RE: Log auth message

2013-06-19 Thread BALSIANOK, Peter
Microsoft Outlook has changed first letter :(

log {
 destination = files
 file = /app_log/radius/radius.log
 auth = yes
 auth_badpass = yes
 auth_goodpass = yes
}

When I use parameter -x, everything works correctly (I see the auth log message):

WARNING: Ignoring sql (see raddb/mods-available/README.rst)
WARNING: Ignoring ldap (see raddb/mods-available/README.rst)
WARNING: Ignoring sql (see raddb/mods-available/README.rst)
WARNING: Ignoring sql (see raddb/mods-available/README.rst)
radiusd:  Opening IP addresses and Ports 
Listening on proxy address * port 0
Listening on auth address * port 1812 as server default
Listening on auth address * port 1645 as server default
Ready to process requests.
Waking up in 0.3 seconds.
(0) # Executing section authorize from file /storage/app/radius/raddb/auth/sites-enabled/default
rlm_perl: Added pair NAS-Port-Type = Virtual
rlm_perl: Added pair Acct-Session-Id = d597d9250ac7aeba
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Calling-Station-Id = 42199522
rlm_perl: Added pair Called-Station-Id = GRETEST01BB2.VPS
rlm_perl: Added pair Framed-Protocol = GPRS-PDP-Context
rlm_perl: Added pair User-Name = g...@test.sk
rlm_perl: Added pair NAS-Identifier = ggsn-01-bb2.orange.sk
rlm_perl: Added pair User-Password = tojejedno
rlm_perl: Added pair Acct-Multi-Session-Id = d597d92505600f87
rlm_perl: Added pair Realm = DEFAULT
rlm_perl: Added pair Stripped-User-Name = gre
rlm_perl: Added pair NAS-IP-Address = 213.151.211.225
rlm_perl: Added pair Current-Time = 1371622553
rlm_perl: Added pair Password-With-Header = {SSHA}TypEiJb0E3IVkhcPcO5Eybq/SYYPcrk+Ix1kTg==
rlm_perl: Added pair VPDN_SERVICE_ID = User-GPRS-GRE
(0) # Executing group from file /storage/app/radius/raddb/auth/sites-enabled/default
(0) pap : login attempt with password tojejedno
(0) pap : Using SSHA encryption.
(0) pap : User authenticated successfully
(0) Login OK: [g...@test.sk/tojejedno] (from client localhost port 0 cli 42199522)
(0) # Executing section post-auth from file /storage/app/radius/raddb/auth/sites-enabled/default
rlm_perl: Added pair NAS-Port-Type = Virtual
rlm_perl: Added pair Acct-Session-Id = d597d9250ac7aeba
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Called-Station-Id = GRETEST01BB2.VPS
rlm_perl: Added pair Calling-Station-Id = 42199522
rlm_perl: Added pair Framed-Protocol = GPRS-PDP-Context
rlm_perl: Added pair User-Name = g...@test.sk
rlm_perl: Added pair User-Password = tojejedno
rlm_perl: Added pair NAS-Identifier = ggsn-01-bb2.orange.sk
rlm_perl: Added pair Acct-Multi-Session-Id = d597d92505600f87
rlm_perl: Added pair Realm = DEFAULT
rlm_perl: Added pair NAS-IP-Address = 213.151.211.225
rlm_perl: Added pair Stripped-User-Name = gre
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 10.10.10.1
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair SSHA1-Password = 0x4f2a448896f413721592170f70ee44c9babf49860f72b93e231d644e
rlm_perl: Added pair Current-Time = 1371622553
rlm_perl: Added pair Password-With-Header = {SSHA}TypEiJb0E3IVkhcPcO5Eybq/SYYPcrk+Ix1kTg==
rlm_perl: Added pair Auth-Type = PAP
rlm_perl: Added pair VPDN_SERVICE_ID = User-GPRS-GRE
Waking up in 1.7 seconds.
Ready to process requests.

-Original Message-
From: freeradius-users-bounces+peter.balsianok=orange...@lists.freeradius.org 
[mailto:freeradius-users-bounces+peter.balsianok=orange...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Wednesday, June 19, 2013 3:11 AM
To: FreeRadius users mailing list
Subject: Re: Log auth message

BALSIANOK, Peter wrote:
 Configuration ( for logging in radiusd.conf ):
 Log {

  Log?  Or log ?  It is case sensitive.

 destination = files
 file = /app_log/radius/radius.log
 auth = yes
 auth_badpass = yes
 auth_goodpass = yes
 }
 
 Difference between cases are runtime parameters:
 1. /storage/app/radius/freeradius-3.0.0/sbin/radiusd -d /storage/app/radius/raddb/auth
 2. /storage/app/radius/freeradius-3.0.0/sbin/radiusd -x -d /storage/app/radius/raddb/auth
...

 I will not see any auth log message in the main radius log file /app_log/radius/radius.log (something like):
 Tue Jun 18 08:12:55 2013 : Auth: Login OK: [g...@test.sk/tojejedno] (from client IPSECgtw-01-BB1 port 997 cli 42199522)

  The messages should be there.

  Run it in debugging mode to see if the auth* configuration items are parsed 
correctly.

  It should also print the Login OK messages in debugging mode, too.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


call exec when proxy authentication success

2013-06-19 Thread Bill Yuan
Hi

I did google a lot and still did not manage to find an answer, so I ask
here, hoping someone can help with this.

My freeradius is running as a proxy, and I want to add an exec command when
authentication is successful.

So I add exec in the post-proxy { section,

but how do I filter by the authentication result? I want to trigger it only
on Access-Accept.

If I don't have this filter, then how do I pass the Access-Accept or
Access-Reject into my script?

thanks very much

Re: call exec when proxy authentication success

2013-06-19 Thread Bill Yuan
That means I want to differentiate the Access-Accept or Access-Reject in the post-proxy section.


Re: call exec when proxy authentication success

2013-06-19 Thread Arran Cudbard-Bell

On 19 Jun 2013, at 08:14, Bill Yuan byc...@gmail.com wrote:

 that means I want to differentiate the  Access-Accept or Access-Reject  
 in the post-proxy section,  
 

In 3.0.0.

Post-Proxy-Type Access-Reject {

}

Just like you would in Post-Auth.

Honestly can't remember if it's supported in 2.0.0.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: call exec when proxy authentication success

2013-06-19 Thread Bill Yuan
but the latest release version is 2.2.0,

Can someone help to explain how to filter it on 2.2.0

Re: Log auth message

2013-06-19 Thread A . L . M . Buxey
Hi,

 When I use parameter -x, everything works correctly (I see the auth log message):

that'll be because with -x or -X the service runs as root. without those arguments it
will run as the user configured in the radiusd.conf - please ensure that user/group
is able to write into that location

alan


RE: Log auth message

2013-06-19 Thread BALSIANOK, Peter
Hi,

I never run radiusd as the root user (in both cases).
The user/group is able to write, because I see the general log messages:

Wed Jun 19 08:18:49 2013 : Info: Loaded virtual server default
Wed Jun 19 08:18:49 2013 : Info: Loaded virtual server default
Wed Jun 19 08:18:49 2013 : Info: Ready to process requests.

I didn't see any log message about authentication (correct / incorrect login)
in the case where I run [path]/sbin/radiusd -d [configuration file].



Re: Log auth message

2013-06-19 Thread A . L . M . Buxey
Hi,
 Hi,
 
 I never run radiusd as root user ( for both cases ).

yes you do - when you are running in '-x' mode

 The user/group is able to write, because i see general log message
 
 Wed Jun 19 08:18:49 2013 : Info: Loaded virtual server default
 Wed Jun 19 08:18:49 2013 : Info: Loaded virtual server default
 Wed Jun 19 08:18:49 2013 : Info: Ready to process requests.

IIRC that stuff is done before the server drops down to lower priv

check your permissions, check your audit logs (if running SELinux). standard
installs do not have this issue.

alan


RE: Log auth message

2013-06-19 Thread BALSIANOK, Peter
Hi,

Hmm, sorry, but if I am logged in as a non-root user (for example as the radiusd
user), it is not important whether I run
[path]/sbin/radiusd -d [config file]
or
[path]/sbin/radiusd -x -d [config file]
from the command line (in both cases the service will run under the radiusd environment, not
root).



Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Olivier Beytrison
On 19.06.2013 14:11, Marco Streich wrote:
 Hi all
 
 We have deployed FreeRADIUS on OS X before, but our configuration was rather 
 ugly. What we would do is authenticate users locally, having the machine 
 attached to our OpenDirectory server directly using the Connect Network 
 Account Server functionality provided by OS X.
 
 I have seen this question getting asked a lot but still wasn't able to fill 
 my gap in understanding the whole process. 

I will make it short and easy.

You can't do LDAP authentication with 802.1x. EAP needs the password of
the user in cleartext. if it's not in your ldap, you're screwed.

And the debug log explains it :
 WARNING: No known good password was found in LDAP.  Are you sure that the 
 user is configured correctly?
 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this.

[snip]

 At this moment, I cannot wrap my mind around what is going on here.
 
 I understand that ldap tries to authenticate the user by itself, instead of 
 handing it to the LDAP server. But what is different when I run radtest?
 
 Debug from radtest:
 ...
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group LDAP {...}
 [ldap] login attempt by a4 with password whatever
 [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
   [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
   [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to 
 ldap.hopro.edu:389
   [ldap] waiting for bind result ...
   [ldap] Bind was successful
 [ldap] user a4 authenticated successfully
 ++[ldap] returns ok
 ...

This works because you're doing PAP. with radtest the user password is
sent in cleartext. so YES you can authenticate with ldap because you can
BIND to the ldap with the provided password.

you don't have this password with 802.1x/EAP. you work only with
challenges, hash and keys.

Olivier

-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: terminate eap-ttls

2013-06-19 Thread A . L . M . Buxey
Hi,

I have managed to setup a simple test using eapol_test as per

 http://www.openlogic.com/wazi/bid/188089/Authenticating-Wi-Fi-Users-with-FreeRADIUS

thats a rather old...and random URL. why not look at official docs?

and it all works as described except that I have to use ca.pem instead of
server.pem. I think this might be because the example uses an older
version of FreeRadius?

yes, ca_cert=/home/carla/server.pem is wrong. that's basically checking the RADIUS
server cert..not the CA. eapol_test wants to verify the CA with that config option.

What I really need to do is proxy the inner message to another Radius
server which will do the authentication but I cannot get this to work.
Whatever I try, I always see an EAP-Message avp heading off to the remote
server. I have looked at the proxy-inner-tunnel virtual server but am
unsure how to use it.

tell EAP to send the message somewhere other than the inner-tunnel virtual server.
the inner-tunnel virtual server is a local instance; you need to proxy, so define a
remote pool as per the proxy.conf examples

alan


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi,

 I will make it short and easy.
 
 You can't do LDAP authentication with 802.1x. EAP needs the password of
 the user in cleartext. if it's not in your ldap, you're screwed.

..EAP-TTLS/PAP ?  ;-)

alan


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Phil Mayers

On 19/06/13 13:11, Marco Streich wrote:


When I run radtest from my laptop, the authentication is successful:


radtest does not send eap. Download the wpa_supplicant sources and 
compile eapol_test to test EAP.



WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?


This suggests your LDAP server does not contain, or is not returning, 
password info. So auth would probably have failed...




[ttls] eaptls_verify returned 11
[ttls]  TLS 1.0 Alert [length 0002], warning close_notify
TLS Alert read:warning:close notify
[ttls] WARNING: No data inside of the tunnel.


...except it never gets as far as the inner tunnel because the client 
drops the EAP session. Most likely the client doesn't trust the server cert.



Re: terminate eap-ttls

2013-06-19 Thread Phil Mayers

On 19/06/13 13:28, adrian.p.sm...@bt.com wrote:


What I really need to do is proxy the inner message to another Radius
server which will do the authentication but I cannot get this to work.
Whatever I try, I always see an EAP-Message avp heading off to the
remote server. I have looked at the proxy-inner-tunnel virtual server
but am unsure how to use it.


This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, 
and you're sending it to the remote server.


If the remote server doesn't support EAP, you will need to investigate the:

  proxy_tunneled_request_as_eap

...option in eap.conf. This is set on the outer EAP type (peap or ttls)


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Matthew Newton
On Wed, Jun 19, 2013 at 02:49:21PM +0200, Olivier Beytrison wrote:
 On 19.06.2013 14:11, Marco Streich wrote:
  We have deployed FreeRADIUS on OS X before, but our
  configuration was rather ugly. What we would do is
  authenticate users locally, having the machine attached to our
  OpenDirectory server directly using the Connect Network
  Account Server functionality provided by OS X.

 I will make it short and easy.
 
 You can't do LDAP authentication with 802.1x. EAP needs the password of
 the user in cleartext. if it's not in your ldap, you're screwed.

Not entirely true.

With PAP (which is what radtest is doing) then you can work
without a cleartext password as auth is (generally) based on a
ldap bind.

With EAP-TTLS/PAP, you can also work with just the hash in ldap,
as (same as clear PAP) you get the password from the client to do
a bind with.

With EAP-TTLS/MSCHAP or PEAP/EAP-MSCHAP etc you need the cleartext
password from ldap - auth is done by checking this in FreeRADIUS,
not by a bind to ldap.


  [ldap] login attempt by a4 with password whatever
  [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
[ldap] (re)connect to ldap.hopro.edu:389, authentication 1
[ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to 
  ldap.hopro.edu:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
  [ldap] user a4 authenticated successfully
  ++[ldap] returns ok

 This works because you're doing PAP. with radtest the user password is
 sent in cleartext. so YES you can authenticate with ldap because you can
 BIND to the ldap with the provided password.
 
 you don't have this password with 802.1x/EAP. you work only with
 challenges, hash and keys.

Apple OS X can do EAP-TTLS/PAP as far as I am aware (native
Windows < 8 can't), so this should work. I don't recognise the
error you're getting, though - it looks like the client gave up
and sent an empty packet.

Note you don't need ldap configured in the outer for 802.1X to
work - the outer is just doing EAP. It's the inner that will need
the ldap modules.


Some other comments -

Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
2.2.x.

Save yourself some round trip packets by setting default_eap_type
= ttls in eap.conf

Save yourself some LDAP lookups by removing ldap from the outer.


Cheers

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: call exec when proxy authentication success

2013-06-19 Thread Arran Cudbard-Bell

On 19 Jun 2013, at 13:50, Martin Kraus lists...@wujiman.net wrote:

 On Wed, Jun 19, 2013 at 04:10:49PM +0800, Bill Yuan wrote:
 but the latest release version is 2.2.0,
 
 Can someone help to explain how to filter it on 2.2.0
 
 I've got on debian freeradius 2.1.12 this in post-auth config, so I guess it
 should be working just the same.
 
 Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
# sql
attr_filter.access_reject
 }

No, that's not the same. That will be run for non-proxied requests too.

Just try the Post-Proxy-Type section, it might work in 2.0, if it doesn't
I know there's a way to get the proxy response code, I just can't remember
what it is.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



RE: terminate eap-ttls

2013-06-19 Thread adrian.p.smith

 What I really need to do is proxy the inner message to another Radius 
 server which will do the authentication but I cannot get this to work.
 Whatever I try, I always see an EAP-Message avp heading off to the 
 remote server. I have looked at the proxy-inner-tunnel virtual server 
 but am unsure how to use it.

This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, and 
you're sending it to the remote server.

Thanks, this is NOT what I want to do. I want to send the inner message, not 
the tunnel and do PAP on the remote server.

If the remote server doesn't support EAP, you will need to investigate the:
   proxy_tunneled_request_as_eap
...option in eap.conf. This is set on the outer EAP type (peap or ttls)

Regards



Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi,

 Some other comments -
 
 Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
 2.2.x.
 
 Save yourself some round trip packets by setting default_eap_type
 = ttls in eap.conf
 
 Save yourself some LDAP lookups by removing ldap from the outer.

..and save some more hits to LDAP by wrapping the call to it in the
authorization stage to just the EAP Identity packet :-)

alan


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Olivier Beytrison
On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote:
 Hi,
 
 Some other comments -

 Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
 2.2.x.

 Save yourself some round trip packets by setting default_eap_type
 = ttls in eap.conf

 Save yourself some LDAP lookups by removing ldap from the outer.
 
 ..and save some more hits to LDAP by wrapping the call to it in the
 authorization stage to just the EAP Identity packet :-)

That's pretty interesting, what's the if() you're doing to achieve that?


-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: terminate eap-ttls

2013-06-19 Thread A . L . M . Buxey
Hi,

 This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, and 
 you're sending it to the remote server.
 
 Thanks, this is NOT what I want to do. I want to send the inner message, not 
 the tunnel and do PAP on the remote server.

okay. so you need to start by terminating the EAP on your server...so you need the current
out of the box configuration and use the inner-tunnel...but then you want to then proxy the
PAP authentication - that would be done with some 'update control' unlang

alan


Re: terminate eap-ttls

2013-06-19 Thread Phil Mayers

On 19/06/13 14:54, adrian.p.sm...@bt.com wrote:



What I really need to do is proxy the inner message to another
Radius server which will do the authentication but I cannot get
this to work. Whatever I try, I always see an EAP-Message avp
heading off to the remote server. I have looked at the
proxy-inner-tunnel virtual server but am unsure how to use it.



This *is* proxying the inner tunnel; the inner tunnel auth is also
EAP, and you're sending it to the remote server.


Thanks, this is NOT what I want to do. I want to send the inner
message, not the tunnel and do PAP on the remote server.


You can only do PAP on the remote server if your inner auth method was 
PAP. Basically, this means EAP-TTLS/PAP.


Doing that is simple:

server inner-tunnel {
  authorize {
update control {
  Proxy-To-Realm := THEREALM
}
  }
}

If this isn't working, send a debug from radiusd -X


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Phil Mayers

On 19/06/13 15:32, Olivier Beytrison wrote:

On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote:

Hi,


Some other comments -

Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
2.2.x.

Save yourself some round trip packets by setting default_eap_type
= ttls in eap.conf

Save yourself some LDAP lookups by removing ldap from the outer.


..and save some more hits to LDAP by wrapping the call to it in the
authorization stage to just the EAP Identity packet :-)


That's pretty interesting, what's the if() you're doing to achieve that?


He he he... if I recall correctly I came up with something like:

server inner-tunnel {
  authorize {
eap

# stop processing authorize on eap identity or mschap success/fail
if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
  noop
}
else {
  # rest of config goes here
}
  }
}

Note however that you can avoid this in master versions of the server 
with:


server inner-tunnel {
  authorize {
eap {
  ok = return
}
  }
}

...as the EAP module was updated to return ok on identity/mschap 
responses. Yet another reason to upgrade!

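The two conditions in Phil's unlang above test for an EAP-Response/Identity (EAP-Type == 1) and for a six-byte EAP-MSCHAPv2 Success/Failure response (the 0x02..00061a.. regex). The Python below is an added example, not code from the thread or from FreeRADIUS: it decodes constructed EAP packets, applies the same two tests, and shows which packets the regex actually matches, so the condition can be sanity-checked before it goes into a production inner-tunnel.

```python
import re

# EAP header fields (RFC 3748) and the values the unlang condition looks for.
EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MSCHAPV2 = 26          # 0x1a in the regex
MSCHAPV2_OP_SUCCESS = 3
MSCHAPV2_OP_FAILURE = 4

# The regex from the post, applied to the attribute's "0x..." octet rendering.
UNLANG_REGEX = re.compile(r"^0x02..00061a..$")


def parse_eap(data: bytes) -> dict:
    """Decode one EAP packet: Code, Identifier, Length, plus Type/payload for Request/Response."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} does not match {len(data)} bytes")
    pkt = {"code": code, "id": ident, "length": length, "type": None, "payload": b""}
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):  # only these carry a Type octet
        if length < 5:
            raise ValueError("EAP Request/Response without a Type octet")
        pkt["type"] = data[4]
        pkt["payload"] = data[5:]
    return pkt


def is_identity_or_mschap_result(data: bytes) -> bool:
    """True for an EAP-Response/Identity or a bare EAP-MSCHAPv2 Success/Failure
    response: the packets on which the inner-tunnel authorize section has nothing
    to look up (no user-name check, no password) and can stop early."""
    pkt = parse_eap(data)
    if pkt["code"] != EAP_CODE_RESPONSE:
        return False
    if pkt["type"] == EAP_TYPE_IDENTITY:
        return True
    # 6 bytes = 5-byte EAP header + 1-byte MSCHAPv2 Op-Code and no further data
    return (pkt["type"] == EAP_TYPE_MSCHAPV2 and pkt["length"] == 6
            and pkt["payload"][0] in (MSCHAPV2_OP_SUCCESS, MSCHAPV2_OP_FAILURE))


def unlang_regex_matches(data: bytes) -> bool:
    """Apply the post's regex to the packet rendered the way FreeRADIUS prints octets."""
    return UNLANG_REGEX.match("0x" + data.hex()) is not None


# Constructed sample packets (not captured traffic).
SAMPLES = {
    # EAP-Response/Identity carrying the user name "alice"
    "identity": b"\x02\x01\x00\x0a\x01alice",
    # EAP-Response/MSCHAPv2 with Op-Code 3 (Success), exactly 6 bytes
    "mschap_success": b"\x02\x07\x00\x06\x1a\x03",
    # EAP-Response/MSCHAPv2 with Op-Code 4 (Failure), exactly 6 bytes
    "mschap_failure": b"\x02\x08\x00\x06\x1a\x04",
    # EAP-Response/MSCHAPv2 with Op-Code 2 (the challenge response, payload
    # abbreviated): this is the packet authorize must still process
    "mschap_response": b"\x02\x05\x00\x0c\x1a\x02\x05\x00\x07\x31\x00\x61",
    # EAP-Request/Identity as sent by the server: Code 1, must not match
    "request_identity": b"\x01\x01\x00\x05\x01",
}


def classify_samples() -> dict:
    """Map each sample name to (skips authorize?, regex alone matches?)."""
    return {name: (is_identity_or_mschap_result(pkt), unlang_regex_matches(pkt))
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (skip, rx) in classify_samples().items():
        print(f"{name:18s} skip_authorize={skip!s:5s} regex_match={rx}")
```

Note that the regex alone never matches the Identity response; the EAP-Type == 1 clause is what covers it, which is why the unlang needs both halves.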


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi,

 He he he... if I recall correctly I came up with something like:

yes, that's the one. quoted as 'most evil unlang ever' if I recall
have used it on many occasions...does the job well

 ...as the EAP module was updated to return ok on identity/mschap
 responses. Yet another reason to upgrade!

yep...as well as proper pools of LDAP servers in 3.x

alan


Re: eap sim authorization problem

2013-06-19 Thread raptor raptor
Hi, IIlya
Thanx for your advice
it works


On Thu, Jun 13, 2013 at 2:47 PM, Iliya Peregoudov iperegu...@cboss.ruwrote:

 On 11.06.2013 12:27, raptor raptor wrote:

 1.
 when i change users entry, i get notification that access-accept has
 succesfull
 but unfortunately, when i restart the system cant access-accept and i
 must change attribute in users from agsm program
 here the log:


 I do not understand clearly whether you think you succeed or no.


  2.
 i've changed users entry as you suggest and i still get the same
 notification
 rlm_sim_files : isufficient number of challenges of challenges for imsi


 Changing users file will not fix simtriplets.dat.

 I do not understand why do you still bother about rlm_sim_files. You've
 already configured auth vectors using users file and it works well. Just
 comment out sim_files module invocation and isufficient number of
 challenges will go away.


Re: eap sim authorization problem

2013-06-19 Thread raptor raptor
Hi,

I have tried with one client and it successfully authenticates and accesses
the internet in WLAN.
Could this test use multiple clients?

I just tried one client and it succeeded, but when I use another client it fails.
Is it correct if I add the other client in users and simtriplets.dat?

ex:
simtriplets.dat
151001xx,Rand1,SRES1,kC1
151001xx,Rand2,SRES2,kC2
151001xx,Rand3,SRES3,kC3

151002xx,Rand1,SRES1,kC1
151002xx,Rand2,SRES2,kC2
151002xx,Rand3,SRES3,kC3

and also in users
151001xxx...@wlan.mnc  EAP-Type :=SIM
EAP-Sim-Rand1 = 0x...
.
.
.
.

151002xxx...@wlan.mnc  EAP-Type :=SIM
EAP-Sim-Rand1 = 0x...
.
.
.
.

thanx for your time and your advice
best regards

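Added example, not from the thread or from rlm_sim_files: a small checker for a simtriplets.dat in the 'imsi,rand,sres,kc' layout shown above. It reports any IMSI with fewer than the three triplets EAP-SIM needs (the 'insufficient number of challenges' case from Iliya's earlier reply) and can render the same vectors as a users-file entry instead, which is the alternative that makes rlm_sim_files unnecessary. The sample data, the hex field widths (taken from the GSM RAND/SRES/Kc sizes) and the EAP-Sim-SRESn/EAP-Sim-KCn attribute names (only EAP-Sim-Rand1 appears on the page) are assumptions.

```python
from collections import defaultdict

# GSM authentication vector sizes: RAND 128 bit, SRES 32 bit, Kc 64 bit.
# Assumption for this example: values are stored as bare hex digits of these widths.
FIELD_HEX_LEN = {"rand": 32, "sres": 8, "kc": 16}
TRIPLETS_PER_AUTH = 3   # EAP-SIM full authentication uses three challenges

# Constructed sample in the layout from the post; the second IMSI is
# deliberately one triplet short.
SAMPLE_SIMTRIPLETS = """\
# imsi,rand,sres,kc
151001000000001,0123456789abcdef0123456789abcdef,01234567,0123456789abcdef
151001000000001,1123456789abcdef0123456789abcdef,11234567,1123456789abcdef
151001000000001,2123456789abcdef0123456789abcdef,21234567,2123456789abcdef

151002000000002,3123456789abcdef0123456789abcdef,31234567,3123456789abcdef
151002000000002,4123456789abcdef0123456789abcdef,41234567,4123456789abcdef
"""


def load_triplets(text: str) -> dict:
    """Parse 'imsi,rand,sres,kc' lines into {imsi: [(rand, sres, kc), ...]}."""
    triplets = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip().lower() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected imsi,rand,sres,kc")
        imsi, rand, sres, kc = fields
        if not imsi.isdigit():
            raise ValueError(f"line {lineno}: IMSI must be decimal digits")
        for name, value in (("rand", rand), ("sres", sres), ("kc", kc)):
            if len(value) != FIELD_HEX_LEN[name] or any(c not in "0123456789abcdef" for c in value):
                raise ValueError(f"line {lineno}: {name} must be {FIELD_HEX_LEN[name]} hex digits")
        triplets[imsi].append((rand, sres, kc))
    return dict(triplets)


def insufficient_challenges(triplets: dict, needed: int = TRIPLETS_PER_AUTH) -> list:
    """IMSIs that would hit 'insufficient number of challenges' (fewer than `needed` triplets)."""
    return sorted(imsi for imsi, vecs in triplets.items() if len(vecs) < needed)


def users_entry(imsi: str, realm: str, vectors: list) -> str:
    """Render a users-file entry that carries the vectors directly, in the layout
    the post shows (EAP-Type := SIM on the first line, vectors as reply items).
    EAP-Sim-Rand1 is on the page; the SRES/KC names are assumed to follow the pattern."""
    if len(vectors) < TRIPLETS_PER_AUTH:
        raise ValueError(f"{imsi}: need {TRIPLETS_PER_AUTH} vectors, have {len(vectors)}")
    lines = [f"{imsi}@{realm}\tEAP-Type := SIM"]
    for n, (rand, sres, kc) in enumerate(vectors[:TRIPLETS_PER_AUTH], 1):
        lines.append(f"\tEAP-Sim-Rand{n} = 0x{rand},")
        lines.append(f"\tEAP-Sim-SRES{n} = 0x{sres},")
        lines.append(f"\tEAP-Sim-KC{n} = 0x{kc},")
    lines[-1] = lines[-1].rstrip(",")   # last reply item has no trailing comma
    return "\n".join(lines)


if __name__ == "__main__":
    data = load_triplets(SAMPLE_SIMTRIPLETS)
    print("short of challenges:", insufficient_challenges(data))
    print(users_entry("151001000000001", "wlan.mnc", data["151001000000001"]))
```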

Re: EAP-SIM

2013-06-19 Thread raptor raptor
You missed installing rlm_sim_files.

1. go to /src/modules/rlm_sim_files and sudo make
2. copy rlm_sim_files to the library directory
cp ./.libs/rlm_sim_files-2.2.0.so /usr/lib/freeradius
3. create a link to /usr/lib/freeradius/rlm_sim_files-2.2.0.so
sudo ln -s /usr/lib/freeradius/rlm_sim_files-2.2.0.so /usr/lib/freeradius/rlm_sim_files.so

that's it
maybe this helps with your problem


On Thu, Jun 20, 2013 at 11:30 AM, romy rooman roomanro...@gmail.com wrote:

 Hi all,
 i have read many posts about eap sim
 i have create simtriplets.dat and i want to use eap sim for tests
 and i get notification that
 rlm_sim_files not found

 what should i do?
