Re: FR 2.1.0 (ubuntu) proxying to NPS/IAS.

2009-08-31 Thread Alan DeKok
Ville Leinonen wrote:
 I try to use FR to forward access-requests to NPS servers, but for some
 reason FR/NPS gives a "User password is incorrect" message. I have triple
 checked that the password is correct. When I test IAS to NPS proxy it works. I
 have enabled the MS-CHAP-v2, MS-CHAP, CHAP and PAP/SPAP methods on the NPS side.

 Any clue what is wrong? Here are some logs:

  The shared secret is wrong.  Fix it.

 rad_recv: Access-Request packet from host 192.168.21.150 port 1025, id=57,
 length=154
 User-Name = vle
 User-Password = \2063\261m\301\344J\216sCÑ \035\003\2328

  This is NOT the user's password.  Fix the shared secrets on the NAS and
on FreeRADIUS so that they match.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 2.1.0 (ubuntu) proxying to NPS/IAS.

2009-08-31 Thread Ville Leinonen
Hi,

I have also changed shared secrets and it's not helping.

Br,

Ville

 Ville Leinonen wrote:
 I try to use FR to forward access-requests to NPS servers, but for some
 reason FR/NPS gives a "User password is incorrect" message. I have triple
 checked that the password is correct. When I test IAS to NPS proxy it works. I
 have enabled the MS-CHAP-v2, MS-CHAP, CHAP and PAP/SPAP methods on the NPS side.

 Any clue what is wrong? Here are some logs:

   The shared secret is wrong.  Fix it.

 rad_recv: Access-Request packet from host 192.168.21.150 port 1025,
 id=57,
 length=154
 User-Name = vle
 User-Password = \2063\261m\301\344J\216sCÑ \035\003\2328

   This is NOT the user's password.  Fix the shared secrets on the NAS and
 on FreeRADIUS so that they match.

   Alan DeKok.



How to deactivate freeradius to open the network ?

2009-08-31 Thread via . lej
Hello,

  I use Freeradius on Debian with mac-based authentication along with a MySQL
database containing the mac addresses (as Login  Password). I would like to open
the network to everyone, so I wonder how to make freeradius authorize any
mac address to open the network?

Regards,
RedVivi


Re: monitoring buffered-sql

2009-08-31 Thread ramesh p
Thanks Ivan. How do I examine the packet that caused the freeze?  Using the
detail.work file? Please suggest.

Thanks,
Rams.

 I installed freeradius with detail, buffered-sql active. How to monitor the
 buffered-sql module. If it stops or sleeps for very long time responding to
 mysql db?
 I saw all of a sudden buffered-sql not pushing packets to mysql db
 yesterday. After restarting radius process it started processing.
 Please suggest.

Monitor the database, not module. If last insert is x minutes/hours ago
send alert or even restart radiusd. I have an alert - first examine packet
that caused the freeze, then release the rest. In my experience every time
reason for the freeze was database backup - I am backing it up via the
network, so it can be slow.

Ivan Kalik
Kalik Informatika ISP

Re: How to deactivate freeradius to open the network ?

2009-08-31 Thread Gary Gatten
Check out the users file and the DEFAULT directive.

- Original Message -
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Sent: Mon Aug 31 04:32:32 2009
Subject: How to deactivate freeradius to open the network ?

Hello,

  I use Freeradius on Debian with mac-based authentication along with a MySQL
database containing the mac addresses (as Login  Password). I would like to open
the network to everyone, so I wonder how to make freeradius authorize any
mac address to open the network?

Regards,
RedVivi

Radius Logs in database (It was Re: rlm_ldap logs)

2009-08-31 Thread Sergio Belkin
2009/8/28 Sergio Belkin seb...@gmail.com:
 Hi I am using Version 2.1.1 with openldap on Centos 5
 I wonder if it is feasible to dump to the logs when a user gets login incorrect
 if it is due to non-existence of that uid on LDAP.

 Thanks in advance!

