RE: freeradius and ADSL-Agent-Circuit-Id
> Tim Sylvester wrote: > > Try the following: > > > > Add this to the top of the Authorize section: > > > > > > if ADSL-Agent-Circuit-Id { > > update request { > > User-Name := "%{ADSL-Agent-Circuit-Id}" > > User-Password := "%{ADSL-Agent-Circuit-Id}" > > } > > } > > > > > > Thank you for taking the time to provide this detailed example. I > should have included the previous thread where this was suggested and > that it 'works', but also that it creates a security hole in that an > end user could simply set their user name and password to be the same as a > Circuit-Id, thereby taking advantage of a 'known passwords' if anyone > knows what my circuit id's look like. No. You should have read my message in more detail. If you look at the example below, you will see that if someone tries to use a Username/Password with the Circuit-Id, the authentication will fail. The second entry for in the radcheck table requires that both the username/password and the username/ADSL-Agent-Circuit-Id are required. > The task is to set things up so that _only_ in the event that the > request contains an actual ADSL-Agent-Circuit-Id attribute, that I > don't bother trying to do chap/pap, but instead I pull everything (Including > Access-Accept) from the database indexed by ADSL-Agent-Circuit-Id. If > there is no such attribute, then just proceed as normal. I can use sql > to get a truth value wether the circuit-id is present in a non-default > table, and I can use unlang to update the control with "Auth-Type := > Accept". This works and results in 'access accept' to the client. But, > it does not get me anyway to pull attributes specific to this id and > return them to the client. My configuration will allow you to do what you want. Try it before dismissing it. > What I was talking about was perhaps using the presence of > ADSL-Agent-Circuit-Id to decide whether to proxy the request to another > virtual server. I could configure this virtual server to listen on > loopback so the only way to consult it is thru the proxy, and I could > configure the sql query used on THIS server to peform the authorization > query. This seperation would give me the abillity to either engage > chap/pap or not based on presence of the attribute, instead of simply > overwriting the attribute values which doesn't address my security > concerns. I'm still looking for a good method to accomplish this. You are welcome to try your much more complicated method. Or you could re-read my message and perform some actual tests before responding in e-mail. Tim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius and ADSL-Agent-Circuit-Id
Tim Sylvester wrote: Try the following: Add this to the top of the Authorize section: if ADSL-Agent-Circuit-Id { update request { User-Name := "%{ADSL-Agent-Circuit-Id}" User-Password := "%{ADSL-Agent-Circuit-Id}" } } Thank you for taking the time to provide this detailed example. I should have included the previous thread where this was suggested and that it 'works', but also that it creates a security hole in that an end user could simply set their user name and password to be the same as a Circuit-Id, thereby taking advantage of a 'known passwords' if anyone knows what my circuit id's look like. The task is to set things up so that _only_ in the event that the request contains an actual ADSL-Agent-Circuit-Id attribute, that I don't bother trying to do chap/pap, but instead I pull everything (Including Access-Accept) from the database indexed by ADSL-Agent-Circuit-Id. If there is no such attribute, then just proceed as normal. I can use sql to get a truth value wether the circuit-id is present in a non-default table, and I can use unlang to update the control with "Auth-Type := Accept". This works and results in 'access accept' to the client. But, it does not get me anyway to pull attributes specific to this id and return them to the client. What I was talking about was perhaps using the presence of ADSL-Agent-Circuit-Id to decide whether to proxy the request to another virtual server. I could configure this virtual server to listen on loopback so the only way to consult it is thru the proxy, and I could configure the sql query used on THIS server to peform the authorization query. This seperation would give me the abillity to either engage chap/pap or not based on presence of the attribute, instead of simply overwriting the attribute values which doesn't address my security concerns. I'm still looking for a good method to accomplish this. Mike- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
send radius response without request
Is it possible to have FreeRADIUS send a radius response without first receiving a request, provided I can feed it the same information the request would have? OR Is it possible for FreeRADIUS to see the request come from one host and have the response go to another? Jake Sallee Godfather Of Bandwidth Network Engineer Fone: 254-295-4658 Phax: 254-295-4221 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: freeradius and ADSL-Agent-Circuit-Id
