Re: proxy question

[Alan DeKok]

Doty, Seth wrote:
> Currently I have a wireless setup that terminates the outer tunnel
> locally then queries AD to get group/user data.  This happens for the
> realm named after the domain,the default realm, and NULL realm and works
> perfectly.  What I need to do now is add a new realm (testrealm)that
> terminates the eap tunnel locally just like the other realms (to keep
> the cert the same) and then proxies the inner tunnel to a MS ias server
> (old_DC).  All i will need back is an accept and then i will attempt to
> pass attributes to the wireless controller based on the realm (I assume
> I can do this).  I appear to be having some issues with initial
> authentication however.

  You've set it to proxy to a home server.  The home server is rejecting
the request.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Renaming during Machine Authentication

[Alan DeKok]

mjonesmcne wrote:
> Here is the rest of the debug
...
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca
> [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with
> NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject

  That's pretty definitive.

  You didn't tell the server how to authenticate the user.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Can't get checkrad to be called

[Dan Brisson]

Just finished setting up the latest Freeradius - 2.1.10.  Checkrad is 
working.  I've replicated the settings from 2.1.7 so I have to think 
something has changed from 2.1.7 to 2.1.10.


I'm running on CentOS with 2.1.7 installed from Yum.  My 2.1.10 was 
built from source on RHEL5.


I ultimately need to be on CentOS.  Once I get 2.1.10 installed and 
tested, I'll reply to the list.


Thanks to those who chimed in.

-dan

On 6/3/11 9:21 AM, George Chelidze wrote:

On 06/03/2011 02:35 PM, Dan Brisson wrote:


It really seems like this line in the radutmp "modules" file is not
being executed:

check_with_nas = yes

But from radiusd -X, it does seem to be:


It's a configuration option not a command to be executed


check_with_nas = yes


So, it's there

Can you post authorize/accounting sections from your configuration?

Best Regards,

George Chelidze
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Log NAS IP rather than Shortname - PLEASE

[Jason Frawley]

it appears I wont be able to easily upgrade because of the fact its windows
based and was downloaded from freeradius.net and their site is not exactly
working again but when I was able to get to parts of the page it looks as if
they only released one version, so I have and extra rack mount computer here
I may just have to dump linux on to and I been meaning to do that anyways
for a secondary dns server and for additional websites etc..

debug mode does not show the info I want last I checked, but my syslog does
have the correct info from all of the routers so I will train dad how to
look at both files and search them depending on what info he needs... I am
basically just tryin to make my dads life easier so when I am not in town he
can still manage things.

I greatly appreciate all your help!

Jason

On Fri, Jun 3, 2011 at 3:58 PM, Gary Gatten  wrote:

> Yeah, that version may help ;). Lots has changed since then, if you can
> upgrade I would. Else. If you run it in debug mode does it spew what
> info you want? Maybe you can somehow wrap it with a "tee" process and then
> massage that output as you wish.
>
> *From*: Jason Frawley [mailto:jfrawle...@gmail.com]
> *Sent*: Friday, June 03, 2011 05:48 PM
> *To*: FreeRadius users mailing list 
>
> *Subject*: Re: Log NAS IP rather than Shortname - PLEASE
>
>  it may help to note-  I am using windows version of FreeRadius ver 1.1.7
> r2
>
> On Fri, Jun 3, 2011 at 3:45 PM, Jason Frawley wrote:
>
>> - ADD what information logged (look at radiusd.conf, look for msg) --
>> unable to find msg in radiusd.conf file
>> - log to a NEW file, with another format altogether (see linelog module) --
>> unable to find anything on linelog module
>> with option one I do see where I can create the detail logs, and they are
>> being created, should I just change the directory and the file name to
>> radius.log or is that going to conflict with other opertations?
>>
>> option2- I am not finding any files etc referring to linelog modules :(
>>
>> Jason
>>
>>
>> On Fri, Jun 3, 2011 at 3:34 PM, Fajar A. Nugraha  wrote:
>>
>>> On Sat, Jun 4, 2011 at 2:46 AM, Jason Frawley 
>>> wrote:
>>> > There may be some confusion, I am currently logging auth and accounting
>>> > information in seperate folders that are labeled by client ip
>>> addresses, but
>>> > those are the detail auth logs, I am working with just the radius.log
>>> file.
>>> > Below is a sample of what I get in the radius log file, notice the from
>>> > client 207.32.194.0/23 is the subnet which is in the clients.conf file
>>> also
>>> > attached below.
>>>
>>> No confusion here.
>>>
>>> >  So rather than manually entering all my router ips is there
>>> > a shorter way to edit the way the radius.log file is built?
>>>
>>> Did you read up on the two options I sent eariler?
>>>
>>> --
>>>  Fajar
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>
>>
>   "This email is intended to be reviewed by only the intended recipient
> and may contain information that is privileged and/or confidential. If you
> are not the intended recipient, you are hereby notified that any review,
> use, dissemination, disclosure or copying of this email and its attachments,
> if any, is strictly prohibited. If you have received this email in error,
> please immediately notify the sender by return email and delete this email
> from your system."
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Log NAS IP rather than Shortname - PLEASE

