smsotp Auth-Type

2012-07-18 Thread Ferenc Tóth
Hello!

I'm having problems configuring freeradius with smsotp. I did every step
according to the materials found here:
http://wiki.freeradius.org/Rlm_smsotp

The problem is that freeradius doesn't start up successfully. According to
the logs, it can't find the smsotp Auth-Type.

My default site configuration:
authorize {
    smsotp
    ...
}
authenticate {
    Auth-Type smsotp {
        pap
        smsotp
    }

    Auth-Type smsotp-reply {
        smsotp
    }
    ...
}

The part I've added to the users file:
feri    Cleartext-Password := Abcd1234
DEFAULT Auth-Type := smsotp

The debug output:
Starting - reading configuration files ...
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/radiusd.conf
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/proxy.conf
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/clients.conf
including files in directory
/local/freeradius-server-2.1.12/etc/raddb/modules/
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/wimax
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/rediswho
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/sradutmp
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/chap
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/digest
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/perl
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/linelog
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/replicate
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/echo
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/detail.log
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/soh
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/unix
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/ldap
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/acct_unique
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/cui
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/smbpasswd
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/redis
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/exec
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/otp
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/detail.example.com
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/counter
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/logintime
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/mschap
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/mac2ip
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/smsotp
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/sql_log
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/always
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/krb5
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/checkval
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/detail
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/policy
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/dynamic_clients
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/radutmp
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/ippool
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/passwd
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/mac2vlan
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/opendirectory
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/pam
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/ntlm_auth
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/etc_group
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/expiration
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/realm
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/inner-eap
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/pap
including configuration file
/local/freeradius-server-2.1.12/etc/raddb/modules/expr
including configuration file

Re: Configuring rlm_counter for gigaword

2012-07-18 Thread Jeff Wark
I'm not sure what rlm_counter is, but the documentation for regular 
accounting states:


*snip*
Modify FreeRADIUS Queries

Secondly, modify the accounting queries in sql.conf to make the SQL 
database perform the computation that is required to merge the two 
values sent as attributes by the NAS into one single 64-bit integer 
stored in the database.


All occurrences of '%{Acct-Input-Octets}' need to be replaced with:
'%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}'

The same thing needs to be done for '%{Acct-Output-Octets}':
'%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}'
*snip*

Found at http://wiki.freeradius.org/FAQ#Common-problems-and-their-solutions

Also, the database table must be able to hold the larger values.

On 7/17/2012 10:59 PM, jobhunt...@aol.com wrote:

I want to use the Acct-Output-Gigawords attribute along with the 
Acct-Output-Octets to keep track of traffic in an rlm_counter that can exceed 
the 32-bit integer limitation. It looks like the counter will take only one 
count-attribute.  How can I use both of these attributes in a single counter?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
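As an added illustration (my code, not the FAQ's SQL and not anything FreeRADIUS ships): the merge that the SQL above performs, done in Python over a few constructed detail-file records, plus a check of which MySQL integer type the merged value needs, since the reply also notes the column must be able to hold it. The tab-indented record layout and the column limits are assumptions, not something this thread shows.

```python
"""Added example, not FreeRADIUS code: merge Acct-*-Gigawords and
Acct-*-Octets into one 64-bit counter the way the FAQ's SQL
('%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}') does,
then check that the column type can hold the result.

Assumptions: records are in the tab-indented layout the detail module
writes (constructed sample below, not captured traffic); column limits
are MySQL's signed/unsigned INT and BIGINT."""
import re

# Constructed sample input: two Accounting-Stop records. joe-bob's NAS
# wrapped Acct-Output-Octets twice, so Acct-Output-Gigawords = 2.
SAMPLE_DETAIL = """\
Wed Jul 18 17:01:23 2012
\tUser-Name = "joe-bob"
\tAcct-Status-Type = Stop
\tAcct-Input-Octets = 4294967295
\tAcct-Output-Octets = 123456789
\tAcct-Output-Gigawords = 2

Wed Jul 18 17:05:00 2012
\tUser-Name = "daisy-duke"
\tAcct-Status-Type = Stop
\tAcct-Input-Octets = 1000
\tAcct-Output-Octets = 2000

"""

INT_MAX = 2**31 - 1        # MySQL INT
UINT_MAX = 2**32 - 1       # MySQL INT UNSIGNED
BIGINT_MAX = 2**63 - 1     # MySQL BIGINT

ATTR_RE = re.compile(r'^\t([\w-]+)\s*=\s*"?([^"]*)"?$')


def parse_detail(text):
    """Yield one {attribute: value} dict per record; a blank line ends a record."""
    rec = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            rec[m.group(1)] = m.group(2)
        elif not line.strip() and rec:
            yield rec
            rec = {}
    if rec:
        yield rec


def octets64(rec, direction):
    """(Gigawords << 32) | Octets for direction 'Input' or 'Output'.
    A missing Gigawords attribute counts as 0, like the ':-0' in the xlat."""
    giga = int(rec.get(f"Acct-{direction}-Gigawords", 0))
    octs = int(rec.get(f"Acct-{direction}-Octets", 0))
    return (giga << 32) | octs


def column_needed(value):
    """Smallest of the common MySQL integer types that holds value."""
    if value <= INT_MAX:
        return "INT"
    if value <= UINT_MAX:
        return "INT UNSIGNED"
    if value <= BIGINT_MAX:
        return "BIGINT"
    return "BIGINT UNSIGNED"


def totals(text):
    """Per-user (input, output, column type) for every Stop record."""
    out = {}
    for rec in parse_detail(text):
        if rec.get("Acct-Status-Type") != "Stop":
            continue
        inp, outp = octets64(rec, "Input"), octets64(rec, "Output")
        out[rec["User-Name"]] = (inp, outp, column_needed(max(inp, outp)))
    return out


if __name__ == "__main__":
    for user, (inp, outp, col) in totals(SAMPLE_DETAIL).items():
        print(f"{user}: in={inp} out={outp} needs {col}")
```

The point of column_needed is the second half of the reply: joe-bob's merged output count is above 2^32, so a 32-bit acctoutputoctets column would silently truncate or error regardless of how the query is written.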


Re: smsotp Auth-Type

2012-07-18 Thread Arran Cudbard-Bell

On 18 Jul 2012, at 12:07, Ferenc Tóth wrote:

 Hello!
 
 I'm having problems configuring freeradius with smsotp. I did every step 
 according to the materials found here:
 http://wiki.freeradius.org/Rlm_smsotp
 
 The problem is that freeradius doesn't start up successfully. According to the 
 logs, it can't find the smsotp Auth-Type.

Try with 3.0 - It seems to do some magic that adds the additional values 
automagically. Or you can add the additional values in the freeradius.internal 
dictionary.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: smsotp Auth-Type

2012-07-18 Thread Ferenc Tóth
Thank you, Arran!

For future readers: appending the following line to /etc/raddb/dictionary
solved the problem:
VALUE  Auth-Type   smsotp  3034

Regards,
Feri


On Wed, Jul 18, 2012 at 3:35 PM, Arran Cudbard-Bell 
a.cudba...@freeradius.org wrote:


 On 18 Jul 2012, at 12:07, Ferenc Tóth wrote:

 Hello!

 I'm having problems configuring freeradius with smsotp. I did every step
 according to the materials found here:
 http://wiki.freeradius.org/Rlm_smsotp

 The problem is that freeradius doesn't start up successfully. According to
 the logs, it can't find the smsotp Auth-Type.


 Try with 3.0 - It seems to do some magic that adds the additional values
 automagically. Or you can add the additional values in the
 freeradius.internal dictionary.


 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Win7 Ldap Auth without RootCA

2012-07-18 Thread mpi

Hello,

I'm trying to run ldap auth with FreeRADIUS Version 2.1.10 (Debian
Squeeze) and FreeRADIUS Version 2.1.12 (FreeBSD 9.0) with a self-signed
certificate.

It is working for all platforms except the Win7 supplicant.
I found a few things talking about this problem but I want to be sure.

Any way to get this working without changing security settings on all
roaming clients?

Regards,
Matt
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Win7 Ldap Auth without RootCA

2012-07-18 Thread Alan DeKok
mpi wrote:
 Any way to get this working without changing security settings on all
 roaming clients?

  You need to add the root CA to all Windows clients.  This is how PEAP
works.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius 8021x with LDAP

2012-07-18 Thread Francesc Zacarias
Hi there!

We're trying to set up Freeradius with 8021x. Freeradius should query
an OpenLDAP server for authentication and check if the user belongs to
certain groups and return different VLAN IDs depending on that.
Unfortunately, we're having issues with the LDAP authentication part.
We only managed to get it to work with radtest. Example command:

$ radtest testuser4 testpass4 localhost 1812 testing123

But to accomplish that we had to uncomment these lines in sites-enabled/default:

# Uncomment it if you want to use ldap for authentication
#
# Note that this means check plain-text password against
# the ldap database, which means that EAP won't work,
# as it does not supply a plain-text password.
#Auth-Type LDAP {
#   ldap
#}

As the comment states, this works with radtest but not with EAP. We do
our tests with a Macbook Pro running Mac OS X 10.7.4.
If I comment the above lines again, freeradius rejects the request.
Passwords are stored as cleartext in ldap.
Looking at the ldap queries performed by freeradius, it is only
checking if the user exists. No password check at all.
This is the output of freeradius -X while using our test laptop:



FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov
14 2010 at 21:12:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel

Re: Freeradius 8021x with LDAP

2012-07-18 Thread Alan DeKok
Francesc Zacarias wrote:
 We're trying to set up Freeradius with 8021x. Freeradius should query
 an OpenLDAP server for authentication and check if the user belongs to
 certain groups and return different VLAN IDs depending on that.

  Those are two completely independent things.  Get them working
independently, they should work together.

 Unfortunately, we're having issues with the LDAP authentication part.

  So what did you configure?  Did you read
raddb/sites-available/default, and look for ldap?

 Looking at the ldap queries performed by freeradius, it is only
 checking if the user exists. No password check at all.

  Read it again.  It does this:

 [ldap] looking for check items in directory...
   [ldap] userPassword -> Password-With-Header == {SASL}testus...@spotify.net
 [ldap] looking for reply items in directory...

  Is that really the cleartext-password of the user?

  Really?

  Did you read raddb/sites-available/inner-tunnel, and follow the
instructions at the top (in 2.1.12)

 This is the output of freeradius -X while using our test laptop:

 FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov
 14 2010 at 21:12:30

  Well, upgrading wouldn't hurt.

 Notice the lines:
 
 [eap] Request found, released from the list
 [eap] EAP/mschapv2
 [eap] processing type mschapv2
 [mschapv2] # Executing group from file
 /etc/freeradius/sites-enabled/inner-tunnel
 [mschapv2] +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.

  You've said that the LDAP server contains cleartext passwords.  Yet
the debug log shows it doesn't.  And this entry shows the server doesn't
have the cleartext passwords.

  Fix that.

 I wonder what is this module doing.

  MSCHAP?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem compiling Freeradius 3.0 Master branch after 2012-06-29

2012-07-18 Thread Alan DeKok
YJZ wrote:
 1) ./configure keeps complaining of: 
 configure: WARNING: unrecognized options: --without-rlm_perl, 
 --without-rlm_sql_mysql, --with-rlm_pam, --with-rlm_ldap, 
 --with-openldap-include-dir, --without-rlm_counter, --without-rlm_dbm, 
 --without-rlm_ippool, --without-rlm_krb5, --without-rlm_otp, 
 --without-rlm_python, --without-rlm_sql, --without-rlm_unixodbc, 
 --without-rlm_sql_iodbc, --without-rlm_sql_postgresql, 
 --without-rlm_sql_oracle, --without-rlm_sqlcounter, --without-rlm_sqlippool, 
 --without-rlm_eap_tnc, --without-rlm_eap_ikev2, --enable-shared, 
 --disable-static, --enable-ltdl-install

  I have no idea what causes that.  It can be ignored, though.

 2) make eventually errors out:
 ...
 Making all in src/modules/rlm_sometimes...
 Making all in src/main...
 /Users/raymont/freeradius-server/libtool --quiet --mode=link gcc 
 -export-dynamic -dlopen self \
 -o radiusd acct.lo auth.lo client.lo conffile.lo crypt.lo 
 exec.lo files.lo listen.lo log.lo mainconfig.lo modules.lo modcall.lo 
 radiusd.lo stats.lo soh.lo connection.lo session.lo threads.lo util.lo 
 valuepair.lo version.lo xlat.lo process.lo realms.lo evaluate.lo vmps.lo 
 detail.lo cb.lo tls.lo tls_listen.lo  \

 /Users/raymont/freeradius-server/src/lib/libfreeradius-radius.la -framework 
 DirectoryService -lresolv -lpthread   \
 /Users/raymont/freeradius-server/libltdl/libltdl.la -lcrypto 
 -lssl -lcrypto
 Undefined symbols for architecture x86_64:
   _SSL_CTX_set_psk_client_callback, referenced from:
   _init_tls_ctx in tls.o
   _SSL_CTX_set_psk_server_callback, referenced from:
   _init_tls_ctx in tls.o

  You have two versions of OpenSSL installed.  Fix that.

  Edit Make.inc.  Look for lines referencing OPENSSL, and fix them to
have the correct C compiler / linker flags.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Load-Balance VLAN assignment via unlang

2012-07-18 Thread Cotton, Jesse
Thanks for the reply Scott. Not something I had considered however in our case 
it's not an issue since we aren't requiring clients to reauth. We are 
implementing this for our wired network. Our equipment, primarily Cisco 2960s 
do support a group vlan for load-balancing client distribution however it's 
not as easy to manage as a few lines within the radius config.

-Original Message-
From: freeradius-users-bounces+jesse.cotton=stockton@lists.freeradius.org 
[mailto:freeradius-users-bounces+jesse.cotton=stockton@lists.freeradius.org]
 On Behalf Of Scott Armitage
Sent: Tuesday, July 17, 2012 8:29 AM
To: FreeRadius users mailing list
Subject: Re: Load-Balance VLAN assignment via unlang


On 17 Jul 2012, at 12:57, Cotton, Jesse wrote:

 Using FR as a central RADIUS server. One task it performs is dot1x auth. It 
 forwards eap requests to one of several home servers which performs the auth 
 and returns several attributes including Tunnel-Private-Group-Id. This 
 attribute contains multiple values indicating one of several potential vlans 
 a client can be put on. I would like perform simple load balancing by 
 selecting one of the vlans randomly. I have the following within the 
 post-auth section. What am I doing wrong? I have tried several variations. I 
 know the syntax is incorrect but google has not been helpful. Thanks in 
 advance.
 
 
 
 
 
 if ("%{reply:Tunnel-Private-Group-Id[#]}" > 1) {
     update reply {
         Tunnel-Private-Group-Id := "%{reply:Tunnel-Private-Group-Id[%{rand:%{reply:Tunnel-Private-Group-Id[#]}}]}"
     }
 }


Not a solution but some caveats.  If you are randomly returning a vlan, you 
could have clients bouncing around vlans when they reauth.  You may also 
achieve the same result using features in your wireless equipment.  For example 
if you have Cisco wireless you could use Vlan Select (and return the vlan 
select group from the radius server).


Scott Armitage
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
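As an added illustration (my code, not the unlang from the post and not anything FreeRADIUS ships), and one that goes a step beyond the post: picking one VLAN from the list the home server returns, either at random as the unlang above tries to, or keyed on the client's Calling-Station-Id so the same client lands on the same VLAN at every reauthentication, which is what Scott's bouncing caveat is about. The VLAN list and MAC addresses are constructed; nothing here talks RADIUS.

```python
"""Added example, not from the thread: spread clients across the VLANs a
home server returns in Tunnel-Private-Group-Id. 'random' does what the
unlang in the post tries to do; 'sticky' hashes the Calling-Station-Id so
the same client gets the same VLAN at every reauth (Scott's caveat).
Attribute values below are constructed."""
import hashlib
import random
from collections import Counter


def normalise_mac(calling_station_id: str) -> str:
    """Reduce the NAS's MAC formatting (00-11-22-..., 00:11:22:..., 0011.2233...)
    to 12 lowercase hex digits so the choice does not change with the NAS vendor."""
    return "".join(ch for ch in calling_station_id.lower() if ch in "0123456789abcdef")


def pick_sticky(vlans, calling_station_id):
    """Deterministic: SHA-256 of the MAC, modulo the number of candidates."""
    digest = hashlib.sha256(normalise_mac(calling_station_id).encode()).digest()
    return vlans[int.from_bytes(digest[:4], "big") % len(vlans)]


def pick_random(vlans, rng=random):
    """What the post's unlang does: %{rand:N} picks an index uniformly."""
    return vlans[rng.randrange(len(vlans))]


def assign_vlan(reply_vlans, calling_station_id, sticky=True):
    """reply_vlans plays the role of the Tunnel-Private-Group-Id values in the
    reply; the [#] > 1 guard in the unlang becomes the len() check here."""
    if not reply_vlans:
        return None
    if len(reply_vlans) == 1:
        return reply_vlans[0]
    if sticky:
        return pick_sticky(reply_vlans, calling_station_id)
    return pick_random(reply_vlans)


def distribution(vlans, macs, sticky=True):
    """How many clients land on each VLAN, to check the spread is even enough."""
    return Counter(assign_vlan(vlans, m, sticky) for m in macs)


if __name__ == "__main__":
    vlans = ["110", "111", "112"]                              # constructed
    macs = [f"00-11-22-33-44-{i:02x}" for i in range(60)]      # constructed
    print(distribution(vlans, macs))
    print(assign_vlan(vlans, "00-11-22-33-44-05"),
          assign_vlan(vlans, "00:11:22:33:44:05"))
```

The sticky variant keeps the balancing property for a large population while removing the reauth churn; it is a policy choice, and the MAC is of course spoofable, so it is a placement key, not an authorisation decision.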


Re: a router as NAS

2012-07-18 Thread Si St
DeKok, Buxey and andy79!
Please, see if my understanding below is better.

Taking a glimpse at the page
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html#wp1033659
it seems obvious to me that I have misunderstood a few things:
I thought I needed something EXTRA that should run a NAS request to the
radius-server, and thought the router should do the job.
But the NAS is there already in the freeradiusserver downloadfile
installed together with the server. Looking at what the radtest is
spitting out it is there with its NAS IP and port Sending
Access-Request.
The radiusd -X answers this request: rad_recv: Access-Request..[pap]
User authenticated successfully
++[pap] returns ok...

Were there no NAS already, the radiusd would not have answered. Simple
as that. From this it is of course obvious to me that it is impossible
that the router can run a NAS, and I can understand Buxey's resignation
about my very special router. The router can only direct or rather
route the userclient message to the NAS-radius machinery. That is what
the router's EAP-switch is for, letting me configure an IP and a port in
that box where to send it, have it treated by the
NAS/radclient/radserver and receive an OK or something to let me through
to e.g. the internet. Isn't this correct?

For the radtest to work I found that I had to apply the IPs or their
authorized names or shortnames registered in the /etc/hosts. Otherwise:
radclient: Failed to find IP address for host sled-10sp3m: No such file
or directory
At the same time the client.conf must correlate with the /etc/hosts

What is wrong is my subject heading: router as NAS, which of course
confuses.

If this is correct everything is simplified to just find out how to
network this.
Am I closer now?
-- 
  Si St
  sigbj...@operamail.com


On Mon, Jul 16, 2012, at 12:34 PM, Alan DeKok wrote:
 Si St wrote:
  Q:Buxey:
  Hi,
  what makes you think you can send RADIUS requests to this router and for
  it
  to then send those requests to your server? 
  A:Because the router documentation said it: 
  -WPA-Enterprise
  
  This option works with a RADIUS Server to authenticate wireless
  clients. Wireless clients should have established the necessary
  credentials before attempting to authenticate to the Server through
  this Gateway. Furthermore, it may be necessary to configure the
  RADIUS Server to allow this Gateway to authenticate users.
 
   That text does NOT say the router accepts RADIUS requests.
 
  I really can't help it that the documentation is imprecise, has gaps etc.
 
   It assumes that you are familiar with RADIUS and wireless
 configuration.  If you're not, the text is hard to understand.
 
  The
  credentials  and understand as certs, the configure is very sparse
  if PORTS have to be taken in consideration. - But we are really getting
  somewhere taking PORTS into my knowledge. But I do not know how to configure
  this and where. If the router has the 1812 configured I would assume
  that radius would return through the same port. I will try to read
  through the files in raddb to find something about it. Could
  /etc/service give a clue? 
 
   No.
 
   Read more about RADIUS and wireless configuration.  Start with
   Wikipedia.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-- 
http://www.fastmail.fm - Choose from over 50 domains or use your own

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: a router as NAS

2012-07-18 Thread Andrew Andonopoulos

Hi Si St,
I don't know why you are using a router but in my situation we have sites where 
we installed L3 core switches and we just configure the radius ip and the 
radius shared key and it is working, or we have sites where we install a 
ZoneDirector (wireless controller) and can use it as a NAS; under the AAA settings 
we configured the port number (1812 or 1813 if you want) and the ip / shared 
key. As you can see the NAS needs to know the ip, port number and the shared 
key. If you have a router then you need to do something similar so the router 
can pass the messages to the Radius server. 
The next step is about your clients. Again we have sites (with the core 
switches) where the clients are connected with the ethernet cable so you need 
to configure the ports for dot1x. One example from the Allied Telesis switch is:

switchport
switchport mode access
dot1x port-control auto
dot1x control-direction both
auth dynamic-vlan-creation

As you can see the port-control is necessary and the dynamic vlan is optional.
If your clients are connected through the wireless then you need to configure 
PEAP / mschapv2 because the freeradius is using MD5 by default and all the 
ports trunks (Access Point, Controller, Radius server).
I believe in your case you are using a cisco router, so configure the router 
with the AAA commands (check the cisco site) and the port where you connect the 
client for dot1x. Run the server in debug mode (radiusd -X) and at the same time 
from the client try to connect with the radius server. You should be able to 
see the requests; if the radius can't find the NAS or recognise it then you will 
see an error and the ip of the router. If you are using MAC OS as a client go 
to the network preferences and setup the dot1x to use MD5 only (if you haven't 
changed it in the EAP file)

regards
Andrew


 From: sigbj...@operamail.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: a router as NAS
 Date: Wed, 18 Jul 2012 21:43:49 +0200
 
 DeKok, Buxey and andy79!
 Please, see if my understanding below is better.
 
 Taking a glimpse at the page
 http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html#wp1033659
 it seems obvious to me that I have misunderstood a few things:
 I thought I needed something EXTRA that should run a NAS request to the
 radius-server, and thought the router should do the job.
 But the NAS is there already in the freeradiusserver downloadfile
 installed together with the server. Looking at what the radtest is
 spitting out it is there with its NAS IP and port Sending
 Access-Request.
 The radiusd -X answers this request: rad_recv: Access-Request..[pap]
 User authenticated successfully
 ++[pap] returns ok...
 
 Were there no NAS already, the radiusd would not have answered. Simple
 as that. From this it is of course obvious to me that it is impossible
 that the router can run a NAS, and I can understand Buxey's resignation
 about my very special router. The router can only direct or rather
 route the userclient message to the NAS-radius machinery. That is what
 the router's EAP-switch is for, letting me configure an IP and a port in
 that box where to send it, have it treated by the
 NAS/radclient/radserver and receive an OK or something to let me through
 to e.g. the internet. Isn't this correct?
 
 For the radtest to work I found that I had to apply the IPs or their
 authorized names or shortnames registered in the /etc/hosts. Otherwise:
 radclient: Failed to find IP address for host sled-10sp3m: No such file
 or directory
 At the same time the client.conf must correlate with the /etc/hosts
 
 What is wrong is my subject heading: router as NAS, which of course
 confuses.
 
 If this is correct everything is simplified to just find out how to
 network this.
 Am I closer now?
 -- 
   Si St
   sigbj...@operamail.com
 
 
 On Mon, Jul 16, 2012, at 12:34 PM, Alan DeKok wrote:
  Si St wrote:
   Q:Buxey:
   Hi,
   what makes you think you can send RADIUS requests to this router and for
   it
   to then send those requests to your server? 
   A:Because the router documentation said it: 
   -WPA-Enterprise
   
   This option works with a RADIUS Server to authenticate wireless
   clients. Wireless clients should have established the necessary
   credentials before attempting to authenticate to the Server through
   this Gateway. Furthermore, it may be necessary to configure the
   RADIUS Server to allow this Gateway to authenticate users.
  
That text does NOT say the router accepts RADIUS requests.
  
   I really can't help it that the documentation is imprecise, has gaps etc.
  
It assumes that you are familiar with RADIUS and wireless
  configuration.  If you're not, the text is hard to understand.
  
   The
   credentials  and understand as certs, the configure is very sparse
   if PORTS have to be taken in consideration. - But we are really getting
   somewhere taking PORTS into my knowledge. 

Re: a router as NAS

2012-07-18 Thread Alan DeKok
Si St wrote:
 Taking a glimpse at the page
 http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html#wp1033659

  So... why are you reading random pages on the net?  And not the pages
we suggested you read?

 it seems obvious to me that I have misunderstood a few things:
 I thought I needed something EXTRA that should run a NAS request to the
 radius-server, and thought the router should do the job.

  You're mixing up terminology.  Get it right, or you'll *never*
understand what's going on.

 But the NAS is there already in the freeradiusserver downloadfile
 installed together with the server.

  What the heck does that mean?

 Looking at what the radtest is
 spitting out it is there with its NAS IP and port Sending
 Access-Request.
 The radiud -X answers this request:rad_recv: Access-Request..[pap]
 User authenticated successfully
 ++[pap] returns ok...

  Well... you've completely misunderstood everything about that.

 Were there no NAS already, the radiusd would not have answered. Simple
 as that.

  No.  Absolutely not.  Not simple as that.

 From this it is of course obvious to me that it is impossible
 that the router can run a NAS,

  No.  Many routers do send RADIUS Access-Request packets.

 and I can understand Buxeys resignation
 about my very special router.

  No.  You thought that the router would accept RADIUS packets from a
third party, and then send them to the RADIUS server.  Routers don't
work like that.  Hence his comment of very special router.

 The router can only direct or rather
 route the userclient message to the NAS-radius machinery.

  You're using terminology you invented.

  STOP IT NOW.

  Your misconception of how everything works is making it IMPOSSIBLE for
you to understand ANYTHING.

 That is what
 the router's EAP-switch is for, letting me configure an IP and a port in
 that box where to send it, have it treated by the
 NAS/radclient/radserver and receive an OK or something to let me through
 to the f.ex. internet. Isn't this correct?

  It's complete nonsense.  You might as well be writing gibberish.

 If this is correct everything is simplified to just find out how to
 network this.
 Am I closer now?

  You're even further away from understanding how it works.

  Read the Wikipedia pages on RADIUS and EAP.  It's really not hard.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 8021x with LDAP

2012-07-18 Thread alan buxey
Hi,

you need to ensure that LDAP is being called in the authenticate section
of the inner-tunnel (in the EAP phase) and that it is being given the cleartext
password that you say is being stored there.

you also need to protect your authorize calls to LDAP - as your debug clearly 
shows that it's being hit all the time - that's a performance hit that doesn't 
scale.


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


How to log successful/unsuccessful login requests

2012-07-18 Thread John Giordano
Howdy,

So we have installed FreeRADIUS 2.1.7 via YUM on a 5.6 CentOS Server and 2.1.12 
from source on a 5.1 RHEL Server.

Both are working and are running pretty sweet.  What I can't seem to get 
working though is getting the RADIUS server to log somewhere that user joe-bob 
logged in, then user daisy-duke failed to login, etc.  If I run the server in 
debug mode via radiusd -X I do see this spit to STDOUT.  However, how can I get 
it to log to a file somewhere on the disk is my question.

This is from the RHEL 5.1 server running latest, stable of the FreeRadius 
Server:

[root@foo radacct]# pwd
/usr/local/var/log/radius/radacct

[root@foo radacct]# ls -la
total 8
drwx------ 2 root root 4096 Jul 18 17:01 .
drwx------ 3 root root 4096 Jul 18 17:01 ..
[root@ttmi-nms2 radacct]#

Nada 

I have this in the radiusd.conf:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

and

  #  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
auth = yes

Any ideas?  Thanks!

-jg
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRADIUS in failover - HA setup (question)

2012-07-18 Thread Aldo Zavala
Hi, everybody. 

I was reading the Deploying FreeRADIUS with the MySQL Cluster Database 
whitepaper downloaded from the MySQL website. It mentions in section 3.1, 
Deployment Topologies, that MySQL Cluster can be integrated with FreeRADIUS, but 
it always mentions FreeRADIUS being installed on a single node. Would there be a 
way to set up FreeRADIUS to also fail over the same way MySQL does, and not 
always run on just a single node?

Note: before replying to say that this question should be posted in the MySQL 
forums, please consider that I am not asking about MySQL configuration, I am 
asking about the FreeRADIUS product. Many thanks to everybody!


Aldo Zavala
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem compiling Freeradius 3.0 Master branch after 2012-06-29

2012-07-18 Thread YJZ
  2) make eventually errors out:
  ...
  Making all in src/modules/rlm_sometimes...
  Making all in src/main...
  /Users/raymont/freeradius-server/libtool --quiet --mode=link gcc
 -export-dynamic -dlopen self \
-o radiusd acct.lo auth.lo client.lo conffile.lo crypt.lo 
  exec.lo
 files.lo listen.lo log.lo mainconfig.lo modules.lo modcall.lo radiusd.lo
 stats.lo soh.lo connection.lo session.lo threads.lo util.lo valuepair.lo
 version.lo xlat.lo process.lo realms.lo evaluate.lo vmps.lo detail.lo cb.lo
 tls.lo tls_listen.lo  \
   
  /Users/raymont/freeradius-server/src/lib/libfreeradius-radius.la
 -framework DirectoryService -lresolv -lpthread   \
/Users/raymont/freeradius-server/libltdl/libltdl.la -lcrypto 
  -lssl
 -lcrypto
  Undefined symbols for architecture x86_64:
_SSL_CTX_set_psk_client_callback, referenced from:
_init_tls_ctx in tls.o
_SSL_CTX_set_psk_server_callback, referenced from:
_init_tls_ctx in tls.o
 
   You have two versions of OpenSSL installed.  Fix that.
 
   Edit Make.inc.  Look for lines referencing OPENSSL, and fix them to
 have the correct C compiler / linker flags.
 
   Alan DeKok.
 -

Thank you. After straightening out the paths to the openssl lib and include 
directories, I'm now able to compile FR 3.0 successfully.


Best Regards,

Y.J. Zhang
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to log successful/unsuccessful login requests

2012-07-18 Thread Prateek Kumar
Hi,
  I am running SUSE 11.1 and radius (2.1.6). In raddb/radiusd.conf you can
check the log section. In my case it is by default enabled to log to files; 
the file is ${logdir}/radius.log. So in your case the log file would be
/usr/local/var/log/radius/radius.log
You can also configure radius in the log section to log to syslog or to
stderr, change the facility etc.
Regards,
Prateek

On Thu, Jul 19, 2012 at 4:38 AM, John Giordano john.giord...@ttmi.uswrote:

 Howdy,

 So we have installed FreeRADIUS 2.1.7 via YUM on a 5.6 CentOS Server and
 2.1.12 from source on a 5.1 RHEL Server.

 Both are working and are running pretty sweet.  What I can't seem to get
 working though is getting the RADIUS server to log somewhere that user
 joe-bob logged in, then user daisy-duke failed to login, etc.  If I run the
 server in debug mode via radiusd -X I do see this spit to STDOUT.  However,
 my question is how I can get it to log to a file somewhere on the disk.

 This is from the RHEL 5.1 server running latest, stable of the FreeRadius
 Server:

 [root@foo radacct]# pwd
 /usr/local/var/log/radius/radacct

 [root@foo radacct]# ls -la
 total 8
 drwx------ 2 root root 4096 Jul 18 17:01 .
 drwx------ 3 root root 4096 Jul 18 17:01 ..
 [root@ttmi-nms2 radacct]#

 Nada

 I have this in the radiusd.conf:

 prefix = /usr/local
 exec_prefix = ${prefix}
 sysconfdir = ${prefix}/etc
 localstatedir = ${prefix}/var
 sbindir = ${exec_prefix}/sbin
 logdir = ${localstatedir}/log/radius
 raddbdir = ${sysconfdir}/raddb
 radacctdir = ${logdir}/radacct

 and

   #  Log authentication requests to the log file.
 #
 #  allowed values: {no, yes}
 #
 auth = yes

 Any ideas?  Thanks!

 -jg
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
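The log section Prateek points at, as an added example for the question in this thread (it is not configuration from either poster or from the FreeRADIUS project; the logdir value is the one in the question, the option names are the stock 2.1.x ones, and the sample log lines in the comments are constructed). Two things the question runs into: the `auth = yes` line only has effect inside the `log { }` block, and radacct/ is not where authentications are logged. It holds the accounting detail files the `detail` module writes when a NAS sends Accounting-Request packets, so it stays empty on a server that only sees Access-Requests.

```conf
# radiusd.conf, 2.1.x "log" section  (added example; logdir is taken
# from the question, the sample log lines in comments are constructed)
logdir = /usr/local/var/log/radius

log {
    # files | syslog | stdout | stderr
    destination = files
    file = ${logdir}/radius.log

    # Only used when destination = syslog
    syslog_facility = daemon

    # Log the User-Name as the NAS sent it, not the realm-stripped form
    stripped_names = no

    # The switch the question is about.  Outside this block the line does
    # nothing.  With it on, every Access-Request produces one line like
    #   Wed Jul 18 17:01:23 2012 : Auth: Login OK: [joe-bob] (from client switch1 port 17)
    #   Wed Jul 18 17:01:30 2012 : Auth: Login incorrect: [daisy-duke] (from client switch1 port 17)
    auth = yes

    # Weak setting: also write the password offered to the log file.
    # auth_badpass = yes
    # auth_goodpass = yes
    #
    # Hardened: never put passwords in a log.  A mistyped password is very
    # often that user's valid password for something else, and radius.log
    # is read by more people and tools than the user store is.
    auth_badpass = no
    auth_goodpass = no
}
```

One more check before concluding that nothing is logged: if radiusd.conf sets `user`/`group` so the daemon drops root, that account must be able to create and write ${logdir}/radius.log. The directory listing in the question is root-owned with mode 0700, which a non-root radiusd cannot write into.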