Re: Dependencies of Freeradius 2.0.5
I also faced this problem for more than one month, because the problem is with the module configuration. In the radius 1.6 version, in the raddb/radiusd.conf file, there is a module section like:

    authorize {
        #pap
        ...
        #chap
        ...
    }

There is also a sql configuration which is commented out, like "#sql"; you have to uncomment it:

    #sql  ->  sql

Then the sql configuration is added to radius. But the problem is that in radius 2.0.5 there is nothing like this in radiusd.conf; they have moved these configuration files to some other place.

My suggestion is to move to version radius 1.6, because more people work on it and it is more stable than radius 2.0.5. Hope it will help you.

BEST REGARDS
Yawar Hadi Noshahi
QAU Islamabad
(+92-0300-5504798)

On Thu, Jul 24, 2008 at 12:41 PM, Leander S. [EMAIL PROTECTED] wrote:

> Hi,
>
> continuing: http://lists.freeradius.org/pipermail/freeradius-users/2008-June/msg00677.html
>
> @Alan de Kok ;) Thanks for keeping me so stupid even if I already said that I already got it working in a couple of setups on 1.1.7 - but I won't complain because I seriously really appreciate your help!
>
> About my SQL configuration:
>
> ### cat sql.conf
> [...]
> database = postgresql
> server = localhost
> login = radius
> password = My_OwN_PaSsWoRd
> radius_db = radius
> # and also:
> sqltrace = yes
> [...]
> ###
>
> AND
>
> ### cat radiusd.conf
> [...]
> $INCLUDE sql.conf
> #$INCLUDE sql/mysql/counter.conf
> $INCLUDE sql/postgresql/counter.conf
> $INCLUDE sqlippool.conf
> [...]
> ###
>
> ^^ There is nothing more useful to find about SQL in the radiusd.conf - except the sql query samples provided in the [...]/raddb/sql/* folder, which I just left like they are. So I guess I configured it right - the modules are just still missing, I think. Correct me if you guess something different.
>
> BTW: radiusd -X says *nothing* about sql or anything which sounds similar to sql or postgres, except the config it loads ;/
>
> [...]
> including configuration file /usr/local/etc/raddb/modules/sql_log
> [...]
> including configuration file /usr/local/etc/raddb/sql.conf
> including configuration file /usr/local/etc/raddb/sql/postgresql/dialup.conf
> including configuration file /usr/local/etc/raddb/sql/postgresql/counter.conf
> including configuration file /usr/local/etc/raddb/sqlippool.conf
> including configuration file /usr/local/etc/raddb/sql/postgresql/ippool.conf
> [...]
>
> Sadly no query verbosity ... Thanks
>
> Continuing: http://lists.freeradius.org/pipermail/freeradius-users/2008-June/msg00715.html
>
> @David Thank you very much for your efforts!!
>
> Quote:
> ###
> After untarring the FreeRADIUS 2.0.5 tarball and changing directory to the root of the untarred tarball, these steps are roughly what you need:
>
> LDFLAGS=-L/usr/local/lib -pthread ; \
> CFLAGS+=-I/usr/local/include -L/usr/local/lib ; \
> ./configure --prefix=/usr/local --libdir=/usr/local/lib \
> --localstatedir=/var --with-docdir=/usr/local/share/doc/freeradius \
> --with-logdir=/var/log \
> --with-openssl-includes=/usr/local/include/openssl \
> --with-openssl-libraries=/usr/local/lib
> gmake install
>
> You must add --with-pic to the first command if using FreeBSD amd64. You should omit the two openssl lines if you don't have the OpenSSL port included. I don't recommend this - I really do believe it's better to use the port.
> ###
>
> Even if you suggest rather using ports to install FreeRADIUS on a FreeBSD system than compiling, I'd rather compile because of various reasons. But I might not have understood you right in the way how to use those commands. Are those shell commands? Or might I have to add those 2 lines to a config?
>
> bash$ LDFLAGS=-L/usr/local/lib -pthread
> bash$ CFLAGS+=-I/usr/local/include -L/usr/local/lib
>
> Well, the next one is clear:
>
> bash$ ./configure --prefix=/usr/local --libdir=/usr/local/lib --localstatedir=/var --with-docdir=/usr/local/share/doc/freeradius --with-logdir=/var/log --with-openssl-includes=/usr/local/include/openssl --with-openssl-libraries=/usr/local/lib
>
> and I do have amd64, so I'm guessing, if I read right in the ./configure --help, that the ./configure command is supposed to look like:
>
> bash$ ./configure --prefix=/usr/local --libdir=/usr/local/lib --localstatedir=/var --with-docdir=/usr/local/share/doc/freeradius --with-logdir=/var/log --with-openssl-includes=/usr/local/include/openssl --with-openssl-libraries=/usr/local/lib --with-pic
>
> ^^ because you mentioned to add
Re: Dependencies of Freeradius 2.0.5
I have set up radius 1.6 with a MySQL database and also added the functionality of procedure calling. If you need any help feel free to contact me; I am available 10am to 8pm, Mon to Fri.

Thanks

On Thu, Jul 24, 2008 at 1:00 PM, Yawar Hadi [EMAIL PROTECTED] wrote:
Re: Dependencies of Freeradius 2.0.5
Yawar Hadi wrote:
> but the problem is in radius 2.0.5 nothing like this in radiusd.conf.
> they have moved these configuration files to some other place.

  raddb/sites-available/default

  This is documented in radiusd.conf, if you had read it. It's also mentioned nearly daily on this list, if you read posts on this list.

> my suggestion is to move to version radius 1.6 because more people work on it and it is more stable than radius 2.0.5 hope it will help you

  (1) There is no version 1.6
  (2) 2.0.5 is more stable than 1.x
  (3) 2.0.5 has more documentation than 1.x

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dependencies of Freeradius 2.0.5
@Yawar Hadi

Thanks. I need version 2.0.5 because of various reasons.

If you talk about this part in radius.conf:

    ###
    authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        # We leave files enabled to allow creation of test users in /etc/raddb/users
        files
        sql
        pap
    }

    accounting {
        # We leave detail enabled to _additionally_ log accounting to /var/log/radius/radacct
        detail
        sql
    }
    ###

^^ it's not there anymore in the 2.0.5 radius.conf - I also looked for that without success ;)

Quote:
> there is also a sql configuration which is commented out like #sql you have to uncomment it. #sql -> sql

^^ What config are you talking about? The only useful sql hint I was able to find in radius.conf was

    $INCLUDE sql.conf

which is already uncommented ..

Thank you

Yawar Hadi schrieb:
Re: Dependencies of Freeradius 2.0.5
A *bing*

*raddb/sites-available/default*

There we go ... let me check this out before continuing ... I guess that's what I was looking for without success yet ...

Thanks

Alan DeKok schrieb:
Re: Dependencies of Freeradius 2.0.5
Leander S. wrote:
> ###
> ^^ There is nothing more useful to find about SQL in the radiusd.conf -

  READ radiusd.conf. The last 20-30 lines tell you what's changed, why, and where the new configurations are located.

> BTW.: radiusd -X says *nothing* about sql or anything which sounds quite similar like sql or postgres except the config it loads ;/

  Because... you didn't read radiusd.conf, and you didn't enable sql in the authorize/accounting sections.

  You are putting a LOT of work into reading the output of configure, trying various things... and NOT reading the documentation in the configuration files.

  Go read radiusd.conf. The last 30 lines or so tell you what's going on.

  Alan DeKok.
Re: Dependencies of Freeradius 2.0.5
Thanks - *raddb/sites-available/default* - was what I was searching for ;)

Now I do get the SQL queries when I turn on radiusd -X. BUT there still seems to be something wrong, or better said, missing:

    rlm_sql (sql): Could not link driver rlm_sql_postgresql: Shared object libpq.so.5 not found, required by rlm_sql_postgresql-2.0.5.so
    rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
    /usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module sql
    /usr/local/etc/raddb/sites-enabled/default[152]: Failed to find module sql.
    /usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
    }
    }
    Errors initializing modules

I still just have to figure out how to fix that.

Thanks,
Leander

Alan DeKok schrieb:
Re: Dependencies of Freeradius 2.0.5
Leander S. wrote:
> Thanks - *raddb/sites-available/default* - was what I was searching for ;)

  Again, why search when you can read the documentation?

> rlm_sql (sql): Could not link driver rlm_sql_postgresql: Shared object libpq.so.5 not found, required by rlm_sql_postgresql-2.0.5.so
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.

  This is in the FAQ. Read it. Look for "Could not link".

> I still just have to figure out how to fix that

  Read the documentation?

  Alan DeKok.
Re: Dependencies of Freeradius 2.0.5
I read the FAQ. But I think I might be able to fix this with those two commands told by David before I start compiling:

    LDFLAGS=-L/usr/local/lib -pthread
    CFLAGS+=-I/usr/local/include -L/usr/local/lib

^^ BUT I don't know how and where to use them ?!

Alan DeKok schrieb:
Re: Dependencies of Freeradius 2.0.5
Leander S. wrote:
> I read the FAQ. But I think I might be able to fix this with those two commands told by David before I start compiling:
>
> LDFLAGS=-L/usr/local/lib -pthread
> CFLAGS+=-I/usr/local/include -L/usr/local/lib
>
> ^^ BUT I don't know how and where to use them ?!

  I'm sorry, but this is Unix sysadmin 101.

  You can try editing the top-level Make.inc. Look for similar text.

  *Learn*. Stop trying to get detailed instructions for every little thing. You *can* figure it out for yourself. It's what most people do.

  Alan DeKok.
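As an added example (not from the list thread or the FreeRADIUS project), the following shell snippet shows one way to pass the LDFLAGS/CFLAGS from David's instructions to a single ./configure run, and a check for the "Could not link driver ... libpq.so.5 not found" failure by listing the shared objects that ldd cannot resolve for a module. The `+=` form quoted on the list is make syntax (as in Make.inc), not sh, so the values are set explicitly here; the module path follows the thread's /usr/local prefix and the ldd sample output is constructed.

```shell
#!/bin/sh
# Added example, not the project's own build script.

# 1) Build with the extra search paths. Prefixing ./configure with
#    VAR=value assignments exports them for that one command only,
#    so nothing in Make.inc has to be edited by hand. Paths and
#    options are the ones quoted from David's message.
build_freeradius() {
    LDFLAGS="-L/usr/local/lib -pthread" \
    CFLAGS="-I/usr/local/include" \
    ./configure --prefix=/usr/local --libdir=/usr/local/lib \
        --localstatedir=/var \
        --with-docdir=/usr/local/share/doc/freeradius \
        --with-logdir=/var/log \
        --with-openssl-includes=/usr/local/include/openssl \
        --with-openssl-libraries=/usr/local/lib \
        --with-pic && gmake install
}

# 2) Print the names of libraries the dynamic linker reports as
#    "not found". Reads ldd-style output on stdin so it can be
#    exercised offline; in real use:
#      ldd /usr/local/lib/rlm_sql_postgresql-2.0.5.so | missing_libs
missing_libs() {
    awk '/not found/ { print $1 }'
}

# 3) Wrapper around ldd for one module; returns 1 and reports the
#    unresolved names when the module would fail to link at runtime
#    (the symptom radiusd -X showed for rlm_sql_postgresql).
check_module() {
    unresolved=$(ldd "$1" 2>/dev/null | missing_libs)
    if [ -n "$unresolved" ]; then
        echo "unresolved in $1: $unresolved" >&2
        return 1
    fi
    return 0
}

# Constructed sample of what ldd prints when libpq lives outside the
# linker search path (the situation in the thread).
SAMPLE_LDD='/usr/local/lib/rlm_sql_postgresql-2.0.5.so:
    libpq.so.5 => not found
    libc.so.7 => /lib/libc.so.7 (0x800600000)'
```

If libpq.so.5 is reported, the library directory must be added to the linker search path (for example via the build flags above) before the sql module will instantiate.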
Re: Dependencies of Freeradius 2.0.5
Thanks Alan DeKok for the further information you provided.

I worked on 2.0.5 for more than a month but without success. Then I switched to radius 1.1.6.

1: set up with a MySQL database
2: now I want to use stored procedures to interact with the database...
3: guide me in this scenario.

Like in the rlm_sql module there are two files of interest, rlm_sql.c and sql.c:

    rlm_sql (module)
      --drivers
        --rlm_sql_mysql
          -- sql_mysql.c (file) {
               .. here is the interaction with the database;
               I have written a function sql_authen() { ;; }
             }

sql.c calls this sql_authen() function; rlm_sql.c calls a function which is in the sql.c file [function authenticatcall()], so I get the result back.

Is this approach good to interact with the database, or is there a more secure and reliable way ...? Hope you got my point.

On Thu, Jul 24, 2008 at 1:08 PM, Alan DeKok [EMAIL PROTECTED] wrote:

--
Yawar Hadi Noshahi
QAU Islamabad
(+92-0300-5504798)
Re: Dependencies of Freeradius 2.0.5
Yawar Hadi wrote:
> i worked on 2.0.5 for more than a month but without success.

  That's what this list is for. If it takes too long, ask questions.

  And I just don't understand why it's so difficult to find the authorize and authenticate sections in 2.0. Yes, they have been removed from radiusd.conf. But this is CLEARLY STATED in radiusd.conf... if you read it.

> then i switched to radius 1.1.6.
> 1: setup with mysql database
> 2: now i want to use stored procedures to interact with the database...

  The MySQL module in 2.0 supports stored procedures. You don't need to edit anything.

  Alan DeKok.
Re: PEAP or TTLS and Microsoft Vista.
SecureW2 (List) wrote:
> http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx

Nice article. However I don't understand a few things. What's pdb pdbpath? I'm not good at Windows.

> To enable logging do the following:
> - Netsh wlan set tra yes
> - netsh ras set tr * en
> - Reproduce your problem
> - netsh ras set tr * dis
> - Netsh wlan set tra no

Well. I have problems with a _wired_ connection so I've used netsh lan instead of netsh wlan. I hope it's the right thing.

> If you go to the %windir%\tracing\wireless\ directory you will find a load of .etl files in different directories.

:-) yea. Which one is... hm... important? onex or eaphost?

> Use the tracerpt *.* command to change the .etl to readable .txt files.

I'm attaching onex.txt and eaphost.txt. I'm not exactly sure what I should search for. Any hints?

> PS. I don't like plugging like this but we are almost finished with the latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and EAP-GTC and has been tested quite extensively with Vista SP0/SP1.

Awesome. I hope it'll work with my Vistas...

Kind regards,

--
Lech Karol Pawłaszek "ike"
"You will never see me fall from grace" [KoRn]

Attachments: eaphost.txt.gz, onex.txt.gz
Re: definitively, I have a problem with eap-tls
Sorry, I'll do the things right jeje

Log using the default configuration except:

- default_eap_type = tls in eap.conf
- client 192.168.0.0/24 {
      secret = testing123
      shortname = kely
  } in clients.conf, and AP configuration ok (still not in the garbage)
- wpa_supplicant with cert [EMAIL PROTECTED], private key pass whatever, ca cert ca.pem, Identity = user, because if I put Identity = [EMAIL PROTECTED] I got:

    rlm_eap: Identity does not match User-Name, setting from EAP Identity.
    rlm_eap: Failed in handler

From the radius debug, go!

    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.0.3 port 3072, id=0, length=223
    Cleaning up request 0 ID 0 with timestamp +6
        User-Name = user
        NAS-IP-Address = 192.168.0.3
        Called-Station-Id = 0014c145956f
        Calling-Station-Id = 001cf01294dd
        NAS-Identifier = 0014c145956f
        NAS-Port = 27
        Framed-MTU = 1400
        State = 0x8bca9aca8bcb976abb82dcb4bf9a7d57
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201005d0d001603010052014e030141454c2a2c04490a119ee1bb01bef71f545786cfb41f565c94aa2fbc5c3b2600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100
        Message-Authenticator = 0xe217e8279c4d42c9d30581d3ac0869a1
    +- entering group authorize
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    rlm_realm: No '@' in User-Name = user, looking up realm NULL
    rlm_realm: No such realm NULL
    ++[suffix] returns noop
    rlm_eap: EAP packet type response id 1 length 93
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[unix] returns notfound
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns noop
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    +- entering group authenticate
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/tls
    rlm_eap: processing type tls
    rlm_eap_tls: Authenticate
    rlm_eap_tls: processing TLS
    eaptls_verify returned 7
    rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
    rlm_eap_tls: TLS 1.0 Handshake [length 0052], ClientHello
    TLS_accept: SSLv3 read client hello A
    rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
    rlm_eap_tls: TLS 1.0 Handshake [length 085e], Certificate
    TLS_accept: SSLv3 write certificate A
    rlm_eap_tls: TLS 1.0 Handshake [length 020d], ServerKeyExchange
    TLS_accept: SSLv3 write key exchange A
    rlm_eap_tls: TLS 1.0 Handshake [length 00a8], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode
    eaptls_process returned 13
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.0.3 port 3072
Re: PEAP or TTLS and Microsoft Vista.
Lech Karol Pawłaszek wrote:
> SecureW2 (List) wrote:
>> http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx
>
> Nice article. However I don't understand a few things. What's pdb pdbpath? I'm not good at Windows.

Good lord... they've made the EAP logging *worse*. I didn't think that was possible.

It looks to me like the authentication is succeeding in those latest files; onex.txt says (at line 1367):

    [4924] 12:03:49.152 Port(38): Received an Eap packet length=4, type=EapSuccess, identifier=10, eapType=0

..then a few lines later:

    [2896] 12:03:49.202 Port(38): MPPE-Send/Recv-Keys derived by supplicant
    [snip]
    [2896] 12:03:49.202 Port(38): The auth succeeded. Deleting all cached UI Responses
    [snip]
    [2896] 12:03:49.284 Port(38): Start processing local event: (PAESuppSuccess)
    [2896] 12:03:49.284 Port(38): Completed the 802.1X authentication successfully

So, all is good. But about 5 seconds later:

    [2108] 12:04:03.819 OneXIndicatePacket
    [2108] 12:04:03.819 Port(38): Received an Eap packet length=5, type=EapRequestId, identifier=11, eapType=0
    [snip]
    [4924] 12:04:03.820 Port(38): Restarting authentication due to reason = PeerInitiated

similarly in eaphost.txt:

    [3432] 12:04:03.831 Received an identity request packet without an active session - restart auth

Are you sure the problem is what you think it is?

Also, I see in your windows logs reference to the securew2 supplicant; are you sure you haven't broken the EAP stack on the windows box? Maybe got it confused?

Can you get a trace from both the windows machine and FreeRadius run under -X at the *same time*?

The freeradius.log in your original email does not appear to be the same issue - that looks more like there are no compatible EAP types at both ends.

I'm not in the office this week so can't try to reproduce it, but I'll have a try next week.
Re: PEAP or TTLS and Microsoft Vista.
Stefan Winter wrote:
> Hi,
>
> I noticed that the EAP debug speaks about quarantine states and such. XP3 and Vista have Network Access Protection. Is that checkbox checked in your supplicant config? If yes, try unchecking it.

I've tried to use "netsh nap offline" to disable Network Access Protection, however the problem still occurs.

I'm using Windows' built-in supplicant (for PEAP), which doesn't work probably because of a wrong certificate, and the secureW2 EAP suite 1.0.6, which doesn't have a Network Access Protection checkbox. To be honest, built-in PEAP doesn't have it as well. Or at least I couldn't find it.

I've tried to follow the Microsoft document[1], however I wasn't able to locate the Configuration Manager console. Holy cow.

[1] - http://technet.microsoft.com/en-us/library/bb633004(TechNet.10).aspx

If you can point me where I can uncheck such a checkbox...

Kind regards,

--
Lech Karol Pawłaszek "ike"
"You will never see me fall from grace" [KoRn]
Re: PEAP or TTLS and Microsoft Vista.
> I've tried to follow the Microsoft document[1], however I wasn't able to locate the Configuration Manager console. Holy cow.
>
> [1] - http://technet.microsoft.com/en-us/library/bb633004(TechNet.10).aspx
>
> If you can point me where I can uncheck such a checkbox...

The "Protected EAP Properties" window has three checkboxes near the bottom. The relevant one is labelled "Enable Quarantine Checks".

Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
Re: definitively, I have a problem with eap-tls
Phil Mayers wrote:
> Sergio wrote:
>> Sorry, I'll do the things right jeje
>
> I haven't been reading all your emails, but what I have read is very confusing. So I'm sorry if I misunderstand.
>
> The error message seems very very clear. FreeRadius cannot verify the client certificate. This means you have not given it the correct CA certificate.
>
> You keep talking about c_rehash - to the best of my knowledge, FreeRadius doesn't make use of a certificate directory with the openssl-style ".0 -> real.pem" symlinks. Forget about that.
>
> Can you please provide:
>
> * a copy of your eap.conf
> * a copy of the files from the eap { tls {} } section:
>   * certificate_file
>   * CA_file
> * a copy of the client cert:
>   * [EMAIL PROTECTED]

Ok :) I provide the certificate files and eap.conf in a tarball so as not to post a mail that is too long.

If I print [EMAIL PROTECTED] in text form I see how radius is the issuer of the certificate. This is the default PKI and I don't know what I'm doing wrong.

Thanks for your attention.

Attachment: files.tar
RE: PEAP or TTLS and Microsoft Vista.
As I thought, I have been having trouble on the wired side when an MPPE key is being sent by the server. It looks like this confuses the Vista client, as when you are using wired you usually don't need the MPPE key.

Try disabling the MPPE key configuration in the FreeRADIUS config so it is not sent. I don't know how to do this though... ;)

Tom

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Lech Karol Pawlaszek
Sent: Thursday, 24 July 2008 13:23
To: FreeRadius users mailing list
Subject: Re: PEAP or TTLS and Microsoft Vista.
(SOLVED) Re: PEAP or TTLS and Microsoft Vista.
Phil Mayers wrote:

Lech Karol Pawłaszek wrote: SecureW2 (List) wrote: http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx Nice article. However I don't understand a few things. What's pdb pdbpath? I'm not good at Windows.

Good lord... they've made the EAP logging *worse*. I didn't think that was possible.

:-)

[...]

So, all is good. But about 5 seconds later:

[2108] 12:04:03.819 OneXIndicatePacket
[2108] 12:04:03.819 Port(38): Received an Eap packet length=5, type=EapRequestId, identifier=11, eapType=0
snip
[4924] 12:04:03.820 Port(38): Restarting authentication due to reason = PeerInitiated

similarly in eaphost.txt:

[3432] 12:04:03.831 Received an identity request packet without an active session - restart auth

Are you sure the problem is what you think it is?

Ok. You rock. It's 3com's fault. At least I believe so. I've upgraded the 3com 4500 switch firmware to the newest version on my test switch and when user handshaking is disabled everything works. FWIW the previous firmware (which I use on production atm) doesn't have an option to disable user handshaking. Pity. And to be clear - ALL OTHER OSes (namely MacOsX 10.4 Tiger, MacOsX 10.5 Leopard, GNU/Linux a few ubuntu, fedora and debian systems and MS Windows XP excluding SP3) work with this feature enabled.

[...]

Can you get a trace from both the windows machine and FreeRadius run under -X at the *same time*? The freeradius.log in your original email does not appear to be the same issue - that looks more like there are no compatible EAP types at both ends.

Hm. The original freeradius.log contains logs from when I tried to authenticate using Vista's built-in PEAP supplicant. Which - I suppose - says that Vista doesn't like my certificate. OTOH freeradius-securew2.log contains logs from when I tried to use the secureW2 EAP suite, which showed the server side of this issue. I was able to connect. Work for a minute or so. And suddenly... the switch sends a 'handshake packet' which confuses Vista... and the connection is dropped. Anyway.

Thanks everyone for the help. I'll do some more testing and try to update the firmware on production. I'll let you know if everything is ok.

Kind regards,
-- Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]
Re: PEAP or TTLS and Microsoft Vista.
SecureW2 (List) wrote: As I thought, I have been having trouble on the wired side when an MPPE key is being sent by the server. It looks like this confuses the Vista client, as when you are using wired you usually don't need the MPPE key. Try disabling the MPPE key configuration in the Freeradius config so it is not sent; I don't know how to do this though... ;)

No. Vista works fine with (PEAP/TTLS) MSCHAPv2 + MPPE keys with 802.1x on wired interfaces. The ~1000 or so Vista users on the 802.1x authenticated portion of our wired network would agree (most using the Vista native supplicant). I've not seen any issues with XP SP3 either, on wired or wireless. This is using FR 2.04 (Alan decided to 'fix' the proxying behaviour for 2.05 and I've not had a chance to 'adjust' our configuration files yet). We're using certificates signed by 'Thawte Premium Server CA', and performing CA and certificate CN validation... all just works, with the exception of the odd Vista box that *refuses* to do user authentication and tries to perform machine authentication, ugh. For those we use SecureW2, which also generally works fine with a *near* default configuration.

BTW from those traces your NAS looks broken if it's sending EAP Ident requests after authentication has succeeded.

Arran

Tom

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Lech Karol Pawlaszek
Sent: Thursday 24 July 2008 13:23
To: FreeRadius users mailing list
Subject: Re: PEAP or TTLS and Microsoft Vista.

[...]

-- Arran Cudbard-Bell ([EMAIL PROTECTED]), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900
Re: PEAP or TTLS and Microsoft Vista.
Stefan Winter wrote:

I've tried to follow the Microsoft document[1], however I wasn't able to locate the Configuration Manager console. Holy cow. [1] - http://technet.microsoft.com/en-us/library/bb633004(TechNet.10).aspx If you can point me to where I can uncheck such a checkbox...

The Protected EAP Properties window has three checkboxes near the bottom. The relevant one is labelled Enable Quarantine Checks.

Hm. This doesn't help. At least for Vista's built-in PEAP authentication. I do have those checkboxes unchecked, however it doesn't matter if they are checked or not - the process stops after sending Access-Challenge. I'll try to debug this issue more with netsh ;-) later. OTOH I'll recommend my users to use the secureW2 EAP suite (which works).

Kind regards,
-- Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]
realm question
Hi there,

I have a question about prefix realms and stripping them. I have a provider that allows roaming dialup for our customers. They require the username to be in the format idm/something/username. I get the whole idm/something/username delivered to me as the authentication. I have tried using the IPASS prefix to remove the idm/something, but it just returns the realm of idm and I am still left with a stripped-user-name of something/username. I have also tried just adding a realm of idm/something to the proxy.conf and it didn't work. I am currently running freeradius 2.0.5 with a SQL (mysql) back end.

Can I strip the idm/something/ somehow?

Thanks, Jeff.
Re: definitively, I have a problem with eap-tls
ok :) I provide certificate files and eap.conf in a tar ball to not to post a mail too long. If I print [EMAIL PROTECTED] in text form I see how radius is the issuer of the certificate. This is the default PKI and I don't know what I'm doing wrong. Thanks for your attention.

I get the exact same error at the CLI:

[EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem server.pem
stdin: OK
[EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem [EMAIL PROTECTED]
stdin: /C=FR/ST=Radius/O=Example Inc./[EMAIL PROTECTED]/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate

Your certificates are invalid:

* server.pem is signed by ca.pem, which is correct:
  Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./[EMAIL PROTECTED], CN=Example Certificate Authority
  Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/[EMAIL PROTECTED]

* user.pem is signed by *server.pem* which is WRONG
  Issuer: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/[EMAIL PROTECTED]
  Subject: C=FR, ST=Radius, O=Example Inc., [EMAIL PROTECTED]/[EMAIL PROTECTED]

You have signed the user cert with the server cert, which is incorrect. You must sign the user cert with the CA cert.
Re: realm question
Hi,

Can I strip the idm/something/ somehow?

sure. a simple strip in the config would work... or unlang of course. e.g. in radiusd.conf

attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor =
        searchin = packet
        replacewith = %{User-Name}
}

attr_rewrite remove-junk {
        attribute = Stripped-User-Name
        searchfor = /idm\/something\/
        searchin = packet
        new_attribute = no
        replacewith =
}

then in sites-enabled/default (or usual server) add

        copy.user-name
        remove-junk

in the authorize section alongside prefix, suffix, ntrealm etc

alan
Re: definitively, I have a problem with eap-tls
Phil Mayers wrote: [...]

Yeah!! Then you agree with me. I've been explaining (trying to) in this forum that the client cert must be signed by the CA cert. The bootstrap command signs the client cert with server.key and this doesn't work. The solution is to replace the signing in certs/Makefile (-key server.key -cert server.pem should be -key ca.key -cert ca.pem). Then, do you agree with me when I say, with fear and respect, that the default radius PKI doesn't work? Second: if I sign client certificates with ca.key I assume that I can't manage the CRL because it should be signed with server.key, am I right? What do you think about this? Thanks
cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Yeah!! Then you agree with me. I've been explaining (trying to) in this forum that the client cert must be signed by the CA cert. The bootstrap command signs the client cert with server.key and this doesn't work. The solution is to replace the signing in certs/Makefile (-key server.key -cert server.pem should be -key ca.key -cert ca.pem). Then, do you agree with me when I

I think so.

say, with fear and respect, that the default radius PKI doesn't work?

Hmm. Maybe; I guess most people test PEAP which just uses CA server certs, no client certs. I'm by no means an expert, and Makefiles make my brain hurt, so I could be misreading it. Alan - it does look to my untrained eye as if the client.crt Makefile target in /etc/raddb/certs is signing the client key with the server key. Is this intentional, or a bug?

Second: if I sign client certificates with ca.key I assume that I can't manage the CRL because it should be signed with server.key, am I right?

I don't think so. Again, I think the CRL is signed with the CA key. Of course, you'll need to run your own crl commands, the FreeRadius stuff doesn't come with that.
SQL module mixes up packets when putting it to database
Hi all! I'm using the 'sql' module in accounting to log all the radius packets from a remote radius client (cisco 2600). I've investigated: the accounting packets are received in the right order (Start then Stop), but are put into the DB log table in the wrong order (Stop then Start). Here are the logs:

/var/log/radius/radacct/x.y.z.a/detail-20080724
=
Thu Jul 24 09:48:26 2008
    Acct-Session-Id = 570008F7
    Calling-Station-Id = 4959636156
    Called-Station-Id = 74955891937
    Cisco-AVPair = call-id= [EMAIL PROTECTED]
    h323-setup-time = .09:48:16.191 MSD Thu Jul 24 2008
    h323-gw-id = voice5.di-net.ru
    h323-conf-id = F0FF23AA 587A11DD B8009A2D 9B5B4497
    h323-call-origin = originate
    h323-call-type = VoIP
    Cisco-AVPair = h323-incoming-conf-id=F0FF23AA 587A11DD B8009A2D 9B5B4497
    Cisco-AVPair = subscriber=Unknown
    Cisco-AVPair = session-protocol=sipv2
    Cisco-AVPair = gw-rxd-cdn=ton:0,npi:0,#:74955891937
    User-Name = 4959636156
    Cisco-AVPair = connect-progress=Call Up
    Acct-Status-Type = *Start*
    Service-Type = Login-User
    NAS-IP-Address = 89.208.190.6
    Acct-Delay-Time = 0
    call-id = [EMAIL PROTECTED]
    h323-incoming-conf-id = F0FF23AA 587A11DD B8009A2D 9B5B4497
    subscriber = Unknown
    session-protocol = sipv2
    gw-rxd-cdn = ton:0,npi:0,#:74955891937
    Client-IP-Address = 89.208.190.6
    Acct-Unique-Session-Id = 51b334248c332b3b
    Timestamp = 1216878506

Thu Jul 24 09:48:27 2008
    Acct-Session-Id = 570008F7
    Calling-Station-Id = 4959636156
    Called-Station-Id = 74955891937
    Cisco-AVPair = call-id= [EMAIL PROTECTED]
    h323-setup-time = .09:48:16.191 MSD Thu Jul 24 2008
    h323-gw-id = voice5.di-net.ru
    h323-conf-id = F0FF23AA 587A11DD B8009A2D 9B5B4497
    h323-call-origin = originate
    h323-call-type = VoIP
    Cisco-AVPair = h323-incoming-conf-id=F0FF23AA 587A11DD B8009A2D 9B5B4497
    Cisco-AVPair = subscriber=Unknown
    Cisco-AVPair = session-protocol=sipv2
    Cisco-AVPair = gw-rxd-cdn=ton:0,npi:0,#:74955891937
    Acct-Input-Octets = 0
    Acct-Output-Octets = 0
    Acct-Input-Packets = 0
    Acct-Output-Packets = 0
    Acct-Session-Time = 0
    h323-connect-time = .09:48:16.371 MSD Thu Jul 24 2008
    h323-disconnect-time = .09:48:16.371 MSD Thu Jul 24 2008
    h323-disconnect-cause = 1
    h323-remote-address = 89.208.190.4
    Cisco-AVPair = release-source=4
    h323-voice-quality = 0
    Cisco-AVPair = gw-rxd-cgn=ton:0,npi:0,pi:1,si:0,#:4959636156
    Cisco-AVPair = gw-final-xlated-cdn=ton:0,npi:0,#:74955891937
    Cisco-AVPair = gw-final-xlated-cgn=ton:0,npi:0,pi:1,si:0,#:4959636156
    User-Name = 4959636156
    Acct-Status-Type = *Stop*
    Service-Type = Login-User
    NAS-IP-Address = 89.208.190.6
    Acct-Delay-Time = 0
    call-id = [EMAIL PROTECTED]
    h323-incoming-conf-id = F0FF23AA 587A11DD B8009A2D 9B5B4497
    subscriber = Unknown
    session-protocol = sipv2
    gw-rxd-cdn = ton:0,npi:0,#:74955891937
    release-source = 4
    gw-rxd-cgn = ton:0,npi:0,pi:1,si:0,#:4959636156
    gw-final-xlated-cdn = ton:0,npi:0,#:74955891937
    gw-final-xlated-cgn = ton:0,npi:0,pi:1,si:0,#:4959636156
    Client-IP-Address = 89.208.190.6
    Acct-Unique-Session-Id = 51b334248c332b3b
    Timestamp = 1216878507

===
/var/log/radius/sqltrace.sql

INSERT INTO ACC (ACCT-STATUS-TYPE, NAS-IP-ADDRESS, H323-CALL-ORIGIN, CALLED-STATION-ID, CALLING-STATION-ID, ACCT-SESSION-ID, CALL-ID, SIP-TO-TAG, SIP-FROM-TAG, SIP-TRANSLATED-REQUEST-URI, USER-NAME, SIP-SOURCE-IP-ADDRESS, SIP-SOURCE-PORT, ACCT-SESSION-TIME, H323-CONNECT-TIME, H323-SETUP-TIME, H323-DISCONNECT-TIME, H323-DISCONNECT-CAUSE, IPHOP-COUNT, IPHOP1, IPHOP2, IPHOP3, H323-CONF-ID) VALUES ('*Start*', '89.208.190.6', 'originate', '74955891937', '4959636156', '570008F7', ' [EMAIL PROTECTED]', '', '', '', '4959636156', '', '', '', '', '.09:48:16.191 MSD Thu Jul 24 2008', '', '', '', '', '', '', 'F0FF23AA 587A11DD B8009A2D 9B5B4497');

INSERT INTO ACC (ACCT-STATUS-TYPE, NAS-IP-ADDRESS, H323-CALL-ORIGIN, CALLED-STATION-ID, CALLING-STATION-ID, ACCT-SESSION-ID, CALL-ID, SIP-TO-TAG, SIP-FROM-TAG, SIP-TRANSLATED-REQUEST-URI, USER-NAME, SIP-SOURCE-IP-ADDRESS, SIP-SOURCE-PORT, ACCT-SESSION-TIME, H323-CONNECT-TIME, H323-SETUP-TIME, H323-DISCONNECT-TIME, H323-DISCONNECT-CAUSE, IPHOP-COUNT, IPHOP1, IPHOP2, IPHOP3, H323-CONF-ID) VALUES ('*Stop*', '89.208.190.6', 'originate', '74955891937', '4959636156', '570008F7', ' [EMAIL PROTECTED]', '', '', '', '4959636156', '', '', '0', '.09:48:16.371 MSD Thu Jul 24 2008', '.09:48:16.191 MSD Thu Jul 24 2008', '.09:48:16.371 MSD Thu Jul 24 2008', '1', '', '', '', '', 'F0FF23AA 587A11DD B8009A2D 9B5B4497
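The page does not establish why the rows land in the table reversed, but the symptom itself is easy to check for across a whole sqltrace.sql. The following POSIX shell function is an added example, not FreeRADIUS code and not part of the original report: it reads INSERT statements in the order they were written, locates the ACCT-STATUS-TYPE and ACCT-SESSION-ID columns by name (so the column order in the trace does not matter), and prints every Acct-Session-Id whose Stop row precedes any Start row. The four sample statements are constructed for the example (documentation address 192.0.2.6, shortened column list); only the column names and the `'*Start*'`/`'*Stop*'` spelling follow the trace above.

```shell
#!/bin/sh
# Added example (not FreeRADIUS code): report accounting sessions whose Stop
# INSERT appears in a sqltrace.sql-style file before the matching Start INSERT.
set -eu

# check_order FILE: print the Acct-Session-Id of every session whose first row
# is a Stop. Values are split on the "', '" separator so commas inside a value
# (e.g. "ton:0,npi:0,#:...") survive; the '*' around the status is mail
# emphasis in the page's trace and is stripped before comparison.
check_order() {
  awk -v q="'" '
    /^INSERT INTO/ {
      p = index($0, ") VALUES (")
      if (p == 0) next
      o = index($0, "(")
      cols = substr($0, o + 1, p - o - 1)
      vals = substr($0, p + length(") VALUES ("))
      sub(/\)[ \t]*;?[ \t]*$/, "", vals)
      nc = split(cols, c, /, */)
      nv = split(vals, v, q ", " q)
      sub("^" q, "", v[1])
      sub(q "$", "", v[nv])
      si = 0; ii = 0
      for (i = 1; i <= nc; i++) {
        gsub(/[ \t]/, "", c[i])
        if (c[i] == "ACCT-STATUS-TYPE") si = i
        if (c[i] == "ACCT-SESSION-ID") ii = i
      }
      # Skip rows we cannot interpret rather than guessing.
      if (si == 0 || ii == 0 || nv != nc) next
      status = v[si]; sid = v[ii]
      gsub(/\*/, "", status)
      if (status == "Start") started[sid] = 1
      else if (status == "Stop" && !(sid in started)) print sid
    }' "$1"
}

# Constructed sample trace: session 570008F7 is written Stop-then-Start (the
# symptom reported above), session 570008F8 in the expected order.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
INSERT INTO ACC (ACCT-STATUS-TYPE, NAS-IP-ADDRESS, CALLED-STATION-ID, ACCT-SESSION-ID, USER-NAME) VALUES ('*Stop*', '192.0.2.6', 'ton:0,npi:0,#:74955891937', '570008F7', '4959636156');
INSERT INTO ACC (ACCT-STATUS-TYPE, NAS-IP-ADDRESS, CALLED-STATION-ID, ACCT-SESSION-ID, USER-NAME) VALUES ('*Start*', '192.0.2.6', 'ton:0,npi:0,#:74955891937', '570008F7', '4959636156');
INSERT INTO ACC (ACCT-STATUS-TYPE, NAS-IP-ADDRESS, CALLED-STATION-ID, ACCT-SESSION-ID, USER-NAME) VALUES ('*Start*', '192.0.2.6', '', '570008F8', '4959636156');
INSERT INTO ACC (ACCT-STATUS-TYPE, NAS-IP-ADDRESS, CALLED-STATION-ID, ACCT-SESSION-ID, USER-NAME) VALUES ('*Stop*', '192.0.2.6', '', '570008F8', '4959636156');
EOF

# Prints only 570008F7 for the sample above.
check_order "$SAMPLE"
```

Run it against a real trace with `check_order /var/log/radius/sqltrace.sql`; an empty result means every Stop was written after its Start. Note that the check keys on Acct-Session-Id alone, so a NAS that reuses session ids across calls would need Acct-Unique-Session-Id added to the key.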
Re: SQL module mixes up packets when putting it to database
Khalukhin Alexander wrote: [...]
Re: SQL module mixes up packets when putting it to database
On Thu, Jul 24, 2008 at 10:01 PM, Phil Mayers [EMAIL PROTECTED] wrote: Khalukhin Alexander wrote: [...]
Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Phil Mayers wrote: Alan - it does look to my untrained eye as if the client.crt Makefile target in /etc/raddb/certs is signing the client key with the server key. Is this intentional, or a bug?

It's intentional. It's a perfectly valid use of certificate chains. The idea is that you have one CA for your organization, and (perhaps) multiple RADIUS servers. Each server has its own identity, and can issue its own client certs for EAP-TLS. But client certs will work across multiple servers, because the servers are signed by the same CA.

Alan DeKok.
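The chain Alan describes, and the `error 20 ... unable to get local issuer certificate` Phil got at the CLI, can both be reproduced with openssl alone. The script below is an added example and is not the FreeRADIUS certs/Makefile or bootstrap script: it builds a CA, a server certificate signed by that CA, and a client certificate signed by the server key, then verifies the client certificate against ca.pem first with nothing else (what `openssl verify -CAfile ca.pem user.pem` did above) and then with server.pem supplied as an untrusted intermediate. The subject names are modelled on the page's output; the basicConstraints extensions (CA:TRUE on the CA, CA:TRUE with pathlen:0 on the server certificate) are this example's own assumption, because OpenSSL only accepts a certificate as an issuer if it is marked as a CA. Whether a given server certificate carries that extension is something to check with `openssl x509 -text` rather than assume.

```shell
#!/bin/sh
# Added example (not FreeRADIUS's own Makefile): three-level chain
# CA -> server -> client, client signed by the *server* key, verified with
# openssl. The extensions below are this example's assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_csr NAME SUBJECT: key pair plus CSR (EC P-256 keeps the example fast).
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

build_chain() {
  # Self-signed CA; CA:TRUE so it may issue certificates at all.
  new_csr ca "/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
    -set_serial 1 -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1

  # Server certificate signed by the CA. CA:TRUE,pathlen:0 (assumption) lets it
  # act as an issuer for end-entity certificates only.
  new_csr server "/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\n' > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -days 30 -set_serial 2 -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1

  # Client certificate signed by the server key, as the bootstrap does.
  new_csr client "/C=FR/ST=Radius/O=Example Inc./CN=user@example.org"
  printf 'basicConstraints=CA:FALSE\n' > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/server.pem" -CAkey "$WORK/server.key" \
    -days 30 -set_serial 3 -extfile "$WORK/client.ext" -out "$WORK/client.pem" >/dev/null 2>&1
}

# The page's failing command: only ca.pem is trusted, and the client's issuer
# (server.pem) is neither trusted nor presented, so the chain cannot be built.
# Success is judged on the ": OK" line, since old openssl versions exit 0 either way.
verify_direct() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/client.pem" 2>/dev/null | grep -q ': OK$'
}

# Same trust anchor, but server.pem offered as an untrusted intermediate: the
# chain client -> server -> CA now closes at ca.pem and verification succeeds.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/ca.pem" -untrusted "$WORK/server.pem" \
    "$WORK/client.pem" 2>/dev/null | grep -q ': OK$'
}

build_chain
if verify_direct; then echo "direct: OK"; else echo "direct: FAIL (issuer not available)"; fi
if verify_with_intermediate; then echo "with intermediate: OK"; else echo "with intermediate: FAIL"; fi
```

The practical point is that a client certificate issued this way is only verifiable by a party that is given server.pem as well as ca.pem, either in its trusted store or as part of the chain presented during the handshake; checking a client certificate against the CA alone, as in the CLI test above, is expected to fail for a chained PKI even when nothing is wrong with it.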
Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Alan DeKok wrote: [...]

But the debug I posted shows that radius doesn't recognize the issuer of the client cert using the default certs. If the default certs work and I don't need to install server.pem and ca.pem into the ssl/certs dir, what am I forgetting, Alan?
Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Alan DeKok wrote: [...]

Sorry, only one more note. The bootstrap command doesn't make client certs; you need to execute make client.pem to make it. I also assume that it is normal.
Re: Dependencies of Freeradius 2.0.5
Thanks Alan, I will work in this direction. So nice of you.

On Thu, Jul 24, 2008 at 3:28 PM, Alan DeKok [EMAIL PROTECTED] wrote:

Yawar Hadi wrote: I worked on 2.0.5 for more than a month but without success.

That's what this list is for. If it takes too long, ask questions. And I just don't understand why it's so difficult to find the authorize and authenticate sections in 2.0. Yes, they have been removed from radiusd.conf. But this is CLEARLY STATED in radiusd.conf... if you read it.

Then I switched to radius 1.1.6. 1: setup with mysql database 2: now I want to use a stored procedure to interact with the database...

The MySQL module in 2.0 supports stored procedures. You don't need to edit anything.

Alan DeKok.

-- Yawar Hadi Noshahi QAU Islamabad (+92-0300-5504798)