[Gary Gatten]

Yeah, that version may help ;). Lots has changed since then, if you can upgrade 
I would. Else. If you run it in debug mode does it spew what info you want? 
Maybe you can somehow wrap it with a "tee" process and then massage that output 
as you wish.

From: Jason Frawley [mailto:jfrawle...@gmail.com]
Sent: Friday, June 03, 2011 05:48 PM
To: FreeRadius users mailing list 
Subject: Re: Log NAS IP rather than Shortname - PLEASE

it may help to note-  I am using windows version of FreeRadius ver 1.1.7 r2

On Fri, Jun 3, 2011 at 3:45 PM, Jason Frawley 
mailto:jfrawle...@gmail.com>> wrote:
- ADD what information logged (look at radiusd.conf, look for msg) -- unable to 
find msg in radiusd.conf file
- log to a NEW file, with another format altogether (see linelog module) -- 
unable to find anything on linelog module
with option one I do see where I can create the detail logs, and they are being 
created, should I just change the directory and the file name to radius.log or 
is that going to conflict with other opertations?

option2- I am not finding any files etc referring to linelog modules :(

Jason


On Fri, Jun 3, 2011 at 3:34 PM, Fajar A. Nugraha 
mailto:l...@fajar.net>> wrote:
On Sat, Jun 4, 2011 at 2:46 AM, Jason Frawley 
mailto:jfrawle...@gmail.com>> wrote:
> There may be some confusion, I am currently logging auth and accounting
> information in seperate folders that are labeled by client ip addresses, but
> those are the detail auth logs, I am working with just the radius.log file.
> Below is a sample of what I get in the radius log file, notice the from
> client 207.32.194.0/23 is the subnet which is in the 
> clients.conf file also
> attached below.

No confusion here.

>  So rather than manually entering all my router ips is there
> a shorter way to edit the way the radius.log file is built?

Did you read up on the two options I sent eariler?

--
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html










"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Log NAS IP rather than Shortname - PLEASE

[Fajar A. Nugraha]

On Sat, Jun 4, 2011 at 5:48 AM, Jason Frawley  wrote:
> it may help to note-  I am using windows version of FreeRadius ver 1.1.7 r2

The usual reponse would be "upgrade".

>
> On Fri, Jun 3, 2011 at 3:45 PM, Jason Frawley  wrote:
>>
>> - ADD what information logged (look at radiusd.conf, look for msg) --
>> unable to find msg in radiusd.conf file

See http://wiki.freeradius.org/radiusd.conf for example from 2.1.x

>> - log to a NEW file, with another format altogether (see linelog module)
>> -- unable to find anything on linelog module

https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/modules/linelog
Basically with that you can create additional log files anywhere,
using any format you choose.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Log NAS IP rather than Shortname - PLEASE

[Jason Frawley]

it may help to note-  I am using windows version of FreeRadius ver 1.1.7 r2

On Fri, Jun 3, 2011 at 3:45 PM, Jason Frawley  wrote:

> - ADD what information logged (look at radiusd.conf, look for msg) --
> unable to find msg in radiusd.conf file
> - log to a NEW file, with another format altogether (see linelog module) --
> unable to find anything on linelog module
> with option one I do see where I can create the detail logs, and they are
> being created, should I just change the directory and the file name to
> radius.log or is that going to conflict with other opertations?
>
> option2- I am not finding any files etc referring to linelog modules :(
>
> Jason
>
>
> On Fri, Jun 3, 2011 at 3:34 PM, Fajar A. Nugraha  wrote:
>
>> On Sat, Jun 4, 2011 at 2:46 AM, Jason Frawley 
>> wrote:
>> > There may be some confusion, I am currently logging auth and accounting
>> > information in seperate folders that are labeled by client ip addresses,
>> but
>> > those are the detail auth logs, I am working with just the radius.log
>> file.
>> > Below is a sample of what I get in the radius log file, notice the from
>> > client 207.32.194.0/23 is the subnet which is in the clients.conf file
>> also
>> > attached below.
>>
>> No confusion here.
>>
>> >  So rather than manually entering all my router ips is there
>> > a shorter way to edit the way the radius.log file is built?
>>
>> Did you read up on the two options I sent eariler?
>>
>> --
>>  Fajar
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Log NAS IP rather than Shortname - PLEASE

[Jason Frawley]

- ADD what information logged (look at radiusd.conf, look for msg) -- unable
to find msg in radiusd.conf file
- log to a NEW file, with another format altogether (see linelog module) --
unable to find anything on linelog module
with option one I do see where I can create the detail logs, and they are
being created, should I just change the directory and the file name to
radius.log or is that going to conflict with other opertations?

option2- I am not finding any files etc referring to linelog modules :(

Jason


On Fri, Jun 3, 2011 at 3:34 PM, Fajar A. Nugraha  wrote:

> On Sat, Jun 4, 2011 at 2:46 AM, Jason Frawley 
> wrote:
> > There may be some confusion, I am currently logging auth and accounting
> > information in seperate folders that are labeled by client ip addresses,
> but
> > those are the detail auth logs, I am working with just the radius.log
> file.
> > Below is a sample of what I get in the radius log file, notice the from
> > client 207.32.194.0/23 is the subnet which is in the clients.conf file
> also
> > attached below.
>
> No confusion here.
>
> >  So rather than manually entering all my router ips is there
> > a shorter way to edit the way the radius.log file is built?
>
> Did you read up on the two options I sent eariler?
>
> --
>  Fajar
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Log NAS IP rather than Shortname - PLEASE

[Fajar A. Nugraha]

On Sat, Jun 4, 2011 at 2:46 AM, Jason Frawley  wrote:
> There may be some confusion, I am currently logging auth and accounting
> information in seperate folders that are labeled by client ip addresses, but
> those are the detail auth logs, I am working with just the radius.log file.
> Below is a sample of what I get in the radius log file, notice the from
> client 207.32.194.0/23 is the subnet which is in the clients.conf file also
> attached below.

No confusion here.

>  So rather than manually entering all my router ips is there
> a shorter way to edit the way the radius.log file is built?

Did you read up on the two options I sent eariler?

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

proxy question

[Doty, Seth]

Currently I have a wireless setup that terminates the outer tunnel
locally then queries AD to get group/user data.  This happens for the
realm named after the domain,the default realm, and NULL realm and works
perfectly.  What I need to do now is add a new realm (testrealm)that
terminates the eap tunnel locally just like the other realms (to keep
the cert the same) and then proxies the inner tunnel to a MS ias server
(old_DC).  All i will need back is an accept and then i will attempt to
pass attributes to the wireless controller based on the realm (I assume
I can do this).  I appear to be having some issues with initial
authentication however.

 FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on
Mar 31 2010 at 00:14:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/ldap.save
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/files
including configuration
file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/TESTrealm
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
   status_server = yes
 }
}
radiusd:  Loading Realms and Home S

Re: Log NAS IP rather than Shortname - PLEASE

[Jason Frawley]

There may be some confusion, I am currently logging auth and accounting
information in seperate folders that are labeled by client ip addresses, but
those are the detail auth logs, I am working with just the radius.log file.
Below is a sample of what I get in the radius log file, notice the from
client 207.32.194.0/23 is the subnet which is in the clients.conf file also
attached below.  So rather than manually entering all my router ips is there
a shorter way to edit the way the radius.log file is built?

*SAMPLE from Radius.log

Fri Jun  3 12:39:17 2011 : Auth: Login incorrect: [00:60:B3:3C:A2:3C/] (from
cli
ent 207.32.194.0/23 port 2207252597)
*SAMPLE from clients.conf file
client 207.32.194.0/23 {
 secret  = nottellin
 shortname =
}


I did browse thru some of the previous posts but never really saw any
answers... I have a feeling I will need to do what the clients.conf file
recommends and that is to manually enter each one of my routers  :(  a
script would be nice to do that but I am not very educated in scripting
etc...   thanks for any additional help!

