user-name on EAP-TTLS authentication
Hello, is there a way to log the real user-name in the MySQL database when using EAP-TTLS authentication (instead of the anonymous user-name)? The file radius.log contains it, but I don't know if there is a RADIUS attribute for this.

Thanks to all,
David

David ROUMANET, Network Engineer, CICG
351 avenue de la Bibliothèque, Saint-Martin d'Hères, 38
Tel: +33 (0)4 76 51 46 08
http://www.grenet.fr

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: make install error in Solaris 8, freeradius-1.0.3
I'm in the same case too on Redhat 9 with an i386 host.

  See any operating system documentation about shared libraries for
  more information, such as the ld(1) and ld.so(8) manual pages.
  --
  gmake[6]: Leaving directory `/root/install_temp/freeradius-1.0.3/src/modules/rlm_checkval'
  gmake[5]: Leaving directory `/root/install_temp/freeradius-1.0.3/src/modules'
  gmake[4]: Leaving directory `/root/install_temp/freeradius-1.0.3/src/modules'
  Making install in main...
  gmake[4]: Entering directory `/root/install_temp/freeradius-1.0.3/src/main'
  /root/install_temp/freeradius-1.0.3/libtool --mode=install /root/install_temp/freeradius-1.0.3/install-sh -c -m 755 -s radiusd /usr/local/sbin
  /root/install_temp/freeradius-1.0.3/install-sh -c -m 755 -s .libs/radiusd /usr/local/sbin/radiusd
  /root/install_temp/freeradius-1.0.3/install-sh -c -m 755 -s radwho /usr/local/bin
  strip: /usr/local/bin/#inst.13402#: Format de fichier non reconnu
  gmake[4]: *** [install] Erreur 1
  gmake[4]: Leaving directory `/root/install_temp/freeradius-1.0.3/src/main'
  gmake[3]: *** [common] Erreur 2
  gmake[3]: Leaving directory `/root/install_temp/freeradius-1.0.3/src'
  gmake[2]: *** [install] Erreur 2
  gmake[2]: Leaving directory `/root/install_temp/freeradius-1.0.3/src'
  gmake[1]: *** [common] Erreur 2
  gmake[1]: Leaving directory `/root/install_temp/freeradius-1.0.3'
  make: *** [install] Erreur 2

Nuno Pais Fernandes wrote:

  Hello
  Same thing here with Whitebox 3.

  gmake[5]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.0.3/src/modules'
  gmake[4]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.0.3/src/modules'
  Making install in main...
  gmake[4]: Entering directory `/usr/src/redhat/BUILD/freeradius-1.0.3/src/main'
  /usr/src/redhat/BUILD/freeradius-1.0.3/libtool --mode=install /usr/src/redhat/BUILD/freeradius-1.0.3/install-sh -c -m 755 -s radiusd /var/tmp/freeradius-1.0.3-2-buildroot/usr/sbin
  libtool: install: warning: `/usr/src/redhat/BUILD/freeradius-1.0.3/src/lib/libradius.la' has not been installed in `/usr/lib'
  /usr/src/redhat/BUILD/freeradius-1.0.3/install-sh -c -m 755 -s .libs/radiusd /var/tmp/freeradius-1.0.3-2-buildroot/usr/sbin/radiusd
  /usr/src/redhat/BUILD/freeradius-1.0.3/install-sh -c -m 755 -s radwho /var/tmp/freeradius-1.0.3-2-buildroot/usr/bin
  strip: /var/tmp/freeradius-1.0.3-2-buildroot/usr/bin/#inst.18757#: File format not recognized
  gmake[4]: *** [install] Error 1
  gmake[4]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.0.3/src/main'
  gmake[3]: *** [common] Error 2
  gmake[3]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.0.3/src'

  Nuno Fernandes

  On Monday 06 June 2005 07:45, lei chen wrote:

    After make, when running make install, the following error.
    freeradius-1.0.3, Solaris 8, binutils-2.11.2
    What should I do about it?
    --
    make[6]: Leaving directory `/export/home/cl/inst/freeradius-1.0.3/src/modules/rlm_checkval'
    make[5]: Leaving directory `/export/home/cl/inst/freeradius-1.0.3/src/modules'
    make[4]: Leaving directory `/export/home/cl/inst/freeradius-1.0.3/src/modules'
    Making install in main...
    make[4]: Entering directory `/export/home/cl/inst/freeradius-1.0.3/src/main'
    /export/home/cl/inst/freeradius-1.0.3/libtool --mode=install /export/home/cl/inst/freeradius-1.0.3/install-sh -c -m 755 -s radiusd /export/home/cl/fr/sbin
    /export/home/cl/inst/freeradius-1.0.3/install-sh -c -m 755 -s .libs/radiusd /export/home/cl/fr/sbin/radiusd
    BFD: /export/home/cl/fr/sbin/stSAaqfc: warning: allocated section `.interp' not in segment
    /export/home/cl/inst/freeradius-1.0.3/install-sh -c -m 755 -s radwho /export/home/cl/fr/bin
    strip: /export/home/cl/fr/bin/#inst.1071#: File format not recognized
    make[4]: *** [install] Error 1
    make[4]: Leaving directory `/export/home/cl/inst/freeradius-1.0.3/src/main'
    make[3]: *** [common] Error 2
    make[3]: Leaving directory `/export/home/cl/inst/freeradius-1.0.3/src'
    make[2]: *** [install] Error 2
    make[2]: Leaving directory `/export/home/cl/inst/freeradius-1.0.3/src'
    make[1]: *** [common] Error 2
    make[1]: Leaving directory `/export/home/cl/inst/freeradius-1.0.3'
    make: *** [install] Error 2
TLS in place of TTLS : help for debugging
Hi everybody, as frequently here, another EAP-TTLS problem ;)

I use WinXP + SecureW2 + Cisco AP1100 + FreeRADIUS 1.0.1 / 1.0.2. FreeRADIUS sees a TLS packet but it's EAP-TTLS (with PAP), so authentication doesn't work. Of course eap is set in radiusd.conf (authentication and authorization sections).

My eap.conf is here:

  eap {
          default_eap_type = ttls
          timer_expire = 60
          ignore_unknown_eap_types = no
          cisco_accounting_username_bug = no

          # Supported EAP-types
          md5 {
          }

          # EAP-TLS
          tls {
                  # default_eap_type = ttls
                  private_key_password = astronomie
                  private_key_file = ${raddbdir}/certs/vega.maquette.grenet.fr.pem
                  certificate_file = ${raddbdir}/certs/vega.maquette.grenet.fr.pem
                  CA_file = ${raddbdir}/certs/root.pem
                  dh_file = ${raddbdir}/certs/dh
                  random_file = ${raddbdir}/certs/random
                  fragment_size = 1024
                  include_length = yes
                  # check_crl = yes
                  # check_cert_cn = %{User-Name}
          }

          ttls {
                  default_eap_type = md5
                  copy_request_to_tunnel = yes
                  use_tunneled_reply = yes
          }

          #peap {
          #       default_eap_type = mschapv2
          #}

          #mschapv2 {
          #}
  }

When I launch radiusd -X, this is what it says:

  ...
  Module: Loaded eap
   eap: default_eap_type = md5
   eap: timer_expire = 60
   eap: ignore_unknown_eap_types = no
   eap: cisco_accounting_username_bug = no
  rlm_eap: Loaded and initialized type md5
   tls: rsa_key_exchange = no
   tls: dh_key_exchange = yes
   tls: rsa_key_length = 512
   tls: dh_key_length = 512
   tls: verify_depth = 0
   tls: CA_path = (null)
   tls: pem_file_type = yes
   tls: private_key_file = /etc/raddb/certs/vega.maquette.grenet.fr.pem
   tls: certificate_file = /etc/raddb/certs/vega.maquette.grenet.fr.pem
   tls: CA_file = /etc/raddb/certs/root.pem
   tls: private_key_password = astronomie
   tls: dh_file = /etc/raddb/certs/dh
   tls: random_file = /etc/raddb/certs/random
   tls: fragment_size = 1024
   tls: include_length = yes
   tls: check_crl = no
   tls: check_cert_cn = (null)
  rlm_eap: Loaded and initialized type tls
   ttls: default_eap_type = md5
   ttls: copy_request_to_tunnel = yes
   ttls: use_tunneled_reply = yes
  rlm_eap: Loaded and initialized type ttls
  Module: Instantiated eap (eap)
  ...

When I try to authenticate, this is what happens:

  rad_recv: Access-Request packet from host 10.1.1.2:21672, id=106, length=132
          User-Name = david
          Framed-MTU = 1400
          Called-Station-Id = 000e.8440.bbb0
          Calling-Station-Id = 000d.54aa.a39c
          Service-Type = Login-User
          Message-Authenticator = 0x150c704b98ad730ead5764e4be788835
          EAP-Message = 0x0202000a016461766964
          NAS-Port-Type = Wireless-802.11
          NAS-Port = 7080
          NAS-IP-Address = 10.1.1.2
          NAS-Identifier = ap-maquette
    Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 2
    modcall[authorize]: module preprocess returns ok for request 2
    modcall[authorize]: module chap returns noop for request 2
    modcall[authorize]: module mschap returns noop for request 2
      rlm_realm: No '@' in User-Name = david, looking up realm NULL
      rlm_realm: Found realm NULL
      rlm_realm: Adding Stripped-User-Name = david
      rlm_realm: Proxying request from user david to realm NULL
      rlm_realm: Adding Realm = NULL
      rlm_realm: Authentication realm is LOCAL.
    modcall[authorize]: module suffix returns noop for request 2
    rlm_eap: EAP packet type response id 2 length 10
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 2
      users: Matched david at 19
    modcall[authorize]: module files returns ok for request 2
  modcall: group authorize returns updated for request 2
    rad_check_password: Found Auth-Type EAP
  auth: type EAP
    Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 2
    rlm_eap: EAP Identity
    rlm_eap: processing type tls          <= why? It should be TTLS!!!
    rlm_eap_tls: Initiate
    rlm_eap_tls: Start returned 1
    modcall[authenticate]: module eap returns handled for request 2
  modcall: group authenticate returns handled for request 2
  Sending Access-Challenge of id 106 to 10.1.1.2:21672
          Service-Type = Framed-User
          Framed-MTU = 1500
          Tunnel-Type:0 := VLAN
          Tunnel-Medium-Type:0 := IEEE-802
          Tunnel-Private-Group-Id:0 := 402
          EAP-Message = 0x010300061520
          Message-Authenticator = 0x
          State = 0xdcb2b96e379c8bc2dcb4b5b405a23cab
  Finished request 2
  Going to the next request
  --- Walking
Re: help for using eap and TTLS
I was having the same message (rlm_eap_tls: Requiring client certificate) because there was a mistake in eap.conf. Look at the default_eap_type = ttls line under eap { or tls { (not sure of the right place, because I have a similar problem to yours now):

  eap {
          default_eap_type = ttls
          timer_expire = 60
          ignore_unknown_eap_types = no
          cisco_accounting_username_bug = no

          # Supported EAP-types
          md5 {
          }

          # EAP-TLS
          tls {
                  # default_eap_type = ttls
                  private_key_password = astronomie

EAP-TTLS has two phases: one to establish the tunnel (the server sends its certificate), the second to authenticate the client (it sends the encrypted username/password).

Hope this helps you (else, contact me directly in French: david.roumanet $ grenet.fr)

David

Maurice.Bourguel wrote:

  Hello all,
  I'm using freeradius-1.0.2 with an AccessPoint Cisco ap1100; I'm using eap/ttls to authenticate users. I try to connect with XP clients or Mac OS X clients; all go wrong.
  When using the Mac OS X client and 802.1X setup (TTLS authentication alone, with PAP as the TTLS internal authentication), the Mac OS X client obtains the two certificates: authoritative and server. But it is not connecting. It loops on the authentication process.

  Here is the trace from /usr/local/sbin/radiusd -X -A:

      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 2
      rlm_eap: EAP Identity
      rlm_eap: processing type tls
      rlm_eap_tls: Requiring client certificate
      rlm_eap_tls: Initiate
      rlm_eap_tls: Start returned 1
      modcall[authenticate]: module eap returns handled for request 2
    modcall: group authenticate returns handled for request 2
    Sending Access-Challenge of id 127 to 139.124.3.235:21661
            Framed-MTU = 576
            Service-Type = Framed-User
            EAP-Message = 0x010300060d20
            Message-Authenticator = 0x
            State = 0x37a760f21d2a0b8d0fdd492ccd5e7d17
    Finished request 2
    Going to the next request
    --- Walking the entire request list ---

  What do these lines mean?

      rlm_eap_tls: Requiring client certificate
      rlm_eap_tls: Start returned 1
      modcall[authenticate]: module eap returns handled for request 2

  How should I fix this? Any help will be appreciated.
  I have configured freeradius and openssl using these articles:
    http://www.alphacore.net/spip/article.php3?id_article=45
    http://www.alphacore.net/spip/article.php3?id_article=33
    http://rbirri.9online.fr/howto/Freeradius_+_TTLS.html

  Regards,
  Maurice

  e-mail: [EMAIL PROTECTED]
  Maurice Bourguel
  CIRM - MENRT-CNRS-SMF
  case 916, 163 Avenue de Luminy, 13288 Marseille Cedex 9
  tel (33) 04 91 83 30 23, fax (33) 04 91 83 30 05
  http://www.cirm.univ-mrs.fr
Re: Troubleshoot EAP-TTLS : I can't understand why it's not working.
Do you want my real IP addresses, passwords and direct access to my networks? ;)
I know that, it's just for security... However, thank you for having taken some time to respond to me :)
(Sorry if my English is bad, it's not my best quality)...

David

[EMAIL PROTECTED] wrote:

    NAS-IP-Address = 10.256.256.256

  256 has never been a valid octet in an IP address. Use a real IP address and I suspect that your results will be much better.

  Mark Capelle
Troubleshoot EAP-TTLS : I can't understand why it's not working.
...password is XXX, then the user is assigned to vlan402

  david   Auth-Type := local, User-Password == XX
          Service-Type = Framed-User,
          Framed-MTU = 1500,
          Tunnel-Type := VLAN,
          Tunnel-Medium-Type := IEEE-802,
          Tunnel-Private-Group-Id := 402
  # ===

I could give other files if necessary (I wouldn't want to write too long a mail)...

Thanks for any help,
David ROUMANET

I've a small
Re: accounting EAP
Accounting should be enabled first on the AP! Here is an example on a Cisco Aironet 1100:

  ...
  aaa new-model
  aaa group server radius rad_eap
   server 192.168.1.11 auth-port 1812 acct-port 1813
  ...

Then, check on your radius server in radiusd.conf:

  ...
  prefix = /usr/local/freeradius
  localstatedir = ${prefix}/var
  logdir = ${localstatedir}/log/radius
  radacctdir = ${logdir}/radacct
  ...

There, you should see your logs for each NAS! In my case: /usr/local/freeradius/var/log/radius/radacct/ :)

Below, an extract from my accounting log:

  ...
  Thu Mar 31 15:06:55 2005
          Acct-Session-Id = 0149
          Called-Station-Id = 00-0E-84-40-B4-AA
          Calling-Station-Id = 00-0D-54-AA-A4-1C
          Cisco-AVPair = ssid=AP-EAP
          Cisco-AVPair = nas-location=unspecified
          Cisco-AVPair = vlan-id=20
          Cisco-AVPair = auth-algo-type=eap-ttls
          Acct-Authentic = RADIUS
          Cisco-AVPair = connect-progress=Call Up
  ...

Hope that helps you...

Jacques VUVANT wrote:

  Hi all,
  can someone tell me how to activate accounting on freeradius for EAP?
  Thanks,
  jacques
Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950
Try this:

  Tunnel-Type := VLAN,
  Tunnel-Medium-Type := IEEE-802,
  Tunnel-Private-Group-Id := 13,

It works on my FreeRADIUS.

Horschtel wrote:

  Hi,
  my situation is that freeradius gives the switch wrong attribute parameters. The users config file says:

    Username   Auth-Type == EAP, User-Password == xxx
               Framed-Type = Framed,
               Tunnel-Medium-Type:1 = 6,
               Tunnel-Type:1 = 13,
               Tunnel-Private-Group-ID:1 = 13

  In the freeradius debugging I can see:

    ..
    Sending Access-Accept of id 59 to xxx.xxx.xxx.xxx:1812
            Tunnel-Medium-Type:1 = IEEE-802
            Tunnel-Type:1 = VLAN
            Tunnel-Private-Group-Id = 13

  and that's the problem. I think the Tunnel-Private-Group-Id is no longer an integer.

  The switch RADIUS debug:

    04:57:06: Attribute 65 6 0106
    04:57:06: Attribute 64 6 010D
    04:57:06: Attribute 81 5 0131334F

  Attributes 65 and 64 are ok, but attribute 81 is the problem.

--
CICG http://www.grenet.fr/
David ROUMANET   Tel : 04 76 51 46 08
Centre InterUniversitaire de Calcul Grenoblois
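An added example for the dynamic-VLAN entries on this page (the users lines in this thread and the vlan402 / vlan 20 entries in the other posts); it is my code, not FreeRADIUS code. It encodes and decodes the three RFC 2868 tunnel attributes those entries produce, which is the point behind the switch debug quoted above: Tunnel-Type (64) and Tunnel-Medium-Type (65) are tagged 24-bit integers, while Tunnel-Private-Group-Id (81) is a tagged string, so the VLAN id 13 travels as a tag byte followed by the ASCII digits 0x31 0x33, a 5-byte attribute, not a binary integer. The ":1" in the users syntax is that tag byte. Attribute numbers and the "no tag if the first byte is above 0x1F" rule come from RFC 2868, the VLAN (13) Tunnel-Type value from RFC 3580; the function names are my own.

```python
"""Encode and decode RFC 2868 tunnel attributes used for 802.1X dynamic VLAN assignment.

Added example, not FreeRADIUS code. Attribute numbers, tag byte and the
integer/string distinction are from RFC 2868; VLAN = 13 is from RFC 3580.
"""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VALUES = {"VLAN": 13}        # RFC 3580 Tunnel-Type value for VLAN assignment
TUNNEL_MEDIUM_VALUES = {"IEEE-802": 6}   # RFC 2868 Tunnel-Medium-Type for 802 media

TAGGED_INTEGER = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
TAGGED_STRING = {TUNNEL_PRIVATE_GROUP_ID}


def encode_tunnel_attr(attr, value, tag=1):
    """Return the on-the-wire TLV: type, length, tag, then a 3-byte integer or a string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must fit in 5 bits (0x00-0x1F)")
    if attr in TAGGED_INTEGER:
        if not 0 <= value < (1 << 24):
            raise ValueError("tagged integer is only 24 bits wide")
        payload = bytes([tag]) + value.to_bytes(3, "big")
    elif attr in TAGGED_STRING:
        payload = bytes([tag]) + str(value).encode("ascii")   # VLAN id travels as text
    else:
        raise ValueError(f"attribute {attr} is not a tunnel attribute")
    if len(payload) + 2 > 255:
        raise ValueError("attribute too long for a one-byte length field")
    return bytes([attr, len(payload) + 2]) + payload


def decode_tunnel_attr(data):
    """Parse one attribute into (attr, tag, value).

    For a tagged string, a first byte above 0x1F is not a tag but the first
    character of the string (RFC 2868 section 3.6); tag 0 is reported then.
    """
    attr, length = data[0], data[1]
    if length != len(data) or length < 3:
        raise ValueError("bad attribute length")
    body = data[2:]
    if attr in TAGGED_INTEGER:
        if length != 6:
            raise ValueError("tagged integer attribute must be exactly 6 bytes")
        return attr, body[0], int.from_bytes(body[1:4], "big")
    if attr in TAGGED_STRING:
        if body[0] > 0x1F:
            return attr, 0, body.decode("ascii")
        return attr, body[0], body[1:].decode("ascii")
    raise ValueError(f"attribute {attr} is not a tunnel attribute")


def vlan_reply_attributes(vlan_id, tag=1):
    """The three attributes a users entry like the one in the post produces for one VLAN."""
    return [
        encode_tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VALUES["VLAN"], tag),
        encode_tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_VALUES["IEEE-802"], tag),
        encode_tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, vlan_id, tag),
    ]


if __name__ == "__main__":
    # Round-trip the VLAN 13 reply from the post: 40060100000d, 410601000006, 5105013133
    for tlv in vlan_reply_attributes(13):
        print(tlv.hex(), decode_tunnel_attr(tlv))
```

A switch that logs "Attribute 81 5 ..." has therefore received a correctly sized tagged string for a two-digit VLAN id; if a NAS insists on a numeric group id it is the NAS that deviates from the RFC, and the fix belongs in its configuration, not in the users file.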
Re: DHCP and FreeRADIUS accounting
Thanks for the script and the link... I will work with these tomorrow!

Rok Papez wrote:

  Hello David.

  On Wednesday 16 February 2005 10:23, David ROUMANET wrote:

    In a wireless network (EAP/TTLS), there is no way to use FreeRADIUS for dynamic IP assignment, so I use dhcpd. Unfortunately, I'm not able to have accounting with IP address == user. I will write a script to scan the dhcpd log and the RADIUS accounting log, but first I would like to be sure nobody has already done this... I don't want to re-invent the wheel ;)

  I'm attaching the script.
  - The script tails the DHCP log file and updates the client records with the assigned IP numbers. (freeradius is configured to log to a MySQL DB)
  - Old unclosed records are checked at the AP via SNMP (we use Cisco AP12xx) to be valid. If not, they are closed.

  You might be interested also in the freeradius, mysql and dhcp configurations. They are available at http://www.arnes.si/dostop/wlan. Unfortunately the pages are not open yet to the public :-( and I'll provide you with a username/password via a private e-mail. If anyone else is interested in access, please contact me privately.

--
CICG http://www.grenet.fr/
David ROUMANET   Tel : 04 76 51 46 08
Centre InterUniversitaire de Calcul Grenoblois
DHCP and FreeRADIUS accounting
Hello,
in a wireless network (EAP/TTLS), there is no way to use FreeRADIUS for dynamic IP assignment, so I use dhcpd. Unfortunately, I'm not able to have accounting with IP address == user. I will write a script to scan the dhcpd log and the RADIUS accounting log, but first I would like to be sure nobody has already done this... I don't want to re-invent the wheel ;)

Could anybody help me?

Thanks a lot,
David

David ROUMANET   Tel : 04 76 51 46 08
Centre Interuniversitaire de Calcul Grenoblois   Fax : 04 76 42 11 71
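An added example for this thread and for the "Re: accounting EAP" post above; it is my code, not Rok's script and not FreeRADIUS code. It parses records in the radacct detail layout quoted in the accounting post (an unindented timestamp line, indented "Attribute = value" lines, a blank line between records), picks up DHCPACK lines in the syslog format ISC dhcpd writes, normalizes the three MAC spellings that appear on this page (the AP's 00-0D-54-AA-A4-1C, dhcpd's 00:0d:54:aa:a4:1c and the Cisco 000d.54aa.a39c form) and joins accounting Start records to leases on the client MAC. Both input samples are constructed for the example: the attribute names follow the post's extract, but the sessions and addresses are invented.

```python
"""Correlate FreeRADIUS accounting detail records with dhcpd DHCPACK lines by client MAC.

Added example, not FreeRADIUS code. Both samples below are constructed.
"""
import re

# Constructed detail-file sample in the layout quoted in the accounting post.
DETAIL_SAMPLE = """\
Thu Mar 31 15:06:55 2005
\tAcct-Session-Id = "0149"
\tAcct-Status-Type = Start
\tCalled-Station-Id = "00-0E-84-40-B4-AA"
\tCalling-Station-Id = "00-0D-54-AA-A4-1C"
\tUser-Name = "anonymous"
\tCisco-AVPair = "ssid=AP-EAP"
\tCisco-AVPair = "auth-algo-type=eap-ttls"
\tAcct-Authentic = RADIUS

Thu Mar 31 15:09:12 2005
\tAcct-Session-Id = "0150"
\tAcct-Status-Type = Start
\tCalling-Station-Id = "000d.54aa.a39c"
\tUser-Name = "david"
\tAcct-Authentic = RADIUS
"""

# Constructed dhcpd syslog sample; only DHCPACK lines carry a committed lease.
DHCP_SAMPLE = """\
Mar 31 15:06:58 dhcp1 dhcpd: DHCPDISCOVER from 00:0d:54:aa:a4:1c via eth0
Mar 31 15:06:58 dhcp1 dhcpd: DHCPOFFER on 10.1.20.57 to 00:0d:54:aa:a4:1c via eth0
Mar 31 15:06:59 dhcp1 dhcpd: DHCPACK on 10.1.20.57 to 00:0d:54:aa:a4:1c (laptop-a) via eth0
Mar 31 15:07:30 dhcp1 dhcpd: DHCPACK on 10.1.20.60 to 00:11:22:33:44:55 via eth0
"""

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')   # quotes optional, as in the post
DHCPACK_RE = re.compile(r"DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-fA-F:]{17})")


def normalize_mac(mac):
    """Reduce 00-0D-54-AA-A4-1C, 00:0d:54:aa:a4:1c or 000d.54aa.a39c to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_detail(text):
    """Return one dict per record; a repeated attribute (Cisco-AVPair) becomes a list."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line is the record's timestamp
            current = {"timestamp": line.strip()}
            records.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            if key in current:
                old = current[key]
                current[key] = old + [value] if isinstance(old, list) else [old, value]
            else:
                current[key] = value
    return records


def parse_dhcp_acks(text):
    """Map normalized client MAC -> most recently ACKed IP (later lines win)."""
    leases = {}
    for line in text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases[normalize_mac(m.group(2))] = m.group(1)
    return leases


def correlate(detail_text, dhcp_text):
    """Return {Acct-Session-Id: (User-Name, MAC, IP or None)} for every Start record."""
    leases = parse_dhcp_acks(dhcp_text)
    result = {}
    for rec in parse_detail(detail_text):
        if rec.get("Acct-Status-Type") != "Start":
            continue
        mac = normalize_mac(rec["Calling-Station-Id"])
        result[rec["Acct-Session-Id"]] = (rec.get("User-Name"), mac, leases.get(mac))
    return result


if __name__ == "__main__":
    for sid, (user, mac, ip) in correlate(DETAIL_SAMPLE, DHCP_SAMPLE).items():
        print(f"session {sid}: user={user} mac={mac} ip={ip or '(no lease seen)'}")
```

The join key is Calling-Station-Id rather than User-Name because, with EAP-TTLS, the User-Name in the accounting record may be the anonymous outer identity (the first post on this page asks about exactly that). A production version would also bound the time gap between the Start record and the DHCPACK and handle lease renewals to other addresses; this sample only keeps the last ACK per MAC.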
EAP-TTLS and proxyRADIUS (with FreeRadius)
Hi there!

I've a problem with my proxyRADIUS server: I've configured two freeradius servers (each v1.0.1, EAP-TTLS activated). When I log on to the first server (from a Cisco AP-1100), it's OK. I change the IP address of the radius server on the NAS: direct login is ok.

Now I use the syntax '[EMAIL PROTECTED]' (configured proxy.conf and clients.conf on each server of course) but I have this log on the second server:

  rad_recv: Access-Request packet from host 192.168.1.1:1814, id=0, length=162
          User-Name = anonymous
          Framed-MTU = 1400
          Called-Station-Id = 000e.8440.bbb0
          Calling-Station-Id = 000d.54a1.6e8e
          Service-Type = Login-User
          Message-Authenticator = 0x7775308bbdc7e890a1b0b90518ef5da9
          EAP-Message = 0x0202001f01616e6f6e796d6f75734072656d6f74652e6772656e65742e6672
          NAS-Port-Type = Wireless-802.11
          NAS-Port = 8731
          NAS-IP-Address = 192.168.7.1
          NAS-Identifier = ap-maquette
          Proxy-State = 0x323035
    Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 5
    modcall[authorize]: module preprocess returns ok for request 5
    modcall[authorize]: module chap returns noop for request 5
    modcall[authorize]: module mschap returns noop for request 5
      rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
      rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 5
    rlm_eap: EAP packet type response id 2 length 31
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 5
      users: Matched DEFAULT at 158
    modcall[authorize]: module files returns ok for request 5
  modcall: group authorize returns updated for request 5
    rad_check_password: Found Auth-Type EAP
  auth: type EAP
    Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 5
    rlm_eap: Identity does not match User-Name, setting from EAP Identity.
    rlm_eap: Failed in handler
    modcall[authenticate]: module eap returns invalid for request 5
  modcall: group authenticate returns invalid for request 5
  auth: Failed to validate the user.
  Login incorrect: [anonymous] (from client vega port 8731 cli 000d.54a1.6e8e)
  Delaying request 5 for 1 seconds
  Finished request 5

I don't understand where my mistake is, but the message is clear:

  rlm_eap: Identity does not match User-Name, setting from EAP Identity.

Is this patch useful? Or isn't it possible to have EAP-TTLS proxied?
http://lists.cistron.nl/pipermail/freeradius-devel/2003-November/006393.html

In the list archive, I've found a solution with the hints file but I'm not able to understand the syntax (the guy says he has used this):

  %{Stripped-User-Name:-%{User-Name}}

Thanks to all,
David
Re: EAP-TTLS and proxyRADIUS (with FreeRadius)
*Oops* sorry! The option 'nostrip' in proxy.conf was missing... it works now!

Regards,
David

David ROUMANET wrote:

  Hi there!
  I've a problem with my proxyRADIUS server: I've configured two freeradius servers (each v1.0.1, EAP-TTLS activated). When I log on to the first server (from a Cisco AP-1100), it's OK. I change the IP address of the radius server on the NAS: direct login is ok.
  Now I use the syntax '[EMAIL PROTECTED]' (configured proxy.conf and clients.conf on each server of course) but I have this log on the second server:

    rad_recv: Access-Request packet from host 192.168.1.1:1814, id=0, length=162
            User-Name = anonymous
            EAP-Message = 0x0202001f01616e6f6e796d6f75734072656d6f74652e6772656e65742e6672
    [...]
      rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
      rlm_realm: No such realm NULL
    [...]
      rlm_eap: Identity does not match User-Name, setting from EAP Identity.
      rlm_eap: Failed in handler
    [...]
    Login incorrect: [anonymous] (from client vega port 8731 cli 000d.54a1.6e8e)

  I don't understand where my mistake is, but the message is clear:

    rlm_eap: Identity does not match User-Name, setting from EAP Identity.

  Is this patch useful? Or isn't it possible to have EAP-TTLS proxied?
  http://lists.cistron.nl/pipermail/freeradius-devel/2003-November/006393.html

  In the list archive, I've found a solution with the hints file but I'm not able to understand the syntax (the guy says he has used this):

    %{Stripped-User-Name:-%{User-Name}}

  Thanks to all,
  David

--
David ROUMANET   Tel : 04 76 51 46 08
Centre Interuniversitaire de Calcul Grenoblois   Fax : 04 76 42 11 71
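An added example for this proxy thread and for the two TLS/TTLS debugging threads above ("TLS in place of TTLS" and "Re: help for using eap and TTLS"); it is my code, not FreeRADIUS code. It decodes the EAP-Message values that radiusd -X prints, which settles both questions from the bytes rather than from the log wording: the Access-Challenge in the first thread carries 0x010300061520, type 21 (EAP-TTLS) with the Start flag set, while Maurice's challenge carries 0x010300060d20, type 13 (plain EAP-TLS). For this thread it extracts the EAP Identity from the forwarded Access-Request (the realm part of the redacted '[EMAIL PROTECTED]' is recoverable from the hex on the page) and models what the realm module forwards as User-Name with and without the 'nostrip' option, reproducing the "Identity does not match User-Name" condition. The header layout is from RFC 3748, the type numbers and the L/M/S flags byte from the EAP-TLS and EAP-TTLS RFCs; the function names and the stripping model are my own.

```python
"""Decode EAP-Message hex dumps from FreeRADIUS debug output and model realm stripping.

Added example, not FreeRADIUS code. Header layout per RFC 3748; type codes and
the flags byte of the TLS-based methods per the EAP-TLS / EAP-TTLS / PEAP specs.
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_BASED = {13, 21, 25}


def parse_eap(hex_message):
    """Parse one EAP packet given as the 0x... string that radiusd -X prints."""
    raw = bytes.fromhex(hex_message[2:] if hex_message.startswith("0x") else hex_message)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes on the wire")
    packet = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                       # Request/Response carry a Type byte plus type data
        if len(raw) < 5:
            raise ValueError("Request/Response without a Type byte")
        eap_type, data = raw[4], raw[5:]
        packet["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            packet["identity"] = data.decode("utf-8", "replace")
        elif eap_type in TLS_BASED:          # first data byte is the L/M/S flags byte
            flags = data[0] if data else 0
            packet["flags"] = {"length_included": bool(flags & 0x80),
                               "more_fragments": bool(flags & 0x40),
                               "start": bool(flags & 0x20)}
    return packet


def eap_identity(hex_message):
    """The identity string of an EAP-Response/Identity, or None for other packets."""
    return parse_eap(hex_message).get("identity")


def proxied_user_name(user_name, nostrip=False):
    """User-Name as the realm module forwards it: the realm suffix is stripped
    unless the realm in proxy.conf carries 'nostrip' (the fix in this thread)."""
    if nostrip or "@" not in user_name:
        return user_name
    return user_name.rsplit("@", 1)[0]


def identity_matches(user_name, hex_message):
    """The check whose failure the home server logs as 'Identity does not match User-Name'."""
    return eap_identity(hex_message) == user_name


if __name__ == "__main__":
    # Values quoted in the threads on this page
    for h in ("0x0202000a016461766964", "0x010300061520", "0x010300060d20"):
        print(h, parse_eap(h))
    full = eap_identity("0x0202001f01616e6f6e796d6f75734072656d6f74652e6772656e65742e6672")
    for nostrip in (False, True):
        fwd = proxied_user_name(full, nostrip)
        print(f"nostrip={nostrip}: forwarded User-Name={fwd!r}, matches EAP identity: {fwd == full}")
```

The Identity response is sent in clear before the TTLS tunnel exists, so whatever the supplicant puts there (the anonymous outer identity or a real name) is visible to every proxy on the path; the inner identity is only available to the home server after the tunnel is up, which is also why the first post on this page cannot find it in a plain RADIUS attribute.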
dynamic vlan affectation and proxyRADIUS
Hi to all and my best wishes!

I'm trying to create a structure with proxy-RADIUS and multiple VLANs on different sites (on an 802.1x WiFi network). My project is to differentiate a local user (with all rights on the local network) and a remote user (authenticated by a proxy-RADIUS). The first will fall in vlan 10, the second in vlan 20 (for example), even if the groups are the same.

Example: John DOE in the job_titular group at Paris shouldn't be considered as job_titular in New York... (of course, vlan 10 in Paris doesn't match vlan 10 in NY, but vlan 11 and vlan 20 in Paris correspond to vlan 12 in NY)...

  local authentication:  group == vlan assignment
  remote authentication: group has to be changed to remote_job_titular == vlan assignment

I'm a newbie with freeradius and have ordered the RADIUS book (but at present time it is not available because it is being reprinted), so I just need some help to know if it's possible and which files I should modify...

Thanks to all,
David
Re: discarding duplicate request - but duplicate it is not
I knew it: I should have learned C ;)

Alan DeKok wrote:

  L.C. (Laurentiu C. Badea) [EMAIL PROTECTED] wrote:

    Two issues I noticed while looking at the source for my problem: in threads.c I believe it would be safer to end the fork_mutex critical section after the forkers structure is updated (after line 1069), not before (1051). Also it seems like if it ran out of slots it will return without unblocking SIG_CHLD (threads.c:1058). Not sure if this is intentional or not.

  Fixed, thanks. These will be in 1.0.2 and all later versions.

  Alan DeKok.

--
David ROUMANET   Tel : 04 76 51 46 08
Centre Interuniversitaire de Calcul Grenoblois   Fax : 04 76 42 11 71
Re: Client can't get IP Address from DHCP
I've the same problem (however, one time it has worked fine...). Try to check your router configuration (Cisco needs "ip helper-address x.x.x.x" on the interfaces, where x.x.x.x is the DHCP server address).

For the rest, I don't know if there is an order for the lines in the users file...

  joe     Auth-Type := local, User-Password == tonka
          Service-Type == Framed-User,
          Framed-MTU = 1500,
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = 20

and I don't understand '==' for Service-Type and just '=' for Framed-MTU... what's the difference?

Friendly,
David

robert saab wrote:

  Hi all,
  please give me any idea. I have installed the latest version of Freeradius and my Access Point is a Proxim AP-4000 with 802.1x as the authentication method. Freeradius can accept my credentials when I try to connect from XP Pro, but there is no IP address assigned from the DHCP server. This is my 802.1x configuration:

    AP-4000      -- 10.7.3.252
    DHCP Server  -- 10.7.3.2, scope 10.7.3.129 - 10.7.3.254
    Freeradius   -- 192.168.1.5

  It seems to be ok, or there is something wrong; please give some advice.
  *Grins*

--
David ROUMANET   Tel : 04 76 51 46 08
Centre Interuniversitaire de Calcul Grenoblois   Fax : 04 76 42 11 71