Try the following: Add this to the top of the Authorize section: authorize { if ADSL-Agent-Circuit-Id { update request { User-Name := "%{ADSL-Agent-Circuit-Id}" User-Password := "%{ADSL-Agent-Circuit-Id}" } } Then, add the Circuit-IDs to radcheck: mysql> select * from radcheck where username = "circuit-123"; ++-+---++-+ | id | username| attribute | op | value | ++-+---++-+ | 226536 | circuit-123 | ADSL-Agent-Circuit-Id | == | circuit-123 | | 226537 | circuit-123 | Cleartext-Password| := | circuit-123 | ++-+---++-+ 2 rows in set (0.00 sec) Then run a test to make sure that when using the Circuit-Id to authenticate the device, the ADSL-Agent-Circuit-Id must be in the request. [r...@sparky performance]# cat circuit-id.rad User-Name = "test" User-Password = "FreeRADIUS" User-Name = "circuit-123" User-Password = "circuit-123" User-Name = "" ADSL-Agent-Circuit-Id ="circuit-123" User-Name = "void" ADSL-Agent-Circuit-Id ="circuit-123" [r...@sparky performance]# [r...@sparky performance]# radclient -f circuit-id.rad localhost auth FreeRADIUS Received response ID 81, code 2, length = 20 Received response ID 165, code 3, length = 20 Received response ID 157, code 2, length = 20 Received response ID 119, code 2, length = 20 [r...@sparky performance]# Tim > -Original Message- > From: freeradius-users- > bounces+tim.sylvester=networkradius@lists.freeradius.org > [mailto:freeradius-users- > bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf > Of Mike > Sent: Wednesday, July 28, 2010 3:37 PM > To: FreeRadius users mailing list > Subject: Re: freeradius and ADSL-Agent-Circuit-Id > > > > Johan Meiring wrote: > > On 2010/07/21 11:00 AM, Alan DeKok wrote: > >> > >> authorize { > >> ... > >> if (ADSL-Agent-Circuit-Id&& \ > >> ("%{sql: select ...}")) { > >> update control { > >> Auth-Type := Accept > >> } > >> > >> } > >> else { > >> reject > >> } > >> > >> } > >> > > > > I disagree with the logic slightly. > > In my opinion it will also be rejected if ADSL-Agent-Circuit-Id does > > not exist. > > > > As fas as I understand, the desireable result is: > > If the ADSL-Agent-Circuit-Id does *not* exist, normal authentication > > must happen. > > If it *does* exist, accept or reject, depending on its value. > > > > Would this not work better? > > > > authorize { > > ... > > if (ADSL-Agent-Circuit-Id) { > > if ("%{sql: select ...}") { > > update control { > > Auth-Type := Accept > > } > > } > > else { > > reject > > } > > } > > } > > > > > > > I have been attempting to implement this advice. I can use a 'select > count(*)' sql query and based on wether the value is 1, I can then set > Auth-Type := Accept just like it's written above. But, there's > additional processing that is desireable that I just can't figure out > how to do here. Instead of just blindly setting Accept, I might want to > proceed with having the sql module do group processing and so forth to > finally accumulate all of the reply attributes that apply to this > request. Maybe that reply is 'Auth-Type := Reject" but then others > contain 'Accept' along with framed-ip-address and so forth. This would > involve using a modified sql query in the event that > ADSL-Agent-Circuit-Id is present, and there doesn't appear to be any > way > at run time to make that selection. > > I am getting the impression that perhaps I need to run maybe a second > server that has it's sql configured with queries tailored for the > presence of this attribute, and then proxy requests from the primary > server to this one in this case. I could probably run it on lookback on > another port so that the radius clients don't have to know anything > about it. Still it's a bit of work but that seems to be the only way > possible to make sql query one database if the attribute is present, > and > query another if it's not (or, use different queries). > > Would love more insight if anyone cares to share. > > Thank you. > > > > > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius and ADSL-Agent-Circuit-Id
Johan Meiring wrote: On 2010/07/21 11:00 AM, Alan DeKok wrote: authorize { ... if (ADSL-Agent-Circuit-Id&& \ ("%{sql: select ...}")) { update control { Auth-Type := Accept } } else { reject } } I disagree with the logic slightly. In my opinion it will also be rejected if ADSL-Agent-Circuit-Id does not exist. As fas as I understand, the desireable result is: If the ADSL-Agent-Circuit-Id does *not* exist, normal authentication must happen. If it *does* exist, accept or reject, depending on its value. Would this not work better? authorize { ... if (ADSL-Agent-Circuit-Id) { if ("%{sql: select ...}") { update control { Auth-Type := Accept } } else { reject } } } I have been attempting to implement this advice. I can use a 'select count(*)' sql query and based on wether the value is 1, I can then set Auth-Type := Accept just like it's written above. But, there's additional processing that is desireable that I just can't figure out how to do here. Instead of just blindly setting Accept, I might want to proceed with having the sql module do group processing and so forth to finally accumulate all of the reply attributes that apply to this request. Maybe that reply is 'Auth-Type := Reject" but then others contain 'Accept' along with framed-ip-address and so forth. This would involve using a modified sql query in the event that ADSL-Agent-Circuit-Id is present, and there doesn't appear to be any way at run time to make that selection. I am getting the impression that perhaps I need to run maybe a second server that has it's sql configured with queries tailored for the presence of this attribute, and then proxy requests from the primary server to this one in this case. I could probably run it on lookback on another port so that the radius clients don't have to know anything about it. Still it's a bit of work but that seems to be the only way possible to make sql query one database if the attribute is present, and query another if it's not (or, use different queries). Would love more insight if anyone cares to share. Thank you. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Another LDAP/RADIUS integration problem.
