Re: How to configure EAP Identity in 1.1.3
Govardhana K N wrote:
> If that is the case, How can I add the WiMAX support in Free Radius?

Send a patch, or pay someone to do the work.

> What are the changes I should make in order to have WiMAX support?

Read the WiMAX specifications, and read the code to FreeRADIUS. Do the work to figure out what has to be done. So far, no one has done that, so there's no WiMAX support.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to configure EAP Identity in 1.1.3
If that is the case, How can I add the WiMAX support in Free Radius? What are the changes I should make in order to have WiMAX support?

On 7/17/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Govardhana K N wrote
> > I have got an Access-Challenge response from the server, and the
> > Access-Request sent in response to this challenge is failing
> > (Access-Reject is sent by the server). Below I have given the debug log
> > from the server,
>
> Are you writing a 802.1x supplicant? It looks like it.
>
> Also, note that the server does NOT support WiMAX attributes. You can create a WiMAX dictionary, but the attributes in the packet will NOT be in the WiMAX format. Also, many of the WiMAX attributes have sub-attributes, and those are definitely not supported.
>
> Alan DeKok.

--
With Regards,
Govardhana K N
Re: How to configure EAP Identity in 1.1.3
Govardhana K N wrote
> I have got an Access-Challenge response from the server, and the
> Access-Request sent in response to this challenge is failing
> (Access-Reject is sent by the server). Below I have given the debug log
> from the server,

Are you writing a 802.1x supplicant? It looks like it.

Also, note that the server does NOT support WiMAX attributes. You can create a WiMAX dictionary, but the attributes in the packet will NOT be in the WiMAX format. Also, many of the WiMAX attributes have sub-attributes, and those are definitely not supported.

Alan DeKok.
How to configure EAP Identity in 1.1.3
Kedar,

I have used response because I will be sending an EAP-Identity response packet to the Radius Server. So the code field is not Request, it should be Response.

All,

Thanks for the help. I was able to send the EAP message with the EAP-Type-Identity field.

I have got an Access-Challenge response from the server, and the Access-Request sent in response to this challenge is failing (Access-Reject is sent by the server). Below I have given the debug log from the server,

rad_recv: Access-Request packet from host 127.0.0.1:32825, id=60, length=113
        User-Name = "jrc"
        User-Password = "jrc"
        NAS-Identifier = "jrcnas"
        NAS-Port-Type = Ethernet
        CUI = "0"
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "1:1:1:1:1:1"
        Message-Authenticator = 0xaff453c7f7e3dc3639458de9740366a1
        EAP-Message = 0x02d20008016a7263
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "jrc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 210 length 8
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 152
users: Matched entry jrc at line 179
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 60 to 127.0.0.1 port 32825
        CUI = "jrccui"
        Class = 0x6a7263636c617373
        State = 0x6a72637374617465
        Framed-MTU = 1400
        Framed-IP-Address = 1.2.3.4
        Service-Type = Framed-User
        Session-Timeout = 30
        MS-MPPE-Send-Key = 0x6a72636d736b
        MS-MPPE-Recv-Key = 0x6a7263726563766d736b
        AAA-Session-Id = "jrcmultisessionid"
        HA-IP-MIP4 = 1.1.1.1
        DHCPv4-Server = 2.2.2.2
        MN-HA-MIP4-KEY = "jrcmipkey"
        MN-HA-MIP4-SPI = "jrcmipspi"
        DHCP-RK = "jrcdhcprk"
        DHCP-RK-KEY-ID = "jrcdhcpkey"
        DHCP-RK-LIFETIME = "20"
        EAP-Message = 0x01d300160410e0ccb378852f7a673815379d2f819db1
        Message-Authenticator = 0x
        State = 0x8343fbb52835fa0fb7fb84cab7f7a0db
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32825, id=61, length=155
        User-Name = "jrc"
        User-Password = "jrc"
        NAS-Identifier = "jrcnas"
        NAS-Port-Type = Ethernet
        CUI = "0"
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "1:1:1:1:1:1"
        Message-Authenticator = 0x8dc52d59961b5eb7d8789f7cb4dbea5a
        State = 0x6a72637374617465
        State = 0x8343fbb52835fa0fb7fb84cab7f7a0db
        EAP-Message = 0x02d300160410d3ab9cde585da0c10b343d38433fa0db
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "jrc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 211 length 22
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry DEFAULT at line 152
users: Matched entry jrc at line 179
modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 2
modcall: leaving group authenticate (returns invalid) for request 2
auth: Failed to validate the user.
Delayi
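The three EAP-Message values in the debug log above can be decoded by hand; the following is an added example, not part of the original post or of FreeRADIUS. It parses the RFC 3748 header, checks that the second response answers the outstanding MD5-Challenge, and computes the EAP-MD5 response for a given password; all function names are illustrative.

```python
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}

# EAP-Message values copied from the debug log in the post above.
IDENTITY = "0x02d20008016a7263"
CHALLENGE = "0x01d300160410e0ccb378852f7a673815379d2f819db1"
RESPONSE = "0x02d300160410d3ab9cde585da0c10b343d38433fa0db"


def parse_eap(hex_value):
    """Decode one EAP packet (RFC 3748, section 4) from an EAP-Message hex string."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, identifier, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(raw):
        raise ValueError(f"length field {length} does not fit {len(raw)} bytes")
    pkt = {"code": EAP_CODES[code], "id": ident, "length": length,
           "type": None, "data": b""}
    if code in (1, 2):  # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        pkt["type"] = EAP_TYPES.get(raw[4], f"type-{raw[4]}")
        pkt["data"] = raw[5:length]  # bytes past `length` are padding
        if raw[4] == 4:  # MD5-Challenge: Value-Size, Value, optional Name
            data = pkt["data"]
            if not data or data[0] > len(data) - 1:
                raise ValueError("MD5-Challenge Value-Size exceeds packet")
            pkt["value"] = data[1:1 + data[0]]
    return pkt


def answers(request, response):
    """True if `response` is a well-formed reply to the outstanding `request`."""
    return (request["code"] == "Request" and response["code"] == "Response"
            and request["id"] == response["id"]
            and response["type"] in (request["type"], "Nak"))


def md5_challenge_response(ident, secret, challenge):
    """EAP-MD5 value: MD5(identifier || secret || challenge), as in CHAP (RFC 1994)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_md5(request, response, secret):
    """Check the response value against the one expected for `secret`."""
    expected = md5_challenge_response(request["id"], secret, request["value"])
    return hmac.compare_digest(expected, response.get("value", b""))


if __name__ == "__main__":
    ident, chal, resp = (parse_eap(m) for m in (IDENTITY, CHALLENGE, RESPONSE))
    print("identity :", ident["code"], ident["type"], ident["id"], ident["data"])
    print("challenge:", chal["code"], chal["type"], chal["id"], chal["value"].hex())
    print("response answers challenge:", answers(chal, resp))
    # "jrc" is the User-Password shown in the log; whether the users file
    # holds the same cleartext password is not visible on the page.
    print("value matches password 'jrc':", verify_md5(chal, resp, b"jrc"))
```
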
Re: dictionary files 'encrypt' option
Gaonkar, Kedar wrote:
> There are a few dictionary files in /freeradius-1.1.6/share/ directory.
> Some of the Attributes have 'encrypt' option with values 1 or 2.
>
> I tried putting 'encrypt=2' for an attribute in a packet that was meant
> to be proxied on port 1814. But after giving this value, the packet is
> being sent on 1812.

Uh, no. The server doesn't work like that. The code that handles the encryption of attributes is completely independent of the code that does proxying.

> I wanted to know what these values mean, and what are the other values
> that can be given. Can someone please help me with this?

$ man dictionary

Alan DeKok.
Re: NAS restart without proper client logout on radius (mysql)
Hi Nataniel,

If you have a NASty which doesn't send accounting-off when rebooting, I guess you have three options:

1) Use the "checkrad" script to test if the user is indeed logged in. The NASty should have a way to check for connected users or sessions by using snmp/telnet/etc. If you have many auth requests and many "NASty"s, it will consume a lot of CPU on both sides.
   Result: no angry customers, but high CPU usage and no billing.

2) Run every N minutes a script to get the list of connected users for every NASty. Compare that list with the db entries and delete lost sessions from db.
   Result: low CPU usage, better billing (if your customers pay by time usage, you can still charge now() - N minutes - acct_start), but 'already logged in' will last N minutes (at most).

3) Use the petitiononline.com service to management with a subject "Network.Access.Server.TY must be replaced with Network.Access.Upgraded.Good.Hardware.TY".
   Result: no problems at all. Using good hardware is always the best option.

You can implement all three options AT THE SAME TIME to minimize the impact.

Best regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100
F:+40344880113

Monday, July 16, 2007, 7:37:08 PM, you wrote:

> Hello all,
> I have a question: when a nas restart without sending client logout
> to the freeradius server the clients stay connected in radacct table
> (AcctStopTime=0). What can I do to solve this kind of problem? What
> could happen is that when a nas reboot my clients keep logged and when
> the nas start again they will get "You are already logged in"
> (simultaneous-use).
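Option 2 above as an added example, not code from the thread or from FreeRADIUS: a periodic reconciliation that closes radacct sessions the NAS no longer reports and sets the stop time to "now minus N", as the post suggests for billing. It closes rows rather than deleting them so the accounting record survives. An in-memory SQLite table stands in for the MySQL radacct table; AcctStartTime, AcctTerminateCause, the epoch-second timestamps and the function names are assumptions, and the set of live session ids is whatever your own NAS query returns.

```python
import sqlite3

# Constructed sample rows: (AcctSessionId, UserName, NASIPAddress, start, stop).
# A stop time of 0 marks an open session, as in the thread (AcctStopTime=0).
SAMPLE_ROWS = [
    ("s1", "alice", "192.0.2.10", 1000, 0),    # still online on the NAS
    ("s2", "bob",   "192.0.2.10", 1200, 0),    # lost when the NAS rebooted
    ("s3", "carol", "192.0.2.10", 500,  900),  # already closed normally
    ("s4", "dave",  "192.0.2.20", 1100, 0),    # other NAS, must not be touched
    ("s5", "erin",  "192.0.2.10", 1950, 0),    # started after the previous run
]


def open_db():
    """Build the stand-in radacct table with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (AcctSessionId TEXT, UserName TEXT,"
        " NASIPAddress TEXT, AcctStartTime INTEGER, AcctStopTime INTEGER,"
        " AcctSessionTime INTEGER DEFAULT 0, AcctTerminateCause TEXT DEFAULT '')")
    db.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress,"
        " AcctStartTime, AcctStopTime) VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def close_lost_sessions(db, nas_ip, live_ids, now, interval):
    """Close open sessions on nas_ip that are absent from live_ids.

    Only sessions that already existed at the previous run (now - interval)
    are considered, so a login that raced with the NAS query is left alone.
    The stop time is set to the previous run, the last moment the session
    could have been seen alive: "now() - N minutes" in the post's wording.
    """
    cutoff = now - interval
    rows = db.execute(
        "SELECT AcctSessionId, AcctStartTime FROM radacct"
        " WHERE NASIPAddress = ? AND AcctStopTime = 0 AND AcctStartTime <= ?",
        (nas_ip, cutoff)).fetchall()
    lost = [(sid, start) for sid, start in rows if sid not in live_ids]
    for sid, start in lost:
        db.execute(
            "UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ?,"
            " AcctTerminateCause = 'NAS-Reboot'"
            " WHERE AcctSessionId = ? AND NASIPAddress = ? AND AcctStopTime = 0",
            (cutoff, cutoff - start, sid, nas_ip))
    db.commit()
    return sorted(sid for sid, _ in lost)


def open_sessions(db, nas_ip):
    """Session ids that simultaneous-use checking would still count."""
    cur = db.execute(
        "SELECT AcctSessionId FROM radacct"
        " WHERE NASIPAddress = ? AND AcctStopTime = 0", (nas_ip,))
    return sorted(row[0] for row in cur)


if __name__ == "__main__":
    db = open_db()
    # The NAS (queried out of band) reports only s1 as connected.
    print("closed:", close_lost_sessions(db, "192.0.2.10", {"s1"}, 2000, 300))
    print("still open:", open_sessions(db, "192.0.2.10"))
```
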
1.1.7 sqlippool %{SQL-User-Name}
Peter ... as per your postgres 1.1.7 sqlippool queries, I changed the MySQL ones to use %{SQL-User-Name} instead of %{User-Name} ... only it doesn't seem to pick up a value, so the UserName is coming up blank in the radippool table. Example:

sqlippool_expand: 'UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE NASIPAddress = '%{Nas-IP-Address}' AND pool_key = '%{Calling-Station-Id}' AND UserName = '%{SQL-User-Name}' AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}''
radius_xlat: 'UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE NASIPAddress = '216.108.219.36' AND pool_key = '00:14:6C:37:16:49' AND UserName = '' AND CallingStationId = '00:14:6C:37:16:49' AND FramedIPAddress = '172.168.124.120''

This happens on both 1.1.6 and 1.1.7. Should that be something like %{control:SQL-User-Name} ?

My apologies - I don't know how I missed this when testing yesterday. I guess it returned an IP just fine, so I didn't actually look at what it was doing too closely!

-- hugh
1.1.7 MySQL postauth_query
I seem to recall having this problem when I first ran 1.1.6. The postauth_query is:

postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"

... but MySQL barfs about an invalid 'id' value. Maybe this is down to my schema ... but surely, being an auto increment, we just don't need to specify the 'id' in the INSERT? I've modified it at my end to just be ...

postauth_query = "INSERT into ${postauth_table} (user, pass, reply, date) values ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"

... which works fine.

-- hugh
1.1.7 problem with DEFAULT Auth-Type
I just had my first aborted attempt at running 1.1.7 on one of my live servers. Main problem is it just refuses to pick up the ...

DEFAULT Auth-Type = pam
        Fall-Through = 1

... in my users file, which is pretty much my entire users file, the only other entry is the standard PPP default entry. Everything else is in SQL.

Unfortunately, I panicked after 5 mins of flailing around and reinstalled 1.1.6, and neglected to copy the -X output, which has since scrolled off the edge of the world. However, it definitely never printed any "Matched entry DEFAULT" lines, and complained that no Auth-Type was set.

The same users file works fine in 1.1.6.

-- hugh
RE: NAS restart without proper client logout on radius (mysql)
I don't think things like Mikrotik and Chillispot send such packets. I've never seen one from our Mikrotik which is rebooted once every week or two. I've never seen one from our Cisco either but that's because it hasn't been rebooted in last 18 months ;-)

Ivan Kalik
Kalik informatika ISP

On 16/7/2007, "Hugh Messenger" <[EMAIL PROTECTED]> wrote:

>[EMAIL PROTECTED] said:
>> On 16/7/2007, "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
>>
>> >Hello all,
>> >
>> >I have a question: when a nas restart without sending client logout
>> >to the freeradius server the clients stay connected in radacct table
>> >(AcctStopTime=0). What can I do to solve this kind of problem? What
>> >could happen is that when a nas reboot my clients keep logged and when
>> >the nas start again they will get "You are already logged in"
>> >(simultaneous-use).
>> >
>>
>> If they are getting that message then nastype in clients.conf is set to
>> "other" which disables checkrad script and the checks are made only
>> against the database. Change the nastype to the vendor of your NAS (if
>> it is supported). Or simply delete all open entries older than the time
>> your NAS rebooted.
>
>Shouldn't the NAS send one or both of accounting off/on, which (if the
>accounting_onoff_query is defined correctly) should set the AcctStopTime to
>"now()" (or %S depending on flavor)?
>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> -- hugh
RE: NAS restart without proper client logout on radius (mysql)
[EMAIL PROTECTED] said:
> On 16/7/2007, "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
>
> >Hello all,
> >
> >I have a question: when a nas restart without sending client logout
> >to the freeradius server the clients stay connected in radacct table
> >(AcctStopTime=0). What can I do to solve this kind of problem? What
> >could happen is that when a nas reboot my clients keep logged and when
> >the nas start again they will get "You are already logged in"
> >(simultaneous-use).
> >
>
> If they are getting that message then nastype in clients.conf is set to
> "other" which disables checkrad script and the checks are made only
> against the database. Change the nastype to the vendor of your NAS (if
> it is supported). Or simply delete all open entries older than the time
> your NAS rebooted.

Shouldn't the NAS send one or both of accounting off/on, which (if the accounting_onoff_query is defined correctly) should set the AcctStopTime to "now()" (or %S depending on flavor)?

> Ivan Kalik
> Kalik Informatika ISP

-- hugh
dictionary files 'encrypt' option
Hi,

There are a few dictionary files in /freeradius-1.1.6/share/ directory. Some of the Attributes have 'encrypt' option with values 1 or 2.

I tried putting 'encrypt=2' for an attribute in a packet that was meant to be proxied on port 1814. But after giving this value, the packet is being sent on 1812.

I wanted to know what these values mean, and what are the other values that can be given. Can someone please help me with this?

Thanks!

Regards,
- Kedar
Re: NAS restart without proper client logout on radius (mysql)
On Monday 16 July 2007 12:37:08 Nataniel Klug wrote:
> Hello all,
>
> I have a question: when a nas restart without sending client logout
> to the freeradius server the clients stay connected in radacct table
> (AcctStopTime=0). What can I do to solve this kind of problem? What
> could happen is that when a nas reboot my clients keep logged and when
> the nas start again they will get "You are already logged in"
> (simultaneous-use).

Your NAS should send an Accounting-On packet which you can use to flag the existing connections as offline/disconnected. You can also use checkrad to confirm the session is active.

Kevin Bonner
Re: mysql accounting connect speeds
It's not I do not understand, it's just these stupid bi-focals I have a hard time seeing. I overlooked that, sorry for being a blind idiot.

From: Dennis Skinner [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Mon, 16 Jul 2007 13:54:02 -0400
Subject: Re: mysql accounting connect speeds

Jeff wrote:
> AcctOutputOctets = '%{Acct-Output-Octets}' \

Need comma on line above.

This is a MySQL issue, not a FR issue. Please read the MySQL docs if you don't understand how to create a valid query.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re : How to configure EAP Identity in 1.1.3
Why is the Code field of the EAP message 01? Isn't that a REQUEST message? Please correct me if I am wrong, but I thought the RADIUS server should get a Response packet with Code 2 and Type should be 1 (EAP Resp/Identity packet). Maybe it didn't get the Identity packet, and hence it cannot verify the Identity.

Regards
- Kedar Gaonkar

Date: Mon, 16 Jul 2007 15:58:57 + (GMT)
From: Eshun Benjamin <[EMAIL PROTECTED]>
Subject: Re : How to configure EAP Identity in 1.1.3
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Check on your AP, client.conf and naslist

==
Benjamin K. Eshun

----- Original message -----
From: Govardhana K N <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Monday, 16 July 2007, 13:28:28
Subject: How to configure EAP Identity in 1.1.3

I changed it but the same error is still coming.

On 7/16/07, Eshun Benjamin <[EMAIL PROTECTED]> wrote:
You have misconfigured the Nas-Identifier
> govardhana Nas-Identifier == nas, Nas-Port-Type == 15
You have NAS-Identifier = "jrcnas"

==
Benjamin K. Eshun

----- Original message -----
From: Govardhana K N <[EMAIL PROTECTED]>
To: FreeRadius
Sent: Monday, 16 July 2007, 12:24:09
Subject: How to configure EAP Identity in 1.1.3

Hi,

I was trying to configure FreeRadius server with EAP authentication. As mentioned in "eap.conf", I didn't change the Auth-Type, but I was sending an EAP message, and Message-Authenticator attributes in Access-Request.

When I tried sending an Access-Request with EAP-Message, I got the following error "rlm_eap: Identity Unknown, authentication failed".

How to configure the Identity for EAP?

debug log from server:

Starting - reading configuration files ...
Re: mysql accounting connect speeds
Jeff wrote:
> AcctOutputOctets = '%{Acct-Output-Octets}' \

Need comma on line above.

This is a MySQL issue, not a FR issue. Please read the MySQL docs if you don't understand how to create a valid query.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: NAS restart without proper client logout on radius (mysql)
If they are getting that message then nastype in clients.conf is set to "other" which disables checkrad script and the checks are made only against the database. Change the nastype to the vendor of your NAS (if it is supported). Or simply delete all open entries older than the time your NAS rebooted.

Ivan Kalik
Kalik Informatika ISP

On 16/7/2007, "Nataniel Klug" <[EMAIL PROTECTED]> wrote:

>Hello all,
>
>I have a question: when a nas restart without sending client logout
>to the freeradius server the clients stay connected in radacct table
>(AcctStopTime=0). What can I do to solve this kind of problem? What
>could happen is that when a nas reboot my clients keep logged and when
>the nas start again they will get "You are already logged in"
>(simultaneous-use).
>
>--
>Regards,
>
>NATANIEL KLUG
>[EMAIL PROTECTED]
>
>Cyber Nett - Broadband Internet
>www.cnett.com.br
>(42) 3635-2957
>Rua Diogo Pinto, 1046, Centro
>Laranjeiras do Sul - PR
>Brasil - 85301-290
>
>"... the wise, too, have a tangible heart and can, at times, use
>science as a means of showing sentimental impressions of which many do
>not think them capable."
>Visconde de Taunay
>
>--
>This message was checked by the antivirus and antispam
>and is believed to be neither of the two.
>
>Cyber Nett e-mail system - v2.0
Re: mysql accounting connect speeds
Yes. You are missing commas before AscendDataRate and USRConnectSpeed expressions that you have added to the update query.

Ivan Kalik
Kalik Informatika ISP

On 16/7/2007, "Dennis Skinner" <[EMAIL PROTECTED]> wrote:

>Jeff wrote:
>> Mon Jul 16 11:23:22 2007 : Error: rlm_sql (sql): Couldn't update SQL
>> accounting ALIVE record - You have an error in your SQL syntax; check
>> the manual that corresponds to your MySQL server version for the right
>> syntax to use near 'AscendDataRate = '24000' USRConnectSpeed =
>> '' WHERE AcctSess' at line 1
>
>You need a comma between data items:
>
>'AscendDataRate = '24000', USRConnectSpeed ='' WHERE AcctSess'
>                        ^^^
>
>--
>Dennis Skinner
>Systems Administrator
>BlueFrog Internet
>http://www.bluefrog.com
Re: mysql accounting connect speeds
OK, here's what I have now:

accounting_update_query = "UPDATE ${acct_table1} \
    SET FramedIPAddress = '%{Framed-IP-Address}', \
    AcctSessionTime = '%{Acct-Session-Time}', \
    AcctInputOctets = '%{Acct-Input-Octets}', \
    AcctOutputOctets = '%{Acct-Output-Octets}' \
    AscendDataRate = '%{Ascend-Data-Rate}', \
    USRConnectSpeed = '%{USR-Connect-Speed}' \
    WHERE AcctSessionId = '%{Acct-Session-Id}' \
    AND UserName = '%{SQL-User-Name}' \
    AND NASIPAddress= '%{NAS-IP-Address}'"

And here's the new error:

Mon Jul 16 12:49:19 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AscendDataRate = '19200', USRConnectSpeed = '' WHERE AcctSes' at line 1
Mon Jul 16 12:49:35 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AscendDataRate = '19200', USRConnectSpeed = '' WHERE AcctSes' at line 1
Mon Jul 16 12:49:40 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AscendDataRate = '19200', USRConnectSpeed = '' WHERE AcctSes' at line 1
Mon Jul 16 12:49:59 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AscendDataRate = '19200', USRConnectSpeed = '' WHERE AcctSes' at line

From: Dennis Skinner [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Mon, 16 Jul 2007 11:59:34 -0400
Subject: Re: mysql accounting connect speeds

Jeff wrote:
> Mon Jul 16 11:23:22 2007 : Error: rlm_sql (sql): Couldn't update SQL
> accounting ALIVE record - You have an error in your SQL syntax; check
> the manual that corresponds to your MySQL server version for the right
> syntax to use near 'AscendDataRate = '24000' USRConnectSpeed =
> '' WHERE AcctSess' at line 1

You need a comma between data items:

'AscendDataRate = '24000', USRConnectSpeed ='' WHERE AcctSess'
                        ^^^

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
NAS restart without proper client logout on radius (mysql)
Hello all,

I have a question: when a nas restart without sending client logout to the freeradius server the clients stay connected in radacct table (AcctStopTime=0). What can I do to solve this kind of problem? What could happen is that when a nas reboot my clients keep logged and when the nas start again they will get "You are already logged in" (simultaneous-use).

--
Regards,

NATANIEL KLUG
[EMAIL PROTECTED]

Cyber Nett - Broadband Internet
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290

"... the wise, too, have a tangible heart and can, at times, use science as a means of showing sentimental impressions of which many do not think them capable."
Visconde de Taunay

--
This message was checked by the antivirus and antispam and is believed to be neither of the two.

Cyber Nett e-mail system - v2.0
Re: FreeRadius MySQL -> Logs (where they are?)
Thanks Alan,

I found the solution.

Alan DeKok wrote:
> Nataniel Klug wrote:
> > Yes, I know that this kind of log is put in /var/log/radius/radius.log.
> > The problem is that they are not being logged there.
>
> If the server starts, it prints text to that file. If the file is empty, the server isn't running as a daemon. If you're running in debugging mode, all output goes to the screen.
>
> Alan DeKok.

--
Regards,

NATANIEL KLUG
[EMAIL PROTECTED]

Cyber Nett - Broadband Internet
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290

"... the wise, too, have a tangible heart and can, at times, use science as a means of showing sentimental impressions of which many do not think them capable."
Visconde de Taunay

--
This message was checked by the antivirus and antispam and is believed to be neither of the two.

Cyber Nett e-mail system - v2.0
Re: 1.1.7 %{foo:-0} syntax?
On Mon 16 Jul 2007, Hugh Messenger wrote:
> Alan DeKok said:
> > Hugh Messenger wrote:
> > > Does 1.1.7 use the newer %{%{foo}:-0} or the older %{foo:-0} format?
> >
> > It uses the old format.
>
> OK, the reason I asked was that the sql.conf in the 1.1.7 from the day I
> posted that question had the new format, but that appears to have been
> fixed in today's update.

Yep. That was my mistake. I found it during testing today.

--
Peter Nixon
http://peternixon.net/
Re : How to configure EAP Identity in 1.1.3
Check on your AP, client.conf and naslist

==
Benjamin K. Eshun

----- Original message -----
From: Govardhana K N <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Monday, 16 July 2007, 13:28:28
Subject: How to configure EAP Identity in 1.1.3

I changed it but the same error is still coming.

On 7/16/07, Eshun Benjamin <[EMAIL PROTECTED]> wrote:
You have misconfigured the Nas-Identifier
> govardhana Nas-Identifier == nas, Nas-Port-Type == 15
You have NAS-Identifier = "jrcnas"

==
Benjamin K. Eshun

----- Original message -----
From: Govardhana K N <[EMAIL PROTECTED]>
To: FreeRadius
Sent: Monday, 16 July 2007, 12:24:09
Subject: How to configure EAP Identity in 1.1.3

Hi,

I was trying to configure FreeRadius server with EAP authentication. As mentioned in "eap.conf", I didn't change the Auth-Type, but I was sending an EAP message, and Message-Authenticator attributes in Access-Request.

When I tried sending an Access-Request with EAP-Message, I got the following error "rlm_eap: Identity Unknown, authentication failed".

How to configure the Identity for EAP?

debug log from server:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/freeradius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/var/log/freeradius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: bind_address = 127.0.0.1 IP address [127.0.0.1]
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = no
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "/etc/passwd"
unix: shadow = "/etc/shadow"
unix: group = "/etc/group"
unix: radwtmp = "/var/log/freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/freeradius/huntgroups"
preprocess: hints = "/etc/freeradius/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
real
Re: mysql accounting connect speeds
Jeff wrote:
> Mon Jul 16 11:23:22 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AscendDataRate = '24000' USRConnectSpeed = '' WHERE AcctSess' at line 1

You need a comma between data items:

'AscendDataRate = '24000', USRConnectSpeed ='' WHERE AcctSess'
                        ^^^

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
RE: mysql accounting connect speeds
Yes, and the AscendDataRate too.

I get the inserts fine on the start packet and the data goes right in as it is supposed to. All works fine this way for our GlobalPOPS and all data shows up and into sql using this line in the start

---
accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AscendDataRate, USRConnectSpeed, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '%{Ascend-Xmit-Rate}', '%{USR-Connect-Speed}', '0')"
---

data goes right into mysql tables

But YNP for some reason most miss the start, so I thought maybe I could grab them on the update query cause I see one or the other in the update packet, for ynp so then I would have what I need, but as I stated this errors out with the error I mentioned below trying to do this

Jeff

_
From: Hugh Messenger [mailto:[EMAIL PROTECTED]
To: 'FreeRadius users mailing list' [mailto:[EMAIL PROTECTED]
Sent: Mon, 16 Jul 2007 11:40:53 -0400
Subject: RE: mysql accounting connect speeds

Jeff said:
> USRConnectSpeed = '%{USR-Connect-Speed}' \

Did you actually add a USRConnectSpeed column to the radacct table? There isn't one by default.

-- hugh
Re: FreeRadius and User-Password from Cisco Device
I'm so sorry! The problem was the secret between proxy and the Cisco device. Even if the secret is different, the access-request is forwarded to the radius server, I didn't know that :(

Thank you very much!!!

Nicolas.

Quoting [EMAIL PROTECTED]:

> Check then secret in clients.conf on the proxy and Cisco device radius key. They are not the same then.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 16/7/2007, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
>
> > :) No because with other devices, the proxy works fine !!
> >
> > I don't understand why it doesn't work :(
> >
> > Quoting Peter Nixon <[EMAIL PROTECTED]>:
> >
> > > On Mon 16 Jul 2007, [EMAIL PROTECTED] wrote:
> > > > The shared secret is the same because I use a radius Proxy and this proxy forwards the access-request to my radius server. The problem is the password ! With a password in plain text (Check with H3C 2811 and Cisco 2960 equipments).
> > >
> > > Then you have the shared secret wrong between your proxy and your radius server.
> > >
> > > --
> > > Peter Nixon
> > > http://peternixon.net/
RE: mysql accounting connect speeds
Jeff said:
> USRConnectSpeed = '%{USR-Connect-Speed}' \

Did you actually add a USRConnectSpeed column to the radacct table? There isn't one by default.

-- hugh
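A pre-deployment check for the two problems raised in this thread (the missing commas Dennis Skinner points out and the missing column Hugh asks about), as an added Python example, not code from the posters or from FreeRADIUS. It expands the sql.conf template with constructed attribute values and runs it against an in-memory SQLite table standing in for the MySQL radacct table; the reduced schema, the sample packet and the function names are assumptions.

```python
import re
import sqlite3

# Reduced radacct schema (assumption): only the stock columns the query touches.
BASE_COLUMNS = ["AcctSessionId", "UserName", "NASIPAddress", "FramedIPAddress",
                "AcctSessionTime", "AcctInputOctets", "AcctOutputOctets"]

# Constructed attribute values for one Alive packet. USR-Connect-Speed is
# absent, as in the logged error where it expanded to ''.
SAMPLE_PACKET = {
    "Acct-Session-Id": "0000A1B2", "SQL-User-Name": "jeff-test",
    "NAS-IP-Address": "192.0.2.1", "Framed-IP-Address": "192.0.2.10",
    "Acct-Session-Time": "60", "Acct-Input-Octets": "1024",
    "Acct-Output-Octets": "2048", "Ascend-Xmit-Rate": "24000",
}

# The posted update query, with the column spelled as in the logged error.
BROKEN = r"""UPDATE ${acct_table1} \
    SET FramedIPAddress = '%{Framed-IP-Address}', \
    AcctSessionTime = '%{Acct-Session-Time}', \
    AcctInputOctets = '%{Acct-Input-Octets}', \
    AcctOutputOctets = '%{Acct-Output-Octets}' \
    AscendDataRate = '%{Ascend-Xmit-Rate}' \
    USRConnectSpeed = '%{USR-Connect-Speed}' \
    WHERE AcctSessionId = '%{Acct-Session-Id}' \
    AND UserName = '%{SQL-User-Name}' \
    AND NASIPAddress= '%{NAS-IP-Address}'"""

# Same query with a comma after every assignment except the last.
FIXED = r"""UPDATE ${acct_table1} \
    SET FramedIPAddress = '%{Framed-IP-Address}', \
    AcctSessionTime = '%{Acct-Session-Time}', \
    AcctInputOctets = '%{Acct-Input-Octets}', \
    AcctOutputOctets = '%{Acct-Output-Octets}', \
    AscendDataRate = '%{Ascend-Xmit-Rate}', \
    USRConnectSpeed = '%{USR-Connect-Speed}' \
    WHERE AcctSessionId = '%{Acct-Session-Id}' \
    AND UserName = '%{SQL-User-Name}' \
    AND NASIPAddress= '%{NAS-IP-Address}'"""


def expand(template, packet, table="radacct"):
    """Join backslash continuations and substitute ${acct_table1} and %{Attr}."""
    sql = re.sub(r"\\\s*\n\s*", " ", template)
    sql = sql.replace("${acct_table1}", table)
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: packet.get(m.group(1), "").replace("'", "''"), sql)


def check_query(template, columns, packet=SAMPLE_PACKET):
    """Run the expanded query on a scratch table; return (error, rows_updated)."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE radacct (%s)"
                     % ", ".join(c + " TEXT" for c in columns))
        # One open session for the update to match.
        conn.execute("INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress)"
                     " VALUES (?, ?, ?)",
                     (packet["Acct-Session-Id"], packet["SQL-User-Name"],
                      packet["NAS-IP-Address"]))
        try:
            cur = conn.execute(expand(template, packet))
        except sqlite3.Error as exc:
            return str(exc), 0
        return None, cur.rowcount
    finally:
        conn.close()


if __name__ == "__main__":
    stock = BASE_COLUMNS + ["AscendDataRate"]
    print(check_query(BROKEN, stock + ["USRConnectSpeed"]))   # missing commas
    print(check_query(FIXED, stock))                          # column never added
    print(check_query(FIXED, stock + ["USRConnectSpeed"]))    # clean
```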
RE: 1.1.7 %{foo:-0} syntax?
Alan DeKok said:
> Hugh Messenger wrote:
> > Does 1.1.7 use the newer %{%{foo}:-0} or the older %{foo:-0} format?
>
> It uses the old format.

OK, the reason I asked was that the sql.conf in the 1.1.7 from the day I posted that question had the new format, but that appears to have been fixed in today's update.

> Alan DeKok.

-- hugh
Re: mysql accounting connect speeds
Mon Jul 16 11:23:22 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AscendDataRate = '24000' USRConnectSpeed = '' WHERE AcctSess' at line 1
Mon Jul 16 11:23:24 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AscendDataRate = '19200' USRConnectSpeed = '' WHERE AcctSess' at line 1
Mon Jul 16 11:23:37 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AscendDataRate = '19200' USRConnectSpeed = '' WHERE AcctSess' at line 1
Mon Jul 16 11:23:42 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AscendDataRate = '19200' USRConnectSpeed = '' WHERE AcctSess' at line 1

_
From: [EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Mon, 16 Jul 2007 11:06:28 -0400
Subject: Re: mysql accounting connect speeds

And the errors are?

Ivan Kalik
Kalik Informatika ISP

On 16/7/2007, "Jeff" <[EMAIL PROTECTED]> wrote:

> I need to log connect speeds from users
>
> At any rate things working fine from our own carrier globalpops to capture these on the start packet
>
> but Yournetplus for some reason it doesn't work.
>
> I see this info in the update accounting packet so I thought I would modify the update query but it gives errors
>
> anyone know why this is wrong.. it stops right at the AscendDataRate ='26400' for example then nothing after
>
> Trying to gather the Ascend-Data-Rate and USR-Connect-Speed
>
> accounting_update_query = "UPDATE ${acct_table1} \
>    SET FramedIPAddress = '%{Framed-IP-Address}', \
>    AcctSessionTime = '%{Acct-Session-Time}', \
>    AcctInputOctets = '%{Acct-Input-Octets}', \
>    AcctOutputOctets = '%{Acct-Output-Octets}' \
>    AscenDataRate = '%{Ascend-Xmit-Rate}' \
>    USRConnectSpeed = '%{USR-Connect-Speed}' \
>    WHERE AcctSessionId = '%{Acct-Session-Id}' \
>    AND UserName = '%{SQL-User-Name}' \
>    AND NASIPAddress= '%{NAS-IP-Address}'"
Re: Configuration doubt
Help you with what? If you managed to add the password to the check table what could be the problem in adding Session-Timeout to the reply table?

Ivan Kalik
Kalik Informatika ISP

On 16/7/2007, "Osvaldohp" <[EMAIL PROTECTED]> wrote:

> I have a hotSpot that gives access to the internet for my users. I use IPCOP with advproxy addon like a point controller.
> So when a user tries to access the internet IPCOP (advproxy) asks for a username and password and then tries to authenticate the user in the radius server.
> Everything is great so far, my only problem is I can't limit the user to access the internet using Session-timeout attribute.
> I really don't know what I have to do now. Can someone help me?
Re: FreeRadius and User-Password from Cisco Device
Check then secret in clients.conf on the proxy and Cisco device radius key. They are not the same then.

Ivan Kalik
Kalik Informatika ISP

On 16/7/2007, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

> :) No because with other devices, the proxy works fine !!
>
> I don't understand why it doesn't work :(
>
> Quoting Peter Nixon <[EMAIL PROTECTED]>:
>
> > On Mon 16 Jul 2007, [EMAIL PROTECTED] wrote:
> > > The shared secret is the same because I use a radius Proxy and this proxy forwards the access-request to my radius server. The problem is the password ! With a password in plain text (Check with H3C 2811 and Cisco 2960 equipments).
> >
> > Then you have the shared secret wrong between your proxy and your radius server.
> >
> > --
> > Peter Nixon
> > http://peternixon.net/
Configuration doubt
I have a hotSpot that gives access to the internet for my users. I use IPCOP with advproxy addon like a point controller.

So when a user tries to access the internet IPCOP (advproxy) asks for a username and password and then tries to authenticate the user in the radius server.

Everything is great so far, my only problem is I can't limit the user to access the internet using Session-timeout attribute.

I really don't know what I have to do now. Can someone help me?
Re: mysql accounting connect speeds
And the errors are?

Ivan Kalik
Kalik Informatika ISP

On 16/7/2007, "Jeff" <[EMAIL PROTECTED]> wrote:

> I need to log connect speeds from users
>
> At any rate things working fine from our own carrier globalpops to capture these on the start packet
>
> but Yournetplus for some reason it doesn't work.
>
> I see this info in the update accounting packet so I thought I would modify the update query but it gives errors
>
> anyone know why this is wrong.. it stops right at the AscendDataRate ='26400' for example then nothing after
>
> Trying to gather the Ascend-Data-Rate and USR-Connect-Speed
>
> accounting_update_query = "UPDATE ${acct_table1} \
>    SET FramedIPAddress = '%{Framed-IP-Address}', \
>    AcctSessionTime = '%{Acct-Session-Time}', \
>    AcctInputOctets = '%{Acct-Input-Octets}', \
>    AcctOutputOctets = '%{Acct-Output-Octets}' \
>    AscenDataRate = '%{Ascend-Xmit-Rate}' \
>    USRConnectSpeed = '%{USR-Connect-Speed}' \
>    WHERE AcctSessionId = '%{Acct-Session-Id}' \
>    AND UserName = '%{SQL-User-Name}' \
>    AND NASIPAddress= '%{NAS-IP-Address}'"
Re: FreeRadius and User-Password from Cisco Device
:) No because with other devices, the proxy works fine !!

I don't understand why it doesn't work :(

Quoting Peter Nixon <[EMAIL PROTECTED]>:

> On Mon 16 Jul 2007, [EMAIL PROTECTED] wrote:
> > The shared secret is the same because I use a radius Proxy and this proxy forwards the access-request to my radius server. The problem is the password ! With a password in plain text (Check with H3C 2811 and Cisco 2960 equipments).
>
> Then you have the shared secret wrong between your proxy and your radius server.
>
> --
> Peter Nixon
> http://peternixon.net/
mysql accounting connect speeds
I need to log connect speeds from users

At any rate things working fine from our own carrier globalpops to capture these on the start packet

but Yournetplus for some reason it doesn't work.

I see this info in the update accounting packet so I thought I would modify the update query but it gives errors

anyone know why this is wrong.. it stops right at the AscendDataRate ='26400' for example then nothing after

Trying to gather the Ascend-Data-Rate and USR-Connect-Speed

accounting_update_query = "UPDATE ${acct_table1} \
   SET FramedIPAddress = '%{Framed-IP-Address}', \
   AcctSessionTime = '%{Acct-Session-Time}', \
   AcctInputOctets = '%{Acct-Input-Octets}', \
   AcctOutputOctets = '%{Acct-Output-Octets}' \
   AscenDataRate = '%{Ascend-Xmit-Rate}' \
   USRConnectSpeed = '%{USR-Connect-Speed}' \
   WHERE AcctSessionId = '%{Acct-Session-Id}' \
   AND UserName = '%{SQL-User-Name}' \
   AND NASIPAddress= '%{NAS-IP-Address}'"
Re: figuration doubt
On Monday 16 July 2007 09:40:48 Osvaldohp wrote:
> I found a nice paper about freeradius+mysql, so far everything is installed and working fine. My question is which field of my radius database (db_mysql.sql) I have to put Session-Timeout attribute to limit the use of the Internet from my HotSpot users?

Session-Timeout is a reply item, so it can go into the user or group reply item tables.

Kevin Bonner
Re: Configuration doubt
On Monday 16 July 2007 08:05:15 Alan DeKok wrote:
> Osvaldohp wrote:
> > This is my users file:
> > mike Auth-Type = System, User-Password == mike"
> > Session-Timeout := 3600,
> >
> > What am I doing wrong?
>
> You're telling the server to look in /etc/passwd for the user's password, and then also telling it what the user's password is.
>
> Don't set Auth-Type.
>
> Use 1.1.6.
>
> Use Cleartext-Password, not "User-Password", as suggested in the FAQ.
>
> Alan DeKok.

Don't forget to use the ':=' operator for the Cleartext-Password attribute, in addition to all of the above.

-Kevin
cisco redirect from freeradius
hi freeradius people,

I want to redirect http traffic for some users in a cisco NAS. Is there any way to do this ? maybe with some VSA

thanks in advance
Re: FreeRadius MySQL -> Logs (where they are?)
Nataniel Klug wrote:
> Yes, I know that this kind of log is put in /var/log/radius/radius.log. The problem is that they are not been logged there.

If the server starts, it prints text to that file. If the file is empty, the server isn't running as a daemon. If you're running in debugging mode, all output goes to the screen.

Alan DeKok.
Re: FreeRadius MySQL -> Logs (where they are?)
auth_log

Ivan Kalik
Kalik Informatika ISP

On 16/7/2007, "Nataniel Klug" <[EMAIL PROTECTED]> wrote:

> Hello Alan,
>
> Yes, I know that this kind of log is put in /var/log/radius/radius.log. The problem is that they are not being logged there. It's a configuration in radiusd.conf? I could not find this... Can you tell me what tag?
>
> Alan DeKok wrote:
> > Nataniel Klug wrote:
> > > I have configured my FreeRadius server to auth my clients over a MySQL table. The problem is that I do not have any more logs (like wrong login attempts). The detailed log is being done into a MySQL table named radacct (and works fine to block simultaneous use) but the problem is that I can't see anymore why a login attempt gets rejected.
> > >
> > > Can someone tell me where to look?
> >
> > The logs are put in the file "radius.log", not in SQL. See radiusd.conf.
> >
> > Alan DeKok.
>
> --
> Regards,
>
> NATANIEL KLUG
> [EMAIL PROTECTED]
>
> Cyber Nett - Internet Banda Larga
> www.cnett.com.br
> (42) 3635-2957
> Rua Diogo Pinto, 1046, Centro
> Laranjeiras do Sul - PR
> Brasil - 85301-290
>
> "... the wise also have a tangible heart and may, at times, use science as a means of showing sentimental impressions of which many do not think them capable."
> Visconde de Taunay
Re: FreeRadius MySQL -> Logs (where they are?)
Hello Alan,

Yes, I know that this kind of log is put in /var/log/radius/radius.log. The problem is that they are not being logged there. It's a configuration in radiusd.conf? I could not find this... Can you tell me what tag?

Alan DeKok wrote:
> Nataniel Klug wrote:
> > I have configured my FreeRadius server to auth my clients over a MySQL table. The problem is that I do not have any more logs (like wrong login attempts). The detailed log is being done into a MySQL table named radacct (and works fine to block simultaneous use) but the problem is that I can't see anymore why a login attempt gets rejected.
> >
> > Can someone tell me where to look?
>
> The logs are put in the file "radius.log", not in SQL. See radiusd.conf.
>
> Alan DeKok.

--
Regards,

NATANIEL KLUG
[EMAIL PROTECTED]

Cyber Nett - Internet Banda Larga
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290

"... the wise also have a tangible heart and may, at times, use science as a means of showing sentimental impressions of which many do not think them capable."
Visconde de Taunay
RE: Freeradius 1.1.6 and Cisco 2000 Wireless Controller
He is not tunneling the request, just doing MAC auth. Problem is on the controller. debug aaa on it and see why is VLAN override not working. You are sure that override is on for that SSID?

Ivan Kalik
Kalik Informatika ISP

On 16/7/2007, "Brian Ertel" <[EMAIL PROTECTED]> wrote:

> Alan,
>
> I did not modify this file at all
>
> # Whatever you do, do NOT set 'Auth-Type := EAP'. The server
> # is smart enough to figure this out on its own. The most
> # common side effect of setting 'Auth-Type := EAP' is that the
> # users then cannot use ANY other authentication method.
> #
> # $Id: eap.conf,v 1.4.4.3 2006/04/28 18:25:03 aland Exp $
> #
> eap {
>     # Invoke the default supported EAP type when
>     # EAP-Identity response is received.
>     #
>     # The incoming EAP messages DO NOT specify which EAP
>     # type they will be using, so it MUST be set here.
>     #
>     # For now, only one default EAP type may be used at a time.
>     #
>     # If the EAP-Type attribute is set by another module,
>     # then that EAP type takes precedence over the
>     # default type configured here.
>     #
>     default_eap_type = md5
>
>     # A list is maintained to correlate EAP-Response
>     # packets with EAP-Request packets. After a
>     # configurable length of time, entries in the list
>     # expire, and are deleted.
>     #
>     timer_expire = 60
>
>     # There are many EAP types, but the server has support
>     # for only a limited subset. If the server receives
>     # a request for an EAP type it does not support, then
>     # it normally rejects the request. By setting this
>     # configuration to "yes", you can tell the server to
>     # instead keep processing the request. Another module
>     # MUST then be configured to proxy the request to
>     # another RADIUS server which supports that EAP type.
>     #
>     # If another module is NOT configured to handle the
>     # request, then the request will still end up being
>     # rejected.
>     ignore_unknown_eap_types = no
>
>     # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
>     # a User-Name attribute in an Access-Accept, it copies one
>     # more byte than it should.
>     #
>     # We can work around it by configurably adding an extra
>     # zero byte.
>     cisco_accounting_username_bug = no
>
>     # Supported EAP-types
>
>     #
>     # We do NOT recommend using EAP-MD5 authentication
>     # for wireless connections. It is insecure, and does
>     # not provide for dynamic WEP keys.
>     #
>     md5 {
>     }
>
>     # Cisco LEAP
>     #
>     # We do not recommend using LEAP in new deployments. See:
>     # http://www.securiteam.com/tools/5TP012ACKE.html
>     #
>     # Cisco LEAP uses the MS-CHAP algorithm (but not
>     # the MS-CHAP attributes) to perform it's authentication.
>     #
>     # As a result, LEAP *requires* access to the plain-text
>     # User-Password, or the NT-Password attributes.
>     # 'System' authentication is impossible with LEAP.
>     #
>     leap {
>     }
>
>     # Generic Token Card.
>     #
>     # Currently, this is only permitted inside of EAP-TTLS,
>     # or EAP-PEAP. The module "challenges" the user with
>     # text, and the response from the user is taken to be
>     # the User-Password.
>     #
>     # Proxying the tunneled EAP-GTC session is a bad idea,
>     # the users password will go over the wire in plain-text,
>     # for anyone to see.
>     #
>     gtc {
>         # The default challenge, which many clients
>         # ignore..
>         #challenge = "Password: "
>
>         # The plain-text response which comes back
>         # is put into a User-Password attribute,
>         # and passed to another module for
>         # authentication. This allows the EAP-GTC
>         # response to be checked against plain-text,
>         # or crypt'd passwords.
>         #
>         # If you say "Local" instead of "PAP", then
>         # t
Re: figuration doubt
Session-Timeout is a reply attribute, so it goes into radreply or radgroupreply table.

Ivan Kalik
Kalik Informatika ISP

On 16/7/2007, "Osvaldohp" <[EMAIL PROTECTED]> wrote:

> I found a nice paper about freeradius+mysql, so far everything is installed and working fine. My question is which field of my radius database (db_mysql.sql) I have to put Session-Timeout attribute to limit the use of the Internet from my HotSpot users?
ldap group membership
handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): starting 5 rlm_sql (sql): Attempting to connect rlm_sql_mysql #5 rlm_sql_mysql: Starting connect to MySQL server for #5 rlm_sql (sql): Connected new DB handle, #5 rlm_sql (sql): starting 6 rlm_sql (sql): Attempting to connect rlm_sql_mysql #6 rlm_sql_mysql: Starting connect to MySQL server for #6 rlm_sql (sql): Connected new DB handle, #6 rlm_sql (sql): starting 7 rlm_sql (sql): Attempting to connect rlm_sql_mysql #7 rlm_sql_mysql: Starting connect to MySQL server for #7 rlm_sql (sql): Connected new DB handle, #7 rlm_sql (sql): starting 8 rlm_sql (sql): Attempting to connect rlm_sql_mysql #8 rlm_sql_mysql: Starting connect to MySQL server for #8 rlm_sql (sql): Connected new DB handle, #8 rlm_sql (sql): starting 9 rlm_sql (sql): Attempting to connect rlm_sql_mysql #9 rlm_sql_mysql: Starting connect to MySQL server for #9 rlm_sql (sql): Connected new DB handle, #9 rlm_sql (sql): starting 10 rlm_sql (sql): Attempting to connect rlm_sql_mysql #10 rlm_sql_mysql: Starting connect to MySQL server for #10 rlm_sql (sql): Connected new DB handle, #10 rlm_sql (sql): starting 11 rlm_sql (sql): Attempting to connect rlm_sql_mysql #11 rlm_sql_mysql: Starting connect to MySQL server for #11 rlm_sql (sql): Connected new DB handle, #11 rlm_sql (sql): starting 12 rlm_sql (sql): Attempting to connect rlm_sql_mysql #12 rlm_sql_mysql: Starting connect to MySQL server for #12 rlm_sql (sql): Connected new DB handle, #12 rlm_sql (sql): starting 13 rlm_sql (sql): Attempting to connect rlm_sql_mysql #13 rlm_sql_mysql: Starting connect to MySQL server for #13 rlm_sql (sql): Connected new DB handle, #13 rlm_sql (sql): starting 14 rlm_sql (sql): Attempting to connect rlm_sql_mysql #14 rlm_sql_mysql: Starting connect to MySQL server for #14 rlm_sql (sql): Connected new DB handle, #14 rlm_sql 
(sql): starting 15 rlm_sql (sql): Attempting to connect rlm_sql_mysql #15 rlm_sql_mysql: Starting connect to MySQL server for #15 rlm_sql (sql): Connected new DB handle, #15 rlm_sql (sql): starting 16 rlm_sql (sql): Attempting to connect rlm_sql_mysql #16 rlm_sql_mysql: Starting connect to MySQL server for #16 rlm_sql (sql): Connected new DB handle, #16 rlm_sql (sql): starting 17 rlm_sql (sql): Attempting to connect rlm_sql_mysql #17 rlm_sql_mysql: Starting connect to MySQL server for #17 rlm_sql (sql): Connected new DB handle, #17 rlm_sql (sql): starting 18 rlm_sql (sql): Attempting to connect rlm_sql_mysql #18 rlm_sql_mysql: Starting connect to MySQL server for #18 rlm_sql (sql): Connected new DB handle, #18 rlm_sql (sql): starting 19 rlm_sql (sql): Attempting to connect rlm_sql_mysql #19 rlm_sql_mysql: Starting connect to MySQL server for #19 rlm_sql (sql): Connected new DB handle, #19 Module: Instantiated sql (sql) detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (reply_log) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. 
rad_recv: Access-Request packet from host :32802, id=0, length=160
    User-Name = "[EMAIL PROTECTED]"
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = "02-00-00-00-00-01"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x0
    Message-Authenticator = 0x**
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/**/auth-detail-20070716'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/**/auth-detail-20070716
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm ".it" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm ".it"
rlm_realm: Proxying request from user testuser to realm **.it
rlm_realm: Adding Realm = "***.it"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 31
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 122
users: Matched entry DEFAULT at line 159
modcall[authorize]: module "files" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
Found Autz-Type LDAP
Processing the authorize section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat: '([EMAIL PROTECTED])'
radius_xlat: 'dc=*,dc=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.**.it:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/crl/root.pem
rlm_ldap: bind as cn=,ou=servizi,dc=**,dc=it/*** to ldap.**.it:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=**,dc=it, with filter ([EMAIL PROTECTED])
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 0
modcall: leaving group LDAP (returns notfound) for request 0
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to * port 32802
    Reply-Message = "Access Denied"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 469b4247
Nothing to do. Sleeping until we see a request.

PS Thanks in advance for your help

Bye,
Inverse
RE: Freeradius 1.1.6 and Cisco 2000 Wireless Controller
Alan,

I did not modify this file at all

# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# $Id: eap.conf,v 1.4.4.3 2006/04/28 18:25:03 aland Exp $
#
eap {
    # Invoke the default supported EAP type when
    # EAP-Identity response is received.
    #
    # The incoming EAP messages DO NOT specify which EAP
    # type they will be using, so it MUST be set here.
    #
    # For now, only one default EAP type may be used at a time.
    #
    # If the EAP-Type attribute is set by another module,
    # then that EAP type takes precedence over the
    # default type configured here.
    #
    default_eap_type = md5

    # A list is maintained to correlate EAP-Response
    # packets with EAP-Request packets. After a
    # configurable length of time, entries in the list
    # expire, and are deleted.
    #
    timer_expire = 60

    # There are many EAP types, but the server has support
    # for only a limited subset. If the server receives
    # a request for an EAP type it does not support, then
    # it normally rejects the request. By setting this
    # configuration to "yes", you can tell the server to
    # instead keep processing the request. Another module
    # MUST then be configured to proxy the request to
    # another RADIUS server which supports that EAP type.
    #
    # If another module is NOT configured to handle the
    # request, then the request will still end up being
    # rejected.
    ignore_unknown_eap_types = no

    # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
    # a User-Name attribute in an Access-Accept, it copies one
    # more byte than it should.
    #
    # We can work around it by configurably adding an extra
    # zero byte.
    cisco_accounting_username_bug = no

    # Supported EAP-types

    #
    # We do NOT recommend using EAP-MD5 authentication
    # for wireless connections. It is insecure, and does
    # not provide for dynamic WEP keys.
    #
    md5 {
    }

    # Cisco LEAP
    #
    # We do not recommend using LEAP in new deployments. See:
    # http://www.securiteam.com/tools/5TP012ACKE.html
    #
    # Cisco LEAP uses the MS-CHAP algorithm (but not
    # the MS-CHAP attributes) to perform it's authentication.
    #
    # As a result, LEAP *requires* access to the plain-text
    # User-Password, or the NT-Password attributes.
    # 'System' authentication is impossible with LEAP.
    #
    leap {
    }

    # Generic Token Card.
    #
    # Currently, this is only permitted inside of EAP-TTLS,
    # or EAP-PEAP. The module "challenges" the user with
    # text, and the response from the user is taken to be
    # the User-Password.
    #
    # Proxying the tunneled EAP-GTC session is a bad idea,
    # the users password will go over the wire in plain-text,
    # for anyone to see.
    #
    gtc {
        # The default challenge, which many clients
        # ignore..
        #challenge = "Password: "

        # The plain-text response which comes back
        # is put into a User-Password attribute,
        # and passed to another module for
        # authentication. This allows the EAP-GTC
        # response to be checked against plain-text,
        # or crypt'd passwords.
        #
        # If you say "Local" instead of "PAP", then
        # the module will look for a User-Password
        # configured for the request, and do the
        # authentication itself.
        #
        auth_type = PAP
    }

    ## EAP-TLS
    #
    # To generate ctest certificates, run the script
    #
    #
Re: Re : Re : Password = xpgk (Kalik)
"This" User-Password (the one in the request) is the one coming from the gateway. So you modify it there.

Ivan Kalik
Kalik Informatika ISP

On 16/7/2007, "E. abdelghani" <[EMAIL PROTECTED]> wrote:

>hello Ivan Kalik: here is the output from radiusd -X :
>I worked with Mera Softswitch and freeradius for authentication!
>also how can I modify this User-Password "xpgk" ?
>
>rad_recv: Access-Request packet from host 192.168.100.211:1912, id=10,
>length=696
>User-Name = "192.168.100.180"
>User-Password = "xpgk"
>NAS-IP-Address = 192.168.100.211
>NAS-Port-Type = Async
>Service-Type = Login-User
>Called-Station-Id = "907070"
>Calling-Station-Id = "4002"
>Cisco-AVPair = "xpgk-request-type=number"
>Acct-Session-Id = "5ca3d369-8-3c1329b1"
>h323-conf-id = "h323-conf-id=02B21DF1 D6B213A4 3E960001 A8045DEC"
>Cisco-AVPair = "h323-call-id=02B21DF1 D6B213A4 3E950001 A8045DEC"
>h323-gw-id = "h323-gw-id=192.168.100.180"
>Cisco-AVPair = "h323-gw-address=192.168.100.180"
>Cisco-AVPair = "h323-incoming-local-address=192.168.100.211"
>h323-remote-address = "h323-remote-address=194.6.239.4"
>Cisco-AVPair = "h323-remote-id=194.6.239.4"
>Cisco-AVPair = "xpgk-h323-id=4FXS-045dec"
>Cisco-AVPair = "xpgk-src-number-in=4002"
>Cisco-AVPair = "xpgk-src-number-out=4002"
>Cisco-AVPair = "xpgk-dst-number-in=907070"
>Cisco-AVPair = "xpgk-dst-number-out=907070"
>h323-setup-time = "h323-setup-time=14:02:37.000 CEST Mon Jul 16
>2007"
>Cisco-AVPair = "xpgk-route-retries=1"
>
>thanks!
Re: Re : EAP-TLS authentication
Perhaps because of this:

> main: log_auth = no

Ivan Kalik
Kalik Informatika ISP
figuration doubt
I found a nice paper about freeradius+mysql, so far everything is installed and working fine.

My question is: in which field of my radius database (db_mysql.sql) do I have to put the Session-Timeout attribute to limit the use of the Internet by my HotSpot users?
Re: Freeradius 1.1.6 and Cisco 2000 Wireless Controller
Hi,

> What should I be looking for in the eap.conf file?

whether you are tunneling the reply in PEAP and TTLS.

by not providing this list with your config files you aren't helping us to help you.

alan
Re: FreeRadius and User-Password from Cisco Device
On Mon 16 Jul 2007, [EMAIL PROTECTED] wrote:
> The shared secret is the same because I use a radius Proxy and this proxy
> forwards the access-request to my radius server. The problem is the
> password ! With a password in plain text (Check with H3C 2811 and Cisco
> 2960 equipments).

Then you have the shared secret wrong between your proxy and your radius server.

--
Peter Nixon
http://peternixon.net/
RE: Freeradius 1.1.6 and Cisco 2000 Wireless Controller
Ivan,

Yes, the controller does have VLAN 157 configured, that is actually the original client vlan configured before I started testing with vlan tags from freeradius.

Thanks,
Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, July 14, 2007 11:26 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius 1.1.6 and Cisco 2000 Wireless Controller

Radius is doing its bit. Your problem is with the Controller configuration. Have you configured a VLAN with ID of 157 on the Controller? Have you enabled Radius override of default settings on WLAN?

Ivan Kalik
Kalik Informatika ISP

On 13/7/2007, "Brian Ertel" <[EMAIL PROTECTED]> wrote:

>Hi,
>
>I've gotten a bit further but am still getting stuck. I have the Cisco
>Wireless Controller configured to hit Freeradius for MAC Address
>Authentication. Freeradius sees the request from the controller and
>sends back the configure attributes from the users file but the
>controller doesn't seem to see it correctly (the desired VLAN tag) and I
>end up in the default VLAN as configured on the controller. Below is my
>users, clients.conf, and radiusd verbose data output. Any thoughts?
>
>Ready to process requests.
>rad_recv: Access-Request packet from host 148.85.34.82:32768, id=35,
>length=174
>User-Name = "00:0e:35:1c:e0:52"
>Called-Station-Id = "00-1a-6d-6b-f0-80:2000test"
>Calling-Station-Id = "00-0e-35-1c-e0-52"
>NAS-Port = 1
>NAS-IP-Address = 148.85.34.82
>NAS-Identifier = "WLC-34-82"
>Airespace-Wlan-Id = 1
>User-Password = "testing"
>Service-Type = Call-Check
>Framed-MTU = 1300
>NAS-Port-Type = Wireless-802.11
>Tunnel-Type:0 = VLAN
>Tunnel-Medium-Type:0 = IEEE-802
>Tunnel-Private-Group-Id:0 = "159"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
>rlm_realm: No '@' in User-Name = "00:0e:35:1c:e0:52", looking up
>realm NULL
>rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
>users: Matched entry 00:0e:35:1c:e0:52 at line 80
> modcall[authorize]: module "files" returns ok for request 0
>modcall: leaving group authorize (returns ok) for request 0
> rad_check_password: Found Auth-Type Local
>auth: type Local
>auth: user supplied User-Password matches local User-Password Sending
>Access-Accept of id 35 to 148.85.34.82 port 32768
>Tunnel-Medium-Type:0 = IEEE-802
>Tunnel-Type:0 = VLAN
>Tunnel-Private-Group-Id:0 = "157"
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 6 seconds...
>--- Walking the entire request list ---
>Cleaning up request 0 ID 35 with timestamp 4697de6a Nothing to do.
>Sleeping until we see a request.
>
>
>
>
>00:0e:35:1c:e0:52 Auth-Type := Local, User-Password == "testing"
>
>Tunnel-Medium-Type = "IEEE-802",
>Tunnel-Type = "VLAN",
>Tunnel-Private-Group-Id = "157",
>
>__
>
>client 148.85.34.82 {
>#
># The shared secret use to "encrypt" and "sign" packets between
># the NAS and FreeRADIUS. You MUST change this secret from the
># default, otherwise it's not a secret any more!
>#
># The secret can be any string, up to 31 characters in length.
>#
>secret = xxx
>
>#
># The short name is used as an alias for the fully qualified
># domain name, or the IP address.
>#
>shortname = controller
>
>#
># the following three fields are optional, but may be used by
># checkrad.pl for simultaneous use checks
>#
>
>#
># The nastype tells 'checkrad.pl' which NAS-specific method to
># use to query the NAS for simultaneous use.
>#
># Permitted NAS types are:
>#
># cisco
># computone
># livingston
># max40xx
># multitech
># netserver
># pathras
># patton
># portslave
># tc
># usrhiper
># other # for all other types
>
>#
>nastype = other # localhost isn't usually a NAS...
>
>_
>
>Brian Ertel
>Network Administrator
>Amherst College
>413-542-8320
>[EMAIL PROTECTED]
>_
Re: FreeRadius MySQL -> Logs (where they are?)
Nataniel Klug wrote:
> I have configured my FreeRadius server to auth my clients over a
> MySQL table. The problem is that I do not have any more logs (like wrong
> login attempts). The detailed log is being done into a MySQL table named
> radacct (and works fine to block simultaneous use) but the problem is
> that I can't see anymore why a login attempt gets rejected.
>
> Can someone tell me where to look?

The logs are put in the file "radius.log", not in SQL. See radiusd.conf.

Alan DeKok.
Re: FreeRadius and User-Password from Cisco Device
Here, my radius configuration :

radius-server host RADIUS_IP auth-port 1812 acct-port 1813 key 7 RADUIUS_KEY
radius-server retransmit 1
radius-server timeout 2

Thanks !

Quoting Stefan Winter <[EMAIL PROTECTED]>:

> Hm, this means the NAS actually sent this garbage/hash. In this case, it
> would
> be enlightening to see the lines in your IOS config that start with
>
> radius-server
>
> not the aaa ones.
>
> Stefan
>
> --
> Stefan WINTER
>
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> Ingenieur Forschung & Entwicklung
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
> http://www.restena.lu Fax: +352 422473
Re: FreeRadius and User-Password from Cisco Device
Hm, this means the NAS actually sent this garbage/hash. In this case, it would be enlightening to see the lines in your IOS config that start with

radius-server

not the aaa ones.

Stefan

--
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
Re: Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.
Govardhana K N wrote:
> [Govardhana:] I have put the configuration in dictionary.wimax
> ATTRIBUTE MSK5

There's rather more than that, I think.

In any case, what's probably happening is that you've edited the dictionary on the server, but not on the client.

Alan DeKok.
Re: FreeRadius and User-Password from Cisco Device
The shared secret is the same because I use a radius Proxy and this proxy forwards the access-request to my radius server. The problem is the password ! With a password in plain text (Check with H3C 2811 and Cisco 2960 equipments).

Thanks for your help !

Nicolas.

Quoting Stefan Winter <[EMAIL PROTECTED]>:

> > User-Password = "ry\My\Pass/Wo\rd\Hash\Not\Plain\Text`"
> >
> > Why is my password not in plain text ? With other cisco devices (Switch
> > 2960 for example), the User-Password is in plain text.. If I receive a
> > hashed password, the authentication doesn't work..
>
> Are you sure it's hashed, and not just garbled? First guess is: check the
> shared secret on the Cisco device and the server.
>
> Stefan
>
> --
> Stefan WINTER
>
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> Ingenieur Forschung & Entwicklung
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
> http://www.restena.lu Fax: +352 422473
RE: Freeradius 1.1.6 and Cisco 2000 Wireless Controller
Hi Alan,

What should I be looking for in the eap.conf file?

Thanks,
Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 13, 2007 5:16 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius 1.1.6 and Cisco 2000 Wireless Controller

and your eap.conf?

alan
FreeRadius MySQL -> Logs (where they are?)
Hello all,

I have configured my FreeRadius server to auth my clients over a MySQL table. The problem is that I do not have any more logs (like wrong login attempts). The detailed log is being done into a MySQL table named radacct (and works fine to block simultaneous use) but the problem is that I can't see anymore why a login attempt gets rejected.

Can someone tell me where to look?

--
Regards,
NATANIEL KLUG
[EMAIL PROTECTED]
Cyber Nett - Internet Banda Larga
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290

"... the wise also have a tangible heart and can, at times, use science as a means of showing sentimental impressions of which many do not judge them capable." Visconde de Taunay
Re: Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.
I have put the configuration details inline. I am using the Radius server for Testing purpose, I want to receive WiMAX attributes in the Access-Accept, so I have configured those in "dictionary" file and "users" file.

Thanks & Regards,
Govardhana K N

On 7/16/07, Alan DeKok <[EMAIL PROTECTED]> wrote:

Govardhana K N wrote:
> 1. created and configured the vendor attributes (MN-HA-MIP4-KEY,
> MN-HA-MIP4-SPI) in dictionary.wimax, with option "encrypt=2", the
> values are getting encrypted.

Can you post that here? I'm not sure the server will understand the WiMAX attributes, as multiple WiMAX attributes are packed into one WiMAX VSA.

[Govardhana:] I have put the configuration in dictionary.wimax

ATTRIBUTE MSK5 string encrypt=2
ATTRIBUTE HA-IP-MIP4 6 string
ATTRIBUTE DHCPv4-Server 8 string
ATTRIBUTE MN-HA-MIP4-KEY 10 string encrypt=2
ATTRIBUTE MN-HA-MIP4-SPI 11 string encrypt=2
ATTRIBUTE DHCP-RK40 string
ATTRIBUTE DHCP-RK-KEY-ID41 string
ATTRIBUTE DHCP-RK-LIFETIME 42 string

...
> MS-MPPE-Send-Key = 0x6a72636d736b
> MS-MPPE-Recv-Key = 0x6a7263726563766d736b

That came across just fine.

> MN-HA-MIP4-KEY =
> "\225~\035\235\354\363\203\316Z\377\327\2174\360\330r\30"
> MN-HA-MIP4-SPI = "\234V.\326\014_\363fn\253_K\355-([\326\020"

That didn't. You're running a configuration that no one has seen before.

Alan DeKok.

--
With Regards,
Govardhana K N
Re : Re : Password = xpgk (Kalik)
hello Ivan Kalik: here is the output from radiusd -X :

I worked with Mera Softswitch and freeradius for authentication!
also how can I modify this User-Password "xpgk" ?

rad_recv: Access-Request packet from host 192.168.100.211:1912, id=10, length=696
User-Name = "192.168.100.180"
User-Password = "xpgk"
NAS-IP-Address = 192.168.100.211
NAS-Port-Type = Async
Service-Type = Login-User
Called-Station-Id = "907070"
Calling-Station-Id = "4002"
Cisco-AVPair = "xpgk-request-type=number"
Acct-Session-Id = "5ca3d369-8-3c1329b1"
h323-conf-id = "h323-conf-id=02B21DF1 D6B213A4 3E960001 A8045DEC"
Cisco-AVPair = "h323-call-id=02B21DF1 D6B213A4 3E950001 A8045DEC"
h323-gw-id = "h323-gw-id=192.168.100.180"
Cisco-AVPair = "h323-gw-address=192.168.100.180"
Cisco-AVPair = "h323-incoming-local-address=192.168.100.211"
h323-remote-address = "h323-remote-address=194.6.239.4"
Cisco-AVPair = "h323-remote-id=194.6.239.4"
Cisco-AVPair = "xpgk-h323-id=4FXS-045dec"
Cisco-AVPair = "xpgk-src-number-in=4002"
Cisco-AVPair = "xpgk-src-number-out=4002"
Cisco-AVPair = "xpgk-dst-number-in=907070"
Cisco-AVPair = "xpgk-dst-number-out=907070"
h323-setup-time = "h323-setup-time=14:02:37.000 CEST Mon Jul 16 2007"
Cisco-AVPair = "xpgk-route-retries=1"

thanks!
Re : EAP-TLS authentication
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication 127.0.0.1:1812
> Listening on accounting 127.0.0.1:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:32813, id=179,
> length=95
> User-Name = "jrc"
> NAS-Identifier = "jrcnas"
> NAS-Port-Type = Ethernet
> CUI = "0"
> Service-Type = Framed-User
> Framed-MTU = 1400
> Calling-Station-Id = "1:1:1:1:1:1"
> EAP-Message = 0x0118016a7263
> Message-Authenticator = 0x64c5851b699cd2c027877bbb94fe7f8b
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "jrc", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: EAP packet type request id 16 length 8
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> users: Matched entry DEFAULT at line 152
> users: Matched entry jrc at line 178
> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: Identity Unknown, authentication failed
> rlm_eap: Failed in handler
> modcall[authenticate]: module "eap" returns invalid for request 0
> modcall: leaving group authenticate (returns invalid) for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 179 to 127.0.0.1 port 32813
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 179 with timestamp 469b9233
> Nothing to do. Sleeping until we see a request.
>
>
> debug log from Client:
> -
>
> cheux301:/home/govardhana# radeapclient -x localhost auth jrcsecret
>
> +++> About to send encoded packet:
> User-Name = "jrc"
> NAS-Identifier = "jrcnas"
> NAS-Port-Type = Ethernet
> CUI = "0"
> Service-Type = Framed-User
> Framed-MTU = 1400
> Calling-Station-Id = "1:1:1:1:1:1"
> EAP-Message = 0x0118016a7263
> Message-Authenticator = 0x00
> Sending Access-Request of id 179 to 127.0.0.1 port 1812
> User-Name = "jrc"
> NAS-Identifier = "jrcnas"
> NAS-Port-Type = Ethernet
> CUI = "0"
> Service-Type = Framed-User
> Framed-MTU = 1400
> Calling-Station-Id = "1:1:1:1:1:1"
> EAP-Message = 0x0118016a7263
> Message-Authenticator = 0x
> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=179,
> length=20
> rlm_eap: EAP-Message not found
> <+++ EAP decoded packet:
>
>
> Thanks & Regards,
> Govardhana K N
>
>
>
>
> --
> With Regards,
> Govardhana K N
> -- next part --
> An HTML attachment was scrubbed...
> URL:
> https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070716/79e22469/attachment-0001.html
>
>
> --
>
> Message: 3
> Date: Mon, 16 Jul 2007 12:31:27 +0200
> From: Stefan Winter <[EMAIL PROTECTED]>
> Subject: Re: FreeRadius and User-Password from Cisco Device
> To: FreeRadius users mailing list
>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> > User-Password = "ryMyPass/WordHashNotPlainText`"
> >
> > Why is my password not in plain text ?
With other cisco devices > (Swit
Re: Password = xpkg ?
NAT (Network Address Translation) or NAS (Network Access Server)?

Ivan Kalik
Kalik Informatika ISP

On 16/7/2007, "E. abdelghani" <[EMAIL PROTECTED]> wrote:

>
>hello
>
>
>so I have Mera Softswitch with Radius in contact, so the authentication works
>very well.
>the Username is my NAT-IP and the Password is "xpgk" My Question is how can I
>modify this Password and in which file is it saved ?
>I have stored in Radius server DB ( Radchek table) .but the NAT need one
>Password to be connected.
>
>
>Now if I modified the Password in RADIUS ,the connection not working with my
>PBX
> My Question is how can I modify this NAT- Password and in which file is it
>saved ?
Re: How to configure EAP Identity in 1.1.3
Add EAP-Type-Identity to radeapclient attributes.

Ivan Kalik
Kalik Informatika ISP

On 16/7/2007, "Govardhana K N" <[EMAIL PROTECTED]> wrote:

>Hi,
>
>I was trying to configure FreeRadius server with EAP authentication. As
>mentioned in "eap.conf", I didn't change the Auth-Type, but I was sending an
>EAP message, and Message-Authenticator attributes in Access-Request. When I
>tried sending an Access-Request with EAP-Message, I got the following error
>"rlm_eap: Identity Unknown, authentication failed".
>
>How to configure the Identity for EAP?
>
>debug log from server:
>-
>
>Starting - reading configuration files ...
>reread_config: reading radiusd.conf
>Config: including file: /etc/freeradius/proxy.conf
>Config: including file: /etc/freeradius/clients.conf
>Config: including file: /etc/freeradius/snmp.conf
>Config: including file: /etc/freeradius/eap.conf
>Config: including file: /etc/freeradius/sql.conf
> main: prefix = "/usr"
> main: localstatedir = "/var"
> main: logdir = "/var/log/freeradius"
> main: libdir = "/usr/lib/freeradius"
> main: radacctdir = "/var/log/freeradius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 1812
> main: allow_core_dumps = no
> main: log_stripped_names = yes
> main: log_file = "/var/log/freeradius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/var/run/freeradius/freeradius.pid"
> main: bind_address = 127.0.0.1 IP address [127.0.0.1]
> main: user = "freerad"
> main: group = "freerad"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/sbin/checkrad"
> main: proxy_requests = no
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
>read_config_files: reading dictionary
>read_config_files: reading naslist
>Using deprecated naslist file. Support for this will go away soon.
>read_config_files: reading clients
>read_config_files: reading realms
>radiusd: entering modules setup
>Module: Library search path is /usr/lib/freeradius
>Module: Loaded exec
> exec: wait = no
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
>Module: Instantiated exec (exec)
>Module: Loaded expr
>Module: Instantiated expr (expr)
>Module: Loaded PAP
> pap: encryption_scheme = "crypt"
>Module: Instantiated pap (pap)
>Module: Loaded CHAP
>Module: Instantiated chap (chap)
>Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: ntlm_auth = "(null)"
>Module: Instantiated mschap (mschap)
>Module: Loaded System
> unix: cache = no
> unix: passwd = "/etc/passwd"
> unix: shadow = "/etc/shadow"
> unix: group = "/etc/group"
> unix: radwtmp = "/var/log/freeradius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
>Module: Instantiated unix (unix)
>Module: Loaded eap
> eap: default_eap_type = "md5"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
>rlm_eap: Loaded and initialized type md5
>rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
>rlm_eap: Loaded and initialized type gtc
> mschapv2: with_ntdomain_hack = no
>rlm_eap: Loaded and initialized type mschapv2
>Module: Instantiated eap (eap)
>Module: Loaded preprocess
> preprocess: huntgroups = "/etc/freeradius/huntgroups"
> preprocess: hints = "/etc/freeradius/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> preprocess: with_alvarion_vsa_hack = no
>Module: Instantiated preprocess (preprocess)
>Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = no
>Module: Instantiated realm (suffix)
>Module: Loaded files
> files: usersfile = "/etc/freeradius/users"
> files: acctusersfile = "/etc/freeradius/acct_users"
> files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
> files: compat = "no"
>Module: Instantiated files (files)
>Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
>Client-IP-Address, NAS-Port"
>Module: Instantiated acct_unique (acct_unique)
>Module: Loaded detail
> detail: detailfile =
>"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: det
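For reading the octets behind an rlm_eap line such as "EAP packet type request id 16 length 8", here is an added example (not code from the thread or from FreeRADIUS) that decodes an EAP-Message value according to the RFC 3748 header layout and the RFC 3579 attribute rules. The sample packets are constructed from fields visible in the debug log (identifier 16, length 8, User-Name "jrc") rather than copied from the posted EAP-Message value, and `triage_access_request` is a hypothetical helper name.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


class EapError(ValueError):
    """Raised for packets that RFC 3748 says a receiver must discard."""


def reassemble(eap_message_attrs):
    """RFC 3579: a long EAP packet is split over several EAP-Message
    attributes in one RADIUS packet; concatenate them in order."""
    return b"".join(eap_message_attrs)


def parse_eap(raw):
    """Decode Code, Identifier, Length and, for Request/Response, Type and data."""
    if len(raw) < 4:
        raise EapError("shorter than the 4-octet EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise EapError("unknown EAP code %d" % code)
    if length < 4 or length > len(raw):
        raise EapError("Length field %d does not fit the %d octets received"
                       % (length, len(raw)))
    pkt = {"code": EAP_CODES[code], "id": ident, "length": length,
           "type": None, "data": b""}
    if code in (1, 2):
        if length < 5:
            raise EapError("Request/Response without a Type octet")
        pkt["type"] = raw[4]
        pkt["data"] = raw[5:length]  # octets past Length are padding, ignored
    return pkt


def build_identity_response(ident, identity):
    """EAP-Response/Identity as a peer (supplicant) sends it."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", 2, ident, 5 + len(data), EAP_TYPE_IDENTITY) + data


def triage_access_request(eap_message_attrs):
    """Summarise what the EAP-Message attributes of an Access-Request carry."""
    raw = reassemble(eap_message_attrs)
    if raw == b"":
        return "EAP-Start (empty EAP-Message)"
    try:
        pkt = parse_eap(raw)
    except EapError as exc:
        return "malformed: %s" % exc
    if pkt["code"] != "Response":
        # In an Access-Request the EAP packet comes from the peer, and a
        # peer sends Response packets only.
        return "unexpected code %s: a peer sends Response packets" % pkt["code"]
    if pkt["type"] == EAP_TYPE_IDENTITY:
        return "identity response for %r" % pkt["data"].decode("utf-8", "replace")
    return "response carrying EAP type %d" % pkt["type"]


if __name__ == "__main__":
    good = build_identity_response(16, "jrc")            # constructed sample
    as_request = bytes([1]) + good[1:]                   # same octets, Code = Request
    for label, attrs in [("response", [good]),
                         ("coded as request", [as_request]),
                         ("split in two attributes", [good[:3], good[3:]]),
                         ("bad length", [bytes.fromhex("0210000a016a7263")])]:
        print("%-24s %s" % (label, triage_access_request(attrs)))
```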
How to configure EAP Identity in 1.1.3
I changed it but the same error is still coming.

On 7/16/07, Eshun Benjamin <[EMAIL PROTECTED]> wrote:

You have misconfigured the Nas-Identifier

> govardhana Nas-Identifier == nas, Nas-Port-Type == 15

You have NAS-Identifier = "jrcnas"

==
Benjamin K. Eshun

----- Original Message -----
From: Govardhana K N <[EMAIL PROTECTED]>
To: FreeRadius
Sent: Monday, 16 July 2007, 12:24:09
Subject: How to configure EAP Identity in 1.1.3

Hi,

I was trying to configure FreeRadius server with EAP authentication. As mentioned in "eap.conf", I didn't change the Auth-Type, but I was sending an EAP message, and Message-Authenticator attributes in Access-Request. When I tried sending an Access-Request with EAP-Message, I got the following error "rlm_eap: Identity Unknown, authentication failed".

How to configure the Identity for EAP?

debug log from server:
-

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: bind_address = 127.0.0.1 IP address [127.0.0.1]
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = no
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "/etc/shadow"
 unix: group = "/etc/group"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, N
Configuration doubt
Hi all.

I'd like some help to configure my Radius server. My Radius authenticates users from my HotSpot to access the internet. I want to limit the uses to access the Internet, I did try the Session-Timeout attribute but it doesn't work so far.

This is my users file:

mike Auth-Type = System, User-Password == mike"
     Session-Timeout := 3600,

What am I doing wrong? Can anyone help me with this task?

Thanks
Re: Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.
Govardhana K N wrote:
> 1. created and configured the vendor attributes (MN-HA-MIP4-KEY,
> MN-HA-MIP4-SPI) in dictionary.wimax, with option "encrypt=2", the
> values are getting encrypted.

Can you post that here? I'm not sure the server will understand the WiMAX attributes, as multiple WiMAX attributes are packed into one WiMAX VSA.

...
> MS-MPPE-Send-Key = 0x6a72636d736b
> MS-MPPE-Recv-Key = 0x6a7263726563766d736b

That came across just fine.

> MN-HA-MIP4-KEY =
> "\225~\035\235\354\363\203\316Z\377\327\2174\360\330r\30"
> MN-HA-MIP4-SPI = "\234V.\326\014_\363fn\253_K\355-([\326\020"

That didn't. You're running a configuration that no one has seen before.

Alan DeKok.
Re: Configuration doubt
Osvaldohp wrote:
> This is my users file:
> mike Auth-Type = System, User-Password == mike"
> Session-Timeout := 3600,
>
> What i am doing wrong?

You're telling the server to look in /etc/passwd for the user's password, and then also telling it what the user's password is.

Don't set Auth-Type. Use 1.1.6. Use Cleartext-Password, not "User-Password", as suggested in the FAQ.

Alan DeKok.
Re : How to configure EAP Identity in 1.1.3
You have misconfigured the Nas-Identifier

> govardhana Nas-Identifier == nas, Nas-Port-Type == 15

You have NAS-Identifier = "jrcnas"

==
Benjamin K. Eshun

Original message
From: Govardhana K N <[EMAIL PROTECTED]>
To: FreeRadius
Sent: Monday, 16 July 2007, 12:24:09
Subject: How to configure EAP Identity in 1.1.3

Hi,

I was trying to configure FreeRadius server with EAP authentication. As mentioned in "eap.conf", I didn't change the Auth-Type, but I was sending an EAP message, and Message-Authenticator attributes in Access-Request. When I tried sending an Access-Request with EAP-Message, I got the following error "rlm_eap: Identity Unknown, authentication failed". How to configure the Identity for EAP?

debug log from server:

- Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/freeradius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/freeradius/freeradius.pid" main: bind_address = 127.0.0.1 IP address [127.0.0.1] main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous =
no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = no exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "/etc/passwd" unix: shadow = "/etc/shadow" unix: group = "/etc/group" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: 
ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/freeradius/users" files: acctusersfile = "/etc/freeradius/acct_users" files: preproxy_usersfile = "/etc/freeradius/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct
Re : EAP-TLS authentication
There is a log file. Check your configure log to find out the path you specified for the log. You can also run in debug mode:

radiusd -X

==
Benjamin K. Eshun

Original message
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Sent: Monday, 16 July 2007, 11:41:05
Subject: Re: EAP-TLS authentication

Dear Alan

I have been using Navis radius. Now I decided to move to free radius. In the navis radius there is a log file. So it will be shown as "Username" login ok or "user login failed due to.." So these logs will be very helpful for troubleshooting.
In free radius there is no log file getting updated.
This is not accounting.

Regards
Anoop

Content-Type: text/plain; charset=ISO-8859-1

[EMAIL PROTECTED] wrote:
> Everything is working fine. But the logs are not coming when user authenticates.

What logs? Accounting? If so, see the FAQ.

Alan DeKok.
Re: FreeRadius and User-Password from Cisco Device
> User-Password = "ry\My\Pass/Wo\rd\Hash\Not\Plain\Text`"
>
> Why is my password not in plain text ? With other cisco devices (Switch
> 2960 for example), the User-Password is in plain text.. If I receive a
> hashed password, the authentication doesn't work..

Are you sure it's hashed, and not just garbled? First guess is: check the shared secret on the Cisco device and the server.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
How to configure EAP Identity in 1.1.3
Hi,

I was trying to configure FreeRadius server with EAP authentication. As mentioned in "eap.conf", I didn't change the Auth-Type, but I was sending an EAP message, and Message-Authenticator attributes in Access-Request. When I tried sending an Access-Request with EAP-Message, I got the following error "rlm_eap: Identity Unknown, authentication failed". How to configure the Identity for EAP?

debug log from server:

- Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/freeradius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/freeradius/freeradius.pid" main: bind_address = 127.0.0.1 IP address [127.0.0.1] main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated
naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = no exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "/etc/passwd" unix: shadow = "/etc/shadow" unix: group = "/etc/group" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: 
ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/freeradius/users" files: acctusersfile = "/etc/freeradius/acct_users" files: preproxy_usersfile = "/etc/freeradius/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authenticat
FreeRadius and User-Password from Cisco Device
Hello,

Here is an access-request packet from a Cisco Router (2621):

NAS-IP-Address = "IP_NAS"
NAS-Port = 66
NAS-Port-Type = Virtual
User-Name = "MyUserLogin"
Calling-Station-Id = "IP NAS"
User-Password = "ry\My\Pass/Wo\rd\Hash\Not\Plain\Text`"

Why is my password not in plain text ? With other cisco devices (Switch 2960 for example), the User-Password is in plain text.. If I receive a hashed password, the authentication doesn't work..

My AAA configuration :

aaa new-model
aaa authentication login default group radius line
aaa authentication login console line
aaa authorization exec default group radius none
aaa authorization network default group radius
aaa accounting exec default start-stop group radius
aaa accounting connection default start-stop group radius

What can I do ?

Thanks for your help !

Nicos.
Re: EAP-TLS authentication (Alan DeKok)
Message: 6
Date: Fri, 13 Jul 2007 14:25:43 +0200
From: Alan DeKok <[EMAIL PROTECTED]>
Subject: Re: EAP-TLS authentication (Alan DeKok)
To: FreeRadius users mailing list

Hi

Everything is working fine. But the logs are not coming when user authenticates.

Regards
Anoop

Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

[EMAIL PROTECTED] wrote:
> pls find the attached
...
> Sending Access-Accept of id 4 to 192.168.0.50 port 1026

The RADIUS server thinks everything is OK.

Alan DeKok.
Re: EAP-TLS authentication
> I have been using Navis radius. Now I decided to move to free radius. In
> the navis radius there is a log file. So it will be shown as "Username"
> login ok or "user login failed due to.." So these logs will be very
> helpful for troubleshooting.
> In free radius there is no log file getting updated.
> This is not accounting.

Exactly this information goes into /var/log/radius/radius.log if you enabled it in the config - as is per default. That is, only if you are *NOT* running with -X.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
Password = xpkg ?
Hello,

I have a Mera Softswitch in contact with Radius, and the authentication works very well. The Username is my NAT-IP and the Password is "xpgk".

My question is: how can I modify this Password, and in which file is it saved?

I have it stored in the Radius server DB (radcheck table), but the NAT needs one Password to be connected. Now if I modify the Password in RADIUS, the connection does not work with my PBX.

My question is: how can I modify this NAT password, and in which file is it saved?
Re: EAP-TLS authentication
Dear Alan

I have been using Navis radius. Now I decided to move to free radius. In the navis radius there is a log file. So it will be shown as "Username" login ok or "user login failed due to.." So these logs will be very helpful for troubleshooting.
In free radius there is no log file getting updated.
This is not accounting.

Regards
Anoop

Content-Type: text/plain; charset=ISO-8859-1

[EMAIL PROTECTED] wrote:
> Everything is working fine. But the logs are not coming when user authenticates.

What logs? Accounting? If so, see the FAQ.

Alan DeKok.
Re: Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.
Alan,

I followed the following steps for configuring microsoft attributes and other vendor attributes:

1. created and configured the vendor attributes (MN-HA-MIP4-KEY, MN-HA-MIP4-SPI) in dictionary.wimax, with option "encrypt=2", the values are getting encrypted.

2. Configured in file "users" to check for Nas-Identifier and Nas-Port-Type and configured the attributes for access-accept as below:
--
govardhana Nas-Identifier == nas, Nas-Port-Type == 15
        CUI = cui,
        Class = class,
        State = state,
        Framed-MTU = 1400,
        Framed-Ip-Address = 1.2.3.4,
        Service-Type = Framed-User,
        session-timeout = 30,
        MS-MPPE-Send-Key = msk,
        MS-MPPE-Recv-Key = recvmsk,
        AAA-Session-Id = multisessionid,
        HA-IP-MIP4 = 1.1.1.1,
        Dhcpv4-Server = 2.2.2.2,
        MN-HA-MIP4-KEY = mipkey,
        MN-HA-MIP4-SPI = mipspi,
        DHCP-RK = dhcprk,
        DHCP-RK-KEY-ID = dhcpkey,
        DHCP-RK-LIFETIME = 20
--

3. Below is the snapshot from client:
--
cheux301:/home/govardhana# radclient -x localhost auth jrcsecret < access-request
Sending Access-Request of id 173 to 127.0.0.1 port 1812
        User-Name = "govardhana"
        User-Password = "govardhana"
        NAS-Identifier = "nas"
        NAS-Port-Type = Ethernet
        CUI = "0"
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "1:1:1:1:1:1"
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=173, length=305
        CUI = "cui"
        Class = 0x6a7263636c617373
        State = 0x6a72637374617465
        Framed-MTU = 1400
        Framed-IP-Address = 1.2.3.4
        Service-Type = Framed-User
        Session-Timeout = 30
        MS-MPPE-Send-Key = 0x6a72636d736b
        MS-MPPE-Recv-Key = 0x6a7263726563766d736b
        AAA-Session-Id = "multisessionid"
        HA-IP-MIP4 = "1.1.1.1"
        DHCPv4-Server = "2.2.2.2"
        MN-HA-MIP4-KEY = "\225~\035\235\354\363\203\316Z\377\327\2174\360\330r\30"
        MN-HA-MIP4-SPI = "\234V.\326\014_\363fn\253_K\355-([\326\020"
        DHCP-RK = "dhcprk"
        DHCP-RK-KEY-ID = "dhcpkey"
        DHCP-RK_LIFETIME = "20"
--

5. Below is snap from Server
--
rad_recv: Access-Request packet from host 127.0.0.1:32813, id=173, length=92
        User-Name = "govardhana"
        User-Password = "govardhana"
        NAS-Identifier = "jrcnas"
        NAS-Port-Type = Ethernet
        CUI = "0"
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "1:1:1:1:1:1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "govardhana", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry govardhana at line 177
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns ok for request 0
modcall: leaving group authenticate (returns ok) for request 0
Login OK: [govardhana] (from client localhost port 0 cli 1:1:1:1:1:1)
Sending Access-Accept of id 173 to 127.0.0.1 port 32813
        CUI = "jrccui"
        Class = 0x6a7263636c617373
        State = 0x6a72637374617465
        Framed-MTU = 1400
        Framed-IP-Address = 1.2.3.4
        Service-Type = Framed-User
        Session-Timeout = 30
        WiMAX-Capability = "Accounting-Capability"
        MS-MPPE-Send-Key = 0x6a72636d736b
        MS-MPPE-Recv-Key = 0x6a7263726563766d736b
        AAA-Session-Id = "jrcmultisessionid"
        HA-IP-MIP4 = "1.1.1.1"
        DHCPv4-Server = "2.2.2
Re: Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.
Govardhana K N wrote:
> I need one more help, I tried to include microsoft attributes
> (MS-MPPE-Send-Key, MS-MPPE-Recv-Key) for which the encryption type is
> already set to 2, but the attribute values are not getting encrypted in
> Access-Accept? how can I solve this problem?

Post the debug log, as suggested in the FAQ, README, INSTALL, and many other places.

Are you *sure* the attributes are not being encrypted? Or maybe it's just you're not familiar with the process?

Alan DeKok.
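For readers following the encrypt=2 question, an added example (not from the thread and not FreeRADIUS code) of the RFC 2868 section 3.5 salt encryption that dictionary flag selects, applied to the MS-MPPE-Send-Key value 0x6a72636d736b and the radclient secret shown in the thread. It illustrates why a debug listing, which prints decoded values, can show the plain key while the packet carries different bytes; the request authenticator and salts are constructed.

```python
import hashlib


def salt_encrypt(value: bytes, secret: bytes, request_auth: bytes, salt: bytes) -> bytes:
    """Return salt + ciphertext, i.e. the attribute's String field on the wire."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the most significant bit set")
    if len(value) > 255:
        raise ValueError("value too long for the one-byte length prefix")
    # Plaintext is a length byte, the value, then zero padding to 16 bytes.
    plain = bytes([len(value)]) + value
    plain += b"\x00" * (-len(plain) % 16)
    cipher, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        # b(1) = MD5(secret + authenticator + salt); b(i) = MD5(secret + c(i-1))
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        cipher += prev
    return salt + cipher


def salt_decrypt(field: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Receiver side: recover the value from salt + ciphertext."""
    salt, cipher = field[:2], field[2:]
    if len(salt) != 2 or not cipher or len(cipher) % 16:
        raise ValueError("field must be a 2-byte salt plus 16-byte blocks")
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("length byte exceeds data: wrong secret or authenticator?")
    return plain[1:1 + length]


SECRET = b"jrcsecret"                      # secret on the radclient command line in the thread
SEND_KEY = bytes.fromhex("6a72636d736b")   # MS-MPPE-Send-Key as printed in the thread
REQUEST_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
SALT = b"\x80\x01"                         # constructed

if __name__ == "__main__":
    wire = salt_encrypt(SEND_KEY, SECRET, REQUEST_AUTH, SALT)
    print("debug listing shows :", "0x" + SEND_KEY.hex())
    print("packet carries      :", "0x" + wire.hex())
    print("receiver decodes to :", "0x" + salt_decrypt(wire, SECRET, REQUEST_AUTH).hex())
```

To confirm encryption on a live system, compare the attribute bytes in a packet capture with the debug listing rather than comparing two debug listings.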
Re: Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.
Alan,

Thanks for the help. I have got how to configure the encryption support.

I need one more help, I tried to include microsoft attributes (MS-MPPE-Send-Key, MS-MPPE-Recv-Key) for which the encryption type is already set to 2, but the attribute values are not getting encrypted in Access-Accept? How can I solve this problem?

Thanks & Regards,
Govardhana K N

On 7/16/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
Govardhana K N wrote:
> Is the support for this encryption is already present in FreeRadius
> 1.1.3? If yes, How can I add attributes to use that encryption algorithm?

$ man dictionary

Alan DeKok.

--
With Regards,
Govardhana K N
Re: 1.1.7 %{foo:-0} syntax?
Hugh Messenger wrote:
> Does 1.1.7 use the newer %{%{foo}:-0} or the older %{foo:-0} format?

It uses the old format.

Alan DeKok.