Re: cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)
William Hegardt wrote:
> EAP-TLS authentication fails with the fatal "unknown ca" message.

The server cert may need to be marked with CA:true

> If I hack the Makefile like Sergio mentioned last month to sign the client certificate with the CA key, then authentication succeeds.

That can work, too.

> I'd really like to understand what's wrong. Could wpa_supplicant be somehow incompatible with the bootstrap certificate chain?

It's OpenSSL on both ends. wpa_supplicant and FreeRADIUS are just wrappers to get the SSL data back and forth.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 2.0.5 on Solaris with openssl 0.9.8h [SEC=UNCLASSIFIED]
Rafiqul Ahsan wrote:
> Thank you for your responses, and I appreciate your time. I have a few Sun machines, T2000, V210 - all of them have Solaris 10 with /usr/sfw/ dirs...

I would suggest asking Sun for help with this issue. It's a problem specific to Solaris, and in the end, has very little to do with FreeRADIUS.

> 3. ./configure --prefix=/usr/local --with-openssl-includes=/usr/local/ssl/include --with-openssl-libraries=/usr/local/ssl/lib
>
> See the below WARNING :

sigh

You've just managed to ignore most of the output of configure, and everything related to how it finds OpenSSL. I have no idea why you think this is useful.

Alan DeKok.
Re: SQL connection dropped
leopold wrote:
> I am facing a problem with the SQL module that drops connections after some period of time, and I have to bounce the FreeRADIUS process in order to establish the db connection again. When I run netstat I see open connections to the DB, and then after some time the sockets are closed and all radius requests are rejected. I am using the latest FreeRADIUS 2.0.5 with the DB2 backend.

I don't know of many people using the DB2 backend. I would suggest running it in debugging mode to see why the connections are dropping. It's either the DB2 client library, or some other networking thing.

FreeRADIUS does *not* drop the connections itself.

Alan DeKok.
Re: Problems with EAP and LDAP replyItems (2.0.2)
Original message
Date: Tue, 19 Aug 2008 17:37:34 +0200
From: [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Problems with EAP and LDAP replyItems (2.0.2)

> Hi Guys,
>
> Since freeradius2 has some major improvements I am trying to upgrade from 1.1.4. Unfortunately there are a few problems I encounter: for some weird reason the server isn't sending my LDAP replyItems back to the NAS along with the Access-Accept packet. In short, I want to authenticate using EAP/PEAP against the server, which itself checks against our LDAP server. Additionally the server should also send back a specific replyItem stored in our LDAP.
>
> The configuration looks like:
>
> authorize {
>     preprocess
>     eap {
>         ok = return
>     }
>     ldap1
> }
>
> authenticate {
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     eap
> }
>
> In ldap.attrmap the following is configured:
>
> replyItem    Airespace-Interface-Name    radiusCallingStationId
>
> so the LDAP attribute radiusCallingStationId should be transformed to an attribute called Airespace-Interface-Name and sent back to the NAS. As you can see in the following debug output, at the beginning the server sends the attribute back as supposed, but for some weird reason in the Access-Accept packet the attribute isn't sent along. What's wrong here?
>
> Thanks in advance!
>
> debug output: [cut]

No one has any clue why this doesn't work? I really wanted to deploy the server tonight. Any help is welcome!

thanks,
Peter
Re: Problems with EAP and LDAP replyItems (2.0.2)
radiusCallingStationId is already mapped as Calling-Station-Id. Use another ldap attribute name for this.

Ivan Kalik
Kalik Informatika ISP

On 20/8/2008, [EMAIL PROTECTED] wrote:
> In ldap.attrmap the following is configured:
>
> replyItem    Airespace-Interface-Name    radiusCallingStationId
>
> so the LDAP attribute radiusCallingStationId should be transformed to an attribute called Airespace-Interface-Name and sent back to the NAS. As you can see in the following debug output, at the beginning the server sends the attribute back as supposed, but for some weird reason in the Access-Accept packet the attribute isn't sent along. What's wrong here?
Mikrotik as NAS with PPPoE - checkval
Hi!

I want to bind a login with Calling-Station-Id but I've got problems...

* I've added the Calling-Station-Id to the mysql radcheck table.
* I've turned on rlm_checkval by adding it into the authorize section.
* I've set the notfound-reject variable to yes.

I get the following errors in debug:

rlm_checkval: Item Name: Calling-Station-Id, Value: 00:11:22:33:44:55
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound

What is the problem? Please help!

Thanks for all!!!

--
Maciej Drobniuch
Re: Problems with EAP and LDAP replyItems (2.0.2)
Original message
Date: Wed, 20 Aug 2008 09:18:57 +0100
From: Ivan Kalik [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Problems with EAP and LDAP replyItems (2.0.2)

> radiusCallingStationId is already mapped as Calling-Station-Id. Use another ldap attribute name for this.
>
> Ivan Kalik
> Kalik Informatika ISP

I commented the original line containing the mapping between Calling-Station-Id and radiusCallingStationId out. So there shouldn't be any complications. By the way, it's independent from the attribute name, so even if I change the source LDAP attribute, the problem still occurs.

thanks,
Peter
Re: I've started to put the book online
at least an RFC with a book.

2008/8/20 Do Nguyen Ha [EMAIL PROTECTED]:
> It's good news for everyone who loves FreeRadius :)
>
> > Date: Tue, 19 Aug 2008 09:23:06 +0200
> > From: Alan DeKok [EMAIL PROTECTED]
> > Subject: I've started to put the book online
> > To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> >
> > http://deployingradius.com/book/
> >
> > Only parts of the first chapter are online. It covers the basic concepts behind RADIUS, and should hopefully address a number of common misunderstandings about how it all works.
> >
> > Keep checking the site. More will be coming later.
> >
> > Alan DeKok.
Re: Auth-Type := Accept - CHAP problems
Hi Alan,

Alan DeKok wrote:
> :) It's simple... just read 1000's of lines of debugging output, and hordes of miscellaneous unrelated unorganized documentation files. :-P
>
> > We have several different users in the users file, which works fine. Now we want the radius to always answer with OK and no more "Login incorrect" - but with other options than a correct user. We appended in the config:
> >
> > DEFAULT Auth-Type := Accept
> > ...
> > users: Matched entry DEFAULT at line 2
>
> Is that entry at line 2 of the users file? If not, the server is matching an earlier entry, and not the one with Accept.

That's another DEFAULT entry to select between machines. The Accept is at the end after all users.

Now we've put the Accept before the users and - same problem! Different effect... With PAP everything works - but with CHAP: CHAP passwords don't get checked and if the username is correct the user gets the wrong options. Not really better...

Why does it work with PAP but not with CHAP? Maybe that's a bug?

Greetings
Thomas
Re: Auth-Type := Accept - CHAP problems
> CHAP passwords don't get checked and if the username is correct the user gets the wrong options. Not really better...

Add Fall-Through = Yes to the DEFAULT entry if you want to check entries that come later in the users file.

Ivan Kalik
Kalik Informatika ISP
Re: Mikrotik as NAS with PPPoE - checkval
> I want to bind a login with Calling-Station-Id but I've got problems...
>
> * I've added the Calling-Station-Id to the mysql radcheck table.
> * I've turned on rlm_checkval by adding it into the authorize section.
> * I've set the notfound-reject variable to yes.
>
> I get the following errors in debug:
>
> rlm_checkval: Item Name: Calling-Station-Id, Value: 00:11:22:33:44:55
> rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
> ++[checkval] returns notfound
>
> What is the problem?

Why do you need checkval? User will be rejected if there is no Calling-Station-Id in the request anyway since you have that attribute in radcheck.

Ivan Kalik
Kalik Informatika ISP
RE: clients.conf - identifying a client - sql/ldap
> Johan Meiring wrote:
> > Is there any way to handle clients with dynamic IPs, and use the NAS-Identifier and radius secret to allow/disallow the NAS?
>
> The current git tree has functionality that should do this. See git.freeradius.org, and read raddb/sites-available/dynamic-clients.
>
> The idea is to define the network 0.0.0.0/0 as you do now, and then dynamically create the client definition the first time the server receives a packet from that client. You can use unlang to check the NAS-Identifier, and then define a shared secret for that NAS.
>
> There are limitations, of course. See the configuration file for details.

Hi Alan,

It seems exactly what I want; I'm getting there but not quite.

Using the sites-available as an example I created the following: a virtual server with an authorize section that will create the client. Tested working using static info.

---
server dymamic_nas {
    authorize {
        update control {
            FreeRADIUS-Client-IP-Address = %{Packet-Src-IP-Address}
            FreeRADIUS-Client-Require-MA = no
            FreeRADIUS-Client-Secret = test-secret
            FreeRADIUS-Client-Shortname = %{Packet-Src-IP-Address}
            FreeRADIUS-Client-NAS-Type = other
            FreeRADIUS-Client-Virtual-Server = hotspot
        }
        ok
    }
}
---

Works perfectly.

Now I replace the static info above with a SQL query, again using the example:

---
server dymamic_nas {
    authorize {
        if (%{sql: select NasID from Nas where Identifier='%{NAS-Identifier}'}) {
            update control {
                FreeRADIUS-Client-IP-Address = %{Packet-Src-IP-Address}
                FreeRADIUS-Client-Require-MA = no
                FreeRADIUS-Client-Secret = %{sql: select RadiusSecret from Nas where Identifier='%{NAS-Identifier}'}
                FreeRADIUS-Client-Shortname = %{NAS-Identifier}
                FreeRADIUS-Client-NAS-Type = other
                FreeRADIUS-Client-Virtual-Server = hotspot
            }
            ok
        }
    }
}
---

The problem is that %{NAS-Identifier} expands to nothing. This seems to be confirmed by the documentation:

---
# The request that is processed through this section
# is EMPTY. There are NO attributes. The request is fake,
# and is NOT the packet that triggered the lookup of
# the dynamic client.
#
# The ONLY piece of useful information is either
#
# Packet-Src-IP-Address (IPv4 clients)
# Packet-Src-IPv6-Address (IPv6 clients)
---

The documentation however mentions that I can somehow get hold of the NAS-Identifier and use it to set the shared secret:

---
# You can use any policy here. e.g. Check NAS-Identifier,
# and define a shared secret by NAS-Identifier, rather than
---

How do I get hold of the NAS-Identifier in order to find the required secret?

Thanks!!!

> Alan DeKok.
RE: Mikrotik as NAS with PPPoE - checkval
Yes, you needn't. What you need is to create a normal user account and add these attributes in radreply:

Framed-Protocol = PPP,
Framed-IP-Address = 10.0.0.x,
Framed-IP-Netmask = 255.255.255.0,

Be careful because you have to modify the ppp profiles in the Mikrotik client in the option /ppp profiles. You have to set the remote address with the PPP gateway. See the next example where my PPP gateway is 10.200.0.10

/ppp profile set default change-tcp-mss=yes comment="" name=default only-one=default \
    remote-address=10.200.0.10 use-compression=default use-encryption=default \
    use-vj-compression=default

You set the pptp/l2tp client with this profile when you insert the username/password. You needn't add a default route. If you need more help, ask for it and I will send you my manual in Spanish.

Santiago

> To: freeradius-users@lists.freeradius.org
> Subject: Re: Mikrotik as NAS with PPPoE - checkval
> Date: Wed, 20 Aug 2008 11:26:05 +0100
> From: [EMAIL PROTECTED]
>
> > I want to bind a login with Calling-Station-Id but I've got problems...
>
> Why do you need checkval? User will be rejected if there is no Calling-Station-Id in the request anyway since you have that attribute in radcheck.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Auth-Type := Accept - CHAP problems
Ivan Kalik wrote:
> Add Fall-Through = Yes to the DEFAULT entry if you want to check entries that come later in the users file.

Fall-Through is active. With PAP it works - but not with CHAP. That's the problem ... I think the CHAP module handles wrong passwords and auth-type differently than the rlm_pap module.

Config looks like this:

DEFAULT Auth-Type := Accept
        ERX-Virtual-Router-Name = vpn:XXX,
        ERX-Egress-Policy-Name = XXX,
        ERX-Local-Loopback-Interface = "loopback 255",
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

Test100 Password = Test100
        ERX-Virtual-Router-Name := YYY,
        ERX-Egress-Policy-Name := YYY

We're using Version 1.1.6 and will give 2.0.5 a try...

--
Thomas Buchberger
Re: Auth-Type := Accept - CHAP problems
> Config looks like this:
>
> DEFAULT Auth-Type := Accept

That would make any protocol irrelevant. pap or chap.

>         ERX-Virtual-Router-Name = vpn:XXX,
>         ERX-Egress-Policy-Name = XXX,
>         ERX-Local-Loopback-Interface = "loopback 255",
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Fall-Through = Yes
>
> Test100 Password = Test100

That is not a correct password attribute for 1.1.6. You should use Cleartext-Password. Read the instructions in the users file. Password was deprecated ages ago and no wonder chap is not using it.

>         ERX-Virtual-Router-Name := YYY,
>         ERX-Egress-Policy-Name := YYY
>
> We're using Version 1.1.6 and will give 2.0.5 a try...

Ivan Kalik
Kalik Informatika ISP
EAP-TNC supported?
Hello everybody,

I've got two questions:

- I read in Wikipedia that the spring 2008 release of FreeRadius has experimental EAP-TNC support. I couldn't find any information on the FreeRadius homepage or wiki that this information is correct. Has FreeRadius EAP-TNC support? And how experimental is the EAP-TNC support?

- In case FreeRadius supports EAP-TNC, is it possible to run EAP-TNC inside an EAP-TTLS tunnel? EAP-TTLS as outer method and EAP-TNC as inner method?

Hope anybody can help me!

Thank you in advance

Regards
Martin
Re: Mikrotik as NAS with PPPoE - checkval
I want to check by the pppd 3 attributes that must match:

- Login
- Password
- MAC Address

So someone on another machine who uses the login and the password will be rejected. The Mikrotik NAS doc shows that there is a Calling-Station-ID: http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_radius.php

I want EVERYONE to be checked for the calling station id.

Thank you for the reply.

On Wed, 20 Aug 2008 11:26:05 +0100, Ivan Kalik [EMAIL PROTECTED] wrote:
> > I want to bind a login with Calling-Station-Id but I've got problems...
>
> Why do you need checkval? User will be rejected if there is no Calling-Station-Id in the request anyway since you have that attribute in radcheck.
>
> Ivan Kalik
> Kalik Informatika ISP

--
Maciej Drobniuch
RE: Mikrotik as NAS with PPPoE - checkval
Thank you for the reply but you did miss the point of Calling-Station-ID

Greetz!

On Wed, 20 Aug 2008 12:05:58, Santiago Balaguer García [EMAIL PROTECTED] wrote:
> Yes, you needn't. What you need is to create a normal user account and add these attributes in radreply:
>
> Framed-Protocol = PPP,
> Framed-IP-Address = 10.0.0.x,
> Framed-IP-Netmask = 255.255.255.0,
>
> Be careful because you have to modify the ppp profiles in the Mikrotik client in the option /ppp profiles. You have to set the remote address with the PPP gateway. See the next example where my PPP gateway is 10.200.0.10
>
> /ppp profile set default change-tcp-mss=yes comment="" name=default only-one=default \
>     remote-address=10.200.0.10 use-compression=default use-encryption=default \
>     use-vj-compression=default
>
> You set the pptp/l2tp client with this profile when you insert the username/password. You needn't add a default route. If you need more help, ask for it and I will send you my manual in Spanish.
>
> Santiago

--
Maciej Drobniuch
Re: Mikrotik as NAS with PPPoE - checkval
id   | username | attribute          | value             | op
1139 | gojko    | Calling-Station-Id | 00:50:70:AE:04:54 | ==

Mikrotik wants an uppercase MAC address and OP must be ==. It works for me and you need to insert this in the radcheck table.

On Wed, Aug 20, 2008 at 2:34 PM, Maciej Drobniuch [EMAIL PROTECTED] wrote:
> Thank you for the reply but you did miss the point of Calling-Station-ID
>
> Greetz!
>
> --
> Maciej Drobniuch
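To spell out the row Marinko gives, here is an added example (my own code, not from the thread and not FreeRADIUS's own) that normalises a MAC address into the uppercase colon-separated form RouterOS sends as Calling-Station-Id, emits the radcheck row with op ==, and mirrors the server's exact string comparison of a check item against the request, so the case-sensitivity trap is visible. The check-item evaluation is a simplified model of how radcheck rows are compared, and all rows and request attributes are constructed sample values.

```python
import re
from typing import Dict, List, Tuple


def normalize_mac(raw: str) -> str:
    """Canonical form for RouterOS: six uppercase hex pairs separated by colons.
    Accepts colon, dash, dot (Cisco) or bare 12-digit forms in either case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def radcheck_row(username: str, mac: str) -> Dict[str, str]:
    """The radcheck row from the reply above: op must be == so the request
    value is compared rather than merely set."""
    return {"username": username, "attribute": "Calling-Station-Id",
            "op": "==", "value": normalize_mac(mac)}


def radcheck_insert(row: Dict[str, str]) -> Tuple[str, Tuple[str, ...]]:
    """Parameterised INSERT for the default radcheck schema (no string
    concatenation, so an attacker-supplied username cannot alter the query)."""
    sql = "INSERT INTO radcheck (username, attribute, op, value) VALUES (%s, %s, %s, %s)"
    return sql, (row["username"], row["attribute"], row["op"], row["value"])


def check_items_match(rows: List[Dict[str, str]], request: Dict[str, str]) -> bool:
    """Simplified model of check-item evaluation: every '==' row must find an
    equal attribute in the Access-Request. String attributes compare exactly
    (case-sensitive), so a lowercase MAC does not match an uppercase row and
    a missing Calling-Station-Id fails the check outright."""
    for row in rows:
        if row["op"] != "==":
            continue
        if request.get(row["attribute"]) != row["value"]:
            return False
    return True


if __name__ == "__main__":
    row = radcheck_row("gojko", "00-50-70-ae-04-54")   # constructed sample user
    print(radcheck_insert(row))
    # Constructed Access-Request attributes as a RouterOS NAS would send them.
    request = {"User-Name": "gojko", "Calling-Station-Id": "00:50:70:AE:04:54"}
    print(check_items_match([row], request))
```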
Re: Mikrotik as NAS with PPPoE - checkval
It works now properly! BIG THANKS!

On Wed, 20 Aug 2008 14:40:12 +0200, Marinko Tarlac [EMAIL PROTECTED] wrote:
> id   | username | attribute          | value             | op
> 1139 | gojko    | Calling-Station-Id | 00:50:70:AE:04:54 | ==
>
> Mikrotik wants an uppercase MAC address and OP must be ==. It works for me and you need to insert this in the radcheck table.

--
Maciej Drobniuch
expiration or session-timeout
Hi, here is something I can't understand.

If I set some user's Expiration attribute to, for example, 23.08.2008, and this user is connected to my NAS, how will the NAS stop that user?

Better explanation: I have set up a Mikrotik hotspot with radius authorization. Authorization works. The user has access with the given username and password, but I want to give the user access to the service for, for example, 7 days. The Expiration attribute gives me the ability to set the date when the account expires. What happens on that given date? How will radius tell the NAS to unsubscribe (cancel) access of that user?

Thanks

ps. sorry for bad english :(
Re: expiration or session-timeout
It calculates the maximal session time and sends it to the NAS as Session-Timeout. If your NAS supports the Session-Timeout attribute (and most do) the user will be signed off by the NAS if he is still logged on at the expiration time.

Ivan Kalik
Kalik Informatika ISP

On 20/8/2008, Bozhan Boiadzhiev [EMAIL PROTECTED] wrote:
> If I set some user's Expiration attribute to, for example, 23.08.2008, and this user is connected to my NAS, how will the NAS stop that user?
> [...]
> What happens on that given date? How will radius tell the NAS to unsubscribe (cancel) access of that user?
Re: EAP-TNC supported?
Martin Schneider wrote:
> - I read in Wikipedia that the spring 2008 release of FreeRadius has experimental EAP-TNC support. I couldn't find any information on the FreeRadius homepage or wiki that this information is correct. Has FreeRadius EAP-TNC support? And how experimental is the EAP-TNC support?

It's very experimental. Some people have gotten it to work, but I don't think it's ready for production use.

> - In case FreeRadius supports EAP-TNC, is it possible to run EAP-TNC inside an EAP-TTLS tunnel? EAP-TTLS as outer method and EAP-TNC as inner method?

No. EAP-TNC is designed to be run as an authorization method *after* the user has been authenticated. It *cannot* be run all by itself inside of a TTLS tunnel.

You can run it inside of the TTLS tunnel after another EAP method has been executed. You may have to edit the source code to get this to work.

Alan DeKok.
Re: FreeRadius 2.0.5 AD PEAP
Brooks, Kyle wrote:
> I have run the test as recommended and attached the results. eapol_test does fail ...
>
> EAP-MSCHAPV2: Invalid authenticator response in success request

That's pretty definitive. Hmm... it means that the MSCHAP-Success attribute sent by the server is wrong.

Perhaps try it with a Cleartext-Password in the users file. i.e. *Without* using ntlm_auth. That works for me, including with eapol_test, and TTLS/EAP-MSCHAPv2.

If that still fails, then there's something wrong with the system that breaks the server in 2.0.5.

> FYI: Unknown network block for the CA_CERT with regards to the eapol test config file

What does that mean?

Alan DeKok.
Re: Auth-Type := Accept - CHAP problems
Thomas Buchberger wrote:
> With PAP it works - but not with CHAP. That's the problem ... I think the CHAP module handles wrong passwords and auth-type differently than the rlm_pap module.

No. It doesn't.

> Config looks like this:
>
> DEFAULT Auth-Type := Accept

This completely bypasses any password checks.

>         ERX-Virtual-Router-Name = vpn:XXX,
>         ERX-Egress-Policy-Name = XXX,
>         ERX-Local-Loopback-Interface = "loopback 255",
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Fall-Through = Yes
>
> Test100 Password = Test100

Use:

Test100 Cleartext-Password := "Test100"

That's been documented since at least 1.1.4.

Alan DeKok.
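To make concrete what Ivan's and Alan's replies in this thread are saying, here is an added example (my own code, not from the thread and not FreeRADIUS's rlm_chap) of the CHAP check a RADIUS server performs: per RFC 2865 section 5.3 it recomputes MD5(CHAP-Ident || cleartext password || challenge), so it needs the cleartext password, and a DEFAULT entry with Auth-Type := Accept skips that check entirely. The users-file matching in `authorize` is a deliberate simplification (a per-user entry or DEFAULT, no Fall-Through), and every credential and challenge value is constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional

# RFC 2865 section 5.3: CHAP-Password carries 1 octet of CHAP Ident followed by
# the 16-octet MD5 response. The challenge is the CHAP-Challenge attribute if the
# NAS sent one, otherwise the 16-octet Request Authenticator of the Access-Request.


def chap_response(ident: int, cleartext_password: str, challenge: bytes) -> bytes:
    """MD5(Ident || password || challenge): computed by the client, recomputed by the server."""
    return hashlib.md5(bytes([ident]) + cleartext_password.encode() + challenge).digest()


def build_chap_password(ident: int, cleartext_password: str, challenge: bytes) -> bytes:
    """Client side: the 17-octet value of the CHAP-Password attribute."""
    return bytes([ident]) + chap_response(ident, cleartext_password, challenge)


def verify_chap(chap_password: bytes, cleartext_password: Optional[str],
                request_authenticator: bytes, chap_challenge: Optional[bytes] = None) -> bool:
    """Server side: True only if the response matches the stored cleartext password."""
    if len(chap_password) != 17:
        return False
    if cleartext_password is None:
        # Nothing to hash with: an entry that only carries the deprecated "Password"
        # attribute gives the CHAP check no usable secret, so it can never succeed.
        return False
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(chap_password[0], cleartext_password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def authorize(users: Dict[str, Dict[str, str]], username: str,
              chap_password: bytes, request_authenticator: bytes) -> str:
    """Simplified users-file policy: the per-user entry wins, else DEFAULT (no Fall-Through).
    Returns "Access-Accept" or "Access-Reject"."""
    entry = users.get(username, users.get("DEFAULT"))
    if entry is None:
        return "Access-Reject"
    if entry.get("Auth-Type") == "Accept":
        # Auth-Type := Accept: no authentication method runs, so no password is checked.
        return "Access-Accept"
    if verify_chap(chap_password, entry.get("Cleartext-Password"), request_authenticator):
        return "Access-Accept"
    return "Access-Reject"


if __name__ == "__main__":
    authenticator = bytes(range(16))                     # constructed Request Authenticator
    good = build_chap_password(7, "Test100", authenticator)
    bad = build_chap_password(7, "wrong", authenticator)
    with_cleartext = {"Test100": {"Cleartext-Password": "Test100"}}
    accept_all = {"DEFAULT": {"Auth-Type": "Accept"}}
    print(authorize(with_cleartext, "Test100", good, authenticator))   # Access-Accept
    print(authorize(with_cleartext, "Test100", bad, authenticator))    # Access-Reject
    print(authorize(accept_all, "Test100", bad, authenticator))        # Access-Accept
```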
Re: clients.conf - identifying a client - sql/ldap
Johan Meiring wrote:
> Using the sites-available as an example I created the following: a virtual server with an authorize section that will create the client. Tested working using static info.
> ...
> Works perfectly.

As designed.

> Now I replace the static info above with a SQL query, again using the example:
>
> server dymamic_nas {
>     authorize {
>         if (%{sql: select NasID from Nas where Identifier='%{NAS-Identifier}'}) {

OK...

> The problem is that %{NAS-Identifier} expands to nothing. This seems to be confirmed by the documentation.

Ah... good point. Hmm... it's probably worth copying the NAS-Identifier to the fake packet. It's just useful enough to be worth it.

> The documentation however mentions that I can somehow get hold of the NAS-Identifier and use it to set the shared secret.

That's the intent, but the code doesn't match.

> # You can use any policy here. e.g. Check NAS-Identifier,
> # and define a shared secret by NAS-Identifier, rather than
>
> How do I get hold of the NAS-Identifier in order to find the required secret?

Give me a bit, and I'll go poke the code.

Alan DeKok.
Re: Re: expiration or session-timeout
ok thanks one more thing. is it possible to set timestamps instead of dates as Expiration attribute. I need this for example if i want to give a given customer access to internet for one day. As i understand Expiration attribute can get only date values. Can i set timestamp and radius to send Session-Timeout to NAS at that time, for example instead of 00:00 on given date at 13:45 on that date?

Original message
From: Ivan Kalik
Subject: Re: expiration or session-timeout
To: FreeRadius users mailing list
Sent: Wednesday, 2008, August 20 16:52:18 EEST

It calculates maximal session time and sends it to NAS as Session-Timeout. If your NAS supports Session-Timeout attribute (and most do) user will be signed off by the NAS if he is still logged on at the expiration time.

Ivan Kalik
Kalik Informatika ISP

On 20/8/2008, Bozhan Boiadzhiev writes: Hi, here is something i can't understand. If i set some user Expiration attribute for example 23.08.2008, and this user is connected to my NAS, how NAS will stop that user. Better explanation. I have setup mikrotik hotspot with radius authorization. Authorization works. User have access with given username and password, but i want to give user access to service for example for 7 days. Expiration attribute give me ability to set date when account expires. What happen on that given date. How radius will tell NAS to unsubscribe (cancel) access of that user. Thanks ps. sorry for bad english :(
Certificate problem on Windows XP client ...
Hi, Regarding the above mentioned subject, we are facing the problem of "Windows was unable to find the certificate to log on to the network Roaming test2". Though the certificates are installed properly, and when we are using the same certificates for 'PEAP-MSCHAPv2' with 'validate server certificate' it is working fine. Can any one look into the same and respond me back please.

regards,
Venkat

Attachments: cacert.der (binary data), clinet.p12 (binary data)
performance report?
Does anybody know the performance on Sun T-1000? Just noticed that radius cannot reach more than 20% CPU time when we ran heavy traffic with nas simulations. We have tested some other programs and could reach even more than 90%, so just curious whether anybody experienced a similar result.
Re: performance report?
It is not likely you're actually putting too much strain on the server side. You'll need quite a lot of machines hammering the RADIUS server before it'll break into a sweat. The client side would have higher CPU utilization than the server side, per request.

Comparing one program to another is not exactly comparing apples with apples. It's more like comparing a duck with a fork lift. One flies, the other just doesn't (or rather, when it does, you don't want to be there to see it) ...

//anders

On 20/08/2008 20:18, Kevin J wrote: Does anybody know the performance on Sun T-1000? Just noticed that radius cannot reach more than 20% CPU time when we ran a heavy traffic with nas simulations. We have tested some other programs and could reach even more than 90% so just curious anybody experienced the similar result.
Re: compiling freeradius with oracle support
Alan DeKok wrote:

Alexandre Chapellon wrote: Ok the module compiles great, and it creates rlm_sql_oracle-2.0.5.so (and its symlink). I copy those two files in /usr/lib/freeradius but when launching freeradius -X i get: ... freeradius: symbol lookup error: /usr/lib/freeradius/rlm_sql_oracle.so: undefined symbol: OCIEnvCreate

And we now see the reason why the configure script didn't work.

Of course I installed the Oracle instantclient. I also added /opt/oracle/instantclient_11_1 in ld.so.conf and ran ldconfig afterwards.

Is the library in that directory, or in /opt/oracle/instantclient_11_1/lib ?

There is no lib/ in /opt/oracle/instantclient_11_1 as you can see:

~$ ls /opt/oracle/instantclient_11_1/
adrci BASIC_README genezi libclntsh.so libclntsh.so.11.1 libnnz11.so libocci.so libocci.so.11.1 libociei.so libocijdbc11.so ojdbc5.jar ojdbc6.jar sdk

In any case, use the *same* library path here that you used in the Makefile, as the -L argument. It should then work.

here is the modified Makefile:

include ../../../../../Make.inc
TARGET = rlm_sql_oracle
SRCS = sql_oracle.c
RLM_SQL_CFLAGS = -I/opt/oracle/instantclient_11_1/sdk/include
RLM_SQL_LIBS = -L/opt/oracle/instantclient_11_1
include ../rules.mak

As you can see i have here the same path in lib path and in the makefile:

~$ cat /etc/ld.so.conf.d/oracle.conf
/opt/oracle/instantclient_11_1

I am wondering if something is not missing in the oracle libs i installed...? Do you have any clue that can help me to find out what is happening?

I have to say that no oracle instance is installed on the server (only the client libs shipped in the basic.zip file, provided by oracle) and so the instance freeradius is trying to connect to doesn't exist yet but i doubt this should be a problem for starting freeradius.

That's fine. The error above is much earlier in the startup process than the connect to Oracle phase.

Ok I was pretty sure of that.

Alan DeKok.
Re: performance report?
I still do ... I've had 10 multi core boxes hammering one server, still not enough .. You need more clients .. ;)

RADIUS as such requires very little from the server side in terms of CPU. All it really does is compare x with y and then respond yes or no, once you strip down all the various variants of auth protocols. That's not a high requirement. I'm confident if you use a SSL enabled protocol, your CPU on the server is spending more time per request doing the necessary SSL stuff than RADIUS related work ..

A pint of unspecified beverage says you'll need more client CPU .. I'll agree with the pint ..

//anders

On 20/08/2008 20:45, Kevin J wrote: Well, that's why I am saying we used the nas simulation tool. We can hammer a lot of traffic with this multi-threaded tool and also we tried at least three client boxes so don't assume our traffic was not enough.

- Original Message -
From: Anders Holm
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, August 20, 2008 12:25:19 PM
Subject: Re: performance report?

It is not likely you're actually putting too much strain on the server side. You'll need quite a lot of machines hammering the RADIUS server before it'll break into a sweat. The client side would have higher CPU utilization than the server side, per request.

Comparing one program to another is not exactly comparing apples with apples. It's more like comparing a duck with a fork lift. One flies, the other just doesn't (or rather, when it does, you don't want to be there to see it) ...

//anders

On 20/08/2008 20:18, Kevin J wrote: Does anybody know the performance on Sun T-1000? Just noticed that radius cannot reach more than 20% CPU time when we ran a heavy traffic with nas simulations. We have tested some other programs and could reach even more than 90% so just curious anybody experienced the similar result.
RE: FreeRadius 2.0.5 AD PEAP
Here we go,

TTLS/PAP works

STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): c5 bd 3a 25 91 1b fa 82 01 4c d2 d3 0f 50 b9 69 57 32 5c 19 73 03 2a 02 d2 47 36 bd 0d 79 a7 09
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 7e c5 98 86 14 43 b5 20 08 fd fa 5c 6a e6 7c b5 cd 42 aa d5 8f 10 8c b6 9c 01 d3 9a 86 f1 7f 15
decapsulated EAP packet (code=3 id=7 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=1
PMK from EAPOL - hexdump(len=32): 7e c5 98 86 14 43 b5 20 08 fd fa 5c 6a e6 7c b5 cd 42 aa d5 8f 10 8c b6 9c 01 d3 9a 86 f1 7f 15
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS

TTLS/MSCHAPV2 fails

STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.02 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=8 len=111) from RADIUS server: EAP-Request-TTLS (21)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=8 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=111) - Flags 0x80
SSL: TLS Message Length: 101
EAP-TTLS: received 101 bytes encrypted data for Phase 2
EAP-TTLS: Decrypted Phase 2 AVPs - hexdump(len=56): 00 00 00 1a c0 00 00 37 00 00 01 37 49 53 3d 42 46 32 34 44 44 43 43 44 31 46 37 44 36 39 37 32 45 33 34 37 30 30 42 46 44 30 35 34 43 39 43 38 45 45 34 30 30 38 45 00
EAP-TTLS: AVP: code=26 flags=0xc0 length=55
EAP-TTLS: AVP vendor_id 311
EAP-TTLS: AVP data - hexdump(len=43): 49 53 3d 42 46 32 34 44 44 43 43 44 31 46 37 44 36 39 37 32 45 33 34 37 30 30 42 46 44 30 35 34 43 39 43 38 45 45 34 30 30 38 45
EAP-TTLS: MS-CHAP2-Success - hexdump_ascii(len=43):
     49 53 3d 42 46 32 34 44 44 43 43 44 31 46 37 44   IS=BF24DDCCD1F7D
     36 39 37 32 45 33 34 37 30 30 42 46 44 30 35 34   6972E34700BFD054
     43 39 43 38 45 45 34 30 30 38 45                  C9C8EE4008E
EAP-TTLS: Invalid authenticator response in Phase 2 MSCHAPV2 success request
EAP: method process - ignore=FALSE methodState=DONE decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: startWhen -- 0
EAPOL test timed out
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0 mismatch: 1
FAILURE

Perhaps try it with a Cleartext-Password in the users file. i.e. *Without* using ntlm_auth. That works for me, including with eapol_test, and TTLS/EAP-MSCHAPv2.

Can you clarify this setup/change to test? I was pretty sure I needed to use ntlm_auth to auth against AD to test mschapv2

If that still fails, then there's something wrong with the system that breaks the server in 2.0.5.

Running Samba 3.2.0 on Fedora 9

FYI: Unknown network block for the CA_CERT with regards to the eapol test config file

What does that mean?

Within the config you provided for eapol_test at the bottom is a ca_cert declaration that errors out when uncommented

Anyone using FC9 with freeradius 2.0.5 against AD working that I can use to compare?

Thanks much appreciated
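The "Decrypted Phase 2 AVPs" hexdump in the failing run is a single Diameter-style AVP as carried in EAP-TTLS Phase 2: a 4-byte code, a flags byte (V and M bits set), a 3-byte length, a 4-byte Vendor-Id, then the data padded to a 4-byte boundary. The example below, added here and not code from wpa_supplicant or FreeRADIUS, parses that exact dump (the bytes are copied from the log above) and splits the MS-CHAP2-Success value into its Ident byte and the "S=<40 hex>" authenticator response. The supplicant recomputes that string from its own copy of the password hash and compares it with what the server sent; a mismatch is the "Invalid authenticator response" line. The Ident byte here happens to be 0x49, which is ASCII "I", which is why the ascii column shows "IS=". The constant names are this example's own.

```python
import struct

# Bytes copied from the eapol_test hexdump above (56 bytes: 12-byte header,
# 43 data bytes, 1 byte of padding).
SAMPLE_AVPS = bytes.fromhex(
    "00 00 00 1a c0 00 00 37 00 00 01 37 49 53 3d 42 46 32 34 44 44 43 43 44 31"
    " 46 37 44 36 39 37 32 45 33 34 37 30 30 42 46 44 30 35 34 43 39 43 38 45"
    " 45 34 30 30 38 45 00"
)

AVP_FLAG_VENDOR = 0x80      # V bit: a 4-byte Vendor-Id follows the header
AVP_FLAG_MANDATORY = 0x40   # M bit: receiver must understand the AVP
MICROSOFT_VENDOR_ID = 311
MS_CHAP2_SUCCESS = 26       # attribute number inside the Microsoft vendor space


def parse_ttls_avps(buf):
    """Parse a run of EAP-TTLS Phase 2 AVPs into a list of dicts.

    The length field covers header plus data but not the padding, so the
    next AVP starts at the length rounded up to a multiple of 4.
    """
    avps = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code = struct.unpack_from("!I", buf, off)[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr_len = 8
        vendor = 0
        if flags & AVP_FLAG_VENDOR:
            if length < 12 or len(buf) - off < 12:
                raise ValueError("vendor AVP too short at offset %d" % off)
            vendor = struct.unpack_from("!I", buf, off + 8)[0]
            hdr_len = 12
        if length < hdr_len or off + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        avps.append({
            "code": code,
            "flags": flags,
            "mandatory": bool(flags & AVP_FLAG_MANDATORY),
            "vendor": vendor,
            "data": bytes(buf[off + hdr_len:off + length]),
        })
        off += (length + 3) & ~3   # skip the value and its padding
    return avps


def mschap2_success_fields(avp):
    """Split an MS-CHAP2-Success value into (ident, authenticator_response).

    The value is one Ident byte followed by the 42-character string
    "S=" + 40 uppercase hex digits that the client must verify.
    """
    if avp["vendor"] != MICROSOFT_VENDOR_ID or avp["code"] != MS_CHAP2_SUCCESS:
        raise ValueError("not an MS-CHAP2-Success AVP")
    data = avp["data"]
    if len(data) != 43 or data[1:3] != b"S=":
        raise ValueError("malformed MS-CHAP2-Success value: %r" % data)
    auth_resp = data[3:].decode("ascii")
    if any(c not in "0123456789ABCDEF" for c in auth_resp):
        raise ValueError("authenticator response is not uppercase hex")
    return data[0], auth_resp


if __name__ == "__main__":
    for avp in parse_ttls_avps(SAMPLE_AVPS):
        print("code=%d vendor=%d flags=0x%02x len(data)=%d"
              % (avp["code"], avp["vendor"], avp["flags"], len(avp["data"])))
        ident, resp = mschap2_success_fields(avp)
        print("ident=0x%02x authenticator response=%s" % (ident, resp))
```

What the parser cannot tell you is whether the 40 hex digits are right: that needs the client's NT password hash, the peer challenge and the authenticator challenge from the earlier MS-CHAPv2 exchange. It does confirm the server's framing is sound, which narrows the fault to the value itself, consistent with Alan's reading that the MSCHAP-Success attribute the server builds is wrong.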
Radius server ans NAS keys don't match! ?
Hi, I am trying to work with Radius on a FreeBSD machine. When I try radlogin on the client machine, I get the following message from the server:

Ready to process requests.
        Service-Type = 0x0001
        User-Name = xxx
        User-Password = \240\365\313ħ\255\371\r\203\300.\275ܤ
        NAS-Port = 0x
        NAS-IP-Address = 0x0a2a009b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = xxx, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
    users: Matched entry xxx at line 17
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password: Found Auth-Type
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password ?õËħù ?À.½Ü?¤
rlm_pap: Using clear text password xxx
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [kavita/\240\365\313ħ\255\371\r\203\300.\275Ü?¤] (from client hwq5 port 0)
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} - xxx
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Waking up in 4.9 seconds.
Cleaning up request 1 ID 127 with timestamp +24
Ready to process requests.

I have checked the secret key on the server and the client and it is the same!

Is there any setting to be done in /radiusclient-ng-0.5.6/etc/servers

radius_server_ip    secret_key

and /radiusclient-ng/radiusclient.conf

authserver radius_server_ip:1812

My Radius server is a 32 bit FreeBSD machine whereas the client is 64 bit FreeBSD.

Thank you,
Kavita
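The unprintable password in the log above is what a shared-secret mismatch looks like on the wire: RFC 2865 hides User-Password by XORing each 16-byte block with MD5(secret + Request-Authenticator) (later blocks chain on the previous ciphertext block), so a server that decodes with a different secret recovers pseudo-random bytes rather than the typed password, which is exactly the condition the rlm_pap warning keys on. The example below is added here to show that mechanism and is not FreeRADIUS or radiusclient-ng code; the secret, authenticator and passwords are constructed values, and the function names are this example's own.

```python
import hashlib


def _blocks(data):
    return [data[i:i + 16] for i in range(0, len(data), 16)]


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then
    c1 = p1 XOR MD5(S + RA), ci = pi XOR MD5(S + c(i-1))."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out = b""
    prev = authenticator
    for block in _blocks(padded):
        pad = hashlib.md5(secret + prev).digest()
        cipher = bytes(x ^ y for x, y in zip(block, pad))
        out += cipher
        prev = cipher
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; chains on the received ciphertext blocks.
    Trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty 16-byte multiple")
    out = b""
    prev = authenticator
    for cipher in _blocks(hidden):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher, pad))
        prev = cipher
    return out.rstrip(b"\x00")


def looks_like_secret_mismatch(revealed):
    """The heuristic behind the rlm_pap warning: a decoded password with
    bytes outside printable ASCII almost always means the NAS and the
    server disagree on the shared secret."""
    return any(b < 0x20 or b > 0x7e for b in revealed)


def check_pap(hidden, secret, authenticator, known_password):
    """Return (decision, warning) the way the log above reads: 'accept' when
    the decoded password matches the stored cleartext, otherwise 'reject'
    plus the shared-secret warning when the decoded bytes are unprintable."""
    revealed = reveal_password(hidden, secret, authenticator)
    if revealed == known_password:
        return "accept", None
    warning = None
    if looks_like_secret_mismatch(revealed):
        warning = ("Unprintable characters in the password. "
                   "Double-check the shared secret on the server and the NAS!")
    return "reject", warning


if __name__ == "__main__":
    # Constructed values; a real NAS picks a fresh random authenticator per request.
    ra = bytes(range(16))
    on_wire = hide_password(b"xxx", b"testing123", ra)
    print(check_pap(on_wire, b"testing123", ra, b"xxx"))   # ('accept', None)
    print(check_pap(on_wire, b"testing124", ra, b"xxx"))   # ('reject', '...Double-check the shared secret...')
```

Because the pad depends on the secret byte for byte, a secret that differs in one character, trailing whitespace, or an extra quote character in a config file all produce the same symptom; when the secrets genuinely match, the next things to compare are the NAS-IP-Address the server sees (0x0a2a009b here) against the client entry it matched (hwq5), since a request that matches a different clients.conf entry is decoded with that entry's secret.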
Re: performance report?
Well, Radius protocol is not just machine-to-machine issue. I think you don't understand how request protocol can be simulated by hammering with our tool. We have tested various protocols by this tool. Per our test results, radius can reach the limit of requests by hammering easily but CPU was still low. We have various statistics on all these. My point is that radius was not able to use full cpu resource until reaching max number of handful requests. Your point with more clients does not make sense because we already reached max requests hammering by our tool and that was same regardless of adding more clients under multi-threaded environment.

- Original Message -
From: Anders Holm
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, August 20, 2008 12:52:20 PM
Subject: Re: performance report?

I still do ... I've had 10 multi core boxes hammering one server, still not enough .. You need more clients .. ;)

RADIUS as such requires very little from the server side in terms of CPU. All it really does is compare x with y and then respond yes or no, once you strip down all the various variants of auth protocols. That's not a high requirement. I'm confident if you use a SSL enabled protocol, your CPU on the server is spending more time per request doing the necessary SSL stuff than RADIUS related work ..

A pint of unspecified beverage says you'll need more client CPU .. I'll agree with the pint ..

//anders

On 20/08/2008 20:45, Kevin J wrote: Well, that's why I am saying we used the nas simulation tool. We can hammer a lot of traffic with this multi-threaded tool and also we tried at least three client boxes so don't assume our traffic was not enough.

- Original Message -
From: Anders Holm
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, August 20, 2008 12:25:19 PM
Subject: Re: performance report?

It is not likely you're actually putting too much strain on the server side. You'll need quite a lot of machines hammering the RADIUS server before it'll break into a sweat. The client side would have higher CPU utilization than the server side, per request.

Comparing one program to another is not exactly comparing apples with apples. It's more like comparing a duck with a fork lift. One flies, the other just doesn't (or rather, when it does, you don't want to be there to see it) ...

//anders

On 20/08/2008 20:18, Kevin J wrote: Does anybody know the performance on Sun T-1000? Just noticed that radius cannot reach more than 20% CPU time when we ran a heavy traffic with nas simulations. We have tested some other programs and could reach even more than 90% so just curious anybody experienced the similar result.
Re: Re: expiration or session-timeout
As i understand Expiration attribute can get only date values.

No, date and time: August 20 2008 13:45:00

Ivan Kalik
Kalik Informatika ISP
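Putting the two replies together: Expiration takes a date or a date and time, and what the server sends the NAS is not the expiry moment itself but the number of seconds left until it, as Session-Timeout, so the NAS can end the session on its own clock. The example below, added here and not FreeRADIUS's rlm_expiration code, works that calculation through for the values used in this thread (a bare date expires at 00:00:00 of that day; "August 20 2008 13:45:00" is the form Ivan gives). The accepted date formats and the rule that an existing, smaller Session-Timeout in the reply is kept are assumptions of this example; function names are its own.

```python
from datetime import datetime

# Assumed input formats for this example; the list message shows the
# "August 20 2008 13:45:00" form, and a bare date means midnight that day.
EXPIRATION_FORMATS = (
    "%B %d %Y %H:%M:%S",   # August 20 2008 13:45:00
    "%B %d %Y",            # August 23 2008
    "%d %B %Y %H:%M:%S",   # 20 August 2008 13:45:00
    "%d %B %Y",            # 23 August 2008
)


def parse_expiration(value):
    """Turn an Expiration attribute string into a datetime."""
    for fmt in EXPIRATION_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised Expiration value: %r" % value)


def session_timeout_for(expiration_value, now, reply_session_timeout=None):
    """Seconds the session may still last, or None when the account has
    already expired (the request should be rejected).

    If the reply already carries a Session-Timeout smaller than the time
    left, that smaller value is kept (assumed behaviour for this example).
    """
    remaining = int((parse_expiration(expiration_value) - now).total_seconds())
    if remaining <= 0:
        return None
    if reply_session_timeout is not None and reply_session_timeout < remaining:
        return reply_session_timeout
    return remaining


def build_reply(expiration_value, now, reply=None):
    """Return the reply attributes as a dict: either a Session-Timeout added
    to the existing reply, or a reject with a Reply-Message."""
    reply = dict(reply or {})
    timeout = session_timeout_for(expiration_value, now, reply.get("Session-Timeout"))
    if timeout is None:
        return {"Reply-Message": "Your account has expired"}
    reply["Session-Timeout"] = timeout
    return reply


if __name__ == "__main__":
    # Constructed "now" so the numbers are reproducible.
    now = datetime(2008, 8, 20, 13, 0, 0)
    print(build_reply("August 20 2008 13:45:00", now))   # {'Session-Timeout': 2700}
    print(build_reply("August 23 2008", now))            # {'Session-Timeout': 212400}
    print(build_reply("August 20 2008 12:00:00", now))   # {'Reply-Message': ...}
```

Two practical points follow from the arithmetic: the value is computed at Access-Request time, so a user who connects at 13:00 with a 13:45 expiry gets 2700 seconds, and a user who reconnects at 13:44 gets 60; and because the NAS counts down locally, a NAS that ignores Session-Timeout will not cut the session, which is the case Ivan qualifies with "and most do".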