Wireless EAP-TLS Login from Notebook with User and PASSWORD
Hey there,

I've set up a freeradius server and am using EAP-TLS, and would need some help from you.

The users file contains the username and the password being allowed to connect after the TLS connection has been established, and this is working on an Android phone with no problems so far. There one can set up:

- CA Cert
- User Cert
- Login Name and
- Password

But I don't have an option to enter a password when I try to connect from the notebook, running Windows 7.

Is there an add-on tool one can use to deliver the password as well, or do I have to drop the user-pass auth from ttls completely?

FR is V2
EAP is set to allow TLS only
Users file contains cleartext password auth (used from ttls, which has been used before)

Thanks in advance and best regards
Martin

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wireless EAP-TLS Login from Notebook with User and PASSWORD
On 11/07/2012 08:33 AM, sierramailp...@gmx.de wrote:
> Hey there, I've set up a freeradius server and am using EAP-TLS, and would need some help from you.
> The users file contains the username and the password being allowed to connect after the TLS connection has been established, and this is working on an Android phone with no problems so far. One can set up CA Cert, User Cert, Login Name and Password. But I don't have an option to enter a password when I try to connect from the notebook, running Windows 7.

EAP-TLS doesn't *use* a username/password. Just the client cert.

If you want passwords, you want PEAP or TTLS.
Coa problem
Hello,

I have a problem with originate-coa. I want to send coa to mikrotik to change bandwidth, but if I do that I get the following error:

    (0)update coa {
    ASSERT FAILED evaluate.c[1154]: output_vps
    Aborted (core dumped)

I'm using freeradius version 3.0 (I have tried it with radius version 2.1.10, error was slightly different, got a segmentation fault).

Here is the code within sites-enabled/default:

    update coa {
        User-Name = %{User-Name}
        Acct-Session-Id = %{Acct-Session-Id}
        NAS-IP-Address = %{NAS-IP-Address}
        Framed-IP-Address = %{Framed-IP-Address}
        Mikrotik-Rate-Limit = 256K/256K
    }

This is sent from accounting { ... }. I put originate-coa in the sites-enabled and I have made the following config:

    home_server mikrotik-test-coa {
        type = coa

        #
        # Note that a home server of type coa MUST be a real NAS,
        # with an ipaddr or ipv6addr. It CANNOT point to a virtual
        # server.
        #
        ipaddr = 192.168.8.97
        port = 3799

        # This secret SHOULD NOT be the same as the shared
        # secret in a client section.
        secret = same as in clients.conf, because in the NAS it is the same

        # CoA specific parameters. See raddb/proxy.conf for details.
        coa {
            irt = 2
            mrt = 16
            mrc = 5
            mrd = 30
        }
    }

    server originate-coa.mikrotik {
        pre-proxy {
            #update proxy-request {
            #    NAS-IP-Address = 127.0.0.1
            #}
            ok
        }

        #
        # Handle the responses here.
        #
        post-proxy {
            switch %{proxy-reply:Packet-Type} {
                case CoA-ACK {
                    ok
                }

                case CoA-NAK {
                    # the NAS didn't like the CoA request
                    ok
                }

                case Disconnect-ACK {
                    ok
                }

                case Disconnect-NAK {
                    # the NAS didn't like the Disconnect request
                    ok
                }

                # Invalid packet type. This shouldn't happen.
                case {
                    fail
                }
            }

            #
            # These methods are run when there is NO response
            # to the request.
            #
            Post-Proxy-Type Fail-CoA {
                ok
            }

            Post-Proxy-Type Fail-Disconnect {
                ok
            }
        }
    }

I have tried many many different settings in originate-coa. When I use radclient I can send a coa with success.
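As an added illustration (not code from the thread or from FreeRADIUS), here is the CoA-Request that the update coa block above describes, built and verified by hand in Python per RFC 5176: the same kind of packet radclient sends, with the MikroTik rate limit carried as a Vendor-Specific attribute, plus the check a sender must do on the CoA-ACK/NAK that comes back. Assumed: vendor id 14988 and sub-attribute 8 for Mikrotik-Rate-Limit (from the MikroTik vendor dictionary) and a constructed shared secret.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS packet codes used by CoA (RFC 5176).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Standard attribute numbers (RFC 2865 / RFC 2866).
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44

# Assumption: MikroTik's enterprise number and the Mikrotik-Rate-Limit
# sub-attribute number as listed in the MikroTik vendor dictionary.
MIKROTIK_VENDOR_ID = 14988
MIKROTIK_RATE_LIMIT = 8


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_coa_request(identifier, secret, user_name, acct_session_id,
                      nas_ip, framed_ip, rate_limit):
    """Build the CoA-Request that the thread's 'update coa' block describes."""
    attrs = b"".join([
        avp(ATTR_USER_NAME, user_name.encode()),
        avp(ATTR_ACCT_SESSION_ID, acct_session_id.encode()),
        avp(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        avp(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed),
        vsa(MIKROTIK_VENDOR_ID, MIKROTIK_RATE_LIMIT, rate_limit.encode()),
    ])
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 section 3: Request Authenticator =
    # MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_coa_response(code, request, secret, attrs=b""):
    """What a correctly behaving NAS sends back (CoA-ACK or CoA-NAK):
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_response(response, request, secret):
    """Accept a reply only if it matches the outstanding request and its
    Response Authenticator proves knowledge of the shared secret."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or code not in (COA_ACK, COA_NAK) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header; VSAs are keyed (vendor, type)."""
    out = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + length]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            out[(vendor, vendor_type)] = value[6:4 + vendor_len]
        else:
            out[attr_type] = value
        pos += length
    return out


if __name__ == "__main__":
    # Constructed sample values mirroring the thread's debug output.
    req = build_coa_request(7, b"testing123", "Groen", "80e1",
                            "192.168.8.97", "10.0.1.199", "256K/256K")
    print(req.hex())
    print(parse_attributes(req))
```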
Re: EAP-SIM authentication failed
Didn't you make another fix afterward regarding AT_IDENTITY (commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde)? Not the patch from Microsoft. I know I have to patch the 2.2.0 source in our RPMs with this commit otherwise it fails ;)

On 2012-11-06, at 10:15 AM, Alan DeKok wrote:
> Phil Mayers wrote:
> > Was that after 2.2.0 was released?
>
> No, before.
>
> Alan DeKok.
Re: Coa problem
On 7 Nov 2012, at 11:25, Mixmasterontour PureDJ mixmasteront...@hotmail.com wrote:
> Hello,
> I have a problem with originate-coa. I want to send coa to mikrotik to change bandwidth, but if I do that I get the following error:
>
>     (0)update coa {
>     ASSERT FAILED evaluate.c[1154]: output_vps
>     Aborted (core dumped)

Can haz backtrace plz? Or that core dump file if you know where it went...

-Arran
Re: No EAP Start, assuming it's an on-going EAP conversation
Maybe is that Samba bug? The one that makes it apparently work:

    [mschap] adding MS-CHAPv2 MPPE keys
    ++[mschap] returns ok
    MSCHAP Success

but the client refuses to go on? I can't search the archive right now, but I think it would be useful to know the Samba version.

2012/11/7 Matthew Newton m...@leicester.ac.uk
> On Tue, Nov 06, 2012 at 10:59:45PM -, dvmp wrote:
> > [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3213a667f5405fe084a9e7291e326e0f0c68ce28482c998a
> > Exec-Program output: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
> > Exec-Program-Wait: plaintext: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
> > Exec-Program: returned: 0
> > [mschap] adding MS-CHAPv2 MPPE keys
> > ++[mschap] returns ok
> > MSCHAP Success
> > ++[eap] returns handled
>
> OK, mschap seems to succeed.
>
> > } # server inner-tunnel
> > [peap] Got tunneled reply code 11
> > ...
> > [peap] Got tunneled Access-Challenge
> > ++[eap] returns handled
> > Sending Access-Challenge of id 173 to ip_AP_cisco port 1645
> >         EAP-Message = 0x0109005b190017030100505317a8177c77666155012c3211bf6b1c09ef17d29e1bb1fdcf91ae82bf7dc5baae0e670350b67151aefb6bc5e1f18861cd55c6cdb04a829d8d59349be4ae0f68a1ccd3f6714ea7a663b7c98ff3904cf9
> >         Message-Authenticator = 0x
> >         State = 0x2bebcbfd2de2d2392b8b84ab35544cf2
> > Finished request 386.
> > Going to the next request
> > Waking up in 4.9 seconds.
>
> Client is sent the access challenge for the user's device with the mschap success.
>
> > rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=174, length=167
> >         User-Name = DOMAIN\\userADaccount
> >         Framed-MTU = 1400
> >         Called-Station-Id = 003a.994b.fd40
> >         Calling-Station-Id = e02a.8255.86ba
> >         Service-Type = Login-User
> >         Message-Authenticator = 0xbfbafd91f0c8db0b664454958ff46920
> >         EAP-Message = 0x020200190153554d4f4c434f4d50414c5c5343313031383536
>
> User's device sends back an EAP Identity
>
> > [eap] EAP packet type response id 2 length 25
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
>
> Which is why this isn't picked up as part of the previous PEAP conversation, so the client isn't sent an Access-Accept
>
> > ...
> > Exec-Program: returned: 0
> > [mschap] adding MS-CHAPv2 MPPE keys
> > ++[mschap] returns ok
> > MSCHAP Success
> > ++[eap] returns handled
> > } # server inner-tunnel
> > ...
> > ++[eap] returns handled
> > Sending Access-Challenge of id 180 to ip_AP_cisco port 1645
> >         EAP-Message = 0x0109005b190017030100502f79f75d930239412dc6c2abfbbed6c6930ef8ed21bedee2d9729a2a1c987a285ddfd23ef4379fa1e6bf44ffa1eb1d08f8a24c50606ba462b9cbdf8c68923e5272a032112af4c2f1af939b470d00b30b
> >         Message-Authenticator = 0x
> >         State = 0xf9273f5cff2e268144e0f611590a6390
> > Finished request 393.
> > Going to the next request
> > Waking up in 2.4 seconds.
>
> ... repeat of last time.
>
> The client has given up (that much is certain), so check EAP logs on the client. If it's Windows, you probably don't stand much of a chance of getting much useful (easy to read) logs. Check things like certificates expiring (but it doesn't sound like this).
>
> But first I'd restart winbind and see if it all works again. Then check your domain join (net ads testjoin or similar). I've seen similar before when everything individually worked OK, but the clients didn't like something that was sent back. [0]
>
> I think something has broken with the domain join, or winbind - it isn't at all obvious, but the client doesn't like it. You could also try re-joining the server to the domain.
>
> Oh, and you want to upgrade FreeRADIUS to 2.2.0; there's a security vulnerability in anything older.
>
> Cheers
>
> Matthew
>
> [0] http://notes.asd.me.uk/2011/01/11/freeradius-and-ntlm_auth-reminder-from-a-silent-failure/
>
> --
> Matthew Newton, Ph.D. m...@le.ac.uk
> Systems Architect (UNIX and Networks), Network Services, I.T. Services,
> University of Leicester, Leicester LE1 7RH, United Kingdom
> For IT help contact helpdesk extn. 2253, ith...@le.ac.uk

--
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone: +34 - 94 413 90 00 Ext 2684
Fax: +34 - 94 413 91 01
RE: EAP-SIM authentication failed
Hi guys,

Thanks for your help. After reading your suggestions, I installed a new version of FreeRADIUS (FreeRADIUS 2.2.1). I haven't worked with the patch yet (I'm going to do that later) but, just to show what I got with the new version 2.2.1 and changing the content of the simtriplets.dat:

1st case: simtriplets.dat looks like the following (imsi,rand,sres,kc) (3 different rand...)

    19017653,0123456789abcdef0123456789abcdef,0227bc86,44168f1de9259000
    19017653,0123456789abcdef0123456789abcde0,725bb218,25903c082654b400
    19017653,0123456789abcdef0123456789abcd18,ed404256,bc871da6ae8edc00
    19017653,0123456789abcdef0123456789abcd88,6695bd6e,58788a55e9052000

I got the same failure as before: after sending the 2nd access challenge, the server is waiting for the 3rd access request and doesn't get anything -- authentication failed.

    . . .
    Listening on authentication address * port 1812
    Listening on accounting address * port 1813
    Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
    Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.10.212 port 38803, id=29, length=238
            Service-Type = Framed-User
            Framed-MTU = 1400
            User-Name = 19017653
            NAS-Port-Id = ap_hotspot
            NAS-Port-Type = Wireless-802.11
            Acct-Session-Id = 822e
            Acct-Multi-Session-Id = 00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E
            Calling-Station-Id = A8-7E-33-3E-9C-5B
            Called-Station-Id = 00-0C-42-64-41-9D:YANN
            EAP-Message = 0x020100150131393031373030303030303030363533
            Message-Authenticator = 0xcf4e5f6429686cc260b16bd23d82489f
            NAS-Identifier = MT_Yann
            NAS-IP-Address = 192.168.10.212
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    rlm_sim_files: authorized user/imsi 19017653
    rlm_sim_files: Adding EAP-Type: eap-sim
    ++[sim_files] returns ok
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = 19017653, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] EAP packet type response id 1 length 21
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = EAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type sim
    [eap] Underlying EAP-Type set EAP ID to 108
    ++[eap] returns handled
    Sending Access-Challenge of id 29 to 192.168.10.212 port 38803
            EAP-Message = 0x016c0014120a0f020002000111010100
            Message-Authenticator = 0x
            State = 0x870e2a6987623891aa6e49c2b1bcc9b6
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.10.212 port 50478, id=30, length=287
            Service-Type = Framed-User
            Framed-MTU = 1400
            User-Name = 19017653
            State = 0x870e2a6987623891aa6e49c2b1bcc9b6
            NAS-Port-Id = ap_hotspot
            NAS-Port-Type = Wireless-802.11
            Acct-Session-Id = 822e
            Acct-Multi-Session-Id = 00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E
            Calling-Station-Id = A8-7E-33-3E-9C-5B
            Called-Station-Id = 00-0C-42-64-41-9D:YANN
            EAP-Message = 0x026c0034120a0705c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533
            Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f
            NAS-Identifier = MT_Yann
            NAS-IP-Address = 192.168.10.212
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    rlm_sim_files: authorized user/imsi 19017653
    rlm_sim_files: Adding EAP-Type: eap-sim
    ++[sim_files] returns ok
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = 19017653, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] EAP packet type response id 108 length 52
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = EAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/sim
    [eap] processing type sim
    +++ EAP-sim decoded packet:
            Service-Type = Framed-User
            Framed-MTU = 1400
            User-Name = 19017653
            State = 0x870e2a6987623891aa6e49c2b1bcc9b6
            NAS-Port-Id = ap_hotspot
Dynamic Home Server For Sending CoA
Hi,

I have a problem with home servers for sending CoA packets. This service works fine, but I have clients in sql (rlm_sql). When NAS are in sql, home servers for configuring coa must be in sql too. But now they are defined statically in a text file. Is there some way to change this? Or did I overlook some configuration options or functionality?

Stanislav Lorenc
RE: Coa problem
The core dump was off; now when I enable the coredumps radiusd won't dump anymore. Every other program dumps with SEGV signal, but radiusd won't, so I don't know how to get a dump.

Now it aborts with:

    (0)update coa {
    ASSERT FAILED evaluate.c[1154]: output_vps
    Aborted

Thanks in advance
Re: Dynamic Home Server For Sending CoA
On 7 Nov 2012, at 13:52, Stanislav Lorenc stanislav.lor...@cernovice.net wrote:
> Hi,
> I have a problem with home servers for sending CoA packets. This service works fine, but I have clients in sql (rlm_sql). When NAS are in sql, home servers for configuring coa must be in sql too. But now they are defined statically in a text file. Is there some way to change this? Or did I overlook some configuration options or functionality?

No, dynamic home servers are not currently supported.

-Arran
Re: Coa problem
Mixmasterontour PureDJ wrote:
> The core dump was off; now when I enable the coredumps radiusd won't dump anymore. Every other program dumps with SEGV signal, but radiusd won't, so I don't know how to get a dump.
>
> Now it aborts with:
>
>     (0)update coa {
>     ASSERT FAILED evaluate.c[1154]: output_vps
>     Aborted

I've pushed a fix. It should not have been an assert.

Alan DeKok.
Cannot Authenticate Local User
Hi,

I am new to using FreeRadius and I need help trying to authenticate a local user account using FreeRadius. I have installed FreeRadius 2.1.12 on Centos 6.3.

I have created a local user with the following details:

    Username : rtest
    Password : rtest

When I use the radtest rtest rtest localhost 0 testing123 I receive an Access-Reject packet.

Output:

    [root@localhost Downloads]# radtest rtest rtest localhost 0 testing123
    Sending Access-Request of id 24 to 127.0.0.1 port 1812
            User-Name = rtest
            User-Password = rtest
            NAS-IP-Address = 127.0.0.1
            NAS-Port = 0
            Message-Authenticator = 0x
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=24, length=20

I am using the default configuration as below:

Output:

    [root@localhost raddb]# radiusd -X
    FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Jun 22 2012 at 11:10:43
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /etc/raddb/radiusd.conf
    including configuration file /etc/raddb/proxy.conf
    including configuration file /etc/raddb/clients.conf
    including files in directory /etc/raddb/modules/
    including configuration file /etc/raddb/modules/mac2ip
    including configuration file /etc/raddb/modules/dynamic_clients
    including configuration file /etc/raddb/modules/checkval
    including configuration file /etc/raddb/modules/smsotp
    including configuration file /etc/raddb/modules/rediswho
    including configuration file /etc/raddb/modules/realm
    including configuration file /etc/raddb/modules/policy
    including configuration file /etc/raddb/modules/ippool
    including configuration file /etc/raddb/modules/wimax
    including configuration file /etc/raddb/modules/logintime
    including configuration file /etc/raddb/modules/replicate
    including configuration file /etc/raddb/modules/radutmp
    including configuration file /etc/raddb/modules/preprocess
    including configuration file /etc/raddb/modules/mschap
    including configuration file /etc/raddb/modules/ntlm_auth
    including configuration file /etc/raddb/modules/digest
    including configuration file /etc/raddb/modules/echo
    including configuration file /etc/raddb/modules/perl
    including configuration file /etc/raddb/modules/pap
    including configuration file /etc/raddb/modules/exec
    including configuration file /etc/raddb/modules/always
    including configuration file /etc/raddb/modules/redis
    including configuration file /etc/raddb/modules/counter
    including configuration file /etc/raddb/modules/attr_filter
    including configuration file /etc/raddb/modules/sradutmp
    including configuration file /etc/raddb/modules/linelog
    including configuration file /etc/raddb/modules/inner-eap
    including configuration file /etc/raddb/modules/expiration
    including configuration file /etc/raddb/modules/passwd
    including configuration file /etc/raddb/modules/etc_group
    including configuration file /etc/raddb/modules/detail.example.com
    including configuration file /etc/raddb/modules/detail.log
    including configuration file /etc/raddb/modules/mac2vlan
    including configuration file /etc/raddb/modules/otp
    including configuration file /etc/raddb/modules/opendirectory
    including configuration file /etc/raddb/modules/smbpasswd
    including configuration file /etc/raddb/modules/acct_unique
    including configuration file /etc/raddb/modules/detail
    including configuration file /etc/raddb/modules/chap
    including configuration file /etc/raddb/modules/expr
    including configuration file /etc/raddb/modules/cui
    including configuration file /etc/raddb/modules/attr_rewrite
    including configuration file /etc/raddb/modules/soh
    including configuration file /etc/raddb/modules/files
    including configuration file /etc/raddb/modules/unix
    including configuration file /etc/raddb/modules/pam
    including configuration file /etc/raddb/modules/sql_log
    including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
    including configuration file /etc/raddb/eap.conf
    including configuration file /etc/raddb/policy.conf
    including files in directory /etc/raddb/sites-enabled/
    including configuration file /etc/raddb/sites-enabled/control-socket
    including configuration file /etc/raddb/sites-enabled/inner-tunnel
    including configuration file /etc/raddb/sites-enabled/default
    main {
            user = radiusd
            group = radiusd
            allow_core_dumps = no
    }
    including dictionary file /etc/raddb/dictionary
RE: Coa problem
Small update. I have run radiusd -X in gdb and get this as result:

    (0)update coa {
    ASSERT FAILED evaluate.c[1154]: output_vps

    Program received signal SIGABRT, Aborted.
    0x76b97425 in raise () from /lib/x86_64-linux-gnu/libc.so.6

Hope this gives some ideas?
RE: Coa problem
Thanks, this is much better, it won't crash anymore. It doesn't work yet, but now I have something to search for. I get this error, maybe someone knows where to look:

    (1) update coa {
    (1) WARNING: List 'coa' doesn't exist for this packet
    (1) } # update coa = invalid

As far as I can make out, it's not allowed to use coa here, but I could use a coa update in accounting { .. }, can I?
Mysql, Accounting and DialupAdmin
Hi Folks

I succeeded in getting my setup running with FR 2.2.0 and MySQL, e.g. I can connect through a ZyXEL NWA 3160 using credentials in the MySQL database using a M$ Windows 7 client. Everything is still quite raw and blurry to me. Could someone point me to the right docs for the following?

1) I had to enter cleartext passwords into the mysql database, apparently other formats were not accepted.

2) I could see login and logout information, but no data usage, e.g. download and upload sizes appear to be zeroes.

    mysql> select username,acctstarttime,acctstoptime,acctoutputoctets,acctoutputoctets from radacct;
    +----------+---------------------+---------------------+------------------+------------------+
    | username | acctstarttime       | acctstoptime        | acctoutputoctets | acctoutputoctets |
    +----------+---------------------+---------------------+------------------+------------------+
    | test     | 2012-11-07 15:09:47 | 2012-11-07 15:15:48 |                0 |                0 |
    | test     | 2012-11-07 15:15:48 | 2012-11-07 15:25:02 |                0 |                0 |
    | test     | 2012-11-07 15:25:32 | 2012-11-07 15:41:52 |                0 |                0 |
    +----------+---------------------+---------------------+------------------+------------------+

Thanks for hints

Erich Titl
RE: Coa problem
I have been searching, but to be honest, I have no clue what I'm doing wrong here. Tried some different sections (authenticate, preacct etc.) but all give the same warning. What do I do wrong?
Re: Cannot Authenticate Local User
On Wed, Nov 07, 2012 at 04:16:23PM +0200, Manjith Gajadhar wrote:
> I am new to using FreeRadius and I need help trying to authenticate a local user account using FreeRadius. I have installed FreeRadius 2.1.12 on Centos 6.3. I have created a local user with the following details:

Created a 'local user' how? Added an entry to the users file? (In which case, did you add it to the top?)

> [root@localhost raddb]# radiusd -X
> FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Jun 22 2012 at 11:10:43
> ...
> Listening on accounting address * port 1813
> Listening on command file /var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.

You've missed the rest of the log off that contains the actual authentication attempt, so we can't see what's broken.

Try again with

    rtest   Cleartext-Password := rtest

at the top of the users file.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Coa problem
Mixmasterontour PureDJ wrote:
> I have been searching, but to be honest, I have no clue what I'm doing wrong here. Tried some different sections (authenticate, preacct etc.) but all give the same warning. What do I do wrong?

Nothing. I'll see if I can push a fix.

Alan DeKok.
RE: Coa problem
> Nothing. I'll see if I can push a fix.
>
> Alan DeKok.

Thanks! If I could assist with something, let me know..
Re: Coa problem
Mixmasterontour PureDJ wrote:
> I have been searching, but to be honest, I have no clue what I'm doing wrong here. Tried some different sections (authenticate, preacct etc.) but all give the same warning.

I've pushed a fix. Please test it.

Alan DeKok.
RE: Coa problem
> I've pushed a fix. Please test it.
>
> Alan DeKok.

Thanks Alan, I've run the test. It passes the output_vps test, however I get a segmentation fault:

    (0) expand: %{User-Name} -> Groen
    (0) expand: %{Acct-Session-Id} -> 80e1
    (0) expand: %{NAS-IP-Address} -> 192.168.8.97
    (0) expand: %{Framed-IP-Address} -> 10.0.1.199
    Segmentation fault

Strange thing is that in my update coa I have those variables but also Mikrotik-Rate-Limit = 256K/256K, which you won't see in the output. But when I comment out the line Mikrotik-Rate-Limit = 256K/256K I get the same output and result (segmentation fault).

This is the update coa code:

    update coa {
        User-Name = %{User-Name}
        Acct-Session-Id = %{Acct-Session-Id}
        NAS-IP-Address = %{NAS-IP-Address}
        Framed-IP-Address = %{Framed-IP-Address}
        Mikrotik-Rate-Limit = 256K/256K
    }
RE: Coa problem
> I've pushed a fix. Please test it.
>
> Alan DeKok.

Some extra info from gdb, I don't know if this is useful:

    (gdb) exec-file /usr/local/sbin/radiusd -X
    (gdb) r
    Starting program: /usr/local/sbin/radiusd -f
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library /lib/x86_64-linux-gnu/libthread_db.so.1.
    [New Thread 0x7307e700 (LWP 10291)]
    [Thread 0x7307e700 (LWP 10291) exited]
    [New Thread 0x7307e700 (LWP 10292)]
    [New Thread 0x7173e700 (LWP 10293)]
    [New Thread 0x70f3d700 (LWP 10294)]
    [New Thread 0x7fffebfff700 (LWP 10295)]
    [New Thread 0x7fffeb7fe700 (LWP 10296)]

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7fffebfff700 (LWP 10295)]
    0x0044d747 in ?? ()
    (gdb) info threads
      Id   Target Id                                  Frame
      7    Thread 0x7fffeb7fe700 (LWP 10296) radiusd  0x7778afd0 in sem_wait () from /lib/x86_64-linux-gnu/libpthread.so.0
    * 6    Thread 0x7fffebfff700 (LWP 10295) radiusd  0x0044d747 in ?? ()
      5    Thread 0x70f3d700 (LWP 10294) radiusd      0x7778afd0 in sem_wait () from /lib/x86_64-linux-gnu/libpthread.so.0
      4    Thread 0x7173e700 (LWP 10293) radiusd      0x7778afd0 in sem_wait () from /lib/x86_64-linux-gnu/libpthread.so.0
      3    Thread 0x7307e700 (LWP 10292) radiusd      0x7778afd0 in sem_wait () from /lib/x86_64-linux-gnu/libpthread.so.0
      1    Thread 0x77fef700 (LWP 10288) radiusd      0x76c4e023 in select () from /lib/x86_64-linux-gnu/libc.so.6
    (gdb) bt
    #0  0x0044d747 in ?? ()
    #1  0x7fffebffdc90 in ?? ()
    #2  0x0087d300 in ?? ()
    #3  0x in ?? ()
    (gdb) thread apply all bt full

    Thread 7 (Thread 0x7fffeb7fe700 (LWP 10296)):
    #0  0x7778afd0 in sem_wait () from /lib/x86_64-linux-gnu/libpthread.so.0
    No symbol table info available.
    #1  0x0043599a in ?? ()
    No symbol table info available.
    #2  0x in ?? ()
    No symbol table info available.

    Thread 6 (Thread 0x7fffebfff700 (LWP 10295)):
    #0  0x0044d747 in ?? ()
    No symbol table info available.
    #1  0x7fffebffdc90 in ?? ()
    No symbol table info available.
    #2  0x0087d300 in ?? ()
    No symbol table info available.
    #3  0x in ?? ()
    No symbol table info available.

    Thread 5 (Thread 0x70f3d700 (LWP 10294)):
    #0  0x7778afd0 in sem_wait () from /lib/x86_64-linux-gnu/libpthread.so.0
    No symbol table info available.
    #1  0x0043599a in ?? ()
    No symbol table info available.
    #2  0x in ?? ()
    No symbol table info available.

    Thread 4 (Thread 0x7173e700 (LWP 10293)):
    #0  0x7778afd0 in sem_wait () from /lib/x86_64-linux-gnu/libpthread.so.0
    No symbol table info available.
    #1  0x0043599a in ?? ()
    No symbol table info available.
    #2  0x in ?? ()
    No symbol table info available.

    Thread 3 (Thread 0x7307e700 (LWP 10292)):
    #0  0x7778afd0 in sem_wait () from /lib/x86_64-linux-gnu/libpthread.so.0
    No symbol table info available.
    #1  0x0043599a in ?? ()
    No symbol table info available.
    #2  0x0004 in ?? ()
    No symbol table info available.
    #3  0x0089bcc0 in ?? ()
    No symbol table info available.
    #4  0x7287e000 in ?? ()
    No symbol table info available.
    #5  0x0089bcc0 in ?? ()
    No symbol table info available.
    #6  0x in ?? ()
    No symbol table info available.
    ---Type <return> to continue, or q <return> to quit---

    Thread 1 (Thread 0x77fef700 (LWP 10288)):
    #0  0x76c4e023 in select () from /lib/x86_64-linux-gnu/libc.so.6
    No symbol table info available.
    #1  0x77bc4c3d in fr_event_loop (el=0x882aa0) at event.c:391
            i = 5
            rcode = 1
            maxfd = 17
            when = {tv_sec = 0, tv_usec = 328971}
            wake = 0x7fffe4d0
            read_fds = {fds_bits = {253952, 0 <repeats 15 times>}}
            master_fds = {fds_bits = {253952, 0 <repeats 15 times>}}
    #2  0x0044654f in ?? ()
    No symbol table info available.
    #3  0x7fffe610 in ?? ()
    No symbol table info available.
    #4  0x0042f3c7 in ?? ()
    No symbol table info available.
    #5  0x7fffe6f8 in ?? ()
    No symbol table info available.
    #6  0x00022800 in ?? ()
    No symbol table info available.
    #7  0x0042f6ae in ?? ()
    No symbol table info available.
    #8  0x in ?? ()
    No symbol table info available.

Hope this helps a bit
Re: Coa problem
Mixmasterontour PureDJ wrote:
> I've run the test. It passes the output_vps test, however I get a segmentation fault
>
> (0) expand: %{User-Name} -> Groen
> (0) expand: %{Acct-Session-Id} -> 80e1
> (0) expand: %{NAS-IP-Address} -> 192.168.8.97
> (0) expand: %{Framed-IP-Address} -> 10.0.1.199
> Segmentation fault

Well, that's a typo. I've pushed another fix.

Alan DeKok.
RE: ntlm_auth child domain
Hi,

Just to update: I was able to do what I intended to. Here is what I did. In the authenticate section of inner-tunnel and default I added this:

Auth-Type MS-CHAP {
    group {
        mschap {
            reject = 1
            ok = return
        }
        mschap_tata {
            reject = 1
            ok = return
        }
        mschap_toto {
            ok = return
        }
    }
}

And in the mschap module I added:

mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-%{Realm}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

mschap mschap_tata {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-tata} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

mschap mschap_toto {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-toto} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

Also added in proxy.conf:

realm tata {
}

realm toto {
}

With this I was able to do what I wanted: I am able to permit users from both domains whether they write their user like tata\username, toto\username or just username. I was also able to do PEAP authentication by just using the documentation. Now I'm looking at LDAP to check the group membership of users and only permit certain groups and/or send attributes to those groups.

Thank you

Yannick Ménard

--
This e-mail has been filtered by ModusGate and Webshield to certify it as legitimate and virus-free.
Re: Mysql, Accounting and DialupAdmin
On Wed, Nov 7, 2012 at 10:16 PM, Erich Titl erich.t...@think.ch wrote:
> Hi Folks
>
> I succeeded to get my setup running with FR 2.2.0 and MySQL, e.g. I can connect through a ZyXEL NWA 3160 using credentials in the MySQL database using a M$ Windows 7 client.
>
> Everything is still quite raw and blurry to me. Could someone point me to the right docs for the following?
>
> 1) I had to enter a cleartext password into the mysql database, apparently other formats were not accepted

Because you use a Windows client, which defaults to EAP-MSCHAPv2. See http://deployingradius.com/documents/protocols/compatibility.html

If your main concern is "I don't want to store cleartext passwords in the db", you should be able to use NT-Password. Search the list archive, there's a recent thread about this.

> 2) I could see login and logout information, but no data usage, e.g. download and upload sizes appear to be zeroes.

Some NAS (e.g. APs flashed with dd-wrt) simply don't send accounting packets. Blame your NAS :P ... or to be more accurate, look at your NAS documentation (or ask the vendor) how to get it to send accounting packets.

--
Fajar
Re: No EAP Start, assuming it's an on-going EAP conversation
Sending tunneled request
        EAP-Message = 0x0208004f1a0208004a319afcbf0d90146863dcce62e55cbf6b263213a667f5405fe084a9e7291e326e0f0c68ce28482c998a0053554d4f4c434f4d50414c5c5343313031383536
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = DOMAIN\\userADaccount
        State = 0xc282d9b6c28ac325c2d75d655a3b20bb

EAP-Message parsed:
02                                                  Code = 2 (EAP-Response)
08                                                  Identifier = 8
00 4f                                               Length = 79
1a                                                  Type = 26 (EAP-MSCHAPv2)
02                                                  Opcode = 2 (Response)
08                                                  MS-CHAP-v2-Id = 8
00 4a                                               MS-Length = 74
31                                                  Value-Size = 49
9a fc bf 0d 90 14 68 63 dc ce 62 e5 5c bf 6b 26     Peer-Challenge
00 00 00 00 00 00 00 00                             Reserved
32 13 a6 67 f5 40 5f e0 84 a9 e7 29 1e 32 6e 0f
0c 68 ce 28 48 2c 99 8a                             NT-Response
00                                                  Flags = 0
53 55 4d 4f 4c 43 4f 4d 50 41 4c 5c 53 43 31 30
31 38 35 36                                         Name = SUMOLCOMPAL\SC101856

[peap] Got tunneled reply code 11
        EAP-Message = 0x010900331a0308002e533d4436464245433343433334343334373542443835343334333432373745313831384243414639333030
        Message-Authenticator = 0x
        State = 0xc282d9b6c38bc325c2d75d655a3b20bb

EAP-Message parsed:
01                                                  Code = 1 (EAP-Request)
09                                                  Identifier = 9
00 33                                               Length = 51
1a                                                  Type = 26 (EAP-MSCHAPv2)
03                                                  Opcode = 2 (Success)
08                                                  MS-CHAP-v2-Id = 8
00 2e                                               MS-Length = 46
53 3d 44 36 46 42 45 43 33 43 43 33 34 34 33 34
37 35 42 44 38 35 34 33 34 33 34 32 37 45 31 38
31 38 42 43 41 46 39 33 30 30                       Message = S=D6FBEC3CC3443475BD854343427E1818BCAF9300

MSCHAPv2 is a mutual authentication protocol. The supplicant has interrupted the authentication process just after it received the EAP-MSCHAPv2 Success request packet. It means that the Success request packet was not calculated using the proper user password. In other words, the user password available at the supplicant and at the authentication server does not match.
Re: EAP-SIM authentication failed
I have the same problem with a Nokia E51 handset. EAP-SIM authentication is interrupted by the Nokia supplicant. Unfortunately there is no useful diagnostic on the handset. On the other hand, EAP-SIM authentication succeeds when I use wpa_supplicant on Windows with a smart card reader and the same SIM card I've used with the Nokia handset. Unfortunately I have neither an iPhone nor a Windows-based handset to test EAP-SIM against.

Yann R. Moupinda wrote:
> I got the same failure as before: after sending the 2nd access challenge, the server is waiting for the 3rd access request and doesn't get anything -- authentication failed
Re: Mysql, Accounting and DialupAdmin
Hi Fajar

on 08.11.2012 03:35, Fajar A. Nugraha wrote:
> On Wed, Nov 7, 2012 at 10:16 PM, Erich Titl erich.t...@think.ch wrote:
>> Hi Folks
>>
>> I succeeded to get my setup running with FR 2.2.0 and MySQL, e.g. I can connect through a ZyXEL NWA 3160 using credentials in the MySQL database using a M$ Windows 7 client.
>>
>> Everything is still quite raw and blurry to me. Could someone point me to the right docs for the following?
>>
>> 1) I had to enter a cleartext password into the mysql database, apparently other formats were not accepted
>
> Because you use a Windows client, which defaults to EAP-MSCHAPv2. See http://deployingradius.com/documents/protocols/compatibility.html
>
> If your main concern is "I don't want to store cleartext passwords in the db", you should be able to use NT-Password. Search the list archive, there's a recent thread about this.

Thanks, I read that URL, actually that one guided me to enter a Cleartext-Password at all.

mysql> select * from radcheck;
+----+----------+--------------------+----+----------------------------------+
| id | username | attribute          | op | value                            |
+----+----------+--------------------+----+----------------------------------+
|  1 | test     | MD5-Password       | := | 81dc9bdb52d04dc20036dbd8313ed055 |
|  2 | test     | NT-Password        | := | 7CE21F17C0AEE7FB9CEBA532D0546AD6 |
|  3 | test     | Cleartext-Password | := | 1234                             |
+----+----------+--------------------+----+----------------------------------+

>> 2) I could see login and logout information, but no data usage, e.g. download and upload sizes appear to be zeroes.
>
> Some NAS (e.g. APs flashed with dd-wrt) simply don't send accounting packets. Blame your NAS :P

:-( Do you have a recommendation for APs that pass this information?

> ... or to be more accurate, look at your NAS documentation (or ask the vendor) how to get it to send accounting packets.

It is a ZyXEL, so basically a black box, even to the local vendor.

Thanks
Erich
Re: Mysql, Accounting and DialupAdmin
On Thu, Nov 8, 2012 at 2:08 PM, Erich Titl erich.t...@think.ch wrote:
> Thanks, I read that URL, actually that one guided me to enter a Cleartext-Password at all.

See the column labeled "NT hash"?

> mysql> select * from radcheck;
> +----+----------+--------------------+----+----------------------------------+
> | id | username | attribute          | op | value                            |
> +----+----------+--------------------+----+----------------------------------+
> |  1 | test     | MD5-Password       | := | 81dc9bdb52d04dc20036dbd8313ed055 |
> |  2 | test     | NT-Password        | := | 7CE21F17C0AEE7FB9CEBA532D0546AD6 |
> |  3 | test     | Cleartext-Password | := | 1234                             |
> +----+----------+--------------------+----+----------------------------------+

IIRC only one of them will be used. I suggest you drop MD5 (since it's useless for your purpose) and Cleartext (you don't want that, right?) and verify you use the correct NT-Password (use smbencrypt if you haven't already done so).

>>> 2) I could see login and logout information, but no data usage, e.g. download and upload sizes appear to be zeroes.
>>
>> Some NAS (e.g. APs flashed with dd-wrt) simply don't send accounting packets. Blame your NAS :P
>
> :-( Do you have a recommendation for APs that pass this information?

Nope. Sorry. Try looking at the archives, I think Cisco boxes send them. As an alternative, if you're fine with a captive-portal setup, chillispot sends accounting packets just fine.

>> ... or to be more accurate, look at your NAS documentation (or ask the vendor) how to get it to send accounting packets.
>
> It is a ZyXEL, so basically a black box, even to the local vendor.

Then blame the vendor. Seriously. Why would you want to use something that even the local vendor can't support?

--
Fajar
RE: Coa problem
> Well, that's a typo. I've pushed another fix.
>
> Alan DeKok.

Perfect, it's working now! Thanks.

One other small thing: in freeradius-server/raddb/sql/mysql/dialup.conf there is an error in accounting { interim-update { ... } }. The insert SQL is not correct (the value count is incorrect).

Was:

query = "\
    INSERT INTO ${acct_table1} \
        (${...column_list}) \
    VALUES \
        ('%{Acct-Session-Id}', \
        '%{Acct-Unique-Session-Id}', \
        '%{SQL-User-Name}', \
        '%{Realm}', \
        '%{NAS-IP-Address}', \
        '%{NAS-Port}', \
        '%{NAS-Port-Type}', \
        FROM_UNIXTIME(%{integer:Event-Timestamp} - \
        %{%{Acct-Session-Time}:-0}), \
        FROM_UNIXTIME(%{integer:Event-Timestamp}), \
        '%{Acct-Session-Time}', \
        '%{Acct-Authentic}', '', \
        '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
        '%{%{Acct-Input-Octets}:-0}', \
        '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
        '%{%{Acct-Output-Octets}:-0}', \
        '%{Called-Station-Id}', \
        '%{Calling-Station-Id}', \
        '%{Service-Type}', \
        '%{Framed-Protocol}', \
        '%{Framed-IP-Address}')"
}

Should be:

query = "\
    INSERT INTO ${acct_table1} \
        (${...column_list}) \
    VALUES \
        ('%{Acct-Session-Id}', \
        '%{Acct-Unique-Session-Id}', \
        '%{SQL-User-Name}', \
        '%{Realm}', \
        '%{NAS-IP-Address}', \
        '%{NAS-Port}', \
        '%{NAS-Port-Type}', \
        FROM_UNIXTIME(%{integer:Event-Timestamp} - \
        %{%{Acct-Session-Time}:-0}), \
        FROM_UNIXTIME(%{integer:Event-Timestamp}), \
        NULL, \
        '%{Acct-Session-Time}', \
        '%{Acct-Authentic}', '', '', \
        '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
        '%{%{Acct-Input-Octets}:-0}', \
        '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
        '%{%{Acct-Output-Octets}:-0}', \
        '%{Called-Station-Id}', \
        '%{Calling-Station-Id}', \
        '', \
        '%{Service-Type}', \
        '%{Framed-Protocol}', \
        '%{Framed-IP-Address}')"
}
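The mismatch reported above is the kind of thing that only surfaces as a MySQL "Column count doesn't match value count" error at the first interim update, so it is worth checking the query text before deploying. The following is an added example, not from the thread or from the FreeRADIUS distribution: a small scanner that counts the top-level expressions in a VALUES list while ignoring commas inside quotes, parentheses and `%{...}` expansions, applied to the two queries quoted in the post (with the conf-file `\` line continuations removed). The column list itself is `${...column_list}` in the conf and is not reproduced on the page, so the comparison takes the expected column count as a parameter.

```python
"""Added example: count the expressions in an INSERT ... VALUES (...) list from dialup.conf."""
import re

# The "was" and "should be" queries from the post, minus the conf-file "\" continuations.
BEFORE_QUERY = (
    "INSERT INTO ${acct_table1} (${...column_list}) VALUES ("
    "'%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', "
    "'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', "
    "FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), "
    "FROM_UNIXTIME(%{integer:Event-Timestamp}), "
    "'%{Acct-Session-Time}', '%{Acct-Authentic}', '', "
    "'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', "
    "'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', "
    "'%{Called-Station-Id}', '%{Calling-Station-Id}', "
    "'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
)
AFTER_QUERY = (
    "INSERT INTO ${acct_table1} (${...column_list}) VALUES ("
    "'%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', "
    "'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', "
    "FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), "
    "FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, "
    "'%{Acct-Session-Time}', '%{Acct-Authentic}', '', '', "
    "'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', "
    "'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', "
    "'%{Called-Station-Id}', '%{Calling-Station-Id}', '', "
    "'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
)


def values_list(query: str) -> list:
    """Split the VALUES (...) list into its top-level expressions.

    Commas inside single/double quotes, nested parentheses (FROM_UNIXTIME(...)) and
    %{...} expansions do not count as separators.
    """
    m = re.search(r"\bVALUES\b", query, re.IGNORECASE)
    if not m:
        raise ValueError("no VALUES clause")
    start = query.find("(", m.end())
    if start < 0:
        raise ValueError("VALUES without a parenthesised list")
    items, buf, depth, quote = [], [], 0, None
    for ch in query[start:]:
        if quote:                       # inside a quoted literal: copy verbatim
            buf.append(ch)
            if ch == quote:
                quote = None
            continue
        if ch in "'\"":
            quote = ch
            buf.append(ch)
            continue
        if ch in "({":
            depth += 1
            if depth > 1:               # the outer "(" of VALUES is not part of an item
                buf.append(ch)
            continue
        if ch in ")}":
            depth -= 1
            if depth == 0:              # closing the VALUES list
                item = "".join(buf).strip()
                if item:
                    items.append(item)
                return items
            buf.append(ch)
            continue
        if ch == "," and depth == 1:
            items.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    raise ValueError("unterminated VALUES list")


def insert_arity_ok(query: str, expected_columns: int) -> bool:
    """True when the VALUES list has exactly as many expressions as the column list."""
    return len(values_list(query)) == expected_columns


if __name__ == "__main__":
    for label, q in (("was", BEFORE_QUERY), ("should be", AFTER_QUERY)):
        print(f"{label}: {len(values_list(q))} values")
```

Running it shows 19 expressions in the original interim-update query and 22 in the corrected one; the three added entries are the `NULL` for the stop time, the second empty connect-info string and the empty terminate-cause before `'%{Service-Type}'`, which line up with where the corrected query inserted them.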
Re: Mysql, Accounting and DialupAdmin
Hi Fajar

on 08.11.2012 08:16, Fajar A. Nugraha wrote:
> ...
> IIRC only one of them will be used. I suggest you drop MD5 (since it's useless for your purpose) and Cleartext (you don't want that, right?) and verify you use the correct NT-Password (use smbencrypt if you haven't already done so).

Yes, it appears that authentication using the NT-Password hash works fine for M$. What would be the least common setting in a multi-vendor environment? I guess OSX, for example, is using a different protocol.

>>>> 2) I could see login and logout information, but no data usage, e.g. download and upload sizes appear to be zeroes.
> ...
>> It is a ZyXEL, so basically a black box, even to the local vendor.
>
> Then blame the vendor. Seriously. Why would you want to use something that even the local vendor can't support?

I am in an evaluation phase and this is a vendor with widespread acceptance here. Finding such a weakness is important as we will probably drop the product then. Unfortunately not everyone is really comfortable with open source products. This is just the kind of reality the vendors try to lock us into.

Thanks
Erich
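The radcheck rows shown earlier in this thread, Fajar's advice to keep only a verified NT-Password, and Erich's question about which stored form works across vendors can all be checked with a few lines of code. The following is an added example, not from the thread or from FreeRADIUS or Samba: it computes the NT hash the way smbencrypt does (MD4 over the UTF-16LE password, printed as uppercase hex), checks each of the three radcheck values against the password "1234", and reports which stored attribute each authentication method can be verified against, following the compatibility table the thread links to (PAP works with any of the three; CHAP needs the cleartext password; MS-CHAP and MS-CHAPv2, and therefore EAP-MSCHAPv2 and PEAP, need either the cleartext password or the NT hash). MD4 is implemented inline because many OpenSSL builds no longer expose it through Python's hashlib; the row data is constructed from the table in the thread.

```python
"""Added example: NT hash (MD4 of UTF-16LE) and radcheck password-attribute compatibility."""
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: little-endian words, three rounds of sixteen steps."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (a + fn(b, c, d) + x[k] + const) & _MASK
                # rotate the register roles so each step updates the next register (a, d, c, b)
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """The value smbencrypt prints in its NT hash column."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Which radcheck attribute each method can be verified against (only the three
# attribute types that appear in the thread are listed).
COMPATIBLE = {
    "PAP": {"Cleartext-Password", "NT-Password", "MD5-Password"},
    "CHAP": {"Cleartext-Password"},
    "MS-CHAP": {"Cleartext-Password", "NT-Password"},
    "MS-CHAPv2": {"Cleartext-Password", "NT-Password"},
}

# Constructed from the radcheck table posted in the thread: (id, username, attribute, op, value).
RADCHECK_ROWS = [
    (1, "test", "MD5-Password", ":=", "81dc9bdb52d04dc20036dbd8313ed055"),
    (2, "test", "NT-Password", ":=", "7CE21F17C0AEE7FB9CEBA532D0546AD6"),
    (3, "test", "Cleartext-Password", ":=", "1234"),
]


def matching_attributes(rows, password: str) -> list:
    """Attributes whose stored value is consistent with `password` (check this before dropping Cleartext-Password)."""
    ok = []
    for _, _, attr, _, value in rows:
        if attr == "Cleartext-Password" and value == password:
            ok.append(attr)
        elif attr == "NT-Password" and value.upper() == nt_hash(password):
            ok.append(attr)
        elif attr == "MD5-Password" and value.lower() == hashlib.md5(password.encode()).hexdigest():
            ok.append(attr)
    return ok


def usable_for(rows, method: str) -> list:
    """Stored attributes that `method` can actually be checked against."""
    present = {row[2] for row in rows}
    return sorted(present & COMPATIBLE[method])


if __name__ == "__main__":
    print("NT hash of 1234:", nt_hash("1234"))
    print("rows consistent with 1234:", matching_attributes(RADCHECK_ROWS, "1234"))
    nt_only = [r for r in RADCHECK_ROWS if r[2] == "NT-Password"]
    for method in COMPATIBLE:
        print(f"{method:10s} all rows: {usable_for(RADCHECK_ROWS, method)}  NT only: {usable_for(nt_only, method)}")
```

With only the NT-Password row kept, as suggested in the thread, PAP, MS-CHAP and MS-CHAPv2 still verify, but CHAP has nothing to check against; that is the trade-off behind the multi-vendor question, since a client that insists on CHAP needs the cleartext password stored.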
RE: No EAP Start, assuming it's an on-going EAP conversation
> Maybe it's that Samba bug? The one that makes it apparently work:
>
> [mschap] adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
>
> but the client refuses to go on? I can't search the archive right now, but I think it would be useful to know the Samba version.

Hello Alberto

# smbd -V
Version 3.4.0