Re: Alvarion BreezeMAX 4Motion Service Profiles
You could try your luck and ask Alvarion what attributes are required in the access-accept for the BreezeMAX to accept the connection. Even better, ask for a tcpdump of a successful, minimalistic network entry. Don't hold your breath though ... chances are they'll flip you off/have no clue what you're talking about/show no interest in helping because they want to sell you bridgewater at a ridiculous price.

I see you are returning SP1 as your Filter-Id .. does that profile exist on the BreezeMAX station? I seem to recall it does .. but please double check :)

- Kristoffer

On 05/13/2011 08:44 AM, Ryan Williams wrote:
> Thanks Alan,
>
> I'm already running the master branch of Freeradius (as of two days ago). I have FreeRadius working with an Alvarion 4 Motion product but not with the Alvarion BreezeMax product. It seems to be ignoring my Access-Accept.
>
> Regards,
> Ryan Williams
>
> -----Original Message-----
> From: freeradius-users-bounces+ryan=integritynet.com...@lists.freeradius.org [mailto:freeradius-users-bounces+ryan=integritynet.com.au@lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Friday, 13 May 2011 3:09 PM
> To: FreeRadius users mailing list
> Subject: Re: Alvarion BreezeMAX 4Motion Service Profiles
>
> Ryan Williams wrote:
>> Has anyone been able to get the Alvarion BreezeMAX to apply a service profile for a subscriber through radius?
>
> Yes. Go to http://git.freeradius.org, and follow the instructions for downloading the git master branch. Then, edit share/dictionary to:
>
> - delete the $INCLUDE of the wimax alvarion dictionaries
> - add $INCLUDE dictionary.wimax.alvarion dictionary.alvarion.wimax (really)
>
> At that point it should be possible to return the non-standard attributes needed by Alvarion.
>
>> The following access accept works with the Alvarion 4Motion product but not with the BreezeMAX.
>
> They appear to have completely different code bases, and completely different needs for RADIUS. sigh
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Wrong packing of attributes?
-Minimum-Reserved-Traffic-Rate                     29.7   integer
ATTRIBUTE WiMAX-Maximum-Traffic-Burst              29.8   integer
ATTRIBUTE WiMAX-Tolerated-Jitter                   29.9   integer
ATTRIBUTE WiMAX-Maximum-Latency                    29.10  integer
ATTRIBUTE WiMAX-Reduced-Resources-Code             29.11  byte
ATTRIBUTE WiMAX-Media-Flow-Type                    29.12  byte
ATTRIBUTE WiMAX-Unsolicited-Grant-Interval         29.13  short
ATTRIBUTE WiMAX-SDU-Size                           29.14  short
ATTRIBUTE WiMAX-Unsolicited-Polling-Interval       29.15  short
ATTRIBUTE WiMAX-Media-Flow-Description-SDP         29.16  string

And should most definitely *not* be included in the WiMAX-Packet-Flow-Descriptor. Am I messing up something here, or could there be a bug in the encoder?

- Kristoffer Milligan
Re: Wrong packing of attributes?
On 03/25/2011 09:59 AM, Alan DeKok wrote:
> Kristoffer Milligan wrote:
>> Am I messing up something here, or could there be a bug in the encoder?
>
> Bug in the encoder. Fix pushed to git.
>
> WiMAX is *weird*.
>
> Alan DeKok.

Wohoo! I managed to spot something! :)

Anyway,

~/freeradius-server# git pull
Already up-to-date.

Did it push to production?
Re: Wrong packing of attributes?
You want the master branch mate,

git clone git://git.freeradius.org/freeradius-server.git

http://git.freeradius.org/

On 03/25/2011 02:06 PM, David Peterson wrote:
> Excellent! I just ran a git pull but not sure if I am set up correctly. Here is the output I received.
>
> From git://git.freeradius.org/freeradius-server
>    03f1be4..92caaa4  master     -> origin/master
>    2ae298a..14f534a  v2.1.x     -> origin/v2.1.x
>
> Should I make some changes to my git setup?
>
> David
>
> -----Original Message-----
> From: Alan DeKok [mailto:al...@deployingradius.com]
> Sent: Friday, March 25, 2011 8:44 AM
> To: David Peterson-WirelessConnections; FreeRadius users mailing list
> Subject: Re: Wrong packing of attributes?
>
> David Peterson wrote:
>> 1. Update to the latest version for 2.2
>
> It's now pre-3.0
>
>> 2. Define the R3 attributes in a separate dictionary.
>
> Already in share/dictionary.alvarion.wimax.v2_2
>
>> 3. Update the main dictionary.wimax to make sure all of the Alvarion WiMAX- attributes are added to that dictionary
>
> Already in share/dictionary.wimax.alvarion
>
>> 4. Let me know any success as I have yet to get the NAS to properly accept the service flow.
>
> Some fixes went in recently for encoding WiMAX attributes. The new -Xxx feature is very useful for debugging the detailed contents of packets.
>
> Alan DeKok.
Re: Sending attribute with sub-attributes
On 03/14/2011 11:48 AM, Alan DeKok wrote:
> Kristoffer Milligan wrote:
>> Attribute R3-IF-Descriptor
>>   Sub-TLV R3-IF-Name
>>           R3-IF-ID
>>           PDFID
>>
>> These are all exposed in the dictionary .. but running a MySQL based freeradius configuration, how do I return this type of packet when a user requests access?
>
> R3-IF-Name = foo
> R3-IF-ID = 1234
> ...
>
> The server will take care of encapsulating them into the R3-IF-Descriptor when it sends a packet. Until then, don't worry about it. :)

Will this also be taken care of for SUB-SUB TLVs?

Example:

Packet-Flow-Descriptor
  Packet-Data-Flow-ID
  Direction
  Transport-Type
  UplinkQoSID
  DownlinkQoSID
  Classifier
    ClassifierID
    Priority
    IP TOS/DSCP Range and Mask - whatever that is
    Direction

As you can see, the classifier takes subattributes as well...

- Kristoffer

> Alan DeKok.
Sending attribute with sub-attributes
Hello list,

I have compiled and am now running FR v3.0 and it seems to be working fine. I have reached the situation where I need to send attributes that contain sub TLVs for automatic configuration of WiMAX basestations. With great help from list user Ben Wiechman I have a dictionary that has been fit to match (as best possible) the specification provided by the equipment vendor.

For automatic configuration of the basestation, one of the attributes required is for example:

Attribute R3-IF-Descriptor
  Sub-TLV R3-IF-Name
          R3-IF-ID
          PDFID

These are all exposed in the dictionary .. but running a MySQL based freeradius configuration, how do I return this type of packet when a user requests access?

Sincerely,
Kristoffer Milligan
Re: Sending attribute with sub-attributes
You could run a radiusd -v to check the version that's installed.

If we are using the same vendor, it's likely that the unknown attributes are unknown simply because the vendor has messed them up .. :)

- Kristoffer

On 03/14/2011 01:54 PM, David Peterson wrote:
> I am working on the same issue, likely with the same NAS vendor. Is the order important? I am also seeing some unknown attributes in my pcap file. Perhaps I am on the wrong build. How do I verify if I am compiling 3.0 version?
>
> David
>
> -----Original Message-----
> From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Monday, March 14, 2011 6:48 AM
> To: FreeRadius users mailing list
> Subject: Re: Sending attribute with sub-attributes
>
> Kristoffer Milligan wrote:
>> Attribute R3-IF-Descriptor
>>   Sub-TLV R3-IF-Name
>>           R3-IF-ID
>>           PDFID
>>
>> These are all exposed in the dictionary .. but running a MySQL based freeradius configuration, how do I return this type of packet when a user requests access?
>
> R3-IF-Name = foo
> R3-IF-ID = 1234
> ...
>
> The server will take care of encapsulating them into the R3-IF-Descriptor when it sends a packet. Until then, don't worry about it. :)
>
> Alan DeKok.
Re: Sending attribute with sub-attributes
Yep :)

git clone git://git.freeradius.org/freeradius-server.git

- Kristoffer

On 03/14/2011 02:08 PM, David Peterson wrote:
> AHh ok great! It appears I am on v2.2. Should I be on 3.0 to support the sub-sub tlvs needed for this NAS?
>
> David
>
> -----Original Message-----
> From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Monday, March 14, 2011 9:05 AM
> To: David Peterson-WirelessConnections; FreeRadius users mailing list
> Subject: Re: Sending attribute with sub-attributes
>
> David Peterson wrote:
>> I am working on the same issue, likely with the same NAS vendor. Is the order important?
>
> Yes. List them in order of attribute number, lowest to highest. Basically, the same order that they are in the dictionary.
>
>> I am also seeing some unknown attributes in my pcap file.
>
> No... the pcap *viewer* you're using doesn't support the WiMAX attributes. This is not surprising. Wireshark grabbed the dictionaries from FreeRADIUS a few years ago, and haven't updated them since.
>
>> Perhaps I am on the wrong build. How do I verify if I am compiling 3.0 version?
>
> $ radiusd -v
>
> Alan DeKok.
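Because Wireshark's stale dictionaries cannot show where a sub-TLV actually landed, a small encoder/decoder for WiMAX vendor attributes is a useful check for both the ordering advice above and the mis-packed QoS sub-attributes from the "Wrong packing of attributes?" thread. This is an added example, not code from the list or from FreeRADIUS; it assumes the WiMAX VSA layout of type, length and continuation byte, the dictionary numbers 28 (WiMAX-Packet-Flow-Descriptor) and 29 (WiMAX-QoS-Descriptor), and the 29.x sub-attribute numbers and types quoted in that thread.

```python
"""Encode and decode WiMAX (vendor 24757) RADIUS VSAs that carry sub-TLVs.

Assumed wire format (WiMAX Forum NWG as modelled by dictionary.wimax):
RADIUS Vendor-Specific (26) | Length | Vendor-Id 24757, then one vendor
attribute as Type(1) | Length(1) | Continuation(1) | Value; sub-TLVs
inside a 'tlv' value are Type(1) | Length(1) | Value (no continuation).
"""
import struct

WIMAX_VENDOR_ID = 24757

# 28/29 are the top-level numbers in share/dictionary.wimax; the 29.x
# sub-attributes and their data types are the ones quoted in the thread.
PACKET_FLOW_DESCRIPTOR = 28
QOS_DESCRIPTOR = 29
QOS_SUBATTRS = {
    7: ("WiMAX-Minimum-Reserved-Traffic-Rate", "integer"),
    8: ("WiMAX-Maximum-Traffic-Burst", "integer"),
    9: ("WiMAX-Tolerated-Jitter", "integer"),
    10: ("WiMAX-Maximum-Latency", "integer"),
    11: ("WiMAX-Reduced-Resources-Code", "byte"),
    12: ("WiMAX-Media-Flow-Type", "byte"),
    13: ("WiMAX-Unsolicited-Grant-Interval", "short"),
    14: ("WiMAX-SDU-Size", "short"),
    15: ("WiMAX-Unsolicited-Polling-Interval", "short"),
    16: ("WiMAX-Media-Flow-Description-SDP", "string"),
}
_PACK = {"integer": ">I", "short": ">H", "byte": ">B"}


def encode_value(kind, value):
    """Encode one dictionary data type in network byte order."""
    if kind == "string":
        return value.encode()
    return struct.pack(_PACK[kind], value)


def encode_sub_tlvs(subs):
    """subs: {sub_type: bytes}.  Emitted lowest to highest type number,
    i.e. dictionary order, which is the order Alan recommends."""
    out = b""
    for sub_type in sorted(subs):
        value = subs[sub_type]
        out += struct.pack(">BB", sub_type, 2 + len(value)) + value
    return out


def encode_wimax_vsa(attr, payload):
    """Wrap one WiMAX vendor attribute (continuation byte 0) in attribute
    26.  Refuses payloads that would need continuation fragments."""
    inner = struct.pack(">BBB", attr, 3 + len(payload), 0) + payload
    if len(inner) + 6 > 255:
        raise ValueError("payload needs continuation fragments")
    return struct.pack(">BBI", 26, 6 + len(inner), WIMAX_VENDOR_ID) + inner


def split_sub_tlvs(blob):
    """Split a tlv value into [(sub_type, value_bytes)], checking lengths."""
    subs, j = [], 0
    while j < len(blob):
        if j + 2 > len(blob) or blob[j + 1] < 2 or j + blob[j + 1] > len(blob):
            raise ValueError("malformed sub-TLV at offset %d" % j)
        subs.append((blob[j], blob[j + 2:j + blob[j + 1]]))
        j += blob[j + 1]
    return subs


def decode_wimax_vsas(data):
    """Walk a run of RADIUS attributes; return {wimax_attr: [(sub, value)]}.
    Non-WiMAX attributes are skipped.  Fragments whose continuation bit
    (0x80) is set are reassembled before the sub-TLVs are split."""
    found, pending, i = {}, {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        if (atype == 26 and alen >= 9
                and struct.unpack(">I", data[i + 2:i + 6])[0] == WIMAX_VENDOR_ID):
            wattr, wlen, cont = data[i + 6], data[i + 7], data[i + 8]
            if wlen != alen - 6:
                raise ValueError("bad WiMAX length at offset %d" % i)
            pending[wattr] = pending.get(wattr, b"") + data[i + 9:i + alen]
            if not cont & 0x80:  # last (or only) fragment of this attribute
                found.setdefault(wattr, []).extend(split_sub_tlvs(pending.pop(wattr)))
        i += alen
    return found


def misplaced_qos_subattrs(decoded):
    """The thread's complaint: QoS sub-attributes (29.x) must never land
    inside WiMAX-Packet-Flow-Descriptor (28).  Returns the names that did."""
    return [QOS_SUBATTRS[s][0] for s, _ in decoded.get(PACKET_FLOW_DESCRIPTOR, [])
            if s in QOS_SUBATTRS]


def build_qos_descriptor(values):
    """values: {sub_type: python value}, typed per QOS_SUBATTRS."""
    subs = {s: encode_value(QOS_SUBATTRS[s][1], v) for s, v in values.items()}
    return encode_wimax_vsa(QOS_DESCRIPTOR, encode_sub_tlvs(subs))


if __name__ == "__main__":
    # Constructed sample: a QoS descriptor with three of the thread's fields.
    good = build_qos_descriptor({8: 1500, 7: 256000, 11: 1})
    print(misplaced_qos_subattrs(decode_wimax_vsas(good)))  # []
    # A deliberately mis-packed attribute, like the encoder bug reported above.
    bad = encode_wimax_vsa(PACKET_FLOW_DESCRIPTOR,
                           encode_sub_tlvs({7: encode_value("integer", 1)}))
    print(misplaced_qos_subattrs(decode_wimax_vsas(good + bad)))
```

Feed `decode_wimax_vsas` the attribute bytes of a captured Access-Accept to see under which top-level WiMAX attribute each sub-TLV was packed, independent of any dissector's dictionary.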
Compiling master branch
Due to the need for nested TLVs I'm trying to compile FreeRADIUS from the master branch:

git clone git://git.freeradius.org/freeradius-server.git

Also, I'm using FR for a WiMAX network, so I need the experimental modules:

./configure --with-experimental-modules

The configuration works fine, but when I try to compile the project, it fails:

root@radius:~/freeradius-server# make
.
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/freeradius-server/src -I/root/freeradius-server/src/modules/rlm_redis -c rlm_rediswho.c -fPIC -DPIC -o .libs/rlm_rediswho.o
In file included from rlm_rediswho.c:32:
/root/freeradius-server/src/modules/rlm_redis/rlm_redis.h:35:29: error: hiredis/hiredis.h: No such file or directory
In file included from rlm_rediswho.c:32:
/root/freeradius-server/src/modules/rlm_redis/rlm_redis.h:46: error: expected specifier-qualifier-list before 'redisContext'
rlm_rediswho.c: In function 'rediswho_command':
rlm_rediswho.c:124: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c:125: error: 'REDIS_REPLY_INTEGER' undeclared (first use in this function)
rlm_rediswho.c:125: error: (Each undeclared identifier is reported only once
rlm_rediswho.c:125: error: for each function it appears in.)
rlm_rediswho.c:127: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c:129: error: 'REDIS_REPLY_STATUS' undeclared (first use in this function)
rlm_rediswho.c:130: error: 'REDIS_REPLY_STRING' undeclared (first use in this function)
rlm_rediswho.c:132: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c: In function 'rediswho_accounting_start':
rlm_rediswho.c:264: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c:264: error: 'REDIS_REPLY_INTEGER' undeclared (first use in this function)
rlm_rediswho.c:265: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c: In function 'rediswho_accounting_alive':
rlm_rediswho.c:281: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c:281: error: 'REDIS_REPLY_INTEGER' undeclared (first use in this function)
rlm_rediswho.c:282: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c: In function 'rediswho_accounting_stop':
rlm_rediswho.c:299: error: 'REDISSOCK' has no member named 'reply'
rlm_rediswho.c:299: error: 'REDIS_REPLY_INTEGER' undeclared (first use in this function)
rlm_rediswho.c:300: error: 'REDISSOCK' has no member named 'reply'
make[6]: *** [rlm_rediswho.lo] Error 1
make[6]: Leaving directory `/root/freeradius-server/src/modules/rlm_rediswho'
make[5]: *** [rlm_rediswho] Error 2
make[5]: Leaving directory `/root/freeradius-server/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/root/freeradius-server/src/modules'
make[3]: *** [modules] Error 2
make[3]: Leaving directory `/root/freeradius-server/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/freeradius-server/src'
make[1]: *** [src] Error 2
make[1]: Leaving directory `/root/freeradius-server'
make: *** [all] Error 2

What lib am I missing ? Or what flag can I throw at --without- to circumvent the problem?

- Kristoffer Milligan
SQL Logging
Hello again,

I'm still fighting my little battle in copying attributes from the inner to the outer tunnel etc. I have now gotten as far that logging access-accepts is working as I want, but I'm now struggling logging access-rejects. Here's my SQL from dialup.conf:

postauth_query = "INSERT INTO ${postauth_table} \
                  (username, pass, reply, authdate) VALUES \
                  ('%{reply:SQL-User-Name}', '%{reply:Packet-Type}', \
                  '%{reply:Calling-Station-Id}', '%S');"

From a rejected session, I get this:

Fri Jan 28 09:48:05 2011 : Info: (5) [ttls] Got tunneled reply code 3
  Filter-Id = OBFUSCATED
  SQL-User-Name = OBFUSCATED
  Calling-Station-Id = OBFUSCATED
  MS-CHAP-Error = "\226E=691 R=1"
Fri Jan 28 09:48:05 2011 : Info: (5) +- entering group REJECT {...}
Fri Jan 28 09:48:05 2011 : Info: (5) [sql] expand: %{Stripped-User-Name} -> {am=1}OBFUSCATED
Fri Jan 28 09:48:05 2011 : Info: (5) [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> {am=1}OBFUSCATED
Fri Jan 28 09:48:05 2011 : Info: (5) [sql] sql_set_user escaped user --> '{am=1}OBFUSCATED'
Fri Jan 28 09:48:05 2011 : Info: (5) [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{reply:SQL-User-Name}', '%{reply:Packet-Type}', '%{reply:Calling-Station-Id}', '%S'); -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('', 'Access-Reject', '', '2011-01-28 09:48:05');
Fri Jan 28 09:48:05 2011 : Debug: rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('', 'Access-Reject', '', '2011-01-28 09:48:05');

From an accepted session, everything works fine and the SQL-User-Name and Calling-Station-Id are logged as expected. How come the attributes are empty, even though they are in the reply, only when an access-reject is given?

- Kristoffer
Re: SQL Logging
So there is no way to get hold of them ?

- Kris

On 01/28/2011 10:36 AM, Alan DeKok wrote:
> Kristoffer Milligan wrote:
>> From an accepted session, everything works fine and the SQL-User-Name and Calling-Station-Id are logged as expected. How come the attributes are empty, even though they are in the reply, only when an access-reject is given?
>
> The attributes aren't copied on reject.
>
> Alan DeKok.
Logging Authentication Rejects
radiusd: FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on Apr 30 2010 at 09:48:09

root@hostname:~# lsb_release -a
Distributor ID: Ubuntu
Description:    Ubuntu 9.10
Release:        9.10
Codename:       karmic

Good day list,

I am trying to set up some logging on my radius server. The server is responsible for a WiMAX network running on equipment from Alvarion. After a troublesome start, things are starting to straighten out. I've now reached the point where I want to apply some additional logging to start ironing out minor bugs.

Running FR in debug mode, I see the occasional access-reject (mostly caused by wrongly configured username/passwords), and I would like to log these to my database. In my default tunnel, I have added sql_log module to the post-auth section, subsection Post-Auth-Type REJECT. The default SQL looks like this:

# Post-Auth = "INSERT INTO ${postauth_table} \
#              (username, pass, reply, authdate) VALUES \
#              ('%{User-Name}', '%{User-Password:-Chap-Password}', \
#              '%{reply:Packet-Type}', '%S');"

which would provide a line of log (in my case) looking something like this:

Incremental Id, =F8=f334534534645645645...@wimax.com, '', 'Access-Reject', DATETIME.

(The username is just something I typed out, but that's what they look like).

This data is good to give me an idea of how many access rejects I am getting, but I have no clue from what usernames they are coming, nor WHY they were rejected. I know that the username in the inner tunnel is plaintext as well, meaning it looks like i.e. kristof...@wimax.com.

My question is: What should my SQL look like if I want to log the following data:

Incremental id, 'Attempted/Cleartext Username', 'Attempted/Cleartext password', 'Access-Reject - {Rejection-Reason}', DATETIME ?

Looking forward to your replies..

Sincerely,
Kristoffer Milligan
SQL Logging Access-Reject
Hello again list,

I'm still working on my FreeRADIUS server in connection with 4Motion equipment from Alvarion. It's getting better and better and more integrated, but I still have a few quirks I need to work out.

My main problem now is the logging part. In the post-auth section, I have added some SQL logging. I am logging Access-Accept and Access-Reject. My problem is that access-rejects are appearing scrambled.. Example:

| 50 | us...@mydomain.tld                                        |  | Access-Accept | 2010-09-10 10:53:36 |
| 51 | =7bam=3d1=7d917341235f4283123a58e52b623d2...@mydomain.tld |  | Access-Reject | 2010-09-10 10:53:39 |
| 52 | =7bam=3d1=7ac00fa703f004q25ed1ef4e3dcb5f4...@mydomain.tld |  | Access-Reject | 2010-09-10 10:53:47 |
| 53 | us...@mydomain.tld                                        |  | Access-Accept | 2010-09-10 10:53:58 |

The SQL statement from sql_log module is:

Post-Auth = "INSERT INTO ${postauth_table} \
             (username, pass, reply, authdate) VALUES \
             ('%{SQL-User-Name}', '%{User-Password:-Chap-Password}', \
             '%{reply:Packet-Type}', '%S');"

How can I log the tried username in cleartext?

- Kristoffer Milligan
Cleartext username
Hello list,

I am currently using FreeRADIUS as my AAA server for a WiMAX network. Authentication is working perfectly, and the server is performing well. As part of my infrastructure-design I need to be able to forcibly kick users off the radiolink. As far as I have understood, this needs to be done using CoA/Disconnect-Request packets forged to match the NAS requirement. So far, so good.

I have set up this query in my accounting section:

if (%{sql:SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now'}) {
    update disconnect {
        Reply-Message = "You have been closed."
    }
}

as a small test. However, %{SQL-User-Name} is an encrypted version of the username, which of course will not match anything in my database.

Thu Aug 26 11:16:42 2010 : Info: (2) expand: SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now' -> SELECT value FROM radcheck WHERE UserName = '=8Ham=3D1=7A62345d3c567f85678749f233ebe4577fbad' and attribute = 'Acct-Logout-Now'
Thu Aug 26 11:16:42 2010 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Thu Aug 26 11:16:42 2010 : Info: (2) SQL query did not return any results
Thu Aug 26 11:16:42 2010 : Debug: rlm_sql (sql): Released sql socket id: 0
Thu Aug 26 11:16:42 2010 : Info: (2) expand: %{sql:SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now'} ->
Thu Aug 26 11:16:42 2010 : Info: (2) ? Evaluating (%{sql:SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now'}) -> FALSE
Thu Aug 26 11:16:42 2010 : Info: (2) ++? if (%{sql:SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now'}) -> FALSE

How can I get the username in a cleartext format?

Thanks in advance,

- Kristoffer Milligan
Re: Cleartext username
The same thing happens during authentication when the CPE initially enters the network .. but then the username/password is decrypted and successfully compared in the database. What's the difference between the accounting and the authentication .. apart from the info that's exchanged?

- Kristoffer Milligan

On 08/26/2010 01:11 PM, Alan DeKok wrote:
> Kristoffer Milligan wrote:
>> as a small test. However, %{SQL-User-Name} is an encrypted version of the username, which of course will not match anything in my database.
>
> Ask the client PC why it's sending an encrypted user name.
>
>> How can I get the username in a cleartext format?
>
> Figure out how the client PC is encrypting it, and decrypt it.
>
> Alan DeKok.
Segmentation fault
Hello again list,

Thanks for the prompt reply on my previous inquiry regarding the compiling error. Worked perfectly with a new checkout. A new problem has arrived though.

I am trying to do some authentication on the WiMAX platform.

radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on Apr 27 2010 at 08:06:03

Everything seems to be working fine. Client sends access request, server sends challenge. This happens back and forth as it should, the user is identified and the final challenges are meant to be exchanged:

Wed Apr 28 09:04:01 2010 : Info: (6) [ttls] Got tunneled Access-Accept
Wed Apr 28 09:04:01 2010 : Info: (6) [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.

Followed by

Sending Access-Challenge of id 39 to 192.168.106.11 port 1812
  EAP-Message = 0x0107005f1580005517030100503aaea6b28c1d5d90e71ec96d69f5846508965193166f92b750af976df6b0363867e15725dfc8a2370622601bc3e9487f6aa9843bf2e469cc773c7e9815c52e15755de3a962215e0674d1368fbab98f24
  Message-Authenticator = 0x
  State = 0x912a18ab942d0dffd8d9c931385c748e
Wed Apr 28 09:04:01 2010 : Info: (6) Finished request 6.
Wed Apr 28 09:04:01 2010 : Debug: Going to the next request
Wed Apr 28 09:04:01 2010 : Debug: Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 192.168.106.11 port 1812, id=40, length=194
  User-Name = {am=1}15a251baf3194e3ca5681323e8284...@domain.tld
  EAP-Message = 0x020700061500
  Message-Authenticator = 0xfbce37cd2ed55658b94dbf0312e430fb
  NAS-Identifier = AAALAB
  NAS-IP-Address = 192.168.106.11
  Calling-Station-Id = 00-12-CF-C7-4D-A8
  WiMAX-BS-Id = 0x002f01010101
  NAS-Port-Type = 27
  Framed-MTU = 2000
  Service-Type = Framed-User
  WiMAX-GMT-Timezone-offset = 0
  State = 0x912a18ab942d0dffd8d9c931385c748e
Wed Apr 28 09:04:01 2010 : Info: (7) +- entering group authorize {...}
Wed Apr 28 09:04:01 2010 : Info: (7) ++[preprocess] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) ++[wimax] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) ++[chap] returns noop
Wed Apr 28 09:04:01 2010 : Info: (7) ++[mschap] returns noop
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Looking up realm domain.tld for User-Name = {am=1}15a251baf3194e3ca5681323e8284...@domain.tld
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Found realm domain.tld
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Adding Stripped-User-Name = {am=1}15a251baf3194e3ca5681323e82848a0
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Adding Realm = nextnet.no
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Authentication realm is LOCAL.
Wed Apr 28 09:04:01 2010 : Info: (7) ++[suffix] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] EAP packet type response id 7 length 6
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] Continuing tunnel setup.
Wed Apr 28 09:04:01 2010 : Info: (7) ++[eap] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) Found Auth-Type = EAP
Wed Apr 28 09:04:01 2010 : Info: (7) +- entering group authenticate {...}
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] Request found, released from the list
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] EAP/ttls
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] processing type ttls
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] Authenticate
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] processing EAP-TLS
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] Received TLS ACK
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] ACK handshake is finished
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] eaptls_verify returned 3
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] eaptls_process returned 3
Segmentation fault

Any ideas why radiusd is segfaulting?
Compiling freeradius
I'm trying to compile a fresh version of FreeRADIUS. I fetched the latest stable from git://git.freeradius.org/freeradius-server.git using the information provided at http://git.freeradius.org/.

I am using the following configuration string:

./configure --with-experimental-modules

I want the experimental modules to support WiMAX. Configuration works perfectly, but when building I get the following error:

make[6]: Leaving directory `/root/freeradius-server/src/modules/rlm_wimax'
make[5]: Leaving directory `/root/freeradius-server/src/modules'
make[4]: Leaving directory `/root/freeradius-server/src/modules'
Making all in main...
/usr/bin/make -w -C main all
make[4]: Entering directory `/root/freeradius-server/src/main'
/root/freeradius-server/libtool --mode=compile gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/freeradius-server/src -DHOSTINFO=\"x86_64-unknown-linux-gnu\" -DRADIUSD_VERSION=\"2.2.0\" -DOPENSSL_NO_KRB5 -c event.c
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/freeradius-server/src -DHOSTINFO=\"x86_64-unknown-linux-gnu\" -DRADIUSD_VERSION=\"2.2.0\" -DOPENSSL_NO_KRB5 -c event.c -fPIC -DPIC -o .libs/event.o
event.c:634: warning: no previous prototype for 'revive_home_server'
event.c:852: warning: no previous prototype for 'mark_home_server_dead'
event.c: In function 'wait_a_bit':
event.c:1192: error: label 'stop_processing' used but not defined
event.c: In function 'radius_signal_self':
event.c:3819: warning: ignoring return value of 'write', declared with attribute warn_unused_result
make[4]: *** [event.lo] Error 1
make[4]: Leaving directory `/root/freeradius-server/src/main'
make[3]: *** [main] Error 2
make[3]: Leaving directory `/root/freeradius-server/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/freeradius-server/src'
make[1]: *** [src] Error 2
make[1]: Leaving directory `/root/freeradius-server'
make: *** [all] Error 2

Any suggestions to what I am messing up?

Thanks in advance,
Kristoffer Milligan
Re: Freeradius and Alvarion
Good luck doing that .. I've been working with alvarion equipment and trying to integrate with freeradius for several months now .. the alvarion support has been total sh.. uhh, poor.

Let me know if you get anything working though .. I'd be interested.

Kristoffer Milligan, Postmaster
NextNet AS
Phone: +47 4000 1999
Fax:   +47 3832 2110
Web:   http://www.nextnet.no
Adr:   Lasta 50, 4400 Flekkefjord, Norway

>> I have never done MAC authentication and I need to know if anyone has managed to do it. Is it possible to do MAC authentication on an Alvarion Base Station with freeradius 1.1.7 and if possible how do I set it up.
>
> Yes, mac auth is just a pap request where mac address is sent as username. Is it possible and how to set it up - read Alvarion manual or ask *their* technical support.
>
> Ivan Kalik
> Kalik Informatika ISP
FreeRADIUS + Alvarion 4Motion
Hello again List

My battle to make FreeRADIUS work with the Alvarion 4Motion system continues. I have been in contact with one of their engineers, and the only thing he saw that seemed invalid was a couple of missing attributes in the Access Accept response.

Please look at the following url: https://www.norgespost.no/aaalog

Now, in the tunneled response, there are two attributes:

MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006

Why aren't these attributes passed to the access accept? Has anyone here integrated FreeRADIUS with the 4Motion system before?

Desperate regards,
Kristoffer Milligan
Re: FreeRADIUS + Alvarion 4Motion
It's set to yes I'm afraid:

ttls {
    default_eap_type = md5
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    virtual_server = inner-tunnel
}

On Fri, 2009-01-16 at 12:02 +0100, t...@kalik.net wrote:
> Change use_tunneled_reply to yes in ttls section of eap.conf.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 16/1/2009, Kristoffer Milligan kristof...@nextnet.no wrote:
>> Hello again List
>>
>> My battle to make FreeRADIUS work with the Alvarion 4Motion system continues. I have been in contact with one of their engineers, and the only thing he saw that seemed invalid was a couple of missing attributes in the Access Accept response.
>>
>> Please look at the following url: https://www.norgespost.no/aaalog
>>
>> Now, in the tunneled response, there are two attributes:
>>
>> MS-MPPE-Encryption-Policy = 0x0001
>> MS-MPPE-Encryption-Types = 0x0006
>>
>> Why aren't these attributes passed to the access accept? Has anyone here integrated FreeRADIUS with the 4Motion system before?
>>
>> Desperate regards,
>> Kristoffer Milligan
Re: FreeRADIUS + Alvarion 4Motion
That's a bit of my problem as well .. I'm not sure what goes where :)

Regarding the problem, that's the second part that's confusing. The AAA says everything is OK. The ASN seemingly has what it needs, but the CPE doesn't connect to the network. I had an Alvarion engineer look at the FreeRADIUS log, and the only thing he could point out as mysterious was the missing attributes .. so I figured I'd try to implement them and see if it would help.

Kristoffer Milligan

On Fri, 2009-01-16 at 13:08 +0100, t...@kalik.net wrote:
> I see. And WiMAX attributes have been copied. I don't know much about WiMAX, but are you sure that these are not contained in MPPE outer reply keys? They are different to ones in inner-tunnel.
>
> What problem is caused by the lack of these attributes in the reply?
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 16/1/2009, Kristoffer Milligan kristof...@nextnet.no wrote:
>> It's set to yes I'm afraid:
>>
>> ttls {
>>     default_eap_type = md5
>>     copy_request_to_tunnel = yes
>>     use_tunneled_reply = yes
>>     virtual_server = inner-tunnel
>> }
>>
>> On Fri, 2009-01-16 at 12:02 +0100, t...@kalik.net wrote:
>>> Change use_tunneled_reply to yes in ttls section of eap.conf.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> On 16/1/2009, Kristoffer Milligan kristof...@nextnet.no wrote:
>>>> Hello again List
>>>>
>>>> My battle to make FreeRADIUS work with the Alvarion 4Motion system continues. I have been in contact with one of their engineers, and the only thing he saw that seemed invalid was a couple of missing attributes in the Access Accept response.
>>>>
>>>> Please look at the following url: https://www.norgespost.no/aaalog
>>>>
>>>> Now, in the tunneled response, there are two attributes:
>>>>
>>>> MS-MPPE-Encryption-Policy = 0x0001
>>>> MS-MPPE-Encryption-Types = 0x0006
>>>>
>>>> Why aren't these attributes passed to the access accept? Has anyone here integrated FreeRADIUS with the 4Motion system before?
>>>>
>>>> Desperate regards,
>>>> Kristoffer Milligan
WiMAX Auth
Here's my problem:

Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: WiMAX-MN-NAI was not found in the request or in the reply.
Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: We cannot calculate MN-HA keys.
Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: WiMAX-IP-Technology not found in reply.
Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: Not calculating MN-HA keys

My question is, where do I add these replies? I currently have my radius doing its lookups in a MySQL database.

- Milligan -
Re: WiMAX Auth
mysql> select * from radreply where username = 'kaffi';
+------+----------+---------------------+----+--------------+
| id   | username | attribute           | op | value        |
+------+----------+---------------------+----+--------------+
| 8614 | kaffi    | Filter-ID           | =  | Default      |
| 8615 | kaffi    | Session-Timeout     | =  | 3600         |
| 8626 | kaffi    | WiMAX-MN-NAI        | =  | %{User-Name} |
| 8627 | kaffi    | WiMAX-IP-Technology | =  | 3            |
+------+----------+---------------------+----+--------------+
4 rows in set (0.00 sec)

My dictionary entry:

ATTRIBUTE	WiMAX-MN-NAI	78	string

My serverlog:

Thu Dec 18 07:47:51 2008 : Info: +- entering group post-auth {...}
Thu Dec 18 07:47:51 2008 : Info: [wimax] MIP-RK = 0x9682b6cc9925949cce138e6fd148e9ac21c94c9e552ef2173c3e996aef87bff96f50564a5dcf85a505300a4e319349dce56c5a1f0308e6bb7e29a5f89e0a4949
Thu Dec 18 07:47:51 2008 : Info: [wimax] MIP-SPI = 41f3aefe
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: WiMAX-MN-NAI was not found in the request or in the reply.
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: We cannot calculate MN-HA keys.
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: WiMAX-IP-Technology not found in reply.
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: Not calculating MN-HA keys
Thu Dec 18 07:47:51 2008 : Info: ++[wimax] returns updated
Thu Dec 18 07:47:51 2008 : Info: ++[exec] returns noop
Sending Access-Accept of id 223 to 192.168.106.2 port 1812
	Filter-Id = Default
	Session-Timeout = 3600
	WiMAX-MN-NAI = %{User-Name}
	WiMAX-IP-Technology = CMIP4
	MS-MPPE-Recv-Key = 0x0d8927cde5e7cd69d7b1af9e38e7fb91948e2d4202cbdaa3b2273457423f9e03
	MS-MPPE-Send-Key = 0x84eb7dad459a1bbda54348214562953f89220223440dc41d95181167c4cedc95
	EAP-Message = 0x03080004
	Message-Authenticator = 0x
	User-Name = {am=1}155486b1a70ae371e7f2cacc01189ccc
Thu Dec 18 07:47:51 2008 : Info: Finished request 15.

Any idea what might be wrong?

PS: Changing WiMAX-MN-NAI = %{User-Name} to 'kaffi' doesn't make a difference.

Sincerely,
Kristoffer Milligan

On Wed, 2008-12-17 at 22:58 +0100, t...@kalik.net wrote:
> > My question is, where do I add these replies? I currently have my radius doing its lookups in a MySQL database.
>
> radreply table.
>
> Ivan Kalik
> Kalik Informatika ISP
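The debug output above can be checked mechanically rather than by eye. The following Python is an added example written for this page, not code from the thread or from FreeRADIUS: it parses the [wimax] WARNING lines and the attribute list of the Access-Accept out of a FreeRADIUS debug log and reports what stands between this reply and usable WiMAX keys. The sample log is constructed from the lines quoted above with the key material shortened; the attribute names WiMAX-MN-hHA-MIP4-Key and WiMAX-MN-hHA-MIP6-Key are the dictionary.wimax names as I recall them (an assumption), and the remark that a module locates attributes by dictionary number is my reading of how FreeRADIUS modules work, not something the thread states.

```python
import re

# Constructed sample: the debug output quoted in the thread, abridged
# (key material shortened, one Access-Accept only).
SAMPLE_LOG = """\
Thu Dec 18 07:47:51 2008 : Info: +- entering group post-auth {...}
Thu Dec 18 07:47:51 2008 : Info: [wimax] MIP-RK = 0x9682b6cc9925949c
Thu Dec 18 07:47:51 2008 : Info: [wimax] MIP-SPI = 41f3aefe
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: WiMAX-MN-NAI was not found in the request or in the reply.
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: We cannot calculate MN-HA keys.
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: WiMAX-IP-Technology not found in reply.
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: Not calculating MN-HA keys
Thu Dec 18 07:47:51 2008 : Info: ++[wimax] returns updated
Sending Access-Accept of id 223 to 192.168.106.2 port 1812
\tFilter-Id = Default
\tSession-Timeout = 3600
\tWiMAX-MN-NAI = %{User-Name}
\tWiMAX-IP-Technology = CMIP4
\tMS-MPPE-Recv-Key = 0x0d8927cde5e7cd69
\tMS-MPPE-Send-Key = 0x84eb7dad459a1bbd
\tEAP-Message = 0x03080004
\tMessage-Authenticator = 0x
\tUser-Name = {am=1}155486b1a70ae371e7f2cacc01189ccc
Thu Dec 18 07:47:51 2008 : Info: Finished request 15.
"""

ACCEPT_RE = re.compile(r"^Sending Access-Accept of id \d+ to \S+ port \d+$")
# Reply attributes are printed indented under the "Sending ..." line.
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9.-]+)\s*=\s*(.*)$")
WARN_RE = re.compile(r"\[wimax\] WARNING: (.*)$")

# Attributes rlm_wimax adds once it can derive the MN-HA key (names as in
# dictionary.wimax to the best of my recollection; assumption).
KEY_ATTRS = ("WiMAX-MN-hHA-MIP4-Key", "WiMAX-MN-hHA-MIP6-Key")
NO_KEYS = "no WiMAX-MN-hHA-MIP*-Key in the Access-Accept: the CPE gets no MN-HA key"


def parse_access_accept(log):
    """Return [(attribute, value), ...] of the last Access-Accept in the log."""
    attrs, in_reply = [], False
    for line in log.splitlines():
        if ACCEPT_RE.match(line):
            attrs, in_reply = [], True
            continue
        if in_reply:
            m = ATTR_RE.match(line)
            if not m:           # first non-indented line ends the attribute list
                in_reply = False
                continue
            attrs.append((m.group(1), m.group(2).rstrip()))
    return attrs


def wimax_warnings(log):
    """Return the text of every '[wimax] WARNING:' line, in order."""
    return [m.group(1).strip() for m in map(WARN_RE.search, log.splitlines()) if m]


def audit(log):
    """List the reasons this Access-Accept carries no usable WiMAX keys."""
    attrs = parse_access_accept(log)
    names = {name for name, _ in attrs}
    warnings = wimax_warnings(log)
    findings = ["rlm_wimax: " + w for w in warnings]
    for name, value in attrs:
        # A literal %{...} on the wire means the xlat was never expanded.
        if "%{" in value:
            findings.append("%s is sent as the literal string %r; the xlat was never expanded" % (name, value))
    for needed in ("WiMAX-MN-NAI", "WiMAX-IP-Technology"):
        # Present in the reply yet reported missing: the module finds attributes by
        # dictionary number, so a local dictionary entry with another number is invisible to it.
        if needed in names and any(needed in w for w in warnings):
            findings.append("%s is in the Access-Accept but rlm_wimax reports it missing: "
                            "check that the dictionary entry is the one the module was built against" % needed)
    if not names & set(KEY_ATTRS):
        findings.append(NO_KEYS)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("-", finding)
```

Run against the log above it reports the four module warnings, the unexpanded %{User-Name}, the two attributes the reply carries but the module did not see, and the absence of any MN-hHA key; the last three are the points worth raising with the vendor, since they explain why the CPE is told "accept" yet receives nothing it can key from.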
FreeRADIUS + WiMAX + Authentication
Hello

I'm trying to set up FreeRADIUS as an AAA for an Alvaristar ASN gateway. My current setup is this:

CPE (Client) - WiMAX radiolink - Basestation - ASN GW - AAA

Traffic is successfully traveling from one end to the other, and authentication is seemingly correct, but the CPE still doesn't connect for some reason. At this url is the logfile of the AAA server start, and the connection process: http://multigan.com/log.txt

To me, it seems that the login is successful. What does raise a question though, is this line:

Info: [wimax] No EAP-MSK or EAP-EMSK. Cannot create WiMAX keys.

Is this correct behavior, or ?

Also, any ideas as to why the CPE doesn't associate after (apparently) receiving a valid login?

Sincerely,
Kristoffer Milligan
Re: FreeRADIUS + WiMAX + Authentication
OK

This is starting to make sense. The EAP authentication is successful but I don't get any WiMAX keys to complete the authentication, because I haven't provided all the information needed.

Now, according to the documentation in the module, it says:

#  MN-NAI is the Mobile node NAI.  You have to create it, and put
#  it into the request or reply as something like:
#
#	WiMAX-MN-NAI = %{User-Name}

I'm a bit confused as to what information I need to configure, and where to configure it. Do you have a sample?

Kristoffer Milligan

On Tue, 2008-12-16 at 15:11 +0100, Alan DeKok wrote:
> Kristoffer Milligan wrote:
> > To me, it seems that the login is successful. What does raise a question though, is this line:
> >
> > Info: [wimax] No EAP-MSK or EAP-EMSK. Cannot create WiMAX keys.
> >
> > Is this correct behavior, or ?
>
> You have not configured the server as per raddb/modules/wimax.
>
> > Also, any ideas as to why the CPE doesn't associate after (apparently) receiving a valid login?
>
> Because it doesn't get the WiMAX keys that it needs.
>
> Alan DeKok.
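What "the WiMAX keys that it needs" are, and why each warning in the thread blocks one of them, is easier to see from the derivation itself. The Python below is an added example written for this page, not the thread's code and not taken from rlm_wimax: it is the WiMAX NWG key hierarchy as I understand it, MIP-RK from the EAP-EMSK, MIP-SPI from MIP-RK, and then the MN-HA key, which is exactly where WiMAX-MN-NAI, WiMAX-IP-Technology and the home-agent address enter. Everything not quoted from the thread is an assumption: the usage-data layout, the "SPI CMIP PMIP" and "*MNHA" label strings, the IP-Technology codes 2/3/4 (only CMIP4 = 3 is on the page), the SPI offsets, the reply attribute names, and the constructed EMSK, NAI and HA address.

```python
import hashlib
import hmac
import ipaddress

# WiMAX-IP-Technology value -> (label, SPI offset, HA address length in octets).
# CMIP4 = 3 matches the radreply row in the thread; PMIP4 = 2 and CMIP6 = 4
# are assumptions (dictionary.wimax as I recall it).
IP_TECHNOLOGY = {
    2: (b"PMIP4MNHA", 1, 4),
    3: (b"CMIP4MNHA", 0, 4),
    4: (b"CMIP6MNHA", 2, 16),
}


def _usage_data(counter):
    # "miprk@wimaxforum.org" | 0x00 | 0x0200 (512-bit output length) | counter
    # (assumed layout; not quoted in the thread)
    return b"miprk@wimaxforum.org\x00\x02\x00" + bytes([counter])


def mip_rk(emsk):
    """MIP-RK = MIP-RK-1 | MIP-RK-2, both HMAC-SHA256 keyed with the 64-octet EMSK.
    This is the value the log prints as '[wimax] MIP-RK = 0x...'."""
    if len(emsk) != 64:
        raise ValueError("EAP-EMSK must be 64 octets")
    rk1 = hmac.new(emsk, _usage_data(1), hashlib.sha256).digest()
    rk2 = hmac.new(emsk, rk1 + _usage_data(2), hashlib.sha256).digest()
    return rk1 + rk2


def mip_spi(rk):
    """Four most significant octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP");
    values below 256 are reserved, so 256 is added to them (assumption)."""
    digest = hmac.new(rk, b"SPI CMIP PMIP", hashlib.sha256).digest()
    spi = int.from_bytes(digest[:4], "big")
    return spi + 256 if spi < 256 else spi


def missing_inputs(mn_nai, ip_technology, ha_ip):
    """The same preconditions rlm_wimax logs as WARNINGs in the thread, as a list
    of the attributes that still have to be supplied."""
    missing = []
    if not mn_nai:
        missing.append("WiMAX-MN-NAI")
    if ip_technology not in IP_TECHNOLOGY:
        missing.append("WiMAX-IP-Technology")
    elif ha_ip is None:
        missing.append("WiMAX-hHA-IP-MIP6" if ip_technology == 4 else "WiMAX-hHA-IP-MIP4")
    return missing


def mn_ha_key(emsk, mn_nai, ip_technology, ha_ip):
    """Return (MN-HA key, SPI). Raises with the attribute list if the derivation
    cannot proceed, mirroring 'We cannot calculate MN-HA keys'."""
    missing = missing_inputs(mn_nai, ip_technology, ha_ip)
    if missing:
        raise ValueError("cannot calculate MN-HA keys, missing " + ", ".join(missing))
    label, spi_offset, addr_len = IP_TECHNOLOGY[ip_technology]
    addr = ipaddress.ip_address(ha_ip).packed
    if len(addr) != addr_len:
        raise ValueError("HA address family does not match WiMAX-IP-Technology")
    rk = mip_rk(emsk)
    # The NAI is bound into the key: without it the AAA and the HA cannot agree on one.
    key = hmac.new(rk, label + addr + mn_nai.encode("utf-8"), hashlib.sha256).digest()
    return key, mip_spi(rk) + spi_offset


def reply_attributes(emsk, mn_nai, ip_technology, ha_ip):
    """The attributes the AAA would add to the Access-Accept (names assumed)."""
    key, spi = mn_ha_key(emsk, mn_nai, ip_technology, ha_ip)
    suffix = "MIP6" if ip_technology == 4 else "MIP4"
    return {"WiMAX-MN-hHA-%s-Key" % suffix: key.hex(),
            "WiMAX-MN-hHA-%s-SPI" % suffix: spi}


if __name__ == "__main__":
    emsk = bytes(range(64))        # constructed; a real EMSK comes from the EAP method
    print("missing with an empty reply:", missing_inputs(None, None, None))
    print("MIP-SPI:", "%08x" % mip_spi(mip_rk(emsk)))
    # "kaffi" is the user from the thread; 10.0.0.1 is a constructed HA address.
    for name, value in reply_attributes(emsk, "kaffi", 3, "10.0.0.1").items():
        print("%s = %s" % (name, value))
```

Reading the thread's log against this: MIP-RK and MIP-SPI are printed, so the EMSK was available and mip_rk()/mip_spi() succeeded; the two WARNINGs correspond to missing_inputs() returning both WiMAX-MN-NAI and WiMAX-IP-Technology, at which point mn_ha_key() cannot run and the CPE is accepted without anything it can key from.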
Problem with Freeradius and WiMAX
Good day list

This is my first post to the list, so let me open by congratulating you on a great piece of software. I'm impressed.

I have the pleasure of working with WiMAX and a system called 4motion. We have chosen to use FreeRadius as our AAA server, but are experiencing some problems.

http://pastebin.com/m269e9250

As far as I can tell, everything is fine till I get the "[eap] NAK asked for unsupported type 21" error? Could anyone give me any pointers or ideas about what I am doing wrong, and how I can fix it?

Sincerely,
Kristoffer Milligan