Re: Problem with max-all-session check

2011-07-26 Thread ShR3K
Sorry for the log. I forgot to post it:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.182.1 port 34135, id=0,
length=218
User-Name = "bcmybc"
CHAP-Challenge = 0x882ad5b896682e7ed4239986eeb84ddd
CHAP-Password = 0x00e246d4ee106a0cc62dbc36f76c8c373a
NAS-IP-Address = 192.168.182.1
Service-Type = Login-User
Framed-IP-Address = 192.168.182.4
Calling-Station-Id = "00-D0-C9-B4-C5-F4"
Called-Station-Id = "00-90-05-02-FA-46"
NAS-Identifier = "hotspot"
Acct-Session-Id = "4e2e656a"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0x0c9d727f78723a21ae18be33d2937769
WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff";
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
[suffix] No '@' in User-Name = "bcmybc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[sql]   expand: %{User-Name} -> bcmybc
[sql] sql_set_user escaped user --> 'bcmybc'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM radcheck  
WHERE username = 'bcmybc'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op  
FROM radcheck   WHERE username = 'bcmybc'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM radreply  
WHERE username = 'bcmybc'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op  
FROM radreply   WHERE username = 'bcmybc'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
groupname   FROM radusergroup   WHERE username = 'bcmybc'   ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup  
WHERE username = 'bcmybc'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct
WHERE UserName='%{User-Name}''
[noresetcounter]expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct
WHERE UserName='%{User-Name}' -> SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='bcmybc'
sqlcounter_expand:  '%{sql:SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='bcmybc'}'
[noresetcounter] sql_xlat
[noresetcounter]expand: %{User-Name} -> bcmybc
[noresetcounter] sql_set_user escaped user --> 'bcmybc'
[noresetcounter]expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct
WHERE UserName='bcmybc' -> SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='bcmybc'
[noresetcounter]expand: /var/log/freeradius/sqltrace.sql ->
/var/log/freeradius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query:  SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct
WHERE UserName='bcmybc'
[noresetcounter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 2
[noresetcounter]expand: %{sql:SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='bcmybc'} -> 220
*rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user bcmybc, check_item=0, counter=220*
++[noresetcounter] returns reject
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> bcmybc
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 192.168.182.1 port 34135
Reply-Message = "Your maximum never usage time has been reached"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +28
Ready to process requests.


As you can see, check_item is zero and it never takes the Max-All-Session
attribute.
This is my counter:

sqlcounter noresetcounter {
counter-name = Max-All-Session-Time 
check-name = Max-All-Session
sqlmod-inst = sql 
key = User-Name 
reset = neve

Re: Problem with max-all-session check

2011-07-26 Thread ShR3K
Ok!
My problem came from dictionary.freeradius.internal: I had a Max-All-Session
attribute but with a String type instead of an Integer type.
Maybe one day someone will have the same problem.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Problem-with-max-all-session-check-tp4630670p4633901.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius Ldap mosule is authenticating with wrong password also

2011-07-26 Thread vijaysingh
Thanks, Issue has been resolved.



Re: When I am using FreeRadius as Proxy and when a timeout happens this is not been reported back to the application.

2011-07-26 Thread Alan DeKok
Raja_Kiran wrote:
> Issue: when ever the time out happens I am getting the below error. 
> /*Info: WARNING: Internal sanity check failed in event handler for request
> 0: Discarding the request!*/
> 
> Request: Can some one help me in doing the right configuration/suggestion to
> get the error reported back to the application.

  Upgrade.

  Alan DeKok.


Duplicate Response

2011-07-26 Thread schnoocats
Hello everybody,
as part of my studies I try to set up a radius server with a mysql database.

Everything works but I can see with wireshark that my freeradius server always
sends a Duplicate Response for Access-Accept or Accounting-Response.
Yet there is only one Access-Request or Accounting-Request message arriving
at the radius server...

So is it necessary or better to have a duplicate response?
Where can I configure it?

Greetings



proxing (auth and accounting request) based on a username (not realm)

2011-07-26 Thread Samantha
Guys

Looking for some help in the following scenario


Fred tries to authenticate a 3g mobile broadband device and I don't have
their id on my radius database so I need to send to another provider who has
the account on their radius database.  The other provider terminates "fred
3g mobile device" on their lns and issues the framed ip and route requests -
I also send the accounting data to them as well


Secondly
Looking for script to count both in and out data traffic.


Kind Regards



Samantha Scafe
System Administrator

The Smelly Black Dog Company Pty Ltd t/as  IP NETWORKS


Re: proxing (auth and accounting request) based on a username (not realm)

2011-07-26 Thread Phil Mayers

On 26/07/11 12:00, Samantha wrote:

> Guys
>
> Looking for some help in the following scenario
>
> Fred tries to authenticate a 3g mobile broadband device and I don't have
> their id on my radius database so I need to send to another provider who has
> the account on their radius database.  The other provider terminates "fred
> 3g mobile device" on their lns and issues the framed ip and route requests -
> I also send the accounting data to them as well


Easy:

authorize {
  if (User-Name == "Fred") {
    update control {
      Proxy-To-Realm := OTHER_PROVIDER
    }
  }
}

...then define the realm & home servers for "OTHER_PROVIDER" in proxy.conf.

Obviously you can use SQL, rlm_passwd, "files" modules to do the lookup.




> Secondly
> Looking for script to count both in and out data traffic.


Your question is unclear. Be more specific.


Re: Duplicate Response

2011-07-26 Thread Alan DeKok
schnoocats wrote:
> Hello everybody,
> as part of my studies I try to set up a radius server with a mysql database.
> 
> Everything works but i can see with wireshark that my freeradius server send
> always a Duplicate Response for Access-Accept or Accounting-Response.
> Yet there is only one message Access-Request or Accounting-Request arriving
> in radius server...

  Run the server in debugging mode to see what it's doing.

> So is it necessary or better to have a duplicate response ?
> Where can i configure it ?

  You can't.  Either wireshark is wrong, or the server really is sending
a duplicate response.

  Alan DeKok.


confused with "Failed to find IP address"

2011-07-26 Thread Mehdi

Hi,
I am running a Debian server on the domain "haskell-solutions.com". I
installed freeradius 2.1.11 on that. As the tutorial suggested I added a
user account to the top of the users file ("bob Cleartext-Password :=
"hello"") and in a separate terminal (connected through SSH to the
haskel server) executed radiusd -X; the outcome is below. But I get an error
message and nothing appears on the other terminal ("radiusd -X") ...
any idea?


"hasksol:/etc# radtest bob hello *localhost* 0 testing123
radclient:: Failed to find IP address for hasksol
radclient: Nothing to send."

AND for

"hasksol:/etc# radtest bob hello *haskell-solutions.com* 0 testing123
radclient:: Failed to find IP address for hasksol
radclient: Nothing to send."


*my /etc/hosts*

hasksol:/etc# cat hosts
127.0.0.1 localhost haskell-solutions.com www.haskell-solutions.com 
vpn.haskell-solutions.com


radiusd -X:

hasksol:~# radiusd -X
FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jul 25 
2011 at 18:49:35

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/dolaradius_sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration fil

Re: confused with "Failed to find IP address"

2011-07-26 Thread Alan DeKok
Mehdi wrote:
> "hasksol:/etc# radtest bob hello *localhost* 0 testing123
> radclient:: Failed to find IP address for hasksol
> radclient: Nothing to send." *

  Your system doesn't have working DNS.

  Have you tried using an IP address instead of a hostname?

  Alan DeKok.


Re: confused with "Failed to find IP address"

2011-07-26 Thread Phil Mayers

On 26/07/11 13:21, Mehdi wrote:

> Hi,
> I am running a Debian server on the domain "haskell-solutions.com". I
> installed freeradius 2.1.11 on that. As the tutorial suggested I added a
> user account to the top of the users file ("bob Cleartext-Password :=
> "hello"") and in a separate terminal (connected through SSH to the
> haskel server) executed radiusd -X; the outcome is below. But I get an error
> message and nothing appears on the other terminal ("radiusd -X") ...
> any idea?


You appear to have a basic networking problem. This is not a FreeRADIUS 
problem.


Can you "ping localhost"?

Or "ping haskell-solutions.com"?



RADIUS Questions

2011-07-26 Thread Dan
I've been running FreeRadius 2 on Centos 5.5 for a while now. So far so 
good. I'm now looking to make connecting to our WPA secured wireless easier.


The RADIUS server is running in a VM and since the system is in use I 
have copied the original and used that copy to create a test 
environment. I have run through all system updates and have upgraded all 
relevant packages. The test system is at 5.6 now.


Currently with Windows machines I can't just connect to the SSID and 
enter in a username and password. I have to go and manually add the 
SSID, modify some settings; specifically turning off validating server 
certificate, turning off automatically use my Windows login, and turning 
on User or computer authentication mode.


We also have some OS X clients. Fortunately connecting via OS X is 
easier. The catch is that I have to join the machine to our domain. 
After that it's pretty much username and password, and they are on.


Ideally I would like to have a simple "connect to this SSID, enter your 
username and password and that's it" solution and still have all 
requests checked against our Active Directory server.


On a side note. I'm going through my settings trying to get this working 
more smoothly and I ran across:


wbinfo --a user%password (yes I'm adding in my username and pass)

plaintext password authentication succeeded
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
error messsage was: winbind client not authorized to use 
winbindd_pam_auth_crap. Ensure permissions on 
/var/cache/samba/winbindd_privileged are set correctly.

Could not authenticate user MYUSERNAME with challenge/response

I know the 2 error lines are permissions related. I'm not sure what the 
permissions should be on this file/folder. Can someone let me know this?


The tutorial from FreeRadius says that I should get output similar to:

plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error message was: No such user
Could not authenticate user CHSchwartz%mypassword with plaintext password

Yet

ntlm_auth --request-nt-key --domain=MYDOMAIN --username=MYUSERNAME
NT_STATUS_OK: Success (0x0)

So the Auth is working. I don't understand though why my AD server is 
letting cleartext passwords through. It shouldn't right?


Any help would be greatly appreciated.

Dan




LDAP SHA1 Password, EAP-PAP and Dynamic VLAN

2011-07-26 Thread stich86
Hello,

I'm trying to figure out how to configure FreeRadius with SHA1 hashed
passwords on an openldap backend.

Actually I already have a configuration to dynamically assign a VLAN ID with
MS-CHAPv2 (that works on OSX, Linux and Windows XP/Vista/7). I want to
switch to SHA1 because we already have an LDAP DB populated with all SHA1
passwords. I've read that it's possible with the use of PAP (OSX and Linux
have no problem supporting it; for Windows another supplicant is
necessary.. no problem).

I've done some tests.. I can actually authenticate, based on the logs and the
switch info, but the Dynamic VLAN isn't configured on the switch ports. So..
before I waste my time.. Is it REALLY possible to use SHA1 with PAP to do
Dynamic VLAN association?

Thanks to anyone :)





Re: LDAP SHA1 Password, EAP-PAP and Dynamic VLAN

2011-07-26 Thread Gary Gatten
The DVLAN is after a successful authentication, so I don't *think* it matters 
how the password is stored and such.  If you can authenticate ok, then you move 
to the authorize section and do DVLAN through whatever means.

Note: I am a FR beginner myself, don't take my word for anything!



Re: LDAP SHA1 Password, EAP-PAP and Dynamic VLAN

2011-07-26 Thread stich86
I've got a similar problem in the first attempt to create this scenario. The
problem was related to a field in the LDAP ldif that the switch doesn't
accept (radiusenterprise policy). Now all the sequence seems ok, but Radius
seems to send the authentication to the switch (which reports the port is
authenticated) but not the VLAN ID :(

Do you (or anyone) have an example of PAP authentication that works? I
think the problem is related to a misconfigured freeradius.. (I hope!)

thanks :)

P.s.: until tomorrow i cannot post logs because i'm not in office



Trying multiple realms

2011-07-26 Thread Charles Plater
Is there any way to try multiple realms inside an update control statement?
What I want to do is try proxying to one realm, and if that fails, try the
credentials via the local realm. Thanks in advance.

-- 
Charles Plater
Lead Application Technical Analyst
Internet Services
+1-313-577-4620
ab3...@wayne.edu


RE: RADIUS Questions

2011-07-26 Thread Garber, Neal
You didn't give much information regarding your
environment, so some of the responses below are
based upon assumptions: that you manage all devices
that are connecting, that they are joined to your
A/D domain and that you are using the Windows
supplicant.  

You haven't said what version of Windows you
are running and what version of FreeRADIUS
you are running!

> Currently with Windows machines I can't just connect to
> the SSID and enter in a username and password. I have 
> to go and manually add the SSID, modify some settings; 

If you are referring to PEAP vs. TLS, that's a Windows XP
issue. XP defaults to TLS and won't connect automatically
if you are using PEAP.  However, you can push wireless
policy to your Windows devices using A/D group policy
and set this up automatically.

> specifically turning off validating server certificate

This is a bad idea as you could be passing your credentials
to someone else's RADIUS server.  It's best to generate a
certificate signed by an internal Certificate Authority
and require a cert signed by that CA in your 802.1x config.
This too can be pushed to Windows devices as part of your
A/D policy assuming they are joined to your domain and
run Windows.

> turning off automatically use my Windows login, and 
> turning on User or computer authentication mode.

Why do you want to use manual authentication as opposed to
automatic?  If the machines that are connecting are joined
to your A/D domain, you may want to consider using machine
authentication. User authentication, in the current release,
doesn't support MS-CHAP password change. Also, user
authentication with the Windows supplicant requires the
presence of cached credentials (because you logon locally
first and then connect to the wireless network) which may
not match current A/D credentials.

> error messsage was: winbind client not authorized to
> use winbindd_pam_auth_crap. Ensure permissions on 
> /var/cache/samba/winbindd_privileged are set correctly.

Use "sudo wbinfo" or run it as root if you don't use sudo.
That said, wbinfo isn't used by FreeRADIUS to authenticate
to A/D (ntlm_auth is used for PEAP/MS-CHAPv2).




RE: LDAP SHA1 Password, EAP-PAP and Dynamic VLAN

2011-07-26 Thread Garber, Neal
> Actually i've already a configuration to 
> dynamic assing VLAN ID with MS-CHAPv2 

What reply attribute(s) are you passing
to the switch in this case?

> I've done some tests.. can actually authenticated 
> based on the logs and the switch info, but Dynamic 
> VLAN isn't configured on the switch ports. 

If you are authenticating successfully, then check
what attributes are being returned to the switch and
compare to the scenario above when you said it worked!
Then, fix your config to return the proper attribute
with the proper value.



Re: RADIUS Questions

2011-07-26 Thread Dan

Garber,

Thanks for your reply.

We do not manage every machine in the building. We allow users to
bring in their personal laptops to work and they vary in manufacturer and
OS. We have machines with Windows versions ranging from XP to 7. Same is
true with Mac OS X; the oldest version we run is 10.4.11 and the newest
is 10.6.8. We have some Linux clients but these are all hardwired so they
aren't a concern.


All of the Macs in our building, that is the ones that aren't personal
machines, are joined to our domain. The few PC machines that we do
manage are joined to our AD server but I would say that the vast
majority of the PCs are not managed and not joined to our AD server. All
Windows systems--XP through 7--have to be set up the way I described
earlier in order for this to work.


I don't think that I'm using the supplicant but I could be wrong. I'm 
running FreeRadius 2.1.7-7.e15 ( I believe this is the latest) with 
freeradius2-krb5-2.1.7-7.e15 and freeradius2-utils-2.1.7-7.e15.


I'm pretty sure I'm using PEAP.

I realize that and I'm going to work on using our wild card cert to 
better secure this. However the question still arises on will our SSL 
cert validate properly on a Windows system. When I initially set this up 
I never saw anything regarding and 802.11x config. After updating I seem 
to remember seeing this config file mentioned.


"Why do you want to use manual authentication as opposed to
automatic?  If the machines that are connecting are joined
to your A/D domain, you may want to consider using machine
authentication. User authentication, in the current release, doesn't support 
MS-CHAP password change. Also, user authentication with the Windows supplicant 
requires the
presence of cached credentials (because you logon locally
first and then connect to the wireless network) which may
not match current A/D credentials."

Like I mentioned above not all, actually few machines, are managed via 
our AD server. I would love to change this but it would require far more 
administrative changes that I'm unable to make.


Dan


Like I mentioned our Windows versions vary from XP to 7.

FreeRadius and MacOsx (LDAP vs Kerberos)

2011-07-26 Thread Massimiliano Tommasi
Hello guys,
I spent many days testing and working with free-radius and LDAP.
I got my app working, authenticating on my LDAP thru FreeRadius; it
seemed to be what I was looking for...
BUT
I tested everything with OpenLDAP on Linux but my "real world", in this
case, is OpenLDAP on MAC OSX Server (open-directory) and it seems to be
pretty different.
I was getting the password from LDAP (on linux) with the field
"userPassword" but on the Mac OSX Server implementation the
"userPassword" is not used..., all the users have the same base64
encoded fake password, which is (decoded) "***".
I need to authenticate all my users thru freeradius using the MACosX
Server as backend...
I suppose that Kerberos is the only way which remains, but I have no
experience with Kerberos and Freeradius...
I read there was something to achieve this aim but right now.., I'm not
able to find anything useful on google...
Do you have some idea? Some suggestion?
I'm freaking out :(

Cheers,
Max


Re: Trying multiple realms

2011-07-26 Thread Alan DeKok
Charles Plater wrote:
> Is there any way to try multiple realms inside an update control
> statement? What I want to do is try proxying to one realm, and if that
> fails trying the credentials via the local realm. Thanks in advance.

  Read raddb/proxy.conf.  Look for the home server pool section.

  This works, and is documented.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius and MacOsx (LDAP vs Kerberos)

2011-07-26 Thread Alan DeKok
Massimiliano Tommasi wrote:
> I tested everything with OpenLDAP on Linux but my "real world", in this
> case, is OpenLDAP on MAC OSX Server (open-directory) and it seems to be
> pretty different.

  See rlm_opendirectory.  It's written by Apple, so I suspect it should
work. :)

  Just list "opendirectory" in the "authorize" and "authenticate" sections.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RADIUS Questions

2011-07-26 Thread John Dennis

On 07/26/2011 04:10 PM, Dan wrote:

I'm running FreeRadius 2.1.7-7.e15 ( I believe this is the latest)
with freeradius2-krb5-2.1.7-7.e15 and freeradius2-utils-2.1.7-7.e15.


2.1.7 is the latest in RHEL5. 2.1.11 is the latest from the FreeRADIUS 
project (just released a few weeks ago). Fedora has the latest upstream 
2.1.11, but RHEL does not, why? See:


http://wiki.freeradius.org/Red_Hat_FAQ

We've been rebasing FreeRADIUS in the RHEL versions on average every 
other update cycle, no guarantee though. RHEL is generally not amenable 
to software rebases (i.e. changing to a new upstream version) because 
it's in conflict with RHEL's goal of long term stability. But we've got 
special dispensation for FreeRADIUS because of its high churn rate.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: RADIUS Questions

2011-07-26 Thread Garber, Neal
> I don't think that I'm using the supplicant but I could 
> be wrong. 

The supplicant is the software on the client device that
manages wireless profiles/connections.  If Windows 
controls the wireless connections (Wireless Zero Config service) then you are 
using the Windows supplicant.

> I'm running FreeRadius 2.1.7-7.e15 ( I believe this is the 
> latest) with freeradius2-krb5-2.1.7-7.e15 and freeradius2-
> utils-2.1.7-7.e15.

2.1.7 is old!  2.1.11 is the latest version of FreeRADIUS..

> I'm pretty sure I'm using PEAP.

This would be obvious in the wireless settings on the
device.  

> I realize that and I'm going to work on using our wild 
> card cert to better secure this. However the question 
> still arises on will our SSL cert validate properly on a 
> Windows system. When I initially set this up I never saw 
> anything regarding and 802.11x config. After updating I seem 
> to remember seeing this config file mentioned.

Windows clients require that certain extensions be present
in the certificate (you can thank Microsoft for that - it's
not a FreeRADIUS issue).  If most of the machines are not joined to your domain 
and are personal devices and you want easy access, you'll want to use a 
certificate signed by a CA
that's in the Windows root CA list.  Just be aware that 
this is not as secure as an internal or self-signed cert. because any 
certificate from the CA you choose would be
accepted (even if it's from someone else's RADIUS server);
but, the alternative is that you would need to distribute 
the CA's cert to each user that wants to connect.  

I can't answer your question regarding whether 
your SSL cert will validate properly on Windows because
you haven't said how it was generated. Is it self-signed?
Is it signed by a CA that's in the root CA list of a
device you were using to test?  Does it include the 
required Windows extensions?  There has been considerable
discussion on the mailing list regarding the creation 
of certs that will work with Windows clients.  Google is
your friend (along with the doc inside the FR files).

> Like I mentioned above not all, actually few machines, are 
> managed via our AD server. I would love to change this but it 
> would require far more administrative changes that I'm unable 
> to make.

Makes sense..

> Like I mentioned our Windows versions vary from XP to 7. 

I thought, but can't verify right now, that starting with
Vista, Windows will connect using PEAP without manual 
wireless configuration (i.e., it doesn't assume TLS 
as a default the way XP does). Perhaps your only issue 
with Vista/7 is that the cert doesn't have the required extensions or isn't 
signed by a CA that's in the root CA 
list of the device?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
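The "certain extensions" Windows insists on are, concretely, an extendedKeyUsage that lists id-kp-serverAuth (OID 1.3.6.1.5.5.7.3.1); that is the setting FreeRADIUS ships in raddb/certs/xpextensions. The script below is an added example (not FreeRADIUS code, not from anyone on the list) that DER-encodes and decodes an EKU value and checks it for serverAuth, so you can see exactly which bytes the supplicant is looking for. The sample EKU values it builds are constructed for the demonstration; only short-form DER lengths are handled, which is all an EKU value ever needs.

```python
"""Check whether an X.509 extendedKeyUsage (EKU) value allows use as a
PEAP server certificate for Windows clients.

Added example, not FreeRADIUS code.  Windows supplicants require the RADIUS
server certificate to carry extendedKeyUsage = id-kp-serverAuth
(OID 1.3.6.1.5.5.7.3.1); FreeRADIUS sets exactly that in
raddb/certs/xpextensions.  The DER handling below covers only what an EKU
value contains (SEQUENCE OF OBJECT IDENTIFIER, short-form lengths).
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth: what Windows requires
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth: not sufficient on its own


def encode_oid(dotted):
    """DER-encode a dotted OID string, tag and length included."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])       # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                          # base-128, high bit = "more"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                              # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_eku(oids):
    """Build the DER value of an extendedKeyUsage extension (constructed input)."""
    inner = b"".join(encode_oid(o) for o in oids)
    if len(inner) > 127:
        raise ValueError("short-form length only in this example")
    return bytes([0x30, len(inner)]) + inner


def parse_eku(der):
    """Return the list of OIDs inside an EKU value; reject anything malformed."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("expected SEQUENCE with short-form length")
    end = 2 + der[1]
    if end != len(der):
        raise ValueError("length does not match data")
    oids, i = [], 2
    while i < end:
        if i + 1 >= end or der[i] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        length = der[i + 1]
        if length == 0 or i + 2 + length > end:
            raise ValueError("bad OBJECT IDENTIFIER length")
        oids.append(decode_oid(der[i + 2:i + 2 + length]))
        i += 2 + length
    return oids


def usable_for_peap(eku_der):
    """True if the EKU lists serverAuth, which Windows PEAP clients insist on."""
    return SERVER_AUTH in parse_eku(eku_der)


if __name__ == "__main__":
    good = encode_eku([SERVER_AUTH, CLIENT_AUTH])     # constructed sample
    bad = encode_eku([CLIENT_AUTH])                   # constructed sample
    print("server+client EKU usable for PEAP:", usable_for_peap(good))
    print("client-only EKU usable for PEAP:  ", usable_for_peap(bad))
```

For a real certificate the everyday check is `openssl x509 -in server.pem -noout -text` and reading the "X509v3 Extended Key Usage" line; a cert that only shows "TLS Web Client Authentication", or no EKU at all, is the one Windows will reject.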


Re: Freeradius-Users Digest, Vol 75, Issue 87

2011-07-26 Thread Eddie
On 07/26/2011 09:29 PM, freeradius-users-requ...@lists.freeradius.org 
wrote:


Message: 1
Date: Tue, 26 Jul 2011 10:04:14 -0400
From: Alan DeKok
Subject: Re: confused with "Failed to find IP address"
To: FreeRadius users mailing list

Message-ID:<4e2ec95e.20...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Mehdi wrote:

"hasksol:/etc# radtest bob hello *localhost* 0 testing123
radclient:: Failed to find IP address for hasksol
radclient: Nothing to send." *

   Your system doesn't have working DNS.

   Have you tried using an IP address instead of a hostname?

   Alan DeKok.


--

Message: 2
Date: Tue, 26 Jul 2011 15:09:18 +0100
From: Phil Mayers
Subject: Re: confused with "Failed to find IP address"
To: freeradius-users@lists.freeradius.org
Message-ID:<4e2eca8e.9030...@imperial.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 26/07/11 13:21, Mehdi wrote:

Hi,
I am running a Debian server on the domain "haskell-solutions.com". I
installed freeradius 2.1.11 on that. As the tutorial suggested I added a
user account to the top of users file "bob Cleartext-Password :=
"hello"" and on the separate terminal "connecting through SSH to the
haskel server" executed radiusd -X - outcome is below. But I get an error
message and nothing on the other terminal "radiusd -X" appears ...
any idea?

You appear to have a basic networking problem. This is not a FreeRADIUS
problem.

Can you "ping localhost"?

Or "ping haskell-solutions.com"?

Dear Alan, you are right; I am using Google DNS, but is it necessary 
to run DNS? And I have tried the IP address as well. Thanks /mehdi


Dear Phil, it seems that I have a network problem but I have no clue :( 
I can ping both localhost and haskell-solutions.com. thanks /mehdi



hasksol:~# radtest bob hello *hasksol* 0 testing123
radclient: Failed to find IP address for host hasksol: *Success*

hasksol:~# radtest bob *wrongpass* *hasksol* 0 testing123
radclient: Failed to find IP address for host hasksol: *Success

*hasksol:~# radtest bob wrongpass *haskell-solutions.com* 0 testing123
radclient:: Failed to find IP address for hasksol
radclient: Nothing to send.

hasksol:~# radtest bob wrongpass *178.79.150.152* 0 testing123
radclient:: Failed to find IP address for hasksol
radclient: Nothing to send.

hasksol:~# *ping localhost*
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.044 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.056 ms
^C
--- localhost ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.044/0.050/0.056/0.006 ms

hasksol:~# *ping haskell-solutions.com*
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.048 ms
^C
--- localhost ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.048/0.049/0.050/0.001 ms



hasksol:~# *radiusd -X*
FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jul 25 
2011 at 18:49:35

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/sra

Re: FreeRadius and MacOsx (LDAP vs Kerberos)

2011-07-26 Thread Massimiliano Tommasi
You are pretty right ;)
I have just recompiled freeradius with that module, which I need...
It seems to be what I need but ... I notice a lack of documentation for
that module..
I have found nothing at all :(
Could you suggest me some doc or/and example of the conf, please?

Max

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Disconnect Online User

2011-07-26 Thread dulan
hi, 

I need to disconnect an online user automatically when he completes his download
capacity (like prepaid). How can I configure it in freeradius?

please help me.. 
Thank you...

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FR 2.1.10, fail-over not working

2011-07-26 Thread 魏景鹏
Hi Alan & all,

I've configured two home_servers for a pool with type=fail-over; when the
1st one is not started, FR didn't send the request to the 2nd one.

Works fine when configured with type=load-balance.

Following is my proxy.conf section:

home_server svr1st {
type = auth+acct
ipaddr = 192.168.0.2
port = 11812
secret = testing123
response_window = 5
zombie_period = 120
revive_interval = 120
}

home_server svr2nd {
type = auth+acct
ipaddr = 192.168.0.3
port = 11812
secret = testing123
response_window = 5
zombie_period = 120
revive_interval = 120
}

home_server_pool authpool {
type = fail-over
home_server = svr1st
home_server = svr2nd
}



Any Ideas?

B.R.
Wei JingPeng

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 2.1.10, fail-over not working

2011-07-26 Thread 魏景鹏
Hi Alan & all,

I found that when radiusd started with -X, the config-item of type =
fail-over in proxy.conf will not take effect.

Anyone to confirm that?

B.R.

Wei JingPeng


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 2.1.10, fail-over not working

2011-07-26 Thread Alan DeKok
魏景鹏 wrote:
> I've configured two home_server for a pool with type=fail-over, when the
> 1st one is not started, FR didn't send the request to the 2nd one.

  FreeRADIUS doesn't check if a home server "starts".  RADIUS doesn't
work that way.

  The fail-over code works.  Fail-over occurs when a home server is down
for an extended period of time, and when the proxy keeps trying to send
packets to the home server.

  If you're not seeing failover, it's likely because you're only sending
a few testing packets.  Send more packets.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
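A small simulation of what Alan describes, added here as an example and not FreeRADIUS's own code, using the response_window, zombie_period and revive_interval values from Wei's proxy.conf above. The state names (alive, zombie, dead), the rule that a server goes zombie once a request has gone unanswered for response_window, and the rule that a fail-over pool skips zombie servers while an alive one remains are a simplified model of the 2.x behaviour, stated as assumptions in the code. What it shows: a single radtest packet only ever times out against svr1st, a steady stream of packets fails over to svr2nd once svr1st has been silent for response_window, a load-balance pool reaches svr2nd on the very next packet (which is why that pool type "worked"), and svr1st is tried again after the zombie and revive periods have elapsed.

```python
"""Simplified model of FreeRADIUS 2.x home-server fail-over.

Assumptions (this is an illustration, not FreeRADIUS's proxy code):
  * a home server that does not answer a request within response_window is
    marked "zombie";
  * a zombie that stays silent for zombie_period is marked "dead";
  * a dead server is marked "alive" again after revive_interval and tried once more;
  * a fail-over pool sends each request to the first listed server that is
    alive, falling back to zombies only if no server is alive;
  * a load-balance pool round-robins over every server that is not dead.
"""
from dataclasses import dataclass, field


@dataclass
class HomeServer:
    name: str
    up: bool                        # constructed: does this server ever answer?
    response_window: float = 5.0    # values from the poster's proxy.conf
    zombie_period: float = 120.0
    revive_interval: float = 120.0
    state: str = "alive"            # alive -> zombie -> dead -> alive
    state_since: float = 0.0
    pending: list = field(default_factory=list)   # times at which timeouts fire


@dataclass
class Pool:
    servers: list
    pool_type: str = "fail-over"    # or "load-balance"
    rr: int = 0                     # round-robin cursor for load-balance


    def advance(self, now):
        """Apply timeouts and state transitions that fall due at or before now."""
        for s in self.servers:
            due = [t for t in s.pending if t <= now]
            s.pending = [t for t in s.pending if t > now]
            if due and s.state == "alive":
                s.state, s.state_since = "zombie", min(due)
            if s.state == "zombie" and now - s.state_since >= s.zombie_period:
                s.state, s.state_since = "dead", s.state_since + s.zombie_period
            if s.state == "dead" and now - s.state_since >= s.revive_interval:
                s.state, s.state_since = "alive", s.state_since + s.revive_interval

    def choose(self):
        """Pick the server the pool type would use; None if every server is dead."""
        usable = [s for s in self.servers if s.state != "dead"]
        if not usable:
            return None
        if self.pool_type == "fail-over":
            alive = [s for s in usable if s.state == "alive"]
            return (alive or usable)[0]
        s = usable[self.rr % len(usable)]
        self.rr += 1
        return s

    def send(self, now):
        """Proxy one request at time now; returns (time, server name, outcome)."""
        self.advance(now)
        s = self.choose()
        if s is None:
            return (now, None, "no home server available")
        if s.up:
            return (now, s.name, "reply")
        s.pending.append(now + s.response_window)   # nothing will answer this one
        return (now, s.name, "timeout")


def run_scenario(packet_times, pool_type="fail-over"):
    """Proxy requests at the given times with svr1st never answering (constructed)."""
    pool = Pool([HomeServer("svr1st", up=False), HomeServer("svr2nd", up=True)],
                pool_type)
    return [pool.send(t) for t in packet_times]


if __name__ == "__main__":
    print("one radtest packet:", run_scenario([0.0]))
    for t, srv, outcome in run_scenario([float(t) for t in range(10)]):
        print(f"t={t:5.1f}s -> {srv}: {outcome}")
```

Read together with Wei's report: one radtest packet is exactly the first case, where the request dies against svr1st and nothing is ever proxied to svr2nd, so the test never exercises fail-over at all.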

Re: Disconnect Online User

2011-07-26 Thread Alan DeKok
dulan wrote:
> I need to disconnect an online user automatically when he completes his download
> capacity (like prepaid). How can I configure it in freeradius?

  You don't.  RADIUS doesn't really do that.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Disconnect Online User

2011-07-26 Thread Chris L

On Jul 26, 2011, at 11:19 PM, Alan DeKok wrote:

> dulan wrote:
>> I need to disconnect an online user automatically when he completes his download
>> capacity (like prepaid). How can I configure it in freeradius?
> 
>  You don't.  RADIUS doesn't really do that.

Well, if you know in advance, at AA time, how much the session is allocated to 
transfer and *IF* your NAS supports something like Acct-Session-Output-Octets, 
Session-Octets-Limit, etc, you should be able to set that to a specific value 
as a Reply Item and the NAS *SHOULD* disconnect the user when that limit is 
reached.  Good luck.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Disconnect Online User

2011-07-26 Thread Alan DeKok
Chris L wrote:
> Well, if you know in advance, at AA time, how much the session is allocated 
> to transfer and *IF* your NAS supports something like 
> Acct-Session-Output-Octets, Session-Octets-Limit, etc, you should be able to 
> set that to a specific value as a Reply Item and the NAS *SHOULD* disconnect 
> the user when that limit is reached.  Good luck.

  That isn't standard in RADIUS.  One or two pieces of software support
it.  But most NASes (switches, APs, etc.) do not support it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html