Big Problem with peap-mschapv2+freeradius 1.1.7

2007-08-16 Thread Christian Frank
Hi,

I have a big problem with my RADIUS setup. I want to authenticate
my users with PEAP+MSCHAPv2. The RADIUS backend is an LDAP server.

I have this setup working with FreeRADIUS 1.0.1 on Red Hat 4 ES.

But after upgrading to 1.1.7 this setup does not work anymore.
I configured my radius/eap/client config file the same way as the old file
was.

I additionally tried to start the new radius with the old config files, with the
same effect: it does not work.


Here is my setup:

FreeRADIUS 1.1.7
OpenLDAP (newest version)
Clients: Windows XP SP2 WPA supplicant, Juniper Odyssey Client, Cisco Secure
Services Client

In my LDAP I have the following attributes:

cn, uid, description, UserPassword

If I look at the logfiles, I can see that the LDAP authorization seems to work.
It seems that something goes wrong with the authentication. But I can't find
the reason :-( ...


Here is the logfile output of radiusd -X:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/freeradius/etc/raddb/proxy.conf
Config:   including file: /usr/local/freeradius/etc/raddb/clients.conf
Config:   including file: /usr/local/freeradius/etc/raddb/snmp.conf
Config:   including file: /usr/local/freeradius/etc/raddb/eap.conf
Config:   including file: /usr/local/freeradius/etc/raddb/sql.conf
  main: prefix = "/usr/local/freeradius"
  main: localstatedir = "/usr/local/freeradius/var"
  main: logdir = "/usr/local/freeradius/var/log/radius"
  main: libdir = "/usr/local/freeradius/lib"
  main: radacctdir = "/usr/local/freeradius/var/log/radius/radacct"
  main: hostname_lookups = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = "/usr/local/freeradius/var/log/radius/radius.log"
  main: log_auth = no
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid"
  main: user = "radiusd"
  main: group = "radiusd"
  main: usercollide = no
  main: lower_user = "no"
  main: lower_pass = "no"
  main: nospace_user = "no"
  main: nospace_pass = "no"
  main: checkrad = "/usr/local/freeradius/sbin/checkrad"
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = no
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded exec
  exec: wait = yes
  exec: program = "(null)"
  exec: input_pairs = "request"
  exec: output_pairs = "(null)"
  exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
  pap: encryption_scheme = "crypt"
  pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = no
  mschap: require_strong = no
  mschap: with_ntdomain_hack = no
  mschap: passwd = "(null)"
  mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
  unix: cache = no
  unix: passwd = "(null)"
  unix: shadow = "(null)"
  unix: group = "(null)"
  unix: radwtmp = "/usr/local/freeradius/var/log/radius/radwtmp"
  unix: usegroup = no
  unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
  eap: default_eap_type = "peap"
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
  gtc: challenge = "Password: "
  gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
  tls: rsa_key_exchange = no
  tls: dh_key_exchange = yes
  tls: rsa_key_length = 512
  tls: dh_key_length = 512
  tls: verify_depth = 0
  tls: CA_path = "(null)"
  tls: pem_file_type = yes
  tls: private_key_file = "/usr/local/certs/wcsserver.key"
  tls: certificate_file = "/usr/local/certs/wcsserver.pem"
  tls: CA_file = "/usr/local/certs/root.pem"
  tls: private_key_password = "wcs"
  tls: dh_file = "/usr/local/freeradius/etc/raddb/certs/dh"
  tls: random_file = "/usr/local/freeradius/etc/raddb/certs/random"
  tls: fragment_size = 1024
  tls: include_length = yes
  tls: check_crl = no
  tls: check_cert_cn = "(null)"
  tls: cipher_list = "(null)"
  tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certifica

Re: juniper authentication with freeradius

2007-08-16 Thread Bjørn Mork
"ashish verma" <[EMAIL PROTECTED]> writes:

> I am trying to do juniper m7i router authentication with freeradius.
> Can someone provide me some documentation?
>
> I have configured juniper but i suppose i missing something on radius side.

You don't say how you configured either the JUNOS box or FreeRADIUS.
My guess is that you're lacking something on the router:
http://www.juniper.net/techpubs/software/junos/junos84/swconfig84-system-basics/id-10674699.html


> added following in dictionary file.

Why?  They have been in the default dictionary.juniper for ages.



Bjørn

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


juniper authentication with freeradius

2007-08-16 Thread ashish verma
Hi,

Oh, I didn't have a dictionary.juniper file under /etc/freeradius,
so I added those lines to the "dictionary" file under /etc/freeradius.
And this is my Juniper-side configuration:

authentication-order [ radius password ];
radius-server {
    192.168.1.49 {
        port 1812;
        accounting-port 1813;
        secret "$9$mTnCOBEyrvO1SeKM-d"; ## SECRET-DATA
    }
}

I tried doing it without specifying the ports as well, but it didn't work.

Under the "users" file I have this:

edward  Auth-type := Local, User-Password = "edward"
        Juniper-Local-User-Name = "fritz12"

clients.conf contains

client 192.168.1.10/24 {
    secret = secret
    shortname = junoscope.server.name
    type = Juniper:nas
}



Re: juniper authentication with freeradius

2007-08-16 Thread Bjørn Mork
"ashish verma" <[EMAIL PROTECTED]> writes:

> oh.. i didnt have dictionary.juniper file under /etc/freeradius.
> so i added those lines in "dictionary" file under /etc/freeradius.
> and this is my juniper side configuration.
>
> authentication-order [ radius password ];
> radius-server {
>     192.168.1.49 {
>         port 1812;
>         accounting-port 1813;
>         secret "$9$mTnCOBEyrvO1SeKM-d"; ## SECRET-DATA
>     }
> }

You might need to specify the source address here. I.e.

radius-server {
    192.168.1.49 {
        port 1812;
        accounting-port 1813;
        secret "$9$mTnCOBEyrvO1SeKM-d"; ## SECRET-DATA
        source-address 192.168.1.10;
    }
}


> i tried doing it without specifying the ports as well..but didnt work.
>
> under "users" file i have this
>
> edward  Auth-type := Local, User-Password = "edward"
>         Juniper-Local-User-Name = "fritz12"

Did you define the local user "fritz12" on the router?

> clients.conf contains
>
> client 192.168.1.10/24 {
>     secret = secret
>     shortname = junoscope.server.name
>     type = Juniper:nas
> }

That's a somewhat strange entry.  I would have expected either 
'client 192.168.1.0/24' or 'client 192.168.1.1'

Do you get anything in the radius logs, indicating that the connection
is OK?




Bjørn



Re: Big Problem with peap-mschapv2+freeradius 1.1.7

2007-08-16 Thread Alan DeKok
Christian Frank wrote:
> I have a big problem with my radius setup. I want to authenticate
> my users with peap+mschapv2. The radius backend is an ldap server.

  Does the LDAP server contain a clear-text or NT hashed password for
the user?

> I have this setup working with Freeradius 1.0.1 on Redhat 4 ES.
> 
> But after upgrading to 1.1.7 this setup does not work anymore.
> I configured my radius/eap/client config file the same way like the old file 
> was.

  Are you sure?  The configurations are similar, but not identical.

> rlm_ldap: performing search in dc=rsel,dc=com, with filter (uid=cfra)
> rlm_ldap: checking if remote access for cfra is allowed by uid
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user cfra authorized to use remote access

  BUT there was no "known good" password for the user found in LDAP.
That's why authentication is failing.

  Alan DeKok.


freeradius stops immediately

2007-08-16 Thread Ruben . Savia
Hello all.

I am trying to run freeradius-1.1.5 but it stops immediately after
executing the command ./radiusd -X

The computer's answer is "Finalizado" because I have chosen Spanish as my
Solaris language.

There is no log file.

# ./radiusd -X
Finalizado

# uname -a
SunOS xterminal 5.7 Generic_106541-04 sun4u SUNW,Ultra-30 Solaris

Any help please?

Thank you

Ruben Savia
Professional Services Specialist
Gcia. Operaciones y Servicios
[EMAIL PROTECTED]

Av. Vieytes 1710. (C1275AGT) Ciudad Autónoma de Buenos Aires
Te :   4349- int 1001
Fax:   4349-1129

Re: freeradius stops immediately

2007-08-16 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I am trying to run freeradius-1.1.5 but it stops immediately
> after executing the command ./radiusd -X

  Use 1.1.7.

  Alan DeKok.


Enterasys Mac-auth Dynamic-VLAN

2007-08-16 Thread Fabrizio Stoppani
Hello to everyone!
I have a problem with an Enterasys SecureStack A2 switch. It works with 802.1X and
MAC authentication, but the dynamic VLAN assignment works only with the first one.
I want to use it with MAC authentication (as with Cisco, HP, ...) but the
Enterasys switch doesn't accept the tunnel attributes that the RADIUS server sends
it.
It seems that these are accepted only with 802.1X authentication.
I use FreeRADIUS with MySQL, so I would like to know if there is a way to tell
FreeRADIUS to use the Calling-Station-Id as the password for the EAP module and use
the DEFAULT user for every authentication.
Thanks a lot for your support.

Fabrizio Stoppani

Re: Big Problem with peap-mschapv2+freeradius 1.1.7

2007-08-16 Thread Christian Frank


Alan DeKok wrote:
> Christian Frank wrote:
>> I have a big problem with my radius setup. I want to authenticate
>> my users with peap+mschapv2. The radius backend is an ldap server.
> 
>   Does the LDAP server contain a clear-text or NT hashed password for
> the user?

The LDAP server contains a clear-text password. I added it using JXplorer.

> 
>> I have this setup working with Freeradius 1.0.1 on Redhat 4 ES.
>>
>> But after upgrading to 1.1.7 this setup does not work anymore.
>> I configured my radius/eap/client config file the same way like the old file 
>> was.
> 
>   Are you sure?  The configurations are similar, but not identical.

I will double-check this tomorrow morning. Maybe I have missed something...

> 
>> rlm_ldap: performing search in dc=rsel,dc=com, with filter (uid=cfra)
>> rlm_ldap: checking if remote access for cfra is allowed by uid
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user cfra authorized to use remote access
> 
>   BUT there was no "known good" password for the user found in LDAP.
> That's why authentication is failing.

Hmm. Here is my LDAP config from radiusd.conf:

ldap {
 #server = "ldap.your.domain"
 server = "150.150.40.241"
 # identity = "cn=admin,o=My Org,c=UA"
 identity = "cn=Manager,dc=rsel,dc=com"
 # password = mypass
 password = secret
 #basedn = "o=My Org,c=UA"
 basedn = "dc=rsel,dc=com"
 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 # base_filter = "(objectclass=radiusprofile)"

 # set this to 'yes' to use TLS encrypted connections
 # to the LDAP database by using the StartTLS extended
 # operation.
 # The StartTLS operation is supposed to be used with normal
 # ldap connections instead of using ldaps (port 689) connections
 start_tls = no

 # tls_cacertfile= /path/to/cacert.pem
 # tls_cacertdir= /path/to/ca/dir/
 # tls_certfile= /path/to/radius.crt
 # tls_keyfile= /path/to/radius.key
 # tls_randfile= /path/to/rnd
 # tls_require_cert= "demand"

 # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
 # profile_attribute = "radiusProfileDn"
 access_attr = "uid"

 # Mapping of RADIUS dictionary attributes to LDAP
 # directory attributes.
 dictionary_mapping = ${raddbdir}/ldap.attrmap

 ldap_connections_number = 5

 #
 # NOTICE: The password_header directive is NOT case insensitive
 #
 # password_header = "{clear}"
 #
 # Set:
 #password_attribute = nspmPassword
 #
 # to get the user's password from a Novell eDirectory
 # backend. This will work *only if* freeRADIUS is
 # configured to build with --with-edir option.
 #
 #
 #  The server can usually figure this out on its own, and pull
 #  the correct User-Password or NT-Password from the database.
 #
 #  Note that NT-Passwords MUST be stored as a 32-digit hex
 #  string, and MUST start off with "0x", such as:
 #
 #0x000102030405060708090a0b0c0d0e0f
 #
 #  Without the leading "0x", NT-Passwords will not work.
 #  This goes for NT-Passwords stored in SQL, too.
 #
 # password_attribute = userPassword
 #
 # Un-comment the following to disable Novell eDirectory account
 # policy check and intruder detection. This will work *only if*
 # FreeRADIUS is configured to build with --with-edir option.
 #
 edir_account_policy_check=no
 #
 # groupname_attribute = cn
 # groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 # groupmembership_attribute = radiusGroupName
 timeout = 4
 timelimit = 3
 net_timeout = 1
 # compare_check_items = yes
 # do_xlat = yes
 # access_attr_used_for_allow = yes

 #
 #  By default, if the packet contains a User-Password,
 #  and no other module is configured to handle the
 #  authentication, the LDAP module sets itself to do
 #  LDAP bind for authentication.
 #
 #  You can disable this behavior by setting the following
 #  configuration entry to "no".
 #
 #  allowed values: {no, yes}
 # set_auth_type = yes
 }

The only thing I do not understand in this case is the password_header =
"{clear}" directive.
What is its purpose? Maybe that is the problem?

Today I tried 2.0 pre 1 and it is working with this version (and the
password_header thing seems to have changed in this version).
I get a big warning about that "something with my 

Re: Duplicate requests in a session

2007-08-16 Thread Alex French
Hi guys,

As far as I can see from 1.1.7, this was never rolled into the code.
Can I suggest simply adding an index like this by default:

ALTER TABLE radacct ADD constraint radacct_unique_session UNIQUE (
acctuniqueid);

Then the composition of acctuniqueid can still be set in the unique id
module as appropriate for the site in question?

Alex


On 31/08/06, Peter Nixon <[EMAIL PROTECTED]> wrote:
> Good question. Does anyone have anything against changing this?
>
> -Peter
>
> On Thu 31 Aug 2006 10:11, Santiago Balaguer García wrote:
> > Thanks James, I didn't figure out that using a primary key solves the problem of
> > duplicate keys.
> > I had in radacct as primary key <> but now I am going to have
> > <>.
> >
> > This problem causes a new thread: why is radacctid the primary key of the radacct
> > table instead of acctuniqueid?
> >
> > >From: James Wakefield <[EMAIL PROTECTED]>
> > >Reply-To: FreeRadius users mailing list
> > >
> > >To: FreeRadius users mailing list 
> > >Subject: Re: Duplicate requests in a session
> > >Date: Wed, 30 Aug 2006 22:07:09 +1000
> > >
> > >Santiago Balaguer García wrote:
> > >>Hi people,
> > >>
> > >>1)
> > >>  In my activity I realize that when the connection to Internet of a NAS is
> > >>NOT good (there are some reday in the DSL), the NAS sends several Start
> > >>requests. My problem is my RADIUS server ask for all these requests and
> > >>they are inserted in my DB. So, when the user or the NAS finalizes the
> > >>session and the NAS sends a Stop Request, the credit associated to the user
> > >>account is decremented several times. It happens so because I put a
> > >> trigger in my DB to decrement the user credit automatically.
> > >>
> > >>  Can I avoid the problem of inserting several times the start request?
> > >>  If it is so, how??
> > >>
> > >>2) Is it supposed that the value of acctsessionid and acctuniqueid in
> > >>radacct table  are UNIQUE and they can not be duplicated ?
> > >>
> > >>Thanks,
> > >>Santiago
> > >
> > >Hi Santiago,
> > >
> > >Does your DBMS enforce primary key constraints?  Do you have a primary key
> > >defined for your radacct table? If I recall correctly, MySQL by default
> > >doesn't, are you using MySQL?
> > >
> > >Cheers,
> > >--
> > >James Wakefield,
> > >Unix Administrator, Information Technology Services Division
> > >Deakin University, Geelong, Victoria 3217 Australia.
> > >
> > >Phone: 03 5227 8690 International: +61 3 5227 8690
> > >Fax:   03 5227 8866 International: +61 3 5227 8866
> > >E-mail:   [EMAIL PROTECTED]
> > >Website:  http://www.deakin.edu.au
>
> --
>
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
>
>
>

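An added example (not part of this thread or of FreeRADIUS) that replays the situation Santiago describes with sqlite3: one Accounting Start plus two NAS retransmissions, a site trigger that charges one credit unit per Start row, and radacct with and without the UNIQUE constraint Alex suggests. The key attributes are the acct_unique key from the radiusd -X output elsewhere on this page; deriving acctuniqueid as MD5 of the joined values, the credit table and the sample packet are assumptions of this example, and CREATE UNIQUE INDEX stands in for Alex's ALTER TABLE because sqlite3 lacks ADD CONSTRAINT.

```python
# Added example, not FreeRADIUS code: replays the duplicate-Start problem
# with sqlite3 and shows what a UNIQUE(acctuniqueid) constraint changes.
import hashlib
import sqlite3

# Key attributes the acct_unique module is configured with in the debug
# output elsewhere on this page. MD5 over the joined values is this
# example's assumption, not the module's exact algorithm.
UNIQUE_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address",
              "Client-IP-Address", "NAS-Port")


def acct_unique_id(pkt):
    return hashlib.md5(",".join(str(pkt[k]) for k in UNIQUE_KEY).encode()).hexdigest()


SCHEMA = """
CREATE TABLE credit (username TEXT PRIMARY KEY, units INTEGER NOT NULL);
CREATE TABLE radacct (
  radacctid     INTEGER PRIMARY KEY AUTOINCREMENT,
  acctsessionid TEXT NOT NULL,
  acctuniqueid  TEXT NOT NULL,
  username      TEXT NOT NULL,
  nasipaddress  TEXT NOT NULL,
  nasportid     TEXT,
  acctstarttime TEXT
);
-- the site's trigger from the thread: one credit unit per Start row inserted
CREATE TRIGGER charge_on_start AFTER INSERT ON radacct
BEGIN
  UPDATE credit SET units = units - 1 WHERE username = NEW.username;
END;
"""
# sqlite3 equivalent of Alex's ALTER TABLE ... ADD CONSTRAINT ... UNIQUE (acctuniqueid)
UNIQUE_SESSION = "CREATE UNIQUE INDEX radacct_unique_session ON radacct (acctuniqueid)"


def insert_start(conn, pkt):
    """Insert an Accounting Start row; return False if the row was rejected."""
    try:
        conn.execute(
            "INSERT INTO radacct (acctsessionid, acctuniqueid, username,"
            " nasipaddress, nasportid, acctstarttime) VALUES (?, ?, ?, ?, ?, ?)",
            (pkt["Acct-Session-Id"], acct_unique_id(pkt), pkt["User-Name"],
             pkt["NAS-IP-Address"], str(pkt["NAS-Port"]), pkt["Event-Timestamp"]))
        return True
    except sqlite3.IntegrityError:   # constraint fired; the AFTER INSERT trigger did not run
        return False


def simulate(enforce_unique):
    """One Start plus two retransmissions; returns (radacct rows, credit left, rejected)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if enforce_unique:
        conn.execute(UNIQUE_SESSION)
    conn.execute("INSERT INTO credit VALUES ('santiago', 10)")
    start = {  # constructed sample Accounting-Request, not from the thread
        "User-Name": "santiago", "Acct-Session-Id": "3A0B1C2D",
        "NAS-IP-Address": "192.0.2.10", "Client-IP-Address": "192.0.2.10",
        "NAS-Port": 7, "Event-Timestamp": "2006-08-30 22:07:09",
    }
    rejected = sum(not insert_start(conn, start) for _ in range(3))
    rows = conn.execute("SELECT count(*) FROM radacct").fetchone()[0]
    units = conn.execute("SELECT units FROM credit WHERE username = 'santiago'").fetchone()[0]
    conn.close()
    return rows, units, rejected
```

With the constraint in place the retransmitted Start fails the insert, and in the stock 1.x sql.conf rlm_sql then runs accounting_start_query_alt (an UPDATE of the existing row) rather than charging the user again.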


healthcheck?

2007-08-16 Thread Kevin J
We want to reject SLB health checks immediately.  What is the best way to do
that?   I tried to add "healthcheck Auth := Reject" but it still goes through all the
authorization/authentication modules.  Is there any way that we can reject it
immediately so we can make it lighter?

Thanks in advance.
Kevin

freeradius + ad

2007-08-16 Thread Alexsander
)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc//raddb/huntgroups"
 preprocess: hints = "/etc//raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc//raddb/users"
 files: acctusersfile = "/etc//raddb/acct_users"
 files: preproxy_usersfile = "/etc//raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
 detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.134.64.199:1124, id=220, length=114
User-Name = "REFAP\\dadfh9"
EAP-Message = 0x020100110152454641505c646164666839
NAS-IP-Address = 10.134.64.199
Service-Type = Login-User
Calling-Station-Id = "00-0f-ea-21-ee-51"
NAS-Port-Type = Ethernet
NAS-Port = 16
Message-Authenticator = 0x10edbda09bf5ad2634790b585ee77e6f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  
'/usr/local/var/log/radius/radacct/10.134.64.199/auth-detail-20070816'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/10.134.64.199/auth-detail-20070816
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "REFAP\dadfh9", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 153
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 220 to 10.134.64.199 port 1124
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x0547bc9804181b086d78b1affb7fbc3d
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.134.64.199:1125, id=221, length=195
User-Name = "REFAP\\dadfh9"
EAP-Message = 
0x02020050198000461603010041013d030146c498cadf74708ca364202e238eb621ae25ade0d60009aebe42d9b5a1788b0a1600040005000a000900640062000300060013001200630100
    NAS-IP-Address = 10.134.64.199
Service-Type = Login-User
Calling-Station-Id = "00-0f-ea-21-ee-51"
NAS-Port-Type

Re: freeradius + ad

2007-08-16 Thread Joe Vieira
>Exec-Program output: Logon failure (0xc06d)
>Exec-Program-Wait: plaintext: Logon failure (0xc06d)
>Exec-Program: returned: 1
>  rlm_mschap: External script failed.


Those are probably the lines of interest: your ntlm_auth is failing.  Try
it via the command line; once you get it working via the command line
you'll have a MUCH better chance of it working in FreeRADIUS.

Hints: get kinit working, and also get wbinfo -u listing your
domain users.

Joe Vieira
UNIX Systems Administrator
Clark University



Re: Client-IP-Address not logged in detail

2007-08-16 Thread Peter Nixon
On Thu 17 May 2007, Alan DeKok wrote:
> Milan Holub wrote:
> > despite the note in radiusd.conf:
> > ...
> > #  It also adds the %{Client-IP-Address} attribute to the request.
> > preprocess
>
>   This no longer happens.  That documentation should be removed.
>
> > it looks like that the attribute is not added:
>  DEBUG
> >
> > rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in
> > request, unique ID MAY be inconsistent
> >
>  DEBUG
>
>   That should be updated to use Packet-Src-IP-Address, or
> Packet-Src-IPv6-Address
>
> > and I do not find it in detail file neither(where I would need it for
> > radrelaying).
>
>   The detail module should be updated to write src/dst IP's to the
> detail file, along with src/dst ports.

Hmm.. Just a reminder to the list that this still seems to be an open issue.

-- 

Peter Nixon
http://peternixon.net/


Re: Many questions about FreeRadius

2007-08-16 Thread Alan DeKok
Pedro Henrique Morsch Mazzoni wrote:
> Can I integrate FreeRADIUS with RSA SecurID?

  Yes.

> Can I use Cisco Downloadable ACLs?

  I believe so.

> Can I create group profiles?

  Yes.

> Can I integrate with a TACACS server for command authorization?

  No.

> Can I integrate with the SIM RSA Envision?

  No idea.

  Alan DeKok.


Many questions about FreeRadius

2007-08-16 Thread Pedro Henrique Morsch Mazzoni
Hi Everyone!

Can I integrate FreeRADIUS with RSA SecurID?
Can I use Cisco Downloadable ACLs?
Can I create group profiles?
Can I integrate with a TACACS server for command authorization?
Can I integrate with the SIM RSA Envision?

Tks!
Pedro Mazzoni

Re: Client-IP-Address not logged in detail

2007-08-16 Thread Alan DeKok
Peter Nixon wrote:
>>   The detail module should be updated to write src/dst IP's to the
>> detail file, along with src/dst ports.
> 
> Hmm.. Just a reminder to the list that this still seems to be an open issue.

  See "log_packet_header", which will do precisely this.

  Alan DeKok.


Dictionary for Huawei

2007-08-16 Thread Pshem Kowalczyk
Hi,

I've noticed that there is no dictionary for Huawei in the source. Can
you please add this one:

#
# dictionary.huawei
#
VENDOR      Huawei                          2011
#
#   Huawei Attributes
#
ATTRIBUTE   Huawei-Input-ATTRIB_UNUSED      1     integer Huawei
ATTRIBUTE   Huawei-Input-Average-Rate       2     integer Huawei
ATTRIBUTE   Huawei-Input-Peak-Rate          3     integer Huawei
ATTRIBUTE   Huawei-Output-ATTRIB_UNUSED     4     integer Huawei
ATTRIBUTE   Huawei-Output-Average-Rate      5     integer Huawei
ATTRIBUTE   Huawei-Output-Peak-Rate         6     integer Huawei
ATTRIBUTE   Huawei-In-Kb-Before-T-Switch    7     integer Huawei
ATTRIBUTE   Huawei-Out-Kb-Before-T-Switch   8     integer Huawei
ATTRIBUTE   Huawei-In-Pkt-Before-T-Switch   9     integer Huawei
ATTRIBUTE   Huawei-Out-Pkt-Before-T-Switch  10    integer Huawei
ATTRIBUTE   Huawei-In-Kb-After-T-Switch     11    integer Huawei
ATTRIBUTE   Huawei-Out-Kb-After-T-Switch    12    integer Huawei
ATTRIBUTE   Huawei-In-Pkt-After-T-Switch    13    integer Huawei
ATTRIBUTE   Huawei-Out-Pkt-After-T-Switch   14    integer Huawei
ATTRIBUTE   Huawei-Remanent-Volume          15    integer Huawei
ATTRIBUTE   Huawei-Tariff-Switch-Interval   16    integer Huawei
ATTRIBUTE   Huawei-ISP-ID                   17    string  Huawei
ATTRIBUTE   Huawei-Max-Users-Per-Logic-Port 18    integer Huawei
ATTRIBUTE   Huawei-Command                  20    integer Huawei
ATTRIBUTE   Huawei-Priority                 22    integer Huawei
ATTRIBUTE   Huawei-Control-Identifier       24    integer Huawei
ATTRIBUTE   Huawei-Result-Code              25    integer Huawei
ATTRIBUTE   Huawei-Connect-ID               26    integer Huawei
ATTRIBUTE   Huawei-PortalURL                27    string  Huawei
ATTRIBUTE   Huawei-FTP-Directory            28    string  Huawei
ATTRIBUTE   Huawei-Exec-Privilege           29    integer Huawei
ATTRIBUTE   Huawei-IP-Address               30    integer Huawei
ATTRIBUTE   Huawei-Qos-Profile-Name         31    string  Huawei
ATTRIBUTE   Huawei-Destnation-IP-Addr       39    string  Huawei
ATTRIBUTE   Huawei-Destnation-Volume        40    string  Huawei
ATTRIBUTE   Huawei-Startup-Stamp            59    integer Huawei
ATTRIBUTE   Huawei-IPHost-Addr              60    string  Huawei
ATTRIBUTE   Huawei-HW-Portal-Mode           85    integer Huawei
ATTRIBUTE   Huawei-VPN-Instance             94    string  Huawei
ATTRIBUTE   Huawei-Policy-Name              95    string  Huawei
ATTRIBUTE   Huawei-Tunnel-Group-Name        96    string  Huawei
ATTRIBUTE   Huawei-Multicast-Source-Group   97    string  Huawei
ATTRIBUTE   Huawei-Multicast-Receive-Group  98    ipaddr  Huawei
ATTRIBUTE   Huawei-User-Multicast-Type      99    integer Huawei
ATTRIBUTE   Huawei-Service-Chg-Cmd          105   integer Huawei
ATTRIBUTE   Huawei-Acct-Packet-Type         106   integer Huawei
ATTRIBUTE   Huawei-Call-Reference           107   integer Huawei
ATTRIBUTE   Huawei-PSTN-Port                108   integer Huawei
ATTRIBUTE   Huawei-Voip-Service-Type        109   integer Huawei
ATTRIBUTE   Huawei-Acct-Connection-Time     110   integer Huawei
ATTRIBUTE   Huawei-Error-Reason             112   integer Huawei
ATTRIBUTE   Huawei-Remain-Monney            113   integer Huawei
ATTRIBUTE   Huawei-Org-GK-ipaddr            123   ipaddr  Huawei
ATTRIBUTE   Huawei-Org-GW-ipaddr            124   ipaddr  Huawei
ATTRIBUTE   Huawei-Dst-GK-ipaddr            125   ipaddr  Huawei
ATTRIBUTE   Huawei-Dst-GW-ipaddr            126   ipaddr  Huawei
ATTRIBUTE   Huawei-Access-Num               127   string  Huawei
ATTRIBUTE   Huawei-Remain-Time              128   integer Huawei
ATTRIBUTE   Huawei-Codec-Type               131   integer Huawei
ATTRIBUTE   Huawei-Transfer-Num             132   string  Huawei
ATTRIBUTE   Huawei-New-User-Name            133   string  Huawei
ATTRIBUTE   Huawei-Transfer-Station-Id      134   string  Huawei
ATTRIBUTE   Huawei-Primary-DNS              135   ipaddr  Huawei
ATTRIBUTE   Huawei-Secondary-DNS            136   ipaddr  Huawei
ATTRIBUTE   Huawei-ONLY-Account-Type        137   integer Huawei
ATTRIBUTE   Huawei-Domain-Name              138   string  Huawei
ATTRIBUTE   Huawei-Version                  254   string  Huawei
ATTRIBUTE   Huawei-Product-ID               255   string  Huawei


kind regards
Pshem
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
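The dictionary lines above only help if the server can load them without conflicts: a duplicated vendor attribute number or a type the server does not know means the NAS's VSAs show up as unknown attributes and silently fail to match policy. As an added example (not code from the FreeRADIUS project or from the post), the following Python parses lines in the same ATTRIBUTE syntax, refuses duplicates and unknown types, and decodes a vendor attribute's wire value by its dictionary type. It assumes the default one-byte vendor attribute number, which all of the Huawei lines fit, and RFC 2865 value encodings for the string, integer and ipaddr types; the six sample lines are copied from the posted dictionary, with one constructed trailing comment.

```python
"""Parser and sanity checker for FreeRADIUS-style ATTRIBUTE dictionary lines.

Added example, not code from FreeRADIUS or from the list post. Assumptions:
the syntax  ATTRIBUTE <name> <number> <type> <vendor>, one-byte vendor
attribute numbers, and RFC 2865 encodings for string/integer/ipaddr.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: a representative subset of the data types FreeRADIUS 1.x accepts.
KNOWN_TYPES = {"string", "integer", "ipaddr", "date", "octets", "ipv6addr"}

# Constructed sample: six lines copied from the Huawei dictionary in the post.
SAMPLE_DICTIONARY = """\
ATTRIBUTE   Huawei-Remain-Time      128 integer Huawei
ATTRIBUTE   Huawei-Primary-DNS      135 ipaddr  Huawei
ATTRIBUTE   Huawei-Secondary-DNS    136 ipaddr  Huawei
ATTRIBUTE   Huawei-Domain-Name      138 string  Huawei
ATTRIBUTE   Huawei-Version          254 string  Huawei   # constructed comment
ATTRIBUTE   Huawei-Product-ID       255 string  Huawei
"""


class DictionaryError(ValueError):
    """Raised for a line or value the checker refuses."""


@dataclass(frozen=True)
class Attribute:
    name: str
    number: int
    type: str
    vendor: str


def parse_dictionary(text):
    """Return Attribute entries for every ATTRIBUTE line; reject bad ones."""
    entries, by_number, by_name = [], {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] != "ATTRIBUTE":
            continue                                  # VENDOR/VALUE lines: out of scope here
        if len(fields) != 5:
            raise DictionaryError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        _, name, num, typ, vendor = fields
        if not num.isdigit() or not 1 <= int(num) <= 255:
            raise DictionaryError(f"line {lineno}: bad attribute number {num!r}")
        if typ not in KNOWN_TYPES:
            raise DictionaryError(f"line {lineno}: unknown type {typ!r}")
        number = int(num)
        if (vendor, number) in by_number:
            raise DictionaryError(
                f"line {lineno}: {vendor} attribute {number} already defined as "
                f"{by_number[(vendor, number)]}")
        if name in by_name:
            raise DictionaryError(f"line {lineno}: duplicate attribute name {name!r}")
        by_number[(vendor, number)] = name
        by_name[name] = number
        entries.append(Attribute(name, number, typ, vendor))
    return entries


def decode_value(attr, raw):
    """Decode the wire bytes of a VSA value according to its dictionary type."""
    if attr.type in ("integer", "date"):
        if len(raw) != 4:
            raise DictionaryError(f"{attr.name}: integer needs 4 bytes, got {len(raw)}")
        return int.from_bytes(raw, "big")
    if attr.type == "ipaddr":
        if len(raw) != 4:
            raise DictionaryError(f"{attr.name}: ipaddr needs 4 bytes, got {len(raw)}")
        return str(ipaddress.IPv4Address(raw))
    if attr.type == "string":
        return raw.decode("utf-8", errors="replace")
    raise DictionaryError(f"{attr.name}: no decoder for type {attr.type!r}")


if __name__ == "__main__":
    table = {a.name: a for a in parse_dictionary(SAMPLE_DICTIONARY)}
    print(decode_value(table["Huawei-Primary-DNS"], bytes([10, 0, 0, 53])))  # 10.0.0.53
```

The length checks in decode_value are the part worth keeping: a NAS that sends a two-byte integer for an attribute the dictionary declares as a four-byte integer should be reported rather than decoded into a wrong value.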


Ipsec EAP_TLS

2007-08-16 Thread abhishek singh
Hi every One,

 Does the implementation of FreeRADIUS provide support for EAP-TLS
authentication in IPsec?

  After the TLS handshake (between the IPsec client and the FreeRADIUS
server) is complete, a shared master key will be generated at the VPN client
and at the RADIUS server.

Does the current implementation of FreeRADIUS provide the capability for
these keys to be securely transferred to the VPN gateway?

Thanks in advance
Regards

Re: rlm_sql - accept user based only on username

2007-08-16 Thread Pshem Kowalczyk
It's actually quite simple:

 select * from radcheck;
  id |  username  | attribute | op | value
 ----+------------+-----------+----+--------
  12 | 2392382942 | Auth-Type | := | Accept

regards
Pshem




On 16/08/07, Pshem Kowalczyk <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm trying to build a radius system that accepts users only based on
> their username (which in our case is a mixture of calling and called
> station id). What should I put in the radcheck (and possibly radreply)
> to achieve it? Basically, if the username is in the table it should get
> accepted.
>
> Any hints?
>
> kind regards
> Pshem
>
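The single radcheck row in Pshem's answer works because rlm_sql loads the rows for the User-Name as check items, and a control Auth-Type of Accept makes the server skip authentication altogether. As an added example (not FreeRADIUS code and not from the thread), the following Python models that decision for a few constructed cases: the posted row, a constructed user whose row set also pins Calling-Station-Id with an `==` check item so that knowing the username alone is not enough, and a constructed password-checked user to show the path that is skipped. It goes a little beyond the post by covering the `==` and `!=` operators and the fall-through to a PAP check; the table rows and requests are constructed, and only row 12 mirrors the post.

```python
"""Model of how rlm_sql check items in radcheck decide an Access-Request.

Added example, not FreeRADIUS code. Assumptions: rows are selected by
User-Name; ':=' sets a control attribute; '==' / '!=' compare against the
request; an Auth-Type of Accept skips authentication entirely.
"""
import hmac

# Constructed radcheck table: (id, username, attribute, op, value).
# Row 12 mirrors the one in the post; the other rows are constructed.
RADCHECK = [
    (12, "2392382942", "Auth-Type", ":=", "Accept"),
    # constructed: accept by username, but only from the matching calling number
    (13, "2392389999", "Auth-Type", ":=", "Accept"),
    (14, "2392389999", "Calling-Station-Id", "==", "2392389999"),
    # constructed: an ordinary password-checked PAP user
    (15, "alice", "Cleartext-Password", ":=", "s3cret"),
]


def load_check_items(table, username):
    """Select one user's check items in id order (what the SQL query returns)."""
    rows = sorted((r for r in table if r[1] == username), key=lambda r: r[0])
    return [(attr, op, value) for (_id, _user, attr, op, value) in rows]


def apply_check_items(request, items):
    """Apply the operators. Returns (matched, control) with the ':=' items in control."""
    control = {}
    for attr, op, value in items:
        if op == ":=":
            control[attr] = value              # set or overwrite a control attribute
        elif op == "==":
            if request.get(attr) != value:     # request must carry exactly this value
                return False, control
        elif op == "!=":
            if request.get(attr) == value:
                return False, control
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return True, control


def authorize(table, request):
    """Return 'accept' or 'reject' for a request dict keyed by attribute name."""
    items = load_check_items(table, request["User-Name"])
    if not items:
        return "reject"       # unknown user: nothing sets Auth-Type, server rejects
    matched, control = apply_check_items(request, items)
    if not matched:
        return "reject"
    auth_type = control.get("Auth-Type")
    if auth_type == "Accept":
        return "accept"       # no credential is examined at all
    if auth_type == "Reject":
        return "reject"
    # Otherwise fall through to a password check (PAP modelled here).
    expected = control.get("Cleartext-Password")
    if expected is not None and hmac.compare_digest(
            request.get("User-Password", ""), expected):
        return "accept"
    return "reject"


if __name__ == "__main__":
    print(authorize(RADCHECK, {"User-Name": "2392382942"}))                  # accept
    print(authorize(RADCHECK, {"User-Name": "2392389999",
                               "Calling-Station-Id": "0000"}))               # reject
```

The point of rows 13 and 14 is the defensive one: with Auth-Type := Accept the only thing being checked is the username string the NAS sends, so tying the row set to the Calling-Station-Id it was derived from (or to the NAS-IP-Address in clients.conf terms) is what keeps a mistyped or reused username from being accepted.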


juniper authentication with freeradius

2007-08-16 Thread ashish verma
Hi,
It is working now. Thanks for your help.
I was missing the following entry:

user remote {
    full-name "All remote users";
    uid *uid-value*;
    class *class-name*;
}

(see http://www.juniper.net/techpubs/software/junos/junos84/swconfig84-system-basics/id-11121928.html#id-11121928)

Thanks again.





On 8/16/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> --
>
> Message: 1
> Date: Thu, 16 Aug 2007 16:00:07 +0530
> From: "ashish verma" < [EMAIL PROTECTED]>
> Subject: juniper authentication with freeradius
> To: freeradius-users@lists.freeradius.org
> Message-ID:
> <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> hi,
>
> Oh, I didn't have the dictionary.juniper file under /etc/freeradius,
> so I added those lines to the "dictionary" file under /etc/freeradius.
> This is my Juniper-side configuration:
>
> authentication-order [ radius password ];
>radius-server {
>192.168.1.49 {
>port 1812;
>accounting-port 1813;
>secret "$9$mTnCOBEyrvO1SeKM-d"; ## SECRET-DATA
>}
>}
>
> I tried doing it without specifying the ports as well, but it didn't work.
>
> under "users" file i have this
>
> edward Auth-type := Local, User-Password = "edward"
>Juniper-Local-User-Name = "fritz12"
>
> clients.conf contains
>
> client 192.168.1.10/24 {
>secret = secret
>shortname = junoscope.server.name
>type = Juniper:nas
>}
>
>
> On 8/16/07, [EMAIL PROTECTED] <
> [EMAIL PROTECTED] > wrote:
> >
> > --
> >
> > Message: 1
> > Date: Thu, 16 Aug 2007 11:20:09 +0200
> > From: Bjørn Mork <[EMAIL PROTECTED]>
> > Subject: Re: juniper authentication with freeradius
> > To: FreeRadius users mailing list
> > < freeradius-users@lists.freeradius.org>
> > Message-ID: <[EMAIL PROTECTED]>
> > Content-Type: text/plain; charset=iso-8859-1
> >
> > "ashish verma" < [EMAIL PROTECTED]> writes:
> >
> > > I am trying to do juniper m7i router authentication with freeradius.
> > > Can someone provide me some documentation?
> > >
> > > I have configured juniper but i suppose i missing something on radius
> > side.
> >
> > You don't say how you configured either the JUNOS box or FreeRADIUS.
> > My guess is that you're lacking something on the router:
> >
> >
> http://www.juniper.net/techpubs/software/junos/junos84/swconfig84-system-basics/id-10674699.html
> >
> >
> > > added following in dictionary file.
> >
> > why?  They have been in the default dictionary.juniper for ages.
> >
> >
> >
> > Bjørn
> >
> >