 --
 --
Shame on me!  That's something that the logs already do:

Fri Aug 28 18:48:08 2009 : Auth: Login incorrect (rlm_ldap: User not
found): [zz...@zz.zzz] (from client  port 0 via TLS tunnel)

Thanks and sorry

Even so, I'd like to find a way to store radius logs in a database.
Does such a tool exist? I need to perform some queries on them, for
example, which users had an incorrect login (e.g. bad password or
certificate) and after some time could get an OK.

Perhaps, some of you have an idea about how can I do that.

Thanks in advance
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


freeradius2.1.6| buffered-sql | acctstoptime problems

2009-08-31 Thread ramesh p
Hi All,

I'm using freeradius2.1.6 with buffered-sql, detail files for accounting.
In accounting queries I observed acctstoptime = %S.
My db somehow froze and radius stopped updating packets from the detail.work
file. When restarted it started updating, but updating the packets with new
timestamps instead of the old timestamps in the detail.work file. How to
overcome this? Please suggest.

Thanks,
Rams.

Re: How to deactivate freeradius to open the network ?

2009-08-31 Thread Ivan Kalik
   I use Freeradius on Debian with mac-based authentication along with a MySQL
 database containing the mac addresses (as Login  Password). I would like to open
 the network to everyone, so I wonder how to make freeradius authorize any
 mac address to open the network?

Why bother with radius at all? Just open the authentication on the NAS.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius2.1.6| buffered-sql | acctstoptime problems

2009-08-31 Thread Ivan Kalik
 I'm using freeradius2.1.6 with buffered-sql, detail files for accounting.
 In accounting queries I observed acctstoptime = %S.
 My db somehow froze and radius stopped updating packets from the detail.work
 file. When restarted it started updating, but updating the packets with new
 timestamps instead of the old timestamps in the detail.work file. How to
 overcome this? Please suggest.

Timestamps for Accounting-Start-Time and Accounting-Stop-Time will be
wrong but you should have delay times logged on the same radacct line.
If your billing application can't calculate the correct time from the
timestamp and the delay, you can run a sql query in order to correct the
times in Accounting-Start-Time and Accounting-Stop-Time fields.

Ivan Kalik
Kalik Informatika ISP



Re: How to deactivate freeradius to open the network ?

2009-08-31 Thread via . lej
I have too many NASes and it's just temporary.

Regards,
RedVivi

- Original Mail -
From: Ivan Kalik t...@kalik.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday 31 August 2009 16h15:33 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: How to deactivate freeradius to open the network ?

   I use Freeradius on Debian with mac-based authentication along with a MySQL
 database containing the mac addresses (as Login  Password). I would like to open
 the network to everyone, so I wonder how to make freeradius authorize any
 mac address to open the network?

Why bother with radius at all? Just open the authentication on the NAS.

Ivan Kalik
Kalik Informatika ISP


Re: monitoring buffered-sql

2009-08-31 Thread Ivan Kalik
 Thanks Ivan. How do i examine the packet that caused freeze?  Using
 detail.work file? please suggest.

Yes, that will be the packet(s) in detail.work file.

Ivan Kalik
Kalik Informatika ISP



Out and into tunnel log files

2009-08-31 Thread Sergio Belkin
Hi,

I have configured three virtual servers: default, inner (uses
eap-ttls), inner-peap (uses eap-peap). I guess that out of tunnel
attempts go to default server log files.

cron performs a daily task that does more or less something like this:

grep OK /var/log/radius/radiusd-*-$date.log | awk '{print $10}' | sort -fu | wc -l

That way I get how many users could get an Access-Accept. Well, I've
found that that is not right, because some supplicants can send
different identities inside and outside of the tunnel. So I'd like to use:

grep OK /var/log/radius/radiusd-inner*-$date.log | awk '{print $10}' | sort -fu | wc -l

But I've found that some OKs are sent to the default server log file. So
I can't get the right statistics. Could you please help me do it? Below is the
debug info:


FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on
Oct 21 2008 at 15:14:37
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-peap
group = radiusd
user = radiusd
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /usr/local/var
logdir = /usr/local/var/log/radius
libdir = /usr/local/lib
radacctdir = /usr/local/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = 

Username from LDAP in proxy request

2009-08-31 Thread Winnicki, Brian (GE, Corporate)

