Re: 2.0.5 on Solaris
Rafiqul Ahsan wrote:

Thanks, I was able to build freeradius 2.0.5 on Solaris 10. However, the server is not running, and I see the error below when I run radiusd -X. Here is the output.

... make_cert_command = /usr/local/etc/raddb/certs/bootstrap } Exec-Program output:

It's trying to run the bootstrap command. It's not working. Run the bootstrap command by hand, and then re-start the server.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MAC authenticating with mySQL database
Kjell Bruheim wrote:

I have been trying to read up on MAC authentication and implementing that into a SQL database. The MAC authentication with a users file was no problem. But I hit the wall when I wanted to use a database instead of a text file. Is there any good HOWTO out there on this one?

The schema in SQL mirrors the format of the users file. Do you have a *specific* question about something? i.e. what to put in SQL, how to put it in SQL, etc? Or are you just saying it doesn't work?

Alan DeKok.
Re: Does Avenda use freeradius?
paul smith wrote:

It does seem to be freeradius underneath on closer inspection.

How can you tell?

An interesting question comes from this: if they have added additional modules, are they required by the freeradius license to open-source the code for these modules, as they are compiled with the server?

They are required to follow the terms of the GPL, which means giving GPL'd source code to anyone (not just their customers), which also includes any changes or additions *they* made to the GPL'd program.

Alan DeKok.
Re: 2.0.5 on Solaris
I see the error below when I execute bootstrap:

bash-3.00# /usr/local/etc/raddb/certs/bootstrap
...
make: Nothing to be done for `ca'.
make: Nothing to be done for `server'.
make: `dh' is up to date.
/bin/sh: test: argument expected
make: *** [random] Error 1

On 8/7/08, Alan DeKok [EMAIL PROTECTED] wrote:

Rafiqul Ahsan wrote: Thanks, I was able to build freeradius 2.0.5 on Solaris 10. However, the server is not running, and I see the error below when I run radiusd -X. Here is the output. ... make_cert_command = /usr/local/etc/raddb/certs/bootstrap } Exec-Program output:

It's trying to run the bootstrap command. It's not working. Run the bootstrap command by hand, and then re-start the server.

Alan DeKok.

-- Rafiqul Ahsan
Re: MAC authenticating with mySQL database
Hi, I have set up a MySQL database with the FreeRADIUS server. If you have any question, from building to connecting, then let me know: at which stage you are ... and what steps you are going to perform. Hope you will get a reply within a couple of days and get connected to the database.

best regards
yawar hadi

On Thu, Aug 7, 2008 at 11:13 AM, Alan DeKok [EMAIL PROTECTED] wrote:

Kjell Bruheim wrote: I have been trying to read up on MAC authentication and implementing that into a SQL database. The MAC authentication with a users file was no problem. But I hit the wall when I wanted to use a database instead of a text file. Is there any good HOWTO out there on this one?

The schema in SQL mirrors the format of the users file. Do you have a *specific* question about something? i.e. what to put in SQL, how to put it in SQL, etc? Or are you just saying it doesn't work?

Alan DeKok.

-- Yawar Hadi Noshahi QAU Islamabad (+92-0300-5504798)
Re: MAC authenticating with mySQL database
Alan DeKok wrote:

Kjell Bruheim wrote: I have been trying to read up on MAC authentication and implementing that into a SQL database. The MAC authentication with a users file was no problem. But I hit the wall when I wanted to use a database instead of a text file. Is there any good HOWTO out there on this one?

The schema in SQL mirrors the format of the users file. Do you have a *specific* question about something? i.e. what to put in SQL, how to put it in SQL, etc? Or are you just saying it doesn't work?

Alan DeKok.

To clarify a bit. The users file has these entries for MAC auth:

00-00 Auth-Type := Local, User-Password == 00-00

And I am not sure what to put where in the SQL database. How to put data into the SQL database is not the problem, but what. I have inserted all the tables in the sql/mysql folder. So it would be nice if someone knew where to put the data and what of that string above should go into the database. Or point me to a good HOWTO.

Cheers
-- Kjell Christian Bruheim
Helpdesk Supportingit
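The users entry above expressed as rows of the SQL schema, as an added example that is not from the list thread. It assumes the stock FreeRADIUS 2.x sql/mysql schema (radcheck with username, attribute, op and value columns) and the default authorize_check_query in sql.conf; the second MAC address is a constructed placeholder.

```sql
-- Added example (not from the list). Assumes the stock sql/mysql schema:
--   radcheck(id, username, attribute, op, value)
-- The users-file line
--   00-00   Auth-Type := Local, User-Password == 00-00
-- maps one-to-one: the first field of the line is the username (the MAC
-- address the NAS sends as User-Name), and every comma-separated check
-- item becomes one radcheck row with the same attribute, operator and value.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('00-00', 'Auth-Type',     ':=', 'Local'),
       ('00-00', 'User-Password', '==', '00-00');

-- radiusd -X warns when the "known good" password is kept in User-Password.
-- The same MAC entry with the password in Cleartext-Password instead, and no
-- explicit Auth-Type (the pap module then selects the authentication type).
-- A second, constructed MAC address is used so the rows do not collide.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('00-11-22-33-44-55', 'Cleartext-Password', ':=', '00-11-22-33-44-55');

-- What rlm_sql reads back for a request: the default authorize_check_query
-- in sql.conf selects these columns for the User-Name, ordered by id, so
-- each row is applied exactly as the users-file item would have been.
SELECT id, username, attribute, value, op
  FROM radcheck
 WHERE username = '00-00'
 ORDER BY id;
```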
Re: MAC authenticating with mySQL database
Have you connected the FreeRADIUS server with the MySQL database? First answer this, then we will move onward.

On Thu, Aug 7, 2008 at 11:44 AM, Kjell Bruheim [EMAIL PROTECTED] wrote:

Alan DeKok wrote: Kjell Bruheim wrote: I have been trying to read up on MAC authentication and implementing that into a SQL database. The MAC authentication with a users file was no problem. But I hit the wall when I wanted to use a database instead of a text file. Is there any good HOWTO out there on this one? The schema in SQL mirrors the format of the users file. Do you have a *specific* question about something? i.e. what to put in SQL, how to put it in SQL, etc? Or are you just saying it doesn't work? Alan DeKok.

To clarify a bit. The users file has these entries for MAC auth:

00-00 Auth-Type := Local, User-Password == 00-00

And I am not sure what to put where in the SQL database. How to put data into the SQL database is not the problem, but what. I have inserted all the tables in the sql/mysql folder. So it would be nice if someone knew where to put the data and what of that string above should go into the database. Or point me to a good HOWTO.

Cheers
-- Kjell Christian Bruheim Helpdesk Supportingit

-- Yawar Hadi Noshahi QAU Islamabad (+92-0300-5504798)
Re: Freeradius-Users Digest, Vol 40, Issue 3
... rlm_ldap: Added User-Password = Testing10 in check items --- clearly freeradius can see the password and also it's clear text :) Below I also add the samba schema that contains the LM and NT password ... --- the mschap module says no clear text password and also can't create the LM and NT password --- +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.

Please post ALL of the debug output. I suspect that you are doing the ldap lookups OUTSIDE of the TLS tunnel rather than INSIDE.

Alan DeKok.

I'm sorry I didn't include all the debug, because it was so large... anyway here is the debug:

Framed-MTU = 1480
NAS-IP-Address = 192.168.12.130
NAS-Identifier = ProCurve Switch 2650
User-Name = testing
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = 1
Called-Station-Id = 00-1c-2e-73-85-00
Calling-Station-Id = 00-16-36-5a-f1-e4
Connect-Info = CONNECT Ethernet 100Mbps Full duplex
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 1
EAP-Message = 0x0201000c0174657374696e67
Message-Authenticator = 0xb3af6d24481b168d63e57489e22a2458
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = testing, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry DEFAULT at line 183
++[files] returns ok
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
expand: (uid=%u) -> (uid=testing)
expand: ou=dialup,dc=zzz,dc=com -> ou=dialup,dc=zzz,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.11.7:389, authentication 0
rlm_ldap: bind as memberUid=radius,ou=admin,dc=zzz,dc=com/radiusjuga to 192.168.11.7:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing)
rlm_ldap: checking if remote access for testing is allowed by uid
rlm_ldap: Added User-Password = Testing10 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time == Wk0800-1800
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0x54657374696e6731
rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 0x54657374696e6731
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute Calling-Station-Id == 00-16-36-5a-f1-e5
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = 101
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN
rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute Framed-Protocol = PPP
rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute Service-Type = Framed-User
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_instance100] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'Wk0800-1800'
rlm_logintime: timestr returned accept
rlm_logintime: Session-Timeout set to: 14340
++[logintime] returns ok
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!! !!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
auth: type EAP
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
} # server nispdot1x
Framed-Compression = Van-Jacobson-TCP-IP
Re: PEAP mschapv2 using xp native supplicant
rlm_ldap: Added User-Password = Testing10 in check items --- clearly freeradius can see the password and also it's clear text :) Below I also add the samba schema that contains the LM and NT password ... --- the mschap module says no clear text password and also can't create the LM and NT password --- +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.

Please post ALL of the debug output. I suspect that you are doing the ldap lookups OUTSIDE of the TLS tunnel rather than INSIDE.

Alan DeKok.

repost, forgot to change the subject

I'm sorry I didn't include all the debug, because it was so large... anyway here is the debug:

Framed-MTU = 1480
NAS-IP-Address = 192.168.12.130
NAS-Identifier = "ProCurve Switch 2650"
User-Name = "testing"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-1c-2e-73-85-00"
Calling-Station-Id = "00-16-36-5a-f1-e4"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x0201000c0174657374696e67
Message-Authenticator = 0xb3af6d24481b168d63e57489e22a2458
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry DEFAULT at line 183
++[files] returns ok
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
expand: (uid=%u) -> (uid=testing)
expand: ou=dialup,dc=zzz,dc=com -> ou=dialup,dc=zzz,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.11.7:389, authentication 0
rlm_ldap: bind as memberUid=radius,ou=admin,dc=zzz,dc=com/radiusjuga to 192.168.11.7:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing)
rlm_ldap: checking if remote access for testing is allowed by uid
rlm_ldap: Added User-Password = Testing10 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time == "Wk0800-1800"
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0x54657374696e6731
rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 0x54657374696e6731
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute Calling-Station-Id == "00-16-36-5a-f1-e5"
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = "101"
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN
rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute Framed-Protocol = PPP
rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute Service-Type = Framed-User
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_instance100] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'Wk0800-1800'
rlm_logintime: timestr returned accept
rlm_logintime: Session-Timeout set to: 14340
++[logintime] returns ok
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!! !!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
} # server nispdot1x
Framed-Compression = Van-Jacobson-TCP-IP
Tunnel-Private-Group-Id:0 =
Re: PEAP mschapv2 using xp native supplicant
Ryan Setiawan H wrote:

Please post ALL of the debug output. I suspect that you are doing the ldap lookups OUTSIDE of the TLS tunnel rather than INSIDE.

...

repost, forgot to change the subject. I'm sorry I didn't include all the debug, because it was so large... anyway here is the debug:

As I suspected... you are doing the LDAP lookups *outside* of the tunnel. See raddb/sites-available/inner-tunnel. Ensure that the references to ldap are uncommented.

Alan DeKok.
Problem when using custom attributes for radius extra parameter
I'm trying to configure openser freeradius with AAA. I'm using custom mysql tables for authentication accounting. I've modified the queries in sql.conf in the raddb folder. Authentication works fine. I've added additional fields in the radius_extra parameter of the acc module. I've added those parameters in the dictionaries of radiusclient-ng freeradius. But I get blank values for the custom fields. Any idea what can be wrong?

*openser.cfg*

modparam(acc, radius_extra,User-Name=$fU; Dialstatus=$avp(s:dialstatus);User-Rate=$avp(i:2016);User-Duration=$avp(i:2016);User-Clid=$fU;User_ClidName=$avp(s:callerid);User_Dst_Name=$avp(s:2014);User_Dst_Code=$avp(i:2015);User_Account_Id=$fU;Lcr_Rate=$avp(i:2030);Lcr_Duration=$avp(i:2016);Lcrtrunk_Id=$avp(i:2027);Lcr_Dst_Name=$avp(s:2028);Lcr_Dst_Code=$avp(i:2029);Real_Duration=$avp(i:2016))

*dictionary.openser*

ATTRIBUTE Dialstatus 1073 string
ATTRIBUTE User-Rate 1074 string
ATTRIBUTE User-Duration 1075 string
ATTRIBUTE User-Channel 1076 string
ATTRIBUTE User-Clid 1077 string
ATTRIBUTE User_ClidName 1080 string
ATTRIBUTE User_Dst_Name 1081 string
ATTRIBUTE User_Dst_Code 1082 string
ATTRIBUTE User_Account_Id 1083 string
ATTRIBUTE Lcr_Rate 1084 string
ATTRIBUTE Lcr_Duration 1085 string
ATTRIBUTE Lcrtrunk_Id 1086 string
ATTRIBUTE Lcr_Dst_Name 1087 string
ATTRIBUTE Lcr_Dst_Code 1088 string
ATTRIBUTE DialedTime 1089 string
ATTRIBUTE Real_Duration 1090 string
ATTRIBUTE Startleg 1091 string
ATTRIBUTE Stopleg 1092 string

*dictionary.radius*

ATTRIBUTE Dialstatus 1073 string
ATTRIBUTE User-Rate 1074 string
ATTRIBUTE User-Duration 1075 string
ATTRIBUTE User-Channel 1076 string
ATTRIBUTE User-Clid 1077 string
ATTRIBUTE User_ClidName 1080 string
ATTRIBUTE User_Dst_Name 1081 string
ATTRIBUTE User_Dst_Code 1082 string
ATTRIBUTE User_Account_Id 1083 string
ATTRIBUTE Lcr_Rate 1084 string
ATTRIBUTE Lcr_Duration 1085 string
ATTRIBUTE Lcrtrunk_Id 1086 string
ATTRIBUTE Lcr_Dst_Name 1087 string
ATTRIBUTE Lcr_Dst_Code 1088 string
ATTRIBUTE DialedTime 1089 string
ATTRIBUTE Real_Duration 1090 string
ATTRIBUTE Startleg 1091 string
ATTRIBUTE Stopleg 1092 string

Thanks in advance
-- Krunal Patel
Accounting
We at Bristol have used FreeRADIUS with no problems for some time, but I would like to alter the way that accounting is performed, and I am unsure of how to do it. Currently all the accounting is sent to a MySQL database. The 'radacct' table tells me the start/stop of each session and the amount of traffic passed in that time. However the traffic figures are only updated when the user's session terminates. Is there a way to get up-to-date statistics that can be polled, say, on an hourly basis?

What I'm getting at is that I want each user to have a daily/weekly/etc traffic quota, so the radius server should repeatedly check to see if it has been exceeded. Appropriate action will be taken elsewhere if this is exceeded.

Does anyone have any pointers? e.g. can the radius server be queried intermittently for traffic figures? Can the radacct table be updated hourly without forcing a disconnection?

Cheers,
Jonathan

Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless VPN Team
Information Services
University of Bristol
Re: Accounting
Your NASs need support for RADIUS Extensions... the Interim-Accounting attributes. Then, once this is working, you can always add a script to the accounting section to process the limits you want to impose.

Kind Regards
Etienne Pretorius
Network Administrator
Kingsley Technologies
Email: [EMAIL PROTECTED]
Tel: 086 11 KTECH
Local Fax: 086 611 5001
International Fax: +27 21 761 9930

Jonathan Gazeley wrote:

We at Bristol have used FreeRADIUS with no problems for some time, but I would like to alter the way that accounting is performed, and I am unsure of how to do it. Currently all the accounting is sent to a MySQL database. The 'radacct' table tells me the start/stop of each session and the amount of traffic passed in that time. However the traffic figures are only updated when the user's session terminates. Is there a way to get up-to-date statistics that can be polled, say, on an hourly basis? What I'm getting at is that I want each user to have a daily/weekly/etc traffic quota, so the radius server should repeatedly check to see if it has been exceeded. Appropriate action will be taken elsewhere if this is exceeded. Does anyone have any pointers? e.g. can the radius server be queried intermittently for traffic figures? Can the radacct table be updated hourly without forcing a disconnection?

Cheers, Jonathan
Jonathan Gazeley Systems Support Specialist ResNet | Wireless VPN Team Information Services University of Bristol
Re: Problem when using custom attributes for radius extra parameter
Thanks for your reply Stefan. This would help me. Now I just need to find out free numbers to map to my own attributes. Thanks again :)

-- Krunal Patel

On Thu, Aug 7, 2008 at 3:01 PM, Stefan Winter [EMAIL PROTECTED] wrote:

in radius_extra parameter of acc module. I've added those parameters in dictionaries of radiusclient-ng freeradius. But I get blank values for custom fields. Any idea what can be wrong?

This appears to be a question for the openser list. One thing that may be important though: RADIUS attributes go to 255 only. Anything beyond that is only available for internal use in the server, i.e. you cannot transmit information with them. Your dictionaries speak of much higher values.

Stefan

-- Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
Scour.com invite from yawar hadi noshahi
Hey, Did you hear about Scour? It is the next gen search engine with Google/Yahoo/MSN results and user comments all on one page. Best of all we get paid for using it by earning points with every search, comment and vote. The points are redeemable for Visa gift cards! It's like earning credit card or airline points just for searching! Hit the link below to join for free and we will both get points! http://scour.com/invite/yawar/ I know you'll like it!

- yawar hadi noshahi
Re: Accounting
On Thu, Aug 07, 2008 at 11:05:00AM +0100, Jonathan Gazeley wrote:

We at Bristol have used FreeRADIUS with no problems for some time, but I would like to alter the way that accounting is performed, and I am unsure of how to do it. Currently all the accounting is sent to a MySQL database. The 'radacct' table tells me the start/stop of each session and the amount of traffic passed in that time. However the traffic figures are only updated when the user's session terminates. Is there a way to get up-to-date statistics that can be polled, say, on an hourly basis?

Your NAS needs to support interim accounting. If it does already, it might be as simple as adding:

DEFAULT
        Acct-Interim-Interval = 1800,
        Fall-Through = yes

...to the users file; modify as appropriate of course for your config. The sql.conf file will need to have the interim queries defined of course; the default configs do.

If your NAS doesn't support interim accounting (some ethernet switches don't, irritatingly) then you'll need to resort to something like snmp, netflow or pmacct, and go from ip -> mac and then mac (callingstationid) -> username.

What I'm getting at is that I want each user to have a daily/weekly/etc traffic quota, so the radius server should repeatedly check to see if it has been exceeded. Appropriate action will be taken elsewhere if this is exceeded.

Yeah, we do this. It works very well. If you want to contact me offline I can give you the details.
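An added example, not from the thread, of the hourly poll Jonathan asked for: once the NAS sends interim updates, the default rlm_sql queries refresh acctinputoctets and acctoutputoctets of still-open sessions in place, so one query over radacct totals each user's traffic for a window. It assumes the stock FreeRADIUS 2.x sql/mysql radacct columns; the 10 GiB weekly quota is a constructed value.

```sql
-- Added example (not from the thread). Assumes the stock sql/mysql schema:
--   radacct(username, acctstarttime, acctstoptime, acctinputoctets,
--           acctoutputoctets, ...)
-- Precondition: the NAS honours Acct-Interim-Interval, so the default
-- accounting_update_query keeps the octet counters of open sessions
-- (acctstoptime IS NULL) current. Without interim updates those rows stay
-- at zero until Accounting-Stop, which is the symptom described above.
-- The default stop/update queries fold Acct-*-Gigawords into the octet
-- columns, so no separate gigaword arithmetic is needed here.

SET @quota_bytes := 10 * 1024 * 1024 * 1024;   -- constructed: 10 GiB per week

-- Per-user usage over a rolling 7-day window, including sessions still open.
-- Sessions that started before the window are excluded by acctstarttime;
-- widen the window or key on acctstoptime if long-lived sessions matter.
SELECT username,
       SUM(acctinputoctets + acctoutputoctets)  AS bytes_used,
       SUM(acctstoptime IS NULL)                AS open_sessions,
       MAX(acctstarttime)                       AS last_session_start
  FROM radacct
 WHERE acctstarttime >= NOW() - INTERVAL 7 DAY
 GROUP BY username
 ORDER BY bytes_used DESC;

-- The same aggregate filtered down to users over quota: this is the
-- result set an hourly cron job would hand to whatever enforces the limit.
SELECT username,
       SUM(acctinputoctets + acctoutputoctets)                AS bytes_used,
       SUM(acctinputoctets + acctoutputoctets) - @quota_bytes AS bytes_over
  FROM radacct
 WHERE acctstarttime >= NOW() - INTERVAL 7 DAY
 GROUP BY username
HAVING bytes_used > @quota_bytes
 ORDER BY bytes_over DESC;
```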
Re: Where to put EAP-TLS-Require-Client-Cert = Yes ?
My authentication worked fine, thanks for your help Alan, and I apologize for having bothered you.

BR,
Cristian Novac.

Alan DeKok wrote:

Cristian Novac wrote: I would like to ask the client to provide a certificate during TTLS. I saw in eap.conf that I have to set EAP-TLS-Require-Client-Cert = Yes in the control items for a request. Does this mean that I have to set this in my users file for the user entry that interests me? Could you provide a little sample of how this setting is to be used?

$ man users

Or

$ man unlang

The method of updating a control item is documented. PLEASE read the documentation. It's not that hard.

Alan DeKok.
RE: Slow Starting..
Where would you think the DNS problem is? Is there a debug mode that is more verbose, that can show the exact thing that freeradius is looking for? All the naming is by IP, not a DNS name. Also there are not a lot of places in freeradius to put in DNS server numbers.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Lambert
Sent: Wednesday, August 06, 2008 10:58 PM
To: FreeRadius users mailing list
Subject: Re: Slow Starting..

On Wed, Aug 06, 2008 at 05:18:51PM -0400, Cris Boisvert wrote:

Been using Freeradius for years. Have dual MySQL databases running. One has all the user data and the other gets all the accounting. The server takes about 20-30 seconds to start, where on the previous servers (old P3 500MHz) it took only 2-3 seconds. It works and responds perfectly fine, but just takes a while to finish reading the configs. Running debugging it loads to the point where it says

--Cut---
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
---end Cut

Then after about 30 seconds it blasts out the rest of the normal load, attaching to all the databases etc. Anyone have any ideas what this may be waiting around for?

DNS?

-- Scott Lambert KC5MLE Unix SysAdmin [EMAIL PROTECTED]
Howto log wrong-password ( and other attempts ) to radacct ( sql_log ? )
Hi again everybody.

Ok, it seems my freeradius only wants to log access-accept stuff to SQL, but when I log in with a wrong password it doesn't insert it in SQL. Can anyone tell what I need to have in what section please?

Thanks in advance,
Adrian.
Re: Freeradius does not assign IP from main_pool
Xiaochen Jing wrote:

I went through the comments for the ippool module in radiusd.conf but couldn't get any clue.

All versions of the server contain comments in the ippool module that say "users file". The text that follows it is supposed to go into the users file.

Why does it keep saying +- entering group post-auth rlm_ippool: Could not find Pool-Name attribute.

Because you didn't configure the users file correctly.

In the users file I have

testuser Cleartext-Password := testing
        Pool-Name == main_pool,

Which doesn't match the example given in the ippool module.

(1) You put the Pool-Name attribute on the SECOND line, not the FIRST. See man users for the format of the users file.

(2) You use == as the operator, not :=. See man users for the format of the users file.

Again, this is documented in the comments in the ippool module, and in the man page for the users file.

Alan DeKok.
Re: Howto log wrong-password ( and other attempts ) to radacct ( sql_log ? )
You'll find your answer in the Freeradius FAQ section.

S

Adrian wrote:

Hi again everybody. Ok, it seems my freeradius only wants to log access-accept stuff to SQL, but when I log in with a wrong password it doesn't insert it in SQL. Can anyone tell what I need to have in what section please? Thanks in advance, Adrian.
Re: Slow Starting..
Hi,

Where would you think the DNS problem is? Is there a debug mode that is more verbose, that can show the exact thing that freeradius is looking for? All the naming is by IP, not a DNS name. Also there are not a lot of places in freeradius to put in DNS server numbers.

clients.conf
proxy.conf

alan
Re: Does Avenda use freeradius?
paul smith wrote:

I've installed it and looked on the disk, all the config files are freeradius.

Nice!

Does this include any modules that are written for freeradius?

Yes. They use the API from the server core, which is GPL'd.

I'd think running external scripts is OK as these are not compiled against or linked to the freeradius code, but what about modules? Don't these require compilation? Would this mean that if you write modules for freeradius and sell the solution you need to provide the source for the modules?

Yes. If they've added features such as PEAPv2 and EAP-Fast, that code would likely fall under the terms of the GPL. If they don't agree, then they are not following the terms of the FreeRADIUS license.

Alan DeKok.
Re: EAP-SIM and EAP-AKA fast-reauth support
I am trying to test fast re-authentication using freeradius. From the email below it looks like freeradius supports fast re-authentication. I am using the freeradius 2.0.5 version. I successfully tested EAP-SIM and EAP-AKA. Can someone help me with the radius configuration to test fast re-authentication with EAP-SIM or with EAP-AKA, and also how to use the eap2 module? Help is greatly appreciated.

Thank you
Indira

On Tue, Jul 8, 2008 at 4:21 AM, Alan DeKok [EMAIL PROTECTED] wrote:

Geoffroy Arnoud wrote: I have a question about EAP-SIM and EAP-AKA authentication. Is fast-reauthentication supported (in eap or eap2 module)?

Fast re-authentication is supported only in the eap2 module, so far as I know. We should add the EAP-AKA patches to rlm_eap at some point. I've been avoiding it because the patches do a *lot* of cut-and-paste of existing code, rather than re-using it.

Alan DeKok.
Re: How to assign default gatway?
It's possible when you are using PPPoE, but it's rather not possible to do that with freeradius (or any radius).

On Thu, 7 Aug 2008 13:25:05 -0400, Xiaochen Jing [EMAIL PROTECTED] wrote:

Hello all, Is it possible to assign users a default gateway while allocating dynamic IP addresses from an IP pool? Thank you

-- Maciej Drobniuch
Re: Users from specific nas
Hi,

You can use huntgroups and SQL groups that check those huntgroups:

DIALUP NAS-Identifier == akl-grafton-diallns3
DIALUP NAS-Identifier == akl-grafton-diallns4

and then in the db create groups that match the huntgroups.

radbackend=> select * from radgroupcheck;
 id | groupname | attribute      | op | value
----+-----------+----------------+----+--------
  5 | DIALUP    | Huntgroup-Name | == | DIALUP

and set up user accounts like this so they use groups:

radbackend=> select * from radusergroup where username='przem';
 username | groupname | priority
----------+-----------+----------
 przem    | ADSL      |        1
 przem    | DIALUP    |        2

kind regards
Pshem

2008/8/8 Cris Boisvert [EMAIL PROTECTED]:

Using freeradius with mysql backend. Currently lets all nas devices authenticate user/pass. Want to set it up so that specific users can authenticate only from specific nas devices. Like huntgroups but need to have it set up in mysql. Does anyone have a recommended config for this?
Re: xp sp3 and freeradius 2.0.5
Hello Ivan.

While negotiating, XP SP3 and the switch show this traffic:

    [1  User-name          ] [26] [host/pccen115.cosmart.bo]
    [32 NAS-Identifier     ] [14] [001cc5363882]
    [5  NAS-Port           ] [6 ] [268439553]
    [87 NAS_Port_Id        ] [34] [unit=1;subslot=0;port=1;vlanid=1]
    [61 NAS-Port-Type      ] [6 ] [15]
    [31 Caller-ID          ] [16] [303030352D356437622D38643561]
    *0.40057968 5500G-EI RDS/8/DEBUG:- 1 -
    [40 Acct-Status-Type   ] [6 ] [2]
    [45 Acct-Authentic     ] [6 ] [1]
    [44 Acct-Session-Id    ] [15] [110500011106f]
    [4  NAS-IP-Address     ] [6 ] [192.168.100.245]
    [55 Event-Timestamp    ] [6 ] [1104577657]
    [3com-26 Connect_ID    ] [6 ] [35]
    *0.40057969 5500G-EI RDS/8/DEBUG:- 1 -
    [3com-29 Input_Peak_Rate    ] [6 ] [0]
    [3com-2  Input_Average_Rate ] [6 ] [0]
    [3com-4  Output_Peak_Rate   ] [6 ] [0]
    [3com-5  Output_Average_Rate] [6 ] [0]
    [3com-22 Priority           ] [6 ] [0]
    [3com-60 Ip-Host-Addr       ] [27] [0.0.0.0 00:05:5d:7b:8d:5a]
    *0.40057969 5500G-EI RDS/8/DEBUG:- 1 -
    [46 Acct-Session-Time  ] [6 ] [97]
    [41 Acct-Delay-Time    ] [6 ] [0]
    [42 Acct-Input-Octets  ] [6 ] [93000]
    [47 Acct-Input-Packets ] [6 ] [352]
    [43 Acct-Output-Octets ] [6 ] [126726]
    [48 Acct-Output-Packets] [6 ] [698]
    *0.40057970 5500G-EI RDS/8/DEBUG:- 1 -
    [52 Acct_Input_Gigawords ] [6 ] [0]
    [53 Acct_Output_Gigawords] [6 ] [0]
    [49 Terminate-Cause      ] [6 ] [2]

I let the client stay on VLAN1, not moving to another VLAN, and it's the same behavior: the PC gets ACCESS-ACCEPT but then it tries again, until the exclamation icon appears; no ping to the client at all.

What can it be? What am I doing wrong? Is the problem XP SP3, or is it the 3COM 5500G-EI?

Regards.
Oxiel

On Tuesday 08 Jul 2008, Ivan Kalik wrote:
> > As you noted, the client gets Access-Accept once, but then for some reason I don't know, it loses connection and never gets access to the network. On Windows the network icon shows trying to connect, then later gets the exclamation sign on the icon. First I thought it was something with the VLAN assignation, so I removed it and let it stay on VLAN 1, but the same behavior.
>
> Certificates are fine, radius server is fine. Your NAS is dropping the connection. Debug the NAS and see what it is complaining about.
>
> It's quite normal for Windows domain access to authenticate the machine first and the user later, once the machine is on the network.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Whether the FreeRADIUS supports switch 3Com 5500G-EI?
Hello Gennadiy.

I'm trying hard to achieve what you did, but with no success. Could you please let me know which firmware you were using on this switch, and against what clients (native Windows XP Service Pack 3, or the Windows Vista RADIUS client maybe?).

I'm trying to authenticate through PEAP with the native RADIUS client on Windows XP SP3 and Windows Vista, with FR 2.0.5 with PEAP, and this model of 3Com 5500G-EI:

    <5500G-EI>dis version
    3Com Corporation
    SuperStack 4 Switch 5500G-EI Software Version 3Com OS V3.02.04s168
    Copyright (c) 2004-2007 3Com Corporation and its licensors, All rights reserved.
    SuperStack 4 Switch 5500G-EI uptime is 0 week, 0 day, 11 hours, 41 minutes

    3Com SuperStack 4 Switch 5500G-EI 24-Port with 1 MIPS Processor
    128Mbytes SDRAM
    16384K bytes Flash Memory
    Config Register points to FLASH
    Hardware Version is REV.C
    CPLD Version is 002
    Bootrom Version is 4.03
    [Subslot 0] 24GE+4SFP Hardware Version is REV.C
    [Subslot 2] 2 STACK Hardware Version is REV.C

Did you change something else on your switches, or is it only what you uploaded to the list, maybe something on Windows or FR?

Best regards.
Oxiel

On Wednesday 11 Jun 2008, Gennadiy Redko wrote:
> Krzysztof Olędzki wrote:
> > OK, we absolutely need some more info:
> > - display vlan
> > - display vlan ... (2?)
> > - display interface ... (G7/0/40?)
> > - display port-security interface ... (G7/0/40)
>
> Hi, Krzysztof
>
> Viktor Guk wrote:
> > skip
>
> All too most, only with the letter G.
>
> [5500G-EI]disp vlan
> The following VLANs exist:
> 1(default), 2
>
> [5500G-EI]disp vlan 2
> VLAN ID: 2
> VLAN Type: static
> Route Interface: not configured
> Description: vlan2
> Name: vlan2
> Tagged Ports: none
> Untagged Ports:
>   GigabitEthernet7/0/39 GigabitEthernet7/0/47
>
> [5500G-EI]display interface GigabitEthernet 7/0/40
> GigabitEthernet7/0/40 current state : DOWN
> IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 001a-c147-8e68
> Media type is twisted pair, loopback not set
> Port hardware type is 1000_BASE_T
> Unknown-speed mode, unknown-duplex mode
> Link speed type is autonegotiation, link duplex type is autonegotiation
> Flow-control is not enabled
> The Maximum Frame Length is 1522
> Broadcast MAX-pps: 3000
> Unicast MAX-ratio: 100%
> Multicast MAX-ratio: 100%
> Forbid jumbo frame to pass
> PVID: 1
> Mdi type: auto
> Port link-type: access
> Tagged VLAN ID : none
> Untagged VLAN ID : 1
> Last 300 seconds input: 0 packets/sec 7 bytes/sec
> Last 300 seconds output: 0 packets/sec 48 bytes/sec
> Input(total): 23 packets, 2240 bytes
>   2 broadcasts, 12 multicasts, 0 pauses
> Input(normal): - packets, - bytes
>   - broadcasts, - multicasts, - pauses
> Input: 0 input errors, 0 runts, 0 giants, - throttles, 0 CRC
>   - frame, - overruns, 0 aborts, - ignored, - parity errors
> Output(total): 151 packets, 14501 bytes
>   89 broadcasts, 50 multicasts, 0 pauses
> Output(normal): - packets, - bytes
>   - broadcasts, - multicasts, - pauses
> Output: 0 output errors, - underruns, - buffer failures
>   0 aborts, 0 deferred, 0 collisions, 0 late collisions
>   0 lost carrier, - no carrier
>
> [5500G-EI]display port-security interface GigabitEthernet 7/0/40
> GigabitEthernet7/0/40 is link-down
> Port mode is noRestriction
> NeedtoKnow mode is disabled
> Intrusion mode is no action
> Max mac-address num is not configured
> Stored mac-address num is 0
> Authorization is permit
>
> With the options offered by you the stand too has not earned
>
> > BTW: There is no need to add and use TMT802, freeradius already comes with all what you need here:
> >
> > Tunnel-Type = VLAN
> > Tunnel-Medium-Type = IEEE-802
> > Tunnel-Private-Group-ID = ...
> >
> > Best regards,
> > Krzysztof Olędzki
>
> Best regards.
> Gennadii Redko
Re: 2.0.5 on Solaris
I changed the Makefile for the random file creation step (as a fix for my earlier posted error). This is what I found in the Makefile:

    random:
            @if [ -e /dev/urandom ] ; then \
                    dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
            else \
                    date > ./random; \
            fi

I changed it to:

    random:
            date > ./random

That solved my earlier problem, and now my server is listening.

Thanks,
Rafi

On 8/7/08, Rafiqul Ahsan [EMAIL PROTECTED] wrote:
> I see below error when I execute bootstrap
>
>     bash-3.00# /usr/local/etc/raddb/certs/bootstrap
>     ...
>     make: Nothing to be done for `ca'.
>     make: Nothing to be done for `server'.
>     make: `dh' is up to date.
>     /bin/sh: test: argument expected
>     make: *** [random] Error 1
>
> On 8/7/08, Alan DeKok [EMAIL PROTECTED] wrote:
> > Rafiqul Ahsan wrote:
> > > Thanks, I was able to build freeradius 2.0.5 on Solaris 10. However, the server is not running, and I see below error when I run radiusd -X. Here is the output.
> > > ...
> > > make_cert_command = /usr/local/etc/raddb/certs/bootstrap
> > > }
> > > Exec-Program output:
> >
> > It's trying to run the bootstrap command. It's not working.
> >
> > Run the bootstrap command by hand, and then re-start the server.
> >
> > Alan DeKok.
>
> --
> Rafiqul Ahsan

--
Rafiqul Ahsan
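The "test: argument expected" error in this thread is what the classic Bourne shell (Solaris /bin/sh) reports for the `-e` operator, which it does not implement. The workaround in the message above replaces the /dev/urandom read with `date`, so the OpenSSL random file used by the certificate bootstrap ends up holding only a timestamp, which is predictable. The following is an added example, not code from the thread or from the FreeRADIUS certs Makefile: it keeps /dev/urandom and uses `-c` (character device) and `-r` (readable), which the Bourne shell does support, and it returns an error instead of falling back to a timestamp. The output path and the device path are parameters of this example so that the no-device branch can be exercised on any machine.

```shell
#!/bin/sh
# Added example; not from the list thread or from the FreeRADIUS
# certs/bootstrap Makefile.  Writes an OpenSSL seed file using only
# test operators the classic Bourne shell knows: -c (character special
# file) and -r (readable), instead of -e, which Solaris /bin/sh rejects
# with "test: argument expected".
#
# Usage: make_random_file OUTPUT [DEVICE]
#   OUTPUT  path of the seed file to write (./random in the Makefile)
#   DEVICE  random device to read, default /dev/urandom; a parameter so
#           the no-device path can be exercised on any machine
# Exit status: 0 written, 1 no usable device, 2 dd failed.
make_random_file() {
    out=$1
    dev=${2:-/dev/urandom}

    if [ -c "$dev" ] && [ -r "$dev" ]; then
        # Same amount as the bootstrap Makefile: 10 blocks of 512 bytes.
        dd if="$dev" of="$out" bs=512 count=10 >/dev/null 2>&1 || return 2
        return 0
    fi

    # Do not fall back to `date > $out`: a seed that is only a timestamp
    # is predictable, which defeats the purpose of the random file.
    echo "make_random_file: no usable random device at $dev" >&2
    return 1
}
```

In a Makefile the `random:` target would call `make_random_file ./random` (after sourcing or inlining the function); make then stops on the non-zero exit status instead of silently producing a weak seed.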
FreeRadius MAC address authorization (no authentication)
Hi,

I'm trying to implement FreeRADIUS to authenticate wireless clients based on MAC address only; unfortunately all my wireless clients are using EAP/TLS (Windows XP SP2). I found that the tutorials and docs are not leading me in the right direction. Besides, I will not burden my Windows XP SP2 clients to search for a hotfix for EAP/TLS compatibility with FreeRADIUS.

After digging more, I realized that authorization using the checkval module is enough to verify a valid MAC address from a wireless client. But my question is how I can use only authorization, where authentication will always return Access-Accept.

Here is my radiusd -X output:

    Ready to process requests.
    rad_recv: Access-Request packet from host 10.0.0.2 port 1027, id=183, length=199
            User-Name = PIDEL-3C5B30E9C\\Administrator
            NAS-IP-Address = 10.0.0.2
            NAS-Port = 0
            Called-Station-Id = 00-1E-E5-9D-61-85:DEL_LR1
            Calling-Station-Id = 00-21-00-0B-68-E3
            Framed-MTU = 1400
            NAS-Port-Type = Wireless-802.11
            Connect-Info = CONNECT 11Mbps 802.11b
            EAP-Message = 0x0201002201504944454c2d3343354233304539435c41646d696e6973747261746f72
            Message-Authenticator = 0x891b437263cd48909255484bb081c823
    +- entering group authorize
    ++[preprocess] returns ok
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns ok
    rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3
    rlm_checkval: Value Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3
    ++[checkval] returns ok
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Sending Access-Reject of id 183 to 10.0.0.2 port 1027
    Finished request 0.

Thanks in advance.
Ramot Lubis.
Re: Login incorrect (Home Server says so)... - But why?
Well, the problem is solved. The IP for my realm was wrong. Now everything works without any problem.
Re: EAP-SIM and EAP-AKA fast-reauth support
indira kolli wrote:
> I am trying to test the fast re-authentication using the freeradius. From the email below it looks like freeradius supports fast re-authentication.

With the eap2 module.

> I am using the freeradius 2.0.5 version. I successfully tested EAP-SIM and EAP-AKA. Can someone help me with the radius configuration to test the fast re-authentication with EAP-SIM or with EAP-AKA and also how to use the eap2 module.

See raddb/experimental.conf, and look for eap2.

Alan DeKok.