Re: Alvarion BreezeMAX 4Motion Service Profiles

2011-05-13 Thread Kristoffer Milligan
You could try your luck and ask Alvarion what attributes are required in 
the access-accept for the BreezeMAX to accept the connection. Even 
better, ask for a tcpdump of a successful, minimalistic network entry.


Don't hold your breath though ... chances are they'll flip you off/have 
no clue what you're talking about/show no interest in helping because 
they want to sell you bridgewater at a ridiculous price.


I see you are returning SP1 as your Filter-Id .. does that profile exist 
on the BreezeMAX station? I seem to recall it does .. but please double 
check :)


- Kristoffer

On 05/13/2011 08:44 AM, Ryan Williams wrote:

Thanks Alan,
 I'm already running the master branch of Freeradius (as of two
days ago). I have FreeRadius working with an Alvarion 4 Motion product but
not with the Alvarion BreezeMax product.
It seems to be ignoring my Access-Accept.

Regards,
Ryan Williams

-Original Message-
From: freeradius-users-bounces+ryan=integritynet.com...@lists.freeradius.org
[mailto:freeradius-users-bounces+ryan=integritynet.com.au@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, 13 May 2011 3:09 PM
To: FreeRadius users mailing list
Subject: Re: Alvarion BreezeMAX  4Motion Service Profiles

Ryan Williams wrote:

Has anyone been able to get the Alvarion BreezeMAX to apply a service
profile for a subscriber through radius?

   Yes.  Go to http://git.freeradius.org, and follow the instructions for
downloading the git master branch.

   Then, edit share/dictionary to:

- delete the $INCLUDE of the wimax & alvarion dictionaries
- add $INCLUDE dictionary.wimax.alvarion & dictionary.alvarion.wimax
   (really)

   At that point it should be possible to return the non-standard
attributes needed by Alvarion.


The following access accept works with the Alvarion 4Motion product but not
with the BreezeMAX.

   They appear to have completely different code bases, and completely
different needs for RADIUS. *sigh*

   Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



Wrong packing of attributes?

2011-03-25 Thread Kristoffer Milligan
-Minimum-Reserved-Traffic-Rate                  29.7    integer
ATTRIBUTE   WiMAX-Maximum-Traffic-Burst         29.8    integer
ATTRIBUTE   WiMAX-Tolerated-Jitter              29.9    integer
ATTRIBUTE   WiMAX-Maximum-Latency               29.10   integer
ATTRIBUTE   WiMAX-Reduced-Resources-Code        29.11   byte
ATTRIBUTE   WiMAX-Media-Flow-Type               29.12   byte
ATTRIBUTE   WiMAX-Unsolicited-Grant-Interval    29.13   short
ATTRIBUTE   WiMAX-SDU-Size                      29.14   short
ATTRIBUTE   WiMAX-Unsolicited-Polling-Interval  29.15   short
ATTRIBUTE   WiMAX-Media-Flow-Description-SDP    29.16   string

And should most definitely *not* be included in the 
WiMAX-Packet-Flow-Descriptor.


Am I messing up something here, or could there be a bug in the encoder?

- Kristoffer Milligan

Re: Wrong packing of attributes?

2011-03-25 Thread Kristoffer Milligan

On 03/25/2011 09:59 AM, Alan DeKok wrote:

Kristoffer Milligan wrote:

Am I messing up something here, or could there be a bug in the encoder?

   Bug in the encoder.  Fixed & pushed to git.

   WiMAX is *weird*.

   Alan DeKok.

Wohoo! I managed to spot something! :)

Anyway, ~/freeradius-server# git pull
Already up-to-date.

Did it push to production?


Re: Wrong packing of attributes?

2011-03-25 Thread Kristoffer Milligan

You want the master branch mate,

git clone git://git.freeradius.org/freeradius-server.git

http://git.freeradius.org/

On 03/25/2011 02:06 PM, David Peterson wrote:

Excellent!

I just ran a git pull but not sure if I am set up correctly.  Here is the
output I received.


 From git://git.freeradius.org/freeradius-server
   03f1be4..92caaa4  master -> origin/master
   2ae298a..14f534a  v2.1.x -> origin/v2.1.x

Should I make some changes to my git setup?

David

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com]
Sent: Friday, March 25, 2011 8:44 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Wrong packing of attributes?

David Peterson wrote:

1.   Update to the latest version for 2.2

   It's now pre-3.0


2.   Define the R3 attributes in a separate dictionary.

   Already in share/dictionary.alvarion.wimax.v2_2


3.   Update the main dictionary.wimax to make sure all of the
Alvarion WiMAX- attributes are added to that dictionary

   Already in share/dictionary.wimax.alvarion


4.   Let me know any success as I have yet to get the NAS to
properly accept the service flow.

   Some fixes went in recently for encoding WiMAX attributes.  The new -Xxx
feature is very useful for debugging the detailed contents of packets.

   Alan DeKok.



Re: Sending attribute with sub-attributes

2011-03-15 Thread Kristoffer Milligan



On 03/14/2011 11:48 AM, Alan DeKok wrote:

Kristoffer Milligan wrote:

Attribute
 R3-IF-Descriptor
Sub-TLV
 R3-IF-Name
 R3-IF-ID
 PDFID

These are all exposed in the dictionary .. but running a MySQL based
freeradius configuration, how do I return this type of packet when a
user requests access?

R3-IF-Name = foo
R3-IF-ID = 1234
...

   The server will take care of encapsulating them into the
R3-IF-Descriptor when it sends a packet.  Until then, don't worry about
it. :)


Will this also be taken care of for SUB-SUB TLVs?

Example:
Packet-Flow-Descriptor
    Packet-Data-Flow-ID
    Direction
    Transport-Type
    UplinkQoSID
    DownlinkQoSID
    Classifier
        ClassifierID
        Priority
        IP TOS/DSCP Range and Mask - whatever that is
        Direction

As you can see, the classifier takes subattributes as well...

- Kristoffer


   Alan DeKok.


Sending attribute with sub-attributes

2011-03-14 Thread Kristoffer Milligan

Hello list,

I have compiled and am now running FR v3.0 and it seems to be working 
fine. I have reached the situation where I need to send attributes that 
contain sub TLVs for automatic configuration of WiMAX basestations.


With great help from list user Ben Wiechman I have a dictionary that has 
been fit to match (as best possible) the specification provided by the 
equipment vendor. For automatic configuration of the basestation, one of 
the attributes required is for example:


Attribute
 R3-IF-Descriptor
Sub-TLV
 R3-IF-Name
 R3-IF-ID
 PDFID

These are all exposed in the dictionary .. but running a MySQL based 
freeradius configuration, how do I return this type of packet when a 
user requests access?


Sincerely,
Kristoffer Milligan


Re: Sending attribute with sub-attributes

2011-03-14 Thread Kristoffer Milligan

You could run a radiusd -v to check the version that's installed.

If we are using the same vendor, it's likely that the unknown attributes 
are unknown simply because the vendor have messed them up .. :)


- Kristoffer

On 03/14/2011 01:54 PM, David Peterson wrote:


I am working on the same issue, likely with the same NAS vendor.  Is 
the order important?


I am also seeing some unknown attributes in my pcap file.   Perhaps I 
am on the wrong build.  How do I verify if I am compiling 3.0 version?


David

-Original Message-
From: 
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org 
[mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] 
On Behalf Of Alan DeKok

Sent: Monday, March 14, 2011 6:48 AM
To: FreeRadius users mailing list
Subject: Re: Sending attribute with sub-attributes

Kristoffer Milligan wrote:

 Attribute
  R3-IF-Descriptor
 Sub-TLV
  R3-IF-Name
  R3-IF-ID
  PDFID

 These are all exposed in the dictionary .. but running a MySQL based
 freeradius configuration, how do I return this type of packet when a
 user requests access?

R3-IF-Name = foo
R3-IF-ID = 1234
...

  The server will take care of encapsulating them into the 
R3-IF-Descriptor when it sends a packet.  Until then, don't worry 
about it. :)


  Alan DeKok.


Re: Sending attribute with sub-attributes

2011-03-14 Thread Kristoffer Milligan

Yep :)

git clone git://git.freeradius.org/freeradius-server.git

- Kristoffer

On 03/14/2011 02:08 PM, David Peterson wrote:

AHh ok great!

It appears  I am on v2.2.  Should I be on 3.0 to support the sub-sub tlvs
needed for this NAS?

David

-Original Message-
From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, March 14, 2011 9:05 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Sending attribute with sub-attributes

David Peterson wrote:

I am working on the same issue, likely with the same NAS vendor.  Is
the order important?

   Yes.  List them in order of attribute number, lowest to highest.

   Basically, the same order that they are in the dictionary.


I am also seeing some unknown attributes in my pcap file.

   No... the pcap *viewer* you're using doesn't support the WiMAX attributes.
This is not surprising.  Wireshark grabbed the dictionaries from FreeRADIUS
a few years ago, and haven't updated them since.


  Perhaps I
am on the wrong build.  How do I verify if I am compiling 3.0 version?

$ radiusd -v

   Alan DeKok.
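
Added example, not part of the original posts and not FreeRADIUS code: a small Python encoder and checker for the sub-TLV packing discussed in this thread and in "Wrong packing of attributes?", using the 29.x names and types from the dictionary lines quoted there. The WiMAX vendor number 24757, the wire layout (1-byte type, 1-byte length, 1-byte continuation flag, then sub-TLVs) and all function names are assumptions not stated on the page; the sample packets are constructed.

```python
import struct

VSA_TYPE = 26          # RADIUS Vendor-Specific attribute
WIMAX_VENDOR = 24757   # WiMAX Forum enterprise number (assumption, not in the thread)
PARENT = 29            # parent attribute of the 29.x sub-attributes quoted in the thread

# sub-attribute number -> (name, type), copied from the quoted dictionary lines
SUBATTRS = {
    8: ("WiMAX-Maximum-Traffic-Burst", "integer"),
    9: ("WiMAX-Tolerated-Jitter", "integer"),
    10: ("WiMAX-Maximum-Latency", "integer"),
    11: ("WiMAX-Reduced-Resources-Code", "byte"),
    12: ("WiMAX-Media-Flow-Type", "byte"),
    13: ("WiMAX-Unsolicited-Grant-Interval", "short"),
    14: ("WiMAX-SDU-Size", "short"),
    15: ("WiMAX-Unsolicited-Polling-Interval", "short"),
}
PACK = {"integer": ">I", "short": ">H", "byte": ">B"}
BY_NAME = {name: num for num, (name, _typ) in SUBATTRS.items()}


def encode(flat):
    """Pack a flat {name: value} reply list into one WiMAX VSA for parent 29.

    Sub-TLVs are emitted lowest number first, whatever order the caller used.
    """
    tlvs = b""
    for num, value in sorted((BY_NAME[name], v) for name, v in flat.items()):
        body = struct.pack(PACK[SUBATTRS[num][1]], value)
        tlvs += bytes([num, 2 + len(body)]) + body
    wimax = bytes([PARENT, 3 + len(tlvs), 0]) + tlvs   # 0 = not continued
    return bytes([VSA_TYPE, 6 + len(wimax)]) + struct.pack(">I", WIMAX_VENDOR) + wimax


def decode(attr):
    """Return (parent, [(sub_number, raw_value), ...]); ValueError on bad framing."""
    if len(attr) < 9 or attr[0] != VSA_TYPE or attr[1] != len(attr):
        raise ValueError("not a complete Vendor-Specific attribute")
    if struct.unpack(">I", attr[2:6])[0] != WIMAX_VENDOR:
        raise ValueError("not a WiMAX VSA")
    parent, wlen, cont = attr[6], attr[7], attr[8]
    if wlen != len(attr) - 6:
        raise ValueError("WiMAX length does not match VSA length")
    if cont & 0x80:
        raise ValueError("continued attribute: reassemble the fragments first")
    subs, pos, data = [], 0, attr[9:]
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("sub-TLV overruns its parent")
        subs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return parent, subs


def check(attr):
    """List packing problems: unknown sub-TLVs, wrong value size, wrong order."""
    parent, subs = decode(attr)
    problems, last = [], 0
    for num, raw in subs:
        if parent != PARENT or num not in SUBATTRS:
            problems.append(f"{parent}.{num}: not in the quoted dictionary lines")
        elif len(raw) != struct.calcsize(PACK[SUBATTRS[num][1]]):
            problems.append(f"{parent}.{num}: {len(raw)} bytes, expected {SUBATTRS[num][1]}")
        if num <= last:
            problems.append(f"{parent}.{num}: out of order after {parent}.{last}")
        last = num
    return problems


# Constructed sample: a flat list, deliberately not in dictionary order.
GOOD = encode({
    "WiMAX-Maximum-Latency": 50,
    "WiMAX-Maximum-Traffic-Burst": 4096,
    "WiMAX-Media-Flow-Type": 1,
})
# Constructed bad packet: 29.10 carried as 2 bytes and placed before 29.8.
BAD = bytes.fromhex("1a13000060b51d0d00" "0a040032" "080600001000")

if __name__ == "__main__":
    print(GOOD.hex())
    print(check(GOOD))
    print(check(BAD))
```

Running `check()` over the Vendor-Specific bytes copied out of a capture gives a quick way to confirm what the encoder actually put on the wire when the pcap viewer does not know the WiMAX dictionary.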


Compiling master branch

2011-03-03 Thread Kristoffer Milligan
Due to the need for nested TLVs I'm trying to compile FreeRADIUS from 
the master branch:


git clone git://git.freeradius.org/freeradius-server.git

Also, I'm using FR for a WiMAX network, so I need the experimental modules:

./configure --with-experimental-modules

The configuration works fine, but when I try to compile the project, it 
fails:


root@radius:~/freeradius-server# make

.
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE 
-g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings 
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef 
-I/root/freeradius-server/src 
-I/root/freeradius-server/src/modules/rlm_redis -c rlm_rediswho.c  -fPIC 
-DPIC -o .libs/rlm_rediswho.o

In file included from rlm_rediswho.c:32:
/root/freeradius-server/src/modules/rlm_redis/rlm_redis.h:35:29: error: 
hiredis/hiredis.h: No such file or directory

In file included from rlm_rediswho.c:32:
/root/freeradius-server/src/modules/rlm_redis/rlm_redis.h:46: error: 
expected specifier-qualifier-list before 'redisContext'

rlm_rediswho.c: In function 'rediswho_command':
rlm_rediswho.c:124: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c:125: error: 'REDIS_REPLY_INTEGER' undeclared (first use 
in this function)

rlm_rediswho.c:125: error: (Each undeclared identifier is reported only once
rlm_rediswho.c:125: error: for each function it appears in.)
rlm_rediswho.c:127: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c:129: error: 'REDIS_REPLY_STATUS' undeclared (first use in 
this function)
rlm_rediswho.c:130: error: 'REDIS_REPLY_STRING' undeclared (first use in 
this function)

rlm_rediswho.c:132: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c: In function 'rediswho_accounting_start':
rlm_rediswho.c:264: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c:264: error: 'REDIS_REPLY_INTEGER' undeclared (first use 
in this function)

rlm_rediswho.c:265: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c: In function 'rediswho_accounting_alive':
rlm_rediswho.c:281: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c:281: error: 'REDIS_REPLY_INTEGER' undeclared (first use 
in this function)

rlm_rediswho.c:282: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c: In function 'rediswho_accounting_stop':
rlm_rediswho.c:299: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c:299: error: 'REDIS_REPLY_INTEGER' undeclared (first use 
in this function)

rlm_rediswho.c:300: error: 'REDISSOCK' has no member named 'reply'
make[6]: *** [rlm_rediswho.lo] Error 1
make[6]: Leaving directory 
`/root/freeradius-server/src/modules/rlm_rediswho'

make[5]: *** [rlm_rediswho] Error 2
make[5]: Leaving directory `/root/freeradius-server/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/root/freeradius-server/src/modules'
make[3]: *** [modules] Error 2
make[3]: Leaving directory `/root/freeradius-server/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/freeradius-server/src'
make[1]: *** [src] Error 2
make[1]: Leaving directory `/root/freeradius-server'
make: *** [all] Error 2

What lib am I missing ? Or what flag can I throw at --without- to 
circumvent the problem?


- Kristoffer Milligan


SQL Logging

2011-01-28 Thread Kristoffer Milligan

Hello again,

I'm still fighting my little battle in copying attributes from the inner 
to the outer tunnel etc. I have now gotten as far that logging 
access-accepts is working as I want, but I'm now struggling logging 
access-rejects. Here's my SQL from dialup.conf:


postauth_query = "INSERT INTO ${postauth_table} \
    (username, pass, reply, authdate) VALUES \
    ('%{reply:SQL-User-Name}', '%{reply:Packet-Type}', \
    '%{reply:Calling-Station-Id}', '%S');"

From a rejected session, I get this:

Fri Jan 28 09:48:05 2011 : Info: (5) [ttls] Got tunneled reply code 3
Filter-Id = OBFUSCATED
SQL-User-Name = OBFUSCATED
Calling-Station-Id = OBFUSCATED
MS-CHAP-Error = \226E=691 R=1

Fri Jan 28 09:48:05 2011 : Info: (5) +- entering group REJECT {...}
Fri Jan 28 09:48:05 2011 : Info: (5) [sql] expand: %{Stripped-User-Name} -> {am=1}OBFUSCATED
Fri Jan 28 09:48:05 2011 : Info: (5) [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> {am=1}OBFUSCATED
Fri Jan 28 09:48:05 2011 : Info: (5) [sql] sql_set_user escaped user --> '{am=1}OBFUSCATED'
Fri Jan 28 09:48:05 2011 : Info: (5) [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{reply:SQL-User-Name}', '%{reply:Packet-Type}', '%{reply:Calling-Station-Id}', '%S'); -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('', 'Access-Reject', '', '2011-01-28 09:48:05');
Fri Jan 28 09:48:05 2011 : Debug: rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('', 'Access-Reject', '', '2011-01-28 09:48:05');


From an accepted session, everything works fine and the SQL-User-Name 
and Calling-Station-Id are logged as expected. How come the attributes 
are empty, even though they are in the reply, only when an access-reject 
is given?


- Kristoffer


Re: SQL Logging

2011-01-28 Thread Kristoffer Milligan

So there is no way to get hold of them ?

- Kris

On 01/28/2011 10:36 AM, Alan DeKok wrote:

Kristoffer Milligan wrote:

 From an accepted session, everything works fine and the SQL-User-Name
and Calling-Station-Id are logged as expected. How come the attributes
are empty, even though they are in the reply, only when an access-reject
is given?

   The attributes aren't copied on reject.

   Alan DeKok.


Logging Authentication Rejects

2011-01-20 Thread Kristoffer Milligan
radiusd: FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on 
Apr 30 2010 at 09:48:09


root@hostname:~# lsb_release -a
Distributor ID: Ubuntu
Description:    Ubuntu 9.10
Release:        9.10
Codename:       karmic

Good day list,

I am trying to set up some logging on my radius server. The server is 
responsible for a WiMAX network running on equipment from Alvarion. 
After a troublesome start, things are starting to straighten out.


I've now reached the point where I want to apply some additional logging 
to start ironing out minor bugs. Running FR in debug mode, I see the 
occasional access-reject (mostly caused by wrongly configured 
username/passwords), and I would like to log these to my database.


In my default tunnel, I have added sql_log module to the post-auth 
section, subsection Post-Auth-Type REJECT. The default SQL looks like this:

#   Post-Auth = "INSERT INTO ${postauth_table} \
#       (username, pass, reply, authdate) VALUES \
#       ('%{User-Name}', '%{User-Password:-Chap-Password}', \
#       '%{reply:Packet-Type}', '%S');"

which would provide a line of log (in my case) looking something like this:
Incremental Id, =F8=f334534534645645645...@wimax.com, '', 
'Access-Reject', DATETIME.

(The username is just something I typed out, but that's what they look like).

This data is good to give me an idea of how many access rejects I am 
getting, but I have no clue from what usernames they are coming, nor WHY 
they were rejected. I know that the username in the inner tunnel is 
plaintext as well, meaning it looks like i.e kristof...@wimax.com.


My question is;
What should my SQL look like if I want to log the following data:

Incremental id,  'Attempted/Cleartext Username', 'Attempted/Cleartext 
password', 'Access-Reject - {Rejection-Reason}', DATETIME ?


Looking forwards to your replies..

Sincerely,
Kristoffer Milligan


SQL Logging Access-Reject

2010-09-10 Thread Kristoffer Milligan

Hello again list,

I'm still working on my FreeRADIUS server in connection with 4Motion 
equipment from Alvarion. It's getting better and better and more 
integrated, but I still have a few quirks I need to work out.


My main problem now is the logging part. In the post-auth section, I 
have added some SQL logging. I am logging Access-Accept and 
Access-Reject. My problem is that access-rejects are appearing 
scrambled.. Example:


| 50 | us...@mydomain.tld | | Access-Accept | 2010-09-10 10:53:36 |
| 51 | =7bam=3d1=7d917341235f4283123a58e52b623d2...@mydomain.tld | | Access-Reject | 2010-09-10 10:53:39 |
| 52 | =7bam=3d1=7ac00fa703f004q25ed1ef4e3dcb5f4...@mydomain.tld | | Access-Reject | 2010-09-10 10:53:47 |
| 53 | us...@mydomain.tld | | Access-Accept | 2010-09-10 10:53:58 |


The SQL statement from sql_log module is:

Post-Auth = "INSERT INTO ${postauth_table} \
    (username, pass, reply, authdate) VALUES \
    ('%{SQL-User-Name}', '%{User-Password:-Chap-Password}', \
    '%{reply:Packet-Type}', '%S');"


How can I log the tried username in cleartext?

- Kristoffer Milligan


Cleartext username

2010-08-26 Thread Kristoffer Milligan

Hello list,

I am currently using FreeRADIUS as my AAA server for a WiMAX network. 
Authentication is working perfectly, and the server is performing well. 
As part of my infrastructure-design I need to be able to forcibly kick 
users off the radiolink. As far as I have understood, this needs to be 
done using CoA/Disconnect-Request packets forged to match the NAS 
requirement.


So far, so good.

I have set up this query in my accounting section:
if ("%{sql:SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now'}") {
    update disconnect {
        Reply-Message = "You have been closed."
    }
}
as a small test. However, %{SQL-User-Name} is an encrypted version of 
the username, which of course will not match anything in my database.


Thu Aug 26 11:16:42 2010 : Info: (2) expand: SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now' -> SELECT value FROM radcheck WHERE UserName = '=8Ham=3D1=7A62345d3c567f85678749f233ebe4577fbad' and attribute = 'Acct-Logout-Now'
Thu Aug 26 11:16:42 2010 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Thu Aug 26 11:16:42 2010 : Info: (2) SQL query did not return any results
Thu Aug 26 11:16:42 2010 : Debug: rlm_sql (sql): Released sql socket id: 0
Thu Aug 26 11:16:42 2010 : Info: (2) expand: %{sql:SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now'} ->
Thu Aug 26 11:16:42 2010 : Info: (2) ? Evaluating (%{sql:SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now'}) -> FALSE
Thu Aug 26 11:16:42 2010 : Info: (2) ++? if (%{sql:SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now'}) -> FALSE


How can I get the username in a cleartext format?

Thanks in advance,

- Kristoffer Milligan
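
Added example, not part of the original posts: the `=7bam=3d1=7d` prefix in the stored usernames above is the `{am=1}` prefix from the debug output after rlm_sql's `=XX` escaping of characters outside its safe-characters set, so a stored row can be matched to a User-Name in `radiusd -X` output by undoing that escaping. The hex local part is left exactly as the client sent it. The safe-character list is FreeRADIUS's stock sql.conf default and an assumption here; the function names and sample rows are constructed.

```python
import re

# Stock rlm_sql safe-characters value (assumption: not quoted anywhere in the thread).
SAFE = set("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")


def sql_escape(name):
    """Escape a User-Name the way it appears in %{SQL-User-Name}: unsafe bytes become =XX."""
    return "".join(chr(b) if chr(b) in SAFE else f"={b:02X}" for b in name.encode())


def sql_unescape(stored):
    """Undo =XX escaping (either hex case) to recover the User-Name the NAS sent."""
    raw = re.sub(rb"=([0-9A-Fa-f]{2})",
                 lambda m: bytes([int(m.group(1), 16)]),
                 stored.encode())
    return raw.decode("utf-8", errors="replace")


def split_identity(user_name):
    """Split '{decoration}local@realm' into (decoration, local, realm); '' when absent."""
    m = re.fullmatch(r"(?:\{([^}]*)\})?([^@]*)(?:@(.*))?", user_name, re.S)
    return m.group(1) or "", m.group(2), m.group(3) or ""


def rows_for(rows, debug_user_name):
    """Ids of radpostauth rows whose stored username equals a User-Name seen in debug output."""
    return [rid for rid, stored, _reply in rows if sql_unescape(stored) == debug_user_name]


# Constructed radpostauth rows: (id, username, reply).
ROWS = [
    (50, "user1@example.test", "Access-Accept"),
    (51, "=7bam=3d1=7d0123456789abcdef0123456789abcdef@example.test", "Access-Reject"),
    (52, "=7Bam=3D1=7Dfedcba9876543210fedcba9876543210@example.test", "Access-Reject"),
]

if __name__ == "__main__":
    for rid, stored, reply in ROWS:
        print(rid, reply, split_identity(sql_unescape(stored)))
```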


Re: Cleartext username

2010-08-26 Thread Kristoffer Milligan
The same thing happens during authentication when the CPE initially 
enters the network .. but then the username/password is decrypted and 
successfully compared in the database.


What's the difference between the accounting and the authentication .. 
apart from the info that's exchanged?


- Kristoffer Milligan

On 08/26/2010 01:11 PM, Alan DeKok wrote:

Kristoffer Milligan wrote:
   

as a small test. However, %{SQL-User-Name} is an encrypted version of
the username, which of course will not match anything in my database.
 

   Ask the client PC why it's sending an encrypted user name.

   

How can I get the username in a cleartext format?
 

   Figure out how the client PC is encrypting it, and decrypt it.

   Alan DeKok.


Segmentation fault

2010-04-28 Thread Kristoffer Milligan

Hello again list,

Thanks for the prompt reply on my previous inquiry regarding the 
compiling error. Worked perfectly with a new checkout.


A new problem has arrived though. I am trying to do some authentication 
on the WiMAX platform.


radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, 
built on Apr 27 2010 at 08:06:03


Everything seems to be working fine.
Client sends access request.
server sends challenge.
This happens back and forth as it should, the user is identified and the 
final challenges are meant to be exchanged:


Wed Apr 28 09:04:01 2010 : Info: (6) [ttls] Got tunneled Access-Accept
Wed Apr 28 09:04:01 2010 : Info: (6) [ttls] Got MS-CHAP2-Success, 
tunneling it to the client in a challenge.


Followed by

Sending Access-Challenge of id 39 to 192.168.106.11 port 1812
   EAP-Message = 
0x0107005f1580005517030100503aaea6b28c1d5d90e71ec96d69f5846508965193166f92b750af976df6b0363867e15725dfc8a2370622601bc3e9487f6aa9843bf2e469cc773c7e9815c52e15755de3a962215e0674d1368fbab98f24

   Message-Authenticator = 0x
   State = 0x912a18ab942d0dffd8d9c931385c748e
Wed Apr 28 09:04:01 2010 : Info: (6) Finished request 6.
Wed Apr 28 09:04:01 2010 : Debug: Going to the next request
Wed Apr 28 09:04:01 2010 : Debug: Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 192.168.106.11 port 1812, 
id=40, length=194

   User-Name = {am=1}15a251baf3194e3ca5681323e8284...@domain.tld
   EAP-Message = 0x020700061500
   Message-Authenticator = 0xfbce37cd2ed55658b94dbf0312e430fb
   NAS-Identifier = AAALAB
   NAS-IP-Address = 192.168.106.11
   Calling-Station-Id = 00-12-CF-C7-4D-A8
   WiMAX-BS-Id = 0x002f01010101
   NAS-Port-Type = 27
   Framed-MTU = 2000
   Service-Type = Framed-User
   WiMAX-GMT-Timezone-offset = 0
   State = 0x912a18ab942d0dffd8d9c931385c748e
Wed Apr 28 09:04:01 2010 : Info: (7) +- entering group authorize {...}
Wed Apr 28 09:04:01 2010 : Info: (7) ++[preprocess] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) ++[wimax] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) ++[chap] returns noop
Wed Apr 28 09:04:01 2010 : Info: (7) ++[mschap] returns noop
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Looking up realm 
domain.tld for User-Name = 
{am=1}15a251baf3194e3ca5681323e8284...@domain.tld

Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Found realm domain.tld
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Adding Stripped-User-Name 
= {am=1}15a251baf3194e3ca5681323e82848a0

Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Adding Realm = nextnet.no
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Authentication realm is LOCAL.
Wed Apr 28 09:04:01 2010 : Info: (7) ++[suffix] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] EAP packet type response id 7 
length 6

Wed Apr 28 09:04:01 2010 : Info: (7) [eap] Continuing tunnel setup.
Wed Apr 28 09:04:01 2010 : Info: (7) ++[eap] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) Found Auth-Type = EAP
Wed Apr 28 09:04:01 2010 : Info: (7) +- entering group authenticate {...}
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] Request found, released from 
the list

Wed Apr 28 09:04:01 2010 : Info: (7) [eap] EAP/ttls
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] processing type ttls
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] Authenticate
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] processing EAP-TLS
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] Received TLS ACK
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] ACK handshake is finished
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] eaptls_verify returned 3
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] eaptls_process returned 3
Segmentation fault


Any ideas why radiusd is segfaulting?


Compiling freeradius

2010-04-26 Thread Kristoffer Milligan
I'm trying to compile a fresh version of FreeRADIUS. I fetched the 
latest stable from
git://git.freeradius.org/freeradius-server.git using the information 
provided at http://git.freeradius.org/.


I am using the following configuration string:
./configure --with-experimental-modules


I want the experimental modules to support WiMAX.

Configuration works perfectly, but when building I get the following error:

make[6]: Leaving directory `/root/freeradius-server/src/modules/rlm_wimax'
make[5]: Leaving directory `/root/freeradius-server/src/modules'
make[4]: Leaving directory `/root/freeradius-server/src/modules'
Making all in main...
/usr/bin/make -w -C main all
make[4]: Entering directory `/root/freeradius-server/src/main'
/root/freeradius-server/libtool --mode=compile gcc  -g -O2 -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow 
-Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings 
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef 
-I/root/freeradius-server/src -DHOSTINFO=\x86_64-unknown-linux-gnu\ 
-DRADIUSD_VERSION=\2.2.0\  -DOPENSSL_NO_KRB5  -c event.c
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE 
-g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings 
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef 
-I/root/freeradius-server/src -DHOSTINFO=\x86_64-unknown-linux-gnu\ 
-DRADIUSD_VERSION=\2.2.0\ -DOPENSSL_NO_KRB5 -c event.c  -fPIC -DPIC -o 
.libs/event.o

event.c:634: warning: no previous prototype for 'revive_home_server'
event.c:852: warning: no previous prototype for 'mark_home_server_dead'
event.c: In function 'wait_a_bit':
event.c:1192: error: label 'stop_processing' used but not defined
event.c: In function 'radius_signal_self':
event.c:3819: warning: ignoring return value of 'write', declared with 
attribute warn_unused_result

make[4]: *** [event.lo] Error 1
make[4]: Leaving directory `/root/freeradius-server/src/main'
make[3]: *** [main] Error 2
make[3]: Leaving directory `/root/freeradius-server/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/freeradius-server/src'
make[1]: *** [src] Error 2
make[1]: Leaving directory `/root/freeradius-server'
make: *** [all] Error 2

Any suggestions to what I am messing up?

Thanks in advance,
Kristoffer Milligan


Re: Freeradius and Alvarion

2009-06-12 Thread Kristoffer Milligan
Good luck doing that ..

I've been working with alvarion equipment and trying to integrate with
freeradius for several months now .. the alvarion support has been
total sh.. uhh, poor. 

Let me know if you get anything working though .. I'd be interested.



Kristoffer Milligan, Postmaster
NextNet AS

Phone:  +47 4000 1999
Fax:+47 3832 2110
Web:http://www.nextnet.no
Adr:Lasta 50, 4400 Flekkefjord, Norway

  I have never done MAC authentication and I need to know if anyone
  has managed to do it. Is it possible to do MAC authentication on a
  Alvarion Base
  Station with freeradius 1.1.7 and if possible how do I set it up.
 
 Yes, mac auth is just a pap request where mac address is sent as
 username. Is it possible and how to set it up - read Alvarion manual
 or ask *their* technical support.
 
 Ivan Kalik
 Kalik Informatika ISP
 






FreeRADIUS + Alvarion 4Motion

2009-01-16 Thread Kristoffer Milligan
Hello again List

My battle to make FreeRADIUS work with the Alvarion 4Motion system
continues. I have been in contact with one of their engineers, and the
only thing he saw that seemed invalid was a couple of missing attributes
in the Access Accept response.

Please look at the following url:

https://www.norgespost.no/aaalog

Now, in the tunneled response, there are two attributes:

MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006

Why aren't these attributes passed to the access accept?

Has anyone here integrated FreeRADIUS with the 4Motion system before?

Desperate regards,
Kristoffer Milligan



Re: FreeRADIUS + Alvarion 4Motion

2009-01-16 Thread Kristoffer Milligan
It's set to yes I'm afraid:

ttls {
    default_eap_type = md5
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    virtual_server = inner-tunnel
}


On Fri, 2009-01-16 at 12:02 +0100, t...@kalik.net wrote:
 Change use_tunneled_reply to yes in ttls section of eap.conf.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 16/1/2009, Kristoffer Milligan kristof...@nextnet.no wrote:
 
 Hello again List
 
 My battle to make FreeRADIUS work with the Alvarion 4Motion system
 continues. I have been in contact with one of their engineers, and the
 only thing he saw that seemed invalid was a couple of missing attributes
 in the Access Accept response.
 
 Please look at the following url:
 
 https://www.norgespost.no/aaalog
 
 Now, in the tunneled response, there are two attributes:
 
 MS-MPPE-Encryption-Policy = 0x0001
 MS-MPPE-Encryption-Types = 0x0006
 
 Why aren't these attributes passed to the access accept?
 
 Has anyone here integrated FreeRADIUS with the 4Motion system before?
 
 Desperate regards,
 Kristoffer Milligan
 
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 
 
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS + Alvarion 4Motion

2009-01-16 Thread Kristoffer Milligan
That's a bit of my problem as well .. I'm not sure what goes where :)

Regarding the problem, that's the second part that's confusing. The AAA
says everything is OK. The ASN seemingly has what it needs, but the CPE
doesn't connect to the network. 

I had an Alvarion engineer look at the FreeRADIUS log, and the only
thing he could point out as mysterious, was the missing attributes ..
so I figured I'd try to implement them and see if it would help.

Kristoffer Milligan

On Fri, 2009-01-16 at 13:08 +0100, t...@kalik.net wrote:
 I see. And WiMAX attributes have been copied. I don't know much about
 WiMAX but are you sure that these are not contained in MPPE outer reply
 keys? They are different to ones in inner-tunnel. What problem is caused
 by the lack of these attributes in the reply?
 
 Ivan Kalik
 Kalik Informatika ISP
 
 

WiMAX Auth

2008-12-17 Thread Kristoffer Milligan
Here's my problem:

Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: WiMAX-MN-NAI was not found in the request or in the reply.
Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: We cannot calculate MN-HA keys.
Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: WiMAX-IP-Technology not found in reply.
Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: Not calculating MN-HA keys

My question is, where do I add these replies? I currently have my radius
doing its lookups in a MySQL database.

- Milligan -



Re: WiMAX Auth

2008-12-17 Thread Kristoffer Milligan
mysql> select * from radreply where username = 'kaffi';
+------+----------+---------------------+----+--------------+
| id   | username | attribute           | op | value        |
+------+----------+---------------------+----+--------------+
| 8614 | kaffi    | Filter-ID           | =  | Default      |
| 8615 | kaffi    | Session-Timeout     | =  | 3600         |
| 8626 | kaffi    | WiMAX-MN-NAI        | =  | %{User-Name} |
| 8627 | kaffi    | WiMAX-IP-Technology | =  | 3            |
+------+----------+---------------------+----+--------------+
4 rows in set (0.00 sec)

My dictionary entry:
ATTRIBUTE   WiMAX-MN-NAI    78  string

My serverlog:
Thu Dec 18 07:47:51 2008 : Info: +- entering group post-auth {...}
Thu Dec 18 07:47:51 2008 : Info: [wimax] MIP-RK = 0x9682b6cc9925949cce138e6fd148e9ac21c94c9e552ef2173c3e996aef87bff96f50564a5dcf85a505300a4e319349dce56c5a1f0308e6bb7e29a5f89e0a4949
Thu Dec 18 07:47:51 2008 : Info: [wimax] MIP-SPI = 41f3aefe
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: WiMAX-MN-NAI was not found in the request or in the reply.
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: We cannot calculate MN-HA keys.
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: WiMAX-IP-Technology not found in reply.
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: Not calculating MN-HA keys
Thu Dec 18 07:47:51 2008 : Info: ++[wimax] returns updated
Thu Dec 18 07:47:51 2008 : Info: ++[exec] returns noop
Sending Access-Accept of id 223 to 192.168.106.2 port 1812
    Filter-Id = Default
    Session-Timeout = 3600
    WiMAX-MN-NAI = %{User-Name}
    WiMAX-IP-Technology = CMIP4
    MS-MPPE-Recv-Key = 0x0d8927cde5e7cd69d7b1af9e38e7fb91948e2d4202cbdaa3b2273457423f9e03
    MS-MPPE-Send-Key = 0x84eb7dad459a1bbda54348214562953f89220223440dc41d95181167c4cedc95
    EAP-Message = 0x03080004
    Message-Authenticator = 0x
    User-Name = {am=1}155486b1a70ae371e7f2cacc01189ccc
Thu Dec 18 07:47:51 2008 : Info: Finished request 15.


Any idea what might be wrong?

PS: Changing WiMAX-MN-NAI = %{User-Name} to 'kaffi' doesn't make a
difference.

Sincerely,
Kristoffer Milligan


On Wed, 2008-12-17 at 22:58 +0100, t...@kalik.net wrote:
 My question is, where do I add these replies? I currently have my radius
 doing its lookups in a MySQL database.
 
 
 radreply table.
 
 Ivan Kalik
 Kalik Informatika ISP
 
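Added example (not part of the original thread, and not FreeRADIUS code): a small Python check that reads debug output of the kind posted above and reports module warnings, reply values that went out with an unexpanded %{...} string, and missing MPPE keys. It also masks key material before a log is shared. The sample log is constructed, and the function names are this example's own.

```python
import re

# Constructed sample modelled on the debug output in this thread (lines unwrapped,
# key values replaced with short placeholders).
SAMPLE_LOG = """\
Thu Dec 18 07:47:51 2008 : Info: [wimax] MIP-SPI = 41f3aefe
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: WiMAX-MN-NAI was not found in the request or in the reply.
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: We cannot calculate MN-HA keys.
Thu Dec 18 07:47:51 2008 : Info: ++[wimax] returns updated
Sending Access-Accept of id 223 to 192.168.106.2 port 1812
\tWiMAX-MN-NAI = %{User-Name}
\tWiMAX-IP-Technology = CMIP4
\tMS-MPPE-Recv-Key = 0x00112233aabbccdd
\tMS-MPPE-Send-Key = 0x44556677eeff0011
Thu Dec 18 07:47:51 2008 : Info: Finished request 15.
"""

WARNING_RE = re.compile(r"\[(\w+)\] WARNING: (.+)$")   # "[module] WARNING: text"
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")          # indented "Name = value"
SECRET_RE = re.compile(r"((?:MS-MPPE-(?:Recv|Send)-Key|MIP-RK)\s*=\s*)0x[0-9a-fA-F]+")

def parse_accept(log):
    """Return (module warnings, attributes of the last Access-Accept)."""
    warnings, attrs, in_accept = [], {}, False
    for line in log.splitlines():
        if line.startswith("Sending Access-Accept"):
            in_accept, attrs = True, {}
            continue
        m = ATTR_RE.match(line) if in_accept else None
        if m:
            attrs[m.group(1)] = m.group(2).strip()
            continue
        in_accept = False  # first non-attribute line ends the packet dump
        w = WARNING_RE.search(line)
        if w:
            warnings.append((w.group(1), w.group(2)))
    return warnings, attrs

def findings(log):
    """List the reply problems that are visible in the log."""
    warnings, attrs = parse_accept(log)
    out = [f"{mod}: {msg}" for mod, msg in warnings]
    out += [f"unexpanded value sent: {k} = {v}" for k, v in attrs.items() if "%{" in v]
    out += [f"missing {k}" for k in ("MS-MPPE-Recv-Key", "MS-MPPE-Send-Key") if k not in attrs]
    return out

def redact(log):
    """Mask session key material before the log is posted anywhere."""
    return SECRET_RE.sub(r"\g<1>0x<redacted>", log)
```
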


FreeRADIUS + WiMAX + Authentication

2008-12-16 Thread Kristoffer Milligan
Hello

I'm trying to set up FreeRADIUS as an AAA for an Alvaristar ASN gateway.
My current setup is this:

CPE (Client) - WiMAX radiolink - Basestation - ASN GW - AAA

Traffic is successfully traveling from one end to the other, and
authentication is seemingly correct, but the CPE still doesn't connect
for some reason. At this url is the logfile of the AAA server start, and
the connection process:

http://multigan.com/log.txt

To me, it seems that the login is successful. What does raise a question
though, is this line:

Info: [wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.

Is this correct behavior, or ?

Also, any ideas as to why the CPE doesn't associate after (apparently)
receiving a valid login?

Sincerely,
Kristoffer Milligan



Re: FreeRADIUS + WiMAX + Authentication

2008-12-16 Thread Kristoffer Milligan
OK

This is starting to make sense. The EAP authentication is successful but
I don't get any WiMAX keys to complete the authentication, because I
haven't provided all the information needed.

Now, according to the documentation in the module, it says:

#   MN-NAI is the Mobile node NAI.  You have to create it, and put
#   it into the request or reply as something like:
#
#       WiMAX-MN-NAI = %{User-Name}

I'm a bit confused as to what information I need to configure, and where to
configure it. Do you have a sample?

Kristoffer Milligan

On Tue, 2008-12-16 at 15:11 +0100, Alan DeKok wrote:
 Kristoffer Milligan wrote:
  To me, it seems that the login is successful. What does raise a question
  though, is this line:
  
  Info: [wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.
  
  Is this correct behavior, or ?
 
   You have not configured the server as per raddb/modules/wimax.
 
  Also, any ideas as to why the CPE doesn't associate after (apparently)
  receiving a valid login?
 
   Because it doesn't get the WiMAX keys that it needs.
 
   Alan DeKok.



Problem with Freeradius and WiMAX

2008-12-12 Thread Kristoffer Milligan
Good day list

This is my first post to the list, so let me open by congratulating you on a
great piece of software. I'm impressed.

I have the pleasure of working with WiMAX and a system called 4motion.
We have chosen to use FreeRadius as our AAA server, but are experiencing
some problems.

http://pastebin.com/m269e9250

As far as I can tell, everything is fine till I get the [eap] NAK asked
for unsupported type 21 error?

Could anyone give me any pointer or ideas about what I am doing wrong,
and how I can fix it?

Sincerely,
Kristoffer Milligan