 Hi,
I'm looking for some help with proxying requests using free-radius.  I have
a situation where I need to perform a query to an LDAP that contains both
the back-end authentication server as well as username for a user.  For
example, the User-Name in the originating request may be User1.  FreeRADIUS
then queries LDAP, which contains attributes called authenticationserver and
authenticationuname.  The authenticationserver is where the request should
be proxied to, and the authenticationuname is the User-Name that should be
substituted for the original user-name in the proxy request.  I have the
first part working, where I mapped authenticationservername to
Proxy-To-Realm in the ldapmap file.  I also set up all the possible values as
realms.  The server is now forwarding requests based on what it gets back in
the LDAP query.  I'm stuck however at trying to substitute the User-Name
from what is retrieved from LDAP.
Anybody know any way to do this?



Re: Username from LDAP in proxy request

2009-08-31 Thread Ivan Kalik
 I'm looking for some help with proxying requests using free-radius.  I have
 a situation where I need to perform a query to an LDAP that contains both
 the back-end authentication server as well as username for a user.  For
 example, the User-Name in the originating request may be User1.  FreeRADIUS
 then queries LDAP, which contains attributes called authenticationserver and
 authenticationuname.  The authenticationserver is where the request should
 be proxied to, and the authenticationuname is the User-Name that should be
 substituted for the original user-name in the proxy request.  I have the
 first part working, where I mapped authenticationservername to
 Proxy-To-Realm in the ldapmap file.  I also set up all the possible values as
 realms.  The server is now forwarding requests based on what it gets back in
 the LDAP query.  I'm stuck however at trying to substitute the User-Name
 from what is retrieved from LDAP.
 Anybody know any way to do this?

Create a new attribute New-User-Name in raddb/dictionary. Map it to
authenticationuname in ldap.attrmap. Use unlang to replace User-Name with
it in pre-proxy section.

Ivan Kalik
Kalik Informatika ISP



Simple Accounting 'radrelay' functionality - Version 2.1.6

2009-08-31 Thread Craig Campbell
radiusd:  Opening IP addresses and Ports 
listen {
   type = auth
   ipaddr = *
   port = 0
}
listen {
   type = acct
   ipaddr = *
   port = 0
}
listen {
   type = control
listen {
   socket = /var/run/radiusd/radiusd.sock
}
}
listen {
   type = detail
 listen {
   filename =
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
   load_factor = 10
   poll_interval = 1
   retry_interval = 30
 }
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on detail file
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d as server
copy-acct-to-home-server
Listening on proxy address * port 1814
Waking up in 0.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.1.101 port 50125,
id=70, length=245
   Acct-Status-Type = Start
   User-Name = nathan...@comfort
   Event-Timestamp = Aug 31 2009 13:40:56 AST
   Acct-Delay-Time = 20
   NAS-Identifier = ERX-2
   Acct-Session-Id = 0314462397
   NAS-IP-Address = 192.168.1.101
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = None
   ERX-Pppoe-Description = pppoe 00:90:d0:63:df:79
   Framed-IP-Address = 201.229.46.219
   Framed-IP-Netmask = 255.255.255.255
   ERX-Ingress-Policy-Name = COMFORT_UP
   ERX-Egress-Policy-Name = COMFORT_DOWN
   Calling-Station-Id = ERX-0800269
   NAS-Port-Type = Ethernet
   NAS-Port = 2147483917
   NAS-Port-Id = GigabitEthernet 8/0.269:269
   Acct-Authentic = RADIUS
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 2147483917,Client-IP-Address =
192.168.1.101,NAS-IP-Address = 192.168.1.101,Acct-Session-Id =
0314462397,User-Name = nathan...@comfort'
[acct_unique] Acct-Unique-Session-ID = 526c378c1dcaa12d.
++[acct_unique] returns ok
[sanenasport]   expand: ^.* - ^.*
[sanenasport]   expand: %{Acct-Session-Id} - 0314462397
sanenasport: Changed value for attribute NAS-Port from '?' to '0314462397'
sanenasport: Could not find value pair for attribute NAS-Port
++[sanenasport] returns ok
[hexconvert]expand: ^...@ftth.aw$ - ^...@ftth.aw$
hexconvert: Does not match: User-Name = nathan...@comfort
++[hexconvert] returns ok
[suffix] Looking up realm comfort for User-Name = nathan...@comfort
[suffix] No such realm comfort
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -
/var/log/radius/radacct/192.168.1.101/detail-20090831
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/radius/radacct/192.168.1.101/detail-20090831
[detail]expand: %t - Mon Aug 31 13:41:10 2009
++[detail] returns ok
++[unix] returns ok
[nameonly]  expand: @.*$ - @.*$
nameonly: Changed value for attribute User-Name from 'nathan...@comfort' to
'nathanjoe'
++[nameonly] returns ok
[radutmp]   expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - nathanjoe
++[radutmp] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} - nathanjoe
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 70 to 192.168.1.101 port 50125
Finished request 0.
Cleaning up request 0 ID 70 with timestamp +1
Going to the next request
Waking up in 0.3 seconds.


