Re: User-Name (machine\user) is not the same as MS-CHAP Name (user) from EAP-MSCHAPv2 error

2012-11-01 Thread Phil Mayers

On 01/11/12 11:22, Gokhan Gunyol wrote:

> Hi;
>
> We upgraded our radius to Freeradius 2.1.10 version on Ubuntu 32bit
> from an old version

Which old version.

> Our problem is windows xp clients can't login to wireless and radius has
> “User-Name (machine\user) is not the same as MS-CHAP Name (user) from
> EAP-MSCHAPv2” error messages

Ok.

> At the old version freeradius at exactly same configuration clients had
> not any problem

The mschap code has had some changes over the years. This might be one 
of them.

> You can find debug log export at below

This is an incomplete debug. It doesn't show the error message you refer 
to. Where is it?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_eap_ttls: Cannot tunnel EAP-Type/ttls inside of TTLS

2012-11-01 Thread Darren Shea
Thanks, Matt - that trick did allow radiusd to complete loading and run! 

I still have to tweak the proxy.conf file, and I'm crossing my fingers that
authentication will work as smoothly as it does on the already running
server, but at least radiusd now responds to authentication requests.
 
Thank you,
  Darren
  ECPI Western Broadband

-Original Message-

Date: Wed, 31 Oct 2012 21:32:00 +
From: Matthew Newton m...@leicester.ac.uk
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Subject: Re: rlm_eap_ttls: Cannot tunnel EAP-Type/ttls inside of TTLS
Message-ID: 20121031213200.gd6...@rootmail.cc.le.ac.uk
Content-Type: text/plain; charset=us-ascii

On Wed, Oct 31, 2012 at 03:55:29PM -0500, Darren Shea wrote:
 rlm_eap: Loaded and initialized type tls
  ttls: default_eap_type = ttls
  ttls: copy_request_to_tunnel = yes
  ttls: use_tunneled_reply = yes
 rlm_eap_ttls: Cannot tunnel EAP-Type/ttls inside of TTLS
 rlm_eap: Failed to initialize type ttls
...

  Module: Linked to sub-module rlm_eap_ttls
  Module: Instantiating eap-ttls
ttls {
 default_eap_type = ttls

Try setting that to something other than ttls. For instance, mschapv2,
to match your PEAP section.

Cheers,

Matthew


--
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk



End of Freeradius-Users Digest, Vol 91, Issue 1






Freeradius + OpenVPN Solution to Traffic Limitation

2012-11-01 Thread ToriTori
I need to limit the monthly traffic of OpenVPN users on my server. Example: 
After a 50G/month traffic limitation has been reached, the server will 
disconnect and reject connections from that user for that period of time.

Everything seems to point to Freeradius as the best solution! I'm just 
having problems finding any guidance on achieving this... could someone please 
instruct?

Thank you,
Chiappa


Re: Freeradius + OpenVPN Solution to Traffic Limitation

2012-11-01 Thread Alan DeKok
ToriTori wrote:
 I need to limit the monthly traffic of OpenVPN users on my server. Example: 
 After a 50G/month traffic limitation has been reached, the server will 
 disconnect and reject connections from that user for that period of time.
 
 Everything seems to point to Freeradius as the best solution! I'm just 
 having problems finding any guidance on achieving this... could someone please 
 instruct?

  Well, FreeRADIUS does RADIUS.  OpenVPN does VPN, including traffic limits.

  You may be able to use RADIUS to tell OpenVPN to limit traffic.  But
this requires:

a) configuring OpenVPN to do RADIUS authentication
b) configuring FreeRADIUS to authenticate the OpenVPN users
c) configuring FreeRADIUS to send back the attributes needed by OpenVPN

  For the last step, you'll need to consult the OpenVPN documentation
for which attributes are required / supported.

  Alan DeKok.


Re: Freeradius + OpenVPN Solution to Traffic Limitation

2012-11-01 Thread Fajar A. Nugraha
On Thu, Nov 1, 2012 at 9:23 PM, ToriTori cont...@toritori.fi wrote:
 I need to limit the monthly traffic of OpenVPN users on my server. Example: 
 After a 50G/month traffic limitation has been reached, the server will 
 disconnect

I don't think openvpn has support for that.

 and reject connections from that user for that period of time.

Should be possible. Assuming you know enough to integrate openvpn with radius.


 Everything seems to point to Freeradius as the best solution! I'm just 
 having problems finding any guidance on achieving this... could someone please 
 instruct?

On FR's side there is this: http://wiki.freeradius.org/modules/Rlm_sqlcounter

That's the easy part. The openvpn and radius integration part is the
hard one, and I'm afraid you need to look elsewhere. Try openvpn list,
or hire someone with experience implementing this.

-- 
Fajar


Re: Freeradius + OpenVPN Solution to Traffic Limitation

2012-11-01 Thread yegle
A naive way would be to use OpenVPN's radiusplugin to authenticate users with a 
RADIUS server. On the server side, use MySQL as the data backend. 

Then you'll be able to run a crontab at a reasonable frequency to disable users 
who have used up their quota already and reject new connections. 

If you need to kick users offline when a user has used up all their quota and is 
still connected, you may need to look into OpenVPN's management console. 

-- 
http://about.me/yegle


On Thursday, November 1, 2012 at 10:23, ToriTori wrote:

 I need to limit the monthly traffic of OpenVPN users on my server. Example: 
 After a 50G/month traffic limitation has been reached, the server will 
 disconnect and reject connections from that user for that period of time.
 
 Everything seems to point to Freeradius as the best solution! I'm just 
 having problems finding any guidance on achieving this... could someone please 
 instruct?
 
 Thank you,
 Chiappa
 
 



Re: Freeradius + OpenVPN Solution to Traffic Limitation

2012-11-01 Thread Fajar A. Nugraha
On Thu, Nov 1, 2012 at 9:39 PM, yegle cnye...@gmail.com wrote:
 A naive way would be to use OpenVPN's radiusplugin to authenticate users with a
 RADIUS server.

Correct. That's the first part of openvpn-radius integration. Which
works, and still somewhat easy enough.

 Then you'll be able to run a crontab at a reasonable frequency to disable
 users who have used up their quota already and reject new connections.

No need for that. That's what sqlcounter is for.

 If you need to kick users offline when a user has used up all their quota and is
 still connected, you may need to look into OpenVPN's management console.

This is probably the hardest part of the integration.

-- 
Fajar
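Fajar's sqlcounter pointer (here and in his earlier reply) turned into a concrete 50 GB/month cap, as an added example that is neither from the thread nor the config shipped with FreeRADIUS or the radiusplugin. It assumes 2.x module syntax, accounting from the OpenVPN radiusplugin landing in the standard MySQL radacct table, a configured "sql" module instance, and three local dictionary attributes whose numbers are placeholders.

```unlang
# raddb/dictionary: local attributes (assumed; the numbers are placeholders,
# pick ones that are free locally). Integer attributes are 32-bit, so the
# counter works in megabytes, not bytes; 50 GB in bytes would not fit.
ATTRIBUTE   Monthly-Traffic             3030    integer
ATTRIBUTE   Max-Monthly-Traffic         3031    integer
ATTRIBUTE   Monthly-Traffic-Remaining   3032    integer

# raddb/modules/monthly_traffic (2.x keywords; MySQL query)
sqlcounter monthly_traffic {
    counter-name = Monthly-Traffic
    check-name   = Max-Monthly-Traffic
    # 2.x copies the remaining quota into reply-name, whose default is
    # Session-Timeout; a VPN would read that as seconds, so send it in a
    # local attribute the NAS simply ignores.
    reply-name   = Monthly-Traffic-Remaining
    sqlmod-inst  = sql
    key          = User-Name
    reset        = monthly
    # %b = start of the current month, %k = the key attribute. Sessions
    # still open count only as far as the NAS's last interim update brought
    # acctsessiontime and the octet counters up to date.
    query = "SELECT SUM(acctinputoctets + acctoutputoctets) DIV 1048576 FROM radacct WHERE username = '%{%k}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
}

# raddb/users (or a radcheck row per user): the quota, 50 GB expressed in MB
DEFAULT     Max-Monthly-Traffic := 51200
            Fall-Through = Yes

# raddb/sites-available/default: run the counter after the check item has
# been loaded. It returns reject once Monthly-Traffic reaches the quota,
# which covers the "reject connections for that period" half of the question.
authorize {
    preprocess
    files
    sql
    monthly_traffic
    pap
}
```

A user who is already connected is not cut off by this; that still needs the OpenVPN management interface (or a NAS that accepts RFC 5176 Disconnect-Request packets), which is the part the replies above call the hard one.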


Re: Bypass SQLIPPOOL via variable?

2012-11-01 Thread Blake Covarrubias
On Nov 1, 2012, at 1:02 PM, bea...@gmail.com wrote:

 If they are coming in as a Virtual connection, drop out of SQLIPPOOL and 
 just let freeradius auth the connection and then let OpenVPN use its 
 predefined IP pool which we will in turn NAT?

This should be possible with a bit of unlang.

post-auth {
  if (NAS-Port-Type != Virtual) {
    sqlippool
  }
}

Or something of the sort. 'man 5 unlang' for more info.

--
Blake Covarrubias


Re: Bypass SQLIPPOOL via variable?

2012-11-01 Thread Jon Spriggs
Also, not wishing to drag this too much into the OpenVPN support
group, but you can make OpenVPN use p2p mode which will allocate IP
addresses from a /24 or greater, or you can assign individual IP
addresses with a script. Obviously, these are things to research in
the OpenVPN configuration pages.

Regards,
--
Jon The Nice Guy Spriggs


On 1 November 2012 20:28, Blake Covarrubias bl...@covarrubi.as wrote:
 On Nov 1, 2012, at 1:02 PM, bea...@gmail.com wrote:

 If they are coming in as a Virtual connection, drop out of SQLIPPOOL and 
 just let freeradius auth the connection and then let OpenVPN use its 
 predefined IP pool which we will in turn NAT?

 This should be possible with a bit of unlang.

 post-auth {
   if(NAS-Port-Type != Virtual){
 sqlippool
   }
 }

 Or something of the sort. 'man 5 unlang' for more info.

 --
 Blake Covarrubias


help with DHCP server functionality

2012-11-01 Thread Duane Cox
List:

Hello.  I have been working on this for a few days and have turned here
for help.

The server is listening on port 67 and when a DHCP packet comes in the
server processes it, but in debug mode it gives an error No Pool-Name
defined.

I have done some reading and I have added the following to the users
file (for testing purposes).

DEFAULT Pool-Name := main_pool
        Fall-Through = Yes

This doesn't seem to define the Pool-Name nor do I see where the server
is processing any sql queries to determine the Pool-Name either.

Am I mistaken?  I thought that I could get a DHCP packet to be
received/processed by the server and hand out a response.

Thanks in advance,
Duane Cox

debug:
Received DHCP-Discover of id 9daef956 from 10.11.156.70:68 to
10.12.100.90:67
DHCP-Opcode = Client-Message
DHCP-Hardware-Type = Ethernet
DHCP-Hardware-Address-Length = 6
DHCP-Hop-Count = 1
DHCP-Transaction-Id = 2645490006
DHCP-Number-of-Seconds = 56
DHCP-Flags = 0
DHCP-Client-IP-Address = 0.0.0.0
DHCP-Your-IP-Address = 0.0.0.0
DHCP-Server-IP-Address = 0.0.0.0
DHCP-Gateway-IP-Address = 10.11.152.62
DHCP-Client-Hardware-Address = 00:d0:b7:c0:f6:8a
DHCP-Message-Type = DHCP-Discover
DHCP-Parameter-Request-List = DHCP-Subnet-Mask
DHCP-Parameter-Request-List = DHCP-Broadcast-Address
DHCP-Parameter-Request-List = DHCP-Time-Offset
DHCP-Parameter-Request-List = DHCP-Router-Address
DHCP-Parameter-Request-List = DHCP-Domain-Name
DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
DHCP-Parameter-Request-List = DHCP-Hostname
server dhcp {
Trying sub-section dhcp DHCP-Discover {...}
+- entering group DHCP-Discover {...}
++[reply] returns noop
++[reply] returns noop
[mac2ip] Added DHCP-Your-IP-Address: '10.11.152.1' to reply_items 
++[mac2ip] returns ok
++- entering policy dhcp_sqlippool.post-auth {...}
expand: DHCP-%{DHCP-Client-Hardware-Address} -> DHCP-00:d0:b7:c0:f6:8a
expand: %{DHCP-Client-Hardware-Address} -> 00:d0:b7:c0:f6:8a
expand: %{DHCP-Gateway-IP-Address} -> 10.11.152.62
expand: %{%{DHCP-Gateway-IP-Address}:-127.0.0.1} -> 10.11.152.62
+++[request] returns ok
[dhcp_sqlippool] No Pool-Name defined.
[dhcp_sqlippool]expand: DHCP: No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) -> DHCP: No Pool-Name defined (did  cli 00:d0:b7:c0:f6:8a port  user DHCP-00:d0:b7:c0:f6:8a)
DHCP: No Pool-Name defined (did  cli 00:d0:b7:c0:f6:8a port  user DHCP-00:d0:b7:c0:f6:8a)
+++[dhcp_sqlippool] returns noop
+++? if (ok)
? Evaluating (ok) -> FALSE
+++? if (ok) -> FALSE
++- policy dhcp_sqlippool.post-auth returns noop
++[ok] returns ok
} # server dhcp
DHCP-Subnet-Mask = 255.255.255.192
DHCP-Router-Address = 10.11.152.62
DHCP-Domain-Name-Server = 4.2.2.1
DHCP-IP-Address-Lease-Time = 86400
DHCP-DHCP-Server-Identifier = 10.12.100.90
Sending DHCP-Offer of id 9daef956 to 10.11.152.62:68
Finished request 6.
Cleaning up request 6 ID -1649477290 with timestamp +219
Going to the next request
Ready to process requests.




Re: Bypass SQLIPPOOL via variable?

2012-11-01 Thread Alan Buxey
You can either use an unlang wrapper around the sqlippool to either skip it 
or to call another sqlippool instance, or (and maybe better) define a 
virtual-server instance for queries coming from openvpn and have a totally 
different config for them (this keeps the server functionality isolated for 
each use case... leading to sanity later on ;-) )

alan

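Alan's virtual-server option spelled out for 2.x, as an added example rather than anything from the thread or from the shipped configuration. The client address, shared secret and server name are placeholders, and it assumes the OpenVPN radiusplugin authenticates with PAP.

```unlang
# raddb/clients.conf: everything from the OpenVPN host is steered to its own
# virtual server by the client definition (address and secret are placeholders).
client openvpn-gw {
    ipaddr         = 192.0.2.10
    secret         = REPLACE_WITH_A_LONG_RANDOM_SECRET
    virtual_server = openvpn
}

# raddb/sites-available/openvpn (symlink it into sites-enabled/): a trimmed
# copy of the default server that never calls sqlippool, so OpenVPN keeps
# allocating from its own pool and the default server's sqlippool cannot
# touch these requests. Assumes the radiusplugin uses PAP.
server openvpn {
    authorize {
        preprocess
        sql
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
    accounting {
        sql
    }
    post-auth {
        # deliberately no sqlippool in this server
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

Running radiusd -X and checking that requests from 192.0.2.10 log "server openvpn {" rather than "server default {" confirms the routing before the NAT side is touched.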

Re: help with DHCP server functionality

2012-11-01 Thread Fajar A. Nugraha
On Fri, Nov 2, 2012 at 3:19 AM, Duane Cox duane...@gmail.com wrote:
 List:

 Hello.  I have been working on this for a few days and have turned here
 for help.

 The server is listening on port 67 and when a DHCP packet comes in the
 server processes it, but in debug mode it gives an error No Pool-Name
 defined.

 I have done some reading and I have added the following to the users
 file (for testing purposes).

 DEFAULT Pool-Name := main_pool
         Fall-Through = Yes

 This doesn't seem to define the Pool-Name nor do I see where the server
 is processing any sql queries to determine the Pool-Name either.

 Am I mistaken?  I thought that I could get a DHCP packet to be
 received/processed by the server and hand out a response.


My policy.conf has this:

#
#  Assign compatibility data to request for sqlippool
dhcp_sqlippool.post-auth {


#  Do some minor hacks to the request so that it looks
#  like a RADIUS request to the SQL IP Pool module.
update control {
Pool-Name = DHCP-default
}
update request {

#

... and my sites-available/dhcp has additional instructions:
#
#   * Create sqlippool table, if you haven't done so already.
#   * Import the schema (see sql/mysql/ipool.sql).
#   * Populate the records. At minimum each row must have
# Framed-IP-Address and Pool-Name = 'DHCP-default' (or whatever
# you set 'Pool-Name' to on policy.conf).
#   * If you want to use static IP allocation, create a row on
# radippol table with 'callingstationid' set to client's MAC
# address (e.g. '00:16:3E:02:15:6B') and expiry time far in the
# future (e.g. '3000-01-01 00:00:00').
#


Try updating your policy.conf and following those instructions.

If that works for you, I'll probably send a git pull request to update
instructions in the included config files.

-- 
Fajar