Grr, off on a goose chase. Problem isn't in rlm_pap.c, but rlm_ldap.c. rlm_ldap only likes the Cleartext-Password and User-Password attributes. Would it be a bad thing to patch rlm_ldap.c to also work with Password-With-Header? If not, then I guess I'll have to use User-Password in the ldap dictionary and live with the suggestion message in debug output. !!! !!!Replacing User-Password in config items with Cleartext-Password. !!! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!! Thanks! Tom On 07/28/2010 11:59 AM, Tom Leach wrote: Alan, changing from User-Password to Password-With-Header brought back the 'No "known good" password' error. I'm going through the rlm_pap.c code to try to see what's going on here. I haven't found any docs yet on what the various mapping possibilities are and what they do. Do you have a pointer to any so I don't keep bugging you and the list? I agree with the 'get it work, then tune it' approach. That's where I'm at now. It's working, I'm just trying to make all the messages go away :) Thanks! Tom Here is a snippet from radiusd -X: [ldap-server1] Added Crypt-Password = 4gOgBZqZgtwIw in check items [ldap-server1] looking for check items in directory... [ldap-server1] userPassword -> Password-With-Header == "{crypt}4gOgBZqZgtwIw" [ldap-server1] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap-server1] user testuser authorized to use remote access Date: Tue, 27 Jul 2010 09:00:23 +0200 From: Alan DeKok Subject: Re: Another LDAP/RADIUS integration problem. To: FreeRadius users mailing list Message-ID: <4c4e8407.3030...@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1 Tom Leach wrote: Alan, I changed the ldap.attrmap file from "checkItem Crypt-Password userPassword" to "checkItem User-Password userPassword" and it's authenticating now, but I now have a new message in the debug output and I'm not sure if it's a problem, suggestion, or otherwise. It's a suggestion. But the first step was to get it to work. I can't change the LDAP directory to contain actual cleartext passwords, so it may just be something that I have to live with. Change the mapping in ldap.attrmap to: checkItem Password-With-Header userPassword That should *still* work, and will remove the warning. The process here is to first get it to work, and then get it to work better. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius-Users Digest, Vol 63, Issue 95
Alan, changing from User-Password to Password-With-Header brought back the 'No "known good" password' error. I'm going through the rlm_pap.c code to try to see what's going on here. I haven't found any docs yet on what the various mapping possibilities are and what they do. Do you have a pointer to any so I don't keep bugging you and the list? I agree with the 'get it work, then tune it' approach. That's where I'm at now. It's working, I'm just trying to make all the messages go away :) Thanks! Tom Here is a snippet from radiusd -X: [ldap-server1] Added Crypt-Password = 4gOgBZqZgtwIw in check items [ldap-server1] looking for check items in directory... [ldap-server1] userPassword -> Password-With-Header == "{crypt}4gOgBZqZgtwIw" [ldap-server1] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap-server1] user testuser authorized to use remote access Date: Tue, 27 Jul 2010 09:00:23 +0200 From: Alan DeKok Subject: Re: Another LDAP/RADIUS integration problem. To: FreeRadius users mailing list Message-ID: <4c4e8407.3030...@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1 Tom Leach wrote: Alan, I changed the ldap.attrmap file from "checkItem Crypt-Password userPassword" to "checkItem User-Password userPassword" and it's authenticating now, but I now have a new message in the debug output and I'm not sure if it's a problem, suggestion, or otherwise. It's a suggestion. But the first step was to get it to work. I can't change the LDAP directory to contain actual cleartext passwords, so it may just be something that I have to live with. Change the mapping in ldap.attrmap to: checkItem Password-With-Header userPassword That should *still* work, and will remove the warning. The process here is to first get it to work, and then get it to work better. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Solaris 10 1.13 FreeRadius
Will LDAP failover work on Solaris 10 with FreeRadius 1.1.3 ? This is the default that comes with Solaris or do we need to upgrade FreeRadius. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Passing variables from inner tunnel
HI, Since I need to have the LDAP-UserDn in the post-auth section of the default-server is there a way to execute a LDAP query in this part? Jean -- View this message in context: http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29287788.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Passing variables from inner tunnel
