a newbie testing freeradius need help

2008-04-23 Thread jreubens

Hi,

I am a newbie trying to test FreeRADIUS for my master's thesis. I installed
FreeRADIUS two days ago and did some initial testing; the initial test went
through, so the RADIUS server is running properly. Before I move on I wanted
to test the EAP modules, so I tried to test with the help of the eapol_test tool
that comes with wpa_supplicant, but I cannot succeed; I get a failure message. I
am really very new to Linux and to FreeRADIUS. Can someone help me with what I
should do, because I can only move on further with my thesis if and only if
I figure this out.

Thank you for the help; I really appreciate any kind of help or suggestion.

Thanks once again. Below are my conf files and screen output.

HERE IS MY SCREEN OUTPUT FROM THE RADIUS SERVER
Ready to process requests.
User-Name = anonymous
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020e01616e6f6e796d6f7573
Message-Authenticator = 0x948a064fcafc2f8442938817c4f353d7
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
EAP-Message = 0x010100160410a3803def371cc0ea374b74fd8923747b
Message-Authenticator = 0x
State = 0x47545c0a47555820cf82ad36ba08594f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
User-Name = anonymous
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020100060319
State = 0x47545c0a47555820cf82ad36ba08594f
Message-Authenticator = 0x0d125e124530442dfbf043c5d6e55468
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: NAK asked for unsupported type 25
 rlm_eap: No common EAP types found.
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [anonymous/via Auth-Type = EAP] (from client localhost
port 0 cli 02-00-00-00-00-01)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - anonymous
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
EAP-Message = 0x04010004
Message-Authenticator = 0x
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +28
Waking up in 0.9 seconds.
Cleaning up request 1 ID 1 with timestamp +28
Ready to process requests.
User-Name = anonymous
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020e01616e6f6e796d6f7573
Message-Authenticator = 0xfbfadf8ca2d1f2729ac2cabcc17dee20
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop

Re: a newbie testing freeradius need help

2008-04-23 Thread Alan DeKok
jreubens wrote:
 I am newbie trying to test free radius for my master thesis, i installed
 free radius two days ago and did some initial testing, the initial test was
 through so the radius server is running properly, before i move on i wanted
 to test the eap modules, so i tried to test with the help of eapol_test tool
 that comes with the wpasupplicant, i cannot succeed i get failure message.
...
  rlm_eap: NAK asked for unsupported type 25

  The system does not have the proper OpenSSL libraries installed.

  Install OpenSSL, and the development headers.  Then re-build the
server, and PEAP will work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
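The Nak that Alan's diagnosis rests on can be read straight from the hex in the debug output. The decoder below is an added example (not code from FreeRADIUS, wpa_supplicant or the poster): it parses the EAP-Message values printed above and maps EAP type numbers to method names using the IANA assignments, so `0x020100060319` comes out as a Response/Nak asking for type 25, PEAP, in answer to a Request/MD5-Challenge; that is the "No common EAP types found" the server logs before the EAP-Failure (`0x04010004`). It also checks the length field against the bytes present: the Identity response as printed on this page (`0x020e01616e6f6e796d6f7573`) is two bytes shorter than the 14 bytes the log reports for it, so the decoder refuses it rather than guess.

```python
"""Decode the EAP-Message values that `radiusd -X` prints.

Added example, not code from FreeRADIUS, wpa_supplicant or the poster.
The hex strings used below are copied from the debug output in the thread;
the EAP code and type numbers are the IANA assignments (RFC 3748 and the
individual method RFCs).
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2",
}


def decode_eap(hexstr):
    """Parse one EAP packet given as the 0x... string from the debug log."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(raw))
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # A mismatch means the attribute was truncated or mis-copied;
        # refuse rather than guess at the contents.
        raise ValueError("length field says %d, %d bytes present" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):
        return pkt                      # Success/Failure carry no type byte
    if length < 5:
        raise ValueError("Request/Response needs a type byte")
    eap_type, data = raw[4], raw[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        pkt["identity"] = data.decode("ascii", "replace")
    elif eap_type == 3:
        # A Nak lists the types the peer is willing to do instead.
        pkt["wants"] = [EAP_TYPES.get(t, t) for t in data]
    elif eap_type == 4:
        # MD5-Challenge: one value-size byte, the challenge, optional name.
        if not data:
            raise ValueError("MD5-Challenge without value-size byte")
        vsize = data[0]
        pkt["challenge"] = data[1:1 + vsize].hex()
        pkt["name"] = data[1 + vsize:].decode("ascii", "replace")
    return pkt


def negotiation_result(request_hex, response_hex):
    """Compare what the server offered with what the peer answered.

    Returns (offered, wanted, common); 'common' is empty exactly when
    rlm_eap logs 'No common EAP types found' and rejects the user.
    """
    req, resp = decode_eap(request_hex), decode_eap(response_hex)
    offered = req["type"]
    wanted = resp["wants"] if resp.get("type") == "Nak" else [resp["type"]]
    common = [t for t in wanted if t == offered]
    return offered, wanted, common


if __name__ == "__main__":
    challenge = "0x010100160410a3803def371cc0ea374b74fd8923747b"  # server's MD5 challenge
    nak = "0x020100060319"                                        # peer's Nak
    for h in (challenge, nak, "0x04010004"):                      # last one: EAP-Failure
        print(h, "->", decode_eap(h))
    print(negotiation_result(challenge, nak))
```

The server offered MD5 because that is the default EAP type when the TLS-based methods are not compiled in; the supplicant was configured for PEAP and could only Nak. After rebuilding against OpenSSL, the first Request should be type 25 and the supplicant's answer should be a PEAP Response rather than a Nak.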


Re: Multiple instances of attribute in tunnelled reply

2008-04-23 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Hi,
 
 We formulate our reply inside of the virtual server dealing with EAP and
 send it back to the outer server. This is the only way I could think of
 to insert the Inner identity into the Access-Accept.

...
update outer.reply {
User-Name := foo
}
...

 It all works
 fine... however it seems there's a bug when dealing with multiple
 instances of the same attribute.

  Ah the code in unlang was fixed to correct this problem.  The
basic API used in the basic RADIUS library wasn't fixed.

  Ok... I'll take a look at it when I get back from my current trip.

 What's really weird is in the previous rounds of EAP, the attributes
 retain the += operator, it's only in the one where the EAP-Success
 message is returned where all the operators are stripped out.

  Yes.  copy everything, versus merge via operators.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple instances of attribute in tunnelled reply

2008-04-23 Thread Arran Cudbard-Bell

Alan DeKok wrote:

 Arran Cudbard-Bell wrote:

  Hi,

  We formulate our reply inside of the virtual server dealing with EAP and
  send it back to the outer server. This is the only way I could think of
  to insert the Inner identity into the Access-Accept.

  ...
  update outer.reply {
  User-Name := foo
  }
  ...

Hmm, it's complicated... there are authorisation issues too.

  It all works
  fine... however it seems there's a bug when dealing with multiple
  instances of the same attribute.

   Ah the code in unlang was fixed to correct this problem.  The
 basic API used in the basic RADIUS library wasn't fixed.

   Ok... I'll take a look at it when I get back from my current trip.

Ok, that helps; I didn't realise it was fixed in unlang. At least I can get
some dynamic ACL testing done.

  What's really weird is in the previous rounds of EAP, the attributes
  retain the += operator, it's only in the one where the EAP-Success
  message is returned where all the operators are stripped out.

   Yes.  copy everything, versus merge via operators.

Yep.

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Thanks,
Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: a newbie testing freeradius need help

2008-04-23 Thread jennie susan
Thank you Alan for your time,

As I mentioned before, I am new to Linux too. I had installed OpenSSL already,
and the libraries are in the /usr/local/lib folder.

I don't know how to enable this (path) in the server, because I guess there is
another OpenSSL (older version) installed; I had this problem when making the
eapol_test tool, then I installed the newer version in the specified directory.

Then how can I restart radiusd? Is it OK to kill the daemon and then start
it again? Sorry for this naive question.

Thank you once again for the time you are taking for me,

BR,
Jreuben

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

802.1x+WLAN and radtest

2008-04-23 Thread Dr.Peer-Joachim Koch

Hi,

we are using one RADIUS server for external users to get
access to an 802.1x WLAN.
The RADIUS server is configured to look for the domain
and only answer local requests or those from our domain.
Everything else is forwarded to a central instance (using
proxy.conf).

Now I have a strange problem:
When I use our local domain, radtest and the WLAN are working
fine.
When I try to use an external domain account,
radtest says OK, but using the same account
for the WLAN will fail.

How can I debug this error?

--
Bye,
Peer
_
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str. 10        Telefon: ++49 3641 57-6705
D-07745 Jena              Telefax: ++49 3641 57-7705
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 802.1x+WLAN and radtest

2008-04-23 Thread Ivan Kalik
radiusd -X

Ivan Kalik
Kalik Informatika ISP


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: a newbie testing freeradius need help

2008-04-23 Thread Nicolas Goutte


On 23.04.2008 at 10:56, jennie susan wrote:

 Thank you Alan for your time,

 As I mentioned before, I am new to Linux too. I had installed
 OpenSSL already and the libraries are in the /usr/local/lib folder.

 I don't know how to enable this (path) in the server, because I
 guess there is another OpenSSL (older version) installed; I had
 this problem when making the eapol_test tool, then I installed the newer
 version in the specified directory.

You could use the LD_LIBRARY_PATH environment variable to set the
path where to find a library.

Be careful that this feature might be disabled by the Linux
distribution that you are using (mainly due to security reasons).

In that case you have to change /etc/ld.so.conf (or something like
that).

 Then how can I restart radiusd? Is it OK to kill the daemon and
 then start it again? Sorry for this naive question.

As far as I know it is the recommended way.



Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap/peap certificate problems?

2008-04-23 Thread David Hláčik
Great, but it was not the case for FreeRADIUS 1.x, which I was using and
discussing all the time.

Regards,
D.

2008/4/22 Alan DeKok [EMAIL PROTECTED]:

 David Hláčik wrote:
  i did a lot of reading about certificate generation,

  This just kills me.

  2.0 ships with scripts to create certificates, and documentation
 saying that this is what it does.

  The Wiki also has a page describing certificate creation.  Go to the
 find dialog, and type certificates.  You'll be taken directly to a
 page documenting these things.

  Alan DeKok.
  -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 802.1x+WLAN and radtest

2008-04-23 Thread Dr.Peer-Joachim Koch

Hi,

enclosed is the output from radiusd -X,

first using radtest, then switching to the WLAN with the
same username and password:

=radiusd -X out

rad_recv: Access-Request packet from host 141.5.16.151:2234, id=228, 
length=68

User-Name = [EMAIL PROTECTED]
User-Password = PASSWD
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module preprocess returns ok for request 7
radius_xlat:  '/var/log/radius/radacct/141.5.16.151/auth-detail-20080423'
rlm_detail: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands 
to /var/log/radius/radacct/141.5.16.151/auth-detail-20080423

  modcall[authorize]: module auth_log returns ok for request 7
  modcall[authorize]: module mschap returns noop for request 7
rlm_realm: Looking up realm ice.mpg.de for User-Name = 
[EMAIL PROTECTED]

rlm_realm: Found realm DEFAULT
rlm_realm: Proxying request from user pkoch to realm DEFAULT
rlm_realm: Adding Realm = DEFAULT
rlm_realm: Preparing to proxy authentication request to realm DEFAULT
  modcall[authorize]: module suffix returns updated for request 7
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 7
  modcall[authorize]: module files returns notfound for request 7
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat:  'uid=_'
radius_xlat:  'dc=bgc-jena, dc=mpg, dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=bgc-jena, dc=mpg, dc=de, with filter uid=_
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 7
modcall: leaving group authorize (returns updated) for request 7
Sending Access-Request of id 6 to 193.174.75.134 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = PASSWD
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
Proxy-State = 0x323238
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 193.174.75.134:1812, id=6, 
length=25

Proxy-State = 0x323238
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 7
 attr_filter: Matched entry DEFAULT at line 103
  modcall[post-proxy]: module attr_filter returns updated for request 7
  modcall[post-proxy]: module eap returns noop for request 7
modcall: leaving group post-proxy (returns updated) for request 7
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module preprocess returns ok for request 7
radius_xlat:  '/var/log/radius/radacct/141.5.16.151/auth-detail-20080423'
rlm_detail: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands 
to /var/log/radius/radacct/141.5.16.151/auth-detail-20080423

  modcall[authorize]: module auth_log returns ok for request 7
  modcall[authorize]: module mschap returns noop for request 7
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module suffix returns noop for request 7
  modcall[authorize]: module eap returns noop for request 7
  modcall[authorize]: module files returns notfound for request 7
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat:  'uid=_'
radius_xlat:  'dc=bgc-jena, dc=mpg, dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=bgc-jena, dc=mpg, dc=de, with filter uid=_
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 7
modcall: leaving group authorize (returns ok) for request 7
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 7
  modcall[post-auth]: module ldap returns noop for request 7
modcall: leaving group post-auth (returns noop) for request 7
Sending Access-Accept of id 228 to 141.5.16.151 port 2234
Finished request 7
Going to the next request
Waking up in 6 seconds...




===Now the same over WLAN===

--- Walking the entire request list ---
Cleaning up request 7 ID 228 with timestamp 480f2719
Nothing to do.  Sleeping until we see a request.



rad_recv: Access-Request packet from host 141.5.16.23:20008, id=173, 
length=201

User-Name = [EMAIL PROTECTED]
MS-CHAP-Challenge = 0x04138c9db743bfbb843010bf7f8389aa
MS-CHAP2-Response

Nas IP address in logs

2008-04-23 Thread Sergio Belkin
Hi, how can I get the NAS-IP-Address in radius.log?

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1x+WLAN and radtest

2008-04-23 Thread Ivan Kalik
This is the debug from the proxy, not the home server. You need a debug from
the home server to see why the first one is accepted and the second one rejected.

Since the first one was a PAP request and the second MS-CHAP, the usual problem
is that the password stored on the home server is encrypted.

Ivan Kalik
Kalik Informatika ISP


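Ivan's reading of the two requests, done by script, as an added example (not FreeRADIUS code): it walks a `radiusd -X` log, records which attributes each Access-Request from a NAS carried, classifies the authentication method from them (User-Password means PAP, MS-CHAP2-Response means MS-CHAPv2, EAP-Message means EAP), notes the realm the request was proxied to and the final reply, and flags a user who passes with PAP but fails with MS-CHAP. SAMPLE is a constructed, abridged log modelled on the proxy output above; the user name, the MS-CHAP2-Response bytes and the second request's reject are placeholders, since the page's log is cut off at that point.

```python
"""Classify the Access-Requests in a radiusd -X log by authentication method.

Added example, not FreeRADIUS code. SAMPLE is a constructed, abridged
proxy log modelled on the output above; the user name, the
MS-CHAP2-Response bytes and the second reply are placeholders.
"""
import re

RAD_RECV = re.compile(
    r"^rad_recv: (Access-\w+) packet from host ([\d.]+)[: ]+(?:port )?(\d+), id=(\d+)")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")
PROXY = re.compile(r"^\s*rlm_realm: Proxying request from user (\S+) to realm (\S+)")
SEND = re.compile(r"^Sending (Access-\w+) of id (\d+) to ([\d.]+) port (\d+)")

# First match wins: a request carrying EAP-Message is EAP whatever else it has.
METHOD_BY_ATTR = [("EAP-Message", "EAP"), ("MS-CHAP2-Response", "MSCHAPv2"),
                  ("MS-CHAP-Response", "MSCHAPv1"), ("CHAP-Password", "CHAP"),
                  ("User-Password", "PAP")]

SAMPLE = """\
rad_recv: Access-Request packet from host 141.5.16.151:2234, id=228, length=68
\tUser-Name = "user@example.org"
\tUser-Password = "PASSWD"
\tNAS-IP-Address = 255.255.255.255
\tNAS-Port = 1
rlm_realm: Proxying request from user user to realm DEFAULT
Sending Access-Request of id 6 to 193.174.75.134 port 1812
\tUser-Name = "user@example.org"
\tProxy-State = 0x323238
rad_recv: Access-Accept packet from host 193.174.75.134:1812, id=6, length=25
\tProxy-State = 0x323238
Sending Access-Accept of id 228 to 141.5.16.151 port 2234
rad_recv: Access-Request packet from host 141.5.16.23:20008, id=173, length=201
\tUser-Name = "user@example.org"
\tMS-CHAP-Challenge = 0x04138c9db743bfbb843010bf7f8389aa
\tMS-CHAP2-Response = 0x00000000000000000000000000000000000000000000000000
rlm_realm: Proxying request from user user to realm DEFAULT
Sending Access-Request of id 7 to 193.174.75.134 port 1812
rad_recv: Access-Reject packet from host 193.174.75.134:1812, id=7, length=20
Sending Access-Reject of id 173 to 141.5.16.23 port 20008
"""


def auth_method(attrs):
    for name, method in METHOD_BY_ATTR:
        if name in attrs:
            return method
    return "unknown"


def parse_debug(text):
    """Return one dict per Access-Request received from a NAS."""
    requests, cur, collecting = [], None, False
    for line in text.splitlines():
        m = RAD_RECV.match(line)
        if m:
            kind, host, _port, ident = m.groups()
            if kind == "Access-Request":
                cur = {"from": host, "id": int(ident), "attrs": {},
                       "proxied_to": None, "reply": None}
                requests.append(cur)
            # Attributes printed after a home-server reply or after a proxied
            # packet are not the NAS's; only collect inside a fresh request.
            collecting = kind == "Access-Request"
            continue
        if cur is None:
            continue
        m = ATTR.match(line)
        if m:
            if collecting:
                cur["attrs"][m.group(1)] = m.group(2)
            continue
        m = PROXY.match(line)
        if m:
            cur["proxied_to"] = m.group(2)
            continue
        m = SEND.match(line)
        if m:
            collecting = False
            if m.group(1) != "Access-Request" and int(m.group(2)) == cur["id"]:
                cur["reply"] = m.group(1)
    for r in requests:
        r["method"] = auth_method(r["attrs"])
    return requests


def diagnose(requests):
    """Flag the thread's pattern: same user, PAP accepted, MS-CHAP rejected."""
    by_user = {}
    for r in requests:
        by_user.setdefault(r["attrs"].get("User-Name"), []).append(r)
    findings = []
    for user, reqs in by_user.items():
        pap_ok = any(r["method"] == "PAP" and r["reply"] == "Access-Accept"
                     for r in reqs)
        mschap_bad = any(r["method"].startswith("MSCHAP") and
                         r["reply"] == "Access-Reject" for r in reqs)
        if pap_ok and mschap_bad:
            findings.append("%s: PAP accepted, MS-CHAP rejected; the home server "
                            "needs the cleartext or NT-hash password" % user)
    return findings
```

Why that pattern is diagnostic: a PAP request hands the home server the password itself, so it can be checked against any stored hash; MS-CHAPv2 only proves knowledge of the NT hash (MD4 of the UTF-16LE password), so the home server must hold the cleartext or that NT hash. A remote site that stores crypt or SSHA passwords will therefore accept radtest and reject PEAP/MS-CHAPv2 from the WLAN exactly as described, and only the home server's own `radiusd -X` can show it; the proxy sees nothing but the Access-Reject.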

Re: Nas IP address in logs

2008-04-23 Thread Ivan Kalik
From clients.conf:

#  The short name is used as an alias for the fully qualified
#  domain name, or the IP address.
#
shortname   = localhost

shortname is printed in the log. Put NAS IP there if you want it in
radius.log.

Ivan Kalik
Kalik Informatika ISP


Dana 23/4/2008, Sergio Belkin [EMAIL PROTECTED] piše:

Hi, how can I get the NAS-IP-Address in radius.log?

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


the problem about the session key

2008-04-23 Thread xiningtom_1986
Hello, I learned that there is an MK that needs to be passed to the AP after the auth is
complete. Do you know how to generate the key? Are they generated differently in
different ways of auth?
 
Xingtom
 -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 802.1x+WLAN and radtest

2008-04-23 Thread Dr.Peer-Joachim Koch

Hi Ivan,

thanks, but I don't have access to this server.
I can only do anything on our proxy.

You are right, the WLAN is configured with WPA2 TKIP, PEAP
and MS-CHAPv2.

Is there anything else I can do?

Bye, Peer

Ivan Kalik schrieb:

This is the debug from the proxy not home server. You need a debug from
the home server to see why is first one accepted and second one rejected.

Since first one was pap request and second mschap usual problem is that
password stored on home server is encrypted.

Ivan Kalik
Kalik Informatika ISP




_
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str. 10        Telefon: ++49 3641 57-6705
D-07745 Jena              Telefax: ++49 3641 57-7705
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Nas IP address in logs

2008-04-23 Thread Sergio Belkin
Thanks Ivan,

I know that :) But I want to get the IP of the NASes that are behind a
NAT/proxy/firewall server; I want the NAS IP and not the
NAT/proxy/firewall server's IP.

In fact my clients.conf has something as follows:

client 10.128.255.86 {
    require_message_authenticator = no
    secret = pepepotamo
    shortname = Hormiga
}
client 10.128.255.87 {
    require_message_authenticator = no
    secret = pepepotamo2
    shortname = Avispa
}
client 203.221.198.59 {
    require_message_authenticator = no
    secret = pepepotamo3
    shortname = Abeja
}
-- end of file---

The client 203.221.198.59 is a remote server (connected to RADIUS via
VPN) with NASes behind it.

If I run in debug mode I can see that the actual NAS IP can be read,
for example:

rad_recv: Access-Request packet from host 203.221.198.59 port 2048,
id=0, length=123
    User-Name = soyreloco
    NAS-IP-Address = 192.168.134.210
    Called-Station-Id = 001d7edc2621
    Calling-Station-Id = 001b63085e39
    NAS-Identifier = 001d7edc2624
    NAS-Port = 63
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020a016c79616972
    Message-Authenticator = 0x951db6ffd60187bc4b6fee7f951feef3

Is there a way to get such a thing (192.168.134.210 in this case) in
the radius logs with radius running in non-debug mode?

Thanks in advance!




-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
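Sergio's debug output already contains the answer: NAS-IP-Address arrives as a request attribute, and the `auth_log` instance of rlm_detail that Peer's proxy log earlier on this page shows (`rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d`) writes every request attribute to a per-client detail file without the server being in debug mode. The parser below is an added example (not FreeRADIUS code) that reads such a detail file and reports, per request, the address the packet actually came from next to the NAS address the packet claims. SAMPLE holds two constructed records: the first is built from the attributes in Sergio's debug output, the second from a NAS that talks to the server directly; the timestamps, the `Client-IP-Address` lines and the quoting follow the detail-file layout (an unindented date line, tab-indented `Attr = value` lines, a blank line between records) but are not copied from the page.

```python
"""Pull NAS-IP-Address out of the auth-detail files rlm_detail writes.

Added example, not FreeRADIUS code. SAMPLE is constructed: the first
record uses the attributes from the debug output above, the second is a
NAS that reaches the server directly. Timestamps, Client-IP-Address
lines and quoting follow the detail-file layout, not the page.
"""
import re

DETAIL_ATTR = re.compile(r"^\t([\w.-]+) = (.*)$")

SAMPLE = """\
Wed Apr 23 10:56:00 2008
\tUser-Name = "soyreloco"
\tNAS-IP-Address = 192.168.134.210
\tCalled-Station-Id = "001d7edc2621"
\tCalling-Station-Id = "001b63085e39"
\tNAS-Identifier = "001d7edc2624"
\tNAS-Port = 63
\tFramed-MTU = 1400
\tNAS-Port-Type = Wireless-802.11
\tEAP-Message = 0x020a016c79616972
\tMessage-Authenticator = 0x951db6ffd60187bc4b6fee7f951feef3
\tClient-IP-Address = 203.221.198.59
\tTimestamp = 1208948160

Wed Apr 23 10:57:30 2008
\tUser-Name = "otheruser"
\tNAS-IP-Address = 10.128.255.86
\tNAS-Port = 1
\tClient-IP-Address = 10.128.255.86
\tTimestamp = 1208948250

"""


def parse_detail(text):
    """Split a detail file into records: {"timestamp": ..., "attrs": {...}}."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line closes a record
            if cur is not None:
                records.append(cur)
                cur = None
            continue
        m = DETAIL_ATTR.match(line)
        if m and cur is not None:
            name, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # strings are written quoted
            cur["attrs"][name] = value
        elif not line.startswith("\t"):      # unindented line starts a record
            cur = {"timestamp": line.strip(), "attrs": {}}
    if cur is not None:
        records.append(cur)
    return records


def nas_view(records):
    """One row per request: the source the shared secret was checked against
    (Client-IP-Address) beside the NAS address the packet claims."""
    rows = []
    for rec in records:
        a = rec["attrs"]
        nas = a.get("NAS-IP-Address") or a.get("NAS-Identifier") or "?"
        client = a.get("Client-IP-Address")
        rows.append({
            "timestamp": rec["timestamp"],
            "user": a.get("User-Name"),
            "client": client,
            "nas": nas,
            # True when something (VPN endpoint, NAT) sits between NAS and server.
            "behind_nat": client is not None and client != nas,
        })
    return rows


if __name__ == "__main__":
    for row in nas_view(parse_detail(SAMPLE)):
        print("%(timestamp)s user=%(user)s client=%(client)s nas=%(nas)s "
              "behind_nat=%(behind_nat)s" % row)
```

Keep both columns when you log this. `Client-IP-Address` is the address whose shared secret validated the packet; `NAS-IP-Address` and `NAS-Identifier` are whatever the device, or anything between it and the server, chose to put in the request, so they are useful for locating a NAS behind the VPN endpoint but not as a key for access decisions.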


Active Directory anonymous rebinding when following references

2008-04-23 Thread Hughes, Scott GRE/MG
Numerous posts about Active Directory OU searching and FreeRadius can be found 
easily via Google, but none seem to have the definitive answer/workaround for 
the Windows 2003 rebind failure when searching the root of the active 
directory
 
On the latest freeradius-2.0.3 compiled from source, I get the rlm_ldap 
errors below whenever I use 
basedn = dc=my,dc=domainname,dc=com
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
 
I am binding to LDAP with a username/password (not anonymous)
 
All seem to point back to bug 183, which has been open for a long time:
http://bugs.freeradius.org/show_bug.cgi?id=183
 
Is this bug still considered valid? What further needs to be done to get the 
patch or a similar fix integrated into the main code tree, especially the 2.0 
release? I see the patch there, and have applied it to my old freeradius-1.0.1 
installation, but stability issues prompted me to investigate an upgrade, and I 
am not entirely sure that the patch didn't *cause* my stability problems to 
begin with (the comment by Alan DeKok in the bugzilla entry sounds a little 
ominous).
 
FWIW, my specific stability problem is the following:
 
Wed Apr  2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr  2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr  2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr  2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr  2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
And the server rejects all requests until it is restarted. The server is not 
under a high load. The errors only occur after the server has been running for 
a few weeks. I could increase ldap_connections_number, but I suspect that will 
only band-aid the problem so it runs for a few more weeks before failing.
 
My LDAP configuration block is below:
 
    ldap {
        server = xxx
        identity = [EMAIL PROTECTED]
        password = zzz
        basedn = dc=my,dc=domain,dc=com
        filter = (SamAccountName=%U)
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        #
        tls {
            start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        groupmembership_filter = (&(objectClass=Group)(member=%{Ldap-UserDn}))
    }
 
I would be happy to produce more configuration files upon request, if it would 
help.
 
Thoughts are appreciated

Scott
Sr. Network Engineer
Great River Energy

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_sqlippool

2008-04-23 Thread rsg
raddb/sqlippool.conf

 ## Using Calling-Station-Id works for NAS that send fixed NAS-Port
 ## ONLY change this if you know what you are doing!
 ## pool-key = %{NAS-Port}
 pool-key = %{Calling-Station-Id}


What I suggest is that we take the "NAS that send fixed NAS-Port"
condition off from the rlm_sqlippool module.

Because, as I said before, it is NOT a must to always send the NAS-Port
(e.g. some GGSNs).

What would be the consequences of taking it off?

Thanks,



On Tue, Apr 22, 2008 at 9:43 PM, rsg [EMAIL PROTECTED] wrote:
 On Tue, Apr 22, 2008 at 9:24 PM, Alan DeKok [EMAIL PROTECTED] wrote:
   rsg wrote:
 In my opinion it should be open to be decided between NAS-Port and
 Calling-Station-Id depending on the service.
  
 Which is why you can edit the queries in the SQL ippool module.
  
 If the non-SQL ippool module doesn't do what you want, fix it, and
supply a patch.
  
  
  
 Alan DeKok.

  No I'm referring to the SQL ippool;

  The following entry gives the result what I've indicated in my first mail.


  From sqlippool.c

:
/* rlm_sqlippool skips the request entirely when the packet carries no NAS-Port */
if (pairfind(request->packet->vps, PW_NAS_PORT) == NULL) {
        DEBUG("rlm_sqlippool: unknown NAS-Port");
        return RLM_MODULE_NOOP;
}



FW: is okay

2008-04-23 Thread alberto beas castañeda


 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Your confirmation is required to join the Freeradius-Users mailing list
 Date: Wed, 23 Apr 2008 17:25:45 +0200

 Mailing list subscription confirmation notice for mailing list Freeradius-Users

 We have received a request from 200.0.112.129 for subscription of your email
 address, [EMAIL PROTECTED], to the freeradius-users@lists.freeradius.org mailing
 list. To confirm that you want to be added to this mailing list, simply reply to
 this message, keeping the Subject: header intact. Or visit this web page:

 http://lists.freeradius.org/mailman/confirm/freeradius-users/207f898fd4ffaa48bbe50ae10f48767ca4f802a7

 Or include the following line -- and only the following line -- in a message to
 [EMAIL PROTECTED]:

 confirm 207f898fd4ffaa48bbe50ae10f48767ca4f802a7

 Note that simply sending a `reply' to this message should work from most mail
 readers, since that usually leaves the Subject: line in the right form
 (additional Re: text in the Subject: is okay). If you do not wish to be
 subscribed to this list, please simply disregard this message. If you think you
 are being maliciously subscribed to the list, or have any other questions, send
 them to [EMAIL PROTECTED]

Open Directory and freeRadius

2008-04-23 Thread Aaron_Hovel
I currently have freeRadius running on a Macintosh 10.5 server. 
freeRadius is using opendirectory for authentication and authorization. 
This is working successfully.  


What I would like to do next is have the PrimaryGroupID or the gidNumber
in Opendirectory for that particular user passed back to, in this case an
Aruba Controller, so that the Aruba Controller can authorize the user
based on the group membership. 

Any suggestions?

Thank you,
Aaron 



Re: rlm_sqlippool

2008-04-23 Thread Ivan Kalik
No idea. That check must have some purpose.

Usual workaround for this is to rewrite (update in freeradius speak)
NAS-Port attribute with the value of Calling-Station-Id (in unlang,
perl, ...). That sorts out missing NAS-Port in the request.

There are way too many places where NAS-Port needs to be changed in the
configuration, and you might need to alter code as well - hence "ONLY
change this if you know what you are doing!".

Ivan Kalik
Kalik Informatika ISP


Dana 23/4/2008, rsg [EMAIL PROTECTED] piše:

raddb/sqlippool.conf

 ## Using Calling-Station-Id works for NAS that send fixed NAS-Port
 ## ONLY change this if you know what you are doing!
 ## pool-key = %{NAS-Port}
 pool-key = %{Calling-Station-Id}


What I suggest is that we take the NAS that send fixed NAS-Port
condition off from RLM_SQLIPPOOL module.

Because, as I said before it is NOT a must to send the NAS-Port always
(e.g. some GGSNs)

What would be the consequences of taking it off?

Thanks,



On Tue, Apr 22, 2008 at 9:43 PM, rsg [EMAIL PROTECTED] wrote:
 On Tue, Apr 22, 2008 at 9:24 PM, Alan DeKok [EMAIL PROTECTED] wrote:
   rsg wrote:
 In my opinion it should be open to be decided between NAS-Port and
 Calling-Station-Id depending on the service.
  
 Which is why you can edit the queries in the SQL ippool module.
  
 If the non-SQL ippool module doesn't do what you want, fix it, and
supply a patch.
  
  
  
 Alan DeKok.

  No I'm referring to the SQL ippool;

  The following entry gives the result what I've indicated in my first mail.


  From sqlippool.c

:
/* rlm_sqlippool skips the request entirely when the packet carries no NAS-Port */
if (pairfind(request->packet->vps, PW_NAS_PORT) == NULL) {
        DEBUG("rlm_sqlippool: unknown NAS-Port");
        return RLM_MODULE_NOOP;
}






Re: Nas IP address in logs

2008-04-23 Thread Ivan Kalik
That will be logged in your accounting log.

Ivan Kalik
Kalik Informatika ISP

Dana 23/4/2008, Sergio Belkin [EMAIL PROTECTED] piše:

Thanks Ivan,

I know that :) But I want to get the IP of NASes that are behind a
NAT-proxy-firewall server; I want the NAS IP and not the
NAT-proxy-firewall server IP.

In fact my clients.conf has something as follows:

 client 10.128.255.86 {
     require_message_authenticator = no
     secret = pepepotamo
     shortname = Hormiga
 }
 client 10.128.255.87 {
     require_message_authenticator = no
     secret = pepepotamo2
     shortname = Avispa
 }
 client 203.221.198.59 {
     require_message_authenticator = no
     secret = pepepotamo3
     shortname = Abeja
 }
-- end of file---

client with 203.221.198.59 is a remote server (connect to radius via
vpn)  with NAS's behind.

If I run in debug mode I can see that the actual NAS IP can be read.

For example:

rad_recv: Access-Request packet from host 203.221.198.59 port 2048,
id=0, length=123
   User-Name = soyreloco
   NAS-IP-Address = 192.168.134.210
   Called-Station-Id = 001d7edc2621
   Calling-Station-Id = 001b63085e39
   NAS-Identifier = 001d7edc2624
   NAS-Port = 63
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x020a016c79616972
   Message-Authenticator = 0x951db6ffd60187bc4b6fee7f951feef3


Is there a way to get such a thing (192.168.134.210 in this case) in the
radius logs with radius running in non-debug mode?

Thanks in advance!

2008/4/23, Ivan Kalik [EMAIL PROTECTED]:
 From clients.conf:

 #  The short name is used as an alias for the fully qualified
 #  domain name, or the IP address.
 #
 shortname   = localhost

  shortname is printed in the log. Put NAS IP there if you want it in
  radius.log.

  Ivan Kalik
  Kalik Informatika ISP


  Dana 23/4/2008, Sergio Belkin [EMAIL PROTECTED] piše:


  Hi, how can I get the NAS-IP-Address in radius.log?
  
  --
  --
  Open Kairos http://www.openkairos.com
  Watch More TV http://sebelk.blogspot.com
  Sergio Belkin -

  
  




-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -






Compiling freeradius.org 2.0.3 on Red Hat 7.3

2008-04-23 Thread Robert Haskins
I'm trying to compile freeradius.org version 2.0.3 on Red Hat 7.3, and
I'm getting the following error:

/usr/local/src/radius/freeradius-server-2.0.3/src/freeradius-devel/rad_assert.h:26:
warning: `used' attribute directive ignored
In file included from ../../eap.h:34,
 from eap_tnc.c:58:
../../libeap/eap_types.h:30: warning: `used' attribute directive ignored
eap_tnc.c: In function `eaptnc_extract':
eap_tnc.c:137: parse error before `unsigned'
eap_tnc.c:141: parse error before `int'
eap_tnc.c:147: `ptr' undeclared (first use in this function)
eap_tnc.c:147: (Each undeclared identifier is reported only once
eap_tnc.c:147: for each function it appears in.)
eap_tnc.c:153: `thisDataLength' undeclared (first use in this function)
eap_tnc.c:154: `dataStart' undeclared (first use in this function)
eap_tnc.c: In function `eaptnc_compose':
eap_tnc.c:212: parse error before `unsigned'
eap_tnc.c:214: `swappedDataLength' undeclared (first use in this function)
eap_tnc.c:217: parse error before `thisDataLength'
eap_tnc.c:220: parse error before `int'
eap_tnc.c:224: `offset' undeclared (first use in this function)
eap_tnc.c:225: `thisDataLength' undeclared (first use in this function)
gmake[9]: *** [eap_tnc.lo] Error 1
gmake[9]: Leaving directory
`/usr/local/src/radius/freeradius-server-2.0.3/src/modules/rlm_eap/types/rlm_eap_tnc'
gmake[8]: *** [common] Error 2
gmake[8]: Leaving directory
`/usr/local/src/radius/freeradius-server-2.0.3/src/modules/rlm_eap/types'
gmake[7]: *** [all] Error 2
gmake[7]: Leaving directory
`/usr/local/src/radius/freeradius-server-2.0.3/src/modules/rlm_eap/types'
gmake[6]: *** [common] Error 2
gmake[6]: Leaving directory
`/usr/local/src/radius/freeradius-server-2.0.3/src/modules/rlm_eap'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory
`/usr/local/src/radius/freeradius-server-2.0.3/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory
`/usr/local/src/radius/freeradius-server-2.0.3/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/usr/local/src/radius/freeradius-server-2.0.3/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/local/src/radius/freeradius-server-2.0.3/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/usr/local/src/radius/freeradius-server-2.0.3'
make: *** [all] Error 2

I've searched the wiki site and the mailing list archives and not
found much on this error. Yes, I know that RH 7.3 is old/etc., so I'm
not looking for pat answers like upgrade to the latest O/S version.
In searching for the error message (`used' attribute directive
ignored) I haven't come up with anything helpful.

Thanks for any assistance you can provide!


Re: 802.1x+WLAN and radtest

2008-04-23 Thread Ivan Kalik
Install SecureW2 and try EAP-TTLS/PAP. If that works then passwords are
encrypted and PEAP won't work.

Ivan Kalik
Kalik Informatika ISP


Dana 23/4/2008, Dr.Peer-Joachim Koch [EMAIL PROTECTED] piše:

Hi Ivan,

thanks, but I don't have access to this server.
I can only do anything on our proxy.

You are right, the WLAN is configured with WPA2 TKIP PEAP
and MS-CHAP-v2.

Is there anything else I can do ?

Bye, Peer

Ivan Kalik schrieb:
 This is the debug from the proxy, not the home server. You need a debug from
 the home server to see why the first one is accepted and the second one rejected.
 
 Since the first one was a PAP request and the second MS-CHAP, the usual problem
 is that the password stored on the home server is encrypted.
 
 Ivan Kalik
 Kalik Informatika ISP
 


_
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str. 10    Telefon: ++49 3641 57-6705
D-07745 Jena          Telefax: ++49 3641 57-7705





Re: Nas IP address in logs

2008-04-23 Thread Sergio Belkin
Thanks Ivan, that I didn't know :) Also, I had disabled accounting; now I
have enabled that and the detailed auth log.

Now I get something as follow in radacct/10.128.255.80/auth-detail-20080423 :

Wed Apr 23 14:16:22 2008
Packet-Type = Access-Request
User-Name = quelocoquesoyche
NAS-IP-Address = 10.128.255.80
Called-Station-Id = 005d7edc25de
Calling-Station-Id = 005cb37ae2ee
NAS-Identifier = 005d7edc25de
NAS-Port = 55
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020c0167736965727232
Message-Authenticator = 0x955e4a648595f3ae5dd7f3486dea99f4

Great!

2008/4/23, Ivan Kalik [EMAIL PROTECTED]:
 That will be logged in your accounting log.


  Ivan Kalik
  Kalik Informatika ISP

  Dana 23/4/2008, Sergio Belkin [EMAIL PROTECTED] piše:

  Thanks Ivan,
  
  I know that :) But I want get IP from NAS's that are behind a
  NAT-proxy-firewall server, I want the NAS IP and not the
  NAT-proxy-firewall server IP.
  
  In fact my clients.conf has something as follows:
  
   client 10.128.255.86 {
 require_message_authenticator = no
 secret = pepepotamo
 shortname = Hormiga
   }
   client 10.128.255.87 {
 require_message_authenticator = no
 secret = pepepotamo2
 shortname = Avispa
   }
   client 203.221.198.59 {
 require_message_authenticator = no
 secret = pepepotamo3
 shortname = Abeja
  }
  -- end of file---
  
  client with 203.221.198.59 is a remote server (connect to radius via
  vpn)  with NAS's behind.
  
  If I run in debug mode I can see the actual NAS IP can be read,
  
  For example:
  
  rad_recv: Access-Request packet from host 203.221.198.59 port 2048,
  id=0, length=123
 User-Name = soyreloco
 NAS-IP-Address = 192.168.134.210
 Called-Station-Id = 001d7edc2621
 Calling-Station-Id = 001b63085e39
 NAS-Identifier = 001d7edc2624
 NAS-Port = 63
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x020a016c79616972
 Message-Authenticator = 0x951db6ffd60187bc4b6fee7f951feef3
  
  
   is there a way to get such a thing (192.168.134.210 in this case) in
  radius logs with radius running in non-debug mode?
  
  Thanks in advance!
  
  2008/4/23, Ivan Kalik [EMAIL PROTECTED]:
   From clients.conf:
  
   #  The short name is used as an alias for the fully qualified
   #  domain name, or the IP address.
   #
   shortname   = localhost
  
shortname is printed in the log. Put NAS IP there if you want it in
radius.log.
  
Ivan Kalik
Kalik Informatika ISP
  
  
Dana 23/4/2008, Sergio Belkin [EMAIL PROTECTED] piše:
  
  
Hi, how can I get the NAS-IP-Address in radius.log?

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
  


  
  
  
  
  --

 --
  Open Kairos http://www.openkairos.com
  Watch More TV http://sebelk.blogspot.com
  Sergio Belkin -
  
  
  




-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -

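As an added illustration (not code from the thread or from FreeRADIUS), here is a small parser for the auth-detail files rlm_detail writes, which pairs each record's NAS-IP-Address with the address the packet actually arrived from, recovered from the `%{Client-IP-Address}` directory in the posted path layout. The sample records and the second user name are constructed.

```python
import os
import re
from typing import Dict, List, Tuple

DetailRecord = Dict[str, str]

# Constructed sample detail file, in the layout rlm_detail writes: a timestamp
# line, one tab-indented "Attribute = value" line per attribute, blank line per
# record. The first record mirrors the packet shown in the thread.
SAMPLE_DETAIL = (
    "Wed Apr 23 14:16:22 2008\n"
    "\tPacket-Type = Access-Request\n"
    '\tUser-Name = "soyreloco"\n'
    "\tNAS-IP-Address = 192.168.134.210\n"
    "\tNAS-Port = 63\n"
    "\tNAS-Port-Type = Wireless-802.11\n"
    "\n"
    "Wed Apr 23 14:17:05 2008\n"
    "\tPacket-Type = Access-Request\n"
    '\tUser-Name = "testuser"\n'
    "\tNAS-IP-Address = 203.221.198.59\n"
    "\tNAS-Port = 7\n"
    "\n"
)
# Path as expanded from radacct/%{Client-IP-Address}/auth-detail-%Y%m%d: the
# directory name is the packet source address (the VPN gateway in the post).
SAMPLE_PATH = "/var/log/radius/radacct/203.221.198.59/auth-detail-20080423"

_TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}$")
_ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")


def parse_detail(text: str) -> List[DetailRecord]:
    """Split a detail file into records (dict attribute -> value). The timestamp
    line is stored under "Timestamp"; quoted string values are unquoted."""
    records: List[DetailRecord] = []
    current: DetailRecord = {}
    for line in text.splitlines():
        if _TIMESTAMP.match(line):
            if current:  # no blank line before the next record: close it anyway
                records.append(current)
            current = {"Timestamp": line}
            continue
        m = _ATTR.match(line)
        if m and current:
            name, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[name] = value
        elif not line.strip() and current:  # blank line ends the record
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def client_ip_from_path(path: str) -> str:
    """Recover the RADIUS client (packet source) address from the file location."""
    return os.path.basename(os.path.dirname(path))


def nas_behind_nat(path: str, text: str) -> List[Tuple[str, str, str]]:
    """(User-Name, client IP, NAS-IP-Address) for every record whose NAS-IP-Address
    differs from the address the packet came from, i.e. a NAS behind NAT or a VPN."""
    client_ip = client_ip_from_path(path)
    out: List[Tuple[str, str, str]] = []
    for rec in parse_detail(text):
        nas_ip = rec.get("NAS-IP-Address")
        if nas_ip and nas_ip != client_ip:
            out.append((rec.get("User-Name", ""), client_ip, nas_ip))
    return out


if __name__ == "__main__":
    for user, src, nas in nas_behind_nat(SAMPLE_PATH, SAMPLE_DETAIL):
        print(f"{user}: packet from {src}, NAS reports {nas}")
```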


MS-CHAP-Error

2008-04-23 Thread Phil Mayers

All,

We're rolling out a password-expiry policy here, and it's been suggested 
that it would be helpful for the VPN to prompt a user to change their 
password, rather than just lock them out.


The VPN is poptop on Linux, authing to FreeRadius, which currently talks 
to winbind and then to our w2k3 servers but may be moving to proxy the 
final inner mschap to IAS (all the policy checks and interesting stuff 
will be staying on FreeRadius - but using FR2 and a proxy plus pool of 
home servers seems likely to give us better failure and recovery 
characteristics when an AD controller goes away).


When we MS-CHAP an expired account we get a MS-CHAP-Error packet in the 
reply as expected:


Sending Access-Request of id 7 to 192.168.29.34 port 1812
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = test
MS-CHAP-Challenge = 0xSNIP
MS-CHAP2-Response = 0xSNIP
Calling-Station-Id = 192.168.55.55
NAS-IP-Address = 192.168.54.54
NAS-Port = 0
Proxy-State = 0x3633
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 192.168.29.34:1812, id=7, length=46
Proxy-State = 0x3633
MS-CHAP-Error = \000E=648 R=0 V=3

...however FreeRadius obeys the RFCs, and doesn't proxy the 
MS-CHAP-Error packet back to the radius client (pppd radius.so plugin) 
so my patches to pppd are unable to act on the error code.


Am I wasting my time?
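An added example, not from the thread, pppd or FreeRADIUS: decoding the MS-CHAP-Error value shown above according to RFC 2548 section 2.1.6 (one Ident octet followed by text) and RFC 2759 section 6 (the E/R/C/V/M fields and error codes), so whatever ends up receiving the attribute can tell an expired password (E=648) from other failures. It goes beyond the single value in the post by handling the optional R, C, V and M fields; the second sample value is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Failure codes from RFC 2759, section 6.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Value taken from the post: Ident 0, then "E=648 R=0 V=3".
SAMPLE_FROM_POST = b"\x00E=648 R=0 V=3"
# Constructed value with every optional field present.
SAMPLE_WITH_RETRY = b"\x07E=691 R=1 C=" + b"0f" * 16 + b" V=3 M=Bad password"

_FIELD = re.compile(r"(E|R|C|V)=(\S+)")


@dataclass
class MsChapError:
    ident: int                 # MS-CHAP Identifier echoed from the failed response
    code: int                  # E= numeric error code
    retry_allowed: bool        # R=1 means the peer may retry with a new response
    challenge: Optional[bytes] # C= new 16-octet challenge, if the server sent one
    version: Optional[int]     # V= MS-CHAP version, 3 for MS-CHAPv2
    message: Optional[str]     # M= free-text message, if present

    @property
    def name(self) -> str:
        return MSCHAP_ERRORS.get(self.code, f"UNKNOWN({self.code})")

    @property
    def password_expired(self) -> bool:
        return self.code == 648


def parse_ms_chap_error(raw: bytes) -> MsChapError:
    """Decode a RADIUS MS-CHAP-Error attribute value: one Ident octet followed by
    'E=eeeeeeeeee R=r C=<32 hex> V=vvvvvvvvvv M=<msg>'. C, V and M are optional;
    M is free text that may contain spaces, so it is always last."""
    if len(raw) < 2:
        raise ValueError("MS-CHAP-Error too short")
    ident, text = raw[0], raw[1:].decode("ascii", errors="replace")
    message = None
    if " M=" in text:
        text, message = text.split(" M=", 1)  # keep spaces inside the message
    fields = dict(_FIELD.findall(text))
    if "E" not in fields:
        raise ValueError("MS-CHAP-Error without E= code")
    return MsChapError(
        ident=ident,
        code=int(fields["E"]),
        retry_allowed=fields.get("R", "0") == "1",
        challenge=bytes.fromhex(fields["C"]) if "C" in fields else None,
        version=int(fields["V"]) if "V" in fields else None,
        message=message,
    )


if __name__ == "__main__":
    err = parse_ms_chap_error(SAMPLE_FROM_POST)
    print(err.name, "retry" if err.retry_allowed else "no retry")
```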


Re: Compiling freeradius.org 2.0.3 on Red Hat 7.3

2008-04-23 Thread Phil Mayers

Robert Haskins wrote:

I'm trying to compile freeradius.org version 2.0.3 on Red Hat 7.3, and
I'm getting the following error:


Wow. That's a seriously OLD os install. Please consider upgrading.



/usr/local/src/radius/freeradius-server-2.0.3/src/freeradius-devel/rad_assert.h:26:
warning: `used' attribute directive ignored
In file included from ../../eap.h:34,
 from eap_tnc.c:58:
../../libeap/eap_types.h:30: warning: `used' attribute directive ignored


Assuming you don't need it, just remove the rlm_eap/types/rlm_eap_tnc 
sub-directory.



Re: MS-CHAP-Error

2008-04-23 Thread A . L . M . Buxey
Hi,

 Sending Access-Request of id 7 to 192.168.29.34 port 1812
 Service-Type = Framed-User
 Framed-Protocol = PPP
 User-Name = test
 MS-CHAP-Challenge = 0xSNIP
 MS-CHAP2-Response = 0xSNIP
 Calling-Station-Id = 192.168.55.55
 NAS-IP-Address = 192.168.54.54
 NAS-Port = 0
 Proxy-State = 0x3633
 --- Walking the entire request list ---
 Waking up in 6 seconds...
 rad_recv: Access-Reject packet from host 192.168.29.34:1812, id=7, length=46
 Proxy-State = 0x3633
 MS-CHAP-Error = \000E=648 R=0 V=3

 ...however FreeRadius obeys the RFCs, and doesn't proxy the MS-CHAP-Error 
 packet back to the radius client (pppd radius.so plugin) so my patches to 
 pppd are unable to act on the error code.

how about using unlang to check for the MS-CHAP-Error - and if that code
exists, create a new attribute that WILL be sent back to the radius client,
one on which other bits of code could act.

alan


Can unlang do this?

2008-04-23 Thread Chris

Should I expect something like this to do the right thing?


ldap-localhost {
    server = 127.0.0.1
    basedn = switch %{Huntgroup-Name} {
        case dsl {
            ou=dsl,ou=radius,dc=viptalk,dc=net
        }
        case {
            ou=accounts,ou=viptalk,ou=net
        }
    }
}

etc

Basically, I want to set certain ldap variables based on the Huntgroup- 
Name.  Without defining a bunch of different ldap servers, that is.


Thanks.


Failed Auth using users file (sometimes)

2008-04-23 Thread Mike O'Connor

Hi Guys

I have an account which I want to auth locally on our 2 proxy radius 
machines.


The problem is that sometimes the connection authenticates and other 
times it does not; there are warnings in the logs below so I'm sure I 
have something wrong, but I cannot work out what I should be doing instead.


Also, how would I create a feature which would temporarily authenticate 
all users for a realm as allowed?


The user file entry is

nyp2inter   Realm == 'xxx.com', User-Password == 'xxx', 
Proxy-To-Realm := LOCAL

   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = xxx.xx.216.40,
   Framed-IP-Netmask = 255.255.255.255,
   Framed-Route = xxx.xx.10.128/25 0.0.0.0 1,
   Framed-MTU = 1492,
   Framed-Compression = Van-Jacobsen-TCP-IP



Failed Auth:

rad_recv: Access-Request packet from host xxx.xx.208.165:1645, id=155, 
length=106

   Framed-Protocol = PPP
   User-Name = [EMAIL PROTECTED]
   User-Password = xxx
   NAS-Port-Type = Virtual
   NAS-Port = 328
   Calling-Station-Id = sfy713300200187
   Service-Type = Framed-User
   NAS-IP-Address = xxx.xx.208.165
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1647
 modcall[authorize]: module preprocess returns ok for request 1647
radius_xlat:  '/var/log/radius/radacct/xxx.xx.208.165/auth-detail-20080424'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxx.xx.208.165/auth-detail-20080424
 modcall[authorize]: module auth_log returns ok for request 1647
 modcall[authorize]: module attr_filter returns noop for request 1647
 modcall[authorize]: module chap returns noop for request 1647
 modcall[authorize]: module mschap returns noop for request 1647
   rlm_realm: Looking up realm xxx.com for User-Name = [EMAIL PROTECTED]
   rlm_realm: Found realm xxx.com
   rlm_realm: Proxying request from user nyp2inter to realm xxx.com
   rlm_realm: Adding Realm = xxx.com
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 1647
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 1647
 modcall[authorize]: module files returns notfound for request 1647
rlm_pap: WARNING! No known good password found for the user.  
Authentication may fail because of this.

 modcall[authorize]: module pap returns noop for request 1647
2008-04-24T11:29:37.613507: Verbose: RLM_PYTHON: handling Authorize request...
 modcall[authorize]: module python returns ok for request 1647
modcall: leaving group authorize (returns ok) for request 1647
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user

auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/nyp4inter] (from client lns1.ade 
port 328 cli sfy713300200187)

 Found Post-Auth-Type
 Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 1647
rlm_sql_log (sql_log): Processing sql_log_postauth
radius_xlat:  'INSERT INTO radpostauth  (user, password, reply, date, reply_message) VALUES ('[EMAIL PROTECTED]', 'xxx', 'Access-Reject', '2008-04-24 11:29:37', '');'
radius_xlat:  '/var/log/radius/radacct/sql-relay'
 modcall[post-auth]: module sql_log returns ok for request 1647
modcall: leaving group REJECT (returns ok) for request 1647
Delaying request 1647 for 1 seconds
Finished request 1647

With no Changes this Connected:

rad_recv: Access-Request packet from host xxx.xx.208.165:1645, id=167, 
length=106

   Framed-Protocol = PPP
   User-Name = [EMAIL PROTECTED]
   User-Password = xxx
   NAS-Port-Type = Virtual
   NAS-Port = 315
   Calling-Station-Id = sfy713300200187
   Service-Type = Framed-User
   NAS-IP-Address = xxx.xx.208.165
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1675
 modcall[authorize]: module preprocess returns ok for request 1675
radius_xlat:  '/var/log/radius/radacct/xxx.xx208.165/auth-detail-20080424'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxx.xx208.165/auth-detail-20080424
 modcall[authorize]: module auth_log returns ok for request 1675
 modcall[authorize]: module attr_filter returns noop for request 1675
 modcall[authorize]: module chap returns noop for request 1675
 modcall[authorize]: module mschap returns noop for request 1675
   rlm_realm: Looking up realm xxx.com for User-Name = [EMAIL PROTECTED]
   rlm_realm: Found realm xxx.com
   rlm_realm: Adding Stripped-User-Name = nyp2inter
   rlm_realm: Proxying request from user nyp2inter to realm xxx.com
   rlm_realm: Adding Realm = xxx.com
   rlm_realm: Preparing to proxy authentication request to realm xxx.com