Re: mysql isn't match with online users status

2008-05-20 Thread Zahra Bahar
I considered the row fields in the radacct table. All the fields, even the duration time, are 
correct, but the stop field is zero for some users that we know are 
disconnected, so they can't connect again until a random time has passed and they 
get stopped, but the stop-time field is the same as the start-time. 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: mysql isn't match with online users status

2008-05-20 Thread Arran Cudbard-Bell

Zahra Bahar wrote:
> I considered the row fields in the radacct table. All the fields, even the duration time, are
> correct, but the stop field is zero for some users that we know are
> disconnected, so they can't connect again until a random time has passed and they
> get stopped, but the stop-time field is the same as the start-time.

As Alan said, it's a problem with your NAS. It's failing to send an 
Accounting-Request with an Acct-Status-Type attribute of 'Stop'. Unless 
your NAS tells FreeRADIUS to close the session, the session will stay 
open in the database.


FreeRADIUS does not keep track of accounting session state internally.

Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services (IT Services) 
E1-1-08, Engineering 1, University Of Sussex, Brighton

EXT: +44 1273 873900 | INT: 3900
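
The behaviour described in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code: a simplified radacct-style table changes only when the NAS sends an Accounting-Request, so a session with no Stop stays open until someone looks for it. The table layout, the sample records, the helper names and the use of NULL for the missing stop time are assumptions made for illustration.

```python
import sqlite3

# Constructed accounting records, in the order a NAS might send them:
# (Acct-Status-Type, Acct-Session-Id, User-Name, event time, Acct-Session-Time)
SAMPLE_REQUESTS = [
    ("Start",          "sess-0001", "alice", 1000, 0),
    ("Start",          "sess-0002", "bob",   1100, 0),
    ("Interim-Update", "sess-0002", "bob",   1700, 600),
    ("Stop",           "sess-0001", "alice", 1900, 900),
    # No Stop ever arrives for sess-0002 (the NAS failed to send it).
    ("Start",          "sess-0003", "carol", 9000, 0),
]


def open_db():
    """In-memory stand-in for the radacct table (hypothetical, reduced columns)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE radacct (
               acctsessionid   TEXT PRIMARY KEY,
               username        TEXT,
               acctstarttime   INTEGER,
               acctstoptime    INTEGER,
               acctsessiontime INTEGER)"""
    )
    return db


def handle_accounting(db, status, session_id, user, when, session_time):
    """Apply one Accounting-Request; nothing else ever closes a session."""
    if status == "Start":
        db.execute(
            "INSERT INTO radacct VALUES (?, ?, ?, NULL, 0)",
            (session_id, user, when),
        )
    elif status == "Interim-Update":
        db.execute(
            "UPDATE radacct SET acctsessiontime = ? WHERE acctsessionid = ?",
            (session_time, session_id),
        )
    elif status == "Stop":
        db.execute(
            "UPDATE radacct SET acctstoptime = ?, acctsessiontime = ? "
            "WHERE acctsessionid = ?",
            (when, session_time, session_id),
        )


def replay(requests):
    """Feed a list of accounting records through the handler."""
    db = open_db()
    for req in requests:
        handle_accounting(db, *req)
    return db


def stale_sessions(db, now, max_silence):
    """Open sessions whose last reported activity is older than max_silence seconds."""
    rows = db.execute(
        """SELECT acctsessionid, username FROM radacct
           WHERE acctstoptime IS NULL
             AND acctstarttime + acctsessiontime < ?
           ORDER BY acctsessionid""",
        (now - max_silence,),
    )
    return rows.fetchall()


if __name__ == "__main__":
    db = replay(SAMPLE_REQUESTS)
    for sid, user in stale_sessions(db, now=10000, max_silence=3600):
        print("no Stop received:", sid, user)
```

The duration column keeps the last value the NAS reported, which is why a row can show a plausible session time and still have no stop time.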



Testing FreeRADIUS

2008-05-20 Thread youness hsina
Hi all,
Sorry for my English.
I'm running a FreeRADIUS server on FreeBSD and I wanted to test it, but it
doesn't work and I don't know why.
I have tried this command:
radtest yhsina yhsina @IPserver 1 testing123.
yhsina is a user who is located in an LDAP server.
It gives me this:
radclient: no reponse from server for ID 107
Do you have any idea, please?

Thanks for your help in advance.
Uness

Re: users advanced configuration [SEC=UNCLASSIFIED]

2008-05-20 Thread Tribes Tom
Thanks for your help, it's very interesting. I have a little difficulty
understanding how it works, and it helps me a lot.
But I can't make it run :s

When I try the line you showed me, I can't log in with any user.

My OpenLDAP server says there isn't any connection from FreeRADIUS in its log.

Here is an example of one user:

dn: uid=Thomas01,ou=heure,dc=network,dc=local
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: Thomas01


In FreeRADIUS, here is the result of: freeradius -xxyz

Thread 2 handling request 1, (1 handled so far)
User-Name = "Thomas01"
User-Password = "***"
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.x.3
Calling-Station-Id = "00-18-DE-C8-D9-87"
Called-Station-Id = "00-0C-29-8A-5B-1C"
NAS-Identifier = "nas01"
Acct-Session-Id = "48327d790001"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Message-Authenticator = 0x25d1a7b602061b5167c20539366b1e8d
WISPr-Logoff-URL = "http://192.168.x.1:3990/logoff"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
  modcall[authorize]: module "files" returns notfound for request 1
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 1
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
  modcall[authorize]: module "daily" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [Thomas01] (from client hotspot port 1 cli
00-18-DE-C8-D9-87)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Thread 2 waiting to be assigned a request
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 483280f4
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.x.253:59308, id=0,
length=198
Sending Access-Reject of id 0 to 192.168.x.253 port 59308
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 0 with timestamp 483280fa
Nothing to do.  Sleeping until we see a request.



If you have any idea, it would help me a lot; I can provide my config files if
you want.

Thanks a lot

Thomas
Tribolet






2008/5/20 Ranner, Frank MR <[EMAIL PROTECTED]>:

> UNCLASSIFIED
>
> From:
> [EMAIL PROTECTED]
> g
> [mailto:freeradius-users-bounces+frank.ranner
> [EMAIL PROTECTED]
> adius.org] On Behalf Of Tribes Tom
> Sent: Monday, 19 May 2008 18:33
> To: FreeRadius users mailing list
> Subject: Re: users advanced configuration [SEC=UNCLASSIFIED]
>
>
>
> Can you explain how to do this?
>
> I have tried this:
>
> DEFAULT Auth-Type = ldap,Max-Daily-Session := 3600,Ldap-UserDN := `uid=%{User-Name},ou=heure,dc=network,dc=local`
>
> All three elements of your test are assignments that always return true.
> You compare using == not :=
> Try:
> DEFAULT Ldap-UserDN == `uid=%{User-Name},ou=heure,dc=network,dc=local`, Max-Daily-Session := 3600
>
> Or
>
> DEFAULT Ldap-UserDN =~ "^uid=.*,ou=heure,dc=network,dc=local$", Max-Daily-Session := 3600
>
> Matching is done from left to right, so Max-Daily-Session is only set if
> the Ldap-UserDN matches. It is probably unnecessary to set Auth-Type.
>
> Regards,
> Frank Ranner
>

Segmentation fault when use Odyssey Client

2008-05-20 Thread Hangjun He
If I select EAP-TTLS + use only my certificate for auth, it causes a segmentation 
fault. Others seem OK.
   
  Debug info:
  rad_recv: Access-Request packet from host 192.168.200.57:32785, id=95, 
length=325 
User-Name = "bbb" 
NAS-IP-Address = 192.168.200.57 
NAS-Identifier = "auth_test" 
NAS-Port = 0 
Called-Station-Id = "00-19-77-02-E6-90:auth-wpa2-tkip-8021x" 
Calling-Station-Id = "00-1D-7E-03-2B-CF" 
Framed-MTU = 1500 
NAS-Port-Type = Wireless-802.11 
Connect-Info = "CONNECT 11Mbps 802.11b" 
EAP-Message = 
0x02150090158000861603010046104200400d423029041904e4b654b0384c78b56d7490853af607b909c2f54fc376bebac512ebfb7663e9ee2fc7320d175037da31f09e90ad986d539d519d6ef6c39f577914030100010116030100302027f914730434165f520dc31734211631a5c96402b0ddabaf4d815209d07bb6c0f2817ed3a2233822587288715beab6
 
State = 0x4f6739def5f0e9f45fd60479253cc3cd 
Message-Authenticator = 0xe06aac6aeeefc91f7920fd60b05ea9ab 
  Processing the authorize section of radiusd.conf 
modcall: entering group authorize for request 9 
  modcall[authorize]: module "preprocess" returns ok for request 9 
  modcall[authorize]: module "chap" returns noop for request 9 
  modcall[authorize]: module "mschap" returns noop for request 9 
rlm_realm: No '@' in User-Name = "bbb", looking up realm NULL 
rlm_realm: No such realm "NULL" 
  modcall[authorize]: module "suffix" returns noop for request 9 
  rlm_eap: EAP packet type response id 21 length 144 
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation 
  modcall[authorize]: module "eap" returns updated for request 9 
rlm_ldap: - authorize 
rlm_ldap: performing user authorization for bbb 
radius_xlat:  '(uid=bbb)' 
radius_xlat:  'ou=radius,dc=bestgo,dc=aero' 
rlm_ldap: ldap_get_conn: Checking Id: 0 
rlm_ldap: ldap_get_conn: Got Id: 0 
rlm_ldap: performing search in ou=radius,dc=bestgo,dc=aero, with filter 
(uid=bbb) 
rlm_ldap: checking if remote access for bbb is allowed by uid 
rlm_ldap: No default NMAS login sequence 
rlm_ldap: looking for check items in directory... 
rlm_ldap: Adding userPassword as User-Password == "1234" 
rlm_ldap: looking for reply items in directory... 
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id:0 = "1" 
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type:0 = IPv4 
rlm_ldap: Adding radiusTunnelType as Tunnel-Type:0 = GRE 
rlm_ldap: user bbb authorized to use remote access 
rlm_ldap: ldap_release_conn: Release Id: 0 
  modcall[authorize]: module "ldap" returns ok for request 9 
rlm_pap: Found existing Auth-Type, not changing it. 
  modcall[authorize]: module "pap" returns noop for request 9 
modcall: leaving group authorize (returns updated) for request 9 
  rad_check_password:  Found Auth-Type EAP 
auth: type "EAP" 
  Processing the authenticate section of radiusd.conf 
modcall: entering group authenticate for request 9 
  rlm_eap: Request found, released from the list 
  rlm_eap: EAP/ttls 
  rlm_eap: processing type ttls 
  rlm_eap_ttls: Authenticate 
  rlm_eap_tls: processing TLS 
rlm_eap_tls:  Length Included 
  eaptls_verify returned 11  
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange   
TLS_accept: SSLv3 read client key exchange A  
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]   
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished   
TLS_accept: SSLv3 read finished A  
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]   
TLS_accept: SSLv3 write change cipher spec A  
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished   
TLS_accept: SSLv3 write finished A  
TLS_accept: SSLv3 flush data  
(other): SSL negotiation finished successfully  
SSL Connection Established  
  eaptls_process returned 13  
  modcall[authenticate]: module "eap" returns handled for request 9 
modcall: leaving group authenticate (returns handled) for request 9 
Sending Access-Challenge of id 95 to 192.168.200.57 port 32785 
Tunnel-Private-Group-Id:0 = "1" 
Tunnel-Medium-Type:0 = IPv4 
Tunnel-Type:0 = GRE 
EAP-Message = 
0x011600451580003b1403010001011603010030b081e94e6f9087f3c237216ab3fd9d65fc8311b18e37e66208369fb451d373695f16b167d85e80c870295da3d2f21cf4
 
Message-Authenticator = 0x 
State = 0x10aabdcc7ef9ba295475b0706b6e070c 
Finished request 9 
Going to the next request 
Waking up in 6 seconds... 
rad_recv: Access-Request packet from host 192.168.200.57:32785, id=96, 
length=187 
User-Name = "bbb" 
NAS-IP-Address = 192.168.200.57 
NAS-Identifier = "auth_test" 
NAS-Port = 0 
Called-Station-Id = "00-19-77-02-E6-90:auth-wpa2-tkip-8021x" 
Calling-Station-Id = "00-1D-7E-03-2B-CF" 
Framed-MTU = 1500 
NAS-Port-Type = Wireless-802.11 
   

Freeradius and Active directory

2008-05-20 Thread Tomáš Janeček

Hi.

What am I trying to do:
I would like to authenticate my Windows XP wireless clients against
Active Directory server via Freeradius.

What do I have:
I'm using freeradius 1.1.6 (installed via emerge) on Gentoo, Windows XP Pro

What works:
[WinXP]-->[freeradius]-->[w2003server]
1.)I'm able to send requests from Windows XP to freeradius (using
NTradping). (In an earlier testing phase I was able to authenticate
against "radius users file")
2.)I'm able to authenticate against AD (ntlm_auth).

What doesn't work:
When I try to bind phase 1.) and 2.) (i.e. send a request from WinXP to
radius and let radius authenticate against AD), it returns:

**
rad_recv: Access-Request packet from host 1.2.3.4:1224, id=1, length=59
User-Name = "MYNTDOMAIN\\user"
CHAP-Password = 0x6036fd239ead000176def7ade553072c87
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '\' in User-Name = "user", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [user/] (from client MYNETWORK port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---

NTradping returns:
Response: Access-Reject
*
I see the problem in "No authenticate method...", but have no idea how
to repair it:(

Here is radiusd log:
*
notes ~ # radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support
for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output
defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rl

Client can't connect "Acquiring Network address"

2008-05-20 Thread Kwok Sianbin
Hi,
 
 Thanks for the advice. The problem generating certs was solved.
 Now it comes back to the existing problem in version 1.1.7, where the client 
request to the server goes on and on and never gets connected.
 I wonder why NAS-IP-Address = 0.0.0.0 unlike the other as I know got IP 
address assigned.
 
 Here the log
 Ready to process requests.
 User-Name = "MarsNet"
 NAS-IP-Address = 0.0.0.0
 Framed-MTU = 1488
 Called-Station-Id = "00:30:1a:29:03:66"
 Calling-Station-Id = "00:1c:f0:10:56:b8"
 NAS-Port-Type = Wireless-802.11
 NAS-Identifier = "127.0.0.1"
 Connect-Info = "CONNECT 11Mbps 802.11b"
 EAP-Message = 0x0201000c014d6172734e6574
 Message-Authenticator = 0x971de64ca91d1afd0e499d63b8b9aff2
 +- entering group authorize
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 rlm_realm: No '@' in User-Name = "MarsNet", looking up realm NULL
 rlm_realm: No such realm "NULL"
 ++[suffix] returns noop
   rlm_eap: EAP packet type response id 1 length 12
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 ++[eap] returns updated
 ++[unix] returns notfound
 users: Matched entry MarsNet at line 91
 expand: Hello, %{User-Name} -> Hello, MarsNet
 ++[files] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 rlm_pap: Found existing Auth-Type, not changing it.
 ++[pap] returns noop
   rad_check_password:  Found Auth-Type EAP
 auth: type "EAP"
 +- entering group authenticate
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
 ++[eap] returns handled
 Reply-Message = "Hello, MarsNet"
 EAP-Message = 0x010200060d20
 Message-Authenticator = 0x
 State = 0x13382f46133a22a47c694fefa3fc3d08
 Finished request 0.
 Going to the next request
 Waking up in 4.9 seconds.
 User-Name = "MarsNet"
 NAS-IP-Address = 0.0.0.0
 Framed-MTU = 1488
 Called-Station-Id = "00:30:1a:29:03:66"
 Calling-Station-Id = "00:1c:f0:10:56:b8"
 NAS-Port-Type = Wireless-802.11
 NAS-Identifier = "127.0.0.1"
 Connect-Info = "CONNECT 11Mbps 802.11b"
 State = 0x13382f46133a22a47c694fefa3fc3d08
 EAP-Message = 
0x020200500d8000461603010041013d03014832660e2f0fb111fc67ba57fe53cac5b6e069fba786f0ec44807023b4284a881600040005000a000900640062000300060013001200630100
 Message-Authenticator = 0x0fe925603be76e65a1404457ac5412b6
 +- entering group authorize
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 rlm_realm: No '@' in User-Name = "MarsNet", looking up realm NULL
 rlm_realm: No such realm "NULL"
 ++[suffix] returns noop
   rlm_eap: EAP packet type response id 2 length 80
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 ++[eap] returns updated
 ++[unix] returns notfound
 users: Matched entry MarsNet at line 91
 expand: Hello, %{User-Name} -> Hello, MarsNet
 ++[files] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 rlm_pap: Found existing Auth-Type, not changing it.
 ++[pap] returns noop
   rad_check_password:  Found Auth-Type EAP
 auth: type "EAP"
 +- entering group authenticate
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
   TLS Length 70
 rlm_eap_tls:  Length Included
   eaptls_verify returned 11
 (other): before/accept initialization
 TLS_accept: before/accept initialization
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
 TLS_accept: SSLv3 read client hello A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
 TLS_accept: SSLv3 write server hello A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 084c], Certificate
 TLS_accept: SSLv3 write certificate A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
 TLS_accept: SSLv3 write certificate request A
 TLS_accept: SSLv3 flush data
 TLS_accept: Need to read more data: SSLv3 read client certificate A
 In SSL Handshake Phase
 In SSL Accept mode
   eaptls_process returned 13
 ++[eap] returns handled
 Reply-Message = "Hello, MarsNet"
 EAP-Message = 
 EAP-Message = 
0x03131e4d617273696e646f20436572746966696361

Re: Testing FreeRADIUS

2008-05-20 Thread A . L . M . Buxey
Hi,
> Hi all
> sorry for my english.
> i'm running a freeradius server on FreeBSD and i wanted to test it but it
> doesn't work and i don't know why.
> i have tried this command :
> *radtest yhsina yhsina @IPserver 1 testing123.


radtest username password servername 1812 serversecret

eg

radtest yhsina yhsina IPserver 1812 testing123

> radclient: no reponse from server for ID 107
> have any idea please

firewall?  Is FreeRADIUS actually running?  I would advise that
you have 2 terminal windows open, one running 

radiusd -X

the other running your radtest. then you can see what's happening

alan


Re: Freeradius and Active directory

2008-05-20 Thread Tomáš Janeček

Thanks for reply.

Is there any specific HOW-TO?
--
Tomáš Janeček


Re: Freeradius and Active directory

2008-05-20 Thread Alan DeKok
Tomáš Janeček wrote:
> I would like to authenticate my Windows XP wireless clients against
> Active Directory server via Freeradius.
,,,
> What doesn't work:
> When I try to bind phase 1.) and 2.) (ie. send request from winXP to
> radius and let radius to authenticate against AD), it returns:
> 
> **
> rad_recv: Access-Request packet from host 1.2.3.4:1224, id=1, length=59
> User-Name = "MYNTDOMAIN\\user"
> CHAP-Password = 0x6036fd239ead000176def7ade553072c87

  It is impossible to use CHAP to authenticate to AD.  You MUST use
MS-CHAP, or PAP.

  Alan DeKok.


Re: Segmentation fault when use Odyssey Client

2008-05-20 Thread Alan DeKok
Hangjun He wrote:
> If I select EAP-TTLS + use only my certificate for auth will cause
> segmentation fault. Others seems OK.

  Which version of FreeRADIUS are you using?

  Can you put the certificates on a web page where others can test them?

  See also doc/bugs

  Alan DeKok.


Re: Testing FreeRADIUS

2008-05-20 Thread youness hsina
Hi again, I don't have a graphical mode so I can't run 2 terminals.
I think that my FreeRADIUS server is running, because when I run this command:
# /usr/local/etc/rc.d/radiusd status

Th Mai 24 12:32:00 2008: Info: Starting - reading configuration files ...
normally it is running,
but I still have the same problem: I can't test my server.
As for the firewall, I don't know how I can verify whether there is a firewall or not.
Thank you for your help again,
Uness.

2008/5/20 <[EMAIL PROTECTED]>:

> Hi,
> > Hi all
> > sorry for my english.
> > i'm running a freeradius server on FreeBSD and i wanted to test it but it
> > doesn't work and i don't know why.
> > i have tried this command :
> > *radtest yhsina yhsina @IPserver 1 testing123.
>
>
> radtest username password servername 1812 serversecret
>
> eg
>
> radtest yhsina yhsina IPserver 1812 testing123
>
> > radclient: no reponse from server for ID 107
> > have any idea please
>
> firewall?  Is FreeRADIUS actually running?  I would advise that
> you have 2 terminal windows open, one running
>
> radiusd -X
>
> the other running your radtest. then you can see whats happening
>
> alan
>

Re: mysql isn't match with online users status

2008-05-20 Thread Zahra Bahar
But the other fields are true. Could radius have a true session-duration but not 
have received a stop time? 


Re: Freeradius and Active directory

2008-05-20 Thread Nicolas Goutte

Do you mean something like:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

Have a nice day!

On 20.05.2008 at 12:54, Tomáš Janeček wrote:

> Thanks for reply.
>
> Is there any specific HOW-TO?
> --
> Tomáš Janeček


Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman  
Haerdle

Court of registration: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841





Re: SNMP error

2008-05-20 Thread Amr el-Saeed

Hi Alan,

Can't it be applied to 1.1.7 release, as there are many changes  in the 
conf. files  between  1.1.7 and 2.0  ??


Thanks
Amr


[EMAIL PROTECTED] wrote:

> hi,
>
> just a quick check... the smux.c patches ARE applied to the
> 2.0.x smux.c  (but not part of the last 1.1.7 release).
>
> the radius_snmp.c patches  - converting an int to a long
> (handling 64 bit better I'd guess)... haven't been incorporated
> into the 2.0.x tree.
>
> alan



Re: mysql isn't match with online users status

2008-05-20 Thread Alan DeKok
Zahra Bahar wrote:
> but another fields are true. could radius have true session-duration but 
> didn't receive stop time? 

  The server has session duration until the NAS stops sending packets.
The session MAY continue for a short time after the last packet.

  In short, we've been doing this for 10 years.  If the server isn't
getting a stop packet, then it's the fault of the NAS.  Don't try to fix
the server.  You can't.  The server isn't broken.

  Alan DeKok.


Re: SNMP error

2008-05-20 Thread Alan DeKok
Amr el-Saeed wrote:
> Can't it be applied to 1.1.7 release, as there are many changes  in the
> conf. files  between  1.1.7 and 2.0  ??

  Ask redhat, or whoever is packaging your version of 1.1.7.

  All new development, including bug fixes, are on the 2.0 release.

  Alan DeKok.


Re: Freeradius and Active directory

2008-05-20 Thread Alan DeKok
Tomáš Janeček wrote:
> Yes, something like that, but working. I've walked through this exact
> article about 10 times during last two months, but never made it:-(
> 
> I'm really looking for working howto for months...

  Please explain what's going wrong.  Use debug output.

  If the NAS is doing CHAP, then authenticating to AD is *impossible*.
See the following web page:

http://deployingradius.com/documents/protocols/compatibility.html

  Fix the NAS so that it uses one of the supported authentication types.
Stop trying to re-configure the server to do something impossible.  It's
*impossible*.

  For the supported authentication types, it's easy.  Follow the
HOW-TO's, and it will work.

  Alan DeKok.
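
Why the CHAP request in this thread cannot be checked against a backend that holds no cleartext password, as an added example that is not part of the original posts and is not FreeRADIUS code (it serves both of Alan DeKok's replies about CHAP and AD). The CHAP-Password value is the one from the debug output in the thread; the password, the challenge and the SHA-256 stand-in for "whatever one-way hash the directory stores" are constructed assumptions.

```python
import hashlib
import hmac

# CHAP-Password from the debug output quoted in this thread (17 octets).
PAGE_CHAP_PASSWORD = bytes.fromhex("6036fd239ead000176def7ade553072c87")

# Constructed values for the demonstration; not taken from the thread.
PASSWORD = b"correct horse"
CHALLENGE = bytes(range(16))   # stands in for CHAP-Challenge / Request Authenticator
CHAP_ID = 0x60


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 CHAP response: MD5(ID || cleartext password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def split_chap_password(attr: bytes):
    """CHAP-Password attribute value = 1-octet CHAP ID followed by the 16-octet response."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be exactly 17 octets")
    return attr[0], attr[1:]


def verify_chap(attr: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Server-side check: recompute the response from what the server has stored.

    The only input that reproduces the client's digest is the cleartext
    password, because the password is mixed into MD5 together with the ID
    and the per-request challenge.
    """
    chap_id, response = split_chap_password(attr)
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    """Return (result with cleartext stored, result with only a hash stored)."""
    attr = bytes([CHAP_ID]) + chap_response(CHAP_ID, PASSWORD, CHALLENGE)

    # Backend that can hand the server the cleartext password (e.g. a users file).
    with_cleartext = verify_chap(attr, CHALLENGE, PASSWORD)

    # Backend that only holds a one-way hash of the password. SHA-256 is a
    # stand-in here; the point is the same for any one-way hash.
    stored_hash = hashlib.sha256(PASSWORD).digest()
    with_hash_only = verify_chap(attr, CHALLENGE, stored_hash)

    return with_cleartext, with_hash_only


if __name__ == "__main__":
    chap_id, digest = split_chap_password(PAGE_CHAP_PASSWORD)
    print("CHAP ID from the thread's request:", hex(chap_id), "digest octets:", len(digest))
    print("cleartext stored -> %s, hash only -> %s" % demo())
```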

Re: Freeradius and Active directory

2008-05-20 Thread Tomáš Janeček
Yes, something like that, but working. I've walked through this exact 
article about 10 times during last two months, but never made it:-(


I'm really looking for working howto for months...
--
Tomáš Janeček

Re: Testing FreeRADIUS

2008-05-20 Thread A . L . M . Buxey
Hi,
> Hi again,i don't have a graphic mode so  i can't run 2 terminal.
> i think that my freeradius server is running cause when i make this command

who uses graphics?  "man screen" - you can pop between multiple
console sessions with ease...with a single window.

you MUST run radiusd in proper, full debug mode...otherwise
you cannot see why it is failing. and to be honest I think
it's probably a directory/file permission error..and it's dying
without you knowing.  test this theory easily, run your
radiusd startup script...and then

ps aux | grep radius

see a process running?

alan


Re: Freeradius and Active directory

2008-05-20 Thread A . L . M . Buxey
Hi,
> Yes, something like that, but working. I've walked through this exact 
> article about 10 times during last two months, but never made it:-(
>
> I'm really looking for working howto for months...

I checked through it and had a working config.

alan


proxy.conf problem: username send with suffix

2008-05-20 Thread Hans Bornemann
Hi,

what is wrong in this configuration:

#  A standard realm entry. A request from "[EMAIL PROTECTED]" will be
#  sent to radius.company.com as "user", unless the 'nostrip'
#  configuration item is specified.  If the 'nostrip' configuration
#  item is specified, then the request will be proxied as
#  "[EMAIL PROTECTED]"

#
realm tu-dortmund.de {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

but freeradius takes [EMAIL PROTECTED] to check against radcheck.

debug output:

 rad_recv: Access-Request packet from host 129.217.169.191:32769, id=14,
length=280
User-Name = "[EMAIL PROTECTED]"
Calling-Station-Id = "00-19-D2-CF-E5-50"
Called-Station-Id = "00-0B-85-60-39-10:ITMC-WPA2"
NAS-Port = 29
NAS-IP-Address = 129.217.157.246
NAS-Identifier = "mh-wlc4"
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "3503"
EAP-Message =
0x02100050198000461603010041013d03014832b93a0818b6073bdbd9b486630753af0d0f2e0469e2b071963d5240815fae1600040005000a000900640062000300060013001200630100
State = 0x622cbb3df28c136e779e7cacb89d1a8d
Message-Authenticator = 0xc969e31716dd9b76025be36ae5e396e4
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 81
  modcall[authorize]: module "preprocess" returns ok for request 81
  modcall[authorize]: module "chap" returns noop for request 81
  modcall[authorize]: module "mschap" returns noop for request 81
rlm_realm: Looking up realm "tu-dortmund.de" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "tu-dortmund.de"
rlm_realm: Adding Stripped-User-Name = "mhanborn"
rlm_realm: Proxying request from user mhanborn to realm
tu-dortmund.de
rlm_realm: Adding Realm = "tu-dortmund.de"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 81
  rlm_eap: EAP packet type response id 16 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 81
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = '[EMAIL PROTECTED]'
ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' 
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' 
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck

Thanks
Hans


-- 
Hans Bornemann
Universitaet Dortmund - ITMC
Tel. ++49 231 755 2132  Fax. ++49 231 755 2731



Re: proxy.conf problem: username send with suffix

2008-05-20 Thread A . L . M . Buxey
Hi,

> what is wrong in this configuration:

you haven't configured your SQL to use the Stripped-UserName,
you have the default configuration that uses the UserName
SQL-User-Name = "%{User-Name}"  or somesuch.

depending on your version of radiusd, simply check the sql.conf
or dialup.conf file to find the line that sets
it, if you are lucky, you will see the very handy line to use instead
which will set it to

stripped username, if not stripped, then username, if not username
then DEFAULT value from engine.

et voila! it will work

alan


Re: Freeradius and Active directory

2008-05-20 Thread Tomáš Janeček

Hi.

I didn't want to say that this howto is somehow wrong or bad... It just 
didn't work in my case. (understand: I did/I'm doing something wrong)


Now I'm focusing on what you wrote in first e-mail: do MS-CHAP instead 
of CHAP for AD auth. (Thanks for advice)


I see progress, because I have 0xC06A error in my AD log (wrong 
password). That is a good message, because radius server (understand: my 
wrong configuration of the server) finally communicates with AD.

Hurray!
--
Tomáš Janeček

Re: Freeradius and Active directory

2008-05-20 Thread A . L . M . Buxey
Hi,

> I see a progress, because I have 0xC06A error in my AD log (wrong 
> password). That is a good message, because radius server (understand: my 
> wrong configuration of the server) finally communicates with AD.
> Hurray!

yay! now, don't forget, depending on how you talk to
your AD, you'll either use the radiusd username/password
or you'll be using the login EAP username/password to
join the AD for LDAP lookups etc.

alan


Re: SNMP error

2008-05-20 Thread A . L . M . Buxey
Hi,

> Can't it be applied to 1.1.7 release, as there are many changes  in the 
> conf. files  between  1.1.7 and 2.0  ??

it probably could be applied to 1.1.7 source archive if
you build it yourself. your distro package maintainer, otherwise,
could release a 1.1.7 package with these patches in.
It could be applied to the main source - as that would then
be a 1.1.8 release - which isn't likely to happen(*) 

alan

(*) from what main developers have hinted: all work/effort
is to be done on 2.0.x tree 


Re: Testing FreeRaduis

2008-05-20 Thread youness hsina
thanks for your response.

i started my radiusd and then i tried : ps aux | grep radius
i have no process running even radiusd server is starting
regards,
uness

2008/5/20 <[EMAIL PROTECTED]>:

> Hi,
> > Hi again,i don't have a graphic mode so  i can't run 2 terminal.
> > i think that my freeradius server is running cause when i make this
> command
>
> who uses graphics?  "man screen" - you can pop between multiple
> console sessions with ease...with a single window.
>
> you MUST run radiusd in proper, full debug mode...otherwise
> you cannot see why it is failing. and to be honest I think
> it's probably a directory/file permission error..and it's dying
> without you knowing.  test this theory easily, run your
> radiusd startup script...and then
>
> ps aux | grep radius
>
> see a process running?
>
> alan



-- 
HSINA Youness
Etudiant R&T - IUT--Velizy 78140
Tél : 06.28.73.76.75

Re: Testing FreeRaduis

2008-05-20 Thread A . L . M . Buxey
Hi,
> thanks for your response.
> 
> i started my radiusd and then i tried : ps aux | grep radius
> i have no process running even radiusd server is starting

okay. now run, as the user that you have configured radiusd
to run as (eg 'radiusd') the radiusd eg

>su - radiusd
>radiusd -x

this will show you why it's failing. as said before, suspect
100% file permissions - either on eg /var/log/radiusd type files
or /var/run/radiusd/ directory etc

alan


Re: Testing FreeRaduis

2008-05-20 Thread youness hsina
>
> When i run this command :
> >radiusd -x
>
in the end i have : *Ready to process requests*
it means that the server is running correctly and waiting for requests .
but i still don't know why the test doesn't work


>
> this will show you why it's failing. as said before, suspect
> 100% file permissions - either on eg /var/log/radiusd type files
> or /var/run/radiusd/ directory etc


which permission should i give to these files and how can i do it ?
thank you for your help

>
>

Re: Testing FreeRaduis

2008-05-20 Thread A . L . M . Buxey
Hi,
> >
> > When i run this command :
> > >radiusd -x
> >
> in the end i have : *Ready to process requests*

did you do that as root, or as the user defined in radiusd.conf?

if done as root, then it would work.

> which permission should i give to these files and how can i do it ?
> thank you for your help

none, until you know what is going wrong! don't make changes unless you
know the issue. blindly making config and permission changes will mess
things up.

alan


Re: Testing FreeRaduis

2008-05-20 Thread youness hsina
i did this as root .
for information i have an ldap server which contains my users.
i have found an error in my log file :
*rlm_ldap: connection attempt failed*
*rlm_ldap: could not start TLS can't contact ldap server*
regards,
uness

Re: Testing FreeRaduis

2008-05-20 Thread A . L . M . Buxey
Hi,
> i did this as root .

do you run the server as root though? what does radiusd.conf
say? what do your init scripts say?

> for information i have an ldap server which contains my users.
> i have found an error in my log file :
> *rlm_ldap: connection attempt failed*
> *rlm_ldap: could not start TLS can't contact ldap server*

that won't help... and if your users are only available
by that method..and it cannot be contacted then you will
get timeouts

alan


RE: Freeradius and Active directory (An aside)

2008-05-20 Thread Dean, Barry
Alan DeKok said:

>  It is impossible to use CHAP to authenticate to AD.  You MUST use
> MS-CHAP, or PAP.

When testing my Radius server with AD and XSupplicant I found that EAP-TTLS 
with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all 
failed.

So you have explained why EAP-TTLS (CHAP) fails, thanks!

So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my Radius config 
broken?

---
Barry Dean
Networks Team



Re: mysql isn't match with online users status

2008-05-20 Thread Marinko Tarlac
@Zahra

Check the connection between NAS and your radius server. Problem can be
caused if your connection is unstable and sometimes radius server didn't
receive stop packages.

So, just like Alan said.. RS server works fine and you don't need to fix it
:)

On Tue, May 20, 2008 at 1:09 PM, Alan DeKok <[EMAIL PROTECTED]>
wrote:

> Zahra Bahar wrote:
> > but another fields are true. could radius have true session-duration but
> didn't receive stop time?
>
>   The server has session duration until the NAS stops sending packets.
> The session MAY continue for a short time after the last packet.
>
>  In short, we've been doing this for 10 years.  If the server isn't
> getting a stop packet, then it's the fault of the NAS.  Don't try to fix
> the server.  You can't.  The server isn't broken.
>
>  Alan DeKok.

Re: Testing FreeRaduis

2008-05-20 Thread youness hsina
i run the server as root .
i can't give you a copy of my radiusd.conf file, because i'm running the
server in a machine with no graphic mode.
for init script, i have this thing :

Tue May 20 16:06:03 2008: Info: Starting - reading configuration files ...
thank for your help ,
uness

Re: Freeradius and Active directory (An aside)

2008-05-20 Thread Nicolas Goutte


On 20.05.2008 at 16:05, Dean, Barry wrote:


Alan DeKok said:


 It is impossible to use CHAP to authenticate to AD.  You MUST use
MS-CHAP, or PAP.


When testing my Radius server with AD and XSupplicant I found that  
EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with  
CHAP inner auth all failed.


So you have explained why EAP-TTLS (CHAP) fails, thanks!

So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my  
Radius config broken?


As far as I understand, the password for MS-CHAP is MD4 on UTF-16LE.  
So if you have only a password for MS-CHAP, you do not have a MD5  
version of the password.








Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing Directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Commercial register: Amtsgericht Münster / HRB: 5624
Tax No.: 337/5903/0421 / VAT ID: DE 204607841






Re: Freeradius and Active directory (An aside)

2008-05-20 Thread Arran Cudbard-Bell

Dean, Barry wrote:

Alan DeKok said:

  

 It is impossible to use CHAP to authenticate to AD.  You MUST use
MS-CHAP, or PAP.



When testing my Radius server with AD and XSupplicant I found that EAP-TTLS 
with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all 
failed.

So you have explained why EAP-TTLS (CHAP) fails, thanks!

So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my Radius config 
broken?
  

EAP-MD5 won't work either...

Ok the basic requirement for most Authentication schemes transferring 
the user's credentials as a non-reversible hash, is that the password is 
available RADIUS side as either a clear-text string, or as a reversible 
hash which can be transformed back into a clear-text string.


I say most because there are of course a few exceptions, the most notable 
being MSCHAP & MSCHAPv2 which allow you to store the password directory 
side as an MD4 hash of the passphrase encoded as a 16bit unicode string 
(NT Password) or a LANMAN password (can't remember the encoding for that).


I believe that AD uses NT Password hashes, which is why PEAP just works 
out of the box with Microsoft IAS. So no, MD5/CHAP won't work with 
active directory. But PAP, MSCHAP/MSCHAPv2 should all work just fine.


Thanks,
Arran



  



--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services (IT Services) 
E1-1-08, Engineering 1, University Of Sussex, Brighton

EXT: +44 1273 873900 | INT: 3900



Re: Testing FreeRaduis

2008-05-20 Thread A . L . M . Buxey
Hi,

> i can't give you a copy of my radiusd.conf file, because i'm running the
> server in a machine with no graphic mode.

I don't want a copy of the radiusd.conf - just what the user/group
entries state in that file.

and to send someone a copy, simply copy the config to the system you are
emailing from and then 'insert' it - with my emailer (mutt) i use
'vi' as my editor, esc :a filename.txt - done. config in file, or
use mutt, sending email page. press a to attach.  can't blame
technology when it's capable of doing the task! :-)

> for init script, i have this thing :
> 
> Tue May 20 16:06:03 2008: Info: Starting - reading configuration files ...

that's not the init script, that's the output - once again, what
does the rc.d/radiusd script DO?

alan


Re: Freeradius and Active directory (An aside)

2008-05-20 Thread Arran Cudbard-Bell

Nicolas Goutte wrote:


On 20.05.2008 at 16:05, Dean, Barry wrote:


Alan DeKok said:


 It is impossible to use CHAP to authenticate to AD.  You MUST use
MS-CHAP, or PAP.


When testing my Radius server with AD and XSupplicant I found that 
EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with 
CHAP inner auth all failed.


So you have explained why EAP-TTLS (CHAP) fails, thanks!

So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my Radius 
config broken?


As far as I understand, the password for MS-CHAP is MD4 on UTF-16LE. 
So if you have only a password for MS-CHAP, you do not have a MD5 
version of the password.


That's correct. We don't use AD so didn't have the NT Hash of the user's 
password in our LDAP directory. We used transparent credential capture 
on one of our major web applications over a few months to populate the 
NT Password field.


Here is a nice one-liner (well three with the example) in PHP

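<?php
// Sample clear-text password (constructed value; the example line of the original post did not survive)
$str = 'password';

// NT hash: MD4 over the password converted to UCS-2LE (capped at 128 by mb_substr), hex-encoded
$hash = bin2hex(mhash(MHASH_MD4,mb_substr(mb_convert_encoding($str,'UCS-2LE','auto'),0,128)));

echo $hash;

?>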







--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services (IT Services) 
E1-1-08, Engineering 1, University Of Sussex, Brighton

EXT: +44 1273 873900 | INT: 3900



Re: Freeradius and Active directory (An aside)

2008-05-20 Thread Nicolas Goutte


On 20.05.2008 at 16:20, Arran Cudbard-Bell wrote:


Dean, Barry wrote:

Alan DeKok said:



 It is impossible to use CHAP to authenticate to AD.  You MUST use
MS-CHAP, or PAP.



When testing my Radius server with AD and XSupplicant I found that  
EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with  
CHAP inner auth all failed.


So you have explained why EAP-TTLS (CHAP) fails, thanks!

So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my  
Radius config broken?



EAP-MD5 won't work either...

Ok the basic requirement for most Authentication schemes  
transferring the user's credentials as a non-reversible hash, is  
that the password is available RADIUS side as either a clear-text  
string, or as a reversible hash which can be transformed back into  
a clear-text string.





I say most because there are of course a few exceptions, the most  
notable being MSCHAP & MSCHAPv2 which allow you to store the  
password directory side as an MD4 hash of the passphrase encoded as  
a 16bit unicode string (NT Password) or a LANMAN password (can't  
remember the encoding for that).


For those interested how the passwords are made, see the man page for  
smbpasswd(5). e.g.: http://samba.org/samba/docs/man/manpages-3/smbpasswd.5.html




I believe that AD uses NT Password hashes, which is why PEAP just  
works out of the box with Microsoft IAS. So no, MD5/CHAP won't work  
with active directory. But PAP, MSCHAP/ MSCHAPv2 should all work  
just fine.


Thanks,
Arran





Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing Directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Commercial register: Amtsgericht Münster / HRB: 5624
Tax No.: 337/5903/0421 / VAT ID: DE 204607841






Auth type change when it called through asterisk.

2008-05-20 Thread johnson elangbam
Hi,
 I have successfully done my authentication and authorization with perl
and digest in mixed mode, and it replies with Access-Accept packets from the radius
server. But when I tried to call through asterisk, the server tries to
authenticate again and rejects. The auth type is turned into local again
though I put perl and digest. How will the auth type become perl and digest
when I call through asterisk?

This is the output log after the server authenticates a user:
rad_recv: Access-Request packet from host 192.168.1.227 port 32958, id=215,
length=259
User-Name = "[EMAIL PROTECTED]"
Digest-Attributes = "\n\005100"
Digest-Attributes = "\001\017192.168.1.227"
Digest-Attributes = "\002*4832e5db308756e206b4536810ea3e70cf300c66"
Digest-Attributes = "\004\023sip:192.168.1.227"
Digest-Attributes = "\003\nREGISTER"
Digest-Response = "805279e87b5ef1a7bc640350165079ff"
Service-Type = SIP
Sip-URI-User = "100"
Cisco-AVPair = "call-id=
[EMAIL PROTECTED]"
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x98c2a88 asigned new request. Handled so far: 1
found interpetator at address 0x98c2a88
rlm_perl: Added pair Digest-Response = 805279e87b5ef1a7bc640350165079ff
rlm_perl: Added pair Service-Type = SIP
rlm_perl: Added pair Cisco-AVPair = call-id=
[EMAIL PROTECTED]
rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
rlm_perl: Added pair Sip-URI-User = 100
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair Digest-Attributes = \n\005100
rlm_perl: Added pair Digest-Attributes = \001\017192.168.1.227
rlm_perl: Added pair Digest-Attributes =
\002*4832e5db308756e206b4536810ea3e70cf300c66
rlm_perl: Added pair Digest-Attributes = \004\023sip:192.168.1.227
rlm_perl: Added pair Digest-Attributes = \003\nREGISTER
rlm_perl: Added pair Cleartext-Password = 100
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x98c2a88
++[perl] returns ok
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
rlm_realm: Looking up realm "192.168.1.227" for User-Name = "
[EMAIL PROTECTED]"
rlm_realm: No such realm "192.168.1.227"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
+- entering group authenticate
rlm_digest: Converting Digest-Attributes to something sane...
Digest-User-Name = "100"
Digest-Realm = "192.168.1.227"
Digest-Nonce = "4832e5db308756e206b4536810ea3e70cf300c66"
Digest-URI = "sip:192.168.1.227"
Digest-Method = "REGISTER"
A1 = 100:192.168.1.227:100
A2 = REGISTER:sip:192.168.1.227
H(A1) = fc0ea6eaea4a4b50ad280e803f4bd6a2
H(A2) = fbf27b090821dd0f71c0a0dda09e5e8e
KD =
fc0ea6eaea4a4b50ad280e803f4bd6a2:4832e5db308756e206b4536810ea3e70cf300c66:fbf27b090821dd0f71c0a0dda09e5e8e
EXPECTED 805279e87b5ef1a7bc640350165079ff
RECEIVED 805279e87b5ef1a7bc640350165079ff
++[digest] returns ok
Login OK: [EMAIL PROTECTED]/] (from client
192.168.1.227 port 5060)
+- entering group post-auth
perl_pool: item 0x9997960 asigned new request. Handled so far: 1
found interpetator at address 0x9997960
rlm_perl: Added pair Digest-User-Name = 100
rlm_perl: Added pair Digest-Response = 805279e87b5ef1a7bc640350165079ff
rlm_perl: Added pair Service-Type = SIP
rlm_perl: Added pair Digest-URI = sip:192.168.1.227
rlm_perl: Added pair Digest-Realm = 192.168.1.227
rlm_perl: Added pair Cisco-AVPair = call-id=
[EMAIL PROTECTED]
rlm_perl: Added pair Digest-Method = REGISTER
rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
rlm_perl: Added pair Sip-URI-User = 100
rlm_perl: Added pair Digest-Nonce = 4832e5db308756e206b4536810ea3e70cf300c66
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair Digest-Attributes = \n\005100
rlm_perl: Added pair Digest-Attributes = \001\017192.168.1.227
rlm_perl: Added pair Digest-Attributes =
\002*4832e5db308756e206b4536810ea3e70cf300c66
rlm_perl: Added pair Digest-Attributes = \004\023sip:192.168.1.227
rlm_perl: Added pair Digest-Attributes = \003\nREGISTER
rlm_perl: Added pair Cleartext-Password = 100
rlm_perl: Added pair Auth-Type = digest
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9997960
++[perl] returns ok
Sending Access-Accept of id 215 to 192.168.1.227 port 32958
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 214 with timestamp +5
Cleaning up request 1 ID 215 with timestamp +5
Ready to process requests.

This is the output log after the server rejects a user when it is called
through asterisk:

rad_recv: Access-Request packet from host 192.168.1.227 port 33036, id=222,
length=104
Called-Station-Id = "200"
Calling-Station-Id = "100"
 

Java client for Radius

2008-05-20 Thread avihai marchiano
Hey, 
I need a java client for Radius. It needs to work with all vendors. 
I saw two open source ones: JRadius, radius-client. 
Has anyone compared them? 
Can anyone recommend one? 
Thank you



Simple configuration for authoriazation

2008-05-20 Thread avihai marchiano
Hey, 
I need to have a simple Radius server in order to test a Radius client. 
I want to test authentication and authorization. 
I added a new user in the user file and tested authentication and it works. 
Now I need to test authorization. Where do I assign a role to this user, and how? Can 
someone give me a simple configuration for this? 

Thank you 



Re: Java client for Radius

2008-05-20 Thread Guy Davies
Hi Avihai,

I use the client that comes with the jradius server on my Mac and it's
great.  I don't use a particularly wide range of the features, I'm
sure I barely scratch the surface, if I'm honest, but it does what I
need (and it works flawlessly on my Mac :-)

I've not tried radius-client so I cannot make a comparison.

Rgds,

Guy

2008/5/20 avihai marchiano <[EMAIL PROTECTED]>:
> Hey,
>
> I need a java client for Radius. it need to work with all vendors.
> I saw two open sources: JRadius, radius-client.
> Does someone compare them?
> Does someone can recommend?
>
> Thank you
>


Re: Java client for Radius

2008-05-20 Thread avihai marchiano
Do you know if it also supports other vendors?

I understand (and I might understand wrong) that you need to configure (or 
install) something on the server side in order to work with JRadius. I need to 
work against all Radius servers and I can't change or add to the Radius server.



Re: Java client for Radius

2008-05-20 Thread Guy Davies
2008/5/20 avihai marchiano <[EMAIL PROTECTED]>:
> Do you know if it also supports other vendors?

JRadius client is java.  I initially had some problems because of the
environment used to build jradius-client but I contacted the author
and he fixed it really quickly.  I don't know of any reason why
jradius-client won't work on any java engine.

> I understand (and I might understand wrong) that you need to configure (or 
> install) something on the server side in order to work with JRadius. I need 
> to work against all Radius servers and I can't change or add to the Radius 
> server.

JRadius is a frontend to FreeRADIUS and requires FR to operate
properly.  However, the client doesn't require any of that.  You can
download the whole package and just get the client bit and run it.
There's a shell script that fires everything up correctly.

Rgds,

Guy



mod_auth_radius: AuthRadiusCookieValid problem

2008-05-20 Thread richard lucassen
Hello list,

I use the mod_auth_radius module in both Apache1 and Apache2. These
modules work fine, but a remarkable difference between the two is that
the variable "AuthRadiusCookieValid" (which is set to "1", which means
one minute) is working well when the Apache1 is visited, but is not
working at all when viewing a page on Apache2.

I realize that this issue may not be related to freeradius, but does
anyone have a hint?

R.

-- 
___
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+--+
| Richard Lucassen, Utrecht|
| Public key and email address:|
| http://www.lucassen.org/mail-pubkey.html |
+--+


Freeradius 2.04 + python + mysqldb python module on Debian 4.0

2008-05-20 Thread jpurtteman
From the subject, you can probably guess that it's just barely a FreeRADIUS 
problem :)  Anyway...

Using the Build (http://wiki.freeradius.org/Build) instructions for Debian, i 
have compiled FreeRADIUS with python support.  I copied the example module 
configuration for python out of experimental.conf.  using the provided test 
script, the server runs fine. and any other simple script works until i try to 
import MySQLdb for python.  However, when you try to  "import MySQLdb",  it 
blows it stops, and throws the following:

: /var/lib/python-support/python2.5/_mysql.so: 
undefined symbol: PyExc_ImportError 
Failed to import python module "pyrad_auth" 
/etc/freeradius/radiusd.conf[608]: Instantiation failed for module "python"
Errors initializing modules

Which, i think, means that it can't load the mysql module for some reason, and 
i don't know much else.  from the command prompt, i can execute the .py script 
that i am using.  In fact, it is the same script that works on a SuSE 10.1 
server that i have, so i think the script is not likely to be the problem.

Any pointers/hints/need more info?  Much appreciated.

--Jester Purtteman


Dynamic VLAN and FreeRadius

2008-05-20 Thread William E. Russell
All,

I am trying to get the RADIUS server to not only authenticate the
supplicant, but also provide the NAS with a VLAN ID. I have tried certain
resources and haven't been able to receive the VLAN ID. Can anyone provide any
help in this area?

Thanks


William E. W. Russell
Member of Technical Staff (Software Development)
198 Brighton Avenue
Long Branch, New Jersey 07740
Home #: 732-752-2037
Cell #: 732-744-6483


Freeradius 2.0.4 + OpenLDAP Problem (Cleartext-Password)

2008-05-20 Thread German Hernandez
Hello everybody!!

I have FreeRADIUS 1.1.7 + openldap using EAP-PEAP authentication, perfectly 
working.

Now, I want to use the same openldap database, but with FreeRADIUS 2.0.4, but I 
can't get a successful authentication.


Are additional configuration parameters necessary for FreeRADIUS 2.0.4?

How or where can I configure User-Password instead of Cleartext-Password? 

Does the OpenLDAP database need changes for FreeRADIUS 2.0.4?

---

Similar error I got, when I configured EAP-PEAP without OpenLDAP database(Using 
users file), like in FreeRADIUS 1.1.7:

"temporal1" User-Password == "temporal1"

But, when I changed User-Password with Cleartext-Password:

"temporal1" Cleartext-Password := "temporal1"

I got success authentication.
---

But,I need to continue using my OpenLDAP database, somebody can help me how to 
achieve that?

Thanks in advance!

German

   
User-Name = "temporal1"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00-20-a6-53-a6-a0:WLAN"
Calling-Station-Id = "00-0e-9b-d3-72-7c"
NAS-Identifier = "Avaya-AP-8-53-a6-a0"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202000e0174656d706f72616c31
Message-Authenticator = 0x55f6f02dad97274f983156eb619450fb
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "temporal1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
expand: ou=users,ou=radius,dc=wireless,dc=mired,dc=mx -> 
ou=users,ou=radius,dc=wireless,dc=mired,dc=mx
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=temporal1)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.2:389, authentication 0
rlm_ldap: bind as uid=riu,ou=admin mail,dc=server,dc=mired,dc=mx/mypass to 
192.168.1.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, 
with filter (uid=temporal1)
rlm_ldap: ldap_release_conn: Release Id: 0
expand: 
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 -> 
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, 
with filter 
(&(cn=academicos)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in 
cn=RETY750916,ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, with filter 
(objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group academicos
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 139
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for temporal1
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=temporal1)
expand: ou=users,ou=radius,dc=wireless,dc=mired,dc=mx -> 
ou=users,ou=radius,dc=wireless,dc=mired,dc=mx
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, 
with filter (uid=temporal1)
rlm_ldap: Added User-Password = TEMPORAL1 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user temporal1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good"   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!

Re: freeradius not working with AD

2008-05-20 Thread Karthik R
Alan,

I reconfigured freeradius from scratch, and when I generated the ca.der
certificate, it generated a certificate valid for only 30 days. The
default days mentioned in ca.cnf has been modified to 730 days, but still no
luck. Additionally, I modified openssl.cnf too for 730 days.

default_days= 730
default_crl_days= 30

Please let me know if this validity matters?


On 5/19/08, Alan DeKok <[EMAIL PROTECTED]> wrote:
>
> Karthik R wrote:
> > I'm trying to configure freeradius to authenticate against AD for
> > wireless users. Attached the entire log message for reference.
> >
> > I was able to narrow down the issue but could not fix it, can someone
> > help me here.
>
> You edited the default configuration and broke it.
>
> DON'T DO THAT.
>
> The default configuration WORKS for wireless users.  Add a user as per
> the FAQ, uncheck "validate server certificate" on the wireless client,
> and wireless authentication WILL WORK.
>
> Then, configure the MSCHAP module, and Samba.  See my web site for
> detailed instructions: http://deployingradius.com
>
> Alan DeKok.



-- 
Regards,
Kartthik R
-
Success is a journey, Not a destination.

Re: Freeradius 2.04 + python + mysqldb python module on Debian 4.0

2008-05-20 Thread Mike O'Connor

Hi Jester

A few things.

1. I've never been able to get python to work correctly on a Debian 
system, this is for both Sarge and Etch. We currently have to use CentOS 
5 for our proxy radius systems which use python.


2. I do not believe that loading a mysql connection each time you 
receive a radius packet is going to be a good idea. I would instead 
create a very small shim which calls a python daemon via a unix socket.


Cheers
Mike

[EMAIL PROTECTED] wrote:

From the subject, you can probably guess that it's just barely a FreeRADIUS 
problem :)  Anyway...

Using the Build (http://wiki.freeradius.org/Build) instructions for Debian, I have 
compiled FreeRADIUS with python support.  I copied the example module configuration for 
python out of experimental.conf.  Using the provided test script, the server runs fine, 
and any other simple script works until I try to import MySQLdb for python.  However, 
when you try to  "import MySQLdb",  it blows it stops, and throws the following:

: /var/lib/python-support/python2.5/_mysql.so: undefined symbol: PyExc_ImportError 
Failed to import python module "pyrad_auth" 
/etc/freeradius/radiusd.conf[608]: Instantiation failed for module "python"

Errors initializing modules

Which, I think, means that it can't load the mysql module for some reason, and 
I don't know much else.  From the command prompt, I can execute the .py script 
that I am using.  In fact, it is the same script that works on a SuSE 10.1 
server that I have, so I think the script is not likely to be the problem.

Any pointers/hints/need more info?  Much appreciated.

--Jester Purtteman


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
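
The arrangement suggested in point 2 of the reply above (a long-lived daemon that holds the database connection, and a small per-packet shim that talks to it over a Unix socket), as an added example that is not code from the thread or from FreeRADIUS. Assumptions: sqlite3 stands in for the MySQL connection so the block runs offline, and the socket path, table contents and one-line protocol are hypothetical.

```python
import os
import socket
import socketserver
import sqlite3
import tempfile
import threading

# Hypothetical socket path; mkdtemp() creates the directory with mode 0700.
SOCK_PATH = os.path.join(tempfile.mkdtemp(), "authd.sock")

def open_db():
    """Opened once at daemon start; sqlite3 stands in for MySQL (assumption)."""
    db = sqlite3.connect(":memory:", check_same_thread=False)
    db.execute("CREATE TABLE radcheck (username TEXT PRIMARY KEY, vlan TEXT)")
    db.executemany("INSERT INTO radcheck VALUES (?, ?)",
                   [("alice", "10"), ("bob", "20")])  # constructed sample rows
    return db

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        # One request per connection: a single bounded line with the user name.
        username = self.rfile.readline(256).decode("utf-8", "replace").strip()
        with self.server.db_lock:
            row = self.server.db.execute(
                "SELECT vlan FROM radcheck WHERE username = ?", (username,)
            ).fetchone()  # parameterised query: the name is never spliced into SQL
        reply = "OK " + row[0] if row else "REJECT"
        self.wfile.write(reply.encode() + b"\n")

def start_daemon(path=SOCK_PATH):
    server = socketserver.UnixStreamServer(path, Handler)
    os.chmod(path, 0o600)  # only the daemon's own user may connect
    server.db, server.db_lock = open_db(), threading.Lock()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def shim_lookup(username, path=SOCK_PATH, timeout=2.0):
    """The small per-packet call: no database driver is imported or connected here."""
    if "\n" in username or "\r" in username:
        return "REJECT"  # a user name must not carry a second protocol line
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)  # a hung daemon must not stall packet handling
        s.connect(path)
        s.sendall(username.encode("utf-8") + b"\n")
        return s.makefile("r").readline().strip()
```
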


Re: Dynamic VLAN and FreeRadius

2008-05-20 Thread Michael Schwartzkopff
William E. Russell wrote:
> All,
> 
> I am trying to get the RADIUS server to not only authenticate the
> supplicant, but also provide the NAS with a VLAN ID. I have tried certain
> resources and haven't been able to receive the VLAN ID. Can anyone provide any
> help in this area?
> 
> Thanks
> 
> 
> William E. W. Russell
> Member of Technical Staff (Software Development)
> 198 Brighton Avenue
> Long Branch, New Jersey 07740
> Home #: 732-752-2037
> Cell #: 732-744-6483
> 
> 
> 
> 
> 

See:

http://www.linux-magazine.com/issue/52/Freeradius_802.1X.pdf

If you have further questions, please come back to this list or to me.

Michael.