mschap No Cleartext-Password configured

2008-10-07 Thread alois blasbichler

Hello  list

I am trying to authenticate a Windows XP client via a Cisco wireless
router with RADIUS on Linux and behind it an OpenLDAP DB.


Users have POSIX and Samba passwords.

I installed radius from source: freeradius-server-2.1.0
I configured only:
clients.conf (shared secrets)
/sites-available/default (enabled ldap)
/modules/ldap (added my ldap settings)

Is this all I have to do?
With radtest all works fine, but my Windows client gives me an error:
-
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for ablasbichler with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
--

Can somebody give me a hint?

I have seen in an old mail:

NT-Password is wrong. Try first with plain text one (Cleartext-Password).
Then fix hashing.

Ivan Kalik
Kalik Informatika ISP


How do I set plain text passwords?

I tried to add in users:

ablasbichler Cleartext-Password == "ablasbichler"
With no success

I have a big debug file if it can help.

Thank you for any help.

luis


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


CA.all and CA.certs in Freeradius 2.x

2008-10-07 Thread Vegard Svanberg
The CA.all and CA.certs scripts seem to not be included in the
Freeradius 2.x tarball anymore. Have they just been forgotten, or have
they been replaced by other scripts, or are there other recommended ways
of handling/generating certs in 2.x?

-- 
Vegard Svanberg <[EMAIL PROTECTED]> [EMAIL PROTECTED] (EFnet)]



Re: CA.all and CA.certs in Freeradius 2.x

2008-10-07 Thread Vegard Svanberg
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-10-07 12:13]:

> Perhaps you should bother reading the mysteriously named file README in
> /certs directory before asking questions.

Seems the file got lost during the transition from 1.x. Thanks!

-- 
Vegard Svanberg <[EMAIL PROTECTED]> [EMAIL PROTECTED] (EFnet)]



How to implement Disconnect Request on Freeradius.

2008-10-07 Thread Piero Santi
Hi,
Could somebody help me find out whether RADIUS Disconnect and ACK messages
are supported in FreeRADIUS as defined in RFC 2822?

If it is supported, how can I implement it on my FreeRADIUS?

Thanks,

piero

EAP-TLS and use of dynamic vlan

2008-10-07 Thread Guk Victor
Is it possible to use the "users" file to determine attributes when
using EAP-TLS?


I am interested in:
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = 2

Tell me how the user must be described in this case. Now I get these attributes:
Login OK: [test_user/] (from client 10.0.1.2 
port 117604353 cli 0013-7737-714e)

Sending Access-Accept of id 29 to 10.0.1.2 port 5007
   Framed-IP-Address = 255.255.255.254
   Framed-MTU = 576
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP
   MS-MPPE-Recv-Key = 
0x7583f59293cfa05710f3c0414baa414818cd7c210e9c03bcd587a0201bbbdf1d
   MS-MPPE-Send-Key = 
0x0eb94c5347aef770fea54e15c6e3b4fa17e638d52e94033b4c6eb55b1405fb41

   EAP-Message = 0x03060004
   Message-Authenticator = 0x
   User-Name = "test_user"
Finished request 4


Re: How to implement Disconnect Request on Freeradius.

2008-10-07 Thread Arran Cudbard-Bell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Piero,

> so are you saying i have to use radclient ? Putting it in a shell
> script and executing it when i need ?
> 

Yes

> There is another way to implement the Disconnect Request ?

The standard 802.1X MIB supports forced re-authentication. There is no
advantage to using a DM over SNMP in a local environment. The FreeRADIUS
server itself cannot send Disconnect or CoA messages.

Regards
Arran

- --
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjrXNMACgkQcaklux5oVKISsQCfcQUo4CAd++O+H2W6HsqqaS3z
/REAn3OAXDQnnncAfM+tz38KqT6UjpSq
=TFkO
-END PGP SIGNATURE-
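A worked version of the route Arran points at (a script driving radclient), as an added example that is not part of the original thread and is not radclient's or FreeRADIUS's code: it builds the Disconnect-Request that `radclient <nas>:3799 disconnect <secret>` sends (radclient from FreeRADIUS 2.1 accepts `disconnect` as the packet-type argument; check `radclient -h` on your build) and checks the NAS's Disconnect-ACK or Disconnect-NAK as RFC 5176 (which replaces RFC 3576) specifies. The NAS is simulated in-process so the exchange runs offline; the shared secret, NAS address, user name and session id are made-up values. The security point is the Request Authenticator: the NAS must verify it against the shared secret before tearing a session down, otherwise anyone who can reach UDP/3799 can disconnect users.

```python
"""Added example: a pure-Python Disconnect-Request exchange (RFC 5176,
formerly RFC 3576). Not FreeRADIUS or radclient code; the NAS is
simulated in-process and the secret, addresses and session id are
made up."""
import hashlib
import hmac
import os
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID, ERROR_CAUSE = 1, 4, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value from RFC 5176

def encode_avps(avps):
    """avps: iterable of (type, value bytes); wire form is Type Length Value."""
    out = b""
    for t, v in avps:
        if not 0 < len(v) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_avps(blob):
    avps, i = [], 0
    while i < len(blob):
        t, l = struct.unpack("!BB", blob[i:i + 2])
        if l < 2 or i + l > len(blob):
            raise ValueError("malformed attribute")
        avps.append((t, blob[i + 2:i + l]))
        i += l
    return avps

def build_request(code, ident, avps, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    body = encode_avps(avps)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def verify_request(packet, secret):
    """The check a NAS must do before acting: without the shared secret
    nobody can produce a valid authenticator for a forged request."""
    head, auth, body = packet[:4], packet[4:20], packet[20:]
    expect = hashlib.md5(head + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expect)

def build_response(code, request, avps, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_avps(avps)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    head, auth, body = response[:4], response[4:20], response[20:]
    if head[1] != request[1]:        # identifier mismatch: not our answer
        return False
    expect = hashlib.md5(head + request[4:20] + body + secret).digest()
    return hmac.compare_digest(auth, expect)

def simulated_nas(packet, secret, active_sessions):
    """Constructed NAS: drop bad authenticators silently (RFC 5176 s.2.3),
    ACK if the session exists, otherwise NAK with Error-Cause 503."""
    if not verify_request(packet, secret):
        return None
    avps = dict(decode_avps(packet[20:]))
    sid = avps.get(ACCT_SESSION_ID, b"").decode()
    if sid in active_sessions:
        active_sessions.discard(sid)
        return build_response(DISCONNECT_ACK, packet, [], secret)
    return build_response(DISCONNECT_NAK, packet,
                          [(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))],
                          secret)

def disconnect(user, session_id, secret, active_sessions, ident=None):
    """Send one Disconnect-Request; return (request, response code or None
    if the NAS dropped it, whether the response authenticator verified)."""
    ident = os.urandom(1)[0] if ident is None else ident
    req = build_request(DISCONNECT_REQUEST, ident,
                        [(USER_NAME, user.encode()),
                         (ACCT_SESSION_ID, session_id.encode()),
                         (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))],  # made-up NAS
                        secret)
    resp = simulated_nas(req, secret, active_sessions)
    if resp is None:
        return req, None, False
    return req, resp[0], verify_response(resp, req, secret)

if __name__ == "__main__":
    sessions = {"8100004F"}
    print(disconnect("piero", "8100004F", b"testing123", sessions)[1:])  # (41, True)
    print(disconnect("piero", "8100004F", b"testing123", sessions)[1:])  # (42, True)
```

The NAS side is the part worth copying: a Disconnect-Request whose authenticator does not verify is dropped without any reply, so a forger learns nothing. A script around radclient gets the same behaviour for free but must still use the secret the NAS has configured for its dynamic-authorization client, which is often a separate entry from the RADIUS server secret.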


Re: How to implement Disconnect Request on Freeradius.

2008-10-07 Thread Piero Santi
OK

Thanks a lot!

piero




Re: NTLM_auth active directory - what is wrong?

2008-10-07 Thread Syed Anwarul Hasan
Hi Santiago,

I would suggest you first try with radtest to see whether ntlm_auth BIND AS
USER is working or not.

Have a user entry in the users file with Auth-Type := ntlm_auth
Add *ntlm_auth* in the authenticate section of the default and inner-tunnel files in
the /sites-enabled directory.

Then, if radtest returns NT Success OK, ntlm_auth is being done by the server.
Then try RADIUS requests from the actual NAS.

I have done it this way so far to check the ntlm_auth bind.

The experts can shed more light on your problem.

Regards,
SYED



On Tue, Oct 7, 2008 at 2:36 PM, Santiago Matiz V <[EMAIL PROTECTED]>wrote:

>
> Hi all
> I follow the instructions of Alan :
>
> 
>
> to authenticate ntlm_auth with radius but appers the following message:
>
> " WARNING: Unknown value specified for Auth-Type.  Cannot perform requested
> action.
> auth: Failed to validate the user."
>
> what is wrong?
>
> Please help.
> Santiago
>
>

Re: How to implement Disconnect Request on Freeradius.

2008-10-07 Thread Evgeniy Kozhuhovskiy

Piero Santi wrote:

> Hi Evgeniy,
>
> so are you saying I have to use radclient? Putting it in a shell
> script and executing it when I need it?
>
> Is there another way to implement the Disconnect Request?

Yes. Write a patch to freeradius and send it to Alan.

Btw, how do you want to use them from radius?

--
With best regards, Evgeniy Kozhuhovskiy,
Leader of Services team,
Minsk State Phony Network, RUE Beltelecom.


Re: How to implement Disconnect Request on Freeradius.

2008-10-07 Thread Piero Santi
Hi Evgeniy,

so are you saying I have to use radclient? Putting it in a shell
script and executing it when I need it?

Is there another way to implement the Disconnect Request?

Thanks,

Piero



2008/10/7 Evgeniy Kozhuhovskiy <[EMAIL PROTECTED]>
>
> Piero Santi wrote:
>
> http://wiki.freeradius.org/DM
>
>> Could some body help me to know whether Radius disconnect and Ack messages 
>> are supported in freeradius as defined in RFC 2822 ?
>> If it's supported how can i implement it on my freeradius ?
>
>
> --
> With best regards, Evgeniy Kozhuhovskiy,
> Leader of Services team,
> Minsk State Phony Network, RUE Beltelecom.


Re: mschap No Cleartext-Password configured

2008-10-07 Thread tnt
>i tried to add in users :
>
>ablasbichler Cleartext-Password == "ablasbichler"
>With no success
>

Should be := not ==.

>i have a big debug-file if it can help
>

Change the operator. If it doesn't help, post the debug.

Ivan Kalik
Kalik Informatika ISP



Re: How to implement Disconnect Request on Freeradius.

2008-10-07 Thread Piero Santi
Hi,

the idea is to use RADIUS + JRadius, and JRadius, in some situations,
should send a Disconnect-Request to the NAS IP.

This is the idea, but I have to talk with the other developers to
understand how this system has to work.

Thanks,

Piero




Re: NTLM_auth active directory - what is wrong?

2008-10-07 Thread Santiago Matiz V

Syed, thanks for your answer. When I configure the file "users" with "ntlm_auth"
the following error appears:

"/usr/local/etc/raddb/users[230]: Parse error (check) for entry DEFAULT: 
Unknown value ntlm_auth for attribute Auth-Type
Errors reading /usr/local/etc/raddb/users"

thanks again...

Santiago Matiz ([EMAIL PROTECTED])
Systems Engineer
Bogotá, Colombia (South America)



Re: Linksys SLM248G

2008-10-07 Thread Alan DeKok
David Blackman wrote:
> I have a lab that has wired ports that connect to a Linksys SLM248G
> switch that supports 802.1x.  What I want to do is to set this switch
> up to make the users authenticate to gain access to the network.  The
> users will have accounts on the radius server which is a FreeBSD 7.0
> system running FreeRadius 2.06.

  There is no version 2.0.6.

> I would like them to be able to enter
> their username and password to access the network.  Should this be
> possible?

  Well... yes.

> I get nothing from the radiusd -X if I have the windows xp EAP type: set
> to MD5-Challenge or Smart card or other Certificates.

  So... the switch isn't forwarding the EAP packets to the server.  Why
is this the fault of the server?

> I get the following if I have the windows xp supplicant EAP type: set to
> Protected EAP (PEAP) and Select Authentication Method: set to Secured
> password (EAP-MSCHAP v2) configured to automatically use my windows
> logon name...
...
> Sending Access-Challenge of id 0 to 128.227.232.133 port 49154
> EAP-Message = 0x010700061900
> Message-Authenticator = 0x
> State = 0xec6255ece9654c13c816ac1ff80419e2
> Finished request 17.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 17 ID 0 with timestamp +190
> Ready to process requests.

  This is in the FAQ, and in BIG LETTERS in eap.conf.  Please read those
files.

  Alan DeKok.


Re: mschap No Cleartext-Password configured

2008-10-07 Thread Nicolas Goutte


On 07.10.2008 at 11:48, alois blasbichler wrote:

> Hello list
>
> I am trying to authenticate a Windows XP client via a Cisco
> wireless router with RADIUS on Linux and behind it an OpenLDAP DB.
>
> Users have POSIX and Samba passwords.
>
> [...]
>
> Can somebody give me a hint?
>
> I have seen in an old mail:
> NT-Password is wrong. Try first with plain text one (Cleartext-Password).
>
> Then fix hashing.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> How do I set plain text passwords?
>
> I tried to add in users:
>
> ablasbichler Cleartext-Password == "ablasbichler"

Try := instead of == (Think of "setting" the password instead of
"comparing" it.)

For example:

foo Cleartext-Password := "foo"

> With no success
>
> I have a big debug file if it can help
>
> Thank you for any help
>
> luis



Have  a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841




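To tie the two answers above together (tnt's `:=` and Nicolas's `foo Cleartext-Password := "foo"`) with Victor's earlier question about reply attributes for EAP-TLS, here is an added example that is not code from FreeRADIUS or from anyone in the thread. It shows what the mschap module needs and why: MS-CHAPv2 can only be checked against a Cleartext-Password or an NT-Password (MD4 over the UTF-16LE password), which is why a crypt or SSHA hash from LDAP userPassword produces exactly the "Cannot create NT-Password" lines in the debug output. `nt_hash()` carries a self-contained MD4 (RFC 1320) so the block runs even where OpenSSL no longer exposes MD4; `users_entry()` renders the `users` file lines, with check items on the first line (`:=` sets the attribute, `==` only compares against one in the request and so never supplies a password) and reply items indented beneath. The user names, VLAN id and passwords are made up.

```python
"""Added example, not FreeRADIUS code: derive NT-Password from a cleartext
password and render 'users' file entries for the cases in the thread."""
import struct

_M = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M

def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out here only so the block has no
    dependency on hashlib's optional 'md4' (OpenSSL legacy provider)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(0, 16, 4):            # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & _M, 3)
            d = _rotl((d + F(a, b, c) + X[i + 1]) & _M, 7)
            c = _rotl((c + F(d, a, b) + X[i + 2]) & _M, 11)
            b = _rotl((b + F(c, d, a) + X[i + 3]) & _M, 19)
        for i in range(4):                   # round 2
            a = _rotl((a + G(b, c, d) + X[i] + 0x5A827999) & _M, 3)
            d = _rotl((d + G(a, b, c) + X[i + 4] + 0x5A827999) & _M, 5)
            c = _rotl((c + G(d, a, b) + X[i + 8] + 0x5A827999) & _M, 9)
            b = _rotl((b + G(c, d, a) + X[i + 12] + 0x5A827999) & _M, 13)
        for i in (0, 2, 1, 3):               # round 3
            a = _rotl((a + H(b, c, d) + X[i] + 0x6ED9EBA1) & _M, 3)
            d = _rotl((d + H(a, b, c) + X[i + 8] + 0x6ED9EBA1) & _M, 9)
            c = _rotl((c + H(d, a, b) + X[i + 4] + 0x6ED9EBA1) & _M, 11)
            b = _rotl((b + H(c, d, a) + X[i + 12] + 0x6ED9EBA1) & _M, 15)
        h = [(x + y) & _M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, no terminator, 32 hex chars.
    This is all MS-CHAPv2 needs; the LM hash the debug output also
    mentions is not required for MS-CHAPv2."""
    return md4(password.encode("utf-16-le")).hex()

def _fmt(value):
    """Quote string values; leave 0x-prefixed octet strings bare.
    (Demo only: a password containing a double quote would need escaping.)"""
    s = str(value)
    return s if s.startswith("0x") else f'"{s}"'

def users_entry(name, check=(), reply=()):
    """Render one 'users' entry. check: (attr, op, value) triples for the
    first line, where := SETS the attribute and == only COMPARES it with
    the request; reply: (attr, value) pairs, indented, comma-separated."""
    first = name
    if check:
        first += "\t" + ", ".join(f"{a} {op} {_fmt(v)}" for a, op, v in check)
    items = [f"\t{a} = {v}" for a, v in reply]
    return "\n".join([first] + [it + "," for it in items[:-1]] + items[-1:])

def entry_from_cleartext(name, password):
    return users_entry(name, [("Cleartext-Password", ":=", password)])

def entry_from_nt_hash(name, password):
    """Same user, but only the hash is stored on the server."""
    return users_entry(name, [("NT-Password", ":=", "0x" + nt_hash(password))])

def entry_with_vlan(name, vlan_id):
    """EAP-TLS: the certificate already authenticated the user, so there is
    nothing to check; only reply items placing the user in a VLAN
    (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802)."""
    return users_entry(name, reply=[("Tunnel-Type", "VLAN"),
                                    ("Tunnel-Medium-Type", "IEEE-802"),
                                    ("Tunnel-Private-Group-Id", vlan_id)])

if __name__ == "__main__":
    print(entry_from_cleartext("ablasbichler", "made-up-password"))
    print(entry_from_nt_hash("ablasbichler", "made-up-password"))
    print(entry_with_vlan("test_user", 2))
```

For the LDAP case this means the server needs the sambaNTPassword attribute, not userPassword: the 2.x ldap module's attribute map (ldap.attrmap) can map sambaNtPassword to NT-Password, and the bind DN you configured must be allowed to read that attribute, which Samba-managed directories usually restrict. For the EAP-TLS case the entry is matched on the User-Name the supplicant sends as its EAP identity (test_user in Victor's log), and the `files` module must run in the authorize section of the outer (default) virtual server for the reply items to reach the Access-Accept.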


Re: $ORIGIN run-time path & libtool problem

2008-10-07 Thread Alan DeKok
John Center wrote:
> I'm having a problem compiling FreeRADIUS 2.1.1 on Solaris 10 using the
> Sun Studio 12 compiler.  I'm trying to specify the run-time library path
> like:
> 
> -R'$ORIGIN/../lib'

  Er... don't.  Use absolute paths.

> But I'm getting the following error:
> 
> libtool: link: only absolute run-paths are allowed

  See?

> If I remove the $ORIGIN run-time option, it compiles.  Is there a
> setting for libtool I can make to fix this?

  No.

  Or, edit "ORIGIN" to do the path mangling yourself.  Create a new
environment variable called ORIGINLIB, with the correct absolute path.

  Alan DeKok.


Re: NTLM_auth active directory - what is wrong?

2008-10-07 Thread Alan DeKok
Santiago Matiz V wrote:
> Syed thanks for your answer, when i configure the file "users" with 
> "ntlm_auth" appears the error :
> 
> "/usr/local/etc/raddb/users[230]: Parse error (check) for entry DEFAULT: 
> Unknown value ntlm_auth for attribute Auth-Type
> Errors reading /usr/local/etc/raddb/users"

  If it does that, it's because you haven't followed the guide.  Among
other things, the guide says to add the entry at the TOP of the "users"
file.  And you obviously haven't done that.

  Which files have you edited, and why?

  Alan DeKok.


Re: Primary key in radacct table

2008-10-07 Thread Marinko Tarlac
acctuniqueid is not unique in the default configuration. According to my
experience, the problem with duplicated sessions is very strange. My NAS (Mtik
2.9.x and Mtik 3.x) sends duplicated session ids, but almost at the same
time. For example, one session is started now and the second one is
transferred 1 second later.

On Tue, Oct 7, 2008 at 8:54 AM, Santiago Balaguer García <
[EMAIL PROTECTED]> wrote:

> I have a script to delete duplicate entries and stale sessions. But the
> duplicate accounting records are created in real time; I have to create a
> trigger in the database to detect these entries or activate an exec in the
> accounting module.
>
> Is the 'acctuniqueid' attribute unique across the whole database in a default
> freeradius configuration?
>
>
>
>
> --
>
> Date: Mon, 6 Oct 2008 17:53:32 +0200
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Primary key in radacct table
>
>
>
> You can do it and it will solve your problem, but it can create a small
> overhead because radius tries to write into the database and the write will be
> rejected. You will see this in your log files.
>
> Another idea is to change NAS or you can create cron script to delete
> duplicated entries.
>
> MT
>
> On Mon, Oct 6, 2008 at 5:35 PM, Santiago Balaguer García <
> [EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I am using freeradius 1.1.7 + postgres since 3 years ago. The AAA
> service works fine, however my radacct table sometimes has duplicate
> records.
> I realize that it happens when a NAS does not have a reliable Internet
> connection, so the NAS sends the accounting packets several times.
>
>   My radacct table has 'radacctid' as primary key. I realize that two (or
> more) duplicate records share the 'acctsessionid' and 'acctuniqueid' fields,
> among others.
> I know the 'acctsessionid' field can be the same in different NASes.
> Would it be a good idea to change the primary key to 'acctuniqueid'?
>
>  Santiago
>
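The failure mode Marinko and Santiago describe, reproduced offline as an added example (not FreeRADIUS's SQL module, schema or queries): a unique id derived the way rlm_acct_unique does it, an MD5 over a fixed list of request attributes (the key list is assumed to be the 2.x default: User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port; the exact formatting is an approximation of the module), fed into an in-memory SQLite table with a UNIQUE constraint on acctuniqueid. A retransmitted Start then bounces off the constraint, which is the "small overhead" MT mentions, a retransmitted Stop does not open a second row, and the same Acct-Session-Id from a different NAS still gets its own row. The accounting packets are constructed test data.

```python
"""Added example, not FreeRADIUS code: deduplicate retransmitted
accounting packets with a UNIQUE acctuniqueid column."""
import hashlib
import sqlite3

# Assumed 2.x default key of rlm_acct_unique (radiusd.conf / modules/acct_unique)
UNIQUE_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address",
              "Client-IP-Address", "NAS-Port")

def acct_unique_id(pkt: dict) -> str:
    """Approximation of rlm_acct_unique: the key attributes' values joined
    with commas, MD5-hashed, hex encoded. Absent attributes are skipped.
    Note what is NOT in the key: timestamps and Acct-Status-Type, so a
    Start and its Stop (and any retransmission) share one id."""
    parts = [str(pkt[k]) for k in UNIQUE_KEY if k in pkt]
    return hashlib.md5(",".join(parts).encode()).hexdigest()

SCHEMA = """
CREATE TABLE radacct (
  radacctid       INTEGER PRIMARY KEY AUTOINCREMENT,
  acctsessionid   TEXT NOT NULL,
  acctuniqueid    TEXT NOT NULL UNIQUE,
  username        TEXT,
  nasipaddress    TEXT,
  acctstarttime   INTEGER,
  acctstoptime    INTEGER,
  acctsessiontime INTEGER
)"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def record(db, pkt: dict) -> str:
    """Store one accounting packet; return what happened to it."""
    uid = acct_unique_id(pkt)
    now = pkt["Event-Timestamp"]
    if pkt["Acct-Status-Type"] == "Start":
        try:
            db.execute("INSERT INTO radacct (acctsessionid, acctuniqueid, username,"
                       " nasipaddress, acctstarttime) VALUES (?,?,?,?,?)",
                       (pkt["Acct-Session-Id"], uid, pkt["User-Name"],
                        pkt["NAS-IP-Address"], now))
            return "inserted"
        except sqlite3.IntegrityError:
            return "duplicate-start"   # the retransmission: nothing to do
    # Stop: close the open row for this id ...
    cur = db.execute("UPDATE radacct SET acctstoptime=?, acctsessiontime=?"
                     " WHERE acctuniqueid=? AND acctstoptime IS NULL",
                     (now, pkt.get("Acct-Session-Time"), uid))
    if cur.rowcount == 1:
        return "stopped"
    if db.execute("SELECT 1 FROM radacct WHERE acctuniqueid=?", (uid,)).fetchone():
        return "duplicate-stop"        # already closed by the first Stop
    # ... or, if the Start was lost, insert the session already closed
    duration = pkt.get("Acct-Session-Time") or 0
    db.execute("INSERT INTO radacct (acctsessionid, acctuniqueid, username,"
               " nasipaddress, acctstarttime, acctstoptime, acctsessiontime)"
               " VALUES (?,?,?,?,?,?,?)",
               (pkt["Acct-Session-Id"], uid, pkt["User-Name"],
                pkt["NAS-IP-Address"], now - duration, now, duration))
    return "inserted"

def base(**over):
    """Constructed accounting packet; overrides build the variants."""
    pkt = {"User-Name": "santiago", "Acct-Session-Id": "8000001A",
           "NAS-IP-Address": "10.0.0.5", "Client-IP-Address": "10.0.0.5",
           "NAS-Port": 3, "Acct-Status-Type": "Start",
           "Event-Timestamp": 1223366400}
    pkt.update(over)
    return pkt

STOP = {"Acct-Status-Type": "Stop", "Acct-Session-Time": 600,
        "Event-Timestamp": 1223367000}

# What an unreliable link produces: every packet arrives twice, plus a
# different NAS reusing the same Acct-Session-Id (a distinct session).
SAMPLE = [base(), base(), base(**STOP), base(**STOP),
          base(**{"NAS-IP-Address": "10.0.0.6", "Client-IP-Address": "10.0.0.6"})]

def replay(packets):
    """Return (per-packet outcome list, number of radacct rows)."""
    db = open_db()
    outcomes = [record(db, p) for p in packets]
    return outcomes, db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The constraint only helps if every packet for a session hashes to the same id, so the key must not include anything the NAS changes between Start, Interim and Stop; conversely, a NAS that genuinely reuses an Acct-Session-Id for a new session from the same port, as Marinko reports, collides on this id and one of the two sessions is lost, which is the reason to keep radacctid as the primary key and treat acctuniqueid as a separate UNIQUE index you can relax per NAS.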

Re: freeradius compiled again, same trouble with AD

2008-10-07 Thread A . L . M . Buxey
Hi,

> at the end of the output i see:
> /etc/openradius/raddb/users[1]: Parse error (check) for entry users: Unknown 
> value ntlm_auth for attribute Auth-Type
> Errors reading /etc/openradius/raddb/users
> /etc/openradius/raddb/modules/files[7]: Instantiation failed for module 
> "files"
> /etc/openradius/raddb/sites-enabled/inner-tunnel[111]: Failed to find module 
> "files".
> /etc/openradius/raddb/sites-enabled/inner-tunnel[34]: Errors parsing 
> authorize section.
>  }
> }
> Errors initializing modules

you've edited the default files in wrong and bad ways, which has
then caused the failure of the server. Because you have an error
in the users file, the 'files' module has failed, and because
the 'files' module has failed, the inner-tunnel virtual
server which has the 'files' module configured has also failed.

Failed virtual servers or a failed read of the server config = no working daemon.

Just fix the users entry.

alan


Re: freeradius compiled again, same trouble with AD

2008-10-07 Thread tnt
>I did now all the following, step by step:
>http://deployingradius.com/documents/configuration/active_directory.html
>
>and when I type radiusd -X
>
>at the end of the output i see:
>/etc/openradius/raddb/users[1]: Parse error (check) for entry users: Unknown 
>value ntlm_auth for attribute Auth-Type
>Errors reading /etc/openradius/raddb/users
>/etc/openradius/raddb/modules/files[7]: Instantiation failed for module "files"
>/etc/openradius/raddb/sites-enabled/inner-tunnel[111]: Failed to find module 
>"files".
>/etc/openradius/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize 
>section.
> }
>}

Add ntlm_auth to the authenticate section of the inner-tunnel virtual server as
well. You have probably added it just to the default virtual server.

Ivan Kalik
Kalik Informatika ISP



Re: NTLM_auth active directory - what is wrong?

2008-10-07 Thread tnt
Add ntlm_auth to the inner-tunnel virtual server as well. Or add it to the
instantiate section of radiusd.conf.

Ivan Kalik
Kalik Informatika ISP


On 7/10/2008, "Santiago Matiz V" <[EMAIL PROTECTED]> writes:

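The configuration that tnt, Syed and alan are all pointing at, written out as an added example assembled from their replies and from the deployingradius.com Active Directory guide the thread follows (it is not a copy of that guide; the ntlm_auth path and the domain name are assumptions, and the `...` stands for whatever else is already in the section). The error both Santiago and the "compiled again" poster see, "Unknown value ntlm_auth for attribute Auth-Type", means the `users` file was parsed before any loaded virtual server had declared that Auth-Type, and the `files` module that fails as a result takes the inner-tunnel virtual server down with it.

```text
# 1. Define the module: in the modules section of radiusd.conf (2.0.x)
#    or as the file modules/ntlm_auth (2.1.x). Path and domain are
#    assumptions; use your own.
exec ntlm_auth {
	wait = yes
	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# 2. Declare the Auth-Type in EVERY virtual server that will use it,
#    i.e. in BOTH sites-enabled/default AND sites-enabled/inner-tunnel.
#    The value "ntlm_auth" for Auth-Type exists only once an
#    authenticate section contains this block. (tnt's alternative is to
#    list ntlm_auth in the instantiate section of radiusd.conf so the
#    module is loaded before any virtual server is parsed.)
authenticate {
	Auth-Type ntlm_auth {
		ntlm_auth
	}
	...
}

# 3. users: at the TOP of the file, before any other DEFAULT entry,
#    as Alan's reply insists.
DEFAULT	Auth-Type := ntlm_auth
```

Test with radtest against localhost first, as Syed suggests. The DEFAULT entry forces every request through ntlm_auth with the cleartext User-Password, which only works for PAP-style requests (radtest, EAP-TTLS/PAP); for the MS-CHAPv2 requests a NAS actually sends, the mschap module's own `ntlm_auth = ...` setting (the `--challenge`/`--nt-response` form already visible in Santiago's debug output) does the work, so remove the DEFAULT line once radtest succeeds rather than leaving a catch-all Auth-Type in production.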

NTLM_auth active directory - what is wrong?

2008-10-07 Thread Santiago Matiz V

Hi all
I followed the instructions of Alan:



to authenticate ntlm_auth with radius, but the following message appears:

" WARNING: Unknown value specified for Auth-Type.  Cannot perform requested 
action.
auth: Failed to validate the user."

what is wrong?

Please help.
Santiago


FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Sep  3 2008 at 
15:55:02
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
log_stripped_names = no
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
 client 192.100.16.11 {
require_message_authenticator = no
secret = "123"
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
 realm DOMAIN.LOC {
authhost = LOCAL
accthost = LOCAL
 }
 realm DOMAIN {
authhost = LOCAL
accthost = LOCAL
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain:-DOMAIN}
--username=%{mschap:User-Name}  --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}"
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating realmslash
  realm realmslash {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
  }
 Module: Instantiating suffix
  realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = "Password: "
auth_type = "PAP"
   }
 Module: Linked to sub-mo

Re: NTLM_auth active directory - what is wrong?

2008-10-07 Thread Santiago Matiz V
Hi Alan, thanks for your help

I configured my users file as you directed:

user      Auth-Type := ntlm_auth

DEFAULT   Auth-Type = MSCHAP
          Fall-Through = 1,
          Reply-Message = "MsChap user"



but when I run radiusd -X, this appears:

"/usr/local/etc/raddb/users[1]: Parse error (check) for entry user: Unknown 
value ntlm_auth for attribute Auth-Type"






Santiago Matiz ([EMAIL PROTECTED])
Systems Engineer
Pontificia Universidad Javeriana
http://www.javeriana.edu.co
Bogotá, Colombia (South America)


--- On Tue, 10/7/08, Alan DeKok <[EMAIL PROTECTED]> wrote:

> From: Alan DeKok <[EMAIL PROTECTED]>
> Subject: Re: NTLM_auth active directory - what is wrong?
> To: [EMAIL PROTECTED], "FreeRadius users mailing list" 
> 
> Date: Tuesday, October 7, 2008, 3:24 PM
> Santiago Matiz V wrote:
> > Syed thanks for your answer, when i configure the file
> "users" with "ntlm_auth" appears the
> error :
> > 
> > "/usr/local/etc/raddb/users[230]: Parse error
> (check) for entry DEFAULT: Unknown value ntlm_auth for
> attribute Auth-Type
> > Errors reading /usr/local/etc/raddb/users"
> 
>   If it does that, it's because you haven't
> followed the guide.  Among
> other things, the guide says to add the entry at the TOP of
> the "users"
> file.  And you obviously haven't done that.
> 
>   Which files have you edited, and why?
> 
>   Alan DeKok.


  



Re: NTLM_auth active directory - what is wrong?

2008-10-07 Thread Alan DeKok
Santiago Matiz V wrote:
> Hi Alan, thank for your help
> 
> I configured my users file with your direction :

  Hmm... no.

> user  Auth-Type := ntlm_auth

  That's supposed to be at the TOP of the "users" file.  You didn't do that.

> DEFAULT   Auth-Type = MSCHAP
> Fall-Through = 1,
> Reply-Message = "MsChap user"

  I have no idea why you added that.  The documentation doesn't say to
add that.

> but when i run radiusd -X appears :

  Which you've already said many times.  Stop repeating that information
on the list.  It's useless.

  Instead, follow the directions.  Edit the "authenticate" section as
described in the documentation.

  Really, it's not hard.  The guide says WHICH files to edit, WHERE in
the files the edits should take place, and WHAT to change.  There are a
series of steps to follow, with examples.

  You are not following the directions.  Why?

  If you don't follow the directions, there's no reason for anyone to
keep answering your questions on this list.  I've already written the
documentation that you need to follow.  Duplicating it here is useless.
 Especially if you make it clear that you have no intention of reading
the documentation on the web site, or of following the instructions on
the web site.

  Alan DeKok.


Linksys SLM248G

2008-10-07 Thread David Blackman
I have a lab that has wired ports that connect to a Linksys SLM248G 
switch that supports 802.1x.  What I want to do is to set this switch 
up to make the users authenticate to gain access to the network.  The 
users will have accounts on the radius server, which is a FreeBSD 7.0 
system running FreeRadius 2.06. I would like them to be able to enter 
their username and password to access the network.  Should this be possible?


I get nothing from the radiusd -X if I have the windows xp EAP type: set 
to MD5-Challenge or Smart card or other Certificates.


I get the following if I have the windows xp supplicant EAP type: set to 
Protected EAP (PEAP) and Select Authentication Method: set to Secured 
password (EAP-MSCHAP v2) configured to automatically use my windows 
logon name...


rad_recv: Access-Request packet from host 128.227.232.133 port 49154, 
id=0, length=83

NAS-IP-Address = 128.227.232.133
NAS-Port-Type = Ethernet
NAS-Port = 2
User-Name = "DB3\\dblac"
EAP-Message = 0x0201000e014442335c64626c6163
Message-Authenticator = 0x829bab10f0c399313b4946fc47f6aa9c
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DB3\dblac", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DB3\dblac at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 128.227.232.133 port 49154
EAP-Message = 0x01020016041081b9c6b3f031cce93aac863f3383a0c1
Message-Authenticator = 0x
State = 0xec6255ecec605113c816ac1ff80419e2
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 128.227.232.133 port 49154, 
id=0, length=93

Cleaning up request 12 ID 0 with timestamp +190
NAS-IP-Address = 128.227.232.133
NAS-Port-Type = Ethernet
NAS-Port = 2
User-Name = "DB3\\dblac"
State = 0xec6255ecec605113c816ac1ff80419e2
EAP-Message = 0x020200060319
Message-Authenticator = 0x3156b6e297a2d81c38042450074ffa81
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DB3\dblac", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DB3\dblac at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/peap
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 128.227.232.133 port 49154
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0xec6255eced614c13c816ac1ff80419e2
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 128.227.232.133 port 49154, 
id=0, length=167

Cleaning up request 13 ID 0 with timestamp +190
NAS-IP-Address = 128.227.232.133
NAS-Port-Type = Ethernet
NAS-Port = 2
User-Name = "DB3\\dblac"
State = 0xec6255eced614c13c816ac1ff80419e2
EAP-Message = 
0x02030050198000461603010041013d030148eb44b1c52d912b11d4d2bbd04b61fd302b03d22ba373beb33f2aa37b2424821600040005000a000900640062000300060013001200630100

Message-Authenticator = 0xd3f4489233cacc67f8a062f7e24b05f7
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DB3\dblac", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  

Re: NTLM_auth active directory - what is wrong?

2008-10-07 Thread tnt
For some reason some systems process the inner-tunnel virtual server before
the default one. Since that server knows nothing about ntlm_auth, this error
occurs. The best solution is probably to add ntlm_auth to the instantiate
section of radiusd.conf as well. Just in case. And add that step to the
configuration instructions in the HOWTO.

Ivan Kalik
Kalik Informatika ISP

On 7/10/2008, "Santiago Matiz V" <[EMAIL PROTECTED]> writes:

>Hi Alan, thank for your help
>
>I configured my users file with your direction :
>
>user   Auth-Type := ntlm_auth
>
>DEFAULT   Auth-Type = MSCHAP
> Fall-Through = 1,
> Reply-Message = "MsChap user"
>
>
>
>but when i run radiusd -X appears :
>
>"/usr/local/etc/raddb/users[1]: Parse error (check) for entry user: Unknown 
>value ntlm_auth for attribute Auth-Type"
>
>
>
>
>
>
>Santiago Matiz ([EMAIL PROTECTED])
>Systems Engineer
>Pontificia Universidad Javeriana
>http://www.javeriana.edu.co
>Bogotá, Colombia (South America)
>
>
>--- On Tue, 10/7/08, Alan DeKok <[EMAIL PROTECTED]> wrote:
>
>> From: Alan DeKok <[EMAIL PROTECTED]>
>> Subject: Re: NTLM_auth active directory - what is wrong?
>> To: [EMAIL PROTECTED], "FreeRadius users mailing list" 
>> 
>> Date: Tuesday, October 7, 2008, 3:24 PM
>> Santiago Matiz V wrote:
>> > Syed thanks for your answer, when i configure the file
>> "users" with "ntlm_auth" appears the
>> error :
>> > 
>> > "/usr/local/etc/raddb/users[230]: Parse error
>> (check) for entry DEFAULT: Unknown value ntlm_auth for
>> attribute Auth-Type
>> > Errors reading /usr/local/etc/raddb/users"
>> 
>>   If it does that, it's because you haven't
>> followed the guide.  Among
>> other things, the guide says to add the entry at the TOP of
>> the "users"
>> file.  And you obviously haven't done that.
>> 
>>   Which files have you edited, and why?
>> 
>>   Alan DeKok.
>
>
>  
>
>
>



Re: How to implement Disconnect Request on Freeradius.

2008-10-07 Thread Evgeniy Kozhuhovskiy

Piero Santi wrote:

http://wiki.freeradius.org/DM

Could somebody help me find out whether RADIUS Disconnect and 
Ack messages are supported in freeradius as defined in RFC 2822?

If it's supported, how can I implement it on my freeradius?



--
With best regards, Evgeniy Kozhuhovskiy,
Leader of Services team,
Minsk State Phony Network, RUE Beltelecom.


Re: $ORIGIN run-time path & libtool problem

2008-10-07 Thread John Center

Hi Alan,

"Doctor, it hurts when I do this..."

"Well, don't do that..."  ;-)


I was hoping there was another way around this, but I guess not.  I 
finally found an old discussion on the Libtool list about this being a 
known problem with no easy fix.  Oh, well...


Thanks.

-John


Alan DeKok wrote:

John Center wrote:

I'm having a problem compiling FreeRADIUS 2.1.1 on Solaris 10 using the
Sun Studio 12 compiler.  I'm trying to specify the run-time library path
like:

-R'$ORIGIN/../lib'


  Er... don't.  Use absolute paths.


But I'm getting the following error:

libtool: link: only absolute run-paths are allowed


  See?


If I remove the $ORIGIN run-time option, it compiles.  Is there a
setting for libtool I can make to fix this?


  No.

  Or, edit "ORIGIN" to do the path mangling yourself.  Create a new
environment variable called ORIGINLIB, with the correct absolute path.

  Alan DeKok.


Question about Jradius

2008-10-07 Thread Piero Santi
Hi,

i would like to know the compatibility of the latest stable version of
Jradius with FreeRadius 2.x.

Thanks,

Piero

Re: CA.all and CA.certs in Freeradius 2.x

2008-10-07 Thread tnt
Perhaps you should bother reading the mysteriously named file README in
/certs directory before asking questions.

Ivan Kalik
Kalik Informatika ISP


On 7/10/2008, "Vegard Svanberg" <[EMAIL PROTECTED]> writes:

>The CA.all and CA.certs scripts seem to not be included in the
>Freeradius 2.x tarball anymore. Have they just been forgotten, or have
>they been replaced by other scripts, or are there other recommended ways
>of handling/generating certs in 2.x?
>
>--
>Vegard Svanberg <[EMAIL PROTECTED]> [EMAIL PROTECTED] (EFnet)]
>
>
>



$ORIGIN run-time path & libtool problem

2008-10-07 Thread John Center

Hi,

I'm having a problem compiling FreeRADIUS 2.1.1 on Solaris 10 using the 
Sun Studio 12 compiler.  I'm trying to specify the run-time library path 
like:


-R'$ORIGIN/../lib'

But I'm getting the following error:

libtool: link: only absolute run-paths are allowed

If I remove the $ORIGIN run-time option, it compiles.  Is there a 
setting for libtool I can make to fix this?


Thanks.

-John


--
John Center
Villanova University


Re: EAP-TLS and use of dynamic vlan

2008-10-07 Thread tnt
>Is it possible to use the "users" file to determine attributes
>when using EAP-TLS?
>
>I am interested in:
>Tunnel-Type = 13,
>Tunnel-Medium-Type = 6,
>Tunnel-Private-Group-Id = 2
>

Yes. Just add them to users file entry for that user.

Ivan Kalik
Kalik Informatika ISP



freeradius compiled again, same trouble with AD

2008-10-07 Thread luis a

hello again friends 

i now did everything step by step, following 
http://deployingradius.com/documents/configuration/active_directory.html

and when I type radiusd -X

at the end of the output I see:
/etc/openradius/raddb/users[1]: Parse error (check) for entry users: Unknown 
value ntlm_auth for attribute Auth-Type
Errors reading /etc/openradius/raddb/users
/etc/openradius/raddb/modules/files[7]: Instantiation failed for module "files"
/etc/openradius/raddb/sites-enabled/inner-tunnel[111]: Failed to find module 
"files".
/etc/openradius/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize 
section.
 }
}
Errors initializing modules


thanks in advance, 
sorry for my insistence, but whoever doesn't seek will never find the truth.

 
Luis





RE: Newbie question

2008-10-07 Thread Jair Santos
Alan,

I understand and I am really grateful for all the work you guys have done
in this project.

Please understand that when we, as users, go to  a site to download  a
program,  the site structure and distribution of information is completely
new. We , (I)  try to understand it but we have no time to read everything.
I believe that this is normal and yes , we make mistakes. Don't you ? 

So please, don't try to give us (me) lessons about how to look for
information. I am an old guy and I still need much more time to learn  new
things . I don't need one more person to criticise my mistakes or laziness
to read a 200 pages web site in order to understand the whole picture.

You are guessing too much and you are guessing wrong.

Yes I did click on the link 2.1.1 on the main web page. That was the first
thing I did. These files didn't compile. It was  NOT because   the linker on
my system chooses the wrong libs as you can see from the log. There is
another reason and I don't know it.

configure:21137: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS   conftest.c -lnsl -lresolv  -lpthread -lreadline
>&5
/usr/lib/gcc/x86_64-redhat-linux/4.1.2/../../../../lib64/libreadline.so:
undefined reference to `PC'
/usr/lib/gcc/x86_64-redhat-linux/4.1.2/../../../../lib64/libreadline.so:
undefined reference to `tgetflag'
/usr/lib/gcc/x86_64-redhat-linux/4.1.2/../../../../lib64/libreadline.so:
undefined reference to `tgetent'
/usr/lib/gcc/x86_64-redhat-linux/4.1.2/../../../../lib64/libreadline.so:
undefined reference to `UP'
/usr/lib/gcc/x86_64-redhat-linux/4.1.2/../../../../lib64/libreadline.so:
undefined reference to `tputs'
/usr/lib/gcc/x86_64-redhat-linux/4.1.2/../../../../lib64/libreadline.so:
undefined reference to `tgoto'
/usr/lib/gcc/x86_64-redhat-linux/4.1.2/../../../../lib64/libreadline.so:
undefined reference to `tgetnum'
/usr/lib/gcc/x86_64-redhat-linux/4.1.2/../../../../lib64/libreadline.so:
undefined reference to `BC'
/usr/lib/gcc/x86_64-redhat-linux/4.1.2/../../../../lib64/libreadline.so:
undefined reference to `tgetstr'
collect2: ld returned 1 exit status
configure:21143: $? = 1


I am still trying to make this work and I thank very much all of you who are
helping me out.

Jair Santos


 
 
 


> -Original Message-
> From: 
> [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]
us.org] On Behalf Of Alan DeKok
> Sent: Monday, October 06, 2008 11:12 PM
> To: FreeRadius users mailing list
> Subject: Re: Newbie question
> 
> 
> Jair Santos wrote:
> > Well guys, let's clarify.
> 
>   You didn't click on the link for 2.1.1 on the main web 
> page: freeradius.org.  Instead, you clicked on the "download" 
> link.  You didn't click on the "tar" file link for 2.1.1 on 
> that page, either.  You didn't click on the 
> "git.freeradius.org" link for the new server source.  
> Instead, you followed the instructions for "other projects".
> 
>   And when you're wandering around the net looking for why 
> there are issues with SNMP, you don't read the "changelog" in 
> the most recent version.
> 
>   Honestly... there *is* a lot of effort put into documenting 
> the server.  Yet sometimes people put a lot of effort into 
> *ignoring* that documentation.  They look everywhere else 
> *but* the main web page... and the files that come with the server.
> 
>   Can you explain why?  I've never been able to understand it.
> 
> > I have no control about the files that are there. I would 
> like to have 
> > the latest version, that is AFAIK 2.1.1.
> 
>   Which is available from the links above.
> 
> > The point is that when I tried to download from 
> www.freeradius.org it 
> didn't compile for my Red Hat ES version 5.2, 64 bits.
> 
>   Because your system has both 32-bit && 64-bit libraries.  
> When the build system asks to link to a library, the linker 
> on your system chooses the wrong one... and then complains.  Nice!
> 
> > I'll be really grateful if someone could tell me exactly where I can 
> > download v 2.1.1 from that will  work for my linux distribution.
> 
>   If you look at the main "download" page, there's a link to 
> pre-built binaries for Fedora.  There's even an x86_64 link, 
> which has RPM's for an older version (2.0.5)
> 
>   Alan DeKok.
> 




Re: Newbie question

2008-10-07 Thread Alan DeKok
Jair Santos wrote:
> Please understand that when we, as users, go to  a site to download  a
> program,  the site structure and distribution of information is completely
> new. We , (I)  try to understand it but we have no time to read everything.
> I believe that this is normal and yes , we make mistakes. Don't you ? 

  The difficulty is that there are 3-4 places where the correct thing is
documented.  You managed to miss them *all*.  You read one thing on a
page, and missed other things written on the same page.

  This is actually pretty common.  I don't understand why it happens,
though.

> So please, don't try to give us (me) lessons about how to look for
> information. I am an old guy and I stiil need much more time to learn  new
> things . I don't need one more person to criticise my mistakes or laziness
> to read a 200 pages web site in order to understand the whole picture.

  Uh... no.  You read the page with the CVS instructions.  One page.
You missed the text right above the CVS instructions saying "see
git.freeradius.org".

  It's about *us* putting huge amounts of effort into creating the
server, documenting it, and answering questions on this list.  And
yet... it's never enough.  No matter how much documentation is written,
some people still ignore it... and get upset when told they're ignoring it.

> Yes I did click on the link 2.1.1 on the main web page. That was the first
> thing I did. These files didn't compile. It was  NOT because   the linker on
> my system chooses the wrong libs as you can see from the log. There is
> another reason and I don't know it.
> 
> configure:21137: gcc -o conftest -g -O2 -D_REENTRANT

  I'll call bait & switch on this one.  The ORIGINAL problem you posted
was from the output of "make", not "configure":

/usr/lib/libreadline.so: could not read symbols: File in wrong format

  i.e. it's a 32/64-bit problem.

  The output you posted from "configure" is different, and meaningless.
 Pretending it's the same problem is disingenuous.  The "errors" are
part of the tests configure does to figure out which libraries are
needed.  Part of the tests involves *failed* compilations... so that it
knows that a particular combination of libraries didn't work.  And it
then tries other libraries.

> I am still trying to make this work and I thank very much all of you who are
> helping me out.

  Another message in the same thread was from someone at Redhat.  Who
posted a link to pre-built RPM's for fedora.  Which includes 64-bit
versions.

  If you had checked the link, you would have discovered this.  Instead,
you asked on the email list if the link included a 64-bit version.

  And if you read the list, you know that I help a *lot* of people here.
 I'm also trying to help you.  Convincing you to read the documentation
I've already written is one of the ways I can help you.  If this is too
painful, feel free to ignore all of my messages to the list.

  Alan DeKok.


Re: NTLM_auth active directory - what is wrong?

2008-10-07 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> For some reason some systems process inner-tunnel virtual server before
> default.

  That can (and likely should) be fixed.

> Since that server knows nothing about ntlm_auth this error
> occurs. Best solution is probably to add ntlm_auth to instatiate section
> of radiusd.conf as well. Just in case. And add that step to
> configuration instructions in the HOWTO.

  I don't think that will work here.  It needs to have an "auth-type"
defined dynamically, and adding it to the instantiate section won't do that.

  The default configuration should also be updated to define an "inner"
users file, and an "outer" one.  That would help address this issue, too.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
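The parse error in this thread comes from the files module of whichever virtual server loads the users file first (the inner-tunnel one, as tnt and Alan discuss): that server's authenticate {} section has no "Auth-Type ntlm_auth" sub-section, so the value is unknown to it. The Python below is an added example, not FreeRADIUS code: it parses the simple users-file syntax shown in this thread, reports Auth-Type values a given virtual server does not define, and, for the EAP-TLS dynamic-VLAN question Ivan Kalik answered, returns an entry's reply attributes (the Tunnel-* ones). The sample files, the built-in Auth-Type subset and all helper names are constructed assumptions.

```python
"""Cross-check a FreeRADIUS "users" file against the Auth-Type sections a
virtual server's authenticate {} block defines.  Added example, not FreeRADIUS
code: it handles only the simple line-oriented subset of both formats seen in
this thread; every sample below is constructed.  Names compare case-insensitively."""
import re

# Constructed users file: the first entry asks for ntlm_auth as the
# deployingradius.com guide directs; the last carries the dynamic-VLAN reply
# attributes from the EAP-TLS question on this page.
USERS_FILE = """\
DEFAULT Auth-Type := ntlm_auth
        Fall-Through = 1
bob     Cleartext-Password := "hello"
        Reply-Message = "Hello, %{User-Name}"
alice   Auth-Type := EAP
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 2
"""

# Constructed inner-tunnel server whose authenticate {} defines no "Auth-Type
# ntlm_auth" section: loading USERS_FILE there yields the thread's parse error.
INNER_TUNNEL_SITE = """\
server inner-tunnel {
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
"""

# The same server after adding the section the guide asks for.
FIXED_SITE = INNER_TUNNEL_SITE.replace(
    "        eap\n",
    "        Auth-Type ntlm_auth {\n            ntlm_auth\n        }\n        eap\n")

# Auth-Type values the stock dictionary already provides (assumed subset).
BUILTIN_AUTH_TYPES = {"Accept", "Reject", "Local", "EAP", "PAP", "CHAP", "MS-CHAP"}

# One "Attribute op value" item; a quoted value may itself contain commas.
_ITEM_RE = re.compile(
    r'([\w.-]+)\s*(:=|==|!=|\+=|<=|>=|=~|!~|=|<|>)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')
_AUTH_TYPE_SECTION_RE = re.compile(r'Auth-Type\s+([\w-]+)\s*\{')


def _items(fragment):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    out = []
    for attr, op, value in _ITEM_RE.findall(fragment):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                   # drop the quotes
        out.append((attr, op, value))
    return out


def parse_users(text):
    """Entries as dicts: name, check items (first line), reply items (indented lines)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                       # continuation line: reply items
            if entries:
                entries[-1]["reply"].extend(_items(raw))
            continue
        parts = raw.split(None, 1)                # column 0: entry name, then check items
        entries.append({"name": parts[0],
                        "check": _items(parts[1]) if len(parts) > 1 else [],
                        "reply": []})
    return entries


def defined_auth_types(site_text):
    """Lower-cased names of the Auth-Type sub-sections inside authenticate { ... }."""
    m = re.search(r'authenticate\s*\{', site_text)
    if not m:
        return set()
    depth, end = 0, len(site_text)
    for i in range(m.end() - 1, len(site_text)):  # walk to the matching close brace
        depth += {"{": 1, "}": -1}.get(site_text[i], 0)
        if depth == 0:
            end = i
            break
    return {n.lower() for n in _AUTH_TYPE_SECTION_RE.findall(site_text[m.end():end])}


def undefined_auth_type_refs(users_text, site_text, builtin=BUILTIN_AUTH_TYPES):
    """(entry name, Auth-Type value) pairs this virtual server cannot resolve."""
    known = defined_auth_types(site_text) | {b.lower() for b in builtin}
    return [(e["name"], v) for e in parse_users(users_text)
            for a, _op, v in e["check"]
            if a.lower() == "auth-type" and v.lower() not in known]


def reply_items(users_text, name):
    """Reply attributes of one entry, e.g. the Tunnel-* VLAN attributes."""
    for e in parse_users(users_text):
        if e["name"] == name:
            return {a: v for a, _op, v in e["reply"]}
    return {}
```

Run the check against the inner-tunnel and default virtual servers separately, since either may be the one that loads the users file first.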


Re: Dynamic Clients with FreeRADIUS

2008-10-07 Thread Alan DeKok
Johan Meiring wrote:
> Now that 2.1.1 is out, is it still on the cards for 2.1.2?

  Maybe.  My priorities these days are slightly different.

> If you could let me know when it has been comitted to git, I would love to
> test it.

  I'll send a message to the list if && when it's done.

  Alan DeKok.


RE: Newbie question

2008-10-07 Thread Jair Santos
You might be right, but my subject line should give you a clue about who I
am: a complete beginner. I guess this list is not only for experts. I
already recognized the huge amount of effort you put into creating the
server, and I really mean it.

I also recognize that you tried to help me, but Alan, just because someone
is an expert doesn't mean that he/she has the right to criticize the
ones that are not.  I am here for help, not to be criticized, and maybe the
mistakes I made can help you change things that will save you time when
another beginner arrives.

Anyway, we are wasting our time and bandwidth. I am going to try to figure
it out; then I'll be the only one to blame for my mistakes.


Jair Santos

 
 
 


> -Original Message-
> From: 
> [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]
us.org] On Behalf Of Alan DeKok
> Sent: Tuesday, October 07, 2008 10:06 AM
> To: FreeRadius users mailing list
> Subject: Re: Newbie question
> 
> 
> Jair Santos wrote:
> > Please understand that when we, as users, go to  a site to 
> download  a 
> > program,  the site structure and distribution of information is 
> > completely new. We , (I)  try to understand it but we have 
> no time to 
> > read everything. I believe that this is normal and yes , we make 
> > mistakes. Don't you ?
> 
>   The difficulty is that there are 3-4 places where the 
> correct thing is documented.  You managed to miss them *all*. 
>  You read one thing on a page, and missed other things 
> written on the same page.
> 
>   This is actually pretty common.  I don't understand why it 
> happens, though.
> 
> > So please, don't try to give us (me) lessons about how to look for 
> > information. I am an old guy and I stiil need much more 
> time to learn  
> > new things . I don't need one more person to criticise my 
> mistakes or 
> > laziness to read a 200 pages web site in order to 
> understand the whole 
> > picture.
> 
>   Uh... no.  You read the page with the CVS instructions.  
> One page. You missed the text right above the CVS 
> instructions saying "see git.freeradius.org".
> 
>   It's about *us* putting huge amounts of effort into 
> creating the server, documenting it, and answering questions 
> on this list.  And yet... it's never enough.  No matter how 
> much documentation is written, some people still ignore it... 
> and get upset when told they're ignoring it.
> 
> > Yes I did click on the link 2.1.1 on the main web page. 
> That was the first
> > thing I did. These files didn't compile. It was  NOT 
> because   the linker on
> > my system chooses the wrong libs as you can see from the 
> log. There is 
> > another reason and I don't know it.
> > 
> > configure:21137: gcc -o conftest -g -O2 -D_REENTRANT
> 
>   I'll call bait & switch on this one.  The ORIGINAL problem 
> you posted was from the output of "make", not "configure":
> 
> /usr/lib/libreadline.so: could not read symbols: File in wrong format
> 
>   i.e. it's a 32/64-bit problem.
> 
>   The output you posted from "configure" is different, and 
> meaningless.  Pretending it's the same problem is 
> disingenuous.  The "errors" are part of the tests configure 
> does to figure out which libraries are needed.  Part of the 
> tests involves *failed* compilations... so that it knows that 
> a particular combination of libraries didn't work.  And it 
> then tries other libraries.
> 
> > I am still trying to make this work and I thank very much 
> all of you 
> > who are helping me out.
> 
>   Another message in the same thread was from someone at 
> Redhat.  Who posted a link to pre-built RPM's for fedora.  
> Which includes 64-bit versions.
> 
>   If you had checked the link, you would have discovered 
> this.  Instead, you asked on the email list if the link 
> included a 64-bit version.
> 
>   And if you read the list, you know that I help a *lot* of 
> people here.  I'm also trying to help you.  Convincing you to 
> read the documentation I've already written is one of the 
> ways I can help you.  If this is too painful, feel free to 
> ignore all of my messages to the list.
> 
>   Alan DeKok.
> 



Unresponsive Child in component authorize

2008-10-07 Thread kesm0724

Does the "Unresponsive Child in module files component authorize" allude to
something I have misconfigured in the virtual server or a process that is
hung?  I can certainly post the debug if it is necessary to troubleshoot
this issue...


Tue Oct  7 12:14:26 2008 : Error: Discarding duplicate request from client
PCS port 1645 - ID: 4 due to unfinished request 8
Tue Oct  7 12:14:43 2008 : Error: WARNING: Unresponsive child (id
3054615440) for request 8, in module files component authorize
Tue Oct  7 12:15:13 2008 : Error: Discarding duplicate request from client
Chambersburg-Switch port 1645 - ID: 3 due to unfinished request 9
Tue Oct  7 12:15:19 2008 : Error: Discarding duplicate request from client
Chambersburg-Switch port 1645 - ID: 3 due to unfinished request 9
Tue Oct  7 12:15:24 2008 : Error: Discarding duplicate request from client
Chambersburg-Switch port 1645 - ID: 3 due to unfinished request 9
Tue Oct  7 12:15:40 2008 : Error: WARNING: Unresponsive child (id
3044125584) for request 9, in module files component authorize



freeradius 2 problem

2008-10-07 Thread donaldbjames
Hi,

I have a working  radius server using freeradius 1.1.7.

I am trying to upgrade to freeradius 2.  Using radtest, I get a reply, but
the radgroup reply data is not included in the reply.

I probably have one of the configuration files done wrong.

My question is: which configuration files are necessary when using
freeradius 2?

Sincerely,

Don James



finally it's working, but still no authentication against AD

2008-10-07 Thread luis a
Hello again,
finally my freeradius is working following all the steps from
http://deployingradius.com/documents/configuration/active_directory.html

but I have the same issue;
check my radius debug.
Thanks for reading,
Luis.


radiusd -X
FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on Sep 27 2008 at 11:05:33
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/openradius/raddb/radiusd.conf
including configuration file /etc/openradius/raddb/proxy.conf
including configuration file /etc/openradius/raddb/clients.conf
including files in directory /etc/openradius/raddb/modules/
including configuration file /etc/openradius/raddb/modules/exec
including configuration file /etc/openradius/raddb/modules/etc_group
including configuration file /etc/openradius/raddb/modules/mschap
including configuration file /etc/openradius/raddb/modules/files
including configuration file /etc/openradius/raddb/modules/logintime
including configuration file /etc/openradius/raddb/modules/digest
including configuration file /etc/openradius/raddb/modules/pap
including configuration file /etc/openradius/raddb/modules/radutmp
including configuration file /etc/openradius/raddb/modules/preprocess
including configuration file /etc/openradius/raddb/modules/detail.example.com
including configuration file /etc/openradius/raddb/modules/attr_filter
including configuration file /etc/openradius/raddb/modules/always
including configuration file /etc/openradius/raddb/modules/detail
including configuration file /etc/openradius/raddb/modules/mac2ip
including configuration file /etc/openradius/raddb/modules/smbpasswd
including configuration file /etc/openradius/raddb/modules/krb5
including configuration file /etc/openradius/raddb/modules/passwd
including configuration file /etc/openradius/raddb/modules/detail.log
including configuration file /etc/openradius/raddb/modules/sradutmp
including configuration file /etc/openradius/raddb/modules/attr_rewrite
including configuration file /etc/openradius/raddb/modules/echo
including configuration file /etc/openradius/raddb/modules/ippool
including configuration file /etc/openradius/raddb/modules/checkval
including configuration file /etc/openradius/raddb/modules/acct_unique
including configuration file /etc/openradius/raddb/modules/pam
including configuration file /etc/openradius/raddb/modules/expr
including configuration file /etc/openradius/raddb/modules/sql_log
including configuration file /etc/openradius/raddb/modules/inner-eap
including configuration file /etc/openradius/raddb/modules/mac2vlan
including configuration file /etc/openradius/raddb/modules/unix
including configuration file /etc/openradius/raddb/modules/policy
including configuration file /etc/openradius/raddb/modules/realm
including configuration file /etc/openradius/raddb/modules/linelog
including configuration file /etc/openradius/raddb/modules/wimax
including configuration file /etc/openradius/raddb/modules/ldap
including configuration file /etc/openradius/raddb/modules/chap
including configuration file /etc/openradius/raddb/modules/expiration
including configuration file /etc/openradius/raddb/modules/counter
including configuration file /etc/openradius/raddb/eap.conf
including configuration file /etc/openradius/raddb/sql.conf
including configuration file /etc/openradius/raddb/sql/mysql/dialup.conf
including configuration file /etc/openradius/raddb/sql/mysql/counter.conf
including configuration file /etc/openradius/raddb/policy.conf
including files in directory /etc/openradius/raddb/sites-enabled/
including configuration file /etc/openradius/raddb/sites-enabled/default
including configuration file /etc/openradius/raddb/sites-enabled/inner-tunnel
including dictionary file /etc/openradius/raddb/dictionary
main {
    prefix = "/usr/local"
    localstatedir = "/usr/local/var"
    logdir = "/usr/local/var/log/radius"
    libdir = "/usr/local/lib"
    radacctdir = "/usr/local/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
    checkrad = "/usr/local/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
 log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
 }
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
 }
}
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
    retry_delay = 

Sql-Group value

2008-10-07 Thread donaldbjames
Hi,

In freeradius 2, where is the value of "Sql-Group" set?

I am using the mysql database.  Is the value of Sql-Group set in one of the
tables?

Sincerely,

Don James



Re: Sql-Group value

2008-10-07 Thread tnt
radusergroup

Ivan Kalik
Kalik Informatika ISP




Re: finally it's working, but still no authentication against AD

2008-10-07 Thread tnt
>finally my freeradius it's working following all the steps from 
>http://deployingradius.com/documents/configuration/active_directory.html
>

That tells you to use Cleartext-Password.

>but i have the same issue 
>check my radius debug ,

And you have used...

>[pap] login attempt with password "test"
>[pap] Using CRYPT encryption.
>[pap] Passwords don't match

Is it that difficult to follow instructions? What possesses you to do
things you haven't been told?

Ivan Kalik
Kalik Informatika ISP



Re: finally it's working, but still no authentication against AD

2008-10-07 Thread luis a


--- On Tue, 7/10/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Subject: Re: finally it's working, but still no authentication against AD
To: freeradius-users@lists.freeradius.org
Date: Tuesday, 7 October 2008 6:56

>finally my freeradius it's working following all the steps from 
>http://deployingradius.com/documents/configuration/active_directory.html
>

That tells you to use Cleartext-Password.

>but i have the same issue 
>check my radius debug ,

And you have used...

>[pap] login attempt with password "test"
>[pap] Using CRYPT encryption.
>[pap] Passwords don't match
If I disable pap I believe freeradius is not going to run;
besides, in the manual there is no place telling me to enable or disable pap
or mschap :-/

anyway I have a coin to show

as the manual said

Start the server and use a test client to send an MS-CHAP
authentication request.  The radclient cannot currently
be used to send this request, unfortunately, which makes testing a
little difficult If everything goes well


---

I believe everything is going well, but what client do I have to use to test if
mschap with AD is successfully
working as in the guide?

Thanks for reading.
Luis
 
> Is it that difficult to follow instructions? What possesses you to do
> things you haven't been told.
>
> Ivan Kalik
> Kalik Informatika ISP


Re: finally it's working, but still no authentication against AD

2008-10-07 Thread tnt
>That tells you to use Cleartext-Password.
>
>>but i have the same issue 
>>check my radius debug ,
>
>And you have used...
>
>>[pap] login attempt with password "test"
>>[pap] Using CRYPT encryption.
>>[pap] Passwords don't match
>If I disable pap I believe freeradius is not going to run;
>besides, in the manual there is no place telling me to enable or disable pap
>or mschap :-/

No, the manual doesn't say anything about enabling pap or mschap. So,
why are you talking about it?

The manual instructs to use CLEARTEXT-PASSWORD. It doesn't say USE CRYPT
PASSWORD. There is a reason for that. mschap doesn't work with crypt
passwords.

The problem you have is nothing to do with pap or mschap. It comes *only*
and *only* because you are not doing what the manual instructs (using
Cleartext-Password).

>
>anyway i have a coin to show 
>
>as the manual said 
>
>Start the server and use a test client to send an MS-CHAP
>authentication request.  The radclient cannot currently
>be used to send this request, unfortunately, which makes testing a
>little difficult If everything goes well
>
>
>---
>
>I believe everything is going well, but what client do I have to use to test if
>mschap with AD is successfully
>working as in the guide?

It's not going well but I think that you will get the message: use
Cleartext-Password!!! For testing with mschap requests you can use
JRadius Simulator.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius 2 problem

2008-10-07 Thread tnt
>I have a working  radius server using freeradius 1.1.7.
>
>I am trying to upgrade to freeradius 2.  Using radtest, I get a reply, but
>the radgroup reply data is not included in the reply.
>
>I probably have one of the configuration files done wrong.
>

sql is not enabled by default. Debug (radiusd -X) will tell you if the
database is being used.

Ivan Kalik
Kalik Informatika ISP



How to forward MAC-authentication-requests over a FreeRADIUS-proxy to a FreeRADIUS-server?

2008-10-07 Thread r . bruengel
Hello everyone,

I use MAC-authentication and got some problems using FreeRADIUS as a proxy 
to tunnel requests and answers between my switch and my ‘normal’ 
FreeRADIUS-server.

When I tested MAC-authentication with my switch and FreeRADIUS-server without 
anything between it worked fine. The MAC-address has been used as username and 
cleartext-password.

Well, when I set up my FreeRADIUS-proxy and want to use it the following 
message appears in the radius.log of my FreeRADIUS-proxy:

Error: Invalid packet code 1 sent to a proxy port from home server 192.168.1.58 
port 1864 - ID 177 : IGNORED

The port and the ID vary – the port is counted up by every try and the ID… 
well, I don’t know.

I just want to forward the MAC-address and the cleartext-password to my 
FreeRADIUS-server. When this data arrives at my FreeRADIUS-server it should be 
checked and the authentication answer should be sent back to my 
FreeRADIUS-proxy which forwards it to my switch.

I hope that you can help me – I just started to work with FreeRADIUS, so I’m 
just a rookie.

Here’s some data:
FreeRADIUS: V 2.0.4
Operating System:   Debian Lenny (testing)
Kernel: 2.6.25-2-686
Switch: Foundry EdgeIron 2402CF
FreeRADIUS-server:  192.168.1.61
FreeRADIUS-proxy:   192.168.1.80
Switch: 192.168.1.58

The following configuration belongs to my FreeRADIUS-server:

radiusd.conf
listen {
type = auth
ipaddr = 192.168.1.61   #FreeRADIUS-server IP
port = 1812
}
[…]
proxy_requests = no

clients.conf
client 192.168.1.80 {
secret = testing123
}

The following configuration belongs to my FreeRADIUS-proxy:

radiusd.conf
listen {
type = proxy
ipaddr = 192.168.1.80   #FreeRADIUS-proxy IP
port = 1812
}

proxy.conf
proxy server {
default_fallback = no
}

home_server RADIUS_SERVER {
type = auth
ipaddr = 192.168.1.61   #FreeRADIUS-server IP
port = 1812
secret = testing123
[…]
}

home_server_pool RADIUS_SERVER_POOL {
type = fail-over
home_server = RADIUS_SERVER
}

realm RADIUS_REALM {
auth_pool = RADIUS_SERVER_POOL
}

The following configuration belongs to my switch:
RADIUS-Server:  192.168.1.80    #FreeRADIUS-proxy
Port:           1812
Key:            testing123

So, that should be the way:
Switch        ->  FR-proxy      ->  FR-server
192.168.1.58      192.168.1.80      192.168.1.61

In advance: Thanks a lot for your help!


Best regards from Germany,
Raphael Brüngel




Re: How to forward MAC-authentication-requests over a FreeRADIUS-proxy to a FreeRADIUS-server?

2008-10-07 Thread tnt
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_still_doesn.27t_work.21

Ivan Kalik
Kalik Informatika ISP




Re: Sql-Group value

2008-10-07 Thread donaldbjames
Hi Ivan,

That seems to have fixed it.

I greatly appreciate your help.

Sincerely,

Don James
Henderson, Texas USA


Re: How to forward MAC-authentication-requests over a FreeRADIUS-proxy to a FreeRADIUS-server?

2008-10-07 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> Well, when I set up my FreeRADIUS-proxy and want to use it the following 
> message appears in the radius.log of my FreeRADIUS-proxy:
> 
> Error: Invalid packet code 1 sent to a proxy port from home server 
> 192.168.1.58 port 1864 - ID 177 : IGNORED

  The client is sending Access-Requests to the proxy port.  This isn't
good.  It's also hard to do, because the proxy port *isn't* 1812.  It's
usually 1814.  And the client doesn't send packets to port 1814 unless
you've edited its configuration, and told it that the server port is 1814.

> So, that should be the way:
> Switch  ->  FR-proxy->  FR-server
> 192.168.1.58192.168.1.80192.168.1.61

  Except you haven't done that.  You've configured 192.168.1.58 as a
home server for the proxy.  Instead, you need to configure that IP as a
client.

  And the configuration you posted does NOT match the error message.
That error message occurs ONLY when the proxy has 192.168.1.57 listed as
a "home_server".

  Please double-check your configuration, and post the full debug log.
If you don't know what's going wrong, you don't know what part of the
debug log can be used to help solve this problem.  There's a REASON that
the FAQ, README, INSTALL, "man page", radiusd.conf, and daily messages
on this list say to post the debug log.  We really need it.

 Alan DeKok.


Re: Newbie question

2008-10-07 Thread Alan DeKok
Jair Santos wrote:
> I also recognize that you tried to help me , but Alan, just because someone
> is an expert this doesn't mean that he/she has the right to criticize the
> ones that are not.  I am here for help not to be criticized,

  Help often involves pointing out what you're doing wrong.  If this is
too painful, I'm sorry.

  When you don't follow the instructions, and then ask for help, the
response is "follow the instructions".  If this is too painful, there's
little I can do to help.

> and may be the
> mistakes I made can help you to change things that will save you time when
> other beginner arrives.

  Since you haven't answered my questions about WHY you ignored the
existing documentation... no.  I still have no idea what else I can do
to convince people to read the documentation.  When I write
documentation... certain people ignore it.  If I tell them to go read
the documentation... they get upset at being criticized.

  Why?  Damned if I know.

  Alan DeKok.


Re: Unresponsive Child in component authorize

2008-10-07 Thread Alan DeKok
kesm0724 wrote:
> Does the "Unresponsive Child in module files component authorize" allude to
> something I have misconfigured in the virtual server or a process that is
> hung? 

  The server is blocked somewhere.

> Tue Oct  7 12:14:43 2008 : Error: WARNING: Unresponsive child (id
> 3054615440) for request 8, in module files component authorize

  Hm... that's a little surprising.  The "files" module doesn't take
much CPU time.  It doesn't use locks.  So there's no reason for it to
block for long periods of time.

  That may be a side-effect of something else taking long amounts of
time.  Usually, this is SQL.

  Or, if you're putting hostnames in the "users" file, instead of
numerical IP addresses... and your DNS server is down.  The server won't
be able to create the reply because it needs the IP address.  It won't
be able to create the IP address because DNS is down.

  Don't use hostnames.  Or, fix DNS so that it works.

  Alan DeKok.