user-name on EAP-TTLS authentication

2005-06-16 Thread David ROUMANET

Hello,

is there a way to log the real user-name to the MySQL database when using 
EAP-TTLS authentication (instead of the anonymous user-name)?
The file radius.log contains it but I don't know if there is a 
radius-attribute for this.


Thanks to all,
David

begin:vcard
fn:David ROUMANET
n:ROUMANET;David
org:CICG
adr;quoted-printable;quoted-printable;dom:;;351 avenue de la 
Biblioth=C3=A8que;Saint-Martin d'H=C3=A8res;;38
email;internet:[EMAIL PROTECTED]
title;quoted-printable:Ing=C3=A9nieur R=C3=A9seau
tel;work:+33 (0)4 76 51 46 08
x-mozilla-html:TRUE
url:http://www.grenet.fr
version:2.1
end:vcard

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: make install error in Solaris 8, freeradius-1.0.3

2005-06-06 Thread David ROUMANET

I'm in the same case too on Redhat 9 with i386 host.
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
--
gmake[6]: Leaving directory 
`/root/install_temp/freeradius-1.0.3/src/modules/rlm_checkval'
gmake[5]: Leaving directory 
`/root/install_temp/freeradius-1.0.3/src/modules'
gmake[4]: Leaving directory 
`/root/install_temp/freeradius-1.0.3/src/modules'

Making install in main...
gmake[4]: Entering directory `/root/install_temp/freeradius-1.0.3/src/main'
/root/install_temp/freeradius-1.0.3/libtool --mode=install 
/root/install_temp/freeradius-1.0.3/install-sh -c -m 755 -s radiusd 
/usr/local/sbin
/root/install_temp/freeradius-1.0.3/install-sh -c -m 755 -s 
.libs/radiusd /usr/local/sbin/radiusd
/root/install_temp/freeradius-1.0.3/install-sh -c -m 755 -s radwho 
/usr/local/bin

strip: /usr/local/bin/#inst.13402#: Format de fichier non reconnu
gmake[4]: *** [install] Erreur 1
gmake[4]: Leaving directory `/root/install_temp/freeradius-1.0.3/src/main'
gmake[3]: *** [common] Erreur 2
gmake[3]: Leaving directory `/root/install_temp/freeradius-1.0.3/src'
gmake[2]: *** [install] Erreur 2
gmake[2]: Leaving directory `/root/install_temp/freeradius-1.0.3/src'
gmake[1]: *** [common] Erreur 2
gmake[1]: Leaving directory `/root/install_temp/freeradius-1.0.3'
make: *** [install] Erreur 2


Nuno Pais Fernandes wrote:


Hello

Same thing here with Whitebox 3.


gmake[5]: Leaving directory 
`/usr/src/redhat/BUILD/freeradius-1.0.3/src/modules'
gmake[4]: Leaving directory 
`/usr/src/redhat/BUILD/freeradius-1.0.3/src/modules'

Making install in main...
gmake[4]: Entering directory `/usr/src/redhat/BUILD/freeradius-1.0.3/src/main'
/usr/src/redhat/BUILD/freeradius-1.0.3/libtool 
--mode=install /usr/src/redhat/BUILD/freeradius-1.0.3/install-sh -c -m 755 -s 
radiusd   /var/tmp/freeradius-1.0.3-2-buildroot/usr/sbin
libtool: install: warning: 
`/usr/src/redhat/BUILD/freeradius-1.0.3/src/lib/libradius.la' has not been 
installed in `/usr/lib'
/usr/src/redhat/BUILD/freeradius-1.0.3/install-sh -c -m 755 
-s .libs/radiusd /var/tmp/freeradius-1.0.3-2-buildroot/usr/sbin/radiusd
/usr/src/redhat/BUILD/freeradius-1.0.3/install-sh -c -m 755 -s 
radwho   /var/tmp/freeradius-1.0.3-2-buildroot/usr/bin
strip: /var/tmp/freeradius-1.0.3-2-buildroot/usr/bin/#inst.18757#: File format 
not recognized

gmake[4]: *** [install] Error 1
gmake[4]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.0.3/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.0.3/src'



Nuno Fernandes

On Monday 06 June 2005 07:45, lei chen wrote:
 


After make, when running make install, I get the following
error.
freeradius-1.0.3, Solaris 8, binutils-2.11.2
How do I deal with it?
--
make[6]: Leaving directory
`/export/home/cl/inst/freeradius-1.0.3/src/modules/rl
m_checkval'
make[5]: Leaving directory
`/export/home/cl/inst/freeradius-1.0.3/src/modules'
make[4]: Leaving directory
`/export/home/cl/inst/freeradius-1.0.3/src/modules'
Making install in main...
make[4]: Entering directory
`/export/home/cl/inst/freeradius-1.0.3/src/main'
/export/home/cl/inst/freeradius-1.0.3/libtool
--mode=install /export/home/cl/ins
t/freeradius-1.0.3/install-sh -c -m 755 -s radiusd
/export/home/cl/fr/sbin
/export/home/cl/inst/freeradius-1.0.3/install-sh -c -m
755 -s .libs/radiusd /exp
ort/home/cl/fr/sbin/radiusd
BFD: /export/home/cl/fr/sbin/stSAaqfc: warning:
allocated section `.interp' not
in segment
/export/home/cl/inst/freeradius-1.0.3/install-sh -c -m
755 -s radwho/export/
home/cl/fr/bin
strip: /export/home/cl/fr/bin/#inst.1071#: File format
not recognized
make[4]: *** [install] Error 1
make[4]: Leaving directory
`/export/home/cl/inst/freeradius-1.0.3/src/main'
make[3]: *** [common] Error 2
make[3]: Leaving directory
`/export/home/cl/inst/freeradius-1.0.3/src'
make[2]: *** [install] Error 2
make[2]: Leaving directory
`/export/home/cl/inst/freeradius-1.0.3/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory
`/export/home/cl/inst/freeradius-1.0.3'
make: *** [install] Error 2






TLS in place of TTLS : help for debugging

2005-06-01 Thread David ROUMANET

Hi everybody,

as frequently here, another EAP-TTLS problem ;)
I use WinXP + SecureW2 + Cisco AP1100 + freeRADIUS 1.0.1  1.0.2
freeradius sees a TLS packet but it's EAP-TTLS (with PAP) so authentication 
doesn't work. Of course eap is set in radiusd.conf (authentication and 
authorization section)


My eap.conf is here :
   eap {
   default_eap_type = ttls
   timer_expire = 60
   ignore_unknown_eap_types = no
   cisco_accounting_username_bug = no

   # Supported EAP-types
   md5 {
   }
   # EAP-TLS
   tls {
   #   default_eap_type = ttls
   private_key_password = astronomie
   private_key_file = 
${raddbdir}/certs/vega.maquette.grenet.fr.pem
   certificate_file = 
${raddbdir}/certs/vega.maquette.grenet.fr.pem

   CA_file = ${raddbdir}/certs/root.pem
   dh_file = ${raddbdir}/certs/dh
   random_file = ${raddbdir}/certs/random
   fragment_size = 1024
   include_length = yes
   #   check_crl = yes
   #   check_cert_cn = %{User-Name}
   }
   ttls {
   default_eap_type = md5
   copy_request_to_tunnel = yes
   use_tunneled_reply = yes
   }
   #peap {
   #  default_eap_type = mschapv2
   #}
   #mschapv2 {
   #}
   }


When I launch radiusd -X, this is what it says :
...
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /etc/raddb/certs/vega.maquette.grenet.fr.pem
tls: certificate_file = /etc/raddb/certs/vega.maquette.grenet.fr.pem
tls: CA_file = /etc/raddb/certs/root.pem
tls: private_key_password = astronomie
tls: dh_file = /etc/raddb/certs/dh
tls: random_file = /etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = md5
ttls: copy_request_to_tunnel = yes
ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap)
...

When I try to authenticate, the output is below...
rad_recv: Access-Request packet from host 10.1.1.2:21672, id=106, length=132
   User-Name = david
   Framed-MTU = 1400
   Called-Station-Id = 000e.8440.bbb0
   Calling-Station-Id = 000d.54aa.a39c
   Service-Type = Login-User
   Message-Authenticator = 0x150c704b98ad730ead5764e4be788835
   EAP-Message = 0x0202000a016461766964
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 7080
   NAS-IP-Address = 10.1.1.2
   NAS-Identifier = ap-maquette
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
 modcall[authorize]: module preprocess returns ok for request 2
 modcall[authorize]: module chap returns noop for request 2
 modcall[authorize]: module mschap returns noop for request 2
   rlm_realm: No '@' in User-Name = david, looking up realm NULL
   rlm_realm: Found realm NULL
   rlm_realm: Adding Stripped-User-Name = david
   rlm_realm: Proxying request from user david to realm NULL
   rlm_realm: Adding Realm = NULL
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 2
 rlm_eap: EAP packet type response id 2 length 10
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 2
   users: Matched david at 19
 modcall[authorize]: module files returns ok for request 2
modcall: group authorize returns updated for request 2
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
 rlm_eap: EAP Identity
 rlm_eap: processing type tls   = why ? it should be TTLS !!!

 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module eap returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 106 to 10.1.1.2:21672
   Service-Type = Framed-User
   Framed-MTU = 1500
   Tunnel-Type:0 := VLAN
   Tunnel-Medium-Type:0 := IEEE-802
   Tunnel-Private-Group-Id:0 := 402
   EAP-Message = 0x010300061520
   Message-Authenticator = 0x
   State = 0xdcb2b96e379c8bc2dcb4b5b405a23cab
Finished request 2
Going to the next request
--- Walking 

Re: help for using eap and TTLS

2005-06-01 Thread David ROUMANET
I was having the same message (rlm_eap_tls: Requiring client certificate) 
because there was a mistake in eap.conf.
Look at the default_eap_type = ttls line under eap { or tls { (not sure 
about the right place because I have a similar problem to yours now)


   eap {
   default_eap_type = ttls
   timer_expire = 60
   ignore_unknown_eap_types = no
   cisco_accounting_username_bug = no

   # Supported EAP-types
   md5 {
   }
   # EAP-TLS
   tls {
   #   default_eap_type = ttls
   private_key_password = astronomie

EAP-TTLS has two phases: one to establish the tunnel (the server sends its 
certificate), a second to authenticate the client (it sends the encrypted 
username/password)


Hope this helps you (otherwise, contact me directly in French at david.roumanet $ 
grenet.fr)

David

Maurice.Bourguel wrote:


Hello all,
I'm using freeradius-1.0.2 with a Cisco AccessPoint ap1100; I'm
using eap/ttls to authenticate users. 
I try to connect with XP clients or Mac OS X clients; all go wrong.
When using a Mac OS X client and 802.1X setup (TTLS authentication alone 
with PAP as the TTLS inner authentication) the Mac OS X client obtains the two
certificates: authoritative and server. But it is not connecting. It loops
on the authentication process.

Here is the trace from /usr/local/sbin/radiusd -X -A:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
 rlm_eap: EAP Identity
 rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module eap returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 127 to 139.124.3.235:21661
   Framed-MTU = 576
   Service-Type = Framed-User
   EAP-Message = 0x010300060d20
   Message-Authenticator = 0x
   State = 0x37a760f21d2a0b8d0fdd492ccd5e7d17
Finished request 2
Going to the next request
--- Walking the entire request list ---

What do these lines mean?
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 2

How should I fix this?
Any help will be appreciated.

I have configured freeradius and openssl using these articles:
http://www.alphacore.net/spip/article.php3?id_article=45
http://www.alphacore.net/spip/article.php3?id_article=33
http://rbirri.9online.fr/howto/Freeradius_+_TTLS.html


Regards,
Maurice
***
* e-mail : [EMAIL PROTECTED]  *
--
* Maurice Bourguel   +*
* CIRM - MENRT-CNRS-SMF  +*
* case 916, 163 Avenue de Luminy + tel (33) 04 91 83 30 23*
* 13288 Marseille Cedex 9+ fax (33) 04 91 83 30 05*
***
*http://www.cirm.univ-mrs.fr  *
***


Re: Troubleshoot EAP-TTLS : I can't understand why it's not working.

2005-05-16 Thread David ROUMANET
do you want my real IP addresses, passwords and direct access to my 
networks?   ;)
I know that, it's just for security... however, thank you for having 
taken some time to respond to me :)
(sorry if my English is bad, it's not my best quality)...

David
[EMAIL PROTECTED] wrote:
NAS-IP-Address = 10.256.256.256
   

256 has never been a valid octet in an IP address.  Use a real IP address
and I suspect that your results will be much better.
Mark Capelle

Troubleshoot EAP-TTLS : I can't understand why it's not working.

2005-05-13 Thread David ROUMANET
 password is XXX, so the user is assigned to vlan402
david   Auth-Type := local, User-Password == XX
   Service-Type = Framed-User,
   Framed-MTU = 1500,
   Tunnel-Type := VLAN,
   Tunnel-Medium-Type := IEEE-802,
   Tunnel-Private-Group-Id := 402
#

===
I could give other files if necessary (I don't want to write too long a mail)...
Thanks for any help,
David ROUMANET
I've a small

Re: accounting EAP

2005-04-04 Thread David ROUMANET
Accounting should be enabled first on the AP!
Here is an example on a Cisco Aironet 1100:
...
aaa new-model
aaa group server radius rad_eap
server 192.168.1.11 auth-port 1812 acct-port 1813
...
Then, check radiusd.conf on your RADIUS server:
...
prefix = /usr/local/freeradius
localstatedir = ${prefix}/var
logdir = ${localstatedir}/log/radius
radacctdir = ${logdir}/radacct
...
There, you should see your logs for each NAS!
In my case: /usr/local/freeradius/var/log/radius/radacct/ :)
Below, an extract from my accounting log:
...
Thu Mar 31 15:06:55 2005
   Acct-Session-Id = 0149
   Called-Station-Id = 00-0E-84-40-B4-AA
   Calling-Station-Id = 00-0D-54-AA-A4-1C
   Cisco-AVPair = ssid=AP-EAP
   Cisco-AVPair = nas-location=unspecified
   Cisco-AVPair = vlan-id=20
   Cisco-AVPair = auth-algo-type=eap-ttls
   Acct-Authentic = RADIUS
   Cisco-AVPair = connect-progress=Call Up
...
Hope that helps you...

Jacques VUVANT wrote:
Hi all
can someone tell me how to activate accounting on freeradius for EAP?

Thanks
jacques

Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

2005-03-10 Thread David ROUMANET
Try this :
Tunnel-Type := VLAN,
Tunnel-Medium-Type := IEEE-802,
Tunnel-Private-Group-Id := 13,
It works on my FreeRADIUS.
Horschtel wrote:
Hi, my situation is that freeradius gives the switch wrong attribute parameters.
The users config file says:

Username  Auth-Type == EAP, User-Password == xxx
   Framed-Type = Framed,
   Tunnel-Medium-Type:1 = 6,
   Tunnel-Type:1 = 13,
   Tunnel-Private-Group-ID:1 = 13
.
in freeradius debugging I can see:
..
Sending Acces-Accept of id 59 to xxx.xxx.xxx.xxx:1812
   Tunnel-Medium-Type:1 =  IEEE-802
   Tunnel-Type:1 = VLAN
   Tunnel-Private-Group-Id = 13

and that's the problem. I think the Tunnel-Private-Group-Id is no longer an
integer.
The Switch Radius Debug
04:57:06: Attribute 65 6 0106  
04:57:06: Attribute 64 6 010D
04:57:06: Attribute 81 5 0131334F

Attributes 65 and 64 are OK but Attribute 81 is the problem.



--
CICG http://www.grenet.fr/David ROUMANET
Tel : 04 76 51 46 08
*C*entre *I*nterUniversitaire de *C*alcul *G*renoblois
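Reading the switch debug in this thread requires knowing how RFC 2868 lays out tagged tunnel attributes: Tunnel-Type (64) and Tunnel-Medium-Type (65) carry a one-byte tag followed by a three-byte integer, while Tunnel-Private-Group-ID (81) is a tagged string, so VLAN 13 goes on the wire as the ASCII digits "13". The switch's "Attribute 81 5 ..." line is exactly that: length 5, and the first three payload bytes shown, 01 31 33, are tag 1 followed by "13". The Python below is an added example, not FreeRADIUS code and not from anyone in this thread: it encodes the three reply attributes the users entries on this page produce and parses them back, including the untagged form. The attribute numbers and the value codes VLAN = 13 and IEEE-802 = 6 come from RFC 2868.

```python
"""Encode and decode RFC 2868 tagged tunnel attributes (added example, not FreeRADIUS code)."""
import struct

TUNNEL_TYPE = 64              # tagged integer
TUNNEL_MEDIUM_TYPE = 65       # tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81  # tagged string

VLAN = 13        # Tunnel-Type value "VLAN" (RFC 2868)
IEEE_802 = 6     # Tunnel-Medium-Type value "IEEE-802"


def _check_tag(tag):
    # RFC 2868: a tag is 0x01..0x1F; 0x00 means "untagged"
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0..31")


def encode_tagged_int(attr_type, tag, value):
    """Type, Length = 6, one tag byte, then a 24-bit big-endian value."""
    _check_tag(tag)
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("tagged integer values are only 3 bytes wide")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Type, Length, one tag byte, then the string bytes (no NUL, no padding)."""
    _check_tag(tag)
    data = text.encode("ascii")
    length = 3 + len(data)
    if length > 255:
        raise ValueError("attribute too long for a one-byte Length field")
    return struct.pack("!BBB", attr_type, length, tag) + data


def vlan_reply_attributes(vlan_id, tag=1):
    """The three reply attributes a dynamic-VLAN users entry produces, as wire bytes."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_attributes(buf):
    """Walk a RADIUS attribute list; return (type, tag, value) triples."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        payload = buf[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(payload) != 4:
                raise ValueError(f"attribute {atype} must carry exactly 4 bytes")
            tag, value = payload[0], int.from_bytes(payload[1:], "big")
            if tag > 0x1F:   # RFC 2868: a first byte above 0x1F is part of the value, not a tag
                tag, value = 0, int.from_bytes(payload, "big")
            out.append((atype, tag, value))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if payload and payload[0] <= 0x1F:
                tag, text = payload[0], payload[1:].decode("ascii")
            else:            # untagged: the whole payload is the group name
                tag, text = 0, payload.decode("ascii")
            out.append((atype, tag, text))
        else:
            out.append((atype, None, bytes(payload)))
        i += alen
    return out


if __name__ == "__main__":
    wire = vlan_reply_attributes(13)
    print(wire.hex())
    print(decode_attributes(wire))
```

The decoder validates every Length byte before slicing, which is the check a RADIUS client must make before trusting a reply from the network; an attribute whose length runs past the packet is rejected rather than read out of bounds.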


Re: DHCP and FreeRADIUS accounting

2005-02-21 Thread David ROUMANET
Thanks for the script and the link... I will work with these tomorrow!
Rok Papez wrote:
Hello David.
On Wednesday, 16 February 2005 10:23, David ROUMANET wrote:
 

in a wireless network (EAP/TTLS), there is no way to use FreeRADIUS for 
dynamic IP assignment, so I use dhcpd. Unfortunately, I'm not able to 
have accounting with IP address == user.
I will write a script to scan the dhcpd log and the RADIUS accounting log but 
before that I want to be sure nobody has already done this... I don't want 
to re-invent the wheel  ;)
   

I'm attaching the script.
- The script tails the DHCP log file and updates the client records with the
assigned IP numbers. (freeradius is configured to log to MySQL DB)
- Old unclosed records are checked at the AP via SNMP (we use Cisco AP12xx)
to be valid. If not, they are closed.
You might be interested also in the freeradius, mysql and dhcp configurations.
They are available at http://www.arnes.si/dostop/wlan. Unfortunately the pages
are not open yet to the public :-( and I'll provide you with a username/password
via a private e-mail.
If anyone else is interested in access please contact me privately.
 


DHCP and FreeRADIUS accounting

2005-02-16 Thread David ROUMANET
Hello,
in a wireless network (EAP/TTLS), there is no way to use FreeRADIUS for 
dynamic IP assignment, so I use dhcpd. Unfortunately, I'm not able to 
have accounting with IP address == user.
I will write a script to scan the dhcpd log and the RADIUS accounting log but 
before that I want to be sure nobody has already done this... I don't want 
to re-invent the wheel  ;)

Could anybody help me? Thanks a lot,
David
-
David ROUMANET   Tel : 04 76 51 46 08
Centre Interuniversitaire de Calcul Grenoblois   Fax : 04 76 42 11 71
-
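Both the accounting thread above (the radacct detail extract) and this DHCP question come down to joining two logs on the client MAC address: the RADIUS Calling-Station-Id and the MAC in dhcpd's DHCPACK lines. The Python below is an added example, not Rok Papez's script and not part of FreeRADIUS. It parses a detail file in the layout of the accounting extract and a few dhcpd syslog lines, normalises the three MAC spellings that appear on this page (Cisco dotted, dashed upper-case, colon-separated lower-case) and reports which user held which IP. The log lines and detail records are constructed for the example; the user names, session ids and 10.7.3.x addresses are made up.

```python
"""Join a dhcpd syslog with a FreeRADIUS detail file on the client MAC (added example)."""
import re

# Constructed dhcpd syslog lines (not from the thread); dhcpd logs MACs in colon form
DHCP_LOG = """\
Mar 31 15:06:57 dhcp dhcpd: DHCPACK on 10.7.3.130 to 00:0d:54:aa:a4:1c via eth0
Mar 31 15:07:10 dhcp dhcpd: DHCPACK on 10.7.3.131 to 00:0e:84:11:22:33 (laptop) via eth0
Mar 31 15:07:30 dhcp dhcpd: DHCPREQUEST for 10.7.3.130 from 00:0d:54:aa:a4:1c via eth0
"""

# Constructed detail records in the layout of the radacct extract; names and ids are made up
DETAIL = """\
Thu Mar 31 15:06:55 2005
    Acct-Status-Type = Start
    Acct-Session-Id = "0149"
    User-Name = "david"
    Calling-Station-Id = "00-0D-54-AA-A4-1C"
    Called-Station-Id = "00-0E-84-40-B4-AA"
    Cisco-AVPair = "ssid=AP-EAP"
    Cisco-AVPair = "auth-algo-type=eap-ttls"

Thu Mar 31 15:07:08 2005
    Acct-Status-Type = Start
    Acct-Session-Id = "0150"
    User-Name = "guest1"
    Calling-Station-Id = "000e.8411.2233"

Thu Mar 31 15:07:20 2005
    Acct-Status-Type = Start
    Acct-Session-Id = "0151"
    User-Name = "nolease"
    Calling-Station-Id = "00-11-22-33-44-55"

Thu Mar 31 15:40:02 2005
    Acct-Status-Type = Stop
    Acct-Session-Id = "0149"
    User-Name = "david"
    Calling-Station-Id = "00-0D-54-AA-A4-1C"
"""

_DHCPACK = re.compile(r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>[0-9A-Fa-f:.-]+)")


def normalize_mac(raw):
    """Reduce 00:0d:54:aa:a4:1c, 00-0D-54-AA-A4-1C and 000d.54aa.a41c to one 12-hex-digit key."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def parse_dhcp_leases(lines):
    """Latest DHCPACK per client: normalised MAC -> IP."""
    leases = {}
    for line in lines:
        m = _DHCPACK.search(line)
        if m:
            leases[normalize_mac(m.group("mac"))] = m.group("ip")
    return leases


def parse_detail(text):
    """Split a detail file into records: a timestamp line, then indented 'Attr = value' lines."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = None
        elif not line[0].isspace():
            current = {"timestamp": line.strip()}
        elif current is not None:
            key, sep, value = line.strip().partition(" = ")
            if sep:
                # Repeated attributes (Cisco-AVPair) keep the last value; the join needs only unique ones
                current[key] = value.strip().strip('"')
    if current:
        records.append(current)
    return records


def correlate(dhcp_lines, detail_text):
    """Return ({user: {ip, mac, session}}, [sessions with no lease]) for accounting Start records."""
    leases = parse_dhcp_leases(dhcp_lines)
    matched, unmatched = {}, []
    for rec in parse_detail(detail_text):
        if rec.get("Acct-Status-Type") != "Start":
            continue
        user, mac_raw = rec.get("User-Name"), rec.get("Calling-Station-Id")
        mac = normalize_mac(mac_raw) if mac_raw else None
        ip = leases.get(mac) if mac else None
        if user and ip:
            matched[user] = {"ip": ip, "mac": mac, "session": rec.get("Acct-Session-Id")}
        else:
            unmatched.append(rec.get("Acct-Session-Id"))
    return matched, unmatched


if __name__ == "__main__":
    users, missing = correlate(DHCP_LOG.splitlines(), DETAIL)
    for name, info in users.items():
        print(f"{name:10s} {info['ip']:15s} mac={info['mac']} session={info['session']}")
    print("no lease found for sessions:", missing)
```

Two simplifications to keep in mind before using this for incident response: it keeps only the latest DHCPACK per MAC rather than matching lease time against the accounting Start time, so over a long log the same MAC can be shown with a later address than it held during the session, and it trusts Calling-Station-Id, which is whatever the NAS reported.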


EAP-TTLS and proxyRADIUS (with FreeRadius)

2005-01-24 Thread David ROUMANET
Hi there!
I've a problem with my proxyRADIUS server:
I've configured two freeradius servers (each in v1.0.1, EAP-TTLS
activated). When I log on to the first server (from a Cisco AP-1100), it's
OK. I change the IP address of the radius server on the NAS: direct login
is OK.
Now I use the syntax '[EMAIL PROTECTED]' (configured proxy.conf and 
clients.conf on each server of course) but I get this log on the second
server:
rad_recv: Access-Request packet from host 192.168.1.1:1814, id=0, length=162
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 000e.8440.bbb0
Calling-Station-Id = 000d.54a1.6e8e
Service-Type = Login-User
Message-Authenticator = 0x7775308bbdc7e890a1b0b90518ef5da9
EAP-Message =
0x0202001f01616e6f6e796d6f75734072656d6f74652e6772656e65742e6672
NAS-Port-Type = Wireless-802.11
NAS-Port = 8731
NAS-IP-Address = 192.168.7.1
NAS-Identifier = ap-maquette
Proxy-State = 0x323035
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
  modcall[authorize]: module chap returns noop for request 5
  modcall[authorize]: module mschap returns noop for request 5
rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 5
  rlm_eap: EAP packet type response id 2 length 31
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 5
users: Matched DEFAULT at 158
  modcall[authorize]: module files returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Login incorrect: [anonymous] (from client vega port 8731 cli 000d.54a1.6e8e)
Delaying request 5 for 1 seconds
Finished request 5

I don't understand where my mistake is but the message is clear:
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
Is this patch useful? Or isn't it possible to have EAP-TTLS proxied?
http://lists.cistron.nl/pipermail/freeradius-devel/2003-November/006393.html
In the list archive, I've found a solution with the hints file but I'm 
not able to understand the syntax (the guy says he has used this):
%{Stripped-User-Name:-%{User-Name}}

Thanks to all,
David


Re: EAP-TTLS and proxyRADIUS (with FreeRadius)

2005-01-24 Thread David ROUMANET
*oops* sorry!
The 'nostrip' option in proxy.conf was missing...
It works now!

Regards,
David
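The EAP-Message attribute is the one thing every trace on this page prints in raw hex, and decoding it explains three of the threads: the "TLS in place of TTLS" trace, the Mac OS X trace in "help for using eap and TTLS", and the proxied request in this thread. The Python below is an added example, not FreeRADIUS code: it parses the EAP header (code, id, length), the Type byte, the identity string of Identity packets and the flags byte of EAP-TLS/TTLS/PEAP packets. Applied to the page's own values, 0x0202000a016461766964 is a Response/Identity carrying "david"; 0x010300061520 is a Request of type 21 (EAP-TTLS) with the Start flag set, while the Mac OS X trace's 0x010300060d20 is type 13 (EAP-TLS) with Start; and the proxied 0x0202001f01616e... carries the identity "anonymous@remote.grenet.fr", whereas the User-Name that arrived had been stripped to "anonymous" by the proxying server (the behaviour nostrip turns off), which is the mismatch rlm_eap reports. The type numbers are from the IANA EAP method registry.

```python
"""Decode EAP-Message hex strings as printed by radiusd -X (added example, not FreeRADIUS code)."""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method type numbers from the IANA EAP registry
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_LIKE = {13, 21, 25}   # methods whose first data byte is the L/M/S flags byte


def decode_eap_message(hexstr):
    """Return a dict describing one EAP packet given its hex (with or without a 0x prefix)."""
    if hexstr.lower().startswith("0x"):
        hexstr = hexstr[2:]
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    # The Length field covers the whole packet; a mismatch means a truncated or mis-joined attribute
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):          # Success / Failure carry no Type byte
        return info
    if length < 5:
        raise ValueError("Request/Response packets need a Type byte")
    etype, data = raw[4], raw[5:]
    info["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        info["identity"] = data.decode("utf-8", errors="replace")
    elif etype in TLS_LIKE:
        flags = data[0] if data else 0
        info["flags"] = {"length_included": bool(flags & 0x80),
                         "more_fragments": bool(flags & 0x40),
                         "start": bool(flags & 0x20)}
        if etype != 13:          # TTLS and PEAP keep a version number in the low 3 bits
            info["version"] = flags & 0x07
    return info


def identity_matches_user_name(eap_message_hex, user_name):
    """True when the EAP Identity equals the RADIUS User-Name, the comparison rlm_eap logs about."""
    info = decode_eap_message(eap_message_hex)
    return info.get("type") == "Identity" and info["identity"] == user_name


if __name__ == "__main__":
    for hexstr in ("0x0202000a016461766964", "0x010300061520", "0x010300060d20",
                   "0x0202001f01616e6f6e796d6f75734072656d6f74652e6772656e65742e6672"):
        print(hexstr, "->", decode_eap_message(hexstr))
```

The length check matters beyond diagnostics: a NAS concatenates several EAP-Message attributes into one EAP packet, so a decoder that trusts the attribute boundary instead of the EAP Length field will misread fragmented TLS handshakes.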


dynamic vlan affectation and proxyRADIUS

2005-01-04 Thread David ROUMANET
Hi to all and my best wishes!
I'm trying to create a structure with proxy-RADIUS and multiple VLANs 
on different sites (on an 802.1x WiFi network).
My project is to differentiate a local user (with all rights on the 
local network) from a remote user (authenticated by a proxy-RADIUS). 
The first will fall in VLAN 10, the second in VLAN 20 (for example) even 
if the groups are the same.
Example: John DOE in the job_titular group at Paris shouldn't be 
considered as job_titular in New York... (of course, VLAN 10 in Paris 
doesn't match VLAN 10 in NY, but VLAN 11 and VLAN 20 in Paris correspond 
to VLAN 12 in NY)...

local authentication  : group == VLAN assignment
remote authentication : group has to be changed to 
remote_job_titular == VLAN assignment

I'm a newbie with freeradius and have ordered the RADIUS book (but at 
present it is not available because it is being reprinted), so I just need 
some help to know if it's possible and which files I should modify...

Thanks to all,
David


Re: discarding duplicate request - but duplicate it is not

2004-12-16 Thread David ROUMANET
I knew it: I should have learned C ;)
Alan DeKok wrote:
L.C. (Laurentiu C. Badea) [EMAIL PROTECTED] wrote:
Two issues I noticed while looking at the source for my problem: in
threads.c I believe it would be safer to end the fork_mutex critical
section after the forkers structure is updated (after line 1069),
not before (1051).
Also it seems like if it ran out of slots it will return without
unblocking SIG_CHLD (threads.c:1058). Not sure if this is
intentional or not.

  Fixed, thanks.  These will be in 1.0.2 and all later versions.
  Alan DeKok.


Re: Client can't get IP Address from DHCP

2004-12-09 Thread David ROUMANET
I've the same problem (however, one time it has worked fine...)
Try checking your router configuration (Cisco needs ip helper-address 
x.x.x.x on the interfaces; x.x.x.x is the DHCP server address.)

For the rest, I don't know if there is an order for lines in the users file...
joe Auth-Type := local, User-Password == tonka
Service-Type == Framed-User,
Framed-MTU = 1500,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 20
and I don't understand '==' for Service-Type and just '=' for 
Framed-MTU... what's the difference?

Friendly,
David
robert saab wrote:
Hi all,
please give me any idea,
I have installed the latest version of Freeradius and my Access Point
is Proxim AP-4000 with 802.1x for authenticating method. Freeradius
can accept my credentials when i try to connect from XP Pro, but there
is no IP Address assigned from DHCP server.
This is my 802.1x configuration.
AP-4000 -- 10.7.3.252
DHCP Server -- 10.7.3.2, scope 10.7.3.129 - 10.7.3.254
Freeradius -- 192.168.1.5
it seems to be OK, or is there something wrong? Please give some advice
*Grins*