Re: problem in assigning Tunnel-Private-Group-ID
Dear Alan,

Thank you so much. God bless you all, it's working!

Regards,
Syed

--
View this message in context: http://freeradius.1045715.n5.nabble.com/problem-in-assigning-Tunnel-Private-Group-ID-tp4290798p4295526.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 10/04/11 15:41, James J J Hooper wrote:
> This C=random needs to be saved and eventually make its way in to data->challenge so that the line lower down:
>
> memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);

It's actually a bit more complex; the new challenge is being generated inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2 needs to know it, so that it can add it to the fake request which it then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.

This would also get us part of the way there to password change via mschap (Samba currently lacks the specific API call to do this, with the values available in an MSCHAP CPW packet, but it might be possible to compile a C helper which does it...)
Freeradius proxy caching users
Hello,

I use FreeRADIUS as a proxy server. Is it possible to cache authenticated users on the proxy and resend Access-Accept to these users if the home server fails?

Ivan Luska
Re: Mac Authorization
Joren,

This is how my policy looks. Could you please let me know what changes I need to make to get MAC authentication working?

policy {
	#
	#  Rewrite called station id attribute into a standard format.
	#
	rewrite_calling_station_id {
		if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
			update request {
				Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
			}
		}
		else {
			noop
		}
	}

	#
	#  Forbid all EAP types.
	#
	forbid_eap {
		if (EAP-Message) {
			reject
		}
	}

	#
	#  Forbid all non-EAP types outside of an EAP tunnel.
	#
	permit_only_eap {
		if (!EAP-Message) {
			#  We MAY be inside of a TTLS tunnel.
			#  PEAP and EAP-FAST require EAP inside of
			#  the tunnel, so this check is OK.
			#  If so, then there MUST be an outer EAP message.
			if (!"%{outer.request:EAP-Message}") {
				reject
			}
		}
	}
}

Also, my /etc/raddb/users file looks like this:

DEFAULT	Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Service-Type = Framed-User, Fall-Through = Yes

00-1F-3C-D1-2B-6C	User-Name = subhash, Cleartext-Password = sub@1979, Tunnel-Private-Group-ID = 17
Re: Freeradius proxy caching users
On 11/04/11 11:45, Ivan Luska wrote:
> Hello,
> I use Freeradius as proxy server. Is it possible to cache authenticated users on the proxy and resend access-accept to these users, if home server fails?

Probably not, but it depends.

If you're using a challenge-response auth method (EAP, for 802.1x wireless or wired; CHAP for VPN/dialup/ADSL) then no. It's impossible.

If you're using PAP or similar, then you could probably write a script to cache them, or use rlm_caching - see raddb/experimental.conf for the caching module definition.
FR and AD with ntlm and Users group
Hi,

I am authenticating my Cisco devices by integrating FreeRADIUS with Active Directory, not using LDAP but ntlm_auth. Now, if I make a group on my AD server, for example "Router Admins", and put some users in it, where would I define in FreeRADIUS that only users from the Router Admins group are permitted? Do I need to define it in smb.conf?

BR,
Raheel
Re: Freeradius proxy caching users
Ivan Luska <lu...@ics.muni.cz> wrote:
> Hello,
> I use Freeradius as proxy server. Is it possible to cache authenticated users on the proxy and resend access-accept to these users, if home server fails?

If you look through the archives and find out how to failover to a virtual server to proxy through instead, it is possible. You would need to script up something with rlm_perl/rlm_python to build up a cache, and the virtual failover system would then have to query that cache.

Cheers

--
Alexander Clouter
.sigmonster says: Manoj I *like* the chicken
Re: Problem with EAP-TLS authentication in Freeradius 2.1.0
Hi Alan,

Any solution or debug for this problem? Please let me know.

Regards
Senthil

On Fri, Apr 8, 2011 at 1:43 PM, senthil kumar <mail...@gmail.com> wrote:
> Hi Alan,
>
> Earlier I faced the same problem and after changing the Makefile it was working fine. Now the certificate has expired and I tried to generate a new certificate. The problem is I am not able to connect with the new certificate. So please let me know how to solve this problem.
>
> Regards
> Senthil
>
> On Fri, Apr 8, 2011 at 12:40 PM, Alan DeKok <al...@deployingradius.com> wrote:
>> senthil kumar wrote:
>>> I am using Freeradius 2.1.0. PEAP/TTLS is working fine and I am facing a problem in TLS authentication. I am able to generate a certificate, but while connecting it throws an Authentication error. Please let me know how to debug it.
>>
>> *Read* the debug log. There's a lot of text, but looking for "warning" or "error" or "failure" or "reject" is simple.
>>
>> [tls] TLS 1.0 Alert [length 0002], warning bad_certificate
>> TLS Alert read:warning:bad certificate
>>
>> See?
>>
>> Alan DeKok.

--
Adversity always presents opportunity for Introspection
Regards
Senthil
Duplicate Accounting maybe once, twice a day
Hi everyone,

we are having an issue on our FreeRADIUS setup where our redundant servers will, maybe once or twice a day, create duplicate accounting entries. I have switched the servers to debug for a full day and caught one of these incidents in the log file, see attached. The strange thing is it only happens maybe once a day, regardless of realm or user, and the other couple of hundred accounting requests are fine. Can anyone see why this particular one would bounce back and forth?

Our setup consists of two virtually identical FreeRADIUS 2 servers, each with their own MySQL database, so each of them is capable of doing Auth and Acct, and proxies Acct to the other one. Also I changed the acct_update_alt query to write to a failover table since I thought this was the alt query being triggered, but this does not make a difference. Still duplicates in the radacct table.

Thanks!
Marius

__
Marius Pesé
Senior Software Developer
B.Sc. Computer Science
Mindspring Computing, http://www.mindspring.co.za/
Unit 5, Doncaster Office Park, Punters Way, Kenilworth
P O Box 46926, Glosderry 7702
Cape Town, South Africa
Phone: +27 21 657 1780
Fax: +27 21 671 7599
Cell: 072 100 70 73
E-mail: mar...@mindspring.co.za

Attached debug log:

rad_recv: Accounting-Request packet from host 196.43.1.87 port 1820, id=1, length=261
	Acct-Session-Id = 3/0/0/5.159_00A0493F
	Framed-Protocol = PPP
	Framed-IP-Address = 41.144.110.38
	User-Name = aba...@msp.co.za
	X-Ascend-Connect-Progress = LAN-Session-Up
	X-Ascend-PreSession-Time = 3
	X-Ascend-Xmit-Rate = 4096000
	X-Ascend-Data-Rate = 4096000
	Acct-Session-Time = 3404
	Acct-Input-Octets = 970
	Acct-Output-Octets = 994
	X-Ascend-Pre-Input-Octets = 86
	X-Ascend-Pre-Output-Octets = 91
	Acct-Input-Packets = 62
	Acct-Output-Packets = 62
	X-Ascend-Pre-Input-Packets = 5
	X-Ascend-Pre-Output-Packets = 6
	Acct-Authentic = RADIUS
	Acct-Status-Type = Interim-Update
	NAS-Port-Type = Virtual
	NAS-Port = 805634207
	NAS-Port-Id = 3/0/0/5.159
	Connect-Info = AutoShapedVC
	Calling-Station-Id = 0182932392
	Class = NL1
	Service-Type = Framed-User
	NAS-IP-Address = 196.43.27.100
	X-Ascend-Session-Svr-Key = 01FB51D4
	Acct-Delay-Time = 5
	Telkom-Access-Type = DSL
	Proxy-State = 0x3436
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 805634207,Client-IP-Address = 196.43.1.87,NAS-IP-Address = 196.43.27.100,Acct-Session-Id = 3/0/0/5.159_00A0493F,User-Name = aba...@msp.co.za'
[acct_unique] Acct-Unique-Session-ID = bf140131ce2e1d1f.
++[acct_unique] returns ok
[suffix] Looking up realm msp.co.za for User-Name = aba...@msp.co.za
[suffix] Found realm msp.co.za
[suffix] Adding Stripped-User-Name = abacus
[suffix] Adding Realm = msp.co.za
[suffix] Proxying request from user abacus to realm msp.co.za
[suffix] Preparing to proxy accounting request to realm msp.co.za
++[suffix] returns updated
++[files] returns noop
+- entering group accounting {...}
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> aba...@msp.co.za
++[radutmp] returns ok
[sql] expand: %{User-Name} -> aba...@msp.co.za
[sql] sql_set_user escaped user --> 'aba...@msp.co.za'
[sql] expand: %{Acct-Input-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Input-Octets} -> 970
[sql] expand: %{Acct-Output-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Output-Octets} -> 994
[sql] expand: UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET framedipaddress = '41.144.110.38', acctsessiontime = '3404', acctinputoctets = '0' << 32 | '970', acctoutputoctets = '0' << 32 | '994' WHERE acctsessionid = '3/0/0/5.159_00A0493F' AND username = 'aba...@msp.co.za
rlm_sql (sql): xlat failed.
rlm_sql (sql): Reserving sql socket id: 5
rlm_sql_mysql: query: UPDATE radacct SET framedipaddress =
UTF-8 UserName permit?
Hi,

I want to use User-Name with Chinese UTF-8 characters. Is there any special config? Also, is it permitted?

Thanks
Re: MS-CHAP-V2 with no retry
On 11/04/11 11:22, Phil Mayers wrote:
> On 10/04/11 15:41, James J J Hooper wrote:
>> This C=random needs to be saved and eventually make its way in to data->challenge so that the line lower down:
>>
>> memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);
>
> It's actually a bit more complex; the new challenge is being generated inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2 needs to know it, so that it can add it to the fake request which it then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.
>
> This would also get us part of the way there to password change via mschap (Samba currently lacks the specific API call to do this, with the values available in an MSCHAP CPW packet, but it might be possible to compile a C helper which does it...)

The attached patch against the git v2.1.x branch makes EAP-MSCHAPV2 retry work for me. It needs a bit of work, specifically there should be a:

  num_retries

...parameter, and the EAP module should keep track of retry attempt counts, and stop when either:

  try_number > num_retries

or R=0 in the MS-CHAP-Error attribute.

Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it should go into 2.1.11 - there's probably not enough testing time.

It works for a Windows XP SP3 client here, as well as with a jury-rigged eapol_test/wpa_cli combo. I'll spin up an SSID and give it a try with real clients later today.

Of note: this gets us nearer to MS-CHAP change-password functionality; I've looked into this a couple of times recently and Samba has almost all the bits required to make it work... However, that would require some infrastructure for the server to override the MS-CHAP error code, currently hard-coded at 691 - 648 is "password expired" and would need to be set, either by parsing the output of ntlm_auth (for those that use it) or from some SQL/database attribute (for those using Cleartext/NT-Password).

[attachment: retry.patch.gz]
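To make the retry rule above concrete, here is an added example (not Phil's patch and not FreeRADIUS code) that parses the MS-CHAP-Error value as laid out in RFC 2759 (E= code, R= retry flag, C= new challenge, V= version, M= message) and applies the stopping rule from the thread: stop on R=0 or when try_number > num_retries. The num_retries knob and the sample error strings are constructed for the example.

```python
import re

MSCHAPV2_CHALLENGE_LEN = 16
ERROR_AUTHENTICATION_FAILURE = 691   # MS-CHAP error codes mentioned in the thread
ERROR_PASSWD_EXPIRED = 648

# RFC 2759 section 6 failure message layout:
#   "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
# C is the new 16-byte challenge (32 hex digits) the peer must use if it retries.
_ERROR_RE = re.compile(
    r"^E=(?P<code>\d+) R=(?P<retry>[01])"
    r"(?: C=(?P<challenge>[0-9A-Fa-f]{32}))?"
    r"(?: V=(?P<version>\d+))?"
    r"(?: M=(?P<message>.*))?$"
)


def parse_mschap_error(text):
    """Parse an MS-CHAP-Error value; returns None if it does not follow the RFC 2759 layout."""
    m = _ERROR_RE.match(text)
    if m is None:
        return None
    return {
        "code": int(m["code"]),
        "retry": m["retry"] == "1",
        "challenge": bytes.fromhex(m["challenge"]) if m["challenge"] else None,
        "version": int(m["version"]) if m["version"] else None,
        "message": m["message"] or "",
    }


def next_action(error_text, try_number, num_retries):
    """Stopping rule from the thread: stop on R=0 or when try_number > num_retries.

    Returns "retry", "fail" or "change-password" (648 needs the separate
    change-password flow rather than another challenge)."""
    err = parse_mschap_error(error_text)
    if err is None:
        return "fail"            # malformed error text: never guess a challenge
    if err["code"] == ERROR_PASSWD_EXPIRED:
        return "change-password"
    if not err["retry"] or try_number > num_retries:
        return "fail"
    if err["challenge"] is None or len(err["challenge"]) != MSCHAPV2_CHALLENGE_LEN:
        return "fail"            # R=1 without a usable C= value cannot be retried
    return "retry"


class RetryTracker:
    """Per-session retry state the EAP module would keep (num_retries is a hypothetical knob)."""

    def __init__(self, num_retries):
        self.num_retries = num_retries
        self.try_number = 0
        self.challenge = None    # challenge to put in the next EAP-MSCHAPv2 Challenge packet

    def on_error(self, error_text):
        self.try_number += 1
        action = next_action(error_text, self.try_number, self.num_retries)
        self.challenge = parse_mschap_error(error_text)["challenge"] if action == "retry" else None
        return action


# Constructed sample values, not captured from a real server
SAMPLE_RETRY = "E=691 R=1 C=0123456789ABCDEF0123456789ABCDEF V=3 M=Authentication failed"
SAMPLE_NO_RETRY = "E=691 R=0 C=0123456789ABCDEF0123456789ABCDEF V=3 M=Authentication failed"
SAMPLE_EXPIRED = "E=648 R=1 C=0123456789ABCDEF0123456789ABCDEF V=3 M=Password expired"
```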
unable to authenticate freeradius+AD
Hi all,

I need your help to fix a problem in an AD configuration with FreeRADIUS.

My platform: FreeRADIUS + Samba + AD (Windows 2003).
The problem: unable to authenticate AD users.

This is the debug output of the authentication of an AD user on the server.

Regards.

Yao Thierry Konou
AMR SERVICES
11 Rue du Petit Châtelier
CS90346
44303 NANTES CEDEX 3
Tel : 02 28 44 19 80 - Fax : 02 28 44 53 88
Site: http://www.amr-services.fr/

Mon Apr 11 14:24:39 2011 : Debug:  (Loaded rlm_realm, checking if it's valid)
Mon Apr 11 14:24:39 2011 : Debug: Module: Linked to module rlm_realm
Mon Apr 11 14:24:39 2011 : Debug: Module: Instantiating suffix
Mon Apr 11 14:24:39 2011 : Debug:  realm suffix {
Mon Apr 11 14:24:39 2011 : Debug: 	format = "suffix"
Mon Apr 11 14:24:39 2011 : Debug: 	delimiter = "@"
Mon Apr 11 14:24:39 2011 : Debug: 	ignore_default = no
Mon Apr 11 14:24:39 2011 : Debug: 	ignore_null = no
Mon Apr 11 14:24:39 2011 : Debug:  }
Mon Apr 11 14:24:39 2011 : Debug:  (Loaded rlm_files, checking if it's valid)
Mon Apr 11 14:24:39 2011 : Debug: Module: Linked to module rlm_files
Mon Apr 11 14:24:39 2011 : Debug: Module: Instantiating files
Mon Apr 11 14:24:39 2011 : Debug:  files {
Mon Apr 11 14:24:39 2011 : Debug: 	usersfile = "/etc/freeradius/users"
Mon Apr 11 14:24:39 2011 : Debug: 	acctusersfile = "/etc/freeradius/acct_users"
Mon Apr 11 14:24:39 2011 : Debug: 	preproxy_usersfile = "/etc/freeradius/preproxy_users"
Mon Apr 11 14:24:39 2011 : Debug: 	compat = "no"
Mon Apr 11 14:24:39 2011 : Debug:  }
Mon Apr 11 14:24:39 2011 : Debug: [/etc/freeradius/users]:103 WARNING! Changing 'Tunnel-Medium-Type =' to 'Tunnel-Medium-Type ==' for comparing RADIUS attribute in check item list for user DEFAULT
Mon Apr 11 14:24:39 2011 : Debug: Module: Checking session {...} for more modules to load
Mon Apr 11 14:24:39 2011 : Debug:  (Loaded rlm_radutmp, checking if it's valid)
Mon Apr 11 14:24:39 2011 : Debug: Module: Linked to module rlm_radutmp
Mon Apr 11 14:24:39 2011 : Debug: Module: Instantiating radutmp
Mon Apr 11 14:24:39 2011 : Debug:  radutmp {
Mon Apr 11 14:24:39 2011 : Debug: 	filename = "/var/log/freeradius/radutmp"
Mon Apr 11 14:24:39 2011 : Debug: 	username = "%{User-Name}"
Mon Apr 11 14:24:39 2011 : Debug: 	case_sensitive = yes
Mon Apr 11 14:24:39 2011 : Debug: 	check_with_nas = yes
Mon Apr 11 14:24:39 2011 : Debug: 	perm = 384
Mon Apr 11 14:24:39 2011 : Debug: 	callerid = yes
Mon Apr 11 14:24:39 2011 : Debug:  }
Mon Apr 11 14:24:39 2011 : Debug: Module: Checking post-proxy {...} for more modules to load
Mon Apr 11 14:24:39 2011 : Debug: Module: Checking post-auth {...} for more modules to load
Mon Apr 11 14:24:39 2011 : Debug:  (Loaded rlm_attr_filter, checking if it's valid)
Mon Apr 11 14:24:39 2011 : Debug: Module: Linked to module rlm_attr_filter
Mon Apr 11 14:24:39 2011 : Debug: Module: Instantiating attr_filter.access_reject
Mon Apr 11 14:24:39 2011 : Debug:  attr_filter attr_filter.access_reject {
Mon Apr 11 14:24:39 2011 : Debug: 	attrsfile = "/etc/freeradius/attrs.access_reject"
Mon Apr 11 14:24:39 2011 : Debug: 	key = "%{User-Name}"
Mon Apr 11 14:24:39 2011 : Debug:  }
Mon Apr 11 14:24:39 2011 : Debug:  } # modules
Mon Apr 11 14:24:39 2011 : Debug: } # server
Mon Apr 11 14:24:39 2011 : Debug: server {
Mon Apr 11 14:24:39 2011 : Debug:  modules {
Mon Apr 11 14:24:39 2011 : Debug: Module: Checking authenticate {...} for more modules to load
Mon Apr 11 14:24:39 2011 : Debug: Module: Checking authorize {...} for more modules to load
Mon Apr 11 14:24:39 2011 : Debug:  (Loaded rlm_preprocess, checking if it's valid)
Mon Apr 11 14:24:39 2011 : Debug: Module: Linked to module rlm_preprocess
Mon Apr 11 14:24:39 2011 : Debug: Module: Instantiating preprocess
Mon Apr 11 14:24:39 2011 : Debug:  preprocess {
Mon Apr 11 14:24:39 2011 : Debug: 	huntgroups = "/etc/freeradius/huntgroups"
Mon Apr 11 14:24:39 2011 : Debug: 	hints = "/etc/freeradius/hints"
Mon Apr 11 14:24:39 2011 : Debug: 	with_ascend_hack = no
Mon Apr 11 14:24:39 2011 : Debug: 	ascend_channels_per_line = 23
Mon Apr 11 14:24:39 2011 : Debug: 	with_ntdomain_hack = no
Mon Apr 11 14:24:39 2011 : Debug: 	with_specialix_jetstream_hack = no
Mon Apr 11 14:24:39 2011 : Debug: 	with_cisco_vsa_hack = no
Mon Apr 11 14:24:39 2011 : Debug: 	with_alvarion_vsa_hack = no
Mon Apr 11 14:24:39 2011 : Debug:  }
Mon Apr 11 14:24:39 2011 : Debug: Module: Checking preacct {...} for more modules to load
Mon Apr 11 14:24:39 2011 : Debug:  (Loaded rlm_acct_unique, checking if it's valid)
Mon Apr 11 14:24:39 2011 : Debug: Module: Linked to module rlm_acct_unique
Mon Apr 11 14:24:39 2011 : Debug: Module: Instantiating acct_unique
Mon Apr 11 14:24:39 2011 : Debug:  acct_unique {
Mon Apr 11 14:24:39 2011 : Debug: 	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Mon
Re: UTF-8 UserName permit?
On 04/11/2011 09:38 AM, ziyen wrote:
> Hi
> I want to use UserName as chinese UTF-8 characters type. is't special config? olso it permit?
> Thanks

UTF-8 is not special and does not require special config, yes it's supported. The only thing you have to do is get the UTF-8 into the data store you're using (users file, SQL, ldap, etc.). How to do that is *NOT* FreeRADIUS specific, rather it's a generic issue specific to the tools you're using to manage your data, so please do not ask how to do it here.

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: LDAP-group filter search is failing
Alex - as requested...

ldapsearch -h -x -b ou=Departments,DC=corp,DC=development,DC=com cn=wann
# extended LDIF
#
# LDAPv3
# base <ou=Departments,DC=corp,DC=development,DC=com> with scope subtree
# filter: cn=wann
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

ldapsearch -h xxx -x -b ou=Departments,DC=corp,DC=development,DC=com member=CN=RobertTest1,ou=WANN,ou=Departments,dc=corp,dc=development,dc=com
# extended LDIF
#
# LDAPv3
# base <ou=Departments,DC=corp,DC=development,DC=com> with scope subtree
# filter: member=cn=roberttest1
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Re: LDAP-group filter search is failing
I got more info with a different query...

# RobertTest1, WANN, Departments, corp.development.com
dn: CN=RobertTest1,OU=WANN,OU=Departments,DC=corp,DC=development,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: RobertTest1
givenName: RobertTest1
distinguishedName: CN=RobertTest1,OU=WANN,OU=Departments,DC=corp,DC=development,DC=com
instanceType: 4
whenCreated: 20110401191333.0Z
whenChanged: 20110405164213.0Z
displayName: RobertTest1
uSNCreated: 10906825
uSNChanged: 10913688
name: RobertTest1
objectGUID:: GsSgT0UjekqU6zZku/fn2A==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 129461649719116071
pwdLastSet: 129461588135809607
primaryGroupID: 513
objectSid:: AQUAAAUVJRdSujUPgdGF4vwq+QgAAA==
accountExpires: 9223372036854775807
logonCount: 1
sAMAccountName: RobertTest1
sAMAccountType: 805306368
userPrincipalName: robertte...@corp.development.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=development,DC=com
dSCorePropagationData: 20110405164213.0Z
dSCorePropagationData: 20110405164213.0Z
dSCorePropagationData: 20110405164213.0Z
dSCorePropagationData: 16010108151513.0Z

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
RE: MLPPP Acct-Session-Id
Thank you Arran and Alan for your feedback. I received confirmation it was not yet implemented on Cisco ASR1k.

-----Original Message-----
From: freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org On Behalf Of Arran Cudbard-Bell
Sent: Saturday, April 02, 2011 4:58 AM
To: FreeRadius users mailing list
Subject: Re: MLPPP Acct-Session-Id

On Apr 2, 2011, at 12:34 AM, Alan DeKok wrote:
> Jay Kuhne (jkuhne) wrote:
>> Forgot to mention, also attempted with Acct-Multi-Session-Id, which was in the accounting record but same result.
>
> I would say to ask the NAS manufacturer for a list of what they need in the CoA packet, but that doesn't seem to apply here.
>
> I'm not sure why CoA is so complicated. If there's an Acct-Session-Id attribute, the NAS should use that to identify a session. Pretty much every other session identification attribute can be ignored.

Some NAS manufacturers require multiple identification attributes; you really need to ask the manufacturer what attributes and values are required to identify a session. Sometimes you also need a minimum number of policy attributes in addition to the identification attributes. CoA doesn't differentiate between the two types at a packet level; it's completely implementation specific.

-Arran
Re: MS-CHAP-V2 with no retry
On 11/04/11 14:45, Phil Mayers wrote:
> I'll spin up an SSID and give it a try with real clients later today.

Regrettably I can report that this does not work with Symbian.

With send_error = no, incorrect username/password reports "EAP/PEAP authentication failed".

With send_error = yes, the client just hangs (and in fact crashed my phone several times) :o(
Help me with Access-Challenge configuration
I reviewed the RFC and FAQ, but I can't find sane info about configuring the freeRADIUS server (on Windows) to send an Access-Challenge message in response to an Access-Request.

My configuration is (users.conf):

test	Auth-Type := Local, User-Password == "test"
	Service-Type = Login-User,
	Login-IP-Host = 192.99.98.119,
	Login-Service = Telnet,
	CS_Priv_Level = 2,
	Reply-Message = "Hello, %u. Wellcome from RADIUS. You are Administrator"

For such a configuration the RADIUS server (on receiving an Access-Request) checks login + password and, if they are correct, sends the Reply-Message with the right CS_Priv_Level for the client (Access-Accept). But I need to validate one more parameter from the client and send him an Access-Challenge, and I don't know how to configure my RADIUS server to send an Access-Challenge.

Guys, please help me with the answer, or if it's possible give me some link or manual in which I can find the answer.
Re: Help me with Access-Challenge configuration
GreenUA <green_...@mail.ru> wrote:
> I reviewed RFC and FAQ, but i can't fined sane info about configuration of freeRADIUS server (on Windows) to send access-challenge message on access-request.

...because running FreeRADIUS is not a sane thing to do.

> My configuration is (users.conf):

[snipped AWOL radiusd.conf file]

> Guys pls help me with the answer or if it's possible give me some link or manual in which i can fined the answer.

The best links on FreeRADIUS can be found at:

http://wiki.freeradius.org/index.php/FAQ#Debugging_it_yourself
http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

Cheers

--
Alexander Clouter
.sigmonster says: Check your local listings.
Re: Help me with Access-Challenge configuration
On Apr 11, 2011, at 1:40 PM, Alexander Clouter wrote:
> GreenUA <green_...@mail.ru> wrote:
>> I reviewed RFC and FAQ, but i can't fined sane info about configuration of freeRADIUS server (on Windows) to send access-challenge message on access-request.
>
> ...because running FreeRADIUS is not a sane thing to do.

Shouldn't that be "running Windows is not a sane thing to do"? :P
Re: Help me with Access-Challenge configuration
Arran Cudbard-Bell <a.cudba...@gmail.com> wrote:
> On Apr 11, 2011, at 1:40 PM, Alexander Clouter wrote:
>> GreenUA <green_...@mail.ru> wrote:
>>> I reviewed RFC and FAQ, but i can't fined sane info about configuration of freeRADIUS server (on Windows) to send access-challenge message on access-request.
>>
>> ...because running FreeRADIUS is not a sane thing to do.
>
> Shouldn't that be "running Windows is not a sane thing to do"? :P

Bah, and it would have looked so awesome if I didn't screw it up.

*ahem*

...because running FreeRADIUS on Windows is not a sane thing to do.

ta da

Cheers

--
Alexander Clouter
.sigmonster says: Some restrictions may apply.
new to radius osx client 3com switch
Hello,

I have been learning about FreeRADIUS and could use some guidance. I have a FreeRADIUS server, a 3Com 5500 switch and a Mac OS X client. I set up a test machine and added a client record and shared secret. Joe User is getting his credentials from LDAP, and the machine he sent the request from is 10.5.1.8; FreeRADIUS is running on 10.5.1.101. Now I need to configure the 3Com switch and the Mac OS X client to send/accept EAP or EAP-TLS. Neither Apple nor 3Com have good setup docs, so I'm looking to the list; maybe someone has crossed this river before I build a new bridge?

Here was my auth test from the remote user:

echo "User-Name = joeuser\n User-Password = hispassword" | radclient -sx 10.5.1.101 auth Secret
Sending Access-Request of id 137 to 10.5.1.101 port 1812
	User-Name = joeuser
	User-Password = hispassword
rad_recv: Access-Accept packet from host 10.5.1.101:1812, id=137, length=20
	Total approved auths: 1
	Total denied auths: 0
	Total lost auths: 0

Mon Apr 11 20:17:42 2011 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.5.1.8 port 57337, id=254, length=51
	User-Name = joeuser
	User-Password = hispassword
Mon Apr 11 20:27:04 2011 : Info: +- entering group authorize {...}
Mon Apr 11 20:27:04 2011 : Info: ++[preprocess] returns ok
Mon Apr 11 20:27:04 2011 : Info: ++[chap] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[mschap] returns noop
Mon Apr 11 20:27:04 2011 : Info: [suffix] No '@' in User-Name = joeuser, looking up realm NULL
Mon Apr 11 20:27:04 2011 : Info: [suffix] No such realm NULL
Mon Apr 11 20:27:04 2011 : Info: ++[suffix] returns noop
Mon Apr 11 20:27:04 2011 : Info: [eap] No EAP-Message, not doing EAP
Mon Apr 11 20:27:04 2011 : Info: ++[eap] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[unix] returns updated
Mon Apr 11 20:27:04 2011 : Info: ++[files] returns noop
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: The SACL group com.apple.access_radius does not exist on this system.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: The host 10.5.1.8 does not have an access group.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: no access control groups, all users allowed.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: Setting Auth-Type = opendirectory
Mon Apr 11 20:27:04 2011 : Info: ++[opendirectory] returns ok
Mon Apr 11 20:27:04 2011 : Info: ++[expiration] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[logintime] returns noop
Mon Apr 11 20:27:04 2011 : Info: [pap] Found existing Auth-Type, not changing it.
Mon Apr 11 20:27:04 2011 : Info: ++[pap] returns noop
Mon Apr 11 20:27:04 2011 : Info: Found Auth-Type = opendirectory
Mon Apr 11 20:27:04 2011 : Info: +- entering group opendirectory {...}
Mon Apr 11 20:27:04 2011 : Info: ++[opendirectory] returns ok
Mon Apr 11 20:27:04 2011 : Auth: Login OK: [joeuser/hispassword] (from client noc port 0)
Mon Apr 11 20:27:04 2011 : Info: +- entering group post-auth {...}
Mon Apr 11 20:27:04 2011 : Info: ++[exec] returns noop
Sending Access-Accept of id 254 to 10.5.1.8 port 57337
Mon Apr 11 20:27:04 2011 : Info: Finished request 2.
Mon Apr 11 20:27:04 2011 : Debug: Going to the next request
Mon Apr 11 20:27:04 2011 : Debug: Waking up in 4.9 seconds.

Okay, so that's good. Now I assume that I can configure the switch. After following 3Com's instructions I end up with:

[5500G-EI] display dot1x int g1/0/5
 Equipment 802.1X protocol is enabled
 CHAP authentication is enabled
 DHCP-launch is disabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled
 Configuration: Transmit Period 30 s, Handshake Period 15 s
                Quiet Period 60 s, Quiet Period Timer is disabled
                Supp Timeout 30 s, Server Timeout 100 s
                The maximal retransmitting times 2
 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 1

 GigabitEthernet1/0/5 is link-up
   802.1X protocol is enabled
   Proxy trap checker is disabled
   Proxy logoff checker is disabled
   The port is a(n) an authenticator
   Authenticate Mode is Auto
   Port Control Type is Mac-based
   Max on-line user number is 256
   Authentication Success: 0, Failed: 2
   EAPOL Packets: Tx 13, Rx 12
   Sent EAP Request/Identity Packet : 5
        EAP Request/Challenge Packets: 5
   Received EAPOL Start Packets : 3
            EAPOL LogOff Packets: 0
            EAP Response/Identity Packets : 5
            EAP Response/Challenge Packets: 0
            Error Packets: 0
   1. Unauthenticated user : MAC address: 0025--
   Controlled User(s) amount to 1

[5500G-EI] disp domain
 0 Domain = nocdomain
   State = Active
   RADIUS Scheme = nocsys
   Access-limit = Disable
   Domain User Template:
   Idle-cut = Disable
   Self-service = Disable
   Messenger Time = Disable
 1 Domain = system
freeradius, how to cooperate with a wireless AP( system is linux, openwrt)
Hi,

I want to build a wireless network with a RADIUS server. The server computer is Ubuntu; the wireless router is a Linux system (OpenWrt). So I need to install something in the router; what is it? Does somebody know something about it? Please do me a favor.
Re: Help me with Access-Challenge configuration
OK guys :) Ha ha, I know about "Windows must die"... but I can't do anything about that. Give me examples for Linux... what files I need to configure, maybe I should use another Auth-Type or something else...

Thanks to Alexander Clouter for the FAQ links, but this is debugging, and it will be useful if a configuration exists and you don't know why it doesn't work.

My question was how to tell the RADIUS server to send an Access-Challenge for a client Access-Request. In my configuration RADIUS checks login and password, so it returns Access-Accept or Access-Reject.
Re: Help me with Access-Challenge configuration
GreenUA wrote:
> In my configuration RADIUS checks login and password, so it returns Access-accept or Access-reject.

That's what a RADIUS server does.

Specific authentication methods allow for Access-Challenges. If you're not using one of those methods, you won't get Access-Challenges.

You're trying to solve one problem, but not saying what it is. You've somehow convinced yourself that Access-Challenges are the solution to that problem. So you're asking questions about that instead.

What, exactly, is the problem, and why do you think Access-Challenges are the solution?

Alan DeKok.
Re: Help me with Access-Challenge configuration
> Specific authentication methods allow for Access-Challenges. If you're not using one of those methods, you won't get Access-Challenges.

What methods? How can I configure it? Maybe my post was not clear enough.

> You're trying to solve one problem, but not saying what it is. You've somehow convinced yourself that Access-Challenges are the solution to that problem. So you're asking questions about that instead.
>
> What, exactly, is the problem, and why do you think Access-Challenges are the solution?

I'm not trying to configure correct authorization via the RADIUS server; it's not my main goal. I just want to configure and send back an Access-Challenge message to the client side. I need to see how my client processes the challenge response. And I can't generate that message.
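The request/challenge/request round trip this thread is about, as an added example that is not from the thread or from FreeRADIUS: a toy RFC 2865 client and server in one file, with a constructed shared secret and a constructed two-step user table (password first, then a one-time code). It shows the two things that make a challenge usable in practice: the Response Authenticator that binds each reply to the request it answers, and the State attribute the client must echo unchanged so the server can tie the second Access-Request to the first.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used in this exchange
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SHARED_SECRET = b"testing123"              # constructed for this example only
USERS = {b"test": (b"test", b"123456")}   # constructed: name -> (password, one-time code)
PENDING = {}                               # server side: issued State -> user awaiting step 2

def encode_attrs(attrs):
    """[(type, value)] -> AVPs: type(1) length(1, includes the 2-byte header) value."""
    out = b""
    for t, v in attrs:
        if not 0 < len(v) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """AVPs -> [(type, value)]; a length that overruns the buffer is rejected."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def password_xor(data, request_auth, secret=SHARED_SECRET, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: block_i XOR MD5(secret + previous block).
    The same routine reveals a hidden password with decrypt=True (chain on ciphertext)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (block if decrypt else result)
    return out

def build_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_response(code, request, attrs, secret=SHARED_SECRET):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret=SHARED_SECRET):
    """Client check: the reply carries our ID and is bound to our Request Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)

def server_handle(request, secret=SHARED_SECRET):
    """Without State: check the password and reply Access-Challenge with a fresh State.
    With State: it must be one we issued (RFC 2865 5.24, echoed unmodified) and
    User-Password must now carry the one-time code."""
    attrs = dict(decode_attrs(request[20:]))
    user, state = attrs.get(USER_NAME), attrs.get(STATE)
    word = password_xor(attrs.get(USER_PASSWORD, b""), request[4:20], secret, True).rstrip(b"\0")
    if state is None:
        if user not in USERS or not hmac.compare_digest(word, USERS[user][0]):
            return build_response(ACCESS_REJECT, request, [], secret)
        state = os.urandom(16)
        PENDING[state] = user
        return build_response(ACCESS_CHALLENGE, request,
                              [(REPLY_MESSAGE, b"Enter one-time code"), (STATE, state)], secret)
    if PENDING.pop(state, None) != user or not hmac.compare_digest(word, USERS[user][1]):
        return build_response(ACCESS_REJECT, request, [], secret)
    return build_response(ACCESS_ACCEPT, request, [], secret)

def hide(secret_word, request_auth):
    return password_xor(secret_word + b"\0" * (-len(secret_word) % 16), request_auth)

def run_exchange(user=b"test", password=b"test", code=b"123456", tamper_state=False):
    """Client side of the two-step exchange; returns (first reply code, second reply code)."""
    ra1 = os.urandom(16)
    req1 = build_request(1, ra1, [(USER_NAME, user), (USER_PASSWORD, hide(password, ra1))])
    reply = server_handle(req1)
    if not verify_response(reply, req1):
        raise ValueError("reply not bound to our request; drop it")
    if reply[0] != ACCESS_CHALLENGE:
        return reply[0], None
    state = dict(decode_attrs(reply[20:]))[STATE]
    if tamper_state:
        state = bytes([state[0] ^ 1]) + state[1:]   # a real client must echo State unchanged
    ra2 = os.urandom(16)                            # fresh Request Authenticator every request
    req2 = build_request(2, ra2, [(USER_NAME, user), (USER_PASSWORD, hide(code, ra2)),
                                  (STATE, state)])
    final = server_handle(req2)
    if not verify_response(final, req2):
        raise ValueError("reply not bound to our request; drop it")
    return reply[0], final[0]
```

run_exchange() returns (11, 2): an Access-Challenge followed by an Access-Accept; a wrong code or a modified State yields (11, 3).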