MAC based Vlan problem

2010-03-18 Thread Dr.Peer-Joachim Koch
Hi,

we're using freeradius to switch different computers into various
vlans on our switches. We have had a working configuration for
freeradius 1.x, but for 2.1.6 (running on SLES) this configuration is
working differently.
We're including a file looking like this:
---
# VLAN 14
#
#
DEFAULT
        Tunnel-Private-Group-ID = 14,
        Foundry-802_1x-enable = 0,
        Fall-Through = 1
#
aaabbbcccddd User-Password == aaabbbcccddd

# VLAN 15
#
#
DEFAULT
        Tunnel-Private-Group-ID = 15,
        Foundry-802_1x-enable = 0,
        Fall-Through = 1
#
bbbcccdddaaa User-Password == bbbcccdddaaa

---


On the new freeradius *all* valid mac addresses are
getting the vlan Tunnel-Private-Group-ID from the
first statement. All other vlan ids are ignored.

The advantage was to group all macs according to the vlan-id.
Now you have to add all settings to each mac.


Is there a way to group the mac addresses with one header ?
-- 
Bye,
Peer
_
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10    Telefon: ++49 3641 57-6705
D-07745 Jena         Telefax: ++49 3641 57-7705
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
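
Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of in-order `users` file evaluation, assuming the operator semantics documented in the FreeRADIUS `users` man page (`=` adds a reply attribute only if none of that name is present yet, `:=` replaces it). It reproduces the behaviour described above for the posted file and shows how the result changes under `:=`; `evaluate`, `with_operator` and `vlan_for` are hypothetical names.

```python
# Added example: simplified model of FreeRADIUS "users" file evaluation.
# Entries are (name, check items, reply items, fall_through); constructed from
# the file quoted in the post above.
USERS = [
    ("DEFAULT", {}, [("Tunnel-Private-Group-ID", "=", "14"),
                     ("Foundry-802_1x-enable", "=", "0")], True),
    ("aaabbbcccddd", {"User-Password": "aaabbbcccddd"}, [], False),
    ("DEFAULT", {}, [("Tunnel-Private-Group-ID", "=", "15"),
                     ("Foundry-802_1x-enable", "=", "0")], True),
    ("bbbcccdddaaa", {"User-Password": "bbbcccdddaaa"}, [], False),
]


def evaluate(entries, request):
    """Walk entries in file order; return (mac_entry_matched, reply attrs)."""
    reply, matched = {}, False
    for name, check, items, fall_through in entries:
        if name not in ("DEFAULT", request["User-Name"]):
            continue
        if any(request.get(attr) != val for attr, val in check.items()):
            continue
        for attr, op, val in items:
            # "=" adds only when the attribute is absent; ":=" always replaces.
            if op == ":=" or attr not in reply:
                reply[attr] = val
        matched = matched or name != "DEFAULT"
        if not fall_through:
            break  # a matching entry without Fall-Through ends processing
    return matched, reply


def with_operator(entries, new_op):
    """Same entries with every reply-item operator swapped (hypothetical helper)."""
    return [(n, c, [(a, new_op, v) for a, _, v in items], ft)
            for n, c, items, ft in entries]


def vlan_for(entries, mac):
    """VLAN a MAC-auth request (User-Name == User-Password == MAC) ends up with."""
    matched, reply = evaluate(entries, {"User-Name": mac, "User-Password": mac})
    return reply.get("Tunnel-Private-Group-ID") if matched else None


if __name__ == "__main__":
    for mac in ("aaabbbcccddd", "bbbcccdddaaa", "000000000000"):
        print(mac, "=", vlan_for(USERS, mac),
              ":=", vlan_for(with_operator(USERS, ":="), mac))
```

This models reply-attribute merging only; what a given FreeRADIUS release actually returns should be confirmed in the `radiusd -X` output.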

802.1x+WLAN and radtest

2008-04-23 Thread Dr.Peer-Joachim Koch

Hi,

we are using one radius server for external users to get
access to a 802.1x WLAN.
The radius server is configured to look for the domain
and only answer local requests or requests from our domain.
Everything else is forwarded to a central instance (using
the proxy.conf).

Now I have a strange problem:
When I use our local domain, radtest and the WLAN are working
fine.
When I try to use an external domain account,
radtest says OK, but using the same account
for the WLAN will fail.

How can I debug this error ?

--
Bye,
Peer

Re: 802.1x+WLAN and radtest

2008-04-23 Thread Dr.Peer-Joachim Koch

Hi,

enclosed is the output from radiusd -X

first using radtest, then switching on the WLAN with the
same username and password:

=radiusd -X out

rad_recv: Access-Request packet from host 141.5.16.151:2234, id=228, length=68
User-Name = [EMAIL PROTECTED]
User-Password = PASSWD
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module preprocess returns ok for request 7
radius_xlat:  '/var/log/radius/radacct/141.5.16.151/auth-detail-20080423'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/141.5.16.151/auth-detail-20080423
  modcall[authorize]: module auth_log returns ok for request 7
  modcall[authorize]: module mschap returns noop for request 7
rlm_realm: Looking up realm ice.mpg.de for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm DEFAULT
rlm_realm: Proxying request from user pkoch to realm DEFAULT
rlm_realm: Adding Realm = DEFAULT
rlm_realm: Preparing to proxy authentication request to realm DEFAULT
  modcall[authorize]: module suffix returns updated for request 7
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 7
  modcall[authorize]: module files returns notfound for request 7
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat:  'uid=_'
radius_xlat:  'dc=bgc-jena, dc=mpg, dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=bgc-jena, dc=mpg, dc=de, with filter uid=_
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 7
modcall: leaving group authorize (returns updated) for request 7
Sending Access-Request of id 6 to 193.174.75.134 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = PASSWD
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
Proxy-State = 0x323238
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 193.174.75.134:1812, id=6, length=25
Proxy-State = 0x323238
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 7
 attr_filter: Matched entry DEFAULT at line 103
  modcall[post-proxy]: module attr_filter returns updated for request 7
  modcall[post-proxy]: module eap returns noop for request 7
modcall: leaving group post-proxy (returns updated) for request 7
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module preprocess returns ok for request 7
radius_xlat:  '/var/log/radius/radacct/141.5.16.151/auth-detail-20080423'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/141.5.16.151/auth-detail-20080423
  modcall[authorize]: module auth_log returns ok for request 7
  modcall[authorize]: module mschap returns noop for request 7
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module suffix returns noop for request 7
  modcall[authorize]: module eap returns noop for request 7
  modcall[authorize]: module files returns notfound for request 7
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat:  'uid=_'
radius_xlat:  'dc=bgc-jena, dc=mpg, dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=bgc-jena, dc=mpg, dc=de, with filter uid=_
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 7
modcall: leaving group authorize (returns ok) for request 7
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 7
  modcall[post-auth]: module ldap returns noop for request 7
modcall: leaving group post-auth (returns noop) for request 7
Sending Access-Accept of id 228 to 141.5.16.151 port 2234
Finished request 7
Going to the next request
Waking up in 6 seconds...




===Now the same over WLAN===

--- Walking the entire request list ---
Cleaning up request 7 ID 228 with timestamp 480f2719
Nothing to do.  Sleeping until we see a request.



rad_recv: Access-Request packet from host 141.5.16.23:20008, id=173, length=201
User-Name = [EMAIL PROTECTED]
MS-CHAP-Challenge = 0x04138c9db743bfbb843010bf7f8389aa
MS-CHAP2-Response = 

Re: 802.1x+WLAN and radtest

2008-04-23 Thread Dr.Peer-Joachim Koch

Hi Ivan,

thanks, but I don't have access to this server.
I can only do anything on our proxy.

You are right, the WLAN is configured with wpa2 TKIP PEAP
and ms-chap-V2.

Is there anything else I can do ?

Bye, Peer

Ivan Kalik wrote:

This is the debug from the proxy, not the home server. You need a debug from
the home server to see why the first one is accepted and the second one rejected.

Since the first one was a pap request and the second mschap, the usual problem
is that the password stored on the home server is encrypted.

Ivan Kalik
Kalik Informatika ISP






radiusd not starting

2008-04-15 Thread Dr.Peer-Joachim Koch

Hi,

we updated yesterday one of our servers running Novell SLES 9.
After the update the radiusd (not the sles version, self compiled)
did not work correctly (the load was getting higher and higher).

Therefore I installed the current version of the
freeradius-server (2.0.3) from
http://download.opensuse.org/repositories/network:/aaa/

After fixing a few things in the /etc/raddb/users
the server is running fine when I do a
   radiusd -X
also
   radiusd -f
seems to work.

But neither a
   radiusd
nor
   /etc/init.d/freeradius start
is launching the radiusd daemon. But I cannot see
WHY the radiusd is not starting as daemon.

Any idea ?

--
Bye,
Peer

Re: radiusd not starting

2008-04-15 Thread Dr.Peer-Joachim Koch

Hi,

but even as root:root it's not working!
Shouldn't there be an access denied or something like this?

Here is the startup:

## more Rad2.log#
FreeRADIUS Version 2.0.3, for host i686-suse-linux-gnu, built on Mar 19 2008 at 10:23:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 80
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
user = root
group = root
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = no
 }


[EMAIL PROTECTED] wrote:


permissions - and if you ran radiusd -x you might even see that -
it's probably unable to read some /etc/raddb files, or write to /var/log/radius
etc etc -

alan

--
With kind regards
Peer-Joachim Koch