Re: EAP-TTLS/PAP tunneling issue

2008-02-12 Thread Edwin van Zyl

Hi Alan,

I've configured with the following options: ./configure --enable-debug --enable-developer and re-built, but still don't see the raw data. I've looked at the binary traces and can see that the EAP message contains encrypted application data and the size is less than 100 bytes. Am I configuring with the wrong options?


Thx
Edwin

On 12 Feb 2008, at 5:57 PM, Alan DeKok wrote:


Edwin van Zyl wrote:

Hi Alan,

This is the debug trace


 It doesn't include the raw dump of the contents of the TLS session.
You'll need to re-build the server from source in order to get that,
unfortunately.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Send the Accounting to two servers

2008-02-12 Thread Ashraf Al-Basti

Dear All,
I'm using freeradius as a proxy radius and need to proxy the accounting
to two different servers, can I do that?



RE: Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]

2008-02-12 Thread Ranner, Frank MR
UNCLASSIFIED

> Config as requested - I did uncomment and configure the identity 
> section
> - is this not required?
> 
> ldap {
> #
> #  Note that this needs to match the name in the LDAP
> #  server certificate, if you're using ldaps.
> server = "localhost"
> identity = "cn=Administrator,dc=dxi,dc=net"
> password = trPic4n03
> basedn = "dc=dxi,dc=net"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> #base_filter = "(objectclass=radiusprofile)"
> 
> #  How many connections to keep open to the LDAP server.
> #  This saves time over opening a new LDAP socket for
> #  every authentication request.
> ldap_connections_number = 5
> 
> # seconds to wait for LDAP query to finish. default: 20
> timeout = 4
> 
> #  seconds LDAP server has to process the query (server-side
> #  time limit). default: 20
> #
> #  LDAP_OPT_TIMELIMIT is set to this value.
> timelimit = 3
> 
> #
> #  seconds to wait for response of the server. (network
> #   failures) default: 10
> #
> #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
> net_timeout = 1
> tls {
> # Set this to 'yes' to use TLS encrypted connections
> # to the LDAP database by using the StartTLS extended
> # operation.
> #
> # The StartTLS operation is supposed to be
> # used with normal ldap connections instead of
> # using ldaps (port 689) connections
> start_tls = no
> 
> # cacertfile= /path/to/cacert.pem
> # cacertdir = /path/to/ca/dir/
> # certfile  = /path/to/radius.crt
> # keyfile   = /path/to/radius.key
> # randfile  = /path/to/rnd
> 
> #  Certificate Verification requirements.  Can be:
> #"never" (don't even bother trying)
> #"allow" (try, but don't fail if the certificate
> #   can't be verified)
> #"demand" (fail if the certificate doesn't verify.)
> #
> #   The default is "allow"
> # require_cert  = "demand"
> }
> 
> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> # profile_attribute = "radiusProfileDn"
> # access_attr = "dialupAccess"
> 
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${confdir}/ldap.attrmap
> 
> #  Set password_attribute = nspmPassword to get the
> #  user's password from a Novell eDirectory
> #  backend. This will work ONLY IF FreeRADIUS has been
> #  built with the --with-edir configure option.
> #
> # password_attribute = userPassword

I think you need to un-comment this line --^

Regards,
Frank Ranner
Classification=UNCLASSIFIED
Precedence=ROUTINE

Re: FR2 - proxying inner tunnel

2008-02-12 Thread Dmitry Sergienko

Hi!

The situation gets clearer if the eap module is called in the post-proxy section of
proxy-inner-tunnel:


Wed Feb 13 01:31:41 2008 : Debug: +- entering group post-proxy
Wed Feb 13 01:31:41 2008 : Debug:   modsingle[post-proxy]: calling eap 
(rlm_eap) for request 7
Wed Feb 13 01:31:41 2008 : Debug:   rlm_eap_mschapv2: Passing reply from proxy back into 
the tunnel 0x8185f20 2.

Wed Feb 13 01:31:41 2008 : Debug:   rlm_eap_mschapv2: Authentication succeeded.
Wed Feb 13 01:31:41 2008 : Debug: MSCHAP Success
Wed Feb 13 01:31:41 2008 : Debug:   modsingle[post-proxy]: returned from eap (rlm_eap) for 
request 7

Wed Feb 13 01:31:41 2008 : Debug: ++[eap] returns ok
Wed Feb 13 01:31:41 2008 : Debug:   POST-PROXY 2
Wed Feb 13 01:31:41 2008 : Debug:   POST-AUTH 2


But it still fails to authorize:


Wed Feb 13 03:17:19 2008 : Debug:   rlm_eap_peap: Session established.  Decoding tunneled 
attributes.

  PEAP tunnel data in : 1a 03
Wed Feb 13 03:17:19 2008 : Debug:   rlm_eap_peap: EAP type mschapv2
  PEAP: Got tunneled EAP-Message
EAP-Message = 0x020a00061a03
Wed Feb 13 03:17:19 2008 : Debug:   PEAP: Setting User-Name to aaa
  PEAP: Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "aaa"
State = 0x29fd9dc228f787186321d63394dc60d5
Framed-MTU = 1466
NAS-IP-Address = 192.168.2.3
NAS-Identifier = "D-Link"
Service-Type = Framed-User
NAS-Port = 33
NAS-Port-Type = Ethernet
NAS-Port-Id = "ether3_33"
Called-Station-Id = "00-15-e9-b8-79-dd"
Calling-Station-Id = "00-a9-40-0f-83-a5"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
server proxy-inner-tunnel {
Wed Feb 13 03:17:19 2008 : Debug: +- entering group authorize
Wed Feb 13 03:17:19 2008 : Debug: ++[control] returns notfound
} # server proxy-inner-tunnel
  PEAP: Got tunneled reply RADIUS code 0
Wed Feb 13 03:17:19 2008 : Debug:   PEAP: Calling authenticate in order to initiate 
tunneled EAP session.

Wed Feb 13 03:17:19 2008 : Debug: +- entering group authenticate
Wed Feb 13 03:17:19 2008 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for 
request 8

Wed Feb 13 03:17:19 2008 : Error: rlm_eap: No EAP session matching the State 
variable.
Wed Feb 13 03:17:19 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to 
an unknown EAP-request

Wed Feb 13 03:17:19 2008 : Debug:   rlm_eap: Failed in handler
Wed Feb 13 03:17:19 2008 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) 
for request 8

Wed Feb 13 03:17:19 2008 : Debug: ++[eap] returns invalid


In the normal case the inner tunnel has "EAP-Type = MS-CHAP-V2" and Auth-Type = EAP in
check_items:

Wed Feb 13 03:09:51 2008 : Debug:  EAP-Message = 0x020a00061a03
Wed Feb 13 03:09:51 2008 : Debug:  FreeRADIUS-Proxied-To = 127.0.0.1
Wed Feb 13 03:09:51 2008 : Debug:  User-Name = "aaa"
Wed Feb 13 03:09:51 2008 : Debug:  State = 
0xe314f6cee21eecffcdeca66afa541172
Wed Feb 13 03:09:51 2008 : Debug:  Framed-MTU = 1466
Wed Feb 13 03:09:51 2008 : Debug:  NAS-IP-Address = 192.168.2.3
Wed Feb 13 03:09:51 2008 : Debug:  NAS-Identifier = "D-Link"
Wed Feb 13 03:09:51 2008 : Debug:  Service-Type = Framed-User
Wed Feb 13 03:09:51 2008 : Debug:  NAS-Port = 33
Wed Feb 13 03:09:51 2008 : Debug:  NAS-Port-Type = Ethernet
Wed Feb 13 03:09:51 2008 : Debug:  NAS-Port-Id = "ether3_33"
Wed Feb 13 03:09:51 2008 : Debug:  Called-Station-Id = "00-15-e9-b8-79-dd"
Wed Feb 13 03:09:51 2008 : Debug:  Calling-Station-Id = "00-a9-40-0f-83-a5"
Wed Feb 13 03:09:51 2008 : Debug:  Connect-Info = "CONNECT Ethernet 100Mbps Full 
duplex"
Wed Feb 13 03:09:51 2008 : Debug:  EAP-Type = MS-CHAP-V2

In this (proxied) case the inner tunnel contains only the following attributes:

(gdb) p vp_listdebug(request->packet->vps)
Wed Feb 13 03:15:10 2008 : Debug:  EAP-Message = 0x020a00061a03
Wed Feb 13 03:15:10 2008 : Debug:  FreeRADIUS-Proxied-To = 127.0.0.1
Wed Feb 13 03:15:10 2008 : Debug:  User-Name = "aaa"
Wed Feb 13 03:15:10 2008 : Debug:  State = 
0x7f6817377e620dc906c84fac864d0550
Wed Feb 13 03:15:10 2008 : Debug:  Framed-MTU = 1466
Wed Feb 13 03:15:10 2008 : Debug:  NAS-IP-Address = 192.168.2.3
Wed Feb 13 03:15:10 2008 : Debug:  NAS-Identifier = "D-Link"
Wed Feb 13 03:15:10 2008 : Debug:  Service-Type = Framed-User
Wed Feb 13 03:15:10 2008 : Debug:  NAS-Port = 33
Wed Feb 13 03:15:10 2008 : Debug:  NAS-Port-Type = Ethernet
Wed Feb 13 03:15:10 2008 : Debug:  NAS-Port-Id = "ether3_33"
Wed Feb 13 03:15:10 2008 : Debug:  Called-Station-Id = "00-15-e9-b8-79-dd"
Wed Feb 13 03:15:10 2008 : Debug:  Calling-Station-Id = "00-a9-40-0f-83-a5"
Wed Feb 13 03:15:10 2008 : Debug:  Connect-Info = "CONNECT Ethernet 100Mbps Full 
duplex"

request->check_items contains only the Proxy-To-Realm AVPair.


Dmitry Sergienko wrote:

Thanks for committing patches.
But I have to return to 

Re: FR2 - proxying inner tunnel

2008-02-12 Thread Dmitry Sergienko

Hi!

Alan DeKok wrote:

Dmitry Sergienko wrote:

Thanks for the tip.
successfully_proxied_request() also needs patching:


  Fixed, thanks.


Thanks for committing patches.
But I have to return to the question of proxying EAP-PEAP-MS-CHAPv2. I've spent several 
nights with gdb, radsniff and xsupplicant to figure out why authentication passes on 
eapol_test and fails on the WinXP supplicant. Even tried the Juniper Odyssey 802.1x client :)


The reason authentication fails is the missing EAP-MSCHAP Success packet inside the EAP-PEAP 
response.


Here is a debug output from CVS current snapshot:

Tue Feb 12 23:45:21 2008 : Debug:   PEAP: Tunneled authentication was 
successful.
Tue Feb 12 23:45:21 2008 : Debug:   rlm_eap_peap: SUCCESS
Tue Feb 12 23:45:21 2008 : Debug:   PEAP: Reply was handled
Tue Feb 12 23:45:21 2008 : Debug:   modsingle[post-proxy]: returned from eap (rlm_eap) for 
request 7

Tue Feb 12 23:45:21 2008 : Debug: ++[eap] returns ok
Tue Feb 12 23:45:21 2008 : Debug: +- entering group authorize
.
Tue Feb 12 23:45:21 2008 : Debug: ++[pap] returns noop
Tue Feb 12 23:45:21 2008 : Debug:   rad_check_password:  Found Auth-Type EAP
Tue Feb 12 23:45:21 2008 : Debug:   rad_check_password:  Found Auth-Type
Tue Feb 12 23:45:21 2008 : Error: Warning:  Found 2 auth-types on request for user 
'[EMAIL PROTECTED]'

Tue Feb 12 23:45:21 2008 : Debug:   rad_check_password: Auth-Type = Accept, 
accepting the user
Tue Feb 12 23:45:21 2008 : Auth: Login OK: [EMAIL PROTECTED]/] (from 
client sw-local port 33 cli 00-a9-40-0f-83-a5)

Sending Access-Challenge of id 207 to 192.168.2.3 port 8021
EAP-Message = 
0x010a003b190017030100302dab2609196723fb8eeb007a902318e351b22e5da4aae2777dbb6d788504c8528a4e3950e2239c1a37793f835ff8ce46

Message-Authenticator = 0x
State = 0x2fdece8d28d4d781421b7dc8777de66c



1. We have a duplicate Auth-Type, which seems to be incorrect.
2. We haven't finished the EAP-MSCHAPv2 challenge and return an empty EAP request to the 
supplicant:

/sending EAP-MS-CHAPv2 challenge/
[AUTH TYPE] (EAP-MSCHAPv2) Challenge
[AUTH TYPE] (EAP-MS-CHAPv2) ID : 09
[AUTH TYPE] Authenticator Challenge : 02 71 99 df 1a 3e 5e 4f 5e e6 02 44 46 55 
13 b9
[AUTH TYPE] Generated PeerChallenge : a0 50 6b 66 b1 af ef af c2 cd 19 93 93 fd 
d8 e9
[AUTH TYPE] PeerChallenge : a0 50 6b 66 b1 af ef af
[AUTH TYPE] AuthenticatorChallenge : 02 71 99 df 1a 3e 5e 4f
[AUTH TYPE] Username : aaa
[AUTH TYPE] Challenge : a2 6e 27 64 a4 25 5d 34
[AUTH TYPE] PasswordHash : 75 f1 d2 3f 3a 25 27 c6 bf aa da 3e 93 b3 2a 8b
[AUTH TYPE] Response : a0 bd 3f 60 4c 55 37 09 3f af e8 06 04 5d 74 c1 e8 18 07 6e 90 53 
5f b1
[AUTH TYPE] myvars->NtResponse = a0 bd 3f 60 4c 55 37 09 3f af e8 06 04 5d 74 c1 e8 18 07 
6e 90 53 5f b1
[AUTH TYPE] response->NT_Response = a0 bd 3f 60 4c 55 37 09 3f af e8 06 04 5d 74 c1 e8 18 
07 6e 90 53 5f b1

[AUTH TYPE] Unencrypted return frame :
[AUTH TYPE] Encrypted return frame :
[STATE] [backend_sm] REQUEST -> RESPONSE
[ALL] Frame to be sent (162) :
[STATE] [backend_sm] RESPONSE -> RECEIVE

/receiving response from FreeRADIUS/
[ALL] Got Frame (77) :
000 | 00 a9 40 0f 83 a5 00 15 e9 b8 79 dd 88 8e 01 00 | [EMAIL PROTECTED]
010 | 00 3b 01 0a 00 3b 19 00 17 03 01 00 30 2d ab 26 | .;...;..0-.&
020 | 09 19 67 23 fb 8e eb 00 7a 90 23 18 e3 51 b2 2e | ..g#z.#..Q..
030 | 5d a4 aa e2 77 7d bb 6d 78 85 04 c8 52 8a 4e 39 | ]...w}.mx...R.N9
040 | 50 e2 23 9c 1a 37 79 3f 83 5f f8 ce 46  | P.#..7y?._..F
[ALL] Got EAP-Request for type 25 (EAP_PEAP).
[ALL] Got EAP-Request-Authentication.
[STATE] [backend_sm] RECEIVE -> REQUEST
[ALL] Got EAP-Request for type 25 (EAP_PEAP).
[ALL] Got EAP-Request-Authentication.
[STATE] Building EAPOL-Response-Authentication
[AUTH TYPE] Packet in (54) :
000 | 00 17 03 01 00 30 2d ab 26 09 19 67 23 fb 8e eb | .0-.&..g#...
010 | 00 7a 90 23 18 e3 51 b2 2e 5d a4 aa e2 77 7d bb | .z.#..Q..]...w}.
020 | 6d 78 85 04 c8 52 8a 4e 39 50 e2 23 9c 1a 37 79 | mx...R.N9P.#..7y
030 | 3f 83 5f f8 ce 46   | ?._..F
[AUTH TYPE] Decrypted dump :
000 | 01 0a 00 0b 21 80 03 00 02 00 01| !..
[AUTH TYPE] Decrypted packet returned 11 byte(s)
[AUTH TYPE] Doing PEAP v0!
[AUTH TYPE] Inner packet :
000 | 01 0a 00 0b 21 80 03 00 02 00 01| !..
[AUTH TYPE] Got an EAP extension frame!
[AUTH TYPE] Unencrypted return frame :
000 | 02 0a 00 0b 21 80 03 00 02 00 01| !..
[AUTH TYPE] Encrypted return frame :
000 | 00 17 03 01 00 20 dd 2e 66 ce be ad ab 66 4b 56 | . ..ffKV
010 | 22 21 6e 8f 2c a9 89 fe 3f 99 63 50 da 24 25 9b | "!n.,...?.cP.$%.
020 | 38 56 03 cb 05 1a 17 03 01 00 30 74 f0 f7 c5 09 | 8V0t
030 | 75 c0 ab ec f6 84 9e 97 11 ae ce 63 64 6f e4 27 | u..cdo.'
040 | 4c dc c0 54 b5 b3 23 72 99 96 74 8f 23 dd 8b 45 | L..T..#r..t.#..E
050 | ce dc 7b c0 cf 05 dc 47 b6 ac 8d| ..{G...
[STATE] [backend_sm] REQUEST -> RESPONSE


And here is correct
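The two posts above hinge on reading a few EAP payloads by hand: the supplicant's inner `EAP-Message = 0x020a00061a03`, the decrypted PEAP inner frame `01 0a 00 0b 21 80 03 00 02 00 01`, and the outer `0x010a003b1900170301...` request that carried it. The decoder below, added here as an example and not code from FreeRADIUS, xsupplicant or the posters, parses the RFC 3748 EAP header and then the type-specific body for EAP-MSCHAPv2 (type 26), the PEAPv0 Extensions/Result TLV (type 33) and the outer PEAP (type 25) flags and TLS record headers. Run on the bytes from the thread it shows what the second post diagnoses: the server answered the supplicant's MS-CHAPv2 exchange with an Extensions Request carrying a mandatory Result TLV = Success, without an MS-CHAPv2 Success-Request in between. That MS-CHAPv2 Success packet is where the peer receives the authenticator response it verifies for mutual authentication, so a supplicant that enforces it has nothing to check and drops the session. The byte strings are copied from the thread; all function and constant names are this example's own.

```python
"""Decode the EAP payloads quoted in the PEAP/MS-CHAPv2 traces above.

Added example, not FreeRADIUS or xsupplicant code.  The three byte strings are
taken from the debug output in the thread; the function names and field-layout
notes are this example's own (EAP header per RFC 3748, Extensions/Result TLV
per the PEAPv0 draft).
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {25: "PEAP", 26: "MSCHAPv2", 33: "Extensions"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
RESULT_TLV = 3          # PEAPv0 Extensions TLV type carrying the final result

# Byte strings copied from the thread's debug output (not constructed):
INNER_MSCHAPV2_SUCCESS_RESPONSE = bytes.fromhex("020a00061a03")
INNER_RESULT_TLV_REQUEST = bytes.fromhex("010a000b21800300020001")
OUTER_PEAP_REQUEST = bytes.fromhex(
    "010a003b190017030100302dab2609196723fb8eeb007a902318e351b22e5da4aae277"
    "7dbb6d788504c8528a4e3950e2239c1a37793f835ff8ce46")


def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet: RFC 3748 header, then the type-specific body."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP Length {length} does not match {len(pkt)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                      # Success/Failure carry no Type field
        return out
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    eap_type, body = pkt[4], pkt[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 26:
        out.update(parse_mschapv2(body))
    elif eap_type == 33:
        out["tlvs"] = parse_extension_tlvs(body)
    elif eap_type == 25:
        out.update(parse_peap(body))
    return out


def parse_mschapv2(body: bytes) -> dict:
    """EAP-MSCHAPv2 body: OpCode [, MS-CHAPv2-ID, MS-Length, data].
    A peer's Success/Failure-Response is the bare OpCode, as in the trace."""
    if not body:
        raise ValueError("empty EAP-MSCHAPv2 body")
    out = {"mschapv2_opcode": MSCHAPV2_OPCODES.get(body[0], body[0])}
    if len(body) >= 4:
        out["mschapv2_id"], out["ms_length"] = struct.unpack("!BH", body[1:4])
    return out


def parse_extension_tlvs(body: bytes) -> list:
    """PEAPv0 Extensions body: TLVs of 2-byte M/R/Type, 2-byte Length, Value."""
    tlvs, i = [], 0
    while i + 4 <= len(body):
        type_field, ln = struct.unpack("!HH", body[i:i + 4])
        value = body[i + 4:i + 4 + ln]
        if len(value) != ln:
            raise ValueError("TLV length runs past end of packet")
        tlv = {"mandatory": bool(type_field & 0x8000),
               "type": type_field & 0x3FFF, "value": value}
        if tlv["type"] == RESULT_TLV and ln == 2:
            tlv["result"] = {1: "Success", 2: "Failure"}.get(
                struct.unpack("!H", value)[0], "unknown")
        tlvs.append(tlv)
        i += 4 + ln
    if i != len(body):
        raise ValueError("trailing bytes after last TLV")
    return tlvs


def parse_peap(body: bytes) -> dict:
    """EAP-PEAP body: Flags byte (L M S .. Version), optional 4-byte TLS
    message length when L is set, then TLS records (still encrypted here)."""
    flags = body[0]
    out = {"peap_flags": {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                          "S": bool(flags & 0x20), "version": flags & 0x07}}
    pos = 1
    if flags & 0x80:
        out["tls_message_length"] = struct.unpack("!I", body[1:5])[0]
        pos = 5
    records, data, i = [], body[pos:], 0
    while i + 5 <= len(data):
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[i:i + 5])
        if i + 5 + rlen > len(data):
            raise ValueError("TLS record runs past end of packet")
        records.append({"content_type": ctype, "version": (major, minor),
                        "length": rlen})
        i += 5 + rlen
    out["tls_records"] = records
    return out


if __name__ == "__main__":
    for name, pkt in [("supplicant MSCHAPv2 response", INNER_MSCHAPV2_SUCCESS_RESPONSE),
                      ("server Extensions/Result TLV", INNER_RESULT_TLV_REQUEST),
                      ("outer PEAP request", OUTER_PEAP_REQUEST)]:
        print(name, parse_eap(pkt))
```

The outer packet decodes to a single TLS application-data record (content type 23, TLS 1.0, 48 bytes), which is all `radiusd -X` can show without the `--enable-debug` rebuild mentioned in the first thread; the inner bytes only become readable on the supplicant side or from a developer build.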

Re: Freeradius with OpenLDAP (Suse Enterprise 10)

2008-02-12 Thread Markus Krause

Zitat von David W Bell <[EMAIL PROTECTED]>:

Markus Krause wrote:

Zitat von David W Bell <[EMAIL PROTECTED]>:

Markus Krause wrote:

Zitat von David W Bell <[EMAIL PROTECTED]>:


Markus Krause wrote:

Zitat von David W Bell <[EMAIL PROTECTED]>:


LDAP is installed and working out of the box, having been set to be
used for authentication during the SUSE install.

This is proven by the ability to log in to the box, both locally and via SSH


I installed freeRADIUS from the latest source and it is working also.

freeRADIUS seems unable to find a password for the user during
Authentication.


I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" |
radclient 212.95.255.242:1812 auth testing
Received response ID 99, code 3, length = 20

And see the following from freeRADIUS Listening on authentication
address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
id=99, length=45
User-Name = "belld"
User-Password = "p455w0rd"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-".  See "man
unlang"  for details

expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to   
 localhost:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS
config problem.



what is the result of the following commands (using a terminal):
ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D 
"cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld


if they (especially the latter) do not return a value for the
field  "userPassword" the problem is on the LDAP side.


markus


--   
   This message was sent using https://webmail.biochem.mpg.de

If you encounter any problems please report to [EMAIL PROTECTED]

   

Thanks Markus.

I thought of that - and had done the 1st search and HAD noticed there
was no LDAP password set

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 9
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~>

I thought this was because LDAP was handing that aspect over to
something else but your second command shows a password.

[EMAIL PROTECTED]:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
"cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# fi

Re: multiple NAS's and Mysql

2008-02-12 Thread A . L . M . Buxey
hi,

a single FreeRADIUS server can do this. simply put each range
of NASs into different groups and then use the group and
groupreply tables in the SQL to do your return-code work.

if you can't google for "SQL howto freeradius" then

http://wiki.freeradius.org/SQL_HOWTO#Configuring_FreeRadius_to_use_SQL


if that document does help you enough, then please post
to the list with its weaknesses so that it may be strengthened

that HOWTO link is posted each week on this list. how can we
make it more obvious? (open question to others who struggle
with the SQL and FreeRADIUS)

alan


accounting - no huntgroups

2008-02-12 Thread Phil Mayers
I've never had cause to look at it before, but I discovered today that 
accounting doesn't support huntgroups; specifically, an attempt to match 
on Huntgroup-Name in acct_users


Is this expected? How does one normally specify Acct-Type based on a 
huntgroup, if (say) the Class attribute is already being used?



multiple NAS's and Mysql

2008-02-12 Thread Wayne Lee
Hello List


I'm in the process of setting up a freeradius server to replace the
old icradius box we have.
I can get the server running just fine with Mysql and it's all working
really well but I'm stumped on how to do the following. I have checked
the lists and google for pointers but frankly I'm lost

What I need to be able to do is send back different info based on the
incoming request from a set of NAS's. We have L2TP interconnects from
multiple providers, most of them are very simple but one is different
in that they only require a certain response. They need the following
info

Standard Framed-Protocol PPP
Standard User-Service Framed-User
Standard Tunnel-Server-Endpoint "82.*.*.*"
Cisco   Cisco-AVPair "vpdn:tunnel-id=provider.net"
Standard Tunnel-Type L2TP
Standard Tunnel-Medium-Type IP

How do I send back just this info for this provider? my SQL foo is
rubbish. all other providers send the request direct to my NAS which
then grabs the relevant info from my radius ok.

I could not get this to work in icradius so we had 2 radius server
setup, one for this provider and one for all others

Current versions are (running on Debian sarge at the mo)
freeradius = 1.0.2-4sarge3
freeradius-mysql = 1.0.2-4sarge3
mysql-server = 4.0.24-10sarge

Thanks for your time.

Wayne


Re: connecting to mysql with free radius 2.0.0

2008-02-12 Thread Alan DeKok
johnson elangbam wrote:
>I am using free radius Server 2.0.0 with mysql 4.1.2. I want
> to put the user name and the password in mysql database. I've
> uncommented all the related statements in radiusd.conf and sql.conf,

  See the bottom of radiusd.conf: it loads more configuration files, too.

> including configuration file /usr/local/etc/raddb/sites-enabled/default

  Look in this file for "sql", and un-comment it there, too.

> radiusd:  Loading Virtual Servers 
> server {
>  modules {

  And no reference to the "sql" module.

  Alan DeKok.


Re: Freeradius with OpenLDAP (Suse Enterprise 10)

2008-02-12 Thread David W Bell

Markus Krause wrote:

Zitat von David W Bell <[EMAIL PROTECTED]>:

Markus Krause wrote:

Zitat von David W Bell <[EMAIL PROTECTED]>:


Markus Krause wrote:

Zitat von David W Bell <[EMAIL PROTECTED]>:


LDAP is installed and working out of the box, having been set to be
used for authentication during the SUSE install.

This is proven by the ability to log in to the box, both locally and via SSH


I installed freeRADIUS from the latest source and it is working also.


freeRADIUS seems unable to find a password for the user during
Authentication.


I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" |
radclient 212.95.255.242:1812 auth testing
Received response ID 99, code 3, length = 20

And see the following from freeRADIUS Listening on authentication
address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
id=99, length=45
 User-Name = "belld"
 User-Password = "p455w0rd"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
 rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
 rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-".  See "man  
unlang"  for details
 expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> 
(uid=belld)

 expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to  
localhost:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter 
(uid=belld)

rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you 
sure that

the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
 expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS
config problem.



what is the result of the following commands (using a terminal):
ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D   
"cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld


if they (especially the latter) do not return a value for the  
field  "userPassword" the problem is on the LDAP side.


markus



Thanks Markus.

I thought of that - and had done the 1st search and HAD noticed there
was no LDAP password set

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 9
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~>

I thought this was because LDAP was handing that aspect over to
something else but your second command shows a password.

[EMAIL PROTECTED]:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
"cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld,
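Markus's two ldapsearch commands in the thread above (and Frank Ranner's note in the earlier thread that `password_attribute = userPassword` must be un-commented) come down to one question: does the DN that rlm_ldap binds as, here cn=Administrator as the debug output shows, get userPassword back for the entry? The script below, added as an example and not part of the thread or of FreeRADIUS, is a small LDIF parser that handles comments, `::` base64 values and folded continuation lines, and a comparison that reports which attributes the bound search returned that the anonymous one did not. The LDIF excerpts are constructed (the entry is modelled on the one posted; the password hash is a made-up string), and `parse_ldif`, `compare_attrs` and `diagnose` are this example's own names.

```python
"""Tell an LDAP-side ACL problem from a FreeRADIUS-side one by comparing the
entry an anonymous ldapsearch returns with the one a bound search returns.

Added example, not part of the thread or of FreeRADIUS.  Both LDIF documents
are constructed; the password hash is a made-up placeholder.
"""
import base64

DN = "uid=belld,ou=people,dc=dxi,dc=net"

# Constructed LDIF modelled on the posted entry: the anonymous search returns
# the account but no userPassword (the server's ACLs hide it).
ANON_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=dxi,dc=net> with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
description: constructed example entry, folded across two
  LDIF lines
uid: belld
uidNumber: 1000

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# The search bound as the configured identity additionally returns
# userPassword, which LDIF base64-encodes (the "::" form).  Value is made up.
_FAKE_HASH = "{SSHA}constructed-example-not-a-real-hash"
BOUND_LDIF = ANON_LDIF.replace(
    "uid: belld\n",
    "uid: belld\nuserPassword:: "
    + base64.b64encode(_FAKE_HASH.encode()).decode() + "\n")


def parse_ldif(text: str) -> dict:
    """Return {dn: {attr: [values]}} for every entry in an LDIF document.
    Handles '#' comments, '::' base64 values and folded continuation lines;
    records without a dn (the 'search result' block) are dropped."""
    entries, logical = {}, []

    def flush():
        dn, attrs = None, {}
        for line in logical:
            if line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):          # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = attrs
        logical.clear()

    for raw in text.splitlines():
        if raw == "":
            flush()
        elif raw.startswith(" ") and logical:   # folded line: drop one leading space
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    flush()
    return entries


def compare_attrs(anon: dict, bound: dict, dn: str) -> dict:
    """Attribute names visible only to the bound search, and only to anonymous."""
    a, b = set(anon.get(dn, {})), set(bound.get(dn, {}))
    return {"only_with_bind": sorted(b - a), "only_anonymous": sorted(a - b)}


def diagnose(anon_ldif: str, bound_ldif: str, dn: str,
             password_attr: str = "userPassword") -> str:
    """Classify the result the way the thread's advice does."""
    anon, bound = parse_ldif(anon_ldif), parse_ldif(bound_ldif)
    if dn not in bound:
        return "entry-not-found"             # basedn / filter problem
    if password_attr not in bound[dn]:
        return "no-password-attribute"       # LDAP side: nothing stored to check
    if password_attr not in anon.get(dn, {}):
        return "acl-hides-password"          # fine as long as rlm_ldap binds as that DN
    return "ok"


if __name__ == "__main__":
    print(compare_attrs(parse_ldif(ANON_LDIF), parse_ldif(BOUND_LDIF), DN))
    print(diagnose(ANON_LDIF, BOUND_LDIF, DN))
```

"acl-hides-password" is the healthy state for a directory that refuses anonymous reads of password hashes; it only becomes a FreeRADIUS problem when the module binds anonymously or `password_attribute` is left commented out, in which case rlm_ldap never asks for the attribute and rlm_pap has no "known good" password.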

Re: Different IP Pool per proxied realm

2008-02-12 Thread Alan DeKok
Tony Spencer wrote:
> The only place I found reference to the IP Pool is in the site-enabled
> config file. So I added:
>
> if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") {

  Sorry, that should be "proxy-reply", not "proxy_reply".

> There is an error in the debug when a user tries to login, but it seems to
> run the rule. But it still doesn't seem to assign from the IP pool.

  Again, the debug output makes it clear what is happening:
...
> +- entering group post-auth
> ++? if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254")
> WARNING: Unknown module "proxy_reply" in string expansion

  Yup.  That's a typo.

> "%{proxy_reply:Framed-IP-Address}"
> expand: %{proxy_reply:Framed-IP-Address} ->

  i.e. nothing.

> ? Evaluating ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") ->
> FALSE

  Nothing doesn't match the string "255.255.255.254".

  Again, reading the debug output helps.  There is no magic required to
see a WARNING, and conclude that maybe something is wrong.

  Alan DeKok.


RE: error after updating to freeradius 2.0.1

2008-02-12 Thread Joep Ruiter

>> >  Check that nothing is listening on port 1812, even for IPv6.
>> 
>> Nothing listening except for ssh.
 
>Since ssh is TCP, you know that radius is UDP and you need to check with 
>"netstat -ulnp"


Oops, thanks!

There was indeed another radius-service running. Killed it and the error's gone 
:)
(I now have another error, but I should be able to work that one out myself)

Thanks again, 
Joep Ruiter


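The fix above was to look for UDP listeners rather than TCP ones, and to include IPv6, before assuming port 1812 is free. The script below is an added example (not from the thread, and not a FreeRADIUS tool) that does what `netstat -ulnp` does without depending on the netstat binary: it parses the kernel's `/proc/net/udp` and `/proc/net/udp6` tables, converts the hex host-order addresses, and reports every socket bound to a given port together with the owning PID where readable. The two table excerpts are constructed samples standing in for a host where a second RADIUS daemon already owns 1812/udp; the function names are this example's own.

```python
"""List UDP sockets bound to a port, IPv4 and IPv6, straight from /proc/net.

Added example, not from the thread or FreeRADIUS.  SAMPLE_UDP4/SAMPLE_UDP6 are
constructed and mimic the Linux /proc/net/udp{,6} layout; addresses and ports
are hex (0714 == 1812) in host byte order, one 32-bit word at a time.
"""
import os
import socket
import struct

SAMPLE_UDP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  12: 00000000:0714 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18211 2 0000000000000000 0
  13: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12034 2 0000000000000000 0
"""
SAMPLE_UDP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  14: 00000000000000000000000000000000:0714 00000000000000000000000000000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18455 2 0000000000000000 0
"""


def _hex_ip(hexstr: str) -> str:
    """Kernel hex address -> dotted/colon text.  Each 8-hex-digit word is in
    host byte order, so pack it with native ('=') order before inet_ntop."""
    words = [int(hexstr[i:i + 8], 16) for i in range(0, len(hexstr), 8)]
    raw = b"".join(struct.pack("=I", w) for w in words)
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw)


def parse_proc_udp(table: str) -> list:
    """One dict per socket row; the header line and malformed rows are skipped."""
    rows = []
    for line in table.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):
            continue
        ip_hex, port_hex = f[1].split(":")
        rows.append({"ip": _hex_ip(ip_hex), "port": int(port_hex, 16),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def listeners_on(port: int, udp4_table: str, udp6_table: str) -> list:
    """Every IPv4 and IPv6 UDP socket bound to `port`, in table order."""
    hits = []
    for family, table in (("udp", udp4_table), ("udp6", udp6_table)):
        for row in parse_proc_udp(table):
            if row["port"] == port:
                hits.append(dict(row, family=family))
    return hits


def pid_for_inode(inode: int):
    """What netstat's -p does: scan /proc/<pid>/fd for socket:[inode].
    Returns None when not found or when /proc is not readable (e.g. other users' processes)."""
    target = f"socket:[{inode}]"
    try:
        pids = [p for p in os.listdir("/proc") if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == target:
                    return int(pid)
        except OSError:
            continue
    return None


def read_table(path: str) -> str:
    """Read a /proc table; missing file (no IPv6, non-Linux) counts as empty."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 1812
    print("constructed sample:", listeners_on(port, SAMPLE_UDP4, SAMPLE_UDP6))
    for hit in listeners_on(port, read_table("/proc/net/udp"), read_table("/proc/net/udp6")):
        print("live:", hit, "pid", pid_for_inode(hit["inode"]))
```

An empty live result for 1812 on both tables is the condition Alan's reply asks for; a hit with `ip` of `::` matters as much as one on `0.0.0.0`, since a dual-stack socket bound to `::` also claims the IPv4 port.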


Re: EAP-TTLS/PAP tunneling issue

2008-02-12 Thread Alan DeKok
Edwin van Zyl wrote:
> Hi Alan,
> 
> This is the debug trace

  It doesn't include the raw dump of the contents of the TLS session.
You'll need to re-build the server from source in order to get that,
unfortunately.

  Alan DeKok.


Re: connecting to mysql

2008-02-12 Thread A . L . M . Buxey
Hi,
> hi,
> In order to connect to mysql what are the necessary configuration files
> to be changed.

1.x or 2.x ?

generally, you need to edit radiusd.conf and/or sites-enabled/*
to ensure that the sql.conf is loaded. then you need to edit
sql.conf appropriately

alan


Re: connecting to mysql

2008-02-12 Thread JB

http://wiki.freeradius.org/SQL_HOWTO
JB

johnson elangbam (12.02.2008):

hi,
In order to connect to mysql what are the necessary  
configuration files to be changed.


regards,
Elangbam Johnson









connecting to mysql

2008-02-12 Thread johnson elangbam
hi,
In order to connect to mysql what are the necessary configuration files
to be changed.

regards,
Elangbam Johnson

RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer
The only place I found reference to the IP Pool is in the site-enabled
config file. So I added:



if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") {
main_pool
  }

Since it should only assign from the pool if the Framed-IP-Address we get
back is 255.255.255.254, and not a statically assigned IP.

There is an error in the debug when a user tries to login, but it seems to
run the rule. But it still doesn't seem to assign from the IP pool.
Please could you take a look at the debug and comment/suggest?
 



rad_recv: Access-Request packet from host 127.0.0.1 port 32791, id=155,
length=77
User-Name = "[EMAIL PROTECTED]"
User-Password = "s3cr3t"
NAS-IP-Address = 127.0.0.1
NAS-Port = 111
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Looking up realm "dsl.realm.co.uk" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "dsl.realm.co.uk"
rlm_realm: Proxying request from user grahamdr to realm dsl.realm.co.uk
rlm_realm: Adding Realm = "dsl.realm.co.uk"
rlm_realm: Preparing to proxy authentication request to realm
"dsl.realm.co.uk"
++[suffix] returns updated
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
users: Matched entry DEFAULT at line 8
++[files] returns ok
expand: %{User-Name} -> [EMAIL PROTECTED]
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM radcheck
WHERE username = '[EMAIL PROTECTED]'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = '[EMAIL PROTECTED]'
ORDER BY id
expand: SELECT groupname   FROM usergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY id -> SELECT groupname
FROM usergroup   WHERE username = '[EMAIL PROTECTED]'
ORDER BY id
rlm_sql_mysql: query:  SELECT groupname   FROM usergroup
WHERE username = '[EMAIL PROTECTED]'   ORDER BY id
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User [EMAIL PROTECTED] not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
+- entering group pre-proxy
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m
%d -> /usr/local/var/log/radius/radacct/127.0.0.1/pre-proxy-detail-20080212
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m
%d expands to
/usr/local/var/log/radius/radacct/127.0.0.1/pre-proxy-detail-20080212
expand: %t -> Tue Feb 12 13:22:36 2008
++[pre_proxy_log] returns ok
Sending Access-Request of id 222 to 10.0.0.18 port 1645
User-Name = "[EMAIL PROTECTED]"
User-Password = "s3cr3t"
NAS-IP-Address = 127.0.0.1
NAS-Port = 111
Proxy-State = 0x313535
Proxying request 0 to home server 10.0.0.18 port 1645
Sending Access-Request of id 222 to 10.0.0.18 port 1645
User-Name = "[EMAIL PROTECTED]"
User-Password = "s3cr3t"
NAS-IP-Address = 127.0.0.1
NAS-Port = 111
Realm = "dsl.realm.co.uk"
Realm = "dsl.realm.co.uk"
Proxy-State = 0x313535
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 10.0.0.18 port 1645, id=222,
length=107
Class =
0x5342522d434c20444e3d2232303533363041543d22323030222055533d2053493d
22323838312200
Session-Timeout = 0
Framed-IP-Address = 255.255.255.254  << this should match the rule.
Framed-IP-Netmask = 255.255.255.255
Acct-Interim-Interval = 7200
Framed-Protocol = PPP
Service-Type = Framed-User
Proxy-State = 0x313535
+- entering group post-proxy
expand: %{Realm} -> dsl.realm.co.uk
 attr_filter: Matched entry DEFAULT at line 103
++[attr_filter.post-proxy] returns updated
++[eap] returns noop
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns noop
++[eap] returns noop
users: Matched entry DEFAULT at line 8
++[files] returns ok
expand: %{User-Name} -> [EMAIL PROTECTED]
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}&#

Re: EAP-TTLS/PAP tunneling issue

2008-02-12 Thread Edwin van Zyl

Hi Alan,

This is the debug trace

rad_recv: Access-Request packet from host 127.0.0.1:49483, id=24,  
length=69

User-Name = "edwinvanzyl"
EAP-Message = 0x021001656477696e76616e7a796c
Message-Authenticator = 0xed79f4cc7febfa2e6a5b68d140ee542b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  rlm_eap: EAP packet type response id 0 length 16
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry edwinvanzyl at line 80
  modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 24 to 127.0.0.1 port 49483
EAP-Message = 0x010100061520
Message-Authenticator = 0x
State = 0x59994c8086dcf4cfeabfc31438dbba9d
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:49483, id=25,  
length=135

User-Name = "edwinvanzyl"
State = 0x59994c8086dcf4cfeabfc31438dbba9d
	EAP-Message =  
0x020100401580003a1603010031012d030147b19e11c55051203e70a3b34b02f2af7f42fa8345639d44c65c8f5773ba94aa06002f003300320100

Message-Authenticator = 0x073d25f7a7bfc79e5cfe9044951bf879
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  rlm_eap: EAP packet type response id 1 length 64
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry edwinvanzyl at line 80
  modcall[authorize]: module "files" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0031], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 024f], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 25 to 127.0.0.1 port 49483

RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer
The only other place the main ip pool is mentioned is in the site-enabled
file.
Within post-auth.

post-auth {

main_pool

sql

Post-Auth-Type REJECT {
attr_filter.access_reject
sql
}
}

I'll try and see if I can work it out by "man unlang"; if not, then I may be
posting back.
Sorry...

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 12 February 2008 12:41
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
> 
> I currently have this in radiusd.conf.

  That is NOT the only reference to the "ippool" module.  The IPs get
allocated *somewhere* via a reference to the "main_pool" module.  You
must have edited the configuration files to do this, because it is *not*
enabled in the default configuration.

> I've tried adding the statement before and inside this but even static
> assigned users get an address from the pool.

  Umm... please go read "man unlang".  It is a *policy* language for
*processing* packets.  It does not apply to module configurations.

  See the default configuration files for examples of how to use "if()".

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



Re: EAP-TTLS/PAP tunneling issue

2008-02-12 Thread Alan DeKok
Edwin van Zyl wrote:
> I'm looking for some help with regards to setting up EAP-TTLS. I've
> managed to make some progress, but can't get past the following problem
> which gets printed in the debug logs:
> 
> "rlm_eap_ttls:  Non-RADIUS attribute in tunneled authentication is not
> supported"
>
> The message gets generated when attribute length > 255, but none of the
> attributes I send through are that large.

  Then (a) the code in FreeRADIUS is buggy, or (b) the code in jradius
is buggy, or (c) you actually are sending attributes that are that large.

> I'm using JRadius to simulate Radius traffic over EAP-TTLS/PAP and am
> sending through the following when receiving the message.

  Is jradius sending this?  Because that message *only* gets printed out
 for data inside of the TTLS tunnel.  And the sample packet you show
does not contain enough data to form anything inside of the TTLS tunnel.

  And... most importantly... if the server was built with debugging
symbols (like it usually is), then running in debugging mode would show
you the raw data inside of the TLS tunnel, which would give you (and me)
enough information to decide definitively what's going on.

> Can anyone please assist? 

  Can you post the debug log, as suggested in the FAQ, README, INSTALL,
and daily on this list?

  Honestly... I'm still amazed at the number of people who carefully post
what the client is sending... and then ask "Why does the server not do
what I expect?"  If your car is broken, it is totally pointless to go
examine the road.

  Alan DeKok.


Re: Different IP Pool per proxied realm

2008-02-12 Thread Alan DeKok
Tony Spencer wrote:
> 
> I currently have this in radiusd.conf.

  That is NOT the only reference to the "ippool" module.  The IPs get
allocated *somewhere* via a reference to the "main_pool" module.  You
must have edited the configuration files to do this, because it is *not*
enabled in the default configuration.

> I've tried adding the statement before and inside this but even static
> assigned users get an address from the pool.

  Umm... please go read "man unlang".  It is a *policy* language for
*processing* packets.  It does not apply to module configurations.

  See the default configuration files for examples of how to use "if()".

  Alan DeKok.


Re: EAP session matching the State variable.

2008-02-12 Thread Sebastian Heil

> Norbert Wegener wrote:
> > As usual, Alan has done a great job. After more than 7 eap
> > authentications everything is still working fine.
> > The bug is obviously fixed.
> 
>   !
> 
>   Thanks for the testing.  We can release 2.0.2 this week.
> 
>   Alan DeKok.
> 

After 6 "login oks" I stopped my 4 Perl scripts. Not a single "login 
incorrect"! Nice job, Alan. I am waiting for the official version 2.0.2. :-)

Sebastian


RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer


I currently have this in radiusd.conf.

ippool main_pool {
range-start = 10.0.0.1
range-stop = 10.0.0.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${sysconfdir}/raddb/db.ippool
ip-index = ${sysconfdir}/raddb/db.ipindex
override = yes
maximum-timeout = 0

}

I've tried adding the statement before and inside this but even static
assigned users get an address from the pool.

Thanks
Tony

-Original Message-
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 12 February 2008 11:17
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
> Where do I put this statement

  Where is your current "ippool" module referenced?

> and does override have to be yes or no?

  "yes"

  Alan DeKok.


EAP-TTLS/PAP tunneling issue

2008-02-12 Thread Edwin van Zyl

Hi,

FreeRadius Version 1.1.7

I'm looking for some help with regards to setting up EAP-TTLS. I've  
managed to make some progress, but can't get past the following  
problem which gets printed in the debug logs:


 rlm_eap_ttls: Session established.  Proceeding to decode tunneled  
attributes.
"rlm_eap_ttls:  Non-RADIUS attribute in tunneled authentication is not  
supported"


The message gets generated when attribute length > 255, but none of  
the attributes I send through are that large.


I'm using JRadius to simulate Radius traffic over EAP-TTLS/PAP and am  
sending through the following when receiving the message.



Sending RADIUS Packet:
--
Class: class net.sf.jradius.packet.AccessRequest
Attributes:
User-Name = edwinvanzyl
Tunnel-Password = edwinvzyl09
State = [Binary Data (length=16)]
EAP-Message = [Binary Data (length=79)]
Message-Authenticator = [Binary Data (length=16)]


Can anyone please assist?

Kind Regards,
Edwin

Re: Different IP Pool per proxied realm

2008-02-12 Thread Alan DeKok
Tony Spencer wrote:
> Where do I put this statement

  Where is your current "ippool" module referenced?

> and does override have to be yes or no?

  "yes"

  Alan DeKok.


RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer
Where do I put this statement and does override have to be yes or no?

Thanks in advance

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 12 February 2008 10:33
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
> Is there a way to tell Freeradius to only assign from the pool for the
user
> if the Framed-IP-Address comes back as 255.255.255.254?

$ man unlang

  In 2.0.1:

  if ("%{proxy-reply:Framed-IP-Address}" != "255.255.255.254") {
ippool
  }

  It's pretty much that easy...

  Alan DeKok.


Re: error after updating to freeradius 2.0.1

2008-02-12 Thread Alan DeKok
Joep Ruiter wrote:
...
> This is the full log:
...
> radiusd:  Opening IP addresses and Ports 
> listen {
> type = "auth"
> ipaddr = *
> port = 0
> ERROR: Failed to open socket:
> /etc/freeradius/radiusd.conf[182]: Error binding to port for 0.0.0.0 port
> 1812

  There's a call to "getsockname" which tries to get the *real* IP
address that the server is listening on.  That call is failing.

  I'm not sure why.  I've added a little more logging in CVS head
(2.0.2) which may give some insight, but it won't fix the problem.

  Alan DeKok.


Re: Different IP Pool per proxied realm

2008-02-12 Thread Alan DeKok
Tony Spencer wrote:
> Is there a way to tell Freeradius to only assign from the pool for the user
> if the Framed-IP-Address comes back as 255.255.255.254?

$ man unlang

  In 2.0.1:

  if ("%{proxy-reply:Framed-IP-Address}" != "255.255.255.254") {
ippool
  }

  It's pretty much that easy...

  Alan DeKok.
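As an added illustration, not configuration from this thread or from the FreeRADIUS default files, here is Tony's post-auth section with the conditional Alan describes wrapped around the pool module. It assumes the "main_pool" ippool instance from his radiusd.conf (override = yes) and, following Tony's stated requirement, allocates only when the home server returns the 255.255.255.254 placeholder, so statically assigned users keep the address in the proxied reply.

```unlang
# sites-enabled/default, FreeRADIUS 2.0.x (added example, not from the thread).
# Assumes "main_pool" is the ippool instance defined in radiusd.conf with
# override = yes, so a pool address replaces whatever Framed-IP-Address the
# proxied reply carried.
post-auth {
	# Run the pool only when the home server returned the placeholder.
	# Users with a real static Framed-IP-Address never reach main_pool,
	# so override = yes cannot clobber their address.
	if ("%{proxy-reply:Framed-IP-Address}" == "255.255.255.254") {
		main_pool
	}

	sql

	Post-Auth-Type REJECT {
		attr_filter.access_reject
		sql
	}
}
```

With the condition in place, a reply carrying a static address leaves main_pool un-run, which is visible in debug output as the module never being entered in post-auth.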


Re: eap_tnc.c source not stricly C

2008-02-12 Thread Andrew Hood
Alan DeKok wrote:
> Andrew Hood wrote:
> 
>>I know good style says newbies should lurk before posting, but anyway:
>>
>>Is freeradius supposed to be C89?
> 
> 
>   It's supposed to be as portable as possible.
> 
> 
>>src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c
>>
>>Is full of C++ comments and C99isms.
> 
> 
>   Yes.  Most of those should be fixed.
> 
>   As always, patches are welcome.

OK

-- 
REALITY.SYS not found: Universe halted.


eap_tnc.c.diff.gz
Description: application/gzip

RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer
Everything seems to be working fine with the new upgraded version of
Freeradius.

I've also made progress in assigning from an IP pool for a realm.
However, it seems to be all or nothing: if the reply comes back with a
Framed-IP-Address already set, it gets ignored if I set:

override = yes

in the IP pool section of radiusd.conf.
However some users are supposed to have a static IP address and some dynamic
IP assignment.
Those with no static set come back with the reply:

Session-Timeout = 0
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Acct-Interim-Interval = 7200
Framed-Protocol = PPP
Service-Type = Framed-User
Proxy-State = 0x313832

Is there a way to tell Freeradius to only assign from the pool for the user
if the Framed-IP-Address comes back as 255.255.255.254?

Thanks
Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 11 February 2008 20:42
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
> Right I've now managed to get v2.0.1 working on our radius server.
> Although for some reason it's not logging to radiusd.log.
> Previously we have logged accounting to the log file and the radacct
table.
> If anyone can spare a thought on why this isn't now logging to the
> radiusd.log file I would appreciate it.

  File permissions?  Also see the log{} configuration in radiusd.conf.

> Onto the different IP pool per realm...
> This still doesn't seem to work.
> The debug doesn't show the IP pool being loaded.
> Does this still need to be put into radiusd.conf or the sites-enabled
file?

  You can put everything in radiusd.conf, just like in 1.1.7.

  Alan DeKok.


Re: Freeradius AUTH - Please Read!!!

2008-02-12 Thread Rupert Finnigan
On 12/02/2008, azizbaba <[EMAIL PROTECTED]> wrote:
>
> If your iptables service is running, it does not see any info. Try
> stopping the iptables service on Linux.

Not the best idea... Turn off the firewall and leave your box open for
everyone/anyone to abuse??

If the iptables service is running (and it should be...) then you just
need to create the necessary rules to let the radius traffic in. Doing
a "man iptables" should give a good starting point.


Re: Freeradius AUTH - Please Read!!!

2008-02-12 Thread azizbaba

If your iptables service is running, it does not see any info. Try
stopping the iptables service on Linux.