EAP-SIM and EAP-AKA support

2010-11-04 Thread dfds fds


From: dfds fds srinujob2...@yahoo.com
Subject: EAP-SIM and EAP-AKA support
To: freeradius-users@lists.freeradius.org, freeradius-de...@lists.freeradius.org
Date: Wednesday, November 3, 2010, 6:47 PM

Hi, I am trying to set up a RADIUS server with EAP-SIM and EAP-AKA support. It
seems that the FreeRADIUS server supports EAP-SIM, but I am not sure about AKA; does
FreeRADIUS support EAP-AKA as well? Could you please forward the procedure to set up a
FreeRADIUS server with EAP-SIM and AKA support.
Is there any freely available server which supports these features?
Thanks for your help
Regards, Srinivas


  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-SIM and EAP-AKA support

2010-11-04 Thread tmuehlhoff
Maybe this helps you: 

http://agsm.sourceforge.net/eap-sim_aka.html

I'm actually looking for an EAP-SIM implementation that gateways RADIUS 
requests to a real HLR via MAP.

From the documentation I can't see that FreeRadius supports this ?!

/To

freeradius and Cisco VPN IPSEC profiles authentication

2010-11-04 Thread Jevos, Peter
Hi, I tried to set up the configuration from different sources on the
web, but it's not easy.

I have a Cisco VPN access server with several IPSEC profiles (groups).
They should be authenticated against FreeRADIUS.

One profile called Group1 should be authenticated against ntlm_auth_vpn
(already working), the others against vpn_auth_name.

 

So my users file is:

DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
        Tunnel-Type = ESP,
        Tunnel-Private-Group-ID = Group1,
        Tunnel-Password = cisco,
        Cisco-Avpair=ipsec:dns-servers=10.1.1.6 10.1.1.7,
        Cisco-Avpair=ipsec:addr-pool=vpn_pool,
        Cisco-Avpair=ipsec:inacl=101,
        Cisco-Avpair=ipsec:key-exchange=ike,
        Cisco-Avpair=ipsec:key-exchange=preshared-key,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,

DEFAULT Auth-Type := vpn_auth_name, NAS-IP-Address == 10.1.1.252
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

 

The point is that the group Group1 should be authenticated against
ntlm_auth_vpn, and the other groups against vpn_auth_name.

However this config doesn't work; the debug output looks strange (it takes only
the first Cisco-Avpair attribute), so probably something is wrong in the config.

Thanks for your help

pet

Re: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-04 Thread Phil Mayers

On 04/11/10 10:41, Jevos, Peter wrote:

> However this config doesn't work, debug looks strange ( takes only first
> Cisco Avpair attribute ), probably something wrong in the config

Send the full debug output, as asked frequently on this list.


Re: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-04 Thread Phil Mayers

On 04/11/10 10:41, Jevos, Peter wrote:

> DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
> Tunnel-Type = ESP,
> Tunnel-Private-Group-ID = Group1,
> Tunnel-Password = cisco,
> Cisco-Avpair=ipsec:dns-servers=10.1.1.6 10.1.1.7,
> Cisco-Avpair=ipsec:addr-pool=vpn_pool,

This is wrong; you want:

Cisco-AVpair += 2nd:attribute

This is documented in the manpage and docs.


Re: Doubt - Freeradius + Ldap

2010-11-04 Thread eduardo moreira
Sorry about this mail Josip, but I checked my clients.conf again, and I put
the conf here for you to see.

clients.conf
client 127.0.0.1 {
secret  = password
shortname   = localhost
nastype = other # localhost isn't usually a NAS...
}
client 10.12.60.19 {
secret  = password
shortname   = any
nastype = other
}

and I use this command to test the connection:
radtest username 123456 10.12.60.19 1812 0 password

And I see the debug log and receive this message:
Mon Nov  1 15:06:16 2010 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.12.60.19 port 50105, id=100,
length=73
User-Name = username
User-Password = c\355W'\021tC\372\177R\232(\007\027n\263
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Framed-Protocol = PPP
Thu Nov  4 09:30:02 2010 : Debug: +- entering group authorize
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling preprocess
(rlm_preprocess) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 1
Thu Nov  4 09:30:02 2010 : Debug: ++[preprocess] returns ok
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 1
Thu Nov  4 09:30:02 2010 : Debug: ++[mschap] returns noop
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling ldap
(rlm_ldap) for request 1
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: - authorize
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing user authorization
for username
Thu Nov  4 09:30:02 2010 : Debug: expand: (uid=%u) - (uid=username)
Thu Nov  4 09:30:02 2010 : Debug: expand: dc=a,dc=a,dc=c,dc=b -
dc=a,dc=a,dc=c,dc=b
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing search in
dc=a,dc=a,dc=c,dc=b,dc=a,dc=a,dc=c,dc=b, with filter (uid=username)
Thu Nov  4 09:30:02 2010 : Error: rlm_ldap: ldap_search() failed: LDAP
connection lost.
Thu Nov  4 09:30:02 2010 : Info: rlm_ldap: Attempting reconnect
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: attempting LDAP reconnection
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: closing existing LDAP connection
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: (re)connect to ldap.intra
proxy.intra localhost:389, authentication 0
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: bind as
cn=Administrator,dc=a,dc=c,dc=a,dc=c,dc=b/password to ldap.intra proxy.intra
localhost:389
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: waiting for bind result ...
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: Bind was successful
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing search in
dc=a,dc=c,dc=a,dc=a,dc=c,dc=a,dc=c, with filter (uid=username)
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: Added User-Password =
{crypt}tg/iHj5yM2iXI in check items
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: No default NMAS login sequence
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: looking for check items in
directory...
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute userPassword as
RADIUS attribute Password-With-Header == {crypt}tg/iHj5yM2iXI
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambantPassword
as RADIUS attribute NT-Password ==
0x3738463934413643303931413730423936454135373046344341353438304531
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambalmPassword
as RADIUS attribute LM-Password ==
0x3743414142444638393134314430423841414433423433354235313430344545
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS
attribute Group == username
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: looking for reply items in
directory...
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: user username authorized to use
remote access
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned from ldap
(rlm_ldap) for request 1
Thu Nov  4 09:30:02 2010 : Debug: ++[ldap] returns ok
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned from eap
(rlm_eap) for request 1
Thu Nov  4 09:30:02 2010 : Debug: ++[eap] returns noop
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned from chap
(rlm_chap) for request 1
Thu Nov  4 09:30:02 2010 : Debug: ++[chap] returns noop
Thu Nov  4 09:30:02 2010 : Debug:
!!!
Thu Nov  4 09:30:02 2010 : Debug: !!!Replacing User-Password in config
items with Cleartext-Password. 

Re: proxy.conf src_ipaddr ignored

2010-11-04 Thread Edgar Fuß
> I guess you (a) didn't read my message,
Sorry, I did read your message.

> and (b) want to debug it yourself.
That's sometimes the thing I end up with.

> Exactly.
So I upgraded and things got worse (or better, if you prefer consistency). Now,
it doesn't honor the src_ipaddr setting no matter if I start with -sfxx -l
stdout or whatever.
What I gain are hundreds of messages like
Failed binding to proxy address  port 1000: Permission denied
(note there are two spaces here^^, so this looks like an empty string
surrounded by spaces)
The only unusual thing I can find is that there is an interface alias address
on the interface having as a primary address the src_ipaddr given.
I'm somewhat, eh, reluctant to remove this alias at this time since this
would mean losing one of my two DNS resolvers.
What I could try later is using another interface's (one not having an alias)
address as src_ipaddr and see if that is honoured or not.
This all is on NetBSD/amd64 4.0.1 in case it matters.

I can post any configuration details or debugging output if that helps.

> The alternative is to demand that *we* do the work to track it down.
There seems to be some serious misunderstanding here.
I was not asking for anybody to track down my problems. I'm used to tracking
down my problems myself.
I was simply asking whether this was a known issue or not.
Had the problem gone away by upgrading to 2.1.10, it might have, in fact, still
been there, only hidden by some random artifact. It might have reappeared with
2.1.11 or by some totally unrelated configuration change.


Re: Doubt - Freeradius + Ldap

2010-11-04 Thread Johan Meiring

On 2010/11/04 01:51 PM, eduardo moreira wrote:

> and i use this command to test connection:
> radtest username 123456 10.12.60.19 1812 0 password

man radtest gives me this:
radtest  [-d raddb_directory] user password radius-server nas-port-number
secret [ppphint] [nasname]

Looking at your command:
radtest username 123456 10.12.60.19 1812 0 password

This maps to:
user=username
password=123456
radius-server=10.12.60.19
nas-port-number=1812
secret=0
ppphint=password

--

Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Re: EAP-SIM and EAP-AKA support

2010-11-04 Thread dfds fds
Thanks a lot for the valuable information. I will try to set up FreeRADIUS for
EAP-SIM. I still have to search for how to configure EAP-AKA; if anybody knows
about it, please share the info.
Thanks and Regards, Srinivas

Re: Doubt - Freeradius + Ldap

2010-11-04 Thread eduardo moreira
Hi Johan,

thanks for your reply.

I tried with your command,

raddtest -d /etc/freeradius username password ip-server port-server secret
but it doesn't work.

But thanks.

Re: Doubt - Freeradius + Ldap

2010-11-04 Thread Johan Meiring

On 2010/11/04 02:16 PM, eduardo moreira wrote:

> raddtest -d /etc/freeradius username password ip-server port-server
> secret but it doesn't work.

Copy and paste your command.
Do not retype it.


Re: Doubt - Freeradius + Ldap

2010-11-04 Thread eduardo moreira
Sorry

radtest -d /etc/freeradius username 123456 10.12.60.19 1812 password any

Re: Doubt - Freeradius + Ldap

2010-11-04 Thread Alan DeKok
eduardo moreira wrote:
> Sorry about this mail Josip, but I checked my clients.conf again, and I
> put the conf here for you to see.

  The debug log you posted contains the solution to the problem.

  Read it.

  If it's too hard to understand, paste the debug output into this form:

http://networkradius.com/freeradius.html

  And then read the output.  It won't be hard.

  Alan DeKok.


Re: Doubt - Freeradius + Ldap

2010-11-04 Thread Johan Meiring

On 2010/11/04 02:37 PM, eduardo moreira wrote:

> sorry
>
> radtest -d /etc/freeradius username 123456 10.12.60.19 1812 password any

That should work.
The "any" is probably unnecessary.

What does freeradius -X now say?


Re: proxy.conf src_ipaddr ignored

2010-11-04 Thread Edgar Fuß
> What I could try later is using another interface's (one not having an alias)
> address as src_ipaddr and see if that is honoured or not.
With that, I still get the "Failed binding to proxy address" messages.


Re: Doubt - Freeradius + Ldap

2010-11-04 Thread eduardo moreira
Same message, but one message disappears:

Thu Nov  4 09:30:02 2010 : Debug:   WARNING: Unprintable characters in the
password.   Double-check the shared secret on the server and the NAS!

Before this message, this appears:
Thu Nov  4 10:58:52 2010 : Debug:
!!!
Thu Nov  4 10:58:52 2010 : Debug: !!!Replacing User-Password in config
items with Cleartext-Password. !!!
Thu Nov  4 10:58:52 2010 : Debug:
!!!
Thu Nov  4 10:58:52 2010 : Debug: !!! Please update your configuration so
that the known good   !!!
Thu Nov  4 10:58:52 2010 : Debug: !!! clear text password is in
Cleartext-Password, and not in User-Password. !!!
Thu Nov  4 10:58:52 2010 : Debug:
!!!
Thu Nov  4 10:58:52 2010 : Debug: auth: type Local
Thu Nov  4 10:58:52 2010 : Debug: auth: user supplied User-Password does NOT
match local User-Password
Thu Nov  4 10:58:52 2010 : Debug: auth: Failed to validate the user.
Thu Nov  4 10:58:52 2010 : Auth: Login incorrect: [username/123456] (from
clientany port 1812)
Sending Access-Reject of id 168 to 10.12.60.19 port 53629
Thu Nov  4 10:58:52 2010 : Debug: Finished request 2.
Thu Nov  4 10:58:52 2010 : Debug: Going to the next request
Thu Nov  4 10:58:52 2010 : Debug: Waking up in 4.9 seconds.
Thu Nov  4 10:58:57 2010 : Debug: Cleaning up request 2 ID 168 with
timestamp +98
Thu Nov  4 10:58:57 2010 : Debug: Ready to process requests.

In the debug output this appears:

security {
        reject_delay = 0

but it still doesn't work.

Thanks for the help.
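The "Unprintable characters in the password. Double-check the shared secret" warning above is what a shared-secret mismatch looks like on the wire. As an added illustration (not FreeRADIUS code), the block below implements the RFC 2865 User-Password hiding that radtest and the server both apply, and feeds it the secrets from this thread: the mis-ordered radtest command passed "0" as the secret while clients.conf holds "password"; the request authenticator is a constructed fixed value.

```python
"""RFC 2865 section 5.2 User-Password hiding, as an added illustration of the
"Unprintable characters in the password" warning seen in the thread.  This is
not FreeRADIUS code; the authenticator below is a constructed fixed value."""
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the request authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the inverse, keyed on the *ciphertext* of the previous block,
    then strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password length must be a positive multiple of 16")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def looks_printable(data: bytes) -> bool:
    """The server's sanity check: a genuine password is normally printable ASCII."""
    return all(0x20 <= b < 0x7F for b in data)


# Constructed values mirroring the thread: the client ran
#   radtest username 123456 10.12.60.19 1812 0 password
# so "0" was taken as the shared secret, while clients.conf holds "password".
AUTHENTICATOR = bytes(range(16))          # constructed; really 16 random bytes
CLIENT_SECRET = b"0"
SERVER_SECRET = b"password"
PASSWORD = b"123456"


def server_view(client_secret: bytes = CLIENT_SECRET,
                server_secret: bytes = SERVER_SECRET) -> bytes:
    """What the server decodes when the client hid PASSWORD with client_secret."""
    wire = hide_password(PASSWORD, client_secret, AUTHENTICATOR)
    return reveal_password(wire, server_secret, AUTHENTICATOR)


if __name__ == "__main__":
    wrong = server_view()
    print("secret mismatch ->", wrong, "printable:", looks_printable(wrong))
    right = server_view(SERVER_SECRET)
    print("secrets agree   ->", right, "printable:", looks_printable(right))
```

With mismatched secrets the server recovers 16 pseudo-random bytes instead of "123456", which is exactly the garbage shown as User-Password in the earlier debug output.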

Re: proxy.conf src_ipaddr ignored

2010-11-04 Thread Edgar Fuß
> Failed binding to proxy address  port 1000: Permission denied
> (note there are two spaces here^^
I'm unsure why ip_ntoh fails (I don't get any ip_ntoh:  errors), but turning
off dns_lookups shows the default IP (the one to be used without ip_srcaddr)
here.


Re[2]: EAP-PEAP/MSCHAPv2 Proxy

2010-11-04 Thread Влад Власов
Phil Mayers, thanks, it works !!!
But after auth radius goes down with the message Segmentation fault.

AS-IP-Address = 172.100.50.24
NAS-Port = 1
Framed-MTU = 1388
NAS-Port-Type = Wireless-802.11
Service-Type = Authenticate-Only
Called-Station-Id = 00-18-25-10-2b-20:SOME
Calling-Station-Id = 0c-60-76-7c-af-d0
NAS-Port-Id = 0c-60-76-7c-af-d0
State = 0xa1759ecfa772878fdc8ea6894bd21bdb
User-Name = testuser
EAP-Message = 
0x0207009019001703010020e2682cb330a2b26327dbdf5b0f75ff4cc88263dc762230422137cf3c31a862831703010060c6fc24cf2bc03974380904eaadcf3ec855144dce86f9f0ab43321d1bd29990f4a0c80d2b5e7acddd7dd14e6350e16d5d8deb92c9c7ea672c934b04325afe61998aa7afec350bdd7cb2d5bcc8e46bd1af866fa8c051662d89a8bcb1fdd3a11dac
Message-Authenticator = 0x416646a7c9bf61e87f0a523ea2ab38b5
Thu Nov  4 19:42:55 2010 : Info: # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
Thu Nov  4 19:42:55 2010 : Info: +- entering group authorize {...}
Thu Nov  4 19:42:55 2010 : Info: ++[preprocess] returns ok
Thu Nov  4 19:42:55 2010 : Info: ++[chap] returns noop
Thu Nov  4 19:42:55 2010 : Info: ++[mschap] returns noop
Thu Nov  4 19:42:55 2010 : Info: ++[digest] returns noop
Thu Nov  4 19:42:55 2010 : Info: [eap] EAP packet type response id 7 length 144
Thu Nov  4 19:42:55 2010 : Info: [eap] Continuing tunnel setup.
Thu Nov  4 19:42:55 2010 : Info: ++[eap] returns ok
Thu Nov  4 19:42:55 2010 : Info: Found Auth-Type = EAP
Thu Nov  4 19:42:55 2010 : Info: # Executing group from file 
/usr/local/etc/raddb/sites-enabled/default
Thu Nov  4 19:42:55 2010 : Info: +- entering group authenticate {...}
Thu Nov  4 19:42:55 2010 : Info: [eap] Request found, released from the list
Thu Nov  4 19:42:55 2010 : Info: [eap] EAP/peap
Thu Nov  4 19:42:55 2010 : Info: [eap] processing type peap
Thu Nov  4 19:42:55 2010 : Info: [peap] processing EAP-TLS
Thu Nov  4 19:42:55 2010 : Info: [peap] eaptls_verify returned 7
Thu Nov  4 19:42:55 2010 : Info: [peap] Done initial handshake
Thu Nov  4 19:42:55 2010 : Info: [peap] eaptls_process returned 7
Thu Nov  4 19:42:55 2010 : Info: [peap] EAPTLS_OK
Thu Nov  4 19:42:55 2010 : Info: [peap] Session established.  Decoding tunneled 
attributes.
Thu Nov  4 19:42:55 2010 : Info: [peap] Peap state phase2
Thu Nov  4 19:42:55 2010 : Info: [peap] EAP type mschapv2
Thu Nov  4 19:42:55 2010 : Info: [peap] Got tunneled request
EAP-Message = 
0x020700421a0207003d319efde001465e794686be86bbd699982fba5cbf47e1f74caa982438716a3d0b0764c999d747b37b7f006e635f766c6164
server  {
Thu Nov  4 19:42:55 2010 : Debug:   PEAP: Setting User-Name to testuser
Sending tunneled request
EAP-Message = 
0x020700421a0207003d319efde001465e794686be86bbd699982fba5cbf47e1f74caa982438716a3d0b0764c999d747b37b7f006e635f766c6164
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = testuser
State = 0x6a0cdd0a6a0bc75fe06fe99ae32a7b2d
server inner-tunnel {
Thu Nov  4 19:42:55 2010 : Info: # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/inner-tunnel
Thu Nov  4 19:42:55 2010 : Info: +- entering group authorize {...}
Thu Nov  4 19:42:55 2010 : Info: ++[chap] returns noop
Thu Nov  4 19:42:55 2010 : Info: ++[mschap] returns noop
Thu Nov  4 19:42:55 2010 : Info: [suffix] No '@' in User-Name = testuser, 
looking up realm NULL
Thu Nov  4 19:42:55 2010 : Info: [suffix] Found realm DEFAULT
Thu Nov  4 19:42:55 2010 : Info: [suffix] Adding Stripped-User-Name = testuser
Thu Nov  4 19:42:55 2010 : Info: [suffix] Adding Realm = DEFAULT
Thu Nov  4 19:42:55 2010 : Info: [suffix] Proxying request from user testuser 
to realm DEFAULT
Thu Nov  4 19:42:55 2010 : Info: [suffix] Preparing to proxy authentication 
request to realm DEFAULT
Thu Nov  4 19:42:55 2010 : Info: ++[suffix] returns updated
Thu Nov  4 19:42:55 2010 : Info: [eap] Request is supposed to be proxied to 
Realm DEFAULT.  Not doing EAP.
Thu Nov  4 19:42:55 2010 : Info: ++[eap] returns noop
Thu Nov  4 19:42:55 2010 : Info: ++[files] returns noop
Thu Nov  4 19:42:55 2010 : Info: ++[expiration] returns noop
Thu Nov  4 19:42:55 2010 : Info: ++[logintime] returns noop
Thu Nov  4 19:42:55 2010 : Info: ++[pap] returns noop
} # server inner-tunnel
Thu Nov  4 19:42:55 2010 : Info: [peap] Got tunneled reply code 0
Thu Nov  4 19:42:55 2010 : Debug:   PEAP: Calling authenticate in order to 
initiate tunneled EAP session.
Thu Nov  4 19:42:55 2010 : Info: # Executing group from file 
/usr/local/etc/raddb/sites-enabled/inner-tunnel
Thu Nov  4 19:42:55 2010 : Info: +- entering group authenticate {...}
Thu Nov  4 19:42:55 2010 : Info:   modsingle[authenticate]: calling eap 
(rlm_eap) for request 7
Thu Nov  4 19:42:55 2010 : Info: [eap] Request found, released from the list
Thu Nov  4 19:42:55 2010 : Info: [eap] EAP/mschapv2
Thu Nov  4 19:42:55 2010 : Info: [eap] processing type mschapv2
Thu Nov  4 19:42:55 2010 : Info: [eap]   Not-EAP proxy 

RE: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-04 Thread Jevos, Peter

On 04/11/10 10:41, Jevos, Peter wrote:
>> DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
>> Tunnel-Type = ESP,
>> Tunnel-Private-Group-ID = Group1,
>> Tunnel-Password = cisco,
>> Cisco-Avpair=ipsec:dns-servers=10.1.1.6 10.1.1.7,
>> Cisco-Avpair=ipsec:addr-pool=vpn_pool,
>
> This is wrong; you want:
>
> Cisco-AVpair += 2nd:attribute
>
> This is documented in the manpage and docs.

Thank you, it helped but it still doesn't work as I wished:

All I need is:
- When a request comes from 10.1.1.252 and Tunnel-Private-Group-ID =
  Group1, use authentication ntlm_auth_vpn, and send back the Cisco-av pairs
  (ipsec values)
- When a request comes from whencesoever and Tunnel-Private-Group-ID is
  whatever, use authentication vpn_auth_name, and that's it

My current settings are:

DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
, Tunnel-Private-Group-ID == Group1
        Tunnel-Type = ESP,
        Tunnel-Private-Group-ID = Group1,
        Tunnel-Password = cisco,
        Cisco-Avpair=ipsec:dns-servers=10.1.1.6 10.1.1.7,
        Cisco-Avpair=ipsec:addr-pool=vpn_pool,
        Cisco-Avpair=ipsec:inacl=101,
        Cisco-Avpair=ipsec:key-exchange=ike,
        Cisco-Avpair=ipsec:key-exchange=preshared-key,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

DEFAULT Auth-Type := vpn_auth_name,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,

Thanks

pet


which user is using this IP? (Ethernet, no dial-up)

2010-11-04 Thread Guido De Rosa
[Apparently the usenet gateway is not bidirectional, so I re-post here, sorry]

Hello,

AFAIK, there's nothing in the RADIUS protocol allowing you to ask
a RADIUS server which user is currently using a given IP address... or
am I missing something? The only thing you can do is
FreeRADIUS-specific, like issuing the radwho command, which shows you a list
of currently logged-in users, their IP addresses and other information. Another
option is querying the FreeRADIUS database (MySQL/whatever...), which is
actually what some front-ends do (like DaloRADIUS...).

Do you know a more robust/standard/portable solution to get this
information?

To clarify my question I will explain why I need this.

I'm configuring DansGuardian web content filtering
(http://dansguardian.org), which has the possibility to configure several
filter groups, each with different filtering rules. I would like to
match filter groups by RADIUS login, but since this is not implemented
I'm willing to contribute some code to the project, and here I need to
clarify some technical details.

The programmatic counterpart of running radwho should be reading
/var/log/freeradius/radutmp, which is simply the serialization of a C
struct, as I read here:

http://goo.gl/Rq1c7
http://goo.gl/BSvAn
http://goo.gl/erLtw

Would this be the correct approach? Any suggestion?

Thanks!
Guido De Rosa

P.S. the matching thread in the DG mailing list is:
http://tech.groups.yahoo.com/group/dansguardian/message/24488


Re: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-04 Thread Phil Mayers

On 04/11/10 15:25, Jevos, Peter wrote:

>> On 04/11/10 10:41, Jevos, Peter wrote:
>>
>>> DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
>>> Tunnel-Type = ESP,
>>> Tunnel-Private-Group-ID = Group1,
>>> Tunnel-Password = cisco,
>>> Cisco-Avpair=ipsec:dns-servers=10.1.1.6 10.1.1.7,
>>> Cisco-Avpair=ipsec:addr-pool=vpn_pool,
>>
>> This is wrong; you want:
>>
>> Cisco-AVpair += 2nd:attribute
>>
>> This is documented in the manpage and docs.
>
> Thank you, it helped but it still doesn't work as I wished:
>
> All I need is:
> - When a request comes from 10.1.1.252 and Tunnel-Private-Group-ID =
>   Group1, use authentication ntlm_auth_vpn, and send back the Cisco-av pairs
>   (ipsec values)
> - When a request comes from whencesoever and Tunnel-Private-Group-ID is
>   whatever, use authentication vpn_auth_name, and that's it
>
> My current settings are:
>
> DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
> , Tunnel-Private-Group-ID == Group1
>         Tunnel-Type = ESP,
>         Tunnel-Private-Group-ID = Group1,
>         Tunnel-Password = cisco,
>         Cisco-Avpair=ipsec:dns-servers=10.1.1.6 10.1.1.7,
>         Cisco-Avpair=ipsec:addr-pool=vpn_pool,
>         Cisco-Avpair=ipsec:inacl=101,
>         Cisco-Avpair=ipsec:key-exchange=ike,
>         Cisco-Avpair=ipsec:key-exchange=preshared-key,
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Fall-Through = Yes

You've set Fall-Through here - so your Auth-Type will be overwritten by
the 2nd entry:

> DEFAULT Auth-Type := vpn_auth_name,
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,

Remove the Fall-Through
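Both problems in this thread come down to users-file operator semantics: a reply item written with "=" is added only when no attribute of that name is present yet (hence "takes only the first Cisco-Avpair attribute" in the opening message), "+=" always adds another instance, ":=" replaces, and Fall-Through = Yes lets later entries run, so the second entry's "Auth-Type :=" overwrites the first. The block below is an added toy model of that evaluation, not FreeRADIUS's own code; its parser covers only the simplified syntax shown in the thread, and the entries and requests are constructed, shortened versions of the posted ones.

```python
"""Toy model of FreeRADIUS 'users' file evaluation (added example, not FreeRADIUS
code).  It models only the documented operator semantics: reply '=' adds an
attribute if none of that name exists, '+=' always adds another, ':=' replaces;
Fall-Through = Yes lets later entries run, so a later 'Auth-Type :=' overwrites."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]     # (attribute, operator, value)
Attrs = Dict[str, List[str]]    # attribute -> values (RADIUS allows repeats)

# Alternatives are ordered so ':=', '+=' and '==' are tried before plain '='.
ITEM_RE = re.compile(r'^([A-Za-z0-9-]+)\s*(:=|\+=|==|=)\s*(.*?)\s*,?\s*$')


@dataclass
class Entry:
    name: str
    check: List[Item] = field(default_factory=list)
    reply: List[Item] = field(default_factory=list)
    fall_through: bool = False


def parse_item(text: str) -> Item:
    m = ITEM_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse users-file item: {text!r}")
    attr, op, value = m.groups()
    return attr, op, value.strip('"')


def parse_users(text: str) -> List[Entry]:
    """Simplified syntax as posted in the thread: an unindented line starts an
    entry (name + comma-separated check items); indented lines hold one reply
    item each, with no commas inside values."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            attr, op, value = parse_item(raw)
            if attr == "Fall-Through":      # control item, not a reply attribute
                entries[-1].fall_through = value.lower() == "yes"
            else:
                entries[-1].reply.append((attr, op, value))
        else:
            name, _, rest = raw.strip().partition(" ")
            entries.append(Entry(name, [parse_item(c) for c in rest.split(",") if c.strip()]))
    return entries


def apply_op(attrs: Attrs, attr: str, op: str, value: str) -> None:
    """Apply one users-file operator to an attribute list."""
    if op == "=":                                   # add only if absent
        attrs.setdefault(attr, [value])
    elif op == ":=":                                # replace every instance
        attrs[attr] = [value]
    elif op == "+=":                                # always add another instance
        attrs.setdefault(attr, []).append(value)
    else:
        raise ValueError(f"unsupported operator {op!r} for {attr}")


def entry_matches(entry: Entry, request: Attrs) -> bool:
    """Every '==' check item must appear in the request with that value."""
    return all(value in request.get(attr, [])
               for attr, op, value in entry.check if op == "==")


def evaluate(entries: List[Entry], request: Attrs) -> Tuple[Attrs, Attrs]:
    """Return (config items, reply items): the first matching entry wins unless
    it sets Fall-Through, in which case later matching entries also run."""
    config: Attrs = {}
    reply: Attrs = {}
    for entry in entries:
        if not entry_matches(entry, request):
            continue
        for attr, op, value in entry.check:
            if op == ":=":              # e.g. Auth-Type := ... lands in config items
                apply_op(config, attr, op, value)
        for attr, op, value in entry.reply:
            apply_op(reply, attr, op, value)
        if not entry.fall_through:
            break
    return config, reply


# Constructed, shortened version of the entries posted in the thread.
USERS_AS_POSTED = """\
DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252, Tunnel-Private-Group-ID == Group1
\tTunnel-Private-Group-ID = Group1,
\tCisco-Avpair = ipsec:dns-servers=10.1.1.6 10.1.1.7,
\tCisco-Avpair = ipsec:addr-pool=vpn_pool,
\tCisco-Avpair = ipsec:inacl=101,
\tFall-Through = Yes

DEFAULT Auth-Type := vpn_auth_name
\tService-Type = Framed-User
"""
# With Phil's two corrections: '+=' for the repeated Cisco-Avpair, no Fall-Through.
USERS_FIXED = (USERS_AS_POSTED.replace("Cisco-Avpair =", "Cisco-Avpair +=")
               .replace("\tFall-Through = Yes\n", ""))

GROUP1_REQUEST: Attrs = {"NAS-IP-Address": ["10.1.1.252"], "Tunnel-Private-Group-ID": ["Group1"]}
GROUP2_REQUEST: Attrs = {"NAS-IP-Address": ["10.1.1.252"], "Tunnel-Private-Group-ID": ["Group2"]}
```

Running evaluate(parse_users(USERS_AS_POSTED), GROUP1_REQUEST) yields Auth-Type vpn_auth_name and a single Cisco-Avpair; with USERS_FIXED the Group1 request keeps ntlm_auth_vpn with all three Cisco-Avpair values, and a Group2 request falls to the second entry.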


Re: proxy.conf src_ipaddr ignored

2010-11-04 Thread Alan DeKok
Edgar Fuß wrote:
> So I upgraded and things got worse (or better, if you prefer consistency).
> Now, it doesn't honor the src_ipaddr setting no matter if I start with -sfxx
> -l stdout or whatever.

  Hmm... this *was* tested in 2.1.10.  Your configuration must be doing
something odd.

> What I gain are hundreds of messages like
> Failed binding to proxy address  port 1000: Permission denied

  Well, the IP address isn't a valid one.  That's probably why it can't
bind to the socket.

> I can post any configuration details or debugging output if that helps.

  Debugging output would help.

  Alan DeKok.


Re: which user is using this IP? (Ethernet, no dial-up)

2010-11-04 Thread Phil Mayers

On 04/11/10 15:31, Guido De Rosa wrote:

> [Apparently the usenet gateway is not bidirectional, so I re-post here, sorry]
>
> Hello,
>
> AFAIK, there's nothing in the RADIUS protocol allowing you to ask
> a RADIUS server which user is currently using a given IP address... or
> am I missing something? The only thing you can do is

The radius server only knows what the NAS tells it.

> FreeRADIUS-specific like issuing the
> radwho command which shows you a list of currently
> logged-in users, their IP addresses and other information. Another
> option
> is querying the FreeRADIUS database (MySQL/whatever...), which is
> actually what some front-ends do (like DaloRADIUS...).
>
> Do you know a more robust/standard/portable solution to get this
> information?

If your NAS supplies the IP information in the radius requests, use
FreeRadius and the SQL module; there are many variations on how to do
this. The most common is the NAS sending Framed-IP-Address in accounting
packets, and rlm_sql logging the session.

If your NAS doesn't supply the IP information in the radius requests,
FreeRadius can't help you.


Re: which user is using this IP? (Ethernet, no dial-up)

2010-11-04 Thread Alan DeKok
Guido De Rosa wrote:
> AFAIK, there's nothing in the RADIUS protocol allowing you to ask
> a RADIUS server which user is currently using a given IP address... or
> am I missing something?

  No.  Use a database for this kind of query.

> I'm configuring DansGuardian web content filtering
> (http://dansguardian.org) which has the possibility to configure
> several
> filter groups each with different filtering rules. I would like to
> match filter groups by RADIUS login

  What does that mean?

  Alan DeKok.


Re: EAP-PEAP/MSCHAPv2 Proxy

2010-11-04 Thread Alan DeKok
Влад Власов wrote:
> Phil Mayers thanks it works !!!
> But after auth radius goes down with the message Segmentation fault.
...
> Thu Nov  4 19:42:55 2010 : Info: [eap] Final reply from tunneled session code 2
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Session-Timeout = 864000
> Acct-Interim-Interval = 180
> MS-MPPE-Encryption-Policy = 0x0001
> MS-MPPE-Encryption-Types = 0x0006
> MS-MPPE-Send-Key = 0x15cd1e3f591a3cea38108b5deacae079
> MS-MPPE-Recv-Key = 0x2f8000c9000217f94bba2673f2c3b711
> MS-CHAP2-Success =
> 0x81533d32444636394345313934363538303844323846303231363431333043364536373737444137394535
> Thu Nov  4 19:42:55 2010 : Info: [eap] Got reply 2
> Segmentation fault: 11

  Hmm... see doc/bugs for more information.

  Alan DeKok.

RE: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-04 Thread Jevos, Peter

 Cisco-AVpair += 2nd:attribute

 This is documented in the manpage and docs.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

 Thank you, it helped but it still doesn't work as I wished:

 All I need is:
   When request comes from 10.1.1.252 and Tunnel-Private-Group-ID =
 Group1, use authentication ntlm_auth_vpn, and send back Cisco-av
pairs
 (ipsec values)
   When request comes from whencesoever and Tunnel-Private-Group-ID is
 whatever, use authentication vpn_auth_name ,and that's it

 My current settings is:

 DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address ==
10.1.1.252
 , Tunnel-Private-Group-ID == Group1
  Tunnel-Type = ESP,
  Tunnel-Private-Group-ID = Group1,
  Tunnel-Password = cisco,
  Cisco-Avpair+=ipsec:dns-servers=10.1.1.6 10.1.1.7,
  Cisco-Avpair+=ipsec:addr-pool=vpn_pool,
  Cisco-Avpair+=ipsec:inacl=101,
  Cisco-Avpair+=ipsec:key-exchange=ike,
  Cisco-Avpair+=ipsec:key-exchange=preshared-key,
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
   Fall-Through = Yes  

You've set Fall-Through here - so your Auth-Type will be overwritten by 
the 2nd entry:



 DEFAULT Auth-Type := vpn_auth_name,
 Service-Type = Framed-User,
 Framed-Protocol = PPP,


Dear Phil, thank you.
 I removed the Fall-Through parameter; it works partially: when a user comes
from the address 10.1.1.252 and Tunnel-Private-Group-ID is not Group1,
it takes the Auth-Type := ntlm_auth_vpn (which is wrong), and not
Auth-Type := vpn_auth_name.
Therefore there must be two conditions: one is NAS-IP-Address, the second is
PVT-Group

thanks



Re: PEAP/TTLS and Client certificates

2010-11-04 Thread rdeboer

I'm using the Juniper Odyssey Access Client, you can download a trial from
the Juniper website.  So far it's the only supplicant I've come across that
allows for PEAP or TTLS with client certificates.  Drawback being you have
to buy licenses for each instance of it running inside the company, which
undoubtedly is going to cost a fortune.  So if anyone out there has any idea
of a free open source solution I'm game...

About the perl module, I'll start looking into that, thanks for the tip.


Re: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-04 Thread Phil Mayers

On 04/11/10 15:52, Jevos, Peter wrote:




Dear Phil, thank you.
  I removed the Fall-Through parameter; it works partially: when a user comes
from the address 10.1.1.252 and Tunnel-Private-Group-ID is not Group1,
it takes the Auth-Type := ntlm_auth_vpn (which is wrong), and not
Auth-Type := vpn_auth_name.
Therefore there must be two conditions: one is NAS-IP-Address, the second is
PVT-Group


So, match both fields.

Have you read the docs - specifically man users

You want something like:

DEFAULT Auth-Type := x, Service-Type == a, Tunnel-Private-Group-Id == b
Reply-Var-1 = ...

Note: ALL the conditions must be on the 1st line


RE: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-04 Thread Jevos, Peter
Thank you for your reply; however, as you can see from my previous posts, I did
it:

DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address ==
10.1.1.252,Tunnel-Private-Group-ID == Group1
Tunnel-Type = ESP,
Tunnel-Private-Group-ID = Group1,


So the first line is:
DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address ==
10.1.1.252,Tunnel-Private-Group-ID == Group1



Re: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-04 Thread Phil Mayers

On 04/11/10 16:15, Jevos, Peter wrote:

Thank you for your reply; however, as you can see from my previous posts, I did
it:


Frankly I find your posts confusing; your email client doesn't quote 
properly and mangles the text wrapping, so I had no way to be sure.


Post full debug output of a failing request.


RE: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-04 Thread Jevos, Peter



I'm sorry, it's Outlook :)
The point is, if I use Tunnel-Private-Group-ID == Group1 as the condition
on the first line, it doesn't work; it skips and goes to another auth
method.

DEFAULT   Auth-Type := ntlm_auth_vpn, NAS-IP-Address ==
10.1.1.252,Tunnel-Private-Group-ID == Group1
Other statements ...

Re: PEAP/TTLS and Client certificates

2010-11-04 Thread David Jea
Which OS?
David




Re: which user is using this IP? (Ethernet, no dial-up)

2010-11-04 Thread Guido De Rosa
2010/11/4 Phil Mayers p.may...@imperial.ac.uk:
 FreeRADIUS-specific like issuing the
 radwho command which shows you a list of currently
 logged users, their IP addresses and other information. Another
 option
 is querying the FreeRADIUS database (MySQL/whatever...), which is
 actually what some front-ends do (like DaloRADIUS...).

 Do you know a more robust/standard/portable solution to get these
 info?

 If your NAS supplies the IP information in the radius requests, use
 FreeRadius and the SQL module; there are many variations on how to do this.
 The most common is the NAS sending Framed-IP-Address in accounting packets,

My NAS is CoovaChilli (http://coova.org/CoovaChilli) and, yes, it sends
Framed-IP-Address to the RADIUS server.

 and rlm_sql logging the session.

I thought about radutmp because of its simplicity, and it would not
require an additional dependency on a mysql-client library, but I understand
that the mysql solution is far more scalable...

Thanks,
Guido


PEAP w/ freeradius to LDAP storing ntPassword not working

2010-11-04 Thread schilling
Hi All,

We had the ntPassword hash in our LDAP server; now the authentication via
PEAP from a Windows computer and via radtest -t mschap fail. Attached please
find the full debug information. My username is sding for the testing.

Thanks,


[r...@auth2 opt]# ./sbin/radiusd -X
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Nov  4
2010 at 13:04:32
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.

Re: which user is using this IP? (Ethernet, no dial-up)

2010-11-04 Thread Guido De Rosa
2010/11/4 Alan DeKok al...@deployingradius.com:
 Guido De Rosa wrote:

 I'm configuring DansGuardian web content filtering
 (http://dansguardian.org) which has the possibility to configure
 several
 filter groups each with different filtering rules. I would like to
 match filter groups by RADIUS login

  What does that mean?

DansGuardian has the ability to filter web content in a different way
for different users:

http://goo.gl/bVm0V

And as you see in the table

http://goo.gl/yJWmQ

there are a number of methods to identify a user; I simply thought that a
RADIUS identification would be a nice feature to have.

Cheers,
Guido



Restrict certain users to certain clients

2010-11-04 Thread inetjunkmail
I have multiple clients on the following networks:

192.168.89.0/24
192.168.90.0/24
192.168.91.0/24

I have two users:

test1
test2

I would like to grant test1 access to clients on 192.168.89.0/24 and
192.168.90.0/24 but not 192.168.91.0/24.
I would like to grant test2 access to clients on 192.168.91.0/24 but not
192.168.89.0/24 nor 192.168.90.0/24.

I've solved it with huntgroups with individual client IP's but I need to do
it by subnet.

I thought the following would work but it didn't.

/etc/raddb/huntgroups
hunt1   NAS-IP-Address =~ /^192\.168\.(89|90|91)\..*$/

Can anyone provide some direction?

Thanks

Re: PEAP/TTLS and Client certificates

2010-11-04 Thread rdeboer

Mostly windows 7 but linux and OSX would be nice too..


Re: Restrict certain users to certain clients

2010-11-04 Thread inetjunkmail
I've solved it with huntgroups with individual client IP's but I need to do
 it by subnet.

 I thought the following would work but it didn't.

 /etc/raddb/huntgroups
 hunt1   NAS-IP-Address =~ /^192\.168\.(89|90|91)\..*$/


This appears to have been fixed by putting quotes around the regex in place
of the / delimiters:

hunt1   NAS-IP-Address =~ "^192\.168\.(89|90|91)\..*$"

Re: proxy.conf src_ipaddr ignored

2010-11-04 Thread Edgar Fuß
 Your configuration must be doing something odd.
Yes. As specifying multiple identical src_ipaddr values for several home 
servers resulted in 2.1.7 not starting up properly, I (mis)understood the 
comment

 #  The rest of the configuration items listed here are optional,
 #  and do not have to appear in every home server definition.

as if you could specify the values in the localhost home_server definition 
and then every other home_server section would pick them up as defaults.
No, that's not what the wording suggests, but apparently it's how 2.1.7 worked 
-- at least in the case of src_ipaddr and -X.

I thought I had tried moving the src_ipaddr definitions to the individual home 
server sections earlier the day after I upgraded to 2.1.10, but I must have 
made some mistake I cannot reproduce.

As you already pointed out further up in this thread, I like to debug things 
myself. So at least, there is a patch attached adding more debug output to 
proxy listener allocation and home server selection so the day I wasted on the 
subject may serve somebody else.
--- src/main/event.c.orig   2010-09-28 13:03:56.0 +0200
+++ src/main/event.c2010-11-04 17:37:19.0 +0100
@@ -1867,7 +1867,7 @@
 static int proxy_request(REQUEST *request)
 {
struct timeval when;
-   char buffer[128];
+   char buffer[128], buffer2[128];
 
 #ifdef WITH_COA
if (request-coa) {
@@ -1903,12 +1903,15 @@
}
request-next_callback = no_response_to_proxied_request;
 
-   RDEBUG2(Proxying request %u to home server %s port %d,
+   RDEBUG2(Proxying request %u to home server %s port %d using source 
addr %s,
   request-number,
   inet_ntop(request-proxy-dst_ipaddr.af,
 request-proxy-dst_ipaddr.ipaddr,
 buffer, sizeof(buffer)),
-  request-proxy-dst_port);
+  request-proxy-dst_port,
+  inet_ntop(request-proxy-src_ipaddr.af,
+request-proxy-src_ipaddr.ipaddr,
+buffer2, sizeof(buffer2)));
 
/*
 *  Note that we set proxied BEFORE sending the packet.
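Review bot: the new inet_ntop() call on request-proxy-src_ipaddr is unguarded against an unset source address. The realms.c hunk further down only allocates a proxy listener when `home-src_ipaddr.af != AF_UNSPEC`, so a home server configured without src_ipaddr can reach this RDEBUG2 with the family still AF_UNSPEC; inet_ntop() then fails and returns NULL, and a NULL pointer handed to a %s conversion is undefined behaviour (a crash on many libcs, in the debug path that is supposed to help diagnose exactly this configuration). Check the return value and print a placeholder such as "*" when it is NULL.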
--- src/main/listen.c.orig  2010-09-28 13:03:56.0 +0200
+++ src/main/listen.c   2010-11-04 18:34:41.0 +0100
@@ -1718,6 +1718,7 @@
 {
rad_listen_t *this, *tmp, **last;
listen_socket_t *sock, *old;
+   char buffer[128];
 
/*
 *  Find an existing proxy socket to copy.
@@ -1778,6 +1779,11 @@
sock-port = 0;
 
if (listen_bind(this) = 0) {
+   DEBUG(Adding listener on address %s, port %u,
+ inet_ntop(sock-ipaddr.af,
+   sock-ipaddr.ipaddr,
+   buffer, sizeof(buffer)),
+ sock-port);
/*
 *  Add the new listener to the list of
 *  listeners.
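Review bot: the port logged here comes from sock-port, which the context line just above this block sets to 0 before listen_bind() runs; the message is only informative if listen_bind() writes the kernel-assigned port back into sock-port, otherwise every allocation will be logged as `port 0`. Confirm that, or read the bound port back from the socket before logging it.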
--- src/main/realms.c.orig  2010-09-28 13:03:56.0 +0200
+++ src/main/realms.c   2010-11-04 21:34:44.0 +0100
@@ -1872,6 +1872,7 @@
home_server *found = NULL;
home_server *zombie = NULL;
VALUE_PAIR  *vp;
+   charbuffer1[128], buffer2[128];
 
/*
 *  Determine how to pick choose the home server.
@@ -2098,6 +2099,15 @@
request-proxy-vps =  paircopy(request-packet-vps);
}
 
+   DEBUG(Found home server %s, address %s, port %u, source 
address %s,
+ found-name,
+ inet_ntop(found-ipaddr.af,
+   found-ipaddr.ipaddr,
+   buffer1, sizeof(buffer1)),
+ found-port,
+ inet_ntop(found-src_ipaddr.af,
+   found-src_ipaddr.ipaddr,
+   buffer2, sizeof(buffer2)));
/*
 *  Update the various fields as appropriate.
 */
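Review bot: unlike the last hunk in this file, this DEBUG converts found-src_ipaddr without first checking `found-src_ipaddr.af != AF_UNSPEC`; for a home server with no src_ipaddr configured inet_ntop() returns NULL and the %s conversion dereferences it. Wrap the source-address part in the same guard the later hunk uses, or substitute a literal when the family is unset. This code also runs per proxied request (it copies request-packet-vps into request-proxy-vps), so RDEBUG2 with the request would keep the log consistent with the event.c hunk rather than emitting an unprefixed line at debug level 1.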
@@ -2232,12 +2242,19 @@
 {
home_server *home = data;
rad_listen_t *this;
+   char buffer[128];
 
/*
 *  If there WAS a src address defined, ensure that a
 *  proxy listener has been defined.
 */
if (home-src_ipaddr.af != AF_UNSPEC) {
+   DEBUG(Allocating proxy listener for %s using source address 
%s,
+ home-name,
+ inet_ntop(home-src_ipaddr.af,
+   home-src_ipaddr.ipaddr,
+   buffer, sizeof(buffer)));
+
this = proxy_new_listener(home-src_ipaddr, TRUE);
 
/*
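Review bot: the message reads `Allocating proxy listener for %s using source address %s` but is emitted before proxy_new_listener() is called, so a failed allocation leaves the log claiming a listener exists for that source address. Log after the call, or include its result, so the line reflects what actually happened. The AF_UNSPEC guard around this block is the right pattern for every inet_ntop() on a src_ipaddr in this patch.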

Re: PEAP w/ freeradius to LDAP storing ntPassword not working

2010-11-04 Thread schilling
I put the debug into the form
http://networkradius.com/freeradius.html
and got the following for the first packet.

My LDAP entry
dn: uid=sding,ou=People,dc=fsu,dc=edu
ntPassword: 771CFDFE02A8C15E15B3E0E4974602FA

smbencrypt of my password; they are the same as in the LDAP query.

LM Hash: FC6252923272ADAEC6EBE8776A153FEB
NT Hash: 771CFDFE02A8C15E15B3E0E4974602FA

Radius debug interpreter output
 [ldap] ntPassword - NT-Password ==
0x3737314346444645303241384331354531354233453045343937343630324641
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure
that the user is configured correctly?

Could someone kindly shed some light on this for me, please?

Thanks,

Schilling





Packet 0
rad_recv: Access-Request packet from host 127.0.0.1 port 35206,
id=243, length=113
   User-Name = sding
   NAS-IP-Address = 128.186.33.38
   NAS-Port = 3
   MS-CHAP-Challenge = 0x1f0a6708d52907ac
   MS-CHAP-Response =
0x0001b521c0b0b7e69a6109b6b5a5ed5724222914a679acbb5208
server ldap_ntpassword_1814 {
# Executing section authorize from file /opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[ldap] performing user authorization for sding
[ldap]  expand: ((uid=%u)(!(uid=lib-guest*))) -
((uid=sding)(!(uid=lib-guest*)))
[ldap]  expand: dc=fsu,dc=edu - dc=fsu,dc=edu
 [ldap] ldap_get_conn: Checking Id: 0
 [ldap] ldap_get_conn: Got Id: 0
 [ldap] attempting LDAP reconnection
 [ldap] (re)connect to mds.fsu.edu:389, authentication 0
 [ldap] starting TLS
 [ldap] bind as cn=radius-proxy,ou=proxy-users,dc=fsu,dc=edu/y0dayad0
to mds.fsu.edu:389
 [ldap] waiting for bind result ...
 [ldap] Bind was successful
 [ldap] performing search in dc=fsu,dc=edu, with filter
((uid=sding)(!(uid=lib-guest*)))
[ldap] looking for check items in directory...
 [ldap] ntPassword - NT-Password ==
0x3737314346444645303241384331354531354233453045343937343630324641
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure
that the user is configured correctly?
[ldap] user sding authorized to use remote access
 [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
Found Auth-Type = MSCHAP
 WARNING: Unknown value specified for Auth-Type.  Cannot perform
requested action.
Failed to authenticate the user.
Login incorrect: [sding] (from client localhost port 3)
} # server ldap_ntpassword_1814
Using Post-Auth-Type Reject
 WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
requested action.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 243 to 127.0.0.1 port 35206
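The debug line above shows the LDAP ntPassword value reaching NT-Password as 32 ASCII hex characters (0x3737... is the text "771CFDFE...") rather than as the 16-byte NT hash. The following Python is an added example, not code from the thread or from FreeRADIUS: it normalizes such a value to raw bytes before comparing, and computes the NT hash (MD4 over the UTF-16LE password) so a stored ntPassword can be checked offline against a candidate; the candidate "password" is an assumption, since the thread never gives one.

```python
import hmac
import struct


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), written out here because hashlib.new("md4") is
    disabled in many OpenSSL 3 builds.  An NT hash is MD4 of the
    UTF-16LE encoded password."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return ((x & y) | (~x & z)) & mask

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit LE.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    k2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                       # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            a = rotl((a + g(b, c, d) + x[k2[i]] + 0x5A827999) & mask,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3
            a = rotl((a + h(b, c, d) + x[k3[i]] + 0x6ED9EBA1) & mask,
                     (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def normalize_nt_password(value: bytes) -> bytes:
    """Return the 16-byte NT hash from an NT-Password attribute value.

    ntPassword is stored in LDAP as 32 hex characters, so a plain string
    mapping hands the checker 32 ASCII bytes (the 0x3737... value in the
    debug above) instead of 16 binary bytes.  Accept either form; anything
    else is a configuration error, not a password mismatch."""
    if len(value) == 16:
        return value
    if len(value) == 32:
        try:
            return bytes.fromhex(value.decode("ascii"))
        except ValueError:
            pass
    raise ValueError("NT-Password must be 16 raw bytes or 32 hex characters")


def ldap_entry_matches(ntpassword_attr: str, password: str) -> bool:
    """Check a candidate password against a stored ntPassword string."""
    stored = normalize_nt_password(ntpassword_attr.encode("ascii"))
    return hmac.compare_digest(stored, nt_hash(password))


# From the thread's debug output: the hex encoding of the ASCII string
# "771CFDFE02A8C15E15B3E0E4974602FA", i.e. what NT-Password contained.
RADIUS_NT_PASSWORD = bytes.fromhex(
    "3737314346444645303241384331354531354233453045343937343630324641")
LDAP_NTPASSWORD = "771CFDFE02A8C15E15B3E0E4974602FA"

if __name__ == "__main__":
    print(normalize_nt_password(RADIUS_NT_PASSWORD).hex().upper())
    print(ldap_entry_matches(LDAP_NTPASSWORD, "password"))  # assumed candidate
```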


Re: Counter SQL Calculation

2010-11-04 Thread Neville
Can anyone please help on this, as I've googled and cannot find a solution to 
the issue I've outlined below.


Thx
Nev


Hi Everyone,

Here is some Debug if anyone can help explain or correct the
[monthlytraffic] Counter calculation.

Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic]   expand: SELECT
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE
username='%{User-Name}' AND Month(acctstoptime) =(Month(NOW())) AND
Year(acctstoptime) = Year(NOW()) - SELECT
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND
Year(acctstoptime) = Year(NOW())
Sat Oct 30 22:39:39 2010 : Debug: sqlcounter_expand:  '%{sql:SELECT
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND
Year(acctstoptime) = Year(NOW())}'
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_xlat
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic]   expand:
%{User-Name} - FTU-GzwgcD
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_set_user escaped
user -- 'FTU-GzwgcD'
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic]   expand: SELECT
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND
Year(acctstoptime) = Year(NOW()) - SELECT
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND
Year(acctstoptime) = Year(NOW())
Sat Oct 30 22:39:39 2010 : Debug: rlm_sql (sql): Reserving sql socket id: 
4

Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_xlat finished
Sat Oct 30 22:39:39 2010 : Debug: rlm_sql (sql): Released sql socket id: 4
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic]   expand: 
%{sql:SELECT

IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND
Year(acctstoptime) = Year(NOW())} - 991187
Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Check item is greater 
than

query result
Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Authorized user
FTU-GzwgcD, check_item=26210, counter=991187
Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Sent Reply-Item for user
FTU-GzwgcD, Type=Session-Octets-Limit, value=262191221
Sat Oct 30 22:39:39 2010 : Info: ++[monthlytraffic] returns ok


The important bit is that the counter returns 991187, but then the
Reply-Item Session-Octets-Limit is set to 262191221, which is actually an
INCREASE of 91221. How is this calculation CORRECT?

Thx
Nev





Hi everyone,

I have a small problem where the counter is not working how I would like
it to work.

sqlcounter monthlytraffic {
    counter-name = Monthly-Traffic
    check-name = Max-Monthly-Traffic
    reply-name = Session-Octets-Limit
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    query = "SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())"
}

The problem with this is that if the SELECT statement returns a value
less than the value of Max-Monthly-Traffic, it then sets
Session-Octets-Limit equal to Max-Monthly-Traffic.

What I need it to do is to populate Session-Octets-Limit with the VALUE
of Max-Monthly-Traffic, then subtract the VALUE of the Select Statement.

E.G. if Max-Monthly-Traffic is set to 250Mb or 26210, and the SELECT
returns a result of 5243 being 50Mb of usage, then
Session-Octets-Limit should be set to 26210 - 523 being 
25687


Can anyone point me in the right direction on this please.

Thx
Nev
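Neville's counter query only sums sessions whose acctstoptime falls in the current month, and the reply he wants is the allowance minus that sum. As an added example (not from the thread, and not how rlm_sqlcounter computes its reply), here is that query run in Python over a constructed radacct table, with MySQL's Month()/Year() replaced by SQLite's strftime(), plus a variant that also charges sessions still open so in-progress traffic cannot slip past the quota; the 250 MiB limit (262144000 octets) is an assumed value.

```python
import sqlite3

# Constructed radacct rows (not from the thread).  The two October sessions
# that have stopped add up to 991187 octets, the counter value in Neville's
# debug; one session is still open (no acctstoptime), one stopped in September.
SAMPLE_RADACCT = [
    # username, acctstarttime, acctstoptime, acctinputoctets, acctoutputoctets
    ("FTU-GzwgcD", "2010-10-03 10:00:00", "2010-10-03 11:00:00", 500000, 300000),
    ("FTU-GzwgcD", "2010-10-20 09:00:00", "2010-10-20 09:30:00", 100000, 91187),
    ("FTU-GzwgcD", "2010-09-28 08:00:00", "2010-09-28 08:10:00", 9000000, 1),
    ("FTU-GzwgcD", "2010-10-30 22:00:00", None, 40000, 10000),
    ("someone-else", "2010-10-01 00:00:00", "2010-10-01 01:00:00", 1, 1),
]


def open_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the radacct table rlm_sql writes to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (username TEXT, acctstarttime TEXT, "
        "acctstoptime TEXT, acctinputoctets INTEGER, acctoutputoctets INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", SAMPLE_RADACCT)
    return conn


def monthly_usage(conn, username: str, now: str, include_open: bool = False) -> int:
    """Octets used this month.

    With include_open=False this is the thread's query, MySQL's Month()/Year()
    swapped for SQLite's strftime('%Y-%m').  Open sessions have a NULL
    acctstoptime, so that query silently skips them; include_open=True
    attributes them to the current month instead (COALESCE), charging the
    octet counts their interim updates have written so far."""
    stop_expr = "COALESCE(acctstoptime, :now)" if include_open else "acctstoptime"
    sql = (
        "SELECT IFNULL(SUM(acctinputoctets) + SUM(acctoutputoctets), 0) "
        "FROM radacct WHERE username = :user "
        f"AND strftime('%Y-%m', {stop_expr}) = strftime('%Y-%m', :now)"
    )
    return conn.execute(sql, {"user": username, "now": now}).fetchone()[0]


def session_octets_limit(max_monthly_traffic: int, used: int) -> int:
    """The reply Neville asks for: allowance minus usage, floored at 0 so a
    user who is already over quota is never handed a negative value."""
    return max(max_monthly_traffic - used, 0)


def remaining_quota(username: str, max_monthly_traffic: int, now: str,
                    include_open: bool = False) -> int:
    conn = open_sample_db()
    try:
        used = monthly_usage(conn, username, now, include_open)
    finally:
        conn.close()
    return session_octets_limit(max_monthly_traffic, used)


if __name__ == "__main__":
    NOW = "2010-10-30 22:39:39"      # timestamp of the debug lines
    LIMIT = 262144000                # assumed 250 MiB Max-Monthly-Traffic
    for flag in (False, True):
        print(f"include_open={flag}: remaining "
              f"{remaining_quota('FTU-GzwgcD', LIMIT, NOW, flag)} octets")
```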






Re: PEAP w/ freeradius to LDAP storing ntPassword not working

2010-11-04 Thread Alan DeKok
schilling wrote:
 Found Auth-Type = EAP
   WARNING: Unknown value specified for Auth-Type.  Cannot perform
 requested action.

  You have edited the default configuration and broken it.  Don't do that.

  Alan DeKok.


Idle-Timeout problem

2010-11-04 Thread michel

Hi

I currently work with freeradius version 2.1.7, my users are in mysql.

mysql> SELECT * FROM `radusergroup`;
+----------+------------+----------+
| username | groupname  | priority |
+----------+------------+----------+
| joseph   | Desarrollo |        1 |
| carlos   | Desarrollo |        1 |
| miguel   | Admins     |        1 |
+----------+------------+----------+

My problem is that users are being disconnected before the time indicated by
parameter Idle-Timeout.

mysql> SELECT * FROM `radgroupreply`;
+----+------------+--------------------+----+---------------------+
| id | groupname  | attribute          | op | value               |
+----+------------+--------------------+----+---------------------+
|  1 | Desarrollo | Service-Type       | =  | Framed-User         |
|  2 | Desarrollo | Framed-Protocol    | =  | PPP                 |
|  3 | Desarrollo | Framed-MTU         | =  | 1500                |
|  4 | Desarrollo | Framed-Compression | =  | Van-Jacobsen-TCP-IP |
|  5 | Desarrollo | Framed-IP-Netmask  | =  | 255.255.255.0       |
|  6 | Desarrollo | Idle-Timeout       | := | 900                 |
|  7 | Admins     | Service-Type       | =  | Framed-User         |
|  8 | Admins     | Framed-Protocol    | =  | PPP                 |
|  9 | Admins     | Framed-MTU         | =  | 1500                |
| 10 | Admins     | Framed-Compression | =  | Van-Jacobsen-TCP-IP |
| 11 | Admins     | Framed-IP-Netmask  | =  | 255.255.255.0       |
| 12 | Admins     | Idle-Timeout       | := | 0                   |
+----+------------+--------------------+----+---------------------+

As you can see here, it is sending the access server the parameters defined  
above in the database.


Sending Access-Accept of id 246 to 172.19.19.50 port 17979
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Framed-IP-Netmask = 255.255.255.0
Idle-Timeout := 900


And here you can see the user being disconnected prematurely


rad_recv: Accounting-Request packet from host 172.19.19.10 port 17979,  
id=197, length=170

NAS-IP-Address = 172.19.19.10
NAS-Identifier = Access Server
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.71.53.214
User-Name = carlos
NAS-Port = 447
NAS-Port-Type = Async
Called-Station-Id = 60110
Calling-Station-Id = 78382547
Acct-Status-Type = Stop
Acct-Session-Id = 013425
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
Acct-Input-Octets = 47429
Acct-Output-Octets = 4377
Acct-Input-Packets = 66
Acct-Output-Packets = 57
Acct-Session-Time = 95
Acct-Terminate-Cause = Idle-Timeout

Thanks

Michel
--
Webmail, e-mail service
Casa de las Americas - Havana, Cuba.

