Freeradius 2.1.12 Second LDAP Server
Hello, I'm running a FreeRADIUS server 2.1.12 on an Ubuntu 13.04 VM. The login with 802.1X works perfectly. I'm using a Windows LDAP server for the login and want to add a second LDAP server for failover. I'm following the tutorials to set up my FreeRADIUS server: *Click*. I can't find a suitable tutorial on adding a second LDAP server for failover. Which files are responsible for the integration of a second LDAP server?

These are my current settings:

/etc/freeradius/modules/ldap:

ldap ldap1 {
    server = serv01.xyz.local
    basedn = dc=xyz,dc=local
    filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = no
    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60
        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3
        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}

ldap ldap2 {
    server = serv02.xyz.local
    basedn = dc=xyz,dc=local
    filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = no
    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60
        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3
        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}

/etc/samba/smb.conf:

[global]
    workgroup = XYZ
    dns proxy = no
    security = ads
    password server = serv01.xyz.local
    password server = serv02.xyz.local
    winbind separator = +

/etc/freeradius/sites-enabled/inner-tunnel:

authenticate {
    ntlm_auth
    …

/etc/freeradius/sites-enabled/default:

authenticate {
    ntlm_auth
    …

/etc/freeradius/users:

DEFAULT Auth-Type = ntlm_auth

Thanks for help!

BeliarsFire

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: PEAP/MSCHAPv2 - Host Account Authentication Only
That did the trick perfectly. I am only using the default virtual server. Is there any reason I would add this to the authorize section for the inner-tunnel?

Thanks.

--
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905

-----Original Message-----
From: freeradius-users-bounces+kevin_elliott=ci.juneau.ak.us@lists.freeradius.org [mailto:freeradius-users-bounces+kevin_elliott=ci.juneau.ak.us@lists.freeradius.org] On Behalf Of alan buxey
Sent: Wednesday, April 25, 2012 2:53 PM
To: FreeRadius users mailing list
Subject: Re: PEAP/MSCHAPv2 - Host Account Authentication Only

Hi,

> Currently FreeRadius will send back Access-Accepts for *both* user and machine/host accounts (in the Active Directory context of those terms). I would like to configure FreeRadius to ignore or reject authentication requests using the user credentials. I spent the better part of yesterday afternoon searching the mailing list but I couldn't seem to conjure up the correct search terms to find out which configuration files I need to delve into to make this setting.

I guess a simple way would be something like this in the authorize {} section of the server:

if (%{User-Name} !~ /^host\/.*\.yourAD\.realm$/i) {
    update reply {
        Reply-Message = "Not an host/machine login!"
    }
    reject
}

alan
PEAP/MSCHAPv2 - Host Account Authentication Only
= /etc/freeradius/certs/server.pem
    CA_file = /etc/freeradius/certs/ca.pem
    private_key_password = SECRET
    dh_file = /etc/freeradius/certs/dh
    random_file = /dev/urandom
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = DEFAULT
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
    }
  }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
  ttls {
    default_eap_type = md5
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = inner-tunnel
    include_length = yes
  }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
  peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = inner-tunnel
  }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
  mschapv2 {
    with_ntdomain_hack = no
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating module suffix from file /etc/freeradius/modules/realm
  realm suffix {
    format = suffix
    delimiter = @
    ignore_default = no
    ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module files from file /etc/freeradius/modules/files
  files {
    usersfile = /etc/freeradius/users
    acctusersfile = /etc/freeradius/acct_users
    preproxy_usersfile = /etc/freeradius/preproxy_users
    compat = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module radutmp from file /etc/freeradius/modules/radutmp
  radutmp {
    filename = /var/log/freeradius/radutmp
    username = %{User-Name}
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module attr_filter.access_reject from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_reject {
    attrsfile = /etc/freeradius/attrs.access_reject
    key = %{User-Name}
  }
 } # modules
} # server
server { # from file /etc/freeradius/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_digest
 Module: Instantiating module digest from file /etc/freeradius/modules/digest
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module preprocess from file /etc/freeradius/modules/preprocess
  preprocess {
    huntgroups = /etc/freeradius/huntgroups
    hints = /etc/freeradius/hints
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module acct_unique from file /etc/freeradius/modules/acct_unique
  acct_unique {
    key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module detail from file /etc/freeradius/modules/detail
  detail {
    detailfile = /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
    header = %t
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Instantiating module attr_filter.accounting_response from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.accounting_response {
    attrsfile = /etc/freeradius/attrs.accounting_response
    key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: Opening IP addresses and Ports
listen {
    type = auth
    ipaddr = *
    port = 0
}
listen {
    type = acct
    ipaddr = *
    port = 0
}
listen {
    type = auth
    ipaddr = 127.0.0.1
    port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.

--
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
PEAP/MSCHAPv2 / Freeradius / AD
Hi all, hopefully I got to the right group of people. We are trying to use FreeRADIUS to do PEAP/MSCHAPv2 authentication against Active Directory (2003). Our realm is abc.acme.edu, but since eduroam doesn't allow subdomains, the end user has to use b...@acme.edu instead of b...@abc.acme.edu as username. My question is: can you modify the realm behind the user's back (during the EAP process)?

Kevin
freeradius-client lib documentation
Hello, I have to make an application using a RADIUS lib. I want to use the freeradius-client lib, but I can't find the documentation. I downloaded the bz2 archive as said on the wiki and installed it, but I don't have any help with it, nor in the wiki. Is there a doc somewhere? An example program at least? I've looked at the .h files in the include folder, but there are too many functions for me to understand how to use it just with that.

Thanks.
Re: authorize an user using a multivalue ldap attribute
On 10/22/10 6:25 AM, Jonathan Gazeley wrote:
> On 22/10/10 13:16, Ana Gallardo wrote:
>> Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64. at /usr/lib/perl/5.10/Data/Dumper.pm line 36
>
> You need to install the Data::Dumper module from your package manager, or from CPAN, or from somewhere else :)

Conversely, you could comment out/remove the "use Data::Dumper" line since you're not using it. It's mainly for debugging and easily printing the entire contents of an object/array/hash/etc.

--
Kevin Ehlers
Network Engineer
University of Oregon
Re: Freeradius Attribute Subtypes
2010/10/4 Alan DeKok al...@deployingradius.com:
> Kevin Baier wrote:
>> As I can see the attribute itself has two subtyped values. How can I declare them in the dictionary file?
>
> You don't. Nested subtypes are non-standard, and are not supported in 2.0.4. They will likely be supported in 2.2.0, which will be out some time next year.
>
> Alan DeKok.

@ Alan

Thank you for your response!

--
Kevin Baier
Freeradius Attribute Subtypes
Hi List,

My freeradius version is 2.0.4, shipped with the standard Debian lenny package. I have to implement a special attribute to control the users' bandwidth on a special NAS. Here is the attribute:

Type: 26
Length = 12
Vendor ID: 3902
Vendor-Type = 3
Vendor-Length = 14
  Sub-Type = 1 (Forward maximum gross aggregate bandwidth value)
    Length = 6
    Vendor-Value = 1 – 2**32 -1 (binary value of the gross aggregate bandwidth for the user, in bits per second)
  Sub-Type = 2 (Reverse maximum gross aggregate bandwidth value)
    Length = 6
    Vendor-Value = 1 – 2**32 -1 (binary value of the gross aggregate bandwidth for the user, in bits per second)

As I can see, the attribute itself has two subtyped values. How can I declare them in the dictionary file?

Thank you for your help!

--
Kevin Baier
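Since the 2.0.4 dictionary cannot describe the nested sub-types, here is an added Python encoder/decoder for the attribute laid out in the post (this is not code from the thread or from FreeRADIUS). It packs RADIUS attribute 26 with the vendor header for vendor 3902 / vendor-type 3 and the two length-6 sub-TLVs, and the decoder re-checks every length field so a truncated or duplicated sub-TLV is rejected instead of silently misparsed. The outer Length is computed from the encoded bytes rather than copied from the post; the function names and sample bandwidth values are my own.

```python
import struct

RADIUS_VSA_TYPE = 26
VENDOR_ID = 3902     # vendor ID from the post
VENDOR_TYPE = 3      # vendor-type from the post
SUB_FORWARD = 1      # forward maximum gross aggregate bandwidth, bits/s
SUB_REVERSE = 2      # reverse maximum gross aggregate bandwidth, bits/s
SUB_LENGTH = 6       # sub-type (1) + length (1) + 32-bit value (4)
MAX_BPS = 2 ** 32 - 1


def encode_bandwidth_vsa(forward_bps: int, reverse_bps: int) -> bytes:
    """Build RADIUS attribute 26 carrying vendor-type 3 with both sub-TLVs."""
    for v in (forward_bps, reverse_bps):
        if not 1 <= v <= MAX_BPS:
            raise ValueError("bandwidth must be in 1..2**32-1, got %r" % v)
    sub_tlvs = (struct.pack("!BBI", SUB_FORWARD, SUB_LENGTH, forward_bps)
                + struct.pack("!BBI", SUB_REVERSE, SUB_LENGTH, reverse_bps))
    # Vendor-Length counts vendor-type, vendor-length and the sub-TLVs: 2 + 12 = 14
    vendor_body = struct.pack("!BB", VENDOR_TYPE, 2 + len(sub_tlvs)) + sub_tlvs
    payload = struct.pack("!I", VENDOR_ID) + vendor_body
    # outer Length counts type, length and everything after them
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(payload)) + payload


def decode_bandwidth_vsa(attr: bytes) -> dict:
    """Parse the attribute back, validating each length; malformed input raises ValueError."""
    if len(attr) < 8 or attr[0] != RADIUS_VSA_TYPE or attr[1] != len(attr):
        raise ValueError("not a well-formed vendor-specific attribute")
    vendor_id, vtype, vlen = struct.unpack("!IBB", attr[2:8])
    if vendor_id != VENDOR_ID or vtype != VENDOR_TYPE or vlen != len(attr) - 6:
        raise ValueError("unexpected vendor header")
    body, pos, values = attr[8:], 0, {}
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated sub-TLV header")
        sub_type, sub_len = body[pos], body[pos + 1]
        if sub_len != SUB_LENGTH or pos + sub_len > len(body):
            raise ValueError("bad sub-TLV length %d" % sub_len)
        if sub_type in values:
            raise ValueError("duplicate sub-type %d" % sub_type)
        values[sub_type] = struct.unpack("!I", body[pos + 2:pos + 6])[0]
        pos += sub_len
    if set(values) != {SUB_FORWARD, SUB_REVERSE}:
        raise ValueError("expected sub-types 1 and 2, got %s" % sorted(values))
    return {"forward_bps": values[SUB_FORWARD], "reverse_bps": values[SUB_REVERSE]}


if __name__ == "__main__":
    # constructed sample: 10 Mbit/s down, 2 Mbit/s up
    raw = encode_bandwidth_vsa(10_000_000, 2_000_000)
    print(raw.hex(), decode_bandwidth_vsa(raw))
```

A NAS that understands this vendor format will expect exactly these bytes on the wire; on the FreeRADIUS side the attribute can be sent as an opaque octet string until a dictionary with sub-type support is available.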
Re: freeradius, samba, AD peap/mschap-v2 redundancy and Certificate
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/15/10 11:07 AM, schilling wrote:
> For certificate, do we need a server certificate for both radius1 and radius2 if we want supplicant to verify the server certificate?

Just a note on this: you can get a single certificate with SANs (Subject Alternative Names) and use the same cert on both machines. It's sometimes cheaper to go this route. Also, you can add more SANs and get the CA to issue you a new cert. This also allows you to have your two production machines and a test machine that use the same cert. That way you can test new configurations without having to worry about PKI issues.

- --
Kevin Ehlers
Network Engineer
University of Oregon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyRDh4ACgkQ0l216NgIDrwtawCfYWUWwHQwqM/d1Pr40wL7sn2A
UjUAniQqSI2tqzmTWVk0N/T6x5w3yx10
=Jncp
-----END PGP SIGNATURE-----
Re: Freeradius + MySql + Wireless Clients without certificates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/13/10 3:40 PM, Esteban TALAVERA wrote:
> I'd like to know if there is a way to configure a RADIUS server + MySQL to authenticate wireless clients via a Cisco AP without certificates (EAP-TLS), only a username and password

Are you using an autonomous AP or a lightweight AP with a controller? If you have a controller, you can do webauth. For webauth, the only certificate required is the one for https/ssl. If it's an autonomous system, then you could place clients on a VLAN and make them go through an authentication gateway.

- --
Kevin Ehlers
Network Engineer
University of Oregon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyPlnEACgkQ0l216NgIDrz+fgCbBMTmrFDjUhQlouJou4OQh0k8
DaYAoJO9fdCQotSdyBKWdv7xdUbflexR
=3Lam
-----END PGP SIGNATURE-----
Re: Freeradius + MySql + Wireless Clients without certificates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/14/10 11:38 AM, Alan Buxey wrote:
> Hi,
>
>> I'd like to know if there is a way to configure a RADIUS server + MySQL to authenticate wireless clients via a Cisco AP without certificates (EAP-TLS), only a username and password
>
> yes. we use Cisco APs - we used to use them in autonomous mode but moved to the lightweight LWAPP (now CAPWAP) mode a few years back.
>
> I would not recommend broken captive portals. 802.1X is the way forward (and is now being mandated by several government and education procurement systems around the world - expect any half-decent auditor to pick up on this too.
>
> for EAP, you can use EAP-PEAP or EAP-TTLS - in which your RADIUS server has a certificate signed by a CA. the clients don't need certificates, they just need to have the CA on them that signed the RADIUS server (for trust!)

I agree for the most part. However, captive portals will still be in use for guest access. There's less administrative and helpdesk overhead for this type of deployment. On Windows machines, the CA/cert trust has to be explicitly enabled. This can be a barrier for un-managed and non-employee machines.

- --
Kevin Ehlers
Network Engineer
University of Oregon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyPxQUACgkQ0l216NgIDryV7ACfdCwwbjP6y4dWsNUOQS0x5woK
JQ4Amwa3WK5kSoGHvzX1FPiUxJp1cQt9
=opmK
-----END PGP SIGNATURE-----
Re: LDAP Data Mangling
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/3/10 2:30 PM, Alan DeKok wrote:
> Kevin Ehlers wrote:
>> Is it possible to modify attributes returned from ldap? E.g. We're trying to do wpa-enterprise with peap-mschapv2. We store our NT hash passwords as {nthash}hash instead of {nt}hash. It looks like the mschap module doesn't auto-detect the hash-type correctly, and says that it never received a valid password hash. All authentication fails at this point.
>
> The PAP module is the one which does the password mangling.
>
>> We store it as {nthash} because that's what our other radius servers (radiator) expect to see.
>
> I can add the {nthash} format for 2.1.10. In the mean time, try putting this into the authorize section, just before the pap module:
>
> if (control:User-Password =~ /^{nthash}(.*)/) {
>     update control {
>         User-Password := "{nt}%{1}"
>     }
> }

Hi Alan,

Thanks for pointing me in the right direction. I found a solution that works in the meantime by writing a perl module. I'm using the perl module during the authorize section in the inner-tunnel virtual server. What it does is query ldap and get the nt-password attribute from our ldap server. It then does a $nt-password =~ /^{nthash}(.*)$/. From there, I update the control packet $RAD_CHECK{NT-Password} = $1. And then it returns OK.

It looks like the ldap module rejects the password and doesn't store it in the User-Password or NT-Password field. I tried updating the ldap.attrmap, and it still didn't store it. When I tried the control:User-Password =~ /regex/, there was nothing to match it to.

Thanks,

- --
Kevin Ehlers
Network Engineer
University of Oregon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyHuFEACgkQ0l216NgIDrys/QCfUg8v3U3ZObjpS7G6FswGkaH2
5uoAoIC3dFLS1cXNrAdnEZ/sYjvZElIZ
=0f4H
-----END PGP SIGNATURE-----
LDAP Data Mangling
Hi,

Is it possible to modify attributes returned from ldap? E.g. We're trying to do wpa-enterprise with peap-mschapv2. We store our NT hash passwords as {nthash}hash instead of {nt}hash. It looks like the mschap module doesn't auto-detect the hash-type correctly, and says that it never received a valid password hash. All authentication fails at this point.

We store it as {nthash} because that's what our other radius servers (radiator) expect to see.

I searched the archives, but was unable to find anything about that.

Thanks,

--
Kevin Ehlers
Network Engineer
University of Oregon
coa proxy'ing with a NAC device
I'm having a really hard time with proxying or just dealing with CoAs. The documentation just isn't working for me. I can configure the coa server. I can get the originate-coa server up too. I can send CoAs to the server, but I can't get it to proxy them or re-send them as if it was originating the CoA. I see that they're being processed when looking at debug mode, but I just don't know how to do anything with them.

This is what I want to do:

[lots of switches doing dot1x]-[freeradius]-[NAC device, PacketFence in this case]

I want to be able to send a CoA request from PacketFence (or another management server) to freeradius, and have it relay that CoA to a specific switch. E.g. I have determined that a user needs to be quarantined, so I run a script on the backend, and part of that requires having that user re-authenticate and get assigned a quarantine VLAN. PF determines which switch they're on, sends a CoA to FreeRADIUS, and FreeRADIUS then sends the CoA to the correct switch.

Is there a way to do this without configuring a client entry for every edge device? Should I be using the proxy.conf in some way? I'm not really clear about how to use the virtual servers in regard to proxying.

Thanks,

--
Kevin Ehlers
Network Engineer
University of Oregon
option 82
Hi,

I work at an ISP and we are looking at the possibility of using option 82 in FreeRADIUS. The other side is going to send us an order number and then we want to send a configuration back (an IP address etc.). I've been searching for how to do this in FreeRADIUS, but haven't found much useful information. So, if somebody can point me in the right direction on how to set it up in FreeRADIUS, any help will be greatly appreciated.

Gr,
Kevin
Re: NAS-IP-Address modified during Access-Request process
On Mon, Jun 22, 2009 at 23:08, Ivan Kalik t...@kalik.net wrote:
>> I installed freeradius 2 but my problem is still there. To remember it: I configured FreeRADIUS to look in an OpenLDAP directory to authenticate and authorize a user. The authentication phase is OK. During the authorize phase, an LDAP search is done: if the user is a member of a group identified by the IP of the host he wants to connect to, the user is authorized. The problem is here: freeradius receives an Access-Request packet with a NAS-IP-Address (the good one) and, to search in the LDAP, it doesn't send the IP received in the packet but another one!
>
> Dynamic expansion for Ldap and SQL-Group doesn't work in users file. I can replicate this. But it works in unlang:
>
> if (Ldap-Group == "%{NAS-IP-Address}") {
>     ...
> }
>
> will work just fine.
>
> Ivan Kalik
> Kalik Informatika ISP

:) It works fine!

To help users who have the same problem, I put these lines in the authorize section:

if (Ldap-Group == "%{NAS-IP-Address}") {
    ok
} else {
    reject
}

Thanks!

--
KeV
Re: NAS-IP-Address modified during Access-Request process
Hi,

I installed freeradius 2 but my problem is still there.

To remember it: I configured FreeRADIUS to look in an OpenLDAP directory to authenticate and authorize a user. The authentication phase is OK. During the authorize phase, an LDAP search is done: if the user is a member of a group identified by the IP of the host he wants to connect to, the user is authorized.

The problem is here: freeradius receives an Access-Request packet with a NAS-IP-Address (the good one) and, to search in the LDAP, it doesn't send the IP received in the packet but another one! Why is this attribute modified? Is there any cache (the other IP comes from another equipment)?

To be precise: I think there is some cache enabled somewhere (the IP used for the LDAP filter is always the one of the first request). Is there any way to disable it?

Before testing, I created the group for IP1 and I added the test user to it.

Test 1:
- I ran radiusd -X
- I try to connect with IP1 => OK
- I try to connect with IP2 => OK (not the right result, because to check the membership it's the first IP which is used)

Then, I kill radiusd.

Test 2:
- I ran radiusd -X
- I try to connect with IP2 => KO (expected, because the group for IP2 doesn't exist)
- I try to connect with IP1 => KO (not expected, because the group for IP1 exists)

To help, the logs:

--
rad_recv: Access-Request packet from host 126.50.0.148 port 1645, id=34, length=80
    NAS-IP-Address = 126.50.0.148
    NAS-Port = 1
    NAS-Port-Type = Virtual
    User-Name = testuser
    Calling-Station-Id = 126.100.100.6
    User-Password = X
+- entering group authorize {...}
++[preprocess] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files]     expand: dc=example,dc=com -> dc=example,dc=com
[files]     expand: (uid=%{User-Name}) -> (uid=testuser)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as ou=radius,ou=applications,dc=example,dc=com/X to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
rlm_ldap: ldap_release_conn: Release Id: 0
[files]     expand: (&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:LDAP-UserDn})) -> (&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (&(cn=126.50.0.147)(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom)))
rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
[ldap] performing user authorization for testuser
[ldap]     expand: (uid=%{User-Name}) -> (uid=testuser)
[ldap]     expand: dc=example,dc=com -> dc=example,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by testuser with password azerty12
[ldap] user DN: uid=testuser,uid=test01,ou=users,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: starting TLS
rlm_ldap: bind as uid=testuser,uid=test01,ou=users,dc=example,dc=com/azerty12 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user testuser authenticated succesfully
++[ldap] returns ok
Login OK: [testuser] (from client petitnom port 1 cli 126.100.100.6)
Sending Access-Accept of id 34 to 126.50.0.148 port 1645
    Nokia-IPSO-User-Role = adminRole
    Nokia-IPSO-SuperUser-Access = 1
    Service-Type = Login-User
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 34 with timestamp +52
Ready to process requests.
--

--
KeV
NAS-IP-Address modified during Access-Request process
Hi everybody,

I have a big problem with freeradius installed in version 1.1.4 on RHEL 5, and today it's the third day I'm looking for a solution :(

Here is the problem: I configured FreeRADIUS to look in an OpenLDAP directory to authenticate and authorize a user. The authentication phase is OK. During the authorize phase, an LDAP search is done: if the user is a member of a group identified by the IP of the host he wants to connect to, the user is authorized.

The problem is here: freeradius receives an Access-Request packet with a NAS-IP-Address (the good one) and, to search in the LDAP, it doesn't send the IP received in the packet but another one! Why is this attribute modified? Is there any cache (the other IP comes from another equipment)?

Thanks for any helpful idea.

Here are /etc/raddb/users (I also tried with ldap-group == %{NAS-IP-Address}):

DEFAULT ldap-group == %{Client-Ip-Address}, Auth-Type := LDAP
    Service-Type = 1,
    Fall-Through = no

DEFAULT Auth-Type := Reject
    Fall-Through = no,
    Reply-Message = You are not authorized to log in to this host :(

/etc/raddb/clients.conf:

client 126.50.0.0/8 {
    secret = secretsecret
    shortname = shortname
}

radius LOG (with radiusd -X):

rad_recv: Access-Request packet from host *126.50.0.148*:1645, id=17, length=82
    NAS-IP-Address = *126.50.0.148*
    NAS-Port = 1
    NAS-Port-Type = Virtual
    User-Name = testadmin
    Calling-Station-Id = XX.XX.XX.XX
    User-Password = X
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module preprocess returns ok for request 4
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=example,dc=com'
radius_xlat: '(uid=testadmin)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testadmin)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: starting TLS
rlm_ldap: bind as uid=radius,ou=applications,dc=example,dc=com/radiuspass to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testadmin)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (&(cn=* 126.50.0.147* )(|(&(objectClass=GroupOfNames)(member=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom
rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 3
  modcall[authorize]: module files returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testadmin
radius_xlat: '(uid=testadmin)'
radius_xlat: 'dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testadmin)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testadmin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 4
modcall: leaving group authorize (returns ok) for request 4
  rad_check_password: Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 4
rlm_ldap: - authenticate
rlm_ldap: login attempt by testadmin with password X
rlm_ldap: user DN: uid=testAdmin,uid=test01,ou=users,dc=example,dc=com
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: starting TLS
rlm_ldap: bind as uid=testAdmin,uid=test01,ou=users,dc=example,dc=com/X to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testadmin authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 4
modcall: leaving group LDAP
Re: NAS-IP-Address modified during Access-Request process
Thanks for the quick answer :)

Indeed, the version installed is not the latest one but the no longer maintained one. I just did yum install freeradius. I will fix this right now.

Thanks again

--
KeV
Re: Restrict access to certain groups
On Tue, Feb 10, 2009 at 1:54 PM, kevin leblanc kevinzebe...@gmail.com wrote:
> To remember: I want only user1 to be able to access host1. To illustrate it:
>
>             root
>              |
>       ---------------
>       |             |
>     hosts         users
>       |             |
>     host1      user1  user2
>       |
>    members:
>      user1
>
> I found a possible way. In radiusd.conf, I put:
>
> groupname_attribute = cn
> group_membership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
>
> In the users file, I put:
>
> Ldap-Group == X Auth-Type := LDAP
>
> X will be the IP/hostname of the host which tries to connect. Is there any variable like %{LDAP-UserDN} which could give me this information?
>
> thanks for any help
>
> --
> KeV

I found the variable %{Client-IP-Address} which gives me the host's IP. But is there any way to get the hostname instead of the IP? By hostname, I mean the real hostname, not the one defined in clients.conf with the attribute shortname.

Other question: I don't want to store the identity/password attributes in radiusd.conf for security reasons. I tried with the line below in the users file, but that doesn't work:

DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`

Any idea?

Thanks

--
KeV
Restrict access to certain groups
Hi,

I have a FreeRADIUS which checks via LDAP whether a user has the right to connect to a network equipment. For security reasons, I want to restrict access to certain users (network administrators).

At the beginning, I wanted to do it by adding a host attribute to a user, which would contain all the allowed hosts he can connect to: I didn't find a solution. But I found another way: in my schema I added an OU which contains all computers in the network, and to allow a user to connect to one of them, I make him a member of this host. So, I want to check whether the user is a member of the host he tries to connect to, to give him the corresponding access.

I don't know if it's possible and how to do this (if it's possible). May I change the users file? radiusd.conf? clients.conf? I'm lost, and I've been on it since last week :(

Thanks for all possible solutions

--
KeV
Re: Restrict access to certain groups
To remember: I want only user1 to be able to access host1. To illustrate it:

    root
    |-- hosts
    |   `-- host1   (members: user1)
    `-- users
        |-- user1
        `-- user2

I found a possible way. In radiusd.conf, I put:

    groupname_attribute = cn
    group_membership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

In the users file, I put:

    Ldap-Group == X Auth-Type := LDAP

X will be the IP/hostname of the host which tries to connect. Is there any variable like %{LDAP-UserDN} which could give me this information?

thanks for any help
--
KeV
Re: WISPr-Bandwidth question
On Thu, 2008-12-18 at 15:05 +0100, Alan DeKok wrote:
> kevin wrote:
>> IOW, when using WISPr-Bandwidth, does that modify the client connection at the client computer or does that occur at a proxy or firewall device?
>
> The RADIUS client (NAS) that receives the WISPr-Bandwidth attribute is responsible for enforcing it.

OK, I think I understand this better. If I was using PPPoE or similar (so long as it honoured the WISPr-Bandwidth attribute), the client would handle and enforce these parameters. A NAC would not be required if authentication is direct by that method. Sorry for the off-topic nature this thread is taking, but I'm thinking out loud here.

On the other hand, I think I've narrowed down my choices for NAC. I will look further into UNI-FY, but right now I think my best option, without having to go to OpenWrt or whatever with some version of chilli (or a derivative) integrated, is looking like ZeroShell: http://www.zeroshell.net

Apparently, it can be configured to use a remote RADIUS server for AAA. I'm just noticing that chilli-based AAA has limitations which I don't want to deal with. I don't want to use a router with a firmware update because I'd like more options and don't want to deal with vendor lock-in. And from what I can see, ZeroShell offers a lot of extra, low-level control. As mentioned in another part of this thread, being able to manage office users using WISPr-Bandwidth and similar controls, allowing me to aggregate all bandwidth with a single point of authentication, is what I'm looking at. My own cloud, if you will. I know FreeRADIUS is part of the puzzle and I want to do this only once: changing from my old infrastructure to a new, robust, and scalable system. I'm currently using Smoothwall and I don't have the time, energy, or resources to fix and modify it to suit my needs, and others like pfSense or IPCop or WiFiDog seem to be at about the same level as far as limitations.

Cheers,
Kevin

>> What I'm getting at is, is a captive portal necessary or can a person simply have client authentication via freeradius and the client network card handle managing its own bandwidth? And if so, is there any possibility that the client computer could be modified by someone with a bit of skill to bypass those controls?
>
> No.
>
> Alan DeKok.
WISPr-Bandwidth question
While an out-of-the-box solution is where I'll probably end up, I'm battling with myself over the idea of how to best manage bandwidth on a network including multiple remote locations, with both wired and wireless connections. I'm moving to using freeradius to authenticate (which ultimately will be done by MAC for initial ease of setup), but I'm trying to figure out where the Bandwidth attributes are actually used.

IOW, when using WISPr-Bandwidth, does that modify the client connection at the client computer or does that occur at a proxy or firewall device?

What I'm getting at is, is a captive portal necessary or can a person simply have client authentication via freeradius and the client network card handle managing its own bandwidth? And if so, is there any possibility that the client computer could be modified by someone with a bit of skill to bypass those controls?

Hope that made sense.

Cheers,
Kevin
Re: WISPr-Bandwidth question
Thanks, Leigh... Yes, that does make more sense, the way you explained it. So basically, I would need to put a NAC (network access controller) at each remote location. BUT... I wouldn't necessarily have to put a traditional captive portal at each location, even though they would probably provide pretty much the same features.

thx...
Kevin

On Wed, 2008-12-17 at 12:49 -0500, Leigh Martell wrote:
> Hello Kevin,
>
> I can't answer definitively, but I would assume that it would be done on your NAS (depending on your hardware these rules could be propagated to the child devices). It would defy all logic for it to be done on the client. Just as you would in an unauthenticated wired/wireless network, it is always best to control traffic at the distribution point.
>
> Hope that helps.
>
> Take Care,
> Leigh Martell
>
> On Wed, Dec 17, 2008 at 12:14 PM, kevin r...@yia.ca wrote:
>> While an out-of-the-box solution is where I'll probably end up, I'm battling with myself over the idea of how to best manage bandwidth on a network including multiple remote locations, with both wired and wireless connections. I'm moving to using freeradius to authenticate (which ultimately will be done by MAC for initial ease of setup), but I'm trying to figure out where the Bandwidth attributes are actually used.
>>
>> IOW, when using WISPr-Bandwidth, does that modify the client connection at the client computer or does that occur at a proxy or firewall device?
>>
>> What I'm getting at is, is a captive portal necessary or can a person simply have client authentication via freeradius and the client network card handle managing its own bandwidth? And if so, is there any possibility that the client computer could be modified by someone with a bit of skill to bypass those controls?
>>
>> Hope that made sense.
>>
>> Cheers,
>> Kevin
Re: freeradius not responding on machine specific IPs
Hi Alan,

OK, you pointed me in the right direction. I did run radius in debug and came up with no errors, as shown in a previous message to the list that was cut from this continuation. What I didn't realize nor think of is that I could run radtest against the debug run. Every reference to debug mode simply indicated to run in debug, check if there were errors, and then ctrl-X and run freeradius again in standard mode.

So I ran freeradius in debug mode and then ssh'd into the server again in another instance. Ran radtest again and found these output results:

    rad_recv: Access-Request packet from host 192.168.3.199:41953, id=15, length=56
    Ignoring request from unknown client 192.168.3.199:41953
    --- Walking the entire request list ---
    Nothing to do.  Sleeping until we see a request.

unh-hunh... FR was getting the request, and IGNORING IT... so the client never knew that FR had received the request. Great for security (looks like the port was closed), so that pointed me in the wrong direction, thinking it wasn't open or getting requests.

Anyhow, I changed clients.conf to include the external IP of the server, ran the test again, and it worked as expected:

    r...@server3:/home/kevin# radtest fred wilma 192.168.3.199 1812 mysecret
    Sending Access-Request of id 60 to 192.168.3.199 port 1812
            User-Name = fred
            User-Password = wilma
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 1812
    rad_recv: Access-Reject packet from host 192.168.3.199:1812, id=60, length=20
    rad_verify: Received Access-Reject packet from client 192.168.3.199 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)

Thanks to all helping me figure this out...

Cheers,
Kevin

On Sat, 2008-12-13 at 08:45 +0100, Alan DeKok wrote:
> kevin wrote:
>> I'm using fake data to send to the radius server. I do not care if it passes or fails. I simply want the server to respond when I send a message to x.x.3.199 (the network address of the machine) just as it does when I send a request to the localhost address on the machine.
>
> It's not clear from your messages if you're running the server in debugging mode for these tests. If you are, the possible outcomes are:
>
> 1) it doesn't receive the packet. This usually means firewall issues.
> 2) it receives the packet, and doesn't respond. Debug output explains why.
> 3) it receives the packet and responds, but the client doesn't see the response. This usually means firewall issues.
>
>> It does respond to localhost, it does not respond to the network address. That's where the problem lies, that I am trying to figure out.
>
> As always, READ the debug output. From your messages it looks like you are NOT looking at the debug output when you send requests from outside of localhost.
>
> Alan DeKok.
freeradius not responding on machine specific IPs
I was loath to ask a newbie question, but it appears I have one. How does one configure freeradius to listen on all IPs specific to a machine?

I have a remote Ubuntu 7.10 server (32-bit) which I want to use for authentication via freeradius. It (freeradius 1.1.6-2) installed all nice and is running properly in the default config, or so it would seem. I cannot get a response when a remote authentication is made. When I ssh into the server, it appropriately responds to the following:

    r...@server3:/home/kevin# radtest fred wilma 127.0.0.1 1812 mysecret
    Sending Access-Request of id 1 to 127.0.0.1 port 1812
            User-Name = fred
            User-Password = wilma
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 1812
    Re-sending Access-Request of id 1 to 127.0.0.1 port 1812
            User-Name = fred
            User-Password = wilma
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 1812
    rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=1, length=20
    rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)

When I try radtest on the network IP, it fails, as per:

    r...@server3:/home/kevin# radtest fred wilma 192.168.3.199 1812 mysecret
    Sending Access-Request of id 5 to 192.168.3.199 port 1812
            User-Name = fred
            User-Password = wilma
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 1812
    Re-sending Access-Request of id 5 to 192.168.3.199 port 1812
            User-Name = fred
            User-Password = wilma
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 1812
    etc...

I have tried setting the listen in radiusd.conf to the network IP of the machine (x.x.3.199), but that gave the same results. Any thoughts on what this n00b is doing wrong?

Thanks,
Kevin
Re: freeradius not responding on machine specific IPs
Just to be sure, iptables has been set to accept all. A netstat shows:

    udp        0      0 *:radius                *:*
    udp        0      0 *:radius-acct           *:*

So radius appears to be listening on the ports on ALL IPs. If the above is correct, then I should be able to do a radtest on any IPs associated with the box and get a response. Yet I am only able to get a response using localhost (127.0.0.1)...

Just to be sure, I also did a localhost radtest on the machine:

    radtest fred wilma localhost 1812 mysecret

And it resolved localhost as 127.0.0.1 (as expected) and responded the same as when I used 127.0.0.1.

In radiusd.conf, bind_address = * and listen { } is all commented out.

Running freeradius -XXX -A provides the following output:

    r...@server3:/home/kevin# freeradius -XXX -A
    [startup debug output omitted here: configuration file includes, main/proxy/security settings and module instantiation; the archived copy is cut off mid-way]
RE: freeradius not responding on machine specific IPs
Thanks Jason, but I might have been unclear. Sorry about that.

I'm using fake data to send to the radius server. I do not care if it passes or fails. I simply want the server to respond when I send a message to x.x.3.199 (the network address of the machine) just as it does when I send a request to the localhost address on the machine. It does respond to localhost, it does not respond to the network address. That's where the problem lies, that I am trying to figure out.

Thanks again, though. The network I am trying to authenticate is remote from the radius server, so I cannot use localhost. Otherwise, I wouldn't worry about it... Eventually, the remote location will be running CoovaChilli or something similar. But for security (equipment) reasons, I cannot put a server at that end, so must do authentication remotely, at this end.

Cheers,
Kevin

On Fri, 2008-12-12 at 16:11 -0500, Jason Wittlin-Cohen wrote:
> Kevin,
>
> The relevant line is:
>
>     rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
>
> The shared secret to authenticate a client to the RADIUS server (for RADIUS, not EAP traffic) is either not set, or you're using the wrong secret. By default there is no shared secret set for localhost. Edit clients.conf, search for 127.0.0.1. You'll find a line that looks like:
>
>     ipaddr = 127.0.0.1
>
> Now, add this line beneath:
>
>     secret = secret
>
> Restart freeradius and try again. The message should go away. Remember, you're still going to get an Access-Reject response unless you set up the user account and password you're authenticating with in the users file.
>
> Jason
>
> --
> Jason Wittlin-Cohen
> Yale Law School, Class of 2010
> jason.wittlin-co...@yale.edu
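The rad_verify line discussed in this thread, and Jason's explanation of the shared secret, can be reproduced offline. The following is an added example, not code from the list or from FreeRADIUS: it builds the radtest Access-Request, applies the RFC 2865 User-Password hiding and Response Authenticator, and shows that a client using "mysecret" cannot verify a reply from a server whose clients.conf says "secret". Packet contents are constructed for the example.

```python
"""Added example: RADIUS shared-secret checks behind "invalid signature (err=2)".
The Response Authenticator is MD5(code + id + length + RequestAuthenticator +
reply attributes + secret), so a secret mismatch fails verification on the
client; User-Password is hidden with an MD5 key stream from the same secret,
which is why the server rejected in the first place. Constructed packets only.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
HEADER_LEN = 20          # code(1) + identifier(1) + length(2) + authenticator(16)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length octet counts the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list after the header; a bad length raises instead of overreading."""
    attrs, pos = {}, HEADER_LEN
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 3 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR block i with MD5(secret + c[i-1]),
    where c[-1] is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side; a different secret gives a different key stream, hence garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """What radtest sends; the Request Authenticator is random unless fixed for tests."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attribute(ATTR_USER_NAME, username.encode())
    attrs += encode_attribute(ATTR_USER_PASSWORD,
                              encode_user_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) \
        + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Reply signed with the *server's* secret; with no attributes it is the
    length=20 Access-Reject seen in the thread."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side equivalent of rad_verify: False for a truncated, mismatched,
    tampered, or differently-keyed reply."""
    if len(response) < HEADER_LEN:
        return False
    _code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def simulate_radtest(client_secret: bytes, server_secret: bytes):
    """radtest fred wilma <server> 1812 <client_secret> against a server whose
    clients.conf holds server_secret. Returns (server saw the right password,
    client could verify the reply)."""
    request = build_access_request(60, "fred", "wilma", client_secret)
    seen = decode_user_password(parse_attributes(request)[ATTR_USER_PASSWORD],
                                server_secret, request[4:20])
    reply = build_response(ACCESS_REJECT, request, server_secret)
    return seen == b"wilma", verify_response(reply, request, client_secret)


if __name__ == "__main__":
    print(simulate_radtest(b"mysecret", b"mysecret"))  # (True, True)
    print(simulate_radtest(b"mysecret", b"secret"))    # (False, False): the err=2 case
```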
RE: Unresponsive Child in component authorize
> FreeRadius version is?

Version of Freeradius is 2.0.5

> That may be a side-effect of something else taking long amounts of time. Usually, this is SQL.

I believe this may have been a side effect of perhaps all my ldap threads being utilized. I have increased the number of ldap threads and have adjusted the timeout values somewhat. I'll keep an eye on it.

Thanks!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marinko Tarlac
Sent: Wednesday, October 08, 2008 3:36 AM
To: FreeRadius users mailing list
Subject: Re: Unresponsive Child in component authorize

> @kesm0724
> FreeRadius version is?
>
> On Wed, Oct 8, 2008 at 4:22 AM, Alan DeKok [EMAIL PROTECTED] wrote:
>> kesm0724 wrote:
>>> Does the Unresponsive Child in module files component authorize allude to something I have misconfigured in the virtual server or a process that is hung?
>>
>> The server is blocked somewhere.
>>
>>> Tue Oct 7 12:14:43 2008 : Error: WARNING: Unresponsive child (id 3054615440) for request 8, in module files component authorize
>>
>> Hm... that's a little surprising. The files module doesn't take much CPU time. It doesn't use locks. So there's no reason for it to block for long periods of time.
>>
>> That may be a side-effect of something else taking long amounts of time. Usually, this is SQL.
>>
>> Or, if you're putting hostnames in the users file, instead of numerical IP addresses... and your DNS server is down. The server won't be able to create the reply because it needs the IP address. It won't be able to create the IP address because DNS is down.
>>
>> Don't use hostnames. Or, fix DNS so that it works.
>>
>> Alan DeKok.
RE: autentication against active directory does not work
Have you verified that Samba was joined to your domain successfully using wbinfo -t? You should see:

    checking the trust secret via RPC calls succeeded

If that is successful try:

    [EMAIL PROTECTED] ~]# ntlm_auth --username your_user --password users_password --domain your_ad_domain --request-nt-key

Should see:

    NT_STATUS_OK: Success (0x0)

If the two steps above aren't successful you will need to correct those issues first before proceeding. In the mschap module my ntlm_auth configuration is as follows:

    ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

Good luck.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 19, 2008 3:40 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: autentication against active directory does not work

>> i have read allready the documentation at http://deployingradius.com/documents/configuration/active_directory.html
>
> Read it again.
>
>> my freeradius debug is pasted at http://pastebin.ca/1206001
>
> 1. You are using an outdated version of the server which has a default entry in the users file setting Auth-Type System if all else fails. Upgrade or at least comment that out since you have removed unix from the configuration.
> 2. Read the obvious WARNING in the debug and fix that.
> 3. You have configured AD integration (ntlm_auth) in the mschap module. And then sent a pap request. No wonder it's not working. Send mschap requests.
>
> Ivan Kalik
> Kalik Informatika ISP
performance report?
Does anybody know the performance on Sun T-1000? Just noticed that radius cannot reach more than 20% CPU time when we ran heavy traffic with NAS simulations. We have tested some other programs and could reach even more than 90%, so just curious whether anybody experienced a similar result.
Re: performance report?
Well, the RADIUS protocol is not just a machine-to-machine issue. I think you don't understand how the request protocol can be simulated by hammering with our tool. We have tested various protocols with this tool. Per our test results, radius can reach the limit of requests by hammering easily, but CPU was still low. We have various statistics on all these. My point is that radius was not able to use the full CPU resource until reaching the max number of handful requests. Your point with more clients does not make sense because we already reached max requests hammering by our tool, and that was the same regardless of adding more clients under a multi-threaded environment.

----- Original Message -----
From: Anders Holm [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, August 20, 2008 12:52:20 PM
Subject: Re: performance report?

> I still do ... I’ve had 10 multi-core boxes hammering one server, still not enough .. You need more clients .. ;)
>
> RADIUS as such requires very little from the server side in terms of CPU. All it really does is compare x with y and then respond yes or no, once you strip down all the various variants of auth protocols. That’s not a high requirement. I’m confident if you use an SSL enabled protocol, your CPU on the server is spending more time per request doing the necessary SSL stuff than RADIUS related work .. A pint of unspecified beverage says you’ll need more client CPU .. I’ll agree with the pint ..
>
> //anders
>
> On 20/08/2008 20:45, Kevin J [EMAIL PROTECTED] wrote:
>> Well, that's why I am saying we used the NAS simulation tool. We can hammer a lot of traffic with this multi-threaded tool and also we tried at least three client boxes, so don't assume our traffic was not enough.
>>
>> ----- Original Message -----
>> From: Anders Holm [EMAIL PROTECTED]
>> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
>> Sent: Wednesday, August 20, 2008 12:25:19 PM
>> Subject: Re: performance report?
>>
>>> It is not likely you're actually putting too much strain on the server side. You’ll need quite a lot of machines hammering the RADIUS server before it’ll break into a sweat. The client side would have higher CPU utilization than the server side, per request.
>>>
>>> Comparing one program to another is not exactly comparing apples with apples. It’s more like comparing a duck with a fork lift. One flies, the other just doesn’t (or rather, when it does, you don’t want to be there to see it) ...
>>>
>>> //anders
>>>
>>> On 20/08/2008 20:18, Kevin J [EMAIL PROTECTED] wrote:
>>>> Does anybody know the performance on Sun T-1000? Just noticed that radius cannot reach more than 20% CPU time when we ran heavy traffic with NAS simulations. We have tested some other programs and could reach even more than 90%, so just curious whether anybody experienced a similar result.
Re: Goodbye SNMP, hello statistics.
On Friday 20 June 2008 09:48:53 Alan DeKok wrote:
> I've committed some code (~1K LoC) to CVS head that will go into 2.0.6. In short, there's no point in using SNMP any more. The good news is that the Status-Server packet is overloaded to get all sorts of statistics that weren't available in SNMP.
>
> For more information, see: share/dictionary.freeradius

The changes sound great! I'd cut over to this if I were still at the company that used FR and SNMP monitoring stuff...

Kevin Bonner
Two Daemons on One Box?
Folks,

I need to run two different configurations on one box. I guess the only way is to run two daemons on different ports. Any advice or concerns? I also want to hear if there are known issues, bugs, or performance matters when more than one daemon runs on the same box.

Thanks,
Kevin
regular expression
Is there a way that I can use a regular expression to validate the username attribute? Something like:

    User-Name =~ [0-9a-zA-Z.#_]

I think . or # does not work.
compile error
I tried to compile freeradius-1.1.7 and freeradius-server-2.0.3, but encountered the following error. Could someone help?

Kevin SZ

    [EMAIL PROTECTED] ~]$ more /etc/redhat-release
    Red Hat Enterprise Linux ES release 4 (Nahant Update 4)
    [EMAIL PROTECTED] ~]$
    ient.lo libeap/libeap.la -lnsl -lresolv -lpthread -lcrypto -lssl -lcrypto
    gcc -o .libs/radeapclient .libs/radeapclient.o libeap/.libs/libeap.so /home/szhang/freeradius-1.1.7/src/lib/.libs/libradius.so -lcrypt -lnsl -lresolv -lpthread -lssl -lcrypto
    libeap/.libs/libeap.so: undefined reference to `EVP_MD_size'
    collect2: ld returned 1 exit status
    gmake[6]: *** [radeapclient] Error 1
    gmake[6]: Leaving directory `/home/szhang/freeradius-1.1.7/src/modules/rlm_eap'
    gmake[5]: *** [common] Error 2
    gmake[5]: Leaving directory `/home/szhang/freeradius-1.1.7/src/modules'
    gmake[4]: *** [all] Error 2
    gmake[4]: Leaving directory `/home/szhang/freeradius-1.1.7/src/modules'
    gmake[3]: *** [common] Error 2
    gmake[3]: Leaving directory `/home/szhang/freeradius-1.1.7/src'
    gmake[2]: *** [all] Error 2
    gmake[2]: Leaving directory `/home/szhang/freeradius-1.1.7/src'
    gmake[1]: *** [common] Error 2
    gmake[1]: Leaving directory `/home/szhang/freeradius-1.1.7'
    make: *** [all] Error 2
dhcp+radius
Hi,

How do I configure the RADIUS server to work with the DHCP server, so the client will authenticate with RADIUS first before DHCP assigns it an IP?

Kevin SZ
RE: dhcp+radius
Hi Ivan,

Thanks for your reply. But how does DHCP know NOT to give the IP to the client when the authentication fails on RADIUS?

Kevin SZ

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ivan Kalik
Sent: Tuesday, March 25, 2008 4:51 PM
To: FreeRadius users mailing list
Subject: Re: dhcp+radius

> There is nothing to configure. It works that way.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 25/3/2008, Kevin Zhang [EMAIL PROTECTED] writes:
>> Hi,
>>
>> How do I configure the RADIUS server to work with the DHCP server, so the client will authenticate with RADIUS first before DHCP assigns it an IP?
>>
>> Kevin SZ
RE: dhcp+radius
Hi Ivan,

Thanks again for the reply. Actually my scenario is like this: I have a box that needs to be installed via PXE. The box will send out its MAC address to get the IP of the TFTP server and the location of pxelinux.0. Without RADIUS, the box will talk to the DHCP server directly for all the information it needs. If I want to implement the authentication using RADIUS so the net boot will continue only after the authentication succeeds, I just want to know where RADIUS fits into this model, step by step.

Kevin SZ

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ivan Kalik
Sent: Tuesday, March 25, 2008 5:03 PM
To: FreeRadius users mailing list
Subject: RE: dhcp+radius

> Because it will never be asked for one. PPP negotiation will not reach that stage.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 25/3/2008, Kevin Zhang [EMAIL PROTECTED] writes:
>> Hi Ivan,
>>
>> Thanks for your reply. But how does DHCP know NOT to give the IP to the client when the authentication fails on RADIUS?
>>
>> Kevin SZ
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ivan Kalik
>> Sent: Tuesday, March 25, 2008 4:51 PM
>> To: FreeRadius users mailing list
>> Subject: Re: dhcp+radius
>>
>>> There is nothing to configure. It works that way.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> On 25/3/2008, Kevin Zhang [EMAIL PROTECTED] writes:
>>>> Hi,
>>>>
>>>> How do I configure the RADIUS server to work with the DHCP server, so the client will authenticate with RADIUS first before DHCP assigns it an IP?
>>>>
>>>> Kevin SZ
Re: Could not link driver rlm_sql_mysql.so
On Friday 15 February 2008 05:20:21 [EMAIL PROTECTED] wrote:
> if you run the configure stage through some sanity checking, you get to see all the good stuff, eg
>
>     ./configure --with-blah-blah | grep WARN
>
> alan

I prefer the following so you can go over all the output, not just the WARN lines:

    script ~/fr2-output
    ./configure --blah
    exit
    grep whatever ~/fr2-output

-Kevin
rlm_ldap.c
In ldap.c:2660, there is a condition check to see if vals_idx is zero:

    2660    if (!vals_idx){
    2661        pairdelete(pairs, newpair->attribute);
    2662    }
    2663    pairadd(pairlist, newpair);

This code makes RADIUS not append any reply attribute if the number of attributes is greater than 1. Any thought on why we need this here?
Re: pap Cleartext-Password, sql etc...
On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
> If I change the attribute to `Cleartext-Password', authentication fails and I see:
>
>     rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
>     ++[pap] returns noop
>     rad_check_password: Found Auth-Type CHAP
>     auth: type CHAP
>     +- entering group CHAP
>     rlm_chap: login attempt by elmaroma_cn3000 with CHAP password
>     rlm_chap: Cleartext-Password is required for authentication
>     ++[chap] returns invalid
>     auth: Failed to validate the user.
>     Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/CHAP-Password] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)
>
> Thanks muchly,
> Andrew Long
> EWS

Can you run the radcheck query manually and post the output? Is the operator correct? Does it do the same thing when you move the SQL entry to the users file and make the same attribute name changes?

Kevin Bonner
iCHAP?
Does anybody know about iCHAP?

Kevin
Re: IP Pool defined, but radius does not hand out an IP address.
On Thursday 24 January 2008 13:10:09 Alan DeKok wrote:
> And with all of the information you posted, you didn't include the most important, which is requested in the FAQ, README, INSTALL, man page, and daily on this list: radiusd -X.
>
> Is there some other place in the documentation where this should be suggested?
>
> Alan DeKok.

Big red letters on the front page of the website. Or below the subscribe/unsubscribe line in the footer of every message. =)

-Kevin
Re: FreeRadius V2.0.0 Simultaneous-Use Problems
On Monday 21 January 2008 14:19:06 Dryw Paulic wrote:
> mysql> select * from radgroupcheck;
> +----+-----------+-----------+----+-------+
> | id | GroupName | Attribute | op | Value |
> +----+-----------+-----------+----+-------+
> |  1 | dynamic   | Auth-Type | == | Local |
> |  2 | static    | Auth-Type | == | Local |

Don't do this. The operator is incorrect, as is nearly every use of Auth-Type.

> mysql> SELECT COUNT(*) FROM radacct WHERE username = 'Kat' AND acctstoptime = 0;
> ...
> mysql> select * from radacct where username = 'Kat' \G;

What is shown when you use the full where clause from the previous command? What version of MySQL are you using? I just tried this with 5.0.48 and 'datefield = 0' does not match on datetime fields. If you're using the V2.0.0 schema, that SQL query should be changed to 'acctstoptime IS NULL'. Try this from your SQL command line and see if it gives the desired results for both connected and disconnected users.

Kevin Bonner
how to use both 1645 and 1812?
Is there a way to open two ports (1645 and 1812) for auth at the same time? We want to find a way to open 1645, 1812, 1646, and 1813 for auth and acct in parallel.

Thanks,
Kevin
Re: SNMP error
On Thursday 10 January 2008 08:41:30 Amr el-Saeed wrote:
> but every time i wanted to snmpwalk from the radius i got that error
>
> RADIUS-AUTH-SERVER-MIB::radiusMIB = No Such Object available on this agent at this OID
>
> the command i execute is
>
> snmpwalk -v2c -c testsnmp -m /etc/raddb/RADIUS-AUTH-SERVER-MIB.txt localhost radius
>
> same command is working fine on the old machine. i searched for that on google but found nothing. any one can help ??

What does debug mode (-X) show? Are there any errors in your snmpd log file?

Kevin Bonner
Re: Restricting user by realm
On Thursday 08 November 2007 11:19:48 Lisa Casey wrote:
> The way things are setup now, any user can log in with any of the realms I have defined. For example, I (username lisa) could login as [EMAIL PROTECTED] and then turn around and login as [EMAIL PROTECTED]. My boss would like me to restrict this so that (for example) lisa could log in as [EMAIL PROTECTED] but not [EMAIL PROTECTED]

Just add a check item to the user entry and it will only allow them from that realm. Since you are using 1.1.6, don't use Auth-Type and start using Cleartext-Password with the := operator.

lisa    Cleartext-Password := xxx, Realm == jellico.com
        ...

Or if you want to reject from a specific realm, just use this before your real user entry:

lisa    Realm == realmY, Auth-Type := Reject

Kevin Bonner
Re: Cisco NAS Password problem
On Thursday 25 October 2007 17:26:10 John Morris wrote:
> I then added a second switch to the freeradius client configuration (nas table), and encountered a problem. The password was being rejected. So I ran Freeradius -X so I could see what was going on. On the failed password attempt (second and now third switch in the list) I see something like this:
>
> rad_recv: Access-Request packet from host 192.168.x.z:1645, id=1, length=80
>         NAS-IP-Address = 192.168.x.z
>         NAS-Port = 1
>         NAS-Port-Type = Virtual
>         User-Name = username
>         Calling-Station-Id = 192.168.x.y
>         User-Password = r\306\324\333M\014\247\022\363\216K\257`\315#]

Debug output like this usually points to non-matching RADIUS secrets. Check the radius secret in your switch config as well as the secret configured in your nas SQL table. Freeradius only reads the nas table on startup, so if you make changes to that table, you must restart the daemon for those changes to take effect.

Kevin Bonner
Re: aaa accounting command
On Tuesday 23 October 2007 11:58:22 Dominique Demore wrote:
> Hi folks,
>
> Is there any method of keeping track of the commands issued by a user with Radius. Under the aaa option, there is "aaa accounting command blah" but for some reason, I'm not seeing the accounting information stored in the radacct information. I know a few years ago, this was an issue, but I'm not sure if it has been resolved.
>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg39493.html
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg34103.html
>
> Does anyone have an alternative to accomplish this if it's not possible with Radius.

TACACS+

Kevin Bonner
Re: Sending Cisco AV Pairs per realm
On Friday 14 September 2007 11:28:51 Dan Goscomb wrote:
> Hi
>
> I have a number of realms on my radius server (FreeRADIUS Version 1.1.6). All users are valid in both realms (one is for dialup, one for broadband). e.g.
>
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> All realm's are stripped so that the user (dang in the examples above) is authenticated. However, on dial.realm I need to return a couple of Cisco-Avpair attributes; how can this be done?

You may be able to use the Realm attribute in the users file to add your specific attributes, depending on how the realms are stripped from the username. You can also use the hints file, which you already tried.

> I have tried a hints file, however although I get the message on debug:
>
> hints: Matched DEFAULT at 17
>
> The data specifies is not sent back in the RADIUS reply.

That's because you cannot list reply attributes in the hints file, but you can add a Hint that can be checked in the users file. Here is a short example that should work for you using the hints file:

#hints
DEFAULT User-Name =~ @dsl.realm
        Hint = DSL
#/hints

#users
DEFAULT Hint == DSL
        Cisco-AVPair += ...
#/users

Kevin Bonner
healthcheck?
We want to reject slb health checks immediately. What is the best way to do that? I tried to add

healthcheck Auth := Reject

but it still goes through all authorization/authentication modules. Is there any way that we can immediately reject it so we can make it lighter?

Thanks in advance.
Kevin
Re: error on start freeradius + jradius
On Thursday 09 August 2007 15:05:55 George Beitis wrote:
> I read this post and for more than 8 hours i have been trying to install freeradius 1.1.5, .6 and .7 unsuccessfully. With versions 5 and 6 i get errors saying the glibc error. With 7 i get something different: with 1.1.7 + jradius patch i get the "rlm_acct_unique is not a valid libtool archive" error. For each installation i made sure i deleted the raddb folder before installing again. Should i give up and go back to 1.1.1? I am using ubuntu by the way
>
> regards
> George

Can you post the actual 1.1.7 build output with errors? I have no idea what the jradius patch is, but does the build work without that patch?

Kevin Bonner
Re: authentication problem with mysql integration
On Tuesday 07 August 2007 12:08:07 ram wrote:
> rad_verify: Received Access-Reject packet from client x.x.x.x port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)
> ...
> WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
> ...
> any suggestions.
>
> ram

Those messages seem pretty clear to me. Have you verified the secret is the same?

-Kevin
NAS's and client's? what's the difference and where are they and where defined?
Hi,

I have Debian Etch installed with Freeradius and dialupadmin packages. Versions are

ii  freeradius             1.1.3-3    a high-performance and highly configurable RADIUS server
ii  freeradius-dialupadmin 1.1.3-3    set of PHP scripts for administering a FreeRADIUS server
ii  freeradius-mysql       1.1.3-3    MySQL module for FreeRADIUS server

Now two months ago I set the system up and it authenticates an Epygi VOIP box and keeps accounts records for the calls made. Now I need to carry out further work - I had got things working but never fully cleared it in my head.

My questions are fundamental.

What are the differences between clients and NAS's? - Where should they be defined?

I seem to have been able to connect the client box by adding an entry into client.com

# 03/05/2007 - kbailey
# Test connection to AF-IT Epygi box.
client quadro.af-it.com {
        secret    = password
        shortname = afit_test
        nastype   = epygi
}

But this is not showing up under the NAS list in the dialupadmin interface - under Radius clients, NAS administration.

Also, I see that the /etc/freeradius/naslist file is deprecated in favour of clients.conf - but there is also a /etc/freeradius-dialupadmin/naslist.conf file. This has some default servers in it.

I'm almost tempted to think that the /etc/freeradius/clients.conf file is the only file which should be used - but I've heard that there are two things which are separate - clients and NAS's.

Also, why are there the two references in the dialupadmin app - on web page and in naslist.conf?

Thanks,

Kevin

--
Kevin Bailey
IT Consultant
Email: [EMAIL PROTECTED]
Tel: 01752 268923
W: www.freewayprojects.com
Re: NAS's and client's? what's the difference and where are they and where defined?
Alan DeKok wrote:
> Kevin Bailey wrote:
>> What are the differences between clients and NAS's? - Where should they be defined?
>
> A Network Access Server (NAS) is a RADIUS client. It should be defined in "clients.conf"
>
>> I seem to have been able to connect the client box by adding an entry into client.com
>
> *Please* be careful about terminology. If you keep getting it wrong, you won't be able to remember what thing means what, and any answers here won't help you.

Sorry - this should have been clients.conf

>> # 03/05/2007 - kbailey
>> # Test connection to AF-IT Epygi box.
>> client quadro.af-it.com {
>>         secret    = password
>>         shortname = afit_test
>>         nastype   = epygi
>> }
>>
>> But this is not showing up under the NAS list in the dialupadmin interface - under Radius clients, NAS administration.
>
> Because dialupadmin looks in an SQL database for the clients. It doesn't read the "clients.conf" file.

So can clients be stored in various places? - or should I only use /etc/freeradius/clients.conf for the freeradius server. This was the place which seemed to work.

Have spent several days reading as much online as possible and now have the system authenticating calls from a VOIP box - but it's a big subject to get on board!

Thanks,

Kevin

> Alan DeKok.

--
Kevin Bailey
IT Consultant
Email: [EMAIL PROTECTED]
Tel: 01752 268923
W: www.freewayprojects.com
Re: Configuration doubt
On Monday 16 July 2007 08:05:15 Alan DeKok wrote:
> Osvaldohp wrote:
>> This is my users file:
>>
>> mike    Auth-Type = System, User-Password == mike
>>         Session-Timeout := 3600,
>>
>> What i am doing wrong?
>
> You're telling the server to look in /etc/passwd for the users password, and then also telling it what the users password is.
>
> Don't set Auth-Type. Use 1.1.6. Use Cleartext-Password, not User-Password, as suggested in the FAQ.
>
> Alan DeKok.

Don't forget to use the ':=' operator for the Cleartext-Password attribute, in addition to all of the above.

-Kevin
Re: figuration doubt
On Monday 16 July 2007 09:40:48 Osvaldohp wrote:
> I found a nice paper about freeradius+mysql, so far everything is installed and working fine. My question is which field of my radius database (db_mysql.sql) i have to put Session-Timeout attribute to limit the use of the Internet from my HotSpot users?

Session-Timeout is a reply item, so it can go into the user or group reply item tables.

Kevin Bonner
Re: NAS restart without proper client logout on radius (mysql)
On Monday 16 July 2007 12:37:08 Nataniel Klug wrote:
> Hello all,
>
> I have a question: when a nas restart without sending client logout to the freeradius server the clients stay connected in radacct table (AcctStopTime=0). What can I do to solve this kind of problem? What could happen is that when a nas reboot my clients keep logged and when the nas start again they will get "You are already logged in" (simultaneous-use).

Your NAS should send an Accounting-On packet which you can use to flag the existing connections as offline/disconnected. You can also use checkrad to confirm the session is active.

Kevin Bonner
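The two accounting questions on this page (the Simultaneous-Use count in the V2.0.0 thread that used "acctstoptime = 0", and the sessions left open after a NAS reboot here) both come down to how an open session is represented in radacct. The following added example, not code from the posts or from FreeRADIUS, builds a tiny radacct in SQLite (standing in for MySQL) from constructed rows and shows (a) that "= 0" never matches a NULL stop time while "IS NULL" does, and (b) the update that an Accounting-On/Off from a NAS should trigger to close every session that NAS still had open. In FreeRADIUS that second query is what the SQL module's accounting_onoff_query does; the column subset and sample values here are assumptions for the demo.

```python
import sqlite3

# Constructed sample accounting rows, not taken from the posts:
# (username, nasipaddress, acctstarttime, acctstoptime, acctterminatecause)
SAMPLE_ROWS = [
    ("Kat", "10.0.0.1", "2008-01-21 10:00:00", None, None),                        # still online
    ("Kat", "10.0.0.1", "2008-01-20 09:00:00", "2008-01-20 10:00:00", "User-Request"),
    ("bob", "10.0.0.2", "2008-01-21 11:00:00", None, None),                        # online, other NAS
]


def open_db() -> sqlite3.Connection:
    """In-memory radacct with the v2.0.0 convention: acctstoptime is NULL until
    the Accounting-Stop arrives (older schemas stored a zero datetime instead)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (
                    radacctid INTEGER PRIMARY KEY,
                    username TEXT NOT NULL,
                    nasipaddress TEXT NOT NULL,
                    acctstarttime TEXT,
                    acctstoptime TEXT,
                    acctterminatecause TEXT)""")
    db.executemany(
        "INSERT INTO radacct (username, nasipaddress, acctstarttime, "
        "acctstoptime, acctterminatecause) VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ROWS)
    db.commit()
    return db


def count_open_sessions_zero(db: sqlite3.Connection, username: str) -> int:
    """The query from the post. NULL never compares equal to 0, so an open
    session is not counted and Simultaneous-Use silently stops working."""
    row = db.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime = 0",
        (username,)).fetchone()
    return row[0]


def count_open_sessions(db: sqlite3.Connection, username: str) -> int:
    """The corrected query for the v2.0.0 schema."""
    row = db.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        (username,)).fetchone()
    return row[0]


def close_sessions_for_nas(db: sqlite3.Connection, nas_ip: str, stop_time: str) -> int:
    """What to run when a NAS sends Accounting-On/Off: it has just rebooted,
    so every session it still had open is dead. Returns the number closed."""
    cur = db.execute(
        "UPDATE radacct SET acctstoptime = ?, acctterminatecause = 'NAS-Reboot' "
        "WHERE nasipaddress = ? AND acctstoptime IS NULL",
        (stop_time, nas_ip))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    print("Kat open sessions with '= 0':   ", count_open_sessions_zero(db, "Kat"))
    print("Kat open sessions with IS NULL: ", count_open_sessions(db, "Kat"))
    print("closed after Accounting-On:     ",
          close_sessions_for_nas(db, "10.0.0.1", "2008-01-21 12:00:00"))
    print("Kat open sessions now:          ", count_open_sessions(db, "Kat"))
```

The Accounting-On update is keyed on the NAS address only, so sessions on other NASes (bob on 10.0.0.2 in the sample) are untouched; if you also want to bound the damage from a NAS that replays an old Accounting-On, add "AND acctstarttime <= ?" with the packet's timestamp, which is what the stock FreeRADIUS query does.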
Re: error on start freeradius + jradius
* moved to -users list...

On Friday 13 July 2007 10:25:15 Renan Tateoka wrote:
> 2007/7/13, Alan DeKok [EMAIL PROTECTED]:
>> Renan Tateoka wrote:
>>> hi everybody,
>>> I have installed freeradius 1.1.5
>>
>> Why? Install 1.1.6.
>>
>> Alan DeKok.
>
> hi,
>
> i`m sorry, I think that the message went wrong...
>
> I have installed freeradius 1.1.5 and jradius patch 1.1.5...
> ...
> Module: Library search path is /usr/local/lib
> *** glibc detected *** /usr/local/sbin/radiusd: double free or corruption (fasttop): 0x800fae98 ***

What part of Alan's message was unclear? 1.1.5 has a bug that has been beaten to death on the users list. 1.1.6 doesn't. Use 1.1.6 or later, then try your tests again.

Kevin Bonner
Re: Simultaneous-Use problem.
On Monday 25 June 2007 11:42:08 Josh Howlett wrote:
> I have a feeling that the answer is blindingly obvious, but I can't figure it out...
>
> The 'users' file consists of:
>
> DEFAULT Auth-Type = Accept
>         Simultaneous-Use := 1

Simultaneous-Use is a check item, not a reply item.

> In radiusd.conf I also have:
>
> session {
>         sql
> }
>
> authorize {
>         radius-user-auth
> }
>
> 'radius-user-auth' is an rlm_exec instance that invokes a script used to authenticate users. It works fine, but the 'session' section never gets processed. Why?
>
> josh.

Because Simultaneous-Use is in the wrong place. Make it a check item and the session section should be processed.

Kevin Bonner
Re: Clear text password not available
On Monday 25 June 2007 10:14:07 Flavio Silvestrone wrote:
> If i enable the same pppoe profile (user: flavio, password: flavio) on the Access Point all work fine; When i disable the profile on the Access Point and i configure the radius client on the Access Point i have the problem
>
> This is the configuration on the file /etc/raddb/users for the user flavio
>
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 10.1.1.8,
>         Framed-IP-Netmask = 255.255.255.0,
>         Framed-Routing = Broadcast-Listen,
> #       Framed-Filter-Id = std.ppp,
>         Framed-MTU = 1500,
> #       Framed-Compression = Van-Jacobsen-TCP-IP
>
> Any idea to find out the prob ?
>
> Thanks a lot
> Flavio

Can you post the FULL entry that you have in the users file? What you posted lists only reply items, which give us no information related to the problem you are having. What check items do you have? If you are using a recent version of freeradius, you should have the Cleartext-Password as a check item.

Have you run the server in debug mode? If so, there are probably error messages in the output which may assist you in resolving your problem.

Kevin Bonner
Re: Clear text password not available
On Monday 25 June 2007 12:45:15 Flavio Silvestrone wrote:
>> If you are using a recent version of freeradius, you should have the ...
>
> The version of radius is freeradius-1.0.1-3.

1.0.1 is not recent. Use 1.1.6.

> flavio  Cleartext-Password := flavio
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 10.1.1.8,
>         Framed-IP-Netmask = 255.255.255.0,
>         Framed-Routing = Broadcast-Listen,
> #       Framed-Filter-Id = std.ppp,
>         Framed-MTU = 1500,
> #       Framed-Compression = Van-Jacobsen-TCP-IP

Since you're using such an old version of freeradius, you cannot use Cleartext-Password here as it was available in 1.1.5 (I think) and later versions. You can use User-Password, but you should upgrade to a newer version.

Kevin Bonner
Re: Attribute User-Password is required for authentication
On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
> I found a few topics on this issue but nothing quite informative enough. I'm trying to get freeradius auth working with pam and peap. When I test my config with radtest, I get Access-accept. When I use a windows XP supplicant with a 3com access point, I get:
>
> rlm_pam: Attribute User-Password is required for authentication.
>   modcall[authenticate]: module pam returns invalid for request 4
> modcall: leaving group authenticate (returns invalid) for request 4
> auth: Failed to validate the user.
>
> Is the 3com not sending User-Password attributes in the packets, or is something else wrong?

Run FreeRADIUS in debug mode (radiusd -X) to verify. We cannot guess what your NAS/client is sending.

-Kevin
Re: Statistics tool?
If you meant that I have to restart radius whenever I need the statistics, I will not do that. Is there a way that we can rotate radius.log then?

Dennis Skinner [EMAIL PROTECTED] wrote:
> Kevin J wrote:
>> I am wondering if there is a tool or way to check the statistics in real time. I need something that can tell me how many users got accepted and rejected so far since Radius started.
>
> Rotate the log whenever you restart radius then:
>
> grep -c OK radius.log
> grep -c Failed radius.log
>
> --
> Dennis Skinner
> Systems Administrator
> BlueFrog Internet
> http://www.bluefrog.com
Statistics tool?
I am wondering if there is a tool or way to check the statistics in real time. I need something that can tell me how many users got accepted and rejected so far since Radius started.
Re: sql question
On Friday 08 June 2007 13:24:20 [EMAIL PROTECTED] wrote:
> radgroupreply:
> | 27 | dialup | Framed-IP-Address  | 255.255.255.254     | == |
> | 28 | dialup | Framed-Compression | Van-Jacobson-TCP-IP | == |
> | 29 | dialup | Framed-IP-Netmask  | 255.255.255.255     | == |
> | 30 | dialup | Framed-MTU         | 576                 | == |
> | 31 | dialup | Idle-Timeout       | 900                 | := |
>
> - change all ops to =

Change all '==' to just '=' or ':=', depending on your needs. The operator for Idle-Timeout is correct.

> - is this (255.255.255.254) really the IP address you want to give your user; client is unlikely to accept IP address above 224 subnet

The RFCs say that this IP tells the NAS to assign an IP from the dynamic pool.

-Kevin
Re: Wiki
On Friday 25 May 2007 04:11:24 Arran Cudbard-Bell wrote:
> Now which bloody wiki are you using, so I can look up the formatting rules :)

http://wiki.freeradius.org/Special:Version says MediaWiki: 1.8.2.

-Kevin
Re: Server IP changed and FreeRADIUS+MySQL does not work
On Tuesday 15 May 2007 09:39:55 yao guoxian wrote:
> I have installed FreeRADIUS and MySQL on the same machine. FreeRADIUS + MySQL had worked well before Server IP changed. For some reason the server had to be carried to a new place and its IP must be changed. After the server IP changed, FreeRADIUS + MySQL does not work. I have edited sql.conf and changed IP to the new correct IP. I also edited the table user in the database mysql and altered the Host field from the old IP to the new correct IP. However these mendings do not work.

As Alan stated, try connecting to MySQL from the command line to confirm that it works. You updated the IPs in mysql.user, but that doesn't affect the MySQL permissions. To apply any changes to the mysql privilege tables, you must either restart the MySQL service or run FLUSH PRIVILEGES.

Kevin Bonner
MAC Authentication
Does anybody know if FreeRadius supports MAC Authentication? If so, how?

Thanks in advance,
Kevin
Sig HUP?
I saw some email threads about HUP. Can we use kill -HUP pid in the latest version or is it still not stable?

Thanks,
Kevin
Re: Proxying by Nas-Ip-Address (was Proxy.conf regex )
On Monday 07 May 2007 07:45:36 Andrea Cerrito wrote:
> Hi to list,
>
> I've read the thread for Proxy.conf regex. I'd like to setup a proxy based on Nas-Ip-Address. I've tried two solutions:
>
> 1) add to users file (please note that 255.255.255.255 is done by radtest, and realm test.com is configured in proxy.conf)
>
> DEFAULT NAS-IP-Address == 255.255.255.255
>         Proxy-To-Realm = test.com
>
> 2) add to users file
>
> DEFAULT Huntgroup-Name == test
>         Proxy-To-Realm = test.com
>
> And to huntgroups file
>
> test    NAS-IP-Address == 255.255.255.255
>
> Without success. All logins are tested locally. Any clue?
>
> Thank you

Read what several others have posted to this thread. Proxy-To-Realm is a _check_ item. Make Proxy-To-Realm a check item and both of your solutions should work as expected.

Kevin Bonner
Re: Crypt passwords doesn't work
On Thursday 19 April 2007 10:42:30 Jacob Jarick wrote:
> On the topic of password encryption. Kevin would you know how to encode a password for windows 2003 active directory server. I need a user with permission to do active directory searches, it tries atm but fails because the password is not encrypted. Even if you know what the encryption they use is it would be a big help thanks.

Win2k3? Never used it before. Active Directory? Ditto. =-)

Maybe [1] or [2] will help push you in the right direction.

Kevin Bonner

[1] http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
[2] http://lists.cistron.nl/pipermail/freeradius-devel/2006-January/009250.html
Re: Crypt passwords doesn't work
On Wednesday 18 April 2007 16:39:27 Sebastian Firpo wrote:
> Hi, I migrated a freeradius server from version 0.6 to 1.5. I'm using a users file for authorize.

Wow, that's quite a leap. I assume from 0.6 to 1.1.5?

> The server don't authorize and when a do a debug (radiusd -X) I saw the User-password in clear text. If I modify the User-password in the users file by the clear text one it works. Here are the debug and an entry of the users file:
>
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.12.4.2:1645, id=91, length=75
>         NAS-IP-Address = 10.12.4.2
>         NAS-Port = 1
>         NAS-Port-Type = Virtual
>         User-Name = sebas
>         Calling-Station-Id = 10.11.1.25
>         User-Password = hello
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module preprocess returns ok for request 0
>     users: Matched entry sebas at line 50
>   modcall[authorize]: module files returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
>   rad_check_password: Found Auth-Type Local
> auth: type Local
> auth: user supplied User-Password does NOT match local User-Password
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
>
> users file
>
> sebas   Auth-Type := Local, Crypt-Password == (!lGOOlHaBWoQ
>         Service-Type = Administrative-User,
>         Cisco-AVPair = shell:priv-lvl=15
>
> Thanks very much!!

Don't set Auth-Type, the server will figure it out. The operator for Crypt-Password should be changed to := as well.

Kevin Bonner
Re: Crypt passwords doesn't work
<html>

I almost ignored your message, as I don't parse HTML well. =)

On Wednesday 18 April 2007 18:06:28 Sebastian Firpo wrote:
> Thank you Kevin, but it didn't work
>
> now my entire users file is:
>
> sebas   Crypt-Password := (!lGOOlHaBWoQ
>         Service-Type = Administrative-User,
>         Cisco-AVPair = shell:priv-lvl=15
>
> and then the debug was:
>
> rad_recv: Access-Request packet from host 10.12.4.2:1645, id=103, length=75
>         NAS-IP-Address = 10.12.4.2
>         NAS-Port = 1
>         NAS-Port-Type = Virtual
>         User-Name = sebas
>         Calling-Station-Id = 10.11.1.25
>         User-Password = hello
>
> Another idea?? Thanks a lot, any way.

$ perl -e 'print crypt("hello", "(!") . "\n";'
(!BVoPlmea8cg

Fix your Crypt-Password? How are you generating that encrypted string?

-Kevin
Re: Segmentation fault for SNMP query
On Monday 16 April 2007 07:52:43 Alan DeKok wrote:
> Kevin Bonner wrote:
>> Try http://bugs.freeradius.org/show_bug.cgi?id=150
>>
>> I doubt that patch will still apply cleanly due to the many recent changes. I'll see if I can test the CVS head later today and submit a newer patch.
>
> Please try the latest CVS. I've added a patch based on yours.
>
> Alan DeKok.

Tested with the CVS head as of this morning and everything looks good to me, even the per-client data. I'm hitting a segfault when testing the cases I listed in bug#150, but I don't think it is related to the SNMP portion of the code. Segfault info is below.

Kevin Bonner

== cut ==
(gdb) bt
#0  0x00fe97a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x002fca0d in ___newselect_nocancel () from /lib/tls/libc.so.6
#2  0x004ecbb6 in main (argc=2, argv=0xbfe06fc4) at radiusd.c:575
(gdb) up
#1  0x002fca0d in ___newselect_nocancel () from /lib/tls/libc.so.6
(gdb) up
#2  0x004ecbb6 in main (argc=2, argv=0xbfe06fc4) at radiusd.c:575
575             status = select(max_fd + 1, readfds, NULL, NULL, ptv);
(gdb) list
570     #else
571             DEBUG2("Waking up in %d seconds...",
572                    (int) tv.tv_sec);
573     #endif
574             }
575             status = select(max_fd + 1, readfds, NULL, NULL, ptv);
576             if (status == -1) {
577                     /*
578                      * On interrupts, we clean up the request
579                      * list. We then continue with the loop,
(gdb) print ptv
$1 = (struct timeval *) 0x0
(gdb) print readfds
$2 = (fd_set *) 0xbfe05ea0
(gdb) print max_fd
$3 = 10
== cut ==
Re: SNMP with 1.1.6 and Net-SNMP 5.3
On Monday 16 April 2007 03:53:52 Stefan Winter wrote:
> Thanks for the tip. Looking up the net-snmp.spec file of openSUSE 10.2, it appears that ucd-snmp compat should be there... the compile switches --enable-local-smux and --enable-ucd-snmp-compatibility are there. Any other hints? Otherwise, I guess I'll need to source-compile net-snmp :-(
>
> Stefan

Sorry, those few things were all I could think of. I don't have an openSUSE server lying around, so I can't even confirm it works at all. Hopefully the source compile of net-snmp and freeradius will uncover the actual problem.

-Kevin
Re: SNMP with 1.1.6 and Net-SNMP 5.3
On Friday 13 April 2007 08:53:26 Stefan Winter wrote:
> Hi,
>
> trying for the first time to get SNMP working, and I have come to a point where I'm really startled why stuff doesn't work.
>
> I've configured FreeRADIUS 1.1.6 with SNMP, and it's printing out that it is starting up the SMUX connection. Then the snmpd refuses the SMUX connection. This would usually mean I screwed up the shared secret, but I'm very sure I haven't. I even verified with tcpdump that FR sends the correct secret on the loopback wire. So the problem would appear to be that Net-SNMP is confused wrt the secret. But I configured it with the line
>
> smuxpeer .1.3.6.1.4.1.3317.1.3.1 verysecret
>
> (also without the leading dot, in my desperation, didn't help). The password *is* verysecret on the FR side. Debug output says:
>
> ...
> Module: Instantiated detail (nas_reply_log)
>  main: smux_password = verysecret
>  main: snmp_write_access = no
> SMUX connect try 1
> SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
> SMUX open progname: radiusd
> SMUX open password: verysecret
> SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> SMUX register message send failed: Broken pipe
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
>
> The broken pipe is because Net-SNMP closes the connection, its log says:
>
> [smux_accept] accepted fd 9 from 127.0.0.1:4580
> refused smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd
>
> and tcpdump reveals that the reason for refusing is authenticationFailure.
>
> Anyone else running a similar config? It's the version of Net-SNMP that came as RPM on SUSE 10.1. FR compiled freshly.
>
> Greetings,
>
> Stefan Winter

I receive the same broken pipe error when the smuxpeer pass and smux_password aren't the same, though there is probably a more complex cause. Are there any non-standard characters in either config file? Is Net-SNMP configured with ucd-snmp compatibility?

Kevin Bonner
Re: Segmentation fault for SNMP query
On Thursday 12 April 2007 04:40:47 Milan Holub wrote:
> - when trying to force reload using snmp:
>
>   `snmpset -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt -c verysecret localhost radiusAuthServConfigReset.0 i 2`
>
>   then the 1st reload is OK, but after that, when trying to run either the snmp-read query or the snmp-write query, radius seems to ignore it.
>
>   * there is no debug activity when running with the -X flag, the result of the snmp-read query is empty and the result of the snmp-write query is the following:
>
>   `snmpset -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt -c verysecret localhost radiusAuthServConfigReset.0 i 2`
>   Error in packet.
>   Reason: (noSuchName) There is no such variable name in this MIB.
>   Failed object: radiusMIB.radiusAuthentication.radiusAuthServMIB.radiusAuthServMIBObjects.radiusAuthServ.radiusAuthServConfigReset.0
>
> Radius itself seems to react to radius packets; only snmp is ignored after the snmp-write query. Completely the same behaviour is observed when doing a reload via the HUP signal (using my memory leakage patch for reload).
>
> Please advise.

Try http://bugs.freeradius.org/show_bug.cgi?id=150

I doubt that patch will still apply cleanly due to the many recent changes. I'll see if I can test the CVS head later today and submit a newer patch.

Kevin Bonner
Re: Segmentation fault for SNMP query
On Thursday 12 April 2007 10:32:18 Kevin Bonner wrote:
> On Thursday 12 April 2007 04:40:47 Milan Holub wrote:
> > Radius itself seems to react to radius packets; only snmp is ignored after the snmp-write query. Completely the same behaviour is observed when doing a reload via the HUP signal (using my memory leakage patch for reload).
> >
> > Please advise.
>
> Try http://bugs.freeradius.org/show_bug.cgi?id=150
>
> I doubt that patch will still apply cleanly due to the many recent changes. I'll see if I can test the CVS head later today and submit a newer patch.

It surprises me that it still applies cleanly (just offset) with the current CVS head. Feel free to test the patch and report results in the bug or on the list. It would be nice to see the bug squashed, but it's become a default patch for my local freeradius build so I haven't been bothered with the issue in a long time.

Kevin Bonner
Re: Version 2.0 is a lot closer to reality...
On Tuesday 10 April 2007 13:51:29 Arran Cudbard-Bell wrote:
> and finally, how do you define a binding for the snmp module? it's on, but I never explicitly bound it to anywhere :| unlike auth/acct that are bound with listen sections. Seems like there may be a need for a small extension to listen sections to allow type snmp.

Arran,

http://wiki.freeradius.org/SNMP_HOWTO

That page should give some base info on setting up SNMP support.

Kevin Bonner
Re: Reject user without realm
On Monday 09 April 2007 14:32:31 Marcos Roberto Greiner wrote:
> The problem I'm having is that if a user adds no realm, only the user, the server is authenticating locally. I wanted it to deny the authentication. How should I proceed?

A username with no realm will match the NULL realm. You can reject NULL realms with:

== users ==
DEFAULT Realm == NULL, Auth-Type := Reject
== users ==

> hints file. Added only the following entry:
>
> # The following entry is to be authenticated locally
> DEFAULT Suffix == @domain1.com, Strip-User-Name = Yes
>         Hint = PPP, Service-Type = Framed-User, Framed-Protocol = PPP

A realm definition for domain1.com and a small users file entry should do the same thing, as long as you don't add the nostrip option for the realm.

> rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
>         User-Name = [EMAIL PROTECTED]
>         User-Password = user
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   hints: Matched DEFAULT at 36
>   modcall[authorize]: module preprocess returns ok for request 0
>   modcall[authorize]: module chap returns noop for request 0
>   modcall[authorize]: module mschap returns noop for request 0
>     rlm_realm: No '@' in User-Name = user, looking up realm NULL
>     rlm_realm: No such realm NULL

This request matches the NULL realm, which should be impossible based on your configuration and the description of how the NULL realm works. The User-Name has a realm in this request, so it should match the DEFAULT realm if it is defined. Since the hints file matched at line 36 here, I assume you actually configured provider1.com instead of domain1.com in your hints file. Is this assumption correct? If not, what is in your hints file at line 36?

Kevin Bonner
performance on changing clients.conf and huntgroup
Alan,

I noticed that the more IPs I add to clients.conf and huntgroups, the more steeply FreeRadius's performance declines. Guessing the linked-list. Have we considered other data structures like hashing or btree?

-Kevin
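As an illustration of the data-structure point raised in this post (added here; this is not FreeRADIUS code and not the poster's), the following Python compares the two lookup shapes under discussion: a linear walk over every configured client, and a hash-based store keyed by prefix length that probes at most 33 tables for an IPv4 address no matter how many clients are loaded. The client set, secrets and addresses (10.200.0.0/16, random hosts in 10.0.0.0/8) are constructed for the demonstration; IPv6 is left out for brevity.

```python
"""
Client lookup cost: linear scan versus per-prefix-length hash tables.

Added example; not FreeRADIUS code. Both stores answer the question the
server asks for every packet: which configured client (IP or CIDR block)
covers this source address, preferring the most specific prefix. The linear
store walks every entry, so cost grows with the number of clients; the
indexed store keeps one dict per prefix length and probes at most 33 of
them (IPv4), however many clients are loaded.
"""
import ipaddress
import random
import time


class LinearClients:
    """Append-only list of (network, secret); lookup walks the whole list."""

    def __init__(self):
        self.entries = []

    def add(self, cidr, secret):
        self.entries.append((ipaddress.IPv4Network(cidr, strict=False), secret))

    def find(self, ip):
        addr = ipaddress.IPv4Address(ip)
        best = None
        for net, secret in self.entries:
            # keep the most specific (longest-prefix) match seen so far
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, secret)
        return best[1] if best else None


class IndexedClients:
    """One hash table per prefix length, probed from /32 down to /0."""

    def __init__(self):
        self.by_prefix = {}  # prefixlen -> {network address as int: secret}

    def add(self, cidr, secret):
        net = ipaddress.IPv4Network(cidr, strict=False)
        self.by_prefix.setdefault(net.prefixlen, {})[int(net.network_address)] = secret

    def find(self, ip):
        addr = int(ipaddress.IPv4Address(ip))
        # longest prefix first: the first hit is the most specific match
        for plen in sorted(self.by_prefix, reverse=True):
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            secret = self.by_prefix[plen].get(addr & mask)
            if secret is not None:
                return secret
        return None


def build_sample(n, seed=1):
    """Constructed client set: one /16 block plus n random /32 hosts in 10.0.0.0/8."""
    rng = random.Random(seed)
    linear, indexed = LinearClients(), IndexedClients()
    for store in (linear, indexed):
        store.add("10.200.0.0/16", "block-secret")
    hosts = set()
    while len(hosts) < n:
        hosts.add("10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(1, 255)))
    for host in hosts:
        for store in (linear, indexed):
            store.add(host + "/32", "host-" + host)
    return linear, indexed, sorted(hosts)


def time_lookups(store, ips):
    """Seconds spent resolving every address in ips once."""
    start = time.perf_counter()
    for ip in ips:
        store.find(ip)
    return time.perf_counter() - start


if __name__ == "__main__":
    linear, indexed, hosts = build_sample(5000)
    probe = hosts[:500]
    print("linear : %.3fs" % time_lookups(linear, probe))
    print("indexed: %.3fs" % time_lookups(indexed, probe))
```

Running the script with a few thousand constructed clients makes the scaling difference visible; the point of the indexed store is that the probe count depends on the number of distinct prefix lengths in use, not on the number of clients.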
Re: Cisco Configuration
On Wednesday 04 April 2007 14:01:31 Norman Zhang wrote:
> Hi,
>
> I'm learning how to use freeradius. Does anyone have a working conf that works for cisco devices?
>
> Regards,
> Norman Zhang

DEFAULT Auth-Type := Accept

... but seriously, what are you trying to do? Authenticate PPPoX sessions, admin sessions, or something else? Have you run in debug mode to see what the cisco is sending to the radius server? A little more information on what you are trying to do would be very helpful. The wiki has some info related to cisco configs [1]. Another source that should have some cisco-related info is the mailing list archives.

Kevin Bonner

[1] http://wiki.freeradius.org/Cisco
Re: Freeradius Checkrad Redback
On Monday 02 April 2007 08:11:10 ahissi jean-françois wrote:
> Hello,
>
> I am facing a Simultaneous-Use problem. We are an ISP and we have adsl subscribers. The aaa is a freeradius 1.1.3 server and the NAS is a REDBACK SMS. The Simultaneous-Use doesn't work! We plan to use checkrad but there is no snmp script for redback! The telnet option is not good I think because we have 18000 subscribers. Please help me with an snmp script for redback or with another solution for Simultaneous-Use.
>
> Thanks!

I agree that verifying a session via telnet is not a scalable solution. Lucent probably has SNMP MIBs for the Redback, which should have a way to confirm active sessions.

Kevin Bonner
Re: chap rlm_sql authentication problem
On Friday 30 March 2007 09:13:17 Andrew Long wrote:
> In NTRADPING:
> username: hiegalleria
> ...
> rad_recv: Access-Request packet from host 192.168.10.100:49259, id=5, length=59
>         User-Name = hiegalleria_cn3200
>         CHAP-Password = 0xac0b9199834a040866dd0050c44d4fdf35
>
> Am I missing something obvious?

How is _cn3200 getting appended to the username?

> -- 1176 hiegalleria_cn3200 password PASSWORD_HERE == --

You've heard several times that the attribute and operator need to be fixed. I'm just listing it again for emphasis.

> radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'hiegalleria_cn3200' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> -- 9 colubris Service-Type Administrative-User == --

If this is correct, your request will not match unless you send this particular Service-Type. Looking at the request above, I don't see this attribute being sent in the access-request.

Kevin Bonner
Re: SNMP support for radius problem
On Thursday 29 March 2007 12:47:38 satish patel wrote:
> Thanks for the help, I got it and now my freeradius is working with snmpd and it is working fine. Now can you tell me what I can monitor through snmpd, meaning can I check how many users are logged in currently and how many failed, and what stats I can check through this feature?

The RADIUS mibs are in the mibs/ directory of the freeradius release. You should be able to monitor any of those values.

-Kevin
Re: SNMP support for radius problem
On Wednesday 28 March 2007 08:17:00 satish patel wrote:
> main: smux_password = verysecret
> main: snmp_write_access = no
> SMUX connect try 1
> SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
> SMUX open progname: radiusd
> SMUX open password: verysecret
> SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> SMUX read start
> SMUX read len: 12
> SMUX message received type: 67 rest len: 4
> SMUX_RRSP
> SMUX_RRSP value: 0 errstat: 0
> --- Walking the entire request list ---
> Nothing to do. Sleeping until we see a request.

This looks good. It successfully registered with the local SNMP daemon, which means FreeRADIUS is built with SNMP support and is properly configured.

> Now I have run snmpwalk but I didn't get any output from radius
>
> $ snmpwalk -v 1 -c public localhost .1.3.6.1.2.1.67.1.1.1.1
> End of MIB

This looks correct as well. Make sure the public community has permission to view that OID tree. I did test my local SNMP config and receive the same results when I restrict the public community from accessing that OID.

Kevin Bonner
RFC 4590 Compliant?
Hi,

I just noticed an email thread: http://arcknowledge.com/gmane.comp.freeradius.devel/2006-11/msg00040.html

Any update on it? Can we say FreeRadius is RFC 4590 compliant?

Kevin
Re: use realms to access different mysql tables
On Tuesday 27 March 2007 18:13:09 Alexander Papenburg wrote:
> Hi Freeradius-Mailing-List,
>
> does anyone of you differentiate sql database tables with realms? E.g.:
>
> Auth-Requests for [EMAIL PROTECTED] will be checked against table db_radius1
> Auth-Requests for [EMAIL PROTECTED] will be checked against table db_radius2
> ... and so on.
>
> I already found out that it is possible to use multiple sql instances, but from what I understand they would be asked/checked one after another. That would be nice for failover scenarios, but if there are about 20-30 realms to check it would result in very slow performance (depending on mysql host speed).
>
> So is there a better way to solve this problem? All users in one database is at the time unfortunately not an option...
>
> Thanks in advance
> Alex

An example of this is below. In each sql definition you can define the different queries necessary to handle a particular realm. realm3 shows how to allow multiple realms to use the same db/SQL queries, so you can easily merge the databases over time and update the users file to reflect the db changes.

Kevin Bonner

== sql.conf ==
sql db1 {
  ...
}
sql db2 {
  ...
}
...
== sql.conf ==

== radiusd.conf ==
authorize {
  ...
  Autz-Type SQL1 {
    db1
  }
  Autz-Type SQL2 {
    db2
  }
}
== radiusd.conf ==

== users ==
DEFAULT Realm == realm1, Autz-Type := SQL1
DEFAULT Realm == realm2, Autz-Type := SQL2
DEFAULT Realm == realm3, Autz-Type := SQL2
...

OR

DEFAULT User-Name =~ @realm1$, Autz-Type := SQL1
DEFAULT User-Name =~ @realm2$, Autz-Type := SQL2
DEFAULT User-Name =~ @realm3$, Autz-Type := SQL2
== users ==
Re: Accounting is not working. Please help.
On Monday 26 March 2007 16:30:35 alex wrote:
> Hey guys, I just followed this guide: http://www.frontios.com/freeradius.html and everything looks ok, the users are already working and log in without problem. But the accounting is not working, the mysql tables are empty. I checked when a user accesses and everything looks ok, and the radacct is still empty. In my radiusd.conf I have
>
> accounting {
>   detail
>   radutmp
>   sql
> }
>
> Another guy is checking in the AP, but I wanna be sure I have the correct values in the server. Any comment is appreciated.
>
> Alex

Did you run in debug mode (-X)? If so, did the output show anything strange when processing an accounting packet? Is the NAS configured to send accounting records to the radius server?

-Kevin
Re: disconnect users from radius
On Wednesday 28 February 2007 10:40, satish patel wrote:
> Dear all
>
> I have installed freeradius on RHEL with MSSQL server and it is working fine, but now I am facing a problem regarding disconnecting users. My NAS is a cisco Router, it is l2tp, so what do I do for this problem? And I want to connect my dialupadmin with mssql, is it possible?
>
> Satish Patel

Since it is a cisco, it may support Packet of Disconnect (PoD) requests. [1] has some info about this. To verify that it is available and configure it, you should refer to the vendor documentation for your device.

Kevin Bonner

[1] http://wiki.freeradius.org/Disconnect_Messages
Re: Radius says client is unknown.
On Tuesday 27 February 2007 14:47, M. Onur ERGiN wrote:
> Just a moment ago, I noticed that I can't start the radiusd daemon with the 'service radiusd start' command. It gives the following error:
>
> [EMAIL PROTECTED] raddb]# service radiusd start
> Starting RADIUS server: Tue Feb 27 21:44:38 2007 : Info: Starting - reading configuration files ...
> 6490:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
> 6490:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
> 6490:error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib:ssl_rsa.c:534:
> [FAILED]
>
> But I can start it with 'radiusd -X'. Can the problem be related to that? By the way, I have signed a new certificate to be used in radius. But it seems okay.
>
> Thanks for any help,
> Onur.

Sounds like a permissions issue to me. Check the user/group that is configured in radiusd.conf, then verify that the user can read the certificates and config files.

Kevin Bonner
Re: check active threads
On Tuesday 20 February 2007 03:10, Tomas Hoger wrote:
> > Freshly added to the Wiki FAQ as this has been covered countless times on the users list.
>
> Kevin, it may be better to add a bit more info to the wiki, since combining SysV and BSD flags of ps is usually not permitted and the -H flag is not recognized by older versions of ps. What about this:
>
> For older versions of ps, use:
> - ps -efm
> - ps auxm
>
> For newer versions of ps, you may prefer to use:
> - ps -efL
> - ps auxH
>
> th.

Sounds fine with me. As it is a wiki, feel free to register an account and make that change. I only included the ps versions I had available at the time.

-Kevin
Re: check active threads
On Monday 19 February 2007 13:13, Andrew Long wrote:
> freeradius 1.4 on CentOS 4.4
>
> How can I verify the number of threads? I only see one process with ps aux | grep radiusd. I could have sworn I used to see each thread with 0.9 and I am concerned that the threads are not starting correctly as defined in radiusd.conf:
>
> thread pool {
>         start_servers = 5
>         max_servers = 32
>         min_spare_servers = 3
>         max_spare_servers = 10
>         max_requests_per_server = 0
> }

http://wiki.freeradius.org/FAQ#I_see_only_one_radiusd_in_the_process_list.__What_is_wrong.3F

Freshly added to the Wiki FAQ as this has been covered countless times on the users list.

Kevin Bonner
Re: attr_rewrite
On Monday 19 February 2007 15:29, Ben Butler wrote:
> Hi,
>
> I am having some problems with attr_rewrite. What I want to do is the following at a pre-authorisation phase:
>
> User-Name = [EMAIL PROTECTED]
> To
> User-Name = somedomain.com
>
> I want to call my attr_rewrite function for each of the domains that I want to strip the username from prior to authorisation.

I'm not very familiar with attr_rewrite, so I'm posting what I would do if I were presented with this issue. We use the hints file to rewrite the request username, as needed. A hints file example that should do what you want:

DEFAULT User-Name =~ [EMAIL PROTECTED]
        User-Name := somedomain.com

Then just define somedomain.com in your users file (or DB) and process it like a normal request.

Kevin Bonner
Re: RADIUS will no longer start!
On Wednesday 24 January 2007 10:02, Michelle Gates wrote:
> read_config_files: reading clients
> /opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name
>
> Can anyone shed any light on this? Unfortunately for me, one of our developers was working on our production server but *claims* not to have changed anything of any consequence... I'm really unsure of where this is coming from! Has anyone seen this error before or could anyone at least point me in the right direction?

Since you have multiple people poking around on a production config, you are using some sort of revision control... right? ;-)

I tried to reproduce the error locally and here is what I've done to cause the same error message to show up.

== clients.conf ==
client {
        secret = testing
        shortname = testing
        nastype = other
}
== clients.conf ==

[EMAIL PROTECTED] raddb.dial]# /usr/sbin/radiusd -X
...
read_config_files: reading clients
/etc/raddb/radiusd.conf[327]: Missing client name

To fix the issue, find the broken client entry and either comment it out or restore it with the correct client IP.

Kevin Bonner
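A pre-flight check for exactly this failure, added here as an example and not part of FreeRADIUS or the reply above: it reads the simple one-level `client NAME { key = value }` block form shown in the post and reports any block without a name or IP after the `client` keyword (the condition behind "Missing client name"), as well as blocks that carry no shared secret. The sample configuration is constructed; the first block in it is the broken one from the reply, and the addresses and `s3cr3t-placeholder` value are placeholders. Nested sections and the rest of the server's config grammar are outside what this parser handles.

```python
"""
Report client blocks that would make the server refuse its configuration.

Added example, not FreeRADIUS code. Parses the flat
``client NAME { key = value ... }`` syntax and flags two problems a
reviewer would want to catch before restarting a production server:
a client block with no name/IP and a client block with no secret.
"""
import re

# Constructed sample. Block 1 is the broken entry from the mailing-list
# reply (nothing between "client" and "{"); the addresses and secret in
# blocks 2 and 3 are placeholders.
SAMPLE = """\
client {
        secret = testing
        shortname = testing
        nastype = other
}

client 192.0.2.10 {
        secret  = s3cr3t-placeholder
        shortname = nas1
}

client 192.0.2.0/24 {
        shortname = lab
}
"""

# "client", optional name/IP/CIDR, then the opening brace on the same line
BLOCK_RE = re.compile(r"^\s*client\s*([^\s{]*)\s*\{")


def parse_clients(text):
    """Return [(name, {key: value}, line_no)] for each client block."""
    clients = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = BLOCK_RE.match(lines[i])
        if not m:
            i += 1
            continue
        name, start_line, items = m.group(1), i + 1, {}
        i += 1
        while i < len(lines) and lines[i].strip() != "}":
            line = lines[i].split("#", 1)[0].strip()  # drop trailing comments
            if "=" in line:
                key, value = line.split("=", 1)
                items[key.strip()] = value.strip()
            i += 1
        clients.append((name, items, start_line))
        i += 1  # skip the closing brace
    return clients


def check_clients(text):
    """Return [(line_no, message)] for every problem found, in file order."""
    problems = []
    for name, items, line_no in parse_clients(text):
        if not name:
            problems.append((line_no, "Missing client name"))
        if "secret" not in items:
            problems.append((line_no, "client %s has no secret" % name))
    return problems


if __name__ == "__main__":
    for line_no, message in check_clients(SAMPLE):
        print("line %d: %s" % (line_no, message))
```

Run against a real clients.conf by reading the file into `check_clients`; the line numbers it reports are those of the `client` line that opens the offending block, which is where the server's own error points as well.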
Re: Setting a realm in the User-Name based on Client-IP-Address
On Wednesday 24 January 2007 16:59, Jason E. Murray wrote:
> My question is, is there a better way to do this? This seems a bit kludgy.
>
> Using FreeRadius 1.1.4
>
> Thanks in advance,

Use the hints file like below, then configure freeradius as if the realm were included in the original request.

== hints ==
DEFAULT User-Name !~ @, Client-IP-Address == A.B.C.D
        User-Name := [EMAIL PROTECTED]
== hints ==

Kevin Bonner
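The users and hints entries quoted in several replies on this page (rejecting the NULL realm with `DEFAULT Realm == NULL, Auth-Type := Reject`, selecting an Autz-Type per realm with `DEFAULT User-Name =~ @realm1$, Autz-Type := SQL1`, and the hints entry just above that adds a realm based on Client-IP-Address) all rely on the same first-match rules. The Python below is an added model of those rules, not server code: entries are walked in file order, every comparison on the check line must hold, `:=` items on the check line become control items (Auth-Type, Autz-Type), reply items are applied and processing stops unless `Fall-Through = Yes`. An attribute absent from the request never matches. The `%{User-Name}` expansion, the address 192.0.2.7 and the realm name example.realm stand in for the A.B.C.D and [EMAIL PROTECTED] placeholders in the reply and are constructed; rlm_realm, xlat and proxying are outside the model.

```python
"""
Minimal model of users/hints entry matching (added example, not FreeRADIUS code).

Semantics modelled: DEFAULT or exact User-Name entries; check-line comparison
operators ==, !=, =~, !~ (absent attribute never matches); check-line set
operators :=, =, += produce control items; reply items written with := (always)
or = (only if absent); Fall-Through = Yes continues to the next entry.
"""
import re


class Entry:
    """One users/hints entry: name, check items, reply items as (attr, op, value)."""

    def __init__(self, name, checks, replies=()):
        self.name = name
        self.checks = list(checks)
        self.replies = list(replies)


SET_OPS = (":=", "=", "+=")


def expand(value, request):
    """Stand-in for xlat: replace %{Attr} with the request's value for Attr."""
    return re.sub(r"%\{([^}]+)\}", lambda m: request.get(m.group(1), ""), value)


def check_matches(request, attr, op, value):
    """Compare one check item against the request."""
    if attr not in request:
        return False
    actual = request[attr]
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return re.search(value, actual) is not None
    if op == "!~":
        return re.search(value, actual) is None
    raise ValueError("unsupported check operator %r" % op)


def apply_entries(entries, request, reply):
    """Return (names_matched, control_items); reply items are written into `reply`.
    Pass the request dict itself as `reply` to model the hints file, which
    rewrites the request rather than building a reply."""
    matched, control = [], {}
    for entry in entries:
        if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
            continue
        comparisons = [c for c in entry.checks if c[1] not in SET_OPS]
        if not all(check_matches(request, *c) for c in comparisons):
            continue
        matched.append(entry.name)
        for attr, op, value in entry.checks:
            if op in SET_OPS:
                control[attr] = expand(value, request)
        # expand before writing so %{User-Name} sees the pre-rewrite value
        expanded = [(a, o, expand(v, request)) for a, o, v in entry.replies]
        fall_through = False
        for attr, op, value in expanded:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            elif op == "=" and attr in reply:
                continue  # "=" only sets when the attribute is not yet present
            else:
                reply[attr] = value
        if not fall_through:
            break
    return matched, control


def reject_null_realm(request):
    """users entry from 'Reject user without realm'; returns the Auth-Type set, if any."""
    users = [Entry("DEFAULT", [("Realm", "==", "NULL"), ("Auth-Type", ":=", "Reject")])]
    _, control = apply_entries(users, dict(request), {})
    return control.get("Auth-Type")


def route_by_realm(user_name):
    """users entries from 'use realms to access different mysql tables'."""
    users = [
        Entry("DEFAULT", [("User-Name", "=~", "@realm1$"), ("Autz-Type", ":=", "SQL1")]),
        Entry("DEFAULT", [("User-Name", "=~", "@realm2$"), ("Autz-Type", ":=", "SQL2")]),
        Entry("DEFAULT", [("User-Name", "=~", "@realm3$"), ("Autz-Type", ":=", "SQL2")]),
    ]
    _, control = apply_entries(users, {"User-Name": user_name}, {})
    return control.get("Autz-Type")


def add_realm_by_client(request):
    """hints entry from the Client-IP-Address reply; 192.0.2.7 and example.realm
    are constructed stand-ins for A.B.C.D and the redacted realm."""
    hints = [Entry("DEFAULT",
                   [("User-Name", "!~", "@"), ("Client-IP-Address", "==", "192.0.2.7")],
                   [("User-Name", ":=", "%{User-Name}@example.realm")])]
    request = dict(request)
    apply_entries(hints, request, request)
    return request["User-Name"]
```

The three scenario functions show the behaviour each reply depends on: a bare username with Realm NULL gets Auth-Type Reject while a realm-qualified one is untouched; `@realm1$` anchors at the end so `bob@realm10` selects no Autz-Type; and the hints entry only rewrites a bare User-Name arriving from the named client address.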
Re: Best practices for redundant servers
On Friday 19 January 2007 14:02, Peter Nixon wrote:
> On Fri 19 Jan 2007 18:56, Graham Beneke wrote:
> > Would it be possible for someone to dump all the man pages into the wiki?
>
> Please feel free to do it.. It is a wiki after all :-)

Agreed. I've added a few things here and there, but that's just because I was poking around in those areas of freeradius recently. If you add stuff, I can clean up the page display, if necessary, after I find the box that contains my free time. =)

-Kevin