Re: openLDAP & freeRADIUS

2008-06-26 Thread Mustapha Bouikhif

William E. Russell wrote:

All,

I am currently working with openLDAP and freeRADIUS.
I have correctly set up freeRADIUS to read from my openLDAP. I can't
seem to authenticate my user. I have narrowed down the error to a single
line, "rlm_eap_mschapv2: Invalid response type 4". From my hours of
searching online, I have realized that all this means is that there was an
error in the response packet. I have no idea what error could have occurred.
I believe it may have to do with the password_attribute. I read some
documentation that said there was some issue with LDAP and passing a
cleartext password. Also, as you can see, I am using EAP/PEAP with MSCHAP.
Anybody have any insight into this type of thing? If I could just get some
help on how to set up the LDAP and RADIUS, that would be great - I have read
just about every single tutorial so please don't direct me to one of those.
I need someone who has a similar set up - what did you use for password
attribute?

William

William E. W. Russell
Member of Technical Staff (Software Development)
198 Brighton Avenue
Long Branch, New Jersey 07740
Home #: 732-752-2037
Cell #: 732-744-6483

  



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Hello,

I have nearly the same installation as you. If you want to use EAP/{PEAP 
or TTLS} with MSCHAPv2, the userPassword attribute in LDAP must be 
encrypted before loading it into the LDAP database. Also FreeRADIUS (via the 
MSCHAP module) needs to get the userPassword attribute (via the NT-Password 
mapping in the ldap.attrmap file).
To encrypt a password, use "smbencrypt" to generate two types of hashes: 
LM hash and NT hash. You must use the NT hash for MSCHAPv2 to work properly.


hope this may help...


--
Mustapha BOUIKHIF
Service Systèmes d'Information
CNRS - DR4 


tel: +33 1 69 82 33 97
fax: +33 1 69 82 33 39



Re: openLDAP & freeRADIUS

2008-06-26 Thread Alan DeKok
William E. Russell wrote:
>   I have correctly set up freeRADIUS to read from my openLDAP. I can't
> seem to authenticate my user. I have narrowed down the error to a single
> line, "rlm_eap_mschapv2: Invalid response type 4". From my hours of
> searching online, I have realized that all this means is that there was an
> error in the response packet.

  Code 4 is MS-CHAP failure.  It means that the client told the server
it didn't like the previous packet.

> I have no idea what error could have occurred.
> I believe it may have to do with the password_attribute. I read something
> documentation that said there was some issue with LDAP and passing a
> cleartext password. Also, as you can see, I am using EAP/PEAP with MSCHAP.
> Any body have any insight in to this type of thing? If I could just get some
> help on how to set up the LDAP and RADIUS, that would be great - I have read
> just about every single tutorial so please don't direct me to one of those.
> I need someone who has a similar set up - what did you use for password
> attribute?

  userPassword.

  Step 1: Get PEAP working with an entry in the "users" file.
  Step 2: Get LDAP working with PAP (radclient).  Verify that it
  is NOT doing "bind as user"
  Step 3: Verify that PEAP works against LDAP.

  PLEASE show the debug output.  The reason we ask for it is because it
is the DEFINITIVE explanation of what's going on, and the ONLY way to
help you solve the problem.

  Alan DeKok.
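Step 2 above deliberately uses PAP through radclient so that the LDAP lookup can be checked without EAP in the way. As an added example (not from the thread and not FreeRADIUS's own code), here is what that step puts on the wire and how the server side unpacks it: the User-Password is hidden with the shared secret and Request Authenticator per RFC 2865 section 5.2, a Message-Authenticator (RFC 3579 section 3.2) is computed over the packet, and the receiver verifies that before recovering the password. User name, password, secret and Request Authenticator are constructed values.

```python
"""PAP Access-Request as radclient sends it, and the server-side parse (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def _xor_stream(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    # RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous block),
    # "previous" being the Request Authenticator first and the *hidden* block afterwards.
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(chunk, key))
        out += block
        prev = chunk if decrypt else block
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_stream(padded, secret, authenticator, decrypt=False)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    # Passwords cannot contain NUL, so stripping the padding is unambiguous.
    return _xor_stream(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def _tlv(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         authenticator: bytes = b"") -> bytes:
    ra = authenticator or os.urandom(16)      # Request Authenticator: 16 random octets
    body = _tlv(USER_NAME, username.encode()) + \
        _tlv(USER_PASSWORD, hide_password(password.encode(), secret, ra))
    # Message-Authenticator: HMAC-MD5 over the packet with this attribute zeroed.
    # Mandatory when EAP-Message is present; optional for PAP, but it lets the server
    # prove the client knows the shared secret instead of silently decoding garbage.
    length = 20 + len(body) + 18
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + ra
    mac = hmac.new(secret, header + body + _tlv(MESSAGE_AUTHENTICATOR, bytes(16)),
                   hashlib.md5).digest()
    return header + body + _tlv(MESSAGE_AUTHENTICATOR, mac)


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Server side: validate framing and Message-Authenticator, recover the PAP password."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not an Access-Request or bad Length")
    ra, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = (pos, packet[pos + 2:pos + l])
        pos += l
    if MESSAGE_AUTHENTICATOR in attrs:
        off, mac = attrs[MESSAGE_AUTHENTICATOR]
        if len(mac) != 16:
            raise ValueError("bad Message-Authenticator length")
        zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("Message-Authenticator mismatch (wrong shared secret?)")
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("PAP request needs User-Name and User-Password")
    return {"id": ident,
            "User-Name": attrs[USER_NAME][1].decode(),
            "User-Password": unhide_password(attrs[USER_PASSWORD][1], secret, ra).decode()}


def secret_is_accepted(packet: bytes, secret: bytes) -> bool:
    """True when the packet parses and its Message-Authenticator checks out under `secret`."""
    try:
        parse_access_request(packet, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = build_access_request(7, "bob", "s3cret-pw", b"testing123")   # constructed values
    print(pkt.hex())
    print(parse_access_request(pkt, b"testing123"))
```

Why Alan insists on "NOT bind as user": with PAP the server holds the cleartext and could bind to LDAP with it, but under PEAP/MSCHAPv2 the server never receives the cleartext, only a challenge/response derived from the NT hash, so it must be able to read that hash from the directory itself. The Message-Authenticator also shows why the debug output matters: without it, a wrong shared secret just decodes to garbage and looks like a bad password.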


Re: FreeRadius Mysql Problem Solaris

2008-06-26 Thread A . L . M . Buxey
Hi,
> 
> I tried to install FreeeRadius 2 on Solaris 10_X86. But it got error on make
> here is the error.

firstly, this is 2.0.3 - use 2.0.5
secondly, did you specify the location / PATH
for the mysql link libraries on the configure
line? are you building as a static or dynamic?

alan


EAP failure since upgrade

2008-06-26 Thread Jonathan Gazeley

Hello,

Until a couple of days ago, my FreeRadius setup was working perfectly 
normally - running FreeRadius 2.0.1 on a Centos 5 server.  FreeRadius 
was compiled from source, not installed from a repository. Two days ago 
I received some automatic updates from standard Centos repo, and since 
then Radius has not worked.


Running eapol_test gives some output, including this (more of the output 
can be supplied on demand):


EAPOL: SUPP_BE entering state RECEIVE
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=9 length=44
  Attribute 79 (EAP-Message) length=6
 Value: 04 09 00 04
  Attribute 80 (Message-Authenticator) length=18
 Value: 43 9e 23 c8 74 b1 a0 9f 8c 3b 83 be e8 36 a8 30
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending 
request, round trip time 0.20 sec

RADIUS packet matching with station
decapsulated EAP packet (code=4 id=9 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

I checked and verified all the Freeradius configs. I recompiled 2.0.1 , 
and later compiled and installed 2.0.5 but this shows identical symptoms.


I have attached the relevant section of my yum.log to show which 
packages were updated. The Radius server was tested once every minute by 
authenticating with a test account. This was first reported to fail at 10:48


I do not know which package could have caused this behaviour - has 
anyone else seen anything like this?


It is quite urgent that I get this fixed asap as it is a production box 
at Bristol university. Currently we are running on the backup box, where 
I was luckily able to disable automatic updates before they were applied.


Any advice will be gratefully received.

Cheers,
Jonathan


Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless & VPN Team
Information Services
University of Bristol


Jun 24 13:45:09 Updated: libgcc.i386 4.1.2-42.el5
Jun 24 13:45:25 Updated: glibc-common.i386 2.5-24
Jun 24 13:45:32 Updated: glibc.i686 2.5-24
Jun 24 13:45:34 Updated: bash.i386 3.2-21.el5
Jun 24 13:45:35 Updated: libselinux.i386 1.33.4-5.el5
Jun 24 13:45:36 Updated: chkconfig.i386 1.3.30.1-2
Jun 24 13:45:37 Updated: audit-libs.i386 1.6.5-9.el5
Jun 24 13:45:37 Updated: popt.i386 1.10.2-48.el5
Jun 24 13:45:42 Updated: shadow-utils.i386 2:4.0.17-13.el5
Jun 24 13:45:43 Updated: device-mapper.i386 1.02.24-1.el5
Jun 24 13:45:44 Updated: e2fsprogs-libs.i386 1.39-15.el5
Jun 24 13:45:44 Updated: libstdc++.i386 4.1.2-42.el5
Jun 24 13:45:51 Updated: perl.i386 4:5.8.8-10.el5_2.3
Jun 24 13:45:52 Updated: dbus.i386 1.0.0-7.el5
Jun 24 13:45:53 Updated: libX11.i386 1.0.3-9.el5
Jun 24 13:45:54 Updated: nspr.i386 4.7.0.99.2-1.el5
Jun 24 13:46:14 Updated: nss.i386 3.11.99.5-2.el5.centos
Jun 24 13:46:15 Updated: freetype.i386 2.2.1-20.el5_2
Jun 24 13:46:16 Updated: cairo.i386 1.2.4-5.el5
Jun 24 13:46:16 Updated: libacl.i386 2.2.39-3.el5
Jun 24 13:46:20 Updated: coreutils.i386 5.97-14.el5
Jun 24 13:46:22 Updated: pam.i386 0.99.6.2-3.27.el5
Jun 24 13:46:23 Updated: krb5-libs.i386 1.6.1-25.el5
Jun 24 13:46:25 Updated: openssl.i686 0.9.8b-10.el5
Jun 24 13:46:30 Updated: python.i386 2.4.3-21.el5
Jun 24 13:46:31 Updated: module-init-tools.i386 3.3-0.pre3.1.37.el5
Jun 24 13:46:31 Updated: newt.i386 0.52.2-10.el5
Jun 24 13:46:32 Updated: cups-libs.i386 1:1.2.4-11.18.el5_2.1
Jun 24 13:46:36 Updated: gtk2.i386 2.10.4-20.el5
Jun 24 13:46:37 Updated: udev.i386 095-14.16.el5
Jun 24 13:46:39 Updated: util-linux.i386 2.13-0.47.el5
Jun 24 13:46:41 Updated: binutils.i386 2.17.50.0.6-6.el5
Jun 24 13:46:42 Updated: bind-libs.i386 30:9.3.4-6.P1.el5
Jun 24 13:46:43 Updated: mysql.i386 5.0.45-7.el5
Jun 24 13:46:44 Updated: kpartx.i386 0.4.7-17.el5
Jun 24 13:46:45 Updated: procps.i386 3.2.7-9.el5
Jun 24 13:46:45 Updated: hwdata.noarch 0.213.6-1.el5
Jun 24 13:46:46 Updated: pciutils.i386 2.2.3-5
Jun 24 13:46:47 Updated: e2fsprogs.i386 1.39-15.el5
Jun 24 13:46:48 Updated: iptables.i386 1.3.5-4.el5
Jun 24 13:46:49 Updated: psmisc.i386 22.2-6
Jun 24 13:46:49 Updated: make.i386 1:3.81-3.el5
Jun 24 13:46:50 Updated: diffutils.i386 2.8.1-15.2.3.el5
Jun 24 13:46:51 Updated: iproute.i386 2.6.18-7.el5
Jun 24 13:46:52 Updated: pcsc-lite-libs.i386 1.4.4-0.1.el5
Jun 24 13:46:53 Updated: dmraid.i386 1.0.0.rc13-9.el5
Jun 24 13:46:56 Updated: libgcj.i386 4.1.2-42.el5
Jun 24 13:46:57 Updated: libuser.i386 0.54.7-2.el5.5
Jun 24 13:46:58 Updated: usermode.i386 1.88-3.el5.1
Jun

Re: EAP failure since upgrade

2008-06-26 Thread Jonathan Gazeley

Jonathan Gazeley wrote:
I have attached the relevant section of my yum.log to show which 
packages were updated. The Radius server was tested once every minute 
by authenticating with a test account. This was first reported to fail 
at 10:48

Sorry - please read that as 13:48, i.e. halfway through the update process.

Jonathan


Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless & VPN Team
Information Services
University of Bristol




Re: about eap_handler

2008-06-26 Thread blue_11j

> >   Both.  I have committed a fix to CVS head that:

I tried to make a patch for FR-1.1.7 like that fix.

But when it continues to receive EAP-Identity only (DoS attack):
1) memory usage of radiusd grows.
2) over max_sessions, memory usage stops growing.
   That is OK.
3) but when it starts expiring old handlers and adding new handlers,
   memory usage of radiusd grows again.

To expire an EAP handler,
is it enough to only call eap_handler_free()?

Is there still another memory leak?

Do you have any idea?

Another question,
what do you think about this...
to ignore EAP-Identity when over max_sessions,
what kind of state should be returned from eap_authenticate()?
PW_MODULE_FAIL, NOOP or REJECT?

# I'm sorry, do you understand my English?



--- [EMAIL PROTECTED] wrote:

> Alan DeKok <[EMAIL PROTECTED]> wrote:
> 
> >   Both.  I have committed a fix to CVS head that:
> > 
> > - limits the number of sessions (2k is the default)
> > - expires sessions in eaplist_add()
> 
> thank you.
> I will try to make a patch for FR-1.1.7.
>  
> 
> 




Re: EAP failure since upgrade

2008-06-26 Thread Nicolas Goutte
And what does your Freeradius server tell? (i.e. the classical email  
of this mailing list: "What is the output of radiusd -X ?")


Have a nice day!

On 26.06.2008 at 11:41, Jonathan Gazeley wrote:


...

tnc

2008-06-26 Thread Fernando

Hi,

Finally EAP-TNC is working with wpa_supplicant and freeradius over TTLS, 
but no user authentication, only TTLS and TNC. Is it possible to execute 
TTLS-MSCHAPv2-TNC?


Thanks,
Fernando.


Re: EAP failure since upgrade

2008-06-26 Thread Ivan Kalik
Exec-Program-Wait: plaintext: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc022)

Fix that and it will work.

Ivan Kalik
Kalik Informatika ISP

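Behind Ivan's one-liner: rlm_mschap hands the MSCHAPv2 challenge/response to Samba's ntlm_auth, which has to reach the privileged winbindd pipe under winbindd_privileged, and if the account radiusd runs as cannot enter that directory you get exactly the message quoted above. The following added example (not from the thread and not FreeRADIUS or Samba code) reproduces the owner/group/other decision the kernel makes for that directory and names the usual fix, so the check can be scripted after a package update. The default path and the user name radiusd are assumptions; pass your own on the command line.

```python
"""Check whether the account radiusd runs as can enter winbindd_privileged (added example)."""
import grp
import os
import pwd
import stat
import sys

# Connecting to the socket inside the directory needs search (x) on the directory.
# Samba's recommended mode 0750 gives the owning group r-x, so x is the bit that decides.
NEED = 0o1


def identity(username: str):
    """uid and the full gid set (primary + supplementary) of a local account."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


def evaluate(mode: int, owner_uid: int, owner_gid: int, uid: int, gids) -> tuple:
    """Classic Unix DAC: root, else owner, else group, else other; only one rule applies.
    Returns (rule that matched, whether NEED is satisfied)."""
    if uid == 0:
        rule, bits = "root", 0o7
    elif uid == owner_uid:
        rule, bits = "owner", (mode >> 6) & 0o7
    elif owner_gid in gids:
        rule, bits = "group", (mode >> 3) & 0o7
    else:
        rule, bits = "other", mode & 0o7
    return rule, (bits & NEED) == NEED


def check_dir(path: str, username: str) -> str:
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    uid, gids = identity(username)
    rule, ok = evaluate(mode, st.st_uid, st.st_gid, uid, gids)
    try:
        gname = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        gname = str(st.st_gid)
    if ok:
        return f"OK: {username} can enter {path} (matched as {rule}, mode {mode:04o}, group {gname})"
    return (f"DENIED: {username} matched as '{rule}' on {path} (mode {mode:04o}, group {gname}). "
            f"Typical fix: add the user to that group (usermod -a -G {gname} {username}) "
            f"or chgrp the directory to a group the user is in, keeping mode 0750.")


if __name__ == "__main__":
    # Assumed defaults; override as: check.py /path/to/winbindd_privileged radiusd
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/cache/samba/winbindd_privileged"
    user = sys.argv[2] if len(sys.argv) > 2 else "radiusd"
    print(check_dir(path, user))
```

Run it as part of the same minute-by-minute test account check the original post describes, and the next permission-resetting update will show up as a DENIED line rather than as an EAP Failure with no explanation.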


Re: EAP failure since upgrade

2008-06-26 Thread Alan DeKok
Jonathan Gazeley wrote:
> Yes of course, the output of radiusd -X is attached to this email.

  This is the reason we ask for debug output:

...
Exec-Program output: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc022)
...

  READ the debug output.  We really can't emphasize that enough.

  It's not a FreeRADIUS problem.  Part of the upgrade modified the
permissions on your system, and FreeRADIUS has been trying to tell you that.

  Since you weren't reading the debug output, you were looking
everywhere *else* for the cause of the problem.

  Alan DeKok.


Re: tnc

2008-06-26 Thread Alan DeKok
Fernando wrote:
> Finally EAP-TNC is working with wpa_supplicant and freeradius over TTLS,
> but No user autentication only TTLS and TNC. Is posible execute
> TTLS-MSCHAPv2-TNC?

  You will have to modify the code to get this to work.

  Alan DeKok.


Re: about eap_handler

2008-06-26 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I tried to make a patch for FR-1.1.7 like that fix.
> 
> but, When it continue to receive EAP-Identity only(Dos Attack),
> 1) growing up memory usage of radiusd.
> 2) over max_sessions, growing up memory usage stopped.
>it is ok.
> 3) but, starting expiring old handler and add new handler,
>growing up memory usage of radiusd, again.
> 
> to expiring eap handler, 
> only call eap_handler_free() ?  

  Yes.

> is there other memory leak still ?

  No idea.  Use "valgrind" to see what's going on.

  And please don't spend effort on 1.1.7.  It is old, unsupported, and
all new development is on the 2.0 branch.

> to ignoring EAP-Identity when over max_sessions,
> what kind of state is should return at eap_authenticate()?
> PW_MODULE_FAIL or NOOP or REJECT ?

  FAIL.

> # I'm sorry, do you understand my english?

  Your english is fine.

  Alan DeKok.


Re: EAP failure since upgrade

2008-06-26 Thread Jonathan Gazeley

Hi Ivan,

This worked perfectly - thanks very much. I guess you have sharper eyes 
than me because I missed those lines in the debug output.


Cheers,
Jonathan


Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless & VPN Team
Information Services
University of Bristol




Ivan Kalik wrote:

Exec-Program-Wait: plaintext: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc022)

Fix that and it will work.

Ivan Kalik
Kalik Informatika ISP



Re: EAP method in logs

2008-06-26 Thread Sergio Belkin
2008/6/25 Alan DeKok <[EMAIL PROTECTED]>:
> Sergio Belkin wrote:
>> I use freeradius 2.0.2, and people can use either ttls or peap as they
>> want (or can). I'd want to know if it's possible to see what EAP
>> method users are using through radius logs...
>
>  The EAP type is available in the EAP-Type attribute.  You can use it
> just like anything else: %{EAP-Type} ...
>

Alan, Do I need to use rlm_perl anyway?

>  Alan DeKok.



-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


Re: EAP method in logs

2008-06-26 Thread Alan DeKok
Sergio Belkin wrote:
> Alan, Do I need to use rlm_perl anyway?

  No.  The EAP-Type attribute is added by the EAP module.  Once the
attribute is there, it can be used, edited, updated, etc.  just like
User-Name, or NAS-IP-Address.

  Alan DeKok.


Re: FreeRadius Mysql Problem Solaris

2008-06-26 Thread Umar

Hi

Thanks for your reply. After using 2.0.5 problem is solved but there is
another problem and that is rlm_eap_tls

checking for OpenSSL support... no
configure: WARNING: silently not building rlm_eap_tls.
configure: WARNING: FAILURE: rlm_eap_tls requires: OpenSSL.
configure: creating ./config.status

I have installed openssl from sunfreeware.com and the path is
(/usr/local/ssl). I don't know why freeradius did not find the ssl library.

Please tell me what should I do?

Regards,

Umar Draz



A.L.M.Buxey wrote:
> 
> Hi,
>> 
>> I tried to install FreeeRadius 2 on Solaris 10_X86. But it got error on
>> make
>> here is the error.
> 
> firstly, this is 2.0.3 - use 2.0.5
> secondly, dd you specify the location / PATH
> for the mysql link libraries on the configure
> line? are you building as a static or dynamic?
> 
> alan



RE: radrelay.conf in freeradius 2.0.5

2008-06-26 Thread Sanjeeva Rao

Hi,
I have two machines
  1) Linux server ( freeradius-2.0.5) 
  2) Machine (172.xx.xx.xxx)
I would like to configure the 2nd machine as virtual server. 

I am trying to configure the virtual servers, but could not succeed. 
I made a sym-link in sites-enabled/ to copy-acct-to-home-server.
Inside this file it says 
"You will have to configure
 realms, home_server_pool, and home_server in proxy.conf
 for this to work.
"
I made entry into proxy.conf

home_server virtual_server {
type = auth
ipaddr = 172.16.47.105
port = 1815
secret = testing123
.
...
...
 
}
The output of radiusd -X is as follows
home_server virtual_server {
ipaddr = 172.16.47.105
port = 1815
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
/usr/local/etc/raddb/proxy.conf[354]: Fallback home_server virtual_server does 
NOT contain a virtual_server directive.
}

I would request you all to help me to configure the virtual server. Also I 
would like to know whether radiusd (server) has to be run on the virtual 
server as well?

Thanks & Regards
Sanjeev 

-Original Message-
From: [EMAIL PROTECTED] on behalf of Sanjeeva Rao
Sent: Wed 6/25/2008 3:17 PM
To: FreeRadius users mailing list
Subject: RE: radrelay.conf in freeradius 2.0.5
 
Hi Alan
Thanks for the reply.
I have run radiusd -X and I got the following output.

# ./radiusd -X
FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Jun 24
2008 at 15:33:46
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including files in directory /usr/local/etc/raddb/modules/
...
...
...

including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary


.

I could see it has not read
"raddb/sites-available/copy-acct-to-home-server". I think through this
file we can configure the virtual servers? Thanks for your patience and
insight in advance.


Regards
Sanjeev



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2008 2:53 PM
To: FreeRadius users mailing list
Subject: Re: radrelay.conf in freeradius 2.0.5

Hi,

> Thanks for the reply. Actually in the freeradius-1.x the radrelay is
> Separate executable (process), so as per the release notes of 2.x,
> radrelay functionality is clubbed with radius core server (radiusd). 
> 
> How can I check whether radrelay is running or not, when I am running
> radiusd (freeradius-2.0.5)?

configure the virtual server you require and then see if
the stuff you have configured - eg dumping accounting to
a database...is working...as always, radiusd -X is Very Very useful

alan

Re: FreeRadius Mysql Problem Solaris

2008-06-26 Thread Alan DeKok
Umar wrote:
> Thanks for your reply. After using 2.0.5 problem is solved but there is
> another problem and that is rlm_eap_tls
> 
> checking for OpenSSL support... no
...
> I have installed openssl from sunfreeware.com and the path is
> (/usr/local/ssl). I don't know why freeradius did not found ssl library.

  Because it is a *compiler* issue, and not a *freeradius* issue.  You
put SSL into a place where the compiler and/or dynamic linker can't find it.

  You likely need to add /usr/local/ssl to the dynamic linker path.  See
"man crle".

  Alan DeKok.


Re: radrelay.conf in freeradius 2.0.5

2008-06-26 Thread Alan DeKok
Sanjeeva Rao wrote:
> I have two machines
>   1) Linux server ( freeradius-2.0.5)
>   2) Machine (172.xx.xx.xxx)
> I would like to configure the 2nd machine as virtual server.

  What?

  The virtual servers in 2.0 are configurations, not virtual machines.

> I am trying configure the virtual servers, but could not succeed.
> I made sym-link in the sites-enable/ to the copy-acct-to-home-server.
> Inside this file it says
> "You will have to configure
>  realms, home_server_pool, and home_server in proxy.conf
>  for this to work.

  Thank you for quoting the documentation to the people who wrote it.
You were already told it wasn't necessary.  STOP IT.
...
> I would request you all to help me to configure the virtual server. Also
> I would like to know the whether radiusd (server) has to be run on the
> virtual server as well?

  You have misunderstood the virtual server functionality in FreeRADIUS.
 You were ALREADY told it was not a virtual machine like vmware.

  Go back and read the documentation again.  Go read
raddb/sites-available/README.

  If you've used virtual hosts in Apache, this is almost the same
functionality.

  Alan DeKok.


RE: radrelay.conf in freeradius 2.0.5

2008-06-26 Thread Ivan Kalik
>I have two machines
>  1) Linux server ( freeradius-2.0.5) 
>  2) Machine (172.xx.xx.xxx)
>I would like to configure the 2nd machine as virtual server. 
>
>I am trying configure the virtual servers, but could not succeed. 
>I made sym-link in the sites-enable/ to the copy-acct-to-home-server.
>Inside this file it says 
>"You will have to configure
> realms, home_server_pool, and home_server in proxy.conf
> for this to work.
>"
>I made entry into proxy.conf
>
>home_server virtual_server {
>type = auth
>ipaddr = 172.16.47.105
>port = 1815
>secret = testing123
>.

You are totally mixed up. You haven't managed to master the basic things
like what's home and what's virtual server, do you want to proxy
authentication or accounting etc. Sit down, take a deep breath and get
those things clear in your mind. Then you might ask (and even do)
something that makes sense.

Ivan Kalik
Kalik Informatika ISP



Re: EAP method in logs

2008-06-26 Thread Sergio Belkin
2008/6/26 Alan DeKok <[EMAIL PROTECTED]>:
> Sergio Belkin wrote:
>> Alan, Do I need to use rlm_perl anyway?
>
>  No.  The EAP-Type attribute is added by the EAP module.  Once the
> attribute is there, it can be used, edited, updated, etc.  just like
> User-Name, or NAS-IP-Address.
>
>  Alan DeKok.

I edited so radiusd.conf:

detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d%{EAP-Type}

and added "EAP-Message =* ANY" to the attrs file, but I see no difference
(no file with a new name was created)

What am I doing wrong?





-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


Re: EAP method in logs

2008-06-26 Thread Alan DeKok
Sergio Belkin wrote:
> I edited so radiusd.conf:
> 
> detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d%{EAP-Type}
> 
> and added  "EAP-Message =* ANY" to attrs file, but I see no difference
> (any file witt a new name wasn't created)
> 
> What am I doing wrong?

  You are running auth_log BEFORE eap?

  Alan DeKok.


Re: EAP method in logs

2008-06-26 Thread Sergio Belkin
2008/6/26 Alan DeKok <[EMAIL PROTECTED]>:
> Sergio Belkin wrote:
>> I edited so radiusd.conf:
>>
>> detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d%{EAP-Type}
>>
>> and added  "EAP-Message =* ANY" to attrs file, but I see no difference
>> (any file witt a new name wasn't created)
>>
>> What am I doing wrong?
>
>  You are running auth_log BEFORE eap?

>
>  Alan DeKok.
I have the following in sites-enabled/default :

authorize {
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    unix
    files
    ldap
    expiration
    logintime
    pap
}



-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


Re: EAP method in logs

2008-06-26 Thread Alan DeKok
Sergio Belkin wrote:
>>> What am I doing wrong?
>>  You are running auth_log BEFORE eap?
> 
>>  Alan DeKok.
> I have the following in sites-enabled/default :

  Which has auth_log BEFORE eap, which is WRONG.

  How do you expect to log the EAP type when the EAP module hasn't been
run yet?

  Alan DeKok.


oracle server->freeradius->ssl->ldap

2008-06-26 Thread Ray Stell
Oracle advanced security product supports external radius authentication.
I would like to use this external auth for oracle clients connecting
to an oracle db server.  The radius server would need to talk to an
external ldap over ssl.  I've installed freeradius on the db server,
but have no idea how to configure this.  Can you please get me going.

I am a complete novice.  I'm sorry to ask such an uninformed question.

Thanks.


Re: EAP method in logs

2008-06-26 Thread Sergio Belkin
2008/6/26 Alan DeKok <[EMAIL PROTECTED]>:
> Sergio Belkin wrote:
 What am I doing wrong?
>>>  You are running auth_log BEFORE eap?
>>
>>>  Alan DeKok.
>> I have the following in sites-enabled/default :
>
>  Which has auth_log BEFORE eap, which is WRONG.
>
>  How do you expect to log the EAP type when the EAP module hasn't been
> run yet?
>
>  Alan DeKok.
> -

OK, but this is the *default* order in the file; I didn't know that order
matters in this case.

I've changed the order and this is the debug output:


FreeRADIUS Version 2.0.2, for host x86_64-unknown-linux-gnu, built on
Mar  5 2008 at 16:09:30
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
user = "radiusd"
group = "radiusd"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
 client 10.30.0.101 {
require_message_authenticator = no
secret = "stopnene-Green-22"
shortname = "oficina"
 }
 client 10.128.255.100 {
require_message_authenticator = no
secret = "stopnene-Red-3"
shortname = "DOWNI-PB"
 }
 client 10.128.255.10 {
require_message_authenticator = no
secret = "stopnene-Red-3"
shortname = "DOWNI-SS"
 }
 client 10.128.255.11 {
require_message_authenticator = no
secret = "stopnene-Red-3"
shortname = "DOWNI-1"
 }
 client 10.128.255.12 {
require_message_authenticator = no
secret = "stopnene-Red-3"
shortname = "DOWNI-2"
 }
 client 10.128.255.13 {
require_message_authenticator = no
secret = "stopnene-Red-3"
shortname = "DOWNI-3"
 }
 client 10.128.255.14 {
require_message_authenticator = no
secret = "stopnene-Red-3"
shortname = "DOWNI-4"
 }
 client 10.128.255.15 {
require_message_authenticator = no
secret = "stopnene-Red-3"
shortname = "DOWNI-5"
 }
 client 10.128.255.16 {
require_message_authenticator = no
secret = "stopnene-Red-3"
shortname = "DOWNI-6"
 }
 client 10.128.255.17 {
require_message_authenticator = no
secret = "stopnene-Red-3"
shortname = "DOWNI-7"
 }
 client 10.128.255.80 {
require_message_authenticator = no
secret = "stopnene-Red-398952"
shortname = "DOWNVIII-PB"
 }
 client 10.128.255.81 {
require_message_authenticator = no
secret = "stopnene-Red-398952"
shortname = "DOWNVIII-I"
 }
 client 10.128.255.82 {
require_message_authenticator = no
secret = "stopnene-Red-398952"
shortname = "DOWNVIII-II"
 }
 client 10.128.255.83 {
require_message_authenticator = no
secret = "stopnene-Red-398952"
shortname = "DOWNVIII-III"
 }
 client 10.128.255.84 {
require_message_authenticator = no
secret = "stopnene-Red-398952"
shortname = "DOWNVIII-IV"
 }
 client 10.128.255.85 {
require_message_authenticator = no
secret = "stopnene-Red-398952"
shortname = "DOWNVIII-V"
 }
 client 10.128.255.86 {
require_message_authenticator = no
secret = "stopnene-Red-398952"
shortname = "10.128.255.86"
 }
 client 10.128.255.87 {
require_message_authenticator = no
secret = "stopnene-Red-398952"
 }
 client 201.231.128.53 {
require_message_authenticator = no
secret = "stopnene-Green-22"
shortname = "Pa"
 }
 client 200.123.132.1 {
require_message_authenticator = no
secret = "stopnene-black-54"
   

RE: openLDAP & freeRADIUS

2008-06-26 Thread William E. Russell
How can I get the log or the output of it? It is so long that the terminal
doesn't allow me to scroll all the way back to the top. Is there a log? I
found radius.log, but it had nothing. Is there a command to generate the
log? Thanks. I know I am close here...


William E. W. Russell
Member of Technical Staff (Software Development)
198 Brighton Avenue
Long Branch, New Jersey 07740
Home #: 732-752-2037
Cell #: 732-744-6483

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Alan DeKok
Sent: Thursday, June 26, 2008 4:36 AM
To: FreeRadius users mailing list
Subject: Re: openLDAP & freeRADIUS

William E. Russell wrote:
>   I have correctly set up freeRADIUS to read from my openLDAP. I can't
> seem to authenticate my user. I have narrowed down the error to a single
> line, "rlm_eap_mschapv2: Invalid response type 4". From my hours of
> searching online, I have realized that all this means is that there was an
> error in the response packet.

  Code 4 is MS-CHAP failure.  It means that the client told the server
it didn't like the previous packet.

> I have no idea what error could have occurred.
> I believe it may have to do with the password_attribute. I read something
> documentation that said there was some issue with LDAP and passing a
> cleartext password. Also, as you can see, I am using EAP/PEAP with MSCHAP.
> Any body have any insight in to this type of thing? If I could just get
> some help on how to set up the LDAP and RADIUS, that would be great - I have
> read just about every single tutorial so please don't direct me to one of
> those.
> I need someone who has a similar set up - what did you use for password
> attribute?

  userPassword.

  Step 1: Get PEAP working with an entry in the "users" file.
  Step 2: Get LDAP working with PAP (radclient).  Verify that it
  is NOT doing "bind as user"
  Step 3: Verify that PEAP works against LDAP.

  PLEASE show the debug output.  The reason we ask for it is because it
is the DEFINITIVE explanation of what's going on, and the ONLY way to
help you solve the problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
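
Alan's Step 1 above says to get PEAP working with a "users" file entry before involving LDAP, and his note that code 4 is an MS-CHAP failure points at where LDAP setups usually go wrong: MS-CHAPv2 proves knowledge of the NT hash, so rlm_mschap needs either the cleartext password or that hash (MD4 over the UTF-16LE encoding of the password) as a check item, and a crypt(3) or SSHA userPassword cannot be used for it. The following is an added example, not code from this thread or from the FreeRADIUS project: it computes the NT hash in pure Python (so it does not depend on the local OpenSSL build still exposing MD4) and builds a users-file line of the kind Step 1 calls for, in the 32-hex-character form that smbencrypt also prints. The user name and password are constructed sample values. Because the NT hash is password-equivalent, the directory attribute that ends up holding it must be read-restricted at least as tightly as the cleartext password would be.

```python
"""Compute the NT hash that MS-CHAPv2 verification needs.

Added example, not code from the FreeRADIUS project.  MD4 is implemented
here in pure Python (RFC 1320) because modern OpenSSL builds often disable
it in hashlib.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    """Rotate a 32-bit word left by s bits."""
    return ((x << s) | (x >> (32 - s))) & _MASK


def _md4_compress(state, block: bytes):
    """One MD4 compression over a 64-byte block (RFC 1320, section 3.4)."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    rounds = (
        # (boolean function, additive constant, message-word order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for fn, const, order, shifts in rounds:
        for i, k in enumerate(order):
            a = _rotl((a + fn(b, c, d) + X[k] + const) & _MASK, shifts[i % 4])
            # Rotate the registers so the next step updates d, then c, then b.
            a, b, c, d = d, a, b, c
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes) -> bytes:
    """MD4 digest of data (16 bytes)."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    # Pad with 0x80, zeros to 56 mod 64, then the bit length as 64-bit LE.
    padding = b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    padded = data + padding + struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(padded), 64):
        state = _md4_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def users_entry(username: str, password: str) -> str:
    """A users-file line carrying NT-Password as the check item (Step 1 style)."""
    return f"{username}\tNT-Password := {nt_hash(password)}"


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(users_entry("testuser", "password"))
```

Once PEAP/MS-CHAPv2 authenticates against such an entry, the same hex string stored in the directory and mapped to NT-Password is what Step 3 then has to deliver from LDAP.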


RE: openLDAP & freeRADIUS

2008-06-26 Thread Jason Alderfer

Use the script command.

man script




pam_radius_auth accounting configuration

2008-06-26 Thread Brook Wondu
I am using pam_radius_auth 1.3.17 and I am having difficulty getting
accounting to work.  I have defined a service called openvpn in /etc/pam.d
and the config lines are below

auth     required  /lib/security/pam_radius_auth.so debug
session  required  /lib/security/pam_radius_auth.so debug
account  required  /lib/security/pam_radius_auth.so debug

I have also created /etc/raddb/server and put in radius_server_ip:port
secret time_out.

The authentication piece works fine, but we don't see any accounting packets
being forwarded to the radius server (Microsoft IAS 2003).

Thanks,
BW

Proxy help

2008-06-26 Thread David Mitchell
I'm having a problem getting the proper attributes set on my response
packets when using a proxy.

If I authenticate locally with something like this in users:
username Cleartext-Password password
Service-Type = Administrative-User,
Reply-Message = "Authorized Users Only",

it works fine. The Service-Type and Reply-Message get sent off to the
NAS and life is good. However, if I activate a NULL realm and proxy the
authentications out, it no longer works. My users file looks more like this:
DEFAULT
Service-Type = Administrative-User,
Reply-Message = "Authorized Users Only",

Judging from the post-proxy-detail and reply-detail logs it looks like
the proxy server is dropping all the attributes and my server doesn't
put them back? Is that correct? And is that the way it's supposed to
work? Thanks in advance,

-David Mitchell


-- 
-
| David Mitchell ([EMAIL PROTECTED])   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-



Re: Proxy help

2008-06-26 Thread David Mitchell
I should probably add that I can get the Service-Type added using the
'attrs' file in the post-proxy section. But I want to set the
Service-Type based on the user and huntgroup so that users have either
Administrative-User or Login-User access depending on the user and
device. This doesn't seem to be possible in the attrs file.

-David


-- 
-
| David Mitchell ([EMAIL PROTECTED])   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


Re: Proxy help

2008-06-26 Thread Ivan Kalik
Update reply with unlang:

http://freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika ISP





Re: Proxy help

2008-06-26 Thread David Mitchell
Ivan Kalik wrote:
> Update reply with unlang:
> 
> http://freeradius.org/radiusd/man/unlang.html

Sure, but where? In the 'attrs' file? I tried adding something there and
it complains:

DEFAULT
    Service-Type := %{proxy-request:Service-Type},
#   Service-Type == Framed-User,
#   Service-Type == Login-User,
    Login-Service == Telnet,

results in
/home/mitchell/fr/etc/raddb/attrs[104]: Parse error (reply) for entry
DEFAULT: Expected end of line or comma
Errors reading /home/mitchell/fr/etc/raddb/attrs

Is attrs not using unlang? If not, what should I be using instead? It
does look like unlang gives me what I want, but it's not clear where I
can use it.

-David



-- 
-
| David Mitchell ([EMAIL PROTECTED])   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


Re: Proxy help

2008-06-26 Thread David Mitchell

So I'm closer. I can update things in post-auth using for example:
update reply {
    Service-Type := "%{control:Service-Type}"
    Reply-Message := "Go Away %{request:User-Name}"
}

But I can't get %{Service-Type} to expand. I have no idea what happened
to the value I set earlier in the users file. It almost seems like I
should not be using the users file at all and trying to implement my
authz in post-auth using unlang? That doesn't really seem right though.

-David



-- 
-
| David Mitchell ([EMAIL PROTECTED])   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


Re: Proxy help

2008-06-26 Thread Ivan Kalik
>Sure, but where?

Read the first sentence of man unlang. Same place you are calling attrs
from.

Ivan Kalik
Kalik Informatika ISP



Re: Proxy help

2008-06-26 Thread Ivan Kalik
Service-Type is in the request.

Ivan Kalik
Kalik Informatika ISP





Re: FreeRadius Mysql Problem Solaris

2008-06-26 Thread Umar

Hi Dear Alan,

I already have done it

crle -u -v -l /usr/local/ssl/lib:/usr/local/lib:/usr/local/BerkeleyDB.4.2/lib:/etc/lib:/usr/share/lib:/etc/security/lib:/usr/sfw/lib:/usr/openwin/lib:/usr/css/lib:/usr/xpg4/lib:/usr/dt/lib:/usr/local/mysql/lib/mysql

Regards,

Umar


Alan DeKok-4 wrote:
> 
> Umar wrote:
>> Thanks for your reply. After using 2.0.5 problem is solved but there is
>> another problem and that is rlm_eap_tls
>> 
>> checking for OpenSSL support... no
> ...
>> I have installed openssl from sunfreeware.com and the path is
>> (/usr/local/ssl). I don't know why freeradius did not found ssl library.
> 
>   Because it is a *compiler* issue, and not a *freeradius* issue.  You
> put SSL into a place where the compiler and/or dynamic linker can't find
> it.
> 
>   You likely need to add /usr/local/ssl to the dynamic linker path.  See
> "man crle".
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 



Use of libtool-2.2.4 causes install error

2008-06-26 Thread D C
Hello,

I have successfully compiled FreeRadius 2.0.5 from source onto a fresh
FreeBSD 7.0 box, but have run into an install glitch.

The glitch appears to have been caused by the addition of
`--with-system-libtool` to work around a bug (
http://bugs.gentoo.org/show_bug.cgi?format=multiple&id=225725) created by
the presence of libtool-2.2.4 on the system.

Make completes with only a few minor warnings.  However, make install fails
with:

...snip
make[6]: Leaving directory `/var/tmp/freeradius-server-2.0.5/src/modules/rlm_eap'
Making install in rlm_mschap...
make[6]: Entering directory
`/var/tmp/freeradius-server-2.0.5/src/modules/rlm_mschap'
make[7]: Entering directory
`/var/tmp/freeradius-server-2.0.5/src/modules/rlm_mschap'
/var/tmp/freeradius-server-2.0.5/install-sh -c -d -m 755
/var/tmp/freeradius-BUILD/bin
/usr/bin/libtool --mode=install /var/tmp/freeradius-server-2.0.5/install-sh
-c -m 755  \
smbencrypt /var/tmp/freeradius-BUILD/bin
libtool: install: invalid libtool wrapper script `smbencrypt'
make[7]: *** [smbencrypt-install] Error 1
make[7]: Leaving directory
`/var/tmp/freeradius-server-2.0.5/src/modules/rlm_mschap'
make[6]: *** [install] Error 2
make[6]: Leaving directory
`/var/tmp/freeradius-server-2.0.5/src/modules/rlm_mschap'
make[5]: *** [common] Error 2
make[5]: Leaving directory `/var/tmp/freeradius-server-2.0.5/src/modules'
make[4]: *** [install] Error 2
make[4]: Leaving directory `/var/tmp/freeradius-server-2.0.5/src/modules'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/var/tmp/freeradius-server-2.0.5/src'
make[2]: *** [install] Error 2
make[2]: Leaving directory `/var/tmp/freeradius-server-2.0.5/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/var/tmp/freeradius-server-2.0.5'
make: *** [install] Error 2


It's apparent that the `smbencrypt` script is incompatible with
libtool-2.2.4, but I'm unsure how to proceed.  Searches turn up nothing
useful.

Configure options are included below.


./configure --prefix=/var/tmp/freeradius-BUILD --enable-strict-dependencies
--with-system-libtool --with-modules="rlm_acctlog rlm_attr_rewrite
rlm_checkval rlm_eap rlm_mschap rlm_pam rlm_passwd rlm_unix"
--without-rlm_counter --without-rlm_dbm --without-rlm_ippool
--without-rlm_krb5 --without-rlm_ldap --without-rlm_otp --without-rlm_perl
--without-rlm_python --without-rlm_sql --without-rlm_unixodbc
--without-rlm_sql_iodbc --without-rlm_sql_mysql --without-rlm_sql_postgresql
--without-rlm_sql_oracle --without-rlm_sqlcounter --without-rlm_sqlippool
--without-rlm_eap_tnc


Any help would be appreciated.  Thanks,

D Cox