Re: freeRADIUS talk to multiple AD forests

2010-01-14 Thread Alan DeKok
John wrote:
> Hello,
> We are using freeRADIUS-1.1.6. The backend server is Active
> Directory. It works well for a single AD forest (A.com). We are using
> the Global Catalog port 3286 to get attributes from A.com.
> We want to support another forest (B.com) which has a trust with
> A.com. Unfortunately the Global Catalog cannot access other forests'
> info. How can we get attributes from these AD forests? If we do not
> configure another LDAP instance for B.com, is there a way to get
> attributes from B.com?

  You'll need to configure another LDAP instance.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeRADIUS talk to multiple AD forests

2010-01-14 Thread John
Hello, 
    We are using freeRADIUS-1.1.6. The backend server is Active Directory. It
works well for a single AD forest (A.com). We are using the Global Catalog port
3286 to get attributes from A.com.
    We want to support another forest (B.com) which has a trust with A.com.
Unfortunately the Global Catalog cannot access other forests' info. How can we
get attributes from these AD forests? If we do not configure another LDAP
instance for B.com, is there a way to get attributes from B.com?
 
Best.
John



Re: freeradius 2.1.8 : No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

2010-01-14 Thread Alan DeKok
piston wrote:
> hi
> 
> after upgrading from the 2.1.8 prerelease to 2.1.8, I get "No authenticate method
> (Auth-Type) configuration found for the request: Rejecting the user"

  You have managed to delete all of the virtual servers from
raddb/sites-enabled.

  Alan DeKok.


LDAP timeouts

2010-01-14 Thread freeradius



I'm currently using freeradius2-2.1.7-2.el5 on CentOS 5.2 for Cisco 
and L2TP VPN user authentication (via a Sonicwall firewall), using 
LDAP back to an AD environment, with the Windows built-in VPN client.


(for very specific details of that environment see my post of Tue, 
Dec 1, 2009 at 6:31 PM )


The Cisco environment works flawlessly. Every time I attempt to log 
in it works.


The Windows environment works, with one quirk, if no one has logged 
in for a while (~15-30 min), the next user gets:


Thu Jan 14 19:31:51 2010 : Error: rlm_ldap: ldap_search() failed: 
LDAP connection lost.

Thu Jan 14 19:31:51 2010 : Info: rlm_ldap: Attempting reconnect
Thu Jan 14 19:31:51 2010 : Auth: Login OK: [user] (from client VPN port 0)

The end user reports that the first attempt to login fails, but the 
second succeeds. Further attempts will succeed until it's been a 
while since anyone logged in.


That's only true for VPN users, logging into a Cisco never causes the 
same issue - works every time.  Both servers refer to the same ldap module.


I only have about 4 VPN users right now, so I'm thinking it's not a 
load problem. In some respects I'm thinking it's the reverse of a 
load problem - that once I have more users on the system there won't 
be a long period of time where no one has logged in, and so the 
problem will go away.


Thoughts?  I'd like for the user to (barring network issues) be able 
to log on the first time, every time.


Thanks

Rick




Server Certificate Signing Request Question

2010-01-14 Thread Ben Wiechman
I am generating a CSR for Verisign (WiMAX) to support EAP-TTLS. Some of the
examples I see use the -nodes switch when generating the CSR, and others do
not. 

Is the use of -nodes CA specific, or why would I want to or not want to use
-nodes? I see that when it is used the private key will not be encrypted,
but I'm afraid I don't understand the ramifications of that. 

Any help or a link to a helpful RTFM would be greatly appreciated. 

Ben



RADIUS comparison tee

2010-01-14 Thread John Morrissey
In moving our RADIUS infrastructure to FreeRADIUS, I wrote a tee to
transparently compare FreeRADIUS' responses with those of our existing
Radiator installations.

It sniffs RADIUS traffic on the current machine, replays the requests to
another RADIUS server, and compares the received responses with the sniffed
responses. Differences are emitted to stdout, and known differences can be
configured so they're automatically ignored.

http://horde.net/~jwm/software/misc/comparison-tee

john
-- 
John Morrissey  _o/\   __o
j...@horde.net_-< \_  /  \     <  \,
www.horde.net/__(_)/_(_)/\___(_) /_(_)__
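As an added example (not John's comparison-tee, whose code is at the link above), this Python block does the comparison step described: it parses two RADIUS responses to the same request using the RFC 2865 packet layout, verifies each Response Authenticator against the request authenticator and shared secret before trusting it, and lists attribute-level differences while skipping attribute types configured as known differences. The packets, the secret `testing123` and the request authenticator are constructed here.

```python
"""Compare two RADIUS responses to the same request (RFC 2865 packet layout)."""
import hashlib
import struct
from collections import Counter

HEADER = struct.Struct("!BBH16s")   # code, identifier, length, authenticator
FRAMED_IP_ADDRESS, REPLY_MESSAGE, SESSION_TIMEOUT = 8, 18, 27   # attribute type numbers


def parse_packet(data: bytes) -> dict:
    """Split a raw RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("length field does not fit the packet")
    attrs, pos = [], HEADER.size
    while pos < length:
        # Each attribute is type(1) length(1) value(length-2); length < 2 or overrun is malformed.
        if length - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": auth, "attrs": attrs}


def response_authenticator_ok(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Rejecting mis-keyed or forged responses comes before comparing their contents."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return expected == response[4:20]


def diff_responses(sniffed: dict, replayed: dict, ignore_types=frozenset()) -> list:
    """List differences between two parsed responses. Attribute order is ignored,
    multiplicity is not; types in ignore_types are the configured 'known differences'."""
    diffs = []
    if sniffed["code"] != replayed["code"]:
        diffs.append("code: sniffed %d vs replayed %d" % (sniffed["code"], replayed["code"]))
    a = Counter(item for item in sniffed["attrs"] if item[0] not in ignore_types)
    b = Counter(item for item in replayed["attrs"] if item[0] not in ignore_types)
    diffs += ["only in sniffed: type %d = %r" % item for item in sorted((a - b).elements())]
    diffs += ["only in replayed: type %d = %r" % item for item in sorted((b - a).elements())]
    return diffs


def build_response(code: int, ident: int, attrs, request_authenticator: bytes, secret: bytes) -> bytes:
    """Assemble a response with a valid Response Authenticator (used to construct the samples)."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    auth = hashlib.md5(head + request_authenticator + body + secret).digest()
    return head + auth + body


def compare(sniffed: bytes, replayed: bytes, request_auth: bytes, secret: bytes,
            ignore_types=frozenset()) -> list:
    """Full pipeline: authenticate both responses, then diff them."""
    for name, pkt in (("sniffed", sniffed), ("replayed", replayed)):
        if not response_authenticator_ok(pkt, request_auth, secret):
            return ["%s response failed authenticator check" % name]
    return diff_responses(parse_packet(sniffed), parse_packet(replayed), ignore_types)


# Constructed sample: one Access-Request (id 181) answered by two servers.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))     # stand-in for the sniffed request's authenticator
IP = bytes([172, 30, 65, 90])
SNIFFED = build_response(2, 181, [(FRAMED_IP_ADDRESS, IP),
                                  (REPLY_MESSAGE, b"Welcome, tevfikceydeliler")], REQUEST_AUTH, SECRET)
REPLAYED = build_response(2, 181, [(FRAMED_IP_ADDRESS, IP),
                                   (REPLY_MESSAGE, b"Hello, tevfikceydeliler"),
                                   (SESSION_TIMEOUT, struct.pack("!I", 3600))], REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    # Reply-Message text differs between the two servers by design, so it is a known difference.
    for line in compare(SNIFFED, REPLAYED, REQUEST_AUTH, SECRET, ignore_types={REPLY_MESSAGE}):
        print(line)
```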


Re: Problems with XPsp3 and FreeRADIUS

2010-01-14 Thread Seth
Alan,

We are currently using Samba 3.0.34... Do you know if there are release
notes or a discussion regarding this issue you can point me to? I didn't see
anything in a search.

Thanks,

/Seth

On Thu, Jan 14, 2010 at 9:29 AM, Alan DeKok wrote:

> Seth wrote:
> > I have a strange problem where the initial 802.1X authentication is
> > successful, but then fails subsequent auth attempts.  This is using
> > Windows XP sp3 PEAP/MS-Chapv2, FreeRADIUS 2.1.3, with Active Directory
> > running on a Windows2003 server.
> >
> > I noticed the following discrepancy in the RADIUS logs.  The two auth
> > attempts are identical until this part:
>
>   You are using ntlm_auth for authentication.  This issue appears to be
> a bug in Samba.  Downgrade Samba until you find a version that works.
>
>  Alan DeKok.

freeradius 2.1.8 : No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

2010-01-14 Thread piston
hi

after upgrading from the 2.1.8 prerelease to 2.1.8, I get "No authenticate method (Auth-Type) 
configuration found for the request: Rejecting the user"

please help.

here's my debug info

radius2:/etc/freeradius# freeradius -Xxx
Fri Jan 15 02:21:01 2010 : Info: FreeRADIUS Version 2.1.8, for host 
x86_64-pc-linux-gnu, built on Jan 15 2010 at 00:56:39
Fri Jan 15 02:21:01 2010 : Info: Copyright (C) 1999-2009 The FreeRADIUS server 
project and contributors.
Fri Jan 15 02:21:01 2010 : Info: There is NO warranty; not even for 
MERCHANTABILITY or FITNESS FOR A
Fri Jan 15 02:21:01 2010 : Info: PARTICULAR PURPOSE.
Fri Jan 15 02:21:01 2010 : Info: You may redistribute copies of FreeRADIUS 
under the terms of the
Fri Jan 15 02:21:01 2010 : Info: GNU General Public License v2.
Fri Jan 15 02:21:01 2010 : Info: Starting - reading configuration files ...
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/radiusd.conf
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/proxy.conf
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/clients.conf
Fri Jan 15 02:21:01 2010 : Debug: including files in directory 
/etc/freeradius/modules/
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/preprocess
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/always
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/logintime
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/smbpasswd
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/counter
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/detail
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/digest
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/smsotp
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/cui
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/realm
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/mschap
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/ippool
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/expr
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/attr_rewrite
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/linelog
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/attr_filter
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/inner-eap
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/unix
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/otp
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/sql_log
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/ntlm_auth
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/etc_group
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/perl
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/policy
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/chap
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/exec
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/echo
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/detail.example.com
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/sradutmp
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/krb5
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/expiration
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/pam
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/checkval
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/acct_unique
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/passwd
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/mac2vlan
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/wimax
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/files
Fri Jan 15 02:21:01 2010 : Debug: including configuration file 
/etc/freeradius/modules/mac2ip
Fri Jan 15 02:21:01 2010 : Debug: including configur

Re: PAP/SSHA plus MS-CHAP on 2.17

2010-01-14 Thread Eric Swanson
On Thu, Jan 14, 2010 at 1:29 AM, Alan DeKok  wrote:
>    *something* is either adding a crypt'd password, or is
> forcing the PAP module to use the crypt'd password.
>
>  Maybe the "unix" module?

Good guess!  I disabled the "unix" module from authentication and
authorization, and everything looks great.  As it happens, the system
has picked one of the NT passwords to check, but as long as it works
I'm fine.

Thanks so much for your timely assistance.

E.

-- 
Eric Swanson, swan...@technologypartnerds.com
Director of Marketing & Sales / Senior Technical Staff
Technology Partnerds
888-NERDS-55



Auth-Type and Group precedence

2010-01-14 Thread liran tal
Hey guys,

Setting an Auth-Type := Accept for a user while also associating the same
user with a group that has Auth-Type := Reject results in a successful login
of the user, because the Auth-Type := Accept in the radcheck table takes
precedence.

Is it possible to give a higher priority to the group association?


System is a FreeRADIUS 1.1.7 install with a mysql database backend.


Regards,
Liran.

Re: Freeradius 2.x + MySQL: Failed to authenticate the user

2010-01-14 Thread Alexander
--- On Thu, 1/14/10, Alan DeKok  wrote:
>   See your "users" file:
> 
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 70
> 
> 
>   That entry is forcing "Auth-Type := System".
> 
>   Don't do that.
> 
>   Alan DeKok.

Hello Alan,

thanks for your hint which solved my problem. After removing the entry from the 
users file everything worked like a charm. Time for coffee I guess ;-)

Cheers,
Alexander


  




Re: Problems with XPsp3 and FreeRADIUS

2010-01-14 Thread Alan DeKok
Seth wrote:
> I have a strange problem where the initial 802.1X authentication is
> successful, but then fails subsequent auth attempts.  This is using
> Windows XP sp3 PEAP/MS-Chapv2, FreeRADIUS 2.1.3, with Active Directory
> running on a Windows2003 server.
> 
> I noticed the following discrepancy in the RADIUS logs.  The two auth
> attempts are identical until this part:

  You are using ntlm_auth for authentication.  This issue appears to be
a bug in Samba.  Downgrade Samba until you find a version that works.

  Alan DeKok.


Re: Freeradius 2.x + MySQL: Failed to authenticate the user

2010-01-14 Thread Alan DeKok
Alexander wrote:
> Hello all,
> 
> I have a new setup with Freeradius 2.1.7, Dialup Admin 1.80 and MySQL 5.0.77 
> running under Red Hat ES 5.4. Access from Freeradius to MySQL is working fine 
> but user 'dummy' does not get authenticated. After hours of searching through 
> my setup it seems to me that the problem is rather related to my Freeradius 
> configuration than to MySQL.
> 
> I tested locally with radtest and remotely with NTRadPing: Access-Reject. From 
> the attached debug output can you see why? Thanks in advance!

  See your "users" file:

++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 70


  That entry is forcing "Auth-Type := System".

  Don't do that.

  Alan DeKok.


RE: Framed-IP user gets access-reject due to CHAP

2010-01-14 Thread Michael J. Hartwick
It has been a while since I have used the users file having gone to MySQL,
but what about adding something like:

tevfikceydeliler   Packet-Type == Access-Request, Proxy-To-Realm := 10.1.1.51
        Framed-IP-Address := 172.30.65.90,
        Framed-IP-Netmask := 255.255.240.0,
        Fall-Through = Yes

The first line is the check items, the next lines are the reply items. You
have Framed-IP-Address as a check item not a reply item. Keep in mind that I
may have the syntax a bit wrong but the idea is to add some reply items to
assign the static IP instead of having the static IP as a check item.

-Original Message-
From: freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org
[mailto:freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org]
On Behalf Of Tevfik Ceydeliler
Sent: January 14, 2010 03:32
To: freeradius-users@lists.freeradius.org
Subject: Framed-IP user gets access-reject due to CHAP


Hi list,
I have two types of user. One type gets an IP address from a pool; the other
must use a static IP address.
There is no problem with users who use the IP pool.
But users using a static IP get Access-Reject.
I have two debug outputs, and I used my own account name to test. First I put my
account into the pool, then I put my account in with a static IP address. In each
test I comment out the other row.
Here is the users file:
-For IP pool test:
tevfikceydeliler   Service-Type == Framed-User, Packet-Type == Access-Request, Proxy-To-Realm := 10.1.1.51, Pool-Name := BirmasGPRS_pool
#tevfikceydeliler   Packet-Type == Access-Request, Proxy-To-Realm := 10.1.1.51, Framed-IP-Address := 172.30.65.90, Framed-IP-Netmask := 255.255.240, Fall-Through = Yes

-For static IP test:
#tevfikceydeliler   Service-Type == Framed-User, Packet-Type == Access-Request, Proxy-To-Realm := 10.1.1.51, Pool-Name := BirmasGPRS_pool
tevfikceydeliler   Packet-Type == Access-Request, Proxy-To-Realm := 10.1.1.51, Framed-IP-Address := 172.30.65.90, Framed-IP-Netmask := 255.255.240, Fall-Through = Yes

I also have debug output for these two test:
-For Ip pool test:
rad_recv: Access-Request packet from host 172.30.80.1 port 1048, id=181,
length=139
NAS-IP-Address = 172.30.80.1
NAS-Identifier = "GGFILE02"
Called-Station-Id = "yasarapn"
Framed-Protocol = GPRS-PDP-Context
Service-Type = Framed-User
NAS-Port-Type = Virtual
NAS-Port = 119530800
CHAP-Challenge = 0x084c2d1eb2b0da2fa88e86be50190074
User-Name = "tevfikceydeliler"
CHAP-Password = 0x01fe1f5c6c3340f451ba829a456b302ece
Calling-Station-Id = "905308507313"
Thu Jan 14 10:05:39 2010 : Info: +- entering group authorize {...}
Thu Jan 14 10:05:39 2010 : Info: ++[preprocess] returns ok
Thu Jan 14 10:05:39 2010 : Debug:   expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/172.30.80.1/auth-detail-20100114
Thu Jan 14 10:05:39 2010 : Info: [auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/172.30.80.1/auth-detail-20100114
Thu Jan 14 10:05:39 2010 : Debug:   expand: %t -> Thu Jan 14 10:05:39
2010
Thu Jan 14 10:05:39 2010 : Info: ++[auth_log] returns ok
Thu Jan 14 10:05:39 2010 : Debug:   expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/freeradius/radacct/172.30.80.1/detail-20100114
Thu Jan 14 10:05:39 2010 : Info: [detail]
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/freeradius/radacct/172.30.80.1/detail-20100114
Thu Jan 14 10:05:39 2010 : Debug:   expand: %t -> Thu Jan 14 10:05:39
2010
Thu Jan 14 10:05:39 2010 : Info: ++[detail] returns ok
Thu Jan 14 10:05:39 2010 : Info: [chap] Setting 'Auth-Type := CHAP'
Thu Jan 14 10:05:39 2010 : Info: ++[chap] returns ok
Thu Jan 14 10:05:39 2010 : Info: ++[mschap] returns noop
Thu Jan 14 10:05:39 2010 : Info: [suffix] No '@' in User-Name =
"tevfikceydeliler", looking up realm NULL
Thu Jan 14 10:05:39 2010 : Info: [suffix] No such realm "NULL"
Thu Jan 14 10:05:39 2010 : Info: ++[suffix] returns noop
Thu Jan 14 10:05:39 2010 : Info: [eap] No EAP-Message, not doing EAP
Thu Jan 14 10:05:39 2010 : Info: ++[eap] returns noop
Thu Jan 14 10:05:39 2010 : Info: ++[unix] returns notfound
Thu Jan 14 10:05:39 2010 : Info: [files] users: Matched entry
tevfikceydeliler at line 114
Thu Jan 14 10:05:39 2010 : Debug:   expand: Hello, %{User-Name} ->
Hello, tevfikceydeliler
Thu Jan 14 10:05:39 2010 : Info: ++[files] returns ok
Thu Jan 14 10:05:39 2010 : Info: ++[expiration] returns noop
Thu Jan 14 10:05:39 2010 : Info: ++[logintime] returns noop
Thu Jan 14 10:05:39 2010 : Info: +- entering group pre-proxy {...}
Thu Jan 14 10:05:39 2010 : Debug:   expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d ->
/var/log/freeradius/radacct/172.30.80.1/pre-
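Added example (not from the thread): a small linter for the users-file layout Michael describes, where the first line holds the check items and indented continuation lines hold the reply items. It flags reply attributes such as Framed-IP-Address placed on the check line (where they are compared against the request instead of being sent), '==' on a reply line, and values that are not dotted-quad IPv4 addresses. The two sample entries are constructed from the entry in the thread, one as posted on a single line and one with the reply items moved to indented lines.

```python
"""Lint FreeRADIUS 'users' entries: check items on the first line, reply items on indented lines."""
import ipaddress
import re
from dataclasses import dataclass, field

# Attributes that only make sense as reply items (constructed, partial list).
REPLY_ONLY = {"Framed-IP-Address", "Framed-IP-Netmask", "Reply-Message", "Session-Timeout", "Fall-Through"}
IPV4_VALUED = {"Framed-IP-Address", "Framed-IP-Netmask"}
# Attribute, operator (longest alternatives first), value.
ITEM_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(:=|==|!=|\+=|=~|!~|<=|>=|<|>|=)\s*(.*?)\s*$")


@dataclass
class Entry:
    name: str
    check: list = field(default_factory=list)   # (attribute, operator, value) from the first line
    reply: list = field(default_factory=list)   # (attribute, operator, value) from indented lines


def parse_items(text: str) -> list:
    """Split 'Attr op value, Attr op value' into triples; values here carry no embedded commas."""
    items = []
    for chunk in text.split(","):
        if not chunk.strip():
            continue
        m = ITEM_RE.match(chunk)
        if not m:
            raise ValueError("cannot parse item: %r" % chunk.strip())
        items.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return items


def parse_users(text: str) -> list:
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                     # blank lines and comments
        if raw[0] in " \t":              # indented: reply items belong to the open entry
            if current is None:
                raise ValueError("reply items before any entry: %r" % raw.strip())
            current.reply.extend(parse_items(raw))
        else:                            # new entry: username, then comma-separated check items
            parts = re.split(r"\s+", raw.strip(), maxsplit=1)
            current = Entry(parts[0], parse_items(parts[1]) if len(parts) > 1 else [])
            entries.append(current)
    return entries


def lint(entry: Entry) -> list:
    warnings = []
    for attr, op, value in entry.check:
        if attr in REPLY_ONLY:
            warnings.append("%s: %s is a reply item but sits on the check line; it is compared "
                            "against the request instead of being sent" % (entry.name, attr))
    for attr, op, value in entry.reply:
        if op == "==":
            warnings.append("%s: '%s ==' on a reply line compares nothing; use := or =" % (entry.name, attr))
    for attr, op, value in entry.check + entry.reply:
        if attr in IPV4_VALUED:
            try:
                ipaddress.IPv4Address(value)
            except ipaddress.AddressValueError:
                warnings.append("%s: %s value %r is not a dotted-quad IPv4 address" % (entry.name, attr, value))
    return warnings


def lint_text(text: str) -> list:
    return [w for entry in parse_users(text) for w in lint(entry)]


# Constructed from the entry in the thread: everything on one line, so the static IP is a check item.
AS_POSTED = (
    "tevfikceydeliler   Packet-Type==Access-Request, Proxy-To-Realm := 10.1.1.51, "
    "Framed-IP-Address := 172.30.65.90, Framed-IP-Netmask := 255.255.240, Fall-Through = Yes\n"
)
# Same entry with the reply items moved to indented continuation lines (and a four-octet netmask).
CORRECTED = (
    "tevfikceydeliler   Packet-Type == Access-Request, Proxy-To-Realm := 10.1.1.51\n"
    "\tFramed-IP-Address := 172.30.65.90,\n"
    "\tFramed-IP-Netmask := 255.255.240.0,\n"
    "\tFall-Through = Yes\n"
)

if __name__ == "__main__":
    for warning in lint_text(AS_POSTED):
        print(warning)
    print("corrected entry:", lint_text(CORRECTED) or "no warnings")
```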

Freeradius 2.x + MySQL: Failed to authenticate the user

2010-01-14 Thread Alexander
Hello all,

I have a new setup with Freeradius 2.1.7, Dialup Admin 1.80 and MySQL 5.0.77 
running under Red Hat ES 5.4. Access from Freeradius to MySQL is working fine 
but user 'dummy' does not get authenticated. After hours of searching through 
my setup it seems to me that the problem is rather related to my Freeradius 
configuration than to MySQL.

I tested locally with radtest and remotely with NTRadPing: Access-Reject. From 
the attached debug output can you see why? Thanks in advance!

Cheers,
Alexander


  [r...@radius-01 /]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.4 (Tikanga)

[r...@radius-01 /]# yum list freeradius2\* | grep installed
freeradius2.x86_64 2.1.7-2.el5   installed  
freeradius2-libs.x86_642.1.7-2.el5   installed  
freeradius2-mysql.x86_64   2.1.7-2.el5   installed  
freeradius2-utils.x86_64   2.1.7-2.el5   installed  

[r...@radius-01 /]# yum list mysql | grep installed
mysql.x86_645.0.77-3.el5installed

[r...@radius-01 raddb]# radtest dummy dummypass localhost 1812 flazglug_
Sending Access-Request of id 11 to 127.0.0.1 port 1812
User-Name = "dummy"
User-Password = "dummypass"
NAS-IP-Address = 172.25.64.205
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=11, length=20

[r...@radius-01 /]# /usr/sbin/radiusd -X
FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Sep 18 
2009 at 11:00:13
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"

RE: freeradius + sqlippool

2010-01-14 Thread Roy Kartadinata
Why not put them into groups and assign IP address based on their group?
That's how we have ours setup and it worked well during our test run
last year. 
 
 
Cheers,
 
Roy Kartadinata
 



From:
freeradius-users-bounces+rkartadinata=pocket@lists.freeradius.org
[mailto:freeradius-users-bounces+rkartadinata=pocket@lists.freeradiu
s.org] On Behalf Of Konstantin Chekushin
Sent: Thursday, January 14, 2010 7:38 AM
To: freeradius-users@lists.freeradius.org
Subject: freeradius + sqlippool


Good afternoon! 
I have a question. It is necessary to assign an IP address to a GPRS user
from the RADIUS server. My decision is to use freeradius+sqlippool for this
purpose. But there is one problem: the ippool name is initially unknown. It
should be chosen depending on the phone number. I.e. there is one more
table in my database holding the correspondence number (calling station
id) = ip pool. (If the calling-station-id is not present in the table,
RADIUS takes the default ippool name.)
Is there a good way to realize a similar scheme?
Thanks for any advice. 

freeradius + sqlippool

2010-01-14 Thread Konstantin Chekushin
Good afternoon! 
 I have a question. It is necessary to assign an IP address to a GPRS user
from the RADIUS server. My decision is to use freeradius+sqlippool for this
purpose. But there is one problem: the ippool name is initially unknown. It
should be chosen depending on the phone number. I.e. there is one more
table in my database holding the correspondence number (calling station
id) = ip pool. (If the calling-station-id is not present in the table,
RADIUS takes the default ippool name.)
 Is there a good way to realize a similar scheme?
 Thanks for any advice.

Re: PAP/SSHA plus MS-CHAP on 2.17

2010-01-14 Thread Alan DeKok
Eric Swanson wrote:
> My intent is to use the SSHA password -- of the ones my LDAP system
> must maintain, I assumed it would be the most straightforward (better
> than those Windows ones anyway).

*something* is either adding a crypt'd password, or is
forcing the PAP module to use the crypt'd password.

  Maybe the "unix" module?

  Alan DeKok.


Framed-IP user gets access-reject due to CHAP

2010-01-14 Thread Tevfik Ceydeliler

Hi list,
I have two types of user. One type gets an IP address from a pool; the other must use 
a static IP address.
There is no problem with users who use the IP pool.
But users using a static IP get Access-Reject.
I have two debug outputs, and I used my own account name to test. First I put my 
account into the pool, then I put my account in with a static IP address. In each test 
I comment out the other row.
Here is the users file:
-For IP pool test:
tevfikceydeliler   Service-Type == Framed-User, Packet-Type == Access-Request, Proxy-To-Realm := 10.1.1.51, Pool-Name := BirmasGPRS_pool
#tevfikceydeliler   Packet-Type == Access-Request, Proxy-To-Realm := 10.1.1.51, Framed-IP-Address := 172.30.65.90, Framed-IP-Netmask := 255.255.240, Fall-Through = Yes

-For static IP test:
#tevfikceydeliler   Service-Type == Framed-User, Packet-Type == Access-Request, Proxy-To-Realm := 10.1.1.51, Pool-Name := BirmasGPRS_pool
tevfikceydeliler   Packet-Type == Access-Request, Proxy-To-Realm := 10.1.1.51, Framed-IP-Address := 172.30.65.90, Framed-IP-Netmask := 255.255.240, Fall-Through = Yes

I also have debug output for these two test:
-For Ip pool test:
rad_recv: Access-Request packet from host 172.30.80.1 port 1048, id=181, 
length=139
NAS-IP-Address = 172.30.80.1
NAS-Identifier = "GGFILE02"
Called-Station-Id = "yasarapn"
Framed-Protocol = GPRS-PDP-Context
Service-Type = Framed-User
NAS-Port-Type = Virtual
NAS-Port = 119530800
CHAP-Challenge = 0x084c2d1eb2b0da2fa88e86be50190074
User-Name = "tevfikceydeliler"
CHAP-Password = 0x01fe1f5c6c3340f451ba829a456b302ece
Calling-Station-Id = "905308507313"
Thu Jan 14 10:05:39 2010 : Info: +- entering group authorize {...}
Thu Jan 14 10:05:39 2010 : Info: ++[preprocess] returns ok
Thu Jan 14 10:05:39 2010 : Debug:   expand: 
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> 
/var/log/freeradius/radacct/172.30.80.1/auth-detail-20100114
Thu Jan 14 10:05:39 2010 : Info: [auth_log] 
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to 
/var/log/freeradius/radacct/172.30.80.1/auth-detail-20100114
Thu Jan 14 10:05:39 2010 : Debug:   expand: %t -> Thu Jan 14 10:05:39 2010
Thu Jan 14 10:05:39 2010 : Info: ++[auth_log] returns ok
Thu Jan 14 10:05:39 2010 : Debug:   expand: 
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> 
/var/log/freeradius/radacct/172.30.80.1/detail-20100114
Thu Jan 14 10:05:39 2010 : Info: [detail] 
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/freeradius/radacct/172.30.80.1/detail-20100114
Thu Jan 14 10:05:39 2010 : Debug:   expand: %t -> Thu Jan 14 10:05:39 2010
Thu Jan 14 10:05:39 2010 : Info: ++[detail] returns ok
Thu Jan 14 10:05:39 2010 : Info: [chap] Setting 'Auth-Type := CHAP'
Thu Jan 14 10:05:39 2010 : Info: ++[chap] returns ok
Thu Jan 14 10:05:39 2010 : Info: ++[mschap] returns noop
Thu Jan 14 10:05:39 2010 : Info: [suffix] No '@' in User-Name = 
"tevfikceydeliler", looking up realm NULL
Thu Jan 14 10:05:39 2010 : Info: [suffix] No such realm "NULL"
Thu Jan 14 10:05:39 2010 : Info: ++[suffix] returns noop
Thu Jan 14 10:05:39 2010 : Info: [eap] No EAP-Message, not doing EAP
Thu Jan 14 10:05:39 2010 : Info: ++[eap] returns noop
Thu Jan 14 10:05:39 2010 : Info: ++[unix] returns notfound
Thu Jan 14 10:05:39 2010 : Info: [files] users: Matched entry tevfikceydeliler 
at line 114
Thu Jan 14 10:05:39 2010 : Debug:   expand: Hello, %{User-Name} -> Hello, 
tevfikceydeliler
Thu Jan 14 10:05:39 2010 : Info: ++[files] returns ok
Thu Jan 14 10:05:39 2010 : Info: ++[expiration] returns noop
Thu Jan 14 10:05:39 2010 : Info: ++[logintime] returns noop
Thu Jan 14 10:05:39 2010 : Info: +- entering group pre-proxy {...}
Thu Jan 14 10:05:39 2010 : Debug:   expand: 
/var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d -> 
/var/log/freeradius/radacct/172.30.80.1/pre-proxy-detail-20100114
Thu Jan 14 10:05:39 2010 : Info: [pre_proxy_log] 
/var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d 
expands to /var/log/freeradius/radacct/172.30.80.1/pre-proxy-detail-20100114
Thu Jan 14 10:05:39 2010 : Debug:   expand: %t -> Thu Jan 14 10:05:39 2010
Thu Jan 14 10:05:39 2010 : Info: ++[pre_proxy_log] returns ok
Thu Jan 14 10:05:39 2010 : Debug:   expand: 
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> 
/var/log/freeradius/radacct/172.30.80.1/detail-20100114
Thu Jan 14 10:05:39 2010 : Info: [detail] 
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/freeradius/radacct/172.30.80.1/detail-20100114
Thu Jan 14 10:05:39 2010 : Debug:   expand: %t -> Thu Jan 14 10:05:39 2010
Thu Jan 14 10:05:39 2010 : Info: ++[detail] returns ok
Sending Access-Request of id 218 to 10.1.1.51 port 1812
NAS-IP-Addr

Re: PAP/SSHA plus MS-CHAP on 2.17

2010-01-14 Thread Eric Swanson
On Thu, Jan 14, 2010 at 12:18 AM, Eric Swanson wrote:
> There's not much to the rest of my PAP-related configuration.

...and just for the record, I've just grepped through my whole
/etc/raddb folder.  The only other non-commented mentions of PAP are
in eap.conf, sites-available/inner-tunnel, and modules/inner-eap --
none of which has been modified from the standard distributed file.

Thanks again,

E.


Re: PAP/SSHA plus MS-CHAP on 2.17

2010-01-14 Thread Eric Swanson
On Wed, Jan 13, 2010 at 10:48 PM, Alan DeKok  wrote:
> Eric Swanson wrote:
>> ...
>> [ldap] Added User-Password = {SSHA}i9--censored--JI in check items
>> [ldap] looking for check items in directory...
>> rlm_ldap: sambaNtPassword -> NT-Password == 0x4338--censored--4531
>> rlm_ldap: sambaLmPassword -> LM-Password == 0x4637--censored--4545
>
>  You have 3 versions of the "known good" password for the user.  Which
> one do you want to use?

Alan:

Thanks so much for getting back to me.

My intent is to use the SSHA password -- of the ones my LDAP system
must maintain, I assumed it would be the most straightforward (better
than those Windows ones anyway).

>> [pap] Using CRYPT encryption.
>
>  And the "pap" module isn't configured to use any of them.
>
>> The part that seems strange to me is that the system clearly
>> identifies the type of passwords we are using ("Normalizing
>> SSHA1-Password from base64 encoding" seems proof enough of that), but
>> a couple lines later PAP has decided to use CRYPT encryption for some
>> reason.  I can't imagine what I've done to make the system believe it
>> should use CRYPT instead of SSHA.
>
>  Check the configuration of the PAP module.

Here's my modules/pap in its entirety:

pap {
auto_header = yes
}

I haven't found any information on other (non-deprecated) directives
that go in this file.  If there's a way to tell PAP to use the SSHA
password, I would _love_ to hear it.

There's not much to the rest of my PAP-related configuration.

In sites-available/default under the authorization section, PAP is
listed last, just like this:
pap


In sites-available/default under the authentication section, PAP is
listed first like this:
Auth-Type PAP {
pap
}

I'm excited about your note's implication that there's a way to tell
PAP which password to use.  If that's really true, I think all I need
is to be pointed to information about how to do so.

Thankx,

E.

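How an {SSHA} check item like the one rlm_ldap added above is verified, as an added example rather than FreeRADIUS's own pap module code: strip the header, base64-decode into a 20-byte SHA-1 digest plus trailing salt (the "Normalizing SSHA1-Password from base64 encoding" step in the debug output), then compare SHA1(password || salt) with the stored digest in constant time. The passwords and salts below are constructed.

```python
"""Verify a password against an LDAP-style {SSHA} userPassword value."""
import base64
import hashlib
import hmac

SHA1_LEN = 20


def make_ssha(password: str, salt: bytes) -> str:
    """Produce '{SSHA}' + base64(SHA1(password || salt) || salt), the layout LDAP servers store."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def normalize_ssha(value: str) -> tuple:
    """Strip the {SSHA} header, base64-decode, and split into (digest, salt)."""
    header, sep, encoded = value.partition("}")
    if not sep or header.upper() != "{SSHA":
        raise ValueError("not an {SSHA} value: %r" % value[:8])
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) < SHA1_LEN:
        raise ValueError("decoded value is shorter than a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]   # the salt is whatever follows the 20-byte digest


def check_ssha(value: str, password: str) -> bool:
    """Recompute SHA1(password || salt) with the stored salt and compare in constant time."""
    digest, salt = normalize_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed sample values; a real salt would come from os.urandom().
SALT_A = bytes.fromhex("0102030405060708")
SALT_B = bytes.fromhex("a1b2c3d4e5f60718")
STORED_A = make_ssha("correct horse", SALT_A)
STORED_B = make_ssha("correct horse", SALT_B)

if __name__ == "__main__":
    print(STORED_A)
    print("same password, different salt, different stored value:", STORED_A != STORED_B)
    print("right password:", check_ssha(STORED_A, "correct horse"))
    print("wrong password:", check_ssha(STORED_A, "Correct horse"))
```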