smsotp Auth-Type
Hello! I'm having problems configuring freeradius with smsotp. I did every step according to the materials found here: http://wiki.freeradius.org/Rlm_smsotp

The problem is that freeradius doesn't start up successfully. According to the logs, it can't find the smsotp Auth-Type.

My default site configuration:

    authorize {
        smsotp
        ...
    }

    authenticate {
        Auth-Type smsotp {
            pap
            smsotp
        }
        Auth-Type smsotp-reply {
            smsotp
        }
        ...
    }

The part I've added to the users file:

    feri    Cleartext-Password := Abcd1234
    DEFAULT Auth-Type := smsotp

The debug output:

    Starting - reading configuration files ...
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/radiusd.conf
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/proxy.conf
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/clients.conf
    including files in directory /local/freeradius-server-2.1.12/etc/raddb/modules/
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/modules/wimax
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/modules/rediswho
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/modules/sradutmp
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/modules/chap
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/modules/digest
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/modules/perl
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/modules/linelog
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/modules/replicate
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/modules/echo
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/modules/detail.log
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/modules/soh
    including configuration file /local/freeradius-server-2.1.12/etc/raddb/modules/unix
    including configuration file
Re: Configuring rlm_counter for gigaword
I'm not sure what rlm_counter is, but the documentation for regular accounting states:

*snip*

Modify FreeRADIUS Queries

Secondly, modify the accounting queries in sql.conf to make the SQL database perform the computation that is required to merge the two values sent as attributes by the NAS into one single 64-bit integer stored in the database.

All occurrences of '%{Acct-Input-Octets}' need to be replaced with:

    '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}'

The same thing needs to be done for '%{Acct-Output-Octets}':

    '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}'

*snip*

Found at http://wiki.freeradius.org/FAQ#Common-problems-and-their-solutions

Also, the database table must be able to hold the larger values.

On 7/17/2012 10:59 PM, jobhunt...@aol.com wrote:
> I want to use the Acct-Output-Gigawords attribute along with the Acct-Output-Octets to keep track of traffic in an rlm_counter that can exceed the 32-bit integer limitation. It looks like the counter will take only one count-attribute. How can I use both of these attributes in a single counter?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
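A worked illustration of the Gigawords merge the FAQ describes, added here as an example; it is not part of the thread or of the FreeRADIUS FAQ. The accounting attribute sets are constructed, `xlat_default` stands in for the `%{Attr:-0}` default expansion, and the column limits are those of MySQL's INT UNSIGNED and BIGINT UNSIGNED types.

```python
from typing import Dict, Mapping

UINT32_MAX = 2**32 - 1   # largest value a MySQL INT UNSIGNED column holds
UINT64_MAX = 2**64 - 1   # largest value a MySQL BIGINT UNSIGNED column holds

# Constructed accounting attribute sets, shaped like what a NAS sends.
# A NAS that has not yet crossed 4 GiB usually omits the Gigawords attribute.
SMALL_SESSION: Dict[str, int] = {
    "Acct-Input-Octets": 123456,
    "Acct-Output-Octets": 789,
}
BIG_SESSION: Dict[str, int] = {
    "Acct-Input-Gigawords": 2,
    "Acct-Input-Octets": 123,
    "Acct-Output-Gigawords": 1,
    "Acct-Output-Octets": UINT32_MAX,
}


def xlat_default(attrs: Mapping[str, int], name: str, default: int = 0) -> int:
    """Stand-in for the %{Attr:-default} xlat: the attribute value, or the
    default when the NAS did not send it. Without ":-0" a missing Gigawords
    expands to an empty string and the SQL expression breaks."""
    value = attrs.get(name)
    return default if value is None else int(value)


def total_octets(attrs: Mapping[str, int], direction: str) -> int:
    """Merge Acct-<direction>-Gigawords and Acct-<direction>-Octets into the
    single 64-bit count that the rewritten sql.conf expression computes."""
    gigawords = xlat_default(attrs, f"Acct-{direction}-Gigawords")
    octets = xlat_default(attrs, f"Acct-{direction}-Octets")
    if not 0 <= octets <= UINT32_MAX:
        raise ValueError("Acct-*-Octets is a 32-bit RADIUS attribute")
    return (gigawords << 32) | octets


def fits_column(value: int, column_type: str) -> bool:
    """Whether the merged value survives a store into the given MySQL column
    type; this is the 'table must hold the larger values' check."""
    limits = {"INT UNSIGNED": UINT32_MAX, "BIGINT UNSIGNED": UINT64_MAX}
    return 0 <= value <= limits[column_type]


def rewrite_query(query: str) -> str:
    """Apply the FAQ's textual rewrite to one accounting query from sql.conf."""
    for direction in ("Input", "Output"):
        old = f"'%{{Acct-{direction}-Octets}}'"
        new = (f"'%{{Acct-{direction}-Gigawords:-0}}' << 32 | "
               f"'%{{Acct-{direction}-Octets:-0}}'")
        query = query.replace(old, new)
    return query


if __name__ == "__main__":
    for label, session in (("small", SMALL_SESSION), ("big", BIG_SESSION)):
        for direction in ("Input", "Output"):
            total = total_octets(session, direction)
            print(f"{label:5} {direction:6} {total:>11} bytes  "
                  f"INT UNSIGNED ok: {fits_column(total, 'INT UNSIGNED')}")
    print(rewrite_query(
        "UPDATE radacct SET acctinputoctets = '%{Acct-Input-Octets}', "
        "acctoutputoctets = '%{Acct-Output-Octets}'"))
```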
Re: smsotp Auth-Type
On 18 Jul 2012, at 12:07, Ferenc Tóth wrote:
> Hello! I'm having problems configuring freeradius with smsotp. I did every step according to the materials found here: http://wiki.freeradius.org/Rlm_smsotp
> The problem is that freeradius doesn't start up successfully. According to the logs, it can't find the smsotp Auth-Type.

Try with 3.0 - it seems to do some magic that adds the additional values automagically. Or you can add the additional values in the freeradius.internal dictionary.
Re: smsotp Auth-Type
Thank you, Arran! For future readers: appending the following line to /etc/raddb/dictionary solved the problem:

    VALUE Auth-Type smsotp 3034

Regards,
Feri

On Wed, Jul 18, 2012 at 3:35 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> On 18 Jul 2012, at 12:07, Ferenc Tóth wrote:
>> Hello! I'm having problems configuring freeradius with smsotp. I did every step according to the materials found here: http://wiki.freeradius.org/Rlm_smsotp
>> The problem is that freeradius doesn't start up successfully. According to the logs, it can't find the smsotp Auth-Type.
>
> Try with 3.0 - it seems to do some magic that adds the additional values automagically. Or you can add the additional values in the freeradius.internal dictionary.
Win7 Ldap Auth without RootCA
Hello,

I'm trying to run LDAP auth with FreeRADIUS Version 2.1.10 (Debian Squeeze) and FreeRADIUS Version 2.1.12 (FreeBSD 9.0) with a self-signed certificate. It is working for all platforms except the Win7 supplicant. I found a few things talking about this problem, but I want to be sure. Is there any way to get this working without changing security settings on all roaming clients?

Regards,
Matt
Re: Win7 Ldap Auth without RootCA
mpi wrote:
> Is there any way to get this working without changing security settings on all roaming clients?

You need to add the root CA to all Windows clients. This is how PEAP works.

Alan DeKok.
Freeradius 8021x with LDAP
Hi there!

We're trying to set up Freeradius with 8021x. Freeradius should query an OpenLDAP server for authentication, check if the user belongs to certain groups and return different VLAN IDs depending on that.

Unfortunately, we're having issues with the LDAP authentication part. We only managed to get it to work with radtest. Example command:

    $ radtest testuser4 testpass4 localhost 1812 testing123

But to accomplish that we had to uncomment these lines in sites-enabled/default:

    # Uncomment it if you want to use ldap for authentication
    #
    # Note that this means check plain-text password against
    # the ldap database, which means that EAP won't work,
    # as it does not supply a plain-text password.
    #Auth-Type LDAP {
    #       ldap
    #}

As the comment states, this works with radtest but not with EAP. We do our tests with a MacBook Pro running Mac OS X 10.7.4. If I comment the above lines again, freeradius rejects the request. Passwords are stored as cleartext in LDAP. Looking at the LDAP queries performed by freeradius, it is only checking if the user exists. No password check at all.

This is the output of freeradius -X while using our test laptop:

--8<--
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Re: Freeradius 8021x with LDAP
Francesc Zacarias wrote:
> We're trying to set up Freeradius with 8021x. Freeradius should query an OpenLDAP server for authentication and check if the user belongs to certain groups and return different VLAN IDs depending on that.

Those are two completely independent things. Get them working independently, and they should work together.

> Unfortunately, we're having issues with the LDAP authentication part.

So what did you configure? Did you read raddb/sites-available/default, and look for ldap?

> Looking at the LDAP queries performed by freeradius, it is only checking if the user exists. No password check at all.

Read it again. It does this:

    [ldap] looking for check items in directory...
    [ldap] userPassword - Password-With-Header == {SASL}testus...@spotify.net
    [ldap] looking for reply items in directory...

Is that really the cleartext-password of the user? Really?

Did you read raddb/sites-available/inner-tunnel, and follow the instructions at the top (in 2.1.12)?

> This is the output of freeradius -X while using our test laptop:
> FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30

Well, upgrading wouldn't hurt.

Notice the lines:

    [eap] Request found, released from the list
    [eap] EAP/mschapv2
    [eap] processing type mschapv2
    [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
    [mschapv2] +- entering group MS-CHAP {...}
    [mschap] No Cleartext-Password configured. Cannot create LM-Password.
    [mschap] No Cleartext-Password configured. Cannot create NT-Password.

You've said that the LDAP server contains cleartext passwords. Yet the debug log shows it doesn't. And this entry shows the server doesn't have the cleartext passwords. Fix that.

I wonder what this module is doing. MSCHAP?

Alan DeKok.
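As an added example (not part of the thread), the classification below applies the Password-With-Header convention Alan points at to a few constructed userPassword values and reports which of them MS-CHAPv2 could ever be checked against. The header-to-attribute table uses the rlm_pap header names; the handling of an unrecognised header such as {SASL} is this example's own simplification, not a model of what rlm_pap itself logs.

```python
import re
from typing import NamedTuple

# Header -> control attribute that rlm_pap derives from a Password-With-Header
# value (rlm_pap header names; illustrative, not exhaustive).
HEADER_TO_ATTR = {
    "{clear}": "Cleartext-Password",
    "{cleartext}": "Cleartext-Password",
    "{nt}": "NT-Password",
    "{md5}": "MD5-Password",
    "{smd5}": "SMD5-Password",
    "{crypt}": "Crypt-Password",
    "{sha}": "SHA-Password",
    "{ssha}": "SSHA-Password",
}

# MS-CHAPv2 (the inner method of PEAP) can only be verified from the cleartext
# password or the NT hash; a salted SHA or crypt hash can answer PAP, nothing else.
MSCHAP_USABLE = {"Cleartext-Password", "NT-Password"}

_HEADER_RE = re.compile(r"^(\{[A-Za-z0-9-]+\})(.*)$", re.DOTALL)


class PasswordInfo(NamedTuple):
    attribute: str    # attribute the stored form maps to, "" if none applies
    pap_ok: bool      # a PAP request (cleartext over RADIUS) can be checked
    mschap_ok: bool   # an MS-CHAPv2 / PEAP request can be checked
    reason: str


def classify_user_password(value: str) -> PasswordInfo:
    """Say what FreeRADIUS can do with one LDAP userPassword value."""
    m = _HEADER_RE.match(value)
    if not m:
        # No {header}: rlm_pap treats the whole value as the cleartext password.
        return PasswordInfo("Cleartext-Password", True, True,
                            "no header, taken as cleartext")
    header = m.group(1)
    attr = HEADER_TO_ATTR.get(header.lower())
    if attr is None:
        # e.g. {SASL}user@realm: the directory delegates the check elsewhere and
        # FreeRADIUS receives no password material at all. The "No Cleartext-
        # Password configured" lines from mschap follow from exactly this.
        # (Simplification: how rlm_pap itself reacts to unknown headers is
        # version-specific and not modelled here.)
        return PasswordInfo("", False, False,
                            f"unrecognised header {header}: no password material")
    if attr in MSCHAP_USABLE:
        return PasswordInfo(attr, True, True, "cleartext or NT hash: PAP and MS-CHAP")
    return PasswordInfo(attr, True, False, f"{attr} is a one-way hash: PAP only")


# Constructed directory values (the SSHA string is not a real hash); the {SASL}
# entry mirrors the shape seen in the debug output quoted above.
SAMPLE_ENTRIES = {
    "testuser1": "{SASL}testuser1@example.net",
    "testuser2": "{SSHA}2TnHoHLUi6T4uDmnK8bK3ELw1cGRSwsc",
    "testuser3": "{clear}testpass3",
    "testuser4": "testpass4",
}


def users_without_mschap(entries):
    """Accounts whose stored form can never satisfy a PEAP/MS-CHAPv2 inner auth."""
    return sorted(u for u, v in entries.items()
                  if not classify_user_password(v).mschap_ok)


if __name__ == "__main__":
    for user, stored in SAMPLE_ENTRIES.items():
        info = classify_user_password(stored)
        print(f"{user}: {info.attribute or '-':20} PAP={info.pap_ok} "
              f"MSCHAP={info.mschap_ok} ({info.reason})")
    print("cannot do PEAP/MS-CHAPv2:", users_without_mschap(SAMPLE_ENTRIES))
```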
Re: Problem compiling Freeradius 3.0 Master branch after 2012-06-29
YJZ wrote:
> 1) ./configure keeps complaining of:
>
>     configure: WARNING: unrecognized options: --without-rlm_perl, --without-rlm_sql_mysql, --with-rlm_pam, --with-rlm_ldap, --with-openldap-include-dir, --without-rlm_counter, --without-rlm_dbm, --without-rlm_ippool, --without-rlm_krb5, --without-rlm_otp, --without-rlm_python, --without-rlm_sql, --without-rlm_unixodbc, --without-rlm_sql_iodbc, --without-rlm_sql_postgresql, --without-rlm_sql_oracle, --without-rlm_sqlcounter, --without-rlm_sqlippool, --without-rlm_eap_tnc, --without-rlm_eap_ikev2, --enable-shared, --disable-static, --enable-ltdl-install
>
> I have no idea what causes that.

It can be ignored, though.

> 2) make eventually errors out:
>
>     ...
>     Making all in src/modules/rlm_sometimes...
>     Making all in src/main...
>     /Users/raymont/freeradius-server/libtool --quiet --mode=link gcc -export-dynamic -dlopen self \
>       -o radiusd acct.lo auth.lo client.lo conffile.lo crypt.lo exec.lo files.lo listen.lo log.lo mainconfig.lo modules.lo modcall.lo radiusd.lo stats.lo soh.lo connection.lo session.lo threads.lo util.lo valuepair.lo version.lo xlat.lo process.lo realms.lo evaluate.lo vmps.lo detail.lo cb.lo tls.lo tls_listen.lo \
>       /Users/raymont/freeradius-server/src/lib/libfreeradius-radius.la -framework DirectoryService -lresolv -lpthread \
>       /Users/raymont/freeradius-server/libltdl/libltdl.la -lcrypto -lssl -lcrypto
>     Undefined symbols for architecture x86_64:
>       _SSL_CTX_set_psk_client_callback, referenced from:
>           _init_tls_ctx in tls.o
>       _SSL_CTX_set_psk_server_callback, referenced from:
>           _init_tls_ctx in tls.o

You have two versions of OpenSSL installed. Fix that.

Edit Make.inc. Look for lines referencing OPENSSL, and fix them to have the correct C compiler / linker flags.

Alan DeKok.
RE: Load-Balance VLAN assignment via unlang
Thanks for the reply Scott. Not something I had considered; however, in our case it's not an issue since we aren't requiring clients to reauth. We are implementing this for our wired network. Our equipment, primarily Cisco 2960s, does support a group VLAN for load-balancing client distribution; however, it's not as easy to manage as a few lines within the radius config.

-----Original Message-----
From: freeradius-users-bounces+jesse.cotton=stockton@lists.freeradius.org [mailto:freeradius-users-bounces+jesse.cotton=stockton@lists.freeradius.org] On Behalf Of Scott Armitage
Sent: Tuesday, July 17, 2012 8:29 AM
To: FreeRadius users mailing list
Subject: Re: Load-Balance VLAN assignment via unlang

On 17 Jul 2012, at 12:57, Cotton, Jesse wrote:
> Using FR as a central RADIUS server. One task it performs is dot1x auth. It forwards EAP requests to one of several home servers which perform the auth and return several attributes including Tunnel-Private-Group-Id. This attribute contains multiple values indicating one of several potential VLANs a client can be put on. I would like to perform simple load balancing by selecting one of the VLANs randomly. I have the following within the post-auth section. What am I doing wrong? I have tried several variations. I know the syntax is incorrect but Google has not been helpful. Thanks in advance.
>
>     if ("%{reply:Tunnel-Private-Group-Id[#]}" > 1) {
>         update reply {
>             Tunnel-Private-Group-Id := "%{reply:Tunnel-Private-Group-Id[%{rand:%{reply:Tunnel-Private-Group-Id[#]}}]}"
>         }
>     }

Not a solution but some caveats. If you are randomly returning a VLAN, you could have clients bouncing around VLANs when they reauth. You may also achieve the same result using features in your wireless equipment. For example, if you have Cisco wireless you could use VLAN Select (and return the VLAN select group from the radius server).

Scott Armitage
Re: a router as NAS
DeKok, Buxey and andy79!

Please, see if my understanding below is better.

Taking a glimpse at the page http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html#wp1033659 it seems obvious to me that I have misunderstood a few things: I thought I needed something EXTRA that should run a NAS request to the radius-server, and thought the router should do the job. But the NAS is there already in the freeradius server download file, installed together with the server. Looking at what radtest is spitting out, it is there with its NAS IP and port: "Sending Access-Request". The radiusd -X answers this request:

    rad_recv: Access-Request ... [pap] User authenticated successfully ++[pap] returns ok ...

Were there no NAS already, the radiusd would not have answered. Simple as that.

From this it is of course obvious to me that it is impossible that the router can run a NAS, and I can understand Buxey's resignation about my very special router. The router can only direct, or rather route, the user client message to the NAS-radius machinery. That is what the router's EAP-switch is for, letting me configure an IP and a port in that box where to send it, have it treated by the NAS/radclient/radserver and receive an OK or something to let me through to, f.ex., the internet. Isn't this correct?

For radtest to work I found that I had to apply the IPs or their authorized names or shortnames registered in /etc/hosts. Otherwise:

    radclient: Failed to find IP address for host sled-10sp3m: No such file or directory

At the same time the clients.conf must correlate with /etc/hosts.

What is wrong is my subject heading, "router as NAS", which of course confuses. If this is correct, everything is simplified to just finding out how to network this. Am I closer now?
--
Si St
sigbj...@operamail.com

On Mon, Jul 16, 2012, at 12:34 PM, Alan DeKok wrote:
> Si St wrote:
>> Q: Buxey: Hi, what makes you think you can send RADIUS requests to this router and for it to then send those requests to your server?
>> A: Because the router documentation said it:
>>
>>     WPA-Enterprise: This option works with a RADIUS Server to authenticate wireless clients. Wireless clients should have established the necessary credentials before attempting to authenticate to the Server through this Gateway. Furthermore, it may be necessary to configure the RADIUS Server to allow this Gateway to authenticate users.
>
> That text does NOT say the router accepts RADIUS requests.
>
>> I really can't help that the docu is imprecise, has gaps etc.
>
> It assumes that you are familiar with RADIUS and wireless configuration. If you're not, the text is hard to understand.
>
>> The credentials I understand as certs; the configuration is very sparse if PORTS have to be taken into consideration. But we are really getting somewhere taking PORTS into my knowledge. But I do not know how to configure this and where. If the router has the 1812 configured I would assume that radius would return through the same port. I will try to read through the files in raddb to find something about it. Could /etc/services give a clue?
>
> No. Read more about RADIUS and wireless configuration. Start with Wikipedia.
>
> Alan DeKok.
RE: a router as NAS
Hi Si St,

I don't know why you are using a router, but in my situation we have sites where we installed L3 core switches and we just configure the radius IP and the radius shared key and it is working, or we have sites where we install a ZoneDirector (wireless controller) which can be used as a NAS; under the AAA settings we configured the port number (1812 or 1813 if you want) and the IP / shared key. As you can see, the NAS needs to know the IP, port number and the shared key. If you have a router then you need to do something similar so the router can pass the messages to the Radius server.

The next step is about your clients. Again we have sites (with the core switches) where the clients are connected with the ethernet cable, so you need to configure the ports for dot1x. One example from the Allied Telesis switch is:

    switchport
    switchport mode access
    dot1x port-control auto
    dot1x control-direction both
    auth dynamic-vlan-creation

As you can see, the port-control is necessary and the dynamic vlan is optional. If your clients are connected through the wireless then you need to configure PEAP / mschapv2 because the freeradius is using MD5 by default, and all the port trunks (Access Point, Controller, Radius server). I believe in your case you are using a Cisco router, so configure the router with the AAA commands (check the Cisco site) and the port where you connect the client for dot1x. Run the server in debug mode (radiusd -X) and at the same time try to connect to the radius server from the client. You should be able to see the requests; if the radius can't find or recognise the NAS then you will see an error and the IP of the router. If you are using MAC OS as a client, go to the network preferences and set up the dot1x to use MD5 only (if you haven't changed it in the EAP file).

regards,
Andrew

From: sigbj...@operamail.com
To: freeradius-users@lists.freeradius.org
Subject: Re: a router as NAS
Date: Wed, 18 Jul 2012 21:43:49 +0200
Re: a router as NAS
Si St wrote:
> Taking a glimpse at the page http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html#wp1033659

So... why are you reading random pages on the net? And not the pages we suggested you read?

> it seems obvious to me that I have misunderstood a few things: I thought I needed something EXTRA that should run a NAS request to the radius-server, and thought the router should do the job.

You're mixing up terminology. Get it right, or you'll *never* understand what's going on.

> But the NAS is there already in the freeradiusserver downloadfile installed together with the server.

What the heck does that mean?

> Looking at what the radtest is spitting out it is there with its NAS IP and port Sending Access-Request. The radiusd -X answers this request: rad_recv: Access-Request..[pap] User authenticated successfully ++[pap] returns ok...

Well... you've completely misunderstood everything about that.

> Were there no NAS already, the radiusd would not have answered. Simple as that.

No. Absolutely not. Not simple as that.

> From this it is of course obvious to me that it is impossible that the router can run a NAS,

No. Many routers do send RADIUS Access-Request packets.

> and I can understand Buxey's resignation about my very special router.

No. You thought that the router would accept RADIUS packets from a third party, and then send them to the RADIUS server. Routers don't work like that. Hence his comment of "very special router".

> The router can only direct or rather route the userclient message to the NAS-radius machinery.

You're using terminology you invented. STOP IT NOW. Your misconception of how everything works is making it IMPOSSIBLE for you to understand ANYTHING.

> That is what the router's EAP-switch is for, letting me configure an IP and a port in that box where to send it, have it treated by the NAS/radclient/radserver and receive an OK or something to let me through to the f.ex. internet. Isn't this correct?

It's complete nonsense. You might as well be writing gibberish.

> If this is correct everything is simplified to just find out how to network this. Am I closer now?

You're even further away from understanding how it works. Read the Wikipedia pages on RADIUS and EAP. It's really not hard.

Alan DeKok.
Re: Freeradius 8021x with LDAP
Hi,

you need to ensure that LDAP is being called in the authenticate section of the inner-tunnel (in the EAP phase) and that it is being given the cleartext password that you say is being stored there.

you also need to protect your authorize calls to LDAP - as your debug clearly shows that it's being hit all the time - that's a performance hit that doesn't scale.

alan
How to log successful/unsuccessful login requests
Howdy,

So we have installed FreeRADIUS 2.1.7 via YUM on a 5.6 CentOS Server and 2.1.12 from source on a 5.1 RHEL Server. Both are working and are running pretty sweet. What I can't seem to get working though is getting the RADIUS server to log somewhere that user joe-bob logged in, then user daisy-duke failed to login, etc. If I run the server in debug mode via radiusd -X I do see this spit to STDOUT. However, how can I get it to log to a file somewhere on the disk is my question.

This is from the RHEL 5.1 server running the latest stable FreeRADIUS server:

    [root@foo radacct]# pwd
    /usr/local/var/log/radius/radacct
    [root@foo radacct]# ls -la
    total 8
    drwx--  2 root root 4096 Jul 18 17:01 .
    drwx--  3 root root 4096 Jul 18 17:01 ..
    [root@ttmi-nms2 radacct]#

Nada.

I have this in the radiusd.conf:

    prefix = /usr/local
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = ${prefix}/var
    sbindir = ${exec_prefix}/sbin
    logdir = ${localstatedir}/log/radius
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct

and

    # Log authentication requests to the log file.
    #
    # allowed values: {no, yes}
    #
    auth = yes

Any ideas?

Thanks!
-jg
FreeRADIUS in failover - HA setup (question)
Hi, everybody.

I was reading the "Deploying FreeRADIUS with the MySQL Cluster Database" whitepaper downloaded from the MySQL website. It mentions in the 3.1 Deployment Topologies section that MySQL Cluster can be integrated with FreeRADIUS, but it always mentions FreeRADIUS being installed on a single node. Would there be a way to set up FreeRADIUS to also be failover the same way MySQL is, and not always run just on a single node?

Note: before replying saying that this question should be posted in MySQL forums, please consider that I am not asking about MySQL configurations, I am asking about the FreeRADIUS product. Many thanks to everybody!

Aldo Zavala
Re: Problem compiling Freeradius 3.0 Master branch after 2012-06-29
>> 2) make eventually errors out:
>>
>>     ...
>>     Making all in src/modules/rlm_sometimes...
>>     Making all in src/main...
>>     /Users/raymont/freeradius-server/libtool --quiet --mode=link gcc -export-dynamic -dlopen self \
>>       -o radiusd acct.lo auth.lo client.lo conffile.lo crypt.lo exec.lo files.lo listen.lo log.lo mainconfig.lo modules.lo modcall.lo radiusd.lo stats.lo soh.lo connection.lo session.lo threads.lo util.lo valuepair.lo version.lo xlat.lo process.lo realms.lo evaluate.lo vmps.lo detail.lo cb.lo tls.lo tls_listen.lo \
>>       /Users/raymont/freeradius-server/src/lib/libfreeradius-radius.la -framework DirectoryService -lresolv -lpthread \
>>       /Users/raymont/freeradius-server/libltdl/libltdl.la -lcrypto -lssl -lcrypto
>>     Undefined symbols for architecture x86_64:
>>       _SSL_CTX_set_psk_client_callback, referenced from:
>>           _init_tls_ctx in tls.o
>>       _SSL_CTX_set_psk_server_callback, referenced from:
>>           _init_tls_ctx in tls.o
>
> You have two versions of OpenSSL installed. Fix that.
>
> Edit Make.inc. Look for lines referencing OPENSSL, and fix them to have the correct C compiler / linker flags.
>
> Alan DeKok.

Thank you. After straightening out the paths to the OpenSSL lib and include directories, I'm now able to compile FR 3.0 successfully.

Best Regards,
Y.J. Zhang
Re: How to log successful/unsuccessful login requests
Hi,

I have SUSE 11.1 with radius (2.1.6). In raddb/radiusd.conf you can check the log section. In my case it is enabled by default to log to files; the file is ${logdir}/radius.log. So in your case the log file would be /usr/local/var/log/radius/radius.log.

Also, you can configure radius in the log section to log to syslog or to stderr, change the facility etc.

Regards,
Prateek

On Thu, Jul 19, 2012 at 4:38 AM, John Giordano john.giord...@ttmi.us wrote:
> Howdy,
>
> So we have installed FreeRADIUS 2.1.7 via YUM on a 5.6 CentOS Server and 2.1.12 from source on a 5.1 RHEL Server. Both are working and are running pretty sweet. What I can't seem to get working though is getting the RADIUS server to log somewhere that user joe-bob logged in, then user daisy-duke failed to login, etc. If I run the server in debug mode via radiusd -X I do see this spit to STDOUT. However, how can I get it to log to a file somewhere on the disk is my question.
>
> This is from the RHEL 5.1 server running the latest stable FreeRADIUS server:
>
>     [root@foo radacct]# pwd
>     /usr/local/var/log/radius/radacct
>     [root@foo radacct]# ls -la
>     total 8
>     drwx--  2 root root 4096 Jul 18 17:01 .
>     drwx--  3 root root 4096 Jul 18 17:01 ..
>     [root@ttmi-nms2 radacct]#
>
> Nada.
>
> I have this in the radiusd.conf:
>
>     prefix = /usr/local
>     exec_prefix = ${prefix}
>     sysconfdir = ${prefix}/etc
>     localstatedir = ${prefix}/var
>     sbindir = ${exec_prefix}/sbin
>     logdir = ${localstatedir}/log/radius
>     raddbdir = ${sysconfdir}/raddb
>     radacctdir = ${logdir}/radacct
>
> and
>
>     # Log authentication requests to the log file.
>     #
>     # allowed values: {no, yes}
>     #
>     auth = yes
>
> Any ideas?
>
> Thanks!
> -jg
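As an added example that is not part of the thread, here is a small Python parser for the "Auth:" lines that end up in radius.log once `auth = yes` is set, tallying successes and failures per user so that a burst of failed logins stands out. The sample lines are constructed to follow the usual 2.x layout ("Login OK: [user] (from client X port N)"); check the regex against a real radius.log before relying on it.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Constructed radius.log excerpt in the layout FreeRADIUS 2.x uses for
# "Auth:" lines (verify against your own file; the regex below assumes it).
SAMPLE_LOG = """\
Wed Jul 18 17:01:05 2012 : Auth: Login OK: [joe-bob] (from client nas-edge-1 port 15 cli 00-11-22-33-44-55)
Wed Jul 18 17:01:09 2012 : Auth: Login incorrect: [daisy-duke] (from client nas-edge-1 port 16)
Wed Jul 18 17:01:12 2012 : Auth: Login incorrect: [daisy-duke] (from client nas-edge-1 port 16)
Wed Jul 18 17:01:14 2012 : Auth: Login incorrect: [daisy-duke] (from client nas-edge-1 port 16)
Wed Jul 18 17:01:20 2012 : Auth: Login OK: [daisy-duke/<via Auth-Type = EAP>] (from client nas-edge-2 port 3)
Wed Jul 18 17:02:00 2012 : Info: Ready to process requests.
"""

# Timestamp, result, user (with an optional "/<via ...>" suffix), NAS client
# name, port and optional calling-station id.
_AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^\]/]+)(?:/[^\]]*)?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>\S+))?\)$"
)


class AuthEvent(NamedTuple):
    timestamp: str
    user: str
    success: bool
    client: str
    port: int
    cli: Optional[str]


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """One AuthEvent for an "Auth:" line; None for Info/Error and other lines."""
    m = _AUTH_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(m["ts"], m["user"], m["result"] == "OK",
                     m["client"], int(m["port"]), m["cli"])


def parse_log(text: str) -> List[AuthEvent]:
    return [ev for ev in map(parse_auth_line, text.splitlines()) if ev is not None]


def failures_per_user(events) -> Counter:
    return Counter(ev.user for ev in events if not ev.success)


def users_over_threshold(events, max_failures: int) -> List[str]:
    """Users with more than max_failures failed logins: the first thing to look
    at when radius.log is reviewed for a misconfigured supplicant or guessing."""
    return sorted(user for user, n in failures_per_user(events).items()
                  if n > max_failures)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        state = "OK  " if ev.success else "FAIL"
        print(f"{ev.timestamp}  {state}  {ev.user:12} via {ev.client} port {ev.port}")
    print("failures:", dict(failures_per_user(events)))
    print("over threshold (>2):", users_over_threshold(events, 2))
```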