Re: over 30 radiusd processes
Craig Campbell wrote:
> Up to 65 processes now
> Any ideas how to stop this from happening?

Which version are you running?

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: returning an arbitrary attribute from LDAP
Sam Hooker wrote:
> I'm trying to ascertain how to have radiusd return an arbitrary attribute with each successful authentication. My radiusds are doing PEAP/MS-CHAPv2 against Kerberos for authn, and it seems like activating rlm_ldap for authz will cause Auth-Type = LDAP to enter my world, which I'm betting will break things. Also, I'm fuzzy as to where I'd do this sort of thing anyway; it seems that post-auth would be the place to start, but I am uncertain. Any guidance you could offer (including pointers to existing mailing list threads or other docs) would be much appreciated.

See raddb/ldap.attrmap

Alan DeKok.
Using another passwd file
Hello Freeradius users,

I have a challenge about using a passwd file in freeradius.

I'm running Debian 4.0, Kernel 2.6.18-5-486. I have installed FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu.

I have activated the following in the radiusd.conf file:

passwd = /etc/passwd
shadow = /etc/shadow

This works great :)

But since all my users are registered on a HP-UX server that is running in an untrusted environment, meaning that username and password are stored in the /etc/passwd file, I'm copying the passwd from the HP-UX server to my Debian 4.0 server. So now I'm changing the radiusd.conf file to the following:

passwd = /etc/freeradius/passwd
#shadow = /etc/shadow

Now I'm NOT able to authenticate on my radius server. The passwd file from HP-UX looks like this:

pse:VE74Bof8KAnxo:131:20::/home/pse:/sbin/sh

I even tried to work with the passwd module but without much luck. Can anyone help me here or give me a tip about how to make it work?

Best regards
Jan Madsen
Re: perl_rlm and differences FR 1 and 2
David Jones wrote:
> Thanks to some handy hints in here, I've had some success with rlm_perl. But (and there is always a but) I've been happily developing against 2.x but have just discovered I need to actually use 1.x because of RHEL.

You can install version 2.x on RHEL.

> The rlm_perl link of both version 1 and version 2 points to the same documentation page, so I made the assumption that although there's much different under the covers of FR, by the time you get to perl it's all hidden, and I could just take a perl script that works on V2 and run it on V1. But it doesn't. There seems to be different handling of the module return values, and of $RAD_CHECK{'Response-Packet-Type'} = Access-Challenge. FR V1 seems quite unkeen to send out responses.
>
> So, and finally the question: are there supposed to be differences in behaviour for rlm_perl between V1 and V2?

Lots. There are a huge number of changes between v1 and v2. We suggest using v2 for almost everything.

Alan DeKok.
Re: acct_postgresql+auth_ldap
10/09/2009 04:05 PM, José Johnny RANDRIAMAMPIONONA:
> Thank u guys!

Please keep us in touch. And if you kept some history of what you've done, I am interested in it.

-- 
IT Architect at Blueline/Gulfsat: System Administration, Research & Development
+261 34 29 155 34
Improving Auth-Rate..
hi,

If I want to improve the auth-rate, which part of the code should I focus on?
Re: NAS ? What is the best option
> I know that this list is not connected with any hardware vendor but I see that every couple of days someone cries here about NAS problems... I use Mikrotik and I'm not satisfied (duplicated packets, does not support POD correctly, etc.) Also, yesterday I saw that Cisco can be a pain in the a*** too :) So, dear friends... What is the best solution for an ISP (PPPoE)?

There is no problem with using Cisco for PPPoE termination. That chap doesn't know the difference between a duplicated packet (packet re-sent with the same id) and a conflicting packet (packet with the same port/user etc. but a different id). With default settings Cisco will send duplicated packets every 2 seconds (if there is no reply from the radius server); after 30 seconds it will discard the original request and try to mark the radius server as dead (and fail over to the secondary radius server). If there have been responses from the radius server to other requests it won't mark it as dead (or fail over - it can be debated whether that is the correct pathway; perhaps the second request should go to the secondary server anyway; freeradius now implements this when working in proxy mode) but send the new request (with the same user/port etc.). In response to receiving this conflicting packet (user/port etc. matches but not the id) freeradius will discard the original packet, correctly assuming that the NAS has abandoned it. For some reason the user in the thread you have mentioned can't comprehend that this is the correct action. He would continue processing original requests which would then get discarded by the NAS. With default settings that would extend processing time some 30 times in his example (perl processing that takes 1 second per request).

So, Cisco and freeradius work fine there. The problem is his perl script. I assume he is using it to connect to the database and get data from there. Connecting to the database is very expensive. If he would offload data gathering to the sql module and use perl just for calculation, chances are that request processing would take 100 times less time and his problems would vanish. But he is adamant that Cisco is broken (sending new requests every few seconds, not the 30 seconds or 2 minutes that are the defaults known to me; the defaults for repeating the same request are 2 and 5 seconds on various devices).

All in all, don't worry about using Cisco and freeradius for broadband aggregation. They work fine together. Just don't trust Cisco claims about the numbers a device can handle. Divide it by 10. If the brochure says a device can handle 10,000 connections it will handle about 1,000 in a realistic case.

Ivan Kalik
Kalik Informatika ISP
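Ivan's post turns on the difference between a NAS retransmission and a fresh request that supersedes one the NAS has abandoned. The following is an added example, not FreeRADIUS code or anything posted in the thread: a small Python model of a server's in-flight request table that applies the RFC 2865 rule (a retransmission repeats the Identifier and Request Authenticator; a new request from the same NAS source port carries a fresh Authenticator), with constructed addresses and packets.

```python
from dataclasses import dataclass

# Added example, not FreeRADIUS code: a small model of the table of in-flight
# requests a RADIUS server keeps, applying the RFC 2865 rule for telling a NAS
# retransmission from a new request. A retransmitted Access-Request repeats
# both its Identifier and its Request Authenticator; a new request sent from
# the same NAS source port that reuses the Identifier carries a fresh
# Request Authenticator, which tells the server the old request is abandoned.


@dataclass(frozen=True)
class AccessRequest:
    client: str             # NAS IP address
    src_port: int           # UDP source port the NAS sent from
    identifier: int         # RADIUS Identifier field (0..255)
    authenticator: bytes    # 16-byte Request Authenticator
    user_name: str          # User-Name attribute
    nas_port: int           # NAS-Port attribute


class RequestTable:
    """Classifies each arriving Access-Request as new, duplicate or conflicting."""

    def __init__(self):
        # (client, src_port, identifier) -> request currently being processed
        self._inflight = {}
        # conflicting packets seen per client; a climbing count means the NAS
        # keeps giving up before the server (or its slow backend) can answer
        self.conflicts = {}

    def receive(self, pkt):
        key = (pkt.client, pkt.src_port, pkt.identifier)
        prev = self._inflight.get(key)
        if prev is None:
            self._inflight[key] = pkt
            return "new"
        if prev.authenticator == pkt.authenticator:
            # Same Identifier and Authenticator: a retransmission because no
            # reply has arrived yet. Keep processing the original and drop
            # the copy instead of starting the backend work a second time.
            return "duplicate"
        # Same Identifier, different Authenticator: the NAS reused the slot for
        # a new request, so it has abandoned the old one. Finishing the old
        # request would only produce a reply the NAS no longer expects.
        self._inflight[key] = pkt
        self.conflicts[pkt.client] = self.conflicts.get(pkt.client, 0) + 1
        return "conflicting"

    def reply_sent(self, pkt):
        """Forget a request once its Accept, Reject or Challenge has gone out."""
        self._inflight.pop((pkt.client, pkt.src_port, pkt.identifier), None)

    def inflight(self):
        return len(self._inflight)


def constructed_exchange():
    """Constructed packet sequence mirroring the thread (addresses invented):
    a request, two retransmits while the backend is slow, a fresh request for
    the same session after the NAS gave up on the original, then an unrelated
    request. Returns the classification of each packet and the table."""
    first = AccessRequest("192.0.2.10", 1645, 98, bytes.fromhex("00" * 15 + "01"), "alice", 7)
    fresh = AccessRequest("192.0.2.10", 1645, 98, bytes.fromhex("00" * 15 + "02"), "alice", 7)
    other = AccessRequest("192.0.2.10", 1645, 99, bytes.fromhex("00" * 15 + "03"), "bob", 8)
    table = RequestTable()
    # a retransmission is byte-for-byte the same packet, so `first` is reused
    labels = [table.receive(p) for p in (first, first, first, fresh, other)]
    return labels, table


if __name__ == "__main__":
    labels, table = constructed_exchange()
    print(labels)                              # ['new', 'duplicate', 'duplicate', 'conflicting', 'new']
    print(table.inflight(), table.conflicts)   # 2 {'192.0.2.10': 1}
```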
Re: Improving Auth-Rate..
kachin Agarwal wrote:
> hi, If I want to improve the auth-rate, which part of the code should I focus on?

Improving it from... what? Why do you want to improve it?

"Hi, I want to fix the server so it's better. How do I do that?"

That question is nearly content-free.

Alan DeKok.
Re: Improving Auth-Rate
Hi,

I'm trying to improve the auth rate. The auth-rate I'm getting now is 3, i.e. the number of mobile units that can authenticate per minute is 3. So how can I increase it to 5 or something? Which part of the code should I focus on?

Thanx
Re: Improving Auth-Rate
On Tuesday, 13 October 2009 12:18:24, kachin Agarwal wrote:
> Hi, I'm trying to improve the auth rate. The auth-rate I'm getting now is 3, i.e. the number of mobile units that can authenticate per minute is 3. So how can I increase it to 5 or something? Which part of the code should I focus on? Thanx

Hi,

somehow your setup is messed up. I have several 100 auths/sec on quite standard hardware.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
Re: Improving Auth-Rate
> I'm trying to improve the auth rate. The auth-rate I'm getting now is 3, i.e. the number of mobile units that can authenticate per minute is 3. So how can I increase it to 5 or something? Which part of the code should I focus on?

What modules are you using? Chances are that the problem comes from an outside database (sql, ldap). Post a debug with timestamps (radiusd -Xx) that will show where the delay is.

Ivan Kalik
Kalik Informatika ISP
Active Directory/freeradius/enterasys - combination
Hello,

I know there was a thread with the same subject 3 years ago, but in addition we need mac-authentication (printers, ...) too. The Mac-auth is ok:

Ready to process requests.
rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=98, length=158
	User-Name = 00-13-20-73-D0-45
	Service-Type = Framed-User
	Called-Station-Id = 00-1F-45-19-9C-68
	Calling-Station-Id = 00-13-20-73-D0-45
	NAS-Identifier = D2_Zi31_Tom
	NAS-IP-Address = 172.16.255.101
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = ge.1.1
	User-Password = hdpasswd
	Message-Authenticator = 0xc2baf30d011d595efa42357331abcc6c
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log] expand: %t -> Tue Oct 13 11:59:35 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 00-13-20-73-D0-45, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = 00-13-20-73-D0-45, looking up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 213
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password hdpasswd
[pap] Using clear text password hdpasswd
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [00-13-20-73-D0-45/hdpasswd] (from client 172.16.255.101 port 1 cli 00-13-20-73-D0-45)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 98 to 172.16.255.101 port 49169
	Framed-Filter-Id = Enterasys:version=1:policy=Mitarbeiter
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 98 with timestamp +31
Ready to process requests.

Now I need a username/password auth against AD. Ntlm-auth works very well. If I activate ldap in /etc/raddb/modules:

rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=191, length=167
	User-Name = DNT1\\testtom
	Service-Type = Framed-User
	Called-Station-Id = 00-1F-45-19-9C-68
	Calling-Station-Id = 00-13-20-73-D0-45
	NAS-Identifier = D2_Zi31_Tom
	NAS-IP-Address = 172.16.255.101
	NAS-Port = 1
	NAS-Port-Id = ge.1.1
	Framed-MTU = 1500
	NAS-Port-Type = Ethernet
	State = 0x113208ad123411cced08469153aa8038
	EAP-Message = 0x020600061900
	Message-Authenticator = 0x27fe716e0b83c7d08f295275043550f4
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log] expand: %t -> Tue Oct 13 13:16:13 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = DNT1\testtom, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm DNT1 for User-Name = DNT1\testtom
[ntdomain] Found realm DNT1
[ntdomain] Adding Stripped-User-Name = testtom
[ntdomain] Adding Realm = DNT1
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 191 to 172.16.255.101 port 49169
	EAP-Message = 0x010700b519003082a52b18d9963104cec8ab3f3ddc453b55e1519bcf57d5178ca7fbc81d20727b3d75c92c438dbafd9a5544e5443ad544f16869af57ef84883eebc730362387c9e6357c18fcb15a8e862e2b6c2ea1871b8756414a7ba875ff9416143a5baf78b6a9f7c93dc023f5edd6c8da55e646513482e5a39f9ccb7c480d68b7e965247b4accf8c1fa07b0836880301de9e7058a5b891fd8f9e8443517e0eb83847723441ae98c447e7416030100040e00
	Message-Authenticator = 0x
	State = 0x113208ad153511cced08469153aa8038
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 187 with timestamp +63
Cleaning up request 2 ID 188
Re: over 30 radiusd processes
Freeradius 2.1.6 running on Redhat AS5 Update 3 with mysql-devel rpms added to enable mysql support. Compiled with no options specified. (./configure ; make clean ; make ; make install)

Thanks,
-craig

- Original Message -
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, October 13, 2009 1:55 AM
Subject: Re: over 30 radiusd processes
dynamic crl fetching
Hello,

is there, or will there be, a feature called dynamic CRL fetching in FreeRADIUS 2.x? Strongswan, for example, is able to fetch current CRLs via http and ldap. In the wiki I could only find information about defining locally stored pem files.

regards,
Simon
Authenticating access via caller-id or username/password
Good Day,

I've an interesting question. I currently authenticate users via caller-id for a static ip delivery system. I have had to change the sql_user_name to the calling-station-id attribute so that I can match the entries to so-called usernames in the MYSQL database. This is working and works well, as the username for authentication ends up being the caller id.

I now have to authenticate users based on username and password in one instance and solely calling-station-id in another.

The config I use in the files to authenticate a user on caller id is as follows:

DEFAULT Calling-Station-ID == 1234567890, Auth-Type := Accept
        Framed-IP-Address = 155.22.0.21

DEFAULT Calling-Station-ID == 2234567890, Auth-Type := Accept
        Framed-IP-Address = 155.22.0.22

DEFAULT Calling-Station-ID == 3234567890, Auth-Type := Accept
        Framed-IP-Address = 155.22.0.23

DEFAULT Calling-Station-ID == 4234567890, Auth-Type := Accept
        Framed-IP-Address = 155.22.0.24

The DEFAULT section has the framing types etc. set.

How would I now do this in the MYSQL database, as there is no way of tying the username to anything?

Regards
John
RE: NAS ? What is the best option
Hi,

I am using MikroTik and I am very satisfied. However, it is not an easy device to configure and understand all its different configurations.

I do not understand why you have to use POD packets. If you do the configuration correctly and you have what you want to offer your users, I think you needn't it. Think twice what you want to offer!

The best devices are Cisco ones, but you have to prepare a good quantity of money. Not the 200-300€ which a MikroTik costs.

Sincerely,
Santiago

> Date: Tue, 13 Oct 2009 01:29:40 +0200
> From: mangi...@gmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: NAS ? What is the best option
Re: acct_postgresql+auth_ldap
understood

2009/10/13 Rakotomandimby Mihamina miham...@gulfsat.mg:
> Please keep us in touch. And if you kept some history of what you've done, I am interested in it.

-- 
JJohnny RANDRIAMAMPIONONA
Phone: +212663682554, +212533158575
National School of Applied Sciences
ZIP 1818 TANGIER 9 - Morocco
Re: errors There are no DB handles to use and Discarding conflicting packet from client
Hi,

I still have the problems. I changed some variables, but the problem continues.

2009/10/9 Marinko Tarlac mangi...@gmail.com:
> This is not a database list, but here is what you can do:
> - install sysbench and do some tests with your current settings
> - tunning-primer.sh (http://www.day32.com/MySQL/tuning-primer.sh),
> - mytop,
> - mysqlreport (http://hackmysql.com/mysqlreport) and
> - mysqltuner.pl (http://wiki.mysqltuner.com/MySQLTuner)
>
> The tools I mentioned above will help you to track down the bottleneck you have with your database. Of course, you have a task to find the problem and tell us about it :)
>
> Best regards
>
> Ivan Kalik wrote:
>>> ok.. but what I need to do on my DB?
>>
>> Is your database server/process running? Is the database IP/port/user/password correct in sql.conf? Is the correct type of database selected? Is your database configured to receive queries from the radius server (ie. not localhost) if they are not on the same machine? Have you created the radius database? Does the user configured in radius have permissions to run queries on the radius database? Is there a firewall stopping traffic? Do you see radius handles connected to the database server when you start the radius server?
>>
>> Should I go on?
>>
>> Ivan Kalik
>> Kalik Informatika ISP

-- 
Regards,
Alisson F. Gonçalves
Information Systems - UFGD
Re: Authenticating access via caller-id or username/password
> I now have to authenticate users based on username and password in one instance

That's easy, but ...

> and solely calling-station-id in another.

... what does that mean? Each user can call from a specific callerID? Each user can call from a specific list of callerIDs? Every user can call from a list of (all) known callerIDs? The solution will depend on the policy.

Ivan Kalik
Kalik Informatika ISP
Re: perl_rlm and differences FR 1 and 2
On 10/13/2009 01:57 AM, Alan DeKok wrote:
> David Jones wrote:
>> Thanks to some handy hints in here, I've had some success with rlm_perl. But (and there is always a but) I've been happily developing against 2.x but have just discovered I need to actually use 1.x because of RHEL.
>
> You can install version 2.x on RHEL.

http://wiki.freeradius.org/Red_Hat_FAQ

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Active Directory/freeradius/enterasys - combination
> Now I need a username/password auth against AD. Ntlm-auth works very well. If I activate ldap in /etc/raddb/modules:
> The server doesn't do ldap. What is my mistake? First the server should do an ntlm-auth and then check an ldap-group in AD.

How does that ldap-group check look and where is it? BTW, I don't see ntlm-auth in that debug either.

Ivan Kalik
Kalik Informatika ISP
RE: Improving Auth-Rate
Hi,

When you have a 100 auths/sec rate, what protocol are you using?

Thanks,
Gina

-----Original Message-----
From: freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org On Behalf Of Michael Schwartzkopff
Sent: Tuesday, October 13, 2009 5:25 AM
To: FreeRadius users mailing list
Subject: Re: Improving Auth-Rate

> On Tuesday, 13 October 2009 12:18:24, kachin Agarwal wrote:
>> Hi, I'm trying to improve the auth rate. The auth-rate I'm getting now is 3, i.e. the number of mobile units that can authenticate per minute is 3. So how can I increase it to 5 or something? Which part of the code should I focus on? Thanx
>
> Hi,
>
> somehow your setup is messed up. I have several 100 auths/sec on quite standard hardware.
>
> -- 
> Dr. Michael Schwartzkopff
> MultiNET Services GmbH
xsupplicant - freeradius EAP-TTLS PAP Access-Reject
Hi All,

The supplicant tries authentication with EAP-TTLS; the TLS tunnel is established properly but Radius sends an Access-Reject. Following are the xsupplicant.conf, eap.conf and radius output. radiusd.conf is not changed. It would be great if anyone could help in solving this issue or identify it.

Thanks,
Nagendra.

freeradius version: FreeRADIUS Version 1.0.1
xsupplicant version: 1.2.8

Following is my xsupplicant configuration:

eap-ttls {
    root_cert = /etc/raddb/certs/ca.pem
    phase2_type = pap
    pap {
        username = test...@mynet.net
        password = test123
    }
}

Following is my eap.conf configuration with freeradius:

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = nagendra
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        fragment_size = 1024
        include_length = yes
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
}

Following is the output of freeRadius.

rad_recv: Access-Request packet from host 12.12.12.2:52660, id=201, length=300
	User-Name = test...@mynet.net
	NAS-Port = 68
	State = 0x31f6a6d18c0edbbe0a8135be701c9eff
	EAP-Message = 0x020e00801500170301002003c6f62435902b65dc7748b238fc47a7e5af9cfdbfed7ce3763b8a3830ac25a41703010050bd010059a58d0a9db18cb4df099dca43c1cadebca1672d9fb2b08a9131aa32b657e2d497196c130405e11396402abbcc130558325bc9ef888c19692d6ce7e2d736b463e6bfa09de4cacdc2511be08c20
	Message-Authenticator = 0x9b2ba395fe336634039600437f39e5e4
	Acct-Session-Id = 8O2.1x81680002
	NAS-Port-Id = ge-0/0/0.0
	Calling-Station-Id = 00-30-48-8b-7f-ff
	Called-Station-Id = 00-1f-12-3f-89-40
	NAS-Identifier = bng-l24f1-dev
	NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
  rlm_eap: EAP packet type response id 14 length 128
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 5
    users: Matched DEFAULT at 164
    users: Matched test...@mynet.net at 235
  modcall[authorize]: module files returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
	User-Name = test...@mynet.net
	User-Password = test123
	FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
	User-Name = test...@mynet.net
	User-Password = test123
	FreeRADIUS-Proxied-To = 127.0.0.1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 5
    users: Matched DEFAULT at 164
    users: Matched test...@mynet.net at 235
  modcall[authorize]: module files returns ok for request 5
modcall: group authorize returns ok for request 5
  rad_check_password: Found Auth-Type System
auth: type System
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
  rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv:
Re: xsupplicant - freeradius EAP-TTLS PAP Access-Reject
> freeradius version: FreeRADIUS Version 1.0.1

That is seriously outdated. Upgrade.

> Following is the output of freeRadius.
...
>     users: Matched DEFAULT at 164
>     users: Matched test...@mynet.net at 235
>   modcall[authorize]: module files returns ok for request 5
> modcall: group authorize returns ok for request 5
>   rad_check_password: Found Auth-Type System
> auth: type System
...

You are using a much outdated freeradius version that has Auth-Type System enabled by default in the users file. Comment that DEFAULT line out.

Ivan Kalik
Kalik Informatika ISP
raddebug before 2.1.4
hi list!

my simple question is: is there a way to use the powerful/wonderful raddebug script with version 2.1.1? or is the only way to start the server with the -x option?

thanks and regards,
marco

-- 
4IT S.r.l.
Marco Perugini | system administrator
Via Udine 30-36, 00161 Roma
Phone +39 06 97601680  Mobile +39 339.39.81.246  Fax +39 06 97601683
m.perug...@4it.it  www.4it.it
Re: Authenticating access via caller-id or username/password
Hi There,

the authentication will take place based only on the calling station id.

In one scenario the users use usernames and passwords. In the second scenario, a device is authenticated on the calling-station-id as it has no username or password. The device is put into a different part of the network.

I was thinking of this:

sql_user_name = %{User-Name:-%{Calling-Station-Id:-DENY}}

The problem is that the NAS returns VOID as the username if it's left blank. Seeing as I have to tie the username to something useful to make a select statement, I guess I'm looking for a method to put the calling station id into the username field if the username is VOID. Where would the best place for that be and how could it be done? I see some nifty UNLANG examples but none that work on run time substitutions.

Regards
John

On Tue, Oct 13, 2009 at 3:54 PM, Ivan Kalik t...@kalik.net wrote:
> ... what does that mean? Each user can call from a specific callerID? Each user can call from a specific list of callerIDs? Every user can call from a list of (all) known callerIDs? The solution will depend on the policy.
Re: raddebug before 2.1.4
marco perugini wrote:
> hi list!
> my simple question is: is there a way to use the powerful/wonderful raddebug script with version 2.1.1? or is the only way to start the server with the -x option?

It can't be used with 2.1.1. There are other changes inside of the server to work with raddebug.

Alan DeKok.
Re: Odd proxy authentication failures
I don't suppose anyone has any ideas on this issue I posted, do they? If I missed something in the documentation for relaying, etc. it would be greatly appreciated if someone could point it out to me.

Michael Schlies
Freeradius + OpenLdap + WindowsXP(Wifi)
Freeradius 1.1.7, OpenLDAP, Windows XP SP2 (WPA-TKIP / Protected EAP (PEAP))

Any idea? Where can I find the solution? When I try to connect to the freeradius server over wireless via the access point I get this error:

Tue Oct 13 12:00:45 2009 : Debug: Finished request 7
Tue Oct 13 12:00:45 2009 : Debug: Going to the next request
Tue Oct 13 12:00:45 2009 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.155.123:1812, id=77, length=117
        User-Name = kleberl
        NAS-IP-Address = 192.168.155.123
        NAS-Port-Type = Wireless-802.11
        State = 0xcdb24b80885193f00e1673d06eb7859c
        EAP-Message = 0x029600261900170301001b8cfe319046bdc5f99d42805f852d4695a57e722889822c7a01be3f
        Message-Authenticator = 0x9d1262ea1db0eca8f5ecaaee93e7ff1d
Tue Oct 13 12:00:45 2009 : Debug: Processing the authorize section of radiusd.conf
Tue Oct 13 12:00:45 2009 : Debug: modcall: entering group authorize for request 8
Tue Oct 13 12:00:45 2009 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 8
Tue Oct 13 12:00:45 2009 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 8
Tue Oct 13 12:00:45 2009 : Debug: modcall[authorize]: module preprocess returns ok for request 8
Tue Oct 13 12:00:45 2009 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 8
Tue Oct 13 12:00:45 2009 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 8
Tue Oct 13 12:00:45 2009 : Debug: modcall[authorize]: module chap returns noop for request 8
Tue Oct 13 12:00:45 2009 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 8
Tue Oct 13 12:00:45 2009 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 8
Tue Oct 13 12:00:45 2009 : Debug: modcall[authorize]: module mschap returns noop for request 8
Tue Oct 13 12:00:45 2009 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 8
Tue Oct 13 12:00:45 2009 : Debug: rlm_realm: No '@' in User-Name = kleberl, looking up realm NULL
Tue Oct 13 12:00:45 2009 : Debug: rlm_realm: No such realm NULL
Tue Oct 13 12:00:45 2009 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 8
Tue Oct 13 12:00:45 2009 : Debug: modcall[authorize]: module suffix returns noop for request 8
Tue Oct 13 12:00:45 2009 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 8
Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: - authorize
Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: performing user authorization for kleberl
Tue Oct 13 12:00:45 2009 : Debug: radius_xlat: '(uid=kleberl)'
Tue Oct 13 12:00:45 2009 : Debug: radius_xlat: 'ou=People,dc=stars,dc=net'
Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: performing search in ou=People,dc=stars,dc=net, with filter (uid=kleberl)
Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: looking for check items in directory...
Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: looking for reply items in directory...
Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: user kleberl authorized to use remote access
Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Oct 13 12:00:45 2009 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 8
Tue Oct 13 12:00:45 2009 : Debug: modcall[authorize]: module ldap returns ok for request 8
Tue Oct 13 12:00:45 2009 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 8
Tue Oct 13 12:00:45 2009 : Debug: rlm_eap: EAP packet type response id 150 length 38
Tue Oct 13 12:00:45 2009 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Tue Oct 13 12:00:45 2009 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 8
Tue Oct 13 12:00:45 2009 : Debug: modcall[authorize]: module eap returns updated for request 8
Tue Oct 13 12:00:45 2009 : Debug: modcall: leaving group authorize (returns updated) for request 8
Tue Oct 13 12:00:45 2009 : Debug: rad_check_password: Found Auth-Type EAP
Tue Oct 13 12:00:45 2009 : Debug: auth: type EAP
Tue Oct 13 12:00:45 2009 : Debug: Processing the authenticate section of radiusd.conf
Tue Oct 13 12:00:45 2009 : Debug: modcall: entering group authenticate for request 8
Tue Oct 13 12:00:45 2009 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 8
Tue Oct 13 12:00:45 2009 : Debug: rlm_eap: Request found, released from the list
Tue Oct 13 12:00:45 2009 : Debug: rlm_eap: EAP/peap
Tue Oct 13 12:00:45 2009 : Debug: rlm_eap: processing type peap
Tue Oct 13 12:00:45 2009 : Debug: rlm_eap_peap: Authenticate
Tue Oct 13 12:00:45 2009 : Debug: rlm_eap_tls: processing TLS
Tue Oct 13 12:00:45 2009 : Debug: eaptls_verify returned 7
Tue Oct 13 12:00:45 2009 : Debug: rlm_eap_tls: Done initial handshake
Tue Oct 13 12:00:45
RE: Freeradius + OpenLdap + WindowsXP(Wifi)
Any idea? Where can I find the solution? When I try to connect to the freeradius server over wireless via the access point I get this error:

snip

Tue Oct 13 12:00:45 2009 : Debug: rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.

The error you're looking for is earlier than what you posted. Look at the previous round trip in the debug output to see why it failed.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
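The advice in the reply above is to walk back to the previous round trip: the "Had sent TLV failure" line in request 8 is only the symptom, the inner (tunneled) authentication was rejected in the round trip before it. The script below is an added example, not code from the thread or from FreeRADIUS. It splits a debug log into round trips at each "rad_recv:" line, keeps the attributes and any failure markers per round trip, and reports the earliest round trip that carries a cause rather than just the symptom. The sample log is constructed to resemble the 1.1.x format quoted in the thread; request id=76, its State value and its MS-CHAPv2 failure are invented for the illustration, and the timestamp prefix is stripped so the script also works on plain `radiusd -X` output.

```python
"""Group FreeRADIUS debug output into round trips and point at the earliest
one that carries a real failure (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

RAD_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+), id=(\d+)")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")
SENDING = re.compile(r"^Sending (\S+) of id (\d+)")
# "Tue Oct 13 12:00:45 2009 : Debug: " prefix used when logging to a file.
DEBUG_PREFIX = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} : \w+: ")
# Lines that mean "this round trip went wrong".
FAILURE = re.compile(
    r"FAILED|Tunneled authentication was rejected|Had sent TLV failure"
    r"|Login incorrect|Access-Reject"
)
# Markers that only restate an earlier rejection, never the cause itself.
SYMPTOM = re.compile(r"Had sent TLV failure|Access-Reject")


@dataclass
class RoundTrip:
    id: int
    code: str
    nas: str
    attrs: dict = field(default_factory=dict)
    failures: List[str] = field(default_factory=list)
    reply: Optional[str] = None


def parse_debug(text: str) -> List[RoundTrip]:
    trips: List[RoundTrip] = []
    cur: Optional[RoundTrip] = None
    for raw in text.splitlines():
        line = DEBUG_PREFIX.sub("", raw).rstrip()
        m = RAD_RECV.match(line)
        if m:
            cur = RoundTrip(id=int(m.group(3)), code=m.group(1), nas=m.group(2))
            trips.append(cur)
            continue
        if cur is None:
            continue  # noise before the first packet
        m = ATTR.match(raw)
        if m:
            cur.attrs[m.group(1)] = m.group(2).strip('"')
            continue
        m = SENDING.match(line)
        if m and int(m.group(2)) == cur.id:
            cur.reply = m.group(1)
        if FAILURE.search(line):
            cur.failures.append(line.strip())
    return trips


def root_cause(trips: List[RoundTrip]) -> Optional[RoundTrip]:
    """Earliest round trip with any failure marker."""
    return next((t for t in trips if t.failures), None)


def diagnose(text: str) -> str:
    trips = parse_debug(text)
    for t in trips:
        causes = [f for f in t.failures if not SYMPTOM.search(f)]
        if causes:
            return f"request id={t.id} from {t.nas}: {causes[0]}"
    if any(t.failures for t in trips):
        return "only the symptom is in this excerpt; look at the earlier round trips"
    return "no failure markers found"


# Constructed sample: request 76 (inner MS-CHAPv2 rejected) is invented,
# request 77 mirrors the line quoted in the thread.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.155.123:1812, id=76, length=180
\tUser-Name = "kleberl"
\tNAS-Port-Type = Wireless-802.11
\tState = 0x3a7f0c11d2e9b4a6f8c0d1e2f3a4b5c6
Tue Oct 13 12:00:44 2009 : Debug:   rlm_eap_peap: Authenticate
Tue Oct 13 12:00:44 2009 : Debug: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Tue Oct 13 12:00:44 2009 : Debug:   rlm_eap_peap: Tunneled authentication was rejected.
Sending Access-Challenge of id 76 to 192.168.155.123 port 1812
rad_recv: Access-Request packet from host 192.168.155.123:1812, id=77, length=117
\tUser-Name = "kleberl"
\tNAS-Port-Type = Wireless-802.11
\tState = 0xcdb24b80885193f00e1673d06eb7859c
Tue Oct 13 12:00:45 2009 : Debug:   rlm_eap_peap: Had sent TLV failure.  User was rejcted rejected earlier in this session.
Sending Access-Reject of id 77 to 192.168.155.123 port 1812
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

Run it against a real `radiusd -X` capture by reading the file into `diagnose()`; if the capture starts at the round trip that shows the TLV failure, it will tell you the cause is not in the excerpt, which is exactly the situation in the original post.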
wpa/wpa2 on logs
Hi,

Is there a way to log whether a supplicant is using WPA or WPA2?

Thanks in advance!
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
RE: raddebug before 2.1.4
Where can I get a copy of raddebug?

Thanks,
Gina

-----Original Message-----
From: freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org [mailto:freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, October 13, 2009 10:46 AM
To: FreeRadius users mailing list
Subject: Re: raddebug before 2.1.4

marco perugini wrote:
hi list! My simple question is: is there a way to use the powerful/wonderful raddebug script with version 2.1.1? Or is the only way to start the server with the -x option?

It can't be used with 2.1.1. There are other changes inside of the server to work with raddebug.

Alan DeKok.
error on log radius
I get this message:

Info: rlm_sql (sql): received Acct On/Off packet

--
Att.
Alisson F. Gonçalves
Sistemas de Informação - UFGD
Re: raddebug before 2.1.4
ZHANG Gina wrote:
Where to get a copy of raddebug?

It's included in all recent versions of the server.

Alan DeKok.
FreeRadius, Cisco WLC, configuration
Hello all,

I need help with FreeRadius and Cisco's WLC. Has anyone done this deployment before? Please help.

Regards,
Jalil
RE: FreeRadius, Cisco WLC, configuration
Jalil,

Refer to this page, as it will be extremely helpful!

http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml

James Taylor

From: freeradius-users-bounces+jtaylor=fcip@lists.freeradius.org [mailto:freeradius-users-bounces+jtaylor=fcip@lists.freeradius.org] On Behalf Of Aziz, Jalil
Sent: Tuesday, October 13, 2009 2:12 PM
To: FreeRadius users mailing list
Subject: FreeRadius, Cisco WLC, configuration

Hello all,

I need help with FreeRadius and Cisco's WLC. Has anyone done this deployment before? Please help.

Regards,
Jalil
Re: error on log radius
Hi,

i get this message Info: rlm_sql (sql): received Acct On/Off packet

??? Your FR server received an accounting packet and your system is configured to use sql in the accounting section. What's the error?

alan
Re: error on log radius
Thanks for the information. I thought that was an error because I never got this message before. Thank you.

2009/10/13 Alan Buxey a.l.m.bu...@lboro.ac.uk

Hi,

i get this message Info: rlm_sql (sql): received Acct On/Off packet

??? Your FR server received an accounting packet and your system is configured to use sql in the accounting section. What's the error?

alan

--
Att.
Alisson F. Gonçalves
Sistemas de Informação - UFGD
Munin Graphs
Hi,

I've installed the freeradius_auth plugin and added to plugins.conf:

[freeradius*]
user root

But still I get the following error when the plugin is run...

radmin: Failed connecting to /usr/local/var/run/radiusd/radiusd.sock: Permission denied

Any ideas? Running directly as root works fine, just:

[r...@vpn1 munin]# radmin -f /usr/local/var/run/radiusd/radiusd.sock -e stats client auth
requests        273
responses       273
accepts         206
rejects         67
challenges      0
dup             0
invalid         0
malformed       0
bad_signature   0
dropped         0
unknown_types   0

Thx
Nev
Re: Munin Graphs
Hi,

I've installed the freeradius_auth plugin and added to plugins.conf:

[freeradius*]
user root

But still I get the following error when the plugin is run...

radmin: Failed connecting to /usr/local/var/run/radiusd/radiusd.sock: Permission denied

Edit the munin/plugins/freeradius* files and put the correct user into the RADMIN= part. You really should NEVER be using the root user; simply use the user that you run radiusd as (once again, it should never be root). Check the radiusd.sock to see who/what owns it (ls -l /usr/local/var/run/radiusd/radiusd.sock).

alan
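The reply above boils down to a Unix permission check: connecting to an AF_UNIX socket needs write permission on the socket inode (plus search permission on every directory above it), so the user the munin plugin runs as must be the socket's owner, or in its group with g+w, or covered by o+w; running the plugin as root "fixes" it only because root bypasses that check. The script below is an added example, not code from the thread or from FreeRADIUS. It reproduces the owner/group/other decision the kernel makes for a given user and socket and prints an ls -l style audit. The default path is the one from the post; the default user name "munin" is an assumption, and the directory-traversal part of the check is left out.

```python
"""Report whether a given user can connect to the radiusd control socket
(added example, not from the thread). Linux DAC rule for connect(2) on an
AF_UNIX socket: write permission on the socket inode, evaluated for the
owner class, else the group class, else other; root bypasses it."""
import grp
import os
import pwd
import stat
import sys


def socket_access(st: os.stat_result, uid: int, gids) -> bool:
    """Owner class, else group class, else other: no fall-through between classes."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == 0:
        return True  # root bypasses DAC, which is why 'user root' hides the real problem
    if uid == st.st_uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def ids_of(user: str):
    """uid plus primary and supplementary gids of a local account."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def name_or_id(lookup, ident) -> str:
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)


def audit(user: str, path: str) -> dict:
    st = os.stat(path)
    uid, gids = ids_of(user)
    return {
        "path": path,
        "is_socket": stat.S_ISSOCK(st.st_mode),
        "owner": name_or_id(lambda u: pwd.getpwuid(u).pw_name, st.st_uid),
        "group": name_or_id(lambda g: grp.getgrgid(g).gr_name, st.st_gid),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "user": user,
        "can_connect": socket_access(st, uid, gids),
    }


if __name__ == "__main__":
    # usage: socket_audit.py <plugin-user> [/path/to/radiusd.sock]
    user = sys.argv[1] if len(sys.argv) > 1 else "munin"  # assumed plugin user
    path = sys.argv[2] if len(sys.argv) > 2 else "/usr/local/var/run/radiusd/radiusd.sock"
    for key, value in audit(user, path).items():
        print(f"{key:12} {value}")
```

Run it as `socket_audit.py <the user in RADMIN=> /usr/local/var/run/radiusd/radiusd.sock`; if `can_connect` is False, either add that user to the socket's group (with g+w on the socket) or run the plugin as the radiusd user, which is the least-privilege fix the reply recommends. In 2.1.x the socket's owner, group and mode are set by the uid, gid and mode settings of the control-socket listen section, so fix them there rather than chmod-ing the socket after each restart.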
RE: raddebug before 2.1.4
Got it. Thanks!

Gina

-----Original Message-----
From: freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org [mailto:freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, October 13, 2009 3:05 PM
To: FreeRadius users mailing list
Subject: Re: raddebug before 2.1.4

ZHANG Gina wrote:
Where to get a copy of raddebug?

It's included in all recent versions of the server.

Alan DeKok.