FreeRadius web GUI
Hi,

Could anyone recommend the best web based management for FreeRADIUS 2.x? Is there a Webmin module?

Thank you
Keith

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
802.1x problems
the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for kledford with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = \022E=691 R=1
	EAP-Message = 0x04120004
	Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = \022E=691 R=1
	EAP-Message = 0x04120004
	Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 198 to 172.17.6.205 port 32770
	EAP-Message = 0x011300261900170301001b7d7ecb9363773c2925be6270b36c1cc64746512b567f6487e27a4e
	Message-Authenticator = 0x
	State = 0x0282fb8e0591e22c7ff0f6bedc08a825
Finished request 77.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=199, length=224
	User-Name = kledford
	Calling-Station-Id = 00-11-95-D9-07-77
	Called-Station-Id = 00-1F-9E-CE-2D-70:PAWS-Secure
	NAS-Port = 29
	NAS-IP-Address = 172.17.6.205
	NAS-Identifier = South6
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 1999
	EAP-Message = 0x021300261900170301001b989cf4d191ed8635a159d484e8b3ddcea284fc0177b8ed705dd9d8
	State = 0x0282fb8e0591e22c7ff0f6bedc08a825
	Message-Authenticator = 0xf942e38c5ad48d5f0723d8062283dcb2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = kledford, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 19 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> kledford
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 78 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 78
Sending Access-Reject of id 199 to 172.17.6.205 port 32770
	EAP-Message = 0x04130004
	Message-Authenticator = 0x
Waking up in 3.5 seconds.
Cleaning up request 70 ID 191 with timestamp +511079
Cleaning up request 71 ID 192 with timestamp +511080
Waking up in 0.1 seconds.
Cleaning up request 72 ID 193 with timestamp +511080
Cleaning up request 73 ID 194 with timestamp +511080
Cleaning up request 74 ID 195 with timestamp +511080
Waking up in 0.1 seconds.
Cleaning up request 75 ID 196 with timestamp +511080
Cleaning up request 76 ID 197 with timestamp +511080
Cleaning up request 77 ID 198 with timestamp +511080
Waking up in 1.0 seconds.
Cleaning up request 78 ID 199 with timestamp +511080

-- 
Keith Ledford
kledford AT uga DOT edu
Network Administrator
EITS Network Engineering

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 802.1x problems
On Thursday, January 15, 2009 at 20:36:00, t...@kalik.net wrote:

> Where is his password supposed to be? Ldap auth can't work with mschap, so you need to send the password to freeradius. You need to enable ldap instances in inner-tunnel virtual server (that will be doing mschap auth).

The passwords are in the ldap server (Novell). I don't understand what you mean by "so you need to send the password to freeradius". Can you either explain or point me to the proper doc? If ldap auth can't work with mschap, what does everyone do to work with standard windows clients?

I did enable ldap in the inner-tunnel config file. I did miss that before. Thanks!

-- 
Keith Ledford
kledford AT uga DOT edu
Network Administrator
EITS Network Engineering
706.542.0723 phone

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
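The hard part of a trace like the one above is finding the line that actually decided the outcome, because PEAP logs the inner MS-CHAPv2 failure on one round and sends the Access-Reject on a later one. What follows is an added example, not code from the thread or from the FreeRADIUS project: a small Python triage script for `radiusd -X` output that groups the trace per Access-Request packet and, for every Access-Reject, reports the user, the NAS and the reasons the inner-tunnel modules logged, decoding the `E=` code in MS-CHAP-Error (RFC 2759). The trace it parses is constructed from the lines quoted above, with a `rad_recv` line for the first round supplied for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Failure codes carried as "E=<code>" in MS-CHAP-Error (RFC 2759, section 6).
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

RE_RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
RE_SEND = re.compile(r"Sending (Access-\w+) of id (\d+) to \S+")
RE_USER = re.compile(r'^\s*User-Name = "?([^"\s]*)"?')
RE_MSCHAP_ERR = re.compile(r"^\s*MS-CHAP-Error = .*E=(\d+)")
# Module lines that state why the inner tunnel refused the user.
RE_REASON = re.compile(r"^\[(?:mschap|mschapv2|eap|peap|ldap|pap)\] "
                       r"(FAILED: .*|No [\w-]*Password configured\..*)$")

@dataclass
class Request:
    pkt_id: int
    nas: str
    user: str = ""
    outcome: str = ""        # Access-Accept / Access-Reject / Access-Challenge
    mschap_error: Optional[int] = None
    reasons: List[str] = field(default_factory=list)

def parse_trace(text: str) -> List[Request]:
    """One Request per rad_recv line; lines before the first rad_recv are skipped."""
    requests: List[Request] = []
    current: Optional[Request] = None
    for line in text.splitlines():
        m = RE_RECV.search(line)
        if m:
            current = Request(pkt_id=int(m.group(2)), nas=m.group(1))
            requests.append(current)
            continue
        m = RE_SEND.search(line)
        if m:
            # A delayed reject is sent after its request; match on the packet id.
            for req in reversed(requests):
                if req.pkt_id == int(m.group(2)):
                    req.outcome = m.group(1)
                    break
            continue
        if current is None:
            continue
        m = RE_USER.match(line)
        if m:
            current.user = m.group(1)
        m = RE_MSCHAP_ERR.match(line)
        if m:
            current.mschap_error = int(m.group(1))
        m = RE_REASON.match(line)
        if m:
            current.reasons.append(m.group(1))
    return requests

def explain_rejects(text: str) -> List[dict]:
    """One dict per Access-Reject, carrying the reason the inner tunnel logged.
    The round that gets the Access-Reject only says the user was rejected earlier in
    the session, so walk back to the latest round from the same NAS and user that
    recorded a reason or an MS-CHAP-Error."""
    requests = parse_trace(text)
    out = []
    for i, req in enumerate(requests):
        if req.outcome != "Access-Reject":
            continue
        source = req
        if not req.reasons and req.mschap_error is None:
            for earlier in reversed(requests[:i]):
                if (earlier.nas, earlier.user) == (req.nas, req.user) and (
                        earlier.reasons or earlier.mschap_error is not None):
                    source = earlier
                    break
        code = source.mschap_error
        out.append({"id": req.pkt_id, "user": req.user, "nas": req.nas, "mschap_error": code,
                    "mschap_error_name": MSCHAP_ERRORS.get(code) if code is not None else None,
                    "reasons": list(source.reasons)})
    return out

# Constructed sample: the lines quoted in the thread, plus a rad_recv line for the
# first round (id=198) and quoted User-Name values, supplied for this example.
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=198, length=224
\tUser-Name = "kledford"
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for kledford with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
[peap] Got tunneled reply code 3
\tMS-CHAP-Error = "\\022E=691 R=1"
Sending Access-Challenge of id 198 to 172.17.6.205 port 32770
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=199, length=224
\tUser-Name = "kledford"
[peap] Had sent TLV failure. User was rejected earlier in this session.
Sending delayed reject for request 78
Sending Access-Reject of id 199 to 172.17.6.205 port 32770
"""
```

Run on the sample, `explain_rejects(SAMPLE_TRACE)` yields one record for packet 199 whose reasons are the four `[mschap]` lines from packet 198 and whose error decodes to 691, ERROR_AUTHENTICATION_FAILURE.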
RE: No log destination specified.
On Wed, 10 Dec 2008, Marcel Grandemange wrote:

> I have a problem where I upgraded v1 to v2 of freeradius and now I can
> only start it with mode radius -X; if I try to use the script it simply does the
> following.
>
> /usr/local/etc/rc.d]# ./rc.radiusd start
> Starting FreeRADIUS:radiusd: Error: No log destination specified.
> Radius
> ==
> logdir = /var/log
> #
> # The logging messages for the server are appended to the
> # tail of this file.
> #
> log_file = ${logdir}/radius.log
> ==

I am still running 1.1.7. We only have about 200 dialup users left, so I have never upgraded beyond that version, as I don't feel the need and dialup is the only thing we use Radius for.

Two things. One, have the config options between the 1.x and 2.x changed for logging? I have not looked at v2 so I don't know. The other is possibly permissions on the file or directory. But I don't think that is it, as you would probably get a different error.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Newslists
Hi,

Yes, this is why I started looking at the debugs to see what was happening, and found the attribute rewrite issue where it says it cannot find the Configuration-Token. If I take the Configuration-Token out of the radgroupreply it shows one; if I take the attrib-rewrites out it only shows one in the Access-Accept packet. So it looks like the attrib rewrite is actually adding a second attrib rather than editing the original one, and thus the errors in the debug log.

Does the radius give the resultant reply to attrib rewrite to check before sending it out? Is there a way to programmatically display the reply attributes somehow, so I can see what the reply packet looks like before the attrib rewrite edits it, by maybe logging to a file or something?

Regards
Keith Dovale

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, February 09, 2008 11:33 PM
To: FreeRadius users mailing list
Subject: Re: Newslists

Hi,

> Ok but then
>
>> The thing about the attr_rewrite module is that it looks at ALL attributes in the list. In this case, you have two Configuration-Tokens. One has value SHAPED_NORMAL, and the other UNSHAPED_NORMAL. It doesn't match the first, but it does match the second. After that, it says it couldn't find any more.
>
> Where does it get the second Configuration-Token from ?

well, from your debug I see this:

Sending Access-Accept of id 195 to 196.43.1.92 port 1820
	Framed-Protocol := PPP
	Configuration-Token := SHAPED_NORMAL
	Session-Timeout := 86340
	Acct-Interim-Interval := 3600
	Configuration-Token = SHAPED_NORMAL
	Reply-Message = Your maximum monthly usage time has been reached
	Proxy-State = 0x313030

there are 2 Configuration-Token attributes. possibly because it was added in an incorrect way, or adjusted/set incorrectly originally?

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Newslists
        UserName='%{%k}' AND Class REGEXP '^NU' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'),0)
}

sqlcounter MonthlyShaped {
	counter-name = Monthly-Traffic-Shaped
	check-name = Max-Monthly-Blended-Shaped
	reply-name = Session-Timeout
	sqlmod-inst = sql
	key = User-Name
	reset = monthly
	Reply-Message = You have reached your SHaped bandwidth cap for this Month
	query = SELECT IF(((SELECT (sum(AcctInputOctets) + SUM(AcctOutputOctets))/1024) - (Select Value from radcheck where UserName='%{%k}' and Attribute = 'Max-Prepaid-Limit') from radacct WHERE UserName='%{%k}' AND Class REGEXP '^NS' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'), ((SELECT (sum(AcctInputOctets) + SUM(AcctOutputOctets))/1024) - (Select Value from radcheck where UserName='%{%k}' and Attribute = 'Max-Prepaid-Limit') from radacct WHERE UserName='%{%k}' AND Class REGEXP '^NS' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'), 0)
}

sqlcounter MonthlyLocal {
	counter-name = Monthly-Traffic-Local
	check-name = Max-Monthly-Local
	reply-name = Session-Timeout
	sqlmod-inst = sql
	key = User-Name
	reset = monthly
	Reply-Message = You have reached your Local bandwidth cap for this Month
	query = SELECT IF(((SELECT (sum(AcctInputOctets) + SUM(AcctOutputOctets))/1024) - (Select Value from radcheck where UserName='%{%k}' and Attribute = 'Max-Prepaid-Limit') from radacct WHERE UserName='%{%k}' AND Class REGEXP '^NL' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'), SELECT ((SUM(AcctInputOctets) + SUM(AcctOutputOctets))/1024) - (Select Value from radcheck where UserName='%{%k}' and Attribute = 'Max-Prepaid-Limit') from radacct WHERE UserName='%{%k}' AND Class REGEXP '^NL' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'), 0)
}

always fail {
	rcode = fail
}
always reject {
	rcode = reject
}
always ok {
	rcode = ok
	simulcount = 0
	mpp = no
}
expr {
}
digest {
}
exec {
	wait = yes
	input_pairs = request
}
exec echo {
	wait = yes
	program = /bin/echo %{User-Name}
	input_pairs = request
	output_pairs = reply
}
exec POD {
	wait = yes
	program = ../../perl/bin/perl.exe ${confdir}/DisconChkAlt.pl %{User-Name} %{Framed-IP-Address} %{NAS-IP-Address} %{X-Ascend-Session-Svr-Key}
	input_pairs = request
	output_pairs = reply
	# packet_type = Accounting-Request
}
}

instantiate {
	exec
	expr
	MonthlyUnShaped
	MonthlyShaped
	MonthlyLocal
}

authorize {
	auth_log
	# digest
	hxdsl
	sql
	group {
		reply_logUn
		AttrRewrite_MonthlyBlendedUnshaped
		reply_logUnFin
		MonthlyUnShaped {
			reject = 1
			ok = return
		}
		reply_logSh
		AttrRewrite_MonthlyBlendedShaped
		reply_logShFin
		MonthlyShaped {
			reject = 1
			ok = return
		}
		reply_logLoc
		AttrRewrite_MonthlyLocal
		reply_logLocFin
		MonthlyLocal {
			reject = 1
			ok = return
		}
		AttrRewrite_Limited
	}
	reply_logEnd
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	unix
}

preacct {
	preprocess
	acct_unique
	hxdsl
	files
}

accounting {
	detail
	sql
	Acct-Type LOCAL-AUTH {
		sql
		radrelay
	}
	Acct-Type REMOTE-AUTH {
		sql
	}
	Acct-Type interim {
		sql
		POD
	}
}

session {
	sql
}

post-auth {
	sql
	sql_log
	Post-Auth-Type REJECT {
		# Login failed: log to SQL database.
		sql
		sql_log
	}
}

pre-proxy {
	# pre_proxy_log
}

post-proxy {
	# post_proxy_log
}

Regards
Keith Dovale

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, February 10, 2008 12:36
RE: Newslists
Alan,

I appreciate you coming back to me. I apologise for my inappropriate comments yesterday; I am frustrated as hell. I should have asked what was required first.

Ok, what confuses me is this. A user logs in with shaped access, the group reply sets Configuration-Token to SHAPED_NORMAL, ok; nowhere else is the Configuration-Token set up. The attrib-rewrite for unshaped kicks in and should check to see if the Configuration-Token is UNSHAPED_LOCAL, and if it can't find it, rewrite it to SHAPED_LOCAL. Is that not right? Then if the sqlcounter fails, move into the next attrib-rewrite. But in the debug it is looking for SHAPED_NORMAL in the UNSHAPED attrib rewrite.

Fri Feb 8 17:27:26 2008 : Debug: rlm_attr_rewrite: No match found for attribute Configuration-Token with value 'SHAPED_NORMAL'

You say it looks at all the attributes. Where does it see I have SHAPED_NORMAL and UNSHAPED_NORMAL set? This confuses me a little: surely when the rewrite does its job it overwrites the existing attribute values, or does it just add another?

Regards
Keith Dovale

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Saturday, February 09, 2008 9:43 AM
To: FreeRadius users mailing list
Subject: Re: Newslists

Keith Dovale - HostworX.co.za wrote:
> Ok you asked for the debug log here it is.

  The extra '-x' (which prints the time) is unnecessary, and makes it harder to read the output. Still..

> Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: attribute = Configuration-Token
> Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: searchfor = UNSHAPED_NORMAL
> Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: searchin = reply
> Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: replacewith = SHAPED_NORMAL
> Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: append = no
> Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: ignore_case = yes
> Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: new_attribute = no
> Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: max_matches = 1
> Fri Feb 8 17:24:47 2008 : Debug: Module: Instantiated attr_rewrite (AttrRewrite_MonthlyBlendedShaped)

  One instance of attr_rewrite...

> Fri Feb 8 17:27:26 2008 : Debug: modsingle[authorize]: calling AttrRewrite_MonthlyBlendedShaped (rlm_attr_rewrite) for request 3
> Fri Feb 8 17:27:26 2008 : Debug: radius_xlat: 'UNSHAPED_NORMAL'
> Fri Feb 8 17:27:26 2008 : Debug: rlm_attr_rewrite: No match found for attribute Configuration-Token with value 'SHAPED_NORMAL'
> Fri Feb 8 17:27:26 2008 : Debug: radius_xlat: 'UNSHAPED_NORMAL'
> Fri Feb 8 17:27:26 2008 : Debug: radius_xlat: 'SHAPED_NORMAL'
> Fri Feb 8 17:27:26 2008 : Debug: rlm_attr_rewrite: Changed value for attribute Configuration-Token from 'UNSHAPED_NORMAL' to 'SHAPED_NORMAL'
> Fri Feb 8 17:27:26 2008 : Debug: rlm_attr_rewrite: Could not find value pair for attribute Configuration-Token
> Fri Feb 8 17:27:26 2008 : Debug: modsingle[authorize]: returned from AttrRewrite_MonthlyBlendedShaped (rlm_attr_rewrite) for request 3

  The thing about the attr_rewrite module is that it looks at ALL attributes in the list. In this case, you have two Configuration-Tokens. One has value SHAPED_NORMAL, and the other UNSHAPED_NORMAL. It doesn't match the first, but it does match the second. After that, it says it couldn't find any more.

  There is a bug. The first "no match found" line prints the value of the attribute that didn't match, NOT the value it was looking for. Carefully reading the debug output makes this clear:

  - it says no match
  - it says changed value from UNSHAPED_NORMAL
  - returns from module AttrRewrite_MonthlyBlendedShaped

  i.e. the FIRST line is wrong. You were getting confused because you have *other* attr_rewrite modules which re-write SHAPED_NORMAL. So reading the debug log here, it looked like it was trying to re-write SHAPED_NORMAL. But it wasn't, because it was NOT running the AttrRewrite_MonthlyLocal module.

  The only issue I see is that one debug line is wrong, and therefore confusing. Is there anything else?

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
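The scan Alan describes, as an added example that is neither FreeRADIUS code nor part of the thread: a Python model of rlm_attr_rewrite run over the four instances from the configuration Keith posts later in this thread. It assumes searchfor is a regular expression (as in the module), models `new_attribute = yes` as adding a fresh pair carrying replacewith rather than editing an existing one (this model's assumption, flagged in the code), and leaves out the sqlcounter checks that sit between the instances; the debug wording is copied from the trace quoted above. Under those assumptions the first two instances reproduce the three rlm_attr_rewrite lines in that trace and leave two Configuration-Token pairs in the reply.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Pair:
    """One reply attribute; op is ":=" for pairs set by the SQL group reply, "=" for added ones."""
    attr: str
    value: str
    op: str = "="

@dataclass
class AttrRewrite:
    """Model of one rlm_attr_rewrite instance (searchin = reply throughout)."""
    name: str
    attribute: str
    searchfor: str           # a regular expression, as in the module
    replacewith: str
    ignore_case: bool = True
    new_attribute: bool = False
    max_matches: int = 1
    append: bool = False

    def run(self, reply: List[Pair]) -> List[str]:
        """Apply this instance to the reply list in place and return the debug lines."""
        debug: List[str] = []
        if self.new_attribute:
            # ASSUMPTION of this model: new_attribute = yes adds a fresh pair carrying
            # replacewith instead of searching for and editing an existing one.
            reply.append(Pair(self.attribute, self.replacewith))
            return debug
        pattern = re.compile(self.searchfor, re.IGNORECASE if self.ignore_case else 0)
        matched = 0
        for pair in reply:                  # every pair of that name is examined in turn
            if pair.attr != self.attribute or matched >= self.max_matches:
                continue
            if not pattern.search(pair.value):
                # Wording copied from the trace: the value printed is the one that did NOT
                # match, not the searchfor value, which is the line Alan calls confusing.
                debug.append(f"rlm_attr_rewrite: No match found for attribute "
                             f"{self.attribute} with value '{pair.value}'")
                continue
            new = pair.value + self.replacewith if self.append else pattern.sub(
                self.replacewith, pair.value, count=1)
            debug.append(f"rlm_attr_rewrite: Changed value for attribute {self.attribute} "
                         f"from '{pair.value}' to '{new}'")
            pair.value = new
            matched += 1
        # Printed when the scan finds no further pair to look at.
        debug.append(f"rlm_attr_rewrite: Could not find value pair for attribute {self.attribute}")
        return debug

def keiths_group() -> List[AttrRewrite]:
    """The four instances from the posted configuration, in authorize-group order."""
    return [
        AttrRewrite("AttrRewrite_MonthlyBlendedUnshaped", "Configuration-Token",
                    "LOCAL_LIMITED", "UNSHAPED_NORMAL", new_attribute=True),
        AttrRewrite("AttrRewrite_MonthlyBlendedShaped", "Configuration-Token",
                    "UNSHAPED_NORMAL", "SHAPED_NORMAL"),
        AttrRewrite("AttrRewrite_MonthlyLocal", "Configuration-Token",
                    "SHAPED_NORMAL", "LOCAL_NORMAL"),
        AttrRewrite("AttrRewrite_Limited", "Configuration-Token",
                    "LOCAL_NORMAL", "LOCAL_LIMITED"),
    ]

def walk_chain(upto: int) -> Tuple[List[Pair], List[str]]:
    """Run the first `upto` instances over a reply that starts as the SQL group reply.
    The sqlcounter checks between the instances are not modelled: this is the path where
    each counter rejects and the group moves on to the next rewrite."""
    reply = [Pair("Configuration-Token", "SHAPED_NORMAL", op=":=")]
    debug: List[str] = []
    for inst in keiths_group()[:upto]:
        debug.append(f"[model] running {inst.name}")
        debug.extend(inst.run(reply))
    return reply, debug

if __name__ == "__main__":
    final_reply, lines = walk_chain(2)
    print("\n".join(lines))
    for p in final_reply:
        print(f"\t{p.attr} {p.op} {p.value}")
```

With a single matching pair the same instance edits it in place and prints no "No match found" line, which is the behaviour Keith expected; the doubled attribute only appears once an instance with `new_attribute = yes` has run before it.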
RE: Newslists
Ok but then

> The thing about the attr_rewrite module is that it looks at ALL attributes in the list. In this case, you have two Configuration-Tokens. One has value SHAPED_NORMAL, and the other UNSHAPED_NORMAL. It doesn't match the first, but it does match the second. After that, it says it couldn't find any more.

Where does it get the second Configuration-Token from?

Regards
Keith Dovale

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Saturday, February 09, 2008 6:17 PM
To: FreeRadius users mailing list
Subject: Re: Newslists

Keith Dovale - HostworX.co.za wrote:
> A user logs in with shaped access, the group reply sets Configuration token to SHAPED_NORMAL ok nowhere else is the Configuration-Token setup. The attrib-rewrite for unshaped kicks in and should check to see if the Configuration-token is UNSHAPED_LOCAL and if it can't find it rewrite it to SHAPED_LOCAL is that not right.

  Yes.

> Then if the sqlcounter fails move into the next attrib-rewrite. But in the debug it is looking for SHAPED_NORMAL in the UNSHAPED attrib rewrite.

  No. As I said, that debug message is wrong.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Newslists
Alan,

Thanks once again for your realistic comments (sarcastic none the less). I will find alternative support as this user list is totally none the less..

Regards
Keith Dovale

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, February 08, 2008 11:52 AM
To: FreeRadius users mailing list
Subject: Re: Newslists

Keith Dovale - HostworX.co.za w
> No not at all, and I don't expect it.

  It sounds like you did... hence the complaint about no answer.

> But at least someone like yourself, who seems to be the guru on freeradius, could at least reply

  So you did expect a reply...

> with a constructive answer rather than replying with sarcastic comments.

  Reality isn't sarcasm.

> My question is where did I announce I don't read the documentation? That is the first thing I went to. I have gone through the read me's, faq's etc and have followed their directions regarding this; it's the debug that is giving the error. And responding with weird checks, that is exactly why I posted here as there is no google results / faqs, etc that answer my question.

  You posted an edited piece of the debug log. If you knew how to configure it and read the debug log, it would be appropriate to edit the debug log. Since you don't know how to configure it, your edits very likely removed all information that could be used to help you. Hence the comments about reality.

  If you want people to help you, make it easy for them to help you. Making it hard to help you, and then complaining about the lack of free support is ... unproductive.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Newslists
No not at all, and I don't expect it. But at least someone like yourself, who seems to be the guru on freeradius, could at least reply with a constructive answer rather than replying with sarcastic comments.

My question is: where did I announce I don't read the documentation? That is the first thing I went to. I have gone through the read me's, faq's etc and have followed their directions regarding this; it's the debug that is giving the error. And responding with weird checks, that is exactly why I posted here as there is no google results / faqs, etc that answer my question.

Regards
Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, February 08, 2008 9:44 AM
To: FreeRadius users mailing list
Subject: Re: Newslists

Keith Dovale - HostworX.co.za wrote:
> My Honest opinion of this news list / user group is that it is not helpful at all, it seems if you are not in the click, no one helps, does anyone moderate this or not ? I have posted twice now and no one replies…

  Is there a contractual obligation requiring people to support you?

  In any case, you haven't followed the instructions in the FAQ, README, INSTALL, etc. You've already announced that you don't read the documentation people write, so why would anyone write more on this list?

> Regards
> Keith
>
> *From:* Keith Dovale - HostworX.co.za [mailto:[EMAIL PROTECTED]
> *Sent:* Thursday, February 07, 2008 9:08 PM
> *To:* '
> *Subject:* attr rewrite issue
>
> Hi Guys, some help please.
>
> I am trying to do a attr rewrite to change an Attribute value then do a check based on the attribute that is changed; if the check fails, do another attrib rewrite to the next value and do another check, until either the check fails or passes.
>
> There is basically only 4 checks in the group statement in the authorise section which do
>
> Attrib rewrite
> Do check (If it fails do)
> Attrib rewrite
> Do check (If it fails do)
> Attrib check
> Do rewrite (If it fails do)
> Attrib check
> Do rewrite
> Reject
> Pass
>
> When it runs it checks the reply packet for an attribute Configuration-Token which is defined in the radgroupreply for the users, but it seems it cannot find it and gives an error. As below
>
> rlm_sqlcounter: (Check item - counter) is less than zero
> rlm_sqlcounter: Rejected user keith, check_item=0, counter=0
> modcall[authorize]: module MonthlyUnShaped returns reject for request 2
> radius_xlat: 'UNSHAPED_NORMAL'
> rlm_attr_rewrite: No match found for attribute Configuration-Token with value 'SHAPED_NORMAL'
> radius_xlat: 'UNSHAPED_NORMAL'
> radius_xlat: 'SHAPED_NORMAL'
> rlm_attr_rewrite: Changed value for attribute Configuration-Token from 'UNSHAPED_NORMAL' to 'SHAPED_NORMAL'
> rlm_attr_rewrite: Could not find value pair for attribute Configuration-Token
> modcall[authorize]: module AttrRewrite_MonthlyBlendedShaped returns ok for request 2
>
> can anyone help

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Newslists
Ok you asked for the debug log here it is.

Fri Feb 8 17:24:47 2008 : Info: Starting - reading configuration files ...
Fri Feb 8 17:24:47 2008 : Debug: reread_config: reading radiusd.conf
Fri Feb 8 17:24:47 2008 : Debug: Config: including file: ../etc/raddb/proxy.conf
Fri Feb 8 17:24:47 2008 : Debug: Config: including file: ../etc/raddb/clients.conf
Fri Feb 8 17:24:47 2008 : Debug: Config: including file: ../etc/raddb/snmp.conf
Fri Feb 8 17:24:47 2008 : Debug: Config: including file: ../etc/raddb/sql.conf
Fri Feb 8 17:24:47 2008 : Debug: main: prefix = ..
Fri Feb 8 17:24:47 2008 : Debug: main: localstatedir = ../var
Fri Feb 8 17:24:47 2008 : Debug: main: logdir = ../var/log/radius
Fri Feb 8 17:24:47 2008 : Debug: main: libdir = ../lib
Fri Feb 8 17:24:47 2008 : Debug: main: radacctdir = ../var/log/radius/radacct
Fri Feb 8 17:24:47 2008 : Debug: main: hostname_lookups = no
Fri Feb 8 17:24:47 2008 : Debug: main: max_request_time = 60
Fri Feb 8 17:24:47 2008 : Debug: main: cleanup_delay = 6
Fri Feb 8 17:24:47 2008 : Debug: main: max_requests = 25600
Fri Feb 8 17:24:47 2008 : Debug: main: delete_blocked_requests = 0
Fri Feb 8 17:24:47 2008 : Debug: main: port = 0
Fri Feb 8 17:24:47 2008 : Debug: main: allow_core_dumps = no
Fri Feb 8 17:24:47 2008 : Debug: main: log_stripped_names = no
Fri Feb 8 17:24:47 2008 : Debug: main: log_file = ../var/log/radius/radius.log
Fri Feb 8 17:24:47 2008 : Debug: main: log_auth = yes
Fri Feb 8 17:24:47 2008 : Debug: main: log_auth_badpass = yes
Fri Feb 8 17:24:47 2008 : Debug: main: log_auth_goodpass = yes
Fri Feb 8 17:24:47 2008 : Debug: main: pidfile = ../var/run/radiusd/radiusd.pid
Fri Feb 8 17:24:47 2008 : Debug: main: bind_address = xx.xx.xx.xx IP address [xx.xx.xx.xx]
Fri Feb 8 17:24:47 2008 : Debug: main: user = (null)
Fri Feb 8 17:24:47 2008 : Debug: main: group = (null)
Fri Feb 8 17:24:47 2008 : Debug: main: usercollide = no
Fri Feb 8 17:24:47 2008 : Debug: main: lower_user = after
Fri Feb 8 17:24:47 2008 : Debug: main: lower_pass = no
Fri Feb 8 17:24:47 2008 : Debug: main: nospace_user = after
Fri Feb 8 17:24:47 2008 : Debug: main: nospace_pass = before
Fri Feb 8 17:24:47 2008 : Debug: main: checkrad = ../sbin/checkrad
Fri Feb 8 17:24:47 2008 : Debug: main: proxy_requests = yes
Fri Feb 8 17:24:47 2008 : Debug: proxy: retry_delay = 5
Fri Feb 8 17:24:47 2008 : Debug: proxy: retry_count = 3
Fri Feb 8 17:24:47 2008 : Debug: proxy: synchronous = no
Fri Feb 8 17:24:47 2008 : Debug: proxy: default_fallback = yes
Fri Feb 8 17:24:47 2008 : Debug: proxy: dead_time = 120
Fri Feb 8 17:24:47 2008 : Debug: proxy: post_proxy_authorize = no
Fri Feb 8 17:24:47 2008 : Debug: proxy: wake_all_if_all_dead = no
Fri Feb 8 17:24:47 2008 : Debug: security: max_attributes = 200
Fri Feb 8 17:24:47 2008 : Debug: security: reject_delay = 1
Fri Feb 8 17:24:47 2008 : Debug: security: status_server = no
Fri Feb 8 17:24:47 2008 : Debug: main: debug_level = 0
Fri Feb 8 17:24:47 2008 : Debug: read_config_files: reading dictionary
Fri Feb 8 17:24:47 2008 : Debug: read_config_files: reading naslist
Fri Feb 8 17:24:47 2008 : Info: Using deprecated naslist file. Support for this will go away soon.
Fri Feb 8 17:24:47 2008 : Debug: read_config_files: reading clients
Fri Feb 8 17:24:47 2008 : Debug: read_config_files: reading realms
Fri Feb 8 17:24:47 2008 : Debug: radiusd: entering modules setup
Fri Feb 8 17:24:47 2008 : Debug: Module: Library search path is ../lib
Fri Feb 8 17:24:47 2008 : Debug: Module: Loaded exec
Fri Feb 8 17:24:47 2008 : Debug: exec: wait = yes
Fri Feb 8 17:24:47 2008 : Debug: exec: program = (null)
Fri Feb 8 17:24:47 2008 : Debug: exec: input_pairs = request
Fri Feb 8 17:24:47 2008 : Debug: exec: output_pairs = (null)
Fri Feb 8 17:24:47 2008 : Debug: exec: packet_type = (null)
Fri Feb 8 17:24:47 2008 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Fri Feb 8 17:24:47 2008 : Debug: Module: Instantiated exec (exec)
Fri Feb 8 17:24:47 2008 : Debug: Module: Loaded expr
Fri Feb 8 17:24:47 2008 : Debug: Module: Instantiated expr (expr)
Fri Feb 8 17:24:47 2008 : Debug: Module: Loaded SQL Counter
Fri Feb 8 17:24:47 2008 : Debug: sqlcounter: counter-name = Monthly-Traffic-UnShaped
Fri Feb 8 17:24:47 2008 : Debug: sqlcounter: check-name = Max-Monthly-Blended-UnShaped
Fri Feb 8 17:24:47 2008 : Debug: sqlcounter: reply-name = Session-Timeout
Fri Feb 8 17:24:47 2008 : Debug: sqlcounter: key = User-Name
Fri Feb 8 17:24:47 2008 : Debug: sqlcounter: sqlmod-inst = sql
Fri Feb 8 17:24:47 2008 : Debug: sqlcounter: query = SELECT IF((SELECT (sum(AcctInputOctets) + SUM(AcctOutputOctets))/1024 from radacct WHERE UserName='%{%k}' AND Class REGEXP '^NU' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'),(SELECT (sum(AcctInputOctets) + SUM(AcctOutputOctets))/1024 from radacct WHERE UserName='%{%k}' AND Class REGEXP '^NU' AND
RE: Newslists
I posted this all before, I just trimmed the debug file down to where the error was...

The attrib rewrite section
...
attr_rewrite AttrRewrite_MonthlyBlendedUnshaped {
	attribute = Configuration-Token
	searchin = reply
	searchfor = LOCAL_LIMITED
	replacewith = UNSHAPED_NORMAL
	ignore_case = yes
	new_attribute = yes
	max_matches = 1
	append = no
}
attr_rewrite AttrRewrite_MonthlyBlendedShaped {
	attribute = Configuration-Token
	searchin = reply
	searchfor = UNSHAPED_NORMAL
	replacewith = SHAPED_NORMAL
	ignore_case = yes
	new_attribute = no
	max_matches = 1
	append = no
}
attr_rewrite AttrRewrite_MonthlyLocal {
	attribute = Configuration-Token
	searchin = reply
	searchfor = SHAPED_NORMAL
	replacewith = LOCAL_NORMAL
	ignore_case = yes
	new_attribute = no
	max_matches = 1
	append = no
}
attr_rewrite AttrRewrite_Limited {
	attribute = Configuration-Token
	searchin = reply
	searchfor = LOCAL_NORMAL
	replacewith = LOCAL_LIMITED
	ignore_case = yes
	new_attribute = no
	max_matches = 1
	append = no
}

The authorize section

authorize {
	auth_log
	# digest
	hxdsl
	sql
	group {
		AttrRewrite_MonthlyBlendedUnshaped
		MonthlyUnShaped {
			reject = 1
			ok = return
		}
		AttrRewrite_MonthlyBlendedShaped
		MonthlyShaped {
			reject = 1
			ok = return
		}
		AttrRewrite_MonthlyLocal
		MonthlyLocal {
			reject = 1
			ok = return
		}
		AttrRewrite_Limited
	}
	pap
}

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 08, 2008 4:39 PM
To: FreeRadius users mailing list
Subject: Re: Newslists

Hi,

> But when it checks for the attribute in the reply packet, it says it can't find it, but it still does the attrib-rewrite, changes the values and then moans it couldn't find the value pair. This is obviously not normal in my opinion, and thus I asked about a specific problem. I only attached the debug portion as it is specific to the problem.

post the relevant part of your config file? We aren't seeing the whole picture. when you take a car to the garage, the mechanic hears your story AND sees the car.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Newslists
I did explain what I was trying to do with the failover and the attr_rewrite function. What more can a person say about the attrib rewrite, other than the attribute rewrite is supposed to check for an attribute in a packet, in this case the reply packet, and if it finds the attribute, change it and basically carry on?

But when it checks for the attribute in the reply packet, it says it can't find it, but it still does the attrib-rewrite, changes the values and then moans it couldn't find the value pair. This is obviously not normal in my opinion, and thus I asked about a specific problem. I only attached the debug portion as it is specific to the problem.

When you take your car to the garage for a brake problem, you don't explain how the engine, fan, wheels, boot opener work; you say the car does not stop when I push the brakes. If the mechanic asks for more info then you tell him.

rlm_attr_rewrite: No match found for attribute Configuration-Token with value 'SHAPED_NORMAL'
radius_xlat: 'UNSHAPED_NORMAL'
radius_xlat: 'SHAPED_NORMAL'
rlm_attr_rewrite: Changed value for attribute Configuration-Token from 'UNSHAPED_NORMAL' to 'SHAPED_NORMAL'
rlm_attr_rewrite: Could not find value pair for attribute Configuration-Token

Regards
Keith Dovale

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edvin Seferovic
Sent: Friday, February 08, 2008 12:14 PM
To: 'FreeRadius users mailing list'
Subject: RE: Newslists

Constructive answer, like always, is to analyze what you want to achieve with freeradius. Rethink the configuration, read the documentation for your setup needs and ask a straight-forward question. You cannot just post the debug output and hope that someone can understand what you actually need. Try to elaborate your setup, the steps you have already done and of course the debugging output. Alan will probably give you a simple answer like yes/no and point to the right direction.

But again - you cannot expect someone to do the installation and setup for you! People are usually paid for that! Although Alan might be sarcastic, he has never let anyone down who was willing to learn and accept the mistakes (including myself).

Regards,
E:S

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Dovale - HostworX.co.za
Sent: Friday, 08 February 2008 10:46
To: 'FreeRadius users mailing list'
Subject: RE: Newslists

No not at all, and I don't expect it. But at least someone like yourself, who seems to be the guru on freeradius, could at least reply with a constructive answer rather than replying with sarcastic comments.

My question is: where did I announce I don't read the documentation? That is the first thing I went to. I have gone through the read me's, faq's etc and have followed their directions regarding this; it's the debug that is giving the error. And responding with weird checks, that is exactly why I posted here as there is no google results / faqs, etc that answer my question.

Regards
Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, February 08, 2008 9:44 AM
To: FreeRadius users mailing list
Subject: Re: Newslists

Keith Dovale - HostworX.co.za wrote:
> My Honest opinion of this news list / user group is that it is not helpful at all, it seems if you are not in the click, no one helps, does anyone moderate this or not ? I have posted twice now and no one replies…

  Is there a contractual obligation requiring people to support you?

  In any case, you haven't followed the instructions in the FAQ, README, INSTALL, etc. You've already announced that you don't read the documentation people write, so why would anyone write more on this list?

> Regards
> Keith
>
> *From:* Keith Dovale - HostworX.co.za [mailto:[EMAIL PROTECTED]
> *Sent:* Thursday, February 07, 2008 9:08 PM
> *To:* '
> *Subject:* attr rewrite issue
>
> Hi Guys, some help please.
>
> I am trying to do a attr rewrite to change an Attribute value then do a check based on the attribute that is changed; if the check fails, do another attrib rewrite to the next value and do another check, until either the check fails or passes.
>
> There is basically only 4 checks in the group statement in the authorise section which do
>
> Attrib rewrite
> Do check (If it fails do)
> Attrib rewrite
> Do check (If it fails do)
> Attrib check
> Do rewrite (If it fails do)
> Attrib check
> Do rewrite
> Reject
> Pass
>
> When it runs it checks the reply packet for an attribute Configuration-Token which is defined in the radgroupreply for the users, but it seems it cannot find it and gives an error. As below
>
> rlm_sqlcounter: (Check item - counter) is less than zero
> rlm_sqlcounter: Rejected user keith, check_item=0, counter=0
> modcall[authorize]: module
RE: Newslists
Dear GOD, I am quite prepared to pay someone to resolve my problems if necessary, however the point of this news list is supposed to be people helping people, learning from others who have been there etc, and not being a bill gates society. All I can say is, if you spent as much time helping people as you did coming up with crap comments the world would be a better place. I have been subscribed to this news list for a short while now, and you of all people continually give people sarcastic comments.. Get a Life... You have spent more time giving me crap comments than one decent one saying exactly what you would expect or need to look at this issue to resolve it. You constantly have some crap comment to make. Like I said before I will find out from another source. Instead of coming out with what you require you make these little noises about how pathetic the poster is and shirk them off. You obviously have SDS...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, February 08, 2008 4:07 PM
To: FreeRadius users mailing list
Subject: Re: Newslists

Keith Dovale - HostworX.co.za wrote:
> what more can a person say about the attrib rewrite, other than the attribute rewrite is supposed to check for an attribute in a packet, in this case the reply packet, if it finds the attribute, change it and basically carry on

While that is possible, it's not evident from the debug log you posted.

> But when it checks for the attribute in the reply packet, it says it can't find it, but it still does the attrib-rewrite, changes the values and then moans it couldn't find the value pair. This is obviously not normal in my opinion, and thus I asked about a specific problem. I only attached the debug portion as it is specific to the problem.

See my previous response.

> When you take your car to the garage for a brake problem, you don't explain how the engine, fan, wheels, boot opener work, you say the car does not stop when I push the brakes. If the mechanic asks for more info then you tell him.

Mechanics are used to people claiming all sorts of interesting problems with their cars that are unrelated to what is *really* broken.

C: My car won't start! The starter motor is broken!
M: Is there gas in the car?
C: Err... no.
M: Right then... here's the bill.

Alan DeKok.
attr rewrite issue
Hi Guys, some help please.

I am trying to do an attr rewrite to change an Attribute value, then do a check based on the attribute that is changed; if the check fails, do another attrib rewrite to the next value and do another check, until either the check fails or passes. There are basically only 4 checks in the group statement in the authorise section, which do:

Attrib rewrite
Do check (If it fails do)
Attrib rewrite
Do check (If it fails do)
Attrib check
Do rewrite (If it fails do)
Attrib check
Do rewrite
Reject
Pass

When it runs it checks the reply packet for an attribute Configuration-Token, which is defined in the radgroupreply for the users, but it seems it cannot find it and gives an error. As below:

rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user keith, check_item=0, counter=0
modcall[authorize]: module MonthlyUnShaped returns reject for request 2
radius_xlat: 'UNSHAPED_NORMAL'
rlm_attr_rewrite: No match found for attribute Configuration-Token with value 'SHAPED_NORMAL'
radius_xlat: 'UNSHAPED_NORMAL'
radius_xlat: 'SHAPED_NORMAL'
rlm_attr_rewrite: Changed value for attribute Configuration-Token from 'UNSHAPED_NORMAL' to 'SHAPED_NORMAL'
rlm_attr_rewrite: Could not find value pair for attribute Configuration-Token
modcall[authorize]: module AttrRewrite_MonthlyBlendedShaped returns ok for request 2

can anyone help
Newslists
My Honest opinion of this news list / user group is that it is not helpful at all, it seems if you are not in the click, no one helps, does anyone moderate this or not? I have posted twice now and no one replies.

Regards
Keith

From: Keith Dovale - HostworX.co.za [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 07, 2008 9:08 PM
To: '
Subject: attr rewrite issue

Hi Guys, some help please.

I am trying to do an attr rewrite to change an Attribute value, then do a check based on the attribute that is changed; if the check fails, do another attrib rewrite to the next value and do another check, until either the check fails or passes. There are basically only 4 checks in the group statement in the authorise section, which do:

Attrib rewrite
Do check (If it fails do)
Attrib rewrite
Do check (If it fails do)
Attrib check
Do rewrite (If it fails do)
Attrib check
Do rewrite
Reject
Pass

When it runs it checks the reply packet for an attribute Configuration-Token, which is defined in the radgroupreply for the users, but it seems it cannot find it and gives an error. As below:

rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user keith, check_item=0, counter=0
modcall[authorize]: module MonthlyUnShaped returns reject for request 2
radius_xlat: 'UNSHAPED_NORMAL'
rlm_attr_rewrite: No match found for attribute Configuration-Token with value 'SHAPED_NORMAL'
radius_xlat: 'UNSHAPED_NORMAL'
radius_xlat: 'SHAPED_NORMAL'
rlm_attr_rewrite: Changed value for attribute Configuration-Token from 'UNSHAPED_NORMAL' to 'SHAPED_NORMAL'
rlm_attr_rewrite: Could not find value pair for attribute Configuration-Token
modcall[authorize]: module AttrRewrite_MonthlyBlendedShaped returns ok for request 2

can anyone help
FW: Help Needed Please freeradius traffic limiting
Regards
Keith Dovale
http://www.hostworx.co.za/

From: Keith Dovale
Sent: Tuesday, January 15, 2008 6:24 PM
To: 'FreeRadius users mailing list'
Subject: Help Needed Please freeradius traffic limiting

Ok, I need to do this and if someone could help I would appreciate it as I am new to this.

1. I need to limit users by traffic and NOT session time. (I set up the monthly counters to check, but the counters cannot go beyond 2,148,000,000 and they fail; I think this is due to the counters using the type as integer. If I can get this value to go beyond this, then this sorts out my problem based on traffic.)

2. I need to execute a query to check the clients' total traffic usage and compare it to their limit; if they have gone beyond their limit I need to be able to execute a disconnect. (The disconnect side I have got working manually, so if there is a way to trigger / execute a program on an interim update which will force a discon that will help, else if this can be done another way please let me know.)

3. Any recommendations on how to go about the above issues which will do this in an easier way, please let me know.

Regards
Keith Dovale
http://www.hostworx.co.za/
RE: Possible Spam : Low Spam probability - : sqlcounter continue after failed match
Hi Etienne, are you also limiting your users based on traffic usage?

Regards
Keith Dovale

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Etienne Pretorius
Sent: Tuesday, January 15, 2008 6:30 PM
To: FreeRadius users mailing list
Subject: Possible Spam : Low Spam probability - : sqlcounter continue after failed match

Hello List,

I have managed to get sqlcounter working for tracking the octets in the accounting database. Could someone give me a hint as to how I would, say, allow a user for group 'A' to use up their octets and, if the user also belongs to group 'B', then allow an additional amount of octets (10%) for example. I actually only need a Fall-Through like attribute for the authorize section, as I have both queries working individually, but when the user fails to pass sqlcounter on a group 'A' basis, then the Access-Reject packet is sent without FreeRadius attempting to process the group 'B' sqlcounter.

Kind Regards
Etienne Pretorius
Help Needed Please freeradius traffic limiting
FFs, Lol

Hi List,

Ok, I need to do this and if someone could help I would appreciate it as I am new to this.

1. I need to limit users by traffic and NOT session time. (I set up the monthly counters to check, but the counters cannot go beyond 2,148,000,000 and they fail; I think this is due to the counters using the type as integer. If I can get this value to go beyond this, then this sorts out my problem based on traffic.)

2. I need to execute a query to check the clients' total traffic usage and compare it to their limit; if they have gone beyond their limit I need to be able to execute a disconnect. (The disconnect side I have got working manually, so if there is a way to trigger / execute a program on an interim update which will force a discon that will help, else if this can be done another way please let me know.)

3. Any recommendations on how to go about the above issues which will do this in an easier way, please let me know.

Regards
Keith Dovale
http://www.hostworx.co.za/
RE: Possible Spam : Low Spam probability - : Re: SQL Counter Problem
Thanks Alan, I have tested and it definitely seems to be a problem; the field is using a varchar(255) in sql, I thought this was an issue but it is not. Is there any way you could rebuild the sqlcounters for freeradius.net? I have a compiled version already. I have seen some mention about the sqlcounter being compiled using a traffic based option and not looking at the session time.

Regards
Keith Dovale

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, January 11, 2008 2:41 PM
To: FreeRadius users mailing list
Subject: Possible Spam : Low Spam probability - : Re: SQL Counter Problem

Keith Dovale wrote:
> Is there a limitation with the SQLCounter routine using a value above 2,148,000,000 in the checkfield? As if I set this value to anything below this figure the routine works as planned, however if I go above this value it rejects the user as no available time.

The counters are 32 bits, so that is likely the source of the limitation.

> I am trying to use the sqlcounter to check to see if the user has available bandwidth and if so give them access, but this now limits me to this value. I am using the freeradius port for cygwin, can anyone help me out with this as I need to set this figure to above 30Mb value

30Mb should work. If you need 64-bit counters, the code will have to be modified.

Alan DeKok.
SQL Counter Problem
Is there a limitation with the SQLCounter routine using a value above 2,148,000,000 in the checkfield? As if I set this value to anything below this figure the routine works as planned, however if I go above this value it rejects the user as no available time.

I am trying to use the sqlcounter to check to see if the user has available bandwidth and if so give them access, but this now limits me to this value. I am using the freeradius port for cygwin, can anyone help me out with this as I need to set this figure to above 30Mb value
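To see what a 32-bit counter means for the 2,148,000,000 figure in this thread, here is an added example (my own Python, not rlm_sqlcounter's code): it totals a user's octets from a constructed radacct table with a counter-style query, then applies the "(Check item - counter)" test twice, once emulating signed 32-bit arithmetic (an assumption about how the 1.x counter subtraction behaves; Alan's reply only says the counters are 32 bits) and once with full-width integers. The radacct column names, the period start and every row are constructed for the example.

```python
import sqlite3

JAN_2008 = 1199145600  # constructed period start: 2008-01-01 00:00:00 UTC


def to_int32(value):
    """Reinterpret an integer as a C signed 32-bit int (two's complement wrap)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def build_radacct():
    """Constructed accounting data. Column names follow the stock FreeRADIUS
    radacct schema (an assumption; the thread does not show the table)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, "
        "AcctInputOctets INTEGER, AcctOutputOctets INTEGER)"
    )
    rows = [
        ("keith", 1199232000, 1_000_000_000, 1_000_000_000),  # Jan 2008
        ("keith", 1199750400, 60_000_000, 40_000_000),        # Jan 2008
        ("keith", 1196640000, 700_000_000, 700_000_000),      # Dec 2007: outside the period
        ("other", 1199300000, 999_000_000, 999_000_000),      # someone else
    ]
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    return db


def monthly_octets(db, user, period_start=JAN_2008):
    """Counter query: octets in + out for the user's sessions started in the period."""
    (total,) = db.execute(
        "SELECT COALESCE(SUM(AcctInputOctets + AcctOutputOctets), 0) "
        "FROM radacct WHERE UserName = ? AND AcctStartTime >= ?",
        (user, period_start),
    ).fetchone()
    return total


def counter_check(check_item, counter, bits=32):
    """Apply the '(Check item - counter) is less than zero' test.

    Returns (accept, remaining). With bits=32 the subtraction wraps like a
    signed 32-bit C int (assumed to model the 1.x counters); with bits=64 it
    is plain integer arithmetic."""
    if bits == 32:
        remaining = to_int32(check_item - counter)
    else:
        remaining = check_item - counter
    return remaining > 0, remaining


def check_user(db, user, limit, bits=32):
    """Look the usage up and run the counter test, as a counter instance would."""
    used = monthly_octets(db, user)
    accept, remaining = counter_check(limit, used, bits)
    return {"user": user, "used": used, "accept": accept, "remaining": remaining}


if __name__ == "__main__":
    db = build_radacct()
    limit = 2_148_000_000  # the figure from this thread, just above 2**31 - 1
    for user in ("keith", "newbie"):
        for bits in (32, 64):
            print(bits, check_user(db, user, limit, bits))
```

With the limit at 2,148,000,000 the 32-bit path rejects a user with no usage yet (the wrapped difference is negative), while a user who has already consumed 2,100,000,000 octets is accepted with 48,000,000 remaining, because the wrap cancels out once the difference fits in 31 bits. So the symptom lands on new and light users, which matches the rejections described here; a limit of 2,147,000,000 passes on both paths.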
Certificate patches for EAP TLS module
In trying to come up with our own solution to the same problem I discovered the following previous patch proposal by Michael Joosten from 2005. Incorporating this functionality would be greatly appreciated: configurable checking of user identity (i.e. what the supplicant tells via EAP Identity) against the actual client/user certificate. I couldn't find any comments on this (other than another person interested in seeing it adopted); any chance this could make it into a future version? 2.0?

-Keith

From [EMAIL PROTECTED] Thu Mar 10 05:16:40 2005
From: [EMAIL PROTECTED] (Michael Joosten)
Date: Thu, 10 Mar 2005 06:16:40 +0100
Subject: certificate patches for EAP TLS module, plus some questions..
Message-ID: [EMAIL PROTECTED]

Hello,

due to internal demand I'm providing a patch that provides the following new functionality for EAP TLS:

1) configurable checking of user identity (i.e. what the supplicant tells via EAP Identity) against the actual client/user certificate. There is already a check for commonName, but in many cases Joe User isn't unique enough - and some PKIs even use different X509 attributes, like those who want to implement a Microsoft SmartCard Login compatible infrastructure. And yes, stuff from Subject Alternative Name is also supported. This patch is implemented as additional config options for the EAP TLS module section in eap.conf, providing plain text names for attributes and even search lists, in case two different versions/generations of user certificates must be supported:

use_as_cert_cn = email,UPN,TCGID,CN
# search the user cert for email (both in Subject Alt. Name and Subject), Microsoft Universal Principal Name, Trust Center Global ID (Guardeonic thingy), and commonName, in this order and return first hit.
check_cert_cn = %{User-Name}
# kept from previous impl., uses CN if use_as_cert_cn is not set, otherwise whatever was found above first

2) for accounting and informing the gateway/NAS, the most relevant X509 attributes of a verified user certificate can be exported as AV pairs. Similar to 1), a list can be specified or all defined attributes are 'exported':

export_cert_attributes = *
- or -
export_cert_attributes = CN,email,UPN,TCGID

This will end up as

UserCert-CN = Joe User
UserCert-Email = [EMAIL PROTECTED]
UserCert-UPN = [EMAIL PROTECTED]
UserCert-TCGID = USERJ0001234

and some other usual X.509 attributes.

If I'm not mistaken, this has been requested a few times in the mailing lists, hasn't it? These avpairs are created at the end of eaptls_authenticate() and added to the reply list - I hope that's the right place?! My question is now under which namespace these attributes should go. They are not really company-specific and could go into the common range 255, but there are currently about 20 defined. I could also use some Siemens enterprise ID to fix them, though. Currently, I added a new dictionary file (dictionary.siemens) and put them there under some Siemens IANA enterprise number. And the prefix 'UserCert-' is also changeable, by using, e.g., cert_attributes_prefix = X509-Attr-

The patch adds a new file in the rlm_eap_tls directory and makes some minor mods to the existing files, and is therefore completely restricted to rlm_eap_tls. Except for the changes in share/dictionary and share/dictionary.siemens and an update of the EAP TLS documentation in doc/rlm_eap. Adding additional X509 attributes is very simple; usually just adding them to an internal table in cert.c is sufficient. With some more work/time, this mapping table could even be read from a configuration file.

Looking forward to some comments,
Michael

Content-Disposition: inline; filename=freeradius102-patch1.txt

diff -urN -x '*~' ../orig/freeradius-1.0.2/doc/rlm_eap ./doc/rlm_eap
--- ../orig/freeradius-1.0.2/doc/rlm_eap Tue Dec 16 04:50:34 2003
+++ ./doc/rlm_eap Wed Mar 9 00:35:59 2005
@@ -155,6 +155,96 @@ EAP-SIM will send WEP attributes to the resquestor. +EAP TLS server + + EAP TLS, TTLS and PEAP use public key based certificates for the server, + while TLS even uses them for authentication of the client (aka + supplicant). Consequently, TLS is usually employed for deployments that + intend or already have an organization-wide PKI (Public Key + Infrastructure). Currently, provided that the supplicant (user client) + has a valid certificate, ANY identity that it provides in the + EAP-Identity phase of the protocol is accepted, which clearly make few + sense for accounting and authorization. Whilst the rlm_eap_tls
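Review bot: the added documentation paragraph needs a grammar pass before merge: "which clearly make few sense for accounting and authorization" should read "which makes little sense for accounting and authorization", and "deployments that intend or already have an organization-wide PKI" needs "intend to have or already have". The same paragraph states that ANY EAP-Identity is accepted once the certificate is valid; since the existing check_cert_cn option already compares the identity with the commonName, that sentence should be qualified ("unless check_cert_cn is set") so readers do not conclude there is no check at all. The hunk is cut off at "Whilst the rlm_eap_tls" in this archive, so the remaining 86 added lines cannot be reviewed here.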
Re: Certificate patches for EAP TLS module
I think I understand the concern as to part 2 of Michael's patch proposal, but would that apply to incorporating part 1, extending the check_cert_cn functionality? Would it be useful to rework and submit a patch that just addressed that? A first step?

-Keith

On May 18, 2007, at 1:17 PM, Alan DeKok wrote:

> Keith Moores wrote:
>> In trying to come up with our own solution to the same problem I discovered the following previous patch proposal by Michael Joosten from 2005. Incorporating this functionality would be greatly appreciated:
>> ...
>> I couldn't find any comments on this (other than another person interested in seeing it adopted), any chance this could make it into a future version? 2.0?
>
> I had some discussion with him off-list at the time. My main concern is that it always adds these attributes, even if they're not needed. I would prefer that the patch register dynamic callbacks for these attributes, so that they cost nothing if they're not used.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: free radius 1.1.6 -eap-tls authentication
CRLs are not the best way to conduct authorization for EAP-TLS; their control is too coarse when the goal is to enable/disable the use of valid certificates for different purposes, and they don't let you assign other authorization info like what VLAN a user should be assigned to. The only option that currently works for access to real authorization with EAP-TLS is to use the

check_cert_cn = %{User-Name}

option in the tls section of eap.conf, so you can be sure the outer identity (User-Name) matches the inner identity in the certificate; it's then valid to check User-Name against another source for authorization. If you don't perform this check you can't be sure the outer identity (User-Name) has any relation to the identity represented by the certificate. This is only an option if your user certificates contain the unique user id you will look up for authorization in the Common Name field, not in the Subject Alternative Name - Principal Name field (which many organizations use, as their User certificate Common Names are not unique user identifiers).

-Keith

On May 17, 2007, at 1:49 AM, Alan DeKok wrote:

> [EMAIL PROTECTED] wrote:
>> 1 Where will i find the log of the authentication like username login ok...or login failed
>
> It's in radius.log
>
>> 2 One user's certificate if I installed in other user's laptop it works. I want one user certificate should work in one laptop only.
>
> There's no real way of doing that. You *could* put the MAC address into the certificate, and have the RADIUS server check that against the MAC address in the RADIUS request, but there's no guarantee that will work. It can be spoofed, and it can break valid configurations.
>
>> 3 In users file i haven't added any certificate name as it is eap-tls. So if i want to remove the user from n/w i don't have control. Is there any method like i can add the certificate names in users file then only it should work
>
> Certificate revocation lists.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
EAP-TLS Inner/Outer identity
I'm trying to find a solution to a wireless authorization issue.

Background

When using EAP-TLS, both Windows (XP/Vista) and Mac OS supplicants by default set the outer identity equal to the user certificate Subject Alternative Name - Principal Name (OID 1.3.6.1.4.1.311.20.2.3) when it exists (not the Common Name). This is somewhat similar to S/MIME using the Subject Alternative RFC822 Name (not the Common Name). This is a significant usability benefit, as users don't have to enter a separate user name to connect, which in my experience a lot of supplicants require. During authentication the outer identity becomes the User-Name in FreeRadius and can be used for authorization (such as LDAP). Independently, the certificate (which contains the inner identity) can be validated.

We use client certificates for access to multiple services (web sites and more than one wireless network), thus we need the ability to control access to each independently. i.e. One class of users does not have any access to a particular wireless network with their user certificate but does have access to another wireless network (and/or web resources) with their user certificate. CRLs are not the solution in this case as they invalidate the user certificate for all uses.

Problem

The outer identity can be set by the user to anything the user wants, meaning it shouldn't be trusted/used for an authorization lookup. In FreeRadius it does not appear possible to directly look up authorization based on the inner identity, only to check the inner identity Common Name against the outer identity, i.e.

check_cert_cn = %{User-Name}

Our Common Names are not unique (which seems typical of other CAs as well), so there may be two certs for different users that have the Common Name John A. Smith, which is why our CA populates the Subject Alternative Name - Principal Name (among other fields) with the user's unique user ID.

http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-profile-current.html#PrincipalName
http://support.microsoft.com/default.aspx?scid=kb;en-us;281245

In Cisco ACS land we could accomplish this with Certificate SAN Comparison:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a0080721d80.html#wp999517

Questions

Is there a way to perform an authorization lookup based on the EAP-TLS inner identity Subject Alternative Name - Principal Name?

Any chance for adding support for checking the outer identity against the Subject Alternative Name - Principal Name, i.e.

check_cert_san = %{User-Name}

I found this old comment in the list archives; does the same answer still hold on access to other certificate fields?

Alan DeKok freeradius-users@lists.freeradius.org Fri, 08 Apr 2005 12:46:31 -0400

> Alejandro Martínez Marcos [EMAIL PROTECTED] wrote:
>> I would need an option check_cert_uid instead of check_cert_cn, because my client certificates don't have a cn. Is it possible at the moment? In other case, how can we achieve it?
>
> Source code edits. The TLS module should really export a way to check all fields in the certificate, via something like %{tls:}. That way the check_cert_foo stuff could go away.
>
> Alan DeKok.

Thanks in advance,
-Keith

Keith Moores   mailto:[EMAIL PROTECTED]
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd   Phone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324   Fax (434) 982-4715
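To make the inner/outer identity comparison in this thread concrete, here is an added example (my own Python, not FreeRADIUS code and not Michael Joosten's patch): a minimal DER walker that pulls the otherName Principal Name (OID 1.3.6.1.4.1.311.20.2.3, as quoted above) and the rfc822Name out of a subjectAltName extension value, and an identity check that, like the proposed use_as_cert_cn search list, takes the first inner identity present and compares it with User-Name. The SAN bytes are constructed inside the block; in a real server the extension value would come from the already verified client certificate, which is assumed here rather than shown.

```python
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft User Principal Name otherName (from the post)


# --- tiny DER encoder, used only to construct the sample SAN below ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_san(upn=None, email=None):
    """Constructed test data: DER for a subjectAltName value with an
    otherName UPN and/or an rfc822Name."""
    items = b""
    if upn:
        other = _der_oid(UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
        items += _tlv(0xA0, other)                   # [0] otherName (IMPLICIT SEQUENCE)
    if email:
        items += _tlv(0x81, email.encode("ascii"))   # [1] rfc822Name (IA5String)
    return _tlv(0x30, items)


# --- tiny DER decoder ---
def _read_tlv(buf, pos):
    """Return (tag, contents, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_san(ext_value):
    """Extract UPN otherNames and rfc822Names from a subjectAltName value."""
    names = {"UPN": [], "email": []}
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:  # otherName: type-id OID, then [0] EXPLICIT value
            _, oid_body, nxt = _read_tlv(val, 0)
            if _decode_oid(oid_body) == UPN_OID:
                _, wrapped, _ = _read_tlv(val, nxt)  # the [0] EXPLICIT wrapper
                _, utf8, _ = _read_tlv(wrapped, 0)   # UTF8String inside it
                names["UPN"].append(utf8.decode("utf-8"))
        elif tag == 0x81:  # rfc822Name
            names["email"].append(val.decode("ascii"))
        # other GeneralName choices (dNSName, iPAddress, ...) are ignored here
    return names


def identity_matches(user_name, subject_cn, san_value, search=("UPN", "email", "CN")):
    """Compare the outer identity (User-Name) with the first inner identity
    found in 'search' order, modelled on the proposed use_as_cert_cn list;
    search=("CN",) gives the plain check_cert_cn comparison. Exact match."""
    found = parse_san(san_value)
    found["CN"] = [subject_cn] if subject_cn else []
    for attr in search:
        if found[attr]:
            return found[attr][0] == user_name
    return False  # nothing to compare against: refuse rather than accept any identity
```

The default search order puts the UPN first, so a supplicant that sends the UPN as its outer identity passes while one that sends the (non-unique) Common Name does not; restricting the search to CN reproduces the check_cert_cn behaviour the thread describes. A certificate with no usable name fails closed instead of letting an arbitrary User-Name through.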
Re: monitoring freeradius with nagios
On Wed, 17 Jan 2007, Mike wrote:

|-All,
|-When trying to use the radauth tool from nagios to monitor
|-freeradius, I get the following in the freeradius log:
|-
|-Error: WARNING: Malformed RADIUS packet from host ... too long (length
|-18432 maximum 4096)
|-
|-radtest seems to be ok. has anyone else experienced this or knows
|-what is wrong?

I know with some monitoring tool I used a while ago (WhatsUp Gold I think) I had to add the IP of the WhatsUp server as a NAS to the allowed list with the shared secret to monitor an old Livingston radius server. I have not tried with my Freeradius box yet, but I think I might, just to see. The FR is not in production as of yet so I'm not worried about it.
How to handle EAP/LDAP or files with same server
I'm trying to finally rid myself of Cisco ACS with FR 1.1.3 and mostly having great success (performance is so much better!) but can't seem to figure out how to handle two different types of wireless authentication in separate non-overlapping ways.

Case 1 is EAP/TLS where the user ID (email address from the client cert) is also looked up via LDAP.
Case 2 is MAC authentication using the users file.

I have both of these working with one issue: MACs that are not in the users file are being sent to the LDAP server, adding unnecessary load.

authorize {
	preprocess
	files
	ldap {
		notfound = return
	}
	eap
}

The solution I can think of is to only send user names that are email addresses to ldap. Is this something that can be done with a proxy conf and realms? I'm having trouble understanding if/how those can influence the authorize section.

Thanks,
-Keith

Keith Moores   mailto:[EMAIL PROTECTED]
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd   Phone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324   Fax (434) 982-4715
Nortel Shasta BSN
Anyone using a Nortel Shasta with FreeRadius? I'd like to cut over the PPPoE customers on the Shasta from an old Livingston radius server to our FR server.

Thanks,
Keith
Re: users file vs sql
On Mon, 18 Sep 2006, Alan DeKok wrote:

|-Keith Woodworth [EMAIL PROTECTED] wrote:
|- While this is ok, how does radius get configured to use the sql table to
|- send the replies, not the users file?
|-
|- Look in radiusd.conf for sql. You have to configure the SQL
|-module.

Snip from radiusd.conf:

# Look in an SQL database. The schema of the database
# is meant to mirror the users file.
#
# See Authorization Queries in sql.conf
sql

This has been uncommented in radiusd.conf since the start. Which part of the SQL module needs to be configured? I'm not grokking that part.

Thanks.
Message in radiusd -X
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)

Any harm in the above message?
Re: users file vs sql
On Tue, 19 Sep 2006, Alan DeKok wrote:

|-Keith Woodworth [EMAIL PROTECTED] wrote:
|- This has been uncommented in radiusd.conf since the start. Which part of
|- the SQL module needs to be configured? I'm not grokking that part.
|-
|- See *all* references to sql in radiusd.conf. See doc/rlm_sql.

I had read rlm_sql before, but did so again with a more careful eye and noticed this for the flow of sql:

1. Search the radcheck table for any check attributes specific to the user
2. If check attributes are found, and there's a match, pull the reply items from the radreply table for this user and add them to the reply
3. Group processing then begins if any of the following conditions are met:
   a. The user IS NOT found in radcheck
   b. The user IS found in radcheck, but the check items don't match
   c. The user IS found in radcheck, the check items DO match AND the read_groups directive is set to 'yes'

Where is the read_groups directive? Or does it exist?

Thanks,
Keith
users file vs sql
I've got things working using 1.1.3: username in radcheck with crypt-password, using auth-type = Local in radgroupcheck. I'm using the flat users file with a simple 6 line DEFAULT entry to make it all work. On my test bed this has been working quite well for the last 3 days.

While this is ok, how does radius get configured to use the sql table to send the replies, not the users file? I've tried commenting out all the files entries in radiusd.conf, but then radius sends back an access-accept while the client side gets rejected.

Thanks,
Keith
Re: PAP questions.
On Sat, 9 Sep 2006, Keith Woodworth wrote:

|-|-
|-|- And while Radius seems to send an Access-Accept, the dialup user gets an
|-|- error 691 password invalid.
|-|-
|-|- Because you're not sending the same reply attributes as in the
|-|-previous example. Fix that.
|-|-
|-|- Again I get Access-Accept, but a 691 password error on the client side.
|-|-
|-|- Again because the replies are empty.
|-
|-Just testing a different way to do this I setup the users file with:
|-
|-DEFAULT Service-Type = Framed-User
|-	Framed-Protocol = PPP,
|-	Framed-Routing = None,
|-	Framed-IP-Netmask = 255.255.255.255,
|-	Framed-Compression = Van-Jacobsen-TCP-IP,
|-	Framed-MTU = 1500
|-
|-Now when I try to login:
|-

Again had to put this aside for a few days (really starting to grind on me, it's a wonder I actually get any work done). Anyway, so started in again on this. One thing overall I think that has confused me is that I was trying to do everything from SQL, which now I don't think I need to do.

Basically: Have a user and their crypted password stored in SQL, have radius query the database for that info, and if it's ok, start a PPP session. The only way I could get that to work was to have the username in both the radcheck AND usergroup tables. I didn't want it to work that way as it would be extra work to populate the database from our current radius setup, which uses Auth-Type System.

I think I have figured it out, though not sure if it's the correct way. Use a combination of users(5) and SQL. Have the user and password in radcheck, auth-type=local in radgroupcheck and use the users(5) file to do the rest, and it seems to finally work. My users file:

DEFAULT Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Routing = None,
	Framed-IP-Netmask = 255.255.255.255,
	Framed-Compression = Van-Jacobsen-TCP-IP,
	Framed-MTU = 1500

Using it like this works.

But as soon as I use it this way:

DEFAULT Service-Type = Framed-User
	Framed-Protocol = PPP,
	Framed-Routing = None,
	Framed-IP-Netmask = 255.255.255.255,
	Framed-Compression = Van-Jacobsen-TCP-IP,
	Framed-MTU = 1500

Why does the top way work and the bottom way not? And is this an acceptable way to do it? Store the users and passwords in SQL and have the users file supply the rest?

Thanks,
Keith
Re: PAP questions.
On Sat, 9 Sep 2006, Alan DeKok wrote:

|-Keith Woodworth [EMAIL PROTECTED] wrote:
|- Anyway here is the error:
|-
|- radiusd.conf: PAP modules aren't allowed in 'authorize' sections -- they
|- have no such method.
|-
|- That's in 1.1.3. In 2.0, that is allowed.

That error was from 1.1.2; now I'm running 1.1.3.

|- And while Radius seems to send an Access-Accept, the dialup user gets an
|- error 691 password invalid.
|-
|- Because you're not sending the same reply attributes as in the
|-previous example. Fix that.
|-
|- Again I get Access-Accept, but a 691 password error on the client side.
|-
|- Again because the replies are empty.

Which table do the replies come from? In the debug:

radius_xlat: 'tester'
rlm_sql (sql): sql_set_user escaped user -- 'tester'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'tester' ORDER BY id'

Here is the select from radcheck, which has the user tester in it.

rlm_sql (sql): Reserving sql socket id: 2
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'tester' ORDER BY id'

Radreply is populated, but the username tester is not listed there, so no match obviously.

radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module sql returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
auth: type Crypt
Sending Access-Accept of id 130 to 204.244.99.67 port 1645

So where to put the reply items? Should I not be using a default entry to reply to all users that authenticate?
Re: PAP questions.
|-
|- And while Radius seems to send an Access-Accept, the dialup user gets an
|- error 691 password invalid.
|-
|-  Because you're not sending the same reply attributes as in the
|-previous example.  Fix that.
|-
|- Again I get Access-Accept, but a 691 password error on the client side.
|-
|-  Again because the replies are empty.

Just testing a different way to do this I setup the users file with:

DEFAULT Service-Type = Framed-User
        Framed-Protocol = PPP,
        Framed-Routing = None,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Framed-MTU = 1500

Now when I try to login:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=149, length=76
        NAS-IP-Address = 204.244.98.67
        NAS-Port = 27
        NAS-Port-Type = Async
        User-Name = tester
        User-Password = test
        Service-Type = Framed-User
        Framed-Protocol = PPP
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module preprocess returns ok for request 2
modcall[authorize]: module chap returns noop for request 2
modcall[authorize]: module mschap returns noop for request 2
users: Matched entry DEFAULT at line 19
modcall[authorize]: module files returns ok for request 2
radius_xlat:  'tester'
rlm_sql (sql): sql_set_user escaped user -- 'tester'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'tester' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'tester' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module sql returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
auth: type Crypt
Sending Access-Accept of id 149 to 204.244.99.67 port 1645
        Framed-Protocol = PPP
        Framed-Routing = None
        Framed-IP-Netmask = 255.255.255.255
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-MTU = 1500
Finished request 2
Going to the next request

Still get password rejected on client side though.
Re: PAP questions.
On Tue, 22 Aug 2006, Alan DeKok wrote:

|-Keith Woodworth [EMAIL PROTECTED] wrote:
|- One of the things I did try was add PAP to the authorize section, but
|- radius failed to start when I did that.
|-
|-  And the error message was...?

Had to put this project aside for the last 2 weeks...Hate when I have to do that. Also this post has lots of debug output.

Anyway here is the error:

radiusd.conf: PAP modules aren't allowed in 'authorize' sections -- they have no such method.
radiusd.conf[1569] Failed to parse authorize section.

Here is where I put pap, with all the comments stripped:

authorize {
        preprocess
#       auth_log
#       attr_filter
### KEITH
        pap
        chap
        mschap
#       digest
#       IPASS
#       ntdomain
#eap
        files
        sql
#       etc_smbpasswd
#       ldap
#       daily
#       checkval
}

|- Deployingradius.com did say there were very few circumstances to set
|- Auth-Type, but not which ones. Guess I found one?
|-
|-  Possibly.  Much of this is fixed in CVS head, which is currently
|-planned to be 2.0 before Christmas.  The PAP module does more there,
|-and there are MANY fewer cases where you have to set Auth-Type.

At the rate I'm going, it will be Christmas before I'm ready to go.

|- How stable is the current server version? Anyone using it in production?
|-
|-  Yes.  A number of people.  There are 3 issues that need addressing
|-before it's ready for an official 2.0, however.

Would it be advisable to upgrade at this point or wait till it's official?

|- Sounds like I might have to be using the CVS version to do what I want
|- properly of only having the user in one table and do PAP authentication
|- with the crypt password stored in sql.
|-
|-  1.1.2 can do it, it just takes a little more configuration.
|-Basically, for every user who has a Crypt-Password attribute, you have
|-to set Auth-Type = Local.  Not :=, but =.

After having to put this aside for a few weeks I have finally done some testing.

One. If the user has a crypt password in radcheck:

  4 | tester | Crypt-Password | := | f3RCpSYQzT292

is listed in Usergroup:

 14 | tester | default

And default is in radgroupcheck:

+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | default   | Auth-Type | =  | Local |
+----+-----------+-----------+----+-------+

This is the debug output:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=92, length=76
        NAS-Port-Type = Async
        User-Name = tester
        User-Password = test
        Service-Type = Framed-User
        Framed-Protocol = PPP
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
modcall[authorize]: module files returns notfound for request 0
radius_xlat:  'tester'
rlm_sql (sql): sql_set_user escaped user -- 'tester'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'tester' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'tester' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.

Ok, so next change radgroupcheck so Auth-Type is PAP:

+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | default   | Auth-Type | := | PAP   |
+----+-----------+-----------+----+-------+

and do another dialup try:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=93, length=76
        NAS-Port-Type = Async
        User-Name = tester
        User-Password = test
        Service-Type = Framed-User
        Framed-Protocol = PPP
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
modcall[authorize]: module files
Re: PAP questions.
On Tue, 22 Aug 2006, Phil Mayers wrote:

|-Keith Woodworth wrote:
|-
|- Been trying to do PAP authentication with the crypt'd password stored in
|- mysql. We, unfortunately have to do PAP.
|-
|- This has been done for the most part and works, but I had to go against
|- what deployingradius.com said w/regards to using Auth-Type as I have not
|- found an alternative that seems to work right.
|-
|-In current versions of the server, the pap module does not run in
|-authorize, and does not set Auth-Type correctly to itself, so this is
|-one of the FEW circumstances in which setting Auth-Type is correct in I
|-think. Later versions of the server (i.e. CVS) perform correctly in
|-this regard, which is much more consistent.
|-
|-Many people leave the Auth-Type at the default of Local, which
|-confusingly does similar but not identical things to the pap module,
|-and hence don't see this problem with their PAP requests.

One of the things I did try was add PAP to the authorize section, but radius failed to start when I did that.

Deployingradius.com did say there were very few circumstances to set Auth-Type, but not which ones. Guess I found one?

|- I'm using stock radiusd.conf that comes with 1.1.2, except proxy is set to
|- no.
|-
|-You can't possibly be, since sql is commented out in that! Even slight
|-differences can be important.

Bah, you are right. I forgot, I did set the SQL module.

|- To make this work I added a user to radcheck with a crypt'd password:
|-
|- +----+----------+----------------+----+---------------+
|- | id | UserName | Attribute      | op | Value         |
|- +----+----------+----------------+----+---------------+
|- |  1 | bob      | Password       | == | test          |
|- |  4 | tester   | Crypt-Password | == | gmxwp4dfOcHAI |
|- +----+----------+----------------+----+---------------+
|-
|-Your op should be :=

Ok thanks.

|- The one main issue is that the user has to be both in the usergroup table
|- and the radcheck table for this to work. Is there a way to just have the
|- username in just radcheck for example? What is needed to setup a default
|- profile for all users to authenticate via PAP w/o having to set
|- auth-type=pap? Is that possible?
|-
|-Not if you're using the pap module on the current server version.

How stable is the current server version? Anyone using it in production?

Sounds like I might have to be using the CVS version to do what I want properly of only having the user in one table and do PAP authentication with the crypt password stored in sql.

Thanks,
Keith
Scripts.
Just a note to anyone moving from ICRadius to FreeRadius: the radacct table, while having 4 extra fields in the structure in FR compared to IC, I've been able to use the perl scripts I wrote to massage and pull data out of them with no modification to the scripts. Kind of nice to say the least.

Also in my last message re: Auth-Type and setting it to PAP in radgroupcheck to read Crypt-Password from radcheck, was that the right way to do that?

Thanks,
Keith
PAP/mysql/crypt stuff
After working on this off and on for the last few days I believe I have gotten authentication working using a Crypt'd password stored in mysql but want to run this by to make sure I did it right.

I setup a user in radcheck:

  tester | Crypt-Password | == | gmxwp4dfOcHAI

In radgroupreply:

  admin | Service-Type | := | Administrative-User

In radgroupcheck:

  admin | Auth-Type | := | PAP

Then when I telnet to the NAS, I can login using tester with the right password and get a NAS prompt.

I have to move one of our T1's to this test NAS to test PPP, but it seems, for now, to be working using PAP authentication with the encrypted password stored in mysql.

Is this the correct way to do this?

Thanks for any info.
Keith
mySQL auth
We are consolidating servers and moving from a BSD/OS and ICRadius setup, auth'ing via the passwd file, to FreeBSD. I have run into an issue with authenticating and how I should do it.

Our old setup had a web interface designed 7 yrs ago, written in C, whose developer is no longer around (and most of the source has gone too), that we used to enter users into the passwd file to login via dialup. So my options are to a) move the passwd file from another machine over the network and build a new one each time or b) auth via database.

Will FreeRadius auth via mySQL using the unix crypt? I have no way of adding the users into a database with their passwords, or only a long way of capturing each user's password from ICRadius and adding them to the database.

Has anyone else converted from a passwd file to a database of some variety?

Thanks for any info.
Keith
Re: mySQL auth
On Fri, 11 Aug 2006, Alan DeKok wrote:

|-Keith Woodworth [EMAIL PROTECTED] wrote:
|- Will FreeRadius auth via mySQL using the unix crypt?
|-
|-  No... but it will read crypt'd passwords from the DB, and use them
|-for authentication.

That's basically what I want, but didn't know how to express it properly. Just be able to take the username, crypted password and real name, stuff it into a database and read the database when someone dials up.

Any pointers on how to setup radiusd.conf to do this?

|-  I don't know anything about the ICRadius schema.  The FreeRADIUS
|-schema is pretty rigid, so integrating the two might take a bit of
|-work.

Almost the same actually. There are a few things that ICRadius keeps in a database table, such as dictionary, hints, nas info, and there are a few extra table columns in FreeRadius compared to ICRadius, but overall very similar. Even the table names are the same.

I've already got an AS5200 we had sitting around using this FR setup, but have come to the point we need to move all users to a database now, for ease of use mostly and for future portability. We have one NAS left in production and only ~600 users left on dialup. The rest of our user base is DSL now.

Thanks for any pointers.
Keith
LDAP authorization for EAP-TLS authentication
I'm trying to understand the relationship between the modules in the authorize {} and authenticate {} sections and how it relates to the directives defined in users. EAP-TLS works fine, but I can't seem to figure out how to make the ldap authorization reject a user.

DEFAULT Auth-Type := eap, Autz-Type := ldap

authorize {
        preprocess
        ldap
        eap
}

authenticate {
        eap
}

ldap {
        server = our-server.itc.virginia.edu
        identity = uid=uva-all,ou=ITC-User,ou=It,o=University of Virginia,c=US
        password = our-password
        basedn = o=University of Virginia,c=US
        filter = (wirelessAccess=%{Stripped-User-Name:-%{User-Name}})
        base_filter = (objectclass=Person)
        start_tls = no
        access_attr = wirelessAccess
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        access_attr_used_for_allow = yes
}

The ldap server logs show multiple queries, which are not returning anything. This can be confirmed with:

ldapsearch -b o=University of Virginia,c=US wirelessAccess=kmm6b wirelessAccess

which returns nothing. If nothing is returned shouldn't the authorization fail? I'm missing something, hopefully not too obvious...

Keith Moores                         mailto:[EMAIL PROTECTED]
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd     Phone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324  Fax   (434) 982-4715
Setting up RADIUS with EAP
Hello everyone,

I'm having trouble setting up my RADIUS to use EAP. Everything appears normal but the client never gets past "Attempting to Authenticate". If anyone has experience solving this problem I'd appreciate any help provided :-)

Regards,

*** Log File ***

Here is the log file from running /usr/sbin/radius -X -A

rad_recv: Access-Request packet from host 192.168.2.253:2049, id=0, length=127
        User-Name = kosburn
        NAS-IP-Address = 192.168.2.253
        Called-Station-Id = 0013109e63c9
        Calling-Station-Id = 00904b624e10
        NAS-Identifier = 0013109e63c9
        NAS-Port = 60
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000c016b6f736275726e
        Message-Authenticator = 0x3fe229ff76ac5518897afd4bbacaade2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 12
modcall[authorize]: module preprocess returns ok for request 12
rlm_eap: EAP packet type response id 1 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 12
rlm_realm: No '/' in User-Name = kosburn, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module realmslash returns noop for request 12
rlm_realm: No '@' in User-Name = kosburn, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 12
users: Matched entry kosburn at line 1
modcall[authorize]: module files returns ok for request 12
modcall: group authorize returns updated for request 12
rad_check_password:  Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 12
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 12
modcall: group authenticate returns handled for request 12
Sending Access-Challenge of id 0 to 192.168.2.253:2049
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x
        State = 0xbf80de34653e25d74ea49b2f2debeda9
Finished request 12
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

rad_recv: Access-Request packet from host 192.168.2.253:2049, id=0, length=139
        User-Name = kosburn
        NAS-IP-Address = 192.168.2.253
        Called-Station-Id = 0013109e63c9
        Calling-Station-Id = 00904b624e10
        NAS-Identifier = 0013109e63c9
        NAS-Port = 60
        Framed-MTU = 1400
        State = 0xbf80de34653e25d74ea49b2f2debeda9
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200060319
        Message-Authenticator = 0x65415f904ea823671c9fcdf5859edb5d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
modcall[authorize]: module preprocess returns ok for request 13
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 13
rlm_realm: No '/' in User-Name = kosburn, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module realmslash returns noop for request 13
rlm_realm: No '@' in User-Name = kosburn, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 13
users: Matched entry kosburn at line 1
modcall[authorize]: module files returns ok for request 13
modcall: group authorize returns updated for request 13
rad_check_password:  Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 13
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 13
modcall: group authenticate returns handled for request 13
Sending Access-Challenge of id 0 to 192.168.2.253:2049
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0x0280af636895c756212430579c4c13bd
Finished request 13
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

rad_recv: Access-Request packet from host 192.168.2.253:2049, id=0, length=213
        User-Name = kosburn
        NAS-IP-Address = 192.168.2.253
        Called-Station-Id = 0013109e63c9
        Calling-Station-Id = 00904b624e10
        NAS-Identifier = 0013109e63c9
        NAS-Port = 60
        Framed-MTU = 1400
        State = 0x0280af636895c756212430579c4c13bd
        NAS-Port-Type = Wireless-802.11
First time conf issues
I've been using ICRadius for awhile and it's run smoothly, but needed to upgrade to freeradius to do some WPA radius. It installed fine on a FreeBSD 4.11 system, reading the information in the MySQL Database. However I can't get it working and would like some help.

If I start the server, when I run radtest it only seems to send the User-Name. It will say "Sending Access-Request, User-Name = kpitcher" and will then get a rad_recv error. I also seem to authenticate half way, and then it just doesn't go through.

Any suggestions would be greatly appreciated.

Keith

rlm_sql (sql): sql_set_user escaped user -- 'kpitcher'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'kpitcher' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'kpitcher' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'kpitcher' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'kpitcher' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module sql returns ok for request 1
modcall: group authorize returns updated for request 1
There was no response configured: rejecting request 1
Server rejecting request 1.

reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: bind_address = 127.0.0.1 IP address [127.0.0.1]
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = yes
 main: lower_pass = after
 main: nospace_user = yes
 main: nospace_pass = after
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = no
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined.  Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module
NOOB: Coupla issues
Greetings,

I have 2 questions:

First: I would like to implement a general rule (i.e. script) which implements the following pseudocode:

if $user-group{$foo} {
    return $vendor_specific_id_attr{$foo}
}

rather than creating a multitude of entries in the conf file (1 for each group) to do the same thing. Is this possible? In other words I want the radius server to always return the group name of the user as the vendor-specific attribute.

Problem: I can't start the server - it appears to be looking for ldap.attrmap - a file which was not included in the distribution and for which I can find no information on how to create.

Sun Dec 19 19:28:41 2004 : Error: rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
Sun Dec 19 19:28:41 2004 : Error: rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap failed
Sun Dec 19 19:28:41 2004 : Error: radiusd.conf[724]: ldap: Module instantiation failed.

Migrating from microsoft IAS/AD - nuking IAS first, so want to use AD as the LDAP server for now. Anyone got a sample file appropriate for AD? This is on Mandrake 10.1 Community.

FWIW radiusd was fine until I monkeyed with ldap.

Thanks
-Keith
Re: Freeradius and MySQL
Stefan wrote:
> All,
> I've successfully set up my freeradius to lookup the users in MySql. I've two questions:
> 1. Is it possible to configure the RADIUS Clients in MySql too? There is a nas table in the db schema now but I don't know how it works.
> 2. would it be possible to write specific RADIUS Attributes into the accounting db? In some cases, I will get VSAs, which I have to keep for some days. In the text file accounting, I can find them.

You can modify the standard accounting table and queries (in the sql.conf file) to include any attribute your nas returns in the accounting requests.

Hope that helps,
Keith Yoder
Re: MYSQL Accounting Table Size?
cris boisvert wrote:
> My Mysql database is about 50 megs right now.. because of the accounting table. How large does most people let it get before rolling it?

My radacct table is over 500 MB / 1.3 million records right now. For now I'm just letting it grow. Make sure you have plenty of RAM though. If not, the database will become slow to query / insert and radius will stop dropping packets.

Keith Yoder
Re: MYSQL Accounting Table Size?
cris boisvert wrote:
> I got 4 gigs of ram.. I hope its enough..

I've only got 1 so you should be fine.
Re: Expiration module
Van Deuren Joris wrote:
> Hi,
> Who can tell me in a few lines what the function of the expiration module is? How does it work?

I'm not sure if there is a module or not but I use the Expiration attribute to automatically expire logins at a certain time (or date). For example, you can use

Expiration := "23 Sep 2004"

and the user will no longer be able to connect at 00:00 (midnight) on September 23rd, 2004. If you want a certain time (other than midnight) you can do this:

Expiration := "23 Sep 2004 12:00"

Someone might want to correct my syntax here?? The nas will receive a Session-Timeout attribute calculated to kick the user off when the Expiration time occurs.

Hope that helps,
Keith Yoder
Re: Not authenticating only bad guys
Mike Markowski wrote:
> For a very open wireless network, we'd like to allow everyone to connect unless we know the MAC is a bad guy. That is, if the MAC address is *in* the postgres db, don't authenticate. If it's not in the db, authenticate. Can anyone think of a way to do this, or will I need to tweak the code?

It depends on how your AP sends the MAC address to the radius server. In our case it's in the Calling-Station-Id attribute. In the users file you can do this:

DEFAULT Calling-Station-Id == 00:00:00:00:00:00, Auth-Type := Reject

DEFAULT Auth-Type := Accept

You can also do this with SQL tables but you have to modify the default queries.

Hope that helps.
Keith
Re: please assist in time limit
Edgars wrote:
> ok, will it work also in such a case - at 16.59 user is still logged in and browsing the internet with full power. Will this you described stop his nicely browsing at 17? this is the second type of time counter i want to make :)

There is a much easier solution: the Login-Time attribute. You can set a record in your db like this:

Login-Time := "Al0900-1700"

and your user will be authenticated from 9:00 - 17:00, and as long as your nas supports the Session-Timeout attribute (almost all should) he will be disconnected at 17:00.

Hope that helps,
Keith Yoder
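The two replies above (Expiration and Login-Time) both rely on the same idea: the server checks the time-based item when the user logs in, rejects if it is outside the window, and otherwise hands the NAS a Session-Timeout that expires when the window closes. The following added example, which is not the server's own code, re-implements that logic in Python for both attributes. The Login-Time parser is a simplified one (day codes Mo..Su, Wk, Al/Any, plus HHMM-HHMM ranges, comma-separated) and 'now' is passed in explicitly so the 16:59 scenario from the question can be exercised with fixed dates.

```python
"""Added example, not FreeRADIUS code: turn Expiration / Login-Time check
items into an accept/reject decision plus a Session-Timeout value."""
from datetime import datetime

# Day codes accepted by the simplified Login-Time parser below.
DAY_CODES = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
DAY_GROUPS = {"Al": set(range(7)), "Any": set(range(7)), "Wk": set(range(5))}


def as_of(text):
    """Helper for fixed test clocks: 'YYYY-MM-DD HH:MM:SS' -> datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_expiration(value):
    """Accept 'DD Mon YYYY' or 'DD Mon YYYY HH:MM'; a missing time means 00:00."""
    for fmt in ("%d %b %Y %H:%M", "%d %b %Y"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError("unparseable Expiration value: %r" % value)


def expiration_check(value, now):
    """Return (allowed, seconds_until_expiry); an expired account is rejected."""
    expires = parse_expiration(value)
    if now >= expires:
        return False, 0
    return True, int((expires - now).total_seconds())


def parse_login_time(spec):
    """Yield (weekdays, start_minute, end_minute) per comma-separated clause."""
    for clause in spec.split(","):
        clause = clause.strip()
        i = 0
        while i < len(clause) and clause[i].isalpha():
            i += 1
        days_part, times_part = clause[:i], clause[i:]
        if days_part in DAY_GROUPS:
            days = DAY_GROUPS[days_part]
        else:  # concatenated day codes such as "MoTuWe"
            days = {DAY_CODES[days_part[j:j + 2]] for j in range(0, len(days_part), 2)}
        start, end = times_part.split("-")
        yield days, int(start[:2]) * 60 + int(start[2:]), int(end[:2]) * 60 + int(end[2:])


def login_time_check(spec, now):
    """Return (allowed, seconds_until_window_closes) for the matching clause."""
    minute_of_day = now.hour * 60 + now.minute
    for days, start, end in parse_login_time(spec):
        if now.weekday() in days and start <= minute_of_day < end:
            return True, (end - minute_of_day) * 60 - now.second
    return False, 0


def evaluate(check_items, now):
    """Apply Expiration / Login-Time check items; the smallest timeout wins.

    Returns (allowed, session_timeout); session_timeout is None when no
    time-based item applies, i.e. there is nothing to send to the NAS."""
    timeout = None
    for attr, value in check_items:
        if attr == "Expiration":
            ok, t = expiration_check(value, now)
        elif attr == "Login-Time":
            ok, t = login_time_check(value, now)
        else:
            continue  # other check items are handled elsewhere
        if not ok:
            return False, 0
        timeout = t if timeout is None else min(timeout, t)
    return True, timeout


if __name__ == "__main__":
    # Constructed scenario from the question: logged in at 16:59 under Al0900-1700.
    print(evaluate([("Login-Time", "Al0900-1700"), ("Expiration", "23 Sep 2004")],
                   as_of("2004-09-22 16:59:00")))
```

The cut-off only happens if the NAS honours Session-Timeout, which is the caveat the reply itself makes; the server cannot terminate a session on its own, so a NAS that ignores the attribute will leave the 16:59 user connected past 17:00.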
Re: Rejecting CallingStationId
[EMAIL PROTECTED] wrote:
> I could ban or reject a specific CallingStationID?, the only examples I seen is on a specific user or group of users, on file /etc/users ... and I think it worked just fine, the question now is, I could have this Called, and Calling stations id in a sql table, so my script for blocking/banning Called or Calling would be in a sql table and not restart radius each time I add a new rule on users file

I changed the default SQL queries to do this. I'll try to explain how (using MySQL).

First I created a table to store the bad CallingStationIDs.

CREATE TABLE `bad_callingstationids` (
  `CALLINGSTATIONID` varchar(18) NOT NULL default '',
  `OBSERVATION` varchar(100) NOT NULL default '',
  PRIMARY KEY (`CALLINGSTATIONID`)
)

Then I changed the authorize_check_query in the sql.conf file to this:

SELECT id,UserName,Attribute,Value,op
  FROM ${authcheck_table}
  LEFT JOIN bad_callingstationids ON '%{Calling-Station-Id}' = bad_callingstationids.CALLINGSTATIONID
  WHERE Username = '%{SQL-User-Name}'
    AND bad_callingstationids.CALLINGSTATIONID IS NULL
  ORDER BY id

Hope that's understandable,
Keith Yoder
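The anti-join in the reply above works by making the LEFT JOIN succeed for a blocked station, so the IS NULL filter throws away every check row for that user and there is no password item left to authenticate against. The added example below, which is not code from the reply, runs that same query against an in-memory SQLite database instead of MySQL so the effect can be observed. The blocklist schema is the one from the post; the radcheck column sizes, the two sample users and the blocked MAC are constructed, and the ${authcheck_table} and %{...} expansions the server would perform are replaced by bound parameters.

```python
"""Added example: the Calling-Station-Id blocklist anti-join from the reply,
exercised against SQLite. Sample rows and hash values are constructed."""
import sqlite3

# Constructed sample rows. Hash values are placeholders, not real crypt output.
RADCHECK_ROWS = [
    (1, "alice", "Crypt-Password", "PLACEHOLDER-CRYPT-HASH", ":="),
    (2, "bob", "Crypt-Password", "PLACEHOLDER-CRYPT-HASH", ":="),
]
BAD_CALLING_STATION_IDS = [("00-11-22-33-44-55", "constructed: blocked example MAC")]

# The authorize_check_query from the post, with ${authcheck_table} expanded to
# radcheck and the two %{...} expansions replaced by bound parameters (first
# the Calling-Station-Id in the ON clause, then the user name in WHERE).
AUTHORIZE_CHECK_QUERY = """
SELECT id, UserName, Attribute, Value, op
  FROM radcheck
  LEFT JOIN bad_callingstationids
         ON ? = bad_callingstationids.CALLINGSTATIONID
 WHERE UserName = ?
   AND bad_callingstationids.CALLINGSTATIONID IS NULL
 ORDER BY id
"""


def build_db():
    """Create the two tables (blocklist schema as in the post) and load samples."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radcheck (
            id INTEGER PRIMARY KEY,
            UserName varchar(64) NOT NULL default '',
            Attribute varchar(32) NOT NULL default '',
            Value varchar(253) NOT NULL default '',
            op char(2) NOT NULL default '=='
        );
        CREATE TABLE bad_callingstationids (
            CALLINGSTATIONID varchar(18) NOT NULL default '',
            OBSERVATION varchar(100) NOT NULL default '',
            PRIMARY KEY (CALLINGSTATIONID)
        );
    """)
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)", RADCHECK_ROWS)
    conn.executemany("INSERT INTO bad_callingstationids VALUES (?, ?)",
                     BAD_CALLING_STATION_IDS)
    return conn


def check_items(conn, username, calling_station_id):
    """Rows rlm_sql would load as check items for this request.

    A blocked MAC makes the LEFT JOIN match, so the IS NULL filter drops
    every row and the user has no password item to authenticate against."""
    return conn.execute(AUTHORIZE_CHECK_QUERY, (calling_station_id, username)).fetchall()


def would_reject(conn, username, calling_station_id):
    """True when the query yields nothing, i.e. the request cannot authenticate."""
    return not check_items(conn, username, calling_station_id)


if __name__ == "__main__":
    db = build_db()
    for mac in ("AA-BB-CC-DD-EE-FF", "00-11-22-33-44-55"):
        print(mac, "rejected" if would_reject(db, "alice", mac) else "check items loaded")
```

Two things to keep in mind when using this pattern: the rejection is implicit (it depends on no other source, such as the unchanged radgroupcheck query or a users-file DEFAULT, supplying a password or Auth-Type for the user), and the ON clause is a plain string equality, so the stored value must match the exact format the NAS sends (dashes versus colons, upper versus lower case) or the station is not caught.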
Re: raddb/users, having OR conditions
> I'm sorry if this is a basic question here. I just set up freeradius, using it to authenticate to network devices (instead local auth). I got it up almost fine. In my raddb/users file, i have the following:
>
> test    Auth-Type := Local, User-Password == test, Simultaneous-Use := 10, Calling-Station-Id == 10.19.5.1
>         Service-Type = Login,
>         cisco-avpair=shell:priv-lvl=15
>
> I understand that in the first line i can set up conditions, separated by commas which all have to be true to permit login. How can i set up an OR condition? I'm thinking about letting more IP-s in via radius, not only allowing login from ip 10.19.5.1.

You can use regular expressions. The =~ operator indicates this. For example:

test    Auth-Type := Local, User-Password == test, Simultaneous-Use := 10, Calling-Station-Id =~ (10.19.5.1|10.19.5.2)
        Service-Type = Login,
        cisco-avpair=shell:priv-lvl=15

Hope that helps,
Keith Yoder
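The =~ operator in the reply above compares the attribute value against a regular expression, and two properties of regular expressions matter for an allow-list like this: an unescaped dot matches any character, and a pattern without ^ and $ anchors matches anywhere inside the value rather than the whole value. The added example below, which is not from the original reply, shows the difference between the pattern as written and an escaped, anchored version. Python's re.search stands in for the server's regex comparison here; for these patterns the two behave the same (a search anywhere in the value, not a full match). The sample Calling-Station-Id values are constructed.

```python
"""Added example: how the =~ comparison from the users file behaves as a
regular expression, with a loose and a strict form of the same allow-list."""
import re

# The pattern as written in the reply above: dots unescaped, no anchors.
LOOSE_PATTERN = r"(10.19.5.1|10.19.5.2)"
# Same intent with the dots escaped and the match anchored to the whole value.
STRICT_PATTERN = r"^(10\.19\.5\.1|10\.19\.5\.2)$"


def regex_check(pattern, value):
    """Emulate 'Calling-Station-Id =~ pattern': true if it matches anywhere."""
    return re.search(pattern, value) is not None


def classify(calling_station_id):
    """(loose_result, strict_result) for one Calling-Station-Id value."""
    return (regex_check(LOOSE_PATTERN, calling_station_id),
            regex_check(STRICT_PATTERN, calling_station_id))


# Constructed sample values: the two intended hosts plus look-alikes that the
# loose pattern also accepts because '.' matches any character and the match
# is not anchored.
SAMPLES = ["10.19.5.1", "10.19.5.2", "10.19.5.10", "110.19.5.1", "10x19y5z1", "10.19.5.3"]


def table():
    """Return {value: (loose, strict)} for every constructed sample."""
    return {value: classify(value) for value in SAMPLES}


if __name__ == "__main__":
    for value, (loose, strict) in table().items():
        print("%-12s loose=%-5s strict=%s" % (value, loose, strict))
```

With the loose pattern, 10.19.5.10 and 110.19.5.1 are admitted because the intended address appears inside them, and 10x19y5z1 is admitted because each dot accepts any character; the anchored, escaped pattern admits only the two hosts the entry was written for.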
[Newbie] Questions about accounting
1. How do I limit the traffic for a user?
2. How do I shape the traffic for a user once they have gone over their limit?
3. How do I limit the time slots for a user?
4. How do I control the amount of time a user has been on?

Users log in via pptpd (--version - PoPToP v1.1.3)
radiusd (-v - FreeRADIUS Version 0.9.3, for host i686-pc-linux-gnu, built on Jun 16 2004 at 03:00:59)

Logging into freeradius is done via a matched name in /etc/raddb/users.conf (default is accept since I am currently unable to get pppd to pass a password pair to freeradius)

Thanks
Keith
Re: Time-session limits and Time-of-day restrictions.
I was reading on the mailing list about a new (at least for me) attribute 'login-time'. Is this a standard? It is not shown in RFC2865 as a standard radius attribute. Is it supported by a new RFC? Moreover, I am implementing a web-based admin tool for freeradius, a specific solution for an Ecuadorian ISP, and I need support for:
1. Time-session limits.
2. Time-of-day login restrictions depending on the customer.
What solutions can you recommend?

Login-Time is an attribute that the server uses to decide if the user gets rejected or not. It will work with any NAS.

By time-session limits, do you mean that a user will be disconnected after x time? If so, you can use the Session-Timeout attribute. In this case the NAS has to support it, but I would imagine that almost all do.

Hope that helps,
Keith Yoder
Re: Is it possible to use the MAC as the key
I was wondering if it is possible to tell Freeradius to use the MAC addr. as a validating key? I would like to store all my clients' MAC addr. in a db and use it as a backend for Freeradius; then when a client starts, the AP sends the client's MAC addr. to Freeradius and the MAC addr. is used as a token for validating.

Yes, this is possible. You just need to find out where (what attribute) the AP puts the MAC in the request. It might be in Calling-Station-Id. Then you can treat it just like a password.

Keith Yoder
Logs say I am authentication is OK but XP tells me it's not?
My guess is the pass to the accounting software fails. Any ideas?

    modcall: entering group Auth-Type for request 7
    rlm_mschap: doing MS-CHAPv2 with NT-Password
    rlm_mschap: adding MS-CHAPv2 MPPE keys
    modcall[authenticate]: module mschap returns ok for request 7
    modcall: group Auth-Type returns ok for request 7
    Sending Access-Accept of id 168 to 127.0.0.1:32771
            MS-CHAP2-Success = 0xb1533d3741323445414238324631344534363231443933383031443937363042383631323937324536
            MS-MPPE-Recv-Key = 0xe7005a9b1186781b542a359447036115
            MS-MPPE-Send-Key = 0x8c6fb74b3aa4539ed38ced254af2e7e0
            MS-MPPE-Encryption-Policy = 0x0001
            MS-MPPE-Encryption-Types = 0x0006

Keith
Re: Logs say I am authentication is OK but XP tells me it's not?
Please disregard this message. I have checked /var/log/messages and found CHAP gave a Reject message.

- Original Message -
From: keith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 16, 2004 5:11 PM
Subject: Logs say I am authentication is OK but XP tells me it's not?

My guess is the pass to the accounting software fails. Any ideas?

    modcall: entering group Auth-Type for request 7
    rlm_mschap: doing MS-CHAPv2 with NT-Password
    rlm_mschap: adding MS-CHAPv2 MPPE keys
    modcall[authenticate]: module mschap returns ok for request 7
    modcall: group Auth-Type returns ok for request 7
    Sending Access-Accept of id 168 to 127.0.0.1:32771
            MS-CHAP2-Success = 0xb1533d3741323445414238324631344534363231443933383031443937363042383631323937324536
            MS-MPPE-Recv-Key = 0xe7005a9b1186781b542a359447036115
            MS-MPPE-Send-Key = 0x8c6fb74b3aa4539ed38ced254af2e7e0
            MS-MPPE-Encryption-Policy = 0x0001
            MS-MPPE-Encryption-Types = 0x0006

Keith
rlm_mschap: No MS-CHAP-Challenge in the request
freeradius 0.9.3.

    rad_check_password: Found Auth-Type MS-CHAP
    auth: type MS-CHAP
    modcall: entering group Auth-Type for request 0
    rlm_mschap: No MS-CHAP-Challenge in the request
    modcall[authenticate]: module mschap returns reject for request 0

Any pointers appreciated.
Keith
Re: rlm_mschap: No MS-CHAP-Challenge in the request
Hi Alan

You set Auth-Type = MS-CHAP. Don't.

OK.

Any pointers appreciated.

Read the *rest* of the debug log, including the part where it prints out the attributes in the Access-Request, and none of them are MS-CHAP.

What Auth Type would I use for the following?

    rad_recv: Access-Request packet from host 127.0.0.1:32771, id=210, length=54
            Service-Type = Framed-User
            Framed-Protocol = PPP
            User-Name = keith_xp
            NAS-IP-Address = 192.168.1.150
            NAS-Port = 0

Or do I change the users file? (Which I am about to try.)

Keith Hutchison
Re: rlm_mschap: No MS-CHAP-Challenge in the request
Read the *rest* of the debug log, including the part where it prints out the attributes in the Access-Request, and none of them are MS-CHAP.

What Auth Type would I use for the following?

    rad_recv: Access-Request packet from host 127.0.0.1:32771, id=210, length=54
            Service-Type = Framed-User
            Framed-Protocol = PPP
            User-Name = keith_xp
            NAS-IP-Address = 192.168.1.150
            NAS-Port = 0

Using -chap -mschap -mschap-v2 in the pptpd options file and changing the Auth-Type to Accept, FreeRadius accepts the request and accounting begins. So pptpd, pppd and freeradius work as long as I do not try to authenticate.

Using +chap -mschap -mschap-v2 in the pptpd options file causes a failure with CHAP, and changing the Auth-Type to Local causes a failure with CHAP. radtest works. CHAP does not.

My current guess/test is the radius plugin is failing to get/set the password. Any pointers appreciated.

My current assumptions:
1. The kernel for Suse 8.1 will work without modification (I assumed this for SuSe 9.0 and it is correct for 9.0). I do not currently know how to test for this and I really want to avoid compiling a new kernel (the target machine is 1000km away). I am prepared to drop encryption as all I want from the system is the accounting functions.
2. The source for radiusclient 0.3.2 from Suse will work with Suse pppd 2.4.2. This is the current assumption that I will test by removing the radiusclient and installing Suse binaries from Suse 8.1.
3. CHAP uses the password from /etc/shadow.

Pruned log follows for pppd.

    Jun 16 17:55:13 kbri-comms pppd[17207]: Plugin radius.so loaded.
    Jun 16 17:55:13 kbri-comms pppd[17207]: RADIUS plugin initialized.
    Jun 16 17:55:13 kbri-comms pppd[17207]: pppd 2.4.2 started by root, uid 0
    Jun 16 17:55:13 kbri-comms pppd[17207]: using channel 100
    Jun 16 17:55:13 kbri-comms pppd[17207]: Using interface ppp0

[cut] note: following line may be relevant

    Jun 16 17:55:13 kbri-comms pptpd[17206]: GRE: Bad checksum from pppd.

[cut] note: following line may be relevant; why is the name reference kbri-comms (the name of the machine)?

    Jun 16 17:55:16 kbri-comms pppd[17207]: sent [CHAP Challenge id=0x43 a02158198d975ca8eabe710acfe16d46, name = kbri-comms]

[cut] note: here the name for CHAP is as the user request

    Jun 16 17:55:16 kbri-comms pppd[17207]: rcvd [CHAP Response id=0x43 4a4198eeb36edfebfeef64f0dbebf0bf579c54ba7392c283fa566306189e229a735573d1fd1bb0dd00, name = keith_xp]

[cut] note: rc_avpair_new: unknown attribute 11 ??

    Jun 16 17:55:16 kbri-comms pppd[17207]: rc_avpair_new: unknown attribute 11
    Jun 16 17:55:16 kbri-comms pppd[17207]: rc_avpair_new: unknown attribute 25
    Jun 16 17:55:16 kbri-comms pppd[17207]:
    Jun 16 17:55:16 kbri-comms pppd[17207]: Peer keith_xp failed CHAP authentication
Re: rlm_mschap: No MS-CHAP-Challenge in the request
Hi Alan,

What Auth Type would I use for the following?

Generally, you *don't* set Auth-Type. The server will figure it out.

OK.

    rad_recv: Access-Request packet from host 127.0.0.1:32771, id=210, length=54
            Service-Type = Framed-User
            Framed-Protocol = PPP
            User-Name = keith_xp
            NAS-IP-Address = 192.168.1.150
            NAS-Port = 0

There's no password, so there's no way to authenticate the request.

I found I can get a password by setting +chap in the pptpd options file.

In this case, Auth-Type = Reject is the only thing to do.

Agreed.

Or do I change the users file? (Which I am about to try.)

Don't make changes unless you know what you're changing, and why.

You've hit the problem on the head, my lack of knowledge in relation to freeradius ... :-)

The interesting part for me is I have had some success with two machines (mschap-v2 logins and accounting - no encryption of data as yet), and the third, the one I have to produce the results on, is somehow different and beyond my current state of knowledge.

Now about to try dropping the Auth-Type from the users file.

Keith Hutchison
Re: rlm_mschap: No MS-CHAP-Challenge in the request
Hi Alan,

No. You're trying to get pppd to send radius requests which contain certain attributes. There is NOTHING you can do to FreeRADIUS which will make pppd send those attributes. Therefore, this list is NOT the right place to ask how to configure pppd.

Understood, thanks.

Keith
Re: post-auth
Andrea Gabellini wrote:

Hi, I'm using the post-auth section to log users' attempts. Is it possible, in case of REJECT, to log the full description of the rejection instead of the useless 'Access-Reject' string?

I added a message field to the table and use the following query:

    INSERT into ${postauth_table} (id, user, pass, reply, message, date, callingstationid)
      values ('', '%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}',
              REPLACE(REPLACE('%{reply:Reply-Message}', '\r', ''), '\n', ''),
              NOW(), '%{Calling-Station-Id}')

Hope that helps,
Keith Yoder
Re: User ID Password
vpopmail is used to add UID/PW and the data is stored in the vpopmail DB in MySQL. Now freeRADIUS also uses UID/PW to authenticate and has its own data structure. I would like to know if there is a way so that user data is stored in one table in MySQL so vpopmail and freeRADIUS can access the same information?

With vpopmail you can't change the db schema or queries, but you CAN with Freeradius. I would suggest altering the Freeradius queries in sql.conf to pull data from the vpopmail table.

Hope that helps,
Keith Yoder
Re: Calculating Remaining Time for Session-Timeout
Rick,

You'll want to use the rlm_sqlcounter module. You can set Max-All-Session = 36000 to limit a user to 10 hours of total access, for example. FreeRadius will calculate how much time was used and set the Session-Timeout attribute automatically.

Hope that helps,
Keith Yoder

Rick Smith wrote:

OK, I have several Mikrotik based hotspots out there. They auth users via RADIUS. I'm now running FreeRadius 1.0.0. I right now can auth users on them via FreeRadius - works great - and I'm using MySQL which is even better. Only problem is, right now they all get non-expiring sessions when they paid for half-hour increments :) Mikrotik expects Session-Timeout back as a clue on when to kick the user to pay for more time. How do I tell FreeRadius that User x bought 15 minutes on a hotspot, and tell Mikrotik to kick him when his time's up? I understand about putting the Session-Timeout value in the radcheck table - that works. Just need to figure out how to update that Session-Timeout value every time the user logs in and out.

Thanks,
Rick
Re: Calculating Remaining Time for Session-Timeout
Rick Smith wrote:

I know the rlm_sqlcounter module is there. I just need to find an example on how to set up FreeRadius to use it.

/doc/rlm_sqlcounter tells you everything you need to know.

Keith Yoder
Re: Ldap-Group, Login-Time not working?
    DEFAULT Ldap-Group == sundayonly, Login-Time = 2000-0500, Auth-Type := LDAP
            Fall-Through = Yes

I believe you want a Login-Time attribute like this: Al2000-0500 for all days of the week between 20:00 and 5:00.

Hope that helps,
Keith Yoder
Re: Ldap-Group, Login-Time not working?
Gavin White wrote:

    DEFAULT Ldap-Group == sundayonly, Login-Time = 2000-0500, Auth-Type := LDAP
            Fall-Through = Yes

Okay, looking at this more closely I think you need to use the := operator because this is a check item. Try

    Login-Time := Al2000-0500

Keith Yoder
Re: Login-Time attribute
Alan DeKok wrote:

Keith Yoder [EMAIL PROTECTED] wrote:

It seems as if Freeradius only recognizes the first Wk setting. The user can login from 7:30 - 8:30 but not from 15:30 - 18:30. Is this expected behaviour (only one time setting per day)? If not, how can I set up this limit?

It should work. If it doesn't, I would suggest going through the code with a debugger, to see what's going on.

Alan DeKok.

Okay, I went digging through the code and found the solution. There are two operators, , and |, that can separate Day definitions. If I use a comma, Freeradius ignores the second day definition. Using a | everything works as expected. As a reminder:

    Wk0730-0830,Wk1530-1830 -- only authenticates between 0730 and 0830 any day of the week.
    Wk0730-0830|Wk1530-1830 -- authenticates between 0730 and 0830 and from 1530-1830, which is what I wanted :)

Maybe the /doc/README file should be updated to describe this behavior?

Keith Yoder
Login-Time attribute
Hello all,

I have a user that is allowed access from 7:30 - 8:30 and from 15:30 - 18:30 on weekdays. I have configured the Login-Time attribute like this:

    Wk0730-0830,Wk1530-1830

It seems as if Freeradius only recognizes the first Wk setting. The user can login from 7:30 - 8:30 but not from 15:30 - 18:30. Is this expected behaviour (only one time setting per day)? If not, how can I set up this limit?

Thanks,
Keith Yoder
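An added example (my code, not FreeRADIUS's own Login-Time implementation) that evaluates the Login-Time values used in this thread and in the Ldap-Group thread above (Wk0730-0830|Wk1530-1830, Al2000-0500), and computes the seconds left in the current window, which is the Session-Timeout Keith describes the server deriving from Login-Time in the Time-session limits thread. My reading of the syntax is an assumption: day tokens Su..Sa, Wk for Monday to Friday and Al/Any for every day, followed by one HHMM-HHMM range, blocks separated by '|', and an end time earlier than its start wrapping past midnight. Only the '|' form is accepted, since the comma form is the one the thread found not to work; the parser rejects it rather than silently dropping the second window. Timestamps are constructed sample values.

```python
import re
from datetime import datetime

# Day tokens (assumed syntax), expressed in datetime.weekday() numbering:
# Monday is 0 and Sunday is 6.
DAY_TOKENS = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Al": set(range(7)), "Any": set(range(7)),
}
_DAY_RE = re.compile(r"Su|Mo|Tu|We|Th|Fr|Sa|Wk|Al|Any")
_BLOCK_RE = re.compile(r"^((?:Su|Mo|Tu|We|Th|Fr|Sa|Wk|Al|Any)*)(\d{4})-(\d{4})$")
MINUTES_PER_DAY = 24 * 60


def _hhmm(text):
    hours, minutes = int(text[:2]), int(text[2:])
    if hours > 24 or minutes > 59:
        raise ValueError("bad HHMM value %r" % text)
    return hours * 60 + minutes


def _as_dt(when):
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def parse_login_time(spec):
    """Parse 'Wk0730-0830|Wk1530-1830' into [(days, start_min, end_min), ...].

    A block with no day tokens applies to every day.  A ',' between day
    definitions does not match the block grammar and raises ValueError.
    """
    windows = []
    for block in spec.split("|"):
        match = _BLOCK_RE.match(block.strip())
        if not match:
            raise ValueError("cannot parse Login-Time block %r (use '|' between blocks)" % block)
        day_part, start, end = match.groups()
        days = set()
        for token in _DAY_RE.findall(day_part):
            days |= DAY_TOKENS[token]
        windows.append((days or set(range(7)), _hhmm(start), _hhmm(end)))
    return windows


def seconds_remaining(windows, when):
    """0 if `when` is outside every window, otherwise the seconds until the
    window it falls in closes (the value that would go into Session-Timeout).
    An end earlier than its start (e.g. Al2000-0500) wraps past midnight."""
    now = _as_dt(when)
    weekday = now.weekday()
    minute = now.hour * 60 + now.minute
    best = 0
    for days, start, end in windows:
        if start < end:                              # same-day window
            if weekday in days and start <= minute < end:
                best = max(best, (end - minute) * 60 - now.second)
        else:                                        # wraps past midnight
            if weekday in days and minute >= start:  # evening part, listed day
                best = max(best, (MINUTES_PER_DAY - minute + end) * 60 - now.second)
            if (weekday - 1) % 7 in days and minute < end:   # early hours, next day
                best = max(best, (end - minute) * 60 - now.second)
    return best


def login_allowed(spec, when):
    """True when `when` falls inside one of the spec's windows."""
    return seconds_remaining(parse_login_time(spec), when) > 0


if __name__ == "__main__":
    spec = "Wk0730-0830|Wk1530-1830"
    # 2024-06-12 is a Wednesday (constructed sample timestamps)
    for when in ("2024-06-12 08:00:00", "2024-06-12 12:00:00", "2024-06-12 16:00:00"):
        print(when, login_allowed(spec, when), seconds_remaining(parse_login_time(spec), when))
```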
Re: accept Simultaneous-use from specific router
Dear all:

I had free radius server 0.9.3 running and everything is going well, and the Simultaneous-Use is working fine. I defined the Simultaneous-Use to be 1, but I want to be allowed to skip the simultaneous-use check when the radius request comes from a specific router. Can I do that? Is it doable or not? If yes, how can I do it? Really, if I can do it, it will help me very much. Thanks for the help.

Yes, that is possible. How you do it depends on what you're using to store check and reply attributes. If you're using the users file it could be done like this:

    DEFAULT Nas-Ip-Address != aaa.bbb.ccc.ddd, Simultaneous-Use := 1
            Fall-Through = 1

Hope that helps,
Keith Yoder
Re: How to specify more than one SQL query in SQL.CONF
[EMAIL PROTECTED] wrote:

Hi All, I can see accounting_update_query in sql.conf, which updates the RADACCT table for each ACCOUNTING_UPDATE packet from the NAS. My question is, can I specify more than one query here? I want to decrement SESSION_TIMEOUT in REPLY by a minute each time I receive an Accounting update packet. So is it possible to write:

    accounting_update_query = (UPDATE ${acct_table1}
        SET FramedIPAddress = '%{Framed-IP-Address}',
            AcctSessionTime = '%{Acct-Session-Time}',
            AcctInputOctets = '%{Acct-Input-Octets}',
            AcctOutputOctets = '%{Acct-Output-Octets}'
        WHERE AcctSessionId = '%{Acct-Session-Id}'
          AND UserName = '%{SQL-User-Name}'
          AND NASIPAddress= '%{NAS-IP-Address}';
      Update RADREPLY set SESSION_TIMEOUT= SESSION_TIMEOUT-60 )

I've tried to write multiple MySQL queries in one Freeradius statement and it didn't work for me. In your case it seems you want to limit users' time online (prepaid or something like that). If that is the case it would be much easier for you to use the sqlcounter module to do this for you.

Hope that helps,
Keith Yoder
Re: rlm_sqlcounter is not working
[EMAIL PROTECTED] wrote:

    sqlcounter monthlycounter {
        counter-name = Monthly-Session-Time
        check-name = Max-Monthly-Session
        sqlmod-inst = sqlcca3

Change that last line to:

    sqlmod-inst = sql

There was a problem in the example file. I think it's been fixed in the CVS head. I once did the same thing :)
Re: MySql and freeRadius
John Que wrote:

As I understand, I must install the sources of MySql if I want to use rlm_sql in freeRadius (and not install the rpm for the mySql server and client).

Actually, you can install the -devel rpms and that will allow you to compile the rlm_sql_mysql module. This will make sure all the libraries and header files get to the right places.
Re: Duplicate login
Bernie Liwanag wrote:

Thanks for the reply. I found that there are certain users that have a -00-00 00:00:00 value in their AcctStopTime in my SQL database. Unless I change the Simultaneous-Use = 2 they will not be able to login again. So temporarily I changed the affected dialup users' Simultaneous-Use = 2 until I solve the issue. What will I do to the radacct tables? Shall I delete the record of AcctStopTime and AcctStartTime of all affected users? How will I do it? Please advise! Thanks again! Bernie

If you know the RadAcctId you can do this to each record that needs a stop time:

    update radacct set AcctStopTime = NOW() where RadAcctId = yourRadAcctId

That will make it appear as if the user has logged out, but you will still have a record of at least the connection start time.

Keith Yoder
Re: UPCASE all incoming passwords
David Lomax wrote:

Has anyone ever configured the server to UPCASE all incoming access-requests etc.? The database I am using was all in UPCASE so I want to UPCASE all incoming to match the DB.

There is an option in the radius.conf file, lower_pass, that converts the password the user types to lower case. But you want upper case. If you're using sql, sql.conf has examples of case-insensitive queries to check passwords.

Hope that helps.
Keith Yoder
Re: Special users only allowed to login to certain ras ports
JAMIE CRAWFORD wrote:

Hello, Is there a way to limit users to logging in to certain ports on the RAS server? For example, I need to allow the president of the company to dial in to the 1800 number configured, which would be port 3 on the RAS server. I need to make sure that he can get in at any time and no one else can take that port. The other ports are all local dialin numbers. Just to clarify: I have a Patton 2960/16 connected to a bit-robbed T1. This allows us to have 16 concurrent dialup connections. But I only want 15 for general use, and the 16th for only the president.

There is a NAS-Port-Id attribute. You'd have to check the authenticate packets that are arriving from your RAS to see if that contains 3 for port 3. If it does you can add a line to your users file:

    DEFAULT Nas-Port-Id == 3, User-Name != presidentlogin, Auth-Type := Reject

That should reject anyone but the president who tries to login on port 3.

Hope that helps,
Keith Yoder
Re: Session-Timeout
Hi all,

Please help me how to write a perl script to control user accounts: when a prepaid user logs on (authenticates), the script will check in the database and send session-timeout to radiusd.

If you're trying to do what I think you are, you don't need to use perl. Take a look at the rlm_counter (or rlm_sqlcounter) modules. You can use the Max-All-Session attribute to define the total number of seconds a user can be logged into your network.

Keith
Re: How to limit Upload/Download Rate
[EMAIL PROTECTED] wrote:

Hi All, I am working on a Wireless ISP project. I have installed Freeradius 0.9.3 with mysql under Mandrake LINUX 9.1 and everything is working fine. Freeradius can authenticate users against the Mysql DB and I could use DIALUP_ADMIN for Radius user management. Couple of questions here:

1. How can I set a bandwidth limit for upload/download against each user?

Depends how your NAS limits bandwidth. Your NAS documentation should tell you which attributes you need to send.

2. How do I receive user statistics in the MySQL DB table Radacct?

Add sql to the accounting {} section of the radiusd.conf file.

I would like to have statistics on data uploaded/downloaded by each individual user.

Look at the AcctInputOctets, AcctOutputOctets fields in the radacct table.

Keith Yoder
Re: radcheck entries
Klaus Heck wrote:

Hi, the radcheck table in my implementation specifies the MAC addresses of the users trying to access the net, e.g.

    id  UserName       Attribute           Value         op
    1   Charlie Brown  Calling-Station-Id  00025b3c48c3  ==

Now I want to allow more than one computer per user name, meaning I want to add another entry with the same name Charlie Brown, but with a different MAC address value. In the standard implementation of freeradius, this does not work. It seems as if it just checks the first value it read, or it checks more than one, but all need to match simultaneously. The first time the condition does not hold, the reject is sent. Is there a way to change the behavior of freeradius in order to have more than one entry for the same UserName? It should send an access-accept whenever at least one entry is true.

As far as I know you can't do this with database tables. The users file will do this just fine. List each user with the Calling-Station-Ids.

Keith Yoder
Re: Quick question about accounting.
If you were using mysql for accounting you could use the following query to find the accounting record:

    SELECT * FROM radius.radacct
      WHERE FramedIPAddress = 'xxx.xxx.xxx.xxx'
        AND '2003-12-12 06:00:00' BETWEEN AcctStartTime AND AcctStopTime

Keith Yoder

Drew Weaver wrote:

Right, but I need to be able to do this when an abuse report crosses my desk from a week ago that says Johnny-jackhole decided to spam 900 people on one of my dial-ups and I need to figure out who it was so I can throttle them.

-Drew

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 1:54 PM
To: [EMAIL PROTECTED]
Subject: Re: Quick question about accounting.

Drew Weaver [EMAIL PROTECTED] wrote:

Hi, I'm authenticating from System and accounting to text files. Is there a way (a php script?) for me to find out what user was using an IP address at a specific time?

radwho, to see who's logged on, and then grep for the IP.

Alan DeKok.
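Two radacct queries from this page worked through as an added example (my code, not from the threads or from FreeRADIUS): the IP-to-user lookup for an abuse report, as in Keith's reply just above, and the Max-All-Session arithmetic that rlm_sqlcounter does for the Session-Timeout threads earlier on the page (Rick's hotspots, the accounting_update_query question, the prepaid perl-script question). It runs against an in-memory SQLite table using the column names that appear in those threads; the rows are constructed sample data, and open sessions are stored with a NULL AcctStopTime (an assumption: some MySQL schemas of the period store a zero date instead, as Bernie's message shows, in which case the IS NULL test becomes a comparison against that value). Note the lookup must include sessions that have not stopped yet, which a plain BETWEEN on start and stop time would miss.

```python
import sqlite3


def build_radacct():
    """Constructed sample accounting rows: two closed sessions that shared
    one address on the same day, and one session still open."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE radacct (
            RadAcctId       INTEGER PRIMARY KEY,
            UserName        TEXT NOT NULL,
            FramedIPAddress TEXT,
            AcctStartTime   TEXT NOT NULL,
            AcctStopTime    TEXT,
            AcctSessionTime INTEGER);
        INSERT INTO radacct VALUES
            (1, 'johnny', '10.0.0.5', '2003-12-12 05:10:00', '2003-12-12 07:00:00', 6600),
            (2, 'maria',  '10.0.0.5', '2003-12-12 07:05:00', '2003-12-12 07:50:00', 2700),
            (3, 'johnny', '10.0.0.9', '2003-12-12 09:00:00', NULL,                  NULL);
    """)
    return con


def who_had_ip(con, ip, at):
    """Users whose session on `ip` was open at timestamp `at`.

    `at` must use the same format and time zone as the accounting rows.
    Sessions with no stop time yet are included (AcctStopTime IS NULL).
    """
    rows = con.execute("""
        SELECT UserName FROM radacct
         WHERE FramedIPAddress = ?
           AND AcctStartTime <= ?
           AND (AcctStopTime IS NULL OR AcctStopTime >= ?)
         ORDER BY AcctStartTime""", (ip, at, at)).fetchall()
    return [row[0] for row in rows]


def session_timeout(con, user, max_all_session):
    """rlm_sqlcounter-style Max-All-Session check: seconds used so far
    (summed over sessions that have reported AcctSessionTime) subtracted
    from the allowance.  The result is the Session-Timeout to return in the
    Access-Accept; 0 means the allowance is exhausted and the user should
    be rejected."""
    (used,) = con.execute(
        "SELECT COALESCE(SUM(AcctSessionTime), 0) FROM radacct WHERE UserName = ?",
        (user,)).fetchone()
    return max(max_all_session - used, 0)


if __name__ == "__main__":
    db = build_radacct()
    print(who_had_ip(db, "10.0.0.5", "2003-12-12 06:00:00"))   # ['johnny']
    print(who_had_ip(db, "10.0.0.9", "2003-12-12 10:00:00"))   # ['johnny'] (still open)
    print(session_timeout(db, "johnny", 36000))                # 29400
```

When the abuse report's timestamp comes from a remote mail server or a web log, convert it to the time zone of the accounting records before running the lookup, or the answer can be off by a whole session.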
Dictionary file for Star-OS
I am attaching the dictionary file for Valemount Networks' Star-OS - a wireless access point. If someone is interested it could be included with the server distribution.

Thanks,
Keith Yoder

    #
    # Valemount Networks Corporation specific radius attributes
    # [EMAIL PROTECTED]
    #
    # Version 1.0 - March 26, 2003
    #
    VENDOR          ValemountNetworks        16313

    BEGIN-VENDOR    ValemountNetworks

    # Rates to give PPPoE customers, can be used in Authentication replies. (in bits/s)
    ATTRIBUTE       VNC-PPPoE-CBQ-RX                1       integer
    ATTRIBUTE       VNC-PPPoE-CBQ-TX                2       integer

    # Fallback support for each direction. (1 / 0)
    ATTRIBUTE       VNC-PPPoE-CBQ-RX-Fallback       3       integer
    ATTRIBUTE       VNC-PPPoE-CBQ-TX-Fallback       4       integer

    END-VENDOR      ValemountNetworks
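An added example (my code, not part of the post or of FreeRADIUS) that parses a vendor dictionary file of the kind posted above and encodes one of its attributes as an RFC 2865 Vendor-Specific attribute, so a submitted dictionary can be sanity-checked before it is dropped into raddb. The parser covers only the four keywords this file uses (VENDOR, BEGIN-VENDOR, ATTRIBUTE, END-VENDOR) and flags the usual hand-editing mistakes: an attribute outside a declared vendor, a vendor attribute number outside 1..255, a duplicate number, or an unknown data type. The embedded dictionary text is a constructed copy carrying the vendor id and attribute numbers from the post; the 512000 bit/s rate in the encoding test is a sample value.

```python
import struct

# Constructed copy of the Star-OS dictionary posted above (same vendor id,
# attribute names, numbers and types).
STAR_OS_DICTIONARY = """\
# Valemount Networks Corporation specific radius attributes
VENDOR          ValemountNetworks           16313
BEGIN-VENDOR    ValemountNetworks
# Rates to give PPPoE customers (bits/s)
ATTRIBUTE       VNC-PPPoE-CBQ-RX            1   integer
ATTRIBUTE       VNC-PPPoE-CBQ-TX            2   integer
# Fallback support for each direction (1 / 0)
ATTRIBUTE       VNC-PPPoE-CBQ-RX-Fallback   3   integer
ATTRIBUTE       VNC-PPPoE-CBQ-TX-Fallback   4   integer
END-VENDOR      ValemountNetworks
"""

KNOWN_TYPES = {"integer", "string", "ipaddr", "octets", "date"}
VENDOR_SPECIFIC = 26  # RFC 2865 attribute type


def _number(text):
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def parse_dictionary(text):
    """Return ({vendor_name: vendor_id}, {attr_name: (vendor_id, number, type)}).

    vendor_id is None for attributes declared outside any BEGIN-VENDOR block.
    """
    vendors, attributes, seen = {}, {}, set()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments and blanks
        if not fields:
            continue
        keyword = fields[0].upper()
        if keyword == "VENDOR" and len(fields) >= 3:
            vendors[fields[1]] = _number(fields[2])
        elif keyword == "BEGIN-VENDOR" and len(fields) >= 2:
            if fields[1] not in vendors:
                raise ValueError("line %d: BEGIN-VENDOR for undeclared vendor %s" % (lineno, fields[1]))
            current = vendors[fields[1]]
        elif keyword == "END-VENDOR":
            current = None
        elif keyword == "ATTRIBUTE" and len(fields) >= 4:
            name, number, atype = fields[1], _number(fields[2]), fields[3]
            if atype not in KNOWN_TYPES:
                raise ValueError("line %d: unknown type %s" % (lineno, atype))
            if current is not None and not 1 <= number <= 255:
                raise ValueError("line %d: vendor attribute number %d out of range" % (lineno, number))
            if (current, number) in seen:
                raise ValueError("line %d: duplicate attribute number %d" % (lineno, number))
            seen.add((current, number))
            attributes[name] = (current, number, atype)
        else:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
    return vendors, attributes


def encode_integer_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute (type 26) carrying one 32-bit integer
    sub-attribute in the common 1-byte type / 1-byte length vendor format:
    type(26) length vendor-id(4) vendor-type vendor-length(6) value(4)."""
    inner = struct.pack(">BBI", vendor_type, 6, value)
    body = struct.pack(">I", vendor_id) + inner
    return struct.pack(">BB", VENDOR_SPECIFIC, 2 + len(body)) + body


if __name__ == "__main__":
    vendors, attrs = parse_dictionary(STAR_OS_DICTIONARY)
    vid, num, _ = attrs["VNC-PPPoE-CBQ-RX"]
    print(vendors, attrs)
    print(encode_integer_vsa(vid, num, 512000).hex())
```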