Username format

2013-10-14 Thread Dean, Barry
I think I know the answer to this question but I wanted to check with the Gurus!

Does FreeRADIUS give a fig about what the username is? If it were all numeric, 
say 123456789 I guess it is happy with that? It's just a string to FreeRADIUS?

If there was to be an issue, it would be the back end authentication system 
Unix/LDAP/AD etc and what it finds acceptable right?

Thanks as always...

Barry Dean
Principal Programmer/Analyst
Networks Team
Computing Service Department

List info/subscribe/unsubscribe? See

rlm_perl issue

2013-08-22 Thread Dean, Barry
An interesting one for the list ...

We are installing a Palo Alto firewall and it has a way to pass Username/IP 
mappings from FreeRADIUS to a Windows "User ID Agent", which is then queried by 
the firewall.

The method employed is to use a Perl module (PAN::API), which has a simple API, 

$var = PAN::API::UID->new( "ip of server" );
$var->add( "type ", username, Framed-IP-Address );

which is added in the "sub preacct ()" of the perl module...

then call this in preacct {}

There are a couple of issues with this module that I am going to try and 

1) Connections
"new" only instantiates an empty object
"add" adds the values to a hash
"submit" opens a TCP SSL connection, sends the hash as XML, then 
closes the connection.
With all the work being done in "submit" you have to create and tear down an 
SSL TCP connection for EVERY accounting record! Which is a lot at my site!

2) Errors
If the socket set-up fails, the PAN::API module calls croak(), which on 
my system terminated FreeRADIUS, which seems like what would happen?

Thu Aug 22 13:53:03 2013 : Error: rlm_perl: perl_embed:: module = 
/etc/raddb/ , func = preacct exit status= Unable to connect socket.  at 
/etc/raddb/ line 474

Socket setup failed I am guessing because of all the open/close socket 
activity? Looks like the Windows 2008R2 server either blocked this as a 
suspected DOS or the agent failed to cope with this kind of TCP activity?

Obviously for problem 1, a better model would be to implement new methods on 
the object to open and close the SSL connection, then use a pattern like:

{ # Static block start
my $object = PAN::API::UID->new( "" );

sub preacct {
$object->add(  );

closing the SSL would not be needed in effect as we run "forever", and I 
wouldn't know where to place it as there is no function called on an rlm_perl 
module when FreeRADIUS is about to terminate, unless I am missing something.

For problem 2, are there rules about what you should not do in an rlm_perl 
module? I would have thought exit(), die(), croak() etc are all bad and that 
returning quietly, optionally setting an error code, would be better? Then back 
in "sub preacct ()" you could check the error and log with &radiusd::radlog() 
and do a "return RLM_MODULE_NOOP"?

Would you expect FreeRADIUS to terminate if an rlm_perl module called croak()?

Anyone want to throw in 2 cents/pennies worth to this?

Thanks in advance, as always, for your time ...

Barry Dean
Principal Programmer/Analyst
Networks Team
Computing Service Department


Re: global hash variable perl

2011-02-28 Thread Dean, Barry
Yes. Do something like this:

my %static_global_hash = ();

sub post_auth {

static_global_hash will then be available on each call to the subs so you can 
store some kind of state between requests that you handle.

The trick is placing the whole lot into a {} block. Perl can be odd at times...

On 25 Feb 2011, at 20:25, Vinh Nguyen wrote:

hi all,

I was able to set up my freeradius to use perl and mysql. Things are working
ok. I wanted to use a global hash variable to store information. This way
all other requests can also access this hash variable. Is this doable? I
know you can use mysql for this purpose, but i wanted to reduce the # of
mysql hits.


Computer Science B.S. at Texas A&M
C# .Net Developer
Server Analyst.


Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department


Nice boy, but about as sharp as a sack of wet mice.
   -- Foghorn Leghorn

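Putting the rlm_perl thread above (croak() from PAN::API taking radiusd down) together with the {} block trick from this post, here is an added example of mine, not code from either post or from the PAN::API module: a preacct that keeps its state across requests and turns any croak()/die() into a logged NOOP. The agent address, the mapping type string 'login' and the per-user cache are my assumptions; PAN::API's new/add/submit are used only as the thread describes them.

```perl
# Added example (not from the original posts or the PAN::API module):
# an rlm_perl "preacct" that keeps state across requests in a file-scope
# block and never lets a croak() from PAN::API reach FreeRADIUS.
use strict;
use warnings;

# rlm_perl exports this hash; %RAD_REQUEST holds the incoming packet.
our %RAD_REQUEST;

# Return codes and log levels as defined in FreeRADIUS's example.pl.
use constant {
    RLM_MODULE_FAIL => 1,
    RLM_MODULE_OK   => 2,
    RLM_MODULE_NOOP => 7,
};
use constant { L_DBG => 1, L_INFO => 3, L_ERR => 4 };

# PAN::API is the third-party module from the thread; "new", "add" and
# "submit" are the only methods the posts describe.
use PAN::API;

{   # Static block: these lexicals live for the life of the interpreter,
    # so every call of preacct() below sees the same object and cache.
    my $agent_ip = '192.0.2.10';   # ASSUMED placeholder for the User ID Agent
    my $map_type = 'login';        # ASSUMED value for the "type" argument
    my $uid      = PAN::API::UID->new($agent_ip);
    my %last_ip;                   # username -> last IP we sent to the agent

    sub preacct {
        my $status = $RAD_REQUEST{'Acct-Status-Type'} // '';
        my $user   = $RAD_REQUEST{'User-Name'};
        my $ip     = $RAD_REQUEST{'Framed-IP-Address'};

        # Only Start and Interim-Update carry a usable user/IP mapping.
        return RLM_MODULE_NOOP
            unless $status eq 'Start' || $status eq 'Interim-Update';
        return RLM_MODULE_NOOP unless defined $user && defined $ip;

        # Skip the TCP/SSL round trip when the agent already has this mapping;
        # this is what cuts the connect/teardown per accounting record.
        if (defined $last_ip{$user} && $last_ip{$user} eq $ip) {
            &radiusd::radlog(L_DBG, "pan-uid: $user -> $ip unchanged");
            return RLM_MODULE_NOOP;
        }

        # eval{} turns croak()/die() inside PAN::API into a string in $@
        # instead of unwinding the interpreter and taking radiusd with it.
        my $ok = eval {
            $uid->add($map_type, $user, $ip);
            $uid->submit();
            1;
        };
        unless ($ok) {
            my $err = $@ || 'unknown error';
            $err =~ s/\s+$//;
            &radiusd::radlog(L_ERR, "pan-uid: submit failed for $user: $err");
            return RLM_MODULE_NOOP;   # accounting proceeds regardless
        }

        $last_ip{$user} = $ip;
        &radiusd::radlog(L_INFO, "pan-uid: sent $user -> $ip");
        return RLM_MODULE_OK;
    }
}

1;
```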

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Dean, Barry

On 18 Feb 2011, at 14:26, Phil Mayers wrote:

> On 18/02/11 14:16, Dean, Barry wrote:
>> I have been asked to do just this and I am working on the solution
>> now.
>> We wanted to use multiple pools of VLANs/Subnets and assign "Staff"
>> to one pool and "Students"# to the other. Then to select a VLAN
>> within the pool, use a hashing function and select a VLAN.
>> One concern I have is when is post-auth called? Would it get called
>> for interim authentication requests? Because I don't want to be
>> changing the VLAN mid sessions, which could potentially happen with a
>> non-deterministic hash!
> There is no such thing as an "interim" authentication request.
> Post-auth is called after every auth.
> I suspect you are referring to feature(s) on the switch(es) you use 
> where it will "re-auth" the client after X minutes. That's just another, 
> separate authentication as far as FreeRadius is concerned

Yep, I was referring to the entries I see in my logs for 
"Interim-Update", which is of course an Accounting record, and I had always 
assumed this went with an Auth as well, but have never looked in detail to see! 
So I am most likely talking rubbish!

>> In my tests I have been creating a hash from the 'State' attribute
> That's a very bad idea. It will change mid-session and cause you huge 
> problems.

I will not be using this then :-)

> We do pervasive VLAN assignment on a large scale here, and my advice is 
> the same as others in the thread - don't use a hash value. Just map a 
> user or group to a vlan.
> If you need to "balance the numbers of users on a vlan" (why?) then you 
> should log the vlan assignments to SQL and run a post-processing script 
> that changes the assignment to keep the "load balanced".
> Personally we just run big subnets to reduce the waste of IP space and 
> configuration overhead.

I don't design the wireless network here, I just make the RADIUS work as best I 
can. It has been decided to have smaller private IP ranges each associated with 
a VLAN and balance the routing of these across two routers. Then I was asked if 
I can distribute the users across these VLANS evenly.

I am beginning to think a round robin allocation might just do!

However, the goal posts could move again yet! Latest news is that we will have 
1 pool of VLANs, so time to tear up the existing code and take a fresh look! I 
currently have no idea how big these subnets will be either.

Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
Tel: 0151 795 9540
Skype: barryvdean




Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Dean, Barry
I have been asked to do just this and I am working on the solution now.

We wanted to use multiple pools of VLANs/Subnets and assign "Staff" to one pool 
and "Students"# to the other. Then to select a VLAN within the pool, use a 
hashing function and select a VLAN.

One concern I have is when is post-auth called? Would it get called for interim 
authentication requests? Because I don't want to be changing the VLAN mid 
sessions, which could potentially happen with a non-deterministic hash!

In my tests I have been creating a hash from the 'State' attribute which seems 
reasonably random and gives me a good even share across the VLANs in my pools, 
but would be completely non-deterministic. (My tests are not real world so this 
could prove untrue).

A hash on User-Name may be more deterministic, but may not give me the balance 
I need.

Students and Staff have different format usernames so I am sure this would 
result in unbalanced sharing across the VLAN pools. And we have uneven 
numbers of students on different courses and their usernames start the same.

I am using a perl module called within post-auth that does some LDAP lookups as 
well to find the type of the user.

Nothing is set in stone yet and I am still experimenting; I feel sure whatever 
method I use will end up being a "I wouldn't start from here" solution in 12 
months time!

# Staff in our world means Staff + Research Postgrads and Students are Students 
+ Taught Postgrads...

On 17 Feb 2011, at 23:52, Kenneth Marshall wrote:

> On Thu, Feb 17, 2011 at 02:26:14PM -0800, Brett Littrell wrote:
>>I agree breaking the network up into separate VLANs then routing between 
>> them would help with broadcasting but I do not agree that hashing values and 
>> then using those hashing values as we randomizing agents to distribute 
>> vlans.  There has to be a more elegant way to do this, I believe there is.
>>   First off by randomizing what network a host is going to be on is going to 
>> be extremely confusing when you try and troubleshoot other issues, for 
>> instance a virus outbreak, now you have to figure out who is on what subnet 
>> and who is sending what etc.. I can think of a lot of other issues that 
>> would cause headaches, suffice to say it is not a good idea.
>>The better way to do this is to break people up by some logical means, 
>> such as Accounting, testing, personnel etc.  Then create groups and assign 
>> group ids based on the users in those groups.  This gives the benefit of 
>> segmenting and securing like minded traffic as well, maybe accounting can 
>> only talk to accounting, personnel can only talk to these servers, or those 
>> servers etc.  Of course you would have to route to other subnets if you want 
>> them to talk but now you have control to say only this group of people can 
>> talk to that group of people and not just open it up for everyone.  
>>Even if you assign users by Group1, Group2, Group3 and you have a virus 
>> outbreak now you can at least look at it and say right away all Group1 
>> subnet is crazy and have a list of all the stations/users in that group.
>>Anyway, that is my 2 cents on the whole deal.
>> Brett Littrell
>> Network Manager
> I agree with you that random VLAN selection is not a good idea and it
> wreaks havoc with most clients too. However, the problem we ran into was
> balancing the usage of all of the VLANS to get both good performance and
> minimize infrastructure costs. This can be done by assigning to groups
> and then placing in the VLAN according to that group, but then you have
> the problem of balancing the assignment to the named groups. In the end,
> we used the hash function because it would deterministically assign a
> user to a VLAN and balanced the hardware usage reasonably well. We used
> the simple crc32, but a better hash function would distribute them even
> better if all were connected simultaneously, but a crc32 was easy and
> the size of the groups was within 10%. Calculating the group members
> is easy, but they already have that information from VLAN/IP address of
> the machine. It is also easy to have the network gear return who is
> attached and what VLAN they are in. 
> My 1.5 cents. :)
> Ken
> On Thursday, February 17, 2011 at 11:26 AM, in message 
> , Alexander Clouter 
>  wrote:
>> schilling  wrote:
>>> I get dynamic VLAN assignment working in post-auth section with 
>>> help/hints from a lot of list members. Now I want to do one more 
>>> steps. I would like to hash the username or mac-address to distribute 
>>> users to different VLANs. The idea is to use freeradius to spread the 
>>> load on different smaller subnets to reduce the broadcast in bigger 
>>> VLANs.
>> You are however not reducing the broadcast domain, you might be 
>> segregating the noise though.  If you have large L2 broadcast domains, 
>> splitting people up into different V
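As an added illustration of the deterministic-hash approach Ken describes (and the reason a hash of State is unsafe: it changes, the username does not), this is my own code, not code from anyone in the thread: a post_auth that maps the username with crc32 into a per-group VLAN pool. The VLAN ids, the pool layout and the username-format rule that stands in for the LDAP lookup are my assumptions.

```perl
# Added example (not code from the thread): a post_auth that picks a VLAN
# from a per-group pool with a deterministic hash of the username, so the
# same user always lands on the same VLAN across re-authentications.
use strict;
use warnings;
use Compress::Zlib ();   # crc32() ships with core Perl via Compress::Zlib

our (%RAD_REQUEST, %RAD_REPLY);

# Return codes and log levels as defined in FreeRADIUS's example.pl.
use constant { RLM_MODULE_NOOP => 7, RLM_MODULE_UPDATED => 8 };
use constant { L_INFO => 3 };

# ASSUMED pools: placeholder VLAN ids, one pool per user type.
my %POOL = (
    staff   => [ 101, 102, 103 ],
    student => [ 201, 202, 203, 204 ],
);

# Stand-in for the LDAP lookup the thread describes. The posts say staff
# and students have different username formats; this ASSUMES student
# usernames are all digits and everything else is staff.
sub user_type {
    my ($name) = @_;
    return 'student' if $name =~ /^\d+$/;
    return 'staff';
}

# Deterministic pool index: crc32 of the lowercased name modulo pool size.
# Lowercasing keeps "jsmith" and "JSmith" on the same VLAN.
sub vlan_for {
    my ($name) = @_;
    my $pool = $POOL{ user_type($name) };
    my $idx  = Compress::Zlib::crc32(lc $name) % @$pool;
    return $pool->[$idx];
}

# Offline check: how a list of names spreads over the pools. Run it against
# a real username list before deploying to see whether balance is acceptable.
sub distribution {
    my %count;
    $count{ vlan_for($_) }++ for @_;
    return \%count;
}

sub post_auth {
    my $name = $RAD_REQUEST{'Stripped-User-Name'} // $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $name && length $name;

    my $vlan = vlan_for($name);
    # RFC 3580 reply attributes the switch or wireless controller reads.
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $vlan;
    &radiusd::radlog(L_INFO, "vlan: $name -> $vlan");
    return RLM_MODULE_UPDATED;
}

1;
```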

Re: When to ldap?

2010-05-13 Thread Dean, Barry

On 13 May 2010, at 10:15, Alan DeKok wrote:

> Dean, Barry wrote:
> ...
>>  [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk, with 
>> filter (sAMAccountName=user)
>> [ldap] looking for check items in directory...
>> [ldap] looking for reply items in directory...
>> WARNING: No "known good" password was found in LDAP.  Are you sure that the 
>> user is configured correctly?
>  I mean, really... what's the issue?

The issue is that the self same configuration in FreeRADIUS 2.0.2 works! But 
with 2.1.8 it fails.

The difference in the debug output is:

++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate

In FR 2.0.2 this "rad_check_password" is causing LDAP authentication, whereas 
in FR 2.1.8 the same section of debug output says:

++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.

> ...
>> [pap] WARNING! No "known good" password found for the user.  Authentication 
>> may fail because of this.
>  That should be a hint.

True. My problem was why was LDAP not being attempted for this basic request. 
No EAP, just a username and a password, which works just fine with FR 2.0.2.

In fact with 2.0.2 either:

if (!EAP-Message) {



Works in the authorise section as the Non-EAP request calls ldap either way.

With FR 2.1.8, both fail. They follow the same path and produce the "No 
authentication method ..." error.

All the complex EAP/TTLS/PEAP/MSCHAP etc stuff is working with FR 2.1.8 with my 
config, just the simple stuff is broken.

Maybe my question should have been:

"FR 2.0.2 reports 'rad_check_password: Found Auth-Type ldap' then goes on to 
authenticate a user against LDAP, whereas FR 2.1.8 reports that there is no 
Auth-Type set and does not attempt LDAP authentication."

Complete output for working one:

rad_recv: Access-Request packet from host port 33158, id=66, 
User-Name = "user"
User-Password = "password"
NAS-IP-Address =
server radius {
+- entering group authorize
++[preprocess] returns ok
expand: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> 
rlm_detail: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to 
expand: %t -> Thu May 13 10:46:02 2010
++[auth_log] returns ok
++? if ("%{User-Name}" =~ /forbidden/i)
expand: %{User-Name} -> user
? Evaluating ("%{User-Name}" =~ /forbidden/i) -> FALSE
++? if ("%{User-Name}" =~ /forbidden/i) -> FALSE
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "user"
rlm_realm: Proxying request from user user to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap-eduroam] returns noop
users: Matched entry user at line 203
++[files] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> TRUE
++- entering if (!EAP-Message)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
expand: %{Stripped-User-Name} -> user
expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
expand: OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk -> 
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to, authentication 0
rlm_ldap: bind as CN=radius-account,OU=Service 
Accounts,OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk/special-password to
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk, with 
filter (sAMAccountName=user)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap: Setting Auth

Re: When to ldap?

2010-05-13 Thread Dean, Barry

On 13 May 2010, at 06:54, Alan DeKok wrote:

> Dean, Barry wrote:
>> I am working on a new radius config and have been trying to avoid the lookup 
>> in LDAP I have been seeing for the outer identity.
>> I have moved to 2.1.8 with the inner-tunnel virtual host enabled.
>> I have an authorise section for the relevant virtual server that has:
>  *which* virtual server?

I have 3 virtual servers on this host, one is for just local 
authentication, one is for the JANET Roaming Service and one is for our local 
Guest Wireless service. The config section I posted was from the local auth 
virtual server.

Complete config:

# Local auth
server radius {
listen {
ipaddr = 
port = 0
type = auth
listen {
ipaddr = 
port = 0
type = acct
proxy_requests  = no

$INCLUDE local-clients.conf

authorize {
if ("%{User-Name}" =~ /forbidden/i) {
update reply {
Reply-Message = "Cannot use this user account"
eap {
ok = return
if (!EAP-Message) {

authenticate {
Auth-Type PAP {
Auth-Type CHAP {
Auth-Type MS-CHAP {
Auth-Type LDAP {
Auth-Type EAP {

preacct {
accounting {

session {

post-auth {
Post-Auth-Type REJECT {
pre-proxy {

post-proxy {

>> The "if(!EAP-Message)" works a treat at preventing an LDAP lookup for the 
>> outer identity, but if I want to send a basic User-Name/User-Password type 
>> auth request after checking with LDAP and returning "Remote access is 
>> permitted", I then see:
>> No authenticate method (Auth-Type) configuration found for the request: 
>> Rejecting the user
>  And the *rest* of the debug log says ?

Complete log is:
rad_recv: Access-Request packet from host port 63775, id=111, 
User-Name = "user"
User-Password = "password"
NAS-IP-Address =
server radius {
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> 
[auth_log] /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to 
[auth_log]  expand: %t -> Thu May 13 09:47:31 2010
++[auth_log] returns ok
++? if ("%{User-Name}" =~ /forbidden/i)
expand: %{User-Name} -> user
? Evaluating ("%{User-Name}" =~ /forbidden/i) -> FALSE
++? if ("%{User-Name}" =~ /forbidden/i) -> FALSE
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "user"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap-eduroam] No EAP-Message, not doing EAP
++[eap-eduroam] returns noop
++[files] returns noop
[ldap] performing user authorization for user
[ldap]  expand: %{Stripped-User-Name} -> user
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
[ldap]  expand: OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk -> 
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to adse

When to ldap?

2010-05-12 Thread Dean, Barry
I am working on a new radius config and have been trying to avoid the lookup in 
LDAP I have been seeing for the outer identity.

I have moved to 2.1.8 with the inner-tunnel virtual host enabled.

I have an authorise section for the relevant virtual server that has:

authorize {
eap {
ok = return
if (!EAP-Message) {

The "if(!EAP-Message)" works a treat at preventing an LDAP lookup for the outer 
identity, but if I want to send a basic User-Name/User-Password type auth 
request after checking with LDAP and returning "Remote access is permitted", I 
then see:

No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user

What am I missing to tell the "authenticate" section below what I want to do 

authenticate {
Auth-Type PAP {
Auth-Type CHAP {
Auth-Type MS-CHAP {
Auth-Type LDAP {
Auth-Type EAP {

I presume:

   if (!EAP-Message) {

Fails to set Auth-Type LDAP?

Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
Tel: 0151 795 9540




Compiling rlm_perl on Solaris 10

2010-04-19 Thread Dean, Barry
I have been having problems compiling rlm_perl on Solaris 10 Intel and have 
spent days googling for an answer.

Most answers say: "use --without-rlm_perl", which is not much use when you 
actually *need* it!

Here is what I did to solve it, hopefully this will save someone some pain:

Firstly, my source that built without rlm_perl fine on 9th April 2010, stopped 
compiling on 16th April 2010 after some Solaris patches!

I got an error telling me that ltdl.h was not found. This is fixed by defining 
CFLAGS in the environment before the ./configure stage:

setenv CFLAGS -I//libltdl (C shell type shells)
CFLAGS="-I//libltdl" ; export CFLAGS (sh shells and 

Over hurdle one! What caused this I still have no idea.

Now you have to do:

./configure --with-static-modules=perl

When that is complete, you have to edit /src/main/Makefile> and locate the line:


and edit it to include the path to your DynaLoader.a for your version of Perl, 
mine was as below:


Now build the source with make. It should compile!

Over hurdle two...

Before you can now run radiusd, you will need to do what it says at the end of 
the make, and add a library path to LD_LIBRARY_PATH so can be found, 
mine was:


and it all comes together and you get a radiusd with rlm_perl that actually 

Over the last hurdle!

All I have to do now is write some clever Perl, figure out where to call it and 
I will be on the home straight!

Best of luck to other Solaris users...

Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department




Re: To proxy, or not to proxy, that is the question ...

2009-10-15 Thread Dean, Barry
Thanks for this, and thanks to Bob Franklin too. I have something  
working now by selecting on client name and re-writing the User-Name  
to append "bcm", then proxying that alone to the NAC servers. This  
leaves all the config I had before for my existing domains alone.

I might try the other virtual server approach as well as that is quite  

All I need now is for the blasted NAC server to recognise me as a  
client and actually do something instead of ignoring me!

Thanks again.

(I now speak some unlang!)

On 15 Oct 2009, at 15:50, Alan Buxey wrote:

> Hi,
>> if (domain is local AND authenticating from a local NAS) then
>>  authenticate locally by proxy to Bradford Campus Manager
>>  (Campus Manager will receive the stripped u...@realm as user and
>> proxy to the local server address)
>> else
>>  authenticate and return ACK/NACK to remote server in usual way for
>> one of our users visiting remote site
>> fi
>> The part I am not sure how to do is the last part, a conditional proxy
>> based on source NAS. I assume I need to dip into unlang, but can I put
>> that into the proxy.conf file?
> with 2.x ?   just ensure that clients are defined correctly - either by
> doing as the other post said, or create a new virtual server (copy your
> current one and rename it eg 'eduroam' and then define the proxies as being
> handled by that server ie
> internal stuff -> [RADIUS server  {default/inner}] -> return attributes etc
> external stuff -> [RADIUS server  {eduroam/inner}] -> no return attributes etc
> look at the virtual_server definition in the clients.conf - that says, basically,
> for any request from that client, slap it through that virtual server.
> this means you can actually have a very stripped down virtual server... no need for
> anything weird...anything coming from the proxies will be solely for you (because
> the proxy has done the realm work already and decided on suitable target) and
> you don't need to deal with setting VLANs etc. the only thing you may want in place
> is an authorise section to deal with people who cannot remotely authenticate - eg
> they've broken AUP or are infected with virus/reported as bad etc
> alan

Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department



To proxy, or not to proxy, that is the question ...

2009-10-15 Thread Dean, Barry
I currently run two virtual servers, one for our local secure wireless  
and one for eduroam customers.

The local one receives RADIUS packets from Bradford Campus Manager,  
which is responsible for Network Access Control and stamps Auth-OK  
replies with the VLAN for the user.

What I want to do is combine these wireless services, so that we just  
have eduroam.

The functionality we will need, will be:

The requests will come to the eduroam server address.

if (no domain specified) then
who are ya?

if (domain is non-local) then
proxy to user's home site.

if (domain is local AND authenticating from a local NAS) then
authenticate locally by proxy to Bradford Campus Manager
(Campus Manager will receive the stripped u...@realm as user and  
proxy to the local server address)
authenticate and return ACK/NACK to remote server in usual way for  
one of our users visiting remote site

The part I am not sure how to do is the last part, a conditional proxy  
based on source NAS. I assume I need to dip into unlang, but can I put  
that into the proxy.conf file?

realm {
   if( NAS-IP-Address ~= /192.168.*/ ) then # match my likely clients...
  set-up A
  set-up B

Or whatever (I don't speak unlang, yet!), or have I got to determine  
the source of the request somewhere else and use unlang to re-write  
the realm to some special sentinel value that would be caught in  
proxy.conf like:

realm {
do the normal thing

realm {
do the clever NAC proxy stuff

As usual, thanks for your time and hope someone can steer me in the  
right direction before my head explodes.

(Yes I did read the docs, didn't help in this case!)

Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department



Using multiple certificates

2009-09-07 Thread Dean, Barry
I have been asked if it is possible to run two SSIDs on our wireless,  
let's call them A and B, that authorise against a FreeRADIUS server  
running as two virtual servers radiusA and radiusB.

What we want is to have radiusA use a different server certificate  
from radiusB.

However, as I see it, this looks impossible as the EAP configuration  
is global in eap.conf and not per server instance. Is this true or am  
I not being creative enough!

Can you place the eap definition inside the site files in sites-available 
and make it different per server instance is the question I  

Any help would be appreciated. A quick google reveals a similar  
question in 2007 which got no answers :-(

Barry Dean
Networks Group
University of Liverpool



RE: RADIUSD amnesia!

2008-09-23 Thread Dean, Barry
Ah! Changed and seems to work now. I probably thought that using names would 
make me immune to IP address changes..

My eduroam user will be very pleased if this works again.


Barry Dean
Networks Team

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 23 September 2008 14:59
To: FreeRadius users mailing list
Subject: Re: RADIUSD amnesia!

Dean, Barry wrote:
> My RADIUS server forgot about some clients, all by itself, honest!

  Nope.  You have clients listed as *hostnames* rather than *addresses*.
 Who ever controls DNS changed the mapping of hostname to address, so
the old address is no longer accepted.

  Alan DeKok.

RADIUSD amnesia!

2008-09-23 Thread Dean, Barry
I am somewhat confused.

My RADIUS server forgot about some clients, all by itself, honest!

Users stopped being able to authenticate (I say users, we had one!), using 
eduroam from Portugal, turns out that some time after September 5th, the RADIUS 
server stopped recognising the JANET roaming RADIUS servers!

I had to restart the servers on September 8th after a failure of our Active 
Directory servers. RADIUS/Winbind did not recover without help when AD came 
back. It was the same config however.

There had been a restart on 17th March, 8th Sep and 23rd Sep, so RADIUS was 
running at the time it developed its amnesia.

-X output attached, with error at the bottom I am seeing when trying to 
authenticate from off-site.

Anyone got any ideas?

---cut here
# /usr/radius/sbin/radiusd -X

FreeRADIUS Version 2.0.2, for host i386-pc-solaris2.10, built on Mar  7 2008 at 
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/radius/etc/raddb/radiusd.conf
including configuration file /usr/radius/etc/raddb/proxy.conf
including configuration file /usr/radius/etc/raddb/snmp.conf
including configuration file /usr/radius/etc/raddb/eap.conf
including configuration file /usr/radius/etc/raddb/sql.conf
including configuration file /usr/radius/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/radius/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/radius/etc/raddb/policy.conf
including files in directory /usr/radius/etc/raddb/sites-enabled/
including configuration file /usr/radius/etc/raddb/sites-enabled/janet-roaming
including configuration file /usr/radius/etc/raddb/jrs-clients.conf
including configuration file /usr/radius/etc/raddb/sites-enabled/local-auth
including configuration file /usr/radius/etc/raddb/local-clients.conf
including dictionary file /usr/radius/etc/raddb/dictionary
main {
prefix = "/usr/radius"
localstatedir = "/usr/radius/var"
logdir = "/usr/radius/log"
libdir = "/usr/radius/lib"
radacctdir = "/usr/radius/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/radius/var/run/radiusd/"
user = "radius"
group = "radius"
checkrad = "/usr/radius/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 realm LOCAL {
authhost = LOCAL
accthost = LOCAL
 realm NULL {
authhost = LOCAL
accthost = LOCAL
 realm {
authhost = LOCAL
accthost = LOCAL
 realm {
authhost = LOCAL
accthost = LOCAL
 realm DEFAULT {
authhost =
accthost =
secret = 
 realm DEFAULT {
authhost =
accthost =
secret = 
 } # realm DEFAULT
 realm DEFAULT {
authhost =
accthost =
secret = 
 } # realm DEFAULT
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = "Password Has Expired  "
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
radiusd:  Loading Virtual Servers 
server jrsradius {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = "auto"
auto_header = yes
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/sfw/bin/ntlm_auth --request-nt-key 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = "/usr/radius/log/radwtmp"
 Module: Linked to module rlm_ldap

Realms and proxying

2008-08-19 Thread Dean, Barry
I currently have a realm defined:

realm {
type= radius
authhost= LOCAL
accthost= LOCAL

I now have one of my departments, which for various complex reasons, has been 
allowed to have its own user accounts.
They have the subdomain name "". I want to proxy RADIUS to their 

If I add:

realm {
type= radius

Is this position dependant? Does it have to appear before the realm 
to prevent "[EMAIL PROTECTED]" being caught by the first realm?

I have:

realm suffix {
format = suffix
delimiter = "@"

in radius.conf.

Barry Dean
Networks Team
Computing Services Department
Tel: 0151 794 5641 (x45641)

List info/subscribe/unsubscribe? See

RE: 1.1.7 to 2.0.2 config for Realms problem

2008-06-05 Thread Dean, Barry
Thanks. All working now!

One more thing, what happened to:


between 1.1.7 and 2.0.x? Are they still supported?

Barry Dean
Networks Team

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 05 June 2008 12:17
To: FreeRadius users mailing list
Subject: Re: 1.1.7 to 2.0.2 config for Realms problem

Dean, Barry wrote:
> I have a problem with a realm configuration that used to work with FR 1.1.7, 
> but does not work at all with 2.0.2 and virtual servers.
> I have a virtual server defined in sites-available/janet-roaming thus:
> server jrsradius {
> $INCLUDE jrs-proxy.conf

> jrs-proxy.conf contains:
> proxy server {
> default_fallback = no
> post_proxy_authorize = no
> }

  The proxy configuration is global.  The default configuration shows it
as global.

> home_server localhost {

  Home servers are also global.

> They are not mentioned during server startup with "-X and -xx" beyond:
> Thu Jun  5 11:57:16 2008 : Debug: including configuration file 
> /usr/radius/etc/raddb/sites-enabled/janet-roaming
> Thu Jun  5 11:57:16 2008 : Debug: including configuration file 
> /usr/radius/etc/raddb/jrs-proxy.conf
> so is the config being ignored because it is wrong?

  It's being ignored because the proxy && realm configurations are in
the server section.  They must be global.

  Alan DeKok.

1.1.7 to 2.0.2 config for Realms problem

2008-06-05 Thread Dean, Barry
I have a problem with a realm configuration that used to work with FR 1.1.7, 
but does not work at all with 2.0.2 and virtual servers.

I have a virtual server defined in sites-available/janet-roaming thus:

server jrsradius {
listen {
ipaddr =
port = 0
type = auth
listen {
ipaddr =
port = 0
type = acct
proxy_requests  = yes

$INCLUDE jrs-proxy.conf

$INCLUDE jrs-clients.conf

authorize {
eap {
ok = return

authenticate {
Auth-Type PAP {
Auth-Type CHAP {
Auth-Type MS-CHAP {
Auth-Type LDAP {

 ... some stuff removed for brevity!

jrs-proxy.conf contains:

proxy server {
default_fallback = no
post_proxy_authorize = no

home_server localhost {
type = auth
ipaddr =
port = 1812
secret = testing123
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3

realm LOCAL {
#  If we do not specify a server pool, the realm is LOCAL, and
#  requests are not proxied to it.
type= radius
authhost= LOCAL
accthost= LOCAL

realm NULL {
type= radius
authhost= LOCAL
accthost= LOCAL

realm {
type= radius
authhost= LOCAL
accthost= LOCAL

realm {
type= radius
authhost= LOCAL
accthost= LOCAL

(stuff for JENET NRPS servers removed)

But logging in as [EMAIL PROTECTED] I get:

Thu Jun  5 11:57:21 2008 : Debug: rlm_realm: Looking up realm 
"" for User-Name = "[EMAIL PROTECTED]"
Thu Jun  5 11:57:21 2008 : Debug: rlm_realm: No such realm ""

What have I done wrong in defining the realms for and
Wrong place? Wrong syntax?

They are not mentioned during server startup with "-X and -xx" beyond:

Thu Jun  5 11:57:16 2008 : Debug: including configuration file 
Thu Jun  5 11:57:16 2008 : Debug: including configuration file 

so is the config being ignored because it is wrong?


Barry Dean
Networks Team
Computing Services Department
Tel: 0151 794 5641 (x45641)

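Both the "Realms and proxying" question above (does a departmental realm have to be listed before its parent?) and the "No such realm" debug line in this thread come down to how rlm_realm picks a realm. The Python below is an added model of that lookup as I read rlm_realm with format = suffix, not FreeRADIUS code: the text after the last "@" is matched as a whole, case-insensitively, against the configured realm names, "NULL" is used when there is no "@", and DEFAULT is the fallback, so position in the file is irrelevant. The realm names and home-server hosts are constructed.

```python
# Python model of the realm lookup FreeRADIUS 2.x rlm_realm performs with
# format = suffix.  Added example, not FreeRADIUS code; realm names and
# home-server hosts are constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Realm:
    name: str
    authhost: str = "LOCAL"  # "LOCAL": authenticate here, do not proxy
    accthost: str = "LOCAL"

    @property
    def is_local(self) -> bool:
        return self.authhost == "LOCAL"


class RealmTable:
    """Realms keyed by lower-cased name.  The lookup is an exact,
    case-insensitive match on the whole suffix, so the order in which
    realm {} blocks appear in the configuration does not matter."""

    def __init__(self, realms: Iterable[Realm]) -> None:
        self._by_name = {r.name.lower(): r for r in realms}

    def find(self, name: Optional[str]) -> Optional[Realm]:
        # No '@' in User-Name: rlm_realm looks up the realm called "NULL".
        realm = self._by_name.get((name or "NULL").lower())
        if realm is not None:
            return realm
        # Unknown suffix: fall back to realm DEFAULT when one is defined.
        return self._by_name.get("default")


def lookup(table: RealmTable, user_name: str,
           delimiter: str = "@") -> Optional[Tuple[str, str, bool]]:
    """Return (Stripped-User-Name, Realm, proxied) for a User-Name, or
    None when nothing matches, which is the 'No such realm' case."""
    if delimiter in user_name:
        # format = suffix splits at the *last* delimiter.
        stripped, _, realm_name = user_name.rpartition(delimiter)
    else:
        stripped, realm_name = user_name, None
    realm = table.find(realm_name)
    if realm is None:
        return None
    # A LOCAL realm still yields Stripped-User-Name and Realm attributes;
    # it is just not proxied ("Authentication realm is LOCAL").
    return stripped, realm.name, not realm.is_local


# Constructed realm table: a parent realm handled locally, a departmental
# sub-realm proxied to its own server, and a DEFAULT catch-all.
REALMS = RealmTable([
    Realm("NULL"),
    Realm("LOCAL"),
    Realm("uni.example"),
    Realm("dept.uni.example", authhost="radius.dept.uni.example",
          accthost="radius.dept.uni.example"),
    Realm("DEFAULT", authhost="proxy.example", accthost="proxy.example"),
])

if __name__ == "__main__":
    for name in ("alice", "alice@uni.example", "bob@dept.uni.example",
                 "carol@somewhere.else"):
        print(name, "->", lookup(REALMS, name))
```

Without a DEFAULT realm, an unknown suffix returns None, which is the situation the 2.0.2 debug output shows when the realm blocks were being ignored.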

RE: Freeradius and Active directory (An aside)

2008-05-20 Thread Dean, Barry
Alan DeKok said:

>  It is impossible to use CHAP to authenticate to AD.  You MUST use
> MS-CHAP, or PAP.

When testing my Radius server with AD and XSupplicant I found that EAP-TTLS 
with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all 

So you have explained why EAP-TTLS (CHAP) fails, thanks!

So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my Radius config 

Barry Dean
Networks Team

2008-03-17 Thread Dean, Barry
I know this is not strictly a FreeRADIUS problem, but I am betting someone on 
this list has been here and got the tee shirt!

I have joined my two RADIUS servers (FreeRADIUS 2.0.2, Solaris 10 x86, winbindd 
3.0.25a) to our AD domain with the "net join" command. This worked 

Now when I test "ntlm_auth" I get the following odd goings on:

Scenario A: Works

Type: ntlm_auth --username=USER --password=PASSWORD --domain=DOMAIN
Result: NT_STATUS_OK: Success (0x0)

Scenario B: FAILS

Type: ntlm_auth --username=USER --domain=DOMAIN

Result: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)

What's different about the password handling between A and B?

The upshot is that the command issued by FreeRADIUS:

ntlm_auth = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=
%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --

Also fails.

So my MSCHAPv2 auth is now broken.

This worked with our Test AD environment fine. I am told the only difference 
between test/production is:

1) Production is in "native mode"
2) Production supports logins using both "USER\DOMAIN" and "[EMAIL PROTECTED]" 

If the answer to my problem is "Ask the Samba list", I'll pop over there!

Thanks in advance.

Barry Dean
Networks Team

RE: ClearText-Password?

2008-03-05 Thread Dean, Barry
> Hi,
>> rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, 
>> id=195, length=49 User-Name = "user"
>> User-Password = "passwd"
>> NAS-IP-Address = 138.253.XXX.XXX

>There. No MS-CHAP-Challenge. You are not supposed to process this packet with 
>the rlm_mschap module. Why does it fail? ...

I see now why this was failing. Client was doing non-MSCHAP and there was no 
section telling RADIUS how to authenticate this type of request.

>> Config:
>> users:
>> DEFAULT Auth-Type = mschap
>> Acct-Session-Id = "Local",
>> Fall-Through = Yes

>Write a hundred times on the blackboard: "I will not set Auth-Type." The 
>server will figure out itself what to do. In this case, PAP.

Duly removed. I inherited the config and assumed it had been added for good 
reason. It works without so it has been removed.

>> If I don’t force MSCHAP in users, how else do I get the user checked 
>> against AD when the only place ntlm_auth is called is inside the 
>> mschap module?

>You configure your AD server in the ldap {} section and uncomment the ldap 
>stanzas in authorize and authenticate. You don't call ntlm_auth then, and 
>that is because you don't need ntlm_auth - user authentication is done with 
>an LDAP bind() operation with the user credentials.

With some pain, I now have the LDAP to AD authentication working. I have not 
tested *all* methods, but the ones I am interested in supporting seem to work. 
EAP-MD5 fails, but that is an exercise for another day if I feel I need to fix 

>Stefan Winter

Thanks for your help. You pointed me in the right direction which was all I 
needed really.

Barry Dean
Networks Team

RE: ClearText-Password?

2008-03-03 Thread Dean, Barry

rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, 
User-Name = "user"
User-Password = "passwd"
NAS-IP-Address = 138.253.XXX.XXX
+- entering group authorize
++[preprocess] returns ok
++? if ("%{User-Name}" =~ /barred-user/i)
expand: %{User-Name} -> user
? Evaluating ("%{User-Name}" =~ /barred-user/i) -> FALSE
++? if ("%{User-Name}" =~ /barred-user/i) -> FALSE
/usr/radius201/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> 
rlm_detail: /usr/radius201/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /usr/radius201/log/radacct/138.253.XXX.XXX/auth-detail-20080303
expand: %t -> Mon Mar  3 11:28:08 2008
++[auth_log] returns ok
++[mschap] returns noop
++[chap] returns noop
rlm_realm: No '@' in User-Name = "user", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "user"
rlm_realm: Proxying request from user user to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
users: Matched entry DEFAULT at line 211
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type mschap
auth: type "MSCHAP"
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: No MS-CHAP-Challenge in the request
++[mschap] returns reject
auth: Failed to validate the user.
Login incorrect: [user/passwd] (from client EZProxy port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 195 to 138.253.XXX.XXX port 47032
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, 
Sending duplicate reply to client EZProxy port 47032 - ID: 195
Sending Access-Reject of id 195 to 138.253.XXX.XXX port 47032
Waking up in 4.9 seconds.
Cleaning up request 0 ID 195 with timestamp +24
Ready to process requests.




DEFAULT Auth-Type = mschap
Acct-Session-Id = "Local",
Fall-Through = Yes


mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/sfw/bin/ntlm_auth --request-nt-key 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


If I don’t force MSCHAP in users, how else do I get the user checked against AD 
when the only place ntlm_auth is called is inside the mschap module?

Barry Dean
Networks Team

2008-03-03 Thread Dean, Barry
I am migrating my RADIUS from:

a) FreeBSD, FreeRADIUS 1.1.7, eDirectory lookups.


b) Solaris 10 x86, FreeRADIUS 2.0.1, Active Directory, winbindd etc.

I stripped out all the LDAP stuff from the config, enabled ntlm_auth in the 
mschap module, changed the users file DEFAULT entry from LDAP to mschap, and 
bingo it works, almost!

At least both "a" and "b" work for 802.1x/EAP-TTLS clients. However for other 
clients such as EZProxy, only "a" works.

From my new config, debug says:

+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: No MS-CHAP-Challenge in the request
++[mschap] returns reject

So it fails. 

My Question is:

"Where is no ClearText-Password configured?"

1) Is it the RADIUS client not providing one?
2) Is it the RADIUS config that is missing something?
3) Is it the AD directory that is missing a ClearText-Password?

Barry Dean
Networks Team
Computing Services Department
Tel: 0151 794 5641 (x45641)

RE: unlang? - reject unknown?

2008-01-24 Thread Dean, Barry
>  "man unlang".  Look for "case-insensitive".  In this case, you would
> delete that "users" file entry, and use "unlang"
>  authorize {
>   ...
>   if ("%{User-Name}" =~ /special/i) {
>   update reply {
>   Reply-Message = "Cannot use this user account"
>   reject
>   }
>   }
>   ...
> That should work.

I added this to the "authorize" section of radiusd.conf just after "preprocess" 
and before "auth_log" and it gives the error:

radiusd.conf[1810]: ERROR: Unknown attribute reject
radiusd.conf[1808]: Failed to parse "update" subsection.
radiusd.conf[1788]: Errors parsing authorize section.

Have I messed up here by misunderstanding you completely! 

2008-01-18 Thread Dean, Barry
I am testing my current 1.1.7 config with version 2.0.0.

I have 2 bits of config that are not quite right on 2.0.0

1) I have the line:

filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"

I am not sure why, I inherited this setup and I am still trying to understand 
it. The LDAP server is eDirectory (FreeRADIUS compiled with -with-edir)

The "-X" output says:

WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=user)
expand: o=uol -> o=uol

What is the replacement for ":-" given I don't know what it did in the first 
place for "man unlang" to be any help!

2) Rejecting a user

I have a specific user account (call it "special") it was barred using:

special Auth-Type := Reject
Reply-Message = "Cannot use this user account"

in the users file.

Variants like " special", "Special" and "SPECIAL" etc. get by this check, and 
our LDAP server allows them! So I added:

lower_user = before
lower_pass = no
nospace_user = before
nospace_pass = no

to radius.conf. These no longer seem to work. How do you achieve this with 
version 2.0.0?

Barry Dean
Networks Team
Computing Services Department
Tel: 0151 794 5641 (x45641)

RE: Some users can't login after upgrade!

2007-11-13 Thread Dean, Barry
This fixed the problem for these users. Thanks to the list, and special thanks 
to Alan for solving this.

Barry Dean
Networks Team

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean, Barry
Sent: 13 November 2007 09:31
To: FreeRadius users mailing list
Subject: RE: Some users can't login after upgrade!

Our Novell experts have looked into the LDAP database and found that the 
affected accounts do indeed have the sasDefaultLoginSequence attribute, in fact 
only a handful of accounts have it.

They are testing now. I will let you all know what happens.

Barry Dean
Networks Team

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 09 November 2007 15:11
To: FreeRadius users mailing list
Subject: Re: Some users can't login after upgrade!

Dean, Barry wrote:
> The debug output (private data masked) can be picked up from:
> Version 1.1.4 (Works):
> Version 1.1.7 (Broken):
> They are reasonably long so I did not want to post them as a long email!
> My reading of them indicates that the eDirectory returns a "NOT OK" to 1.1.7 
> and an "OK" to 1.1.4 for the
> same user account!

  Novell contributed a patch to allow changing the eDirectory NMAS
authentication option.  In the source, they look for "".  In
the debug logs you provide, eDirectory returns "--No default--".

  Try changing "sasDefaultLoginSequence" to "" for the user.

  In short, the Novell patch doesn't seem to agree with the behavior of
Novell's eDirectory server.

  Alan DeKok.

RE: Some users can't login after upgrade!

2007-11-13 Thread Dean, Barry
Our Novell experts have looked into the LDAP database and found that the 
affected accounts do indeed have the sasDefaultLoginSequence attribute, in fact 
only a handful of accounts have it.

They are testing now. I will let you all know what happens.

Barry Dean
Networks Team

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 09 November 2007 15:11
To: FreeRadius users mailing list
Subject: Re: Some users can't login after upgrade!

Dean, Barry wrote:
> The debug output (private data masked) can be picked up from:
> Version 1.1.4 (Works):
> Version 1.1.7 (Broken):
> They are reasonably long so I did not want to post them as a long email!
> My reading of them indicates that the eDirectory returns a "NOT OK" to 1.1.7 
> and an "OK" to 1.1.4 for the
> same user account!

  Novell contributed a patch to allow changing the eDirectory NMAS
authentication option.  In the source, they look for "".  In
the debug logs you provide, eDirectory returns "--No default--".

  Try changing "sasDefaultLoginSequence" to "" for the user.

  In short, the Novell patch doesn't seem to agree with the behavior of
Novell's eDirectory server.

  Alan DeKok.

RE: Some users can't login after upgrade!

2007-11-09 Thread Dean, Barry
The debug output (private data masked) can be picked up from:

Version 1.1.4 (Works):
Version 1.1.7 (Broken):

They are reasonably long so I did not want to post them as a long email!

My reading of them indicates that the eDirectory returns a "NOT OK" to 1.1.7 
and an "OK" to 1.1.4 for the
same user account!

The debug traces contained the password, so I was able to check it was the 
same, it was.

Barry Dean
Networks Team

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 08 November 2007 16:21
To: FreeRadius users mailing list
Subject: Re: Some users can't login after upgrade!

Dean, Barry wrote:
> We also use RADIUS with EZProxy. I used a spare EZProxy test box and asked 
> the user to login using that, failed with 1.1.7 RADIUS, changed it to use a 
> spare 1.1.4 server and they could login!

  Can you post the output of debugging mode for 1.1.4 where it works,
and 1.1.7 where it doesn't, all for the same user?

  Alan DeKok.

Some users can't login after upgrade!

2007-11-08 Thread Dean, Barry
The configuration I had was FreeRADIUS 1.1.4 running on NetBSD_3.0 (STABLE) 
authenticating to Novell eDirectory using LDAP.

All was fine...

I upgraded to FreeRADIUS 1.1.7 and all seemed OK, until two of my users found 
they can no longer login to the Cisco VPN3000 which uses this RADIUS. The log 
files simply show:

Tue Nov  6 15:06:40 2007 : Auth: Login incorrect: [] (from client vpn3000 
port 13712 cli X.X.X.X)

We also use RADIUS with EZProxy. I used a spare EZProxy test box and asked the 
user to login using that, failed with 1.1.7 RADIUS, changed it to use a spare 
1.1.4 server and they could login!

User names are alphabetic only and less than 8 characters, passwords are 
alpha-numeric only and 8 characters.

I am reasonably new to RADIUS and cannot figure out why these two users are 
being singled out!

I thought at first it might be because we have "edir_account_policy_check=yes" 
and that given the ChangeLog for 1.1.7 says "Added more eDirectory support.", 
and the two users possibly have extra attributes as they are sysadmins, that 
something was being checked that was not with 1.1.4 and that was preventing 

However, later in radiusd.conf, in the post-auth section, the LDAP server entries 
are commented out, and it says:

  #  Un-comment the following if you have set
#  'edir_account_policy_check = yes' in the ldap module sub-section of
#  the 'modules' section. 

So does this mean this feature is not in operation?

Has anyone any ideas where I should start looking?


Barry Dean
Networks Team
University of Liverpool
