Re: EAP-success Id mis-match?

2013-02-04 Thread Cao,Zhen (cz)
Hi Alan,

We tested with eap-ttls and eap-tls; there was no id+1 behavior. So I
went into the code in eap-sim:
src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c

In functions eap_sim_sendstart(EAP_HANDLER * handler),
eap_sim_sendchallenge(EAP_HANDLER * handler), and
eap_sim_sendsuccess(EAP_HANDLER * handler), there is code like this
‘*newvp->vp_integer = ess->sim_id++;’

This makes the server use the increased id when sending out the eap-success.

I believe this is the cause of the problem. What's your opinion?

thanks and regards,
zhen

On Mon, Feb 4, 2013 at 12:11 PM, Alan DeKok  wrote:
> Cao,Zhen (cz) wrote:
>> What’s the standard way then?
>
>   RFC 2284 Section 2.2.2 says this for EAP-Success:
>
>Identifier
>
>   The Identifier field is one octet and aids in matching replies to
>   Responses.  The Identifier field MUST match the Indentifier field
>   of the Response packet that it is sent in response to.
>
>   This is what FreeRADIUS does.  See src/modules/rlm_eap/eap.c,
> eap_compose() function.  Success and Failure send the same ID.  Other
> EAP packet types increment the ID.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
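An added illustration, not FreeRADIUS code and not from either poster, of the Identifier rule Alan quotes from RFC 2284 section 2.2.2 and eap_compose(): a small EAP header builder and parser, the server-side rule for which Identifier goes on the packet that answers a Response, and the peer-side check that rejects an EAP-Success whose Identifier does not match the Response it answers (the id+1 symptom discussed above). The EAP-SIM Type-Data bytes in the sample exchange are constructed placeholders, and wrapping the Identifier from 255 back to 0 is this example's own assumption.

```python
import struct

# EAP Code values, RFC 2284 section 2.2 (unchanged in RFC 3748 section 4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_SIM = 18  # EAP-SIM method type; used only for the constructed sample below
EAP_HEADER = struct.Struct("!BBH")  # Code (1 octet), Identifier (1), Length (2)


def build_eap(code, identifier, data=b""):
    """Serialize one EAP packet: 4-byte header plus optional Type/Type-Data.

    Success and Failure carry no Type or Type-Data, so their Length is always 4.
    """
    if code in (EAP_SUCCESS, EAP_FAILURE) and data:
        raise ValueError("EAP-Success/Failure carry no Type or Type-Data")
    if not 0 <= identifier <= 0xFF:
        raise ValueError("Identifier is a single octet")
    return EAP_HEADER.pack(code, identifier, EAP_HEADER.size + len(data)) + data


def parse_eap(packet):
    """Parse an EAP header, check Length against the buffer, return (code, id, data)."""
    if len(packet) < EAP_HEADER.size:
        raise ValueError("short EAP packet")
    code, identifier, length = EAP_HEADER.unpack_from(packet)
    if length < EAP_HEADER.size or length > len(packet):
        raise ValueError("EAP Length %d inconsistent with %d bytes" % (length, len(packet)))
    return code, identifier, packet[EAP_HEADER.size:length]


def next_identifier(code, response_id):
    """Identifier a server puts on the packet that answers a Response carrying response_id.

    This is the eap_compose() rule as described in the thread: Success and
    Failure echo the Response's Identifier; a new Request gets the next one.
    Wrapping 255 -> 0 is this example's assumption (the field is one octet).
    """
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return response_id
    return (response_id + 1) & 0xFF


def check_result_id(response_pkt, result_pkt):
    """Peer-side check: does an EAP-Success/Failure match the Response it answers?

    Returns (ok, reason). A mismatch is the id+1 symptom discussed above;
    RFC 2284 section 2.2.2 says the Identifiers MUST match.
    """
    r_code, r_id, _ = parse_eap(response_pkt)
    s_code, s_id, s_data = parse_eap(result_pkt)
    if r_code != EAP_RESPONSE:
        return False, "first packet is not an EAP-Response (code %d)" % r_code
    if s_code not in (EAP_SUCCESS, EAP_FAILURE):
        return False, "second packet is not EAP-Success/Failure (code %d)" % s_code
    if s_data:
        return False, "Success/Failure must have Length 4"
    if s_id != r_id:
        return False, "Identifier %d does not match the Response's %d" % (s_id, r_id)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the peer's final EAP-SIM Response with Identifier 7
    # (placeholder Type-Data), followed by two candidate server verdicts.
    response = build_eap(EAP_RESPONSE, 7, bytes([EAP_TYPE_SIM, 0x0B, 0x00, 0x00]))
    good = build_eap(EAP_SUCCESS, next_identifier(EAP_SUCCESS, 7))   # Identifier 7
    buggy = build_eap(EAP_SUCCESS, next_identifier(EAP_REQUEST, 7))  # Identifier 8, the id+1 case
    print(check_result_id(response, good))   # (True, 'ok')
    print(check_result_id(response, buggy))  # (False, "Identifier 8 does not match the Response's 7")
```

The same check_result_id() logic can be run over a captured RADIUS/EAP exchange to confirm whether a given server build shows the mismatch, independent of which EAP method produced it.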


Re: PAM error on reboot of the RADIUS client

2013-02-04 Thread Deepti kulkarni
If I don't configure step 4, I am not locked out on the client.

4- Added following line to /etc/pam.d/common_session
session required pam_radius_auth.so

Thanks

On Mon, Feb 4, 2013 at 4:47 PM, Deepti kulkarni wrote:

> Hello,
>
> I have a debian machine that acts as RADIUS client talking with the
> Freeradius server. I have configured PAM on the client, so made following
> changes.
>
> 1 - Added radiusd to /etc/pam.d which contains -
> @include common-auth
> @include common-account
> @include common-password
> @include common-session
>
>
> 2 - Added following line to /etc/pam.d/common_auth
> auth sufficient pam_radius_auth.so
>
> 3 - Added following line to /etc/pam.d/common_account
> account required pam_radius_auth.so
>
> 4- Added following line to /etc/pam.d/common_session
> session required pam_radius_auth.so
>
> 5 - Added server-ip and secret key to /etc/pam_radius_auth.conf
>
> Authentication and accounting works fine after I configure the above on
> the client. As soon as I reboot client, login fails with error - "cannot
> make/remove an entry for the specified session". Cannot login into the
> client.
>
> Thanks
>
>

PAM error on reboot of the RADIUS client

2013-02-04 Thread Deepti kulkarni
Hello,

I have a debian machine that acts as RADIUS client talking with the
Freeradius server. I have configured PAM on the client, so made following
changes.

1 - Added radiusd to /etc/pam.d which contains -
@include common-auth
@include common-account
@include common-password
@include common-session


2 - Added following line to /etc/pam.d/common_auth
auth sufficient pam_radius_auth.so

3 - Added following line to /etc/pam.d/common_account
account required pam_radius_auth.so

4- Added following line to /etc/pam.d/common_session
session required pam_radius_auth.so

5 - Added server-ip and secret key to /etc/pam_radius_auth.conf

Authentication and accounting works fine after I configure the above on the
client. As soon as I reboot client, login fails with error - "cannot
make/remove an entry for the specified session". Cannot login into the
client.

Thanks

Re: Configuring accounting on Freeradius server

2013-02-04 Thread Deepti kulkarni
So my radius client was missing some configuration. Now the client sends
accounting packets to the server. Thanks for the help on that.

Deepti

On Sun, Feb 3, 2013 at 7:56 PM, Alan DeKok wrote:

> Deepti kulkarni wrote:
> > No, my "production" client is not sending any accounting packets. I am
> > completely not sure how that can be set.
>
>   If the NAS documentation doesn't say how to configure accounting, then
> it doesn't do accounting.
>
>   Alan DeKok.

Re: LDAP groups and profiles

2013-02-04 Thread Alan DeKok
Chris Taylor wrote:
>  
> 
> I have RADIUS running with multiple realms and multiple LDAP back ends
> that store all my user attributes. I am trying to apply different user
> profiles to different groups. What I did was setup the profile in the
> USERS file, add the group attributes to the ldap config file, and on the
> user’s LDAP account I added the attribute radiusGroupName with the value
> “residential_profile”,  but I can’t seem to get it to work correctly.

  The debug output is pretty clear.  It does an LDAP search, and the
object isn't found.

  Make sure that (a) the object is in LDAP, and (b) you've configured
FreeRADIUS to do the right LDAP search.

> It
> doesn’t seem to query the correct backend.

  For backend-specific queries, prefix the LDAP-Group with the backend name:

> ldap ldap2.REALM-2.ca { 
> basedn = "ou=radius,o=REALM-2.ca,dc=container,dc=ca"

  To query this backend, use "ldap2.REALM-2.ca-LDAP-Group == ..."

  Alan DeKok.

LDAP groups and profiles

2013-02-04 Thread Chris Taylor

I have RADIUS running with multiple realms and multiple LDAP back ends that 
store all my user attributes. I am trying to apply different user profiles to 
different groups. What I did was set up the profile in the USERS file, add the 
group attributes to the ldap config file, and on the user's LDAP account I 
added the attribute radiusGroupName with the value "residential_profile", but 
I can't seem to get it to work correctly. It doesn't seem to query the correct 
backend. I am sure that I have something wrong but I am not sure what. I looked 
at rlm_ldap and searched the archive list but haven't been able to find 
anything; any help would be appreciated.

This is what my configuration files look like:

USERS

DEFAULT Ldap-Group == residential_profile
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair += "ip:inacl#100=permit tcp any x.x.x.x 0.0.0.15 eq 25",
        Cisco-AVPair += "ip:inacl#200=deny tcp any any eq 25",
        Cisco-AVPair += "ip:inacl#300=permit ip any any",
        Fall-Through = No


ldap ldap2.REALM-2.ca {
        basedn = "ou=radius,o=REALM-2.ca,dc=container,dc=ca"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"
}

ldap ldap1.REALM-1.ca {
        basedn = "ou=radius,o=REALM-1.ca,dc=container,dc=ca"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName
}



Output from radius -X

[files] users: Matched entry DEFAULT at line 214
  [ldap2.REALM-2.ca] Entering ldap_groupcmp()
[files] expand: ou=radius,o=REALM-2.ca,dc=container,dc=ca -> 
ou=radius,o= REALM-2ca,dc= container,dc=ca
[files] expand: %{Stripped-User-Name} -> 112boy
[files] expand: 
(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))
 -> (&(uid=112boy)(objectclass=posixAccount)(cn=true))
  [ldap2. REALM-2.ca] ldap_get_conn: Checking Id: 0
  [ldap2. REALM-2.ca] ldap_get_conn: Got Id: 0
  [ldap2. REALM-2.ca] attempting LDAP reconnection
  [ldap2. REALM-2.ca] Bind was successful
  [ldap2. REALM-2.ca] performing search in ou=radius,o= REALM-2.ca,dc= 
container,dc=ca, with filter (&(uid=112boy)(objectclass=posixAccount)(cn=true))
  [ldap2. REALM-2.ca] object not found
rlm_ldap::ldap_groupcmp: search failed
  [ldap2. REALM-2.ca] ldap_release_conn: Release Id: 0


Thanks,

Chris


Re: [EAP/TLS] Authenfication through a certificate

2013-02-04 Thread Alan DeKok
vazoumana fofana wrote:
> I've got a question about EAP/TLS and authentication for a client
> through a certificate.
> I succeeded in setting up. But I notice that freeradius matches client
> login with certificate CNAME.
> Is it possible to change it in order to match email instead of CNAME?

  Yes.

  Read the eap.conf file, and the raddb/sites-available/default.  This
is documented.

  Alan DeKok.


Re: Error syntax in sql accounting.

2013-02-04 Thread Alan DeKok
Hocine M wrote:
>  Hi everybody,
> 
> I always have an error in radius.log file :
> 
> Mon Feb  4 16:16:52 2013 : Error: [sql_acct] Couldn't insert SQL
> accounting START record - Erreur de syntaxe près de '' à la ligne 1

  Don't edit the configuration files and break them.

  You do understand what "Erreur de syntaxe" means, right?

> I made my radacct accounting table with the schema found in
> /etc/freeradius/sql/mysql/schema.sql.
> I use a mysql server database.
> 
> in my sql.conf i use the standard queries for accounting.

  It looks like you don't.

  Run the server in debugging mode, as suggested in the FAQ, "man" page,
web pages, and daily on this list.  Only that will tell you what's
really going on.

  Alan DeKok.

Error syntax in sql accounting.

2013-02-04 Thread Hocine M

Hi everybody,

I always have an error in radius.log file :

Mon Feb  4 16:16:52 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb  4 16:17:01 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb  4 16:17:06 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb  4 16:17:10 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb  4 16:17:15 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb  4 16:17:24 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb  4 16:17:26 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb  4 16:17:34 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb  4 16:17:47 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb  4 16:17:54 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1


I made my radacct accounting table with the schema found in 
/etc/freeradius/sql/mysql/schema.sql.

I use a mysql server database.

In my sql.conf I use the standard queries for accounting.
Any idea?


[EAP/TLS] Authenfication through a certificate

2013-02-04 Thread vazoumana fofana

Dear everybody,

I've got a question about EAP/TLS and authentication for a client through a 
certificate.
I succeeded in setting up. But I notice that freeradius matches client login with 
certificate CNAME.
Is it possible to change it in order to match email instead of CNAME?

Best regards. 

Re: radiusd startup failure for EAP-AKA configuration

2013-02-04 Thread Alan DeKok
Mark Sincerbox wrote:
> Relatively new to freeradius.  Have had success testing an EAP-MD5 
> and EAP-TLS configuration.  I have patched freeradius-server-2.1.10 
> to add EAP-AKA support but am experiencing a radiusd startup failure 
> as follows:

  If you're patching the code... it helps to understand how it works.

  And where did you get the patch?  You're asking us to support some
un-named third party software?  Why not go ask the authors of the patch
why their software doesn't work?

> /usr/local/etc/raddb/users[3]: Parse error (check) for entry akauser@domain: 
> Unknown value AKA for attribute EAP-Type

  Hmm.. see share/dictionary.freeradius.internal.  It has "VALUE
EAP-Type UTMS 23".  That looks to be wrong.  It should be AKA.

> Errors reading /usr/local/etc/raddb/users
> /usr/local/etc/raddb/modules/files[7]: Instantiation failed for module "files"
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[124]: Failed to load module 
> "files".
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[47]: Errors parsing authorize 
> section.
> 
> 
> Struggling with determining what is missing in my configuration that
> might be causing this issue.  I see that the above error
> is coming from src/lib/valuepair.c but am having difficulty 
> determining the root cause.  I've read doc and man pages 
> but so far cannot spot the problem.

  Don't look at the source.  Look at the dictionaries.

> +ATTRIBUTE  EAP-Type-AKA3100octets
> +ATTRIBUTE  EAP-Sim-AUTN3101octets
> +ATTRIBUTE  EAP-Aka-IK  3102octets
> +ATTRIBUTE  EAP-Aka-CK  3103octets
> +ATTRIBUTE  EAP-Sim-RES 3104octets
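Review bot: the startup error quoted above is "Unknown value AKA for attribute EAP-Type", a missing VALUE for the already-existing EAP-Type attribute, not a missing ATTRIBUTE, so none of the five new ATTRIBUTE lines (EAP-Type-AKA through EAP-Sim-RES, numbers 3100-3104) addresses it; drop these additions and correct the existing VALUE EAP-Type line in share/dictionary.freeradius.internal instead.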

  Don't do that.  It's not necessary.

> +#akauser@domainAuth-Type := EAP, EAP-Type := AKA
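Review bot: this line begins with '#', so as shown it is a comment and cannot be the users[3] entry the parser rejects; the live, uncommented copy of the akauser@domain entry is what fails, and the check item it trips on is "EAP-Type := AKA", which should be removed there so that only "Auth-Type := EAP" remains.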

  Delete "EAP-Type := AKA".  It's not necessary.

  Alan DeKok.


Re: radiusd startup failure for EAP-AKA configuration

2013-02-04 Thread A . L . M . Buxey
Hi,

> Relatively new to freeradius.  Have had success testing an EAP-MD5 
> and EAP-TLS configuration.  I have patched freeradius-server-2.1.10 
> to add EAP-AKA support but am experiencing a radiusd startup failure 
^^

I would assume that something is not right with your EAP AKA patch

alan


radiusd startup failure for EAP-AKA configuration

2013-02-04 Thread Mark Sincerbox
Hi,

Relatively new to freeradius.  Have had success testing an EAP-MD5 
and EAP-TLS configuration.  I have patched freeradius-server-2.1.10 
to add EAP-AKA support but am experiencing a radiusd startup failure 
as follows:

radiusd -X
FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Feb  2 
2013 at 14:23:04
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file 
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no