Re: When to ldap?

2010-05-13 Thread Alan DeKok
Dean, Barry wrote:
 I am working on a new radius config and have been trying to avoid the lookup 
 in LDAP I have been seeing for the outer identity.
 
 I have moved to 2.1.8 with the inner-tunnel virtual host enabled.
 
 I have an authorise section for the relevant virtual server that has:

  *which* virtual server?

 The if(!EAP-Message) works a treat at preventing an LDAP lookup for the 
 outer identity, but if I want to send a basic User-Name/User-Password type 
 auth request after checking with LDAP and returning Remote access is 
 permitted, I then see:
 
 No authenticate method (Auth-Type) configuration found for the request: 
 Rejecting the user

  And the *rest* of the debug log says ?

 I presume:
 
 if (!EAP-Message) {
     ldap
 }
 
 Fails to set Auth-Type LDAP?

  Yes.  It *shouldn't*, either.  That was a mistake from 1.x.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-13 Thread Alan DeKok
Sumedh Sathaye wrote:
 Run-log from radiusd -X is also included at the end of this message.
 Here is the message that indicates that EAP is not computing MSK and EMSK:
 [wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.

  You're using an EAP method that doesn't provide the MSK.  Use
something mandated by the WiMAX spec instead of EAP-MD5.

  e.g. EAP-TLS, PEAP, or TTLS.

  Alan DeKok.
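Added example, not Sumedh's posted configuration and not from the FreeRADIUS project's own files: the same post-auth fragment for 2.1.x, guarded so that the WiMAX key block only runs when the EAP method actually derived an MSK, and the Access-Accept is turned into an Access-Reject otherwise instead of going out without keys. Attribute and module names are those from the post; the guard, the Reply-Message text and the reject are my assumptions about how one would want to fail closed.

```unlang
# sites-enabled/default, post-auth section (FreeRADIUS 2.1.x unlang).
# Added example, not the posted configuration.
post-auth {
    # rlm_eap puts EAP-MSK/EAP-EMSK into the request list only for methods
    # that derive keying material (EAP-TLS, PEAP, TTLS ...).  EAP-MD5 never
    # does, so for it this condition is false and the else branch runs.
    if (EAP-MSK) {
        update request {
            WiMAX-MN-NAI = "%{User-Name}"
        }
        update reply {
            WiMAX-FA-RK-Key = 0x00
            WiMAX-MSK = "%{EAP-MSK}"
        }
        wimax
    }
    else {
        # Fail closed: an Access-Accept with no WiMAX keys is useless to
        # the ASN-GW and hides the misconfiguration.  "reject" in post-auth
        # converts the Accept into an Access-Reject.
        update reply {
            Reply-Message := "EAP method did not derive an MSK; WiMAX needs EAP-TLS, PEAP or TTLS"
        }
        reject
    }

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

Pair this with eap.conf: set default_eap_type to tls, peap or ttls (Alan's list) so the supplicant is not offered EAP-MD5 at all. A non-EAP Access-Request (plain PAP) also ends in the else branch, which is the right outcome for a WiMAX AAA where only EAP is legitimate.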


Re: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-13 Thread sunhualing
It seems that it could not generate EAP-MSK first; maybe you can check that.

On Thu, May 13, 2010 at 2:49 AM, Sumedh Sathaye sath...@us.ibm.com wrote:

 Dear all,

 I am trying to use FreeRadius 2.1.8 for AAA in a wimax network. The problem
 I am facing is that the WiMAX-MSK keys are not generated by FreeRadius. Can
 someone help me figure out what I am not doing OR doing incorrectly?

 I have configured the raddb/sites-available/default and
 raddb/modules/wimax files per instructions included in the files
 themselves. For reference, here are the configuration stanzas in the
 post-auth section of default:

 update request {
     WiMAX-MN-NAI = "%{User-Name}"
 }
 update reply {
     WiMAX-FA-RK-Key = 0x00
     WiMAX-MSK = "%{EAP-MSK}"
 }
 wimax

 Run-log from radiusd -X is also included at the end of this message. Here
 is the message that indicates that EAP is not computing MSK and EMSK:
 [wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.

 Thank you in advance, and I apologize if this question has been answered
 before -- I did not find answers/pointers in the FAQ or the Wiki.

 Best Regards,
 Sumedh

 --
 FreeRADIUS Version 2.1.8, for host x86_64-unknown-linux-gnu, built on May
 11 2010 at 23:50:30
 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 You may redistribute copies of FreeRADIUS under the terms of the
 GNU General Public License v2.
 Starting - reading configuration files ...
 including configuration file /usr/local/etc/raddb/radiusd.conf
 including configuration file /usr/local/etc/raddb/proxy.conf
 including configuration file /usr/local/etc/raddb/clients.conf
 including files in directory /usr/local/etc/raddb/modules/
 including configuration file /usr/local/etc/raddb/modules/acct_unique
 including configuration file /usr/local/etc/raddb/modules/always
 including configuration file /usr/local/etc/raddb/modules/attr_filter
 including configuration file /usr/local/etc/raddb/modules/attr_rewrite
 including configuration file /usr/local/etc/raddb/modules/chap
 including configuration file /usr/local/etc/raddb/modules/checkval
 including configuration file /usr/local/etc/raddb/modules/counter
 including configuration file /usr/local/etc/raddb/modules/cui
 including configuration file /usr/local/etc/raddb/modules/detail
 including configuration file /usr/local/etc/raddb/modules/detail.example.com
 including configuration file /usr/local/etc/raddb/modules/detail.log
 including configuration file /usr/local/etc/raddb/modules/digest
 including configuration file /usr/local/etc/raddb/modules/echo
 including configuration file /usr/local/etc/raddb/modules/etc_group
 including configuration file /usr/local/etc/raddb/modules/exec
 including configuration file /usr/local/etc/raddb/modules/expiration
 including configuration file /usr/local/etc/raddb/modules/expr
 including configuration file /usr/local/etc/raddb/modules/files
 including configuration file /usr/local/etc/raddb/modules/inner-eap
 including configuration file /usr/local/etc/raddb/modules/ippool
 including configuration file /usr/local/etc/raddb/modules/krb5
 including configuration file /usr/local/etc/raddb/modules/ldap
 including configuration file /usr/local/etc/raddb/modules/linelog
 including configuration file /usr/local/etc/raddb/modules/logintime
 including configuration file /usr/local/etc/raddb/modules/mac2ip
 including configuration file /usr/local/etc/raddb/modules/mac2vlan
 including configuration file /usr/local/etc/raddb/modules/mschap
 including configuration file /usr/local/etc/raddb/modules/ntlm_auth
 including configuration file /usr/local/etc/raddb/modules/otp
 including configuration file /usr/local/etc/raddb/modules/pam
 including configuration file /usr/local/etc/raddb/modules/pap
 including configuration file /usr/local/etc/raddb/modules/passwd
 including configuration file /usr/local/etc/raddb/modules/perl
 including configuration file /usr/local/etc/raddb/modules/policy
 including configuration file /usr/local/etc/raddb/modules/preprocess
 including configuration file /usr/local/etc/raddb/modules/radutmp
 including configuration file /usr/local/etc/raddb/modules/realm
 including configuration file /usr/local/etc/raddb/modules/smbpasswd
 including configuration file /usr/local/etc/raddb/modules/smsotp
 including configuration file /usr/local/etc/raddb/modules/sql_log
 including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
 including configuration file /usr/local/etc/raddb/modules/sradutmp
 including configuration file /usr/local/etc/raddb/modules/unix
 including configuration file /usr/local/etc/raddb/modules/wimax
 including configuration file /usr/local/etc/raddb/eap.conf
 including configuration file /usr/local/etc/raddb/policy.conf
 including files in directory /usr/local/etc/raddb/sites-enabled/
 including configuration file 

Simultaneous-Use + SQL + Checkrad

2010-05-13 Thread Galatóczki István
Hi All! 

I use FreeRADIUS 2.0.4 (deb package) with MySQL 5.0.51. 
The online-user check does not work on the NAS with the checkrad script on my network.

I read the list and forums but have not found a solution. 
I have read and followed the steps of the comment below:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg58506.html

my config: 
radcheck table: Simultaneous-Use := 1
-sites-enabled/default-
accounting {
    sql
    sqlippool
}
session {
    sql
}
uncomment: simul_count_query... in dialup.conf 

include: sql.conf etc. in the radiusd.conf 

Question: does the checkrad script work without radutmp? 

Steve  


SAMBA Version

2010-05-13 Thread Colin Byelong

Hi,

I was reading the archives and saw that some of the later versions of 
SAMBA had a bug so it couldn't be used for ntlm_auth/Eap-PEAP.

Does anyone know if this is now fixed?

We are running Fedora core 12 and it ships with SAMBA 3.4.7

Thanks

Colin

-- 


Colin Byelong Email: c.byel...@ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street  Phone: 020 7679-2572
London WC1E 6BT




Re: When to ldap?

2010-05-13 Thread Dean, Barry

On 13 May 2010, at 06:54, Alan DeKok wrote:

 Dean, Barry wrote:
 I am working on a new radius config and have been trying to avoid the lookup 
 in LDAP I have been seeing for the outer identity.
 
 I have moved to 2.1.8 with the inner-tunnel virtual host enabled.
 
 I have an authorise section for the relevant virtual server that has:
 
  *which* virtual server?

I have 3 virtual servers on this host, one is for just local 
authentication, one is for the JANET Roaming Service and one is for our local 
Guest Wireless service. The config section I posted was from the local auth 
virtual server.

Complete config:

# Local auth
#
server radius {
    listen {
        ipaddr = server ip
        port = 0
        type = auth
    }
    listen {
        ipaddr = server ip
        port = 0
        type = acct
    }
    proxy_requests = no

    $INCLUDE local-clients.conf

    authorize {
        preprocess
        auth_log
        if (%{User-Name} =~ /forbidden/i) {
            update reply {
                Reply-Message = "Cannot use this user account"
            }
            reject
        }
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        files
        if (!EAP-Message) {
            ldap
        }
        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        Auth-Type LDAP {
            ldap
        }
        Auth-Type EAP {
            eap
        }
        eap
    }

    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
    }

    session {
        radutmp
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
        reply_log
    }
    pre-proxy {
        pre_proxy_log
    }

    post-proxy {
        eap
        post_proxy_log
    }
}


 
 The if(!EAP-Message) works a treat at preventing an LDAP lookup for the 
 outer identity, but if I want to send a basic User-Name/User-Password type 
 auth request after checking with LDAP and returning Remote access is 
 permitted, I then see:
 
 No authenticate method (Auth-Type) configuration found for the request: 
 Rejecting the user
 
  And the *rest* of the debug log says ?

Complete log is:
rad_recv: Access-Request packet from host 192.168.0.10 port 63775, id=111, 
length=49
User-Name = user
User-Password = password
NAS-IP-Address = 192.168.0.10
server radius {
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - 
/log/radacct/192.168.0.10/auth-detail-20100513
[auth_log] /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to 
/log/radacct/192.168.0.10/auth-detail-20100513
[auth_log]  expand: %t - Thu May 13 09:47:31 2010
++[auth_log] returns ok
++? if (%{User-Name} =~ /forbidden/i)
expand: %{User-Name} - user
? Evaluating (%{User-Name} =~ /forbidden/i) - FALSE
++? if (%{User-Name} =~ /forbidden/i) - FALSE
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] Found realm NULL
[suffix] Adding Stripped-User-Name = user
[suffix] Adding Realm = NULL
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap-eduroam] No EAP-Message, not doing EAP
++[eap-eduroam] returns noop
++[files] returns noop
[ldap] performing user authorization for user
[ldap]  expand: %{Stripped-User-Name} - user
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) - 
(sAMAccountName=user)
[ldap]  expand: OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk - 
OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to adserver.liv.ac.uk:389, authentication 0
  [ldap] bind as CN=radius-account,OU=Service 
Accounts,OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk/special-password to 
adserver.liv.ac.uk:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk

Re: When to ldap?

2010-05-13 Thread Alan DeKok
Dean, Barry wrote:
...
   [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk, with 
 filter (sAMAccountName=user)
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that the 
 user is configured correctly?

  I mean, really... what's the issue?

...
 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this.

  That should be a hint.

  Paste the debugging output into the form at:


 ++[pap] returns noop
 No authenticate method (Auth-Type) configuration found for the request: 
 Rejecting the user
 Failed to authenticate the user.
 Login incorrect: [user] (from client EZProxy port 0)
 } # server radius
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
 [attr_filter.access_reject] expand: %{User-Name} - user
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request
 Waking up in 0.9 seconds.
 rad_recv: Access-Request packet from host 192.168.0.10 port 63775, id=111, 
 length=49
 Waiting to send Access-Reject to client EZProxy port 63775 - ID: 111
 Sending delayed reject for request 0
 Sending Access-Reject of id 111 to 192.168.0.10 port 63775
 Waking up in 4.9 seconds.
 Cleaning up request 0 ID 111 with timestamp +32
 
 I presume:

   if (!EAP-Message) {
ldap
}

 Fails to set Auth-Type LDAP?
  Yes.  It *shouldn't*, either.  That was a mistake from 1.x.
 
   I have seen the dire warnings about "Don't set Auth-Type = LDAP" so I 
 have not ventured there as I am sure there are dragons.
 
 --
 Barry Dean
 Principal Programmer/Analyst
 Networks Group
 Computing Services Department
 Tel: 0151 795 9540


Re: When to ldap?

2010-05-13 Thread Alan DeKok
  sigh

Dean, Barry wrote:
...
   [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk, with 
 filter (sAMAccountName=user)
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that the 
 user is configured correctly?

  Again...
...
 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this.

  See the form at:

http://networkradius.com/freeradius.html

  It will *highlight* the information you need to know.

 I have seen the dire warnings about "Don't set Auth-Type = LDAP" so I have 
 not ventured there as I am sure there are dragons.

  The warnings are there because people set it, and then try to do EAP.
For some reason, no LDAP server implements EAP.

  Your choices are:

a) fix your LDAP server to return a password
b) force Auth-Type := LDAP *only* for certain kinds of packets

  If you're trying to do EAP with this LDAP server (I presume it's
Active Directory), see my web site at http://deployingradius.com/.  It
has complete instructions.

  Alan DeKok.


Re: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-13 Thread Alan DeKok
Zheng, Jiajia wrote:
 But as I mentioned, the same CA works fine with EAP-TTLS. Why does it go 
 wrong with EAP-TLS?

  EAP-TLS requires that the CA be authorized to sign client
certificates.  See the certificate creation scripts in 2.1.8, they may
have fixes for this.

  Alan DeKok.


Access request-access reject

2010-05-13 Thread dorra aa

 users: Matched entry DEFAULT at line 153
  users: Matched entry abc at line 216
  modcall[authorize]: module files returns ok for request 0
  modcall: leaving group authorize (returns ok) for request 0
   rlm_pap: Found existing Auth-Type, not changing it.
  rad_check_password: Found Auth-Type System
   modcall[authenticate]: module unix returns notfound for request 0
 
 It shouldn't be using an auth-type of System, that means to lookup the 
 user in the /etc/passwd (/etc/shadow) file. But you don't have a user on 
 your system named abc so the not found result makes sense, right?
 
 Why is it trying to find abc amongst the unix users on your system? 
 The answer is right above, look at the lines labeled users:, that's 
 your users file, also look at the line that says Found Auth-Type, not 
 changing it. So something in your users file forced the user abc to 
 have an Auth-Type of system or unix, it also tells you which lines 
 in the users files it matched. Go fix your users file so it doesn't do that.
I found in the users file that line:
DEFAULT	Auth-Type = System
I uncommented it, but same problem. I think I must change it to another attribute?
 I'm guessing in your attempts to get things working you may have mangled 
 the example users file, you might want to start with the unaltered users 
 file and just add your test user.
 
 All this is documented in the link I sent you a week ago:
 http://deployingradius.com/documents/configuration/pap.html
 
 -- 
 John Dennis jden...@redhat.com

Re: Access request-access reject

2010-05-13 Thread Alan Buxey
Hi,

 I found in the users file that line:
 DEFAULT	Auth-Type = System

comment this line out and restart the daemon
remove calls to 'unix' from your configuration
if you don't want to even think about /etc/passwd

alan


Re: When to ldap?

2010-05-13 Thread Dean, Barry

On 13 May 2010, at 10:15, Alan DeKok wrote:

 Dean, Barry wrote:
 ...
  [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk, with 
 filter (sAMAccountName=user)
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that the 
 user is configured correctly?
 
  I mean, really... what's the issue?

The issue is that the self same configuration in FreeRADIUS 2.0.2 works! But 
with 2.1.8 it fails.

The difference in the debug output is:

++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type ldap
auth: type LDAP
+- entering group LDAP
rlm_ldap: - authenticate

In FR 2.0.2 this rad_check_password is causing LDAP authentication, whereas 
in FR 2.1.8 the same section of debug output says:

++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.

 ...
 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this.
 
  That should be a hint.

True. My problem was why LDAP was not being attempted for this basic request. 
No EAP, just a username and a password, which works just fine with FR 2.0.2.

In fact with 2.0.2 either:

if (!EAP-Message) {
    ldap
}

or

ldap

works in the authorise section, as the non-EAP request calls ldap either way.

With FR 2.1.8, both fail. They follow the same path and produce the "No 
authentication method ..." error.

All the complex EAP/TTLS/PEAP/MSCHAP etc stuff is working with FR 2.1.8 with my 
config, just the simple stuff is broken.

Maybe my question should have been:

FR 2.0.2 reports 'rad_check_password: Found Auth-Type ldap' then goes on to 
authenticate a user against LDAP, whereas FR 2.1.8 reports that there is no 
Auth-Type set and does not attempt LDAP authentication.


Complete output for working one:

rad_recv: Access-Request packet from host 192.168.0.10 port 33158, id=66, 
length=49
User-Name = user
User-Password = password
NAS-IP-Address = 192.168.0.10
server radius {
+- entering group authorize
++[preprocess] returns ok
expand: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - 
/log/radacct/192.168.0.10/auth-detail-20100513
rlm_detail: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to 
/log/radacct/192.168.0.10/auth-detail-20100513
expand: %t - Thu May 13 10:46:02 2010
++[auth_log] returns ok
++? if (%{User-Name} =~ /forbidden/i)
expand: %{User-Name} - user
? Evaluating (%{User-Name} =~ /forbidden/i) - FALSE
++? if (%{User-Name} =~ /forbidden/i) - FALSE
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = user
rlm_realm: Proxying request from user user to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap-eduroam] returns noop
users: Matched entry user at line 203
++[files] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) - FALSE
++? if (!EAP-Message) - TRUE
++- entering if (!EAP-Message)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
expand: %{Stripped-User-Name} - user
expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) - 
(sAMAccountName=user)
expand: OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk - 
OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to adserver.liv.ac.uk:389, authentication 0
rlm_ldap: bind as CN=radius-account,OU=Service 
Accounts,OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk/special-password to 
adserver.liv.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk, with 
filter (sAMAccountName=user)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type ldap
auth: type LDAP

RE: Access request-access reject

2010-05-13 Thread dorra aa



 Date: Thu, 13 May 2010 11:01:10 +0100
 From: a.l.m.bu...@lboro.ac.uk
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Access request-access reject
 
 Hi,
 
  I found in users file that line:
  DEFAULTAuth-Type = System
 
 comment this line out and restart the daemon
 remove calls to 'unix' from your configuration
 if you dont want to even think about /etc/passwd
I commented it like that:
#DEFAULT Auth-Type = System
Fall-Through = 1 
also in the file radiusd.conf:
authenticate {
    #
    #  PAP authentication, when a back-end database listed
    #  in the 'authorize' section supplies a password.  The
    #  password can be clear-text, or encrypted.
    Auth-Type PAP {
        pap
    }

    #
    #  Most people want CHAP authentication
    #  A back-end database listed in the 'authorize' section
    #  MUST supply a CLEAR TEXT password.  Encrypted passwords
    #  won't work.
    Auth-Type CHAP {
        chap
    }

    #
    #  MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }

    #
    #  If you have a Cisco SIP server authenticating against
    #  FreeRADIUS, uncomment the following line, and the 'digest'
    #  line in the 'authorize' section.
    #digest

    #
    #  Pluggable Authentication Modules.
    #pam

    #
    #  See 'man getpwent' for information on how the 'unix'
    #  module checks the users password.  Note that packets
    #  containing CHAP-Password attributes CANNOT be authenticated
    #  against /etc/passwd!  See the FAQ for details.
    #
    unix

    # Uncomment it if you want to use ldap for authentication
    #
    # Note that this means check plain-text password against
    # the ldap database, which means that EAP won't work,
    # as it does not supply a plain-text password.
    #Auth-Type LDAP {
    #    ldap
    #}

    #
    #  Allow EAP authentication.
    eap
}
I commented out: unix
...
and I have this output from the daemon:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:40128, id=130, length=55
User-Name = abc
User-Password = 123
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = abc, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 153
users: Matched entry abc at line 216
  modcall[authorize]: module files returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 130 to 127.0.0.1 port 40128
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 130 with timestamp 4bebd86e
Nothing to do.  Sleeping until we see a request.

 alan

Re: When to ldap?

2010-05-13 Thread Alan DeKok
Dean, Barry wrote:
 The issue is that the self same configuration in FreeRADIUS 2.0.2 works! But 
 with 2.1.8 it fails.

  Yes... the behavior changed slightly in the past 2 years.

  Read raddb/modules/ldap in 2.1.8.  Look for auth_type.  This is
documented.

 FR 2.0.2 reports 'rad_check_password: Found Auth-Type ldap' then goes on to 
 authenticate a user against LDAP, whereas FR 2.1.8 reports that there is no 
 Auth-Type set and does not attempt LDAP authentication.

  Yes.  Older versions had the LDAP module set the Auth-Type... which is
wrong.

  Alan DeKok.
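Option (b) from Alan's earlier reply, written out as an added example (not Barry's posted config and not the FreeRADIUS default site): the authorize and authenticate sections of the local-auth virtual server for 2.1.8, with Auth-Type := LDAP forced only for plain User-Password requests that rlm_ldap authorized without handing back a known-good password. EAP requests never reach the assignment, so the 1.x problem the warnings are about (an LDAP bind for something that is not a password) cannot happen. Module and section names are the ones from Barry's config; the condition and comments are mine. The raddb/modules/ldap item Alan points at is, as far as I recall, set_auth_type; enabling it restores the 2.0.2 behaviour wholesale, which is the less precise of the two fixes.

```unlang
# sites-enabled/radius: the local-auth virtual server, FreeRADIUS 2.1.8.
# Added example, not Barry's posted config.  Only the LDAP handling changes.
authorize {
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files

    # EAP requests carry EAP-Message and are finished in inner-tunnel;
    # an LDAP bind cannot check a TLS handshake, so skip LDAP for them.
    if (!EAP-Message) {
        ldap

        # "ok" = user found and remote access permitted, but (as with
        # Active Directory) no known-good password came back, so rlm_pap
        # stays noop and nothing sets Auth-Type.  For a plain User-Password
        # request, and only then, fall back to binding as the user.
        if (ok && User-Password && !control:Auth-Type) {
            update control {
                Auth-Type := LDAP
            }
        }
    }
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # Reached only via the assignment above, never for EAP or CHAP.
    Auth-Type LDAP {
        ldap
    }
    eap
}
```

With this in place the 2.1.8 debug output should again show "Found Auth-Type LDAP" followed by the rlm_ldap bind for the PAP test from Barry's log, while an EAP request still shows rlm_ldap being skipped.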


Pending release of 2.1.9

2010-05-13 Thread Alan DeKok
  I've put pre releases of 2.1.9 on the web:

http://git.freeradius.org/pre/

  Please try them, and note any issues.  If there aren't problems, we
can release 2.1.9 real soon now.

  Alan DeKok.


i found two freeradius

2010-05-13 Thread dorra aa

Yesterday I created that file:
cd ~

apt-get source freeradius
and I worked in the users file of: cd freeradius-1.1.7/
but now I find another freeradius in: /etc/freeradius.
I don't know how it was created there, and does it have any influence on
my radius, because I do my changes in the file users of
freeradius-1.1.7/?
May I delete the second freeradius that I did not create?
  

Re: i found two freeradius

2010-05-13 Thread Alan Buxey
Hi,

 Yesterday I created that file:
 cd ~
 apt-get source freeradius
 and I worked in the users file of: cd freeradius-1.1.7/

that would just be the original source code of the program.

 but now i find another freeradius in: /etc/freeradius.

that would be the directory created and filled with correct
files from the install of freeradius


if you run radiusd -X  you will clearly see which directory is in
use by the program. delete the one not in use

alan


Re: Access request-access reject

2010-05-13 Thread Alan Buxey
Hi,

  comment this line out and restart the daemon
  remove calls to 'unix' from your configuration
  if you dont want to even think about /etc/passwd
 i commented it like that:
 #DEFAULT Auth-Type = System
 Fall-Through = 1

comment out both lines: the DEFAULT line and the Fall-Through

and you didn't read my original email... which is a pity, where I said
to comment out calls to 'unix' in your config if you don't use it or
need it.   As you are not reading what I am telling you then I'm afraid
I won't bother replying to you again over this issue  :-(

alan
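An added example (not dorra's file, not John Dennis's, and not the stock users file shipped with the package) of a users file laid out the way Alan Buxey describes: both lines of the DEFAULT Auth-Type = System entry are commented out, and the test user abc gets a known-good password so rlm_pap can verify the User-Password it sees in the Access-Request without any detour through /etc/passwd. The user name and password are the ones from dorra's test packet; the Reply-Message is my addition, and the file path assumes the Debian package layout shown later in the thread.

```text
#
# /etc/freeradius/users  (FreeRADIUS 1.1.x syntax)
#
# Both lines of the old entry stay commented out.  Left active, the first
# forces every user to Auth-Type System (= /etc/passwd via rlm_unix), which
# is exactly the "Found Auth-Type System ... module unix returns notfound"
# path in the debug output.  A bare "Fall-Through = 1" left behind would
# attach itself to whatever entry follows, so it goes too.
#
#DEFAULT	Auth-Type = System
#	Fall-Through = 1

# The test user.  Cleartext-Password is a check item: rlm_pap sees it in
# authorize, sets Auth-Type = PAP itself, and in authenticate compares it
# with the User-Password carried in the request.
abc	Cleartext-Password := "123"
	Reply-Message = "Hello, %{User-Name}"
```

In the radiusd.conf authenticate section keep Auth-Type PAP { pap } and comment out the bare unix line, as Alan Buxey says; pap also has to run at the end of authorize, which the posted debug output shows it already does. With this users file a radtest for abc/123 should match "users: Matched entry abc" and authenticate via PAP rather than System.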


Query regarding update reason

2010-05-13 Thread Vijay Badola
Hi, 

I have a query regarding the Update-Reason field in the PPAQ attribute of
the Access-Request for the prepaid case. 

According to the WiMAX specification the size of this AVP is 4 bytes (including
tag and length).

And according to the dictionary.wimax supplied by FreeRADIUS, the size of the
Update-Reason field is 4 bytes, which means the total size of the AVP is 6 bytes.

 

Can we change the size of the Update-Reason field to 2 bytes in dictionary.wimax
to make the overall AVP size 4 bytes, so that the server decodes this AVP properly
(when the incoming Access-Request has 4 bytes for the Update-Reason AVP)? Or what is
the other way to achieve it? 

Please correct me if my understanding is wrong.

 


Re: Simultaneous-Use + SQL + Checkrad

2010-05-13 Thread Alan DeKok
Galatóczki István wrote:
 I use FreeRADIUS 2.0.4 (deb package) with MySQL 5.0.51. 

  You should really upgrade to 2.1.8.

 The online-user check does not work on the NAS with the checkrad script on my network.
 
 I read the list and forums but have not found a solution. 
 I have read and followed the steps of the comment below:
 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg58506.html
 
 my config: 
 radcheck table: Simultaneous-Use := 1
 -sites-enabled/default-
 accounting {
  sql sqlippool 

  The IPPool module does not do simultaneous-use tracking.

 }
 session {
 sql 
 }
 uncomment: simul_count_query... in dialup.conf 
 
 include: sql.conf etc.. in the radiusd.conf 
 
 Question: does the checkrad script work without radutmp? 

  No.

  Alan DeKok.


Re: Query regarding update reason

2010-05-13 Thread Alan DeKok
Vijay Badola wrote:
 I have a query regarding the Update-Reason field in the PPAQ attribute of
 the Access-Request for the prepaid case.
 
 According to the WiMAX specification the size of this AVP is 4
 bytes (including tag and length).

  *Which* WiMAX specification?

  The geniuses involved in WiMAX *changed* the definition of multiple
attributes when they updated the specifications.

 And according to the dictionary.wimax supplied by FreeRADIUS, the size of the
 Update-Reason field is 4 bytes, which means the total size of the AVP is 6 bytes.

  We're compatible with the specification we quote at the top of
dictionary.wimax.

 Can we change the size of the Update-Reason field to 2 bytes in
 dictionary.wimax to make the overall AVP size 4 bytes, so that the server
 decodes this AVP properly (when the incoming Access-Request has 4 bytes for
 the Update-Reason AVP)? Or what is the other way to achieve it?

  The dictionaries are text for a reason: you can edit them.

 Please correct me if my understanding is wrong.

  WiMAX is completely wrong.  The specs are ridiculously complicated.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: i found two freeradius

2010-05-13 Thread dorra aa


 
  yesterday I created that file:
  cd ~
  apt-get source freeradius
  and I worked in the users of: cd freeradius-1.1.7/
 
 that would just be the original source code of the program.
 
  but now I find another freeradius in: /etc/freeradius.
 
 that would be the directory created and filled with correct
 files from the install of freeradius
 
 
 if you run radiusd -X you will clearly see which directory is in
 use by the program. delete the one not in use
OK, I see that:
# freeradius -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
That means I must delete ~/freeradius-1.1.7, which I created with the
Debian package freeradius_1.1.7-1ubuntu0.2_i386.deb. Won't that cause any
problem in my work?
Because I'm using a document with this Debian package.
  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Freeradius privilege separation

2010-05-13 Thread Michał Dopierała
Hi!

Is it possible in FreeRADIUS to have one user who has full privilege level
on one piece of equipment (one Cisco router, privilege lvl15), and a limited
privilege level on other equipment (another router with a smaller privilege,
e.g. lvl10, which will be configured on the router)?
How do I separate them?
My current configuration of users:

 mdopierala  Auth-Type := PAP, Crypt-Password = "passwrd"
             Service-Type = Administrative-User,
             Cisco-AVPair = "shell:priv-lvl=15",
             Brocade-Auth-Role = "Administrator"

and part of clients.conf

client 192.168.1.1 {
secret = community
shortname = router1
}
client 192.168.1.2 {
secret = community
shortname = router2
}


I'm waiting for a response
Michal Dopierala
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Access request-access reject

2010-05-13 Thread dorra aa

No, please, sorry, I'm not so good in English.
Thank you Alan :))) it's working now
see it:
r...@pfe-laptop:/home/pfe# radtest abc 123 localhost 1812 testing123
Sending Access-Request of id 185 to 127.0.0.1 port 1812
User-Name = abc
User-Password = 123
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=185, length=20

thanks

 Date: Thu, 13 May 2010 13:07:45 +0100
 From: a.l.m.bu...@lboro.ac.uk
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Access request-access reject
 
 Hi,
 
   comment this line out and restart the daemon
   remove calls to 'unix' from your configuration
   if you don't want to even think about /etc/passwd
  I commented it like that:
  #DEFAULT Auth-Type = System
  Fall-Through = 1
 
 comment out both lines: the DEFAULT line and the Fall-Through
 
 and you didn't read my original email... which is a pity, where I said
 to comment out calls to 'unix' in your config if you don't use it or
 need it.   As you are not reading what I am telling you then I'm afraid
 I won't bother replying to you again over this issue  :-(
 
 alan
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Deny connection to users

2010-05-13 Thread Hermidio A. Rodriguez Chavez

Hi all.

Is it possible, when a user is disconnected by the Session-Timeout
directive, to deny reconnection within the following 30 minutes?


Thanks in advance!!

Hermidio

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Pending release of 2.1.9

2010-05-13 Thread John Dennis

On 05/13/2010 06:57 AM, Alan DeKok wrote:

   I've put pre releases of 2.1.9 on the web:

http://git.freeradius.org/pre/

   Please try them, and note any issues.  If there aren't problems, we
can release 2.1.9 real soon now.


Thank you for your hard work Alan! I'd like to thank you and everyone 
who worked on this for their contributions to the open source community. 
We all owe you a debt of gratitude.


As to 2.1.9 ...

It passes basic sanity checking. It builds, installs, and runs. I have 
tested with radtest and with each of the eapol_test scripts. I do not 
have a stress testing environment, I think others do and it would be 
good to hear from them.


The Changelog notes several feature additions. I thought this was a bug 
fix update only. In fairness some of the feature additions were in the 
area of documentation, that's great and I don't have a problem with 
features which do not change code and make it easier for users to use. 
But shouldn't the other features have been reserved for the 2.2.x branch 
and limit 2.1.9 to only bug fixes?


The one bug I was most concerned about I don't see specifically called 
out and I'm wondering what the disposition of that was. Sorry, but I'm 
going to be a little vague rather than citing a bug number. There was a 
problem reported by several people that resulted in a server crash and 
only seemed to appear under high load conditions after the server was up 
for a while. Alan said he was having a hard time reproducing it, that 
logically it seemed impossible from static code inspection, but 
acknowledged it was real because it had been reported often enough. Does 
that ring a bell? Does this update address that issue?




--
John Dennis jden...@redhat.com

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: free NAS ?

2010-05-13 Thread Timothy
You're not meaning something like coova-chilli (a captive portal) 
http://www.coova.org/ are you ?

Timothy

On 07/05/2010 20:46, VU VAN HUNG wrote:

sunhualing wrote:

hostapd as a NAS, authenticator
wpa-supplicant as a supplicant


On Fri, May 7, 2010 at 1:31 AM, Jeff Voskamp javos...@uwaterloo.ca 
mailto:javos...@uwaterloo.ca wrote:


On 05/06/2010 01:27 PM, John McDonnell wrote:

On May 6th, 2010 at 1:09 PM, Randal Carpenter wrote:
Try openfiler, at http://www.openfiler.com/, it emulates both
SAN and NAS
equipment.





On Thu, May 6, 2010 at 5:56 AM, VU VAN
HUNGvanhung2...@gmail.com mailto:vanhung2...@gmail.com  
wrote:



   Hi all,
   I just wonder that are there any open source software
that have same
functionalities like Network Access Server ?
   Because I see that there's Asterisk, which is like a PBX.
   Best,
   Hung,
   -
   List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


There's always FreeNAS as well... http://freenas.org/freenas


Wrong NAS - those ones are Network Attached Storage, not Network
Access Server.

Dang TLA overload.

Jeff

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html
hostapd is only for authentication; I have tried to Google but found 
nothing. I want to find a free NAS supporting accounting for a RADIUS 
server. Just found this one. Check it out!

https://www.rahunas.org/trac/
Hung,
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Pending release of 2.1.9

2010-05-13 Thread Johan Meiring

On 2010/05/13 12:57 PM, Alan DeKok wrote:

   I've put pre releases of 2.1.9 on the web:

http://git.freeradius.org/pre/

   Please try them, and note any issues.  If there aren't problems, we
can release 2.1.9 real soon now.




Builds fine on debian lenny using dpkg-buildpackage

There is a log of warnings though.
Small subset says this.
-
dpkg-shlibdeps: warning: symbol radlog used by 
debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of 
the libraries.
dpkg-shlibdeps: warning: symbol cf_section_parse used by 
debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of 
the libraries.
dpkg-shlibdeps: warning: symbol debug_flag used by 
debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of 
the libraries.
dpkg-shlibdeps: warning: symbol rad_malloc used by 
debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of 
the libraries.
dpkg-shlibdeps: warning: symbol log_debug used by 
debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of 
the libraries.

-

The warnings above also happen for other modules.
rlm_mysql
rlm_pam
rlm_dbm
etc..



After building I end up with various packages.

freeradius-common
freeradius-mysql
etc

When building previous versions (tried 2.1.7), the packages were different.
freeradius(note - no -common)
freeradius-mysql
etc

I realise the official Debian packages have a freeradius and a
freeradius-common, but the Debian packages built from source never had a 
-common.


When installing 2.1.9, I installed the -common instead of the non 
-common one.  When trying to install freeradius-mysql afterwards, it 
complained about not finding dependency freeradius (without -common).


There is something wrong with the package names.

Also, the version in debian/changelog still contains git.

Hope that helps.


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Pending release of 2.1.9

2010-05-13 Thread Josip Rodin
On Thu, May 13, 2010 at 06:52:28PM +0200, Johan Meiring wrote:
 After building I end up with various packages.

 freeradius-common
 freeradius-mysql
 etc

 When building previous versions (tried 2.1.7), the packages were different.
 freeradius(note - no -common)
 freeradius-mysql
 etc

 I realise the official Debian packages have a freeradius and a
 freeradius-common, but the Debian packages built from source never had 
 a -common.

 When installing 2.1.9, I installed the -common instead of the non  
 -common one.  When trying to install freeradius-mysql afterwards, it  
 complained about not finding dependency freeradius (without -common).

 There is something wrong with the package names.

This was already changed in 2.1.8, actually.

Simply install *both* packages, like the dependencies tell you to...

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius privilege separation

2010-05-13 Thread Josip Rodin
On Thu, May 13, 2010 at 03:23:37PM +0200, Michał Dopierała wrote:
 Is it possible in FreeRADIUS to have one user who has full privilege level
 on one piece of equipment (one Cisco router, privilege lvl15), and a limited
 privilege level on other equipment (another router with a smaller privilege,
 e.g. lvl10, which will be configured on the router)?
 How do I separate them?
 My current configuration of users:
 
  mdopierala  Auth-Type := PAP, Crypt-Password = "passwrd"
              Service-Type = Administrative-User,
              Cisco-AVPair = "shell:priv-lvl=15",
              Brocade-Auth-Role = "Administrator"

Yes, just answer differently to each client (router) by assigning them to
different virtual hosts.

You can probably keep the authentication part in the users file if you want,
but you can move the repetitive part of the authorization to unlang.
Then your per-user attributes can be checked automatically with logic such
as:

if ("%{reply:Service-Type}" == "Login-User") {
    update reply {
        Cisco-AVPair = "shell:priv-lvl=1"
    }
}
elsif ("%{reply:Service-Type}" == "Administrative-User") {
    update reply {
        Cisco-AVPair = "shell:priv-lvl=15"
    }
}
else {
    reject
}

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
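Added example, not from the thread or the FreeRADIUS project itself: a complete 2.x layout of what the reply above describes, with each router bound to its own virtual server so the same user gets a different `priv-lvl` on each device. Virtual server names, the placeholder secrets and the choice of level 10 for the second router are assumptions for illustration.

```unlang
# Added example (not from the thread): per-device privilege levels in
# FreeRADIUS 2.x. Each client is bound to its own virtual server; the
# users file carries only authentication and the role, never the
# device-specific attribute. Names, secrets and lvl10 are assumptions.

# users: role only, no Cisco-AVPair here
#   mdopierala  Auth-Type := PAP, Crypt-Password = "passwrd"
#               Service-Type = Administrative-User

# clients.conf: a distinct secret per NAS, plus the virtual server that
# decides what this user may do on this particular device
client 192.168.1.1 {
    secret         = ROUTER1_SECRET_PLACEHOLDER
    shortname      = router1
    virtual_server = router1
}
client 192.168.1.2 {
    secret         = ROUTER2_SECRET_PLACEHOLDER
    shortname      = router2
    virtual_server = router2
}

# sites-enabled/router1: administrators get full access here
server router1 {
    authorize {
        files
        pap
        # 'files' has already loaded the user's reply items, so the role
        # is visible and the device-specific attribute can be added.
        if ("%{reply:Service-Type}" == "Administrative-User") {
            update reply {
                Cisco-AVPair := "shell:priv-lvl=15"
            }
        }
        else {
            reject
        }
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}

# sites-enabled/router2: the same administrator is capped at level 10
server router2 {
    authorize {
        files
        pap
        if ("%{reply:Service-Type}" == "Administrative-User") {
            update reply {
                Cisco-AVPair := "shell:priv-lvl=10"
            }
        }
        else {
            reject
        }
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}
```

Using `:=` in `update reply` overrides any `Cisco-AVPair` that may still be present in a user's entry, so a stale per-user attribute cannot re-grant level 15 on the restricted router. Giving each client its own shared secret (rather than the same value for all routers, as in the posted clients.conf) means a secret recovered from one device does not let requests be forged for the others.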


Re: Pending release of 2.1.9

2010-05-13 Thread Johan Meiring

On 2010/05/13 07:16 PM, Josip Rodin wrote:


Simply install *both* packages, like the dependencies tell you to...



OOPS...

Idiot mode.
I didn't look properly.

The one without -common *does* exist.

Apologies for time wasting..

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Fwd: SSL issues

2010-05-13 Thread Sergio Belkin
Hi,

I am using a radius-openldap-EAP/TTLS|EAP/PEAP scheme and I often get the
following error from a Windows 7 client trying to connect using EAP/PEAP.
The client lacked the CA cert, but I've found clients that are able to import it.
Finally the client connected using EAP/TTLS with SecureW2. But I wonder if there
was a problem with the client or there is a misconfiguration or a failing
certificate. Below is my data, thanks in advance!

/var/log/radius/radius.log

Thu May 13 11:18:07 2010 : Error: TLS Alert read:fatal:unknown CA
Thu May 13 11:18:07 2010 : Error: TLS_accept:failed in SSLv3 read client
certificate A
Thu May 13 11:18:07 2010 : Error: rlm_eap: SSL error error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Thu May 13 11:18:07 2010 : Error: SSL: SSL_read failed inside of TLS (-1),
TLS session fails.
Thu May 13 11:18:49 2010 : Error: TLS Alert read:fatal:unknown CA
Thu May 13 11:18:49 2010 : Error: TLS_accept:failed in SSLv3 read client
certificate A
Thu May 13 11:18:49 2010 : Error: rlm_eap: SSL error error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Thu May 13 11:18:49 2010 : Error: SSL: SSL_read failed inside of TLS (-1),
TLS session fails.

My radius Configuration:

FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on Oct 21
2008 at 15:14:37
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/status
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including 

freeradius with mysql failed

2010-05-13 Thread dorra aa

hi
I installed MySQL.

and I modified in /etc/freeradius/sql.conf:
readclients=yes

also, I uncommented in /etc/freeradius/radiusd.conf:
accounting
{
sql}
authorize
{...
sql}

I ran freeradius -X again:
but it seems to have failed because of sql; this is the output
[...]
 sql: postauth_query = INSERT into radpostauth (user, pass, reply, date) 
values ('%{User-Name}', '%{User-Password:-Chap-Password}', 
'%{reply:Packet-Type}', NOW())
 sql: safe-characters = 
@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to r...@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql_mysql: Couldn't connect socket to MySQL server r...@localhost:radius
rlm_sql_mysql: Mysql error 'Access denied for user 'root'@'localhost' (using 
password: YES)'
# but I checked it and it's OK, I have in sql.conf: sql{server = localhost
login = root
password = rootpass}
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.
#but I began by installing mysql-server and I added a user in the database
rlm_sql (sql): - generate_sql_clients
rlm_sql (sql): Query: SELECT * FROM nas
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
rlm_sql (sql): generate_sql_clients() returned error
rlm_sql (sql): Closing sqlsocket 4
rlm_sql (sql): Closing sqlsocket 3
rlm_sql (sql): Closing sqlsocket 2
rlm_sql (sql): Closing sqlsocket 1
rlm_sql (sql): Closing sqlsocket 0
radiusd.conf[14]: sql: Module instantiation failed. 
radiusd.conf[1860] Unknown module sql.
radiusd.conf[1789] Failed to parse authorize section. 

  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-13 Thread Zheng, Jiajia
Alan DeKok wrote:
 Zheng, Jiajia wrote:
 But as I mentioned that the same CA works fine with EAP-TTLS. Why it
 goes wrong with EAP-TLS? 
 
   EAP-TLS requires that the CA be authorized to sign client
 certificates.  See the certificate creation scripts in 2.1.8, they may
 have fixes for this.
 
Thanks! I'll have a try. 

bests, 
jiajia
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius-server-2.1.8

2010-05-13 Thread Mihamina Rakotomandimby
 dorra aa dj_dido2...@hotmail.com :
 and there is nothing in the output of radiusd -X

I think your computer is not clean and you can't figure out how to work
with it.
My advice:
- Take a clean Linux install
- Use the packages provided with the distribution
- Optionally, change school...

-- 
   Architecte Informatique chez Blueline/Gulfsat:
Administration Systeme, Recherche  Developpement
 +261 3456 000 19
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Pending release of 2.1.9

2010-05-13 Thread Alan DeKok
Johan Meiring wrote:
 There is a log of warnings though.
 Small subset says this.
 -
 dpkg-shlibdeps: warning: symbol radlog used by
 debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none
 of the libraries.

  It's in the server core.  There's no libfreeradius-server.so, though
perhaps there could be.

  In any case, the warnings are minor.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Pending release of 2.1.9

2010-05-13 Thread Alan DeKok
John Dennis wrote:
 It passes basic sanity checking. It builds, installs, and runs. I have
 tested with radtest and with each of the eapol_test scripts. I do not
 have a stress testing environment, I think others do and it would be
 good to hear from them.

  OK.

 The Changelog notes several feature additions. I thought this was a bug
 fix update only. In fairness some of the feature additions were in the
 area of documentation, that's great and I don't have a problem with
 features which do not change code and make it easier for users to use.
 But shouldn't the other features have been reserved for the 2.2.x branch
 and limit 2.1.9 to only bug fixes?

  The features are:

- show stats for detail files
  Arguably a bug that it wasn't there originally.
  Added because people ran into problems where they couldn't see
  what was going on with a detail file
  The control socket isn't enabled in the default install, either.

- documentation

- better DHCP Option 82 support
  Arguably a bug: DHCP servers need Option 82 support.
  This affects only people who use DHCP. (i.e. not many)

- enabled server in NAS table
  arguably a bug that it wasn't there a year ago.
  Only affects *new* installations who use SQL.

  For me, all of these fall into the "arguably a bug fix" area.  There
are no major code changes, and they will not affect existing systems.

 The one bug I was most concerned about I don't see specifically called
 out and I'm wondering what the disposition of that was. Sorry, but I'm
 going to be a little vague rather than citing a bug number. There was a
 problem reported by several people that resulted in a server crash and
 only seemed to appear under high load conditions after the server was up
 for a while. Alan said he was having a hard time reproducing it, that
 logically it seemed impossible from static code inspection, but
 acknowledged it was real because it had been reported often enough. Does
 that ring a bell? Does this update address that issue?

  Yes.  Bug #35.  There's a work-around which should help.

  I've run *billions* of packets through the server on the same machine
as people who claim to have problems.  I've been unable to reproduce the
issue.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html