Re: last hurdle...windows clients
Craig White wrote:
> I realize that freeradius has little control over the supplicant but I'm
> wondering if it's something in my setup of tls that the authentication
> should/shouldn't be part of the tunnel because it just assumes a login
> of anonymous instead of the Windows User/Password or never asks me for a
> User/Password...

  Because you've likely configured an anonymous outer identity, and it's not proceeding to the inner session. So it's not asking for the username or password.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Hi all:

I have installed freeradius-server-2.1.1 and I want to use LDAP to do authentication. But when I use "radius -X" to start the radius server, it shows this message:

[ldap] performing user authorization for ldapuser
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
	expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=ldapuser)
	expand: dc=mydomain,dc=com -> dc=mydomain,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=mydomain,dc=com/hsuan to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=com, with filter (uid=ldapuser)
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
	expand: %{User-Name} -> ldapuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 245 to 127.0.0.1 port 33059

What's the problem? How can I fix the error? Please help me!

Regards,
Vicky
Re: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> rlm_ldap: performing search in dc=mydomain,dc=com, with filter
> (uid=ldapuser)
>
> rlm_ldap: object not found or got ambiguous search result
>
> [ldap] search failed

Either you don't have ldapuser or the user is not unique (there are several users with that username). Do ldapsearch and see what it returns.

Ivan Kalik
Kalik Informatika ISP
Re: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
hsuan wrote:
> But when I use "radius -X" to start the radius

  You've conveniently deleted most of the debugging output.

> The server showed the message:
...
> rlm_ldap: object not found or got ambiguous search result

  Fix that. The LDAP module is not able to find the user's password.

> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.

  Because the LDAP search failed.

  Alan DeKok.
Re: Linksys WAP54G
>> Nothing will go through the switch if mac filtering is enabled. You need
>> to see if packets are leaving the AP.
>
> How can I check that? Does the WAP54G have the option to check that? As
> far as I can see, I can only check if any data gets to the
> FreeRadius-server.

Connect it directly to the AP (no switch or anything).

Ivan Kalik
Kalik Informatika ISP
Re: Linksys WAP54G
> According to this thread, the problem occurs as soon as one of the
> requests of the WAP54G is unsuccessful (a packet is lost):
> http://www.linksysinfo.org/forums/archive/index.php?t-36702.html

So what is the situation? Does the AP start working when you switch it off and on again? Or not? Can you come up with a clear statement of facts and not point to conclusions of somebody else (who might not have the same problem as you do)?

Ivan Kalik
Kalik Informatika ISP
attr_filter issue
Hi Folk,

I have activated attr_filter for a realm (dr4.cnrs.fr) and want users from that realm to have 2 possible values of VLANs (VISITEUR or SIRC). Here is my attr_file:

dr4.cnrs.fr
	Service-Type == Login-User,
	Framed-IP-Address == 255.255.255.254,
	Framed-MTU >= 576,
	Proxy-State =* ANY,
	Reply-Message =* ANY,
	EAP-Message =* ANY,
	Message-Authenticator =* ANY,
	State =* ANY,
	Session-Timeout <= 28800,
	Idle-Timeout <= 600,
	Port-Limit <= 2,
	Proxy-State =* ANY,
	MS-MPPE-Recv-Key =* ANY,
	MS-MPPE-Send-Key =* ANY,
	User-Name =* ANY,
	Called-Station-Id =* ANY,
	Calling-Station-Id =* ANY,
	NAS-Port-Type =* ANY,
	NAS-Port =* ANY,
	NAS-IP-Address =* ANY,
	NAS-Identifier =* ANY,
	Framed-Filter-ID =* ANY,
	Tunnel-Type == VLAN,
	# Tunnel-Type =* ANY,
	Tunnel-Medium-Type == IEEE-802,
	#Tunnel-Medium-Type =* ANY,
	Trapeze-VLAN-Name == VISITEUR,
	Trapeze-VLAN-Name == SIRC,
	#Trapeze-VLAN-Name =* ANY,
	Tunnel-Private-Group-Id == VISITEUR,
	Tunnel-Private-Group-Id == SIRC
	#Tunnel-Private-Group-Id =* ANY

When I test the connection with my account (my attribute Tunnel-Private-Group-Id = Trapeze-VLAN-Name = VISITEUR), the authentication is OK but the radius server does not send this attribute to the NAS: they are filtered and they should not be. When I set those attributes to =* ANY, everything works well. I don't understand this behaviour.

Thanks for any ideas/help

--
Mustapha BOUIKHIF
Service Systèmes d'Information
CNRS - DR4
Re: attr_filter issue
Debug? It could be that they just haven't been copied from inner to outer reply.

Ivan Kalik
Kalik Informatika ISP
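Besides the inner/outer question, the rule file as posted has two `==` rules for each VLAN attribute. As far as I know rlm_attr_filter counts passes and failures over every rule that names an attribute and keeps the attribute only when none failed (an assumption to confirm against the comments in your version's attrs file), so a VISITEUR value fails the SIRC rule and is dropped. Added example, not the poster's file: the same realm entry with one regex rule per VLAN attribute and the duplicated Proxy-State line removed.

```conf
# raddb/attrs entry for realm dr4.cnrs.fr (added example, not the original file).
# Every rule naming an attribute is applied; a single regex rule admits both
# VLAN names, where two "==" rules could never both pass for one value.
dr4.cnrs.fr
	Service-Type == Login-User,
	Framed-IP-Address == 255.255.255.254,
	Framed-MTU >= 576,
	Proxy-State =* ANY,
	Reply-Message =* ANY,
	EAP-Message =* ANY,
	Message-Authenticator =* ANY,
	State =* ANY,
	Session-Timeout <= 28800,
	Idle-Timeout <= 600,
	Port-Limit <= 2,
	MS-MPPE-Recv-Key =* ANY,
	MS-MPPE-Send-Key =* ANY,
	User-Name =* ANY,
	Called-Station-Id =* ANY,
	Calling-Station-Id =* ANY,
	NAS-Port-Type =* ANY,
	NAS-Port =* ANY,
	NAS-IP-Address =* ANY,
	NAS-Identifier =* ANY,
	Framed-Filter-ID =* ANY,
	# Only VLAN assignment is allowed through, and only for the two
	# VLANs this realm may use; any other value is filtered out.
	Tunnel-Type == VLAN,
	Tunnel-Medium-Type == IEEE-802,
	Trapeze-VLAN-Name =~ "^(VISITEUR|SIRC)$",
	Tunnel-Private-Group-Id =~ "^(VISITEUR|SIRC)$"
```

This only matters once the attributes are in the outer reply at all; for PEAP or TTLS that needs use_tunneled_reply = yes in eap.conf, and radiusd -X shows what attr_filter actually sees.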
RE: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Hi all:

When I use ldapsearch (ldapsearch -x -b 'dc=mydomain,dc=com' '(objectclass=*)'), it returns as follows:

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# mydomain.com
dn: dc=mydomain,dc=com
objectClass: dcObject
objectClass: organization
o: network
dc: mydomain

# ldapuser, mydomain.com
dn: cn=ldapuser,dc=mydomain,dc=com
objectClass: organizationalRole
cn: ldapuser

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
RE: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Dear Alan:

So how can I set the ldapuser's password?
Re: Linksys WAP54G
> I have 1 WAP54G that works sometimes. Read the thread in the links I
> included for more details. I used tcpdump to see if any data got
> through.

Nothing will go through the switch if mac filtering is enabled. You need to see if packets are leaving the AP.

Ivan Kalik
Kalik Informatika ISP
RE: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> When I use ldapsearch (ldapsearch -x -b 'dc=mydomain,dc=com'
> '(objectclass=*)'),return as follows :

Do the same search freeradius does:

>> rlm_ldap: performing search in dc=mydomain,dc=com, with filter
>> (uid=ldapuser)

Ivan Kalik
Kalik Informatika ISP
Re: Linksys WAP54G
Right now I have 1 FreeRadius-server and 3 WAP54G AccessPoints. When I configure the AP's with WPA-Enterprise and point them to the FreeRadius-server, the FreeRadius-server doesn't get any data from the AP's.

I have one WAP54G that works most of the time, regardless of where I put it in my network. One other has worked once. The third has never worked. All WAP54G AP's are the same. Same version, same firmware.

Searching for a solution for this problem, I bumped into more complaints about the WAP54G with FreeRadius. For some reason, they stop working when some request packets get lost. I posted my problem on the Linksys support forums. More information about my problem can be found there:
http://forums.linksys.com/linksys/board/message?board.id=Access_Points&thread.id=8846

I was wondering if more FreeRadius users experience these problems with the WAP54G.
Re: Linksys WAP54G
On Tuesday 25-11-2008 at 11:01 [timezone +0100], [EMAIL PROTECTED] wrote:
>> I have 1 WAP54G that works sometimes. Read the thread in the links I
>> included for more details. I used tcpdump to see if any data got
>> through.
>
> Nothing will go through the switch if mac filtering is enabled. You need
> to see if packets are leaving the AP.

How can I check that? Does the WAP54G have the option to check that? As far as I can see, I can only check if any data gets to the FreeRadius-server.

Besides, no filtering is enabled. All data from the internal network can reach the radius-server. That's proven, because in some cases the Radius-server receives data from the AP and I get a successful logon.

According to this thread, the problem occurs as soon as one of the requests of the WAP54G is unsuccessful (a packet is lost):
http://www.linksysinfo.org/forums/archive/index.php?t-36702.html
RE: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Hi Ivan:

Do you mean using "ldapsearch -x -b 'dc=mydomain,dc=com,uid=ldapuser' '(objectclass =*)'"? When I use "ldapsearch -x -b 'dc=mydomain,dc=com,uid=ldapuser' '(objectclass =*)'", the reply is as follows:

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
Re: failure to compile 2.1.1 on Redhat ES3
> A.L.M.Buxey at lboro.ac.uk wrote:
>> just tried to compile FR 2.1.1 on a more vintage system
>> than what I normally find myself on - RedHat ES 3
>>
>> Theres a compile issue with Python module which didnt
>> exist on the same platform with 2.0.5 - but I'll ignore
>> that one for now - the important part is the base daemon
>> itself:
>>
>> /usr/src/freeradius-server-2.1.1/libtool --mode=compile gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I/usr/src/freeradius-server-2.1.1/src -DHOSTINFO=\"i686-pc-linux-gnu\" -DRADIUSD_VERSION=\"2.1.1\" -DOPENSSL_NO_KRB5 -c listen.c
>> gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I/usr/src/freeradius-server-2.1.1/src -DHOSTINFO=\"i686-pc-linux-gnu\" -DRADIUSD_VERSION=\"2.1.1\" -DOPENSSL_NO_KRB5 -c listen.c -fPIC -DPIC -o .libs/listen.o
>> listen.c:99:1: directives may not be used inside a macro argument
>
> Yuck. That assert can simply be deleted.
>
> Alan DeKok.

Hi Alan,

Please give me a little hint: what exactly can be deleted?

--
Thoralf Freitag
Manager Health Services System Administration
BIOTRONIK GmbH & Co. KG
Re: EAP2 configuration
Alan DeKok wrote:
> Fernando wrote:
>> Yes, I read the file but it only says that the module libeap.so is needed. I don't know how to build it :(. I've downloaded the hostapd 0.6.1 but there is no way to obtain the library. So can you provide me with some tips to build libeap.so?
>
> Edit the Makefiles that refer to libeap.a, and add a libeap.so target.
>
> This module IS experimental. It DOES require some Unix compiler skills to get working. You MAY get this to work more easily in a later version of hostapd. It MAY include support for building libeap.so. But I haven't tried.
>
> Alan DeKok.

Thanks for the tips. I have obtained libeap.so and I have compiled rlm_eap2. But now, to use the eap2 module, must it be configured somewhere? radiusd.conf or eap.conf... include experimental.conf in radiusd.conf... I have been trying some things without result. Can you help me with the configuration?

Thanks,
Fernando.
RE: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object

So you don't have user entries (uid, userPassword etc.) for ldapuser.

Ivan Kalik
Kalik Informatika ISP
Re: How to interpret rlm_ippool_tool output ?
Hmm, nobody knows it?

--
Thoralf Freitag
Manager Health Services System Administration

From: [EMAIL PROTECTED]
To: FreeRadius users mailing list
Date: 24.11.08 14:31
Subject: How to interpret rlm_ippool_tool output ?

Hi,

I am using the ippool module. To check whether IPs are put back into the pool after they are freed, I sometimes take a look at the IP pool.

sudo /opt/radius/bin/rlm_ippool_tool -av /opt/radius/etc/raddb/db.ippool.one /opt/radius/etc/raddb/db.ipindex.one

shows something like this:

KEY: '9680138403a6e74f3b73aac7df6999b0' - ipaddr:10.0.194.251 active:1 cli:0 num:1
KEY: '713fff05450587a3211ea1f508fa8aeb' - ipaddr:10.0.194.32 active:1 cli:0 num:0

In my understanding the first is the unique key built as configured. The second is very clear. But then: active:1 means this IP is used? cli:0, I saw nothing other than 0? num: 0|1, I have no idea what this means. Can anybody help me?

--
Thoralf Freitag
Manager Health Services System Administration
BIOTRONIK GmbH & Co. KG
Re: EAP2 configuration
Hi all,

Alan, you can ignore the message before. But what is the information needed to put in LD_PRELOAD?

Thanks.
MAC based auth
Hi,

I read the manuals but I don't know how I can use MAC based authentication. I used EAP-TLS and username/password. It worked well. But when I am not logged on to the Windows server, I want to authenticate the computer, because my server services have to be reachable. The PC tries to authenticate using a name like host/PCNAME but I don't know what the password is...

I think if I use MAC address based auth, I don't need a username/password; a MAC address alone is enough. Or is it a wrong idea? How can I set it to use just MAC addresses for authentication? I want to authenticate the hardware, not the user (because the user is not logged on).

Configuration: newest freeRadius, Cisco switch, Win XP.

Thanks,
GH
Re: Linksys WAP54G
> If that's the issue I know about, you restart the AP (switch it off and
> on again) and it starts working again. That doesn't sound like your
> problem.

With one AP (the one that works most of the time) this is the case. Sometimes nothing comes through. After a hard reset (power off) it works again. For a while...

> Ivan Kalik
> Kalik Informatika ISP
Re: EAP2 configuration
Fernando wrote:
> Alan you can ignore the message before.
>
> But, what is the information needed to put in LD_PRELOAD?

  Whatever is needed to get the dynamic linker to load the libraries from where you installed them.

  It's your system... you can read the "man" page for the linker. You can remember where you installed the libraries.

  This list isn't the place to learn Unix development.

  Alan DeKok.
Unlang / Username modification
Hello list;

Our freeradius is used to authenticate MAC-addresses (locally) and "humans" (against the Windows AD). Therefore I would like to use unlang to separate MAC-addresses from humans as they need to be treated differently; the MAC-address authentication works fine; so does the proxying to the realm called "office". However I am stuck with these two tasks:

a) Append the "office" prefix to the username (since we are lazy and do not want to type in the domain name when we log on to one of our switches)

b) proxy the request to the AD

I have placed the following lines of code in the radiusd.conf file:

if (User-Name="nemec") {
	%{User-Name}:=office\nemec
	Proxy-To-Realm := "office"
}

However they are not being executed. Do they need to be at the top of the file? Is the syntax correct? radiusd -X runs with no errors and correctly processes all other requests, but does not proxy to the "office" realm.

Christopher

Oesterreichische Lotterien Gesellschaft m.b.H., Rennweg 44, A-1038 Wien, FN 54472 g, Handelsgericht Wien, DVR-Nr: 0476706
Re: Linksys WAP54G
> Right now I have 1 FreeRadius-server and 3 WAP54G AccessPoints. When I
> configure the AP's with WPA-Enterprise and point them to the
> FreeRadius-server, the FreeRadius-server doesn't get any data from the
> AP's.
>
> I have one WAP54G that works most of the time

OK.

> One other has worked once. The third has never worked.

Connect those two directly to the radius server (or whatever runs tcpdump/wireshark). If you still can't get anything, return them and ask for your money back.

> Searching for a solution for this problem, I bumped in more complaints
> about the WAP54G with FreeRadius. For some reason, they stop working
> when some request-packages get lost.

If that's the issue I know about, you restart the AP (switch it off and on again) and it starts working again. That doesn't sound like your problem.

Ivan Kalik
Kalik Informatika ISP
Re: Unlang / Username modification
Nemec Christopher wrote:
> However I am stuck with these two tasks:
>
> a) Append the "office" prefix to the username (since we are lazy and do
> not want to type in the domain name when we log on to one of our switches)
>
> b) proxy the request to the AD

  That should be easy.

> I have placed the following lines of code in the radiusd.conf file:
>
> if (User-Name="nemec") {
> %{User-Name}:=office\nemec
> Proxy-To-Realm := "office"
> }
>
> However they are not being executed. Do they need to be at the top of
> the file? Is the syntax correct?

  No. PLEASE read the documentation. In this case, "man unlang".

  Alan DeKok.
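The same intent written the way "man unlang" describes it, added here as an example (not from the original post and not the server's shipped configuration): a comparison uses `==`, attributes are changed in `update` blocks rather than by `%{...}` expansion, `Proxy-To-Realm` is a control-list item, and the block goes into the `authorize` section of the virtual server (sites-enabled/default), not at the top of radiusd.conf. The realm name "office", the user "nemec" and the DOMAIN\user form are taken from the post; the home servers for that realm are assumed to be defined in proxy.conf as before.

```conf
# sites-enabled/default (FreeRADIUS 2.x), trimmed to the relevant part.
# Added example for the poster's "nemec" case; realm "office" assumed.
authorize {
	# Existing realm handling stays in place; the condition below only
	# matches the bare login name, so user@office is never touched.
	suffix

	# A bare login from a switch: prefix the Windows domain and send the
	# request to the "office" home servers defined in proxy.conf.
	if (User-Name == "nemec") {
		update request {
			# Backslash is an escape in unlang strings, hence "\\".
			User-Name := "office\\nemec"
		}
		update control {
			Proxy-To-Realm := "office"
		}
	}

	# MAC-address entries keep being handled locally by "files".
	files
}
```

With radiusd -X the condition shows up as it is evaluated, followed by the two update blocks; if it never appears, the request is not passing through the section the block was placed in.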
Re: failure to compile 2.1.1 on Redhat ES3
[EMAIL PROTECTED] wrote:
>>> listen.c:99:1: directives may not be used inside a macro argument
>>
>> Yuck. That assert can simply be deleted.
...
> pls. give me a little hint, what exact can be deleted ?

  Read "listen.c". Go to line 99. See that it contains the word "assert". Delete the entire text, all the way to the closing ")".

  Alan DeKok.
Re: MAC based auth
Hegedus Gabor wrote:
> read manuals but i don't know how can i use mac based authentication.

  MAC based authentication is just configuring the server to accept the user if the MAC is known.

> I used eap-tls and username/pass. It worked good.
> but when I not log on to the Windows server, I want to authenticate the
> computer, cos my server services have to reachable.
>
> pc try authenticate using name like host/PCNAME but i don't know what
> is a password...

  It's in the Active Directory database. Configure the server to do MS-CHAP, and it should work for machine authentication.

> I think if i use mac address based auth., i don't need username/pass,
> simply enough a mac address.
>
> or is it a wrong idea?

  It might not work.

> how can i set it to use just mac addresses to authentication?I want
> authenticate the hardware not the user(cos the user is not logged on).

  Just return an Access-Accept if the MAC is OK... but that means the users won't be authenticated, either.

  Alan DeKok.
Re: certificates confusion
[EMAIL PROTECTED] wrote:
>> There is also an unrelated problem that causes the CA to only last 30
>> days. See here http://bugs.freeradius.org/show_bug.cgi?id=615
>>
>
> Hm, I was under the impression that this was sorted:

  No. I've just pushed some fixes to git.freeradius.org.

  Alan DeKok.
Re: EAP2 configuration
Alan DeKok wrote:
> Fernando wrote:
>> Alan you can ignore the message before.
>>
>> But, what is the information needed to put in LD_PRELOAD?
>
> Whatever is needed to get the dynamic linker to load the libraries from where you installed them.

Yes, it works now, but I can't execute any method... I'm trying eap-md5 but nothing happens. I put (eap2) in the authentication section, I removed the eap module and I added experimentation.conf to radiusd.conf. Do I need to do anything more?

Thank you very much,
Fernando.

Here the request...

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.5 port 32771, id=0, length=174
	User-Name = "fernando"
	NAS-IP-Address = 127.0.0.1
	NAS-Identifier = "fernando.atica.um.es"
	NAS-Port = 0
	Called-Station-Id = "00-40-96-B2-13-4E:test"
	Calling-Station-Id = "00-13-F7-23-FB-E3"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 0Mbps 802.11"
	EAP-Message = 0x02c6000d016665726e616e646f
	Message-Authenticator = 0x702236655925bc2e878dce8dba4dad53
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "fernando", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[unix] returns updated
    users: Matched entry fernando at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rlm_pap: No clear-text password in the request. Not performing PAP.
++[pap] returns noop
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [fernando/] (from client 192.168.1.5 port 0 cli 00-13-F7-23-FB-E3)

> It's your system... you can read the "man" page for the linker. You can remember where you installed the libraries.
>
> This list isn't the place to learn Unix development.
>
> Alan DeKok.
Re: Linksys WAP54G
As my two cents, I have a W54GS using FreeRadius in a rather complex setup, but your basic troubleshooting should be the same. I have read it a few times on the post: while you can prove there is some communication between your WAP and your FreeRadius install, the problem remains how MUCH is actually happening. Is the WAP only sending 1 in 5 authentications? Is it sending all? Or less? The best way to prove this is to wire it directly to a box so you can do a packet capture, and see if it is doing exactly as you expect. That can remove the WAP on the communication side, as well as give you a little insight into what is broken from that point on. Providing the information you get back (minus the dump file itself, unless someone asks for it specifically) will help people on the list find out what this AP is doing. As well, is it at the latest firmware?

If you want to get a little more hands on, there are a few things out there on how to create a passive tap, and you can use that basically anywhere in your current infrastructure to see if it is the network between the two devices that is broken.

With Linksys it is kind of silly, but you usually have to power cycle it if it loses the Radius server, so it is forced to re-negotiate its connection and allow authentication. I have seen this personally, and read a lot about it online, though I haven't come across anything from Linksys themselves about it.

Regards,
Seann
Re: EAP2 configuration
Fernando wrote:
> Yes, it works now, but I can't execute any method... I'm trying eap-md5 but nothing happens. I put it in the authentication section (eap2), I removed the eap module and I added experimentation.conf to radiusd.conf. Do I need to do anything more?

You deleted "eap", but didn't add "eap2". Please familiarize yourself with the configuration files before editing them.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: failure to compile 2.1.1 on Redhat ES3
I commented out these lines in src/main/listen.c:

    /*
    rad_assert((listener->type == RAD_LISTEN_AUTH)
    #ifdef WITH_STATS
               || (listener->type == RAD_LISTEN_NONE)
    #endif
    #ifdef WITH_ACCOUNTING
               || (listener->type == RAD_LISTEN_ACCT)
    #endif
    #ifdef WITH_VMPS
               || (listener->type == RAD_LISTEN_VQP)
    #endif
    #ifdef WITH_DHCP
               || (listener->type == RAD_LISTEN_DHCP)
    #endif
               );
    */

Hope that is OK. And all works without these lines?

--
Thoralf Freitag
Manager Health Services System Administration
Phone: +49 (0) 30 68905-4611
Cellular: +49 (0) 151 1631-4611
Fax: +49 (0) 30 68905-2940
Mail: [EMAIL PROTECTED]

From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Date: 25.11.08 14:54
Subject: Re: failure to compile 2.1.1 on Redhat ES3
Sent by: [EMAIL PROTECTED]

[EMAIL PROTECTED] wrote:
>>>> listen.c:99:1: directives may not be used inside a macro argument
>>
>> Yuck. That assert can simply be deleted.
...
> pls. give me a little hint, what exactly can be deleted?

Read "listen.c". Go to line 99. See that it contains the word "assert". Delete the entire text, all the way to the closing ")".

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MAC based auth
Alan DeKok wrote:
> Hegedus Gabor wrote:
>> I read the manuals but I don't know how I can use MAC based authentication.
>
> MAC based authentication is just configuring the server to accept the user if the MAC is known.
>
>> I used eap-tls and username/pass. It worked well. But when I am not logged on to the Windows server, I want to authenticate the computer, cos my server services have to be reachable. The PC tries to authenticate using a name like host/PCNAME but I don't know what the password is...
>
> It's in the Active Directory database. Configure the server to do MS-CHAP, and it should work for machine authentication.

I don't use AD; the PC is not in a domain (yet). My freeradius does ms-chap.

>> I think if I use MAC address based auth., I don't need username/pass, a MAC address is simply enough. Or is it a wrong idea?
>
> It might not work.
>
>> How can I set it to use just MAC addresses for authentication? I want to authenticate the hardware, not the user (cos the user is not logged on).
>
> Just return an Access-Accept if the MAC is OK... but that means the users won't be authenticated, either.
>
> Alan DeKok.
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

This is my problem, what can you suggest to me:

I want to use 802.1x port auth, although the machines are servers, and users log in rarely. The machines will automatically do the authentication (this is the goal), but how can I set the pass, cos I set the name of the PC and it will be sent, but the pass...

This u/p seems better security than using just a MAC address.

Gabor

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: last hurdle...windows clients
On Tue, 2008-11-25 at 10:06 +0100, Alan DeKok wrote:
> Craig White wrote:
>> I realize that freeradius has little control over the supplicant but I'm wondering if it's something in my setup of tls that the authentication should/shouldn't be part of the tunnel because it just assumes a login of anonymous instead of the Windows User/Password or never asks me for a User/Password...
>
> Because you've likely configured an anonymous outer identity, and it's not proceeding to the inner session. So it's not asking for the username or password.

OK, perhaps I am just looking in the wrong place and I'm using an older version of freeradius (part of RHEL/CentOS 5), but eap.conf, in the peap section, only has these options and I haven't found any combination that works...

    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    # proxy_tunneled_request_as_eap = yes
    proxy_tunneled_request_as_eap = no

and I have the ttls section commented out.

Am I in the right place? Am I missing something really obvious?

Craig

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: last hurdle...windows clients
> Am I in the right place?

No. You are looking at the radius server for something configured on the supplicant.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MAC based auth
> This is my problem, what can you suggest to me:
> I want to use 802.1x port auth, although the machines are servers, and
> users log in rarely.
> The machines will automatically do the authentication (this is the goal),

What is the Authenticator (NAS)? You should find in its documentation how to set MAC authentication before 802.1x.

> but how can I set the pass, cos I set the name of the PC and it will
> be sent, but the pass...
> This u/p seems better security than using just a MAC address.
>

For that you need AD. It can be set manually using netdom resetpwd but only for machines in the domain.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pam_radius_auth v1.3.17 missing a define???
Alan DeKok-2 wrote:
>
> David Ly wrote:
>> I've been looking into the source code of pam radius, due to
>> authentication failure without an entry in the local /etc/passwd file,
>
> That's the PAM value add...
>

Could you explain what "PAM value add" means/is?

Alan DeKok-2 wrote:
>
> You haven't said which OS this is on. There *is* more than one
> implementation of PAM. And IIRC, that requirement wasn't there when the
> module was originally written.
>

I'm using Linux 2.6.27-7-generic (on ubuntu 8.10)

Alan DeKok-2 wrote:
>
> Fix the Makefile to
> reference the correct libraries with this function.
>

That worked. Thanks. (The Makefile required some editing, because of gcc I think.)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radmin dies on freebsd 6.1 amd64 using debug command
Hello,

Using the latest stable git release, I've noticed the following.

    radmin> debug file /usr/home/tfa/radius.log
    radmin> debug condition '(User-Name == "bob")'

At that time the file radius.log begins to be written by radiusd, but it seems to log each request without taking care about the condition?

Then while doing

    radmin> debug condition

radiusd dies.

Am I using the radmin command properly? (The server is a little bit loaded, about 5 requests/second.)

Thomas

Alan DeKok wrote:
> Norbert Wegener wrote:
>> When those commands have been executed and some debugging shows up in the logfile, I want to switch to another log. Changing the radmin input file to
>>
>>     debug file /var/log/radius/nw3.log
>>     debug condition '(NAS-IP-Address == "172.31.110.147") || (NAS-IP-Address == "172.31.110.149") || (NAS-IP-Address == "149.246.185.169")'
>>
>> and executing the commands, freeradius in the actual 2.1.1 version dies.
>
> OK. I've committed a fix, and pushed it to the "master" and "stable" trees.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Can FreeRadius server as AAA for MMSC and EVDO as w ell?
Hello,

In our network we have two data services:

1.- MMSC (Multimedia Message Service Center)
2.- EVDO (Evolution-Data Optimized)

I just downloaded and installed FreeRADIUS on a FreeBSD server. This is my first time trying to configure it, but first of all I would like to know if mine is a common usage of FreeRADIUS: the MMSC is served through a Solaris based server and EVDO is served through a proprietary PDSN appliance.

Are there more people who figured out how to make this kind of configuration possible?

Thanks in advance
Aldo

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Dear ivan:

But the search results have shown "# base with scope subtree". If I don't have the new entry "ldapuser", how can I add the new entries?

Regards,
vicky

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, November 25, 2008 8:38 PM
To: FreeRadius users mailing list
Subject: RE: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>

So you don't have user entries (uid, userPassword etc.) for ldapuser.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Login incorrect (rlm_ldap: User not found)
Dear all:

I have installed freeradius-server-2.1.1 and I want to use LDAP to do authentication. And I have added a new ldap user "hoyo" and set the user password.

But when I use "radius -X" to start the radius, the server shows the message:

    .
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] returns noop
    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Failed to authenticate the user.
    Login incorrect (rlm_ldap: User not found): [hoyo/hoyo] (from client my_radius_client_pc port 0)
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
            expand: %{User-Name} -> hoyo
     attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    .
    ..
    ...

I have set the user "hoyo" password by

    ldappasswd -S -x -W -D "cn=Manager,dc=mydomain,dc=com" "cn=hoyo,dc=mydomain,dc=com"

and the response is as follows:

    New password:
    Re-enter new password:
    Enter LDAP Password:
    Result: Success (0)

But why is there still an error? How can I solve the problem?

Regards,
Vicky

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
I'm fairly positive there are pointers in the documentation for your specific LDAP server on how to add data into it.

//anders

hsuan wrote:
> Dear ivan:
> But the search results have shown "# base with scope subtree". If I don't have the new entry "ldapuser", how can I add the new entries?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Login incorrect (rlm_ldap: User not found)
ldappasswd is unlikely to use the encryption scheme that is expected by PAP (or just about any other module). Use an LDIF file, or some other means to set the data to be what you want it to be, not something you're not sure what it might be.

//anders

hsuan wrote:
> Dear all:
>
> I have installed freeradius-server-2.1.1 and I want to use LDAP to do authentication. And I have added a new ldap user "hoyo" and set the user password.
>
> But when I use "radius -X" to start the radius, the server shows the message:
>
>     ...
>     [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>     ++[pap] returns noop
>     No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>     Failed to authenticate the user.
>     Login incorrect (rlm_ldap: User not found): [hoyo/hoyo] (from client my_radius_client_pc port 0)
>     Using Post-Auth-Type Reject
>     +- entering group REJECT {...}
>             expand: %{User-Name} -> hoyo
>      attr_filter: Matched entry DEFAULT at line 11
>     ++[attr_filter.access_reject] returns updated
>     .
>     ..
>     ...
>
> I have set the user "hoyo" password by
>
>     ldappasswd -S -x -W -D "cn=Manager,dc=mydomain,dc=com" "cn=hoyo,dc=mydomain,dc=com"
>
> and the response is as follows:
>
>     New password:
>     Re-enter new password:
>     Enter LDAP Password:
>     Result: Success (0)
>
> But why is there still an error? How can I solve the problem?
>
> Regards,
> Vicky

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radmin dies on freebsd 6.1 amd64 using debug command
Thomas Fagart wrote:
> Using the latest stable git release, I've noticed the following.
>
>
> radmin> debug file /usr/home/tfa/radius.log
> radmin> debug condition '(User-Name == "bob")'
>
>> At that time the file radius.log begins to be written by radiusd, but
> it seems to log each request without taking care about the condition ?

Hmm... I'm not seeing that.

> Then while doing
>
> radmin> debug condition
>
> radiusd dies

Please see doc/bugs. There was an issue with "debug condition", but it was fixed about 3 weeks ago. Please ensure you're using the version with the fix (see "git log" for details).

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Login incorrect (rlm_ldap: User not found)
Hi anders:

Do you have another way to set the ldap user password? How do I do it?

Regards,
vicky

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anders Holm
Sent: Wednesday, November 26, 2008 3:00 PM
To: FreeRadius users mailing list
Subject: Re: Login incorrect (rlm_ldap: User not found)

ldappasswd is unlikely to use the encryption scheme that is expected by PAP (or just about any other module). Use an LDIF file, or some other means to set the data to be what you want it to be, not something you're not sure what it might be.

//anders

hsuan wrote:
> Dear all:
>
> I have installed freeradius-server-2.1.1 and I want to use LDAP to do authentication. And I have added a new ldap user "hoyo" and set the user password.
>
> But when I use "radius -X" to start the radius, the server shows the message:
>
>     .
>     [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>     ++[pap] returns noop
>     No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>     Failed to authenticate the user.
>     Login incorrect (rlm_ldap: User not found): [hoyo/hoyo] (from client my_radius_client_pc port 0)
>     Using Post-Auth-Type Reject
>     +- entering group REJECT {...}
>             expand: %{User-Name} -> hoyo
>      attr_filter: Matched entry DEFAULT at line 11
>     ++[attr_filter.access_reject] returns updated
>     .
>     ..
>     ...
>
> I have set the user "hoyo" password by
>
>     ldappasswd -S -x -W -D "cn=Manager,dc=mydomain,dc=com" "cn=hoyo,dc=mydomain,dc=com"
>
> and the response is as follows:
>
>     New password:
>     Re-enter new password:
>     Enter LDAP Password:
>     Result: Success (0)
>
> But why is there still an error? How can I solve the problem?
>
> Regards,
> Vicky

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
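The "rlm_ldap: User not found" and "No known good password" lines quoted in this thread are two different failures that produce the same Access-Reject. As an added example, not code from FreeRADIUS or from anyone in this thread, the Python mock-up below retraces the rlm_ldap search followed by the rlm_pap comparison on a constructed in-memory directory, so the two outcomes can be told apart. Everything in it is an assumption for illustration: the entries (including a "hoyo" entry created under cn= with no uid attribute, as the ldappasswd command above would leave it), the (uid=...) search filter, the {SSHA} values, and the function names; it only knows cleartext, {SHA} and {SSHA}, whereas the real rlm_pap handles a longer list of schemes.

```python
"""Toy re-creation of the rlm_ldap -> rlm_pap path for a PAP request.

Added example, not FreeRADIUS code. Directory entries, hashes and function
names are constructed; only cleartext, {SHA} and {SSHA} are verified here.
"""
import base64
import binascii
import hashlib
import hmac
import os
import re

BASE_DN = "dc=mydomain,dc=com"                        # base DN used in the thread
SIMPLE_FILTER = re.compile(r"^\((\w+)=([^)]+)\)$")    # only "(attr=value)" filters
SCHEME_PREFIX = re.compile(r"^\{(\w+)\}(.*)$", re.S)  # RFC 2307 style "{SCHEME}payload"


def make_ssha(password, salt=None):
    """Build an RFC 2307 style value: {SSHA} base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_password(stored, supplied):
    """Compare a PAP password with a stored userPassword value.

    Returns "ok", "reject", or "noop" when the stored value is in a scheme this
    code cannot verify (the situation behind the 'No "known good" password' warning).
    """
    m = SCHEME_PREFIX.match(stored)
    if not m:                                   # no {scheme} prefix: treat as cleartext
        return "ok" if hmac.compare_digest(stored.encode(), supplied.encode()) else "reject"
    scheme, payload = m.group(1).lower(), m.group(2)
    if scheme in ("clear", "cleartext"):
        return "ok" if hmac.compare_digest(payload.encode(), supplied.encode()) else "reject"
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return "noop"                           # unparseable payload: nothing to compare
    if scheme == "sha":
        digest, salt = raw, b""
    elif scheme == "ssha":
        digest, salt = raw[:20], raw[20:]       # SHA-1 digest is 20 bytes, the rest is salt
    else:
        return "noop"                           # a scheme only the directory understands
    calc = hashlib.sha1(supplied.encode() + salt).digest()
    return "ok" if hmac.compare_digest(calc, digest) else "reject"


def ldap_search(directory, base, filt):
    """Return the entries under `base` that match a simple (attr=value) filter."""
    m = SIMPLE_FILTER.match(filt)
    if not m:
        raise ValueError("unsupported filter: %s" % filt)
    attr, value = m.group(1).lower(), m.group(2)
    return [e for e in directory
            if e["dn"].lower().endswith(base.lower()) and value in e.get(attr, [])]


def authenticate(directory, user_name, user_password, filter_template="(uid=%{User-Name})"):
    """Mimic authorize (ldap search) then authenticate (pap compare).

    Returns "notfound" (rlm_ldap: User not found), "noop" (no usable
    password), "ok" or "reject".
    """
    filt = filter_template.replace("%{User-Name}", user_name)
    hits = ldap_search(directory, BASE_DN, filt)
    if len(hits) != 1:                          # "object not found or got ambiguous search result"
        return "notfound"
    stored = hits[0].get("userpassword")
    if not stored:
        return "noop"
    return check_password(stored[0], user_password)


# Constructed sample directory: "hoyo" sits under cn= with no uid attribute,
# "ldapuser" has a uid, and "legacy" carries a scheme this code does not know.
DIRECTORY = [
    {"dn": "cn=hoyo,dc=mydomain,dc=com", "cn": ["hoyo"],
     "userpassword": [make_ssha("hoyo", b"s4lt")]},
    {"dn": "uid=ldapuser,dc=mydomain,dc=com", "uid": ["ldapuser"], "cn": ["ldapuser"],
     "userpassword": [make_ssha("secret", b"abcd")]},
    {"dn": "uid=legacy,dc=mydomain,dc=com", "uid": ["legacy"],
     "userpassword": ["{SOMEOTHERSCHEME}AAAA"]},
]

if __name__ == "__main__":
    for user, pw, tmpl in [("hoyo", "hoyo", "(uid=%{User-Name})"),
                           ("hoyo", "hoyo", "(cn=%{User-Name})"),
                           ("ldapuser", "secret", "(uid=%{User-Name})"),
                           ("ldapuser", "wrong", "(uid=%{User-Name})"),
                           ("legacy", "anything", "(uid=%{User-Name})")]:
        print("%-9s %-8s %-18s -> %s" % (user, pw, tmpl, authenticate(DIRECTORY, user, pw, tmpl)))
```

Running it shows "hoyo" coming back as notfound with the uid filter but ok with a cn filter (the entry exists, the filter simply does not reach it), a wrong password as reject, and an unknown scheme as noop. Those three outcomes map onto the debug output quoted in the thread: a search that returns nothing is a directory/filter mismatch to fix with the LDAP tools, while "no known good password" with an entry that was found means the stored value is in a form the server cannot compare, which is Anders' point about setting userPassword deliberately rather than with whatever ldappasswd chose.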
Re: Can FreeRadius server as AAA for MMSC and EVDO as well?
Aldo Zavala wrote:
> Hello, in our network we have two data services:
> 1.- MMSC (Multimedia Message Service Center)
> 2.- EVDO (Evolution-Data Optimized)
>
> I just downloaded and installed FreeRADIUS on a FreeBSD server, this is
> my first time trying to configure it, but first of all I would like to know
> if mine is a common usage of FreeRADIUS, the MMSC is served through a Solaris
> based server and EVDO is served through a proprietary PDSN appliance.
>
> Are there more people who figured out how to make this kind of
> configuration possible?

If those services use RADIUS for authentication, then it's possible. See their documentation for the list of features that they support.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html