Re: 2.0.5 on Solaris with openssl 0.9.8h
Rafiqul Ahsan wrote:
> I am facing some challenges on building Freeradius 2.0.5 (Solaris OS)
> with openssl version 0.9.8h. The Solaris 10 come with prebuilt openssl
> version, and found at /usr/sfw/bin/openssl, version 0.9.7d. Prior to
> building freeradius I built newer version openssl (v.0.9.8h) located
> in /usr/local/ssl. here are the two openssl version now I have in my
> Solaris.

Why not just install the OpenSSL from sunfreeware? They have a package pre-built...

> When I built Freeradius 2.0.5 (I simply executed three commands,
> ./configure make and make install) , I was expecting that it would
> build with my desired openssl version.

Why? How does it know what you desire? Did you configure the linker to prefer one version over the other? Did you configure the C "include" references to prefer one over the other?

> this. I sent openssl community this question, they wanted me to verify
> whether I actually built the freeradius with this new openssl version.

Well... of course.

> I am not able to understand what library it is actually built with,
> because I could not figure out from build log, nor the configure. But
> if I use the configure options as below, I see a rolling error (that
> telling me that I must not have built the freeradius with openssl
> 0.9.8h ?) :

No idea.

...
> Text relocation remains referenced
> against symbol offset in file
> 0x0 /usr/local/ssl/lib/libssl.a(ssl_lib.o)

That's a fairly useless error. Are you sure that the libssl.a file is really a library, and not something else?

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: oracle support
Just don't answer that stupid question! :p

Alexandre Chapellon wrote:
> Hello,
>
> I can see that oracle can be used to store accounting data, ippool and
> other stuff like this, but nothing about authenticating requests with
> users and passwords stored in an oracle database. How can I manage to do
> this?
oracle support
Hello,

I can see that oracle can be used to store accounting data, ippool and other stuff like this, but nothing about authenticating requests with users and passwords stored in an oracle database. How can I manage to do this?
Error compiling FreeRadius-2.0.5
Hi,

I have Red Hat Linux release 8.0 and I am trying to install FreeRADIUS 2.0.5 fresh. I am getting the following errors while doing a make after the ./configure. Any input will be greatly appreciated.

rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
creating .libs/radiusdS.c
(cd .libs && gcc -g -O2 -c -fno-builtin -fno-rtti -fno-exceptions "radiusdS.c")
rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/radius_snmp.o .libs/session.o .libs/smux.o .libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o -Wl,--export-dynamic /freeradius-server-2.0.5/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lpthread -lcrypt /usr/lib/libltdl.so -ldl -Wl,--rpath -Wl,/usr/local/lib
.libs/threads.o: In function `setup_ssl_mutexes':
/freeradius-server-2.0.5/src/main/threads.c:217: undefined reference to `OpenSSL_add_all_algorithms'
/freeradius-server-2.0.5/src/main/threads.c:220: undefined reference to `CRYPTO_num_locks'
/freeradius-server-2.0.5/src/main/threads.c:226: undefined reference to `CRYPTO_num_locks'
/freeradius-server-2.0.5/src/main/threads.c:230: undefined reference to `CRYPTO_set_id_callback'
/freeradius-server-2.0.5/src/main/threads.c:231: undefined reference to `CRYPTO_set_locking_callback'
.libs/threads.o: In function `request_handler_thread':
/freeradius-server-2.0.5/src/main/threads.c:497: undefined reference to `ERR_remove_state'
collect2: ld returned 1 exit status
gmake[4]: *** [radiusd] Error 1
gmake[4]: Leaving directory `/freeradius-server-2.0.5/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/freeradius-server-2.0.5/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/freeradius-server-2.0.5/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/freeradius-server-2.0.5'
make: *** [all] Error 2

Thanks much,
Ums
Re: Cleartext Password not clear
It said to DOUBLECHECK it.

On Aug 12, 2008, at 1:30 PM, Stéven Le Bras wrote:

> I have already checked this and it's ok. If I use the chilli interface I can log on without any problem, but I want to know if it's possible to force a clear read.
>
> 2008/8/12 Chris <[EMAIL PROTECTED]>
>> Read the debug output.
>>
>> On Aug 12, 2008, at 1:10 PM, Stéven Le Bras wrote:
>>> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>
> --
> Stéven
Multiple Attribute checks with sql module
Hello List,

I want to set up freeradius as a proxy for cisco management and dot1x. The attribute to check is NAS-Port-Type. If it's "Ethernet" it's a dot1x request and has to be proxied to one realm configured in proxy.conf. Otherwise it has to be proxied to another realm, also configured in proxy.conf, for one-time-password authentication. Further, if a specific NAS sends the request, the request should be accepted by the proxy itself.

I already got this working with the users file looking like:

DEFAULT NAS-Port-Type==Ethernet,NAS-IP-Address==1.1.1.1,Auth-Type:=Accept
DEFAULT NAS-Port-Type==Ethernet,Proxy-To-Realm:=Realm1
DEFAULT NAS-IP-Address==1.1.1.1,Auth-Type:=Accept
DEFAULT Proxy-To-Realm:=Realm2

But I don't get this working using the sql module. My database structure looks like:

mysql> select * from radcheck;
+----+----------+---------------+----+-------+
| id | UserName | Attribute     | op | Value |
+----+----------+---------------+----+-------+
|  2 | testuser | Password      | == | test  |
|  4 | DEFAULT  | NAS-Port-Type | =* |       |
+----+----------+---------------+----+-------+
2 rows in set (0.00 sec)

mysql> select * from usergroup;
+----+----------+------------+
| id | UserName | GroupName  |
+----+----------+------------+
|  2 | DEFAULT  | ProxyMgt   |
|  3 | DEFAULT  | ProxyDOT1x |
+----+----------+------------+
1 row in set (0.00 sec)

mysql> select * from radgroupcheck;
+----+------------+----------------+----+----------+
| id | GroupName  | Attribute      | op | Value    |
+----+------------+----------------+----+----------+
|  4 | ProxyMgt   | NAS-Port-Type  | == | Virtual  |
|  5 | ProxyMgt   | Proxy-To-Realm | := | Mgt      |
|  6 | ProxyDOT1x | NAS-Port-Type  | == | Ethernet |
|  7 | ProxyDOT1x | Proxy-To-Realm | := | PortSec  |
+----+------------+----------------+----+----------+
4 rows in set (0.00 sec)

mysql> select * from radgroupreply;
Empty set (0.00 sec)

With this sql configuration, the server proxies management requests but not dot1x requests. In debug it says "No matching entry in the database for request from user". The same applies to the acceptance of specific NAS requests.

The reason I want to realize this configuration with the sql module is that changes are possible without HUPing the process. I've read the documentation which is available for the sql module, but the examples described there are not complex enough to help with my problem.

Can anyone help me to realize the above mentioned configuration of the users file with the sql module?

Thanks in advance

Cheers
Alex
RE: clients.conf - identifying a "client" - sql/ldap
Hi all,

Received no responses to the post below. Any ideas would be greatly appreciated!

Thanks,

Johan Meiring
Cape PC Services CC / Amobia Communications
Tel: (021) 883-8271 / (0861) AMOBIA
Fax: (021) 886-7782 / (0861) AMOFAX

> -----Original Message-----
> From: Johan Meiring [mailto:[EMAIL PROTECTED]
> Sent: 28 July 2008 11:55 AM
> To: 'freeradius-users@lists.freeradius.org'
> Subject: clients.conf - identifying a "client" - sql/ldap
>
> Hi,
>
> I have the following setup.
>
> Various clients (chillispot) behind broadband (read: dynamic
> IP) connections.
> Basically I am selling AAA services.
>
> I would like to authorize a nas to use my services in the
> first place by using the NAS-Identifier and the radius secret.
>
> Both the NAS SQL table and the clients.conf file seem to
> identify the client by IP address.
>
> As my clients can be from ANY address, it seems that the only
> way is to create an entry in clients.conf as follows:
>
> client 0.0.0.0/0 {
>     shortname = myclient
>     secret = abcde
> }
>
> This now implies again that all clients have to have the same secret.
>
> I am using the perl modules, but according to another post
> you cannot use perl as a replacement for clients.conf.
> Also the sql nas table simply mimics the clients. (I.e.
> still uses IP address to find entry).
>
> Is there any way to handle clients with dynamic IPs, and use
> the NAS-Identifier and radius secret to allow/disallow the NAS?
>
> Thanks!
>
> Cheers,
>
> Johan Meiring
> Cape PC Services CC / Amobia Communications
> Tel: (021) 883-8271 / (0861) AMOBIA
> Fax: (021) 886-7782 / (0861) AMOFAX
Re: Prefix/Suffix not working (FR 2.0.5, CentOS 5, System Auth)
I tried this with no change, both with using the hints file and without.

-SW

Ivan Kalik writes:
>
> You need to add User-Name := Stripped-User-Name to your users file entry
> in order to replace it with the stripped value.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 12/8/2008, "Steve Weaver" <[EMAIL PROTECTED]> writes:
>
> > I'm having a strange problem I hope you can help me figure out. We're
> > finally moving from an ancient Livingston RADIUS to FreeRADIUS.
> >
> > I compiled and installed version 2.0.5 on a freshly installed CentOS 5
> > box, read all the documentation I could find, installed our old users
> > file and adapted it until it now (mostly) works correctly.
> >
> > System info:
> >
> > # radiusd -v
> > radiusd: FreeRADIUS Version 2.0.5, for host i686-redhat-linux-gnu,
> > built on Aug 5 2008 at 15:40:15
> >
> > # uname -a
> > Linux .***.com 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT
> > 2008 i686 i686 i386 GNU/Linux
> >
> > The problem I'm having is that we have a lot of legacy users still
> > logging in with "Pusername" for PPP connections. I've tried to set it
> > up in both the users file and the hints file (separately) and get the
> > same result. No matter what I do, it tries to authenticate (System
> > auth type) the username "Pusername" instead of "username".
> >
> > If I add a user named "Pusername" everything works correctly. It hits
> > the right default entry and authenticates fine, so it's just not
> > stripping off the "P" when authenticating. I have also tried suffixes
> > (".ppp") to test if it was just the prefix that wasn't working. Same
> > problem.
> >
> > We're not using any realms, proxying, LDAP, SQL, etc at this time.
> > Just a very simple single RADIUS server reading from a users file and
> > authenticating against the system password file.
> >
> > I first tried to set it up in the users file. I commented out
> > everything in the hints file. Here's what the DEFAULT entry looks like
> > in the users file:
> >
> > DEFAULT Auth-Type := System, Prefix == "P"
> >     User-Service-Type = Framed-User,
> >     Session-Timeout = 36000,
> >     Idle-Timeout = 600,
> >     Port-Limit = 1,
> >     Framed-Protocol = PPP,
> >     Framed-Address = 255.255.255.254,
> >     Framed-Netmask = 255.255.255.255,
> >     Framed-Routing = None,
> >     Framed-MTU = 1500,
> >     Framed-Compression = Van-Jacobsen-TCP-IP
> >
> > I attempt to authenticate:
> >
> > # radtest Psweaver localhost 0 testing123
> > Sending Access-Request of id 43 to 127.0.0.1 port 1645
> >     User-Name = "Psweaver"
> >     User-Password = ""
> >     NAS-IP-Address = 127.0.0.1
> >     NAS-Port = 0
> > rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=43,
> > length=20
> >
> > Things are working otherwise; without the "P" it works fine:
> >
> > # radtest sweaver localhost 0 testing123
> > Sending Access-Request of id 223 to 127.0.0.1 port 1645
> >     User-Name = "sweaver"
> >     User-Password = ""
> >     NAS-IP-Address = 127.0.0.1
> >     NAS-Port = 0
> > rad_recv: Access-Accept packet from host 127.0.0.1 port 1645, id=223,
> > length=56
> >     Session-Timeout = 36000
> >     Idle-Timeout = 600
> >     Port-Limit = 1
> >     Service-Type = Login-User
> >     Login-IP-Host = ***.***.***.***
> >     Login-Service = Rlogin
> >
> > With the "P", here's the output of radiusd -X
> >
> > rad_recv: Access-Request packet from host 127.0.0.1 port 35915, id=175,
> > length=60
> >     User-Name = "Psweaver"
> >     User-Password = ""
> >     NAS-IP-Address = 127.0.0.1
> >     NAS-Port = 0
> > +- entering group authorize
> > ++[preprocess] returns ok
> >     expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> > -> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
> > rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> > expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
> >     expand: %t -> Tue Aug 12 10:10:44 2008
> > ++[auth_log] returns ok
> > ++[chap] returns noop
> > ++[mschap] returns noop
>
Re: Cleartext Password not clear
I have already checked this and it's ok. If I use the chilli interface I can log on without any problem, but I want to know if it's possible to force a clear read.

2008/8/12 Chris <[EMAIL PROTECTED]>
> Read the debug output.
>
> On Aug 12, 2008, at 1:10 PM, Stéven Le Bras wrote:
>
>> WARNING: Unprintable characters in the password. Double-check the
>> shared secret on the server and the NAS!

--
Stéven
Re: Cleartext Password not clear
Read the debug output.

On Aug 12, 2008, at 1:10 PM, Stéven Le Bras wrote:
> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Cleartext Password not clear
Hi there,

I'm attempting to log in to chillispot with freeradius, but when I send the username / password pair with a cleartext password in User-Password to freeradius through chillispot, radiusd responds:

rad_recv: Access-Request packet from host 127.0.0.1 port 36710, id=47, length=263
	ChilliSpot-Version = "1.0.12"
	User-Name = "testuser"
	User-Password = "\177\326=\343\017\021e\247B4ޣ\202<6\001"
	NAS-IP-Address = 10.1.0.1
	Service-Type = Login-User
	Framed-IP-Address = 10.1.0.4
	Calling-Station-Id = "00-13-CE-8C-0F-AF"
	Called-Station-Id = "00-09-6B-D8-9A-C6"
	NAS-Identifier = "nas01"
	Acct-Session-Id = "48a18af50001"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	WISPr-Location-ID = "isocc=,cc=,ac=,network=SYS_TECH,"
	WISPr-Location-Name = "HotSpot"
	WISPr-Logoff-URL = "http://10.1.0.1:3990/logoff"
	Message-Authenticator = 0x8bd17fcc4a6acc6cac5026615e4545b5
[...]
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
  Found Post-Auth-Type Reject

(the password is "plop") but I want freeradius to be able to read the password without transforming it. Is it possible, or do you think it could be chillispot that transforms it?

Thanks

--
Stéven
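Why a wrong shared secret shows up as unprintable garbage in User-Password: a RADIUS client never sends the password in clear. It XORs it with MD5(secret + Request Authenticator) as in RFC 2865 section 5.2, and the server reverses that with its own copy of the secret, so a mismatched secret yields pseudo-random bytes, which is exactly what the warning above is reporting. The following is an added example written for this thread (not FreeRADIUS or ChilliSpot code); the secret, the Request Authenticator and the password "plop" are constructed values.

```python
import hashlib


def _pad16(password: bytes) -> bytes:
    """Null-pad to a multiple of 16 octets; an empty password still yields one block."""
    padded = password + b"\x00" * (-len(password) % 16)
    return padded if padded else b"\x00" * 16


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a User-Password the way the NAS does (RFC 2865 section 5.2).

    Each 16-octet block is XORed with MD5(secret + previous block); the first
    "previous block" is the 16-octet Request Authenticator from the packet header.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    hidden = b""
    prev = request_auth
    for i in range(0, len(_pad16(password)), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(_pad16(password)[i:i + 16], key))
        hidden += block
        prev = block  # chaining: the next keystream block depends on this ciphertext
    return hidden


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Recover the password as the server does, stripping the null padding.

    Caveat from the RFC scheme itself: a password with trailing NUL octets
    cannot be distinguished from the padding.
    """
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    plain = b""
    prev = request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block  # the keystream for the next block comes from the ciphertext
    return plain.rstrip(b"\x00")


def has_unprintable(password: bytes) -> bool:
    """The condition behind FreeRADIUS' 'Unprintable characters in the password'
    warning: anything outside printable ASCII is a strong hint that the two
    sides disagree on the shared secret."""
    return any(b < 0x20 or b > 0x7E for b in password)


def decode_and_check(hidden: bytes, secret: bytes, request_auth: bytes):
    """Server-side view: (recovered password, secret mismatch suspected)."""
    password = unhide_password(hidden, secret, request_auth)
    return password, has_unprintable(password)


# Constructed demo values (not taken from the capture in the thread).
REQUEST_AUTH = bytes(range(16))
NAS_SECRET = b"testing123"

if __name__ == "__main__":
    hidden = hide_password(b"plop", NAS_SECRET, REQUEST_AUTH)
    print("same secret on both sides:", decode_and_check(hidden, NAS_SECRET, REQUEST_AUTH))
    print("secret typo on the server:", decode_and_check(hidden, b"testing124", REQUEST_AUTH))
```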
What is the certificate that I installed on the notebook?
In the /certs/ folder there are many licences. Which one is the one I install on the notebook, and how is it set up?

Thanks!!!

--
Silvero Martin
2.0.5 on Solaris with openssl 0.9.8h
Alan, and all,

I am facing some challenges on building Freeradius 2.0.5 (Solaris OS) with openssl version 0.9.8h. Solaris 10 comes with a prebuilt openssl version, found at /usr/sfw/bin/openssl, version 0.9.7d. Prior to building freeradius I built a newer openssl version (v.0.9.8h) located in /usr/local/ssl. Here are the two openssl versions I now have on my Solaris:

bash-3.00# openssl version
OpenSSL 0.9.8h 28 May 2008
bash-3.00# /usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)

When I built Freeradius 2.0.5 (I simply executed three commands: ./configure, make and make install), I was expecting that it would build with my desired openssl version. Apparently, I found that a certain hash algorithm (sha256) is not supported when I work with freeradius (I mean with the SSL version that it was built with). However, openssl version 0.9.8h should support this. I sent the openssl community this question; they wanted me to verify whether I actually built freeradius with this new openssl version.

I am not able to understand what library it is actually built with, because I could not figure it out from the build log, nor from the configure. But if I use the configure options as below, I see a rolling error (telling me that I must not have built freeradius with openssl 0.9.8h?):

... (see the portion of my output when I executed make, after ./configure)

./configure \
  --prefix=/usr/local/freeradius \
  --with-openssl=yes \
  --with-openssl-dir=/usr/local/ssl \
  --with-openssl-includes=/usr/local/ssl/include \
  --with-openssl-libraries=/usr/local/ssl/lib

RB5 -c peap.c -o peap.o >/dev/null 2>&1
/export/home/dev/freeradius-server-2.0.5/libtool --mode=link gcc -release 2.0.5 \
-module -export-dynamic -o rlm_eap_peap.la \
-rpath /usr/local/lib rlm_eap_peap.lo peap.lo rlm_eap_peap.c peap.c /export/home/dev/f
radius-server-2.0.5/src/lib/libfreeradius-radius.la ../../libeap/libfreeradius-eap.la
usr/local/ssl/lib -lcrypto -lssl -lcrypto -ldl -lnsl -lresolv -lsocket -lposix4 -lpth
d
gcc -shared -Wl,-h -Wl,rlm_eap_peap-2.0.5.so -o .libs/rlm_eap_peap-2.0.5.so .libs/rlm
p_peap.o .libs/peap.o -R/export/home/dev/freeradius-server-2.0.5/src/lib/.libs -R/exp
/home/dev/freeradius-server-2.0.5/src/modules/rlm_eap/libeap/.libs -R/usr/local/lib -L
port/home/dev/freeradius-server-2.0.5/src/lib/.libs /export/home/dev/freeradius-server
0.5/src/lib/.libs/libfreeradius-radius.so ../../libeap/.libs/libfreeradius-eap.so -L/u
local/ssl/lib -lssl -lcrypto -ldl -lnsl -lresolv -lsocket -lposix4 -lpthread -lc
Text relocation remains                         referenced
    against symbol                  offset      in file
0x0                                 /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x4                                 /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x8                                 /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0xc                                 /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x10                                /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x14                                /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x18                                /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x1c                                /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x20                                /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x24                                /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x28                                /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x2c                                /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x30                                /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x34                                /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x38                                /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x3c                                /usr/local/ssl/lib/libssl.a(ssl_lib.o)
0x40                                /usr/local/ssl/lib/libssl.a(ssl_lib.o)

On 8/7/08, Rafiqul Ahsan <[EMAIL PROTECTED]> wrote:
> I changed the Makefile for the random file creation step (as a fix for my
> earlier posted error)...
>
> This is what I found in the Makefile:
>
> random:
>	@if [ -e /dev/urandom ] ; then \
>	dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
>	else \
>	date > ./random; \
>	fi
>
> I changed it to ...
>
> random:
>	date > ./random;
>
> That solved my earlier problem, and now my server is listening.
>
> Thanks,
> Rafi
>
> On 8/7/08, Rafiqul Ahsan <[EMAIL PROTECTED]> wrote:
> > I see the below error when I execute bootstrap
> >
> > bash-3.00# /usr/local/etc/raddb/certs/bootstrap
> > ...
> > make: Nothing to be done for `ca'.
> > make: Nothing to be done for `server'.
> > make: `dh' is up to date.
> > /bin/sh: test: argument expected
> > make: *** [random] Error 1
> >
> > On 8/7/08, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > > Rafiqul Ahsan wrote:
> > > > Thanks, I was able to build freeradius 2.0.5 on Solaris 10. However,
> > > > server is not running,
Re: Prefix/Suffix not working (FR 2.0.5, CentOS 5, System Auth)
You need to add User-Name := Stripped-User-Name to your users file entry in order to replace it with the stripped value.

Ivan Kalik
Kalik Informatika ISP

On 12/8/2008, "Steve Weaver" <[EMAIL PROTECTED]> writes:

> I'm having a strange problem I hope you can help me figure out. We're
> finally moving from an ancient Livingston RADIUS to FreeRADIUS.
>
> I compiled and installed version 2.0.5 on a freshly installed CentOS 5
> box, read all the documentation I could find, installed our old users
> file and adapted it until it now (mostly) works correctly.
>
> System info:
>
> # radiusd -v
> radiusd: FreeRADIUS Version 2.0.5, for host i686-redhat-linux-gnu,
> built on Aug 5 2008 at 15:40:15
>
> # uname -a
> Linux .***.com 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT
> 2008 i686 i686 i386 GNU/Linux
>
> The problem I'm having is that we have a lot of legacy users still
> logging in with "Pusername" for PPP connections. I've tried to set it
> up in both the users file and the hints file (separately) and get the
> same result. No matter what I do, it tries to authenticate (System
> auth type) the username "Pusername" instead of "username".
>
> If I add a user named "Pusername" everything works correctly. It hits
> the right default entry and authenticates fine, so it's just not
> stripping off the "P" when authenticating. I have also tried suffixes
> (".ppp") to test if it was just the prefix that wasn't working. Same
> problem.
>
> We're not using any realms, proxying, LDAP, SQL, etc at this time.
> Just a very simple single RADIUS server reading from a users file and
> authenticating against the system password file.
>
> I first tried to set it up in the users file. I commented out
> everything in the hints file. Here's what the DEFAULT entry looks like
> in the users file:
>
> DEFAULT Auth-Type := System, Prefix == "P"
>     User-Service-Type = Framed-User,
>     Session-Timeout = 36000,
>     Idle-Timeout = 600,
>     Port-Limit = 1,
>     Framed-Protocol = PPP,
>     Framed-Address = 255.255.255.254,
>     Framed-Netmask = 255.255.255.255,
>     Framed-Routing = None,
>     Framed-MTU = 1500,
>     Framed-Compression = Van-Jacobsen-TCP-IP
>
> I attempt to authenticate:
>
> # radtest Psweaver localhost 0 testing123
> Sending Access-Request of id 43 to 127.0.0.1 port 1645
>     User-Name = "Psweaver"
>     User-Password = ""
>     NAS-IP-Address = 127.0.0.1
>     NAS-Port = 0
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=43,
> length=20
>
> Things are working otherwise; without the "P" it works fine:
>
> # radtest sweaver localhost 0 testing123
> Sending Access-Request of id 223 to 127.0.0.1 port 1645
>     User-Name = "sweaver"
>     User-Password = ""
>     NAS-IP-Address = 127.0.0.1
>     NAS-Port = 0
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1645, id=223,
> length=56
>     Session-Timeout = 36000
>     Idle-Timeout = 600
>     Port-Limit = 1
>     Service-Type = Login-User
>     Login-IP-Host = ***.***.***.***
>     Login-Service = Rlogin
>
> With the "P", here's the output of radiusd -X
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 35915, id=175,
> length=60
>     User-Name = "Psweaver"
>     User-Password = ""
>     NAS-IP-Address = 127.0.0.1
>     NAS-Port = 0
> +- entering group authorize
> ++[preprocess] returns ok
>     expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
>     expand: %t -> Tue Aug 12 10:10:44 2008
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: No '@' in User-Name = "Psweaver", looking up realm NULL
>     rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
>   rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
>     users: Matched entry DEFAULT at line 3526
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
>   rad_check_password:  Found Auth-Type System
> auth: type "System"
> +- e
Prefix/Suffix not working (FR 2.0.5, CentOS 5, System Auth)
I'm having a strange problem I hope you can help me figure out. We're finally moving from an ancient Livingston RADIUS to FreeRADIUS.

I compiled and installed version 2.0.5 on a freshly installed CentOS 5 box, read all the documentation I could find, installed our old users file and adapted it until it now (mostly) works correctly.

System info:

# radiusd -v
radiusd: FreeRADIUS Version 2.0.5, for host i686-redhat-linux-gnu, built on Aug 5 2008 at 15:40:15

# uname -a
Linux .***.com 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 i686 i386 GNU/Linux

The problem I'm having is that we have a lot of legacy users still logging in with "Pusername" for PPP connections. I've tried to set it up in both the users file and the hints file (separately) and get the same result. No matter what I do, it tries to authenticate (System auth type) the username "Pusername" instead of "username".

If I add a user named "Pusername" everything works correctly. It hits the right default entry and authenticates fine, so it's just not stripping off the "P" when authenticating. I have also tried suffixes (".ppp") to test if it was just the prefix that wasn't working. Same problem.

We're not using any realms, proxying, LDAP, SQL, etc at this time. Just a very simple single RADIUS server reading from a users file and authenticating against the system password file.

I first tried to set it up in the users file. I commented out everything in the hints file. Here's what the DEFAULT entry looks like in the users file:

DEFAULT Auth-Type := System, Prefix == "P"
    User-Service-Type = Framed-User,
    Session-Timeout = 36000,
    Idle-Timeout = 600,
    Port-Limit = 1,
    Framed-Protocol = PPP,
    Framed-Address = 255.255.255.254,
    Framed-Netmask = 255.255.255.255,
    Framed-Routing = None,
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobsen-TCP-IP

I attempt to authenticate:

# radtest Psweaver localhost 0 testing123
Sending Access-Request of id 43 to 127.0.0.1 port 1645
    User-Name = "Psweaver"
    User-Password = ""
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=43, length=20

Things are working otherwise; without the "P" it works fine:

# radtest sweaver localhost 0 testing123
Sending Access-Request of id 223 to 127.0.0.1 port 1645
    User-Name = "sweaver"
    User-Password = ""
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1645, id=223, length=56
    Session-Timeout = 36000
    Idle-Timeout = 600
    Port-Limit = 1
    Service-Type = Login-User
    Login-IP-Host = ***.***.***.***
    Login-Service = Rlogin

With the "P", here's the output of radiusd -X:

rad_recv: Access-Request packet from host 127.0.0.1 port 35915, id=175, length=60
    User-Name = "Psweaver"
    User-Password = ""
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
    expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
    expand: %t -> Tue Aug 12 10:10:44 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "Psweaver", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
    users: Matched entry DEFAULT at line 3526
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type System
auth: type "System"
+- entering group authenticate
++[unix] returns notfound
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
    expand: %{User-Name} -> Psweaver
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 175 to 127.0.0.1 port 35915
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 175 with timestamp +1013
Ready to process requests.

Note that it's matching line 3526, which is indeed the DEFAULT entry I listed above.

If I move the prefix information to the hints file, I end up with this in the hints file:

DEFA
Re: Help needed for radrelay under 1.1.3
Ryan wrote:
> Need some help on radrelay for 1.1.3 if possible.

Upgrade to 2.0.5. The radrelay functionality is integrated into the server core, and works much better than 1.1.x.

> Have tried running radrelay in debug mode but was not able to find any
> error other than the following
> rad_verify: Received Accounting-Response packet from client
> xxx.xxx.xxx.xxx port 1813 with invalid signature (err=2)! (Shared
> secret is incorrect.)

Well... fix that. Really. It's making radrelay not work.

> Both radius are running 1.1.3.
>
> The error is rather strange as I'm sure that the shared secret is correct.

(a) the shared secret is wrong.
(b) the MD5 libraries on the system are broken
(c) the memory on the system is corrupt.

Pick one.

Alan DeKok.
Re: Why do I need to force Auth-Type?
sphaero wrote:
> Thanks for that Alan, that does work as well. However I still don't know why
> freeradius didn't try pap in the first place.

It did. Read the debug output.

> I need to work with the 1.1 series since eventually I need to implement this
> HP procurve agent for freeradius and I haven't found any support for the 2.0
> series yet.

Ask them. It shouldn't be too hard to port any module from 1.1.x.

Alan DeKok.
Help needed for radrelay under 1.1.3
Hi All,

Need some help on radrelay for 1.1.3 if possible.

I have a radius setup whereby there are two radius servers, one for authorization/authentication and one for accounting. The one doing authorization/authentication will relay the accounting detail using radrelay to the other radius, which will update it to sql.

Currently I'm having some problem with the relaying; it does not seem to be working, as the detail file which is supposed to be cleared as entries are relayed is getting filled up. I noticed that the radrelay process is not forking the detail.work file at all.

Have tried running radrelay in debug mode but was not able to find any error other than the following:

rad_verify: Received Accounting-Response packet from client xxx.xxx.xxx.xxx port 1813 with invalid signature (err=2)! (Shared secret is incorrect.)

Both radius servers are running 1.1.3.

The error is rather strange as I'm sure that the shared secret is correct.

Best Regards,
Ryan
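What rad_verify() is checking when it reports an invalid signature on an Accounting-Response: the sender of the Accounting-Request recomputes MD5(Code + ID + Length + RequestAuth + Attributes + Secret) with its own copy of the secret (RFC 2866 section 3) and compares it with the authenticator in the reply, so the only inputs that can differ between the two hosts are the secret and the bytes on the wire. The following is an added example for this thread (not FreeRADIUS' radrelay code); the secrets, the packet ID and the attribute values are constructed.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST = 4
ACCT_RESPONSE = 5

# Attribute types used in the demo (RFC 2865 / RFC 2866).
USER_NAME = 1
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS type/length/value bytes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_packet(code, ident, authenticator, attrs):
    """Header (code, id, length) + 16-octet authenticator + attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def accounting_request(ident, attrs, secret):
    """Accounting-Request as the relaying server sends it: the Request
    Authenticator is MD5 over the packet with 16 zero octets in the
    authenticator field, followed by the secret (RFC 2866 section 3)."""
    pkt = build_packet(ACCT_REQUEST, ident, bytes(16), attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def accounting_response(request, attrs, secret):
    """Accounting-Response as the receiving server sends it: Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    pkt = build_packet(ACCT_RESPONSE, request[1], request[4:20], attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def verify_request(request, secret):
    """Receiving side: check the Request Authenticator of an Accounting-Request."""
    if len(request) < 20 or request[0] != ACCT_REQUEST:
        return False
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])


def verify_response(response, request, secret):
    """Sending side (what rad_verify does for a reply): the ID must match the
    outstanding request, the declared length must match, and the Response
    Authenticator must recompute with the request's authenticator and our
    copy of the secret. Any other secret makes this fail."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE:
        return False
    if response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Constructed exchange: (verifies with matching secrets, verifies with a
    mismatched secret on the accounting server)."""
    attrs = [(USER_NAME, b"ryan"),
             (ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # Start
             (ACCT_SESSION_ID, b"deadbeef0001")]
    relay_secret = b"testing123"
    req = accounting_request(7, attrs, relay_secret)
    good = accounting_response(req, [], relay_secret)
    bad = accounting_response(req, [], b"testing124")  # typo on the other host
    return verify_response(good, req, relay_secret), verify_response(bad, req, relay_secret)


if __name__ == "__main__":
    print("same secret verifies: %s, mismatched secret verifies: %s" % demo())
```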
Re: invalid login attempts user lockout
Evgeniy Kozhuhovskiy wrote:
> And what can you say about rlm_caching?

Not much. I've never used it.

Alan DeKok.
Re: Lost entries from reply with multiple instances of the same attribute
Konstantin KABASSANOV wrote:
>> Konstantin KABASSANOV wrote:
>>> Some months ago I mentioned a problem observed while sending Access-Accept
>>> with multiple Cisco-AVPair="ssid=..." entries. Even if fields are correctly
>>> retrieved from the LDAP server, only the first occurrence of the attribute
>>> is sent in the packet. Can you tell me if recent developments have solved
>>> this issue?
>>
>> This issue has been solved for almost 4 years now. Read ldap.attrmap.
>
> Alan, I'd be very happy if it was true, but:
> Even if my radius server gets the following from the rlm_ldap:
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: LDAP attribute wireless as RADIUS attribute Cisco-AVPair = "ssid=mywifi1"
> rlm_ldap: LDAP attribute wireless as RADIUS attribute Cisco-AVPair = "ssid=mywifi2"

Read the comments in "ldap.attrmap". Specifically you're going to want:

replyItem	Cisco-AVPair	wireless	+=

i.e. you need to use the "operator" field
Re: Accounting
Jonathan Gazeley wrote:
> Phil Mayers wrote:
>> Your NAS needs to support interim accounting.
>>
>> If it does already, it might be as simple as adding:
>>
>> DEFAULT
>> Acct-Interim-Interval = 1800,
>> Fall-Through = yes
>>
>> ...to the "users" file; modify as appropriate of course for your config.
>
> I have added the lines above to my "users" file, replacing 1800 with a value of 20. However, the updates do not occur every 20 minutes. Do I also need to enable something on my NAS (Cisco WiSMs) to allow it to provide accounting on demand?

Not sure. It definitely works; we have it working here. Are you getting *any* accounting from the WISM? You'll need:

radius acct add $server_id $server 1813 ascii secret
wlan radius_server acct add $wlan_id $server_id

I notice we've got:

wlan session-timeout $wlan_id 1800

...statements in our config, but I'm not an expert on the WISMs so I don't know if that's required.

> I did also try to edit the config on my WiSMs to push the accounting every 20 minutes but was unable to get that to work. The guy who primarily looks after the WiSMs is away at the moment.
>
> How is interim accounting normally done? I don't mind if the accounting is pushed or pulled, whatever works.

Accounting is always pushed from the NAS to the Radius server.

> Thanks,
> Jonathan
>
> Jonathan Gazeley
> Systems Support Specialist
> ResNet | Wireless & VPN Team
> Information Services
> University of Bristol
Re: Lost entries from reply with multiple instances of the same attribute
> Konstantin KABASSANOV wrote:
>> Some months ago I mentioned a problem observed while sending Access-Accept with multiple Cisco-AVPair="ssid=..." entries. Even if fields are correctly retrieved from the LDAP server, only the first occurrence of the attribute is sent in the packet. Can you tell me if recent developments have solved this issue?
>
> This issue has been solved for almost 4 years now. Read ldap.attrmap.

Alan, I'd be very happy if it was true, but: Even if my radius server gets the following from the rlm_ldap:

rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute wireless as RADIUS attribute Cisco-AVPair = "ssid=mywifi1"
rlm_ldap: LDAP attribute wireless as RADIUS attribute Cisco-AVPair = "ssid=mywifi2"

the outgoing access-accept packet contains only the first entry:

rlm_ldap: LDAP attribute wireless as RADIUS attribute Cisco-AVPair = "ssid=mywifi1"

FYI the version I use for radius is 2.0.4 so I don't think it is more than 4 years old. In an email sent in April 2008, I saw somebody with a similar problem with another attribute and there was information that the bug was corrected only in unlang. Am I wrong?

Konstantin
Re: Why do I need to force Auth-Type?
Alan DeKok-2 wrote:
>
> List "pap" *inside* of the Autz-Type blocks, *after* your SQL modules.
>
>> This is all done on freeradius 1.1.6 (OSS 10.3)
>
> Ugh. 2.0 is much better.
>
> Alan DeKok.

Thanks for that Alan, that does work as well. However I still don't know why freeradius didn't try pap in the first place. I need to work with the 1.1 series since eventually I need to implement this HP procurve agent for freeradius and I haven't found any support for the 2.0 series yet.

Rg,
Arnaud Loonstra

--
View this message in context: http://www.nabble.com/Why-do-I-need-to-force-Auth-Type--tp18925418p18943719.html
Trivial patch for rlm_acctlog in 2.0.5
Hello to everyone.

As we are preparing for migration to the 2.X version in some of our production systems, I took a closer look at the sources and found the rlm_acctlog module that allows for the logging of various types of accounting messages in the radius logs. Moreover I saw that syslog support in 2.X is vastly improved over the 1.X series. My minor request is, could you include the following patch in later releases (so as to not maintain it internally)?

--- rlm_acctlog.c.orig 2007-11-12 00:11:51.0 +0200 +++ rlm_acctlog.c 2008-08-08 13:54:34.0 +0300 @@ -79,7 +79,7 @@ rlm_acctlog_t *inst; VALUE_PAIR *pair; - charlogstr[MAX_STRING_LEN]; + charlogstr[1024]; int acctstatustype = 0;

The idea is to have a bigger buffer than 253 characters for logging. Some old syslog implementations can have a 1024 character limit I think, so I guess that would be enough :)

Thanks and keep up the good work.

Kostas Zorbadelos
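Review bot: the hunk enlarges only the declaration of logstr, so whatever later fills the buffer must take its size from the array or the change is either a no-op or a hazard. If the call that formats the line passes MAX_STRING_LEN as the output length, the extra room is never used; if it passes a hard-coded length larger than the array, the call now writes past the end. Pass sizeof(logstr) at the call site, and replace the bare 1024 with a named constant carrying a comment on the syslog line-length rationale given in the message, so the declaration and the write length cannot drift apart again.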
Re: rlm_perl not working as expected on 2.0.5
On Tue, August 12, 2008 11:08 am, Ivan Kalik wrote:
> You haven't got
>
> Auth-Type Perl {
> perl
> }
>
> in authentication section of inner-tunnel virtual server. You probably added it just to default one. In default configuration users file is common for all virtual servers.

Excellent! Thanks, Ivan. I must have missed that requirement in the docs.

Regards
Henry
Re: Accounting
20 would mean 20 seconds, not 20 minutes. Does the interim attribute appear in the Access-Accept packet? You can set up interim accounting by passing that radius attribute or it can be fixed in the NAS configuration.

Ivan Kalik
Kalik Informatika ISP

On 12/8/2008, "Jonathan Gazeley" <[EMAIL PROTECTED]> writes:

>Phil Mayers wrote:
>> Your NAS needs to support interim accounting.
>>
>> If it does already, it might be as simple as adding:
>>
>> DEFAULT
>> Acct-Interim-Interval = 1800,
>> Fall-Through = yes
>>
>> ...to the "users" file; modify as appropriate of course for your config.
>
>I have added the lines above to my "users" file, replacing 1800 with a value of 20. However, the updates do not occur every 20 minutes. Do I also need to enable something on my NAS (Cisco WiSMs) to allow it to provide accounting on demand?
>
>I did also try to edit the config on my WiSMs to push the accounting every 20 minutes but was unable to get that to work. The guy who primarily looks after the WiSMs is away at the moment.
>
>How is interim accounting normally done? I don't mind if the accounting is pushed or pulled, whatever works.
>
>Thanks,
>Jonathan
>
>Jonathan Gazeley
>Systems Support Specialist
>ResNet | Wireless & VPN Team
>Information Services
>University of Bristol
Re: invalid login attempts user lockout
Alan DeKok wrote:
>> Does anyone know of RadiusServer denying access for a particular user after a configurable number of invalid login attempts.
>
> You need to track this information yourself. It requires a DB, and some custom code on the server. I suggest using rlm_perl.

And what can you say about rlm_caching?

--
With best regards,
Evgeniy Kozhuhovskiy,
Leader of Services team,
Minsk State Phony Network, RUE Beltelecom.
Re: Accounting
Phil Mayers wrote:
> Your NAS needs to support interim accounting.
>
> If it does already, it might be as simple as adding:
>
> DEFAULT
> Acct-Interim-Interval = 1800,
> Fall-Through = yes
>
> ...to the "users" file; modify as appropriate of course for your config.

I have added the lines above to my "users" file, replacing 1800 with a value of 20. However, the updates do not occur every 20 minutes. Do I also need to enable something on my NAS (Cisco WiSMs) to allow it to provide accounting on demand?

I did also try to edit the config on my WiSMs to push the accounting every 20 minutes but was unable to get that to work. The guy who primarily looks after the WiSMs is away at the moment.

How is interim accounting normally done? I don't mind if the accounting is pushed or pulled, whatever works.

Thanks,
Jonathan

Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless & VPN Team
Information Services
University of Bristol
Re: rlm_perl not working as expected on 2.0.5
You haven't got

Auth-Type Perl {
perl
}

in the authentication section of the inner-tunnel virtual server. You probably added it just to the default one. In the default configuration the users file is common for all virtual servers.

Ivan Kalik
Kalik Informatika ISP

On 11/8/2008, "Henry" <[EMAIL PROTECTED]> writes:

>Greetings,
>
>I'm busy trying out Freeradius 2.0.5 before upgrading from 1.1.0, and so far everything looks good. I would like to try out rlm_perl since it presents some interesting possibilities, but am having a spot of bother.
>
>I followed the howto here: http://wiki.freeradius.org/Rlm_perl
>
>rlm_perl isn't even loaded/instantiated unless I add 'perl' to the instantiate section of radiusd.conf.
>
>Even if I do, however, I keep getting this error:
>
>"Parse error (check) for entry DEFAULT: Unknown value Perl for attribute Auth-Type"
>
>Any pointers on what I'm missing/doing wrong would be appreciated.
>
>Thanks
>Henry
>
>Here's the debug:
>
>Mon Aug 11 15:58:53 2008 : Info: FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Aug 8 2008 at 18:56:21
>Mon Aug 11 15:58:53 2008 : Info: Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
>Mon Aug 11 15:58:53 2008 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>Mon Aug 11 15:58:53 2008 : Info: PARTICULAR PURPOSE.
>Mon Aug 11 15:58:53 2008 : Info: You may redistribute copies of FreeRADIUS under the terms of the
>Mon Aug 11 15:58:53 2008 : Info: GNU General Public License v2.
>Mon Aug 11 15:58:53 2008 : Info: Starting - reading configuration files ...
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/radiusd.conf
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/proxy.conf
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/clients.conf
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/snmp.conf
>Mon Aug 11 15:58:53 2008 : Debug: including files in directory /usr/local/freeradius-2.0.5/etc/raddb/modules/
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/policy
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/acct_unique
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/unix
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/chap
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/preprocess
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/expiration
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/mac2vlan
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/mschap
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/ippool
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/files
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/krb5
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/passwd
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/radutmp
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/attr_rewrite
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/echo
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/etc_group
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/pap
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/realm
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/pam
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/always
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/exec
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/logintime
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/sql_log
>Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/sm
Re: get problem with freeradius with LDAP authenticate
chenweiting wrote:
> rlm_ldap: (re)connect to ldap.icpdd.neca.nec.com.au:389, authentication 0
> ld.so.1: radiusd: fatal: relocation error: file /usr/local/lib/rlm_ldap-1.1.7.so: symbol ldap_int_tls_config: referenced symbol not found
> Killed
>
> Any idea for this issue?

A couple. Do you have more than one installation of freeradius? How did you build the server?
Re: Freeradius + OpenLDAP
thanks

On Tue, Aug 12, 2008 at 5:24 PM, Maurizio Cimaschi <[EMAIL PROTECTED]> wrote:
> Tried to find one, but they are all about the old 1.x version.
>
> Having just done a similar configuration I can suggest you to read some of them, most of the information still applies. If you're interested in authenticating wi-fi users there is some specific information on the wiki.freeradius.org.
>
> Remember to check the "modules/ldap" configuration file.
>
> I have a limited experience, but you can ask if you have any problems.
>
> Bye.
>
> Ivan . wrote:
>> Hi
>>
>> Does anyone have any links to some decent "how tos" for integrating OpenLDAP into freeradius for user management?
>>
>> Thanks
>> Ivan
Re: Possible bug in shipped configuration file.
Maurizio Cimaschi wrote:
> I'm not an expert in this application and I don't know why that part was uncommented, but, may I suggest to uncomment that part in the configuration file ?

I mean, may I suggest to *comment* that part in the default configuration file. (Sorry for the mistype).
get problem with freeradius with LDAP authenticate
Dear all,

I am trying to configure freeradius 1.1.7 on Solaris10 to authenticate with ldap server. After I configure it, radiusd -X -A running well, once I run radtest I got the error as below:

==
./radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded LDAP
ldap: server = "ldap.icpdd.neca.nec.com.au"
ldap: port = 389
ldap: net_timeout = 10
ldap: timeout = 30
ldap: timelimit = 3
ldap: identity = ""
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = ""
ldap: basedn = "ou=people,dc=icpdd,dc=neca,dc=nec,dc=com,dc=au"
ldap: filter = "(uid=%u)"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "(null)"
ldap: access_attr = "dialupAccess"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped t
Re: Freeradius + OpenLDAP
Tried to find one, but they are all about the old 1.x version.

Having just done a similar configuration I can suggest you to read some of them, most of the information still applies. If you're interested in authenticating wi-fi users there is some specific information on the wiki.freeradius.org.

Remember to check the "modules/ldap" configuration file.

I have a limited experience, but you can ask if you have any problems.

Bye.

Ivan . wrote:
> Hi
>
> Does anyone have any links to some decent "how tos" for integrating OpenLDAP into freeradius for user management?
>
> Thanks
> Ivan
Freeradius + OpenLDAP
Hi

Does anyone have any links to some decent "how tos" for integrating OpenLDAP into freeradius for user management?

Thanks
Ivan
Re: invalid login attempts user lockout
I am sorry, I think I found a similar reference in the mailing list.

http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-November/msg00057.html

thanks all.

On Tue, Aug 12, 2008 at 12:34 PM, Sudarshan Soma <[EMAIL PROTECTED]> wrote:
> Hi All,
> Does anyone know of RadiusServer denying access for a particular user after a configurable number of invalid login attempts. I know this can be done on the client side with pam modules. But I thought since radius users are same across multiple nodes connected to radiusserver, it would be a useful option to lockout at radius server level.
>
> Please let me know if anyone is aware of this scenario.
>
> Regards,
> Pavan.
Possible bug in shipped configuration file.
Hi,

I don't know if this has been reported/discussed before, but it happened to me last week.

I was trying to set up a freeradius (2.0.5) to authenticate requests from my access point (using WPA Enterprise) against an LDAP server. It was working fine using the "radclient", but the requests from the AP were bounced claiming that no authentication method was set. I checked the configuration file more than once, googled a lot but was unable to solve it.

After almost a day of trying, I noticed a line in the debug (radiusd -X) that said something about proxying. So I remembered to have seen a statement in the "inner-server" configuration:

#update control {
# Proxy-To-Realm := LOCAL
#}

In the configuration file installed by the installation procedure that part was uncommented; adding the comments was enough to make the server work.

I'm not an expert in this application and I don't know why that part was uncommented, but, may I suggest to uncomment that part in the configuration file ?

Thank you for your great work.

Bye.
Re: invalid login attempts user lockout
Sudarshan Soma wrote:
> Does anyone know of RadiusServer denying access for a particular user after a configurable number of invalid login attempts.

You need to track this information yourself. It requires a DB, and some custom code on the server. I suggest using rlm_perl.

Alan DeKok.
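Alan's answer is that lockout state lives outside the server core: a store keyed by user plus policy code that consults it. The following is an added example, not FreeRADIUS code and not the rlm_perl module he suggests, that models the decisions that code has to make: a failure window, a threshold, a lock duration, a reset on success, and a check that runs in authorize before any password is tried. Thresholds, user names and timestamps are constructed; a real deployment would persist the state in the DB Alan mentions rather than in memory.

```python
"""Failed-login lockout tracker, modelling the 'track it yourself' logic above.

Added example; not FreeRADIUS or rlm_perl code. State is kept in memory here
for clarity; the same records (recent failure times and a lock expiry, keyed
by user) are what a module would read and write in a database. Timestamps are
plain seconds so the behaviour is deterministic and testable.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # failures inside the window that trigger a lock
    window_seconds: int = 300    # failures older than this are forgotten
    lockout_seconds: int = 900   # how long the account is refused once locked


@dataclass
class _UserState:
    failures: List[float] = field(default_factory=list)  # times of recent failures
    locked_until: float = 0.0


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._state: Dict[str, _UserState] = {}

    def _prune(self, st: _UserState, now: float) -> None:
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state.get(user)
        return st is not None and now < st.locked_until

    def authorize(self, user: str, now: float) -> str:
        """Decision for the authorize stage, before any password check: 'reject' or 'ok'."""
        return "reject" if self.is_locked(user, now) else "ok"

    def record_failure(self, user: str, now: float) -> bool:
        """Record a bad password; return True if this failure started a lockout."""
        st = self._state.setdefault(user, _UserState())
        self._prune(st, now)
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()  # the lock, not the counter, now governs the account
            return True
        return False

    def record_success(self, user: str, now: float) -> None:
        """A correct password clears the failure history but never shortens an active lock."""
        st = self._state.get(user)
        if st is not None:
            st.failures.clear()


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=120))
    for t in (1, 2, 3):  # three bad passwords for "bob" within the window (constructed)
        locked = tracker.record_failure("bob", t)
        print(f"t={t}: failure recorded, lockout started: {locked}")
    print("t=10:", tracker.authorize("bob", 10))
    print("t=124:", tracker.authorize("bob", 124))
```

Two caveats a practitioner would want before deploying this. Keying purely on User-Name turns the lockout into a denial-of-service tool against any account whose name is known, so production policies usually key on (User-Name, Calling-Station-Id) or rate-limit rather than hard-lock; and with tunnelled EAP methods the outer identity may be anonymous, so the check belongs in the inner-tunnel virtual server where the real user name is seen.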
Re: Why do I need to force Auth-Type?
sphaero wrote:
> In a previous post "PAP what password encryption is used?" I managed to get authentication working with a mssql backend however I need to force Auth-Type := PAP. I read it's bad practice to force the Auth-Type so I was wondering what I could do to let freeradius figure the authentication itself.

List "pap" *inside* of the Autz-Type blocks, *after* your SQL modules.

> This is all done on freeradius 1.1.6 (OSS 10.3)

Ugh. 2.0 is much better.

Alan DeKok.
invalid login attempts user lockout
Hi All,

Does anyone know of RadiusServer denying access for a particular user after a configurable number of invalid login attempts. I know this can be done on the client side with pam modules. But I thought since radius users are same across multiple nodes connected to radiusserver, it would be a useful option to lockout at radius server level.

Please let me know if anyone is aware of this scenario.

Regards,
Pavan.