Re: EAP-success Id mis-match?
Hi Alan,

We tested with eap-ttls and eap-tls, there was no id+1 behavior. So I went into the code in eap-sim:

src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c

In functions eap_sim_sendstart(EAP_HANDLER * handler), eap_sim_sendchallenge(EAP_HANDLER * handler), and eap_sim_sendsuccess(EAP_HANDLER * handler), there is code like this:

    *newvp->vp_integer = ess->sim_id++;

This makes the server use the increased id when sending out the eap-success. I believe this is the cause of the problem. What's your opinion?

thanks and regards,
zhen

On Mon, Feb 4, 2013 at 12:11 PM, Alan DeKok wrote:
> Cao,Zhen (cz) wrote:
>> What's the standard way then?
>
> RFC 2284 Section 2.2.2 says this for EAP-Success:
>
>   Identifier
>
>     The Identifier field is one octet and aids in matching replies to
>     Responses. The Identifier field MUST match the Identifier field
>     of the Response packet that it is sent in response to.
>
> This is what FreeRADIUS does. See src/modules/rlm_eap/eap.c,
> eap_compose() function. Success and Failure send the same ID. Other
> EAP packet types increment the ID.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
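To make the Identifier rule from RFC 2284 (now RFC 3748, section 4.2) concrete, here is an added example; it is not code from this thread or from FreeRADIUS. It encodes and parses the EAP header (Code, Identifier, Length, optional Type), then walks a server/peer exchange and flags any Success or Failure whose Identifier differs from the Response it answers, which is the id+1 behaviour zhen reports for EAP-SIM. Both exchanges are constructed, not captures, and the EAP-SIM Type-Data is a placeholder (Subtype octet plus reserved bytes, no attributes). The type table also carries 23 = AKA, the number the later EAP-AKA thread on this page is about.

```python
"""Check EAP Identifier handling in a server/peer exchange (RFC 3748, section 4.2)."""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
CODE_NAMES = {EAP_REQUEST: "Request", EAP_RESPONSE: "Response",
              EAP_SUCCESS: "Success", EAP_FAILURE: "Failure"}

# IANA EAP method type numbers for the methods discussed on this list.
# 23 is AKA (the number the FreeRADIUS 2.1.10 dictionary spells "UTMS").
EAP_TYPE_NAMES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
                  18: "SIM", 21: "TTLS", 23: "AKA", 25: "PEAP", 26: "MSCHAPv2"}


def build_eap(code, ident, eap_type=None, type_data=b""):
    """Encode Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode one EAP packet; bytes beyond Length are padding and are ignored."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in CODE_NAMES:
        raise ValueError("unknown EAP Code %d" % code)
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length %d inconsistent with %d bytes" % (length, len(pkt)))
    parsed = {"code": code, "id": ident, "length": length, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        # Only Request and Response carry a Type octet; Success/Failure are header-only.
        if length < 5:
            raise ValueError("Request/Response must carry a Type octet")
        parsed["type"] = pkt[4]
        parsed["data"] = pkt[5:length]
    return parsed


def type_name(eap_type):
    return EAP_TYPE_NAMES.get(eap_type, "type-%d" % eap_type)


def check_id_sequence(packets):
    """Return (index, code name, id sent, id expected) for every Success/Failure
    whose Identifier differs from the most recent Response."""
    last_response_id = None
    mismatches = []
    for index, raw in enumerate(packets):
        pkt = parse_eap(raw)
        if pkt["code"] == EAP_RESPONSE:
            last_response_id = pkt["id"]
        elif pkt["code"] in (EAP_SUCCESS, EAP_FAILURE):
            if pkt["id"] != last_response_id:
                mismatches.append((index, CODE_NAMES[pkt["code"]], pkt["id"], last_response_id))
    return mismatches


# Constructed exchanges (not captures). EAP-SIM Type-Data here is just a
# Subtype octet (10 = Start) plus two reserved bytes; attributes are omitted.
GOOD_EXCHANGE = [
    build_eap(EAP_REQUEST, 1, 1),                     # Request/Identity, Id 1
    build_eap(EAP_RESPONSE, 1, 1, b"zhen"),           # Response/Identity, Id 1
    build_eap(EAP_REQUEST, 2, 18, b"\x0a\x00\x00"),   # Request/SIM Start, Id 2
    build_eap(EAP_RESPONSE, 2, 18, b"\x0a\x00\x00"),  # Response/SIM Start, Id 2
    build_eap(EAP_SUCCESS, 2),                        # Success reuses Id 2
]
# Same exchange, but the server incremented the Id before sending Success.
BAD_EXCHANGE = GOOD_EXCHANGE[:4] + [build_eap(EAP_SUCCESS, 3)]

if __name__ == "__main__":
    for name, exchange in (("good", GOOD_EXCHANGE), ("bad", BAD_EXCHANGE)):
        print(name, check_id_sequence(exchange) or "all Success/Failure Ids match")
```

Run against a pcap-derived list of EAP payloads (the EAP-Message attribute contents, in order) it tells you whether a supplicant's rejection of the Success is the server's fault: a mismatch entry means the NAS or supplicant is entitled to discard that Success as not matching an outstanding Response.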
Re: PAM error on reboot of the RADIUS client
If I don't configure step 4, I am not locked out on the client.

4 - Added following line to /etc/pam.d/common_session
session required pam_radius_auth.so

Thanks

On Mon, Feb 4, 2013 at 4:47 PM, Deepti kulkarni wrote:
> Hello,
>
> I have a debian machine that acts as RADIUS client talking with the
> Freeradius server. I have configured PAM on the client, so made following
> changes.
>
> 1 - Added radiusd to /etc/pam.d which contains -
> @include common-auth
> @include common-account
> @include common-password
> @include common-session
>
> 2 - Added following line to /etc/pam.d/common_auth
> auth sufficient pam_radius_auth.so
>
> 3 - Added following line to /etc/pam.d/common_account
> account required pam_radius_auth.so
>
> 4 - Added following line to /etc/pam.d/common_session
> session required pam_radius_auth.so
>
> 5 - Added server-ip and secret key to /etc/pam_radius_auth.conf
>
> Authentication and accounting works fine after I configure the above on
> the client. As soon as I reboot client, login fails with error - "cannot
> make/remove an entry for the specified session". Cannot login into the
> client.
>
> Thanks
PAM error on reboot of the RADIUS client
Hello,

I have a debian machine that acts as RADIUS client talking with the Freeradius server. I have configured PAM on the client, so made following changes.

1 - Added radiusd to /etc/pam.d which contains -
@include common-auth
@include common-account
@include common-password
@include common-session

2 - Added following line to /etc/pam.d/common_auth
auth sufficient pam_radius_auth.so

3 - Added following line to /etc/pam.d/common_account
account required pam_radius_auth.so

4 - Added following line to /etc/pam.d/common_session
session required pam_radius_auth.so

5 - Added server-ip and secret key to /etc/pam_radius_auth.conf

Authentication and accounting works fine after I configure the above on the client. As soon as I reboot client, login fails with error - "cannot make/remove an entry for the specified session". Cannot login into the client.

Thanks
Re: Configuring accounting on Freeradius server
So my radius client was missing some configuration. Now the client sends accounting packets to the server. Thanks for the help on that.

Deepti

On Sun, Feb 3, 2013 at 7:56 PM, Alan DeKok wrote:
> Deepti kulkarni wrote:
> > No, my "production" client is not sending any accounting packets. I am
> > completely not sure how that can be set.
>
> If the NAS documentation doesn't say how to configure accounting, then
> it doesn't do accounting.
>
> Alan DeKok.
Re: LDAP groups and profiles
Chris Taylor wrote:
> I have RADIUS running with multiple realms and multiple LDAP back ends
> that store all my user attributes. I am trying to apply different user
> profiles to different groups. What I did was setup the profile in the
> USERS file, add the group attributes to the ldap config file, and on the
> user's LDAP account I added the attribute radiusGroupName with the value
> "residential_profile", but I can't seem to get it to work correctly.

The debug output is pretty clear. It does an LDAP search, and the object isn't found.

Make sure that (a) the object is in LDAP, and (b) you've configured FreeRADIUS to do the right LDAP search.

> It doesn't seem to query the correct backend.

For backend-specific queries, prefix the LDAP-Group with the backend name:

> ldap ldap2.REALM-2.ca {
>         basedn = "ou=radius,o=REALM-2.ca,dc=container,dc=ca"

To query this backend, use "ldap2.REALM-2.ca-LDAP-Group == ..."

Alan DeKok.
LDAP groups and profiles
I have RADIUS running with multiple realms and multiple LDAP back ends that store all my user attributes. I am trying to apply different user profiles to different groups. What I did was setup the profile in the USERS file, add the group attributes to the ldap config file, and on the user's LDAP account I added the attribute radiusGroupName with the value "residential_profile", but I can't seem to get it to work correctly. It doesn't seem to query the correct backend. I am sure that I have something wrong but I am not sure what. I looked at rlm_ldap and searched the archive list but haven't been able to find anything; any help would be appreciated.

This is what my configuration files look like:

USERS

DEFAULT Ldap-Group == residential_profile
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair += "ip:inacl#100=permit tcp any x.x.x.x 0.0.0.15 eq 25",
        Cisco-AVPair += "ip:inacl#200=deny tcp any any eq 25",
        Cisco-AVPair += "ip:inacl#300=permit ip any any",
        Fall-Through = No

ldap ldap2.REALM-2.ca {
        basedn = "ou=radius,o=REALM-2.ca,dc=container,dc=ca"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"

ldap ldap1.REALM-1.ca {
        basedn = "ou=radius,o=REALM-1.ca,dc=container,dc=ca"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName

Output from radiusd -X:

[files] users: Matched entry DEFAULT at line 214
[ldap2.REALM-2.ca] Entering ldap_groupcmp()
[files] expand: ou=radius,o=REALM-2.ca,dc=container,dc=ca -> ou=radius,o=REALM-2.ca,dc=container,dc=ca
[files] expand: %{Stripped-User-Name} -> 112boy
[files] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true)) -> (&(uid=112boy)(objectclass=posixAccount)(cn=true))
[ldap2.REALM-2.ca] ldap_get_conn: Checking Id: 0
[ldap2.REALM-2.ca] ldap_get_conn: Got Id: 0
[ldap2.REALM-2.ca] attempting LDAP reconnection
[ldap2.REALM-2.ca] Bind was successful
[ldap2.REALM-2.ca] performing search in ou=radius,o=REALM-2.ca,dc=container,dc=ca, with filter (&(uid=112boy)(objectclass=posixAccount)(cn=true))
[ldap2.REALM-2.ca] object not found
rlm_ldap::ldap_groupcmp: search failed
[ldap2.REALM-2.ca] ldap_release_conn: Release Id: 0

Thanks,
Chris
Re: [EAP/TLS] Authentication through a certificate
vazoumana fofana wrote:
> I've got a question about EAP/TLS and authentication for a client
> through a certificate.
> I succeeded in setting it up. But I notice that freeradius matches client
> login with certificate CNAME.
> Is it possible to change it in order to match email instead of CNAME?

Yes. Read the eap.conf file, and the raddb/sites-available/default. This is documented.

Alan DeKok.
Re: Error syntax in sql accounting.
Hocine M wrote:
> Hi everybody,
>
> I always have an error in radius.log file :
>
> Mon Feb 4 16:16:52 2013 : Error: [sql_acct] Couldn't insert SQL
> accounting START record - Erreur de syntaxe près de '' à la ligne 1

Don't edit the configuration files and break them. You do understand what "Erreur de syntaxe" means, right?

> I made my radacct accounting table with the schema found in
> /etc/freeradius/sql/mysql/schema.sql.
> I use a mysql server database.
>
> in my sql.conf i use the standard queries for accounting.

It looks like you don't.

Run the server in debugging mode, as suggested in the FAQ, "man" page, web pages, and daily on this list. Only that will tell you what's really going on.

Alan DeKok.
Error syntax in sql accounting.
Hi everybody,

I always have an error in radius.log file :

Mon Feb 4 16:16:52 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:01 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:06 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:10 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:15 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:24 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:26 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:34 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:47 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:54 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1

I made my radacct accounting table with the schema found in /etc/freeradius/sql/mysql/schema.sql.
I use a mysql server database.

in my sql.conf i use the standard queries for accounting.

Any idea?
[EAP/TLS] Authentication through a certificate
Dear everybody,

I've got a question about EAP/TLS and authentication for a client through a certificate.
I succeeded in setting it up. But I notice that freeradius matches client login with certificate CNAME.
Is it possible to change it in order to match email instead of CNAME?

Best regards.
Re: radiusd startup failure for EAP-AKA configuration
Mark Sincerbox wrote:
> Relatively new to freeradius. Have had success testing an EAP-MD5
> and EAP-TLS configuration. I have patched freeradius-server-2.1.10
> to add EAP-AKA support but am experiencing a radiusd startup failure
> as follows:

If you're patching the code... it helps to understand how it works.

And where did you get the patch? You're asking us to support some un-named third party software? Why not go ask the authors of the patch why their software doesn't work?

> /usr/local/etc/raddb/users[3]: Parse error (check) for entry akauser@domain:
> Unknown value AKA for attribute EAP-Type

Hmm.. see share/dictionary.freeradius.internal. It has "VALUE EAP-Type UTMS 23". That looks to be wrong. It should be AKA.

> Errors reading /usr/local/etc/raddb/users
> /usr/local/etc/raddb/modules/files[7]: Instantiation failed for module "files"
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[124]: Failed to load module "files".
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[47]: Errors parsing authorize section.
>
> Struggling with determining what is missing in my configuration that
> might be causing this issue. I see that the above error
> is coming from src/lib/valuepair.c but am having difficulty
> determining the root cause. I've read doc and man pages
> but so far cannot spot the problem.

Don't look at the source. Look at the dictionaries.

> +ATTRIBUTE EAP-Type-AKA3100octets
> +ATTRIBUTE EAP-Sim-AUTN3101octets
> +ATTRIBUTE EAP-Aka-IK 3102octets
> +ATTRIBUTE EAP-Aka-CK 3103octets
> +ATTRIBUTE EAP-Sim-RES 3104octets

Don't do that. It's not necessary.

> +#akauser@domainAuth-Type := EAP, EAP-Type := AKA

Delete "EAP-Type := AKA". It's not necessary.

Alan DeKok.
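Review bot: the five `+ATTRIBUTE` lines (EAP-Type-AKA 3100 through EAP-Sim-RES 3104) do not address the startup error quoted above. That error is "Unknown value AKA for attribute EAP-Type", which is about the VALUE names defined for the existing EAP-Type attribute (the reply notes the shipped dictionary has `VALUE EAP-Type UTMS 23`); defining new attributes at 3100-3104 leaves that untouched. As quoted, each line also runs name, number and type together (`EAP-Type-AKA3100octets`), so verify the field separators in the real patch before applying it, since a dictionary line with no whitespace between those fields will not parse as intended.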
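Review bot: the users entry is quoted commented out (`+#akauser@domain...`), so in this form it would not be read at all, yet the error output reports a parse error for entry akauser@domain at users[3]; the patch as shown and the file that produced the error therefore differ, and the version that fails is the uncommented one. In that version `EAP-Type := AKA` is the check item that trips "Unknown value AKA for attribute EAP-Type" while value 23 is still spelled UTMS in the dictionary. The reply's suggestion to drop `EAP-Type := AKA` removes the dependency on that VALUE name altogether.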
Re: radiusd startup failure for EAP-AKA configuration
Hi,

> Relatively new to freeradius. Have had success testing an EAP-MD5
> and EAP-TLS configuration. I have patched freeradius-server-2.1.10
> to add EAP-AKA support but am experiencing a radiusd startup failure
  ^^

I would assume that something is not right with your EAP AKA patch

alan
radiusd startup failure for EAP-AKA configuration
Hi,

Relatively new to freeradius. Have had success testing an EAP-MD5 and EAP-TLS configuration. I have patched freeradius-server-2.1.10 to add EAP-AKA support but am experiencing a radiusd startup failure as follows:

radiusd -X
FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Feb 2 2013 at 14:23:04
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
	allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
	prefix = "/usr/local"
	localstatedir = "/usr/local/var"
	logdir = "/usr/local/var/log/radius"
	libdir = "/usr/local/lib"
	radacctdir = "/usr/local/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/local/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no