RE: chap authentication and freeradius
Ok, you are telling me that my router is not sending chap??? I will check on Monday and will send my config again.

> To: freeradius-users@lists.freeradius.org
> Subject: RE: chap authentication and freeradius
> Date: Sun, 1 Feb 2009 03:22:38 +0100
> From: t...@kalik.net
>
> >I have this when the user tries to authenticate, but on Monday I will post all
> >info of the freeradius -X
>
> The request would be nice.
>
> >Why does the radius tell me rlm_chap: Attribute "CHAP-Password" is required for
> >authentication. ???
>
> Because you are forcing Auth-Type CHAP on something that isn't a chap
> request.
>
> >auth: type "CHAP" +- entering group CHAP rlm_chap: Attribute "CHAP-Password"
> >is required for authentication. ++[chap] returns invalid
>
> Ivan Kalik
> Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: chap authentication and freeradius
>I have this when the user tries to authenticate, but on Monday I will post all
>info of the freeradius -X

The request would be nice.

>Why does the radius tell me rlm_chap: Attribute "CHAP-Password" is required for
>authentication. ???

Because you are forcing Auth-Type CHAP on something that isn't a chap request.

>auth: type "CHAP" +- entering group CHAP rlm_chap: Attribute "CHAP-Password"
>is required for authentication. ++[chap] returns invalid

Ivan Kalik
Kalik Informatika ISP
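Added example, not part of the thread and not FreeRADIUS code: a small Python model of the check behind the rlm_chap message in the reply above. It verifies CHAP as defined in RFC 1994 and RFC 2865 and shows a request that carries User-Password coming back invalid when CHAP is forced; the function names, the dict layout and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def chap_response(chap_id, password, challenge):
    # RFC 1994: response = MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def detect_method(request):
    # Decide from the attributes the NAS actually sent, not from a forced setting.
    if "CHAP-Password" in request:
        return "CHAP"
    if "User-Password" in request:
        return "PAP"
    return "UNKNOWN"

def authenticate(request, cleartext, forced_auth_type=None):
    method = forced_auth_type or detect_method(request)
    if method == "CHAP":
        value = request.get("CHAP-Password")
        if value is None:
            return "invalid: CHAP-Password is required"
        if len(value) != 17:  # 1-byte CHAP identifier + 16-byte MD5 digest
            return "invalid: malformed CHAP-Password"
        # RFC 2865: use CHAP-Challenge if present, else the Request Authenticator.
        challenge = request.get("CHAP-Challenge") or request["Authenticator"]
        expected = chap_response(value[0], cleartext, challenge)
        return "ok" if hmac.compare_digest(expected, value[1:]) else "reject"
    if method == "PAP":
        # Assumption: User-Password has already been decoded with the shared secret.
        return "ok" if hmac.compare_digest(request["User-Password"], cleartext) else "reject"
    return "invalid: no supported password attribute"

# Constructed sample data, not taken from the thread.
PASSWORD = b"example-pass"
CHALLENGE = bytes(range(16))
AUTHENTICATOR = bytes(range(16, 32))
PAP_REQ = {"User-Name": "testuser", "User-Password": PASSWORD,
           "Authenticator": AUTHENTICATOR}
CHAP_REQ = {"User-Name": "testuser", "CHAP-Challenge": CHALLENGE,
            "CHAP-Password": bytes([7]) + chap_response(7, PASSWORD, CHALLENGE),
            "Authenticator": AUTHENTICATOR}
# CHAP request without CHAP-Challenge: the Request Authenticator is the challenge.
CHAP_REQ_NO_CHAL = {"User-Name": "testuser", "Authenticator": AUTHENTICATOR,
                    "CHAP-Password": bytes([9]) + chap_response(9, PASSWORD, AUTHENTICATOR)}

if __name__ == "__main__":
    for name, req, forced in [("PAP forced to CHAP", PAP_REQ, "CHAP"),
                              ("PAP auto-detected", PAP_REQ, None),
                              ("CHAP auto-detected", CHAP_REQ, None)]:
        print(name, "->", authenticate(req, PASSWORD, forced))
```

The CHAP branch can only recompute the digest from the cleartext password, which is why the server needs a Cleartext-Password entry for CHAP users.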
RE: chap authentication and freeradius
Sorry for the last email; this is the correct one with my question.

I have this when the user tries to authenticate, but on Monday I will post all info of the freeradius -X

Why does the radius tell me rlm_chap: Attribute "CHAP-Password" is required for authentication. ???

auth: type "CHAP"
+- entering group CHAP
rlm_chap: Attribute "CHAP-Password" is required for authentication.
++[chap] returns invalid
auth: Failed to validate the user.
Login incorrect: [Olga1/akrd24bf] (from client localhost port 1)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> olga1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 10 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 10
Sending Access-Reject of id 206 to 127.0.0.1 port 59528
Waking up in 4.9 seconds.
Cleaning up request 10 ID 206 with timestamp +1508
Ready to process requests.

Thanks to all you boys for trying to understand me and trying to help me!
RE: chap authentication and freeradius
I have this when the user tries to authenticate, but on Monday I will post all info of the freeradius -X

auth: type "CHAP"
+- entering group CHAP
rlm_chap: Attribute "CHAP-Password" is required for authentication.
++[chap] returns invalid
auth: Failed to validate the user.
Login incorrect: [Olga1/akrd24bf] (from client localhost port 1)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> alex
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 10 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 10
Sending Access-Reject of id 206 to 127.0.0.1 port 59528
Waking up in 4.9 seconds.
Cleaning up request 10 ID 206 with timestamp +1508
Ready to process requests.
RE: chap authentication and freeradius
>and my freeradius -X was :
>
>FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Nov 14 2008 at
>11:57:03
>Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>PARTICULAR PURPOSE.
>You may redistribute copies of FreeRADIUS under the terms of the
>GNU General Public License v2.
>Starting - reading configuration files ...
..
..
>Listening on authentication address 192.168.1.49 port 1812
>Listening on accounting address * port 1813
>Listening on proxy address 192.168.1.49 port 1814
>Ready to process requests.
>

I don't see sql anywhere in the server startup.

>my radiusd.conf :
>
>mschap {
> authtype = MS-CHAP
> use_mppe = yes
> require_strong = yes
>}
>
>authorize {
> preprocess
> chap
> mschap
> suffix
> eap
> files
> sql
> pap
> }
>authenticate {
>
>Auth-Type CHAP {
>chap
>}
>Auth-Type MS-CHAP {
>mschap
>}
>
>eap
>}
>
>
>
>
>preacct {
>preprocess
>suffix
>files
>}
>
>
>accounting {
> detail
> sql
>acct_unique
> }
>
>
>session {
>
>sql
>
>
>}

Are you sure *this* radiusd.conf belongs to the server you are debugging? It doesn't look like 2.1.0 radiusd.conf.

Ivan Kalik
Kalik Informatika ISP
RE: chap authentication and freeradius
..
>Listening on authentication address 192.168.1.49 port 1812
>Listening on accounting address * port 1813
>Listening on proxy address 192.168.1.49 port 1814
>Ready to process requests.
>

You didn't send the request. The idea is to debug the request processing that "isn't working".

Ivan Kalik
Kalik Informatika ISP
RE: chap authentication and freeradius
Here I post the tables and the config files:

+------------------+
| Tables_in_radius |
+------------------+
| badusers         |
| mtotacct         |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
| totacct          |
| userinfo         |
+------------------+

mysql> SELECT * FROM radcheck WHERE username = 'aledecchi' ORDER BY id;
+----+----------+--------------------+----+--------+
| id | username | attribute          | op | value  |
+----+----------+--------------------+----+--------+
|  5 | alex     | Cleartext-Password | := | 123456 |
+----+----------+--------------------+----+--------+
1 row in set (0.00 sec)

mysql> select * from radcheck;
+----+----------+--------------------+----+--------+
| id | username | attribute          | op | value  |
+----+----------+--------------------+----+--------+
|  5 | alex     | Cleartext-Password | := | 123456 |
|    |          |                    |    |        |
+----+----------+--------------------+----+--------+
2 rows in set (0.02 sec)

mysql> select * from radgroupcheck;
Empty set (0.03 sec)

mysql> select * from radgroupreply;
Empty set (0.03 sec)

mysql> select * from radpostauth;
Empty set (0.04 sec)

mysql> select * from radreply;
Empty set (0.00 sec)

mysql> select * from radusergroup;
Empty set (0.00 sec)

mysql> select * from totacct;
Empty set (0.03 sec)

mysql> select * from userinfo;
+----+----------+--------+-------------+------------+-----------+-----------+--------+
| id | UserName | Name   | Mail        | Department | WorkPhone | HomePhone | Mobile |
+----+----------+--------+-------------+------------+-----------+-----------+--------+
|  1 | dd       | -dd    | asasasasasa | -          | -         | -         | -      |
|  4 | alex     | dsdsds |             |            |           |           |        |
+----+----------+--------+-------------+------------+-----------+-----------+--------+
2 rows in set (0.06 sec)

and my freeradius -X was :

FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Nov 14 2008 at 11:57:03
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/free
Re: chap authentication and freeradius
>I have installed Freeradius and dialup admin and mysql
>I configured them both! I have an application called vyatta. I am trying
>to make this vyatta validate the users with the freeradius
>I configured the admin.conf with chap and clear-password and I set that
>the passwords are stored in clear in the database too.
>But when I try to log in with a user that uses chap authentication, the
>freeradius told me that it needs a clear password!
>
>What is wrong ???

Post the debug (radiusd -X) and what you entered into the database.

Ivan Kalik
Kalik Informatika ISP
Re: Reject user by Calling-Station-Id
Here is a trick from the old days:

Create a huntgroup like:

blocked         Calling-Station-Id == whatever
                SQL-Group == "suspend"

Where suspend is the group with Auth-Type := Reject in it. That will block him if he is in suspend group or not (only the message in radius.log will be different). It means using huntgroups file and restart for each change to it but if it's only 3 users ...

Ivan Kalik
Kalik Informatika ISP

On 31/1/2009, "Alex M" wrote:

>damn, upgrade will be painful for me :(
>I guess I will try to use other means to block misbehaving users. At least
>we got only 3 people who try to free ride.
>
>thanks for help
>
>2009/1/31
>
>> Ah, sql groups don't work properly in 1.x. Upgrade.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 31/1/2009, "Alex M" wrote:
>>
>> >I guess it's different in newer version of radius but in my 1.5 the only
>> >table that has PRIO is radgroupreply
>> >
>> >and there is table radusergroup instead there is a group called usergroup.
>> >
>> >I'm getting frustrated. :(
>> >
>> >On Fri, Jan 30, 2009 at 7:32 PM, wrote:
>> >
>> >> >Tried that...
>> >> >now I'm getting all users rejected regardless of mac address in the given
>> >> >group :(
>> >>
>> >> That shouldn't happen. Post the debug.
>> >>
>> >> >How do I set priorities?
>> >>
>> >> You have priority field in radusergroup table.
>> >>
>> >> >I thought priorities only apply to radreply.
>> >>
>> >> There are no priorities in radreply.
>> >>
>> >> >
>> >> >Do I have to set fall through?
>> >> >
>> >>
>> >> No.
>> >>
>> >> Ivan Kalik
>> >> Kalik Informatika ISP
chap authentication and freeradius
Hi Freeradius users!

I have installed Freeradius and dialup admin and mysql. I configured them both! I have an application called vyatta. I am trying to make this vyatta validate the users with the freeradius. I configured the admin.conf with chap and clear-password and I set that the passwords are stored in clear in the database too. But when I try to log in with a user that uses chap authentication, the freeradius told me that it needs a clear password!

What is wrong ??? Can someone help me to configure Freeradius, dialup admin and mysql with chap authentication ??
Re: Certificate Provisioning for EAP-TLS Networks
> How do you get the certificates on the device in the first place?

Well - that's the problem. I would like for there to be a USB cable method of putting the key material on the device. Then we could build some nifty client script to automate the provisioning. But these devices in particular don't have that.

As it is - we need to set up some ad-hoc or other non-routed WLAN with PSK or WEP security, put the device(s) on there and at that point the devices can pull the certs down via http or tftp.

So, here's how it goes in our test environment. We have the 'production' WLAN which must remain WPA2/EAP-TLS. For compliance there is no flexibility of the security of that WLAN. *sigh* OK no worries it makes it a cool problem to solve. :-)

So I've just got a laptop temporarily set up with a little ad-hoc network for provisioning the phones via tftp. These will be in a dozen remote locations so I need to build a solution enabling rapid provisioning of the devices with minimal local technical oversight.

--
Matt
Re: Reject user by Calling-Station-Id
damn, upgrade will be painful for me :(
I guess I will try to use other means to block misbehaving users. At least we got only 3 people who try to free ride.

thanks for help

2009/1/31

> Ah, sql groups don't work properly in 1.x. Upgrade.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 31/1/2009, "Alex M" wrote:
>
> >I guess it's different in newer version of radius but in my 1.5 the only
> >table that has PRIO is radgroupreply
> >
> >and there is table radusergroup instead there is a group called usergroup.
> >
> >I'm getting frustrated. :(
> >
> >On Fri, Jan 30, 2009 at 7:32 PM, wrote:
> >
> >> >Tried that...
> >> >now I'm getting all users rejected regardless of mac address in the given
> >> >group :(
> >>
> >> That shouldn't happen. Post the debug.
> >>
> >> >How do I set priorities?
> >>
> >> You have priority field in radusergroup table.
> >>
> >> >I thought priorities only apply to radreply.
> >>
> >> There are no priorities in radreply.
> >>
> >> >
> >> >Do I have to set fall through?
> >> >
> >>
> >> No.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
Re: Reject user by Calling-Station-Id
Ah, sql groups don't work properly in 1.x. Upgrade.

Ivan Kalik
Kalik Informatika ISP

On 31/1/2009, "Alex M" wrote:

>I guess it's different in newer version of radius but in my 1.5 the only
>table that has PRIO is radgroupreply
>
>and there is table radusergroup instead there is a group called usergroup.
>
>I'm getting frustrated. :(
>
>On Fri, Jan 30, 2009 at 7:32 PM, wrote:
>
>> >Tried that...
>> >now I'm getting all users rejected regardless of mac address in the given
>> >group :(
>>
>> That shouldn't happen. Post the debug.
>>
>> >How do I set priorities?
>>
>> You have priority field in radusergroup table.
>>
>> >I thought priorities only apply to radreply.
>>
>> There are no priorities in radreply.
>>
>> >
>> >Do I have to set fall through?
>> >
>>
>> No.
>>
>> Ivan Kalik
>> Kalik Informatika ISP