Somewhat OT: Mac OS self assigned IP issues

2008-11-26 Thread Sergio Belkin
Hi,

I am using OpenWRT Kamikaze and sometimes there is a problem with Mac
OS clients. Clients get Access-Accept, but Mac OS says that it only gets
a self-assigned IP and then it can't surf the web. The problem happens
using either TTLS or PAP.

Is it a problem with Mac OS or an OpenWRT one?

I'd be glad to read suggestions and comments...

Thanks in advance
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius error: "Discarding conflicting packet"

2008-11-26 Thread Sergio Belkin
I've upgraded to OpenWRT Kamikaze and the problem seems to go away...

2008/11/6 Alan DeKok <[EMAIL PROTECTED]>:
> Sergio Belkin wrote:
>> Alan, thanks, That's really a quite convincing answer :)
>
>  Yup.  I'm not just a random loudmouth on this list.
>
>> Of course I believe you, but please understand me, it's hard for me to
>> realize that either Linksys make non-standard products or OpenWRT
>> (white russian) developers had made such a mistake.
>
>  There are many, many, RADIUS client implementations that are
> nearly as bad.
>
>> So, I'd be glad to know what AP's are standard compliant is there a list?
>
>  Nope.  I don't think very many are fully standards compliant.
>
>  I suggest updating the Wiki with any issues you find.
>
>  Alan DeKok.
>



-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


Re: MAC based auth

2008-11-26 Thread Stephen Bowman
On Wed, Nov 26, 2008 at 7:44 AM, Phil Mayers <[EMAIL PROTECTED]> wrote:

> Arran Cudbard-Bell wrote:
>
>> [EMAIL PROTECTED] wrote:
>>
>>> now imho cisco switches don't support mac based authentication with
>>> freeRadius.
>>>
>>> They most certainly do. And when you study for your CCNA you will learn
>>> how.
>>>
>>
>> Do they support Mac-Based Auth + 802.1X on the same port? As far as I
>>
>
> Yes
>
>> was aware HP ProCurve were the only ones that supported this properly
>>
>
> No. Extreme X250/X450 and 3Com 4400.
>

Foundry BigIron & GS series, too, at least.  It's what we use everywhere.

Configuration sample of a PDSN - FreeRADIUS - MySQL environment...

2008-11-26 Thread Aldo
Hello, can somebody please provide a FreeRADIUS configuration
sample for an environment like mine? Which is:

-Wireless Telephony provider that offers EVDO for subscribers (CDMA)
-PDSN
-FreeRADIUS
-MySQL (or Postgres)

Thanks in advance to all

Aldo



LDAP group checking

2008-11-26 Thread Paul Bartell
I'm having a hard time figuring out how to do group checking with
freeradius. I am trying to authenticate against open directory, but I
have no idea where to give the group name to check for. (modifying the
schema isn't really an option)


Re: Group Authorization with FreeRadius

2008-11-26 Thread tnt
Look at perl and sql modules and unlang. You can probably do this using
groups in sql tables without any programming. If you need to impose some
simple policies unlang should be the answer. If you want to do some
complex checks then use perl.

Ivan Kalik
Kalik Informatika ISP

On 26/11/2008, "Mike Diggins" <[EMAIL PROTECTED]> wrote:

>
>I would like to not only authenticate my users via FreeRadius, but also
>authorize them by creating some local groups, and running a program to do
>the authorization check, then pass that back to radius as an attribute (I
>think). I would have to write the program myself obviously, but is this
>even possible using the latest FreeRadius software? I'm not sure where to
>start looking.
>
>-Mike
>
>



Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread tnt
>if I try mschapv2 in Windows client:
>
>--
>rad_recv: Access-Request packet from host 150.162.67.254:32839, id=46,
>length=52
>Service-Type = Framed-User
>Framed-Protocol = PPP
>User-Name = "nobody"
>NAS-IP-Address = 1.1.1.1
>NAS-Port = 0

This is not an mschap request.

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#How_do_I_make_Windows_XP_clients_use_only_PAP_.28Not_CHAP.29

In your case, leave only mschapv2. That will force Windows to use it (if
mschapv2 is not enabled on the pptp server connection will fail without
authentication).

Ivan Kalik
Kalik Informatika ISP
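
Ivan Kalik's diagnosis above ("This is not an mschap request") comes from reading which credential attributes the Access-Request carries. The following is an added example, not part of the original post: it reads `radiusd -X` debug text (mail quote markers included) and names the method each request attempts. The function names are hypothetical, and the second and third sample requests are constructed.

```python
import re

# Credential-bearing RADIUS attributes (standard dictionary names) and the
# authentication method each one implies.
METHOD_ATTRS = {
    "PAP": {"User-Password"},
    "CHAP": {"CHAP-Password"},
    "MS-CHAPv1": {"MS-CHAP-Response"},
    "MS-CHAPv2": {"MS-CHAP2-Response"},
    "EAP": {"EAP-Message"},
}

HEADER_RE = re.compile(r"rad_recv: ([\w-]+) packet from host ([0-9.]+).*?\bid=(\d+)")
ATTR_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*) =\s?(.*)$")

# First request: the excerpt quoted in the post. The other two are constructed
# for contrast (documentation addresses, made-up hex values).
SAMPLE_DEBUG = """\
>rad_recv: Access-Request packet from host 150.162.67.254:32839, id=46,
>length=52
>Service-Type = Framed-User
>Framed-Protocol = PPP
>User-Name = "nobody"
>NAS-IP-Address = 1.1.1.1
>NAS-Port = 0
>  Processing the authorize section of radiusd.conf
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=47, length=140
    User-Name = "alice"
    MS-CHAP-Challenge = 0x00112233445566778899aabbccddeeff
    MS-CHAP2-Response = 0x0100aabbccdd
+- entering group authorize
rad_recv: Access-Request packet from host 192.0.2.11 port 1645, id=48, length=136
    User-Name = "cert"
    EAP-Message =
    0x020100090163657274
+- entering group authorize
"""


def unquote(line):
    """Drop mail quote markers ('>', '> >') and trailing whitespace."""
    return re.sub(r"^(?:>\s?)+", "", line).rstrip()


def parse_requests(debug_text):
    """Return one dict per received packet: code, host, id and attributes."""
    requests, current, last_attr = [], None, None
    for raw in debug_text.splitlines():
        line = unquote(raw)
        header = HEADER_RE.search(line)
        if header:
            current = {"code": header.group(1), "host": header.group(2),
                       "id": int(header.group(3)), "attrs": {}}
            requests.append(current)
            last_attr = None
            continue
        if current is None:
            continue
        if re.fullmatch(r"\s*length=\d+\s*", line):
            continue  # header line wrapped by the mail client
        attr = ATTR_RE.match(line)
        if attr:
            last_attr = attr.group(1)
            current["attrs"][last_attr] = attr.group(2)
            continue
        # A long hex value may have been wrapped onto its own line.
        if (last_attr and current["attrs"][last_attr] == ""
                and re.fullmatch(r"\s*0x[0-9a-fA-F]+", line)):
            current["attrs"][last_attr] = line.strip()
            continue
        current = None  # first non-attribute line ends the attribute list
    return requests


def credential_methods(attrs):
    """Methods whose credential attribute is present in the request."""
    present = set(attrs)
    return sorted(m for m, names in METHOD_ATTRS.items() if names & present)


def describe(request):
    methods = credential_methods(request["attrs"])
    user = request["attrs"].get("User-Name", "?")
    if not methods:
        return (f"id={request['id']} user={user}: no credential attributes, "
                "so no module can set Auth-Type and the request is rejected")
    return f"id={request['id']} user={user}: {', '.join(methods)}"


if __name__ == "__main__":
    for req in parse_requests(SAMPLE_DEBUG):
        print(describe(req))
```
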



Re: My error:

2008-11-26 Thread tnt
Ask Intel where that thing writes its logs and then read them. The answer is
with the supplicant. Looking at the radius server won't help.

Ivan Kalik
Kalik Informatika ISP


On 26/11/2008, "Martin Silvero" <[EMAIL PROTECTED]> wrote:

>rad_recv: Access-Request packet from host 10.0.16.4 port 1645, id=6, length=136
>User-Name = "test"
>Framed-MTU = 1400
>Called-Station-Id = "0019.2fdb.9d00"
>Calling-Station-Id = "001f.3c22.44c5"
>Service-Type = Login-User
>Message-Authenticator = 0x8185244a1739d905761d97635ccde126
>EAP-Message = 0x020100090163657274
>NAS-Port-Type = Wireless-802.11
>NAS-Port = 262
>NAS-IP-Address = 10.0.16.4
>NAS-Identifier = "ap"
>+- entering group authorize
>++[preprocess] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: EAP packet type response id 1 length 9
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++[unix] returns notfound
>users: Matched entry cert at line 76
>++[files] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>rlm_pap: Found existing Auth-Type, not changing it.
>++[pap] returns noop
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: EAP Identity
>  rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
>  rlm_eap_tls: Initiate
>  rlm_eap_tls: Start returned 1
>++[eap] returns handled
>Sending Access-Challenge of id 6 to 10.0.16.4 port 1645
>EAP-Message = 0x010200060d20
>Message-Authenticator = 0x
>State = 0xb7c9adf3b7cba0f54e6f2b406f75dfd7
>Finished request 0.
>Going to the next request
>Waking up in 4.9 seconds.
>Cleaning up request 0 ID 6 with timestamp +5
>Ready to process requests.
>
>this error is with the supplicant "wire1"
>
>but... when the supplicant is "Intel PROset wireless" the error is this:
>
>rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=2, 
>length=136
>User-Name = "cert"
>Framed-MTU = 1400
>Called-Station-Id = "0019.2fdb.9e00"
>Calling-Station-Id = "001f.3c22.674a"
>Service-Type = Login-User
>Message-Authenticator = 0xba5587f920826e2bd4beb4695b9be3de
>EAP-Message = 0x020100090163657274
>NAS-Port-Type = Wireless-802.11
>NAS-Port = 259
>NAS-IP-Address = 10.0.31.40
>NAS-Identifier = "ap-Reconquista-31"
>+- entering group authorize
>++[preprocess] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
>rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: EAP packet type response id 1 length 9
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++[unix] returns notfound
>users: Matched entry cert at line 76
>++[files] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>rlm_pap: Found existing Auth-Type, not changing it.
>++[pap] returns noop
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: EAP Identity
>  rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
>  rlm_eap_tls: Initiate
>  rlm_eap_tls: Start returned 1
>++[eap] returns handled
>Sending Access-Challenge of id 2 to 10.0.31.40 port 1645
>EAP-Message = 0x010200060d20
>Message-Authenticator = 0x
>State = 0x45047f1b45067264424db5b65333fec0
>Finished request 1.
>Going to the next request
>Waking up in 4.9 seconds.
>rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=3, 
>length=255
>User-Name = "cert"
>Framed-MTU = 1400
>Called-Station-Id = "0019.2fdb.9e00"
>Calling-Station-Id = "001f.3c22.674a"
>Service-Type = Login-User
>Message-Authenticator = 0x565fba63fe92ec25bb27dc9b7cd35351
>EAP-Message =
>0x0202006e0d800064160301005f015b0301492d8813d8442284e62309c1463f24d6bd6dff31a5a199dee31582cbb9fa14043400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100
>NAS-Port-Type = Wireless-802.11
>NAS-Port = 259
>State = 0x45047f1b45067264424db5b65333fec0
>NAS-IP-Address = 10.0.31.40
>NAS-Identifier = "ap-Reconquista-31"
>+- entering group authorize
>++[preprocess] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
>rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: EAP packet type response id 2 length 110
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++[u

Re: Group Authorization with FreeRadius

2008-11-26 Thread Mike Diggins


I'm using the NTLM_AUTH authenticator currently, if that helps.

-Mike

On Wed, 26 Nov 2008, Mike Diggins wrote:



I would like to not only authenticate my users via FreeRadius, but also 
authorize them by creating some local groups, and running a program to do the 
authorization check, then pass that back to radius as an attribute (I think). 
I would have to write the program myself obviously, but is this even possible 
using the latest FreeRadius software? I'm not sure where to start looking.


-Mike




Group Authorization with FreeRadius

2008-11-26 Thread Mike Diggins


I would like to not only authenticate my users via FreeRadius, but also 
authorize them by creating some local groups, and running a program to do 
the authorization check, then pass that back to radius as an attribute (I 
think). I would have to write the program myself obviously, but is this 
even possible using the latest FreeRadius software? I'm not sure where to 
start looking.


-Mike


Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alan DeKok
Douglas Macedo wrote:
> Any idea?

  Use a recent version of the server.

  Alan DeKok.


Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alexandre Chapellon


On 26.11.2008 09:32, Douglas Macedo wrote:
> Alexandre,
>
> if I try mschapv2 in Windows client:
>
> --
> rad_recv: Access-Request packet from host 150.162.67.254:32839
> , id=46, length=52
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "nobody"
> NAS-IP-Address = 1.1.1.1 
> NAS-Port = 0

Did you truncate the Access-Request before posting??? There is no
information about the CHAP challenge, so there is no way freeradius can
handle it with rlm_chap...

Additionally, your pptp config seems strange to me.
You *REQUIRE* chap + mschap + mschapv2!!! Shouldn't a requirement be
unique? I would just keep require mschapv2 (and so force win client to use it)
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> users: Matched entry DEFAULT at line 198
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for nobody
> radius_xlat:  '(&(objectClass=posixAccount)(uid=nobody))'
> radius_xlat:  'ou=Users,dc=telemedicina,dc=ufsc,dc=br'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap.telemedicina.ufsc.br:389
> , authentication 0
> rlm_ldap: bind as cn=Manager,dc=telemedicina,dc=ufsc,dc=br/ckf45c to
> ldap.telemedicina.ufsc.br:389 
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=Users,dc=telemedicina,dc=ufsc,dc=br,
> with filter (&(objectClass=posixAccount)(uid=nobody))
> rlm_ldap: Password header not found in password
> 5A88C11C0EDC83D3DEA6AE1A0653E889 for user nobody
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding sambaNtPassword as NT-Password, value
> 5A88C11C0EDC83D3DEA6AE1A0653E889 & op=21
> rlm_ldap: Adding sambaLmPassword as LM-Password, value
> 89E0B38AC380D2B8AAD3B435B51404EE & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user nobody authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
> rlm_pap: Normalizing NT-Password from hex encoding
> rlm_pap: Normalizing LM-Password from hex encoding
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user nobody authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
> rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 1
> rlm_pap: Normalizing NT-Password from hex encoding
> rlm_pap: Normalizing LM-Password from hex encoding
> rlm_pap: No clear-text password in the request.  Not performing PAP.
>   modcall[authorize]: module "pap" returns noop for request 1
> modcall: leaving group authorize (returns ok) for request 1
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [nobody] (from client access-vpn port 0)
> Delaying request 1 for 1 seconds
> Finished request 1
> Going to the next request
> --
>
> Any idea?
>
> Thanks in advance,
> Douglas
>
> On Wed, Nov 26, 2008 at 5:27 PM, Alexandre Chapellon
> <[EMAIL PROTECTED] > wrote:
>
> try forcing windows pptp client to use mschapv2
>
> On 26.11.2008 09:15, Douglas Macedo wrote:
>> Sorry Alan,
>>
>> but the webpage says that it doesn't work. It's impossible? Correct?
>>
>> So, how can I fix that the other way?
>>
>> My pptp-options:
>>
>> ==
>> epiderme:/etc/ppp# cat pptpd-options
>> name pptpd
>> refuse-pap
>> ##refuse-chap
>> require-chap
>> ##refuse-mschap
>> require-mschap
>> require-mschap-v2
>> require-mppe-128
>> proxyarp
>> nodefaultroute
>> debug
>> lock
>> nobsdcomp
>> plugin radius.so
>> #plugin radattr.so
>> radius-config-file /etc/radiusclient/radiusclient.conf
>> auth
>> ==
>>
>> And my radiusd.conf:
>>
>> ==
>> prefix = /usr/local
>> exec_prefix = ${prefix}
>> sysconfdir = ${prefix}/etc
>> localstatedir = /var
>> sbindir = ${exec_prefix}/sbin
>> logdir 

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Douglas Macedo
Alexandre,

if I try mschapv2 in Windows client:

--
rad_recv: Access-Request packet from host 150.162.67.254:32839, id=46,
length=52
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "nobody"
NAS-IP-Address = 1.1.1.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched entry DEFAULT at line 198
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nobody
radius_xlat:  '(&(objectClass=posixAccount)(uid=nobody))'
radius_xlat:  'ou=Users,dc=telemedicina,dc=ufsc,dc=br'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.telemedicina.ufsc.br:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=telemedicina,dc=ufsc,dc=br/ckf45c to
ldap.telemedicina.ufsc.br:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=Users,dc=telemedicina,dc=ufsc,dc=br, with
filter (&(objectClass=posixAccount)(uid=nobody))
rlm_ldap: Password header not found in password
5A88C11C0EDC83D3DEA6AE1A0653E889 for user nobody
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaNtPassword as NT-Password, value
5A88C11C0EDC83D3DEA6AE1A0653E889 & op=21
rlm_ldap: Adding sambaLmPassword as LM-Password, value
89E0B38AC380D2B8AAD3B435B51404EE & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nobody authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nobody authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: No clear-text password in the request.  Not performing PAP.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [nobody] (from client access-vpn port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--

Any idea?

Thanks in advance,
Douglas

On Wed, Nov 26, 2008 at 5:27 PM, Alexandre Chapellon <
[EMAIL PROTECTED]> wrote:

>  try forcing windows pptp client to use mschapv2
>
> On 26.11.2008 09:15, Douglas Macedo wrote:
>
> Sorry Alan,
>
> but the webpage says that it doesn't work. It's impossible? Correct?
>
> So, how can I fix that the other way?
>
> My pptp-options:
>
> ==
> epiderme:/etc/ppp# cat pptpd-options
> name pptpd
> refuse-pap
> ##refuse-chap
> require-chap
> ##refuse-mschap
> require-mschap
> require-mschap-v2
> require-mppe-128
> proxyarp
> nodefaultroute
> debug
> lock
> nobsdcomp
> plugin radius.so
> #plugin radattr.so
> radius-config-file /etc/radiusclient/radiusclient.conf
> auth
> ==
>
> And my radiusd.conf:
>
> ==
> prefix = /usr/local
> exec_prefix = ${prefix}
> sysconfdir = ${prefix}/etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
> log_file = ${logdir}/radius.log
> libdir = ${exec_prefix}/lib
> pidfile = ${run_dir}/radiusd.pid
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 1024
> bind_address = *
> port = 0
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions = yes
> extended_expressions= yes
> log_stripped_names = no
> log_auth = yes
> log_auth_badpass = no
> log_auth_goodpass = no
> usercollide = no
> lower_user = no
> lower_pass = no
> nospace_user = no
> nospace_pass = no
> checkrad = ${sbindir}/checkrad
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = no
> }
> proxy_requests  = no
> $INCLUDE  ${confdir}/clients.conf
> snmp= no
> thread poo

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alan DeKok
Douglas Macedo wrote:
> but the webpage says that it doesn't work. It's impossible? Correct?

  Since I wrote that web page... I won't disagree with it.

> So, how can I fix that the other way?

  Do you have questions about the suggestions on the web page?

> My pptp-options:
> 
> ==
> epiderme:/etc/ppp# cat pptpd-options
> name pptpd
> refuse-pap
> ##refuse-chap
> require-chap
> ##refuse-mschap
> require-mschap
> require-mschap-v2

  Hmm... maybe some of those configuration options could help PPTP meet
the requirements listed on the web page?

  Please read the PPTP documentation for additional information.

  Alan DeKok.


Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alexandre Chapellon
try forcing windows pptp client to use mschapv2

On 26.11.2008 09:15, Douglas Macedo wrote:
> Sorry Alan,
>
> but the webpage says that it doesn't work. It's impossible? Correct?
>
> So, how can I fix that the other way?
>
> My pptp-options:
>
> ==
> epiderme:/etc/ppp# cat pptpd-options
> name pptpd
> refuse-pap
> ##refuse-chap
> require-chap
> ##refuse-mschap
> require-mschap
> require-mschap-v2
> require-mppe-128
> proxyarp
> nodefaultroute
> debug
> lock
> nobsdcomp
> plugin radius.so
> #plugin radattr.so
> radius-config-file /etc/radiusclient/radiusclient.conf
> auth
> ==
>
> And my radiusd.conf:
>
> ==
> prefix = /usr/local
> exec_prefix = ${prefix}
> sysconfdir = ${prefix}/etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
> log_file = ${logdir}/radius.log
> libdir = ${exec_prefix}/lib
> pidfile = ${run_dir}/radiusd.pid
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 1024
> bind_address = *
> port = 0
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions = yes
> extended_expressions= yes
> log_stripped_names = no
> log_auth = yes
> log_auth_badpass = no
> log_auth_goodpass = no
> usercollide = no
> lower_user = no
> lower_pass = no
> nospace_user = no
> nospace_pass = no
> checkrad = ${sbindir}/checkrad
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = no
> }
> proxy_requests  = no
> $INCLUDE  ${confdir}/clients.conf
> snmp= no
> thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> }
> modules {
> pap {
> encryption_scheme = crypt
> }
> chap {
> authtype = CHAP
> }
> unix {
> cache = no
> cache_reload = 600
> radwtmp = ${logdir}/radwtmp
> }
> mschap {
> authtype = MS-CHAP
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> }
> ldap {
> server = "ldap.telemedicina.ufsc.br"
> identity = "cn=Manager,dc=telemedicina,dc=ufsc,dc=br"
> password = "XXX"
> basedn = "ou=Users,dc=telemedicina,dc=ufsc,dc=br"
> filter = "(&(objectClass=posixAccount)(uid=%u))"
>
> start_tls = no
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> ldap_connections_number = 5
> password_header = "{Cleartext-Password}"
> password_attribute = sambaNTPassword
> timeout = 4
> timelimit = 3
> net_timeout = 1
> compare_check_items = no
> }
> realm suffix {
> format = suffix
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> checkval {
> item-name = Calling-Station-Id
> check-name = Calling-Station-Id
> data-type = string
> }
> preprocess {
> huntgroups = ${confdir}/huntgroups
> hints = ${confdir}/hints
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> }
> files {
> usersfile = ${confdir}/users
> compat = no
> }
> detail {
> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> detailperm = 0600
> }
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> }
> radutmp {
> filename = ${logdir}/radutmp
> username = %{User-Name}
> case_sensitive = yes
> check_with_nas = yes
> perm = 0600
> callerid = "yes"
> }
> radutmp sradutmp {
> filename = ${logdir}/sradutmp
> perm = 0644
> callerid = "no"
> }
> attr_filter {
> attrsfile = ${confdir}/attrs
> }
> counter daily {
> filename = ${raddbdir}/db.daily
> key = User-Name
> count-attribute = Acct-Session-Time
> reset = daily
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
>   

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Douglas Macedo
Sorry Alan,

but the webpage says that it doesn't work. It's impossible? Correct?

So, how can I fix that the other way?

My pptp-options:

==
epiderme:/etc/ppp# cat pptpd-options
name pptpd
refuse-pap
##refuse-chap
require-chap
##refuse-mschap
require-mschap
require-mschap-v2
require-mppe-128
proxyarp
nodefaultroute
debug
lock
nobsdcomp
plugin radius.so
#plugin radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf
auth
==

And my radiusd.conf:

==
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests  = no
$INCLUDE  ${confdir}/clients.conf
snmp= no
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
}
ldap {
server = "ldap.telemedicina.ufsc.br"
identity = "cn=Manager,dc=telemedicina,dc=ufsc,dc=br"
password = "XXX"
basedn = "ou=Users,dc=telemedicina,dc=ufsc,dc=br"
filter = "(&(objectClass=posixAccount)(uid=%u))"

start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_header = "{Cleartext-Password}"
password_attribute = sambaNTPassword
timeout = 4
timelimit = 3
net_timeout = 1
compare_check_items = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
e

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alan DeKok
Douglas Macedo wrote:
> how can I fix that?

  Read the web page.  It tells you.

  Alan DeKok.


Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Douglas Macedo
Alan,

how can I fix that?

Thanks in advance,
Douglas

On Wed, Nov 26, 2008 at 4:54 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:

> Douglas Macedo wrote:
> > I'm trying to configure a VPN Server with PPTP, using the 'radiusclient',
> > to connect to a FreeRadius, with auth in an LDAP Server.
> >
> > I "finished" the configuration, but when I try to connect with a Windows
> > XP client, it doesn't work.
> >
> > The radiusd -X output:
>
>   The client is doing CHAP, and the LDAP database only has NT passwords
> in it.  It is impossible to get this to work.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> > The result of 'radtest':
>
>  Which does PAP authentication.  The above web page shows that the
> combination of PAP and NT passwords will work.
>
>  Alan DeKok.
>



-- 
Douglas Macedo
[EMAIL PROTECTED]
--
The intelligence of an individual is measured by the amount of uncertainty
that he is able to bear.
(Immanuel Kant)

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alan DeKok
Douglas Macedo wrote:
> I'm trying to configure a VPN Server with PPTP, using the 'radiusclient',
> to connect to a FreeRadius, with auth in an LDAP Server.
> 
> I "finished" the configuration, but when I try to connect with a Windows
> XP client, it doesn't work.
> 
> The radiusd -X output:

  The client is doing CHAP, and the LDAP database only has NT passwords
in it.  It is impossible to get this to work.

http://deployingradius.com/documents/protocols/compatibility.html

> The result of 'radtest':

  Which does PAP authentication.  The above web page shows that the
combination of PAP and NT passwords will work.

  Alan DeKok.
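
Alan DeKok's point above (CHAP cannot be verified against NT passwords, PAP can) applied to the pptpd-options file posted elsewhere in this thread, as an added example that is not part of the original messages. The matrix covers only PAP, CHAP and MS-CHAP against clear-text and NT-hash storage. The function names and the format labels are hypothetical, the example assumes every require-* option adds a method the PPTP server will accept, and the corrected file follows Alexandre Chapellon's suggestion to keep only require-mschap-v2.

```python
import re

# Stored-password formats that can verify each PPP authentication method.
# "nt-hash" is what the sambaNTPassword LDAP attribute holds.
COMPATIBLE = {
    "pap": {"cleartext", "nt-hash"},
    "chap": {"cleartext"},          # CHAP-MD5 needs the clear-text password
    "mschap": {"cleartext", "nt-hash"},
    "mschap-v2": {"cleartext", "nt-hash"},
}

OPTION_RE = re.compile(r"(require|refuse)-(pap|chap|mschap-v2|mschap)")

# Authentication-related lines of the pptpd-options file from the thread.
PAGE_OPTIONS = """\
name pptpd
refuse-pap
##refuse-chap
require-chap
##refuse-mschap
require-mschap
require-mschap-v2
require-mppe-128
plugin radius.so
"""

# Constructed corrected variant: only MS-CHAPv2 remains acceptable.
FIXED_OPTIONS = """\
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
plugin radius.so
"""


def accepted_methods(options_text):
    """Methods the server side may end up negotiating with a client."""
    required, refused = set(), set()
    for raw in options_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        match = OPTION_RE.fullmatch(line)
        if not match:
            continue                          # not an auth-method option
        target = required if match.group(1) == "require" else refused
        target.add(match.group(2))
    return required - refused


def audit(options_text, stored_formats):
    """Map each accepted method to True if the stored format can verify it."""
    stored = set(stored_formats)
    return {method: bool(COMPATIBLE[method] & stored)
            for method in sorted(accepted_methods(options_text))}


def unusable(options_text, stored_formats):
    """Accepted methods that can never succeed with the stored format."""
    return [m for m, ok in audit(options_text, stored_formats).items() if not ok]


if __name__ == "__main__":
    for label, text in (("posted", PAGE_OPTIONS), ("corrected", FIXED_OPTIONS)):
        print(label, audit(text, {"nt-hash"}),
              "cannot work:", unusable(text, {"nt-hash"}))
```
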


My error:

2008-11-26 Thread Martin Silvero
rad_recv: Access-Request packet from host 10.0.16.4 port 1645, id=6, length=136
User-Name = "test"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9d00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x8185244a1739d905761d97635ccde126
EAP-Message = 0x020100090163657274
NAS-Port-Type = Wireless-802.11
NAS-Port = 262
NAS-IP-Address = 10.0.16.4
NAS-Identifier = "ap"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 6 to 10.0.16.4 port 1645
EAP-Message = 0x010200060d20
Message-Authenticator = 0x
State = 0xb7c9adf3b7cba0f54e6f2b406f75dfd7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 6 with timestamp +5
Ready to process requests.




this error is with the supplicant "wire1"

but... when the supplicant is "Intel PROset wireless" the error is this:







rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=2, length=136
User-Name = "cert"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.674a"
Service-Type = Login-User
Message-Authenticator = 0xba5587f920826e2bd4beb4695b9be3de
EAP-Message = 0x020100090163657274
NAS-Port-Type = Wireless-802.11
NAS-Port = 259
NAS-IP-Address = 10.0.31.40
NAS-Identifier = "ap-Reconquista-31"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 10.0.31.40 port 1645
EAP-Message = 0x010200060d20
Message-Authenticator = 0x
State = 0x45047f1b45067264424db5b65333fec0
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=3, length=255
User-Name = "cert"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.674a"
Service-Type = Login-User
Message-Authenticator = 0x565fba63fe92ec25bb27dc9b7cd35351
EAP-Message =
0x0202006e0d800064160301005f015b0301492d8813d8442284e62309c1463f24d6bd6dff31a5a199dee31582cbb9fa14043400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100
NAS-Port-Type = Wireless-802.11
NAS-Port = 259
State = 0x45047f1b45067264424db5b65333fec0
NAS-IP-Address = 10.0.31.40
NAS-Identifier = "ap-Reconquista-31"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 110
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/
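
The EAP-Message values in the two traces above can be decoded by hand. As an added example (not part of the original post and not FreeRADIUS code), this Python parser reads the EAP header (RFC 3748) and the EAP-TLS flags byte (RFC 5216) for the two values that survive intact in the traces; the function names are illustrative.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}   # methods that start with the L/M/S flags byte


def parse_eap(hex_value):
    """Decode one EAP packet given as the hex string radiusd -X prints.

    A RADIUS EAP-Message attribute holds at most 253 bytes; a longer EAP
    packet arrives as several attributes that must be concatenated first.
    """
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet is shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP Length field says %d bytes, %d present"
                         % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, "code %d" % code),
           "id": ident, "length": length}
    if code not in (1, 2):          # Success/Failure carry no Type
        return pkt
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    eap_type, data = raw[4], raw[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, "type %d" % eap_type)
    if eap_type == 1:
        pkt["identity"] = data.decode("utf-8", "replace")
    elif eap_type in TLS_BASED and data:
        flags = data[0]
        pkt["tls_flags"] = {"length_included": bool(flags & 0x80),
                            "more_fragments": bool(flags & 0x40),
                            "start": bool(flags & 0x20)}
        if flags & 0x80:
            if len(data) < 5:
                raise ValueError("L flag set but TLS Message Length missing")
            pkt["tls_message_length"] = struct.unpack("!I", data[1:5])[0]
    return pkt


def identity_matches_user_name(user_name, eap_hex):
    """Compare the RADIUS User-Name with the identity inside EAP-Message.

    Returns None when the packet is not an EAP-Response/Identity.
    """
    pkt = parse_eap(eap_hex)
    if pkt.get("type") != "Identity" or pkt["code"] != "Response":
        return None
    return pkt["identity"] == user_name


# Values copied from the traces above: (User-Name, EAP-Message) per request,
# and the EAP-Message the server sent back in its Access-Challenge.
REQUESTS = [("test", "0x020100090163657274"),
            ("cert", "0x020100090163657274")]
CHALLENGE = "0x010200060d20"

if __name__ == "__main__":
    for user_name, eap_hex in REQUESTS:
        print(user_name, parse_eap(eap_hex),
              "User-Name matches identity:",
              identity_matches_user_name(user_name, eap_hex))
    print(parse_eap(CHALLENGE))
```

Both requests carry the EAP identity `cert`; in the first trace the RADIUS User-Name is `test`, so the two differ there. The challenge decodes to an EAP-TLS Request with only the Start flag set, matching the `rlm_eap_tls: Start returned 1` line.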

PPTP + FreeRadius + LDAP

2008-11-26 Thread Douglas Macedo
Hey guys,

I'm trying to configure a VPN server with PPTP, using the 'radiusclient', to
connect to a FreeRadius, with auth in an LDAP server.

I "finished" the configuration, but when I try to connect with a Windows XP
client, it doesn't work.

The radiusd -X output:

=
[EMAIL PROTECTED] /usr/local/etc/raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded LDAP
 ldap: server = "ldap.telemedicina.ufsc.br"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=Manager,dc=telemedicina,dc=ufsc,dc=br"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = "XXX"
 ldap: basedn = "ou=Users,dc=telemedicina,dc=ufsc,dc=br"
 ldap: filter = "(&(objectClass=posixAccount)(uid=%u))"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "{Cleartext-Password}"
 ldap: password_attribute = "sambaNTPassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP r

Re: Status Server on RHEL 4 64 bit fails

2008-11-26 Thread thoralf . freitag
I comment out the authorize section and everything works fine.



From:
Alan DeKok <[EMAIL PROTECTED]>
To:
FreeRadius users mailing list 
Date:
26.11.08 17:33
Subject:
Re: Status Server on RHEL 4 64 bit fails
Sent by:
[EMAIL PROTECTED]



[EMAIL PROTECTED] wrote:
> /opt/radius/etc/raddb/sites-enabled/status[63]: Failed to find module "ok".
> Wed Nov 26 15:53:18 2008 : Error:
> /opt/radius/etc/raddb/sites-enabled/status[61]: Errors parsing authorize
> section.
> Wed Nov 26 15:53:18 2008 : Debug:  }
> Wed Nov 26 15:53:18 2008 : Debug: }
> Wed Nov 26 15:53:18 2008 : Error: Errors initializing modules
> 
> The same config works fine with REL3 and 32 bit.
> 
> Any ideas what could be wrong ?

  Nope.  I'll see if I have access to a 64-bit system.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html





www.biotronik.com




BIOTRONIK GmbH & Co. KG
Woermannkehre 1, 12359 Berlin, Germany
Registered office: Berlin, Registration court: Berlin HRA 6501

Represented by its general partner:
BIOTRONIK Mess- und Therapiegeräte GmbH
Registered office: Berlin, Registration court: Berlin HRB 2918
Managing directors: Dr. Max Schaldach, Christoph Böhmer, Dr. Werner Braun, 
Dr. Lothar Krings


This email and the information it contains including attachments are 
confidential and meant only for use by the intended recipient(s); 
disclosure or copying is strictly prohibited. If you are not addressed, 
but in the possession of this email, please notify the sender immediately 
and delete the document.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Read radius client from database

2008-11-26 Thread tnt
>First freeradius goes to sql and checks for the user record... regardless of
>the result of sql, the request is also forwarded to jradius, and jradius also checks for
>the same username in another database over another server (as I'm using
>jradius for having connectivity to another server)... I want freeradius to
>not go to jradius if the sql result is access-accept. I don't know whether
>there are any conditional statements in the configuration file which will help me

Not in 1.1.3. It can be done with unlang in new version. You should
really try to get jradius working on 2.1.1.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authentication delay in virtual servers

2008-11-26 Thread Alan DeKok
Oguzhan Kayhan wrote:
> Hello,
> I have two virtual servers on my freeradius installation with one is made
> via mysql and other is via a perl script which is checking an xml page for
> user/pass control.
> What i noticed is, when the xml server is down if somebody tries to login
> from this virtual server, the other virtual server hangs up too before it
> gets a reply from the previous virtual server. Is it smthing suppose to
> happen?

  All of the virtual servers are handled by one pool of threads.  If the
XML database is down, then it's possible for all threads to be blocked
waiting for it to return.

  When that happens, all virtual servers will be blocked.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Status Server on RHEL 4 64 bit fails

2008-11-26 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> /opt/radius/etc/raddb/sites-enabled/status[63]: Failed to find module "ok".
> Wed Nov 26 15:53:18 2008 : Error:
> /opt/radius/etc/raddb/sites-enabled/status[61]: Errors parsing authorize
> section.
> Wed Nov 26 15:53:18 2008 : Debug:  }
> Wed Nov 26 15:53:18 2008 : Debug: }
> Wed Nov 26 15:53:18 2008 : Error: Errors initializing modules
> 
> The same config works fine with REL3 and 32 bit.
> 
> Any ideas what could be wrong ?

  Nope.  I'll see if I have access to a 64-bit system.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MAC based auth

2008-11-26 Thread tnt
>Yes that's how I thought it worked. I guess that's ok in some situations
>but it's really inflexible in others.
>
>HP ProCurve switches allow you to enable both methods of authentication
>together on the same port. It's a little weird how it operates, but it
>seems to work very well in most situations.
>
>When a device connects to the port the switch starts sending EAP
>Identity Request packets. If the device responds with an EAP Identity
>Response and successfully completes 802.1X based authentication, the
>port goes into an open state with the PVID set to the VLAN assigned in
>the Access-Accept packet.
>
>If the device does not respond to the Identity request (or fails 802.1X
>authentication) and starts sending non eapol frames to the port, the
>switch writes the src mac of the device into the User-Name field and
>sends a Access-Request packet to the RADIUS server.
>If the RADIUS server responds to the Access-Request with an
>Access-Accept packet and a VLAN assignment, the PVID is changed to that
>VLAN. If the server responds with an Access-Reject, the port either
>remains closed, or if you have an Unauth-Vid configured for Mac-Based
>auth the PVID is changed to that.
>
>If the port is in the unauth state or is authenticated via Mac-Based
>authentication, the switch will continue to send EAP Identity Requests.
>If at any point the device initiates 802.1X authentication and succeeds
>in authenticating, the PVID of the port will change to the one assigned
>in 802.1X authentication.
>
>If the device then sends an EAPOL-Logoff packet the switch will then
>attempt to re-authenticate the device using Mac-Based authentication.
>

I found the flowchart for Cisco:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/122_25_see/configuration/guide/sw8021x.html#wp1170407

Main difference is that it will not attempt mac auth if 802.1x fails.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MAC based auth

2008-11-26 Thread Phil Mayers

Arran Cudbard-Bell wrote:
> Phil Mayers wrote:
>> Arran Cudbard-Bell wrote:
>>>>> was aware HP ProCurve were the only ones that supported this properly
>>>> No. Extreme X250/X450 and 3Com 4400.
>>>
>>> They don't publish their manuals online ?! All I can find is a 'getting
>>> started guide' for the 3Com and nothing for the Extreme switches.
>>
>> http://www.extremenetworks.com/services/software-userguide.aspx
>>
>> You want the "XOS concepts guide", chapter 21 ("Network Login")
>>
>> The 4400 is end-of-sale, so I doubt you want to waste time researching
>> them, but we have them and they work.
>
> Thanks for that. It's still worth looking at how other vendors do it.


From your description of ProCurve, 3Com do it the same way - send 
EAP-Identity, if the 1st packet back is EAP, go into 802.1x mode, else 
do mac-auth.


The 3Com's also have other weird modes where they'll do a PAP request 
with the MAC before the 802.1x, and you can AND or OR the results; 
AFACIT this is for people with crappy radius servers (e.g. IAS) who 
can't easily match on arbitrary fields.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Read radius client from database

2008-11-26 Thread Alan DeKok
Saeed Akhtar wrote:

  please...formatyourmessages in a normal way.

  Formatting them badly makes them harder to understand.

> I don't know whether there are any conditional statements in the
> configuration file which will help me   hopeful for some help :)

  FreeRADIUS 2.x comes with a complete policy language.

$ man unlang

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MAC based auth

2008-11-26 Thread schilling
We did mac-based authentication on our campus resnet with about 5000 unique
MAC addresses. We have dominantly foundry, and some cisco 3550s. Foundry
switches work very good. Their dot1x feature sets are very good, they called
multi-device port authentication.


Cisco 3550 is ok, at least we get the MAB working as we architected.  You
have to disable 802.1x in order to do MAB. There are some catches though.

Sample cisco switch configuration

aaa new-model

aaa authentication dot1x default group radius
aaa authorization network default group radius local
dot1x system-auth-control

interface FastEthernet0/3
 description MAC-AuthC
 switchport access vlan 552
 switchport mode access
 dot1x mac-auth-bypass
 dot1x critical
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
 spanning-tree bpduguard enable


radius vlan instruction policy settings
$RAD_REPLY{'Service-Type'} = "Framed-User";
$RAD_REPLY{'Tunnel-Type'} = "VLAN";
$RAD_REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
$RAD_REPLY{'Tunnel-Private-Group-Id'} = "YourVLANName";





There is one special troubleshooting guide for MAC address authentication:
please make sure the student's computer does not have 802.1x authentication
enabled on the Ethernet network connection when a student calls and says the
network reports no or limited network connection. We found out that Windows XP
and Windows Vista 802.1x authentication is not enabled by default, but we just
want to double check to make sure the 802.1x authentication is disabled on
the Ethernet connection.

How to check the 802.1x authentication is off?
In Windows XP: Start, Settings, Network Connections, right click Local Area
Connection, select Properties. If you do not see an Authentication tab,
802.1x is not available, thus not enabled. If the Authentication tab is
available, please make sure the "Enable IEEE 802.1x for this network" checkbox
is not checked.


More technical details regarding Windows 802.1x authentication for your
information.
In windows XP SP3 and Windows Vista, there is a service which is set to
Manual and Stopped by default
start->run->cmd
services.msc
service: dot2svc
display name: wired autoconfig
description: This service performs IEEE 802.1X authentication on Ethernet
interfaces
If you right click the service and start the service, the
Authentication tab will show up in your local area connection properties.


Schilling




On Wed, Nov 26, 2008 at 8:42 AM, <[EMAIL PROTECTED]> wrote:

> >Do they support Mac-Based Auth + 802.1X on the same port?
>
> In a (very) weird way. It's not mac auth + 802.1x but mac auth *in*
> 802.1x (mac address is sent as user/pass - requires registry hacking on
> XP). And then you can re-authenticate with username/pass.
>
> There is also something called mac authentication bypass for 802.1x. If
> enabled switch will do mac auth if it doesn't get EAPOL packet from the
> supplicant. So, in a matter of speaking, you can have mac auth and
> (probably should say or - the idea is to be able to connect something
> that doesn't do 802.1x, like a network printer) 802.1x on the same port.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MAC based auth

2008-11-26 Thread Arran Cudbard-Bell
Phil Mayers wrote:
> Arran Cudbard-Bell wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>>
>>>> was aware HP ProCurve were the only ones that supported this properly
>>> No. Extreme X250/X450 and 3Com 4400.
>>
>> They don't publish their manuals online ?! All I can find is a 'getting
>> started guide' for the 3Com and nothing for the Extreme switches.
> 
> http://www.extremenetworks.com/services/software-userguide.aspx
> 
> You want the "XOS concepts guide", chapter 21 ("Network Login")
> 
> The 4400 is end-of-sale, so I doubt you want to waste time researching
> them, but we have them and they work.

Thanks for that. It's still worth looking at how other vendors do it.

- --
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Read radius client from database

2008-11-26 Thread Saeed Akhtar
Thanks. It worked, but here comes another issue where I'm
stuck ... using both sql and jradius for authorization creates a problem.
First freeradius goes to sql and checks for the user record... regardless of
the result of sql, the request is also forwarded to jradius, and jradius also checks for
the same username in another database over another server (as I'm using
jradius for having connectivity to another server)... I want freeradius to
not go to jradius if the sql result is access-accept. I don't know whether
there are any conditional statements in the configuration file which will help me.
Hopeful for some help :)  Thanks
Regards,

Saeed Akhtar



2008/11/26 <[EMAIL PROTECTED]>

> 1.1.3 doesn't use Cleartext-Password. That came in 1.1.4. Read the users
> file. It should be User-Password.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 26/11/2008, "Saeed Akhtar" <[EMAIL PROTECTED]> wrote:
>
> >Thanks for your help. Setting sql in the authorize section of radiusd.conf
> >solved the problem. But now when sql checks for username and password it
> >gives error Unknow Attribute "Cleartext-Password".. I am not
> >upgrading to 2.x because I tried to configure jradius with 2.1.1 and it gave
> >errors... so the best choice left for me was to degrade to 1.1.3 ... as a patch
> >was available for this version, but now I'm facing problems regarding
> >mysql. Can you people suggest anything.. Thanks for the help
> >Regards,
> >
> >Saeed Akhtar
> >
> >
> >
> >On Wed, Nov 26, 2008 at 6:17 PM, Alan DeKok <[EMAIL PROTECTED]
> >wrote:
> >
> >> Saeed Akhtar wrote:
> >> > Debug Trace:
> >>
> >>  You're not running 2.x.  You should upgrade.
> >>
> >>  You haven't configured the SQL module.  You need to do this for it to
> >> work.
> >>
> >>  Alan DeKok.
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >>
> >
> >
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MAC based auth

2008-11-26 Thread Arran Cudbard-Bell
[EMAIL PROTECTED] wrote:
>> Do they support Mac-Based Auth + 802.1X on the same port?
>
> In a (very) weird way. It's not mac auth + 802.1x but mac auth *in*
> 802.1x (mac address is sent as user/pass - requires registry hacking on
> XP). And then you can re-authenticate with username/pass.
>
> There is also something called mac authentication bypass for 802.1x. If
> enabled switch will do mac auth if it doesn't get EAPOL packet from the
> supplicant. So, in a matter of speaking, you can have mac auth and
> (probably should say or - the idea is to be able to connect something
> that doesn't do 802.1x, like a network printer) 802.1x on the same port.
>

Yes that's how I thought it worked. I guess that's ok in some situations
but it's really inflexible in others.

HP ProCurve switches allow you to enable both methods of authentication
together on the same port. It's a little weird how it operates, but it
seems to work very well in most situations.

When a device connects to the port the switch starts sending EAP
Identity Request packets. If the device responds with an EAP Identity
Response and successfully completes 802.1X based authentication, the
port goes into an open state with the PVID set to the VLAN assigned in
the Access-Accept packet.

If the device does not respond to the Identity request (or fails 802.1X
authentication) and starts sending non eapol frames to the port, the
switch writes the src mac of the device into the User-Name field and
sends a Access-Request packet to the RADIUS server.
If the RADIUS server responds to the Access-Request with an
Access-Accept packet and a VLAN assignment, the PVID is changed to that
VLAN. If the server responds with an Access-Reject, the port either
remains closed, or if you have an Unauth-Vid configured for Mac-Based
auth the PVID is changed to that.

If the port is in the unauth state or is authenticated via Mac-Based
authentication, the switch will continue to send EAP Identity Requests.
If at any point the device initiates 802.1X authentication and succeeds
in authenticating, the PVID of the port will change to the one assigned
in 802.1X authentication.

If the device then sends an EAPOL-Logoff packet the switch will then
attempt to re-authenticate the device using Mac-Based authentication.

Arran

- --
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re: RSASecurid and PEAP

2008-11-26 Thread David Mitton
I should know better than to ask "what are you thinking?"  but let me attempt to 
explain.

The RSA SecurID RADIUS server can authenticate plain text OTPs inside of PEAP
(or if you load our EAP client, use SecurID-EAP or Protected-OTP)

FreeRADIUS should have no problem proxying that.
But as Alan points out, EAP & RADIUS don't work the way you want.

The EAP authentication is end-to-end.   The RADIUS server itself doesn't know how 
the EAP method did its thing.  It relays EAP messages as opaque blobs, and 
gets a success/failure indication (and the encryption keys) when it's done.
To a certain extent so does the access point.   APs should be able to support 
any EAP method that follows RFC 3748 message formats.

So you cannot alter this conversation without changing the EAP method protocol.
What piece of software on the client is going to respond to this challenge out 
of thin air?
PEAP on the client doesn't work that way.

Dave.


On Nov 26, 2008, [EMAIL PROTECTED] wrote:


Paul TAVERNIER wrote:
> 1) i want to authorize/authenticate a user with a couple
> username/OTPpassword (RSASecurid) through a Freeradius server (i proxy
> the acces-request to a RSARadius-Securid server). It's ok.

 What do you mean "It's OK"?  Have you tested this with
cleartext-passwords, MS-CHAP, PEAP, or ...?

> 2) (then, if i get an Access-Accept) (in a post-proxy section?) i want
> to initiate an EAP Challenge between my XP-Wireless-supplicant client
> and FREERADIUS (not the RSA radius)...

 That's not how EAP works.  The supplicant and NAS control how the
protocol works, and you can't change things on the RADIUS server.


> Can i configure something like that

 No.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Status Server on RHEL 4 64 bit fails

2008-11-26 Thread thoralf . freitag
Hi,

I enabled the status server and the freeradius 2.1.1 does not start:

Wed Nov 26 15:43:59 2008 : Error: 
/opt/radius/etc/raddb/sites-enabled/status[63]: Failed to find module 
"ok".
Wed Nov 26 15:43:59 2008 : Error: 
/opt/radius/etc/raddb/sites-enabled/status[61]: Errors parsing authorize 
section.
Wed Nov 26 15:43:59 2008 : Error: Errors initializing modules

or

Wed Nov 26 15:53:18 2008 : Debug: radiusd:  Loading Virtual Servers 

Wed Nov 26 15:53:18 2008 : Debug: server status {
Wed Nov 26 15:53:18 2008 : Debug:  modules {
Wed Nov 26 15:53:18 2008 : Debug:  Module: Checking authorize {...} for 
more modules to load
Wed Nov 26 15:53:18 2008 : Error: 
/opt/radius/etc/raddb/sites-enabled/status[63]: Failed to find module 
"ok".
Wed Nov 26 15:53:18 2008 : Error: 
/opt/radius/etc/raddb/sites-enabled/status[61]: Errors parsing authorize 
section.
Wed Nov 26 15:53:18 2008 : Debug:  }
Wed Nov 26 15:53:18 2008 : Debug: }
Wed Nov 26 15:53:18 2008 : Error: Errors initializing modules



The same config works fine with REL3 and 32 bit.

Any ideas what could be wrong ?

--
Thoralf Freitag
Manager Health Services System Administration

Phone:  +49 (0) 30 68905-4611
Cellular:+49 (0) 151 1631-4611
Fax:+49 (0) 30 68905-2940
Mail:  [EMAIL PROTECTED]



From:
"Paul Bartell" <[EMAIL PROTECTED]>
To:
"FreeRadius users mailing list" 
Date:
26.11.08 15:39
Subject:
Re: Supported Acesspoints
Sent by:
[EMAIL PROTECTED]



I find that my WRT54G-L works well with DD-WRT flashed on it. I know
some weird linksys voip box from T-mobile supports WPA-ENT
authentication, making me think that maybe in Linksys' enterprise
products they would have some kind of WPA enterprise authentication
possibility. Usually it is in the specifications whether or not an AP
will work with radius.

On Wed, Nov 26, 2008 at 6:35 AM, M.K. ten Napel <[EMAIL PROTECTED]> 
wrote:
> Hi,
>
> Previously I asked if anyone had trouble with the Linksys WAP54G, like I
> did. I'm thinking about trying another type of access point. Before buying
> one, I would like to know what APs are being used with FreeRadius.
>
> Any tips/suggestions on buying an AP that works well in WPA-enterprise
> (EAP-TLS) with FreeRadius?
>
> Thanks! :)
>
> Mariourk
>
> -
> List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html
>



-- 
Random quote of the week/month/whenever i get to updating it:
"Opportunity knocked. My doorman threw him out." - Adrienne Gusoff

"At school you don't get parole, good behavior only brings a longer
sentence." - The History Boys
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Supported Acesspoints

2008-11-26 Thread Paul Bartell
I find that my WRT54G-L works well with DD-WRT flashed on it. I know
some weird Linksys VoIP box from T-Mobile supports WPA-ENT
authentication, making me think that maybe in Linksys' enterprise
products they would have some kind of WPA enterprise authentication
possibility. Usually it is in the specifications whether or not an AP
will work with RADIUS.

On Wed, Nov 26, 2008 at 6:35 AM, M.K. ten Napel <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Previously I asked if anyone had trouble with the Linksys WAP54G, like I
> did. I'm thinking about trying another type of access point. Before buying
> one, I would like to know what APs are being used with FreeRadius.
>
> Any tips/suggestions on buying an AP that works well in WPA-enterprise
> (EAP-TLS) with FreeRadius?
>
> Thanks! :)
>
> Mariourk
>



-- 
Random quote of the week/month/whenever i get to updating it:
"Opportunity knocked. My doorman threw him out." - Adrienne Gusoff

"At school you don't get parole, good behavior only brings a longer
sentence." - The History Boys


Supported Access Points

2008-11-26 Thread M.K. ten Napel
Hi,

Previously I asked if anyone had trouble with the Linksys WAP54G, like I
did. I'm thinking about trying another type of access point. Before buying
one, I would like to know what APs are being used with FreeRadius.

Any tips/suggestions on buying an AP that works well in WPA-enterprise
(EAP-TLS) with FreeRadius?

Thanks! :)

Mariourk



Re: MAC based auth

2008-11-26 Thread Phil Mayers

Arran Cudbard-Bell wrote:
>>> was aware HP ProCurve were the only ones that supported this properly
>> No. Extreme X250/X450 and 3Com 4400.
>
> They don't publish their manuals online ?! All I can find is a 'getting
> started guide' for the 3Com and nothing for the Extreme switches.

http://www.extremenetworks.com/services/software-userguide.aspx

You want the "XOS concepts guide", chapter 21 ("Network Login")

The 4400 is end-of-sale, so I doubt you want to waste time researching 
them, but we have them and they work.



Re: Read radius client from database

2008-11-26 Thread tnt
1.1.3 doesn't use Cleartext-Password. That came in 1.1.4. Read the users
file. It should be User-Password.

Ivan Kalik
Kalik Informatika ISP


On 26/11/2008, "Saeed Akhtar" <[EMAIL PROTECTED]> wrote:

>Thanks for your help. Setting sql in the authorize section of radiusd.conf
>solved the problem. But now when sql checks for username and password it
>gives the error Unknown Attribute "Cleartext-Password". I am not
>upgrading to 2.x because I tried to configure jradius with 2.1.1 and it gave
>errors, so the best choice left for me was to downgrade to 1.1.3, as a patch
>was available for this version, but now I'm facing problems regarding
>mysql. Can you people suggest anything? Thanks for the help.
>Regards,
>
>Saeed Akhtar
>
>
>
>On Wed, Nov 26, 2008 at 6:17 PM, Alan DeKok <[EMAIL PROTECTED]>wrote:
>
>> Saeed Akhtar wrote:
>> > Debug Trace:
>>
>>  You're not running 2.x.  You should upgrade.
>>
>>  You haven't configured the SQL module.  You need to do this for it to
>> work.
>>
>>  Alan DeKok.
>>
>
>



Re: Read radius client from database

2008-11-26 Thread tnt
sql is commented out in radiusd.conf by default. Enable it somewhere.

This is the old server version. Use the latest one. Even for testing.
It's so much better.

Ivan Kalik
Kalik Informatika ISP


On 26/11/2008, "Saeed Akhtar" <[EMAIL PROTECTED]> wrote:

>Debug Trace:

Re: MAC based auth

2008-11-26 Thread Hegedus Gabor

[EMAIL PROTECTED] wrote:
>> Do they support Mac-Based Auth + 802.1X on the same port?
>
> In a (very) weird way. It's not mac auth + 802.1x but mac auth *in*
> 802.1x (mac address is sent as user/pass - requires registry hacking on
> XP). And then you can re-authenticate with username/pass.
>
> There is also something called mac authentication bypass for 802.1x. If
> enabled switch will do mac auth if it doesn't get EAPOL packet from the
> supplicant. So, in a manner of speaking, you can have mac auth and
> (probably should say or - the idea is to be able to connect something
> that doesn't do 802.1x, like a network printer) 802.1x on the same port.
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks everybody,

yes, I find the mac auth bypass but it works just on some Cisco devices.
I will try this win hack cos it might be usable,
and tell if I have solutions.

Gabor








Re: Read radius client from database

2008-11-26 Thread Saeed Akhtar
Thanks for your help. Setting sql in the authorize section of radiusd.conf
solved the problem. But now when sql checks for username and password it
gives the error Unknown Attribute "Cleartext-Password". I am not
upgrading to 2.x because I tried to configure jradius with 2.1.1 and it gave
errors, so the best choice left for me was to downgrade to 1.1.3, as a patch
was available for this version, but now I'm facing problems regarding
mysql. Can you people suggest anything? Thanks for the help.
Regards,

Saeed Akhtar



On Wed, Nov 26, 2008 at 6:17 PM, Alan DeKok <[EMAIL PROTECTED]>wrote:

> Saeed Akhtar wrote:
> > Debug Trace:
>
>  You're not running 2.x.  You should upgrade.
>
>  You haven't configured the SQL module.  You need to do this for it to
> work.
>
>  Alan DeKok.

Re: MAC based auth

2008-11-26 Thread tnt
>Do they support Mac-Based Auth + 802.1X on the same port?

In a (very) weird way. It's not mac auth + 802.1x but mac auth *in*
802.1x (mac address is sent as user/pass - requires registry hacking on
XP). And then you can re-authenticate with username/pass.

There is also something called mac authentication bypass for 802.1x. If
enabled switch will do mac auth if it doesn't get EAPOL packet from the
supplicant. So, in a manner of speaking, you can have mac auth and
(probably should say or - the idea is to be able to connect something
that doesn't do 802.1x, like a network printer) 802.1x on the same port.

Ivan Kalik
Kalik Informatika ISP



Re: Can FreeRadius server as AAA for MMSC and EVDO as well?

2008-11-26 Thread Alan DeKok
Aldo wrote:
> -In FreeRADIUS I have to connect it with sql database server (such as
> mysql), then create a database, then I dont know how to interconnect it
> with the NAS (my PDSN)

  Um... via the RADIUS protocol?

  See your NAS documentation for what it needs in a RADIUS response.

> -For the PDSN, I think I must enable a interface which connects to the
> RADIUS server and then authenticate them with a shared secret and then
> setup a ip pool in the PDSN, please tell me what steps i miss.

  Quite possibly, yes.

  Again, see your NAS documentation for how to configure your NAS to do
RADIUS.

  Alan DeKok.


Re: Read radius client from database

2008-11-26 Thread Alan DeKok
Saeed Akhtar wrote:
> Debug Trace:

  You're not running 2.x.  You should upgrade.

  You haven't configured the SQL module.  You need to do this for it to
work.

  Alan DeKok.


Re: MAC based auth

2008-11-26 Thread Arran Cudbard-Bell


>>> was aware HP ProCurve were the only ones that supported this properly
>> No. Extreme X250/X450 and 3Com 4400.
> 

They don't publish their manuals online ?! All I can find is a 'getting
started guide' for the 3Com and nothing for the Extreme switches.

Does anyone have an advanced security guide or equivalent for either of
these switches they could mail me ?

--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


re:Re: Read radius client from database

2008-11-26 Thread mj mailing lists user
Hi seems to me you are missing rlm_sql, when I start radiusd -X I get the 
following lines:

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
..
rlm_sql_mysql: query:  SELECT id, nasname, shortname, type, secret FROM nas

this last line is then followed by 
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=localhost,secret=secretpw
..

Maybe you didn't configure sql right.
In freeradius2:
Uncomment sql in raddb/sites-enabled/default
Check your raddb/sql.conf file

In freeradius1: uncomment sql (authorize section) in radiusd.conf and adapt
sql.conf


Michel


>Debug Trace:

Re: MAC based auth

2008-11-26 Thread Arran Cudbard-Bell

Phil Mayers wrote:
> Arran Cudbard-Bell wrote:
>>
>> [EMAIL PROTECTED] wrote:
>>>> now imho cisco switches don't support mac based authentication with
>>>> freeRadius.

>>> They most certainly do. And when you study for your CCNA you will learn
>>> how.
>>>
>>
>> Do they support Mac-Based Auth + 802.1X on the same port? As far as I
> 
> Yes

As in the port can dynamically transition between the two? I thought
there was a caveat that Mac-Based auth would only work if the supplicant
didn't respond to the Identity-Request or send an EAP-Start packet? and
that if EAP based authentication failed the port would remain blocked?

> 
>> was aware HP ProCurve were the only ones that supported this properly
> 
> No. Extreme X250/X450 and 3Com 4400.

Ok i'll check them out.

Thanks,
Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: MAC based auth

2008-11-26 Thread A . L . M . Buxey
Hi,
> >now imho cisco switches don't support mac based authentication with
> >freeRadius.
> >
> 
> They most certainly do. And when you study for your CCNA you will learn
> how.

well, it depends on which Cisco switches you are talking about ;-)

alan


Re: MAC based auth

2008-11-26 Thread Phil Mayers

Arran Cudbard-Bell wrote:
> [EMAIL PROTECTED] wrote:
>>> now imho cisco switches don't support mac based authentication with
>>> freeRadius.
>>
>> They most certainly do. And when you study for your CCNA you will learn
>> how.
>
> Do they support Mac-Based Auth + 802.1X on the same port? As far as I

Yes

> was aware HP ProCurve were the only ones that supported this properly

No. Extreme X250/X450 and 3Com 4400.


Re: MAC based auth

2008-11-26 Thread Arran Cudbard-Bell

[EMAIL PROTECTED] wrote:
>> now imho cisco switches don't support mac based authentication with
>> freeRadius.
>>
> 
> They most certainly do. And when you study for your CCNA you will learn
> how.
> 

Do they support Mac-Based Auth + 802.1X on the same port? As far as I
was aware HP ProCurve were the only ones that supported this properly
(and that's only been after a lot of tedious bug reports and shouting).

Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: Read radius client from database

2008-11-26 Thread Saeed Akhtar
Debug Trace:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/jradius.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded jradius
 jradius: name = "example"
 jradius: primary = "127.0.0.1"
 jradius: secondary = "192.168.1.2:1815"
 jradius: tertiary = "192.168.1.2:1816"
 jradius: timeout = 1
 jradius: onfail = "NOOP"
 jradius: keepalive = yes
 jradius: connections = 8
rlm_jradius: configuring jradius server 127.0.0.1:1814
rlm_jradius: configuring jradius server 192.168.1.2:1815
rlm_jradius: configuring jradius server 192.168.1.2:1816
rlm_jradius: starting JRadius connection 0
rlm_jradius: starting JRadius connection 1
rlm_jradius: starting JRadius connection 2
rlm_jradius: starting JRadius connection 3
rlm_jradius: starting JRadius connection 4
rlm_jradius: starting JRadius connection 5
rlm_jradius: starting JRadius connection 6
rlm_jradius: starting JRadius connection 7
Module: Instantiated jradius (jradius)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: u
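
The replies from Alan DeKok, Ivan Kalik and Michel all make the same check by eye: this trace never instantiates the sql module and never prints the rlm_sql lines that appear when clients are read from the nas table. The script below is an added example (not from any poster or from the FreeRADIUS project) that automates that check on a pasted trace and blanks shared secrets before the trace is shared; the sample traces are constructed from the line formats quoted in this thread, and treating an instance named sql as the SQL module is an assumption.

```python
import re

# Line formats copied from the traces quoted in this thread.
INCLUDE_RE = re.compile(r"^Config: including file: (\S+)$")
INSTANCE_RE = re.compile(r"^Module: Instantiated (\S+) \((\S+)\)$")
SQL_DRIVER_RE = re.compile(r"^rlm_sql \((\S+)\): Driver (\S+) ")
NAS_ENTRY_RE = re.compile(
    r"^rlm_sql \((\S+)\): Read entry nasname=([^,]+),shortname=([^,]*),secret="
)
# Matches secret=value (the "Read entry" line) and secret = "value".
SECRET_RE = re.compile(r"(\bsecret\s*=\s*).*$")

# Constructed sample: shortened 1.1.x-style trace, sql.conf included but unused.
TRACE_WITHOUT_SQL = """\
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/sql.conf
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
"""

# Constructed sample: the rlm_sql lines Michel quotes from a working setup.
TRACE_WITH_SQL = """\
Config: including file: /usr/local/etc/raddb/sql.conf
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql_mysql: query:  SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=localhost,secret=secretpw
"""


def redact(line):
    """Blank a RADIUS shared secret so the trace can be posted safely."""
    return SECRET_RE.sub(r"\1<redacted>", line)


def analyze(trace):
    """Return included files, module instances, SQL clients and a diagnosis."""
    includes, instances, clients = [], [], []
    sql_active = False
    for raw in trace.splitlines():
        line = raw.lstrip("> ").rstrip()  # also accept mail-quoted traces
        if m := INCLUDE_RE.match(line):
            includes.append(m.group(1))
        elif m := INSTANCE_RE.match(line):
            instances.append(m.group(2))
            # Assumption: the SQL module is instantiated under the name "sql".
            sql_active = sql_active or m.group(2) == "sql"
        elif SQL_DRIVER_RE.match(line):
            sql_active = True
        elif m := NAS_ENTRY_RE.match(line):
            sql_active = True
            # The secret is deliberately not captured or stored.
            clients.append({"nasname": m.group(2), "shortname": m.group(3)})

    sql_conf = any(p.endswith("/sql.conf") for p in includes)
    if not sql_active:
        diagnosis = "sql_not_instantiated" if sql_conf else "sql_conf_not_included"
    elif not clients:
        diagnosis = "no_clients_read_from_nas"
    else:
        diagnosis = "ok"
    return {"includes": includes, "instances": instances,
            "clients": clients, "diagnosis": diagnosis}


if __name__ == "__main__":
    for name, trace in (("without sql", TRACE_WITHOUT_SQL),
                        ("with sql", TRACE_WITH_SQL)):
        result = analyze(trace)
        print(name, "->", result["diagnosis"], result["clients"])
        for line in trace.splitlines():
            if "secret" in line:
                print("  shareable:", redact(line))
```

A result of sql_not_instantiated matches the fix given in the replies (list sql in a processing section such as authorize); no_clients_read_from_nas points at readclients or an empty nas table.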

Re: MAC based auth

2008-11-26 Thread tnt
>now imho cisco switches don't support mac based authentication with
>freeRadius.
>

They most certainly do. And when you study for your CCNA you will learn
how.

Ivan Kalik
Kalik Informatika ISP



Re: Read radius client from database

2008-11-26 Thread tnt
Post the debug of the server startup.

Ivan Kalik
Kalik Informatika ISP


On 26/11/2008, "Saeed Akhtar" <[EMAIL PROTECTED]> wrote:

>Hi all,
>
>   I am having a problem configuring Radius to read client information from
>mysql database table "nas". I found an option at the last line of sql.conf
>
>readclients = yes
>
>I uncommented it, then added a record in the nas table, then tried to send
>a request from the newly added client, but it says unknown client. Can anyone
>help me in this regard? Thank you
>Regards,
>
>Saeed Akhtar
>
>



Re: MAC based auth

2008-11-26 Thread Hegedus Gabor

Hi,

now imho cisco switches don't support mac based authentication with 
freeRadius.


Do you have any solutions for my problem?
I have server machines. If the power fails and returns, the server
boots up and the server services continue (nobody logs in).
I want 802.1x security on the network. I have a freeradius and a cisco
switch.


My ideas:
- freeradius gets a request (Host/pass + mac address) from the server through
the switch. The fRadius uses JUST the mac address to authenticate this
machine (username not = MAC).


Another idea:
- when the server boots up it sends host/pass + mac, and freeRadius checks
the hostname and pass and accepts the request if they are equal. It seems good but
I don't know the password. What password does the server send? Nothing?

If I can set this password (once and for all) it will be good security.

I have no more ideas...



Methods not supported by freeradius source code

2008-11-26 Thread Fernando

Hi all,

After configuring the EAP2 module and testing it with EAP-MD5 (it works properly),
I want to use EAP-PSK and/or EAP-GPSK. But if I add in the eap2 module ...


eap2 {
   psk {
   }
}

When I run radiusd it fails, showing that "psk is unknown". How can
these non-native freeradius methods provided by libeap.so (hostap) be used?



Thanks.


Read radius client from database

2008-11-26 Thread Saeed Akhtar
Hi all,

   I am having a problem configuring Radius to read client information from
mysql database table "nas". I found an option at the last line of sql.conf

readclients = yes

I uncommented it, then added a record in the nas table, then tried to send
a request from the newly added client, but it says unknown client. Can anyone
help me in this regard? Thank you
Regards,

Saeed Akhtar

Re: EAP2 configuration

2008-11-26 Thread Fernando

Alan DeKok wrote:
> Fernando wrote:
>> Alan DeKok wrote:
>>>   You deleted "eap", but didn't add "eap2".
>>
>> Yes, I added eap2 in authentication section, see this...
>
>   Are you really sure you know what you're doing?
>
>> Module: Checking authenticate {...} for more modules to load
>> Module: Linked to module rlm_eap2
>> Module: Instantiating eap2
>>  eap2 {
>>    timer_expire = 60
>>    cisco_accounting_username_bug = no
>
>   These are not configuration items for the "eap2" module.  Why did you
> add them?
>
>> I added eap2 to the radiusd.conf too and I added a user in users file.
>>
>> Do I need  to do anything else?

Ok, thanks for your time :) I was missing AN IMPORTANT thing in the
users file, it was making me crazy "AUTH-TYPE := EAP2" I forgot it. Now
EAP-MD5 using EAP2 works properly.

Thanks a lot :), If you want some kind of guide for configuring EAP2
properly for the rest of the freeradius's user let me know and I'll
provide it to you.

>   Yes:
>
>   Please familiarize yourself with the configuration files before
> editing them.
>
>   Alan DeKok.



Re: RSASecurid and PEAP

2008-11-26 Thread Alan DeKok
Paul TAVERNIER wrote:
> 1) i want to authorize/authenticate a user with a couple
> username/OTPpassword (RSASecurid) through a Freeradius server (i proxy
> the Access-Request to a RSARadius-Securid server). It's ok.

  What do you mean "It's OK"?  Have you tested this with
cleartext-passwords, MS-CHAP, PEAP, or ...?

> 2) (then, if i get an Access-Accept) (in a post-proxy section?) i want
> to initiate an EAP Challenge between my XP-Wireless-supplicant client
> and FREERADIUS (not the RSA radius)...

  That's not how EAP works.  The supplicant and NAS control how the
protocol works, and you can't change things on the RADIUS server.


> Can i configure something like that

  No.

  Alan DeKok.


RSASecurid and PEAP

2008-11-26 Thread Paul TAVERNIER

Hi

i would like to know if this thing (scenario) is possible...

1) i want to authorize/authenticate a user with a couple
username/OTPpassword (RSASecurid) through a Freeradius server (i proxy
the access-request to a RSARadius-Securid server). It's ok.

2) (then, if i get an Access-Accept) (in a post-proxy section?) i want
to initiate an EAP Challenge between my XP-Wireless-supplicant client
and FREERADIUS (not the RSA radius)...

Can i configure something like that

authorize {
...
suffix
...
}

post-proxy {
(if access-accept...)
eap
}


Hope this mail is not too obfuscated...and then is able to be decoded...

Regards
Paul


Re: Can FreeRadius server as AAA for MMSC and EVDO as well?

2008-11-26 Thread Aldo
Well, you are right, I shouldn't post about the MMSC if I know that it doesn't
support RADIUS, but as I wrote in the input, the NAS (Huawei PDSN 9660)
supports RADIUS, and I need to set up the headsets to be authorized
with FreeRADIUS to use EVDO. I think I have a very basic idea; please
correct me and give some guidance if you can.


- In FreeRADIUS I have to connect it with an SQL database server (such as
mysql), then create a database; then I don't know how to interconnect it
with the NAS (my PDSN).
- For the PDSN, I think I must enable an interface which connects to the
RADIUS server and then authenticate them with a shared secret and then
set up an IP pool in the PDSN. Please tell me what steps I miss.


Thanks again,
Aldo

--

Date: Wed, 26 Nov 2008 01:02:00 -0800
From: Aldo <[EMAIL PROTECTED]>
Subject: Re: Re: Can FreeRadius server as AAA for MMSC and EVDO as
well?

Well, my NAS (Huawei PDSN 9660) does support RADIUS actually; the
MMSC is an older Huawei MMSC (based on Sun) and the documentation doesn't say
anything about RADIUS.
I know HLR can handle the phone authorization for data usage, but that
will enable/disable MMSC and EVDO in bundle. Let's say I configure the
PDSN with the FreeRADIUS for the EVDO: what do you recommend me to
authenticate MMSC?

Thanks again.

--

Date: Wed, 26 Nov 2008 08:30:38 +0100
From: Alan DeKok <[EMAIL PROTECTED]>
Subject: Re: Can FreeRadius server as AAA for MMSC and EVDO as well?

Aldo Zavala wrote:
> Hello, in our network we have two data services:
> 1.- MMSC (Multimedia Message Service Center)
> 2.- EVDO (Evolution-Data Optimized)
>
> I just downloaded and installed FreeRADIUS on a FreeBSD server. This is my
> first time trying to configure it, but first of all I would like to know if
> mine is a common usage of FreeRADIUS. The MMSC is served through a Solaris-based
> server and EVDO is served through a proprietary PDSN appliance.
>
> Are there more people who figured out how to make a configuration
> like this possible?

  If those services use RADIUS for authentication, then it's possible.
See their documentation for the list of features that they support.

  Alan DeKok.

--

Date: Wed, 26 Nov 2008 11:14:19 +0100
From: Alan DeKok <[EMAIL PROTECTED]>
Subject: Re: Can FreeRadius server as AAA for MMSC and EVDO as well?

Aldo wrote:
> Well, my NAS (Huawei PDSN 9660) does support RADIUS actually; the
> MMSC is an older Huawei MMSC (based on Sun) and the documentation doesn't say
> anything about RADIUS.
> I know HLR can handle the phone authorization for data usage, but that
> will enable/disable MMSC and EVDO in bundle. Let's say I configure the
> PDSN with the FreeRADIUS for the EVDO: what do you recommend me to
> authenticate MMSC?

  If your MMSC doesn't support RADIUS, then you can't do RADIUS.

  If you're not using RADIUS, there's no point asking questions on this
list.

  Alan DeKok.



Re: ip pool

2008-11-26 Thread thoralf . freitag
Maybe you can define your pools similar to this (not tested)

DEFAULT Called-Station-Id == ", Pool-Name := "pool_1"
        Fall-Through = Yes


DEFAULT Called-Station-Id == ", Pool-Name := "pool_2"
        Fall-Through = Yes


Ciao

TF




From: sugiarto tjahyono <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Date: 26.11.08 10:30
Subject: ip pool
Sent by: [EMAIL PROTECTED]



Dear all,

I have a few problems. I use an IP pool and it works fine if I define the IP
pool in MySQL.

779084,"test","password","=","test123"
779085,"test","Pool-Name",":=","main_pool1"
779086,"test","Called-Station-Id","=","hostpot1"

The problem happens if I have 2 access points in the same area and IP; the
difference is only in Called-Station-Id.
What should I set in RADIUS if any user can go to AP 1 with
Called-Station-Id 1 or AP 2 with Called-Station-Id 2?
If a user logs in at AP1 they will get main_pool1, and if a user logs in at AP2
they will get main_pool2.

sorry for my bad language:)


 

Re: EAP2 configuration

2008-11-26 Thread Alan DeKok
Fernando wrote:
> Alan DeKok wrote:
>>   You deleted "eap", but didn't add "eap2".
>>   
> Yes, I added eap2 in authentication section, see this...

  Are you really sure you know what you're doing?

> Module: Checking authenticate {...} for more modules to load
> Module: Linked to module rlm_eap2
> Module: Instantiating eap2
>  eap2 {
>timer_expire = 60
>cisco_accounting_username_bug = no

  These are not configuration items for the "eap2" module.  Why did you
add them?

> I added eap2 to the radiusd.conf too and I added a user in users file.
> 
> Do I need  to do anything else?

  Yes:

>>   Please familiarize yourself with the configuration files before
>> editing them.

  Alan DeKok.



Re: Understanding stats

2008-11-26 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> 
> (i wonder me why the Acc data are marked as
> FreeRADIUS-Total-*Proxy*-Accounting-Requests)

  It's a bug.  I'll fix it in the next release.

  The accounting stats *are* the client statistics.  They're just put
into the wrong attribute.

  Alan DeKok.


Re: EAP2 configuration

2008-11-26 Thread Fernando

Alan DeKok wrote:
> Fernando wrote:
>> Yes, it works now, but I can't execute any method... I'm trying
>> eap-md5 but nothing happens. I put in authentication section (eap2), I
>> removed eap module and I added experimentation.conf to radiusd.conf.  Do I
>> need to do anything more?
>
>   You deleted "eap", but didn't add "eap2".

Yes, I added eap2 in authentication section, see this...

Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_eap2
Module: Instantiating eap2
 eap2 {
   timer_expire = 60
   cisco_accounting_username_bug = no
 }

but there isn't any eap method shown. See my eap2 module...

eap2 {
   md5 {
   }
}

I added eap2 to the radiusd.conf too and I added a user in users file.

Do I need  to do anything else?

My objective is to test EAP-GPSK but before I want to test EAP-MD5.

Thanks,
Fernando.

>   Please familiarize yourself with the configuration files before
> editing them.
>
>   Alan DeKok.


Re: Can FreeRadius server as AAA for MMSC and EVDO as well?

2008-11-26 Thread Alan DeKok
Aldo wrote:
> Well, my NAS (Huawei PDSN 9660) does support RADIUS actually; the
> MMSC is an older Huawei MMSC (based on Sun) and the documentation doesn't say
> anything about RADIUS.
> I know HLR can handle the phone authorization for data usage, but that
> will enable/disable MMSC and EVDO in bundle. Let's say I configure the
> PDSN with the FreeRADIUS for the EVDO: what do you recommend me to
> authenticate MMSC?

  If your MMSC doesn't support RADIUS, then you can't do RADIUS.

  If you're not using RADIUS, there's no point asking questions on this
list.

  Alan DeKok.


ip pool

2008-11-26 Thread sugiarto tjahyono
Dear all,

I have a few problems. I use an IP pool and it works fine if I define the IP
pool in MySQL.

779084,"test","password","=","test123"
779085,"test","Pool-Name",":=","main_pool1"
779086,"test","Called-Station-Id","=","hostpot1"

The problem happens if I have 2 access points in the same area and IP; the
difference is only in Called-Station-Id.
What should I set in RADIUS if any user can go to AP 1 with
Called-Station-Id 1 or AP 2 with Called-Station-Id 2?
If a user logs in at AP1 they will get main_pool1, and if a user logs in at AP2
they will get main_pool2.

sorry for my bad language:)


  


RE: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

2008-11-26 Thread tnt
>If I don't have the new entry "ldapuser", so how can I add the new entries ?
>

Do you actually know how to use ldap?

Ivan Kalik
Kalik informatika ISP



authentication delay in virtual servers

2008-11-26 Thread Oguzhan Kayhan
Hello,
I have two virtual servers on my freeradius installation: one is made
via mysql and the other via a perl script which checks an xml page for
user/pass control.
What I noticed is, when the xml server is down, if somebody tries to login
from this virtual server, the other virtual server hangs up too before it
gets a reply from the previous virtual server. Is it something supposed to
happen?




Dan Schaffer is out of the office.

2008-11-26 Thread Dan Schaffer

I will be out of the office starting  11/26/2008 and will not return until
12/01/2008.

Thank you and have a nice day,
Dan



Re: MAC based auth

2008-11-26 Thread Hegedus Gabor

[EMAIL PROTECTED] wrote:
>> This is my problem, what can you suggest to me :
>> I want use 802.1x port auth, although the machines are servers, and
>> users logging in rarely.
>> the machines will automatically do the authentication(this is the goal),
>
> What is the Authenticator (NAS)? You should find in its documentation
> how to set mac authentication before 802.1x.

I have a cisco switch, and I still don't know support or not  mac based
auth.

but I think not support with freeradius, I have to use something else.
I'll write it to here.

>> but how can i set the pass, cos  i set the name of the pc and  it will
>> be sent,  but the  pass...
>> This u/p seem better security than use just mac address.
>
> For that you need AD. It can be set manually using netdom resetpwd but
> only for machines in the domain.

I will try this way, it seems good security if I have  password.

> Ivan Kalik
> Kalik Informatika ISP


Re: Re: Can FreeRadius server as AAA for MMSC and EVDO as well?

2008-11-26 Thread Aldo
Well, my NAS (Huawei PDSN 9660) does support RADIUS actually; the
MMSC is an older Huawei MMSC (based on Sun) and the documentation doesn't say
anything about RADIUS.
I know HLR can handle the phone authorization for data usage, but that
will enable/disable MMSC and EVDO in bundle. Let's say I configure the
PDSN with the FreeRADIUS for the EVDO: what do you recommend me to
authenticate MMSC?


Thanks again.


--

Message: 1
Date: Wed, 26 Nov 2008 08:30:38 +0100
From: Alan DeKok <[EMAIL PROTECTED]>
Subject: Re: Can FreeRadius server as AAA for MMSC and EVDO as well?
To: FreeRadius users mailing list

Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

Aldo Zavala wrote:
> Hello, in our network we have two data services:
> 1.- MMSC (Multimedia Message Service Center)
> 2.- EVDO (Evolution-Data Optimized)
>
> I just downloaded and installed FreeRADIUS on a FreeBSD server. This is my
> first time trying to configure it, but first of all I would like to know if
> mine is a common usage of FreeRADIUS. The MMSC is served through a Solaris-based
> server and EVDO is served through a proprietary PDSN appliance.
>
> Are there more people who figured out how to make a configuration
> like this possible?

  If those services use RADIUS for authentication, then it's possible.
See their documentation for the list of features that they support.

  Alan DeKok.

  





Understanding stats

2008-11-26 Thread thoralf . freitag
Hello,

I am trying to get statistics information from the freeradius 2.1.1. As I
understand, the attribute "FreeRADIUS-Statistics-Type" represents the type
of information which will be given back by the server. The value is bit
oriented.

bit 0 = 1 --> give me Auth stats
bit 1 = 1 --> give me Acc stats
bit 0 = 1 and bit 1 = 1 --> give me Auth stats and Acc stats
...
bit 5 = 1 --> give me client stats (according to bit 1 and bit 2)


IMHO

bit 1 = 1 and bit 2 = 1 and bit 5 = 1 --> should give me Auth stats and Acc
stats from a specified client like this


hostname> echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 35, FreeRADIUS-Stats-Client-IP-Address = 10.0.8.2" | /opt/radius/bin/radclient localhost:18120 status adminsecret


FreeRADIUS-Stats-Client-IP-Address = 10.0.8.2
FreeRADIUS-Total-Access-Requests = 55
FreeRADIUS-Total-Access-Accepts = 54
FreeRADIUS-Total-Access-Rejects = 1
FreeRADIUS-Total-Access-Challenges = 0
FreeRADIUS-Total-Auth-Responses = 0
FreeRADIUS-Total-Auth-Duplicate-Requests = 0
FreeRADIUS-Total-Auth-Malformed-Requests = 0
FreeRADIUS-Total-Auth-Invalid-Requests = 0
FreeRADIUS-Total-Auth-Dropped-Requests = 0
FreeRADIUS-Total-Auth-Unknown-Types = 0
FreeRADIUS-Total-Proxy-Accounting-Requests = 108
FreeRADIUS-Total-Proxy-Accounting-Responses = 108
FreeRADIUS-Total-Proxy-Acct-Duplicate-Requests = 0
FreeRADIUS-Total-Proxy-Acct-Malformed-Requests = 0
FreeRADIUS-Total-Proxy-Acct-Invalid-Requests = 0
FreeRADIUS-Total-Proxy-Acct-Dropped-Requests = 0
FreeRADIUS-Total-Proxy-Acct-Unknown-Types = 0

(I wonder why the Acc data are marked as
FreeRADIUS-Total-Proxy-Accounting-Requests) but I get the full server stats too.

FreeRADIUS-Total-Access-Requests = 56
FreeRADIUS-Total-Access-Accepts = 118
FreeRADIUS-Total-Access-Rejects = 1
FreeRADIUS-Total-Access-Challenges = 0
FreeRADIUS-Total-Auth-Responses = 119
FreeRADIUS-Total-Auth-Duplicate-Requests = 0
FreeRADIUS-Total-Auth-Malformed-Requests = 0
FreeRADIUS-Total-Auth-Invalid-Requests = 0
FreeRADIUS-Total-Auth-Dropped-Requests = 0
FreeRADIUS-Total-Auth-Unknown-Types = 0
FreeRADIUS-Total-Accounting-Requests = 110
FreeRADIUS-Total-Accounting-Responses = 110
FreeRADIUS-Total-Acct-Duplicate-Requests = 0
FreeRADIUS-Total-Acct-Malformed-Requests = 0
FreeRADIUS-Total-Acct-Invalid-Requests = 0
FreeRADIUS-Total-Acct-Dropped-Requests = 0
FreeRADIUS-Total-Acct-Unknown-Types = 0
FreeRADIUS-Stats-Client-IP-Address = 10.0.8.2
FreeRADIUS-Total-Access-Requests = 55
FreeRADIUS-Total-Access-Accepts = 54
FreeRADIUS-Total-Access-Rejects = 1
FreeRADIUS-Total-Access-Challenges = 0
FreeRADIUS-Total-Auth-Responses = 0
FreeRADIUS-Total-Auth-Duplicate-Requests = 0
FreeRADIUS-Total-Auth-Malformed-Requests = 0
FreeRADIUS-Total-Auth-Invalid-Requests = 0
FreeRADIUS-Total-Auth-Dropped-Requests = 0
FreeRADIUS-Total-Auth-Unknown-Types = 0
FreeRADIUS-Total-Proxy-Accounting-Requests = 108
FreeRADIUS-Total-Proxy-Accounting-Responses = 108
FreeRADIUS-Total-Proxy-Acct-Duplicate-Requests = 0
FreeRADIUS-Total-Proxy-Acct-Malformed-Requests = 0
FreeRADIUS-Total-Proxy-Acct-Invalid-Requests = 0
FreeRADIUS-Total-Proxy-Acct-Dropped-Requests = 0
FreeRADIUS-Total-Proxy-Acct-Unknown-Types = 0




Is this a bug or a feature? Is my understanding wrong? What can I do to get
only the client-specific stats?



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
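
The status reply discussed in the "Understanding stats" thread, as an added example that is not part of the original posts or of FreeRADIUS itself: a Python sketch that splits radclient status output into server-wide and per-client counters, and renames the mislabelled Proxy-* accounting attributes in the client block as the reply in the thread describes. The function names and the abridged sample reply are assumptions made for illustration; the three bit values are the ones the post lists.

```python
# Added example: client-side filtering of a FreeRADIUS status reply.
# Bit values are the ones named in the post (bit 0, bit 1, bit 5).
AUTH, ACCT, CLIENT = 0x01, 0x02, 0x20
CLIENT_MARKER = "FreeRADIUS-Stats-Client-IP-Address"

# Constructed sample, abridged from the radclient output quoted in the post.
SAMPLE_REPLY = """\
FreeRADIUS-Total-Access-Requests = 56
FreeRADIUS-Total-Access-Accepts = 118
FreeRADIUS-Total-Access-Rejects = 1
FreeRADIUS-Total-Accounting-Requests = 110
FreeRADIUS-Total-Accounting-Responses = 110
FreeRADIUS-Stats-Client-IP-Address = 10.0.8.2
FreeRADIUS-Total-Access-Requests = 55
FreeRADIUS-Total-Access-Accepts = 54
FreeRADIUS-Total-Access-Rejects = 1
FreeRADIUS-Total-Proxy-Accounting-Requests = 108
FreeRADIUS-Total-Proxy-Accounting-Responses = 108
"""


def describe_type(value):
    """Name the bits set in a FreeRADIUS-Statistics-Type value."""
    names = [(AUTH, "auth"), (ACCT, "acct"), (CLIENT, "client")]
    found = [label for bit, label in names if value & bit]
    leftover = value & ~(AUTH | ACCT | CLIENT)
    if leftover:  # bits the post does not describe
        found.append("other(0x%x)" % leftover)
    return found


def split_reply(text, fix_proxy_names=True):
    """Return (server_stats, {client_ip: stats}) parsed from radclient output."""
    server, clients, current = {}, {}, None
    for line in text.splitlines():
        name, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not name.startswith("FreeRADIUS-"):
            continue  # skip blank lines and radclient status lines
        if name == CLIENT_MARKER:
            # Everything after this marker belongs to that client.
            current = clients.setdefault(value, {})
            continue
        if current is not None and fix_proxy_names:
            # Assumption from the thread: in 2.1.1 the client accounting
            # counters are returned under Proxy-* attribute names.
            name = name.replace("-Proxy-Acc", "-Acc")
        target = server if current is None else current
        try:
            target[name] = int(value)
        except ValueError:
            target[name] = value
    return server, clients


def client_only(text, ip):
    """Counters for one client, or {} if the reply has no block for it."""
    return split_reply(text)[1].get(ip, {})


if __name__ == "__main__":
    print(describe_type(35))
    print(client_only(SAMPLE_REPLY, "10.0.8.2"))
```
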