Re: Upgrading from 2.0.5 to 2.1.8
On Mon, February 8, 2010 11:07, Alan DeKok wrote:
> They should mostly be OK. There are some changes, but they are minor compared to the difference between 1.x and 2.x

Thanks, that's what I needed to hear.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Upgrading from 2.0.5 to 2.1.8
Greetings,

I'd like to upgrade an existing setup from version 2.0.5 to 2.1.8. Are there any gotchas/config changes/problems that I need to be aware of? For example, will the existing config files be OK, or will they require tweaks 'n things?

Any comments are appreciated.

Thanks
Henry
Re: How to control a wpa_supplicant client request can only send to a hostapd NAS?
2009/7/9 Ivan Kalik t...@kalik.net

>> If the network only has the NAS1 device, CLIENT1 can pass the authentication. When the network has two NAS devices, one of which is NAS1 and the other NAS2, the CLIENT1 request can be sent to NAS1 and NAS2, then NAS1 and NAS2 both send the request to radius. I don't know whether CLIENT1 is under NAS1 or NAS2 in radius. How can I control a wpa_supplicant client so that its request is sent to only one hostapd NAS?
>>
>> The CLIENT1 MAC: 00:0F:1E:34:28:B4
>> The NAS1 MAC: 00:0F:1E:34:26:50
>> The NAS2 MAC: 00:0f:1e:00:00:83
>
> That's one way - NAS mac address will be in Called-Station-Id. Or use NAS-IP-Address.
>
>> The RADIUS log --
>> rad_recv: Access-Request packet from host 192.168.1.45 port 1024, id=0, length=168
>>     User-Name = 00:0F:1E:34:28:B4
>>     NAS-IP-Address = 192.168.1.45
>>     Called-Station-Id = 00-0F-1E-34-26-50:
>> rad_recv: Access-Request packet from host 192.168.1.44 port 1024, id=1, length=186
>>     User-Name = 00:0F:1E:34:28:B4
>>     NAS-IP-Address = 192.168.1.44
>>     Called-Station-Id = 00-0F-1E-00-00-83:
>
> Ivan Kalik
> Kalik Informatika ISP

Hi Ivan Kalik,

Thanks for your suggestion!

In that, the NAS1 MAC is 00:0F:1E:34:26:50, and the NAS2 MAC is 00:0f:1e:00:00:83. The problem was that they both could receive the request of CLIENT1, so I couldn't know whether CLIENT1 is under NAS1 or NAS2 in radius.
How to control a wpa_supplicant client request can only send to a hostapd NAS?
How can I control a wpa_supplicant client so that its request is sent to only one hostapd NAS?

My network structure is as follows:

                 RADIUS(freeradius)
                         |
                         |
                   SWITCH(cisco)
                  |             |
                  |             |
          NAS1(hostapd)    NAS2(hostapd)
                  |             |
CLIENT1(wpa_supplicant)    CLIENT2(wpa_supplicant)

If the network only has the NAS1 device, CLIENT1 can pass the authentication. When the network has two NAS devices, one of which is NAS1 and the other NAS2, the CLIENT1 request can be sent to NAS1 and NAS2, then NAS1 and NAS2 both send the request to radius. I don't know whether CLIENT1 is under NAS1 or NAS2 in radius.

How can I control a wpa_supplicant client so that its request is sent to only one hostapd NAS?

Thank you very much!

The CLIENT1 MAC: 00:0F:1E:34:28:B4
The NAS1 MAC: 00:0F:1E:34:26:50
The NAS2 MAC: 00:0f:1e:00:00:83

The CLIENT1 log --

EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 00 00 16 01 30 30 3a 30 46 3a 31 45 3a 33 34 3a 32 38 3a 42 34
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from *00:0f:1e:34:26:50*
RX EAPOL - hexdump(len=14): 02 00 00 0a 01 00 00 0a 01 68 65 6c 6c 6f
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=1 id=0
EAP: EAP entering state RETRANSMIT
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 00 00 16 01 30 30 3a 30 46 3a 31 45 3a 33 34 3a 32 38 3a 42 34
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from *00:0f:1e:00:00:83*
RX EAPOL - hexdump(len=46): 02 00 00 16 01 01 00 16 04 10 e3 1f ff 34 85 47 cd 3c d7 14 60 22 fc 2a 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=4 id=1
EAP: EAP entering state GET_METHOD
EAP: initialize selected EAP method (4, MD5)
CTRL-EVENT-EAP-METHOD EAP method 4 (MD5) selected
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): e3 1f ff 34 85 47 cd 3c d7 14 60 22 fc 2a 24 fb
EAP-MD5: generating Challenge Response
EAP-MD5: Response - hexdump(len=16): 7d 5e a6 ea 11 c7 d9 ad ed 44 a4 b9 61 b5 ab 41
EAP: method process - ignore=FALSE methodState=DONE decision=UNCOND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 01 00 16 04 10 7d 5e a6 ea 11 c7 d9 ad ed 44 a4 b9 61 b5 ab 41
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:34:26:50
RX EAPOL - hexdump(len=26): 02 00 00 16 01 01 00 16 04 10 02 c8 6c 9b 31 7d 34 bc 09 6a 0f f2 c3 a8 01 54
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=4 id=1
EAP: AS used the same Id again, but EAP packets were not identical
EAP: workaround - assume this is not a duplicate packet
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:34:26:50
RX EAPOL - hexdump(len=8): 02 00 00 04 04 01 00 04
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:00:00:83
RX EAPOL - hexdump(len=46): 02 00 00 04 03 01 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS

The NAS1 log --

Deauthenticate all stations
br0: STA *00:0f:1e:34:28:b4* IEEE 802.1X: start authentication
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAPOL-Start from STA
br0: STA 00:0f:1e:34:28:b4 WPA: event 5 notification
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: unauthorizing port
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=0 len=22) from STA: EAP Response-Identity (1)
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: STA identity '00:0F:1E:34:28:B4'
br0: RADIUS Sending RADIUS message to authentication server
br0: RADIUS
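Added example (not part of the original post, and not wpa_supplicant or hostapd code): a Python script that decodes the received EAPOL frames from the CLIENT1 log above and reports when two authenticator MACs send different EAP-Requests under the same EAP Id. The function names are hypothetical; the frames are the RX lines from the post, with the trailing zero padding written as a repeat count.

```python
import re
from collections import defaultdict

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}

# "RX EAPOL from <mac>", tolerating the *...* emphasis marks used in the post
SRC_RE = re.compile(r"RX EAPOL from \W*((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
DUMP_RE = re.compile(r"RX EAPOL - hexdump\(len=(\d+)\):((?: [0-9a-f]{2})+)", re.I)

# RX lines from the CLIENT1 log in the post (zero padding via repeat count)
SAMPLE_LOG = "\n".join([
    "RX EAPOL from *00:0f:1e:34:26:50*",
    "RX EAPOL - hexdump(len=14): 02 00 00 0a 01 00 00 0a 01 68 65 6c 6c 6f",
    "RX EAPOL from *00:0f:1e:00:00:83*",
    "RX EAPOL - hexdump(len=46): 02 00 00 16 01 01 00 16 04 10 e3 1f ff 34 85 47"
    " cd 3c d7 14 60 22 fc 2a 24 fb" + " 00" * 20,
    "RX EAPOL from 00:0f:1e:34:26:50",
    "RX EAPOL - hexdump(len=26): 02 00 00 16 01 01 00 16 04 10 02 c8 6c 9b 31 7d"
    " 34 bc 09 6a 0f f2 c3 a8 01 54",
    "RX EAPOL from 00:0f:1e:34:26:50",
    "RX EAPOL - hexdump(len=8): 02 00 00 04 04 01 00 04",
    "RX EAPOL from 00:0f:1e:00:00:83",
    "RX EAPOL - hexdump(len=46): 02 00 00 04 03 01 00 04" + " 00" * 38,
])


def parse_eapol(frame):
    """Decode one EAPOL frame: version, type, body length, then the EAP packet."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    body_len = int.from_bytes(frame[2:4], "big")
    body = frame[4:4 + body_len]          # anything after this is Ethernet padding
    if len(body) < body_len:
        raise ValueError("EAPOL body truncated")
    pkt = {"version": frame[0], "eapol_type": frame[1]}
    if frame[1] != 0:                     # only type 0 (EAP-Packet) carries EAP
        return pkt
    if body_len < 4:
        raise ValueError("short EAP header")
    eap_len = int.from_bytes(body[2:4], "big")
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("bad EAP length")
    pkt.update(code=EAP_CODES.get(body[0], str(body[0])), id=body[1],
               method=None, data=b"")
    if body[0] in (1, 2) and eap_len >= 5:   # Request/Response carry a Type byte
        pkt["method"] = EAP_METHODS.get(body[4], str(body[4]))
        pkt["data"] = body[5:eap_len]
    return pkt


def parse_supplicant_log(text):
    """Pair each 'RX EAPOL from' line with the hexdump line that follows it."""
    events, src = [], None
    for line in text.splitlines():
        m = SRC_RE.search(line)
        if m:
            src = m.group(1).lower()
            continue
        m = DUMP_RE.search(line)
        if m and src:
            frame = bytes.fromhex(m.group(2))
            if len(frame) != int(m.group(1)):
                raise ValueError("hexdump length mismatch")
            events.append((src, parse_eapol(frame)))
            src = None
    return events


def competing_authenticators(events):
    """Report EAP Ids for which different MACs sent different Requests."""
    requests = defaultdict(dict)          # EAP id -> {src MAC: (method, data)}
    outcome = {}                          # src MAC -> last Success/Failure seen
    for src, pkt in events:
        code = pkt.get("code")
        if code == "Request":
            requests[pkt["id"]][src] = (pkt["method"], pkt["data"])
        elif code in ("Success", "Failure"):
            outcome[src] = code
    conflicts = {i: sorted(by_src) for i, by_src in requests.items()
                 if len(set(by_src.values())) > 1}
    return {"authenticators": sorted({s for s, _ in events}),
            "conflicting_ids": conflicts, "outcome": outcome}


if __name__ == "__main__":
    for src, pkt in parse_supplicant_log(SAMPLE_LOG):
        print(src, pkt)
    print(competing_authenticators(parse_supplicant_log(SAMPLE_LOG)))
```

Run on the post's log, it reports Id 1 as contested by both NAS MACs, with EAP-Failure from NAS1 and EAP-Success from NAS2.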
Re: rlm_perl authentication override
Quoting t...@kalik.net:
>> Using rlm_perl, if a request is received and I want to accept the login without performing any normal auth (in authorize()), what would I need to return?
>
> Auth-Type Accept.

Thanks Ivan. I eventually figured out by trial and error that the following needs to be done in authorize():

    ...
    $RAD_CHECK{'Auth-Type'} = 'Accept';
    return RLM_MODULE_OK;

Cheers
Henry
Re: rlm_perl authentication override
Perhaps if I try another approach:

Using rlm_perl, if a request is received and I want to accept the login without performing any normal auth (in authorize()), what would I need to return?

Constructing the $RAD_REPLY packet is no problem. What to return to force an Access-Accept has me stymied. RLM_MODULE_OK will lead to normal auth (and failure); RLM_MODULE_HANDLED results in no further processing (ie, no response is sent to the NAS); RLM_MODULE_UPDATED also proceeds to normal auth (and failure).

RLM_MODULE_HANDLED seems to be the answer, but how do I first send the Access-Accept response in authorize() followed by return RLM_MODULE_HANDLED; to stop further processing? Unfortunately there isn't a RLM_MODULE_ACCEPT return value.

Any pointers to relevant docs or comments would be appreciated.

Thanks
Henry
Re: rlm_perl authentication override
Quoting t...@kalik.net:
>> Is there a way to change the reply from Access-Reject, to Access-Accept?
>
> There is a way to change the packet type but it is a bad idea. Placing unauthorized users in something like a guest VLAN should be the part of your NAS functionality, rather than (deliberately) breaking authentication on the radius server.

Thanks for the response, Ivan. We don't have access to the NAS servers (we merely auth) and this is the only way we can do this cleanly (without physically unlocking the user, managing that process, etc).

Can you provide pointers on how to change the reply?

Thanks
Henry
Re: rlm_perl authentication override
Quoting t...@kalik.net:
>> Is there a way to change the reply from Access-Reject, to Access-Accept?
>
> Change freeradius.internal attribute Packet-Type in Post-Auth-Type Reject section.

Changing freeradius.internal Packet-Type from Access-Reject to Access-Accept would affect ALL logins - even logins which *should* be rejected.

I'm referring to changing Access-Reject to Access-Accept under certain circumstances only -- not globally for all logins.

...or am I misunderstanding what you're suggesting?

Thanks
Henry
Re: rlm_perl authentication override
Greetings, and thanks to Ivan and Alan for their feedback.

I've been dumping variables, etc, in my rlm_perl script (using Devel::Symdump and Data::Dumper) trying to figure out where to change the Packet-Type from Access-Reject to Access-Accept without success. I've also gone over the rlm_perl.c file, etc, hoping something would jump out at me -- what I'm trying to do doesn't appear to be documented (for obvious reasons).

I'm hoping someone on this list knows how to change the Packet-Type in a rlm_perl script. Any comments/pointers are appreciated. If I knew where to dig, I'd have at it.

Thanks
Henry
Re: rlm_perl authentication override
Quoting t...@kalik.net:
> So check the circumstances before changing the Packet-Type.

Of course, you are right :p, thanks.

I'm wondering though: during that small window period when the Packet-Type is changed and returned, would it be possible that it would affect other sessions running concurrently (separate threads)? Presumably the changed Packet-Type would have a limited scope (ie, visible to the current executing thread/session only, and not others)?

Regards
Henry
rlm_perl authentication override
Greets,

Using freeradius 2.0.5 and rlm_perl.

Let's say we have a username which is locked in /etc/shadow. Normal authentication will prevent this user from logging in. I would like to override this behaviour in either authorize() or post_auth() and allow the user to login (but with modified $RAD_REPLY) despite the locked system user.

In authorize(), changing $RAD_REPLY (to allow a modified service) is no problem, but I'm not sure what to return so radiusd will authenticate the user even though their password is incorrect (return RLM_MODULE_OK of course doesn't change this behaviour) - eg, rejecting a user is easy, just return RLM_MODULE_REJECT.

Is there a way to change the reply from Access-Reject, to Access-Accept?

Thanks
Henry
Re: rlm_perl not working as expected on 2.0.5
On Tue, August 12, 2008 11:08 am, Ivan Kalik wrote:
> You haven't got Auth-Type Perl { perl } in authentication section of inner-tunnel virtual server. You probably added it just to default one. In default configuration users file is common for all virtual servers.

Excellent! Thanks, Ivan. I must have missed that requirement in the docs.

Regards
Henry
rlm_perl not working as expected on 2.0.5
Greetings,

I'm busy trying out Freeradius 2.0.5 before upgrading from 1.1.0, and so far everything looks good. I would like to try out rlm_perl since it presents some interesting possibilities, but am having a spot of bother.

I followed the howto here: http://wiki.freeradius.org/Rlm_perl

rlm_perl isn't even loaded/instantiated unless I add 'perl' to the instantiate section of radiusd.conf. Even if I do, however, I keep getting this error:

Parse error (check) for entry DEFAULT: Unknown value Perl for attribute Auth-Type

Any pointers on what I'm missing/doing wrong would be appreciated.

Thanks
Henry

Here's the debug:

Mon Aug 11 15:58:53 2008 : Info: FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Aug 8 2008 at 18:56:21
Mon Aug 11 15:58:53 2008 : Info: Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
Mon Aug 11 15:58:53 2008 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Mon Aug 11 15:58:53 2008 : Info: PARTICULAR PURPOSE.
Mon Aug 11 15:58:53 2008 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Mon Aug 11 15:58:53 2008 : Info: GNU General Public License v2.
Mon Aug 11 15:58:53 2008 : Info: Starting - reading configuration files ...
Restricting users to login to specific Cisco router
I am trying to understand how I can set up a specific user to allow login to specific routers. I am using freeradius 1.0.0. I defined the client and shared secret in the clients.conf file and the user id in the users file with Service-Type = Shell-User and Cisco-AVPair =shell:Priv-lvl=7. The login works, but I need to restrict what clients it can login to. Is there a way to do this? I am just starting to learn Radius and Google isn't finding me an answer for this.

Thanks.
Henry
Dictionary Permissions
I would appreciate it if someone could let me know what perms I should either set /etc/freeradius/dictionary file or the /usr/share/freeradius/dictionary/ folder to be to get radclient to be able to read the dictionary file through dialupadmin. I'm using Debian Sarge unstable and I tried chmoding the above file and folder but still no success. Do I have to change the ownership of these files or folders and if so to what?

I would appreciate any and all help thank you.
Dictionary Permissions
So Alan, are you saying that Debian could be the problem? I tried it using testing but it still didn't work and I'm almost sure woody doesn't have the freeradius binaries precompiled.
Re: Dictionary Permissions
Alan DeKok wrote:
lifroy Henry [EMAIL PROTECTED] wrote:
So Alan, are you saying that Debian could be the problem? I tried it using testing but it still didn't work and I'm almost sure woody doesn't have the freeradius binaries precompiled.

I have no idea what the problem could be. You've said there was a permissions problem,

The problem is with Dialupadmin not being able to use radclient with the dictionary file because it doesn't have permission

radclient: dict_init: Couldn't open dictionary /etc/freeradius/dictionary: Permission denied

, I'm just guessing.

Alan DeKok.
Please help to setup Freeradius-0.9.3 on my Red Hat Linux 9.0!!!!
Hi All,

I really need your help to setup freeradius-0.9.3 on my Red Hat machine. I downloaded and installed Freeradius-0.9.3 as instructed on my Red Hat Linux 9.0 machine. I did the following steps to install it:

[root]#tar zxvf freeradius-0.9.3.tar.gz
[root]#./configure --disable-share
[root]#make
[root]#make install

After installing it, I tried to run it with the following command:

[root]#radiusd -X

and got an error like this:

radiusd: entering modules setup
Module: Library search path is /usr/local/lib
radiusd.conf[1186] Failed to link to module 'rlm_expr': file not found

I looked at the radiusd.conf file at line 1186 and it looked like:

#
#The 'expression' module currently has no configuration
#
expr {}
#
#

I checked and saw the rlm_expr file is in ./freeradius-0.9.3/src/modules directory.
I checked and saw the rlm_expr.a, rlm_expr.la, rlm_expr-0.9.3.1a files in /usr/local/lib directory.

I don't understand why I got that error. Is that problem related to freeradius installation? If it is, I want to uninstall it and restart from scratch, which means rerun configure, then make, then make install. But I don't know how to uninstall it, would anybody please help me to uninstall Freeradius-0.9.3 from Red Hat Linux (9.0)?

Thank you in advance
Henry
RE: Please help to setup Freeradius-0.9.3 on my Red Hat Linux 9.0!!!!
Thanks for responding. I downloaded freeradius-0.9.3-0.i586.rpm (I guessed there is a typo here, should be ...i386..)

I tried to install using rpm, but I got some errors related to dependencies (i.e. insserv, fillup, libasn1.so.6, etc), where can I download these packages?

Thanks
Henry

-Original Message-
From: Amedzekor Kafui [mailto:[EMAIL PROTECTED]
Sent: Monday, May 24, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: Re: Please help to setup Freeradius-0.9.3 on my Red Hat Linux 9.0

Use the freeradius rpms for installation. They are a lot easier to use. Remember to download freeradius-postgresql freeradius-mysql rpms if you need them.
RE: Please help to setup Freeradius-0.9.3 on my Red Hat Linux 9.0!!!!
I tried yum but it still did not take care of all of my dependencies. I guess I have to search one by one then.

Thank you very much
Henry

-----Original Message-----
From: Amedzekor Kafui [mailto:[EMAIL PROTECTED]
Sent: Monday, May 24, 2004 11:32 AM
To: [EMAIL PROTECTED]
Subject: RE: Please help to setup Freeradius-0.9.3 on my Red Hat Linux 9.0

i586 is right (that means it is for pentium class machines). Go to rpmfind.net and search for them or try googling them. A nice tool called yum ( http://download.fedora.us/fedora/redhat/9/i386/RPMS.stable/yum-2.0.3-0.fdr.1.rh90.noarch.rpm ) can help with installing rpms with dependencies. A 'yum install freeradius' will take care of all the dependencies.

Good luck
Filed to link EAP-Type/md5: file not found
Hi all,

Would anybody please help me with this? I have installed Freeradius-0.9.3 on my Red Hat Linux 9.0 and I ran Freeradius in debug mode and got this error. How can I fix it?

    Module: Loaded eap
    eap: default_eap_type = md5
    eap: timer_expire = 60
    rlm_eap: Filed to link EAP-Type/md5: file not found

Build it with disable-share option before install it

Thanks
Hung