Re: Starent NAS dictionary
Hi Alan,

Sorry, I saw that freeradius has a default dictionary for Starent equipment. I replaced the file without realizing (overwrote the files). I'll use the default dictionary.

Regards

On Thu, Jul 1, 2010 at 6:59 PM, Alan DeKok wrote:
> JOE wrote:
>> Hi all
>> Freeradius can't parse this dictionary. Fails with ' invalid keyword "MACRO"':
>
> Because it's not a dictionary suitable for FreeRADIUS.
>
> Could you explain why you're not using the starent dictionary that is
> *included* with FreeRADIUS?
>
>> I will try to replace the macro with the actual value
>
> The FreeRADIUS dictionary file format is documented. Simply
> "replacing" values won't be enough to convert the file formats. You
> need to understand the file format, too.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ntlm_auth fails for none domain
Hi,

It is the whole debug info. I think the problem is we could not get the default domain name "xjtu".

Listening on authentication address * port 1812
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.155.20.85 port 32807, id=118, length=125
    Service-Type = Authorize-Only
    NAS-Port-Type = Wireless-802.11
    User-Name = "hhe"
    MS-CHAP-Challenge = 0xd764c8cce93255c4478d7aa05d83f3ea
    MS-CHAP2-Response = 0x9c00a2b7249b043e23cd2866211bff3783d6924fed02a24dee7533a7b9af370e858e1b798d9151617838
    NAS-IP-Address = 10.155.20.85
+- entering group authorize {...}
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for hhe
[ldap]  expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=hhe)
[ldap]  expand: OU=Domain Controllers,dc=xjtu,dc=cn -> OU=Domain Controllers,dc=xjtu,dc=cn
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 10.155.3.250:389, authentication 0
[ldap] bind as h...@xjtu.cn/w2006njh to 10.155.3.250:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in OU=Domain Controllers,dc=xjtu,dc=cn, with filter (sAMAccountName=hhe)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user hhe authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for hhe with NT-Password
[mschap] No NT-Domain was found in the User-Name.
[mschap]  expand: --domain=%{mschap:NT-Domain:-xjtu} -> --domain=
[mschap]  expand: --username=%{mschap:User-Name:-None} -> --username=hhe
[mschap]  mschap2: d7
[mschap]  expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cf5ba32b520debdd
[mschap]  expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=924fed02a24dee7533a7b9af370e858e1b798d9151617838
Exec-Program output: No such user (0xc064)
Exec-Program-Wait: plaintext: No such user (0xc064)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 118 to 10.155.20.85 port 32807
    MS-CHAP-Error = "\234E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 118 with timestamp +33
Ready to process requests.

---
On Thu, Jul 1, 2010, Alan DeKok wrote:
From: Alan DeKok
Subject: Re: ntlm_auth fails for none domain
To: "FreeRadius users mailing list"
Date: Thu, Jul 1, 2010, 2:02 PM

John wrote:
> "xjtu" is our default domain, for users under this domain will only use
> username to authenticate to RADIUS. With 1.1.6, it will get "xjtu" as
> domain; But with 2.1.9, it will not, please see the debug info below.

You have deleted nearly all of the debug information, including the information we need to help you.

Alan DeKok.
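The debug output above carries the three signals an operator needs to triage this kind of failure: the `--domain=` expansion came out empty, `ntlm_auth` exited non-zero with "No such user (0xc064)", and the request ended in an Access-Reject carrying `MS-CHAP-Error` `E=691`. The script below is an added example (not FreeRADIUS code) that pulls those signals out of `radiusd -X` output per request and turns them into findings; the embedded sample is constructed from the thread's debug output, with the challenge/response lines left out.

```python
"""Triage helper for radiusd -X output when MS-CHAPv2 authentication through
ntlm_auth fails.  Added example, not FreeRADIUS code.  SAMPLE_DEBUG is
constructed from the debug output posted in the thread."""
import re

SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.155.20.85 port 32807, id=118, length=125
\tUser-Name = "hhe"
\tNAS-IP-Address = 10.155.20.85
[mschap] Told to do MS-CHAPv2 for hhe with NT-Password
[mschap] No NT-Domain was found in the User-Name.
[mschap] \texpand: --domain=%{mschap:NT-Domain:-xjtu} -> --domain=
[mschap] \texpand: --username=%{mschap:User-Name:-None} -> --username=hhe
Exec-Program output: No such user (0xc064)
Exec-Program-Wait: plaintext: No such user (0xc064)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Sending Access-Reject of id 118 to 10.155.20.85 port 32807
\tMS-CHAP-Error = "\\234E=691 R=1"
"""

REQ_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
USER_RE = re.compile(r'^\s*User-Name = "([^"]*)"')
# "[mschap]  expand: --domain=<template> -> --domain=<result>"
EXPAND_RE = re.compile(r"^\[mschap\]\s+expand: (--[a-z-]+)=(\S*) -> --[a-z-]+=(.*)$")
OUTPUT_RE = re.compile(r"^Exec-Program output: (.*)$")
RC_RE = re.compile(r"^Exec-Program: returned: (\d+)")
REJECT_RE = re.compile(r"^Sending Access-Reject of id (\d+) to (\S+) port (\d+)")
# The first byte inside the quotes is the MS-CHAP ident, printed as an octal escape.
ERR_RE = re.compile(r'^\s*MS-CHAP-Error = "(?:\\\d{3})?(E=\d+ R=\d)')


def findings_for(req):
    """Explain a failed request in terms an operator can act on."""
    notes = []
    if req["ntlm_args"].get("--domain") == "":
        notes.append(f"ntlm_auth was run with an empty --domain for user {req['user']!r}: "
                     f"the template {req['templates']['--domain']!r} expanded to nothing")
    if req["script_rc"] not in (None, 0):
        notes.append(f"ntlm_auth exited {req['script_rc']} with output {req['script_output']!r}")
    if req["rejected"] and req["mschap_error"]:
        code = req["mschap_error"].split()[0]           # e.g. E=691
        label = " (ERROR_AUTHENTICATION_FAILURE, RFC 2759)" if code == "E=691" else ""
        notes.append(f"Access-Reject sent with MS-CHAP-Error {code}{label}")
    return notes


def analyze(debug_text):
    """Split radiusd -X output into per-request records and flag ntlm_auth
    failures.  Returns a list of dicts, one per Access-Request seen."""
    requests, cur = [], None
    for line in debug_text.splitlines():
        if m := REQ_RE.match(line):
            cur = {"client": m.group(1), "id": int(m.group(3)), "user": None,
                   "ntlm_args": {}, "templates": {}, "script_output": None,
                   "script_rc": None, "rejected": False, "mschap_error": None,
                   "findings": []}
            requests.append(cur)
        elif cur is None:
            continue                                    # text before the first request
        elif m := USER_RE.match(line):
            cur["user"] = m.group(1)
        elif m := EXPAND_RE.match(line):
            arg, template, result = m.groups()
            cur["templates"][arg] = template
            cur["ntlm_args"][arg] = result
        elif m := OUTPUT_RE.match(line):
            cur["script_output"] = m.group(1)
        elif m := RC_RE.match(line):
            cur["script_rc"] = int(m.group(1))
        elif REJECT_RE.match(line):
            cur["rejected"] = True
        elif m := ERR_RE.match(line):
            cur["mschap_error"] = m.group(1)
    for req in requests:
        req["findings"] = findings_for(req)
    return requests


if __name__ == "__main__":
    for req in analyze(SAMPLE_DEBUG):
        print(f"request id={req['id']} from {req['client']} user={req['user']}")
        for note in req["findings"]:
            print("  -", note)
```

Run against a full `radiusd -X` capture, the first finding is the one worth acting on: when `--domain` is empty, the "No such user" from `ntlm_auth` is a consequence of the empty argument, not evidence that the account is missing.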
Re: radius proxy authentication problem with realm stripping for EAP
Thanks, Alan.

From: Alan DeKok
To: FreeRadius users mailing list
Sent: Thu, July 1, 2010 12:58:18 PM
Subject: Re: radius proxy authentication problem with realm stripping for EAP

Alex Myself wrote:
> Hi,
>
> I'm trying to configure free radius server as a proxy radius server with
> realm defined and strip option enabled.

Don't strip the user name.

> Authentication fails on
> external radius server when EAP is used. Without EAP authentication is
> fine.
>
> Any configuration option required for EAP to work (with realm stripping)?

EAP will work *only* without realm stripping.

Alan DeKok.
Re: radius proxy authentication problem with realm stripping for EAP
Alex Myself wrote:
> Hi,
>
> I'm trying to configure free radius server as a proxy radius server with
> realm defined and strip option enabled.

Don't strip the user name.

> Authentication fails on
> external radius server when EAP is used. Without EAP authentication is
> fine.
>
> Any configuration option required for EAP to work (with realm stripping)?

EAP will work *only* without realm stripping.

Alan DeKok.
RE: Failed disabling Core Dumps on RHEL - SELinux Updates
Will do, just wanted to verify.

Ben

> -----Original Message-----
> From: freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org
> [mailto:freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of John Dennis
> Sent: Wednesday, June 30, 2010 2:32 PM
> To: FreeRadius users mailing list
> Subject: Re: Failed disabling Core Dumps on RHEL - SELinux Updates
>
> On 06/30/2010 03:06 PM, Ben Wiechman wrote:
> > Despite the fact that this was against 2.1.9, not the freeradius2 rpm that
> > is available with RHEL?
>
> Yes. It's a policy problem and it needs to get fixed. We'll eventually
> ship 2.1.9 or the core dump fix back ported to an earlier version, it
> would be nice to know the SELinux policy would just support it when we
> do ship it. For those like yourself who built 2.1.9 wouldn't it be nice
> to know the SELinux policy supports it?
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
radius proxy authentication problem with realm stripping for EAP
Hi,

I'm trying to configure free radius server as a proxy radius server with realm defined and strip option enabled. Authentication fails on external radius server when EAP is used. Without EAP authentication is fine.

Any configuration option required for EAP to work (with realm stripping)?

Thanks,
Alex
Re: Starent NAS dictionary
JOE wrote:
> Hi all
> Freeradius can't parse this dictionary. Fails with ' invalid keyword "MACRO"':

Because it's not a dictionary suitable for FreeRADIUS.

Could you explain why you're not using the starent dictionary that is *included* with FreeRADIUS?

> I will try to replace the macro with the actual value

The FreeRADIUS dictionary file format is documented. Simply "replacing" values won't be enough to convert the file formats. You need to understand the file format, too.

Alan DeKok.
Starent NAS dictionary
Hi all

Freeradius can't parse this dictionary. Fails with ' invalid keyword "MACRO"':

##
# Starent Networks Dictionary for ST16
##
#
# Use the Radius specification attributes in lieu of the starent ones
#
#...@radius.dct
#
# Define additional starent parameters
# (add starent specific attributes below)

MACRO SN-VSA(t,v) 26 [vid=8164 type2=%t% len2=+4 data=%v%]

ATTRIBUTE SN-VPN-ID SN-VSA(1, integer) r
ATTRIBUTE SN-VPN-Name SN-VSA(2, string) r
ATTRIBUTE SN-Disconnect-Reason SN-VSA(3, integer)
VALUE SN-Disconnect-Reason Not-Defined 0
VALUE SN-Disconnect-Reason Admin-Disconnect 1
VALUE SN-Disconnect-Reason Remote-Disconnect 2
VALUE SN-Disconnect-Reason Local-Disconnect 3
VALUE SN-Disconnect-Reason Disc-No-Resource 4
VALUE SN-Disconnect-Reason Disc-Excd-Service-Limit 5
VALUE SN-Disconnect-Reason PPP-LCP-Neg-Failed 6
VALUE SN-Disconnect-Reason PPP-LCP-No-Response 7
VALUE SN-Disconnect-Reason PPP-LCP-Loopback 8
VALUE SN-Disconnect-Reason PPP-LCP-Max-Retry 9
VALUE SN-Disconnect-Reason PPP-Echo-Failed 10
VALUE SN-Disconnect-Reason PPP-Auth-Failed 11
VALUE SN-Disconnect-Reason PPP-Auth-Failed-No-AAA-Resp 12
VALUE SN-Disconnect-Reason PPP-Auth-No-Response 13
VALUE SN-Disconnect-Reason PPP-Auth-Max-Retry 14
VALUE SN-Disconnect-Reason Invalid-AAA-Attr 15
VALUE SN-Disconnect-Reason Failed-User-Filter 16
VALUE SN-Disconnect-Reason Failed-Provide-Service 17
VALUE SN-Disconnect-Reason Invalid-IP-Address-AAA 18
VALUE SN-Disconnect-Reason Invalid-IP-Pool-AAA 19
VALUE SN-Disconnect-Reason PPP-IPCP-Neg-Failed 20
VALUE SN-Disconnect-Reason PPP-IPCP-No-Response 21
VALUE SN-Disconnect-Reason PPP-IPCP-Max-Retry 22
VALUE SN-Disconnect-Reason PPP-No-Rem-IP-Address 23
VALUE SN-Disconnect-Reason Inactivity-Timeout 24
VALUE SN-Disconnect-Reason Session-Timeout 25
VALUE SN-Disconnect-Reason Max-Data-Excd 26
VALUE SN-Disconnect-Reason Invalid-IP-Source-Address 27
VALUE SN-Disconnect-Reason MSID-Auth-Failed 28
VALUE SN-Disconnect-Reason MSID-Auth-Fauiled-No-AAA-Resp 29
VALUE SN-Disconnect-Reason A11-Max-Retry 30
VALUE SN-Disconnect-Reason A11-Lifetime-Expired 31
VALUE SN-Disconnect-Reason A11-Message-Integrity-Failure 32
VALUE SN-Disconnect-Reason PPP-lcp-remote-disc 33
VALUE SN-Disconnect-Reason Session-setup-timeout 34
VALUE SN-Disconnect-Reason PPP-keepalive-failure 35
VALUE SN-Disconnect-Reason Flow-add-failed 36
VALUE SN-Disconnect-Reason Call-type-detection-failed 37
VALUE SN-Disconnect-Reason Wrong-ipcp-params 38
VALUE SN-Disconnect-Reason MIP-remote-dereg 39
VALUE SN-Disconnect-Reason MIP-lifetime-expiry 40
VALUE SN-Disconnect-Reason MIP-proto-error 41
VALUE SN-Disconnect-Reason MIP-auth-failure 42
VALUE SN-Disconnect-Reason MIP-reg-timeout 43
VALUE SN-Disconnect-Reason Invalid-dest-context 44
VALUE SN-Disconnect-Reason Source-context-removed 45
VALUE SN-Disconnect-Reason Destination-context-removed 46
VALUE SN-Disconnect-Reason Req-service-addr-unavailable 47
VALUE SN-Disconnect-Reason Demux-mgr-failed 48
VALUE SN-Disconnect-Reason Internal-error 49
ATTRIBUTE SN-PPP-Progress-Code SN-VSA(4, integer)
VALUE SN-PPP-Progress-Code Not-Defined 0
VALUE SN-PPP-Progress-Code Call-Lcp-Down 1
VALUE SN-PPP-Progress-Code Call-Disconnecting
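The file above is in a MACRO-based dictionary format, not FreeRADIUS's. As the reply in this thread says, replacing the macro text is not enough; the converter has to understand what the macro encodes. The `MACRO` line says every `SN-VSA` attribute is carried in RADIUS attribute 26 (Vendor-Specific) with vendor id 8164, a 2-byte vendor type field (`type2=%t%`) and a 2-byte vendor length field (`len2=+4`), the first macro argument being the attribute number and the second its data type. FreeRADIUS expresses exactly that with `VENDOR <name> <id> format=2,2` followed by a `BEGIN-VENDOR`/`END-VENDOR` block of plain `ATTRIBUTE name number type` lines. The script below is an added example (not FreeRADIUS project code) that parses the macro format and emits the FreeRADIUS form; the vendor name `Starent` is an assumption taken from the header comment, and the sample input is constructed from the fragment posted here with its whitespace restored. The first thing to do with the output is diff it against the `dictionary.starent` that ships with FreeRADIUS.

```python
"""Convert a Starent ST16 MACRO-style RADIUS dictionary into FreeRADIUS
dictionary syntax (VENDOR / BEGIN-VENDOR / ATTRIBUTE / VALUE / END-VENDOR).
Added example, not FreeRADIUS project code.  The vendor name "Starent" is an
assumption taken from the file's header comment; SAMPLE_STARENT_DICT is
constructed from the fragment posted to the list."""
import re

SAMPLE_STARENT_DICT = """\
##
# Starent Networks Dictionary for ST16 (constructed sample)
##
MACRO SN-VSA(t,v) 26 [vid=8164 type2=%t% len2=+4 data=%v%]
ATTRIBUTE SN-VPN-ID SN-VSA(1, integer) r
ATTRIBUTE SN-VPN-Name SN-VSA(2, string) r
ATTRIBUTE SN-Disconnect-Reason SN-VSA(3, integer)
VALUE SN-Disconnect-Reason Not-Defined 0
VALUE SN-Disconnect-Reason Admin-Disconnect 1
VALUE SN-Disconnect-Reason Remote-Disconnect 2
ATTRIBUTE SN-PPP-Progress-Code SN-VSA(4, integer)
VALUE SN-PPP-Progress-Code Not-Defined 0
"""

# Data types spelled the same way in both formats.
FR_TYPES = {"integer", "string", "ipaddr", "octets", "date"}

MACRO_RE = re.compile(r"^MACRO\s+(\S+?)\((.*?)\)\s+(\d+)\s+\[(.*)\]\s*$")
ATTR_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\S+?)\((.*?)\)\s*(\S*)\s*$")
VALUE_RE = re.compile(r"^VALUE\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_macro(match):
    """Extract from a MACRO line what FreeRADIUS needs: the vendor id, the
    byte widths of the vendor type and length fields (type2/len2 -> 2 bytes
    each), and which macro parameter supplies the attribute number and which
    supplies the data type."""
    name, params, attr, body = match.groups()
    if attr != "26":
        raise ValueError(f"{name}: only Vendor-Specific (26) macros are handled")
    info = {"name": name, "params": [p.strip() for p in params.split(",")],
            "type_width": 1, "len_width": 1}
    for token in body.split():
        key, _, val = token.partition("=")
        if key == "vid":
            info["vendor_id"] = int(val)
        elif key.startswith("type"):              # e.g. type2=%t%
            info["type_width"] = int(key[4:] or 1)
            info["number_param"] = val.strip("%")
        elif key.startswith("len"):               # e.g. len2=+4
            info["len_width"] = int(key[3:] or 1)
        elif key == "data":                       # e.g. data=%v%
            info["type_param"] = val.strip("%")
    for needed in ("vendor_id", "number_param", "type_param"):
        if needed not in info:
            raise ValueError(f"{name}: macro body lacks {needed}")
    return info


def convert(text, vendor_name="Starent"):
    """Return the FreeRADIUS dictionary as a list of lines.  Unknown lines and
    VALUEs for undefined or non-integer attributes raise rather than being
    passed through silently."""
    macro, attrs, out = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := MACRO_RE.match(line):
            if macro is not None:
                raise ValueError("one vendor macro per file is supported here")
            macro = parse_macro(m)
            out.append(f"VENDOR {vendor_name} {macro['vendor_id']} "
                       f"format={macro['type_width']},{macro['len_width']}")
            out.append(f"BEGIN-VENDOR {vendor_name}")
        elif m := ATTR_RE.match(line):
            name, macro_name, args, _flag = m.groups()
            if macro is None or macro_name != macro["name"]:
                raise ValueError(f"{name}: unknown macro {macro_name}")
            # Bind the call's arguments to the macro's parameter names (t, v).
            bound = dict(zip(macro["params"], (a.strip() for a in args.split(","))))
            number = int(bound[macro["number_param"]])
            dtype = bound[macro["type_param"]]
            if dtype not in FR_TYPES:
                raise ValueError(f"{name}: unsupported data type {dtype}")
            # The trailing "r" flag has no FreeRADIUS equivalent and is dropped.
            attrs[name] = dtype
            out.append(f"ATTRIBUTE {name} {number} {dtype}")
        elif m := VALUE_RE.match(line):
            attr, vname, num = m.groups()
            if attrs.get(attr) != "integer":
                raise ValueError(f"VALUE {vname}: {attr} is not a defined integer attribute")
            out.append(f"VALUE {attr} {vname} {num}")
        else:
            raise ValueError(f"unrecognised line: {line}")
    if macro is not None:
        out.append(f"END-VENDOR {vendor_name}")
    return out


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_STARENT_DICT)))
```

The converter refuses anything it does not understand instead of guessing: a VALUE for an attribute that was never defined, a data type outside the common set, or a second macro. A dictionary that loads but encodes the wrong type or length width silently breaks VSA parsing, so erroring early is the safer failure mode.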
Re: Detail accounting by REalm
BELLIERE Eric wrote:
> But what do you mean by " You can use the Realm name in the detail
> filename. That's why the
> filename is configurable in the "detail" module."?

What part of that is unclear? If I could say it another way, I would have said it another way.

Do you know what I meant by the "detail filename"? Do you know what I meant by "configurable in the detail module"?

Alan DeKok.
Re: Detail accounting by REalm
Message: 3
Date: Wed, 30 Jun 2010 16:47:45 +0200
From: Alan DeKok
Subject: Re: Detail accounting by REalm
To: FreeRadius users mailing list
Message-ID: <4c2b5911.8060...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

BELLIERE Eric wrote:
> Now I am trying to make a file by realm proxied.

You can use the Realm name in the detail filename. That's why the filename is configurable in the "detail" module.

> I have tried this and it works but I need to specify the exact realm.
>
> Is there a way to configure an expression here?

$ man unlang

> I would like to make an expression to replace abc.be and abcnet.be so
> only one line is necessary (like realm == "~abc$") ?

See the above "man" page. You can use a regex.

Alan DeKok.

Ok thanks

It is working with REGEX.

But what do you mean by " You can use the Realm name in the detail filename. That's why the filename is configurable in the "detail" module."?

Thanks

Eric Bellière