Re: Freeradius proxy

2008-11-12 Thread Alan DeKok
Siumafua Moala wrote:
> Everything is fine but I want to use the current server to
>
> 1. allocate ip address
> 2. use cisco-avpairs to allocate vrf
>
> Then send to another server to check only the username and password.

  That is possible.

> I have gone through the proxy configuration and it seems you can proxy
> either the auth or acct but I cannot seem to find how
> to split the authentication.

  You don't.  You proxy the request, and allocate IP addresses and Cisco
AVPairs in the post-auth section.

> It seems on the users file you can use
> pass-through but I am not using the users file!

  Then read man unlang.

  Also, the IP pool allocation is *already* done in the post-auth
section.  So it should be possible to get that working with proxying...
simply by configuring IP pool allocation normally.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_ldap and auto_header

2008-11-12 Thread Alan DeKok
Tim Palmer wrote:
> Full disclosure - I did try an install from ports, then removed the port
> and re-ran ldconfig. I did not recompile/install freeradius after the
> port exercise.
> ===
> Why yes, I did map Cleartext-Password, since the debug error (and
> various list postings) seemed clear on that:
>
> ldap.attrmap:
> checkItem   Cleartext-Password  userPassword

  Don't do this.  Delete this line.  It's the SOURCE of all the problems.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius working as a ProxyRadius using PAP protocol

2008-11-12 Thread NGUYEN DANG LUAN, Eric
Hello,

I'm trying to use FreeRadius (server-2.1.1) as a Proxy Radius with the PAP
protocol.

Client --(peap,eap,pap)-- AP -- FreeRadius --(pap)-- Radius server

Here's what I have in my conf files:

 

client.conf:

client ***.***.***.*** {
    secret      = pass
    shortname   = LinksysWRT54G
    nastype     = other
}

proxy.conf:

realm NULL {
    authhost    = ***.***.***.***:1645
    accthost    = ***.***.***.***:1646
    secret      = pass
}

users:

DEFAULT FreeRADIUS-Proxied-To == ***.***.***.***, Auth-Type := PAP

 

 

I don't think my proxy radius uses the right protocol. I want it to use
the PAP protocol when it tries to contact the radius server.

 

radiusd:  Opening IP addresses and Ports 
listen {
    type = auth
    ipaddr = *
    port = 1645
}
listen {
    type = acct
    ipaddr = *
    port = 1646
}
Listening on authentication address * port 1645
Listening on accounting address * port 1646
Listening on proxy address * port 1647
Ready to process requests.

rad_recv: Access-Request packet from host ***.***.***.*** port 1405, id=0, length=180
    Message-Authenticator = 0x1ad77a29ef17ee966a8521f57795f231
    Service-Type = Framed-User
    User-Name = enguyend\000
    Framed-MTU = 1488
    Called-Station-Id = 00-1D-7E-5F-F7-39:SogetiNET
    Calling-Station-Id = 00-16-6F-AA-80-DD
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 54Mbps 802.11g
    EAP-Message = 0x020d01656e677579656e64
    NAS-IP-Address = 192.168.1.1
    NAS-Port = 1
    NAS-Port-Id = STA port # 1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = enguyend, looking up realm NULL
[suffix] Found realm NULL
[suffix] Adding Stripped-User-Name = enguyend
[suffix] Adding Realm = NULL
[suffix] Proxying request from user enguyend to realm NULL
[suffix] Preparing to proxy authentication request to realm NULL 
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm NULL.  Not doing EAP.
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 210 to ***.***.***.*** port 1645
    Message-Authenticator = 0x
    Service-Type = Framed-User
    User-Name = enguyend
    Framed-MTU = 1488
    Called-Station-Id = 00-1D-7E-5F-F7-39:SogetiNET
    Calling-Station-Id = 00-16-6F-AA-80-DD
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 54Mbps 802.11g
    EAP-Message = 0x020d01656e677579656e64
    NAS-IP-Address = 192.168.1.1
    NAS-Port = 1
    NAS-Port-Id = STA port # 1
    Proxy-State = 0x30
Proxying request 0 to home server ***.***.***.*** port 1645
Sending Access-Request of id 210 to ***.***.***.*** port 1645
    Message-Authenticator = 0x
    Service-Type = Framed-User
    User-Name = enguyend
    Framed-MTU = 1488
    Called-Station-Id = 00-1D-7E-5F-F7-39:SogetiNET
    Calling-Station-Id = 00-16-6F-AA-80-DD
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 54Mbps 802.11g
    EAP-Message = 0x020d01656e677579656e64
    NAS-IP-Address = 192.168.1.1
    NAS-Port = 1
    NAS-Port-Id = STA port # 1
    Proxy-State = 0x30
Going to the next request
Waking up in 0.9 seconds.
Waking up in 13.0 seconds.
rad_recv: Access-Request packet from host ***.***.***.*** port 1405, id=0, length=180
Sending duplicate proxied request to home server ***.***.***.*** port 1645 - ID: 210
Sending Access-Request of id 210 to ***.***.***.*** port 1645
    Message-Authenticator = 0x
    Service-Type = Framed-User
    User-Name = enguyend
    Framed-MTU = 1488
    Called-Station-Id = 00-1D-7E-5F-F7-39:SogetiNET
    Calling-Station-Id = 00-16-6F-AA-80-DD
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 54Mbps 802.11g
    EAP-Message = 0x020d01656e677579656e64
    NAS-IP-Address = 192.168.1.1
    NAS-Port = 1
    NAS-Port-Id = STA port # 1
    Proxy-State = 0x30
Waking up in 11.0 seconds.
Rejecting request 0 due to lack of any response from home server ***.***.***.*** port 1645
There was no response configured: rejecting request 0
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> enguyend
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns 

Re: sqlcounter returning wrong value?

2008-11-12 Thread Flamur Rogova

liran tal wrote:
> Waiting for that traffic limitation patch, Venkatesh.
>
> Thanks.

Hi,
I was stuck with this problem too, and I came up with this solution,
which works in my test environment.

The idea is to store allowed bytes in Tmp-Integer-0, then just use
unlang to compare the user's allowed and actual traffic bytes.

btw, maximum traffic count is 2^31 bytes, if you do it this way.

if (control:Tmp-Integer-0) {
    if (%{sql:SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='%{User-Name}'} > %{control:Tmp-Integer-0}) {
        # traffic bytes limit reached
        reject
    }
}

Regards,
Flamur
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-12 Thread tnt
> Thanks again! I amended it and it works.
> But that is only for testing...

Yes. Now you go on with the manual.

> Can I use the MSCHAP method? Or I have to create a module of my own for
> users to authenticate?

No, you configure the ntlm_auth line in raddb/modules/mschap.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: sqltrace log

2008-11-12 Thread Søren Schrøder
>> default sql.conf claims opposite:
>>
>> # Print all SQL statements when in debug mode (-x)
>> sqltrace = yes
>> sqltracefile = ${logdir}/sqltrace.sql
>>
>> But to check your statement, I started radiusd in daemon mode (rc
>> script), and I still don't get queries logged in the tracefile
>
>
> That's -x not -X.

man 8 radiusd:

-X Debugging mode. Equivalent to -sfxx -l stdout

but nothing should be un-tested, so I followed your suggestion:

radiusd -x
radiusd -xx
radiusd -f -x

but still no output in sqltrace.log

Has anyone actually got sqltrace output in 2.x? The few mentions I find
on the net all seem to relate to 1.x configurations.

In the source code I find:

src/modules/rlm_sql/drivers/rlm_sql_mysql/sql_mysql.c:

if (config->sqltrace)
    radlog(L_DBG, "rlm_sql_mysql: query:  %s", querystr);

Doesn't that mean that it's written to the L_DBG (radius.log) file and not
to sqltrace.log? I do see those in the radius.log:

/var/log/radius/radius.log:rlm_sql_mysql: query:  SELECT id, username,
attribute, value, op   FROM radcheck   WHERE username =
'blabla'   ORDER BY id

I think sqltrace has de facto been deprecated

-- 
Søren Schrøder, Technical Innovation, Cybercity (a Telenor Company).
[EMAIL PROTECTED], (+45) 60503045.
Obey Gravity It's the LAW!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP MSCHAP errors

2008-11-12 Thread Simon Palmer
FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on
Nov 10 2008 at 13:18:51
Copyright (C) 1999-2008 The FreeRADIUS server project and
contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file
/usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/mschap.org
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file
/usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file
/usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file
/usr/local/etc/raddb/sites-enabled/default
including configuration file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /usr/local/var
logdir = /usr/local/var/log/radius
libdir = /usr/local/lib
radacctdir = /usr/local/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /usr/local/var/run/radiusd/radiusd.pid
checkrad = /usr/local/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
 }
 client 172.16.8.0/24 {
require_message_authenticator = no
secret = testing123
shortname = testing
 }
 client 192.168.1.1/32 {
require_message_authenticator = no
secret = w1f1netw0rk
shortname = ArubaController
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
 

Re: VMPS - Initial project ideas

2008-11-12 Thread Alan DeKok
Hairy51 wrote:
> Is there any documentation out there on how to get a basic VMPS system up
> and running? I am purely in the testing stages at the moment, but would like
> to get the box attached to a switch and begin responding to VMPS requests as
> quick as possible...

  There's no quick guide.  See also raddb/sites-available/vmps for
additional configuration information.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP MSCHAP errors

2008-11-12 Thread tnt
pap against LDAP works fine
chap against LDAP works fine (With ntradping)

They used different password.

Do you mean chap and MSCHAPv2 require passwords in different formats or
something?

No. There is a clear text password stored somewhere.

I can auth CHAP, but with the same username and password can't auth
CHAPv2
(with no config change on freeradius)
My two debugs show that
Debug: rlm_ldap: sambaNtPassword - NT-Password ==
0x414539434130363637412341393742303139423034323445363933373332
So the NT-Password is being retrieved from LDAP in both cases.


Yes. But chap wasn't using it.

A correct password.

Do you think the hash being retrieved from LDAP is wrong then?

Yes.

If I do put in an incorrect password I do get the same error message.


No surprise.

*
Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password
ommitted for user testuser authentication.
*

Where did that come from?

I don't know - inside the chap module?

No.

It's retrieved from LDAP.

Not that I can see. Post the whole debug and I will tell you where is
clear text password possibly stored.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius working as a ProxyRadius using PAP protocol

2008-11-12 Thread Alan DeKok
NGUYEN DANG LUAN, Eric wrote:
> In my radius log file:
>  ***   Incoming RADIUS packet:   ***
>  radrecv: Packet from host 10.226.66.51, port=24670
>  send_reject()

  Your main server is rejecting the request.  Fix it.

  And it isn't FreeRADIUS.

> I think the problem is the protocol I use : PAP.

  The problem is that you haven't configured the OTHER RADIUS server
properly.

> I'm not sure that FreeRadius uses the PAP protocol to communicate with the
> Radius Server.

  FreeRADIUS doesn't control the authentication protocol.  The end user
machine controls it.

> And is it normal that I can't see any password when I use a sniffer?

  Yes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRadius working as a ProxyRadius using PAP protocol

2008-11-12 Thread tnt
> I think the problem is the protocol I use : PAP.
> I'm not sure that FreeRadius uses the PAP protocol to communicate with the
> Radius Server.
> And is it normal that I can't see any password when I use a sniffer?


No, the protocol you (or should I say the user) are using is eap not pap.
Freeradius received an eap request and proxied eap. It is normal not to
have a password in an eap packet.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: sqlcounter returning wrong value?

2008-11-12 Thread Venkatesh K
Hi,

On Wed, Nov 12, 2008 at 2:06 AM, liran tal [EMAIL PROTECTED] wrote:

> Waiting for that traffic limitation patch, Venkatesh.
> Thanks.

I am sorry. I had a few busy days this week. You can expect a patch tomorrow.


> On Sun, Nov 9, 2008 at 6:00 AM, Venkatesh K [EMAIL PROTECTED] wrote:
>
>> Hi Liran,
>>
>> On Sun, Nov 9, 2008 at 4:16 AM, liran tal [EMAIL PROTECTED] wrote:
>>> Hey Venkatesh,
>>>
>>> On Fri, Oct 31, 2008 at 2:26 AM, Venkatesh K [EMAIL PROTECTED] wrote:
>>>
>>>> 2008/10/31  [EMAIL PROTECTED]:
>>>>> It does make sense. rlm_sqlcounter works like this toward the time of
>>>>> the reset: let's say you have an hour left, your limit is 20 hours and you
>>>>> have signed in 15 minutes before counter reset time.  When code
>>>>> calculates that you can be online at reset time it doesn't return your
>>>>> allowance (1 hour) but adds the limit for the next counting period (20
>>>>> hours) to the remaining time (15 minutes) and returns that value (20
>>>>> hours and 15 minutes). Reasoning is that your session shouldn't be
>>>>> discontinued after an hour because 15 minutes into the session the new
>>>>> limit should come into force (and session limit can't be changed during
>>>>> the session).
>>>>>
>>>>> In your case there is about 2,000,000 left on the counter but only a few
>>>>> thousand seconds left to the end of the reset period, so code will add
>>>>> those few thousands to the next period limit (26,000,000) and return
>>>>> that value. Code doesn't know whether you are counting data or time as
>>>>> there is no such configuration item.
>>>>>
>>>>> Venkatesh had posted the patch that switches off this piece of code for
>>>>> data counters by introducing that configuration item. You should try it.
>>>>
>>>> rlm_sqlcounter has one more limitation. In version 1.1.7, the maximum
>>>> counter value was limited to 2G whereas in 2.1.1 it seems to be 4G.
>>>> This imposes an artificial limitation of maximum of 4GB of downloads.
>>>> I had a workaround where I patched rlm_sqlcounter to limit the per
>>>> session downloads to 4GB if allowed usage exceeds 4GB.
>>>>
>>>> Except this issue, I think, with the patch I posted earlier, one
>>>> should be fine with rlm_sqlcounter. If someone needs a patch to work
>>>> around the 2GB/4GB limit, I will post the patch.
>>>
>>>
>>> Sorry for the late reply.
>>> I applied your patch and now data counters work as expected with a minor
>>> exception, the 2Gb limit as you have stated previously. Possibly you could
>>> also post the patch for the 2Gb/4Gb limit?
>>> I'm hoping it's compatible with FR 1.1.7 as well.
>>
>> It is ok. I am happy to know it works for you. I will email you a
>> patch for 1.1.7 in a couple of days. The patch is going to impose
>> certain limitations on you. The maximum return value should be less
>> than unsigned integer (32bit). The maximum reply value for data will be
>> limited to 4GB even if actual value is more than 4GB. So, there will
>> be a per session limit of 4GB though user is authorized to transfer
>> more data.
>>
>> Regards,
>>
>> Venkatesh. K


Regards,

-- 
Venkatesh. K
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
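Added example (my code, not FreeRADIUS's and not any poster's): a Python model of the rlm_sqlcounter reply-value logic Ivan describes in the quoted text above (remaining allowance versus seconds to reset, and the data-counter switch Venkatesh's patch adds), the per-session cap on the reply value that the 2G/4G discussion turns on, and the byte-limit aggregate from Flamur's unlang policy earlier in this thread run against a constructed in-memory radacct table. Function names, the table layout and the sample rows are assumptions made for the demo.

```python
"""Model of rlm_sqlcounter's reply value and of the unlang byte-limit check
discussed in this thread (added example, not FreeRADIUS code)."""
import sqlite3

HOUR = 3600
UINT32_MAX = 2**32 - 1   # largest value a RADIUS integer attribute carries
INT32_MAX = 2**31 - 1    # the 2G ceiling the thread reports for 1.1.7 / Tmp-Integer-0

# Constructed radacct rows: (UserName, AcctInputOctets, AcctOutputOctets)
SAMPLE_ROWS = [
    ("bob", 600_000_000, 900_000_000),
    ("bob", 100_000_000, 50_000_000),
    ("alice", 10, 20),
]


def counter_reply(limit, used, to_reset, data_counter=False):
    """Value rlm_sqlcounter would place in the reply attribute.

    limit and used are in the counter's unit (seconds for Session-Timeout,
    octets for a data counter); to_reset is the number of seconds left in
    the current reset period.  0 means the limit is reached (reject).

    Without data_counter the module assumes a session that is still up at
    reset time must not be cut short, so it returns "seconds left in this
    period + the whole next period".  For a data counter that mixes octets
    with seconds, which is the wrong value Liran saw; data_counter=True is
    the switch the patch adds and returns the plain remainder instead.
    """
    if used >= limit:
        return 0
    remaining = limit - used
    if not data_counter and remaining > to_reset:
        return limit + to_reset
    return remaining


def clamp_reply(value, max_value=UINT32_MAX):
    """Per-session cap: a reply attribute cannot carry more than max_value,
    so a user allowed more than that is limited per session, not in total."""
    return min(value, max_value)


def build_radacct(rows):
    """In-memory radacct with just the columns the byte-limit query needs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (UserName TEXT, "
               "AcctInputOctets INTEGER, AcctOutputOctets INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return db


def octets_used(db, username):
    """Same aggregate as the %{sql:...} expansion in the unlang policy, with
    the user name bound as a parameter rather than pasted into the query."""
    (total,) = db.execute(
        "SELECT SUM(AcctOutputOctets + AcctInputOctets) FROM radacct "
        "WHERE UserName = ?", (username,)).fetchone()
    return total or 0   # SUM over no rows is NULL


def traffic_limit_reached(db, username, allowed_octets):
    """The unlang check: reject when used > control:Tmp-Integer-0.  The
    allowance itself must fit the 2^31 ceiling the policy's author notes."""
    if not 0 <= allowed_octets <= INT32_MAX:
        raise ValueError("allowance does not fit Tmp-Integer-0")
    return octets_used(db, username) > allowed_octets


if __name__ == "__main__":
    # Time counter: 20 h limit, 19 h used, 15 min to reset -> 20 h 15 min.
    print(counter_reply(20 * HOUR, 19 * HOUR, 15 * 60))
    # Data counter without the patch: 2,000,000 octets left, 3000 s to reset.
    print(counter_reply(26_000_000, 24_000_000, 3000))
    print(counter_reply(26_000_000, 24_000_000, 3000, data_counter=True))
    print(clamp_reply(5 * 2**30))
    db = build_radacct(SAMPLE_ROWS)
    print(octets_used(db, "bob"), traffic_limit_reached(db, "bob", 1_500_000_000))
```

The two numeric cases in `__main__` are the ones from the quoted explanation: the time counter legitimately returns 72900 seconds, while the unpatched data counter returns 26,003,000 octets instead of the 2,000,000 actually left.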


Re: control panel

2008-11-12 Thread Paul Bartell
I could recommend dalo radius. Its interface looks pretty nice from
here. I haven't been able to evaluate it yet though.

On Wed, Nov 12, 2008 at 3:32 AM, Allan Patrick Ksiaskiewcz
[EMAIL PROTECTED] wrote:
> Hello, how are you? I would like some indication of a control panel. I use
> dialup_admin, but it is bad, and I tested phpradmin. Apart from the two, could
> anyone suggest some more?
> Thanks
>
>
>
> Allan Patrick Ksiaskiewcz
> Brazil Guarapuava/PR




-- 
Random quote of the week/month/whenever i get to updating it:
Opportunity knocked. My doorman threw him out. - Adrienne Gusoff

At school you don't get parole, good behavior only brings a longer
sentence. - The History Boys

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: control panel

2008-11-12 Thread Wayne Lee
Dalo radius is very good

There is only 1 bug I have found and that is a problem when editing a
user and adding an extra Cisco-AVPair, it will overwrite the first
Cisco-AVPair.

You can add multiple Cisco-AVPairs when you first add the user with no
problems, it's just when editing

Other than that it is very good, running it here with over 3000 users

Regards


Wayne


On Wed, Nov 12, 2008 at 3:44 PM, Paul Bartell [EMAIL PROTECTED] wrote:
> I could recommend dalo radius. Its interface looks pretty nice from
> here. I haven't been able to evaluate it yet though.
>
> On Wed, Nov 12, 2008 at 3:32 AM, Allan Patrick Ksiaskiewcz
> [EMAIL PROTECTED] wrote:
>> Hello, how are you? I would like some indication of a control panel. I use
>> dialup_admin, but it is bad, and I tested phpradmin. Apart from the two, could
>> anyone suggest some more?
>> Thanks
>>
>>
>>
>> Allan Patrick Ksiaskiewcz
>> Brazil Guarapuava/PR


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Weird logic issue...

2008-11-12 Thread Arran Cudbard-Bell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

Got a weird condition evaluation issue

elsif(\
    (%{Supplicant-Flags} =~ /^10$/) || \
    ((%{Supplicant-Flags} == 'notfound') && (%{Realm} == 'local') && \
    (%{Huntgroup-Name} != 'auth-proxy') && \
    ((%{Service-Type} == 'Framed-User') || (%{Service-Type} == 'Call-Check'))) \
){

Gets processed as:

++? if (%{Supplicant-Flags} == 'notfound')
    expand: %{Supplicant-Flags} ->
? Evaluating (%{Supplicant-Flags} == 'notfound') -> FALSE
++? if (%{Supplicant-Flags} == 'notfound') -> FALSE
++? if (%{Supplicant-Flags} =~ /^.1$/)
    expand: %{Supplicant-Flags} ->
? Evaluating (%{Supplicant-Flags} =~ /^.1$/) -> FALSE
++? if (%{Supplicant-Flags} =~ /^.1$/) -> FALSE
++? elsif ((%{Supplicant-Flags} =~ /^10$/) ||
((%{Supplicant-Flags} == 'notfound') && (%{Realm} == 'local') &&
(%{Huntgroup-Name} != 'auth-proxy') && ((%{Service-Type} ==
'Framed-User') || (%{Service-Type} == 'Call-Check')) ))
    expand: %{Supplicant-Flags} ->
?? Evaluating (%{Supplicant-Flags} =~ /^10$/) -> FALSE
    expand: %{Supplicant-Flags} ->
??? Evaluating (%{Supplicant-Flags} == 'notfound') -> FALSE
??? Skipping (%{Realm} == 'local')
??? Skipping (%{Huntgroup-Name} != 'auth-proxy')
 Skipping (%{Service-Type} == 'Framed-User')
 Skipping (%{Service-Type} == 'Call-Check')
++? elsif ((%{Supplicant-Flags} =~ /^10$/) ||
((%{Supplicant-Flags} == 'notfound') && (%{Realm} == 'local') &&
(%{Huntgroup-Name} != 'auth-proxy') && ((%{Service-Type} ==
'Framed-User') || (%{Service-Type} == 'Call-Check')) )) -> TRUE

So the first condition:
(%{Supplicant-Flags} =~ /^10$/)

returns false

Instead of processing the rest of the conditions FR skips the rest of
the conditions and returns true for the entire condition...

Interestingly if you take out the nested:

((%{Service-Type} == 'Framed-User') || (%{Service-Type} ==
'Call-Check'))

condition and replace it with:

(%{Service-Type} == 'Framed-User')

all is well.

So it only happens with multiple levels of nesting. This has been a bug
since at least version 2.0.4.

Thanks,
Arran
- --
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkka/MsACgkQcaklux5oVKI5DQCfVWJqHf8uOWsVqEKHWPZpFHvc
FlcAn14qXPIwsHOOme+q7jT7cNqy9TkK
=JXk/
-END PGP SIGNATURE-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
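An added example, not part of Arran's post and not FreeRADIUS code: a small Python evaluator for the same nested condition with the short-circuit semantics the post expects (an `||` is decided by its first true operand, an `&&` by its first false one), producing a trace in the style of the debug output above. For an empty Supplicant-Flags it yields the FALSE the post argues for, so it serves as an oracle to compare a server's evaluation against. The tuple representation, the trace format and the attribute values are constructed for the demo.

```python
"""Reference evaluator for nested unlang-style conditions (added example)."""
import re


def evaluate(node, attrs, trace=None, depth=1):
    """Evaluate a condition tree against attrs (dict of attribute -> string).

    node is either ("cmp", attr, op, rhs) with op in ==, !=, =~, or
    (kind, [children]) with kind "and" / "or".  Returns (result, trace);
    trace holds one line per leaf, marked Evaluating or Skipping like the
    server's debug output (the marker style is an assumption of this demo).
    """
    if trace is None:
        trace = []
    if node[0] == "cmp":
        _, attr, op, rhs = node
        lhs = attrs.get(attr, "")          # a missing attribute expands to ""
        if op == "==":
            result = lhs == rhs
        elif op == "!=":
            result = lhs != rhs
        elif op == "=~":
            result = re.search(rhs, lhs) is not None
        else:
            raise ValueError("unsupported operator %r" % op)
        trace.append("%s Evaluating (%s %s %r) -> %s"
                     % ("?" * depth, attr, op, rhs, str(result).upper()))
        return result, trace

    kind, children = node
    # "or" is settled by the first True operand, "and" by the first False one
    stop_on = kind == "or"
    decided = None
    for child in children:
        if decided is None:
            value, _ = evaluate(child, attrs, trace, depth + 1)
            if value == stop_on:
                decided = value
        else:
            _skip(child, trace, depth + 1)
    # Nothing settled it: an "or" with no True is False, an "and" with no False is True
    return (decided if decided is not None else (not stop_on)), trace


def _skip(node, trace, depth):
    """Record the leaves a short-circuit left unevaluated."""
    if node[0] == "cmp":
        _, attr, op, rhs = node
        trace.append("%s Skipping (%s %s %r)" % ("?" * depth, attr, op, rhs))
    else:
        for child in node[1]:
            _skip(child, trace, depth + 1)


# The elsif condition from the post, as a tree.
POSTED_CONDITION = ("or", [
    ("cmp", "Supplicant-Flags", "=~", r"^10$"),
    ("and", [
        ("cmp", "Supplicant-Flags", "==", "notfound"),
        ("cmp", "Realm", "==", "local"),
        ("cmp", "Huntgroup-Name", "!=", "auth-proxy"),
        ("or", [
            ("cmp", "Service-Type", "==", "Framed-User"),
            ("cmp", "Service-Type", "==", "Call-Check"),
        ]),
    ]),
])


def skipped_count(trace):
    """Number of leaves a short-circuit skipped, for comparing traces."""
    return sum(1 for line in trace if " Skipping " in line)


if __name__ == "__main__":
    # The request in the post: Supplicant-Flags expands to an empty string.
    result, trace = evaluate(POSTED_CONDITION, {})
    print("\n".join(trace))
    print("whole condition ->", str(result).upper())
```

With no attributes set the trace shows the same two evaluations and four skips as the debug output, but the whole condition comes out FALSE; setting Supplicant-Flags to `10`, or to `notfound` together with a local realm, a non-proxy huntgroup and one of the two service types, is what makes it TRUE.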


client windows xp machine-only authentication

2008-11-12 Thread alois blasbichler

Hello

I successfully implemented wireless access for windows xp clients
with authentication of the machine (in a samba domain) and the users
(in a samba domain) against my openldap DB with freeradius.


This works fine.
My question: has somebody configured windows xp (SP3) to do only a
machine authentication?

I was not able to restrict this.
My windows xp clients first do a machine authentication and then
always a user authentication.


It is more a windows question for a microsoft mailing list - I know - but
I think a lot of freeradius users use windows clients like me and
certainly somebody has a solution for me.


bye
luis




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Multiple database and virtual server

2008-11-12 Thread Michael Plourde
Hi,

I want to use multiple databases to sort different kinds of radius
authentication (dialup, wireless, router login, etc). I don't know if I'm
using it the right way, but I have tried to run freeradius with two virtual
servers using two different sql instances. Those sql instances are configured
the same way except for the database: one uses radius_db = radius_dialup
and the other one radius_db = radius_login. If I load only one of those
virtual servers at radiusd startup (I remove sites-enabled links for one of
those servers), everything works fine. If I try them together, I get this
error:

Adding client 172.16.0.2 (gw-calma.digicom.ca, server=MT-Login-User) to
clients list
Failed to add duplicate client gw-calma.digicom.ca
rlm_sql (sql_MT): Failed to add client 172.16.0.2 (gw-calma.digicom.ca) to
clients list.  Maybe there's a duplicate?
Failed to load clients from SQL.

The previous Virtual server client list contain:
rlm_sql (sql_dialup): Read entry
nasname=172.16.0.113,shortname=test,secret=secret
rlm_sql (sql_dialup): Adding client 172.16.0.113 (test, server=dialup) to
clients list
rlm_sql (sql_dialup): Read entry
nasname=172.16.0.2,shortname=calma,secret=xx
rlm_sql (sql_dialup): Adding client 172.16.0.2 (calma, server=dialup) to
clients list
rlm_sql (sql_dialup): Read entry
nasname=10.0.0.2,shortname=PowerAP-test,secret=x
rlm_sql (sql_dialup): Adding client 10.0.0.2 (PowerAP-test, server=dialup)
to clients list
rlm_sql (sql_dialup): Read entry
nasname=10.10.0.5,shortname=395scott,secret=xx
rlm_sql (sql_dialup): Adding client 10.10.0.5 (395scott, server=dialup) to
clients list
rlm_sql (sql_dialup): Read entry
nasname=172.16.0.237,shortname=calma2,secret=xx
rlm_sql (sql_dialup): Adding client 172.16.0.237 (calma2, server=dialup) to
clients list

Doesn't each virtual server have its own clients list? Why duplicate entry?
How can I force freeradius to use one client list per virtual server taken
from SQL table?

Regards,

Michael Plourde



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple database and virtual server

2008-11-12 Thread Alan DeKok
Michael Plourde wrote:
> I want to use multiple databases to sort different kinds of radius
> authentication (dialup, wireless, router login, etc). I don't know if I'm
> using it the right way, but I have tried to run freeradius with two virtual
> servers using two different sql instances. Those sql instances are configured
> the same way except for the database: one uses radius_db = radius_dialup
> and the other one radius_db = radius_login.

  You don't have to do that.  You can use one SQL instance, and change
the radius_db on the fly.  But for now, it's likely good enough.

> If I load only one of those
> virtual servers at radiusd startup (I remove sites-enabled links for one of
> those servers), everything works fine. If I try them together, I get this
> error:
>
> Adding client 172.16.0.2 (gw-calma.digicom.ca, server=MT-Login-User) to
> clients list
> Failed to add duplicate client gw-calma.digicom.ca
> rlm_sql (sql_MT): Failed to add client 172.16.0.2 (gw-calma.digicom.ca) to
> clients list.  Maybe there's a duplicate?
> Failed to load clients from SQL.
...
> Doesn't each virtual server have its own clients list? Why duplicate entry?
> How can I force freeradius to use one client list per virtual server taken
> from SQL table?

  See the sample SQL queries and schema.  2.1.1 allows you to define a
server column.  That entry is used to associate one client with a
particular server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: sqlcounter returning wrong value?

2008-11-12 Thread liran tal
Hey,

Thanks for the tip, though that's an FR2-specific solution and I'd like to be
able to get this sorted out with older deployments
running 1.1.7 or earlier (god forbid! :-) )

That patch for rlm_sqlcounter would be ideal I think.
I think this should also be already pushed into the formal release, this
entire support for data information too.

Regards,
Liran.

On Wed, Nov 12, 2008 at 11:02 AM, Flamur Rogova [EMAIL PROTECTED] wrote:

> liran tal wrote:
>
>> Waiting for that traffic limitation patch, Venkatesh.
>> Thanks.
>
>
> Hi,
> I was stuck with this problem too, and I came up with this solution, which
> works in my test environment.
>
> The idea is to store allowed bytes in Tmp-Integer-0, then just use unlang
> to compare the user's allowed and actual traffic bytes.
>
> btw, maximum traffic count is 2^31 bytes, if you do it this way.
>
>
> if (control:Tmp-Integer-0) {
>     if (%{sql:SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='%{User-Name}'} > %{control:Tmp-Integer-0}) {
>         # traffic bytes limit reached
>         reject
>     }
> }
>
> Regards,
> Flamur

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius working as a ProxyRadius using PAP protocol

2008-11-12 Thread Alan DeKok
NGUYEN DANG LUAN, Eric wrote:
> My radius server (which is not freeradius) rejects my authentication when I'm
> using a ProxyRadius (freeradius). But it's ok when I use NTRadping or a cisco
> ACS. I'm currently using SecureW2 software for the end user machine.
>
> Does anyone know where is the problem?

  The end RADIUS server.  Go fix it.  Read its debugging output (if it
has any).

  Don't ask *us* how to fix it.  It's not a FreeRADIUS problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRadius working as a ProxyRadius using PAP protocol

2008-11-12 Thread tnt
> My radius server (which is not freeradius) rejects my authentication ...

So why are you asking the questions here? Freeradius proxy has nothing
to do with this.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Referencing a redundant-load-balance set within users file

2008-11-12 Thread Tod A. Sandman
Version: freeradius-2.1.1

I cannot get a redundant-load-balance set to work within a variable
expansion in the users file.

I added this to the bottom of the instantiate section of radiusd.conf:

redundant-load-balance redundant_ldap {
ldap1
ldap2
ldap3
}


and this to the authorize section of sites-enabled/default:

redundant_ldap

and I defined the 3 ldap instances in modules/ldap, and this part
works fine.

But I cannot figure out how to reference redundant_ldap from within
the users file.

I tried

  Connect-Info = %{redundant_ldap:ldap:///dc=rice,dc=edu?riceClass?sub?uid=%u};

but the debug output shows:

  WARNING: Unknown module redundant_ldap in string expansion
%{redundant_ldap:ldap:///dc=rice,dc=edu?riceClass?sub?uid=%u};

I attached the start of the debug output.  The whole output was over
the 100k limit.



Tod Sandman
Sr. Systems Administrator
Middleware Development & Integration
Rice University
Voice: 713.348.5816

Re: LDAP MSCHAP errors

2008-11-12 Thread Simon Palmer
pap against LDAP works fine
chap against LDAP works fine (With ntradping)

They used different password.

Do you mean chap and MSCHAPv2 require passwords in different formats or
something?
I can auth CHAP, but with the same username and password can't auth
CHAPv2
(with no config change on freeradius)
My two debugs show that
Debug: rlm_ldap: sambaNtPassword -> NT-Password == 0x414539434130363637412341393742303139423034323445363933373332
So the NT-Password is being retrieved from LDAP in both cases.


BUT - MSCHAPv2 gives FAILED: MS-CHAP2-Response is incorrect
Am I missing something required for MSCHAP to work? The NT-Password
seems to be retrieved...


A correct password.

Do you think the hash being retrieved from LDAP is wrong then?
If I do put in an incorrect password I do get the same error message.

Does anyone have Freeradius working with MSCHAP against eDir?


Working CHAP debug from ntradping:

Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for check items in directory...
Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == [UX ]
Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaNtPassword -> NT-Password == 0x414539434130363637413341393742303139423034323645363933373332
Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaLmPassword -> LM-Password == 0x363542393930304434314234453336383139463130413944343836384443
Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for reply items in directory...
Tue Nov 11 10:10:26 2008 : Info: [ldap] user testuser authorized to use remote access
Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Nov 11 10:10:26 2008 : Info: ++[ldap] returns ok
Tue Nov 11 10:10:26 2008 : Info: ++[expiration] returns noop
Tue Nov 11 10:10:26 2008 : Info: ++[logintime] returns noop
Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing NT-Password from hex encoding
Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing LM-Password from hex encoding
Tue Nov 11 10:10:26 2008 : Info: [pap] Found existing Auth-Type, not changing it.
Tue Nov 11 10:10:26 2008 : Info: ++[pap] returns noop
Tue Nov 11 10:10:26 2008 : Info: Found Auth-Type = CHAP
Tue Nov 11 10:10:26 2008 : Info: +- entering group CHAP {...}
Tue Nov 11 10:10:26 2008 : Info: [chap] login attempt by testuser with CHAP password

*
Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password
ommitted for user testuser authentication.
*

Where did that come from?

I don't know - inside the chap module? It's retrieved from LDAP.  I'm
using the default modules/chap - it just says:
chap {
# no configuration
}


Tue Nov 11 10:10:26 2008 : Info: [chap] chap user testuser
authenticated succesfully

Default configuration in modules/mschap and modules/chap
In sites-enabled/default
authorize {
ldap
}

That is obviously untrue from your debug.
Just checked again, modules/mschap has nothing unhashed.
modules/chap has as above with # no configuration

Try doing pap with that NT-Password from ldap (remove clear text
password
entry wherever it is).
Yeah - PAP works perfectly, chap works perfectly, MSCHAP doesn't.
Thanks

Ivan Kalik
Kalik Informatika ISP

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to 
whom they are addressed. Any views or opinions expressed are solely
those of the author and do not necessarily represent those of Coleg Sir
Gâr. If you have received this email in error please notify the
administrator on the following address:
[EMAIL PROTECTED] 

Please consider the environment - do you really need to print this
email?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Failing to authenticate users

2008-11-12 Thread butteryak

Hm... my eyes are bugging out.  This is a new freeradius
install/mysql/daloradius/ubuntu.   I fail to find anything specific as to why my
users are failing to authenticate, via a simple radcheck.  Anyone have
another eye to take a peek and see something I'm missing? The first part
of this is all config loading; the access request is located towards the
bottom... I'm pretty sure everything is talking to everything it needs
to, but I'm obviously missing something, most likely obvious. If anyone sees
anything, please let me know.


thanks guys

cg


Re: hostapd + freeradius + windows users problem

2008-11-12 Thread tnt
I've set up hostapd 0.5.10-1 (with bridge) + freeradius 2.1.1 (with mysql) and it 
works pretty well except for one thing:
When Windows (vista sp1) users turn their machines off, radacct gets messed up (this 
doesn't happen when the user requests a disconnect manually).

User goa connects and when he turns the machine off, a new user 
host/filteria (his machine name) appears.
Maybe the problem is inside hostapd (which I can't find), but I don't 
understand why host/filteria is updated with goa's info.


Start packet with one user name, stop with another for the same session -
NAS (hostapd) is broken.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Failing to authenticate users

2008-11-12 Thread Phil Mayers

You've got:


  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 153
  modcall[authorize]: module files returns ok for request 0


...and


  modcall[authorize]: module sql returns ok for request 0


And finally


  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.


Something is setting Auth-Type to System. It's either the users file 
on line 153, or your SQL. Fix it.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


snmp problem

2008-11-12 Thread Oguzhan Kayhan
Hi,
I am trying snmp on debian 32 bit. With freeradius 2.0.5. and net-snmp 5.4.1

I did all just like on http://wiki.freeradius.org/SNMP_HOWTO.

Changed radiusd.conf as
snmp= yes
$INCLUDE snmp.con

and remove comment on line smux_password = verysecret
and added the line on snmpd.conf of snmpdaemon
smuxpeer .1.3.6.1.4.1.11344.1.1.1 verysecret
Enabled smux on snmpd too by removing -smux parameter.
But i got the following error on freeradius debug..


SMUX connect try 1
SMUX SMUX open oid: 1.3.6.1.4.1.11344.1.1.1
SMUX open progname: radiusd
SMUX open password: verysecret
SMUX SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
SMUX register priority: -1
SMUX register operation: 1
SMUX SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
SMUX register priority: -1
SMUX register operation: 1
SMUX register message send failed: Broken pipe

And also snmpd gives the following error:
refused smux peer: oid SNMPv2-SMI::enterprises.11344.1.1.1, descr radiusd
Is it a bug regarding to snmp or freeradius? Or did i miss something?




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRadius working as a ProxyRadius using PAP protocol

2008-11-12 Thread NGUYEN DANG LUAN, Eric
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
 Sent: Wednesday 12 November 2008 15:48
 To: FreeRadius users mailing list
 Subject: Re: FreeRadius working as a ProxyRadius using PAP protocol

 NGUYEN DANG LUAN, Eric wrote:
  In my radius log file:
   ***   Incoming RADIUS packet:   ***
   radrecv: Packet from host 10.226.66.51, port=24670
   send_reject()

   Your main server is rejecting the request.  Fix it.

   And it isn't FreeRADIUS.

  I think the problem is the protocol I use : PAP.

   The problem is that you haven't configured the OTHER RADIUS server
 properly.

  I'm not sure that FreeRadius uses the PAP protocol to communicate with the Radius 
  Server.

   FreeRADIUS doesn't control the authentication protocol.  The end user
 machine controls it.

  And is it normal that I can't see any password when I use a sniffer?

   Yes.

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

My radius server (which is not freeradius) rejects my authentication when I'm 
using a ProxyRadius (freeradius). But it's ok when I use NTRadping or a cisco 
ACS. I'm currently using SecureW2 software for the end user machine.

Does anyone know where the problem is?

NGUYEN Eric

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP MSCHAP errors

2008-11-12 Thread Simon Palmer
Great - thanks,
Absolutely outstanding help thanks! :)
I hashed from ldap.attrmap as below
#checkItem  LM-Password sambaLmPassword
#checkItem  NT-Password sambaNtPassword
And it all worked! :)
Thanks very much! 
Simon

 [EMAIL PROTECTED] 12/11/2008 13:46 
[ldap] Added the eDirectory password password in check items as
Cleartext-Password

OK. Here is the clear text password.

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == [UX ]
rlm_ldap: sambaNtPassword -> NT-Password ==
0x414539434130363637413341393742303139423034323645363933373332
rlm_ldap: sambaLmPassword -> LM-Password ==
0x363542393930304434314234453336383139463130413944343836384443

So, you don't need these. Remove them and mschap will work. That hash
looks decimal not hex to me. I don't think that they are correct.

Ivan Kalik
Kalik informatika ISP

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Freeradius/MySQL - Dynamic IP address, help pls? - FIXED

2008-11-12 Thread Lucio Godoy

Hi Ivan;
 
Got it sorted!
 
I had two files in the sites-enabled directory, one was the default and 
another one called defaul.bak, which I had created and tested with some configs.
 
By starting the radius server with the -X option and piping the output to a file:
 
radiusd -X > file
 
I was able to verify that radiusd was reading both files and giving preference 
to the .bak file, so I deleted the .bak file and it worked the first time.
 
 
Thanks a lot for your help.
 
Lucio
 To: freeradius-users@lists.freeradius.org
 Subject: RE: Freeradius/MySQL - Dynamic IP address, help pls?
 Date: Wed, 12 Nov 2008 12:36:59 +0100
 From: [EMAIL PROTECTED]

 Thank you for the quick response. I thought on Freeradius version 2.x I needed to work only on the SQL tables, and that I needed to specify on the file raddb/sites-enabled/default as:
 authorize { sql }
 authenticate { sql }
 preacct { acct_unique }
 accounting { sqlippool }
 session { sql }
 post-auth { sqlippool }

 In accounting and post-auth you add pool name (main_pool) not sqlippool. There should be entries for main_pool already there (commented out).

 then populate the table radippool with:

 id;pool_name;FramedIPAddress;NASIPAddress;CalledStationId;CallingStationID;expiry_time;username;pool_key
 2;main_pool;192.168.6.40/0/;;
 3;main_pool;192.168.6.50/0/;;
 4;main_pool;192.168.6.60/0/;;
 5;main_pool;192.168.6.70/0/;;

 You just need to add the pool name and the IP address.

 Then the table radgroupcheck with:

 GroupName: dynamic
 Attribute: Pool-Name
 op: :=
 Value: main_pool

 OK.

 Then the table radusergroup

 UserName: macaco
 GroupName: dynamic
 priority: 0
 Nothing on the table radgroupreply or radreply

 Is this right?

 Yes.

 Ivan Kalik
 Kalik Informatika ISP
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_
BigSnapSearch.com - 24 prizes a day, every day - Search Now!
http://clk.atdmt.com/UKM/go/117442309/direct/01/-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: control panel

2008-11-12 Thread DAve

Paul Bartell wrote:

I could recommend daloRADIUS. Its interface looks pretty nice from
here. I haven't been able to evaluate it yet though.

On Wed, Nov 12, 2008 at 3:32 AM, Allan Patrick Ksiaskiewcz
[EMAIL PROTECTED] wrote:

Hello, how are you? I would like some suggestions for a control panel. I use dialup
admin, but it is bad, and I tested phpradmin. Besides those two, could anyone
suggest some more?
Thanks


We are in process of converting to FreeRadius from ICRadius and we 
installed ARA which seems to work fine and does what we need.


DAve


--
The whole internet thing is sucking the life out of me,
there ain't no pony in there.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: VMPS - Initial project ideas

2008-11-12 Thread Hairy51

Excellent, thanks for all your comments guys - I have managed to successfully
download, compile and install the Freeradius 2.1.1 application and have
delved into the vmpsd.conf.inf file

Is there any documentation out there on how to get a basic VMPS system up
and running? I am purely in the testing stages at the moment, but would like
to get the box attached to a switch and begin responding to VMPS requests as
quick as possible...

Any input much appreciated,

Cheers

Jon


Hairy51 wrote:
 
 Hi all,
 
 I am just about to start a project to remove the VMPS system from an aging
 catalyst switch and I would like to investigate the possibility of using
 FreeRadius for this.
 
 We currently have about 1500 hosts that rely on VMPS for dynamic
 assignment and an ideal solution would be to move the VMPS service onto a
 server (or multiple servers) with as few interruptions to users as
 possible.
 
 Also, for simplicity's sake it would be great if we could re-use the
 current static VMPS file that the catalyst switch uses. 
 
 I have looked into FreeNAC as a solution, but want to investigate other
 ways of achieving this. We do not really need to do anything other than
 assign (or block) VLANs, so the extra functionality of FreeNAC is not
 needed at this point.
 
 Considering I am coming from a limited Linux background, how hard would it
 be for me to achieve this using FreeRADIUS? Does it sound feasible? I am
 really looking for a bit of advice from those with experience of the
 FreeRADIUS application and who know of the potential pitfalls and
 complications that we may face!
 
 Many thanks - any comments or ideas much appreciated...
 
 Cheers
 
 Jonathan
 
 
 

-- 
View this message in context: 
http://www.nabble.com/VMPS---Initial-project-ideas-tp20264221p20457684.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius working as a ProxyRadius using PAP protocol

2008-11-12 Thread tnt
I'm trying to use FreeRadius (server-2.1.1) as a Proxy Radius with PAP
protocol.


If you meant to proxy only pap requests, your configuration is not going
to work.

proxy.conf:

 

realm NULL {

authhost= ***.***.***.***:1645

accthost= ***.***.***.***:1646

secret  = pass

}

users:

DEFAULT FreeRADIUS-Proxied-To == ***.***.***.***, Auth-Type := PAP


It was an eap request so that didn't match.

 Proxying request 0 to home server ***.***.***.*** port 1645

 Sending Access-Request of id 210 to ***.***.***.*** port 1645

 Message-Authenticator = 0x

 Service-Type = Framed-User

 User-Name = enguyend

 Framed-MTU = 1488

 Called-Station-Id = 00-1D-7E-5F-F7-39:SogetiNET

 Calling-Station-Id = 00-16-6F-AA-80-DD

 NAS-Port-Type = Wireless-802.11

 Connect-Info = CONNECT 54Mbps 802.11g

 EAP-Message = 0x020d01656e677579656e64

 NAS-IP-Address = 192.168.1.1

 NAS-Port = 1

 NAS-Port-Id = STA port # 1

 Proxy-State = 0x30

 Going to the next request
..
 Rejecting request 0 due to lack of any response from home server
***.***.***.*** port 1645

 There was no response configured: rejecting request 0


Request was proxied but home server didn't respond. You will have to
debug the home server and see whether it received the request.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius/MySQL - Dynamic IP address, help pls?

2008-11-12 Thread tnt
Thank you for the quick response. I thought on Freeradius version 2.x I needed 
to work only on the SQL tables, and that I needed to specify on the file 
raddb/sites-enabled/default as:
authorize {sql}
authenticate {sql}
preacct {acct_unique}
accounting {sqlippool}
session {sql}
post-auth {
sqlippool}


In accounting and post-auth you add pool name (main_pool) not sqlippool.
There should be entries for main_pool already there (commented out).

 
then populate the table radippool with:
 
id;pool_name;FramedIPAddress;NASIPAddress;CalledStationId;CallingStationID;expiry_time;username;pool_key
2;main_pool;192.168.6.40/0/;;
3;main_pool;192.168.6.50/0/;;
4;main_pool;192.168.6.60/0/;;
5;main_pool;192.168.6.70/0/;;

You just need to add the pool name and the IP address.

Then the table radgroupcheck with:
 
GroupName: dynamic 
Attribute: Pool-Name 
op:   :=
Value: main_pool
 

OK.

 
Then the table radusergroup
 
UserName: macaco
GroupName: dynamic
priority: 0
Nothing on the table radgroupreply or radreply
 
Is this right?


Yes.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Failing to authenticate users

2008-11-12 Thread tnt
Hm... my eyes are bugging out.  This is a new freeradius
install/mysql/daloradius/ubuntu.

New? This is an ancient version.

I fail to find anything specific as to why my
users are failing to authenticate, via a simple radcheck.  Anyone have
another eye to take a peek and see something I'm missing? The first part
of this is all config loading; the access request is located towards the
bottom... I'm pretty sure everything is talking to everything it needs
to, but I'm obviously missing something, most likely obvious. If anyone sees
anything, please let me know.


1.1.x default users file has a DEFAULT entry setting Auth-Type System.
Comment it out.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: snmp problem

2008-11-12 Thread Oguzhan Kayhan
 Oguzhan Kayhan wrote:
 Hi,
 I am trying snmp on debian 32 bit. With freeradius 2.0.5. and net-snmp
 5.4.1

   Why are you running 2.0.5?


It was the default package for debian. Ok we will recompile the new
version and give a try.

Thank you.


 I did all just like on http://wiki.freeradius.org/SNMP_HOWTO.

 Changed radiusd.conf as
 snmp= yes
 $INCLUDE snmp.con

   SNMP doesn't work in 2.0.5.  The functionality has been replaced, and
 expanded, in 2.1.1.

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: LDAP MSCHAP errors

2008-11-12 Thread tnt
[ldap] Added the eDirectory password password in check items as
Cleartext-Password

OK. Here is the clear text password.

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == [UX ]
rlm_ldap: sambaNtPassword -> NT-Password ==
0x414539434130363637413341393742303139423034323645363933373332
rlm_ldap: sambaLmPassword -> LM-Password ==
0x363542393930304434314234453336383139463130413944343836384443

So, you don't need these. Remove them and mschap will work. That hash
looks decimal not hex to me. I don't think that they are correct.

Ivan Kalik
Kalik informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRadius working as a ProxyRadius using PAP protocol

2008-11-12 Thread NGUYEN DANG LUAN, Eric
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL 
 PROTECTED]
 Sent: Wednesday 12 November 2008 12:15
 To: FreeRadius users mailing list
 Subject: Re: FreeRadius working as a ProxyRadius using PAP protocol

 I'm trying to use FreeRadius (server-2.1.1) as a Proxy Radius with PAP
 protocol.
 

 If you meant to proxy only pap requests, your configuration is not going
 to work.

 proxy.conf:
 
  
 
 realm NULL {
 
 authhost= ***.***.***.***:1645
 
 accthost= ***.***.***.***:1646
 
 secret  = pass
 
 }
 
 users:
 
 DEFAULT FreeRADIUS-Proxied-To == ***.***.***.***, Auth-Type := PAP
 

 It was an eap request so that didn't match.

  Proxying request 0 to home server ***.***.***.*** port 1645
 
  Sending Access-Request of id 210 to ***.***.***.*** port 1645
 
  Message-Authenticator = 0x
 
  Service-Type = Framed-User
 
  User-Name = enguyend
 
  Framed-MTU = 1488
 
  Called-Station-Id = 00-1D-7E-5F-F7-39:SogetiNET
 
  Calling-Station-Id = 00-16-6F-AA-80-DD
 
  NAS-Port-Type = Wireless-802.11
 
  Connect-Info = CONNECT 54Mbps 802.11g
 
  EAP-Message = 0x020d01656e677579656e64
 
  NAS-IP-Address = 192.168.1.1
 
  NAS-Port = 1
 
  NAS-Port-Id = STA port # 1
 
  Proxy-State = 0x30
 
  Going to the next request
..
  Rejecting request 0 due to lack of any response from home server
 ***.***.***.*** port 1645
 
  There was no response configured: rejecting request 0
 

 Request was proxied but home server didn't respond. You will have to
 debug the home server and see whether it received the request.

 Ivan Kalik
 Kalik Informatika ISP

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


My requests are proxied: I got the following response:
 rad_recv: Access-Reject packet from host 205.223.235.196 port 1645, id=186, 
length=23
 Proxy-State = 0x30

In my radius log file:
 ***   Incoming RADIUS packet:   ***
 radrecv: Packet from host 10.226.66.51, port=24670
 send_reject()
 ***   Incoming RADIUS packet:   ***
 radrecv: Packet from host 10.226.65.52, port=25433
 send_reject()

I think the problem is the protocol I use: PAP.
I'm not sure that FreeRadius uses the PAP protocol to communicate with the Radius server.
And is it normal that I can't see any password when I use a sniffer?

Regards

NGUYEN Eric

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
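On the sniffer question in the post above, an added example (my own code, not from the thread or from FreeRADIUS). RFC 2865 section 5.2 hides User-Password by XORing it, 16 bytes at a time, with MD5(shared secret + Request Authenticator), feeding each ciphertext block into the next key, so a capture never shows the cleartext. It is obfuscation, not encryption: anyone holding the shared secret recovers the password from the capture, which is why PAP proxied across an untrusted network needs IPsec or TLS (RadSec) underneath. The second part walks the attribute list of an Access-Request to tell a PAP request (carries User-Password, type 2) from an EAP one (carries EAP-Message, type 79, RFC 2869); the packets it parses are constructed here, reusing the User-Name and EAP-Message value from the debug output above. Helper names are mine.

```python
import hashlib
import os
import struct

USER_NAME = 1          # RFC 2865
USER_PASSWORD = 2      # RFC 2865
EAP_MESSAGE = 79       # RFC 2869


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block            # c(n) keys the next block: b(n+1) = MD5(S + c(n))
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; only someone with the shared secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute_types(packet: bytes) -> list:
    """Return the attribute type numbers in a RADIUS packet, validating the TLV framing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    types, pos = [], 20
    while pos < length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        types.append(a_type)
        pos += a_len
    return types


def auth_method(packet: bytes) -> str:
    """'pap' if the request carries User-Password, 'eap' if EAP-Message, else 'other'."""
    types = attribute_types(packet)
    if USER_PASSWORD in types:
        return "pap"
    if EAP_MESSAGE in types:
        return "eap"
    return "other"


def build_access_request(ident: int, authenticator: bytes, avps: list) -> bytes:
    """Assemble an Access-Request (code 1) from (type, value) pairs; constructed for this demo."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body


if __name__ == "__main__":
    secret, auth = b"pass", os.urandom(16)
    hidden = hide_user_password(b"s3cret", secret, auth)
    pap = build_access_request(210, auth, [(USER_NAME, b"enguyend"), (USER_PASSWORD, hidden)])
    # EAP-Message value taken from the proxied request in the debug output above.
    eap = build_access_request(210, auth, [(USER_NAME, b"enguyend"),
                                           (EAP_MESSAGE, bytes.fromhex("020d01656e677579656e64"))])
    print(auth_method(pap), auth_method(eap), hidden.hex(), reveal_user_password(hidden, secret, auth))
```

The hidden value differs on every request because the Request Authenticator changes, so a sniffer sees 16 bytes of apparently random data rather than the password; the proxied request in the debug output above carries an EAP-Message and no User-Password at all, so there was no password on the wire to see in the first place.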


Re: rlm_ldap and auto_header

2008-11-12 Thread Tim Palmer

Alan DeKok wrote:

Tim Palmer wrote:
  

Full disclosure - I did try an install from ports, then removed the port
and rerun ldconfig. I did not recompile/install freeradius after the
port excercise.
===
Why yes, I did map Cleartext-Password, since the debug error ( and
various list postings) seemed clear on that:

ldap.attrmap:
checkItem   Cleartext-Password  userPassword



  Don't do this.  Delete this line.  It's the SOURCE of all the problems.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

  


To no one's surprise, you all are correct that auto_header shouldn't be 
needed in the ldap module. The Cleartext-Password mapping didn't help, 
but my base, original problem was carrying over a password_header = 
{crypt} entry in the ldap module from our old (1.0.1) configuration.


Thanks for making it clear I shouldn't accept something just because it 
works, if it isn't how it should work.


--
Tim Palmer
BestWeb Support

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: snmp problem

2008-11-12 Thread Alan DeKok
Oguzhan Kayhan wrote:
 Hi,
 I am trying snmp on debian 32 bit. With freeradius 2.0.5. and net-snmp 5.4.1

  Why are you running 2.0.5?

 I did all just like on http://wiki.freeradius.org/SNMP_HOWTO.
 
 Changed radiusd.conf as
 snmp= yes
 $INCLUDE snmp.con

  SNMP doesn't work in 2.0.5.  The functionality has been replaced, and
expanded, in 2.1.1.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


control panel

2008-11-12 Thread Allan Patrick Ksiaskiewcz
Hello, how are you? I would like some suggestions for a control panel. I use
dial_up admin, but it is bad; I tested phpradmin. Apart from those two,
could anyone suggest some more?
Thanks

 



Allan Patrick Ksiaskiewcz
Brazil Guarapuava/PR



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP

2008-11-12 Thread tnt
In site-enable/default under authorize I've uncommented ldap.

You don't need ldap there. Uncomment ldap in sites-enabled/inner-tunnel
virtual server.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP

2008-11-12 Thread CJ O

Ivan - 
 
Thank you for your help.
 
That change has allowed MS-Chapv2 to work from my tunnel. 
 
Since I've specified PEAP in the eap.conf, is it possible to use GTC too?
 
Thanks
CJ
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP

2008-11-12 Thread tnt
That change has allowed MS-Chapv2 to work from my tunnel. 
 
Since I've specified PEAP in the eap.conf, is it possible to use GTC too?
 

Yes, you can use any eap method you want. default_eap_type will be tried
first. If refused, server and supplicant will try to agree on
another. It just means one extra eap exchange.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP

2008-11-12 Thread CJ O

Ivan - 
 
Thank you for your help. I removed the password_attribute field from 
modules/ldap and everything seems to be working with PEAP and GTC.
 
Thank you again!
 
CJ
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Referencing a redundant-load-balance set within users file

2008-11-12 Thread tnt
Version: freeradius-2.1.1

I cannot get a redundant-load-balance set to work within a variable
expansion in the users file.


No. It's not a module, it's a group. You can list different modules
inside the group - they don't have to be the same type (all ldap or all
sql; they can be mixed).

I added this to the bottom of the instantiate section of radiusd.conf:

redundant-load-balance redundant_ldap {
ldap1
ldap2
ldap3
}


and this to the authorize section of sites-enabled/default:

redundant_ldap

and I defined the 3 ldap instances in modules/ldap, and this part
works fine.

But I cannot figure out how to reference redundant_ldap from within
the users file.

I tried

  Connect-Info = 
 %{redundant_ldap:ldap:///dc=rice,dc=edu?riceClass?sub?uid=%u};


Why don't you map that in ldap.attrmap?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_counter: Failed to open file /etc/raddb/db.daily: Permission denied

2008-11-12 Thread Ted Lum

Any idea how to fix this?

Wed Nov 12 21:29:16 2008 : Error: rlm_counter: Failed to open file
/etc/raddb/db.daily: Permission denied
Wed Nov 12 21:29:16 2008 : Error: /etc/raddb/radiusd.conf[152]:
Instantiation failed for module daily
Wed Nov 12 21:29:16 2008 : Error: Errors initializing modules

This is an rpmbuild on Centos 5.2
radiusd: FreeRADIUS Version 2.1.1, for host i686-redhat-linux-gnu, built
on Nov 11 2008 at 10:29:34

/etc
drwxrwxr-x  7 root radiusd   4096 Nov 12 21:29 raddb


/etc/raddb
-rw---  1 radiusd radiusd 12312 Nov 12 21:29 db.daily

This works:
# /usr/sbin/radiusd -X

This works:
# strace /usr/sbin/radiusd

This does not work:
# service radiusd start
Starting RADIUS server:[FAILED]

This does not work:
   counter daily {
   filename = ${raddbdir}/db.daily
.
.
.

This does not work:
   counter daily {
   filename = /tmp/db.daily
.
.
.

-Ted-



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP

2008-11-12 Thread Alan DeKok
CJ O wrote:
 Good Afternoon -
  
 I've read through a lot of threads and documents and have
 pieced information together, however I am still having issues. We are
 running an OpenLDAP with the passwords encrypted. I know that PEAP
 requires the clear text password to be stored in the LDAP Server,

  No.  See:

http://deployingradius.com/documents/protocols/compatibility.html

 however, I've read also that as long as FreeRadius can get the NTLM
 Password from LDAP PEAP should work.
  
 We have also created a custom attribute called ntPasswd that holds the NTLM
 Hash of the users password. I have configured FreeRadius to authenticate
 to the LDAP server and set the password_attribute = ntPasswd. In the
 ldap.attrmap I've added two entries: checkItem LM-Password ntPasswd and
 checkItem NT-Password ntPasswd.
  
 In eap.conf i've set default_eap_type = peap In site-enable/default
 under authorize I've uncommented ldap.

 You need to uncomment it in raddb/sites-enabled/inner-tunnel.  See the
debug output.  It's running the inner-tunnel method, but LDAP isn't used
there.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
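The compatibility point behind Alan's reply above, and behind the earlier answer in this thread that PEAP with GTC works where MS-CHAPv2 needs the right stored credential, comes down to what the server can compute from what the directory holds. Added example, my own code, not from the thread or from FreeRADIUS: MS-CHAPv2 (the usual PEAP inner method) needs the NT hash, MD4 over the UTF-16LE password, or the cleartext from which to compute it, so a directory holding only {crypt} or {SSHA} values cannot serve it. A stored NT hash, by contrast, serves MS-CHAPv2 and also any method that delivers a cleartext password inside the tunnel (PAP, EAP-GTC), because the server just recomputes the hash and compares. MD4 is written out here from RFC 1320 so the block runs even where OpenSSL no longer provides MD4; `ntPasswd` is the poster's attribute name, the helper names and the accepted text form (32 hex characters, optional 0x prefix) are my assumptions.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(message: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python: fine for a check, not for bulk hashing)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(message) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # Step i operates on the registers rotated i places: (a,b,c,d), (d,a,b,c), ...
                a, b, c, d = (s[(j - i) % 4] for j in range(4))
                s[(-i) % 4] = _rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
        state = [(u + v) & MASK for u, v in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the password encoded as UTF-16LE, as 32 upper-case hex characters."""
    return md4(password.encode("utf-16-le")).hex().upper()


def normalize_nt_attribute(value: str) -> str:
    """Accept the stored text form of the hash (assumption: 32 hex chars, optional 0x prefix)."""
    v = value.strip()
    if v[:2].lower() == "0x":
        v = v[2:]
    if len(v) != 32 or any(ch not in "0123456789abcdefABCDEF" for ch in v):
        raise ValueError("ntPasswd must be 32 hex characters, got %r" % value)
    return v.upper()


def check_cleartext_against_nt(stored: str, candidate: str) -> bool:
    """What PAP or EAP-GTC lets the server do with a stored NT hash: recompute and compare."""
    return nt_hash(candidate) == normalize_nt_attribute(stored)


if __name__ == "__main__":
    print(nt_hash("password"))
    print(check_cleartext_against_nt("0x8846f7eaee8fb117ad06bdd830b7586c", "password"))
```

Populating the ntPasswd attribute means running `nt_hash` over the cleartext once, at password-set time, and storing the result; it cannot be derived afterwards from a {crypt} or {SSHA} value, which is exactly the constraint the compatibility page linked above describes. An NT hash is unsalted, so the attribute deserves the same read restrictions in the directory as the cleartext would.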