Radrelay Locking Issues

2007-11-16 Thread Brian De Wolf
Hello, I'm using freeradius 1.1.7 on a RHEL4 (built by pkgsrc, though) amd64 box
as a logger/relay for accounting packets.  Unfortunately, it looks like it's not
relaying all the accounting packets it receives, since lines such as these
appear in its logs:

Fri Nov 16 17:12:31 2007 : Error: rlm_detail: Failed to aquire filelock for
/var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:12:44 2007 : Error: rlm_detail: Failed to aquire filelock for
/var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:12:47 2007 : Error: rlm_detail: Failed to aquire filelock for
/var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:12:56 2007 : Error: rlm_detail: Failed to aquire filelock for
/var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:13:01 2007 : Error: rlm_detail: Failed to aquire filelock for
/var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:13:27 2007 : Error: rlm_detail: Failed to aquire filelock for
/var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:13:45 2007 : Error: rlm_detail: Failed to aquire filelock for
/var/log/radiusd/replicate2.log, giving up
Fri Nov 16 17:15:00 2007 : Error: rlm_detail: Failed to aquire filelock for
/var/log/radiusd/replicate2.log, giving up
Fri Nov 16 17:15:00 2007 : Error: rlm_detail: Failed to aquire filelock for
/var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:15:03 2007 : Error: rlm_detail: Failed to aquire filelock for
/var/log/radiusd/replicate1.log, giving up

Currently I'm trying to replicate the accounting logs to two separate servers
using two separate files and two separate instances of radrelay, but as you can
see, I appear to be losing some packets.  While a majority of the accounting is
passing, I'd much prefer all of it to pass.  It's logged on the box, but other
devices need to use the accounting packets as well.

Are there any obvious fixes to resolve the locking contention that appears
between radrelay and rlm_detail that causes rlm_detail to give up on logging?  I
may have missed something, finding radrelay itself was a journey (it's not in
the wiki or on the site anywhere and the source distribution's doc/radrelay is
pretty old).  /var on the box is an ext3 partition, if that makes any 
difference.

Thanks!
Brian De Wolf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 1.17 compilation errors

2007-11-16 Thread Paul Bartell
ah thanks. seems it hasn't been indexed by google yet. sorry for not
searching the archives.

On Nov 16, 2007 5:33 PM, <[EMAIL PROTECTED]> wrote:
> You had this answered yesterday:
>
> http://www.nabble.com/Any-ideas-on-this-compile-errortf4821396.html
>
> Ivan Kalik
> Kalik Informatika ISP
>



-- 
"If you are savvy and smart about the choices you make in life, The
sky is not the limit!"
Mark Shuttleworth

Random quote of the week/month/whenever i get to updating it: "This is
an incline plane. You roll stuff down it." Or is it one of those
"incline planes have been used throughout the millenia, from the
Egyptian pyramids to this stupid science class" videos?"
- Jasmine Lee


Re: 1.17 compilation errors

2007-11-16 Thread tnt
You had this answered yesterday:

http://www.nabble.com/Any-ideas-on-this-compile-errortf4821396.html

Ivan Kalik
Kalik Informatika ISP



RE: Mikrotik and PPPoE queue priorities

2007-11-16 Thread tnt
That's not standard radius but VSA territory.

You can dynamically assign filtering (firewall) type ACL on Mikrotik but
not rate-limiting (shaping) ones. Queue definition will accept multiple
source addresses (sort of an IP address list - it will take more than
one, but how many ...).

Ivan Kalik
Kalik Informatika ISP


On 16/11/2007, "Matthew Neumark" <[EMAIL PROTECTED]> wrote:

>Ivan,
>
>I wish that was an option, but the problem is all my customers already have
>ip addresses assigned to them. The ip addresses aren't done by the packet
>they order it was done based upon when they signed up. Is there a way to do
>a dynamic priority based on per user basis? Like a group setting or address
>list group?
>
>Thank You,
>Matt
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of
>[EMAIL PROTECTED]
>Sent: Friday, November 16, 2007 3:26 PM
>To: freeradius-users@lists.freeradius.org
>Subject: Re: Mikrotik and PPPoE queue prioirties
>
>Assign that priority to a queue for [an IP address | a subnet]. Assign
>the user [that static IP address | to the pool with addresses from that
>subnet].
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>On 16/11/2007, "Matthew Neumark" <[EMAIL PROTECTED]> wrote:
>
>>Hello,
>>
>>
>>
>>I use PPPoE connections through freeradius and mikrotik. What I would like
>>to do is setup the customer's dynamic queue that is setup through the
>>radgroupreply table setup so that when the customers log in I can also
>>assign that queue to a priority based upon the group the customer is put
>in.
>>Is this possible and how?
>>
>>
>>
>>Matt
>>
>>
>>
>


1.17 compilation errors

2007-11-16 Thread Paul Bartell
Hello.
when trying to compile freeradius under ubuntu 7.10, i get the following error:

 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall
-D_GNU_SOURCE -DNDEBUG
-I/home/paulb/build/freeradius-1.1.7/src/include
-I/home/paulb/build/freeradius-1.1.7/src/modules/rlm_sql -c
rlm_sqlippool.c  -fPIC -DPIC -o .libs/rlm_sqlippool.o
In file included from rlm_sqlippool.c:37:
/home/paulb/build/freeradius-1.1.7/src/include/modpriv.h:7:18: error:
ltdl.h: No such file or directory
In file included from rlm_sqlippool.c:37:
/home/paulb/build/freeradius-1.1.7/src/include/modpriv.h:16: error:
expected specifier-qualifier-list before 'lt_dlhandle'
In file included from rlm_sqlippool.c:39:
/home/paulb/build/freeradius-1.1.7/src/modules/rlm_sql/rlm_sql.h:15:18:
error: ltdl.h: No such file or directory
In file included from rlm_sqlippool.c:39:
/home/paulb/build/freeradius-1.1.7/src/modules/rlm_sql/rlm_sql.h:68:
error: expected specifier-qualifier-list before 'lt_dlhandle'
rlm_sqlippool.c: In function 'sqlippool_command':
rlm_sqlippool.c:311: error: 'SQL_INST' has no member named 'module'
rlm_sqlippool.c: In function 'sqlippool_query1':
rlm_sqlippool.c:358: error: 'SQL_INST' has no member named 'module'
rlm_sqlippool.c: In function 'sqlippool_postauth':
rlm_sqlippool.c:539: warning: pointer targets in passing argument 2 of
'strNcpy' differ in signedness
rlm_sqlippool.c:526: warning: unused variable 'self'
make[6]: *** [rlm_sqlippool.lo] Error 1
make[6]: Leaving directory
`/home/paulb/build/freeradius-1.1.7/src/modules/rlm_sqlippool'
make[5]: *** [common] Error 2
make[5]: Leaving directory `/home/paulb/build/freeradius-1.1.7/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/home/paulb/build/freeradius-1.1.7/src/modules'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/home/paulb/build/freeradius-1.1.7/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/paulb/build/freeradius-1.1.7/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/home/paulb/build/freeradius-1.1.7'
make: *** [all] Error 2


I simply have no idea what it is referring to, and what i can do to
fix it. Sorry if it seems a bit noobtistic, i haven't ever compiled
something this complex.

Thanks,

Paul
-- 
"If you are savvy and smart about the choices you make in life, The
sky is not the limit!"
Mark Shuttleworth

Random quote of the week/month/whenever i get to updating it: "This is
an incline plane. You roll stuff down it." Or is it one of those
"incline planes have been used throughout the millenia, from the
Egyptian pyramids to this stupid science class" videos?"
- Jasmine Lee


RE: Mikrotik and PPPoE queue priorities

2007-11-16 Thread Matthew Neumark
Ivan,

I wish that was an option, but the problem is all my customers already have
ip addresses assigned to them. The ip addresses aren't done by the packet
they order it was done based upon when they signed up. Is there a way to do
a dynamic priority based on per user basis? Like a group setting or address
list group?

Thank You,
Matt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, November 16, 2007 3:26 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Mikrotik and PPPoE queue prioirties

Assign that priority to a queue for [an IP address | a subnet]. Assign
the user [that static IP address | to the pool with addresses from that
subnet].

Ivan Kalik
Kalik Informatika ISP


On 16/11/2007, "Matthew Neumark" <[EMAIL PROTECTED]> wrote:

>Hello,
>
>
>
>I use PPPoE connections through freeradius and mikrotik. What I would like
>to do is setup the customer's dynamic queue that is setup through the
>radgroupreply table setup so that when the customers log in I can also
>assign that queue to a priority based upon the group the customer is put in.
>Is this possible and how?
>
>
>
>Matt
>
>
>



Re: Mikrotik and PPPoE queue priorities

2007-11-16 Thread tnt
Assign that priority to a queue for [an IP address | a subnet]. Assign
the user [that static IP address | to the pool with addresses from that
subnet].

Ivan Kalik
Kalik Informatika ISP


On 16/11/2007, "Matthew Neumark" <[EMAIL PROTECTED]> wrote:

>Hello,
>
>
>
>I use PPPoE connections through freeradius and mikrotik. What I would like
>to do is setup the customer's dynamic queue that is setup through the
>radgroupreply table setup so that when the customers log in I can also
>assign that queue to a priority based upon the group the customer is put in.
>Is this possible and how?
>
>
>
>Matt
>
>
>



Mikrotik and PPPoE queue priorities

2007-11-16 Thread Matthew Neumark
Hello,

 

I use PPPoE connections through freeradius and mikrotik. What I would like
to do is setup the customer's dynamic queue that is setup through the
radgroupreply table setup so that when the customers log in I can also
assign that queue to a priority based upon the group the customer is put in.
Is this possible and how?

 

Matt


DH and random

2007-11-16 Thread stefek143
Hi.

When I configured my freeradius I saw 2 methods to create the files DH and
random:

first: 
DH:
openssl dhparam -check -text -5 512 -out dh
Random:
dd if=/dev/urandom of=random count=2

second:
DH:
date >/etc/1x/DH
Random
date > /etc/1x/random

And I'm wondering what is different in theory and practice? My freeradius is
working, but I want to understand what I need these two files for and whether
it matters if I use the second method instead of the first.

THX for answers
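
Added example (not part of the original post, and not FreeRADIUS code): a Python check that tells the two methods above apart by inspecting the files they produce. It parses the PEM/DER structure that `openssl dhparam` writes and applies a size and byte-entropy sanity check to the random file; the 2048-bit floor, the 32-byte minimum, the entropy cutoff and all function names are assumptions of this example, and the sample inputs are constructed.

```python
import base64
import math
import re
from collections import Counter

MIN_DH_BITS = 2048      # assumed policy floor for this example
MIN_RANDOM_BYTES = 32   # assumed minimum seed size for this example
MIN_ENTROPY = 7.0       # assumed cutoff in bits per byte (maximum is 8.0)

# search() rather than match(): with -text, openssl puts a dump before the PEM
PEM_RE = re.compile(
    rb"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = length size
        size = length & 0x7F
        if size == 0 or pos + size > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(data):
    """Return (modulus, generator) from a PEM DH parameter file."""
    match = PEM_RE.search(data)
    if not match:
        raise ValueError("no PEM DH PARAMETERS block")
    # binascii.Error from bad base64 is a ValueError subclass
    der_bytes = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    tag, seq, _ = read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag_p, p, pos = read_tlv(seq, 0)
    tag_g, g, _ = read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER modulus and generator")
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")


def check_dh(data):
    """Classify a DH file as invalid, weak or ok by structure and size."""
    try:
        modulus, _ = parse_dh_params(data)
    except ValueError as exc:
        return "invalid: %s" % exc
    bits = modulus.bit_length()
    verdict = "ok" if bits >= MIN_DH_BITS else "weak"
    return "%s: %d-bit modulus" % (verdict, bits)


def check_random(data):
    """Sanity check only: passing does not prove the bytes are unpredictable."""
    total = len(data)
    if total < MIN_RANDOM_BYTES:
        return "suspect: only %d bytes" % total
    entropy = sum(n / total * math.log2(total / n)
                  for n in Counter(data).values())
    verdict = "plausible" if entropy >= MIN_ENTROPY else "suspect"
    return "%s: %d bytes, %.2f bits/byte" % (verdict, total, entropy)


def der(tag, body):
    """DER-encode one element (used only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body


def make_dh_pem(modulus, generator=2):
    """Build a constructed sample file; the modulus is NOT a vetted prime."""
    ints = b"".join(der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
                    for v in (modulus, generator))
    return (b"-----BEGIN DH PARAMETERS-----\n"
            + base64.encodebytes(der(0x30, ints))
            + b"-----END DH PARAMETERS-----\n")


DATE_OUTPUT = b"Fri Nov 16 17:12:31 CET 2007\n"   # constructed `date` output

if __name__ == "__main__":
    print("date > DH      ->", check_dh(DATE_OUTPUT))
    print("512-bit params ->", check_dh(make_dh_pem((1 << 511) | 1)))
    print("date > random  ->", check_random(DATE_OUTPUT))
```

A file written by `date` fails both checks: it contains no DH parameter block at all, and as a seed it is a few bytes of text that anyone who knows roughly when it was created can reproduce.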

Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an accessOK.

2007-11-16 Thread OLIVER Patrice
Hello,

I did inspect event viewer log --> nothing bad for me.
About the root certificate, I used the .der file. Is there a problem with .der 
files ?

Kind regards,


Patrice OLIVER
Ville Hôpital Project Manager
Head of Networks & Security

HOSPICES CIVILS DE BEAUNE
Service Informatique
BP 104
21203 BEAUNE CEDEX

Tél. 33 3 80 24 44 09
Fax  33 3 80 24 45 90



-Original Message-
From: <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Date: Fri, 16 Nov 2007 13:31:42 +0100
Subject: Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an accessOK.

> Sort of. "Official" CA is already in the store. You just have to add
> yours in there. Windows doesn't get on with .pem very well so import
> p12 version. Is your root certificate listed in Trusted Root CA store?
> Also your client cert should be in Personal.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 16/11/2007, "Patrice Oliver" <[EMAIL PROTECTED]> wrote:
> 
> >I self-generated my certificates, and created my own AC, not dependent 
> >of an official AC. Do you think it can be the origin of my problem ?
> >
> >Best regards.
> >
> >
> >
> >[EMAIL PROTECTED] wrote:
> >> Problem is not with the server but with Windows XP. Have you imported the
> >> correct certificate? Is it in the correct store? What's Windows XP
> >> complaining about in Event Viewer?
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >>
> >> On 16/11/2007, "Patrice Oliver" <[EMAIL PROTECTED]> wrote:
> >>
> >>   
> >>> Alan DeKok wrote:
> >>> 
>  Patrice Oliver wrote:
>  
>    
>    
> >>   Ok.  Did you install the CA (or root) cert on the Windows machine?
> >>   
> >>   
> >>   
> > Yes, and the client certificate too.
> > 
> > 
>    Then there isn't much else that can go wrong.
> 
>    
>    
> >>   Because the TLS method has not finished.  The Windows machine 
> >> received
> >> the server certificate, and decided it did not want to continue 
> >> EAP-TLS.
> >>   
> >>   
> >>   
> > How do I work around this ?
> > 
> > 
>    Convince the Windows machine to accept the server certificate.
> 
>    eap.conf has pointers to Windows knowledge base articles.  Maybe those
>  will help.
> 
>    Alan DeKok.
>    
>    
> >>> If you refer to xpextensions, I used it to create the certificates.
> >>> May I send you my eap.conf file ? Reading it should determine a mistake ..
> >>>
> >>> Patrice
> >>>
> >
> >

Re: DEFAULT entry in users file (1.0.5-->1.1.7)

2007-11-16 Thread tnt
>
>So how do I direct the server to use LDAP without setting Auth-Type?
>Or is radtest somehow the wrong test tool in the new scenario??
>

Uncomment ldap in authorize and authenticate sections of radiusd.conf.

Ivan Kalik
Kalik Informatika ISP



Re: variables in 1.1.7

2007-11-16 Thread Alan DeKok
Norbert Wegener wrote:
...
> rlm_ldap: Adding mobile as Huntgroup-Name == "VL-SBS-AD02-0001"

  You can't add the Huntgroup-Name attribute.  It's like "Group", which
means Unix group, and do lookups in a unix group.  Huntgroup-Name means
do lookups in a huntgroup.

  Create and use another attribute for this.
> sql.conf:
>authorize_check_query = "call firstif
> ('0','%{SQL-User-Name}','%{Huntgroup-Name}',  '%{NAS-IP-Address}','=','2')"
> 
> I would have expected the %{Huntgroup-Name} to be "VL-SBS-AD02-0001",
> but this is not true.
> 
> Is the desired assignment possible at all in 1.1.7 ?

  Yes.

sql.conf becomes:
... %{My-Other-Attribute:-%{Huntgroup-Name}}

  Alan DeKok.


Re: Freeradius doesn't work with ldap

2007-11-16 Thread Alan DeKok
Eduardo Lima wrote:
> So I'll have to unencrypt all the ldap passwords to use mschapv2???

  Yes.  See the web page for your options.

> What about the ldap database security??

  The LDAP database has to be kept secure.

  Please go read the web page again.

  If you want to use MS-CHAP, your options are limited for how to store
passwords.  If you don't like those options, then don't use MS-CHAP.

  If you want to store passwords via a different method than is
permitted in the table, AND you want to use MS-CHAP, then you need to
change your requirements to match reality.

  Alan DeKok.


DEFAULT entry in users file (1.0.5-->1.1.7)

2007-11-16 Thread Martin Pauly
Hi everybody,

sorry to ask, but I don't get it.
I'm still trying to upgrade from 1.0.5 to 1.1.7.
Previously, my users file looked like this:

[some static entries for special users]
[some entries with Auth-Type=Reject for special conditions]

DEFAULT Auth-Type = LDAP, Called-Station-Id == "our-dialup-number"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        [more reply-items for dialup users]

# All other requests: simply match against LDAP
# Replace 'outer' attribute User-Name with value from variable
# ==> This yields the true username from inside the tunnel in case of
# anonymous outer identification with 802.1x
DEFAULT Auth-Type = LDAP
        User-Name = `%{User-Name}`,
        Reply-Message = "Matched DEFAULT user entry in staff-RADIUS"


So all my normal users' passwords are checked against LDAP, 
using LDAP bind-as-user. There's a properly configured LDAP section in 
radiusd.conf, of course. 

With 1.1.7 (and perhaps with any version >=1.1.4), Auth-Type = LDAP
seems to be gone, but what on earth do I put there instead?
The static entries (with cleartext-password for 1.1.7) work fine.

With a users file like

DEFAULT
        User-Name = `%{User-Name}`

the server complains loudly about the missing Auth-Type when asking with
radtest:

rad_recv: Access-Request packet from host 127.0.0.1:41995, id=59, length=58
User-Name = "martin"
User-Password = "testpass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "pauly0", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "pauly0"
rlm_realm: Proxying request from user pauly0 to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 69
radius_xlat:  'pauly0'
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.

So how do I direct the server to use LDAP without setting Auth-Type?
Or is radtest somehow the wrong test tool in the new scenario??

Thanks, Martin

-- 
  Dr. Martin Pauly Fax:49-6421-28-26994
  HRZ Univ. MarburgPhone:  49-6421-28-23527
  Hans-Meerwein-Str.   E-Mail: [EMAIL PROTECTED]  
  D-35032 Marburg   


Re: Freeradius doesn't work with ldap

2007-11-16 Thread Eduardo Lima
So I'll have to unencrypt all the ldap passwords to use mschapv2???

What about the ldap database security??



[EMAIL PROTECTED] wrote:
>
>Ldap authentication works with radping (wired connection) but on the wireless,
>it keeps failing.
>
>I don't understand this:
>
>"  Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 6
> rlm_mschap: No User-Password configured.  Cannot create LM-Password.
> rlm_mschap: No User-Password configured.  Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for ducavalcanti with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect "
>
>
>MS-CHAPv2 doesn't work with openLDAP???
>

It does. But it doesn't work with encrypted passwords. Ntradping sends a
pap request and that protocol can use encrypted passwords.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP


variables in 1.1.7

2007-11-16 Thread Norbert Wegener
With version 1.1.7 I want to achieve the following, which is probably 
easy in 2.0:

In the authorize section I have an ldap module and an sql module sp1.

group {
ldap1
sp1
}

I want to get an attribute from AD and use the value of that attribute 
in a later call to a database


radiusd -AX shows:


rlm_ldap: looking for check items in directory...
rlm_ldap: Adding mobile as Huntgroup-Name == "VL-SBS-AD02-0001"
rlm_ldap: looking for reply items in directory...
rlm_ldap: user host/28tef003.ww006.company.net authorized to use remote 
access

rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap1" returns ok for request 1
radius_xlat:  'host/28tef003.ww006.company.net'
rlm_sql (sp1): sql_set_user escaped user --> 
'host/28tef003.ww006.company.net'
radius_xlat:  'call firstif ('0','host/28tef003.ww006.company.net','',  
'1.2.3.4','=','2')'



Retrieving an attribute from AD  obviously works.

In sql.conf I have changed authorize_check_query to use a stored procedure:


sql.conf:
   authorize_check_query = "call firstif 
('0','%{SQL-User-Name}','%{Huntgroup-Name}',  '%{NAS-IP-Address}','=','2')"



I would have expected the %{Huntgroup-Name} to be "VL-SBS-AD02-0001", 
but this is not true.


Is the desired assignment possible at all in 1.1.7 ?

Norbert Wegener






Re: please help not allow the many connections from single user

2007-11-16 Thread tnt
>
>how can we prevent it?
>

Restrict the user to a single session. Have a look at the (check)
attribute Simultaneous-Use. If you are using sql accounting you will
need to make slight adjustments to radiusd.conf and sql.conf. Read
instructions in them.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius doesn't work with ldap

2007-11-16 Thread tnt
>
>Ldap authentication works with radping (wired connection) but on the wireless,
>it keeps failing.
>
>I don't understand this:
>
>"  Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 6
> rlm_mschap: No User-Password configured.  Cannot create LM-Password.
> rlm_mschap: No User-Password configured.  Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for ducavalcanti with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect "
>
>
>MS-CHAPv2 doesn't work with openLDAP???
>

It does. But it doesn't work with encrypted passwords. Ntradping sends a
pap request and that protocol can use encrypted passwords.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP



Re: please help not allow the many connections from single user

2007-11-16 Thread Alan DeKok
ann kok wrote:
> We have a big problem with many connections from
> single user in DSL clients
>
> A single user can authenticate on the different LNS
> server to use the internet connection.
> 
> how can we prevent it?

  doc/Simultaneous-Use

  Alan DeKok.


please help not allow the many connections from single user

2007-11-16 Thread ann kok
Hi

We have a big problem with many connections from
single user in DSL clients

A single user can authenticate on the different LNS
server to use the internet connection.

how can we prevent it?

As our users are using the dynamic ip, the ip address
is assigned by the LNS not the radius

in this case, the ip pool can't be defined in the
radius setting. Right?

Can you help to give us detail info?

thank you so much




  



Re: Freeradius doesn't work with ldap

2007-11-16 Thread Eduardo Lima
Thanks Alan.

I'll update to 1.1.7 but I don't think it will solve the problem.

Ldap authentication works with radping (wired connection) but on the wireless,
it keeps failing.

I don't understand this:

"  Processing the authenticate section of radiusd.conf
 modcall: entering group MS-CHAP for request 6
 rlm_mschap: No User-Password configured.  Cannot create LM-Password.
 rlm_mschap: No User-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for ducavalcanti with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect "


MS-CHAPv2 doesn't work with openLDAP???

Please help.

Alan DeKok <[EMAIL PROTECTED]> wrote:
Eduardo Lima wrote:
> Hi, I've been using Freeradius 1.1.3 

  Please upgrade to 1.1.7...

> with PEAP/MSCHAPv2 authentication
> with no problem. But now, I need to use it with LDAP too and it doesn't
> work at all.
> 
> The client is windows xp without a domain. The LDAP is for the email
> directory.
> 
> The user should type your user name (email) and password stored in LDAP.

  Can you retrieve the password from LDAP?  If so, it should be easy to
make it work.

> Probably, the error is in:
> 
>  Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 6
>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for ducavalcanti with NT-Password
>   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

  Yes.

...
> [/etc/raddb/users]:10 WARNING! Check item "Simultaneous-Use" found in
> reply item list for user "cidadao". This attribute MUST go on the first
> line with the other check items

  You also want to fix this.  See "man users".

...
>   Processing the authorize section of radiusd.conf
...
> modcall: leaving group authorize (returns updated) for request 0

  And there are NO references to the LDAP module.

  i.e. you have not configured the server to read "known good" passwords
from LDAP.  See radiusd.conf for how to do this.

  Alan DeKok.

Re: Any ideas on this compile error ??

2007-11-16 Thread Alan DeKok
Willem Gerber wrote:
> I can't get radius to compile :/
...
> /home/willem/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h:
> No such file or directory

  That file is included with FreeRADIUS.  The build works if you use the
recommended method of:

$ ./configure
$ make
$ make install

  If you're using another method, perhaps it would have been good to say
so.  Any other method you're using is platform-specific, and thus has
little to do with FreeRADIUS.

  Alan DeKok.


Re: Any ideas on this compile error ??

2007-11-16 Thread Norbert Wegener

maybe it would help to install libltdl3-dev or something like that?

Norbert Wegener



Willem Gerber wrote:

Hey Guys

I can't get radius to compile :/

Linux vaughan 2.6.20-1.2307.fc5 #1 Sun Mar 18 20:44:48 EDT 2007 i686
i686 i386 GNU/Linux


/home/willem/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h:
No such file or directory
In file included from rlm_sqlippool.c:37:
/home/willem/freeradius-1.1.7/src/include/modpriv.h:16: error: expected
specifier-qualifier-list before 'lt_dlhandle'
In file included from rlm_sqlippool.c:39:
/home/willem/freeradius-1.1.7/src/modules/rlm_sql/rlm_sql.h:15:18:
error: ltdl.h: No such file or directory
In file included from rlm_sqlippool.c:39:
/home/willem/freeradius-1.1.7/src/modules/rlm_sql/rlm_sql.h:68: error:
expected specifier-qualifier-list before 'lt_dlhandle'
rlm_sqlippool.c: In function 'sqlippool_command':
rlm_sqlippool.c:311: error: 'SQL_INST' has no member named 'module'
rlm_sqlippool.c: In function 'sqlippool_query1':
rlm_sqlippool.c:358: error: 'SQL_INST' has no member named 'module'
rlm_sqlippool.c: In function 'sqlippool_postauth':
rlm_sqlippool.c:539: warning: pointer targets in passing argument 2 of
'strNcpy' differ in signedness
rlm_sqlippool.c:526: warning: unused variable 'self'
gmake[6]: *** [rlm_sqlippool.lo] Error 1
gmake[6]: Leaving directory
`/home/willem/freeradius-1.1.7/src/modules/rlm_sqlippool'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/home/willem/freeradius-1.1.7/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/home/willem/freeradius-1.1.7/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/home/willem/freeradius-1.1.7/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/home/willem/freeradius-1.1.7/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/home/willem/freeradius-1.1.7'
make: *** [all] Error 2

  


Any ideas on this compile error ??

2007-11-16 Thread Willem Gerber

Hey Guys

I can't get radius to compile :/

Linux vaughan 2.6.20-1.2307.fc5 #1 Sun Mar 18 20:44:48 EDT 2007 i686
i686 i386 GNU/Linux


/home/willem/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h:
No such file or directory
In file included from rlm_sqlippool.c:37:
/home/willem/freeradius-1.1.7/src/include/modpriv.h:16: error: expected
specifier-qualifier-list before 'lt_dlhandle'
In file included from rlm_sqlippool.c:39:
/home/willem/freeradius-1.1.7/src/modules/rlm_sql/rlm_sql.h:15:18:
error: ltdl.h: No such file or directory
In file included from rlm_sqlippool.c:39:
/home/willem/freeradius-1.1.7/src/modules/rlm_sql/rlm_sql.h:68: error:
expected specifier-qualifier-list before 'lt_dlhandle'
rlm_sqlippool.c: In function 'sqlippool_command':
rlm_sqlippool.c:311: error: 'SQL_INST' has no member named 'module'
rlm_sqlippool.c: In function 'sqlippool_query1':
rlm_sqlippool.c:358: error: 'SQL_INST' has no member named 'module'
rlm_sqlippool.c: In function 'sqlippool_postauth':
rlm_sqlippool.c:539: warning: pointer targets in passing argument 2 of
'strNcpy' differ in signedness
rlm_sqlippool.c:526: warning: unused variable 'self'
gmake[6]: *** [rlm_sqlippool.lo] Error 1
gmake[6]: Leaving directory
`/home/willem/freeradius-1.1.7/src/modules/rlm_sqlippool'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/home/willem/freeradius-1.1.7/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/home/willem/freeradius-1.1.7/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/home/willem/freeradius-1.1.7/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/home/willem/freeradius-1.1.7/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/home/willem/freeradius-1.1.7'
make: *** [all] Error 2

-- 
"The casing said 'Windows XP or better'... so I installed Linux"
-- Anonymous


Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver

Alan DeKok wrote:
> Patrice Oliver wrote:
>> If you refer to xpextensions, I used it to create the certificates.
>> May I send you my eap.conf file ? Reading it should determine a mistake ...
>
>   No.
>
>   It is not a problem with configuring FreeRADIUS.
>
>   And please fix your mailer so it doesn't add "SPAM" to every subject line.
>
>   Alan DeKok.


Sorry for the Spam tag.
I did set up SpamAssassin to tag all mails which are not written in 
French. In my society, we receive essentially French mails. I just 
deactivated this setup. Hope this helps.


Best regards.
:)

--
*Hospices Civils de Beaune*
*Patrice OLIVER*
/Ville Hôpital Project Manager/
/Head of Network & Security/
BP 104
21203 BEAUNE Cedex  Tel. 03 80 24 44 09
Fax. 03 80 24 45 90


This message, including any attachments, is intended exclusively for 
its addressee(s) and is confidential. Any use not in keeping with its 
purpose, and any distribution or publication, in whole or in part, is 
prohibited without the express authorisation of the sender. If you are 
not the intended recipient of this message, please notify the sender of 
the misdelivery and then destroy it.
Any electronic message is liable to be altered and its integrity 
cannot be guaranteed. The sender declines all responsibility should it 
have been modified or falsified.

Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread tnt
And have a look at the Event Viewer. Is anything recorded when
conversation stops?

Ivan Kalik
Kalik Informatika ISP


On 16/11/2007, "Patrice Oliver" <[EMAIL PROTECTED]> wrote:

>[EMAIL PROTECTED] wrote:
>> Sort of. "Official" CA is already in the store. You just have to add
>> yours in there. Windows doesn't get on with .pem very well so import
>> p12 version. Is your root certificate listed in Trusted Root CA store?
>> Also your client cert should be in Personal.
>>
>>   
>Yes for trusted root ca store.
>I will try with .p12 file.
>



Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Alan DeKok
Patrice Oliver wrote:
> If you refer to xpextensions, I used it to create the certificates.
> May I send you my eap.conf file ? Reading it should determine a mistake ...

  No.

  It is not a problem with configuring FreeRADIUS.

  And please fix your mailer so it doesn't add "SPAM" to every subject line.

  Alan DeKok.


Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver

[EMAIL PROTECTED] wrote:
> Sort of. "Official" CA is already in the store. You just have to add
> yours in there. Windows doesn't get on with .pem very well so import
> p12 version. Is your root certificate listed in Trusted Root CA store?
> Also your client cert should be in Personal.

Yes for trusted root ca store.
I will try with .p12 file.

> Ivan Kalik
> Kalik Informatika ISP





--
*Hospices Civils de Beaune*
*Patrice OLIVER*
/Ville Hôpital Project Manager/
/Head of Network & Security/
BP 104
21203 BEAUNE Cedex  Tel. 03 80 24 44 09
Fax. 03 80 24 45 90



Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread tnt
Sort of. "Official" CA is already in the store. You just have to add
yours in there. Windows doesn't get on with .pem very well so import
p12 version. Is your root certificate listed in Trusted Root CA store?
Also your client cert should be in Personal.

Ivan Kalik
Kalik Informatika ISP


On 16/11/2007, "Patrice Oliver" <[EMAIL PROTECTED]> wrote:

>I self-generated my certificates, and created my own CA, not dependent 
>on an official CA. Do you think it can be the origin of my problem ?
>
>Best regards.
>
>
>
>[EMAIL PROTECTED] wrote:
>> Problem is not with the server but with Windows XP. Have you imported the
>> correct certificate? Is it in the correct store? What's Windows XP
>> complaining about in Event Viewer?
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 16/11/2007, "Patrice Oliver" <[EMAIL PROTECTED]> wrote:
>>
>>> Alan DeKok wrote:
>>>> Patrice Oliver wrote:
>>>>>>   Ok.  Did you install the CA (or root) cert on the Windows machine?
>>>>> Yes, and the client certificate too.
>>>>
>>>>   Then there isn't much else that can go wrong.
>>>>
>>>>>>   Because the TLS method has not finished.  The Windows machine received
>>>>>> the server certificate, and decided it did not want to continue EAP-TLS.
>>>>> How do I work around this ?
>>>>
>>>>   Convince the Windows machine to accept the server certificate.
>>>>
>>>>   eap.conf has pointers to Windows knowledge base articles.  Maybe those
>>>> will help.
>>>>
>>>>   Alan DeKok.
>>>
>>> If you refer to xpextensions, I used it to create the certificates.
>>> May I send you my eap.conf file ? Reading it should determine a mistake ..
>>>
>>> Patrice


Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver
I self-generated my certificates, and created my own CA, not dependent 
on an official CA. Do you think it can be the origin of my problem ?


Best regards.



[EMAIL PROTECTED] wrote:
> Problem is not with the server but with Windows XP. Have you imported the
> correct certificate? Is it in the correct store? What's Windows XP
> complaining about in Event Viewer?
>
> Ivan Kalik
> Kalik Informatika ISP





--
*Hospices Civils de Beaune*
*Patrice OLIVER*
/Ville Hôpital Project Manager/
/Head of Network & Security/
BP 104
21203 BEAUNE Cedex  Tel. 03 80 24 44 09
Fax. 03 80 24 45 90



Re: freeradius auto-vlan 3com switch 4500G

2007-11-16 Thread pbreton
Hi Krzysztof,

Thanks for sharing your experience. 
>Please add here:
>  vlan-assignment-mode string
>  accounting optional
A 3Com product engineer gave me the same instruction,
unfortunately the 4500G does not support the
vlan-assignment-mode and accounting does not take optional
as argument. 
Maybe it should. The 4500G is new, and like many new products
it must go thru a real world user trial phase to uncover
birth defects. This said 3com is going to replace my 4500G
with a 5500G at no cost. And this is a solution to my
problem -which is not a freeradius one anymore.
Thanks again, enjoy the day,

Philippe.

- Original Message -
From: Krzysztof Olędzki
<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: FreeRadius users mailing list

Subject: Re: freeradius auto-vlan 3com switch 4500G
Date: Fri, 16 Nov 2007 00:10:23 +0100

>On 2007-11-11 18:27, Philippe Breton wrote:
>> On Sun, 2007-11-11 at 17:37 +0100, Krzysztof Olędzki wrote:
>>> On 2007-11-10 17:30, Philippe Breton wrote:
>>>>> Did you setup your switch properly:
>>>>>
>>>>> domain (...)
>>>>>  vlan-assignment-mode string
>>>> Hard to give a 100% answer on this question. I believe
>>>> I did with the  help of 3com support.
>>> This is the most important part. Please make sure it is
>>> set up (display  current-configuration).
>> 
>> ... I agree with you. The 4500G is new to me. I believe I
>> got it right. One important fact to keep in mind is the
>> semantic is a little different between the 5500g and 4500G
>> , i.e. what's in this doc does not apply in the 4500G
>>
>http://www.3com.hu/download/switch_radius_setup.doc/switch_radius_setup.doc
>> 
>> This is my current config:
>
>Please excuse me for the long delay. A day should be longer
>than 24h. ;)
>
>> description VLAN181
>> #
>> radius scheme system
>> server-type extended
>> primary authentication 127.0.0.1 1645
>> primary accounting 127.0.0.1 1646
>> user-name-format without-domain
>
>> radius scheme radius1
>> server-type standard
>> primary authentication 192.168.181.18
>> key authentication sdfsdfsfsf
>> user-name-format without-domain
>> #
>> domain system
>> access-limit disable
>> state active
>> idle-cut disable
>> self-service-url disable
>
>
>> domain wustl.edu
>> authentication default radius-scheme radius1
>> access-limit disable
>> state active
>> idle-cut disable
>> self-service-url disable
>
>Please add here:
>  vlan-assignment-mode string
>  accounting optional
>
>It is required for 3c5500G, so it should also solve the
>problem on  3c4500G. If not, please enable
>radius/mac-authentication/port-security  debugging on the
>switch.
>
>Best regards,
>
>Krzysztof Olędzki
>-- 
>Krzysztof Olędzki
>Axel Springer Polska Sp. z o.o.
>tel: +48-22-2320969
>fax: +48-22-2325530



Re: Problems With Radwho

2007-11-16 Thread Willem Gerber
Ahh, I found the problem. Thank you very much for all the trouble.

We have 3 radius servers; looks like all the accounting requests are only
going to the first one. The other 2 are both backup
servers :D

[EMAIL PROTECTED] wrote:
> It's not Access-Request but Accounting-Request. If you don't see them
> after the Access-Accept then your NAS is not sending accounting data.
>
> Ivan Kalik
> Kalik Informatika iSP
>
>
> On 16/11/2007, "Willem Gerber" <[EMAIL PROTECTED]> wrote:
>
>   
>> I'm seeing the authentication requests from the server and the reply
>> packets.
>> What would an accounting packet look like ?
>>
>> Sorry for asking.
>>
>> The traffic looks right to me if I do radius -X
>>
>>
>> Regards
>>
>> Willem Gerber
>>
>> [EMAIL PROTECTED] wrote:
>> 
>>> Are you getting accounting packets from those access servers? Or just
>>> authentication? If nAS is not sending ...
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>>
>>> On 16/11/2007, "Willem Gerber" <[EMAIL PROTECTED]> wrote:
>>>
>>>> Hi Guys/Gals
>>>>
>>>> I have a problem where radwho only shows users logged in for two NASes.
>>>> As well, only their accounting info goes into the radacct table.
>>>>
>>>> I can see the other users authenticating and I can log into them.
>>>> So they must be dialing up. No idea why it's happening.
>>>>
>>>> I'm using
>>>>
>>>> radiusd: FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu, built
>>>> on Oct 10 2007 at 08:13:06
>>>>
>>>> Regards
>>>>
>>>> Willem Gerber



-- 
"The casing said 'Windows XP or better'... so I installed Linux"
-- Anonymous


Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver

Alan DeKok wrote:
> Patrice Oliver wrote:
>>>   Ok.  Did you install the CA (or root) cert on the Windows machine?
>> Yes, and the client certificate too.
>
>   Then there isn't much else that can go wrong.
>
>>>   Because the TLS method has not finished.  The Windows machine received
>>> the server certificate, and decided it did not want to continue EAP-TLS.
>> How do I work around this ?
>
>   Convince the Windows machine to accept the server certificate.
>
>   eap.conf has pointers to Windows knowledge base articles.  Maybe those
> will help.
>
>   Alan DeKok.

If you refer to xpextensions, I used it to create the certificates.
May I send you my eap.conf file ? Reading it should determine a mistake ...

Patrice

--
*Hospices Civils de Beaune*
*Patrice OLIVER*
/Ville Hôpital Project Manager/
/Head of Network & Security/
BP 104
21203 BEAUNE Cedex  Tel. 03 80 24 44 09
Fax. 03 80 24 45 90



Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread tnt
Problem is not with the server but with Windows XP. Have you imported the
correct certificate? Is it in the correct store? What's Windows XP
complaining about in Event Viewer?

Ivan Kalik
Kalik Informatika ISP


On 16/11/2007, "Patrice Oliver" <[EMAIL PROTECTED]> wrote:

>Alan DeKok wrote:
>> Patrice Oliver wrote:
>>>>   Ok.  Did you install the CA (or root) cert on the Windows machine?
>>> Yes, and the client certificate too.
>>
>>   Then there isn't much else that can go wrong.
>>
>>>>   Because the TLS method has not finished.  The Windows machine received
>>>> the server certificate, and decided it did not want to continue EAP-TLS.
>>> How do I work around this ?
>>
>>   Convince the Windows machine to accept the server certificate.
>>
>>   eap.conf has pointers to Windows knowledge base articles.  Maybe those
>> will help.
>>
>>   Alan DeKok.
>
>If you refer to xpextensions, I used it to create the certificates.
>May I send you my eap.conf file ? Reading it should determine a mistake ...
>
>Patrice


Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Alan DeKok
Patrice Oliver wrote:
...
>>   Ok.  Did you install the CA (or root) cert on the Windows machine?
>>   
> Yes, and the client certificate too.

  Then there isn't much else that can go wrong.

>>   Because the TLS method has not finished.  The Windows machine received
>> the server certificate, and decided it did not want to continue EAP-TLS.
>>   
> How do I work around this ?

  Convince the Windows machine to accept the server certificate.

  eap.conf has pointers to Windows knowledge base articles.  Maybe those
will help.

  Alan DeKok.


Re: Problems With Radwho

2007-11-16 Thread Willem Gerber
I'm seeing the authentication requests from the server and the reply
packets.
What would an accounting packet look like ?

Sorry for asking.

The traffic looks right to me if I do radius -X


Regards

Willem Gerber

[EMAIL PROTECTED] wrote:
> Are you getting accounting packets from those access servers? Or just
> authentication? If nAS is not sending ...
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 16/11/2007, "Willem Gerber" <[EMAIL PROTECTED]> wrote:
>
>   
>> Hi Guys/Gals
>>
>> I have a problem where radwho only shows users logged in for two NASes.
>> As well, only their accounting info goes into the radacct table.
>>
>> I can see the other users authenticating and I can log into them.
>> So they must be dialing up. No idea why it's happening.
>>
>> I'm using
>>
>> radiusd: FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu, built
>> on Oct 10 2007 at 08:13:06
>>
>>
>> Regards
>>
>> Willem Gerber


-- 
"The casing said 'Windows XP or better'... so I installed Linux"
-- Anonymous


Re: Problems With Radwho

2007-11-16 Thread tnt
It's not Access-Request but Accounting-Request. If you don't see them
after the Access-Accept then your NAS is not sending accounting data.

Ivan Kalik
Kalik Informatika iSP


On 16/11/2007, "Willem Gerber" <[EMAIL PROTECTED]> wrote:

>I'm seeing the authentication requests from the server and the reply
>packets.
>What would an accounting packet look like ?
>
>Sorry for asking.
>
>The traffic looks right to me if I do radius -X
>
>
>Regards
>
>Willem Gerber
>
>[EMAIL PROTECTED] wrote:
>> Are you getting accounting packets from those access servers? Or just
>> authentication? If nAS is not sending ...
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 16/11/2007, "Willem Gerber" <[EMAIL PROTECTED]> wrote:
>>
>>
>>> Hi Guys/Gals
>>>
>>> I have a problem where radwho only shows users logged in for two NASes.
>>> As well, only their accounting info goes into the radacct table.
>>>
>>> I can see the other users authenticating and I can log into them.
>>> So they must be dialing up. No idea why it's happening.
>>>
>>> I'm using
>>>
>>> radiusd: FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu, built
>>> on Oct 10 2007 at 08:13:06
>>>
>>>
>>> Regards
>>>
>>> Willem Gerber

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
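
One way to apply the check described in the reply above, as an added example that is not part of the original thread: tally Access-Accept and Accounting-Request lines per NAS in `radiusd -X` debug output and list the NASes that authenticate users but never send accounting. The debug lines are constructed, and the `rad_recv:` and `Sending ... of id` line shapes are assumed to match the FreeRADIUS 1.1.x debug format.

```python
import re
from collections import defaultdict

# Constructed sample of `radiusd -X` debug output (not taken from the thread).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.0.0.1:1645, id=12, length=80
\tUser-Name = "alice"
Sending Access-Accept of id 12 to 10.0.0.1 port 1645
rad_recv: Accounting-Request packet from host 10.0.0.1:1646, id=13, length=96
\tAcct-Status-Type = Start
Sending Accounting-Response of id 13 to 10.0.0.1 port 1646
rad_recv: Access-Request packet from host 10.0.0.2:1645, id=40, length=82
\tUser-Name = "bob"
Sending Access-Accept of id 40 to 10.0.0.2 port 1645
rad_recv: Access-Request packet from host 10.0.0.3:1645, id=7, length=81
\tUser-Name = "carol"
Sending Access-Reject of id 7 to 10.0.0.3 port 1645
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Packet received from a NAS: "rad_recv: <Code> packet from host <ip>:<port>, ..."
RECV = re.compile(r"^rad_recv: (\S+) packet from host " + IPV4 + r":\d+")
# Reply sent to a NAS: "Sending <Code> of id <n> to <ip> port <port>"
SENT = re.compile(r"^Sending (\S+) of id \d+ to " + IPV4 + r"\b")


def tally(debug_text):
    """Return {nas_ip: {packet_code: count}} for packets received and sent."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in debug_text.splitlines():
        match = RECV.match(line) or SENT.match(line)
        if match:
            code, nas_ip = match.group(1), match.group(2)
            counts[nas_ip][code] += 1
    return counts


def nas_without_accounting(debug_text):
    """List NASes that were sent an Access-Accept but never sent an
    Accounting-Request to this server. A NAS whose requests were all
    rejected is not listed, since no session started."""
    counts = tally(debug_text)
    return sorted(
        nas_ip
        for nas_ip, codes in counts.items()
        if codes["Access-Accept"] > 0 and codes["Accounting-Request"] == 0
    )


if __name__ == "__main__":
    for nas_ip in nas_without_accounting(SAMPLE_DEBUG):
        print("accepted logins but no accounting seen from", nas_ip)
```

Run it against the debug output of each RADIUS server in turn: a NAS flagged on one server may be sending its Accounting-Requests to a different server.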


Re: Problems With Radwho

2007-11-16 Thread tnt
Are you getting accounting packets from those access servers? Or just
authentication? If nAS is not sending ...

Ivan Kalik
Kalik Informatika ISP


On 16/11/2007, "Willem Gerber" <[EMAIL PROTECTED]> wrote:

>Hi Guys/Gals
>
>I have a problem where radwho only shows users logged in for two NASes.
>As well, only their accounting info goes into the radacct table.
>
>I can see the other users authenticating and I can log into them.
>So they must be dialing up. No idea why it's happening.
>
>I'm using
>
>radiusd: FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu, built
>on Oct 10 2007 at 08:13:06
>
>
>Regards
>
>Willem Gerber


Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver

Alan DeKok wrote:
> Patrice Oliver wrote:
>> The certificates are created with xpextensions and installed.
>> I use freeradius.
>
>   Ok.  Did you install the CA (or root) cert on the Windows machine?
>
>> I see no OK, and no 'not OK'.
>> I don't understand why 'rlm_eap_tls: No SSL info available. Waiting for
>> more SSL data.'
>> I don't understand why freeradius sends an access challenge instead of
>> an access ok since the certificates are OK.
>
>   Because the TLS method has not finished.  The Windows machine received
> the server certificate, and decided it did not want to continue EAP-TLS.
>
>   Alan DeKok.

Do I need to send you my configuration ? Maybe you will see something wrong.

Best regards,

Patrice.

--
*Hospices Civils de Beaune*
*Patrice OLIVER*
/Ville Hôpital Project Manager/
/Head of Network & Security/
BP 104
21203 BEAUNE Cedex  Tel. 03 80 24 44 09
Fax. 03 80 24 45 90


This message, including any attachments, is intended exclusively for
its addressee(s) and is confidential. Any use not in keeping with its
purpose, and any distribution or publication, in whole or in part, is
prohibited without the express authorization of the sender. If you are
not the intended recipient of this message, please notify the sender of
the delivery error and then destroy it.
Any electronic message is liable to be altered and its integrity
cannot be guaranteed. The sender declines all responsibility in the
event that it has been modified or falsified.

Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver

Alan DeKok wrote:
> Patrice Oliver wrote:
> > The certificates are created with xpextensions and installed.
> > I use freeradius.
>
>   Ok.  Did you install the CA (or root) cert on the Windows machine?

Yes, and the client certificate too.

> > I see no OK, and no 'not OK'.
> > I don't understand why 'rlm_eap_tls: No SSL info available. Waiting for
> > more SSL data.'
> > I don't understand why freeradius sends an access challenge instead of
> > an access ok since the certificates are OK.
>
>   Because the TLS method has not finished.  The Windows machine received
> the server certificate, and decided it did not want to continue EAP-TLS.

How do I work around this?

>   Alan DeKok.

Best regards.
--
*Hospices Civils de Beaune*
*Patrice OLIVER*
/City-Hospital Project Manager/
/Network & Security Manager/
BP 104
21203 BEAUNE Cedex  Tel. 03 80 24 44 09
Fax. 03 80 24 45 90



Problems With Radwho

2007-11-16 Thread Willem Gerber
Hi Guys/Gals

I have a problem where radwho only shows users logged in for two NASes.
As well, only their accounting info goes into the radacct table.

I can see the other users authenticating and I can log into them.
So they must be dialing up. No idea why it's happening.

I'm using

radiusd: FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu, built
on Oct 10 2007 at 08:13:06


Regards

Willem Gerber

-- 
"The casing said 'Windows XP or better'... so I installed Linux"
-- Anonymous


Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Alan DeKok
Patrice Oliver wrote:
> The certificates are created with xpextensions and installed.
> I use freeradius.

  Ok.  Did you install the CA (or root) cert on the Windows machine?

> I see no OK, and no 'not OK'.
> I don't understand why 'rlm_eap_tls: No SSL info available. Waiting for
> more SSL data.'
> I don't understand why freeradius sends an access challenge instead of
> an access ok since the certificates are OK.

  Because the TLS method has not finished.  The Windows machine received
the server certificate, and decided it did not want to continue EAP-TLS.

  Alan DeKok.


EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver

Hello,

I work on a WIFI authentication project, dealing with EAP/TLS on Freeradius.
I have already read a lot of docs on the net.

The certificates are created with xpextensions and installed.
I use freeradius.

My config files are attached.
Client : windows XP pro sp2.

Here is the freeradius log when I try to connect :

rad_recv: Access-Request packet from host 172.17.5.100:32778, id=168, length=150
  User-Name = "mobile"
  NAS-IP-Address = 172.17.5.100 
  NAS-Identifier = "172.17.5.100 "
  NAS-Port = 1
  NAS-Port-Type = Wireless-802.11
  Calling-Station-Id = "000F20957BB7"
  Called-Station-Id = "000B8641C660"
  Framed-MTU = 1100
  EAP-Message = 0x0201000b016d6f62696c65
  Aruba-Essid-Name = "eole"
  Aruba-Location-Id = "2.1.1"
  Message-Authenticator = 0x4b5ee61553ec73cc454c403ec873ad24
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Sending Access-Challenge of id 168 to 172.17.5.100 port 32778
  Aruba-User-Vlan = 200
  Aruba-User-Role = "eole"
  EAP-Message = 0x010200060d20
  Message-Authenticator = 0x
  State = 0xf1d8d2c72aac139bb25089361b94918e
rad_recv: Access-Request packet from host 172.17.5.100:32778, id=169, length=269
  User-Name = "mobile"
  NAS-IP-Address = 172.17.5.100 
  NAS-Identifier = "172.17.5.100 "
  NAS-Port = 1
  NAS-Port-Type = Wireless-802.11
  Calling-Station-Id = "000F20957BB7"
  Called-Station-Id = "000B8641C660"
  Framed-MTU = 1100
  EAP-Message = 
0x020200700d8000661603010061015d0301473c2a4b426528392f0efd1946172b375ed92f04360eb7068b276ad02f65df942002bc6aa8929e3855237d44cfed0de9e0eef6830330686250346b2a2141ff2f66001600040005000a000900640062000300060013001200630100

  State = 0xf1d8d2c72aac139bb25089361b94918e
  Aruba-Essid-Name = "eole"
  Aruba-Location-Id = "2.1.1"
  Message-Authenticator = 0xd4944b76a67263b3c6431530b33522d1
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Sending Access-Challenge of id 169 to 172.17.5.100 port 32778
  Aruba-User-Vlan = 200
  Aruba-User-Role = "eole"
  EAP-Message = 
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
  EAP-Message = 
0x2d424541554e4520544c532043413128302606092a864886f70d010901161961646d696e2e7265736561754063682d626561756e652e6672301e170d3037313030343036303635395a170d3137313030313036303635395a3081b2310b30090603550406130246523112301006035504081309426f7572676f676e65310f300d06035504071306426561756e6531153013060355040a130c63682d626561756e652e6672311b3019060355040b131273696e666f2e63682d626561756e652e66723120301e06035504031317667265657261646975732e63682d626561756e652e66723128302606092a864886f70d010901161961646d696e2e726573
  EAP-Message = 
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
  EAP-Message = 
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

  EAP-Message = 0x864886f70d010901161961646d696e2e726573656175
  Message-Authenticator = 0x
  State = 0x3086036a150a272bec4609fc740fdb2d
rad_recv: Access-Request packet from host 172.17.5.100:32778, id=170, length=163
  User-Name = "mobile"
  NAS-IP-Address = 172.17.5.100 
  NAS-Identifier = "172.17.5.100 "
  NAS-Port = 1