Re: EAP advanced auth. methods problem
> Alan DeKok wrote:
>> Tomas Pelka wrote:
>>> have a problem with "advanced" EAP authentication methods including
>>> PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2.
>>
>> I wouldn't call them "advanced..."
>>
>>> Certs was created with the makefile included in freeradius sources.
>>>
>>> All my experiments ending with: decapsulated EAP packet (code=4 id=4
>>> len=4) from RADIUS server: EAP Failure

Authentication works fine - you are getting an initial Access-Accept. But then:

[ttls] Skipping Phase2 due to session resumption
[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.

Read cache section of eap.conf.

Ivan Kalik

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP advanced auth. methods problem
Alan DeKok wrote:
> Tomas Pelka wrote:
>> have a problem with "advanced" EAP authentication methods including
>> PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2.
>
> I wouldn't call them "advanced..."
>
>> Certs was created with the makefile included in freeradius sources.
>>
>> All my experiments ending with: decapsulated EAP packet (code=4 id=4
>> len=4) from RADIUS server: EAP Failure
>>
>> Running as, for example
>> ./eapol_test -c test_tls.conf -a192.168.56.3 -p1812 -stesting123 -r1
>>
>> Output, eap.conf and test_tls.conf attached.
>
> Can you explain why you sent:
>
> * config files
>
> * eapol_test output
>
> And NOT the server debugging output, as suggested in the FAQ, README,
> INSTALL, "man" page, web pages, and daily on this list?
>
> You have sent everything EXCEPT the information we need to help you.

Yes you are right, shame on me! radiusd -X output is attached now.

Sorry
--
Tom

FreeRADIUS Version 2.1.7, for host i486-pc-linux-gnu, built on Nov 18 2009 at 00:32:07
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/control-socket
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/f
Re: Freeradius load balancing.
Nick Warr wrote:
> I may have misphrased the question, if the ip pool is a single one,
> containing say 192.168.1.1 - 192.168.1.50, is there a way that the
> second Radius server can know the IPs distributed by the first Radius
> server to avoid duplicate IP assignments?

You said they both talked to the same database. I would *presume* that the database works correctly. i.e. it doesn't give an IP to one RADIUS server, and then lie to the second, and tell it that the IP is unallocated.

Alan DeKok.
Re: Failed default PAP in CentOS
At 01:17 PM 11/20/2009, t...@kalik.net wrote:
> http://wiki.freeradius.org/Red_Hat_FAQ#Current_Pre-built_RPM.27s_for_RHEL_5_and_CentOS_5

Just what I needed - thanks!

Rick
Re: MySql on Freeradius
> Since I want OpenSSL support i need to make my own build which Ubuntu´s
> own Freeradius release in Synaptic does not seem to have support for.
>
> I have tried to find information on the net about how to make a build of
> Freeradius that works together with MySql.

If you built from source mysql is supported if you have mysql development libraries. All you have to do is remove comments from $INCLUDE sql.conf in radiusd.conf and from sql entries you want in virtual servers.

Ivan Kalik
Re: Failed default PAP in CentOS
freerad...@corwyn.net wrote:
> CentOS 5.2
> installing freeradius from the default base repository
> freeradius-1.1.3-1.5.el5_4

See the Wiki. You can install updated versions of FreeRADIUS.

> If I add, to the top of /etc/raddb/users:
> bob Cleartext-Password := "hello"
>
> Then when I attempt to start freeradius I get:
> /etc/raddb/users[1]: Parse error (check) for entry bob: Unknown
> attribute "Cleartext-Password"

Upgrade.

Alan DeKok.
Re: Failed default PAP in CentOS
> CentOS 5.2
> installing freeradius from the default base repository
> freeradius-1.1.3-1.5.el5_4

Install current version instead.

http://wiki.freeradius.org/Red_Hat_FAQ#Current_Pre-built_RPM.27s_for_RHEL_5_and_CentOS_5

> If I add, to the top of /etc/raddb/users:
> bob Cleartext-Password := "hello"

Which really doesn't exist in ancient 1.1.3.

> Then when I attempt to start freeradius I get:
> /etc/raddb/users[1]: Parse error (check) for entry bob: Unknown
> attribute "Cleartext-Password"

If you don't want to upgrade, read users file and see what password attribute is used in 1.1.3. I think it was User-Password then.

Ivan Kalik
RE: need help authenticating against AD
> Technically, this is all I need; this seems like a hacked way of doing
> things,

Well, you have to hack things if you don't want freeradius server to authenticate users but get the result of authentication done by something else.

> though and I want to understand the operations of the server
> better. I commented out the pap and unix modules in
> ../sites-enabled/inner-tunnel and default and I also removed the DEFAULT
> line from the top of the users file.

You should remove unix (if you are going to use AD passwords and not local system ones). Put pap back. Instead of forcing things in users file put this bit of unlang *below* pap in authorize:

if (!control:Auth-Type) {
	update control {
		Auth-Type = "ntlm_auth"
	}
}

If none of the standard modules set Auth-Type this will set ntlm_auth.

Ivan Kalik
Failed default PAP in CentOS
CentOS 5.2
installing freeradius from the default base repository
freeradius-1.1.3-1.5.el5_4

If I add, to the top of /etc/raddb/users:
bob Cleartext-Password := "hello"

Then when I attempt to start freeradius I get:
/etc/raddb/users[1]: Parse error (check) for entry bob: Unknown attribute "Cleartext-Password"

I haven't made any other changes to freeradius other than the rpm install.

(full debug output)

[r...@ns4 ~]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
/etc/raddb/users[1]: Parse error (check) for entry bob: Unknown attribute "Cleartext-Password"
Errors reading /etc/raddb/users
radiusd.conf[1059]: files: Module instantiation failed.
radiusd.conf[1837] Unknown module "files".
radiusd.conf[1773] Failed to parse authorize section.

If I remove that line, freeradius appears ok:

[r...@ns4 ~]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: rada
Re: Module not invoking for CHAP authentication
> i am using freeradius 2.1.6 and solaris 10.
>
> i created one module like rlm_radius. This module does authentication using
> java file which resides in Jboss server
>
> for PAP authentication it is working fine going to java file and checking
> the logic. but when i use CHAP authentication it is showing segment fault

Guess what's broken: freeradius or your module. You will have to debug your module yourself - we can't help you with that.

Ivan Kalik
Re: Freeradius load balancing.
>> MySQL is a DB. If it exports a transactional API, then it doesn't
>> matter if two RADIUS servers are allocating IP's simultaneously.
>>
>> Alan DeKok.
>>
> I may have misphrased the question,

No, you didn't understand the answer.

> if the ip pool is a single one,
> containing say 192.168.1.1 - 192.168.1.50, is there a way that the
> second Radius server can know the IPs distributed by the first Radius
> server to avoid duplicate IP assignments?

It knows the same way as the first one - through sqlippool queries.

> Or is the only way to have two separate ip pools without overlap?

No.

Ivan Kalik
Re: Freeradius load balancing.
On Fri, 2009-11-20 at 15:52 +0100, Nick Warr wrote:
> I may have misphrased the question, if the ip pool is a single one,
> containing say 192.168.1.1 - 192.168.1.50, is there a way that the
> second Radius server can know the IPs distributed by the first Radius
> server to avoid duplicate IP assignments?
>
> Or is the only way to have two separate ip pools without overlap?

It might be better to mark a set of IPs for allocation for each radius server. I currently have something similar and using master-master sql replication. There can be delays with the replication so to be safe I created a field for the radius server allocating a particular IP.

eg of a table struct

ip          | free | radius_server
192.168.0.1 | 1    | radius1
192.168.0.2 | 1    | radius1
192.168.0.3 | 1    | radius1
192.168.0.4 | 1    | radius1
192.168.0.5 | 1    | radius2
192.168.0.6 | 1    | radius2
192.168.0.7 | 1    | radius2
192.168.0.8 | 1    | radius2

SELECT ip FROM ips WHERE free = 1 and radius_server ='radius1';

Note: Above is an example and differs from freeradius default sql ippool struct.
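Alan DeKok's answer earlier in this thread (the database's transactional API is what stops two servers from handing out the same address) and the per-server table just posted come down to the same requirement: the SELECT that finds a free row and the UPDATE that marks it taken must not be separable by the other server. The script below is an added example, not FreeRADIUS's own sqlippool queries or schema. It builds an in-memory sqlite3 table modelled on the struct above, deliberately interleaves two RADIUS instances so that both run their SELECT before either runs its UPDATE, and contrasts a blind UPDATE with a compare-and-set UPDATE whose WHERE clause re-checks free = 1. The table name, columns, pool addresses and server names are constructed for the example.

```python
import sqlite3

# Constructed shared pool for the demo; in the thread's scenario both load
# balanced servers draw from this one range.
SHARED_POOL = ["192.168.1.1", "192.168.1.2", "192.168.1.3"]


def make_db():
    """Hypothetical pool table: ip | free | owner (not the sqlippool schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ips (ip TEXT PRIMARY KEY, free INTEGER NOT NULL, owner TEXT)")
    db.executemany("INSERT INTO ips VALUES (?, 1, NULL)", [(ip,) for ip in SHARED_POOL])
    db.commit()
    return db


def pick_candidate(db):
    """Step 1 of every allocator: find the lowest address still marked free."""
    row = db.execute("SELECT ip FROM ips WHERE free = 1 ORDER BY ip LIMIT 1").fetchone()
    return row[0] if row else None


def blind_claim(db, ip, owner):
    """Racy step 2: trust the earlier SELECT and overwrite the row unconditionally."""
    db.execute("UPDATE ips SET free = 0, owner = ? WHERE ip = ?", (owner, ip))
    db.commit()
    return True


def atomic_claim(db, ip, owner):
    """Safe step 2: compare-and-set. The WHERE clause re-checks free = 1 inside
    the same statement, so only one writer can flip the row; rowcount says who won."""
    cur = db.execute(
        "UPDATE ips SET free = 0, owner = ? WHERE ip = ? AND free = 1", (owner, ip)
    )
    db.commit()
    return cur.rowcount == 1


def allocate_concurrently(db, owners, claim, max_tries=3):
    """Simulate several servers handling Access-Requests at the same instant:
    in each round every pending server runs its SELECT before any runs its UPDATE.
    A server whose claim fails retries in the next round with a fresh SELECT."""
    result = {}
    pending = list(owners)
    for _ in range(max_tries):
        candidates = {o: pick_candidate(db) for o in pending}   # all SELECTs first
        still_pending = []
        for o in pending:
            ip = candidates[o]
            if ip is not None and claim(db, ip, o):
                result[o] = ip
            else:
                still_pending.append(o)                        # lost the race (or pool empty)
        pending = still_pending
        if not pending:
            break
    return result


def duplicates(result):
    """Addresses handed to more than one server, i.e. the failure the thread asks about."""
    ips = list(result.values())
    return sorted({ip for ip in ips if ips.count(ip) > 1})


if __name__ == "__main__":
    racy = allocate_concurrently(make_db(), ["radius1", "radius2"], blind_claim)
    safe = allocate_concurrently(make_db(), ["radius1", "radius2"], atomic_claim)
    print("blind UPDATE :", racy, "duplicates:", duplicates(racy))
    print("atomic UPDATE:", safe, "duplicates:", duplicates(safe))
```

With the blind UPDATE both servers pick 192.168.1.1 and both believe they own it; with the atomic UPDATE the second server's claim returns rowcount 0, it re-selects and ends up with 192.168.1.2. On MySQL the same guarantee comes from running the SELECT ... FOR UPDATE and the UPDATE inside one transaction so the row stays locked between the two steps; the rowcount check is the engine-independent form of the same idea. Partitioning the pool per server, as in the table above, sidesteps the contention altogether; the atomic claim is what makes a single shared pool safe.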
RE: need help authenticating against AD
You broke the server and authentication fails - not a surprise. If the server cannot discover the source/type of auth then you need to give it a hint - users file will feed that hint. I think you don't need the unix module

--- original message ---
From: "Michael Phillips"
Subject: RE: need help authenticating against AD
Date: 20th November 2009
Time: 4:25:56

I followed the directions in that link prior to emailing the group. For some reason, it still isn't working as expected. If I put this line at the top of the users file, VPN users and Cisco exec users are able to authenticate with their AD account.

DEFAULT Auth-Type = ntlm_auth

This is the debug output from a successful auth:

rad_recv: Access-Request packet from host w.x.y.z port 1645, id=33, length=86
	User-Name = "mphillips"
	User-Password = ""
	NAS-Port = 1
	NAS-Port-Id = "tty1"
	NAS-Port-Type = Virtual
	Calling-Station-Id = "w.x.y.z"
	NAS-IP-Address = w.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "mphillips", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = ntlm_auth
+- entering group ntlm_auth {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=mphillips
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [mphillips] (from client Access-Layer-Switch1 port 1 cli w.x.y.z)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 33 to w.x.y.z port 1645
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 33 with timestamp +16
Ready to process requests.

Technically, this is all I need; this seems like a hacked way of doing things, though and I want to understand the operations of the server better. I commented out the pap and unix modules in ../sites-enabled/inner-tunnel and default and I also removed the DEFAULT line from the top of the users file.

Now I get this debug output:

rad_recv: Access-Request packet from host w.x.y.z port 1645, id=34, length=86
	User-Name = "mphillips"
	User-Password = ""
	NAS-Port = 1
	NAS-Port-Id = "tty1"
	NAS-Port-Type = Virtual
	Calling-Station-Id = "w.x.y.z"
	NAS-IP-Address = w.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "mphillips", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [mphillips/] (from client Access-Layer-Switch1 port 1 cli w.x.y.z)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> mphillips
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 34 to 10.200.1.4 port 1645
Waking up in 4.6 seconds.
Cleaning up request 0 ID 34 with timestamp +12
Ready to process requests.

Thanks for any assistance.

-Mike

> Date: Thu, 19 Nov 2009 22:30:50 +
> Subject: Re: need help authenticating against AD
> From: t...@kalik.net
> To: freeradius-users@lists.freeradius.org
>
> > I need some help authenticating against AD. I have followed directions
> > online as best as I can, but things still aren't working as expected.
> > These:
> > http://deployingradius.com/documents/configuration/active_directory.html
> > I'm
> > ultimately hoping to have our VPN users and admins logging into Cisco
> > network equipment authenticate against AD through our FreeRADIUS 2
> > installation. Today, I have been testing authentication from one of Cisco
> > switches, and I continually receive this basic output:
>
> You are not authenticating against AD. You are authenticating against
> local system file:
> ...
> > Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated
> ...
> > Thu Nov 19 16:17:34 2009 : Info: [pap] login attempt with password ""
> > Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption.
> > Thu Nov 19 16:17:34 2009 : Info: [pap] Passwords don't match
>
> ... and the password isn't correct.
>
> > I can't tell from this output if the RADIUS server is ever even attempting
> > to reach AD.
>
> It isn't.
>
> > Obviously
RE: need help authenticating against AD
I followed the directions in that link prior to emailing the group. For some reason, it still isn't working as expected. If I put this line at the top of the users file, VPN users and Cisco exec users are able to authenticate with their AD account.

DEFAULT Auth-Type = ntlm_auth

This is the debug output from a successful auth:

rad_recv: Access-Request packet from host w.x.y.z port 1645, id=33, length=86
	User-Name = "mphillips"
	User-Password = ""
	NAS-Port = 1
	NAS-Port-Id = "tty1"
	NAS-Port-Type = Virtual
	Calling-Station-Id = "w.x.y.z"
	NAS-IP-Address = w.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "mphillips", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = ntlm_auth
+- entering group ntlm_auth {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=mphillips
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [mphillips] (from client Access-Layer-Switch1 port 1 cli w.x.y.z)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 33 to w.x.y.z port 1645
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 33 with timestamp +16
Ready to process requests.

Technically, this is all I need; this seems like a hacked way of doing things, though and I want to understand the operations of the server better. I commented out the pap and unix modules in ../sites-enabled/inner-tunnel and default and I also removed the DEFAULT line from the top of the users file.

Now I get this debug output:

rad_recv: Access-Request packet from host w.x.y.z port 1645, id=34, length=86
	User-Name = "mphillips"
	User-Password = ""
	NAS-Port = 1
	NAS-Port-Id = "tty1"
	NAS-Port-Type = Virtual
	Calling-Station-Id = "w.x.y.z"
	NAS-IP-Address = w.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "mphillips", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [mphillips/] (from client Access-Layer-Switch1 port 1 cli w.x.y.z)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> mphillips
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 34 to 10.200.1.4 port 1645
Waking up in 4.6 seconds.
Cleaning up request 0 ID 34 with timestamp +12
Ready to process requests.

Thanks for any assistance.

-Mike

> Date: Thu, 19 Nov 2009 22:30:50 +
> Subject: Re: need help authenticating against AD
> From: t...@kalik.net
> To: freeradius-users@lists.freeradius.org
>
> > I need some help authenticating against AD. I have followed directions
> > online as best as I can, but things still aren't working as expected.
> > These:
> > http://deployingradius.com/documents/configuration/active_directory.html
> > I'm
> > ultimately hoping to have our VPN users and admins logging into Cisco
> > network equipment authenticate against AD through our FreeRADIUS 2
> > installation. Today, I have been testing authentication from one of Cisco
> > switches, and I continually receive this basic output:
>
> You are not authenticating against AD. You are authenticating against
> local system file:
> ...
> > Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated
> ...
> > Thu Nov 19 16:17:34 2009 : Info: [pap] login attempt with password ""
> > Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption.
> > Thu Nov 19 16:17:34 2009 : Info: [pap] Passwords don't match
>
> ... and the password isn't correct.
>
> > I can't tell from this output if the RADIUS server is ever even attempting
> > to reach AD.
>
> It isn't.
>
> > Obviously, if I enter the correct password for my username on
> > the RADIUS server itself, authentication will succeed, but this is not the
> > desired behavior at this time.
>
> Comment out unix in authorize then. If you follow the guide this will work
> with Auth-Type := ntlm_auth in users file.
>
> Ivan Kalik
Re: Freeradius load balancing.
On 11/20/2009 09:52 AM, Nick Warr wrote:
> Alan DeKok ha scritto:
>> nick wrote:
>>> At the moment we have a freeradius 1.1.3 server on CentOS which is
>>> functioning fine, but due to circumstances, and the devices we are using
>>> as NASes, the ip pools are located on the NAS instead of being
>>> centralized on the RADIUS server as we'd like it.
>>
>> You should really upgrade to a more recent version.
>
> That's the plan :)

You'll find current pre-built packages for CentOS here:

http://wiki.freeradius.org/Red_Hat_FAQ

--
John Dennis
Re: Freeradius load balancing.
Alan DeKok ha scritto:
> nick wrote:
>> At the moment we have a freeradius 1.1.3 server on CentOS which is
>> functioning fine, but due to circumstances, and the devices we are using
>> as NASes, the ip pools are located on the NAS instead of being
>> centralized on the RADIUS server as we'd like it.
>
> You should really upgrade to a more recent version.

That's the plan :)

>> We'd now like to make things a bit more robust, including a clustered
>> MySQL backend for AAA, and, if possible, load balanced freeradius
>> servers on the front end.
>>
>> We'd also like to use SQL ip pools. I am only unsure about one thing
>> though. If we have a shared pool available via DB, what prevents the two
>> load balanced radius instances from giving out the same ip address?
>
> For one, SQL IP pools are likely to *not* work in 1.1.3. There were a
> number of fixes put into 2.x that solved those problems.

Certainly, the idea is to upgrade the whole infrastructure, to allow for more flexibility, and redundancy.

>> I've been doing a fair bit of googling, but without a whole lot of luck
>> in this respect.
>
> MySQL is a DB. If it exports a transactional API, then it doesn't
> matter if two RADIUS servers are allocating IP's simultaneously.
>
> Alan DeKok.

I may have misphrased the question, if the ip pool is a single one, containing say 192.168.1.1 - 192.168.1.50, is there a way that the second Radius server can know the IPs distributed by the first Radius server to avoid duplicate IP assignments?

Or is the only way to have two separate ip pools without overlap?
Re: Freeradius load balancing.
nick wrote:
> At the moment we have a freeradius 1.1.3 server on CentOS which is
> functioning fine, but due to circumstances, and the devices we are using
> as NASes, the ip pools are located on the NAS instead of being
> centralized on the RADIUS server as we'd like it.

You should really upgrade to a more recent version.

> We'd now like to make things a bit more robust, including a clustered
> MySQL backend for AAA, and, if possible, load balanced freeradius
> servers on the front end.
>
> We'd also like to use SQL ip pools. I am only unsure about one thing
> though. If we have a shared pool available via DB, what prevents the two
> load balanced radius instances from giving out the same ip address?

For one, SQL IP pools are likely to *not* work in 1.1.3. There were a number of fixes put into 2.x that solved those problems.

> I've been doing a fair bit of googling, but without a whole lot of luck
> in this respect.

MySQL is a DB. If it exports a transactional API, then it doesn't matter if two RADIUS servers are allocating IP's simultaneously.

Alan DeKok.
MySql on Freeradius
Hello everyone!

I have succeeded in most what i want to accomplish but stupid me forgot that I would also want to be able to administrate the users through a GUI instead of jump into the users.conf file every time i need to add a new user.

Since I want OpenSSL support i need to make my own build which Ubuntu´s own Freeradius release in Synaptic does not seem to have support for.

I have tried to find information on the net about how to make a build of Freeradius that works together with MySql. The guides I have read are all about installing with the help of synaptic package manager in ubuntu 9.04 and install freeradius-mysql.

A question I have is if that module comes with the build I make when I'm downloading from Freeradius site? If not do I need it to be able to get mysql work together with freeradius and if I do need it, how can I do a separate installation of it? Or can I use the one I find in Ubuntu´s Synaptic Package Manager?

Lots of questions I know, hope you can find the time to answer them.

Best regards/
Peter
Re: Authentication
kachin Agarwal wrote:
> I'm currently using freeradius-server 2.1.7.
> when i try to authenticate it takes about 400 millisec to authenticate.
> i use peap-mschapv2 for authentication.
> So in 1 sec the number of devices i can authenticate is just 4 to 5.

No. Multiple authentications can be done in parallel.

> so what to do? should i modify anything in the freeradius code to
> increase the authentication rate.

For EAP, the only way to increase performance is to buy a faster machine. Nearly all of the CPU time is spent doing cryptographic calculations. See raddb/certs/README, the PERFORMANCE section.

Alan DeKok.
Re: Accessing a second AV Pair
Robert White wrote:
> Ah ha! Thanks for that. I've managed to access my second AVPair by
> using []. Now, because it's a Quintum, much like a Cisco, the value is
> Quintum-AVPair = "h323-incoming-conf-id=34623031 35363261 3031 "
> rather than the preferred Quintum-AVPair = "34623031 35363261 3031 ".
> I have the vsa hack enabled and it works on a value such as
> Quintum-h323-setup-time = "h323-setup-time=03:39:54.875 UTC Mon Nov 16 2009"
> but not on the Quintum-AVPairs.
>
> Is there a way to run the AVPairs through whatever method it is that
> applies the vsa hack?

You will need to modify the source code.

Alan DeKok.
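The "name=value" convention inside a Cisco- or Quintum-style AVPair is simple enough to show in a few lines. The following is an added example, not FreeRADIUS code and not the vsa hack itself: it splits a value on its first "=", strips the prefix only when it looks like a bare attribute name, and rewrites a generic Quintum-AVPair into a constructed "Quintum-<name>" attribute (an assumption for illustration; whether such a name exists in the dictionary is not something the thread tells us). The sample values are modelled on the ones quoted above.

```python
"""Split Cisco/Quintum-style 'name=value' AV pair strings.

Added example, not FreeRADIUS code. It mimics, in Python, what the thread
describes the 'vsa hack' doing for the named Quintum attributes (dropping
a leading 'name=' that repeats the attribute name) and extends it to the
generic Quintum-AVPair, where the prefix is the only hint of the name.
"""
from typing import List, Optional, Tuple


def split_avpair(raw: str) -> Tuple[Optional[str], str]:
    """Return (name, value) for 'name=value'; (None, raw) when there is no prefix.

    Only the first '=' splits, so values that contain '=' survive intact.
    The value keeps its internal spaces (h323 conf IDs are space-separated
    hex words) but loses surrounding whitespace.
    """
    name, sep, value = raw.partition("=")
    if not sep or not name.strip() or " " in name.strip():
        # No prefix, or something that is not a bare attribute name:
        # treat the whole string as the value.
        return None, raw.strip()
    return name.strip(), value.strip()


def unwrap_avpairs(attrs: List[Tuple[str, str]],
                   vendor: str = "Quintum") -> List[Tuple[str, str]]:
    """Rewrite '<vendor>-AVPair = "name=value"' into ('<vendor>-name', value).

    The target attribute name '<vendor>-<name>' is an assumption of this
    example. Named vendor attributes whose value repeats their own name as
    a prefix are stripped too, which is the behaviour the post describes
    for Quintum-h323-setup-time. Everything else passes through unchanged.
    """
    out: List[Tuple[str, str]] = []
    generic = f"{vendor}-AVPair"
    for attr, value in attrs:
        if attr == generic:
            name, val = split_avpair(value)
            out.append((f"{vendor}-{name}", val) if name else (attr, val))
        elif attr.startswith(vendor + "-"):
            name, val = split_avpair(value)
            if name and attr == f"{vendor}-{name}":
                out.append((attr, val))
            else:
                out.append((attr, value))
        else:
            out.append((attr, value))
    return out


# Constructed sample modelled on the values quoted in the thread.
SAMPLE = [
    ("Quintum-AVPair", "h323-incoming-conf-id=34623031 35363261 3031 "),
    ("Quintum-h323-setup-time", "h323-setup-time=03:39:54.875 UTC Mon Nov 16 2009"),
    ("Quintum-AVPair", "34623031 35363261 3031"),
    ("User-Name", "alice=bob"),   # non-vendor attribute: an '=' here is data, not a prefix
]

if __name__ == "__main__":
    for attr, value in unwrap_avpairs(SAMPLE):
        print(f'{attr} = "{value}"')
```

The non-vendor attribute in the sample is there on purpose: a split applied to every attribute would mangle user names and passwords that happen to contain "=", so the rewrite is restricted to the vendor's own attributes.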
Re: EAP advanced auth. methods problem
Tomas Pelka wrote:
> have a problem with "advanced" EAP authentication methods including
> PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2.

I wouldn't call them "advanced..."

> Certs were created with the makefile included in freeradius sources.
>
> All my experiments end with: decapsulated EAP packet (code=4 id=4
> len=4) from RADIUS server: EAP Failure
>
> Running as, for example
> ./eapol_test -c test_tls.conf -a192.168.56.3 -p1812 -stesting123 -r1
>
> Output, eap.conf and test_tls.conf attached.

Can you explain why you sent:

* config files

* eapol_test output

And NOT the server debugging output, as suggested in the FAQ, README, INSTALL, "man" page, web pages, and daily on this list?

You have sent everything EXCEPT the information we need to help you.

Alan DeKok.
Authentication
Hi, I'm currently using freeradius-server 2.1.7. When I try to authenticate it takes about 400 milliseconds to authenticate. I use PEAP-MSCHAPv2 for authentication. So in 1 sec the number of devices I can authenticate is just 4 to 5. So what to do? Should I modify anything in the freeradius code to increase the authentication rate? Thanks & Regards, kachin
Freeradius load balancing.
At the moment we have a freeradius 1.1.3 server on CentOS which is functioning fine, but due to circumstances, and the devices we are using as NASes, the IP pools are located on the NAS instead of being centralized on the RADIUS server as we'd like. We'd now like to make things a bit more robust, including a clustered MySQL backend for AAA, and, if possible, load-balanced freeradius servers on the front end. We'd also like to use SQL IP pools. I am only unsure about one thing, though. If we have a shared pool available via DB, what prevents the two load-balanced radius instances from giving out the same IP address? I've been doing a fair bit of googling, but without a whole lot of luck in this respect. Thanks for any info, Nick Warr.
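The concern in the question is a classic read-then-write race, and the database itself is what has to settle it. The following is an added example, not FreeRADIUS's rlm_sqlippool and not the poster's setup: two SQLite connections stand in for two load-balanced servers sharing one constructed three-address pool table, and the worst-case interleaving (both servers read the pool before either writes) is replayed twice. With an unconditional UPDATE both servers hand out the same address; with the "owner IS NULL" guard kept inside the UPDATE, the second writer matches zero rows, sees that from the row count, and takes the next free address instead. MySQL's row locks make the same single-statement guard the thing to rely on there too.

```python
"""Shared SQL IP pool: claim rows with a guarded UPDATE, do not just read them.

Added example, not FreeRADIUS's rlm_sqlippool. Two SQLite connections
model two load-balanced RADIUS servers sharing one pool table.
"""
import os
import shutil
import sqlite3
import tempfile
from typing import List, Optional, Tuple

POOL = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed three-address pool


def create_pool() -> str:
    """Create the pool table in a temporary on-disk SQLite file; return its path."""
    path = os.path.join(tempfile.mkdtemp(), "ippool.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE pool (ip TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO pool (ip, owner) VALUES (?, NULL)",
                     [(ip,) for ip in POOL])
    conn.commit()
    conn.close()
    return path


def pick_free(conn: sqlite3.Connection) -> Optional[str]:
    """Step 1: read the lowest unowned address. No lock survives this read."""
    row = conn.execute(
        "SELECT ip FROM pool WHERE owner IS NULL ORDER BY ip LIMIT 1").fetchone()
    return row[0] if row else None


def claim(conn: sqlite3.Connection, ip: str, owner: str, conditional: bool) -> bool:
    """Step 2: write ownership.

    With conditional=True the WHERE clause re-checks 'owner IS NULL' inside
    the same statement, so a row the other server took in the meantime is
    left alone and rowcount == 0 tells the caller it lost the race.
    """
    if conditional:
        cur = conn.execute(
            "UPDATE pool SET owner = ? WHERE ip = ? AND owner IS NULL", (owner, ip))
    else:
        cur = conn.execute("UPDATE pool SET owner = ? WHERE ip = ?", (owner, ip))
    conn.commit()
    return cur.rowcount == 1


def allocate(conn: sqlite3.Connection, owner: str, conditional: bool) -> Optional[str]:
    """Full allocation: pick, claim, and retry while another server wins the row."""
    while True:
        ip = pick_free(conn)
        if ip is None or claim(conn, ip, owner, conditional):
            return ip


def simulate(conditional: bool) -> List[Tuple[str, Optional[str]]]:
    """Replay the interleaving where both servers read before either writes."""
    path = create_pool()
    a = sqlite3.connect(path, timeout=5)
    b = sqlite3.connect(path, timeout=5)
    try:
        ip_a, ip_b = pick_free(a), pick_free(b)      # both see 10.0.0.1 as free
        ok_a = claim(a, ip_a, "radius1", conditional)
        ok_b = claim(b, ip_b, "radius2", conditional)
        if not ok_b:                                 # guarded UPDATE hit 0 rows: retry
            ip_b = allocate(b, "radius2", conditional)
        return [("radius1", ip_a if ok_a else None), ("radius2", ip_b)]
    finally:
        a.close()
        b.close()
        shutil.rmtree(os.path.dirname(path), ignore_errors=True)


if __name__ == "__main__":
    print("unconditional UPDATE:", simulate(False))   # same address handed out twice
    print("guarded UPDATE:      ", simulate(True))    # two distinct addresses
```

The point to take from the row count check is that the second server never learns about the collision from its SELECT; it only learns from the UPDATE affecting no rows, so the allocation loop must be written to expect that outcome and retry rather than trust the earlier read.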
Module not invoking for CHAP authentication
Hi, I am using freeradius 2.1.6 and Solaris 10. I created one module like rlm_radius. This module does authentication using a Java file which resides in a JBoss server. For PAP authentication it is working fine, going to the Java file and checking the logic, but when I use CHAP authentication it is showing a segmentation fault. See the debug output below:

Ready to process requests.
rad_recv: Access-Request packet from host 10.232.163.145 port 1349, id=27, length=44
User-Name = "moto"
User-Password = "shiva"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "moto", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
authorize ---login = 1
[radius] Send Access-Accept.
++[radius] returns handled
Sending Access-Accept of id 27 to 10.232.163.145 port 1349
Reply-Message = "This is a challenge"
State = 0x30
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 27 with timestamp +2
Ready to process requests.
rad_recv: Access-Request packet from host 10.232.163.145 port 1350, id=28, length=45
User-Name = "moto"
CHAP-Password = 0x60373d77e7cd68c4d46e937727c380d565
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "moto", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Segmentation Fault (core dumped)
r...@nms-t1000-03:/
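The two requests in that debug output differ in exactly one way: the first carries User-Password, the second carries only CHAP-Password. A module that reaches for User-Password unconditionally has nothing to dereference in the second case, which is the kind of defect that ends in a core dump. The following is an added example, not the poster's rlm_radius module and not FreeRADIUS code: it models the two requests as Python dicts of wire-format byte values, dispatches on the credential attribute that is actually present, and verifies CHAP per RFC 1994 (MD5 over identifier, secret and challenge, with the Request Authenticator as challenge when no CHAP-Challenge attribute is sent). The "known good" password store, the authenticator and the CHAP challenge are constructed for the example; the CHAP-Password from the post cannot be checked here because its challenge is not in the output.

```python
"""Dispatch on the credential attribute actually present in an Access-Request.

Added example, not the poster's module nor FreeRADIUS code. Attribute values
are bytes as they appear on the wire; KNOWN_GOOD stands in for the module's
back-end lookup (the Java side in the post) and is constructed.
"""
import hashlib
import hmac
import os
from typing import Dict

KNOWN_GOOD: Dict[str, bytes] = {"moto": b"shiva"}   # constructed password store


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def authenticate(attrs: Dict[str, bytes], authenticator: bytes) -> str:
    """Return 'accept', 'reject' or 'noop' (no credential this handler understands).

    Each branch only touches attributes it has first checked for, so a CHAP
    request without User-Password takes the CHAP branch instead of crashing.
    """
    user = attrs.get("User-Name")
    if user is None:
        return "noop"
    secret = KNOWN_GOOD.get(user.decode("utf-8", "replace"))
    if secret is None:
        return "reject"   # unknown user: say so rather than fail later

    if "User-Password" in attrs:                       # PAP
        return "accept" if hmac.compare_digest(attrs["User-Password"], secret) else "reject"

    if "CHAP-Password" in attrs:                       # CHAP
        cp = attrs["CHAP-Password"]
        if len(cp) != 17:                              # 1 identifier byte + 16 MD5 bytes
            return "reject"
        # RFC 2865: the challenge is CHAP-Challenge if present, else the Request Authenticator.
        challenge = attrs.get("CHAP-Challenge", authenticator)
        expected = chap_response(cp[0], secret, challenge)
        return "accept" if hmac.compare_digest(cp[1:], expected) else "reject"

    return "noop"                                      # neither PAP nor CHAP: not ours


def build_chap_request(user: str, secret: bytes, ident: int, challenge: bytes) -> Dict[str, bytes]:
    """Attributes a CHAP client would send (constructed test helper)."""
    return {"User-Name": user.encode(),
            "CHAP-Password": bytes([ident]) + chap_response(ident, secret, challenge)}


if __name__ == "__main__":
    auth = os.urandom(16)                               # constructed Request Authenticator
    pap = {"User-Name": b"moto", "User-Password": b"shiva"}      # modelled on request id=27
    chap = build_chap_request("moto", b"shiva", 0x60, auth)      # modelled on request id=28
    print("PAP :", authenticate(pap, auth))
    print("CHAP:", authenticate(chap, auth))
    print("none:", authenticate({"User-Name": b"moto"}, auth))
```

Two details matter beyond the missing-attribute check: the length test on CHAP-Password rejects a truncated attribute before it is indexed, and hmac.compare_digest is used for both comparisons so the handler does not leak timing information about how much of a password or digest matched.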