cannot upgrade 2.1.6 to 2.1.7
Hi,

If I don't have pthread.h on my system, then how did the 2.1.6 build work? But if I remove the line callback=wait_for_child_to_die; there is no error. Can I remove this line and build, or is there any other solution to fix it?

Thanks & Regards,
kachin

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radacct and db handles
> I've installed freeradius with daloradius in a FC11 box, everything new.
> After some corrections everything is working, but in radius.log I receive
> constantly the error message below:
>
> Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
>
> I checked my radius db and radacct table and there are many indexed and
> nothing I could find is the problem. It only happens when I enable radius
> accounting in SQL.

Run server in debug mode and see which queries are failing.

Ivan Kalik
Kalik Informatika ISP
radacct and db handles
Hi,

I've installed freeradius with daloradius in a FC11 box, everything new. After some corrections everything is working, but in radius.log I constantly receive the error message below:

    Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0

I checked my radius db and radacct table and there are many indexed and nothing I could find is the problem. It only happens when I enable radius accounting in SQL.

Any help would be appreciated.

Tks,
Ademir
Re: cannot upgrade 2.1.6 to 2.1.7
kachin Agarwal wrote:
> Hi,
> I'm trying to upgrade my radius server from 2.1.6 to 2.1.7
> but whenever I try to make the build I'm getting the following error

Those errors occur if you don't have "pthread.h" on your system, or if the build is completely broken. I have no idea how else these errors could occur.

Alan DeKok.
Re: FreeRADIUS + Postgresql dies unexpectedly
Duarte Fonseca wrote:
> I've got a freeRadius (v2.1.7) install running on CentOs using
> postgresql to store accounting data and have noticed that occasionally
> freeRadius seems to die unexpectedly.

See doc/bugs. You can run the server in foreground mode (radiusd -f), too. If it dies after a few packets, the problem should be pretty simple to find && fix.

Alan DeKok.
FreeRADIUS + Postgresql dies unexpectedly
Hi,

I've got a freeRadius (v2.1.7) install running on CentOs using postgresql to store accounting data and have noticed that occasionally freeRadius seems to die unexpectedly.

After some time investigating this and going over the logs I can now reproduce this behavior easily by following these steps:

1 - In my sql configuration file (/etc/raddb/postgresql.conf) I specify server = "localhost" (freeRADIUS connects to the database through TCP/IP)
2 - Restart radiusd
3 - Use radclient to send several accounting requests without an Acct-Session-Time attribute (radclient -p 200 -f 1.txt 10.1.60.141:1813 acct secret)

After a few requests radiusd dies.

If I change my sql configuration file (/etc/raddb/postgresql.conf) so server = "" (freeRADIUS connects to DB using Unix-domain socket) radiusd doesn't die.

If I run radiusd in debug mode it doesn't die.

If I send accounting requests with the Acct-Session-Time set to a positive integer radiusd doesn't die.

The following are extracts from the freeRADIUS log and Postgresql log during a test where the radiusd dies.

Extract from radius.log:

    # cat /var/log/radius/radius.log
    Thu Oct 22 16:20:30 2009 : Info: rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
    Thu Oct 22 16:20:30 2009 : Info: rlm_sql (sql): Attempting to connect to postg...@localhost:/gapdb
    Thu Oct 22 16:20:30 2009 : Info: Loaded virtual server
    Thu Oct 22 16:20:30 2009 : Info: Ready to process requests.
    Thu Oct 22 16:20:51 2009 : Error: [sql] stop packet with zero session length. [user '0017f24eff31', nas '172.20.200.66']
    Thu Oct 22 16:20:51 2009 : Error: [sql] stop packet with zero session length. [user '0012f0aac218', nas '172.20.200.66']
    Thu Oct 22 16:20:55 2009 : Error: [sql] stop packet with zero session length. [user 'admin', nas '172.20.200.226']
    Thu Oct 22 16:20:55 2009 : Error: [sql] stop packet with zero session length. [user 'JoePublic7', nas '172.20.200.226']
    Thu Oct 22 16:20:55 2009 : Error: [sql] stop packet with zero session length. [user 'admin', nas '172.20.200.226']
    Thu Oct 22 16:20:55 2009 : Error: [sql] stop packet with zero session length. [user 'admin', nas '172.20.200.226']

Extract from postgresql log:

    <2009-10-22 16:20:55.095 BST> LOG: SSL error: sslv3 alert bad record mac
    <2009-10-22 16:20:55.095 BST> LOG: could not receive data from client: Connection reset by peer
    <2009-10-22 16:20:55.095 BST> LOG: unexpected EOF on client connection
    <2009-10-22 16:20:55.097 BST> LOG: could not receive data from client: Connection reset by peer
    <2009-10-22 16:20:55.097 BST> LOG: unexpected EOF on client connection
    <2009-10-22 16:20:55.097 BST> LOG: could not receive data from client: Connection reset by peer
    <2009-10-22 16:20:55.097 BST> LOG: unexpected EOF on client connection
    <2009-10-22 16:20:55.098 BST> LOG: could not receive data from client: Connection reset by peer
    <2009-10-22 16:20:55.098 BST> LOG: unexpected EOF on client connection
    <2009-10-22 16:20:55.098 BST> LOG: could not receive data from client: Connection reset by peer
    <2009-10-22 16:20:55.098 BST> LOG: could not receive data from client: Connection reset by peer
    <2009-10-22 16:20:55.098 BST> LOG: unexpected EOF on client connection
    <2009-10-22 16:20:55.098 BST> LOG: unexpected EOF on client connection
    <2009-10-22 16:20:55.103 BST> LOG: could not receive data from client: Connection reset by peer
    <2009-10-22 16:20:55.103 BST> LOG: unexpected EOF on client connection
    <2009-10-22 16:20:55.103 BST> LOG: could not receive data from client: Connection reset by peer
    <2009-10-22 16:20:55.103 BST> LOG: unexpected EOF on client connection
    <2009-10-22 16:20:55.103 BST> LOG: could not receive data from client: Connection reset by peer
    <2009-10-22 16:20:55.103 BST> LOG: unexpected EOF on client connection
    <2009-10-22 16:20:55.103 BST> LOG: could not receive data from client: Connection reset by peer
    <2009-10-22 16:20:55.104 BST> LOG: unexpected EOF on client connection
    <2009-10-22 16:20:55.105 BST> LOG: could not receive data from client: Connection reset by peer
    <2009-10-22 16:20:55.105 BST> LOG: unexpected EOF on client connection
    <2009-10-22 16:20:55.111 BST> LOG: could not receive data from client: Connection reset by peer
    <2009-10-22 16:20:55.111 BST> LOG: unexpected EOF on client connection

    # radiusd -v
    radiusd: FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Sep 18 2009 at 10:59:17

How would you guys advise me to proceed with resolving this issue, is it a bug, is it something wrong in my configuration?

Thank you,
Duarte

--
Duarte Fonseca
Mobile: +44 753 4262674
E-mail: fonseca.dua...@gmail.com
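The two log extracts above line up in time: every burst of PostgreSQL "bad record mac" / "Connection reset by peer" lines follows a zero-session-length Stop logged by rlm_sql. The script below is an added example (not code from the post or from FreeRADIUS) that parses both log formats and reports, per NAS, which Stops were followed by a lost database connection; the log lines are constructed from the extracts, and both logs are assumed to use the same local time.

```python
"""Correlate rlm_sql 'stop packet with zero session length' errors in
radius.log with PostgreSQL client-loss messages logged moments later.
Added example; sample log lines are constructed from the post above."""
import re
from datetime import datetime, timedelta

RADIUS_LOG = """\
Thu Oct 22 16:20:30 2009 : Info: Ready to process requests.
Thu Oct 22 16:20:51 2009 : Error: [sql] stop packet with zero session length. [user '0017f24eff31', nas '172.20.200.66']
Thu Oct 22 16:20:55 2009 : Error: [sql] stop packet with zero session length. [user 'admin', nas '172.20.200.226']
Thu Oct 22 16:20:55 2009 : Error: [sql] stop packet with zero session length. [user 'JoePublic7', nas '172.20.200.226']
"""

PG_LOG = """\
<2009-10-22 16:20:55.095 BST> LOG: SSL error: sslv3 alert bad record mac
<2009-10-22 16:20:55.095 BST> LOG: could not receive data from client: Connection reset by peer
<2009-10-22 16:20:55.095 BST> LOG: unexpected EOF on client connection
<2009-10-22 16:20:55.111 BST> LOG: unexpected EOF on client connection
"""

# radius.log: "<ctime> : Error: [sql] stop packet with zero session length. [user '<u>', nas '<nas>']"
RADIUS_RE = re.compile(
    r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Error: \[sql\] stop packet "
    r"with zero session length\. \[user '([^']*)', nas '([^']*)'\]"
)
# PostgreSQL server log: "<YYYY-MM-DD HH:MM:SS.mmm TZ> LOG: <message>"
PG_RE = re.compile(r"^<(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \w+> LOG: (.*)$")
# Messages meaning the client (rlm_sql_postgresql inside radiusd) vanished mid-connection.
PG_CLIENT_LOSS = (
    "SSL error",
    "could not receive data from client",
    "unexpected EOF on client connection",
)


def parse_radius_zero_length_stops(text):
    """Return [(timestamp, user, nas)] for each zero-session-length Stop rlm_sql logged."""
    events = []
    for line in text.splitlines():
        m = RADIUS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group(2), m.group(3)))
    return events


def parse_pg_client_loss(text):
    """Return [(timestamp, message)] for PostgreSQL lines reporting a lost client."""
    events = []
    for line in text.splitlines():
        m = PG_RE.match(line)
        if m and m.group(2).startswith(PG_CLIENT_LOSS):
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def correlate(radius_text, pg_text, window=timedelta(seconds=2)):
    """For each zero-length Stop, collect PostgreSQL client-loss messages logged
    within `window` after it; only Stops with such messages are returned."""
    pg_events = parse_pg_client_loss(pg_text)
    findings = []
    for ts, user, nas in parse_radius_zero_length_stops(radius_text):
        nearby = [msg for pts, msg in pg_events if ts <= pts <= ts + window]
        if nearby:
            findings.append({"time": ts, "user": user, "nas": nas, "pg_errors": nearby})
    return findings


def stops_per_nas(findings):
    """Count correlated zero-length Stops per NAS to see which clients trigger the pattern."""
    counts = {}
    for f in findings:
        counts[f["nas"]] = counts.get(f["nas"], 0) + 1
    return counts


if __name__ == "__main__":
    found = correlate(RADIUS_LOG, PG_LOG)
    for f in found:
        print(f"{f['time']:%H:%M:%S} user={f['user']} nas={f['nas']} -> "
              f"{len(f['pg_errors'])} PostgreSQL errors")
    print("per NAS:", stops_per_nas(found))
```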
Re: cannot upgrade 2.1.6 to 2.1.7
What type of system are you on? Did you run ./configure first? Make clean? I built 2.1.7 and had no similar issues. (Redhat AS5 Update 3)

----- Original Message -----
From: kachin Agarwal
To: freeradius-users@lists.freeradius.org
Sent: Thursday, October 22, 2009 7:30 AM
Subject: cannot upgrade 2.1.6 to 2.1.7

> Hi,
> I'm trying to upgrade my radius server from 2.1.6 to 2.1.7 but whenever I try to make the build I'm getting the following error:
>
>     xlat.c:548: warning: passing argument 3 of 'xlat_register' discards qualifiers from pointer target type
>     xlat.c:557: warning: passing argument 3 of 'xlat_register' discards qualifiers from pointer target type
>     xlat.c:569: warning: passing argument 3 of 'xlat_register' discards qualifiers from pointer target type
>     xlat.c:577: warning: passing argument 3 of 'xlat_register' discards qualifiers from pointer target type
>     xlat.c:582: warning: passing argument 3 of 'xlat_register' discards qualifiers from pointer target type
>     event.c: In function 'wait_a_bit':
>     event.c:1166: warning: implicit declaration of function 'pthread_equal'
>     event.c:1177: error: 'wait_for_child_to_die' undeclared (first use in this function)
>     event.c:1177: error: (Each undeclared identifier is reported only once
>     event.c:1177: error: for each function it appears in.)
>     event.c: In function 'radius_event_init':
>     event.c:3441: warning: unused variable 'attr'
>     make[5]: *** [event.lo] Error 1
>     make[4]: *** [common] Error 2
>     make[3]: *** [all] Error 2
>     make[2]: *** [common] Error 2
>     make[1]: *** [all] Error 2
>     make: *** [*/*/*/*/*/*/freeradius-server-2.1.7/src/main/radiusd] Error 2
>
> Please help me. Where should I declare it??
>
> Thanks & Regards,
> Kachin
Re: mysql freeradius "rlm_pap: empty password supplied"
serre wrote:
> Hello,
>
> After some hours of googling my problem, I come. I hope somebody will be able to help me!
>
> I set up a MAC based authentication, with users in mysql database. It is working properly when users are defined in the users file, but did not work with empty Cleartext-Password in the database.
>
> Any idea? It is the only problem I've found when following this EXCELLENT howto page: http://wiki.freeradius.org/SQL_HOWTO
>
> Thanks in advance

Ok, I have found the problem. Here is how the radcheck table looks now:

    +----+----------+-----------+----+--------+
    | id | username | attribute | op | value  |
    +----+----------+-----------+----+--------+
    |  7 | seb      | Auth-Type | := | Accept |
    |  8 | chris    | Auth-Type | := | Accept |
    +----+----------+-----------+----+--------+

And it is working. Don't really know why, but the problem is solved.

Thanks
Re: PEAP + EAP-TLS: client certificates
--- On Thu, 10/22/09, Vieri wrote:
> From: Vieri
> Subject: Re: PEAP + EAP-TLS: client certificates
> To: freeradius-users@lists.freeradius.org
> Date: Thursday, October 22, 2009, 9:05 AM
>
> --- On Thu, 10/22/09, Ivan Kalik wrote:
>
> > > If I install a self-signed certificate on another Windows client and
> > > connect via EAP-TLS then I can connect without having to use an Active
> > > Directory user, as expected.
> > >
> > > I'm wondering if I can *require* both a certificate on the client machine
> > > AND an AD user authentication. In other words, how can I *require*
> > > PEAP-EAP-TLS? (currently, my freeradius configuration seems to require
> > > PEAP OR EAP-TLS)
> > >
> > > Freeradius version: 2.0.5
> >
> > Don't know about that version. It should say how to require certificates
> > for peap in eap.conf above peap section.
>
> Is this the option?
> EAP-TLS-Require-Client-Cert = Yes
> I'm not sure where I should place it.

If in eap.conf I have:

    peap {
        ...
        virtual_server = "inner-tunnel"
    }

then maybe I should edit sites-available/inner-tunnel and add:

    server inner-tunnel {
        ...
        authorize {
            ...
            update control {
                ...
                EAP-TLS-Require-Client-Cert = Yes
            }
        }
    }

Is this correct?
Re: PEAP + EAP-TLS: client certificates
PS. No, default virtual server looks more like it. Won't hurt to try both.

Ivan Kalik
Kalik Informatika ISP
Re: PEAP + EAP-TLS: client certificates
> Is this the option?
> EAP-TLS-Require-Client-Cert = Yes
> I'm not sure where I should place it.

Authorize section of inner-tunnel virtual server I think. Use unlang (update control ...).

Ivan Kalik
Kalik Informatika ISP
mysql freeradius "rlm_pap: empty password supplied"
Hello,

After some hours of googling my problem, I come. I hope somebody will be able to help me!

I set up a MAC based authentication, with users in mysql database. It is working properly when users are defined in the users file, but did not work with empty Cleartext-Password in the database.

Any idea? It is the only problem I've found when following this EXCELLENT howto page: http://wiki.freeradius.org/SQL_HOWTO

Thanks in advance

I show you two of my test users, one with password, the other without (hope I'm clear):

Sorry, this post is bigger than what I was thinking.

Mysql tables:

    mysql> select * from radcheck;
    +----+----------+--------------------+----+----------+
    | id | username | attribute          | op | value    |
    +----+----------+--------------------+----+----------+
    |  7 | seb      | Cleartext-Password | := | password |
    |  8 | chris    | Cleartext-Password | := |          |
    +----+----------+--------------------+----+----------+

    mysql> select * from radreply;
    +----+----------+-----------+----+--------+
    | id | username | attribute | op | value  |
    +----+----------+-----------+----+--------+
    |  5 | seb      | Auth-Type | := | Accept |
    |  6 | chris    | Auth-Type | := | Accept |
    +----+----------+-----------+----+--------+

RADTEST with user seb:

    radius:/etc/freeradius# radtest seb password localhost 1812 testing123
    Sending Access-Request of id 70 to 127.0.0.1 port 1812
        User-Name = "seb"
        User-Password = "password"
        NAS-IP-Address = 172.18.100.19
        NAS-Port = 1812
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=70, length=20

DEBUG OUTPUT:

    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    rad_check_password: Found Auth-Type
    auth: type "PAP"
    +- entering group PAP
    rlm_pap: login attempt with password "password"
    rlm_pap: Using clear text password "password"
    rlm_pap: User authenticated successfully
    ++[pap] returns ok
    Login OK: [seb/password] (from client localhost port 1812)
    +- entering group post-auth

RADTEST with user tof:

    radius:/etc/freeradius# radtest tof "" localhost 1812 testing123
    Sending Access-Request of id 220 to 127.0.0.1 port 1812
        User-Name = "tof"
        User-Password = ""
        NAS-IP-Address = 172.18.100.19
        NAS-Port = 1812
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=220, length=20

DEBUG OUTPUT:

    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    rad_check_password: Found Auth-Type
    auth: type "PAP"
    +- entering group PAP
    ++[pap] returns invalid
    auth: Failed to validate the user.
    Login incorrect (rlm_pap: empty password supplied): [tof/] (from client localhost port 1812)
    Found Post-Auth-Type Reject
    +- entering group REJECT
        expand: %{User-Name} -> tof
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
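The thread resolves itself once Auth-Type := Accept moves from radreply into radcheck, without saying why that matters: rlm_sql puts radcheck rows on the request's control list and radreply rows on the reply list, and rad_check_password only looks at the control list for Auth-Type. The following is an added example (not code from the thread or from FreeRADIUS) that models just enough of that flow to reproduce both debug outputs above and the working configuration; the rows are constructed from the tables shown, and only the ':=' operator is modelled. Note that Auth-Type := Accept accepts any User-Password for that username, so it is only appropriate where the username itself (here a MAC address) is the credential.

```python
"""Miniature of rlm_sql + rlm_pap + rad_check_password for the radcheck/radreply
question above. Added example; table rows constructed from the posts."""

# (id, username, attribute, op, value), as in the first post's tables
RADCHECK_BEFORE = [
    (7, "seb", "Cleartext-Password", ":=", "password"),
    (8, "chris", "Cleartext-Password", ":=", ""),
]
RADREPLY_BEFORE = [
    (5, "seb", "Auth-Type", ":=", "Accept"),
    (6, "chris", "Auth-Type", ":=", "Accept"),
]
# radcheck as shown once the thread was resolved (radreply rows dropped)
RADCHECK_AFTER = [
    (7, "seb", "Auth-Type", ":=", "Accept"),
    (8, "chris", "Auth-Type", ":=", "Accept"),
]
RADREPLY_AFTER = []


def sql_authorize(username, radcheck, radreply):
    """rlm_sql authorize: radcheck rows become control (check) items,
    radreply rows become reply items. Only ':=' is modelled."""
    control = {a: v for _, u, a, op, v in radcheck if u == username and op == ":="}
    reply = {a: v for _, u, a, op, v in radreply if u == username and op == ":="}
    return control, reply


def pap_authorize(control):
    """rlm_pap authorize: with a known password and no Auth-Type yet, set
    Auth-Type = PAP (the '++[pap] returns updated' line in the debug output)."""
    if "Auth-Type" not in control and "Cleartext-Password" in control:
        control["Auth-Type"] = "PAP"


def authenticate(username, user_password, radcheck, radreply):
    """Run the authorize chain, then mimic rad_check_password.
    Returns (accepted, reason, reply_items)."""
    control, reply = sql_authorize(username, radcheck, radreply)
    pap_authorize(control)
    # Only the control list is consulted; an Auth-Type sitting in `reply`
    # (the radreply rows) never influences the decision.
    auth_type = control.get("Auth-Type")
    if auth_type is None:
        return False, "No authenticate method (Auth-Type) configuration found", reply
    if auth_type == "Accept":
        return True, "Auth-Type = Accept: password not checked", reply
    if auth_type == "PAP":
        if user_password == "":
            return False, "rlm_pap: empty password supplied", reply
        if user_password == control.get("Cleartext-Password"):
            return True, "rlm_pap: User authenticated successfully", reply
        return False, "rlm_pap: password check failed", reply
    return False, f"unsupported Auth-Type {auth_type}", reply


if __name__ == "__main__":
    cases = [
        ("seb", "password", RADCHECK_BEFORE, RADREPLY_BEFORE),
        ("chris", "", RADCHECK_BEFORE, RADREPLY_BEFORE),
        ("chris", "", RADCHECK_AFTER, RADREPLY_AFTER),
        ("seb", "not-the-password", RADCHECK_AFTER, RADREPLY_AFTER),
    ]
    for name, pw, chk, rep in cases:
        ok, why, reply = authenticate(name, pw, chk, rep)
        print(f"{name}/{pw!r}: {'Accept' if ok else 'Reject'} ({why}); reply items: {reply}")
```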
Re: PEAP + EAP-TLS: client certificates
--- On Thu, 10/22/09, Ivan Kalik wrote:
> > If I install a self-signed certificate on another Windows client and
> > connect via EAP-TLS then I can connect without having to use an Active
> > Directory user, as expected.
> >
> > I'm wondering if I can *require* both a certificate on the client machine
> > AND an AD user authentication. In other words, how can I *require*
> > PEAP-EAP-TLS? (currently, my freeradius configuration seems to require
> > PEAP OR EAP-TLS)
> >
> > Freeradius version: 2.0.5
>
> Don't know about that version. It should say how to require certificates
> for peap in eap.conf above peap section.

Is this the option?

    EAP-TLS-Require-Client-Cert = Yes

I'm not sure where I should place it.
Re: PEAP + EAP-TLS: client certificates
> If I try to connect from a Windows client via a wireless AP "WIFIAP1" with
> Active Directory "user1" I see this in the log:
>
> Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/] (from client WIFIAP1 port 0 via TLS tunnel)
> Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/] (from client WIFIAP1 port 48 cli 001a73f7f0f7)
>
> Dumb question: does this mean the client used PEAP to connect? Can I
> deduce this from "Auth-Type = EAP" and from "via TLS tunnel"?

Can also be TTLS.

> If connected via PEAP, authentication is "secure". However, I'd like to
> know if the data exchanged between the clients and the rest of the LAN via
> the Access Point is also encrypted and "cannot be sniffed". Does this
> "data encryption" depend only on the AP's encryption settings (eg. AES)
> and does FreeRadius get out of this equation after authentication?

Radius has nothing to do with that.

> If I install a self-signed certificate on another Windows client and
> connect via EAP-TLS then I can connect without having to use an Active
> Directory user, as expected.
>
> I'm wondering if I can *require* both a certificate on the client machine
> AND an AD user authentication. In other words, how can I *require*
> PEAP-EAP-TLS? (currently, my freeradius configuration seems to require
> PEAP OR EAP-TLS)
>
> Freeradius version: 2.0.5

Don't know about that version. It should say how to require certificates for peap in eap.conf above peap section. At least it does in the current version. If it doesn't - it probably isn't supported, so upgrade.

Ivan Kalik
Kalik Informatika ISP
PEAP + EAP-TLS: client certificates
Hi,

Sorry for the trivial questions but here I go:

I think I configured freeradius correctly for EAP-TLS and PEAP with MS-CHAP, which authenticates using the ntlm_auth helper application.

If I try to connect from a Windows client via a wireless AP "WIFIAP1" with Active Directory "user1" I see this in the log:

    Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/] (from client WIFIAP1 port 0 via TLS tunnel)
    Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/] (from client WIFIAP1 port 48 cli 001a73f7f0f7)

Dumb question: does this mean the client used PEAP to connect? Can I deduce this from "Auth-Type = EAP" and from "via TLS tunnel"?

If connected via PEAP, authentication is "secure". However, I'd like to know if the data exchanged between the clients and the rest of the LAN via the Access Point is also encrypted and "cannot be sniffed". Does this "data encryption" depend only on the AP's encryption settings (eg. AES) and does FreeRadius get out of this equation after authentication?

If I install a self-signed certificate on another Windows client and connect via EAP-TLS then I can connect without having to use an Active Directory user, as expected.

I'm wondering if I can *require* both a certificate on the client machine AND an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? (currently, my freeradius configuration seems to require PEAP OR EAP-TLS)

Freeradius version: 2.0.5

Thanks,
Vieri
cannot upgrade 2.1.6 to 2.1.7
Hi,

I'm trying to upgrade my radius server from 2.1.6 to 2.1.7 but whenever I try to make the build I'm getting the following error:

    xlat.c:548: warning: passing argument 3 of 'xlat_register' discards qualifiers from pointer target type
    xlat.c:557: warning: passing argument 3 of 'xlat_register' discards qualifiers from pointer target type
    xlat.c:569: warning: passing argument 3 of 'xlat_register' discards qualifiers from pointer target type
    xlat.c:577: warning: passing argument 3 of 'xlat_register' discards qualifiers from pointer target type
    xlat.c:582: warning: passing argument 3 of 'xlat_register' discards qualifiers from pointer target type
    event.c: In function 'wait_a_bit':
    event.c:1166: warning: implicit declaration of function 'pthread_equal'
    event.c:1177: error: 'wait_for_child_to_die' undeclared (first use in this function)
    event.c:1177: error: (Each undeclared identifier is reported only once
    event.c:1177: error: for each function it appears in.)
    event.c: In function 'radius_event_init':
    event.c:3441: warning: unused variable 'attr'
    make[5]: *** [event.lo] Error 1
    make[4]: *** [common] Error 2
    make[3]: *** [all] Error 2
    make[2]: *** [common] Error 2
    make[1]: *** [all] Error 2
    make: *** [*/*/*/*/*/*/freeradius-server-2.1.7/src/main/radiusd] Error 2

Please help me. Where should I declare it??

Thanks & Regards,
Kachin
Re: problem with default configuration in 2.0.4-3 version
2009/10/22 Alan DeKok
> Ana Gallardo wrote:
> > Hello, I have installed debian lenny with freeradius 2.0.4-3:
> ...
> > /etc/freeradius# freeradius -X
> ...
> > Starting - reading configuration files ...
> ...
> > including files in directory /etc/freeradius/sites-enabled/
>
> There are no files in that directory. You either deleted them, or
> they were not installed by the package.

I deleted nothing in my sites-enabled directory, it was empty. I created a soft link and everything is ok now.

    /etc/freeradius# ls -l sites-enabled/
    total 0
    lrwxrwxrwx 1 root freerad 39 oct 22 12:29 default -> /etc/freeradius/sites-available/default

Thank you very much Alan.

--
Ana Gallardo Gómez
Re: problem with default configuration in 2.0.4-3 version
Ana Gallardo wrote:
> Hello, I have installed debian lenny with freeradius 2.0.4-3:
...
> /etc/freeradius# freeradius -X
...
> Starting - reading configuration files ...
...
> including files in directory /etc/freeradius/sites-enabled/

There are no files in that directory. You either deleted them, or they were not installed by the package.

Ensure that the file "sites-enabled/default" exists. It should be a soft link to "sites-available/default".

Alan DeKok.
problem with default configuration in 2.0.4-3 version
Hello,

I have installed debian lenny with freeradius 2.0.4-3:

    /etc/freeradius# dpkg -l | grep freeradius
    hi  freeradius         2.0.4-3  a high-performance and highly configurable RADIUS server
    hi  freeradius-common  2.0.4-3  FreeRadius common files
    hi  freeradius-ldap    2.0.4-3  LDAP module for FreeRADIUS server
    hi  freeradius-mysql   2.0.4-3  MySQL module for FreeRADIUS server
    hi  freeradius-utils   2.0.4-3  FreeRadius client utilities
    hi  libfreeradius-dev  2.0.4-3  FreeRADIUS shared library development files
    hi  libfreeradius2     2.0.4-3  FreeRADIUS shared library

and I can't run the default configuration following these instructions: http://deployingradius.com/documents/configuration/pap.html

Here is my debug information:

    /etc/freeradius# freeradius -X
    FreeRADIUS Version 2.0.4, for host x86_64-pc-linux-gnu, built on Oct 20 2009 at 11:45:11
    Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License.
    Starting - reading configuration files ...
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/proxy.conf
    including configuration file /etc/freeradius/clients.conf
    including configuration file /etc/freeradius/snmp.conf
    including configuration file /etc/freeradius/eap.conf
    including configuration file /etc/freeradius/policy.conf
    including files in directory /etc/freeradius/sites-enabled/
    including dictionary file /etc/freeradius/dictionary
    main {
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/freeradius"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/freeradius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = "/var/run/freeradius/freeradius.pid"
        user = "freerad"
        group = "freerad"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
        security {
            max_attributes = 200
            reject_delay = 1
            status_server = yes
        }
    }
    client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
    }
    radiusd: Loading Realms and Home Servers
    proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
    }
    home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_check = "none"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
    }
    home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
    }
    realm example.com {
        auth_pool = my_auth_failover
    }
    realm LOCAL {
    }
    radiusd: Instantiating modules
    instantiate {
    Module: Linked to module rlm_exec
    Module: Instantiating exec
        exec {
            wait = yes
            input_pairs = "request"
            shell_escape = yes
        }
    Module: Linked to module rlm_expr
    Module: Instantiating expr
    Module: Linked to module rlm_expiration
    Module: Instantiating expiration
        expiration {
            reply-message = "Password Has Expired "
        }
    Module: Linked to module rlm_logintime
    Module: Instantiating logintime
        logintime {
            reply-message = "You are calling outside your allowed timespan "
            minimum-timeout = 60
        }
    }
    radiusd: Loading Virtual Servers
    server {
        modules {
        }
    }
    radiusd: Opening IP addresses and Ports
    listen {
        type = "auth"
        ipaddr = *
        port = 0
    }
    listen {
        type = "acct"
        ipaddr = *
        port = 0
    }
    main {
        snmp = no
        smux_password = ""
        snmp_write_access = no
    }
    Listening on authentication address * port 1812
    Listening on accounting address * port 1813
    Listening on proxy address * port 1814
    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1 port 53599, id=186, length=55
        User-Name = "bob"
        User-Password = "hello"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Login incorrect: [bob/hello] (from client localhost port 0)
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 186 to 127.0.0.1 port 53599
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 186 with timestamp +4
    Ready to process requests.

My
Re: mschap problem
Found! I've updated from 2.1.1 to 2.1.7 and with Stripped-User-Name now everything is right.

On 22/Oct/2009, at 11:27, Paolo Barbato wrote:

> I forgot to mention that I've used also
>
>     ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> but nothing changed.
>
> On 22/Oct/2009, at 11:12, Ivan Kalik wrote:
>
> > > I've configured freeradius to authenticate local users with our AD.
> > > When I use simple username "barbato" it works perfectly, but if I use barb...@igi.cnr.it it fails.
> > > From log it seems that it's not stripped the realm/domain part after @:
> > >
> > > [mschapv2] +- entering group MS-CHAP {...}
> > > [mschap] Told to do MS-CHAPv2 for barb...@igi.cnr.it with NT-Password
> > > [mschap] expand: --username=%{mschap:User-Name} -> --username=barb...@igi.cnr.it
> > > [mschap] mschap2: b9
> > > [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4e0cb755e2e70d10
> > > [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=a0e03bda2615311436749b892e3a741d7a8605a1037fcce1
> > > Exec-Program output: Logon failure (0xc06d)
> >
> > Right, so you have altered the default ntlm_auth line and replaced Stripped-User-Name with mschap:User-Name and now you are wondering why is it not using Stripped-User-Name???
> >
> > Ivan Kalik
> > Kalik Informatika ISP

Paolo Barbato              email: mailto:paolo.barb...@igi.cnr.it
Network Administrator      phone: (39-049)-829-5097 (39-049)-829-5000
Corso Stati Uniti,4        www: http://www.igi.cnr.it
35127 Camin-Padova         PGP: http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
ITALY                      JabberID: rfx_paolo_barb...@messenger.efda.org
Re: mschap problem
I forgot to mention that I've used also

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

but nothing changed.

On 22/Oct/2009, at 11:12, Ivan Kalik wrote:

> > I've configured freeradius to authenticate local users with our AD.
> > When I use simple username "barbato" it works perfectly, but if I use barb...@igi.cnr.it it fails.
> > From log it seems that it's not stripped the realm/domain part after @:
> >
> > [mschapv2] +- entering group MS-CHAP {...}
> > [mschap] Told to do MS-CHAPv2 for barb...@igi.cnr.it with NT-Password
> > [mschap] expand: --username=%{mschap:User-Name} -> --username=barb...@igi.cnr.it
> > [mschap] mschap2: b9
> > [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4e0cb755e2e70d10
> > [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=a0e03bda2615311436749b892e3a741d7a8605a1037fcce1
> > Exec-Program output: Logon failure (0xc06d)
>
> Right, so you have altered the default ntlm_auth line and replaced Stripped-User-Name with mschap:User-Name and now you are wondering why is it not using Stripped-User-Name???
>
> Ivan Kalik
> Kalik Informatika ISP
Re: mschap problem
> I've configured freeradius to authenticate local users with our AD.
>
> When I use simple username "barbato" it works perfectly, but if I use
> barb...@igi.cnr.it it fails.
>
> From log it seems that it's not stripped the realm/domain part after @:
>
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv2 for barb...@igi.cnr.it with NT-Password
> [mschap] expand: --username=%{mschap:User-Name} -> --username=barb...@igi.cnr.it
> [mschap] mschap2: b9
> [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4e0cb755e2e70d10
> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=a0e03bda2615311436749b892e3a741d7a8605a1037fcce1
> Exec-Program output: Logon failure (0xc06d)

Right, so you have altered the default ntlm_auth line and replaced Stripped-User-Name with mschap:User-Name and now you are wondering why is it not using Stripped-User-Name???

Ivan Kalik
Kalik Informatika ISP
Re: how to call an external script once the users is expired?
> I store the expiration date as a radius attribute inside the LDAP (radius
> profile object class).
>
> But where do I check this value and where do I call the script? In which module?

Run the script after ldap module in authorize. You should be able to pass it to script as %{control:Expiration} (I think that it will be on the control list).

Ivan Kalik
Kalik Informatika ISP
Re:
> See raddb/sites-available/dhcp, and modules/mac2ip
>
> Don't you have problems using these options? I read that it is in experimental
> stage. I think that this can break my server.

You'll never know if you don't try. It's not going to set your machine on fire or wipe clean your hard drive. It just might not work as expected.

Ivan Kalik
Kalik Informatika ISP
mschap problem
I've configured freeradius to authenticate local users with our AD.

When I use simple username "barbato" it works perfectly, but if I use barb...@igi.cnr.it it fails.

From the log it seems that the realm/domain part after @ is not stripped:

    [mschapv2] +- entering group MS-CHAP {...}
    [mschap] Told to do MS-CHAPv2 for barb...@igi.cnr.it with NT-Password
    [mschap] expand: --username=%{mschap:User-Name} -> --username=barb...@igi.cnr.it
    [mschap] mschap2: b9
    [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4e0cb755e2e70d10
    [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=a0e03bda2615311436749b892e3a741d7a8605a1037fcce1
    Exec-Program output: Logon failure (0xc06d)

I use this line in radius.conf:

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

and in proxy.conf:

    realm igi.cnr.it {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
        strip
    }

Regards,
Paolo.
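The debug line `--username=%{mschap:User-Name} -> --username=barb...@igi.cnr.it` is the whole story: the mschap xlat returns the name exactly as the client sent it, so realm stripping never reaches ntlm_auth, while the default `%{Stripped-User-Name:-%{User-Name:-None}}` uses the stripped name when the realm module produced one and falls back to User-Name otherwise. The following added example (not code from the thread or from FreeRADIUS) models the realm module and the `%{...:-default}` xlat syntax to show what each template hands to ntlm_auth for several login names, including an unknown realm; the realm table is constructed to mirror the proxy.conf block in the post.

```python
"""Model of rlm_realm stripping and %{Attr:-default} xlat expansion, to
contrast the altered and default ntlm_auth --username arguments from the
thread. Added example; the realm table is constructed from the post."""
import re

# Constructed from the post's proxy.conf: realm igi.cnr.it { ... strip }
REALMS = {"igi.cnr.it": {"strip": True}}

XLAT_RE = re.compile(r"%\{([^{}]*)\}")   # innermost %{...} (no nested braces)


def realm_authorize(request, realms=REALMS):
    """Model of rlm_realm: split User-Name on the last '@'; if the realm is
    known and stripping is on, add Stripped-User-Name with the bare user part."""
    attrs = dict(request)
    name = attrs.get("User-Name", "")
    if "@" not in name:
        return attrs
    user, realm = name.rsplit("@", 1)
    cfg = realms.get(realm)
    if cfg is None:          # unknown realm: nothing stripped, attributes untouched
        return attrs
    attrs["Realm"] = realm
    if cfg.get("strip", True):
        attrs["Stripped-User-Name"] = user
    return attrs


def xlat(template, attrs):
    """Expand %{Attr}, %{Attr:-default} and %{mschap:User-Name}. Innermost
    references are expanded first, so a default may itself be an xlat.
    %{mschap:User-Name} is modelled as the name the client put in its
    MS-CHAP response, i.e. the raw, unstripped User-Name seen in the post."""
    def lookup(m):
        ref, _, default = m.group(1).partition(":-")
        ref = ref.strip()
        if ref == "mschap:User-Name":
            return attrs.get("User-Name", default)
        return attrs.get(ref, default)   # missing attribute, no default -> ""

    while True:
        expanded = XLAT_RE.sub(lookup, template)
        if expanded == template:
            return expanded
        template = expanded


DEFAULT_USERNAME_ARG = "--username=%{Stripped-User-Name:-%{User-Name:-None}}"
ALTERED_USERNAME_ARG = "--username=%{mschap:User-Name}"   # the line from the post


def ntlm_username_arg(user_name, template):
    """What ntlm_auth receives as its --username argument for a login name."""
    return xlat(template, realm_authorize({"User-Name": user_name}))


if __name__ == "__main__":
    for login in ("barbato", "barbato@igi.cnr.it", "bob@other.example"):
        print(f"{login:22} default: {ntlm_username_arg(login, DEFAULT_USERNAME_ARG):32} "
              f"altered: {ntlm_username_arg(login, ALTERED_USERNAME_ARG)}")
```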