Hi, I think I understand the problem here, there are multiple request done to freeradius in the process of authenticating the user and since I'm trying to access the variable that was set in the previous request it is simply empty... Jean -- View this message in context: http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29287687.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Passing variables from inner tunnel
newtownz wrote: > Hi, > > Thank your for your answer. > >> Just return User-Name in the reply and do a repeat LDAP query on your >> outer layer; doing a 'cn' lookup should be instantaneous... > > I'm a little puzzled on how to accomplish this! In the "inner-tunnel" virtual server: authorize { ... update reply { User-Name = "foo" } ... } Also, be aware that EAP does multiple round trips. If you update "outer.control" in one packet, that value is *not* available to the next packet in the stream. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Proxying creates 200 Attributes resulting in DoS warning
Marius Pesé wrote: > After spending some more time on our FreeRadius2 project it managed once > again to leave me clueless. The error message: > > WARNING: Possible DoS attack from host 196.25.xxx.xx: Too many attributes in > request (received 201, max 200 are allowed). See the "security" section of radiusd.conf. > Googleing showed that it most likely is the result of a mis-configuration in > proxy.conf. You are very likely proxying packets FROM the server TO itself, in an infinite loop. Stop that. > This is our proxy.conf without comments: Have you tried running the server in debugging mode? Do you see it proxying packets to itself in an endless loop? Does the debug log show WHY the packets were proxied? If the packets really do have more than 200 real attributes, edit radiusd.conf to allow this. If the packets have dozens of "Proxy-State" attributes, you've misconfigured the server and broken it. Configure to proxy packets to *other* RADIUS servers, not to itself. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Proxying creates 200 Attributes resulting in DoS warning
After spending some more time on our FreeRadius2 project it managed once again to leave me clueless. The error message: WARNING: Possible DoS attack from host 196.25.xxx.xx: Too many attributes in request (received 201, max 200 are allowed). Googleing showed that it most likely is the result of a mis-configuration in proxy.conf. This is our proxy.conf without comments: proxy server { default_fallback = no } home_server copy-acct-to-home-server-B { type = acct ipaddr = 196.25.xxx.xx port = 1646 secret = xx } home_server_pool my_acct_failover { type = fail-over home_server = copy-acct-to-home-server-B } realm DEFAULT { acct_pool = my_acct_failover } realm LOCAL { } Might look a bit odd because we played around for quite a bit. Who can spot the fatal error? Thanks Marius - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Passing variables from inner tunnel
Hi, Thank your for your answer. >Just return User-Name in the reply and do a repeat LDAP query on your >outer layer; doing a 'cn' lookup should be instantaneous... I'm a little puzzled on how to accomplish this! Regards Jean -- View this message in context: http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29286932.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Error: ASSERT FAILED threads.c[406]
On Jul 26, 2010, at 8:00 PM, Meyers, Dan wrote: > and what's happening in > the perl is still something I need to investigate (and is probably > thread related), or should the fix also stop me getting unresponsive > children in the perl accounting method? Using threaded perl with DB is a little tricky. You have to use for each perl thread his own separate connection to DB. You can achieve this by using sub CLONE {} which is calling on every new thread creation, or you just can use perl without threads. Best Regards, Boian Jordanov Head of Voice Department tel. +359 2 4004 723 tel. +359 2 4004 002 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Passing variables from inner tunnel
