Re: problem in assigning Tunnel-Private-Group-ID

2011-04-11 Thread syharash
Dear Alan,

Thank you so much. God bless you all, it's
working!

Regards,
Syed

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/problem-in-assigning-Tunnel-Private-Group-ID-tp4290798p4295526.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP-V2 with no retry

2011-04-11 Thread Phil Mayers

On 10/04/11 15:41, James J J Hooper wrote:



This C=random needs to be saved and eventually make its way in to
data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);


It's actually a bit more complex; the new challenge is being generated 
inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2 
needs to know it, so that it can add it to the fake request which it 
then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.


This would also get us part of the way there to password change via 
mschap (Samba currently lacks the specific API call to do this, with the 
values available in an MSCHAP CPW packet, but it might be possible to 
compile a C helper which does it...)



Freeradius proxy caching users

2011-04-11 Thread Ivan Luska
Hello, I use Freeradius as proxy server. Is it possible to cache 
authenticated users on the proxy and resend access-accept to these 
users, if home server fails?


Ivan Luska


Re: Mac Authorization

2011-04-11 Thread syharash
Joren,

This is how my policy looks. Could you please let me know what changes I
need to make to get MAC authentication working?

policy {
	#
	# Rewrite called station id attribute into a standard format.
	#
	rewrite_calling_station_id {
		if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
			update request {
				Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
			}
		}
		else {
			noop
		}
	}

	#
	#   Forbid all EAP types.
	#
	forbid_eap {
		if (EAP-Message) {
			reject
		}
	}

	#
	#   Forbid all non-EAP types outside of an EAP tunnel.
	#
	permit_only_eap {
		if (!EAP-Message) {
			#  We MAY be inside of a TTLS tunnel.
			#  PEAP and EAP-FAST require EAP inside of
			#  the tunnel, so this check is OK.
			#  If so, then there MUST be an outer EAP message.
			if (!%{outer.request:EAP-Message}) {
				reject
			}
		}
	}

	#

also my /etc/raddb/users file looks like this;

DEFAULT
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Service-Type = Framed-User,
	Fall-Through = Yes

00-1F-3C-D1-2B-6C
	User-Name = subhash,
	Cleartext-Password = sub@1979,
	Tunnel-Private-Group-ID = 17


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Mac-Authorization-tp4287256p4295664.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

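The rewrite_calling_station_id policy in the message above does one job: it takes a MAC address in whatever spelling the NAS uses (colons, dashes, or no separator at all) and rewrites it into the dashed form that the users file entry is keyed on. The Python below is an added illustration of that same normalisation, not code from the post or from FreeRADIUS; MAC_RE is the policy's own expression, while normalize_mac_upper, lookup_users_entry and the USERS_ENTRIES sample are constructed for this example.

```python
import re
from typing import Optional

# Same expression as the rewrite_calling_station_id policy: six hex-digit
# pairs, each optionally separated by '-' or ':', matched case-insensitively
# and unanchored (the policy applies =~ to the whole attribute value).
MAC_RE = re.compile(
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})",
    re.IGNORECASE,
)


def rewrite_calling_station_id(value: str) -> Optional[str]:
    """Mirror the policy: on a match return %{1}-%{2}-%{3}-%{4}-%{5}-%{6},
    otherwise None (the policy's 'else { noop }' branch).

    The captured pairs keep whatever case the NAS sent, exactly as the
    unlang policy's %{1}..%{6} do."""
    m = MAC_RE.search(value)
    if m is None:
        return None
    return "-".join(m.groups())


def normalize_mac_upper(value: str) -> Optional[str]:
    """Variant written for this example (not in the posted policy): fold to
    upper case so the result compares equal to a key written like
    00-1F-3C-D1-2B-6C regardless of how the NAS cased the address."""
    dashed = rewrite_calling_station_id(value)
    return None if dashed is None else dashed.upper()


def lookup_users_entry(calling_station_id: str, entries: dict) -> Optional[dict]:
    """Exact-string lookup of the rewritten value against a dict keyed the way
    the posted users file is keyed (the MAC is the entry name)."""
    key = rewrite_calling_station_id(calling_station_id)
    return entries.get(key) if key is not None else None


# Constructed sample mirroring the shape of the posted users entry; the
# attribute value is a placeholder for this example.
USERS_ENTRIES = {
    "00-1F-3C-D1-2B-6C": {"Tunnel-Private-Group-ID": "17"},
}

if __name__ == "__main__":
    for sample in ("00:1f:3c:d1:2b:6c", "001F3CD12B6C",
                   "00-1F-3C-D1-2B-6C", "001f.3cd1.2b6c"):
        print(sample, "->", rewrite_calling_station_id(sample),
              lookup_users_entry(sample, USERS_ENTRIES))
```

Two things the run makes visible: a dotted form such as 001f.3cd1.2b6c never matches the expression (only '-' and ':' are accepted as separators), so the policy falls through to noop and the original value reaches the users file untouched; and because the expression preserves case, 00:1f:3c:d1:2b:6c becomes 00-1f-3c-d1-2b-6c, which an exact-string comparison does not equate with 00-1F-3C-D1-2B-6C. Checking the debug output for the rewritten Calling-Station-Id value against the key in the users file is the first thing to verify when an entry like the one above is not matched.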

Re: Freeradius proxy caching users

2011-04-11 Thread Phil Mayers

On 11/04/11 11:45, Ivan Luska wrote:

Hello, I use Freeradius as proxy server. Is it possible to cache
authenticated users on the proxy and resend access-accept to these
users, if home server fails?


Probably not, but it depends.

If you're using a challenge-response auth method (EAP, for 802.1x 
wireless or wired; CHAP for VPN/dialup/ADSL) then no. It's impossible.


If you're using PAP or similar, then you could probably write a script 
to cache them, or use rlm_caching - see raddb/experimental.conf for the 
caching module definition.


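Why the challenge-response case is closed: with CHAP (RFC 1994, carried in RADIUS as CHAP-Challenge and CHAP-Password per RFC 2865) the response is MD5 over the CHAP identifier, the cleartext password and the challenge the NAS chose for that one request. Only a party holding the password can check a fresh response, and an Access-Accept the proxy saw earlier says nothing about the next challenge. The Python below is an added illustration of that point, not code from this thread or from FreeRADIUS; the function names, the password and the challenge values are constructed for the example.

```python
import hashlib
import secrets
from typing import Dict, Tuple


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 CHAP-Password value: the ident octet followed by the 16-byte digest."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, password: bytes) -> bool:
    """Home-server side: recompute the digest from the stored cleartext password."""
    if len(chap_password) != 17:
        return False
    ident, digest = chap_password[0], chap_password[1:]
    return secrets.compare_digest(digest, chap_response(ident, password, challenge))


# The only cache a proxy could build from traffic it forwarded: per user, the
# (challenge, CHAP-Password) pair the home server last accepted.
AcceptCache = Dict[str, Tuple[bytes, bytes]]


def proxy_can_answer_from_cache(cache: AcceptCache, user: str,
                                chap_password: bytes, challenge: bytes) -> bool:
    """Without the password the proxy can only compare against the exact
    (challenge, response) pair it saw before. A fresh challenge never matches."""
    entry = cache.get(user)
    return entry is not None and entry == (challenge, chap_password)


# Constructed sample values, not taken from the thread.
PASSWORD = b"correct-horse"
CHALLENGE_1 = bytes.fromhex("00112233445566778899aabbccddeeff")
CHALLENGE_2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def demo() -> Dict[str, bool]:
    # Request 1: home server reachable, verifies; the proxy records the accepted pair.
    resp1 = chap_password_attr(0x2A, PASSWORD, CHALLENGE_1)
    home_verifies = verify_chap(resp1, CHALLENGE_1, PASSWORD)
    cache: AcceptCache = {"someuser": (CHALLENGE_1, resp1)}
    # Request 2: home server down; the NAS issued a new challenge, as it must.
    resp2 = chap_password_attr(0x2B, PASSWORD, CHALLENGE_2)
    cache_answers = proxy_can_answer_from_cache(cache, "someuser", resp2, CHALLENGE_2)
    # Same challenge 2 but a wrong password: the real verifier still rejects it.
    wrong_accepted = verify_chap(chap_password_attr(0x2B, b"wrong", CHALLENGE_2),
                                 CHALLENGE_2, PASSWORD)
    return {"home_verifies": home_verifies,
            "cache_answers_new_challenge": cache_answers,
            "wrong_password_accepted": wrong_accepted}


if __name__ == "__main__":
    print(demo())
```

The PAP case Phil separates out is different precisely because the proxy then receives the password itself (obscured with the shared secret, which the proxy has), so it has something it could compare a later request against; with CHAP or EAP it only ever sees material bound to a challenge it did not choose.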

FR and AD with ntlm and Users group

2011-04-11 Thread Raheel Itrat


Hi,

I am authenticating my Cisco devices by integrating FreeRadius with Active
Directory, not using LDAP but ntlm_auth.
Now, if I make a group on my AD server, for example "Router Admins", and put some
users in it, where would I define in FreeRadius that only users from the
Router Admins group are permitted? Do I need to define it in the smb.conf?
 
BR,
Raheel 


Re: Freeradius proxy caching users

2011-04-11 Thread Alexander Clouter
Ivan Luska lu...@ics.muni.cz wrote:

 Hello, I use Freeradius as proxy server. Is it possible to cache 
 authenticated users on the proxy and resend access-accept to these 
 users, if home server fails?
 
If you look through the archives and find out how to failover to a 
virtual server to proxy through instead it is possible.  You would need 
to script up something with rlm_perl/rlm_python to build up a cache, and 
the virtual failover system would then have to query that cache.

Cheers

-- 
Alexander Clouter
.sigmonster says: Manoj I *like* the chicken



Re: Problem with EAP-TLS authentication in Freeradius 2.1.0

2011-04-11 Thread senthil kumar
Hi Alan,
Any solution or debugging tip for this problem?
Please let me know.



Regards
Senthil



On Fri, Apr 8, 2011 at 1:43 PM, senthil kumar mail...@gmail.com wrote:

 Hi Alan,
 Earlier I faced the same problem and after changing the Makefile it
 was working fine.
 Now the certificate has expired and I tried to generate a new certificate.
 The problem is I am not able to connect with the new certificate.
 So please let me know how to solve this problem.



 Regards
 Senthil

   On Fri, Apr 8, 2011 at 12:40 PM, Alan DeKok al...@deployingradius.com wrote:

 senthil kumar wrote:
 I am using Freeradius 2.1.0
 PEAP/TTLS is working fine and I am facing a problem in TLS
  authentication. I am able to generate a certificate but while connecting
  it throws an authentication error.
   Please let me know how to debug it.

  *Read* the debug log.  There's a lot of text, but looking for
 "warning" or "error" or "failure" or "reject" is simple.

  [tls] <<< TLS 1.0 Alert [length 0002], warning bad_certificate
 
  TLS Alert read:warning:bad certificate

  See?

  Alan DeKok.
-- 
Adversity always presents opportunity for Introspection

Regards
Senthil

Duplicate Accounting maybe once, twice a day

2011-04-11 Thread Marius Pesé
Hi everyone,

we are having an issue on our FreeRadius setup where our redundant servers will 
maybe once, twice a day create duplicate accounting entries.
I have switched the servers to debug for a full day and caught one of these 
incidents in the log file, see attached.

The strange thing is it only happens maybe once a day, regardless of realm or 
user, and the other couple of hundred accounting requests are fine.
Can anyone see why this particular one would bounce back and forth?

Our setup consists of two virtually identical FreeRadius2 servers, each with 
their own mySQL database, so each of them is capable of doing Auth and Acct, 
and proxies Acct to the other one.
Also I changed the acct_update_alt query to write to a failover table since I 
thought this was the alt query being triggered, but this does not make a 
difference. Still duplicates in radacct table.

Thanks!
Marius

__
Marius Pesé
Senior Software Developer
B.Sc. Computer Science
http://www.mindspring.co.za/
Mindspring Computing
Unit 5, Doncaster Office Park
Punters Way, Kenilworth
Cape Town, South Africa
P O Box 46926
Glosderry 7702
Phone: +27 21 657 1780  Fax: +27 21 671 7599
Cell: 072 100 70 73
E-mail: mar...@mindspring.co.za

rad_recv: Accounting-Request packet from host 196.43.1.87 port 1820, id=1, 
length=261
Acct-Session-Id = 3/0/0/5.159_00A0493F
Framed-Protocol = PPP
Framed-IP-Address = 41.144.110.38
User-Name = aba...@msp.co.za
X-Ascend-Connect-Progress = LAN-Session-Up
X-Ascend-PreSession-Time = 3
X-Ascend-Xmit-Rate = 4096000
X-Ascend-Data-Rate = 4096000
Acct-Session-Time = 3404
Acct-Input-Octets = 970
Acct-Output-Octets = 994
X-Ascend-Pre-Input-Octets = 86
X-Ascend-Pre-Output-Octets = 91
Acct-Input-Packets = 62
Acct-Output-Packets = 62
X-Ascend-Pre-Input-Packets = 5
X-Ascend-Pre-Output-Packets = 6
Acct-Authentic = RADIUS
Acct-Status-Type = Interim-Update
NAS-Port-Type = Virtual
NAS-Port = 805634207
NAS-Port-Id = 3/0/0/5.159
Connect-Info = AutoShapedVC
Calling-Station-Id = 0182932392
Class = NL1
Service-Type = Framed-User
NAS-IP-Address = 196.43.27.100
X-Ascend-Session-Svr-Key = 01FB51D4
Acct-Delay-Time = 5
Telkom-Access-Type = DSL
Proxy-State = 0x3436
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 805634207,Client-IP-Address = 
196.43.1.87,NAS-IP-Address = 196.43.27.100,Acct-Session-Id = 
3/0/0/5.159_00A0493F,User-Name = aba...@msp.co.za'
[acct_unique] Acct-Unique-Session-ID = bf140131ce2e1d1f.
++[acct_unique] returns ok
[suffix] Looking up realm msp.co.za for User-Name = aba...@msp.co.za
[suffix] Found realm msp.co.za
[suffix] Adding Stripped-User-Name = abacus
[suffix] Adding Realm = msp.co.za
[suffix] Proxying request from user abacus to realm msp.co.za
[suffix] Preparing to proxy accounting request to realm msp.co.za 
++[suffix] returns updated
++[files] returns noop
+- entering group accounting {...}
[radutmp] 	expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] 	expand: %{User-Name} -> aba...@msp.co.za
++[radutmp] returns ok
[sql] 	expand: %{User-Name} -> aba...@msp.co.za
[sql] sql_set_user escaped user --> 'aba...@msp.co.za'
[sql] 	expand: %{Acct-Input-Gigawords} -> 
[sql] 	... expanding second conditional
[sql] 	expand: %{Acct-Input-Octets} -> 970
[sql] 	expand: %{Acct-Output-Gigawords} -> 
[sql] 	... expanding second conditional
[sql] 	expand: %{Acct-Output-Octets} -> 994
[sql] 	expand: UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET framedipaddress = '41.144.110.38', acctsessiontime = '3404', acctinputoctets = '0' << 32 | '970', acctoutputoctets = '0' << 32 | '994' WHERE acctsessionid = '3/0/0/5.159_00A0493F' AND username = 'aba...@msp.co.za
rlm_sql (sql): xlat failed.
rlm_sql (sql): Reserving sql socket id: 5
rlm_sql_mysql: query: UPDATE radacct SET 
framedipaddress = 

UTF-8 UserName permit?

2011-04-11 Thread ziyen
Hi
I want to use UserName with Chinese UTF-8 characters.
Is a special config needed? Also, is it permitted?

Thanks

Re: MS-CHAP-V2 with no retry

2011-04-11 Thread Phil Mayers

On 11/04/11 11:22, Phil Mayers wrote:

On 10/04/11 15:41, James J J Hooper wrote:



This C=random needs to be saved and eventually make its way in to
data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);


It's actually a bit more complex; the new challenge is being generated
inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2
needs to know it, so that it can add it to the fake request which it
then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.

This would also get us part of the way there to password change via
mschap (Samba currently lacks the specific API call to do this, with the
values available in an MSCHAP CPW packet, but it might be possible to
compile a C helper which does it...)



The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry 
work for me.


It needs a bit of work, specifically there should be a:

 num_retries

...parameter, and the EAP module should keep track of retry attempt 
counts, and stop when either:


 try_number > num_retries

 or

 R=0 in the MS-CHAP-Error attribute

Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure 
it should go into 2.1.11 - there's probably not enough testing time.


It works for a Windows XP SP3 client here, as well as with a jury-rigged 
eapol_test/wpa_cli combo.


I'll spin up an SSID and give it a try with real clients later today.

Of note: this gets us nearer to MS-CHAP change-password functionality; 
I've looked into this a couple of times recently and Samba has almost 
all the bits required to make it work... However, that would require 
some infrastructure for the server to override the MS-CHAP error code, 
currently hard-coded at 691 - 648 is "password expired" and would need 
to be set, either by parsing the output of ntlm_auth (for those that use 
it) or from some SQL/database attribute (for those using 
Cleartext/NT-Password)


retry.patch.gz
Description: GNU Zip compressed data

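Phil's sketch above (a num_retries parameter, stop when try_number > num_retries or when the MS-CHAP-Error carries R=0, and hand the new C= challenge back for the next attempt) can be written down as a small state machine. The Python below is an added illustration, not Phil's patch and not FreeRADIUS code: it parses the MS-CHAP-Error string in the form defined by RFC 2759 section 6 and carried in RADIUS per RFC 2548 (one Ident octet, then the text), and applies his stopping rule. num_retries is his name; RetryState, the function names and the sample attribute values are constructed for this example.

```python
import re
from typing import NamedTuple, Optional

# RFC 2759 section 6 failure text, carried in the RADIUS MS-CHAP-Error
# attribute (RFC 2548) behind a single Ident octet:
#   E=eeeeeeeeee R=r C=<hex challenge> V=vvvvvvvvvv M=<msg>
# C= is 32 hex digits for MS-CHAPv2 (16 for MS-CHAPv1, accepted as well).
MSCHAP_ERROR_RE = re.compile(
    r"E=(?P<code>\d+) R=(?P<retry>[01]) "
    r"C=(?P<challenge>[0-9A-Fa-f]{32}|[0-9A-Fa-f]{16}) "
    r"V=(?P<version>\d+)(?: M=(?P<message>.*))?"
)

ERROR_AUTHENTICATION_FAILURE = 691   # the code Phil notes is currently hard-coded
ERROR_PASSWD_EXPIRED = 648           # the code he says would need to be set instead


class MsChapError(NamedTuple):
    code: int
    retry_allowed: bool
    new_challenge: bytes
    version: int
    message: str


def parse_mschap_error_attr(attr: bytes) -> Optional[MsChapError]:
    """Parse an MS-CHAP-Error attribute value; None if it is not well-formed."""
    if len(attr) < 2:
        return None
    text = attr[1:].decode("ascii", errors="replace")   # attr[0] is the Ident octet
    m = MSCHAP_ERROR_RE.match(text)
    if m is None:
        return None
    return MsChapError(
        code=int(m.group("code")),
        retry_allowed=m.group("retry") == "1",
        new_challenge=bytes.fromhex(m.group("challenge")),
        version=int(m.group("version")),
        message=m.group("message") or "",
    )


def should_retry(err: MsChapError, try_number: int, num_retries: int) -> bool:
    """Phil's stopping rule: stop when try_number > num_retries or R=0."""
    return err.retry_allowed and try_number <= num_retries


class RetryState:
    """Per-conversation bookkeeping the EAP module would keep (hypothetical
    class written for this example)."""

    def __init__(self, num_retries: int) -> None:
        self.num_retries = num_retries
        self.try_number = 0
        self.challenge: Optional[bytes] = None

    def on_failure(self, attr: bytes) -> Optional[bytes]:
        """Consume one MS-CHAP-Error. Returns the new C= challenge that must be
        passed back as MS-CHAP-Challenge for the next attempt, or None when
        the exchange should end in a failure."""
        err = parse_mschap_error_attr(attr)
        if err is None:
            return None
        self.try_number += 1
        if not should_retry(err, self.try_number, self.num_retries):
            self.challenge = None
            return None
        self.challenge = err.new_challenge
        return self.challenge


# Constructed sample attribute values (Ident octet followed by the text).
SAMPLE_RETRY = bytes([0x03]) + b"E=691 R=1 C=0123456789ABCDEF0123456789ABCDEF V=3 M=Authentication failed"
SAMPLE_EXPIRED = bytes([0x04]) + b"E=648 R=0 C=FEDCBA9876543210FEDCBA9876543210 V=3 M=Password expired"

if __name__ == "__main__":
    state = RetryState(num_retries=2)
    for attempt, attr in enumerate((SAMPLE_RETRY, SAMPLE_RETRY, SAMPLE_RETRY), start=1):
        nxt = state.on_failure(attr)
        print(f"failure {attempt}: next challenge =", nxt.hex() if nxt else None)
    print("expired:", RetryState(num_retries=2).on_failure(SAMPLE_EXPIRED))
```

With num_retries=2 the third failure ends the conversation even though the error still says R=1, and an E=648 R=0 error ends it immediately; the challenge returned from each retried failure is the value that rlm_eap_mschapv2 would have to carry into the fake request, which is the plumbing Phil describes as missing.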
unable to authenticate freeradius+AD

2011-04-11 Thread Yao Konou
Hi all,

I need your help to fix a problem in an AD configuration with Freeradius.
My platform: Freeradius + Samba + AD (Windows 2003).
The problem: unable to authenticate AD users.
This is the debug output of the authentication of an AD user on the server.

Regards.


Yao Thierry Konou
AMR SERVICES
11 Rue du Petit Châtelier CS90346
44303 NANTES CEDEX 3
Tel : 02 28 44 19 80 - Fax : 02 28 44 53 88
Site: http://www.amr-services.fr/


Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_realm, checking if it's valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_realm
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating suffix
Mon Apr 11 14:24:39 2011 : Debug:   realm suffix {
Mon Apr 11 14:24:39 2011 : Debug:   format = suffix
Mon Apr 11 14:24:39 2011 : Debug:   delimiter = @
Mon Apr 11 14:24:39 2011 : Debug:   ignore_default = no
Mon Apr 11 14:24:39 2011 : Debug:   ignore_null = no
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_files, checking if it's valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_files
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating files
Mon Apr 11 14:24:39 2011 : Debug:   files {
Mon Apr 11 14:24:39 2011 : Debug:   usersfile = /etc/freeradius/users
Mon Apr 11 14:24:39 2011 : Debug:   acctusersfile = 
/etc/freeradius/acct_users
Mon Apr 11 14:24:39 2011 : Debug:   preproxy_usersfile = 
/etc/freeradius/preproxy_users
Mon Apr 11 14:24:39 2011 : Debug:   compat = no
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug: [/etc/freeradius/users]:103 WARNING! Changing 
'Tunnel-Medium-Type =' to 'Tunnel-Medium-Type =='   for comparing RADIUS 
attribute in check item list for user DEFAULT
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking session {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_radutmp, checking if it's 
valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_radutmp
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating radutmp
Mon Apr 11 14:24:39 2011 : Debug:   radutmp {
Mon Apr 11 14:24:39 2011 : Debug:   filename = /var/log/freeradius/radutmp
Mon Apr 11 14:24:39 2011 : Debug:   username = %{User-Name}
Mon Apr 11 14:24:39 2011 : Debug:   case_sensitive = yes
Mon Apr 11 14:24:39 2011 : Debug:   check_with_nas = yes
Mon Apr 11 14:24:39 2011 : Debug:   perm = 384
Mon Apr 11 14:24:39 2011 : Debug:   callerid = yes
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking post-proxy {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking post-auth {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_attr_filter, checking if it's 
valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_attr_filter
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating 
attr_filter.access_reject
Mon Apr 11 14:24:39 2011 : Debug:   attr_filter attr_filter.access_reject {
Mon Apr 11 14:24:39 2011 : Debug:   attrsfile = 
/etc/freeradius/attrs.access_reject
Mon Apr 11 14:24:39 2011 : Debug:   key = %{User-Name}
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug:  } # modules
Mon Apr 11 14:24:39 2011 : Debug: } # server
Mon Apr 11 14:24:39 2011 : Debug: server {
Mon Apr 11 14:24:39 2011 : Debug:  modules {
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking authenticate {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking authorize {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_preprocess, checking if it's 
valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_preprocess
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating preprocess
Mon Apr 11 14:24:39 2011 : Debug:   preprocess {
Mon Apr 11 14:24:39 2011 : Debug:   huntgroups = 
/etc/freeradius/huntgroups
Mon Apr 11 14:24:39 2011 : Debug:   hints = /etc/freeradius/hints
Mon Apr 11 14:24:39 2011 : Debug:   with_ascend_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   ascend_channels_per_line = 23
Mon Apr 11 14:24:39 2011 : Debug:   with_ntdomain_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   with_specialix_jetstream_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   with_cisco_vsa_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   with_alvarion_vsa_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking preacct {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_acct_unique, checking if it's 
valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_acct_unique
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating acct_unique
Mon Apr 11 14:24:39 2011 : Debug:   acct_unique {
Mon Apr 11 14:24:39 2011 : Debug:   key = User-Name, Acct-Session-Id, 
NAS-IP-Address, Client-IP-Address, NAS-Port
Mon 

Re: UTF-8 UserName permit?

2011-04-11 Thread John Dennis

On 04/11/2011 09:38 AM, ziyen wrote:

Hi
I want to use UserName with Chinese UTF-8 characters.
Is a special config needed? Also, is it permitted?
Thanks


UTF-8 is not special and does not require special config, yes it's 
supported.


The only thing you have to do is get the UTF-8 into the data store 
you're using (users file, SQL, ldap, etc.). How to do that is *NOT* 
FreeRADIUS specific, rather it's a generic issue specific to the tools 
you're using to manage your data so please do not ask how to do it here.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: LDAP-group filter search is failing

2011-04-11 Thread joezamosc
Alex - as requested...




ldapsearch -h  -x -b ou=Departments,DC=corp,DC=development,DC=com
cn=wann

# extended LDIF
#
# LDAPv3
# base <ou=Departments,DC=corp,DC=development,DC=com> with scope subtree
# filter: cn=wann
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


ldapsearch -h xxx -x -b  ou=Departments,DC=corp,DC=development,DC=com
member=CN=RobertTest1,ou=WANN,ou=Departments,dc=corp,dc=development,dc=com

# extended LDIF
#
# LDAPv3
# base <ou=Departments,DC=corp,DC=development,DC=com> with scope subtree
# filter: member=cn=roberttest1
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/LDAP-group-filter-search-is-failing-tp4289457p4296096.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: LDAP-group filter search is failing

2011-04-11 Thread joezamosc
I got more info with a different query...



# RobertTest1, WANN, Departments, corp.development.com
dn: CN=RobertTest1,OU=WANN,OU=Departments,DC=corp,DC=development,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: RobertTest1
givenName: RobertTest1
distinguishedName:
CN=RobertTest1,OU=WANN,OU=Departments,DC=corp,DC=development,DC=com
instanceType: 4
whenCreated: 20110401191333.0Z
whenChanged: 20110405164213.0Z
displayName: RobertTest1
uSNCreated: 10906825
uSNChanged: 10913688
name: RobertTest1
objectGUID:: GsSgT0UjekqU6zZku/fn2A==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 129461649719116071
pwdLastSet: 129461588135809607
primaryGroupID: 513
objectSid:: AQUAAAUVJRdSujUPgdGF4vwq+QgAAA==
accountExpires: 9223372036854775807
logonCount: 1
sAMAccountName: RobertTest1
sAMAccountType: 805306368
userPrincipalName: robertte...@corp.development.com
objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=development,DC=com
dSCorePropagationData: 20110405164213.0Z
dSCorePropagationData: 20110405164213.0Z
dSCorePropagationData: 20110405164213.0Z
dSCorePropagationData: 16010108151513.0Z

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/LDAP-group-filter-search-is-failing-tp4289457p4296140.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


RE: MLPPP Acct-Session-Id

2011-04-11 Thread Jay Kuhne (jkuhne)
Thank you Arran and Alan for your feedback.
I received confirmation it was not yet implemented on Cisco ASR1k.

-Original Message-
From: freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org
[mailto:freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org]
On Behalf Of Arran Cudbard-Bell
Sent: Saturday, April 02, 2011 4:58 AM
To: FreeRadius users mailing list
Subject: Re: MLPPP Acct-Session-Id


On Apr 2, 2011, at 12:34 AM, Alan DeKok wrote:

 Jay Kuhne (jkuhne) wrote:
 Forgot to mention, also attempted with Acct-Multi-Session-Id, which
was in the accounting record but same result.
 
  I would say to ask the NAS manufacturer for a list of what they need 
 in the CoA packet, but that doesn't seem to apply here.
 
  I'm not sure why CoA is so complicated.  If there's an 
 Acct-Session-Id attribute, the NAS should use that to identify a 
 session.  Pretty much every other session identification attribute
can be ignored.
 

Some NAS manufacturers require multiple identification attributes; you
really need to ask the manufacturer what attributes and values are
required to identify a session. Sometimes you also need a minimum number
of policy attributes in addition to the identification attributes. CoA
doesn't differentiate between the two types at a packet level; it's
completely implementation specific.

-Arran


Re: MS-CHAP-V2 with no retry

2011-04-11 Thread Phil Mayers

On 11/04/11 14:45, Phil Mayers wrote:



I'll spin up an SSID and give it a try with real clients later today.


Regrettably I can report that this does not work with Symbian.

With send_error = no, incorrect username/password reports "EAP/PEAP 
authentication failed"


With send_error = yes, the client just hangs (and in fact crashed my 
phone several times)


:o(


Help me with Access-Challenge configuration

2011-04-11 Thread GreenUA
I reviewed the RFC and FAQ, but I can't find sane info about configuring a
freeRADIUS server (on Windows) to send an access-challenge message on an
access-request.

My configuration is (users.conf):

test	Auth-Type := Local, User-Password == test
	Service-Type = Login-User,
	Login-IP-Host = 192.99.98.119,
	Login-Service = Telnet,
	CS_Priv_Level = 2,
	Reply-Message = "Hello, %u. Wellcome from RADIUS. You are Administrator"


For such a configuration the RADIUS server (receiving an access-request) checks
login + pass and if they are correct sends Reply-Message with the right
CS_Priv_Level for the client (access-accept).
But I need to validate one more parameter from the client and send him an
access-challenge, and I don't know how to configure my RADIUS server to send
Access-Challenge.
Guys, please help me with the answer, or if possible give me some link or
manual in which I can find the answer.


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Help-me-with-Access-Challenge-configuration-tp4296727p4296727.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Help me with Access-Challenge configuration

2011-04-11 Thread Alexander Clouter
GreenUA green_...@mail.ru wrote:

 I reviewed the RFC and FAQ, but I can't find sane info about 
 configuration of freeRADIUS server (on Windows) to send 
 access-challenge message on access-request.

...because running FreeRADIUS is not a sane thing to do.
 
 My configuration is (users.conf):

 [snipped AWOL radiusd.conf file]
 
 Guys pls help me with the answer or if it's possible give me some link 
 or manual in which i can fined the answer.

The best links on FreeRADIUS can be found at:

http://wiki.freeradius.org/index.php/FAQ#Debugging_it_yourself
http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

Cheers

-- 
Alexander Clouter
.sigmonster says: Check your local listings.



Re: Help me with Access-Challenge configuration

2011-04-11 Thread Arran Cudbard-Bell

On Apr 11, 2011, at 1:40 PM, Alexander Clouter wrote:

 GreenUA green_...@mail.ru wrote:
 
 I reviewed the RFC and FAQ, but I can't find sane info about 
 configuration of freeRADIUS server (on Windows) to send 
 access-challenge message on access-request.
 
 ...because running FreeRADIUS is not a sane thing to do.

Shouldn't that be running Windows is not a sane thing to do? :P



Re: Help me with Access-Challenge configuration

2011-04-11 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@gmail.com wrote:

 On Apr 11, 2011, at 1:40 PM, Alexander Clouter wrote:
 
 GreenUA green_...@mail.ru wrote:
 
 I reviewed the RFC and FAQ, but I can't find sane info about 
 configuration of freeRADIUS server (on Windows) to send 
 access-challenge message on access-request.
 
 ...because running FreeRADIUS is not a sane thing to do.
 
 Shouldn't that be running Windows is not a sane thing to do? :P
 
Bah, and it would have looked so awesome if I didn't screw it up.

*ahem*

...because running FreeRADIUS on Windows is not a sane thing to do.

ta da

Cheers

-- 
Alexander Clouter
.sigmonster says: Some restrictions may apply.



new to radius osx client 3com switch

2011-04-11 Thread jeffrey j donovan
hello

I have been learning about freeradius and could use some guidance. I have a 
freeradius server, a 3Com 5500 switch and a Mac OS X client.

I set up a test machine and added a client record and shared secret. Joe User is 
getting his credentials from LDAP, and the machine he sent the request on is 
10.5.1.8; freeradius is running on 10.5.1.101. 

Now I need to configure a 3Com switch and a Mac OS X client to send/accept EAP or 
EAP-TLS. Neither Apple nor 3Com have good setup docs, so I'm looking to the list; 
maybe someone has crossed this river before I build a new bridge?

here was my auth test from remote user;

echo "User-Name = joeuser\n User-Password = hispassword" | radclient -sx 
10.5.1.101 auth Secret

Sending Access-Request of id 137 to 10.5.1.101 port 1812
User-Name = joeuser
User-Password = hispassword
rad_recv: Access-Accept packet from host 10.5.1.101:1812, id=137, length=20

   Total approved auths:  1
 Total denied auths:  0
   Total lost auths:  0


Mon Apr 11 20:17:42 2011 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.5.1.8 port 57337, id=254, length=51
User-Name = joeuser
User-Password = hispassword
Mon Apr 11 20:27:04 2011 : Info: +- entering group authorize {...}
Mon Apr 11 20:27:04 2011 : Info: ++[preprocess] returns ok
Mon Apr 11 20:27:04 2011 : Info: ++[chap] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[mschap] returns noop
Mon Apr 11 20:27:04 2011 : Info: [suffix] No '@' in User-Name = joeuser, 
looking up realm NULL
Mon Apr 11 20:27:04 2011 : Info: [suffix] No such realm NULL
Mon Apr 11 20:27:04 2011 : Info: ++[suffix] returns noop
Mon Apr 11 20:27:04 2011 : Info: [eap] No EAP-Message, not doing EAP
Mon Apr 11 20:27:04 2011 : Info: ++[eap] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[unix] returns updated
Mon Apr 11 20:27:04 2011 : Info: ++[files] returns noop
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: The SACL group 
com.apple.access_radius does not exist on this system.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: The host 10.5.1.8 does not 
have an access group.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: no access control groups, 
all users allowed.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: Setting Auth-Type = 
opendirectory
Mon Apr 11 20:27:04 2011 : Info: ++[opendirectory] returns ok
Mon Apr 11 20:27:04 2011 : Info: ++[expiration] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[logintime] returns noop
Mon Apr 11 20:27:04 2011 : Info: [pap] Found existing Auth-Type, not changing 
it.
Mon Apr 11 20:27:04 2011 : Info: ++[pap] returns noop
Mon Apr 11 20:27:04 2011 : Info: Found Auth-Type = opendirectory
Mon Apr 11 20:27:04 2011 : Info: +- entering group opendirectory {...}
Mon Apr 11 20:27:04 2011 : Info: ++[opendirectory] returns ok
Mon Apr 11 20:27:04 2011 : Auth: Login OK: [joeuser/hispassword] (from client 
noc port 0)
Mon Apr 11 20:27:04 2011 : Info: +- entering group post-auth {...}
Mon Apr 11 20:27:04 2011 : Info: ++[exec] returns noop
Sending Access-Accept of id 254 to 10.5.1.8 port 57337
Mon Apr 11 20:27:04 2011 : Info: Finished request 2.
Mon Apr 11 20:27:04 2011 : Debug: Going to the next request
Mon Apr 11 20:27:04 2011 : Debug: Waking up in 4.9 seconds.


Okay, so that's good. Now I assume that I can configure the switch; after 
following 3Com's instructions I end up with
5500G-EI]display dot1x int g1/0/5
 Equipment 802.1X protocol is enabled
 CHAP authentication is enabled
 DHCP-launch is disabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled

 Configuration: Transmit Period 30 s,  Handshake Period   15 s
Quiet Period60 s,  Quiet Period Timer is disabled
Supp Timeout30 s,  Server Timeout 100 s
The maximal retransmitting times  2

 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 1

 GigabitEthernet1/0/5  is link-up
   802.1X protocol is enabled
   Proxy trap checker is disabled
   Proxy logoff checker is disabled
   The port is a(n) an authenticator
   Authenticate Mode is Auto
   Port Control Type is Mac-based
   Max on-line user number is 256
  
   Authentication Success: 0, Failed: 2 
   EAPOL Packets: Tx 13, Rx 12 
   Sent EAP Request/Identity Packet : 5 
EAP Request/Challenge Packets: 5 
   Received EAPOL Start Packets : 3 
EAPOL LogOff Packets: 0 
EAP Response/Identity Packets : 5 
EAP Response/Challenge Packets: 0 
Error Packets: 0 
 1. Unauthenticated user : MAC address: 0025-- 

   Controlled User(s) amount to 1
[5500G-EI]  disp domain
0  Domain = nocdomain
   State = Active
   RADIUS Scheme = nocsys  Access-limit = Disable 
   Domain User Template: 
   Idle-cut = Disable
   Self-service = Disable
   Messenger Time = Disable

1  Domain = system 

freeradius, how to cooperate with a wireless AP( system is linux, openwrt)

2011-04-11 Thread xuyu
Hi, I want to build a wireless network with a RADIUS server. The server computer
is Ubuntu, the wireless router is a Linux system (OpenWrt). So I need to install
something in the router; what is it?
Does somebody know something about it? Please do me a favor.

Re: Help me with Access-Challenge configuration

2011-04-11 Thread GreenUA
OK guys ) 
Ha ha, I know about "Windows must die"... but I can't do anything about that.
Give me examples for Linux... what files I need to configure,
maybe I should use another Auth-Type or something else...

Thanks to Alexander Clouter for the FAQ links, but this is debugging and it will
be useful if the configuration exists and you don't know why it doesn't work. 
My question was how to tell the RADIUS server to send an Access-Challenge for a
client Access-Request.

In my configuration RADIUS checks login and password, so it returns
Access-Accept or Access-Reject.



--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Help-me-with-Access-Challenge-configuration-tp4296727p4297438.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Help me with Access-Challenge configuration

2011-04-11 Thread Alan DeKok
GreenUA wrote:
 In my configuration RADIUS checks login and password, so it returns
 Access-accept or Access-reject.

  That's what a RADIUS server does.

  Specific authentication methods allow for Access-Challenges.  If
you're not using one of those methods, you won't get Access-Challenges.

  You're trying to solve one problem, but not saying what it is.  You've
somehow convinced yourself that Access-Challenges are the solution to
that problem. So you're asking questions about that instead.

  What, exactly, is the problem, and why do you think Access-Challenges
are the solution?

  Alan DeKok.


Re: Help me with Access-Challenge configuration

2011-04-11 Thread GreenUA
Specific authentication methods allow for Access-Challenges.  If 
you're not using one of those methods, you won't get Access-Challenges.

What methods? How can I configure it? 

Maybe my post was not clear enough.


You're trying to solve one problem, but not saying what it is.  You've 
somehow convinced yourself that Access-Challenges are the solution to 
that problem. So you're asking questions about that instead. 

  What, exactly, is the problem, and why do you think Access-Challenges 
are the solution? 

I'm not trying to configure correct authorization via the RADIUS server; it's not
my main goal.
I just want to configure and send back an Access-Challenge message to the
client side.
I need to see how my client processes the challenge response, and I can't generate
that message.



--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Help-me-with-Access-Challenge-configuration-tp4296727p4297457.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.