Re: LDAP MSCHAP error
Larry Ross wrote:
> Hmm interesting, how were you able to divine that that is how we are storing the hash values...

C programming 101.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Proxying accounting to create a 'tee'
On Sat, Aug 22, 2009 at 7:59 AM, Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
> On 21/08/2009 21:15, John Morrissey wrote:
>> Is decoupled-accounting (writing all detail to disk and replaying it serialized with a detail listener) the only way to configure FreeRADIUS to respond to the NAS?
>
> Yes. Otherwise it'll wait for the response from the proxy server, and proxy the Accounting-Response from the proxy server back to the NAS. It's the only way the NAS could be sure the remote server received the Accounting-Request.

In that setup, where does one get AcctStartTime and AcctStopTime values?
- is it from the NAS?
- is it determined by the radius when writing to detail file, and everything after that simply reads what's in the detail file?
- Or does every radius/SQL server involved create its own depending on when it receives the packet/query?

--
Fajar
Re: Accounting Exec-Program
David Rodríguez Fernández wrote:
> Hi list. The accounting is working, the radius server stores the accounting data in files, but doesn't execute my script. This script was working with a previous version of freeradius. I'm missing some configuration parameter, but I don't know what.

Have you listed exec in the accounting section? It's that way in the default configuration.

Alan DeKok.
Re: Proxying accounting to create a 'tee'
Fajar A. Nugraha wrote:
> On Sat, Aug 22, 2009 at 7:59 AM, Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
>> On 21/08/2009 21:15, John Morrissey wrote:
>>> Is decoupled-accounting (writing all detail to disk and replaying it serialized with a detail listener) the only way to configure FreeRADIUS to respond to the NAS?
>>
>> Yes. Otherwise it'll wait for the response from the proxy server, and proxy the Accounting-Response from the proxy server back to the NAS. It's the only way the NAS could be sure the remote server received the Accounting-Request.
>
> In that setup, where does one get AcctStartTime and AcctStopTime values?
> - is it from the NAS?

Yes. As in any other setup.

Ivan Kalik
Kalik Informatika ISP
Re: LDAP MSCHAP error
I don't want to receive any email from freeradius-users@lists.freeradius.org . plss

--- On Fri, 8/21/09, Alan DeKok al...@deployingradius.com wrote:
> From: Alan DeKok al...@deployingradius.com
> Subject: Re: LDAP MSCHAP error
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Date: Friday, August 21, 2009, 11:35 PM
>
> Larry Ross wrote:
>> Hmm interesting, how were you able to divine that that is how we are storing the hash values...
>
> C programming 101.
>
> Alan DeKok.
I don't want to receive any email from freeradius-users@lists.freeradius.org
I don't want to receive any email from freeradius-users@lists.freeradius.org How can I do for this? Pls help.
Re: I don't want to receive any email from freeradius-users@lists.freeradius.org
Mai Khai Hung wrote:
> I don't want to receive any email from freeradius-users@lists.freeradius.org How can I do for this?

Read the URL at the bottom of EVERY message on the list. It's not hard.

> Pls help.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Proxying accounting to create a 'tee'
Fajar A. Nugraha wrote:
> On Sat, Aug 22, 2009 at 7:59 AM, Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
>> On 21/08/2009 21:15, John Morrissey wrote:
>>> Is decoupled-accounting (writing all detail to disk and replaying it serialized with a detail listener) the only way to configure FreeRADIUS to respond to the NAS?
>>
>> Yes. Otherwise it'll wait for the response from the proxy server, and proxy the Accounting-Response from the proxy server back to the NAS. It's the only way the NAS could be sure the remote server received the Accounting-Request.
>
> In that setup, where does one get AcctStartTime and AcctStopTime values?

The RADIUS server records the amount of delay between the packet being received and the packet being entered into the database, you then have to compensate for this (you should be already) when you read Accounting-Sessions out of the database.

The attribute it uses is Acct-Delay-Time, and it's a simple sum of the received Acct-Delay-Time and how much time has passed since the request was written to the detail file.

To calculate the real AcctStartTime and AcctStopTime, you may use the following SQL snippets:

    (UNIX_TIMESTAMP(`acctstarttime`) - `acctstartdelay`) as 'acctstartadj'
    (UNIX_TIMESTAMP(`acctstoptime`) - `acctstopdelay`) as 'acctstopadj'

Or just use whatever functions are available in your scripting environment.

> - is it from the NAS?

No, the NAS doesn't include any timestamps. There is no guarantee that the NAS's clock would be in sync. Including an Acct-Delay-Time attribute means that timestamps are calculated using a common reference (the local time on the server).

> - is it determined by the radius when writing to detail file, and everything after that simply reads what's in the detail file?

When the packet is written to the detail file, an attribute is written along with the request attributes (I think it's something like Packet-Original-Timestamp), this is subtracted from the current time and added to the original Acct-Delay-Time value.

> - Or does every radius/SQL server involved create its own depending on when it receives the packet/query?

RADIUS server creates its own.
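An added illustration of the delay arithmetic described in the message above; it is not part of the original thread and is not FreeRADIUS code. The detail records are constructed samples, and the `Timestamp` attribute name and all function names are assumptions.

```python
import re

# Constructed sample of two detail-file records (not taken from the thread).
# Assumption: each record carries a "Timestamp" line holding the Unix time at
# which the server wrote it; the post itself is unsure of the attribute name.
DETAIL = """\
Sat Aug 22 07:59:00 2009
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0001"
\tAcct-Delay-Time = 5
\tTimestamp = 1250927940

Sat Aug 22 08:29:10 2009
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0001"
\tTimestamp = 1250929750
"""

PAIR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?$')

def parse_detail(text):
    """Split on blank lines; return one attribute dict per record."""
    records = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines()[1:]:      # first line is the date header
            m = PAIR.match(line)
            if m:
                attrs[m.group(1)] = m.group(2)
        records.append(attrs)
    return records

def replay(attrs, now):
    """Acct-Delay-Time to send onward when the record is replayed at `now`."""
    received = int(attrs.get("Acct-Delay-Time", 0))   # absent means no delay
    queued = now - int(attrs["Timestamp"])            # time spent on disk
    if queued < 0:
        raise ValueError("record timestamp is in the future; check clocks")
    return received + queued

def session_times(text, now):
    """Map (session id, status type) to the delay-adjusted event time."""
    out = {}
    for rec in parse_detail(text):
        delay = replay(rec, now)
        key = (rec["Acct-Session-Id"], rec["Acct-Status-Type"])
        # Same arithmetic as the SQL snippets: insert time minus stored delay.
        out[key] = now - delay
    return out
```

Replaying the same file at two different times gives the same adjusted start and stop times, which is why the stored delay has to be subtracted when sessions are read back out of the database.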
Re: CoA-Ack and radclient/radiusd
Alan DeKok wrote:
> Anton G. wrote:
>> I have a strange problem with CoA-Ack receive
>
> Which version of the software are you using?

git/stable from Aug 13 10:07 GMT

> It works for me with the latest git stable tree...

get today git/stable and tried - same result.. (

Alan, can you please provide me some tips to do further debug of this?

Not mentioning radiusd CoA, i`m pretty puzzled why radclient doesn`t want to handle CoA-ACK from nas..

    some# /usr/local/bin/radclient -t20 -r 1 -c 1 -f ./coa.rad -x 10.200.27.3:1700 coa su29
    Sending CoA-Request of id 223 to 10.200.27.3 port 1700
        User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
        ERX-Virtual-Router-Name = default:vrf_nat1
        Framed-IP-Address = 10.200.27.42
        ERX-Service-Activate:2 = setmv(10.200.27.42,00:0e:0c:b9:31:41,vrf_nat1)
        ERX-Service-Timeout:2 = 20
    rad_recv: CoA-ACK packet from host 10.200.27.3 port 1700, id=223, length=20
    radclient: received response to request we did not send. (id=223 socket 3)
    radclient: no response from server for ID 223 socket 3
    some#

tcpdump and radsniff didn`t show anything strange

    some# radsniff -x -I /home/ak/coa.dump -f udp
    PCAP filter: [udp]
    RADIUS secret: [testing123]
    CoA-Request Id 223 10.200.3.4:56318 - 10.200.27.3:1700(1 packets) +0.000
        User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
        ERX-Virtual-Router-Name = default:vrf_nat1
        Framed-IP-Address = 10.200.27.42
        ERX-Service-Activate:2 = setmv(10.200.27.42,00:0e:0c:b9:31:41,vrf_nat1)
        ERX-Service-Timeout:2 = 20
    CoA-ACK Id 223 10.200.27.3:1700 - 10.200.3.4:56318(2 packets) +7.069
    Done sniffing
    some#
Re: MSChap via ntlm_auth problem
Hi,

I try to move samba's ntlm_auth program and replace it by simple shell script:

    #!/bin/sh
    echo Test!

But NOTHING CHANGED! I think, radius don't call ntlm_auth program, but I don't know why.

Thanks,
Anton

2009/8/20 Anton Brinyov anton.brin...@gmail.com:
> Here are my sites-enabled/default and sites-enabled/inner-tunnel files.
>
> Thanks,
> Anton
>
> 2009/8/19 Alan Buxey a.l.m.bu...@lboro.ac.uk:
>> Hi,
>>> I have another freeradius host (freeradius 2.1.3) with the same authentication scheme. I look at debug output on it:
>>>
>>> Found Auth-Type = MSCHAP
>>> +- entering group MS-CHAP {...}
>>> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
>>> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
>>> [mschap] Told to do MS-CHAPv2 for BAS with NT-Password
>>> [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details
>>> [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details
>>> [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} - --username=BAS
>>> [mschap] mschap2: bb
>>> [mschap] expand: --challenge=%{mschap:Challenge:-00} - --challenge=205180e1818e1214
>>> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} - --nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78
>>> Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD
>>> Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD
>>> Exec-Program: returned: 0
>>> [mschap] adding MS-CHAPv2 MPPE keys
>>> ++[mschap] returns ok
>>>
>>> ntlm_auth commands is the same on both hosts. The difference is Exec-Program output: Why?
>>
>> your previous emails only listed the mschap module and radiusd.conf - but not the sites-enabled/default or sites-enabled/inner-tunnel files.
>>
>> alan
Re: MSChap via ntlm_auth problem
Oh! I notice in /var/log/messages follow line after each auth attempt:

    Aug 22 18:28:33 gate1 kernel: pid 78473 (radiusd), uid 133: exited on signal 12

Thanks,
Anton

2009/8/22 Anton Brinyov anton.brin...@gmail.com:
> Hi,
>
> I try to move samba's ntlm_auth program and replace it by simple shell script:
>
>     #!/bin/sh
>     echo Test!
>
> But NOTHING CHANGED! I think, radius don't call ntlm_auth program, but I don't know why.
>
> Thanks,
> Anton
>
> 2009/8/20 Anton Brinyov anton.brin...@gmail.com:
>> Here are my sites-enabled/default and sites-enabled/inner-tunnel files.
>>
>> Thanks,
>> Anton
>>
>> 2009/8/19 Alan Buxey a.l.m.bu...@lboro.ac.uk:
>>> Hi,
>>>> I have another freeradius host (freeradius 2.1.3) with the same authentication scheme. I look at debug output on it:
>>>>
>>>> Found Auth-Type = MSCHAP
>>>> +- entering group MS-CHAP {...}
>>>> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
>>>> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
>>>> [mschap] Told to do MS-CHAPv2 for BAS with NT-Password
>>>> [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details
>>>> [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details
>>>> [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} - --username=BAS
>>>> [mschap] mschap2: bb
>>>> [mschap] expand: --challenge=%{mschap:Challenge:-00} - --challenge=205180e1818e1214
>>>> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} - --nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78
>>>> Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD
>>>> Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD
>>>> Exec-Program: returned: 0
>>>> [mschap] adding MS-CHAPv2 MPPE keys
>>>> ++[mschap] returns ok
>>>>
>>>> ntlm_auth commands is the same on both hosts. The difference is Exec-Program output: Why?
>>>
>>> your previous emails only listed the mschap module and radiusd.conf - but not the sites-enabled/default or sites-enabled/inner-tunnel files.
>>>
>>> alan
Re: CoA-Ack and radclient/radiusd
Anton G. wrote:
> get today git/stable and tried - same result.. (

Are you sure you're using *that* version, and that you don't have multiple versions of the software installed?

> Alan, can you please provide me some tips to do further debug of this?

It involves looking through the hashes in src/lib/packet.c. It's not pretty...

> Not mentioning radiusd CoA, i`m pretty puzzled why radclient doesn`t want to handle CoA-ACK from nas..

I don't know... others have got this to work. What's the OS / CPU?

Alan DeKok.
Re: MSChap via ntlm_auth problem
Hmmm... Problem was solved by recompiling kernel and freeradius.

Thanks,
Anton.

2009/8/22 Anton Brinyov anton.brin...@gmail.com:
> Oh! I notice in /var/log/messages follow line after each auth attempt:
>
>     Aug 22 18:28:33 gate1 kernel: pid 78473 (radiusd), uid 133: exited on signal 12
>
> Thanks,
> Anton
>
> 2009/8/22 Anton Brinyov anton.brin...@gmail.com:
>> Hi,
>>
>> I try to move samba's ntlm_auth program and replace it by simple shell script:
>>
>>     #!/bin/sh
>>     echo Test!
>>
>> But NOTHING CHANGED! I think, radius don't call ntlm_auth program, but I don't know why.
>>
>> Thanks,
>> Anton
>>
>> 2009/8/20 Anton Brinyov anton.brin...@gmail.com:
>>> Here are my sites-enabled/default and sites-enabled/inner-tunnel files.
>>>
>>> Thanks,
>>> Anton
>>>
>>> 2009/8/19 Alan Buxey a.l.m.bu...@lboro.ac.uk:
>>>> Hi,
>>>>> I have another freeradius host (freeradius 2.1.3) with the same authentication scheme. I look at debug output on it:
>>>>>
>>>>> Found Auth-Type = MSCHAP
>>>>> +- entering group MS-CHAP {...}
>>>>> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
>>>>> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
>>>>> [mschap] Told to do MS-CHAPv2 for BAS with NT-Password
>>>>> [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details
>>>>> [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details
>>>>> [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} - --username=BAS
>>>>> [mschap] mschap2: bb
>>>>> [mschap] expand: --challenge=%{mschap:Challenge:-00} - --challenge=205180e1818e1214
>>>>> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} - --nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78
>>>>> Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD
>>>>> Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD
>>>>> Exec-Program: returned: 0
>>>>> [mschap] adding MS-CHAPv2 MPPE keys
>>>>> ++[mschap] returns ok
>>>>>
>>>>> ntlm_auth commands is the same on both hosts. The difference is Exec-Program output: Why?
>>>>
>>>> your previous emails only listed the mschap module and radiusd.conf - but not the sites-enabled/default or sites-enabled/inner-tunnel files.
>>>>
>>>> alan