mschapv2 and peap not working, please help
Hi, I am a newbie on Linux and RADIUS stuff. I am trying to authenticate WinXP and Win 7 machines on wireless using FreeRADIUS with LDAP authentication. Please help.

Module: Instantiating module digest from file /etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module unix from file /etc/raddb/modules/unix
 unix {
 	radwtmp = /var/log/radius/radwtmp
 }
Module: Linked to module rlm_ldap
Module: Instantiating module ldap from file /etc/raddb/modules/ldap
 ldap {
 	server = 10.73.93.13
 	port = 389
 	password =
 	identity =
 	net_timeout = 1
 	timeout = 4
 	timelimit = 3
 	tls_mode = no
 	start_tls = no
 	tls_require_cert = allow
 	tls {
 		start_tls = no
 		require_cert = allow
 	}
 	basedn = dc=uforadius,dc=com
 	filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
 	base_filter = (objectclass=radiusprofile)
 	auto_header = no
 	access_attr_used_for_allow = yes
 	groupname_attribute = cn
 	groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 	dictionary_mapping = /etc/raddb/ldap.attrmap
 	ldap_debug = 0
 	ldap_connections_number = 5
 	compare_check_items = no
 	do_xlat = yes
 	set_auth_type = yes
 }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x9ac42e8
Module: Linked to module rlm_eap
Module: Instantiating module eap from file /etc/raddb/eap.conf
 eap {
 	default_eap_type = ttls
 	timer_expire = 60
 	ignore_unknown_eap_types = no
 	cisco_accounting_username_bug = no
how to generate certificate with xpextension for PEAP on FreeRADIUS
Hi, can somebody tell me how to include the OIDs while generating the client and root certificates? These instructions are in the xpextensions file; it says "Add this to the PKCS#7 keybag attributes holding the client's private key for machine authentication." How does one do this? Please help.

#
#  File containing the OID's required for Windows.
#
#  http://support.microsoft.com/kb/814394/en-us
#
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

#
#  Add this to the PKCS#7 keybag attributes holding the client's private key
#  for machine authentication.
#
#  the presence of this OID tells Windows XP that the cert is intended
#  for use by the computer itself, and not by an end-user.
#
#  The other solution is to use Microsoft's web certificate server
#  to generate these certs.
#
# 1.3.6.1.4.1.311.17.2

--
View this message in context: http://freeradius.1045715.n5.nabble.com/how-to-generate-certificate-with-xpextension-for-PEAP-on-FreeRAdius-tp4287904p4287904.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mschapv2 and peap not working, please help
syharash wrote:
> I am a newbie on Linux and RADIUS stuff. I am trying to authenticate WinXP and Win 7 machines on wireless using FreeRADIUS, LDAP authentication. Please help.

Thanks for posting the debug output, but it would help if you read it. It's not complicated.

Also post the debug output into the form at:

http://networkradius.com/freeradius.html

That will make it clearer what's going wrong, and why.

Alan DeKok.
Re: rlm_sql_unixodbc ?
Jim Rice wrote:
> Quick question: I am looking into adding an ACT! Plugin to populate the Radius MySQL database through unix ODBC. Found rlm_sql_unixodbc and wondered if this is already provided for this purpose, or something else?

It's for that purpose.

> Looks like it needs to be run through make... (not installed by default).

Yes.

Alan DeKok.
Re: how to generate certificate with xpextension for PEAP on FreeRADIUS
syharash wrote:
> Can somebody tell me how to include the OIDs while generating the client and root certificates.

$ cd raddb/certs
$ more README

This is documented.

Alan DeKok.
Re: Mac Authorization
On 04/06/2011 10:59 PM, Joren Love wrote:
> Hey, thanks for your reply. I did try creating the file module with the contents from the howto, and it seems to get loaded (Debug: including configuration file /etc/freeradius/modules/file); however, I still get the same error:
>
> Edit: Now I'm noticing there's a typo in the wiki. Under raddb/sites-available/default it says authorize_macs instead of authorized_macs. Fixing this makes it work.

Oops. Well spotted, fixed.
Re: mschapv2 and peap not working, please help
Dear Alan,

I am doing this all for the very first time. Could you please help me out? I do not understand what seems to be wrong. I have added that user mahendra in Linux, LDAP and also in the raddb/users file. The file contents are here:

/etc/passwd

mahendra:x:516:516::/home/mahendra:/bin/bash

ldapsearch

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: uid=mahendra
# requesting: ALL
#

# mahendra, People, uforadius.com
dn: uid=mahendra,ou=People,dc=uforadius,dc=com
uid: mahendra
cn: mahendra
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJDk0aGwzTmdKJEF1dVpsZWFlNWkyR2t6clQ5WEl5ZTA=
shadowLastChange: 15071
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 516
gidNumber: 516
homeDirectory: /home/mahendra

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

/etc/raddb/users

DEFAULT Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802
001E65003C44 User-Name = rasheed, User-Password == M@d33na, Tunnel-Private-Group-ID := 3
001F3CD13053 User-Name = paresh, User-Password == paresh@123, Tunnel-Private-Group-ID := 18
001F3CD12B6C User-Name = subhash, User-Password == sub@1979, Tunnel-Private-Group-ID := 2
001F3CE117A9 User-Name = mahendra, User-Password == ufo@123, Tunnel-Private-Group-ID := 4
AC670639D299 User-Name = sachin, User-Password == sachin123, Tunnel-Private-Group-ID := 18

--
View this message in context: http://freeradius.1045715.n5.nabble.com/mschapv2-and-peap-not-working-please-help-tp4287893p4288211.html
no authenticate step ...
Hello *,

I try to transfer a working configuration from a very old (1.x) FreeRADIUS version to a more recent RADIUS version:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:14:10

My problem: after authenticating against LDAP and Auth-Type = LDAP is set, no authorize step is done; the next thing that happens is trying the next entry from the users file.

Expected: authenticate with a bind as the user and the password hash of the user against LDAP.

Here is the snippet from the debug log I assume is relevant:

hu Apr 7 12:45:28 2011 : Info: [auth_log] expand: %t - Thu Apr 7 12:45:28 2011
Thu Apr 7 12:45:28 2011 : Info: ++[auth_log] returns ok
Thu Apr 7 12:45:28 2011 : Info: ++[mschap] returns noop
Thu Apr 7 12:45:28 2011 : Info: [suffix] No '@' in User-Name = pilot1, looking up realm NULL
Thu Apr 7 12:45:28 2011 : Info: [suffix] No such realm NULL
Thu Apr 7 12:45:28 2011 : Info: ++[suffix] returns noop
Thu Apr 7 12:45:28 2011 : Info: [ldap] performing user authorization for pilot1
Thu Apr 7 12:45:28 2011 : Info: [ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
Thu Apr 7 12:45:28 2011 : Info: [ldap] ... expanding second conditional
Thu Apr 7 12:45:28 2011 : Info: [ldap] expand: %{User-Name} - pilot1
Thu Apr 7 12:45:28 2011 : Info: [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=pilot1)
Thu Apr 7 12:45:28 2011 : Info: [ldap] expand: l=Berlin,dc=de,o=ABC - l=Berlin,dc=de,o=ABC
Thu Apr 7 12:45:28 2011 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Thu Apr 7 12:45:28 2011 : Debug: [ldap] ldap_get_conn: Got Id: 0
Thu Apr 7 12:45:28 2011 : Debug: [ldap] attempting LDAP reconnection
Thu Apr 7 12:45:28 2011 : Debug: [ldap] (re)connect to 10.128.1.1:389, authentication 0
Thu Apr 7 12:45:28 2011 : Debug: [ldap] bind as cn=Manager,o=ABC/xyz to 10.128.1.1:389
Thu Apr 7 12:45:28 2011 : Debug: [ldap] waiting for bind result ...
Thu Apr 7 12:45:28 2011 : Debug: [ldap] Bind was successful
Thu Apr 7 12:45:28 2011 : Debug: [ldap] performing search in l=Berlin,dc=de,o=ABC, with filter (uid=pilot1)
Thu Apr 7 12:45:28 2011 : Info: [ldap] No default NMAS login sequence
Thu Apr 7 12:45:28 2011 : Info: [ldap] looking for check items in directory...
Thu Apr 7 12:45:28 2011 : Debug: [ldap] userPassword - Password-With-Header == {MD5}hashvalueD1xtOw==
(the sequence after the hashed pw astonishes me, the D1xt0w)
Thu Apr 7 12:45:28 2011 : Info: [ldap] looking for reply items in directory...
Thu Apr 7 12:45:28 2011 : Info: [ldap] Setting Auth-Type = LDAP
Thu Apr 7 12:45:28 2011 : Info: [ldap] user pilot1 authorized to use remote access
Thu Apr 7 12:45:28 2011 : Debug: [ldap] ldap_release_conn: Release Id: 0
Thu Apr 7 12:45:28 2011 : Info: ++[ldap] returns ok
Thu Apr 7 12:45:28 2011 : Info: [eap] No EAP-Message, not doing EAP
Thu Apr 7 12:45:28 2011 : Info: ++[eap] returns noop
...

The next line / match in the users file is done next ... in the old config the next step was authenticate.

So clearly I made a mistake and have overlooked a necessary config option. Any hints where to look next?

The hint to transfer the deprecated expression from the users file to unlang will be done when I succeed with auth.

TIA
Micha
Problem with EAP-TLS authentication in Freeradius 2.1.0
Hi All,

I am using FreeRADIUS 2.1.0. PEAP/TTLS are working fine, but I am facing a problem with TLS authentication. I am able to generate certificates, but while connecting it throws an authentication error. Please let me know how to debug it.

rad_recv: Access-Request packet from host 192.168.1.1 port 4906, id=6, length=147
	User-Name = ma...@nokia.com
	NAS-IP-Address = 192.168.1.1
	Called-Station-Id = 0023692c6f74
	Calling-Station-Id = 0025d05b72ab
	NAS-Identifier = 0023692c6f74
	NAS-Port = 2
	Framed-MTU = 1400
	State = 0xc0ff35f8c1fd389f4e860dc8a76c03f8
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020200060d00
	Message-Authenticator = 0xcf453c67c6fe4f7695dbba231da2ba1e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm nokia.com for User-Name = ma...@nokia.com
[suffix] Found realm DEFAULT
[suffix] Adding Stripped-User-Name = maemo
[suffix] Adding Realm = DEFAULT
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.1 port 4906
	EAP-Message = 0x01024000720070306e310b30
	Message-Authenticator = 0x
	State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
Finished request 156.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4908, id=6, length=147
	User-Name = ma...@nokia.com
	NAS-IP-Address = 192.168.1.1
	Called-Station-Id = 0023692c6f74
	Calling-Station-Id = 0025d05b72ab
	NAS-Identifier = 0023692c6f74
	NAS-Port = 2
	Framed-MTU = 1400
	State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020300060d00
	Message-Authenticator = 0xdeea6893aacbe253ed951368cec20746
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm nokia.com for User-Name = ma...@nokia.com
[suffix] Found realm DEFAULT
[suffix] Adding Stripped-User-Name = maemo
[suffix] Adding Realm = DEFAULT
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming
Re: mschapv2 and peap not working, please help
> [ldap] looking for check items in directory...
> [ldap] userPassword - Password-With-Header == {crypt}$1$94hl3NgJ$AuuZleae5i2GkzrT9XIye0

crypt passwords cannot be used to do MS-CHAP. It is impossible. MS-CHAP requires either the cleartext password or NT/LM hashes. See:

http://deployingradius.com/documents/protocols/compatibility.html

> [ldap] looking for reply items in directory...
> [ldap] user mahendra authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/default
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Creating challenge hash with username: mahendra
> [mschap] Told to do MS-CHAPv2 for mahendra with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.

...because you only have crypt passwords, it fails. You MUST store plaintext or nt/lm hashes if you want to do PEAP/MSCHAP
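Phil's point (a {crypt} hash can serve PAP but never MS-CHAP) can be checked mechanically against the LDIF that was posted earlier in the thread. The script below is an added example, not part of the thread and not FreeRADIUS code: it decodes an ldapsearch userPassword line (including the base64 `::` form), reads the password header the way the Password-With-Header mapping exposes it, and, for a cleartext value, derives the NT-Password hex that the mschap module would otherwise need to find in LDAP. The MD4 is a plain RFC 1320 implementation so the script runs even where hashlib has no MD4; the first sample line is the one from the thread, the other two are constructed.

```python
"""Classify LDAP userPassword values by the RADIUS authentication they can
serve, and show the NT-Password value MS-CHAPv2 needs (added example)."""
import base64
import struct

_MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used because OpenSSL 3 keeps MD4 in the
    legacy provider, so hashlib.new('md4') is not always available."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                # One RFC 1320 step, then rotate the registers so the next
                # step updates what the RFC calls D, then C, then B.
                a = _lrot((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password(password: str) -> str:
    """NT hash as FreeRADIUS stores it in NT-Password: hex of MD4(UTF-16LE)."""
    return md4(password.encode("utf-16-le")).hex().upper()


def decode_ldif_userpassword(line: str) -> str:
    """Handle 'userPassword: value' and the base64 'userPassword:: value'
    form ldapsearch uses when the value starts with a special character."""
    attr, _, rest = line.partition(":")
    if attr.strip().lower() != "userpassword":
        raise ValueError("not a userPassword line")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode()
    return rest.strip()


def classify(value: str) -> dict:
    """Rule from the thread: MS-CHAP needs the cleartext password or the
    NT/LM hash; a one-way hash such as {crypt} only works for PAP."""
    header = ""
    if value.startswith("{") and "}" in value:
        header = value[1:value.index("}")].lower()
    body = value[len(header) + 2:] if header else value
    if header in ("", "clear", "cleartext"):
        return {"header": header or "none", "pap": True, "mschap": True,
                "nt_password": nt_password(body)}
    if header in ("nt", "lm"):
        return {"header": header, "pap": True, "mschap": True,
                "nt_password": body.upper() if header == "nt" else None}
    return {"header": header, "pap": True, "mschap": False, "nt_password": None}


# First line: the ldapsearch output posted in this thread. The other two are
# constructed to show a value that would work.
SAMPLE_LDIF = [
    "userPassword:: e2NyeXB0fSQxJDk0aGwzTmdKJEF1dVpsZWFlNWkyR2t6clQ5WEl5ZTA=",
    "userPassword: {nt}8846F7EAEE8FB117AD06BDD830B7586C",
    "userPassword: password",
]


def audit(lines):
    return [classify(decode_ldif_userpassword(line)) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LDIF, audit(SAMPLE_LDIF)):
        print(line[:45].ljust(46), result)
```

Run it over the userPassword lines of an ldapsearch dump before switching a realm to PEAP/MSCHAPv2; every entry that comes back with `mschap: False` is an account that will fail exactly as mahendra's did.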
Re: mschapv2 and peap not working, please help
Great, Phil. I've changed my /etc/raddb/users file and it worked. Could you please help me with one more thing: can I make a particular user log in only from a single machine, using the MAC address of that machine? My existing /etc/raddb/users file looks like this:

DEFAULT Auth-Type = System
	Fall-Through = 1

#
# Defaults for LDAP
#
#DEFAULT Auth-Type := LDAP
#	Fall-Through = 1

DEFAULT Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Service-Type = Framed-User, Fall-Through = Yes

abdul Cleartext-Password := test123, Tunnel-Private-Group-ID := 18

--
View this message in context: http://freeradius.1045715.n5.nabble.com/mschapv2-and-peap-not-working-please-help-tp4287893p4288360.html
Re: no authenticate step ...
Michael Arndt wrote:
> I try to transfer a working configuration from a very old (1.x) FreeRADIUS version to a more recent RADIUS version:

You should transfer it by starting with the default configuration for 2.1.10, and then make gradual changes, with tests, until you have what you want.

Right now, your message says "I have a new configuration which doesn't behave the same as my old configuration." That kind of issue is impossible to figure out without additional information.

Alan DeKok.
Re: mschapv2 and peap not working, please help
Hi,

Comparisons/requirements are on the first line, replies are on following lines, i.e.

user	Cleartext-Password := testing, NAS-IP-Address = 192.168.0.1
	AttributeX = this,
	AttributeY = that

alan
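The layout rule Alan gives (check items on the first line, reply items on indented continuation lines) is easy to get wrong, as the one-line entries posted earlier in this thread show. The parser below is an added example, not FreeRADIUS code: it splits `users` entries into check and reply lists and flags the two mistakes from the thread, reply attributes written on the first line and User-Password used where `Cleartext-Password :=` belongs. The sample file is constructed, modelled on the entries posted above with a made-up password.

```python
"""Parse FreeRADIUS 'users' entries and flag the layout mistakes from this
thread (added example, not FreeRADIUS code). Format: an entry starts at
column 0 with a name followed by comma-separated check items; indented
continuation lines hold comma-separated reply items."""
import re

# Two-character operators must precede "=", "<" and ">" in the alternation.
_OPS = r"==|:=|\+=|-=|!=|>=|<=|=~|!~|=\*|!\*|=|>|<"
_ITEM = re.compile(r'^\s*([\w-]+)\s*(' + _OPS + r')\s*("(?:[^"\\]|\\.)*"|\S+)\s*$')
REPLY_OPERATORS = {"=", ":=", "+=", "-="}   # reply items assign, they never compare


def _parse_items(text: str):
    """'Attr op value, Attr op value' -> [(attr, op, value), ...]."""
    items = []
    for piece in text.split(","):
        piece = piece.strip()
        if not piece:
            continue
        m = _ITEM.match(piece)
        if not m:
            raise ValueError(f"cannot parse item: {piece!r}")
        attr, op, value = m.groups()
        items.append((attr, op, value.strip('"')))
    return items


def parse_users(text: str):
    """Return [(name, check_items, reply_items), ...]. A non-indented line
    starts a new entry; an indented line continues the current reply list."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if not entries:
                raise ValueError("reply line before any entry")
            entries[-1][2].extend(_parse_items(raw))
        else:
            parts = raw.strip().split(None, 1)
            name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
            entries.append((name, _parse_items(rest), []))
    return entries


def lint(entries):
    """Flag first-line reply attributes, User-Password check items and
    comparison operators on reply lines."""
    problems = []
    for name, check, reply in entries:
        for attr, op, _ in check:
            if attr.startswith("Tunnel-"):
                problems.append((name, f"{attr} on the first line is a check item and is not sent in the reply; move it to an indented line"))
            if attr == "User-Password":
                problems.append((name, "User-Password as a check item: use Cleartext-Password := as in the fix posted above"))
        for attr, op, _ in reply:
            if op not in REPLY_OPERATORS:
                problems.append((name, f"reply item '{attr} {op}' uses a comparison operator; reply lines only assign (= or :=)"))
    return problems


# Constructed sample: one entry laid out like the thread's first attempt
# (everything on one line) and one laid out as Alan describes.
SAMPLE_USERS = (
    "DEFAULT\tAuth-Type = System\n"
    "\tFall-Through = 1\n"
    "\n"
    "bad-entry\tUser-Name = bad-entry, User-Password == \"s3cret-example\", Tunnel-Private-Group-ID := 4\n"
    "\n"
    "good-entry\tCleartext-Password := \"s3cret-example\", NAS-IP-Address == 192.168.0.1\n"
    "\tTunnel-Type = VLAN,\n"
    "\tTunnel-Medium-Type = IEEE-802,\n"
    "\tTunnel-Private-Group-ID := 4\n"
)

if __name__ == "__main__":
    for name, check, reply in parse_users(SAMPLE_USERS):
        print(name, "check:", check, "reply:", reply)
    for name, problem in lint(parse_users(SAMPLE_USERS)):
        print(f"{name}: {problem}")
```

Point it at a real `users` file with `parse_users(open(path).read())`; a clean run prints no problems, and the first-line/continuation split it prints is the same one the server applies.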
Re: MS-CHAP-V2 with no retry
--On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote:

> I don't know if this should be sent to the developers list instead.
>
> === Background ===
> When there is a failure of the client to match the challenge of the server: according to RFC 2759 section 6, a failure packet includes a message like:
>
>   E=ee R=r C= V=vv M=msg
>
> where E is the error code, R is 1/0 allow/disallow retry, C is an ASCII version of the challenge, V=3, and M is some text message. After this MS-CHAP failure message is sent by the server, an acknowledgment which seems to have a failure code should be returned from the client. At that point the server can close the EAP connection with a failure.
>
> What the 2.1.10 code (and earlier) appears to do is, after the MS-CHAP failure is detected, immediately close the EAP connection with a failure. The effect for Windows XP/7 machines connecting wirelessly using MSCHAPv2 is that they are presented with a dialog box and can enter new credentials. What happens with Mac/iPhones/Androids/Ubuntu is that they appear to be confused and time out and re-send (at various rates) authentication attempts without presenting a dialog box to the user. For some environments (such as using Novell NDS to authenticate), if modules/ldap is configured with edir_account_policy_check=yes, then these repeated failures result in account lockouts.
>
> Scenario: Institution requires periodic change of password - user uses a web site to change password - user forgets to update their Mac/iPhone/Android - user turns on their Mac/iPhone/Android - shortly after, user cannot access any resources (such as Blackboard/portal etc.) because their account is locked out.
>
> == proposed fix
> Modify FreeRADIUS to follow RFC 2759. This requires patches to two source files:
> o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms to RFC 2759
> o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the response created by rlm_mschap.c and send that back, and also accept an authentication failure acknowledgment before sending the EAP failure packet.
> Below are the diffs:
>
> == Comments
> o Results: We have implemented this patch (along with the configuration change edir_account_policy_check=no) and observe:
>   1) no more lockouts
>   2) Mac/iPhone users are now presented with a dialog box where they can update their password.
> o Code:
>   a) I don't like the 100 character msg variable - there is probably a better way to do this.
>   b) There is probably a function in the FreeRADIUS library to do the sprintf which should be used.
>   c) samba locked accounts should probably have a similar message generated if they are mschapv2.
> I would be happy if someone could look over these patches and incorporate the ideas into FreeRADIUS for future releases.

Hi John,

I had trouble applying the patches to 2.1.x git -- maybe because they got mushed during the email process. Adding the bits by hand seemed to work, and I can confirm the result is as you describe on an iPhone (that's all I had to hand to test).

Attached are the two 'git diff' that I ended up with.

-James

--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--

index c512018..3f3fc46 100644 --- a/src/modules/rlm_mschap/rlm_mschap.c +++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -1239,9 +1239,21 @@ static int mschap_authenticate(void * instance, REQUEST *request) response-vp_octets + 26, nthashhash, do_ntlm_auth) 0) { RDEBUG2(FAILED: MS-CHAP2-Response is incorrect); + + /* JCH - changes to include challenge and message */ +char msg[100]; +strcpy(msg, E=691 R=0 C=); +int i, offset = strlen(msg); +char *ptr = msg[offset]; +for (i=0; i16; i++, ptr+=2) { + sprintf(ptr, %02X, response-vp_octets[i+2]); +} +*ptr = 0; +strcat(msg, V=3 M=May Need to reset cached password); + mschap_add_reply(request, request-reply-vps, *response-vp_octets, -MS-CHAP-Error, E=691 R=1, 9); +MS-CHAP-Error, msg, strlen(msg)); return RLM_MODULE_REJECT; } index bdf4668..051fe71 100644 --- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c +++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c @@ -195,7 +195,9 @@ static int eapmschapv2_compose(EAP_HANDLER *handler, VALUE_PAIR *reply) case
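Review bot: in the rlm_mschap.c hunk the failure string is assembled into a fixed `char msg[100]` with strcpy, sprintf and strcat and no bounds check; the 12-byte "E=691 R=0 C=" prefix, 32 hex digits and the 40-byte " V=3 M=..." suffix come to 84 bytes so it fits today, but any longer M= text silently overruns the stack buffer, so build it with `snprintf(msg, sizeof(msg), ...)` and track the remaining length (the cover note's points a) and b) are about exactly this). The same hunk also replaces the old literal `E=691 R=1` with `R=0`; by the RFC 2759 description quoted above R is the retry flag, so this changes what the supplicant is told about retrying and deserves a sentence in the commit message rather than being buried inside the buffer rewrite.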
Re: MS-CHAP-V2 with no retry
--On Thursday, April 07, 2011 13:33:33 +0100 James J J Hooper jjj.hoo...@bristol.ac.uk wrote:

> Attached are the two 'git diff' that I ended up with.

gzipped so they don't get messed up.

-James

Attachments: p1.txt.gz, p2.txt.gz
Re: PEAP/MSCHAPv2 problem
> Looking at the output, things become clearer. The conversation ends when the server tries to send the first Access-Challenge packet to the client. It seems like that packet never gets there - and so the client retransmits the same Request over and over again. The server then repeatedly tries to re-send its reply, but again, it never seems to get there.
>
> Make sure that the changed IP address doesn't lead to some firewall (host FW? net FW? Cisco Controller's ACLs?) eating the responses.

I checked with Wireshark: requests were sent, but no response. This was the point. An ACL blocked traffic back to the WLC.

Thanks a lot for your help :-)

Greetings,
Juergen
Re: MS-CHAP-V2 with no retry
Hi,

This would be great to get into the 2.1.11 release if possible, if not 2.1.12 or 2.2.x, as it solves one of our current problems of devices configured for our roaming SSID continually trying to authenticate to the system even if the user no longer exists - currently they just keep on and on and on... This will 'break' their settings until they put in new details (which they can't if they are no longer a member able to use the roaming SSID).

alan
how to radtest from another client
I installed FreeRADIUS on the server; its IP is 192.168.1.1. On the server I have already done the radtest, and the result is OK:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=11, length=20

At the end of my clients.conf I added the client and assigned a shared secret:

client 192.168.1.100 {
	secret = testing123
	shortname = 192.168.1.100
}

Should I do other things to finish it? I need to do the radtest on the client (192.168.1.100), right? But there isn't a radtest command on the client. Do I need to install some software on the client?

Thank you for your help, best regards.
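radtest is only a wrapper that sends one Access-Request and prints the reply, so a client host without the FreeRADIUS utilities can still test the server with a short script. The code below is an added example, not a FreeRADIUS tool: it builds a PAP Access-Request as RFC 2865 describes (User-Password hidden with MD5(secret + authenticator)), adds the RFC 2869 Message-Authenticator, verifies the Response Authenticator on whatever comes back, and reports Accept, Reject or timeout. The server address, client address and secret are the ones in the question above; the user name and password are constructed.

```python
"""Minimal radtest replacement: one PAP Access-Request over UDP (added
example, not FreeRADIUS code). Packet layout per RFC 2865, Message-
Authenticator per RFC 2869 section 5.14."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it; strips the padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value


def build_access_request(secret: bytes, user: str, password: str, nas_ip: str,
                         ident: int, authenticator: bytes) -> bytes:
    """Message-Authenticator is HMAC-MD5 over the whole packet with its own
    value zeroed, keyed with the shared secret; it is the last attribute."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, "md5").digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attribute list that follows the 20-byte header."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("bad attribute length")
        out[t] = packet[pos + 2:pos + length]
        pos += length
    return out


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute zeroed, as the server does."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, "md5").digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False


def send_access_request(server: str, secret: bytes, user: str, password: str,
                        nas_ip: str, timeout: float = 3.0) -> str:
    """The network step; the offline test only covers the packet code."""
    authenticator = os.urandom(16)
    packet = build_access_request(secret, user, password, nas_ip, 1, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 1812))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply (client not in clients.conf, or a firewall drops port 1812)"
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + authenticator + reply[20:] + secret).digest()
    if reply[4:20] != expected:
        return "reply failed authenticator check (shared secret mismatch?)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(reply[0], f"code {reply[0]}")


if __name__ == "__main__":
    # Server, client address and secret from the question; user/password constructed.
    print(send_access_request("192.168.1.1", b"testing123", "testuser", "testpw", "192.168.1.100"))
```

A timeout from this script with `radiusd -X` showing nothing means the packet never reached the server (wrong client IP in clients.conf, or a firewall); a "failed authenticator check" means both sides disagree on the secret.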
Re: mschapv2 and peap not working, please help
Hi Alan,

Thanks, everything is set and works fine, just that my client PC is not getting an IP address leased from that particular VLAN's DHCP scope. It just worked once, but after that it's baffling that the clients are not getting an IP address leased from the DHCP scope. My routing is fine; on the wired side I get IP addresses from all the respective VLAN scopes. I have pasted the debug output:

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = ufomoviez, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 8 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 219
[files] users: Matched entry ufomoviez at line 229
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/default
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: ufomoviez
[mschap] Told to do MS-CHAPv2 for ufomoviez with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server
[peap] Got tunneled reply code 11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 14
	EAP-Message = 0x010900331a0308002e533d343130373445353137393930323232303835323534334634413033453935423736413131
	Message-Authenticator = 0x
	State = 0xf8774653f97e5cc97113aabe8c277640
[peap] Got tunneled reply RADIUS code 11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 14
	EAP-Message = 0x010900331a0308002e533d343130373445353137393930323232303835323534334634413033453935423736413131
	Message-Authenticator = 0x
	State = 0xf8774653f97e5cc97113aabe8c277640
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 67 to 10.73.93.151 port 1027
	EAP-Message = 0x0109004a1900170301003f666073d1310682a7a10b8428e26dd7635ca8d935dd7fddec1cd136768ca41bfdfc62b2d099c4f981e4d80d6d36eadf76aeb394d608351f6f58a4a2aed304bd
	Message-Authenticator = 0x
	State = 0xc25314c9ca5a0d8b20dd096be7aef9e4
Finished request 35.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.73.93.151 port 1027, id=68, length=226
	User-Name = ufomoviez
	Calling-Station-Id = 00-1F-3C-E1-17-A9
	NAS-IP-Address = 10.73.93.151
	NAS-Port = 1
	Called-Station-Id = AC-67-06-39-C7-A9
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = AC-67-06-39-C7-A9
	Connect-Info = CONNECT 11Mbps 802.11b
	EAP-Message = 0x0209001d19001703010012fb14fcf6b8188d4bec31a53ccd4a02d3fe40
	State = 0xc25314c9ca5a0d8b20dd096be7aef9e4
	Vendor-25053-Attr-3 = 0x55464f4d6f7669657a
	Message-Authenticator = 0xf765d281ccdde6faa88707b082869895
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = ufomoviez, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 9 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020900061a03
server {
  PEAP: Setting User-Name to ufomoviez
Sending tunneled request
	EAP-Message = 0x020900061a03
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = ufomoviez
	State = 0xf8774653f97e5cc97113aabe8c277640
server {
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name =
PC XP SP2 with 802.1x/PEAP authenticate problem
Hi,

maybe somebody can help me in my attempt to authenticate supplicant PC (WinXP SP2 with enabled 802.1x authentication using PEAP and Authentication Method Secured password EAP-MSCHAP v2) using Free RADIUS Version 2.1.10. RADIUS client is ONT (GPON, 802.1x enabled on its Ethernet port). I have modified 3 RADIUS configuration files:

1. eap.conf

default_eap_type = peap

2. clients.conf

Added new client (PC is connected to ONT which further forwards requests to BLM acting as client).

client 10.223.0.131 {
        ipaddr = 10.223.0.131
        secret = hello123
        require_message_authenticator = no
        nastype = other # localhost isn't usually a NAS...
}

Secret password hello123 is also configured on related client (ONT):

RADIUS proxy address  | 100.1.1.1
RADIUS proxy secret   | ont343
RADIUS auth server 1  | 10.223.0.13
RADIUS auth secret 1  | hello123
RADIUS auth port 1    | 1812
RADIUS auth server 2  | 0.0.0.0
RADIUS auth secret 2  | -
RADIUS auth port 2    | 0
RADIUS auth server 3  | 0.0.0.0
RADIUS auth secret 3  | -
RADIUS auth port 3    | 0

3. users

Added new entry for PC using its MAC address for credentials:

00:02:a5:f8:70:29 Cleartext-Password := 00:02:a5:f8:70:29

When I try to authenticate PC by entering its MAC address as user name/password RADIUS Access-Reject message is generated by Free RADIUS and in debug window following output is obtained:

rad_recv: Access-Request packet from host 10.223.0.131 port 65534, id=71, length=142
        NAS-IP-Address = 100.1.1.1
        NAS-Port-Id = 1.2
        Framed-MTU = 1024
        User-Name = 00-02-A5-F8-70-29
        Calling-Station-Id = 00-02-A5-F8-70-29
        Message-Authenticator = 0xe990ef46d4eaddc9760eff3924f3613e
        EAP-Message = 0x025200160130303a30323a61353a66383a37303a3239
        NAS-Identifier = PENKALA
        Ericsson-Attr-101 = 0x4552494353534f4e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 00-02-A5-F8-70-29, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 82 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 00-02-A5-F8-70-29
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 71 to 10.223.0.131 port 65534
Waking up in 4.9 seconds.
Cleaning up request 0 ID 71 with timestamp +160
Ready to process requests.

Please can you help me with this issue, I assume I missed something related to configuration..

BR,
Irena

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PC XP SP2 with 802.1x/PEAP authenticate problem
> Hi, maybe somebody can help me in my attempt to authenticate supplicant PC
> (WinXP SP2 with enabled 802.1x authentication using PEAP and Authentication
> Method Secured password EAP-MSCHAP v2) using

*that* (PEAP) won't work with this:

> Added new entry for PC using its MAC address for credentials:
> 00:02:a5:f8:70:29 Cleartext-Password := 00:02:a5:f8:70:29

configure the PC to use PEAP, with username/pass and put that username/pass into users file

alan
Re: rlm_sql_unixodbc ?
Found this in the rlm_sql_unixodbc config.log:

...
/usr/bin/ld: cannot find -lodbc
...
configure:3080: WARNING: silently not building rlm_sql_unixodbc.
configure:3082: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

Did I miss some dependencies earlier when installing FR 2.1.10? Can I run make within this directory stand-alone, or should I rebuild from the top? I wouldn't want to lose where I am now and start over. ;-)

- Original Message -
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, April 07, 2011 12:43 AM
Subject: Re: rlm_sql_unixodbc ?

> Jim Rice wrote:
> > Quick question: I am looking into adding an ACT! Plugin to populate the Radius MySQL database through unix ODBC. Found rlm_sql_unixodbc and wondered if this is already provided for this purpose, or something else?
>
> It's for that purpose.
>
> > Looks like it needs to be run through make... (not installed by default).
>
> Yes.
>
> Alan DeKok.
Re: MS-CHAP-V2 with no retry
On 07/04/2011 13:33, James J J Hooper wrote:
> --On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote:
>
> > I don't know if this should be sent to the developers list instead.
> >
> > === Background ===
> > When there is a failure of the client to match the challenge of the server:
> > According to RFC 2759 section 6, a failure packet includes a message like:
> > E=ee R=r C= V=vv M=msg
> > where E is the error code, R 1/0 allow/disallow retry, C an ascii version of the challenge, V=3 and M= some text message.
> > After this mschap failure message is sent by the server an acknowledgment which seems to have a failure code should be returned from the client. At that point the server can close the eap connection with a failure.
> > What the 2.1.10 code (and earlier) appears to do is after mschap is detected immediately close the eap connection with a failure.
> > The effect for windows XP/7 machines connecting wirelessly using mschapv2 is that they are presented with a dialog box and can enter new credentials. What happens with mac/iphones/androids/ubuntu is that they appear to be confused and time out and re-send (at various rates) authentication attempts without presenting a dialog box to the user.
> > For some environments (such as using Novell NDS to authenticate) if configured modules/ldap edir_account_policy_check=yes then these repeated failures result in account lock outs.
> > Scenario: Institution requires periodic change of password - user uses a web site to change password - user forgets to update their mac/iphone/android - user turns on their mac/iphone/android - shortly after user cannot access any resources (such as blackboard/portal etc) because their account is locked out.
> >
> > == proposed fix
> > Modify freeradius to follow RFC 2759.
> > This requires patches to two source files:
> > o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms to RFC 2759
> > o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the response created by rlm_mschap.c and send that back, also accept an authentication failure acknowledgment before sending eap failure packet.
> > Below are the diffs:
> >
> > == Comments
> > o Results: We have implemented this patch (along with the configuration change edir_account_policy_check=no) and observe:
> > 1) no more lockouts
> > 2) Mac/Iphones users are now presented with a dialog box where they can update their password.
> > o Code:
> > a) I don't like the 100 character msg variable - there is probably a better way to do this.
> > b) There is probably a function in free radius library to do the sprintf which should be used.
> > c) samba locked accounts should probably have a similar message generated if they are mschapv2.
> > I would be happy if someone could look over these patches and incorporate the ideas into freeradius for future releases.
>
> Hi John,
> I had trouble applying the patches to 2.1.x git -- maybe because they got mushed during the email process. Adding the bits by hand seemed to work, and I can confirm the result is as you describe on an iPhone (that's all I had to hand to test).
> Attached are the two 'git diff' that I ended up with.

Hi John,
It works on Mac OS and iOS, but I haven't been able to get it to work as expected on XP or Win7:
* Win7 does as it did before
* XP: The [builtin] supplicant gets stuck at the 'trying to authenticate' message.

Could you forward your patches gzipped [so they don't get mangled] so I can verify I have patched the source correctly?

Regards,
James
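Both threads above turn on the bytes inside EAP-Message. Irena's Access-Request carries an EAP Identity response (0x0252001601...) whose identity "00:02:a5:f8:70:29" is not the User-Name 00-02-A5-F8-70-29, which is what the server logged as "Identity does not match User-Name"; John's patch concerns the EAP-MSCHAPv2 Failure-Request whose payload is the RFC 2759 section 6 string (E=, R=, C=, V=, M=). The R flag is what decides whether a supplicant re-prompts (R=1) or gives up (R=0), and C carries a fresh challenge for that retry, so a server that emits it must generate a new one rather than reuse the failed challenge. The following Python is an added example written for this page, not FreeRADIUS code or the posted patches: it decodes an EAP Identity response and builds and parses EAP-MSCHAPv2 Success-Request and Failure-Request packets (Type 26, OpCode, MS-CHAPv2-ID, MS-Length), verifying both length fields. The layout is the one visible in the PEAP thread's 0x010900331a0308002e... Success-Request; note that the hex printed for that message is four bytes shorter than its Length field says, so the parser rejects it as truncated, which is why the tests use constructed packets. Error codes are RFC 2759's; the constructed samples are labelled as such.

```python
"""EAP Identity decoding plus EAP-MSCHAPv2 Success/Failure-Request codec
whose payload follows RFC 2759 section 6. Added example, not FreeRADIUS code."""
import re
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MSCHAPV2 = 26
OP_SUCCESS, OP_FAILURE = 3, 4

# RFC 2759 section 6 error codes carried in the "E=" field
ERROR_RESTRICTED_LOGON_HOURS = 646
ERROR_ACCT_DISABLED = 647
ERROR_PASSWD_EXPIRED = 648
ERROR_NO_DIALIN_PERMISSION = 649
ERROR_AUTHENTICATION_FAILURE = 691
ERROR_CHANGING_PASSWORD = 709

_FAILURE_RE = re.compile(
    r"^E=(?P<error>\d{1,10}) R=(?P<retry>[01]) C=(?P<challenge>[0-9A-Fa-f]{32})"
    r" V=(?P<version>\d{1,10})(?: M=(?P<message>.*))?$", re.S)
_SUCCESS_RE = re.compile(r"^S=(?P<auth>[0-9A-Fa-f]{40})(?: M=(?P<message>.*))?$", re.S)


def parse_eap_header(pkt):
    """Return (code, id, type, payload); the Length field must cover the packet."""
    if len(pkt) < 5:
        raise ValueError("EAP packet shorter than 5 bytes")
    code, eap_id, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError(f"EAP Length {length} != packet size {len(pkt)} (truncated?)")
    return code, eap_id, eap_type, pkt[5:]


def parse_identity_response(pkt):
    """Identity string from an EAP Response/Identity (type 1)."""
    code, _, eap_type, payload = parse_eap_header(pkt)
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity response")
    return payload.decode("utf-8")


def format_failure(error, retry, challenge, message="", version=3):
    """RFC 2759 s.6: E=<code> R=<0|1> C=<32 hex of a NEW challenge> V=3 M=<text>."""
    if len(challenge) != 16:
        raise ValueError("challenge must be 16 octets")
    text = f"E={error} R={1 if retry else 0} C={challenge.hex().upper()} V={version}"
    return text + (f" M={message}" if message else "")


def parse_failure(text):
    m = _FAILURE_RE.match(text)
    if not m:
        raise ValueError("malformed RFC 2759 failure message")
    return {"error": int(m["error"]), "retry": m["retry"] == "1",
            "challenge": bytes.fromhex(m["challenge"]), "version": int(m["version"]),
            "message": m["message"] or ""}


def build_mschapv2_request(eap_id, opcode, mschap_id, data):
    """EAP header (5 bytes) + OpCode, MS-CHAPv2-ID, MS-Length (4 bytes) + data.
    MS-Length counts from OpCode onward, i.e. it equals EAP Length - 5."""
    ms_length = 4 + len(data)
    return struct.pack("!BBHBBBH", EAP_REQUEST, eap_id, 5 + ms_length,
                       EAP_TYPE_MSCHAPV2, opcode, mschap_id, ms_length) + data


def build_success_request(eap_id, mschap_id, auth_response, message=""):
    """OpCode 3: "S=<40 hex authenticator response>" optionally " M=<text>"."""
    data = "S=" + auth_response.hex().upper() + (f" M={message}" if message else "")
    return build_mschapv2_request(eap_id, OP_SUCCESS, mschap_id, data.encode())


def build_failure_request(eap_id, mschap_id, error, retry, challenge, message=""):
    """OpCode 4 with the RFC 2759 failure string as its data."""
    data = format_failure(error, retry, challenge, message)
    return build_mschapv2_request(eap_id, OP_FAILURE, mschap_id, data.encode())


def parse_mschapv2_request(pkt):
    """Decode a Success- or Failure-Request, checking Length and MS-Length."""
    code, eap_id, eap_type, payload = parse_eap_header(pkt)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MSCHAPV2 or len(payload) < 4:
        raise ValueError("not an EAP-MSCHAPv2 request")
    opcode, mschap_id, ms_length = struct.unpack("!BBH", payload[:4])
    if ms_length != len(payload):
        raise ValueError(f"MS-Length {ms_length} != {len(payload)}")
    data = payload[4:].decode("utf-8")
    out = {"eap_id": eap_id, "mschap_id": mschap_id, "opcode": opcode}
    if opcode == OP_SUCCESS:
        m = _SUCCESS_RE.match(data)
        if not m:
            raise ValueError("malformed Success-Request data")
        out.update(auth_response=bytes.fromhex(m["auth"]), message=m["message"] or "")
    elif opcode == OP_FAILURE:
        out.update(parse_failure(data))
    else:
        raise ValueError(f"opcode {opcode} is not Success/Failure")
    return out
```

parse_identity_response on Irena's EAP-Message bytes returns "00:02:a5:f8:70:29"; build_failure_request(9, 8, ERROR_AUTHENTICATION_FAILURE, True, os.urandom(16), "Password incorrect") is the R=1 packet that lets a supplicant re-prompt, and parse_mschapv2_request on it round-trips every field.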
Re: Per Vendor NAS-Port documentation
> I was wondering if there has been a collective effort to document the meaning of the NAS-Port by the various Network Vendors? If there's nothing yet, maybe they can create a wiki page for it? I'd be willing to edit the entries, either on the wiki if I can get an account, or offline and batch up the responses into wiki markup.

As suggested, I created a Wiki page: http://wiki.freeradius.org/NAS-Port

I added what we have so far. I'll try to remember to maintain it.

Cheers!
--
Olivier Bilodeau
obilod...@inverse.ca :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: rlm_sql_unixodbc ?
Hi,

> Found this in the rlm_sql_unixodbc config.log:
> ...
> /usr/bin/ld: cannot find -lodbc
> ...
> configure:3080: WARNING: silently not building rlm_sql_unixodbc.
> configure:3082: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.
>
> Did I miss some dependencies earlier when installing FR 2.1.10?

yes.

> Can I run make within this directory stand-alone, or should I rebuild from the top?

just install the required dependencies, then recompile...then run 'make install' the required rlm_sql_unixodbc will be built and installed and none of your config will be touched (though you might want to just back up your current RADDB config directory just in case! ;-) )

alan
LDAP-group filter search is failing
2.1.10

Here's a snippet of freeradius -X...

+- entering group post-auth {...}
[ldap] Entering ldap_groupcmp()
[files] expand: ou=Departments,dc=corp,dc=development,dc=com -> ou=Departments,dc=corp,dc=development,dc=com
[files] expand: (&(sAMAccountName=%{mschap:User-Name})) -> (&(sAMAccountName=RobertTest1))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Departments,dc=corp,dc=development,dc=com, with filter (&(sAMAccountName=RobertTest1))
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Departments,dc=corp,dc=development,dc=com, with filter (&(cn=WANN)(|(&(objectClass=GroupOfNames)(member=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=RobertTest1,OU=WANN,OU=Departments,DC=corp,DC=development,DC=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
[ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
Sending Access-Accept of id 100 to 192.168.100.2 port 1645
        User-Name = DEVELOPMENT\\RobertTest1
        MS-MPPE-Recv-Key = 0xa873077b6643bb983d8dbf04da7699d7832fe38f78c5458b0318eaa27db6
        MS-MPPE-Send-Key = 0x866779d60ae2e9da0a928ebfb1f20e2f5e26dc05d050075dc8e65210e2946936
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x
Finished request 8.

This is in my postauth_users file...

DEFAULT Huntgroup-Name == Switches, Ldap-Group == WANN
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = dragons_cave

The 10th line from the bottom of the snippet returns with the following...

rlm_ldap::ldap_groupcmp: ldap_get_values() failed

I'm waiting for a subsequent [ldap] performing search in my DN and to match with filter (cn=WANN) But it's not happening.

Any insight?

Thx.
Joe

--
View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-group-filter-search-is-failing-tp4289457p4289457.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
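The filters in Joe's trace are RFC 4515 search filters with the user's DN substituted in, and the trace shows every '=' and ',' of that DN written as \3d and \2c. RFC 4515 only requires '*', '(', ')', '\' and NUL to be escaped; escaping more characters is permitted and matches the same entry, so the escaping itself is not what makes the group search miss, and the unescaped substitution of a DN or group name is exactly where filter injection would occur if it were skipped. The Python below is an added example for this page, not rlm_ldap code: it escapes and unescapes filter values, assembles the GroupOfNames/GroupOfUniqueNames shape from the trace as well as the (objectClass=group)(member=DN) shape that Active Directory group objects use, and checks that a filter is balanced. That Joe's directory is Active Directory is an assumption here, suggested by sAMAccountName and the DC= naming; if it is, its groups carry objectClass=group, which the GroupOfNames/GroupOfUniqueNames filter never matches.

```python
"""RFC 4515 search-filter helpers for the group lookups in the trace above.
Added example, not rlm_ldap code."""

MUST_ESCAPE = "*()\\\x00"        # RFC 4515 section 3: these must be escaped
HEX = "0123456789abcdefABCDEF"


def _escape(value, chars):
    return "".join(f"\\{ord(c):02x}" if c in chars else c for c in value)


def escape_filter_value(value):
    """Minimal escaping for a value substituted into a filter; '=' and ','
    inside a DN are left alone because they need no escaping."""
    return _escape(value, MUST_ESCAPE)


def escape_filter_value_full(value):
    """The stricter form in the trace, with '=' and ',' written as \\3d and
    \\2c. Also valid RFC 4515 and matches the same entry as the minimal form."""
    return _escape(value, MUST_ESCAPE + "=,")


def unescape_filter_value(value):
    """Undo \\xx escapes byte-wise so multi-byte UTF-8 escapes decode correctly."""
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\":
            pair = value[i + 1:i + 3]
            if len(pair) != 2 or any(c not in HEX for c in pair):
                raise ValueError(f"bad escape at offset {i}")
            buf.append(int(pair, 16))
            i += 3
        else:
            buf += value[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")


def group_membership_filter(user_dn, group_cn, schema="groupofnames"):
    """Filter for 'group <group_cn> lists <user_dn> as a member'.
    'groupofnames': the GroupOfNames/GroupOfUniqueNames shape from the trace.
    'ad': Active Directory group objects (objectClass=group, attribute member).
    Both inputs are escaped, so a group name containing ')(' cannot alter the filter."""
    dn, cn = escape_filter_value(user_dn), escape_filter_value(group_cn)
    if schema == "ad":
        return f"(&(cn={cn})(objectClass=group)(member={dn}))"
    if schema == "groupofnames":
        return (f"(&(cn={cn})(|(&(objectClass=GroupOfNames)(member={dn}))"
                f"(&(objectClass=GroupOfUniqueNames)(uniquemember={dn}))))")
    raise ValueError(f"unknown schema {schema!r}")


def is_balanced(filter_text):
    """Parenthesis check; escaped \\28 and \\29 are not parentheses and so are
    not counted. The cut-off filter line in the trace fails this check."""
    depth = 0
    for c in filter_text:
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0
```

unescape_filter_value(escape_filter_value_full(dn)) gives the original DN back, which is the sense in which the \3d/\2c form in the trace and the plain DN are the same filter.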
Re: rlm_sql_unixodbc ?
I thought I had followed the FR installation instructions and was surprised that something might have been missing. How can I know which dependencies are missing? (Which packages to install?)

I had already installed mysql-connector-odbc before finding rlm_sql_unixodbc. There were several new library files added, including /usr/lib/libodbc.so.1.0.0

But -lodbc not so much.
Re: rlm_sql_unixodbc ?
On Fri, Apr 8, 2011 at 4:30 AM, Jim Rice jmrice6...@yahoo.com wrote:
> I thought I had followed the FR installation instructions and was surprised that something might have been missing. How can I know which dependencies are missing? (Which packages to install?)
> I had already installed mysql-connector-odbc before finding rlm_sql_unixodbc. There were several new library files added, including /usr/lib/libodbc.so.1.0.0
> But -lodbc not so much.

Usually you'd need a *.so for linking, so I'm guessing you need a package which contains /usr/lib/libodbc.so (although in reality it could be just a symlink to libodbc.so.1.0.0). It's probably called mysql-connector-odbc-devel or mysql-connector-odbc-dev

--
Fajar
Re: rlm_sql_unixodbc ?
Jim Rice wrote:
> I thought I had followed the FR installation instructions and was surprised that something might have been missing.

I think you're misunderstanding *optional* modules. The server comes with plugins for LDAP, SQL (MySQL, PostGreSQL, DB2, Oracle, ...), and many, many, more. However, the build process checks for preconditions. If you don't have MySQL installed, it won't build the MySQL plugin. This shouldn't be a surprise.

> How can I know which dependencies are missing? (Which packages to install?)

The Unixodbc headers and libraries. *Read* the configure output from the rlm_sql_unixodbc module. It says what it's looking for.

> I had already installed mysql-connector-odbc before finding rlm_sql_unixodbc. There were several new library files added, including /usr/lib/libodbc.so.1.0.0
> But -lodbc not so much.

-lodbc tells the linker to find a file libodbc*. Please do some reading on how Unix build systems work.

Alan DeKok.
Re: rlm_sql_unixodbc ?
After installing mysql-connector-odbc, running ./configure within rlm_sql_unixodbc it was then able to find:

checking for SQLConnect in -lodbc... yes

But not:

checking for sql.h... no
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: sql.h.

I ran a find for sql.h and it is not in /usr. And neither pkg exists for mysql-connector-odbc-devel nor mysql-connector-odbc-dev. There is this:

/usr/local/src/freeradius-server-2.1.10/src/modules/rlm_sql/rlm_sql.h

Still not sure how to resolve this.
Re: rlm_sql_unixodbc ?
On Fri, Apr 8, 2011 at 8:13 AM, Jim Rice jmrice6...@yahoo.com wrote:
> After installing mysql-connector-odbc, running ./configure within rlm_sql_unixodbc it was then able to find:
> checking for SQLConnect in -lodbc... yes
> But not:
> checking for sql.h... no
> configure: WARNING: silently not building rlm_sql_unixodbc.
> configure: WARNING: FAILURE: rlm_sql_unixodbc requires: sql.h.
> I ran a find for sql.h and it is not in /usr. And neither pkg exists for mysql-connector-odbc-devel nor mysql-connector-odbc-dev. There is this:
> /usr/local/src/freeradius-server-2.1.10/src/modules/rlm_sql/rlm_sql.h
> Still not sure how to resolve this.

Ask your distro list/forum/support, the package name can be distro-specific. Or build unixodbc from source.

For example, on Ubuntu, it should be unixodbc-dev
http://packages.ubuntu.com/search?searchon=contents&keywords=sql.h&mode=exactfilename&suite=maverick&arch=any

--
Fajar
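A preflight for the two things the configure run in this thread actually checks: a sql.h in an include directory, and a libodbc that -lodbc can resolve, which means an unversioned libodbc.so (or libodbc.a) rather than the libodbc.so.1.0.0 the connector package dropped in /usr/lib. This is an added example for this page, not part of the FreeRADIUS build system; the directory lists are assumptions about common layouts and can be overridden, and simulate() builds a throw-away tree so the three states from the thread can be reproduced offline.

```python
"""Preflight for what rlm_sql_unixodbc's configure checks: a sql.h header
and a libodbc that -lodbc can resolve. Added example, not FreeRADIUS code;
the directory lists are assumptions about common layouts."""
import glob
import os
import tempfile

INCLUDE_DIRS = ("/usr/include", "/usr/local/include")
LIB_DIRS = ("/usr/lib", "/usr/lib64", "/usr/local/lib",
            "/usr/lib/x86_64-linux-gnu", "/usr/lib/aarch64-linux-gnu")


def find_header(name, include_dirs=INCLUDE_DIRS):
    """First <dir>/<name> that exists, or None (what 'checking for sql.h' does)."""
    for d in include_dirs:
        path = os.path.join(d, name)
        if os.path.isfile(path):
            return path
    return None


def find_link_library(stem, lib_dirs=LIB_DIRS):
    """-l<stem> makes ld open lib<stem>.so or lib<stem>.a; a versioned
    lib<stem>.so.1.0.0 alone is a runtime file and does not satisfy it."""
    for d in lib_dirs:
        for ext in (".so", ".a"):
            path = os.path.join(d, f"lib{stem}{ext}")
            if os.path.exists(path):  # a dangling .so symlink is as bad as none
                return path
    return None


def find_runtime_library(stem, lib_dirs=LIB_DIRS):
    """Versioned lib<stem>.so.N[.N.N] files: present after installing only
    the runtime package, which is the state the thread describes."""
    for d in lib_dirs:
        hits = sorted(glob.glob(os.path.join(d, f"lib{stem}.so.*")))
        if hits:
            return hits[0]
    return None


def check_unixodbc(include_dirs=INCLUDE_DIRS, lib_dirs=LIB_DIRS):
    """List what configure would complain about; empty means both checks pass."""
    missing = []
    if find_header("sql.h", include_dirs) is None:
        missing.append("sql.h: install the unixODBC development package")
    if find_link_library("odbc", lib_dirs) is None:
        runtime = find_runtime_library("odbc", lib_dirs)
        if runtime:
            missing.append(f"libodbc.so: {runtime} is present but the unversioned "
                           "link-time symlink is not; install the -dev/-devel package")
        else:
            missing.append("libodbc.so: unixODBC is not installed")
    return missing


def simulate(header=True, link=True, runtime=True):
    """Run the check against a throw-away tree in the given state, e.g.
    simulate(link=False) reproduces 'libodbc.so.1.0.0 present, -lodbc fails'."""
    with tempfile.TemporaryDirectory() as root:
        inc, lib = os.path.join(root, "include"), os.path.join(root, "lib")
        os.makedirs(inc)
        os.makedirs(lib)
        if header:
            open(os.path.join(inc, "sql.h"), "w").close()
        if runtime:
            open(os.path.join(lib, "libodbc.so.1.0.0"), "w").close()
        if link:
            target = os.path.join(lib, "libodbc.so")
            if runtime:
                os.symlink("libodbc.so.1.0.0", target)  # what the -dev package installs
            else:
                open(target, "w").close()
        return check_unixodbc((inc,), (lib,))


if __name__ == "__main__":
    problems = check_unixodbc()
    print("\n".join(problems) if problems else "rlm_sql_unixodbc prerequisites present")
```

Run it before ./configure in src/modules/rlm_sql/drivers/rlm_sql_unixodbc; an empty list means the module will be built, and each entry names the package family to install rather than making you read config.log after the fact.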