Question on processing delayed proxy packets
Greetings all,

Finally getting my system running nice and smoothly :) I have a scenario I would like some opinions on, something to think about...

Let's say I have server A and server B getting requests from multiple sources. They proxy these requests to each other as well. Consider the following scenario:

Server A gets a start record at 08h00 and proxies it to server B immediately, so server A and server B each have an entry with start time 08h00.

An hour later server A gets an interim update with acct_input_octets = 5. The proxied packet is delayed due to a network issue.

Another hour later server _B_ gets an interim update with acct_input_octets = 7. It proxies the request and server A is updated immediately, so now server A and server B have an entry with start time 08h00 and acct_input_octets = 7. Great, all is right at this point.

Then: the delayed interim update (which has acct_input_octets = 5) from server A finally gets through to server B, and server B processes the packet using my accounting_update_query, which is formatted as follows:

  accounting_update_query = UPDATE ${acct_table_new} \
    SET \
      framed_ip_address = '%{Framed-IP-Address}', \
      acct_session_time = '%{Acct-Session-Time}', \
      x_ascend_xmit_rate = '%{X-Ascend-Xmit-Rate}', \
      x_ascend_data_rate = '%{X-Ascend-Data-Rate}', \
      acct_input_octets = '%{Acct-Input-Octets}', \
      acct_output_octets = '%{Acct-Output-Octets}', \
      acct_input_gigawords = '%{Acct-Input-Gigawords}', \
      acct_output_gigawords = '%{Acct-Output-Gigawords}' \
    WHERE \
      acct_session_id = '%{Acct-Session-Id}' \
      AND \
      user_name = '%{SQL-User-Name}' \
      AND \
      nas_ip_address = '%{NAS-IP-Address}'

As you can see, the above query will set acct_input_octets = 5 on server B, so now server A has acct_input_octets = 7 and server B has acct_input_octets = 5. That's the problem.
The solution I am toying with is the following: if a DB entry exists, and the acct_input_octets in the DB entry is more than in the current packet we are processing, then the packet data is older than the DB data in the record, so we want to ignore the packet and keep the DB data. (Obviously we will need to apply the check to acct_output_octets and the gigaword fields as well...)

So the very first problem we see is that checking the record before processing the new update is going to slow down the entire process. The best way I can think to handle this is to check the acct_delay_time field, and if it is a very small number we assume the record is fresh. If the delay time is more than, say, 30 minutes, we first do the lookup. This means that *most* requests won't need to do a lookup first, and only the heavily delayed ones are then checked.

I'm not even sure if it is possible to do this in the current setup, or if it's possible to do it with a more complex SQL statement, but I would appreciate any comments on the idea and any experience others have had with this.

Many thanks,
Patric

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
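An added example, not code from Patric's post or from FreeRADIUS: it replays the arrival order described above against an in-memory sqlite table, once with an unconditional UPDATE equivalent to the posted accounting_update_query and once with the freshness check folded into the UPDATE's WHERE clause, so the stale packet simply matches zero rows and no separate lookup (and no Acct-Delay-Time heuristic) is needed. The guard compares Acct-Session-Time rather than the octet counters, because the 32-bit octet value wraps into the gigawords field and a counter-only comparison would reject a legitimate later packet; the second sample sequence shows that case. The table name radacct, the sqlite backend and the packet values are assumptions made for the example.

```python
"""Replay out-of-order RADIUS interim updates against a radacct-style table.

Added example, not code from the original post or from FreeRADIUS. sqlite3
stands in for the poster's database and plain dicts stand in for RADIUS
packets; the table name radacct and the packet values are assumptions.
Column and attribute names follow the posted accounting_update_query.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    acct_session_id TEXT, user_name TEXT, nas_ip_address TEXT,
    framed_ip_address TEXT, acct_session_time INTEGER,
    acct_input_octets INTEGER, acct_output_octets INTEGER,
    acct_input_gigawords INTEGER, acct_output_gigawords INTEGER,
    PRIMARY KEY (acct_session_id, user_name, nas_ip_address))
"""

INSERT_START = """
INSERT INTO radacct VALUES (:session_id, :user_name, :nas_ip, :framed_ip,
    :session_time, :in_octets, :out_octets, :in_gw, :out_gw)
"""

# Unconditional update, equivalent to the posted accounting_update_query:
# whichever packet arrives last wins, however old it is.
NAIVE_UPDATE = """
UPDATE radacct SET
    framed_ip_address = :framed_ip, acct_session_time = :session_time,
    acct_input_octets = :in_octets, acct_output_octets = :out_octets,
    acct_input_gigawords = :in_gw, acct_output_gigawords = :out_gw
WHERE acct_session_id = :session_id AND user_name = :user_name
  AND nas_ip_address = :nas_ip
"""

# Same update with the freshness check folded into WHERE, so a stale packet
# matches zero rows and no SELECT is needed first. Acct-Session-Time only grows
# within a session and, unlike acct_input_octets, does not wrap at 2^32 when
# Acct-Input-Gigawords increments, so it is the safer ordering key.
GUARDED_UPDATE = NAIVE_UPDATE + "  AND acct_session_time <= :session_time\n"


def to_params(pkt):
    """Map RADIUS attribute names onto the query's named placeholders."""
    return {
        "session_id": pkt["Acct-Session-Id"],
        "user_name": pkt["User-Name"],
        "nas_ip": pkt["NAS-IP-Address"],
        "framed_ip": pkt.get("Framed-IP-Address", ""),
        "session_time": pkt["Acct-Session-Time"],
        "in_octets": pkt["Acct-Input-Octets"],
        "out_octets": pkt["Acct-Output-Octets"],
        "in_gw": pkt.get("Acct-Input-Gigawords", 0),
        "out_gw": pkt.get("Acct-Output-Gigawords", 0),
    }


def process(conn, pkt, guarded):
    """Apply one accounting packet; return rows changed (0 = packet ignored)."""
    params = to_params(pkt)
    if pkt["Acct-Status-Type"] == "Start":
        cur = conn.execute(INSERT_START, params)
    else:
        cur = conn.execute(GUARDED_UPDATE if guarded else NAIVE_UPDATE, params)
    conn.commit()
    return cur.rowcount


def replay(packets, guarded):
    """Feed packets in arrival order into a fresh table; return the final row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    ignored = sum(1 for pkt in packets if process(conn, pkt, guarded) == 0)
    row = conn.execute("SELECT acct_session_time, acct_input_octets, "
                       "acct_input_gigawords FROM radacct").fetchone()
    return {"session_time": row[0], "input_octets": row[1],
            "input_gigawords": row[2], "ignored": ignored}


def make_packet(status, session_time, in_octets, in_gw=0):
    # Constructed packet for the example, not captured traffic.
    return {"Acct-Status-Type": status, "Acct-Session-Id": "0800a1",
            "User-Name": "patric", "NAS-IP-Address": "192.0.2.10",
            "Framed-IP-Address": "10.1.1.5", "Acct-Session-Time": session_time,
            "Acct-Input-Octets": in_octets, "Acct-Output-Octets": 0,
            "Acct-Input-Gigawords": in_gw}


# Arrival order at server B from the post: Start, the update that came in via
# server B (two hours in, 7 octets), then the delayed one from server A
# (one hour in, 5 octets).
DELAYED_ARRIVAL = [make_packet("Start", 0, 0),
                   make_packet("Interim-Update", 7200, 7),
                   make_packet("Interim-Update", 3600, 5)]

# In-order arrival where the 32-bit octet counter has wrapped: a guard on
# acct_input_octets alone would wrongly discard the last packet.
COUNTER_WRAP = [make_packet("Start", 0, 0),
                make_packet("Interim-Update", 7200, 7),
                make_packet("Interim-Update", 10800, 3, in_gw=1)]

if __name__ == "__main__":
    print("naive  :", replay(DELAYED_ARRIVAL, guarded=False))
    print("guarded:", replay(DELAYED_ARRIVAL, guarded=True))
    print("wrap   :", replay(COUNTER_WRAP, guarded=True))
```

With the guard in place the delayed packet is rejected by the database itself, so every update costs one statement regardless of its Acct-Delay-Time. In a FreeRADIUS sql module configuration the same effect is one extra line in the WHERE clause of accounting_update_query, AND acct_session_time <= '%{Acct-Session-Time}', which also protects the Stop record if the same guard is applied to the stop query. The remaining caveat is a NAS that resets its session clock mid-session; such a device also breaks any counter-based ordering, and nothing short of a NAS fix helps there.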
Re: Testing radius server
Hi,

> Now I know it's a config issue in the clients.conf, as radtest is failing. I set user name and password, but radius is sending a reject. This is the first time I'm using radius. So please bear with me. Can some one mail me example of the minimum required configuration that needed for the radius to work, no EAP or MSCAP ..etc.

hey, guess what - 'radiusd -X'

this will be far more useful than throwing random recommendations to you. have you followed basic guidance regarding how to use clients.conf eg

  testuser Cleartext-Password := testpassword

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Request for directions: WinXP + Samba + LDAP + 802.1x
Fellows,

I have a samba+ldap domain with a bunch of WinXP clients. I intend to get those clients to get access on the switch through 802.1x authentication. The problem is: users don't get authorized on the samba domain because the switch port is locked waiting for 802.1x auth.

What have I got so far? I have a freeradius daemon using LDAP as user database. The LDAP entries are shared by samba and freeradius. It's tested locally with radtest.

Can you give me the next step? Are there any specific docs on that subject? I found lots of docs talking about AD and ntlm_auth. That's not what I'm looking for.

Many thanks in advance.

-- 
Fabiano Caixeta Duarte
Computer Networks Specialist
Linux User #195299
Ribeirão Preto - SP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
HOWTO WLAN Access Point authenticate user via kerberos
Hi, I am new to FreeRADIUS. I would like to set up FreeRADIUS, such that access point authenticates WLAN users via Kerberos (or GSSAPI / Kerberos) and grant access to the wired network upon successful authentication. Is FreeRADIUS the right tool to use? If so, I hope someone could point to the documentation how to set it up. Is there any requirement on the access point, e.g. support for 802.1X is sufficient? Thanks a lot. John Mok - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: HOWTO WLAN Access Point authenticate user via kerberos
John Mok wrote:

> Hi, I am new to FreeRADIUS. I would like to set up FreeRADIUS, such that access point authenticates WLAN users via Kerberos (or GSSAPI / Kerberos) and grant access to the wired network upon successful authentication. Is FreeRADIUS the right tool to use? If so, I hope someone could point to the documentation how to set it up. Is there any requirement on the access point, e.g. support for 802.1X is sufficient?

Since there is no (deployed) EAP-GSS or EAP-Kerberos, this basically means taking the username's plaintext password and doing a kinit with it. This means you will need to do EAP-TTLS/PAP, which requires installing software on Windows clients, because Windows doesn't support TTLS.

The common choice for Windows clients is EAP-PEAP/MSCHAPv2, with the MSCHAP checked against Active Directory using Samba in domain-member mode and the ntlm_auth helper.

But yes - once you've got EAP-TTLS/PAP working, you can check the PAP request against Kerberos.

For more info, see here: http://deployingradius.com/documents/protocols/compatibility.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho and radtest
Please do the rest of us a favor and configure your mail client to use the correct data type when attaching files. Your log file came through as: Content-Type: application/octet-stream Which means mail clients think this is binary data and won't display it nor do they even know they can open a text editor on it. The Content-Type should have been text. -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
Alan,

Radius -X is always on, and I went through the clients.conf file. -X gives a lot of information; since you asked, here is my understanding. I'm not a programmer so some of them are cryptic to me. I put in comments to what I think they are, but they are only guesses. I would be very thankful if you can shed light on them. Also, there is a file experimental.conf stated in eap.conf, but it did not exist. It may have some useful information.

[r...@crest raddb]# radtest cisco cisco 127.0.0.1 200 testing123
Sending Access-Request of id 187 to 127.0.0.1 port 1812
	User-Name = cisco
	User-Password = cisco
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 200
rad_recv: Access-Request packet from host 127.0.0.1 port 43663, id=187, length=57
	User-Name = cisco
	User-Password = cisco
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 200
+- entering group authorize {...}
++[preprocess] returns ok        ;what is preprocess and what does it do?
++[chap] returns noop            ;I can tell that chap was not selected as a protocol, right?
++[mschap] returns noop          ;as above
[suffix] No '@' in User-Name = cisco, looking up realm NULL   ;why is @ expected in a name or password?
[suffix] No such realm NULL      ;what does this mean?
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP   ;eap is not auth protocol.
++[eap] returns noop
++[unix] returns notfound        ;what is this?
++[files] returns noop           ?
++[expiration] returns noop      ?
++[logintime] returns noop       ?
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.   ;I do have a password (cisco).
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user   ;this looks like an authentication protocol is a must before the process can work, however, eap.conf file is there and eap is uncommented out with its arguments. ?
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> cisco
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 187 to 127.0.0.1 port 43663
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=187, length=20
[r...@crest raddb]# Cleaning up request 5 ID 187 with timestamp +411
Ready to process requests.

Rgrds,
Alex

-----Original Message-----
From: freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Thursday, December 10, 2009 2:07 AM
To: FreeRadius users mailing list
Subject: Re: Testing radius server

> Hi,
>
> > Now I know it's a config issue in the clients.conf, as radtest is failing. I set user name and password, but radius is sending a reject. This is the first time I'm using radius. So please bear with me. Can some one mail me example of the minimum required configuration that needed for the radius to work, no EAP or MSCAP ..etc.
>
> hey, guess what - 'radiusd -X'
>
> this will be far more useful than throwing random recommendations to you. have you followed basic guidance regarding how to use clients.conf eg
>
>   testuser Cleartext-Password := testpassword
>
> alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
> Radius -X is always on, and I went through the clients.conf file. -X gives a lot of information; since you asked, here is my understanding. I'm not a programmer so some of them are cryptic to me. I put in comments to what I think they are, but they are only guesses. I would be very thankful if you can shed light on them. Also, there is a file experimental.conf stated in eap.conf, but it did not exist. It may have some useful information.
>
> [r...@crest raddb]# radtest cisco cisco 127.0.0.1 200 testing123
> Sending Access-Request of id 187 to 127.0.0.1 port 1812
> 	User-Name = cisco
> 	User-Password = cisco
> 	NAS-IP-Address = 127.0.0.1
> 	NAS-Port = 200
> rad_recv: Access-Request packet from host 127.0.0.1 port 43663, id=187, length=57
> 	User-Name = cisco
> 	User-Password = cisco
> 	NAS-IP-Address = 127.0.0.1
> 	NAS-Port = 200
> +- entering group authorize {...}
> ++[preprocess] returns ok   ;what is preprocess and what does it do?

Well, read the debug of server startup and it will be clearer. Don't ask us what's in the bit you couldn't be bothered to read.

> ++[chap] returns noop   ;I can tell that chap was not selected as a protocol, right?

Correct.

> ++[mschap] returns noop   ;as above

Yes.

> [suffix] No '@' in User-Name = cisco, looking up realm NULL   ;why is @ expected in a name or password?

suffix is enabled by default. Lots of people have u...@domain type usernames, so it makes sense for it to be the default option. If you don't have such usernames you can comment it out.

> [suffix] No such realm NULL   ;what does this mean?

No @ in username.

> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP   ;eap is not auth protocol.
> ++[eap] returns noop

Same as chap and mschap.

> ++[unix] returns notfound   ;what is this?

System passwords. Again enabled by default as enough people use it. You can comment it out if you are not using it.

> ++[files] returns noop   ?

You don't have that user entry in the users file (people have told you to put the password there but you haven't).

> ++[expiration] returns noop   ?

Password expiration. Another module enabled by default.

> ++[logintime] returns noop   ?

Does what it says on the tin.

> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.   ;I do have a password (cisco).

No, you don't. Or should I say - where did you store that password?

> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user   ;this looks like an authentication protocol is a must before the process can work, however, eap.conf file is there and eap is uncommented out with its arguments. ?

No password - no authentication. You haven't stored a password for this user in any place the server looked.

Ivan Kalik

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Testing radius server
Where did you create the user and password cisco?

A copy of your users configuration file would be great.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho and radtest
> attached is the complete debug log

Try using Calling-Station-Id instead of NAS-Port for accounting. Alter (raddb/modules/)acct_unique to use Calling-Station-Id. And use sql for session and accounting. It's quicker and queries can be configured to use Calling-Station-Id instead of NAS-Port.

Ivan Kalik

> Date: Wed, 9 Dec 2009 23:28:49 +
> Subject: RE: radwho and radtest
> From: t...@kalik.net
> To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
>
> > I get this when I login to the firewall
>
> It would help if you wouldn't edit the debug. Post the whole thing request + processing (both for authentication and accounting).
>
> Ivan Kalik

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
accounting with freeradius
I try to setup accounting with freeradius. Not much luck finding step-by-step instructions on the Internet. Can some guru help on this? I have freeradius 2.1.3-1-fc9 installed on my Linux machine. Thanks in advance.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
Gera

> From: freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org] On Behalf Of gera
> Sent: Thursday, December 10, 2009 11:07 AM
> To: FreeRadius users mailing list
> Subject: Re: Testing radius server
>
> Where did you create the user and password cisco?

in the /etc/raddb/clients.conf.

> A copy of your users configuration file would be great

Which config files do you need, radiusd.conf, or clients.conf? There is also /etc/raddb/users which I have not even touched, cuz I did not see it readily on the wiki, and I did not know about it till now.

I'm not clear on the purpose of the attachment you mailed? This file is not accessible: http://wiki.freeradius.org/FAQ

Alex

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
Ivan,

Please try to be less arrogant when you answer me. I have not touched Linux or Solaris for 9 years. And I'm not a developer, I'm an RF engineer. I know many of you are software developers. We should not delve into the Silicon Valley notion of RTFM--instead we should adhere to RFC1855 http://www.faqs.org/rfcs/rfc1855.html . The reason I'm having very basic questions is because the wiki is counter-intuitive and way cryptic to me; it's written with the idea in mind that users have used the product and are familiar with it. I have used Steel Belted Radius for a long time, never had a problem with it, because it's written for *not* developers. I'm at a loss with this product, even though I have about 28 years of networking, RF and wireless experience in testing and installation, and am close to CCIE certified. I'd like to continue using the product, with all the help I can get from you guys, but with dignity. If this won't work with this group, maybe I should just bite the bullet and buy Steel Belted and get over with it.

Now let's go to answer your questions. Please see inline.

-----Original Message-----
From: freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org] On Behalf Of t...@kalik.net
Sent: Thursday, December 10, 2009 10:58 AM
To: FreeRadius users mailing list
Subject: RE: Testing radius server

> > [pap] WARNING! No known good password found for the user. Authentication may fail because of this.   ;I do have a password (cisco).
>
> No, you don't. Or should I say - where did you store that password?

I edited /etc/raddb/clients.conf. Below is the only thing I edited in this file. And I take it it's wrong, so please point me to the right lines.

  #
  # You can now specify one secret for a network of clients.
  # When a client request comes in, the BEST match is chosen.
  # i.e. The entry from the smallest possible network.
  #
  client 1.2.3.100/24 {
      secret = cisco
      shortname = cisco
  }
  #

> Ivan Kalik

Rgrds,
Alex

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
Alex,

> > Where did you create the user and password cisco?
>
> in the /etc/raddb/clients.conf.

tim> That's the problem. You configure RADIUS clients in the clients.conf file. A RADIUS client is a network device like a NAS or a wireless Access Point.

> > A copy of your users configuration file would be great
>
> Which config files do you need, radiusd.conf, or clients.conf? There is also /etc/raddb/users which I have not even touched, cuz I did not see it readily on the wiki, and I did not know about it till now.

tim> users are defined in the users file. Read the comments in the users file. Generally, when you install and configure FR, you start with the radiusd.conf file, then clients.conf and finally users.

Yes, the documentation is in many different places. Start here:

1. FreeRADIUS v2 Documentation http://freeradius.org/doc/
2. Read the comments in the config files - radiusd.conf, clients.conf and users.
3. Check out this page from Alan's online book - http://deployingradius.com/documents/configuration/pap.html

Tim

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: accounting with freeradius
Hi,

> I try to setup accounting with freeradius. Not much luck finding step-by-step instructions on the Internet. Can some guru help on this? I have freeradius 2.1.3-1-fc9 installed on my Linux machine. Thanks in advance.

what exactly is it that you want to do? what part of docs/ isn't telling you what to do?

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Testing radius server
Hi,

> Radius -X is always on, and I went through the clients.conf file. -X gives a lot of information; since you asked, here is my understanding. I'm not a programmer so some of them are cryptic to me. I put in comments to what I think they are, but they are only guesses. I would be very thankful if you can shed light on them. Also, there is a file experimental.conf stated in eap.conf, but it did not exist. It may have some useful information.

i think you need to start with the basics before you start playing with experimental features! ;-)

> [r...@crest raddb]# radtest cisco cisco 127.0.0.1 200 testing123

okay - very simple. we now look to see what happens... i've cut out the basic bits to answer your questions

> ++[preprocess] returns ok   ;what is preprocess and what does it do?

Contains the functions for the huntgroups and hints - if you use those files then they'll seed the request so you can deal with it

> ++[chap] returns noop   ;I can tell that chap was not selected as a protocol, right?

correct

> ++[mschap] returns noop   ;as above

yep

> [suffix] No '@' in User-Name = cisco, looking up realm NULL   ;why is @ expected in a name or password?

@ is not 'expected' - but if it's present then the suffix module will do stuff.

> [suffix] No such realm NULL   ;what does this mean?

exactly what it says - there wasn't a suffix, so the value is NULL but the suffix module found no NULL realm in your config

> [eap] No EAP-Message, not doing EAP   ;eap is not auth protocol.

correct - this isn't an EAP message

> ++[unix] returns notfound   ;what is this?

unix passwd support. if you don't want to use /etc/passwd etc then comment the 'unix' module out

> ++[files] returns noop   ?

this is the big one - this is saying that the files module found no information - this suggests that eg you don't have

  cisco Cleartext-Password := cisco

in your users file. if you do then you are looking at the wrong users file - /etc/raddb/users or /usr/local/etc/raddb ?

> ++[expiration] returns noop   ?
> ++[logintime] returns noop   ?

2 modules that deal with exactly what they say - expiration and logintime - these are authorisation methods

> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.   ;I do have a password (cisco).

PAP could not find your configured user - it relies on at least one of the previous methods to get such a user!

> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user   ;this looks like an authentication protocol is a must before the process can work, however, eap.conf file is there and eap is uncommented out with its arguments. ?

radtest doesn't do EAP. you need to use one of the tests that does do EAP.

anyway... I can safely state that if you install a fresh FreeRADIUS you should be able to add an example user to the users file (as I state above!) and do a radtest and test the whole thing within minutes.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
Alex,

> Please try to be less arrogant when you answer me. I have not touched Linux or Solaris for 9 years. And I'm not a developer, I'm an RF engineer. I know many of you are software developers. We should not delve into the Silicon Valley notion of RTFM--instead we should adhere to http://www.faqs.org/rfcs/rfc1855.html RFC1855. The reason I'm having very basic questions is because the wiki is counter-intuitive and way cryptic to me; it's written with the idea in mind that users have used the product and are familiar with it. I have used Steel Belted Radius for a long time, never had a problem with it, because it's written for *not* developers. I'm at a loss with this product, even though I have about 28 years of networking, RF and wireless experience in testing and installation, and am close to CCIE certified. I'd like to continue using the product, with all the help I can get from you guys, but with dignity. If this won't work with this group, maybe I should just bite the bullet and buy Steel Belted and get over with it.
>
> Now let's go to answer your questions. Please see inline.

tim> Blah, blah blah ... 22 years ago I worked for Al Gore and we spent two days driving around Iowa talking about Gigabit Fiber Optic networks and the Internet. So, I guess you could say that I helped Al Gore invent the Internet. Then I went to work for Cisco in 1996.

> # You can now specify one secret for a network of clients.
> # When a client request comes in, the BEST match is chosen.
> # i.e. The entry from the smallest possible network.
> #
> client 1.2.3.100/24 {
>     secret = cisco
>     shortname = cisco
> }

tim> You need to put users in the users file.

Tim

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Testing radius server
Hi,

>> Where did you create the user and password cisco?
>
> in the /etc/raddb/clients.conf.
>
>> A copy of your users configuration file would be great
>
> Which config files do you need, radiusd.conf, or clients.conf? There is also /etc/raddb/users which I have not even touched, cuz I did not see it readily on the wiki, and I did not know about it till now.

no no no (cries!)

clients.conf is for NAS devices to talk to the FreeRADIUS server. User accounts/passwords go into the users file. This is so clear and well documented! Please just READ the users file and see - eg the 'John Doe' example account in that file.. once you look you will truly understand!

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Testing radius server
> or MSCAP ..etc.

hey, guess what - 'radiusd -X'

this will be far more useful than throwing random recommendations to you.

have you followed basic guidance regarding how to use clients.conf eg

    testuser Cleartext-Password := testpassword

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
> configuration item in the radiusd.conf file.
>
> -z  Include the password in the radius.log file even for successful logins. This is very insecure! This command line option is deprecated. See the log_auth_badpass and the log_auth_goodpass configuration items in the radiusd.conf file.
>
> Configuration
>
> Radiusd uses a number of configuration files. Each file has its own manpage describing the format of the file. These files are:
>
> radiusd.conf   The main configuration file, which sets the administrator-controlled items.
>
> dictionary     This file is usually static. It defines all the possible RADIUS attributes used in the other configuration files. You don't have to modify it. It includes other dictionary files in the same directory.
>
> clients        [ Deprecated in favor of clients.conf ]
>
> clients.conf   Contains the IP address and a secret key for every client that wants to connect to the server.
>
> naslist        [ Deprecated in favor of clients.conf ] Contains an entry for every NAS (Network Access Server) in the network. This is not the same as a client, especially if you have a radius proxy server in your network. In that case, the proxy server is the client and it sends requests for different NASes. It also contains an abbreviated name for each terminal server, used to create the directory name where the detail file is written, and used for the /var/log/radwtmp file. Finally it also defines what type of NAS (Cisco, Livingston, Portslave) the NAS is.
>
> hints          Defines certain hints to the radius server based on the user's loginname or other attributes sent by the access server. It also provides for mapping user names (such as Pusername - username). This provides the functionality that the Livingston 2.0 server has as Prefix and Suffix support in the users file, but is more general. Of course the Livingston way of doing things is also supported, and you can even use both at the same time (within certain limits).
>
> huntgroups     Defines the huntgroups that you have, and makes it possible to restrict access to certain huntgroups to certain (groups of) users.
>
> users          Here the users are defined. On a typical setup, this file mainly contains DEFAULT entries to process the different types of logins, based on hints from the hints file. Authentication is then based on the contents of the UNIX /etc/passwd file. However, it is also possible to define all users, and their passwords, in this file.

See

-Original Message-
From: freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Thursday, December 10, 2009 1:43 PM
To: FreeRadius users mailing list
Subject: Re: Testing radius server

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: accounting with freeradius (Alan Buxey)
I hope to see step-by-step instructions to set up an accounting system using an SQL server with freeradius such that I can see a user's network usage (Tx'd / Rx'd).

Also, with freeRADIUS, is there a way to log a user's accounting info in a local file, not in an SQL server?

Thanks.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
> Where is the user file? Why did the wiki not list this file? How would I know about the file? From the wiki, I don't see any talk about this file you are talking about.

Read the documentation included with the server. Start with doc/README.

Ivan Kalik

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
Arrogant.

-Original Message-
From: freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org] On Behalf Of t...@kalik.net
Sent: Thursday, December 10, 2009 2:37 PM
To: FreeRadius users mailing list
Subject: RE: Testing radius server

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: accounting with freeradius (Alan Buxey)
> I hope to see step-by-step instructions to set up an accounting system using an SQL server with freeradius such that I can see a user's network usage (Tx'd / Rx'd).

Use schema.sql from the raddb/sql/your_database_type directory to create the database tables. Configure raddb/sql.conf. Uncomment the include for sql.conf in radiusd.conf. Uncomment the sql entry in accounting in the default virtual server. Restart the server. That's it.

> Also, with freeRADIUS, is there a way to log a user's accounting info in a local file, not in an SQL server?

Yes, that's called the detail file and that is enabled by default.

Ivan Kalik

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
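The steps above, collected into the config fragments they touch, as an added example that is not part of the original post or of the FreeRADIUS distribution. It assumes the FreeRADIUS 2.x file layout (raddb/radiusd.conf, raddb/sql.conf, raddb/sites-available/default) and MySQL; the database name, login and password are placeholders.

```conf
# raddb/radiusd.conf: the sql module is not loaded unless this include is
# active. In the stock file the line is present but commented out.
$INCLUDE sql.conf

# raddb/sql.conf: which database to talk to. Only the connection settings
# need to change for a first setup; the query definitions are pulled in from
# sql/${database}/dialup.conf. Credentials below are placeholders.
sql {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "localhost"
    login = "radius"
    password = "CHANGE_ME"
    radius_db = "radius"

    # radacct is where start/interim/stop records land. Per-session byte
    # counts are the acctinputoctets / acctoutputoctets columns (plus the
    # gigaword wrap counters), which is what a Tx'd / Rx'd report sums.
    acct_table1 = "radacct"
    acct_table2 = "radacct"

    # Leave this off unless NAS clients should also be read from the DB
    # ("nas" table); keeping clients.conf authoritative is the smaller
    # surface to review.
    readclients = no

    $INCLUDE sql/${database}/dialup.conf
}

# raddb/sites-available/default: the accounting section decides where each
# Accounting-Request is written. "detail" is the flat-file log that is on by
# default; adding "sql" writes the same records to radacct as well.
accounting {
    detail
    sql
}
```

Keeping detail alongside sql leaves a per-packet copy on local disk, which is the reconciliation source if the SQL server is unreachable and an insert fails.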
RE: Testing radius server
Tim,

Go ahead and take me out of this list. I had enough of this.

Alex

-Original Message-
From: freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org] On Behalf Of Tim Sylvester
Sent: Thursday, December 10, 2009 1:41 PM
To: 'FreeRadius users mailing list'
Subject: RE: Testing radius server

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
> Arrogant.

Yes, terribly obscene suggestion - read available documentation. Don't ask us what's written in the documentation you already have with you.

Ivan Kalik

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Testing radius server
Alex, as stated at the end of every message from this list, everyone can do that:

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Greetings and good luck.

On Thu, Dec 10, 2009 at 3:48 PM, Alex Bahoor alexbah...@sbcglobal.net wrote:

> Tim,
>
> Go ahead and take me out of this list. I had enough of this.
>
> Alex

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: accounting with freeradius (Alan Buxey)
Try the next steps:

1. google about freeradius sql howto
2. click on the first link in the results ( http://wiki.freeradius.org/SQL_HOWTO )

If you have any other questions (which aren't already included in the wiki), please ask...

Keep in mind that some pages on the wiki are outdated for FR 2.x but all config files are commented so you won't have any problems (I suppose that you'll read them carefully )

MT

rosect...@yahoo.com wrote:
> I hope to see step-by-step instructions to set up an accounting system using an SQL server with freeradius such that I can see a user's network usage (Tx'd / Rx'd).
>
> Also, with freeRADIUS, is there a way to log a user's accounting info in a local file, not in an SQL server?
>
> Thanks.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Testing radius server
Hi,

> Alan, Where is the user file? Why did the wiki not list this file? How would I know about the file? From the wiki, I don't see any talk about this file you are talking about.

/etc/raddb/users ? /usr/local/raddb/users ? /opt/freeradius/users ? wherever you installed the server config files.

http://wiki.freeradius.org/CONFIGURATION_FILES

lookee there. 'users' file clearly shown and explained. and that's just one obvious example but i think you're there now

alan

PS in your email you actually wrote

> users   Here the users are defined. On a typical setup, this file mainly contains DEFAULT entries to process the different types of logins, based on hints from the hints file. Authentication is then based on the contents of the UNIX /etc/passwd file. However, it is also possible to define all users, and their passwords, in this file.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Trying to get tunneling to work
I am trying to set up freeradius to proxy 802.11 MSCHAPv2 requests to an IAS server. The IAS requests are authenticated by a Safeword server, which doesn't support 802.11. So the idea is that freeradius takes the request, proxies it to IAS as if it was a non-802.11 client, IAS passes it to the integrated Safeword server, and everything is happy.

My configuration works from an 802.11 supplicant if the user exists locally in freeradius, but no proxying happens when the user doesn't exist locally. It doesn't appear to ever leave radiusd. What I hope is the relevant debug output is below.

Please be nice, I am very new to RADIUS! If you could point out the issues you see and where to look for resolution I'd really appreciate it. If you need more info or the contents of any files, just ask.

rad_recv: Access-Request packet from host 192.168.7.139 port 1645, id=90, length=253
        User-Name = mbernhardt
        Framed-MTU = 1400
        Called-Station-Id = 000a.f4e2.2a00
        Calling-Station-Id = 0021.6a46.b0cc
        Service-Type = Login-User
        Message-Authenticator = 0x6d0c7d1550b928f2c1e4819363b4c655
        EAP-Message = 0x0209006b190017030100605b9dff6664aed05daf847f94f2c5653aeb8bd71c24eb8cb32250f2326709a15aa5cca25c1fd4a8078736d29db8a366c19e511ead9cd2464eea7d6c7c9ed1d334d140b044029ab54bad420b8a1a6e09d0d98be53e16ce732e7ae903591d65
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 2948
        State = 0x7986d88d7f8fc1cc817b41b32920e7cd
        NAS-IP-Address = 192.168.7.139
        NAS-Identifier = lks15w-ap350
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = mbernhardt, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 9 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020900451a0209004031d64addabbce8df20ddb2b2bf5f76e1e0b3641d7bbaa84d8e02bd692d2b804b6eb86329e81e2c878c006d6265726e6861726474
server {
  PEAP: Setting User-Name to mbernhardt
Sending tunneled request
        EAP-Message = 0x020900451a0209004031d64addabbce8df20ddb2b2bf5f76e1e0b3641d7bbaa84d8e02bd692d2b804b6eb86329e81e2c878c006d6265726e6861726474
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = mbernhardt
        State = 0xf069bb62f060a15804b7cea0a47025dc
        Framed-MTU = 1400
        Called-Station-Id = 000a.f4e2.2a00
        Calling-Station-Id = 0021.6a46.b0cc
        Service-Type = Login-User
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 2948
        NAS-IP-Address = 192.168.7.139
        NAS-Identifier = lks15w-ap350
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = mbernhardt, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 69
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 0
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Not-EAP proxy set. Not composing EAP
++[eap] returns handled
  PEAP: Tunneled authentication will be proxied to safeword.eng
  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap] Tunneled session will be proxied. Not doing EAP.
++[eap] returns handled
WARNING: Empty section. Using default return values.
ERROR: Failed to create a new socket for proxying requests.
ERROR: Failed inserting request into proxy hash.
ERROR: Failed to proxy request 7
There was no response configured: rejecting request 7
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} - mbernhardt
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 90 to 192.168.7.139 port 1645

- List info/subscribe/unsubscribe? See
Re: Testing radius server
Hi,

> I had enough of this.

what? free support pointing out the same suggestions and help every time? just a _little_ bit of reading would have informed you of the basics...but I think there _could_ be issues and am open to suggestions to fix the docs/guides for newcomers (and I've used all the alternatives to FreeRADIUS so know what you face on those platforms)

so - please point out the weaknesses that you faced

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
> Go ahead and take me out of this list. I had enough of this.

So you can't be bothered even to read your mail to the end. The unsubscribe link is in every mail.

Ivan Kalik

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Trying to get tunneling to work
> I am trying to set up freeradius to proxy 802.11 MSCHAPv2 requests to an IAS server. The IAS requests are authenticated by a Safeword server, which doesn't support 802.11. So the idea is that freeradius takes the request, proxies it to IAS as if it was a non-802.11 client, IAS passes it to the integrated Safeword server, and everything is happy.
>
> My configuration works from an 802.11 supplicant if the user exists locally in freeradius, but no proxying happens when the user doesn't exist locally.

Read the comments in the peap section of eap.conf. Replace LOCAL in the Proxy-To-Realm statement in the inner-tunnel virtual server with the name of the realm pointing to the IAS server.

Ivan Kalik

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
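The change described above, written out across the three files it touches, as an added example that is not part of the original post or of the FreeRADIUS distribution. It assumes the FreeRADIUS 2.x layout (raddb/eap.conf, raddb/proxy.conf, raddb/sites-available/inner-tunnel); the realm name safeword.eng is taken from the debug output earlier in the thread, while the home server address and shared secret are placeholders.

```conf
# raddb/eap.conf, peap section: inner requests run through the inner-tunnel
# virtual server. IAS is to receive plain MS-CHAPv2 rather than EAP-MSCHAPv2,
# so the tunneled request is proxied as non-EAP (the debug output's
# "Not-EAP proxy set" line is this setting taking effect).
peap {
    default_eap_type = mschapv2
    virtual_server = "inner-tunnel"
    proxy_tunneled_request_as_eap = no
}

# raddb/proxy.conf: the realm that Proxy-To-Realm will name, and the home
# server behind it. Address and secret are placeholders.
home_server ias_safeword {
    type = auth
    ipaddr = 192.0.2.10          # placeholder (TEST-NET-1); put the IAS address here
    port = 1812
    secret = CHANGE_ME           # placeholder; must match the RADIUS client entry on IAS
    response_window = 20
    zombie_period = 40
    status_check = none          # IAS does not answer Status-Server probes
}

home_server_pool ias_pool {
    type = fail-over
    home_server = ias_safeword
}

realm safeword.eng {
    auth_pool = ias_pool
    nostrip                      # no "@realm" suffix is present; forward User-Name as is
}

# raddb/sites-available/inner-tunnel: pick the proxy target for the inner
# request. The stock file carries this block with LOCAL, meaning "handle it
# here"; naming the realm above sends the MS-CHAPv2 exchange to IAS instead.
server inner-tunnel {
    authorize {
        chap
        mschap
        suffix
        eap
        files
        update control {
            Proxy-To-Realm := "safeword.eng"
        }
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

    # Runs on IAS's reply so the MS-CHAPv2 success or failure is repackaged
    # into the EAP conversation with the supplicant.
    post-proxy {
        eap
    }
}
```

Whether the inner request actually left the server can be confirmed in radiusd -X output, where a working setup logs the request being sent to the home server rather than the "Failed to proxy request" error shown above.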
RE: Testing radius server
-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Thursday, December 10, 2009 3:18 PM
To: FreeRadius users mailing list
Subject: Re: Testing radius server

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
At 12:12 AM 12/11/2009, Alex Bahoor wrote:

For someone that claims words are important, you're not listening to the people trying to tell you you're using words wrong.

random != dynamic for example

client != user would be another example.

The client is not the user. It's the physical device that's configured to use RADIUS for authentication. Clients are defined in ./clients.conf

The user is the one with an ID and a password. Users are defined in ./users (who they are, what their password is, where to go look for their information)

And to get to your next question, ./huntgroups can be used to define the association between the two (which users can log into which clients)

The docs might not be optimal, but they're offset by an amazingly supportive and active email list (which I'll trade for docs any day really). That is, if you don't spend all your time claiming the application is broken and buggy.

The real question is, presuming you bear with it and get FR to work, will you write up and contribute documentation for what you've done to help others?

Rick

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Testing radius server
On Fri, Dec 11, 2009 at 12:12 PM, Alex Bahoor alexbah...@sbcglobal.net wrote:
> I'm spoiled in using purchased software, which uses GUIs all the time. So my expectations are a little different.

Alex,

When you need more help than what's available freely, you can purchase support from networkradius (http://networkradius.com/services.html). I'm sure they'd be happy to help you with installation and configuration issues.

> While six years working with Sun Microsystems, I kept hearing all the time difficulty was the nature of Solaris, and Unix. I don't agree with you on that point, but to each his own opinion. The most elegant OS, Solaris, unfortunately did not go anywhere, and Sun went under. Why? Because it was not user friendly.

Just because it's not popular on the desktop does not mean it did not go anywhere. Solaris is widely used in enterprise server environments. There are also a lot of improvements in Solaris 10 and opensolaris, which make it easier to use for desktop users.

> It took me quite some time to find out which platform I should have used. What's in the wiki is vague, not specific to specific versions. And what packages of freeradius I should have installed. Till Tim clarified this for me, I was at a loss and frustrated. You have to understand, this is free software; compatibility and interoperability are a big question; I don't have the time to test every OS to find out which one is good, so-so, or even bad. It should have been stated clearly in the wiki under operating systems, and which version of each OS you have tested. Take a look at this paragraph which clearly proves my point. The link under several versions of Linux would not bring up a page. And in the same page, all OSes listed have links to download the software, which is convenient, but did not tell me what is there that has been tested.

When you have problems, it's usually easier to get help if you ask nicely, and be specific.

For this particular case, if you ask which OS works and is tested, I'd point you to RHEL/Centos/Fedora http://wiki.freeradius.org/Red_Hat_FAQ

Last, as Rick mentioned, if you find that the current documentation/wiki needs updating, please contribute to make it better.

--
Fajar

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Testing radius server
Alex Bahoor wrote:
> I don't know what your capacity in freeradius is, but I sure hope this product is comparable to Steel Belted or Cisco's ACS, which are very costly.

It's better.

> A picture is worth a thousand words. Network topologies, samples of clients.conf and radiusd.conf with various features from basic to complex security configuration that can be downloaded and used would save a lot of time and confusion. If there were such samples, you would not hear from me.

Unfortunately, your messages show that this isn't true. When you asked for *specific* help, you were given detailed answers. You (a) ignored the answers and asked the same question again, or (b) told them that the answer was wrong.

No amount of documentation can make you understand when you refuse to understand.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Trying to get tunneling to work
Mike Bernhardt wrote:
> I am trying to set up freeradius to proxy 802.11 MSCHAPv2 requests to an IAS server. The IAS requests are authenticated by a Safeword server, which doesn't support 802.11. So the idea is that freeradius takes the request, proxies it to IAS as if it was a non-802.11 client, IAS passes it to the integrated Safeword server, and everything is happy.

OK.

> ERROR: Failed to create a new socket for proxying requests.
> ERROR: Failed inserting request into proxy hash.

Hmm... which version are you using? That shouldn't happen in a released version of the code.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html