radsniff bug in 2.0.0-pre2?
Hi all,

I am testing radsniff, and I have the following behaviour: when launching radsniff with the following input, the program crashes (FreeRADIUS v2.0.0-pre2):

    [EMAIL PROTECTED] bin]# ./radsniff -f udp
    Device: [eth0]
    PCAP filter: [udp]
    RADIUS secret: [testing123]
    *** glibc detected *** free(): invalid pointer: 0x08120dbc ***
    Aborted

It seems that radsniff crashes when it tries to decode packets that are not RADIUS ones (DNS requests, for example). If the filter is very restrictive and matches only the RADIUS ports in use, it works fine.

I just have a problem with a RADIUS request used by my RADIUS load balancer to test my servers' status (server version 1.1.3). The request used is a Status-Server request. The content of the request is the following:

    [EMAIL PROTECTED] ~]# tcpdump -X udp and host 10.67.106.3
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    06:36:26.078778 IP 10.67.106.3.57084 > rafale.50812: UDP, length 26
        0x0000:  4500 0036 ff11 d32b 0a43 6a03             E..6...+.Cj.
        0x0010:  0a43 6a02 defc c67c 0022 7932 0c01 001a   .Cj|.y2
        0x0020:  0fc2 4720 8f36 9096 d8b9 f507 de5d 811d   ..G..6...]..
        0x0030:  0406 0aa2 39c3                            9.
    06:36:26.079186 IP rafale.50812 > 10.67.106.3.57084: UDP, length 49
        0x0000:  4500 004d 4000 4011 5215 0a43 6a02        E..M@.@.R..Cj.
        0x0010:  0a43 6a03 c67c defc 0039 e8d5 0201 0031   .Cj..|...9.1
        0x0020:  8605 feab 8157 42de 0bad 532a c113 9148   .WB...S*...H
        0x0030:  121d 4672 6565 5241 4449 5553 2075 7020   ..FreeRADIUS.up.
        0x0040:  3020 6461 7973 2c20 3232 3a34 34          0.days,.22:44

With this issue, to make radsniff work, I have to exclude my load-balancer source IP address from the PCAP filter:

    udp port 1812 or 1813 or 1814 and host not IP_SRC_LB

(my load-balancer performs NAT of the server, so I still see the packets from my clients).

Furthermore, would the community be interested in having the date of the packet (in the same format as in radius.log) and the packet id?
I think the patch would not be much work.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : radsniff bug in 2.0.0-pre2?
> The request used is a Status-Server request. The content of the request is the following:

I have just tested sniffing a Status-Request generated by radclient (v2.0.0-pre2), and radsniff crashes the same way.

Regards,
Geoffroy
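The crash described in this thread is what happens when a decoder trusts the bytes handed to it by a broad pcap filter. The following is an added illustration, not radsniff's code or anything from the FreeRADIUS project: a defensive RADIUS framing check (RFC 2865 header and attribute bounds) applied to the two payloads transcribed from the tcpdump hexdump above (UDP payload only) and to two constructed DNS queries, one of which happens to start with a valid RADIUS code byte. It rejects anything whose Length field or attribute lengths do not fit the bytes actually received, and ignores trailing padding beyond Length as the RFC requires.

```python
"""
Defensive RADIUS packet validation (RFC 2865 framing).

Added illustration for the radsniff thread; not radsniff's or FreeRADIUS's code.
STATUS_SERVER_REQ and ACCESS_ACCEPT_REPLY are the UDP payloads from the tcpdump
hexdump in the post (IP/UDP headers removed).  The two DNS packets are constructed
samples of non-RADIUS traffic that a pcap filter of just "udp" would also deliver.
"""
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response",
                11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}

HEADER_LEN = 20                 # code(1) + id(1) + length(2) + authenticator(16)
MIN_LEN, MAX_LEN = 20, 4096     # RFC 2865 section 3 bounds on the Length field


class NotRadius(ValueError):
    """Raised when a UDP payload cannot be a well-formed RADIUS packet."""


def parse_radius(payload: bytes) -> dict:
    """Validate framing and split the attribute list; raise NotRadius on any inconsistency."""
    if len(payload) < HEADER_LEN:
        raise NotRadius(f"payload too short for a RADIUS header ({len(payload)} bytes)")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if code not in RADIUS_CODES:
        raise NotRadius(f"unknown RADIUS code {code}")
    if not MIN_LEN <= length <= MAX_LEN:
        raise NotRadius(f"Length field {length} outside RFC 2865 bounds")
    if length > len(payload):
        raise NotRadius(f"Length field {length} exceeds the {len(payload)} bytes received")
    attrs = []
    pos = HEADER_LEN
    # Octets beyond Length are padding and must be ignored, so walk only up to Length.
    while pos < length:
        if length - pos < 2:
            raise NotRadius("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:       # alen < 2 would also loop forever
            raise NotRadius(f"attribute {atype} has impossible length {alen}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return {"code": RADIUS_CODES[code], "id": ident, "length": length,
            "authenticator": payload[4:20], "attributes": attrs}


def is_radius(payload: bytes) -> bool:
    try:
        parse_radius(payload)
        return True
    except NotRadius:
        return False


def describe(payload: bytes) -> str:
    """One-line summary, or a 'skipped' note instead of a crash for non-RADIUS input."""
    try:
        pkt = parse_radius(payload)
    except NotRadius as exc:
        return f"skipped (not RADIUS: {exc})"
    parts = []
    for atype, value in pkt["attributes"]:
        if atype == 4 and len(value) == 4:                       # NAS-IP-Address
            parts.append("NAS-IP-Address=" + ".".join(str(b) for b in value))
        elif atype == 18:                                         # Reply-Message
            parts.append("Reply-Message=" + repr(value.decode("ascii", "replace")))
        else:
            parts.append(f"attr{atype}={value.hex()}")
    return f"{pkt['code']} id={pkt['id']} len={pkt['length']} " + " ".join(parts)


STATUS_SERVER_REQ = bytes.fromhex(
    "0c01001a"                               # code 12 (Status-Server), id 1, length 26
    "0fc247208f369096d8b9f507de5d811d"       # Request Authenticator
    "04060aa239c3")                          # NAS-IP-Address (type 4, len 6) = 10.162.57.195
ACCESS_ACCEPT_REPLY = bytes.fromhex(
    "02010031"                               # code 2 (Access-Accept), id 1, length 49
    "8605feab815742de0bad532ac1139148"       # Response Authenticator
    "121d"                                   # Reply-Message (type 18), len 29
    "46726565524144495553207570203020646179732c2032323a3434")  # "FreeRADIUS up 0 days, 22:44"
# Constructed DNS queries for example.com: an ordinary one, and one whose ID bytes 0c01
# look like "Status-Server, id 1" so that the code byte alone would not reject it.
DNS_QUERY = bytes.fromhex("1a2b01000001000000000000" "076578616d706c6503636f6d00" "00010001")
DNS_QUERY_LOOKALIKE = bytes.fromhex("0c0101000001000000000000" "076578616d706c6503636f6d00" "00010001")

if __name__ == "__main__":
    for name, p in [("status-server", STATUS_SERVER_REQ), ("reply", ACCESS_ACCEPT_REPLY),
                    ("dns", DNS_QUERY), ("dns-lookalike", DNS_QUERY_LOOKALIKE)]:
        print(f"{name:14s} {describe(p)}")
```

The second DNS sample is the instructive one: its first bytes decode as a Status-Server header, and only the comparison of the Length field (0x0100 = 256) against the 29 bytes actually captured exposes it as not RADIUS.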
Configure hints in mysql
Hello,

I'm using freeradius 1.1.5, which came bundled with Fedora 7. All users are kept in a MySQL database. I have to configure this so users can log in with their username (i.e. service) and receive the standard set of reply items based on group membership, and with username.local (i.e. service.local) and receive a different set of reply attributes.

I tried this with the hints and users files and it worked exactly as needed. This is an excerpt from the config files:

hints:

    DEFAULT Suffix == .local, Strip-User-Name = Yes
            Hint = LOCAL, Service-Type = Framed-User, Framed-Protocol = PPP

users:

    service Cleartext-Password := password
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Rate-Limit = 256k/256k,
            Fall-Through = Yes

    DEFAULT Hint == LOCAL
            Rate-Limit := 2048k/2048k

Now I'm having trouble moving those settings into the database. Here is some data from the tables:

radcheck:

    +----+----------+-----------+----+----------+
    | id | UserName | Attribute | op | Value    |
    +----+----------+-----------+----+----------+
    |  1 | service  | Password  | := | password |
    +----+----------+-----------+----+----------+

usergroup:

    +----+----------+-----------+
    | id | UserName | GroupName |
    +----+----------+-----------+
    |  1 | service  | wl256     |
    +----+----------+-----------+

radgroupreply:

    +----+-----------+-----------------+----+-------------+
    | id | GroupName | Attribute       | op | Value       |
    +----+-----------+-----------------+----+-------------+
    |  1 | wl256     | Service-Type    | := | Framed-User |
    |  2 | wl256     | Framed-Protocol | := | PPP         |
    |  3 | wl256     | Rate-Limit      | := | 256k        |
    +----+-----------+-----------------+----+-------------+

What to put where to have the same functionality as with the files? I tried different combinations with the attribute Hint and the group DEFAULT in radgroupreply and radreply, but without success.

Thanks in advance,
Danilo Telebakovic
prijedor.com Internet
Re: RADIUS-LDAPv3.schema attribute description(s)
Quoting Turbo Fredriksson [EMAIL PROTECTED]:

> Is there any documentation of the attributes in the LDAP schema? I'm trying to write a GUI manager for RADIUS (actually a 'plugin' to my http://phpQLAdmin.com) but I don't know how to write the lead text to the form...

Cross-referencing with the ldap.attrmap, I managed to make the following patch. But a DESCription like:

    DESC 'replyItem: Reply-Message'

for the LDAP attribute 'radiusReplyMessage' kinda sucks. Maybe there's better documentation for the RADIUS attribute. I'll check...

But that still leaves no mapping for the following RADIUS attributes:

    dialupAccess
    radiusArapFeatures
    radiusArapSecurity
    radiusArapZoneAccess
    radiusClientIPAddress
    radiusGroupName
    radiusHint
    radiusHuntgroupName
    radiusLoginTime
    radiusPasswordRetry
    radiusProfileDn
    radiusPrompt
    radiusProxyToRealm
    radiusRealm
    radiusReplicateToRealm
    radiusStripUserName
    radiusTunnelAssignmentId
    radiusTunnelClientEndpoint
    radiusTunnelMediumType
    radiusTunnelPassword
    radiusTunnelPreference
    radiusTunnelPrivateGroupId
    radiusTunnelServerEndpoint
    radiusTunnelType
    radiusUserCategory
    radiusVSA

At least, they aren't referenced in ldap.attrmap. Oversight, or are these LDAP attributes deprecated (or not implemented)?

One I recognize is 'radiusRealm'. Must be the RADIUS attribute 'Realm', right? Shouldn't that be in ldap.attrmap?

If someone could finish the line(s) above ({reply,check}Item) and the corresponding RADIUS attribute, I'm happy to produce a good patch for this...

--- ./doc/examples/openldap.schema.orig 2007-09-14 09:27:51.0 + +++ ./doc/examples/openldap.schema 2007-09-14 09:51:43.0 + @@ -35,7 +35,7 @@ attributetype ( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusAuthType' - DESC '' + DESC 'checkItem: Auth-Type' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE 
@@ -44,7 +44,7 @@ attributetype ( 1.3.6.1.4.1.3317.4.3.1.4 NAME 'radiusCallbackId' - DESC '' + DESC 'replyItem: Callback-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE @@ -53,7 +53,7 @@ attributetype ( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber' - DESC '' + DESC 'replyItem: Callback-Number' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE @@ -62,7 +62,7 @@ attributetype ( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId' - DESC '' + DESC 'checkItem: Called-Station-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE @@ -71,7 +71,7 @@ attributetype ( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationId' - DESC '' + DESC 'checkItem: Calling-Station-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE @@ -80,7 +80,7 @@ attributetype ( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' - DESC '' + DESC 'replyItem: Class' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) @@ -97,7 +97,7 @@ attributetype ( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' - DESC '' + DESC 'replyItem: Filter-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) @@ -105,7 +105,7 @@ attributetype ( 1.3.6.1.4.1.3317.4.3.1.10 NAME 'radiusFramedAppleTalkLink' - DESC '' + DESC 'replyItem: Framed-AppleTalk-Link' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE @@ -114,7 +114,7 @@ attributetype ( 1.3.6.1.4.1.3317.4.3.1.11 NAME 'radiusFramedAppleTalkNetwork' - DESC '' + DESC 'replyItem: Framed-AppleTalk-Network' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) @@ -122,7 +122,7 @@ attributetype ( 1.3.6.1.4.1.3317.4.3.1.12 NAME 'radiusFramedAppleTalkZone' - DESC '' + DESC 'replyItem: Framed-AppleTalk-Zone' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE 
@@ -131,7 +131,7 @@ attributetype ( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompression' - DESC '' + DESC 'replyItem: Framed-Compression' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) @@ -139,7 +139,7 @@ attributetype ( 1.3.6.1.4.1.3317.4.3.1.14 NAME 'radiusFramedIPAddress' - DESC '' + DESC 'replyItem: Framed-IP-Address' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE @@ -148,7 +148,7 @@ attributetype ( 1.3.6.1.4.1.3317.4.3.1.15 NAME 'radiusFramedIPNetmask' - DESC '' + DESC 'replyItem: Framed-IP-Netmask' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE @@ -157,7 +157,7 @@
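Review bot: every hunk fills DESC with the same pattern, "checkItem:"/"replyItem:" plus the ldap.attrmap side of the mapping (for example `+ DESC 'checkItem: Auth-Type'`), which duplicates information the server already takes from ldap.attrmap and will silently go stale if that file changes. For a GUI lead text, a short description of what the attribute holds and how the server uses it (e.g. "Auth-Type check item; selects the authentication method for this user") carries more information than the attrmap classification, and the attribute name alone is recoverable from NAME without repeating it.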
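Review bot: the patch stops at the hunk header `@@ -157,7 +157,7 @@` with no hunk body following it, so as posted it is truncated and will not apply with patch(1); the hunks from line 157 of doc/examples/openldap.schema onward need to be included (or the trailing header dropped) before the patch can be applied or fully reviewed.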
Re: RADIUS-LDAPv3.schema attribute description(s)
Turbo Fredriksson wrote:
> Quoting Turbo Fredriksson [EMAIL PROTECTED]:
>> Is there any documentation of the attributes in the LDAP schema? I'm trying to write a GUI manager for RADIUS (actually a 'plugin' to my http://phpQLAdmin.com) but I don't know how to write the lead text to the form...
>
> Cross-referencing with the ldap.attrmap, I managed to make the following patch. But a DESCription like:
>
>     DESC 'replyItem: Reply-Message'
>
> for the LDAP attribute 'radiusReplyMessage' kinda sucks. Maybe there's better documentation for the RADIUS attribute. I'll check...
>
> But that still leaves no mapping for the following RADIUS attributes:
>
> dialupAccess

See doc/rlm_ldap

> radiusArapFeatures
> radiusArapSecurity
> radiusArapZoneAccess
> radiusClientIPAddress

Mapped to Client-IP-Address; could be used to only allow access from a specific client IP address for a user.

> radiusGroupName
> radiusHint

Hint attribute

> radiusHuntgroupName

Huntgroups

> radiusLoginTime

The Login-Time attribute used by the corresponding module

> radiusPasswordRetry
> radiusProfileDn

Used for ldap radius regular profiles. See doc/rlm_ldap

> radiusPrompt
> radiusProxyToRealm

Proxy-To-Realm. I think this attribute is deprecated.

> radiusRealm

Realm attribute.

> radiusReplicateToRealm

Replicate-To-Realm. Again, I think this attribute is deprecated.

> radiusStripUserName
> radiusTunnelAssignmentId
> radiusTunnelClientEndpoint
> radiusTunnelMediumType
> radiusTunnelPassword
> radiusTunnelPreference
> radiusTunnelPrivateGroupId
> radiusTunnelServerEndpoint
> radiusTunnelType
> radiusUserCategory
> radiusVSA
>
> At least, they aren't referenced in ldap.attrmap. Oversight, or are these LDAP attributes deprecated (or not implemented)?
>
> One I recognize is 'radiusRealm'. Must be the RADIUS attribute 'Realm', right? Shouldn't that be in ldap.attrmap?
>
> If someone could finish the line(s) above ({reply,check}Item) and the corresponding RADIUS attribute, I'm happy to produce a good patch for this...

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Multiple Huntgroups for one User? 2nd Try
2nd try, just in case my 1st message was not recognized ;-)

Hi Freeradius-List,

is it possible to give/deny access to multiple huntgroups for a single user/group? E.g.: a user/group is denied access to hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 but is allowed to access all the other hosts in 10.0.0.0/24.

Something like host pools would be nice (e.g.: user/group1 can access pool1, pool2 and pool3; user2 can access pools 1+2 but is denied access to pool3).

Thanks in advance,
Alexander
How to configure MNID as a reply-item
Hi,

We need to configure MNID as a string in the Callback-Id attribute for the Access-Accept message. Can you tell me the procedure?

Regards,
Jatin.
Re: Gigawords
On Fri, 2007-09-14 at 00:05 -0300, Guilherme Franco wrote:
> Hello,
>
> I'm using rlm_sql_log in freeradius 1.1.4. In order to correctly work with acct-input/output gigawords, I've replaced '%{Acct-Input-Octets}' with
>
>     '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}'
>
> in the rlm_sql_log conf, but this results in invalid queries like:
>
>     update radacct set... ...acctiputoctets = 0 << 32 | 98...

Is that not because you put an invalid query template in? You need () around the (val << N) bit. You also almost certainly want to do:

    (giga << 32) + words

...rather than using the bitwise | operator.
Re: Multiple Huntgroups for one User? 2nd Try
huntgroups file:

    pool3   NAS-IP-Address == NAS1IPAddress
    pool3   NAS-IP-Address == NAS2IPAddress
    pool3   NAS-IP-Address == NAS3IPAddress

and in the users file:

    DEFAULT Huntgroup-Name == pool3, User-Name == user2, Auth-Type := Reject

Huntgroups *are* what you refer to as host pools.

Ivan Kalik
Kalik Informatika ISP

On 14/9/2007, Alexander Papenburg [EMAIL PROTECTED] wrote:
> 2nd try, just in case my 1st message was not recognized ;-)
>
> Hi Freeradius-List,
>
> is it possible to give/deny access to multiple huntgroups for a single user/group? E.g.: a user/group is denied access to hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 but is allowed to access all the other hosts in 10.0.0.0/24.
>
> Something like host pools would be nice (e.g.: user/group1 can access pool1, pool2 and pool3; user2 can access pools 1+2 but is denied access to pool3).
>
> Thanks in advance,
> Alexander
Re: FreeRADIUS 2.0.0-pre2 has been released
Jakob Hirsch wrote:
> Wow, looks very nice! The unlang will probably allow us to throw away some of our own modules.

That's the idea.

> As I understand the virtual servers, it is possible to have all vservers listen to the same ip/port socket, but have different client configurations. Is that right?

Hmm... hadn't thought of doing it that way. It could be possible.

> And would that be a sensible thing to do in a high traffic environment (many million requests per day)? I'd think that every request would have to be processed by all the vserver instances only to decide that the request has to be discarded by most of them.

No. The idea would be to tie a client to a virtual server. Then, all requests from that client would be sent to one, and only one, virtual server.

And no matter what, a request is handled by *one* virtual server. You seem to be saying that a request will be handled by many in parallel. That will never happen, for the reasons you point out.

Alan DeKok.
Re: Gigawords
Guilherme Franco wrote:
> Hello,
>
> I'm using rlm_sql_log in freeradius 1.1.4. In order to correctly work with acct-input/output gigawords,

Upgrade to 1.1.7.

Alan DeKok.
certificate read permission and user running radius problem
Hi all,

I can't understand why, if I run radiusd as nobody (user and group), it can't access the directory that contains the certificates for EAP. Can someone help me, plz.

Thanks in advance,
Arjuna Scagnetto
Re: certificate read permission and user running radius problem
Arjuna Scagnetto wrote:
> I can't understand why, if I run radiusd as nobody (user and group), it can't access the directory that contains the certificates for EAP.

Check the file permissions.

Alan DeKok.
Re: Terminate TLS and proxy PEAP
Phil Mayers wrote:
> Related; how would you envisage FreeRadius presenting the presence of >1 authentication exchange inside the tunnel? Presumably the same issue exists with the EAP-TNC inside TTLS method.

Code has to be written to support it. Given the virtual server stuff in 2.x, this becomes a *lot* easier.

Alan DeKok.
Re: certificate read permission and user running radius problem
With these permissions it doesn't work (radiusd run as nobody):

    TestCerts/    drw-r-xr-x  nobody nobody
    cert.pem      -rw-r-xr-x  nobody nobody
    cacert.pem    -rw-r-xr-x  nobody nobody

With these permissions it works (radiusd run as nobody):

    TestCerts/    drw-r-xr-x  root root
    cert.pem      -rw-r-xr-x  root root
    cacert.pem    -rw-r-xr-x  root root

I'm really confused!
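The two listings above differ only in ownership, and the mode string `drw-r-xr-x` is the detail worth modelling: POSIX picks exactly one permission triplet per access (owner if the uid matches, else group, else other), a directory needs the search (x) bit to be traversed, and root bypasses the check. The code below is an added illustration, not the poster's setup or FreeRADIUS code: it implements that rule, evaluates both layouts from the post with constructed uids (nobody = 99, root = 0), and can run the same evaluation against a real path with os.stat (POSIX ACLs and SELinux are not modelled).

```python
"""
POSIX permission evaluation for a file under a directory.

Added illustration for the certificate-permission thread; not the poster's
configuration or FreeRADIUS code.  uid/gid values are constructed (nobody = 99,
root = 0); the mode strings are the ones shown in the post.
"""
import os
import stat
from dataclasses import dataclass
from typing import Sequence, Tuple


@dataclass(frozen=True)
class Entry:
    """Owner, group and permission bits of one path component."""
    name: str
    uid: int
    gid: int
    mode: int       # permission bits only, e.g. 0o655


def parse_ls_mode(text: str) -> int:
    """Turn an ls-style string such as 'drw-r-xr-x' into permission bits (0o655).
    setuid/setgid/sticky letters (s, t) are counted as set x bits."""
    perms = text[-9:]
    if len(perms) != 9:
        raise ValueError(f"expected 9 permission characters, got {text!r}")
    bits = 0
    for ch in perms:
        bits = (bits << 1) | (ch != "-")
    return bits


def permitted(entry: Entry, uid: int, gids: Sequence[int], want: int) -> bool:
    """Access check for one component. `want` is a 3-bit mask (4 read, 2 write, 1 exec/search).
    Root bypasses the check; otherwise exactly ONE triplet applies, chosen by identity.
    Matching as owner with weak owner bits is not rescued by stronger group/other bits."""
    if uid == 0:
        return True
    if uid == entry.uid:
        granted = (entry.mode >> 6) & 7
    elif entry.gid in gids:
        granted = (entry.mode >> 3) & 7
    else:
        granted = entry.mode & 7
    return granted & want == want


def can_read_file(path: Sequence[Entry], uid: int, gids: Sequence[int]) -> Tuple[bool, str]:
    """Every directory on the path needs search (x); the final file needs read (r)."""
    *dirs, leaf = path
    for d in dirs:
        if not permitted(d, uid, gids, 1):
            return False, f"no search (x) permission on directory {d.name}"
    if not permitted(leaf, uid, gids, 4):
        return False, f"no read permission on {leaf.name}"
    return True, "ok"


NOBODY, ROOT = 99, 0        # constructed uids/gids for the demonstration


def case_from_post(owner_uid: int, owner_gid: int) -> Tuple[bool, str]:
    """The two layouts from the post: identical modes, different owner, radiusd running as nobody."""
    path = [
        Entry("TestCerts/", owner_uid, owner_gid, parse_ls_mode("drw-r-xr-x")),
        Entry("cert.pem", owner_uid, owner_gid, parse_ls_mode("-rw-r-xr-x")),
    ]
    return can_read_file(path, uid=NOBODY, gids=[NOBODY])


def check_real_path(filename: str, uid: int, gids: Sequence[int]) -> Tuple[bool, str]:
    """Same evaluation against a real path, component by component, using os.stat."""
    components = os.path.abspath(filename).split(os.sep)
    entries = []
    for i in range(1, len(components) + 1):
        p = os.sep.join(components[:i]) or os.sep
        st = os.stat(p)
        entries.append(Entry(p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode) & 0o777))
    return can_read_file(entries, uid, gids)


if __name__ == "__main__":
    print("owned by nobody:nobody ->", case_from_post(NOBODY, NOBODY))
    print("owned by root:root     ->", case_from_post(ROOT, ROOT))
```

With the directory owned by nobody, the owner triplet `rw-` applies to the nobody process and lacks the search bit, so the directory cannot be entered; with root ownership the same process falls through to the `r-x` other triplet and succeeds. Either way the files end up world-readable, which is not what you want for a private key: the usual fix is `0750` (or `0700`) on the directory and `0640`/`0600` on the key, owned by the account radiusd runs as.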
Re: Terminate TLS and proxy PEAP
fuki wrote:
> ... According to the specification, PEAP v0 is used by Vista, so it should be possible to use FreeRadius as a proxy to decrypt the packages, to analyze the health state (has to be implemented) and to proxy the inner EAP-MSCHAP to another radius server?

Yes. But I think some code may be needed.

Alan DeKok.
Re: OpenLDAP + FreeRADIUS Complete Solution [sec=unclassified]
Very helpful, thanks a ton! This will give me something to bang around on for a while and I should be able to get it to do everything we want it to.

Ranner, Frank MR wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kostas Kalevras
> Sent: Friday, 14 September 2007 04:18
> To: FreeRadius users mailing list
> Subject: Re: OpenLDAP + FreeRADIUS Complete Solution
>
> Mitch McCracken wrote:
>> When organizations grow, there are more and more systems that need to be maintained, and each may have different configurations and users which have access to them. Individually editing local config files gets old pretty fast for hundreds of devices, and developing a unified and central user authorization database system that spans across all types of information systems becomes necessary. Enter: OpenLDAP.
>>
>> I think I've developed a solution to maintain Linux hosts which controls POSIX users/groups/sudo access/apache website access/etc. by using a central LDAP database that stores policies of what a user can do on any one of our PCs. The actual configuration got fairly ugly, though (PAM not allowing you to specify more than one LDAP group to allow access to the machine, thus the posixGroup LDAP schema had to be used (since /etc/security/access.conf allows you to specify multiple posix group access) instead of groupOfNames, but groupOfNames is needed for apache's ldap auth module, so both must be used..), but I've only covered access management for our websites and Linux PCs, not all of the various routers, switches, or other RADIUS-aware equipment that exist within the organization.
>
> We use radiusGroupName to assign users to groups. The attribute is stored with the User DN and you can have multiple instances. Apache mod_ldap is compatible with this approach.
>
>> Enter: FreeRADIUS.
>>
>> We do already have a FreeRADIUS configuration that is auto-generated by our internal MySQL-based access policies to control access to our networking equipment, although this is fairly ugly, and it would be much, much nicer if it could use the LDAP database I'm currently developing to control access across all devices instead. To put it gently, I want FreeRADIUS to be configured *entirely* off of LDAP.
>
> [snip]
>
>> users: All users which will have some sort of access to one of the clients. It appears users are able to be pulled from the LDAP directory by providing the correct DN users are located in. For me, users are all located in ou=people,dc=grnoc,dc=iu,dc=edu. My personal entry is something like:
>>
>>     dn: uid=mrmccrac,ou=people,dc=grnoc,dc=iu,dc=edu
>>     objectClass: inetOrgPerson
>>     objectClass: posixAccount
>>     objectClass: radiusprofile
>>     ...
>>     uid: mrmccrac
>>
>> I still need to go back and look at the HOWTO perhaps, although I believe this setup can be used somehow/somewhere with FreeRADIUS to have it pull all of our users (specifically uids) from LDAP instead of a local file. This leads me to the next FreeRADIUS construct..
>>
>> groups (group): this specifies groups of users, which can then later be used to define access levels (in huntgroups?). From what I read this too can be pulled from FreeRADIUS, that is, the groupOfNames object class can be interpreted if you supply the DN which has all of the groups. An example groupOfNames object I currently have is as such:
>>
>>     dn: cn=dev,ou=ldapgroups,dc=grnoc,dc=iu,dc=edu
>>     cn: dev
>>     objectClass: groupOfNames
>>     objectClass: top
>>     member: uid=mrmccrac,ou-people,dc=grnoc,dc=iu,dc=edu
>>
>> Thus I should be able to tell FreeRADIUS to look at dn: ou=ldapgroups,dc=grnoc,dc=iu,dc=edu, and it should know to look at the member attributes to determine which users' DNs are in each group it finds.
>>
>> Now, finally... huntgroups: I believe this is the glue between users/groups and RADIUS clients. I think the level of access can be defined per group (which would be ideal), and then with huntgroups we say which groups may get their specified level of access (enable mode or not..) to which networking devices we specified in the clients. Again, like clients.conf, I don't want to have to edit the huntgroups file any time a change is made, but instead make the change in the LDAP directory and have FreeRADIUS pull all huntgroups from there.
>
> In raddb/hints:
>
>     DEFAULT Hint = `%{ldap:ldap:///ou=hosts,dc=whatever?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}}`
>
>> Is any/all of what I mentioned currently possible based upon my current setup and FreeRADIUS's capabilities? Or, will all changes to clients and huntgroups need to be made locally in a file on the radius server, but I can at least pull available users and
Re: Getting PEAP/MSChap-v2 working with Cisco AP1231G Access points.
Terry Pelley wrote:
> FreeRADIUS Version 1.1.3-r0.1.2

Hmm... it would be best to upgrade to 1.1.7, but that's a separate issue.

> I am fairly new to FreeRADIUS, so I expect what I am doing wrong is going to be obvious to most, but any advice would be welcomed. From what I can see it appears that the User-Password attribute may not be getting processed correctly, as indicated by the following lines.

In 1.1.3, put the following at the TOP of the users file:

    bob User-Password := bob

And then log in via PEAP as that user. It should work. The problem is that the server hasn't been told a known good password for the user, so it can't authenticate them.

> Ottawa-Carleton District School Board

Hmm... lived in that area for 30 years. Cold.

Alan DeKok.
Re: Getting PEAP/MSChap-v2 working with Cisco AP1231G Access points.
Hi,

> I have been using FreeRADIUS for some time now to do simple MAC authentication for the original implementation of our wireless network. This of course was a temporary solution and I am trying to move all of the users over to PEAP Authentication.

okay. you'd be much better off with a recent version of the server/daemon..but still. by the looks of it, almost everything is fine - barring the final check of the user - HOW are you attempting to authorise the users? I ask because the main issue I see from the debug is

    rlm_eap: EAP/mschapv2
    rlm_eap: processing type mschapv2
    Processing the authenticate section of radiusd.conf
    modcall: entering group MS-CHAP for request 8
    rlm_mschap: No User-Password configured. Cannot create LM-Password.
    rlm_mschap: No User-Password configured. Cannot create NT-Password.
    rlm_mschap: Told to do MS-CHAPv2 for C12660 with NT-Password
    rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
    rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    modcall[authenticate]: module mschap returns reject for request 8
    modcall: leaving group MS-CHAP (returns reject) for request 8
    rlm_eap: Freeing handler

this means the inner tunnel part of the PEAP (MSCHAPv2) is failing because it knows not the way of dealing with the password supplied (if any!) so, you can either put a password into a DB or plain file (users) or you can use e.g. ntlm_auth to do a challenge response check

alan
Configuring FreeRADIUS to use ntlm_auth
Hi All:

My name is Charles and I am starting to use FreeRadius. I need to configure my FreeRadius to use ntlm_auth for MS-CHAP to authenticate NT users. I am following the procedures on Deploying Radius and I am having a problem following the procedure "Configuring FreeRADIUS to use ntlm_auth" described at http://deployingradius.com/documents/configuration/active_directory.html.

After I configure the users file with

    user Auth-Type := ntlm_auth

(for testing purposes only), my FreeRadius doesn't start and shows the following errors:

    /usr/local/etc/raddb/users[1]: Parse error (check) for entry user: Unknown value ntlm_auth for attribute Auth-Type
    Errors reading /usr/local/etc/raddb/users
    radiusd.conf[1074]: files: Module instantiation failed.
    radiusd.conf[1859] Unknown module files.
    radiusd.conf[1795] Failed to parse authorize section.

My environment is: FreeBSD 6.2 + Samba 3.0.24 + freeradius 1.1.6

My samba is ok; I did the test that is described in Deploying Radius.

Any idea?

Thanks,
Charles.
not getting authentication in 1.1.0
As you said, I compiled my code in 1.1.0 because for intermediate CA authentication the 1.0.x series won't work, but in 1.1.0, after compilation, the user is not getting authenticated. I am sending the logs. The authentication type is not getting set. Please, can you help: what are the things I should change in 1.1.0?

    radius_xlat: '(cn=default)'
    radius_xlat: 'ou=users,dc=example,dc=com'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=users,dc=example,dc=com, with filter (cn=default)
    rlm_ldap: performing search in cn=default, ou=profiles,dc=example,dc=com, with filter (objectclass=radiusprofile)
    rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 1 op=11
    rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 op=11
    rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value 13 op=11
    rlm_ldap: Adding radiusSessionTimeout as Session-Timeout, value 1800 op=11
    rlm_ldap: Adding radiusClass as Class, value default op=11
    rlm_ldap: Added password default in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: Adding ntPassword as NT-Password, value 7D891AB402CAF2E89CCDD33ED54333AC op=21
    rlm_ldap: Adding lmPassword as LM-Password, value 29D5C31BFF3D8D25AAD3B435B51404EE op=21
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user default authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    *** AGENT Modifications*
    modcall[authorize]: module localhost returns ok for request 1
    modcall: leaving group authorize (returns ok) for request 1
    rad_check_password: Found Auth-Type EAP
    auth: type ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
    rad_check_password() Returns: -1
    auth: Failed to validate the user.
    xmlMessage: User default Failed Authentication
    Login incorrect: [default/no User-Password attribute] (from client rad port 0 cli 00-0F-76-00-87-D6)
    Delaying request 1 for 1 seconds
    Finished request 1
    Going to the next request
Re: Configuring FreeRADIUS to use ntlm_auth
[EMAIL PROTECTED] wrote:
> After I configure the users file with user Auth-Type := ntlm_auth (for testing purposes only), my FreeRadius doesn't start and shows the following errors:
>
>     /usr/local/etc/raddb/users[1]: Parse error (check) for entry user: Unknown value ntlm_auth for attribute Auth-Type

You also have to list ntlm_auth in the authenticate section.

Alan DeKok.
Server Version 2
Hello all,

I'm wondering where to start looking to figure out what would cause a Bus Error when attempting to start the server. I've checked the config files and they appear to all be in the correct places. Thanks for any help you can give.

Kent

Here's the error log:

    g5dp020:~ root# radiusd -Xxxx -A
    Fri Sep 14 07:22:34 2007 : Info: FreeRADIUS Version 2.0.0-pre2, for host powerpc-apple-darwin8.10.0, built on Sep 13 2007 at 15:37:40
    Fri Sep 14 07:22:34 2007 : Info: Copyright (C) 2000-2007 The FreeRADIUS server project.
    Fri Sep 14 07:22:34 2007 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    Fri Sep 14 07:22:34 2007 : Info: PARTICULAR PURPOSE.
    Fri Sep 14 07:22:34 2007 : Info: You may redistribute copies of FreeRADIUS under the terms of the
    Fri Sep 14 07:22:34 2007 : Info: GNU General Public License.
    Fri Sep 14 07:22:34 2007 : Debug: Config: including file: /etc/raddb/radiusd.conf
    Bus error
Re: not getting authentication in 1.1.0
most probably, radius.conf and the users file are no longer compatible. You must rebuild them manually.

The error is probably in the users file:

auth: type ERROR: Unknown value specified for Auth-Type. Cannot perform requested

Also look at eap.conf, tls section.

On 9/14/07, mallika [EMAIL PROTECTED] wrote:
> As you said I compiled my code in 1.1.0 because for intermediate CA authentication the 1.0.x series won't work, but in 1.1.0 after compilation the user is not getting authenticated. I am sending logs. The authentication type is not getting. Please can you help with what things I should change in 1.1.0.
>
> radius_xlat: '(cn=default)'
> radius_xlat: 'ou=users,dc=example,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=users,dc=example,dc=com, with filter (cn=default)
> rlm_ldap: performing search in cn=default, ou=profiles,dc=example,dc=com, with filter (objectclass=radiusprofile)
> rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 1 op=11
> rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 op=11
> rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value 13 op=11
> rlm_ldap: Adding radiusSessionTimeout as Session-Timeout, value 1800 op=11
> rlm_ldap: Adding radiusClass as Class, value default op=11
> rlm_ldap: Added password default in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding ntPassword as NT-Password, value 7D891AB402CAF2E89CCDD33ED54333AC op=21
> rlm_ldap: Adding lmPassword as LM-Password, value 29D5C31BFF3D8D25AAD3B435B51404EE op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user default authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> *** AGENT Modifications*
> modcall[authorize]: module localhost returns ok for request 1
> modcall: leaving group authorize (returns ok) for request 1
> rad_check_password: Found Auth-Type EAP
> auth: type ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
> rad_check_password() Returns: -1
> auth: Failed to validate the user.
> xmlMessage: User default Failed Authentication
> Login incorrect: [default/no User-Password attribute] (from client rad port 0 cli 00-0F-76-00-87-D6)
> Delaying request 1 for 1 seconds
> Finished request 1
> Going to the next request

--
In a sea of glass shards, I hear you screaming
--icchan
Re: Server Version 2
Kent Thomas wrote:
> Hello all, I'm wondering where to start looking to figure out what would cause a Bus Error when attempting to start the Server?

doc/bugs

Alan DeKok.
Re: not getting authentication in 1.1.0
mallika wrote:
> As you said i compiled my code in 1.1.0

Why? You were told to use 1.1.7, not 1.1.0.

> rad_check_password: Found Auth-Type EAP
> auth: type ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.

You didn't configure the server to do EAP. Have you tried reading the documentation, or the posts on this list?

Alan DeKok.
Check for Certificate AND Username
Hi,

I am using freeradius to secure my WLAN. Everything works fine so far. But I'm not much of an expert.

What I have now is a working setup using EAP/TLS and self-created certificates. But how can I achieve the following:

- Client sends certificate and Username/Password (done)
- freeradius checks for valid certificate (done)
- freeradius ADDITIONALLY checks Username/Password with another Radius-Server.

I guess I have to use the proxy settings. But how do I make freeradius check BOTH conditions?

Any help would be appreciated.

Regards,
Wolfgang Burger
Re: Configuring FreeRADIUS to use ntlm_auth
Ok, Alan:

Thanks ... It works ...

Now I am trying to configure my FreeRadius to use ntlm_auth for MS-CHAP to authenticate my NT users, ok? After that I configure the radiusd.conf file with the necessary changes (about ntlm_auth), I am trying to test the authentication with a valid user of my NT Domain (by radtest) and FreeRadius rejects it.

The output of my FreeRadius's console:

[EMAIL PROTECTED] /usr/local/etc/raddb]# radtest copel\charles password localhost 0 testfreeradius
Sending Access-Request of id 123 to 127.0.0.1 port 1812
        User-Name = copelcharles
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=123, length=20

The complete output of Radiusd -X:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:52444, id=67, length=64
        User-Name = copelcharles
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = copelcharles, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 153
  modcall[authorize]: module files returns ok for request 0
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 67 to 127.0.0.1 port 52444
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 67 with timestamp 46ea9900
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:50643, id=123, length=64
        User-Name = copelcharles
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
    rlm_realm: No '@' in User-Name = copelcharles, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 1
    users: Matched entry DEFAULT at line 153
  modcall[authorize]: module files returns ok for request 1
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password: Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  modcall[authenticate]: module unix returns notfound for request 1
modcall: leaving group authenticate (returns notfound) for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 123 to 127.0.0.1 port 50643
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 123 with timestamp 46ea9dec
Nothing to do.  Sleeping until we see a request.

My samba is ok, I get to authenticate this user by the ntlm_auth command line.

Any idea?

Thanks,
Charles.

Alan DeKok [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
14/09/2007 10:32
Please reply to FreeRadius users mailing list
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
cc:
bcc: Charles
Re: Configuring FreeRADIUS to use ntlm_auth
[EMAIL PROTECTED] wrote:
> Now I am trying to Configuring my FreeRadius to use ntlm_auth for MS-CHAP to authenticate my NT users, ok ?

The page does document that.

> After that I configure the radiusd.conf file with the necessary changes (about ntlm_auth), I am trying to test the authenticate with a valid user of my NT Domain (by radtest) and the FreeRadius reject it.

radtest doesn't do MS-CHAP. The page tries to make this clear.

> The output of my FreeRadius´s console:
> ...
> rad_check_password: Found Auth-Type System

You've done rather a lot more than just add ntlm_auth to the authenticate section. This means that the config that previously worked... now doesn't work.

Go back to using the working configuration, and use a client that does MS-CHAP. This usually means trying a real login, without using radtest or radclient.

Alan DeKok.
Re : FreeRADIUS 2.0.0-pre2 has been released
I have a question on virtual servers: can the same instance of a module (rlm_detail for example) be used in 2 different virtual servers?

How are NO_THREAD_SAFE modules managed in this case (rlm_detail for example)?

Thanks
Geoff.
Re: Re : FreeRADIUS 2.0.0-pre2 has been released
Geoffroy Arnoud wrote:
> I have a question on virtual servers: can the same instance of a module (rlm_detail for example) be used in 2 different virtual servers?

Yes.

> How are managed NO_THREAD_SAFE modules in this case (rlm_detail for example)?

Just as in 1.x. The virtual servers affect only configuration, nothing else. In vague pseudocode, 1.x did:

process request (config)

In 2.x, it's:

process request(config(server))

99% of the code is the same. The modules don't know about virtual servers, and haven't changed. Most of the server core hasn't changed. The only thing that changed was the ability to have multiple configurations, and to choose which one to use dynamically per-request.

Alan DeKok.
Sending Cisco AV Pairs per realm
Hi

I have a number of realms on my radius server (FreeRADIUS Version 1.1.6). All users are valid in both realms (one is for dialup, one for broadband). e.g.

[EMAIL PROTECTED]
[EMAIL PROTECTED]

All realms are stripped so that the user (dang in the examples above) is authenticated. However, on dial.realm I need to return a couple of Cisco-Avpair attributes; how can this be done?

I have tried a hints file, however although I get the message on debug:

hints: Matched DEFAULT at 17

the data specified is not sent back in the RADIUS reply.

Any help would be greatly appreciated!

Cheers
Dan
Re: Configuring FreeRADIUS to use ntlm_auth
Radtest doesn't do MSCHAP. Use a different client: http://jradius.org/wiki/index.php/JRadiusSimulator

Ivan Kalik
Kalik Informatika ISP

On 14/9/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Ok, Alan:
>
> Thanks ... It works ...
>
> Now I am trying to Configuring my FreeRadius to use ntlm_auth for MS-CHAP to authenticate my NT users, ok ? After that I configure the radiusd.conf file with the necessary changes (about ntlm_auth), I am trying to test the authenticate with a valid user of my NT Domain (by radtest) and the FreeRadius reject it.
Re: Check for Certificate AND Username
Wolfgang Burger wrote:
> But how can i achieve the following:
> - Client sends certificate and Username/Password (done)
> - freeradius checks for valid certificate (done)
> - freeradius ADDITIONALLY checks Username/Password with another Radius-Server.

That can't really be done with the server today. But why do you want to do that?

Alan DeKok.
Re: Check for Certificate AND Username
Wolfgang Burger wrote:
> Well, there is another Radius-Server (DRAS, running under VMS, controlled by someone else) where all the users are listed. I just thought it would be very nice to check for a username/password, to make sure that no one gives away his certificate in any way.

Then use EAP-TTLS instead of EAP-TLS. You can then proxy the internal username/password information. With EAP-TLS, there is no username or password, so you can't proxy anything.

> And, and this is more important, it is possible that someone is blocked on the other server but still has a valid certificate. By proxying the request, that user would be blocked. Any other idea how to do this?

Revoke the client certificate.

Alan DeKok.
Re: Check for Certificate AND Username
Wolfgang Burger wrote:
> But how can i achieve the following:
> - Client sends certificate and Username/Password (done)
> - freeradius checks for valid certificate (done)
> - freeradius ADDITIONALLY checks Username/Password with another Radius-Server.

Alan DeKok wrote:
> That can't really be done with the server today. But why do you want to do that?

That is most likely the answer that I have expected the least. But, of course, thank you for your reply.

Well, there is another Radius-Server (DRAS, running under VMS, controlled by someone else) where all the users are listed. I just thought it would be very nice to check for a username/password, to make sure that no one gives away his certificate in any way.

And, and this is more important, it is possible that someone is blocked on the other server but still has a valid certificate. By proxying the request, that user would be blocked.

Any other idea how to do this?

Wolfgang Burger
Re: unlang question
Norbert Wegener wrote:
> The point is, it seems to work only if there is an authorize_check_query and a authorize_reply_query in the sql module. So I have to setup an authorize_reply_query with UserName, Attr Name, Attr Value, Op, although I am only interested in the answer to the query above, which might be Cisco, Entrasys or something like that.
> Is there a way to avoid such an authorize_reply_query or even the authorize_check_query?

Code changes in rlm_sql.

Maybe for 2.1, or 3.x, we can re-factor the code into "connect to db", and separately, "do something with that data".

Alan DeKok.
Re: FreeRADIUS 2.0.0-pre2 has been released
Quoting Alan DeKok:
> > As I understand the virtual servers, it is possible to have all vservers listen to the same ip/port socket, but have different client configurations. Is that right?
>
> Hmm... hadn't thought of doing it that way. It could be possible.

Meaning try it and get back to the list when you have the results? :)

> > And would that be a sensible thing to do in a high traffic environment (many million requests per day)? I'd think that every request would have to be processed by all the vserver instances only to decide that the request has to be discarded by most of them.
>
> No. The idea would be to tie a client to a virtual server. Then, all requests from that client would be sent to one, and only one virtual server.

That's what I want. Allow me to elaborate on that:

a global listen section:

listen {
        ipaddr = 10.0.0.1
        type = auth
}

two virtual servers:

server foo {
        client 10.1.0.1 {
                secret = secret1
        }
        autz...
        auth...
}

server bar {
        client 10.2.0.1 {
                secret = secret2
        }
        autz...
        auth...
}

So 10.1.0.1 and 10.2.0.1 will both send their requests to the server's address 10.0.0.1, and freeradius will determine by itself (with little performance penalty) the proper virtual server for the requests?

> And no matter what, a request is handled by *one* virtual server. You seem to be saying that a request will be handled by many in parallel. That will never happen, for the reasons you point out.

Ok, that's what I wanted to read :)

But what happens with requests that could be processed by more than one virtual server? Like, in the example above, if they had both the same client definition (same ip-address, same secret). Random, sequentially selected (e.g. first match wins), config error, doomsday?

(Hm, it's really time to set up a test installation... )
set up freeradius to use /etc/passwd and separate authorization account
Hi,

I would like to set up around 100 user profiles. Each user profile has its own Cisco permit statement to allow the user to access specific hosts. The authentication method will be checked against the /etc/passwd file. Could someone please show me how to accomplish this? How to force users to check against the system /etc/passwd and how to create each separate profile to return to the NAS?

Thanks in advance for your reply. I am currently using FreeRADIUS 1.1.7 on Linux Enterprise.

Regards,
Vinh
Re: Gigawords
Hello Mr. Mayers,

I don't think so, because I've copied the very same syntax that can be found in oraclesql.conf of FR 1.1.7.

Thank you.
Guilherme Franco

On 9/14/07, Phil Mayers [EMAIL PROTECTED] wrote:
> On Fri, 2007-09-14 at 00:05 -0300, Guilherme Franco wrote:
> > Hello,
> >
> > I'm using rlm_sql_log in freeradius 1.1.4. In order to correctly work with acct-input/output gigawords, I've replaced '%{Acct-Input-Octets}' with
> >
> > '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}'
> >
> > in the rlm_sql_log conf, but this results in invalid queries like:
> >
> > update radacct set... ...acctiputoctets = 0 << 32 | 98...
>
> Is that not because you put an invalid query template in? You need () around the (val << N) bit.
>
> You also almost certainly want to do:
>
> (giga << 32) + words
>
> ...rather than using the bitwise | operator
Re: Gigawords
Hi Mr. DeKok,

Ok, I've just asked it because of:

http://wiki.freeradius.org/index.php/FAQ#Why_do_Acct-Input-Octets_and_Acct-Output-Octets_wrap_at_4_GB.3F

(which says that it should work in older versions)

Also, the rlm_sql_log module version is the same in 1.1.7 as in 1.1.4 (v 1.3.2.2 2005/12/12).

Thank you.
Guilherme Franco

On 9/14/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Guilherme Franco wrote:
> > Hello,
> >
> > I'm using rlm_sql_log in freeradius 1.1.4. In order to correctly work with acct-input/output gigawords,
>
> Upgrade to 1.1.7.
>
> Alan DeKok.
Re: Configuring FreeRADIUS to use ntlm_auth
Alan:

> > Now I am trying to Configuring my FreeRadius to use ntlm_auth for MS-CHAP to authenticate my NT users, ok ?
>
> The page does document that.

== I am trying to follow this document.

> > After that I configure the radiusd.conf file with the necessary changes (about ntlm_auth), I am trying to test the authenticate with a valid user of my NT Domain (by radtest) and the FreeRadius reject it.
>
> radtest doesn't do MS-CHAP. The page tries to make this clear.

== Sorry ... but I hadn't understood it (I thought that just radclient doesn't work). Now I know that radtest too ...

> > The output of my FreeRadius´s console:
> > ...
> > rad_check_password: Found Auth-Type System
>
> You've done rather a lot more than just add ntlm_auth to the authenticate section. This means that the config that previously worked... now doesn't work.

== I think this configuration is original (the FreeRadius installation's). Because, in the previous test this configuration was already there. And the previous test works (Configuring FreeRADIUS to use ntlm_auth)!

> Go back to using the working configuration, and use a client that does MS-CHAP. This usually means trying a real login, without using radtest or radclient.

== I tried to use the working configuration with a real login, but the behavior is the same; it shows the message that you mentioned:

rad_check_password: Found Auth-Type System

Can you help me?

Best Regards,
Charles.
Re: Configuring FreeRADIUS to use ntlm_auth
Auth-Type System is coming from the DEFAULT entry towards the end of users file. Comment it out.

Ivan Kalik
Kalik Informatika ISP
Re: Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2
On Thu, Sep 13, 2007 at 07:37:14AM +0200, Alan DeKok wrote:
> Scott Lambert wrote:
> > I've been instrumenting the heck out of anything I thought might be useful. My coding skills are very rusty, but here's what I've come up with.
> >
> > src/lib/packet.c:lrad_packet_cmp() likes the response packet.
> > src/lib/packet.c:lrad_packet_find_by_reply() seems to be failing.
> >
> > OK.. radclient appears to be using 0.0.0.0 as the source IP address. lrad_packet_cmp appears to be seeing the source IP address as 69.153.112.27.
>
> That's pretty much what I expected. radclient doesn't know the IP address, so it sends it from 0.0.0.0. However, the *receiving* code knows the IP, so it gets set.
>
> The code in lrad_packet_find_byreply() SHOULD take care of noticing that the socket was bound to 0.0.0.0, and use that as the source IP address. If it isn't working, it's a bug.
>
> It MAY be fixable in FreeRADIUS, but I don't have access to a FreeBSD box to test it...

If you *want* access to a FreeBSD box, send me an ssh public key, you can have access to this one until we work this out. I could set you up a jail to play with long term if that would be useful.

> I *think* there might be a work-around. Go to lrad_packet_list_socket_add(), and update the following code:
>
> if (*((uint32_t *) &ps->ipaddr.ipaddr.ip4addr.s_addr) == INADDR_ANY) {
>         ps->inaddr_any = 1;
> }

Unfortunately, that didn't change the behavior.

I've added some debug prints to lrad_packet_list_socket_add and changed up the printfs in lrad_packet_list_find_byreply. I don't know that they will help. But, just in case...

In jailed client:

radclient: main: radclient_head->request->src_ipaddr.af = 0
radclient: main: client_ipaddr.ipaddr.ip4addr = 0, client_port = 0
lrad_socket: sa->sin_addr = 0
lrad_packet_list_socket_add: src.ss_family == AF_INET
lrad_packet_list_socket_add: ps->port = 64551
lrad_packet_list_socket_add: ps->inaddr_any = 0
lrad_packet_list_socket_add: ps->ipaddr.af = 2
lrad_packet_list_socket_add: ps->ipaddr.ipaddr.ip4addr = 460364101
lrad_packet_list_socket_add: ps->ipaddr.ipaddr.ip4addr.s_addr = 460364101
lrad_packet_list_socket_add: *((uint32_t *) &ps->ipaddr.ipaddr.ip4addr.s_addr) != INADDR_ANY
Sending Access-Request of id 93 to 216.61.218.2 port 1645
        User-Name = testuser1
        User-Password = testpass
        NAS-IP-Address = 69.153.112.27
        NAS-Port = 1645
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 216.61.218.2 port 1645, id=93, length=336
radclient: recv_one_packet: client_ipaddr.af = 2
radclient: recv_one_packet: client_ipaddr.ipaddr.ip4addr = 0
lrad_packet_list_find_byreply: lrad_socket_find returned 134833152
lrad_packet_list_find_byreply: ps->inaddr_any = 0
lrad_packet_list_find_byreply: ps->ipaddr.ipaddr.ip4addr = 0
lrad_packet_list_find_byreply: reply->dst_ipaddr.ipaddr.ip4addr = 0
lrad_packet_list_find_byreply: reply->src_port = 1645
lrad_packet_list_find_byreply: reply->src_ipaddr.af = 2
lrad_packet_list_find_byreply: reply->src_ipaddr.ipaddr.ip4addr = 47857112
lrad_packet_list_find_byreply: lrad_hash_table_finddata returned 0
radclient: received response to request we did not send. (id=93 socket 3)
lrad_packet_cmp: lrad_ipaddr_cmp = 0
lrad_packet_cmp: lrad_ipaddr_cmp = 0
radclient: no response from server for ID 93 socket 3

On jailed client with Packet-Src-IP-Address = jailed client's IP address:

radclient: main: radclient_head->request->src_ipaddr.af = 2
radclient: main: client_ipaddr.ipaddr.ip4addr = 460364101, client_port = 0
lrad_socket: sa->sin_addr = 460364101
lrad_packet_list_socket_add: src.ss_family == AF_INET
lrad_packet_list_socket_add: ps->port = 58105
lrad_packet_list_socket_add: ps->inaddr_any = 0
lrad_packet_list_socket_add: ps->ipaddr.af = 2
lrad_packet_list_socket_add: ps->ipaddr.ipaddr.ip4addr = 460364101
lrad_packet_list_socket_add: ps->ipaddr.ipaddr.ip4addr.s_addr = 460364101
lrad_packet_list_socket_add: *((uint32_t *) &ps->ipaddr.ipaddr.ip4addr.s_addr) != INADDR_ANY
Sending Access-Request of id 56 to 216.61.218.2 port 1645
        User-Name = testuser1
        User-Password = testpass
        NAS-IP-Address = 69.153.112.27
        NAS-Port = 1645
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 216.61.218.2 port 1645, id=56, length=336
radclient: recv_one_packet: client_ipaddr.af = 2
radclient: recv_one_packet: client_ipaddr.ipaddr.ip4addr = 460364101
lrad_packet_list_find_byreply: lrad_socket_find returned 134833152
lrad_packet_list_find_byreply: ps->inaddr_any = 0
lrad_packet_list_find_byreply: ps->ipaddr.ipaddr.ip4addr = 0
lrad_packet_list_find_byreply: reply->dst_ipaddr.ipaddr.ip4addr = 460364101
lrad_packet_list_find_byreply: reply->src_port = 1645
lrad_packet_list_find_byreply: reply->src_ipaddr.af = 2
lrad_packet_list_find_byreply: reply->src_ipaddr.ipaddr.ip4addr = 47857112
lrad_packet_cmp: lrad_ipaddr_cmp = 0
lrad_packet_list_find_byreply: lrad_hash_table_finddata returned 134570772
lrad_packet_cmp: lrad_ipaddr_cmp = 0
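An added example (Python, not FreeRADIUS code) that models the request/reply matching this thread is debugging: a socket bound to 0.0.0.0 must be flagged as a wildcard for the reply lookup to succeed, and the jail defeats that when the flag is derived from the address the kernel reports. It assumes the reply is delivered to the jail address the kernel reported for the socket, that radclient records each request under the source address it asked bind() for, and it replaces the real packet list with a dictionary keyed the way the thread describes.

```python
import socket

INADDR_ANY = "0.0.0.0"

# Values taken from the jailed radclient run above. The reply's delivery
# address is an assumption: radclient only printed its own copy (0), but the
# packet really leaves from, and comes back to, the jail address.
JAIL_IP = "69.153.112.27"
SERVER_IP, SERVER_PORT = "216.61.218.2", 1645


class PacketList:
    """Simplified stand-in for the lrad_packet_list_t used by radclient.

    Outstanding requests are keyed by (fd, src ip, src port, dst ip, dst
    port, id), so a reply is only found if the lookup rebuilds exactly the
    source address the request was stored under.
    """

    def __init__(self):
        self.sockets = {}
        self.requests = {}

    def socket_add(self, fd, requested_ip, kernel_ip, port, trust_kernel):
        """Mimic lrad_packet_list_socket_add().

        trust_kernel=True : address and wildcard flag come from what
                            getsockname() reported (the behaviour observed
                            in the jail: inaddr_any stays 0).
        trust_kernel=False: they come from what bind() was asked for (what
                            the thread argues the code should do).
        """
        ipaddr = kernel_ip if trust_kernel else requested_ip
        self.sockets[fd] = {"ipaddr": ipaddr, "port": port,
                            "inaddr_any": ipaddr == INADDR_ANY}

    def insert(self, fd, src_ip, src_port, dst_ip, dst_port, pkt_id):
        key = (fd, src_ip, src_port, dst_ip, dst_port, pkt_id)
        self.requests[key] = {"id": pkt_id, "dst": (dst_ip, dst_port)}
        return key

    def find_by_reply(self, fd, reply_src_ip, reply_src_port,
                      reply_dst_ip, pkt_id):
        """Mimic lrad_packet_list_find_byreply(): swap the reply's addresses
        to rebuild the request key. A wildcard socket stored its requests
        with source 0.0.0.0, so that is what must be used, not the address
        the reply happened to be delivered to."""
        ps = self.sockets[fd]
        src_ip = ps["ipaddr"] if ps["inaddr_any"] else reply_dst_ip
        key = (fd, src_ip, ps["port"], reply_src_ip, reply_src_port, pkt_id)
        return self.requests.get(key)


def exchange(requested_ip, kernel_ip, trust_kernel, pkt_id=93):
    """Send one Access-Request from a socket and try to match its reply.
    Returns True when the reply is matched to the stored request."""
    pl = PacketList()
    fd, port = 3, 64551
    pl.socket_add(fd, requested_ip, kernel_ip, port, trust_kernel)
    # radclient records the request under the source it asked bind() for
    pl.insert(fd, requested_ip, port, SERVER_IP, SERVER_PORT, pkt_id)
    # the server answers to the address the packet really left from
    found = pl.find_by_reply(fd, SERVER_IP, SERVER_PORT, kernel_ip, pkt_id)
    return found is not None


def jailed_wildcard_bind(trust_kernel):
    """First capture in the thread: bind to 0.0.0.0 inside the jail, where
    the kernel reports the jail address for the socket."""
    return exchange(INADDR_ANY, JAIL_IP, trust_kernel)


def jailed_pinned_bind(trust_kernel):
    """Second capture: Packet-Src-IP-Address set to the jail address, so
    requested and reported addresses agree and the lookup works either way."""
    return exchange(JAIL_IP, JAIL_IP, trust_kernel)


def probe_bind(requested_ip=INADDR_ANY):
    """Bind a real UDP socket to an ephemeral port and return what this
    kernel reports for it; a plain Linux host gives back 0.0.0.0, while the
    FreeBSD jail in the thread gave back its own address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((requested_ip, 0))
        return s.getsockname()


if __name__ == "__main__":
    print("kernel reports a 0.0.0.0 bind as  :", probe_bind())
    print("jail, 0.0.0.0, flag from kernel   :", jailed_wildcard_bind(True))
    print("jail, 0.0.0.0, flag from request  :", jailed_wildcard_bind(False))
    print("jail, pinned source, flag kernel  :", jailed_pinned_bind(True))
```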
Trouble configuring SQL data store for users
I have started to experiment with using mysql as the datastore for users and clients instead of the default file method for my relatively small installation. Right now my work is on a test system and all is working well, with one exception: a user that is a member of two or more groups. Based on all I have read, this last thing should be very basic. If I put the user in only groupA (in the usergroup table), the test works great. If I put user1 in only groupB, the test works great. When I put user1 in both groupA and groupB in the usergroup table it will only work against the first record of the two; the second record always returns a failure. I am sure this is probably something really stupid, but I just cannot see it. Any help would be appreciated. I have attached table dumps, sample commands, and a debug trace. I hope it is helpful.

Thanks,
--Bill

FreeRadius version 1.0.1
MySQL version 4.1.20

vm # /usr/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password \
     localhost:1645 10 naspass

will succeed, while

vm # /usr/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password \
     localhost:1645 10 naspass

fails, but should succeed.

The following is a test data set to validate a variety of cases that we need to support in our environment.
select * from radcheck into outfile '/tmp/f1';

id  username  attribute  op  value
--  --------  ---------  --  --------
1   bill      Password   ==  userpass
5   guest01   Auth-Type  :=  Local
6   guest01   Password   ==  password

select * from radreply into outfile '/tmp/f4';

id  username  attribute     op  value
--  --------  ------------  --  ------------
7   guest01   Class         :=  OU=Wireless;
8   guest01   Fall-Through  :=  No

select * from radgroupcheck into outfile '/tmp/f2';

id  groupname     attribute  op  value
--  ------------  ---------  --  --------
6   LocalUnix     Auth-Type  ==  System
7   LocalUnix     Realm      ==  Test
9   LdapCiscoAdm  Password   ==  password
10  LdapCiscoAdm  Auth-Type  ==  Local
11  LdapCiscoAdm  Realm      ==  cisi
12  LdapHpReho    Realm      ==  syst
13  LdapHpReho    Auth-Type  ==  Local
14  LdapHpReho    Password   ==  password
15  Rejected      Auth-Type  :=  Reject

select * from radgroupreply into outfile '/tmp/f3';

id  groupname     attribute      op  value                   prio
--  ------------  -------------  --  ----------------------  ----
8   LocalUnix     Service-Type   =   Login                   0
9   LdapCiscoAdm  Cisco-AVPair   =   shell:priv-lvl=15       0
10  LdapCiscoAdm  Class          :=  OU=cis;                 0
11  LdapCiscoAdm  Fall-Through   :=  Yes                     0
12  LdapCiscoAdm  Service-Type   =   6                       0
13  LdapHpReho    Class          :=  OU=Proj;                0
14  LdapHpReho    Fall-Through   :=  Yes                     0
15  Rejected      Fall-Through   :=  No                      0
17  Rejected      Reply-Message  :=  Account is locked out.  0

select * from usergroup into outfile '/tmp/f5';

id  username  groupname
--  --------  ------------
9   root      LocalUnix
10  kparr     LdapCiscoAdm
11  kchow     LdapHpReho
12  jpage     Rejected
13  kparr     LdapHpReho
14  bshaver   LdapCiscoAdm

vm # radiusd -x
Starting - reading configuration files ...
Module: Loaded exec
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect