Re: Help me with Access-Challenge configuration
GreenUA wrote:
> What methods? How can I configure it?

If you don't know, you don't need Access-Challenges.

> I need to see how my client processes a challenge response. And I can't generate that message.

If you're debugging a RADIUS client you wrote, then this isn't a FreeRADIUS question. As a hint: people who don't understand the RADIUS protocol shouldn't write RADIUS clients.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help me with Access-Challenge configuration
To Alan DeKok-2

Sorry for my maybe inconsistent question. I'll try to explain:

1.
> If you're debugging a RADIUS client you wrote, then this isn't a FreeRADIUS question.

It's a freeRADIUS question because I need to configure the freeRADIUS server.

2.
>> What methods? How can I configure it?
> If you don't know, you don't need Access-Challenges.

If I don't know how to configure it, I don't need it? In that case, why are you replying to mails from this forum? I want to configure it, and I don't know how, that's why I posted my question here.

FROM RFC:

    If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an Access-Challenge response. It MAY include a text message to be displayed by the client to the user prompting for a response to the challenge, and MAY include a State attribute.

But there is nothing about: what conditions, server wishes, etc.

3.
> As a hint: people who don't understand the RADIUS protocol shouldn't write RADIUS clients.

Again, sorry if my question is not correct, and don't worry, I'm not writing a RADIUS client.

My simple question: How to configure freeRADIUS server so it replies with an access-challenge message on access-request from a client?

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Help-me-with-Access-Challenge-configuration-tp4296727p4297493.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Help me with Access-Challenge configuration
GreenUA wrote:
>> 1. If you're debugging a RADIUS client you wrote, then this isn't a FreeRADIUS question.
> It's a freeRADIUS question because I need to configure the freeRADIUS server.

If you know so much more than we do, why are you asking questions on this list?

>> 2. What methods? How can I configure it? If you don't know, you don't need Access-Challenges.
> If I don't know how to configure it, I don't need it? In that case, why are you replying to mails from this forum?

Yes. You *don't* configure it. If the authentication method requires Access-Challenge, then the Access-Challenge is automatically generated. If Access-Challenge is not automatically generated, then you don't need it.

> Again, sorry if my question is not correct, and don't worry, I'm not writing a RADIUS client.

Well, you said you were.

> My simple question: How to configure freeRADIUS server so it replies with an access-challenge message on access-request from a client?

My answer (again) is you don't. If you keep asking the question, then it's clear you don't understand the answer.

Alan DeKok.
Re: Help me with Access-Challenge configuration
Hi,

> My simple question: How to configure freeRADIUS server so it replies with an access-challenge message on access-request from a client?

Alan's problem with this simple question of yours is that it's not just simple, but simplistic. RADIUS can convey *many different* authentication protocols which are all using an Access-Challenge to send challenge data back. The content of the Access-Challenge, and the configuration needed for that specific Access-Challenge, is significantly different. The fact that you ask the question like you did is a strong indication that you don't know about this fact.

Please ask a question like

How to configure freeRADIUS server so it replies with a CHAP access-challenge message on access-request from a client?
How to configure freeRADIUS server so it replies with a MS-CHAP access-challenge message on access-request from a client?
How to configure freeRADIUS server so it replies with a MS-CHAPv2 access-challenge message on access-request from a client?
How to configure freeRADIUS server so it replies with a EAP-TLS access-challenge message on access-request from a client?
How to configure freeRADIUS server so it replies with a EAP-TTLS access-challenge message on access-request from a client?
How to configure freeRADIUS server so it replies with a PEAP access-challenge message on access-request from a client?

See? You need to be more specific in your question before anyone here can give you an answer.

Or better yet, read up on RADIUS, and/or EAP methods, and *then* ask a well-informed question.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
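Added example, not part of any message in this thread and not FreeRADIUS code: a Python illustration of what the RFC text quoted in the thread looks like on the wire, an Access-Challenge (code 11) carrying Reply-Message and State, together with the checks a client runs before acting on it. The function names, the shared secret and the sample values are constructed for illustration; the packet layout and the Response Authenticator calculation follow RFC 2865.

```python
"""RFC 2865 Access-Challenge: build one, then validate it as a client would."""
import hashlib
import hmac
import struct

ACCESS_CHALLENGE = 11  # RFC 2865 packet code
USER_NAME, REPLY_MESSAGE, STATE, EAP_MESSAGE = 1, 18, 24, 79


def encode_attrs(attrs):
    """Serialise (type, value) pairs as Type | Length | Value."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def decode_attrs(data):
    """Parse the attribute list, rejecting lengths that run past the packet."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_challenge(ident, request_auth, attrs, secret):
    """Server side: Response Authenticator is
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_challenge(packet, request_id, request_auth, secret):
    """Client side: accept the challenge only if it answers our request
    and was produced by a holder of the shared secret."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    packet = packet[:length]  # octets beyond Length are padding
    if code != ACCESS_CHALLENGE or ident != request_id:
        raise ValueError("not the Access-Challenge for this request")
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs = decode_attrs(packet[20:])
    states = [v for t, v in attrs if t == STATE]
    if len(states) > 1:
        raise ValueError("more than one State attribute")
    prompt = b"".join(v for t, v in attrs if t == REPLY_MESSAGE)
    return {
        "prompt": prompt.decode("utf-8", "replace"),  # text shown to the user
        "state": states[0] if states else None,       # opaque to the client
        "eap": b"".join(v for t, v in attrs if t == EAP_MESSAGE),
    }


def next_request_attrs(user_name, challenge):
    """Attributes the follow-up Access-Request starts from: State is echoed
    back unmodified. The user's answer to the challenge is added by whichever
    authentication method is in use and is not modelled here."""
    attrs = [(USER_NAME, user_name)]
    if challenge["state"] is not None:
        attrs.append((STATE, challenge["state"]))
    return attrs


if __name__ == "__main__":
    secret = b"constructed-secret"   # constructed sample value
    request_auth = bytes(range(16))  # constructed Request Authenticator
    packet = build_challenge(
        7, request_auth,
        [(REPLY_MESSAGE, b"Enter token code: "), (STATE, b"\x01\x02opaque")],
        secret)
    info = parse_challenge(packet, 7, request_auth, secret)
    print(info)
    print(next_request_attrs(b"alice", info))
```
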
Re: Help me with Access-Challenge configuration
To Stefan Winter-4,

Thanks a lot, now I understand how to configure my configuration. It's what I needed to hear!

Have a nice day!
Re: freeradius, how to cooperate with a wireless AP( system is linux, openwrt)
On 12/04/2554 12:20, xuyu wrote:
> Hi, I want to build a wireless network with radius server. Server computer is ubuntu, wireless router is a linux system (openwrt). So I need to install something in the router. So what is it? Can somebody know something about it? Please do me a favor.

coova-chilli can be the portal for you.
Re: MS-CHAP-V2 with no retry
Phil Mayers wrote:
> With send_error = yes, the client just hangs (and in fact crashed my phone several times)

Nice to know!

Alan DeKok.
Re: EAP-TLS + Symbian = weird behaviour
Some additional details: the same behaviour with a different AP.

I use APs mostly under OpenWRT, but now have tried a Linksys WAP54G which was working at the place where no problem was found, and now there is no way to authorize via it ...

Any idea?

--
Zeus V. Panchenko
IT Dpt., IBS ltd
GMT+2 (EET)
MAC Address and Username Binding on FreeRADIUS
Hi,

My FreeRadius is working fine, my wireless clients are able to authenticate with username and password from the /etc/raddb/users file and dynamic vlan assignment is working fine too.

I now need to configure it to restrict a user to get authenticated only from a single MAC address, so the dynamic vlan assignment is restricted to that user only from its authorized MAC address. Please help.

I tried following the How-to guide but have not been able to get it working. Please help. I have attached my configuration files for your reference, please let me know how to go about doing it.

authorize_macs: http://freeradius.1045715.n5.nabble.com/file/n4297874/authorize_macs
default[sites-available]: http://freeradius.1045715.n5.nabble.com/file/n4297874/default%5Bsites-available%5D
eap.conf: http://freeradius.1045715.n5.nabble.com/file/n4297874/eap.conf
files: http://freeradius.1045715.n5.nabble.com/file/n4297874/files
policy.conf: http://freeradius.1045715.n5.nabble.com/file/n4297874/policy.conf
radiusd.conf: http://freeradius.1045715.n5.nabble.com/file/n4297874/radiusd.conf
users: http://freeradius.1045715.n5.nabble.com/file/n4297874/users
Radrelay and dynamic-sql-clients
Hello List.

I am using the dynamic-sql-clients example in my freeradius server. I am keying off the %{Packet-Src-IP-Address} of the NAS sending the packets to two separate virtual servers on the same host.

The problem comes when I wish to radrelay - I end up having to pick one or the other virtual server. I was just wondering if there was a way for me to proxy these packets to the correct virtual server based on the attributes in them, namely NAS-IP-Address? Perhaps to create another virtual server to handle those specific radrelay hosts and then proxy them...

Kind Regards,
Etienne Pretorius
Different sql servers for separated authacc
Hello,

in a special setup we are using freeradius Version 1.1.3 (sql.conf v 1.41.2.2.2.2), on a debian x86 machine, which can't be upgraded to Version 2.0.

I would like to check authorization against mysqldb1 and insert/update accounting in mysqldb2. Is it possible to use two independent mysql databases in Version 1.1.3?

Thanks in advance,
chris
ldap and file authentication
hi @all,

is it possible to provide ldap authentication and users file authentication at the same time on a radius server?

On my radius server the ldap authentication works fine, additionally I want to provide users file authentication, so I commented out the following lines:

--radiusd.conf
file {
    userfile = ${confdir}/users
}
...
authorize{
    ...
    files
    ...
}

My users file:

testuser Cleartext-Password := XXX

When I want to log in the user testuser the debug screen shows:

Login incorrect: (rlm_ldap: User not found): [testuser]

Are there any other options I have to set or isn't it possible to authenticate users via ldap and users file at the same time?

Thanks for your answers,
greetings
Klaus
RE: unable to authenticate freeradius+AD
SOS - is somebody around to HELP ME

Yao Thierry Konou
AMR SERVICES
11 Rue du Petit Châtelier CS90346
44303 NANTES CEDEX 3
Tel : 02 28 44 19 80 - Fax : 02 28 44 53 88
Site: http://www.amr-services.fr/

From: freeradius-users-bounces+ykonou=amr-services@lists.freeradius.org [mailto:freeradius-users-bounces+ykonou=amr-services@lists.freeradius.org] On behalf of Yao Konou
Sent: Monday, 11 April 2011 15:56
To: freeradius-users@lists.freeradius.org
Subject: unable to authenticate freeradius+AD

> Hi all,
>
> I need your help to fix a problem in an AD configuration with Freeradius
>
> My platform : Freeradius + samba + AD ( windows 2003).
> The PB : unable to authenticate AD users
>
> This is the debug of the authentication of an AD user on the server
>
> Regards.
> Yao Thierry Konou
AW: unable to authenticate freeradius+AD
You have not configured ntlm_auth, see http://deployingradius.com/documents/configuration/active_directory.html

From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On behalf of Yao Konou
Sent: Tuesday, 12 April 2011 15:53
To: FreeRadius users mailing list
Subject: RE: unable to authenticate freeradius+AD

> SOS - is somebody around to HELP ME
>
> Yao Thierry Konou
>
> From: freeradius-users-bounces+ykonou=amr-services@lists.freeradius.org [mailto:freeradius-users-bounces+ykonou=amr-services@lists.freeradius.org] On behalf of Yao Konou
> Sent: Monday, 11 April 2011 15:56
> To: freeradius-users@lists.freeradius.org
> Subject: unable to authenticate freeradius+AD
>
>> Hi all,
>>
>> I need your help to fix a problem in an AD configuration with Freeradius
>>
>> My platform : Freeradius + samba + AD ( windows 2003).
>> The PB : unable to authenticate AD users
>>
>> This is the debug of the authentication of an AD user on the server
>>
>> Regards.
>> Yao Thierry Konou
How to add RADIUS users under OU=People
Hello,

I need some help. What I want is, instead of creating an OU called radius, I would like to add all radius users under OU=People. How to achieve this?

I am not able to add a user with objectclass:radiusprofile. I tried changing the radius schema to AUX but no luck. Please have a look at my LDIF file. I am using SuSE 11.

dn: uid=kris,ou=People,dc=example,dc=com
uid: kris
cn: kris
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: uidObject
objectClass: radiusprofile
userPassword: {crypt}$2a$10$DXf3RUs5cQv/WYOgaeyv1uwvUJ.3ZfW3sr7sCr75/6/dw062c5YOe
shadowLastChange: 15076
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 100
homeDirectory: /home/kris
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None
radiusGroupName: dial
radiusGroupName: isdn
radiusAuthType: LDAP

Suggestions will be appreciated.

/Neo
Freeradius and Microsoft NPS
I couldn't find anything in the archives with this error and i am fairly new to freeradius config anyway so i thought this would be a good start. We are looking to authenticate wireless users through freeradius and Microsoft NPS. Our outer authentication is PEAP and terminates at the radius server, inner is MSCHAPv2 and is passed to the NPS. With our current config we get a segfault at the end of the exchange. The output of radiusd -X is below
Authentication based on users and NAS
Hi,

It was easier than I thought, I simply had to add to /etc/raddb/users something like:

steve Called-Station-Id == 00259c14066e,Cleartext-Password := password

Still I had to solve 2 issues:

The first one is that if I want steve to log in through more than one NAS I have to add one line like above per NAS. Is there a nicer way to do it?

The second one is that I don't know how to do it for LDAP users.

Thanks in advance!

--
Sergio Belkin
http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
Re: Freeradius and Microsoft NPS
On 12/04/11 16:34, Doty, Seth wrote:
> I couldn't find anything in the archives with this error and i am fairly new to freeradius config anyway so i thought this would be a good start. We are looking to authenticate wireless users through freeradius and Microsoft NPS. Our outer authentication is PEAP and terminates at the radius server, inner is MSCHAPv2 and is passed to the NPS. With our current config we get a segfault at the end of the exchange.

See doc/bugs - you need to get a backtrace under gdb
Re: MAC Address and Username Binding on FreeRADIUS
So far as I know, there is no good way to automatically add a MAC address to a user entry, or a user entry to a mac80211 entry on first connect. The UNLANG to ensure that the MAC address matches for a validated account is simple however, and you should have no issue figuring that out. See modules/checkval for an example.

You can, however, easily run a script to watch the output for successful auth attempts with no mac--user mapping, and have your script add that mapping. I find it's usually better, however, to just have someone manually inject the mapping.

Are you trying to lock a single laptop to a single user, or a single user to a single laptop? If this is an environment where people can provide their own hardware, you'd be better off not locking them in, but instead just correlating them, as many people can have more than one laptop. Additionally, in today's modern age of multi-user systems, many people can share a single laptop as well, so you should also be aware of that.

Good luck!

On 4/12/2011 03:11, syharash wrote:
> Hi,
>
> My FreeRadius is working fine, my wireless clients are able to authenticate with username and password from the /etc/raddb/users file and dynamic vlan assignment is working fine too.
>
> I now need to configure it to restrict a user to get authenticated only from a single MAC address, so the dynamic vlan assignment is restricted to that user only from its authorized MAC address. Please help.
>
> I tried following the How-to guide but have not been able to get it working. Please help. I have attached my configuration files for your reference, please let me know how to go about doing it.
>
> authorize_macs: http://freeradius.1045715.n5.nabble.com/file/n4297874/authorize_macs
> default[sites-available]: http://freeradius.1045715.n5.nabble.com/file/n4297874/default%5Bsites-available%5D
> eap.conf: http://freeradius.1045715.n5.nabble.com/file/n4297874/eap.conf
> files: http://freeradius.1045715.n5.nabble.com/file/n4297874/files
> policy.conf: http://freeradius.1045715.n5.nabble.com/file/n4297874/policy.conf
> radiusd.conf: http://freeradius.1045715.n5.nabble.com/file/n4297874/radiusd.conf
> users: http://freeradius.1045715.n5.nabble.com/file/n4297874/users
RE: Freeradius and Microsoft NPS
The box is fedora 14 with freeradius from the repos. This is the output of the gdb log file:

Starting program: /usr/sbin/radiusd -X
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0xb7fce31d in rbtree_find () from /usr/lib/freeradius/libfreeradius-radius-2.1.10.so
* 1 Thread 0xb79e8730 (LWP 15969) 0xb7fce31d in rbtree_find () from /usr/lib/freeradius/libfreeradius-radius-2.1.10.so

Thread 1 (Thread 0xb79e8730 (LWP 15969)):
#0 0xb7fce31d in rbtree_find () from /usr/lib/freeradius/libfreeradius-radius-2.1.10.so
No symbol table info available.
#1 0xb7fce38b in rbtree_deletebydata () from /usr/lib/freeradius/libfreeradius-radius-2.1.10.so
No symbol table info available.
#2 0xb79d5123 in eap_handler_free () from /usr/lib/freeradius/rlm_eap.so
No symbol table info available.
#3 0x00131127 in request_free ()
No symbol table info available.
#4 0xb79aec29 in ?? () from /usr/lib/freeradius/rlm_eap_peap.so
No symbol table info available.
#5 0xb79d2c07 in ?? () from /usr/lib/freeradius/rlm_eap.so
No symbol table info available.
#6 0x0012c95d in modcall ()
No symbol table info available.
#7 0x0012b0a4 in indexed_modcall ()
No symbol table info available.
#8 0x0012ba4c in module_post_proxy ()
No symbol table info available.
#9 0x0013504c in ?? ()
No symbol table info available.
#10 0x001350fe in ?? ()
No symbol table info available.
#11 0x001389c3 in radius_handle_request ()
No symbol table info available.
#12 0x001309ec in thread_pool_addrequest ()
No symbol table info available.
#13 0x00136424 in ?? ()
No symbol table info available.
#14 0xb7fd4d65 in fr_event_loop () from /usr/lib/freeradius/libfreeradius-radius-2.1.10.so
No symbol table info available.
#15 0x00138994 in radius_event_process ()
No symbol table info available.
#16 0x0011821e in main ()
No symbol table info available.
A debugging session is active.
Inferior 1 [process 15969] will be killed.

From: freeradius-users-bounces+seth.doty=nebraska@lists.freeradius.org [freeradius-users-bounces+seth.doty=nebraska@lists.freeradius.org] On Behalf Of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Tuesday, April 12, 2011 12:00 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Freeradius and Microsoft NPS

> On 12/04/11 16:34, Doty, Seth wrote:
>> I couldn't find anything in the archives with this error and i am fairly new to freeradius config anyway so i thought this would be a good start. We are looking to authenticate wireless users through freeradius and Microsoft NPS. Our outer authentication is PEAP and terminates at the radius server, inner is MSCHAPv2 and is passed to the NPS. With our current config we get a segfault at the end of the exchange.
>
> See doc/bugs - you need to get a backtrace under gdb
EAP-PEAP-GTC User-Password never set
Hello All,

I've been trying to get this seemingly simple implementation working for the past week to no avail. I've been scouring the search in an attempt to find someone with the exact same problem, yet haven't found anyone. Hopefully someone here can help.

Here is my attempted implementation: I'm trying to implement a sort of MobileOTP solution for testing using EAP-PEAP-GTC. A user has a time-synchronized MobileOTP soft token (on their mobile phone) which they will use to generate a One Time Password. The user can then log onto a wireless network using their given username and OTP.

To make matters simpler, I thought I'd just use the users file to store the user's username, seed Secret, PIN, and time offset. When a user tries to log in using GTC, the PEAP tunnel will be created and then the user's username will be checked against the users file in order to populate their data (Secret, PIN, Offset). Then the username, OTP, Secret, PIN, and Offset will be sent as arguments to an external script called otpverify.sh that will verify that the OTP entered for that user is correct. If it is, it returns ACCEPT, otherwise FAIL.

So far the PEAP tunnel is created without a problem, but when it enters the EAP/gtc phase 2 it seems to only populate the User-Name attribute. The User-Password, Secret, PIN, and Offset values all expand as empty. As a result, phase 2 GTC authentication fails because the gtc module says it needs a Cleartext-Password. I feel as though I need to populate those attributes somewhere, but I have no idea where... or how exactly to do it.

I'm a little new to FreeRADIUS and this is the first time I've tried working with GTC and external scripts, so absolutely any help/direction/suggestions are greatly appreciated. I've tried a bunch of different things but I'm pretty stuck; my configuration is probably screwed up to the max, so if you'd like me to start from a more default configuration I'd be happy to do that.

Thank you in advance.
Here is the radiusd debug output:
Re: MAC Address and Username Binding on FreeRADIUS
Hi,

You could use a huntgroup for the MAC addresses and then define what to do for that huntgroup.

Thor.

- Original Message -
From: syharash syhar...@yahoo.com
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, April 12, 2011 12:11:51 PM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: MAC Address and Username Binding on FreeRADIUS

> Hi,
>
> My FreeRadius is working fine, my wireless clients are able to authenticate with username and password from the /etc/raddb/users file and dynamic vlan assignment is working fine too.
>
> I now need to configure it to restrict a user to get authenticated only from a single MAC address, so the dynamic vlan assignment is restricted to that user only from its authorized MAC address. Please help.
>
> I tried following the How-to guide but have not been able to get it working. Please help. I have attached my configuration files for your reference, please let me know how to go about doing it.
>
> authorize_macs: http://freeradius.1045715.n5.nabble.com/file/n4297874/authorize_macs
> default[sites-available]: http://freeradius.1045715.n5.nabble.com/file/n4297874/default%5Bsites-available%5D
> eap.conf: http://freeradius.1045715.n5.nabble.com/file/n4297874/eap.conf
> files: http://freeradius.1045715.n5.nabble.com/file/n4297874/files
> policy.conf: http://freeradius.1045715.n5.nabble.com/file/n4297874/policy.conf
> radiusd.conf: http://freeradius.1045715.n5.nabble.com/file/n4297874/radiusd.conf
> users: http://freeradius.1045715.n5.nabble.com/file/n4297874/users
Re: Freeradius and Microsoft NPS
On 04/12/2011 07:32 PM, Doty, Seth wrote:
> The box is fedora 14 with freeradius from the repos. This is the output of the gdb log file:

Can you install the freeradius-debuginfo RPM and do this again; the backtrace is partial/mangled. It looks like it may be dying in request_free in peap.c:625, but the debug info will give line numbers; you could also try stepping up a few times and examining relevant variables.
Re: Different sql servers for separated authacc
Hi,

Read http://wiki.freeradius.org/Rlm_sql section Instances

Regards,
Thor.

- Original Message -
From: c schwarz c.schw...@funknetz.at
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, April 12, 2011 1:36:17 PM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Different sql servers for separated authacc

Hello,

in a special setup we are using freeradius Version 1.1.3 (sql.conf v 1.41.2.2.2.2), on a debian x86 machine, which can’t be upgraded to Version 2.0. I would like to check authorization against mysqldb1 and insert/update accounting in mysqldb2. Is it possible to use two independent mysql databases in Version 1.1.3?

Thanks in advance,
chris
Re: ldap and file authentication
Hi,

Read http://wiki.freeradius.org/Fail-over

Regards,
Thor.

- Original Message -
From: Marco Kalmbach mc...@gmx.de
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, April 12, 2011 3:24:35 PM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: ldap and file authentication

hi @all,

is it possible to provide ldap authentication and users file authentication at the same time on a radius server? On my radius server the ldap authentication works fine, additionally I want to provide users file authentication, so I commented out the following lines:

--radiusd.conf
    file {
        userfile = ${confdir}/users
    }
    ...
    authorize{
        ...
        files
        ...
    }

My users file:

    testuser Cleartext-Password := XXX

When I want to login the user testuser the Debugscreen shows:

    Login incorrect: (rlm_ldap: User not found): [testuser]

Are there any other options I have to set or isn't it possible to authenticate users via ldap and users file at the same time?

Thanks for your answers,
greetings Klaus
Re: How to add RADIUS users under OU=People
Hi,

Read http://wiki.freeradius.org/Rlm_ldap

You might want to play with basedn and filter.

Regards,
Thor.

- Original Message -
From: pradyumna dash pradyumna_dash...@yahoo.co.in
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, April 12, 2011 4:34:52 PM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: How to add RADIUS users under OU=People

Hello,

I need help. What I want is, instead of creating an OU called radius, I would like to add all radius users under OU=People; how to achieve this? I am not able to add a user with objectclass:radiusprofile, I tried changing radius schema to AUX but no luck. Please have a look at my LDIF file. I am using SuSE 11

    dn: uid=kris,ou=People,dc=example,dc=com
    uid: kris
    cn: kris
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    objectClass: uidObject
    objectClass: radiusprofile
    userPassword: {crypt}$2a$10$DXf3RUs5cQv/WYOgaeyv1uwvUJ.3ZfW3sr7sCr75/6/dw062c5YOe
    shadowLastChange: 15076
    shadowMax: 9
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1003
    gidNumber: 100
    homeDirectory: /home/krisradiusServiceType: Framed-User
    radiusFramedProtocol: PPP
    radiusFramedIPNetmask: 255.255.255.0
    radiusFramedRouting: None
    radiusGroupName: dial
    radiusGroupName: isdn
    radiusAuthType: LDAP

Suggestions will be appreciated.

/Neo
Re: Authentication based on users and NAS
Hi,

If you're going to use LDAP, then just add the Called-Station-Id to your search filter and add one or multiple attributes to match against in your LDAP entries.

Regards,
Thor.

- Original Message -
From: Sergio Belkin seb...@gmail.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, April 12, 2011 5:46:58 PM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Authentication based on users and NAS

Hi,

It was easier than I thought, I simply had to add to /etc/raddb/users something like:

    steve Called-Station-Id == 00259c14066e,Cleartext-Password := password

Still I had to solve 2 issues: The first one is that if I want steve to login through more than one NAS I have to add one line like above per NAS. Is there a nicer way to do it? The second one is that I don't know how to do it for Ldap users.

Thanks in advance!

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
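The two station-identifier restrictions discussed above (several permitted NASes per user in this thread, one permitted client MAC per user in the MAC-binding thread earlier), as an added FreeRADIUS 2.x configuration example that is not from any poster. The second AP value, the user alice, her MAC, and the choice of the radiusCalledStationId LDAP attribute are assumptions made for illustration.

```conf
# --- /etc/raddb/users --------------------------------------------------
# One entry per user instead of one per NAS: the regex operator (=~)
# accepts any of the listed APs. 00259c14066e is the value from the
# post; 00259c140670 is a constructed second AP.
steve   Called-Station-Id =~ "^(00259c14066e|00259c140670)$", Cleartext-Password := "password"

# Binding a user to a single client MAC has the same shape, but checks
# Calling-Station-Id (the client) instead of Called-Station-Id (the AP).
# User name and MAC are constructed samples.
alice   Calling-Station-Id == "001122334455", Cleartext-Password := "password"

# If the entry does not match, the user gets no Cleartext-Password from
# this file and authentication against it fails.
#
# With PEAP/TTLS the password check runs on the inner (tunnelled)
# request, which only carries the station attributes when
# copy_request_to_tunnel = yes is set in eap.conf.

# --- /etc/raddb/modules/ldap -------------------------------------------
# LDAP users: extend the stock search filter so an entry is only found
# when one of its radiusCalledStationId values equals the AP in the
# request. The attribute is multi-valued: add one value per permitted AP
# to the user's entry. Other settings (server, basedn, identity) stay
# as they are.
ldap {
    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(radiusCalledStationId=%{Called-Station-Id}))"
}
```

Called-Station-Id and Calling-Station-Id formats differ between NAS vendors (separators, case, an appended SSID), so compare against the value shown in the server's debug output. Both values are reported by the NAS and a client MAC can be changed, so the binding is an additional restriction alongside the password, not authentication in itself.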
Using user name from certificate.
Hello everyone,

I have been trying to check some parameters for authentication which needs the CommonName from the certificate. I realise that the value I need to access is cn_str (from source code) but it is not available for processing from the configuration file. Will defining in dictionary help?

Excuse the ignorance of a new freeradius user.

Regards,
Mrinal
Re: Using user name from certificate.
Mrinal K wrote:
> I have been trying to check some parameters for authentication which needs the CommonName from the certificate. I realise that the value I need to access is cn_str(from source code) but it is not available for processing from the configuration file. Will defining in dictionary help ?

No. Install 2.1.10, and read raddb/sites-available/default. Look for certificate

Alan DeKok.
Re: EAP-PEAP-GTC User-Password never set
Carl Anderson wrote:
> So far the PEAP tunnel is created without a problem, but when it enters the EAP/gtc phase 2 it seems to only populate the User-Name attribute. The User-Password, Secret, PIN, and Offset values all expand as empty. As a result, phase 2 GTC authentication fails because the gtc module says it needs a Cleartext-Password. I feel as though I need to populate those attributes somewhere, but I have no idea where... or how exactly to do it.

Read what you just wrote: the User-Password doesn't exist, and the gtc module says it needs a Cleartext-Password. They're not the same.

The GTC module requires a Cleartext-Password to authenticate the user, as the known good password. It doesn't exist, because you're using a script.

Your config is looking for a User-Password attribute to pass to the script. It doesn't exist because you're using GTC.

In short, what you want to do isn't possible unless you modify the source code to the server.

Alan DeKok.
Re: Radrealy and dynamic-sql-clients
Etienne Pretorius wrote:
> The problem comes, when I wish to radrelay - I end up having to pick one or the other virtual server. I was just wondering if there was a way for me to proxy these packets to the correct virtual server based on the attributes in them, namely NAS-IP-Address?

Set Proxy-To-Realm:

    if (NAS-IP-Address == 1.2.3.4) {
        update control {
            Proxy-To-Realm := foo
        }
    }

Alan DeKok.
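How the Proxy-To-Realm answer above can reach a virtual server, as an added FreeRADIUS 2.x configuration example that is not from the thread. It assumes two target virtual servers named site_a and site_b already exist; those names, the realm, pool and home_server names, and the address 192.0.2.20 are hypothetical.

```conf
# --- /etc/raddb/proxy.conf ---------------------------------------------
# A home_server may point at a virtual server in the same process
# instead of an IP address (only one of ipaddr / virtual_server per
# home_server). Names below are hypothetical.
home_server hs_site_a {
    type = acct
    virtual_server = site_a
}
home_server_pool pool_site_a {
    type = fail-over
    home_server = hs_site_a
}
realm site_a {
    acct_pool = pool_site_a
}

home_server hs_site_b {
    type = acct
    virtual_server = site_b
}
home_server_pool pool_site_b {
    type = fail-over
    home_server = hs_site_b
}
realm site_b {
    acct_pool = pool_site_b
}

# --- virtual server that reads the detail file (radrelay role) ----------
# The listen { type = detail } section is unchanged and omitted here.
server radrelay {
    preacct {
        # Pick the realm, and with it the virtual server, per NAS.
        if (NAS-IP-Address == 1.2.3.4) {
            update control {
                Proxy-To-Realm := "site_a"
            }
        }
        elsif (NAS-IP-Address == 192.0.2.20) {
            update control {
                Proxy-To-Realm := "site_b"
            }
        }
    }
    accounting {
        # Nothing is logged locally; the packet is only proxied.
        ok
    }
}
```

A packet whose NAS-IP-Address matches neither branch gets no Proxy-To-Realm and is handled by this server's own accounting section instead of being relayed.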
Re: How to add RADIUS users under OU=People
Hi Thor,

Thanks for your reply. The rlm_ldap module is used for integration of FreeRADIUS with OpenLDAP, but I am facing issues while adding a user under OU=People with radiusprofile objectclass and radius attributes.

If I am adding another OU, e.g. RADIUS, and trying to add users in it, it is working fine, but when I am trying to add the same user under OU=People, I am facing an issue. I feel like there are some issues with the objectclass and all.

Suggestions will be appreciated.

/N

--- On Wed, 13/4/11, Thor Spruyt thor.spr...@telenet.be wrote:

From: Thor Spruyt thor.spr...@telenet.be
Subject: Re: How to add RADIUS users under OU=People
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Wednesday, 13 April, 2011, 3:50 AM

Hi,

Read http://wiki.freeradius.org/Rlm_ldap

You might want to play with basedn and filter.

Regards,
Thor.

- Original Message -
From: pradyumna dash pradyumna_dash...@yahoo.co.in
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, April 12, 2011 4:34:52 PM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: How to add RADIUS users under OU=People

Hello,

I need help. What I want is, instead of creating an OU called radius, I would like to add all radius users under OU=People; how to achieve this? I am not able to add a user with objectclass:radiusprofile, I tried changing radius schema to AUX but no luck. Please have a look at my LDIF file. I am using SuSE 11

    dn: uid=kris,ou=People,dc=example,dc=com
    uid: kris
    cn: kris
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    objectClass: uidObject
    objectClass: radiusprofile
    userPassword: {crypt}$2a$10$DXf3RUs5cQv/WYOgaeyv1uwvUJ.3ZfW3sr7sCr75/6/dw062c5YOe
    shadowLastChange: 15076
    shadowMax: 9
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1003
    gidNumber: 100
    homeDirectory: /home/krisradiusServiceType: Framed-User
    radiusFramedProtocol: PPP
    radiusFramedIPNetmask: 255.255.255.0
    radiusFramedRouting: None
    radiusGroupName: dial
    radiusGroupName: isdn
    radiusAuthType: LDAP

Suggestions will be appreciated.

/Neo
RE: EAP-PEAP-GTC User-Password never set
Well, that's a shame, but thank you very much for the reply, I appreciate it. It'll at least save me countless hours of fiddling around with the config to no avail.

Cheers,
Carl

From: Alan DeKok-2 [via FreeRadius] [mailto:ml-node+4299802-2066596580-197...@n5.nabble.com]
Sent: Wednesday, April 13, 2011 1:09 AM
To: Carl Anderson
Subject: Re: EAP-PEAP-GTC User-Password never set

Carl Anderson wrote:
> So far the PEAP tunnel is created without a problem, but when it enters the EAP/gtc phase 2 it seems to only populate the User-Name attribute. The User-Password, Secret, PIN, and Offset values all expand as empty. As a result, phase 2 GTC authentication fails because the gtc module says it needs a Cleartext-Password. I feel as though I need to populate those attributes somewhere, but I have no idea where... or how exactly to do it.

Read what you just wrote: the User-Password doesn't exist, and the gtc module says it needs a Cleartext-Password. They're not the same.

The GTC module requires a Cleartext-Password to authenticate the user, as the known good password. It doesn't exist, because you're using a script.

Your config is looking for a User-Password attribute to pass to the script. It doesn't exist because you're using GTC.

In short, what you want to do isn't possible unless you modify the source code to the server.

Alan DeKok.