Hi, newtownz wrote: > > I'm trying to pass the value of LDAP-UserDn from the inner-tunnel > to the default server. I have read unlang and also tried many combinations > including update outer.control from the inner tunnel and nothing worked... > I'm pretty sure I saw this too and (was some time back) a glance over the source code gave me the impression that anything in the FreeRADIUS internal dictionary gets lost. > Here is a debug output where we can see that the User-Dn get expanded > correctly in the tunnel but is empty in the default server. > Just return User-Name in the reply and do a repeat LDAP query on your outer layer; doing a 'cn' lookup should be instantaneous...if it is not you have other bigger problems[1]. Cheers [1] obviously scalability and transaction time is not a problem as you are Exec-Program-Wait'ing a PHP script ;) -- Alexander Clouter .sigmonster says: Pretend to spank me -- I'm a pseudo-masochist! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: incorrect auth-type
Sallee, Stephen (Jake) wrote: > You will see that the user is found and authenticated by the > "ntlm_auth_Cru" module, however the user is still rejected bec the > server says no auth-type was configured for the request. Any help is > appreciated. Yes, because you didn't put the configuration into the right place. > I have the following lines in my users file: > - > DEFAULT Auth-Type := ntlm_auth > Fall-Through = Yes > - > > I also have the following in my radius.conf: Where? The location is important. You can't just put random text into random places, and expect it to do what you want. > Here is the debug output: From "-Xx". Please use *just* "-X', as suggested everywhere. Following basic instructions is the first step to fixing the problem. > -- > rad_recv: Access-Request packet from host 10.2.1.75 port 46841, id=239, > length=51 > User-Name = "image" > User-Password = "image" > NAS-IP-Address = 10.2.1.75 > Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...} > Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok > Tue Jul 27 13:01:03 2010 : Info: ++- entering group ntlm_auth {...} Hmm... you put the *authentication* configuration into the *authorization* section. Why? See my web page for the *correct* configuration: http://deployingradius.com/documents/configuration/active_directory.html And you *deleted* "files" from the "authorize" section. This means that the "users" file entry you posted above does *nothing*. > PS: I know it is not best practice to specify the default auth-type but > this is a single purpose server and I know what types of requests are > going to come to it, anything other than what I want should be > discarded. (1) don't butcher the configuration. (2) Follow the documentation If you want to use the fail-over configuration for 2 versions of ntlm_auth, read my web page and follow the instructions. Then, where it says to list "ntlm_auth" in the "authenticate" section, *instead*, put: Auth-Type ntlm_auth { group { ntlm_auth_Cru { reject = 1 ok = return } ntlm_auth_UMHB { reject = 1 ok = return } } } That should work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius-Users Digest, Vol 63, Issue 97
Please use proper etiquette on this list. Do not reply to digests (it plays havoc with threading). Do properly quote relevant material and trim the irrelevant material. Thank you. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: /etc/freeradius/radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812
--- Pada Rab, 28/7/10, Alan Buxey menulis: > Dari: Alan Buxey > Judul: Re: /etc/freeradius/radiusd.conf[236]: Error binding to port for > 0.0.0.0 port 1812 > Kepada: "FreeRadius users mailing list" > > Cc: "Edi Sujono" > Tanggal: Rabu, 28 Juli, 2010, 6:01 PM > Hi, > > > Failed binding to socket: Address already in use > > /etc/freeradius/radiusd.conf[236]: Error binding to > port for 0.0.0.0 port 1812 > > fairly obvious - somethings already running on that port. > suggest that > the system is already starting the daemon... use the system > scripts to stop > the process (eg /etc/init.d/freeradius2 > stop or such) or killall > radiusd > > netatst -anp | grep 1812 > > will show the name of the process using port 1812 > > > once nothing is on that port, you can use it with radiusd > -X > > > alan > - Yes... thank you Alan, my freeradius is now running. thanks & best regards Edi - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: /etc/freeradius/radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812
Hi, > Failed binding to socket: Address already in use > /etc/freeradius/radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812 fairly obvious - somethings already running on that port. suggest that the system is already starting the daemon... use the system scripts to stop the process (eg /etc/init.d/freeradius2 stop or such) or killall radiusd netatst -anp | grep 1812 will show the name of the process using port 1812 once nothing is on that port, you can use it with radiusd -X alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
/etc/freeradius/radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812
