Re: Lost and confused

2010-03-03 Thread Alan DeKok
jin jin wrote:
> This is the first time that I'm trying to set up a freeRADIUS server
> (Ver 2.1.0) using Ubuntu 9.10 and I'm running into walls. I used the
> debug mode and this is the output
> 
> Failed binding to socket: Address already in use
> /etc/freeradius/radiusd.conf[236]: Error binding to port for 0.0.0.0
> port 1812

  Stop the server before you run it in debugging mode:

$ /etc/init.d/freeradius stop

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: vlan and freeradius

2010-03-03 Thread Alan DeKok
Jens Link wrote:
> @Alan: I would document VMPS in some more detail in the wiki if my
> access would be working. ;-)

  It seems to be fine now.

  Alan DeKok.


Re: freeradius 1.1.8 hangs in rlm_perl on 64bit

2010-03-03 Thread Alan DeKok
Olivier Bilodeau wrote:
> Any ideas on what it could be? perl? freeradius? 64bit? our perl code?

That code is about 3 years old at this point, and no longer
actively maintained.

> We haven't switched to 2.x because of day to day activity overload but
> that could be a good reason for us to do the learning necessary to switch.

  It takes an hour or so to compile && test 2.1.8.  You don't need to
switch it to production until you've verified that it works.

  Alan DeKok.


Re: Can a wpa_supplicant talk to a Free Radius server without a NAS in between?

2010-03-03 Thread Alan DeKok
R C wrote:
> and even if i run 5-6 eapol_test processes at the same time, there will
> be only 5-6 parallel sessions at any given time.

  So... run more processes on more machines.

> 2. Since there are no free wpa supplicants that can generate multiple
> separate sessions at the same time, do you know of any paid tools
> (non-open source) that might generate about a 100,000 client requests?

  No. Generating 100K TLS requests will likely take dozens of CPUs, each
running at maximum capacity, just to do all of the crypto overhead.

  So... run more processes on more machines.

> I am just asking this question hoping some one would have had a similar
> requirement.

  No.  Because the requirement is rather extreme, and more than a little
pointless.

  i.e. Q: What happens when I send my web server 100K HTTPS connections?
   A: it dies.

   Q: How do I generate 100K HTTPS connections from clients?
   A: post a link on slashdot.

  Alan DeKok.


Lost and confused

2010-03-03 Thread jin jin
This is the first time that I'm trying to set up a freeRADIUS server (Ver 
2.1.0) using Ubuntu 9.10 and I'm running into walls. I used the debug mode and 
this is the output 

Failed binding to socket: Address already in use 
/etc/freeradius/radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812

I googled but the closest match was a bug which was fixed earlier on. I'm not 
really sure what the above meant either. Do I have to connect my freeRADIUS 
server to my ADSL router first before I run freeRADIUS in debug mode? 

I am sorry if I have asked a few dumb questions, thanks in advance to the 
people replying to me. 

Best regards,
    Jin




Re: LDAP groups and attributes

2010-03-03 Thread Peter Lambrechtsen
Jethro

The easiest way is as per what I e-mailed to you.

http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html

This means you only need to create groups in your LDAP directory.  It also
means you don't need to extend the LDAP Schema to do this.

And use the Postauth_users & Host Groups file to determine which server you
are allowed to login from.

I have yet to find a better or easier way to do things.

Thanks

Peter

On Thu, Mar 4, 2010 at 5:19 PM, Jethro Carr wrote:

> On Mon, 2010-03-01 at 17:42 -0500, John Dennis wrote:
> > If I understand correctly what you would like to do then check out
> > "profiles" in the ldap_howto.txt. A profile is a way to associate a set
> > of attributes (e.g. the profile) with a user.
>
> thanks John, Robert and off-listers,
>
>
> Looking at the ldap_howto.txt file and the responses I've had it seems
> that I need to:
>
> 1. Define groups/profiles in LDAP
>
> 2. Set attributes for the users stating which groups they belong to, eg
> using the radiusGroupName LDAP attribute.
>
> 3. Map the groups to NASes using huntgroups or users file.
>
>
> Going to give it a try and will post back with how I get on. Thanks for
> the help guys. :-)
>
>
>
> > > thanks in advance for any help! :-)
> > >
> > > FreeRadius version is 1.1.3 (RHEL 5 build) if that's important.
> >
> > BTW, you can find a current 2.1.8 build for RHEL 5 by visiting
> > http://wiki.freeradius.org/RedHat_FAQ
>
> Thanks, but FYI, that page is blank.
>
> regards,
> jethro
>
>
> --
> Jethro Carr
> www.jethrocarr.com/index.php?cms=blog
> www.amberdms.com
>

Re: LDAP groups and attributes

2010-03-03 Thread Jethro Carr
On Mon, 2010-03-01 at 17:42 -0500, John Dennis wrote:
> If I understand correctly what you would like to do then check out
> "profiles" in the ldap_howto.txt. A profile is a way to associate a set 
> of attributes (e.g. the profile) with a user.

thanks John, Robert and off-listers,


Looking at the ldap_howto.txt file and the responses I've had it seems
that I need to:

1. Define groups/profiles in LDAP

2. Set attributes for the users stating which groups they belong to, eg
using the radiusGroupName LDAP attribute.

3. Map the groups to NASes using huntgroups or users file.


Going to give it a try and will post back with how I get on. Thanks for
the help guys. :-)



> > thanks in advance for any help! :-)
> >
> > FreeRadius version is 1.1.3 (RHEL 5 build) if that's important.
> 
> BTW, you can find a current 2.1.8 build for RHEL 5 by visiting
> http://wiki.freeradius.org/RedHat_FAQ

Thanks, but FYI, that page is blank.

regards,
jethro


-- 
Jethro Carr
www.jethrocarr.com/index.php?cms=blog
www.amberdms.com



special query for authentication

2010-03-03 Thread mwarren

I am trying to setup something where I can have multiple NAS devices where
users can roam.  Some NAS devices people will be able to have the first
level of service free (sponsored NAS).  I need to be able to identify and
authenticate people who sign up to the free service to only be allowed to
use the free spots and not take their free account to a paid location.   

I am looking at several possibilities of maybe adding a field with say usage
= free or paid as an example and I want the NAS-Identifier,
WISPr-Location-ID or the MS-CHAP-Domain to equal the "free" or "paid".

The query would be something like WHERE usage = ${MS-CHAP-Domain}   but
I cannot figure out where and how to do this.  Can anyone help and if you
have another idea please let me know. 


Re: vlan and freeradius

2010-03-03 Thread Matt Hite
On Wed, Mar 3, 2010 at 10:44 AM, Phil Mayers  wrote:
>> but how to set the fail VLAN and guest VLAN to Y ???
>
> Setting the "Fail" and "Guest" VLAN by radius doesn't make any sense.
>
> The "Fail" vlan is what to use when the radius server is unavailable.
>
> The "Guest" vlan is what to do when the client doesn't do 802.1x i.e. no
> radius.
>
> So you can't set these over radius.

Look in the Cisco documentation for information on:

dot1x auth-fail vlan vlan-id

and

dot1x guest-vlan vlan-id

-M


Re: Can a wpa_supplicant talk to a Free Radius server without a NAS in between?

2010-03-03 Thread Peter Lambrechtsen
On Thu, Mar 4, 2010 at 1:29 PM, R C  wrote:

> Hi,
>
> I ran eapol_test with reauthentication = 100. It went through fine. Thanks
> for that.
>
> 1. But, since these reauthentications are serial and not parallel,
>
> and even if i run 5-6 eapol_test processes at the same time, there will be
> only 5-6 parallel sessions at any given time.
>
> 2. Since there are no free wpa supplicants that can generate multiple
> separate sessions at the same time, do you know of any paid tools (non-open
> source) that might generate about a 100,000 client requests? At this point,
> i still understand that the Free radius server cant handle those many
> requests even if there was a way to generate them.
>

JMeter can do some very clever things in distributed environments.

JMeter + Beanshell + eapol_test may be the way to go.


>
> I am just asking this question hoping some one would have had a similar
> requirement.
>
> Thanks,
> RC.
> --
> *From:* Alan DeKok 
> *To:* FreeRadius users mailing list  >
> *Sent:* Tue, March 2, 2010 12:25:42 AM
> *Subject:* Re: Can a wpa_supplicant talk to a Free Radius server without a
> NAS in between?
>
> rchinnapu wrote:
> > My requirement is to test scalability of my Server software that hosts
> > Free Radius Server. I want to see how many wpa supplicant requests it
> > can handle via EAP-TLS.
> >
> > 1. Can a wpa_supplicant talk to a Free Radius server without a NAS in
> > between? I just want to see how many requests my Free Radius server can
> > handle simultaneously. But, is it even possible for the WPA supplicant
> > to talk to the Free radius server without the NAS in between them?
>
>   See eapol_test.  It's included with wpa_supplicant.
>
>   http://deployingradius.com/ for complete instructions on building &&
> using it with EAP.
>
> > 2. Is there a free wpa supplicant (peer) that generates multiple
> > separate sessions at the same time?
>
>   No.  Just run 5-6 processes at the same time.
>
>   Alan DeKok.

Re: Can a wpa_supplicant talk to a Free Radius server without a NAS in between?

2010-03-03 Thread R C
Hi,

I ran eapol_test with reauthentication = 100. It went through fine. Thanks for 
that.

1. But, since these reauthentications are serial and not parallel, 

and even if i run 5-6 eapol_test processes at the same time, there will be only 
5-6 parallel sessions at any given time.

2. Since there are no free wpa supplicants that can generate multiple separate
sessions at the same time, do you know of any paid tools (non-open source) that
might generate about a 100,000 client requests? At this point, I still
understand that the Free radius server can't handle those many requests even if
there was a way to generate them.


I am just asking this question hoping some one would have had a similar 
requirement. 

Thanks,
RC.



From: Alan DeKok 
To: FreeRadius users mailing list 
Sent: Tue, March 2, 2010 12:25:42 AM
Subject: Re: Can a wpa_supplicant talk to a Free Radius server without a NAS in 
between?

rchinnapu wrote:
> My requirement is to test scalability of my Server software that hosts
> Free Radius Server. I want to see how many wpa supplicant requests it
> can handle via EAP-TLS.
> 
> 1. Can a wpa_supplicant talk to a Free Radius server without a NAS in
> between? I just want to see how many requests my Free Radius server can
> handle simultaneously. But, is it even possible for the WPA supplicant
> to talk to the Free radius server without the NAS in between them?

  See eapol_test.  It's included with wpa_supplicant.

  http://deployingradius.com/ for complete instructions on building &&
using it with EAP.

> 2. Is there a free wpa supplicant (peer) that generates multiple
> separate sessions at the same time?

  No.  Just run 5-6 processes at the same time.

  Alan DeKok.

RE: Dialup admin error

2010-03-03 Thread Michael J Humphries
radiusd: FreeRADIUS Version 1.1.8, for host i686-pc-linux-gnu, built on Mar  3 
2010 at 18:01:19

here is the exact error I am getting

Warning: import_request_variables() [function.import-request-variables]: 
Numeric key detected - possible security hazard. in 
/usr/local/dialup_admin/conf/config.php3  on line 8

here is the code from dialup admin (config.php3)

= $testVer )
import_request_variables('GPC');
# If using sessions set use_session to 1 to also cache the config file
#
$use_session = 0;
if ($use_session){
// Start session
@session_start();
}
if (!isset($config)){
unset($nas_list);
$ARR=file("../conf/admin.conf");
$EXTRA_ARR = array();
foreach($ARR as $val) {
$val=chop($val);
if (ereg('^[[:space:]]*#',$val) || ereg('^[[:space:]]*$',$val))
continue;


There are no errors in the error_log file in apache

As far as the procedure I was doing I was attempting to change a user password 
through the edit user screen.

Thank you for choosing 
--
Michael J Humphries 


Penstar Office Center, Suite 101
1431 N. 26th Street
Escanaba, MI 49829
Phone: 906.786.3583 ext. 139
Fax: 906.786.4300
E-Mail: mhumphr...@dstech.us
www.dstech.us


-Original Message-
From: Steve Bertrand [mailto:st...@ibctech.ca] 
Sent: Tuesday, March 02, 2010 8:36 PM
To: FreeRadius users mailing list
Cc: Michael J Humphries
Subject: Re: Dialup admin error

On 2010.03.02 15:38, Michael J Humphries wrote:
> We had to reboot the Radius server and ever since then I am getting the
> following error when I try to edit someones account in Dialup admin
> 
> *Warning*: import_request_variables() [function.import-request-variables]:
> Numeric key detected - possible security hazard. in
> */usr/local/dialup_admin/conf/config.php3* on line *8*
> 
> *Any ideas*

What version of FreeRADIUS?

I don't know if the dialup_admin code has been changed in recent
versions of FreeRADIUS or not, but you might want to paste the code in
question (five lines previous, and five lines following) in the
offending file.

Also, posting what you attempted to enter, and what your web server log
file states would also be relevant.

This isn't a FreeRADIUS problem fwiw. It is a problem with your setup.
I'm not trying to be ignorant, I'm just attempting to get that out of
the way. This is third party code you are having an issue with.

Post what I asked for. Someone here will be able to guide you to an
appropriate resource if they can't help directly.

Steve




Re: Can a wpa_supplicant talk to a Free Radius server without a NAS in between?

2010-03-03 Thread R C
Sorry, again. I didn't mean not to lookup eapol_test. 

This is what happened. 

1. Initially, I thought I will work without NAS and required information about 
how to get the wpa_supplicant to talk with the Free radius server directly. You 
suggested eapol_test for this. 

2. When I resent my questions, I had already switched to the setup where I was 
working with a NAS (hostapd) in between the radius server and the 
wpa_supplicant. Hence, I did not look up eapol_test thinking eapol_test was the 
solution for point #1. I did not realise it also had the answers to running 
multiple sessions until your next reply. :(  That is why i missed looking up 
the eapol_test.

Thank you very much for your time.

Regards,
RC.




From: Alan DeKok 
To: FreeRadius users mailing list 
Sent: Tue, March 2, 2010 6:36:03 PM
Subject: Re: Can a wpa_supplicant talk to a Free Radius server without a NAS in 
between?

R C wrote:
> Sorry about the multiple questions.
> 
> But, I really didnt get what tool to use for the following question  :(

  I said:  See eapol_test.  It's included with wpa_supplicant.

> 4. Are they good for scalability testing or should I look out for other
> open source wpa supplicants/NASs?
> 
> I will be grateful if you can answer this again for me please. Thanks
> again for reading my message.

  I said:  See eapol_test.  It's included with wpa_supplicant.

> Also, in question #2,  what processes are you referring to? please shed
> some light on this. sorry again.
> 
> 2. When you say "Just run 5-6 processes at the same time.", can one
> interface be used to send out multiple simultaneous wpa supplicant
> requests? If yes, how many wpa client sessions can i generate on 1
> interface?

  I said: See eapol_test.  It's included with wpa_supplicant.

  If you go read the documentation for what eapol_test is, and what it
does, your question (2) is answered.

  You need to read the answers on this list, and follow the
instructions.  You've asked the same questions *repeatedly* when it's
clear you haven't bothered to look at eapol_test.

  Alan DeKok.

Re: Hardware NAT

2010-03-03 Thread Eugen Konkov
Hello, Коньков.

You wrote on 3 March 2010, 21:43:10:

КЕ> Hello, FreeRadius.

КЕ> GE Intelligent Platforms - 10GE.
КЕ> Does FreeBSD support that?

Another interesting thing
http://www.netfpga.org/

-- 
Best regards,
 Коньков  mailto:kes-...@yandex.ru


Hardware NAT

2010-03-03 Thread Коньков Евгений
Hello, FreeRadius.

GE Intelligent Platforms - 10GE.
Does FreeBSD support that?

-- 
 Коньков  mailto:kes-...@yandex.ru


Re: Wiki

2010-03-03 Thread Doug Hardie
Works now.  Update to instantiate description is now there.  Thanks.


On 3 March 2010, at 07:19, Peter Nixon wrote:

> On Sun 28 Feb 2010, Doug Hardie wrote:
>> A week ago I tried to update the wiki to correct an interpretation error
>> that was pointed out by one of the freeradius users.  I can log into the
>> wiki fine, but even though the save says the update was saved, it is not.
>> I then posted the necessary change here and nothing has happened.  Has
>> the wiki become road kill? -
> 
> The wiki has not become road kill.. I have just been busy and not paying 
> attention to the mailing list :-)
> 
> I did several test changes, and couldn't see any problems, but I have 
> upgraded to the latest mediawiki anyway.
> 
> Let me know if you still have issues.
> 
> Cheers
> 
> -- 
> 
> Peter Nixon
> http://peternixon.net/


Re: vlan and freeradius

2010-03-03 Thread Phil Mayers

On 03/03/2010 03:01 PM, omega bk wrote:

2) " set the switch to use RADIUS return attributes for VLAN (and for
session time etc)
and set the fail VLAN and guest VLAN to Y"  => that's really what i want
to do so in my users file

myuser   Cleartext-Password := "user"
Tunnel-type = VLAN,
Tunnel-Medium-Type = 802,
Tunnel-Private-Group-ID = "666"
Session-Timeout = "28800"
Termination-Action = "RADIUS-Request"

but how to set the fail VLAN and guest VLAN to Y ???


Setting the "Fail" and "Guest" VLAN by radius doesn't make any sense.

The "Fail" vlan is what to use when the radius server is unavailable.

The "Guest" vlan is what to do when the client doesn't do 802.1x i.e. no 
radius.


So you can't set these over radius.


freeradius 1.1.8 hangs in rlm_perl on 64bit

2010-03-03 Thread Olivier Bilodeau

Hi,

We have been using freeradius 1.1.8 with a lot of success on a lot of 
our deployments.


Lately we deployed a freeradius 1.1.8 on a 64 bit environment for the 
first time. On that setup we have been experiencing segfaults and 
hanging processes once a month maybe.


When hung, gdb points to line 1202 of rlm_perl.c:

(gdb) bt
#0  0x2ac034f962e4 in __lll_lock_wait () from /lib64/libpthread.so.0
#1  0x2ac034f91c3a in _L_lock_1034 () from /lib64/libpthread.so.0
#2  0x2ac034f91afc in pthread_mutex_lock () from /lib64/libpthread.so.0
#3  0x2ac038fa1063 in perl_detach (instance=) 
at rlm_perl.c:1202

#4  0x2ac03472aa96 in detach_modules () from /usr/sbin/radiusd
#5  0x2ac03472e5e3 in main () from /usr/sbin/radiusd

Here's the line:
/*
 * Wait until clone becomes idle
 */
MUTEX_LOCK(&handle->lock);


Any ideas on what it could be? perl? freeradius? 64bit? our perl code?

We haven't switched to 2.x because of day to day activity overload but 
that could be a good reason for us to do the learning necessary to switch.


Thanks in advance,
Cheers!
--
Olivier Bilodeau
obilod...@inverse.ca  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and 
PacketFence (www.packetfence.org)



Re: Multiple Home Server for authentication

2010-03-03 Thread Rosario Lumia
Thank you Alan, your help was precious and (I hope) needful.
In the next days I will send my (hopefully) configuration, if you consider
it appropriate.

Thanks.

Rosario L.


2010/3/3 Alan Buxey 

> Hi,
>
> > I'm trying to use Freeradius 2.x for managing a complex architecture. I
> > use the 802.1x standard for wireless authentication.
> > I need to authenticate users that have passwords in different
> > authentication server with different protocol (TTLS/PAP or PEAP/MSCHAPv2)
> > and i'd want to proxy the requests trying to authenticate in first auth
> > server and more if the auth fails.
> > Can I get this feature simply listing home servers in home_server_pool
> > module in proxy.conf file?
>
> not easily or at all if you use proxying - as all you'll get back is a
> reject/fail and
> that'll be it.
>
> ideally what you want to do is configure the FreeRADIUS server to talk to
> both of the
> authentication servers and if the first one fails then don't care and
> continue onto
> the second one...etc etc. you need to check the fail-over section of the
> WIKI
>
> http://wiki.freeradius.org/Fail-over
>
> particularly the 'More Complex Configurations' section.
>
>
> we actually use this to talk to 2 AD systems and 2 Kerberos systems -
> because
> people are in one or the other...each system has different credentials and
> different DOMAIN etc...but the mschap and krb5 sections of FreeRADIUS are
> very flexible
> (we took the modules and have a mschap-new and mschap-old etc with correct
> parts in).
>
> works great! PEAP, TTLS etc - we dont care. we just deal with it.
>
> alan



-- 
Rosario L.

Re: Logging

2010-03-03 Thread Alan DeKok
James Devine wrote:
> Is there a way to enable full debugging while still having it write to
> the log file and not push into the foreground?

$ man raddebug

  It requires 2.1.7 or 2.1.8 (IIRC).

>  We are seeing radius
> packets coming in that I can locate via tcpdump but not via the logs.
> We have a custom module which dumps the radius packet almost
> immediately to logs which isn't seeing these packets and I'm trying to
> see if the freeradius core is even seeing these packets.

  They are likely duplicates, and suppressed.  See the SNMP statistics,
or the stats via "radmin".

  Alan DeKok.
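
Added example (not part of the original thread, and not FreeRADIUS code): one way to test the "likely duplicates" explanation above against a capture. It groups Access-Requests by source IP, source port, Identifier and Request Authenticator, the fields RFC 5080 names for duplicate detection; the packet tuples, addresses and user name are constructed sample data.

```python
import struct
from collections import defaultdict

ACCESS_REQUEST = 1  # RADIUS Code for Access-Request (RFC 2865)


def radius_header(payload):
    """Return (code, identifier, authenticator) from a RADIUS UDP payload."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError(f"length field {length} does not fit the payload")
    return code, ident, payload[4:20]


def find_retransmissions(packets):
    """Group Access-Requests that a server would treat as the same request.

    packets: iterable of (timestamp, src_ip, src_port, udp_payload).
    Returns {(src_ip, src_port, id, authenticator): [timestamps]} for every
    key seen more than once.
    """
    seen = defaultdict(list)
    for ts, src_ip, src_port, payload in packets:
        try:
            code, ident, authenticator = radius_header(payload)
        except ValueError:
            continue  # not RADIUS, or cut short by the capture snap length
        if code == ACCESS_REQUEST:
            seen[(src_ip, src_port, ident, authenticator)].append(ts)
    return {key: times for key, times in seen.items() if len(times) > 1}


def access_request(ident, authenticator, user):
    """Build a minimal Access-Request carrying only User-Name (sample data)."""
    name = user.encode("ascii")
    attrs = struct.pack("!BB", 1, 2 + len(name)) + name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


# Constructed capture: (timestamp, source IP, source port, UDP payload).
AUTH_A = bytes(range(16))
AUTH_B = bytes(range(16, 32))
SAMPLE_CAPTURE = [
    (0.0, "192.0.2.10", 32768, access_request(7, AUTH_A, "bob")),
    (3.0, "192.0.2.10", 32768, access_request(7, AUTH_A, "bob")),  # NAS retry
    (9.0, "192.0.2.10", 32768, access_request(7, AUTH_B, "bob")),  # ID reused
    (9.5, "192.0.2.11", 32768, access_request(7, AUTH_A, "bob")),  # other NAS
    (9.9, "192.0.2.10", 32768, b"\x01\x07"),                       # truncated
]

if __name__ == "__main__":
    for (ip, port, ident, _), times in find_retransmissions(SAMPLE_CAPTURE).items():
        print(f"{ip}:{port} id={ident} seen {len(times)} times at {times}")
```

A request that shows up here more than once but only once in the module's log is consistent with the server suppressing the retransmission.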


Logging

2010-03-03 Thread James Devine
Is there a way to enable full debugging while still having it write to
the log file and not push into the foreground?  We are seeing radius
packets coming in that I can locate via tcpdump but not via the logs.
We have a custom module which dumps the radius packet almost
immediately to logs which isn't seeing these packets and I'm trying to
see if the freeradius core is even seeing these packets.


Re: Wiki

2010-03-03 Thread Peter Nixon
On Sun 28 Feb 2010, Doug Hardie wrote:
> A week ago I tried to update the wiki to correct an interpretation error
> that was pointed out by one of the freeradius users.  I can log into the
> wiki fine, but even though the save says the update was saved, it is not.
>  I then posted the necessary change here and nothing has happened.  Has
> the wiki become road kill? -

The wiki has not become road kill.. I have just been busy and not paying 
attention to the mailing list :-)

I did several test changes, and couldn't see any problems, but I have 
upgraded to the latest mediawiki anyway.

Let me know if you still have issues.

Cheers

-- 

Peter Nixon
http://peternixon.net/


Checkrad.pl MIB

2010-03-03 Thread J Brandon Polley
Does anyone know the MIB OID we need to put in checkrad.pl in order for it to 
work with Cisco 4404 wireless controller?

Re: vlan and freeradius

2010-03-03 Thread omega bk
2) " set the switch to use RADIUS return attributes for VLAN (and for
session time etc)
and set the fail VLAN and guest VLAN to Y"  => that's really what i want to
do so in my users file

myuser   Cleartext-Password := "user"
   Tunnel-Type = VLAN,
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-ID = "666",
   Session-Timeout = "28800",
   Termination-Action = "RADIUS-Request"

but how to set the fail VLAN and guest VLAN to Y ???

many thanks

PS: "you should never use VLAN1 for users - most would say you shouldnt use
VLAN1
for anything on cisco kit - its the default native vlan." => sure!!!


2010/3/3 Alan Buxey 

> Hi,
> > Hello,
> >
> > so i would like to redirect my winxp authenticated to VLAN1 and if not
> > authenticated, this client must be in vlan2
> >
> > i got a switch cisco
> >
> > so how to handle this with freeradius?
>
>
> read the cisco docs on dealing with 802.1X.
>
> you should never use VLAN1 for users - most would say you shouldnt use
> VLAN1
> for anything on cisco kit - its the default native vlan.
>
>
> what you need to do is set the port on the switch to do 802.1X...then you
> can either
> do the following
>
>
> 1) set the access vlan to X, then set the fail VLAN to Y and the guest VLAN
> to Y
>
> or (my preferred way)
>
> 2) set the switch to use RADIUS return attributes for VLAN (and for session
> time etc)
> and set the fail VLAN and guest VLAN to Y
>
>
> where X is the access vlan for auth and Y is the chosen fail vlan
>
>
> why do method 2? well, its then easy/quick to change the VLAN returned to
> the switch
> no matter where on campus/site/infrastructure - its all done via decisions
> made
> on the radius server.
>
>
> the return attributeS?
>
>
> 'Tunnel-Medium-Type' = "IEEE-802"
> 'Tunnel-Type' = "VLAN"
> 'Tunnel-Private-Group-Id' = "666"
> 'Session-Timeout' = "28800"
> 'Termination-Action' = "RADIUS-Request"
>
> that would set the VLAN to be 666 with an 8 hour timeout.
>
> these can be set via users file, SQL, perl, python etc. we use a PERL
> script in the post-auth section
>
>
>
> alan

Re: vlan and freeradius

2010-03-03 Thread Michael Schwartzkopff
On Wednesday, 3 March 2010 15:45:56, omega bk wrote:
> in fact,
>
> i got my client wired with winxp and authentication works well in 802.1x
> this client is connected directly in my switch through vlan3
>
> i would like dynamically assign a successful authentication through vlan2
> and failure authentication to vlan1
>
> authentication is based in users file (not mac auth)
>
> thanks u
(...)

Perhaps Cisco IOS can do this. Check it.

If not, make a default login that always authenticates but also sends the 
vlan1 attributes. Be aware that this might be a security risk!

Greetings,

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: vlan and freeradius

2010-03-03 Thread Alan Buxey
Hi,
> Hello,
> 
> so i would like to redirect my winxp authenticated to VLAN1 and if not 
> authenticated , this client must be in vlan2
> 
> i got a switch cisco
> 
> so how to handle this with freeradius?


read the cisco docs on dealing with 802.1X.

you should never use VLAN1 for users - most would say you shouldnt use VLAN1
for anything on cisco kit - its the default native vlan.


what you need to do is set the port on the switch to do 802.1X...then you can 
either
do the following


1) set the access vlan to X, then set the fail VLAN to Y and the guest VLAN to Y

or (my preferred way)

2) set the switch to use RADIUS return attributes for VLAN (and for session 
time etc)
and set the fail VLAN and guest VLAN to Y


where X is the access vlan for auth and Y is the chosen fail vlan


why do method 2? well, its then easy/quick to change the VLAN returned to the 
switch
no matter where on campus/site/infrastructure - its all done via decisions made
on the radius server.


the return attributeS?


'Tunnel-Medium-Type' = "IEEE-802"
'Tunnel-Type' = "VLAN"
'Tunnel-Private-Group-Id' = "666"
'Session-Timeout' = "28800"
'Termination-Action' = "RADIUS-Request"

that would set the VLAN to be 666 with an 8 hour timeout.

these can be set via users file, SQL, perl, python etc. we use a PERL script in 
the post-auth section



alan
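
Added example (not from the thread, and not FreeRADIUS code): the reply attributes listed above as they sit on the wire in an Access-Accept, with a check that can be run against a captured reply when a switch ignores the VLAN. Attribute numbers and encodings follow RFC 2865, RFC 2868 and RFC 3580; the second sample assumes that a bare `802` given for Tunnel-Medium-Type is sent as the number 802 rather than the value 6 that IEEE-802 stands for.

```python
import struct

# Attribute numbers and values from RFC 2865, RFC 2868 and RFC 3580.
SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802, RADIUS_REQUEST = 13, 6, 1


def tagged_int(attr, value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet, then a 3-octet value."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def plain_int(attr, value):
    """Session-Timeout / Termination-Action: plain 4-octet integer."""
    return struct.pack("!BBI", attr, 6, value)


def group_id(vlan, tag=0):
    """Tunnel-Private-Group-ID: optional tag octet, then the VLAN as text."""
    body = (bytes([tag]) if tag else b"") + vlan.encode("ascii")
    return struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)) + body


def parse_attributes(data):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    pos, out = 0, []
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr}")
        out.append((attr, data[pos + 2:pos + length]))
        pos += length
    return out


def check_vlan_reply(attr_bytes):
    """Return (vlan, problems) for the attributes of an Access-Accept."""
    seen, problems = {}, []
    for attr, value in parse_attributes(attr_bytes):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                problems.append(f"attribute {attr} is not tag + 3 octets")
                continue
            seen[attr] = int.from_bytes(value[1:], "big")  # skip the tag octet
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet of 0x1F or less is a tag; anything above is text.
            text = value[1:] if value and value[0] <= 0x1F else value
            seen[attr] = text.decode("ascii", "replace")
        elif attr in (SESSION_TIMEOUT, TERMINATION_ACTION):
            seen[attr] = int.from_bytes(value, "big")
    if seen.get(TUNNEL_TYPE) != VLAN:
        problems.append(f"Tunnel-Type is {seen.get(TUNNEL_TYPE)}, expected 13 (VLAN)")
    if seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        problems.append(
            f"Tunnel-Medium-Type is {seen.get(TUNNEL_MEDIUM_TYPE)}, expected 6 (IEEE-802)")
    vlan = seen.get(TUNNEL_PRIVATE_GROUP_ID)
    if not vlan:
        problems.append("Tunnel-Private-Group-ID is missing or empty")
    if seen.get(TERMINATION_ACTION) == RADIUS_REQUEST and SESSION_TIMEOUT not in seen:
        problems.append("Termination-Action RADIUS-Request without Session-Timeout")
    return vlan, problems


def build_reply(medium):
    """Constructed sample: the five reply attributes from the post above."""
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, medium)
            + group_id("666")
            + plain_int(SESSION_TIMEOUT, 28800)
            + plain_int(TERMINATION_ACTION, RADIUS_REQUEST))


GOOD_REPLY = build_reply(IEEE_802)  # Tunnel-Medium-Type = IEEE-802
BAD_REPLY = build_reply(802)        # assumption: bare 802 sent as the number 802

if __name__ == "__main__":
    for name, reply in (("IEEE-802", GOOD_REPLY), ("802", BAD_REPLY)):
        vlan, problems = check_vlan_reply(reply)
        print(f"medium={name}: vlan={vlan} problems={problems or 'none'}")
```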


Re: vlan and freeradius

2010-03-03 Thread omega bk
in fact,

i got my client wired with winxp and authentication works well in 802.1x
this client is connected directly in my switch through vlan3

i would like dynamically assign a successful authentication through vlan2
and failure authentication to vlan1

authentication is based in users file (not mac auth)

thanks u


2010/3/3 Michael Schwartzkopff 

> On Wednesday, 3 March 2010 15:34:56, Jens Link wrote:
> > omega bk  writes:
> >
> > Hi,
> >
> > > so i would like to redirect my winxp authenticated to VLAN1 and if not
> > > authenticated , this client must be in vlan2
> > >
> > > i got a switch cisco
> > >
> > > so how to handle this with freeradius?
> >
> > Depends on how you do the authentication:
> >
> > Using certificates (either machine based or user based) 802.1x is the
> > way to go if it's okay for you to use only the MAC address of the client
> > (and you are using Cisco) VMPS might be worth a look.
> >
> > @Alan: I would document VMPS in some more detail in the wiki if my
> > access would be working. ;-)
> >
> > Jens
>
> Port authentication also works with mac addresses. You just have to pass
> back on the correct attributes to the cisco. AND your IOS has to be able to
> interpret them.
>
> Greetings,
>
> --
> Dr. Michael Schwartzkopff
> MultiNET Services GmbH
> Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
> Tel: +49 - 89 - 45 69 11 0
> Fax: +49 - 89 - 45 69 11 21
> mob: +49 - 174 - 343 28 75
>
> mail: mi...@multinet.de
> web: www.multinet.de
>
> Registered office: 85630 Grasbrunn
> Register court: Amtsgericht München HRB 114375
> Managing directors: Günter Jurgeneit, Hubert Martens
>
> ---
>
> PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
> Skype: misch42
>

Re: rlm_perl behavior

2010-03-03 Thread Apostolos Pantsiopoulos

I think yes. In my current config (2.1.8) it works fine.

--
---
Apostolos Pantsiopoulos
Kinetix Tele.com R & D
email: r...@kinetix.gr
---

On 3/3/2010 4:26 PM, Alexandr Kovalenko wrote:
> On Wed, Apr 22, 2009 at 12:23 PM, Alan DeKok  wrote:
>> Apostolos Pantsiopoulos wrote:
>>> If any changes are to be made to the current
>>> implementation to support multiple interpreters (one per thread)
>>> would they show up in a 2.1.x release or a future one (2.2.x or something)?
>>
>>  They will show up in the next release, whatever that is.
>>
>>  i.e. "next after the changes have been made".
>
> Have any changes been made already? :)



Re: vlan and freeradius

2010-03-03 Thread Michael Schwartzkopff
On Wednesday, 3 March 2010 15:34:56, Jens Link wrote:
> omega bk  writes:
>
> Hi,
>
> > so i would like to redirect my winxp authenticated to VLAN1 and if not
> > authenticated , this client must be in vlan2
> >
> > i got a switch cisco
> >
> > so how to handle this with freeradius?
>
> Depends on how you do the authentication:
>
> Using certificates (either machine based or user based) 802.1x is the
> way to go. If it's okay for you to use only the MAC address of the client
> (and you are using Cisco), VMPS might be worth a look.
>
> @Alan: I would document VMPS in some more detail in the wiki if my
> access would be working. ;-)
>
> Jens

Port authentication also works with mac addresses. You just have to pass back
on the correct attributes to the cisco. AND your IOS has to be able to
interpret them.

Greetings,
 
-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: vlan and freeradius

2010-03-03 Thread Jens Link
omega bk  writes:

Hi,

> so i would like to redirect my winxp authenticated to VLAN1 and if not
> authenticated , this client must be in vlan2
>
> i got a switch cisco
>
> so how to handle this with freeradius?

Depends on how you do the authentication: 

Using certificates (either machine based or user based) 802.1x is the
way to go. If it's okay for you to use only the MAC address of the client
(and you are using Cisco), VMPS might be worth a look.

@Alan: I would document VMPS in some more detail in the wiki if my
access would be working. ;-)

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-


Re: rlm_perl behavior

2010-03-03 Thread Alexandr Kovalenko
On Wed, Apr 22, 2009 at 12:23 PM, Alan DeKok  wrote:
> Apostolos Pantsiopoulos wrote:
>> If any changes are to be made to the current
>> implementation to support multiple interpreters (one per thread)
>> would they show up in a 2.1.x release or a future one (2.2.x or something)?
>
>  They will show up in the next release, whatever that is.
>
>  i.e. "next after the changes have been made".

Have any changes been made already? :)

-- 
Alexandr Kovalenko
http://uafug.org.ua/



vlan and freeradius

2010-03-03 Thread omega bk
Hello,

so i would like to redirect my winxp authenticated to VLAN1 and if not
authenticated , this client must be in vlan2

i got a switch cisco

so how to handle this with freeradius?

thank u

Re: No User-Password or CHAP-Password attribute in the request

2010-03-03 Thread Alan Buxey
Hi,
> oh great i compiled the latest => and tried new configuration great, it
> works with my client wired
> 
> Thank u so much

congratulations - and thanks.

alan


Re: Multiple Home Server for authentication

2010-03-03 Thread Alan Buxey
Hi,

> I'm trying to use Freeradius 2.x for managing a complex architecture. I use
> the 802.1x standard for wireless authentication.
> I need to authenticate users that have passwords in different authentication
> server with different protocol (TTLS/PAP or PEAP/MSCHAPv2) and i'd want to
> proxy the requests trying to authenticate in first auth server and more if the
> auth fails.
> Can I get this feature simply listing home servers in home_server_pool module
> in proxy.conf file?

not easily or at all if you use proxying - as all you'll get back is a
reject/fail and that'll be it.

ideally what you want to do is configure the FreeRADIUS server to talk to both
of the authentication servers... and if the first one fails then don't care and
continue onto the second one... etc etc. you need to check the fail-over
section of the WIKI

http://wiki.freeradius.org/Fail-over

particularly the 'More Complex Configurations' section.


we actually use this to talk to 2 AD systems and 2 Kerberos systems - because
people are in one or the other... each system has different credentials and
different DOMAIN etc... but the mschap and krb5 sections of FreeRADIUS are very
flexible (we took the modules and have a mschap-new and mschap-old etc with
correct parts in).

works great! PEAP, TTLS etc - we don't care. we just deal with it.

alan


Multiple Home Server for authentication

2010-03-03 Thread Rosario Lumia
Hi to all.

I'm trying to use Freeradius 2.x for managing a complex architecture. I use
the 802.1x standard for wireless authentication.
I need to authenticate users that have passwords in different authentication
server with different protocol (TTLS/PAP or PEAP/MSCHAPv2) and i'd want to
proxy the requests trying to authenticate in first auth server and more if
the auth fails.
Can I get this feature simply listing home servers in home_server_pool
module in proxy.conf file?

Thanks to all

Regards.

-- 
Rosario L.

Re: No User-Password or CHAP-Password attribute in the request

2010-03-03 Thread omega bk
oh great i compiled the latest => and tried new configuration great, it
works with my client wired

Thank u so much

2010/3/3 omega bk 

> yeah i really messed things up.
>
> i got my radius from apt-get
>
> i downloaded from source the latest version.
> i removed the old one with apt-get remove freeradius
> i did a dpkg-buildpackage -b -uc but messed in:
> /home/omega/freeradius-server-2.1.8/src/main/modules.c:1358: undefined
> reference to `lt_preloaded_symbols'
>
> so i didn't know how to put that new version.
>
> thanks for your help
>
>
> 2010/3/3 Alan Buxey 
>
>> Hi,
>>
>> > i use ubuntu as radius server
>> > all configuration file is under /etc/freeradius/*
>> >
>> > as client i use winxp wired without certificate. just EAP-MSCHAP v2 as
>> > authentication method.
>> >
>> > in my users file i put one user like this:
>> > ##
>> > linatest    Auth-Type = CHAP , Cleartext-Password := "linagora"
>> >     Service-Type = Framed-User
>> >
>>
>> okay - now you're messing things up.  for a start this is not what you said
>> in the last email
>>
>> secondly, wired authentication on a WinXP will either be EAP-TLS, PEAP (w
>> MSCHAPv2) or EAP-MD5
>>
>> either way, setting "Auth-Type = CHAP" is just totally wrong (wrong wrong
>> wrong). don't do it.
>>
>> just have
>>
>> linatest    Cleartext-Password := "linagora"
>>
>>
>> in your dumb/basic testing users file and then do the WinXP connection... you
>> should see all sorts of things about EAP then flying past the screen... that'll
>> be okay - and it'll work if you have configured the client to ignore
>> certificate and don't check certificate etc... you'll have also configured the
>> client to NOT use the windows login for authentication or login is guest
>> because those settings will also mess things up.
>>
>> what you are currently trying to do will work 100% with latest version of
>> FreeRADIUS with ONLY the users file being played with.
>>
>>
>> of course... the other thing is you're using Ubuntu - did you build this
>> yourself WITH SSL support enabled or did you just get it via
>> apt-get/synaptic?  'cos it's very likely you won't have SSL support (and hence
>> no EAP!) if you haven't sorted that bit out too.
>>
>> alan

Re: No User-Password or CHAP-Password attribute in the request

2010-03-03 Thread omega bk
yeah i really messed things up.

i got my radius from apt-get

i downloaded from source the latest version.
i removed the old one with apt-get remove freeradius
i did a dpkg-buildpackage -b -uc but messed in:
/home/omega/freeradius-server-2.1.8/src/main/modules.c:1358: undefined
reference to `lt_preloaded_symbols'

so i didn't know how to put that new version.

thanks for your help


2010/3/3 Alan Buxey 

> Hi,
>
> > i use ubuntu as radius server
> > all configuration file is under /etc/freeradius/*
> >
> > as client i use winxp wired without certificate. just EAP-MSCHAP v2 as
> > authentication method.
> >
> > in my users file i put one user like this:
> > ##
> > linatest    Auth-Type = CHAP , Cleartext-Password := "linagora"
> >     Service-Type = Framed-User
> >
>
> okay - now you're messing things up.  for a start this is not what you said
> in the last email
>
> secondly, wired authentication on a WinXP will either be EAP-TLS, PEAP (w
> MSCHAPv2) or EAP-MD5
>
> either way, setting "Auth-Type = CHAP" is just totally wrong (wrong wrong
> wrong). don't do it.
>
> just have
>
> linatest    Cleartext-Password := "linagora"
>
>
> in your dumb/basic testing users file and then do the WinXP connection... you
> should see all sorts of things about EAP then flying past the screen... that'll
> be okay - and it'll work if you have configured the client to ignore
> certificate and don't check certificate etc... you'll have also configured the
> client to NOT use the windows login for authentication or login is guest
> because those settings will also mess things up.
>
> what you are currently trying to do will work 100% with latest version of
> FreeRADIUS with ONLY the users file being played with.
>
>
> of course... the other thing is you're using Ubuntu - did you build this
> yourself WITH SSL support enabled or did you just get it via
> apt-get/synaptic?  'cos it's very likely you won't have SSL support (and hence
> no EAP!) if you haven't sorted that bit out too.
>
> alan

Re: No User-Password or CHAP-Password attribute in the request

2010-03-03 Thread Alan Buxey
Hi,

> i use ubuntu as radius server
> all configuration file is under /etc/freeradius/*
> 
> as client i use winxp wired without certificate. just EAP-MSCHAP v2 as 
> authentication method.
> 
> in my users file i put one user like this:
> ##
> linatest    Auth-Type = CHAP , Cleartext-Password := "linagora"
>     Service-Type = Framed-User
> 

okay - now you're messing things up.  for a start this is not what you said
in the last email

secondly, wired authentication on a WinXP will either be EAP-TLS, PEAP (w
MSCHAPv2) or EAP-MD5

either way, setting "Auth-Type = CHAP" is just totally wrong (wrong wrong
wrong). don't do it.

just have

linatest    Cleartext-Password := "linagora"


in your dumb/basic testing users file and then do the WinXP connection... you
should see all sorts of things about EAP then flying past the screen... that'll
be okay - and it'll work if you have configured the client to ignore
certificate and don't check certificate etc... you'll have also configured the
client to NOT use the windows login for authentication or login is guest
because those settings will also mess things up.

what you are currently trying to do will work 100% with latest version of
FreeRADIUS with ONLY the users file being played with.


of course... the other thing is you're using Ubuntu - did you build this
yourself WITH SSL support enabled or did you just get it via
apt-get/synaptic?  'cos it's very likely you won't have SSL support (and hence
no EAP!) if you haven't sorted that bit out too.

alan


Re: No User-Password or CHAP-Password attribute in the request

2010-03-03 Thread Alan DeKok
omega bk wrote:
> hi alan, thanks for your help.
> 
> i use ubuntu as radius server
> all configuration file is under /etc/freeradius/*
> 
> as client i use winxp wired without certificate. just EAP-MSCHAP v2 as
> authentication method.
> 
> in my users file i put one user like this:
> ##
> linatest    Auth-Type = CHAP , Cleartext-Password := "linagora"

  Delete the "Auth-Type = CHAP" line.  It's not necessary.


> in my radiusd.conf:

  You've butchered the configuration files.  It's not necessary.

  USE THE DEFAULT CONFIGURATION.

  IT WORKS.

  Really.  Your edits have *BROKEN THE SERVER*.

  Alan DeKok.



Re: No User-Password or CHAP-Password attribute in the request

2010-03-03 Thread omega bk
hi alan, thanks for your help.

i use ubuntu as radius server
all configuration file is under /etc/freeradius/*

as client i use winxp wired without certificate. just EAP-MSCHAP v2 as
authentication method.

in my users file i put one user like this:
##
linatest    Auth-Type = CHAP , Cleartext-Password := "linagora"
    Service-Type = Framed-User


in my radiusd.conf:
##
modules {
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users
        compat = no
    }

    chap {
        authtype = CHAP
    }
    ...

}

authorize {
    preprocess
    chap
    files
}

authenticate {
    Auth-Type CHAP {
        chap
    }
}

##
in result of freeradius -X , I got:

rad_recv: Access-Request packet from host 192.168.20.253 port 1645, id=118,
length=131
User-Name = "linatest"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1A-A1-64-BB-1A"
Calling-Station-Id = "00-18-8B-B5-26-B7"
EAP-Message = 0x0202000d016c696e6174657374
Message-Authenticator = 0x4e31158d9f8be4943a213e992598bdf6
NAS-Port = 50024
NAS-Port-Type = Ethernet
NAS-IP-Address = 192.168.20.253
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[files] users: Matched entry linatest at line 89
++[files] returns ok
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] rlm_chap: Attribute "CHAP-Password" is required for authentication.
++[chap] returns invalid
Failed to authenticate the user.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 118 to 192.168.20.253 port 1645
Service-Type = Framed-User
Waking up in 4.9 seconds.
Cleaning up request 0 ID 118 with timestamp +20
Ready to process requests.


So my asking help is:

how can i authenticate my client?
which "CHAP-Password" ?

thanks for your help
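Added example, not part of the original posts: a small decoder for the EAP-Message value in the debug output above. It shows that the switch sent an EAP-Response/Identity for "linatest", so the request carries EAP credentials and no CHAP-Password for a forced Auth-Type CHAP to check. The request lines in SAMPLE are copied from the post; the function names are illustrative assumptions.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Request attributes copied from the radiusd -X output in the post above.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.20.253 port 1645, id=118,
length=131
User-Name = "linatest"
Service-Type = Framed-User
EAP-Message = 0x0202000d016c696e6174657374
Message-Authenticator = 0x4e31158d9f8be4943a213e992598bdf6
NAS-Port-Type = Ethernet
"""


def request_attrs(debug_text):
    """Collect 'Name = value' lines; the first value seen for a name wins."""
    attrs = {}
    for line in debug_text.splitlines():
        m = re.match(r"([A-Za-z][\w-]*) = (.*)$", line.lstrip("> \t"))
        if m:
            attrs.setdefault(m.group(1), m.group(2).strip('"'))
    return attrs


def parse_eap(hex_value):
    """Decode the EAP header (code, id, length) and, if present, type and data."""
    raw = bytes.fromhex(hex_value[2:] if hex_value[:2].lower() == "0x" else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 octets")
    length = int.from_bytes(raw[2:4], "big")
    if not 4 <= length <= len(raw):
        raise ValueError("EAP length field does not fit the data")
    pkt = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1], "length": length}
    if raw[0] in (1, 2) and length >= 5:  # only Request/Response carry a type
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:length]
    return pkt


def credential_kind(attrs):
    """Name the authentication method the request itself is asking for."""
    for name, kind in (("EAP-Message", "eap"), ("CHAP-Password", "chap"),
                       ("MS-CHAP-Challenge", "mschap"), ("User-Password", "pap")):
        if name in attrs:
            return kind
    return "none"


def diagnose(debug_text, forced_auth_type=None):
    """Compare what the request carries with an Auth-Type forced in the users file."""
    kind = credential_kind(request_attrs(debug_text))
    if forced_auth_type and forced_auth_type.lower() != kind:
        return "mismatch: request carries %s, Auth-Type %s is forced" % (kind, forced_auth_type)
    return "ok: request carries %s" % kind


if __name__ == "__main__":
    print(parse_eap(request_attrs(SAMPLE)["EAP-Message"]))
    print(diagnose(SAMPLE, "CHAP"))
```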

Re: No User-Password or CHAP-Password attribute in the request

2010-03-03 Thread Alan Buxey
Hi,

> My version of freeradius is Version 2.1.0

upgrade to 2.1.8

> [files] users: Matched entry linatest at line 11
> ++[files] returns ok
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.

FreeRADIUS doesn't lie

> i don't have 'Auth-Type = Local' but it still remaining me this
> And :
> No User-Password or CHAP-Password attribute in the request.
> Cannot perform authentication.
> Failed to authenticate the user.

oh but you do - or did you just not restart the server? 


are you sure you are editing the right 'users' file - so many many times people
have installed multiple copies and then found that whilst they are editing
eg /etc/raddb/users, the daemon is reading /usr/local/etc/raddb/users  etc

if you check the full output of 'radiusd -X' you will see which files it is 
reading

alan


Re: No User-Password or CHAP-Password attribute in the request

2010-03-03 Thread omega bk
>
> hello all,
>
> My version of freeradius is Version 2.1.0
>
> here is my result in debug mode:
>
> rad_recv: Access-Request packet from host 192.168.20.253 port 1645, id=112,
> length=131
> User-Name = "linatest"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = "00-1A-A1-64-BB-1A"
> Calling-Station-Id = "00-18-8B-B5-26-B7"
> EAP-Message = 0x0202000d016c696e6174657374
> Message-Authenticator = 0x3fe6e297218c3aa1e98286a5a3db3303
> NAS-Port = 50024
> NAS-Port-Type = Ethernet
> NAS-IP-Address = 192.168.20.253
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [files] users: Matched entry linatest at line 11
> ++[files] returns ok
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> No User-Password or CHAP-Password attribute in the request.
> Cannot perform authentication.
> Failed to authenticate the user.
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 112 to 192.168.20.253 port 1645
> Service-Type = Framed-User
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 112 with timestamp +20
>
>
> i don't have 'Auth-Type = Local' but it still remaining me this
> And :
> No User-Password or CHAP-Password attribute in the request.
> Cannot perform authentication.
> Failed to authenticate the user.
>
> where to put this CHAP-Password attribute in the request??
>
> here is my users file
>
> linatest    Cleartext-Password := "mypass"
>     Service-Type = Framed-User
>
>
>
> thanks for your help
>
>