Re: unable to write 'random state' when starting freeradius

2008-10-03 Thread Madwifi Wireless

Hi John,

Thanks for the response, here are my settings. I am basically running 
this as root since I am just testing right now. In my radiusd.conf the 
user/group is commented out.


#
#user = radius
#group = radius

And the permissions on the certs directory are 770

[EMAIL PROTECTED] sbin]# ls -ld ../etc/raddb/certs
drwxrwx---  2 root root 4096 Oct  3 18:00 ../etc/raddb/certs
[EMAIL PROTECTED] sbin]#

I've also tried the same thing on ubuntu and I have the same error message.

AM


John Dennis wrote:

Madwifi Wireless wrote:
Has anyone come across this error? This happens when I start 
freeradius for the first time.

Platform: RedHat ES 4.0
Version: FreeRadius 2.1.1


random_file = "/usr/local/freeradius-2.1.1/etc/raddb/certs/random"

What are the ownership and permissions on the directory 
/usr/local/freeradius-2.1.1/etc/raddb/certs?


Do they match the user and group specified in 
/usr/local/freeradius-2.1.1/etc/radiusd.conf?


Assuming the user/group is either radius or radiusd, then do the 
directory permissions allow an owner or group to write into that 
directory?


For example it should be something like this (this example assumes 
installation with prefix=/usr):


sudo ls -ld /etc/raddb/certs
drwxrwx--- 2 root radiusd 4096 2008-09-25 15:29 /etc/raddb/certs




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unable to write 'random state' when starting freeradius

2008-10-03 Thread John Dennis

Madwifi Wireless wrote:
Has anyone come across this error? This happens when I start 
freeradius for the first time.

Platform: RedHat ES 4.0
Version: FreeRadius 2.1.1


random_file = "/usr/local/freeradius-2.1.1/etc/raddb/certs/random"

What are the ownership and permissions on the directory 
/usr/local/freeradius-2.1.1/etc/raddb/certs?


Do they match the user and group specified in 
/usr/local/freeradius-2.1.1/etc/radiusd.conf?


Assuming the user/group is either radius or radiusd, then do the 
directory permissions allow an owner or group to write into that directory?


For example it should be something like this (this example assumes 
installation with prefix=/usr):


sudo ls -ld /etc/raddb/certs
drwxrwx--- 2 root radiusd 4096 2008-09-25 15:29 /etc/raddb/certs



--
John Dennis <[EMAIL PROTECTED]>

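The ownership/permission check described in the reply above, as an added Python example (not code from the thread or from FreeRADIUS): it takes the `user`/`group` lines of a radiusd.conf fragment and an `ls -ld` line for the certs directory and reports whether that identity can create the random file there. The sample inputs are constructed from what the thread shows; a commented-out user/group is assumed to mean the daemon keeps the identity it was started with (root, as in this thread), and supplementary groups, POSIX ACLs and SELinux are assumed out of scope.

```python
import re
from typing import Dict, Tuple

# Constructed inputs modelled on what the thread shows (not captured from either poster's box).
CONF_RUN_AS_ROOT = """\
#
#user = radius
#group = radius
"""
CONF_RUN_AS_RADIUSD = """\
user = radiusd
group = radiusd
"""
CERTS_ROOT_ROOT = "drwxrwx---  2 root root 4096 Oct  3 18:00 ../etc/raddb/certs"
CERTS_ROOT_RADIUSD = "drwxrwx--- 2 root radiusd 4096 2008-09-25 15:29 /etc/raddb/certs"
CERTS_READ_ONLY = "dr-xr-x--- 2 root radiusd 4096 2008-09-25 15:29 /etc/raddb/certs"

_SETTING = re.compile(r"^(user|group)\s*=\s*(\S+)")


def daemon_identity(conf: str) -> Tuple[str, str]:
    """Return (user, group) radiusd will run as, from the user/group lines of a
    radiusd.conf fragment. A commented-out setting means the daemon keeps the
    identity it was started with; this thread starts it as root, so that is the
    assumed default."""
    user, group = "root", "root"
    for raw in conf.splitlines():
        m = _SETTING.match(raw.strip())
        if m is None:            # blank lines and '#'-comments are skipped
            continue
        if m.group(1) == "user":
            user = m.group(2)
        else:
            group = m.group(2)
    return user, group


def parse_ls_ld(line: str) -> Tuple[str, str, str]:
    """Split one `ls -ld` line into (mode string, owner, group).
    A trailing '+' or '.' on the mode field (ACL / SELinux marker) is ignored."""
    fields = line.split()
    if len(fields) < 4 or len(fields[0]) < 10 or fields[0][0] != "d":
        raise ValueError("not an `ls -ld` line for a directory: %r" % line)
    return fields[0][:10], fields[2], fields[3]


def can_create_in_dir(mode: str, owner: str, group: str,
                      user: str, user_group: str) -> bool:
    """True when `user` (primary group `user_group`) may create a file in the
    directory: it needs both the write and search (x) bits of whichever class
    applies. Root bypasses the mode bits; supplementary groups, POSIX ACLs and
    SELinux are assumed out of scope."""
    if user == "root":
        return True
    perms = mode[1:10]            # "rwxrwx---": owner, group, other triplets
    if user == owner:
        w, x = perms[1], perms[2]
    elif user_group == group:
        w, x = perms[4], perms[5]
    else:
        w, x = perms[7], perms[8]
    return w == "w" and x in "xst"   # 's'/'t' are x with setgid/sticky set


def check_random_file_dir(conf: str, ls_line: str) -> Dict[str, object]:
    """Apply the check from the thread: does the identity in radiusd.conf match
    the certs directory's ownership and mode well enough to write there?"""
    user, group = daemon_identity(conf)
    mode, owner, dir_group = parse_ls_ld(ls_line)
    ok = can_create_in_dir(mode, owner, dir_group, user, group)
    return {"user": user, "group": group, "mode": mode,
            "owner": owner, "dir_group": dir_group, "writable": ok}


if __name__ == "__main__":
    cases = [("root, root:root 770", CONF_RUN_AS_ROOT, CERTS_ROOT_ROOT),
             ("radiusd, root:radiusd 770", CONF_RUN_AS_RADIUSD, CERTS_ROOT_RADIUSD),
             ("radiusd, root:radiusd 550", CONF_RUN_AS_RADIUSD, CERTS_READ_ONLY),
             ("radiusd, root:root 770", CONF_RUN_AS_RADIUSD, CERTS_ROOT_ROOT)]
    for label, conf, ls in cases:
        r = check_random_file_dir(conf, ls)
        print("%-28s writable=%s" % (label, r["writable"]))
```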


unable to write 'random state' on startup

2008-10-03 Thread Madwifi Wireless
Has anyone come across this error? This happens when I start freeradius 
for the first time.

Platform: RedHat ES 4.0
Version: FreeRadius 2.1.1

I have highlighted the message in red. It doesn't matter if I run this 
command as root.


Thanks for your help.


Sorry if this is posted twice.

AM

sudo ./radiusd -
Fri Oct  3 14:34:04 2008 : Info: FreeRADIUS Version 2.1.1, for host 
i686-pc-linux-gnu, built on Oct  3 2008 at 14:30:11
Fri Oct  3 14:34:04 2008 : Info: Copyright (C) 1999-2008 The FreeRADIUS 
server project and contributors.
Fri Oct  3 14:34:04 2008 : Info: There is NO warranty; not even for 
MERCHANTABILITY or FITNESS FOR A

Fri Oct  3 14:34:04 2008 : Info: PARTICULAR PURPOSE.
Fri Oct  3 14:34:04 2008 : Info: You may redistribute copies of 
FreeRADIUS under the terms of the

Fri Oct  3 14:34:04 2008 : Info: GNU General Public License v2.
Fri Oct  3 14:34:04 2008 : Info: Starting - reading configuration files ...
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/radiusd.conf
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/proxy.conf
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/clients.conf
Fri Oct  3 14:34:04 2008 : Debug: including files in directory 
/usr/local/freeradius-2.1.1/etc/raddb/modules/
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/attr_filter
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/always
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/expiration
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/digest
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/echo
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/exec
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/detail.log
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/sradutmp
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/wimax
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/checkval
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/acct_unique
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/preprocess
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/linelog
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/mac2vlan
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/counter
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/etc_group
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/ippool
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/radutmp
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/pap
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/krb5
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/mac2ip
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/detail.example.com
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/ldap
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/files
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/passwd
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/inner-eap
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/mschap
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/expr
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/detail
Fri Oct  3 14:34:04 2008 : Debug: including configuration file 
/usr/local/freeradius-2.1.1/etc/raddb/modules/attr_rewrite
Fri Oct  3 14:34:04 2008 : Debug: including configurati

The client does not connect _*_*_*_

2008-10-03 Thread Martin Silvero
I apologize to you for not knowing English well, I live in Argentina and my
native language is Spanish (I doubt you know Spanish), if you are unable to
interpret what I am trying to say it is your problem with your gray matter,
but please if I express ticket that I am not wrong understanding and can
write differently, but stay on the sidelines and do not interfere because
the kids have no trouble understanding what I write.
Thanks.

Re: The client does not connect _*_*_*_

2008-10-03 Thread Vegard Svanberg
* Martin Silvero <[EMAIL PROTECTED]> [2008-10-03 21:02]:

>yes, I imported "client.p12" and "ca.der" to the notebook, then checked
>again and they are fine

Can you please learn to quote and reply properly. Thanks.

-- 
Vegard Svanberg <[EMAIL PROTECTED]> [EMAIL PROTECTED] (EFnet)]



The client does not connect _*_*_*_

2008-10-03 Thread Martin Silvero
yes, I imported "client.p12" and "ca.der" to the notebook, then checked again
and they are fine

Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread tnt
Use:

--username=%{mschap:User-Name}

and it should work.

Ivan Kalik
Kalik Informatika ISP


On 3/10/2008, "Vieri" <[EMAIL PROTECTED]> writes:

>--- On Thu, 10/2/08, Vieri <[EMAIL PROTECTED]> wrote:
>
>> I'm running freeradius-2.0.5 on Linux.
>>
>> My setup is as follows:
>>
>> Windows Vista native client - Linksys AP - FreeRadius Linux
>> server (PEAP/mschapv2) - Active Directory Windows server
>>
>> Everything works smoothly with the following ntlm_auth
>> parameters in the mschap module:
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>> However, user authentication is rejected when I add the
>> --domain parameter:
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>> (from the Windows Vista client I obviously set the DOMAIN
>> field; besides, if I run the freeradius daemon with debug
>> enabled I see that it "correctly" receives
>> 'DOMAIN\username')
>>
>> For starters, I don't understand why authentication
>> fails if I add --domain. How can I find out why?
>>
>> Then, adding --require-membership-of with or without
>> --domain also fails.
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --require-membership-of='DOMAIN\\WIFI'
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>> Finally, running ntlm_auth from the command line yields:
>>
>> # ntlm_auth --request-nt-key --domain=DOMAIN
>> --username=myuser
>> --require-membership-of='DOMAIN\\WIFI'
>> password:
>> NT_STATUS_OK: Success (0x0)
>
>I found this in the radiusd debug log:
>
>[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
>  Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!
>
>so I removed the '' in the ntlm_auth string like this:
>
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key  
>--username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN 
>--require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00} 
>--nt-response=%{mschap:NT-Response:-00}"
>
>and now it works.
>
>So this leads me to ask how I can specify group names with spaces such as 
>'WIFI 1'.
>
>Also, I had to specify the domain explicitly either via --domain=DOMAIN or 
>--domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication 
>succeeds only if the client does NOT specify a domain in the domain or user 
>field.
>So I'm attaching some debug outputs with the hope that someone can shed some 
>light on this aspect which I obviously don't grasp.
>
>Thanks,
>
>Vieri


Re: The client does not connect _*_*_*_

2008-10-03 Thread tnt
>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0384], Certificate
>--> verify error:num=20:unable to get local issuer certificate
>  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>TLS Alert write:fatal:unknown CA
>TLS_accept:error in SSLv3 read client certificate B
>rlm_eap: SSL error error:140890B2:SSL
>routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
>  eaptls_process returned 13

Have you imported the CA certificate onto the user's machine?

Ivan Kalik
Kalik Informatika ISP



The client does not connect _*_*_*_

2008-10-03 Thread Martin Silvero
Well, monitoring and testing in the log have this:



Going to the next request
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=68,
length=144
User-Name = "msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0xb7ec9c58aef5995fa1beeaf9fb22d535
EAP-Message = 0x0201000d016d73696c7665726f
NAS-Port-Type = Wireless-802.11
NAS-Port = 278
NAS-IP-Address = 10.0.31.40
NAS-Identifier = "ap-Reconquista-31"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "msilvero", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry msilvero at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 68 to 10.0.31.40 port 1645
EAP-Message = 0x0102001604100150e2e5a3af2f9bf6b494482cd5b15c
Message-Authenticator = 0x
State = 0xc4723e07c4703a0f252b64ab3b8aac1c
Finished request 63.
Going to the next request
Waking up in 2.5 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=69,
length=155
User-Name = "msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x32c823b2ce943c46fe0003306353f899
EAP-Message = 0x02020006030d
NAS-Port-Type = Wireless-802.11
NAS-Port = 278
State = 0xc4723e07c4703a0f252b64ab3b8aac1c
NAS-IP-Address = 10.0.31.40
NAS-Identifier = "ap-Reconquista-31"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "msilvero", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry msilvero at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/tls
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 69 to 10.0.31.40 port 1645
EAP-Message = 0x010300060d20
Message-Authenticator = 0x
State = 0xc4723e07c571330f252b64ab3b8aac1c
Finished request 64.
Going to the next request
Waking up in 2.5 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=70,
length=259
User-Name = "msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x81272adb33bde6be5f5504b71ab4a408
EAP-Message =
0x0203006e0d800064160301005f015b030148e6393e196c12f7838dcd0d7a1694260cf59192b892175d80ab559c8c0d2a2c3400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100
NAS-Port-Type = Wireless-802.11
NAS-Port = 278
State = 0xc4723e07c571330f252b64ab3b8aac1c
NAS-IP-Address = 10.0.31.40
NAS-Identifier = "ap-Reconquista-31"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "msilvero", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 110
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry msilvero at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
 

The client does not connect _*_*_*_

2008-10-03 Thread Martin Silvero
ok tnt, I try that with the application, testing and do you notice. Thank
you very much!

Re: The client does not connect _*_*_*_

2008-10-03 Thread tnt
Get Wireshark and start looking at what happens to radius packets.
Staring at it is not going to make it work. You will find out that you
do have a firewall after all. Or your AP is sending packets to the wrong
address. Or your routing is messed up.

Ivan Kalik
Kalik Informatika ISP

On 3/10/2008, "Martin Silvero" <[EMAIL PROTECTED]> writes:

>the problem is...
>
>when I want to connect from the notebook to the network radius, asking me to
>configure the profile to the type of authentication, and so on.
>what set everything is ready and when I try to connect but does not connect
>to the server and are not recorded requests.
>
>on the server are not recorded movements, and the notebook does not show any
>error. I have no firewall either. Got it?
>
>the ping's respond well in both directions.


The client does not connect _*_*_*_

2008-10-03 Thread Martin Silvero
the problem is...

when I want to connect from the notebook to the network radius, asking me to
configure the profile to the type of authentication, and so on.
what set everything is ready and when I try to connect but does not connect
to the server and are not recorded requests.

on the server are not recorded movements, and the notebook does not show any
error. I have no firewall either. Got it?

the ping's respond well in both directions.

Re: EAP-TTLS first connection works, other won't

2008-10-03 Thread Giovanni Lovato

Alan DeKok wrote:

Giovanni Lovato wrote:

I set up freeradius 2.1.1 for EAP-TTLS, on Debian Lenny. As client I'm
using Ubuntu. When I try to connect, first user, (on the logs, "heruan")
connect successfully, but subsequent users (e.g. "jamila") won't. If I
restart freeradius, and try to connect first with "jamila" and then with
"heruan", "jamila" connects and "heruan" doesn't. The only error I'm
able to see on the log is:

798:[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.


  ?  Session resumption is done on a per-user basis.  Session resumption
for one user does NOT affect other users.

  The only way that this can happen is if you use one user name for the
first session, and then using the *same* SSL data, try to authenticate
using a different User-Name.

  All I can say is I can't reproduce this on my system.


Mmmm... After a little more investigation, I think it's the AP that 
causes the problem: it receives an Access-Accept but ignores it, sends 
another Access-Request and FR correctly generates an Access-Reject 
because of the duplicate request. So it's not a FR issue, but if someone 
has advice on how to debug this, any help will be appreciated!



Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread tnt
Don't hijack other people's threads. BTW did you fix the users file entry
so the server can start up?

Ivan Kalik
Kalik Informatika ISP

On 3/10/2008, "luis a" <[EMAIL PROTECTED]> writes:

>Pal, if you are using the freeradius binary version as I was using before, 
>
>you can debug by typing freeradius -X
>
>if you are using the compiled version as I did a few days ago, it should work 
>only by typing radiusd -X
>
>PS:
>my freeradius is still not authenticating against AD :-(
>
>
>--- On Thu, 2/10/08, Nicolas Goutte <[EMAIL PROTECTED]> wrote:
>From: Nicolas Goutte <[EMAIL PROTECTED]>
>Subject: Re: Freeradius, PEAP, Active Directory and --require-membership-of
>To: "FreeRadius users mailing list" 
>Date: Thursday, 2 October 2008 6:09
>
>On 02.10.2008 at 19:46, Vieri wrote:
>
>>
>> --- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>
>>> As with every other freeradius problem - when it doesn't
>>> work - debug
>>> (radiusd -X).
>>
>> That's how I'm running it. Does the list mind if I post the debug 
>
>> lines?
>
>Asking for the output of radiusd -X is the most frequent answer on  
>this mailing list and so it is not  a problem to see such outputs on  
>this mailing list.
>
>However please check first by yourself that you do not have missed an  
>error message that would bring you in the right direction. (Because  
>that is probably the second frequent answer.)
>
>>
>>
>>
>>
>
>
>Have a nice day!
>
>Nicolas Goutte
>
>
>extragroup GmbH - Karlsruhe
>Waldstr. 49
>76133 Karlsruhe
>Germany
>
>Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
>Register court: Amtsgericht Münster / HRB: 5624
>Tax no.: 337/5903/0421 / VAT ID: DE 204607841
>
>
>
>


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread luis a
Pal, if you are using the freeradius binary version as I was using before, 

you can debug by typing freeradius -X

if you are using the compiled version as I did a few days ago, it should work 
only by typing radiusd -X

PS:
my freeradius is still not authenticating against AD :-(


--- On Thu, 2/10/08, Nicolas Goutte <[EMAIL PROTECTED]> wrote:
From: Nicolas Goutte <[EMAIL PROTECTED]>
Subject: Re: Freeradius, PEAP, Active Directory and --require-membership-of
To: "FreeRadius users mailing list" 
Date: Thursday, 2 October 2008 6:09

On 02.10.2008 at 19:46, Vieri wrote:

>
> --- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
>> As with every other freeradius problem - when it doesn't
>> work - debug
>> (radiusd -X).
>
> That's how I'm running it. Does the list mind if I post the debug 

> lines?

Asking for the output of radiusd -X is the most frequent answer on  
this mailing list and so it is not  a problem to see such outputs on  
this mailing list.

However please check first by yourself that you do not have missed an  
error message that would bring you in the right direction. (Because  
that is probably the second frequent answer.)

>
>
>
>


Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841





control-socket name one character short

2008-10-03 Thread Zoltan Ori
I have installed version 2.1.1 on FreeBSD 7.0 from source obtained at the download 
link on www.freeradius.org.  The server "just works"!  Thank you Mr. DeKok 
et al.

I wanted to try radmin, so I copied control-socket from sites-available to 
sites-enabled. When I started the server I received

# radiusd -X

radiusd:  Opening IP addresses and Ports 
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
 listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
 }
Failed setting permissions on /usr/local/var/run/radiusd/radiusd.sock: No such 
file or directory
#
# ls /usr/local/var/run/radiusd
radiusd.soc

The socket was created but the name was missing a character.

I tried on a FreeBSD 6.2 box with the same results. Other than not being able 
to enable control-socket, everything else works fine. 


I did try building from the github sources, but received an error:

. . .
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE 
-DNDEBUG -D_LIBRADIUS -I/usr/home/tester/Work/RADIUS/radius-2.1.1z/src -c 
valuepair.c  -fPIC -DPIC -o .libs/valuepair.o
valuepair.c: In function `pairread':
valuepair.c:1737: error: `pair' undeclared (first use in this function)
valuepair.c:1737: error: (Each undeclared identifier is reported only once
valuepair.c:1737: error: for each function it appears in.)
valuepair.c:1742: error: break statement not within loop or switch
valuepair.c:1747: error: case label not within a switch statement
valuepair.c:1762: error: break statement not within loop or switch
valuepair.c: At top level:
valuepair.c:1768: error: syntax error before "if"
gmake[4]: *** [valuepair.lo] Error 1
gmake[4]: Leaving directory 
`/usr/home/tester/Work/RADIUS/radius-2.1.1z/src/lib'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/usr/home/tester/Work/RADIUS/radius-2.1.1z/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/home/tester/Work/RADIUS/radius-2.1.1z/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/usr/home/tester/Work/RADIUS/radius-2.1.1z'
gmake: *** [all] Error 2

Judging from the commit times, I believe valuepair.c was in the process of 
being changed and may already be fixed.

When do you sleep Mr. DeKok?

-- 
Zoltan Ori




Re: Make Install Errot : FreeRadius V 2.1.1 on Suse

2008-10-03 Thread Syed Anwarul Hasan
Hi Alan,
   I tried the prefix option --prefix=/usr in the configure step to install
files in /usr rather than /usr/local, which is the default.

*Still, I got the same error*. And to inform you,  when I build the
freeradius rpm package from freeradius.spec  file. I have removed the
autoreconf line to avoid RPM errors as I described yesterday in the post.
Please help me in this regard.

SYED


On Fri, Oct 3, 2008 at 12:02 PM, Alan DeKok <[EMAIL PROTECTED]>wrote:

> Syed Anwarul Hasan wrote:
> > I have compiled FreeRadius V 2.1.1 on SLES 10 SP2 .And after config and
> > make steps when I tried the 'make Install'  to install the binaries. I
> > got an libtool error and Installation stopped.
> ...
> > libtool: install: error: cannot install rlm_acctlog.la
> > to a directory not ending in /usr/lib/freeradius
>
>   Libtool is insane.  I have *no* idea why it does that.  It's annoying,
> and I don't know of any real way to fix it.
>
>  The only work-around is to install all of the files in /usr... rather
> than somewhere else.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: The client does not connect _*_*_*_

2008-10-03 Thread Anders Holm
Again, what's the debug output? Does the client manage to send a RADIUS
packet that actually arrives at the server?

//anders

2008/10/1 Martin Silvero <[EMAIL PROTECTED]>

> sorry
> what they say is ...
>
>
>
> The access point has an IP 10.0.31.x and is included within
> raddb/client.conf; forget the IP 10.0.42.250, because I connect to that
> network for another topic.
> The server is in 10.30.1.x; we do not need to be on the same network
> because the VLANs are routable. Pinging responds well.
>
> What could be the problem?
>
> --
> --
>
> Silvero Martin
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

FR 2.1.1 --enable-developer core dump

2008-10-03 Thread Chris Howley
Hello Alan,

FR 2.1.1 and Solaris 10 x86

1. ./configure --enable-developer --without-rlm_perl

2. radtest test test localhost 0 testing123

Core dump created when running server with default configuration.

Chris Howley

FreeRADIUS Version 2.1.1, for host i386-pc-solaris2.10, built on Sep 25
2008 at 12:42:55
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file
/usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time =

Re: Make Install Error : FreeRadius V 2.1.1 on Suse

2008-10-03 Thread Alan DeKok
Syed Anwarul Hasan wrote:
> I have compiled FreeRadius V 2.1.1 on SLES 10 SP2 .And after config and
> make steps when I tried the 'make Install'  to install the binaries. I
> got an libtool error and Installation stopped.
...
> libtool: install: error: cannot install rlm_acctlog.la
> to a directory not ending in /usr/lib/freeradius

  Libtool is insane.  I have *no* idea why it does that.  It's annoying,
and I don't know of any real way to fix it.

  The only work-around is to install all of the files in /usr... rather
than somewhere else.

  Alan DeKok.


Make Install Error : FreeRadius V 2.1.1 on Suse

2008-10-03 Thread Syed Anwarul Hasan
Dear Alan,Ivan and all,

I have compiled FreeRadius V 2.1.1 on SLES 10 SP2. After the configure and
make steps, when I tried 'make install' to install the binaries, I got a
libtool error and the installation stopped.
Please help in this regard.

SYED

pc1138:/usr/src/packages/BUILD/freeradius-server-2.1.1 # make install
gmake[1]: Entering directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1'
Making install in src...
gmake[2]: Entering directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src'
gmake[3]: Entering directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src'
Making install in include...
gmake[4]: Entering directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src/include'
/usr/src/packages/BUILD/freeradius-server-2.1.1/install-sh -c -d -m 755
/usr/local/include/freeradius
for i in hash.h libradius.h md4.h md5.h missing.h packet.h radius.h
radpaths.h sha1.h token.h udpfromto.h vqp.h ident.h ; do \
sed 's/^#include 
.inst.$$ ; \
/usr/src/packages/BUILD/freeradius-server-2.1.1/install-sh -c -m 644
.inst.$$   /usr/local/include/freeradius/$i; \
rm -f .inst.$$ ; \
done
gmake[4]: Leaving directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src/include'
Making install in lib...
gmake[4]: Entering directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src/lib'
/usr/src/packages/BUILD/freeradius-server-2.1.1/install-sh -c -d -m 755
/usr/local/lib
/usr/src/packages/BUILD/freeradius-server-2.1.1/libtool --mode=install
/usr/src/packages/BUILD/freeradius-server-2.1.1/install-sh -c -c
libfreeradius-radius.la \
/usr/local/lib/libfreeradius-radius.la
/usr/src/packages/BUILD/freeradius-server-2.1.1/install-sh -c -c .libs/
libfreeradius-radius-2.1.1.so /usr/local/lib/libfreeradius-radius-2.1.1.so
(cd /usr/local/lib && { ln -s -f
libfreeradius-radius-2.1.1.solibfreeradius-radius.so || { rm -f
libfreeradius-radius.so && ln -s
libfreeradius-radius-2.1.1.so libfreeradius-radius.so; }; })
/usr/src/packages/BUILD/freeradius-server-2.1.1/install-sh -c -c
.libs/libfreeradius-radius.lai /usr/local/lib/libfreeradius-radius.la
/usr/src/packages/BUILD/freeradius-server-2.1.1/install-sh -c -c
.libs/libfreeradius-radius.a /usr/local/lib/libfreeradius-radius.a
chmod 644 /usr/local/lib/libfreeradius-radius.a
ranlib /usr/local/lib/libfreeradius-radius.a
PATH="$PATH:/sbin" ldconfig -n /usr/local/lib
--
Libraries have been installed in:
   /usr/local/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
 during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
 during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
--
rm -f /usr/local/lib/libfreeradius-radius-2.1.1.la;
ln -s libfreeradius-radius.la /usr/local/lib/libfreeradius-radius-2.1.1.la
gmake[4]: Leaving directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src/lib'
Making install in modules...
gmake[4]: Entering directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src/modules'
/usr/src/packages/BUILD/freeradius-server-2.1.1/install-sh -c -d -m 755
/usr/local/lib
gmake[5]: Entering directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src/modules'
Making install in rlm_acctlog...
gmake[6]: Entering directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src/modules/rlm_acctlog'
if [ "xrlm_acctlog" != "x" ]; then \
/usr/src/packages/BUILD/freeradius-server-2.1.1/libtool --mode=install
/usr/src/packages/BUILD/freeradius-server-2.1.1/install-sh -c -c \
rlm_acctlog.la /usr/local/lib/rlm_acctlog.la || exit $?; \
rm -f /usr/local/lib/rlm_acctlog-2.1.1.la; \
ln -s rlm_acctlog.la /usr/local/lib/rlm_acctlog-2.1.1.la || exit $?; \
fi
libtool: install: error: cannot install `rlm_acctlog.la' to a directory not
ending in /usr/lib/freeradius
gmake[6]: *** [install] Error 1
gmake[6]: Leaving directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src/modules/rlm_acctlog'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src/modules'
gmake[4]: *** [install] Error 2
gmake[4]: Leaving directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src'
gmake[2]: *** [install] Error 2
gmake[2]: Leaving directory
`/usr/src/packages/BUILD/freeradius-server-2.1.1/src'
gmake[1]: *** [common] Error 2
gmake[

Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread Vieri
--- On Thu, 10/2/08, Vieri <[EMAIL PROTECTED]> wrote:

> I'm running freeradius-2.0.5 on Linux.
> 
> My setup is as follows:
> 
> Windows Vista native client - Linksys AP - FreeRadius Linux
> server (PEAP/mschapv2) - Active Directory Windows server
> 
> Everything works smoothly with the following ntlm_auth
> parameters in the mschap module:
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
> 
> However, user authentication is rejected when I add the
> --domain parameter:
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-D
> omain} --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
> 
> (from the Windows Vista client I obviously set the DOMAIN
> field; besides, if I run the freeradius daemon with debug
> enabled I see that it "correctly" receives
> 'DOMAIN\username')
> 
> For starters, I don't understand why authentication
> fails if I add --domain. How can I find out why?
> 
> Then, adding --require-membership-of with or without
> --domain also fails.
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-D
> omain} --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --require-membership-of='DOMAIN\\WIFI'
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
> 
> Finally, running ntlm_auth from the command line yields:
> 
> # ntlm_auth --request-nt-key --domain=DOMAIN
> --username=myuser
> --require-membership-of='DOMAIN\\WIFI'
> password:
> NT_STATUS_OK: Success (0x0)

I found this in the radiusd debug log:

[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
  Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!

so I removed the '' in the ntlm_auth string like this:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key  
--username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN 
--require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}"

and now it works.

So this leads me to ask how I can specify group names with spaces such as 'WIFI 1'.

Also, I had to specify the domain explicitly either via --domain=DOMAIN or 
--domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication 
succeeds only if the client does NOT specify a domain in the domain or user 
field.
So I'm attaching some debug outputs with the hope that someone can shed some 
light on this aspect which I obviously don't grasp.

Thanks,

Vieri



[Attachment: radiusd.log.tar.gz, GNU Zip compressed data]
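The debug line above shows winbind trying to resolve the literal string 'DOMAIN\WIFI', single quotes included, which is the behaviour you get when a command string is split into an argv on whitespace with no shell in between: quote characters are just bytes. The following Python is an added illustration written for this thread, not code from FreeRADIUS or from the poster; it models the exec step as a plain whitespace split (an assumption, chosen because it matches what the log shows) and contrasts it with shell-style splitting via shlex. It also shows what happens to a group name containing a space under whitespace splitting, which is the poster's open question; it does not claim to answer how FreeRADIUS expects such a name to be written.

```python
"""Argument splitting with and without a shell, applied to an ntlm_auth line.

Added example for the thread above; the "no shell" splitter is a model of a
program that tokenizes a command string on whitespace and is NOT the exec
code of FreeRADIUS or of any other project.
"""
import shlex

# Constructed command strings, modelled on the ntlm_auth settings in the post.
# They are written as the string would look AFTER the config file has been
# unescaped, so the "\\" in radiusd.conf is a single backslash here.
CMD_QUOTED = (
    "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN "
    "--require-membership-of='DOMAIN\\WIFI' "
    "--challenge=00 --nt-response=00"
)
# The working variant from the post: same line with the single quotes removed.
CMD_UNQUOTED = CMD_QUOTED.replace("'", "")
# A group name with a space in it (constructed: 'WIFI 1').
CMD_SPACE = (
    "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN "
    "--require-membership-of=DOMAIN\\WIFI 1 "
    "--challenge=00 --nt-response=00"
)

MEMBERSHIP_PREFIX = "--require-membership-of="


def split_no_shell(cmd: str) -> list[str]:
    """Split on whitespace only; quotes are ordinary characters (model)."""
    return cmd.split()


def split_like_shell(cmd: str) -> list[str]:
    """POSIX-shell style splitting: quotes group words and are stripped."""
    return shlex.split(cmd, posix=True)


def membership_arg(argv: list[str]):
    """Return the value the program would see for --require-membership-of."""
    for arg in argv:
        if arg.startswith(MEMBERSHIP_PREFIX):
            return arg[len(MEMBERSHIP_PREFIX):]
    return None


def stray_args(argv: list[str]) -> list[str]:
    """Tokens after argv[0] that are not options: leftovers of a split value."""
    return [arg for arg in argv[1:] if not arg.startswith("-")]


if __name__ == "__main__":
    for label, cmd in (("quoted", CMD_QUOTED),
                       ("unquoted", CMD_UNQUOTED),
                       ("space in group", CMD_SPACE)):
        argv = split_no_shell(cmd)
        print(f"{label:15} no shell : group={membership_arg(argv)!r} "
              f"stray={stray_args(argv)}")
        argv = split_like_shell(cmd)
        print(f"{label:15} via shell: group={membership_arg(argv)!r} "
              f"stray={stray_args(argv)}")
```

Under the whitespace-split model the quoted form hands winbind the group name with the quotes still attached, exactly the name the log says it could not resolve, while the unquoted form yields DOMAIN\WIFI. A group name with a space splits into two tokens: the option keeps only the part before the space and the rest shows up as a stray positional argument, so quoting in the config string is not what protects the space.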

Re: strange rlm_expiration behavior

2008-10-03 Thread Alan DeKok
Flamur Rogova wrote:
> I am having strange behavior of rlm_expiration where it always returns
> "userlock", no matter what I put as expiration value.

  It looks like a bug in the parser for the "users" file.  I'll commit a
fix.

  Alan DeKok.