response. But that's about it! The NAS is a pretty dumb
> device.
>
> josh.

Reason why I was asking is because most of the tests on the JRS test
website seem to break when you base the reply in FreeRADIUS on the
inner identity as opposed to the outer identity.

So FreeRADIUS will copy all the attributes from the last attribute
request into the internally proxied request, and base the reply to the
NAS on the attributes coming back as the result of the internal proxy.
I have to do it like this else I get lots of duplicate reply attributes
and things overwriting other things when they shouldn't.

PEAP seems to work ok, but all the other TTLS tests break. Trying to
track down what the issue is... I'll post some debug traces when I've
moved the latest CVS to our "production" server.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
reference guide...
Hi all,

I am new to freeradius. I want to understand the overall code flow and
design of freeradius. Can anyone suggest any reference guide for
understanding the design of freeradius please??? I went through some
manuals of freeradius. But they are theoretical, explaining about radius
configurations and packet formats. But I want to understand the design
of that... Please help me if you know some guide.

Thanks a lot.
Re: terminating EAP tunnels, proxy and realms
Gah, my message bounced owing to change of email address...

Arran wrote:
> Can you clear something up for me with inner/outer identity.
> The outer identity is in the User-Name attribute, it's a standard
> RADIUS attribute... Inner identity is encoded in the EAP message, and
> is pulled out by the EAP module prior to internal proxying and set as
> the User-Name attribute (which should overwrite the User-Name
> attribute in the request)?

Correct.

> And it's standard practice to leave the outer identity as anonymous,
> as the only communication between the NAS and the Supplicant is EAP
> based when using EAPOL, and so the NAS would have to understand EAP to
> be able to extract the User-Name string and write it into the
> Access-Request packet?

Nope; see RFC 3579 for the gory details:

"the NAS MUST copy the contents of the Type-Data field of the
EAP-Response/Identity received from the peer into the User-Name
attribute"

The use of "anonymous" is simply to preserve privacy; it's not a
technical requirement of any EAP method (that I know of).

An interesting tangent: note that "end-user identity hiding" is simply a
"requirement" of RFC 4017 ("EAP Method Requirements for Wireless LANs"),
which I think is a shame.

> So although the NAS must send an EAP-Identity-Request when the client
> connects it's not required to understand the EAP-Identity-Response?

For the reason given above, it *does* need to understand the
EAP-Identity-Response. But that's about it! The NAS is a pretty dumb
device.

josh.
Re: cvs.freeradius.org failure?
Hi Alan,

On Mon, Jun 25, 2007 at 11:08:31AM +0200, Alan DeKok wrote:
> Milan Holub wrote:
> > is it possible that something is wrong with freeradius cvs?
>
> Yes. I think the machine's disk is full again. I'll ping the admin.

==> thanks.

> In any case, I think the "conflicting packet" problem you were seeing
> is solved.

==> thanks for the reply, I did not find time myself to test and reply
yet, but thanks again :)

> Alan DeKok.
Re: terminating EAP tunnels, proxy and realms
> Can you clear something up for me with inner/outer identity. The outer
> identity is in the User-Name attribute, it's a standard RADIUS

yep

> attribute... Inner identity is encoded in the EAP message, and is pulled

yep

> out by the EAP module prior to internal proxying and set as the
> User-Name attribute (which should overwrite the User-Name attribute in
> the request)?

yep

> And it's standard practice to leave the outer identity as anonymous, as

varies. some supplicants just set outer==inner e.g. winXP.

> the only communication between the NAS and the Supplicant is EAP based
> when using EAPOL, and so the NAS would have to understand EAP to be able
> to extract the User-Name string and write it into the Access-Request
> packet?

In fact, since the inner identity is normally sent in an encrypted EAP
flow, the NAS would have to break the encryption to access it. Basically
the NAS can't see the inner User-Name.

> So although the NAS must send an EAP-Identity-Request when the client
> connects it's not required to understand the EAP-Identity-Response?

Correct.

One final thing to add - the EAP standard specifies that in the final
Access-Accept, the radius server (which DOES know the inner User-Name)
should copy it to a User-Name attribute in the Access-Accept - so, the
radius server tells the NAS what the user is.

This is *slightly* complicated because by default, FreeRadius proxies
the inner EAP to itself, so when it sends that Access-Accept it sends it
to itself; and you need to "use_tunneled_reply" to actually get that
back to the NAS. That is:

NAS: Access-Request [EMAIL PROTECTED]
SRV: Access-Challenge
NAS: Access-Request [EMAIL PROTECTED]
SRV: Access-Challenge
NAS: Access-Request
SRV:
    SRV(outer): Access-Request [EMAIL PROTECTED]
    SRV(inner): Access-Accept [EMAIL PROTECTED]
SRV:
SRV: Access-Accept [EMAIL PROTECTED]

Hope that helps.
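As an added illustration (not code from this thread or from FreeRADIUS), a small Python model of the exchange described above: the NAS applies the RFC 3579 rule to fill User-Name from the EAP-Response/Identity, the server terminates the tunnel and proxies the inner request to itself, and the inner User-Name only reaches the NAS in the final Access-Accept when use_tunneled_reply is set. The packet bytes, the identities anonymous@example.org / alice@example.org, and the dict-based packets are constructed sample values; split_realm mimics what the suffix module does with user@realm.

```python
import struct

EAP_RESPONSE = 2        # EAP Code for a Response packet (RFC 3748)
EAP_TYPE_IDENTITY = 1   # EAP Type for Identity


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """Encode EAP-Response/Identity: Code, Identifier, Length, Type, Type-Data."""
    type_data = identity.encode()
    header = struct.pack("!BBHB", EAP_RESPONSE, identifier,
                         5 + len(type_data), EAP_TYPE_IDENTITY)
    return header + type_data


def nas_user_name_from_eap(eap: bytes) -> str:
    """The RFC 3579 rule the NAS applies: User-Name is the Type-Data of the
    EAP-Response/Identity. This is all the EAP the NAS ever needs to parse;
    everything inside the TLS tunnel is opaque to it."""
    if len(eap) < 5:
        raise ValueError("EAP packet too short")
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if length != len(eap):
        raise ValueError("EAP Length field does not match packet size")
    return eap[5:].decode()


def split_realm(user_name: str) -> tuple:
    """What the 'suffix' module does: split user@realm into (user, realm)."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep else (user_name, "")


def nas_access_request(eap: bytes) -> dict:
    """Outer Access-Request as the NAS builds it; User-Name is the outer identity."""
    return {"User-Name": nas_user_name_from_eap(eap), "EAP-Message": eap}


def server_reply(inner_identity: str, use_tunneled_reply: bool) -> dict:
    """The server terminates the tunnel and proxies the inner request to itself.
    The inner Access-Accept carries the real identity; it is copied into the
    outer Access-Accept sent to the NAS only when use_tunneled_reply is set."""
    inner_accept = {"Code": "Access-Accept", "User-Name": inner_identity}
    outer_accept = {"Code": "Access-Accept"}
    if use_tunneled_reply:
        outer_accept["User-Name"] = inner_accept["User-Name"]
    return outer_accept


def run_exchange(outer_identity: str, inner_identity: str,
                 use_tunneled_reply: bool) -> dict:
    """The exchange from the thread: the NAS's outer request and the final reply."""
    outer = nas_access_request(build_eap_identity_response(1, outer_identity))
    return {"outer_request": outer,
            "reply": server_reply(inner_identity, use_tunneled_reply)}


if __name__ == "__main__":
    # Constructed sample identities: anonymous outer, real inner, same realm.
    result = run_exchange("anonymous@example.org", "alice@example.org", True)
    print(split_realm(result["outer_request"]["User-Name"]))  # ('anonymous', 'example.org')
    print(result["reply"])  # {'Code': 'Access-Accept', 'User-Name': 'alice@example.org'}
```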
Re: cvs.freeradius.org failure?
Milan Holub wrote:
> is it possible that something is wrong with freeradius cvs?

Yes. I think the machine's disk is full again. I'll ping the admin.

In any case, I think the "conflicting packet" problem you were seeing
is solved.

Alan DeKok.
Re: radiusd stop responding. deadlock?
[EMAIL PROTECTED] wrote:
...
> I think that "stopping responding" in our site
> is similar to the following reports.
> 2007-February/060174.html
> 2006-March/051900.html
>
> Are these problems resolved?

No idea. I'm not going to troll through the list archives looking for
those messages.

> Is not
> "Port OpenSSL locking fixes from CVS head"
> (in ChangeLog for 1.1.5) related?

No idea. In any case, it's fixed in 1.1.6.

Alan DeKok.
terminate the server
How do I terminate the server process? Is the "kill" method a correct
way of terminating it?

thanks
Re: terminating EAP tunnels, proxy and realms
Arran Cudbard-Bell wrote:
...
>> It works for GTC, PAP, and MS-CHAPv2. The server can terminate PEAP,
>> and proxy the inner EAP-MSCHAPv2 session as plain MS-CHAPv2.
>>
> Ah cool, that's actually really useful. Does only one packet need to be
> proxied per EAP authentication?

Yes.

Alan DeKok.
Re: authentication and authorization
Diana Robert wrote:
...
> if we specify as above, can anyone say what's the difference between
> authentication and authorization functions.

What do you mean by that? "Authentication" and "authorization" are two
different words with different meanings.

The doc/ directory has files explaining how the server works, and what
happens in the various sections.

Alan DeKok.
cvs.freeradius.org failure?
Hi Alan,

is it possible that something is wrong with freeradius cvs? I can't log
in as anoncvs, nor can I do diffs or whatever. The client just hangs, e.g.:

`cvs -d:pserver:[EMAIL PROTECTED]:/source login`
Logging in to :pserver:[EMAIL PROTECTED]:2401/source
CVS password:
==> nothing happens for a long time
cvs [login aborted]: received interrupt signal
==> killed by ctrl-c

Please advise.

With regards.
Milan Holub
holub (at) thenet (dot) ch

--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch
http://wlan.thenet.ch
--
Problem on freeradius+openldap+tls
hi,

freeradius with openldap is OK when using cleartext communication. Now I
want to use tls.

openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /usr/local/etc/openldap/ssl/cacert.pem

shows the cacert/cert/key is correct. But when I use freeradius with tls,
errors pop up:

freeradius error:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hwang
radius_xlat: '(uid=hwang)'
radius_xlat: 'ou=People,dc=aerohive,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/openldap/ssl/cacert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

openldap error:
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=902, written=902
..
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
 : 15 03 01 00 02 .
tls_read: want=2, got=2
 : 02 2a .*
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1052
connection_read(11): TLS accept failure error=-1 id=5, closing
connection_closing: readying conn=5 sd=11 for close
connection_close: conn=5 sd=11
daemon: removing 11

When I use freeradius on the same host as openldap, there are other errors:
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(10): unable to get TLS client DN, error=49 id=11
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify

Part of the configuration in slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/serverkey.pem
TLSVerifyClient try

Can anyone tell me why this is? Is anything wrong with my configuration file?

Thanks!
John
authentication and authorization
radiusd.conf:

authenticate {
    Auth-Type customer1 {
        ldap1
    }
    Auth-Type customer2 {
        ldap2
    }
}

authorize {
    preprocess
    suffix
    Autz-Type customer1 {
        ldap1
    }
    Autz-Type customer2 {
        ldap2
    }
    files
}

users file:

DEFAULT Realm == "customer1", Autz-Type := customer1, Auth-Type := customer1

If we specify as above, can anyone say what's the difference between the
authentication and authorization functions?

thanks.