Re: How to get FreeRadius 2.0 running?

2007-08-28 Thread Alan DeKok
Jack Daniels wrote:
> No, I'm not trying to run it with 1.1.x files. I've downloaded the
> latest snapshot in a brand new computer, which has only the LBS.

  Hmm... OK.

> In previous versions, when I compiled FreeRadius, it was 100%
> functional, obviously I needed to configure it to meet my needs, but at
> least, it had a sample configuration which worked out-of-the-box.
> When I tried the same with this release, 

  No.  2.0 hasn't been released.  You're running from CVS head, which
may not even build on a daily basis.

> I got the error previously
> shown, and still can't get it to work, even if I modify the default
> configuration in the sites-enabled directory or the listen sections in
> the radiusd.conf file. I've tried some things, and I feel that the
> solution to this problem is really simple, but I haven't found it yet.

  Can you post the *full* debug log.  It will contain more information
about the problem than the one-line error you posted.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


simultaneous usage

2007-08-28 Thread Michael Ziemann

Hi all!

I added the Simultanous-Use attribute to radgroupcheck in my MySQL-db 
with the following statement:


INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) 
values("dialup", "Simultaneous-Use", ":=", "1");


But I can login twice or more with the same account... so what do i have 
to enable/disable to deny simultaneous usage of the accounts???



Regards
Michael



Date: Mon, 27 Aug 2007 12:00:51 +0200
From: Michael Ziemann <[EMAIL PROTECTED]>
Subject: User login
To: freeradius-users@lists.freeradius.org
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

Hi People!

Today I've another problem with freeradius.
The user has his own password and can login by himself, no problem. But 
how can I avoid a second user logging in with the same user / pwd?

Is it a problem of the NAS or RADIUS ???

I didn't find any configuration examples on the web, so please be 
patient :-)


greets

Michael


--

Message: 2
Date: Mon, 27 Aug 2007 13:11:05 +0300
From: "liran tal" <[EMAIL PROTECTED]>
Subject: Re: User login
To: "FreeRadius users mailing list"
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Hey Michael,

You need to make use of the Simultaneous-Use attribute as a parameter
for controlling how many sessions per user will be accepted by the RADIUS
server.


Regards,
Liran Tal.

  



Re: compiling free radius 1.1.7 on NetBSD

2007-08-28 Thread Alan DeKok
Ray Phillips wrote:
> I've attempted to compile free radius 1.1.7 on a machine running
> NetBSD/amd64  without success...

  FreeRADIUS is in pkgsrc.  If the version there isn't 1.1.7, the
patches will let you build it on NetBSD.

> At first configure couldn't find krb5.h and make failed:

  I've fixed that in CVS head.  If it can't find krb5.h, it doesn't
build the module.

> so I ran configure again, explicitly telling it the path to krb5.h (with
> a freshly untar'ed source tree):

  All that does is refresh the source.  It does NOT delete any files
left over from a previous configure run.

> % sh -c './configure CPPFLAGS=-I/usr/include/krb5 > configure.log 2>&1'

  Use CFLAGS, not CPPFLAGS.

> Could you suggest a solution to this please?

  Edit src/modules/rlm_krb5/Makefile by hand.  It's tiny.

  Alan DeKok.


Re: pre1 dies on startup: generate_sql_clients() returned error

2007-08-28 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> I know you like to kill the server off if there's any kind of
> configuration parsing error; but possibly duplicate/invalid clients is
> one of the exceptions where it might be better to complain bitterly...

  This goes for invalid clients, invalid home servers, databases that
are down, etc.  The list is nearly endless.

  It's difficult to write all of the code to catch all of those error
cases.  And what does your policy do when it says "proxy to FOO", and
FOO doesn't exist?  Does your local configuration handle that correctly,
or does something else go wrong?

  It's easier to force people to have working configurations.

  Alan DeKok.


problem with eap-tls authentication

2007-08-28 Thread HBA BOX
Hello,
I'm using a radius server and a linksys access point configured to use
radius security mode, and windows xp on my laptop as wlan client configured like
that:
  network authentication: open
  data encryption: WEP
  enable IEEE 802.1x authentication for this NW
  EAP type: smartcard or other certificate
  use a certificate on this computer
  use a simple certificate selection

for the configuration of the radius server and certificate creation I have
followed the EAP/TLS HOWTO. When I start the connection I'm having the following
problem in radius.log:

Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls:  Length Included
Tue Aug 28 09:05:26 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message

Re: pre1 dies on startup: generate_sql_clients() returned error

2007-08-28 Thread Artur Hecker


Regarding the subject, it's still much better than the following
headline: "A startup dies on pre1" :-)))

Sorry, couldn't help thinking of it when reading the mail. Anyway, a
hail to the project that has already helped so many new companies to
construct their businesses...





On 28 Aug 2007, at 10:29, Alan DeKok wrote:

> Arran Cudbard-Bell wrote:
>> I know you like to kill the server off if there's any kind of
>> configuration parsing error; but possibly duplicate/invalid clients is
>> one of the exceptions where it might be better to complain bitterly...
>
>   This goes for invalid clients, invalid home servers, databases that
> are down, etc.  The list is nearly endless.
>
>   It's difficult to write all of the code to catch all of those error
> cases.  And what does your policy do when it says "proxy to FOO", and
> FOO doesn't exist?  Does your local configuration handle that correctly,
> or does something else go wrong?
>
>   It's easier to force people to have working configurations.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: simultaneous usage

2007-08-28 Thread Alan DeKok
Michael Ziemann wrote:
> I added the Simultaneous-Use attribute to radgroupcheck in my MySQL-db
> with the following statement:
...
> But I can login twice or more with the same account... so what do i have
> to enable/disable to deny simultaneous usage of the accounts???

  As ALWAYS, run the server in debugging mode to see what it's doing.

  See the Wiki for common issues with Simultaneous-Use.

  Alan DeKok.




freeradius and direct server return

2007-08-28 Thread Giuseppe Tricarico

Hi All
I have a problem with freeradius and a Direct Server Return configuration.

I use an Alteon load balancer configured for DSR; freeradius listens on the
virtual IP address and on the real address, as health check requests are sent
to the real IP address but client requests are sent to the virtual IP
address.  The problem is that the server responds to client requests from
the real IP address instead of the virtual one, so the client discards the
response.


Is there any configuration that tells freeradius to answer using the 
virtual address ???


Regards

 Giuseppe


Re: compiling free radius 1.1.7 on NetBSD

2007-08-28 Thread Alan DeKok
Ray Phillips wrote:
> Yes, it is there.  I suppose I'm obstinate, but I'd like the original
> sources to be compilable without having to patch them.

  I've fixed it in CVS head.  For 1.1.8 (if it's released), we'll see.

> If you understand them.  :)  It looks to me as though none of the
> patches in /usr/pkgsrc/net/freeradius/patches apply to files in
> ./src/modules/rlm_krb5.

  Ask the pkgsrc package maintainer for patches, OR create them yourself.

> change the RLM_FLAGS line to
> 
> RLM_CFLAGS = -I/usr/include/et -I/usr/include/krb5
> 
> (what's normally in /usr/include/et by the way?  I've not heard of that
> directory.)

  It's where the Kerberos headers live on many other systems.
...
> rlm_krb5.c: In function 'verify_krb5_tgt':
> rlm_krb5.c:96: warning: implicit declaration of function
> 'krb5_princ_component'
> rlm_krb5.c:96: error: 'c' undeclared (first use in this function)

I no longer use NetBSD on a daily basis, and I no longer use
Kerberos.

> Can you see what should be done about this?

  Someone using Kerberos on NetBSD should track down the problem and
submit a patch.

  Alan DeKok.


Re: freeradius and direct server return

2007-08-28 Thread Phil Mayers
On Tue, 2007-08-28 at 11:39 +0200, Giuseppe Tricarico wrote:
> Hi All
> I have a problem with freeradius and a Direct Server Return configuration.
> 
> I use an Alteon load balancer configured for DSR; freeradius listens on the 
> virtual IP address and on the real address, as health check requests are sent 
> to the real IP address but client requests are sent to the virtual IP 
> address.  The problem is that the server responds to client requests from 
> the real IP address instead of the virtual one, so the client discards the 
> response.

I believe FreeRadius should respond on the IP the packet came in on.

What does your "listen { ..." stanza say in radiusd.conf?

What does:

lsof -i :1812

...show?





Re: Calling-Station-ID

2007-08-28 Thread Phil Mayers
On Mon, 2007-08-27 at 19:00 -0500, Stefan Adams wrote:
> Is there anyway that I can rewrite the Calling-Station-ID to the name
> of the PC instead of the MAC address?  This table can be found in LDAP

In which case, you might be able to do it in the hints file with an
ldap: xlat

DEFAULT Calling-Station-Id =~ "..-..-..-..-..-.."
Calling-Station-Id := "%{ldap:LDAPQUERY}"

LDAPQUERY would be something like:

ldap:///dc=dom,dc=com?machineName?sub?macAddress=%{Calling-Station-Id}

I don't recommend it though - keeping the CLID around is very useful.

>  or even in DHCP.  Is there a way to call an external program that
> will provide the rewrite rules such that the log shows:
>   Login OK: [username] (from client switch port 0 cli PCName)
> Instead of:
>   Login OK: [username] (from client switch port 0 cli
> 00-11-22-33-44-55)

If I were you, I'd also stop relying on the radiusd.log - it's a pretty
poor logging mechanism. Use a "detail" or "sql" module in "post-auth",
and then you can extend the queries to do whatever you like, including
log extra attributes.




Re: compiling free radius 1.1.7 on NetBSD

2007-08-28 Thread Ray Phillips

Thanks for your reply Alan.


> > I've attempted to compile free radius 1.1.7 on a machine running
> > NetBSD/amd64  without success...
>
>   FreeRADIUS is in pkgsrc.

Yes, it is there.  I suppose I'm obstinate, but I'd like the original
sources to be compilable without having to patch them.

> If the version there isn't 1.1.7,

The 2007Q2 pkgsrc, which I think is the most recent, contains FreeRADIUS 1.1.6.

> the patches will let you build it on NetBSD.

If you understand them.  :)  It looks to me as though none of the
patches in /usr/pkgsrc/net/freeradius/patches apply to files in
./src/modules/rlm_krb5.

> > At first configure couldn't find krb5.h and make failed:
>
>   I've fixed that in CVS head.  If it can't find krb5.h, it doesn't
> build the module.

Thanks.

> > so I ran configure again, explicitly telling it the path to krb5.h (with
> > a freshly untar'ed source tree):
>
>   All that does is refresh the source.  It does NOT delete any files
> left over from a previous configure run.

Sorry, I meant I deleted the directory where I'd just run
./configure, executed 'tar jxf freeradius-1.1.7.tar.bz2' and started
again in the new freeradius-1.1.7 directory.

> > % sh -c './configure CPPFLAGS=-I/usr/include/krb5 > configure.log 2>&1'
>
>   Use CFLAGS, not CPPFLAGS.

OK.

> > Could you suggest a solution to this please?
>
>   Edit src/modules/rlm_krb5/Makefile by hand.  It's tiny.

I did actually try that but didn't mention it because I thought it
might have been a silly approach...  I noticed
./src/modules/rlm_krb5/Makefile contains the line

include ../rules.mak

and ./src/modules/rules.mak contains the line

$(RLM_DIR)../../../Make.inc

and ./Make.inc contains the line:

CFLAGS  = $(INCLUDE) -I/usr/include/krb5 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG

(I don't know which directory RLM_DIR is but guess that path points
to freeradius-1.1.7/Makefile.inc ?) so I thought
./src/modules/rlm_krb/Makefile would implicitly know to use
-I/usr/include/krb5.  Anyway, I'll try again now...


% ls
freeradius-1.1.7.tar.bz2
% tar jxf *
% cd freeradius-1.1.7
% /usr/bin/time sh -c './configure CFLAGS=-I/usr/include/krb5 > configure.log 2>&1'
       33.24 real        15.51 user        16.47 sys
% vi src/modules/rlm_krb5/Makefile

change the RLM_FLAGS line to

RLM_CFLAGS = -I/usr/include/et -I/usr/include/krb5

(what's normally in /usr/include/et by the way?  I've not heard of
that directory.)

% /usr/bin/time sh -c 'gmake > gmake.log 2>&1'
       23.74 real        14.38 user        11.71 sys
% sed -n '920,$p' gmake.log
Making all in rlm_krb5...
gmake[6]: Entering directory 
`/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/modules/rlm_krb5'
/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/libtool 
--mode=compile gcc  -I/usr/include/krb5 -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG 
-I/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/include 
-I/usr/include/et -I/usr/include/krb5 -c rlm_krb5.c

mkdir .libs
 gcc -I/usr/include/krb5 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS 
-Wall -D_GNU_SOURCE -DNDEBUG 
-I/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/include 
-I/usr/include/et -I/usr/include/krb5 -c rlm_krb5.c  -fPIC -DPIC -o 
.libs/rlm_krb5.o

rlm_krb5.c: In function 'verify_krb5_tgt':
rlm_krb5.c:96: warning: implicit declaration of function 'krb5_princ_component'
rlm_krb5.c:96: error: 'c' undeclared (first use in this function)
rlm_krb5.c:96: error: (Each undeclared identifier is reported only once
rlm_krb5.c:96: error: for each function it appears in.)
rlm_krb5.c:96: error: invalid type argument of '->'
rlm_krb5.c:105: warning: passing argument 2 of 
'krb5_kt_read_service_key' discards qualifiers from pointer target 
type

rlm_krb5.c: In function 'krb5_auth':
rlm_krb5.c:217: warning: initialization makes pointer from integer 
without a cast

rlm_krb5.c:219: warning: excess elements in struct initializer
rlm_krb5.c:219: warning: (near initialization for 'tgtname')
rlm_krb5.c:257: warning: pointer targets in assignment differ in signedness
rlm_krb5.c:258: warning: pointer targets in assignment differ in signedness
rlm_krb5.c:292: error: request for member 'length' in something not a 
structure or union
rlm_krb5.c:293: error: request for member 'data' in something not a 
structure or union
rlm_krb5.c:296: error: request for member 'length' in something not a 
structure or union
rlm_krb5.c:297: error: request for member 'data' in something not a 
structure or union

gmake[6]: *** [rlm_krb5.lo] Error 1
gmake[6]: Leaving directory 
`/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/modules/rlm_krb5'

gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory 
`/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/modules'

gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory 
`/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/modules'

gmake[3]: *** [common

Help me : rc_read_dictionary: invalid type

2007-08-28 Thread hyunok
Fedora core 5 
freeradius-client-1.1.5.tar.bz2 
./confiugre 
make 
make install 
  
freeradius-1.1.7.tar.gz 
rpmbuild -bb redhat/freeradius.spec 
  
cp /usr/share/freeradius/dictionary.microsoft  \ 
/usr/local/etc/radiusclient 
  
vi /usr/local/etc/radiusclient/dictionary 
  
INCLUDE /usr/local/etc/radiusclient/dictionary.merit 
INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft 
  
rpm -Uvh pptpd-1.3.3-1.fc5.i386.rpm 
  
options.pptpd 
plugin radius.so 
radius-config-file /usr/local/etc/radiusclient/radiusclient.conf 
plugin radattr.so 
  
starting connect windows xp 
  
tail -f /var/log/messages 
  
Aug 27 19:00:59 no1 pptpd[1099]: CTRL: Starting call (launching pppd, opening 
GRE) 
Aug 27 19:00:59 no1 pppd[1100]: Plugin radius.so loaded. 
Aug 27 19:00:59 no1 pppd[1100]: RADIUS plugin initialized. 
Aug 27 19:00:59 no1 pppd[1100]: Plugin radattr.so loaded. 
Aug 27 19:00:59 no1 pppd[1100]: RADATTR plugin initialized. 
Aug 27 19:00:59 no1 pppd[1100]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded. 
Aug 27 19:00:59 no1 pppd[1100]: pppd 2.4.3 started by root, uid 0 
Aug 27 19:00:59 no1 pppd[1100]: Using interface ppp0 
Aug 27 19:00:59 no1 pppd[1100]: Connect: ppp0 <--> /dev/pts/2 
Aug 27 19:01:02 no1 pptpd[1099]: CTRL: Ignored a SET LINK INFO packet with real 
ACCMs! 
Aug 27 19:01:02 no1 pppd[1100]: rc_read_dictionary: invalid type on line 11 of 
dictionary /usr/local/etc/radiusclient/dictionary.microsoft 
Aug 27 19:01:02 no1 pppd[1100]: RADIUS: Can't read dictionary file 
/usr/local/etc/radiusclient/dictionary 
Aug 27 19:01:02 no1 pppd[1100]: Peer testuser failed CHAP authentication 
Aug 27 19:01:02 no1 pppd[1100]: Connection terminated. 
Aug 27 19:01:02 no1 pppd[1100]: Exit. 
Aug 27 19:01:02 no1 pptpd[1099]: CTRL: Client 123.xx.xx.xx control connection 
finished

simultaneous login

2007-08-28 Thread Michael Ziemann

Hi all !

I don't know what to do... sql is enabled, but I still can login
twice... I inserted the Simultaneous-Use attribute already in my db ...


Here's the debug info, started with radiusd -X ...


Re: Help me : rc_read_dictionary: invalid type

2007-08-28 Thread Phil Mayers
On Tue, 2007-08-28 at 19:20 +0900, hyunok wrote:
> Fedora core 5 
> freeradius-client-1.1.5.tar.bz2 
> ./confiugre 
> make 
> make install 

Great, so you posted this barely-comprehensible gibberish to the poptop
list and now to the FreeRadius list.

http://catb.org/~esr/faqs/smart-questions.html

(Though Eric Raymond is a gun-toting nut, this particular doc is good)

Per your previous reply on the poptop list, the problem is coming from
the PPPD radius plugin; this is nothing to do with FreeRadius. I don't
know why you're installing "freeradius-client" or "freeradius" - pppd
doesn't use them.

The VERY FIRST HIT on google for:

freeradius dictionary.microsoft

...leads here, which although it happens to be in the FreeRadius Wiki
still doesn't make it a FreeRadius problem:

http://wiki.freeradius.org/PopTop#The_radiusclient_setup_part_.28on_the_Poptop_server.29

Basically, unless you've patched it otherwise, pppd uses the (old)
radiusclient library. radiusclient cannot read FreeRadius-formatted
dictionaries, so you are wasting your time copying the FreeRadius
dictionaries to radiusclient.
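A quick check for the mismatch Phil describes, as an added Python example (not part of radiusclient or FreeRADIUS): it walks a dictionary file and reports, with line numbers the way the "invalid type on line N" error does, every ATTRIBUTE whose type is outside the small set the old radiusclient parser understands, plus FreeRADIUS-only keywords such as BEGIN-VENDOR. The accepted type set (string, integer, ipaddr, date) and the keyword list are assumptions about radiusclient; the sample dictionary text is constructed, not the real dictionary.microsoft.

```python
"""Find FreeRADIUS-only constructs in a dictionary before handing it to radiusclient.

Added example; radiusclient's real parser is not used here.
"""

# Assumption: the attribute types the old radiusclient rc_read_dictionary accepts.
RADIUSCLIENT_TYPES = {"string", "integer", "ipaddr", "date"}
# Assumption: keywords radiusclient understands; anything else is FreeRADIUS-only syntax.
RADIUSCLIENT_KEYWORDS = {"ATTRIBUTE", "VALUE", "VENDOR", "INCLUDE"}


def lint_dictionary(text, filename="dictionary"):
    """Return 'file:line: message' strings for every line radiusclient would reject."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments; skip blank lines
        if not line:
            continue
        fields = line.split()
        keyword = fields[0]
        if keyword not in RADIUSCLIENT_KEYWORDS:
            problems.append(f"{filename}:{lineno}: FreeRADIUS-only keyword {keyword}")
            continue
        if keyword == "ATTRIBUTE":
            if len(fields) < 4:
                problems.append(f"{filename}:{lineno}: ATTRIBUTE needs name, number and type")
                continue
            # FreeRADIUS allows a length suffix such as octets[16]; the base type is what matters.
            attr_type = fields[3].split("[", 1)[0].lower()
            if attr_type not in RADIUSCLIENT_TYPES:
                problems.append(f"{filename}:{lineno}: invalid type {attr_type}")
    return problems


# Constructed sample in FreeRADIUS dictionary syntax (not the real dictionary.microsoft).
SAMPLE_FREERADIUS_DICT = """\
# -*- text -*-
# Microsoft vendor-specific attributes (constructed sample)
VENDOR          Microsoft                       311

BEGIN-VENDOR    Microsoft

ATTRIBUTE       MS-CHAP-Response                1       octets
ATTRIBUTE       MS-CHAP-Error                   2       string
ATTRIBUTE       MS-MPPE-Encryption-Policy       7       integer
ATTRIBUTE       MS-Primary-DNS-Server           28      ipaddr

VALUE   MS-MPPE-Encryption-Policy       Encryption-Allowed      1

END-VENDOR      Microsoft
"""


if __name__ == "__main__":
    for problem in lint_dictionary(SAMPLE_FREERADIUS_DICT, "dictionary.microsoft"):
        print(problem)
```

Run it over the file named in the "Can't read dictionary file" message to see which lines the radiusclient parser will stop at; the fix is to use a dictionary written for radiusclient rather than to patch types by hand.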



simultaneous usage

2007-08-28 Thread Michael Ziemann

Hi Guys!

Bad bad error ... the user had wrong rights, so the server couldn't 
write down who's online...

very bad mistake...

Regards
Michael
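The failure mode Michael found, as an added Python/sqlite3 model that is not FreeRADIUS code: the Simultaneous-Use check can only count sessions that accounting managed to write to radacct, so a database user without INSERT rights makes the limit silently unenforceable while authentication keeps succeeding. The queries are modelled on the rlm_sql group-check query and an assumed default session count over radacct rows with no AcctStopTime; the trigger stands in for the missing MySQL privilege, since SQLite has no GRANTs.

```python
"""Model of FreeRADIUS' SQL Simultaneous-Use check (added example, not FreeRADIUS code)."""
import sqlite3

# Constructed schema: a cut-down version of the radgroupcheck/usergroup/radacct tables,
# pre-loaded with the radgroupcheck row from the original post.
SCHEMA = """
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT,
                            op TEXT, Value TEXT);
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, UserName TEXT, AcctSessionId TEXT,
                      NASIPAddress TEXT, AcctStartTime TEXT, AcctStopTime TEXT);
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
    VALUES ('dialup', 'Simultaneous-Use', ':=', '1');
INSERT INTO usergroup VALUES ('michael', 'dialup');
"""

# Stand-in for a DB account lacking INSERT on radacct: an aborting trigger models the
# privilege error MySQL would raise (assumption about the MySQL side).
DENY_ACCT_WRITES = """
CREATE TRIGGER deny_insert BEFORE INSERT ON radacct
BEGIN SELECT RAISE(ABORT, 'INSERT command denied to user for table radacct'); END;
"""


def fresh_db(acct_can_write):
    """In-memory database, optionally with accounting writes denied."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if not acct_can_write:
        conn.executescript(DENY_ACCT_WRITES)
    return conn


def session_limit(conn, user):
    """Simultaneous-Use value from the user's group check items, or None if unset."""
    row = conn.execute(
        "SELECT radgroupcheck.Value FROM radgroupcheck, usergroup "
        "WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName "
        "AND radgroupcheck.Attribute = 'Simultaneous-Use' ORDER BY radgroupcheck.id",
        (user,)).fetchone()
    return int(row[0]) if row else None


def open_sessions(conn, user):
    """Open sessions = radacct rows for the user that never received an Accounting-Stop."""
    return conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime IS NULL",
        (user,)).fetchone()[0]


def accounting_start(conn, user, session_id, nas_ip):
    """Accounting-Start handler. Returns False when the INSERT fails: the server logs the
    SQL error and carries on, so the session is simply never recorded."""
    try:
        conn.execute(
            "INSERT INTO radacct (UserName, AcctSessionId, NASIPAddress, AcctStartTime) "
            "VALUES (?, ?, ?, datetime('now'))", (user, session_id, nas_ip))
        return True
    except sqlite3.DatabaseError:
        return False


def authorize(conn, user):
    """'reject' when the user already has >= Simultaneous-Use open sessions, else 'accept'."""
    limit = session_limit(conn, user)
    if limit is not None and open_sessions(conn, user) >= limit:
        return "reject"
    return "accept"


def simulate_logins(acct_can_write, attempts=3, user="michael"):
    """Run several logins for one account and return the authorize decisions in order."""
    conn = fresh_db(acct_can_write)
    decisions = []
    for n in range(1, attempts + 1):
        decision = authorize(conn, user)
        decisions.append(decision)
        if decision == "accept":
            accounting_start(conn, user, f"sess-{n}", "10.0.0.1")  # constructed NAS address
    conn.close()
    return decisions


if __name__ == "__main__":
    print("accounting can write:   ", simulate_logins(True))   # second login rejected
    print("accounting cannot write:", simulate_logins(False))  # every login accepted
```

The second run is the symptom from the thread: with nothing landing in radacct the count is always zero, which is why checking the accounting table (and the SQL errors in the debug output) is the first step when Simultaneous-Use appears to be ignored.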


Re: simultaneous login

2007-08-28 Thread Alan DeKok
Michael Ziemann wrote:
> Hi all !
> 
> I don't know what to do... sql is enabled, but i still can login
> twice... i inserted the Simultaneous-Use attribute already in my db ...
> 
> Here's the debug info, started with radiusd -X ...
...
> Ready to process requests.

  So... the server starts.  That's nice.

  How exactly is that supposed to help anyone figure out what's
happening when a user logs in?

  Post the debug log from when someone is trying to log in.  This means
the server receives packets, and sends replies.

  Alan DeKok.


SQL-NASlist + Dynamic IP

2007-08-28 Thread Matthias Lohr
Hello!

I have the NAS list in MySQL with hostnames, like nas1.foo.bar. Is it necessary
to restart freeradius if the IP of a NAS changes? In the morning I had this
error and I think this is because my IP has changed:
# Error: Ignoring request from unknown client 85.25.116.14:2052
Or is there an option which I can use so that I don't have to restart?

Greetz
Matthias


SQL-NASlist + Dynamic IP

2007-08-28 Thread Matthias Lohr
> Matthias Lohr wrote:
>> I have the NAS list in MySQL with hostnames, like nas1.foo.bar. Is it
>> necessary to restart freeradius if the IP of a NAS changes?
>
> Yes.

Does a restart have any influence on running sessions?

>> In the morning I had this
>> error and I think this is because my IP has changed:
>> # Error: Ignoring request from unknown client 85.25.116.14:2052
>> Or is there an option which I can use so that I don't have to restart?
>
> No.
>
> Don't use hostnames for RADIUS.  Use IP addresses.

I have only NAS with dynamic IPs, so that doesn't work.

>  Alan DeKok.


Re: accepting clients with expired certificates

2007-08-28 Thread Alan DeKok
Norbert Wegener wrote:
> If the client's certificate is expired, eap/tls will, of course,  fail.
> In this case a guest vlan shall be assigned to the client.

  I'm not sure that's good enough.  The client may not believe it was
successfully authenticated until the TLS session is properly finished.

> Having a module, that adds the needed radius-attributes seems to work,
> if  an additional Auth-Type += Accept is added.
> Doing this, the eap-tls is short-circuited and may result in a:
> 
> Incoming RADIUS packet did not have correct Message-Authenticator - dropped
> message
> on the client side.

  Try adding a Message-Authenticator to the reply.  Any value will do,
as it will be re-calculated when the packet is sent.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL-NASlist + Dynamic IP

2007-08-28 Thread Alan DeKok
Matthias Lohr wrote:
> Does a restart have any influence to running sessions?

  If you're doing EAP, yes.  If you're not doing EAP, there are no
ongoing RADIUS sessions.

>> Don't use hostnames for RADIUS.  Use IP addresses.
> I only have NASes with dynamic IPs, so that doesn't work

  Fix your network so that NASes have static IPs.  RADIUS was designed
to use static IPs.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap-tls authentication

2007-08-28 Thread Alan DeKok
inelec communication wrote:
> Sending Access-Challenge of id 0 to 192.168.0.211:2057
> EAP-Message = 0x0113000a0d80
> Message-Authenticator = 0x
> State = 0x1859df1e2a63289dde2fcecf053c07cc
> Finished request 107
> Going to the next request
> Waking up in 6 seconds...
...
> please can any one help me to solve this problem?

  Read the FAQ about TLS or PEAP not working with Windows machines.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


eap-tls authentication

2007-08-28 Thread inelec communication
Hello,
I'm using a radius server and a linksys access point configured to use the radius 
security mode, and windows xp on my laptop as the wlan client configured like this:
network authentication: open
data encryption: WEP
enable IEEE 802.1x authentication for this NW
EAP type: smartcard or other certificate
use a certificate on this computer
use a simple certificate selection
 
for the configuration of the radius server and certificate creation I have 
followed the EAP/TLS HOWTO. When I start the connection I get the following 
problem in radius.log:
 
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls:  Length Included
Tue Aug 28 09:05:26 2007 : Error: TLS_accept:error in SSLv3 read client 
certificate A 
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls:  Length Included
Tue Aug 28 09:05:56 2007 : Error: TLS_accept:error in SSLv3 read client 
certificate A 
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls:  Length Included
Tue Aug 28 09:06:26 2007 : Error: TLS_accept:error in SSLv3 read client 
certificate A 
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:57 2007 : Info: rlm_eap_tls:  Length Included
Tue Aug 28 09:06:57 2007 : Error: TLS_accept:error in SSLv3 read client 
certificate A 
Tue Aug 28 09:06:57 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:57 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:57 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
T

accepting clients with expired certificates

2007-08-28 Thread Norbert Wegener

I have setup authentication against AD according to:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
This works as expected.

If the client's certificate is expired, EAP/TLS will, of course, fail.
In this case a guest VLAN shall be assigned to the client.

Having a module that adds the needed RADIUS attributes seems to work 
if an additional Auth-Type += Accept is added.

Doing this, EAP-TLS is short-circuited and may result in a

Incoming RADIUS packet did not have correct Message-Authenticator - dropped

message on the client side.

Is this acceptable?
What would be the best way to handle a situation like that?

Norbert Wegener


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL-NASlist + Dynamic IP

2007-08-28 Thread Alan DeKok
Matthias Lohr wrote:
> I have the NAS-List in MySQL with hostnames, like nas1.foo.bar. Is it 
> necessary 
> to restart freeradius if the IP of a NAS changes?

  Yes.

> In the morning i had this 
> error and i think this is because my ip has changed:
> # Error: Ignoring request from unknown client 85.25.116.14:2052
> Or is there an option, which i can use to have not to restart?

  No.

  Don't use hostnames for RADIUS.  Use IP addresses.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL-NASlist + Dynamic IP

2007-08-28 Thread A . L . M . Buxey
Hi,

> > Don't use hostnames for RADIUS.  Use IP addresses.
> I have only NAS with dynamic ips, so that doesn't work

using a VPN between the NAS and the server could help
in this case - if it's possible - that way the NAS is always
the same IP endpoint of the VPN tunnel.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: accepting clients with expired certificates

2007-08-28 Thread Norbert Wegener

Alan DeKok wrote:
> ...
>
>> Incoming RADIUS packet did not have correct Message-Authenticator - dropped
>> message
>> on the client side.
>
>   Try adding a Message-Authenticator to the reply.  Any value will do,
> as it will be re-calculated when the packet is sent.
>

freeradius now sends a Message-Authenticator with value 0x00:

rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 0 to 156.215.207.190 port 58366
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Type:0 = VLAN
   Tunnel-Private-Group-Id:0 = "VL-G-DE-GU14-0001"
   Message-Authenticator  0x
Finished request 0
but there seems to be a problem on the other end, as eapol_test shows:

STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending 
request, round trip time 0.05 sec

RADIUS packet matching with station
could not extract EAP-Message from RADIUS message

EAPOL: startWhen --> 0
EAPOL test timed out
MPPE keys OK: 0  mismatch: 1
FAILURE

freeradius version is 1.1.6

Norbert Wegener
--


Norbert Wegener
Siemens AG Siemens IT Solutions and Services
SBS GO GIO NW PSU2
Kruppstr. 16
D-46128 Essen, Germany 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Type cast error in rlm_sql_unixodbc?

2007-08-28 Thread Plaggenmarsch, Erik
Hi all,

We are running FreeRADIUS 1.1.6 on Solaris 10 (sparc) and want to
retrieve authorization information from a Pervasive SQL database via an
ODBC Bridge.
In order to do so we installed on our Solaris host:
- the unixODBC ODBC Manager 2.2.12
- Easysoft ODBC-ODBC Client 32bit for Solaris

But every time a RADIUS request was processed and a valid SQL query was
sent via module rlm_sql_unixodbc to the SQL database, both RADIUS and the
remote ODBC server crashed. Error in radiusd: memory allocation.

It took quite some debugging to find the cause of this. In the driver
rlm_sql_unixodbc, in file sql_unixodbc.c we found the following code:

===
/* original sql_num_fields() from sql_unixodbc.c */
static int sql_num_fields(SQLSOCK *sqlsocket, SQL_CONFIG *config) {
    rlm_sql_unixodbc_sock *unixodbc_sock = sqlsocket->conn;
    long err_handle;
    int num_fields = 0;

    /* SQLNumResultCols() writes a SQLSMALLINT through the pointer,
       but num_fields is an int: the cast only silences the compiler */
    err_handle =
        SQLNumResultCols(unixodbc_sock->stmt_handle,(SQLSMALLINT *)&num_fields);
    if (sql_state(err_handle, sqlsocket, config))
        return -1;

    return num_fields;
}
===

SQLSMALLINT is defined in unixODBC, file: include/sqltypes.h

typedef signed short int   SQLSMALLINT;

But num_fields is of type 'int' !

This caused the function to return 0x20000 instead of 0x001, which in
turn caused both the radiusd and the remote ODBC server to allocate
memory for 0x20000 (131072) rows!

I simply changed this piece of code to:

===
/* fixed sql_num_fields(): num_fields now has the type SQLNumResultCols() writes */
static int sql_num_fields(SQLSOCK *sqlsocket, SQL_CONFIG *config) {
    rlm_sql_unixodbc_sock *unixodbc_sock = sqlsocket->conn;
    long err_handle;
    SQLSMALLINT num_fields = 0;

    err_handle =
        SQLNumResultCols(unixodbc_sock->stmt_handle,&num_fields);
    if (sql_state(err_handle, sqlsocket, config))
        return -1;

    return num_fields;  /* widened to int on return */
}
===

This solved our crashes.

So the solution only involved changing the type of num_fields to
SQLSMALLINT (the same as required by the SQL call SQLNumResultCols) and
removing the type cast in the actual call to SQLNumResultCols
(unnecessary now).

After we solved it this way, I found the same error fixed in a similar
way on a SUSE distribution list:
http://lists.opensuse.org/opensuse-commit/2007-05/msg00099.html

I believe this to be a small error in the rlm_sql_unixodbc Driver.
Hopefully other people can benefit from our experience.

Can anyone confirm that my solution is correct and should work for all
OSes (as I expect) even though this might not cause problems on all OSes
(as on some, a short int is just as big as a normal int)? Then I will send
in a bug report via the site.

Kind regards,

Erik Plaggenmarsch


Re: Radius problem with EAP

2007-08-28 Thread A . L . M . Buxey
Hi,

> I am having in starting radius. Following is text output of "radiusd -X"

..and it's obvious...

> rlm_eap: No such sub-type for default EAP type peap
 

> The eap.conf has following configuration -

oh my. you have seriously and blindly edited the eap.conf - removing
several required parts - eg the peap stanza is completely empty(!) why!??!

put the original eap.conf back in place and ONLY edit the individual
lines that you need to change. Don't just blindly cut everything away.
if you've done this to radiusd.conf and other files then I doubt
your install will ever work.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


user already logged in

2007-08-28 Thread Michael Ziemann

Hi Guys!

I've another problem ...
When I enter radwho, it displays user1, user2 and user3 ...
But they aren't connected, and with these accounts I can't log in since I 
entered the Simultaneous-Use into radgroupcheck ... The value is 1.

I already deleted the radacct tables, and disabled the radutmp in sql.conf.

I tried to solve the problem with adding an Idle-Timeout attribute in 
radgroupreply and in radreply, but it doesn't work. 


Can anybody help me?

If I log in, the debug tells me that the user is already logged in ...


Thanks for your patience.

Regards
Michael

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: accepting clients with expired certificates

2007-08-28 Thread Alan DeKok
Norbert Wegener wrote:
> freeradius now sends a  Message-Authenticator  with value 0x00:
...
> but there seems to be a problem on the other end, as eapol_test shows:
> 
> STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending
> request, round trip time 0.05 sec
> RADIUS packet matching with station
> could not extract EAP-Message from RADIUS message

  Yes.  As I said, the supplicant may not like it if you don't complete
the whole TLS conversation.

  At the minimum, you'll need to send an EAP Success packet inside of
the EAP-Message attribute.  But don't expect that to work.

  If the client certificate has expired, the odds are that the client
*cannot* be authenticated, even with the sacrifice of small animals, and
the sprinkling of their leavings in graveyards at midnight...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problem with older wireless network drivers.

2007-08-28 Thread Richard Elder
I have run across a number of machines that seem to have a problem 
authenticating to the radius server via a Cisco 1200 AP using LEAP.  All the 
newer Cisco/Intel cards don't have a problem with current or recent drivers, 
but a model of Atheros and Belkin drivers that have a copyright date of 
2004/2005 seem to have a problem authenticating.  These are specific medical 
devices from vendors for which updated drivers may not be available. 
 
 
As a test, I set up a standalone AP with its built-in RADIUS server, and then 
had the device with the older drivers try to authenticate to it, and it worked 
just fine.  So the problem seems to be with the FreeRadius server and the older 
drivers!??
 
Below is a sample of the debug of the radius from the Cisco 1200 with the device 
with the old driver.
 
Aug 27 19:13:52.864: RADIUS:  User-Name   [1]   9   "LAPTOP1"
Aug 27 19:13:52.864: RADIUS:  Framed-MTU  [12]  6   1400
Aug 27 19:13:52.864: RADIUS:  Called-Station-Id   [30]  16  "0013.8038.1fa0"
Aug 27 19:13:52.864: RADIUS:  Calling-Station-Id  [31]  16  "0012.cf4f.1471"
Aug 27 19:13:52.864: RADIUS:  Service-Type[6]   6   Login   
  [1]
Aug 27 19:13:52.865: RADIUS:  Message-Authenticato[80]  18  *
Aug 27 19:13:52.865: RADIUS:  EAP-Message [79]  18
Aug 27 19:13:52.865: RADIUS:   01 03 00 10 11 01 00 08 92 27 97 77 53 89 5D 2F  
[?
]/]
Aug 27 19:13:52.866: RADIUS:  NAS-Port-Type   [61]  6   802.11 wireless 
  [19]
Aug 27 19:13:52.866: RADIUS:  NAS-Port[5]   6   955446
Aug 27 19:13:52.866: RADIUS:  State   [24]  18
Aug 27 19:13:52.866: RADIUS:   1F A2 5E E8 18 DB 27 25 A8 42 8D EA EE 48 89 F9  
[??^???'??
??]
Aug 27 19:13:52.866: RADIUS:  NAS-IP-Address  [4]   6   10.0.1.5
Aug 27 19:13:52.866: RADIUS:  Nas-Identifier  [32]  12  "WDS"
Aug 27 19:19:20.265: RADIUS:  NAS-IP-Address  [4]   6   10.0.1.5
Aug 27 19:19:20.265: RADIUS:  Nas-Identifier  [32]  12  "WDS"
Aug 27 19:19:25.561: RADIUS: no sg in radius-timers: ctx 0xD368A8 sg 0x
Aug 27 19:19:25.561: RADIUS: Retransmit to (10.0.2.2:1812,1813) for id 1645/38
Aug 27 19:19:25.562: RADIUS: Received from id 1645/38 10.0.2.2:1812, 
Access-Reject, len 20
Aug 27 19:19:25.562: RADIUS:  authenticator A7 6D 43 3E E8 75 98 B9 - 2E 28 22 
48 95 06 81 78
Aug 27 19:19:25.563: RADIUS(000E980E): Received from id 1645/38er drivers.  
 
 
Thanks for any assistance.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
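As an added example (not from the post above, and not Cisco or FreeRADIUS code), a decoder for the EAP-Message bytes in that Cisco debug: the 16 bytes after the RADIUS attribute header (type 79, length 18) parse as an EAP Request (code 1, identifier 3, length 16) of type 17 (LEAP), version 1, count 8, followed by an 8-byte challenge. The struct and function names are assumptions of this example; every length field is checked against the buffer so a truncated attribute is rejected instead of over-read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of an EAP-Message attribute body (RFC 3748 header plus, for
 * type 17, the Cisco LEAP sub-header). Constructed for this example. */
typedef struct {
    uint8_t  code;          /* 1 Request, 2 Response, 3 Success, 4 Failure */
    uint8_t  identifier;
    uint16_t length;        /* length of the whole EAP packet, from the header */
    uint8_t  type;          /* present for Request/Response only */
    uint8_t  leap_version;  /* LEAP fields, valid when type == 17 */
    uint8_t  leap_count;    /* 8 for a challenge, 24 for a response */
    const uint8_t *leap_data;
} eap_leap_t;

#define EAP_TYPE_LEAP 17

/* Returns 0 on success, -1 when the bytes are not a consistent EAP/LEAP packet. */
int decode_eap_leap(const uint8_t *buf, size_t len, eap_leap_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 4) return -1;
    out->code = buf[0];
    out->identifier = buf[1];
    out->length = (uint16_t)((buf[2] << 8) | buf[3]);
    if (out->length < 4 || out->length > len) return -1;       /* length field must fit the buffer */
    if (out->code == 3 || out->code == 4)                      /* Success/Failure carry no type */
        return out->length == 4 ? 0 : -1;
    if (out->code != 1 && out->code != 2) return -1;
    if (out->length < 5) return -1;
    out->type = buf[4];
    if (out->type != EAP_TYPE_LEAP) return 0;                  /* other types: header only */
    if (out->length < 8) return -1;                            /* version, unused, count */
    out->leap_version = buf[5];
    out->leap_count = buf[7];
    if (out->leap_count != 8 && out->leap_count != 24) return -1;
    if ((size_t)out->length < 8u + out->leap_count) return -1; /* data must fit in the packet */
    out->leap_data = buf + 8;
    return 0;
}

/* The EAP-Message content from the Cisco debug above (attribute header removed) */
static const uint8_t sample_leap[] = {
    0x01, 0x03, 0x00, 0x10, 0x11, 0x01, 0x00, 0x08,
    0x92, 0x27, 0x97, 0x77, 0x53, 0x89, 0x5D, 0x2F
};

int main(void)
{
    eap_leap_t p;
    if (decode_eap_leap(sample_leap, sizeof sample_leap, &p) != 0) {
        puts("not a valid EAP/LEAP packet");
        return 1;
    }
    printf("code=%u id=%u length=%u type=%u leap_version=%u count=%u\n",
           p.code, p.identifier, p.length, p.type, p.leap_version, p.leap_count);
    return 0;
}
```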

Re: freeradius + ad

2007-08-28 Thread Alexsander
Hi Alan,
how can I know what kind of error it is?
AD account is ok (I'm using that)
the password works fine when I run ntlm_auth command manually:

ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
password:
(Success)


On 8/24/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Alexsander wrote:
> > Hi Alan, this is complete log captured using:
> ...
> > radius_xlat:  
> > '--nt-response=b5064e14567ab057f0757ee512947c1a900138564585ef02'
> > Exec-Program output: Logon failure (0xc06d)
>
>   Yes, there's a lot of output in debugging mode.
>
>   Read it.
>
>   You're running ntlm_auth, and it's returning login failure.  Fix that.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


-- 
Alexsander A. Rodrigues

If you had to identify, in one word, the reason why the human race
has not yet reached (and never will reach) its full potential,
that word would be "MEETINGS".
L.F.V.

http://counter.li.org/cgi-bin/runscript/display-person.cgi?user=413267

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: openikev2 interface

2007-08-28 Thread Punith Raj
Alan

 First of all I apologize for my late reply. I don't remember exactly, but
openswan and strongswan were not supporting EAP payload when we started this
project.
Our project demands EAP-SIM.
Strongswan has added this feature recently, I guess. By interface I meant that
the EAP-SIM payload is to be forwarded to the Freeradius server, then the
response back to the client, but through the secure tunnel of ikev2.

                           Tunnel (IKEv2)
+--------+-----------+====================+-----------+-----+
| client | openikev2 |                    | openikev2 | AAA |
|        |           |    [EAP-SIM] -->   |           |     |
+--------+-----------+====================+-----------+-----+


On 7/8/07, Alan DeKok <[EMAIL PROTECTED] > wrote:
>
> Punith Raj wrote:
> >   Is it possible to have an interface between openikev2 and
> > freeradius ?.
>
> To do... what?
>
> > We need to do this for our project called *Unlicensed
> > Mobile Access * (*UMA*) where AAA server i.e freeradius receives
> > packets  from its clients in a secure tunnel implemented with
> > openikev2.Has any one tried it before.
>
> Most people just use Openswan for this.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Configuring L2tp forwarding based on suffix?

2007-08-28 Thread Garry Glendown
I'm trying to set up l2tp forwarding based on an auth suffix ... I've
tried something like this:

DEFAULT Suffix == "[EMAIL PROTECTED]"
Cisco-Avpair := "vpdn:tunnel-type=l2tp",
Cisco-Avpair += "vpdn:ip-addresses=10.221.1.34",
Cisco-Avpair += "vpdn:l2tp-tunnel-password=secret"

Testing the access via radtest, I get the "expected" info AFAICT:

rad_recv: Access-Reject packet from host 10.218.212.15:1812, id=24,
length=133
Cisco-AVPair = "vpdn:tunnel-type=l2tp"
Cisco-AVPair = "vpdn:ip-addresses=10.221.1.34"
Cisco-AVPair = "vpdn:l2tp-tunnel-password=secret"

just the "reject" seems to point towards something that's still missing
... what is it??? The logfile also still says the auth is unsuccessful:

Tue Aug 28 22:33:14 2007 : Auth: Login incorrect:
[EMAIL PROTECTED] (from client radius port 1)

Help appreciated!

Tnx, -garry

-- 
Garry Glendown
NETHINKS GMBH - Bahnhofstraße 16 - 36037 Fulda
Phone:  +49 661 25 000 0
Fax:+49 661 25 000 49
E-Mail: Garry [EMAIL PROTECTED]

Managing Director: Uwe Bergmann
Chairman of the Supervisory Board: Garry Glendown
AG Fulda HRB 2546
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Tim Crouch is out of the office.

2007-08-28 Thread Tim_Crouch

I will be out of the office starting  08/28/2007 and will not return until 09/04/2007.

I will respond to your message when I return.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Issues with Auth when freeradius proxies to another freeradius server.

2007-08-28 Thread Willie Yeo

I am running a Cisco 7200 with vpdn tunnels.

Freeradius 1.1.6 server I am running,

My authentications to my local box for other realms (e.g. @bbb.org,  
@ccc.com) within the local box are working fine, but authenticating  
from Cisco router nas_ip_x to my local radius box, and then (re-) 
proxying realm @ggg.net to another Freeradius server, is failing.


The router doesn't get a response at all, but the radius debug shows  
that the remote freeradius is responding with rad_recv: Access-Accept  
packet from host remote_freeradius_ip:1812, id=3, length=48, and I  
can see in the remote box's logs that it is authenticated.


All I can see is that my local radius box lists
"modcall: group authorize returns fail for request 11"
and I don't see a response to the Cisco router.

Any pointers will be much appreciated.

Thank you.

Willie

--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host nas_ip_x:1645, id=15,  
length=104

Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
CHAP-Password = 0x251f4cce03886d9d4594e0e977028f9364
NAS-Port-Type = Virtual
NAS-Port = 655
Calling-Station-Id = "qwb209000200750"
Service-Type = Framed-User
NAS-IP-Address = nas_ip_x
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 11
  modcall[authorize]: module "preprocess" returns ok for request 11
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 11
  modcall[authorize]: module "mschap" returns noop for request 11
rlm_realm: Looking up realm "ggg.net" for User-Name =  
"[EMAIL PROTECTED]"

rlm_realm: Found realm "ggg.net"
rlm_realm: Proxying request from user greg to realm ggg.net
rlm_realm: Adding Realm = "ggg.net"
rlm_realm: Preparing to proxy authentication request to realm  
"ggg.net"

  modcall[authorize]: module "suffix" returns updated for request 11
  modcall[authorize]: module "files" returns notfound for request 11
radius_xlat:  ''
  modcall[authorize]: module "sql" returns fail for request 11
modcall: group authorize returns fail for request 11
Sending Access-Request of id 3 to remote_freeradius_ip:1812
Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
CHAP-Password = 0x251f4cce03886d9d4594e0e977028f9364
NAS-Port-Type = Virtual
NAS-Port = 655
Calling-Station-Id = "qwb209000200750"
Service-Type = Framed-User
NAS-IP-Address = nas_ip_x
CHAP-Challenge = 0x4110b677d9b60422bf19448745fab584
Proxy-State = 0x3135
Waking up in 3 seconds...
rad_recv: Access-Accept packet from host remote_freeradius_ip:1812,  
id=3, length=48

Framed-IP-Address = 210.8.255.11
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-Compression = Van-Jacobson-TCP-IP
Proxy-State = 0x3135
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 11
  modcall[authorize]: module "preprocess" returns ok for request 11
  rlm_chap: WARNING: Auth-Type already set.  Not setting to CHAP
  modcall[authorize]: module "chap" returns noop for request 11
  modcall[authorize]: module "mschap" returns noop for request 11
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module "suffix" returns noop for request 11
  modcall[authorize]: module "files" returns notfound for request 11
radius_xlat:  ''
  modcall[authorize]: module "sql" returns fail for request 11
modcall: group authorize returns fail for request 11
Finished request 11
Going to the next request
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 10 ID 14 with timestamp 46d4260e
Cleaning up request 11 ID 15 with timestamp 46d4260e
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius + ad

2007-08-28 Thread Alan DeKok
Alexsander wrote:
> how can I could know what kind of error  it is?

  What part of the error message is unclear?

> AD account is ok (I'm using that)
> the password works fine when I run ntlm_auth command manually:
> 
> ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
> password:
> (Success)

  Which is completely different than what is output in debugging mode,
isn't it?

  Try taking the "ntlm_auth" command line that FreeRADIUS prints out in
debugging mode, and running it from the CLI.  It won't work.

  The user entered a wrong password.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


hints/acct_users matching of subnets

2007-08-28 Thread Stefan Winter
Hi,

I guess I just need a RTFM reminder here, but I failed to find something at 
first glance:

I would like to set up a rule in 1.1.7 that matches a subnet of 
Client-IP-Addresses. I did

DEFAULT Client-IP-Address == 158.64.14.224/28, Proxy-To-Realm := NULL

in acct_users. I used to think it matches 158.64.14.236 and sets proxying 
accordingly. BTW, the same problem shows up when trying to make a similar 
match in hints.

The line isn't matched in -X though. Anything special to think about when 
trying to match an IP address range?

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html