Jason Frawley
www.sm-email.com
208-740-3290
On Fri, Jun 3, 2011 at 12:31 PM, Fajar A. Nugraha  wrote:

> On Sat, Jun 4, 2011 at 2:19 AM, Jason Frawley 
> wrote:
> > Sorry I meant to say log the client ip and not the subnet in which its in
> > eg.  log shows request from 207.32.194.0/23 but I need it to show
> the
> > actual ip in which the request came from.  Eg.  207.32.194.4
>
> There was a post sometime ago about custom log format, search the list
> archive if you're interested in the complete responses.
> Basically you can either:
> - ADD what information logged (look at radiusd.conf, look for msg)
> - log to a NEW file, with another format altogether (see linelog module)
>
> Whichever path you choose, looks like you can use NAS-IP-Address or
> Client-IP-Address attribute as the extra information.
>
> --
> Fajar
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Log NAS IP rather than Shortname - PLEASE

[Fajar A. Nugraha]

On Sat, Jun 4, 2011 at 2:19 AM, Jason Frawley  wrote:
> Sorry I meant to say log the client ip and not the subnet in which its in
> eg.  log shows request from 207.32.194.0/23 but I need it to show the
> actual ip in which the request came from.  Eg.  207.32.194.4

There was a post sometime ago about custom log format, search the list
archive if you're interested in the complete responses.
Basically you can either:
- ADD what information logged (look at radiusd.conf, look for msg)
- log to a NEW file, with another format altogether (see linelog module)

Whichever path you choose, looks like you can use NAS-IP-Address or
Client-IP-Address attribute as the extra information.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Log NAS IP rather than Shortname - PLEASE

[Jason Frawley]

Sorry I meant to say log the client ip and not the subnet in which its in
eg.  log shows request from 207.32.194.0/23 but I need it to show the
actual ip in which the request came from.  Eg.  207.32.194.4
On Jun 3, 2011 10:57 AM, "Gary Gatten"  wrote:
>
> Huh?  It sounds like you already have it reporting the NAS IP.  Are you
saying you want it to report the “client” IP?  Doesn’t it already to that in
radiusd.log?
>
>
>
> 
>
> From: 
> freeradius-users-bounces+ggatten=waddell@lists.freeradius.org[mailto:
freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf
Of Jason Frawley
> Sent: Friday, June 03, 2011 12:50 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Log NAS IP rather than Shortname - PLEASE
>
>
>
> I have about 50 routers that are accessing my radius server and I setup
the clients.conf with CIDR and left shortnames blank so now it logs the ip
address and cidr.  What I really need it to do is just report the ip in
which the requests came from rather than the shortname...
>
> thoughts?
>
> Jason Frawley
>
> "This email is intended to be reviewed by only the intended recipient and
may contain information that is privileged and/or confidential. If you are
not the intended recipient, you are hereby notified that any review, use,
dissemination, disclosure or copying of this email and its attachments, if
any, is strictly prohibited. If you have received this email in error,
please immediately notify the sender by return email and delete this email
from your system."
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Log NAS IP rather than Shortname - PLEASE

[Gary Gatten]

Huh?  It sounds like you already have it reporting the NAS IP.  Are you saying 
you want it to report the "client" IP?  Doesn't it already to that in 
radiusd.log?


From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Jason Frawley
Sent: Friday, June 03, 2011 12:50 PM
To: freeradius-users@lists.freeradius.org
Subject: Log NAS IP rather than Shortname - PLEASE

I have about 50 routers that are accessing my radius server and I setup the 
clients.conf with CIDR and left shortnames blank so now it logs the ip address 
and cidr.  What I really need it to do is just report the ip in which the 
requests came from rather than the shortname...

thoughts?

Jason Frawley








"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Log NAS IP rather than Shortname - PLEASE

[Jason Frawley]

I have about 50 routers that are accessing my radius server and I setup the
clients.conf with CIDR and left shortnames blank so now it logs the ip
address and cidr.  What I really need it to do is just report the ip in
which the requests came from rather than the shortname...

thoughts?

