RE:
You need additional attributes if you use vendor attributes. Special attributes are related to the NAS you use. The migration from MySQL to PostgreSQL is easy since there is the PostgreSQL DB schema in the installation sources (find some file with sql extension). The use of a DHCP server depends on the service configuration you have. In PPP connections (PPPoE, PPTP, L2TP) the AAA service can assign an IP to the user device.

Date: Mon, 19 Oct 2009 17:08:11 +
From: inacioal...@yahoo.de
Subject: RE:
To: freeradius-users@lists.freeradius.org

Thanks Ivan Kalik,

Now my server is authenticating the users (Linux and Windows).

First. How do I reply so that my email goes in the thread? Do I need to set some attribute?

Second. The next step is to migrate my users to a MySQL or PostgreSQL database. So I need to alter the file sites-available/default to include the line sql and remove the lines unix and files. Is this right? I think that the how-to at http://wiki.freeradius.org/SQL_HOWTO is out of date because I don't find the schema for the table usergroup.

Third. I set

    Framed-IP-Address := 192.168.2.253,
    Framed-IP-Netmask = 255.255.255.0

for my user, but I don't receive this IP on my machine. I disabled the DHCP on my AP and still don't receive this configuration. Do I need to install a DHCP server on my server and close MACxIP to send this configuration to my machine?

No more, thanks again.

Inácio Alves
http://www.polluxweb.com/inacioalves/site

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Windows client MS-chap auto-reauthentication
Doc Phillips wrote:
> I'm trying to prevent rogue devices from connecting to production and
> obviously only allow valid users & devices. The current setup states
> members of domain computers or domain users are allowed to auth against
> the radius server. Do you know if it's possible through freeradius to
> allow these devices AND these users only?

Yes. FreeRADIUS can do machine && user authentication against Active Directory, using Samba.

> We're using eap-peap-mschapv2
> as our current authentication method. Is there a way using
> --require-membership-of to combine users AND groups perhaps through some
> type of regular expression?

I'm not sure what that means.

Alan DeKok.
Re: IP address assignment for the authenticated users in Free radius
Anoop C wrote:
> Hi
> We are running EAP-TLS authentication for office users using WiFi
> network. This is a certificate based authentication and we are using Free
> RADIUS.
> I would like to know whether we can assign IP address dynamically to the
> users through FREE RADIUS server ie RADIUS server works as DHCP server.

For WiFi authentication, you need a DHCP server. Sending IP addresses to the NAS in a RADIUS packet won't work.

> So
> after successful authentication Server should throw an IP address which is
> configured against that particular MAC of the user in the server.

No. You need a DHCP server. You can configure FreeRADIUS to be a DHCP server, but that involves creating a DHCP configuration, not a RADIUS configuration.

Alan DeKok.
Re: Disconnect message in 2.1.7 release
Vijay Badola wrote:
> I have seen the Changelog of release freeradiusd-2.1.7.
> It says there is full support of 'CoA and Disconnect messages'.
> My question is:
>
> (i) Is it possible to send disconnect/COA message
> internally from code?

From C? Yes. The rest of the code does it. From "unlang", yes, too.

> (ii) If yes then how?

See src/main/util.c, request_alloc_coa(). See also the code in evaluate.c, and event.c that deals with it. See also raddb/sites-available/originate-coa. This is in the ChangeLog file.

> (iii) If not then how can I send the disconnect message from
> outside? I have also seen your documents to send disconnect message
> using radclient (externally). But I have doubt how I will get trigger to
> send Disconnect/COA message if I am doing prepaid accounting.

FreeRADIUS can run external programs. Just run radclient.

Alan DeKok.
Disconnect message in 2.1.7 release
Hi,

I have seen the Changelog of release freeradiusd-2.1.7. It says there is full support of 'CoA and Disconnect messages'.

My question is:

(i) Is it possible to send disconnect/CoA messages internally from code?
(ii) If yes, then how?
(iii) If not, then how can I send the disconnect message from outside? I have also seen your documents on sending a disconnect message using radclient (externally), but I have a doubt about how I will get the trigger to send the Disconnect/CoA message if I am doing prepaid accounting.

Regards,
Vijay Badola
+919958995992(M) +911244200704(O)
IP address assignment for the authenticated users in Free radius
Hi

We are running EAP-TLS authentication for office users using a WiFi network. This is a certificate based authentication and we are using Free RADIUS. I would like to know whether we can assign IP addresses dynamically to the users through the FREE RADIUS server, i.e. the RADIUS server works as a DHCP server. So after successful authentication the server should throw an IP address which is configured against that particular MAC of the user in the server.

Regards
Anoop C
Re: Windows client MS-chap auto-reauthentication
Hello,

I tried asking the post with no response but was hoping you could assist in my search. I'm currently running a M$ implementation of radius (IAS) for a small number of users/computers (roughly 300 users and 700 devices, all Microsoft based). I'm trying to prevent rogue devices from connecting to production and obviously only allow valid users & devices. The current setup states members of domain computers or domain users are allowed to auth against the radius server. Do you know if it's possible through freeradius to allow these devices AND these users only? We're using eap-peap-mschapv2 as our current authentication method. Is there a way using --require-membership-of to combine users AND groups, perhaps through some type of regular expression? Is this some type of limitation of peap mschapv2 that's preventing this from happening? As of now the OS of choice is FreeBSD 7.2 running freeradius 2.x. Any insight would be greatly appreciated.

Best regards,
D. Phillips

On Sun, Oct 18, 2009 at 3:07 PM, Vieri wrote:
> Hello,
>
> I'm connecting Windows clients to a LAN via Linksys access points and a
> Freeradius server.
> I'm using EAP/TLS with certificates installed on the clients and in
> modules/mschap I defined:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN
> --require-membership-of=DOMAIN\\WIFI_DATA
> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> So the Windows clients must have a certificate and login with the
> credentials of an Active Directory user member of the WIFI_DATA group.
>
> This setup works fine. However, I'm seeing a major difference between a
> Windows XP pro SP2 client and a Windows Vista:
> if the Vista client (laptop) reboots the OS then access to the LAN via WIFI
> requires the user to re-enter login username and password, as expected.
> If the XP client reboots the OS then user credentials seem to be
> automatically sent to the Radius server again, as if they were stored on the
> system (no user interaction).
>
> Can I change this behavior and require the user to re-send their login data
> each time the Windows session is closed or the OS reboots?
> I realize this is a "client-only" issue and that freeradius can't possibly
> detect the difference between the 2 cases (or can it?) but I am concerned
> that if, for example, the XP laptop is stolen (or unauthoritatively lent)
> then all the "unwanted" user needs to do to access our LAN is boot the OS,
> unless the legitimate user's password has expired. The laptop is for a
> hospital's Emergency department so it's easy to imagine that it cannot be
> under 24-hour surveillance (but usually, the legitimate users switch the
> device off when done working or the laptop automatically turns off after an
> inactivity timeout).
>
> Does anyone know:
> why XP re-authenticates automatically and how to disable it?
> why Vista doesn't behave the same way?
> if installing SP3 on XP removes this feature?
> if something can be done on freeradius to discriminate manual logins from
> auto-logins?
>
> I'm running freeradius 2.0.5 on Linux.
>
> Thank you,
>
> Vieri
RE: Check_item still wraps at 4gb
Hi Marcel,

Are you able to share your workaround, because I have the same problem? Either on-list or by direct email?

Thx
Nev
Re: how to call an external script
> I want freeradius to call an external script and send to it the User-Name it
> gets from the NAS in an access-request radius packet.
>
> So I am using the echo module, I configure as:
>
> #
> # The name of the program to execute, and it's
> # arguments. Dynamic translation is done on this
> # field, so things like the following example will
> # work.
> #
> #program = "/bin/echo %{User-Name}"
> program = "/etc/raddb/.pl %{User-Name}"
> #
> # The attributes which are placed into the
> # environment variables for the program.

Why not use perl module for perl scripts?

> And I add this module into the authorize section after the pap module.
> But it does not call the script.

pap should be listed last - put it before. So what does it do? Post the debug.

> Another thing, if I call the script like the following, then the script is
> executed and takes myusername as an argument. With freeradius it should do
> the same automatically?

Yes. But perl module already makes all request attributes available in $RAD_REQUEST and it should run perl scripts faster than exec module.

Ivan Kalik
Kalik Informatika ISP
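As an added example (not code from this thread or from the FreeRADIUS project), here is a minimal rlm_perl script of the kind Ivan suggests: it reads User-Name straight out of %RAD_REQUEST instead of passing it on a command line. The file name log_username.pl and the perl module instance shown in the comment are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Loaded by rlm_perl through a
# module instance such as (raddb/modules/perl, name assumed):
#     perl { module = ${confdir}/log_username.pl }
# and then listed in the authorize section of sites-available/default
# *before* pap, as Ivan says.
use strict;
use warnings;

# rlm_perl fills these hashes from the request before each call and
# copies %RAD_REPLY / %RAD_CHECK back into the request afterwards.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Module return codes, same values as rlm_perl's example.pl.
use constant RLM_MODULE_REJECT  => 0;   # reject the request
use constant RLM_MODULE_FAIL    => 1;   # module failed, don't reply
use constant RLM_MODULE_OK      => 2;   # continue
use constant RLM_MODULE_HANDLED => 3;   # request handled, stop
use constant RLM_MODULE_INVALID => 4;   # request is invalid
use constant RLM_MODULE_NOOP    => 7;   # nothing done
use constant RLM_MODULE_UPDATED => 8;   # OK, pairs modified

# Called once per Access-Request when "perl" is listed in authorize.
sub authorize {
    my $name = $RAD_REQUEST{'User-Name'};

    if (!defined $name) {
        &radiusd::radlog(1, "log_username: Access-Request without User-Name");
        return RLM_MODULE_NOOP;
    }

    # A User-Name containing control characters is not something any NAS
    # should send; refuse it rather than let it reach a log or a database.
    if ($name =~ /[\x00-\x1f\x7f]/) {
        &radiusd::radlog(1, "log_username: rejecting User-Name with control characters");
        return RLM_MODULE_REJECT;
    }

    my $nas = defined $RAD_REQUEST{'NAS-IP-Address'}
            ? $RAD_REQUEST{'NAS-IP-Address'} : 'unknown NAS';
    &radiusd::radlog(1, "log_username: User-Name=$name from NAS $nas");

    return RLM_MODULE_OK;
}

# rlm_perl looks for these too if the module is listed in other sections;
# leaving them as no-ops keeps the debug output quiet.
sub authenticate { return RLM_MODULE_NOOP; }
sub post_auth    { return RLM_MODULE_NOOP; }
sub detach       { return RLM_MODULE_OK; }
```

Run radiusd -X and the log_username lines appear in the debug output for each Access-Request, which is also the quickest way to confirm the module is actually being called.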
RE:
> How do I reply so that my email goes in the thread? Do I need to set some attribute?

No, just reply to the message with your title.

> The next step is to migrate my users to a MySQL or PostgreSQL database. So I
> need to alter the file sites-available/default to include the line sql and
> remove the lines unix and files. Is this right?

That will do it.

> I think that the how-to at http://wiki.freeradius.org/SQL_HOWTO is
> out of date because I don't find the schema for the table usergroup.

It's called radusergroup now.

> I set the
> Framed-IP-Address := 192.168.2.253,
> Framed-IP-Netmask = 255.255.255.0
> for my user, but I don't receive this IP on my machine. I disabled the DHCP
> on my AP and still don't receive this configuration. Do I need to install a
> DHCP server on my server and close MACxIP to send this configuration to
> my machine?

AP will always ignore Framed-IP-Address you are sending via radius and go to dhcp. That's how wireless works.

Ivan Kalik
Kalik Informatika ISP
RE:
Thanks Ivan Kalik,

Now my server is authenticating the users (Linux and Windows).

First. How do I reply so that my email goes in the thread? Do I need to set some attribute?

Second. The next step is to migrate my users to a MySQL or PostgreSQL database. So I need to alter the file sites-available/default to include the line sql and remove the lines unix and files. Is this right? I think that the how-to at http://wiki.freeradius.org/SQL_HOWTO is out of date because I don't find the schema for the table usergroup.

Third. I set

    Framed-IP-Address := 192.168.2.253,
    Framed-IP-Netmask = 255.255.255.0

for my user, but I don't receive this IP on my machine. I disabled the DHCP on my AP and still don't receive this configuration. Do I need to install a DHCP server on my server and close MACxIP to send this configuration to my machine?

No more, thanks again.

Inácio Alves
http://www.polluxweb.com/inacioalves/site
how to call an external script
Hello,

I want freeradius to call an external script and send to it the User-Name it gets from the NAS in an access-request radius packet.

So I am using the echo module, I configure as:

#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
#program = "/bin/echo %{User-Name}"
program = "/etc/raddb/.pl %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.

And I add this module into the authorize section after the pap module. But it does not call the script.

Another thing, if I call the script like the following, then the script is executed and takes myusername as an argument. With freeradius it should do the same automatically?

# ./.pl %myusername

Thanks a lot
Re: Clear Text PAP passwords - how to enable
Hi,

> But I still got small problem, when i run in de debug mode i saw this
> warning. I'm not fully sure what it asks me to do? Any advice on this?

it's fairly clear isn't it? the error is written very clearly. follow the advice.

> !!! Please update your configuration so that the "known good"
> !!! clear text password is in Cleartext-Password, and not in User-Password.

somewhere in your config you are matching against 'User-Password'. change that attribute to 'Cleartext-Password'

alan
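For comparison, an added example (not from the thread) of what that change looks like in the users file, with the deprecated form above the corrected one; the user name and password are made up. The same rename applies to the attribute column of the radcheck table if the passwords live in SQL.

```text
#
# Deprecated: the "known good" password stored as a User-Password check
# item, together with the old Auth-Type = Local. rlm_pap only accepts this
# by rewriting it on the fly, which is what the !!! lines in the debug
# output report.
#
bob     Auth-Type := Local, User-Password == "s3cret"
        Reply-Message = "Hello, %{User-Name}"

#
# Correct for 2.x: the password is the Cleartext-Password check item and
# Auth-Type is left for the pap/chap/mschap modules to set in authorize.
#
bob     Cleartext-Password := "s3cret"
        Reply-Message = "Hello, %{User-Name}"
```

In the debug output this reply refers to, both the supplied password and the stored one are empty strings (login attempt with password "" / Using clear text password ""), so the "User authenticated successfully" line there is not evidence that a real password was checked.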
Re: Clear Text PAP passwords - how to enable
ok now since i know where authorize and authenticate and accounting modules went i feel much better =)

But I still got small problem, when i run in the debug mode i saw this warning. I'm not fully sure what it asks me to do? Any advice on this?

++[pap] returns updated
Found Auth-Type = PAP
!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!! Please update your configuration so that the "known good"
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
+- entering group PAP {...}
[pap] login attempt with password ""
[pap] Using clear text password ""
[pap] User authenticated successfully
++[pap] returns ok

Thanks a lot for helping!

On Mon, Oct 19, 2009 at 7:03 AM, Alan Buxey wrote:
> Hi,
>
> > My SQL include and module authorization is enabled in instantiate section
> > I'm not 100% sure what "virtual server" do in new radius.
> >
> > I guess you are probably right about that fact that my radius is not
> > accessing SQL to see the users there,.. so since my Include is enabled i
> > guess i need to figure out what those virtual servers are and how to use
> > them
>
> you need to ensure that 'sql' is listed in the correct section - eg
> in the authenticate section - see the files and comments in config files.
>
> alan
RE:
> But, as I said, I don't need proxy. Then I have commented the proxy lines:
> proxy_requests = no
> #$INCLUDE proxy.conf

... and broke the server (inner-tunnel processing). Well done! Now put it back the way it was. Peap works by doing internal proxy to LOCAL realm. So, you *do* need to proxy.

Ivan Kalik
Kalik Informatika ISP
RE:
Thanks to all,

But, as I said, I don't need proxy. Then I have commented the proxy lines:

proxy_requests = no
#$INCLUDE proxy.conf

See http://pastebin.com/m52c747e3 for my radiusd.conf.

Therefore, I don't know why the log is:

Sun Oct 18 19:20:54 2009 : Info: [pap] No clear-text password in the request. Not performing PAP.
Sun Oct 18 19:20:54 2009 : Info: ++[pap] returns noop
Sun Oct 18 19:20:54 2009 : Info: WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
Sun Oct 18 19:20:54 2009 : Info: WARNING: Please update your configuration, and remove 'Auth-Type = Local'
Sun Oct 18 19:20:54 2009 : Info: WARNING: Use the PAP or CHAP modules instead.
Sun Oct 18 19:20:54 2009 : Info: No User-Password or CHAP-Password attribute in the request.
Sun Oct 18 19:20:54 2009 : Info: Cannot perform authentication.
Sun Oct 18 19:20:54 2009 : Info: Failed to authenticate the user.
Sun Oct 18 19:20:54 2009 : Auth: Login incorrect: [user] (from client wlan-alves-private-network port 0 via TLS tunnel)

In my proxy.conf I have (even without using it, I didn't alter this file):

# DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
#
realm LOCAL {
        # If we do not specify a server pool, the realm is LOCAL, and
        # requests are not proxied to it.
}

Inácio Alves
http://www.polluxweb.com/inacioalves/site

--- freeradius-users-requ...@lists.freeradius.org wrote on Mon, 19.10.2009:

Message: 1
Date: Mon, 19 Oct 2009 00:54:39 + (GMT)
From: INACIO ALVES
To: freeradius-users@lists.freeradius.org
Message-ID: <370578.7811...@web27401.mail.ukl.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

I'm trying to configure freeRADIUS on my wireless network but I'm having problems.

My scenario:

Debian Lenny + MySQL 5.0 + freeRADIUS 2.1.7

clients - ((( AP ))) [freeRADIUS server]

When I execute the radiustest I get

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=168, length=20

and when I execute radclient I get

Received response ID 146, code 2, length = 32

But when I try to authenticate on my notebook I get

rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=168

My debug output is at: http://pastebin.com/f7e47862f.
My clients.conf is at: http://pastebin.com/f30e4955d
And my users file is at: http://pastebin.com/f5d958f63

This is my initial configuration. I want to migrate to MySQL or PostgreSQL when the server is ready, I don't need proxy, and I need to provide/revoke digital certificates for my clients.

--

Message: 7
Date: Mon, 19 Oct 2009 09:07:25 +0100
From: "nf-vale"
Subject: Re:
To: FreeRadius users mailing list
Message-ID: <200910190907.25443.nf-v...@critical-links.com>
Content-Type: Text/Plain; charset="iso-8859-15"

Check your proxy / realms configuration. The reason why it fails is described in the logs:

Sun Oct 18 19:20:54 2009 : Info: [pap] No clear-text password in the request. Not performing PAP.
Sun Oct 18 19:20:54 2009 : Info: ++[pap] returns noop
Sun Oct 18 19:20:54 2009 : Info: WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
Sun Oct 18 19:20:54 2009 : Info: WARNING: Please update your configuration, and remove 'Auth-Type = Local'
Sun Oct 18 19:20:54 2009 : Info: WARNING: Use the PAP or CHAP modules instead.
Sun Oct 18 19:20:54 2009 : Info: No User-Password or CHAP-Password attribute in the request.
Sun Oct 18 19:20:54 2009 : Info: Cannot perform authentication.
Sun Oct 18 19:20:54 2009 : Info: Failed to authenticate the user.
Sun Oct 18 19:20:54 2009 : Auth: Login incorrect: [user] (from client wlan-alves-private-network port 0 via TLS tunnel)

Nelson Vale

On Monday 19 October 2009 01:54:39 INACIO ALVES wrote:
> I'm trying to configure freeRADIUS on my wireless network but I'm having
> problems.
>
> My scenario:
>
> Debian Lenny + MySQL 5.0 + freeRADIUS 2.1.7
>
> clients - ((( AP ))) [freeRADIUS server]
>
> When I execute the radiustest I get
>
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=168,
> length=20
>
> and when I execute radclient I get
>
> Received response ID 146, code 2, length = 32
>
> But when I try to authenticate on my notebook I get
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=168
>
> My debug output is at: http://pastebin.com/f7e47862f.
>
> My clients.conf is at: http://pastebin.com/f30e4955d
>
> And my users file is at: http://pastebin.com/f5d958f63
>
> This is my initial configuration. I want to migrate to MySQL or PostgreSQL
> when the server is ready, I don't need proxy, and I need to provide/revoke
> digital certificates for my clients.
>
> Inácio Alves
> http://www.polluxweb.com/inacioalves/site

End of Freeradius-Users Digest, Vol 54, Issue 86
Re: how to get a UserName from a Pool
But how do I get the Calling-Station-Id?

2009/10/19 Ivan Kalik
> > Hi, I need to redirect a customer to a page with the pool and I need to
> > get his UserName.
> >
> > I thought to use the MK API to access, I used the NASIPAddress, UserName
> > and Password,
> >
> > The redirect and access MK API is easy, but my problem is how to get the
> > UserName of one customer if I have a lot of customers with one
> > NASIpAddress?
>
> NAS-IP-Address + NAS-Port should be unique per online user (without
> simultaneous logins) but there are plenty devices using same NAS-Port for
> everybody (usually 0). You can try NAS-IP-Address + Calling-Station-Id in
> such cases.
>
> Ivan Kalik
> Kalik Informatika ISP

--
Att.
Alisson F. Gonçalves
Sistemas de Informação - UFGD
Re: how to get a UserName from a Pool
> Hi, I need to redirect a customer to a page with the pool and I need to get
> his UserName.
>
> I thought to use the MK API to access, I used the NASIPAddress, UserName and
> Password,
>
> The redirect and access MK API is easy, but my problem is how to get the
> UserName of one customer if I have a lot of customers with one
> NASIpAddress?

NAS-IP-Address + NAS-Port should be unique per online user (without simultaneous logins) but there are plenty devices using same NAS-Port for everybody (usually 0). You can try NAS-IP-Address + Calling-Station-Id in such cases.

Ivan Kalik
Kalik Informatika ISP
Re: HINTS and EAP correspondence issue.
Ivan Kalik wrote:
>>> Trying to set up machine authentication, I have been able to rewrite
>>> my user-name to match my requirements in my Open ldap: get rid of the
>>> host/ and add $ ( host/machinename --> machinename$) using hints.
>>> But it ends up with this error after ldap authorisation:
>>> [eap] Identity does not match User-Name, setting from EAP Identity
>>> And it fails the authentication part.
>>>
>>> How can I tell EAP the new user name?
>>>
>>> It works when I use realm in proxy.conf and remove the $ at the end of
>>> the machine uid in my ldap, but this won't do as I don't want to rename
>>> all the uids.
>
> You can't. Altering User-Name breaks EAP.
>
>> I have checked again, files are uncommented in my inner-tunnel
>> configuration and hints is reprocessed.
>>
>> Thanks for any suggestions.
>
> Alter ldap information. It's not AD so don't use its naming conventions.
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks,

This is exactly what I thought, I wanted to be sure. I'll alter LDAP information as proxy REALM works very well.

Best regards,

Matthew
how to get a UserName from a Pool
Hi, I need to redirect a customer to a page with the pool and I need to get his UserName.

I thought to use the MK API to access; I used the NASIPAddress, UserName and Password.

The redirect and accessing the MK API is easy, but my problem is how to get the UserName of one customer if I have a lot of customers with one NASIpAddress?

--
Att. Alisson F. Gonçalves
Sistemas de Informação - UFGD
Re: HINTS and EAP correspondence issue.
>> Trying to set up machine authentication, I have been able to rewrite my user-name to match my requirements in my OpenLDAP: get rid of the host/ and add $ (host/machinename --> machinename$) using hints. But it ends up with this error after ldap authorisation:
>> [eap] Identity does not match User-Name, setting from EAP Identity
>> And it fails the authentication part.
>>
>> How can I tell EAP the new user name?
>>
>> It works when I use realm in proxy.conf and remove the $ at the end of the machine uid in my ldap, but this won't do as I don't want to rename all the uids.

You can't. Altering User-Name breaks EAP.

> I have checked again, files are uncommented in my inner-tunnel configuration and hints is reprocessed.
>
> Thanks for any suggestions.

Alter ldap information. It's not AD so don't use its naming conventions.

Ivan Kalik
Kalik Informatika ISP
Re: HINTS and EAP correspondence issue.
Matthieu Lazaro wrote:
> Hello list,
>
> I have a little question about hints and EAP.
>
> Trying to set up machine authentication, I have been able to rewrite my user-name to match my requirements in my OpenLDAP: get rid of the host/ and add $ (host/machinename --> machinename$) using hints. But it ends up with this error after ldap authorisation:
> [eap] Identity does not match User-Name, setting from EAP Identity
> And it fails the authentication part.
>
> How can I tell EAP the new user name?
>
> It works when I use realm in proxy.conf and remove the $ at the end of the machine uid in my ldap, but this won't do as I don't want to rename all the uids.
>
> Best regards,
>
> Matthew

Hello,

Anyone? Am I unclear?

I have checked again, files are uncommented in my inner-tunnel configuration and hints is reprocessed.

Thanks for any suggestions.

Regards,
Matthew
Re: Several virtual servers with different log files?
>>> Hi, I have a freeRadius 2.1.7 server with three virtual servers listening to different kinds of clients. I would like to know whether it is possible to define different log files for these virtual servers, instead of the global log file defined in radiusd.conf.
>>
>> No.
>>
>> As always, patches are welcome.
>
> So, given that there is no way to have several log files; is there any way of adding information to the log (such as the port or the virtual server that is handling the request) in order to differentiate from which virtual server the authorization log is coming from?

Yes in 2.1.7 (port is already logged). See msg_goodpass/msg_badpass in radiusd.conf.

Ivan Kalik
Kalik Informatika ISP
Re: Clear Text PAP passwords - how to enable
Hi,

> My SQL include and module authorization is enabled in instantiate section. I'm not 100% sure what "virtual server" do in new radius.
>
> I guess you are probably right about that fact that my radius is not accessing SQL to see the users there, so since my Include is enabled I guess I need to figure out what those virtual servers are and how to use them

you need to ensure that 'sql' is listed in the correct section - eg in the authenticate section - see the files and comments in config files.

alan
Re: Several virtual servers with different log files?
Alan DeKok wrote:
> Francisco Javier Valdera Garcia wrote:
>> Hi, I have a freeRadius 2.1.7 server with three virtual servers listening to different kinds of clients. I would like to know whether it is possible to define different log files for these virtual servers, instead of the global log file defined in radiusd.conf.
>
> No.
>
> As always, patches are welcome.
>
> Alan DeKok.

So, given that there is no way to have several log files; is there any way of adding information to the log (such as the port or the virtual server that is handling the request) in order to differentiate from which virtual server the authorization log is coming from?

Greetings,
Francisco Javier Valdera.
Re: mysql radgroupcheck, deny access
> I had some older Debian 4.0 (etch) servers, with freeradius v1.1.3 installed from packages.
>
> I then upgraded to Debian 5.0 (lenny), which comes with freeradius v2.0.4
>
> After upgrading I ran into some problems with my radgroupcheck rules.
>
> In radgroupcheck, I have some rules to restrict which NAS users are allowed to connect to.
>
> Here's an example:
>
> mysql> select * from radcheck where username = 'mbowe-test';
> +-----+------------+----------------+----+-------+
> | id  | username   | attribute      | op | value |
> +-----+------------+----------------+----+-------+
> | 708 | mbowe-test | Crypt-Password | := |       |
> +-----+------------+----------------+----+-------+
>
> mysql> select * from radreply where username = 'mbowe-test';
> Empty set (0.00 sec)
>
> mysql> select * from radusergroup where username = 'mbowe-test';
> +------------+----------------+----------+
> | username   | groupname      | priority |
> +------------+----------------+----------+
> | mbowe-test | dialup-freedom |        1 |
> +------------+----------------+----------+
>
> mysql> select * from radgroupcheck where groupname = 'dialup-freedom';
> +----+----------------+------------------+----+-----------------------------+
> | id | groupname      | attribute        | op | value                       |
> +----+----------------+------------------+----+-----------------------------+
> |  3 | dialup-freedom | NAS-IP-Address   | !~ | ^111.222.333.(1|2|3|4|5|6)$ |
> |  4 | dialup-freedom | Simultaneous-Use | := | 1                           |
> +----+----------------+------------------+----+-----------------------------+
>
> mysql> select * from radgroupreply where groupname = 'dialup-freedom';
> +----+----------------+--------------------+----+---------------------+
> | id | groupname      | attribute          | op | value               |
> +----+----------------+--------------------+----+---------------------+
> |  9 | dialup-freedom | Service-Type       | := | Framed-User         |
> | 10 | dialup-freedom | Framed-Protocol    | := | PPP                 |
> | 11 | dialup-freedom | Framed-IP-Address  | =  | 255.255.255.254     |
> | 12 | dialup-freedom | Framed-IP-Netmask  | := | 255.255.255.255     |
> | 13 | dialup-freedom | Framed-Compression | := | Van-Jacobson-TCP-IP |
> | 14 | dialup-freedom | Idle-Timeout       | := | 1800                |
> | 15 | dialup-freedom | Session-Timeout    | := | 14400               |
> | 16 | dialup-freedom | Port-Limit         | := | 1                   |
> +----+----------------+--------------------+----+---------------------+
>
> Under the older freeradius, if the mbowe-test user tried to connect to a NAS with IP 111.222.333.1|2|3|4|5|6 then their access would be rejected.
>
> However under the newer freeradius, the user can now get online OK. (The group doesn't match so the 'dialup-freedom' attributes are not returned)
>
> In my sql.conf I have read_groups = yes
>
> I tried installing the freeradius 2.1.7 from source, and it gives the same result as the 2.0.4 from packages (user can get online).
>
> Am I doing something wrong?

No. That is the correct behaviour. Groups emulate DEFAULT entries in the users file. If the check doesn't match, the reply is ignored but the user is not rejected. If you want to reject the user not matching NAS-IP-Address for this group you need to add:

    if (SQL-Group == "dialup-freedom") {
        if (NAS-IP-Address !~ "^111.222.333.(1|2|3|4|5|6)$") {
            ok
        }
        else {
            reject
        }
    }

Ivan Kalik
Kalik Informatika ISP
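The behaviour change Ivan describes, modelled in Python as an added example (not FreeRADIUS code and not from the thread): `group_reply` applies the 2.x rule that a group whose check items fail is merely skipped, and `authorize_policy` transcribes the unlang from his reply, which is what actually turns the non-match into a reject. The table rows are reduced copies of the poster's, the 111.222.333.x addresses are the poster's placeholders, and the regex is used exactly as written, so the unescaped dots match any character. Handling of attributes absent from the request is simplified and marked as an assumption.

```python
import re

# Reduced copies of the poster's tables (constructed for the example).
NAS_PATTERN = r"^111.222.333.(1|2|3|4|5|6)$"   # used exactly as written in the post

RADUSERGROUP = {"mbowe-test": ["dialup-freedom"]}
RADGROUPCHECK = [
    # (groupname, attribute, op, value)
    ("dialup-freedom", "NAS-IP-Address", "!~", NAS_PATTERN),
    ("dialup-freedom", "Simultaneous-Use", ":=", "1"),
]
RADGROUPREPLY = [
    ("dialup-freedom", "Service-Type", ":=", "Framed-User"),
    ("dialup-freedom", "Framed-Protocol", ":=", "PPP"),
    ("dialup-freedom", "Session-Timeout", ":=", "14400"),
]


def check_item_matches(op, value, request_value):
    """Evaluate one check item the way a users-file DEFAULT entry does.
    Only the operators that appear in the post are modelled."""
    if op == ":=":
        # ':=' in a check list sets a control item (Simultaneous-Use here);
        # it never makes the group fail to match.
        return True
    if request_value is None:
        # Assumption for this example: a compare against an attribute that is
        # not in the request fails (FreeRADIUS has =* / !* for presence tests).
        return False
    if op == "=~":
        return re.search(value, request_value) is not None
    if op == "!~":
        return re.search(value, request_value) is None
    if op == "==":
        return request_value == value
    raise ValueError("operator %r not modelled" % op)


def group_reply(username, request):
    """2.x semantics: a group whose check items fail is skipped, so its reply
    items are not returned, but the request is NOT rejected."""
    reply = {}
    for group in RADUSERGROUP.get(username, []):
        checks = [row for row in RADGROUPCHECK if row[0] == group]
        if not all(check_item_matches(op, val, request.get(attr))
                   for _grp, attr, op, val in checks):
            continue                         # group ignored, nothing else happens
        for grp, attr, _op, val in RADGROUPREPLY:
            if grp == group:
                reply[attr] = val
    return reply


def authorize_policy(username, request):
    """Ivan's unlang transcribed: members of dialup-freedom coming from a NAS
    that matches the pattern are rejected, everyone else continues ('ok')."""
    if "dialup-freedom" in RADUSERGROUP.get(username, []):
        nas_ip = request.get("NAS-IP-Address", "")
        if re.search(NAS_PATTERN, nas_ip) is None:
            return "ok"
        return "reject"
    return "ok"
```

Running both functions against a request from 111.222.333.1 shows the gap the poster hit: the group reply comes back empty, yet only the explicit policy returns "reject".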
Re: No NAS-Port seen warning
> There's no such path in /etc/raddb
> I'm running version 1.1.3

Upgrade. That version is many years out of date. In 1.1.3 the module will be in radiusd.conf.

Ivan Kalik
Kalik Informatika ISP
Re:
> I'm trying to configure the freeRADIUS on my wireless network but I'm having problems.
>
> My scenario:
>
> Debian Lenny+MySQL5.0+freeRADIUS 2.1.7
>
> clients - ((( AP ))) [freeRADIUS server]
>
> When I execute the radiustest I get
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=168, length=20
>
> and when I execute radclient I get
> Received response ID 146, code 2, length = 32
>
> But when I try to authenticate on my notebook I get
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=168

You have removed realm LOCAL from proxy.conf.

Ivan Kalik
Kalik Informatika ISP
Re: How to configure Wrong Message-Authenticator in Free-radius server response
Venseen wrote:
> Hi, I have to insert cooked Message-authenticator in Free-radius server Message,

You will need to edit the source code to do this. FreeRADIUS does *not* generate invalid Message-Authenticators.

Alan DeKok.
Re: No NAS-Port seen warning
Hi,

> There's no such path in /etc/raddb
> I'm running version 1.1.3

if you upgrade to 2.1.7 then there will be such a $PATH and file :-)

okay - you need to look in the main radiusd.conf file for where the uniq line is mentioned - however, i can't recall whether you can just slap that new NAS-Port onto the line instead. I think you can but 1.1.x was so long ago.

alan
Re:
Check your proxy / realms configuration. The reason why it fails is described in the logs:

Sun Oct 18 19:20:54 2009 : Info: [pap] No clear-text password in the request. Not performing PAP.
Sun Oct 18 19:20:54 2009 : Info: ++[pap] returns noop
Sun Oct 18 19:20:54 2009 : Info: WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
Sun Oct 18 19:20:54 2009 : Info: WARNING: Please update your configuration, and remove 'Auth-Type = Local'
Sun Oct 18 19:20:54 2009 : Info: WARNING: Use the PAP or CHAP modules instead.
Sun Oct 18 19:20:54 2009 : Info: No User-Password or CHAP-Password attribute in the request.
Sun Oct 18 19:20:54 2009 : Info: Cannot perform authentication.
Sun Oct 18 19:20:54 2009 : Info: Failed to authenticate the user.
Sun Oct 18 19:20:54 2009 : Auth: Login incorrect: [user] (from client wlan-alves-private-network port 0 via TLS tunnel)

Nelson Vale

On Monday 19 October 2009 01:54:39 INACIO ALVES wrote:
> I'm trying to configure the freeRADIUS on my wireless network but I'm having problems.
>
> My scenario:
>
> Debian Lenny+MySQL5.0+freeRADIUS 2.1.7
>
> clients - ((( AP ))) [freeRADIUS server]
>
> When I execute the radiustest I get
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=168, length=20
>
> and when I execute radclient I get
> Received response ID 146, code 2, length = 32
>
> But when I try to authenticate on my notebook I get
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=168
>
> My debug output is on address: http://pastebin.com/f7e47862f.
>
> My clients.conf is on: http://pastebin.com/f30e4955d
>
> And my users is on: http://pastebin.com/f5d958f63
>
> This is my initial configuration. I want to migrate to MySQL or PostgreSQL when the server is ready, I don't need proxy, and I need to provide/revoke digital certificates to my clients.
>
> Inácio Alves
> http://www.polluxweb.com/inacioalves/site
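Nelson reads the answer straight out of radius.log; the following is an added Python example (not from the thread, not a FreeRADIUS tool) that does the same mechanically: it parses 2.x log lines of the form `<date> : <facility>: <message>`, counts "Login incorrect" entries per client, and flags the two warnings that point at a stale realm/Auth-Type configuration. The sample lines are constructed to mirror the ones quoted above, with the wrapped client name rejoined; the `KNOWN_MISCONFIG` explanations are my wording.

```python
import re
from collections import Counter

# Constructed sample in the radius.log format of FreeRADIUS 2.x,
# mirroring the lines quoted in the post.
SAMPLE_LOG = """\
Sun Oct 18 19:20:54 2009 : Info: [pap] No clear-text password in the request. Not performing PAP.
Sun Oct 18 19:20:54 2009 : Info: ++[pap] returns noop
Sun Oct 18 19:20:54 2009 : Info: WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
Sun Oct 18 19:20:54 2009 : Info: WARNING: Please update your configuration, and remove 'Auth-Type = Local'
Sun Oct 18 19:20:54 2009 : Info: WARNING: Use the PAP or CHAP modules instead.
Sun Oct 18 19:20:54 2009 : Info: No User-Password or CHAP-Password attribute in the request.
Sun Oct 18 19:20:54 2009 : Info: Cannot perform authentication.
Sun Oct 18 19:20:54 2009 : Info: Failed to authenticate the user.
Sun Oct 18 19:20:54 2009 : Auth: Login incorrect: [user] (from client wlan-alves-private-network port 0 via TLS tunnel)
"""

# "<weekday> <month> <day> <hh:mm:ss> <year> : <facility>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : (?P<facility>\w+): (?P<msg>.*)$")
# The Auth facility's login line carries user, client and port.
LOGIN_RE = re.compile(
    r"^Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?P<via>.*)\)$")

# Warning substrings the server emits for the misconfiguration in the thread,
# mapped to a short explanation (wording is mine, not the server's).
KNOWN_MISCONFIG = {
    "Proxy-To-Realm = LOCAL, but the realm does not exist":
        "realm LOCAL is referenced but missing from proxy.conf",
    "remove 'Auth-Type = Local'":
        "obsolete 'Auth-Type = Local' still set; use the pap/chap modules",
}


def parse_line(line):
    """Split one log line into fields; login lines get user/client/port too.
    Returns None for lines that are not in radius.log format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    lm = LOGIN_RE.match(rec["msg"])
    if lm:
        rec.update(lm.groupdict())
        rec["port"] = int(rec["port"])
    return rec


def analyse(log_text):
    """Summarise failed logins per (client, user) and list the known
    misconfiguration warnings seen, in the order they appear."""
    failures = Counter()
    misconfig = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("result") == "incorrect":
            failures[(rec["client"], rec["user"])] += 1
        if rec["msg"].startswith("WARNING:"):
            for needle, explanation in KNOWN_MISCONFIG.items():
                if needle in rec["msg"]:
                    misconfig.append(explanation)
    return {"failed_logins": dict(failures), "misconfig": misconfig}
```

Feeding it a longer log from the same server would show the reject count per client climbing while the same two warnings repeat, which is the signature of this particular configuration error rather than of bad credentials.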
Re: Windows client MS-chap auto-reauthentication
--- On Sun, 10/18/09, Alan Buxey wrote:
> XP caches successful connections - Vista does too IIRC so I'm not sure why you are seeing different behaviour.. anyhow..you can clear the credentials by blatting a registry on eg logout or login.

OK, thanks for the suggestion. And thanks, Micro$oft, for automating things for me.

> the RADIUS server won't see the difference between std login and cached login as the client sends the same stuff.

I thought so.

> regarding theft. you are using EAP-TLS with client certs? in that case, you can simply revoke that client cert.

But I have to revoke it manually (CRL) as soon as I'm informed of the theft, which is usually a long and unreliable process. :-(

Thanks anyway.

Vieri
Re: Help on adding value to mysql
No ideas to help me a little? At least to know if what I described is possible.

Thanks
Simon

Simone Felici wrote on 16/10/2009 11.26:
> Hello to all,
>
> I've freeradius installed on a CentOS 4.5: freeradius-1.1.5-0.
>
> I would like to add a new field to my radacct table to log a new value taken from sip/ser accounting. Until here ok, it's sufficient to alter the table, add the value into the proper dictionary and alter the sql inserts to add the value.
>
> What I would like to do is to modify the value BEFORE inserting it into mysql. The detail-file logs the following value:
> (...)
> Sip-Translated-Request-ID = "sip:@:;transport=udp"
> (...)
>
> Also I would like to add to MySQL (radacct) the Sip-Translated-Request-ID field, BUT ONLY the . I should execute a sort of regexp or something that gives me the following result, for example:
>
> Sip-Translated-Request-ID = `echo "sip:@:;transport=udp" | awk -F@ '{ print $2 }' | awk -F: '{ print $1 }'`
>
> This would return me only the IP-ADDRESS to add within '%{Sip-Translated-Request-ID}'.
>
> Can someone help me a little bit?
>
> Thanks
> Simon

--
Simone Felici        E-Mail: s.fel...@alpikom.it
Divisione Tecnica    Tel: 0461 030 111
Alpikom S.p.A.       Fax: 0461 030 112
v.Fersina, 23 - 38123 Trento   URL: http://www.alpikom.it
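The awk pipeline in Simon's message extracts the host from a SIP URI by splitting on `@` and then on `:`; as an added example (not from the thread and not a FreeRADIUS module) here is a Python parser that does the same extraction but also copes with the cases the pipeline gets wrong: a URI with no user part (the first awk prints nothing), an IPv6 literal in brackets (the second awk cuts at the first colon), and a missing port. The sample URIs are constructed, since the real value in the poster's detail file was elided from the archive. In FreeRADIUS such a transformation would have to run in a module such as rlm_exec or rlm_perl before the accounting SQL insert; that wiring is not shown here.

```python
import re

# Constructed examples of the attribute value discussed in the post.
SAMPLES = [
    "sip:1234@192.0.2.10:5060;transport=udp",
    "sip:1234@[2001:db8::10]:5060;transport=tcp",   # IPv6 literal: awk -F: would break it
    "sip:192.0.2.11;transport=udp",                 # no user part: awk -F@ '{print $2}' is empty
    "sip:1234@example.net",                         # no port, no parameters
]

# scheme ":" [user "@"] host [":" port] [";" params]
SIP_RE = re.compile(
    r"^(?P<scheme>sips?):"
    r"(?:(?P<user>[^@;]*)@)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^:;]+)"
    r"(?::(?P<port>\d+))?"
    r"(?:;(?P<params>.*))?$")


def parse_sip_uri(value):
    """Split a SIP URI into scheme, user, host, port and a dict of parameters.
    Raises ValueError for anything that is not a SIP URI, so a malformed
    accounting value is noticed instead of silently inserting an empty host."""
    m = SIP_RE.match(value.strip())
    if not m:
        raise ValueError("not a SIP URI: %r" % value)
    d = m.groupdict()
    d["host"] = d["host"].strip("[]")
    d["port"] = int(d["port"]) if d["port"] else None
    params = {}
    for item in (d["params"] or "").split(";"):
        if item:
            key, _, val = item.partition("=")
            params[key] = val
    d["params"] = params
    return d


def request_host(value):
    """The value the awk pipeline in the post aims for: only the host part."""
    return parse_sip_uri(value)["host"]
```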