Re: use_tunneled_reply has no effect

2009-06-17 Thread Stefan Winter
Hi,

> Yes, I am aware privacy is a concern. As I am doing some tests, I
> thought it would be easier to debug if there's a way to relate a request
> to a proxied username. Is this technically not possible, or is it more a
> political matter?
>   

Technically impossible until you break TLS. OR make a deal with the home
server that it reveals the actual user name to you.

> I thought the outer-tunnel is set up to secure the connection between the
> user and the authentication server.

And the *home* authentication server. If you operate a proxy in the
middle between user and home server, you will not see the inner tunnel
credentials.

>  So the authentication server has access to
> the unencrypted data, which it in turn sends on to proxies to verify the
> received credentials;

Only the *home* authentication server has access to the credentials.
These credentials are typically not proxied anywhere (there are
exceptions at the discretion of that home server).

>  this data is encrypted using the home-server shared 
> key. Please enlighten me if this is not correct.
>   

The shared secret ensures packet integrity between RADIUS peers, i.e.
between your proxy and the home server. With EAP authentication, it does
*not* add anything to credential encryption - that happens entirely in
the EAP tunnel.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

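Added example (not from the thread, and not FreeRADIUS code): the Python below builds two Access-Requests for a made-up example.org realm and shows what a proxy that holds the shared secret can get out of each. For both it can verify the Message-Authenticator (HMAC-MD5 keyed with the secret), which is the peer-to-peer integrity Stefan describes. For the PAP request it can also recover the password, because RFC 2865 User-Password hiding is keyed with that same secret. For the PEAP request it gets the outer identity and a TLS record it cannot open; the inner identity and the MS-CHAPv2 exchange are inside that ciphertext, which is why only the home server ever sees them. The secret, user names and TLS bytes are all constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS attribute types used below (RFC 2865, RFC 2869).
USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with an MD5 keystream of secret+prev."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def pap_unhide(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_hide: any hop that knows the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, secret: bytes, request_auth: bytes, attrs: list) -> bytes:
    """Access-Request (code 1) whose last attribute is a Message-Authenticator:
    HMAC-MD5 keyed with the secret over the packet with that field zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    header = struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...] from the attribute section of a packet."""
    attrs, pos = [], 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 1 < len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Peer-to-peer integrity check; it says nothing about the EAP payload."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += max(alen, 2)
    return False

def proxy_view(packet: bytes, secret: bytes) -> dict:
    """Everything a proxy that holds the shared secret learns from one request."""
    view = {"integrity_ok": verify_message_authenticator(packet, secret),
            "outer_identity": None, "pap_password": None, "eap_payload": b""}
    request_auth = packet[4:20]
    for atype, value in parse_attributes(packet):
        if atype == USER_NAME:
            view["outer_identity"] = value.decode()
        elif atype == USER_PASSWORD:
            view["pap_password"] = pap_unhide(value, secret, request_auth).decode()
        elif atype == EAP_MESSAGE:  # fragments concatenate in packet order
            view["eap_payload"] += value
    return view


SECRET = b"testing123"  # constructed; same value as the radtest call in this thread

# Constructed EAP-Response (code 2, id 5), type 25 (PEAP), flags 0, wrapping one
# TLS application-data record.  The inner identity and MS-CHAPv2 exchange live
# inside that ciphertext; the bytes here are arbitrary stand-ins for it.
TLS_RECORD = b"\x17\x03\x01\x00\x10" + bytes(range(0xA0, 0xB0))
EAP_PEAP = struct.pack("!BBHBB", 2, 5, 6 + len(TLS_RECORD), 25, 0) + TLS_RECORD

def make_samples() -> tuple:
    """One PAP and one PEAP Access-Request for a hypothetical example.org realm."""
    ra_pap, ra_eap = os.urandom(16), os.urandom(16)
    pap = build_access_request(1, SECRET, ra_pap, [
        (USER_NAME, b"alice@example.org"),
        (USER_PASSWORD, pap_hide(b"hunter2", SECRET, ra_pap))])
    eap = build_access_request(2, SECRET, ra_eap, [
        (USER_NAME, b"anonymous@example.org"),  # outer identity is all a proxy gets
        (EAP_MESSAGE, EAP_PEAP)])
    return pap, eap

if __name__ == "__main__":
    pap, eap = make_samples()
    print("PAP request at the proxy:", proxy_view(pap, SECRET))
    print("EAP request at the proxy:", proxy_view(eap, SECRET))
```

Run it as a script to see the two views side by side. Flipping one bit in the outer User-Name of either packet makes verify_message_authenticator() return False, which is the most a proxy can say about a packet without being the TLS endpoint; it still cannot tell whether the inner credentials are right.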

Re: simultaneous use logging

2009-06-17 Thread James Devine
Ah yes, I was doing that wrong, that seems to work much better now.  Thank you.



On Wed, Jun 17, 2009 at 10:28 AM, Alan DeKok wrote:
> James Devine wrote:
>> The authentication portion of the module returns ok, the session
>> portion returns reject, as it should.
>
>  No.
>
>  The session portion should return "ok", and increment
> request->simul_count.  See rlm_radutmp for examples.
>
>  This is because users may be tracked in multiple places (radutmp, sql,
> etc.), *and* they have Simultaneous-Use limits that are more than one.
>
>  This allows the SQL module to say "I track one login", and the radutmp
> module to say "I track a different login", with the admin allowing 2
> simultaneous logins.
>
>  Alan DeKok.
>



Re: Cannot Authenticate - Help!

2009-06-17 Thread Ivan Kalik
> So, it works... But then I put the AP to work (Linksys wrt54g),
> configured like this:
> It never authenticates... No matter what I do. I tried everything I
> could find on the list or FAQ before registering. Here goes the log

This is a very old version. You shouldn't be using 1.x with EAP for a huge
number of reasons. Upgrade.

As for the debug - you have removed eap (and lots more) from the
configuration and then sent an eap request. No wonder it's not working.
Use default configuration and it will work.

Ivan Kalik
Kalik Informatika ISP



Re: [rad] Cannot Authenticate - Help!

2009-06-17 Thread Charles Gregory


I notice it matching multiple 'DEFAULT' entries in your 'users' file.
Make sure that one of them doesn't enforce an 'auth-type' other than 
the one you want to use here.


- Charles

On Wed, 17 Jun 2009, Filipe Scalioni wrote:

I'm new to FreeRadius, and I'm having some hard time to put it to
work. Simply talking: I can authenticate from my linux (Suse 11.1)
using radtest, directly linked to the server (LAN). Here is the
answer:

protagoras:~ # radtest teste teste 192.168.10.113:1812 1812 testing123
Sending Access-Request of id 240 to 192.168.10.113 port 1812
    User-Name = "teste"
    User-Password = "teste"
    NAS-IP-Address = 127.0.0.2
    NAS-Port = 1812
rad_recv: Access-Accept packet from host 192.168.10.113 port 1812,
id=240, length=20

So, it works... But then I put the AP to work (Linksys wrt54g),
configured like this:

Security mode: WPA Enterprise
WPA Algorithms: TKIP
RADIUS Server Address: 192.168.10.113 - this is my RADIUS server IP
RADIUS Port: 1812
Shared Key: testing123
Key Renewal Timeout: 3600 seconds

All good, but when I try to connect from Windows XP, Vista or 7,
configured like this

Network Authentication: WPA
Data Encryption: TKIP
EAP Type: PEAP
Authentication Method: MsCHAPv2
Not sending my windows login parameters

It never authenticates... No matter what I do. I tried everything I
could find on the list or FAQ before registering. Here goes the log

[r...@testecent raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd.pid"
 main: bind_address = 192.168.10.113 IP address [192.168.10.113]
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain}"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = "ldap.your.domain"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "o=My Org,c=UA"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = 

Cannot Authenticate - Help!

2009-06-17 Thread Filipe Scalioni
Hi,

I'm new to FreeRadius, and I'm having some hard time to put it to
work. Simply talking: I can authenticate from my linux (Suse 11.1)
using radtest, directly linked to the server (LAN). Here is the
answer:

protagoras:~ # radtest teste teste 192.168.10.113:1812 1812 testing123
Sending Access-Request of id 240 to 192.168.10.113 port 1812
    User-Name = "teste"
    User-Password = "teste"
    NAS-IP-Address = 127.0.0.2
    NAS-Port = 1812
rad_recv: Access-Accept packet from host 192.168.10.113 port 1812,
id=240, length=20

So, it works... But then I put the AP to work (Linksys wrt54g),
configured like this:

Security mode: WPA Enterprise
WPA Algorithms: TKIP
RADIUS Server Address: 192.168.10.113 - this is my RADIUS server IP
RADIUS Port: 1812
Shared Key: testing123
Key Renewal Timeout: 3600 seconds

All good, but when I try to connect from Windows XP, Vista or 7,
configured like this

Network Authentication: WPA
Data Encryption: TKIP
EAP Type: PEAP
Authentication Method: MsCHAPv2
Not sending my windows login parameters

It never authenticates... No matter what I do. I tried everything I
could find on the list or FAQ before registering. Here goes the log

[r...@testecent raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd.pid"
 main: bind_address = 192.168.10.113 IP address [192.168.10.113]
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain}"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = "ldap.your.domain"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "o=My Org,c=UA"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "(null)"
 ldap: access_attr = "dialupAccess"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})

Re: [rad] Re: Problem with external authentication script

2009-06-17 Thread Charles Gregory

On Wed, 17 Jun 2009, Stefan Kuegler wrote:

/etc/freeradius/users
-
DEFAULT   Auth-Type = MOTP
  Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}'
'%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}'",
  Fall-Through = yes

user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0


If this correctly represents the order of your entries, then your 
program execution command is getting 'constructed' on the DEFAULT entry 
*before* you assign those values on the 'user1' entry.


Try moving the user1 line before the DEFAULT (and reverse the 'fall 
through' specifications)


- Charles


Re: [rad] Re: Problem with external authentication script

2009-06-17 Thread Stefan Kuegler

Hello Ivan.


Forcing Auth-Type in users file should work.

Thanks for this advice. I changed my users file to use MOTP as the
DEFAULT-Auth-Type (first entry of the users file).

/etc/freeradius/users
-
DEFAULT   Auth-Type = MOTP
  Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}'
'%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}'",
  Fall-Through = yes

user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0


This part of my problem seems to be solved. Freeradius now uses MOTP as
the Auth-Type.

But the "old" problem is always present: freeradius doesn't call the
external authentication script (otpverify.sh) with the needed arguments
(Secret, PIN and Offset):

[...]
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.82.40 port 1026,
id=35, length=77
User-Name = "user1"
User-Password = "secret"
Service-Type = Authenticate-Only
NAS-Identifier = "linux.local"
NAS-IP-Address = 192.168.82.40
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry DEFAULT at line 2
expand: /usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}'
'%{Secret}' '%{PIN}' '%{Offset}' -> /usr/local/bin/otpverify.sh 'user1'
'secret' '' '' ''
users: Matched entry user1 at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rad_check_password:  Found Auth-Type MOTP
auth: type "MOTP"
+- entering group MOTP
expand: %{User-Name} -> user1
expand: %{User-Password} -> secret
expand: %{Secret} ->
expand: %{PIN} ->
expand: %{Offset} ->
expr: syntax error
Usage: printf [ options ] format [string ...]
Exec-Program output: FAIL
Exec-Program-Wait: plaintext: FAIL
Exec-Program: returned: 1
++[motp] returns reject
auth: Failed to validate the user.
Login incorrect: [user1/secret] (from client 192.168.82.40 port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> user1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request


Any ideas ??

Thank you all,

Stefan



Re: SSH authendication with radius server fails if the user does not exist in radius client

2009-06-17 Thread kpani

Yes. Got it. Thanks Ivan.

Regards,
Dhandapani


Ivan Kalik wrote:
> 
>> Do you mean the radius server can be only used for password
>> authentication
>> in case of ssh/telnet?
> 
> Yes.
> 
>> Can't we login using the centralized
>> username/password?
> 
> No, that can't work. Let's say that you were authenticated and reached the
> shell as a nonexistent local user. How is he supposed to access anything or
> execute any commands? No permissions would apply to him.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> 




Re: simultaneous use logging

2009-06-17 Thread Alan DeKok
James Devine wrote:
> The authentication portion of the module returns ok, the session
> portion returns reject, as it should.

  No.

  The session portion should return "ok", and increment
request->simul_count.  See rlm_radutmp for examples.

  This is because users may be tracked in multiple places (radutmp, sql,
etc.), *and* they have Simultaneous-Use limits that are more than one.

  This allows the SQL module to say "I track one login", and the radutmp
module to say "I track a different login", with the admin allowing 2
simultaneous logins.

  Alan DeKok.


Re: simultaneous use logging

2009-06-17 Thread James Devine
The authentication portion of the module returns ok, the session
portion returns reject, as it should.

On Wed, Jun 17, 2009 at 9:18 AM, Ivan Kalik wrote:
>> Well, in debugging mode, it doesn't log anything to the file, but the
>> debug output shows it being rejected.  When I am not running in debug,
>> I only get 'Login OK: [zdls02/p2182111] (from client allowed_clients
>> port 536936642)' logged by the radius server. I am logging my own
>> simultaneous use message, although this shows up prior to the login OK
>> message in the logs.
>
> Your authentication module is broken.
>
> ...
>> Found Auth-Type = gwis
>> +- entering group authenticate {...}
>> ++[gwis] returns ok
>> +- entering group session {...}
>> [rlm_gwis 4a38f8a476ce4ac0b0 Error] Authentication failed due to
>> simultaneous use: zdls02
>> ++[gwis] returns reject
> ...
>
> It first returns ok, then rejects. So you get both login OK and reject.
> Fix the module.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>



RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Elias Abou Zeid
Hi Ivan,

I used the following user record:

a...@radius  User-Password == "test"
Service-Type = Framed-User,
Framed-Protocol = PPP

And I sent a CHAP request, authentication still work.


rad_recv: Access-Request packet from host 10.205.1.1:1812, id=212,
length=188
User-Name = "a...@radius"
CHAP-Password = 0x01fb483b2d567fd0e128500a3ce0980d0b
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = "Quiet"
NAS-Port = 167903232
NAS-Real-Port = 2717909092
NAS-Port-Type = Virtual
NAS-Port-Id = "10/2 vlan-id 100 pppoe 372"
Medium-Type = DSL
Mac-Addr = "00-0c-29-10-12-c3"
Platform-Type = SmartEdge-800
OS-Version = "6.1.2.6p9"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090617'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090617
  modcall[authorize]: module "auth_log" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "RADIUS" for User-Name = "a...@radius"
rlm_realm: No such realm "RADIUS"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry a...@radius at line 148
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
  rlm_chap: login attempt by "a...@radius" with CHAP password
  rlm_chap: Using clear text password "test" for user a...@radius
authentication.
  rlm_chap: chap user a...@radius authenticated succesfully
  modcall[authenticate]: module "chap" returns ok for request 0
modcall: leaving group CHAP (returns ok) for request 0
Login OK: [...@radius/] (from client SE-Quiet port
167903232)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_ippool: Could not find Pool-Name attribute.
  modcall[post-auth]: module "main_pool" returns noop for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/reply-detail-20090617'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/reply-detail-20090617
  modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 212 to 10.205.1.1 port 1812
Service-Type = Framed-User
Framed-Protocol = PPP
Finished request 0

 

-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org
[mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: June-17-09 11:02 AM
To: FreeRadius users mailing list
Subject: RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

> Just out for sake of completeness. On FreeRADIUS Version 1.1.7
>
> I tried both User-Password == "test" and Cleartext-Password := "test".
>
> They both work fine when the user entry is before default setting in 
> users file.

For a pap request. Try sending chap or mschap request and see what
happens. Cleartext-Password will work with all cases, User-Password
won't.

Ivan Kalik
Kalik Informatika ISP




Re: SSH authendication with radius server fails if the user does not exist in radius client

2009-06-17 Thread Ivan Kalik
> Do you mean the radius server can be only used for password authentication
> in case of ssh/telnet?

Yes.

> Can't we login using the centralized
> username/password?

No, that can't work. Let's say that you were authenticated and reached the
shell as a nonexistent local user. How is he supposed to access anything or
execute any commands? No permissions would apply to him.

Ivan Kalik
Kalik Informatika ISP



Re: SSH authendication with radius server fails if the user does not exist in radius client

2009-06-17 Thread kpani

Thanks a lot Ivan for the clarification. I am feeling like working with you.

Do you mean the radius server can be only used for password authentication
in case of ssh/telnet? Can't we login using the centralized
username/password?

Regards,
Dhandapani


Ivan Kalik wrote:
> 
>> So it looks like the radius client is not sending the password to radius
>> server if the user does not exist in local machine.
> 
> Yes, that's how PAM works. It can't authenticate users that don't exist
> locally (think about it - if user/group is not defined locally what will
> user be able to access on the machine). Nothing to do with radius.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> 




Re: simultaneous use logging

2009-06-17 Thread Ivan Kalik
> Well, in debugging mode, it doesn't log anything to the file, but the
> debug output shows it being rejected.  When I am not running in debug,
> I only get 'Login OK: [zdls02/p2182111] (from client allowed_clients
> port 536936642)' logged by the radius server. I am logging my own
> simultaneous use message, although this shows up prior to the login OK
> message in the logs.

Your authentication module is broken.

...
> Found Auth-Type = gwis
> +- entering group authenticate {...}
> ++[gwis] returns ok
> +- entering group session {...}
> [rlm_gwis 4a38f8a476ce4ac0b0 Error] Authentication failed due to
> simultaneous use: zdls02
> ++[gwis] returns reject
...

It first returns ok, then rejects. So you get both login OK and reject.
Fix the module.

Ivan Kalik
Kalik Informatika ISP



Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Charles Gregory

On Wed, 17 Jun 2009, Elias Abou Zeid wrote:

Just out for sake of completeness. On FreeRADIUS Version 1.1.7
I tried both User-Password == "test" and Cleartext-Password := "test".
They both work fine when the user entry is before default setting in
users file.
Just to let you know.
Elias


Thank you, Elias.

- Charles


RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Ivan Kalik
> Just out for sake of completeness. On FreeRADIUS Version 1.1.7
>
> I tried both User-Password == "test" and Cleartext-Password := "test".
>
> They both work fine when the user entry is before default setting in
> users file.

For a pap request. Try sending chap or mschap request and see what
happens. Cleartext-Password will work with all cases, User-Password won't.

Ivan Kalik
Kalik Informatika ISP



Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Alan DeKok
Charles Gregory wrote:
> Okay, this isn't just my favorite quibbler jumping on me. So I have to
> ask, even if there is a 'better' syntax, or a 'preferred' way of doing
> things, why is this 'standard' old radius check item so 'wrong'?

  The '==' operator should be *comparing* attributes.  There should be
no magic needed to compare attributes.

  Until 1.1.4, the code had magic specifically for User-Password.  This
kind of magic is wrong on many levels.  It makes the code more complex,
it is inconsistent, and it breaks the principle of "least surprise".

  In addition to that, many authentication methods do *not* contain a
User-Password.  So if we got rid of that magic without doing anything
else, checking "User-Password == foo" for EAP requests will *always*
fail.  This will make administrators unhappy.

  There is a simple solution.  Tell the server what the "known good"
password is.  Let the modules do the authentication.  So the MS-CHAP
module will take the "known good" password, do its MS-CHAP
calculations, and compare that to what's in the packet.

  The same goes for CHAP, EAP, and other authentication protocols.

  That's why we have Cleartext-Password, NT-Password, Crypt-Password,
and others.  Those are all different forms of the "known good" password.
 And because they are "server side" attributes, they will *never* go
into a packet.  This is a Good Thing.

  This argument is the same argument against using "Auth-Type = LDAP".
LDAP is a *database*.  Using it as an authentication server is *wrong*,
because LDAP servers don't implement CHAP, MS-CHAP, EAP, etc.  Until the
documentation and examples were updated to SHOUT at people "don't use
Auth-Type = LDAP", there were weekly complaints that people had followed
some horrible third-party guide, and couldn't get EAP working.

> I checked the docs, and it *appears* that checking an input attribute
> value against a hard-coded constant is still valid syntax.

  Yes.  And there is magic to deal with User-Password, so that it does
what users expect, and *not* what is the "right" thing to do.

> So why is Input-Attribute == "value" now wrong?

  It's not.  Doing those comparisons on User-Password is wrong.
*Unless* you want to break every authentication method other than PAP.

> Or is '==' deprecated for all check items past a certain release?

  No.

> If so, why is it still in the 'users' man page for 2.x?

  Because it works.

> I finally noticed that "Cleartext-Password" is not an input attribute,

  Yes.  It's a "check" attribute.  See the "users" file documentation
for how check attributes are treated.

> which suggests that there is something 'different' about the way we're
> now specifying input attribute checking in the users file. I don't doubt
> that it 'makes sense' according to some new way of doing things, but it
> looks like an amazing departure from 'classic' Livingston syntax

  Yes.  The Livingston server was wrong.  It had magic to deal with
'User-Password = foo', that made it work for CHAP authentication.  This
was (and still is) ugly.

  The Livingston server also read the entire "users" file into memory
for *every* request.  That behavior was wrong, too.

  The Livingston server didn't cache requests and responses, so it would
re-process duplicates, causing unnecessary delays and load.  See RFC
5080 for the *FreeRADIUS* way of doing things, which all RADIUS servers
have now implemented.

> If so, I'm *really* glad I didn't upgrade my live version. :-O

  Upgrading versions always requires care and attention.  This is no
different.

  Alan DeKok.

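Both Ivan's observation earlier in this thread (Cleartext-Password works for every method, User-Password == only for PAP) and Alan's "known good password" explanation come down to a few lines of arithmetic. The following is an added example, not FreeRADIUS code: it runs the two styles of check item against a constructed PAP request and a constructed CHAP request, with rlm_chap's RFC 1994 calculation written out. The user name, Request Authenticator and CHAP-Password bytes are made up (only the shape, including the leading ident byte 0x01, matches the posted debug output), and the real server additionally has the User-Password compatibility magic Alan mentions on top of this.

```python
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: CHAP-Password value = ident || MD5(ident || password || challenge).
    This is the calculation rlm_chap does from the known-good password."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def livingston_check(request: dict, check: dict) -> bool:
    """The old style: 'User-Password == "test"' compares an attribute that must
    be in the packet.  CHAP, MS-CHAP and EAP requests carry no User-Password."""
    return request.get("User-Password") == check.get("User-Password")

def authenticate(request: dict, check: dict) -> str:
    """The 2.x style: the check list holds a known-good Cleartext-Password (a
    server-side attribute that never goes into a packet) and the method is
    chosen from what the packet contains, as rlm_chap does when it sets
    Auth-Type := CHAP.  Returns "ok" or a reject reason."""
    known_good = check.get("Cleartext-Password")
    if known_good is None:
        return "reject: no known-good password for user"
    if "CHAP-Password" in request:
        # The challenge is the CHAP-Challenge attribute if present, otherwise
        # the Request Authenticator of the Access-Request.
        challenge = request.get("CHAP-Challenge", request["Request-Authenticator"])
        got = request["CHAP-Password"]
        expected = chap_response(got[0], known_good.encode(), challenge)
        return "ok" if hmac.compare_digest(got, expected) else "reject: CHAP mismatch"
    if "User-Password" in request:
        # The server core has already un-hidden User-Password with the shared secret.
        ok = hmac.compare_digest(request["User-Password"].encode(), known_good.encode())
        return "ok" if ok else "reject: PAP mismatch"
    return "reject: packet carries nothing this check can verify"


# Constructed requests for a made-up user; only the shape matches the thread.
REQUEST_AUTH = bytes(range(16))
PAP_REQUEST = {"User-Name": "test@radius", "User-Password": "test",
               "Request-Authenticator": REQUEST_AUTH}
CHAP_REQUEST = {"User-Name": "test@radius",
                "CHAP-Password": chap_response(1, b"test", REQUEST_AUTH),  # 0x01 ident first
                "Request-Authenticator": REQUEST_AUTH}
OLD_CHECK = {"User-Password": "test"}       # users:  name  User-Password == "test"
NEW_CHECK = {"Cleartext-Password": "test"}  # users:  name  Cleartext-Password := "test"

def compare_styles() -> dict:
    """Run both check styles against both request types."""
    return {
        "pap,  User-Password ==": livingston_check(PAP_REQUEST, OLD_CHECK),
        "chap, User-Password ==": livingston_check(CHAP_REQUEST, OLD_CHECK),
        "pap,  Cleartext-Password :=": authenticate(PAP_REQUEST, NEW_CHECK),
        "chap, Cleartext-Password :=": authenticate(CHAP_REQUEST, NEW_CHECK),
    }

if __name__ == "__main__":
    for case, result in compare_styles().items():
        print("%-30s -> %s" % (case, result))
```

The point to take away: Cleartext-Password sits in the check list and never appears on the wire, so every module (CHAP here, MS-CHAP and EAP in the real server) can derive what it needs from it, while a comparison against User-Password can only ever succeed for a packet that actually carries one.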

Re: simultaneous use logging

2009-06-17 Thread James Devine
Well, in debugging mode, it doesn't log anything to the file, but the
debug output shows it being rejected.  When I am not running in debug,
I only get 'Login OK: [zdls02/p2182111] (from client allowed_clients
port 536936642)' logged by the radius server. I am logging my own
simultaneous use message, although this shows up prior to the login OK
message in the logs.


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.231 port 50895,
id=25, length=97
User-Name = "zdls02"
Service-Type = Framed-User
NAS-IP-Address = 10.10.10.231
NAS-Port = 536936642
NAS-Port-Type = Virtual
User-Password = "fred"
Framed-Protocol = PPP
NAS-Port-Id = "2/0/0/1.194"
Service-Type = Framed-User
+- entering group authorize {...}
[preprocess]   hints: Matched DEFAULT at 21
[preprocess]   hints: Matched DEFAULT at 58
[preprocess]   hints: Matched DEFAULT at 751
[preprocess]   hints: Matched DEFAULT at 1180
++[preprocess] returns ok
++[gwis] returns ok
[files] users: Matched entry DEFAULT at line 316
++[files] returns ok
Found Auth-Type = gwis
+- entering group authenticate {...}
++[gwis] returns ok
+- entering group session {...}
[rlm_gwis 4a38f8a476ce4ac0b0 Error] Authentication failed due to
simultaneous use: zdls02
++[gwis] returns reject
Login OK: [zdls02/p2182111] (from client allowed_clients port 536936642)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> zdls02
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 25 to 10.10.10.231 port 50895
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 25 with timestamp +26
Ready to process requests.




On Wed, Jun 17, 2009 at 3:08 AM, Ivan Kalik wrote:
>> I have setup a custom module to do auth and acct.  In debug mode
>> everything appears correct, and responses appear correct.  When I
>> don't have radius running in debug mode, responses still appear
>> correct, but if auth fails due to simultaneous use, radius is logging
>> 'Auth: Login OK'.  Authentication was successful, but the auth request
>> failed due to simultaneous use, so it should be logging a failure I
>> would think.  Any idea what I might be doing wrong?
>
> If simultaneous checking rejected the user you will have an entry like:
>
> Multiple logins (max 1) : [username]
>
> in radius.log.
>
>
> Ivan Kalik
> Kalik Informatika ISP
>

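James's debug output shows why a `Login OK` line on its own is a poor success signal: the authenticate section logs it, the session section then rejects the request, and the packet actually sent is an Access-Reject. The Python below is an added example, not FreeRADIUS code; the sample lines are constructed in the shape of the `radiusd -X` output above (same request id and user as on the page, plus two extra requests for contrast). It walks the debug output request by request, pairs the logged verdict with the `Sending Access-...` line for the same id and client, and lists the requests where the two disagree.

```python
import re

# Constructed sample in the shape of the radiusd -X output quoted above.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.10.10.231 port 50895, id=25, length=97
        User-Name = "zdls02"
        NAS-Port = 536936642
Login OK: [zdls02/p2182111] (from client allowed_clients port 536936642)
Using Post-Auth-Type Reject
Sending Access-Reject of id 25 to 10.10.10.231 port 50895
Finished request 0.
rad_recv: Access-Request packet from host 10.10.10.231 port 50896, id=26, length=97
        User-Name = "zdls03"
        NAS-Port = 536936643
Login OK: [zdls03/p123] (from client allowed_clients port 536936643)
Sending Access-Accept of id 26 to 10.10.10.231 port 50896
Finished request 1.
rad_recv: Access-Request packet from host 10.10.10.231 port 50897, id=27, length=97
        User-Name = "zdls04"
Login incorrect: [zdls04/badpw] (from client allowed_clients port 536936644)
Sending Access-Reject of id 27 to 10.10.10.231 port 50897
Finished request 2.
"""

RECV_RE = re.compile(r'^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)')
LOGIN_RE = re.compile(r'^Login (OK|incorrect): \[([^/\]]+)')
SEND_RE = re.compile(r'^Sending Access-(Accept|Reject|Challenge) of id (\d+) to (\S+) port')


def correlate(lines):
    """Walk the debug output one request at a time and pair the 'Login ...' verdict
    logged by the authenticate section with the packet code actually sent back."""
    results = []
    current = None
    for raw in lines:
        line = raw.strip()
        m = RECV_RE.match(line)
        if m:
            current = {"client": m.group(1), "id": int(m.group(2)),
                       "user": None, "login": None, "sent": None}
            continue
        if current is None:
            continue
        if line.startswith('User-Name = "'):
            current["user"] = line.split('"')[1]
        m = LOGIN_RE.match(line)
        if m:
            current["login"] = m.group(1)
            current["user"] = current["user"] or m.group(2)
        m = SEND_RE.match(line)
        if m and int(m.group(2)) == current["id"] and m.group(3) == current["client"]:
            current["sent"] = m.group(1)
            results.append(current)
            current = None
    return results


def suspicious(results):
    """Requests whose logged verdict and wire verdict disagree: 'Login OK' was logged but
    an Access-Reject went out (here: rejected by the session section after authentication
    succeeded).  Monitoring that keys only on 'Login OK' would count these as successes."""
    return [r for r in results if r["login"] == "OK" and r["sent"] == "Reject"]


if __name__ == "__main__":
    for r in suspicious(correlate(SAMPLE_DEBUG.splitlines())):
        print(f"id={r['id']} user={r['user']} logged=Login {r['login']} sent=Access-{r['sent']}")
```

The same pairing works on production logs if the "Sending Access-..." verdict is available; where only radius.log is kept, the module's own simultaneous-use message (as James logs it) is the line to key on, not `Login OK`.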


Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Alan DeKok
Elias Abou Zeid wrote:
> Just out for sake of completeness. On FreeRADIUS Version 1.1.7
> 
> I tried both User-Password == "test" and Cleartext-Password := "test".
> 
> They both work fine when the user entry is before the default setting in
> the users file.

  Yes.  Because *old* versions of the server accepted 'User-Password
==', and not 'Cleartext-Password :='.  We try to keep compatibility
between versions of the server.

  Even with that, 'User-Password ==' is wrong.  It's been wrong for
nearly three years now.  Any blog, web page, "howto", etc. that suggests
it is wrong, and is out of date.

  At some point, that backwards compatibility will be removed.  Any
systems still using "User-Password ==" will then *break*.

  Alan DeKok.


Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Charles Gregory

On Wed, 17 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:

> abc     User-Password == "test"
>
> that is wrong. wrong and wrong


Okay, this isn't just my favorite quibbler jumping on me. So I have to 
ask, even if there is a 'better' syntax, or a 'preferred' way of doing 
things, why is this 'standard' old radius check item so 'wrong'?


I checked the docs, and it *appears* that checking an input attribute 
value against a hard-coded constant is still valid syntax. Though I notice 
that the example that both Elias and I quote is *gone* from the 1.1.7 docs 
(Elias, please check, I think you have man pages and/or documentation from 
a version of FR earlier than your 1.1.7! This really confuses things!).


So why is Input-Attribute == "value" now wrong?
Is it just wrong for the Passwords? Groups?
Or is '==' deprecated for all check items past a certain release?
If so, why is it still in the 'users' man page for 2.x?
I finally noticed that "Cleartext-Password" is not an input attribute, 
which suggests that there is something 'different' about the way we're 
now specifying input attribute checking in the users file. I don't doubt 
that it 'makes sense' according to some new way of doing things, but it 
looks like an amazing departure from 'classic' Livingston syntax


If so, I'm *really* glad I didn't upgrade my live version. :-O

- Charles


RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Elias Abou Zeid
Hi,

Just out for sake of completeness. On FreeRADIUS Version 1.1.7

I tried both User-Password == "test" and Cleartext-Password := "test".

They both work fine when the user entry is before the default setting in
the users file.

Just to let you know.

Elias


-Original Message-
From:
freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.o
rg
[mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.free
radius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: June-17-09 4:09 AM
To: FreeRadius users mailing list
Subject: Re: [rad] RE: Free Radius users record samples for
SmartEdge router subscriber authentication.

Hi,

> I still suggest:
>
>> abc     User-Password == "test"

that is wrong. wrong and wrong


Elias, please put your entry at the top of the users file - or remove
the 

DEFAULT Auth-Type == System

from your config (this forces the server to always use 'system' auth
- which you really don't want)

alan


Re: SSH authentication with radius server fails if the user does not exist in radius client

2009-06-17 Thread Ivan Kalik
> So it looks like the radius client is not sending the password to radius
> server if the user does not exist in local machine.

Yes, that's how PAM works. It can't authenticate users that don't exist
locally (think about it - if user/group is not defined locally what will
user be able to access on the machine). Nothing to do with radius.

Ivan Kalik
Kalik Informatika ISP



SSH authentication with radius server fails if the user does not exist in radius client

2009-06-17 Thread kpani

Hi,
I am trying to authenticate ssh logins using a radius server running on another
linux machine.

I added a new user in /usr/local/etc/raddb/users of the radius server.

Now when I ssh to the radius client, the radius server denies the request and
says 'Password doesn't match'. But I gave the right password. If I add the new
user on the radius client machine, then when I ssh, the server accepts and
authenticates the request.

So it looks like the radius client is not sending the password to the radius
server if the user does not exist on the local machine.

Do I need to configure anything in the client or server to skip the local
machine user check? Please help me to solve this issue.

Thanks in advance.

Regards,
Dhandapani


Re: mysql errors when running freeradius

2009-06-17 Thread Ivan Kalik
> I thought that the dialup.conf was linked to the 'nas' table . . . .
>
> I've re-added it and it just brings up errors to do with the nas table
> again, which I deleted and told not to look at with readclients.

Don't delete things from sql.conf. Put back:


  # Table to keep radius client info
  nas_table = "nas"

Just don't read any clients from it. If you want to read clients from it
create the table with nas.sql.

Ivan Kalik
Kalik Informatika ISP



Re: mysql errors when running freeradius

2009-06-17 Thread Marinko Tarlac
create nas table and leave it empty. add client in clients.conf

you have all you will need inside clients.conf... just delete comments and
enter your own IP address(es) and secret.



On Wed, Jun 17, 2009 at 3:19 PM, JamesWhetherly
wrote:

>
> I thought that the dialup.conf was linked to the 'nas' table . . . .
>
> I've re-added it and it just brings up errors to do with the nas table
> again, which I deleted and told not to look at with readclients.
>
> radiusd -X debug:
>
> linux-6pfg:/home/james # radiusd -X
> FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on Dec  3
> 2008
> at 10:47:13
> Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/modules/
> including configuration file /etc/raddb/modules/attr_rewrite
> including configuration file /etc/raddb/modules/pam
> including configuration file /etc/raddb/modules/pap
> including configuration file /etc/raddb/modules/smbpasswd
> including configuration file /etc/raddb/modules/ldap
> including configuration file /etc/raddb/modules/mac2ip
> including configuration file /etc/raddb/modules/linelog
> including configuration file /etc/raddb/modules/detail.log
> including configuration file /etc/raddb/modules/always
> including configuration file /etc/raddb/modules/logintime
> including configuration file /etc/raddb/modules/policy
> including configuration file /etc/raddb/modules/acct_unique
> including configuration file /etc/raddb/modules/preprocess
> including configuration file /etc/raddb/modules/sradutmp
> including configuration file /etc/raddb/modules/ippool
> including configuration file /etc/raddb/modules/mschap
> including configuration file /etc/raddb/modules/inner-eap
> including configuration file /etc/raddb/modules/expiration
> including configuration file /etc/raddb/modules/radutmp
> including configuration file /etc/raddb/modules/sql_log
> including configuration file /etc/raddb/modules/krb5
> including configuration file /etc/raddb/modules/attr_filter
> including configuration file /etc/raddb/modules/detail
> including configuration file /etc/raddb/modules/counter
> including configuration file /etc/raddb/modules/wimax
> including configuration file /etc/raddb/modules/files
> including configuration file /etc/raddb/modules/mac2vlan
> including configuration file /etc/raddb/modules/checkval
> including configuration file /etc/raddb/modules/echo
> including configuration file /etc/raddb/modules/unix
> including configuration file /etc/raddb/modules/expr
> including configuration file /etc/raddb/modules/digest
> including configuration file /etc/raddb/modules/chap
> including configuration file /etc/raddb/modules/passwd
> including configuration file /etc/raddb/modules/realm
> including configuration file /etc/raddb/modules/detail.example.com
> including configuration file /etc/raddb/modules/etc_group
> including configuration file /etc/raddb/modules/exec
> including configuration file /etc/raddb/eap.conf
> including configuration file /etc/raddb/sql.conf
> including configuration file /etc/raddb/sql/mysql/dialup.conf
> WARNING: No such configuration item nas_table
> /etc/raddb/sql/mysql/dialup.conf[65]: Reference "SELECT id, nasname,
> shortname, type, secret FROM ${nas_table}" not found
> Errors reading /etc/raddb/radiusd.conf
>

Re: mysql errors when running freeradius

2009-06-17 Thread Alan DeKok
JamesWhetherly wrote:
> I thought that the dialup.conf was linked to the 'nas' table . . . .

  No.

> I've re-added it and it just brings up errors to do with the nas table
> again, which I deleted and told not to look at with readclients. 

  Could you *please* stop breaking the configuration?  Don't "delete"
the reference to the nas table.  Don't "re-add" the reference.  Use the
*default* configuration.  It *works*.

> radiusd -X debug:
...
> including configuration file /etc/raddb/sql/mysql/dialup.conf
> WARNING: No such configuration item nas_table
> /etc/raddb/sql/mysql/dialup.conf[65]: Reference "SELECT id, nasname,
> shortname, type, secret FROM ${nas_table}" not found

  You've edited the sql.conf file, and broken the server.  Don't do
that.  Really.  We've told you *many* times what to do.  You're still
not following instructions.  You're still doing *extra* work that is
breaking the system.

  Really.  If you had simply done the *minimum* amount of work, *as
instructed*, it would work by now.  Every random change you make takes
you further away from a working configuration.

  It also wastes your time, and ours.

  Alan DeKok.


RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Elias Abou Zeid
Alan,

It worked after I put my user entry before DEFAULT Auth-Type == System.

Thanks for your help,
Elias
-Original Message-
From:
freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.o
rg
[mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.free
radius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: June-17-09 4:09 AM
To: FreeRadius users mailing list
Subject: Re: [rad] RE: Free Radius users record samples for
SmartEdge router subscriber authentication.

Hi,

> I still suggest:
>
>> abc     User-Password == "test"

that is wrong. wrong and wrong


Elias, please put your entry at the top of the users file - or remove
the 

DEFAULT Auth-Type == System

from your config (this forces the server to always use 'system' auth
- which you really don't want)

alan


Re: mysql errors when running freeradius

2009-06-17 Thread JamesWhetherly

I thought that the dialup.conf was linked to the 'nas' table . . . .

I've re-added it and it just brings up errors to do with the nas table
again, which I deleted and told not to look at with readclients. 

radiusd -X debug:

linux-6pfg:/home/james # radiusd -X
FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on Dec  3 2008
at 10:47:13
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
WARNING: No such configuration item nas_table
/etc/raddb/sql/mysql/dialup.conf[65]: Reference "SELECT id, nasname,
shortname, type, secret FROM ${nas_table}" not found
Errors reading /etc/raddb/radiusd.conf



RE: radclient: no response from server ... please help newbie.

2009-06-17 Thread Gregory Machin
From: freeradius-users-bounces+gregorym=techconcepts.co...@lists.freeradius.org 
[freeradius-users-bounces+gregorym=techconcepts.co...@lists.freeradius.org] On 
Behalf Of Ivan Kalik [...@kalik.net]
Sent: Wednesday, June 17, 2009 1:57 PM
To: FreeRadius users mailing list
Subject: Re: radclient: no response from server ... please help newbie.

>> I'm using the following stack FreeRADIUS Version 2.1.3 with
>> coova-chilli-1.0.13  with Daloradius .
>>
>>
>> I'm having issues with sending POD from Daloradius and radclient via the
>> command line
>
> Send it to NAS (coova-chilli), not radius server.
>
> Ivan Kalik
> Kalik Informatika ISP



The whole stack is running on the same server. I have tried to send it to the 
chilli ports with the same results..

Thanks




Re: use_tunneled_reply has no effect

2009-06-17 Thread A . L . M . Buxey
Hi,

> I thought the outer-tunnel is set up to secure the connection between the
> user and the authentication server. So the Authentication has access to
> the unencrypted data which it in turn queries proxies to verify the
> received credentials; this data is encrypted using the home-server shared 
> key. Please enlighten me if this is not correct.

the outer identity is used to identify (and can be anonymous - the RFC states
it should be blank ie @realm.com rather than anonym...@realm.com)
the user that is requesting the service - so that the packets can
be sent to the correct end server via proxy methods before the inner
tunnel can be created (which uses the RADIUS certificate etc to create
a secure tunnel through the proxied path)

authentication can never occur on outer id/outer tunnel. well, it could
if you just didn't care about security, didn't use passwords and
didn't have any kind of EAP ;-) 

don't forget, the user never does anything. the packets get sent
via 802.1X to the NAS (RADIUS client) which in turn passes the
RADIUS packets to the RADIUS server (which then proxies etc if
needed). the NAS will never talk directly to the final AAA RADIUS  -
the communication is always passed through the proxy chain.

alan


Re: radclient: no response from server ... please help newbie.

2009-06-17 Thread Ivan Kalik
> I'm using the following stack FreeRADIUS Version 2.1.3 with
> coova-chilli-1.0.13  with Daloradius .
>
>
> I'm having issues with sending POD from Daloradius and radclient via the
> command line

Send it to NAS (coova-chilli), not radius server.

Ivan Kalik
Kalik Informatika ISP

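To make Ivan's point concrete: a Disconnect-Request (RFC 5176) is answered by the NAS that owns the session, and both directions are bound to the shared secret by an authenticator, so a listener that is not the NAS has nothing to answer with. The Python below is an added example, not radclient or coova-chilli code. It builds the request radclient sent in this thread (`User-Name = "TC-Demo"`, secret `test123`), models a NAS (`nas_handle_disconnect`, a constructed stand-in holding its sessions in a set) that validates the Request Authenticator and replies with Disconnect-ACK or Disconnect-NAK, and verifies the reply on the client side the way radclient must before it reports a result.

```python
import hashlib
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 packet codes
ATTR_USER_NAME, ATTR_ERROR_CAUSE = 1, 101                         # RFC 2865 / RFC 5176 attribute types
ERROR_SESSION_CONTEXT_NOT_FOUND = 503                             # RFC 5176 Error-Cause value
SECRET = b"test123"  # the secret the radclient command in this thread passes; constructed NAS uses the same


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1), Length (1, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_avps(data: bytes) -> list:
    avps = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        avps.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return avps


def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    """RADIUS header: Code (1), Identifier (1), Length (2), Authenticator (16), then attributes."""
    body = b"".join(encode_avp(t, v) for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def request_authenticator(code: int, ident: int, attrs: list, secret: bytes) -> bytes:
    """RFC 5176 section 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(build_packet(code, ident, b"\x00" * 16, attrs) + secret).digest()


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: list, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), as for any RADIUS reply."""
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()


def client_build_disconnect(ident: int, user_name: str, secret: bytes = SECRET) -> bytes:
    """What 'echo User-Name=... | radclient ... disconnect' puts on the wire."""
    attrs = [(ATTR_USER_NAME, user_name.encode())]
    auth = request_authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    return build_packet(DISCONNECT_REQUEST, ident, auth, attrs)


def nas_handle_disconnect(packet: bytes, active_sessions: set, secret: bytes = SECRET):
    """Constructed NAS side.  Returns the reply packet, or None when the request must be
    silently discarded (wrong code, bad length, or an authenticator that does not verify)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    auth, attrs = packet[4:20], decode_avps(packet[20:])
    if auth != request_authenticator(code, ident, attrs, secret):
        return None  # RFC 5176: discard on authenticator mismatch; the sender sees "no response"
    user = next((v.decode() for t, v in attrs if t == ATTR_USER_NAME), None)
    if user in active_sessions:
        active_sessions.discard(user)
        reply_code, reply_attrs = DISCONNECT_ACK, []
    else:
        reply_code = DISCONNECT_NAK
        reply_attrs = [(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND))]
    reply_auth = response_authenticator(reply_code, ident, auth, reply_attrs, secret)
    return build_packet(reply_code, ident, reply_auth, reply_attrs)


def client_verify_reply(request: bytes, reply, secret: bytes = SECRET) -> str:
    """Client side: accept a reply only if its ID matches and the Response Authenticator
    verifies under the shared secret against the request we sent."""
    if reply is None:
        return "no response"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return "mismatch"
    if reply[4:20] != response_authenticator(code, ident, request[4:20], decode_avps(reply[20:]), secret):
        return "bad authenticator"
    return {DISCONNECT_ACK: "Disconnect-ACK", DISCONNECT_NAK: "Disconnect-NAK"}.get(code, "unexpected code")


if __name__ == "__main__":
    sessions = {"TC-Demo"}
    req = client_build_disconnect(114, "TC-Demo")
    print(client_verify_reply(req, nas_handle_disconnect(req, sessions)))  # Disconnect-ACK
    print(client_verify_reply(req, nas_handle_disconnect(req, sessions)))  # Disconnect-NAK (session gone)
```

The same Request Authenticator check is what makes a wrong shared secret, or a tampered attribute, look exactly like the "no response from server" in the thread: the receiver drops the packet and the client retries until `-r` is exhausted.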


Re: radclient: no response from server ... please help newbie.

2009-06-17 Thread Nicolas Goutte


On 17.06.2009 at 13:43, Gregory Machin wrote:

> Hi
> Please could someone help a newbie ...
>
> I'm using the following stack FreeRADIUS Version 2.1.3 with coova-chilli-1.0.13 with Daloradius .
>
> I'm having issues with sending POD from Daloradius and radclient via the command line
>
> [r...@localhost ~]# echo "User-Name='TC-Demo'" | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1700' 'disconnect' 'test123' 2>&1
> Sending Disconnect-Request of id 114 to 192.168.11.1 port 1700
> User-Name = "TC-Demo"
> ^X^C
> [r...@localhost ~]# echo "User-Name='TC-Demo'" | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1814' 'disconnect' 'test123' 2>&1
> Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
> User-Name = "TC-Demo"
> Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
> User-Name = "TC-Demo"
> Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
> User-Name = "TC-Demo"
> radclient: no response from server for ID 77 socket 3
> [r...@localhost ~]# echo "User-Name='TC-Demo'" | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1813' 'disconnect' 'test123' 2>&1
> Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
> User-Name = "TC-Demo"
> Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
> User-Name = "TC-Demo"
> Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
> User-Name = "TC-Demo"
> radclient: no response from server for ID 215 socket 3
> [r...@localhost ~]# echo "User-Name='TC-Demo'" | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1812' 'disconnect' 'test123' 2>&1
> Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
> User-Name = "TC-Demo"
> Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
> User-Name = "TC-Demo"
> Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
> User-Name = "TC-Demo"
> radclient: no response from server for ID 168 socket 3
>
> The server is listening on all the ports I have tried ..
>
> r...@localhost ~]# netstat -antup | grep rad
> udp        0      0 0.0.0.0:1812            0.0.0.0:*                           2461/radiusd
> udp        0      0 0.0.0.0:1813            0.0.0.0:*                           2461/radiusd
> udp        0      0 0.0.0.0:1814            0.0.0.0:*                           2461/radiusd
>
> What have I missed ...

Do you know (via tcpdump, wireshark or so) that the packets do arrive
on the computer where Freeradius runs? If not, check firewall settings
of both computers and of anything that might be between.

Have a nice day!

> Regards
> Gregory Machin
> Email: gmac...@techconcepts.co.za
> Cell:   +27 (0) 72 524 5098
> gtalk:  gmachin.techconce...@gmail.com
> Support
> helpd...@techconcepts.co.za
> Tel: +27 (0) 11 803 2169
> Fax: +27 (0) 11 803 2189
> After Hours
> Cell:+27 (0) 82 790 0796


Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: use_tunneled_reply has no effect

2009-06-17 Thread Xiwen Cheng
On Wed, Jun 17, 2009 at 01:23:57PM +0200, Stefan Winter wrote:
> The whole concept of inner tunneling and protecting it via TLS is
> *because* you are *not* supposed to see the actual authentication
> credentials. For your local users, you terminate the tunnel yourself and
> can decide to expose the information by uncommenting the above, but for
> non-local users it is supposed to not work.
> 
> Outer anonymous identities preserve privacy of the (remote) user
> authenticating. If you want to change that, you need a business
> agreement with the remote party to disclose their user information to you.
> 
> Taking a peek at your mail domain name: if you are about to set up
> eduroam - there is no automated disclosure of the inner identity in
> eduroam. There is a process to ask the identity provider (IdP)
> retroactively *if and when* the user has done something wrong and needs
> to be traced. But there is no proactive information disclosure - or
> better put, it's in the discretion of the IdP to tell the rest of the
> world who his user is; unsurprisingly most IdPs opt not to do so, if for
> no other reason than to evade privacy and data protection laws.

Yes, I am aware privacy is a concern. As I am doing some tests, I
thought it would be easier to debug if there's a way to relate a request
to a proxied username. This is technically not possible or it's more a 
political matter?

I thought the outer-tunnel is set up to secure the connection between the
user and the authentication server. So the Authentication has access to
the unencrypted data which it in turn queries proxies to verify the
received credentials; this data is encrypted using the home-server shared 
key. Please enlighten me if this is not correct.

Best regards,
Xiwen



radclient: no response from server ... please help newbie.

2009-06-17 Thread Gregory Machin
Hi 
Please could someone help a newbie ...

I'm using the following stack: FreeRADIUS Version 2.1.3 with coova-chilli-1.0.13
with Daloradius.


I'm having issues with sending POD from Daloradius and radclient via the 
command line

[r...@localhost ~]# echo "User-Name='TC-Demo'" | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1700' 'disconnect' 'test123' 2>&1
Sending Disconnect-Request of id 114 to 192.168.11.1 port 1700
User-Name = "TC-Demo"
^X^C
[r...@localhost ~]# echo "User-Name='TC-Demo'" | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1814' 'disconnect' 'test123' 2>&1
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = "TC-Demo"
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = "TC-Demo"
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = "TC-Demo"
radclient: no response from server for ID 77 socket 3
[r...@localhost ~]# echo "User-Name='TC-Demo'" | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1813' 'disconnect' 'test123' 2>&1
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = "TC-Demo"
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = "TC-Demo"
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = "TC-Demo"
radclient: no response from server for ID 215 socket 3
[r...@localhost ~]# echo "User-Name='TC-Demo'" | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1812' 'disconnect' 'test123' 2>&1
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = "TC-Demo"
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = "TC-Demo"
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = "TC-Demo"
radclient: no response from server for ID 168 socket 3


The server is listening on all the ports I have tried ..

r...@localhost ~]# netstat -antup | grep rad
udp        0      0 0.0.0.0:1812            0.0.0.0:*                           2461/radiusd
udp        0      0 0.0.0.0:1813            0.0.0.0:*                           2461/radiusd
udp        0      0 0.0.0.0:1814            0.0.0.0:*                           2461/radiusd


What have I missed ...



Regards
Gregory Machin
Email: gmac...@techconcepts.co.za
Cell:   +27 (0) 72 524 5098
gtalk:  gmachin.techconce...@gmail.com
Support
helpd...@techconcepts.co.za
Tel: +27 (0) 11 803 2169
Fax: +27 (0) 11 803 2189
After Hours
Cell:+27 (0) 82 790 0796 




Re: mysql errors when running freeradius

2009-06-17 Thread Ivan Kalik
...
> including configuration file /etc/raddb/sql.conf
> including configuration file /etc/raddb/sql/mysql/counter.conf
...

You have done something to sql.conf. It didn't include dialup.conf.

Ivan Kalik
Kalik Informatika ISP



Re: Robust proxy accounting

2009-06-17 Thread Alan DeKok
Chris Howley wrote:
> I can confirm that the change made to the event.c file fixed the problem
> with the robust proxy accounting. 

  That's great news!

> Many thanks for your help.

  And thanks for spending the time to not only debug it, but provide
useful feedback.

  Alan DeKok.


Re: use_tunneled_reply has no effect

2009-06-17 Thread Stefan Winter
Hi,

> After uncommenting that in inner-tunnel, I see local users authenticated
> by the LOCAL auth called outer.reply. But this is not the case for
> external users(Realm handled by external proxy).
>
> The latter is what I really want: being able to see which external user
> is authenticating. 

The whole concept of inner tunneling and protecting it via TLS is
*because* you are *not* supposed to see the actual authentication
credentials. For your local users, you terminate the tunnel yourself and
can decide to expose the information by uncommenting the above, but for
non-local users it is supposed to not work.

> As we are not doing Accounting, isn't it possible to
> move the outer.reply higher up in the stack? Or it shouldn't matter?
>   

Outer anonymous identities preserve privacy of the (remote) user
authenticating. If you want to change that, you need a business
agreement with the remote party to disclose their user information to you.

Taking a peek at your mail domain name: if you are about to set up
eduroam - there is no automated disclosure of the inner identity in
eduroam. There is a process to ask the identity provider (IdP)
retroactively *if and when* the user has done something wrong and needs
to be traced. But there is no proactive information disclosure - or
better put, it's in the discretion of the IdP to tell the rest of the
world who his user is; unsurprisingly most IdPs opt not to do so, if for
no other reason than to evade privacy and data protection laws.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Robust proxy accounting

2009-06-17 Thread Chris Howley
Alan & Ivan,

I can confirm that the change made to the event.c file fixed the problem
with the robust proxy accounting. 

Many thanks for your help.

Chris



Re: mysql errors when running freeradius

2009-06-17 Thread Alan DeKok
JamesWhetherly wrote:
> linux-6pfg:/home/james # radiusd -X
...
>  Module: Linked to module rlm_sql
>  Module: Instantiating sql

  Ok, it's there...

>   sql {
...
>   authorize_check_query = ""
>   authorize_group_check_query = ""
>   authorize_group_reply_query = ""
>   accounting_onoff_query = ""
>   accounting_update_query = ""
>   accounting_update_query_alt = ""
>   accounting_start_query = ""
>   accounting_start_query_alt = ""
>   accounting_stop_query = ""
>   accounting_stop_query_alt = ""
>   connect_failure_retry_delay = 60
>   simul_count_query = ""
>   simul_verify_query = ""
>   postauth_query = ""

  Uh... the queries are all blank.  Why have you done that?

  Again, the default configuration requires *minimal* editing to get it
to work.  The only time the queries are empty is when you edit sql.conf,
and *delete* the line saying:

$INCLUDE sql/${database}/dialup.conf

  Why did you do that?

  Alan DeKok.
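The symptom Alan points at (every *_query setting printed as an empty string, followed later by rlm_sql expanding an empty query and rejecting the user) is easy to spot mechanically in a `radiusd -X` transcript. The script below is an added example, not code from this thread or from the FreeRADIUS project: it scans a debug transcript for blank sql query settings and the resulting rejection, and checks a sql.conf fragment for the `$INCLUDE sql/${database}/dialup.conf` line Alan names. The debug transcript and the two sql.conf fragments embedded in it are constructed samples modelled on what is quoted in this thread, and the regular expressions assume the 2.1.x debug output format shown there.

```python
import re

# Constructed sample, modelled on the radiusd -X output quoted in this thread (not a real capture).
SAMPLE_DEBUG = """\
 Module: Linked to module rlm_sql
 Module: Instantiating sql
  sql {
  authorize_check_query = ""
  authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
  accounting_start_query = ""
  connect_failure_retry_delay = 60
  postauth_query = ""
  }
rad_recv: Access-Request packet from host 127.0.0.1 port 49731, id=252, length=59
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand:  ->
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
"""

# Constructed sql.conf fragments: one with the stock include line, one where it was deleted.
SQL_CONF_OK = """
sql {
    database = "mysql"
    readclients = no
    $INCLUDE sql/${database}/dialup.conf
}
"""
SQL_CONF_BROKEN = """
sql {
    database = "mysql"
    readclients = no
}
"""

# A "<name>_query = "<value>"" line as printed by the module instantiation in debug mode.
QUERY_RE = re.compile(r'^\s*(?P<name>[a-z_]+_query(?:_alt)?)\s*=\s*"(?P<value>.*)"\s*$')
# rlm_sql expanding an empty template to an empty string.
EMPTY_EXPAND_RE = re.compile(r'^\[sql\]\s+expand:\s*->\s*$')
QUERY_ERROR_RE = re.compile(r'^\[sql\] Error generating query')
# An active (uncommented) include of the per-database query file.
DIALUP_INCLUDE_RE = re.compile(r'^\s*\$INCLUDE\s+sql/\$\{database\}/dialup\.conf\s*$', re.M)


def blank_sql_queries(debug_text):
    """Names of *_query settings the server printed as an empty string, in order of appearance."""
    blank = []
    for line in debug_text.splitlines():
        m = QUERY_RE.match(line)
        if m and m.group('value') == '':
            blank.append(m.group('name'))
    return blank


def sql_conf_includes_dialup(conf_text):
    """True if sql.conf still has an active $INCLUDE of the dialup.conf query definitions."""
    return DIALUP_INCLUDE_RE.search(conf_text) is not None


def diagnose(debug_text, conf_text):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    lines = debug_text.splitlines()
    blank = blank_sql_queries(debug_text)
    if blank:
        findings.append("%d sql query settings are empty: %s" % (len(blank), ", ".join(blank)))
    if any(EMPTY_EXPAND_RE.match(line) for line in lines):
        findings.append("rlm_sql expanded an empty query template (expand:  -> )")
    if any(QUERY_ERROR_RE.match(line) for line in lines):
        findings.append("rlm_sql rejected a user because it could not build a query")
    if not sql_conf_includes_dialup(conf_text):
        # Plain string on purpose: "${database}" must not be treated as an f-string field.
        findings.append("sql.conf has no active '$INCLUDE sql/${database}/dialup.conf' line; "
                        "restore it from the stock sql.conf")
    return findings


if __name__ == '__main__':
    for finding in diagnose(SAMPLE_DEBUG, SQL_CONF_BROKEN):
        print("-", finding)
```

On a real system, feed it the saved `radiusd -X` output and the contents of /etc/raddb/sql.conf instead of the constructed samples; if the only finding is the missing include, the fix is exactly the one Alan gives.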


Re: mysql errors when running freeradius

2009-06-17 Thread JamesWhetherly

linux-6pfg:/home/james # radiusd -X
FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on Dec  3 2008
at 10:47:13
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating 

Re: mysql errors when running freeradius

2009-06-17 Thread Ivan Kalik
> ok added that new line to radiusd.conf, seems to go through the first
> stages
> of the authorize section, when it comes to the sql part it errors again.
>

Post the debug of the server startup as well.

> Radiusd -X Debug:
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on proxy address * port 1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 49731, id=252,
> length=59
>   User-Name = "sqltest"
>   User-Password = "testpwd"
>   NAS-IP-Address = 127.0.0.2
>   NAS-Port = 1812
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "sqltest", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> rlm_sql (sql): Reserving sql socket id: 4
> [sql] expand:  ->
> [sql] Error generating query; rejecting user
> rlm_sql (sql): Released sql socket id: 4
> ++[sql] returns fail
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]   expand: %{User-Name} -> sqltest
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 252 to 127.0.0.1 port 49731
> Waking up in 4.9 seconds.

Ivan Kalik
Kalik Informatika ISP



Re: mysql errors when running freeradius

2009-06-17 Thread JamesWhetherly

OK, added that new line to radiusd.conf. It seems to go through the first stages
of the authorize section, but when it comes to the sql part it errors again.

Radiusd -X Debug:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 49731, id=252,
length=59
User-Name = "sqltest"
User-Password = "testpwd"
NAS-IP-Address = 127.0.0.2
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sqltest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand:  -> 
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> sqltest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 252 to 127.0.0.1 port 49731
Waking up in 4.9 seconds.
Cleaning up request 0 ID 252 with timestamp +10
Ready to process requests.



Re: use_tunneled_reply has no effect

2009-06-17 Thread Xiwen Cheng
On Wed, Jun 17, 2009 at 10:48:07AM +0100, Ivan Kalik wrote:
> This is already present in post-auth in latest version (after a lengthy
> explanation):
> 
>   #update outer.reply {
>   #  User-Name = "%{request:User-Name}"
>   #}

After uncommenting that in inner-tunnel, I see local users authenticated
by the LOCAL auth called outer.reply. But this is not the case for
external users (realm handled by an external proxy).

The latter is what I really want: being able to see which external user
is authenticating. As we are not doing Accounting, isn't it possible to
move the outer.reply higher up in the stack? Or it shouldn't matter?


Kind regards,
xiwen




Re: mysql errors when running freeradius

2009-06-17 Thread A . L . M . Buxey
Hi,

> have checked radiusd.conf and it has the line $INCLUDE sites-enabled at the

wrong.

$INCLUDE ${confdir}/sites-enabled/

and then make sure you have some files in there (usually
symlinks to the files in sites-available directory)

alan
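As an added example (not from this thread or from the FreeRADIUS project), here is a Python check for the sites-enabled setup Alan describes: an active `$INCLUDE` of the sites-enabled/ directory with its trailing slash, and real files or non-dangling symlinks inside it. The trailing slash matters because FreeRADIUS treats an `$INCLUDE` path without one as a single file, which is why the debug output earlier in this thread said "including configuration file /etc/raddb/sites-enabled" rather than "including files in directory". The raddb layout the helper builds under a temporary directory is constructed for the example; the include-line regex accepts both `${confdir}/sites-enabled/` and the shorter relative form.

```python
import os
import re
import sys
import tempfile

# An active $INCLUDE of the sites-enabled directory; the trailing slash is required.
SITES_INCLUDE_RE = re.compile(r'^\s*\$INCLUDE\s+(?:\$\{confdir\}/)?sites-enabled/\s*$', re.M)


def check_sites_enabled(raddb):
    """Return a list of problems with the virtual-server setup under raddb; [] means it looks sane."""
    problems = []
    conf_path = os.path.join(raddb, 'radiusd.conf')
    try:
        with open(conf_path) as f:
            conf = f.read()
    except OSError:
        return ["cannot read %s" % conf_path]
    if not SITES_INCLUDE_RE.search(conf):
        problems.append("radiusd.conf has no active '$INCLUDE ${confdir}/sites-enabled/' line "
                        "(note the trailing slash: without it the path is read as one file)")
    enabled = os.path.join(raddb, 'sites-enabled')
    if not os.path.isdir(enabled):
        problems.append("%s is missing or not a directory" % enabled)
        return problems
    entries = sorted(os.listdir(enabled))
    if not entries:
        problems.append("%s is empty: no virtual servers will be loaded" % enabled)
    for name in entries:
        path = os.path.join(enabled, name)
        # os.path.exists() follows the link, so a dangling symlink shows up as "not existing".
        if os.path.islink(path) and not os.path.exists(path):
            problems.append("%s is a dangling symlink (target %s missing)" % (path, os.readlink(path)))
    return problems


def make_sample_raddb(include_line, with_symlink=True, dangling=False):
    """Build a throwaway raddb layout (constructed for this example) and return its path."""
    raddb = tempfile.mkdtemp(prefix='raddb-')
    os.makedirs(os.path.join(raddb, 'sites-available'))
    os.makedirs(os.path.join(raddb, 'sites-enabled'))
    with open(os.path.join(raddb, 'radiusd.conf'), 'w') as f:
        f.write('prefix = /usr\n' + include_line + '\n')
    if with_symlink:
        target = os.path.join(raddb, 'sites-available', 'default')
        if not dangling:
            with open(target, 'w') as f:
                f.write('server default {\n}\n')
        # The usual layout: sites-enabled/<name> -> sites-available/<name>
        os.symlink(target, os.path.join(raddb, 'sites-enabled', 'default'))
    return raddb


if __name__ == '__main__':
    raddb_dir = sys.argv[1] if len(sys.argv) > 1 else '/etc/raddb'
    for problem in check_sites_enabled(raddb_dir):
        print("-", problem)
```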


Re: mysql errors when running freeradius

2009-06-17 Thread Ivan Kalik
> OK, I have done what you guys have said, which is to not use sql for NASes.
> I deleted the table and changed the readclient line in sql.conf to 'no'. I
> have checked radiusd.conf and it has the line $INCLUDE sites-enabled at the
> end of the file. I have also checked in sites-enabled in the default file:
> any sql sections commented out are open. I am still getting the same "No
> authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user" message. When looking at the debug it doesn't look like
> it's loading up any virtual servers? Are there any other sections that I
> need to change?
>
>
> Radiusd -X:
> linux-6pfg:/home/james # radiusd -X
> FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on Dec  3
> 2008
> at 10:47:13
> Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/modules/
> including configuration file /etc/raddb/modules/attr_rewrite
> including configuration file /etc/raddb/modules/pam
> including configuration file /etc/raddb/modules/pap
> including configuration file /etc/raddb/modules/smbpasswd
> including configuration file /etc/raddb/modules/ldap
> including configuration file /etc/raddb/modules/mac2ip
> including configuration file /etc/raddb/modules/linelog
> including configuration file /etc/raddb/modules/detail.log
> including configuration file /etc/raddb/modules/always
> including configuration file /etc/raddb/modules/logintime
> including configuration file /etc/raddb/modules/policy
> including configuration file /etc/raddb/modules/acct_unique
> including configuration file /etc/raddb/modules/preprocess
> including configuration file /etc/raddb/modules/sradutmp
> including configuration file /etc/raddb/modules/ippool
> including configuration file /etc/raddb/modules/mschap
> including configuration file /etc/raddb/modules/inner-eap
> including configuration file /etc/raddb/modules/expiration
> including configuration file /etc/raddb/modules/radutmp
> including configuration file /etc/raddb/modules/sql_log
> including configuration file /etc/raddb/modules/krb5
> including configuration file /etc/raddb/modules/attr_filter
> including configuration file /etc/raddb/modules/detail
> including configuration file /etc/raddb/modules/counter
> including configuration file /etc/raddb/modules/wimax
> including configuration file /etc/raddb/modules/files
> including configuration file /etc/raddb/modules/mac2vlan
> including configuration file /etc/raddb/modules/checkval
> including configuration file /etc/raddb/modules/echo
> including configuration file /etc/raddb/modules/unix
> including configuration file /etc/raddb/modules/expr
> including configuration file /etc/raddb/modules/digest
> including configuration file /etc/raddb/modules/chap
> including configuration file /etc/raddb/modules/passwd
> including configuration file /etc/raddb/modules/realm
> including configuration file /etc/raddb/modules/detail.example.com
> including configuration file /etc/raddb/modules/etc_group
> including configuration file /etc/raddb/modules/exec
> including configuration file /etc/raddb/eap.conf
> including configuration file /etc/raddb/sql.conf
> including configuration file /etc/raddb/sql/mysql/counter.conf
> including configuration file /etc/raddb/policy.conf
> including configuration file /etc/raddb/sites-enabled
> group = radiusd
> user = radiusd

Check permissions.

Ivan Kalik
Kalik Informatika ISP



Re: use_tunneled_reply has no effect

2009-06-17 Thread Ivan Kalik
> I have searched through the maillinglist archive regarding this matter.
> There was one thread similar to the problem I'm facing with: Have the
> outer-tunnel reply with the user-name specified in the inner-tunnel;
> thus instead of anonym...@some.realm
>
> From this thread:
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-June/msg00576.html
>
> In eap.conf:
> ttls {
>   
>   use_tunneled_reply = yes
>   virtual_server = "inner-tunnel"
> }
>
> In users:
> 
> DEFAULT
>   User-Name = "%{User-Name}",
>   Fall-Through = no
>
> Running radiusd in debug mode, the User-Name attribute remained
> unchanged through out the request session.

This is already present in post-auth in latest version (after a lengthy
explanation):

  #update outer.reply {
  #  User-Name = "%{request:User-Name}"
  #}

Just remove comments.

Ivan Kalik
Kalik Informatika ISP



use_tunneled_reply has no effect

2009-06-17 Thread Xiwen Cheng
I have searched through the mailing list archive regarding this matter.
There was one thread similar to the problem I'm facing: have the
outer-tunnel reply with the user-name specified in the inner-tunnel,
thus instead of anonym...@some.realm

From this thread:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-June/msg00576.html

In eap.conf:
ttls {

use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}

In users:

DEFAULT
User-Name = "%{User-Name}",
Fall-Through = no

Running radiusd in debug mode, the User-Name attribute remained
unchanged throughout the request session.

Best regards,
Xiwen



Re: simultaneous use logging

2009-06-17 Thread Ivan Kalik
> I have setup a custom module to do auth and acct.  In debug mode
> everything appears correct, and responses appear correct.  When I
> don't have radius running in debug mode, responses still appear
> correct, but if auth fails due to simultaneous use, radius is logging
> 'Auth: Login OK'.  Authentication was successful, but the auth request
> failed due to simultaneous use, so it should be logging a failure I
> would think.  Any idea what I might be doing wrong?

If simultaneous checking rejected the user you will have an entry like:

Multiple logins (max 1) : [username]

in radius.log.


Ivan Kalik
Kalik Informatika ISP



Re: [rad] RE: Free Radius users record samples for SmartEdge router subcriberauthentication.

2009-06-17 Thread A . L . M . Buxey
Hi,

> I still suggest:
>
>> abcUser-Password == "test"

that is wrong. wrong and wrong


Elias, please put your entry at the top of the users file - or remove
the 

DEFAULT Auth-Type == System

from your config (this forces the server to always use 'system' auth
- which you really don't want)

alan