Re: radwho radzap problem
Hi again, I think I found a solution. I don't know why, but I had to give the -d parameter to show the default config path; my config path is under freeradius but it searches for radiusd, so that made the problem. So is there a way to change the default path for radzap/radwho etc.?

Hello, I am using an rlm_perl script for authentication, and logging radacct in SQL. But it is strange that I couldn't use radwho, radzap, radlast etc. for a while; I had the error "file not found" etc. So I manually created the files with touch. Now I can see there are records inside the files, but still I can't see any data with the radwho or radlast commands. And also, I cannot zap stale sessions with radzap; even though I tried to clean the SQL log with a cleanstale.php script, some of my users still seem online. I am attaching the radiusd.conf file and I wonder if somebody can help me with this situation. Thanks a lot.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho radzap problem
Oguzhan Kayhan wrote:
> Hello, I am using an rlm_perl script for authentication, and logging radacct in SQL. But it is strange that I couldn't use radwho, radzap, radlast etc. for a while; I had the error "file not found" etc. So I manually created the files with touch. Now I can see there are records inside the files, but still I can't see any data with the radwho or radlast commands.

The contents of the files are created from accounting packets. Those packets are required to have certain data for them to go in radutmp/radwtmp. See debug mode for more information.

Alan DeKok.
Re: Group Membership query??
Marc LEURENT wrote:
> Good evening, I'm sending a group membership query from openser to freeradius... I would like to send a group membership query, but it's a group authorize query that is received...

I have no idea what you mean by that. OpenSER sends RADIUS packets to FreeRADIUS. It doesn't send membership queries.

> ...
> auth: type Local
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.

You haven't told the server how to authenticate the user. And the packet from OpenSER is *not* compliant with the RADIUS specs. If you want to accept the user, set "Auth-Type := Accept", not "local".

Alan DeKok.
Re: LDAP Groups and EAP
Brian Wilson wrote:
> I tried updating to version 2.0. I like the debug interface much better, it makes it a lot easier to read. Nice job!

Thanks. It was a fair amount of work, but I think it's worth it.

> Unfortunately, this upgrade introduced a new issue for me. When doing group ldap searches, it looks like the Ldap-UserDN variable doesn't get populated. The server successfully binds and finds the user, but in the expand section:

Hmm... I don't think that code was changed at all in 2.0. I don't use the LDAP module much, so I'm not sure what else to say... Where is the LDAP-UserDN being set from?

Alan DeKok.
Re: Freeradius + portuguese characters in Active Directory
nikitha george wrote:
> Please find the debug log below..
>
> rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
> +- entering group authorize
> ++[preprocess] returns ok
>         expand: %{User-Name} -> Catónio

It looks like it's not doing anything to the characters. Are you sure that the input is UTF-8, and not any other character set?

Alan DeKok.
Authorize/authenticate with LDAP
Hello,

I have a small problem, a little bit annoying, and it seems to me that a lot of people using LDAP don't know that they have the same problem. I explain: I have an access-point, and I want to use EAP/TTLS in order to authenticate people on my LDAP server. The first time, I had something like that:

authorize {
        preprocess
        suffix
        eap
        files
        Autz-Type LDAP {
                ldap
        }
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}

It is working. I am not sure it is the minimal configuration, but I don't care too much. My problem is the following: in my Intel PROSet, if I am giving a false identity in my roaming profile with a good identity and a good password, it is working. The authorization step doesn't work as I want. The most important problem is that the accounting is using my roaming profile. I can partially solve the problem using:

Autz-Type LDAP {
        ldap {
                notfound = reject
        }
}

Then, the roaming profile must be a valid LDAP name. But I still can use an arbitrary valid LDAP name. In fact, the most important thing to me is that the accounting and session logger use the good name. Is there a solution to my problem?

Thx,
--
Thierry CHICH
Equipe Réseaux / Rectorat de Clermont-Ferrand
Tel: +33 4 73 99 30 54
RE: alan's book, or anything new on the horizon
I have been following you for three years and I trust you, so I will buy your book.

Date: Tue, 15 Jan 2008 17:03:52 +0100
From: [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Re: alan's book, or anything new on the horizon

Duane Cox wrote:
> I wonder if Alan ever released that book that he had talked about in 2006? Or did it become a collection of wiki pages?

I'm up to 180 pages. There's more content than the O'Reilly book, by a long shot. However, I moved countries in 2007, and various factors meant I couldn't spend much time on the book. I've recently been doing 10 pages a week, so I hope to finish it eventually. Now that 2.0 is out, I'm hoping to feel less guilty about that, and more guilty about the book.

> Is anyone working on a second revision to Hassell's O'Reilly RADIUS?

O'Reilly won't be issuing one. The book's sales were high for the first few weeks, and dropped off quickly after that. Everyone figured out that it's pretty much content-free. i.e. one well known O'Reilly author described it to me as "The worst book that O'Reilly has published."

I've talked with them, too. They're not interested in a second edition, and they're not interested in a FreeRADIUS book. Any other publisher I've talked to projects small amounts of money in sales, so they're not interested either.

So... I'm going to self-publish. I think there's enough money to make it worth my time.

Alan DeKok.
SQL Groups and Autz-Type
Hello List,

I have a question regarding the ability of rlm_sql to set the Autz-Type attribute. I am attempting to assign/add to the Autz-Type attribute for processing of sqlcounter instances based on the groups the user belongs to. User [EMAIL PROTECTED] belongs to a group DSL-LOCAL for local-only DSL service. In the authorize section, after the sql statement, I have a sqlcounter called MonthlyOctetsLocal that needs to be executed if the user belongs to the DSL-LOCAL group.

        #
        # Look in an SQL database. The schema of the database
        # is meant to mirror the users file.
        #
        # See "Authorization Queries" in sql.conf
        sql
        Autz-Type DSL-LOCAL {
                MonthlyOctetsLocal
        }

debian:/etc/freeradius# freeradius -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
[cut]
Module: Instantiated sql (sql)
Module: Loaded SQL Counter
 sqlcounter: counter-name = Monthly-Session-Octets-Local
 sqlcounter: check-name = Max-Monthly-Octets-Local
 sqlcounter: reply-name = (null)
 sqlcounter: key = User-Name
 sqlcounter: sqlmod-inst = sql
 sqlcounter: query = SELECT SUM(AcctInputOctets) + SUM(AcctOutputOctets) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'
 sqlcounter: reset = monthly
 sqlcounter: safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
[cut]
Ready to process requests.

rad_recv: Access-Request packet from host 127.0.0.1:32768, id=178, length=62
        User-Name = [EMAIL PROTECTED]
        User-Password = hello
        Access-Type = DSL
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: Looking up realm testing for User-Name = [EMAIL PROTECTED]
    rlm_realm: No such realm testing
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
  modcall[authorize]: module files returns notfound for request 0
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns ok for request 0
  modcall[authorize]: module pap returns updated for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type pap
auth: type PAP
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
  rlm_pap: login attempt with password hello
  rlm_pap: Using clear text password hello.
  rlm_pap: User authenticated successfully
  modcall[authenticate]: module pap returns ok for request 0
modcall: leaving group PAP (returns ok) for request 0
Sending Access-Accept of id 178 to 127.0.0.1 port 32768
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---

Umm, nothing was executed within the Autz-Type section at all. So, to test if the rlm_sql module is actually attempting to set the Autz-Type attribute, I did this in the authorize section:

        # Look in an SQL database. The schema of the database
        # is meant to mirror the users file.
        #
        # See "Authorization Queries" in sql.conf
        sql
        # Autz-Type DSL-LOCAL {
        #        MonthlyOctetsLocal
        # }
        MonthlyOctetsLocal

Started the server again in debug mode:

[cut]
Module: Instantiated sql (sql)
Module: Loaded SQL Counter
 sqlcounter: counter-name = Monthly-Session-Octets-Local
 sqlcounter: check-name = Max-Monthly-Octets-Local
 sqlcounter: reply-name = (null)
 sqlcounter: key = User-Name
 sqlcounter: sqlmod-inst = sql
 sqlcounter: query = SELECT SUM(AcctInputOctets) + SUM(AcctOutputOctets) FROM radacct WHERE UserName='%{%k}' AND
Re: SQL Groups and Autz-Type
I am an idiot. The Autz-Type and the like are configuration items that are processed in their own sections. The sql module changes reply and check items. Sorry for the wasted bandwidth.

Kind Regards
Etienne Pretorius
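As an added configuration example, not taken from the thread or from the FreeRADIUS distribution, here is one way to get the per-group sqlcounter to run for the 1.1.x-style server shown in the debug output above. The idea is that rlm_sql does not run sub-sections itself; it only returns check and reply items. So the group's check items carry the Autz-Type value, and the server then enters the matching Autz-Type sub-section after the main authorize modules. Assumed: the default radgroupcheck and usergroup tables seen in the page's queries, a sqlcounter instance named MonthlyOctetsLocal whose check-name is Max-Monthly-Octets-Local, that the server accepts Autz-Type as a check item from SQL, and constructed sample values (user name, byte limit). Confirm with "freeradius -X" that the DSL-LOCAL sub-section is actually entered for a group member and skipped for everyone else; a limit that silently never applies is the failure mode worth testing for.

```conf
# radiusd.conf (1.1.x). The sub-section name defines the Autz-Type
# value when the configuration is loaded, so it exists before any SQL
# row refers to it. Anything placed inside the sub-section runs only
# for requests whose check items carry Autz-Type := DSL-LOCAL.
authorize {
        preprocess
        suffix
        files
        sql
        Autz-Type DSL-LOCAL {
                MonthlyOctetsLocal
        }
}

# Rows to load into the SQL database (constructed sample data, shown
# here as comments because the rest of this fragment is server
# configuration). usergroup maps the user to the group; radgroupcheck
# makes every member carry both the Autz-Type and the monthly octet
# ceiling that the MonthlyOctetsLocal counter compares against. The
# ceiling is kept below 2^31 because the check attribute is a 32-bit
# integer in the dictionary.
#
#   INSERT INTO usergroup (Username, GroupName)
#        VALUES ('user@example.com', 'DSL-LOCAL');
#   INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
#        VALUES ('DSL-LOCAL', 'Autz-Type', ':=', 'DSL-LOCAL');
#   INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
#        VALUES ('DSL-LOCAL', 'Max-Monthly-Octets-Local', ':=', '2000000000');

# What to look for in "freeradius -X" for a DSL-LOCAL member: after
# "module sql returns ok", a line entering the DSL-LOCAL Autz-Type
# group, followed by the sqlcounter's SELECT against radacct. For a
# user outside the group the counter query must not appear at all.
```

The same separation holds in later releases, where the sub-section would be replaced by an unlang conditional on the SQL group membership, but the principle is unchanged: the module supplies data, and the configuration decides which policy runs on it.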
Re: XP User/machine accounts
On 16/01/2008, Ian Begg [EMAIL PROTECTED] wrote:
> Hi
>
> Don't know if this is the correct place to ask but I have a problem. I have got freeradius working with eap/tls and can load the certs to XP laptops and connect. The problem I have is that if I log onto the laptop using a different user, no log on; I think the certs are for the user and not the machine. Anyone know of a fix?
>
> Ian
>
> ps I have used http://wiki.freeradius.org/WPA_HOWTO for the setup.

Try importing the Certificate to the Local Computer Certificate Store rather than the User one. On XP, go Start -> Run, and run mmc. Then, go File -> Add/Remove Snap-In and add the Certificates Snap-in and, rather than selecting "My User Account", select "Computer Account". You should then be able to import the cert into the local computer's Personal Cert store, and use it on whatever login you want. I've not tried this for WPA Auth, but it's worked for a similar application.

Rupes
Re: Freeradius + portuguese characters in Active Directory
Hi, "Catónio", if it's converted to UTF-8, should look like below in hex format. Try to get your hex data and compare it with the data below. If you are not getting the UTF-8 decoded information as shown below, then there must be an issue with the encoding mechanism of FreeRADIUS.

C - 0x43
a - 0x61
t - 0x74
ó - 0xC3 0xB3
n - 0x6e
i - 0x69
o - 0x6f

-gnr

On Jan 16, 2008 2:17 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> nikitha george wrote:
> > Please find the debug log below..
> >
> > rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
> > +- entering group authorize
> > ++[preprocess] returns ok
> >         expand: %{User-Name} -> Catónio
>
> It looks like it's not doing anything to the characters. Are you sure that the input is UTF-8, and not any other character set?
>
> Alan DeKok.
eap-mschapv2
Josh Howlett wrote:
> ...
> Sending Access-Challenge of id 3 to x.x.x.x port 1812
>         MS-CHAP2-Success = ...
>         EAP-Message = ...
>
> That looks like a bug to me. It's a violation of RFC2548:

No. The bug is different: EAP-MSCHAPv2 is *not* MS-CHAPv2. The MS-CHAP2-Success attribute has no business being in *any* packet that also contains EAP. I've committed a fix for that to CVS head.

How and when do I get this fix? Also, does this fix the reply as type Access-Accept instead of Access-Challenge?

Alan DeKok.
Re: Freeradius + portuguese characters in Active Directory
Gopinath Reddy N wrote:
> "Catónio", if it's converted to UTF-8, should look like below in hex format. Try to get your hex data and compare it with the data below.

If I cut and paste that from my mailer to the config files test cases, it works. It doesn't mangle the name at all.

> If you are not getting the UTF-8 decoded information as shown below, then there must be an issue with the encoding mechanism of FreeRADIUS.

That's what I see...

Alan DeKok.
Re: Authorize/authenticate with LDAP
On Wednesday 16 January 2008, Alan DeKok wrote:
> Thierry CHICH wrote:
> > I have an access-point, and I want to use EAP/TTLS in order to authenticate people on my LDAP server. The first time, I had something like that:
> ...
> > in my Intel PROSet, if I am giving a false identity in my roaming profile with a good identity and a good password, it is working. The authorization step doesn't work as I want. The most important problem is that the accounting is using my roaming profile.
>
> Yes. The outer identity is often anonymous, and does not matter for authentication. If you set the User-Name in the Access-Accept, the NAS *should* use that name for accounting, and not the name from the outer identity.

Thanks for your answer. I am happy to see that it is not totally weird. But what can I do in order to set the User-Name in the Access-Accept? When I watch the logs, I see the following events. First, all is going well:

rlm_ldap: user GOOD.NAME authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 6
modcall: leaving group LDAP (returns ok) for request 6
radius_xlat: '[EMAIL PROTECTED] vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand'
  TTLS: Got tunneled reply RADIUS code 2
        Reply-Message = [EMAIL PROTECTED] vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 6
modcall: leaving group authenticate (returns ok) for request 6

But after that good beginning, I come back to the FAKE.NAME I have written as my outer identity:

radius_xlat: '[EMAIL PROTECTED] vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand'
Sending Access-Accept of id 13 to 172.30.87.66 port 3689
        Reply-Message = [EMAIL PROTECTED] vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand
        MS-MPPE-Recv-Key = 0x0c447e72b7c080648ded12ab5990dd20dc9832c2b9a78bf1630fa5fcdac41633
        MS-MPPE-Send-Key = 0x1dd7d8cf377ebc9b47b2cddb290b95aa61140f4fe13d69e52f4102426d3c25ae
        EAP-Message = 0x030d0004
        Message-Authenticator = 0x
        User-Name = FAKE.NAME
Re: eap-mschapv2
Alan DeKok wrote:
> No. The bug is different: EAP-MSCHAPv2 is *not* MS-CHAPv2. The MS-CHAP2-Success attribute has no business being in *any* packet that also contains EAP. I've committed a fix for that to CVS head.

Thank you very much for the response. How and when do I get this fix? Also, does this fix the reply as type Access-Accept instead of Access-Challenge, or am I interpreting this also wrong?

Indi
Re: eap-mschapv2
indira kolli wrote:
> Thank you very much for the response. How and when do I get this fix?

The web site contains instructions for obtaining code via CVS.

> Also, does this fix the reply as type Access-Accept instead of Access-Challenge, or am I interpreting this also wrong?

You are interpreting it wrong. I said that the MS-CHAP2-Success attribute does not belong. I did *not* say that the packet should be Access-Accept instead of Access-Challenge.

Alan DeKok.
Re: Authorize/authenticate with LDAP
Thierry CHICH wrote:
> [...]

What version of FR are you running?

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: LDAP Groups and EAP
Alan DeKok wrote:
> Brian Wilson wrote:
> > I tried updating to version 2.0. I like the debug interface much better, it makes it a lot easier to read. Nice job!
>
> Thanks. It was a fair amount of work, but I think it's worth it.
>
> > Unfortunately, this upgrade introduced a new issue for me. When doing group ldap searches, it looks like the Ldap-UserDN variable doesn't get populated. The server successfully binds and finds the user, but in the expand section:
>
> Hmm... I don't think that code was changed at all in 2.0. I don't use the LDAP module much, so I'm not sure what else to say... Where is the LDAP-UserDN being set from?

It is set by rlm_ldap by performing an LDAP search on the USER_NAME attribute. If the search succeeds, the ldap-userdn is set to the dn the user name was found under. This dn can then be used to efficiently point to the user data in the LDAP tree; think of it as a pointer (cursor) to be used in future LDAP queries in subsequent processing.

--
John Dennis [EMAIL PROTECTED]
Looking for some Ascend Max TNT documentation
Hello,

I run a few NAS devices, all Lucent/Ascend Max TNT, with a freeradius server. I'm trying to locate some documentation on the Max TNT to change some options, and the site I used to use - hal-pc.org/~ascend - doesn't seem to be available any longer. Thought I might try my luck here. What I need to do is simply turn off radius authentication for one of the boxes and let anything that connects - connect.

--
Chad Whitten
Metro Network Solutions
(601) 366-6630 Phone
(601) 366-6066 Fax
(601) 842-6804 Cellular
(601) 519-4172 Pager
[EMAIL PROTECTED]
Re: LDAP Groups and EAP
John Dennis wrote:
> > Where is the LDAP-UserDN being set from?
>
> It is set by rlm_ldap by performing an LDAP search on the USER_NAME attribute. If the search succeeds, the ldap-userdn is set to the dn the user name was found under. This dn can then be used to efficiently point to the user data in the LDAP tree; think of it as a pointer (cursor) to be used in future LDAP queries in subsequent processing.

Ah. In 2.0, it's stored in the control items, not in the incoming request:

        %{control:LDAP-UserDn}

...

Alan DeKok.
SQL query length
Hello everyone,

I am trying to do a more complicated query for a custom session time counter, but I am running into problems. Can someone please answer the following questions?

Problem: When I have the attribute Session-Timeout in the radcheck table, I get a Segmentation Fault after the query has run, no matter if it returns results or not.

a) I've noticed that freeradius performs Accounting-Request when this attribute is set; is this normal?
b) Is there a limit to the sql query length?
c) Is there a limit to the field name, i.e., should I use SELECT This_is_a_very_long_field_name_having_ifs_nulls_etc AS ShortFieldName, or is it irrelevant?
d) The particular query performs a join to another table; may this be the source of the problem?
e) Is it mandatory that a query returns results?
f) Can I use multiple 'query' in radius.conf, using the values from a first query to feed the next one?

Thank you !!
Re: Authorize/authenticate with LDAP
Thierry CHICH wrote:
> freeradius Version 1.1.3 ??? I can't believe it! I thought I was using version 1.1.6! Is it possible it changes the behavior if I upgrade?

In 1.1.x you can set the User-Name inside of the tunnel, and then set "use_tunneled_reply = yes" in the EAP config. This will use that User-Name in the Access-Accept.

In 2.0, you can just write logic that runs only in the inner tunnel, and sets the outer tunnel user name directly.

Alan DeKok.
Re: SQL query length
Spam Eater wrote:
> Problem: When I have the attribute Session-Timeout in the radcheck table, I get a Segmentation Fault after the query has run, no matter if it returns results or not.

doc/bugs

> a) I've noticed that freeradius performs Accounting-Request when this attribute is set; is this normal?

I have no idea what you mean by that. FreeRADIUS doesn't magically create Accounting-Requests if it sees a Session-Timeout.

> b) Is there a limit to the sql query length?

In 1.1.x, yes. About 253 octets in many cases. If the queries are in the configuration (e.g. rlm_sql_ippool), then the queries can be very long.

In 2.0, the queries in unlang can be about 7k in length.

> c) Is there a limit to the field name, i.e., should I use SELECT This_is_a_very_long_field_name_having_ifs_nulls_etc AS ShortFieldName, or is it irrelevant?

There is no limit to field names imposed by FreeRADIUS.

> d) The particular query performs a join to another table; may this be the source of the problem?

Maybe, if you're using MySQL and an old version of the server. See doc/ChangeLog in 1.1.7.

> e) Is it mandatory that a query returns results?

Yes.

> f) Can I use multiple 'query' in radius.conf, using the values from a first query to feed the next one?

Yes, so long as the output from a query goes into a RADIUS attribute.

Alan DeKok.
Re: eap-mschapv2
Hello Alan,

What is the expected call flow for EAP-MSCHAPv2?

Access-Request
Access-Challenge
Access-Request
Access-Accept

Why am I getting Access-Challenge again?

..Indi

On Jan 16, 2008 10:30 AM, Alan DeKok [EMAIL PROTECTED] wrote:
> indira kolli wrote:
> > Thank you very much for the response. How and when do I get this fix?
>
> The web site contains instructions for obtaining code via CVS.
>
> > Also, does this fix the reply as type Access-Accept instead of Access-Challenge, or am I interpreting this also wrong?
>
> You are interpreting it wrong. I said that the MS-CHAP2-Success attribute does not belong. I did *not* say that the packet should be Access-Accept instead of Access-Challenge.
>
> Alan DeKok.
Re: SQL query length
Hello Alan,

Thank you so much for your quick response! Please check my comments inline below:

> > Problem: When I have the attribute Session-Timeout in the radcheck table, I get a Segmentation Fault after the query has run, no matter if it returns results or not.
>
> doc/bugs
>
> > a) I've noticed that freeradius performs Accounting-Request when this attribute is set; is this normal?
>
> I have no idea what you mean by that. FreeRADIUS doesn't magically create Accounting-Requests if it sees a Session-Timeout.

I think I might have misinterpreted a log. I've just tried to duplicate this behaviour without success; now I see only Access-Request packets. If this happens again, I'll try to be more informative.

> > b) Is there a limit to the sql query length?
>
> In 1.1.x, yes. About 253 octets in many cases. If the queries are in the configuration (e.g. rlm_sql_ippool), then the queries can be very long.

Ok, this is certainly a problem for me. I can't change the freeradius version (at least not now, maybe in the future), so I assume the only option is to 'exec' external scripts to perform more complex queries; am I right?

> In 2.0, the queries in unlang can be about 7k in length.
>
> > c) Is there a limit to the field name, i.e., should I use SELECT This_is_a_very_long_field_name_having_ifs_nulls_etc AS ShortFieldName, or is it irrelevant?
>
> There is no limit to field names imposed by FreeRADIUS.
>
> > d) The particular query performs a join to another table; may this be the source of the problem?
>
> Maybe, if you're using MySQL and an old version of the server. See doc/ChangeLog in 1.1.7.
>
> > e) Is it mandatory that a query returns results?
>
> Yes.
>
> > f) Can I use multiple 'query' in radius.conf, using the values from a first query to feed the next one?
>
> Yes, so long as the output from a query goes into a RADIUS attribute.

Can you please elaborate, Alan, maybe with a small example or pointer to documentation?

Thank you for your time! :-)

> Alan DeKok.
Re: eap-mschapv2
indira kolli wrote:
> What is the expected call flow for EAP-MSCHAPv2?

Read the specification, or the source code.

> Access-Request
> Access-Challenge
> Access-Request
> Access-Accept
>
> Why am I getting Access-Challenge again?

You're not saying which supplicant you're using. Let me guess: you're writing your own, and trying to debug it using FreeRADIUS. If that's true, I suggest that you go read the wpa_supplicant source code. It implements EAP-MSCHAPv2 correctly.

If you're not writing your own supplicant, then the server is working correctly. You may be surprised that more than one Access-Challenge is being sent, but that is the Way It Works. If you care to know why, go read the source code in rlm_eap_mschapv2.c

Alan DeKok.
Re: Authorize/authenticate with LDAP
Hi,

> Thierry CHICH wrote:
> > freeradius Version 1.1.3 ??? I can't believe it! I thought I was using version 1.1.6! Is it possible it changes the behavior if I upgrade?
>
> In 1.1.x you can set the User-Name inside of the tunnel, and then set "use_tunneled_reply = yes" in the EAP config. This will use that User-Name in the Access-Accept.
>
> In 2.0, you can just write logic that runs only in the inner tunnel, and sets the outer tunnel user name directly.

Both covered a couple of times in the mailing list archive.

alan
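As an added example, not from the thread or from the FreeRADIUS distribution, here are the two approaches Alan describes written out as configuration fragments. The 1.1.x part assumes the stock eap.conf and users files and that the inner (tunneled) request carries FreeRADIUS-Proxied-To = 127.0.0.1, which is how eap.conf marks requests coming out of the TTLS tunnel; the 2.0 part assumes the sites-available/inner-tunnel virtual server and the outer.reply list reference from unlang (check "man unlang" for the installed version). In both cases the Access-Accept ends up carrying the identity that LDAP actually authenticated, so the NAS's accounting and the session loggers name the real user instead of whatever the supplicant typed into its outer identity. That matters for auditing: an outer identity is unauthenticated, user-chosen text, and letting it flow into radacct means one user can make another's name appear in the accounting records.

```conf
# --- FreeRADIUS 1.1.x ---------------------------------------------------
# eap.conf: copy the reply items from the inner (tunneled) request into
# the outer Access-Accept that goes back to the NAS.
eap {
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = yes
        }
}

# users: the inner request is marked with FreeRADIUS-Proxied-To, so this
# entry matches only inside the tunnel. The reply item expands to the
# inner identity, which use_tunneled_reply then copies outward.
# Fall-Through lets the normal entries (LDAP lookup etc.) still apply.
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
        User-Name = "%{User-Name}",
        Fall-Through = Yes

# --- FreeRADIUS 2.0 -----------------------------------------------------
# sites-available/inner-tunnel: after a successful inner authentication,
# overwrite the outer reply's User-Name with the inner identity directly.
# (outer.reply and %{request:...} are assumed unlang list references.)
post-auth {
        update outer.reply {
                User-Name := "%{request:User-Name}"
        }
}
```

To verify either version, run the server with -X and compare the "Sending Access-Accept" block for an EAP-TTLS login against the debug output Thierry posted: the User-Name attribute in that block should now be the inner, authenticated name, and the subsequent Accounting-Request from the NAS should carry the same value.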
RE: Help Needed Please freeradius traffic limiting
Hi,

Do you provide co-location service in Sth Africa? I am looking to have a rackspace or half down there.

Regards,
Abdul Hakeem
IPEX Telecom
+447931800952

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Dovale
Sent: 15 January 2008 16:41
To: 'FreeRadius users mailing list'
Subject: FW: Help Needed Please freeradius traffic limiting

Regards
Keith Dovale
http://www.hostworx.co.za/

From: Keith Dovale
Sent: Tuesday, January 15, 2008 6:24 PM
To: 'FreeRadius users mailing list'
Subject: Help Needed Please freeradius traffic limiting

Ok, I need to do this, and if someone could help I would appreciate it, as I am new to this.

1. I need to limit users by traffic and NOT session time. (I set up the monthly counters to check, but the counters cannot go beyond 2,148,000,000 and they fail; I think this is due to the counters using the type as integer. If I can get this value to go beyond this, then this sorts out my problem based on traffic.)

2. I need to execute a query to check the client's total traffic usage and compare it to their limit; if they have gone beyond their limit, I need to be able to execute a disconnect. (The disconnect side I have got working manually, so if there is a way to trigger / execute a program on an interim update which will force a discon, that will help; else if this can be done another way, please let me know.)

3. Any recommendations on how to go about the above issues which will do this in an easier way, please let me know.

Regards
Keith Dovale
http://www.hostworx.co.za/
Re: alan's book, or anything new on the horizon
Then don't keep it under 400. More info is better (and real examples too). Thanks.

On 16/01/2008, Alan DeKok [EMAIL PROTECTED] wrote:
> orion wrote:
> > alan, can we have the TOC of the book?
>
> It's still in development, and I'm re-arranging it occasionally. At a high level:
>
> Introduction
> Concepts
> Participants and their roles
> User Devices
> NAS
> RADIUS Servers
> Databases
> AAA Overview
> Authentication
> Authorization
> Accounting
> Auditing
> Conversations
> Protocol overview
> Message contents
> Dictionaries
> Security
> Participants in more detail
> User devices
> NAS
> RADIUS Servers
> Databases
> Authentication
> The basics
> PAP
> CHAP
> MS-CHAP
> Digest
> Managing passwords
> hashes
> protocol compatibility
> EAP
> EAP-GTC
> EAP-MD5
> EAP-MSCHAPv2
> LEAP
> EAP and password storage
> EAP-TLS Methods
> EAP-TLS
> Microsoft Windows requirements
> PEAP
> EAP-TTLS
> Wireless and wired security with EAP
> Other authentication protocols
> Authorizations
> Principles for policy creating
> Logging
> Role-based authorization
> Policy maintenance
> Chained policies
> Examples
> Accounting
> Interaction with authorization
> Generation of data
> Logging of data
> Relaying of packets
> Simultaneous-Use
> RADIUS Server implementations
> ACS
> OAS
> Juniper
> OCS
> Radiator
> FreeRADIUS
> Others
> Recommendations
>
> - And now we get into FreeRADIUS-specific text. :)
>
> Basic deployments
> Installing FreeRADIUS
> Configuration files
> radiusd.conf
> clients.conf
> proxy.conf
> virtual servers
> Starting the server
> Debugging
> Tracking configuration changes
> Test methodology
> radiusd.conf
> Layout
> Processing of requests
> authentication
> accounting
> proxying
> Modules
> Multiple instances of a module
> Redundant and load-balanced modules
> simple flow control
> unlang
> Introduction
> Interaction with modules
> Examples
> clients.conf
> proxy.conf
> virtual servers
> users file
> format
> sample entries
> Dictionaries
> ATTRIBUTE definitions
> VALUE definitions
> VENDOR definitions
> Loading other dictionary files
> Creating a dictionary file
> Special considerations
> Debugging a deployment
> Tools
> Test methods and procedures
> EAP testing with eapol_test
> Databases
> LDAP
> Active Directory considerations
> SQL
> MySQL
> Postgresql
> Common deployment issues
> Windows
> AP implementations
> RADIUS Servers
> LDAP Servers
> Security
> Network security
> Physical security
> Configuration security
> Methods for policy creation
> RADIUS protocol reference
> Attributes
> Data types
> VSA's
> Packet types
> Module overview
> rlm_chap
> rlm_digest
> ...
>
> If you've read this far, I'm impressed. With each topic on a single line like that, it starts to look silly after a while.
>
> The intent, though, is to be the *definitive* reference for not only FreeRADIUS, but also for the protocol, and common use cases. Where other books say things like "Access-Request packets contain requests for access", this one says that, and more. Like common problems people see, common mistakes vendors make, common misunderstandings and how to correct them, and how to work around various issues in practice.
>
> I'm going to try to keep it under 400 pages, but I do think there's enough material to make 400 pages.
>
> Alan DeKok.
Re: SQL query length
> > > b) Is there a limit to the sql query length?
> >
> > In 1.1.x, yes. About 253 octets in many cases. If the queries are in the configuration (e.g. rlm_sql_ippool), then the queries can be very long.
>
> Ok, this is certainly a problem for me. I can't change freeradius version (at least not now, maybe in the future) so I assume the only option is to 'exec' external scripts to perform more complex queries, am I right?

Or use a SQL stored procedure.

--
Peter Nixon
http://peternixon.net/
how to use both 1645 and 1812?
Is there a way to open two ports (1645 and 1812) for auth at the same time? We want to find a way to open 1645, 1812, 1646, and 1813 for auth and acct in parallel.

Thanks,
Kevin
Upgrading from 1.0.2 to 2.0.0 problems
Greetings,

I have looked at the documentation included with the 2.0 distribution for setting up radius 2.0 and I am either blind, or it doesn't have what I am looking for.

What I am trying to do is set up my main realm to handle either no realm or deal with the default realm. The problem I am having is that I do not wish to proxy it back to itself to handle the realm (puts it in my log twice, and debug shows it re-submitting it back to itself). Where do I look to solve this?

I tried in proxy.conf adding:

realm myrealm.com {
}

and tried, at a different time:

realm myrealm.com {
	auth_pool = my_auth_failover
}

Trying to use the configuration provided as a template. The first causes [EMAIL PROTECTED] to fail, and the second causes it to re-submit it to the server for authentication.

How do I fix this, or where is there some detailed documentation on how to configure this?

Thank you
Wm
Re: SQL query length
Spam Eater wrote:
> Ok, this is certainly a problem for me. I can't change freeradius version (at least not now, maybe in the future) so I assume the only option is to 'exec' external scripts to perform more complex queries, am I right?

It's an option, but not the only one. You can use Perl or Python, too.

> > > f) Can I use multiple 'query' in radius.conf, using the values from a first query to feed the next one?
> >
> > Yes, so long as the output from a query goes into a RADIUS attribute.
>
> Can you please elaborate, Alan, maybe with a small example or pointer to documentation?

There are no variables in the server, so you cannot put values from one query into another. There ARE radius attributes. You can put values from one query into a radius attribute, and use that attribute in another query.

This is much, much, easier in 2.0. See man unlang.

Alan DeKok.
Re: alan's book, or anything new on the horizon
orion wrote:
> then don't keep it under 400. more info is better. (and real examples too)

It's a lot of typing, and a lot of copy-editing.

The main issue with examples is that adding NAS examples is almost impossible. There are dozens of manufacturers, and hundreds of possible configurations.

Adding *FreeRADIUS* examples is easy. But knowing *which* examples are useful to a reader is hard. The best approach I've seen that works is to cover the concepts, and to document the oddities and things that confuse most people. Add a few simple examples to that, and the book is quickly up to 400 pages. i.e. no complex examples, but the tools to figure it out on your own.

Alan DeKok.
Re: how to use both 1645 and 1812?
Kevin J wrote:
> Is there a way to open two ports (1645 and 1812) for auth at the same time? We want to find a way to open 1645, 1812, 1646, and 1813 for auth and acct in parallel.

See the listen directive in radiusd.conf. This is documented.

Alan DeKok.
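What Alan's pointer to the listen directive looks like when written out, as an added example that is not from his reply or from the project's shipped radiusd.conf: four listen sections in a FreeRADIUS 2.0 radiusd.conf, one per socket, so the server answers authentication on both 1645 and 1812 and accounting on both 1646 and 1813. ipaddr = * is an assumption made for the illustration; in a deployment, bind only the address the NAS devices actually reach.

```conf
# radiusd.conf (FreeRADIUS 2.0): one listen section per UDP socket.
# Added example; not copied from the thread or from the project defaults.

listen {
	type = auth
	ipaddr = *      # assumption: bind every interface; narrow this to the NAS-facing address
	port = 1812     # authentication port assigned in RFC 2865
}

listen {
	type = auth
	ipaddr = *
	port = 1645     # legacy authentication port still used by older NAS equipment
}

listen {
	type = acct
	ipaddr = *
	port = 1813     # accounting port assigned in RFC 2866
}

listen {
	type = acct
	ipaddr = *
	port = 1646     # legacy accounting port
}
```

All four sockets share clients.conf, so a NAS still has to be listed there with its shared secret whichever port it sends to; opening the legacy ports does not widen who may talk to the server. Starting the server with radiusd -X prints a line for each socket it opens, which is the quickest check that the extra ports are really bound.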
Re: Upgrading from 1.0.2 to 2.0.0 problems
William wrote:
> What I am trying to do is set up my main realm to handle either no realm or deal with the default realm,

I'm not sure what you mean by that. Do you want those requests to both be proxied, or handled in the local server? Talking about the local server as a main realm confuses things.

> The problem I am having is that I do not wish to proxy it back to itself to handle the realm (puts it in my log twice, and debug shows it re-submitting it back to itself). Where do I look to solve this?

I'm not sure I see a problem. If you have N realms, you can configure each one to be proxied. By default, anything *not* proxied is handled locally.

> Trying to use the configuration provided as a template. The first causes [EMAIL PROTECTED] to fail, and the second causes it to re-submit it to the server for authentication. How do I fix this, or where is there some detailed documentation on how to configure this?

Configure... what, exactly?

I think you're getting stuck on trying to make particular configurations work. You should instead state the requirements as clearly as possible. Odds are that a simple configuration will be straightforward.

Alan DeKok.
Re: Upgrading from 1.0.2 to 2.0.0 problems
On Wednesday 16 January 2008 16:39:38 Alan DeKok wrote:
> Configure... what, exactly?
>
> I think you're getting stuck on trying to make particular configurations work. You should instead state the requirements as clearly as possible. Odds are that a simple configuration will be straightforward.

Fair enough. What I have is one local radius server. We will need to proxy later, but for now, I just want to get local users properly authenticated.

The situation is that we have a lot of legacy users who only enter a username, without realm information, and passwords for their connections. Those work fine. When newer users enter [EMAIL PROTECTED] for their password I need to strip off the realm, and authenticate that user. Our old system used the strip directive to do this. I cannot figure out how 2.0 does this.

The problem becomes that if they put a different realm on the username, we will need to either proxy it (later configuration issue, not for now) or reject it.

We currently use the Linux system password file for authentication, though that is planned for migration to SQL at a later date.

Wm
Re: Upgrading from 1.0.2 to 2.0.0 problems
William wrote:
> The situation is that we have a lot of legacy users who only enter a username, without realm information, and passwords for their connections. Those work fine. When newer users enter [EMAIL PROTECTED] for their password I need to strip off the realm, and authenticate that user.

In 2.0, add the following to proxy.conf:

realm example.com {
}

Once that's done, the default configuration in 2.0 will treat [EMAIL PROTECTED] the same as user. See the debug output, where it shows it stripping the realm.

> Our old system used the strip directive to do this. I cannot figure out how 2.0 does this. The problem becomes that if they put a different realm on the username, we will need to either proxy it (later configuration issue, not for now) or reject it.

Later, add a home server configuration to the realm, and it will be proxied.

Alan DeKok.
Re: Upgrading from 1.0.2 to 2.0.0 problems
On Wednesday 16 January 2008 16:58:09 Alan DeKok wrote:
> William wrote:
> > The situation is that we have a lot of legacy users who only enter a username, without realm information, and passwords for their connections. Those work fine. When newer users enter [EMAIL PROTECTED] for their password I need to strip off the realm, and authenticate that user.
>
> In 2.0, add the following to proxy.conf:
>
> realm example.com {
> }
>
> Once that's done, the default configuration in 2.0 will treat [EMAIL PROTECTED] the same as user. See the debug output, where it shows it stripping the realm.
>
> > Our old system used the strip directive to do this. I cannot figure out how 2.0 does this. The problem becomes that if they put a different realm on the username, we will need to either proxy it (later configuration issue, not for now) or reject it.

That causes anyone using [EMAIL PROTECTED] to fail, yet if they just use username it works. (Debug output below)

rad_recv: Access-Request packet from host 192.168.1.64 port 32775, id=35, length=62
        User-Name = test
        User-Password = mytest4
        NAS-IP-Address = 127.0.0.2
        NAS-Port = 0
        Framed-Protocol = PPP
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
WARNING: Deprecated conditional expansion :-. See man unlang for details
        expand: %{Stripped-User-Name:-%{User-Name}} -> test
    users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password mytest4
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [test/mytest4] (from client flyer port 0)
Sending Access-Accept of id 35 to 192.168.1.64 port 32775
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
Cleaning up request 0 ID 35 with timestamp +7
Ready to process requests.

rad_recv: Access-Request packet from host 192.168.1.64 port 32775, id=43, length=76
        User-Name = [EMAIL PROTECTED]
        User-Password = mytest4
        NAS-IP-Address = 127.0.0.2
        NAS-Port = 0
        Framed-Protocol = PPP
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: Looking up realm netonecom.net for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm netonecom.net
    rlm_realm: Adding Stripped-User-Name = test
    rlm_realm: Proxying request from user test to realm netonecom.net
    rlm_realm: Adding Realm = netonecom.net
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
WARNING: Deprecated conditional expansion :-. See man unlang for details
        expand: %{Stripped-User-Name:-%{User-Name}} -> test
    users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/mytest4] (from client flyer port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> [EMAIL PROTECTED]
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 43 to 192.168.1.64 port 32775
Waking up in 4.9 seconds.
Re: SQL query length
> > Ok, this is certainly a problem for me. I can't change freeradius version (at least not now, maybe in the future) so I assume the only option is to 'exec' external scripts to perform more complex queries, am I right?
>
> It's an option, but not the only one. You can use Perl or Python, too.

Sorry if this seems stupid, but, do you mean that I can embed Perl in radiusd.conf?

> > > > f) Can I use multiple 'query' in radius.conf, using the values from a first query to feed the next one?
> > >
> > > Yes, so long as the output from a query goes into a RADIUS attribute.
> >
> > Can you please elaborate, Alan, maybe with a small example or pointer to documentation?
>
> There are no variables in the server, so you cannot put values from one query into another. There ARE radius attributes. You can put values from one query into a radius attribute, and use that attribute in another query.

How do I set one radius attribute with a value from a query? I think I really need an example here :-/

> This is much, much, easier in 2.0. See man unlang.

Thanks for the tip, I'll try to force into the upgrade asap.

Cheers!
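The pattern Alan describes (query result into an attribute, attribute into the next query), written out as an added example in FreeRADIUS 2.0 unlang; it is not from Alan's reply or from the project's default configuration. It assumes rlm_sql is instantiated under the name sql, which is what provides the %{sql:...} expansion (it returns the first column of the first row), that Tmp-String-0 exists in the internal dictionary, and it invents two tables, userplan(username, plan) and planlimits(plan, session_timeout), purely for the illustration.

```conf
# sites-enabled/default, authorize section (FreeRADIUS 2.0 unlang).
# Added example with invented table and column names:
#   userplan(username, plan)   planlimits(plan, session_timeout)

authorize {
	preprocess
	suffix

	# First query: look up the user's plan and park it in a control attribute.
	# rlm_sql applies its SQL escaping to values expanded inside %{sql:...},
	# so the user-supplied %{User-Name} cannot rewrite the statement.
	update control {
		Tmp-String-0 := "%{sql:SELECT plan FROM userplan WHERE username = '%{User-Name}'}"
	}

	# Stop here rather than fall through with an empty plan.
	if (control:Tmp-String-0 == "") {
		reject
	}

	# Second query: the first result feeds the next lookup, and its result goes into the reply.
	update reply {
		Session-Timeout := "%{sql:SELECT session_timeout FROM planlimits WHERE plan = '%{control:Tmp-String-0}'}"
	}

	files
	pap
}
```

Running radiusd -X shows each expansion with the value it produced, so a lookup that returns an empty string is visible in the debug output before the reject is sent. The same %{sql:...} expansion also exists in 1.1.x, but there it has to be used from the users file or module configuration; the update and if blocks above are 2.0 syntax.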
Re: alan's book, or anything new on the horizon
Hi Alan,

I am curious about your book. When will it be available? Will it be sold at Amazon or other online store?

Thanks!

On Jan 16, 2008 9:23 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> orion wrote:
> > then don't keep it under 400. more info is better. (and real examples too)
>
> It's a lot of typing, and a lot of copy-editing.
>
> The main issue with examples is that adding NAS examples is almost impossible. There are dozens of manufacturers, and hundreds of possible configurations.
>
> Adding *FreeRADIUS* examples is easy. But knowing *which* examples are useful to a reader is hard. The best approach I've seen that works is to cover the concepts, and to document the oddities and things that confuse most people. Add a few simple examples to that, and the book is quickly up to 400 pages. i.e. no complex examples, but the tools to figure it out on your own.
>
> Alan DeKok.
Re: SQL query length
Hi,

> > > option is to 'exec' external scripts to perform more complex queries, am I right?
> >
> > It's an option, but not the only one. You can use Perl or Python, too.
>
> Sorry if this seems stupid, but, do you mean that I can embed Perl in radiusd.conf?

no - you can call PERL from pre-auth, auth, post-auth, accounting etc, at which point the chosen script defined in the PERL section of experimental.conf will be run and the subroutine associated with the call will be run - at which point you can inspect any RADIUS attribute, make a decision and return updated attributes, ok, reject and so on.

alan
Re: Upgrading from 1.0.2 to 2.0.0 problems
Hi,

the first request looks like this. NOTE the test order...

> rad_recv: Access-Request packet from host 192.168.1.64 port 32775, id=35,
>         User-Name = test
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
          ^^^
> ++[suffix] returns noop
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
> rad_check_password: Found Auth-Type
> auth: type PAP
> +- entering group PAP
> rlm_pap: login attempt with password mytest4
> rlm_pap: Using CRYPT encryption.
> rlm_pap: User authenticated successfully
> ++[pap] returns ok
> Login OK: [test/mytest4] (from client flyer port 0)

second test looks like this:

> rad_recv: Access-Request packet from host 192.168.1.64 port 32775, id=43,
>         User-Name = [EMAIL PROTECTED]
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
          ^^^
>     rlm_realm: Looking up realm netonecom.net for User-Name = [EMAIL PROTECTED]
>     rlm_realm: Found realm netonecom.net
>     rlm_realm: Adding Stripped-User-Name = test
>     rlm_realm: Proxying request from user test to realm netonecom.net
>     rlm_realm: Adding Realm = netonecom.net
>     rlm_realm: Authentication realm is LOCAL.
> ++[suffix] returns noop
> WARNING: Deprecated conditional expansion :-. See man unlang for details
>         expand: %{Stripped-User-Name:-%{User-Name}} -> test
>     users: Matched entry DEFAULT at line 172
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

you are calling the unix auth module before suffix - therefore the magic hasn't yet happened. I'd try putting the unix module after the modules that play around with User-Name

alan
Re: radgroupreply do not read (read_groups directive)
OK, since that's correct I had a look at the debug. You are not doing group checking at all. You have done something to sql.conf to break it. Go back to the original sql.conf and just alter the connection details (user, pass, server). Leave the rest as it is (we will sort out simultaneous use later). Default configuration will do group checking.

Remove Auth-Type from the radcheck table - let the server sort it out. Put := as an operator for Simultaneous-Use.

Ivan Kalik
Kalik Informatika ISP

On 16/1/2008, Arlinelson Fernandes dos Santos [EMAIL PROTECTED] wrote:
> Sorry! I was writing this post and correcting the align spaces when I pressed the e by accident. In my usergroup is test-pap. thanks.
Re: XP User/machine accounts
Hi all,

In message [EMAIL PROTECTED], Rupert Finnigan [EMAIL PROTECTED] writes
> Try importing the Certificate to the Local Computer Certificate Store rather than the User one.. On XP, go Start -> Run, and run mmc. Then, go File -> Add/Remove Snap-In and add the Certificates Snap-in and rather than selecting My User Account select Computer Account. You should then be able to import the cert into the local computer's Personal Cert store, and use it on whatever login you want.

That's most of the job done. You may also need to go into HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global and set AuthMode to 2 (this is a REG_SZ). For documentation on this see http://support.microsoft.com/kb/309448 (the hotfix mentioned is long since obsolete - the fix is in Windows XP SP1 and later).

Best wishes,
David

--
David Wood
[EMAIL PROTECTED]
Re: Authorize/authenticate with LDAP
Thierry CHICH wrote:
> I have an access-point, and I want to use EAP/TTLS in order to authenticate people on my LDAP server. The first time, I had then something like that: ...
> in my intel proset, if I am giving a false identity in my roaming profile with a good identity and a good password, it is working. The authorization step doesn't work as I want. The most important problem is that the accounting is using my roaming profile.

Yes. The outer identity is often anonymous, and does not matter for authentication. If you set the User-Name in the Access-Accept, the NAS *should* use that name for accounting, and not the name from the outer identity.

Alan DeKok.
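Alan's two replies to Thierry in this thread (the 1.1.x use_tunneled_reply route in his earlier message, and the point here that a User-Name in the Access-Accept is what drives the NAS's accounting) put together as one added example; it is not from those replies or from the project's shipped eap.conf and inner-tunnel files. It assumes EAP-TTLS (the same use_tunneled_reply option exists in the peap section) and, for the 1.1.x users-file entry, that FreeRADIUS-Proxied-To == 127.0.0.1 is how an inner-tunnel request is recognised.

```conf
# Added example (not from the thread or the project defaults): return the
# inner, authenticated identity as the outer User-Name so the NAS accounts
# for the real user rather than the anonymous outer identity.

# ---- FreeRADIUS 1.1.x ----
# eap.conf: copy the inner (tunneled) reply into the outer Access-Accept.
eap {
	ttls {
		use_tunneled_reply = yes
		# other ttls settings unchanged
	}
}

# users: match only the inner request (assumption: FreeRADIUS-Proxied-To marks it)
# and add User-Name to the inner reply; use_tunneled_reply carries it outward.
DEFAULT	FreeRADIUS-Proxied-To == 127.0.0.1
	User-Name = "%{User-Name}",
	Fall-Through = Yes

# ---- FreeRADIUS 2.0 ----
# sites-enabled/inner-tunnel, post-auth: write straight into the outer reply.
post-auth {
	update outer.reply {
		User-Name := "%{User-Name}"
	}
}
```

In both versions the inner User-Name is the identity that actually passed authentication, so accounting records and Simultaneous-Use checks end up keyed on a name the server has verified instead of whatever the client put in the outer identity. Whether the NAS honours the returned User-Name is up to the NAS, which is why Alan says it *should*; radiusd -X on the accounting packets is the way to confirm it does.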
Re: Looking for some Ascend Max TNT documentation
DEFAULT NAS-IP-Address == so.me.bo.x, Auth-Type := Accept

Ivan Kalik
Kalik Informatika ISP

On 16/1/2008, Chad Whitten [EMAIL PROTECTED] wrote:
> Hello, I run a few NAS devices, all Lucent/Ascend Max TNT with a freeradius server. I'm trying to locate some documentation on the Max TNT to change some options and the site I used to use - hal-pc.org/~ascend doesn't seem to be available any longer. Thought I might try my luck here. What I am needing to do is simply turn off radius authentication for one of the boxes and let anything that connects - connect.
>
> --
> Chad Whitten
> Metro Network Solutions
> (601) 366-6630 Phone
> (601) 366-6066 Fax
> (601) 842-6804 Cellular
> (601) 519-4172 Pager
> [EMAIL PROTECTED]
Re: alan's book, or anything new on the horizon
orion wrote:
> alan, can we have the TOC of the book?

It's still in development, and I'm re-arranging it occasionally. At a high level:

Introduction
Concepts
Participants and their roles
User Devices
NAS
RADIUS Servers
Databases
AAA Overview
Authentication
Authorization
Accounting
Auditing
Conversations
Protocol overview
Message contents
Dictionaries
Security
Participants in more detail
User devices
NAS
RADIUS Servers
Databases
Authentication
The basics
PAP
CHAP
MS-CHAP
Digest
Managing passwords
hashes
protocol compatibility
EAP
EAP-GTC
EAP-MD5
EAP-MSCHAPv2
LEAP
EAP and password storage
EAP-TLS Methods
EAP-TLS
Microsoft Windows requirements
PEAP
EAP-TTLS
Wireless and wired security with EAP
Other authentication protocols
Authorizations
Principles for policy creating
Logging
Role-based authorization
Policy maintenance
Chained policies
Examples
Accounting
Interaction with authorization
Generation of data
Logging of data
Relaying of packets
Simultaneous-Use
RADIUS Server implementations
ACS
OAS
Juniper
OCS
Radiator
FreeRADIUS
Others
Recommendations

- And now we get into FreeRADIUS-specific text. :)

Basic deployments
Installing FreeRADIUS
Configuration files
radiusd.conf
clients.conf
proxy.conf
virtual servers
Starting the server
Debugging
Tracking configuration changes
Test methodology
radiusd.conf
Layout
Processing of requests
authentication
accounting
proxying
Modules
Multiple instances of a module
Redundant and load-balanced modules
simple flow control
unlang
Introduction
Interaction with modules
Examples
clients.conf
proxy.conf
virtual servers
users file
format
sample entries
Dictionaries
ATTRIBUTE definitions
VALUE definitions
VENDOR definitions
Loading other dictionary files
Creating a dictionary file
Special considerations
Debugging a deployment
Tools
Test methods and procedures
EAP testing with eapol_test
Databases
LDAP
Active Directory considerations
SQL
MySQL
Postgresql
Common deployment issues
Windows
AP implementations
RADIUS Servers
LDAP Servers
Security
Network security
Physical security
Configuration security
Methods for policy creation
RADIUS protocol reference
Attributes
Data types
VSA's
Packet types
Module overview
rlm_chap
rlm_digest
...

If you've read this far, I'm impressed. With each topic on a single line like that, it starts to look silly after a while.

The intent, though, is to be the *definitive* reference for not only FreeRADIUS, but also for the protocol, and common use cases. Where other books say things like "Access-Request packets contain requests for access", this one says that, and more. Like common problems people see, common mistakes vendors make, common misunderstandings and how to correct them, and how to work around various issues in practice.

I'm going to try to keep it under 400 pages, but I do think there's enough material to make 400 pages.

Alan DeKok.
Re: radgroupreply do not read (read_groups directive)
Oh my God!!! This problem is killing me!

I restored the original sql.conf and have no Auth-Type in radcheck, nor in the other tables. I put := in Simultaneous-Use. I tested the connection and no groups table was read. The radius log is the same. I installed freeradius on another server and did the same. No radgroupreply.

If you are using the freeradius version 2.0.0-pre1 working with reply attributes to NAS (same as mine), PLEASE!!! Send me the config files. I need to know what is buggy.

> OK, since that's correct I had a look at the debug. You are not doing group checking at all. You have done something to sql.conf to break it. Go back to the original sql.conf and just alter the connection details (user, pass, server). Leave the rest as it is (we will sort out simultaneous use later). Default configuration will do group checking.
>
> Remove Auth-Type from the radcheck table - let the server sort it out. Put := as an operator for Simultaneous-Use.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 16/1/2008, Arlinelson Fernandes dos Santos wrote:
> > Sorry! I was writing this post and correcting the align spaces when I pressed the e by accident. In my usergroup is test-pap. thanks.
Re: Upgrading from 1.0.2 to 2.0.0 problems
[EMAIL PROTECTED] wrote:
> you are calling the unix auth module before suffix - therefore the magic hasn't yet happened. I'd try putting the unix module after the modules that play around with User-Name

i.e. the order in the default configuration is wrong, too. I've fixed it.

Alan DeKok.
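The three pieces of this thread (Alan's "add a realm with no home servers to proxy.conf", his note that a home server turns that realm into a proxied one, and the module-order diagnosis confirmed just above) assembled as one added example for FreeRADIUS 2.0; it is not from the replies or from the project's shipped proxy.conf and sites-enabled/default. The home server address 192.0.2.10, the realm partner.example and the secret value are placeholders.

```conf
# Added example (not the project's own files): FreeRADIUS 2.0 proxy.conf and
# authorize ordering for the case in this thread.

# proxy.conf: a realm with no home servers is handled locally. rlm_realm still
# strips the suffix, so user@example.com authenticates as the local user "user".
realm example.com {
}

# Later, to proxy a foreign realm instead of handling it locally: define a
# home server and a pool, then point the realm at the pool.
home_server partner_auth {
	type = auth
	ipaddr = 192.0.2.10            # placeholder address
	port = 1812
	secret = CHANGE_ME_PLACEHOLDER # placeholder; use a long random shared secret
}

home_server_pool partner_pool {
	type = fail-over
	home_server = partner_auth
}

realm partner.example {
	auth_pool = partner_pool
	nostrip                        # forward the full user@realm to the partner
}

# sites-enabled/default: modules that rewrite User-Name (suffix) run before the
# modules that look the user up (unix, files, sql). With unix ahead of suffix it
# searched for "user@example.com", returned notfound, and the request was
# rejected for lack of a known-good password, exactly as the debug output shows.
authorize {
	preprocess
	chap
	mschap
	suffix
	unix
	files
	expiration
	logintime
	pap
}
```

A request for a realm that appears in neither section is not proxied and falls through to local handling, which is the default Alan describes; the debug output will show "rlm_realm: No such realm" for it, so that case is easy to spot when checking what an unexpected suffix does.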