Re: Mysql, Accounting and DialupAdmin

2012-11-08 Thread Fajar A. Nugraha
On Thu, Nov 8, 2012 at 2:43 PM, Erich Titl erich.t...@think.ch wrote:
 Hi Fajar

 on 08.11.2012 08:16, Fajar A. Nugraha wrote:
 ...


 IIRC only one of them will be used. I suggest you drop MD5 (since it's
 useless for your purpose) and Cleartext (you don't want that, right?)
 and verify you use the correct NT-Password (use smbencrypt if you
 haven't already done so)

 Yes, it appears that authentication using NT-Password hash works fine
 for M$. What would be the least common setting in a multi vendor
 environment. I guess, OSX, for example, is using a different protocol.

Most other supplicants can use EAP-MSCHAPv2 just fine, so you
shouldn't have any problems with other OSes.
NT-Password should work with PAP as well, so PAP and TTLS-PAP should
also work, if you need to choose that for some reason.

Also note that storing NT-Passwords should be considered as insecure
as storing cleartext password (since cracking MD4 hash is
easy-enough), but at least you won't see the cleartext password in the
database.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Mysql, Accounting and DialupAdmin

2012-11-08 Thread Fajar A. Nugraha
On Thu, Nov 8, 2012 at 2:08 PM, Erich Titl erich.t...@think.ch wrote:
 2) I could see login and logout information, but no data usage, e.g.
 download and upload sizes appear to be zeroes.

 Some NASes (e.g. APs flashed with dd-wrt) simply don't send
 accounting packets. Blame your NAS :P

 :-(

 Do you have a recommendation for AP's that pass this information?

 ... or to be more accurate, look at your NAS documentation (or ask
 the vendor) how to get it to send accounting packets.

 It is a ZyXEL, so basically a black box, even to the local vendor.


Just to be sure, you HAVE enabled sql in accounting section, right?

If you want to be extra sure, run FR in debug mode, and do a
login-logout using a client (e.g. notebook) to the NAS (i.e. AP). FR
should print out what packets it received. If it DOESN'T show any
accounting packets, then your NAS doesn't send them, or hasn't been
configured to do so.

-- 
Fajar


Re: Coa problem

2012-11-08 Thread Arran Cudbard-Bell

On 8 Nov 2012, at 07:38, Mixmasterontour PureDJ mixmasteront...@hotmail.com 
wrote:

 
  
  Well, that's a typo. I've pushed another fix.
  
  Alan DeKok.
 
 Perfect, it's working now!
 Thanks
 
 one other small thing:
 in freeradius-server/raddb/sql/mysql/dialup.conf there is an error
 

Fixed. Thanks.

-Arran



Re: No EAP Start, assuming it's an on-going EAP conversation

2012-11-08 Thread Alberto Martínez
I had just the same trouble as you.

Here is my thread:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg73649.html

And another here:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg78218.html

Both make reference to this bug:
https://bugzilla.samba.org/show_bug.cgi?id=6563

The bug is known to be solved in 3.5.16 onwards, so upgrade it.


2012/11/8 dvmp dvmp...@gmail.com

  Maybe it is that Samba bug?

 The one that makes it apparently work:
  [mschap] adding MS-CHAPv2 MPPE keys
  ++[mschap] returns ok
  MSCHAP Success
 but the client refuses to go on?

 I can't search the archive right now, but I think it would be useful to
 know the Samba version.

 Hello Alberto

 #smbd -V

 Version 3.4.0

 ** **





-- 
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone:  +34 - 94 413 90 00 Ext 2684
Fax:+34 - 94 413 91 01

RE: Coa problem

2012-11-08 Thread Mixmasterontour PureDJ

 
 Fixed. Thanks.
 
 -Arran
 

Thanks,
but you fixed the accounting start; actually it contains 23 values now, it should
be 22.
The error was in the accounting interim-update.



Re: Coa problem

2012-11-08 Thread Arran Cudbard-Bell

On 8 Nov 2012, at 08:23, Mixmasterontour PureDJ mixmasteront...@hotmail.com 
wrote:

  
  Fixed. Thanks.
  
  -Arran
  
 
 Thanks,
 but you fixed the accounting start; actually it contains 23 values now, it
 should be 22.
 The error was in the accounting interim-update.

You didn't specify which query it was, but I noticed after editing the file 
that you meant the alternate update query so swapped out the commit.

https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/sql/mysql/dialup.conf

Contains the right fix...

-Arran


Re: Coa problem

2012-11-08 Thread Arran Cudbard-Bell

On 8 Nov 2012, at 09:05, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 On 8 Nov 2012, at 08:23, Mixmasterontour PureDJ mixmasteront...@hotmail.com 
 wrote:
 
 
 Fixed. Thanks.
 
 -Arran
 
 
 Thanks,
 but you fixed the accounting start; actually it contains 23 values now, it
 should be 22.
 The error was in the accounting interim-update.
 
 You didn't specify which query it was, but I noticed after editing the file 
 that you meant the alternate update query so swapped out the commit.

Actually you did, but it's pre-coffee, sorry.

 https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/sql/mysql/dialup.conf
 
 Contains the right fix...

And I swapped out the commits within a couple of minutes of making the change, 
so I guess you were just looking at the commit feed instead of actually 
checking the files?

-Arran



Re: Mysql, Accounting and DialupAdmin

2012-11-08 Thread Erich Titl
on 08.11.2012 09:01, Fajar A. Nugraha wrote:
...

 It is a ZyXEL, so basically a black box, even to the local vendor.
 
 
 Just to be sure, you HAVE enabled sql in accounting section, right?

I guess the fact that I have entries in the radacct table which
correspond to actual connection attempts should prove that.

mysql select username,acctstarttime,acctstoptime,acctinputoctets from
radacct;
+--+-+-+-+
| username | acctstarttime   | acctstoptime| acctinputoctets |
+--+-+-+-+
| test | 2012-11-07 15:09:47 | 2012-11-07 15:15:48 |   0 |
| test | 2012-11-07 15:15:48 | 2012-11-07 15:25:02 |   0 |
| test | 2012-11-07 15:25:32 | 2012-11-07 15:41:52 |   0 |
| test | 2012-11-07 21:20:53 | 2012-11-07 21:24:13 |   0 |
| test | 2012-11-07 21:41:50 | 2012-11-07 21:42:13 |   0 |
| test | 2012-11-07 21:42:43 | 2012-11-07 21:47:14 |   0 |
| test | 2012-11-08 07:52:42 | 2012-11-08 07:55:45 |   0 |
| test | 2012-11-08 08:35:15 | 2012-11-08 08:50:22 |   0 |
| test | 2012-11-08 09:56:24 | 2012-11-08 10:02:28 |   0 |
| test | 2012-11-08 10:06:58 | 2012-11-08 10:07:23 |   0 |
| test | 2012-11-08 10:11:31 | 2012-11-08 10:12:06 |   0 |
| test | 2012-11-08 10:12:20 | 2012-11-08 10:12:35 |   0 |
| test | 2012-11-08 10:12:42 | 2012-11-08 10:13:11 |   0 |
| test | 2012-11-08 10:13:27 | 2012-11-08 10:14:38 |   0 |
| test | 2012-11-08 10:14:51 | NULL|   0 |
+--+-+-+-+


 
 If you want to be extra sure, run FR in debug mode, and do a
 login-logout using a client (e.g. notebook) to the NAS (i.e. AP). FR
 should print out what packets it received. If it DOESN'T show any
 accounting packets, then your NAS doesn't send them, or hasn't been
 configured to do so.

I _guess_ it shows some accounting

rad_recv: Accounting-Request packet from host 194.124.158.62 port 47037,
id=165, length=135
Acct-Session-Id = 509ACAB9-000F
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Name = test
NAS-Port = 0
Called-Station-Id = 50-67-F0-38-A9-E5:ZyXEL
Calling-Station-Id = 74-F0-6D-07-9B-91
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
# Executing section preacct from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Identifier was not found in
request, unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address =
194.124.158.62,Acct-Session-Id = 509ACAB9-000F,User-Name = test'
[acct_unique] Acct-Unique-Session-ID = de12b16f3f8a6cf8.
++[acct_unique] returns ok
++[files] returns noop
# Executing section accounting from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]expand: %{Packet-Src-IP-Address} - 194.124.158.62
[detail]expand:
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
- /usr/local/var/log/radius/radacct/194.124.158.62/detail-20121108
[detail]
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/194.124.158.62/detail-20121108
[detail]expand: %t - Thu Nov  8 10:22:38 2012
++[detail] returns ok
[sql]   expand: %{User-Name} - test
[sql] sql_set_user escaped user -- 'test'
[sql]   expand: %{Acct-Delay-Time} -
[sql]   ... expanding second conditional
[sql]   expand:INSERT INTO radacct
(acctsessionid,acctuniqueid, username,  realm,
  nasipaddress, nasportid,  nasporttype,
acctstarttime,acctstoptime,  acctsessiontime,
acctauthentic,connectinfo_start,  connectinfo_stop,
acctinputoctets,  acctoutputoctets,  calledstationid,
callingstationid, acctterminatecause,  servicetype,
framedprotocol,   framedipaddress,  acctstartdelay,
acctstopdelay,xascendsessionsvrkey)   VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}',  '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}',  '%{NAS-Port-Type}', '%S', NULL,
 '0', '%{Acct-Authentic}', '%{Connect-Info}',  '', '0', '0',
 '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
   '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok

Erich






Re: Mysql, Accounting and DialupAdmin

2012-11-08 Thread Fajar A. Nugraha
On Thu, Nov 8, 2012 at 4:27 PM, Erich Titl erich.t...@think.ch wrote:
 I _guess_ it shows some accounting

 rad_recv: Accounting-Request packet from host 194.124.158.62 port 47037,
 id=165, length=135
 Acct-Session-Id = 509ACAB9-000F
 Acct-Status-Type = Start

Do some stuff first with the client (e.g. browsing), then disconnect.
Look for accounting stop packet. If it doesn't show Acct-In-Octets and
friends, then your AP is seriously broken.

-- 
Fajar
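Fajar's check above, turned into a script (added here; not code from the thread or from FreeRADIUS): it splits `radiusd -X` output into `rad_recv` packets, lists which Acct-Status-Type values the NAS actually sent, and flags any Stop or Interim-Update that lacks Acct-Input-Octets / Acct-Output-Octets / Acct-Session-Time, which is exactly the symptom of zero usage in radacct. The sample debug text is constructed, modelled on Erich's output earlier in the thread (the second session id is invented).

```python
import re
from typing import Dict, List

# Header line radiusd -X prints for every received packet, e.g.
# rad_recv: Accounting-Request packet from host 194.124.158.62 port 47037, id=165, length=135
HEADER = re.compile(
    r"^rad_recv: (?P<code>\S+) packet from host (?P<host>\S+) port (?P<port>\d+), "
    r"id=(?P<id>\d+), length=(?P<length>\d+)"
)
# Indented attribute lines that follow the header; string values are quoted.
ATTR = re.compile(r'^\s+(?P<name>[\w-]+)\s*=\s*"?(?P<value>.*?)"?\s*$')

# Counters a usable Stop/Interim-Update must carry ("Acct-In-Octets and friends").
USAGE_ATTRS = ("Acct-Input-Octets", "Acct-Output-Octets", "Acct-Session-Time")

# Constructed sample: a Start like the one in the thread, a healthy Stop, and a
# Stop from a NAS that never reports traffic counters.
SAMPLE_DEBUG = """\
rad_recv: Accounting-Request packet from host 194.124.158.62 port 47037, id=165, length=135
\tAcct-Session-Id = "509ACAB9-000F"
\tAcct-Status-Type = Start
\tUser-Name = "test"
\tNAS-Port-Type = Wireless-802.11
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
++[sql] returns ok
rad_recv: Accounting-Request packet from host 194.124.158.62 port 47037, id=166, length=160
\tAcct-Session-Id = "509ACAB9-000F"
\tAcct-Status-Type = Stop
\tUser-Name = "test"
\tAcct-Session-Time = 361
\tAcct-Input-Octets = 1048576
\tAcct-Output-Octets = 8388608
\tAcct-Terminate-Cause = User-Request
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
rad_recv: Accounting-Request packet from host 194.124.158.62 port 47037, id=167, length=140
\tAcct-Session-Id = "509ACAB9-0010"
\tAcct-Status-Type = Stop
\tUser-Name = "test"
\tAcct-Session-Time = 25
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
"""


def parse_rad_recv(debug_output: str) -> List[Dict]:
    """One dict per rad_recv block; the indented lines after the header are
    collected into 'attrs' until the first non-indented line."""
    packets: List[Dict] = []
    current = None
    for line in debug_output.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"code": m["code"], "host": m["host"],
                       "id": int(m["id"]), "attrs": {}}
            packets.append(current)
            continue
        if current is None:
            continue
        a = ATTR.match(line)
        if a:
            current["attrs"][a["name"]] = a["value"]
        else:
            current = None  # module output ("# Executing ...") ends the packet
    return packets


def accounting_findings(packets: List[Dict]) -> List[str]:
    """Human-readable findings: Stop/Interim-Update records without usage
    counters, and the absence of any Stop at all."""
    findings: List[str] = []
    seen = set()
    for p in packets:
        if p["code"] != "Accounting-Request":
            continue
        status = p["attrs"].get("Acct-Status-Type", "?")
        seen.add(status)
        if status in ("Stop", "Interim-Update"):
            missing = [a for a in USAGE_ATTRS if a not in p["attrs"]]
            if missing:
                sid = p["attrs"].get("Acct-Session-Id", "?")
                findings.append(f"{status} for Acct-Session-Id {sid} from {p['host']} "
                                f"lacks {', '.join(missing)}: NAS is not reporting usage")
    if "Stop" not in seen:
        findings.append("no Stop packet seen: NAS never closes sessions in accounting")
    return findings


if __name__ == "__main__":
    for finding in accounting_findings(parse_rad_recv(SAMPLE_DEBUG)):
        print(finding)
```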


RE: EAP-SIM authentication failed

2012-11-08 Thread Yann R. Moupinda

Hi guys,

I'm still looking for a solution for the EAP-SIM authentication. Now I use
FreeRADIUS 3.0.0 and I made some changes in 'eapsimlib.c' regarding
AT_IDENTITY (commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde). I still have the
same problem: the client is able to send two Access-Requests but unable to send
the third Access-Request to close the authentication.
I use a Nokia E52 as supplicant. Did anybody complete the test successfully with
another mobile phone (apart from Android phones)?
Does anyone know how I can debug the mobile phone?
Any helpful ideas?

Here is my debug output:


radiusd: FreeRADIUS Version 3.0.0 (git #d3c7336), for host i586-pc-linux-gnu, 
built on Nov  7 2012 at 14:54:31
.
.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 48077, id=19, 
length=308
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = 19017...@wlan.mnc070.mcc901.3gppnetwork.org
NAS-Port-Id = ap_hotspot
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = 8253
Acct-Multi-Session-Id = 
00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03
Calling-Station-Id = A8-7E-33-3E-9C-5B
Called-Station-Id = 00-0C-42-64-41-9D:YANN
EAP-Message = 
0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x429b263e5293fadbae0a13f28dad2775
NAS-Identifier = MT_Yann
NAS-IP-Address = 192.168.10.212
(0) # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
(0)   group authorize {
(0)  - entering group authorize {...}
(0)   [preprocess] = ok
(0)   [chap] = noop
(0) auth_log : expand: %{Packet-Src-IP-Address} - 192.168.10.212
(0) auth_log : expand: 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 - /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0) auth_log : 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0) auth_log : expand: %t - Thu Nov  8 14:20:05 2012
(0)   [auth_log] = ok
(0)   [mschap] = noop
(0)   [digest] = noop
(0) suffix : Looking up realm wlan.mnc070.mcc901.3gppnetwork.org for 
User-Name = 19017...@wlan.mnc070.mcc901.3gppnetwork.org
(0) suffix : Found realm ~.*.3gppnetwork.org$
(0) suffix : Adding Stripped-User-Name = 19017653
(0) suffix : Adding Realm = wlan.mnc070.mcc901.3gppnetwork.org
(0) suffix : Authentication realm is LOCAL.
(0)   [suffix] = ok
rlm_sim_files: authorized user/imsi 19017653 
rlm_sim_files: Adding EAP-Type: eap-sim
(0)   [sim_files] = ok
(0) eap : EAP packet type response id 1 length 56
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest 
of authorize
(0)   [eap] = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   group authenticate {
(0)  - entering group authenticate {...}
(0) eap : EAP Identity
(0) eap : processing type sim
(0) eap : Underlying EAP-Type set EAP ID to 133
(0)   [eap] = handled
Sending Access-Challenge of id 19 to 192.168.10.212 port 48077
EAP-Message = 0x01850014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x077b668807fe746db0e5f555c7ca40d2
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 41383, id=20, 
length=358
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = 19017...@wlan.mnc070.mcc901.3gppnetwork.org
State = 0x077b668807fe746db0e5f555c7ca40d2
NAS-Port-Id = ap_hotspot
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = 8253
Acct-Multi-Session-Id = 
00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03
Calling-Station-Id = A8-7E-33-3E-9C-5B
Called-Station-Id = 00-0C-42-64-41-9D:YANN
EAP-Message = 
0x02850058120a0705be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac
NAS-Identifier = MT_Yann
NAS-IP-Address = 192.168.10.212
(1) # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
(1)   group authorize {
(1)  - entering group authorize {...}
(1)   [preprocess] = ok
(1)   [chap] = noop
(1) auth_log : expand: %{Packet-Src-IP-Address} - 192.168.10.212
(1) auth_log : expand: 
/var/log/radiusd/radacct/%{%{Packet-Src

Couple of typos in policy.conf on the 2.x.x branch

2012-11-08 Thread Adam Bishop
https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/raddb/policy.conf#L140

I think that the test for this block should be =~, not !~ (otherwise it rejects 
realms that do not start with a dot).

There is also an errant space on line 142 in the middle of the += operator.

Thanks,

Adam Bishop
Systems Development Specialist

 gpg: 0x6609D460
   t: +44 (0)1235 822 245
xmpp: ad...@jabber.dev.ja.net

Janet, the UK’s research and education network.



Re: Couple of typos in policy.conf on the 2.x.x branch

2012-11-08 Thread Arran Cudbard-Bell

On 8 Nov 2012, at 15:22, Adam Bishop adam.bis...@ja.net wrote:

 https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/raddb/policy.conf#L140
 
 I think that the test for this block should be =~, not !~ (otherwise it 
 rejects realms that do not start with a dot).

Hmm yes.

 
 There is also an errant space on line 142 in the middle of the += operator.

Indeed there is. I'll go fix those now.

-Arran



Accounting and DialupAdmin

2012-11-08 Thread Erich Titl
Hi gents

FR 2.0

I added a user to my database using the dialup_admin interface. The
radcheck table shows the following

mysql select * from radcheck
- ;
++--+---+++
| id | username | attribute | op | value  |
++--+---+++
|  2 | test | NT-Password   | := | 7CE21F17C0AEE7FB9CEBA532D0546AD6   |
|  4 | test1| User-Password | := | $1$SQZqMcWE$doZxYeK1Sb24QQJvmYpYm0 |
++--+---+++

Now this is interesting. I can log in using the test account with the
NT-Password attribute. The one created by dialup_admin with the name of
test1 and the attribute User-Password cannot be used from the same M$
Windows 7 PC, as was to be expected from the compatibility table.

I looked into admin.conf and found

#
# can be one of crypt,md5,clear
#
general_encryption_method: crypt

this appears to be used by the GUI

Now with MSCHAP this appears not to work simply out of the box. Does one
need to hack that code or is there a canonical way to be used for M$ W7
(P)EAP authentication?

Thanks

Erich





Re: Accounting and DialupAdmin

2012-11-08 Thread Alan DeKok
Erich Titl wrote:
 #
 # can be one of crypt,md5,clear
 #
 general_encryption_method: crypt
 
 this appears to be used by the GUI
 
 Now with MSCHAP this appears not to work simply out of the box. Does one
 need to hack that code or is there a canonical way to be used for M$ W7
 (P)EAP authentication?

  Change that from crypt to clear.  Then PEAP will work.

  Alan DeKok.


EAP / MSCHAP / Certificate Troubles

2012-11-08 Thread Jordan Dohms
Hey,

I need a bit of assistance.  Brief summary: I have two RADIUS servers
connected to different Active Directory domains.  I got through the
basic setup, EAP-PEAP / MSCHAP were working successfully
authenticating against both domains.

Then:
- I upgraded freeradius on both from 2.1.10 to 2.2.0.
- I generated new 'production' certificates on both servers.

Now one of them is broken.  Broken to the point where I can't even get
eapol_test to run with success (though ntlm_auth still authenticates
against AD properly).  Since I was getting the EAP session for state
0x56783e8f517027f8 did not finish! error, I figured I messed
something up badly with my new certs, so I blew away my
/etc/freeradius directory, reinstalled freeradius 2.2.0 again and
started from the ground up (it recreated the default certs).  Still
the same problem.  The other box is working flawlessly with 2.2.0 and
'production' certs.

From Server:
$ eapol_test -c peap-mschapv2.conf -s XXX

Output on successful server:
[snip]
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): fe a7 76 cd 59 70 e1 d2 fb 1d fe 66
32 7c 12 d5 5f f4 29 12 8b 82 0a 17 36 83 a1 b7 93 71 fb 61
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS


Output on failed server:
[snip]
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=8 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=91) - Flags 0x00
EAP-PEAP: received 85 bytes encrypted data for Phase 2
EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=47): 1a 03 07 00 2e 53
3d 46 45 36 37 32 46 35 44 33 34 42 31 30 34 34 43 31 30 44 33 34 39
30 33 41 41 43 31 34 35 34 34 34 35 43 43 45 32 32 39
EAP-PEAP: received Phase 2: code=1 identifier=8 length=51
EAP-PEAP: Phase 2 Request: type=26
EAP-MSCHAPV2: RX identifier 8 mschapv2_id 7
EAP-MSCHAPV2: Received success
EAP-MSCHAPV2: Invalid authenticator response in success request
EAP: method process - ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: startWhen -- 0
EAPOL test timed out
EAPOL: EAP key not available
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE


And on the server debug, when it fails, I get an Access-Challenge,
followed by EAP session for state 0x56783e8f517027f8 did not finish!
 It's not Windows though, so I'm puzzled.

Server output on failure:
Sending Access-Challenge of id 7 to 127.0.0.1 port 48493
EAP-Message =
0x0108005b19001703010050cdc6ba2c896eb5118cfb064080452617ab9dac048c60afbdb3a962afa01555069719ac14235bae1e3108e284d27ef322609824fe6898c5cc497db9833039b37e92c921285a0b9bdbcafc0861676b5082
Message-Authenticator = 0x
State = 0xa24b0ed9a54317a0931e3b8d4f719448
Thu Nov  8 11:26:17 2012 : Info: Finished request 16.
Thu Nov  8 11:26:17 2012 : Debug: Going to the next request
Thu Nov  8 11:26:17 2012 : Debug: Waking up in 4.9 seconds.
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 9 ID 0 with timestamp +510
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 10 ID 1 with timestamp +510
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 11 ID 2 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 12 ID 3 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 13 ID 4 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 14 ID 5 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 15 ID 6 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 16 ID 7 with timestamp +511
Thu Nov  8 11:26:22 2012 : Debug: WARNING:
!!
Thu Nov  8 11:26:22 2012 : Debug: WARNING: !! EAP session for state
0xa24b0ed9a54317a0 did not finish!
Thu Nov  8 11:26:22 2012 : Debug: WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
Thu Nov  8 11:26:22 2012 : Debug: WARNING:
!!



Things I've already checked:
 - eap.conf is identical on both servers (I copied it over).
 - There were some old discussions about a Samba bug, but both servers
are running 3.5.6.
 - radtest with PAP / users file is still working successfully.

Can someone point me in the right direction?  Where should I be
looking?  Is something lingering from my certificates failure or 

Re: Accounting and DialupAdmin

2012-11-08 Thread Erich Titl
Alan

on 08.11.2012 19:10, Alan DeKok wrote:
 Erich Titl wrote:
 #
 # can be one of crypt,md5,clear
 #
 general_encryption_method: crypt

 this appears to be used by the GUI

 Now with MSCHAP this appears not to work simply out of the box. Does one
 need to hack that code or is there a canonical way to be used for M$ W7
 (P)EAP authentication?
 
   Change that from crypt to clear.  Then PEAP will work.

Yes, I know if I also change the attribute to Cleartext-Password. Any
plans to support NT-Password hashes?

Thanks

Erich Titl





Re: Accounting and DialupAdmin

2012-11-08 Thread Alan DeKok
Erich Titl wrote:
 Yes, I know if I also change the attribute to Cleartext-Password. Any
 plans to support NT-Password hashes?

  In dialup_admin?  Send a patch.

  Alan DeKok.


Re: EAP / MSCHAP / Certificate Troubles

2012-11-08 Thread Phil Mayers

On 11/08/2012 06:45 PM, Jordan Dohms wrote:


EAP-MSCHAPV2: Invalid authenticator response in success request


This suggests the problem isn't certs, since you're inside the PEAP 
tunnel at this point.


Check that samba/winbind are working ok, patched to the same level, etc. 
- it looks like the well known mangling mschap response issue.



FreeRadius + AD

2012-11-08 Thread Maiquel Consalter
Hi,

Can someone tell me where I can find step-by-step instructions on
FreeRADIUS + Active Directory?

Thanks


-- 
Att,
Maiquel

Re: FreeRadius + AD

2012-11-08 Thread Blake Covarrubias
Does this help?

http://deployingradius.com/documents/configuration/active_directory.html

--
Blake Covarrubias

On Nov 8, 2012, at 3:09 PM, Maiquel Consalter maiquelconsal...@gmail.com 
wrote:

 Hi, 
 
 Can someone tell me where I can find step-by-step instructions on 
 FreeRADIUS + Active Directory?
 
 Thanks 
 
 
 -- 
 Att,
 Maiquel


Re: FreeRadius + AD

2012-11-08 Thread Arran Cudbard-Bell

On 8 Nov 2012, at 22:09, Maiquel Consalter maiquelconsal...@gmail.com wrote:

 Hi, 
 
 Can someone tell me where I can find step-by-step instructions on 
 FreeRADIUS + Active Directory?

http://lmgtfy.com/?q=deploying+freeradius+with+activedirectory

-Arran



Re: EAP / MSCHAP / Certificate Troubles

2012-11-08 Thread Jordan Dohms
Thanks.  Spent far too long looking at my certificates :)  Just needed
to give samba/winbind a restart.

J

On Thu, Nov 8, 2012 at 2:05 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 11/08/2012 06:45 PM, Jordan Dohms wrote:

 EAP-MSCHAPV2: Invalid authenticator response in success request


 This suggests the problem isn't certs, since you're inside the PEAP tunnel
 at this point.

 Check that samba/winbind are working ok, patched to the same level, etc. -
 it looks like the well known mangling mschap response issue.


Re: Accounting and DialupAdmin

2012-11-08 Thread Erich Titl
Hi Alan

on 08.11.2012 21:06, Alan DeKok wrote:
 Erich Titl wrote:
 Yes, I know if I also change the attribute to Cleartext-Password. Any
 plans to support NT-Password hashes?
 
   In dialup_admin?  Send a patch.

This works for me

diff -urN freeradius-server-2.2.0.orig/dialup_admin/conf/admin.conf
freeradius-server-2.2.0/dialup_admin/conf/admin.conf
--- freeradius-server-2.2.0.orig/dialup_admin/conf/admin.conf
2012-11-09 07:30:40.0 +0100
+++ freeradius-server-2.2.0/dialup_admin/conf/admin.conf
2012-11-09 07:44:28.0 +0100
@@ -133,7 +133,7 @@
 general_radius_server_secret: XX
 general_auth_request_file: %{general_base_dir}/conf/auth.request
 #
-# can be one of crypt,md5,clear
+# can be one of crypt,md5,clear,smbpass
 #
 general_encryption_method: crypt
 #
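Review bot: the only change to admin.conf is the comment; `general_encryption_method: crypt` two lines below stays at `crypt`, and nothing documents what choosing `smbpass` implies for the row dialup_admin writes. Earlier in this thread the row that works with PEAP/MSCHAPv2 is `NT-Password := 7CE21F17C0AEE7FB9CEBA532D0546AD6` while the `crypt` row uses `User-Password`, and Erich noted he "also" had to change the attribute, so please extend the comment to say which check attribute each method is meant to be stored under, otherwise an admin switching to `smbpass` is left to discover the attribute change on their own.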
diff -urN
freeradius-server-2.2.0.orig/dialup_admin/lib/crypt/smbpass.php
freeradius-server-2.2.0/dialup_admin/lib/crypt/smbpass.php
--- freeradius-server-2.2.0.orig/dialup_admin/lib/crypt/smbpass.php
1970-01-01 01:00:00.0 +0100
+++ freeradius-server-2.2.0/dialup_admin/lib/crypt/smbpass.php
2012-11-09 07:43:43.0 +0100
@@ -0,0 +1,6 @@
+?php
+function da_encrypt($Input) {
+  // shamelessly taken from php.net
+  return(strtoupper(hash('md4',iconv('UTF-8','UTF-16LE',$Input;
+}
+?
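Review bot: the `return(...)` line is missing its closing parentheses: `return(`, `strtoupper(`, `hash(` and `iconv(` are all opened but the line ends at `$Input;`, so the file will not parse as posted; it should read `return strtoupper(hash('md4', iconv('UTF-8', 'UTF-16LE', $Input)));`. Also `iconv()` returns `false` when the input cannot be converted, and `hash()` would then digest an empty string and the user silently gets the MD4 of "" stored as their hash; check the `iconv()` result before hashing. Finally, a comment should state that this produces the unsalted MD4-over-UTF-16LE value `smbencrypt` gives for `NT-Password` (upper-case hex matches the `test` row earlier in the thread), so that, as Fajar pointed out, the column has to be protected like a cleartext password.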

cheers

Erich Titl