Jason Frawley
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: how apply policy on my ldap users

[motaibi]

Please guys i need some help ??

no reply on my post above 

UP UP UP 

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/how-apply-policy-on-my-ldap-users-tp4449095p4451928.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Renaming during Machine Authentication

[mjonesmcne]

Here is the rest of the debug

Waking up in 3.3 seconds.
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=114,
length=198
User-Name = "host/TEST-11501.hpsd48.ab.ca"
NAS-IP-Address = 10.152.0.100
NAS-Port = 1
NAS-Identifier = "10.152.0.100"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00265EE9B2CA"
Called-Station-Id = "000B86611894"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020600061900
State = 0xaf0b06b8ab0d1f13414e4025002a7e0a
Aruba-Essid-Name = "HPSD_RAD2"
Aruba-Location-Id = "Tech 01"
Message-Authenticator = 0x39806663461b05b46cf3125e79491f35
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 114 to 10.152.0.100 port 32819
EAP-Message =
0x01070020190017030100154b001c00411832b717df4ad0a3453ea7f54a7477c6
Message-Authenticator = 0x
State = 0xaf0b06b8aa0c1f13414e4025002a7e0a
Finished request 14.
Going to the next request
Waking up in 3.3 seconds.
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=115,
length=248
User-Name = "host/TEST-11501.hpsd48.ab.ca"
NAS-IP-Address = 10.152.0.100
NAS-Port = 1
NAS-Identifier = "10.152.0.100"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00265EE9B2CA"
Called-Station-Id = "000B86611894"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x020700381900170301002d801b74be448ec8e8a1fd0bf61c7419611e41c0204edf3ec539b25c8f86becf0c98758d6c769df73dac4be09a7b
State = 0xaf0b06b8aa0c1f13414e4025002a7e0a
Aruba-Essid-Name = "HPSD_RAD2"
Aruba-Location-Id = "Tech 01"
Message-Authenticator = 0x76eadd506811e5fbaaa9bd651c72cfa5
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 56
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - host/TEST-11501.hpsd48.ab.ca
[peap] Got inner identity 'host/TEST-11501.hpsd48.ab.ca'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message =
0x0207002101686f73742f544553542d31313530312e6870736434382e61622e6361
server  {
  PEAP: Setting User-Name to host/TEST-11501.hpsd48.ab.ca
Sending tunneled request
EAP-Message =
0x0207002101686f73742f544553542d31313530312e6870736434382e61622e6361
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "host/TEST-11501.hpsd48.ab.ca"
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up
realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 33
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel

Re: Renaming during Machine Authentication

[mjonesmcne]

Here is my debug now I might have to break it up into 2 posts though because
of the size

FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 23 2011
at 11:28:44
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive 

Re: Error: User-Name is not the same as MS-CHAP name

[Phil Mayers]

On 03/06/11 15:09, Johan Meiring wrote:

On 2011/06/03 02:15 PM, Phil Mayers wrote:


I'm not downloading a torrent of copyrighted software to fix someone
else's
problem.


As long as you dont get a key, it is legal.



This is getting farcical...

Not picking on any one specific person here, but seriously - can anyone 
not contributing to the discussion at the level of the radius protocols 
just move along please?


I will get to it when I get to it, and in a manner of my own choosing. 
If you think you can do it faster, then please - do so. I'll gladly 
defer. Installing a copy of Windows XP and trying to reproduce some 
crappy Novell client issue is very much not top of my TODO list.


Grumbling,
Phil
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Mac authenticaion failure

[Phil Mayers]

On 26/05/11 15:48, pcunha wrote:

Hi Everyone,

I tried to set up Mac Authentication per the the doc at freeradius.org.


Be specific. Which doc?

The doc on the wiki:

http://wiki.freeradius.org/Mac%20Auth

...contains several examples. Which are you following?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error: User-Name is not the same as MS-CHAP name

[Alan DeKok]

Johan Meiring wrote:
> As long as you dont get a key, it is legal.

  No.

  This list is not the place to discuss non-FreeRADIUS software.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error: User-Name is not the same as MS-CHAP name

[Johan Meiring]

On 2011/06/03 02:15 PM, Phil Mayers wrote:


I'm not downloading a torrent of copyrighted software to fix someone else's
problem.


