Re: Access Challenge in freeRadius server
Thank you very much Ivan for your detailed response. I will check it and respond to you.

Regards,
Dhandapani

Ivan Kalik wrote:
> > Not sure how ssh/telnet will handle.
>
> That depends on your pam radius module. I believe freeradius hosted module can handle it. Don't know for others.
>
> > But I assume, other than password it may request for additional RSA key generated to access a particular machine or something similar to that.
>
> Why? Server already knows its RSA key. This has nothing to do with user authentication.
>
> > Also, does NAS need any installation to support Access-Challenge like CHAP?
>
> It needs pam module that supports it. BTW chap doesn't have Access-Challenge in the authentication process. Nor mschap.
>
> Ivan Kalik
> Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Failover fails in proxy.conf
> > With the primary server everything works fine, but my problem is when I force to switch to failover server (I switch off IP 1.2.3.4 machine) my freeradius server does not change to request 1.2.3.5 server.
>
> How hard have you tried? It does not mark home server as dead on the first packet that doesn't get answered. Have a look at proxy.conf and dead and zombie times.

Sincerely I do not know how to mark a home server as 'dead'. The only way is response_window = 5 ('dead' after five seconds, I think).

See my new proxy.conf:

    ###
    home_server primary_server {
        type = auth+acct
        ipaddr = 1.2.3.4
        port = 1812
        secret = mysecret
        require_message_authenticator = no
        response_window = 5
        zombie_period = 30
        revive_interval = 900
        status_check = status-server
        check_interval = 60
        num_answers_to_alive = 3
    }

    home_server secondary_server {
        type = auth+acct
        ipaddr = 1.2.3.5
        port = 1812
        secret = mysecret
        require_message_authenticator = no
        response_window = 5
        zombie_period = 30
        revive_interval = 900
        status_check = status-server
        check_interval = 60
        num_answers_to_alive = 3
    }

    home_server_pool roam_pool {
        type = fail-over
        home_server = primary_server
        home_server = secondary_server
    }

    realm myrealm.com {
        nostrip
        pool = roam_pool
    }
RE: Failover fails in proxy.conf
> Sincerely I do not know how to mark a home server as 'dead'. The only way is response_window = 5 ('dead' after five seconds, I think).

No, zombie after 5 seconds, dead after zombie period.

Ivan Kalik
Kalik Informatika ISP
Re: Failover fails in proxy.conf
Santiago Balaguer García wrote:
> Sincerely I do not know how to mark a home server as 'dead'.

Connect to the server with radmin, and type:

    radmin set home_server state 1.1.2.3 1812 dead

It will *immediately* mark that home server as dead.

Alan DeKok.
Re: [rad] Re: rlm_exec wiki
On Mon, 15 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:
> it would be much better if there was a full delineation between 1.x and 2.x docs - the web is full of older resources that don't say what version their tweaks and info is good for.

(nod) I don't know enough about the differences between 1.x and 2.x to say whether it would be better to have two complete document trees, like the apache server, or annotated with "applies to versions x-y" the way the postfix docs do it. I get the feeling that for the most part features have been *added* to FreeRADIUS, and very little removed. But is that actually the case?

> if i see one more config with Auth-Type = EAP I'll scream ;-)

Had to look that one up. First hit on google explained it all LOL

- Charles
Re: mysql errors when running freeradius
Hi, still getting problems with this. I created a table using the schema called nas.sql, and populated it with local host. When I then run radius (please note that I am in fact running it: radiusd -X) I can't get it to authenticate.

I had a look to see if sql was in the authenticate section of the virtual server, and by this I guess you mean the file 'default' located inside 'sites-enabled' that is used in radiusd.conf? Sql was enabled under: authorize section and accounting. I haven't uncommented sql sections in post-auth. I added a line just saying 'sql' to the authenticate section like you suggested and it still doesn't make a difference.

One thing I noticed as well is the dialup.conf seems to deal with the nas database too. There's a line saying 'sql_user_name = %{User-Name}', not sure if this is meant to be 'radpass' as the user?

    mysql -uroot -p
    CREATE DATABASE radius;
    GRANT ALL ON radius.* TO rad...@localhost IDENTIFIED BY radpass;
    exit

I'm unsure on what I should look at now? Please find below my code and .conf files.
    mysql> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | mysql              |
    | nas                |
    | radius             |
    | share              |
    +--------------------+
    5 rows in set (0.00 sec)

Nas:

    mysql> select * from nas;
    +----+-----------+-----------+-------+-------+------------+-----------+--------------+
    | id | nasname   | shortname | type  | ports | secret     | community | description  |
    +----+-----------+-----------+-------+-------+------------+-----------+--------------+
    |  1 | 127.0.0.1 | localhost | other | NULL  | testing123 | NULL      | RADIUS Local |
    +----+-----------+-----------+-------+-------+------------+-----------+--------------+
    1 row in set (0.00 sec)

Radius:

    mysql> show tables
        -> ;
    +------------------+
    | Tables_in_radius |
    +------------------+
    | radacct          |
    | radcheck         |
    | radgroupcheck    |
    | radgroupreply    |
    | radpostauth      |
    | radreply         |
    | radusergroup     |
    +------------------+
    7 rows in set (0.00 sec)

    mysql> select * from radcheck
        -> ;
    +----+----------+-----------+----+---------+
    | id | username | attribute | op | value   |
    +----+----------+-----------+----+---------+
    |  3 | sqltest  | password  | := | testpwd |
    +----+----------+-----------+----+---------+
    1 row in set (0.00 sec)

    mysql> select * from radgroupcheck;
    Empty set (0.00 sec)

    mysql> select * from radgroupreply;
    +----+-----------+--------------------+----+---------------------+
    | id | groupname | attribute          | op | value               |
    +----+-----------+--------------------+----+---------------------+
    |  1 | dynamic   | Framed-Compression | := | Van-Jacobsen-TCP-IP |
    |  2 | dynamic   | Framed-Protocol    | := | ppp                 |
    |  3 | dynamic   | Service-Type       | := | Framed-User         |
    |  5 | dynamic   | Framed-MTU         | := | 1500                |
    +----+-----------+--------------------+----+---------------------+
    4 rows in set (0.01 sec)

    mysql> select * from radpostauth
        -> ;
    Empty set (0.00 sec)

    mysql> select * from radreply;
    Empty set (0.01 sec)

    mysql> select * from radusergroup
        -> ;
    +----------+-----------+----------+
    | username | groupname | priority |
    +----------+-----------+----------+
    | sqltest  | dynamic   |        1 |
    +----------+-----------+----------+
    1 row in set (0.02 sec)

/etc/raddb/sites-enabled/default:

    ######################################################################
    #
    #   As of 2.0.0, FreeRADIUS supports virtual hosts using the
    #   server section, and configuration directives.
    #
    #   Virtual hosts should be put into the sites-available
    #   directory. Soft links should be created in the sites-enabled
    #   directory to these files. This is done in a normal installation.
    #
    #   $Id$
    #
    ######################################################################
    #
    #   Read man radiusd before editing this file. See the section
    #   titled DEBUGGING. It outlines a method where you can quickly
    #   obtain the configuration you want, without running into
    #   trouble.
    #
    #   See also man unlang, which documents the format
    #   of this file.
    #
    #   This configuration is designed to work in the widest possible
    #   set of circumstances, with the widest possible number of
    #   authentication methods. This means that in general, you should
    #   need to make very few changes to this file.
    #
    #   The best way to configure the server for your local system
    #   is to CAREFULLY edit this file. Most attempts to make large
    #   edits to this file will BREAK THE SERVER. Any edits should
    #   be small, and tested by running the server with radiusd -X.
    #   Once the edits have been verified to work, save a copy of these
    #   configuration files somewhere. (e.g. as a tar file). Then,
    #   make more edits, and test, as
Re: mysql errors when running freeradius
> I created a table using the schema called nas.sql, and populated it with local host. When i then run radius (please note that i am in fact running it: radiusd -X) i can't get it to authenticate.

So, post the debug.

> I had a look to see if sql was in the authenticate section of the virtual server and by this i guess you mean the file 'default' located inside 'sites-enabled' that is used in radiusd.conf? Sql was enabled under: authorize section and accounting. I haven't uncommented sql sections in post-auth. I added a line just saying 'sql' to the authenticate section like u suggested and still doesn't make a difference.

Remove sql from authenticate. Have you uncommented INCLUDE statement for sql in radiusd.conf?

Ivan Kalik
Kalik Informatika ISP
Re: mysql errors when running freeradius
JamesWhetherly wrote:
> I created a table using the schema called nas.sql, and populated it with local host. When i then run radius (please note that i am in fact running it: radiusd -X) i can't get it to authenticate.

For us to be able to help you, you *must* post the output of radiusd -X here. Otherwise, you're not sharing the single most useful piece of information that can let us help you.

And for testing, DON'T start off with nases in SQL.

> I had a look to see if sql was in the authenticate section of the virtual server and by this i guess you mean the file 'default' located inside 'sites-enabled' that is used in radiusd.conf? Sql was enabled under: authorize section and accounting. I haven't uncommented sql sections in post-auth. I added a line just saying 'sql' to the authenticate section like u suggested and still doesn't make a difference.

Don't do that. The SQL module *cannot* be used in the authenticate section.

> One thing i noticed as well is the dialup.conf seems to deal with the nas database too.

Yes. That's where it's configured.

> Theres a line saying 'sql_user_name = %{User-Name}' not sure if this is meant to be 'radpass' as the user?

It's the name of the user.

> I'm unsure on what i should look at now?

Don't add NASes in SQL. Start off with the *default* configuration. Then, configure the sql module (sql.conf), and uncomment the line including sql.conf in radiusd.conf. Edit raddb/sites-available/default, and un-comment the references to SQL.

It's that easy.

Alan DeKok.
Password conflict between Radius Server and Machine account
Hi,

When I was trying to authenticate ssh login through radius server, I noticed a conflict issue with password. I have a linux machine-1 in which radius server is installed. I have configured a user with name/password as root/public in /usr/local/etc/raddb/users. But the linux machine already has a 'root' user account with password 'public123'.

Now I tried to ssh machine-2 with username 'root' and password 'public'. SSH of this machine-2 is configured with above radius server for authentication. But the radius server rejects the access-request and logs as below.

    ++[unix] returns updated
    [files] users: Matched entry root at line 107
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    +- entering group PAP {...}
    [pap] login attempt with password public
    [pap] Using CRYPT encryption.
    [pap] Passwords don't match
    ++[pap] returns reject

Note the highlighted lines. First line says '[unix] returns updated'. Later it says 'password doesn't match'. But if I try with Machine-1 password 'public123', it accepts the request. So it looks like the radius server authenticates with the machine password, not using the configured one.

Please clarify for me if you have faced this issue.

Regards,
Dhandapani
Re: Password conflict between Radius Server and Machine account
> When I was trying to authenticate ssh login through radius server, I noticed an conflict issue with password. I have a linux machine-1 in which radius server is installed. I have configured an user with name/password as root/public in /usr/local/etc/raddb/users. But the linux machine already have a 'root' user account with password 'public123'.

Comment out unix in authorize. Don't store passwords for same username in several places. Pick one.

Ivan Kalik
Kalik Informatika ISP
Free Radius users record samples for SmartEdge router subscriber authentication.
Hi,

I am trying a simple authenticate pppoe subscriber in radius server (v 1.188.2.4.2.11) for subscribers coming through Redback SmartEdge 800 router. As I am new to this I have looked for some examples for users configuration on RADIUS but could not find any. I have tried something out but it seems to be missing certain stuff:

    abc  Auth-Type := Local, Password == passwd
         Service-Type = Framed-User,
         Framed-Protocol = PPP,
         Bind_Auth_Context = RADIUS

Thanks for referring me to some examples.

BR,
Elias
Re: Free Radius users record samples for SmartEdge router subscriber authentication.
Elias Abou Zeid wrote:
> I am trying a simple authenticate pppoe subscriber in radius server (v 1.188.2.4.2.11)

That's a CVS revision string. If it's in the binary you have, you're running 1.1.x. Your server is more than 2 years out of date.

> for subscribers coming through Redback SmartEdge 800 router. As I am new to this I am looked for some examples for users configuration on RADIUS but could not find.

Version 2.1 has greatly improved documentation, including many examples.

> I have tried something out but seems missing certain stuff:
> abc Auth-Type := Local, Password == passwd

In 1.1.7:

    abc  Cleartext-Password := passwd

Don't set Auth-Type.

> Service-Type = Framed-User, Framed-Protocol = PPP, Bind_Auth_Context = RADIUS
> Thanks for refering me to some examples.

And what does the server say when you run it with radiusd -X? This is in the FAQ, README, man page, and nearly daily on this list.

Alan DeKok.
Re: mysql errors when running freeradius
Forgot to post the radiusd debug:

    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1 port 46876, id=114, length=59
            User-Name = sqltest
            User-Password = testpwd
            NAS-IP-Address = 127.0.0.2
            NAS-Port = 1812
    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Failed to authenticate the user.
    Delaying reject of request 1 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 1
    Sending Access-Reject of id 114 to 127.0.0.1 port 46876
    Waking up in 4.9 seconds.
    Cleaning up request 1 ID 114 with timestamp +7469
    Ready to process requests.
Re: Free Radius users record samples for SmartEdge router subscriber authentication.
> I am trying a simple authenticate pppoe subscriber in radius server (v 1.188.2.4.2.11) for subscribers coming through Redback SmartEdge 800 router. As I am new to this I am looked for some examples for users configuration on RADIUS but could not find. I have tried something out but seems missing certain stuff:
>
> abc Auth-Type := Local, Password == passwd
> Service-Type = Framed-User, Framed-Protocol = PPP, Bind_Auth_Context = RADIUS
>
> Thanks for refering me to some examples.

Examples relevant to your freeradius version will be in the users file. That example looks seriously outdated. What needs to be returned to Redback will be in Redback documentation.

Ivan Kalik
Kalik Informatika ISP
Re: [rad] Free Radius users record samples for SmartEdge router subscriber authentication.
On Tue, 16 Jun 2009, Elias Abou Zeid wrote:
> I am trying a simple authenticate pppoe subscriber in radius server (v 1.188.2.4.2.11) for subscribers coming through Redback SmartEdge 800 router. As I am new to this I am looked for some examples for users configuration on RADIUS but could not find. I have tried something out but seems missing certain stuff:
>
> abc Auth-Type := Local, Password == passwd

I notice the example in the comments of the 'users' file references the check item User-Password, not just Password. That might make a difference.

Another option: Are these users going to be in your local *nix password file (for mail or login)? If so, then don't specify passwords in the users file at all. Just use an Auth-Type += System, and let FR pluck it from the system files.

- Charles
Re: mysql errors when running freeradius
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 46876, id=114, length=59
>         User-Name = sqltest
>         User-Password = testpwd
>         NAS-IP-Address = 127.0.0.2
>         NAS-Port = 1812
> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> Failed to authenticate the user.
> Delaying reject of request 1 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 1
> Sending Access-Reject of id 114 to 127.0.0.1 port 46876
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 114 with timestamp +7469
> Ready to process requests.

Ugh, it looks like you have commented out virtual servers (INCLUDE for sites-enabled).

Ivan Kalik
Kalik Informatika ISP
Statistic RADIUS
Hi all,

In my scenario FreeRadius is used as RADIUS PROXY. Is it possible with FreeRadius to generate statistics based on an attribute, i.e. statistics based on NAS-Port-ID?

Thanks in advance for your support.

Regards
Marco
Re: Statistic RADIUS
Marco De Magistris wrote:
> Is it possible with FreeRadius generating the statistics based on an Attribute? i.e The statistics based on NAS-Port-ID.

No. The statistics it keeps are based on IP address. See raddb/sites-available/status

Alan DeKok.
PPTP - Radius connection failure
Forgive me if this is not the correct mailing list for this question (and if not, point me to the correct one, if possible).

I am running PPTP (poptop w/radiusclient) on the same RHEL Linux box as the freeradius server. Initially, all works well. But after some time (30-45 min?), the radius server quits responding, and I see this in the pptpd.log:

    Jun 16 14:32:35 time3 pppd[29588]: rc_send_server: no reply from RADIUS server localhost.localdomain:1812

Running radiusd in debug mode shows nothing coming in for this query, although the server shows to be listening:

    [r...@time3 raddb]# netstat -ua | grep rad
    udp    19260      0 *:radius        *:*
    udp        0      0 *:radius-acct   *:*

When this is occurring, radtest also fails, as it never gets a response (just keeps resending).

I am running (sorry, I realize that is no longer supported, but that's RH's latest Freeradius RPM, thus what I am required to use):

    freeradius 1.1.3
    freeradius-client 1.1.6
    ppp 2.2.4
    pptpd 1.3.4

My configs:

    # cat /etc/radiusclient/radiusclient.conf | grep -v '#' | grep -v '^$'
    auth_order      radius
    login_tries     4
    login_timeout   60
    nologin         /etc/nologin
    issue           /etc/radiusclient/issue
    authserver      localhost
    acctserver      localhost
    servers         /etc/radiusclient/servers
    dictionary      /etc/radiusclient/dictionary
    login_radius    /usr/sbin/login.radius
    seqfile         /var/run/radius.seq
    mapfile         /etc/radiusclient/port-id-map
    default_realm
    radius_timeout  10
    radius_retries  3
    login_local     /bin/login

    # cat /etc/radiusclient/servers | grep -v '#' | grep -v '^$'
    localhost/localhost    testing123

    # cat /etc/pptpd.conf | grep -v '#' | grep -v '^$'
    ppp /usr/sbin/pppd
    option /etc/ppp/options.pptpd
    debug
    stimeout 5
    logwtmp
    connections 63
    localip 172.20.1.143
    remoteip 172.20.2.128-191

    # cat /etc/ppp/options.pptpd | grep -v '#' | grep -v '^$'
    name pptpd
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    ms-dns 172.24.2.197
    ms-dns 172.24.2.196
    proxyarp
    debug
    dump
    lock
    nobsdcomp
    novj
    novjccomp
    nologfd
    plugin radius.so
    plugin radattr.so

Thanks for any help or suggestions,
John
Re: Password conflict between Radius Server and Machine account
Thanks Ivan. My requirement falls in the situation where the radius server will configure a user which may already be configured on the machine. And I couldn't find the 'authorize' config file anywhere in my server. May I know the exact file/path where the unix should be commented? I am using RedHat Linux.

Regards,
Dhandapani

Ivan Kalik wrote:
> > When I was trying to authenticate ssh login through radius server, I noticed an conflict issue with password. I have a linux machine-1 in which radius server is installed. I have configured an user with name/password as root/public in /usr/local/etc/raddb/users. But the linux machine already have a 'root' user account with password 'public123'.
>
> Comment out unix in authorize. Don't store passwords for same username in several places. Pick one.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Statistic RADIUS
Hi,

> Marco De Magistris wrote:
> > Is it possible with FreeRadius generating the statistics based on an Attribute? i.e The statistics based on NAS-Port-ID.
>
> No. The statistics it keeps are based on IP address. See raddb/sites-available/status

Out of the box it won't do it - but you can call eg a perl script to ensure such things get counted (eg use SQL to store values).

alan
LDAP Authentication + Windows PKI
Guys, just a quick question. Can I use freeradius to authenticate my LDAP users and, instead of using OpenSSL for certificates, use a Microsoft Certificate Authority?

Thanks
Nik
RE: Free Radius users record samples for SmartEdge router subscriber authentication.
I tried the different suggestions but I still get authentication login incorrect even though the username and password passed by the Redback router are correct and as filled in the subscriber's record on the Radius server.

    a...@radius  User-Password := passwd
                 Service-Type = Framed-User,
                 Framed-Protocol = PPP,
                 Bind_Auth_Context = RADIUS

    Tue Jun 16 13:36:10 2009 : Auth: Login incorrect: [...@radius/\032\204\2639\024\033\033\021[\371s\212\323\031\366x] (from client SE-Quiet port 167903232)
    Tue Jun 16 13:36:20 2009 : Auth: Login incorrect: [...@radius/\032\204\2639\024\033\033\021[\371s\212\323\031\366x] (from client SE-Quiet port 167903232)
    Tue Jun 16 13:36:30 2009 : Auth: Login incorrect: [...@radius/\032\204\2639\024\033\033\021[\371s\212\323\031\366x] (from client SE-Quiet port 167903232)

I decoded the packets sent by the Redback router to RADIUS:

    Authenticator Field: 46 49 cf c2 77 d5 3f e3 d6 16 32 91 7c 35 16 87
    User-Name: a...@radius
    User-Password: 55 df f0 56 30 d1 c0 ed de b9 26 1c 95 48 c5 69
    Service-Type: Framed-User (2)
    Framed-Protocol: PPP (1)
    NAS-Identifier: Quiet
    NAS-Port: 0x0a02
    RBN:NAS-Real-Port: 0xa264
    NAS-Port-Type: Virtual (5)
    NAS-Port-Id: 10/2 vlan-id 100 pppoe 334
    RBN:Medium-Type: DSL (11)
    RBN:MAC-Address: 00-0c-29-10-12-c3
    RBN:Platform-Type: SE-800 (2)
    RBN:OS-Version: 6.1.2.6p9

And the response of Radius:

    Authenticator Field: 90 1f 01 e2 ab cd 2d 30 ef 45 df 4e 66 eb e7 9e

Please advise.

Thanks,
Elias

-----Original Message-----
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: June-16-09 11:44 AM
To: FreeRadius users mailing list
Subject: Re: Free Radius users record samples for SmartEdge router subscriber authentication.

> Elias Abou Zeid wrote:
> > I am trying a simple authenticate pppoe subscriber in radius server (v 1.188.2.4.2.11)
>
> That's a CVS revision string. If it's in the binary you have, you're running 1.1.x. Your server is more than 2 years out of date.
>
> > for subscribers coming through Redback SmartEdge 800 router. As I am new to this I am looked for some examples for users configuration on RADIUS but could not find.
>
> Version 2.1 has greatly improved documentation, including many examples.
>
> > I have tried something out but seems missing certain stuff:
> > abc Auth-Type := Local, Password == passwd
>
> In 1.1.7:
>
>     abc  Cleartext-Password := passwd
>
> Don't set Auth-Type.
>
> > Service-Type = Framed-User, Framed-Protocol = PPP, Bind_Auth_Context = RADIUS
> > Thanks for refering me to some examples.
>
> And what does the server say when you run it with radiusd -X? This is in the FAQ, README, man page, and nearly daily on this list.
>
> Alan DeKok.
Re: Free Radius users record samples for SmartEdge router subscriber authentication.
Elias Abou Zeid wrote:
> I tried the different suggestions but I still get authentication login incorrect eventhough the username and password passed by the Redback router are correct and as filled in subscribers record On Radius server.
>
> a...@radius User-Password := passwd

You have not used the configuration I suggested. Why?

> Service-Type = Framed-User, Framed-Protocol = PPP, Bind_Auth_Context = RADIUS
>
> Tue Jun 16 13:36:10 2009 : Auth: Login incorrect: [...@radius/\032\204\2639\024\033\033\021[\371s\212\323\031\366x] (from client SE-Quiet port 167903232)

Run the server in debugging mode, as I suggested. It will tell you what's going wrong: The shared secret is WRONG.

You need to fix the shared secret. You need to follow the instructions on this list. Nothing else will fix the problem.

> Please advice.

We did. You did not follow instructions. Why do you ask for advice if you don't follow the advice you're given?

Alan DeKok.
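Alan's diagnosis above follows from how RFC 2865 section 5.2 hides the PAP password: the NAS XORs it with MD5(secret + Request Authenticator), and the server reverses that with its own copy of the secret, so a mismatched secret decodes to the kind of octal-escaped garbage seen in the Login incorrect lines. This is an added Python example, not code from the thread or from FreeRADIUS; the secret, authenticator and the radiusd_escape helper are constructed here to show both sides of that exchange.

```python
# Added example (not from the thread or from FreeRADIUS): RFC 2865 section 5.2
# User-Password hiding, to show why a wrong shared secret makes the server see
# garbage instead of the PAP password. Secret and authenticator are constructed.
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password the way a NAS does before sending an Access-Request.

    The first 16-octet block is XORed with MD5(secret + RequestAuthenticator);
    each later block is XORed with MD5(secret + previous ciphertext block).
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows passwords of 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to 16n
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the cleartext as the server does.

    There is no integrity check on this field, so a wrong secret silently
    yields garbage rather than an error; the server then just logs a
    password mismatch, exactly as in the thread.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def radiusd_escape(data: bytes) -> str:
    """Approximate how radiusd -X prints a string: printable ASCII as-is,
    backslash doubled, everything else as a three-digit octal escape."""
    out = []
    for b in data:
        if b == 0x5C:
            out.append("\\\\")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def demo() -> dict:
    # Constructed values: a NAS configured with secret "testing123" hides
    # "passwd"; the server tries the matching secret and then a mistyped one.
    authenticator = bytes(range(16))
    nas_secret, server_secret = b"testing123", b"testing321"
    hidden = hide_password(b"passwd", nas_secret, authenticator)
    return {
        "right_secret": reveal_password(hidden, nas_secret, authenticator),
        "wrong_secret": reveal_password(hidden, server_secret, authenticator),
    }


if __name__ == "__main__":
    result = demo()
    print("matching secret :", radiusd_escape(result["right_secret"]))
    print("wrong secret    :", radiusd_escape(result["wrong_secret"]))
```

The wrong-secret line prints as octal escapes like the `\032\204\263...` in Elias's log, which is the quickest way to recognise a secret mismatch in radiusd -X output.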
Re: PPTP - Radius connection failure
John Kane wrote:
> Running radiusd in debug mode shows nothing coming in for this query, although the server shows to be listening:

That would seem to be a firewall issue. When you run in debugging mode, it prints out ALL packets it receives. If it's not printing out packets, the reason is that it's not receiving packets.

> I am running (sorry, I realize that is no longer supported, but that's RH's latest Freeradius RPM, thus what I am required to use):

The basic RADIUS functionality is the same.

Alan DeKok.
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
On Tue, 16 Jun 2009, Elias Abou Zeid wrote:
> I tried the different suggestions but I still get authentication login incorrect eventhough the username and password passed by the Redback router are correct and as filled in subscribers record On Radius server.
>
> a...@radius User-Password := passwd

This syntax SETS the User-Password attribute. It's almost like saying "accept any password and replace it with this value". Please review man 5 users for the use of =, :=, et al.

Have you tried:

    abc  User-Password == passwd
         Service-Type = Framed-User,
         Framed-Protocol = PPP

I don't know what this next line does, so unless *you* do, may I suggest leaving it out while testing?

> Bind_Auth_Context = RADIUS

- Charles
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
Hi,

> abc User-Password == passwd

huh?

    abc  Cleartext-Password := passwd

That's true for 1.1.6 (iirc) upwards.

alan
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
On Tue, 16 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:
> > abc User-Password == passwd
>
> huh?
>
> abc Cleartext-Password := passwd
>
> thats true for 1.1.6 (iirc) upwards

My turn to 'huh?'. According to the 'users' man page (man 5 users):

    Attribute := Value
        Always matches as a check item, and replaces in the configuration items any attribute of the same name.

My impression from the OP's first use of == was that he was hard-coding the password into the users file. So wouldn't the above code 'replace' the password, producing an 'always authenticates' kind of condition?

The example in the users man itself is:

    EXAMPLES
        bob  User-Password == hello

    Requests containing the User-Name attribute, with value bob, will be authenticated using the password bob.

Which is, I think, a typo. It should say "authenticated with the password hello", shouldn't it?

- Charles
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
a.l.m.bu...@lboro.ac.uk wrote:
> abc Cleartext-Password := passwd
>
> thats true for 1.1.6 (iirc) upwards

1.1.4 and later.

Alan DeKok.
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
Hi,

> According to the 'users' man page (man 5 users):
>
>     Attribute := Value
>         Always matches as a check item, and replaces in the configuration items any attribute of the same name.

As a check item - you won't have two passwords in a request. If there was such a condition then it would be sorted.

> Requests containing the User-Name attribute, with value bob, will be authenticated using the password bob.
>
> Which is, I think, a typo. It should say authenticated with the password hello, shouldn't it?

Yep - don't worry, the typo also crept into the WIKI http://wiki.freeradius.org/Operators

    EXAMPLES
        bob  Cleartext-Password := hello

    Requests containing the User-Name attribute, with value bob, will be authenticated using the password bob. There are no reply items, so the reply will be empty.

should be

    EXAMPLES
        bob  Cleartext-Password := hello

    Requests containing the User-Name attribute, with value bob, will be authenticated using the password hello. There are no reply items, so the reply will be empty.

But at least the operator is right. It's good to have a new proof reader on board! ;-)

alan
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
Hi,

> > thats true for 1.1.6 (iirc) upwards
>
> 1.1.4 and later.

my how time really flies. I've just been updating some boilerplate/logo/copyright stuff on some code tonight that was all 2004. sheesh. it's a nostalgic evening.

alan
RE: Free Radius users record samples for SmartEdge router subscriber authentication.
Ok gentlemen,

Sorry for the :=, == confusion. I was doing it right using ==. So now I have:

a...@radius User-Password == test
            Service-Type = Framed-User,
            Framed-Protocol = PPP

Now after enabling the radius -X, I get:

rad_recv: Access-Request packet from host 10.205.1.1:1812, id=53, length=187
        User-Name = a...@radius
        User-Password = \361\305\244qY\303.N\331o\200\027\236L\340
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Identifier = Quiet
        NAS-Port = 167903232
        NAS-Real-Port = 2717909092
        NAS-Port-Type = Virtual
        NAS-Port-Id = 10/2 vlan-id 100 pppoe 342
        Medium-Type = DSL
        Mac-Addr = 00-0c-29-10-12-c3
        Platform-Type = SmartEdge-800
        OS-Version = 6.1.2.6p9
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616
  modcall[authorize]: module auth_log returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module mschap returns noop for request 2
rlm_realm: Looking up realm RADIUS for User-Name = a...@radius
rlm_realm: No such realm RADIUS
  modcall[authorize]: module suffix returns noop for request 2
rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 2
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
    users: Matched entry DEFAULT at line 183
  modcall[authorize]: module files returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
rad_check_password: Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  modcall[authenticate]: module unix returns notfound for request 2
modcall: leaving group authenticate (returns notfound) for request 2
auth: Failed to validate the user.
Login incorrect: [...@radius/\361\305\244qY\303.N\331o\200\027\236L\340] (from client SE-Quiet port 167903232)
WARNING: Unprintable characters in the password. ?
        Double-check the shared secret on the server and the NAS!

So it seems the password radius is receiving is different than what I am giving. I checked the shared secret between server and NAS, it matches! I am not sure why?

Elias

-----Original Message-----
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: June-16-09 11:44 AM
To: FreeRadius users mailing list
Subject: Re: Free Radius users record samples for SmartEdge router subscriber authentication.

Elias Abou Zeid wrote:
> I am trying a simple authenticate pppoe subscriber in radius server (v 1.188.2.4.2.11)

  That's a CVS revision string. If it's in the binary you have, you're running 1.1.x. Your server is more than 2 years out of date.

> for subscribers coming through Redback SmartEdge 800 router. As I am new to this I am looked for some examples for users configuration on RADIUS but could not find.

  Version 2.1 has greatly improved documentation, including many examples.

> I have tried something out but seems missing certain stuff:
>
> abc Auth-Type := Local, Password == passwd

  In 1.1.7:

abs Cleartext-Password := passwd

  Don't set Auth-Type.

> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Bind_Auth_Context = RADIUS
>
> Thanks for referring me to some examples.

  And what does the server say when you run it with radiusd -X? This is in the FAQ, README, man page, and nearly daily on this list.

  Alan DeKok.
Re: Free Radius users record samples for SmartEdge router subscriber authentication.
Elias Abou Zeid wrote:
> Sorry for the :=, == confusion. I was doing it right using ==.

  No, using == is wrong.

> So now I have:
>
> a...@radius User-Password == test

  That's wrong.

> Now after enabling the radius -X, I get:

...

> WARNING: Unprintable characters in the password. ?
>         Double-check the shared secret on the server and the NAS!
>
> So it seems the password radius is receiving is different than what I am giving. I checked the shared secret between server and NAS, it matches! I am not sure why?

  The shared secrets do NOT match. This is in the FAQ. Don't check them. Re-enter them.

  Alan DeKok.
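Why a wrong shared secret shows up as an unprintable password rather than as an explicit error: the following is an added Python example, not code from the thread or from FreeRADIUS, implementing the User-Password hiding of RFC 2865 section 5.2 (MD5 of secret plus Request Authenticator, XORed with the NUL-padded password, chained per 16-octet block) together with the unprintable-character heuristic behind the server's warning. The secrets, password and Request Authenticator are constructed values.

```python
import hashlib
import string

# Bytes the server would consider printable (ASCII printable minus control whitespace).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def _pad16(password: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 octets, at least 16 (RFC 2865 5.2)."""
    length = max(16, ((len(password) + 15) // 16) * 16)
    return password.ljust(length, b"\x00")


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: c(1) = p(1) XOR MD5(S + RA); c(i) = p(i) XOR MD5(S + c(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad16(password)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block                      # chaining uses the *cipher* block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the inverse, which only yields the password if `secret` matches the NAS's."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")     # strip the NUL padding


def has_unprintable(password: bytes) -> bool:
    """Mirror the heuristic behind 'WARNING: Unprintable characters in the password'."""
    return any(b not in PRINTABLE for b in password)


# Constructed values: the NAS's secret and a server whose clients.conf entry differs by one space.
NAS_SECRET = b"mysecret"
SERVER_SECRET_WRONG = b"my secret"
AUTHENTICATOR = bytes(range(16))          # constructed 16-octet Request Authenticator
PASSWORD = b"test"


def diagnose(server_secret: bytes) -> dict:
    """Hide with the NAS secret, reveal with the server's, and report what the server sees."""
    hidden = hide_user_password(PASSWORD, NAS_SECRET, AUTHENTICATOR)
    seen = reveal_user_password(hidden, server_secret, AUTHENTICATOR)
    return {"seen": seen, "matches": seen == PASSWORD, "unprintable": has_unprintable(seen)}


if __name__ == "__main__":
    print("matching secrets:", diagnose(NAS_SECRET))
    print("mismatched secrets:", diagnose(SERVER_SECRET_WRONG))
```

With matching secrets the server recovers `test`; with the mismatched one it recovers 16 pseudo-random octets, which is exactly the symptom in the debug output above (the revealed bytes differ from the password and are not printable), so the fix is re-entering the secret on both sides, not comparing what was typed.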
RE: Free Radius users record samples for SmartEdge router subscriber authentication.
Ok, I have removed encrypted-key in Redback router which was causing issue about shared secrets.

Now the subscriber config on Radius is as follows:

a...@radius Cleartext-Password := test
            Service-Type = Framed-User,
            Framed-Protocol = PPP

From radius debug:

rad_recv: Access-Request packet from host 10.205.1.1:1812, id=3, length=187
        User-Name = a...@radius
        User-Password = test
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Identifier = Quiet
        NAS-Port = 167903232
        NAS-Real-Port = 2717909092
        NAS-Port-Type = Virtual
        NAS-Port-Id = 10/2 vlan-id 100 pppoe 347
        Medium-Type = DSL
        Mac-Addr = 00-0c-29-10-12-c3
        Platform-Type = SmartEdge-800
        OS-Version = 6.1.2.6p9
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm RADIUS for User-Name = a...@radius
rlm_realm: No such realm RADIUS
  modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
    users: Matched entry DEFAULT at line 183
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect: [...@radius/test] (from client SE-Quiet port 167903232)
Delaying request 0 for 1 seconds
Finished request 0

Unfortunately, the login is still failing with no obvious reason why. Any thoughts?

Thanks,
Elias

-----Original Message-----
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: June-16-09 3:50 PM
To: FreeRadius users mailing list
Subject: Re: Free Radius users record samples for SmartEdge router subscriber authentication.

Elias Abou Zeid wrote:
> Sorry for the :=, == confusion. I was doing it right using ==.

  No, using == is wrong.

> So now I have:
>
> a...@radius User-Password == test

  That's wrong.

> Now after enabling the radius -X, I get:

...

> WARNING: Unprintable characters in the password. ?
>         Double-check the shared secret on the server and the NAS!
>
> So it seems the password radius is receiving is different than what I am giving. I checked the shared secret between server and NAS, it matches! I am not sure why?

  The shared secrets do NOT match. This is in the FAQ. Don't check them. Re-enter them.

  Alan DeKok.
Wireless-802.11 vs. Ethernet and MSCHAP vs. EAP-TLS
I have a working, fresh FreeRADIUS 2.1.6 configuration with certificates for EAP-TLS in a wireless network - Access-Accept with a real AP and the eapol_test tool. An attempt to use this environment (except the NAS) for a wired network - the same client (MS Vista), server and certs - unfortunately doesn't work (logs below). Changing the authentication protocol to MSCHAP allows the client to authenticate. Can anybody explain this? I also include a tcpdump udp log with the wired EAP-TLS and MSCHAP attempts.

Roman

FreeRADIUS Version 2.1.6, for host x86_64-redhat-linux-gnu, built on Jun 13 2009 at 22:31:21
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/chap
including configuration file
Re: Authentication failure - PEAP - MS-CHAPv2
It's getting even more interesting: using the same configuration, but with another access point (same model and firmware version), it works flawlessly. There are only two differences between the setups:

- In the test environment, the AP is located near the test machine (it was placed about 5-6 meters from the AP, no walls between)
- We didn't configure VLANs on the test AP.

I have a feeling that the AP refuses the connection because some kind of privilege checking fails (the client is not privileged to access the required VLAN). Does the FreeRADIUS configuration need anything special if the AP is configured for multiple VLANs?

The VLAN configuration looks like this in the live environment:

VLAN4 - Private vlan, the radius server is located here and an EAP-protected SSID is mapped to this VLAN
VLAN5 - Public vlan, mapped to an open SSID
VLAN6 - Management vlan - untagged - we configure the APs using this VLAN

Probably the LDAP server has to provide some extra attribute which grants access to VLAN4, but I'm not sure.

Could you please help?

Thank you
Gergely Kiss

2009/6/12 kissg <mail.g...@gmail.com>
> 2009/6/11 Matthieu Lazaro <matthieu.laz...@eservglobal.com>
> > !
> > eap profile Profile Name
> >  method mschapv2
> > !
>
> I don't have the lines above in my config. Does this have any influence on the way the AP proxies radius packets? I think this is only relevant if the AP authenticates using its own database, right?
Re: Password conflict between Radius Server and Machine account
> And I couldn't find the 'authorize' config file anywhere in my server.

Oh, dear. How are you going to use the server when you don't know even the most basic things about it? Authorize is a section in the default virtual server (raddb/sites-enabled/default).

Ivan Kalik
Kalik Informatika ISP
Re: LDAP Authentication + Windows PKI
> Guys just a quick question. Can I use freeradius to authenticate my LDAP users and instead of using OpenSSL for certificates I use a Microsoft Certificate Authority?

Yes, you can generate certificates that way too.

Ivan Kalik
Kalik Informatika ISP
RE: Free Radius users record samples for SmartEdge router subscriber authentication.
> Now the subscriber config on Radius is as follows:
>
> a...@radius Cleartext-Password := test
>             Service-Type = Framed-User,
>             Framed-Protocol = PPP

Are you sure you are changing the correct users file? I don't see this entry in the debug. Do you know what server version you are using? Do radiusd -v if you don't. This debug looks older than 1.1.4.

> From radius debug:
>
> rad_recv: Access-Request packet from host 10.205.1.1:1812, id=3, length=187
>         User-Name = a...@radius
>         User-Password = test
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         NAS-Identifier = Quiet
>         NAS-Port = 167903232
>         NAS-Real-Port = 2717909092
>         NAS-Port-Type = Virtual
>         NAS-Port-Id = 10/2 vlan-id 100 pppoe 347
>         Medium-Type = DSL
>         Mac-Addr = 00-0c-29-10-12-c3
>         Platform-Type = SmartEdge-800
>         OS-Version = 6.1.2.6p9
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module preprocess returns ok for request 0
> radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616'
> rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616
>   modcall[authorize]: module auth_log returns ok for request 0
>   modcall[authorize]: module chap returns noop for request 0
>   modcall[authorize]: module mschap returns noop for request 0
> rlm_realm: Looking up realm RADIUS for User-Name = a...@radius
> rlm_realm: No such realm RADIUS
>   modcall[authorize]: module suffix returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module eap returns noop for request 0
>     users: Matched entry DEFAULT at line 152
>     users: Matched entry DEFAULT at line 171
>     users: Matched entry DEFAULT at line 183

One of these sets Auth-Type System. Comment it out.

>   modcall[authorize]: module files returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> rad_check_password: Found Auth-Type System
> auth: type System
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   modcall[authenticate]: module unix returns notfound for request 0
> modcall: leaving group authenticate (returns notfound) for request 0
> auth: Failed to validate the user.
> Login incorrect: [...@radius/test] (from client SE-Quiet port 167903232)
> Delaying request 0 for 1 seconds
> Finished request 0
>
> Unfortunately, the login is still failing with no obvious reason why.

Because the default entry in the users file sets Auth-Type to System. It was like that by default in old versions. If your version is pre 1.1.4 you will need to force Auth-Type. Probably to Local. But let's see the version first.

Ivan Kalik
Kalik Informatika ISP
Re: Free Radius users record samples for SmartEdge router subscriber authentication.
On Jun 16, 2009, at 1:37 PM, Elias Abou Zeid wrote:

> Ok, I have removed encrypted-key in Redback router which was causing issue about shared secrets.
>
> Now the subscriber config on Radius is as follows:
>
> a...@radius Cleartext-Password := test
>             Service-Type = Framed-User,
>             Framed-Protocol = PPP
>
> From radius debug:
>
> rlm_realm: Looking up realm RADIUS for User-Name = a...@radius
> rlm_realm: No such realm RADIUS

I think you need to either define a DEFAULT realm or define the RADIUS realm in proxy.conf

Either:

RADIUS {
}

Or:

DEFAULT {
}
RE: Free Radius users record samples for SmartEdge router subscriber authentication.
Hi Ivan,

The version info is:

radiusd: FreeRADIUS Version 1.1.7, for host sparc-sun-solaris2.10, built on Jan 8 2008 at 00:54:01
Copyright (C) 2000-2007 The FreeRADIUS server project.

I added in users:

Auth-Type := Local,

But still same debug result:

Ready to process requests.
rad_recv: Access-Request packet from host 10.205.1.1:1812, id=4, length=187
        User-Name = a...@radius
        User-Password = test
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Identifier = Quiet
        NAS-Port = 167903232
        NAS-Real-Port = 2717909092
        NAS-Port-Type = Virtual
        NAS-Port-Id = 10/2 vlan-id 100 pppoe 348
        Medium-Type = DSL
        Mac-Addr = 00-0c-29-10-12-c3
        Platform-Type = SmartEdge-800
        OS-Version = 6.1.2.6p9
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm RADIUS for User-Name = a...@radius
rlm_realm: No such realm RADIUS
  modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
    users: Matched entry DEFAULT at line 183
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect: [...@radius/test] (from client SE-Quiet port 167903232)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 4 to 10.205.1.1 port 1812
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 4 with timestamp 4a380fa8
Nothing to do. Sleeping until we see a request.

Any other ideas?

BR,
Elias

-----Original Message-----
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: June-16-09 5:28 PM
To: FreeRadius users mailing list
Subject: RE: Free Radius users record samples for SmartEdge router subscriber authentication.

> Now the subscriber config on Radius is as follows:
>
> a...@radius Cleartext-Password := test
>             Service-Type = Framed-User,
>             Framed-Protocol = PPP

Are you sure you are changing the correct users file? I don't see this entry in the debug. Do you know what server version you are using? Do radiusd -v if you don't. This debug looks older than 1.1.4.
Re: Wireless-802.11 vs. Ethernet and MSCHAP vs. EAP-TLS
> I have a working, fresh FreeRADIUS 2.1.6 configuration with certificates for EAP-TLS in a wireless network - Access-Accept with a real AP and the eapol_test tool. An attempt to use this environment (except the NAS) for a wired network - the same client (MS Vista), server and certs - unfortunately doesn't work (logs below). Changing the authentication protocol to MSCHAP allows the client to authenticate. Can anybody explain this?

That Vista supplicant is broken:

...
rad_recv: Access-Request packet from host 82.177.110.254 port 1031, id=10, length=132
        State = 0xa0f2d08ba418ddd73e9644301c3ef096
        NAS-Port-Type = Ethernet
        User-Name = user
        NAS-IP-Address = 192.168.167.10
        NAS-Port = 2
        Framed-MTU = 1000
        NAS-Port-Id = Port 2
        Calling-Station-Id = 00-21-70-88-3f-c1
        Called-Station-Id = 00-30-4f-64-76-eb
        Message-Authenticator = 0xfbc6c2b85d0058ca9db53c130e84189c
...
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
...

It stopped doing EAP for some reason. There is no EAP-Message in that last packet.

Ivan Kalik
Kalik Informatika ISP
simultaneous use logging
I have set up a custom module to do auth and acct. In debug mode everything appears correct, and responses appear correct. When I don't have radius running in debug mode, responses still appear correct, but if auth fails due to simultaneous use, radius is logging 'Auth: Login OK'. Authentication was successful, but the auth request failed due to simultaneous use, so it should be logging a failure I would think. Any idea what I might be doing wrong?

FreeRADIUS Version 2.1.4, for host i386-portbld-freebsd7.1, built on May 7 2009 at 10:48:55
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file
Re: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
On Tue, 16 Jun 2009, Elias Abou Zeid wrote:
a...@radius Cleartext-Password := test
	Service-Type = Framed-User,
	Framed-Protocol = PPP
Why do you specify a realm (@RADIUS)? Try removing it, or, as suggested by others, specify a default realm.
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
users: Matched entry DEFAULT at line 183
These lines tell us that you have more rules in your users file than the one you list above. Taken at face value, looks like two rules with 'fall through' followed by one without. And it never gets to the rule for 'abc'. Remember that radius looks for the first matching rule in your users file. DEFAULT rules should go at the bottom. - Charles - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdge router subcriberauthentication.
On Tue, 16 Jun 2009, Elias Abou Zeid wrote: Sorry for the :=, == confusion. I was doing it right using ==. Neither is 'right' or 'wrong'. You just need to be sure what you want to achieve with them. I'm not a complete expert on this, so if in doubt, try it *both* ways. (smile) One of them will work. I still suggest:
abc User-Password == test
	Service-Type = Framed-User,
	Framed-Protocol = PPP
...and make sure there are no default entries to interfere. :) - C - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdge router subcriberauthentication.
Charles Gregory wrote: On Tue, 16 Jun 2009, Elias Abou Zeid wrote: Sorry for the :=, == confusion. I was doing it right using ==. Neither is 'right' or 'wrong'. Using User-Password == foo is wrong. Using Cleartext-Password := foo is right. You just need to be sure what you want to achieve with them. I'm not a complete expert on this, so if in doubt, try it *both* ways. (smile) One of them will work. How about suggesting that people follow the instructions on this list? He was already told multiple times what was right, and what was wrong. Do not give people incorrect advice. It means that they won't solve their problem, and it means that I now have *three* times the work to do. One, to tell them what to do. Two, to tell you your advice is mistaken, and three, to convince them to *not* follow your advice. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
Elias Abou Zeid wrote: The version info is: radiusd: FreeRADIUS Version 1.1.7, for host sparc-sun-solaris2.10, built on Jan 8 2008 at 00:54:01 Copyright (C) 2000-2007 The FreeRADIUS server project. So the suggestions should work. I added in users: Auth-Type := Local, Do NOT do that. See the FAQ for other examples of adding a default user. Your entry should go at the TOP of the users file. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
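The two points made in this thread (the users file is searched top to bottom and stops at the first match without Fall-Through, so an entry placed below catch-all DEFAULT entries is never reached; and `Cleartext-Password :=` is right where `User-Password ==` is wrong) can be seen in a small model of that matching. This is an added example, not FreeRADIUS code; the entry names, line numbers, password and CHAP challenge are constructed, and the model keeps only the rules under discussion. It follows the 2.x behaviour that the authentication module needs a known-good password in the control list: `User-Password == test` only compares the cleartext the NAS sent, so it cannot match a CHAP request (which carries no User-Password at all), and even on a PAP request it leaves the server with nothing to authenticate against.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One 'users' file entry: name (or DEFAULT), check items, reply items."""
    name: str
    check: dict = field(default_factory=dict)   # attr -> (operator, value)
    reply: dict = field(default_factory=dict)   # attr -> value
    line: int = 0                                # line in the users file, for the trace


def match_users(entries, request):
    """Walk the entries top to bottom the way rlm_files does (simplified model).

    An entry applies when its name is DEFAULT or equals User-Name and every
    '==' check item equals the request attribute (absent attribute = no match).
    ':=' check items are not compared: they set control items such as
    Cleartext-Password.  Processing stops at the first applied entry unless it
    carries Fall-Through = Yes.
    """
    control, reply, trace = {}, {}, []
    for e in entries:
        if e.name != "DEFAULT" and e.name != request.get("User-Name"):
            continue
        if any(op == "==" and request.get(a) != v for a, (op, v) in e.check.items()):
            continue
        control.update({a: v for a, (op, v) in e.check.items() if op == ":="})
        trace.append(f"users: Matched entry {e.name} at line {e.line}")
        reply.update({a: v for a, v in e.reply.items() if a != "Fall-Through"})
        if e.reply.get("Fall-Through") != "Yes":
            break
    return control, reply, trace


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def authenticate(control, request):
    """What PAP and CHAP need from the users file: a known-good password."""
    known = control.get("Cleartext-Password")
    if known is None:
        return False  # nothing to compare against: the request is rejected
    if "User-Password" in request:                    # PAP: cleartext in the request
        return request["User-Password"] == known
    if "CHAP-Password" in request:                    # CHAP: verify the MD5 response
        ident, resp = request["CHAP-Password"][0], request["CHAP-Password"][1:]
        return resp == chap_response(ident, known, request["CHAP-Challenge"])
    return False


# Constructed entries mirroring the thread: three DEFAULT entries, two of them
# falling through, sitting ABOVE the user's own entry (hypothetical line numbers).
DEFAULTS = [
    Entry("DEFAULT", {}, {"Fall-Through": "Yes"}, 152),
    Entry("DEFAULT", {}, {"Framed-Protocol": "PPP", "Fall-Through": "Yes"}, 171),
    Entry("DEFAULT", {}, {"Service-Type": "Framed-User"}, 183),
]
ABC_RIGHT = Entry("abc", {"Cleartext-Password": (":=", "test")},
                  {"Service-Type": "Framed-User", "Framed-Protocol": "PPP"}, 190)
ABC_WRONG = Entry("abc", {"User-Password": ("==", "test")},
                  {"Service-Type": "Framed-User", "Framed-Protocol": "PPP"}, 190)

CHALLENGE = bytes(range(16))                       # constructed CHAP challenge
PAP_REQ = {"User-Name": "abc", "User-Password": "test"}
CHAP_REQ = {"User-Name": "abc", "CHAP-Challenge": CHALLENGE,
            "CHAP-Password": bytes([1]) + chap_response(1, "test", CHALLENGE)}


def run(entries, request):
    """Return (accepted, trace) for one request against one users file."""
    control, _reply, trace = match_users(entries, request)
    return authenticate(control, request), trace


if __name__ == "__main__":
    for label, users, req in [
        ("abc below the DEFAULTs, PAP", DEFAULTS + [ABC_RIGHT], PAP_REQ),
        ("abc at the top, PAP", [ABC_RIGHT] + DEFAULTS, PAP_REQ),
        ("abc at the top, CHAP", [ABC_RIGHT] + DEFAULTS, CHAP_REQ),
        ("User-Password == at the top, CHAP", [ABC_WRONG] + DEFAULTS, CHAP_REQ),
    ]:
        ok, trace = run(users, req)
        print(f"{label}: {'Access-Accept' if ok else 'Access-Reject'}  {trace}")
```

With the entry below the DEFAULTs the trace is exactly the three "Matched entry DEFAULT" lines quoted above and the user is rejected; moved to the top, the same entry authenticates both the PAP and the CHAP request, while the `User-Password ==` form never matches the CHAP request.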
Re: simultaneous use logging
James Devine wrote: I have setup a custom module to do auth and acct. In debug mode everything appears correct, and responses appear correct. When I don't have radius running in debug mode, responses still appear correct, but if auth fails due to simultaneous use, radius is logging 'Auth: Login OK'. Authentication was successful, but the auth request failed due to simultaneous use, so it should be logging a failure I would think. Any idea what I might be doing wrong? The Login OK message is produced only when it sends an Access-Accept back to the NAS. See src/main/auth.c. If a simultaneous-use check fails, it returns Access-Reject, and logs You are already logged in... The debug log you posted shows it receiving no packets, and therefore doing nothing. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
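Alan's point is that "Login OK" is written only when an Access-Accept goes back to the NAS, so a simultaneous-use failure (an Access-Reject) is never behind that line and has to be looked for under its own message. The following added example, not code from FreeRADIUS, classifies radius.log Auth lines that way and flags accounts repeatedly refused for simultaneous use. The sample lines are constructed; the "Login OK" / "Login incorrect" shape is the usual 2.x form, but the exact wording of the simultaneous-use line is an assumption, so adjust the pattern to what your server writes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the 2.x radius.log style
# "<date> : Auth: <outcome>: [<user>] (from client <name> port <n> ...)".
# The "Multiple logins (max N)" wording is an assumption about the
# simultaneous-use message; check it against your own log before relying on it.
SAMPLE_LOG = """\
Tue Jun 16 10:48:55 2009 : Auth: Login OK: [abc] (from client nas1 port 3 cli 00-11-22-33-44-55)
Tue Jun 16 10:49:02 2009 : Auth: Login incorrect: [abc] (from client nas1 port 4)
Tue Jun 16 10:49:10 2009 : Auth: Multiple logins (max 1) : [abc] (from client nas1 port 5)
Tue Jun 16 10:49:11 2009 : Auth: Multiple logins (max 1) : [abc] (from client nas2 port 1)
Tue Jun 16 10:50:00 2009 : Auth: Login OK: [dev] (from client nas2 port 2)
Tue Jun 16 10:50:30 2009 : Error: Discarding duplicate request from client nas1 port 1812
"""

LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: "
    r"(?P<outcome>Login OK|Login incorrect|Multiple logins \(max (?P<max>\d+)\)[^:]*)"
    r": \[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)"
)


def parse(text):
    """Turn Auth lines into events; non-Auth lines (Error:, Info:) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        outcome = m["outcome"]
        if outcome == "Login OK":
            kind, packet = "ok", "Access-Accept"          # only case that logs Login OK
        elif outcome == "Login incorrect":
            kind, packet = "bad-password", "Access-Reject"
        else:
            kind, packet = "simultaneous-use", "Access-Reject"
        events.append({"ts": m["ts"], "user": m["user"], "client": m["client"],
                       "port": int(m["port"]), "kind": kind, "packet": packet})
    return events


def per_user(events):
    """Counter keyed by (user, kind), e.g. ("abc", "simultaneous-use") -> 2."""
    return Counter((e["user"], e["kind"]) for e in events)


def suspicious_sharing(events, min_rejects=2):
    """Users refused for simultaneous use at least min_rejects times from more
    than one client.  Either the credentials are shared between devices, or the
    session table (radutmp) is stale because a NAS dropped sessions without
    sending Accounting-Stop; checkrad exists to tell those two apart."""
    clients = defaultdict(set)
    counts = Counter()
    for e in events:
        if e["kind"] == "simultaneous-use":
            clients[e["user"]].add(e["client"])
            counts[e["user"]] += 1
    return sorted(u for u, n in counts.items() if n >= min_rejects and len(clients[u]) > 1)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for (user, kind), n in sorted(per_user(evs).items()):
        print(f"{user:8} {kind:17} {n}")
    print("repeated simultaneous-use rejects from several clients:", suspicious_sharing(evs))
```

Run against a real radius.log, a user whose NAS sends no Accounting-Stop on disconnect will show up here too; that is the case to check with checkrad (configured in the debug output above) before concluding the account is shared.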