RE: Hints file and Strip-User-Name

2008-06-03 Thread Paul Khavkine

You are right actually, not having a good day today.

I un-broke my config and found what was originally not working: I had to uncomment 
the "key" setting in the files {} configuration block to match 
Stripped-User-Name in the users file.


Thanx
Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: June 3, 2008 2:47 PM
To: FreeRadius users mailing list
Subject: RE: Hints file and Strip-User-Name

authenticate{}??? What are they doing there? Files are part of the
authorize{} section.

Ivan Kalik
Kalik Informatika ISP


Dana 3/6/2008, "Paul Khavkine" <[EMAIL PROTECTED]> piše:

>
>
>files is there in the authentication { } section.
>
>authenticate {
>#
>#  PAP authentication, when a back-end database listed
>#  in the 'authorize' section supplies a password.  The
>#  password can be clear-text, or encrypted.
>Auth-Type PAP {
>pap
>}
>
>#
>#  Most people want CHAP authentication
>#  A back-end database listed in the 'authorize' section
>#  MUST supply a CLEAR TEXT password.  Encrypted passwords
>#  won't work.
>Auth-Type CHAP {
>chap
>}
>
>#
>#  MSCHAP authentication.
>Auth-Type MS-CHAP {
>mschap
>}
>
>#
>#  If you have a Cisco SIP server authenticating against
>#  FreeRADIUS, uncomment the following line, and the 'digest'
>#  line in the 'authorize' section.
>#   digest
>
>#
>#  Pluggable Authentication Modules.
>#   pam
>
>#
>#  See 'man getpwent' for information on how the 'unix'
>#  module checks the users password.  Note that packets
>#  containing CHAP-Password attributes CANNOT be authenticated
>#  against /etc/passwd!  See the FAQ for details.
>#
>#   unix
>
># Uncomment it if you want to use ldap for authentication
>#
># Note that this means "check plain-text password against
># the ldap database", which means that EAP won't work,
># as it does not supply a plain-text password.
>#   Auth-Type LDAP {
>#   ldap
>#   }
>
>#
>#  Allow EAP authentication.
>eap
>files
> }
>
>
>Paul
>
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
>Sent: June 3, 2008 2:07 PM
>To: FreeRadius users mailing list
>Subject: Re: Hints file and Strip-User-Name
>
>>
>>When run radiusd -W I can see it enter the preprocess module and match
>>an entry, but the suffix is not being stripped and entry in users file
>>not being matched:
>>
>
>Not being stripped? You think that's the problem.
>
>>
>>
>>Tue Jun  3 12:54:15 2008 : Debug: +- entering group authorize
>>
>>Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling suffix
>>(rlm_realm) for request 0
>...
>>Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling
>>preprocess (rlm_preprocess) for request 0
>>
>...
>>Tue Jun  3 12:54:15 2008 : Debug: auth: No authenticate method
>>(Auth-Type) configuration found for the request: Rejecting the user
>>
>
>You haven't hacked away at the default configuration by any chance?
>Users file entry is not matched because you prevented the server from
>looking there. Even if you put "files" back in it still won't work as
>you have broken every single authentication method. Well done! Now put
>the configuration back the way it was and watch it work.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
>
>
>



RE: Hints file and Strip-User-Name

2008-06-03 Thread Paul Khavkine


files is there in the authentication { } section.

authenticate {
#
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
#  password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
#  Most people want CHAP authentication
#  A back-end database listed in the 'authorize' section
#  MUST supply a CLEAR TEXT password.  Encrypted passwords
#  won't work.
Auth-Type CHAP {
chap
}

#
#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
#  If you have a Cisco SIP server authenticating against
#  FreeRADIUS, uncomment the following line, and the 'digest'
#  line in the 'authorize' section.
#   digest

#
#  Pluggable Authentication Modules.
#   pam

#
#  See 'man getpwent' for information on how the 'unix'
#  module checks the users password.  Note that packets
#  containing CHAP-Password attributes CANNOT be authenticated
#  against /etc/passwd!  See the FAQ for details.
#
#   unix

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
#   Auth-Type LDAP {
#   ldap
#   }

#
#  Allow EAP authentication.
eap
files
 }


Paul



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: June 3, 2008 2:07 PM
To: FreeRadius users mailing list
Subject: Re: Hints file and Strip-User-Name

>
>When run radiusd -W I can see it enter the preprocess module and match
>an entry, but the suffix is not being stripped and entry in users file
>not being matched:
>

Not being stripped? You think that's the problem.

> 
>
>Tue Jun  3 12:54:15 2008 : Debug: +- entering group authorize
>
>Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling suffix
>(rlm_realm) for request 0
..
>Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling
>preprocess (rlm_preprocess) for request 0
>
..
>Tue Jun  3 12:54:15 2008 : Debug: auth: No authenticate method
>(Auth-Type) configuration found for the request: Rejecting the user
>

You haven't hacked away at the default configuration by any chance?
Users file entry is not matched because you prevented the server from
looking there. Even if you put "files" back in it still won't work as
you have broken every single authentication method. Well done! Now put
the configuration back the way it was and watch it work.

Ivan Kalik
Kalik Informatika ISP



Hints file and Strip-User-Name

2008-06-03 Thread Paul Khavkine
Hi.

I'm trying to match a suffix in the username using the hints file and
strip the suffix.

I have the following configured:

raddb/hints:

DEFAULT	Suffix == ".d", Strip-User-Name = Yes
	Hint = "Dynamic"

raddb/users:

DEFAULT	Hint == "Dynamic"
	Framed-IP-Address := 255.255.255.254,
	Fall-Through = Yes

user	Cleartext-Password := "password"
	Service-Type = Framed-User,
	Framed-IP-Address = XXX.XXX.XXX.XXX,
	Framed-Protocol = PPP,
	Framed-Routing = None,
	Session-Timeout = 604800,
	Idle-Timeout = 86400,
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobson-TCP-IP

When I run radiusd -W I can see it enter the preprocess module and match
an entry, but the suffix is not being stripped and the entry in the users file
is not being matched:

Tue Jun  3 12:54:15 2008 : Debug: +- entering group authorize
Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0
Tue Jun  3 12:54:15 2008 : Debug: rlm_realm: No '@' in User-Name = "user.d", looking up realm NULL
Tue Jun  3 12:54:15 2008 : Debug: rlm_realm: No such realm "NULL"
Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Tue Jun  3 12:54:15 2008 : Debug: ++[suffix] returns noop
Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Tue Jun  3 12:54:15 2008 : Debug:   hints: Matched DEFAULT at 79
Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Tue Jun  3 12:54:15 2008 : Debug: ++[preprocess] returns ok
Tue Jun  3 12:54:15 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Tue Jun  3 12:54:15 2008 : Debug: auth: Failed to validate the user.
Tue Jun  3 12:54:15 2008 : Auth: Login incorrect: [user.d/password] (from client ERX-LAB port 2152726802 cli #ERX01.OTWODDS#BLC01.OTW23DS atm 3/1:0.35#)
Tue Jun  3 12:54:15 2008 : Debug:   Found Post-Auth-Type Reject
Tue Jun  3 12:54:15 2008 : Debug: +- entering group REJECT
Tue Jun  3 12:54:15 2008 : Debug:   modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0
Tue Jun  3 12:54:15 2008 : Debug:   expand: %{User-Name} -> user.d
Tue Jun  3 12:54:15 2008 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Tue Jun  3 12:54:15 2008 : Debug:   modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0
Tue Jun  3 12:54:15 2008 : Debug: ++[attr_filter.access_reject] returns updated
Tue Jun  3 12:54:15 2008 : Debug: Delaying reject of request 0 for 1 seconds
Tue Jun  3 12:54:15 2008 : Debug: Going to the next request
Tue Jun  3 12:54:15 2008 : Debug: Waking up in 0.9 seconds.
Tue Jun  3 12:54:16 2008 : Debug: Sending delayed reject for request 0
Tue Jun  3 12:54:16 2008 : Debug: Waking up in 4.9 seconds.
Tue Jun  3 12:54:21 2008 : Debug: Cleaning up request 0 ID 5 with timestamp +79
Tue Jun  3 12:54:21 2008 : Debug: Ready to process requests.

Any ideas?

I'm running FreeRADIUS 2.0.3.

Thanx
Paul

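As an added example (not code from this thread and not FreeRADIUS's shipped configuration), here are the fragments that have to line up for the ".d" suffix hint above to strip the name and still hit the users file on FreeRADIUS 2.0.x, with "files" back in authorize{} and the "key" setting uncommented, which is how the thread was resolved. File paths, the module ordering and the radtest secret in the usage note are assumptions taken from the 2.0 defaults, not from the posts.

```conf
# Added example, not from the thread. Assumes a FreeRADIUS 2.0.x raddb layout.

# raddb/hints
# Both items on the first line are check items for rlm_preprocess. "Hint" is
# added to the request; "Strip-User-Name = Yes" makes the module add
# Stripped-User-Name = "user". User-Name itself stays "user.d".
DEFAULT	Suffix == ".d", Strip-User-Name = Yes
	Hint = "Dynamic"

# raddb/modules/files
# Without "key", rlm_files compares entry names against User-Name, which is
# still "user.d", so the "user" entry can never match. The default key line
# ships commented out; this is the one the thread says to uncomment.
files {
	key = "%{Stripped-User-Name:-%{User-Name}}"
	usersfile = ${confdir}/users
	acctusersfile = ${confdir}/acct_users
	preproxy_usersfile = ${confdir}/preproxy_users
	compat = no
}

# raddb/users
DEFAULT	Hint == "Dynamic"
	Framed-IP-Address := 255.255.255.254,
	Fall-Through = Yes

user	Cleartext-Password := "password"
	Service-Type = Framed-User,
	Framed-Protocol = PPP

# raddb/sites-enabled/default (only the relevant lines)
# rlm_files is an authorize module: it pulls in the check items, and the
# "pap" entry at the end of authorize then sets Auth-Type := PAP because a
# known password and a User-Password are both present. Listing "files"
# under authenticate{} instead leaves the request with no Auth-Type, which
# is the "No authenticate method (Auth-Type) configuration found" reject
# in the debug output above.
authorize {
	preprocess
	chap
	mschap
	suffix
	eap
	files
	expiration
	logintime
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
```

To verify, start the server with `radiusd -X` and send `radtest user.d password 127.0.0.1 0 testing123` (testing123 is the 2.x default localhost client secret, an assumption here): the debug output should show the hints DEFAULT match, then rlm_files matching the "user" entry, then Auth-Type PAP. One caveat worth checking before enabling this: once the key is the stripped name, "user" and "user.d" share one credential, so any naming scheme where both could be distinct accounts is collapsed by the hint, and anything keyed on the raw User-Name (for example accounting or SQL lookups) will see a different name than the auth log does when log_stripped_names is on.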

Matching Realm names only.

2008-03-31 Thread Paul Khavkine

Hi.

I'm setting up a LAC for L2TP tunneling of users to a remote LNS.
On the LAC side I want it to obtain the tunneling parameters based only
on the realm.

What would be the simplest way to set up FreeRADIUS to only match the
realm and return tunneling attributes?

If the realm is not configured, then reject the authentication?
Is it possible to match the Realm in the users file like:

DEFAULT	Realm == "dsl.myisp.com"
	Service-Type = Framed-User,
	Tunnel-Type = L2TP,
	Tunnel-Server-Endpoint = "X.X.X.X",
	Tunnel-Medium-Type = IP

It doesn't seem to work; do I need to include Auth-Type or anything else?


Thanx
Paul


 

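An added example, not from the thread or from the FreeRADIUS distribution, of how a realm-only LAC is usually put together on FreeRADIUS 2.x. The realm name and the tunnel attributes are taken from the post above; the tag numbers, the Reply-Message text, the catch-all entry and the 2.x proxy.conf syntax are assumptions.

```conf
# Added example, not from the thread. Assumes FreeRADIUS 2.x with the default
# authorize{} order, where "suffix" runs before "files".

# raddb/proxy.conf
# rlm_realm (the "suffix" instance) only sets the internal Realm attribute
# when the realm is defined here; an undefined realm logs "No such realm"
# and leaves Realm unset. A realm with no home server pool is handled
# locally, which is what a LAC that only hands out tunnel attributes needs.
realm dsl.myisp.com {
}

# raddb/users
# "Realm" is a check item, so it belongs on the first line. "Auth-Type :=
# Accept" is the missing piece from the post: it tells the server not to
# authenticate at all. The entry matched before, but with no Auth-Type the
# request was rejected. The LAC never verifies the password; the LNS at the
# other end of the tunnel must, so only use Accept for realms that are
# really tunneled away.
DEFAULT	Realm == "dsl.myisp.com", Auth-Type := Accept
	Service-Type = Framed-User,
	Tunnel-Type:1 = L2TP,
	Tunnel-Medium-Type:1 = IP,
	Tunnel-Server-Endpoint:1 = "X.X.X.X"

# No Fall-Through above, so only requests that matched nothing earlier
# reach this catch-all, which turns "realm not configured" into a reject.
DEFAULT	Auth-Type := Reject
	Reply-Message = "Unknown realm"
```

To check it, run `radiusd -X` and send `radtest someone@dsl.myisp.com x 127.0.0.1 0 testing123` (default localhost secret assumed): the reply should be an Access-Accept carrying the tagged Tunnel-* attributes and no password check, while `someone@other.example` should get the Access-Reject with the Reply-Message. If the LNS also needs a tunnel secret it goes in Tunnel-Password:1, which, like User-Password, is only obscured with the RADIUS shared secret on the wire, so the path between NAS and RADIUS server has to be treated as carrying credentials.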


Check items in rlm_files

2007-08-23 Thread Paul Khavkine


Hi.

Is it possible to access check items from the users file that were added
to the request by previous modules ?

I have rlm_ldap adding some items in authz section that I want to check
later on in the users file.

Or is there a way to map attributes from LDAP to the request pairs
instead ?


Thanx
Paul




Global address pool

2006-12-07 Thread Paul Khavkine



Hi folks.


I'm looking into ways to implement a "global address pool" for multiple NASes 
and multiple RADIUS servers.

I see that there are 2 possible ways of doing it with FreeRADIUS:

1) use rlm_ippool
2) use rlm_sqlippool

I'm leaning towards rlm_sqlippool since it can be used to "lease" an address to 
a subscriber for a period of time, so they get the same IP address for the 
duration of the "lease".

Are there any other ways to implement a NAS-independent address pool and be able 
to "lease" the same address to a subscriber?

Is anyone using sqlippool in production?

Thanx
Paul

RE: Server logs say users authenticate, but they don't (Now with more details!)

2006-11-03 Thread Paul Khavkine
Is the server multihomed?
It often happens that the server will receive a request on one IP address and send out a reply using a different address with a multihomed system.

If your system has multiple IP addresses, you can set "bind_address" to the one you want to use.

Cheers
Paul


-Original Message-
From: [EMAIL PROTECTED] on behalf of Ernie Dunbar
Sent: Fri 11/3/2006 2:02 PM
To: freeradius-users@lists.freeradius.org
Subject: Server logs say users authenticate, but they don't (Now with more details!)

This isn't a duplicate, I've just included more information about our
configuration.

We have a Cisco AS5300 for our dialup pool. It is able to log into our new
FreeRadius server and make authentication requests, but users are not able
to authenticate.

It's very strange, because FreeRadius produces logs like this:

Thu Nov  2 11:06:24 2006 : Auth: Login OK: [XX/XX] (from client
dialup port 8)

But the client gets "Error 691: Your username or password are incorrect".

I can tell that it's authenticating properly, because when a user gets
their password wrong, I see this instead:

Thu Nov  2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from
client dialup port 13)
Thu Nov  2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from
client dialup port 13)

We're using FreeRadius' mysql support for authentication, and I'm
absolutely positive that part is working fine. It even creates accounting
data in the database.

This is what we have in the users file:

DEFAULT Framed-Protocol == PPP, Simultaneous-Use == 1
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP

and this is what radiusd.conf looks like without the comments:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid

user = freerad
group = freerad

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 256
bind_address = *
port = 0

hostname_lookups = no
allow_core_dumps = no

regular_expressions = yes
extended_expressions    = yes

log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes

usercollide = no

lower_user = no
lower_pass = no

nospace_user = after
nospace_pass = after

checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

proxy_requests  = off
$INCLUDE  ${confdir}/proxy.conf

# proxy.conf has:
# realm LOCAL {
#    type    = radius
#    authhost    = LOCAL
#    accthost    = LOCAL
#}

$INCLUDE  ${confdir}/clients.conf

# clients.conf has:
# client XXX.XXX.XXX.XXX {
#    secret = XX
#    nastype = cisco
#    shortname = dialup
#}

$INCLUDE  ${confdir}/snmp.conf

# snmp.conf has nothing.

snmp    = no

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    pap {
    encryption_scheme = crypt
    }

    chap {
    authtype = CHAP
    }

    pam {
    pam_auth = radiusd
    }

    unix {
    cache = no
    cache_reload = 600
    shadow = /etc/shadow
    radwtmp = ${logdir}/radwtmp
    }

$INCLUDE ${confdir}/eap.conf

# eap.conf has:
# eap {
#    default_eap_type = md5
#    timer_expire = 60
#    ignore_unknown_eap_types = no
#    cisco_accounting_username_bug = no
#
#    md5 {
#    }
#
#    leap {
#    }
#
#    gtc {
#    auth_type = PAP
#    }
#
#    mschapv2 {
#    }
#    }

    mschap {
    authtype = MS-CHAP
    }

    realm suffix {
    format = suffix
    delimiter = "@"
    ignore_default = no
    ignore_null = no
    }

    checkval {
    item-name = Calling-Station-Id
    check-name = Calling-Station-Id
    data-type = string
    }

    preprocess {
    huntgroups = ${confdir}/huntgroups
    hints = ${confdir}/hints
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    }

    files {
    usersfile = ${confdir}/users
    acctusersfile = ${confdir}/acct_users

radiusd crashing on FreeBSD 6.0

2006-06-12 Thread Paul Khavkine


Hi Guys.


I have radiusd 1.1.2 from the latest FreeBSD port crashing strangely
during a stress test.

I'm not sure where exactly it occurs because no core dump is produced.

Even when run inside gdb, I can't get any backtrace info at all:



srv03# gdb /usr/local/sbin/radiusd
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i386-marcel-freebsd"...
(gdb) run -f
Starting program: /usr/local/sbin/radiusd -f
warning: Unable to get location for thread creation breakpoint: generic
error
[New LWP 100255]
Mon Jun 12 16:39:46 2006 : Info: Starting - reading configuration
files ...
[New Thread 0x8077000 (LWP 100255)]

Program terminated with signal SIGABRT, Aborted.
The program no longer exists.
(gdb) bt
No stack.
(gdb)


My system is FreeBSD 6.0-RELEASE-p2.
Core dumps are turned on in radiusd.conf, the system core file limit is
set to unlimited and i'm running the server as root.

It does crash when run with -x with a free() error:


 in free(): error: chunk is already free

Program terminated with signal SIGABRT, Aborted.
The program no longer exists.
(gdb) bt
No stack.
(gdb)

It does NOT crash when run with -X.

Does anyone have an idea how I can debug it further?

Thanx
Paul





Building on Solaris 10

2006-02-07 Thread Paul Khavkine


Hi guys.


When building FreeRADIUS on Solaris, which compiler should I use?
Has anyone built FR with the Sun compiler?

Thanx
Paul




Re: FreeRADIUS 1.0.5 rlm_ldap crashing

2006-01-16 Thread Paul Khavkine
On Fri, 2006-01-13 at 23:26 -0500, Dusty Doris wrote:
> On Fri, 13 Jan 2006, Alan DeKok wrote:
> 
> > "Paul Khavkine" <[EMAIL PROTECTED]> wrote:
> >> Any clues ? bug in OpenLDAP library maybe ?
> >
> >  Looks that way to me.
> >
> 
> What version of openldap are you using for this and how did you install 
> it?  For example, perhaps you installed freeradius from ports and it 
> pulled in openldap-client as well for the build?
> 

OpenLDAP version is 2.3.9.
Nothing is installed from ports, everything is built manually.


Thanx
Paul

> 



Re: FreeRADIUS 1.0.5 rlm_ldap crashing

2006-01-13 Thread Paul Khavkine


Hi folks.


I was finally able to get a core dump under FreeBSD
6.0-RELEASE/SMP/libthr.


rlm_ldap: ldap_get_conn: Got Id: 15
rlm_ldap: (re)connect to ldap01.mtlcnds.int.distributel.net:389,
authentication 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
rlm_ldap: setting TLS CACert Directory
to /usr/local/radiusd/current/etc/raddb/certs/
rlm_ldap: ldap_get_conn: Checking Id: 9
Assertion failed: (LBER_VALID( ber )), function ber_free_buf, file io.c,
line 171.
rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x81c6f00 (LWP 100232)]
0x28231773 in thr_kill () from /lib/libc.so.6
(gdb) bt
#0  0x28231773 in thr_kill () from /lib/libc.so.6
#1  0x281eb701 in pthread_mutex_unlock () from /usr/lib/libthr.so.2
#2  0x281e60b7 in pthread_kill () from /usr/lib/libthr.so.2
#3  0x281e4b02 in raise () from /usr/lib/libthr.so.2
#4  0x282a2c5c in abort () from /lib/libc.so.6
#5  0x2828100c in __assert () from /lib/libc.so.6
#6  0x28330a3b in ber_free_buf () from /usr/local/lib/liblber-2.3.so.1
#7  0x28330ae0 in ber_free () from /usr/local/lib/liblber-2.3.so.1
#8  0x283094e9 in ldap_free_request_int ()
from /usr/local/lib/libldap_r.so
#9  0x28309601 in ldap_free_request () from /usr/local/lib/libldap_r.so
#10 0x282f55e6 in try_read1msg () from /usr/local/lib/libldap_r.so
#11 0x282f48f4 in wait4msg () from /usr/local/lib/libldap_r.so
#12 0x282f40fa in ldap_result () from /usr/local/lib/libldap_r.so
#13 0x282f8a57 in ldap_extended_operation_s ()
from /usr/local/lib/libldap_r.so
#14 0x2831bd62 in ldap_start_tls_s () from /usr/local/lib/libldap_r.so
#15 0x2834e762 in ldap_connect (instance=0x8066800, dn=0x811d4e0
"cn=xx,dc=distributel,dc=net", password=0x807f9d0 "xxx", auth=0,
result=0xbebef72c, err=0x0) at rlm_ldap.c:2069
#16 0x2834eebc in perform_search (instance=0x8066800, conn=0x811e810,
search_basedn=0xbebef8d4 "ou=passwd,ou=NIS,dc=distributel,dc=net",
scope=2, filter=0xbebefcd4 "(uid=ip_fixe)", attrs=0x8066900,
result=0xbebef7cc) at rlm_ldap.c:772
#17 0x28351221 in ldap_authorize (instance=0x8066800, request=0x81c6600)
at rlm_ldap.c:1247
#18 0x08055457 in modcall (component=1, c=0x8127580, request=0x81c6600)
at modcall.c:236
#19 0x080559fb in call_one (component=0, p=0x8127580, request=0x81c6600,
priority=0xbebf01a0, result=0xbebf01a4) at modcall.c:269
#20 0x080556bf in modcall (component=1, c=0x81222c0, request=0x81c6600)
at modcall.c:324
#21 0x080559fb in call_one (component=0, p=0x81222c0, request=0x81c6600,
priority=0xbebf0220, result=0xbebf0224) at modcall.c:269
#22 0x080556bf in modcall (component=1, c=0x8122100, request=0x81c6600)
at modcall.c:324
#23 0x08054a10 in indexed_modcall (comp=1, idx=100232,
request=0x81c6600) at modules.c:469
#24 0x0805207a in rad_authenticate (request=0x81c6600) at auth.c:589
#25 0x0804c16e in rad_respond (request=0x81c6600, fun=0x8051fb0
) at radiusd.c:1642
#26 0x080579ba in request_handler_thread (arg=0x81c47e0) at
threads.c:517
#27 0x281ed05d in pthread_create () from /usr/lib/libthr.so.2
#28 0x in ?? ()
(gdb)


Any clues ? bug in OpenLDAP library maybe ?

Thanx
Paul


On Thu, 2006-01-12 at 15:57 -0500, Paul Khavkine wrote:
> On Tue, 2006-01-10 at 18:42 -0500, Alan DeKok wrote:
> > "Paul Khavkine" <[EMAIL PROTECTED]> wrote:
> > > The server is running as root, core dumps are allowed in the config, it
> > > crashes with either signal 6 or signal 11 when running with -x or -xx,
> > > does not crash when running -X
> > 
> >   Ah... your OS may not support threaded core dumps.  Yuck.
> > 
> >   It sounds like a thread problem to me, but I don't know why.  What
> > OS are you using?  What version of FreeRADIUS?  Where is it core
> > dumping?  Can you run freeradius under "gdb"?
> 
> 
> After a few days' investigation it seems like a threading problem on
> FreeBSD 5.4-RELEASE and 6.0-RELEASE.
> 
> The problem can be reproduced when:
> 
> 1) running FreeRADIUS 1.0.5
> 2) running SMP kernel
> 3) radiusd is linked against libpthread
> 4) Using start_tls with LDAP
> 
> Under 5.4-RELEASE the process will die with an Abort trap and not dump
> core when linked against libpthread. If radiusd is linked against
> libthr (1:1 threading library) it simply jams and stops responding
> but does not terminate. Killing it with signal 9 or 6 does not produce
> a core dump.
> When run inside gdb it crashes gdb and DOES produce gdb.core, but
> gdb.core is useless since gdb is not compiled with -g
> 
> 
> Under 6.0-RELEASE when linked against libpthread, the result is the same
> as 5.4-RELEASE
> 
> When linked against libthr it does not crash and has passed my stress
> tes

Re: Compiling FR 1.1.0

2006-01-13 Thread Paul Khavkine

On Fri, 2006-01-13 at 17:11 +0800, Rohaizam Abu Bakar wrote:
>  
> Tested with FBSD 4.11 error with rlm_attr_rewrite... After remove the
> folder... then error with rlm_otp
>  
> ###
> Making all in cardops ...
> gmake[6]: Entering directory
> `/var/src/freeradius-1.1.0/src/modules/rlm_otp/cardops'
> gcc  -g -O2 -pthread -D_THREAD_SAFE -DOPENSSL_NO_KRB5   -Wall
> -D_GNU_SOURCE -DNDEBUG  -I../../../include -DOTP_MODULE_NAME="rlm_otp"
> -DFREERADIUS  -c cryptocard.c -o cryptocard.o
> In file included from /usr/include/openssl/des.h:66,
>  from ../otp.h:32,
>  from cryptocard.c:26:
> /usr/include/openssl/opensslconf.h:177: warning: `OPENSSL_NO_KRB5'
> redefined
> *Initialization*:1: warning: this is the location of the previous
> definition
> cryptocard.c: In function `cryptocard_updatecsd':
> cryptocard.c:230: syntax error before `PRIx32'
> cryptocard.c: In function `cryptocard_isconsecutive':
> cryptocard.c:255: syntax error before `SCNx32'
> cryptocard.c:252: warning: unused variable `nextewin'
> cryptocard.c: At top level:
> cryptocard.c:260: syntax error before `++'
> cryptocard.c:58: warning: `cryptocard_name2fm' defined but not used
> cryptocard.c:78: warning: `cryptocard_keystring2keyblock' defined but
> not used
> cryptocard.c:110: warning: `cryptocard_nullstate' defined but not used
> cryptocard.c:139: warning: `cryptocard_challenge' defined but not used
> cryptocard.c:184: warning: `cryptocard_response' defined but not used
> cryptocard.c:226: warning: `cryptocard_updatecsd' defined but not used
> cryptocard.c:251: warning: `cryptocard_isconsecutive' defined but not
> used
> cryptocard.h:59: warning: `cryptocard_maxtwin' declared `static' but
> never defined
> cryptocard.h:62: warning: `cryptocard_printchallenge' declared
> `static' but never defined
> gmake[6]: *** [cryptocard.o] Error 1
> gmake[6]: Leaving directory
> `/var/src/freeradius-1.1.0/src/modules/rlm_otp/cardops'
> gmake[5]: *** [cardops/cryptocard.lo] Error 2
> gmake[5]: Leaving directory
> `/var/src/freeradius-1.1.0/src/modules/rlm_otp'
> gmake[4]: *** [common] Error 2
> gmake[4]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
> gmake[3]: *** [all] Error 2
> gmake[3]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
> gmake[2]: *** [common] Error 2
> gmake[2]: Leaving directory `/var/src/freeradius-1.1.0/src'
> gmake[1]: *** [all] Error 2
> gmake[1]: Leaving directory `/var/src/freeradius-1.1.0/src'
> gmake: *** [common] Error 2
> *** Error code 2
> ###3
>  
>  
> Tested with FBSD 6.0... OK with rlm_attr_rewrite  but problem with
> rlm_otp with different from FBSD4.11

This problem is also present in FreeBSD 6.0-RELEASE

sys/un.h is not included properly.

Looking at the file I see this:

#if defined(__linux__) || defined(__APPLE__)
#include <sys/un.h>
#endif

Removing the #if defined made it build properly; this file should be included 
for at least the BSD platforms.



Cheers
Paul

 
> #
> otp_state.c: In function `otp_state_connect':
> otp_state.c:482: error: storage size of 'sa' isn't known
> otp_state.c:482: warning: unused variable `sa'
> gmake[5]: *** [otp_state.o] Error 1
> gmake[5]: Leaving directory
> `/var/src/freeradius-1.1.0/src/modules/rlm_otp'
> gmake[4]: *** [common] Error 2
> gmake[4]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
> gmake[3]: *** [all] Error 2
> gmake[3]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
> gmake[2]: *** [common] Error 2
> gmake[2]: Leaving directory `/var/src/freeradius-1.1.0/src'
> gmake[1]: *** [all] Error 2
> gmake[1]: Leaving directory `/var/src/freeradius-1.1.0/src'
> gmake: *** [common] Error 2
> *** Error code 2
> ## 
>  
>  
> --haizam



Re: FreeRADIUS 1.0.5 rlm_ldap crashing

2006-01-12 Thread Paul Khavkine
On Tue, 2006-01-10 at 18:42 -0500, Alan DeKok wrote:
> "Paul Khavkine" <[EMAIL PROTECTED]> wrote:
> > The server is running as root, core dumps are allowed in the config, it
> > crashes with either signal 6 or signal 11 when running with -x or -xx,
> > does not crash when running -X
> 
>   Ah... your OS may not support threaded core dumps.  Yuck.
> 
>   It sounds like a thread problem to me, but I don't know why.  What
> OS are you using?  What version of FreeRADIUS?  Where is it core
> dumping?  Can you run freeradius under "gdb"?


After a few days' investigation it seems like a threading problem on
FreeBSD 5.4-RELEASE and 6.0-RELEASE.

The problem can be reproduced when:

1) running FreeRADIUS 1.0.5
2) running SMP kernel
3) radiusd is linked against libpthread
4) Using start_tls with LDAP

Under 5.4-RELEASE the process will die with an Abort trap and not dump
core when linked against libpthread. If radiusd is linked against
libthr (1:1 threading library) it simply jams and stops responding
but does not terminate. Killing it with signal 9 or 6 does not produce
a core dump.
When run inside gdb it crashes gdb and DOES produce gdb.core, but
gdb.core is useless since gdb is not compiled with -g


Under 6.0-RELEASE when linked against libpthread, the result is the same
as 5.4-RELEASE

When linked against libthr it does not crash and has passed my stress
test with flying colors.

Both FreeBSD releases seems to have no problem with UP kernel and
libpthread.

I'm going to run a longer stress test to see if indeed FreeBSD
6.0/SMP/libthr is stable.


Thanx
Paul

>   Alan DeKok.
> 



Re: FreeRADIUS 1.0.5 rlm_ldap crashing

2006-01-10 Thread Paul Khavkine
On Fri, 2005-12-30 at 15:09 -0500, Alan DeKok wrote:
> "Paul Khavkine" <[EMAIL PROTECTED]> wrote:
> > So anyone have an idea how I can figure out where the server is crashing
> > or how to force it to produce a core dump ?
> 
>   Run it in debugging mode.  Set "ulimit".  It SHOULD dump core.
> 
>   Alan DeKok.
> -

Hi Alan.

I did run the server in debug mode and ulimit -c unlimited
and I still do not get a core dump file to analyze.

The server is running as root, core dumps are allowed in the config, it
crashes with either signal 6 or signal 11 when running with -x or -xx,
does not crash when running -X


Any ideas ?


Thanx
Paul




RE: FreeRADIUS 1.0.5 rlm_ldap crashing

2005-12-30 Thread Paul Khavkine


So anyone have an idea how I can figure out where the server is crashing
or how to force it to produce a core dump?


Thanx
Paul

On Thu, 2005-12-29 at 20:27 -0500, Paul Khavkine wrote:
> 
> -Original Message-
> From: freeradius-users-bounces
> [EMAIL PROTECTED] on behalf of Alan
> DeKok
> Sent: Thu 12/29/2005 7:06 PM
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS 1.0.5 rlm_ldap crashing
> 
> "Paul Khavkine" <[EMAIL PROTECTED]> wrote:
> > Crashed at about same place.
> 
>   doc/bugs
> 
> The server is not producing a core dump. I did compile it with
> --enable-developer
> and allow_core_dumps is set to yes. The server is running as root.
> Still no core.
> 
> 
> Thanx
> Paul
> 
>   Alan DeKok.



RE: FreeRADIUS 1.0.5 rlm_ldap crashing

2005-12-29 Thread Paul Khavkine
-Original Message-
From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Thu 12/29/2005 7:06 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 1.0.5 rlm_ldap crashing

"Paul Khavkine" <[EMAIL PROTECTED]> wrote:
> Crashed at about same place.

  doc/bugs

The server is not producing a core dump. I did compile it with --enable-developer
and allow_core_dumps is set to yes. The server is running as root.
Still no core.


Thanx
Paul

  Alan DeKok.

Re: FreeRADIUS 1.0.5 rlm_ldap crashing

2005-12-29 Thread Paul Khavkine

Here's another one:

rlm_ldap: (re)connect to ldap01.mtlcnds.int.distributel.net:389,
authentication 0
User-Password = "test123"
NAS-IP-Address = 1.1.1.1
rlm_ldap: - authorize
rlm_ldap: - authorize
rlm_ldap: - authorize
rlm_ldap: ldap_start_tls_s()
User-Name = "[EMAIL PROTECTED]"rlm_ldap: performing user
authorization for ip_fixe

rlm_ldap: performing user authorization for ip_fixe
rlm_ldap: could not start TLS Connect error
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: performing user authorization for ip_fixe
rlm_ldap: ldap_get_conn: Checking Id: 0
User-Password = "test123"rlm_ldap: ldap_get_conn: Checking Id: 1
rad_recv: Access-Request packet from host 10.224.4.117:65039rlm_ldap:
ldap_get_conn: Checking Id: 0
rlm_ldap: (re)connection attempt failed

rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem, id=86,
length=69
rlm_ldap: ldap_get_conn: Checking Id: 1
rlm_ldap: ldap_get_conn: Checking Id: 2
rlm_ldap: ldap_get_conn: Checking Id: 1
rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
rlm_ldap: search failed
rlm_ldap: ldap_get_conn: Checking Id: 2
rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/
NAS-IP-Address = 206.80.253.241rlm_ldap: ldap_get_conn: Checking Id: 3
rlm_ldap: ldap_get_conn: Checking Id: 2

rlm_ldap: ldap_release_conn: Release Id: 1
rlm_ldap: ldap_get_conn: Checking Id: 3
User-Name = "[EMAIL PROTECTED]"radiusd in free(): error: chunk is
already free
rlm_ldap: ldap_get_conn: Checking Id: 4
Abort


Crashed at about same place.

Thanx
Paul

On Thu, 2005-12-29 at 16:56 -0500, Alan DeKok wrote:
> "Paul Khavkine" <[EMAIL PROTECTED]> wrote:
> > rlm_ldap: setting TLS CACert File
> > to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
> > rlm_ldap: setting TLS CACert File
> > to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
> 
>   That second entry should be a directory, not a file.  There's a typo
> in the debugging output which makes that harder to figure out.
> 
>   Alan DeKok.



Re: FreeRADIUS 1.0.5 rlm_ldap crashing

2005-12-29 Thread Paul Khavkine
On Thu, 2005-12-29 at 16:56 -0500, Alan DeKok wrote:
> "Paul Khavkine" <[EMAIL PROTECTED]> wrote:
> > rlm_ldap: setting TLS CACert File
> > to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
> > rlm_ldap: setting TLS CACert File
> > to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
> 
>   That second entry should be a directory, not a file.  There's a typo
> in the debugging output which makes that harder to figure out.
> 

Alan, I'm not sure I follow. I don't have a CA cert directory set, only
a file.

Should I also set tls_cacertdir?


Thanx
Paul

>   Alan DeKok.



FreeRADIUS 1.0.5 rlm_ldap crashing

2005-12-29 Thread Paul Khavkine

Hi Guys.


I'm doing a stress test on 1.0.5 running on FreeBSD 5.4-RELEASE, and when
start_tls is enabled radiusd crashes somewhere in the rlm_ldap module.

I can't seem to make it produce a core file to properly inspect it.

The server is running as root and core dumps are enabled in the config
file.

When I disable start_tls, it does not crash.

It always crashed with signal 6 at random periods. Here's an error:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: (re)connect to ldap01.totftds.int.distributel.net:389,
authentication 0
rlm_ldap: ldap_get_conn: Checking Id: 1
rlm_ldap: ldap_get_conn: Got Id: 1
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap01.totftds.int.distributel.net:389,
authentication 0
rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
radiusd in free(): error: chunk is already free
rlm_ldap: starting TLS
Abort

Any pointers on how to debug this problem?


Thanx
Paul




FR and Pgsql

2005-11-16 Thread Paul Khavkine
Hi Folks.


I'm setting up FreeRADIUS with Postgres for accounting and there's one
thing I can't seem to figure out.

When a Start record gets written to the radacct table, AcctStopTime is not
being set to anything. The field is empty. Since AcctStopTime is
of type "timestamp with time zone", it does not seem to equal NULL or
'0' or anything at all.

radius=# select * from radacct where acctstoptime = NULL;
 radacctid | acctsessionid | acctuniqueid | username | realm | nasipaddress | nasportid | nasporttype | acctstarttime | acctstoptime | acctsessiontime | acctauthentic | connectinfo_start | connectinfo_stop | acctinputoctets | acctoutputoctets | calledstationid | callingstationid | acctterminatecause | servicetype | framedprotocol | framedipaddress | acctstartdelay | acctstopdelay
---+---+--+--+---+--+---+-+---+--+-+---+---+--+-+--+-+--++-++-++---
(0 rows)

radius=# select * from radacct where acctstoptime = 0;
 radacctid | acctsessionid | acctuniqueid | username | realm | nasipaddress | nasportid | nasporttype | acctstarttime | acctstoptime | acctsessiontime | acctauthentic | connectinfo_start | connectinfo_stop | acctinputoctets | acctoutputoctets | calledstationid | callingstationid | acctterminatecause | servicetype | framedprotocol | framedipaddress | acctstartdelay | acctstopdelay
---+---+--+--+---+--+---+-+---+--+-+---+---+--+-+--+-+--++-++-++---
(0 rows)


How do you build a query to fetch a list of sessions without
AcctStopTime (sessions in progress, for example)?

This is on PgSQL 8.1.0.

Thanx
Paul

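Added example, not part of the original post or of the FreeRADIUS schema: a constructed, cut-down radacct table with one open and one closed session, showing why the `acctstoptime = NULL` query above matches nothing and how the open-session query has to be written in PostgreSQL. Only the column names follow the page; the table definition and the rows are constructed for illustration.

```sql
-- Constructed, cut-down version of radacct: only the columns this example needs.
CREATE TABLE radacct (
    radacctid       bigserial PRIMARY KEY,
    acctsessionid   varchar(32) NOT NULL,
    username        varchar(253),
    nasipaddress    inet NOT NULL,
    acctstarttime   timestamp with time zone,
    acctstoptime    timestamp with time zone,   -- stays NULL until a Stop record arrives
    acctsessiontime bigint
);

-- Constructed sample rows: one session still in progress, one already closed.
INSERT INTO radacct (acctsessionid, username, nasipaddress,
                     acctstarttime, acctstoptime, acctsessiontime)
VALUES ('0000001A', 'alice', '10.0.0.1', now() - interval '30 minutes', NULL, NULL),
       ('0000001B', 'bob',   '10.0.0.1', now() - interval '2 hours',
                                          now() - interval '1 hour', 3600);

-- The query from the post. In SQL, NULL means "unknown", so NULL = NULL
-- evaluates to unknown rather than true, and WHERE keeps only rows whose
-- condition is true. Result: 0 rows, although alice's session has no stop time.
SELECT acctsessionid, username
  FROM radacct
 WHERE acctstoptime = NULL;

-- Open (in-progress) sessions: NULL is tested with the IS NULL predicate.
SELECT acctsessionid, username, nasipaddress, acctstarttime
  FROM radacct
 WHERE acctstoptime IS NULL;

-- Closed sessions, for contrast.
SELECT acctsessionid, username, acctsessiontime
  FROM radacct
 WHERE acctstoptime IS NOT NULL;

-- Operational check worth running regularly: rows that have been "open" far
-- longer than any real session. These are usually lost Stop packets, and
-- open rows are what a Simultaneous-Use check counts, so stale ones can make
-- the server reject a legitimate login later. The one-day threshold is an
-- assumption; pick one that fits the NAS session limits in use.
SELECT acctsessionid, username, nasipaddress,
       now() - acctstarttime AS open_for
  FROM radacct
 WHERE acctstoptime IS NULL
   AND acctstarttime < now() - interval '1 day'
 ORDER BY acctstarttime;
```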


FreeRadius crashing

2005-08-24 Thread Paul Khavkine


Hi Guys.


I have FreeRadius 1.0.4 all of a sudden crash and exit.

I have enabled core dumps but cannot find the core file anywhere.

Where's the core file supposed to be written?


Thanx
Paul



Re: Huntgroup trouble

2004-06-10 Thread Paul Khavkine
Hmm.. You are right. I don't know why I changed that.
I've been staring at it for 2 hours. Sometimes it's hard to spot your own mistakes :-)


Thanx
Paul

Michael Griego wrote:

> Since you didn't post your radiusd.conf, I'm going to have to assume
> based on your output that your "preprocess" line in the authorize
> section is *after* your "files" line.  Why did you do this?  This is not
> the default.  The preprocess module is first for a reason (also why it's
> called *pre*process).
>
> Also, make sure you have the rlm_unix module loaded somewhere to process
> those UNIX groups.
>
> --Mike
>
> On Thu, 2004-06-10 at 08:34, Paul Khavkine wrote:
> > Hi folks.
> >
> >
> > I'm trying to get Huntgroups to work with matching a NAS-IP-Address and
> > a unix group.
> >
> > Here's raddb/huntgroups:
> >
> > adsl    NAS-IP-Address == 10.0.0.1
> >         Group = adslpppoe,
> >         Group = adsldedic,
> >         Group = employees,
> >         Group = adsl
> >
> >
> > raddb/users:
> >
> > DEFAULT Huntgroup-Name == adsl, Simultaneous-Use := 3
> >         Fall-Through := 1
> >
> > DEFAULT Huntgroup-Name == dialup, Simultaneous-Use := 1
> >         Fall-Through := 1
> >
> > DEFAULT Auth-Type := System
> >         Framed-IP-Address = 255.255.255.254,
> >         Framed-MTU = 1500,
> >         Session-Timeout = 18001,
> >         Idle-Timeout = 1800,
> >         Service-Type = Framed-User,
> >         Framed-Protocol = PPP,
> >         Framed-IP-Netmask = 255.255.255.255,
> >         Framed-Routing = None,
> >         Framed-Compression = None
> >
> > The user does exist in the system and does belong to one of the groups:
> > willie# id test123
> > uid=1035(test123) gid=800(adslpppoe) groups=800(adslpppoe)
> >
> > So everything seems correct, but still preprocess group fails:
> >
> > rad_recv: Access-Request packet from host 127.0.0.1:49659, id=74,
> > length=59
> > User-Name = "test123"
> > User-Password = "x"
> > NAS-IP-Address = 10.0.0.1
> > NAS-Port = 9175
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 2
> > rlm_realm: No '@' in User-Name = "test123", looking up realm NULL
> > rlm_realm: Found realm "NULL"
> > rlm_realm: Adding Stripped-User-Name = "test123"
> > rlm_realm: Proxying request from user test123 to realm NULL
> > rlm_realm: Adding Realm = "NULL"
> > rlm_realm: Authentication realm is LOCAL.
> >   modcall[authorize]: module "suffix" returns noop for request 2
> > users: Matched DEFAULT at 8
> >   modcall[authorize]: module "files" returns ok for request 2
> > No huntgroup access: [test123] (from client localhost port 9175)
> >   modcall[authorize]: module "preprocess" returns reject for request 2
> > modcall: group authorize returns reject for request 2
> > Invalid user: [test123/x] (from client localhost port 9175)
> >
> >
> > Any pointers to what the problem might be?
> >
> >
> > Thanx
> > Paul
> >
> >
> >
> --
>
> --Mike
>
> --
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas
>




Huntgroup trouble

2004-06-10 Thread Paul Khavkine


Hi folks.


I'm trying to get Huntgroups to work with matching a NAS-IP-Address and
a unix group.

Here's raddb/huntgroups:

adsl    NAS-IP-Address == 10.0.0.1
        Group = adslpppoe,
        Group = adsldedic,
        Group = employees,
        Group = adsl


raddb/users:

DEFAULT Huntgroup-Name == adsl, Simultaneous-Use := 3
        Fall-Through := 1

DEFAULT Huntgroup-Name == dialup, Simultaneous-Use := 1
        Fall-Through := 1

DEFAULT Auth-Type := System
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1500,
        Session-Timeout = 18001,
        Idle-Timeout = 1800,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-Compression = None

The user does exist in the system and does belong to one of the groups:
willie# id test123
uid=1035(test123) gid=800(adslpppoe) groups=800(adslpppoe)

So everything seems correct, but still preprocess group fails:

rad_recv: Access-Request packet from host 127.0.0.1:49659, id=74,
length=59
User-Name = "test123"
User-Password = "x"
NAS-IP-Address = 10.0.0.1
NAS-Port = 9175
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_realm: No '@' in User-Name = "test123", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "test123"
rlm_realm: Proxying request from user test123 to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 2
users: Matched DEFAULT at 8
  modcall[authorize]: module "files" returns ok for request 2
No huntgroup access: [test123] (from client localhost port 9175)
  modcall[authorize]: module "preprocess" returns reject for request 2
modcall: group authorize returns reject for request 2
Invalid user: [test123/x] (from client localhost port 9175)


Any pointers to what the problem might be?


Thanx
Paul





PEAP with MSCHAPv2

2004-05-20 Thread Paul Khavkine


Hi folks.



After some mucking around we got FreeRADIUS to work with PEAP.

Now, everywhere I have seen examples for PEAP config, they all state in
the users file:

  Auth-Type := Local, User-Password == "mypass"


When I tried that, the server would not recognize an EAP session and
would always give an error that it can't find User-Password in the
request (like in a non-EAP request).


After changing the users file entry to:

  User-Password == "mypass"


it would work properly.

Is that the proper behavior?




Win XP Client using PEAP

2004-05-12 Thread Paul Khavkine

Hi folks.


I'm trying to authenticate WinXP clients using a Vivato Wi-Fi switch
using EAP-PEAP.
The server configuration seems to be the same as I have seen from people
who say they have PEAP working with Win XP.

Any clues whether it is a server misconfiguration or the AP that is
not working?

Thanx
Paul


Debug:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/freeradius/raddb/proxy.conf
Config:   including file: /usr/local/freeradius/raddb/clients.conf
Config:   including file: /usr/local/freeradius/raddb/snmp.conf
Config:   including file: /usr/local/freeradius/raddb/eap.conf
Config:   including file: /usr/local/freeradius/raddb/sql.conf
 main: prefix = "/usr/local/freeradius"
 main: localstatedir = "/usr/local/freeradius/var"
 main: logdir = "/usr/local/freeradius/var/log/radius"
 main: libdir = "/usr/local/freeradius/lib"
 main: radacctdir = "/usr/local/freeradius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/freeradius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid"
 main: user = "root"
 main: group = "wheel"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/freeradius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded Pam
 pam: pam_auth = "radiusd"
Module: Instantiated pam (pam)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 120
 eap: ignore_unknown_eap_types = yes
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/freeradius/raddb/1x/bsd01.pem"
 tls: certificate_file = "/usr/local/freeradius/raddb/1x/bsd01.pem"
 tls: CA_file = "/usr/local/freeradius/raddb/1x/root.pem"
 tls: private_key_password = "mypass"
 tls: dh_file = "/usr/local/freeradius/raddb/1x/dh"
 tls: random_file = "/usr/local/freeradius/raddb/1x/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/freeradius/raddb/huntgroups"
 preprocess: hints = "/usr/local/freeradius/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/freeradius/raddb/users"


PEAP with WinXP client

2004-04-27 Thread Paul Khavkine


Hi guys.


Could anyone send me a working config for a FreeRADIUS server
authenticating WinXP clients
with EAP-PEAP/EAP-MSCHAPv2?


Thanx
Paul