Re: Simple Accounting 'radrelay' functionality - Version 2.1.6

2009-08-31 Thread Ivan Kalik
 Sending Accounting-Response of id 70 to 192.168.1.101 port 50125
 Finished request 0.
 Cleaning up request 0 ID 70 with timestamp +1
 Going to the next request
 Waking up in 0.3 seconds.

You have cut off the debug at the interesting point. Does it poll the
detail file after these 0.3 seconds? It should.

Ivan Kalik
Kalik Informatika ISP



Re: Simple Accounting 'radrelay' functionality - Version 2.1.6

2009-08-31 Thread Craig Campbell
Here is some more of the log file - I didn't realize what to look for.. (I 
did a string search for proxy below this point - nothing..  same for 
192.168.1.126 and radius-b strings.)


Thanks,
-craig

Listening on proxy address * port 1814
Waking up in 0.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.1.101 port 50125, 
id=180, length=241

   Acct-Status-Type = Start
   User-Name = na...@comfort
   Event-Timestamp = Aug 31 2009 15:33:05 AST
   Acct-Delay-Time = 0
   NAS-Identifier = ERX-2
   Acct-Session-Id = 0314486542
   NAS-IP-Address = 192.168.1.101
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = None
   ERX-Pppoe-Description = pppoe 00:90:d0:63:df:6d
   Framed-IP-Address = 199.2.117.119
   Framed-IP-Netmask = 255.255.255.255
   ERX-Ingress-Policy-Name = COMFORT_UP
   ERX-Egress-Policy-Name = COMFORT_DOWN
   Calling-Station-Id = ERX-0900261
   NAS-Port-Type = Ethernet
   NAS-Port = 2415919365
   NAS-Port-Id = GigabitEthernet 9/0.261:261
   Acct-Authentic = RADIUS
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 2415919365,Client-IP-Address = 
192.168.1.101,NAS-IP-Address = 192.168.1.101,Acct-Session-Id = 
0314486542,User-Name = na...@comfort'

[acct_unique] Acct-Unique-Session-ID = a805b61e88cd3fe2.
++[acct_unique] returns ok
[sanenasport]   expand: ^.* - ^.*
[sanenasport]   expand: %{Acct-Session-Id} - 0314486542
sanenasport: Changed value for attribute NAS-Port from '?' to '0314486542'
sanenasport: Could not find value pair for attribute NAS-Port
++[sanenasport] returns ok
[hexconvert]expand: ^...@ftth.aw$ - ^...@ftth.aw$
hexconvert: Does not match: User-Name = na...@comfort
++[hexconvert] returns ok
[suffix] Looking up realm comfort for User-Name = na...@comfort
[suffix] No such realm comfort
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radius/radacct/192.168.1.101/detail-20090831
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands 
to /var/log/radius/radacct/192.168.1.101/detail-20090831

[detail]expand: %t - Mon Aug 31 15:32:59 2009
++[detail] returns ok
++[unix] returns ok
[nameonly]  expand: @.*$ - @.*$
nameonly: Changed value for attribute User-Name from 'na...@comfort' to 
'nana1'

++[nameonly] returns ok
[radutmp]   expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - nana1
++[radutmp] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} - nana1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 180 to 192.168.1.101 port 50125
Finished request 0.
Cleaning up request 0 ID 180 with timestamp +1
Going to the next request
Waking up in 0.4 seconds.
Polling for detail file 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d

