No EAP Start, assuming it's an on-going EAP conversation

2008-04-12 Thread Johan Nyman
Hello,

- I will look into that book you recommended, Alan, the "O'Reilly book
on OpenSSL". Thanks!

- But for right now, do you have any clues on what I could test or look
at to fix this:

- I have a Linux client trying to connect to FreeRADIUS, and on the
client side I am getting this error message: "CTRL-EVENT-EAP-FAILURE
EAP authentication failed"

- And on the FreeRADIUS console this information is shown:

Called-Station-Id = "00-20-a6-64-c3-b1:MVG-Personal"
Calling-Station-Id = "00-0f-cb-f9-3b-f9;MVG-Personal"
NAS-Identifier = "MVG-1"
State = 0x73e4f46973e6f0393091c54faaf880fd
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200060315
Message-Authenticator = 0x330b306447495e1a49cd5c7cfe5c1c6d
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "easy", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry easy at line 90
expand: Hello, %{User-Name} -> Hello, easy
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/ttls
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Reply-Message = "Hello, easy"
EAP-Message = 0x010300061520
Message-Authenticator = 0x
State = 0x73e4f46972e7e1393091c54faaf880fd
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 153 with timestamp +279
Cleaning up request 1 ID 154 with timestamp +279
Ready to process requests.

- And the client doesn't get/receive an IP address; I am guessing it has
something to do with EAP authentication "No EAP Start".

Thanks for help,

Best regards,

Johan Nyman

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: NAS list update without restarting radius server.

2008-04-12 Thread Ivan Kalik
Yes, you can specify a network, not just single IP address.

Ivan Kalik
Kalik Informatika ISP


Dana 12/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> piše:

>Hi Ivan,
>
>   Thanks for the reply. I think it's starting to sink in. :)
>I have to test out how we'll do a bit of it, but I think I get the
>gist of it. I don't see how any of the netmask, require_message_authenticator
>or virtual_server fit into it... But since I wasn't using it anyway, I
>won't push my luck. ;) (Unless for netmask you're saying the nasname
>could be 192.168.3.0/24)
>
>   Thanks, Tuc
>>
>> nasname on your AP goes into NAS-Identifier field in access request.
>> It's not the same as nasname in nas table which takes NAS IP or FQDN.
>> You can put it in shortname field. "Secret per NAS" = "Secret per NAS
>> IP address".
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> Dana 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> piše:
>>
>> >Hi,
>> >
>> >If I choose DNS name, and I don't fully qualify it,
>> >does it follow the standard BIND rules of using the "domain"
>> >setting, or going down the "search" path?
>> >
>> >Reason I'm trying to avoid the IP or the FQDN is that
>> >I was hoping to use the nasname along with the secret in
>> >the UAM program I'm using for a "Secret per NAS" situation.
>> >The hotspots are already using just a nasname currently (Which
>> >is just something like SBC-1427). (Then again, getting the
>> >client to put all the NAS into DNS is going to be a tough
>> >sell too)
>> >
>> >Thanks, Tuc
>> >>
>> >> IP address (or DNS name) goes into nasname field.
>> >>
>> >> Ivan Kalik
>> >> Kalik Informatika ISP
>> >>
>> >>
>> >> Dana 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> piše:
>> >>
>> >> >Hi,
>> >> >
>> >> > I had actually kept this email in my queue to implement
>> >> >someday. Today is someday. But I have a question.
>> >> >
>> >> > The config file contains IP addresses, which the nas.sql
>> >> >doesn't. How do I sync up the format of the clients.conf with
>> >> >the nas.sql?
>> >> >
>> >> >client nas_shortname {
>> >> > ipaddr = ??
>> >> > (or)
>> >> > ipv6addr = 
>> >> > netmask = 
>> >> > secret = nas_secret
>> >> > require_message_authenticator = 
>> >> > shortname = nas_shortname
>> >> > nastype = nas_type
>> >> > virtual_server = 
>> >> >}
>> >> >
>> >> > Thanks, Tuc
>> >> >>
>> >> >> Hi,
>> >> >>
>> >> >> in sql.conf it says:
>> >> >>
>> >> >> Set readclients to 'yes' to read radius clients from the database
>> >> >> ('nas' table)
>> >> >> Clients will ONLY be read on server startup.  For performance
>> >> >> and security reasons, finding clients via SQL queries CANNOT
>> >> >> be done "live" while the server is running.
>> >> >>
>> >> >> Best,
>> >> >> Walter
>> >> >>
>> >> >>
>> >> >> Am 22.01.2008 um 19:30 schrieb Pawel Cieplinski:
>> >> >>
>> >> >> > Hi there
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > Everything works fine so far, but after adding a new NAS to DB,
>> >> >> > the radius server needs a restart to read this data. I am trying to
>> >> >> > manipulate the nas list without restarting freeradius, but due to lack
>> >> >> > of documentation could you help me with that please.
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > Pawel Cieplinski
>> >
>> >
>> >
>>
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>
>>
>
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
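Ivan's point that a nas-table entry can name a whole network rather than one address has a security consequence worth seeing in code: the secret then covers every NAS in that network. The following is an added Python example, not FreeRADIUS code; the rows are constructed in the shape of the nas table columns the thread talks about (nasname, shortname, secret), and the function names are this example's own. It picks the most specific entry for a packet's source address, the way a host entry inside a /24 should win, and reports how many addresses each secret is valid for.

```python
import ipaddress

# Constructed sample rows shaped like the nas table columns named in the
# thread (nasname, shortname, secret); the values are made up for the example.
NAS_TABLE = [
    {"nasname": "192.168.3.10",   "shortname": "SBC-1427",       "secret": "host-secret-1427"},
    {"nasname": "192.168.3.0/24", "shortname": "hotspots-site3", "secret": "site3-shared"},
    {"nasname": "10.0.0.0/8",     "shortname": "corp",           "secret": "corp-shared"},
]


def load_clients(rows):
    """Parse nasname as a host or a CIDR network and order entries so that the
    most specific prefix is tried first (a host entry inside a /24 wins)."""
    clients = []
    for row in rows:
        net = ipaddress.ip_network(row["nasname"], strict=False)  # host -> /32
        clients.append((net, row))
    clients.sort(key=lambda c: c[0].prefixlen, reverse=True)
    return clients


def find_client(clients, src_ip):
    """Return the nas row whose network contains the packet's source address,
    or None when the NAS is unknown (FreeRADIUS ignores such packets)."""
    addr = ipaddress.ip_address(src_ip)
    for net, row in clients:
        if addr in net:
            return row
    return None


def secret_scope(clients):
    """How many addresses each entry's secret is valid for. A /24 entry means
    one shared secret for every NAS in that network, not one secret per NAS."""
    return {row["shortname"]: net.num_addresses for net, row in clients}


if __name__ == "__main__":
    table = load_clients(NAS_TABLE)
    for ip in ("192.168.3.10", "192.168.3.77", "10.1.2.3", "172.16.0.1"):
        hit = find_client(table, ip)
        print(ip, "->", hit["shortname"] if hit else "unknown NAS, ignored")
    print(secret_scope(table))
```

The scope report is the part to keep in mind when choosing a network entry: a compromised NAS anywhere in 192.168.3.0/24 holds the same secret as every other NAS in that range, so "secret per NAS" in Ivan's sense only holds for single-address entries.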


Re: Generate the SSL certs

2008-04-12 Thread A . L . M . Buxey
Hi,

recommend that you get eg the O'Reilly book on OpenSSL. with a basic
understanding of OpenSSL all of these files and processes
become much more transparent.

> 1. To make a successful EAP/TLS connection I need the following
> certificates:

correct

> 2. And those files are:

with SSL you get various types of files - all of them hold
the same information but show them in different ways. some
platforms need a .pkcs12, others need a .der or a .crt etc

if you read the eap.conf you will clearly see the different
files that FreeRADIUS needs. what you need to give to your clients
depends on the platform involved.

> And then also another file is needed, what does this file do?:
> 
> dh

diffie-hellman  -  http://en.wikipedia.org/wiki/Diffie-Hellman

> And also this, what does this file do?:
> 
> Random

random   - a squawking bird typed the minutes of the last blood-alien
   international chess competition meeting.   how random can you get?

it's a way of ensuring that the keying material really is random.
for some people a large file of junk is random, for others a device
will generate random stuff - either a software device eg /dev/random
or a cryptographic card with a random engine.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
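Alan's two answers (dh = Diffie-Hellman, random = making sure the keying material is unpredictable) side by side in code. This is an added Python example, not FreeRADIUS or OpenSSL code: the dh file's role is played by a toy 64-bit safe prime and generator produced in-code (a real dh file carries 1024-bit or larger parameters, normally produced with openssl dhparam), and the random source is the operating system CSPRNG through the secrets module. The peer-value check in dh_shared is the usual range and subgroup test; the function names and sizes are this example's own.

```python
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test with witnesses drawn from the OS CSPRNG."""
    if n < 4:
        return n >= 2
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_dh_params(bits=64):
    """Toy stand-in for a dh file: a safe prime p = 2q + 1 and a generator of
    the order-q subgroup. These are public; only the exponents are secret."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1  # odd, bits-1 long
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, 4  # 4 = 2^2 is a quadratic residue mod p, so its order is q


def dh_keypair(p, g):
    """Private exponent from the CSPRNG. This is what the 'random' source feeds:
    a predictable exponent lets an observer recover the shared secret."""
    x = 2 + secrets.randbelow(p - 3)
    return x, pow(g, x, p)


def dh_shared(p, x, peer_public):
    """Reject out-of-range and small-subgroup public values before using them."""
    q = (p - 1) // 2
    if not 1 < peer_public < p - 1 or pow(peer_public, q, p) != 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, x, p)


def exchange(p, g):
    """One complete exchange; both sides must arrive at the same secret."""
    xa, ya = dh_keypair(p, g)
    xb, yb = dh_keypair(p, g)
    return dh_shared(p, xa, yb), dh_shared(p, xb, ya)


if __name__ == "__main__":
    p, g = generate_dh_params()
    secret_a, secret_b = exchange(p, g)
    print(f"p has {p.bit_length()} bits, secrets agree: {secret_a == secret_b}")
```

The parameters coming out of generate_dh_params are the analogue of what the dh file holds, and they are safe to publish; what must never be predictable is the exponent each side draws in dh_keypair, which is why the quality of the random source matters more than the size of the "random" file.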


Re: RFC 3576 support

2008-04-12 Thread Arran Cudbard-Bell

Alan DeKok wrote:

Arran Cudbard-Bell wrote:

Ok take eduroam for example. A change in user authorisation at their
home site may result in the generation of a CoA request for the user to
be disconnected at the remote site, this would be proxied by the remote
site's RADIUS server. That same server may also wish to generate its own
CoA request for the same user, because a local IDS system / traffic
analysis probe has detected a bot net etc.. running on their equipment.


  Not at the same time.  The packets will be ordered.  e.g CoA by local
server because of botnet, to put them into a quarantine VLAN.  Then, a
CoA from the remote server, saying that they've just been fired, and
they should be disconnected.

  If it's the other way around, the local system proxies the disconnect
request.  There's no need to put them into a quarantine vlan, because
they've been disconnected.

  The requests *may* rarely happen at about the same time.  But that's
for the NAS to figure out.  It's possible for the NAS to disconnect the
user, ACK that, and then send a NAK to the CoA request, because the user
has been disconnected.


New identifiers are assigned when forwarding RADIUS packets anyway (I'm 
guessing), so there's no problem with conflicts between remotely 
generated and locally generated CoA messages.



  You might need logic on the server to handle these corner cases, but
it's really not much different than out of order accounting packets, for
example.


Quite.

So in your implementation, we'll be able to fork off a CoA request on 
receipt of new accounting data. Or if we need to tie it in with a 
monitoring server, we can just use the RADIUS client and send a CoA 
request to the server which will then proxy it on to the correct NAS.


I guess proxying behavior is arbitrary and decided on by local 
configuration. Routing CoA request through proxy chains is pretty much 
identical as routing standard requests.



Arran



  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
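The ordering corner case Alan describes, as an added Python example (not FreeRADIUS code): a minimal NAS session table that answers Disconnect-Request and CoA-Request packets, ACKing changes to live sessions and NAKing a CoA for a session that has already been torn down. The Error-Cause value 503 (Session Context Not Found) is from RFC 3576; the session id, the VLAN attribute value and both orderings are constructed for the example.

```python
# Error-Cause value from RFC 3576 (Session Context Not Found).
SESSION_CONTEXT_NOT_FOUND = 503


class Nas:
    """Session table of a NAS that receives RFC 3576 dynamic-authorization packets."""

    def __init__(self, sessions):
        # Acct-Session-Id -> current authorization attributes (constructed).
        self.sessions = {sid: dict(attrs) for sid, attrs in sessions.items()}

    def handle(self, packet):
        kind, sid = packet["code"], packet["Acct-Session-Id"]
        family = kind.split("-")[0]  # "CoA" or "Disconnect"
        if sid not in self.sessions:
            # Already disconnected (or never existed): NAK so the sender learns
            # the change was not applied instead of silently dropping it.
            return {"code": f"{family}-NAK", "Acct-Session-Id": sid,
                    "Error-Cause": SESSION_CONTEXT_NOT_FOUND}
        if kind == "Disconnect-Request":
            del self.sessions[sid]
            return {"code": "Disconnect-ACK", "Acct-Session-Id": sid}
        if kind == "CoA-Request":
            self.sessions[sid].update(packet.get("attrs", {}))
            return {"code": "CoA-ACK", "Acct-Session-Id": sid}
        raise ValueError(f"unexpected packet code {kind}")


# Two requests about the same user: one from the local IDS-driven policy
# (move to a quarantine VLAN), one proxied from the home site (disconnect).
QUARANTINE = {"code": "CoA-Request", "Acct-Session-Id": "sess-42",
              "attrs": {"Tunnel-Private-Group-Id": "quarantine"}}
FIRED = {"code": "Disconnect-Request", "Acct-Session-Id": "sess-42"}


def run(order):
    """Deliver the packets in the given order to a fresh NAS holding one
    session; returns the replies and the session table left behind."""
    nas = Nas({"sess-42": {"Tunnel-Private-Group-Id": "staff"}})
    replies = [nas.handle(p) for p in order]
    return replies, nas.sessions


if __name__ == "__main__":
    for label, order in (("quarantine, then fired", [QUARANTINE, FIRED]),
                         ("fired, then quarantine", [FIRED, QUARANTINE])):
        replies, _ = run(order)
        print(label, "->", [r["code"] for r in replies])
```

Either order leaves the user disconnected; the difference is only that in the second order the quarantine CoA is answered with a NAK carrying Error-Cause 503, which is the signal the originating server (or its monitoring integration) should treat as "nothing to do" rather than as a failure to retry.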


RE: SPAM(6.5) Re: NAS list update without restarting radius server.

2008-04-12 Thread Johan Nyman
Hello,


- Can anyone point me in the right direction? I am getting this error
from the client:


"CTRL-EVENT-EAP-FAILURE EAP authentication failed"


- And on the freeradius console I have this:

Called-Station-Id = "00-20-a6-64-c3-b1:MVG-Personal"
Calling-Station-Id = "00-0f-cb-f9-3b-f9;MVG-Personal"
NAS-Identifier = "MVG-1"
State = 0x73e4f46973e6f0393091c54faaf880fd
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200060315
Message-Authenticator = 0x330b306447495e1a49cd5c7cfe5c1c6d
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "easy", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry easy at line 90
expand: Hello, %{User-Name} -> Hello, easy
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/ttls
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Reply-Message = "Hello, easy"
EAP-Message = 0x010300061520
Message-Authenticator = 0x
State = 0x73e4f46972e7e1393091c54faaf880fd
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 153 with timestamp +279
Cleaning up request 1 ID 154 with timestamp +279
Ready to process requests.


- And the client doesn't get an IP address; I am guessing it has something to do
with EAP authentication "No EAP Start".


Thanks very much for help!

Best regards,
Johan Nyman

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
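Decoding the two EAP-Message values in the log above makes the exchange concrete. This is an added Python example, not FreeRADIUS code: the hex strings are the ones in the log, the field layout is the EAP header (code, identifier, length, type) plus the flags byte shared by the EAP-TLS family, and the type table is limited to the methods this page mentions.

```python
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP"}
# Flags byte of the EAP-TLS family (TLS, TTLS, PEAP): L, M and S bits.
FLAG_LENGTH_INCLUDED, FLAG_MORE, FLAG_START = 0x80, 0x40, 0x20

# The two EAP-Message values from the debug log above.
LOG_REQUEST = "0x020200060315"  # what the client sent
LOG_REPLY = "0x010300061520"    # what the server answered


def decode_eap(hex_value):
    """Parse one EAP packet: 4-byte header, then type and type data."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        payload = raw[5:]
        if eap_type == 3:
            # Nak: the peer lists the method types it is willing to use instead.
            info["desired_types"] = [EAP_TYPES.get(t, f"unknown({t})") for t in payload]
        elif eap_type in (13, 21, 25) and payload:
            flags = payload[0]
            info["flags"] = {"start": bool(flags & FLAG_START),
                             "more": bool(flags & FLAG_MORE),
                             "length_included": bool(flags & FLAG_LENGTH_INCLUDED)}
    return info


def describe(hex_value):
    """One-line reading of a packet, in the terms rlm_eap uses in its log."""
    p = decode_eap(hex_value)
    if p.get("type") == "Nak":
        return f"{p['code']} id {p['id']}: Nak, peer asks for {', '.join(p['desired_types'])}"
    if "flags" in p:
        phase = "Start" if p["flags"]["start"] else "fragment"
        return f"{p['code']} id {p['id']}: {p['type']} {phase}"
    return f"{p['code']} id {p['id']}: {p.get('type', 'no type')}"


if __name__ == "__main__":
    print(describe(LOG_REQUEST))  # client rejected the offered method, wants TTLS
    print(describe(LOG_REPLY))    # server answers with a TTLS Start
```

Read this way, the log shows the client answering the server's first offer (type tls, as in "processing type tls") with a Nak naming TTLS, and the server replying with a TTLS Start request; the "No EAP Start" line is rlm_eap noting that the packet is not an EAP-Start from the NAS but part of a conversation already under way, not an error. The CTRL-EVENT-EAP-FAILURE on the client corresponds to an EAP Failure packet (code 4), which does not appear in the rounds shown here, so the problem is in a later round of the TTLS handshake than this log covers.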


Re: NAS list update without restarting radius server.

2008-04-12 Thread Tuc at T-B-O-H.NET
Hi Ivan,

Thanks for the reply. I think it's starting to sink in. :)
I have to test out how we'll do a bit of it, but I think I get the
gist of it. I don't see how any of the netmask, require_message_authenticator
or virtual_server fit into it... But since I wasn't using it anyway, I
won't push my luck. ;) (Unless for netmask you're saying the nasname
could be 192.168.3.0/24)

Thanks, Tuc
>
> nasname on your AP goes into NAS-Identifier field in access request.
> It's not the same as nasname in nas table which takes NAS IP or FQDN.
> You can put it in shortname field. "Secret per NAS" = "Secret per NAS
> IP address".
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> Dana 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> piše:
> 
> >Hi,
> >
> > If I choose DNS name, and I don't fully qualify it,
> >does it follow the standard BIND rules of using the "domain"
> >setting, or going down the "search" path?
> >
> > Reason I'm trying to avoid the IP or the FQDN is that
> >I was hoping to use the nasname along with the secret in
> >the UAM program I'm using for a "Secret per NAS" situation.
> >The hotspots are already using just a nasname currently (Which
> >is just something like SBC-1427). (Then again, getting the
> >client to put all the NAS into DNS is going to be a tough
> >sell too)
> >
> > Thanks, Tuc
> >>
> >> IP address (or DNS name) goes into nasname field.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >>
> >> Dana 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> piše:
> >>
> >> >Hi,
> >> >
> >> >  I had actually kept this email in my queue to implement
> >> >someday. Today is someday. But I have a question.
> >> >
> >> >  The config file contains IP addresses, which the nas.sql
> >> >doesn't. How do I sync up the format of the clients.conf with
> >> >the nas.sql?
> >> >
> >> >client nas_shortname {
> >> >  ipaddr = ??
> >> >  (or)
> >> >  ipv6addr = 
> >> >  netmask = 
> >> >  secret = nas_secret
> >> >  require_message_authenticator = 
> >> >  shortname = nas_shortname
> >> >  nastype = nas_type
> >> >  virtual_server = 
> >> >}
> >> >
> >> >  Thanks, Tuc
> >> >>
> >> >> Hi,
> >> >>
> >> >> in sql.conf it says:
> >> >>
> >> >> Set readclients to 'yes' to read radius clients from the database
> >> >> ('nas' table)
> >> >> Clients will ONLY be read on server startup.  For performance
> >> >> and security reasons, finding clients via SQL queries CANNOT
> >> >> be done "live" while the server is running.
> >> >>
> >> >> Best,
> >> >> Walter
> >> >>
> >> >>
> >> >> Am 22.01.2008 um 19:30 schrieb Pawel Cieplinski:
> >> >>
> >> >> > Hi there
> >> >> >
> >> >> >
> >> >> >
> >> >> > Everything works fine so far, but after adding a new NAS to DB,
> >> >> > the radius server needs a restart to read this data. I am trying to
> >> >> > manipulate the nas list without restarting freeradius, but due to lack
> >> >> > of documentation could you help me with that please.
> >> >> >
> >> >> >
> >> >> >
> >> >> > Pawel Cieplinski
> >
> >
> >
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with proxy-radius function

2008-04-12 Thread banga
e ID MAY be inconsistent
rlm_acct_unique: Hashing ',,'
rlm_acct_unique: Acct-Unique-Session-ID = "101e73bfbe542522".
++[acct_unique] returns ok
expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/192.168.3.84/detail-20080412
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.3.84/detail-20080412
expand: %t -> Sat Apr 12 19:07:58 2008
++[detail] returns ok
+- entering group pre-proxy
expand:
/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.3.84/pre-proxy-detail-20080412
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands
to /var/log/radius/radacct/192.168.3.84/pre-proxy-detail-20080412
expand: %t -> Sat Apr 12 19:07:58 2008
++[pre_proxy_log] returns ok
Acct-Status-Type = Start
User-Name = "[EMAIL PROTECTED]"
Proxy-State = 0x30
Proxying request 0 to home server 192.168.3.86 port 1813
Acct-Status-Type = Start
User-Name = "[EMAIL PROTECTED]"
Proxy-State = 0x30
Going to the next request
Waking up in 0.9 seconds.
Proxy-State = 0x30
+- entering group post-proxy
expand:
/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.3.84/post-proxy-detail-20080412
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.3.84/post-proxy-detail-20080412
expand: %t -> Sat Apr 12 19:07:58 2008
++[post_proxy_log] returns ok
Finished request 0.
Cleaning up request 0 ID 0 with timestamp +10
Going to the next request
Ready to process requests.
Acct-Status-Type = Start
User-Name = "[EMAIL PROTECTED]"
+- entering group preacct
rlm_realm: Looking up realm "test.domain" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "test.domain"
rlm_realm: Proxying request from user test to realm test.domain
rlm_realm: Adding Realm = "test.domain"
rlm_realm: Preparing to proxy accounting request to realm "test.domain" 
++[suffix] returns updated
+- entering group accounting
rlm_acct_unique: WARNING: Attribute 3GPP2-Correlation-Id was not found in
request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in
request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute Calling-Station-Id was not found in
request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',,'
rlm_acct_unique: Acct-Unique-Session-ID = "101e73bfbe542522".
++[acct_unique] returns ok
expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/192.168.3.84/detail-20080412
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.3.84/detail-20080412
expand: %t -> Sat Apr 12 19:07:59 2008
++[detail] returns ok
+- entering group pre-proxy
expand:
/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.3.84/pre-proxy-detail-20080412
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands
to /var/log/radius/radacct/192.168.3.84/pre-proxy-detail-20080412
expand: %t -> Sat Apr 12 19:07:59 2008
++[pre_proxy_log] returns ok
Acct-Status-Type = Start
User-Name = "[EMAIL PROTECTED]"
Proxy-State = 0x30
Proxying request 1 to home server 192.168.3.86 port 1813
Acct-Status-Type = Start
User-Name = "[EMAIL PROTECTED]"
Proxy-State = 0x30
Going to the next request
Waking up in 0.9 seconds.
Ignoring request from unknown home server 192.168.3.86 port 1813
Waking up in 0.9 seconds.
Waking up in 28.9 seconds.
Discarding duplicate request from client localhost port 1349 - ID: 0 due to
unfinished request 1
Waking up in 27.0 seconds.
Discarding duplicate request from client localhost port 1349 - ID: 0 due to
unfinished request 1
Waking up in 24.1 seconds.


Alan DeKok-4 wrote:
> 
> banga wrote:
>> AnyOne?
>> 
>> Error: Rejecting request 20696 due to lack of any response from home
>> server
>> X.X.X.X port 1646
>> Error: Ignoring request from unknown home server X.X.X.X port 1646  
>> How I can fix that ?
> 
>   I think what's happening is that the home server is sending the
> response from the wrong port.  You would have to show *more* of the
> debug log to be sure.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Problem-with-proxy-radius-function-tp16610498p16654065.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Generate the SSL certs

2008-04-12 Thread Johan Nyman
Hello again,

Thanks for that information, 

Read the "README" in the "/raddb/certs" directory and found some very clear
instructions on how to compile/make the certificates.


Could you help me clarify this, so I know I have understood correctly:


1. To make a successful EAP/TLS connection I need the following
certificates:


- Root certificate (stored on the radius server as default in the directory
"/raddb/certs")

- Server certificate (stored on the radius server as default in the
directory "/raddb/certs")

- Client certificate (the user connecting to the radius has this certificate
installed on his computer)


2. And those files are:

Root:

ca.cnf
ca.der
ca.key
ca.pem

Client:

client.cnf
client.crt
client.csr
client.key
client.p12
client.pem


Server:

server.cnf
server.crt
server.csr
server.key
server.p12
server.pem


And then also another file is needed, what does this file do?:

dh


And also this, what does this file do?:

Random




Best regards,
Johan Nyman



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 12 April 2008 19:06
To: FreeRadius users mailing list
Subject: Re: Generate the SSL certs

Hi,
> Hello all,
> 
> There should be a place on the net that hosts official tutorials for
> FreeRadius that are up-to date.
> 
> Then many problems would disappear.

there are several. the best place is wiki.freeradius.org

> I was about to follow this post to get "EAP/TTLS" to work:
> http://www.felipe-alfaro.org/blog/2005/11/01/wpa-enterprise/

some random page from 2005. useful for FreeRADIUS 0.9


if you get the FreeRADIUS 2.0.3 source code, extract it and look
in the directories, you will find within the raddb/certs
directory a set of useful files... such as bootstrap and Makefile

these 2 will, together, create a set of working 30 day demo certs
for a first time install of the server.

of course, if you read them and modify them and /etc/openssl.conf
(or wherever your SSL configuration is held in your distro)
you can have much much more - eg certs that last for as long as you
want with the descriptions you want.

alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Generate the SSL certs

2008-04-12 Thread Alan DeKok
Johan Nyman wrote:
> There should be a place on the net that hosts official tutorials for
> FreeRadius that are up-to date.
> 
> Then many problems would disappear.

  There *is* a place.  It's on the main web page.  It's up to date.  Yet
many people *still* use third-party "howto's" that are years out of date.

  Is there some secret documentation saying "don't read the FreeRADIUS
documentation"?

> Can anyone help me sort out what not to follow in his guide, since it has
> been posted 2005:

  Don't follow any of it.  Read the documentation that comes with
FreeRADIUS, and with the Wiki.

> 1. Generate a new unsigned certificate and its corresponding private key:

  The "INSTALL" file that comes with the server describes how it
automatically creates certificates.  Maybe the binaries for your
distribution don't include this file...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Generate the SSL certs

2008-04-12 Thread A . L . M . Buxey
Hi,
> Hello all,
> 
> There should be a place on the net that hosts official tutorials for
> FreeRadius that are up-to date.
> 
> Then many problems would disappear.

there are several. the best place is wiki.freeradius.org

> I was about to follow this post to get "EAP/TTLS" to work:
> http://www.felipe-alfaro.org/blog/2005/11/01/wpa-enterprise/

some random page from 2005. useful for FreeRADIUS 0.9


if you get the FreeRADIUS 2.0.3 source code, extract it and look
in the directories, you will find within the raddb/certs
directory a set of useful files... such as bootstrap and Makefile

these 2 will, together, create a set of working 30 day demo certs
for a first time install of the server.

of course, if you read them and modify them and /etc/openssl.conf
(or wherever your SSL configuration is held in your distro)
you can have much much more - eg certs that last for as long as you
want with the descriptions you want.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 1.1.7 + AD 2003 + LDAP

2008-04-12 Thread A . L . M . Buxey
Hi,
> Charlie B wrote:
>> Has no one else experienced this issue where reset password confuses 
>> WinXP?  I really don't want to use IAS.  Anyone ideas?
>
> Let me get this straight: You have machines in the domain, users doing 
> domain logins, and wired 802.1x using the domain credentials. When you 
> change a users password, the username/password cached on the client is no 
> longer valid, and they fall off the network.
>
> It's hard to see what else could happen; you've changed their password and 
> given the machine they're logged onto no way of knowing that. Why don't you 
> just let them change their password?
>
> Very likely many resources would continue to be accessible because the 
> credential cache includes a valid kerberos TGT but that isn't used for 
> 802.1x/MS-CHAP - it's the plain username/password.
>
> Whatever happens, the client machine would have to prompt the user for 
> their new username/password.
>
> Does this work with IAS? If so, it may be that there's an error code which 
> can be put in an MS-CHAP-Error attribute. However, very likely Samba would 
> have to generate the error code.
>
> In short, I don't think it's going to work any time soon.

we see the same issue with using machine credentials for wireless login.
the AD will update the password of the machine within the time frame
set in the AD - for us, 90 days..and then when the client attempts
to validate against AD, they have a small discussion to get things
back into sync.  

On the wired this works as it seems that the client will do this over an 
'open' link, however the partnering won't happen over an encrypted link(!) 
- go figure - perhaps to stop it happening over a PPTP VPN link when the user 
is away from work? and therefore the next time the user tries to associate 
to wifi they cannot log in. the only fix is for them to plug into a wired 
socket...
magically wifi works again.

a fix?  none that I have struggled to come up with I'm afraid.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: can't make a rpm from radius sources

2008-04-12 Thread A . L . M . Buxey
Hi,

> I have downloaded freeradius-server-2.0.0.tar.gz and after installing it, I 
> made some code modifications to meet my expectations.
> Then I compiled again from the "src" directory using make && make install; 
> after this, freeradius worked fine, as I intended;
> Now I would like to make an rpm from this modified version that I have.
> Could someone please tell me what steps I should follow in order to achieve 
> this, an rpm from the modified sources.
> I would also like to preserve the modified configurations from the 
> following files: eap.conf and users; and also two dictionaries that I 
> manually added to the share/freeradius directory.

you will need to ensure that you create a .tar.gz file that contains
all of your files as changed.  ie 

untar a native freeradius-server-2.0.0.tar.gz

then into that directory, copy all of the files you've edited
and played with.  then ensure that if dictionaries are named in the
Makefile for install - then add yours to those little files too.

then take the required spec file and on a 3rd party system, copy that tar file
into the SOURCES location and run rpmbuild on the spec file.

if you have problems, then get the latest spec file from the CVS version
of freeradius - or check the archives of this mailing list and grab
the working copy I posted about a week ago.

et voila. your own custom RPM version.   now just update it all to
work with 2.0.3 will you please?  :-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Generate the SSL certs

2008-04-12 Thread Johan Nyman
Hello all,

There should be a place on the net that hosts official tutorials for
FreeRadius that are up-to date.

Then many problems would disappear.


I was about to follow this post to get "EAP/TTLS" to work:
http://www.felipe-alfaro.org/blog/2005/11/01/wpa-enterprise/



Can anyone help me sort out what not to follow in his guide, since it has
been posted 2005:


Are the SSL certificate creation steps that tutorial mentions the same for all
versions, and still up to date? 


1. Generate a new unsigned certificate and its corresponding private key:

openssl req -new -days 365 -newkey rsa:1024 \
  -keyout /etc/pki/CA/sslkey.pem \
  -out /etc/pki/CA/sslcert.pem


2. To sign this certificate:

openssl ca -in /etc/pki/CA/sslcert.pem -out /etc/pki/CA/cert.pem


3. Installing the RADIUS X.509 certificate

The certificate and its corresponding private key, plus the CA certificate,
must be installed into /etc/raddb/certs in order to use EAP-TLS or EAP-TTLS:

Install the RADIUS private key:

mv /etc/pki/CA/sslkey.pem /etc/raddb/certs/RADIUS-key.pem

Install the RADIUS signed X.509 certificate:

mv /etc/pki/CA/cert.pem /etc/raddb/certs/RADIUS-cert.pem

Install the CA certificate:

cp /etc/pki/CA/cacert.pem /etc/raddb/certs/cacert.pem

/etc/pki/CA/sslcert.pem holds the unsigned X.509 RADIUS certificate, so it
can be safely removed:

rm /etc/pki/CA/sslcert.pem



Best regards,
Johan Nyman

Media Vision Group | MVG
Stureplan 4C, 4tr
114 35 Stockholm
Sweden

Tfn: +46-8-463 10 58
Cell:+46-70-992 31 51
Fax: +46-8-463 10 10
E-mail: [EMAIL PROTECTED]
Web: http://www.mediavisiongroup.se




CONFIDENTIALITY AND DISCLAIMER NOTICE

This e-mail, including any attachments, is confidential and intended only for
the addressee. If you are not the intended recipient, please notify us
immediately and delete this e-mail from your system. Any use or disclosure of
the information contained herein is strictly prohibited.





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: 12 April 2008 17:45
To: FreeRadius users mailing list
Subject: SPAM-LOW: SPAM(5.0) Re: EAP/TTLS

Johan Nyman wrote:
> - I'm going to copy back the default "eap.conf" "radiusd.conf" and "users"
> files, so I can start over again with clean files. 

  Good idea.

> - Some tutorials I have followed are old, compared to the new version that I
> have 2.0.3.

  I wish all old tutorials disappeared off of the net.  Since most
started out wrong, getting rid of them isn't a bad idea.

> - Can you give me an example on how I should configure these three files
> "users" "eap.conf" "radius.conf". 
> 
> - The authentication method I am looking for to use is "EAP/TTLS" 

  You do nothing.  See doc/ChangeLog, for version 2.0.0.

> - I have all the certificates ready to go.

  Put them in raddb/certs, in the files mentioned in eap.conf.  Or, edit
eap.conf to point to your certificates.

  The whole point of 2.0 is that you start the server... and almost
everything works.  The tutorials that described endless steps to
configure things were usually wrong to begin with, and are completely
unnecessary in 2.0.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP/TTLS

2008-04-12 Thread Alan DeKok
Johan Nyman wrote:
> - I'm going to copy back the default "eap.conf" "radiusd.conf" and "users"
> files, so I can start over again with clean files. 

  Good idea.

> - Some tutorials I have followed are old, compared to the new version that I
> have 2.0.3.

  I wish all old tutorials disappeared off of the net.  Since most
started out wrong, getting rid of them isn't a bad idea.

> - Can you give me an example on how I should configure these three files
> "users" "eap.conf" "radius.conf". 
> 
> - The authentication method I am looking for to use is "EAP/TTLS" 

  You do nothing.  See doc/ChangeLog, for version 2.0.0.

> - I have all the certificates ready to go.

  Put them in raddb/certs, in the files mentioned in eap.conf.  Or, edit
eap.conf to point to your certificates.

  The whole point of 2.0 is that you start the server... and almost
everything works.  The tutorials that described endless steps to
configure things were usually wrong to begin with, and are completely
unnecessary in 2.0.

  Alan DeKok.


Re: All attributes in rlm_sql_log or rlm_sql ?

2008-04-12 Thread Alan DeKok
Dean Smith wrote:
> Ultimately for the same reasons that rlm_detail exists. I'd like to give my
> ops guys the ability to see all attributes in requests and replies when
> they're debugging or monitoring. We want to maintain all records in a single
> SQL database with access via our existing web frontends...so I'd like the
> same detail as rlm_detail via the SQL modules.

  SQL isn't really the best way to store dozens of lines of text per
request.

> Obviously many ways to achieve it (parse and upload the detail log,
> dedicated perl module etc.) but my scripting/coding is weak so that will
> take me longer.

  rlm_perl, and a special SQL table would likely be best for this.

  Alan DeKok.


Re: Dynamic IP Allocation With Freeradius

2008-04-12 Thread Ivan Kalik
>Dear Friends,
>
>Right now I have a working setup of freeradius with mysql authentication. I have
>static & dynamic groups created in mysql and all seems to be working. Currently
>static IPs are provided by radius with the mysql backend. But dynamic IPs are
>provided by the Cisco Router. The Cisco router is configured as PPPOE/PPPOA. Cisco
>does all authentication with freeradius.
>
>Now what I want is to provide Dynamic IPs with freeradius instead of Cisco. I
>have searched a lot and tried a few settings but that didn't work. Is it possible
>to configure the USERS file and have all dynamic users get their IP dynamically
>using the USERS file? I checked but wasn't successful. Or a solution in mysql itself.
>
>For testing I had activated the config below in radiusd.conf
>
>   ippool main_pool {
>
>#  range-start,range-stop: The start and end ip
>#  addresses for the ip pool
>range-start = 192.168.1.1
>range-stop = 192.168.3.254
>
>#  netmask: The network mask used for the ip's
>netmask = 255.255.255.0
>
>#  cache-size: The gdbm cache size for the db
>#  files. Should be equal to the number of ip's
>#  available in the ip pool
>cache-size = 800
>
># session-db: The main db file used to allocate ip's to clients
>session-db = ${raddbdir}/db.ippool
>
># ip-index: Helper db index file used in multilink
>ip-index = ${raddbdir}/db.ipindex
>
># override: Will this ippool override a Framed-IP-Address 
> already set
>override = no
>
># maximum-timeout: If not zero specifies the maximum time in 
> seconds an
># entry may be active. Default: 0
>maximum-timeout = 0
>}
>
>
>main_pool in accounting & post-auth modules.

All you have to do is add Pool-Name := main_pool as a check item in user
configuration. It doesn't matter whether it is in users or sql. It makes sense to
make a group for dynamic users and add this to radgroupcheck. You should
also consider netmask 255.255.255.255 for PPP users. There is no reason
why they would see each other on the network.

>
>
>doing this and starting the radius gives me segmentation error. 
>

start or HUP?

Ivan Kalik
Kalik informatika ISP



RE: SPAM-LOW: Re: EAP/TTLS

2008-04-12 Thread Johan Nyman
Thanks Ivan!


- Some tutorials I have been following required some settings to be changed
in all those files.

- But probably for older version of FreeRadius then.

- I will re-try again!


Thanks for help,

Best regards,
Johan Nyman


-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
org] On Behalf Of Ivan Kalik
Sent: 12 April 2008 16:35
To: FreeRadius users mailing list
Subject: SPAM-LOW: Re: EAP/TTLS

Just make entries for the users in users file. Instructions are in the
file.

There is nothing to configure in radiusd.conf or eap.conf. You might want
to read through eap.conf if you are thinking of replacing default
certificates or perhaps to copy request to tunnel and reply out.

Only other thing you *need* to configure is clients.conf.

Ivan Kalik
Kalik Informatika ISP


On 12/4/2008, "Johan Nyman" <[EMAIL PROTECTED]> wrote:

>Hello Alan,
>
>
>- I'm going to copy back the default "eap.conf" "radiusd.conf" and "users"
>files, so I can start over again with clean files.
>
>- Some tutorials I have followed are old, compared to the new version that I
>have 2.0.3.
>
>- Can you give me an example on how I should configure these three files
>"users" "eap.con" "radius.conf".
>
>- The authentication method I am looking for to use is "EAP/TTLS"
>
>- I have all the certificates ready to go.
>
>
>Thanks very much for help!
>
>Best regards,
>Johan Nyman
>
>
>
>
>
>
>-Original Message-
>From:
>[EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]
>org] On Behalf Of Alan DeKok
>Sent: 12 April 2008 10:18
>To: FreeRadius users mailing list
>Subject: SPAM-LOW: Re: FW: Hello,
>
>divisionmd wrote:
>> - How do I check if the clients are using PEAP?
>
>  Read the debug log as suggested in the FAQ, README, INSTALL, and daily
>on this list.
>
>> - Don't know if this is the answer to your password question, I have a
>> password in the USERS file and on the client I have entered in the
>> WPA_Supplicant.conf, clear text word.
>>
>> - Then what type of password is it? How do I check that?
>
>  Read the entry you configured in the "users" file?
>
>  Alan DeKok.
>
>
>





Re: EAP/TTLS

2008-04-12 Thread Ivan Kalik
Just make entries for the users in users file. Instructions are in the
file.

There is nothing to configure in radiusd.conf or eap.conf. You might want
to read through eap.conf if you are thinking of replacing default
certificates or perhaps to copy request to tunnel and reply out.

Only other thing you *need* to configure is clients.conf.

Ivan Kalik
Kalik Informatika ISP


On 12/4/2008, "Johan Nyman" <[EMAIL PROTECTED]> wrote:

>Hello Alan,
>
>
>- I'm going to copy back the default "eap.conf" "radiusd.conf" and "users"
>files, so I can start over again with clean files.
>
>- Some tutorials I have followed are old, compared to the new version that I
>have 2.0.3.
>
>- Can you give me an example on how I should configure these three files
>"users" "eap.con" "radius.conf".
>
>- The authentication method I am looking for to use is "EAP/TTLS"
>
>- I have all the certificates ready to go.
>
>
>Thanks very much for help!
>
>Best regards,
>Johan Nyman
>
>
>
>
>
>
>-Original Message-
>From:
>[EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]
>org] On Behalf Of Alan DeKok
>Sent: 12 April 2008 10:18
>To: FreeRadius users mailing list
>Subject: SPAM-LOW: Re: FW: Hello,
>
>divisionmd wrote:
>> - How do I check if the clients are using PEAP?
>
>  Read the debug log as suggested in the FAQ, README, INSTALL, and daily
>on this list.
>
>> - Don't know if this is the answer to your password question, I have a
>> password in the USERS file and on the client I have entered in the
>> WPA_Supplicant.conf, clear text word.
>>
>> - Then what type of password is it? How do I check that?
>
>  Read the entry you configured in the "users" file?
>
>  Alan DeKok.
>
>
>



Dynamic IP Allocation With Freeradius

2008-04-12 Thread Joel @ Gmail
Dear Friends,

Right now I have a working setup of freeradius with mysql authentication. I have
static & dynamic groups created in mysql and all seems to be working. Currently
static IPs are provided by radius with the mysql backend. But dynamic IPs are
provided by the Cisco Router. The Cisco router is configured as PPPOE/PPPOA. Cisco
does all authentication with freeradius.

Now what I want is to provide Dynamic IPs with freeradius instead of Cisco. I
have searched a lot and tried a few settings but that didn't work. Is it possible
to configure the USERS file and have all dynamic users get their IP dynamically
using the USERS file? I checked but wasn't successful. Or a solution in mysql itself.

For testing I had activated the config below in radiusd.conf

   ippool main_pool {

#  range-start,range-stop: The start and end ip
#  addresses for the ip pool
range-start = 192.168.1.1
range-stop = 192.168.3.254

#  netmask: The network mask used for the ip's
netmask = 255.255.255.0

#  cache-size: The gdbm cache size for the db
#  files. Should be equal to the number of ip's
#  available in the ip pool
cache-size = 800

# session-db: The main db file used to allocate ip's to clients
session-db = ${raddbdir}/db.ippool

# ip-index: Helper db index file used in multilink
ip-index = ${raddbdir}/db.ipindex

# override: Will this ippool override a Framed-IP-Address 
already set
override = no

# maximum-timeout: If not zero specifies the maximum time in 
seconds an
# entry may be active. Default: 0
maximum-timeout = 0
}


main_pool in accounting & post-auth modules.


doing this and starting the radius gives me segmentation error. 

Any suggestion please ?


Regards,
Joel

RE: All attributes in rlm_sql_log or rlm_sql ?

2008-04-12 Thread Dean Smith
Ultimately for the same reasons that rlm_detail exists. I'd like to give my
ops guys the ability to see all attributes in requests and replies when
they're debugging or monitoring. We want to maintain all records in a single
SQL database with access via our existing web frontends...so I'd like the
same detail as rlm_detail via the SQL modules.

Obviously many ways to achieve it (parse and upload the detail log,
dedicated perl module etc.) but my scripting/coding is weak so that will
take me longer.

Many thanks for the answers and other suggestions given.

Dean


Dean Smith wrote:
> I guess I'm asking is there an unlang equivalent to this snippet from
> rlm_detail.c. ..

  No.

  I don't see why it makes sense to log all of the attributes as one big
line of text in SQL.  If you need that, it shouldn't be hard to write a
Perl plugin that does it.

  Alan DeKok.


--

Message: 8
Date: Thu, 10 Apr 2008 23:30:12 +0200
From: Alan DeKok <[EMAIL PROTECTED]>
Subject: Re: "Users" accounts file - was: Re: EAP-TTLS (PAP) not
working withNT  domain - debian freeradius 1.1.7
To: FreeRadius users mailing list

Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

James McOrmond wrote:
> So, I figured the users file was a logical place..

  Yes, if it's used, and if the rest of the policy is fine.

> I added a line like this:
> 
> radiustester User-Password := "xoageifo"
> 
> but it's complaining it's not in ldap..

  Run it in debugging mode: radiusd -X.

  Alan DeKok.


--

Message: 9
Date: Thu, 10 Apr 2008 18:45:15 -0400 (EDT)
From: "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]>
Subject: Re: Restrict to initial NAS used to logon
To: freeradius-users@lists.freeradius.org
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

> 
> Tuc at T-B-O-H.NET wrote:
> > Looking to restrict a user to only be able to log in
> > and re-log in to the initial NAS they first ever logged onto.
> > (Hotspot)  Looking at the radacct file where it looks like
> > the check-items normally go against, I'm not seeing anything I
> > can use as an identifier. The nasipaddress is always 0.0.0.0.
> > Maybe calledstationid, except if we swap equipment out during
> > the lifetime of a users id it won't match. 
> > 
> > Is anyone doing anything like this already?
> 
>   They usually use equipment that sends a NAS identifier.
>
Hrm I just originally went on the assumption that the sending
side was partially braindead, and wasn't sending it. Your comment
made me dump a session on 1812 and 1813...
1812:
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x0 (0)
Length: 216
Authenticator: A9A4B05B3C01784A8DF58849DB987135
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: l=5  t=User-Name(1): tuc
AVP: l=18  t=CHAP-Challenge(60): 894209E703975A194529D13926790197
AVP: l=19  t=CHAP-Password(3): 0A6E0AEA789A9A0AF0E2A7F15B04E6A289
AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
AVP: l=6  t=Service-Type(6): Login-User(1)
AVP: l=6  t=Framed-IP-Address(8): 192.168.182.4
AVP: l=19  t=Calling-Station-Id(31): 00-10-A4-10-8D-A6
AVP: l=19  t=Called-Station-Id(30): 00-16-01-91-E9-46
AVP: l=10  t=NAS-Identifier(32): TBOH2173
AVP: l=18  t=Acct-Session-Id(44): 47fe006e
AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=6  t=NAS-Port(5): 0
AVP: l=18  t=Message-Authenticator(80):
F0AE0A9EE7DAC32F9AA6089A5A9C3A70
AVP: l=40  t=Vendor-Specific(26) v=WISPr(14122)

1813:

Radius Protocol
Code: Accounting-Request (4)
Packet identifier: 0x6 (6)
Length: 142
Authenticator: 48DCF71BE50EC2E9ECC17825FB6D2417
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: l=6  t=Acct-Status-Type(40): Start(1)
AVP: l=5  t=User-Name(1): tuc
AVP: l=11  t=Class(25): 303730333435363738
AVP: l=19  t=Calling-Station-Id(31): 00-10-A4-10-8D-A6
AVP: l=19  t=Called-Station-Id(30): 00-16-01-91-E9-46
AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=6  t=NAS-Port(5): 0
AVP: l=10  t=NAS-Port-Id(87): 
AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
AVP: l=10  t=NAS-Identifier(32): TBOH2173
AVP: l=6  t=Framed-IP-Address(8): 192.168.182.4
AVP: l=18  t=Acct-Session-Id(44): 47fe006e


So it looks like it's sending it, just not making it into
the radacct files. :-/ So where to start looking for that?
>
>   Or, use the "Packet-Src-IP-Address" attribute.
> 
That's gonna take a bit of headscratching to figure out
about. :) But thanks for the lead.

Tuc


--



End of Freeradius-Users Digest, Vol 36, Issue 76

EAP/TTLS

2008-04-12 Thread Johan Nyman
Hello Alan,


- I'm going to copy back the default "eap.conf" "radiusd.conf" and "users"
files, so I can start over again with clean files. 

- Some tutorials I have followed are old, compared to the new version that I
have 2.0.3.

- Can you give me an example on how I should configure these three files
"users" "eap.con" "radius.conf". 

- The authentication method I am looking for to use is "EAP/TTLS" 

- I have all the certificates ready to go.


Thanks very much for help!

Best regards,
Johan Nyman






-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
org] On Behalf Of Alan DeKok
Sent: 12 April 2008 10:18
To: FreeRadius users mailing list
Subject: SPAM-LOW: Re: FW: Hello,

divisionmd wrote:
> - How do I check if the clients are using PEAP?

  Read the debug log as suggested in the FAQ, README, INSTALL, and daily
on this list.

> - Don't know if this is the answer to your password question, I have a
> password in the USERS file and on the client I have entered in the
> WPA_Supplicant.conf, clear text word.
> 
> - Then what type of password is it? How do I check that?

  Read the entry you configured in the "users" file?

  Alan DeKok.



Re: NAS list update without restarting radius server.

2008-04-12 Thread Ivan Kalik
nasname on your AP goes into the NAS-Identifier field in the access request.
It's not the same as nasname in the nas table, which takes NAS IP or FQDN.
You can put it in the shortname field. "Secret per NAS" = "Secret per NAS
IP address".

Ivan Kalik
Kalik Informatika ISP

On 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:

>Hi,
>
>   If I choose DNS name, and I don't fully qualify it,
>does it follow the standard BIND rules of using the "domain"
>setting, or going down the "search" path?
>
>   Reason I'm trying to avoid the IP or the FQDN is that
>I was hoping to use the nasname along with the secret in
>the UAM program I'm using for a "Secret per NAS" situation.
>The hotspots are already using just a nasname currently (Which
>is just something like SBC-1427). (Then again, getting the
>client to put all the NAS into DNS is going to be a tough
>sell too)
>
>   Thanks, Tuc
>>
>> IP address (or DNS name) goes into nasname field.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:
>>
>> >Hi,
>> >
>> >I had actually kept this email in my queue to implement
>> >someday. Today is someday. But I have a question.
>> >
>> >The config file contains IP addresses, which the nas.sql
>> >doesn't. How do I sync up the format of the clients.conf with
>> >the nas.sql?
>> >
>> >client nas_shortname {
>> >ipaddr = ??
>> >(or)
>> >ipv6addr = 
>> >netmask = 
>> >secret = nas_secret
>> >require_message_authenticator = 
>> >shortname = nas_shortname
>> >nastype = nas_type
>> >virtual_server = 
>> >}
>> >
>> >Thanks, Tuc
>> >>
>> >> Hi,
>> >>
>> >> in sql.conf it says:
>> >>
>> >> Set readclients to 'yes' to read radius clients from the database
>> >> ('nas' table)
>> >> Clients will ONLY be read on server startup.  For performance
>> >> and security reasons, finding clients via SQL queries CANNOT
>> >> be done "live" while the server is running.
>> >>
>> >> Best,
>> >> Walter
>> >>
>> >>
>> >> On 22.01.2008 at 19:30, Pawel Cieplinski wrote:
>> >>
>> >> > Hi there
>> >> >
>> >> >
>> >> >
>> >> > Everything works fine so far, but after adding a new NAS to the DB,
>> >> > the radius server needs a restart to read this data. I am trying to
>> >> > manipulate the nas list without restarting freeradius, but due to lack
>> >> > of documentation could you help me with that please.
>> >> >
>> >> >
>> >> >
>> >> > Pawel Cieplinski
>
>
>



Re: FW: Hello,

2008-04-12 Thread Alan DeKok
divisionmd wrote:
> - How do I check if the clients are using PEAP?

  Read the debug log as suggested in the FAQ, README, INSTALL, and daily
on this list.

> - Don't know if this is the answer to your password question, I have a
> password in the USERS file and on the client I have entered in the
> WPA_Supplicant.conf, clear text word.
> 
> - Then what type of password is it? How do I check that?

  Read the entry you configured in the "users" file?

  Alan DeKok.


Re: Restrict to initial NAS used to logon

2008-04-12 Thread Ivan Kalik
Not sure what "max access-period" would be? If it relates to a single
session then use Session-Timeout to fix max length. If it relates to
total time allowed then use sqlcounter (which will set Session-Timeout
dynamically). If you are setting a Session-Timeout that will be the same
for a large number of users use groups and set it (once) in radgroupcheck.

You don't have access to nasname (from clients.conf) and it is not
logged in radacct anyway. What you are describing would work if you add
NAS-Identifier to the schema. If you don't want to alter sql schema you
will have to add NAS-Identifier check into radcheck at first logon.
Every other time script will run without doing anything - not very
efficient but ...

Ivan Kalik
Kalik Informatika ISP


On 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:

>Hi,
>
>   I will have to consider the NAS-Identifier replacing NAS-IP-Address.
>This is not for our use, this is at a customer site. I'm leery about using
>a field for something other than its intention (Or adding a field that is
>unexpected) due to the possibility of them installing a package later on
>that has certain expectations of the data being a certain way).
>
>   I later realized that SOMETHING would need to be set in the
>radcheck , but was hoping for it to be a bit "self contained". I
>see things like the Simultaneous use, and the ability to check max
>access-period, and was hoping I could somehow tell the system
>to SELECT the nasname (if that field existed) from radacct, and
>compare against the current nasname from the record. If there was
>no current, go ahead. If there was a current, if it matched go
>ahead. Maybe even something with the COUNT of unique nasname,
>and if it was 0, it's ok. If it's 1, better match the current one.
>>
>> NAS-Identifier is not stored in radacct by default. But you can add it to
>> or replace NAS-IP-Address with it in radacct table and accounting
>> queries.
>>
>> radacct is used for - accounting. You need to put NAS-Identifier check in
>> radcheck to stop users from connecting from other APs. You can run a script
>> at logon to insert it or run outside script at certain intervals that
>> will set it up for you. Anyway you need to:
>>
>> - check radacct if user has logged on before
>> - if not insert NAS-Identifier check into radcheck table with the value
>> of the current request
>>
>> If you add NAS-Identifier field into radacct table you don't need to add
>> anything into radcheck. Just run a script at logon that will:
>>
>> - check radacct to see if user had logged on before
>> - if he had check that value of NAS-Identifier in the request matches the
>> one in radacct table
>>
>   I was trying to avoid as much outside stuff as possible. I guess I
>could perl it if it means that much to me. I was just hoping after seeing
>some of the "sqlcounter" stuff, if there was some way to accomplish it
>that way.
>
>   Thanks, Tuc
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>>
>> On 10/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:
>>
>> >> > Is anyone doing anything like this already?
>> >>
>> >>   They usually use equipment that sends a NAS identifier.
>> >>
>> >Hi,
>> >
>> >Sorry for a second followup, but I just looked over
>> >the radacct file and don't see anywhere that NAS-Identifier would
>> >be stored. Or are you saying that I need to still use the
>> >%{NAS-Identifier} in some sort of check-name?
>> >
>> >Thanks, Tuc
>> >
>> >
>>
>>
>>
>
>
>

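As an added example (not code from the list or from FreeRADIUS itself), the two NAS-pinning procedures Ivan describes above, simulated in Python over an in-memory sqlite3 stand-in for the radcheck and radacct tables. Column names are reduced to what the logic needs, and the NAS-Identifier and Acct-Session-Id values are the ones from Tuc's packet dump in the thread.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the radius SQL DB (reduced columns)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,
                               attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY, username TEXT,
                              acctsessionid TEXT, nasidentifier TEXT);
    """)
    return conn


def pin_on_first_logon(conn, username, nas_identifier):
    """Approach 1 (no NAS-Identifier column in radacct): on the user's first
    logon insert a 'NAS-Identifier == <value>' check item into radcheck, which
    the sql module then enforces. Returns True if a pin was inserted."""
    pinned = conn.execute(
        "SELECT 1 FROM radcheck WHERE username = ? AND attribute = 'NAS-Identifier'",
        (username,)).fetchone()
    seen = conn.execute(
        "SELECT 1 FROM radacct WHERE username = ? LIMIT 1",
        (username,)).fetchone()
    # Already pinned, or logged on before pinning was deployed (the first NAS
    # is unknown then, so do not guess): leave radcheck alone.
    if pinned is not None or seen is not None:
        return False
    conn.execute(
        "INSERT INTO radcheck (username, attribute, op, value) "
        "VALUES (?, 'NAS-Identifier', '==', ?)", (username, nas_identifier))
    conn.commit()
    return True


def check_items_pass(conn, username, request):
    """Evaluate the user's '==' check items against a request dict, the way
    the sql module's check items are matched (only '==' is modelled)."""
    rows = conn.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ?",
        (username,)).fetchall()
    return all(op != "==" or request.get(attr) == value
               for attr, op, value in rows)


def nas_matches_first_session(conn, username, nas_identifier):
    """Approach 2 (radacct extended with a nasidentifier column): compare the
    request's NAS-Identifier with the one recorded for the user's first
    session; a user with no session yet is allowed through."""
    row = conn.execute(
        "SELECT nasidentifier FROM radacct WHERE username = ? "
        "ORDER BY radacctid LIMIT 1", (username,)).fetchone()
    return row is None or row[0] == nas_identifier


def record_start(conn, username, session_id, nas_identifier):
    """Constructed stand-in for the accounting Start query."""
    conn.execute(
        "INSERT INTO radacct (username, acctsessionid, nasidentifier) "
        "VALUES (?, ?, ?)", (username, session_id, nas_identifier))
    conn.commit()


def demo():
    """Run both approaches with the identifiers from Tuc's dump."""
    conn = make_db()
    first = pin_on_first_logon(conn, "tuc", "TBOH2173")   # True: pin created
    record_start(conn, "tuc", "47fe006e", "TBOH2173")
    again = pin_on_first_logon(conn, "tuc", "TBOH2173")   # False: already pinned
    same = check_items_pass(conn, "tuc", {"NAS-Identifier": "TBOH2173"})
    other = check_items_pass(conn, "tuc", {"NAS-Identifier": "OTHER-NAS"})
    acct_same = nas_matches_first_session(conn, "tuc", "TBOH2173")
    acct_other = nas_matches_first_session(conn, "tuc", "OTHER-NAS")
    return first, again, same, other, acct_same, acct_other


if __name__ == "__main__":
    print(demo())  # (True, False, True, False, True, False)
```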


Re: FW: Hello,

2008-04-12 Thread divisionmd

Hello Alan,

Thanks for answering.

- How do I check if the clients are using PEAP?

- Don't know if this is the answer to your password question, I have a
password in the USERS file and on the client I have entered in the
WPA_Supplicant.conf, clear text word.

- Then what type of password is it? How do I check that?


Best regards,
Johan





A.L.M.Buxey wrote:
> 
> hi,
> 
> client using PEAP? how have you stored the password
> and what type of password are you trying to use?
> 
> alan
> 
> 




RE: Stale Sessions

2008-04-12 Thread Ivan Kalik
>Thanks for the reply. However, these are Internet customers coming from
>DSL or Dial up. I assume the Cisco and portmasters are sending unique
>session IDs.
>

Don't assume. Use debug to see what's happening with accounting packets.

Ivan Kalik
Kalik Informatika ISP