As long as you dont get a key, it is legal.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Before acting on this email or opening any attachments
you should read Cape PC Service's email disclaimer at:

http://www.pcservices.co.za/disclaimer.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Can't get checkrad to be called

[Dan Brisson]

On 6/3/2011 9:21 AM, George Chelidze wrote:

On 06/03/2011 02:35 PM, Dan Brisson wrote:


It really seems like this line in the radutmp "modules" file is not
being executed:

check_with_nas = yes

But from radiusd -X, it does seem to be:


It's a configuration option not a command to be executed

Sorry, poorly worded on my part.



check_with_nas = yes


So, it's there

Can you post authorize/accounting sections from your configuration?

authorize {

preprocess
auth_log
chap
mschap
suffix
eap {
ok = return
}
unix
files
sql
checkval
nascheck
expiration
logintime
pap
}

accounting {

detail
unix
radutmp
sql
attr_filter.accounting_response
}




Best Regards,

George Chelidze
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Can't get checkrad to be called

[George Chelidze]

On 06/03/2011 02:35 PM, Dan Brisson wrote:


It really seems like this line in the radutmp "modules" file is not
being executed:

check_with_nas = yes

But from radiusd -X, it does seem to be:


It's a configuration option not a command to be executed


check_with_nas = yes


So, it's there

Can you post authorize/accounting sections from your configuration?

Best Regards,

George Chelidze
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error: User-Name is not the same as MS-CHAP name

[Phil Mayers]

On 03/06/11 13:10, Paul Harris wrote:

On 02/06/11 14:47, Francois Gaudreault wrote:




Did you have a chance to look at it?



Ironically I'm having trouble finding a windows XP install CD...



I have a link to a torrent, just send me a email at pau...@mail.com


Or not.

I'm not downloading a torrent of copyrighted software to fix someone 
else's problem.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Error: User-Name is not the same as MS-CHAP name

[Paul Harris]

On 02/06/11 14:47, Francois Gaudreault wrote:

>>>
>> Did you have a chance to look at it?

>Ironically I'm having trouble finding a windows XP install CD...


I have a link to a torrent, just send me a email at pau...@mail.com


 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Mac authenticaion failure

[Stanisław Kamiński]

What hardware are you using?

On 2011-05-26 16:48, pcunha wrote:

Hi Everyone,

I tried to set up Mac Authentication per the the doc at freeradius.org.
The client connects but the users don't. The folowing is the output from the
debug mode in freeradius. Thanks for your help.

eady to process requests.
rad_recv: Access-Request packet from host 10.41.0.254 port 32768, id=107,
length=135
 User-Name = "d8-a2-5e-c4-a4-58"
 Called-Station-Id = "00-3a-98-8e-ad-d0:USDOD"
 Calling-Station-Id = "d8-a2-5e-c4-a4-58"
 NAS-Port = 1
 NAS-IP-Address = 10.41.0.254
 NAS-Identifier = "NCPSWIFI"
 Airespace-Wlan-Id = 1
 Service-Type = Call-Check
 Framed-MTU = 1300
 NAS-Port-Type = Wireless-802.11
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "d8-a2-5e-c4-a4-58", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry d8-a2-5e-c4-a4-58 at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->  d8-a2-5e-c4-a4-58
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 107 to 10.41.0.254 port 32768
Waking up in 4.9 seconds.


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Mac-authenticaion-failure-tp4428847p4428847.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Can't get checkrad to be called

[Dan Brisson]

No different with only using sql in session { }.

It really seems like this line in the radutmp "modules" file is not 
being executed:


check_with_nas = yes

But from radiusd -X, it does seem to be:

 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes

Stumped still

-dan

On 6/3/11 5:49 AM, Dan Brisson wrote:

George,

Sorry, I had commented out the simul_verify_query as a troubleshooting 
step but actually do have it uncommented at this point, but it still 
won't work.


I checked radiusd.conf and found this:

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

Re: radutmp vs. sql, good question.  I will try with only sql active.

Thanks,
-dan

On 6/3/11 3:58 AM, George Chelidze wrote:

On 06/03/2011 03:59 AM, Dan Brisson wrote:


# simul_verify_query = "SELECT radacctid, acctsessionid, username, \
# nasipaddress, nasportid, framedipaddress, \
# callingstationid, framedprotocol \
# FROM ${acct_table1} \
# WHERE username = '%{SQL-User-Name}' \
# AND acctstoptime IS NULL"


as your verify_query is commented out, it will never check it with 
nas, just compare result of count_query with configured max value (1 
in your case), so uncomment it.



sites-enabled/default:
# Session database, used for checking Simultaneous-Use. Either the 
radutmp

# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp

#
# See "Simultaneous Use Checking Queries" in sql.conf
sql
}


Do you really need both?


modules/perl:
func_checksimul = checksimul


I would enable checkrad statement in radiusd.conf as it seems to be 
used with radutmp/sql modules for sumult checks.