Dear sir, I had installed freeradius on ubuntu 9.04, but got an error when applying the command : freeradius -X the result of freeradius -X command as per attachement file. Your attention and help would be highly appreciated. Thanks & best regards, Edi Sujono FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Apr 30 2009 at 07:22:56 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/sql.conf including configuration file /etc/freeradius/sql/mysql/dialup.conf including configuration file /etc/freeradius/sql/mysql/counter.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" shortname = "localhost" nastype = "other" } radiusd: Loading Realms and Home Servers proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_o
Re: Freeradius-Users Digest, Vol 63, Issue 97
I constently get this error: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user why? On 07/28/2010 08:07 AM, freeradius-users-requ...@lists.freeradius.org wrote: Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-requ...@lists.freeradius.org You can reach the person managing the list at freeradius-users-ow...@lists.freeradius.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..." Today's Topics: 1. Re: SV: FR proxy to ACS and NPS with MS CHAP v2 (SagiBarOr) 2. RHDS (Natr Brazell) 3. RE: Bug #17 (MS-CHAP user names) (Garber, Neal) 4. incorrect auth-type (Sallee, Stephen (Jake)) 5. Re: RHDS (John Dennis) 6. coa proxy'ing with a NAC device (Kevin Ehlers) 7. Passing variables from inner tunnel (newtownz) -- Message: 1 Date: Tue, 27 Jul 2010 04:12:16 -0700 (PDT) From: SagiBarOr Subject: Re: SV: FR proxy to ACS and NPS with MS CHAP v2 To: freeradius-users@lists.freeradius.org Message-ID:<29275298.p...@talk.nabble.com> Content-Type: text/plain; charset=UTF-8 Thank you for the info Jan. The radiusd-x files were included in the zip files. Though I guess the other logs were overwhelming. I now posted the two log files here. The file cn-check_splitauth.log is from the first free radius. The file ldap_mschapv2.log is from the second FR server which does the MS CHAP v2 portion. Note that everything works in this confioguration. No issues. What I like the forum to advise, is what might be non std or missing in the MC CHAP v2 session, which FR overcomes it. When I replace the 2nd FR with MS NPS or Cisco NPS the authentication fails, looks like because the pwd (hash) does not match. Thnks Sagi Madsen.Jan JMD wrote: I think you need to stop the radius process and then start i with radiusd -X This will run freeradius in the window you are starting it in, in debug mode. On a Linux it will look something like this /usr/sbin/freeradius -X (Default Debian install directory) Or in a manually compiled /opt/freeradius-1.1.8/sbin/radiusd -X (My install location) And that output it comes from that is what Phil wants :) Best regards Jan Madsen -Oprindelig meddelelse- Fra: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] P? vegne af SagiBarOr Sendt: 15. juli 2010 09:46 Til: freeradius-users@lists.freeradius.org Emne: Re: FR proxy to ACS and NPS with MS CHAP v2 Thank you for the clarification Phil. I am not sure what "radius -x" means. I posted the two output files I have. Are these the ones? If not, pls elaborate. Note that these are the output files for the two FR servers, for which eveything is just fine. What does not work is when the second server is not FR but NPS or ACS. I hope this data will suffice to identify the issue or at least give good leads. Phil Mayers wrote: On 07/14/2010 11:17 PM, SagiBarOr wrote: Files posted. No. Post the output of "radiusd -X" to the list. We don't need anything else; just that. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html http://old.nabble.com/file/p29170161/cn-check_splitauth.log cn-check_splitauth.log http://old.nabble.com/file/p29170161/ldap_mschapv2.log ldap_mschapv2.log -- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29170161.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __ KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR-nr. 26911745 KMD er medlem af IT-Branchen og Dansk Erhverv samt anmeldt til Datatilsynet som edb-servicevirksomhed. KMD er certificeret i henhold til ISO 9001:2000, med Dansk Standard som certificerende organ og er desuden Microsoft Gold Certified Partner og Certificeret SAP Hosting Center. www.kmd.dk www.kundenet.kmd.dk www.organisator.dk www.kmdinternational.com Hvis du har modtaget denne e-mail ved en fejl, bedes du venligst give mig besked herom og slette den. If you received this e-mail by mistake, please notify me and delete it. Thank you. __ KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR-nr. 26911745 KMD er medlem af IT-Branchen og Dansk Erhverv samt anmeldt til Datatilsynet som edb-servicevirksomhed. KMD er certificeret i henhold til ISO 9001:2000, me