EAP-SIM and EAP-AKA support
From: dfds fds srinujob2...@yahoo.com
Subject: EAP-SIM and EAP-AKA support
To: freeradius-users@lists.freeradius.org, freeradius-de...@lists.freeradius.org
Date: Wednesday, November 3, 2010, 6:47 PM

Hi,

I am trying to set up a RADIUS server with EAP-SIM and EAP-AKA support. It seems that the FreeRADIUS server supports EAP-SIM, but I am not sure about AKA; does FreeRADIUS support EAP-AKA as well? Could you please forward the procedure to set up a FreeRADIUS server with EAP-SIM and AKA support? Are there any freely available servers which support these features?

Thanks for your help.

Regards,
Srinivas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-SIM and EAP-AKA support
Maybe this helps you: http://agsm.sourceforge.net/eap-sim_aka.html

I'm actually looking for an EAP-SIM implementation that gateways RADIUS requests to a real HLR via MAP. From the documentation I can't see that FreeRadius supports this?!

/To
freeradius and Cisco VPN IPSEC profiles authentication
Hi,

I tried to set up the configuration from different sources on the web, but it's not easy. I have a Cisco VPN access server where there are several IPsec profiles (groups). They should be authenticated against FreeRADIUS. One profile called Group1 should be authenticated against ntlm_auth_vpn (already working), the others against vpn_auth_name.

So my users file is:

DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
        Tunnel-Type = ESP,
        Tunnel-Private-Group-ID = Group1,
        Tunnel-Password = cisco,
        Cisco-Avpair=ipsec:dns-servers=10.1.1.6 10.1.1.7,
        Cisco-Avpair=ipsec:addr-pool=vpn_pool,
        Cisco-Avpair=ipsec:inacl=101,
        Cisco-Avpair=ipsec:key-exchange=ike,
        Cisco-Avpair=ipsec:key-exchange=preshared-key,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,

DEFAULT Auth-Type := vpn_auth_name, , NAS-IP-Address == 10.1.1.252
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

The point is that the group Group1 should be authenticated against ntlm_auth_vpn, the other groups against vpn_auth_name. However, this config doesn't work; the debug looks strange (it takes only the first Cisco-Avpair attribute), so probably something is wrong in the config.

Thanks for your help,
pet
Re: freeradius and Cisco VPN IPSEC profiles authentication
On 04/11/10 10:41, Jevos, Peter wrote:
> However this config doesn't work, the debug looks strange (takes only the first Cisco Avpair attribute), probably something wrong in the config

Send the full debug output, as asked frequently on this list.
Re: freeradius and Cisco VPN IPSEC profiles authentication
On 04/11/10 10:41, Jevos, Peter wrote:
> DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
>         Tunnel-Type = ESP,
>         Tunnel-Private-Group-ID = Group1,
>         Tunnel-Password = cisco,
>         Cisco-Avpair=ipsec:dns-servers=10.1.1.6 10.1.1.7,
>         Cisco-Avpair=ipsec:addr-pool=vpn_pool,

This is wrong; you want:

        Cisco-AVpair += 2nd:attribute

This is documented in the manpage and docs.
Re: Doubt - Freeradius + Ldap
Sorry about this mail Josip, but I checked my clients.conf again, and I put the conf here for you to see.

clients.conf:

client 127.0.0.1 {
        secret = password
        shortname = localhost
        nastype = other     # localhost isn't usually a NAS...
}

client 10.12.60.19 {
        secret = password
        shortname = any
        nastype = other
}

and I use this command to test the connection:

radtest username 123456 10.12.60.19 1812 0 password

And I see the debug log and receive this message:

Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.12.60.19 port 50105, id=100, length=73
        User-Name = username
        User-Password = c\355W'\021tC\372\177R\232(\007\027n\263
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Framed-Protocol = PPP
Thu Nov 4 09:30:02 2010 : Debug: +- entering group authorize
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Thu Nov 4 09:30:02 2010 : Debug: ++[preprocess] returns ok
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1
Thu Nov 4 09:30:02 2010 : Debug: ++[mschap] returns noop
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 1
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: - authorize
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing user authorization for username
Thu Nov 4 09:30:02 2010 : Debug: expand: (uid=%u) - (uid=username)
Thu Nov 4 09:30:02 2010 : Debug: expand: dc=a,dc=a,dc=c,dc=b - dc=a,dc=a,dc=c,dc=b
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing search in dc=a,dc=a,dc=c,dc=b,dc=a,dc=a,dc=c,dc=b, with filter (uid=username)
Thu Nov 4 09:30:02 2010 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Thu Nov 4 09:30:02 2010 : Info: rlm_ldap: Attempting reconnect
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: attempting LDAP reconnection
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: closing existing LDAP connection
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: (re)connect to ldap.intra proxy.intra localhost:389, authentication 0
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: bind as cn=Administrator,dc=a,dc=c,dc=a,dc=c,dc=b/password to ldap.intra proxy.intra localhost:389
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: waiting for bind result ...
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: Bind was successful
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing search in dc=a,dc=c,dc=a,dc=a,dc=c,dc=a,dc=c, with filter (uid=username)
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: Added User-Password = {crypt}tg/iHj5yM2iXI in check items
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: No default NMAS login sequence
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: looking for check items in directory...
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute userPassword as RADIUS attribute Password-With-Header == {crypt}tg/iHj5yM2iXI
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambantPassword as RADIUS attribute NT-Password == 0x3738463934413643303931413730423936454135373046344341353438304531
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambalmPassword as RADIUS attribute LM-Password == 0x3743414142444638393134314430423841414433423433354235313430344545
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS attribute Group == username
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: looking for reply items in directory...
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: user username authorized to use remote access
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 1
Thu Nov 4 09:30:02 2010 : Debug: ++[ldap] returns ok
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 1
Thu Nov 4 09:30:02 2010 : Debug: rlm_eap: No EAP-Message, not doing EAP
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 1
Thu Nov 4 09:30:02 2010 : Debug: ++[eap] returns noop
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 1
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 1
Thu Nov 4 09:30:02 2010 : Debug: ++[chap] returns noop
Thu Nov 4 09:30:02 2010 : Debug: !!!
Thu Nov 4 09:30:02 2010 : Debug: !!!Replacing User-Password in config items with Cleartext-Password.
Re: proxy.conf src_ipaddr ignored
> I guess you (a) didn't read my message,
Sorry, I did read your message.

> and (b) want to debug it yourself. That's sometimes the thing I end up with.
Exactly. So I upgraded and things got worse (or better, if you prefer consistency). Now, it doesn't honor the src_ipaddr setting no matter if I start with -sfxx -l stdout or whatever. What I gain are hundreds of messages like

Failed binding to proxy address  port 1000: Permission denied

(note there are two spaces here^^, so this looks like an empty string surrounded by spaces)

The only unusual thing I can find is that there is an interface alias address on the interface having as a primary address the src_ipaddr given. I'm somewhat, eh, reluctant to remove this alias at this time since this would mean losing one of my two DNS resolvers. What I could try later is using another interface's (one not having an alias) address as src_ipaddr and see if that is honoured or not.

This all is on NetBSD/amd64 4.0.1 in case it matters. I can post any configuration details or debugging output if that helps.

> The alternative is to demand that *we* do the work to track it down.
There seems to be some serious misunderstanding here. I was not asking for anybody to track down my problems. I'm used to tracking down my problems myself. I was simply asking whether this was a known issue or not. Had the problem gone away by upgrading to 2.1.10, it might have, in fact, still been there, only hidden by some random artifact. It might have reappeared with 2.1.11 or by some totally unrelated configuration change.
Re: Doubt - Freeradius + Ldap
On 2010/11/04 01:51 PM, eduardo moreira wrote:
> and i use this command to test connection:
> radtest username 123456 10.12.60.19 1812 0 password

man radtest gives me this:

radtest [-d raddb_directory] user password radius-server nas-port-number secret [ppphint] [nasname]

Looking at your command:

radtest username 123456 10.12.60.19 1812 0 password

This maps to:

user=username
password=123456
radius-server=10.12.60.19
nas-port-number=1812
secret=0
ppphint=password

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: EAP-SIM and EAP-AKA support
Thanks a lot for the valuable information. I will try to set up FreeRADIUS for EAP-SIM. I still have to search for how to configure EAP-AKA; if anybody knows about it, please share the info.

Thanks and Regards,
Srinivas

--- On Thu, 11/4/10, tmuehlh...@gmx.net wrote:
> Maybe this helps you: http://agsm.sourceforge.net/eap-sim_aka.html
> I'm actually looking for an EAP-SIM implementation that gateways RADIUS requests to a real HLR via MAP. From the documentation I can't see that FreeRadius supports this?!
Re: Doubt - Freeradius + Ldap
Hi Johan, thanks for your reply. I tried with your command:

raddtest -d /etc/freeradius username password ip-server port-server secret

but it doesn't work. But thanks.

2010/11/4 Johan Meiring jmeir...@pcservices.co.za wrote:
> man radtest gives me this:
> radtest [-d raddb_directory] user password radius-server nas-port-number secret [ppphint] [nasname]
Re: Doubt - Freeradius + Ldap
On 2010/11/04 02:16 PM, eduardo moreira wrote:
> raddtest -d /etc/freeradius username password ip-server port-server secret
> but it doesn't work.

Copy and paste your command. Do not retype it.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: Doubt - Freeradius + Ldap
Sorry:

radtest -d /etc/freeradius username 123456 10.12.60.19 1812 password any

2010/11/4 Johan Meiring jmeir...@pcservices.co.za wrote:
> Copy and paste your command. Do not retype it.
Re: Doubt - Freeradius + Ldap
eduardo moreira wrote:
> Sorry about this mail Josip, but I checked my clients.conf again, and I put the conf here for you to see.

The debug log you posted contains the solution to the problem. Read it.

If it's too hard to understand, paste the debug output into this form:

http://networkradius.com/freeradius.html

And then read the output. It won't be hard.

Alan DeKok.
Re: Doubt - Freeradius + Ldap
On 2010/11/04 02:37 PM, eduardo moreira wrote:
> sorry
> radtest -d /etc/freeradius username 123456 10.12.60.19 1812 password any

That should work. The any is probably unnecessary.

What does freeradius -X now say?

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: proxy.conf src_ipaddr ignored
> What I could try later is using another interface's (one not having an alias) address as src_ipaddr and see if that is honoured or not.
With that, I still get the Failed binding to proxy address messages.
Re: Doubt - Freeradius + Ldap
Same message, but one message disappears:

Thu Nov 4 09:30:02 2010 : Debug: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

Before this message appears this:

Thu Nov 4 10:58:52 2010 : Debug: !!!
Thu Nov 4 10:58:52 2010 : Debug: !!!Replacing User-Password in config items with Cleartext-Password. !!!
Thu Nov 4 10:58:52 2010 : Debug: !!!
Thu Nov 4 10:58:52 2010 : Debug: !!! Please update your configuration so that the known good !!!
Thu Nov 4 10:58:52 2010 : Debug: !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Thu Nov 4 10:58:52 2010 : Debug: !!!
Thu Nov 4 10:58:52 2010 : Debug: auth: type Local
Thu Nov 4 10:58:52 2010 : Debug: auth: user supplied User-Password does NOT match local User-Password
Thu Nov 4 10:58:52 2010 : Debug: auth: Failed to validate the user.
Thu Nov 4 10:58:52 2010 : Auth: Login incorrect: [username/123456] (from client any port 1812)
Sending Access-Reject of id 168 to 10.12.60.19 port 53629
Thu Nov 4 10:58:52 2010 : Debug: Finished request 2.
Thu Nov 4 10:58:52 2010 : Debug: Going to the next request
Thu Nov 4 10:58:52 2010 : Debug: Waking up in 4.9 seconds.
Thu Nov 4 10:58:57 2010 : Debug: Cleaning up request 2 ID 168 with timestamp +98
Thu Nov 4 10:58:57 2010 : Debug: Ready to process requests.

In the debug appears:

security {
        reject_delay = 0

but it still doesn't work.

Thanks for the help.

2010/11/4 Johan Meiring jmeir...@pcservices.co.za wrote:
> That should work. The any is probably unnecessary.
> What does freeradius -X now say?
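A worked example of what Johan's argument mapping means on the wire, added here and not part of the thread or of FreeRADIUS. RFC 2865 section 5.2 hides User-Password by XORing 16-byte blocks with MD5(secret + Request Authenticator), chaining on the previous ciphertext block. A NAS using secret `0` (what radtest was given by argument position) and a server using `password` (what clients.conf says) both run the algorithm without any error; the server just recovers 16 pseudo-random bytes instead of `123456`, which is what the "Unprintable characters in the password" warning in the earlier log detects. The Request Authenticator, secrets and password below are constructed sample values, and `looks_unprintable` is this example's approximation of the server's check, not FreeRADIUS code.

```python
"""RFC 2865 section 5.2 User-Password hiding, shown from both sides so the
effect of a mismatched shared secret is visible.

Added example: not code from the thread or from FreeRADIUS. The Request
Authenticator, secrets and password are constructed sample values.
"""
import hashlib

# Constructed 16-byte Request Authenticator; a real NAS picks a fresh random one per request.
AUTHENTICATOR = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pad(password: bytes) -> bytes:
    """Zero-pad to a multiple of 16 bytes; an empty password still takes one block."""
    padded = password + b"\x00" * (-len(password) % 16)
    return padded or b"\x00" * 16


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: c(1) = p(1) XOR MD5(S + RA), c(i) = p(i) XOR MD5(S + c(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = _pad(password)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, driven by the received ciphertext blocks.
    There is no integrity check here: a wrong secret yields garbage, not an error.
    Trailing NUL bytes are the RFC's padding and are stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def looks_unprintable(data: bytes) -> bool:
    """Approximation of the check behind FreeRADIUS's 'Unprintable characters in
    the password' warning (assumed here: any byte outside printable ASCII)."""
    return any(b < 0x20 or b > 0x7E for b in data)


def mismatch_demo(password: bytes = b"123456", nas_secret: bytes = b"0",
                  server_secret: bytes = b"password") -> dict:
    """Reproduce the thread: radtest was given secret '0' by argument position,
    while the server's clients.conf says 'password'. Returns what each side recovers."""
    hidden = hide_password(password, nas_secret, AUTHENTICATOR)
    return {
        "hidden": hidden,
        "with_nas_secret": reveal_password(hidden, nas_secret, AUTHENTICATOR),
        "with_server_secret": reveal_password(hidden, server_secret, AUTHENTICATOR),
    }


if __name__ == "__main__":
    r = mismatch_demo()
    print("server recovers with its own secret:", r["with_server_secret"])
    print("unprintable:", looks_unprintable(r["with_server_secret"]))
```

The practical check this gives you: a "does NOT match" rejection right after an "Unprintable characters" warning is a shared-secret problem between the NAS and clients.conf, not a password or LDAP problem, because the hiding scheme cannot itself signal that the wrong key was used.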
Re: proxy.conf src_ipaddr ignored
> Failed binding to proxy address  port 1000: Permission denied
> (note there are two spaces here^^
I'm unsure why ip_ntoh fails (I don't get any ip_ntoh: errors), but turning off dns_lookups shows the default IP (the one to be used without ip_srcaddr) here.
Re[2]: EAP-PEAP/MSCHAPv2 Proxy
Phil Mayers, thanks, it works!!! But after auth, radius goes down with the message "Segmentation fault".

        AS-IP-Address = 172.100.50.24
        NAS-Port = 1
        Framed-MTU = 1388
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
        Called-Station-Id = 00-18-25-10-2b-20:SOME
        Calling-Station-Id = 0c-60-76-7c-af-d0
        NAS-Port-Id = 0c-60-76-7c-af-d0
        State = 0xa1759ecfa772878fdc8ea6894bd21bdb
        User-Name = testuser
        EAP-Message = 0x0207009019001703010020e2682cb330a2b26327dbdf5b0f75ff4cc88263dc762230422137cf3c31a862831703010060c6fc24cf2bc03974380904eaadcf3ec855144dce86f9f0ab43321d1bd29990f4a0c80d2b5e7acddd7dd14e6350e16d5d8deb92c9c7ea672c934b04325afe61998aa7afec350bdd7cb2d5bcc8e46bd1af866fa8c051662d89a8bcb1fdd3a11dac
        Message-Authenticator = 0x416646a7c9bf61e87f0a523ea2ab38b5
Thu Nov 4 19:42:55 2010 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
Thu Nov 4 19:42:55 2010 : Info: +- entering group authorize {...}
Thu Nov 4 19:42:55 2010 : Info: ++[preprocess] returns ok
Thu Nov 4 19:42:55 2010 : Info: ++[chap] returns noop
Thu Nov 4 19:42:55 2010 : Info: ++[mschap] returns noop
Thu Nov 4 19:42:55 2010 : Info: ++[digest] returns noop
Thu Nov 4 19:42:55 2010 : Info: [eap] EAP packet type response id 7 length 144
Thu Nov 4 19:42:55 2010 : Info: [eap] Continuing tunnel setup.
Thu Nov 4 19:42:55 2010 : Info: ++[eap] returns ok
Thu Nov 4 19:42:55 2010 : Info: Found Auth-Type = EAP
Thu Nov 4 19:42:55 2010 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default
Thu Nov 4 19:42:55 2010 : Info: +- entering group authenticate {...}
Thu Nov 4 19:42:55 2010 : Info: [eap] Request found, released from the list
Thu Nov 4 19:42:55 2010 : Info: [eap] EAP/peap
Thu Nov 4 19:42:55 2010 : Info: [eap] processing type peap
Thu Nov 4 19:42:55 2010 : Info: [peap] processing EAP-TLS
Thu Nov 4 19:42:55 2010 : Info: [peap] eaptls_verify returned 7
Thu Nov 4 19:42:55 2010 : Info: [peap] Done initial handshake
Thu Nov 4 19:42:55 2010 : Info: [peap] eaptls_process returned 7
Thu Nov 4 19:42:55 2010 : Info: [peap] EAPTLS_OK
Thu Nov 4 19:42:55 2010 : Info: [peap] Session established. Decoding tunneled attributes.
Thu Nov 4 19:42:55 2010 : Info: [peap] Peap state phase2
Thu Nov 4 19:42:55 2010 : Info: [peap] EAP type mschapv2
Thu Nov 4 19:42:55 2010 : Info: [peap] Got tunneled request
        EAP-Message = 0x020700421a0207003d319efde001465e794686be86bbd699982fba5cbf47e1f74caa982438716a3d0b0764c999d747b37b7f006e635f766c6164
server {
Thu Nov 4 19:42:55 2010 : Debug: PEAP: Setting User-Name to testuser
Sending tunneled request
        EAP-Message = 0x020700421a0207003d319efde001465e794686be86bbd699982fba5cbf47e1f74caa982438716a3d0b0764c999d747b37b7f006e635f766c6164
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = testuser
        State = 0x6a0cdd0a6a0bc75fe06fe99ae32a7b2d
server inner-tunnel {
Thu Nov 4 19:42:55 2010 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
Thu Nov 4 19:42:55 2010 : Info: +- entering group authorize {...}
Thu Nov 4 19:42:55 2010 : Info: ++[chap] returns noop
Thu Nov 4 19:42:55 2010 : Info: ++[mschap] returns noop
Thu Nov 4 19:42:55 2010 : Info: [suffix] No '@' in User-Name = testuser, looking up realm NULL
Thu Nov 4 19:42:55 2010 : Info: [suffix] Found realm DEFAULT
Thu Nov 4 19:42:55 2010 : Info: [suffix] Adding Stripped-User-Name = testuser
Thu Nov 4 19:42:55 2010 : Info: [suffix] Adding Realm = DEFAULT
Thu Nov 4 19:42:55 2010 : Info: [suffix] Proxying request from user testuser to realm DEFAULT
Thu Nov 4 19:42:55 2010 : Info: [suffix] Preparing to proxy authentication request to realm DEFAULT
Thu Nov 4 19:42:55 2010 : Info: ++[suffix] returns updated
Thu Nov 4 19:42:55 2010 : Info: [eap] Request is supposed to be proxied to Realm DEFAULT. Not doing EAP.
Thu Nov 4 19:42:55 2010 : Info: ++[eap] returns noop
Thu Nov 4 19:42:55 2010 : Info: ++[files] returns noop
Thu Nov 4 19:42:55 2010 : Info: ++[expiration] returns noop
Thu Nov 4 19:42:55 2010 : Info: ++[logintime] returns noop
Thu Nov 4 19:42:55 2010 : Info: ++[pap] returns noop
} # server inner-tunnel
Thu Nov 4 19:42:55 2010 : Info: [peap] Got tunneled reply code 0
Thu Nov 4 19:42:55 2010 : Debug: PEAP: Calling authenticate in order to initiate tunneled EAP session.
Thu Nov 4 19:42:55 2010 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
Thu Nov 4 19:42:55 2010 : Info: +- entering group authenticate {...}
Thu Nov 4 19:42:55 2010 : Info: modsingle[authenticate]: calling eap (rlm_eap) for request 7
Thu Nov 4 19:42:55 2010 : Info: [eap] Request found, released from the list
Thu Nov 4 19:42:55 2010 : Info: [eap] EAP/mschapv2
Thu Nov 4 19:42:55 2010 : Info: [eap] processing type mschapv2
Thu Nov 4 19:42:55 2010 : Info: [eap] Not-EAP proxy
RE: freeradius and Cisco VPN IPSEC profiles authentication
> This is wrong; you want:
>
>         Cisco-AVpair += 2nd:attribute
>
> This is documented in the manpage and docs.

Thank you, it helped, but it still doesn't work as I wished. All I need is:

When the request comes from 10.1.1.252 and Tunnel-Private-Group-ID = Group1, use authentication ntlm_auth_vpn, and send back the Cisco AV pairs (ipsec values).

When the request comes from anywhere else and Tunnel-Private-Group-ID is whatever, use authentication vpn_auth_name, and that's it.

My current settings are:

DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252 , Tunnel-Private-Group-ID == Group1
        Tunnel-Type = ESP,
        Tunnel-Private-Group-ID = Group1,
        Tunnel-Password = cisco,
        Cisco-Avpair=ipsec:dns-servers=10.1.1.6 10.1.1.7,
        Cisco-Avpair=ipsec:addr-pool=vpn_pool,
        Cisco-Avpair=ipsec:inacl=101,
        Cisco-Avpair=ipsec:key-exchange=ike,
        Cisco-Avpair=ipsec:key-exchange=preshared-key,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

DEFAULT Auth-Type := vpn_auth_name,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,

Thanks,
pet
which user is using this IP? (Ethernet, no dial-up)
[Apparently the usenet gateway is not bidirectional, so I re-post here, sorry]

Hello,

AFAIK, there's nothing in the RADIUS protocol allowing you to ask a RADIUS server which user is currently using a given IP address... or am I missing something?

The only thing you can do is FreeRADIUS-specific, like issuing the radwho command, which shows you a list of currently logged-in users, their IP addresses and other information. Another option is querying the FreeRADIUS database (MySQL/whatever...), which is actually what some front-ends do (like DaloRADIUS...).

Do you know a more robust/standard/portable solution to get this info?

To clarify my question I will explain why I need this. I'm configuring DansGuardian web content filtering (http://dansguardian.org), which has the possibility to configure several filter groups, each with different filtering rules. I would like to match filter groups by RADIUS login, but since this is not implemented I'm willing to contribute some code to the project, and here I need to clarify some technical details.

The programmatic counterpart of running radwho should be reading /var/log/freeradius/radutmp, which is simply the serialization of a C struct, as I read here:

http://goo.gl/Rq1c7
http://goo.gl/BSvAn
http://goo.gl/erLtw

Would this be the correct approach? Any suggestion?

Thanks!

Guido De Rosa

P.S. the matching thread in the DG mailing list is: http://tech.groups.yahoo.com/group/dansguardian/message/24488
Re: freeradius and Cisco VPN IPSEC profiles authentication
On 04/11/10 15:25, Jevos, Peter wrote:
> My current settings is:
>
> DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252 , Tunnel-Private-Group-ID == Group1
>         Tunnel-Type = ESP,
>         Tunnel-Private-Group-ID = Group1,
>         Tunnel-Password = cisco,
>         Cisco-Avpair=ipsec:dns-servers=10.1.1.6 10.1.1.7,
>         Cisco-Avpair=ipsec:addr-pool=vpn_pool,
>         Cisco-Avpair=ipsec:inacl=101,
>         Cisco-Avpair=ipsec:key-exchange=ike,
>         Cisco-Avpair=ipsec:key-exchange=preshared-key,
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Fall-Through = Yes

You've set Fall-Through here - so your Auth-Type will be overwritten by the 2nd entry:

> DEFAULT Auth-Type := vpn_auth_name,
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,

Remove the Fall-Through
Re: proxy.conf src_ipaddr ignored
Edgar Fuß wrote:
> So I upgraded and things got worse (or better, if you prefer consistency). Now, it doesn't honor the src_ipaddr setting no matter if I start with -sfxx -l stdout or whatever.

Hmm... this *was* tested in 2.1.10. Your configuration must be doing something odd.

> What I gain are hundreds of messages like
> Failed binding to proxy address  port 1000: Permission denied

Well, the IP address isn't a valid one. That's probably why it can't bind to the socket.

> I can post any configuration details or debugging output if that helps.

Debugging output would help.

Alan DeKok.
Re: which user is using this IP? (Ethernet, no dial-up)
On 04/11/10 15:31, Guido De Rosa wrote:
> AFAIK, there's nothing in the RADIUS protocol allowing you to ask a RADIUS server which user is currently using a given IP address... or am I missing something? The only thing you can do is

The radius server only knows what the NAS tells it.

> FreeRADIUS-specific like issuing the radwho command which shows you a list of currently logged-in users, their IP addresses and other information. Another option is querying the FreeRADIUS database (MySQL/whatever...), which is actually what some front-ends do (like DaloRADIUS...). Do you know a more robust/standard/portable solution to get this info?

If your NAS supplies the IP information in the radius requests, use FreeRadius and the SQL module; there are many variations on how to do this. The most common is the NAS sending Framed-IP-Address in accounting packets, and rlm_sql logging the session.

If your NAS doesn't supply the IP information in the radius requests, FreeRadius can't help you.
Re: which user is using this IP? (Ethernet, no dial-up)
Guido De Rosa wrote:
> AFAIK, there's nothing in the RADIUS protocol allowing you to ask a RADIUS server which user is currently using a given IP address... or am I missing something?

No. Use a database for this kind of query.

> I'm configuring DansGuardian web content filtering (http://dansguardian.org) which has the possibility to configure several filter groups each with different filtering rules. I would like to match filter groups by RADIUS login

What does that mean?

Alan DeKok.
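Both replies point at accounting data rather than at the radutmp file. As an added example (not from the thread, and not FreeRADIUS or DansGuardian code), here is the query a front-end would run against a radacct table that rlm_sql fills from Accounting-Request packets carrying Framed-IP-Address. It uses an in-memory SQLite stand-in with a subset of the stock radacct column names; the rows are constructed. The caveat a practitioner wants: a session that never receives an Accounting-Stop (NAS reboot, lost UDP) stays "open" in the table forever, so a current-holder lookup should be paired with interim updates or periodic pruning, and the historical variant below is what you want for correlating old logs.

```python
"""Which user currently holds an IP address, answered from rlm_sql accounting
data as suggested in the replies above.

Added example: not from the thread and not FreeRADIUS or DansGuardian code.
The table is an in-memory SQLite stand-in with a subset of the columns of the
stock radacct schema; the rows are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    radacctid       INTEGER PRIMARY KEY,
    acctsessionid   TEXT NOT NULL,
    username        TEXT NOT NULL,
    nasipaddress    TEXT NOT NULL,
    acctstarttime   TEXT NOT NULL,   -- ISO timestamps so they sort lexically
    acctstoptime    TEXT,            -- NULL while the session is open
    framedipaddress TEXT
);
CREATE INDEX radacct_ip_open ON radacct (framedipaddress, acctstoptime);
"""

# Constructed sessions: alice held 10.0.0.5 and logged off, the NAS then gave
# the same address to bob; carol is still on 10.0.0.9.
SAMPLE_ROWS = [
    ("s1", "alice", "10.1.1.252", "2010-11-04 08:00:00", "2010-11-04 09:00:00", "10.0.0.5"),
    ("s2", "bob",   "10.1.1.252", "2010-11-04 09:05:00", None,                  "10.0.0.5"),
    ("s3", "carol", "10.1.1.252", "2010-11-04 09:10:00", None,                  "10.0.0.9"),
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress, "
        "acctstarttime, acctstoptime, framedipaddress) VALUES (?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def user_for_ip(conn: sqlite3.Connection, ip: str):
    """Username of the newest open session (no Accounting-Stop yet) on ip, or None.
    The ip comes from an untrusted caller (a web proxy in the poster's case), so
    it is bound as a parameter rather than interpolated into the SQL."""
    row = conn.execute(
        "SELECT username FROM radacct "
        "WHERE framedipaddress = ? AND acctstoptime IS NULL "
        "ORDER BY acctstarttime DESC LIMIT 1",
        (ip,),
    ).fetchone()
    return row[0] if row else None


def users_at(conn: sqlite3.Connection, ip: str, when: str) -> list:
    """Historical variant for log correlation: everyone whose session on ip
    covered the instant `when` (same ISO timestamp format as the table)."""
    rows = conn.execute(
        "SELECT username FROM radacct "
        "WHERE framedipaddress = ? AND acctstarttime <= ? "
        "AND (acctstoptime IS NULL OR acctstoptime > ?) "
        "ORDER BY acctstarttime",
        (ip, when, when),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_db()
    print("10.0.0.5 now:", user_for_ip(db, "10.0.0.5"))
    print("10.0.0.5 at 08:30:", users_at(db, "10.0.0.5", "2010-11-04 08:30:00"))
```

Against a real radacct the same two statements work unchanged apart from the connection; the point of `users_at` is that an address is reused, so "who has 10.0.0.5" is only meaningful together with a time.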
Re: EAP-PEAP/MSCHAPv2 Proxy
Влад Власов wrote:
> Phil Mayers thanks it works !!! But after auth radius going down with message Segmentation fault.
...
> Thu Nov 4 19:42:55 2010 : Info: [eap] Final reply from tunneled session code 2
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Session-Timeout = 864000
>         Acct-Interim-Interval = 180
>         MS-MPPE-Encryption-Policy = 0x0001
>         MS-MPPE-Encryption-Types = 0x0006
>         MS-MPPE-Send-Key = 0x15cd1e3f591a3cea38108b5deacae079
>         MS-MPPE-Recv-Key = 0x2f8000c9000217f94bba2673f2c3b711
>         MS-CHAP2-Success = 0x81533d32444636394345313934363538303844323846303231363431333043364536373737444137394535
> Thu Nov 4 19:42:55 2010 : Info: [eap] Got reply 2
> Segmentation fault: 11

Hmm... see doc/bugs for more information.

Alan DeKok.
RE: freeradius and Cisco VPN IPSEC profiles authentication
> > My current settings is:
> >
> > DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252 , Tunnel-Private-Group-ID == Group1
> >         Tunnel-Type = ESP,
> >         Tunnel-Private-Group-ID = Group1,
> >         Tunnel-Password = cisco,
> >         Cisco-Avpair+=ipsec:dns-servers=10.1.1.6 10.1.1.7,
> >         Cisco-Avpair+=ipsec:addr-pool=vpn_pool,
> >         Cisco-Avpair+=ipsec:inacl=101,
> >         Cisco-Avpair+=ipsec:key-exchange=ike,
> >         Cisco-Avpair+=ipsec:key-exchange=preshared-key,
> >         Service-Type = Framed-User,
> >         Framed-Protocol = PPP,
> >         Fall-Through = Yes
>
> You've set Fall-Through here - so your Auth-Type will be overwritten by the 2nd entry:
>
> > DEFAULT Auth-Type := vpn_auth_name,
> >         Service-Type = Framed-User,
> >         Framed-Protocol = PPP,

Dear Phil, thank you. I removed the Fall-Through parameter; it works partially. When a user comes from the address 10.1.1.252 and Tunnel-Private-Group-ID is not Group1, it takes Auth-Type := ntlm_auth_vpn (which is wrong), and not Auth-Type := vpn_auth_name. Therefore there must be two conditions: one is NAS-IP-Address, the second is the PVT-Group.

Thanks
Re: PEAP/TTLS and Client certificates
I'm using the Juniper Odyssey Access Client; you can download a trial from the Juniper website. So far it's the only supplicant I've come across that allows for PEAP or TTLS with client certificates. The drawback being you have to buy licenses for each instance of it running inside the company, which undoubtedly is going to cost a fortune. So if anyone out there has any idea of a free open source solution I'm game...

About the perl module, I'll start looking into that, thanks for the tip.
Re: freeradius and Cisco VPN IPSEC profiles authentication
On 04/11/10 15:52, Jevos, Peter wrote:
> Dear Phil, thank you, I removed the Fall-Through parameter. It works partially: when a user comes from the address 10.1.1.252 and Tunnel-Private-Group-ID is not Group1, it takes the Auth-Type := ntlm_auth_vpn (which is wrong), and not Auth-Type := vpn_auth_name. Therefore there must be two conditions, one is NAS-IP-Address, second is PVT-Group

So, match both fields. Have you read the docs - specifically "man users"?

You want something like:

DEFAULT Auth-Type := x, Service-Type == a, Tunnel-Private-Group-Id == b
        Reply-Var-1 = ...

Note: ALL the conditions must be on the 1st line
RE: freeradius and Cisco VPN IPSEC profiles authentication
Thank you for your reply, however as you can see from my previous posts, I did it:

DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252, Tunnel-Private-Group-ID == Group1
        Tunnel-Type = ESP,
        Tunnel-Private-Group-ID = Group1,

So the first line is:

DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252, Tunnel-Private-Group-ID == Group1
Re: freeradius and Cisco VPN IPSEC profiles authentication
On 04/11/10 16:15, Jevos, Peter wrote:
> Thank you for your reply, however as you can see from my previous posts, I did it:

Frankly I find your posts confusing; your email client doesn't quote properly and mangles the text wrapping, so I had no way to be sure.

Post full debug output of a failing request.
RE: freeradius and Cisco VPN IPSEC profiles authentication
I'm sorry, it's Outlook :)

The point is, if I use Tunnel-Private-Group-ID == Group1 as the condition on the first line, it doesn't work: it skips and goes to another auth method.

DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252, Tunnel-Private-Group-ID == Group1
        Other statements ...
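The two points Phil makes in this thread (every check item must sit on the first line of a users entry, and Fall-Through = Yes lets the next matching entry overwrite Auth-Type) can be seen in a small model of the users-file walk. This is an added example, not code from the thread or from FreeRADIUS; the entry names, request attributes and the three sample files are constructed for the demo, and the matching rules are simplified (no tags, no huntgroups, only the =, := and += reply operators).

```python
import re
# Added example, not code from the thread or from FreeRADIUS: a minimal model
# of how the "users" file is walked, enough to show (1) that check items only
# count on the first line of an entry and (2) what Fall-Through = Yes does.
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|\+=|=~|=)\s*"?(.*?)"?\s*$')

def _items(text):
    """Parse 'Attr op value, Attr op value, ...' into (attr, op, value) tuples."""
    out = []
    for piece in text.split(','):
        if piece.strip():
            m = ITEM_RE.match(piece)
            if not m: raise ValueError("cannot parse item: %r" % piece)
            out.append(m.groups())
    return out

def parse_users(text):
    """Return [(name, check_items, reply_items)] per entry. Only the first line
    carries check items; indented lines are reply items, whatever the operator."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():
            current[2].extend(_items(line))
        else:
            name, _, rest = line.partition(' ')
            current = (name, _items(rest), [])
            entries.append(current)
    return entries

def _matches(request, attr, op, value):
    got = request.get(attr)
    if got is None:
        return False
    return got == value if op == '==' else re.search(value, got) is not None

def authorize(users_text, request):
    """Walk the entries: the first one whose check items all match wins, unless
    it sets Fall-Through = Yes, in which case later entries are processed too
    and their ':=' items (e.g. Auth-Type) overwrite what was set before."""
    control, reply, matched = {}, {}, []
    for name, checks, replies in parse_users(users_text):
        if not all(_matches(request, a, op, v)
                   for a, op, v in checks if op in ('==', '=~')):
            continue
        matched.append(name)
        for attr, op, value in checks:
            if op == ':=':                      # Auth-Type := ntlm_auth_vpn
                control[attr] = value
        fall_through = False
        for attr, op, value in replies:
            if attr == 'Fall-Through':
                fall_through = value.lower() == 'yes'
            elif op == '+=':                    # Cisco-Avpair += ... keeps all values
                reply.setdefault(attr, []).append(value)
            elif op == ':=':
                reply[attr] = [value]
            elif op == '=':                     # add only if not already present
                reply.setdefault(attr, [value])
            # '==' on a reply line is not a condition; it is simply ignored here
        if not fall_through:
            break
    return control.get('Auth-Type'), reply, matched

# Both conditions on the first line, as Phil recommends (constructed sample).
USERS_OK = """\
DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252, Tunnel-Private-Group-ID == Group1
        Tunnel-Type = ESP,
        Cisco-Avpair += "ipsec:dns-servers=10.1.1.6 10.1.1.7",
        Cisco-Avpair += "ipsec:addr-pool=vpn_pool",
        Service-Type = Framed-User
DEFAULT Auth-Type := vpn_auth_name
        Service-Type = Framed-User
"""

# Same file, but the first entry ends with Fall-Through = Yes.
USERS_FALL_THROUGH = USERS_OK.replace(
    "        Service-Type = Framed-User\nDEFAULT Auth-Type := vpn_auth_name",
    "        Service-Type = Framed-User,\n        Fall-Through = Yes\n"
    "DEFAULT Auth-Type := vpn_auth_name", 1)

# The group condition moved to a continuation line, where it is not a condition.
USERS_MISPLACED = USERS_OK.replace(
    ", Tunnel-Private-Group-ID == Group1\n",
    "\n        Tunnel-Private-Group-ID == Group1,\n", 1)

REQ_GROUP1 = {"NAS-IP-Address": "10.1.1.252", "Tunnel-Private-Group-ID": "Group1"}
REQ_GROUP2 = {"NAS-IP-Address": "10.1.1.252", "Tunnel-Private-Group-ID": "Group2"}
```

With USERS_OK, Group1 gets ntlm_auth_vpn and the Cisco-Avpair replies while any other group falls to vpn_auth_name; with USERS_FALL_THROUGH the second entry overwrites Auth-Type even for Group1, and with USERS_MISPLACED every request from 10.1.1.252 gets ntlm_auth_vpn, which is the symptom reported earlier in the thread.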
Re: PEAP/TTLS and Client certificates
Which OS?

David
Re: which user is using this IP? (Ethernet, no dial-up)
2010/11/4 Phil Mayers p.may...@imperial.ac.uk:
>> FreeRADIUS-specific like issuing the radwho command which shows you a list of currently logged users, their IP addresses and other information. Another option is querying the FreeRADIUS database (MySQL/whatever...), which is actually what some front-ends do (like DaloRADIUS...). Do you know a more robust/standard/portable solution to get this info?
>
> If your NAS supplies the IP information in the radius requests, use FreeRadius and the SQL module; there are many variations on how to do this. The most common is the NAS sending Framed-IP-Address in accounting packets,

My NAS is CoovaChilli (http://coova.org/CoovaChilli) and, yes, it sends Framed-IP-Address to the RADIUS server.

> and rlm_sql logging the session.

I thought about radutmp because of its simplicity, and it would not require an additional dependency on a mysql-client library, but I understand that the mysql solution is far more scalable...

Thanks,
Guido
PEAP w/ freeradius to LDAP storing ntPassword not working
Hi All,

We had the ntPassword hash in our LDAP server; now authentication with PEAP from a Windows computer and with radtest -t mschap fails. Attached please find the full debug information. My username is sding for the testing.

Thanks,

[r...@auth2 opt]# ./sbin/radiusd -X
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Nov 4 2010 at 13:04:32
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /opt/etc/raddb/radiusd.conf
including configuration file /opt/etc/raddb/clients.conf
including files in directory /opt/etc/raddb/modules/
including configuration file /opt/etc/raddb/modules/policy
including configuration file /opt/etc/raddb/modules/acct_unique
including configuration file /opt/etc/raddb/modules/unix
including configuration file /opt/etc/raddb/modules/chap
including configuration file /opt/etc/raddb/modules/preprocess
including configuration file /opt/etc/raddb/modules/expiration
including configuration file /opt/etc/raddb/modules/mac2vlan
including configuration file /opt/etc/raddb/modules/mschap
including configuration file /opt/etc/raddb/modules/ippool
including configuration file /opt/etc/raddb/modules/files
including configuration file /opt/etc/raddb/modules/krb5
including configuration file /opt/etc/raddb/modules/passwd
including configuration file /opt/etc/raddb/modules/radutmp
including configuration file /opt/etc/raddb/modules/attr_rewrite
including configuration file /opt/etc/raddb/modules/echo
including configuration file /opt/etc/raddb/modules/etc_group
including configuration file /opt/etc/raddb/modules/pap
including configuration file /opt/etc/raddb/modules/realm
including configuration file /opt/etc/raddb/modules/pam
including configuration file /opt/etc/raddb/modules/always
including configuration file /opt/etc/raddb/modules/exec
including configuration file /opt/etc/raddb/modules/logintime
including configuration file /opt/etc/raddb/modules/sql_log
including configuration file /opt/etc/raddb/modules/smbpasswd
including configuration file /opt/etc/raddb/modules/sradutmp
including configuration file /opt/etc/raddb/modules/counter
including configuration file /opt/etc/raddb/modules/ldap
including configuration file /opt/etc/raddb/modules/expr
including configuration file /opt/etc/raddb/modules/attr_filter
including configuration file /opt/etc/raddb/modules/checkval
including configuration file /opt/etc/raddb/modules/digest
including configuration file /opt/etc/raddb/modules/detail
including configuration file /opt/etc/raddb/modules/detail.log
including configuration file /opt/etc/raddb/modules/mac2ip
including configuration file /opt/etc/raddb/modules/detail.example.com
including configuration file /opt/etc/raddb/modules/inner-eap
including configuration file /opt/etc/raddb/modules/linelog
including configuration file /opt/etc/raddb/modules/otp
including configuration file /opt/etc/raddb/modules/perl
including configuration file /opt/etc/raddb/modules/smsotp
including configuration file /opt/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /opt/etc/raddb/modules/wimax
including configuration file /opt/etc/raddb/modules/cui
including configuration file /opt/etc/raddb/modules/dynamic_clients
including configuration file /opt/etc/raddb/modules/ntlm_auth
including configuration file /opt/etc/raddb/modules/opendirectory
including configuration file /opt/etc/raddb/eap.conf
including configuration file /opt/etc/raddb/sql.conf
including configuration file /opt/etc/raddb/sql/mysql/dialup.conf
including configuration file /opt/etc/raddb/policy.conf
including files in directory /opt/etc/raddb/sites-enabled/
including configuration file /opt/etc/raddb/sites-enabled/default
including configuration file /opt/etc/raddb/sites-enabled/inner-tunnel
including configuration file /opt/etc/raddb/sites-enabled/control-socket
main {
        allow_core_dumps = no
}
including dictionary file /opt/etc/raddb/dictionary
main {
        prefix = /opt
        localstatedir = /opt/var
        logdir = /var/log/radius
        libdir = /opt/lib
        radacctdir = /var/log/radius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = /opt/var/run/radiusd/radiusd.pid
        checkrad = /opt/sbin/checkrad
        debug_level = 0
        proxy_requests = no
 log {
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
radiusd: Loading Realms and Home Servers
radiusd: Loading Clients
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator =
Re: which user is using this IP? (Ethernet, no dial-up)
2010/11/4 Alan DeKok al...@deployingradius.com:
> Guido De Rosa wrote:
>> I'm configuring DansGuardian web content filtering (http://dansguardian.org) which has the possibility to configure several filter groups each with different filtering rules. I would like to match filter groups by RADIUS login
>
> What does that mean?

DansGuardian has the ability to filter web content in a different way for different users: http://goo.gl/bVm0V And as you see in the table http://goo.gl/yJWmQ there are a number of methods to identify a user; I simply thought that RADIUS identification would be a nice feature to have.

Cheers,
Guido
Restrict certain users to certain clients
I have multiple clients on the following networks:

192.168.89.0/24
192.168.90.0/24
192.168.91.0/24

I have two users:

test1
test2

I would like to grant test1 access to clients on 192.168.89.0/24 and 192.168.90.0/24 but not 192.168.91.0/24.
I would like to grant test2 access to clients on 192.168.91.0/24 but not 192.168.89.0/24 nor 192.168.90.0/24.

I've solved it with huntgroups with individual client IPs, but I need to do it by subnet. I thought the following would work but it didn't.

/etc/raddb/huntgroups
hunt1   NAS-IP-Address =~ /^192\.168\.(89|90|91)\..*$/

Can anyone provide some direction?

Thanks
Re: PEAP/TTLS and Client certificates
Mostly Windows 7, but Linux and OSX would be nice too..
Re: Restrict certain users to certain clients
> I've solved it with huntgroups with individual client IPs, but I need to do it by subnet. I thought the following would work but it didn't.
>
> /etc/raddb/huntgroups
> hunt1   NAS-IP-Address =~ /^192\.168\.(89|90|91)\..*$/

This appears to have been fixed by putting quotes around the regex in place of the /:

hunt1   NAS-IP-Address =~ "^192\.168\.(89|90|91)\..*$"
Re: proxy.conf src_ipaddr ignored
Your configuration must be doing something odd. Yes. As specifying multiple identical src_ipaddr values for several home servers resulted in 2.1.7 not to start up properly, I (mis)understood the comment # The rest of the configuration items listed here are optional, # and do not have to appear in every home server definition. as if you could specify the values in the localhost home_server definition and then every other home_server section would pick up them as default. No, that's not what the wording suggests, but apperantly, it's how 2.1.7 worked -- at least in case of src_ipaddr and -X. I thought I had tried moving the src_ipaddr definitions to the individual home server sections earlier the day after I upgraded to 2.1.10, but I must have made some mistake I cannot reproduce. As you already pointed out further up in this thread, I like to debug things myself. So at least, there is a patch attached adding more debug output to proxy listener allocation and home server selection so the day I wasted on the subject may serve somebody else. --- src/main/event.c.orig 2010-09-28 13:03:56.0 +0200 +++ src/main/event.c2010-11-04 17:37:19.0 +0100 @@ -1867,7 +1867,7 @@ static int proxy_request(REQUEST *request) { struct timeval when; - char buffer[128]; + char buffer[128], buffer2[128]; #ifdef WITH_COA if (request-coa) { @@ -1903,12 +1903,15 @@ } request-next_callback = no_response_to_proxied_request; - RDEBUG2(Proxying request %u to home server %s port %d, + RDEBUG2(Proxying request %u to home server %s port %d using source addr %s, request-number, inet_ntop(request-proxy-dst_ipaddr.af, request-proxy-dst_ipaddr.ipaddr, buffer, sizeof(buffer)), - request-proxy-dst_port); + request-proxy-dst_port, + inet_ntop(request-proxy-src_ipaddr.af, +request-proxy-src_ipaddr.ipaddr, +buffer2, sizeof(buffer2))); /* * Note that we set proxied BEFORE sending the packet. --- src/main/listen.c.orig 2010-09-28 13:03:56.0 +0200 +++ src/main/listen.c 2010-11-04 18:34:41.0 +0100 
@@ -1718,6 +1718,7 @@ { rad_listen_t *this, *tmp, **last; listen_socket_t *sock, *old; + char buffer[128]; /* * Find an existing proxy socket to copy. @@ -1778,6 +1779,11 @@ sock-port = 0; if (listen_bind(this) = 0) { + DEBUG(Adding listener on address %s, port %u, + inet_ntop(sock-ipaddr.af, + sock-ipaddr.ipaddr, + buffer, sizeof(buffer)), + sock-port); /* * Add the new listener to the list of * listeners. --- src/main/realms.c.orig 2010-09-28 13:03:56.0 +0200 +++ src/main/realms.c 2010-11-04 21:34:44.0 +0100 @@ -1872,6 +1872,7 @@ home_server *found = NULL; home_server *zombie = NULL; VALUE_PAIR *vp; + charbuffer1[128], buffer2[128]; /* * Determine how to pick choose the home server. @@ -2098,6 +2099,15 @@ request-proxy-vps = paircopy(request-packet-vps); } + DEBUG(Found home server %s, address %s, port %u, source address %s, + found-name, + inet_ntop(found-ipaddr.af, + found-ipaddr.ipaddr, + buffer1, sizeof(buffer1)), + found-port, + inet_ntop(found-src_ipaddr.af, + found-src_ipaddr.ipaddr, + buffer2, sizeof(buffer2))); /* * Update the various fields as appropriate. */ @@ -2232,12 +2242,19 @@ { home_server *home = data; rad_listen_t *this; + char buffer[128]; /* * If there WAS a src address defined, ensure that a * proxy listener has been defined. */ if (home-src_ipaddr.af != AF_UNSPEC) { + DEBUG(Allocating proxy listener for %s using source address %s, + home-name, + inet_ntop(home-src_ipaddr.af, + home-src_ipaddr.ipaddr, + buffer, sizeof(buffer))); + this = proxy_new_listener(home-src_ipaddr, TRUE); /* - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
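Review bot: the patch as archived has lost its angle brackets and comparison operators (`request-coa`, `request-proxy-dst_ipaddr`, `if (listen_bind(this) = 0)` and `charbuffer1[128]` all appear with characters missing), so it cannot be applied from this message; resend it as an attachment or a pull request so the extra src_ipaddr debugging can actually be reviewed and merged. The `buffer2[128]` added in this first event.c hunk is otherwise fine: 128 bytes comfortably exceeds INET6_ADDRSTRLEN.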
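Review bot: the new RDEBUG2 in proxy_request() passes the result of inet_ntop() on request->proxy->src_ipaddr straight to a %s, but a source address is optional: the realms.c hunk further down only allocates a proxy listener when home->src_ipaddr.af != AF_UNSPEC, and inet_ntop() returns NULL for an unsupported family, which makes the format call undefined. Branch on the address family first and print a fixed marker such as "(any)" when no source address is configured, or check the return value before formatting.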
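Review bot: in the listen.c hunk the DEBUG line prints sock->port immediately after `sock->port = 0` and the listen_bind() call, so it is only informative if listen_bind() writes the kernel-assigned port back into sock->port, which this hunk does not show. Confirm that it does, or the output will read "port 0" and mislead the next person chasing a src_ipaddr problem.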
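Review bot: the "Found home server ... source address %s" DEBUG in realms.c has the same inet_ntop() NULL issue as the event.c change: found->src_ipaddr may be unset (the following hunk tests home->src_ipaddr.af != AF_UNSPEC before using it), so format the source address only when the family is set and print a placeholder otherwise.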
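Review bot: the DEBUG added in the proxy listener allocation path is correctly placed inside the `home->src_ipaddr.af != AF_UNSPEC` guard, so there is no NULL risk here; since this runs once per home server at configuration load, consider also printing home->port (the field is used as found->port in the previous hunk) so that the listener-to-home-server pairing can be read off a single line.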
Re: PEAP w/ freeradius to LDAP storing ntPassword not working
I put the debug into the form at http://networkradius.com/freeradius.html and got the following for the first packet.

My LDAP entry:

dn: uid=sding,ou=People,dc=fsu,dc=edu
ntPassword: 771CFDFE02A8C15E15B3E0E4974602FA

smbencrypt of my password; the hashes are the same as in the LDAP query:

LM Hash                           NT Hash
FC6252923272ADAEC6EBE8776A153FEB  771CFDFE02A8C15E15B3E0E4974602FA

Radius debug interpreter output:

[ldap] ntPassword -> NT-Password == 0x3737314346444645303241384331354531354233453045343937343630324641
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?

Could someone kindly shed some light on this for me, please?

Thanks,
Schilling

Packet 0

rad_recv: Access-Request packet from host 127.0.0.1 port 35206, id=243, length=113
        User-Name = "sding"
        NAS-IP-Address = 128.186.33.38
        NAS-Port = 3
        MS-CHAP-Challenge = 0x1f0a6708d52907ac
        MS-CHAP-Response = 0x0001b521c0b0b7e69a6109b6b5a5ed5724222914a679acbb5208
server ldap_ntpassword_1814 {
# Executing section authorize from file /opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[ldap] performing user authorization for sding
[ldap] expand: (&(uid=%u)(!(uid=lib-guest*))) -> (&(uid=sding)(!(uid=lib-guest*)))
[ldap] expand: dc=fsu,dc=edu -> dc=fsu,dc=edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to mds.fsu.edu:389, authentication 0
[ldap] starting TLS
[ldap] bind as cn=radius-proxy,ou=proxy-users,dc=fsu,dc=edu/y0dayad0 to mds.fsu.edu:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=fsu,dc=edu, with filter (&(uid=sding)(!(uid=lib-guest*)))
[ldap] looking for check items in directory...
[ldap] ntPassword -> NT-Password == 0x3737314346444645303241384331354531354233453045343937343630324641
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user sding authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
Found Auth-Type = MSCHAP
WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
Failed to authenticate the user.
Login incorrect: [sding] (from client localhost port 3)
} # server ldap_ntpassword_1814
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 243 to 127.0.0.1 port 35206
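The `[ldap] ntPassword -> NT-Password == 0x3737...` line above can be checked directly: the octets 0x37 0x37 0x31 0x43 ... are the ASCII codes of the hex string stored in the ntPassword attribute, so the server received the 16-byte NT hash hex-encoded a second time, while MS-CHAP needs the 16 raw bytes. The following is an added example, not code from the thread or from FreeRADIUS; it classifies an NT-Password value by encoding and recovers the raw hash, using the two values quoted in the post.

```python
# Added example, not from the thread or FreeRADIUS: classify the octets that
# appear as NT-Password in the debug output and recover the 16-byte NT hash
# that MS-CHAP needs. The LDAP and debug values are the ones quoted in the post.

LDAP_NTPASSWORD = b"771CFDFE02A8C15E15B3E0E4974602FA"      # 32 hex chars, ASCII
DEBUG_NT_PASSWORD = "0x3737314346444645303241384331354531354233453045343937343630324641"

HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")

def classify_nt_password(octets):
    """'raw' for a 16-byte hash, 'hex' for 32 hex characters, 'hex-prefixed'
    for '0x' followed by 32 hex characters, otherwise 'invalid'."""
    if len(octets) == 16:
        return "raw"
    if len(octets) == 32 and set(octets) <= HEX_DIGITS:
        return "hex"
    if (len(octets) == 34 and octets[:2].lower() == b"0x"
            and set(octets[2:]) <= HEX_DIGITS):
        return "hex-prefixed"
    return "invalid"

def normalize_nt_password(octets):
    """Reduce any accepted form to the 16 raw hash bytes, or raise ValueError."""
    kind = classify_nt_password(octets)
    if kind == "raw":
        return bytes(octets)
    if kind == "hex":
        return bytes.fromhex(octets.decode("ascii"))
    if kind == "hex-prefixed":
        return bytes.fromhex(octets[2:].decode("ascii"))
    raise ValueError("not an NT hash in any known encoding (%d bytes)" % len(octets))

def explain_debug_value(debug_text):
    """Take the 0x... value printed by radiusd -X, turn it back into the octets
    that were in the attribute, and report what they are plus the raw hash."""
    octets = bytes.fromhex(debug_text[2:])
    kind = classify_nt_password(octets)
    raw = normalize_nt_password(octets) if kind != "invalid" else None
    return kind, octets, raw
```

Run against the debug value, explain_debug_value reports 'hex' and returns octets equal to the ntPassword string, showing that a correctly handled attribute would have appeared as NT-Password == 0x771CFDFE... (16 bytes) rather than as a 32-byte value.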
Re: Counter SQL Calculation
Can anyone please help on this, as I've googled and cannot find a solution to the issue I've outlined below.

Thx
Nev

Hi Everyone,

Here is some debug, if anyone can help explain or correct the [monthlytraffic] counter calculation.

Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] expand: SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='%{User-Name}' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW()) -> SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())
Sat Oct 30 22:39:39 2010 : Debug: sqlcounter_expand: '%{sql:SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())}'
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_xlat
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] expand: %{User-Name} -> FTU-GzwgcD
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_set_user escaped user --> 'FTU-GzwgcD'
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] expand: SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW()) -> SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())
Sat Oct 30 22:39:39 2010 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_xlat finished
Sat Oct 30 22:39:39 2010 : Debug: rlm_sql (sql): Released sql socket id: 4
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] expand: %{sql:SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())} -> 991187
Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Check item is greater than query result
Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Authorized user FTU-GzwgcD, check_item=26210, counter=991187
Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Sent Reply-Item for user FTU-GzwgcD, Type=Session-Octets-Limit, value=262191221
Sat Oct 30 22:39:39 2010 : Info: ++[monthlytraffic] returns ok

The important bit is that the counter returns 991187, but then the Reply-Item Session-Octets-Limit is set to 262191221, which is actually an INCREASE of 91221. How is this calculation CORRECT?

Thx
Nev

Hi everyone,

I have a small problem where the counter is not working how I would like it to work.

sqlcounter monthlytraffic {
        counter-name = Monthly-Traffic
        check-name = Max-Monthly-Traffic
        reply-name = Session-Octets-Limit
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        query = "SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())"
}

The problem with this is that if the SELECT statement returns a value less than the value of Max-Monthly-Traffic, then Session-Octets-Limit is set to equal Max-Monthly-Traffic. What I need it to do is to populate Session-Octets-Limit with the VALUE of Max-Monthly-Traffic, then subtract the VALUE of the select statement. E.g. if Max-Monthy-Traffic is set to 250Mb or 26210, and the SELECT returns a result of 5243 being 50Mb of usage, then Session-Octets-Limit should be set to 26210 - 523 being 25687.

Can anyone point me in the right direction on this please.

Thx
Nev
Re: PEAP w/ freeradius to LDAP storing ntPassword not working
schilling wrote:
> Found Auth-Type = EAP
> WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.

You have edited the default configuration and broken it. Don't do that.

Alan DeKok.
Idle-Timeout problem
Hi

I currently work with freeradius version 2.1.7; my users are in mysql.

mysql> SELECT * FROM `radusergroup`;
+----------+------------+----------+
| username | groupname  | priority |
+----------+------------+----------+
| joseph   | Desarrollo |        1 |
| carlos   | Desarrollo |        1 |
| miguel   | Admins     |        1 |
+----------+------------+----------+

My problem is that users are being disconnected before the time indicated by the parameter Idle-Timeout.

mysql> SELECT * FROM `radgroupreply`;
+----+------------+--------------------+----+---------------------+
| id | groupname  | attribute          | op | value               |
+----+------------+--------------------+----+---------------------+
|  1 | Desarrollo | Service-Type       | =  | Framed-User         |
|  2 | Desarrollo | Framed-Protocol    | =  | PPP                 |
|  3 | Desarrollo | Framed-MTU         | =  | 1500                |
|  4 | Desarrollo | Framed-Compression | =  | Van-Jacobsen-TCP-IP |
|  5 | Desarrollo | Framed-IP-Netmask  | =  | 255.255.255.0       |
|  6 | Desarrollo | Idle-Timeout       | := | 900                 |
|  7 | Admins     | Service-Type       | =  | Framed-User         |
|  8 | Admins     | Framed-Protocol    | =  | PPP                 |
|  9 | Admins     | Framed-MTU         | =  | 1500                |
| 10 | Admins     | Framed-Compression | =  | Van-Jacobsen-TCP-IP |
| 11 | Admins     | Framed-IP-Netmask  | =  | 255.255.255.0       |
| 12 | Admins     | Idle-Timeout       | := | 0                   |
+----+------------+--------------------+----+---------------------+

As you can see here, it is sending the access server the parameters defined above in the database.

Sending Access-Accept of id 246 to 172.19.19.50 port 17979
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-IP-Netmask = 255.255.255.0
        Idle-Timeout := 900

And here you can see the user disconnected prematurely:

rad_recv: Accounting-Request packet from host 172.19.19.10 port 17979, id=197, length=170
        NAS-IP-Address = 172.19.19.10
        NAS-Identifier = "Access Server"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 10.71.53.214
        User-Name = "carlos"
        NAS-Port = 447
        NAS-Port-Type = Async
        Called-Station-Id = "60110"
        Calling-Station-Id = "78382547"
        Acct-Status-Type = Stop
        Acct-Session-Id = "013425"
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        Acct-Input-Octets = 47429
        Acct-Output-Octets = 4377
        Acct-Input-Packets = 66
        Acct-Output-Packets = 57
        Acct-Session-Time = 95
        Acct-Terminate-Cause = Idle-Timeout

Thanks
Michel

--
Webmail, e-mail service of Casa de las Americas - Havana, Cuba.