Re: problem with ldap authentication
Alan DeKok wrote:
> Frank Bonnet wrote:
>> is it possible to use freeradius with NIS instead of LDAP ?
>> thanks
>
> Yes. NIS is just a different way of getting users to "seem" to be in
> /etc/passwd. So there shouldn't be anything to do. Just install the
> server, and it should work.
>
> Alan DeKok.

You mean uncomment the /etc/passwd entry in this section of the radiusd.conf file, right?

# Unix /etc/passwd style authentication

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: problem with ldap authentication
Alan DeKok wrote:
> Frank Bonnet wrote:
>> is it possible to use freeradius with NIS instead of LDAP ?
>> thanks
>
> Yes. NIS is just a different way of getting users to "seem" to be in
> /etc/passwd. So there shouldn't be anything to do. Just install the
> server, and it should work.
>
> Alan DeKok.

OK thanks a lot
Re: Logging the return code from the ldap authentication to SQL.
Alan DeKok wrote:
>
> Augusto G. Andreollo wrote:
>> Hmm.. thing is, the post-auth sql query is already being processed, to
>> log the Access-Reject..
>
> Yes.. I know. But the return code from the LDAP module in the
> *authorize* section is lost by then.
>
>> Is there any other way I could extract the
>> rejection reason from the LDAP module, to add to this query?
>
> It's not in the LDAP module.
>
> See src/main/modcall.c for the code that handles calling modules, and
> the return codes. If you really need this functionality, send a patch.
>
I did. It's bitrotting in your bug database; currently offline so obviously I cannot pull out a linky. It makes the xlat module failure-aware; it's an intrusive patch but works for us and gives us LDAP failover support cleanly.

Same goes for bug #544, to provide the ldap DN when needed[1]. :(

If you look back in your personal INBOX (if you go back that far) to Sept 1st 2008 you will see this patch being referred to.

All my patches live on my dumper space:

http://stuff.digriz.org.uk/freeradius/

Cheers

[1] it pains me this patch is not there, the LDAP maintainer seems AWOL and no one will touch it

--
Alexander Clouter
.sigmonster says: Marriage is the waste-paper basket of the emotions.
Re: FreeRadius, PostgreSQL and DaloRadius
> Login attempt after setup results in an error.
> Please, what do I do wrong?
>
> Database connection error
> Error Message: DB Error: not found
> Debug: Unable to include the DB/postgresql.php file for
> 'postgresql://radius:radp...@127.0.0.1/radius'
>
That's not a freeradius error. Try the daloRadius forum.

Ivan Kalik
Kalik Informatika ISP
Re: Correct operator in radcheck
> I have been working with freeradius for several years, but recently a
> question came up: I do not want the johndoe account to ever connect from NASes with
> Client IP:
>
> * 195.56.53.23
> * 96.53.26.59
> * 56.15.86.35
> * 56.15.86.36
>
> I know I have to use the attribute Client-IP-Address, so radcheck will
> contain:
>
> username attribute op value
>
> johndoe Cleartext-Password := mypassword
> johndoe Client-IP-Address ?? 195.56.53.23
> johndoe Client-IP-Address ?? 96.53.26.59
> johndoe Client-IP-Address ?? 56.15.86.35
> johndoe Client-IP-Address ?? 56.15.86.36
>
> What is the correct op that I have to write?

That can't work. You have to put those client IPs into a huntgroup:

nojohndoe Client-IP-Address == 195.56.53.23
nojohndoe Client-IP-Address == 96.53.26.59
etc.

Then use:

johndoe Huntgroup-Name == nojohndoe

If you don't want to use the huntgroups file you can create huntgroups with sql and unlang:

http://wiki.freeradius.org/SQL_Huntgroup_HOWTO

Ivan Kalik
Kalik Informatika ISP
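A small Python model of the huntgroups-then-users matching Ivan describes, added here as an example and not FreeRADIUS's own code. It assumes the users entry that tests Huntgroup-Name also sets Auth-Type := Reject (the reply shows only the comparison), models check items as ANDed within an entry with the first matching entry winning, and uses the four NAS addresses from the question plus one constructed address that is not in the group.

```python
"""Simplified model of FreeRADIUS huntgroups + users-file matching (added example).

Modelled rules (a simplification, not the full users-file semantics):
  * a huntgroups entry matches when ALL its check items match the request;
    the first matching entry sets Huntgroup-Name on the request;
  * users entries are tried top to bottom; '==' and '!=' compare request
    attributes, ':=' sets a control item (Auth-Type, Cleartext-Password);
    the first entry whose check items all match decides the outcome.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    name: str      # username, or huntgroup name; "DEFAULT" matches any user
    checks: list   # [(attribute, operator, value), ...]


def _check_item_matches(attr, op, value, request, control):
    """Evaluate one check item; ':=' records a control item and always matches."""
    if op == ":=":
        control[attr] = value
        return True
    have = request.get(attr)
    if op == "==":
        return have == value
    if op == "!=":
        return have != value
    raise ValueError(f"unsupported operator {op!r}")


def huntgroup_name(huntgroups, request):
    """Return the first huntgroup whose check items all match, else None."""
    for entry in huntgroups:
        if all(_check_item_matches(a, o, v, request, {}) for a, o, v in entry.checks):
            return entry.name
    return None


def evaluate(users, huntgroups, request):
    """Return 'accept' or 'reject' for a cleartext-password request."""
    req = dict(request)
    hg = huntgroup_name(huntgroups, req)
    if hg is not None:
        req["Huntgroup-Name"] = hg
    for entry in users:
        if entry.name not in ("DEFAULT", req.get("User-Name")):
            continue
        control = {}
        if all(_check_item_matches(a, o, v, req, control) for a, o, v in entry.checks):
            if control.get("Auth-Type") == "Reject":
                return "reject"
            return "accept" if control.get("Cleartext-Password") == req.get("User-Password") else "reject"
    return "reject"   # no entry matched


# Constructed configuration mirroring the reply: the four NAS addresses from the
# question form the huntgroup; the reject entry must come before the password entry.
HUNTGROUPS = [Entry("nojohndoe", [("Client-IP-Address", "==", ip)])
              for ip in ("195.56.53.23", "96.53.26.59", "56.15.86.35", "56.15.86.36")]
USERS = [
    Entry("johndoe", [("Huntgroup-Name", "==", "nojohndoe"), ("Auth-Type", ":=", "Reject")]),
    Entry("johndoe", [("Cleartext-Password", ":=", "mypassword")]),
]


def demo():
    """Same user and password from a blocked NAS and from a constructed, allowed one."""
    blocked = {"User-Name": "johndoe", "User-Password": "mypassword",
               "Client-IP-Address": "96.53.26.59"}
    allowed = dict(blocked, **{"Client-IP-Address": "10.0.0.5"})   # constructed address
    return evaluate(USERS, HUNTGROUPS, blocked), evaluate(USERS, HUNTGROUPS, allowed)


if __name__ == "__main__":
    print(demo())
```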
FreeRadius, PostgreSQL and DaloRadius
Login attempt after setup results in an error. Please, what do I do wrong?

Database connection error
Error Message: DB Error: not found
Debug: Unable to include the DB/postgresql.php file for 'postgresql://radius:radp...@127.0.0.1/radius'

Sunday
Re: problem with ldap authentication
Frank Bonnet wrote:
> is it possible to use freeradius with NIS instead of LDAP ?
> thanks

Yes. NIS is just a different way of getting users to "seem" to be in /etc/passwd. So there shouldn't be anything to do. Just install the server, and it should work.

Alan DeKok.
Correct operator in radcheck
Hi,

I have been working with freeradius for several years, but recently a question came up: I do not want the johndoe account to ever connect from NASes with Client IP:

* 195.56.53.23
* 96.53.26.59
* 56.15.86.35
* 56.15.86.36

I know I have to use the attribute Client-IP-Address, so radcheck will contain:

username attribute op value

johndoe Cleartext-Password := mypassword
johndoe Client-IP-Address ?? 195.56.53.23
johndoe Client-IP-Address ?? 96.53.26.59
johndoe Client-IP-Address ?? 56.15.86.35
johndoe Client-IP-Address ?? 56.15.86.36

What is the correct op that I have to write?

Thank you!!
Re: problem with ldap authentication
Alan DeKok wrote:
> Frank Bonnet wrote:
>> OK here is the debug of one failed session
> ...
>> rlm_ldap: performing search in dc=esiee,dc=fr, with filter (uid=xxx)
>> rlm_ldap: object not found or got ambiguous search result
>
> Well, that's relatively clear.
>
> There's no such user, OR it got multiple responses.
>
> You need to fix the LDAP configuration so that it can find the user's
> clear-text password in LDAP. This can be awkward... and I'm not an LDAP
> expert.
>
> Alan DeKok.

is it possible to use freeradius with NIS instead of LDAP ?
thanks
Re: problem with ldap authentication
Thank you, I will try it

2009/3/23, Alan DeKok :
>
> Frank Bonnet wrote:
>> OK here is the debug of one failed session
> ...
>> rlm_ldap: performing search in dc=esiee,dc=fr, with filter (uid=xxx)
>> rlm_ldap: object not found or got ambiguous search result
>
> Well, that's relatively clear.
>
> There's no such user, OR it got multiple responses.
>
> You need to fix the LDAP configuration so that it can find the user's
> clear-text password in LDAP. This can be awkward... and I'm not an LDAP
> expert.
>
> Alan DeKok.
Re: problem with ldap authentication
David N'DAKPAZE wrote:
> I want to know what to configure in order to use ldap as freeradius
> database of users

Read raddb/modules/ldap

The O'Reilly OpenLDAP book also has a good description of how to configure FreeRADIUS to use LDAP.

Alan DeKok.
Re: problem with ldap authentication
Frank Bonnet wrote:
> OK here is the debug of one failed session
...
> rlm_ldap: performing search in dc=esiee,dc=fr, with filter (uid=xxx)
> rlm_ldap: object not found or got ambiguous search result

Well, that's relatively clear.

There's no such user, OR it got multiple responses.

You need to fix the LDAP configuration so that it can find the user's clear-text password in LDAP. This can be awkward... and I'm not an LDAP expert.

Alan DeKok.
Re: problem with ldap authentication
Alan DeKok wrote:
> Frank Bonnet wrote:
>> I'm in trouble with a debian version of freeradius
>> I've installed chillispot and freeradius packages
>> but it won't work for LDAP users it fails with
>> such error messages :
>>
>> Mon Mar 23 16:41:05 2009 : Auth: Login incorrect:
>> [/] (from client localhost port 31 cli
>> 00-13-02-AE-F1-01)
>
> Is there any reason you're not running it in debugging mode, as
> suggested in the FAQ, README, INSTALL, "man" page, and nearly daily on
> this list?
>
> Alan DeKok.

OK here is the debug of one failed session
thanks for your help

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:33076, id=0, length=217
        User-Name = "xxx"
        CHAP-Challenge = 0x01464b2728f172473bf5dd5d64d71539
        CHAP-Password = 0x00443c19722da8b5ac9799a1a5d39bc1af
        NAS-IP-Address = 127.0.0.1
        Service-Type = Login-User
        Framed-IP-Address = 192.168.182.54
        Calling-Station-Id = "00-19-D2-78-56-4D"
        Called-Station-Id = "00-12-79-90-10-21"
        NAS-Identifier = "nas01"
        Acct-Session-Id = "49c7b8940034"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 52
        Message-Authenticator = 0x64d387cd750288b284dc8182e4f2dec6
        WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "xxx", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 363
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for xxx
radius_xlat: '(uid=)'
radius_xlat: 'dc=esiee,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.esiee.fr:389, authentication 0
rlm_ldap: bind as / to ldap.esiee.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=esiee,dc=fr, with filter (uid=xxx)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [xxx/] (from client localhost port 52 cli 00-19-D2-78-56-4D)
Delaying request 0 for 1 seconds
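Added example (not from the thread or FreeRADIUS): a triage script that walks a radiusd -X transcript like the one above and reports each module's return code per section, the Auth-Type chosen, any ERROR lines and the final verdict, so the ldap "notfound" Alan points at is surfaced without reading the whole dump. The transcript it parses is a constructed excerpt of the lines quoted above.

```python
"""Triage a FreeRADIUS 'radiusd -X' transcript (added example, 1.x-style modcall output)."""
import re

# Constructed excerpt of the debug session quoted in the thread above.
SAMPLE = """\
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "suffix" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: performing search in dc=esiee,dc=fr, with filter (uid=xxx)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
  modcall[authorize]: module "ldap" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [xxx/] (from client localhost port 52 cli 00-19-D2-78-56-4D)
"""

MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
VERDICT = re.compile(r'^Login (OK|incorrect)(?: \(([^)]*)\))?')
AUTH_TYPE = re.compile(r"Auth-Type := (\S+)'")


def triage(transcript):
    """Per-section module return codes, chosen Auth-Type, ERROR lines, final verdict."""
    report = {"sections": {}, "auth_type": None, "errors": [], "verdict": None, "reason": None}
    for raw in transcript.splitlines():
        line = raw.strip()
        m = MODCALL.search(line)
        if m:
            section, module, rcode, _request = m.groups()
            report["sections"].setdefault(section, {})[module] = rcode
            continue
        m = AUTH_TYPE.search(line)
        if m:
            report["auth_type"] = m.group(1)
            continue
        if line.startswith("ERROR:"):
            report["errors"].append(line[len("ERROR:"):].strip())
            continue
        m = VERDICT.match(line)
        if m:
            report["verdict"], report["reason"] = m.group(1), m.group(2)
    return report


def suspects(report):
    """'section/module' pairs whose return code is not ok/noop/updated."""
    return sorted(f"{sec}/{mod}" for sec, mods in report["sections"].items()
                  for mod, rc in mods.items() if rc not in ("ok", "noop", "updated"))


if __name__ == "__main__":
    r = triage(SAMPLE)
    print(r["verdict"], r["reason"], suspects(r), r["errors"])
```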
Re: problem with ldap authentication
I want to know what to configure in order to use ldap as freeradius database of users

2009/3/23, Alan DeKok :
>
> Frank Bonnet wrote:
>> I'm in trouble with a debian version of freeradius
>> I've installed chillispot and freeradius packages
>> but it won't work for LDAP users it fails with
>> such error messages :
>>
>> Mon Mar 23 16:41:05 2009 : Auth: Login incorrect:
>> [/] (from client localhost port 31 cli
>> 00-13-02-AE-F1-01)
>
> Is there any reason you're not running it in debugging mode, as
> suggested in the FAQ, README, INSTALL, "man" page, and nearly daily on
> this list?
>
> Alan DeKok.
Re: ldap+freeradius
David N'DAKPAZE wrote:
> Hello,
> Please, I'd like to know how to use an ldap as a database of freeradius. I
> use freeradius-server-2.1.3. Is it possible to use more than one nas in
> clients.conf ? If yes how to do it?

Read the examples in clients.conf? There is lots of documentation.

> How to configure EAP-TLS ?

1) Install the server.
2) cd raddb/certs
3) make client.crt ca.der

Put the client.crt && ca.der into the client. EAP-TLS will work.

Alan DeKok.
Re: problem with ldap authentication
Frank Bonnet wrote:
> I'm in trouble with a debian version of freeradius
> I've installed chillispot and freeradius packages
> but it won't work for LDAP users it fails with
> such error messages :
>
> Mon Mar 23 16:41:05 2009 : Auth: Login incorrect:
> [/] (from client localhost port 31 cli
> 00-13-02-AE-F1-01)

Is there any reason you're not running it in debugging mode, as suggested in the FAQ, README, INSTALL, "man" page, and nearly daily on this list?

Alan DeKok.
Re: problem with ldap authentication
On 23.03.2009 at 16:46, Frank Bonnet wrote:
> hello
> I'm in trouble with a debian version of freeradius
> I've installed chillispot and freeradius packages
> but it won't work for LDAP users it fails with
> such error messages :
>
> Mon Mar 23 16:41:05 2009 : Auth: Login incorrect:
> [/Password>] (from client localhost port 31 cli
> 00-13-02-AE-F1-01)
>
> Any help/idea welcome

Be sure to assign passwords ( := ) and not to compare ( == ) passwords.

Also check that the shared secret is really the same.

Otherwise, I suppose that you will be asked to give the output of radiusd -X

> Thank you.

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
ldap+freeradius
Hello,
Please, I'd like to know how to use an ldap as a database of freeradius. I use freeradius-server-2.1.3. Is it possible to use more than one nas in clients.conf ? If yes how to do it?
How to configure EAP-TLS ?
Thank you for your help.

Rato
problem with ldap authentication
hello
I'm in trouble with a debian version of freeradius
I've installed chillispot and freeradius packages
but it won't work for LDAP users it fails with
such error messages :

Mon Mar 23 16:41:05 2009 : Auth: Login incorrect:
[/] (from client localhost port 31 cli
00-13-02-AE-F1-01)

Any help/idea welcome

Thank you.
Help checking group membership with FreeRadius
Currently we have a radius server that performs authentication off our samba domain controller for wireless users. This works great. I would like to limit users so they must be a member of the wireless group in order to connect. Since the /etc/group file is on a different server I believe I cannot use the etc_group module. Also, in order to use that module the user must have a valid account on the radius server as well. Any ideas on checking group membership? I use ntlm_auth in the mschap module for authentication in Freeradius ver 2.1.3-1.

Here is the string in the users file to limit to the wireless group (it's all on one line, email may wrap it):

DEFAULT Called-Station-Id =~ "CCISD-REMC1", Group != "wireless", Auth-Type := Reject

here is my ntlm_auth line:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=ISD --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

thanks for any help =D

*** This Email was sent by a system administrator in REMC #1.
Re: fake user and unregistered user forwarding
On Mon, 2009-03-23 at 11:24 +0100, t...@kalik.net wrote:
>> Can we forward fake users and unregistered users to a fake ip or redirect page?
>>
>> We are using freeradius on platform freebsd, database server on postgresql.
>>
>> Is that possible?
>>
> Yes, use captive portal.
>
> Ivan Kalik
> Kalik Informatika ISP
>

You mentioned you're using FreeBSD. If you need a more ready-made solution, you can give pfSense a try:

http://www.pfsense.org/

[]s
Guto

--
Augusto G. Andreollo
CCUEC/DCNET/SREDE
Universidade Estadual de Campinas - UNICAMP
+55 19 3521-2276
--
"Wit beyond measure is men's greatest treasure."
Re: certificates
an overview you can read is located at http://wildbill.nulldevice.net/presentations/sslpreso/

2009/3/23 orion
> hi,
> it's all about being authenticated as a known party.
> if A knows B as a trusted party and B has issued a certificate for C then A
> will trust C.
>
> the server certificate is issued by the CA ( certificate authority. )
>
> the client needs to have the certificate of the CA ( not the server
> certificate issued from the CA )
>
> the mschap v2, tls, ttls, are methods of authentication (encryption).
>
> the eap-ttls doesn't require that the client have a certificate on its
> own. so you need the ca certificate and the server certificate.
>
> 2009/3/23 Tomas
>
>> Dear all,
>> I'd appreciate it if somebody could please explain to me the meaning of
>> certificates. I had a look at certs/README, but some things are still
>> unclear.
>> As far as I know there are 3 types of certificates on FreeRADIUS:
>> * ROOT CA
>> * Server
>> * Client
>>
>> What is the purpose of each of them? I know that ROOT CA is required to
>> allow EAP-TLS, PEAP or EAP-TTLS. Would not having ROOT CA imported on
>> 802.1x supplicant mean that EAP will be just EAP or PEAP etc.? What does
>> ROOT CA do?
>> What is the purpose of server certificate? How is that linked with
>> MSCHAP v2? I remember I could not authenticate xp host with users file
>> without generating certificates first.
>> And lastly Client certificate, would I need to install this on a client
>> PC, what do I get with that?
>>
>> What are the benefits of using certificates?
>>
>> Thanks very much for your help.
Re: certificates
hi,
it's all about being authenticated as a known party.
if A knows B as a trusted party and B has issued a certificate for C then A will trust C.

the server certificate is issued by the CA ( certificate authority. )

the client needs to have the certificate of the CA ( not the server certificate issued from the CA )

the mschap v2, tls, ttls, are methods of authentication (encryption).

the eap-ttls doesn't require that the client have a certificate on its own. so you need the ca certificate and the server certificate.

2009/3/23 Tomas
> Dear all,
> I'd appreciate it if somebody could please explain to me the meaning of
> certificates. I had a look at certs/README, but some things are still
> unclear.
> As far as I know there are 3 types of certificates on FreeRADIUS:
> * ROOT CA
> * Server
> * Client
>
> What is the purpose of each of them? I know that ROOT CA is required to
> allow EAP-TLS, PEAP or EAP-TTLS. Would not having ROOT CA imported on
> 802.1x supplicant mean that EAP will be just EAP or PEAP etc.? What does
> ROOT CA do?
> What is the purpose of server certificate? How is that linked with
> MSCHAP v2? I remember I could not authenticate xp host with users file
> without generating certificates first.
> And lastly Client certificate, would I need to install this on a client
> PC, what do I get with that?
>
> What are the benefits of using certificates?
>
> Thanks very much for your help.
certificates
Dear all,
I'd appreciate it if somebody could please explain to me the meaning of certificates. I had a look at certs/README, but some things are still unclear.
As far as I know there are 3 types of certificates on FreeRADIUS:

* ROOT CA
* Server
* Client

What is the purpose of each of them? I know that ROOT CA is required to allow EAP-TLS, PEAP or EAP-TTLS. Would not having ROOT CA imported on 802.1x supplicant mean that EAP will be just EAP or PEAP etc.? What does ROOT CA do?
What is the purpose of server certificate? How is that linked with MSCHAP v2? I remember I could not authenticate xp host with users file without generating certificates first.
And lastly Client certificate, would I need to install this on a client PC, what do I get with that?

What are the benefits of using certificates?

Thanks very much for your help.
Re: fake user and unregistered user forwarding
> Can we forward fake users and unregistered users to a fake ip or redirect page?
>
> We are using freeradius on platform freebsd, database server on postgresql.
>
> Is that possible?
>
Yes, use captive portal.

Ivan Kalik
Kalik Informatika ISP
fake user and unregistered user forwarding
Hi,

Sorry for bad English.

Can we forward fake users and unregistered users to a fake ip or redirect page?

We are using freeradius on platform freebsd, database server on postgresql.

Is that possible?

Regards.
Re: freeRadius-PAM:: user password issue - Urgent help required
> Verified the shared secret and it is given correctly in the request. Is there
> any configuration that needs to be done? Appreciate your help. Thanks, Sri
>
Shared secret *is* wrong - probability 99.99%
Crypto libraries are corrupted - probability 0.01%

Retype the shared secret on the remote test client.

Ivan Kalik
Kalik Informatika ISP
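Added example (not from the thread or FreeRADIUS) of why a wrong shared secret surfaces as a password failure rather than a "bad secret" error: the RFC 2865 User-Password obfuscation below is keyed by the secret, so a server holding a different secret decodes deterministic garbage and hands that to PAM. The password and both secrets are constructed values.

```python
"""RFC 2865 section 5.2 User-Password hiding, implemented to show the effect of a
mismatched shared secret (added example, not FreeRADIUS code).

The NAS pads the password to a multiple of 16 bytes and XORs each block with
MD5(secret + Request-Authenticator) for the first block, then
MD5(secret + previous ciphertext block) for the rest.  The server reverses
this with its own secret; if that secret differs, every block comes out wrong.
"""
import hashlib
import os

BLOCK = 16


def _pad(data):
    """Zero-pad to a multiple of 16 bytes, as the RFC requires."""
    return data + b"\0" * (-len(data) % BLOCK)


def encode_user_password(password, secret, authenticator):
    """NAS side: produce the User-Password attribute value."""
    assert len(authenticator) == 16 and 1 <= len(password) <= 128
    padded = _pad(password)
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], key))
        out += prev
    return out


def decode_user_password(ciphertext, secret, authenticator):
    """Server side: reverse the chain with the server's secret, strip zero padding."""
    assert len(ciphertext) % BLOCK == 0
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\0")


def demo(password=b"correct horse", good=b"testing123", bad=b"testing124"):
    """Constructed round trip: the NAS secret recovers the password, a one-character
    different server secret yields garbage that PAM will simply reject."""
    authenticator = os.urandom(16)   # Request Authenticator, fresh per packet
    wire = encode_user_password(password, good, authenticator)
    return (decode_user_password(wire, good, authenticator),
            decode_user_password(wire, bad, authenticator))


if __name__ == "__main__":
    recovered, garbage = demo()
    print(recovered, garbage)
```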