Waking up in 1.1 seconds.
Polling for detail file 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d

Waking up in 0.8 seconds.
Polling for detail file 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d

Waking up in 1.2 seconds.
rad_recv: Accounting-Request packet from host 192.168.1.101 port 50125, 
id=181, length=250

   Acct-Status-Type = Start
   User-Name = jmartine...@comfort
   Event-Timestamp = Aug 31 2009 15:33:07 AST
   Acct-Delay-Time = 0
   NAS-Identifier = ERX-2
   Acct-Session-Id = 0314486551
   NAS-IP-Address = 192.168.1.101
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = None
   ERX-Pppoe-Description = pppoe 00:08:5c:89:2c:20
   Framed-IP-Address = 199.2.118.252
   Framed-IP-Netmask = 255.255.255.255
   ERX-Ingress-Policy-Name = COMFORT_UP
   ERX-Egress-Policy-Name = COMFORT_DOWN
   Calling-Station-Id = ERX-01317600067
   Connect-Info = speed:UBR
   NAS-Port-Type = xDSL
   NAS-Port = 330301507
   NAS-Port-Id = atm 1/3.3300:176.67
   Acct-Authentic = RADIUS
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 330301507,Client-IP-Address = 
192.168.1.101,NAS-IP-Address = 192.168.1.101,Acct-Session-Id = 
0314486551,User-Name = jmartine...@comfort'

[acct_unique] Acct-Unique-Session-ID = 21e39488e0f55f2c.
++[acct_unique] returns ok
[sanenasport]   expand: ^.* - ^.*
[sanenasport]   expand: %{Acct-Session-Id} - 0314486551
sanenasport: Changed value for attribute NAS-Port from '?°' to '0314486551'
sanenasport: Could not find value pair for attribute NAS-Port
++[sanenasport] returns ok
[hexconvert]expand: ^...@ftth.aw$ - ^...@ftth.aw$
hexconvert: Does not match: User-Name = jmartine...@comfort
++[hexconvert] returns ok
[suffix] Looking up realm comfort for User-Name = jmartine...@comfort
[suffix

Re: Setting FreeRadius + WPA - Enterprises (PEAP) CA Cert?

2009-08-31 Thread Steven Sprague
Hello Experts, 

Now that I have my 1st test user working with clear text passwords I am ready
to set up WPA - Enterprise (PEAP). I noticed my client (RedHat RHEL Workstation)
will need a CA.Cert in the connection settings. Can I simply copy the FR ca.pem
file to my client for this or not? Or do I need to create my own?

If I need to create my own CA, is there a guide for doing this for Free Radius?
I have read all the docs and cannot find a clear approach.

Thanks, 

Steven






Re: FR 2.1.0 (ubuntu) proxying to NPS/IAS.

2009-08-31 Thread Alan Buxey
Hi,
 Hi,
 
 I try to use FR to forward access-requests to NPS servers, but for some
 reason FR/NPS gives a "User password is incorrect" message. I have triple
 checked that the password is correct. When I test IAS to NPS proxy it works. I
 have enabled the MS-CHAP-v2, MS-CHAP, CHAP and PAP/SPAP methods on the NPS side.

this is usually symptomatic of an incorrect shared secret being entered at
one end of the RADIUS link

alan


Re: Setting FreeRadius + WPA - Enterprises (PEAP) CA Cert?

2009-08-31 Thread Ivan Kalik
 Now that I have my 1st test user working with clear text passwords I am ready
 to set up WPA - Enterprise (PEAP). I noticed my client (RedHat RHEL Workstation)
 will need a CA.Cert in the connection settings. Can I simply copy the FR ca.pem
 file to my client for this or not?

Yes.

 If I need to create my own CA, is there a guide for doing this for Free Radius?
 I have read all the docs and cannot find a clear approach.

raddb/certs/README.

Ivan Kalik
Kalik Informatika ISP



process auth request from any AP

2009-08-31 Thread William Rettig
Is there a way to configure FreeRADIUS to accept authentication requests
from any AP.  In other words, I don't want to have to pre-configure
access points in the client.conf.

