Re: FR 2.1.0 (ubuntu) proxying to NPS/IAS.
Ville Leinonen wrote:
> I try to use FR to forward access-requests to NPS servers, but for some reason FR/NPS gives a "User password is incorrect" message. I have triple checked that the password is correct. When I test IAS to NPS proxy it works. I have enabled the MS-CHAP-v2, MS-CHAP, CHAP and PAP/SPAP methods on the NPS side. Any clue what is wrong? Here are some logs:

The shared secret is wrong. Fix it.

> rad_recv: Access-Request packet from host 192.168.21.150 port 1025, id=57, length=154
> User-Name = vle
> User-Password = \2063\261m\301\344J\216sCÑ \035\003\2328

This is NOT the user's password. Fix the shared secrets on the NAS and on FreeRADIUS so that they match.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR 2.1.0 (ubuntu) proxying to NPS/IAS.
Hi,

I have also changed the shared secrets and it's not helping.

Br, Ville

Ville Leinonen wrote:
>> I try to use FR to forward access-requests to NPS servers, but for some reason FR/NPS gives a "User password is incorrect" message. I have triple checked that the password is correct. When I test IAS to NPS proxy it works. I have enabled the MS-CHAP-v2, MS-CHAP, CHAP and PAP/SPAP methods on the NPS side. Any clue what is wrong? Here are some logs:
>
> The shared secret is wrong. Fix it.
>
>> rad_recv: Access-Request packet from host 192.168.21.150 port 1025, id=57, length=154
>> User-Name = vle
>> User-Password = \2063\261m\301\344J\216sCÑ \035\003\2328
>
> This is NOT the user's password. Fix the shared secrets on the NAS and on FreeRADIUS so that they match.
>
> Alan DeKok.
How to deactivate freeradius to open the network?
Hello,

I use Freeradius on Debian with mac-based authentication along with a MySQL database containing the mac addresses (as Login Password). I would like to open the network to everyone, so I wonder how to make freeradius authorize any mac address to open the network?

Regards,
RedVivi
Re: monitoring buffered-sql
Thanks Ivan. How do I examine the packet that caused the freeze? Using the detail.work file? Please suggest.

Thanks,
Rams.

>> I installed freeradius with detail, buffered-sql active. How do I monitor the buffered-sql module, if it stops or sleeps for a very long time responding to the mysql db? I saw all of a sudden buffered-sql not pushing packets to the mysql db yesterday. After restarting the radius process it started processing. Please suggest.
>
> Monitor the database, not the module. If the last insert is x minutes/hours ago send an alert or even restart radiusd. I have an alert - first examine the packet that caused the freeze, then release the rest. In my experience every time the reason for the freeze was a database backup - I am backing it up via the network, so it can be slow.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: How to deactivate freeradius to open the network?
Check out the users file and the DEFAULT directive.

- Original Message -
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Sent: Mon Aug 31 04:32:32 2009
Subject: How to deactivate freeradius to open the network?

> Hello,
>
> I use Freeradius on Debian with mac-based authentication along with a MySQL database containing the mac addresses (as Login Password). I would like to open the network to everyone, so I wonder how to make freeradius authorize any mac address to open the network?
>
> Regards,
> RedVivi
Radius Logs in database (It was Re: rlm_ldap logs)
2009/8/28 Sergio Belkin <seb...@gmail.com>:
> Hi
>
> I am using Version 2.1.1 with openldap on Centos 5. I wonder if it is feasible to dump to the logs when a user gets "login incorrect" due to the non-existence of that uid in LDAP.
>
> Thanks in advance!

Shame on me! That is something the logs already do:

Fri Aug 28 18:48:08 2009 : Auth: Login incorrect (rlm_ldap: User not found): [zz...@zz.zzz] (from client port 0 via TLS tunnel)

Thanks and sorry.

Even so, I'd like to find a way to store radius logs in a database. Does such a tool exist? I need to perform some queries on them, for example, which users had an incorrect login (e.g. bad password or certificate) and after some time could get an OK. Perhaps some of you have an idea about how I can do that.

Thanks in advance

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
freeradius2.1.6| buffered-sql | acctstoptime problems
Hi All,

I'm using freeradius 2.1.6 with buffered-sql and detail files for accounting. In the accounting queries I observed acctstoptime = %S. My db somehow froze and radius stopped updating packets from the detail.work file. When restarted it started updating, but it updates the packets with new timestamps instead of the old timestamps that are in the detail.work file. How to overcome this? Please suggest.

Thanks,
Rams.
Re: How to deactivate freeradius to open the network?
> I use Freeradius on Debian with mac-based authentication along with a MySQL database containing the mac addresses (as Login Password). I would like to open the network to everyone, so I wonder how to make freeradius authorize any mac address to open the network?

Why bother with radius at all? Just open the authentication on the NAS.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius2.1.6| buffered-sql | acctstoptime problems
> I'm using freeradius 2.1.6 with buffered-sql and detail files for accounting. In the accounting queries I observed acctstoptime = %S. My db somehow froze and radius stopped updating packets from the detail.work file. When restarted it started updating, but it updates the packets with new timestamps instead of the old timestamps that are in the detail.work file. How to overcome this? Please suggest.

Timestamps for Accounting-Start-Time and Accounting-Stop-Time will be wrong, but you should have delay times logged on the same radacct line. If your billing application can't calculate the correct time from the timestamp and the delay, you can run a sql query in order to correct the times in the Accounting-Start-Time and Accounting-Stop-Time fields.

Ivan Kalik
Kalik Informatika ISP
Re: How to deactivate freeradius to open the network?
I have too many NAS and it's just temporary.

Regards,
RedVivi

- Original Mail -
From: Ivan Kalik <t...@kalik.net>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Sent: Monday 31 August 2009 16:15:33 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: How to deactivate freeradius to open the network?

>> I use Freeradius on Debian with mac-based authentication along with a MySQL database containing the mac addresses (as Login Password). I would like to open the network to everyone, so I wonder how to make freeradius authorize any mac address to open the network?
>
> Why bother with radius at all? Just open the authentication on the NAS.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: monitoring buffered-sql
> Thanks Ivan. How do I examine the packet that caused the freeze? Using the detail.work file? Please suggest.

Yes, that will be the packet(s) in the detail.work file.

Ivan Kalik
Kalik Informatika ISP
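The two buffered-sql threads above come down to the same file: detail.work holds the packets the SQL backend stopped on, and each entry carries both the time it reached the server and the NAS's Acct-Delay-Time, so the original event time can be recovered no matter how late the entry is replayed. The following is an added example, not code from the list or from the FreeRADIUS project: a small parser for the 2.x detail file format (date header, tab-indented attributes, the Timestamp line rlm_detail appends, blank-line separator) that reports which entries are stuck and computes the corrected event time as Timestamp minus Acct-Delay-Time (RFC 2866). The sample file content and the epoch values in it are constructed, modelled on the accounting debug output elsewhere on this page.

```python
import re
from typing import Dict, List

# Constructed sample of a FreeRADIUS 2.x detail file (the format rlm_detail writes and
# the detail listener / buffered-sql replays): a date header line, tab-indented
# "Attribute = value" lines, a Timestamp line added by rlm_detail, then a blank line.
SAMPLE_DETAIL_WORK = (
    "Mon Aug 31 13:41:10 2009\n"
    "\tAcct-Status-Type = Start\n"
    '\tUser-Name = "nathanjoe@comfort"\n'
    "\tAcct-Delay-Time = 20\n"
    "\tNAS-IP-Address = 192.168.1.101\n"
    '\tAcct-Session-Id = "0314462397"\n'
    "\tTimestamp = 1251740470\n"
    "\n"
    "Mon Aug 31 13:43:10 2009\n"
    "\tAcct-Status-Type = Stop\n"
    '\tUser-Name = "nathanjoe@comfort"\n'
    "\tAcct-Delay-Time = 0\n"
    "\tAcct-Session-Time = 120\n"
    '\tAcct-Session-Id = "0314462397"\n'
    "\tTimestamp = 1251740590\n"
    "\n"
)

ATTR_RE = re.compile(r"^\t([\w.:-]+) = (.*)$")


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split a detail file into records (one dict per accounting packet)."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():          # a blank line terminates the record
            if current:
                records.append(current)
            current = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip('"')
        elif not current:             # first non-attribute line is the date header
            current["_header"] = line
    if current:
        records.append(current)
    return records


def event_time(record: Dict[str, str]) -> int:
    """When the NAS actually generated the record: the time it reached the server
    (rlm_detail's Timestamp) minus Acct-Delay-Time, the seconds the NAS reports it
    had been retrying (RFC 2866). Replaying the file later does not change this."""
    return int(record["Timestamp"]) - int(record.get("Acct-Delay-Time", "0"))


def stuck_records(records: List[Dict[str, str]], now: int, max_age: int) -> List[Dict[str, str]]:
    """Records that have sat in detail.work longer than max_age seconds: the first
    one is the packet the SQL backend stopped on, the rest are queued behind it."""
    return [r for r in records if now - int(r["Timestamp"]) > max_age]


def describe(record: Dict[str, str]) -> str:
    return "%s session %s for %s, generated at epoch %d" % (
        record.get("Acct-Status-Type", "?"), record.get("Acct-Session-Id", "?"),
        record.get("User-Name", "?"), event_time(record))


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL_WORK)
    now = 1251740590 + 3 * 3600   # pretend the backlog is three hours old
    for r in stuck_records(recs, now, max_age=600):
        print("STUCK:", describe(r))
```

The same subtraction is what a correction query against radacct has to do: the stored start/stop time minus the delay column written on the same row gives the time the session really started or stopped.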
Out and into tunnel log files
Hi,

I have configured three virtual servers: default, inner (uses eap-ttls), inner-peap (uses eap-peap). I guess that out-of-tunnel attempts go to the default server log files. cron performs a daily task that more or less does something like this:

grep OK /var/log/radius/radiusd-*-$date.log | awk '{print $10}' | sort -fu | wc -l

That way I get how many users could get an Access-Accept. Well, I've found that this is not right, because some supplicants can send different identities inside and outside the tunnel. So I'd like to use:

grep OK /var/log/radius/radiusd-inner*-$date.log | awk '{print $10}' | sort -fu | wc -l

But I've found that some OKs are sent to the default server log file, so I can't get the right statistic. Please could you help me to do it?

Below is the debug info:

FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on Oct 21 2008 at 15:14:37 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... 
including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file 
/usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel-peap group = radiusd user = radiusd including dictionary file /usr/local/etc/raddb/dictionary main { prefix = /usr/local localstatedir = /usr/local/var logdir = /usr/local/var/log/radius libdir = /usr/local/lib radacctdir = /usr/local/var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile =
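The counting problem in the post above is that the outer (default) server and the inner-tunnel server each log their own "Login OK" line, and with EAP the two identities can differ, so a grep over all files double counts and a grep over the inner files only misses logins that never enter a tunnel. As an added example (not code from the list or from FreeRADIUS), here is a parser for the 2.x "Auth: Login OK/incorrect" log line that keeps the inner-tunnel and outer accepts apart, case-folds identities the way `sort -fu` does, and offers one way to combine the two sets. The log lines are constructed; the rule that treats outer identities matching `anonymous@...` as EAP outer identities is an assumption you would adapt to your supplicants.

```python
import re
from typing import Dict, Iterable, Optional, Set

# Constructed sample log lines in the FreeRADIUS 2.x "Auth:" format. The default
# server logs the identity seen outside the tunnel; the inner-tunnel server marks its
# lines with "via TLS tunnel" and logs the identity the supplicant sent inside it.
SAMPLE_LOG_LINES = [
    "Mon Aug 31 10:00:01 2009 : Auth: Login OK: [anonymous@example.org/<via Auth-Type = EAP>] (from client ap1 port 0 cli 00-11-22-33-44-55)",
    "Mon Aug 31 10:00:01 2009 : Auth: Login OK: [alice/<via Auth-Type = EAP>] (from client ap1 port 0 via TLS tunnel)",
    "Mon Aug 31 10:00:05 2009 : Auth: Login OK: [Alice/<via Auth-Type = EAP>] (from client ap2 port 0 via TLS tunnel)",
    "Mon Aug 31 10:01:00 2009 : Auth: Login OK: [bob/<via Auth-Type = PAP>] (from client nas1 port 0)",
    "Mon Aug 31 10:02:00 2009 : Auth: Login incorrect (rlm_ldap: User not found): [carol] (from client port 0 via TLS tunnel)",
]

LOGIN_RE = re.compile(
    r"Auth: Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<who>[^\]]*)\] "
    r"\(from client\s*(?P<client>\S*?)\s*port \d+(?P<rest>[^)]*)\)"
)


def parse_auth_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one Auth: line, or None if the line is something else."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    return {
        "ok": m.group("result") == "OK",
        "identity": m.group("who").split("/", 1)[0],   # drop "/<via Auth-Type = ...>"
        "client": m.group("client"),
        "inner": "via TLS tunnel" in m.group("rest"),
        "reason": m.group("reason") or "",
    }


def accepted_identities(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Unique accepted identities, case-folded like `sort -fu`, split by whether the
    Access-Accept was logged inside the TLS tunnel or by the outer server."""
    inner: Set[str] = set()
    outer: Set[str] = set()
    for line in lines:
        p = parse_auth_line(line)
        if p and p["ok"]:
            (inner if p["inner"] else outer).add(str(p["identity"]).lower())
    return {"inner": inner, "outer": outer, "all": inner | outer}


def count_users(lines: Iterable[str], outer_anonymous_pattern: str = r"^anonymous(@|$)") -> int:
    """One answer for the daily cron job: every inner-tunnel identity, plus outer
    identities that are real logins rather than EAP outer identities. The pattern
    for recognising anonymous outer identities is an assumption for this example."""
    sets = accepted_identities(lines)
    anon = re.compile(outer_anonymous_pattern)
    real_outer = {u for u in sets["outer"] if not anon.match(u)}
    return len(sets["inner"] | real_outer)


if __name__ == "__main__":
    sets = accepted_identities(SAMPLE_LOG_LINES)
    print("inner:", sorted(sets["inner"]), "outer:", sorted(sets["outer"]))
    print("users:", count_users(SAMPLE_LOG_LINES))
```

Feed it the lines of all radiusd-*-$date.log files together; the "via TLS tunnel" marker, not the file name, decides which side of the tunnel an accept belongs to.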
Username from LDAP in proxy request
Hi,

I'm looking for some help with proxying requests using free-radius. I have a situation where I need to perform a query to an LDAP that contains both the back-end authentication server as well as the username for a user. For example, the User-Name in the originating request may be User1. FreeRADIUS then queries LDAP, which contains attributes called authenticationserver and authenticationuname. The authenticationserver is where the request should be proxied to, and the authenticationuname is the User-Name that should be substituted for the original user-name in the proxy request. I have the first part working, where I mapped authenticationservername to Proxy-To-Realm in the ldapmap file. I also set up all the possible values as realms. The server is now forwarding requests based on what it gets back in the LDAP query. I'm stuck however at trying to substitute the User-Name with what is retrieved from LDAP. Anybody know any way to do this?
Re: Username from LDAP in proxy request
> I'm looking for some help with proxying requests using free-radius. I have a situation where I need to perform a query to an LDAP that contains both the back-end authentication server as well as the username for a user. For example, the User-Name in the originating request may be User1. FreeRADIUS then queries LDAP, which contains attributes called authenticationserver and authenticationuname. The authenticationserver is where the request should be proxied to, and the authenticationuname is the User-Name that should be substituted for the original user-name in the proxy request. I have the first part working, where I mapped authenticationservername to Proxy-To-Realm in the ldapmap file. I also set up all the possible values as realms. The server is now forwarding requests based on what it gets back in the LDAP query. I'm stuck however at trying to substitute the User-Name with what is retrieved from LDAP. Anybody know any way to do this?

Create a new attribute New-User-Name in raddb/dictionary. Map it to authenticationuname in ldap.attrmap. Use unlang to replace User-Name with it in the pre-proxy section.

Ivan Kalik
Kalik Informatika ISP
Simple Accounting 'radrelay' functionality - Version 2.1.6
radiusd: Opening IP addresses and Ports listen { type = auth ipaddr = * port = 0 } listen { type = acct ipaddr = * port = 0 } listen { type = control listen { socket = /var/run/radiusd/radiusd.sock } } listen { type = detail listen { filename = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d load_factor = 10 poll_interval = 1 retry_interval = 30 } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on detail file /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d as server copy-acct-to-home-server Listening on proxy address * port 1814 Waking up in 0.9 seconds. rad_recv: Accounting-Request packet from host 192.168.1.101 port 50125, id=70, length=245 Acct-Status-Type = Start User-Name = nathan...@comfort Event-Timestamp = Aug 31 2009 13:40:56 AST Acct-Delay-Time = 20 NAS-Identifier = ERX-2 Acct-Session-Id = 0314462397 NAS-IP-Address = 192.168.1.101 Service-Type = Framed-User Framed-Protocol = PPP Framed-Compression = None ERX-Pppoe-Description = pppoe 00:90:d0:63:df:79 Framed-IP-Address = 201.229.46.219 Framed-IP-Netmask = 255.255.255.255 ERX-Ingress-Policy-Name = COMFORT_UP ERX-Egress-Policy-Name = COMFORT_DOWN Calling-Station-Id = ERX-0800269 NAS-Port-Type = Ethernet NAS-Port = 2147483917 NAS-Port-Id = GigabitEthernet 8/0.269:269 Acct-Authentic = RADIUS +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 2147483917,Client-IP-Address = 192.168.1.101,NAS-IP-Address = 192.168.1.101,Acct-Session-Id = 0314462397,User-Name = nathan...@comfort' [acct_unique] Acct-Unique-Session-ID = 526c378c1dcaa12d. ++[acct_unique] returns ok [sanenasport] expand: ^.* - ^.* [sanenasport] expand: %{Acct-Session-Id} - 0314462397 sanenasport: Changed value for attribute NAS-Port from '?' 
to '0314462397' sanenasport: Could not find value pair for attribute NAS-Port ++[sanenasport] returns ok [hexconvert]expand: ^...@ftth.aw$ - ^...@ftth.aw$ hexconvert: Does not match: User-Name = nathan...@comfort ++[hexconvert] returns ok [suffix] Looking up realm comfort for User-Name = nathan...@comfort [suffix] No such realm comfort ++[suffix] returns noop ++[files] returns noop +- entering group accounting {...} [detail]expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radius/radacct/192.168.1.101/detail-20090831 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.101/detail-20090831 [detail]expand: %t - Mon Aug 31 13:41:10 2009 ++[detail] returns ok ++[unix] returns ok [nameonly] expand: @.*$ - @.*$ nameonly: Changed value for attribute User-Name from 'nathan...@comfort' to 'nathanjoe' ++[nameonly] returns ok [radutmp] expand: /var/log/radius/radutmp - /var/log/radius/radutmp [radutmp] expand: %{User-Name} - nathanjoe ++[radutmp] returns ok [attr_filter.accounting_response] expand: %{User-Name} - nathanjoe attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 70 to 192.168.1.101 port 50125 Finished request 0. Cleaning up request 0 ID 70 with timestamp +1 Going to the next request Waking up in 0.3 seconds.
Re: Simple Accounting 'radrelay' functionality - Version 2.1.6
> Sending Accounting-Response of id 70 to 192.168.1.101 port 50125 Finished request 0. Cleaning up request 0 ID 70 with timestamp +1 Going to the next request Waking up in 0.3 seconds.

You have cut off the debug at the interesting point. Does it poll the detail file after these 0.3 seconds? It should.

Ivan Kalik
Kalik Informatika ISP
Re: Simple Accounting 'radrelay' functionality - Version 2.1.6
Here is some more of the log file - I didn't realize what to look for. (I did a string search for proxy below this point - nothing. Same for the 192.168.1.126 and radius-b strings.)

Thanks,
-craig

Listening on proxy address * port 1814 Waking up in 0.9 seconds. rad_recv: Accounting-Request packet from host 192.168.1.101 port 50125, id=180, length=241 Acct-Status-Type = Start User-Name = na...@comfort Event-Timestamp = Aug 31 2009 15:33:05 AST Acct-Delay-Time = 0 NAS-Identifier = ERX-2 Acct-Session-Id = 0314486542 NAS-IP-Address = 192.168.1.101 Service-Type = Framed-User Framed-Protocol = PPP Framed-Compression = None ERX-Pppoe-Description = pppoe 00:90:d0:63:df:6d Framed-IP-Address = 199.2.117.119 Framed-IP-Netmask = 255.255.255.255 ERX-Ingress-Policy-Name = COMFORT_UP ERX-Egress-Policy-Name = COMFORT_DOWN Calling-Station-Id = ERX-0900261 NAS-Port-Type = Ethernet NAS-Port = 2415919365 NAS-Port-Id = GigabitEthernet 9/0.261:261 Acct-Authentic = RADIUS +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 2415919365,Client-IP-Address = 192.168.1.101,NAS-IP-Address = 192.168.1.101,Acct-Session-Id = 0314486542,User-Name = na...@comfort' [acct_unique] Acct-Unique-Session-ID = a805b61e88cd3fe2. ++[acct_unique] returns ok [sanenasport] expand: ^.* - ^.* [sanenasport] expand: %{Acct-Session-Id} - 0314486542 sanenasport: Changed value for attribute NAS-Port from '?' 
to '0314486542' sanenasport: Could not find value pair for attribute NAS-Port ++[sanenasport] returns ok [hexconvert]expand: ^...@ftth.aw$ - ^...@ftth.aw$ hexconvert: Does not match: User-Name = na...@comfort ++[hexconvert] returns ok [suffix] Looking up realm comfort for User-Name = na...@comfort [suffix] No such realm comfort ++[suffix] returns noop ++[files] returns noop +- entering group accounting {...} [detail]expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radius/radacct/192.168.1.101/detail-20090831 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.101/detail-20090831 [detail]expand: %t - Mon Aug 31 15:32:59 2009 ++[detail] returns ok ++[unix] returns ok [nameonly] expand: @.*$ - @.*$ nameonly: Changed value for attribute User-Name from 'na...@comfort' to 'nana1' ++[nameonly] returns ok [radutmp] expand: /var/log/radius/radutmp - /var/log/radius/radutmp [radutmp] expand: %{User-Name} - nana1 ++[radutmp] returns ok [attr_filter.accounting_response] expand: %{User-Name} - nana1 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 180 to 192.168.1.101 port 50125 Finished request 0. Cleaning up request 0 ID 180 with timestamp +1 Going to the next request Waking up in 0.4 seconds. Polling for detail file /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d Waking up in 1.1 seconds. Polling for detail file /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d Waking up in 0.8 seconds. Polling for detail file /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d Waking up in 1.2 seconds. 
rad_recv: Accounting-Request packet from host 192.168.1.101 port 50125, id=181, length=250 Acct-Status-Type = Start User-Name = jmartine...@comfort Event-Timestamp = Aug 31 2009 15:33:07 AST Acct-Delay-Time = 0 NAS-Identifier = ERX-2 Acct-Session-Id = 0314486551 NAS-IP-Address = 192.168.1.101 Service-Type = Framed-User Framed-Protocol = PPP Framed-Compression = None ERX-Pppoe-Description = pppoe 00:08:5c:89:2c:20 Framed-IP-Address = 199.2.118.252 Framed-IP-Netmask = 255.255.255.255 ERX-Ingress-Policy-Name = COMFORT_UP ERX-Egress-Policy-Name = COMFORT_DOWN Calling-Station-Id = ERX-01317600067 Connect-Info = speed:UBR NAS-Port-Type = xDSL NAS-Port = 330301507 NAS-Port-Id = atm 1/3.3300:176.67 Acct-Authentic = RADIUS +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 330301507,Client-IP-Address = 192.168.1.101,NAS-IP-Address = 192.168.1.101,Acct-Session-Id = 0314486551,User-Name = jmartine...@comfort' [acct_unique] Acct-Unique-Session-ID = 21e39488e0f55f2c. ++[acct_unique] returns ok [sanenasport] expand: ^.* - ^.* [sanenasport] expand: %{Acct-Session-Id} - 0314486551 sanenasport: Changed value for attribute NAS-Port from '?°' to '0314486551' sanenasport: Could not find value pair for attribute NAS-Port ++[sanenasport] returns ok [hexconvert]expand: ^...@ftth.aw$ - ^...@ftth.aw$ hexconvert: Does not match: User-Name = jmartine...@comfort ++[hexconvert] returns ok [suffix] Looking up realm comfort for User-Name = jmartine...@comfort [suffix
Re: Setting FreeRadius + WPA - Enterprises (PEAP) CA Cert?
Hello Experts,

Now that I have my first test user working with clear text passwords I am ready to set up WPA - Enterprise (PEAP). I noticed that my client (RedHat RHEL Workstation) will need a CA cert in the connection settings. Can I simply copy the FR ca.pem file to my client for this or not? Or do I need to create my own? If I need to create my own CA is there a guide for doing this for Free Radius? I have read all the docs and cannot find a clear approach.

Thanks,
Steven
Re: FR 2.1.0 (ubuntu) proxying to NPS/IAS.
Hi,

> Hi, I try to use FR to forward access-requests to NPS servers, but for some reason FR/NPS gives a "User password is incorrect" message. I have triple checked that the password is correct. When I test IAS to NPS proxy it works. I have enabled the MS-CHAP-v2, MS-CHAP, CHAP and PAP/SPAP methods on the NPS side.

this is usually symptomatic of an incorrect shared secret being entered at one end of the RADIUS link

alan
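Both replies in this thread (Alan DeKok's above, pointing at the octal escapes in the rad_recv output, and this one) say the same thing: a PAP User-Password is not sent in clear, it is XOR-hidden under MD5(secret + Request Authenticator), so a NAS and server with different secrets produce garbage rather than any visible "wrong secret" error. The following is an added example, not code from the list thread or from the FreeRADIUS project: the RFC 2865 section 5.2 hiding and its inverse in Python, plus the printable-text check an operator can use to tell a secret mismatch from a genuinely wrong password. The secret, password and Request Authenticator are constructed demo values.

```python
import hashlib

# Constructed demo values; a real Request Authenticator is 16 random bytes chosen by the NAS.
DEMO_AUTHENTICATOR = bytes(range(16))
DEMO_SECRET = b"testing123"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad the password to 16-byte blocks; block 1 is XORed
    with MD5(secret + RequestAuthenticator), each later block with
    MD5(secret + previous ciphertext block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block  # chaining uses the ciphertext block, not the plaintext
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it. The server cannot
    tell whether 'secret' is right; a wrong one simply yields different bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, pad))
        prev = block
    return bytes(out).rstrip(b"\x00")


def looks_like_secret_mismatch(revealed: bytes) -> bool:
    """Heuristic for the decoded value: a PAP password is printable text, while a
    mismatched secret produces pseudo-random octets (the \\ooo escapes in radiusd -X)."""
    return not revealed or any(c < 32 or c > 126 for c in revealed)


def debug_style(value: bytes) -> str:
    """Render bytes the way radiusd -X prints User-Password: non-printable octets
    become three-digit octal escapes, which is what the log in this thread shows."""
    return "".join(chr(c) if 32 <= c <= 126 else "\\%03o" % c for c in value)


if __name__ == "__main__":
    on_the_wire = hide_password(b"correct-pw", DEMO_SECRET, DEMO_AUTHENTICATOR)
    good = reveal_password(on_the_wire, DEMO_SECRET, DEMO_AUTHENTICATOR)
    bad = reveal_password(on_the_wire, b"wrong-secret", DEMO_AUTHENTICATOR)
    print("matching secret  :", debug_style(good), "mismatch?", looks_like_secret_mismatch(good))
    print("mismatched secret:", debug_style(bad), "mismatch?", looks_like_secret_mismatch(bad))
```

Note that a proxy such as FreeRADIUS decodes with the secret shared with the NAS and re-hides with the secret shared with the home server (NPS here), so a mismatch on either hop produces the same symptom on the far end.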
Re: Setting FreeRadius + WPA - Enterprises (PEAP) CA Cert?
> Now that I have my first test user working with clear text passwords I am ready to set up WPA - Enterprise (PEAP). I noticed that my client (RedHat RHEL Workstation) will need a CA cert in the connection settings. Can I simply copy the FR ca.pem file to my client for this or not?

Yes.

> If I need to create my own CA is there a guide for doing this for Free Radius? I have read all the docs and cannot find a clear approach.

raddb/certs/README.

Ivan Kalik
Kalik Informatika ISP
process auth request from any AP
Is there a way to configure FreeRADIUS to accept authentication requests from any AP? In other words, I don't want to have to pre-configure access points in the client.conf.

Thank you,
Bill
Re: process auth request from any AP
> Is there a way to configure FreeRADIUS to accept authentication requests from any AP? In other words, I don't want to have to pre-configure access points in the client.conf.

No. You have to configure a shared secret for radius to work. ipaddr accepts subnets as well.

Ivan Kalik
Kalik Informatika ISP
RE: process auth request from any AP
Yep - I think you'd need at least a couple of lines in Clients.conf, but you don't have to configure a separate block for EVERY AP.

-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: Monday, August 31, 2009 4:57 PM
To: FreeRadius users mailing list
Subject: Re: process auth request from any AP

>> Is there a way to configure FreeRADIUS to accept authentication requests from any AP? In other words, I don't want to have to pre-configure access points in the client.conf.
>
> No. You have to configure a shared secret for radius to work. ipaddr accepts subnets as well.
>
> Ivan Kalik
> Kalik Informatika ISP
sqlippool - Duplicate IP
Hi,

I've been facing a problem since a rebuild, where every user is being allocated the same IP from the sqlippool, and I'm not sure why this is happening.

I have DaloRadius / FreeRadius 2.1.6 / Poptop (pptpd) 1.3.4 / ppp 2.4.4-2 / mysql 5.0.45

pppd does not pass back Client-IP-Address or Client-Station-Id

The table structure for radippool is (
`id` int(11) unsigned NOT NULL auto_increment,
`pool_name` varchar(30) NOT NULL,
`framedipaddress` varchar(15) NOT NULL default '',
`nasipaddress` varchar(15) NOT NULL default '',
`calledstationid` varchar(30) NOT NULL,
`callingstationid` varchar(30) NOT NULL,
`expiry_time` datetime default NULL,
`username` varchar(64) NOT NULL default '',
`pool_key` varchar(30) NOT NULL,
PRIMARY KEY (`id`)
)

1st Login

Ready to process requests. rad_recv: Access-Request packet from host NASIPHERE port 53621, id=117, length=147 Service-Type = Framed-User Framed-Protocol = PPP User-Name = TESTUSER MS-CHAP-Challenge = 0xe325bfbeb22fbbb7a33a21326e5ce18a MS-CHAP2-Response = 0x51009da7f84750dd0f01bed231e11bab1f9a2b9f4dad6844332eaec4aabcc1d8f03911ff654b6a7a8e96 NAS-Identifier = NASIPHERE NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radius/radacct/NASIPHERE/auth-detail-20090831 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/NASIPHERE/auth-detail-20090831 [auth_log] expand: %t - Mon Aug 31 22:47:05 2009 ++[auth_log] returns ok [mschap] Found MS-CHAP attributes. 
Setting 'Auth-Type = mschap' ++[mschap] returns ok [sql] expand: %{User-Name} - TESTUSER [sql] sql_set_user escaped user -- 'TESTUSER' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'TESTUSER' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radreply WHERE username = 'TESTUSER' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = 'TESTUSER' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'USUKTV' ORDER BY id [sql] User found in group USUKTV [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'USUKTV' ORDER BY id rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for TESTUSER with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok +- entering group session {...} ++[sql] returns noop Login OK: [TESTUSER/via Auth-Type = mschap] (from client VPN1-UK port 0) +- entering group post-auth {...} rlm_sql (sql): Reserving sql socket id: 2 [sqlippool] expand: %{User-Name} - TESTUSER [sqlippool] sql_set_user escaped user -- 'TESTUSER' [sqlippool] expand: START TRANSACTION - START TRANSACTION [sqlippool] expand: UPDATE radippool SET 
nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time = NOW() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}' - UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time = NOW() - INTERVAL 1 SECOND AND nasipaddress = 'NASIPHERE' [sqlippool] expand: SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time NOW() OR expiry_time IS NULL) ORDER BY (username '%{User-Name}'), (callingstationid '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE - SELECT framedipaddress FROM radippool WHERE pool_name = 'tvpool' AND (expiry_time NOW() OR expiry_time IS NULL) ORDER BY (username 'TESTUSER'), (callingstationid ''), expiry_time LIMIT 1 FOR UPDATE [sqlippool] expand: UPDATE radippool SET nasipaddress = '%{NAS-IP
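The debug log above stops inside the allocate-update statement, so here is a constructed walk-through of the sqlippool cycle it shows (allocate-clear, allocate-find, allocate-update), replayed against an in-memory SQLite copy of radippool. It is an added example, not FreeRADIUS code or the poster's; it assumes a one-hour lease, rewrites the MySQL-only parts (NOW() - INTERVAL, FOR UPDATE) for SQLite, and appends `id` to the ORDER BY so the outcome is deterministic.

```python
# Added example: the sqlippool allocate cycle replayed on SQLite (assumptions in the lead-in).
import sqlite3

LEASE_SECONDS = 3600  # assumed; the real value comes from sqlippool's lease-duration

DDL = """CREATE TABLE radippool (
  id INTEGER PRIMARY KEY AUTOINCREMENT, pool_name TEXT NOT NULL,
  framedipaddress TEXT NOT NULL DEFAULT '', nasipaddress TEXT NOT NULL DEFAULT '',
  calledstationid TEXT NOT NULL DEFAULT '', callingstationid TEXT NOT NULL DEFAULT '',
  expiry_time DATETIME DEFAULT NULL, username TEXT NOT NULL DEFAULT '',
  pool_key TEXT NOT NULL DEFAULT '')"""

# allocate-clear: release leases on the requesting NAS that expired at least a second ago.
ALLOCATE_CLEAR = """UPDATE radippool SET nasipaddress = '', pool_key = 0,
  callingstationid = '', username = '', expiry_time = NULL
  WHERE expiry_time <= datetime('now', '-1 second') AND nasipaddress = ?"""
# allocate-find: free rows, ranked by same username, then same caller, then oldest expiry.
ALLOCATE_FIND = """SELECT framedipaddress FROM radippool WHERE pool_name = ?
  AND (expiry_time < datetime('now') OR expiry_time IS NULL)
  ORDER BY (username <> ?), (callingstationid <> ?), expiry_time, id LIMIT 1"""
# allocate-update: bind the chosen address to this session for one lease period.
ALLOCATE_UPDATE = """UPDATE radippool SET nasipaddress = ?, pool_key = ?,
  callingstationid = ?, username = ?, expiry_time = datetime('now', ?)
  WHERE framedipaddress = ?"""

def new_pool(name, addresses):
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    conn.executemany("INSERT INTO radippool (pool_name, framedipaddress) VALUES (?, ?)",
                     [(name, a) for a in addresses])
    conn.commit()
    return conn

def allocate(conn, pool, nas_ip, username, calling_station_id, pool_key="0"):
    """One post-auth pass of sqlippool; returns the IP handed out, or None if the pool is full."""
    with conn:  # START TRANSACTION ... COMMIT, as in the log
        conn.execute(ALLOCATE_CLEAR, (nas_ip,))
        row = conn.execute(ALLOCATE_FIND, (pool, username, calling_station_id)).fetchone()
        if row is None:
            return None
        conn.execute(ALLOCATE_UPDATE, (nas_ip, pool_key, calling_station_id, username,
                                       f"+{LEASE_SECONDS} seconds", row[0]))
        return row[0]

def expire(conn, ip):
    """Age a lease past its expiry, as if the NAS never sent an Acct-Stop for it."""
    conn.execute("UPDATE radippool SET expiry_time = datetime('now', '-2 hours') "
                 "WHERE framedipaddress = ?", (ip,))
    conn.commit()
```

Allocating for two users from different NAS addresses, expiring both leases and allocating again shows that allocate-clear only wipes stale rows belonging to the requesting NAS-IP-Address, while allocate-find still prefers a stale row that carries the same username.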
Re: Setting FreeRadius + WPA - Enterprises (PEAP) Test Results
Ivan, I copied over the server's ca.pem to my workstation for use in this test. My first try gave me client errors, so I fixed those by creating a network (copied this from the example):

client 192.168.0.0/24 {
        require_message_authenticator = no
        secret = testing123
        shortname = private-network-1
}

After restarting FreeRADIUS, here are the results from my terminal. Sorry this is long. Can you give me any hints on what went wrong here?

[r...@ns1 ~]# radiusd -X
FreeRADIUS Version 2.1.6, for host i386-redhat-linux-gnu, built on Jun 2 2009 at 17:33:54
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/radius
        libdir = /usr/lib/freeradius
        radacctdir = /var/log/radius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = /var/run/radiusd/radiusd.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
radiusd: Loading Realms and Home Servers
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = auth
        secret = testing123
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = no
        zombie_period =
Re: FR 2.1.0 (ubuntu) proxying to NPS/IAS.
Hi, I just compiled 2.1.6 from source and it started to work. Thanks to everyone that tried to help me.

Br, Ville

Hi,

Hi, I try to use FR to forward access-requests to NPS servers, but for some reason FR/NPS gives a "User password is incorrect" message. I have triple-checked that the password is correct. When I test an IAS to NPS proxy it works. I have enabled on the NPS side the MS-CHAP-v2, MS-CHAP, CHAP and PAP/SPAP methods.

This is usually symptomatic of an incorrect shared secret being entered at one end of the RADIUS link.

alan
NAS with freeradius and telephone number
Excuse me, does somebody know if FreeRADIUS can see, in some way, the telephone number that a remote user is using to call me with his modem? My line (a copper pair) gives me this information through a single telephone; can a NAS with FreeRADIUS give me the same information? If the answer is yes, how can I see that information? I need to use it for an authentication process. Any orientation will be welcome. Thank you for any help.
Radius Server Authenticate the user but Windows XP generate a error 691
Dear freeradius-users, I have implemented a FreeRADIUS server on SUSE 9.3 Prof, using a MySQL database, with a Perle JETSTREAM 4000 RAS device. My problem is that when I try to connect a user through a modem from a Windows XP client machine, error 691 occurs, but the RADIUS log authenticates the user.

The RADIUS server log:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = yes
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: bind_address = 192.168.1.78 IP address [192.168.1.78]
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = yes
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = yes
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port =
 sql: login = root
 sql: password = root
 sql: radius_db = radius
 sql: acct_table = radacct
 sql: acct_table2 = radacct
 sql: authcheck_table = radcheck
 sql: authreply_table = radreply
 sql: groupcheck_table = radgroupcheck
 sql: groupreply_table = radgroupreply
 sql: usergroup_table = usergroup
 sql: nas_table = nas
 sql: dict_table = dictionary
 sql: sqltrace = no
 sql: sqltracefile = /var/log/radius/sqltrace.sql
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: default_user_profile =
 sql: query_on_not_found = no
 sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_group_check_query = SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
 sql: authorize_group_reply_query = SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
 sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),