Re: [Help] radtest mschap problem

2013-04-26 Thread Chitrang Srivastava
Most likely your host file didnt have entry of your domain name,
dump your hostname and /etc/hosts file here and then we can comment better

On Thu, Apr 25, 2013 at 10:52 PM, Andres  wrote:

> Hello All,
>
> I'm trying to test mschap with radtest but it gives me strange error
> message.
> I've tried to solve it several days, but had no success.
>
> I'm using syntax like that:
>
> $ radtest -t mschap user password 127.0.0.1 0 secret
>
> radclient : Failed to find IP address for host user: Success
>
>
> radclient: $Id$ built on Jan 22 2013 at 23:55:37
> FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22
> 2013
>
> host file looks fine
>
> I would appreciate it if someone can help me
> ,
>
> Andres
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Originate CoA Request After Receiving Access-Accept

2013-04-26 Thread Okis Chuang
Dear all,

 

From the originate-coa documentation, it seems I can't originate coa-request
at the section of pre-proxy or post-proxy.

It's documented, pretty clear. I'm not sure whether it is the cause of my
following questions.

 

But what if I need two steps below finished continually both in the same
move:

1.  *proxy* auth request to other AAA dispatcher(also FreeRADIUS) to
decide where to authenticate.

2.  Getting Access-Accept in post-auth, then originate coa request at
once in order to change redirect profile to forward profile for subscriber.

 

But I got the warning that *cannot proxy and originate CoA packets at the
same time*. 

Actually I move the coa origination to my AAA dispatcher, it also can't
works and occurs the same warning.(It makes sense because both are doing coa
request after proxying auth request I guess.

 

So here are my questions:

1.  Does this flow works possibly in my scenario? I mean can I originate
coa at once after getting Access-Accept?

2.  What if I set a *virtual coa server* for receiving coa request from
itself, then send to gateway at the section of 

recv-coa {

  update coa {

...

}

}

Does it make sense?

 

Thanks in advance!

 

Okis


Re: [Help] radtest mschap problem

2013-04-26 Thread Andres
this way looks my hosts file:

# IP-Address  Full-Qualified-Hostname  Short-Hostname
#

127.0.0.1   localhost

# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback

fe00::0 ipv6-localnet

ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
10.58.5.58  radius.mydomain.com radius

Andres



2013/4/26 Chitrang Srivastava 

> Most likely your host file didnt have entry of your domain name,
> dump your hostname and /etc/hosts file here and then we can comment better
>
> On Thu, Apr 25, 2013 at 10:52 PM, Andres  wrote:
>
>> Hello All,
>>
>> I'm trying to test mschap with radtest but it gives me strange error
>> message.
>> I've tried to solve it several days, but had no success.
>>
>> I'm using syntax like that:
>>
>> $ radtest -t mschap user password 127.0.0.1 0 secret
>>
>> radclient : Failed to find IP address for host user: Success
>>
>>
>> radclient: $Id$ built on Jan 22 2013 at 23:55:37
>> FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22
>> 2013
>>
>> host file looks fine
>>
>> I would appreciate it if someone can help me
>> ,
>>
>> Andres

Re: [Help] radtest mschap problem

2013-04-26 Thread Alan DeKok
Andres wrote:
> this way looks my hosts file:

  Well... something is wrong with DNS on your system.

  The only advantage to using radtest is that it's simpler than
radclient.  But it's just a wrapper around radclient.  You can edit
radtest to remove the DNS lookups, or write your own wrapper which
doesn't do DNS lookups.

  Alan DeKok.


Re: RADIUS server is dumping core

2013-04-26 Thread Alan DeKok
ramakrishna wrote:
> I am using FreeRADIUS in solaris sever in which valgrind is not supported.

  Well... see if the same configuration fails on Linux, and run valgrind
there.

> Do you suspect access errors in RADIUS server for the dump based on the
> gdb log?

  I don't know what to expect.

> In Solaris, we use dbx or bcheck to find access errors or memory leaks.
> Is it ok if i produce logs of those tools?

  Sure, so long as they're understandable by normal people.  I've never
used them, and know nothing about them.

  Alan DeKok.


Re: Originate CoA Request After Receiving Access-Accept

2013-04-26 Thread Alan DeKok
Okis Chuang wrote:
> From the originate-coa documentation, it seems I can’t originate
> coa-request at the section of pre-proxy or post-proxy.
> 
> It’s documented, pretty clear.

  It's nice to hear that the documentation helps. :)

> I’m not sure whether it is the cause of my following questions.

  It is.

> But what if I need two steps below finished continually both in the same
> move:
> 
> 1.  **proxy** auth request to other AAA dispatcher(also FreeRADIUS)
> to decide where to authenticate.

  That's easy.

> 2.  Getting Access-Accept in post-auth, then originate coa request
> at once in order to change redirect profile to forward profile for
> subscriber.

  That's hard.  At least with "originate-coa".

  The short answer is that you can run "radclient" as an external
program from the post-proxy section.  It's ugly, but it will work.

> But I got the warning that **cannot proxy and originate CoA packets at
> the same time**.

  Yes.  We're looking into fixing that for 3.0.

> Actually I move the coa origination to my AAA dispatcher, it also can’t
> works and occurs the same warning.(It makes sense because both are doing
> coa request after proxying auth request I guess.

  Originating a CoA packet is really proxying it.  And the server can't
proxy to two different destinations.

> So here are my questions:
> 
> 1.  Does this flow works possibly in my scenario? I mean can I
> originate coa at once after getting Access-Accept?

  Not today.

> 2.  What if I set a **virtual coa server** for receiving coa request
> from itself, then send to gateway at the section of

  That won't change anything.

  It may be easy to originate CoA packets *after* proxying.  Just so
long as it doesn't do both at the same time.

  I'll see if I have time to look into it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
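
The workaround described in the reply above (running radclient as an external program once the proxied reply is back) could look like the following. This is an added example, not code from the thread or from FreeRADIUS. The `Filter-Id` profile attribute, the function names and the sample values are assumptions. What it adds is the escaping step: request attributes such as User-Name are supplied by the client and must not be written into radclient's input unescaped.

```sh
#!/bin/sh
# Added example, not code from the thread: build and send a CoA-Request with
# radclient from a script that the server runs after the proxied Access-Accept.

# Escape a value for a double-quoted radclient attribute string.
# CR and LF are dropped so a crafted User-Name cannot add an extra
# "Attribute = value" line; backslash and double quote are backslash-escaped.
radius_quote() {
    printf '%s' "$1" | tr -d '\r\n' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the CoA attribute list, one attribute per line.
#   $1 User-Name   $2 Acct-Session-Id   $3 profile to switch to
# Filter-Id is an assumption here; substitute the attribute your gateway
# uses to select the "forward" profile.
build_coa_attrs() {
    printf 'User-Name = "%s"\n' "$(radius_quote "$1")"
    printf 'Acct-Session-Id = "%s"\n' "$(radius_quote "$2")"
    printf 'Filter-Id = "%s"\n' "$(radius_quote "$3")"
}

# Send the request. $1 is the gateway address, $2 the shared secret, the rest
# is passed to build_coa_attrs. 3799 is the CoA port from RFC 5176.
send_coa() {
    gateway=$1
    secret=$2
    shift 2
    case $gateway in
        ''|-*) echo "send_coa: bad gateway address" >&2; return 2 ;;
    esac
    build_coa_attrs "$@" | radclient -x "$gateway:3799" coa "$secret"
}

# Constructed sample: a User-Name that tries to inject a second attribute.
# Nothing is sent; the escaped attribute list is only printed.
if [ "${1:-}" = "--demo" ]; then
    build_coa_attrs 'bob"
Filter-Id = "admin' 'sess-0001' 'forward'
fi
```

Each call forks a shell and a radclient process, which is the performance cost raised later in the thread.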

RE: wireshart shows wrong information

2013-04-26 Thread Juan Pablo L.
i realise now that i may have not been very clear in my explanation of the 
problem, that problem is that all values for the fields are the wrong values, 
for example, this is my code:
pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-QuotaIDentifier", "1", T_OP_EQ));

and this is what travels on the wire:
subtype = 01 (3GPP2-Prepaid-Acct-Quota-QuotaIDentifier)
subtype-length = 06
value = f3 08 48 12

and this happens for all values ... i might be missing something  thanks!

From: jpablolorenze...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: wireshart shows wrong information
Date: Thu, 25 Apr 2013 21:00:51 +




i m sorry i accidentally press the wrong combination of keys and the mail left 
 resuming my message below .
this is the data that tcpdump show as being transmitted for this attribute:
type = 1a
length = 1a
vendor = 00 00 15 9f
vendor-type = 5a
vendor-length = 14
subtype = 01 (3GPP2-Prepaid-Acct-Quota-QuotaIDentifier)
subtype-length = 06
value = f3 08 48 12
subtype = 02 (3GPP2-Prepaid-Acct-Quota-VolumeQuota)
subtype-length = 06
value = 00 00 00 00
subtype = 04 (3GPP2-Prepaid-Acct-Quota-VolumeThreshold)
length = 06
value = 00 00 88 fa
i dont see where i m doing wrong ... any help will be appreciated.
From: jpablolorenze...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: wireshart shows wrong information
Date: Thu, 25 Apr 2013 20:53:58 +




Hi, i m implementing a module in which i m using some TLV for which i modified 
the dictionary.3gpp2 as very well suggested in a different thread, but i see 
that the data for those TLV fields are not encoded properly or at least that is 
what wireshark is showing even thou debugging freeradius it shows that the data 
being sent is the correct it differs from the data captured using tcpdump ... 
here is my dictionary entry:
ATTRIBUTE   3GPP2-Prepaid-Acct-Quota                    90  tlv
BEGIN-TLV   3GPP2-Prepaid-Acct-Quota
ATTRIBUTE   3GPP2-Prepaid-Acct-Quota-QuotaIDentifier    1   integer
ATTRIBUTE   3GPP2-Prepaid-Acct-Quota-VolumeQuota        2   integer
ATTRIBUTE   3GPP2-Prepaid-Acct-Quota-VolumeThreshold    4   integer
END-TLV     3GPP2-Prepaid-Acct-Quota

and for that i m writing the following code:
pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-QuotaIDentifier", "1", T_OP_EQ));
pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-VolumeQuota", "100", T_OP_EQ));
pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-VolumeThreshold", "100", T_OP_EQ));

RE: Retrieve 'Aruba-Location-Id' from RAD_REQUEST

2013-04-26 Thread Wang, Yu
Hi, Alan,

Thanks for the suggestion. I added "&log_request_attributes;" in authorize 
function and it already has sub log_request_attributes in the perl script. When 
run FR in debug mode, the Aruba-Location-ID does present but when I call $ 
RAD_REQUEST{'Aruba-Location-Id'} from rlm_perl, it came up empty.

Any more suggestions? Thanks again.

Yu Wang

-Original Message-
From: freeradius-users-bounces+ywang10=fsu@lists.freeradius.org 
[mailto:freeradius-users-bounces+ywang10=fsu@lists.freeradius.org] On 
Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Thursday, April 25, 2013 5:44 PM
To: FreeRadius users mailing list
Subject: Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST

hi,

tired eyes so might have missed something obvious...but can you add the 
following into your authorise subroutine at the top

&log_request_attributes;

and ensure you have the following at the bottom

sub log_request_attributes {
for (keys %RAD_REQUEST) {
&radiusd::radlog(L_DBG, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
}
}


..then run FR is debug mode again and see what comes out.

cheers

alan


Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST

2013-04-26 Thread Alex Sharaz
Be nice to hear true solution to this as the same thing happens to me for the 
nas-ip-address attribute
A

On 26 Apr 2013, at 15:41, "Wang, Yu"  wrote:

> Hi, Alan,
> 
> Thanks for the suggestion. I added "&log_request_attributes;" in authorize 
> function and it already has sub log_request_attributes in the perl script. 
> When run FR in debug mode, the Aruba-Location-ID does present but when I call 
> $ RAD_REQUEST{'Aruba-Location-Id'} from rlm_perl, it came up empty.
> 
> Any more suggestions? Thanks again.
> 
> Yu Wang
> 
> -Original Message-
> From: freeradius-users-bounces+ywang10=fsu@lists.freeradius.org 
> [mailto:freeradius-users-bounces+ywang10=fsu@lists.freeradius.org] On 
> Behalf Of a.l.m.bu...@lboro.ac.uk
> Sent: Thursday, April 25, 2013 5:44 PM
> To: FreeRadius users mailing list
> Subject: Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST
> 
> hi,
> 
> tired eyes so might have missed something obvious...but can you add the 
> following into your authorise subroutine at the top
> 
> &log_request_attributes;
> 
> and ensure you have the following at the bottom
> 
> sub log_request_attributes {
>   for (keys %RAD_REQUEST) {
>   &radiusd::radlog(L_DBG, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
>   }
> }
> 
> 
> ..then run FR is debug mode again and see what comes out.
> 
> cheers
> 
> alan


Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST

2013-04-26 Thread A . L . M . Buxey
Hi,

> > Thanks for the suggestion. I added "&log_request_attributes;" in authorize 
> > function and it already has sub log_request_attributes in the perl script. 
> > When run FR in debug mode, the Aruba-Location-ID does present but when I 
> > call $ RAD_REQUEST{'Aruba-Location-Id'} from rlm_perl, it came up empty.

logs?

alan


Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST

2013-04-26 Thread A . L . M . Buxey
Hi,

> Thanks for the suggestion. I added "&log_request_attributes;" in authorize 
> function and it already has sub log_request_attributes in the perl script. 
> When run FR in debug mode, the Aruba-Location-ID does present but when I call 
> $ RAD_REQUEST{'Aruba-Location-Id'} from rlm_perl, it came up empty.

and logs (radiusd -X) from this too. :-)

alan


Re: [Help] radtest mschap problem

2013-04-26 Thread Chitrang Srivastava
whats the hostname of ur system ?

On Fri, Apr 26, 2013 at 6:30 PM, Andres  wrote:

> this way looks my hosts file:
>
> # IP-Address  Full-Qualified-Hostname  Short-Hostname
> #
>
> 127.0.0.1   localhost
>
> # special IPv6 addresses
> ::1 localhost ipv6-localhost ipv6-loopback
>
> fe00::0 ipv6-localnet
>
> ff00::0 ipv6-mcastprefix
> ff02::1 ipv6-allnodes
> ff02::2 ipv6-allrouters
> ff02::3 ipv6-allhosts
> 10.58.5.58  radius.mydomain.com radius
>
> Andres
>
>
>
> 2013/4/26 Chitrang Srivastava 
>
>> Most likely your host file didnt have entry of your domain name,
>> dump your hostname and /etc/hosts file here and then we can comment better
>>
>> On Thu, Apr 25, 2013 at 10:52 PM, Andres  wrote:
>>
>>> Hello All,
>>>
>>> I'm trying to test mschap with radtest but it gives me strange error
>>> message.
>>> I've tried to solve it several days, but had no success.
>>>
>>> I'm using syntax like that:
>>>
>>> $ radtest -t mschap user password 127.0.0.1 0 secret
>>>
>>> radclient : Failed to find IP address for host user: Success
>>>
>>>
>>> radclient: $Id$ built on Jan 22 2013 at 23:55:37
>>> FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan
>>> 22 2013
>>>
>>> host file looks fine
>>>
>>> I would appreciate it if someone can help me
>>> ,
>>>
>>> Andres

Re: unlang and optimization

2013-04-26 Thread Jason Frisvold
Arran Cudbard-Bell wrote:
> Yes. In FreeRADIUS master branch. You can also do nice things like cache 
> group membership.

Excellent.

> Not supported, and won't be supported. Overloading of attributes like this is 
> slated for deprecation in 3.0/1, at which point we'll just standardise on 
> xlat function calls for all the comparisons.

Glad I asked instead of continuing to bang my head against it..  :)

I'm looking forward to seeing 3.0..

Thanks,

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: unlang and optimization

2013-04-26 Thread Jason Frisvold
a.l.m.bu...@lboro.ac.uk wrote:
> are they your only groups? if so, one less call is a quick optimisation

No, there are a bunch of groups..  9 or 10 at the moment.

I do need to put a default in there though, so your solution will still
need to be used.  :)

> you could make a call to python or PERL which could have funky LDAP
> to pull back all the detail and then set the Tmp-String-0 to be what you
> need it to be or wait for FR 3.x which has a few new tricks up its sleeve

Hrm..  a perl call might work too.  In the interest of getting this
working now, though, I'll deal with the solution we have.  Modifying
this later is still an option.

Thanks,

> alan


-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [Help] radtest mschap problem

2013-04-26 Thread Andres
host name is radius
ip 10.58.5.58
Full Domain  host name:  radius.mydomain.com  radius

..
resolv.conf

search mydomain.com
nameserver 10.58.5.39
nameserver 10.58.5.45



/etc/hosts

127.0.0.1   localhost

# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback

fe00::0 ipv6-localnet

ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
10.58.5.58  radius.dpd.ee radius



radius:/etc # ping mydomain.com
PING mydomain.com (10.58.5.39) 56(84) bytes of data.
64 bytes from fs.mydomain.com (10.58.5.39): icmp_seq=1 ttl=128 time=0.301 ms
64 bytes from fs.mydomain.com (10.58.5.39): icmp_seq=2 ttl=128 time=0.414 ms


radius:/etc # ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.039 ms

radius:/etc # ping6  localhost
PING localhost(localhost) 56 data bytes
64 bytes from localhost: icmp_seq=1 ttl=64 time=0.080 ms
64 bytes from localhost: icmp_seq=2 ttl=64 time=0.054 ms

.

radius:/etc # radtest -t mschap testing passme 127.0.0.1 0 testing123456
radclient: Failed to find IP address for host testing: Success

.
radius:/etc # radtest testing passme 127.0.0.1 0 testing123456
Sending Access-Request of id 177 to 127.0.0.1 port 1812
User-Name = "testing"
User-Password = "passme"
NAS-IP-Address = 10.58.5.58
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=177,
length=20


Yast2 network settings > Hostname/DNS


Network Settings
  Tabs: Global Options | Overview | Hostname/DNS | Routing

  Hostname and Domain Name
    Hostname:     radius
    Domain Name:  mydomain.com
    [x] Change Hostname via DHCP    No interface with dhcp
    [ ] Assign Hostname to Loopback IP

  Modify DNS configuration:  Use Default Policy
  Custom Policy Rule:

  Name Servers and Domain Search List
    Name Server 1:  10.58.5.45
    Name Server 2:  10.58.5.39
    Name Server 3:
    Domain Search:  mydomain.com

I cannot figure out what is the cause of it, that radtest -t mschap dont
work.
Is it related to DNS or IPv6?  Did I something wrong...

I'm using( as Windows 2008 domain member):
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 2

FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22
2013 at 23:55:29



I'd be very grateful if someone would care to assist me with this problem

Andres















2013/4/26 Chitrang Srivastava 

> whats the hostname of ur system ?
>
>
> On Fri, Apr 26, 2013 at 6:30 PM, Andres  wrote:
>
>> this way looks my hosts file:
>>
>> # IP-Address  Full-Qualified-Hostname  Short-Hostname
>> #
>>
>> 127.0.0.1   localhost
>>
>> # special IPv6 addresses
>> ::1 localhost ipv6-localhost ipv6-loopback
>>
>> fe00::0 ipv6-localnet
>>
>> ff00::0 ipv6-mcastprefix
>> ff02::1 ipv6-allnodes
>> ff02::2 ipv6-allrouters
>> ff02::3 ipv6-allhosts
>> 10.58.5.58  radius.mydomain.com radius
>>
>> Andres
>>
>>
>>
>> 2013/4/26 Chitrang Srivastava 
>>
>>> Most likely your host file didnt have entry of your domain name,
>>> dump your hostname and /etc/hosts file here and then we can comment
>>> better
>>>
>>> On Thu, Apr 25, 2013 at 10:52 PM, Andres wrote:
>>>
>>>> Hello All,
>>>>
>>>> I'm trying to test mschap with radtest but it gives me strange error
>>>> message.
>>>> I've tried to solve it several days, but had no success.
>>>>
>>>> I'm using syntax like that:
>>>>
>>>> $ radtest -t mschap user password 127.0.0.1 0 secret
>>>>
>>>> radclient : Failed to find IP address for host user: Success
>>>>
>>>>
>>>> radclient: $Id$ built on Jan 22 2013 at 23:55:37
>>>> FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan
>>>> 22 2013
>>>>
>>>> host file looks fine
>>>>
>>>> I would appreciate it if someone can help me
>>>> ,
>>>>
>>>> Andres
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>>>
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.f

Re: [Help] radtest mschap problem

2013-04-26 Thread A . L . M . Buxey
Hi,

what version of FreeRADIUS? are you sure you arent running old copies of 
radclient/radtest

ie you THINK you can do "-t mschap" but the wrapper or binary doesnt


radclient -v   ?

which radtest
then cat the resulting file.


alan


Re: RADIUS server is dumping core

2013-04-26 Thread Alan DeKok
ramakrishna wrote:
> I have tried to find the access errors using dbx debugger in solaris.
> 
> Please find the attached file for the access errors.
> 
> We are facing dump quite frequently because of these access errors.
> 
> Could you give us some idea where it might be going wrong?

  Your system is completely broken.  There seem to be tons of errors
which should never occur.

  My guess is that you're using incompatible versions of software.  i.e.
FreeRADIUS 1.x with a library from 2.x, or something like that.

  Double-check that you have only ONE version of the server installed.
Maybe try doing an install on a new Solaris machine.

  The server gets regular scans through valgrind && static analysis
tools.  There is *no way* that it could have a large number of errors,
as shown by the Solaris dbx tool.  There's something wrong with the
binaries.

  Alan DeKok.


Re: [Help] radtest mschap problem

2013-04-26 Thread Andres
Hi,

I have done clean SLES11 install

FreeRADIUS  server Version: 2.1.1-7.16.1
also installed freeradius-server-libs and utils

FreeRADIUS server and libs and utils was installed via Yast.


radius:/etc # radclient -v
radclient: $Id$ built on Jan 22 2013 at 23:55:37


#
# Version:  $Id$
#

prefix="/usr"
exec_prefix="/usr"
bindir="/usr/bin"

usage() {
    echo "Usage: radtest user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]" >&2
    exit 1
}

radclient=$bindir/radclient
if [ ! -x "$radclient" ] && [ -x ./radclient ]
then
    radclient=./radclient
fi

if [ "$1" = "-d" ]
then
    DICTIONARY="-d $2"
    shift;shift
else
    DICTIONARY=""
fi

if [ $# -lt 5 ] || [ $# -gt 7 ]
then
    usage
fi

if [ "$7" ]
then
    nas=$7
else
    nas=`hostname`
fi

(
    echo "User-Name = \"$1\""
    echo "User-Password = \"$2\""
    echo "NAS-IP-Address = $nas"
    echo "NAS-Port = $4"
    if [ "$6" ]
    then
        echo "Framed-Protocol = PPP"
    fi
) | $radclient $DICTIONARY -x $3 auth $5






Andres


2013/4/26 

> Hi,
>
> what version of FreeRADIUS? are you sure you arent running old copies of
> radclient/radtest
>
> ie you THINK you can do "-t mschap" but the wrapper or binary doesnt
>
>
> radclient -v   ?
>
> which radtest
> then cat the resulting file.
>
>
> alan

Re: [Help] radtest mschap problem

2013-04-26 Thread A . L . M . Buxey
Hi,

>FreeRADIUS  server Version: 2.1.1-7.16.1 
>also installed freeradius-server-libs and utils
>FreeRADIUS server and libs and utils was installed via Yast.
>radius:/etc # radclient -v
>radclient: $Id$ built on Jan 22 2013 at 23:55:37
>#
># Version:  $Id$
>#
>prefix="/usr"
>exec_prefix="/usr"
>bindir="/usr/bin"
>usage() {
>echo "Usage: radtest user passwd radius-server[:port]
>nas-port-number secret [ppphint] [nasname]" >&2

yes. thats your problem. OLD

the current one says this:

usage() {
echo "Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]" >&2
echo "-d RADIUS_DIR   Set radius directory" >&2
echo "-t <type>       Set authentication method" >&2
echo "                type can be pap, chap, mschap, or eap-md5" >&2
echo "-x              Enable debug output" >&2

etc etc etc


note, the tool has OPTIONS. yours doesnt. and because yours doesnt, it thinks
"-t" is the username and "mschap" is the password and therefore "testing" 
is the hostname
and you have no such host!

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
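
The argument shift explained in the reply above can be reproduced without a RADIUS server. This is an added example, not code from the thread or from FreeRADIUS. It replays the positional-parameter handling of the 2.1.1 radtest script posted earlier and checks whether an installed wrapper documents `-t` before relying on it. The function names are assumptions, and the grep string is taken from the newer usage text quoted above.

```sh
#!/bin/sh
# Added example, not code from the thread.

# Replay how the 2.1.1 radtest script shown earlier assigns its positional
# parameters: an optional leading "-d DIR" is consumed, then
# $1 user, $2 passwd, $3 radius-server, $4 nas-port, $5 secret.
# Returns 1 where that script would print its usage message.
old_radtest_parse() {
    if [ "${1:-}" = "-d" ] && [ $# -ge 2 ]; then
        shift 2
    fi
    if [ $# -lt 5 ] || [ $# -gt 7 ]; then
        return 1
    fi
    printf 'user=%s passwd=%s server=%s nas_port=%s secret=%s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# True when the radtest script at path $1 documents -t in its usage text.
radtest_supports_type() {
    [ -r "$1" ] && grep -q 'Set authentication method' "$1"
}

# Run "radtest -t TYPE ..." only if the installed wrapper understands -t;
# otherwise report how the old wrapper would have read the arguments.
checked_radtest() {
    script=$(command -v radtest) || { echo "radtest: not installed" >&2; return 127; }
    if radtest_supports_type "$script"; then
        radtest "$@"
        return $?
    fi
    echo "$script does not support options; it would read the arguments as:" >&2
    old_radtest_parse "$@" >&2 || echo "  (usage error)" >&2
    return 2
}

# The command line from the thread, run through the old parser.
thread_case() {
    old_radtest_parse -t mschap testing passme 127.0.0.1 0 testing123456
}

thread_case
```

The printed line shows `server=testing`, which is the host name radclient then fails to resolve, and `secret=127.0.0.1`, so the shared secret is misassigned as well.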


Re: [Help] radtest mschap problem

2013-04-26 Thread Alan DeKok
Andres wrote:
> FreeRADIUS  server Version: 2.1.1-7.16.1 
> also installed freeradius-server-libs and utils

  Why?  That version is SEVEN YEARS old.

  Upgrade.  Really.

  And you're using a version of radclient which doesn't support mschap.
 So... why are you trying to use mschap?

  We presume that you're running a recent version of the server.  Also,
that you read the documentation which comes with the server.  If
"radtest -h" doesn't say it supports the "-t" parameter, then it doesn't
support the "-t" parameter.

  Alan DeKok.


Re: Session-Timeout

2013-04-26 Thread Peter Lambrechtsen
It would depend on your NAS. What does the manual of the NAS say? The
maximum number is the unsigned 32bit integer max of 4billion which is just
a few years ;) so I don't really expect you want that.
On Apr 27, 2013 10:06 AM, "David Peterson" 
wrote:

> What is the largest integer that can be used for the Session-Timeout
> attribute?
>
> | David Peterson | Senior Engineer | Wireless Connections |
> | Office: 419.660.6100 ext 2287 | Cell: 419.706.7355 | Fax: 419.668.4077 |
> www.wirelessconnections.net |
> | 166 Milan Ave | Norwalk OH 44857 |
>

RE: Session-Timeout

2013-04-26 Thread David Peterson
They say | David Peterson | Senior Engineer | Wireless Connections |
| Office: 419.660.6100 ext 2287 | Cell: 419.706.7355| Fax: 419.668.4077 |
 www.wirelessconnections.net | 
| 166 Milan Ave |  Norwalk OH 44857 | 

 

From:
freeradius-users-bounces+davidp=wirelessconnections@lists.freeradius.org
[mailto:freeradius-users-bounces+davidp=wirelessconnections.net@lists.freera
dius.org] On Behalf Of Peter Lambrechtsen
Sent: Friday, April 26, 2013 6:30 PM
To: FreeRadius users mailing list
Subject: Re: Session-Timeout

 

It would depend on your NAS. What does the manual of the NAS say? The
maximum number is the unsigned 32bit integer max of 4billion which is just a
few years ;) so I don't really expect you want that.

On Apr 27, 2013 10:06 AM, "David Peterson" 
wrote:

What is the largest integer that can be used for the Session-Timeout
attribute?

 

| David Peterson | Senior Engineer | Wireless Connections |
| Office: 419.660.6100 ext 2287   | Cell:
419.706.7355| Fax: 419.668.4077 |  
www.wirelessconnections.net | 
| 166 Milan Ave |  Norwalk OH 44857 | 

 



RE: Session-Timeout

2013-04-26 Thread David Peterson
Sorry about that, they say its 16 bit.

 

 

From:
freeradius-users-bounces+davidp=wirelessconnections@lists.freeradius.org
[mailto:freeradius-users-bounces+davidp=wirelessconnections.net@lists.freera
dius.org] On Behalf Of Peter Lambrechtsen
Sent: Friday, April 26, 2013 6:30 PM
To: FreeRadius users mailing list
Subject: Re: Session-Timeout

 

It would depend on your NAS. What does the manual of the NAS say? The
maximum number is the unsigned 32bit integer max of 4billion which is just a
few years ;) so I don't really expect you want that.

On Apr 27, 2013 10:06 AM, "David Peterson" 
wrote:

What is the largest integer that can be used for the Session-Timeout
attribute?

 

| David Peterson | Senior Engineer | Wireless Connections |
| Office: 419.660.6100 ext 2287   | Cell:
419.706.7355| Fax: 419.668.4077 |  
www.wirelessconnections.net | 
| 166 Milan Ave |  Norwalk OH 44857 | 

 



Re: wireshart shows wrong information

2013-04-26 Thread Alan DeKok
Juan Pablo L. wrote:
> i realise now that i may have not been very clear in my explanation of
> the problem, that problem is that all values for the fields are the
> wrong values, for example, this is my code:
> 
> pairadd(&request->reply->vps,pairmake("3GPP2-Prepaid-Acct-Quota-QuotaIDentifier","1",
> T_OP_EQ));
> 
> and this is what travels on the wire:
> 
> subtype = 01 (3GPP2-Prepaid-Acct-Quota-QuotaIDentifier)
> subtype-length = 06 
> value = f3 08 48 12 

  I don't see that in the wireshark output.  The value in the pcap file
is correct.

  Alan DeKok.


RE: Freeradius-Users Digest, Vol 96, Issue 88

2013-04-26 Thread Okis Chuang
> Okis Chuang wrote:
> > From the originate-coa documentation, it seems I can't originate
> > coa-request at the section of pre-proxy or post-proxy.
> >
> > It's documented, pretty clear.
> 
>   It's nice to hear that the documentation helps. :)

I thought docs are very helpful at most of time. :p

> > I'm not sure whether it is the cause of my following questions.
> 
>   It is.
> 
> > But what if I need two steps below finished continually both in the
> > same
> > move:
> >
> > 1.  **proxy** auth request to other AAA dispatcher(also FreeRADIUS)
> > to decide where to authenticate.
> 
>   That's easy.
> 
> > 2.  Getting Access-Accept in post-auth, then originate coa request
> > at once in order to change redirect profile to forward profile for
> > subscriber.
> 
>   That's hard.  At least with "originate-coa".

So.. the core concept of *originate-coa* is just "proxy-the-coa"
instead of initiating a coa request?

> 
>   The short answer is that you can run "radclient" as an external program
> from the post-proxy section.  It's ugly, but it will work.
>  
Hmm..that is indeed an alternative, but like you said, it's kind of
not a neat way to achieve my goal.
And I'm worrying that might have some performance issue if supposed
I will have high traffic.

> > But I got the warning that **cannot proxy and originate CoA packets at
> > the same time**.
> 
>   Yes.  We're looking into fixing that for 3.0.

No offense, I'm curious that why can't view these two request:
"Proxy-Auth Request" and "CoA Request" as two independent request?
Or this is about some kind of concern on designation? I thought that
was intuitive until I saw the result and got your kind but hopeless response
: (

> > Actually I move the coa origination to my AAA dispatcher, it also
> > can't works and occurs the same warning.(It makes sense because both
> > are doing coa request after proxying auth request I guess.
> 
>   Originating a CoA packet is really proxying it.  And the server can't proxy
> to two different destinations.

Ok. I got your point.
 
> > So here are my questions:
> >
> > 1.  Does this flow works possibly in my scenario? I mean can I
> > originate coa at once after getting Access-Accept?
> 
>   Not today.

Would this be a difficult demand?
> 
> > 2.  What if I set a **virtual coa server** for receiving coa request
> > from itself, then send to gateway at the section of
> 
>   That won't change anything.
> 
>   It may be easy to originate CoA packets *after* proxying.  Just so long
> as it doesn't do both at the same time.

What do you mean by *after*? The next any-kind-of request?
But I really need them to be done in the same sequence. It upsets
me a bit.

>   I'll see if I have time to look into it.

Thanks Alan! Thanks for your contribution and devotion to FreeRADIUS.
It's really impressive. Not a compliment at all. lol

>   Alan DeKok.

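The radclient workaround suggested in the quoted reply above, sketched as an added example (not part of the original thread and not FreeRADIUS's own script): a wrapper that builds the CoA attribute list and sends it with `radclient`. The NAS address, the secret file path and the use of `Filter-Id` as the profile attribute are assumptions; the exec call from post-proxy that would run the script is not shown.

```shell
#!/bin/sh
# Added example: send a CoA-Request with radclient from an external script.
# Assumptions (not from the thread): NAS address, secret file path, and
# Filter-Id standing in for whatever attribute the NAS uses for the profile.
LC_ALL=C; export LC_ALL

NAS_ADDR="${NAS_ADDR:-192.0.2.10}"                   # placeholder NAS (TEST-NET-1)
COA_PORT="${COA_PORT:-3799}"                         # CoA/Disconnect port, RFC 5176
SECRET_FILE="${SECRET_FILE:-/etc/raddb/coa.secret}"  # hypothetical path

# Accept only characters that cannot close the quoted value or start a new
# attribute line in radclient's input (no quotes, commas, backslashes,
# whitespace or newlines). Empty values are rejected as well.
is_safe_value() {
    case "$1" in
        ''|*[!A-Za-z0-9@._:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the attribute list for one session, or fail without output.
build_coa_attrs() {
    user=$1 session=$2 profile=$3
    for v in "$user" "$session" "$profile"; do
        is_safe_value "$v" || return 1
    done
    printf 'User-Name = "%s"\nAcct-Session-Id = "%s"\nFilter-Id = "%s"\n' \
        "$user" "$session" "$profile"
}

# Send the request. -S reads the shared secret from a file so it does not
# appear in the process list; -t and -r bound the time spent on a dead NAS.
send_coa() {
    attrs=$(build_coa_attrs "$@") || {
        echo "rejected unsafe attribute value" >&2
        return 2
    }
    printf '%s\n' "$attrs" |
        radclient -t 2 -r 1 -S "$SECRET_FILE" "$NAS_ADDR:$COA_PORT" coa
}

# Run only when called as: script <user> <session-id> <profile>
if [ "$#" -eq 3 ]; then
    send_coa "$@"
fi
```

Because the user name and session id come from the RADIUS request, the value check matters: without it, a crafted User-Name could add attributes to the CoA packet.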

FW: Freeradius-UsRe: Originate CoA Request After Receiving Access-Accepters Digest, Vol 96, Issue 88

2013-04-26 Thread Okis Chuang
> Okis Chuang wrote:
> > From the originate-coa documentation, it seems I can't originate
> > coa-request at the section of pre-proxy or post-proxy.
> >
> > It's documented, pretty clear.
> 
>   It's nice to hear that the documentation helps. :)

I thought the docs were very helpful most of the time. :p

> > I'm not sure whether it is the cause of my following questions.
> 
>   It is.
> 
> > But what if I need two steps below finished continually both in the 
> > same
> > move:
> >
> > 1.  **proxy** auth request to other AAA dispatcher(also FreeRADIUS)
> > to decide where to authenticate.
> 
>   That's easy.
> 
> > 2.  Getting Access-Accept in post-auth, then originate coa request
> > at once in order to change redirect profile to forward profile for 
> > subscriber.
> 
>   That's hard.  At least with "originate-coa".

So.. the core concept of *originate-coa* is just "proxy-the-coa"
instead of initiating a coa request?

> 
>   The short answer is that you can run "radclient" as an external 
> program from the post-proxy section.  It's ugly, but it will work.
>  
Hmm.. that is indeed an alternative, but like you said, it's kind of
not a neat way to achieve my goal.
And I'm worried that it might have some performance issues, supposing
I have high traffic.

> > But I got the warning that **cannot proxy and originate CoA packets 
> > at the same time**.
> 
>   Yes.  We're looking into fixing that for 3.0.

No offense, but I'm curious why these two requests, "Proxy-Auth Request" and
"CoA Request", can't be viewed as two independent requests?
Or is this about some kind of concern on designation? I thought that
was intuitive until I saw the result and got your kind but hopeless response :(

> > Actually I move the coa origination to my AAA dispatcher, it also
> > can't works and occurs the same warning.(It makes sense because both
> > are doing coa request after proxying auth request I guess.
> 
>   Originating a CoA packet is really proxying it.  And the server 
> can't proxy to two different destinations.

Ok. I got your point.
 
> > So here are my questions:
> >
> > 1.  Does this flow works possibly in my scenario? I mean can I
> > originate coa at once after getting Access-Accept?
> 
>   Not today.

Would this be a difficult demand?
> 
> > 2.  What if I set a **virtual coa server** for receiving coa request
> > from itself, then send to gateway at the section of
> 
>   That won't change anything.
> 
>   It may be easy to originate CoA packets *after* proxying.  Just so 
> long as it doesn't do both at the same time.

What do you mean by *after*? The next any-kind-of request?
But I really need them to be done in the same sequence. It upsets
me a bit.

>   I'll see if I have time to look into it.

Thanks Alan! Thanks for your contribution and devotion to FreeRADIUS.
It's really impressive. Not a compliment at all. lol

>   Alan DeKok.


Re: Originate CoA Request After Receiving Access-Accept

2013-04-26 Thread Okis Chuang
> Okis Chuang wrote:
> > From the originate-coa documentation, it seems I can't originate
> > coa-request at the section of pre-proxy or post-proxy.
> >
> > It's documented, pretty clear.
>
>   It's nice to hear that the documentation helps. :)

I thought the docs were very helpful most of the time. :p

> > I'm not sure whether it is the cause of my following questions.
>
>   It is.
>
> > But what if I need two steps below finished continually both in the
> > same
> > move:
> >
> > 1.  **proxy** auth request to other AAA dispatcher(also FreeRADIUS)
> > to decide where to authenticate.
>
>   That's easy.
>
> > 2.  Getting Access-Accept in post-auth, then originate coa request
> > at once in order to change redirect profile to forward profile for
> > subscriber.
>
>   That's hard.  At least with "originate-coa".

So.. the core concept of *originate-coa* is just "proxy-the-coa"
instead of initiating a coa request?

>
>   The short answer is that you can run "radclient" as an external
> program from the post-proxy section.  It's ugly, but it will work.
>
Hmm.. that is indeed an alternative, but like you said, it's kind of
not a neat way to achieve my goal.
And I'm worried that it might have some performance issues, supposing
I have high traffic.

> > But I got the warning that **cannot proxy and originate CoA packets
> > at the same time**.
>
>   Yes.  We're looking into fixing that for 3.0.

No offense, but I'm curious why these two requests, "Proxy-Auth Request" and
"CoA Request", can't be viewed as two independent requests?
Or is this about some kind of concern on designation? I thought that
was intuitive until I saw the result and got your kind but hopeless response :(

> > Actually I move the coa origination to my AAA dispatcher, it also
> > can't works and occurs the same warning.(It makes sense because both
> > are doing coa request after proxying auth request I guess.
>
>   Originating a CoA packet is really proxying it.  And the server
> can't proxy to two different destinations.

Ok. I got your point.

> > So here are my questions:
> >
> > 1.  Does this flow works possibly in my scenario? I mean can I
> > originate coa at once after getting Access-Accept?
>
>   Not today.

Would this be a difficult demand?
>
> > 2.  What if I set a **virtual coa server** for receiving coa request
> > from itself, then send to gateway at the section of
>
>   That won't change anything.
>
>   It may be easy to originate CoA packets *after* proxying.  Just so
> long as it doesn't do both at the same time.

What do you mean by *after*? The next any-kind-of request?
But I really need them to be done in the same sequence. It upsets
me a bit.

>   I'll see if I have time to look into it.

Thanks Alan! Thanks for your contribution and devotion to FreeRADIUS.
It's really impressive. Not a compliment at all. lol

>   Alan DeKok.