Re: Problem with eap-peap
On Fri, 19-02-2010 at 11:47 +0100, Alan DeKok wrote:
> Trujillo Carmona, Antonio wrote:
> > ...
> > [mschapv2] +- entering group MS-CHAP {...}
> > [mschap] Told to do MS-CHAPv2 for gdxtrujo with NT-Password
> > [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=gdxtrujo
> > [mschap] expand: --domain=%{mschap:NT-Domain:-HUVN} -> --domain=HUVN
> > [mschap] mschap2: 10
> > [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cacf5023c11e7ea7
> > [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3e1277f2d4835fc8a8de7dfae71b2890c6ef6d3841140af2
> > Exec-Program output: NT_KEY: 2A28DA9AD2160A673F22F87D37D8E9BC
> > Exec-Program-Wait: plaintext: NT_KEY: 2A28DA9AD2160A673F22F87D37D8E9BC
> > Exec-Program: returned: 0
> > ...
> > Sending Access-Challenge of id 50 to 10.104.16.128 port 45236
> > EAP-Message = 0x0109004a1900170301003f27dd660624182f35234bd9f80b3c7ad5c4ca8c538fc86c6bae1ba3991e4d3fd17f1a934ac2f7453801032ca9894b0d4a8687ceccbb61bb439c4c9fc642d244
> > Message-Authenticator = 0x
> > State = 0x3cd4450c3bdd5c57a4c67a935e13b1f8
> > Finished request 7.
> > Going to the next request
> > Waking up in 4.8 seconds.
> > Cleaning up request 0 ID 43 with timestamp +35
>
> It's a bug in Samba. Downgrade Samba versions until it works.
>
> Alan DeKok.

OK, I tried with Ubuntu 8.4 (Samba 3.0.28a), compiling FreeRADIUS 2.1.6 (version 2.1.8 gives me a problem with some library), and everything works fine. Thanks.

--
Please do NOT use proprietary file formats such as DOC and XLS for exchanging documents; use HTML, RTF, TXT, CSV or any other format that does not force the use of a particular vendor's program to process the information it contains.

Cheers.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-TTLS configuration with PAP inner
Hi,

Apologies if this has been asked before. I am trying to configure FreeRADIUS to replicate our current RADIUS server; there are a couple of things that I'm not clear about.

We tend to use an anonym...@realm identity for the EAP outer ID. In our current RADIUS server this is defined in a users file and has the format of

anonymous Encrypted-Password=nevermatch

Is there a similar thing in FreeRADIUS, and where should this be defined?

In the eap.conf file under the ttls section it asks for

default_eap_type = tls

If I am using a PAP password for the inner that comes from an LDAP server, should I comment this section out? Or will the server ignore it?

Thanks
Colin

--
---
Colin Byelong
Email: c.byel...@ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street
Phone: 020 7679-2572
London WC1E 6BT
Re: default_eap_type in ttls configuraion in file eap.conf
ZHANG Gina wrote:
> I have a question regarding the default_eap_type setting for the ttls configuration in file eap.conf. From the TTLS protocol, it is not necessary to do authentication in the tunnel

  Huh?  It is absolutely necessary to do authentication in the tunnel.

> and it is the user who decides and initiates which EAP type to use inside the tunnel.

  No.  The server ALWAYS initiates an EAP type.

> What is the default_eap_type used for?

  The comments in eap.conf explain this.

  Alan DeKok.
Wiki editing
Am I overlooking something? How do you edit the wiki? I can't find a way to register an account to edit wiki pages.

I was about to add some comments about the rlm_sql_iodb driver, since everybody needs to know that the driver looks for the DSN in the radius_db config option and not in the server configuration option (at least for 1.1.8).

Rg,
Arnaud
Re: Authorization through inner identity
Hi,

> Alan, All I want to do is to use the inner username to look up the database table to authorize.

so long as you call the relevant SQL module in the authorize {} section of inner-tunnel then the default config will work fine for you. - once the server is in inner-tunnel (called via EAP) it will only be dealing with the inner username (unless you've done something crazy/weird with the config!)

alan
Re: EAP-TTLS configuration with PAP inner
Hi,

> We tend to use an anonym...@realm identity for the EAP outer ID, in our current radius server this is defined in a users file and has the format of
>
> anonymous Encrypted-Password=nevermatch
>
> is there a similar thing in freeradius and where should this be defined ?

IIRC, this is just so that the user 'anonymous' is never treated as a real user so no real challenges regarding this ID are sent to the LDAP or SQL backend? We've never had to define an 'anonymous' username anywhere in FreeRADIUS config for this to not be a problem... basically, if you have anonym...@realm then the FreeRADIUS suffix/realm/prefix code will note the realm part and proxy it through... and if it's EAP it'll be proxied to the inner-tunnel (from then on the InnerID is what matters!)

> In the eap.conf file under the ttls section it asks for
>
> default_eap_type = tls
>
> if I am using a pap password for the inner that comes from a ldap server should I comment this section out ? Or will the server ignore it ?

that's the default EAP type and hence the one that is initially challenged... if you want to optimize things then set it to your most commonly used method... we have it as 'peap' here but you'll be EAP-TTLS/PAP'ing? so that'd be 'ttls'

alan
rlm-ldap error for chap
I changed Cleartext-Password in ldap.attrmap to User-Password and now:

rlm_ldap: LDAP userPassword mapped to RADIUS User-Password

and checked with password_header = {clear} and without it.

b

--- On Tue, 2/23/10, Fajar A. Nugraha fa...@fajar.net wrote:

> From: Fajar A. Nugraha fa...@fajar.net
> Subject: Re: rlm-ldap error for chap
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Date: Tuesday, February 23, 2010, 6:47 AM
>
> On Tue, Feb 23, 2010 at 1:32 PM, Eric Eric eric121...@yahoo.com wrote:
> > Hi
> > I want to change authentication pap to chap. The users with clear passwords are in ldap server. but there is an error with clear password in rlm-ldap
> >
> > rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
>
> is the cleartext password there?
>
> > ldap ldap-Vpn{
> >     password_attribute = userPassword
> >     password_header = {clear}
> > }
>
> does the cleartext password have a header?
>
> --
> Fajar
Re: EAP-TTLS configuration with PAP inner
Hi

Thanks for the quick reply.

> Hi,
>
> > We tend to use an anonym...@realm identity for the EAP outer ID, in our current radius server this is defined in a users file and has the format of
> >
> > anonymous Encrypted-Password=nevermatch
> >
> > is there a similar thing in freeradius and where should this be defined ?
>
> IIRC, this is just so that the user 'anonymous' is never treated as a real user so no real challenges regarding this ID are sent to the LDAP or SQL backend? We've never had to define an 'anonymous' username anywhere in FreeRADIUS config for this to not be a problem... basically, if you have anonym...@realm then the FreeRADIUS suffix/realm/prefix code will note the realm part and proxy it through... and if it's EAP it'll be proxied to the inner-tunnel (from then on the InnerID is what matters!)

Thanks, I will try and configure this.

> > In the eap.conf file under the ttls section it asks for
> >
> > default_eap_type = tls
> >
> > if I am using a pap password for the inner that comes from a ldap server should I comment this section out ? Or will the server ignore it ?
>
> that's the default EAP type and hence the one that is initially challenged... if you want to optimize things then set it to your most commonly used method... we have it as 'peap' here but you'll be EAP-TTLS/PAP'ing? so that'd be 'ttls'

I thought it should be ttls but I found this to be a little confusing:

# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.

as I have

eap {
    default_eap_type = ttls

Thanks
Colin

> alan
Re: rlm-ldap error for chap
Excuse me, my reply was incomplete and sent with an error.

I changed Cleartext-Password in ldap.attrmap to User-Password and now:

rlm_ldap: LDAP userPassword mapped to RADIUS User-Password

and checked with password_header = {clear} and without it, but the error is the same as before.

--- On Tue, 2/23/10, Eric Eric eric121...@yahoo.com wrote:

> From: Eric Eric eric121...@yahoo.com
> Subject: rlm-ldap error for chap
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Date: Tuesday, February 23, 2010, 10:31 AM
>
> I changed Cleartext-Password in ldap.attrmap to User-Password and now:
>
> rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
>
> and checked with password_header = {clear} and without it.
>
> b
>
> --- On Tue, 2/23/10, Fajar A. Nugraha fa...@fajar.net wrote:
>
> > From: Fajar A. Nugraha fa...@fajar.net
> > Subject: Re: rlm-ldap error for chap
> > To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> > Date: Tuesday, February 23, 2010, 6:47 AM
> >
> > On Tue, Feb 23, 2010 at 1:32 PM, Eric Eric eric121...@yahoo.com wrote:
> > > Hi
> > > I want to change authentication pap to chap. The users with clear passwords are in ldap server. but there is an error with clear password in rlm-ldap
> > >
> > > rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
> >
> > is the cleartext password there?
> >
> > > ldap ldap-Vpn{
> > >     password_attribute = userPassword
> > >     password_header = {clear}
> > > }
> >
> > does the cleartext password have a header?
> >
> > --
> > Fajar
Re: EAP-TTLS configuration with PAP inner
Hi,

> I thought it should be ttls but I found this to be a little confusing

aye. there are a couple of 'default_eap_type' lines - one for the main EAP engine.. and then entries under a couple of the tunnelled types (eg peap and ttls)

eap {
    default_eap_type = ttls
    ...
    ...
}

is correct

under the ttls {} config you can have 'md5' or 'gtc' - i don't think that 'pap' is a valid entry though as that is not an EAP type.

alan
Re: EAP-TTLS configuration with PAP inner
On 23/02/2010 10:44, Alan Buxey wrote:
> Hi,
>
> aye. there are a couple of 'default_eap_type' lines - one for the main EAP engine.. and then entries under a couple of the tunnelled types (eg peap and ttls)
>
> eap {
>     default_eap_type = ttls
>     ...
>     ...
> }
>
> is correct
>
> under the ttls {} config you can have 'md5' or 'gtc' - i don't think that 'pap' is a valid entry though as that is not an EAP type.

This is what was confusing me. I would have thought I should put ttls here, but I have already defined that as the default EAP type. I know that pap is not an EAP type, but that's what we are using in the tunnel. Could I put md5 here and configure ldap in the inner-tunnel file?

Thanks
Colin

> alan
(rlm_chap: Clear text password not available)
I want to change authentication from pap to chap. The users with clear passwords are in an LDAP server, but there is an error with the clear password in rlm-ldap.

radiusd -x
Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap-Dial-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap-Dial-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap-Dial
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x90f2d90
Module: Instantiated ldap (ldap-Vpn)
Module: Loaded always
Module: Instantiated always (ok)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
Module: Instantiated detail (auth_log)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded SQL Counter
Module: Instantiated sqlcounter (monthly-Vpn)
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap-Vpn-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap-Vpn-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap-Vpn
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
Re: EAP-TTLS configuration with PAP inner
Hi,

> This is what was confusing me. I would have thought I should put ttls here, but I have already defined that as the default EAP type. I know that pap is not an EAP type, but that's what we are using in the tunnel. Could I put md5 here and configure ldap in the inner-tunnel file?

yes - you should see LDAP working fine in the inner-tunnel no matter what you put (you MAY find that putting GTC as the default method might get better performance/throughput though can't vouch for certainty!)

alan
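To make the two default_eap_type settings discussed in this thread concrete, here is an added configuration excerpt in FreeRADIUS 2.1.x syntax; it is not from the thread or the project's stock files verbatim. Assumptions: the LDAP module instance is named `ldap`, the files live at the stock raddb paths, and the outer server uses the stock `suffix` realm handling so the anonymous outer identity needs no users-file entry.

```text
# eap.conf: outer EAP engine and its ttls sub-section
eap {
    # Type offered to a supplicant that has only sent an EAP-Identity
    # (e.g. anonymous@realm). This is the setting that should be 'ttls'.
    default_eap_type = ttls

    # tls { ... } certificate settings as in the stock file; ttls reuses them

    ttls {
        # Consulted only when the data inside the tunnel is itself EAP.
        # A PAP inner (plain User-Name/User-Password AVPs) never triggers
        # it, which is why 'pap' is not a valid value here; md5 or gtc are.
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        # Everything inside the tunnel is handed to this virtual server,
        # so the inner identity is the only User-Name it ever sees.
        virtual_server = "inner-tunnel"
    }
}

# sites-available/inner-tunnel: look up the inner identity in LDAP, check PAP
server inner-tunnel {
    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        # rlm_ldap (instance name 'ldap' assumed) fetches the inner user and,
        # via password_attribute / ldap.attrmap, sets Cleartext-Password.
        ldap
        expiration
        logintime
        # pap sets Auth-Type := PAP once a Cleartext-Password is known
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

Checking with `radiusd -X` should show the inner request entering `server inner-tunnel` with the real user name, `[ldap]` adding Cleartext-Password, and `[pap]` setting Auth-Type to PAP.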
rlm_chap clear text password not available
Please help. It confused me!

I want to change authentication from pap to chap. The users with clear passwords are in an LDAP server, but there is an error with the clear password in rlm-ldap (radiusd -x output as in the previous post).
Re: How long it take to auth in 802.1X/WPA-enterprise?
Thank you very much. Your comment and advice are very helpful for understanding the RADIUS mechanism.

I replaced the AP (Belkin54g) with a new one (DWL-8200AP, D-Link). As a result, the delay time is reduced from 18 sec to 0.15 sec. I measured the time stamps of the captured packets with Network Monitor 3.1 (M$). However, I'm not sure whether it depends on the AP's features or not. I had already installed VMware tools for that measurement, so the networking configuration is ok.

Lastly, concerning "Looking up realm": actually, I didn't know very well about this; I just use a user name in that style. Can you explain in detail?

Best.
Jaejong Baek
02-365-7966

*** Message: 3
Date: Thu, 18 Feb 2010 10:02:22
From: Alan Buxey a.l.m.bu...@lboro.ac.uk
Subject: Re: How long it take to auth in 802.1X/WPA-enterprise?
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Hi,

> How long it take to auth in 802.1X/WPA-enterprise?

depends on the system and what methods etc... but easily under 1 second here

> In this simple network model, I have tried to auth using EAP-TLS (self-certification) and it works good. By the way, about 18 seconds are taken to auth as follow debug logs. (confer the timestamp (1) and (2))

where's the real authentication - ie Access-Accept return packet?

do you have vmware tools on your ubuntu VMware hosted system - and therefore using vmxnet driver instead of the slow pcnet32 ? (lsmod | grep vmx)

turn off any non-needed modules - eg are you ever going to use /etc/passwd for user accounts? if not, comment out the unix module whenever it appears.. likewise files, expiration, logintime etc. make sure you are not going to be needing them though!

..also...

> Wed Feb 17 21:37:00 2010 : Info: [suffix] Looking up realm .yyy.zz.vv for User-Name = k...@.yyy.zz.vv
> Wed Feb 17 21:37:00 2010 : Info: [suffix] No such realm .yyy.zz.vv

are you deliberately not dealing with this realm? are you expecting it to be sent elsewhere?

alan
Re: can't get simultaneous login to work Part 1
Yes, I read doc/Simultaneous-Use. What makes a session unique? What does the perl script need to know from the controller? We may be able to work with the script to pull that information out. We think it's looking for a Cisco VPN device by default and not a wireless controller.

>>> Alan DeKok al...@deployingradius.com 2/19/2010 4:31 PM >>>
> J Brandon Polley wrote:
> > We can't get simultaneous login to work. We are trying to restrict simultaneous use to allow only one user to be logged in at once.
>
>   OK... you've posted rather a lot of information.
>
>   Did you read doc/Simultaneous-Use?  I don't see any session sections being executed.  They get run only when you set Simultaneous-Use...
>
>   Alan DeKok.
Re: rlm-ldap error for chap
On 02/23/2010 01:32 AM, Eric Eric wrote:
> Hi
> I want to change authentication pap to chap. The users with clear passwords are in ldap server. but there is an error with clear password in rlm-ldap

What version of FreeRADIUS are you running? Normally it's the first thing in the debug output, except for old versions.

What does an ldap search of the test user's dn return? (use the ldapsearch command line utility). My guess is there isn't an attribute called userPassword.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: rlm_chap clear text password not available
On 02/23/2010 08:07 AM, Eric Eric wrote:
> please help. It confused me !

You only need to post your question once; posting it again and again in frustration because no one immediately answered you is not polite.

--
John Dennis jden...@redhat.com
Re: rlm-ldap error for chap
On 02/23/2010 05:31 AM, Eric Eric wrote:
> I changed Cleartext-Password in ldap.attrmap to User-Password

Don't do that; that's got nothing to do with finding the user's password in your directory. It's the password_attribute in your ldap config which controls how to find the user's password in your directory. But first you must find the user in your directory, which is controlled by the basedn and filter ldap config items. What are they set to, and what does ldapsearch return when you pass ldapsearch the same basedn and filter?

--
John Dennis jden...@redhat.com
Re: can't get simultaneous login to work Part 1
J Brandon Polley wrote:
> Yes I read doc/Simultaneous-Use what makes a session unique?

  The fields in the radutmp file, or the simul_count_query and simul_verify_query in the SQL configuration.

> What does the perl script need to know from the controller?

  Huh?

> We may be able to work with the script to pull that information out. We think its looking through for a cisco VPN device by default and not a wireless controller.

  I have no idea what that means.

  It's clear you didn't follow the instructions in doc/Simultaneous-Use.  If you had, the session section would have run to do simultaneous-use checking.  It didn't run in the debug output you posted, so you didn't follow the documentation.

  Alan DeKok.
RE: Authorization through inner identity
Alan,

Thanks for all the help! I need to modify my question. I am using MSCHAPv2 inside the TTLS tunnel. Upon receipt of the MS-CHAP2-Success AVP, the client is able to authenticate the FR. If the authentication succeeds, the client sends an EAP-TTLS packet to FR containing no data. Only upon receiving this packet does FR authorize. But at this point, the request packet contains no inner tunnel identity. Is there any way to config FR to authorize according to the inner-tunnel identity in this case?

Regards,
Gina

-----Original Message-----
From: freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org On Behalf Of Alan Buxey
Sent: Tuesday, February 23, 2010 3:41 AM
To: FreeRadius users mailing list
Subject: Re: Authorization through inner identity

Hi,

> Alan, All I want to do is to use inner username to lookup the database table to authorize.

so long as you call the relevant SQL module in the authorize {} section of inner-tunnel then the default config will work fine for you. - once the server is in inner-tunnel (called via EAP) it will only be dealing with the inner username (unless you've done something crazy/weird with the config!)

alan
Re: Max-Monthly-Traffic
Neville wrote:
> Anyone please, as this is driving me mad...

  2^31 issues?  Check the code for unsigned int...

  Alan DeKok.
monitoring freeradius
How does one go about monitoring FreeRADIUS to see if it is reaching process limits or max clients etc.? If I run it in debug mode it places limits on it that are not in normal mode. Is SNMP the only way?
FreeRadius and MacOSX 10.6
Hi there,

I'm trying to set up FreeRADIUS on a MacOSX 10.6 host. This OS uses FreeRADIUS Version 2.1.3.

I'm looking for information about how to permit a client device to ask for an IP address when it is plugged into the network. The switch forwards the request to the RADIUS server. The RADIUS server asks Open Directory (LDAP) whether the client is allowed (MAC address check) and in which VLAN. Then, if the client is allowed, the switch port is configured in the VLAN specified by Open Directory.

All information is welcome.

--
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986
Kezia Group
Re: monitoring freeradius
On Tuesday 23 February 2010 at 13:39 -0500, Mark Jones wrote:
> How does one go about monitoring freeradius in that to see if it is reaching process limits or max clients etc..

I have made a cacti template; it won't do any sentry upon max-client or process-limit as you asked for, but it may help track access accept/reject... and accounting requests. If you're interested in it, it can be found here:

http://forums.cacti.net/viewtopic.php?t=29880highlight=freeradius

but it needs to be tweaked. (It uses RADIUS status requests instead of SNMP.) I know it's not what you asked for, but I thought it could help (and I'd be glad if someone could test it :p)

regards

> If I run it in debug mode it places limits on it that are not in normal mode.

I know it

> Is snmp the only way?
Re: monitoring freeradius
On Tue, 23 Feb 2010, Mark Jones wrote:
> How does one go about monitoring freeradius in that to see if it is reaching process limits or max clients etc..
> If I run it in debug mode it places limits on it that are not in normal mode.

Proactive network monitoring with Nagios and check_radius or check_radauth.

~BAS
Re: modules instantiation
This is very clear. Thanks.

--- On Mon, 2/22/10, Doug Hardie bc...@lafn.org wrote:

From: Doug Hardie bc...@lafn.org
Subject: Re: modules instantiation
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Monday, February 22, 2010, 10:56 PM

I tried to correct the wiki's description but was not able to do so. I can log in fine and it says I can edit the file. However, after making the changes, save just gives a blank screen and the changes never appear in the text. In the modules2 file change:

The xxx_instantiate module is called each time a new instance is started. Generally this module is used to establish the data for the instance that needs to be retained during the life of the instance. For example, reading the configuration variables. cf_section_parse(conf, data, module_config) is used to do this function.

to:

The xxx_instantiate module is called each time a new instance is started during the initial configuration process. Generally this module is used to establish the data for the instance that needs to be retained during the life of the instance. For example, reading the configuration variables. cf_section_parse(conf, data, module_config) is used to do this function. Note that the instantiate module is not called each time a new instantiation of the module is started during run time. The data established during the instantiate module is available to all instantiations during run time.

If you need to store data that is associated with a particular *request*, and is valid only for the lifetime of a request, see request_data_add(), and request_data_get().
sequence realms
Hi, I am using freeradius 2.1.3. Is there a way in freeradius to forward the requests to all the configured realms one after the other, if it gets rejected, say, for null or default realms? I did not find anything like that in the configuration. Any response is greatly appreciated. Thanks, Latha.
Re: monitoring freeradius
Mark Jones wrote:
> How does one go about monitoring freeradius in that to see if it is reaching process limits or max clients etc..
> If I run it in debug mode it places limits on it that are not in normal mode.

Err... what does that mean?

For general OS CPU / memory monitoring: see monit.

For other RADIUS monitoring... the latest release of Monit includes FreeRADIUS plugins.

Alan DeKok.
Re: FreeRadius and MacOSX 10.6
Fabien COMBERNOUS wrote:
> Hi there, I'm trying to set up FreeRADIUS on a Mac OS X 10.6 host. This OS uses FreeRADIUS Version 2.1.3. I'm looking for information about how to permit a client device to ask for an IP address when it is plugged into the network.

Is this for PPP?

(a) Yes: use the ippool / sqlippool module.
(b) No: use DHCP.

Alan DeKok.
Failed binding to socket: Address already in use
I would like to listen to the address assigned to the computer, 192.168.1.12. FreeRADIUS Version 2.1.0.

g...@lisa:/sbin$ sudo freeradius -X
FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Sep 17 2009 at 17:22:02
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
	prefix = /usr
	localstatedir = /var
	logdir = /var/log/freeradius
	libdir = /usr/lib/freeradius
	radacctdir = /var/log/freeradius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = /var/run/freeradius/freeradius.pid
	checkrad = /usr/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
	log {
		stripped_names = no
		auth = no
		auth_badpass = no
		auth_goodpass = no
	}
	security {
		max_attributes = 200
		reject_delay = 1
		status_server = yes
	}
}
client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = testing123
	nastype = other
}
radiusd: Loading Realms and Home Servers
proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
}
home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = auth
	secret = testing123
	response_window = 20
	max_outstanding = 65536
	zombie_period = 40
	status_check = status-server
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
}
home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
}
realm
Re: monitoring freeradius
Sorry, I was in a hurry and did not notice my spelling mistakes. I am not looking to see if radius is failing or not running, but as to how many of the options under the thread pool are being used at any given point in time. If I run the server with -X then it only runs one thread, so that does not tell me what is going on. Also, if the cleanup delay is too long, so I am hitting the max_requests.

----- Original Message -----
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, February 23, 2010 4:17 PM
Subject: Re: monitoring freeradius

> Mark Jones wrote:
>> How does one go about monitoring freeradius in that to see if it is reaching process limits or max clients etc..
>> If I run it in debug mode it places limits on it that are not in normal mode.
>
> Err... what does that mean?
>
> For general OS CPU / memory monitoring: see monit.
>
> For other RADIUS monitoring... the latest release of Monit includes FreeRADIUS plugins.
>
> Alan DeKok.
Re: Failed binding to socket: Address already in use
On 02/23/2010 04:36 PM, George Greene wrote:
> i would like to listen to the address assigned to the computer. 192.168.1.12
> FreeRADIUS Version 2.1.0
> g...@lisa:/sbin$ sudo freeradius -X
> Failed binding to socket: Address already in use

Then stop the already running radius server, you can only have one running at a time.

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: Failed binding to socket: Address already in use
hi,

radiusd is already running and bound to port 1812 - either stop the current process using the relevant tool that started it... eg /sbin/service radiusd stop or /etc/init.d/radiusd stop, or kill it, eg killall radiusd. THEN run the daemon in full debug mode.

alan
Parse error
Could someone tell me what the syntax error on the Proxy-To-Realm line is please?

preacct {
	detail
	suffix
	if ((Proxy-To-Realm = DEFAULT) (User-Name =~ /@.*.domain.tld$/)) {
		update control {
			Proxy-To-Realm := NULL
		}
	}
}

/usr/local/freeradius/sbin/radiusd -X:

/usr/local/freeradius/etc/raddb/sites-enabled/eduroam[23]: Parse error in condition at: (Proxy-To-Realm = DEFAULT) (User-Name =~ /@.*.domain.tld$/))
Errors reading /usr/local/freeradius/etc/raddb/radiusd.conf
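As an added example, not part of the original post and not from the FreeRADIUS distribution: a form of that condition that the 2.x unlang parser accepts. It rests on two assumptions the archived message does not confirm, namely that the two sub-conditions were meant to be joined with && and that the string operand was meant to be compared with ==; it also reads Proxy-To-Realm from the control list, where the suffix/realm module places it. The dots in the regex are escaped on purpose: an unescaped . matches any character, so /@.*.domain.tld$/ would also match a name such as user@my-domain-tld, and since this condition decides whether a request is kept local or proxied, an over-broad match is a policy hole rather than a cosmetic one.

```unlang
preacct {
	detail
	suffix

	#  Keep accounting for our own users local instead of proxying it.
	#  Assumed (editor's reconstruction): "&&" joins the two tests and the
	#  realm name is compared with "==".  Proxy-To-Realm is a control item
	#  set by the suffix/realm module, hence the control: prefix.
	#  The dots are escaped: an unescaped "." matches any character, so
	#  /@.*.domain.tld$/ would also accept e.g. user@my-domain-tld.
	if ((control:Proxy-To-Realm == "DEFAULT") && (User-Name =~ /@.*\.domain\.tld$/)) {
		update control {
			Proxy-To-Realm := NULL
		}
	}
}
```

Run radiusd -X after the change; the parser reports the first condition it cannot read with the same "Parse error in condition at:" message seen above, so a clean start confirms the whole condition was accepted.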
Re: Max-Monthly-Traffic
On Wed, Feb 24, 2010 at 1:32 AM, Alan DeKok al...@deployingradius.com wrote:
> Neville wrote:
>> Anyone please, as this is driving me mad...
>
> 2^31 issues? Check the code for unsigned int...

So you're suggesting to change the source code for rlm_sqlcounter and recompile?
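An added illustration of the 2^31 issue Alan points at (editor's example in Python, not code from rlm_sqlcounter or from anyone in the thread): a monthly byte counter held in a signed 32-bit integer wraps at 2 GiB, so a heavy user's total turns negative and a "used >= limit" check stops firing, and a 2 GiB limit cannot even be stored. The sessions below are constructed sample accounting records (Acct-*-Octets plus Acct-*-Gigawords, RFC 2869); as_int32 models what happens when the total is pushed through a signed 32-bit variable or database column.

```python
import ctypes

INT32_MAX = 2**31 - 1


def radius_octets(octets, gigawords=0):
    """Total bytes for one session from Acct-*-Octets plus Acct-*-Gigawords
    (RFC 2869): Gigawords counts how many times the 32-bit octet field wrapped."""
    return (gigawords << 32) | (octets & 0xFFFFFFFF)


def as_int32(value):
    """What a value becomes once stored in a signed 32-bit variable or column:
    bits above 31 are dropped and bit 31 turns into the sign (3 GiB -> -1 GiB)."""
    return ctypes.c_int32(value & 0xFFFFFFFF).value


def monthly_total(sessions):
    """Sum the month's records with Python's unbounded integers."""
    return sum(radius_octets(o, g) for o, g in sessions)


def exceeded_int32(used, limit):
    """The broken check: both sides pass through a signed 32-bit type first."""
    return as_int32(used) >= as_int32(limit)


def exceeded(used, limit):
    """The intended check on the full 64-bit values."""
    return used >= limit


# Constructed sample: three sessions this month as (octets, gigawords).
SAMPLE_SESSIONS = [
    (1610612736, 0),   # 1.5 GiB
    (1073741824, 0),   # 1 GiB
    (1073741824, 1),   # 1 GiB + one 4 GiB wrap = 5 GiB
]
LIMIT_1_5_GIB = 1610612736   # fits in int32
LIMIT_2_GIB = 2**31          # does not: as_int32 turns it into INT32_MIN

if __name__ == "__main__":
    used = monthly_total(SAMPLE_SESSIONS)
    print("used this month:", used, "bytes")                       # 8053063680
    print("seen through int32:", as_int32(used))                   # -536870912
    print("over 1.5 GiB (64-bit):", exceeded(used, LIMIT_1_5_GIB))          # True
    print("over 1.5 GiB (int32):", exceeded_int32(used, LIMIT_1_5_GIB))     # False
    print("fresh user over 2 GiB (int32):", exceeded_int32(0, LIMIT_2_GIB)) # True
```

The two failure directions matter differently: a wrapped usage total lets a user past the cap (no enforcement), while a cap that does not fit in the type blocks everyone (outage), so a counter that has to hold more than 2^31 needs a 64-bit type on both the accumulation and the comparison, not just on one of them.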