Programmatically provision users to server.
Hi everyone,

I am thinking of adding a FreeRadius server to an existing infrastructure in order to provision users through an application. I am currently running a WLAN controller connecting several access points. Currently users are added manually through the WLAN controller interface. Could I add a FreeRadius server and be able to programmatically add users to it? I need to be able to do this through a Ruby on Rails application.

I am thinking I would have to either:

1. Use some sort of API
2. Run a script that uses a command line interface

Your thoughts and suggestions on this architecture would be appreciated.

Thanks,
Matthew.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: Re: Logging eap protocols
Sorry for my previous email ;) I was meaning: %{control:Auth-Type}

In my configuration, I use two different auth-types, one for PAP, one for MS-CHAP.

Regards,
Vincent

Vincent Magnin [EMAIL PROTECTED] wrote:
> Hello,
>
> Have you tried using %{Auth-Type}?
>
> Regards,
> Vincent Magnin
>
> Richard Timsit [EMAIL PROTECTED] wrote:
>> Alan DeKok wrote:
>>> You can use %{EAP-Type} to log the EAP type. It would best be done as part of a post-auth section.
>>
>> Ok, this works perfectly, thanks a lot! Is it conceivable to retrieve more info for EAP-TTLS or for some other authentication methods, like PAP or CHAP for example?
>>
>> Regards.
Re: Beating a dead horse, or freeradius 2.1.1 and active directory
Ben Little wrote:
> Yeah, I'm not sure I want to use LDAP (clear text) for authentication.

LDAP is a database, not a password management system. If the incoming Access-Requests contain clear-text passwords, then there is no additional security problem when you check them against LDAP.

> I'm starting to think that I can just use md5 passwords in a database or a flat file to manage it, there's really not that many administrative users for the cisco equipment. It's either that or pony up several thousands for the Cisco ACS server... it was worth beating my head against a wall for a few days though :-)

Use LDAP. Configure it, and it will work.

Alan DeKok.
Re: Issue with PAP/LDAP authentication after upgrade FR 2.0.5 to FR 2.1.1
Hi John,

Nice to meet you ;-)

John Dennis wrote:
> John Dennis wrote:
>> Thibault Le Meur wrote:
>>> I've searched and finally found out what occurred. I'm using Fedora Core 9 and after the FR package update here is what occurred: a lot of files including module files from the new RPM package were added as /etc/raddb/modules/modulename.rpmnew
>>>
>>> So at startup here is what is loaded:
>>> ...
>>> including configuration file /etc/raddb/modules/pap.rpmnew
>>> ...
>>> including configuration file /etc/raddb/modules/pap
>>> ...
>>>
>>> I don't know if I should report this to the package maintainer or not. What do you think?
>
> I'm here :-)
>
> The files under /etc/raddb/modules are configuration files. Configuration files by definition are available for editing. It is usually considered bad practice for rpm during an upgrade to overwrite user modified configuration files.

I agree ;-)

> If rpm thinks a configuration file has been modified, instead of overwriting the configuration file with the version from the new package it instead lays a new copy of that file down with the .rpmnew extension.

I understand, and this runs great _for most other software because the xxx.rpmnew files are not read_ by the application at startup:

* the applications are correctly updated,
* the configuration files that were customized by the system administrator are not overwritten and are still read at the application startup,
* _usually_ the updated applications are working well, despite having old configuration files. This is because new configuration files usually have new optional parameters (for which a default value is assumed by the application).

However, as far as FR is concerned, all files in /etc/raddb/modules/ matching the regex /[a-zA-Z0-9_.]+/ are read, and this includes any xxx.rpmnew file: in fact adding an xxx.rpmnew file in /etc/raddb/modules has the same effect as modifying the configuration files!

>>> This will cause most Freeradius 2.x upgrades (using RPM) to end up with an updated server which is not working anymore
>
> It's your job as a system administrator to pay attention to the presence of .rpmnew files, during installation it will warn you such files were created which is your signal to investigate.

This may mean that automatic updates of FR should be disabled by default in the OS, maybe in /etc/yum.conf for Fedora?

> If you miss the warnings you should still periodically check under /etc for the presence of .rpmnew files and .rpmsave by the same token.

No need to do this: I've been warned immediately by my users that network access wasn't possible anymore ;-)

> Now having said that, it's entirely possible there is a packaging problem and the .rpmnew files should not have been created, I'll go off and take a look at that issue. My recollection is that rpm is smart enough to detect the case where the old version of a config file differs from the new version but the old version was not locally edited. I believe this is the case you're describing.

No, I've modified the old configuration file; the problem is that the .rpmnew files are read by the server at startup and thus this overwrites my old customizations.

> I've looked at the packaging with respect to how the .rpmnew files are being handled and I believe everything is correct. What is probably missing is documentation on this so I've updated the FreeRADIUS Red Hat FAQ (http://wiki.freeradius.org/Red_Hat_FAQ) and added a section describing what happens to configuration files during a RPM upgrade (http://wiki.freeradius.org/Red_Hat_FAQ#How_are_configuration_files_handled_during_an_RPM_upgrade.3F)

Thanks, this is very valuable. Maybe 'we' should add a specific paragraph concerning /etc/raddb/modules configuration .rpmnew files as they are read by FR at startup? Do you want me to do so?

Regards,
Thibault
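The failure mode Thibault describes (a package manager drops `pap.rpmnew` next to `pap`, and radiusd loads both because the include pattern accepts any name made of letters, digits, `_` and `.`) is easy to catch before a restart. The following pre-flight check is an added example, not code from the thread or from the FreeRADIUS project; it assumes the `/[a-zA-Z0-9_.]+/` name pattern quoted above, and the Debian `.dpkg-*` suffixes are an addition of this example, not something the thread mentions. The fixture directory it builds is constructed sample data.

```ruby
# Added example: list package-manager leftovers that FreeRADIUS 2.x would
# load from raddb/modules/ alongside the real module configuration.
require 'tmpdir'
require 'fileutils'

# Suffixes package managers append to config files they chose not to
# overwrite. .rpmnew/.rpmsave come from the thread; the Debian suffixes
# are an assumption added here for completeness.
PACKAGE_LEFTOVER_SUFFIXES = %w[.rpmnew .rpmsave .rpmorig .dpkg-dist .dpkg-old .dpkg-new].freeze

# Name pattern FreeRADIUS 2.x applies when including a directory (per the thread).
LOADED_NAME = /\A[a-zA-Z0-9_.]+\z/

# Returns the module files radiusd would load from +dir+, sorted by name.
# Names such as "eap~" do not match the pattern and are therefore ignored.
def loaded_module_files(dir)
  Dir.children(dir)
     .select { |name| name.match?(LOADED_NAME) && File.file?(File.join(dir, name)) }
     .sort
end

# Returns the loaded files that are package-manager leftovers, as pairs
# [leftover_name, name_of_the_original_it_shadows_or_nil].
def shadowing_leftovers(dir)
  loaded = loaded_module_files(dir)
  loaded.filter_map do |name|
    suffix = PACKAGE_LEFTOVER_SUFFIXES.find { |s| name.end_with?(s) }
    next unless suffix
    original = name.delete_suffix(suffix)
    [name, loaded.include?(original) ? original : nil]
  end
end

# Builds a constructed fixture resembling /etc/raddb/modules after the
# upgrade described in the thread (sample data, not a real system).
def build_fixture_dir
  dir = Dir.mktmpdir('raddb-modules')
  %w[pap pap.rpmnew ldap ldap.rpmsave files eap~].each do |name|
    File.write(File.join(dir, name), "# constructed sample module config\n")
  end
  dir
end

if __FILE__ == $PROGRAM_NAME
  dir = ARGV[0] || build_fixture_dir
  shadowing_leftovers(dir).each do |leftover, original|
    target = original ? "shadows #{original}" : 'no matching original'
    puts "WARNING: #{File.join(dir, leftover)} will be loaded by radiusd (#{target})"
  end
end
```

Run it as `ruby check_modules.rb /etc/raddb/modules` after every package upgrade, or from a restart wrapper that refuses to start radiusd while the list is non-empty; without an argument it runs against the constructed fixture.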
Re: Programmatically provision users to server.
Matthew Carriere wrote:
> I am thinking of adding a FreeRadius server to an existing infrastructure in order to provision users through an application.

FreeRADIUS authenticates users... databases provision them.

> I am currently running a WLAN controller connecting several access points. Currently users are added manually through the WLAN controller interface. Could I add a FreeRadius server and be able to programmatically add users to it? I need to be able to do this through a Ruby on Rails application.

Install FreeRADIUS *and* MySQL. Use a RoR app to provision the database. Use FreeRADIUS to pull user information out of the database, and authenticate the users.

Alan DeKok.
Re: Beating a dead horse, or freeradius 2.1.1 and active directory
> There is an entry in the users file that states (according to the howto this can be used for testing)
>
> rtest Auth-type := ntlm_auth

But not on the first line. The debug you posted suggests that the first line is:

rtest Auth-Type := Local

[files] users: Matched entry rtest at line 1
++[files] returns ok
..
Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'

If the line setting ntlm_auth is after that - it will not work.

Ivan Kalik
Kalik Informatika
Re: Programmatically provision users to server.
> I am thinking of adding a FreeRadius server to an existing infrastructure in order to provision users through an application. I am currently running a WLAN controller connecting several access points. Currently users are added manually through the WLAN controller interface. Could I add a FreeRadius server and be able to programmatically add users to it? I need to be able to do this through a Ruby on Rails application.

Yes.

> I am thinking I would have to either:
> 1. Use some sort of API
> 2. Run a script that uses a command line interface

No. Much simpler than that. You can store users, passwords and radius attributes for freeradius in a MySQL database. Use the Ruby on Rails application to manage user/group entries in the database. Ruby is quite good for that.

Ivan Kalik
Kalik Informatika ISP
Re: Beating a dead horse, or freeradius 2.1.1 and active directory
PS. What is the error that you get when you remove the quotes around ntlm_auth? For the users file entry as it is in the howto.

Ivan Kalik
Kalik Informatika ISP
FreeRADIUS Server Version 2.1.2 has been released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are pleased to announce the release of version 2.1.2 of the FreeRADIUS server. The focus of this release is stability.

ftp://ftp.freeradius.org:/pub/freeradius/freeradius-server-2.1.2.tar.bz2
ftp://ftp.freeradius.org:/pub/freeradius/freeradius-server-2.1.2.tar.bz2.sig

We have also created a stable tree on git.freeradius.org. This tree will be used to release versions 2.1.2 and following. The master tree will be used for additional, experimental features. There are a number of important new features coming over the next year. Splitting development in this way helps to manage the trade-off of features versus stability.

We would like to thank Coverity for providing static analysis scanning that highlighted a number of issues. These issues do not have security implications, but they can affect stability.

Alan DeKok
Project Leader

The complete changelog is below.

Feature Improvements:
* Allow running with user=radiusd and binding to secure sockets.
* Start sending Status-Server "are you alive" messages earlier, which helps with proxying multiple realms to a home server.
* Removed thread pool code from rlm_perl. It's not necessary.
* Added example Perl configuration to raddb/modules/perl
* Force OpenSSL to support certificates with SHA256. This seems to be necessary for WiMAX certs.

Bug fixes:
* Fix Debian patch to allow it to build.
* Fix potential NULL dereference in debugging mode on certain platforms for TTLS and PEAP inner tunnels.
* Fix uninitialized memory in handling of vendor definitions
* Fix parsing of quoted (but non-string) attributes in the users file.
* Initialize unknown NAS IP to 255.255.255.255, rather than 0.0.0.0
* Use SUN_LEN in control socket, to avoid truncation on some platforms.
* Correct internal handling of debug condition to prevent it from being over-written.
* Check return code of regcomp in unlang, so that invalid regular expressions are caught rather than mishandled.
* Make rlm_sql use ltdl.h. Addresses bug #610.
* Document list type = status better. Closes bug #580.
* Set default days for certificates, because OpenSSL won't do it. This closes bug #615.
* Reference correct list in example raddb/modules/ldap. Closes #596.
* Increase default schema size for Acct-Session-Id to 64. Closes #540.
* Fix use of temporary files in dialup-admin. Closes #605 and addresses CVE-2008-4474.
* Addressed a number of minor issues found by Coverity.
* Added DHCP option 150 to the dictionary. Closes #618.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQCVAwUBSTezVakul4vkAkl9AQJLJQP/bFRE4r9EJHfSbdiqe0WBdJF1PudwHs97
JwlI/cF8D2AkNULWP9wAWruCrInEPlj9AjqLNjtfq+7ap5tfJC0diAFm7cMfiX2y
SlbOfeoDmnAJ8q7tCZa5Q3t5gRuGmyjR9ANa0dqSemz6p+whgM9KPDvM8xX8fH8r
uaoy5OdZYEo=
=73eF
-----END PGP SIGNATURE-----
Re: radius user queries for uid anonymous in ldap
2008/12/3 Alan DeKok [EMAIL PROTECTED]:
> Sergio Belkin wrote:
>> Hi, I use freeradius with EAP-TTLS and EAP-PEAP, below there is the ldap log, I wonder why radius bothers to query for the anonymous uid and not only for the uid inside the tunnel
>
> Because you configured the ldap module *outside* of the tunnel, too. If you don't list it in sites-enabled/default, it will only do queries for inside of the TLS tunnel.

Thanks Alan! That solved it. Now there remains a little problem in radiusd.log:

Thu Dec 4 09:07:51 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Thu Dec 4 09:07:51 2008 : Info: rlm_ldap: Attempting reconnect
Thu Dec 4 09:10:41 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Thu Dec 4 09:10:41 2008 : Info: rlm_ldap: Attempting reconnect
Thu Dec 4 09:12:14 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Thu Dec 4 09:12:14 2008 : Info: rlm_ldap: Attempting reconnect
Thu Dec 4 09:14:30 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Thu Dec 4 09:14:30 2008 : Info: rlm_ldap: Attempting reconnect
Thu Dec 4 09:18:09 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Thu Dec 4 09:18:09 2008 : Info: rlm_ldap: Attempting reconnect

Where do these problems come from? radius or ldap? The ldap module config is as follows:

ldap {
    server = ldap.palermo.edu
    identity = cn=freeradius,ou=applications,dc=palermo,dc=edu
    password = somepass
    basedn = ou=people,dc=palermo,dc=edu
    filter = (uid=%u)
    ldap_connections_number = 1
    timeout = 60
    timelimit = 120
    net_timeout = 10
    tls {
        cacertfile = /etc/raddb/cacert.pem
        randfile = /dev/urandom
    }
    access_attr = radiusAllowed
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
}

Thanks in advance!
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
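The thread does not settle whether the drops originate on the RADIUS or the LDAP side, but the first thing to establish is their cadence: with `ldap_connections_number = 1` a single long-lived connection is being torn down repeatedly, and the interval between losses is what you compare against idle timeouts on the directory server and any firewall in between. The parser below is an added example, not code from the thread or from FreeRADIUS; it reads the radiusd.log line format shown above (the sample text is the lines Sergio posted) and reports how many losses occurred, whether each was followed by a reconnect attempt, and the shortest and longest gap between losses. The summary hash layout is this example's own choice.

```ruby
# Added example: summarise rlm_ldap "LDAP connection lost" events in
# FreeRADIUS 2.x radiusd.log output so the drop cadence can be compared
# with the idle timeouts configured on the LDAP server and in between.
MONTHS = %w[jan feb mar apr may jun jul aug sep oct nov dec].freeze

# One radiusd.log line: "Thu Dec  4 09:07:51 2008 : Error: rlm_ldap: ...".
# The day may be padded with one or two spaces depending on the platform.
LOG_LINE = /\A\w{3} (\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\d{4}) : (\w+): (.*)\z/

LogEvent = Struct.new(:time, :level, :message)

# Parses a single log line into a LogEvent; returns nil if it does not match.
# Timestamps in radiusd.log carry no zone, so they are treated as UTC here
# purely to compute differences between them.
def parse_log_line(line)
  m = LOG_LINE.match(line.strip)
  return nil unless m
  mon = MONTHS.index(m[1].downcase)
  return nil unless mon
  t = Time.utc(m[6].to_i, mon + 1, m[2].to_i, m[3].to_i, m[4].to_i, m[5].to_i)
  LogEvent.new(t, m[7], m[8])
end

# Summarises LDAP connection losses in a block of log text. Returns a hash
# with the number of losses, the number of reconnect attempts logged, and
# the min/max seconds between consecutive losses (nil if fewer than two).
def summarize_ldap_losses(log_text)
  events = log_text.each_line.filter_map { |l| parse_log_line(l) }
  losses = events.select { |e| e.level == 'Error' && e.message.include?('LDAP connection lost') }
  reconnects = events.count { |e| e.level == 'Info' && e.message.include?('Attempting reconnect') }
  gaps = losses.each_cons(2).map { |a, b| (b.time - a.time).to_i }
  {
    losses: losses.size,
    reconnects: reconnects,
    min_gap_s: gaps.min,
    max_gap_s: gaps.max,
    first: losses.first&.time,
    last: losses.last&.time
  }
end

# Sample input: the log lines from the message above (not constructed).
SAMPLE_LOG = <<~LOG
  Thu Dec 4 09:07:51 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
  Thu Dec 4 09:07:51 2008 : Info: rlm_ldap: Attempting reconnect
  Thu Dec 4 09:10:41 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
  Thu Dec 4 09:10:41 2008 : Info: rlm_ldap: Attempting reconnect
  Thu Dec 4 09:12:14 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
  Thu Dec 4 09:12:14 2008 : Info: rlm_ldap: Attempting reconnect
  Thu Dec 4 09:14:30 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
  Thu Dec 4 09:14:30 2008 : Info: rlm_ldap: Attempting reconnect
  Thu Dec 4 09:18:09 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
  Thu Dec 4 09:18:09 2008 : Info: rlm_ldap: Attempting reconnect
LOG

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOG
  p summarize_ldap_losses(text)
end
```

On the posted lines the gaps range from 93 to 219 seconds, i.e. the connection is lost every few minutes rather than at a fixed period; that irregularity is itself a data point when you look for a matching idle or keep-alive setting on the directory server.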
Proxy - wrong IP
Hi,

My server has two interfaces, A and B. My NAS is on interface A and I'm proxying to another Radius on interface B. My problem is that FreeRadius is sending packets to the Radius at interface B with the IP of interface A (the listening interface to my NAS).

I'm running FreeRadius v2.1.1. I've tried to add another listening interface with the IP from interface B, but no difference (shot in the dark really).

How can I force FreeRadius to use another IP for the proxying?

Cheers,
Jørn
RE: Beating a dead horse, or freeradius 2.1.1 and active directory
Here is the first line in the users file (quotes removed)

rtest Auth-Type := ntlm_auth

And here is the error that generates:

/etc/raddb/users[1]: Parse error (check) for entry rtest: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /etc/raddb/users
/etc/raddb/modules/files[7]: Instantiation failed for module files
/etc/raddb/sites-enabled/inner-tunnel[110]: Failed to find module files.
/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
}
}
Errors initializing modules

With a first line of this:

rtest Auth-Type := "ntlm_auth"

Radiusd starts normally.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 04, 2008 2:14 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Beating a dead horse, or freeradius 2.1.1 and active directory

PS. What is the error that you get when you remove the quotes around ntlm_auth? For the users file entry as it is in the howto.

Ivan Kalik
Kalik Informatika ISP
Re: Proxy - wrong IP
Jørn Kostøl wrote:
> My server has two interfaces, A and B. My NAS is on interface A and I'm proxying to another Radius on interface B. My problem is that FreeRadius is sending packets to the Radius at interface B with the IP of interface A (the listening interface to my NAS).

You can control this. Read radiusd.conf, and look for the documentation in the listen section.

> I'm running FreeRadius v2.1.1. I've tried to add another listening interface with the IP from interface B, but no difference (shot in the dark really).

Did you set the listen type to proxy?

Alan DeKok.
compile error on 2.1.2: library libltdl/libltdlc.la
Hi,

I just downloaded the new version for testing, but I got a compile error. Did somebody get something similar? I'm building debian packages, on Debian Lenny-RC1. To compile, I had to remove --with-system-libtool from debian/rules. Running dpkg-buildpackage -b -uc, I got the following error below after some time. Any ideas about how to proceed?

Tks,
Roberto

libtool: compile: gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/freeradius-server-2.1.2/src -I/root/freeradius-server-2.1.2/libltdl -I/root/freeradius-server-2.1.2/libltdl -Ilibeap -c mem.c -fPIC -DPIC -o .libs/mem.o
libtool: compile: gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/freeradius-server-2.1.2/src -I/root/freeradius-server-2.1.2/libltdl -I/root/freeradius-server-2.1.2/libltdl -Ilibeap -c mem.c -o mem.o >/dev/null 2>&1
/bin/sh /root/freeradius-server-2.1.2/libtool --mode=link gcc -release 2.2.0 \
    -module -export-dynamic -o rlm_eap.la \
    -rpath /usr/lib/freeradius rlm_eap.lo eap.lo mem.lo rlm_eap.c eap.c mem.c /root/freeradius-server-2.1.2/src/lib/libfreeradius-radius.la libeap/libfreeradius-eap.la /root/freeradius-server-2.1.2/libltdl/libltdlc.la -lnsl -lresolv -ldl -lpthread
libtool: link: cannot find the library `/root/freeradius-server-2.1.2/libltdl/libltdlc.la' or unhandled argument `/root/freeradius-server-2.1.2/libltdl/libltdlc.la'
make[7]: *** [rlm_eap.la] Error 1
make[7]: Leaving directory `/root/freeradius-server-2.1.2/src/modules/rlm_eap'
make[6]: *** [common] Error 2
make[6]: Leaving directory `/root/freeradius-server-2.1.2/src/modules'
make[5]: *** [all] Error 2
make[5]: Leaving directory `/root/freeradius-server-2.1.2/src/modules'
make[4]: *** [common] Error 2
make[4]: Leaving directory `/root/freeradius-server-2.1.2/src'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/root/freeradius-server-2.1.2/src'
make[2]: *** [common] Error 2
make[2]: Leaving directory `/root/freeradius-server-2.1.2'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/root/freeradius-server-2.1.2'
make: *** [build-arch-stamp] Error 2
dpkg-buildpackage: failure: debian/rules build gave error exit status 2

--
Marcos Roberto Greiner
Optimists think that we live in the best of all worlds
Pessimists are afraid that this is true
Murphy
Re: compile error on 2.1.2: library libltdl/libltdlc.la
rgreiner wrote:
> Hi, I just downloaded the new version for testing, but I got a compile error. Did somebody get something similar? I'm building debian packages, on Debian Lenny-RC1. To compile, I had to remove --with-system-libtool from debian/rules. Running dpkg-buildpackage -b -uc, I got the following error below after some time. Any ideas about how to proceed?

I'm getting an error that I suspect is related, however I'm building with --with-system-libtool and --disable-ltdl-install

error: conditional INSTALL_LTDL was never defined.

I'm in the process of trying to track this down, but it's slow going because the machine generated autotools scripts are just plain nasty ;-)

--
John Dennis [EMAIL PROTECTED]
Problems with wifi authentication: [mschap] No Cleartext-Password configured...
Hi guys,

I'm having problems with my first radius authentication server for wireless clients. I've made some progress, but now I have problems that I don't know how to solve. I want to use the NIS user database.

Freeradius version: 2.1.1, compiled from source on mandriva 2008.1 (yes, I don't like mandriva, but I have to use it)

With radtest, I already can authenticate with users located in /etc/raddb/users/, /etc/passwd and NIS users. Example:

[EMAIL PROTECTED]:~$ radtest leonardo lalala 172.16.0.2 0 xpto
Sending Access-Request of id 65 to 172.16.0.2 port 1812
        User-Name = leonardo
        User-Password = radius1234
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=65, length=20

[EMAIL PROTECTED]:~$ radtest usuario1 lalala 172.16.0.2 0 xpto
Sending Access-Request of id 57 to 172.16.0.2 port 1812
        User-Name = usuario1
        User-Password = senha1
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=57, length=20

[EMAIL PROTECTED]:~$ radtest localradius lalala 172.16.0.2 0 xpto
Sending Access-Request of id 135 to 172.16.0.2 port 1812
        User-Name = localradius
        User-Password = radius1234
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=212, length=20

Up to here everything was ok; the problems begin when I try to authenticate through the wireless access point: PEAP doesn't work, and TTLS/MSCHAPv2 works, but only for users located in the /etc/raddb/users file, and not for NIS or passwd users.

Error that happens when I try to connect with TTLS/MSCHAPv2 and with a user not listed in the /etc/raddb/users file:

Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for leonardo with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.

I've uploaded /etc/raddb/radiusd.conf, /etc/raddb/eap.conf, the module /etc/raddb/modules/mschap and also a log from radiusd -X with a login try which generates the above error, and the radiusd startup on the server: http://ivete.fis.unb.br/fradius/

I've found on google a discussion on this list (http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg48660.html) in which a guy had the same error as me, but he was using the ldap database as the user database. And I didn't understand what procedures he used to solve his problems.

Please, if somebody has some tip, tell me, I don't know what to do anymore :/

Sorry for the poor english.

Thanks in advance,
--
Leonardo Marques
Blog: BeNerd.analyx.org
Website: www.analyx.org
Is cygwin compiled Freeradius.net stable?
Is cygwin compiled Freeradius.net stable enough to be used in a corporate environment with a few hundred access-requests daily? Any thoughts?

Thanks.
RE: Beating a dead horse, or freeradius 2.1.1 and active directory
> Here is the first line in the users file (quotes removed)
>
> rtest Auth-Type := ntlm_auth
>
> And here is the error that generates:
>
> /etc/raddb/users[1]: Parse error (check) for entry rtest: Unknown value ntlm_auth for attribute Auth-Type
> Errors reading /etc/raddb/users
> /etc/raddb/modules/files[7]: Instantiation failed for module files
> /etc/raddb/sites-enabled/inner-tunnel[110]: Failed to find module files.
> /etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
> }
> }
> Errors initializing modules

OK. Howto needs updating. Freeradius in default configuration has default and inner-tunnel virtual servers. You should add ntlm_auth to the authenticate section of both (not just default as in the howto). This issue is probably going to be resolved with a virtual server specific users file, but at present if an Auth-Type is listed in the users file it has to exist in all enabled virtual servers. So, add ntlm_auth to the authenticate section of the inner-tunnel virtual server and leave the user entry without quotes.

Ivan Kalik
Kalik Informatika ISP
Re: Problems with wifi authentication: [mschap] No Cleartext-Password configured...
> I'm having problems with my first radius authentication server for wireless clients. I've made some progress, but now I have problems that I don't know how to solve. I want to use the NIS user database.

That's your problem right there.

> Freeradius version: 2.1.1, compiled from source on mandriva 2008.1 (yes, I don't like mandriva, but I have to use it)
>
> With radtest, I already can authenticate with users located in /etc/raddb/users/, /etc/passwd and NIS users. Example:
>
> [EMAIL PROTECTED]:~$ radtest leonardo lalala 172.16.0.2 0 xpto
> Sending Access-Request of id 65 to 172.16.0.2 port 1812
>         User-Name = leonardo
>         User-Password = radius1234
>         NAS-IP-Address = 127.0.1.1
>         NAS-Port = 0
> rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=65, length=20
>
> [EMAIL PROTECTED]:~$ radtest usuario1 lalala 172.16.0.2 0 xpto
> Sending Access-Request of id 57 to 172.16.0.2 port 1812
>         User-Name = usuario1
>         User-Password = senha1
>         NAS-IP-Address = 127.0.1.1
>         NAS-Port = 0
> rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=57, length=20
>
> [EMAIL PROTECTED]:~$ radtest localradius lalala 172.16.0.2 0 xpto
> Sending Access-Request of id 135 to 172.16.0.2 port 1812
>         User-Name = localradius
>         User-Password = radius1234
>         NAS-IP-Address = 127.0.1.1
>         NAS-Port = 0
> rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=212, length=20

Crypted passwords and pap work fine.

> Up to here everything was ok; the problems begin when I try to authenticate through the wireless access point: PEAP doesn't work, and TTLS/MSCHAPv2 works, but only for users located in the /etc/raddb/users file, and not for NIS or passwd users.
>
> Error that happens when I try to connect with TTLS/MSCHAPv2 and with a user not listed in the /etc/raddb/users file:
>
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for leonardo with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> Failed to authenticate the user.

But not with mschap: http://deployingradius.com/documents/protocols/compatibility.html

You can't use passwords from /etc/passwd for mschap. You will find in that thread that he had NT hashed passwords to use.

Ivan Kalik
Kalik Informatika ISP
Re: Programmatically provision users to server.
This is great, thank you. I was trying to find something in the documentation about doing this. Could anyone point me in the direction of documentation that outlines using a MySQL database for authenticating users? Is there some kind of schema that the users table must follow?

Thanks,
Matthew

On 4-Dec-08, at 1:44 AM, Alan DeKok wrote:
> Matthew Carriere wrote:
>> I am thinking of adding a FreeRadius server to an existing infrastructure in order to provision users through an application.
>
> FreeRADIUS authenticates users... databases provision them.
>
>> I am currently running a WLAN controller connecting several access points. Currently users are added manually through the WLAN controller interface. Could I add a FreeRadius server and be able to programmatically add users to it? I need to be able to do this through a Ruby on Rails application.
>
> Install FreeRADIUS *and* MySQL. Use a RoR app to provision the database. Use FreeRADIUS to pull user information out of the database, and authenticate the users.
>
> Alan DeKok.
Re: Programmatically provision users to server.
http://wiki.freeradius.org/SQL_HOWTO
http://wiki.freeradius.org/Rlm_sql_mysql

On 04.12.2008 09:03, Matthew Carriere wrote:
> This is great, thank you. I was trying to find something in the documentation about doing this. Could anyone point me in the direction of documentation that outlines using a MySQL database for authenticating users? Is there some kind of schema that the users table must follow?
>
> Thanks,
> Matthew
>
> On 4-Dec-08, at 1:44 AM, Alan DeKok wrote:
>> Matthew Carriere wrote:
>>> I am thinking of adding a FreeRadius server to an existing infrastructure in order to provision users through an application.
>>
>> FreeRADIUS authenticates users... databases provision them.
>>
>>> I am currently running a WLAN controller connecting several access points. Currently users are added manually through the WLAN controller interface. Could I add a FreeRadius server and be able to programmatically add users to it? I need to be able to do this through a Ruby on Rails application.
>>
>> Install FreeRADIUS *and* MySQL. Use a RoR app to provision the database. Use FreeRADIUS to pull user information out of the database, and authenticate the users.
>>
>> Alan DeKok.
Re: Proxy - wrong IP
On Thu, 2008-12-04 at 18:07 +0100, Alan DeKok wrote:
> You can control this. Read radiusd.conf, and look for the documentation in the listen section.

What this means in a nutshell is that there is no direct way to tell freeradius what source IP address to use when proxying (I'll be happy if I'm proven wrong on that). The only way to accomplish this is to force freeradius to listen on only a single IP address (which I think is what Alan is suggesting). This will cause freeradius to use that IP as the source for anything it sends. I have run into this issue on multihomed servers and it's the only way I found to solve it.

--Greg
RE: Beating a dead horse, or freeradius 2.1.1 and active directory
Well I'll be a son of a gun :-) It worked! Awesome, thanks a ton, ok now to see if I can make my silly switch work with this authentication! Alan, if you're reading this you should add the inner-tunnel addition to the how to. Now I just have to figure out the authorization piece of the puzzle and I'll be golden. Thanks Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 53912, id=223, length=57 User-Name = rtest User-Password = SEKRAT NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = rtest, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry rtest at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} - --username=rtest [ntlm_auth] expand: --password=%{User-Password} - --password=SEKRAT Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 223 to 127.0.0.1 port 53912 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 223 with timestamp +19 Ready to process requests. 
-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 04, 2008 10:35 AM
To: FreeRadius users mailing list
Subject: RE: Beating a dead horse, or freeradius 2.1.1 and active directory

> Here is the first line in the users file (quotes removed)
>
> rtest Auth-Type := ntlm_auth
>
> And here is the error that generates:
>
> /etc/raddb/users[1]: Parse error (check) for entry rtest: Unknown value ntlm_auth for attribute Auth-Type
> Errors reading /etc/raddb/users
> /etc/raddb/modules/files[7]: Instantiation failed for module files
> /etc/raddb/sites-enabled/inner-tunnel[110]: Failed to find module files.
> /etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
> }
> }
> Errors initializing modules

OK. Howto needs updating. Freeradius in default configuration has default and inner-tunnel virtual servers. You should add ntlm_auth to authenticate section of both (not just default as in howto). This issue is probably going to be resolved with virtual server specific users file but at present if Auth-Type is listed in users file it has to exist in all enabled virtual servers. So, add ntlm_auth to authenticate section of inner-tunnel virtual server and leave user entry without quotes.

Ivan Kalik
Kalik Informatika ISP
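The two-file change Ivan describes, written out as an added configuration fragment (it is not text from the thread). It assumes the `ntlm_auth` exec module instance that 2.1.x ships in raddb/modules/ntlm_auth is enabled; that instance is what produces the `[ntlm_auth] expand: --username=...` lines in the debug output above.

```text
# /etc/raddb/users  (value left unquoted, as Ivan says)
rtest   Auth-Type := ntlm_auth

# /etc/raddb/sites-enabled/default
authenticate {
        # the shipped modules (pap, chap, mschap, unix, eap) stay as they are
        ntlm_auth
}

# /etc/raddb/sites-enabled/inner-tunnel
# Same addition. Without it the users file fails to parse with
# "Unknown value ntlm_auth for attribute Auth-Type", because an Auth-Type
# named in the users file must exist in every enabled virtual server.
authenticate {
        ntlm_auth
}
```

Check with `radiusd -X`: it should start without the "Errors reading /etc/raddb/users" message and, for a PAP request, print "Found Auth-Type = ntlm_auth" as in the debug output above. Note what this path does: it hands the clear-text User-Password to ntlm_auth, so it only serves PAP (including PAP inside a TTLS tunnel). MS-CHAPv2 from the switch or from PEAP clients is handled by the mschap module, which has its own `ntlm_auth` setting in raddb/modules/mschap and never needs the clear-text password.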
windows supplicant
I've been working on this on/off for 2 weeks now and I'm confused. I found on this Windows laptop I've been playing with that I can't connect via the built-in Windows XP SP3 supplicant but one connection I can make is using the Intel ProSet (it's a 2100) but the only way that I've been able to connect is using TTLS. The Intel ProSet suggests that my connection is:

Security Mode: WPA
Encryption Algorithm: TKIP
802.11 Authentication: Open
802.1x Authentication: TTLS (MS-CHAP)

and I note that MS-CHAPv2 doesn't work here. So I'm now wondering if the problem is my setup of eap.conf, the MS-CHAPv2. I am authenticating RRAS from a Windows server and Macintosh and iPhone clients without issue.

Craig
Re: compile error on 2.1.2: library libltdl/libltdlc.la
rgreiner wrote:
> Running dpkg-buildpackage -b -uc, I got the following error below after some time. Any ideas about how to proceed?
> ...
> libtool: link: cannot find the library `/root/freeradius-server-2.1.2/libltdl/libltdlc.la' or unhandled

Bizarre. Nothing in the source or Makefiles references a libltdlc.la. There's a libltdl.la without the C, but that's it. I don't know what to suggest. Maybe it's time for me to set up a Debian build vmware image.

Alan DeKok.
RE: Beating a dead horse, or freeradius 2.1.1 and active directory
> Now I just have to figure out the authorization piece of the puzzle and I'll be golden.

Service-Type you should use and priv level avpairs should be described in switch documentation. There is also a common Cisco configuration described on freeradius wiki: http://wiki.freeradius.org/index.php/Cisco

Ivan Kalik
Kalik Informatika ISP
Re: compile error on 2.1.2: library libltdl/libltdlc.la
John Dennis wrote:
> I'm getting an error that I suspect is related, however I'm building with --with-system-libtool and --disable-ltdl-install
>
> error: conditional INSTALL_LTDL was never defined.
>
> I'm in the process of trying to track this down, but it's slow going because the machine generated autotools scripts are just plain nasty ;-)

If it's coming from the libltdl directory... I have large amounts of cursing for them. I can't find anywhere else in the source that references that name...

Alan DeKok.
Re: Is cygwin compiled Freeradius.net stable?
Joshua Lim wrote:
> Is cygwin compiled Freeradius.net stable enough to be used in a corporate environment with a few hundred access-requests daily? Any thoughts?

It's 1.1.7, which is *very* old. It may be stable, but it's unsupported.

Alan DeKok.
Re: compile error on 2.1.2: library libltdl/libltdlc.la
John Dennis wrote:
> rgreiner wrote:
> > Hi, I just downloaded the new version for testing, but I got a compile error. Did somebody get something similar? I'm building debian packages, on Debian Lenny-RC1. To compile, I had to remove --with-system-libtool from debian/rules. Running dpkg-buildpackage -b -uc, I got the following error below after some time. Any ideas about how to proceed?
>
> I'm getting an error that I suspect is related, however I'm building with --with-system-libtool and --disable-ltdl-install
>
> error: conditional INSTALL_LTDL was never defined.
>
> I'm in the process of trying to track this down, but it's slow going because the machine generated autotools scripts are just plain nasty ;-)

O.K. I give up. I've begun to truly despise libtool. There are too many layers, obfuscations, and poorly documented configuration options to wrap my poor little brain around.

I figured out that the reason why INSTALL_LTDL was never defined is because it's defined deep inside the code which only gets turned on when --with-system-libtool is not specified. However if one removes this option then linking fails because libtool cannot find libltdl/libltdlc.la in the root of the build tree.

With the prior release (2.1.1) if I didn't define --with-system-libtool then I would get an unresolved reference to lt__PROGRAM__LTX_preloaded_symbols and I was told by our libtool maintainer this is due to incompatibilities with the files included in the tarball and the right solution is to specify --with-system-libtool so that local files are used but if I do that then it barfs on INSTALL_LTDL :-(

Googling all of this did not provide much help other than discovering I'm not the only one who thinks libtool is too hard to use. If anyone truly understands this stuff I'd love an explanation.

-- John Dennis [EMAIL PROTECTED]
Radius log files
I have included a clip from the radius log file that shows both allow and a deny. The problem that I'm having is that I need to log info that I can track back to the computer that logged on. Can I get the mac address or computer name of the computer written to the log file? I see that the computer name is logged when the user is denied.

Thu Dec 4 07:01:37 2008 : Auth: Login incorrect: [host/paolo-laptop/<via Auth-Type = EAP>] (from client linksys port 0 via TLS tunnel)
Thu Dec 4 07:01:37 2008 : Auth: Login incorrect: [host/paolo-laptop/<via Auth-Type = EAP>] (from client linksys port 44)
Thu Dec 4 07:14:17 2008 : Auth: Login OK: [bradatea/<via Auth-Type = EAP>] (from client linksys port 0 via TLS tunnel)
Thu Dec 4 07:14:17 2008 : Auth: Login OK: [bradatea/<via Auth-Type = EAP>] (from client linksys port 44)
Re: Proxy - wrong IP
Greg Woods wrote:
> > You can control this. Read radiusd.conf, and look for the documentation in the listen section.
>
> What this means in a nutshell is that there is no direct way to tell freeradius what source IP address to use when proxying (I'll be happy if I'm proven wrong on that).

Perhaps you could try reading what I said? Or, if you're not running 2.x, upgrade.

> The only way to accomplish this is to force freeradius to listen on only a single IP address (which I think is what Alan is suggesting). This will cause freeradius to use that IP as the source for anything it sends. I have run into this issue on multihomed servers and it's the only way I found to solve it.

This is documented. It works. It does what I said.

Alan DeKok.
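The listen-section feature Alan is pointing at, written out as an added fragment that is not part of the thread. The 2.x radiusd.conf documents a listener of `type = proxy` whose address is used as the source of proxied packets; the address 192.0.2.10 below is a placeholder for whichever interface the home server expects to see:

```text
# radiusd.conf (FreeRADIUS 2.x): pin the source address of proxied packets
# on a multihomed server. Only one listener of type = proxy is allowed.
listen {
        type = proxy
        ipaddr = 192.0.2.10     # placeholder: the address listed in the home server's clients.conf
        port = 0                # 0 = let the server pick the source port
}
```

The home server looks up the shared secret by the source IP of the packet it receives, so this address must be the one in its clients.conf entry; otherwise proxied requests are silently dropped as coming from an unknown client. `radiusd -X` confirms the setting with a "Listening on proxy address 192.0.2.10 ..." line at startup instead of "Listening on proxy address *".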
Re: Programatically provision users to server.
You can also browse server related stuff on github. For mysql:

http://github.com/alandekok/freeradius-server/tree/master/raddb/sql/mysql

You can get the schema from there, use it and play with RoR and the database without installing freeradius.

Ivan Kalik
Kalik Informatika ISP

On 4/12/2008, Alexandre Chapellon [EMAIL PROTECTED] wrote:
> http://wiki.freeradius.org/SQL_HOWTO
> http://wiki.freeradius.org/Rlm_sql_mysql
>
> On 04.12.2008 09:03, Matthew Carriere wrote:
> > This is great thank you. I was trying to find something in the documentation about doing this. Could anyone point me in the direction of documentation that outlines using a MySQL database for authenticating users? Is there some kind of schema that the users table must follow?
> >
> > Thanks
> > Matthew
> >
> > On 4-Dec-08, at 1:44 AM, Alan DeKok wrote:
> > > Matthew Carriere wrote:
> > > > I am thinking of adding a FreeRadius server to an existing infrastructure in order to provision users through an application.
> > >
> > > FreeRADIUS authenticates users... databases provision them.
> > >
> > > > I am currently running a WLAN controller connecting several access points. Currently users are added manually through the WLAN controller interface. Could I add a FreeRadius server and be able to programmatically add users to it? I need to be able to do this through a Ruby on Rails application.
> > >
> > > Install FreeRADIUS *and* MySQL. Use a RoR app to provision the database. Use FreeRADIUS to pull user information out of the database, and authenticate the users.
> > >
> > > Alan DeKok.
Re: Programatically provision users to server.
That's awesome. This is a much better option than what I previously thought would be necessary to set up a development environment. Has anyone done this before in any language? Any potential issues to watch out for?

Thanks.

On 4-Dec-08, at 12:43 PM, [EMAIL PROTECTED] wrote:
> You can also browse server related stuff on github. For mysql:
>
> http://github.com/alandekok/freeradius-server/tree/master/raddb/sql/mysql
>
> You can get the schema from there, use it and play with RoR and the database without installing freeradius.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 4/12/2008, Alexandre Chapellon [EMAIL PROTECTED] wrote:
> > http://wiki.freeradius.org/SQL_HOWTO
> > http://wiki.freeradius.org/Rlm_sql_mysql
> >
> > On 04.12.2008 09:03, Matthew Carriere wrote:
> > > This is great thank you. I was trying to find something in the documentation about doing this. Could anyone point me in the direction of documentation that outlines using a MySQL database for authenticating users? Is there some kind of schema that the users table must follow?
> > >
> > > Thanks
> > > Matthew
> > >
> > > On 4-Dec-08, at 1:44 AM, Alan DeKok wrote:
> > > > Matthew Carriere wrote:
> > > > > I am thinking of adding a FreeRadius server to an existing infrastructure in order to provision users through an application.
> > > >
> > > > FreeRADIUS authenticates users... databases provision them.
> > > >
> > > > > I am currently running a WLAN controller connecting several access points. Currently users are added manually through the WLAN controller interface. Could I add a FreeRadius server and be able to programmatically add users to it? I need to be able to do this through a Ruby on Rails application.
> > > >
> > > > Install FreeRADIUS *and* MySQL. Use a RoR app to provision the database. Use FreeRADIUS to pull user information out of the database, and authenticate the users.
> > > >
> > > > Alan DeKok.
Re: compile error on 2.1.2: library libltdl/libltdlc.la
John Dennis wrote:
> O.K. I give up. I've begun to truly despise libtool. There are too many layers, obfuscations, and poorly documented configuration options to wrap my poor little brain around.

The libtool people must be *much* smarter than me, because I don't understand the code. My inclination at this point is to remove libltdl entirely from the build. If your system doesn't have a functional dlopen(), it doesn't deserve to run FreeRADIUS.

> I figured out that the reason why INSTALL_LTDL was never defined is because it's defined deep inside the code which only gets turned on when --with-system-libtool is not specified. However if one removes this option then linking fails because libtool cannot find libltdl/libltdlc.la in the root of the build tree.

What the heck is libltdlc.la? I don't see it on my system when the server is being built.

> With the prior release (2.1.1) if I didn't define --with-system-libtool then I would get an unresolved reference to lt__PROGRAM__LTX_preloaded_symbols and I was told by our libtool maintainer this is due to incompatibilities with the files included in the tarball and the right solution is to specify --with-system-libtool so that local files are used but if I do that then it barfs on INSTALL_LTDL :-(
>
> Googling all of this did not provide much help other than discovering I'm not the only one who thinks libtool is too hard to use. If anyone truly understands this stuff I'd love an explanation.

libtool, libltdl, and autoconf are steaming masses of fertilizer. When FreeRADIUS started, I took a look at automake, and decided it was truly pointless. So we used gmake, and no one has ever really complained. If you look at the source code, there are a few references to WITHOUT_LIBLTLDL. It still requires some finalization, but it's been known to work (after some edits) on some systems. I might just spend some time removing ltdl from the system entirely.

Alan DeKok.
Re: Programatically provision users to server.
> Has anyone done this before in any language?

I've done it in ASP.NET (C#), php and perl (on separate occasions). You actually have dialup admin (php) included with the server. That is not under active development. daloRadius is (you will find the developer lurking on this list).

> Any potential issues to watch out for?

Not much. Changes from version to version might require application alterations. Schema, attributes, operators are not set in stone.

Ivan Kalik
Kalik Informatika ISP
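The database side of the design Alan and Ivan describe, as an added Ruby example that is not code from the thread, from FreeRADIUS, or from any of the admin tools Ivan names. The table and column names are those of the 2.x raddb/sql/mysql/schema.sql (radcheck, radreply, radusergroup); the module name, the method names and the username/group patterns are assumptions for illustration. It builds parameterized statements so a Rails app can hand them to its database adapter, rejects usernames that could carry SQL or users-file syntax, and shows that deprovisioning must touch all three tables:

```ruby
# Added example: rows a provisioning app writes for FreeRADIUS 2.x rlm_sql.
# Tables and columns follow raddb/sql/mysql/schema.sql; the module name,
# method names and the name patterns are assumptions for this example.
module RadiusProvisioner
  # radcheck/radreply: (username, attribute, op, value)
  # radusergroup:      (username, groupname, priority)
  USERNAME_RE = /\A[A-Za-z0-9._@\-]{1,64}\z/
  GROUP_RE    = /\A[A-Za-z0-9._\-]{1,64}\z/

  # Build the rows for one user. 'Cleartext-Password' with ':=' is the form
  # the 2.x documentation asks for: rlm_pap checks PAP against it and
  # rlm_mschap can derive MS-CHAP responses from it. The 1.x-style
  # 'Password ==' row seen in older setups is not a known-good password.
  # Reply attributes (e.g. Framed-Pool) and group memberships are optional;
  # group priority follows list order, lowest number first.
  def self.user_rows(username, password, groups: [], reply: {})
    raise ArgumentError, 'invalid username' unless username =~ USERNAME_RE
    raise ArgumentError, 'empty password' if password.to_s.empty?
    bad = groups.reject { |g| g =~ GROUP_RE }
    raise ArgumentError, "invalid group name(s): #{bad.inspect}" unless bad.empty?

    rows = []
    rows << ['radcheck', { username: username, attribute: 'Cleartext-Password',
                           op: ':=', value: password }]
    reply.each do |attr, val|
      rows << ['radreply', { username: username, attribute: attr.to_s,
                             op: ':=', value: val.to_s }]
    end
    groups.each_with_index do |g, i|
      rows << ['radusergroup', { username: username, groupname: g, priority: i + 1 }]
    end
    rows
  end

  # Turn rows into parameterized INSERTs: [sql_with_placeholders, bind_values].
  # Values are never interpolated into the SQL text, so a username such as
  # "x' OR 1=1 --" cannot alter the statement (it is also rejected above).
  def self.to_sql(rows)
    rows.map do |table, cols|
      placeholders = Array.new(cols.size, '?').join(', ')
      ["INSERT INTO #{table} (#{cols.keys.join(', ')}) VALUES (#{placeholders})",
       cols.values]
    end
  end

  # Statements that remove everything provisioned for a user. All three
  # tables must be cleared: a stale radcheck row keeps the account alive.
  def self.delete_sql(username)
    raise ArgumentError, 'invalid username' unless username =~ USERNAME_RE
    %w[radcheck radreply radusergroup].map do |t|
      ["DELETE FROM #{t} WHERE username = ?", [username]]
    end
  end
end
```

The rows for the thread's test user would be `RadiusProvisioner.to_sql(RadiusProvisioner.user_rows('rtest', 'SEKRAT', groups: ['HS1']))`. Cleartext-Password is stored unencrypted, which is what MS-CHAPv2 needs; if only PAP (or PAP inside TTLS) is in use, rlm_pap also accepts hashed forms such as Crypt-Password or SSHA-Password, and storing one of those instead limits what a database compromise exposes. Either way, the database user the Rails app connects as should only have INSERT/UPDATE/DELETE on these tables, and the account FreeRADIUS uses should be read-only on them (plus write on radacct if accounting is enabled).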
radtest nasname IP address support?
Hi,

radiusd: FreeRADIUS Version 1.1.7

radiusd nasname could be host name only. It would be convenient if it could also be ip as radiusserver in radtest. Is it supported in new version?

Thanks.
Schilling
Re: Radius log files
> I have included a clip from the radius log file that shows both allow and a deny. The problem that I'm having is that I need to log info that I can track back to the computer that logged on. Can I get the mac address or computer name of the computer written to the log file? I see that the computer name is logged when the user is denied.

Do radiusd -X and see if mac address (computer name will not appear for user authentication) appears in the request attributes (Calling-Station-Id is the most likely). If it does, you can log it. See linelog module.

Ivan Kalik
Kalik Informatika ISP
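Ivan's suggestion written out as an added linelog fragment for 2.x (not text from the thread). The file name and the log format are assumptions; the attribute names are standard RADIUS ones and `%l` is the 2.x request-timestamp expansion:

```text
# /etc/raddb/modules/linelog  (FreeRADIUS 2.x)
linelog {
        filename = ${logdir}/auth-by-mac.log
        # request time, NAS, user, client MAC as the NAS reported it, result
        format = "%l %{Packet-Src-IP-Address} %{User-Name} %{Calling-Station-Id} %{reply:Packet-Type}"
}

# /etc/raddb/sites-enabled/default
# Log from the outer request, which is the one that carries Calling-Station-Id
# from the NAS; the inner-tunnel request only sees it if
# copy_request_to_tunnel = yes is set in eap.conf.
post-auth {
        linelog
        Post-Auth-Type REJECT {
                linelog
        }
}
```

Two caveats before using the result for attribution. Calling-Station-Id is whatever the NAS chose to put in the packet (a MAC on most wireless gear, a phone number on dial-up), and it is not bound to the client by any cryptography, so it identifies the interface that associated, not a verified machine. And the `host/paolo-laptop` in the rejected lines above is the Windows machine-account identity, which only appears when the computer itself authenticates; for a user logon the User-Name is the user's, as Ivan says, so the MAC is the only per-device field available.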
Re: Proxy - wrong IP
I got it working once I upgraded to 2.1.2. Guess something was wrong with my 2.1.1 install. A pity that it's not possible to have more than one proxy listener as this would be very useful. I guess I'll have to nest multiple freeradius installs in the future when I need to proxy to other networks.

Cheers,
Jørn

> Greg Woods wrote:
> > > You can control this. Read radiusd.conf, and look for the documentation in the listen section.
> >
> > What this means in a nutshell is that there is no direct way to tell freeradius what source IP address to use when proxying (I'll be happy if I'm proven wrong on that).
>
> Perhaps you could try reading what I said? Or, if you're not running 2.x, upgrade.
>
> > The only way to accomplish this is to force freeradius to listen on only a single IP address (which I think is what Alan is suggesting). This will cause freeradius to use that IP as the source for anything it sends. I have run into this issue on multihomed servers and it's the only way I found to solve it.
>
> This is documented. It works. It does what I said.
>
> Alan DeKok.
include_length and EAP-TTLS
I wonder if this is a small violation of the EAP-TTLS RFC (5281). In RFC 5281 http://tools.ietf.org/html/rfc5281#section-9.2.2, it states:

   Fragments other than the first MUST NOT have the L bit set.

... while this behavior is configurable in eap.conf:

        # include_length is a flag which is
        # by default set to yes If set to
        # yes, Total Length of the message is
        # included in EVERY packet we send.
        # If set to no, Total Length of the
        # message is included ONLY in the
        # First packet of a fragment series.
        #
        # include_length = yes

I understand that it is for EAP-TLS (which does not have this restriction) but I think EAP-TTLS is controlled by the same line. (?) I confess that I only actually SEE the behavior in the now ancient 1.1.6 version, and only took a quick look at the 2.1.0 config file and source code. I apologize if I missed something or this had been brought up before.

-gong
usergroup
Hi All,

I have a few problems. I have freeradius version 1.0.5 running with rlm_sql.

radcheck : username, attribute, op, value
test1,password,==,testpass
test2,password,==,testpass

radreply : none

radusergroup :
test1,HS1
test2,HS2
test2,HS1

radgroupcheck : groupname, attribute, op, value
HS1,Called-Station-Id,==,device1
HS2,Called-Station-Id,==,device2

radgroupreply : groupname, attribute, op, value, prio
HS1,Framed-Pool,=,pool1,0
HS2,Framed-Pool,=,pool2,0

The problem is user test1 and test2 can connect and get pool1 but user test2 can't connect and can't get pool2. I already use Fall-Through = Yes in radreply and radgroupreply, but it still does not work. When I use freeradius 2.1.1, that setting works. Does freeradius 1.0.5 not support multiple groups, or is something wrong with my setting? How many groups can be assigned to one user in freeradius 2.1.1?
Re: include_length and EAP-TTLS
Gong Cheng wrote:
> I wonder if this is a small violation of the EAP-TTLS RFC (5281). In RFC 5281 http://tools.ietf.org/html/rfc5281#section-9.2.2, it states:
>
>    Fragments other than the first MUST NOT have the L bit set.
>
> ... while this behavior is configurable in eap.conf:
> ...
> I confess that I only actually SEE the behavior in the now ancient 1.1.6 version, and only took a quick look at the 2.1.0 config file and source code. I apologize if I missed something or this had been brought up before.

I don't think it's serious. I don't know why this is a MUST NOT, because it makes very little difference to the protocol. And supplicants that break if the L bit is set on second fragments are badly written.

Alan DeKok.
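To make concrete what the option changes on the wire, here is an added Ruby model of EAP-TTLS fragmentation with a checker for the RFC 5281 section 9.2.2 rule Gong quotes. It is not FreeRADIUS code: the type value 21 and the flag bits (L = 0x80, M = 0x40, S = 0x20, version in the low three bits) are from the RFC, the `include_length` parameter mirrors the eap.conf flag by name only, and the TLS record bytes in the usage are constructed. It also checks the M (more fragments) bit, which the quoted sentence does not cover:

```ruby
# Added example: EAP-TTLS Type-Data fragmentation plus a checker for
# RFC 5281 section 9.2.2 ("fragments other than the first MUST NOT have
# the L bit set"). Models the include_length behaviour; not FreeRADIUS code.
module EapTtlsFrag
  TYPE_TTLS = 21
  FLAG_L = 0x80   # Length included: a 4-byte Message Length follows Flags
  FLAG_M = 0x40   # More fragments follow
  FLAG_S = 0x20   # Start of conversation (not used by this model)

  # Split one TLS record blob into EAP-TTLS Type-Data payloads laid out as
  #   Type(1) | Flags(1) | [Message Length(4) if L] | Data
  # include_length: true  -> L on every fragment (the eap.conf default; violates 9.2.2)
  #                 false -> L only on the first fragment
  def self.fragment(tls_data, max_frag, include_length: true, version: 0)
    tls_data = tls_data.b                     # work on raw bytes
    total = tls_data.bytesize
    frags = []
    offset = 0
    first = true
    while first || offset < total
      chunk = tls_data.byteslice(offset, max_frag)
      offset += chunk.bytesize
      flags = version & 0x07
      flags |= FLAG_M if offset < total
      flags |= FLAG_L if first || include_length
      hdr = [TYPE_TTLS, flags].pack('CC')
      hdr << [total].pack('N') if (flags & FLAG_L) != 0
      frags << hdr + chunk
      first = false
    end
    frags
  end

  # Parse one Type-Data payload into its header fields.
  def self.parse(frag)
    type, flags = frag.unpack('CC')
    raise ArgumentError, "not EAP-TTLS (type #{type.inspect})" unless type == TYPE_TTLS
    has_l = (flags & FLAG_L) != 0
    hdr_len = has_l ? 6 : 2
    raise ArgumentError, 'truncated header' if frag.bytesize < hdr_len
    { l: has_l, m: (flags & FLAG_M) != 0, s: (flags & FLAG_S) != 0,
      version: flags & 0x07,
      length: has_l ? frag.unpack('xxN')[0] : nil,   # skip Type+Flags, read Message Length
      data: frag.byteslice(hdr_len, frag.bytesize) }
  end

  # Validate a fragment series and reassemble it. Returns
  # [violations (array of strings, empty when compliant), reassembled_bytes].
  def self.check_series(frags)
    parsed = frags.map { |f| parse(f) }
    last = parsed.size - 1
    violations = []
    parsed.each_with_index do |p, i|
      violations << "fragment #{i}: L bit set on a non-first fragment" if i > 0 && p[:l]
      violations << "fragment #{i}: M bit set on the last fragment" if i == last && p[:m]
      violations << "fragment #{i}: M bit clear but fragments follow" if i < last && !p[:m]
    end
    data = parsed.map { |p| p[:data] }.join
    if parsed[0][:l] && parsed[0][:length] != data.bytesize
      violations << "declared length #{parsed[0][:length]} != reassembled #{data.bytesize}"
    end
    [violations, data]
  end
end
```

Running `EapTtlsFrag.check_series(EapTtlsFrag.fragment(record, 400, include_length: true))` on a 1000-byte record reports two violations (fragments 1 and 2 carry L) while `include_length: false` reports none, and both reassemble to the same bytes, which is Alan's point that the bit makes no difference to the data. The Message Length check is the part a receiving side should care about: a peer that trusts a declared length larger than what actually arrives, or allocates on it before the fragments come in, is the classic reassembly bug, so a parser should cap the declared length and compare it with the reassembled size as done here.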
Re: radtest nasname IP address support?
schilling wrote:
> radiusd nasname could be host name only. It would be convenient if it could also be ip as radiusserver in radtest.

What does that mean? The server can use hostname or IP address almost anywhere...

Alan DeKok.
Re: Proxy - wrong IP
Jørn Kostøl wrote:
> I got it working once I upgraded to 2.1.2. Guess something was wrong with my 2.1.1 install. A pity that it's not possible to have more than one proxy listener as this would be very useful.

It's possible to add that feature to the code. But it's not a priority right now.

> I guess I'll have to nest multiple freeradius installs in the future when I need to proxy to other networks.

It's easier to fix the code, quite frankly.

Alan DeKok.
Re: radius user queries for uid anonymous in ldap
Sergio Belkin wrote:
> That solved it. Now it remains a little problem on radiusd.log:
>
> Thu Dec 4 09:07:51 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.

Your LDAP server is likely timing out the connections.

Alan DeKok.
Re: include_length and EAP-TTLS
(sorry i still don't know how to reply into a thread from yahoo web mail)

Yeah I agree. All the supplicants I used are ok with that. I just thought I might point it out ... Thanks for your reply Alan.

On Fri, 05 Dec 2008 07:58:14 +0100, Alan DeKok wrote (Re: include_length and EAP-TTLS):
> Gong Cheng wrote:
> > I wonder if this is a small violation of the EAP-TTLS RFC (5281). In RFC 5281 http://tools.ietf.org/html/rfc5281#section-9.2.2, it states:
> >
> >    Fragments other than the first MUST NOT have the L bit set.
> >
> > ... while this behavior is configurable in eap.conf:
> > ...
> > I confess that I only actually SEE the behavior in the now ancient 1.1.6 version, and only took a quick look at the 2.1.0 config file and source code. I apologize if I missed something or this had been brought up before.
>
> I don't think it's serious. I don't know why this is a MUST NOT, because it makes very little difference to the protocol. And supplicants that break if the L bit is set on second fragments are badly written.
>
> Alan DeKok.