Re: problem in assigning Tunnel-Private-Group-ID
syharash wrote:
> My freeradius is set and working fine, the authentication is successful on a
> windows XP machine on the wireless network. I am using Cisco Switches and
> Ruckus Zone Director 1000 with Ruckus AP's. They are connected to the
> switches on the trunk ports with all vlans allowed.

  Edit eap.conf, set "use_tunneled_reply = yes"

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
how to radtest from another client
I installed freeradius on the server; its IP is 192.168.1.1. On the server I
have already done the radtest, and the result is OK:

  rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=11, length=20

I want to add a test authenticator host client. So I add something at the end
of my clients.conf and assign a shared-secret:

  client 192.168.1.100 {
          secret = testing123
          shortname = 192.168.1.100
  }

Should I do other things to finish it? I need to do the radtest on the client
(192.168.1.100), right? But there isn't a radtest command on the client. Do I
need to install some software on the client?

Thank you for your help, best regards.
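What radtest does on the wire, as an added example that is not part of the post or of FreeRADIUS: it builds a PAP Access-Request as RFC 2865 describes, hides the User-Password with the shared secret "testing123" from the clients.conf above, and verifies the Response Authenticator of the Access-Accept that comes back. The user name, password, request id and Request Authenticator are constructed for the example and nothing is sent on the network; both packets are built in memory. The point for the clients.conf question is that the secret is what ties a client to its entry, and the Response Authenticator check is what lets a client reject a reply computed with a different secret.

```python
# Added example, not code from the list post or from FreeRADIUS: what radtest
# sends and receives, built by hand from RFC 2865. Shared secret "testing123"
# and client 192.168.1.100 come from the post; the user name, password and
# request id are made up for the demonstration. Nothing is sent on the network.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password (what the server does with a PAP request).
    With the wrong shared secret this yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """Type-Length-Value attribute; Length counts the 2 header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, password, secret, nas_ip, request_auth):
    attrs = attr(ATTR_USER_NAME, user.encode())
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    attrs += attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret):
    """Bare Access-Accept with no attributes, like the length=20 reply in the post."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, b"", request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20) + auth


def verify_reply(reply, request, secret):
    """True only if the reply's Response Authenticator was computed with this
    secret over our Request Authenticator; this is the client-side check that
    stops a reply made with another secret from being trusted."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"testing123"
    req_auth = bytes(range(16))  # a real client uses 16 random bytes here
    req = build_access_request(11, "testuser", "testpw", secret, "192.168.1.100", req_auth)
    reply = build_access_accept(11, req_auth, secret)
    print("reply verifies:", verify_reply(reply, req, secret))       # True
    print("with wrong secret:", verify_reply(reply, req, b"wrong"))  # False
```

Run the file directly to see the two checks. Note that reveal_password with a wrong secret returns garbage rather than failing, so a clients.conf secret that does not match the one the client uses shows up as a wrong-password rejection, not as an explicit "bad secret" message.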
Re: [How to use Listen directive in inner tunnel virtual server]
Thomas Fagart wrote:
> The server where it is located has two IP interfaces and even worse on
> one of the interface we're using IP aliasing :-)
>
> I've notice that freeradius always use the same IP to proxy from inner
> tunnel.
>
> I know that I could use the listen directive in radiusd.conf (and that's
> what I've done) to force freeradius to choose the correct IP to proxy.

  Even better, use the latest version of the server. It supports a
"src_ipaddr" for each home server. This forces the server to open a socket
using a particular address.

> But this does not seems to work for inner-tunnel proxyfication.

  That might be true for 2.1.6. For later versions, probably not.

  Alan DeKok.
Re: Simple "Guest user" web front end for FreeRADIUS
On Apr 8, 2011, at 1:13 PM, Alan Buxey wrote:

> Hi,
>> On my client's wifi network, we are authenticating staff users via
>> FreeRADIUS against the corporate LDAP database.
>>
>> I've created a new SSID/WLAN with an IP pool that I've restricted through
>> router ACLs that we want to deploy for temporary "guest" users. I can set
>> up a new FreeRADIUS server (I've done many of those) backend for this, but
>> am unfamiliar with 2 things that will be different here, which are:
>>
>> 1) A Web front end for a clerical type to enter in temporary accounts to
>> FreeRADIUS. I imagine there must be a simple php interface for some sort
>> of "Internet cafe" type of use. I'd prefer as simple as possible (ie,
>> flat file), but would be fine if MySQL is the way to go for account info
>> storage.
>>
>> I know I COULD put together a FreeRADIUS and OpenLDAP server with
>> something like a webmin front end, but that seems overkill to me.
>>
>> 2) Some sort of automatic password generator for above...not absolutely
>> necessary, but would be nice.
>>
>> I would imagine this wheel has already been invented, so if anybody could
>> point me in the right direction, it would be appreciated.
>
> daloradius?

Have you ever tried to use it? GUI looks pretty, but is painful to use at
best and just plain broken at worst.

Better off rolling your own...

-Arran
Re: Simple "Guest user" web front end for FreeRADIUS
Hi,

> On my client's wifi network, we are authenticating staff users via
> FreeRADIUS against the corporate LDAP database.
>
> I've created a new SSID/WLAN with an IP pool that I've restricted through
> router ACLs that we want to deploy for temporary "guest" users. I can set
> up a new FreeRADIUS server (I've done many of those) backend for this, but
> am unfamiliar with 2 things that will be different here, which are:
>
> 1) A Web front end for a clerical type to enter in temporary accounts to
> FreeRADIUS. I imagine there must be a simple php interface for some sort
> of "Internet cafe" type of use. I'd prefer as simple as possible (ie,
> flat file), but would be fine if MySQL is the way to go for account info
> storage.
>
> I know I COULD put together a FreeRADIUS and OpenLDAP server with
> something like a webmin front end, but that seems overkill to me.
>
> 2) Some sort of automatic password generator for above...not absolutely
> necessary, but would be nice.
>
> I would imagine this wheel has already been invented, so if anybody could
> point me in the right direction, it would be appreciated.

daloradius?

alan
Re: rlm_sql_unixodbc ?
Found it. I was missing unixODBC-devel

Thanks!

- Original Message -
From: "Alan DeKok"
To: "FreeRadius users mailing list"
Sent: Friday, April 08, 2011 04:02 AM
Subject: Re: rlm_sql_unixodbc ?

Jim Rice wrote:
> config.log:configure:3082: WARNING: FAILURE: rlm_sql_unixodbc requires:
> sql.h.

  Install the unixodbc software, library, and header files. Ask the
unixodbc people how to do this.

  Alan DeKok.
Simple "Guest user" web front end for FreeRADIUS
On my client's wifi network, we are authenticating staff users via FreeRADIUS
against the corporate LDAP database.

I've created a new SSID/WLAN with an IP pool that I've restricted through
router ACLs that we want to deploy for temporary "guest" users. I can set up a
new FreeRADIUS server (I've done many of those) backend for this, but am
unfamiliar with 2 things that will be different here, which are:

1) A Web front end for a clerical type to enter in temporary accounts to
FreeRADIUS. I imagine there must be a simple php interface for some sort of
"Internet cafe" type of use. I'd prefer as simple as possible (ie, flat file),
but would be fine if MySQL is the way to go for account info storage.

I know I COULD put together a FreeRADIUS and OpenLDAP server with something
like a webmin front end, but that seems overkill to me.

2) Some sort of automatic password generator for above...not absolutely
necessary, but would be nice.

I would imagine this wheel has already been invented, so if anybody could
point me in the right direction, it would be appreciated.

Thanks!
[How to use Listen directive in inner tunnel virtual server]
Hello,

We're using freeradius 2.1.6 as a proxy server. It receives
authentication/accounting from Wimax NAS/ASN Gateway (EAP/TTLS), sends it to
the inner tunnel, and then proxies to the customer home server.

The server where it is located has two IP interfaces and even worse on one of
the interfaces we're using IP aliasing :-)

I've noticed that freeradius always uses the same IP to proxy from the inner
tunnel.

I know that I could use the listen directive in radiusd.conf (and that's what
I've done) to force freeradius to choose the correct IP to proxy.

But this does not seem to work for inner-tunnel proxying.

Do you have any ideas how I could do that (e.g. use two different source IPs
to do the proxying)?

Thanks
Thomas
Re: LDAP-group filter search is failing
Phil - i changed according to your suggestion. Still getting the
"rlm_ldap::ldap_groupcmp: ldap_get_values() failed" error.

Alexander - you have a point - WANN is under OU - I've made an adjustment in
modules/ldap and changed groupname_attribute to ou

  groupname_attribute = ou

But after running it - I still receive the "rlm_ldap::ldap_groupcmp:
ldap_get_values() failed" error...

  +- entering group post-auth {...}
  [ldap] Entering ldap_groupcmp()
  [files] expand: ou=Departments,dc=corp,dc=development,dc=com -> ou=Departments,dc=corp,dc=development,dc=com
  [files] expand: (&(sAMAccountName=%{mschap:User-Name})) -> (&(sAMAccountName=RobertTest1))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Departments,dc=corp,dc=development,dc=com, with filter (&(sAMAccountName=RobertTest1))
  [ldap] ldap_release_conn: Release Id: 0
  [files] expand: (&(objectClass=group)(member=%{control:Ldap-UserDn})) -> (&(objectClass=group)(member=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Departments,dc=corp,dc=development,dc=com, with filter (&(ou=WANN)(&(objectClass=group)(member=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom)))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in CN=RobertTest1,OU=WANN,OU=Departments,DC=corp,DC=development,DC=com, with filter (objectclass=*)
  rlm_ldap::ldap_groupcmp: ldap_get_values() failed
  [ldap] ldap_release_conn: Release Id: 0
  ++[files] returns noop
  Sending Access-Accept of id 224 to 192.168.100.2 port 1645
          User-Name = "DEVELOPMENT\\RobertTest1"
          MS-MPPE-Recv-Key = 0x8c2d74933e7870173463e1855e01e93bf9e67a837387801d85c5b9e307b0d08f
          MS-MPPE-Send-Key = 0x677459a0d6a7498398e7d7083e9ab49d33be9d812e6a3117569cdf126f9b385c
          EAP-Message = 0x030a0004
          Message-Authenticator = 0x
  Finished request 8.

And after running

  ldapsearch -h server -x -b dc=corp,dc=development,dc=com ou=wann dn member

I get...

  # extended LDIF
  #
  # LDAPv3
  # base <dc=corp,dc=development,dc=com> with scope subtree
  # filter: ou=wann
  # requesting: ALL
  #

  # WANN, Departments, corp.development.com
  dn: OU=WANN,OU=Departments,DC=corp,DC=development,DC=com
  objectClass: top
  objectClass: organizationalUnit
  ou: WANN
  distinguishedName: OU=WANN,OU=Departments,DC=corp,DC=development,DC=com
  instanceType: 4
  whenCreated: 20110405164142.0Z
  whenChanged: 20110405164142.0Z
  uSNCreated: 10913685
  uSNChanged: 10913685
  name: WANN
  objectGUID:: Eqi2LbFChke1MJ1VS9a4GA==
  objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=corp,DC=development,DC=com

  # search reference
  ref: ldap://ForestDnsZones.corp.development.com/DC=ForestDnsZones,DC=corp,DC=development,DC=com

  # search reference
  ref: ldap://DomainDnsZones.corp.development.com/DC=DomainDnsZones,DC=corp,DC=development,DC=com

  # search reference
  ref: ldap://corp.development.com/CN=Configuration,DC=corp,DC=development,DC=com

  # search result
  search: 2
  result: 0 Success

  # numResponses: 5
  # numEntries: 1
  # numReferences: 3
Re: Mac Authorization
On 08/04/11 16:39, Arran Cudbard-Bell wrote:
> Well spotted, this was accounted for correctly in the original example,
> after someone else on the listed pointed out that files returned not found.
> I guess the author of the new examples didn't actually check what return
> code the files module returns when an entry isn't found.

Yeah sorry, my bad; I'm translating that from a dissimilar example at our
site.
Re: Mac Authorization
Well spotted, this was accounted for correctly in the original example, after
someone else on the list pointed out that files returned not found. I guess
the author of the new examples didn't actually check what return code the
files module returns when an entry isn't found.

I've updated the wiki examples with !ok.

Thanks,
Arran

On Apr 8, 2011, at 8:07 AM, Joren Love wrote:

> There was also an issue with the authorized_macs "module" returning noop
> instead of notfound. Not sure if this is just something weird on my end, but
> changing the if statement seems to make it work.
>
> -Joren
>
> On Thu, Apr 7, 2011 at 1:25 AM, Phil Mayers wrote:
>> On 04/06/2011 10:59 PM, Joren Love wrote:
>>> Hey, thanks for your reply. I did try creating the "file" module with the
>>> contents from the howto, and it seems to get loaded (Debug: including
>>> configuration file /etc/freeradius/modules/file however, I still get the
>>> same error:
>>>
>>> Edit: Now I'm noticing there's a typo in the wiki. Under
>>> raddb/sites-available/default
>>> it says authorize_macs instead of authorized_macs. Fixing this makes it
>>> work.
>>
>> Oops. Well spotted, fixed.
Re: Mac Authorization
There was also an issue with the authorized_macs "module" returning noop
instead of notfound. Not sure if this is just something weird on my end, but
changing the if statement seems to make it work.

-Joren

On Thu, Apr 7, 2011 at 1:25 AM, Phil Mayers wrote:
> On 04/06/2011 10:59 PM, Joren Love wrote:
>
>> Hey, thanks for your reply. I did try creating the "file" module with the
>> contents from the howto, and it seems to get loaded (Debug: including
>> configuration file /etc/freeradius/modules/file however, I still get the
>> same error:
>>
>> Edit: Now I'm noticing there's a typo in the wiki. Under
>> raddb/sites-available/default
>> it says authorize_macs instead of authorized_macs. Fixing this makes it
>> work.
>
> Oops. Well spotted, fixed.
Re: Restrict access per NAS
you are probably looking to check for the calling-station-id attribute... im
not sure how to do with ldap.

On Fri, Apr 8, 2011 at 7:11 AM, Sergio Belkin wrote:
> Hi,
>
> Is there a way to restrict an LDAP user to be authorized only from an
> specific NAS (Access Point)?
>
> I'm using FreeRADIUS Version 2.1.1
>
> Thanks in advance!
> --
> Sergio Belkin http://www.sergiobelkin.com
> Watch More TV http://sebelk.blogspot.com
> LPIC-2 Certified - http://www.lpi.org

--
Random quote of the week/month/whenever i get to updating it:
"Quis custodiet ipsos custodes?": "who shall watch the watchers themselves?" - Juvenal
Restrict access per NAS
Hi,

Is there a way to restrict an LDAP user to be authorized only from a
specific NAS (Access Point)?

I'm using FreeRADIUS Version 2.1.1

Thanks in advance!
--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
problem in assigning Tunnel-Private-Group-ID
rt 1044, id=184, length=213
          User-Name = "abdul"
          Acct-Status-Type = Start
          Acct-Authentic = RADIUS
          Framed-IP-Address = 169.254.67.194
          Calling-Station-Id = "00-1F-3C-E1-17-A9"
          NAS-IP-Address = 10.73.93.151
          NAS-Port = 1
          Called-Station-Id = "AC-67-06-39-CB-0D"
          NAS-Port-Type = Wireless-802.11
          NAS-Identifier = "AC-67-06-39-CB-0D"
          Connect-Info = "AC-67-06-39-CB-0D"
          Acct-Session-Id = "4D9EBE6D-0037"
          Acct-Multi-Session-Id = "ac670639cb0d001f3ce117a94d9f077c00d2"
          Vendor-25053-Attr-3 = 0x55464f4d6f7669657a
  # Executing section preacct from file /etc/raddb/sites-enabled/default
  +- entering group preacct {...}
  ++[preprocess] returns ok
  [acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 10.73.93.151,NAS-IP-Address = 10.73.93.151,Acct-Session-Id = "4D9EBE6D-0037",User-Name = "abdul"'
  [acct_unique] Acct-Unique-Session-ID = "c55f8220b641e9bd".
  ++[acct_unique] returns ok
  [suffix] No '@' in User-Name = "abdul", looking up realm NULL
  [suffix] No such realm "NULL"
  ++[suffix] returns noop
  ++[files] returns noop
  # Executing section accounting from file /etc/raddb/sites-enabled/default
  +- entering group accounting {...}
  [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.73.93.151/detail-20110408
  [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.73.93.151/detail-20110408
  [detail] expand: %t -> Fri Apr 8 18:38:10 2011
  ++[detail] returns ok
  ++[unix] returns ok
  [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
  [radutmp] expand: %{User-Name} -> abdul
  ++[radutmp] returns ok
  ++[exec] returns noop
  [attr_filter.accounting_response] expand: %{User-Name} -> abdul
  attr_filter: Matched entry DEFAULT at line 12
  ++[attr_filter.accounting_response] returns updated
  Sending Accounting-Response of id 184 to 10.73.93.151 port 1044
  Finished request 11.
  Cleaning up request 11 ID 184 with timestamp +68
  Going to the next request
  Ready to process requests.

I have checked the /etc/raddb/users, which looks like this;

  DEFAULT
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Service-Type = Framed-User,
          Fall-Through = Yes

  abdul   Cleartext-Password := "test123"
          Tunnel-Private-Group-ID = 18

Is there anything that I need to do on the FreeRadius or is it my switches or
the Zone Director which is the culprit.

Please help.

Syed
RE: MS-CHAP-V2 with no retry
A couple of comments on how clients behave:

o It was my impression based on comments from our support area that the
  unpatched code (which does not follow the rfc) serving a windows client
  presented the user with a dialogue box on failure. I have not tested this.
  I assumed that if windows could deal reasonably with a server which did not
  follow the rfc they could also work with one that did (possibly wrong
  assumption - but they are the ones which wrote the rfc).

o It is known that various versions of the mac client fail in different
  respects - however they seem to fail consistently in that if retry is
  allowed they fail to increment the ID when retrying - and the MS radius
  server discards the retry because it is not following the protocol. You
  can get macs to play by configuring the server to not allow retries. So if
  you are going to test macs on the MS radius server you might try both with
  retry and without retry.

o In this case it appears that there have been more issues with mac
  wpa_clients than windows wpa_clients.

o Testing of both windows and mac without the patch and with the patch needs
  to be done.

johnh...

From: freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org
  [freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org] on
  behalf of Alan DeKok [al...@deployingradius.com]
Sent: Friday, April 08, 2011 2:54 AM
To: FreeRadius users mailing list
Subject: Re: MS-CHAP-V2 with no retry

Phil Mayers wrote:
> +1 - In my experience it's necessary to cater for windows' weirdness
> *first*. Most other clients have sane behaviours. I'm concerned about
> the "we didn't do much windows testing" line...

  Yup. I've just pushed some changes to the git "v2.1.x" branch. See:

raddb/modules/mschap
- allow_retry
- retry_msg

raddb/eap.conf
- send_error

  The default is no change. See the documentation for how to test the new
features.

  Alan DeKok.
Re: PC XP SP2 with 802.1x/PEAP authenticate problem
igrubnic wrote:
> but when i enter that username/pwd on pc again same debug output obtained:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.223.0.131 port 65534, id=16,
> length=132
>         NAS-IP-Address = 100.1.1.1
>         NAS-Port-Id = "1.2"
>         Framed-MTU = 1024
>         User-Name = "00-02-A5-F8-70-29"
>         Calling-Station-Id = "00-02-A5-F8-70-29"
>         Message-Authenticator = 0x9ea1afaf433c44fbe0e5197d6a2a0292
>         EAP-Message = 0x0279000c0167706f6e706333

  The access point is garbage. Throw it out, and buy one that works.

  The User-Name should *not* be a MAC address.

  Alan DeKok.
Re: PC XP SP2 with 802.1x/PEAP authenticate problem
hi alan,

thank you for reply. i google/found how to configure pc according to ch.4:
http://h17007.www1.hp.com/docs/interoperability/Microsoft/4AA2-1531EEE.pdf

on pc i have pop-up window which asks for credentials (username and pwd) and
for pc i have defined following entry (deleted old one including mac):

  gponpc3 Cleartext-Password := "pw4gponpc3"

it works (as expected) with radtest check:

  bash-3.2$ sudo radtest gponpc3 pw4gponpc3 127.0.0.1 0 testing123
  Sending Access-Request of id 108 to 127.0.0.1 port 1812
          User-Name = "gponpc3"
          User-Password = "pw4gponpc3"
          NAS-IP-Address = 127.0.0.1
          NAS-Port = 0
  rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=108, length=20

but when i enter that username/pwd on pc again same debug output obtained:

  Ready to process requests.
  rad_recv: Access-Request packet from host 10.223.0.131 port 65534, id=16, length=132
          NAS-IP-Address = 100.1.1.1
          NAS-Port-Id = "1.2"
          Framed-MTU = 1024
          User-Name = "00-02-A5-F8-70-29"
          Calling-Station-Id = "00-02-A5-F8-70-29"
          Message-Authenticator = 0x9ea1afaf433c44fbe0e5197d6a2a0292
          EAP-Message = 0x0279000c0167706f6e706333
          NAS-Identifier = "PENKALA"
          Ericsson-Attr-101 = 0x4552494353534f4e
  # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  +- entering group authorize {...}
  ++[preprocess] returns ok
  ++[chap] returns noop
  ++[mschap] returns noop
  ++[digest] returns noop
  [suffix] No '@' in User-Name = "00-02-A5-F8-70-29", looking up realm NULL
  [suffix] No such realm "NULL"
  ++[suffix] returns noop
  [eap] EAP packet type response id 121 length 12
  [eap] No EAP Start, assuming it's an on-going EAP conversation
  ++[eap] returns updated
  ++[files] returns noop
  ++[expiration] returns noop
  ++[logintime] returns noop
  [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
  ++[pap] returns noop
  Found Auth-Type = EAP
  # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  +- entering group authenticate {...}
  [eap] Identity does not match User-Name, setting from EAP Identity.
  [eap] Failed in handler
  ++[eap] returns invalid
  Failed to authenticate the user.
  Using Post-Auth-Type Reject
  # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  +- entering group REJECT {...}
  [attr_filter.access_reject] expand: %{User-Name} -> 00-02-A5-F8-70-29
  attr_filter: Matched entry DEFAULT at line 11
  ++[attr_filter.access_reject] returns updated
  Delaying reject of request 0 for 1 seconds
  Going to the next request
  Waking up in 0.9 seconds.
  Sending delayed reject for request 0
  Sending Access-Reject of id 16 to 10.223.0.131 port 65534
  Waking up in 4.9 seconds.
  rad_recv: Access-Request packet from host 10.223.0.131 port 65534, id=16, length=132
  Sending duplicate reply to client 10.223.0.131 port 65534 - ID: 16
  Sending Access-Reject of id 16 to 10.223.0.131 port 65534
  Waking up in 4.7 seconds.
  Cleaning up request 0 ID 16 with timestamp +44
  Ready to process requests.

it seems that authenticator has field User-Name = "00-02-A5-F8-70-29" set
according to RFC 3580, ch.3.1, regardless of what i define in users file:

  3.1.  User-Name

     In IEEE 802.1X, the Supplicant typically provides its identity via an
     EAP-Response/Identity message.  Where available, the Supplicant
     identity is included in the User-Name attribute, and included in the
     RADIUS Access-Request and Access-Reply messages as specified in
     [RFC2865] and [RFC3579].

     Alternatively, as discussed in [RFC3579] Section 2.1., the User-Name <--
     attribute may contain the Calling-Station-ID value, which is set to  <--
     the Supplicant MAC address.                                          <--

please can u comment again?

i have captured 2 wireshark traces:
-between server and authenticator
-between authenticator and supplicant

from wireshark trace (RADIUS_AUTH_SUPPLICANT.pcap) it can be observed that
identity obtained from PC is gponpc3 (username i entered in pop-up window).

please let me know if u r interested to see those ws traces and how i can post
it to you?

thank u in advance,
irena
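To see what the EAP-Message in that debug output actually carries, here is an added example (not code from the post or from FreeRADIUS) that decodes the attribute according to RFC 3748 and compares the EAP Identity with the User-Name the access point sent. The two input values are copied from the quoted freeradius -X output; the decoder itself is mine. It shows the identity is "gponpc3" while User-Name is the MAC address, which is the mismatch behind the "Identity does not match User-Name" line in the log.

```python
# Added example, not code from the list post or from FreeRADIUS: decode the
# EAP-Message attribute shown in the debug output (RFC 3748 section 4) and
# compare the EAP Identity it carries with the User-Name the NAS sent.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

# Values taken verbatim from the freeradius -X output quoted in the post.
SAMPLE_EAP_MESSAGE = "0x0279000c0167706f6e706333"
SAMPLE_USER_NAME = "00-02-A5-F8-70-29"


def parse_eap(raw):
    """Parse one EAP packet: Code, Identifier, Length, then Type and Type-Data
    for Request/Response. Rejects a Length field that disagrees with the bytes
    present, which is the first thing a robust parser has to check."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} but {len(raw)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        info["type"] = raw[4]
        info["data"] = raw[5:]
        if raw[4] == EAP_TYPE_IDENTITY:
            # Identity is plain text; RFC 3748 allows it to carry an NAI
            info["identity"] = raw[5:].decode("utf-8", "replace")
    return info


def eap_message_from_debug(hex_text):
    """Convert the 0x... form printed by freeradius -X back to bytes."""
    return bytes.fromhex(hex_text[2:] if hex_text.startswith("0x") else hex_text)


def identity_vs_user_name(eap_hex, user_name):
    """Return (eap_identity, mismatch). A mismatch is what makes the server
    log 'Identity does not match User-Name, setting from EAP Identity'."""
    info = parse_eap(eap_message_from_debug(eap_hex))
    identity = info.get("identity")
    return identity, identity is not None and identity != user_name


if __name__ == "__main__":
    print(parse_eap(eap_message_from_debug(SAMPLE_EAP_MESSAGE)))
    print(identity_vs_user_name(SAMPLE_EAP_MESSAGE, SAMPLE_USER_NAME))  # ('gponpc3', True)
```

The decoded header (Response, id 121, length 12) matches the "[eap] EAP packet type response id 121 length 12" line in the same debug output, so the parser can be checked against the log directly.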
Re: segfault in detail listener
Phil Mayers wrote:
> We're seeing very occasional segfaults in the detail listener. I've
> managed to catch one under gdb, and the backtrace shows it dying at
> detail.c:601:
>
> if (feof(data->fp)) goto cleanup;
>
> ...because data->fp == NULL
>
> I can't follow the control flow to see why this might happen, but I did
> gather a backtrace etc.

  The fix is easy. Check if it's NULL.

  Pushed to git.

  Alan DeKok.
Re: rlm_sql_unixodbc ?
Jim Rice wrote:
> config.log:configure:3082: WARNING: FAILURE: rlm_sql_unixodbc requires:
> sql.h.

  Install the unixodbc software, library, and header files. Ask the
unixodbc people how to do this.

  Alan DeKok.
Re: Per Vendor NAS-Port documentation
Olivier Bilodeau wrote:
>
>> If there's nothing yet, maybe they can create a wiki page for it? I'd be
>> willing to edit the entries, either on the wiki if I can get an account,
>> or offline and batch up the responses into wiki markup.
>>
>
> As suggested, I created a Wiki page: http://wiki.freeradius.org/NAS-Port
>
> I added what we have so far. I'll try to remember to maintain it.
>
NAS-Port-Id not useful or am I missing something?  I get 'FastEthernet1/0/2'
and what not which is good enough for me.  Obviously that is just what our
Cisco 3750's knock out, and I guess other vendors might vary.

Cheers

--
Alexander Clouter
.sigmonster says: "He don't know me vewy well, DO he?" -- Bugs Bunny
segfault in detail listener
All,

We're seeing very occasional segfaults in the detail listener. I've managed
to catch one under gdb, and the backtrace shows it dying at detail.c:601:

  if (feof(data->fp)) goto cleanup;

...because data->fp == NULL

I can't follow the control flow to see why this might happen, but I did
gather a backtrace etc.
Re: rlm_sql_unixodbc ?
config.log:configure:3082: WARNING: FAILURE: rlm_sql_unixodbc requires:
sql.h.

- Original Message -
From: "Fajar A. Nugraha"
To: "FreeRadius users mailing list"
Sent: Thursday, April 07, 2011 07:30 PM
Subject: Re: rlm_sql_unixodbc ?

On Fri, Apr 8, 2011 at 8:13 AM, Jim Rice wrote:
> After installing mysql-connector-odbc, running ./configure within
> rlm_sql_unixodbc it was then able to find:
>
>   checking for SQLConnect in -lodbc... yes
>
> But not:
>
>   checking for sql.h... no
>   configure: WARNING: silently not building rlm_sql_unixodbc.
>   configure: WARNING: FAILURE: rlm_sql_unixodbc requires: sql.h.
>
> I ran a find for sql.h and it is not in /usr. And neither pkg exists for
> mysql-connector-odbc-devel nor mysql-connector-odbc-dev. There is this:
>
>   /usr/local/src/freeradius-server-2.1.10/src/modules/rlm_sql/rlm_sql.h
>
> Still not sure how to resolve this.

Ask your distro list/forum/support, the package name can be distro-specific.
Or build unixodbc from source.

For example, on Ubuntu, it should be unixodbc-dev
http://packages.ubuntu.com/search?searchon=contents&keywords=sql.h&mode=exactfilename&suite=maverick&arch=any

--
Fajar
Re: Per Vendor NAS-Port documentation
Olivier Bilodeau wrote:
> As suggested, I created a Wiki page: http://wiki.freeradius.org/NAS-Port
>
> I added what we have so far. I'll try to remember to maintain it.

  Thanks.

  Alan DeKok.
Re: Problem with EAP-TLS authentication in Freeradius 2.1.0
Hi Alan,

Earlier I have faced the same problem and after changing Make file it was
working fine. Now certificate got expired and I tried to generate new
certificate. Problem is I am not able to connect with the new certificate.
So please let me know how to solve this problem.

Regards
Senthil

On Fri, Apr 8, 2011 at 12:40 PM, Alan DeKok wrote:
> senthil kumar wrote:
> > I am using Freeradius 2.1.0
> > PEAP/TTLS is working fine and I am facing problem in TLS
> > authentication. I am able to generate certificate but while connecting
> > it throws Authentication error.
> > Please let me know how to debug it.
>
>   *Read* the debug log. There's a lot of text, but looking for
> "warning" or "error" or "failure" or "reject" is simple.
>
> > [tls] <<< TLS 1.0 Alert [length 0002], warning bad_certificate
> >
> > TLS Alert read:warning:bad certificate
>
>   See?
>
>   Alan DeKok.

--
"Adversity always presents opportunity for Introspection"

Regards
Senthil
Re: LDAP-group filter search is failing
joezamosc wrote:
>
> The 10th line from the bottom of the snippet returns with the following...
>
> rlm_ldap::ldap_groupcmp: ldap_get_values() failed
>
> I'm waiting for a subsequent "[ldap] performing search in" my DN and to
> match with filter (cn=WANN)
> But it's not happening.
>
It is happening, you have to read the debug ;)

  [ldap] performing search in ou=Departments,dc=corp,dc=development,dc=com, with filter (&(cn=WANN)(|(&(objectClass=GroupOfNames)(member=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom

> Any insight?
>
You are hunting for the group under
'ou=Departments,dc=corp,dc=development,dc=com', effectively doing:

  ldapsearch -h server -x -b ou=Departments,dc=corp,dc=development,dc=com '(&(cn=WANN)(|(&(objectClass=GroupOfNames)(member=CN...'

I'm guessing that's not where 'cn=WANN' lives?  What does the following give
you?

  ldapsearch -h server -x -b dc=corp,dc=development,dc=com cn=wann dn member

Cheers

--
Alexander Clouter
.sigmonster says: Creditor, n.: A man who has a better memory than a debtor.
Re: MS-CHAP-V2 with no retry
Phil Mayers wrote:
> +1 - In my experience it's necessary to cater for windows' weirdness
> *first*. Most other clients have sane behaviours. I'm concerned about
> the "we didn't do much windows testing" line...

  Yup. I've just pushed some changes to the git "v2.1.x" branch. See:

raddb/modules/mschap
- allow_retry
- retry_msg

raddb/eap.conf
- send_error

  The default is no change. See the documentation for how to test the new
features.

  Alan DeKok.
Re: LDAP-group filter search is failing
On 04/07/2011 10:06 PM, joezamosc wrote:
> 2.1.10
>
> Here's a snippet of freeradius -X...
>
> +- entering group post-auth {...}
> [ldap] Entering ldap_groupcmp()
> [files] expand: ou=Departments,dc=corp,dc=development,dc=com -> ou=Departments,dc=corp,dc=development,dc=com
> [files] expand: (&(sAMAccountName=%{mschap:User-Name})) -> (&(sAMAccountName=RobertTest1))
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in ou=Departments,dc=corp,dc=development,dc=com, with filter (&(sAMAccountName=RobertTest1))
> [ldap] ldap_release_conn: Release Id: 0
> [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) ->

You are using Active Directory, and this LDAP filter is invalid. You want:

(&(objectClass=group)(member=%{control:Ldap-UserDn}))
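Following up both replies on the group search above (Alexander's base-DN point and Phil's Active Directory filter), here is an added example, not FreeRADIUS code, that builds the rlm_ldap group filter the way the debug output shows it; the set of escaped characters and the DN-splitting helper are assumptions.

```python
import re

# Characters rewritten as backslash + two hex digits inside a filter value.
# RFC 4515 requires only * ( ) \ and NUL; the debug output on this page also
# shows '=' and ',' escaped (\3d, \2c), so they are included here
# (assumption: FreeRADIUS 2.x escapes at least this set).
_ESCAPE = set('*()\\\x00=,')

# Expansion variable rlm_ldap substitutes with the user's DN (from the page).
USER_DN_VAR = '%{control:Ldap-UserDn}'

# Default groupmembership_filter shown in the page's debug output.
GENERIC_MEMBERSHIP_FILTER = (
    '(|(&(objectClass=GroupOfNames)(member=' + USER_DN_VAR + '))'
    '(&(objectClass=GroupOfUniqueNames)(uniquemember=' + USER_DN_VAR + ')))'
)
# The Active Directory filter suggested in the reply above.
AD_MEMBERSHIP_FILTER = '(&(objectClass=group)(member=' + USER_DN_VAR + '))'


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter."""
    return ''.join('\\%02x' % ord(c) if c in _ESCAPE else c for c in value)


def group_search_filter(group_name, user_dn, membership_filter=GENERIC_MEMBERSHIP_FILTER):
    """Combine (cn=<group>) with the expanded membership filter, as the debug output shows."""
    expanded = membership_filter.replace(USER_DN_VAR, escape_filter_value(user_dn))
    return '(&(cn=%s)%s)' % (escape_filter_value(group_name), expanded)


def filter_is_balanced(ldap_filter):
    """Cheap sanity check: every '(' has a matching ')' (catches truncated filters)."""
    depth = 0
    for c in ldap_filter:
        if c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def dn_under_base(dn, base):
    """True if dn equals base or sits below it. Simplified helper: splits on
    unescaped commas only and compares RDNs case-insensitively."""
    split = lambda s: [p.strip().lower() for p in re.split(r'(?<!\\),', s)]
    d, b = split(dn), split(base)
    return len(d) >= len(b) and d[-len(b):] == b
```

dn_under_base answers Alexander's question directly: if the group's DN is not under the configured basedn, the search can never return it, however correct the filter is.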
Re: MS-CHAP-V2 with no retry
On 04/08/2011 08:26 AM, Alan DeKok wrote:
> James J J Hooper wrote:
> > It works on Mac OS and iOS, but I haven't been able to get it to work
> > as expected on XP or Win7:
> > * Win7 does as it did before
>
> That's not all bad.
>
> > * XP: The [builtin] supplicant gets stuck at the 'trying to authenticate'
> > message.
>
> That's not good.
>
> > Could you forward your patches gzipped [so they don't get mangled] so I
> > can verify I have patched the source correctly?
>
> I'll put some fixes into git "v2.1.x" branch later today, I think.
>
> Changing the EAP-MSCHAP state machine worries me. It works now, so
> doing something *different* is a potential source of problems.

+1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the "we didn't do much windows testing" line...

I also think that, if we're aiming to make the behaviour "better" we should take a careful look at what IAS/NPS does; we maintain a "for comparison" server for just such cases, and I'll try to have a look today.
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote:
> It works on Mac OS and iOS, but I haven't been able to get it to work
> as expected on XP or Win7:
> * Win7 does as it did before

That's not all bad.

> * XP: The [builtin] supplicant gets stuck at the 'trying to authenticate'
> message.

That's not good.

> Could you forward your patches gzipped [so they don't get mangled] so I
> can verify I have patched the source correctly?

I'll put some fixes into git "v2.1.x" branch later today, I think.

Changing the EAP-MSCHAP state machine worries me. It works now, so doing something *different* is a potential source of problems.

Alan DeKok.
Re: Problem with EAP-TLS authentication in Freeradius 2.1.0
senthil kumar wrote:
> I am using Freeradius 2.1.0
> PEAP/TTLS is working fine and I am facing problem in TLS
> authentication. I am able to generate certificate but while connecting
> it throws Authentication error.
> Please let me know how to debug it.

*Read* the debug log. There's a lot of text, but looking for "warning" or "error" or "failure" or "reject" is simple.

> [tls] <<< TLS 1.0 Alert [length 0002], warning bad_certificate
>
> TLS Alert read:warning:bad certificate

See?

Alan DeKok.
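Alan's advice above, turned into an added triage script (example code, not part of the thread or of FreeRADIUS): it splits a debug log on rad_recv headers, keeps the keyword lines and decodes [tls] alert lines per request; the sample log is constructed from lines that appear on this page.

```python
import re

# Words Alan suggests looking for; matched case-insensitively.
KEYWORDS = ('warning', 'error', 'failure', 'reject')

# Start of a new request in the debug output (format taken from the page).
REQ_RE = re.compile(r'^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)')
# TLS alert as the server's OpenSSL callback prints it: '<<<' is data the
# server read from the supplicant, '>>>' data it wrote to it.
TLS_ALERT_RE = re.compile(r'\[tls\] (<<<|>>>) TLS [\d.]+ Alert \[length \w+\], (\w+) (\w+)')


def triage(log_text):
    """Return (keyword_hits, tls_alerts), each tagged with the request id in force."""
    keyword_hits = []   # (request_id, line)
    tls_alerts = []     # (request_id, direction, level, description)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REQ_RE.match(line)
        if m:
            current = int(m.group(3))
            continue
        lowered = line.lower()
        if any(k in lowered for k in KEYWORDS):
            keyword_hits.append((current, line))
        a = TLS_ALERT_RE.search(line)
        if a:
            direction = 'from supplicant' if a.group(1) == '<<<' else 'to supplicant'
            tls_alerts.append((current, direction, a.group(2), a.group(3)))
    return keyword_hits, tls_alerts


# Constructed sample assembled from log lines that appear on this page.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.1 port 4906, id=6, length=147
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200060d00
[eap] EAP packet type response id 2 length 6
[tls] processing EAP-TLS
[tls] <<< TLS 1.0 Alert [length 0002], warning bad_certificate
TLS Alert read:warning:bad certificate
[tls] eaptls_verify returned 1
"""

if __name__ == '__main__':
    hits, alerts = triage(SAMPLE_LOG)
    for rid, direction, level, desc in alerts:
        print('request %s: TLS %s alert %s %s' % (rid, level, desc, direction))
    for rid, line in hits:
        print('request %s: %s' % (rid, line))
```

A bad_certificate alert read from the supplicant means the client side rejected the certificate the server presented, which is where to look first after re-issuing certificates.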
Problem with EAP-TLS authentication in Freeradius 2.1.0
Hi All,

I am using Freeradius 2.1.0
PEAP/TTLS is working fine and I am facing a problem in TLS authentication. I am able to generate a certificate but while connecting it throws an Authentication error.
Please let me know how to debug it.

rad_recv: Access-Request packet from host 192.168.1.1 port 4906, id=6, length=147
        User-Name = "ma...@nokia.com"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "0023692c6f74"
        Calling-Station-Id = "0025d05b72ab"
        NAS-Identifier = "0023692c6f74"
        NAS-Port = 2
        Framed-MTU = 1400
        State = 0xc0ff35f8c1fd389f4e860dc8a76c03f8
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200060d00
        Message-Authenticator = 0xcf453c67c6fe4f7695dbba231da2ba1e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.1 port 4906
        EAP-Message = 0x01024000720070306e310b30
        Message-Authenticator = 0x
        State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
Finished request 156.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4908, id=6, length=147
        User-Name = "ma...@nokia.com"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "0023692c6f74"
        Calling-Station-Id = "0025d05b72ab"
        NAS-Identifier = "0023692c6f74"
        NAS-Port = 2
        Framed-MTU = 1400
        State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020300060d00
        Message-Authenticator = 0xdeea6893aacbe253ed951368cec20746
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 len