Re: Dependencies of Freeradius 2.0.5

2008-07-24 Thread Yawar Hadi
I also faced this problem for more than one month, because the problem is with the module configuration. In radius version 1.6, in the raddb/radiusd.conf file:

..
.
module authorize
{
#pap ...

#chap...
  .

there is also an sql configuration
which is commented out like  #sql
you have to uncomment it:  #sql -> sql
*sql ..*

}

Then the sql configuration is added to radius.

But the problem is that in radius 2.0.5 there is nothing like this in radiusd.conf;
they have moved these configuration files to some other place.

My suggestion is to move to radius version 1.6,
because more people work on it and it is more stable than radius 2.0.5.
Hope it will help you


BEST REGARDS

Yawar Hadi Noshahi

QAU Islamabad (+92-0300-5504798)



On Thu, Jul 24, 2008 at 12:41 PM, Leander S. [EMAIL PROTECTED]
wrote:

 Hi,

 continuing:
 http://lists.freeradius.org/pipermail/freeradius-users/2008-June/msg00677.html

 @Alan de Kok

 ;) Thanks for keeping me so stupid even if I already said that I already
 got it working on a couple of setups on 1.1.7 - but I won't complain because I
 seriously really appreciate your help!

 about my SQL configuration:
 ###
 cat sql.conf
 [...]
 database = postgresql
 server = localhost
 login = radius
 password = My_OwN_PaSsWoRd
 radius_db = radius
 #and also:
 sqltrace = yes
 [...]
 ###


 AND


 ###
 cat radiusd.conf
 [...]
 $INCLUDE sql.conf

 #$INCLUDE sql/mysql/counter.conf
 $INCLUDE sql/postgresql/counter.conf

 $INCLUDE sqlippool.conf
 [...]
 ###
 ^^ There is nothing more useful to find about SQL in the radiusd.conf -
 except the sql query samples provided in the [...]/raddb/sql/* folder
 which I just left as they are - so I guess I configured it right - the
 modules are just still missing, I think. Correct me if you guess something
 different.

 BTW: radiusd -X says *nothing* about sql or anything which sounds quite
 similar to sql or postgres except the config it loads ;/

 [...]
 including configuration file /usr/local/etc/raddb/modules/sql_log
 [...]
 including configuration file /usr/local/etc/raddb/sql.conf
 including configuration file
 /usr/local/etc/raddb/sql/postgresql/dialup.conf
 including configuration file
 /usr/local/etc/raddb/sql/postgresql/counter.conf
 including configuration file /usr/local/etc/raddb/sqlippool.conf
 including configuration file
 /usr/local/etc/raddb/sql/postgresql/ippool.conf
 [...]

 sadly no query verbose output ...

 Thanks

 Continuing:
 http://lists.freeradius.org/pipermail/freeradius-users/2008-June/msg00715.html


 @David

 Thank you very much for your efforts!!


 Quote:
 ###
 
 After untarring the FreeRADIUS 2.0.5 tarball and changing directory to the
 root of the untarred tarball, these steps are roughly what you need:

 LDFLAGS=-L/usr/local/lib -pthread ; \
 CFLAGS+=-I/usr/local/include -L/usr/local/lib ; \
 ./configure --prefix=/usr/local --libdir=/usr/local/lib \
 --localstatedir=/var --with-docdir=/usr/local/share/doc/freeradius \
 --with-logdir=/var/log \
 --with-openssl-includes=/usr/local/include/openssl \
 --with-openssl-libraries=/usr/local/lib

 gmake install

 You must add --with-pic to the first command if using FreeBSD amd64. You
 should omit the two openssl lines if you don't have the OpenSSL port
 included. I don't recommend this - I really do believe it's better to use
 the port.
 

 ###



 Even if you suggest rather using ports to install FreeRADIUS on a FreeBSD
 system than compiling, I would rather compile for various reasons.

 But I might not have understood you right regarding how to use those commands.

 Are those shell commands? Or might I have to add those 2 lines to a
 config?

 bash$ LDFLAGS=-L/usr/local/lib -pthread
 bash$ CFLAGS+=-I/usr/local/include -L/usr/local/lib



 well the next one is clear:
 bash$ ./configure --prefix=/usr/local --libdir=/usr/local/lib
 --localstatedir=/var --with-docdir=/usr/local/share/doc/freeradius
 --with-logdir=/var/log --with-openssl-includes=/usr/local/include/openssl
 --with-openssl-libraries=/usr/local/lib

 and I do have amd64 so I'm guessing if I read right in the ./configure
 --help that the ./configure command is supposed to look like:
 bash$ ./configure --prefix=/usr/local --libdir=/usr/local/lib
 --localstatedir=/var --with-docdir=/usr/local/share/doc/freeradius
 --with-logdir=/var/log --with-openssl-includes=/usr/local/include/openssl
 --with-openssl-libraries=/usr/local/lib --with-pic

 ^^ because you mentioned to add 

Re: Dependencies of Freeradius 2.0.5

2008-07-24 Thread Yawar Hadi
I have set up radius 1.6 with a mysql database and also added the functionality
of procedure calling..
If you need any help feel free to contact me; I am available 10am to 8 pm Mon
to Fri...
thanks

On Thu, Jul 24, 2008 at 1:00 PM, Yawar Hadi [EMAIL PROTECTED] wrote:

 I also faced this problem for more than one month, because the problem is with the module configuration. In radius version 1.6, in the raddb/radiusd.conf file:

 ..
 .
 module authorize
 {
 #pap ...

 #chap...
   .

 there is also an sql configuration
 which is commented out like  #sql
 you have to uncomment it:  #sql -> sql
 *sql ..*

 }

 Then the sql configuration is added to radius.

 But the problem is that in radius 2.0.5 there is nothing like this in radiusd.conf;
 they have moved these configuration files to some other place.

 My suggestion is to move to radius version 1.6,
 because more people work on it and it is more stable than radius 2.0.5.
 Hope it will help you


 BEST REGARDS

 Yawar Hadi Noshahi

 QAU Islamabad (+92-0300-5504798)



 On Thu, Jul 24, 2008 at 12:41 PM, Leander S. [EMAIL PROTECTED]
 wrote:

 Hi,

 continuing:
 http://lists.freeradius.org/pipermail/freeradius-users/2008-June/msg00677.html

 @Alan de Kok

 ;) Thanks for keeping me so stupid even if I already said that I already
 got it working on a couple of setups on 1.1.7 - but I won't complain because I
 seriously really appreciate your help!

 about my SQL configuration:
 ###
 cat sql.conf
 [...]
 database = postgresql
 server = localhost
 login = radius
 password = My_OwN_PaSsWoRd
 radius_db = radius
 #and also:
 sqltrace = yes
 [...]
 ###


 AND


 ###
 cat radiusd.conf
 [...]
 $INCLUDE sql.conf

 #$INCLUDE sql/mysql/counter.conf
 $INCLUDE sql/postgresql/counter.conf

 $INCLUDE sqlippool.conf
 [...]
 ###
 ^^ There is nothing more useful to find about SQL in the radiusd.conf -
 except the sql query samples provided in the [...]/raddb/sql/* folder
 which I just left as they are - so I guess I configured it right - the
 modules are just still missing, I think. Correct me if you guess something
 different.

 BTW: radiusd -X says *nothing* about sql or anything which sounds quite
 similar to sql or postgres except the config it loads ;/

 [...]
 including configuration file /usr/local/etc/raddb/modules/sql_log
 [...]
 including configuration file /usr/local/etc/raddb/sql.conf
 including configuration file
 /usr/local/etc/raddb/sql/postgresql/dialup.conf
 including configuration file
 /usr/local/etc/raddb/sql/postgresql/counter.conf
 including configuration file /usr/local/etc/raddb/sqlippool.conf
 including configuration file
 /usr/local/etc/raddb/sql/postgresql/ippool.conf
 [...]

 sadly no query verbose output ...

 Thanks

 Continuing:
 http://lists.freeradius.org/pipermail/freeradius-users/2008-June/msg00715.html


 @David

 Thank you very much for your efforts!!


 Quote:
 ###
 
 After untarring the FreeRADIUS 2.0.5 tarball and changing directory to the
 root of the untarred tarball, these steps are roughly what you need:

 LDFLAGS=-L/usr/local/lib -pthread ; \
 CFLAGS+=-I/usr/local/include -L/usr/local/lib ; \
 ./configure --prefix=/usr/local --libdir=/usr/local/lib \
 --localstatedir=/var --with-docdir=/usr/local/share/doc/freeradius \
 --with-logdir=/var/log \
 --with-openssl-includes=/usr/local/include/openssl \
 --with-openssl-libraries=/usr/local/lib

 gmake install

 You must add --with-pic to the first command if using FreeBSD amd64. You
 should omit the two openssl lines if you don't have the OpenSSL port
 included. I don't recommend this - I really do believe it's better to use
 the port.
 

 ###



 Even if you suggest rather using ports to install FreeRADIUS on a FreeBSD
 system than compiling, I would rather compile for various reasons.

 But I might not have understood you right regarding how to use those commands.

 Are those shell commands? Or might I have to add those 2 lines to a
 config?

 bash$ LDFLAGS=-L/usr/local/lib -pthread
 bash$ CFLAGS+=-I/usr/local/include -L/usr/local/lib



 well the next one is clear:
 bash$ ./configure --prefix=/usr/local --libdir=/usr/local/lib
 --localstatedir=/var --with-docdir=/usr/local/share/doc/freeradius
 --with-logdir=/var/log --with-openssl-includes=/usr/local/include/openssl
 --with-openssl-libraries=/usr/local/lib

 and I do have amd64 so I'm guessing if I read right in the ./configure
 --help that the ./configure command is supposed to look like:
 bash$ 

Re: Dependencies of Freeradius 2.0.5

2008-07-24 Thread Alan DeKok
Yawar Hadi wrote:
 but the problem is that in radius 2.0.5 there is nothing like this in radiusd.conf;
 they have moved these configuration files to some other place.

  raddb/sites-available/default

  This is documented in radiusd.conf, if you had read it.  It's also
mentioned nearly daily on this list, if you read posts on this list.

 my suggestion is to move to radius version 1.6,
 because more people work on it and it is more stable than radius 2.0.5.
 hope it will help you

  (1) There is no version 1.6
  (2) 2.0.5 is more stable than 1.x
  (3) 2.0.5 has more documentation than 1.x

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dependencies of Freeradius 2.0.5

2008-07-24 Thread Leander S.

@Yawar Hadi

Thanks. I need the version 2.0.5 because of various reasons.

if you talk about this part in radius.conf:

###

authorise {
  preprocess
  chap
  mschap
  suffix
  eap
  # We leave files enabled to allow creation of test users in 
/etc/raddb/users
  files
  sql
  pap
}

accounting {
  # We leave detail enabled to _additionally_ log accounting to 
/var/log/radius/radacct
  detail
  sql
}

###
^^ it's not there anymore in 2.0.5 radius.conf - I also looked for that 
without success ;)



Quote:
there is also a
sql configuration
which is comment out like  #sql
you have to uncomment it.  #sql -sql
*sql ..*


^^ what config are you talking about? The only useful sql hint I was 
able to find in radius.conf was $INCLUDE sql.conf which is already 
uncommented ..


Thank you







Yawar Hadi schrieb:
I have set up radius 1.6 with a mysql database and also added the 
functionality of procedure calling..
If you need any help feel free to contact me; I am available 10am to 8 
pm Mon to Fri...

thanks

On Thu, Jul 24, 2008 at 1:00 PM, Yawar Hadi [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED] wrote:


I also faced this problem for more than one month, because the problem is with the module configuration. In radius version 1.6, in the raddb/radiusd.conf file:

..
.
module authorize
{
#pap ...

#chap...
  .

there is also an sql configuration
which is commented out like  #sql
you have to uncomment it:  #sql -> sql
*sql ..*

}

Then the sql configuration is added to radius.

But the problem is that in radius 2.0.5 there is nothing like this in radiusd.conf;
they have moved these configuration files to some other place.

My suggestion is to move to radius version 1.6,
because more people work on it and it is more stable than radius 2.0.5.
Hope it will help you


BEST REGARDS

Yawar Hadi Noshahi

QAU Islamabad (+92-0300-5504798)



On Thu, Jul 24, 2008 at 12:41 PM, Leander S.
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

Hi,

continuing:

http://lists.freeradius.org/pipermail/freeradius-users/2008-June/msg00677.html

@Alan de Kok

;) Thanks for keeping me so stupid even if I already said that
I already got it working on a couple of setups on 1.1.7 - but I
won't complain because I seriously really appreciate your help!

about my SQL configuration:
###
cat sql.conf
[...]
database = postgresql
server = localhost
login = radius
password = My_OwN_PaSsWoRd
radius_db = radius
#and also:
sqltrace = yes
[...]
###


AND


###
cat radiusd.conf
[...]
$INCLUDE sql.conf

#$INCLUDE sql/mysql/counter.conf
$INCLUDE sql/postgresql/counter.conf

$INCLUDE sqlippool.conf
[...]
###
^^ There is nothing more useful to find about SQL in the
radiusd.conf - except the sql query samples provided in the
[...]/raddb/sql/* folder which I just left as they are - so
I guess I configured it right - the modules are just still missing,
I think. Correct me if you guess something different.

BTW: radiusd -X says *nothing* about sql or anything which
sounds quite similar to sql or postgres except the config
it loads ;/

[...]
including configuration file /usr/local/etc/raddb/modules/sql_log
[...]
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file
/usr/local/etc/raddb/sql/postgresql/dialup.conf
including configuration file
/usr/local/etc/raddb/sql/postgresql/counter.conf
including configuration file /usr/local/etc/raddb/sqlippool.conf
including configuration file
/usr/local/etc/raddb/sql/postgresql/ippool.conf
[...]

sadly no query verbose output ...

Thanks

Continuing:

http://lists.freeradius.org/pipermail/freeradius-users/2008-June/msg00715.html


@David


Re: Dependencies of Freeradius 2.0.5

2008-07-24 Thread Leander S.

A *bing*

*raddb/sites-available/default*

There we go ... let me check this out before continuing ... I guess that's 
what I was looking for without success yet ...

Thanks






Alan DeKok schrieb:

Yawar Hadi wrote:
  

but the problem is that in radius 2.0.5 there is nothing like this in radiusd.conf;
they have moved these configuration files to some other place.



  raddb/sites-available/default

  This is documented in radiusd.conf, if you had read it.  It's also
mentioned nearly daily on this list, if you read posts on this list.

  

my suggestion is to move to radius version 1.6,
because more people work on it and it is more stable than radius 2.0.5.
hope it will help you



  (1) There is no version 1.6
  (2) 2.0.5 is more stable than 1.x
  (3) 2.0.5 has more documentation than 1.x

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dependencies of Freeradius 2.0.5

2008-07-24 Thread Alan DeKok
Leander S. wrote:
 ###
 ^^ There is nothing more useful to find about SQL in the radiusd.conf -

  READ radiusd.conf.  The last 20-30 lines tell you what's changed, why,
and where the new configurations are located.

 BTW: radiusd -X says *nothing* about sql or anything which sounds quite
 similar to sql or postgres except the config it loads ;/

  Because... you didn't read radiusd.conf, and you didn't enable sql
in the authorize/accounting sections.

  You are putting a LOT of work into reading the output of configure,
trying various things... and NOT reading the documentation in the
configuration files.

  Go read radiusd.conf.  The last 30 lines or so tell you what's going on.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dependencies of Freeradius 2.0.5

2008-07-24 Thread Leander S.
Thanks - *raddb/sites-available/default*  - was what I was searching for 
;) now I do get the SQL queries when I turn on radiusd -X


BUT,

there still seems to be something wrong, or better said, missing.

rlm_sql (sql): Could not link driver rlm_sql_postgresql: Shared object 
libpq.so.5 not found, required by rlm_sql_postgresql-2.0.5.so
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in 
the search path of your system's ld.

/usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module sql
/usr/local/etc/raddb/sites-enabled/default[152]: Failed to find module 
sql.
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize 
section.

}
}
Errors initializing modules



I still just have to figure out how to fix that


Thanks,

  Leander


Alan DeKok schrieb:

Leander S. wrote:
  

###
^^ There is nothing more useful to find about SQL in the radiusd.conf -



  READ radiusd.conf.  The last 20-30 lines tell you what's changed, why,
and where the new configurations are located.

  

BTW: radiusd -X says *nothing* about sql or anything which sounds quite
similar to sql or postgres except the config it loads ;/



  Because... you didn't read radiusd.conf, and you didn't enable sql
in the authorize/accounting sections.

  You are putting a LOT of work into reading the output of configure,
trying various things... and NOT reading the documentation in the
configuration files.

  Go read radiusd.conf.  The last 30 lines or so tell you what's going on.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dependencies of Freeradius 2.0.5

2008-07-24 Thread Alan DeKok
Leander S. wrote:
 Thanks - *raddb/sites-available/default*  - was what I was searching for
 ;) 

  Again, why search when you can read the documentation?

 rlm_sql (sql): Could not link driver rlm_sql_postgresql: Shared object
 libpq.so.5 not found, required by rlm_sql_postgresql-2.0.5.so
 rlm_sql (sql): Make sure it (and all its dependent libraries!) are in
 the search path of your system's ld.

  This is in the FAQ.  Read it.  Look for Could not link.

 I still just have to figure out how to fix that

  Read the documentation?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dependencies of Freeradius 2.0.5

2008-07-24 Thread Leander S.
I read the FAQ. But I think I might be able to fix this with those two 
commands told by David before I start compiling:


LDFLAGS=-L/usr/local/lib -pthread
CFLAGS+=-I/usr/local/include -L/usr/local/lib

^^ BUT I don't know how and where to use them ?!






Alan DeKok schrieb:

Leander S. wrote:
  

Thanks - *raddb/sites-available/default*  - was what I was searching for
;) 



  Again, why search when you can read the documentation?

  

rlm_sql (sql): Could not link driver rlm_sql_postgresql: Shared object
libpq.so.5 not found, required by rlm_sql_postgresql-2.0.5.so
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in
the search path of your system's ld.



  This is in the FAQ.  Read it.  Look for Could not link.

  

I still just have to figure out how to fix that



  Read the documentation?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dependencies of Freeradius 2.0.5

2008-07-24 Thread Alan DeKok
Leander S. wrote:
 I read the FAQ. But I think I might be able to fix this with those two
 commands told by David before I start compiling:
 
 LDFLAGS=-L/usr/local/lib -pthread
 CFLAGS+=-I/usr/local/include -L/usr/local/lib
 
 ^^ BUT I don't know how and where to use them ?!

  I'm sorry, but this is Unix sysadmin 101.

  You can try editing the top-level Make.inc.  Look for similar text.

  *Learn*.  Stop trying to get detailed instructions for every little
thing.  You *can* figure it out for yourself.  It's what most people do.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

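The two points left open in this exchange, how the quoted LDFLAGS/CFLAGS lines are meant to be used and how to confirm that a module's shared-object dependencies resolve before radiusd tries to load it, as an added POSIX sh example that is not part of the thread. It assumes ldd(1) is available and, for the remedy in the comment, a FreeBSD-style ldconfig hints file; the sample ldd output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread.
#
# (a) The two lines quoted from David are shell variable assignments.  They
#     belong in the same shell session that runs ./configure, exported so the
#     compiler and linker inherit them (kept as comments here so this file can
#     be sourced without starting a build):
#
#   export LDFLAGS="-L/usr/local/lib -pthread"
#   export CFLAGS="-I/usr/local/include"
#   ./configure --prefix=/usr/local --libdir=/usr/local/lib \
#       --localstatedir=/var --with-logdir=/var/log --with-pic
#   gmake install
#
# (b) A pre-flight check for the "Shared object libpq.so.5 not found" class
#     of failure: ask the runtime linker which dependencies of a module it
#     cannot resolve, before radiusd tries to load the module.

# list_missing_libs: takes the text output of `ldd FILE` and prints the name
# of every library the runtime linker could not resolve.  ldd reports such
# entries as "libname => not found".
list_missing_libs() {
    printf '%s\n' "$1" | awk '/=> not found/ { print $1 }'
}

# check_module: run ldd on a real shared object and report what is missing.
# Returns 0 if every dependency resolves, 1 if one or more are missing,
# 2 if the path does not exist.
check_module() {
    mod="$1"
    [ -f "$mod" ] || { echo "no such file: $mod" >&2; return 2; }
    missing=$(list_missing_libs "$(ldd "$mod" 2>&1 || true)")
    [ -z "$missing" ] && return 0
    echo "$mod cannot be loaded; unresolved libraries:" >&2
    for lib in $missing; do echo "  $lib" >&2; done
    # Remedy: the directory holding the library must be in the runtime
    # linker's search path.  On FreeBSD that is the ldconfig hints file;
    # `ldconfig -m DIR` merges a directory into it (see ldconfig(8)).
    return 1
}

# Constructed sample ldd output mirroring the failure quoted in the thread
# (addresses and the other library versions are made up for the example).
SAMPLE_LDD='rlm_sql_postgresql-2.0.5.so:
        libpq.so.5 => not found
        libc.so.7 => /lib/libc.so.7 (0x800640000)
        libssl.so.5 => /usr/local/lib/libssl.so.5 (0x800840000)'

# Demonstration on the constructed sample; prints "libpq.so.5".
list_missing_libs "$SAMPLE_LDD"
```

To check the real module, call check_module with the path of rlm_sql_postgresql-2.0.5.so under the installed libdir.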

Re: Dependencies of Freeradius 2.0.5

2008-07-24 Thread Yawar Hadi
Thanks Alan DeKok
for the further information you provided.
I worked on 2.0.5 for more than a month but
without success.
Then I switched to radius 1.1.6.
1: set up with mysql database
2: now I want to use stored procedures to interact with the database...
3: guide me in this scenario.
Like:
rlm_sql module
two files of interest: rlm_sql.c and sql.c
  rlm_sql (module)
    --drivers
      --rlm_sql_mysql
        -- sql_mysql.c (file)
        {
          ..
          here is the interaction with the database;
          I have written a function
          sql_authen()
          {
            ;;
          }
        }
sql.c calls this sql_authen() function;
rlm_sql.c calls a function which is in the
sql.c file [function authenticatcall()]
so I get the result back.
Is this approach good for interacting with the database, or is there a more secure and
reliable way ...?

Hope you got my point

Yawar Hadi Noshahi
QAU Islamabad

On Thu, Jul 24, 2008 at 1:08 PM, Alan DeKok [EMAIL PROTECTED]
wrote:

 Yawar Hadi wrote:
  but the problem is that in radius 2.0.5 there is nothing like this in radiusd.conf;
  they have moved these configuration files to some other place.

   raddb/sites-available/default

  This is documented in radiusd.conf, if you had read it.  It's also
 mentioned nearly daily on this list, if you read posts on this list.

  my suggestion is to move to radius version 1.6,
  because more people work on it and it is more stable than radius 2.0.5.
  hope it will help you

   (1) There is no version 1.6
  (2) 2.0.5 is more stable than 1.x
  (3) 2.0.5 has more documentation than 1.x

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Yawar Hadi Noshahi

QAU Islamabad (+92-0300-5504798)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Dependencies of Freeradius 2.0.5

2008-07-24 Thread Alan DeKok
Yawar Hadi wrote:
   I worked on 2.0.5 for more than a month but
 without success.

  That's what this list is for.  If it takes too long, ask questions.

  And I just don't understand why it's so difficult to find the
authorize and authenticate sections in 2.0.  Yes, they have been
removed from radiusd.conf.  But this is CLEARLY STATED in
radiusd.conf... if you read it.

 then I switched to radius 1.1.6.
 1: set up with mysql database
 2: now I want to use stored procedures to interact with the database...

  The MySQL module in 2.0 supports stored procedures.  You don't need to
edit anything.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Lech Karol Pawłaszek

SecureW2 (List) wrote:

http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx


Nice article. However I don't understand a few things. What's pdb
pdbpath? I'm not good at Windows.


To enable logging do the following:

- Netsh wlan set tra yes
- netsh ras set tr * en
- Reproduce your problem
- netsh ras set tr * dis
- Netsh wlan set tra no


Well. I have problems with _wired_ connection so I've used netsh lan
instead of netsh wlan. I hope it's the right thing.


If you go to the %windir%\tracing\wireless\ directory you will find a load of
.etl files in different directories.


:-) yea. Which one is... hm... important? onex or eaphost?


Use the tracerpt *.* command to change the .etl to readable .txt files.


I'm attaching onex.txt and eaphost.txt. I'm not exactly sure what I
should search for. Any hints?


PS. I don't like plugging like this but we are almost finished with the
latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and EAP-GTC
and has been tested quite extensively with Vista SP0/SP1. 


Awesome. I hope it'll work with my Vistas...

Kind regards,

--
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]



eaphost.txt.gz
Description: GNU Zip compressed data


onex.txt.gz
Description: GNU Zip compressed data
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: definitively, I have a problem with eap-tls

2008-07-24 Thread Sergio

Sorry, I'll do the things right jeje

Log using the default configuration except:

- default_eap_type = tls in eap.conf
- client 192.168.0.0/24 {
    secret    = testing123
    shortname = kely
  }
  in clients.conf, and the AP configuration ok (still not in the garbage)

- wpa_supplicant with
  cert [EMAIL PROTECTED]
  private key pass whatever
  ca cert ca.pem
  Identity = user, because if I put Identity = [EMAIL PROTECTED]
  I got
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  from the radius debug

go!

Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.3 port 3072, id=0,
length=223
Cleaning up request 0 ID 0 with timestamp +6
   User-Name = user
   NAS-IP-Address = 192.168.0.3
   Called-Station-Id = 0014c145956f
   Calling-Station-Id = 001cf01294dd
   NAS-Identifier = 0014c145956f
   NAS-Port = 27
   Framed-MTU = 1400
   State = 0x8bca9aca8bcb976abb82dcb4bf9a7d57
   NAS-Port-Type = Wireless-802.11
   EAP-Message =
0x0201005d0d001603010052014e030141454c2a2c04490a119ee1bb01bef71f545786cfb41f565c94aa2fbc5c3b2600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100
   Message-Authenticator = 0xe217e8279c4d42c9d30581d3ac0869a1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = user, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: EAP packet type response id 1 length 93
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
   (other): before/accept initialization
   TLS_accept: before/accept initialization
 rlm_eap_tls:  TLS 1.0 Handshake [length 0052], ClientHello
   TLS_accept: SSLv3 read client hello A
 rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
   TLS_accept: SSLv3 write server hello A
 rlm_eap_tls:  TLS 1.0 Handshake [length 085e], Certificate
   TLS_accept: SSLv3 write certificate A
 rlm_eap_tls:  TLS 1.0 Handshake [length 020d], ServerKeyExchange
   TLS_accept: SSLv3 write key exchange A
 rlm_eap_tls:  TLS 1.0 Handshake [length 00a8], CertificateRequest
   TLS_accept: SSLv3 write certificate request A
   TLS_accept: SSLv3 flush data
   TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
 eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.0.3 port 3072

Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Phil Mayers

Lech Karol Pawłaszek wrote:

SecureW2 (List) wrote:

http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx


Nice article. However I don't understand a few things. What's pdb
pdbpath? I'm not good at Windows.


Good lord... they've made the EAP logging *worse*. I didn't think that 
was possible.


It looks to me like the authentication is succeeding in those latest 
files; onex.txt says (at line 1367):


[4924] 12:03:49.152 Port(38): Received an Eap packet length=4, 
type=EapSuccess, identifier=10, eapType=0


..then a few lines later:

[2896] 12:03:49.202 Port(38): MPPE-Send/Recv-Keys derived by supplicant
snip
[2896] 12:03:49.202 Port(38): The auth succeeded. Deleting all cached UI 
Responses

snip
[2896] 12:03:49.284 Port(38): Start processing local event: 
(PAESuppSuccess)
[2896] 12:03:49.284 Port(38): Completed the 802.1X authentication 
successfully


So, all is good. But about 5 seconds later:

[2108] 12:04:03.819 OneXIndicatePacket
[2108] 12:04:03.819 Port(38): Received an Eap packet length=5, 
type=EapRequestId, identifier=11, eapType=0

snip
[4924] 12:04:03.820 Port(38): Restarting authentication due to reason = 
PeerInitiated


similarly in eaphost.txt:

[3432] 12:04:03.831 Received an identity request packet without an 
active session - restart auth


Are you sure the problem is what you think it is?

Also, I see in your windows logs reference to the securew2 supplicant; 
are you sure you haven't broken the EAP stack on the windows box? Maybe 
got it confused?


Can you get a trace from both the windows machine and FreeRadius run 
under -X at the *same time*? The freeradius.log in your original 
email does not appear to be the same issue - that looks more like there 
are no compatible EAP types at both ends.


I'm not in the office this week so can't try to reproduce it, but I'll 
have a try next week.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
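An added check, not part of the thread, that scans an onex.txt trace for the sequence described above (a completed 802.1X authentication followed by a PeerInitiated restart) and reports the gap between the two events; the trace lines are constructed from the quoted excerpt, and the script assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the thread.  Scans a Windows onex.txt 802.1X trace
# for the sequence Phil describes: the port completes authentication and is
# then restarted with reason PeerInitiated.  A successful EAP exchange that
# the supplicant immediately throws away is easy to miss when reading the
# trace by hand, because every individual line looks healthy.

# eap_restart_gap: takes the trace text as its argument and prints the gap in
# seconds between "Completed the 802.1X authentication successfully" and the
# next "Restarting authentication due to reason = PeerInitiated".  Prints
# nothing when the pattern does not occur.  Timestamps are HH:MM:SS.mmm in
# the second whitespace-separated field of every trace line.
eap_restart_gap() {
    printf '%s\n' "$1" | awk '
        function secs(ts,  t) {
            split(ts, t, ":")
            return t[1] * 3600 + t[2] * 60 + t[3]
        }
        /Completed the 802.1X authentication successfully/ {
            ok = secs($2); seen = 1
        }
        /Restarting authentication due to reason = PeerInitiated/ && seen {
            printf "%.3f\n", secs($2) - ok
            seen = 0
            exit
        }'
}

# Constructed trace lines, joined from the wrapped excerpt quoted above
# (thread ids and timestamps as quoted; the "snip" gaps are omitted).
SAMPLE_ONEX='[4924] 12:03:49.152 Port(38): Received an Eap packet length=4, type=EapSuccess, identifier=10, eapType=0
[2896] 12:03:49.202 Port(38): MPPE-Send/Recv-Keys derived by supplicant
[2896] 12:03:49.284 Port(38): Completed the 802.1X authentication successfully
[2108] 12:04:03.819 Port(38): Received an Eap packet length=5, type=EapRequestId, identifier=11, eapType=0
[4924] 12:04:03.820 Port(38): Restarting authentication due to reason = PeerInitiated'

# Demonstration on the constructed sample; prints "14.536".
eap_restart_gap "$SAMPLE_ONEX"
```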


Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Lech Karol Pawłaszek

Stefan Winter wrote:

Hi,

I noticed that the EAP debug speaks about quarantine states and such. 
XP3 and Vista have Network Access Protection. Is that checkbox checked 
in your supplicant config? If yes, try unchecking it.


I've tried to use netsh nap offline to disable Network Access Protection 
however the problem still occurs. I'm using Windows' built-in supplicant 
(for PEAP) which doesn't work probably because of a wrong certificate 
and secureW2 EAP suite 1.0.6 which doesn't have Network Access 
Protection checkbox. To be honest built-in PEAP doesn't have it as 
well. Or at least I couldn't find it.


I've tried to follow Microsoft document[1] however I wasn't able to 
locate Configuration Manager console. Holy cow.


[1] - http://technet.microsoft.com/en-us/library/bb633004(TechNet.10).aspx

If you can point me where I can uncheck such checkbox...

Kind regards,

--
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Stefan Winter


I've tried to follow Microsoft document[1] however I wasn't able to 
locate Configuration Manager console. Holy cow.


[1] - 
http://technet.microsoft.com/en-us/library/bb633004(TechNet.10).aspx


If you can point me where I can uncheck such checkbox...


Protected EAP Properties Window has three checkboxes near the bottom. 
The relevant one is labelled Enable Quarantine Checks.


Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: definitively, I have a problem with eap-tls

2008-07-24 Thread Sergio

Phil Mayers escribió:

Sergio wrote:

Sorry, I'll do the things right jeje


I haven't been reading all your emails, but what I have read is very 
confusing. So I'm sorry if I misunderstand.


The error message seems very very clear.

FreeRadius cannot verify the client certificate.

This means you have not given it the correct CA certificate.

You keep talking about c_rehash - to the best of my knowledge, 
FreeRadius doesn't make use of a certificate directory with the 
openssl-style .0 -> real.pem symlinks. Forget about that.


Can you please provide:

 * a copy of your eap.conf
 * a copy of the files from the eap { tls {} } section:
   * certificate_file
   * CA_file
 * a copy of the client cert:
   * [EMAIL PROTECTED]


OK :) I'm providing the certificate files and eap.conf in a tarball so as 
not to post too long a mail.
If I print [EMAIL PROTECTED] in text form I see that radius is the 
issuer of the certificate. This is the default PKI and I don't know what 
I'm doing wrong.

Thanks for your attention.


files.tar
Description: Binary data

RE: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread SecureW2 (List)
As I thought, I have been having trouble on the wired side when an MPPE key
is being sent by the server. 

It looks like this confuses the Vista client, as when you are using wired
you usually don't need the MPPE key.

Try disabling the MPPE key configuration in the FreeRADIUS config so it is
not sent. I don't know how to do this though... ;)

Tom

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On behalf of Lech Karol Pawlaszek
 Sent: Thursday 24 July 2008 13:23
 To: FreeRadius users mailing list
 Subject: Re: PEAP or TTLS and Microsoft Vista.
 
 SecureW2 (List) wrote:
  http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx
 
 Nice article. However I don't understand a few things. What's pdb
 pdbpath? I'm not good at Windows.
 
  To enable logging do the following:
 
  - Netsh wlan set tra yes
  - netsh ras set tr * en
  - Reproduce your problem
  - netsh ras set tr * dis
  - Netsh wlan set tra no
 
 Well. I have problems with a _wired_ connection so I've used netsh lan
 instead of netsh wlan. I hope it's the right thing.
 
  If you go to the %windir%\tracing\wireless\ directory you will find a load of
  .etl files in different directories.
 
 :-) yea. Which one is... hm... important? onex or eaphost?
 
  Use the tracerpt *.* command to change the .etl to readable .txt files.
 
 I'm attaching onex.txt and eaphost.txt. I'm not exactly sure what I
 should search for. Any hints?
 
  PS. I don't like plugging like this but we are almost finished with the
  latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and EAP-GTC
  and has been tested quite extensively with Vista SP0/SP1.
 
 Awesome. I hope it'll work with my Vista's...
 
 Kind regards,
 
 --
 Lech Karol Pawłaszek ike
 You will never see me fall from grace [KoRn]





(SOLVED) Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Lech Karol Pawłaszek

Phil Mayers wrote:

Lech Karol Pawłaszek wrote:

SecureW2 (List) wrote:

http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx


Nice article. However I don't understand a few things. What's pdb
pdbpath? I'm not good at Windows.


Good lord... they've made the EAP logging *worse*. I didn't think that 
was possible.


:-)

[...]

So, all is good. But about 5 seconds later:

[2108] 12:04:03.819 OneXIndicatePacket
[2108] 12:04:03.819 Port(38): Received an Eap packet length=5, 
type=EapRequestId, identifier=11, eapType=0

snip
[4924] 12:04:03.820 Port(38): Restarting authentication due to reason = 
PeerInitiated


similarly in eaphost.txt:

[3432] 12:04:03.831 Received an identity request packet without an 
active session - restart auth


Are you sure the problem is what you think it is?


Ok. You rock. It's 3com's fault. At least I believe so. I've upgraded 
3com 4500 switch firmware to the newest version on my test switch and 
when user handshaking is disabled everything works.


FWIW the previous firmware (which I use on production atm) doesn't have 
an option to disable user handshaking. Pity.


And to be clear - ALL OTHER OSes (namely MacOsX 10.4 Tiger, MacOsX 10.5 
Leopard, GNU/Linux (a few Ubuntu, Fedora and Debian systems) and MS 
Windows XP excluding SP3) work with this feature enabled.


[...]
Can you get a trace from both the windows machine and FreeRadius run 
under -X at the *same time*? The freeradius.log in your original 
email does not appear to be the same issue - that looks more like there 
are no compatible EAP types at both ends.


Hm. The original freeradius.log contains logs when I tried to 
authenticate using Vista's built-in PEAP supplicant. Which - I suppose - 
says that Vista doesn't like my certificate.


OTOH freeradius-securew2.log contains logs when I tried to use 
secureW2 EAP suite which showed server-side of this issue. I was able to 
connect. Work for a minute or so. And suddenly... switch sends 
'handshake packet' which confuses Vista... and connection is dropped.


Anyway. Thanks everyone for the help. I'll do some more testing and try to 
update the firmware on production. I'll let you know if everything is ok.


Kind regards,

--
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]


Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Arran Cudbard-Bell

SecureW2 (List) wrote:

As I thought, I have been having trouble on the wired side when an MPPE key
is being sent by the server. 

It looks like this confuses the Vista client, as when you are using wired
you usually don't need the MPPE key.

Try disabling the MPPE key configuration in the FreeRADIUS config so it is
not sent. I don't know how to do this though... ;)

No. Vista works fine with (PEAP/TTLS) and MSCHAPv2 + MPPE keys with 802.1x 
on wired interfaces. The ~1000 or so Vista users on the 802.1x 
authenticated portion of our wired network would agree (most using the Vista 
native supplicant). I've not seen any issues with XP SP3 either, on 
wired or wireless.


This is using FR 2.04 (Alan decided to 'fix' the proxying behaviour for 
2.05 and I've not had a chance to 'adjust' our configuration files yet).


We're using certificates signed by 'Thawte Premium Server CA', and 
performing CA and certificate CN validation... all just works, with 
the exception of the odd Vista box that *refuses* to do user 
authentication and tries to perform machine authentication, ugh. For 
those we use SecureW2, which also generally works fine with a *near* 
default configuration.


BTW from those traces your NAS looks broken if it's sending EAP Ident 
requests after authentication has succeeded.


Arran

Tom

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On behalf of Lech Karol Pawlaszek
Sent: Thursday 24 July 2008 13:23
To: FreeRadius users mailing list
Subject: Re: PEAP or TTLS and Microsoft Vista.

SecureW2 (List) wrote:


http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx

Nice article. However I don't understand a few things. What's pdb
pdbpath? I'm not good at Windows.



To enable logging do the following:

- Netsh wlan set tra yes
- netsh ras set tr * en
- Reproduce your problem
- netsh ras set tr * dis
- Netsh wlan set tra no

Well. I have problems with a _wired_ connection so I've used netsh lan
instead of netsh wlan. I hope it's the right thing.



If you go to the %windir%\tracing\wireless\ directory you will find a load of
.etl files in different directories.

:-) yea. Which one is... hm... important? onex or eaphost?



Use the tracerpt *.* command to change the .etl to readable .txt files.

I'm attaching onex.txt and eaphost.txt. I'm not exactly sure what I
should search for. Any hints?



PS. I don't like plugging like this but we are almost finished with the
latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and EAP-GTC
and has been tested quite extensively with Vista SP0/SP1.

Awesome. I hope it'll work with my Vista's...

Kind regards,

--
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]








--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services), 
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT

DDI+FAX: +44 1273 873900 | INT: 3900



Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Lech Karol Pawłaszek

Stefan Winter wrote:


I've tried to follow Microsoft document[1] however I wasn't able to 
locate Configuration Manager console. Holy cow.


[1] - 
http://technet.microsoft.com/en-us/library/bb633004(TechNet.10).aspx


If you can point me where I can uncheck such checkbox...


Protected EAP Properties Window has three checkboxes near the bottom. 
The relevant one is labelled Enable Quarantine Checks.


Hm. This doesn't help. At least for Vista's built-in PEAP 
authentication. I do have those checkboxes unchecked, however it doesn't 
matter if they are checked or not - the process stops after sending the 
Access-Challenge.


I'll try to debug this issue more with netsh ;-) later.

OTOH I'll recommend my users to use the secureW2 EAP suite (which works).

Kind regards,

--
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]

realm question

2008-07-24 Thread Jeff Crowe
Hi there,

I have a question about prefix realms and stripping them.  I have a provider
that allows roaming dialup for our customers. They require the username to
be in the format idm/something/username.  I get the whole
idm/something/username delivered to me as the authentication.  

I have tried using the IPASS prefix to remove the idm/something, but it just
returns the realm of idm and I am still left with a Stripped-User-Name of
something/username.  I have also tried just adding a realm of idm/something
to the proxy.conf and it didn't work.  I am currently running freeradius
2.0.5 with a SQL (mysql) back end.

Can I strip the idm/something/ somehow?  


Thanks,
Jeff.






Re: definitively, I have a problem with eap-tls

2008-07-24 Thread Phil Mayers


ok :) I provide certificate files and eap.conf in a tar ball to not to 
post a mail too long.
If I print [EMAIL PROTECTED] in text form I see how radius is the 
issuer of the certificate. This is the default PKI and I don't know what 
I'm doing wrong.

Thanks for your attention.


I get the exact same error at the CLI:

[EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem < server.pem
stdin: OK

[EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem < [EMAIL PROTECTED]
stdin: /C=FR/ST=Radius/O=Example Inc./[EMAIL PROTECTED]/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate

Your certificates are invalid:

 * server.pem is signed by ca.pem, which is correct:

Issuer: C=FR, ST=Radius, L=Somewhere, O=Example 
Inc./[EMAIL PROTECTED], CN=Example Certificate Authority


Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server 
Certificate/[EMAIL PROTECTED]


 * user.pem is signed by *server.pem* which is WRONG

Issuer: C=FR, ST=Radius, O=Example Inc., CN=Example Server 
Certificate/[EMAIL PROTECTED]


Subject: C=FR, ST=Radius, O=Example Inc., 
[EMAIL PROTECTED]/[EMAIL PROTECTED]



You have signed the user cert with the server cert, which is incorrect. 
You must sign the user cert with the CA cert.





Re: realm question

2008-07-24 Thread A . L . M . Buxey
Hi,

 Can I strip the idm/something/ somehow?  

sure. a simple strip in the config would work...
or unlang of course.

eg in radiusd.conf

attr_rewrite copy.user-name {
attribute = Stripped-User-Name
new_attribute = yes
searchfor = 
searchin = packet
replacewith = %{User-Name}
}

attr_rewrite remove-junk {
attribute = Stripped-User-Name
searchfor = /idm\/something\/
searchin = packet
new_attribute = no
replacewith = 
}


then in sites-enabled/default  (or usual server) add 

copy.user-name  
remove-junk

in the authorize section alongside prefix, suffix, ntrealm etc

alan


Re: definitively, I have a problem with eap-tls

2008-07-24 Thread Sergio

Phil Mayers escribió:


ok :) I provide certificate files and eap.conf in a tar ball to not 
to post a mail too long.
If I print [EMAIL PROTECTED] in text form I see how radius is the 
issuer of the certificate. This is the default PKI and I don't know 
what I'm doing wrong.

Thanks for your attention.


I get the exact same error at the CLI:

[EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem < server.pem
stdin: OK

[EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem < [EMAIL PROTECTED]
stdin: /C=FR/ST=Radius/O=Example Inc./[EMAIL PROTECTED]/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate

Your certificates are invalid:

 * server.pem is signed by ca.pem, which is correct:

Issuer: C=FR, ST=Radius, L=Somewhere, O=Example 
Inc./[EMAIL PROTECTED], CN=Example Certificate Authority


Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server 
Certificate/[EMAIL PROTECTED]


 * user.pem is signed by *server.pem* which is WRONG

Issuer: C=FR, ST=Radius, O=Example Inc., CN=Example Server 
Certificate/[EMAIL PROTECTED]


Subject: C=FR, ST=Radius, O=Example Inc., 
[EMAIL PROTECTED]/[EMAIL PROTECTED]



You have signed the user cert with the server cert, which is 
incorrect. You must sign the user cert with the CA cert.





Yeah!! Then you agree with me. I've been explaining (trying to) in this 
forum that the client cert must be signed by the CA cert. The bootstrap 
command signs the client cert with server.key and this does not work. The 
solution is to replace the signing in certs/Makefile (-key server.key 
-cert server.pem should be -key ca.key -cert ca.pem). Then, do you agree 
with me when I say, with fear and respect, that the default radius PKI 
doesn't work?
Second: if I sign client certificates with ca.key I assume that I can't 
manage the CRL because it should be signed with server.key, am I right?


what do you think about this?

Thanks


cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-24 Thread Phil Mayers


Yeah!! Then you agree with me. I've been explaining (trying to) in this 
forum that the client cert must be signed by the CA cert. The bootstrap 
command signs the client cert with server.key and this does not work. The 
solution is to replace the signing in certs/Makefile (-key server.key 
-cert server.pem should be -key ca.key -cert ca.pem). Then, do you agree 
with me when I 


I think so.


say, with fear and respect, that the default radius PKI doesn't work?


Hmm. Maybe; I guess most people test PEAP, which just uses CA and server 
certs, no client certs.


I'm by no means an expert, and Makefiles make my brain hurt, so I could 
be misreading it.


Alan - it does look to my untrained eye as if the client.crt Makefile 
target in /etc/raddb/certs is signing the client key with the server 
key. Is this intentional, or a bug?


Second: if I sign client certificates with ca.key I assume that I can't 
manage the CRL because it should be signed with server.key, am I right?


I don't think so. Again, I think the CRL is signed with the CA key. Of 
course, you'll need to run your own CRL commands; the FreeRadius stuff 
doesn't come with that.



SQL module mixes up packets when putting it to database

2008-07-24 Thread Khalukhin Alexander
Hi all! I'm using the 'sql' module in accounting to log all the radius packets
from a remote radius client (cisco 2600). I've investigated and found that
accounting packets are received in the right order (Start then Stop), but are
put into the DB log table in the wrong order (Stop then Start). Here are the logs:

=== /var/log/radius/radacct/x.y.z.a/detail-20080724 ===

Thu Jul 24 09:48:26 2008
Acct-Session-Id = 570008F7
Calling-Station-Id = 4959636156
Called-Station-Id = 74955891937
Cisco-AVPair = call-id=
[EMAIL PROTECTED]
h323-setup-time = .09:48:16.191 MSD Thu Jul 24 2008
h323-gw-id = voice5.di-net.ru
h323-conf-id = F0FF23AA 587A11DD B8009A2D 9B5B4497
h323-call-origin = originate
h323-call-type = VoIP
Cisco-AVPair = h323-incoming-conf-id=F0FF23AA 587A11DD B8009A2D
9B5B4497
Cisco-AVPair = subscriber=Unknown
Cisco-AVPair = session-protocol=sipv2
Cisco-AVPair = gw-rxd-cdn=ton:0,npi:0,#:74955891937
User-Name = 4959636156
Cisco-AVPair = connect-progress=Call Up
Acct-Status-Type = *Start*
Service-Type = Login-User
NAS-IP-Address = 89.208.190.6
Acct-Delay-Time = 0
call-id = [EMAIL PROTECTED]
h323-incoming-conf-id = F0FF23AA 587A11DD B8009A2D 9B5B4497
subscriber = Unknown
session-protocol = sipv2
gw-rxd-cdn = ton:0,npi:0,#:74955891937
Client-IP-Address = 89.208.190.6
Acct-Unique-Session-Id = 51b334248c332b3b
Timestamp = 1216878506

Thu Jul 24 09:48:27 2008
Acct-Session-Id = 570008F7
Calling-Station-Id = 4959636156
Called-Station-Id = 74955891937
Cisco-AVPair = call-id=
[EMAIL PROTECTED]
h323-setup-time = .09:48:16.191 MSD Thu Jul 24 2008
h323-gw-id = voice5.di-net.ru
h323-conf-id = F0FF23AA 587A11DD B8009A2D 9B5B4497
h323-call-origin = originate
h323-call-type = VoIP
Cisco-AVPair = h323-incoming-conf-id=F0FF23AA 587A11DD B8009A2D
9B5B4497
Cisco-AVPair = subscriber=Unknown
Cisco-AVPair = session-protocol=sipv2
Cisco-AVPair = gw-rxd-cdn=ton:0,npi:0,#:74955891937
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Session-Time = 0
h323-connect-time = .09:48:16.371 MSD Thu Jul 24 2008
h323-disconnect-time = .09:48:16.371 MSD Thu Jul 24 2008
h323-disconnect-cause = 1
h323-remote-address = 89.208.190.4
Cisco-AVPair = release-source=4
h323-voice-quality = 0
Cisco-AVPair = gw-rxd-cgn=ton:0,npi:0,pi:1,si:0,#:4959636156
Cisco-AVPair = gw-final-xlated-cdn=ton:0,npi:0,#:74955891937
Cisco-AVPair =
gw-final-xlated-cgn=ton:0,npi:0,pi:1,si:0,#:4959636156
User-Name = 4959636156
Acct-Status-Type = *Stop*
Service-Type = Login-User
NAS-IP-Address = 89.208.190.6
Acct-Delay-Time = 0
call-id = [EMAIL PROTECTED]
h323-incoming-conf-id = F0FF23AA 587A11DD B8009A2D 9B5B4497
subscriber = Unknown
session-protocol = sipv2
gw-rxd-cdn = ton:0,npi:0,#:74955891937
release-source = 4
gw-rxd-cgn = ton:0,npi:0,pi:1,si:0,#:4959636156
gw-final-xlated-cdn = ton:0,npi:0,#:74955891937
gw-final-xlated-cgn = ton:0,npi:0,pi:1,si:0,#:4959636156
Client-IP-Address = 89.208.190.6
Acct-Unique-Session-Id = 51b334248c332b3b
Timestamp = 1216878507

=== /var/log/radius/sqltrace.sql 

INSERT INTO ACC (ACCT-STATUS-TYPE, NAS-IP-ADDRESS, H323-CALL-ORIGIN,
CALLED-STATION-ID, CALLING-STATION-ID, ACCT-SESSION-ID, CALL-ID,
SIP-TO-TAG, SIP-FROM-TAG, SIP-TRANSLATED-REQUEST-URI, USER-NAME,
SIP-SOURCE-IP-ADDRESS, SIP-SOURCE-PORT, ACCT-SESSION-TIME,
H323-CONNECT-TIME, H323-SETUP-TIME, H323-DISCONNECT-TIME,
H323-DISCONNECT-CAUSE, IPHOP-COUNT, IPHOP1, IPHOP2, IPHOP3,
H323-CONF-ID) VALUES ('*Start*', '89.208.190.6', 'originate',
'74955891937', '4959636156', '570008F7', '
[EMAIL PROTECTED]', '', '', '', '4959636156',
'', '', '', '', '.09:48:16.191 MSD Thu Jul 24 2008', '', '', '', '', '', '',
'F0FF23AA 587A11DD B8009A2D 9B5B4497');

INSERT INTO ACC (ACCT-STATUS-TYPE, NAS-IP-ADDRESS, H323-CALL-ORIGIN,
CALLED-STATION-ID, CALLING-STATION-ID, ACCT-SESSION-ID, CALL-ID,
SIP-TO-TAG, SIP-FROM-TAG, SIP-TRANSLATED-REQUEST-URI, USER-NAME,
SIP-SOURCE-IP-ADDRESS, SIP-SOURCE-PORT, ACCT-SESSION-TIME,
H323-CONNECT-TIME, H323-SETUP-TIME, H323-DISCONNECT-TIME,
H323-DISCONNECT-CAUSE, IPHOP-COUNT, IPHOP1, IPHOP2, IPHOP3,
H323-CONF-ID) VALUES ('*Stop*', '89.208.190.6', 'originate',
'74955891937', '4959636156', '570008F7', '
[EMAIL PROTECTED]', '', '', '', '4959636156',
'', '', '0', '.09:48:16.371 MSD Thu Jul 24 2008', '.09:48:16.191 MSD Thu Jul
24 2008', '.09:48:16.371 MSD Thu Jul 24 2008', '1', '', '', '', '',
'F0FF23AA 587A11DD B8009A2D 9B5B4497
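
When comparing what the detail module wrote with what ended up in the database, the first thing to pin down is the order of records per session in the detail file itself. The following is an added example, not code from this thread or from the FreeRADIUS project: a POSIX sh/awk check that walks detail-file records (blank-line separated, one attribute per line, as in the dump above) and reports, per Acct-Session-Id, the sequence of Acct-Status-Type values it saw, flagging any session whose first Stop precedes its first Start. The sample records are constructed and shortened from the layout posted above; session 570008F7 mirrors the posted Start/Stop pair, session 570008F8 is invented to show the flagged case, and the attribute values are quoted the way the detail module writes strings.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS project.
# Reads detail-file records (blank-line separated, one attribute per line)
# and reports the Acct-Status-Type sequence seen for each Acct-Session-Id.

# Constructed, shortened sample in the detail-file layout.  570008F7
# mirrors the posted Start/Stop pair; 570008F8 is invented to show a
# Stop that is logged before its Start.  Real files indent with a tab;
# the parser accepts tabs or spaces.
SAMPLE_DETAIL='Thu Jul 24 09:48:26 2008
    Acct-Session-Id = "570008F7"
    User-Name = "4959636156"
    Acct-Status-Type = Start
    Timestamp = 1216878506

Thu Jul 24 09:48:27 2008
    Acct-Session-Id = "570008F7"
    User-Name = "4959636156"
    Acct-Status-Type = Stop
    Acct-Session-Time = 0
    Timestamp = 1216878507

Thu Jul 24 09:50:00 2008
    Acct-Session-Id = "570008F8"
    User-Name = "4959636156"
    Acct-Status-Type = Stop
    Timestamp = 1216878600

Thu Jul 24 09:50:01 2008
    Acct-Session-Id = "570008F8"
    User-Name = "4959636156"
    Acct-Status-Type = Start
    Timestamp = 1216878601
'

# check_order DETAIL_TEXT
# Prints "<session-id> <type,type,...> <OK|SUSPECT>" per session, in the
# order sessions first appear.  SUSPECT means a Stop was logged before
# any Start for that session (or with no Start at all).
check_order() {
    printf '%s\n' "$1" | awk '
        # Commit the record collected so far and reset per-record state.
        function flush() {
            if (sid != "") {
                if (!(sid in seq)) { sessions[++n] = sid; seq[sid] = type }
                else seq[sid] = seq[sid] "," type
            }
            sid = ""; type = ""
        }
        /^[ \t]*Acct-Session-Id[ \t]*=/  { v = $3; gsub(/"/, "", v); sid = v }
        /^[ \t]*Acct-Status-Type[ \t]*=/ { type = $3 }
        /^[ \t]*$/                       { flush() }   # blank line ends a record
        END {
            flush()                                   # last record, if unterminated
            for (i = 1; i <= n; i++) {
                s = sessions[i]
                start = index(seq[s], "Start"); stop = index(seq[s], "Stop")
                verdict = (stop > 0 && (start == 0 || stop < start)) ? "SUSPECT" : "OK"
                print s, seq[s], verdict
            }
        }'
}

check_order "$SAMPLE_DETAIL"
```

Run it against a real file with `check_order "$(cat /var/log/radius/radacct/x.y.z.a/detail-20080724)"`; a session that shows OK here but is reversed in sqltrace.sql narrows the problem to the path between the accounting section and the database, rather than to the NAS.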

Re: SQL module mixes up packets when putting it to database

2008-07-24 Thread Phil Mayers

Khalukhin Alexander wrote:

Re: SQL module mixes up packets when putting it to database

2008-07-24 Thread Khalukhin Alexander
On Thu, Jul 24, 2008 at 10:01 PM, Phil Mayers [EMAIL PROTECTED]
wrote:

 Khalukhin Alexander wrote:

 Hi all! I'm using 'sql' module in accounting to log all the radius packets
 from remote radius client (cisco 2600). I've investigated, that accounting
 packets are received in right order (Start then Stop), but putted into
 DB log table in wrong order (Stop then Start). Here are the logs:

  /var/log/radius/radacct/x.y.z.a/detail-20080724
 =

 Thu Jul 24 09:48:26 2008
Acct-Session-Id = 570008F7
Calling-Station-Id = 4959636156
Called-Station-Id = 74955891937
Cisco-AVPair = call-id=
 [EMAIL PROTECTED] mailto:
 [EMAIL PROTECTED]
h323-setup-time = .09:48:16.191 MSD Thu Jul 24 2008
h323-gw-id = voice5.di-net.ru http://voice5.di-net.ru
h323-conf-id = F0FF23AA 587A11DD B8009A2D 9B5B4497
h323-call-origin = originate
h323-call-type = VoIP
Cisco-AVPair = h323-incoming-conf-id=F0FF23AA 587A11DD B8009A2D
 9B5B4497
Cisco-AVPair = subscriber=Unknown
Cisco-AVPair = session-protocol=sipv2
Cisco-AVPair = gw-rxd-cdn=ton:0,npi:0,#:74955891937
User-Name = 4959636156
Cisco-AVPair = connect-progress=Call Up
Acct-Status-Type = *Start*
Service-Type = Login-User
NAS-IP-Address = 89.208.190.6 http://89.208.190.6
Acct-Delay-Time = 0
call-id = [EMAIL PROTECTED]mailto:
 [EMAIL PROTECTED]
h323-incoming-conf-id = F0FF23AA 587A11DD B8009A2D 9B5B4497
subscriber = Unknown
session-protocol = sipv2
gw-rxd-cdn = ton:0,npi:0,#:74955891937
Client-IP-Address = 89.208.190.6 http://89.208.190.6
Acct-Unique-Session-Id = 51b334248c332b3b
Timestamp = 1216878506

 Thu Jul 24 09:48:27 2008
Acct-Session-Id = 570008F7
Calling-Station-Id = 4959636156
Called-Station-Id = 74955891937
Cisco-AVPair = call-id=
 [EMAIL PROTECTED] mailto:
 [EMAIL PROTECTED]
h323-setup-time = .09:48:16.191 MSD Thu Jul 24 2008
h323-gw-id = voice5.di-net.ru http://voice5.di-net.ru
h323-conf-id = F0FF23AA 587A11DD B8009A2D 9B5B4497
h323-call-origin = originate
h323-call-type = VoIP
Cisco-AVPair = h323-incoming-conf-id=F0FF23AA 587A11DD B8009A2D
 9B5B4497
Cisco-AVPair = subscriber=Unknown
Cisco-AVPair = session-protocol=sipv2
Cisco-AVPair = gw-rxd-cdn=ton:0,npi:0,#:74955891937
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Session-Time = 0
h323-connect-time = .09:48:16.371 MSD Thu Jul 24 2008
h323-disconnect-time = .09:48:16.371 MSD Thu Jul 24 2008
h323-disconnect-cause = 1
h323-remote-address = 89.208.190.4 http://89.208.190.4
Cisco-AVPair = release-source=4
h323-voice-quality = 0
Cisco-AVPair = gw-rxd-cgn=ton:0,npi:0,pi:1,si:0,#:4959636156
Cisco-AVPair = gw-final-xlated-cdn=ton:0,npi:0,#:74955891937
Cisco-AVPair =
 gw-final-xlated-cgn=ton:0,npi:0,pi:1,si:0,#:4959636156
User-Name = 4959636156
Acct-Status-Type = *Stop*
Service-Type = Login-User
NAS-IP-Address = 89.208.190.6 http://89.208.190.6
Acct-Delay-Time = 0
call-id = [EMAIL PROTECTED]mailto:
 [EMAIL PROTECTED]
h323-incoming-conf-id = F0FF23AA 587A11DD B8009A2D 9B5B4497
subscriber = Unknown
session-protocol = sipv2
gw-rxd-cdn = ton:0,npi:0,#:74955891937
release-source = 4
gw-rxd-cgn = ton:0,npi:0,pi:1,si:0,#:4959636156
gw-final-xlated-cdn = ton:0,npi:0,#:74955891937
gw-final-xlated-cgn = ton:0,npi:0,pi:1,si:0,#:4959636156
Client-IP-Address = 89.208.190.6 http://89.208.190.6
Acct-Unique-Session-Id = 51b334248c332b3b
Timestamp = 1216878507

 === /var/log/radius/sqltrace.sql 

 INSERT INTO ACC (ACCT-STATUS-TYPE, NAS-IP-ADDRESS, H323-CALL-ORIGIN,
 CALLED-STATION-ID, CALLING-STATION-ID, ACCT-SESSION-ID, CALL-ID,
 SIP-TO-TAG, SIP-FROM-TAG, SIP-TRANSLATED-REQUEST-URI, USER-NAME,
 SIP-SOURCE-IP-ADDRESS, SIP-SOURCE-PORT, ACCT-SESSION-TIME,
 H323-CONNECT-TIME, H323-SETUP-TIME, H323-DISCONNECT-TIME,
 H323-DISCONNECT-CAUSE, IPHOP-COUNT, IPHOP1, IPHOP2, IPHOP3,
 H323-CONF-ID) VALUES ('*Start*', '89.208.190.6 http://89.208.190.6',
 'originate', '74955891937', '4959636156', '570008F7', '
 [EMAIL PROTECTED] mailto:
 [EMAIL PROTECTED]', '', '', '',
 '4959636156', '', '', '', '', '.09:48:16.191 MSD Thu Jul 24 2008', '', '',
 '', '', '', '', 'F0FF23AA 587A11DD B8009A2D 9B5B4497');

 INSERT INTO ACC (ACCT-STATUS-TYPE, NAS-IP-ADDRESS, H323-CALL-ORIGIN,
 CALLED-STATION-ID, CALLING-STATION-ID, ACCT-SESSION-ID, CALL-ID,
 SIP-TO-TAG, SIP-FROM-TAG, SIP-TRANSLATED-REQUEST-URI, USER-NAME,
 SIP-SOURCE-IP-ADDRESS, SIP-SOURCE-PORT, ACCT-SESSION-TIME,
 H323-CONNECT-TIME, H323

Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-24 Thread Alan DeKok
Phil Mayers wrote:
 Alan - it does look to my untrained eye as if the client.crt Makefile
 target in /etc/raddb/certs is signing the client key with the server
 key. Is this intentional, or a bug?

  It's intentional.  It's a perfectly valid use of certificate chains.

  The idea is that you have one CA for your organization, and (perhaps)
multiple RADIUS servers.  Each server has its own identity, and can
issue its own client certs for EAP-TLS.  But client certs will work
across multiple servers, because the servers are signed by the same CA.

  Alan DeKok.
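
Phil's openssl verify failure and Alan's explanation of the chain are two views of the same certificate layout, and they can be reproduced side by side. The following is an added example, not code from this thread or from the FreeRADIUS project: it builds a throw-away three-level PKI with openssl (a root CA, a server certificate that is itself allowed to sign, and a client certificate signed by that server key, mirroring what Sergio describes certs/Makefile doing), then runs openssl verify on the client certificate first against ca.pem alone, as Phil did, and then with server.pem supplied as an untrusted intermediate. The subject names, the temporary directory and the config file are constructed for the example; the file names ca.pem, server.pem and user.pem follow the thread. The example covers only the openssl side; what FreeRADIUS itself can see of the chain depends on what is placed in the CA_file named earlier in this thread.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS project.
# Builds a constructed three-level PKI (CA -> server -> user) and shows
# why "openssl verify -CAfile ca.pem user.pem" fails with error 20 while
# supplying the server cert as an intermediate makes the same cert verify.
set -e

PKI_DIR=$(mktemp -d)

# Minimal OpenSSL config: a DN section (required by "req") plus one
# extension profile per certificate type.  Names are placeholders.
cat >"$PKI_DIR/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

# A cert that signs other certs must carry CA:TRUE and keyCertSign, or
# chain building rejects it outright ("invalid CA certificate").
[ v3_server_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign

[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# Generates ca.pem, server.pem (signed by the CA) and user.pem (signed by
# the *server* key, which is the layout discussed in the thread).
build_pki() (
    cd "$PKI_DIR"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config pki.cnf -extensions v3_ca \
        -subj "/CN=Example Certificate Authority" \
        -keyout ca.key -out ca.pem >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=Example Server Certificate" \
        -keyout server.key -out server.csr >/dev/null 2>&1
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -extfile pki.cnf -extensions v3_server_ca \
        -out server.pem >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=user@example.org" \
        -keyout user.key -out user.csr >/dev/null 2>&1
    openssl x509 -req -in user.csr -CA server.pem -CAkey server.key \
        -CAcreateserial -days 30 -extfile pki.cnf -extensions v3_client \
        -out user.pem >/dev/null 2>&1
)

# Exit 0 when the given cert verifies against the trusted CA alone.
verify_with_ca_only() {
    openssl verify -CAfile "$PKI_DIR/ca.pem" "$PKI_DIR/$1" >/dev/null 2>&1
}

# Exit 0 when the given cert verifies with server.pem offered as an
# untrusted intermediate, i.e. the chain user -> server -> CA is checked.
verify_with_intermediate() {
    openssl verify -CAfile "$PKI_DIR/ca.pem" -untrusted "$PKI_DIR/server.pem" \
        "$PKI_DIR/$1" >/dev/null 2>&1
}

report() { if "$@"; then echo OK; else echo FAIL; fi; }

build_pki
echo "server.pem against ca.pem alone:           $(report verify_with_ca_only server.pem)"
echo "user.pem against ca.pem alone:             $(report verify_with_ca_only user.pem)"
echo "user.pem with server.pem as intermediate:  $(report verify_with_intermediate user.pem)"
# Show the raw openssl message for the failing case (error 20, as in the thread).
openssl verify -CAfile "$PKI_DIR/ca.pem" "$PKI_DIR/user.pem" 2>&1 || true
```

The first two lines reproduce Phil's result exactly: server.pem checks out against the CA, user.pem does not, because the verifier has no way to reach ca.pem from a certificate issued by the server. The third line shows Alan's point: once the intermediate is available the chain is valid. Whether the user certificate is accepted therefore depends on the verifier being given every certificate between the leaf and the trust anchor, not on the CA alone.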


Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-24 Thread Sergio

Alan DeKok escribió:

Phil Mayers wrote:
  

Alan - it does look to my untrained eye as if the client.crt Makefile
target in /etc/raddb/certs is signing the client key with the server
key. Is this intentional, or a bug?



  It's intentional.  It's a perfectly valid use of certificate chains.

  The idea is that you have one CA for your organization, and (perhaps)
multiple RADIUS servers.  Each server has its own identity, and can
issue its own client certs for EAP-TLS.  But client certs will work
across multiple servers, because the servers are signed by the same CA.

  Alan DeKok.
But the debug I posted shows that radius doesn't recognize the issuer of 
the client cert using the default certs. If the default certs work and I 
don't need to install server.pem and ca.pem into the ssl/certs dir, what 
am I forgetting, Alan?



Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-24 Thread Sergio

Alan DeKok escribió:

Phil Mayers wrote:
  

Alan - it does look to my untrained eye as if the client.crt Makefile
target in /etc/raddb/certs is signing the client key with the server
key. Is this intentional, or a bug?



  It's intentional.  It's a perfectly valid use of certificate chains.

  The idea is that you have one CA for your organization, and (perhaps)
multiple RADIUS servers.  Each server has its own identity, and can
issue its own client certs for EAP-TLS.  But client certs will work
across multiple servers, because the servers are signed by the same CA.

  Alan DeKok.
Sorry, only one more note. The bootstrap command doesn't make client certs; 
you need to execute make client.pem to make them.

I also assume that this is normal.


Re: Dependencies of Freeradius 2.0.5

2008-07-24 Thread Yawar Hadi
Thanks Alan, I will work in this direction.
So nice of you.


On Thu, Jul 24, 2008 at 3:28 PM, Alan DeKok [EMAIL PROTECTED]
wrote:

 Yawar Hadi wrote:
I worked on 2.0.5 for more than a month but
  without success.

   That's what this list is for.  If it takes too long, ask questions.

  And I just don't understand why it's so difficult to find the
 authorize and authenticate sections in 2.0.  Yes, they have been
 removed from radiusd.conf.  But this is CLEARLY STATED in
 radiusd.conf... if you read it.

  then I switched to radius 1.1.6.
  1: set up with a mysql database
  2: now I want to use stored procedures to interact with the database...

   The MySQL module in 2.0 supports stored procedures.  You don't need to
 edit anything.

  Alan DeKok.




-- 
Yawar Hadi Noshahi

QAU Islamabad (+92-0300-5504798)