Best Regards,

George Chelidze
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Can't get checkrad to be called

[Dan Brisson]

George,

Sorry, I had commented out the simul_verify_query as a troubleshooting 
step but actually do have it uncommented at this point, but it still 
won't work.


I checked radiusd.conf and found this:

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

Re: radutmp vs. sql, good question.  I will try with only sql active.

Thanks,
-dan

On 6/3/11 3:58 AM, George Chelidze wrote:

On 06/03/2011 03:59 AM, Dan Brisson wrote:


# simul_verify_query = "SELECT radacctid, acctsessionid, username, \
# nasipaddress, nasportid, framedipaddress, \
# callingstationid, framedprotocol \
# FROM ${acct_table1} \
# WHERE username = '%{SQL-User-Name}' \
# AND acctstoptime IS NULL"


as your verify_query is commented out, it will never check it with 
nas, just compare result of count_query with configured max value (1 
in your case), so uncomment it.



sites-enabled/default:
# Session database, used for checking Simultaneous-Use. Either the 
radutmp

# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp

#
# See "Simultaneous Use Checking Queries" in sql.conf
sql
}


Do you really need both?


modules/perl:
func_checksimul = checksimul


I would enable checkrad statement in radiusd.conf as it seems to be 
used with radutmp/sql modules for sumult checks.


Best Regards,

George Chelidze
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius not releasing IPs from pool

[George Chelidze]

On 06/01/2011 04:02 PM, Angel L. Mateo wrote:

Hello,

I have a problem with my pools in freeradius. The problems is that it is
not releasing IPs from the pools. At least, not all of them, so after a
while my users can't connect because the pool is full.


Several quick questions:

1. Are you sure your pool is large enough? Average duration of a 
session/Number of new sessions per second should be taken in account.

2. Are you sure you don't miss any accounting messages?
3. Which attributes do you use to construct a pool key? Make sure all 
attributes exist in Accounting messages.


Best Regards,

George Chelidze
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius Support for WiMAX Sub-TLVs of Sub-TLVs

[Johan Meiring]

On 2011/06/03 10:07 AM, Alan DeKok wrote:

Martin wrote:

Did this and it is 3.0.0, but on on the official site there is nothing
mention regarding 3.0 version. When is going to be official released
3.0?


   Perhaps this summer.



What hemisphere are you in?  :-)


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Before acting on this email or opening any attachments
you should read Cape PC Service's email disclaimer at:

http://www.pcservices.co.za/disclaimer.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius Support for WiMAX Sub-TLVs of Sub-TLVs

[Alan DeKok]

Martin wrote:
> Did this and it is 3.0.0, but on on the official site there is nothing
> mention regarding 3.0 version. When is going to be official released
> 3.0?

  Perhaps this summer.

> Some people are reticent to install it in production if it is not
> official released.

  The 3.0 pre-release is more stable than many production commercial
servers.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Can't get checkrad to be called

[George Chelidze]

On 06/03/2011 03:59 AM, Dan Brisson wrote:


# simul_verify_query = "SELECT radacctid, acctsessionid, username, \
# nasipaddress, nasportid, framedipaddress, \
# callingstationid, framedprotocol \
# FROM ${acct_table1} \
# WHERE username = '%{SQL-User-Name}' \
# AND acctstoptime IS NULL"


as your verify_query is commented out, it will never check it with nas, 
just compare result of count_query with configured max value (1 in your 
case), so uncomment it.



sites-enabled/default:
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp

#
# See "Simultaneous Use Checking Queries" in sql.conf
sql
}


Do you really need both?


modules/perl:
func_checksimul = checksimul


I would enable checkrad statement in radiusd.conf as it seems to be used 
with radutmp/sql modules for sumult checks.


Best Regards,

George Chelidze
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error: User-Name is not the same as MS-CHAP name

[Phil Mayers]

On 06/02/2011 10:39 PM, Fajar A. Nugraha wrote:

On Thu, Jun 2, 2011 at 9:01 PM, Phil Mayers  wrote:

On 02/06/11 14:47, Francois Gaudreault wrote:




Did you have a chance to look at it?


Ironically I'm having trouble finding a windows XP install CD...


This might help:


Not really.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html