Users classes
How can I create classes of users in Radius?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
User group in freeradius
I have a VPN with user authentication via RADIUS+LDAP. Now I need to create user groups in freeradius so that I can permit users access to freeradius and give them credits per week (minutes/week). My idea is to create credits like the cell phone companies do. How can I do this?
POPTOP + RADIUS + LDAP
I am trying to install this:

PPTP Client (Linux/Win XP/Win 2k) --> RADIUS ---> LDAP

I have a problem with user authentication with RADIUS and LDAP. Could someone help me? My RADIUS can already authenticate users for GNUGK (VOIP/H.323). Help me please.
Re: freeradius with openldap
Send me your configuration.

On Mon, 28 Feb 2005, helder martins wrote:

> hello,
> i'm having problems when i try to authenticate a user using freeradius and
> ldap.
> i'm using freeradius-1.0.1 and openldap-2.2.15 and i need someone to help me
> correctly configure my radius server to authenticate against an ldap
> database.
> thanks
Re: PPTP + RADIUS+LDAP
My Radius shows me this:

rad_recv: Access-Request packet from host 146.164.247.230:32776, id=41, length=70
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "marcelo"
        Calling-Station-Id = "X.X.Y.198"
        NAS-IP-Address = X.X.Y.230
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "digest" returns noop for request 3
    rlm_realm: No '@' in User-Name = "marcelo", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for marcelo
radius_xlat:  '(uid=marcelo)'
radius_xlat:  'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=marcelo)
rlm_ldap: Added password teste in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value CHAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding Cisco-AVPair as Cisco-AVPair, value h323-ivr-in=terminal-alias:marcelo,025983355 & op=11
rlm_ldap: user marcelo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns ok for request 3
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 3
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 3
ERROR: No Digest-Nonce: Cannot perform Digest authentication
  modcall[authenticate]: module "digest" returns invalid for request 3
rlm_chap: Attribute "CHAP-Password" is required for authentication.
  modcall[authenticate]: module "chap" returns invalid for request 3
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module "mschap" returns reject for request 3
modcall: group Auth-Type returns reject for request 3
auth: Failed to validate the user.

PS: My radius is OK with GNUGK authentication.

On Fri, 25 Feb 2005, Alan DeKok wrote:

> Anderson Alves de Albuquerque <[EMAIL PROTECTED]> wrote:
> > I have freeradius with LDAP to do user authentication; now I need to use
> > VPN (pptp) connecting to freeradius to do user authentication. Is this possible?
>
> Yes.
>
> > I am doing the steps in
> > http://poptop.sourceforge.net/dox/radius_mysql.html, but I have problems
> > with authentication.
> >
> > Does someone know how to help me?
>
> If you're not going to post any information about what's wrong (see
> the FAQ), then it is impossible for anyone to help you.
>
> Alan DeKok.
PPTP + RADIUS+LDAP
I have freeradius with LDAP doing user authentication; now I need to use a VPN (pptp) connecting to freeradius to do user authentication. Is this possible?

I am doing the steps in http://poptop.sourceforge.net/dox/radius_mysql.html, but I have problems with authentication. Does someone know how to help me?

My poptop (pptp) is OK when I use a config without "plugins radius.so"; then the VPN reads the chap-secrets file in /etc/ to find users and passwords. But I need to use LDAP and freeradius to do user authentication.
Re: freeradius + LDAP
Look at this: http://www.lh.freeradius.org/radiusd/doc/ldap_howto.txt

On Wed, 23 Feb 2005, anderson souza wrote:

> Good morning to all!!
>
> I would like to know whether any of the friends here know of some
> documentation on the poptop + freeradius + LDAP implementation, or even
> a possible step-by-step guide ("road of the stones") for the
> configuration on debian sarge!!!
>
> Thanks in advance for everyone's attention...
>
> Att.
> Anderson
VPN and Freeradius
How can I do authentication of users in a VPN using FreeRadius? I want freeradius to do the authentication. Before my users use the VPN, Freeswan would need to authenticate them against freeradius. Is this possible? Is FreeSwan the best to work with FreeRadius?
(no subject)
I can't store userpassword in clear-text format. Is this possible? This is my system:

---[Server]-- CHAP --> [Radius]-- clear TXT --> [LDAP Server]

I need the users' passwords to stay in crypt or DES format, i.e. afterwards I need RADIUS to use crypt or DES to get the password in clear text. How could I tell RADIUS to use crypt or DES to get clear text? Remember that CHAP hashes the password sent from [server] to [RADIUS]. If RADIUS knew how to obtain the original password stored in LDAP, RADIUS could compute the hash. Then RADIUS could check whether this hash matches the hash that RADIUS receives from the [application].
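The question above (and the earlier debug that stopped at 'Attribute "User-Password" is required for authentication') comes down to how CHAP is checked. The following Python is an added example, not FreeRADIUS or rlm_ldap code: it recomputes the RFC 1994 response the way a RADIUS server must, and returns None when the directory holds only a crypt, DES, MD5 or SSHA hash, because a one-way hash cannot be used to recompute it. The password, CHAP-Id and hash values are constructed; the challenge reuses the 4-byte CHAP-Challenge from one of the debug outputs in these threads.

```python
"""RADIUS CHAP check against an LDAP userPassword value.

Added example (not FreeRADIUS or rlm_ldap code).  A CHAP login can only be
verified when the server can read the user's cleartext password; a one-way
hash such as {CRYPT} (crypt/DES), {MD5} or {SSHA} cannot be used.
Sample values are constructed; the 4-byte challenge reuses the
CHAP-Challenge seen in the thread's debug output.
"""
import hashlib
import hmac


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(CHAP-Id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_password_attribute(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute (RFC 2865 s5.3) as the
    NAS sends it: one CHAP-Id byte followed by the 16-byte MD5 response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def ldap_password_scheme(user_password: bytes):
    """Split an LDAP userPassword value into (scheme, data).

    b'{CRYPT}abc' -> ('CRYPT', b'abc'); a value without a {SCHEME}
    prefix is cleartext -> (None, value)."""
    if user_password.startswith(b"{"):
        end = user_password.find(b"}")
        if end > 1:
            return user_password[1:end].decode("ascii").upper(), user_password[end + 1:]
    return None, user_password


def verify_chap(chap_password: bytes, challenge: bytes, user_password: bytes):
    """Server-side check.  Returns True/False for a cleartext stored
    password, or None when the check is impossible because the directory
    only holds a one-way hash: the server must recompute MD5 over the real
    password, and a crypt/DES/MD5/SSHA hash cannot be turned back into it.

    If the request carries no CHAP-Challenge attribute, RFC 2865 says the
    16-byte Request Authenticator is used as the challenge; pass it here."""
    scheme, stored = ldap_password_scheme(user_password)
    if scheme not in (None, "CLEARTEXT"):
        return None  # needs the cleartext; a hash cannot be reversed
    if len(chap_password) != 17:
        return False  # malformed attribute: must be Id + 16-byte digest
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, stored, challenge)
    return hmac.compare_digest(response, expected)


# --- constructed sample exchange -------------------------------------------
CHALLENGE = bytes.fromhex("41fbbfc3")  # CHAP-Challenge value from the thread
CHAP_ID = 0x01                         # CHAP-Id chosen by the NAS (constructed)
USER_PASSWORD = b"teste"               # constructed cleartext credential

# What the NAS would put in the Access-Request for this user.
REQUEST_CHAP_PASSWORD = chap_password_attribute(CHAP_ID, USER_PASSWORD, CHALLENGE)

# Three ways the same user might be stored in LDAP.  Only the first can be
# checked with CHAP; the hash values are constructed placeholders.
STORED_CLEARTEXT = b"teste"
STORED_CRYPT = b"{CRYPT}PLACEHOLDER-DES-HASH"
STORED_SSHA = b"{SSHA}PLACEHOLDER-BASE64"


def outcomes() -> dict:
    """Result of the CHAP check for each storage format."""
    return {
        "cleartext": verify_chap(REQUEST_CHAP_PASSWORD, CHALLENGE, STORED_CLEARTEXT),
        "wrong-cleartext": verify_chap(REQUEST_CHAP_PASSWORD, CHALLENGE, b"other"),
        "crypt": verify_chap(REQUEST_CHAP_PASSWORD, CHALLENGE, STORED_CRYPT),
        "ssha": verify_chap(REQUEST_CHAP_PASSWORD, CHALLENGE, STORED_SSHA),
    }


if __name__ == "__main__":
    for fmt, result in outcomes().items():
        print(f"{fmt:16s} -> {result}")
```

The practical consequence for this setup is that the directory must keep the credential in a form the RADIUS server can read back (or the NAS must use an authentication method that does not require it); a {CRYPT} or {SSHA} userPassword cannot satisfy a CHAP check.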
RE: Radius with SSL
Thanks, my Radius with LDAP is OK now. How can I configure the password in LDAP with MD5? Example: in LDAP I put:

rootpw {MD5}aY3BnUicTk23PiinE+qwew==

In radius.conf I put:

ldap {
        server="ldaps.xxx.com"
        identity="cn=root,dc=com"
        password={MD5}aY3BnUicTk23PiinE+qwew==
        .
        .
        .
}
--

But radius doesn't get to do authentication. How can I put the LDAP password in radius.conf with an MD5, SHA1 or SSHA hash?

On Mon, 10 Jan 2005, Willey Kurt D wrote:

> Use port 636 to your ldaps server, and let the radius server do the
> work. The hardest part is generating the certificate trust.
>
> Sample radiusd.conf for ldaps to Win2K AD:
> server = "127.0.0.1"
> port = 636
> identity = "cn=ldapuser,cn=users,dc=domain,dc=com"
> password = yourpass
> basedn = "dc=domain,dc=com"
> filter = "(&(samaccountname=%{Stripped-User-Name:-%{User-Name}}))"
> start_tls = no
> tls_cacertfile = /usr/local/ssl/certs/sslcertificate.pem
> tls_cacertdir = /usr/local/ssl/certs/
>
> If you can get ldapsearch to work, radiusd is a breeze.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Anderson Alves de Albuquerque
> Sent: Monday, January 10, 2005 9:18 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Radius with SSL
>
> I need a manual about Radius + SSL.
>
> I have RADIUS doing authentication in an LDAP Server, but I need to pass
> the authentication over SSL.
> How can I do it?
> Can anyone help me? Please...
Userpassword in LDAP
I need my schema to have a userpassword attribute, but the password attribute must be encrypted and FreeRADIUS must understand it. FreeRadius needs to access the userpassword attribute in LDAP to authenticate. But userpassword needs to be encrypted. How can I do this?
TLS
In my debug I see this message. Does someone know what the problem is?

-- debug -X
Cleaning up request 0 ID 41 with timestamp 41fc77b9
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 146.x.y.x:10958, id=41, length=142
        User-Name = "anderson"
        CHAP-Password = 0x264687ce992af9084804a7d3fe6d654eae
        NAS-IP-Address = 146.x.y.235
        NAS-Identifier = "UFRJGK"
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        CHAP-Challenge = 0x41fbbfc3
        Framed-IP-Address = 146.x.y.x
        Cisco-AVPair = "h323-ivr-out=terminal-alias:anderson,025980011;"
rad_lowerpair:  User-Name now 'anderson'
rad_rmspace_pair:  User-Name now 'anderson'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
    rlm_realm: No '@' in User-Name = "anderson", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "anderson"
    rlm_realm: Proxying request from user anderson to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 1
  modcall[authorize]: module "digest" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anderson
radius_xlat:  '(&(uid=anderson)(objectclass=radiusprofile))'
radius_xlat:  'ou=users,dc=br'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /home/brunoos/temp/certs/rootCA.crt
rlm_ldap: setting TLS CACert File to /home/brunoos/temp/certs/
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: setting TLS Cert File to /home/brunoos/temp/certs/server.crt
rlm_ldap: setting TLS Key File to /home/brunoos/temp/certs/server.key
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 1
modcall: group authorize returns fail for request 1
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
TLS
With the "-X" debug option I don't see radius show anything about TLS. I only put this config:

-- section ldap {} ---
start_tls = yes
tls_mode = yes
tls_cacertfile = /certs/rootCA.crt
tls_cacertdir = /certs/
port=636
tls_certfile = /certs/server.crt
tls_keyfile = /certs/server.key

Are there other configs?
Radius + TLS
Now I need to use RADIUS with TLS, but I am having a problem. I don't know how to make RADIUS+TLS talk to LDAP+TLS. When I use ldapsearch, communication with the LDAP Server+TLS is OK on the LDAPS port (636). In the Radius I put:

---
start_tls = yes
tls_mode = yes
tls_cacertfile = /radius/rootCA.crt
tls_cacertdir = /radius/
port=636
tls_certfile = /radius/server.crt
tls_keyfile = /radius/server.key
-

My ldapsearch is OK connecting to the LDAP+TLS server, but RADIUS is not. Below I show the problems with RADIUS:

PS: I used "netstat -at" to check that port ldaps (636) was UP beforehand.

-
Cleaning up request 4 ID 131 with timestamp 41fa6269
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 146.164.247.235:10047, id=131, length=142
        User-Name = "anderson"
        CHAP-Password = 0xc69679dfcd6222a04b11fb35fa5d4d5489
        NAS-IP-Address = z.y.x.35
        NAS-Identifier = "UFRJGK"
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        CHAP-Challenge = 0x41f7feae
        Framed-IP-Address = z.y.x.98
        Cisco-AVPair = "h323-ivr-out=terminal-alias:anderson,025980011;"
rad_lowerpair:  User-Name now 'anderson'
rad_rmspace_pair:  User-Name now 'anderson'
modcall: entering group authorize for request 6
    rlm_realm: No '@' in User-Name = "anderson", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "anderson"
    rlm_realm: Proxying request from user anderson to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 6
  modcall[authorize]: module "digest" returns noop for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anderson
radius_xlat:  '(&(uid=anderson)(objectclass=radiusprofile))'
radius_xlat:  'ou=users,dc=voip,dc=nce,dc=ufrj,dc=br'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to z.y.x.16:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 6
modcall: group authorize returns fail for request 6
Finished request 6
Going to the next request
-

Does someone know how to help me?
RE: Radius with SSL
I created the cacert.pem like http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html. I don't understand what is ... Is there another good paper on the Internet?

On Thu, 13 Jan 2005, Willey Kurt D wrote:

> I don't use slapd, but it looks like your CA isn't known (trusted):
> "...tlsv1 alert unknown ca"
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Anderson Alves de Albuquerque
> Sent: Thursday, January 13, 2005 12:32 PM
> To: freeradius-users@lists.freeradius.org
> Subject: RE: Radius with SSL
>
> > [earlier messages in this thread, quoted again here, are elided]
RE: Radius with SSL
In the LDAP debug output I see this:
---
.
.
.
.
tls_read: want=5, got=5
  : 15 03 01 00 02                                     .....
tls_read: want=2, got=2
  : 02 30                                              .0
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1052
^Cslapd shutdown: waiting for 0 threads to terminate
slapd stopped.
-

On Thu, 13 Jan 2005, Willey Kurt D wrote:

> Is your ldap server listening on that port?
> "...Can't contact LDAP server..."
>
> Does ldapsearch work?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Anderson Alves de Albuquerque
> Sent: Thursday, January 13, 2005 12:02 PM
> To: freeradius-users@lists.freeradius.org
> Subject: RE: Radius with SSL
>
> > [earlier messages in this thread, quoted again here, are elided]
RE: Radius with SSL
It is up:
--
# netstat -at|grep ldap
tcp4       0      0  *.ldaps                *.*                    LISTEN
tcp6       0      0  *.ldaps                *.*                    LISTEN
tcp4       0      0  *.ldap                 *.*                    LISTEN
tcp6       0      0  *.ldap                 *.*                    LISTEN
tcp4       0      0  146.164.247.236.4435   146.164.247.236.ldaps  TIME_WAIT
tcp4       0      0  146.164.247.236.3299   146.164.247.236.ldaps  TIME_WAIT
---

On Thu, 13 Jan 2005, Willey Kurt D wrote:

> Is your ldap server listening on that port?
> "...Can't contact LDAP server..."
>
> Does ldapsearch work?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Anderson Alves de Albuquerque
> Sent: Thursday, January 13, 2005 12:02 PM
> To: freeradius-users@lists.freeradius.org
> Subject: RE: Radius with SSL
>
> > [earlier messages in this thread, quoted again here, are elided]
RE: Radius with SSL
I created the certificates with http://www.freeradius.org/radiusd/doc/rlm_ldap. And I put in my radiusd.conf the configs below, but I have problems. Look at my debug in radiusd with "-x":

---
rad_recv: Access-Request packet from host 146.164.xxx.236:10537, id=104, length=132
        User-Name = "aaa"
        CHAP-Password = 0x658558a664c7032b44818a81b755804a11
        NAS-IP-Address = 146.164.xxx.236
        NAS-Identifier = "UFRJGK"
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        CHAP-Challenge = 0x41e6bde1
        Framed-IP-Address = 146.164.xxx.198
        Attr-589825 = 0x683332332d6976722d6f75743d7465726d696e616c2d616c6961733a6161612c3032353938303035343b
rlm_ldap: - authorize
rlm_ldap: performing user authorization for aaa
ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to 146.164.xxx.236:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=root,dc=voip,dc=nce,dc=ufrj,dc=br/teste to 146.164.xxx.236:636
rlm_ldap: cn=root,dc=voip,dc=nce,dc=ufrj,dc=br bind to 146.164.xxx.236:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
--

On Mon, 10 Jan 2005, Willey Kurt D wrote:

> Use port 636 to your ldaps server, and let the radius server do the
> work. The hardest part is generating the certificate trust.
>
> Sample radiusd.conf for ldaps to Win2K AD:
> server = "127.0.0.1"
> port = 636
> identity = "cn=ldapuser,cn=users,dc=domain,dc=com"
> password = yourpass
> basedn = "dc=domain,dc=com"
> filter = "(&(samaccountname=%{Stripped-User-Name:-%{User-Name}}))"
> start_tls = no
> tls_cacertfile = /usr/local/ssl/certs/sslcertificate.pem
> tls_cacertdir = /usr/local/ssl/certs/
>
> If you can get ldapsearch to work, radiusd is a breeze.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Anderson Alves de Albuquerque
> Sent: Monday, January 10, 2005 9:18 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Radius with SSL
>
> I need a manual about Radius + SSL.
>
> I have RADIUS doing authentication in an LDAP Server, but I need to pass
> the authentication over SSL.
> How can I do it?
> Can anyone help me? Please...
Re: Radius with LDAP with error
OK, you are right. Thanks. I made a test; now my radius is OK.

On Wed, 12 Jan 2005, Dustin Doris wrote:

> Was this a copy/paste? Look below in the radiusd.conf section. You put
> in
>
> identify = "cn=root..."
>
> instead of
>
> identity = "cn=root..."
>
> That would explain why you are trying to login without a username, as
> shown in your debug output.
>
> rlm_ldap: bind as /teste to 146.164.xx.236:389
>
> On Wed, 12 Jan 2005, Anderson Alves de Albuquerque wrote:
>
> > ldapsearch -x -b "dc=br" -h x.y.z.w
> >
> > But, I use radius for authentication. When I use ldapsearch all is OK.
> > Look at my ldap config:
> > ---
> > include /usr/home/andersonalves/work/radius/core.schema
> > include /usr/home/andersonalves/work/radius/gnugk.schema
> > loglevel 296
> > pidfile /var/run/slapd.pid
> > argsfile /var/run/slapd.args
> > allow bind_v2
> > database bdb
> > suffix "dc=br"
> > rootdn "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"
> > rootpw xxx
> > directory /usr/home/andersonalves/work/radius/db/
> > index objectClass eq
> > index uid eq
> > mode 0600
> > cachesize 2000
> > replogfile /usr/home/andersonalves/work/radius/log/replog
> > -
> >
> > Look at my radius config in the ldap section:
> > --
> > ldap {
> >         server="x.y.z.w"
> >         identify="cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"
>
> *** that should be identity, not identify.
>
> >         password=xxx
> >         basedn="ou=users,dc=voip,dc=nce,dc=ufrj,dc=br"
> >         filter="(&(uid=%u)(objectclass=radiusprofile))"
> >         start_tls = no
> >         tls_mode = no
> >         dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
> >         ldap_cache_timeout = 120
> >         ldap_cache_size = 0
> >         ldap_connections_number = 10
> >         password_attribute = userPassword
> >         timeout = 3
> >         timelimit = 5
> >         net_timeout = 1
> >         compare_check_items = no
> > }
Re: Radius with LDAP with error
ldapsearch -x -b "dc=br" -h x.y.z.w

But, I use radius for authentication. When I use ldapsearch all is OK. Look at my ldap config:
---
include /usr/home/andersonalves/work/radius/core.schema
include /usr/home/andersonalves/work/radius/gnugk.schema
loglevel 296
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
allow bind_v2
database bdb
suffix "dc=br"
rootdn "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"
rootpw xxx
directory /usr/home/andersonalves/work/radius/db/
index objectClass eq
index uid eq
mode 0600
cachesize 2000
replogfile /usr/home/andersonalves/work/radius/log/replog
-

Look at my radius config in the ldap section:
--
ldap {
        server="x.y.z.w"
        identify="cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"
        password=xxx
        basedn="ou=users,dc=voip,dc=nce,dc=ufrj,dc=br"
        filter="(&(uid=%u)(objectclass=radiusprofile))"
        start_tls = no
        tls_mode = no
        dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
        ldap_cache_timeout = 120
        ldap_cache_size = 0
        ldap_connections_number = 10
        password_attribute = userPassword
        timeout = 3
        timelimit = 5
        net_timeout = 1
        compare_check_items = no
}

On Wed, 12 Jan 2005, Dustin Doris wrote:

> Can you bind with that username/password using a command line such as
> ldapsearch?
>
> On Wed, 12 Jan 2005, Anderson Alves de Albuquerque wrote:
>
> > [earlier messages in this thread, quoted again here, are elided]
Re: Radius with LDAP with error
I only put "rootpw teste" in my slapd.conf. I put in slapd.conf 'rootdn "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"' and 'suffix "dc=br"'. After that I used "ldapadd" to create my tree with the whole structure except "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br". I didn't create "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br".

Is this correct? Is there another step to configure this? I only did these steps to configure my "cn=root".

On Wed, 12 Jan 2005, Pete Conkin wrote:

> From: "Anderson Alves de Albuquerque" <[EMAIL PROTECTED]>
> >
> > My RADIUS does authentication in LDAP; there is this error:
> >
> > rlm_ldap: LDAP login failed: check login, password settings in ldap
> > section of radiusd.conf
> > rlm_ldap: (re)connection attempt failed
>
> This part of your log seems to indicate the cause of the problem.
>
> Might be best to check the login/password in the ldap section of
> radiusd.conf :p
>
> Pete
Re: Radius with LDAP with error
In slapd.conf I put:

suffix "dc=br"
rootdn "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"
rootpw teste

In radiusd.conf:

ldap {
        server="146.164.xx.236"
        identify="cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"
        password=teste
        basedn="ou=users,dc=voip,dc=nce,dc=ufrj,dc=br"
        filter="(&(uid=%u)(objectclass=radiusprofile))"
        . . .
}

On Wed, 12 Jan 2005, Pete Conkin wrote:
> From: "Anderson Alves de Albuquerque" <[EMAIL PROTECTED]>
> > My RADIUS authenticates against LDAP, and I get this error:
> >
> > rlm_ldap: LDAP login failed: check login, password settings in ldap
> > section of radiusd.conf
> > rlm_ldap: (re)connection attempt failed
>
> This part of your log seems to indicate the cause of the problem.
>
> Might be best to check the login/password in the ldap section of
> radiusd.conf :p
>
> Pete
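Two details in this thread line up: the ldap section above spells the bind DN key "identify", while the rlm_ldap configuration item is "identity", and the log in the original report says "bind as /teste", i.e. an empty DN with a password, which is not a valid simple bind. The following script is an added example for this thread, not FreeRADIUS code: it parses an ldap { } block, reports keys rlm_ldap does not read (the list of known keys is from memory and is an assumption), reconstructs the "bind as DN/password" string radiusd -X prints, and builds the ldapsearch command that repeats the same bind and search by hand, which is the check to run before touching radiusd again. It also flags two things a practitioner would want to change regardless of the typo: RADIUS binding as the directory rootdn (a read-only service DN is enough), and plain LDAP on port 389, which carries the bind password and the users' cleartext passwords over the network in the clear. The config text and the sample user "aaa" are copied from the thread; "%u" in the filter is rlm_ldap's User-Name substitution.

```python
"""Lint an rlm_ldap `ldap { ... }` block before restarting radiusd.

Added example for this thread, not FreeRADIUS code. It reads the key=value
lines of the posted ldap section, flags keys that rlm_ldap does not read,
reconstructs the "bind as <dn>/<password>" string radiusd -X prints, and
builds the ldapsearch command that tries the same bind outside RADIUS.
"""
import re
import shlex

# Constructed copy of the section posted in the thread (xx as in the post).
POSTED_LDAP_SECTION = """
ldap {
    server="146.164.xx.236"
    identify="cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"
    password=teste
    basedn="ou=users,dc=voip,dc=nce,dc=ufrj,dc=br"
    filter="(&(uid=%u)(objectclass=radiusprofile))"
}
"""

# Keys rlm_ldap in FreeRADIUS 1.0.x reads (assumption: listed from memory;
# extend it if your radiusd.conf uses more).
KNOWN_KEYS = {
    "server", "port", "identity", "password", "basedn", "filter",
    "base_filter", "start_tls", "tls_cacertfile", "tls_cacertdir",
    "tls_certfile", "tls_keyfile", "tls_randfile", "tls_require_cert",
    "dictionary_mapping", "ldap_connections_number", "timeout",
    "timelimit", "net_timeout", "password_attribute",
    "groupname_attribute", "groupmembership_filter",
    "groupmembership_attribute", "access_attr", "password_header",
    "compare_check_items", "do_xlat", "access_attr_used_for_allow",
    "default_profile", "profile_attribute", "edir_account_policy_check",
}

_KV = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_ldap_section(text):
    """Return {key: value} for the key=value lines; surrounding quotes are stripped."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _KV.match(line)
        if not m:
            continue  # "ldap {", "}", ". . ." and blank lines carry no setting
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        cfg[key] = value
    return cfg


def bind_string(cfg):
    """What rlm_ldap logs as 'bind as <identity>/<password>'.

    A missing identity shows up as an empty DN, i.e. '/teste': an empty DN
    with a password is not a valid simple bind, so the bind fails.
    """
    return "%s/%s" % (cfg.get("identity", ""), cfg.get("password", ""))


def lint_ldap_section(cfg):
    """Return human-readable findings; an empty list means nothing obvious."""
    findings = []
    for key in cfg:
        if key not in KNOWN_KEYS:
            findings.append("unknown key '%s' is ignored by rlm_ldap" % key)
    for required in ("server", "identity", "password", "basedn", "filter"):
        if required not in cfg:
            findings.append("missing '%s'" % required)
    if cfg.get("identity", "").lower().startswith("cn=root,"):
        findings.append("binding as the directory rootdn; a read-only "
                        "service DN is enough for RADIUS")
    if cfg.get("start_tls", "no").lower() != "yes" and cfg.get("port", "389") == "389":
        findings.append("plain LDAP on port 389: the bind password and the "
                        "users' cleartext passwords cross the network unencrypted")
    return findings


def bind_check_command(cfg, sample_user="aaa"):
    """ldapsearch invocation that repeats rlm_ldap's bind and search by hand.

    %u in the filter is rlm_ldap's User-Name substitution; it is replaced
    with sample_user so the result is a literal LDAP filter.
    """
    url = "ldap://%s:%s" % (cfg.get("server", "localhost"), cfg.get("port", "389"))
    ldap_filter = cfg.get("filter", "(uid=%u)").replace("%u", sample_user)
    argv = ["ldapsearch", "-x", "-H", url,
            "-D", cfg.get("identity", ""), "-w", cfg.get("password", ""),
            "-b", cfg.get("basedn", ""), ldap_filter]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    cfg = parse_ldap_section(POSTED_LDAP_SECTION)
    print("rlm_ldap would log: bind as", bind_string(cfg))
    for finding in lint_ldap_section(cfg):
        print("finding:", finding)
    print("try by hand:", bind_check_command(cfg))
```

If the ldapsearch line fails with "Invalid credentials" too, the problem is in the directory (rootdn/rootpw in slapd.conf, which need no entry in the tree), not in radiusd; if it succeeds but returns no entry, the basedn or the objectclass in the filter is wrong. Prefer -W over -w outside of a test so the password does not land in the process list and shell history.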
Radius with LDAP with error
My RADIUS authenticates against LDAP, and I get this error:

rad_recv: Access-Request packet from host 146.164.xx.235:10808, id=117, length=122
        User-Name = "aaa"
        CHAP-Password = 0x6c662e7faba88fc9791bbf10558405bc0d
        NAS-IP-Address = 146.164.xx.235
        NAS-Identifier = "UFRJGK"
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        CHAP-Challenge = 0x41e563f5
        Framed-IP-Address = 146.164.xx.198
        Cisco-AVPair = "h323-ivr-out=terminal-alias:aaa;"
rlm_ldap: - authorize
rlm_ldap: performing user authorization for aaa
ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to 146.164.xx.236:389, authentication 0
rlm_ldap: bind as /teste to 146.164.xx.236:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check login, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
rad_recv: Access-Request packet from host 146.164.xx.235:10808, id=117, length=122
Dropping packet from client localhost:10808 - ID: 117 due to dead request 16
Radius with SSL
I need a manual about RADIUS + SSL. I have RADIUS authenticating against an LDAP server, but I need the authentication to go over SSL. How can I do this? Can anyone help me? Please...
FreeRadius with LDAP
Now I am using FreeRADIUS with LDAP. My GNUGK system authenticates against FreeRADIUS, and FreeRADIUS then looks in the LDAP server. My authentication is okay, but FreeRADIUS needs to send the ALIAS to GNUGK. This ALIAS is the telephone number (E.164). With the debug option "-X" in FreeRADIUS I see:

--- FreeRadius ---
rlm_ldap: bind as cn=root,dc=mydomain,dc=com/teste to 146.164.247.236:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with filter (&(uid=ufrj4)(objectclass=radiusprofile))
rlm_ldap: Added password teste in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value CHAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding CISCO-AVPair as Service-Type, value h323-ivr-in=terminal-alias:ufrj4,025980003; & op=11
rlm_ldap: Adding CISCO-AV-Pair as Service-Type, value h323-ivr-in=terminal-alias:ufrj4,025980003; & op=11
rlm_ldap: Adding h323-ivr-out as Service-Type, value terminal-alias:ufrj4,025980002; & op=11
rlm_ldap: Adding h323-ivr-in as Service-Type, value terminal-alias:ufrj4,025980001; & op=11
rlm_ldap: user ufrj4 authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
modcall: entering group authtype for request 0
rlm_chap: login attempt by "ufrj4" with CHAP password
rlm_chap: Using clear text password teste for user ufrj4 authentication.
rlm_chap: chap user ufrj4 authenticated succesfully
modcall[authenticate]: module "chap" returns ok for request 0
modcall: group authtype returns ok for request 0
Sending Access-Accept of id 146 to 146.164.247.235:10061
Finished request 0
Going to the next request
--- end ---

I have another FreeRADIUS that authenticates against an SQL server; in that FreeRADIUS there is a line with "Sending", and after this line radius sends the string "Cisco-AV-Pair":

--- Cisco-AV-Pair ---
Sending Access-Accept of id 23 to 146.164.247.196:10201
        Cisco-AVPair = "h323-ivr-in=terminal-alias:mauricio,02598"
---

I don't know how I can make FreeRADIUS send this string to GNUGK.
Re: LDAp + GK (GNUGK) + FreeRadius
Below I am sending my output from "radiusd -X".
PS: I put spaces in where I saw the string "h323-ivr-in".

--- Output radiusd -X ---
rad_recv: Access-Request packet from host 146.164.247.235:10328, id=154, length=126
        User-Name = "ufrj3"
        CHAP-Password = 0xbb41f80c43122acac71167064ece645380
        NAS-IP-Address = 146.164.247.235
        NAS-Identifier = "UFRJGK"
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        CHAP-Challenge = 0x41d9915e
        Framed-IP-Address = 146.164.247.198
        Cisco-AVPair = "h323-ivr-out=terminal-alias:ufrj3;"
rad_lowerpair: User-Name now 'ufrj3'
rad_rmspace_pair: User-Name now 'ufrj3'
modcall: entering group authorize for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ufrj3
radius_xlat: '(&(uid=ufrj3)(objectclass=radiusprofile))'
radius_xlat: 'ou=users,ou=radius,dc=mydomain,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 146.164.247.236:389, authentication 0
rlm_ldap: bind as cn=root,dc=mydomain,dc=com/teste to 146.164.247.236:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with filter (&(uid=ufrj3)(objectclass=radiusprofile))
rlm_ldap: Added password teste in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value CHAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding h323-ivr-in as Service-Type, value terminal-alias:025980001 & op=11
rlm_ldap: user ufrj3 authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
modcall: entering group authtype for request 0
rlm_chap: login attempt by "ufrj3" with CHAP password
rlm_chap: Using clear text password teste for user ufrj3 authentication.
rlm_chap: chap user ufrj3 authenticated succesfully
modcall[authenticate]: module "chap" returns ok for request 0
modcall: group authtype returns ok for request 0
Sending Access-Accept of id 154 to 146.164.247.235:10328
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 154 with timestamp 41d959c1
Nothing to do.  Sleeping until we see a request.
--- end of the Output radiusd -X ---

On Mon, 3 Jan 2005, Zoltan Ori wrote:
> On Monday 03 January 2005 12:17, Anderson Alves de Albuquerque wrote:
> > I'm thinking that I might need to modify my filter in radius.conf.
> > Now, my radius.conf is: filter="(&(uid=%u)(objectclass=radiusprofile))"
> >
> > I looked at my "ldap server log" and there is one search for h323-ivr-in.
> > But when I look at GNUGK on port 7000, I don't receive the alias.
>
> OK, your LDAP log shows the search. You still need to specify that the
> attribute be xlated and sent in the reply from RADIUS. What does RADIUS show
> it is doing?
>
> If you would include the debug output (radiusd -X), and what attribute needs
> to be in the reply someone would be better equipped to tell you why it is not
> getting sent.
>
> Zoltan Ori
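The debug output above shows the whole CHAP path: GnuGK sends CHAP-Password (one ident byte followed by a 16-byte MD5 response) and CHAP-Challenge, rlm_ldap reads the user's cleartext password out of the directory ("Added password teste in check items"), and rlm_chap recomputes the response. The script below is an added example, not FreeRADIUS code; it performs the same check (RFC 1994 CHAP: MD5(ident || password || challenge), with the ident taken from CHAP-Password[0] as rlm_chap does) and feeds it the ufrj3 values from the log. If those values are transcribed verbatim, the check should agree with rlm_chap's verdict. The security point it makes explicit: CHAP only works when RADIUS can obtain the cleartext password, so userPassword in LDAP has to be stored in the clear and readable by the bind DN; a hashed userPassword ({SSHA}, {CRYPT}, ...) cannot be verified this way and rlm_chap will reject the user. The chap_possible_with helper name is my own.

```python
"""CHAP check as rlm_chap performs it, with the thread's packet as input.

Added example, not FreeRADIUS code. RFC 1994 CHAP response:
    CHAP-Password = ident || MD5(ident || password || CHAP-Challenge)
The NAS (GnuGK here) sends ident, the 16-byte response and the challenge;
RADIUS must hold the cleartext password to recompute the digest, which is
why rlm_ldap had to add 'password teste' to the check items.
"""
import hashlib
import hmac
import re

# Constructed from the radiusd -X output for user ufrj3 in this thread.
REQUEST_UFRJ3 = {
    "User-Name": "ufrj3",
    "CHAP-Password": bytes.fromhex("bb41f80c43122acac71167064ece645380"),
    "CHAP-Challenge": bytes.fromhex("41d9915e"),
}


def chap_response(ident, password, challenge):
    """Return the 16-byte CHAP response for this ident, password and challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def make_chap_password(ident, password, challenge):
    """Build the CHAP-Password attribute value a NAS would put on the wire."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password, challenge, cleartext_password):
    """Return True if CHAP-Password matches the cleartext password.

    The ident is CHAP-Password[0], as in rlm_chap. When a request carries no
    CHAP-Challenge, rlm_chap uses the Request Authenticator as the challenge
    instead; that case is not reproduced here.
    """
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


def chap_possible_with(stored_password):
    """CHAP needs the cleartext; a userPassword stored with a scheme prefix
    such as {SSHA}..., {MD5}... or {CRYPT}... cannot be used for it."""
    return re.match(rb"^\{[A-Za-z0-9-]+\}", stored_password) is None


if __name__ == "__main__":
    ok = verify_chap(REQUEST_UFRJ3["CHAP-Password"],
                     REQUEST_UFRJ3["CHAP-Challenge"], b"teste")
    print("ufrj3 with password 'teste':", ok)
    print("usable for CHAP:", chap_possible_with(b"teste"),
          chap_possible_with(b"{SSHA}x7yQ..."))
```

Because the directory has to hold cleartext passwords for this to work, the ACL on userPassword and the privileges of the DN RADIUS binds with matter more than usual; the bind in the log above is the rootdn over plain port 389, which exposes every password it reads.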
Re: LDAp + GK (GNUGK) + FreeRadius
I'm thinking that I might need to modify my filter in radius.conf.
Now, my radius.conf is: filter="(&(uid=%u)(objectclass=radiusprofile))"

I looked at my "ldap server log" and there is one search for h323-ivr-in.
But when I look at GNUGK on port 7000, I don't receive the alias.

On Mon, 3 Jan 2005, Zoltan Ori wrote:
> > I have a problem with the configuration of FreeRadius + LDAP + GnuGK.
> > Now, I have authentication, but my GnuGK doesn't receive the alias. My alias is
> > the telephone number.
> > My authentication uses username and password, but I need to receive the alias.
> >
> > What do I do to receive the alias?
> >
>
> That's mostly a GnuGK question. For the LDAP and RADIUS part, you need to map
> your end-point's E.164 alias from LDAP to RADIUS (examine raddb/ldap.attrmap
> & dictionary to see how). Then, send it in the reply to GnuGK.
>
> Your 'users' file entry might look something like this:
>
> DEFAULT # whatever check items you deem appropriate
>         Tunnel-Type=IP,
>         Tunnel-Medium-Type=E.164,
>         Tunnel-Client-Endpoint=%{myLdapE164Alias}
>
> That's just a guess. Whatever attributes GnuGK is expecting
> (Tunnel-Connection-Id, Tunnel-Private-Group-Id ?), I don't know. It may not
> even care about Tunnel-Type or Medium. You'll have to read up on that
> yourself.
>
> Zoltan Ori
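The pointer to raddb/ldap.attrmap in the reply above is the key to the two debug outputs in this thread. Each attrmap line has the form "checkItem|replyItem <RADIUS-attribute> <LDAP-attribute>", and the second column is the name that goes into the Access-Accept. In the "FreeRadius with LDAP" output the h323 values are logged as "Adding CISCO-AVPair as Service-Type" and "Adding h323-ivr-in as Service-Type", so whatever the directory holds is being sent as Service-Type, not as Cisco-AVPair, which is what the SQL-backed server in the same post sends and what GnuGK is looking for. The script below is an added example, not rlm_ldap code: it applies an attrmap to an LDAP entry the way the authorize step does, first with a map that reproduces the logged symptom and then with one that names Cisco-AVPair (the spelling in dictionary.cisco; "Cisco-AV-Pair" is not a dictionary name). The dictionary subset, the two map texts and the entry for ufrj4 are constructed from the values in the thread; what radiusd does with an attribute name missing from its dictionary is not shown on the page, so the function simply reports such names.

```python
"""How rlm_ldap turns directory attributes into RADIUS check/reply items.

Added example for this thread, not FreeRADIUS code. raddb/ldap.attrmap:
    <checkItem|replyItem>  <RADIUS-attribute>  <LDAP-attribute>
The RADIUS attribute name in the second column is what is sent in the
Access-Accept, and it must exist in radiusd's dictionary.
"""

# Subset of dictionary names used here (assumption: a real dictionary has
# many more; Cisco-AVPair comes from dictionary.cisco).
RADIUS_DICTIONARY = {
    "Auth-Type", "User-Password", "Service-Type", "Framed-IP-Address",
    "Reply-Message", "Cisco-AVPair",
}

# Constructed map that reproduces the debug output in the thread, where the
# h323 values were logged as Service-Type.
MAP_AS_LOGGED = """
checkItem  Auth-Type      radiusAuthType
replyItem  Service-Type   h323-ivr-in
replyItem  Service-Type   CISCO-AVPair
"""

# Constructed corrected map: the same LDAP attribute, sent as Cisco-AVPair.
MAP_FIXED = """
checkItem  Auth-Type      radiusAuthType
replyItem  Cisco-AVPair   CISCO-AVPair
"""

# Constructed LDAP entry built from the values logged for user ufrj4.
ENTRY_UFRJ4 = {
    "uid": ["ufrj4"],
    "userPassword": ["teste"],
    "radiusAuthType": ["CHAP"],
    "CISCO-AVPair": ["h323-ivr-in=terminal-alias:ufrj4,025980003;"],
    "h323-ivr-in": ["terminal-alias:ufrj4,025980001;"],
}


def parse_attrmap(text):
    """Parse ldap.attrmap lines into (kind, radius_attr, ldap_attr) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("checkItem", "replyItem"):
            raise ValueError("bad attrmap line: %r" % line)
        entries.append(tuple(parts))
    return entries


def map_entry(entry, attrmap, dictionary=RADIUS_DICTIONARY):
    """Apply the map to one LDAP entry as rlm_ldap's authorize step does.

    Returns (check_items, reply_items, unknown_radius_names). LDAP attribute
    names are matched case-insensitively, as the directory matches them.
    """
    lowered = {k.lower(): v for k, v in entry.items()}
    check, reply, unknown = [], [], []
    for kind, radius_attr, ldap_attr in attrmap:
        if radius_attr not in dictionary:
            unknown.append(radius_attr)  # not a name radiusd can encode
            continue
        target = check if kind == "checkItem" else reply
        for value in lowered.get(ldap_attr.lower(), []):
            target.append((radius_attr, value))
    return check, reply, unknown


def format_accept(reply_items):
    """Render reply items the way radiusd -X prints them under 'Sending'."""
    return ['%s = "%s"' % (name, value) for name, value in reply_items]


if __name__ == "__main__":
    for label, text in (("as logged", MAP_AS_LOGGED), ("fixed", MAP_FIXED)):
        check, reply, unknown = map_entry(ENTRY_UFRJ4, parse_attrmap(text))
        print(label, "check:", check)
        for line in format_accept(reply):
            print(label, "reply:", line)
        if unknown:
            print(label, "unknown RADIUS names:", unknown)
```

With the corrected map the Access-Accept carries Cisco-AVPair = "h323-ivr-in=terminal-alias:ufrj4,025980003;", the same shape the SQL-backed server in this thread sends; the directory entry itself does not need to change, only the name in the map's second column.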
LDAp + GK (GNUGK) + FreeRadius
I have a problem with the configuration of FreeRadius + LDAP + GnuGK. My GNUGK authenticates now, but my GnuGK doesn't receive the alias (E.164). My alias is the telephone number (E.164). My authentication uses username and password, but I need to receive the alias. What do I need to do to receive the alias (E.164)?
LDAp + GK (GNUGK) + FreeRadius
I have a problem with the configuration of FreeRadius + LDAP + GnuGK. Now I have authentication, but my GnuGK doesn't receive the alias. My alias is the telephone number. My authentication uses username and password, but I need to receive the alias. What do I do to receive the alias?