Thank you,

Bill




Re: process auth request from any AP

2009-08-31 Thread Ivan Kalik
 Is there a way to configure FreeRADIUS to accept authentication requests
 from any AP.  In other words, I don't want to have to pre-configure
 access points in the client.conf.

No. You have to configure shared secret for radius to work. ipaddr accepts
subnets as well.

Ivan Kalik
Kalik Informatika ISP



RE: process auth request from any AP

2009-08-31 Thread Gary Gatten
Yep - I think you'd need at least a couple lines in Clients.conf, but
you don't have to configure a separate block for EVERY AP.

-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: Monday, August 31, 2009 4:57 PM
To: FreeRadius users mailing list
Subject: Re: process auth request from any AP

 Is there a way to configure FreeRADIUS to accept authentication requests
 from any AP.  In other words, I don't want to have to pre-configure
 access points in the client.conf.

No. You have to configure shared secret for radius to work. ipaddr accepts
subnets as well.

Ivan Kalik
Kalik Informatika ISP



sqlippool - Duplicate IP

2009-08-31 Thread Neville
Hi,

I'm facing a problem since a rebuild, where every user is being allocated the
same IP from the sqlippool, and I'm not sure why this is happening.

I have a DaloRadius / FreeRadius2.1.6 / Poptop (pptpd) 1.3.4 / ppp 2.4.4.-2 / 
mysql 5.0.45

pppd does not pass back Client-IP-Address or Client-Station-Id

table structure for radipool is

( `id` int(11) unsigned NOT NULL auto_increment,
`pool_name` varchar(30) NOT NULL, 
`framedipaddress` varchar(15) NOT NULL default '',
`nasipaddress` varchar(15) NOT NULL default '', 
`calledstationid` varchar(30) NOT NULL,
`callingstationid` varchar(30) NOT NULL,
`expiry_time` datetime default NULL,
`username` varchar(64) NOT NULL default '',
`pool_key` varchar(30) NOT NULL, PRIMARY KEY (`id`) )

1st Login

Ready to process requests.
rad_recv: Access-Request packet from host NASIPHERE port 53621, id=117, 
length=147
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = TESTUSER
MS-CHAP-Challenge = 0xe325bfbeb22fbbb7a33a21326e5ce18a
MS-CHAP2-Response = 
0x51009da7f84750dd0f01bed231e11bab1f9a2b9f4dad6844332eaec4aabcc1d8f03911ff654b6a7a8e96
NAS-Identifier = NASIPHERE
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - 
/var/log/radius/radacct/NASIPHERE/auth-detail-20090831
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/NASIPHERE/auth-detail-20090831
[auth_log]  expand: %t - Mon Aug 31 22:47:05 2009
++[auth_log] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[sql]   expand: %{User-Name} - TESTUSER
[sql] sql_set_user escaped user -- 'TESTUSER'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id - 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = 'TESTUSER'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id - 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = 'TESTUSER'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT groupname   
FROM radusergroup   WHERE username = 'TESTUSER'   ORDER 
BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op   
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id - SELECT id, groupname, attribute,   Value, op   FROM 
radgroupcheck   WHERE groupname = 'USUKTV'   ORDER BY id
[sql] User found in group USUKTV
[sql]   expand: SELECT id, groupname, attribute,   value, op   
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id - SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = 'USUKTV'   ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for TESTUSER with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
+- entering group session {...}
++[sql] returns noop
Login OK: [TESTUSER/via Auth-Type = mschap] (from client VPN1-UK port 0)
+- entering group post-auth {...}
rlm_sql (sql): Reserving sql socket id: 2
[sqlippool] expand: %{User-Name} - TESTUSER
[sqlippool] sql_set_user escaped user -- 'TESTUSER'
[sqlippool] expand: START TRANSACTION - START TRANSACTION
[sqlippool] expand: UPDATE radippool   SET nasipaddress = '', pool_key = 0, 
  callingstationid = '', username = '',   expiry_time = NULL   WHERE 
expiry_time = NOW() - INTERVAL 1 SECOND   AND nasipaddress = 
'%{Nas-IP-Address}' - UPDATE radippool   SET nasipaddress = '', pool_key = 0,  
 callingstationid = '', username = '',   expiry_time = NULL   WHERE expiry_time 
= NOW() - INTERVAL 1 SECOND   AND nasipaddress = 'NASIPHERE'
[sqlippool] expand: SELECT framedipaddress FROM radippool  WHERE pool_name 
= '%{control:Pool-Name}' AND (expiry_time  NOW() OR expiry_time IS NULL)  
ORDER BY (username  '%{User-Name}'),  (callingstationid  
'%{Calling-Station-Id}'),  expiry_time  LIMIT 1  FOR UPDATE - SELECT 
framedipaddress FROM radippool  WHERE pool_name = 'tvpool' AND (expiry_time  
NOW() OR expiry_time IS NULL)  ORDER BY (username  'TESTUSER'),  
(callingstationid  ''),  expiry_time  LIMIT 1  FOR UPDATE
[sqlippool] expand: UPDATE radippool  SET nasipaddress = 
'%{NAS-IP

