Re: FreeRadius Error " Access Rejected" Only On Some CISCO Switch Ports

2013-09-23 Thread Daniel Baker

Thank you Alan I will pursue that line of inquiry further.


On 9/23/2013 8:18 PM, Alan DeKok wrote:

Daniel Baker wrote:

   [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
   [ldap] object not found
[ldap] search failed

   What part of that is unclear?


What can I try to fix the authentication issues so that all ports are being 
successfully authenticated ?

   Ensure that the people logging in have accounts in ldap.

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






FreeRadius Error " Access Rejected" Only On Some CISCO Switch Ports

2013-09-23 Thread Daniel Baker



Hi Guys, we are trying to get FreeRADIUS to authenticate our users who 
connect through a Cisco Small Business PoE switch.



When testing authentication with a shutdown / no shutdown command on 
port fa/17, which has an IP phone connected to it, we receive the 
following errors:


FreeRADIUS:

[ldap]  expand: %{User-Name} -> root
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=root)
[ldap]  expand: dc=citlao,dc=local -> dc=citlao,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.

++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

Failed to authenticate the user.
Login incorrect (  [ldap] User not found): [root/trash] (from client LTC-ROUTER port 2)

Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> root
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 12 ID 31 with timestamp +10922
Ready to process requests.

Cisco PoE switch:


SW-BN3-PoE(config-if)#shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:22 %LINK-W-Down:  fa17

SW-BN3-PoE(config-if)#
SW-BN3-PoE(config-if)#no shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:42 %STP-W-PORTSTATUS: fa17: STP status Forwarding

23-Sep-2013 14:17:42 %LINK-I-Up:  fa17
23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server

23-Sep-2013 14:18:07 %LINK-W-Down:  fa17, aggregated (3)
23-Sep-2013 14:18:09 %STP-W-PORTSTATUS: fa17: STP status Forwarding, aggregated (3)

23-Sep-2013 14:18:09 %LINK-I-Up:  fa17, aggregated (3)
23-Sep-2013 14:18:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server, aggregated (1)





However when we try the same test on a port that has a PC connected to 
it we do not receive such an error.

The Cisco switch says that we have the wrong user name and the FreeRADIUS 
log says access rejected. Why would this only be the case when 
a Cisco IP phone tries to authenticate?

The Cisco switch port configurations are exactly the same and are as 
follows:


 dot1x max-req 1
 dot1x reauthentication
 dot1x timeout quiet-period 30
 dot1x mac-authentication mac-only
 dot1x port-control auto
 storm-control broadcast enable
 storm-control broadcast level 10
 storm-control include-multicast
 spanning-tree portfast
 macro description "no_ip_phone_desktop | ip_phone_desktop"
 switchport trunk allowed vlan add 100
 macro auto smartport type ip_phone_desktop

What can I try to fix the authentication issues so that all ports are being 
successfully authenticated?


Thanks for your assistance,

Dan



Re: client code for long extended attributes?

2013-09-02 Thread Daniel Pocock
On 20/07/13 14:56, Alan DeKok wrote:
> Daniel Pocock wrote:
>> Should this code be shared with the client project freeradius-client?
>   No.  The freeradius-client code is pretty bad.
>
>> Or is it preferred to build a new client (or shared library) from the
>> freeradius-server repository eventually?
>   The client code is already LGPL'd.  So it could be used as a client.

Could you please clarify that - it is possible to build a client library
from the server source tarball?

In Debian, I see "libfreeradius2" built from the server source tarball
but that appears to be server-side library code, or is it also for
client applications?




Re: Fwd: radiusclient-ng in Debian

2013-09-02 Thread Daniel Pocock

The FTP masters just accepted the new freeradius-client package, it
should be available to install now using "apt-get"

I've opened a bug request for removal of the radiusclient-ng package
from the Debian archive




On 19/07/13 19:25, Daniel Pocock wrote:
>
> On 15/07/13 23:21, Daniel Pocock wrote:
>>
>> On 15/07/13 21:51, Alan DeKok wrote:
>>> Daniel Pocock wrote:
>>>> I just opened this report against radiusclient-ng in Debian (see below),
>>>> can anybody else comment on the situation, in particular, for
>>>> compatibility?  Is there any urgency for Debian to update to the new
>>>> client code?
>>>   It has a number of bugs fixed.  The old radiusclient-ng code is no
>>> longer maintained.
>> I'm in the pkg-voip group at Debian so I can potentially package this
>> new version of the library
>>
> I've uploaded this today, it is in Debian's approval queue now
>
> For anybody who can't wait, packaging artifacts are here:
>
> Vcs-Git: git://git.debian.org/pkg-voip/freeradius-client.git
>
> Vcs-Browser:
> http://git.debian.org/?p=pkg-voip/freeradius-client.git;a=summary
>


Re: client code for long extended attributes?

2013-07-19 Thread Daniel Pocock


On 15/07/13 21:53, Alan DeKok wrote:
> Daniel Pocock wrote:
>> Can anybody comment on which client code should be used for long
>> extended attributes?
>>
>> I see that the freeradius-client project predates RFC 6929.
> 
>   By a LONG ways.
> 
>   There's no client code for the extended attributes.  The RFC was just
> published.  So far as I know, FreeRADIUS is the only open source RADIUS
> system which supports it.
> 
>> Is there any module in the server project that provides a good example
>> of using these long values from requests?
> 
>   src/lib/radius.c is the RADIUS encoder / decoder.
> 

Should this code be shared with the client project freeradius-client?

Or is it preferred to build a new client (or shared library) from the
freeradius-server repository eventually?



Re: Fwd: radiusclient-ng in Debian

2013-07-19 Thread Daniel Pocock


On 15/07/13 23:21, Daniel Pocock wrote:
> 
> 
> On 15/07/13 21:51, Alan DeKok wrote:
>> Daniel Pocock wrote:
>>> I just opened this report against radiusclient-ng in Debian (see below),
>>> can anybody else comment on the situation, in particular, for
>>> compatibility?  Is there any urgency for Debian to update to the new
>>> client code?
>>
>>   It has a number of bugs fixed.  The old radiusclient-ng code is no
>> longer maintained.
> 
> I'm in the pkg-voip group at Debian so I can potentially package this
> new version of the library
> 

I've uploaded this today, it is in Debian's approval queue now

For anybody who can't wait, packaging artifacts are here:

Vcs-Git: git://git.debian.org/pkg-voip/freeradius-client.git

Vcs-Browser:
http://git.debian.org/?p=pkg-voip/freeradius-client.git;a=summary



Re: Fwd: radiusclient-ng in Debian

2013-07-15 Thread Daniel Pocock


On 15/07/13 21:51, Alan DeKok wrote:
> Daniel Pocock wrote:
>> I just opened this report against radiusclient-ng in Debian (see below),
>> can anybody else comment on the situation, in particular, for
>> compatibility?  Is there any urgency for Debian to update to the new
>> client code?
> 
>   It has a number of bugs fixed.  The old radiusclient-ng code is no
> longer maintained.

I'm in the pkg-voip group at Debian so I can potentially package this
new version of the library

>> I think the wiki page referenced below is not up to date, it refers to a
>> CVS repository but it appears that the client code is not in github
> 
>   It's on github, as freeradius-client.

Ok, my mistake, I did see it in github - it was just a wiki issue

>> Also, is anybody aware of C++ wrappers for this code or a C++ alternative?
> 
>   Nope.  C++?  What's that? :)

That's what we use in reSIProcate - we have a very basic wrapper for
rlm_digest auth:

https://svn.resiprocate.org/viewsvn/resiprocate/main/rutil/RADIUSDigestAuthenticator.cxx?view=markup

We have a GSoC student helping us out this summer and he will probably
have a go at generalising that code to work with rlm_hmac (for
STUN/TURN) as well as existing SIP support.

It may be possible for us to contribute the most general part of our
solution back to the client library project




client code for long extended attributes?

2013-07-15 Thread Daniel Pocock


Can anybody comment on which client code should be used for long
extended attributes?

I see that the freeradius-client project predates RFC 6929.

Is there any module in the server project that provides a good example
of using these long values from requests?
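As an added illustration of the RFC 6929 "long extended" format this thread is about (independent Python written here, not FreeRADIUS's src/lib/radius.c that Alan points to, nor the freeradius-client code): a value longer than one attribute is split into Long-Extended-Type fragments with the M flag set on all but the last, and the receiver concatenates consecutive fragments of the same Type and Extended-Type. The sample value and the User-Name attribute used when exercising it are constructed.

```python
"""RFC 6929 "Long Extended Type" attributes: fragmenting a value that does not
fit in one RADIUS attribute, and reassembling it. Independent Python
illustration written for this thread, not FreeRADIUS's src/lib/radius.c."""

LONG_EXTENDED_TYPES = (245, 246)      # the two Long Extended Type codes RFC 6929 allocates
FLAG_MORE = 0x80                      # "M" bit of the Flags octet: more fragments follow
HEADER_LEN = 4                        # Type + Length + Extended-Type + Flags
MAX_FRAGMENT_VALUE = 255 - HEADER_LEN  # Length is one octet, so 251 value octets per fragment


def encode_long_extended(attr_type, ext_type, value):
    """Encode value as one or more Long-Extended-Type fragments.

    Every fragment but the last carries the M flag; the receiver concatenates
    the Value fields of consecutive fragments with the same Type/Extended-Type.
    """
    if attr_type not in LONG_EXTENDED_TYPES:
        raise ValueError("Type %d is not a Long Extended Type" % attr_type)
    if not 0 <= ext_type <= 255:
        raise ValueError("Extended-Type must fit in one octet")
    if not value:
        raise ValueError("Length must be at least 5, so the Value cannot be empty")
    out = bytearray()
    for off in range(0, len(value), MAX_FRAGMENT_VALUE):
        chunk = value[off:off + MAX_FRAGMENT_VALUE]
        flags = FLAG_MORE if off + len(chunk) < len(value) else 0
        out += bytes([attr_type, HEADER_LEN + len(chunk), ext_type, flags]) + chunk
    return bytes(out)


def parse_attrs(data):
    """Walk a RADIUS attribute list (Type, Length, Value, ...) into (type, value) pairs."""
    attrs = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def decode_long_extended(data):
    """Return [(type, ext_type, value)] with fragments reassembled.

    Ordinary attributes come back as (type, None, value). A fragment with M set
    must be followed directly by the next fragment of the same Type and
    Extended-Type; this example treats anything else as a malformed packet.
    """
    result = []
    pending = None  # (type, ext_type, bytearray) while an M-flagged sequence is open
    for attr_type, raw in parse_attrs(data):
        if attr_type not in LONG_EXTENDED_TYPES:
            if pending is not None:
                raise ValueError("fragment sequence interrupted by attribute %d" % attr_type)
            result.append((attr_type, None, raw))
            continue
        if len(raw) < 3:  # Extended-Type, Flags and at least one Value octet
            raise ValueError("Long Extended attribute shorter than 5 octets")
        ext_type, flags, fragment = raw[0], raw[1], raw[2:]
        # The reserved low bits of the Flags octet are ignored on receipt here.
        if pending is not None and pending[:2] != (attr_type, ext_type):
            raise ValueError("fragment sequence interrupted by a different attribute")
        if pending is None:
            pending = (attr_type, ext_type, bytearray())
        pending[2].extend(fragment)
        if not flags & FLAG_MORE:
            result.append((pending[0], pending[1], bytes(pending[2])))
            pending = None
    if pending is not None:
        raise ValueError("last fragment has the M flag set; value is incomplete")
    return result
```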





Fwd: radiusclient-ng in Debian

2013-07-15 Thread Daniel Pocock

I just opened this report against radiusclient-ng in Debian (see below),
can anybody else comment on the situation, in particular, for
compatibility?  Is there any urgency for Debian to update to the new
client code?

I think the wiki page referenced below is not up to date, it refers to a
CVS repository but it appears that the client code is not in github

Also, is anybody aware of C++ wrappers for this code or a C++ alternative?


 Original Message 
Subject:radiusclient-ng in Debian
Date:   Mon, 15 Jul 2013 14:41:54 +0200
From:   Daniel Pocock 
To: Debian Bug Tracking System 



Package: libradiusclient-ng2
Version: 0.5.6-1.1
Severity: normal


I've just read through the wiki at:
http://wiki.freeradius.org/glossary/Radiusclient

If I understand correctly,

a) freeradius-client is the continuation of radiusclient-ng (which was
the continuation of a previous project)

b) it is not a fork of the previous projects

c) it should be compatible (or almost compatible) with code that was
built for radiusclient-ng

d) it is NOT built from the main FreeRADIUS source tree or repository,
it is built from a standalone repository

Therefore, this leaves me feeling that Debian should drop the
libradiusclient-ng2 package and distribute FreeRADIUS client instead and
there will be no significant side-effects of doing so.




maintaining reSIProcate compatibility with FreeRADIUS

2013-07-11 Thread Daniel Pocock

Hi,

A few years ago, I adapted the RADIUS client code from SER to work in
reSIProcate and specifically the SIP proxy, repro

I'm now reviewing the code to work out how to extend it for reTurn, the
TURN server and to see if any other changes are necessary.

Things have changed slightly since reSIProcate originally adopted RADIUS
support.  The original implementation is based on
http://tools.ietf.org/html/draft-sterman-aaa-sip-04

and that works with FreeRADIUS (or it did work at the time) although the
draft is now expired.

Since that time, RFC 5090 has emerged

I notice various differences in the RFC, e.g. the RADIUS server must
provide nonces:
http://tools.ietf.org/html/rfc5090#section-2.1.5

and may also provide other values.  reSIProcate currently generates its
own nonces and passes all the auth parameters to FreeRADIUS for
verification.

This brings me to some questions:

Is anybody already working on migrating FreeRADIUS to the RFC variation
of DIGEST support?

If so, will older clients stop working?

How to handle STUN/TURN?  I notice STUN only uses "nonce" and not "qop"
or any of the other values, yet RFC 5090 suggests that a RADIUS server
can demand that the challenge uses those attributes.  I'm also not sure
just what value for "method" would be used with STUN.  However, it would
seem desirable to support STUN/TURN from a single RADIUS server.  STUN
auth (inherited by TURN) is described here:
http://tools.ietf.org/html/rfc5389#section-10.2
This all leaves me feeling that STUN/TURN may need its own module in
FreeRADIUS.

Regards,

Daniel




Re: MS-CHAP-V2 allow_retry on ldap authentification

2012-10-23 Thread Daniel Ekman
Thanks for replying and sorry if I'm being vague, I'll try and be more specific.

On Tue, Oct 23, 2012 at 10:59 AM, Phil Mayers  wrote:
> On 10/22/2012 09:13 AM, Daniel Ekman wrote:
>>
>> Hi list,
>>
>> I have a fairly large user base doing WPA2-enterprise from various
>> OS'es  and smartphones, our FreeRADIUS is running v.2.1.12 and is
>> authenticating via LDAP and things are running pretty well, only snag
>> I have currently with this is when people change their password. I
>
>
> Change their password where? Elsewhere, right? So, you want to prompt the
> clients to enter a new password, because the user has changed passwords on
> the server.
>

Yes, clients change their password on the server via a custom web
interface on top of the LDAP, and this then obviously does not get
automatically updated in the wireless settings on the client's
computer.

>
>> in the latest version allow_retry and retry_msg in the mschap module
>> was implemented and this works great on my mac and linux userbase,
>> however it does not work for the windows users, the FreeRADIUS server
>> is still sending the same things to the user but for some reason there
>> is no popup telling the user to change their password so here is my
>> actual question, is this supposed to work? should the windows users
>> also get the popup saying "please change password"?
>
>
> Your terminology is confusing. Do you mean "change password" or "re-enter
> your password". Because the two are very, very different.

Re-enter the password in the wireless setup if they do not get authenticated.

>
> To be honest, your email is sort of vague and specific at the same time, if
> that makes any sense - there's some LDAP, some different set of accounts,
> something else...
>
> I've got no idea if Windows can even behave the way you want
>
>
>>
>> judging from what some threads say like this for example
>>
>> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html
>
>
> That message predates major changes to the PEAP and EAP-MSCHAPv2 modules to
> support password *change* (see why I said it was confusing?). So I'd be
> cautious about reading too much into it.
>
>
>> seems to indicate there are problems but it also sounds like there is
>> a solution.
>>
>> I have also tried adding the send_error setting in eap.conf but that
>> only broke things like I read somewhere it would.
>
>
> ...vague much?

The send_error setting was added to version 2.1.11 as a bug fix: "Allow
EAP-MSCHAPv2 to send error message to client. This change allows some
clients to prompt the user for a new password. See raddb/eap.conf,
mschapv2 section, "send_error"."
This was said in earlier version to solve issues for some clients but
*may* also cause other clients to stop working. The setting is also
not included in version 2.1.12 eap.conf.

>
> Seriously: "radiusd -X"

radiusd -X gives the same output to mac/windows/linux users when they
need to re-enter their password but only the mac/linux users get a
prompt for it.

>
> If I have time today, I'll try to resurrect our "for comparison" NPS server
> and see what Microsoft do. It's possible you just can't prompt Windows in
> the way you want.


MS-CHAP-V2 allow_retry on ldap authentification

2012-10-22 Thread Daniel Ekman
Hi list,

I have a fairly large user base doing WPA2-enterprise from various
OS'es and smartphones, our FreeRADIUS is running v.2.1.12 and is
authenticating via LDAP and things are running pretty well, only snag
I have currently with this is when people change their password. I
realize this has been discussed before because I have spent a lot of
time reading through this list and other sources.

So current setup is OpenLDAP in a central location, a slave is set up
remote with FreeRADIUS on top of that to allow for WPA2, this also
means there is no correlation between user accounts on computers and
domains so when people change their LDAP password their WPA2
username/password remain the same and the user needs to change it
manually.

in the latest version allow_retry and retry_msg in the mschap module
was implemented and this works great on my mac and linux userbase,
however it does not work for the windows users, the FreeRADIUS server
is still sending the same things to the user but for some reason there
is no popup telling the user to change their password so here is my
actual question, is this supposed to work? should the windows users
also get the popup saying "please change password"?

judging from what some threads say like this for example
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html
seems to indicate there are problems but it also sounds like there is
a solution.

I have also tried adding the send_error setting in eap.conf but that
only broke things like I read somewhere it would.


Thanks for reading :)

Daniel


Re: Using ldap_xlat in unlang with Chars not allowed in an ldap search

2012-10-01 Thread Daniel Finger
On 20.09.2012 18:28, Phil Mayers wrote:

> If you edit rlm_ldap.c around line 1231, and change:
>     if (!radius_xlat(url, sizeof(url), fmt, request, func))
> ...to:
>     if (!radius_xlat(url, sizeof(url), fmt, request, ldap_escape_func))
> ...this should work. I'll submit a one-liner.

I just upgraded to Version 2.2.0, included that small patch (and the one
from John Dennis to keep the Radius Clients in LDAP) and it works perfectly.

Thanks a lot!




RE: Chap Authentication Error

2012-09-16 Thread Daniel Niasoff
Hi Alan

It seems you voted for the winning party. However the customer was adamant they 
had the correct password; we changed the password to something simple and the 
device immediately logged in successfully.

What confused me was the " Using clear text password "1234" for user 
f3207...@surf4sure.net authentication" which I thought meant that the end 
device was using the given password. After capturing the traffic I realised 
that with CHAP there is no way freeradius knows what password the end device is 
using so it must mean what freeradius is using to generate the CHAP hash

Thanks for your response

Daniel
-Original Message-
From: freeradius-users-bounces+daniel=intelliworkspace@lists.freeradius.org 
[mailto:freeradius-users-bounces+daniel=intelliworkspace@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: 14 September 2012 20:55
To: FreeRadius users mailing list
Subject: Re: Chap Authentication Error

Daniel Niasoff wrote:
> This is what I see in the logs
> 
> Fri Sep 14 17:22:37 2012 : Info: [chap] login attempt by "f3207...@surf4sure.net" with CHAP password
> Fri Sep 14 17:22:37 2012 : Info: [chap] Using clear text password "1234" for user f3207...@surf4sure.net authentication.
> Fri Sep 14 17:22:37 2012 : Info: [chap] Password check failed

  Well, that's clear.

> However if I try to repeat the test using radtest with -t chap it works fine.
> 
> Fri Sep 14 17:22:32 2012 : Info: [chap] login attempt by "f3207...@surf4sure.net" with CHAP password
> Fri Sep 14 17:22:32 2012 : Info: [chap] Using clear text password "1234" for user f3207...@surf4sure.net authentication.
> Fri Sep 14 17:22:32 2012 : Info: [chap] chap user f3207...@surf4sure.net authenticated successfully
> 
> Now where do I go from here?

  Fix the client so it works.

  You can believe one of two things:

a) FreeRADIUS randomly does CHAP wrong

b) the client is broken

  My vote is (b).

  Alan DeKok.


Chap Authentication Error

2012-09-14 Thread Daniel Niasoff

Hi

I have had freeradius working for a while without issues serving ppp 
authentication requests.

I am now getting a strange chap issue. 

A customer is unable to login even though the password is correct 

This is what I see in the logs

Fri Sep 14 17:22:37 2012 : Info: [chap] login attempt by "f3207...@surf4sure.net" with CHAP password
Fri Sep 14 17:22:37 2012 : Info: [chap] Using clear text password "1234" for user f3207...@surf4sure.net authentication.
Fri Sep 14 17:22:37 2012 : Info: [chap] Password check failed

However if I try to repeat the test using radtest with -t chap it works fine.

Fri Sep 14 17:22:32 2012 : Info: [chap] login attempt by "f3207...@surf4sure.net" with CHAP password
Fri Sep 14 17:22:32 2012 : Info: [chap] Using clear text password "1234" for user f3207...@surf4sure.net authentication.
Fri Sep 14 17:22:32 2012 : Info: [chap] chap user f3207...@surf4sure.net authenticated successfully

Now where do I go from here?

Thanks

Daniel
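An added Python illustration, written for this thread and not FreeRADIUS's rlm_chap, of what the [chap] log lines above mean (and of the conclusion Daniel reaches in his follow-up earlier on this page): the NAS forwards only MD5(Ident || password || challenge), and the server recomputes that hash with its own stored clear-text password, which is the "1234" the log names, so the client's actual password never reaches the server. The passwords, challenge and ident used in the exchange are constructed values.

```python
"""CHAP verification as a RADIUS server does it (RFC 1994 / RFC 2865 section
5.3). Added Python illustration for this thread, not FreeRADIUS's rlm_chap."""

import hashlib
import hmac
import os


def chap_response(ident, password, challenge):
    """The only thing the client ever sends: MD5(Ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def nas_chap_password(ident, password, challenge):
    """Value of the RADIUS CHAP-Password attribute: 1 octet Ident + 16 octet response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def server_check(chap_password, known_good, chap_challenge=None, request_authenticator=None):
    """Recompute the response with the server's 'known good' clear-text password.

    The server cannot recover the password the client typed from the hash; it
    can only say whether the hash matches the one computed from its own copy,
    which is what "Using clear text password ... for user ... authentication"
    refers to. If the NAS sent no CHAP-Challenge attribute, the 16-octet
    Request Authenticator is the challenge (RFC 2865 section 5.3).
    """
    if len(chap_password) != 17:
        return "malformed CHAP-Password"
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    if challenge is None:
        return "no challenge available"
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, known_good, challenge)
    # Constant-time comparison so a mismatch does not leak where the hashes differ.
    if hmac.compare_digest(expected, response):
        return "chap user authenticated successfully"
    return "Password check failed"


def simulate_login(client_password, known_good, ident=1, challenge=None):
    """Run one exchange: the NAS builds CHAP-Password, the server checks it
    against known_good. With challenge=None the NAS sends no CHAP-Challenge
    attribute and the Request Authenticator doubles as the challenge."""
    authenticator = os.urandom(16)  # random per request, as a NAS would generate it
    if challenge is None:
        chap_pw = nas_chap_password(ident, client_password, authenticator)
        return server_check(chap_pw, known_good, request_authenticator=authenticator)
    chap_pw = nas_chap_password(ident, client_password, challenge)
    return server_check(chap_pw, known_good, chap_challenge=challenge,
                        request_authenticator=authenticator)
```

The two outcomes mirror the thread: the same server-side "1234" succeeds when the client also uses "1234" (the radtest run) and fails when the client uses anything else, and nothing in either exchange tells the server which password the failing client actually used.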


Using ldap_xlat in unlang with Chars not allowed in an ldap search

2012-08-29 Thread Daniel Finger
Hi!

I have a problem using the ldap module to search the LDAP tree for a
specific attribute containing a "(".

I am using FreeRADIUS (2.1.12) for 802.1X authentication (EAP-TLS), which
is working fine. After successful EAP authentication, I want to check if the
user has an entry in the LDAP:

During authenticate (I just changed a bit of formatting to have it readable
here):

Auth-Type eap {
    eap
    # Some Code to react to EAP Auth Failures

    if ( "%{TLS-Client-Cert-Common-Name}" != "" ) {
        update control {
            Tmp-String-1 = "%{ldap_WLAN_auth:ldap:///cn=UserAccounts,dc=DE?cn?sub?(&(CommonName=%{TLS-Client-Cert-Common-Name})(allowedSSID=%{Aruba-Essid-Name}))}"
        }

        if ("%{control:Tmp-String-1}" == "") {
            update control {
                Auth-Type := "Reject"
            }
            update reply {
                Reply-Message = "The user %{User-Name} is not known or allowed to access the SSID %{Aruba-Essid-Name}"
            }
            reject
        }
    }
}

Now the {TLS-Client-Cert-Common-Name} contains a ( and a ) which leads to a
bad search filter:

|Debug:   [ldap_WLAN_auth] - ldap_xlat
|Info:expand:
ldap:///cn=UserAccounts,dc=NI-NGN,dc=DE?cn?sub?(&(CommonName=%{TLS-Client-Cert-Common-Name})(allowedSSID=%{Aruba-Essid-Name}))
-> ldap:///cn=UserAccounts,dc=DE?cn?sub?(&(CommonName=Testuser(10)
Daniel)(allowedSSID=ssid-data))
|Debug:   [ldap_WLAN_auth] ldap_get_conn: Checking Id: 0
|Debug:   [ldap_WLAN_auth] ldap_get_conn: Got Id: 0
|Debug:   [ldap_WLAN_auth] performing search in cn=UserAccounts,dc=DE, with
filter (&(CommonName=Testuser(10) Daniel)(allowedSSID=ssid-data))
|ldap_search() failed: Bad search filter: (&(CommonName=Testuser(10)
Daniel)(allowedSSID=ssid-data))
|Debug:   [ldap_WLAN_auth] Search returned error
|Debug:   [ldap_WLAN_auth] ldap_release_conn: Release Id: 0
|Info:expand:
%{ldap_WLAN_auth:ldap:///cn=UserAccounts,dc=DE?cn?sub?(&(CommonName=%{TLS-Client-Cert-Common-Name})(allowedSSID=%{Aruba-Essid-Name}))}
->


If I have searched correctly it should work if I rewrite the Attribute with
\28 for ( and \29 for ) (as ascii string, not escaped :-))

As it seems the rewrite module is not the solution, as I could not get it to
do this :-)

It works as I expected it to do if the CommonName does not contain the
Parentheses.
Any ideas to work around these parentheses? Preferably using any char
allowed in the Common Name, as I expect it to contain umlauts or an & char.

Greetings,
Daniel
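An added Python model (written for this thread; not rlm_ldap's code, whose one-line fix, passing ldap_escape_func to radius_xlat, is quoted in the follow-up reply earlier on this page) of the escaping that fix applies to the expanded value: RFC 4515 escaping, the filter built from this thread's CommonName, and a small syntax check that rejects the unescaped expansion shown in the debug output and accepts the escaped one. It also covers the umlaut and "&" cases asked about above; the SSID value is the one from the debug output.

```python
"""RFC 4515 escaping of values interpolated into an LDAP search filter.
Added Python model for this thread; the real fix (ldap_escape_func passed to
radius_xlat in rlm_ldap.c) lives in FreeRADIUS, this is not that code."""

# RFC 4515 section 3: these may not appear unescaped inside an assertion value.
_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    """Escape a value for use inside a filter. Non-ASCII characters are also
    emitted as \\XX per UTF-8 byte; RFC 4515 allows them literally, but the
    escaped form survives every transport, so this example always escapes."""
    out = []
    for ch in value:
        if ch in _SPECIALS:
            out.append(_SPECIALS[ch])
        elif ord(ch) < 0x80:
            out.append(ch)
        else:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
    return "".join(out)


def build_wlan_filter(common_name, essid, escape=True):
    """The (&(CommonName=...)(allowedSSID=...)) filter from the thread.
    escape=False reproduces the broken expansion the debug output shows."""
    esc = ldap_filter_escape if escape else (lambda s: s)
    return "(&(CommonName=%s)(allowedSSID=%s))" % (esc(common_name), esc(essid))


def filter_is_well_formed(flt):
    """Minimal RFC 4515 syntax check: one parenthesised filter whose assertion
    values contain no unescaped '(' or NUL and only \\XX escapes."""
    return _parse_filter(flt, 0) == len(flt)


def _parse_filter(s, i):
    """Parse a filter at s[i] == '('; return the index after its ')' or -1."""
    if i >= len(s) or s[i] != "(":
        return -1
    i += 1
    if i >= len(s):
        return -1
    if s[i] in "&|":            # and / or: one or more nested filters
        i += 1
        nested = 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
            if i < 0:
                return -1
            nested += 1
        if nested == 0:
            return -1
    elif s[i] == "!":           # not: exactly one nested filter
        i = _parse_filter(s, i + 1)
        if i < 0:
            return -1
    else:                       # attribute=value item
        i = _parse_item(s, i)
        if i < 0:
            return -1
    if i >= len(s) or s[i] != ")":
        return -1
    return i + 1


def _parse_item(s, i):
    """attribute, '=', value; '*' is left alone (presence/substring filters)."""
    j = i
    while j < len(s) and s[j] not in "=()":
        j += 1
    if j == i or j >= len(s) or s[j] != "=":
        return -1
    i = j + 1
    hexdigits = "0123456789abcdefABCDEF"
    while i < len(s) and s[i] != ")":
        if s[i] == "\\":        # an escape must be a backslash plus two hex digits
            if i + 2 >= len(s) or s[i + 1] not in hexdigits or s[i + 2] not in hexdigits:
                return -1
            i += 3
        elif s[i] in "(\x00":   # an unescaped '(' here is exactly this thread's bug
            return -1
        else:
            i += 1
    return i
```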




Re: Not sending all trusted CA Certificates in EAP-TLS Server Hello

2012-01-04 Thread Daniel Finger
Hi!

As far as I can see the Server does not send the full certificates, but only
announces the certificates the server knows. I did not read the RFC yet, but
I assume that this only informs the client which certificates can be
requested to verify the server certificate chain.

On 04.01.2012 15:09, Alan DeKok wrote:
>> Is it possible to change the behaviour that only the certs in the
>> certificate_file are used?
> 
>   Use CA_path instead of CA_file.  That might help.

It does indeed help. Thanks!

-- 
Regards
Daniel Finger





Not sending all trusted CA Certificates in EAP-TLS Server Hello

2012-01-04 Thread Daniel Finger
Hi!

We are using 802.1X EAP TTLS to Authenticate Phones in our network. It is
working, but after seeing a tcpdump, the Radius Server is sending all known
CA Certificates to the Client during EAP TLS Negotiation.

Our Config looks like this:
private_key_file = ${certdir}/radius_server.key

  Containing the private Key of the Radius Server

certificate_file = ${certdir}/radius_server.crt
  This contains the radius certificate and the corresponding self-signed
  CA certificate.

CA_file = ${cadir}/trusted_ca.pem
  Contains different sub-CA certificates and the self-signed root
  certificate of the sub-CA used to issue client certs (!= server cert)

During EAP-TLS negotiation the Radius Server sends all known certificates
(the ones in the certificate_file and the one in the CA_file) to the client.

Is it possible to change the behaviour that only the certs in the
certificate_file are used?

This should be enough for the clients to verify the server certificate.

-- 
Regards
Daniel Finger





RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Daniel Menezes
Fajar,

> So you mean radutmp was the root cause of your problem?

I don't know, but it's better now. =)

> What does the FR log say? Does it say it receives duplicate or conflicting
packets?
> If yes, then the db is still slow. You still need to fix it. If not,
> then the problem might be somewhere else (e.g. congested network
> causing dropped packets)

This is strange!
When starting radius in debug mode I don't see any error, in normal mode
duplicate or conflicting packages have disappeared.
Always the statistics in MikroTik shows 2, 4 resends and timeouts .. a few.

I'll try other ways; first, change the DB engine.
Tomorrow I'll write about it.

Thanks.


Sds,

---
Daniel Menezes





RES: RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Daniel Menezes
Hi Arran,

> It doesn't support row level locking for one. Which absolutely cripples
selects against the radacct/postauth table when there are
> high levels of inserts/updates.
>
> MyISAM should *NOT* be used for the postauth and radacct. Version 3 schema
has been updated to use INNODB for these tables.
>
>
https://github.com/alandekok/freeradius-server/blob/master/raddb/sql/mysql/schema.sql

Hmm, I get it now.
I'll change the engine and report the results.
Thanks.


Regards,

---
Daniel Menezes



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RES: RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Daniel Menezes
Hi Alan,

>  If you know better than the RADIUS experts, why are you asking
> questions on this list?

I don't know better than anyone, I'm simply asking to understand where I'm
lost.
Sorry if you feel bad with my questions ..



Regards,

---
Daniel Menezes



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Daniel Menezes
Hi Tim,

> 1. Use the InnoDB Engine in MySQL. 
I read about it and don't know if it's the best way.
Why the InnoDB engine? The MyISAM engine is faster.

> 2. Increase the number of SQL sockets in sql.conf (num_sql_socks). The
> default is 5, try 25.
Ok.

> 3. Increase the number of connections (max_connections) in my.cnf to match
> the number of SQL sockets in sql.conf.
Ok.

> 4. Enable the MySQL slow query log (slow_query_log) in my.cnf.
> 5. Check the MySQL slow query log file for problems.
I've enabled the slow query log and set it to 2 sec.
The log doesn't show any slow query ..
Is that too much time?
I've tested with mtop[1] too, no slow queries.

Thanks!


Regards,

---
Daniel Menezes


Links:
[1] http://mtop.sourceforge.net/ 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Daniel Menezes
Fajar,

I had radutmp and SQL commented out in account {}.
I don't know why, a possible mistake.
After marking radutmp and restarting freeradius I don't see new errors in the log.

In the NAS (MikroTik) statistics there are sometimes a few resends and timeouts;
is that normal?



Regards,

---
Daniel Menezes



-Original Message-
From: freeradius-users-bounces+listas=dmnzs.com...@lists.freeradius.org
[mailto:freeradius-users-bounces+listas=dmnzs.com...@lists.freeradius.org]
On behalf of Fajar A. Nugraha
Sent: Wednesday, 26 October 2011 13:19
To: FreeRadius users mailing list
Subject: Re: FreeRadius + MySQL | radacct: Errors and Warnings

> Another thing to try, are you using radutmp? If no (e.g.
> session/simultaneous use check is using sql), just mark all instance
> of radutmp from sites-available/default (and whatever other virtual
> server you use).

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-26 Thread Daniel Menezes
Yes, there is a large number of rows in the radacct and radpostauth tables.
The attribute 'Acct-Interim-Interval' works very well but makes many
records.
I rotate these tables to archive old records, I think I'll do this every
month.

Of course, the script wouldn't solve all my problems, but it was very
useful.
Maybe I really need some customization to the backend, I'll think about it.

Thank you.


Regards,

---
Daniel Menezes


-Original Message-
From: freeradius-users-bounces+listas=dmnzs.com...@lists.freeradius.org
[mailto:freeradius-users-bounces+listas=dmnzs.com...@lists.freeradius.org]
On behalf of Fajar A. Nugraha
Sent: Wednesday, 26 October 2011 13:17
To: FreeRadius users mailing list
Subject: Re: FreeRadius + MySQL | radacct: Errors and Warnings

On Wed, Oct 26, 2011 at 10:08 PM, Daniel Menezes 
wrote:
> I read something about slow backend, tables indexes and other things.
> I've used the backend script 'mysqltuner.pl' to adjust the performance.
> It's better now, but the warnings and errors persist.
>
> Can anyone help me on this?

Obviously the automated script-based adjustment isn't enough.

Get a dba. I haven't seen a script that's good enough to magically
solve all problems that it can replace an actual expert.

A dba would be able to do a deep dive into your configuration and come
up with the best solution based on your particular situation. Who
knows, one of the advices might be "delete these indexes" (no, I'm not
kidding) or "you need to archive accounting records older than x
days".

-- 
Fajar
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-26 Thread Daniel Menezes
Hi all,

First, sorry for my bad English.

I have a FreeRadius + MySQL setup with MikroTik as NAS.
And for a few days I have had some warnings and errors in the log:

Tue Oct 25 04:02:41 2011 : Info: Released IP xxx.xxx.xxx.xxx (did via-pppoe-01 cli xx:xx:xx:xx:xx:xx user dmnzs-test)
Tue Oct 25 05:30:36 2011 : Error: Received conflicting packet from client my-pppoe-01 port 39595 - ID: 75 due to unfinished request 625066.  Giving up on old request.
Tue Oct 25 15:43:20 2011 : Error: WARNING: Unresponsive child for request 784, in module radutmp component accounting


I read something about slow backend, tables indexes and other things.
I've used the backend script 'mysqltuner.pl' to adjust the performance.
It's better now, but the warnings and errors persist.

Can anyone help me on this?
Thanks in advance.


Regards,

---
Daniel Menezes



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
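The replies in this thread keep asking the same diagnostic question (does radius.log show duplicate or conflicting packets, and is a module holding requests?). The script below is an added example, not part of the thread or of FreeRADIUS, that answers it from the log: it counts "conflicting packet" and "duplicate request" lines per NAS client and "Unresponsive child" lines per module, then gives the verdict the replies use: unresponsive children point at a slow backend module, retransmits with no unresponsive children point at the NAS timeout or the network. The log lines in SAMPLE_LOG are constructed for the example, modelled on the messages quoted in the original post (addresses and client names are made up).

```python
import re
from collections import Counter

# Constructed sample, modelled on the FreeRADIUS 2.x messages quoted in the thread.
SAMPLE_LOG = """\
Tue Oct 25 04:02:41 2011 : Info: Released IP 10.0.0.5 (did via-pppoe-01 cli 00:11:22:33:44:55 user dmnzs-test)
Tue Oct 25 05:30:36 2011 : Error: Received conflicting packet from client my-pppoe-01 port 39595 - ID: 75 due to unfinished request 625066.  Giving up on old request.
Tue Oct 25 05:30:37 2011 : Error: Discarding duplicate request from client my-pppoe-01 port 39595 - ID: 76 due to unfinished request 625067
Tue Oct 25 15:43:20 2011 : Error: WARNING: Unresponsive child for request 784, in module radutmp component accounting
Tue Oct 25 15:43:22 2011 : Error: WARNING: Unresponsive child for request 785, in module sql component accounting
Tue Oct 25 15:43:25 2011 : Error: Received conflicting packet from client my-pppoe-02 port 41000 - ID: 12 due to unfinished request 790.  Giving up on old request.
"""

PATTERNS = {
    # NAS re-used an ID while the server was still working on the earlier packet
    "conflicting": re.compile(
        r"Received conflicting packet from client (?P<client>\S+) port \d+ - ID: \d+"
        r" due to unfinished request (?P<req>\d+)"),
    # NAS retransmitted an identical packet before the server had answered
    "duplicate": re.compile(
        r"Discarding duplicate request from client (?P<client>\S+) port \d+ - ID: \d+"
        r" due to unfinished request (?P<req>\d+)"),
    # a module did not return before max_request_time expired
    "unresponsive": re.compile(
        r"Unresponsive child for request (?P<req>\d+), in module (?P<module>\S+)"
        r" component (?P<component>\S+)"),
}


def triage(log_text):
    """Count the three symptom kinds; retransmits per NAS client, stalls per module."""
    summary = {"kinds": Counter(), "by_client": Counter(), "by_module": Counter()}
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            summary["kinds"][kind] += 1
            if kind == "unresponsive":
                summary["by_module"][match["module"]] += 1
            else:
                summary["by_client"][match["client"]] += 1
    return summary


def verdict(summary):
    """Order of blame used in the thread: slow backend first, then NAS timeouts/network."""
    kinds = summary["kinds"]
    retransmits = kinds["conflicting"] + kinds["duplicate"]
    if kinds["unresponsive"]:
        worst, count = summary["by_module"].most_common(1)[0]
        return (f"backend too slow: {kinds['unresponsive']} unresponsive children, "
                f"{count} of them in module '{worst}'; fix the backend before tuning the NAS")
    if retransmits:
        return (f"{retransmits} NAS retransmits while requests were still in progress; "
                f"check the NAS retry timeout and the path to the server")
    return "no retransmit or backend-latency symptoms"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["kinds"], result["by_client"], result["by_module"])
    print(verdict(result))
```

Run it against a real /var/log/freeradius/radius.log by replacing SAMPLE_LOG with the file contents; the per-client counter tells you which NAS is retransmitting, and the per-module counter tells you which backend (sql, radutmp, ldap) to look at first.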


RE: Radius Access-Challenge and Apache

2011-09-07 Thread Daniel Abels
Hi, I have done this ... But I still don't have any luck (please see my
last message.)

Could the problem be related to the version of radius auth for apache in
the Debian repos perhaps?

Daniel


> -Original Message-
> From: freeradius-users-bounces+daniel.abels=leica-
> microsystems@lists.freeradius.org [mailto:freeradius-users-
> bounces+daniel.abels=leica-microsystems@lists.freeradius.org] On
> Behalf Of Alan DeKok
> Sent: Monday, 29 August 2011 8:25 PM
> To: FreeRadius users mailing list
> Subject: Re: Radius Access-Challenge and Apache
> 
> Daniel Abels wrote:
> > On the command line, this also works using radtest, see below:
> 
>   So... run the server in debugging mode, and see what happens when
you
> send it a packet from Apache.  That information is useful.
> 
>   There's a *reason* we suggest using debugging mode.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Radius Access-Challenge and Apache

2011-09-04 Thread Daniel Abels
902): Sending
packet on 127.0.0.1:1812
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1256):  RADIUS
Authentication for user=dra password= OK.  Cookie expiry in 5
minutes\n
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1258):  Adding
cookie 393dda94ff105f4d6dad2c1a509a3a344e5c210a\n
[Tue Aug 30 09:25:18 2011] [debug] mod_deflate.c(615): [client
10.10.240.240] Zlib: Compressed 130 to 108 : URL /test/index.html

Any ideas?

Thanks again,

Daniel


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Radius Access-Challenge and Apache

2011-08-28 Thread Daniel Abels
Hi all,

I have developed a rlm_perl script for FreeRadius to provide an
Access-Challenge response upon an initial successful login (i.e. enter
username & password, receive access-challenge, then enter a code.)

I'm having some trouble getting an Access-Challenge "reply message"
to display in a web browser.  I'm not sure if I have something
configured incorrectly, or if my expectations of what the apache module
(mod-auth-radius) should be doing are wrong.

According to the documentation from the mod_auth_radius README, when the
module receives an "Access-Challenge" response:

"...you'll see your username displayed, along with the RADIUS
Reply-Message at the top of the authentication window."

But I see no such reply-message in the browser.  It just displays the
same Authentication Realm message ("Radius Authentication Test") for
each prompt (tested in Firefox.) I was expecting the reply-message
(which is "Please Enter Code") to be displayed instead, is that
possible?  Upon examining the source code for the module, there appears
to be code to handle this.

Using Wireshark, it also appears that this message is not returned to
the browser.

Anyway, if the user enters the correct code at this point, they can
reach the web page successfully, so the authentication side of things is
not a problem.

The server is Debian (squeeze) with freeradius (2.1.10+dfsg-2), apache
(2.2.16-6+squeeze1) and libapache2-mod-auth-radius (1.5.8-1)

The important portion of my apache configuration is below:

# Radius Server Authentication
AddRadiusAuth localhost:1812 testing123 5
AddRadiusCookieValid 5

# Test Radius Authentication

Options Indexes FollowSymLinks MultiViews
AuthType Basic
AuthName "Radius Authentication Test"
AuthBasicAuthoritative Off
AuthBasicProvider radius
AuthRadiusAuthoritative On
AuthRadiusActive On
Require valid-user


I have performed other tests using a Cisco VPN concentrator and Cisco's
VPN client on Windows 7, this works great - the "Access-Challenge"
response works (It returns the message "Please Enter Code".)

On the command line, this also works using radtest, see below:

# radtest user testing localhost 10 testing123
Sending Access-Request of id 150 to 127.0.0.1 port 1812
User-Name = "user"
User-Password = "testing"
NAS-IP-Address = 127.0.1.1
NAS-Port = 10
rad_recv: Access-Challenge packet from host 127.0.0.1 port 1812, id=150,
length=50
Reply-Message = "Please Enter Code"
State = 0x6368616c6c656e6765

Any assistance on this matter would be greatly appreciated!

Regards,

Daniel Abels


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
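The two-round exchange the post is trying to get out of Apache, worked through as an added example (not code from the thread, FreeRADIUS or mod_auth_radius): a minimal RFC 2865 client and a constructed stand-in for the rlm_perl policy, so the State round trip can be seen end to end. The User-Password obfuscation and the Response Authenticator are the RFC 2865 ones; the ChallengeServer class, the user, the one-time code, the secret testing123 and the prompt "Please Enter Code" are assumptions taken from the radtest run above. Each round uses a fresh Request Authenticator, the client echoes State unchanged and sends the code as User-Password, and the server consumes the State on first use so a replayed second round is rejected. The Reply-Message from the challenge is what the browser prompt should be showing; a second Access-Request without State is treated as a new round one.

```python
import hashlib
import os
import struct

# RFC 2865 packet codes and the attribute types this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def _xor_chain(data, secret, authenticator, encrypt):
    # RFC 2865 s5.2: 16-byte blocks, each XORed with MD5(secret + previous ciphertext block)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if encrypt else block
    return out


def encode_password(password, secret, authenticator):
    pad = (-len(password)) % 16
    if not password:
        pad = 16  # the RFC requires at least one block
    return _xor_chain(password + b"\x00" * pad, secret, authenticator, True)


def decode_password(encoded, secret, authenticator):
    return _xor_chain(encoded, secret, authenticator, False).rstrip(b"\x00")


def pack_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], parse_attrs(pkt[20:length])


def build_request(ident, secret, username, password, extra=()):
    # The random Request Authenticator keys the User-Password obfuscation
    authenticator = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, encode_password(password, secret, authenticator))] + list(extra)
    body = pack_attrs(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    return pkt, authenticator


def build_response(code, request, secret, attrs):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def response_is_authentic(resp, request_authenticator, secret):
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest()
    return expected == resp[4:20]


class ChallengeServer:
    """Constructed stand-in for the thread's rlm_perl policy (assumption, not the real server)."""

    def __init__(self, secret, passwords, codes):
        self.secret, self.passwords, self.codes = secret, passwords, codes
        self.pending = {}  # State value -> username; removed when used

    def handle(self, pkt):
        code, ident, authenticator, attrs = parse_packet(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME)
        supplied = decode_password(a.get(USER_PASSWORD, b""), self.secret, authenticator)
        if STATE not in a:
            # Round one: check the password, hand out State together with the prompt
            if user is None or self.passwords.get(user) != supplied:
                return build_response(ACCESS_REJECT, pkt, self.secret, [])
            state = os.urandom(16)
            self.pending[state] = user
            return build_response(ACCESS_CHALLENGE, pkt, self.secret,
                                  [(REPLY_MESSAGE, b"Please Enter Code"), (STATE, state)])
        # Round two: State must be one we issued to this user and not yet consumed
        owner = self.pending.pop(a[STATE], None)
        if owner is not None and owner == user and self.codes.get(user) == supplied:
            return build_response(ACCESS_ACCEPT, pkt, self.secret, [])
        return build_response(ACCESS_REJECT, pkt, self.secret, [])


def authenticate(server, secret, username, password, code):
    """Client side, i.e. what the Apache module has to do. Returns (final code, prompt)."""
    req, ra = build_request(1, secret, username, password)
    resp = server.handle(req)
    if not response_is_authentic(resp, ra, secret):
        raise ValueError("bad Response Authenticator")
    rcode, _, _, rattrs = parse_packet(resp)
    if rcode != ACCESS_CHALLENGE:
        return rcode, None
    reply = dict(rattrs)
    # Echo State unchanged, send the code as User-Password, show Reply-Message to the user
    req2, ra2 = build_request(2, secret, username, code, [(STATE, reply[STATE])])
    resp2 = server.handle(req2)
    if not response_is_authentic(resp2, ra2, secret):
        raise ValueError("bad Response Authenticator")
    return parse_packet(resp2)[0], reply.get(REPLY_MESSAGE)
```

Usage: ChallengeServer(b"testing123", {b"user": b"testing"}, {b"user": b"123456"}) then authenticate(server, b"testing123", b"user", b"testing", b"123456") returns (ACCESS_ACCEPT, b"Please Enter Code"). To compare with a real server, capture the radtest exchange above with Wireshark and check that the second Access-Request carries the State attribute byte for byte.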


Re: Config for TLS, TTLS and PEAP and subject validation

2011-08-12 Thread Daniel Bertolo
Hi Alan

Am 11.08.11 23:13, schrieb Alan DeKok:
>   The TLS-Client-Cert-Subject is empty.  You will need to check for EAP-TLS:
> 
>   if ((EAP-Type == EAP-TLS) && \
>   ("%{TLS-Client-Cert-Subject}" !~ /\/O=MyCompany\//)) {
>   ...

Thank you very much. This works great.

Regards,
Daniel
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Config for TLS, TTLS and PEAP and subject validation

2011-08-11 Thread Daniel Bertolo
Hi

I currently run FreeRADIUS 2.1.6 and have a working configuration for
EAP-TTLS and PEAP that is used for a WPA2 network. In addition to that,
I would like to allow our users to use their user certificate from a
public issuer to connect using EAP-TLS. This means that I have to check
if the subject contains our organisation. I read in previous threads
about checking the subject in the authenticate section:

authenticate {
Auth-Type eap {
eap
if (!"%{TLS-Client-Cert-Subject}" =~ /\/O=MyCompany\// ) {
reject
}
}
}

I have two questions about that:

- This would belong in the "outer" request as there is no inner request
with EAP-TLS, right?

- What happens to requests that don't provide a client certificate (the
users who still use EAP-TTLS or PEAP)?

In conclusion, is there a way to distinguish between EAP-TLS requests
and EAP-TTLS or PEAP requests? And if so, can I use a different server
section for EAP-TLS?

Thanks for help.

Best regards,
Daniel
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
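A Python model of the subject check, added here as an example (not FreeRADIUS or unlang code) to make the two failure modes in the question concrete. PEAP and EAP-TTLS requests carry no client certificate, so TLS-Client-Cert-Subject is empty and an unconditional regex rejects every one of them; the check has to be gated on EAP-Type first. The second point is about the regex itself: FreeRADIUS fills TLS-Client-Cert-Subject in OpenSSL's one-line form ("/C=CH/O=MyCompany/CN=daniel"), which has no trailing slash, so the pattern /\/O=MyCompany\// gives a false reject when O= happens to be the last component. Splitting the subject into components and requiring an exact "O=MyCompany" avoids that. The organisation name and the sample subjects are assumptions for the example.

```python
import re

# The pattern from the thread: needs a slash on both sides of the organisation
THREAD_PATTERN = re.compile(r"/O=MyCompany/")


def naive_check(subject):
    """The unconditional rule: accept only when the thread's regex matches."""
    return bool(THREAD_PATTERN.search(subject))


def subject_components(subject):
    # OpenSSL one-line form: leading slash per RDN, no trailing slash
    return [part for part in subject.split("/") if part]


def has_organisation(subject, org):
    # Exact component match: "O=MyCompanyLtd" and "OU=MyCompany" do not count
    return f"O={org}" in subject_components(subject)


def allow_request(eap_type, subject, org="MyCompany"):
    """Gate on EAP-TLS, then require an exact O= component. Returns (allowed, reason)."""
    if eap_type != "EAP-TLS":
        return True, "not EAP-TLS: no client certificate to check"
    if not subject:
        return False, "EAP-TLS request without a client certificate subject"
    if has_organisation(subject, org):
        return True, "organisation matches"
    return False, "organisation mismatch"
```

One caveat the component parser does not remove: the one-line form does not escape slashes inside attribute values, so a public CA that lets a subscriber put "/O=MyCompany" into a CN would still pass. Pinning the issuer as well (the server also exposes the issuer of the client certificate as an attribute in 2.x, alongside the subject) closes that, because only certificates from the CA you actually trust for this purpose are considered at all.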


RE: radutmp - key change

2011-08-08 Thread Daniel Hurran
Fixed! I had:

key = %{Calling-Station-Id}

instead of:

username = %{Calling-Station-Id}

in:

/etc/freeradius/modules/radutmp

Many thanks.

-Original Message-
From: freeradius-users-bounces+daniel.hurran=bglobalmetering@lists.freeradius.org [mailto:freeradius-users-bounces+daniel.hurran=bglobalmetering@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: 08 August 2011 15:04
To: FreeRadius users mailing list
Subject: Re: radutmp - key change

Hi,
> Hi Alan,
>
> Whatever I change it to, it still prints out at debug,  username = 
> "%{User-Name}".


Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
  radutmp {
filename = "/var/log/radius/radutmp"
username = "%{Calling-Station-Id}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }


thats with

username = %{Calling-Station-Id}


in modules/radutmp


are you editing the RIGHT directory and file?


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Make Energy Count - that's what we do. Visit Bglobal's website at
www.bglobalmetering.com to find out how our smart meter service
delivers 100% accurate bills for our customers and helps them cut
 costs, drive down consumption and reduce their carbon footprint.

This message is private and confidential. If you have received this in
error, please notify us at i...@bglobalmetering.com and remove it from
your system.

The recipient should check this email and any attachments for the
presence of viruses. Bglobal accepts no liability for any damage caused
by any virus transmitted by this email.

-
This email message has been delivered safely and archived online by Mimecast.
For more information please visit http://www.mimecast.co.uk 
-


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: radutmp - key change

2011-08-08 Thread Daniel Hurran
Hi Alan,

Whatever I change it to, it still prints out at debug,  username = 
"%{User-Name}".


-Original Message-
From: freeradius-users-bounces+daniel.hurran=bglobalmetering@lists.freeradius.org [mailto:freeradius-users-bounces+daniel.hurran=bglobalmetering@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: 08 August 2011 14:12
To: FreeRadius users mailing list
Subject: Re: radutmp - key change

Hi,


username = %{Calling-Station-Id}



and then call the module using your name 'radutmp_CSID'


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radutmp - key change

2011-08-08 Thread Daniel Hurran
Hi all,

I am trying to change the key in the radutmp module from username to 
calling-station-id. I have made the change in the radutmp file, but when I try 
freeradius -X the debug says that username = "%{User-Name}".

I was expecting username= %{Calling-Station-Id}. Is this correct? Whatever I 
put in the key, the debug says username.

Dan

--

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu

radutmp radutmp_CSID {
#  Where the file is stored.  It's not a log file,
#  so it doesn't need rotating.
#
filename = ${logdir}/radutmp

#  The field in the packet to key on for the
#  'user' name,  If you have other fields which you want
#  to use to key on to control Simultaneous-Use,
#  then you can use them here.
#
#  Note, however, that the size of the field in the
#  'utmp' data structure is small, around 32
#  characters, so that will limit the possible choices
#  of keys.
#
#  You may want instead: %{Stripped-User-Name:-%{User-Name}}

key = %{Calling-Station-Id}

#  Whether or not we want to treat "user" the same
#  as "USER", or "User".  Some systems have problems
#  with case sensitivity, so this should be set to
#  'no' to enable the comparisons of the key attribute
#  to be case insensitive.
#
case_sensitive = yes

#  Accounting information may be lost, so the user MAY
#  have logged off of the NAS, but we haven't noticed.
#  If so, we can verify this information with the NAS,
#
#  If we want to believe the 'utmp' file, then this
#  configuration entry can be set to 'no'.
#
check_with_nas = yes

# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600

callerid = "yes"
}

Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp_CSID" from file 
/etc/freeradius/modules/radutmp
  radutmp radutmp_CSID {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius-Users Digest, Vol 73, Issue 8

2011-05-11 Thread Daniel Davidson
I finally got this figured out.  It did not have anything to do with 
freeradius, but since others using the program might run into it, I 
figured I should post it here.


The arp cache of the server was limited by default to 128 addresses, 
which was running out pretty quickly.  So I inserted and applied the 
values below in sysctl.conf and everything works great now.


net.ipv4.neigh.default.gc_thresh3 = 4096
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh1 = 1024

Dan

On 05/04/2011 01:51 AM, freeradius-users-requ...@lists.freeradius.org 
wrote:

Message: 3
Date: Tue, 3 May 2011 20:56:12 +0100
From: Alexander Clouter
Subject: Re: ldap server connection timeout
To:freeradius-users@lists.freeradius.org
Message-ID:

Daniel Davidson  wrote:

>
>  My new wireless network tested great, but now that I have rolled it out
>  to the entire building, I get error messages like:
>  
>  Mon May  2 15:15:06 2011 : Error: rlm_ldap: ldap_search() failed: Timed

>  out while waiting for server to respond. Please increase the timeout.
>  
>  And when these trigger, nearly everyone gets disconnected for about 5

>  seconds.  Possible relevant code from ldap module:
>  
>  ldap {

> #private stuff<-- BUT CRUCIAL!
>   ldap_connections_number = 15
>   timeout = 10
>   timelimit = 10
>   net_timeout = 5
>  }
>  
>  The only existing firewalls are on the machines themselves and the ip

>  range of the servers are open with each other.  Any ideas?
>  

I am guessing your LDAP server is *way* too slow when processing the
queries you are making it munch through.  Typical 'first-timer' mistakes are
that you are not indexing the important attributes.  For example our
filter looks like:

filter = 
"(&(objectClass=Person)(|(businessCategory=staff)(businessCategory=student)(cn=avg*))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"

This takes ~0.02s to respond for us, how long does it take to process
the query at your end (test with the following and remember to test
the server when it is under load, which is probably why it worked
before you widely deployed it):

time ldapsearch -h ldap-server.example.com -x -LLL 'FILTER'


Where FILTER is what you see FreeRADIUS make in the output of 'radiusd
-X'.

Cheers



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
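The ceiling Dan hit is the Linux neighbour (ARP) table: net.ipv4.neigh.default.gc_thresh1 is the size below which entries are never garbage-collected, gc_thresh2 the soft limit above which the kernel prunes aggressively, and gc_thresh3 the hard limit at which new entries fail and the kernel logs "neighbour table overflow", which is what disconnects clients. The script below is an added example, not from the thread, that checks how close a host is to gc_thresh3 and sizes the three sysctls for an expected number of directly connected hosts; with 1500 hosts and the default headroom it produces exactly the 1024/2048/4096 values Dan used. classify() is pure and takes the numbers as arguments; the two /proc readers only work on Linux and are kept separate so the rest is testable anywhere. The sizing rule (next power of two above twice the expected hosts, never below 1024, thresh2 and thresh1 at half and a quarter of thresh3) is this example's own convention.

```python
import os

NEIGH_DIR = "/proc/sys/net/ipv4/neigh/default"
THRESH_NAMES = ("gc_thresh1", "gc_thresh2", "gc_thresh3")


def classify(entries, gc_thresh1, gc_thresh2, gc_thresh3):
    """ok below gc_thresh2, warning between gc_thresh2 and gc_thresh3, critical at gc_thresh3."""
    if entries >= gc_thresh3:
        return "critical"  # new neighbours cannot be added: "neighbour table overflow"
    if entries >= gc_thresh2:
        return "warning"   # kernel is already pruning aggressively
    return "ok"


def recommended_thresholds(expected_hosts, headroom=2.0):
    """Size gc_thresh3 to the next power of two above expected_hosts * headroom
    (never below 1024), with gc_thresh2 at half and gc_thresh1 at a quarter of it."""
    target = max(1024, int(expected_hosts * headroom))
    t3 = 1 << (target - 1).bit_length()
    return {"net.ipv4.neigh.default.gc_thresh1": t3 // 4,
            "net.ipv4.neigh.default.gc_thresh2": t3 // 2,
            "net.ipv4.neigh.default.gc_thresh3": t3}


def sysctl_conf_lines(thresholds):
    """Render the mapping as lines for /etc/sysctl.conf, in gc_thresh1..3 order."""
    return [f"{key} = {value}" for key, value in sorted(thresholds.items())]


def read_thresholds(neigh_dir=NEIGH_DIR):
    """Current kernel values (Linux only)."""
    values = []
    for name in THRESH_NAMES:
        with open(os.path.join(neigh_dir, name)) as f:
            values.append(int(f.read().strip()))
    return tuple(values)


def count_neighbours(arp_table="/proc/net/arp"):
    """/proc/net/arp has one header line, then one line per IPv4 neighbour entry."""
    with open(arp_table) as f:
        return sum(1 for index, line in enumerate(f) if index and line.strip())


def live_check():
    """Classify this host's current table against its current thresholds (Linux only)."""
    entries = count_neighbours()
    thresholds = read_thresholds()
    return entries, thresholds, classify(entries, *thresholds)


if __name__ == "__main__":
    try:
        print(live_check())
    except OSError as exc:
        print(f"no Linux neighbour sysctls here: {exc}")
    print("\n".join(sysctl_conf_lines(recommended_thresholds(1500))))
```

Run live_check() on the RADIUS host during peak hours; "warning" with the long-standing defaults of 128/512/1024 and several hundred wireless clients on the same segment is the situation described above, and the sysctl.conf lines from recommended_thresholds() are the fix. Values set via sysctl.conf only apply to new devices unless you also write the per-interface copies, so apply them at boot or with sysctl -p before the interfaces come up.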

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-07 Thread Daniel Deptuła

On 2011-05-07 20:50, Robert Mc Cready wrote:


The "MS-CHAP-Use-NTLM-Auth := no"  did the job but I still have one 
problem with Windows XP clients, I get a " [mschap] ERROR: User-Name 
(CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from 
EAP-MSCHAPv2". Users log on locally, the host name is not a domain 
name. Windows 7 clients work fine because they send only the username. 
I do some rewrites so I can get the username for the LDAP 
authentication and the computers name for computer account 
authentication (I'm not familiar with unlang yet).  We use FR 2.1.10.


Any idea how to fix this ?



Try to uncomment the ntdomain line in the authorize section of site 
configuration. This will split the realm (computer name) and login. 
Maybe you'll also need to set the with_ntdomain_hack = yes in mschap 
module configuration.


Daniel

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: ldap server connection timeout

2011-05-03 Thread Daniel Davidson
Upon seeing Alan's response, I took the step of installing openldap on 
the radius machine and then trying it with the ldap module pointing to 
localhost.  I am still seeing the same results from this.  The server is 
up and taking requests.


Any other ideas as to what could be causing this?

Dan


On 05/03/2011 05:00 AM, freeradius-users-requ...@lists.freeradius.org 
wrote:

Daniel Davidson wrote:

>  My new wireless network tested great, but now that I have rolled it out
>  to the entire building, I get error messages like:
>  
>  Mon May  2 15:15:06 2011 : Error: rlm_ldap: ldap_search() failed: Timed

>  out while waiting for server to respond. Please increase the timeout.

   Make sure your LDAP server is up and reachable.


>  The only existing firewalls are on the machines themselves and the ip
>  range of the servers are open with each other.  Any ideas?

   It's a networking issue and has nothing to do with FreeRADIUS.  The
server is just a victim of the underlying problem.

   Alan DeKok.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


ldap server connection timeout

2011-05-02 Thread Daniel Davidson
My new wireless network tested great, but now that I have rolled it out 
to the entire building, I get error messages like:


Mon May  2 15:15:06 2011 : Error: rlm_ldap: ldap_search() failed: Timed 
out while waiting for server to respond. Please increase the timeout.


And when these trigger, nearly everyone gets disconnected for about 5 
seconds.  Possible relevant code from ldap module:


ldap {
  #private stuff
ldap_connections_number = 15
timeout = 10
timelimit = 10
net_timeout = 5
}

The only existing firewalls are on the machines themselves and the ip 
range of the servers are open with each other.  Any ideas?


Dan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS + Symbian = weird behaviour

2011-04-10 Thread Daniel Deptuła

On 2011-04-10 14:25, Zeus V Panchenko wrote:

Daniel Deptuła (daniel.dept...@gmail.com) [11.04.10 14:16] wrote:

...
the same device works fine (getting authorized well) via one AP in my
LAN and remote VPN, but receiving
...

Have you installed the CA certificate on the phones?? You can check it
probably somewhere in Menu->  Settings ->  Phone ->  Phone management ->
Security ->  Certificates management.
For example in Nokia 5800 there are only VeriSign's CA certs installed
by default.


as written above, *the_same_device* with 
*the_same_certificates_(CA_and_personal)*
works via one AP but not via another ...

it is worth mentioning that, as written, the last packet from
radiusd is a challenge, after which "EAP session for state ... did not finish!"
appears ... while other OSes work perfectly at any point.


I assume the SSIDs for both WLANs are the same. Have you tried connecting 
the remote AP in your LAN? Maybe Nokia saves something about the particular 
AP in the network profile? Or maybe there's a problem with timeouts or 
packet fragmentation caused by the VPN tunnel...


Daniel

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS + Symbian = weird behaviour

2011-04-10 Thread Daniel Deptuła

On 2011-04-10 11:08, Zeus V Panchenko wrote:

Hi,

may somebody advise, please

i have:

uname

FreeBSD 8.1-RELEASE amd64


radiusd -v

radiusd: FreeRADIUS Version 2.1.10, for host amd64-portbld-freebsd8.1,
built on Apr  4 2011 at 22:44:15

radiusd configured with EAP-TLS only and works fine with xNIX-es,
WinXP, Android and Maemo

with Symbian (Nokia E51, E52) I face a very weird picture ...

the same device works fine (getting authorized well) via one AP in my
LAN and remote VPN, but receiving

!!
!! EAP session for state ... did not finish!
!! Please read http://wiki.freeradius.org/Certificate_Compatibility
!!

via another AP (in remote VPN, while other OS still authorized well)

AP are the same models and configured the same way

what can cause this behaviour?



Have you installed the CA certificate on the phones?? You can check it 
probably somewhere in Menu-> Settings -> Phone -> Phone management -> 
Security -> Certificates management.
For example in Nokia 5800 there are only VeriSign's CA certs installed 
by default.


Daniel

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP TTLS: Getting the EMSK key?

2011-01-25 Thread Daniel

Hi again,

I have installed a clean new freeRadius 2.1.10 and set it up.
It is working fine, and I am also receiving the MSK key (without doing any
modifications to the code).

How come I can get the MSK key, but not the EMSK?
I would expect freeradius either to export both of them, or to not export
both of them (for security reasons as you said).

Thanks again,
Daniel.
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/EAP-TTLS-Getting-the-EMSK-key-tp3354606p3356264.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP TTLS: Getting the EMSK key?

2011-01-24 Thread Daniel


Alan DeKok-2 wrote:
> 
> Daniel wrote:
>> I am new to radius and am using it in for a wimax based EAP TLS/TTLS
>> network. 
>> Right now, I have freeradius 1.1.7 already installed and working. 
> 
> 
>   It won't really work for WiMAX.  You'll need 2.1.10, or maybe even the
> most recent git "master" branch.
> 
> 

It’s already working. I am running a full wimax network, and it’s running
smoothly.


Alan DeKok-2 wrote:
> 
> 
>> What I need is to retrieve the calculated EMSK key (for testing purposes)
>> from the radius server to the NAS. 
>> I have managed to get the MSK key, but for some reason I cannot retrieve
>> the
>> EMSK key. 
>> What do I need to do?
> 
>   Edit the source code to export the EMSK.  It's not *supposed* to be
> exported for security reasons.
> 
> 

Can you please give me some kind of directions on how to do that?

-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/EAP-TTLS-Getting-the-EMSK-key-tp3354606p3355192.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

EAP TTLS: Getting the EMSK key‏

2011-01-24 Thread Daniel

Hi all, 

I am new to radius and am using it for a wimax based EAP TLS/TTLS
network. 
Right now, I have freeradius 1.1.7 already installed and working. 
What I need is to retrieve the calculated EMSK key (for testing purposes)
from the radius server to the NAS. 
I have managed to get the MSK key, but for some reason I cannot retrieve the
EMSK key. 
What do I need to do? Would upgrading to a newer version of freeradius help? 

Thanks, 
Daniel. 
 
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/EAP-TTLS-Getting-the-EMSK-key-tp3354606p3354606.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL query error; rejecting user

2010-10-12 Thread Daniel Sandulescu
I agree with what you say, but can anyone solve it for mysql Ver 14.12 Distrib 
5.0.51a?



- Original Message - 
From: "Marius Pesé" 

To: "FreeRadius users mailing list" 
Sent: Tuesday, October 12, 2010 11:50 AM
Subject: RE: SQL query error; rejecting user


That's not a bug, that is someone trying to use the MS SQL schema on a 
MySQL server. Obviously those files will only work for the database server 
they were written for.


-Original Message-
From: 
freeradius-users-bounces+marius=mindspring.co...@lists.freeradius.org 
[mailto:freeradius-users-bounces+marius=mindspring.co...@lists.freeradius.org] 
On Behalf Of Daniel Sandulescu

Sent: Tuesday, October 12, 2010 10:46 AM
To: FreeRadius users mailing list
Subject: Re: SQL query error; rejecting user

If I want to upload schema.sql, same bug as here:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg61853.html


- Original Message - 
From: "Alan Buxey" 
To: "FreeRadius users mailing list" 


Sent: Tuesday, October 12, 2010 11:20 AM
Subject: Re: SQL query error; rejecting user



Hi,

So I did, I deleted everything in /etc/raddb and configured it again
according to the requirements there.


check that the raddb directory is the right one - I seem to recall that
one of your logs showed it was /usr/local/etc/raddb/

the default configuration works for basic tests etc - it certainly doesn't
have the blank query error that you posted.

alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL query error; rejecting user

2010-10-12 Thread Daniel Sandulescu

If I want to upload schema.sql, same bug as here:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg61853.html



- Original Message - 
From: "Alan Buxey" 

To: "FreeRadius users mailing list" 
Sent: Tuesday, October 12, 2010 11:20 AM
Subject: Re: SQL query error; rejecting user



Hi,
So I did, I deleted everything in /etc/raddb and configured it again
according to the requirements there.


check that the raddb directory is the right one - I seem to recall that
one of your logs showed it was /usr/local/etc/raddb/

the default configuration works for basic tests etc - it certainly doesn't
have the blank query error that you posted.

alan
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL query error; rejecting user

2010-10-12 Thread Daniel Sandulescu

Here it is installed :

radiusd:  Loading Virtual Servers 
server { # from file /usr/local/etc/raddb/radiusd.conf

And this is the error :

rad_recv: Access-Request packet from host 127.0.0.1 port 57115, id=255, 
length=115

   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = "phlander"
   CHAP-Challenge = 0xf73651aeca5a7c950c9aa1bb7c2717b2c069a238e8
   CHAP-Password = 0x73ebd7551d76b3caa221e5b64085a07b1d
   Calling-Station-Id = "00:42:15:11:24:57"
   NAS-IP-Address = 10.0.0.1
   NAS-Port = 0
 WARNING: Empty authorize section.  Using default return values.
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting 
the user

Failed to authenticate the user.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 255 to 127.0.0.1 port 57115
Waking up in 4.9 seconds.



- Original Message - 
From: "Alan Buxey" 

To: "FreeRadius users mailing list" 
Sent: Tuesday, October 12, 2010 11:20 AM
Subject: Re: SQL query error; rejecting user



Hi,
> So I did; I deleted everything in /etc/raddb and configured it again
> according to the requirements there.

check that the raddb directory is the right one - I seem to recall that one
of your logs showed it was /usr/local/etc/raddb/

the default configuration works for basic tests etc - it certainly doesn't
have the blank query error that you posted.

alan


Re: SQL query error; rejecting user

2010-10-11 Thread Daniel Sandulescu
So I did; I deleted everything in /etc/raddb and configured it again
according to the requirements there.


My question was whether I can see where the mistake is.

Sincerely,
Daniel

- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Monday, October 11, 2010 6:23 PM
Subject: Re: SQL query error; rejecting user



Daniel Sandulescu wrote:

Returning to this, we got this far and do not know where the error is..


 If you're not going to read the messages on this list, then I don't
see why you are posting questions.

 You have DELETED the entire configuration.  Why?

 Use the configuration from 2.1.10.  It's not hard.  Delete the
existing /etc/raddb directory (or move it somewhere else), and install
it again.

 And then CHECK the configuration directory.  If it's empty, don't
bother posting to the list.  Go fix it yourself.

 Alan DeKok.


Re: SQL query error; rejecting user

2010-10-11 Thread Daniel Sandulescu

Returning to this, we got this far and do not know where the error is..

rad_recv: Access-Request packet from host 127.0.0.1 port 58178, id=244, 
length=115

   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = "phlander"
   CHAP-Challenge = 0x4ff1c005798fc649dd7acb1270f8d142d169b3e1f4
   CHAP-Password = 0x14362cd1151241b3faf7b4826269ee9771
   Calling-Station-Id = "00:42:15:11:24:57"
   NAS-IP-Address = 10.0.0.1
   NAS-Port = 0
 WARNING: Empty authorize section.  Using default return values.
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting 
the user

Failed to authenticate the user.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 244 to 127.0.0.1 port 58178
Waking up in 4.9 seconds.
Cleaning up request 0 ID 244 with timestamp +13
Ready to process requests.



- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Monday, October 11, 2010 4:44 PM
Subject: Re: SQL query error; rejecting user



Daniel Sandulescu wrote:


I upgraded to version 2.1.10 and now I have this error:


 The entire point of the debug output is to *read* it.  You have the
same problem as last time.

 And even worse, you "upgraded" to 2.1.10, and left all of the
problematic configuration files in place.

 Instead, use the 2.1.10 configuration files, and then edit them.  See
"man radiusd"

 Alan DeKok.


Re: SQL query error; rejecting user

2010-10-11 Thread Daniel Sandulescu


I upgraded to version 2.1.10 and now I have this error:

rad_recv: Access-Request packet from host 127.0.0.1 port 48934, id=235, 
length=116

   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = "phlander"
   CHAP-Challenge = 0x697c26c79cb6f40f57fbbbddb6bc63d8e805ee6a9b75
   CHAP-Password = 0x8c0a8927b6df3d0ac0c6f0cc6444b19ed9
   Calling-Station-Id = "00:42:15:11:24:57"
   NAS-IP-Address = 10.0.0.1
   NAS-Port = 0
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand:  ->
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 1
++[sql] returns fail
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 235 to 127.0.0.1 port 48934
Waking up in 4.9 seconds.
Cleaning up request 3 ID 235 with timestamp +164
Ready to process requests.




- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Monday, October 11, 2010 3:21 PM
Subject: Re: SQL query error; rejecting user



Daniel Sandulescu wrote:


Hello!
I got the following error in the log and do not know where to look.
Can someone help me?


 It means you've edited the default configuration, and broken it.


  modcall[authorize]: module "mschap" returns noop for request 0
radius_xlat:  ''


 i.e. the SQL query is empty.  It shouldn't be empty.

 You're also running 1.1.x.  I *strongly* suggest upgrading to 2.1.10,
which was released last week.

 Alan DeKok.


SQL query error; rejecting user

2010-10-11 Thread Daniel Sandulescu

Hello!
I got the following error in the log and do not know where to look.
Can someone help me?

rad_recv: Access-Request packet from host 127.0.0.1:42096, id=227, length=116
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "phlander"
CHAP-Challenge = 0x153961bc09eaeddf1226af8d60538ee6819b24ede1c1
CHAP-Password = 0xacf1701244e94be1dffe4e11ee08f0caa4
Calling-Station-Id = "00:42:15:11:24:57"
NAS-IP-Address = 10.0.0.1
NAS-Port = 0
rad_lowerpair:  User-Name now 'phlander'
rad_rmspace_pair:  User-Name now 'phlander'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
radius_xlat:  ''
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns fail for request 0
modcall: group authorize returns fail for request 0
There was no response configured: rejecting request 0
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 227 to 127.0.0.1:42096
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 227 with timestamp 4cb2ee7d
Nothing to do.  Sleeping until we see a request.



Re: Clear text password not available

2010-10-09 Thread Daniel Sandulescu

INSERT INTO radcheck ( id , UserName , Attribute , op , Value )
VALUES ( NULL , 'test-user', 'user-password', '==', 'test-pass');
INSERT INTO radreply ( id , UserName , Attribute , op , Value )
VALUES (NULL , 'test-user', 'Framed-IP-Address', '=', '192.168.0.100');
So we created the user.

- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Saturday, October 09, 2010 10:59 AM
Subject: Re: Clear text password not available



Daniel Sandulescu wrote:

Hi !

Login incorrect (rlm_chap: Clear text password not available):
[phlander/]

Does anyone know where to change?


 Tell the server the "correct" password for the user?

 See the FAQ for an example.

 Alan DeKok.


Clear text password not available

2010-10-09 Thread Daniel Sandulescu
Hi !

Login incorrect (rlm_chap: Clear text password not available): 
[phlander/] 

Does anyone know where to change?

Tks!

auth: Failed to validate the user.

2010-10-08 Thread Daniel Sandulescu
Hello!

I got the following error and do not know where the mistake is.

cylon2:/etc/freeradius# radtest test-user test-pass 192.168.1.1 10 danieladmin
Sending Access-Request of id 198 to 192.168.1.1 port 1812
User-Name = "test-user"
User-Password = "test-pass"
NAS-IP-Address = 192.168.1.1
NAS-Port = 10
rad_recv: Access-Reject packet from host 192.168.1.1 port 1812, id=198, 
length=20

---

++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Login incorrect: [test-user/test-pass] (from client cyclon2 port 10)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> test-user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 198 to 192.168.1.1 port 39973
Waking up in 4.9 seconds.
Cleaning up request 0 ID 198 with timestamp +21
Ready to process requests.

Re: radutmp only show one user

2010-10-06 Thread Daniel Soto
d-IP-Netmask = 255.255.255.0 
Finished request 0 
Going to the next request 
--- Walking the entire request list --- 
Waking up in 6 seconds... 
rad_recv: Accounting-Request packet from host 12.12.12.20:21647, id=4, 
length=210 
    Acct-Session-Id = "0C0C0C1405000389" 
    Cisco-AVPair = "client-mac-address=0018.7170.f202" 
    Framed-Protocol = PPP 
    User-Name = "daxocam" 
    Cisco-AVPair = "connect-progress=Call Up" 
    Acct-Authentic = RADIUS 
    Acct-Status-Type = Start 
    NAS-Port-Type = Virtual 
    Cisco-NAS-Port = "0/0/1/130" 
    NAS-Port = 0 
    NAS-Port-Id = "0/0/1/130" 
    Service-Type = Framed-User 
    NAS-IP-Address = 12.12.12.20 
    Event-Timestamp = "Oct  6 2010 08:42:08 CEST" 
    Acct-Delay-Time = 0 
  Processing the preacct section of radiusd.conf 
modcall: entering group preacct for request 1 
  modcall[preacct]: module "preprocess" returns noop for request 1 
rlm_acct_unique: Hashing 'Cisco-AVPair = 
"client-mac-address=0018.7170.f202",NAS-Port = 0,Client-IP-Address = 
12.12.12.20,NAS-IP-Address = 12.12.12.20,Acct-Session-Id = 
"0C0C0C1405000389",User-Name = "daxocam"' 
rlm_acct_unique: Acct-Unique-Session-ID = "a0be1505d293aa2d". 
  modcall[preacct]: module "acct_unique" returns ok for request 1 
    rlm_realm: No '@' in User-Name = "daxocam", looking up realm NULL 
    rlm_realm: No such realm "NULL" 
  modcall[preacct]: module "suffix" returns noop for request 1 
    acct_users: Matched entry DEFAULT at line 7 
  modcall[preacct]: module "files" returns ok for request 1 
modcall: leaving group preacct (returns ok) for request 1 
  Processing the accounting section of radiusd.conf 
modcall: entering group accounting for request 1 
radius_xlat:  '/var/log/radius/radacct/12.12.12.20/detail-20101006' 
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands 
to /var/log/radius/radacct/12.12.12.20/detail-20101006 
  modcall[accounting]: module "detail" returns ok for request 1 
  modcall[accounting]: module "unix" returns ok for request 1 
radius_xlat:  '/var/log/radius/radutmp' 
radius_xlat:  'daxocam' 
  modcall[accounting]: module "radutmp" returns ok for request 1 
rlm_ippool: This is not an Accounting-Stop. Return NOOP. 
  modcall[accounting]: module "dani_pool" returns noop for request 1 
rlm_ippool: This is not an Accounting-Stop. Return NOOP. 
  modcall[accounting]: module "main_pool" returns noop for request 1 
modcall: leaving group accounting (returns ok) for request 1 
Sending Accounting-Response of id 4 to 12.12.12.20 port 21647 
Finished request 1 
Going to the next request 
--- Walking the entire request list --- 
Waking up in 5 seconds... 
--- Walking the entire request list --- 
Cleaning up request 0 ID 3 with timestamp 4cac0a6a 
Waking up in 1 seconds... 
--- Walking the entire request list --- 
Cleaning up request 1 ID 4 with timestamp 4cac0a6b 
Nothing to do.  Sleeping until we see a request. 



--
Daniel Soto
Dep. Comunicaciones U.A.X

radutmp only show one user

2010-10-05 Thread Daniel Soto


hi,

my name is Daniel.

my problem is about Simultaneous-Use. I need to use this attribute, but when I
try to use it, only the last user logged in gets this attribute applied.

I think the problem is radutmp: when I execute the radwho command I can only
see the last user logged in.

It is possibly a problem with the NAS-Port (it is always NAS-Port 0). I also
receive this message

 Error: rlm_radutmp: Logout entry for NAS cisco_pruebas port 0 has wrong ID

when the user that appears in radwho is disconnected.

this is my radiusd -X


Starting - reading configuration files ... 
reread_config:  reading radiusd.conf 
Config:   including file: /etc/raddb/proxy.conf 
Config:   including file: /etc/raddb/clients.conf 
Config:   including file: /etc/raddb/snmp.conf 
Config:   including file: /etc/raddb/eap.conf 
 main: prefix = "/usr" 
 main: localstatedir = "/var" 
 main: logdir = "/var/log/radius" 
 main: libdir = "/usr/lib" 
 main: radacctdir = "/var/log/radius/radacct" 
 main: hostname_lookups = yes 
 main: snmp = yes 
 main: max_request_time = 30 
 main: cleanup_delay = 5 
 main: max_requests = 1024 
 main: delete_blocked_requests = 0 
 main: port = 1812 
 main: allow_core_dumps = no 
 main: log_stripped_names = yes 
 main: log_file = "/var/log/radius/radius.log" 
 main: log_auth = yes 
 main: log_auth_badpass = no 
 main: log_auth_goodpass = no 
 main: pidfile = "/var/run/radiusd/radiusd.pid" 
 main: bind_address = 12.12.12.40 IP address [12.12.12.40] 
 main: user = "(null)" 
 main: group = "(null)" 
 main: usercollide = no 
 main: lower_user = "no" 
 main: lower_pass = "no" 
 main: nospace_user = "no" 
 main: nospace_pass = "no" 
 main: checkrad = "/usr/sbin/checkrad" 
 main: proxy_requests = yes 
 proxy: retry_delay = 5 
 proxy: retry_count = 3 
 proxy: synchronous = no 
 proxy: default_fallback = yes 
 proxy: dead_time = 120 
 proxy: post_proxy_authorize = no 
 proxy: wake_all_if_all_dead = no 
 security: max_attributes = 200 
 security: reject_delay = 1 
 security: status_server = no 
 main: debug_level = 0 
read_config_files:  reading dictionary 
read_config_files:  reading naslist 
Using deprecated naslist file.  Support for this will go away soon. 
read_config_files:  reading clients 
read_config_files:  reading realms 
radiusd:  entering modules setup 
Module: Library search path is /usr/lib 
Module: Loaded exec 
 exec: wait = yes 
 exec: program = "(null)" 
 exec: input_pairs = "request" 
 exec: output_pairs = "(null)" 
 exec: packet_type = "(null)" 
rlm_exec: Wait=yes but no output defined. Did you mean output=none? 
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "clear" 
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes 
 mschap: require_encryption = no 
 mschap: require_strong = no 
 mschap: with_ntdomain_hack = no 
 mschap: passwd = "(null)" 
 mschap: ntlm_auth = "(null)" 
Module: Instantiated mschap (mschap) 
Module: Loaded Pam 
 pam: pam_auth = "radiusd" 
Module: Instantiated pam (pam) 
Module: Loaded System 
 unix: cache = no 
 unix: passwd = "/etc/passwd" 
 unix: shadow = "/etc/shadow" 
 unix: group = "/etc/group" 
 unix: radwtmp = "/var/log/radius/radwtmp" 
 unix: usegroup = no 
 unix: cache_reload = 600 
Module: Instantiated unix (unix) 
Module: Loaded LDAP 
 ldap: server = "10.40.30.80" 
 ldap: port = 389 
 ldap: net_timeout = 1 
 ldap: timeout = 4 
 ldap: timelimit = 3 
 ldap: identity = "" 
 ldap: tls_mode = no 
 ldap: start_tls = no 
 ldap: tls_cacertfile = "(null)" 
 ldap: tls_cacertdir = "(null)" 
 ldap: tls_certfile = "(null)" 
 ldap: tls_keyfile = "(null)" 
 ldap: tls_randfile = "(null)" 
 ldap: tls_require_cert = "allow" 
 ldap: password = "" 
 ldap: basedn = "ou=prf, dc=uax,dc=es" 
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" 
 ldap: base_filter = "(objectclass=radiusprofile)" 
 ldap: default_profile = "(null)" 
 ldap: profile_attribute = "(null)" 
 ldap: password_header = "{clear}" 
 ldap: password_attribute = "userPassword" 
 ldap: access_attr = "(null)" 
 ldap: groupname_attribute = "cn" 
 ldap: groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 
 ldap: groupmembership_attribute = "(null)" 
 ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" 
 ldap: ldap_debug = 0 
 ldap: ldap_connections_number = 5 
 ldap: compare_ch

Re: still not working (newbie for radius)

2010-09-19 Thread Daniel Woodruffe

I think it tells you in your debug what the problem is Gahn:

Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'



--- On Sun, 19/9/10, gahn  wrote:

From: gahn 
Subject: still not working (newbie for radius)
To: freeradius-users@lists.freeradius.org
Date: Sunday, 19 September, 2010, 22:35

Hi all:

I apologize for the emails for such simple issue...:)

it is still not working. I have done all that you guys advised and tried to read
through the documents, but...:(

here is my "client.conf" file:

client  192.168.255.138 {
        secret          = testing123
        nastype         = juniper
}

for my "users" file:

bob     Auth-Type := Local
        User-Password = "bob",
        Juniper-Local-User-Name = "labrat"

I started radius with "radiusd -X" and also started tcpdump process.

here is what I got from FreeRADIUS debugging:

rad_recv: Access-Request packet from host 192.168.255.138 port 54462, id=202, 
length=57
        User-Name = "bob"
        User-Password = "bob"
        NAS-Identifier = "lab-r8"
        NAS-IP-Address = 150.150.0.1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry bob at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No "known good" password was configured for the user.
As a result, we cannot authenticate the user.
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> bob
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 202 to 192.168.255.138 port 54462
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.255.138 port 54462, id=202, 
length=57
Sending duplicate reply to client r8 port 54462 - ID: 202
Sending Access-Reject of id 202 to 192.168.255.138 port 54462
Waking up in 2.9 seconds.
Cleaning up request 0 ID 202 with timestamp +11
rad_recv: Access-Request packet from host 192.168.255.138 port 54462, id=202, 
length=57
        User-Name = "bob"
        User-Password = "bob"
        NAS-Identifier = "lab-r8"
        NAS-IP-Address = 150.150.0.1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry bob at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No "known good" password was configured for the user.
As a result, we cannot authenticate the user.
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> bob
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 202 to 192.168.255.138 port 54462
Waking up in 4.9 seconds.
Cleaning up request 1 ID 202 with timestamp +18
Ready to process requests.

for tcpdump:

17:07:11.998936 IP 192.168.255.138.54462 > 192.168.255.128.radius: RADIUS, 
Access Request (1), id: 0xca length: 57
17:07:14.999487 IP 192.168.255.138.54462 > 192.168.255.128.radius: RADIUS, 
Access Request (1), id: 0xca length: 57


Interestingly, I only saw 'Access Request" came in, but I didn't see Access 
Reject messages.

any help would be greatly appreciated.

gahn


      
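The debug output above shows the two halves of the problem: `[files] users: Matched entry bob` followed by `No "known good" password` and the `Auth-Type = Local` warning. The same mistake appears in the radcheck INSERT in the "Clear text password not available" thread further up, where the password is stored as `user-password ==`. The Python below is an added example, not FreeRADIUS code and not from either poster: it parses `users`-file entries (first line: name plus check items; indented continuation lines: reply items) and radcheck-style rows, reports the deprecated `Auth-Type := Local` and the misplaced or missing known-good password, and emits the corrected entry using `Cleartext-Password :=`. `USERS_SAMPLE` and `RADCHECK_SAMPLE` are constructed to mirror the posts; the function names are this example's own.

```python
"""
Lint FreeRADIUS check items for the two mistakes seen in this thread:
'Auth-Type := Local' (deprecated, and the server warns about it) and a
known-good password that is missing or written as 'User-Password' instead
of 'Cleartext-Password :='.  Added example, not FreeRADIUS code; the sample
entries are constructed to mirror the posts, not taken from a live server.
"""
import re
from typing import Dict, List, Sequence, Tuple

Item = Tuple[str, str, str]          # (attribute, operator, value)

# 'Attr op value' pairs separated by commas; values may be double-quoted.
_ITEM_RE = re.compile(r'\s*([A-Za-z0-9_.-]+)\s*(:=|==|\+=|!=|=)\s*("[^"]*"|[^,]+)')

KNOWN_GOOD = ("Cleartext-Password", "NT-Password", "LM-Password", "Crypt-Password",
              "MD5-Password", "SHA-Password", "SSHA-Password")
_CANON = {n.lower(): n for n in KNOWN_GOOD + ("Auth-Type", "User-Password")}


def _canon(attr: str) -> str:
    """RADIUS attribute names are case-insensitive; normalise the ones tested here."""
    return _CANON.get(attr.lower(), attr)


def _parse_items(text: str) -> List[Item]:
    return [(_canon(a), op, v.strip().strip('"')) for a, op, v in _ITEM_RE.findall(text)]


def parse_users(text: str) -> Dict[str, Dict[str, List[Item]]]:
    """
    Parse 'users'-file entries: the first line carries the name and the check
    items, indented continuation lines carry the reply items.
    """
    entries: Dict[str, Dict[str, List[Item]]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # continuation line: reply items
            if current is not None:
                entries[current]["reply"] += _parse_items(raw)
            continue
        parts = raw.split(None, 1)
        current = parts[0]
        entries[current] = {"check": _parse_items(parts[1]) if len(parts) > 1 else [], "reply": []}
    return entries


def lint_entry(check: Sequence[Item], reply: Sequence[Item] = ()) -> Tuple[List[str], List[Item], List[Item]]:
    """
    Return (findings, corrected check items, corrected reply items).  The
    findings are the conditions behind the rejects in the debug output above.
    """
    findings: List[str] = []
    new_check: List[Item] = []
    new_reply: List[Item] = []
    cleartext = None
    for attr, op, val in check:
        if attr == "Auth-Type" and val.lower() == "local":
            findings.append("'Auth-Type := Local' is deprecated: remove it and let rlm_pap/rlm_chap set Auth-Type")
        elif attr == "User-Password":
            findings.append(f"'User-Password {op}' as a check item is deprecated: use 'Cleartext-Password :='")
            cleartext = val
        else:
            new_check.append((attr, op, val))
    for attr, op, val in reply:
        if attr == "User-Password":
            findings.append("'User-Password' in the reply items is not a known-good password: move it to 'Cleartext-Password :='")
            cleartext = val
        else:
            new_reply.append((attr, op, val))
    if cleartext is not None:
        new_check.insert(0, ("Cleartext-Password", ":=", cleartext))
    if not any(a in KNOWN_GOOD for a, _, _ in new_check):
        findings.append('no "known good" password: rlm_pap returns noop and the request is rejected')
    return findings, new_check, new_reply


def render_entry(name: str, check: Sequence[Item], reply: Sequence[Item]) -> str:
    """Write an entry back out in 'users' syntax."""
    fmt = lambda a, o, v: f'{a} {o} "{v}"'
    lines = [name + "\t" + ", ".join(fmt(*i) for i in check)]
    for idx, item in enumerate(reply):
        lines.append("\t" + fmt(*item) + ("," if idx < len(reply) - 1 else ""))
    return "\n".join(lines)


def lint_users_text(text: str) -> Dict[str, Tuple[List[str], List[Item], List[Item]]]:
    return {n: lint_entry(e["check"], e["reply"]) for n, e in parse_users(text).items()}


def lint_radcheck(rows: Sequence[Tuple[str, str, str, str]]) -> Dict[str, Tuple[List[str], List[Item], List[Item]]]:
    """Same check for SQL radcheck rows given as (UserName, Attribute, op, Value)."""
    by_user: Dict[str, List[Item]] = {}
    for user, attr, op, val in rows:
        by_user.setdefault(user, []).append((_canon(attr), op, val))
    return {u: lint_entry(items) for u, items in by_user.items()}


# Constructed samples mirroring the 'users' entry and the radcheck INSERT in the threads.
USERS_SAMPLE = '''bob     Auth-Type := Local
        User-Password = "bob",
        Juniper-Local-User-Name = "labrat"
'''
RADCHECK_SAMPLE = [("test-user", "user-password", "==", "test-pass")]

if __name__ == "__main__":
    for name, (findings, check, reply) in lint_users_text(USERS_SAMPLE).items():
        print("\n".join(findings))
        print(render_entry(name, check, reply))
```

For the `bob` entry this reports both findings and prints `bob	Cleartext-Password := "bob"` with `Juniper-Local-User-Name = "labrat"` as the only reply item, which is the entry the debug output was asking for.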

Re: nas-port 0

2010-09-08 Thread Daniel Soto






hi,

I hope someone can help me to understand this case.

From a NAS Cisco 1841 I send by PPPoE a request to a FreeRADIUS Version 1.1.3.

The response is always NAS-Port=0

-- 



rad_recv: Accounting-Request packet from host xx:1646, id=114, 
length=168 
    Acct-Session-Id = "0C0C0C140071" 
    Framed-Protocol = PPP 
    Framed-Route = " 255.255.255.0" 
    Framed-IP-Address = x 
    User-Name = "xx" 
    Acct-Session-Time = 177 
    Acct-Input-Octets = 10056 
    Acct-Output-Octets = 9579 
    Acct-Input-Packets = 147 
    Acct-Output-Packets = 125 
    Acct-Authentic = RADIUS 
    Acct-Status-Type = Interim-Update 
    NAS-Port-Type = Virtual 
    NAS-Port = 0 
    NAS-Port-Id = "0/0/1/130" 
    Service-Type = Framed-User 
    NAS-IP-Address = xxx 

    Acct-Delay-Time = 0

when I try it from a Cisco PIX to the same FreeRADIUS, the answer is different

 rad_recv: Access-Request packet from host xxx:1025, id=157, length=123
    User-Name = "xx"
    User-Password = ""
    NAS-IP-Address = 10.x.x.254
    NAS-Port = 157
    NAS-Port-Type = Virtual
    Cisco-AVPair = "ip:source-ip=10.x.x.x"
    Calling-Station-Id = "ip:source-ip=10.x.x.x"

both Cisco, 1841 and PIX, authenticate in the same FreeRADIUS

why?

how can I configure the Cisco 1841 to receive the NAS-Port and
Calling-Station-Id information?

thanks.

Re: Screwy RHEL problem

2010-08-23 Thread Daniel Davidson
Nevermind, selinux was biting me in the rear again.

Dan

On Mon, 2010-08-23 at 15:33 -0500, Daniel Davidson wrote:
> I am migrating our system to freeradius2, I have a test environment that
> works well on my fedora system that I am moving to a new server.
> 
> I can authenticate with the server perfectly if I start the server using
> radiusd -X, however if I then cancel that and run it with the RHEL
> startup script it doesn't work.  I messed with the startup script so that
> it would run with -X, and noticed my problem right away.  If I run the
> radiusd -X from command line it loads the ldap module, when I run the
> script, it doesn't load the ldap module.  I see no reason for this to
> happen, does anyone have any experience with this problem?  If so, what
> is the solution?  I double checked the permissions and they should be
> correct.
> 
> thanks,
> 
> Dan
> 
> 
> [r...@radius modules]# radiusd -X
> FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Dec
> 30 2009 at 13:46:28
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
> PARTICULAR PURPOSE. 
> You may redistribute copies of FreeRADIUS under the terms of the 
> GNU General Public License v2. 
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/modules/
> ...
> including configuration file /etc/raddb/modules/ldap
> ..
> successful auth
> 
> [r...@radius modules]# /etc/init.d/radiusd start
> Starting RADIUS server: FreeRADIUS Version 2.1.7, for host
> x86_64-redhat-linux-gnu, built on Dec 30 2009 at 13:46:28
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
> PARTICULAR PURPOSE. 
> You may redistribute copies of FreeRADIUS under the terms of the 
> GNU General Public License v2. 
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/modules/
> 
> no ldap line
> .
> failed auth




Screwy RHEL problem

2010-08-23 Thread Daniel Davidson
I am migrating our system to freeradius2, I have a test environment that
works well on my fedora system that I am moving to a new server.

I can authenticate with the server perfectly if I start the server using
radiusd -X, however if I then cancel that and run it with the RHEL
startup script it doesn't work.  I messed with the startup script so that
it would run with -X, and noticed my problem right away.  If I run the
radiusd -X from command line it loads the ldap module, when I run the
script, it doesn't load the ldap module.  I see no reason for this to
happen, does anyone have any experience with this problem?  If so, what
is the solution?  I double checked the permissions and they should be
correct.

thanks,

Dan


[r...@radius modules]# radiusd -X
FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Dec
30 2009 at 13:46:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
...
including configuration file /etc/raddb/modules/ldap
..
successful auth

[r...@radius modules]# /etc/init.d/radiusd start
Starting RADIUS server: FreeRADIUS Version 2.1.7, for host
x86_64-redhat-linux-gnu, built on Dec 30 2009 at 13:46:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/

no ldap line
.
failed auth



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes


On 09-07-2010 17:12, Alan DeKok wrote:

> Daniel Gomes wrote:
>> we are currently and successfully using it to
>> authenticate other services).
>
>   Using PAP passwords.
>
>> Actually these applications are probably just binding with the user's
>> credentials, but that's not relevant here.
>
>   That's what I meant.
>
>> Well, it doesn't help me much if you say you know the problem and its
>> solution, but then don't tell me how to fix it.
>
>   OpenLDAP has documentation on how to make it return passwords when an
> LDAP client asks for them.  We don't tend to copy that documentation here.
>
>> And I know I'm not the
>> first one to have these issues, I started from the beginning by saying
>> that I read everything I could find about it on the Internet, tried to
>> fix the problem many times and only then I came here, asking for help.
>> Sorry for wasting your time!... And btw, your aggressive attitude
>> doesn't really help anyone.
>
>   Sorry... but when you ask for help, you shouldn't argue with the
> answers.  Especially when it's clear that you're asking for help because
> you don't know what's going wrong.
>
>   Education can be a painful process.

Mate, I wasn't arguing in the sense of "you're wrong", I was just trying
to understand why you were saying that LDAP wasn't working, when it
clearly looked like it was. After you explained the difference between
PAP and MS-CHAP in the previous email, I could finally understand just
that. So thanks once again for the explanation!

And yeah, I didn't know what was going on, but that was my reason to
come here in the first place!

>> Anyway, after getting it to work with PAP, I followed nf-vale's solution
>> (adding the ntPassword and lmPassword attributes to LDAP) and now it's
>> also working with MS-CHAP. Thanks for the great tip!!
>
>   That's good to hear.
>
>   Alan DeKok.

Thanks for the patience,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

On 09-07-2010 13:59, Alan DeKok wrote:

Daniel Gomes wrote:
   

Well, as I mentioned (a couple of times now), the LDAP server was indeed
returning a password to FreeRADIUS, since radtest was always working
fine.
 

   No, it wasn't returning a password to FreeRADIUS.  Go *read* the debug
output.  It will prove this.

   When using PAP, the LDAP module looks for a password.  If it doesn't
get one, it then tries to do "bind as user".  That is, it hands the
username && password to the LDAP server, and asks "are these OK"?

   When this happens, you're making your LDAP server do user
authentication.  This is wrong.  LDAP is a database.  RADIUS is an
authentication server.
   


Ok, thanks, now I see the difference. I did read the debug output, and 
again, I understood that FreeRADIUS was having problems getting the 
userPassword, I just couldn't understand why. For a layman such as 
myself, if it worked with radtest it followed that it should work with 
MS-CHAP too. With this explanation, now I understand why it didn't.


   

So the problem wasn't in the LDAP server itself, because it does
"return a password when an LDAP client queries it for a password" (as I
also mentioned, we are currently and successfully using it to
authenticate other services).
 

   Using PAP passwords.

   


Actually these applications are probably just binding with the user's 
credentials, but that's not relevant here.



The problem was really related to MS-CHAP,
and now that I changed to PAP, it all seems to be working fine...
 

   Yes.  For the reasons outlined above.

   Your situation *isn't* the first time someone has had this issue.
We're familiar with the problem && solution, where you are clearly not.

   Alan DeKok.
   


Well, it doesn't help me much if you say you know the problem and its 
solution, but then don't tell me how to fix it. And I know I'm not the 
first one to have these issues, I started from the beginning by saying 
that I read everything I could find about it on the Internet, tried to 
fix the problem many times and only then I came here, asking for help. 
Sorry for wasting your time!... And btw, your aggressive attitude 
doesn't really help anyone.


Anyway, after getting it to work with PAP, I followed nf-vale's solution 
(adding the ntPassword and lmPassword attributes to LDAP) and now it's 
also working with MS-CHAP. Thanks for the great tip!!


Cheers,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes
Well, as I mentioned (a couple of times now), the LDAP server was indeed 
returning a password to FreeRADIUS, since radtest was always working 
fine. So the problem wasn't in the LDAP server itself, because it does 
"return a password when an LDAP client queries it for a password" (as I 
also mentioned, we are currently and successfully using it to 
authenticate other services). The problem was really related to MS-CHAP, 
and now that I changed to PAP, it all seems to be working fine...


On 09-07-2010 13:35, Alan DeKok wrote:

Daniel Gomes wrote:


Wrong guess, it's OpenLDAP :)


   Then fix it so that it returns a password to FreeRADIUS.

   It's an LDAP server.  If it doesn't return a password when an LDAP
client queries it for a password, it's broken.

   Alan DeKok.



--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

Wrong guess, it's OpenLDAP :)

On 09-07-2010 13:04, Alan DeKok wrote:

Daniel Gomes wrote:


 From the logs, and as I wrote on my initial cry for help, I could see
that the password wasn't being found, I just couldn't puzzle out why...
And yes, the users do have passwords on LDAP (we are using it to
authenticate many other applications), and as I wrote down, radtest was
working fine, so freeradius was able to authenticate users via LDAP.


   Let me guess: it's Active Directory.

   Active Directory is *not* a real LDAP server.  In order to
authenticate users with MS-CHAP, you will need to install Samba.

   See the Active Directory howto on http://deployingradius.com/

   Alan DeKok.



--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

Hey there,

first of all, thanks for all the tips!

Commenting them, in the order in which they came:

@peter lambrechtsen:

I actually had tried PAP before, but I gave up then because pptpd was 
refusing clients without even consulting the RADIUS server... But I 
noticed (a couple of minutes ago) that I had the client (i.e. Windows) 
configured to try MS-CHAP and not PAP...


@ nf-vale:

nice detailed description on how to fix it, but I ended up using peter's 
solution, as it seemed easier.


@Alan DeKok (inline comments):

On 09-07-2010 11:23, Alan DeKok wrote:

Daniel Gomes wrote:
   

I know this is a question which has been thoroughly asked and answered,
but after spending several days configuring, debugging, searching the
internet, re-configuring, etc, I still can't get my freeradius server
to properly authenticate users (for a pptpd server).
 

   Go read the debug log.  It's not finding the password for the user.
Fix that.

   

So yeah, if you could help me out, I'd appreciate it! All I want is
pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
is not even a requirement for me here, since both services are on the
same machine, so there's not even the need for safe connections. So long
as it works, I really don't care about any particular configuration!
 

   A simple LDAP query for the user is *not* returning a password.
That's the problem.

   Does the user even have a password in LDAP?

   


From the logs, and as I wrote on my initial cry for help, I could see 
that the password wasn't being found, I just couldn't puzzle out why... 
And yes, the users do have passwords on LDAP (we are using it to 
authenticate many other applications), and as I wrote down, radtest was 
working fine, so freeradius was able to authenticate users via LDAP.





   Alan DeKok.
   


Anyway, once again, thanks for all the tips! It seems to be working fine 
with PAP, so I guess I'll go with it!


Cheers,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-08 Thread Daniel Gomes
Dear list,

I know this is a question which has been thoroughly asked and answered,
but after spending several days configuring, debugging, searching the
internet, re-configuring, etc, I still can't get my freeradius server
to properly authenticate users (for a pptpd server).

First of all, on the pptpd server's side (which I know is not your
"jurisdiction", so I'll be brief here), I have the require-mschap-v2 and
require-mppe options enabled.

As for freeradius itself, a summarized sites-enabled/default reads:

authorize {
preprocess

pap

mschap

ldap

auth_log

eap {
ok = return
}

expiration
logintime
}

authenticate {
Auth-Type PAP {
pap
}

Auth-Type MS-CHAP {
mschap
}

Auth-Type LDAP {
ldap
}

eap
}

My modules/ldap contains all the necessary information, and my
modules/mschap has the options use_mppe, require_encryption and
require_strong enabled, like most tutorials state.

As for the results, radtest works fine (querying LDAP etc), but through
pptpd it always fails with this error:



rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
length=151
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "dgomes"
MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
MS-CHAP2-Response =
0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
Calling-Station-Id = "193.136.136.200"
NAS-IP-Address = 193.136.136.40
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[ldap] performing user authorization for dgomes
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt ->
ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
rlm_ldap: bind as
cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
gold.ipfn.ist.utl.pt:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
with filter (cn=dgomes)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
[ldap] user dgomes authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y
%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
expand: %t -> Thu Jul  8 14:08:34 2010
++[auth_log] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> dgomes
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request

--

I know that the error should be enough for me to fix it (since it's
quite explanatory), but after trying many different configurations and
searching through dozens of old mailing lists posts, I still haven't
managed it...

So yeah, if you could help me out, I'd appreciate it! All I want is
pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
is not even a requirement for me here, since both services are on the
same machine, so there's not even the need for safe connections. So long
as it works, I really don't care about any particular configuration!

Thanks in advance,
Daniel Gomes



Re: Problems authenticating with a Cisco ASA 5510

2010-06-15 Thread Daniel Davidson
Doing some more digging, it seems like the wireless clients are being caught
by eap for auth, whereas the ASA is falling through to files, and
eventually system, which doesn't really do anything.

Anyone know how to make authentication go to eap when the ASA
connects, or show me a better workaround?

Dan


On Mon, 2010-06-14 at 15:05 -0500, Daniel Davidson wrote:
> We have had a radius server running for years that we use to
> authenticate our wireless users over wpa.  It works flawlessly and
> connections are authenticated as shown by the log below.
> 
> Mon Jun 14 14:57:40 2010 : Auth: Login OK: [miyagi72/<no User-Password attribute>] (from client 1s port 109133 cli d830.629b.3ae9)
> 
> Above is an exact log entry.  Now we are attempting to authenticate our
> new ASA 5510 with radius for our vpn, authentication with it is failing.
> 
> Mon Jun 14 14:59:07 2010 : Auth: Login incorrect: [danield/password]
> (from client igbvpn port 26)
> 
> In the example log above, I removed my password and replaced with the
> word "password".
> 
> My guess is that the password is being thrown into the wrong field, but
> I have no idea how to resolve the issue.  Can anyone point me in the
> right direction?
> 
> Dan




Problems authenticating with a Cisco ASA 5510

2010-06-14 Thread Daniel Davidson
We have had a radius server running for years that we use to
authenticate our wireless users over wpa.  It works flawlessly and
connections are authenticated as shown by the log below.

Mon Jun 14 14:57:40 2010 : Auth: Login OK: [miyagi72/<no User-Password attribute>] (from client 1s port 109133 cli d830.629b.3ae9)

Above is an exact log entry.  Now we are attempting to authenticate our
new ASA 5510 with radius for our vpn, authentication with it is failing.

Mon Jun 14 14:59:07 2010 : Auth: Login incorrect: [danield/password]
(from client igbvpn port 26)

In the example log above, I removed my password and replaced with the
word "password".

My guess is that the password is being thrown into the wrong field, but
I have no idea how to resolve the issue.  Can anyone point me in the
right direction?

Dan



Re: supplicant winxp+freeradius+ldap

2010-05-03 Thread Daniel Soto


As I have read at 
http://deployingradius.com/documents/protocols/compatibility.html , it isn't 
possible to authenticate users with PEAP (MSCHAPv2) in LDAP. 

When we use EAP to authenticate in LDAP, only EAP-TTLS (PAP) works. 








- Original message - 
From: "Daniel Soto"  
To: "FreeRadius users mailing list"  
Sent: Monday, May 3, 2010 8:56:34 
Subject: Re: supplicant winxp+freeradius+ldap 




sorry, didn't include the log, 




Re: supplicant winxp+freeradius+ldap

2010-05-02 Thread Daniel Soto


sorry, didn't include the log, 



Starting - reading configuration files ... 
reread_config:  reading radiusd.conf 
Config:   including file: /etc/raddb/proxy.conf 
Config:   including file: /etc/raddb/clients.conf 
Config:   including file: /etc/raddb/snmp.conf 
Config:   including file: /etc/raddb/eap.conf 
 main: prefix = "/usr" 
 main: localstatedir = "/var" 
 main: logdir = "/var/log/radius" 
 main: libdir = "/usr/lib64" 
 main: radacctdir = "/var/log/radius/radacct" 
 main: hostname_lookups = no 
 main: snmp = no 
 main: max_request_time = 30 
 main: cleanup_delay = 5 
 main: max_requests = 1024 
 main: delete_blocked_requests = 0 
 main: port = 1645 
 main: allow_core_dumps = no 
 main: log_stripped_names = no 
 main: log_file = "/var/log/radius/radius.log" 
 main: log_auth = yes 
 main: log_auth_badpass = no 
 main: log_auth_goodpass = no 
 main: pidfile = "/var/run/radiusd/radiusd.pid" 
 main: user = "(null)" 
 main: group = "(null)" 
 main: usercollide = no 
 main: lower_user = "no" 
 main: lower_pass = "no" 
 main: nospace_user = "no" 
 main: nospace_pass = "no" 
 main: checkrad = "/usr/sbin/checkrad" 
 main: proxy_requests = yes 
 proxy: retry_delay = 5 
 proxy: retry_count = 3 
 proxy: synchronous = no 
 proxy: default_fallback = yes 
 proxy: dead_time = 120 
 proxy: post_proxy_authorize = no 
 proxy: wake_all_if_all_dead = no 
 security: max_attributes = 200 
 security: reject_delay = 1 
 security: status_server = no 
 main: debug_level = 0 
read_config_files:  reading dictionary 
read_config_files:  reading naslist 
Using deprecated naslist file.  Support for this will go away soon. 
read_config_files:  reading clients 
read_config_files:  reading realms 
radiusd:  entering modules setup 
Module: Library search path is /usr/lib64 
Module: Loaded exec 
 exec: wait = yes 
 exec: program = "(null)" 
 exec: input_pairs = "request" 
 exec: output_pairs = "(null)" 
 exec: packet_type = "(null)" 
rlm_exec: Wait=yes but no output defined. Did you mean output=none? 
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "md5" 
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes 
 mschap: require_encryption = yes 
 mschap: require_strong = yes 
 mschap: with_ntdomain_hack = no 
 mschap: passwd = "(null)" 
 mschap: ntlm_auth = "(null)" 
Module: Instantiated mschap (mschap) 
Module: Loaded Pam 
 pam: pam_auth = "radiusd" 
Module: Instantiated pam (pam) 
Module: Loaded System 
 unix: cache = no 
 unix: passwd = "(null)" 
 unix: shadow = "/etc/shadow" 
 unix: group = "(null)" 
 unix: radwtmp = "/var/log/radius/radwtmp" 
 unix: usegroup = no 
 unix: cache_reload = 600 
Module: Instantiated unix (unix) 
Module: Loaded LDAP 
 ldap: server = "10.40.30.80" 
 ldap: port = 389 
 ldap: net_timeout = 1 
 ldap: timeout = 15 
 ldap: timelimit = 15 
 ldap: identity = "" 
 ldap: tls_mode = no 
 ldap: start_tls = no 
 ldap: tls_cacertfile = "(null)" 
 ldap: tls_cacertdir = "(null)" 
 ldap: tls_certfile = "(null)" 
 ldap: tls_keyfile = "(null)" 
 ldap: tls_randfile = "(null)" 
 ldap: tls_require_cert = "allow" 
 ldap: password = "" 
 ldap: basedn = "ou=prf,dc=uax,dc=es" 
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" 
 ldap: base_filter = "(objectclass=radiusprofile)" 
 ldap: default_profile = "(null)" 
 ldap: profile_attribute = "(null)" 
 ldap: password_header = "{md5}" 
 ldap: password_attribute = "(null)" 
 ldap: access_attr = "(null)" 
 ldap: groupname_attribute = "cn" 
 ldap: groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 
 ldap: groupmembership_attribute = "(null)" 
 ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" 
 ldap: ldap_debug = 0 
 ldap: ldap_connections_number = 5 
 ldap: compare_check_items = no 
 ldap: access_attr_used_for_allow = yes 
 ldap: do_xlat = yes 
 ldap: set_auth_type = yes 
rlm_ldap: Registering ldap_groupcmp for Ldap-Group 
rlm_ldap: Registering ldap_xlat with xlat_name ldap 
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap 
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ 
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ 
rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password 
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type 
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use 
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id 
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id 
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password 
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password 
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT 
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration 
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Add

Re: supplicant winxp+freeradius+ldap

2010-05-02 Thread Daniel Soto


thanks, I'll try. 




- Original message - 
From: "John Dennis"  
To: "FreeRadius users mailing list"  
CC: "Daniel Soto"  
Sent: Friday, April 30, 2010 13:55:36 
Subject: Re: supplicant winxp+freeradius+ldap 

On 04/30/2010 02:50 AM, Daniel Soto wrote: 
> hi. 
> 
> I think this problem is familiar to many people, but I can't 
> find the solution. 
> 
> I'm trying to authenticate Windows users with its own supplicant. When I 
> try to authenticate local users there is no problem; however, the problem is 
> when I try it with OpenLDAP. 
> 
> I received a message. 
> 
> Auth: rlm_ldap: Attribute "User-Password" is required for authentication. 
> Thu Apr 29 16:44:57 2010 : Auth: Login incorrect: [peter] (from client 
> wifi port 6145 cli 00-74-05-A6-91-BD) 
> 
> I have read a lot about this problem but I can't find the solution. 

If your debug output (which you didn't provide) contains this line: 

WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly? 

Then the likely problem is this line is missing from /etc/raddb/ldap.attrmap 

checkItem   Cleartext-Password      userPassword 

Here is what might be going on: 

Many authentication protocols (i.e. mschap) require that a clear text 
password be available to the radius server. Hopefully you have set the 
userPassword attribute for your users in your ldap server and protected 
it with an ACL. rlm_ldap will look up the user in ldap and request the 
attributes defined in /etc/raddb/ldap.attrmap labeled "checkItem" and 
then adds those attributes it found to the request. The attribute 
retrieved from ldap is the 3rd item on the line, the radius attribute 
which is added to the request is the 2nd item on the line. Thus what the 
above does is to add Cleartext-Password as a radius check item to the 
request with the value of the ldap attribute userPassword for the user. 

For reasons I do not understand the above line is missing from the 
default ldap.attrmap and this has tripped numerous people up. 

Alan: Is there a reason why ldap.attrmap omits the clear text password 
retrieval? 

-- 
John Dennis  

Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ 



-- 
Daniel Soto 
Communications Dept., U.A.X 

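As an added illustration, not FreeRADIUS code and not from any poster, here is a Python model of what John Dennis describes above (rlm_ldap turning ldap.attrmap checkItem lines into RADIUS check items) together with what Alan DeKok's earlier PAP-versus-MS-CHAP point implies for rlm_mschap: MS-CHAPv2 needs either an NT-Password check item (nf-vale's ntPassword/lmPassword attributes) or a genuine cleartext password from which one can be derived. The attrmap text, the LDAP entries and the md4 helper are constructed here; the NT-hash derivation (MD4 over the UTF-16LE password) is the standard one.

```python
"""Model of rlm_ldap's attrmap -> check items, and of what rlm_mschap needs.
Added illustration, not FreeRADIUS code; attrmap lines and entries are constructed."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python, since hashlib's md4 is often unavailable."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            if i < 16:                                   # round 1: F, no constant
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:                                 # round 2: G (majority)
                f = (b & c) | (b & d) | (c & d)
                k, s, add = (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:                                        # round 3: H (parity)
                f = b ^ c ^ d
                k, s, add = r3_order[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + f + x[k] + add) & MASK, s), b, c
        state = [(u + v) & MASK for u, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT-Password = MD4 over the UTF-16LE password: what rlm_mschap derives
    from Cleartext-Password when no NT-Password check item exists."""
    return md4(password.encode("utf-16-le")).hex()


def parse_attrmap(text: str):
    """Parse ldap.attrmap lines: <checkItem|replyItem> <RADIUS attr> <LDAP attr>."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            kind, radius_attr, ldap_attr = line.split()
            rows.append((kind, radius_attr, ldap_attr))
    return rows


def check_items(attrmap: str, entry: dict) -> dict:
    """RADIUS check items rlm_ldap would add from one LDAP entry
    (LDAP attribute names compared case-insensitively)."""
    lower = {k.lower(): v for k, v in entry.items()}
    return {radius_attr: lower[ldap_attr.lower()]
            for kind, radius_attr, ldap_attr in parse_attrmap(attrmap)
            if kind == "checkItem" and ldap_attr.lower() in lower}


def mschap_nt_password(items: dict):
    """Return the 32-hex-char NT hash MS-CHAPv2 can be verified against, or
    None: the 'No NT/LM-Password. Cannot perform authentication' case."""
    nt = items.get("NT-Password")
    if nt:
        nt = nt[2:] if nt.lower().startswith("0x") else nt  # optional 0x prefix
        if len(nt) == 32 and all(ch in "0123456789abcdefABCDEF" for ch in nt):
            return nt.lower()
        return None
    clear = items.get("Cleartext-Password")
    if not clear:
        return None
    # A userPassword stored with a hash header ({SSHA}, {MD5}, ...) is usable
    # for PAP but is not cleartext, so no NT hash can be derived from it.
    if clear.startswith("{") and not clear.lower().startswith("{clear}"):
        return None
    return nt_hash(clear.split("}", 1)[1] if clear.startswith("{") else clear)


# Constructed attrmap: the default file lacks the Cleartext-Password line.
DEFAULT_ATTRMAP = """
checkItem   NT-Password         sambaNTPassword
checkItem   LM-Password         sambaLMPassword
replyItem   Expiration          radiusExpiration
"""
FIXED_ATTRMAP = "checkItem   Cleartext-Password  userPassword\n" + DEFAULT_ATTRMAP

# Constructed LDAP entries (not real users).
USER_CLEAR = {"uid": "dgomes", "userPassword": "S3cret!"}
USER_SSHA = {"uid": "peter", "userPassword": "{SSHA}c2FsdHNhbHRzYWx0"}
USER_NT = {"uid": "danield", "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C"}

if __name__ == "__main__":
    for who, entry in (("clear", USER_CLEAR), ("ssha", USER_SSHA), ("nt", USER_NT)):
        for name, amap in (("default", DEFAULT_ATTRMAP), ("fixed", FIXED_ATTRMAP)):
            print(who, name, mschap_nt_password(check_items(amap, entry)))
```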

supplicant winxp+freeradius+ldap

2010-04-30 Thread Daniel Soto


hi. 

I think this problem is familiar to many people, but I can't find the 
solution. 

I'm trying to authenticate Windows users with its own supplicant. When I try 
to authenticate local users there is no problem; however, the problem is when I 
try it with OpenLDAP. 

I received a message. 

Auth: rlm_ldap: Attribute "User-Password" is required for authentication. 
Thu Apr 29 16:44:57 2010 : Auth: Login incorrect: [peter] (from client wifi 
port 6145 cli 00-74-05-A6-91-BD) 

I have read a lot about this problem but I can't find the solution. 

I think that the problem is in mschap. 

I hope you can help me. 

thanks 

Re: how send more parameters?

2009-07-21 Thread Daniel Aparecido Martins Rosa
Use NTRadPing
http://packetlife.net/armory/ntradping/


2009/7/21 Ivan Kalik 

> > need send to check values like calling-station-id ??
> >
> > i use auth into ldap and account into mysql and works.. now need send
> more
> > parameters like calling-stations-id or session-time.. how can i do that
> > like
> > test radclient
>
> man radclient.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>

Re: Store message "Multiple logins" in MySQL.

2009-07-15 Thread Daniel Aparecido Martins Rosa
Thanks Kalik, think about this possibility.

Alan,
I control simultaneous use using SQL, and it works perfectly. Because I need
to provide a Web interface to the Help Desk, to report the reason for which
the user is not connected, and a generic "Access-Reject" message makes no
difference between an "invalid username or password" error during
authentication and a simultaneous-use problem.

The valuable information that I have is restricted to radius.log:
Auth: Multiple logins (max 1) [MPP attempt]: [login @ realm.

If it were possible to write the "Multiple logins" message to the database it
would be perfect, as I suggested to Kalik.
Thank you.

Daniel Aparecido Martins Rosa


2009/7/15 Alan DeKok 

> Daniel Aparecido Martins Rosa wrote:
> > Hi All!
> > I need to register in a database when occurs simultaneous use. Currently
> > I stored by postauth_query through the variable '% (reply:
> > Packet-Type)', but the message is generic, ranging from Access-Reject or
> > Access-Accept.
>
>   Why?  Why not just use the simultaneous use queries && accounting logs
> from the default config?
>
> > When a connection occurs simultaneously,  The freeradius stores the
> > message "Access-Reject"
>
>   Because that's what you configured it to do.  If you don't want it to
> do that, don't configure SQL in the post-auth-type Reject section.
>
>  Alan DeKok.
>

Store message "Multiple logins" in MySQL.

2009-07-14 Thread Daniel Aparecido Martins Rosa
Hi All!
I need to record in a database when simultaneous use occurs. Currently I
store it via postauth_query through the variable '%{reply:Packet-Type}', but
the message is generic, being either Access-Reject or Access-Accept.

When a simultaneous connection occurs, FreeRADIUS stores the message
"Access-Reject".

The problem is that this "Access-Reject" message is the same as when an
invalid user or password error occurs.
Can you tell me whether this can be done by configuring FreeRADIUS, without
changing the source code?

freeRadius 1.1.6 ldap inner and outer identity

2009-05-24 Thread Daniel Daza Muñoz

Hello,

We use freeRadius v 1.1.6 and EAP-TTLS for our WiFi network.
FreeRadius uses LDAP for user authentication. It is querying LDAP
about inner identities and outer identities (anonymous usually).
Is there any way to stop freeRadius from querying LDAP about
outer identities?


Thanks.
--
"In the beginning God created * from the command line"

Daniel Daza Muñoz
Head of Programming.
Communications Area. Computing and Communications
Service. UNIVERSIDAD DE SEVILLA.
Campus de Reina Mercedes. Edificio Rojo. Despacho 3.26
Avenida de Reina Mercedes, s/n 41012 Sevilla ESPAÑA
Geographic location KML: https://jade.us.es/publico/ArCo.kml
Web : http://www.us.es/servicios/sic/
Tel : 95 455 11 97
Fax : 95 455 65 45
Mail: dan...@us.es
PGP key: 
http://pgp.rediris.es:11371/pks/lookup?op=vindex&search=0xF7D11DDD97D2AEF5

Re: need help & advice getting started with freeradius

2009-04-06 Thread daniel knox
I think I agree with you and will compile 1.7 from source. That would likely make
this whole thing much easier, as it seems like you're suggesting. I will try to
make an rpm and send it to the PCLinuxOS repositories as well if possible.
That way other users will be able to get the up-to-date binary. :)

On Mon, Apr 6, 2009 at 5:05 PM, Alan DeKok wrote:

> daniel knox wrote:
> > Basically I had to use radius 1.7 something as it was in the repos.
>
>   Source code *does* exist for newer versions.
>
> >  I have NTPassword in my ldap directory so i could use PEAP, however
> > maybe through miss-configuration by me or the fact that my entry does
> > not have a preceding 0x. Instead it just has 32digits without the
> > preceding two characters could be why this wasnt working. However my
> > ldap field is set to max 32chars long so not sure how to append these
> > two characters and changing alot of entries if i fuzz up will be very
> > bad news.
>
>   Newer versions of the server will work without the 0x.
>
> >  Atm the setup is like this: openldap directory and freeradius 1.7 on
> > same server (xen), freeradius refers to ldap by localhost. Linksys
> > wireless access point in enterprise mix mode which only has an ip for
> > radius server and port options. Linksys point added to client.conf.
> > Iphone for testing.
>
>   Or... http://deployingradius.com/
>
>  There are step-by-step instructions for testing EAP from the command line.
>
>  Alan DeKok.

Re: need help & advice getting started with freeradius

2009-04-06 Thread daniel knox
Okies, long day trying to deploy RADIUS; I think it might be in a working
state though.

Basically I had to use radius 1.7 something as it was in the repos. If
problems persist I'll try and compile a binary up for the distro they are
using (PCLinuxOS). Off topic, I agree with people that a server-oriented OS
such as CentOS would make life far easier more often. Anyway, PCLinuxOS it
is currently. Initially got LDAP up and running and local radtest worked
well with a user from the directory; when I tried getting my iPhone to
connect, problems ensued. Quickly worked out that the iPhone defaults to
sending a PEAP EAP request, which as your documentation states would stop
the LDAP bit as I hadn't touched anything to do with TLS, PEAP etc. at that
point.

 I have NTPassword in my LDAP directory so I could use PEAP; however, maybe
misconfiguration by me, or the fact that my entry does not have a
preceding 0x (instead it just has 32 digits without the preceding two
characters), could be why this wasn't working. However, my LDAP field is set to
max 32 chars long, so I'm not sure how to append these two characters, and changing
a lot of entries if I fuzz up will be very bad news.

 So instead I went with TTLS. This time I started from scratch as I'm convinced
by now the config files were probably messed over, and this time when I set
it up I still find that I can query an LDAP user with radtest locally, which is
good. Haven't tried the wireless point yet as the iPhone requires a profile
sent to it from the iPhone Configurator tool to set TTLS. However, it also
asks for the inner authentication protocol. I've set this to PAP as I'm assuming
that MS-CHAP is going to require NT-Password. Is this likely to work, or do I
have to do something to configure PAP? I realise if I get TTLS up and
running I'm going to have to create some deployment stuff to get it out there,
but I will cross that bridge when it comes to it.

 Will post up if I get any more problems tomorrow when I try the profiled
iPhone. If it doesn't work I'm not sure what would be causing these
problems, so will send my configs and errors tomorrow.

 At the moment the setup is like this: OpenLDAP directory and FreeRADIUS 1.7 on the same
server (Xen); FreeRADIUS refers to LDAP by localhost. Linksys wireless
access point in enterprise mixed mode which only has an IP for the RADIUS server
and port options. Linksys point added to clients.conf. iPhone for testing.

On Sun, Apr 5, 2009 at 10:24 PM, Alexander Clouter wrote:

> daniel knox  wrote:
> >
> > Lol just actually read some stuff on WPA and learnt a bit more about EAP. I
> > realise now that TTLS does not require client certificates like I
> > previously thought, only the server. Apologies for this misunderstanding.
> > Although I do realise now that SecureW2 would be required to give my
> > Windows users the ability to access this. Although this may not be too
> > difficult to distribute to them I would have to look into these possible
> > issues.
> >
> You use server certificates for PEAP too, it's madness not to use a
> server certificate in either case.  If you do not then the clients are
> more than happy to dish out user credentials to anyone who asks.
>
> I prefer TTLS as although PEAP is already built into Mac OS X and
> Windows, neither can be easily autoconfigured with some kind of priming
> script[1].  We use TTLS as it's not braindead[2] and in the case of
> SecureW2 it can be trivially autoconfigured.  If you tie it in with a
> NSIS script then you can do some *really* nice things for wireless
> workstation priming for your Windows userbase.
>
> Cheers
>
> [1] not that I know of anyway, and Mac OS X 10.5 seems to have dropped
>support for wireless profile importing
> [2] well, from my perspective; I'm sure implementors out there might say
>otherwise
>
> --
> Alexander Clouter
> .sigmonster says: Neil Armstrong tripped.
>

Re: need help & advice getting started with freeradius

2009-04-05 Thread daniel knox
Lol just actually read some stuff on WPA and learnt a bit more about EAP. I
realise now that TTLS does not require client certificates like I previously
thought, only the server. Apologies for this misunderstanding. Although I
do realise now that SecureW2 would be required to give my Windows users the
ability to access this. Although this may not be too difficult to distribute
to them I would have to look into these possible issues.

On Sun, Apr 5, 2009 at 9:35 PM, daniel knox  wrote:

> Okie, I've spent some of this weekend looking into this and some of the
> files included in FreeRADIUS (haven't had a chance to play around testing it
> though).
>  Am I right in guessing once I've configured the LDAP group membership
> filter, I include the unlang statement:
>
> if (Ldap-Group == whatever) {
> reject
> }
> as Ivan suggested in my radiusd.conf file in the authorize part?
>
>  Second up, I'm still juggling between what EAP type to use. It seems more
> and more PEAP is going to introduce a level of complexity which I would like
> to avoid. What are the views of this list on what extension will be most
> suitable in this case? As I mentioned previously, I would like to keep admin
> work down as much as possible in terms of certificates, due to currently many
> of our users having to constantly come to ICT for help configuring their
> wireless. Hence the ideal of them just needing to use their username and
> password, to firstly make it considerably easier for a user to get onto the
> wireless and to secondly increase the security of our wireless network. Also,
> is the use of a different EAP type going to cause difficulty in terms of
> client compatibility? I.e. is a user with his poor Windows laptop going to
> have to install something extra just to communicate with the wireless, or
> should it just be as simple as: user sees wireless network, chooses it, it
> prompts for username and password and off he goes. Do I have to use an EAP
> type or can I get away with not having one / is this very ill advised?
>  Basically, if you were in my position how would you go about it, is
> probably what I'm asking for, lol. I admit wireless security is something I
> have not gone very deep into before.
>
>  Many thanks again.
>
> On Sun, Apr 5, 2009 at 8:45 PM, Alexander Clouter wrote:
>
>> t...@kalik.net wrote:
>> >
>> >>In my scenario I would like to use PEAP if possible but not require the
>> >>user client to have a certificate, just the radius-server (which is why I
>> >>believe the TTLS solution will be inefficient here as I would have to deal
>> >>with handing out client certificates to hundreds of users). And to be asked
>> >>then for their username and password to authenticate onto our wireless. Would
>> >>combining these two guides work to get these two initial setups up and running?
>> >>
>> >
>> TTLS is *not* an admin hassle, TLS is (client side certificates).  TTLS
>> means you put a verifiable server certificate on the *server* end that
>> the client can verify and know who it is talking to, then you can safely
>> even send the password in plain text.
>>
>> > PEAP will require passwords stored as clear text or nt hash. If your
>> > passwords are stored as something else they will have to be changed.
>> >
>> ...or...you use EAP-TTLS and get the client to send the passwords in
>> plaintext and then do an LDAP bind() to check if the credentials are
>> correct.
>>
>> Once you are doing this you can one day get around to (if you want to)
>> putting in plaintext passwords into your LDAP database that FreeRADIUS
>> can use and abuse.
>>
>> > As for combining freeradius and ldap prehaps you should read
>> > freeradius documentation first (wiki or doc/rlm_ldap from the
>> > download) and then see is there any need to bother wiyh third party
>> > stuff.
>> >
>> Well PEAP without AD means you have to jump through a lot of hoops
>> manually configuring each client by hand.  With something like SecureW2
>> you include a 'seeding' file and it will do all the hard manual priming.
>>
>> This is all overlooking that PEAP is horrible as if you want to play
>> with OTP's or other fun custom things, good luck doing that with PEAP.
>>
>> Cheers
>>
>> --
>> Alexander Clouter
>> .sigmonster says: Marriage causes dating problems.
>>

Re: need help & advice getting started with freeradius

2009-04-05 Thread daniel knox
Okie, I've spent some of this weekend looking into this and some of the
files included in FreeRADIUS (haven't had a chance to play around testing it
though).
 Am I right in guessing once I've configured the LDAP group membership
filter, I include the unlang statement:

if (Ldap-Group == whatever) {
reject
}
as Ivan suggested in my radiusd.conf file in the authorize part?

 Second up, I'm still juggling between what EAP type to use. It seems more
and more PEAP is going to introduce a level of complexity which I would like
to avoid. What are the views of this list on what extension will be most
suitable in this case? As I mentioned previously, I would like to keep admin
work down as much as possible in terms of certificates, due to currently many
of our users having to constantly come to ICT for help configuring their
wireless. Hence the ideal of them just needing to use their username and
password, to firstly make it considerably easier for a user to get onto the
wireless and to secondly increase the security of our wireless network. Also,
is the use of a different EAP type going to cause difficulty in terms of
client compatibility? I.e. is a user with his poor Windows laptop going to
have to install something extra just to communicate with the wireless, or
should it just be as simple as: user sees wireless network, chooses it, it
prompts for username and password and off he goes. Do I have to use an EAP
type or can I get away with not having one / is this very ill advised?
 Basically, if you were in my position how would you go about it, is probably
what I'm asking for, lol. I admit wireless security is something I have not
gone very deep into before.

 Many thanks again.

On Sun, Apr 5, 2009 at 8:45 PM, Alexander Clouter wrote:

> t...@kalik.net wrote:
> >
> >>In my scenario I would like to use PEAP if possible but not require the
> >>user client to have a certificate, just the radius-server (which is why I
> >>believe the TTLS solution will be inefficient here as I would have to deal
> >>with handing out client certificates to hundreds of users). And to be asked
> >>then for their username and password to authenticate onto our wireless. Would
> >>combining these two guides work to get these two initial setups up and running?
> >>
> >
> TTLS is *not* an admin hassle, TLS is (client side certificates).  TTLS
> means you put a verifiable server certificate on the *server* end that
> the client can verify and know who it is talking to, then you can safely
> even send the password in plain text.
>
> > PEAP will require passwords stored as clear text or nt hash. If your
> > passwords are stored as something else they will have to be changed.
> >
> ...or...you use EAP-TTLS and get the client to send the passwords in
> plaintext and then do an LDAP bind() to check if the credentials are
> correct.
>
> Once you are doing this you can one day get around to (if you want to)
> putting in plaintext passwords into your LDAP database that FreeRADIUS
> can use and abuse.
>
> > As for combining freeradius and ldap prehaps you should read
> > freeradius documentation first (wiki or doc/rlm_ldap from the
> > download) and then see is there any need to bother wiyh third party
> > stuff.
> >
> Well PEAP without AD means you have to jump through a lot of hoops
> manually configuring each client by hand.  With something like SecureW2
> you include a 'seeding' file and it will do all the hard manual priming.
>
> This is all overlooking that PEAP is horrible as if you want to play
> with OTP's or other fun custom things, good luck doing that with PEAP.
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Marriage causes dating problems.
>
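The TTLS/PAP-over-LDAP-bind arrangement Alexander describes, together with the Ldap-Group reject asked about above, as an added configuration example that is not taken from any post in this thread. It assumes FreeRADIUS 2.x with the stock eap.conf and inner-tunnel virtual server, an rlm_ldap instance named ldap, and the placeholder group name wifi-denied.

```unlang
# eap.conf (excerpt): EAP-TTLS with inner requests handled by the
# inner-tunnel virtual server.  Only a server certificate is needed;
# the client verifies it and then sends PAP inside the TLS tunnel.
eap {
    default_eap_type = ttls
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}

# sites-enabled/inner-tunnel (excerpt): the PAP password arrives in clear
# text inside the tunnel, so the credentials can be checked by binding to
# LDAP as the user, with no readable password attribute required.
server inner-tunnel {
    authorize {
        # Look the user up first; rlm_ldap records the user's DN so that a
        # later Ldap-Group comparison can run groupmembership_filter.
        ldap

        # Placeholder group name: members are refused the wireless while
        # their LDAP account stays usable for everything else.
        if (Ldap-Group == "wifi-denied") {
            reject
        }

        # No "known good" password was fetched from the directory, so fall
        # back to authenticating by an LDAP bind with the tunneled password.
        if (!control:Auth-Type && User-Password) {
            update control {
                Auth-Type := LDAP
            }
        }
    }

    authenticate {
        Auth-Type LDAP {
            ldap
        }
        pap
    }
}
```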

need help & advice getting started with freeradius

2009-04-04 Thread daniel knox
Hello everyone, this is my first time getting started with freeradius.

 I implement ICT at a local school and I would like to improve our wireless
from a WPA pre-shared key to a RADIUS-based system. We have an OpenLDAP
server already with all our users and groups and use them to authenticate them
into our clients. I would like to extend this username and password
requirement to our wireless systems rather than having to give out our
wireless key. Our wireless users have a variety of Windows, OSX and Linux
machines.
 Free-radius therefore seems to be the ideal solution to this.

First up, I have read this guide:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
to get me started on the idea of LDAP and RADIUS.

Next up, I've read this guide:
http://ubuntuforums.org/archive/index.php/t-478804.html which works on the
idea of PEAP.

In my scenario I would like to use PEAP if possible but not require the user
client to have a certificate, just the radius-server (which is why I believe
the TTLS solution will be inefficient here as I would have to deal with
handing out client certificates to hundreds of users). And to be asked then for
their username and password to authenticate onto our wireless. Would combining
these two guides work to get these two initial setups up and running?

Second up, how can I then extend this system so that I can ban specific users
and groups from the wireless system? Obviously I could remove them from LDAP,
but I would like to have the flexibility to prevent a user using
the wireless but still be able to log onto one of our terminals. I
believe in your FAQ article the section "How do I deny access to a specific
user, or group of users?" would do this definitely for the user, if I make
sure I add the user specifically before it goes onto the LDAP auth. However,
how can I get it to deny access to LDAP groups from this?

Any help / guides online which you think will help me get pointed in the
right direction would be super.

Many Thanks.

Re: Problem with only some users. Monowall - Freeradius

2009-02-03 Thread Daniel Bojczuk
Sorry, I didn't understand.

I executed freeradius in debug mode, then I used the radtest command.

The message is almost the same, but the proxy (@dialup.usp.br - another
radius server in another city) returns OK.

Why does it return OK when using radtest and return Reject when using Monowall?

Thanks, sorry about my English.

Daniel

2009/2/3 SDamron 

Looks like some kind of problem with your database.  It clears when
> you auth against the radtest, but when you try to use a user in the
> database, it fails.
>
> On Tue, Feb 3, 2009 at 6:45 PM, Daniel Bojczuk  wrote:
> > Hi!!
> >
> > I have a Monowall athorizing and accounting on a Freeradius 2.1.1
> >
> > When I execute:
> >   radtest nbati...@dialup.usp.br *** 123.123.123.123 0 's3mf!o/'
> > I get the folowing answer:
> >Sending Access-Request of id 177 to 123.123.123.123 port 1812
> >User-Name = "nbati...@dialup.usp.br"
> >User-Password = "nat6672"
> >NAS-IP-Address = 123.123.123.123
> >NAS-Port = 0
> >rad_recv: Access-Accept packet from host 123.123.123.123 port 1812,
> > id=177, length=68
> >Framed-IP-Address = 255.255.255.254
> >Framed-MTU = 1500
> >Service-Type = Framed-User
> >Framed-Protocol = PPP
> >Framed-Compression = Van-Jacobson-TCP-IP
> >Session-Timeout = 86400
> >Framed-IP-Netmask = 255.255.255.0
> >Idle-Timeout = 3600
> >
> > Everything works fine. But when I try to login using Monowall login page
> on
> > debug mode I have this:
> >
> >
> ___
> >
> > rad_recv: Access-Request packet from host 124.124.124.124 port 63026,
> > id=166, length=150
> > NAS-IP-Address = 124.124.124.124
> > NAS-Identifier = "gwrp.semfio.usp.br"
> > User-Name = "nbati...@dialup.usp.br"
> > User-Password = "***"
> > Service-Type = Login-User
> > NAS-Port-Type = Ethernet
> > NAS-Port = 83
> > Framed-IP-Address = 125.125.125.125
> > Called-Station-Id = "00:11:2f:75:81:7c"
> > Calling-Station-Id = "00:1b:77:b5:34:9d"
> > +- entering group authorize {...}
> > ++[preprocess] returns ok
> > [auth_log]  expand:
> > /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> ->
> > /usr/local/var/log/radius/radacct/143.107.192.54/auth-detail-20090203
> > [auth_log]
> > /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> > expands to
> > /usr/local/var/log/radius/radacct/143.107.192.54/auth-detail-20090203
> > [auth_log]  expand: %t -> Tue Feb  3 17:30:54 2009
> > ++[auth_log] returns ok
> > [suffix] Looking up realm "dialup.usp.br" for User-Name =
> > "nbati...@dialup.usp.br"
> > [suffix] Found realm "dialup.usp.br"
> > [suffix] Adding Realm = "dialup.usp.br"
> > [suffix] Proxying request from user nbatista to realm dialup.usp.br
> > [suffix] Preparing to proxy authentication request to realm "
> dialup.usp.br"
> > ++[suffix] returns updated
> > [sql]   expand: %{User-Name} -> nbati...@dialup.usp.br
> > [sql] sql_set_user escaped user --> 'nbati...@dialup.usp.br'
> > rlm_sql (sql): Reserving sql socket id: 6
> > [sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM radcheck
> > WHERE Username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, UserName,
> > Attribute, Value, Op   FROM radcheck   WHERE Username =
> > 'nbati...@dialup.usp.br'   ORDER BY id
> > rlm_sql_postgresql: Status: PGRES_TUPLES_OK
> > rlm_sql_postgresql: query affected rows = 0 , fields = 5
> > [sql]   expand: SELECT GroupName FROM radusergroup WHERE
> > UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
> > radusergroup WHERE UserName='nbati...@dialup.usp.br' ORDER BY priority
> > rlm_sql_postgresql: Status: PGRES_TUPLES_OK
> > rlm_sql_postgresql: query affected rows = 0 , fields = 1
> > rlm_sql (sql): Released sql socket id: 6
> > [sql] User nbati...@dialup.usp.br not found
> > ++[sql] returns notfound
> > ++[pap] returns noop
> > Sending Access-Request of id 239 to 126.126.126.126 port 1812
> > NAS-IP-Address = 124.124.124.124
> > NAS-Identifier = "gwrp.semfio.usp.br"
> > User-Name = "nbat

Problem with only some users. Monowall - Freeradius

2009-02-03 Thread Daniel Bojczuk
i 00:1b:77:b5:34:9d)
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
requested action.
Sending Access-Reject of id 166 to 123.123.123.123 port 63026
Reply-Message = "\r\nYou are already logged in 2 times  - access
denied\r\n\n"
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.


I understood that there are 2 sessions opened. Am I correct? If I am, how can
I close these sessions?
And why does radtest work?


Thanks!

Sorry about my English.

Daniel Bojczuk

radiusd crash after startup

2008-11-07 Thread Daniel Kaminski

Hi list,

I have problems with a self-compiled freeradius-2.11 on Solaris 10 (SPARC
V240).
FreeRADIUS works perfectly in debugging mode (radius -X), also with my
config and my MySQL DB.

But when I start radiusd without -X it starts and crashes directly.
Here is a snippet of the radius.log:

Fri Nov  7 17:17:59 2008 : Info: rlm_sql (sql): Driver rlm_sql_mysql 
(module rlm_sql_mysql) loaded and linked
Fri Nov  7 17:17:59 2008 : Info: rlm_sql (sql): Attempting to connect to 
[EMAIL PROTECTED]:3306/radius
Fri Nov  7 17:17:59 2008 : Info: rlm_sql_mysql: Starting connect to 
MySQL server for #0
Fri Nov  7 17:17:59 2008 : Info: rlm_sql_mysql: Starting connect to 
MySQL server for #1
Fri Nov  7 17:17:59 2008 : Info: rlm_sql_mysql: Starting connect to 
MySQL server for #2
Fri Nov  7 17:17:59 2008 : Info: rlm_sql_mysql: Starting connect to 
MySQL server for #3
Fri Nov  7 17:17:59 2008 : Info: rlm_sql_mysql: Starting connect to 
MySQL server for #4


No error entry or anything else.

Can anyone help me?

Thanks, Daniel


RE: Dynamic VLANs based on AD group membership

2008-07-08 Thread Daniel Baumann
Follow-up question (sorry, I'm new to this): I'm currently authenticating
users with FreeRadius against an AD database (PEAP-MS-CHAPv2). Would I
still have to use the ldap module to get a user's AD group membership?

Thanks, 
Daniel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ivan Kalik
Sent: Tuesday, July 08, 2008 03:34 PM
To: FreeRadius users mailing list
Subject: Re: Dynamic VLANs based on AD group membership

>How do I configure FreeRADIUS to "read" the AD group membership
>attribute, 

See the group membership section in the ldap module configuration.

>and how do I then pass the matching VLAN-ID back to the
>switch?

Your switch documentation should tell you that. You normally use
Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes.

Ivan Kalik
Kalik Informatika ISP

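An added example, not from any post in this thread, of the three attributes Ivan names: a FreeRADIUS 2.x unlang post-auth block that maps rlm_ldap group membership to a VLAN for the switch. It assumes an ldap module instance configured against the AD with groupmembership_filter set and groupname_attribute = cn, and, because the users authenticate with PEAP, that the block lives in the inner-tunnel server with use_tunneled_reply = yes in eap.conf; the group names and VLAN IDs are placeholders.

```unlang
# sites-enabled/inner-tunnel, post-auth section.  Tunnel-Private-Group-Id
# carries the VLAN ID; Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802
# tell an 802.1X switch how to interpret it.  Group names and VLAN numbers
# below are placeholders for this example.
post-auth {
    if (Ldap-Group == "Staff-WiFi") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (Ldap-Group == "Students-WiFi") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # Member of no mapped group: send Access-Reject rather than let the
        # switch fall back to its port default VLAN for an authenticated user.
        reject
    }
}
```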


Dynamic VLANs based on AD group membership

2008-07-08 Thread Daniel Baumann
Does anyone have a FreeRADIUS server handing out dynamic VLANs based on
group membership in AD to a HP 2800 series switch that's configured for
802.1X? 
How do I configure FreeRADIUS to "read" the AD group membership
attribute, and how do I then pass the matching VLAN-ID back to the
switch? 

Daniel



Logs in radacct

2008-06-03 Thread Daniel Davidson
For some reason my accounting information isn't being written at all, even
though I cannot find a difference in the config file with another radius
server I am running.  I have included what I believe to be the
appropriate parts of radiusd -x below.  Seems like the
%{Client-IP-Address} directories are not created, but I don't know why.
I am using radius 1.1.5-1.

thanks,

Dan

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib64"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
...(skipping stuff).
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)

Detail Portion:

detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d:%H
detailperm = 0600
}



Help with FreeRadius + Switch + Mac Based Auth - question

2008-06-03 Thread Daniel Machado Grilo
Hi,

I'm hoping that you can help me,
because I've been trying this for a long time.

I'm testing an SMC6248M switch to check if RADIUS support
is fine, so I configured a freeradius server on a Fedora 8 box.

I've made some tests adding clients to clients.conf and making
requests via radtest to ensure that the radius is well configured,

ex:

[EMAIL PROTECTED] ~]# radtest 003084-87faf2 * 192.168.1.13 1812 oincoinc
Sending Access-Request of id 116 to 192.168.1.13 port 1812
User-Name = "003084-87faf2"
User-Password = "*"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
Re-sending Access-Request of id 116 to 192.168.1.13 port 1812
User-Name = "003084-87faf2"
User-Password = "omGtkKyB"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Reject packet from host 192.168.1.13:1812, id=116, length=20
rad_verify: Received Access-Reject packet from client 192.168.1.13 port
1812 with invalid signature (err=2)!  (Shared secret is incorrect.)


If I change the switch configuration to Auth by Local,RADIUS
and then try to access the administration interface with a
password that I only have in the RADIUS config I get:

Username: dmgrilo
Password:

  CLI session with the Tiger Stack 10/100 is opened.
  To end the CLI session, enter [Exit].


logs show:
rad_recv: Access-Request packet from host 192.168.1.251:1815, id=204,
length=55
User-Name = "dmgrilo"
User-Password = "12345"
NAS-IP-Address = 192.168.1.251
NAS-Identifier = ""
Sending Access-Accept of id 204 to 192.168.1.251 port 1815


which is ok.

But now I have a computer on ethernet 1/35 that I want to
auth via RADIUS, so I changed the port to "dot1x port-control auto"
and made the interface re-auth; I lose connection to that machine
and the switch claims that it is not authenticated.

So, my question is, in the users file for FreeRadius I have
the MAC address for the machine and password:
# Green
000244-09a361 Auth-Type := Local, User-Password == ""
        Tunnel-Medium-Type  = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-ID = 1

So why doesn't the switch ask the RADIUS server for access?
(nothing appears in the logs)

I don't want to have supplicants installed on the client, because
I want to connect phones too, but I guess with auth via MAC address
it wouldn't need supplicants, right?

One important thing is that when I check "show dot1x" on
the switch it doesn't determine the supplicant MAC address...
I guess it should, right?

802.1X is enabled on port 1/35
 reauth-enabled: Enable
 reauth-period:  3600
 quiet-period:   60
 tx-period:  30
 supplicant-timeout:   30
 server-timeout: 10
 reauth-max: 2
 max-req:2
Status  Unauthorized
Operation mode  Single-Host
Max count   5
Port-controlAuto
Supplicant  00-00-00-00-00-00
Current Identifier  1

Authenticator State Machine
State   Connecting
Reauth Count2

Backend State Machine
State   Idle
Request Count   0
Identifier(Server)  0

Reauthentication State Machine
State   Initialize

So my real (summarised) question:
Do I need to have supplicants even though I want to authenticate
with the MAC address, or could it be that this switch doesn't
support this, and the normal behaviour should be that the switch
asks RADIUS for access, presenting the machine credentials (MAC address)!?

Thanks in advance.
Daniel


Re: ldap group membership required

2008-01-09 Thread Daniel Durgin
Thank you for the quick reply.  I beat my head against it again, and 
again.  Then noticed the clients file.  I got it working.


Alan DeKok wrote:

Daniel Durgin wrote:

I have searched the archives and Google, and there seems to be lots of
confusion on the subject: requiring membership in an LDAP group to
authenticate.


  No.

  Authentication involves checking credentials.  Authorization involves
*additional* and *independent* filter rules specifying when and where
people can authenticate.

  If you think of checking group membership as authentication, it means
that your conceptual model of how the system works is wrong.  Hence
designs of any solution will be wrong, and confusion will be multiplied.


I can't seem to get it to work.  Notice the misspelling of the member:

dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
cn: min_radius_wifi
objectClass: groupOfNames
objectClass: top
member: cn=tes guest,ou=Guests,dc=fu,dc=bar


The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to
login.


  So... read the debug output to see why.  This is mentioned in so many
places that there is NO excuse for not doing it.

  I also fail to understand why people look at the *configuration* to
see how the server is *running*.  It's like driving a car while looking
only at a map, and not at the road in front of you.  If all goes well,
it might work.  But as soon as a pedestrian steps in front of your car,
you fail to see him, and *boom*, bad things happen.


FreeRadius Version: freeradius-1.0.1


  Why?  That version is *years* old.


It comes with CentOS 5, or one of them Yum Repos.  I just needed a 
radius server to gateway for my LDAP server.



  Alan DeKok



Thank you for the lesson I learned a lot.

-Dan


ldap group membership required

2008-01-08 Thread Daniel Durgin

Hello,

I have searched the archives and Google, and there seems to be lots of
confusion on the subject: requiring membership in an LDAP group to
authenticate.


I can't seem to get it to work.  Notice the misspelling of the member:

dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
cn: min_radius_wifi
objectClass: groupOfNames
objectClass: top
member: cn=tes guest,ou=Guests,dc=fu,dc=bar


The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to login.

FreeRadius Version: freeradius-1.0.1

ldap {
server = "localhost"
identity = "uid=authman,dc=fu,dc=bar"
password = XXX
basedn = "dc=fu,dc=bar"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=person)"

# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
#`  access_attr = "uid"

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5

password_attribute = userPassword
groupname_attribute = cn

groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"


groupmembership_attribute = 
"cn=radius_wifi,ou=Group,dc=fu,dc=bar"

timeout = 4
timelimit = 3
net_timeout = 1
#compare_check_items = yes
# do_xlat = yes
#   access_attr_used_for_allow = no
}

Thank you for the help,
Dan
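The authentication-versus-authorization split Alan describes in his reply, as an added Python model that is neither FreeRADIUS code nor the poster's: it parses the group entry posted above (plus an assumed user entry with uid testguest and password s3cret, which are not from the thread), then applies the posted groupmembership_filter semantics as a separate step after the password check, so the misspelled member DN leaves the real user unauthorized even with a correct password.

```python
import hmac
# Constructed directory: the misspelled group from the thread plus an assumed user entry.
LDIF = """
dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
cn: min_radius_wifi
objectClass: groupOfNames
objectClass: top
member: cn=tes guest,ou=Guests,dc=fu,dc=bar

dn: cn=test guest,ou=Guests,dc=fu,dc=bar
objectClass: person
uid: testguest
userPassword: s3cret
"""
WIFI_GROUP = "cn=radius_wifi,ou=Groups,dc=fu,dc=bar"


def parse_ldif(text):
    """Parse plain 'attr: value' LDIF blocks into dicts of lower-cased attr -> [values]."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def norm_dn(dn):
    """Crude DN normalisation: lower-case, no whitespace around commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def authenticate(directory, uid, password):
    """Credential check ((uid=...) lookup + password compare); returns user DN or None."""
    for e in directory:
        if uid in e.get("uid", []):
            stored = e.get("userpassword", [""])[0]
            return e["dn"][0] if hmac.compare_digest(stored, password) else None
    return None


def authorize(directory, user_dn, group_dn):
    """Independent group check with the posted groupmembership_filter semantics."""
    want = norm_dn(user_dn)
    for e in directory:
        if norm_dn(e["dn"][0]) != norm_dn(group_dn):
            continue
        classes = {c.lower() for c in e.get("objectclass", [])}
        members = e.get("member", []) if "groupofnames" in classes else []
        members += e.get("uniquemember", []) if "groupofuniquenames" in classes else []
        return any(norm_dn(m) == want for m in members)
    return False


def access_request(uid, password, group_dn=WIFI_GROUP):
    """Accept only when both steps pass; a correct password alone is not enough."""
    directory = parse_ldif(LDIF)
    user_dn = authenticate(directory, uid, password)
    if user_dn is None:
        return "Access-Reject (authentication failed)"
    return "Access-Accept" if authorize(directory, user_dn, group_dn) else "Access-Reject (not in group)"
```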


Using the attribute expiration with sql module

2007-08-10 Thread Daniel Bojczuk
Hi,

I need to use the attribute Expiration in the SQL tables. It is working
fine this way:

+----------+---------------+----+-------------+----+
| username |   attribute   | op |    value    | id |
+----------+---------------+----+-------------+----+
| daniel   | User-Password | == | daniel      | 1  |
| daniel   | Expiration    | == | 08 Aug 2007 | 2  |
+----------+---------------+----+-------------+----+

But I want to put the attribute Expiration on the same line as the
attribute User-Password.
Is that possible? How can I do it?

Thanks

-- 
Daniel Bojczuk




Re: Using two tables (postgreSql) to validate users

2007-07-02 Thread Daniel Bojczuk
Let me see if I understood.

Should I stop using rlm_sql and start using rlm_perl with my own
authentication script (using the freeradius variables and functions, I
read something about it)??

Thanks

Daniel

2007/7/2, Krzysztof Olędzki <[EMAIL PROTECTED]>:
On 2007-06-30 17:24, Daniel Bojczuk wrote:
> Hi again...
>
> I have a doubt: Is it possible to use two tables to check the users? I
> need to do something like this... Freeradius checks if the user is valid
> in table 1; if it returns true the user is validated, but if the
> return is false, freeradius checks table 2, trying to validate the
> user once again.
>
> Is it possible?

Yes, for example with rlm_perl.

Best regards,

   Krzysztof Oledzki




Using two tables (postgreSql) to validate users

2007-06-30 Thread Daniel Bojczuk
Hi again...

I have a doubt: Is it possible to use two tables to check the users? I
need to do something like this... Freeradius checks if the user is valid
in table 1; if it returns true the user is validated, but if the
return is false, freeradius checks table 2, trying to validate the
user once again.

Is it possible?

Thanks,

Daniel



Re: Problems using freeradius+postgresql

2007-06-30 Thread Daniel Bojczuk
Yes!!! You're right
Freeradius doesn't have permission to select the tables. Now it's working
fine.

Thanks

Daniel


2007/6/29, Pshem Kowalczyk <[EMAIL PROTECTED]>:
Hi,

You haven't pasted the whole log, but judging from the following lines:
Postgresql check_error: PGRES_FATAL_ERROR, returning
SQL_DOWN

I suspect that freeradius can't talk to the database. Have a look at
the beginning of the debug messages, you should be able to see the
lines referring to the db connection.
It's possible that even though the connection is fine freeradius
doesn't have rights to select from the tables.

regards
pshem






Problems using freeradius+postgresql

2007-06-29 Thread Daniel Bojczuk
Hi,
I'm using Freeradius 1.1.6 with PostgreSQL 8.1.

When I try to do #radtest joao senhasecreta 127.0.0.1:1812 0 testing123

The radiusd (in debug mode) returns:

#rad_recv: Access-Request packet from host 127.0.0.1:32779, id=220, length=56
#User-Name = "joao"
#User-Password = "senhasecreta"
#NAS-IP-Address = 255.255.255.255
#NAS-Port = 0
#  Processing the authorize section of radiusd.conf
#modcall: entering group authorize for request 0
#  modcall[authorize]: module "preprocess" returns ok for request 0
#rlm_realm: No '@' in User-Name = "joao", looking up realm NULL
#   rlm_realm: No such realm "NULL"
#  modcall[authorize]: module "suffix" returns noop for request 0
#radius_xlat:  'joao'
#rlm_sql (sql): sql_set_user escaped user --> 'joao'
#radius_xlat:  'SELECT id, UserName, Attribute, Value, Op ??FROM radcheck
??WHERE Username = 'joao' ??ORDER BY id'
#rlm_sql (sql): Reserving sql socket id: 4
#rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
??FROM radcheck ??WHERE Username = 'joao' ? ORDER BY id
#rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
#rlm_sql_postgresql: affected rows =
#rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning
SQL_DOWN
#rlm_sql (sql): Attempting to connect rlm_sql_postgresql #4
#rlm_sql (sql): Connected new DB handle, #4
#rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
??FROM radcheck ??WHERE Username = 'joao' ??ORDER BY id
#rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
#rlm_sql_postgresql: affected rows =
#rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning
SQL_DOWN
#rlm_sql (sql): failed after re-connect
#rlm_sql_getvpdata: database query error
#rlm_sql (sql): SQL query error; rejecting user
#rlm_sql (sql): Released sql socket id: 4
#  modcall[authorize]: module "sql" returns fail for request 0
#modcall: leaving group authorize (returns fail) for request 0
#Finished request 0

When I saw the "??" in the queries I changed the query in postgresql.conf,
putting all of the query on the same line (deleting the "/")... but it doesn't
work.

I'm new to using freeradius, I don't know what I can do.

Thank you..

Daniel Bojczuk




Re: server crashes with eap/tls after crl update

2007-04-20 Thread Fiederling, Daniel
Hi,

it's possible that the radiusd crashes on the next authentication - I only 
noticed that it runs for a few seconds up to some minutes and then crashes with 
a seg fault. But I am wondering why I don't see any incoming requests when running 
"radiusd -X" before the seg fault. That would imply that radiusd crashes before 
it writes the first debug message.

bye
Daniel




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of inverse
Sent: Friday, 20 April 2007 10:36
To: FreeRadius users mailing list
Subject: Re: server crashes with eap/tls after crl update

On 4/20/07, Fiederling, Daniel <[EMAIL PROTECTED]> wrote:

> Hello,
>
> this week I updated to freeradius 1.1.6. We use eap/tls with a crl from a
> Microsoft CA, which is downloaded and converted by a shell script every hour
> or has to be updated manually. If it changes, I have to reload the server
> config, right? Since the update the server crashes with a seg fault about a
> minute after the config reload - but only if the crl changed. For now I
> changed the reload (SIGHUP) to a complete restart as a work around. Before
> we used freeradius 1.1.4.

my test setup is: freeradius 1.1.6 compiled against openssl 0.9.8e.
the system is RedHat EL4 with the latest updates and kernel
2.6.9-22.ELsmp
EAP-TLS is implemented and works fine, so does the CRL.
My problem is as follows: the HUP works but radiusd segfaults at the
first authentication after the HUP.
Now I'm in the process of performance and stability testing. if this
version shows the same outstanding level of performance shown by the
bleeding edge I'll keep it, otherwise I'll consider taking the risk of
CVS.




server crashes with eap/tls after crl update

2007-04-19 Thread Fiederling, Daniel
Hello,

this week I updated to freeradius 1.1.6. We use eap/tls with a crl from
a Microsoft CA, which is downloaded and converted by a shell script
every hour or has to be updated manually. If it changes, I have to
reload the server config, right? Since the update the server crashes
with a seg fault about a minute after the config reload - but only if
the crl changed. For now I changed the reload (SIGHUP) to a complete
restart as a work around. Before we used freeradius 1.1.4.

--- debug info ---
# ./radiusd -X
...
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
Reloading configuration files.
reread_config:  reading radiusd.conf
Config:   including file: /opt/freeradius/etc/raddb/proxy.conf
Config:   including file: /opt/freeradius/etc/raddb/clients.conf
Config:   including file: /opt/freeradius/etc/raddb/snmp.conf
Config:   including file: /opt/freeradius/etc/raddb/eap.conf
Config:   including file: /opt/freeradius/etc/raddb/sql.conf
 main: prefix = "/opt/freeradius"
 main: localstatedir = "/opt/freeradius/var"
 main: logdir = "/opt/freeradius/var/log/radius"
 main: libdir = "/opt/freeradius/lib"
 main: radacctdir = "/opt/freeradius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/opt/freeradius/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/opt/freeradius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/opt/freeradius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
Thu Apr 19 19:07:23 2007 : Info: rlm_exec: Wait=yes but no output
defined. Did you mean output=none?
Thu Apr 19 19:07:23 2007 : Error: radiusd.conf[1683] Auth-Type PAP
already configured - skipping
Thu Apr 19 19:07:23 2007 : Error: radiusd.conf[1692] Auth-Type CHAP
already configured - skipping
Thu Apr 19 19:07:23 2007 : Error: radiusd.conf[1698] Auth-Type MS-CHAP
already configured - skipping
Thu Apr 19 19:07:23 2007 : Info: radiusd.conf Auth-Type System already
configured - skipping
Thu Apr 19 19:07:23 2007 : Info: rlm_eap_tls: Loading the certificate
file as a chain
Thu Apr 19 19:07:24 2007 : Info: radiusd.conf Auth-Type eap already
configured - skipping
Thu Apr 19 19:07:24 2007 : Info: rlm_sql (sql): Driver rlm_sql_mysql
(module rlm_sql_mysql) loaded and linked
Thu Apr 19 19:07:24 2007 : Info: rlm_sql (sql): Attempting to connect to
XXXremovedXXX
Thu Apr 19 19:07:24 2007 : Info: rlm_sql_mysql: Starting connect to
MySQL server for #0
Thu Apr 19 19:07:24 2007 : Info: rlm_sql_mysql: Starting connect to
MySQL server for #1
Thu Apr 19 19:07:24 2007 : Info: rlm_sql_mysql: Starting connect to
MySQL server for #2
Thu Apr 19 19:07:24 2007 : Info: rlm_sql_mysql: Starting connect to
MySQL server for #3
Thu Apr 19 19:07:24 2007 : Info: rlm_sql_mysql: Starting connect to
MySQL server for #4
Thu Apr 19 19:07:24 2007 : Info: Ready to process requests.

Segmentation fault
--- debug info ---

Does anyone have the same problem?

Thanks!

bye
Daniel


Re: PAM Radius Authentication

2007-04-19 Thread daniel

Ok, I have some more questions.

> 
>   It sounds like a database might be a better choice.  pam_ldap, in
> conjunction with nss_ldap should solve the problem.
> 

If I use LDAP to authenticate with PAM, and freeradius authenticates against 
LDAP as well, am I able to still store session details with LDAP?

I am trying to integrate my current hotspot database with my terminals so that 
users can authenticate on either using the same username and password. It is a 
ticket based system and they have a limited amount of time; this works fine on 
both systems with freeradius (mysql backend) but it is a pain to continually 
have to add users to /etc/passwd. This can all be administered through a set of 
PHP scripts.

Thanks,

Daniel Davis



Re: PAM Radius Authentication

2007-04-18 Thread daniel

Ok, I have gotten pam_radius_auth.so to work and it is working well, however, 
is there any way to get it to create a UID when it receives an auth accept? 
At the moment I have to run adduser every time I want a user to be able to log 
in, this would be ok if the users were fairly static, I could run a script 
every night to add new users to the system, unfortunately I have a lot of users 
and they need to be available immediately.

Thanks for all your help so far.

-Daniel Davis



Re: PAM Radius Authentication

2007-04-17 Thread daniel

Has anyone had any luck compiling pam_radius_auth on ubuntu?

On Mon, 16 Apr 2007 15:13:49 +0200, Alan DeKok <[EMAIL PROTECTED]> wrote:
> daniel wrote:
>> I am trying to set up unix authentication using radius.
>> Does the pam module support the maximum session times?
> 
>   No, because PAM has no provisions for enforcing maximum session times.

This is ok, I can write a script that runs every minute that just logs the user 
off based on the results of an sql query of the radius database.
Does the pam module support accounting packets (i.e. send an accounting packet to 
radius when a user logs on)?

> 
>   The setrlimit function call can enforce CPU time restrictions, but
> that is *not* clock time.
> 
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog



Re: PAM Radius Authentication

2007-04-16 Thread daniel

Alan,

I am trying to set up unix authentication using radius. Does the pam module 
support the maximum session times? I am trying to set up a system where linux 
users authenticate against my existing radius hotspot system and they are 
forced to log out when their session expires.

Regards,

Daniel Davis

On Mon, 16 Apr 2007 11:15:59 +0200, Alan DeKok <[EMAIL PROTECTED]> wrote:
> daniel wrote:
>> Apr 15 22:03:51 bill sshd[7861]: PAM unable to
>> dlopen(/lib/security/pam_radius_auth.so)
>> Apr 15 22:03:51 bill sshd[7861]: PAM [dlerror:
>> /lib/security/pam_radius_auth.so: undefined symbol:
> __stack_chk_fail_local]
> 
>   You've built the module with stack overflow checking turned on, and
> haven't linked it (or SSH) to the necessary library.
> 
>   How to fix this depends on your local system.
> 
>> Apr 15 22:03:51 bill sshd[7861]: PAM adding faulty module:
>> /lib/security/pam_radius_auth.so
>>
>> I am running pam_radius_auth 1.3.16 and freeradius 1.1.6 on Ubuntu 6.10
>>
>> The pam_radius_auth module seems to be quite old, does anyone know if it
>> still works?
> 
>   A new release should be out shortly.
> 
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


