Re: Freeradius proxy
Siumafua Moala wrote:
> Everything is fine but I want to use the current server to
> 1. allocate ip address
> 2. use cisco-avpairs to allocate vrf
> Then send to another server to check only the username and password.

That is possible.

> I have gone through the proxy configuration and it seems you can proxy either the auth or acct but I cannot seem to find how to split the authentication.

You don't. You proxy the request, and allocate IP addresses and Cisco AVPairs in the post-auth section.

> It seems on the users file you can use pass-through but I am not using the users file!

Then read "man unlang". Also, the IP pool allocation is *already* done in the post-auth section. So it should be possible to get that working with proxying... simply by configuring IP pool allocation normally.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_ldap and auto_header
Tim Palmer wrote:
> Full disclosure - I did try an install from ports, then removed the port and reran ldconfig. I did not recompile/install freeradius after the port exercise.
> ===
> Why yes, I did map Cleartext-Password, since the debug error (and various list postings) seemed clear on that:
>
> ldap.attrmap: checkItem Cleartext-Password userPassword

Don't do this. Delete this line. It's the SOURCE of all the problems.

Alan DeKok.
FreeRadius working as a ProxyRadius using PAP protocol
Hello,

I'm trying to use FreeRadius (server-2.1.1) as a Proxy Radius with PAP protocol.

          peap,eap,pap                pap
Client -- AP ------------ FreeRadius ------------ Radius server

Here's what I have in my conf files:

client.conf:

client ***.***.***.*** {
        secret = pass
        shortname = LinksysWRT54G
        nastype = other
}

proxy.conf:

realm NULL {
        authhost = ***.***.***.***:1645
        accthost = ***.***.***.***:1646
        secret = pass
}

users:

DEFAULT FreeRADIUS-Proxied-To == ***.***.***.***, Auth-Type := PAP

I don't think my proxy radius uses the right protocol. I want it to use the PAP protocol when it tries to contact the radius server.

radiusd: Opening IP addresses and Ports
listen {
        type = auth
        ipaddr = *
        port = 1645
}
listen {
        type = acct
        ipaddr = *
        port = 1646
}
Listening on authentication address * port 1645
Listening on accounting address * port 1646
Listening on proxy address * port 1647
Ready to process requests.
rad_recv: Access-Request packet from host ***.***.***.*** port 1405, id=0, length=180
        Message-Authenticator = 0x1ad77a29ef17ee966a8521f57795f231
        Service-Type = Framed-User
        User-Name = enguyend\000
        Framed-MTU = 1488
        Called-Station-Id = 00-1D-7E-5F-F7-39:SogetiNET
        Calling-Station-Id = 00-16-6F-AA-80-DD
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x020d01656e677579656e64
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = enguyend, looking up realm NULL
[suffix] Found realm NULL
[suffix] Adding Stripped-User-Name = enguyend
[suffix] Adding Realm = NULL
[suffix] Proxying request from user enguyend to realm NULL
[suffix] Preparing to proxy authentication request to realm NULL
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm NULL. Not doing EAP.
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 210 to ***.***.***.*** port 1645
        Message-Authenticator = 0x
        Service-Type = Framed-User
        User-Name = enguyend
        Framed-MTU = 1488
        Called-Station-Id = 00-1D-7E-5F-F7-39:SogetiNET
        Calling-Station-Id = 00-16-6F-AA-80-DD
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x020d01656e677579656e64
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
        Proxy-State = 0x30
Proxying request 0 to home server ***.***.***.*** port 1645
Sending Access-Request of id 210 to ***.***.***.*** port 1645
        Message-Authenticator = 0x
        Service-Type = Framed-User
        User-Name = enguyend
        Framed-MTU = 1488
        Called-Station-Id = 00-1D-7E-5F-F7-39:SogetiNET
        Calling-Station-Id = 00-16-6F-AA-80-DD
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x020d01656e677579656e64
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
        Proxy-State = 0x30
Going to the next request
Waking up in 0.9 seconds.
Waking up in 13.0 seconds.
rad_recv: Access-Request packet from host ***.***.***.*** port 1405, id=0, length=180
Sending duplicate proxied request to home server ***.***.***.*** port 1645 - ID: 210
Sending Access-Request of id 210 to ***.***.***.*** port 1645
        Message-Authenticator = 0x
        Service-Type = Framed-User
        User-Name = enguyend
        Framed-MTU = 1488
        Called-Station-Id = 00-1D-7E-5F-F7-39:SogetiNET
        Calling-Station-Id = 00-16-6F-AA-80-DD
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x020d01656e677579656e64
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
        Proxy-State = 0x30
Waking up in 11.0 seconds.
Rejecting request 0 due to lack of any response from home server ***.***.***.*** port 1645
There was no response configured: rejecting request 0
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> enguyend
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns
Re: sqlcounter returning wrong value?
liran tal wrote:
> Waiting for that traffic limitation patch, Venkatesh. Thanks.

Hi,

I was stuck with this problem too, and I came up with this solution, which works in my test environment. The idea is to store the allowed bytes in Tmp-Integer-0, then just use unlang to compare the user's allowed and actual traffic bytes. btw, the maximum traffic count is 2^31 bytes, if you do it this way.

if (control:Tmp-Integer-0) {
        # the comparison operator was stripped by the list archive; >= is assumed here
        # (limit reached once usage is at or above the allowance)
        if ("%{sql:SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='%{User-Name}'}" >= "%{control:Tmp-Integer-0}") {
                # traffic bytes limit reached
                reject
        }
}

Regards,
Flamur
Re: Freeradius 2.0 with Activedirectory Integration Failed
> Thanks again! I amended it and it works. But that is only for testing...

Yes. Now you go on with the manual.

> Can I use the MSCHAP method? Or do I have to create a module of my own for users to authenticate?

No, you configure the ntlm_auth line in raddb/modules/mschap.

Ivan Kalik
Kalik Informatika ISP
RE: sqltrace log
default sql.conf claims the opposite:

        # Print all SQL statements when in debug mode (-x)
        sqltrace = yes
        sqltracefile = ${logdir}/sqltrace.sql

But to check your statement, I started radiusd in daemon mode (rc script), and I still don't get queries logged in the tracefile.

> That's -x not -X.

man 8 radiusd:

        -X      Debugging mode. Equivalent to -sfxx -l stdout

but nothing should be un-tested, so I followed your suggestion:

        radiusd -x
        radiusd -xx
        radiusd -f -x

but still no output in sqltrace.log.

Has anyone actually got sqltrace output in 2.x? The few mentions I find on the net all seem to relate to 1.x configurations.

In the source code I find:

src/modules/rlm_sql/drivers/rlm_sql_mysql/sql_mysql.c:
        if (config->sqltrace)
                radlog(L_DBG, "rlm_sql_mysql: query: %s", querystr);

Doesn't that mean that it's written to the L_DBG (radius.log) file and not to sqltrace.log? I do see those in radius.log:

/var/log/radius/radius.log:rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'blabla' ORDER BY id

I think sqltrace has de facto been deprecated.

-- 
Søren Schrøder, Technical Innovation, Cybercity (a Telenor Company).
[EMAIL PROTECTED], (+45) 60503045.
Obey Gravity It's the LAW!
Re: LDAP MSCHAP errors
FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on Nov 10 2008 at 13:18:51
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/mschap.org
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
        prefix = /usr/local
        localstatedir = /usr/local/var
        logdir = /usr/local/var/log/radius
        libdir = /usr/local/lib
        radacctdir = /usr/local/var/log/radius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = /usr/local/var/run/radiusd/radiusd.pid
        checkrad = /usr/local/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = testing123
        nastype = other
}
client 172.16.8.0/24 {
        require_message_authenticator = no
        secret = testing123
        shortname = testing
}
client 192.168.1.1/32 {
        require_message_authenticator = no
        secret = w1f1netw0rk
        shortname = ArubaController
}
radiusd: Loading Realms and Home Servers
 proxy server {
Re: VMPS - Initial project ideas
Hairy51 wrote:
> Is there any documentation out there on how to get a basic VMPS system up and running? I am purely in the testing stages at the moment, but would like to get the box attached to a switch and begin responding to VMPS requests as quick as possible...

There's no quick guide. See also raddb/sites-available/vmps for additional configuration information.

Alan DeKok.
Re: LDAP MSCHAP errors
>>> pap against LDAP works fine
>>> chap against LDAP works fine (With ntradping)
>> They used different passwords.
> Do you mean chap and MSCHAPv2 require passwords in different formats or something?

No. There is a clear text password stored somewhere.

> I can auth CHAP, but with the same username and password can't auth CHAPv2 (with no config change on freeradius). My two debugs show that
>
> Debug: rlm_ldap: sambaNtPassword -> NT-Password == 0x414539434130363637412341393742303139423034323445363933373332
>
> So the NT-Password is being retrieved from LDAP in both cases.

Yes. But chap wasn't using it.

>> A correct password.
> Do you think the hash being retrieved from LDAP is wrong then?

Yes.

> If I do put in an incorrect password I do get the same error message.

No surprise.

> * Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password ommitted for user testuser authentication. *
>> Where did that come from?
> I don't know - inside the chap module?

No. It's retrieved from LDAP.

> Not that I can see.

Post the whole debug and I will tell you where the clear text password is possibly stored.

Ivan Kalik
Kalik Informatika ISP
Re: FreeRadius working as a ProxyRadius using PAP protocol
NGUYEN DANG LUAN, Eric wrote:
> In my radius log file:
>
> *** Incoming RADIUS packet: ***
> radrecv: Packet from host 10.226.66.51, port=24670
> send_reject()

Your main server is rejecting the request. Fix it. And it isn't FreeRADIUS.

> I think the problem is the protocol I use : PAP.

The problem is that you haven't configured the OTHER RADIUS server properly.

> I'm not sure that FreeRadius uses the PAP protocol to communicate with the Radius Server.

FreeRADIUS doesn't control the authentication protocol. The end user machine controls it.

> And is it normal that I can't see any password when I use a sniffer?

Yes.

Alan DeKok.
RE: FreeRadius working as a ProxyRadius using PAP protocol
> I think the problem is the protocol I use : PAP. I'm not sure that FreeRadius uses the PAP protocol to communicate with the Radius Server. And is it normal that I can't see any password when I use a sniffer?

No, the protocol you (or should I say the user) are using is eap, not pap. Freeradius received an eap request and proxied eap. It is normal not to have a password in an eap packet.

Ivan Kalik
Kalik Informatika ISP
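To make the two replies above concrete, here is an added example (my own code, not FreeRADIUS's) that builds and decodes an EAP-Response/Identity the way a supplicant sends one inside the RADIUS EAP-Message attribute. The packet is constructed from the identity "enguyend" seen in the debug output (the archive's hex is left as printed there and is not parsed here); the function names are my own. It shows that the only thing the proxy forwards at this stage is the identity: no password is on the wire, so a sniffer finds none, and the users-file entry Auth-Type := PAP on the proxy cannot change anything, because the EAP conversation has to be carried through by the home server.

```python
# Added example (not FreeRADIUS code): build and decode an EAP-Response/Identity
# as carried in the RADIUS EAP-Message attribute.  The sample packet below is
# constructed from the identity seen in the proxy debug output.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def build_identity_response(eap_id: int, identity: str) -> bytes:
    """EAP-Response/Identity (RFC 3748 section 5.1): code=2, identifier,
    2-byte total length, type=1, then the identity octets."""
    body = identity.encode("utf-8")
    return struct.pack("!BBHB", 2, eap_id, 5 + len(body), 1) + body


def decode_eap_message(raw: bytes) -> dict:
    """Parse one EAP packet.  The length field comes from the client, so it
    is checked against what was actually received instead of trusted."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 octets")
    code, eap_id, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} octets received")
    info = {"code": EAP_CODES.get(code, code), "id": eap_id, "length": length}
    if code in (1, 2):                      # Request/Response carry a type octet
        if length < 5:
            raise ValueError("EAP Request/Response needs a type octet")
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            info["identity"] = raw[5:].decode("utf-8", errors="replace")
        else:
            info["data"] = raw[5:].hex()     # method data, opaque to a proxy
    return info


if __name__ == "__main__":
    # Constructed sample: identifier 0x0d, identity "enguyend".
    pkt = build_identity_response(0x0D, "enguyend")
    print(pkt.hex())                         # 020d000d01656e677579656e64
    print(decode_eap_message(pkt))
```

The decoded dictionary carries nothing but the identity; the credential exchange (MS-CHAPv2 inside PEAP, for instance) only happens in later EAP rounds between the supplicant and whichever server terminates EAP, which is why the home server must be configured for it and why FreeRADIUS, as a plain proxy, rightly reports "Not doing EAP".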
Re: sqlcounter returning wrong value?
Hi,

On Wed, Nov 12, 2008 at 2:06 AM, liran tal [EMAIL PROTECTED] wrote:
> Waiting for that traffic limitation patch, Venkatesh. Thanks.

I am sorry. I had a few busy days this week. You can expect a patch tomorrow.

> On Sun, Nov 9, 2008 at 6:00 AM, Venkatesh K [EMAIL PROTECTED] wrote:
>> Hi Liran,
>>
>> On Sun, Nov 9, 2008 at 4:16 AM, liran tal [EMAIL PROTECTED] wrote:
>>> Hey Venkatesh,
>>>
>>> On Fri, Oct 31, 2008 at 2:26 AM, Venkatesh K [EMAIL PROTECTED] wrote:
>>>> 2008/10/31 [EMAIL PROTECTED]:
>>>>> It does make sense. rlm_sqlcounter works like this toward the time of the reset: let's say you have an hour left, your limit is 20 hours and you have signed in 15 minutes before the counter reset time. When the code calculates that you can be online at reset time it doesn't return your allowance (1 hour) but adds the limit for the next counting period (20 hours) to the remaining time (15 minutes) and returns that value (20 hours and 15 minutes). The reasoning is that your session shouldn't be discontinued after an hour because 15 minutes into the session the new limit should come into force (and the session limit can't be changed during the session).
>>>>>
>>>>> In your case there is about 2,000,000 left on the counter but only a few thousand seconds left to the end of the reset period, so the code will add those few thousands to the next period limit (26,000,000) and return that value. The code doesn't know whether you are counting data or time as there is no such configuration item. Venkatesh had posted the patch that switches off this piece of code for data counters by introducing that configuration item. You should try it.
>>>>
>>>> rlm_sqlcounter has one more limitation. In version 1.1.7, the maximum counter value was limited to 2G whereas in 2.1.1 it seems to be 4G. This imposes an artificial limitation of a maximum of 4GB of downloads. I had a workaround where I patched rlm_sqlcounter to limit the per session downloads to 4GB if the allowed usage exceeds 4GB. Except for this issue, I think, with the patch I posted earlier, one should be fine with rlm_sqlcounter.
>>>>
>>>> If someone needs a patch to work around the 2GB/4GB limit, I will post the patch.
>>>
>>> Sorry for the late reply. I applied your patch and now data counters work as expected with a minor exception, the 2Gb limit as you have stated previously. Possibly you could also post the patch for the 2Gb/4Gb limit? I'm hoping it's compatible with FR 1.1.7 as well.
>>
>> It is ok. I am happy to know it works for you. I will email you a patch for 1.1.7 in a couple of days. The patch is going to impose certain limitations on you. The maximum return value should be less than an unsigned integer (32bit). The maximum reply value for data will be limited to 4GB even if the actual value is more than 4GB. So, there will be a per session limit of 4GB though the user is authorized to transfer more data.
>>
>> Regards,
>> Venkatesh. K

Regards,
-- 
Venkatesh. K
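As an added example (my own Python, not rlm_sqlcounter's code), the reset-period logic Ivan describes above and the 32-bit reply ceiling Venkatesh mentions, modelled so the numbers in the thread can be reproduced. The function names are my own, and the treat_as_time switch is an assumption standing in for the configuration item that Venkatesh's patch introduces.

```python
# Added example (not rlm_sqlcounter's code): a model of the reply value the
# counter module hands back, as described in this thread.  Function names and
# the treat_as_time switch are assumptions for illustration.
INT32_MAX = 2**31 - 1    # counter ceiling reported for 1.1.7
UINT32_MAX = 2**32 - 1   # counter ceiling reported for 2.1.1


def remaining_allowance(limit, used, seconds_until_reset, treat_as_time=True):
    """Value returned as the reply attribute (Session-Timeout style).

    limit and used are in the counter's own unit (seconds or bytes).
    With treat_as_time=True the stock behaviour applies: if the remaining
    allowance would carry the session past the reset time, the time left
    until the reset plus the next period's full limit is returned, so the
    session is not cut short at the period boundary.  For a data counter
    that comparison mixes bytes with seconds and yields the inflated value
    seen in the thread; treat_as_time=False (the patch's switch) skips it.
    """
    left = limit - used
    if left <= 0:
        return 0
    if treat_as_time and left >= seconds_until_reset:
        return seconds_until_reset + limit
    return left


def clamp_reply(value, ceiling=UINT32_MAX):
    """Cap the reply to the attribute width.  This is the per-session cap
    Venkatesh describes: a user allowed more than the ceiling still gets at
    most the ceiling in any single session."""
    return min(int(value), ceiling)


if __name__ == "__main__":
    hour = 3600
    # Ivan's worked case: 20 h limit, 19 h used, 15 min before the reset.
    print(remaining_allowance(20 * hour, 19 * hour, 15 * 60))        # 72900 = 20 h 15 min
    # Liran's data case: ~2,000,000 octets left, a few thousand seconds to go.
    print(remaining_allowance(26_000_000, 24_000_000, 5000))          # 26005000
    print(remaining_allowance(26_000_000, 24_000_000, 5000, False))   # 2000000
    # 5 GiB of allowance does not fit a 32-bit reply attribute.
    print(clamp_reply(5 * 2**30))                                     # 4294967295
    print(clamp_reply(5 * 2**30, INT32_MAX))                          # 2147483647
```

The second print shows the failure mode exactly: 2,000,000 bytes "left" compared with 5000 seconds to the reset is a meaningless comparison, yet it is what produces the 26,005,000 reply. The clamp is the other half of the thread: without it a reply above 2^32-1 would not be representable in the attribute at all.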
Re: control panel
I could recommend dalo radius. Its interface looks pretty nice from here. I haven't been able to evaluate it yet though.

On Wed, Nov 12, 2008 at 3:32 AM, Allan Patrick Ksiaskiewcz [EMAIL PROTECTED] wrote:
> Hello, how are you? I would like some indication of a control panel; I use dial_up admin, but it is bad, and I tested phpradmin. Besides those two, could anyone suggest some more?
>
> Thanks
> Allan Patrick Ksiaskiewcz
> Brazil Guarapuava/PR

-- 
Random quote of the week/month/whenever i get to updating it:
Opportunity knocked. My doorman threw him out. - Adrienne Gusoff
At school you don't get parole, good behavior only brings a longer sentence. - The History Boys
Re: control panel
Dalo radius is very good. There is only 1 bug I have found, and that is a problem when editing a user and adding an extra Cisco-AVPair: it will overwrite the first Cisco-AVPair. You can add multiple Cisco-AVPairs when you first add the user with no problems, it's just when editing. Other than that it is very good, running it here with over 3000 users.

Regards
Wayne

On Wed, Nov 12, 2008 at 3:44 PM, Paul Bartell [EMAIL PROTECTED] wrote:
> I could recommend dalo radius. Its interface looks pretty nice from here. I haven't been able to evaluate it yet though.
>
> On Wed, Nov 12, 2008 at 3:32 AM, Allan Patrick Ksiaskiewcz [EMAIL PROTECTED] wrote:
>> Hello, how are you? I would like some indication of a control panel; I use dial_up admin, but it is bad, and I tested phpradmin. Besides those two, could anyone suggest some more?
>>
>> Thanks
>> Allan Patrick Ksiaskiewcz
>> Brazil Guarapuava/PR
>
> -- 
> Random quote of the week/month/whenever i get to updating it:
> Opportunity knocked. My doorman threw him out. - Adrienne Gusoff
> At school you don't get parole, good behavior only brings a longer sentence. - The History Boys
Weird logic issue...
Hi,

Got a weird condition evaluation issue:

elsif (\
        (%{Supplicant-Flags} =~ /^10$/) || \
        ((%{Supplicant-Flags} == 'notfound') && (%{Realm} == 'local') && (%{Huntgroup-Name} != 'auth-proxy') && \
         ((%{Service-Type} == 'Framed-User') || (%{Service-Type} == 'Call-Check'))) \
) {

Gets processed as:

++? if (%{Supplicant-Flags} == 'notfound')
        expand: %{Supplicant-Flags} ->
? Evaluating (%{Supplicant-Flags} == 'notfound') -> FALSE
++? if (%{Supplicant-Flags} == 'notfound') -> FALSE
++? if (%{Supplicant-Flags} =~ /^.1$/)
        expand: %{Supplicant-Flags} ->
? Evaluating (%{Supplicant-Flags} =~ /^.1$/) -> FALSE
++? if (%{Supplicant-Flags} =~ /^.1$/) -> FALSE
++? elsif ((%{Supplicant-Flags} =~ /^10$/) || ((%{Supplicant-Flags} == 'notfound') && (%{Realm} == 'local') && (%{Huntgroup-Name} != 'auth-proxy') && ((%{Service-Type} == 'Framed-User') || (%{Service-Type} == 'Call-Check')) ))
        expand: %{Supplicant-Flags} ->
?? Evaluating (%{Supplicant-Flags} =~ /^10$/) -> FALSE
        expand: %{Supplicant-Flags} ->
??? Evaluating (%{Supplicant-Flags} == 'notfound') -> FALSE
??? Skipping (%{Realm} == 'local')
??? Skipping (%{Huntgroup-Name} != 'auth-proxy')
Skipping (%{Service-Type} == 'Framed-User')
Skipping (%{Service-Type} == 'Call-Check')
++? elsif ((%{Supplicant-Flags} =~ /^10$/) || ((%{Supplicant-Flags} == 'notfound') && (%{Realm} == 'local') && (%{Huntgroup-Name} != 'auth-proxy') && ((%{Service-Type} == 'Framed-User') || (%{Service-Type} == 'Call-Check')) )) -> TRUE

So the first condition:

(%{Supplicant-Flags} =~ /^10$/)

returns false. Instead of processing the rest of the conditions, FR skips the rest of the conditions and returns true for the entire condition...

Interestingly, if you take out the nested:

((%{Service-Type} == 'Framed-User') || (%{Service-Type} == 'Call-Check'))

condition and replace it with:

(%{Service-Type} == 'Framed-User')

all is well. So it only happens with multiple levels of nesting. This has been a bug since at least version 2.0.4.

Thanks,
Arran

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
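As an added example (my own Python, not FreeRADIUS code), a reference evaluator for nested AND/OR conditions with ordinary short-circuit semantics, applied to the elsif from the post. It shows the result the thread expects: once the OR's first operand and the AND's first operand are both FALSE, the remaining operands are skipped and the whole condition is FALSE, not TRUE. The node tuples, the constructed attribute values and the trace format are my own.

```python
# Added example (not FreeRADIUS code): reference short-circuit evaluation of a
# nested condition, with a trace in the spirit of the debug output above.
import re


def _leaves(node):
    """Yield the comparison leaves under a node, in evaluation order."""
    if node[0] == "cmp":
        yield node
    else:
        for child in node[1]:
            yield from _leaves(child)


def evaluate(node, attrs, trace, depth=1):
    """node is ("cmp", attr, op, value), ("and", [children]) or ("or", [children]).
    attrs maps attribute names to string values; an absent attribute expands
    to "" the way %{Attr} does.  Every decision is appended to trace."""
    if node[0] == "cmp":
        _, attr, op, value = node
        actual = attrs.get(attr, "")
        if op == "==":
            result = actual == value
        elif op == "!=":
            result = actual != value
        elif op == "=~":
            result = re.search(value, actual) is not None
        else:
            raise ValueError(f"unsupported operator {op}")
        trace.append(f"{'?' * depth} Evaluating ({attr} {op} {value}) -> {result}")
        return result

    is_or = node[0] == "or"
    result = not is_or                    # identity element: AND starts True, OR starts False
    for child in node[1]:
        if result == is_or:               # OR already True, or AND already False:
            for leaf in _leaves(child):   # nothing further can change the outcome
                trace.append(f"{'?' * depth} Skipping ({leaf[1]} {leaf[2]} {leaf[3]})")
            continue
        result = evaluate(child, attrs, trace, depth + 1)
    return result


# The elsif from the post, with the && operators the archive dropped restored.
CONDITION = ("or", [
    ("cmp", "Supplicant-Flags", "=~", r"^10$"),
    ("and", [
        ("cmp", "Supplicant-Flags", "==", "notfound"),
        ("cmp", "Realm", "==", "local"),
        ("cmp", "Huntgroup-Name", "!=", "auth-proxy"),
        ("or", [
            ("cmp", "Service-Type", "==", "Framed-User"),
            ("cmp", "Service-Type", "==", "Call-Check"),
        ]),
    ]),
])


def check(attrs):
    """Evaluate CONDITION for one request; returns (result, trace lines)."""
    trace = []
    return evaluate(CONDITION, attrs, trace), trace


if __name__ == "__main__":
    # Constructed request with Supplicant-Flags absent, as in the debug output.
    result, trace = check({})
    print("\n".join(trace))
    print("elsif ->", result)             # False: two FALSE operands, rest skipped
```

With the empty request the trace contains exactly two evaluations and four skips, and the overall result is FALSE; the same shape as the server's trace, minus the final "-> TRUE". Supplying Supplicant-Flags = "10", or the full set of values the AND branch needs, flips the result to TRUE, which is the only way it should ever get there.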
client windows xp machine-only authentication
Hello

I successfully implemented wireless access for Windows XP clients with authentication of the machine (in a samba domain) and the users (in a samba domain) against my openldap DB with freeradius. This works fine.

My question: has somebody configured Windows XP (SP3) to do only a machine authentication? I was not able to restrict this. My Windows XP clients first do a machine authentication and then always a user authentication.

It is more a Windows question for a Microsoft mailing list - I know - but I think a lot of freeradius users use Windows clients like me, and certainly somebody has a solution for me.

bye
luis
Multiple database and virtual server
Hi,

I want to use multiple databases to sort different kinds of radius authentication (dialup, wireless, router login, etc). I don't know if I'm using it the right way, but I have tried to run freeradius with two virtual servers using two different sql instances. Those sql instances are configured the same way except for the database: one uses radius_db = radius_dialup and the other one radius_db = radius_login.

If I load only one of those virtual servers at radiusd startup (I remove the sites-enabled link for one of those servers), everything works fine. If I try them together, I get this error:

Adding client 172.16.0.2 (gw-calma.digicom.ca, server=MT-Login-User) to clients list
Failed to add duplicate client gw-calma.digicom.ca
rlm_sql (sql_MT): Failed to add client 172.16.0.2 (gw-calma.digicom.ca) to clients list. Maybe there's a duplicate?
Failed to load clients from SQL.

The previous virtual server's client list contains:

rlm_sql (sql_dialup): Read entry nasname=172.16.0.113,shortname=test,secret=secret
rlm_sql (sql_dialup): Adding client 172.16.0.113 (test, server=dialup) to clients list
rlm_sql (sql_dialup): Read entry nasname=172.16.0.2,shortname=calma,secret=xx
rlm_sql (sql_dialup): Adding client 172.16.0.2 (calma, server=dialup) to clients list
rlm_sql (sql_dialup): Read entry nasname=10.0.0.2,shortname=PowerAP-test,secret=x
rlm_sql (sql_dialup): Adding client 10.0.0.2 (PowerAP-test, server=dialup) to clients list
rlm_sql (sql_dialup): Read entry nasname=10.10.0.5,shortname=395scott,secret=xx
rlm_sql (sql_dialup): Adding client 10.10.0.5 (395scott, server=dialup) to clients list
rlm_sql (sql_dialup): Read entry nasname=172.16.0.237,shortname=calma2,secret=xx
rlm_sql (sql_dialup): Adding client 172.16.0.237 (calma2, server=dialup) to clients list

Doesn't each virtual server have its own clients list? Why a duplicate entry? How can I force freeradius to use one client list per virtual server taken from the SQL table?

Regards,
Michael Plourde
Re: Multiple database and virtual server
Michael Plourde wrote:
> I want to use multiple databases to sort different kinds of radius authentication (dialup, wireless, router login, etc). I don't know if I'm using it the right way, but I have tried to run freeradius with two virtual servers using two different sql instances. Those sql instances are configured the same way except for the database: one uses radius_db = radius_dialup and the other one radius_db = radius_login.

You don't have to do that. You can use one SQL instance, and change the radius_db on the fly. But for now, it's likely good enough.

> If I load only one of those virtual servers at radiusd startup (I remove the sites-enabled link for one of those servers), everything works fine. If I try them together, I get this error:
>
> Adding client 172.16.0.2 (gw-calma.digicom.ca, server=MT-Login-User) to clients list
> Failed to add duplicate client gw-calma.digicom.ca
> rlm_sql (sql_MT): Failed to add client 172.16.0.2 (gw-calma.digicom.ca) to clients list. Maybe there's a duplicate?
> Failed to load clients from SQL.
...
> Doesn't each virtual server have its own clients list? Why a duplicate entry? How can I force freeradius to use one client list per virtual server taken from the SQL table?

See the sample SQL queries schema. 2.1.1 allows you to define a "server" column. That entry is used to associate one client with a particular server.

Alan DeKok.
Re: sqlcounter returning wrong value?
Hey,

Thanks for the tip, though that's an FR2-specific solution and I'd like to be able to get this sorted out with older deployments running 1.1.7 or earlier (god forbid! :-) ). That patch for rlm_sqlcounter would be ideal I think. I think this should also already be pushed into the formal release, this entire support for data information too.

Regards,
Liran.

On Wed, Nov 12, 2008 at 11:02 AM, Flamur Rogova [EMAIL PROTECTED] wrote:
> liran tal wrote:
>> Waiting for that traffic limitation patch, Venkatesh. Thanks.
>
> Hi,
>
> I was stuck with this problem too, and I came up with this solution, which works in my test environment. The idea is to store the allowed bytes in Tmp-Integer-0, then just use unlang to compare the user's allowed and actual traffic bytes. btw, the maximum traffic count is 2^31 bytes, if you do it this way.
>
> if (control:Tmp-Integer-0) {
>         # the comparison operator was stripped by the list archive; >= is assumed here
>         if ("%{sql:SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='%{User-Name}'}" >= "%{control:Tmp-Integer-0}") {
>                 # traffic bytes limit reached
>                 reject
>         }
> }
>
> Regards,
> Flamur
Re: FreeRadius working as a ProxyRadius using PAP protocol
NGUYEN DANG LUAN, Eric wrote:
> My radius server (which is not freeradius) rejects my authentication when I'm using a ProxyRadius (freeradius). But it's ok when I use NTRadping or a cisco ACS. I'm currently using SecureW2 software for the end user machine. Does anyone know where the problem is?

The end RADIUS server. Go fix it. Read its debugging output (if it has any). Don't ask *us* how to fix it. It's not a FreeRADIUS problem.

Alan DeKok.
RE: FreeRadius working as a ProxyRadius using PAP protocol
> My radius server (which is not freeradius) rejects my authentication ...

So why are you asking the questions here? Freeradius proxy has nothing to do with this.

Ivan Kalik
Kalik Informatika ISP
Referencing a redundant-load-balance set within users file
Version: freeradius-2.1.1

I cannot get a redundant-load-balance set to work within a variable expansion in the users file. I added this to the bottom of the instantiate section of radiusd.conf:

redundant-load-balance redundant_ldap {
        ldap1
        ldap2
        ldap3
}

and this to the authorize section of sites-enabled/default:

        redundant_ldap

and I defined the 3 ldap instances in modules/ldap, and this part works fine. But I cannot figure out how to reference redundant_ldap from within the users file. I tried

        Connect-Info = %{redundant_ldap:ldap:///dc=rice,dc=edu?riceClass?sub?uid=%u};

but the debug output shows:

WARNING: Unknown module redundant_ldap in string expansion %{redundant_ldap:ldap:///dc=rice,dc=edu?riceClass?sub?uid=%u};

I attached the start of the debug output. The whole output was over the 100k limit.

Tod Sandman
Sr. Systems Administrator
Middleware Development Integration
Rice University
Voice: 713.348.5816

FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu, built on Oct 16 2008 at 13:34:21
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/opt/freeradius/radiusd.conf
including configuration file /etc/opt/freeradius/proxy.conf
including configuration file /etc/opt/freeradius/clients.conf
including files in directory /etc/opt/freeradius/modules/
including configuration file /etc/opt/freeradius/modules/expr
including configuration file /etc/opt/freeradius/modules/smbpasswd
including configuration file /etc/opt/freeradius/modules/unix
including configuration file /etc/opt/freeradius/modules/mschap
including configuration file /etc/opt/freeradius/modules/preprocess
including configuration file /etc/opt/freeradius/modules/always
including configuration file /etc/opt/freeradius/modules/echo
including configuration file /etc/opt/freeradius/modules/krb5
including configuration file /etc/opt/freeradius/modules/checkval
including configuration file /etc/opt/freeradius/modules/passwd
including configuration file /etc/opt/freeradius/modules/sql_log
including configuration file /etc/opt/freeradius/modules/attr_filter
including configuration file /etc/opt/freeradius/modules/pap
including configuration file /etc/opt/freeradius/modules/logintime
including configuration file /etc/opt/freeradius/modules/perl
including configuration file /etc/opt/freeradius/modules/mac2vlan
including configuration file /etc/opt/freeradius/modules/pam
including configuration file /etc/opt/freeradius/modules/counter
including configuration file /etc/opt/freeradius/modules/ippool
including configuration file /etc/opt/freeradius/modules/detail.example.com
including configuration file /etc/opt/freeradius/modules/files
including configuration file /etc/opt/freeradius/modules/chap
including configuration file /etc/opt/freeradius/modules/inner-eap
including configuration file /etc/opt/freeradius/modules/attr_rewrite
including configuration file /etc/opt/freeradius/modules/detail
including configuration file /etc/opt/freeradius/modules/digest
including configuration file /etc/opt/freeradius/modules/radutmp
including configuration file /etc/opt/freeradius/modules/realm
including configuration file /etc/opt/freeradius/modules/mac2ip
including configuration file /etc/opt/freeradius/modules/ldap
including configuration file /etc/opt/freeradius/modules/linelog
including configuration file /etc/opt/freeradius/modules/exec
including configuration file /etc/opt/freeradius/modules/acct_unique
including configuration file /etc/opt/freeradius/modules/etc_group
including configuration file /etc/opt/freeradius/modules/sradutmp
including configuration file /etc/opt/freeradius/modules/expiration
including configuration file /etc/opt/freeradius/modules/policy
including configuration file /etc/opt/freeradius/modules/wimax
including configuration file /etc/opt/freeradius/modules/detail.log
including configuration file /etc/opt/freeradius/eap.conf
including configuration file /etc/opt/freeradius/policy.conf
including files in directory /etc/opt/freeradius/sites-enabled/
including configuration file /etc/opt/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/opt/freeradius/sites-enabled/req.txt
including configuration file /etc/opt/freeradius/sites-enabled/default
group = radius
user = radius
including dictionary file /etc/opt/freeradius/dictionary
main {
        prefix = /usr/site/freeradius-2.1.1
        localstatedir = /var/opt/freeradius
        logdir = /var/opt/freeradius
        libdir = /usr/site/freeradius-2.1.1/lib
        radacctdir = /var/opt/freeradius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
Re: LDAP MSCHAP errors
pap against LDAP works fine chap against LDAP works fine (With ntradping) They used different password. Do you mean chap and MSCHAPv2 require passwords in different formats or something? I can auth CHAP, but with the same username and password can't auth CHAPv2 (with no config change on freeradius) My two debugs show that Debug: rlm_ldap: sambaNtPassword - NT-Password == 0x414539434130363637412341393742303139423034323445363933373332 So the NT-Password is being retrieved from LDAP in both cases. BUT - MSCHAPv2 gives FAILED: MS-CHAP2-Response is incorrect Am I missing something required for MSCHAP to work? The NT-Password seems to be retrieved... A correct password. Do you think the hash being retrieved from LDAP is wrong then? If I do put in an incorrect password I do get the same error message. Does anyone have Freeradius working with MSCHAP against eDir? Working CHAP debug from ntradping: Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for check items in directory... Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: acctFlags - SMB-Account-CTRL-TEXT == [UX ] Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaNtPassword - NT-Password == 0x414539434130363637413341393742303139423034323645363933373332 Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaLmPassword - LM-Password == 0x363542393930304434314234453336383139463130413944343836384443 Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for reply items in directory... 
Tue Nov 11 10:10:26 2008 : Info: [ldap] user testuser authorized to use remote access Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Tue Nov 11 10:10:26 2008 : Info: ++[ldap] returns ok Tue Nov 11 10:10:26 2008 : Info: ++[expiration] returns noop Tue Nov 11 10:10:26 2008 : Info: ++[logintime] returns noop Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing NT-Password from hex encoding Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing LM-Password from hex encoding Tue Nov 11 10:10:26 2008 : Info: [pap] Found existing Auth-Type, not changing it. Tue Nov 11 10:10:26 2008 : Info: ++[pap] returns noop Tue Nov 11 10:10:26 2008 : Info: Found Auth-Type = CHAP Tue Nov 11 10:10:26 2008 : Info: +- entering group CHAP {...} Tue Nov 11 10:10:26 2008 : Info: [chap] login attempt by testuser with CHAP password * Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password ommitted for user testuser authentication. * Where did that come from? I don't know - inside the chap module? It's retrieved from LDAP. I'm using the default modules/chap - it just says: chap { # no configuration } Tue Nov 11 10:10:26 2008 : Info: [chap] chap user testuser authenticated succesfully Default configuration in modules/mschap and modules/chap In sites-enabled/default authorize { ldap } That is obviously untrue from your debug. Just checked again, modules/mschap has nothing unhashed. modules/chap has as above with # no configuration Try doing pap with that NT-Password from ldap (remove clear text password entry wherever it is). Yeah - PAP works perfectly, chap works perfectly, MSCHAP doesn't. Thanks Ivan Kalik Kalik Informatika ISP This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Coleg Sir Gâr. If you have received this email in error please notify the administrator on the following address: [EMAIL PROTECTED] Please consider the environment - do you really need to print this email? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Failing to authenticate users
Hmm, my eyes are bugging out. This is a new freeradius install/mysql/daloradius/ubuntu. I fail to find any specifics as to why my users are failing to authenticate, via a simple radcheck. Anyone have another eye to take a peek and see something I'm missing? The first part of this is all config loading. The access request is located towards the bottom... I'm pretty sure everything is talking to everything it needs to, but I'm obviously missing something, most likely obvious. If anyone sees anything, please let me know. thanks guys cg Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = /usr main: localstatedir = /var main: logdir = /var/log/freeradius main: libdir = /usr/lib/freeradius main: radacctdir = /var/log/freeradius/radacct main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /var/log/freeradius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /var/run/freeradius/freeradius.pid main: user = freerad main: group = freerad main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary 
read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = (null) mschap: ntlm_auth = (null) Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = /etc/shadow unix: group = (null) unix: radwtmp = /var/log/freeradius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = md5 eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /etc/freeradius/huntgroups preprocess: hints = /etc/freeradius/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) 
Module: Loaded realm realm: format = suffix realm: delimiter = @ realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = /etc/freeradius/users files: acctusersfile = /etc/freeradius/acct_users files: preproxy_usersfile = /etc/freeradius/preproxy_users files: compat = no Module: Instantiated files (files) Module: Loaded SQL sql: driver = rlm_sql_mysql sql: server = localhost sql: port = sql: login = root sql: password = XXX sql: radius_db = radius sql: nas_table = nas sql: sqltrace = no sql: sqltracefile = /var/log/freeradius/sqltrace.sql sql: readclients = yes sql: deletestalesessions = yes sql: num_sql_socks = 5 sql: sql_user_name = %{User-Name} sql: default_user_profile = sql: query_on_not_found = no sql: authorize_check_query = SELECT id, UserName,
Re: hostapd + freeradius + windows users problem
I've set up hostapd 0.5.10-1 (with bridge) + freeradius 2.1.1 (with mysql) and it works pretty well except for one thing: when Windows (vista sp1) users turn their machines off, radacct gets messed up (this doesn't happen when the user requests disconnect manually). User goa connects and when he turns the machine off, a new user host/filteria (his machine name) appears. Maybe the problem is inside hostapd (which I can't find), but I don't understand why host/filteria is updated with goa info. Start packet with one user name, stop with another for the same session - NAS (hostapd) is broken. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Failing to authenticate users
You've got: modcall[authorize]: module eap returns noop for request 0 users: Matched entry DEFAULT at line 153 modcall[authorize]: module files returns ok for request 0 ...and modcall[authorize]: module sql returns ok for request 0 And finally rad_check_password: Found Auth-Type System auth: type System Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module unix returns notfound for request 0 modcall: leaving group authenticate (returns notfound) for request 0 auth: Failed to validate the user. Something is setting Auth-Type to System. It's either the users file on line 153, or your SQL. Fix it. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
snmp problem
Hi, I am trying snmp on debian 32 bit. With freeradius 2.0.5. and net-snmp 5.4.1 I did all just like on http://wiki.freeradius.org/SNMP_HOWTO. Changed radiusd.conf as snmp= yes $INCLUDE snmp.con and removed the comment on line smux_password = verysecret and added the line on snmpd.conf of snmpdaemon smuxpeer .1.3.6.1.4.1.11344.1.1.1 verysecret Enabled smux on snmpd too by removing the -smux parameter. But I got the following error on freeradius debug.. SMUX connect try 1 SMUX SMUX open oid: 1.3.6.1.4.1.11344.1.1.1 SMUX open progname: radiusd SMUX open password: verysecret SMUX SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1 SMUX register priority: -1 SMUX register operation: 1 SMUX SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1 SMUX register priority: -1 SMUX register operation: 1 SMUX register message send failed: Broken pipe And also snmpd gives the following error: refused smux peer: oid SNMPv2-SMI::enterprises.11344.1.1.1, descr radiusd Is it a bug regarding snmp or freeradius? Or did I miss something? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FreeRadius working as a ProxyRadius using PAP protocol
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok Sent: Wednesday 12 November 2008 15:48 To: FreeRadius users mailing list Subject: Re: FreeRadius working as a ProxyRadius using PAP protocol NGUYEN DANG LUAN, Eric wrote: In my radius log file: *** Incoming RADIUS packet: *** radrecv: Packet from host 10.226.66.51, port=24670 send_reject() Your main server is rejecting the request. Fix it. And it isn't FreeRADIUS. I think the problem is the protocol I use : PAP. The problem is that you haven't configured the OTHER RADIUS server properly. I'm not sure that FreeRadius use PAP protocol to communicate with Radius Server. FreeRADIUS doesn't control the authentication protocol. The end user machine controls it. And is it normal that I can't see any password when I use a sniffer? Yes. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html My radius server (which is not freeradius) rejects my authentication when I'm using a ProxyRadius (freeradius). But it's ok when I use NTRadping or a cisco ACS. I'm currently using SecureW2 software for the end user machine. Does anyone know where the problem is? NGUYEN Eric - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP MSCHAP errors
Great - thanks, Absolutely outstanding help thanks! :) I hashed from ldap.attrmap as below #checkItem LM-Password sambaLmPassword #checkItem NT-Password sambaNtPassword And it all worked! :) Thanks very much! Simon [EMAIL PROTECTED] 12/11/2008 13:46 [ldap] Added the eDirectory password password in check items as Cleartext-Password OK. Here is the clear text password. [ldap] No default NMAS login sequence [ldap] looking for check items in directory... rlm_ldap: acctFlags - SMB-Account-CTRL-TEXT == [UX ] rlm_ldap: sambaNtPassword - NT-Password == 0x414539434130363637413341393742303139423034323645363933373332 rlm_ldap: sambaLmPassword - LM-Password == 0x363542393930304434314234453336383139463130413944343836384443 So, you don't need these. Remove them and mschap will work. That hash looks decimal not hex to me. I don't think that they are correct. Ivan Kalik Kalik informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius/MySQL - Dynamic IP address, help pls? - FIXED
Hi Ivan; Got it sorted! I had two files in the sites-enabled directory, one was the default and another one called defaul.bak, which I had created and tested with some configs. By starting the radius server with the -X option and piping the output to a file: radiusd -X file I was able to verify that radiusd was reading both files and giving preference to the .bak file, so I deleted the .bak file and it worked the first time. Thanks a lot for your help. Lucio To: freeradius-users@lists.freeradius.org Subject: RE: Freeradius/MySQL - Dynamic IP address, help pls? Date: Wed, 12 Nov 2008 12:36:59 +0100 From: [EMAIL PROTECTED] Thank you for the quick response. I thought on Freeradius version 2.x I needed to work only on the SQL tables, and that I needed to specify in the file raddb/sites-enabled/default as: authorize { sql} authenticate { sql} preacct { acct_unique} accounting { sqlippool} session { sql} post-auth { sqlippool} In accounting and post-auth you add the pool name (main_pool), not sqlippool. There should be entries for main_pool already there (commented out). Then populate the table radippool with: id;pool_name;FramedIPAddress;NASIPAddress;CalledStationId;CallingStationID;expiry_time;username;pool_key2;main_pool;192.168.6.40/0/;;3;main_pool;192.168.6.50/0/;;4;main_pool;192.168.6.60/0/;;5;main_pool;192.168.6.70/0/;; You just need to add the pool name and the IP address. Then the table radgroupcheck with: GroupName: dynamic Attribute: Pool-Name op: := Value: main_pool OK. Then the table radusergroup UserName: macaco GroupName: dynamic priority: 0 Nothing in the table radgroupreply or radreply Is this right? Yes. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: control panel
Paul Bartell wrote: I could recommend dalo radius. Its interface looks pretty nice from here. I haven't been able to evaluate it yet though. On Wed, Nov 12, 2008 at 3:32 AM, Allan Patrick Ksiaskiewcz [EMAIL PROTECTED] wrote: Hello, how are you? I would like some indication of a control panel; I use dial_up admin, but it is bad, and I tested phpradmin. Besides those two, could anyone suggest some others? Thanks We are in process of converting to FreeRadius from ICRadius and we installed ARA which seems to work fine and does what we need. DAve -- The whole internet thing is sucking the life out of me, there ain't no pony in there. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: VMPS - Initial project ideas
Excellent, thanks for all your comments guys - I have managed to successfully download, compile and install the Freeradius 2.1.1 application and have delved into the vmpsd.conf.inf file Is there any documentation out there on how to get a basic VMPS system up and running? I am purely in the testing stages at the moment, but would like to get the box attached to a switch and begin responding to VMPS requests as quickly as possible... Any input much appreciated, Cheers Jon Hairy51 wrote: Hi all, I am just about to start a project to remove the VMPS system from an aging catalyst switch and I would like to investigate the possibility of using FreeRadius for this. We currently have about 1500 hosts that rely on VMPS for dynamic assignment and an ideal solution would be to move the VMPS service onto a server (Or multiple servers) with as few interruptions to users as possible. Also, for simplicity's sake it would be great if we could re-use the current Static VMPS file that the catalyst switch uses. I have looked into FreeNAC as a solution, but want to investigate other ways of achieving this. We do not really need to do anything other than assign (or block) VLANs, so the extra functionality of FreeNAC is not needed at this point. Considering I am coming from a limited Linux background, how hard would it be for me to achieve this using FreeRADIUS? Does it sound feasible? I am really looking for a bit of advice from those with experience of the FreeRADIUS application and who know of the potential pitfalls and complications that we may face! Many thanks - any comments or ideas much appreciated... Cheers Jonathan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius working as a ProxyRadius using PAP protocol
I'm trying to use FreeRadius (server-2.1.1) as a Proxy Radius with PAP protocol. If you meant to proxy only pap requests, your configuration is not going to work. proxy.conf: realm NULL { authhost= ***.***.***.***:1645 accthost= ***.***.***.***:1646 secret = pass } users: DEFAULT FreeRADIUS-Proxied-To == ***.***.***.***, Auth-Type := PAP It was an eap request so that didn't match. Proxying request 0 to home server ***.***.***.*** port 1645 Sending Access-Request of id 210 to ***.***.***.*** port 1645 Message-Authenticator = 0x Service-Type = Framed-User User-Name = enguyend Framed-MTU = 1488 Called-Station-Id = 00-1D-7E-5F-F7-39:SogetiNET Calling-Station-Id = 00-16-6F-AA-80-DD NAS-Port-Type = Wireless-802.11 Connect-Info = CONNECT 54Mbps 802.11g EAP-Message = 0x020d01656e677579656e64 NAS-IP-Address = 192.168.1.1 NAS-Port = 1 NAS-Port-Id = STA port # 1 Proxy-State = 0x30 Going to the next request .. Rejecting request 0 due to lack of any response from home server ***.***.***.*** port 1645 There was no response configured: rejecting request 0 Request was proxied but home server didn't respond. You will have to debug the home server and see whether it received the request. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius/MySQL - Dynamic IP address, help pls?
Thank you for the quick response. I thought on Freeradius version 2.x I needed to work only on the SQL tables, and that I needed to specify in the file raddb/sites-enabled/default as: authorize {sql} authenticate {sql} preacct {acct_unique} accounting {sqlippool} session {sql} post-auth { sqlippool} In accounting and post-auth you add the pool name (main_pool), not sqlippool. There should be entries for main_pool already there (commented out). Then populate the table radippool with: id;pool_name;FramedIPAddress;NASIPAddress;CalledStationId;CallingStationID;expiry_time;username;pool_key2;main_pool;192.168.6.40/0/;;3;main_pool;192.168.6.50/0/;;4;main_pool;192.168.6.60/0/;;5;main_pool;192.168.6.70/0/;; You just need to add the pool name and the IP address. Then the table radgroupcheck with: GroupName: dynamic Attribute: Pool-Name op: := Value: main_pool OK. Then the table radusergroup UserName: macaco GroupName: dynamic priority: 0 Nothing in the table radgroupreply or radreply Is this right? Yes. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
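The three tables in the exchange above chain together: radusergroup maps the user to a group, radgroupcheck gives that group a Pool-Name, and radippool holds the addresses of that pool. The following is an added example, not FreeRADIUS's sqlippool module or the SQL it ships: it loads the rows from the thread (user macaco, group dynamic, pool main_pool, four addresses) into an in-memory SQLite database, using the FreeRADIUS column names, and walks the chain from User-Name to a free Framed-IP-Address. The allocation and release queries are simplified stand-ins for the module's own; the lease length and the NAS/station values are constructed.

```python
"""Walk the sqlippool tables from the thread above: user -> group -> pool -> address.

Added example, not FreeRADIUS's sqlippool module or its SQL.  Table and
column names follow the FreeRADIUS schema; rows, lease time and NAS
values are constructed for the demonstration.
"""
import sqlite3
import time

SCHEMA = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT,
                            attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radippool (id INTEGER PRIMARY KEY, pool_name TEXT,
                        framedipaddress TEXT, nasipaddress TEXT DEFAULT '',
                        calledstationid TEXT DEFAULT '',
                        callingstationid TEXT DEFAULT '',
                        expiry_time INTEGER DEFAULT 0,
                        username TEXT DEFAULT '', pool_key TEXT DEFAULT '');
"""


def build_db():
    """In-memory copy of the three tables, populated as in the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # radusergroup: macaco belongs to group dynamic
    db.execute("INSERT INTO radusergroup VALUES ('macaco', 'dynamic', 0)")
    # radgroupcheck: group dynamic draws from main_pool (Pool-Name := main_pool)
    db.execute("INSERT INTO radgroupcheck (groupname, attribute, op, value) "
               "VALUES ('dynamic', 'Pool-Name', ':=', 'main_pool')")
    # radippool: only pool_name and framedipaddress need filling in
    db.executemany("INSERT INTO radippool (pool_name, framedipaddress) VALUES (?, ?)",
                   [("main_pool", ip) for ip in
                    ("192.168.6.40", "192.168.6.50", "192.168.6.60", "192.168.6.70")])
    db.commit()
    return db


def pool_for_user(db, username):
    """Pool-Name the authorize step would set for this user, or None."""
    row = db.execute(
        "SELECT gc.value FROM radusergroup ug "
        "JOIN radgroupcheck gc ON gc.groupname = ug.groupname "
        "WHERE ug.username = ? AND gc.attribute = 'Pool-Name' "
        "ORDER BY ug.priority LIMIT 1", (username,)).fetchone()
    return row[0] if row else None


def allocate(db, username, nas_ip, calling_station, lease_seconds=3600, now=None):
    """Claim one free address from the user's pool (expired leases count as free).

    Returns the Framed-IP-Address to hand back in post-auth, or None when the
    user has no pool or the pool is exhausted.
    """
    pool = pool_for_user(db, username)
    if pool is None:
        return None
    now = int(time.time()) if now is None else now
    with db:  # select and update in one transaction so two requests cannot take the same row
        row = db.execute(
            "SELECT id, framedipaddress FROM radippool "
            "WHERE pool_name = ? AND expiry_time < ? "
            "ORDER BY expiry_time, id LIMIT 1", (pool, now)).fetchone()
        if row is None:
            return None
        db.execute(
            "UPDATE radippool SET nasipaddress = ?, callingstationid = ?, username = ?, "
            "pool_key = ?, expiry_time = ? WHERE id = ?",
            (nas_ip, calling_station, username, calling_station, now + lease_seconds, row[0]))
    return row[1]


def release(db, nas_ip, calling_station):
    """Accounting Stop: free the lease held by this NAS/station pair; returns rows freed."""
    with db:
        cur = db.execute(
            "UPDATE radippool SET expiry_time = 0, username = '', nasipaddress = '', "
            "callingstationid = '', pool_key = '' "
            "WHERE nasipaddress = ? AND pool_key = ?", (nas_ip, calling_station))
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print(pool_for_user(db, "macaco"))                      # main_pool
    print(allocate(db, "macaco", "192.168.1.1", "00-16-6F-AA-80-DD"))
```

A user with no radusergroup row gets no pool and therefore no address, which is the observable symptom when the group or Pool-Name row is missing; an exhausted pool returns None as well, and leases only come back through release() or expiry.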
Re: Failing to authenticate users
Hmm, my eyes are bugging out. This is a new freeradius install/mysql/daloradius/ubuntu. New? This is an ancient version. I fail to find any specifics as to why my users are failing to authenticate, via a simple radcheck. Anyone have another eye to take a peek and see something I'm missing? The first part of this is all config loading. The access request is located towards the bottom... I'm pretty sure everything is talking to everything it needs to, but I'm obviously missing something, most likely obvious. If anyone sees anything, please let me know. 1.1.x default users file has a DEFAULT entry setting Auth-Type System. Comment it out. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: snmp problem
Oguzhan Kayhan wrote: Hi, I am trying snmp on debian 32 bit. With freeradius 2.0.5. and net-snmp 5.4.1 Why are you running 2.0.5? It was the default package for debian. Ok we will recompile the new version and give a try. Thank you. I did all just like on http://wiki.freeradius.org/SNMP_HOWTO. Changed radiusd.conf as snmp= yes $INCLUDE snmp.con SNMP doesn't work in 2.0.5. The functionality has been replaced, and expanded, in 2.1.1. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP MSCHAP errors
[ldap] Added the eDirectory password password in check items as Cleartext-Password OK. Here is the clear text password. [ldap] No default NMAS login sequence [ldap] looking for check items in directory... rlm_ldap: acctFlags - SMB-Account-CTRL-TEXT == [UX ] rlm_ldap: sambaNtPassword - NT-Password == 0x414539434130363637413341393742303139423034323645363933373332 rlm_ldap: sambaLmPassword - LM-Password == 0x363542393930304434314234453336383139463130413944343836384443 So, you don't need these. Remove them and mschap will work. That hash looks decimal not hex to me. I don't think that they are correct. Ivan Kalik Kalik informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FreeRadius working as a ProxyRadius using PAP protocol
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED] Sent: Wednesday 12 November 2008 12:15 To: FreeRadius users mailing list Subject: Re: FreeRadius working as a ProxyRadius using PAP protocol I'm trying to use FreeRadius (server-2.1.1) as a Proxy Radius with PAP protocol. If you meant to proxy only pap requests, your configuration is not going to work. proxy.conf: realm NULL { authhost= ***.***.***.***:1645 accthost= ***.***.***.***:1646 secret = pass } users: DEFAULT FreeRADIUS-Proxied-To == ***.***.***.***, Auth-Type := PAP It was an eap request so that didn't match. Proxying request 0 to home server ***.***.***.*** port 1645 Sending Access-Request of id 210 to ***.***.***.*** port 1645 Message-Authenticator = 0x Service-Type = Framed-User User-Name = enguyend Framed-MTU = 1488 Called-Station-Id = 00-1D-7E-5F-F7-39:SogetiNET Calling-Station-Id = 00-16-6F-AA-80-DD NAS-Port-Type = Wireless-802.11 Connect-Info = CONNECT 54Mbps 802.11g EAP-Message = 0x020d01656e677579656e64 NAS-IP-Address = 192.168.1.1 NAS-Port = 1 NAS-Port-Id = STA port # 1 Proxy-State = 0x30 Going to the next request .. Rejecting request 0 due to lack of any response from home server ***.***.***.*** port 1645 There was no response configured: rejecting request 0 Request was proxied but home server didn't respond. You will have to debug the home server and see whether it received the request. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html My requests are proxied: I got the following response: rad_recv: Access-Reject packet from host 205.223.235.196 port 1645, id=186, length=23 Proxy-State = 0x30 In my radius log file: *** Incoming RADIUS packet: *** radrecv: Packet from host 10.226.66.51, port=24670 send_reject() *** Incoming RADIUS packet: *** radrecv: Packet from host 10.226.65.52, port=25433 send_reject() I think the problem is the protocol I use : PAP. 
I'm not sure that FreeRadius use PAP protocol to communicate with Radius Server. And is it normal that I can't see any password when I use a sniffer? Regards NGUYEN Eric - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
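Two points in this thread deserve a concrete illustration: the "Yes" to "is it normal that I can't see any password when I use a sniffer?", and Ivan's "It was an eap request so that didn't match". The following is an added example, not FreeRADIUS code. hide_user_password() implements the User-Password hiding of RFC 2865 section 5.2 (MD5 of the shared secret and the Request Authenticator, XORed into the password in chained 16-byte blocks), which is why a capture on either the NAS-to-proxy or the proxy-to-home-server leg shows only opaque bytes and why each hop must hold the right shared secret to recover the password and re-hide it for the next hop. auth_method() reads the attribute names of a request and names the method the client chose, which is what decides whether a users-file entry forcing Auth-Type := PAP can apply. The EAP request is reproduced from the debug output above; the shared secret "pass" is the one from the thread's clients.conf, and the authenticator and password are constructed.

```python
"""Why a capture of a PAP request shows no password, and which method a request uses.

Added example, not FreeRADIUS code.  Secret, Request Authenticator and
password are constructed; the EAP attribute list is copied from the
debug output quoted in this thread.
"""
import hashlib
import os


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Password for the wire (RFC 2865 section 5.2)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()    # b(n) = MD5(S + c(n-1))
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                                       # the next block chains on this one
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_user_password(); only a holder of the shared secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # padding is NUL, so a password's own trailing NULs are lost


def auth_method(attributes) -> str:
    """Name the authentication method from the attributes a NAS sent.

    A users entry forcing Auth-Type := PAP cannot apply to a request that
    carries EAP-Message instead of User-Password; the NAS/client picks the
    method, the server only recognises it.
    """
    names = {name for name, _ in attributes}
    if "EAP-Message" in names:
        return "EAP"
    if "MS-CHAP2-Response" in names or "MS-CHAP-Response" in names:
        return "MS-CHAP"
    if "CHAP-Password" in names:
        return "CHAP"
    if "User-Password" in names:
        return "PAP"
    return "unknown"


# Attributes of the proxied Access-Request quoted in this thread (an EAP identity response).
PAGE_REQUEST = [
    ("Service-Type", "Framed-User"),
    ("User-Name", "enguyend"),
    ("Framed-MTU", 1488),
    ("NAS-Port-Type", "Wireless-802.11"),
    ("EAP-Message", bytes.fromhex("020d01656e677579656e64")),
    ("NAS-IP-Address", "192.168.1.1"),
]

# Constructed PAP request as the same NAS would send it for a PAP-only client.
SECRET = b"pass"                   # shared secret from the thread's clients.conf
AUTHENTICATOR = os.urandom(16)     # constructed here; in real traffic the NAS picks it
PAP_REQUEST = [
    ("User-Name", "enguyend"),
    ("User-Password", hide_user_password(b"example-pap-password", SECRET, AUTHENTICATOR)),
]

if __name__ == "__main__":
    print(auth_method(PAGE_REQUEST), auth_method(PAP_REQUEST))   # EAP PAP
    print(PAP_REQUEST[1][1].hex())   # opaque on the wire; the cleartext is not in it
```

The hiding is reversible by anyone who knows the shared secret and sees the packet, so it protects only against casual capture; that is the reason the thread's proxy set-up needs matching secrets on every hop rather than any claim that the password is encrypted.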
Re: rlm_ldap and auto_header
Alan DeKok wrote: Tim Palmer wrote: Full disclosure - I did try an install from ports, then removed the port and rerun ldconfig. I did not recompile/install freeradius after the port exercise. === Why yes, I did map Cleartext-Password, since the debug error ( and various list postings) seemed clear on that: ldap.attrmap: checkItem Cleartext-Password userPassword Don't do this. Delete this line. It's the SOURCE of all the problems. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html To no one's surprise, you all are correct that auto_header shouldn't be needed in the ldap module. The Cleartext-Password mapping didn't help, but my base, original problem was carrying over a password_header = {crypt} entry in the ldap module from our old (1.0.1) configuration. Thanks for making it clear I shouldn't accept something just because it works, if it isn't how it should work. -- Tim Palmer BestWeb Support - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: snmp problem
Oguzhan Kayhan wrote: Hi, I am trying snmp on debian 32 bit. With freeradius 2.0.5. and net-snmp 5.4.1 Why are you running 2.0.5? I did all just like on http://wiki.freeradius.org/SNMP_HOWTO. Changed radiusd.conf as snmp= yes $INCLUDE snmp.con SNMP doesn't work in 2.0.5. The functionality has been replaced, and expanded, in 2.1.1. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
control panel
Hello, how are you? I would like some indication of a control panel; I use dial_up admin, but it is bad, and I tested phpradmin. Besides those two, could anyone suggest some others? Thanks Allan Patrick Ksiaskiewcz Brazil Guarapuava/PR - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP
In site-enable/default under authorize I've uncommented ldap. You don't need ldap there. Uncomment ldap in sites-enabled/inner-tunnel virtual server. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP
Ivan - Thank you for your help. That change has allowed MS-Chapv2 to work from my tunnel. Since I've specified PEAP in the eap.conf, is it possible to use GTC too? Thanks CJ To: freeradius-users@lists.freeradius.org Subject: Re: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP Date: Thu, 13 Nov 2008 00:04:41 +0100 From: [EMAIL PROTECTED] In site-enable/default under authorize I've uncommented ldap. You don't need ldap there. Uncomment ldap in sites-enabled/inner-tunnel virtual server. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP
That change has allowed MS-Chapv2 to work from my tunnel. Since I've specified PEAP in the eap.conf, is it possible to use GTC too? Yes, you can use any eap method you want. default_eap_type will be tried first. If refused, server and supplicant will try to agree on another. It just means one extra eap exchange. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP
Ivan - Thank you for your help. I removed the password_attribute field from modules/ldap and everything seems to be working with PEAP and GTC. Thank you again!

CJ
Re: Referencing a redundant-load-balance set within users file
> Version: freeradius-2.1.1
> I cannot get a redundant-load-balance set to work within a variable expansion in the users file.

No. It's not a module, it's a group. You can list different modules inside the group - they don't have to be the same type (all ldap or all sql; they can be mixed).

> I added this to the bottom of the instantiate section of radiusd.conf:
>
> redundant-load-balance redundant_ldap {
>         ldap1
>         ldap2
>         ldap3
> }
>
> and this to the authorize section of sites-enabled/default:
>
> redundant_ldap
>
> and I defined the 3 ldap instances in modules/ldap, and this part works fine. But I cannot figure out how to reference redundant_ldap from within the users file. I tried
>
> Connect-Info = %{redundant_ldap:ldap:///dc=rice,dc=edu?riceClass?sub?uid=%u};

Why don't you map that in ldap.attrmap?

Ivan Kalik
Kalik Informatika ISP
rlm_counter: Failed to open file /etc/raddb/db.daily: Permission denied
Any idea how to fix this?

Wed Nov 12 21:29:16 2008 : Error: rlm_counter: Failed to open file /etc/raddb/db.daily: Permission denied
Wed Nov 12 21:29:16 2008 : Error: /etc/raddb/radiusd.conf[152]: Instantiation failed for module daily
Wed Nov 12 21:29:16 2008 : Error: Errors initializing modules

This is an rpmbuild on Centos 5.2

radiusd: FreeRADIUS Version 2.1.1, for host i686-redhat-linux-gnu, built on Nov 11 2008 at 10:29:34

/etc
drwxrwxr-x 7 root radiusd 4096 Nov 12 21:29 raddb

/etc/raddb
-rw--- 1 radiusd radiusd 12312 Nov 12 21:29 db.daily

This works:
# /usr/sbin/radiusd -X

This works:
# strace /usr/sbin/radiusd

This does not work:
# service radiusd start
Starting RADIUS server:[FAILED]

This does not work:
counter daily {
        filename = ${raddbdir}/db.daily
        . . .

This does not work:
counter daily {
        filename = /tmp/db.daily
        . . .

-Ted-
Re: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP
CJ O wrote:
> Good Afternoon - I've read through a lot of threads and documents and have pieced information together, however I am still having issues. We are running an OpenLDAP with the passwords encrypted. I know that PEAP requires the clear text password to be stored in the LDAP Server,

No. See: http://deployingradius.com/documents/protocols/compatibility.html

> however, I've read also that as long as FreeRadius can get the NTLM Password from LDAP PEAP should work. We have also created a custom attribute call ntPasswd that hold the NTLM Hash of the users password. I have configured FreeRadius to authenicate to the LDAP server and set the password_attribute = ntPasswd. In the ldap.attrmap I've added to entries checkItem LM-Password ntPasswd and checkItem NT-Password ntPasswd. In eap.conf i've set default_eap_type = peap In site-enable/default under authorize I've uncommented ldap.

You need to uncomment it in raddb/sites-enabled/inner-tunnel.

See the debug output. It's running the inner-tunnel method, but LDAP isn't used there.

Alan DeKok.