Re: Setting FreeRadius + WPA - Enterprises (PEAP) Test Results

2009-08-31 Thread Steven Sprague
Ivan, 

I copied over the server's ca.pem to my workstation for use in this test.
My first try gave me client errors, so I fixed those by creating a network
- copied this from the example.

client 192.168.0.0/24 {
require_message_authenticator = no
secret = testing123
shortname = private-network-1
 }

After restarting Free Radius, here are the results from my terminal
- sorry this is long. Can you give me any hints on what went wrong here?

-
[r...@ns1 ~]# radiusd -X
FreeRADIUS Version 2.1.6, for host i386-redhat-linux-gnu, built on Jun 2 2009 at 17:33:54
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 

Re: FR 2.1.0 (ubuntu) proxying to NPS/IAS.

2009-08-31 Thread Ville Leinonen
Hi,

I just compiled 2.1.6 from source and it started to work.
Thanks to everyone who tried to help me.

Br,

Ville

 Hi,
 Hi,

 I try to use FR to forward Access-Requests to NPS servers, but for some
 reason FR/NPS gives a "User password is incorrect" message. I have triple
 checked that the password is correct. When I test IAS to NPS proxy it works. I
 have enabled on the NPS side the MS-CHAP-v2, MS-CHAP, CHAP and PAP/SPAP methods.

 this is usually symptomatic of an incorrect shared secret being entered at
 one end of the RADIUS link

 alan


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


NAS with freeradius and telephone number

2009-08-31 Thread Magui
Excuse me, does somebody know if FreeRADIUS can see in some way the telephone number 
that a remote user is using in order to call me with his modem? My line (pair 
of copper) gives me this information through a single telephone, so can a NAS 
with FreeRADIUS give me the same information?
If the answer is yes, how can I see that information? I need to use this to 
make an authentication process. Any guidance will be welcome.

thank you for any help.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Radius Server Authenticate the user but Windows XP generate a error 691

2009-08-31 Thread amritap sinha
 Dear freeradius-users,
  I have implemented a Free Radius Server on
SUSE 9.3 Prof, using a MySQL database, with a Perle JETSTREAM 4000 RAS
device. My problem is that when I try to connect a user through a modem
on a Windows XP client machine, error 691 occurs, but the RADIUS log
authenticates the user.
 The Radius Server Log:

  Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = yes
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: bind_address = 192.168.1.78 IP address [192.168.1.78]
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = yes
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = yes
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port = 
 sql: login = root
 sql: password = root
 sql: radius_db = radius
 sql: acct_table = radacct
 sql: acct_table2 = radacct
 sql: authcheck_table = radcheck
 sql: authreply_table = radreply
 sql: groupcheck_table = radgroupcheck
 sql: groupreply_table = radgroupreply
 sql: usergroup_table = usergroup
 sql: nas_table = nas
 sql: dict_table = dictionary
 sql: sqltrace = no
 sql: sqltracefile = /var/log/radius/sqltrace.sql
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: default_user_profile = 
 sql: query_on_not_found = no
 sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op
FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op
FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_group_check_query = SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username =
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id
 sql: authorize_group_reply_query = SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username =
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id
 sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S',
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),