Re: user-group for rejected users
Fabricio Viana wrote:
> Let's suppose the following situations:
> 1) User exists but the password is wrong
> 2) User does not exist
> In both cases the answer is REJECT. It happens that certain hardware is making endless attempts that eventually saturate the server.

  See reject_delay in radiusd.conf. It's intended to slow down broken hardware.

> - Is it possible to cause the server, instead of rejecting the users, to accept the login but respond ACCEPT with framed-pool = pool-block?

  Sure. Just configure that.

> - Is there any way to put REJECT users in a given group by default?

  See the FAQ.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radsniff behaviour change?
Brian Candler wrote:
> As of 2.1.10, radsniff doesn't decode packets automatically without -x:
> ...
> Looking at the code, it doesn't even read the dictionary unless you add -x (debug) or -F (filter). This change was made in commit 7a85628d
> I wonder if this logic is unintentionally broken, and in fact you meant to load the dictionary *unless* -F is present?

  The attribute names are needed only when they're being printed. So the code should be fixed to not load the dictionaries when it's writing PCAP files. In all other situations, it should load them.

  Alan DeKok.
Re: Clear text password (radius)
On Fri, Dec 3, 2010 at 2:29 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
> [pap] login attempt with password 1234
> [pap] Using CRYPT password 1234
> [pap] Passwords don't match
>
> Why do the passwords not match if they are the same (1234)?

Because Crypt-Password is not supposed to be the same as the user's password entry. You're supposed to store Unix-style crypted passwords there. If the actual password is 1234, then what you put in the crypt password column should look something like uTDRbHPzsi4IE

See
http://freeradius.org/radiusd/man/rlm_pap.txt
http://en.wikipedia.org/wiki/Crypt_(Unix)
http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html#function_encrypt

-- 
Fajar
Re: agent-remote-id, agent-circuit-id strange format change.
Denis Iskandarov wrote:
> I'm running 2.1.7 on CentOS
> Why am I editing dictionaries? Because I've read the whole mailing list regarding this problem and read such suggestions in some posts (suggested even by you)

  It's sometimes useful, yes. In general, editing them is a bad idea.

> SO RESULTS:
> 1. default FreeRadius 2.1.7 setup: has old redback dictionary from 2000y. with incorrect format of attributes, which are STRING there.

  Yes..

> Changed them to OCTETS - still not working.

  I fail to see why. If you get the attributes printed as ... when the data type is octets, it's because the server is not using the dictionaries you've edited.

>> Really? There are other RADIUS servers?
> Sorry if I've broken your illusions that FreeRadius is the only RADIUS server in the world. I just wanted to say that I've tested this setup on another server and system which has almost the same config files, just a couple of PERL scripts.

  No, your comment about Radiator was unnecessary.

> Maybe something else should be changed in some configuration files that makes FreeRadius understand or convert these attributes in normal format.

  Try 2.1.10. It works. Or, edit the dictionaries that the server is reading.

  Alan DeKok.
RE: Clear text password (radius)
Thanks!

How can I get this crypted password that should look like uTDRbHPzsi4IE?

I am using radius for VoIP; could it be causing this problem because I include sql.conf and not voip-postpaid.conf?

thanks!!
miha

> Date: Fri, 3 Dec 2010 15:33:04 +0700
> Subject: Re: Clear text password (radius)
> From: w...@fajar.net
> To: freeradius-users@lists.freeradius.org
>
> On Fri, Dec 3, 2010 at 2:29 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
>> [pap] login attempt with password 1234
>> [pap] Using CRYPT password 1234
>> [pap] Passwords don't match
>>
>> Why do the passwords not match if they are the same (1234)?
>
> Because Crypt-Password is not supposed to be the same as the user's password entry. You're supposed to store Unix-style crypted passwords there. If the actual password is 1234, then what you put in the crypt password column should look something like uTDRbHPzsi4IE
>
> See
> http://freeradius.org/radiusd/man/rlm_pap.txt
> http://en.wikipedia.org/wiki/Crypt_(Unix)
> http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html#function_encrypt
>
> -- 
> Fajar
Re: Clear text password (radius)
On Fri, Dec 3, 2010 at 3:57 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
> Thanks! How can I get this crypted password that should look like uTDRbHPzsi4IE?

Did you read the links I sent? Jump to the third one if you're impatient.

> I am using radius for VoIP; could it be causing this problem because I include sql.conf and not voip-postpaid.conf?

No idea. I'd check first whether you REALLY want to use Crypt-Password though. Using it pretty much limits your authentication to PAP, and MS-CHAP won't work. Depending on your needs, that may or may not be acceptable.

-- 
Fajar
RE: Clear text password (radius)
Thanks for your help! I checked your links. But how can I know which encryption my NAS server is using? Now my secret on the NAS and on radius is the same but I am still getting "WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!".

Thank you!!!

++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password wyE?
[pap] Using MD5 encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
  WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> 081609000
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.

> Date: Fri, 3 Dec 2010 16:02:04 +0700
> Subject: Re: Clear text password (radius)
> From: w...@fajar.net
> To: freeradius-users@lists.freeradius.org
>
> On Fri, Dec 3, 2010 at 3:57 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
>> Thanks! How can I get this crypted password that should look like uTDRbHPzsi4IE?
>
> Did you read the links I sent? Jump to the third one if you're impatient.
>
>> I am using radius for VoIP; could it be causing this problem because I include sql.conf and not voip-postpaid.conf?
>
> No idea. I'd check first whether you REALLY want to use Crypt-Password though. Using it pretty much limits your authentication to PAP, and MS-CHAP won't work. Depending on your needs, that may or may not be acceptable.
>
> -- 
> Fajar
Re: Clear text password (radius)
On Fri, Dec 3, 2010 at 4:31 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
> Now my secret on the NAS and on radius is the same but I am still getting "WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!".

Did you change anything in the radius config files? Your previous debug does NOT show that problem. Something you did caused the shared secret to be mismatched again after that.

PLEASE check these basic things beforehand, nobody likes wasting time.

Judging from your questions, I highly suggest you simply use Cleartext-Password, and make sure you can authenticate successfully first. Don't even bother with Crypt-Password or MD5-Password just yet.

-- 
Fajar
too long Calling Station Ids
Hi,

Just ran across this IRL:

Calling-Station-Id: GigabitEthernet 1/0/3.2045:2045#587202578###pppoe c0:d0:44:e4:cf:3b#

But:

Mon Nov 29 16:54:16 2010 : Error: [our_sql] Couldn't insert SQL accounting START record - ERROR: value too long for type character varying(50)

The situation is actually a bit inconsistent:

raddb/sql/mssql/schema.sql:      [CallingStationId] [varchar] (30) DEFAULT ('') FOR [CallingStationId],
raddb/sql/mysql/schema.sql:      callingstationid varchar(50) NOT NULL default '',
raddb/sql/postgresql/schema.sql: CallingStationId    VARCHAR(50),
raddb/sql/postgresql/schema.sql: CallingStationId    VARCHAR(50),

Is there really much point in limiting this? The specification seems to say it's a string of an arbitrary length...

-- 
     2. That which causes joy or happiness.
Re: too long Calling Station Ids
On Friday, 03 December 2010 at 11:52 +0100, Josip Rodin wrote:
> Hi,
>
> Just ran across this IRL:
>
> Calling-Station-Id: GigabitEthernet 1/0/3.2045:2045#587202578###pppoe c0:d0:44:e4:cf:3b#
>
> But:
>
> Mon Nov 29 16:54:16 2010 : Error: [our_sql] Couldn't insert SQL accounting START record - ERROR: value too long for type character varying(50)
>
> The situation is actually a bit inconsistent:
>
> raddb/sql/mssql/schema.sql:      [CallingStationId] [varchar] (30) DEFAULT ('') FOR [CallingStationId],
> raddb/sql/mysql/schema.sql:      callingstationid varchar(50) NOT NULL default '',
> raddb/sql/postgresql/schema.sql: CallingStationId    VARCHAR(50),
> raddb/sql/postgresql/schema.sql: CallingStationId    VARCHAR(50),
>
> Is there really much point in limiting this? The specification seems to say it's a string of an arbitrary length...

Depending on the client, CallingStationId could be a MAC address, an IP address or a string. So 50 chars is a good thing that will cover all common cases. If you are sure of the retrieved CallingStationId format you could decrease it to your needs in the SQL table (IP address = 15 chars, MAC address = 17 chars).
Re: too long Calling Station Ids
Josip Rodin wrote:
> Just ran across this IRL:
>
> Calling-Station-Id: GigabitEthernet 1/0/3.2045:2045#587202578###pppoe c0:d0:44:e4:cf:3b#

  Arg. That's a *stupid* thing to do. It would have been saner to define VSAs to hold all of this information, or to re-use the standard attributes.

> But:
>
> Mon Nov 29 16:54:16 2010 : Error: [our_sql] Couldn't insert SQL accounting START record - ERROR: value too long for type character varying(50)
>
> The situation is actually a bit inconsistent:
>
> raddb/sql/mssql/schema.sql:      [CallingStationId] [varchar] (30) DEFAULT ('') FOR [CallingStationId],
> raddb/sql/mysql/schema.sql:      callingstationid varchar(50) NOT NULL default '',
> raddb/sql/postgresql/schema.sql: CallingStationId    VARCHAR(50),
> raddb/sql/postgresql/schema.sql: CallingStationId    VARCHAR(50),
>
> Is there really much point in limiting this? The specification seems to say it's a string of an arbitrary length...

  No more than 253 octets. 99.999% of the time, smaller than 50.

  My $0.02 is that you can change the schema, but it would be better to fix the PPPoE server. Have it send *useful* information, and not random concatenations of arbitrary text.

  Alan DeKok.
Re: too long Calling Station Ids
On Fri, Dec 03, 2010 at 12:20:04PM +0100, Alan DeKok wrote:
> Josip Rodin wrote:
>> Just ran across this IRL:
>>
>> Calling-Station-Id: GigabitEthernet 1/0/3.2045:2045#587202578###pppoe c0:d0:44:e4:cf:3b#
>
>   Arg. That's a *stupid* thing to do. It would have been saner to define VSAs to hold all of this information, or to re-use the standard attributes.

The RADIUS client is a Cisco NAS :)

>> But:
>>
>> Mon Nov 29 16:54:16 2010 : Error: [our_sql] Couldn't insert SQL accounting START record - ERROR: value too long for type character varying(50)
>>
>> The situation is actually a bit inconsistent:
>>
>> raddb/sql/mssql/schema.sql:      [CallingStationId] [varchar] (30) DEFAULT ('') FOR [CallingStationId],
>> raddb/sql/mysql/schema.sql:      callingstationid varchar(50) NOT NULL default '',
>> raddb/sql/postgresql/schema.sql: CallingStationId    VARCHAR(50),
>> raddb/sql/postgresql/schema.sql: CallingStationId    VARCHAR(50),
>>
>> Is there really much point in limiting this? The specification seems to say it's a string of an arbitrary length...
>
>   No more than 253 octets. 99.999% of the time, smaller than 50.

Yes, well, at least synchronize the MS SQL schema with that :)

>   My $0.02 is that you can change the schema, but it would be better to fix the PPPoE server. Have it send *useful* information, and not random concatenations of arbitrary text.

I already told PostgreSQL to just stop limiting it, because AFAICT there's no actual benefit.

I told the people in charge of that Cisco box to compare its IOS to another which doesn't do this on the same input data; instead it does things like this:

0026-5a86-982e eth 2/0/1:4096.2241 0/18/0/5:0.35

-- 
     2. That which causes joy or happiness.
Re: too long Calling Station Ids
On 03/12/10 11:51, Josip Rodin wrote:
> I already told PostgreSQL to just stop limiting it, because AFAICT there's no actual benefit.

Under postgresql, there is NO performance benefit or storage space saving using varchar(N) or char(N) over text. The latter should IMHO always be used, and we modified the SQL schema locally to do that.

It's also worth noting that 253 octets of radius value can expand to 3*253 if they're all unsafe characters and have to be =XX escaped; dumb behaviour or not, it's very unfortunate when a NAS brings your whole radius-SQL infrastructure crashing to a (silent) halt because of unnecessary field length restrictions ;o)
Re: too long Calling Station Ids
Phil Mayers wrote:
> Under postgresql, there is NO performance benefit or storage space saving using varchar(N) or char(N) over text. The latter should IMHO always be used, and we modified the SQL schema locally to do that.

  Patch ?

  Alan DeKok.
Re: too long Calling Station Ids
On Fri, Dec 03, 2010 at 12:12:52PM +0000, Phil Mayers wrote:
> On 03/12/10 11:51, Josip Rodin wrote:
>> I already told PostgreSQL to just stop limiting it, because AFAICT there's no actual benefit.
>
> Under postgresql, there is NO performance benefit or storage space saving using varchar(N) or char(N) over text. The latter should IMHO always be used, and we modified the SQL schema locally to do that.

I should note that the same is true for varchar (character varying) with no specified limit. IOW,

alter table radacct alter column callingstationid type varchar;

-- 
     2. That which causes joy or happiness.
RE: Clear text password (radius)
The interesting thing is this: if I change my password in SQL (a different password) I can see the password. If I put the right password in SQL, when I am trying to call I can see some encrypted password. So, why is the login password encrypted if it is the same as the SQL password?

thanks

# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password /5§Ó?
[pap] Using clear text password 12345
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
  WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject

++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password 12345
[pap] Using clear text password 12
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject

> From: miha_zou...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: RE: Clear text password (radius)
> Date: Fri, 3 Dec 2010 10:00:10 +0000
>
> Hello,
>
> I have checked all these things but I do not see any problem. This is the configuration on the NAS:
>
> ##- Activate RADIUS connection
> setProperty com.centile.connectors.aaa.watchdog.enable false
> setProperty com.centile.connectors.aaa radius
> setProperty com.centile.connectors.aaa.localserv intraswitch
> setProperty com.centile.connectors.aaa.localpass 12345
> setProperty com.centile.connectors.aaa.remotserv 1.2.3.4
> setProperty com.centile.connectors.aaa.remotport 1812
> setProperty com.centile.connectors.aaa.calltype any
>
> You can see that the shared secret is 1235. Please help me. In the attachment please find the configuration files.
>
> Thanks!!
> miha
>
>> Date: Fri, 3 Dec 2010 16:40:59 +0700
>> Subject: Re: Clear text password (radius)
>> From: w...@fajar.net
>> To: freeradius-users@lists.freeradius.org
>>
>> On Fri, Dec 3, 2010 at 4:31 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
>>> Now my secret on the NAS and on radius is the same but I am still getting "WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!".
>>
>> Did you change anything in the radius config files? Your previous debug does NOT show that problem. Something you did caused the shared secret to be mismatched again after that.
>>
>> PLEASE check these basic things beforehand, nobody likes wasting time.
>>
>> Judging from your questions, I highly suggest you simply use Cleartext-Password, and make sure you can authenticate successfully first. Don't even bother with Crypt-Password or MD5-Password just yet.
>>
>> -- 
>> Fajar
Again: clients.conf storage in ldap
Hello list,

I have found one old discussion on the freeradius mailing list about storing RADIUS client definitions in LDAP. That discussion is dated 23 Nov 2004 and is at the following link:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg11425.html

I want to ask what the status of integrating clients.conf into LDAP storage is now, four years later than that discussion. This integration is interesting and makes the configuration more centralized.

thanks
michal

-- 
Ing. Michal Bruncko, CCNP
Linux systems and network administrator
Coupled school of business and services
Ruzomberok
Slovak Republic
Re: Again: clients.conf storage in ldap
On 03/12/10 13:52, Michal Bruncko wrote:
> Hello list,
>
> I have found one old discussion on the freeradius mailing list about storing RADIUS client definitions in LDAP. That discussion is dated 23 Nov 2004 and is at the following link:
>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg11425.html
>
> I want to ask what the status of integrating clients.conf into LDAP storage is now, four years later than that discussion. This integration is interesting and makes the configuration more centralized.

FreeRadius 2 has support for dynamic clients; with that I guess the ldap module can be used to reply to the dynamic client queries with xlat values or (with a 2nd instance and custom ldap.attrmap) read them wholesale out of LDAP. For example:

modules {
	ldap ldap_clients {
		... ldap config
		dictionary_mapping = ldap.attrmap_clients
		base = ...
		filter = "(radiusClientIP=%{Packet-Src-IP-Address})"
	}
}

client dynamic {
	ipaddr = 192.168.0.0
	netmask = 16
	dynamic_clients = dyn_clients_ldap
	lifetime = 3600
}

server dyn_clients_ldap {
	authorize {
		ldap_clients
	}
}

...and in ldap.attrmap_clients:

checkItem	FreeRADIUS-Client-Secret	radiusClientSecret
checkItem	FreeRADIUS-Client-IP-Address	radiusClientIP
checkItem	FreeRADIUS-Client-Shortname	cn

...obviously modify for your LDAP schema.
Re: Again: clients.conf storage in ldap
On 12/03/2010 08:52 AM, Michal Bruncko wrote:
> Hello list,
>
> I have found one old discussion on the freeradius mailing list about storing RADIUS client definitions in LDAP. That discussion is dated 23 Nov 2004 and is at the following link:
>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg11425.html
>
> I want to ask what the status of integrating clients.conf into LDAP storage is now, four years later than that discussion. This integration is interesting and makes the configuration more centralized.

I sent Alan patches for storing clients in ldap. I think I recall Alan saying the plan was to add them to the 2.2 version.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Again: clients.conf storage in ldap
John Dennis wrote:
> I sent Alan patches for storing clients in ldap. I think I recall Alan saying the plan was to add them to the 2.2 version.

  That's on the (large) list of things to do.

  I like Phil's suggestion, too. Even 2.1 has the dynamic_clients module, so that *all* of the clients can be defined dynamically. It's just habit that most people put them into a static clients.conf file.

  Alan DeKok.
no calling-station-id received
Hey everybody,

I don't seem to get a calling-station-id packet when a username is trying to connect.

I'm running gentoo and have the following package versions:

net-dialup/ppp-2.4.5-r1  USE=activefilter atm dhcp eap-tls pam radius -gtk -ipv6  0 kB
net-dialup/rp-pppoe-3.10-r1  USE=-X  0 kB
net-dialup/freeradius-2.1.7  USE=mysql pam ssl threads udpfromto -bindist -debug -edirectory (-firebird) -frascend -frxp -kerberos -ldap -postgres -snmp  0 kB

Another problem I seem to have is people using the same pool_key in my radippool table :/

Where should I start digging?

Thanks in advance.
Re: no calling-station-id received
S Adrian wrote:
> I don't seem to get a calling-station-id packet when a username is trying to connect.

  Fix the client software so that it sends a Calling-Station-Id.

  Alan DeKok.
Re: no calling-station-id received
>> I don't seem to get a calling-station-id packet when a username is trying to connect.
>
> Fix the client software so that it sends a Calling-Station-Id.

Client software being the pppd or rp-pppoe?

Would this also fix the second problem?
Re: too long Calling Station Ids
Alan DeKok al...@deployingradius.com writes:
> Josip Rodin wrote:
>> Just ran across this IRL:
>>
>> Calling-Station-Id: GigabitEthernet 1/0/3.2045:2045#587202578###pppoe c0:d0:44:e4:cf:3b#
>
>   Arg. That's a *stupid* thing to do. It would have been saner to define VSAs to hold all of this information, or to re-use the standard attributes.

I fail to see how that is wrong. It *is* the NAS's Calling Station identificator. What do you suggest a PPPoE concentrator should use?

Yes, I know RFC 2865 says phone number. But it fails to say anything about the situation where there is no originating phone number. So vendors use what they have. And port/vlan/mac is the best they can do unless they have some PPPoE intermediate agent information.

Bjørn
Re: no calling-station-id received
I'm receiving the calling station id now .. I somehow fscked up the sqlippool :| everybody seems to receive 10.67 ips :/

On Fri, Dec 3, 2010 at 5:50 PM, S Adrian dex...@d3xt3r01.tk wrote:
>>> I don't seem to get a calling-station-id packet when a username is trying to connect.
>>
>> Fix the client software so that it sends a Calling-Station-Id.
>
> Client software being the pppd or rp-pppoe?
>
> Would this also fix the second problem?
[no subject]
How to manage customers on a Freeradiusd 2.10.1 server, through MAC filtering, on an Ubuntu 10 operating system?
Need help Configuring Radius and Ldap
My apologies beforehand if this is an easy fix, but I have been working on configuring a radius server on and off now for a few weeks. As a note, I have Radius 2.1.10 installed and I am trying to authenticate using Ldap as the user database. I have little to no experience in both Radius and Ldap, but I have been reading up and looking for documents that explain the process well. The majority of documents that I did find were on an older version of radius, or were not pertinent to my situation.

The following is a copy of my screen when I try authenticating a remote device to the radius server; please let me know if this helps (or if you would like more information on my config).

Thanks in advance,
- James

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[files] users: Matched entry DEFAULT at line 58
++[files] returns ok
[ldap] performing user authorization for jwn6657
[ldap] 	expand: (samaccountname=%{User-Name}) -> (samaccountname=jwn6657)
[ldap] 	expand: cn=Users,dc=ds,dc=saintjoe,dc=edu -> cn=Users,dc=ds,dc=saintjoe,dc=edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with filter (samaccountname=jwn6657)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user jwn6657 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group ntlm_auth {...}
[2010/12/03 10:14:58.799575, 1] param/loadparm.c:6494(map_parameter)
  Unknown parameter encountered: idmap domains
[2010/12/03 10:14:58.799645, 0] param/loadparm.c:7588(lp_do_parameter)
  Ignoring unknown parameter idmap domains
[2010/12/03 10:14:58.799870, 1] param/loadparm.c:6494(map_parameter)
  Unknown parameter encountered: master browser
[2010/12/03 10:14:58.799883, 0] param/loadparm.c:7588(lp_do_parameter)
  Ignoring unknown parameter master browser
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 186 to 131.93.254.2 port 4844
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 186 with timestamp +452
Ready to process requests.
Re: Need help Configuring Radius and Ldap
On 03/12/10 16:39, James Winter wrote:
> My apologies beforehand if this is an easy fix, but I have been working on configuring a radius server on and off now for a few weeks. As a note, I have Radius 2.1.10 installed and I am trying to authenticate using Ldap as the user database. I have little to no experience in both Radius and Ldap, but I have been reading up and looking for documents that explain the process well. The majority of documents that I did find were on an older version of radius, or were not pertinent to my situation.
>
> The following is a copy of my screen when I try authenticating a remote device to the radius server; please let me know if this helps (or if you would like more information on my config).

You haven't said what your problem is!

The radius server is authenticating the user successfully:

> Sending Access-Accept of id 186 to 131.93.254.2 port 4844
> Finished request 3.
> Going to the next request

...so what's the problem?
syntax to discharge my mac Address
hello

I have a problem: I don't know what syntax I should use to insert the MAC addresses of users in the users file.
[no subject]
What is the syntax to register a MAC address in the freeradius users file on the Ubuntu operating system? The error I get is:

parse errror (reply) for entry 00-1E-65-9C-2C-BC
Errors reading /usr/local/etc/raddb/users
/usr/local/ect/raddb/modules/files[7]: Instantiation failed for module files.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[124]: failed to load module files.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[47]: Errors parsing authorize section.
to enlist Mac addresses
hello:

My name is Jesus. I am setting up MAC address management. I register a user in freeradius-server-02.01.1910; I have a Ubuntu 9.10 operating system, and I modify the plain, unformatted users file to register a user as follows:

jesus cleartest-password: = jesus
	service-type = framed-user
	framed-protocol = ppp
	Framed-Compression = Van-Jacobsen-TCP-IP

Now, how do I go about enlisting MAC addresses, and what is the syntax or the commands?

Thanks ..

Jesus R. Cervantes
Re: syntax to discharge my mac Address
Hi,

> hello I have a problem: I don't know what syntax I should use to insert the MAC addresses of users in the users file

..and another one?

well, it's in the documents, the WIKI and the deployment pages, but basically, some of this depends on the format sent by your NAS

00aa44dd33ff	Cleartext-Password := 00aa44dd33ff

..would be a good start.

if you read the documents you would have already learnt about 'radiusd -X' - which, if you run it with that argument, would show you exactly what's coming to your RADIUS server from the NAS.

alan
Re: to enlist Mac addresses
Hi,

> jesus cleartest-password: = jesus

that would never work. massive, important typo.

i've already replied to someone asking the same question about MAC authentication ...what is it with the sudden surge of wanting to authenticate people onto the network based on their MAC address??? is there some course going on that you're all trying to pass...or is there really a big surge of weakly authenticated networks?

MAC authentication is 2001 technology. use 802.1X !

alan
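Both questions in this thread come down to users-file syntax: the first line of an entry carries the name and the check items (`Cleartext-Password := ...`), reply items follow on indented lines with a comma after every line except the last, and, as Alan Buxey says, the MAC has to be spelled exactly the way the NAS sends it as User-Name. The script below is an added example, not code from the list or from FreeRADIUS: it normalises MAC addresses written in several styles, renders them in the style the NAS uses, and emits syntactically valid entries. The style names (bare, colon, dash-upper, cisco) and the idea that the MAC doubles as the password follow the entry Alan posted above; both are this example's assumptions, not anything FreeRADIUS mandates.

```python
"""Added example (not from the thread): generate FreeRADIUS "users" file
entries for MAC-based checks, normalising the MAC into whatever spelling the
NAS sends as User-Name and emitting the check/reply layout the files module
expects (check items on the first line, reply items indented, comma-separated)."""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(raw: str) -> str:
    """Strip separators and case; reject anything that is not 12 hex digits."""
    digits = re.sub(r"[:.\- ]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def format_mac(raw: str, style: str) -> str:
    """Render a MAC in one of the spellings a NAS might use (assumed styles)."""
    d = canonical_mac(raw)
    if style == "bare":          # 00aa44dd33ff
        return d
    if style == "colon":         # 00:aa:44:dd:33:ff
        return ":".join(d[i:i + 2] for i in range(0, 12, 2))
    if style == "dash-upper":    # 00-AA-44-DD-33-FF (as in the parse error posted above)
        return "-".join(d[i:i + 2] for i in range(0, 12, 2)).upper()
    if style == "cisco":         # 00aa.44dd.33ff
        return ".".join(d[i:i + 4] for i in range(0, 12, 4))
    raise ValueError(f"unknown style {style!r}")


def users_entry(name: str, check_items, reply_items) -> str:
    """Render one users-file entry.

    check_items: (attribute, operator, value) tuples, joined on the first line.
    reply_items: (attribute, value) tuples, one per indented line, with a
    trailing comma on every reply line except the last.
    """
    checks = ", ".join(f'{attr} {op} "{value}"' for attr, op, value in check_items)
    lines = [f"{name}\t{checks}" if checks else name]
    for index, (attr, value) in enumerate(reply_items):
        trailer = "," if index < len(reply_items) - 1 else ""
        lines.append(f"\t{attr} = {value}{trailer}")
    return "\n".join(lines)


def mac_entries(macs, style: str, reply_items) -> str:
    """One entry per MAC; the MAC is both the User-Name and the password,
    mirroring the one-line entry shown in the reply above."""
    formatted = [format_mac(m, style) for m in macs]
    return "\n\n".join(
        users_entry(m, [("Cleartext-Password", ":=", m)], reply_items)
        for m in formatted
    )


# Constructed sample input: the same address in three spellings.
SAMPLE_MACS = ["00:1e:65:9c:2c:bc", "00-1E-65-9C-2C-BD", "001e.659c.2cbe"]
PPP_REPLY = [("Service-Type", "Framed-User"),
             ("Framed-Protocol", "PPP"),
             ("Framed-Compression", "Van-Jacobson-TCP-IP")]

if __name__ == "__main__":
    print(mac_entries(SAMPLE_MACS, "bare", PPP_REPLY))
```

Run it and paste the output into raddb/users; `radiusd -X` will then show whether the User-Name the NAS actually sends matches the chosen style, which is the check Alan points to.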
Re: syntax to discharge my mac Address
Alan Buxey wrote:
> ..and another one?

  I'm prepared to ban every account that keeps asking this question.

  Alan DeKok.
Re: too long Calling Station Ids
Bjørn Mork wrote:
> I fail to see how that is wrong. It *is* the NAS's Calling Station identificator. What do you suggest a PPPoE concentrator should use?

  Something better. VSAs, even.

  Using random fields in random printable formats is a bad idea. RADIUS has the concept of attributes. These attributes have names, specific meanings, and well-defined formats. I have no idea why many vendors are unable to use them.

> Yes, I know RFC 2865 says phone number. But it fails to say anything about the situation where there is no originating phone number. So vendors use what they have. And port/vlan/mac is the best they can do unless they have some PPPoE intermediate agent information.

  So define VSAs. Other vendors have. It's not hard.

  Alan DeKok.
Re: freeradius + ldap
On Thu, Dec 02, 2010 at 03:48:34PM +0100, Josip Rodin wrote:

The configuration that works:

ldap ldapPerson {
    set_auth_type = yes
}

I think this is the catch. I don't have this particular option in my config, but I see now that it looks like they're all 2.1.8.

I re-checked the documentation and I see now that it had nothing to do with versions, but a simple fact that the LDAP module defers to any other Auth-Type - and you had a PAP handler there.

-- 
2. That which causes joy or happiness.
Re: Need help Configuring Radius and Ldap
On Dec 3, 2010, at 10:52 AM, Phil Mayers wrote:

You haven't said what your problem is

Sorry! My server tells me that ldap did not find a correct matchup, but then returns true.

[ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with filter (samaccountname=jwn6657)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user jwn6657 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok

It also then continues to search through other forms of authentication, and then it seems to return false to the remote device if any of these are false. The remote device also told me that the authentication was invalid. I was able to successfully authenticate on this device by using the local users file (on the radius server).

The radius server is authenticating the user successfully:

Sending Access-Accept of id 186 to 131.93.254.2 port 4844
Finished request 3.
Going to the next request

...so what's the problem?
Re: too long Calling Station Ids
On Fri, Dec 03, 2010 at 09:41:07PM +0100, Alan DeKok wrote:

Using random fields in random printable formats is a bad idea. RADIUS has the concept of attributes. These attributes have names, specific meanings, and well-defined formats. I have no idea why many vendors are unable to use them.

Yes, I know RFC 2865 says phone number. But it fails to say anything about the situation where there is no originating phone number. So vendors use what they have. And port/vlan/mac is the best they can do unless they have some PPPoE intermediate agent information.

So define VSAs. Other vendors have. It's not hard.

I agree with you that a random string is too vague, but in practice that's actually not bad, compared to the situation that I've had lately, where one set of PPPoE NASes was sending that information like this, another set of PPPoE NASes didn't send *anything*, another set of PPTP NASes sent Tunnel-* attributes, and yet another set of PPTP NASes decided to send nothing. They're all fairly similar Ciscos, but some have funky LACs at the other end, some have a funky T train IOS, some have rabies...

Getting a string full of actual information and worrying how to store it and parse it is a good kind of worry.

-- 
2. That which causes joy or happiness.
Re: Need help Configuring Radius and Ldap
On Fri, Dec 03, 2010 at 02:43:50PM -0600, James Winter wrote:

On Dec 3, 2010, at 10:52 AM, Phil Mayers wrote:

You haven't said what your problem is

Sorry! My server tells me that ldap did not find a correct matchup, but then returns true.

[ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with filter (samaccountname=jwn6657)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user jwn6657 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok

It also then continues to search through other forms of authentication, and then it seems to return false to the remote device if any of these are false.

The above log doesn't look like authentication; rather it's authorization. If you want your LDAP module instance to authenticate, too, call it from the 'authenticate' section?

-- 
2. That which causes joy or happiness.
Assign VLAN
Hello Dears,

I´m using Freeradius for EAPOL authentication with AD (ntlm). My users file is:

more /etc/raddb/users
DEFAULT Auth-Type = ntlm_auth
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 200

Authentication succeeds, but the switch does not assign VLAN 200 to the client port, as in the log below. Why is the switch taking VLAN 0?

23:27:44: dot1x-ev:dot1x_vlan_assign_authc_success: Successfully assigned VLAN 0 to interface FastEthernet0/22
23:27:44: dot1x-sm:Posting AUTHC_SUCCESS on Client=1A6F44C
23:27:44: dot1x_auth Fa0/22: during state auth_authc_result, got event 23(authcSuccess)
23:27:44: @@@ dot1x_auth Fa0/22: auth_authc_result - auth_authz_success
23:27:44: dot1x-sm:Fa0/22:001e.6847.9261:auth_authz_success_enter called
23:27:44: dot1x-ev:dot1x_switch_supplicant_add: Adding 001e.6847.9261 on FastEthernet0/22 in vlan 1, domain is DATA
23:27:44: dot1x-ev:dot1x_switch_addr_add: Added MAC 001e.6847.9261 to vlan 1 on interface FastEthernet0/22
23:27:44: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/22
23:27:44: dot1x-ev:ignored vlan 1 vp is added on interface FastEthernet0/22
23:27:44: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/22
23:27:44: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface FastEthernet0/22
23:27:44: dot1x-ev:Received successful Authz complete for 001e.6847.9261
23:27:44: dot1x-sm:Posting AUTHZ_SUCCESS on Client=1A6F44C
23:27:44: dot1x_auth Fa0/22: during state auth_authz_success, got event 26(authzSuccess)
23:27:44: @@@ dot1x_auth Fa0/22: auth_authz_success - auth_authenticated
23:27:44: dot1x-sm:Fa0/22:001e.6847.9261:auth_authenticated_enter called
23:27:44: dot1x-ev:FastEthernet0/22:Sending EAPOL packet to group PAE address
23:27:44: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/22.
23:27:44: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/22
23:27:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/22, changed state to up
23:28:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

PS. I tested sending attribute with Cisco ACS and ran

Luciano Rangel
LDAP_OPT_X_TLS_REQUIRE_CERT error on 1.1.7-3.1
I am seeing the following error messages in the radius.log:

Fri Dec 3 19:29:48 2010 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand

Everything seems to be working. I am running freeradius.i386 1.1.7-3.1.fc6 that I downloaded from rpm.pbone.net. I find some old Red Hat posts where this was an issue in 1.1.3 (Bug 287381). Any ideas? Is this a real issue, or just a bogus log?

Thanks,
John
Re: LDAP_OPT_X_TLS_REQUIRE_CERT error on 1.1.7-3.1
On 12/03/2010 06:06 PM, Joe Friedeggs wrote:

I am seeing the following error messages in the radius.log:

Fri Dec 3 19:29:48 2010 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand

Everything seems to be working. I am running freeradius.i386 1.1.7-3.1.fc6 that I downloaded from rpm.pbone.net. I find some old Red Hat posts where this was an issue in 1.1.3 (*Bug 287381* https://bugzilla.redhat.com/show_bug.cgi?id=287381). Any ideas? Is this a real issue, or just a bogus log?

Why would you download an rpm from there? Use yum. Version 1.1.7 is way out of date. See http://wiki.freeradius.org/Red_Hat_FAQ for more info.

-- 
John Dennis jden...@redhat.com
Help
Hello friend, first of all I send you greetings. I am a novice at this and I need your help because I see you are very advanced in this. I developed a school practice on FreeRADIUS Server version 2.10.1. I have to make only the MAC authentication for users, but my question is: the MAC addresses are listed in the users file that is located in the directory /usr/local/etc/raddb/users; is there somewhere to register the MAC address? With which command or syntax, or only by modifying the file with the via

Appreciate your support. Thank you, your servant. My mail at which I am at your command is horacio...@hotmail.com

Thanks
RE: Freeradius-Users Digest, Vol 68, Issue 22
Hello, I need help. I am working with a FreeRADIUS server 2.10.1 on an Ubuntu 10 operating system and I need to know the syntax or command I use to add a Linksys WAP54G Access Point model as a client. Thanks! I await your reply!!
radclient: no response
Hello!

In the file users I add the user

jorge   Auth-Type := Local, User-Password == jorge

I run the following command:

:~$ radtest jorge jorge localhost 1812 testing123

and the result is

Sending Access-Request of id 19 to 127.0.0.1 port 1812
        User-Name = jorge
        User-Password = jorge
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=19, length=2

After I add the user

00- 07 -E9- C7 -51- 89   Auth-Type := Local, User-Password == mac

(note this is a mac address 00- 07 -E9- C7 -51- 89)

:~$ radtest 00- 07 -E9- C7 -51- 89 mac localhost 1812 testing123

and the result is

Sending Acces-Request of id 208 to 127.0.0.1 port 1812
        User-Name = 00- 07 -E9- C7 -51- 89
        User-Password = mac
        Nas-IP-Address = 127.0.1.1
        Nas-Port = 1812
        Framed-Protocol = PPP
radclient: no response from server for ID 208 socket 3

help to solve the problem
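This thread and the "to enlist Mac addresses" replies above run into the same thing: a MAC address only matches a users entry when the stored string is byte-for-byte what the NAS (or radtest) sends as User-Name, and NASes use several printable forms (00aa44dd33ff, 00-AA-44-DD-33-FF, 00:aa:44:dd:33:ff, Cisco's 00aa.44dd.33ff), before any stray spaces like the ones in the radtest call above. The Python helper below is an added example, not FreeRADIUS code and not from any poster; it reduces all of those forms to one canonical twelve-digit lowercase string for lookup and renders the `Cleartext-Password` entry shown earlier. The function names and the sample values are constructed for the example. As the replies also say, a MAC is not a secret, so this fixes only the format mismatch, not the weakness of MAC-based authentication.

```python
"""Canonicalise MAC addresses used as RADIUS user names (added example).

Not FreeRADIUS code. Any of the usual printable forms, stray whitespace
included, becomes one 12-hex-digit lowercase string, so a lookup table
or a generated users entry matches whatever format the NAS sends.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
# Characters that may legitimately appear in a printable MAC besides the
# hex digits themselves: separators and whitespace.
_SEPARATORS = re.compile(r"[0-9a-fA-F\s:\-.]")


def canonical_mac(raw: str):
    """Return the canonical 12-hex lowercase form, or None if raw is not a MAC."""
    # Keep only hex digits: drops '-', ':', '.' and whitespace.
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        return None
    # Anything left after removing digits and known separators means the
    # input was not a MAC address at all (e.g. 12 hex digits inside junk).
    if _SEPARATORS.sub("", raw):
        return None
    return digits


def users_entry(raw: str) -> str:
    """Render a users-file line in the form shown on this page:
    <mac> Cleartext-Password := "<mac>", from any accepted MAC form."""
    mac = canonical_mac(raw)
    if mac is None:
        raise ValueError(f"not a MAC address: {raw!r}")
    return f'{mac}\tCleartext-Password := "{mac}"'


def lookup(user_name: str, known: dict):
    """Resolve a NAS-supplied User-Name against a table keyed by canonical MAC.

    `known` maps canonical MACs to whatever you store per station
    (here just a label). Returns None for unknown or malformed names."""
    mac = canonical_mac(user_name)
    if mac is None:
        return None
    return known.get(mac)


if __name__ == "__main__":
    # Constructed sample table keyed by canonical MAC.
    stations = {"00aa44dd33ff": "lab-printer", "0007e9c75189": "jorge-laptop"}
    for name in ("00-AA-44-DD-33-FF", "00aa.44dd.33ff", "00- 07 -E9- C7 -51- 89", "jesus"):
        print(f"{name!r:28} -> {lookup(name, stations)}")
    print(users_entry("00:aa:44:dd:33:ff"))
```

The second check in `canonical_mac` matters: without it, a string such as `00aa44dd33ffzz` would pass because stripping non-hex characters leaves exactly twelve digits. Run it with `radiusd -X` output at hand, as Alan suggests, to see which of the forms your NAS actually sends before deciding what to store.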
Re: no calling-station-id received
On 03/12/2553 22:59, S Adrian wrote:

I'm receiving the calling station id now .. I somehow fscked up the sqlippool :| everybody seems to receive 10.67 ips :/

On Fri, Dec 3, 2010 at 5:50 PM, S Adrian dex...@d3xt3r01.tk wrote:

I don't seem to get a calling-station-id packet when a username is trying to connect.

Fix the client software so that it sends a Calling-Station-Id.

client software being the pppd or rp-pppoe ? Would this also fix the second problem ?

you run pppoe-server right?
1. you can run pppoe-server in kernel mode to send calling-station-id to radius
2. if you don't need to run in kernel mode, you can write unlang to get calling-station-id sent to sql.
Re: Again: clients.conf storage in ldap
I had it set up in mysql using the ability to manually specify queries. If the ldap module has that exact same functionality, it should be absolutely possible.

Unless you have frequently changing clients, or an overabundance of clients, it's not worth it. It's a nightmare to maintain.

On 12/3/2010 5:52 AM, Michal Bruncko wrote:

Hello list,

I have found one old discussion in the freeradius mailing list about storing RADIUS client definitions in LDAP. That discussion is from 23 Nov 2004 and is at the following link: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg11425.html

I want to ask what the status of integrating clients.conf in LDAP storage is now, four years later from that discussion? This integration is interesting and makes the configuration more centralized.

thanks
michal
Re: no calling-station-id received
you run pppoe-server right?
1. you can run pppoe-server in kernel mode to send calling-station-id to radius

yup .. this was it .. Thanks :)

There's a problem in gentoo's ippool.conf

# ## If you prefer to allocate a random IP address every time,
# ## use this query instead
allocate-find = SELECT framedipaddress FROM ${ippool_table} \
  WHERE pool_name = '%{control:Pool-Name}' \
  AND expiry_time IS NULL \
  ORDER BY RAND() \
  LIMIT 1 \
  FOR UPDATE

(failed to allocate before because expiry_time = NULL isn't valid .. had to replace with IS NULL)

everything seems to work now ! :D
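The fix in the post above (`= NULL` versus `IS NULL`) comes down to SQL's three-valued logic: comparing a column with NULL using `=` yields UNKNOWN, which WHERE treats as false, so the allocate-find query matched no row and every allocation failed. The Python script below is an added example, not FreeRADIUS code or the poster's configuration; it runs both forms of the query against a constructed pool table in an in-memory SQLite database. The table name `radippool`, the pool name `pppoe` and the 10.67.0.x addresses are assumptions, `RANDOM()` stands in for MySQL's `RAND()`, and `FOR UPDATE` is omitted because SQLite has no row locks.

```python
"""Why `expiry_time = NULL` never matches (added example, not FreeRADIUS code).

Builds a miniature ippool table with three free addresses and one leased
address, then runs sqlippool's allocate-find query in the broken and the
corrected form. All table contents are constructed sample data.
"""
import sqlite3

POOL_TABLE = "radippool"  # stands in for ${ippool_table} (assumption)

# Only the NULL test differs between the two queries. RANDOM() replaces
# MySQL's RAND(); FOR UPDATE is dropped because SQLite has no row locks.
FIND_EQ_NULL = (
    f"SELECT framedipaddress FROM {POOL_TABLE} "
    "WHERE pool_name = ? AND expiry_time = NULL "   # always UNKNOWN -> no row
    "ORDER BY RANDOM() LIMIT 1"
)
FIND_IS_NULL = (
    f"SELECT framedipaddress FROM {POOL_TABLE} "
    "WHERE pool_name = ? AND expiry_time IS NULL "  # true for free leases
    "ORDER BY RANDOM() LIMIT 1"
)

FREE_ADDRESSES = {"10.67.0.10", "10.67.0.11", "10.67.0.12"}  # constructed


def make_pool() -> sqlite3.Connection:
    """Create an in-memory pool: three free leases (expiry_time NULL), one taken."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {POOL_TABLE} ("
        "pool_name TEXT NOT NULL, framedipaddress TEXT NOT NULL, expiry_time TEXT)"
    )
    rows = [("pppoe", ip, None) for ip in sorted(FREE_ADDRESSES)]
    rows.append(("pppoe", "10.67.0.13", "2010-12-03 23:59:59"))  # leased
    conn.executemany(f"INSERT INTO {POOL_TABLE} VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def allocate_find(conn, pool_name, use_is_null=True):
    """Pick a free address the way allocate-find does.

    Returns the chosen address, or None when the query matched no row,
    which is what the `= NULL` form always produces."""
    query = FIND_IS_NULL if use_is_null else FIND_EQ_NULL
    row = conn.execute(query, (pool_name,)).fetchone()
    return row[0] if row else None


def count_free(conn, pool_name):
    """Number of addresses in the pool that are genuinely free."""
    (n,) = conn.execute(
        f"SELECT COUNT(*) FROM {POOL_TABLE} WHERE pool_name = ? AND expiry_time IS NULL",
        (pool_name,),
    ).fetchone()
    return n


if __name__ == "__main__":
    conn = make_pool()
    print("free addresses:", count_free(conn, "pppoe"))           # 3
    print("with '= NULL':", allocate_find(conn, "pppoe", False))  # None
    print("with 'IS NULL':", allocate_find(conn, "pppoe", True))  # one of the free addresses
```

The same rule applies to the pool's other queries (allocate-clear, stop-clear and friends) and to any other RDBMS: a `= NULL` predicate silently selects nothing rather than raising an error, so a pool that "never has a free address" is a symptom worth checking against this first.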