dialupadmin and php5
Hi folks, I'd like to know if anyone is using dialupadmin along with php5. Thanks in advance!

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about radwho/radutmp dates
Hi folks, how long does radwho/radutmp store accounting information? Thanks in advance
About mismatching shared secret
radiusPassword mapped to RADIUS Cleartext-Password
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x6cb0ac0
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
server inner-tunnel-peap { # from file /etc/raddb-testing/sites-enabled/inner-tunnel-peap
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: Opening IP addresses and Ports
listen {
	type = auth
	ipaddr = 192.168.1.5
	port = 0
}
listen {
	type = acct
	ipaddr = 192.168.1.5
	port = 0
}
listen {
	type = control
 listen {
	socket = /usr/local-test/var/run/radiusd/radiusd.sock
 }
}
listen {
	type = status
	ipaddr = 127.0.0.1
	port = 18120
 client admin {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = YellowSubmarine
 }
}
listen {
	type = auth
	ipaddr = 127.0.0.1
	port = 18121
}
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on command file /usr/local-test/var/run/radiusd/radiusd.sock
Listening on status address 127.0.0.1 port 18120 as server status
Listening on authentication address 127.0.0.1 port 18121 as server inner-tunnel
Ready to process requests.

Any ideas?
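The debug output above prints the shared secret of every client block in clear (secret = YellowSubmarine inside the status listener's client admin block), which is the problem with pasting unedited radiusd -X output to a public list. What follows is an added example, not part of this thread and not FreeRADIUS code: a small Python filter that reports and scrubs secret-bearing lines from a 2.x debug dump before it is shared. The sample dump and the secret values in it are constructed for the example, and the list of keys it matches is my own choice rather than an exhaustive inventory of everything the server can print.

```python
import re
from typing import List, Tuple

# Config keys and request attributes whose right-hand side is a secret in
# FreeRADIUS 2.x debug output. Chosen for this example; extend as needed.
SECRET_KEYS = (
    "secret",                 # client {} blocks, including those inside listen {}
    "password",               # rlm_ldap / rlm_sql bind password
    "private_key_password",   # eap { tls { ... } }
    "User-Password", "Cleartext-Password",
    "NT-Password", "LM-Password", "Password-With-Header",
)

_SECRET_LINE = re.compile(
    r"^(?P<lead>\s*(?:" + "|".join(re.escape(k) for k in SECRET_KEYS) + r")\s*=\s*)"
    r"(?P<value>\S.*)$"
)


def find_leaks(debug_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, key) for every line that carries a secret."""
    leaks = []
    for n, line in enumerate(debug_text.splitlines(), 1):
        m = _SECRET_LINE.match(line)
        if m:
            leaks.append((n, m.group("lead").strip().rstrip("=").strip()))
    return leaks


def redact(debug_text: str) -> str:
    """Replace every secret value with <redacted>, keeping the rest of the line."""
    out = []
    for line in debug_text.splitlines():
        m = _SECRET_LINE.match(line)
        out.append(m.group("lead") + "<redacted>" if m else line)
    return "\n".join(out)


# Constructed sample modelled on the listen/client and module output in the thread.
SAMPLE = """\
listen {
\ttype = status
\tipaddr = 127.0.0.1
\tport = 18120
  client admin {
\tipaddr = 127.0.0.1
\trequire_message_authenticator = no
\tsecret = example-status-secret
  }
}
 ldap {
\tserver = ldap.example.org
\tidentity = cn=radius,dc=example,dc=org
\tpassword = example-bind-password
 }
\tUser-Name = alice
\tCleartext-Password = example-user-password
"""

if __name__ == "__main__":
    for lineno, key in find_leaks(SAMPLE):
        print(f"line {lineno}: {key}")
    print(redact(SAMPLE))
```

Pipe the real dump through redact() (for example `radiusd -X 2>&1 | python3 scrub.py`) and read the find_leaks() report before posting; the line-anchored pattern means a key that happens to appear inside a longer attribute name (Cleartext-Password contains "password") is only matched when it is listed on its own.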
Re: radlast output
2012/7/12 Fajar A. Nugraha l...@fajar.net:
> On Thu, Jul 12, 2012 at 3:17 AM, Sergio Belkin seb...@gmail.com wrote:
>> Alan, thanks for your advice; in this mailing list I have always been willing to learn and to admit when I have to fix something. The mail from Tamás looked somewhat sarcastic and had nothing to do with the main subject.
>
> If you're still interested in getting the full NAS-Identifier, you should store accounting data in an sql table. Even if you don't want to manage a separate sql server (e.g. mysql), you can use something like sqlite to store the data. Needs some effort (e.g. the module is not built by default), but should be doable.
>
> --
> Fajar

Thanks Fajar, I wanted to get the last access of users. I was getting that information by parsing log files, but I found that radlast is a simple but useful thing, except for the NAS-Identifier character limit. Storing data in an sql db looks interesting. I've never configured it. If I use sql only for logging, is /etc/raddb/sql.conf the main file that I have to look at? Does storing in sql exclude using plain log files?

Thanks in advance
Re: radlast output
2012/7/11 Tamás Becz tamas.b...@ericsson.com:
> -----Original Message-----
> From: freeradius-users-bounces+tamas.becz=ericsson.com@lists.freeradius.org On Behalf Of Sergio Belkin
> Sent: Tuesday, July 10, 2012 5:41 PM
> To: FreeRadius users mailing list
> Subject: radlast output
>
>> Hi, radlast shows NAS-Identifier truncated:
>>
>> lbazch 009:AP-PV-PB Tue Jul 10 12:10 still logged in
>> mfembe 004:AP-PI-PB Tue Jul 10 12:10 still logged in
>> msabad 005:oficina- Tue Jul 10 12:10 still logged in
>>
>> Why? Is it a bug? A misconfiguration? You want the debug output, OK you have it :)
>
> Uhm, you might want to spend the next couple of hours changing those secrets :)

Hehehe, I read some time ago something like "the stupid one thinks that everyone is stupid" :) What a pity, I thought you had something interesting to teach us! Oh, I see you are trying to teach us something about social engineering on an open source mailing list! Wow...
Re: radlast output
2012/7/11 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> What a pity, I thought you had something interesting to teach us! Oh, I see you are trying to teach us something about social engineering on an open source mailing list! Wow...
>
> You're getting upset at people who are trying to help you. Be nice, or you can be unsubscribed and banned from the list.
>
> Alan DeKok.

Alan, thanks for your advice; in this mailing list I have always been willing to learn and to admit when I have to fix something. The mail from Tamás looked somewhat sarcastic and had nothing to do with the main subject. In fact, such a message could have been private. It's not my habit to be sarcastic. But OK, perhaps it was my mistake; it was not my intention to offend Tamás, so my apologies.

Thanks as always.
Re: radwho with nas-ip-address behind NAT
2012/6/25 Fajar A. Nugraha l...@fajar.net:
> NAS-IP-Address should be whatever the NAS sends, which can be its loopback/admin address, or its private IP address in case of NAT.

Well, I don't think so. The NAS is sending its public IP, I mean the NAT device IP, not its actual IP. Unless I am doing something wrong...

> Packet-Src-IP-Address, on the other hand, is whatever the radius server sees the packet coming from, which should be the NAS/firewall's public IP address in your case.
>
> --
> Fajar
>
> On Mon, Jun 25, 2012 at 11:13 PM, Sergio Belkin seb...@gmail.com wrote:
>> Hi, I wonder whether radwho can show the actual NAS-IP-Address and not the NAT device IP. Another interesting option would be NAS-Identifier. Is that feasible?
radwho with nas-ip-address behind NAT
Hi, I wonder whether radwho can show the actual NAS-IP-Address and not the NAT device IP. Another interesting option would be NAS-Identifier. Is that feasible?

Thanks in advance!
Re: Problems with Huntgroup
2012/6/6 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> Good idea, I've tried appending %{EAP-Type) to detail.log
>
> What does that mean?
>
>> but it sends nothing, e.g.: auth-detail-AP-XXX-DEFAULT--20120606
>> Between - and - is nothing (Neither TTLS nor PEAP appears)
>
> As *ALWAYS*, read the debug output. You're very dedicated to giving as little information as possible. Why?

OK, you're right, in my next message I will include it :)

> Alan DeKok.
Re: Problems with Huntgroup
2012/6/6 Matthew Newton m...@leicester.ac.uk:
> On Wed, Jun 06, 2012 at 03:56:54PM -0300, Sergio Belkin wrote:
>> Good idea, I've tried appending %{EAP-Type) to detail.log but it sends nothing, e.g.: auth-detail-AP-XXX-DEFAULT--20120606
>> Between - and - is nothing (Neither TTLS nor PEAP appears)
>
> You've not really explained what you've done. However, I *guess* that you have added %{EAP-Type} to the filename (detailfile) in the detail config.

Yes, you guess well.

> Look, though, where detail is getting called, and where eap is called, in the authorize section. It goes in order. The eap module sets EAP-Type, detail is called before. So you need to call the log after eap. But the gotcha is that eap will short circuit the return in the challenges, so you won't call the detail module if you put it after eap.

Nice to know :)

> I'd suggest you let all the incoming logs go to a single location where they are, then you add a new detail (or linelog) module to post-auth. That can use %{EAP-Type}, as it's *after* EAP has happened.

I've tested it and it works, nice! But please keep on reading:

> Alternatively, you can use my other suggestion anywhere you like. If you pick data out of EAP-Message yourself, you get to do what you want with it (and keep the shards when it shatters). Totally untested unlang.
>
>   if (%{EAP-Message} =~ /^0x19/) {
>     detail_log_peap
>   }
>   elsif (%{EAP-Message} =~ /^0x15/) {
>     detail_log_ttls
>   }
>   else {
>     detail_log_other
>   }
>
> Note that things *will* hit detail_log_other. EAP Identity, for instance, before the eap type has been agreed. If you do this in the inner server, be prepared for unexpectedness. In short, understand EAP first.

Good, but it sounds somewhat complex :)

> I just chuck the raw data out with detail and leave it be. The useful stuff is pristinely formatted with gentle loving care by the linelog module, where it sits in a nice greppable format for me. One log entry, in post-auth, after the useful stuff happened. Any more detail needed? Just go to the dirty detail log and dig it out. Happens so rarely it wouldn't matter if it was in binary format and had to be read with a hex editor in Windows...

Wow, linelog seems interesting. I've tried it, but it is only logging Access-Request, why? I add my debug (I plan to get rid of the inner-tunnel-peap file):

FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on Jan 3 2012 at 16:18:16
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb-testing/radiusd.conf
including configuration file /etc/raddb-testing/proxy.conf
including configuration file /etc/raddb-testing/clients.conf
including files in directory /etc/raddb-testing/modules/
including configuration file /etc/raddb-testing/modules/chap
including configuration file /etc/raddb-testing/modules/mschap
including configuration file /etc/raddb-testing/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb-testing/modules/exec
including configuration file /etc/raddb-testing/modules/realm
including configuration file /etc/raddb-testing/modules/checkval
including configuration file /etc/raddb-testing/modules/rediswho
including configuration file /etc/raddb-testing/modules/passwd
including configuration file /etc/raddb-testing/modules/attr_filter
including configuration file /etc/raddb-testing/modules/linelog
including configuration file /etc/raddb-testing/modules/wimax
including configuration file /etc/raddb-testing/modules/pam
including configuration file /etc/raddb-testing/modules/inner-eap
including configuration file /etc/raddb-testing/modules/echo
including configuration file /etc/raddb-testing/modules/soh
including configuration file /etc/raddb-testing/modules/replicate
including configuration file /etc/raddb-testing/modules/acct_unique
including configuration file /etc/raddb-testing/modules/etc_group
including configuration file /etc/raddb-testing/modules/pap
including configuration file /etc/raddb-testing/modules/expr
including configuration file /etc/raddb-testing/modules/smbpasswd
including configuration file /etc/raddb-testing/modules/attr_rewrite
including configuration file /etc/raddb-testing/modules/radutmp
including configuration file /etc/raddb-testing/modules/mac2ip
including configuration file /etc/raddb-testing/modules/logintime
including configuration file /etc/raddb-testing/modules/sql_log
including configuration file /etc/raddb-testing/modules/smsotp
including configuration file /etc/raddb-testing/modules/preprocess
including configuration file /etc/raddb-testing/modules/policy
including configuration file /etc/raddb-testing/modules/cui
including configuration file /etc/raddb-testing/modules/perl
Re: Problems with Huntgroup
2012/6/5 Matthew Newton m...@leicester.ac.uk:
> On Mon, Jun 04, 2012 at 11:43:07AM -0300, Sergio Belkin wrote:
>> 2012/6/4 Alan DeKok al...@deployingradius.com:
>>> The debug for the inner-tunnel *clearly* shows NOT using the files module.
>>
>> So, sorry for the stupid questions, but how can I do that? It's true what you say about the debug output, but files is in the inner-tunnel configuration, I tried putting files above chap, but it doesn't change anything.
>
> Look at /etc/raddb-testing/sites-enabled/inner-tunnel-peap
>
> You've changed the config, added this file, and not added the files module to it.

How is a module added?

>> My current file is:
>
> That's probably /etc/raddb-testing/sites-enabled/inner-tunnel instead.

Yes it is.

> Using different inner-tunnel configs for TTLS and PEAP is just going to cause you pain, unless you REALLY know what you're letting yourself in for. Go back to the default config and use the same for both.

I've added these files because I like to separate logs when supplicants are using PEAP or TTLS. Is there a better way of doing that?

> The debug output doesn't lie. If it says the module isn't being called when you've just added it, then the module is not being called and you're configuring things in the wrong place.

I don't blame debug :) I want to learn. Sorry, but I repeat the question: how is a module added? Because the files statement is present in both files, /etc/raddb-testing/sites-enabled/inner-tunnel-peap and /etc/raddb-testing/sites-enabled/inner-tunnel

Thanks again

> Cheers,
>
> Matthew
>
> --
> Matthew Newton, Ph.D. m...@le.ac.uk
> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Problems with Huntgroup
2012/6/6 Matthew Newton m...@leicester.ac.uk:
> On Wed, Jun 06, 2012 at 10:28:27AM -0300, Sergio Belkin wrote:
>> I've added these files because I like to separate logs when supplicants are using PEAP or TTLS
>
> I'd still use just one file, and filter the logs instead.
>
>> Is there a better way of doing that?
>
> There may be several ways. The first one that comes to mind is just pulling the EAP type out of the EAP-Message attributes. PEAP connections will have an EAP-Message attribute that matches the regexp /^0x19/, whereas TTLS connections will match /^0x15/.
>
> Alternatively, and probably easier in the long run, add %{EAP-Type} to linelog, so you get the name directly in your logs. Add it in the outer, and you'll see TTLS or PEAP. Add it in the inner, and you'll see the inner EAP type, such as MS-CHAP-V2.

Good idea, I've tried appending %{EAP-Type) to detail.log but it sends nothing, e.g.: auth-detail-AP-XXX-DEFAULT--20120606
Between - and - is nothing (Neither TTLS nor PEAP appears)

>> I want to learn. Sorry, but I repeat the question: how is a module added? Because the files statement is present in both files, /etc/raddb-testing/sites-enabled/inner-tunnel-peap and /etc/raddb-testing/sites-enabled/inner-tunnel
>
> Apologies - you're right, it is being called. ++[files] returns noop :-)
>
> Add 'preprocess' to the top of the authorize{} section in your inner-tunnel-peap / inner-tunnel files. That's the module that checks huntgroups.

Thanks guys, it did it! I just realized that modules must be appended in the inner-tunnel files to load them :)

TIA

> Cheers,
>
> Matthew
Re: Problems with Huntgroup
2012/6/4 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> I've appended something like this to the huntgroups file:
>>
>> mb NAS-IP-Address == 10.129.189.1
>> mb NAS-IP-Address == 10.129.84.1
>> mb Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I
>>
>> And in the users file:
>>
>> pruebita Huntgroup-Name == mb,Cleartext-Password := pruebon
>>
>> But it is not working, user pruebita does not get an Access-Accept. Please could you help me to solve it?
>
> You edited the default configuration and broke it. Don't do that.
>
> You've set copy_request_to_tunnel, which is good. It means that the huntgroup check will work.
>
> You've deleted files from raddb/sites-available/inner-tunnel. That's why it doesn't work. Add it back, and it will work.
>
> In 2.1.12, read the comments at the top of raddb/sites-available/inner-tunnel. It tells you how to test the inner-tunnel configuration. It tells you what NOT to do. i.e. tested PEAP before testing that the inner-tunnel config works.
>
> Alan DeKok.

Thanks Alan for your answer. I haven't deleted anything with respect to the default configuration files:

32,36c32,36 listen { ipaddr = 127.0.0.1 port = 18120 type = auth } --- #listen { # ipaddr = 127.0.0.1 # port = 18120 # type = auth #} 142c142 # ldap --- ldap 230,232c230,232 # Auth-Type LDAP { # ldap # } --- Auth-Type LDAP { ldap } 271a272,274 # Sergio reply_log 376a380,382 # Sergio post_proxy_log

Did I miss something?

Thanks in advance
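The huntgroups and users entries quoted above depend on the preprocess module, which provides the Huntgroup-Name check: a huntgroups line matches when every check item on it matches the request, and a group name matches when any of its lines does. The users entry then tests Huntgroup-Name like any other check item. Below is an added example of that evaluation in Python; it is mine, not FreeRADIUS code, handles only the == operator and single-line users entries, and uses the thread's own huntgroups and users lines as input with constructed requests. The last case shows why copy_request_to_tunnel matters: an inner-tunnel request that did not inherit the outer NAS attributes matches no huntgroup, so the users entry never applies.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Item:
    attr: str
    op: str
    value: str


def parse_items(text: str) -> List[Item]:
    """Parse 'Attr op value, Attr op value' as written in huntgroups and users."""
    items = []
    for chunk in text.split(","):
        chunk = chunk.strip()
        if chunk:
            attr, op, value = chunk.split(None, 2)
            items.append(Item(attr, op, value.strip()))
    return items


def parse_huntgroups(text: str) -> List[Tuple[str, List[Item]]]:
    """Each non-comment line is a group name followed by its check items."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, rest = line.partition(" ")
            entries.append((name, parse_items(rest)))
    return entries


def item_matches(item: Item, request: Dict[str, str]) -> bool:
    # Only == is handled in this example; preprocess also accepts =~, != and others.
    if item.op != "==":
        raise ValueError(f"operator {item.op} not handled in this example")
    return request.get(item.attr) == item.value


def match_huntgroups(huntgroups: str, request: Dict[str, str]) -> Set[str]:
    """Names of every group with at least one line whose items all match."""
    return {name for name, items in parse_huntgroups(huntgroups)
            if items and all(item_matches(i, request) for i in items)}


def authorize(users: str, huntgroups: str, request: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Evaluate single-line users entries; return the := items of the first match."""
    groups = match_huntgroups(huntgroups, request)
    for line in users.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        items = parse_items(rest)
        checks = [i for i in items if i.op == "=="]
        sets = {i.attr: i.value for i in items if i.op == ":="}
        if all((i.value in groups) if i.attr == "Huntgroup-Name" else item_matches(i, request)
               for i in checks):
            return sets
    return None


# The huntgroups and users lines from the thread; the requests are constructed.
HUNTGROUPS = """\
mb NAS-IP-Address == 10.129.189.1
mb NAS-IP-Address == 10.129.84.1
mb Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I
"""
USERS = "pruebita Huntgroup-Name == mb,Cleartext-Password := pruebon\n"

OUTER_REQUEST = {"User-Name": "pruebita", "NAS-IP-Address": "10.129.84.1"}
# Inner-tunnel request without copy_request_to_tunnel: no NAS attributes at all.
INNER_REQUEST_NO_COPY = {"User-Name": "pruebita"}

if __name__ == "__main__":
    print(authorize(USERS, HUNTGROUPS, OUTER_REQUEST))         # {'Cleartext-Password': 'pruebon'}
    print(authorize(USERS, HUNTGROUPS, INNER_REQUEST_NO_COPY))  # None
```

The returned dictionary stands in for the control items the files module would add (here the Cleartext-Password that pap or mschap then authenticates against); None corresponds to "++[files] returns noop" followed by a reject because no password was found.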
Re: Problems with Huntgroup
2012/6/4 Alan DeKok al...@deployingradius.com:
> The debug for the inner-tunnel *clearly* shows NOT using the files module.

So, sorry for the stupid questions, but how can I do that? It's true what you say about the debug output, but files is in the inner-tunnel configuration; I tried putting files above chap, but it doesn't change anything. Please could you help me? I've read the file and the output, and also run radtest, but I can't figure out what I should do. My current file is:

listen {
	ipaddr = 127.0.0.1
	port = 18121
	type = auth
}
authorize {
	chap
	mschap
	suffix
	update control {
		Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}
	files
	ldap
	expiration
	logintime
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	unix
	Auth-Type LDAP {
		ldap
	}
	eap
}
session {
	radutmp
}
post-auth {
	reply_log
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
pre-proxy {
}
post-proxy {
	post_proxy_log
	eap
}
EOF

Thanks in advance!
Re: Only Out-of-tunnel
2012/1/16 Alan Buxey a.l.m.bu...@lboro.ac.uk
> Where's the log for when this happens? As MAC auth wouldn't go through the EAP tunnel it would suggest that some entry in eg the users file is coming into play...
>
> alan

Alan, I have three logs; I have the following parameter in radiusd.conf:

requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log

For example, for today I have:

/var/log/radius/radiusd-inner-tunnel-20120117.log (using ttls)
/var/log/radius/radiusd-inner-tunnel-peap-20120117.log (using peap)
/var/log/radius/radiusd-DEFAULT-20120117.log

The weird thing is that I've found one user that has entries *only* in /var/log/radius/radiusd-DEFAULT-20120117.log. AFAIK that is out-of-tunnel. For example:

Mon Jan 16 11:22:57 2012 : Auth: Login OK: [wterra] (from client AP-PVIII-VI port 2 cli 00-11-00-E4-67-EE)

But neither wterra nor 00-11-00-E4-67-EE have entries in the /var/log/radius/radiusd-inner-tunnel-* log files. Please could you explain it to me? I don't use MAC based authentication...

Thanks in advance!
Re: Only Out-of-tunnel
2012/1/17 Sergio Belkin seb...@gmail.com
> 2012/1/16 Alan Buxey a.l.m.bu...@lboro.ac.uk
> [...]

Note: I've copied the entry from yesterday's log, which is why you see Mon Jan 16, but the question is the same: why is there an entry in the DEFAULT logs but not in the inner-tunnel logs?

Thanks again
RE: eapol_test giving up and win-like error?
I mentioned exactly that last week but he disregarded it!

> Subject: Re: eapol_test giving up and win-like error?
> From: p.may...@imperial.ac.uk
> Date: Mon, 23 Jan 2012 10:12:08 +
> To: freeradius-users@lists.freeradius.org
>
> Phil Mayers p.may...@imperial.ac.uk wrote:
>> Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path. Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon.
>>
>> --
>> Sent from my phone. Please excuse brevity and typos.
>
> See also:
>
> https://bugzilla.samba.org/show_bug.cgi?id=6563
>
> ...which I think is the problem you are seeing. Comment 18 gives a way to test this. See also the final comment about "invalid nt key until I restarted winbind" which might be the issue.
>
> --
> Sent from my phone. Please excuse brevity and typos.
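Phil's point that MS-CHAPv1 does not check the server's reply while MS-CHAPv2 does is what makes a wrong NT key from winbind fatal for eapol_test: the MS-CHAPv2 Success message carries an authenticator response (the S=... string) that the supplicant recomputes from its own password hash, and a mismatch ends the session. The following is an added example, mine rather than FreeRADIUS or Samba code, that computes that value as RFC 2759 defines it and checks it against the test vectors in RFC 2759 section 9.2. It carries a pure-Python MD4 because the OpenSSL behind hashlib often no longer provides one. The NT-Response is taken from the RFC vectors rather than computed, since that step needs DES, which the standard library lacks; the "wrong NT key" case at the end is constructed.

```python
import hashlib
import hmac
import struct
from typing import Tuple

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib may lack it on OpenSSL 3 builds."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                       # round 1
            a = rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def nt_password_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def nt_key(password: str) -> bytes:
    """MD4 of the NT hash: the value ntlm_auth --request-nt-key hands to rlm_mschap."""
    return md4(nt_password_hash(password))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def authenticator_response(ntkey: bytes, nt_response: bytes, peer_challenge: bytes,
                           auth_challenge: bytes, username: str) -> str:
    """GenerateAuthenticatorResponse() from RFC 2759 section 8.7."""
    digest = hashlib.sha1(ntkey + nt_response + MAGIC1).digest()
    digest = hashlib.sha1(digest + challenge_hash(peer_challenge, auth_challenge, username)
                          + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def client_accepts(received: str, password: str, nt_response: bytes,
                   peer_challenge: bytes, auth_challenge: bytes, username: str) -> bool:
    """What a v2 supplicant does with the server's Success: recompute and compare."""
    expected = authenticator_response(nt_key(password), nt_response,
                                      peer_challenge, auth_challenge, username)
    return hmac.compare_digest(received, expected)


# RFC 2759 section 9.2 test vectors.
USERNAME = "User"
PASSWORD = "clientPass"
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
EXPECTED = "S=407A5589115FD0D6209F510FE9C04566932CDA56"


def demo() -> Tuple[str, bool, bool]:
    good = authenticator_response(nt_key(PASSWORD), NT_RESPONSE, PEER_CHALLENGE,
                                  AUTH_CHALLENGE, USERNAME)
    # Constructed failure: the server was handed a wrong NT key (all zeros).
    bad = authenticator_response(bytes(16), NT_RESPONSE, PEER_CHALLENGE,
                                 AUTH_CHALLENGE, USERNAME)
    args = (PASSWORD, NT_RESPONSE, PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME)
    return good, client_accepts(good, *args), client_accepts(bad, *args)


if __name__ == "__main__":
    print(demo())
```

A v1 exchange has no equivalent of client_accepts(), so a server working from a bad NT key still produces a "success" there; that is why testing with a local (non-samba) user, as Phil suggests, separates a broken winbind from a broken RADIUS configuration.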
RE: EAP-session did no finish! (Linux)
Are we still having problems with this 'never ending' issue? Sending you, Alberto, another email.

> Date: Tue, 17 Jan 2012 13:18:57 +0100
> Subject: Re: EAP-session did no finish! (Linux)
> From: alberto_marti...@deusto.es
> To: freeradius-users@lists.freeradius.org
>
>> The problem is ALWAYS the same. The Wiki page describes the problems, and the solutions.
>>
>> That particular error is known to pop out when a Windows client uses a misconfigured certificate, or the MTU is too high.
>
> This case is neither one nor the other.
>
>> Try setting up the second server as a brand new server with brand new certificates. Follow the *documented* process of setting up a new server with EAP-TLS / PEAP. It *will* work.
>
> I have no heavy modifications of the original configuration, just the minimum required for eap-peap-mschapv2 to work. Which has been copied from a working server.
>
>> It's probably the cert.
>
> I suspected that, but I'm making no progress with it, and I've ended up with the process pretty much automated. I will continue doing tests, but I felt I was missing something else.
>
>> If it's NOT the cert, then you need to investigate the AP/switch or the client; FreeRADIUS is not receiving the next packet, so either the client or the AP/switch has dropped / ignored it.
>
> Maybe, but the only change made was the address to point at. However, I should check that too.
>
>> One thing to check is MTU; you've trimmed the debug so it's hard to know, but usually the next EAP packet would be large(-ish).
>
> Framed-MTU = 1100 from debug
> fragment_size = 1024 eap.conf (default setting)
>
>> Also check the client - look in the logs, or use tcpdump to check the client actually receives the EAP packet, and sends a reply. Likewise the AP/switch. Also check any firewalls in between.
>
> Yes, it shows a conversation, so no dropped packets in between.
>
> --
> Alberto Martínez Setién
> Servicio Informático
> Universidad de Deusto
> Avda. de las Universidades, 24
> 48007 - Bilbao (SPAIN)
> Phone: +34 - 94 413 90 00 Ext 2684
> Fax: +34 - 94 413 91 01
Only Out-of-tunnel
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
 }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
	attrsfile = /usr/local/etc/raddb/attrs.accounting_response
	key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
}
radiusd: Opening IP addresses and Ports
listen {
	type = auth
	ipaddr = 192.168.1.5
	port = 0
}
listen {
	type = acct
	ipaddr = 192.168.1.5
	port = 0
}
listen {
	type = status
	ipaddr = 127.0.0.1
	port = 18120
 client admin {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = YellowSubmarine
 }
}
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on status address 127.0.0.1 port 18120 as server status
Ready to process requests.
Always Login incorrect: Could not extract EAP-Message from RADIUS message
/detail-20111216
[detail] expand: %t -> Fri Dec 16 09:50:00 2011
++[detail] returns ok
++[unix] returns noop
[radutmp] expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> kiki333
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> kiki333
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 160 to 192.168.2.53 port 49603
Finished request 13.
Cleaning up request 13 ID 160 with timestamp +12
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.4 port 39611, id=2, length=253
	User-Name = SOYKADORNA
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = 02-00-00-00-00-01
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = CONNECT 11Mbps 802.11b
	EAP-Message = 0x0202007a19800070160301006b016703014eeb3ec87be73aa918030263d5e73f349398bd48e8176a62ce944dcf0c6b95cf3a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff01040023
	State = 0x869e7309879c6a16768684a64fbb490b
	Message-Authenticator = 0x0786010bb78d36cc0a93b73a3a9b7a0f
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] expand: /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local/var/log/radius/radacct/requests/192.168.4/auth-detail--DEFAULT-20111216
[auth_log] /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local/var/log/radius/radacct/requests/192.168.4/auth-detail--DEFAULT-20111216
[auth_log] expand: %t -> Fri Dec 16 09:50:01 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = SOYKADORNA, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [SOYKADORNA] (from client AP-sarlanga7 port 0 cli 02-00-00-00-00-01)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> SOYKADORNA
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 14 for 1 seconds
Going to the next request
Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message
2011/12/17 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> I have a really weird problem. We have a lot of NAS'es and no one of them had this problem, except only one! It gets always login incorrect.
>
> Throw the NAS in the garbage.
>
>> If I run eapol_test it complains saying. I've tried replacing the nas a few times
>
> What does that mean?

Oops, sorry, it says "could not extract EAP-Message from RADIUS message".

>> and makes no difference. And it doesn't matter what user tries to connect. Please take a look at user interup with outer identity SOYKADORNA. Am I doing something wrong?
>
> No. The problems are *not* RADIUS problems. The NAS is broken, or there's something else wrong in the network.

Hmmm, so it should be something wrong in the network, because I've tried from 2 different Access Points, with different firmware and even with eapol_test...

Thanks Alan

> Alan DeKok.

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message
2011/12/17 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> Oops, sorry, it says "could not extract EAP-Message from RADIUS message"
>
> That's a message on the NAS. Ask the NAS manufacturer what it means.
>
>> Hmmm, so it should be something wrong in the network, because I've tried from 2 different Access Points, with different firmware and even with eapol_test... thanks Alan
>
> It's not a RADIUS problem.

OK, I believe you :)

> The debug output you posted shows the server receiving duplicate packets *many* seconds apart. They're not detected as duplicates, because the retransmissions are too late.
>
> Find the one thing you *didn't* change in the network, and blame it for the problems.
>
> And no, it's still not a RADIUS problem.

It's a remote site that has only an Access Point; from other sites we have no problem. It's a weird thing that it started to happen suddenly. Perhaps the firewall is doing some rude thing with packets...

> Alan DeKok.

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
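Alan's diagnosis above rests on one detail of how FreeRADIUS 2.x handles duplicates: a finished request is kept for cleanup_delay seconds (5 by default) so that a NAS retransmit inside that window gets the cached reply, while a copy arriving later is indistinguishable from a new request, and its State then matches no live EAP session, which is exactly the "No EAP session matching the State variable" line in the log. The script below is an added example, not code from the thread or from the FreeRADIUS project. It reads radiusd -X output, pairs each rad_recv block with the %t expansion that the auth_log module prints for it (the only per-request clock in that output), and reports repeated packets split into in-window retransmits and late ones. The packet key (client, port, ID, Message-Authenticator) and the constructed sample log lines are this example's assumptions.

```python
"""Added example, not from the thread or from FreeRADIUS: flag Access-Request
copies in 'radiusd -X' output and tell in-window retransmits from late ones.
Sample log lines are constructed and trimmed to the fields the check needs."""
import re
from datetime import datetime

CLEANUP_DELAY = 5.0  # FreeRADIUS 2.x default cleanup_delay, in seconds

RAD_RECV = re.compile(r"^rad_recv: (?P<code>[\w-]+) packet from host (?P<host>\S+) "
                      r"port (?P<port>\d+), id=(?P<id>\d+), length=(?P<length>\d+)")
ATTRIBUTE = re.compile(r"^\s+(?P<name>[\w-]+) = (?P<value>.+?)\s*$")
# radiusd -X has no per-line clock, but auth_log/detail expand %t for every
# request, which yields a one-second-resolution timestamp per packet.
TIMESTAMP = re.compile(r"expand: %t -> (?P<ts>\w{3} \w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \d{4})")


def parse_requests(lines):
    """Return one dict per rad_recv block: header fields, attributes, %t time."""
    requests, current = [], None
    for line in lines:
        m = RAD_RECV.match(line)
        if m:
            current = {"code": m["code"], "host": m["host"], "port": int(m["port"]),
                       "id": int(m["id"]), "attrs": {}, "time": None}
            requests.append(current)
            continue
        if current is None:
            continue
        m = TIMESTAMP.search(line)
        if m and current["time"] is None:
            current["time"] = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            continue
        m = ATTRIBUTE.match(line)
        if m and current["time"] is None:  # the attribute dump precedes the %t line
            current["attrs"][m["name"]] = m["value"]
    return requests


def packet_key(req):
    """Fields that identify one wire packet.  Message-Authenticator is an HMAC over
    the whole request, so an equal value means the NAS resent the same bytes; a
    new EAP round would carry a new State and therefore a new HMAC."""
    return (req["host"], req["port"], req["id"], req["attrs"].get("Message-Authenticator"))


def find_retransmissions(requests, cleanup_delay=CLEANUP_DELAY):
    """Report every Access-Request already seen; 'late' means the server had
    already cleaned up the original and will treat the copy as a new request."""
    first_seen, findings = {}, []
    for req in requests:
        if req["code"] != "Access-Request" or req["time"] is None:
            continue
        key = packet_key(req)
        if key in first_seen:
            delay = (req["time"] - first_seen[key]).total_seconds()
            findings.append({"host": req["host"], "id": req["id"], "delay": delay,
                             "late": delay > cleanup_delay})
        else:
            first_seen[key] = req["time"]
    return findings


# Constructed sample: the same request three times (at +0, +1 s, +12 s), with an
# unrelated accounting packet and a legitimate next EAP round in between.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.53 port 39611, id=2, length=253
        User-Name = "SOYKADORNA"
        State = 0x869e7309879c6a16768684a64fbb490b
        Message-Authenticator = 0x0786010bb78d36cc0a93b73a3a9b7a0f
[auth_log]      expand: %t -> Fri Dec 16 09:50:01 2011
++[auth_log] returns ok
rad_recv: Access-Request packet from host 192.0.2.53 port 39611, id=2, length=253
        User-Name = "SOYKADORNA"
        State = 0x869e7309879c6a16768684a64fbb490b
        Message-Authenticator = 0x0786010bb78d36cc0a93b73a3a9b7a0f
[auth_log]      expand: %t -> Fri Dec 16 09:50:02 2011
rad_recv: Accounting-Request packet from host 192.0.2.53 port 49603, id=160, length=86
        User-Name = "kiki333"
[detail]        expand: %t -> Fri Dec 16 09:50:04 2011
rad_recv: Access-Request packet from host 192.0.2.53 port 39611, id=3, length=253
        User-Name = "SOYKADORNA"
        State = 0x9f1d0c5a3b7e2d4c8a6b1f0e5d3c2b1a
        Message-Authenticator = 0x5c1e9a0b7d3f2e4c6a8b0d1f3e5c7a9b
[auth_log]      expand: %t -> Fri Dec 16 09:50:05 2011
rad_recv: Access-Request packet from host 192.0.2.53 port 39611, id=2, length=253
        User-Name = "SOYKADORNA"
        State = 0x869e7309879c6a16768684a64fbb490b
        Message-Authenticator = 0x0786010bb78d36cc0a93b73a3a9b7a0f
[auth_log]      expand: %t -> Fri Dec 16 09:50:13 2011
"""

if __name__ == "__main__":
    for f in find_retransmissions(parse_requests(SAMPLE_LOG.splitlines())):
        kind = "LATE copy, treated as new request" if f["late"] else "retransmit inside cleanup_delay"
        print(f"{f['host']} id={f['id']} +{f['delay']:.0f}s: {kind}")
```

Run against a real capture with `radiusd -X | tee radiusd.log` and `parse_requests(open("radiusd.log"))`; a stream of "LATE" findings from one client, with none from the others, points at the path between that NAS and the server rather than at the RADIUS configuration, which is the conclusion Alan draws above.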
Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message
2011/12/16 Sergio Belkin seb...@gmail.com:
> Hi,
>
> I have a really weird problem. We have a lot of NAS'es and no one of them had this problem. It gets always login incorrect. If I run eapol_test it complains saying the following. I've tried replacing the NAS a few times and it makes no difference. And it doesn't matter what user tries to connect.
>
>   could not extract EAP-Message from RADIUS message
>   EAPOL: EAP key not available
>
> This is the debug output of freeradius. Please could you help me to solve this issue?
>
> Problem happens with client 192.168.3.201. Sorry, but don't pay attention to the IP addresses (the file has had the sensitive data edited).
>
> Please take a look at user interup with outer identity SOYKADORNA.
>
> Thanks again

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message
2011/12/16 Sergio Belkin seb...@gmail.com:
> 2011/12/16 Sergio Belkin seb...@gmail.com:
>> Hi,
>>
>> I have a really weird problem. We have a lot of NAS'es and no one of them had this problem. It gets always login incorrect. If I run eapol_test it complains saying the following. I've tried replacing the NAS a few times and it makes no difference. And it doesn't matter what user tries to connect.
>>
>>   could not extract EAP-Message from RADIUS message
>>   EAPOL: EAP key not available
>>
>> This is the debug output of freeradius. Please could you help me to solve this issue?
>>
>> Problem happens with client 192.168.3.201. Sorry, but don't pay attention to the IP addresses (the file has had the sensitive data edited).
>>
>> Please take a look at user interup with outer identity SOYKADORNA.
>>
>> Thanks again

I think I've found something about it: http://www.ietf.org/rfc/rfc3579.txt, section 2.6.3 (Conflicting messages). Could that be the problem?

Thanks in advance

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
IPv6 ready?
Ciao.

Just wondering if FR supports IPv6 addresses, since I'm unable to start the server when using IPv6. I've changed (or uncommented) a couple of lines in radiusd.conf under the 'listen' section:

	ipv6addr = ::

and then I tried to start the server, but no way. It works ok when using IPv4. FR spits out:

	Failed binding to authentication address 0:0: port 1812: Bad file descriptor.

The FR server has been built with IPv6 support.

Another question is: are you aware of any (client) tool for testing FR when using IPv6 addresses? eapol_test doesn't seem to know anything about :: or ::1

Do the lines below from radiusd.conf require any change when using IPv6?

	...
	...
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d.log
	}
	...
	...

Sorry about asking many questions at the same time, but they're all related.

Sergio.
RE: IPv6 ready?
Thank you all for your help.

I added two more listen blocks in radiusd.conf and I updated detail { ... } with the following:

	%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}

and it works, but... (there's always a but). If we use an IPv6 address, then the Packet-Src-IPv6-Address value will be, for instance, 0:0:0:0:0:0:0:0, and the path becomes:

	${radacctdir}/0:0:0:0:0:0:0:0/detail-%Y%m%d.log

but FR crashes since it cannot create a folder with that name. Is there any way of overcoming this issue? Replace ':' with '.' or so?

Thanks again for your help.

Sergio.

> Date: Mon, 31 Oct 2011 08:52:46 +
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: IPv6 ready?
>
> Hi,
>
>> Just wondering if FR supports IPv6 addresses since I'm unable to start the server when using IPv6.
>
> yes. we use it fine with IPv6 - both receiving and sending RADIUS packets.
>
>> Another question is: are you aware of any (client) tool for testing FR when using IPv6 addresses? eapol_test doesn't seem to know anything about :: or ::1
>
> eapol_test - use hostnames (eg in /etc/hosts ?) ?
>
>> Do the below lines from radiusd.conf require any change when IPv6?
>> ...
>> ...
>> detail {
>>   detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d.log
>
> yes, Client-IP-Address doesn't exist in the IPv6 world - you can use one of the source address attributes instead
RE: IPv6 ready?
Thanks Phil.

Can you try 'mkdir 0:0:0:0:0:0:0:0' on a Windows box and let me know if it works?

> Date: Mon, 31 Oct 2011 15:46:47 +
> From: p.may...@imperial.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: IPv6 ready?
>
> On 31/10/11 15:32, Sergio NNX wrote:
>> Thank you all for your help.
>>
>> I added two more listen blocks in radiusd.conf and I updated detail { ... } with the following:
>>
>>   %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}
>>
>> and it works, but... (there's always a but). If we use an IPv6 address, then the Packet-Src-IPv6-Address value will be, for instance, 0:0:0:0:0:0:0:0, and the path becomes:
>>
>>   ${radacctdir}/0:0:0:0:0:0:0:0/detail-%Y%m%d.log
>>
>> but FR crashes since it cannot create a folder with that name.
>
> Really? Which OS?
>
>> Is there any way of overcoming this issue? Replace ':' with '.' or so?
>
> There's no built-in xlat that allows you to do a substitute; you'll have to use rlm_perl or rlm_python, or an exec script, to translate the name.
RE: IPv6 ready?
Cool, what can I do about it? I'm new to FR so I don't know how to implement a rule or something like that. Can you provide an example or a URL where I can find more info?

Cheers.

> Date: Mon, 31 Oct 2011 16:08:21 +
> From: p.may...@imperial.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: IPv6 ready?
>
> On 31/10/11 15:58, Sergio NNX wrote:
>> Thanks Phil.
>>
>> Can you try 'mkdir 0:0:0:0:0:0:0:0' on a Windows box and let me know if it works?
>
> I can tell you for absolute certain it won't without even having to try. It's a Windows limitation.
RE: IPv6 ready?
Thanks for all your ideas and suggestions.

I'm trying to 'patch' (sorry for this) rlm_detail and replace all ':' with '.' (obviously, only when on Windows). I'll try sql as well.

Let's keep in touch.

> Date: Mon, 31 Oct 2011 17:02:36 +
> From: p.may...@imperial.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: IPv6 ready?
>
> On 31/10/11 16:19, Sergio NNX wrote:
>> Cool, what can I do about it? I'm new to FR so I don't know how to
>
> Personally I'd advise running it on a Unix system at the moment.
>
>> implement a rule or something like that. Can you provide an example or a URL where I can find more info?
>
> wiki.freeradius.org? The docs that come with the server?
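Phil's suggestion above (since unlang has no substitution xlat, do the translation in rlm_perl, rlm_python or an exec script) comes down to one small function. The following is an added example, not code from the thread or from the FreeRADIUS project: it maps the value of Packet-Src-IP-Address / Packet-Src-IPv6-Address to a directory name that is legal on Windows as well as POSIX, and shows the path the detail module would then write to. The function name, and the choice to expand IPv6 to its full eight-group form before replacing ':' with '.', are this example's; hooking it into rlm_python or an exec xlat is left to the deployment. Rejecting anything that is not an IP literal, rather than passing it through, keeps a network-supplied string from ever contributing a path separator or '..' to a filesystem path.

```python
"""Added example, not code from the thread or from FreeRADIUS: turn the source
address of a RADIUS packet into a directory name usable on Windows and POSIX,
for a detail path such as
    ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d.log
Function names and the eight-group expansion are this example's choices."""
import ipaddress
import os


def client_dir_name(addr):
    """Map an IPv4/IPv6 literal to a directory name.

    IPv4 is returned as is.  IPv6 is expanded to eight 4-digit groups, so
    '::', '0:0:0:0:0:0:0:0' and '0000:0000:...:0000' all land in one
    directory, then ':' (illegal in Windows file names) becomes '.'.
    Anything that does not parse as an address is rejected instead of being
    passed through, so the result can never contain a path separator or '..'.
    """
    if "%" in addr:  # a scope id (fe80::1%eth0) is not a file name either
        raise ValueError(f"scoped address not supported: {addr!r}")
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError as exc:
        raise ValueError(f"not an IP address: {addr!r}") from exc
    if isinstance(ip, ipaddress.IPv4Address):
        return str(ip)
    return ip.exploded.replace(":", ".")


def detail_path(radacctdir, addr, yyyymmdd):
    """Equivalent of ${radacctdir}/<client>/detail-%Y%m%d.log with the client
    directory made filesystem-safe; yyyymmdd is the already expanded %Y%m%d."""
    return os.path.join(radacctdir, client_dir_name(addr), f"detail-{yyyymmdd}.log")


if __name__ == "__main__":
    for a in ("0:0:0:0:0:0:0:0", "::1", "2001:db8::53", "192.168.1.5"):
        print(a, "->", detail_path("/usr/local/var/log/radius/radacct", a, "20111031"))
```

The expanded form is deliberately fixed-width: the same client then always produces the same directory whatever abbreviation the address attribute happens to use, which matters when log rotation or an SQL import later keys on the path.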
RE: RADIUS certificate compatibility warning
Ciao.

We're also facing the same issue, but on a Windows box. We did a quick test using a rather old FR version (1.1.7), on the same PC and using the same certificates, and we get a successful result using eapol_test. We've also followed the steps available in http://wiki.freeradius.org/Certificate_Compatibility. However, no one seems to know the answer/solution to this issue. Just bear in mind I'm new to this project and my ignorance may contribute to... you know!

Thanks in advance.

Sergio.

> From: martin.ub...@uwe.ac.uk
> To: freeradius-users@lists.freeradius.org
> Date: Mon, 24 Oct 2011 11:25:01 +0100
> Subject: RADIUS certificate compatibility warning
>
> I've upgraded FreeRadius to 2.1.10 and Samba to 3.5.6. I've got right through (again) to the final "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" stage, but the command 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123' fails.
>
> The 'radiusd -X' output finishes with:
>
>   WARNING: !!
>   WARNING: !! EAP session for state 0x89fe3c9f81f72525 did not finish!
>   WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
>   WARNING: !!
>
> http://wiki.freeradius.org/Certificate_Compatibility refers to a problem when the client is a Windows machine, but I'm running the 'eapol_test' command on the FreeRadius server, which is Linux (CentOS).
>
> The following lines from the output of the 'eapol_test' command seem to indicate a problem with the root certificate:
>
>   OpenSSL: tls_connection_ca_cert - Failed to load root certificates error::lib(0):func(0):reason(0)
>   OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
>
> I created the certificates using the method described in http://deployingradius.com/documents/configuration/certificates.html
>
> I can supply the full output from the 'eapol_test' command and from 'radiusd -X', but they're too big to include in this email.
>
> Can anyone tell me what I'm doing wrong?
>
> Thanks
>
> Martin.
Here are the errors/warnings sections from the output of the 'eapol_test' command and from 'radiusd -X', and the full contents of peap-mschapv2-cert-ntlm_auth.conf, the ca.cnf, server.cnf and client.cnf files, and eap.conf:

'eapol_test' errors/warnings:

RADIUS packet matching with station
decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server: EAP-Request-PEAP (25)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP)
TLS: Phase2 EAP types - hexdump(len=40): 00 00 00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00
TLS: using phase1 config options
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error::lib(0):func(0):reason(0)
OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-PEAP: Start (server ver=0, own ver=1)
EAP-PEAP: Using PEAP version 0
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client hello A
SSL: (where=0x1002 ret=0x)
SSL: SSL_connect:error in SSLv3 read server hello A
SSL: SSL_connect - want more data
SSL: 112 bytes pending from ssl_out
SSL: 112 bytes left to be sent out (of total 112 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=122)

'radiusd -X' errors/warnings:

# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: USERNAME
[mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=USERNAME
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain
RE: EAP Testing - Newbie
	EAP-Message = 0x737420526f6f742043412028
	Message-Authenticator = 0x
	State = 0x26b3a7ae27b1b26bc177f1c70c867315

--

I've tried almost everything. I'd appreciate any pointers/help here. Is there any other tool I could use instead of eapol_test?

Thanks again.

Sergio.

> Date: Mon, 17 Oct 2011 09:30:32 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: tim.sylves...@networkradius.com; freeradius-users@lists.freeradius.org
> CC: sfhac...@hotmail.com
> Subject: Re: EAP Testing - Newbie
>
> hi,
>
> ...please don't send eapol_test output - send the output from radiusd -X
>
> from the log sent it looks like the client isn't getting a response from the server (note the 3 default timeouts at the end)
>
> alan
RE: EAP Testing - Newbie
Hi Alan,

Thanks for your reply. That's all... after the following lines:

	EAP-Message = 0x737420526f6f742043412028
	Message-Authenticator = 0x
	State = 0x26b3a7ae27b1b26bc177f1c70c867315

I just get:

	Finished request 1
	Going to the next request
	Waking up in 4.8 seconds
	Cleaning up request 0 ID 0 with timestamp .
	Waking up in 0.1 seconds
	Cleaning up request 1 ID 1 with timestamp
	Ready to process requests.

That's all. No more output!

Any help is greatly appreciated!

Ciao.

> Date: Mon, 17 Oct 2011 11:56:34 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: sfhac...@hotmail.com
> CC: tim.sylves...@networkradius.com; freeradius-users@lists.freeradius.org
> Subject: Re: EAP Testing - Newbie
>
> hi,
>
> your radiusd -X output was not all there... it just stopped. need to see it all to see where/when the fail is occurring.
>
> alan
EAP Testing - Newbie
Ciao all,

First of all, I'm new to this project so I may ask 'dumb' questions and I may be slow to understand. Be patient!

I'm in the process of testing FreeRADIUS 2.1.11, just a basic/standard setup. I've been following this user guide: http://deployingradius.com/documents/configuration/pap.html. Very useful, by the way.

PAP, MSCHAP and MSCHAPv2 work ok, but I'm unable to get any EAP tests to pass. I've tried almost everything, including: http://deployingradius.com/documents/configuration/eap-problems.html

I need some help! Thanks in advance.

Sergio.

Test output - radtest -t eap-md5 ... (it works ok)

(Client side)

Sending Access-Request packet to host 127.0.0.1 port 1812, id=229, length=0
	User-Name = testuser
	User-Password = testpw
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1812
	EAP-Code = Response
	EAP-Type-Identity = testuser
	Message-Authenticator = 0x00
	EAP-Message = 0x02e4000d017465737475736572
Received Access-Challenge packet from host 127.0.0.1 port 1812, id=229, length=97
	Reply-Message = Hello, testuser
	EAP-Message = 0x01e5001604103823185ef840cc37ad7436a904db9605
	Message-Authenticator = 0xf5a2da42e33cfe56a80104afb9931946
	State = 0x3dcf853c3d2a813191ce5fb05bf39134
	EAP-Id = 229
	EAP-Code = Request
	EAP-Type-MD5 = 0x103823185ef840cc37ad7436a904db9605
Sending Access-Request packet to host 127.0.0.1 port 1812, id=230, length=93
	User-Name = testuser
	User-Password = testpw
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1812
	EAP-Code = Response
	Message-Authenticator = 0x
	EAP-Type-MD5 = 0x105a160cce9524d55843b32d1fcbaedb6b
	EAP-Id = 229
	State = 0x3dcf853c3d2a813191ce5fb05bf39134
	EAP-Message = 0x02e5001604105a160cce9524d55843b32d1fcbaedb6b
Received Access-Accept packet from host 127.0.0.1 port 1812, id=230, length=71
	Reply-Message = Hello, testuser
	EAP-Message = 0x03e50004
	Message-Authenticator = 0xa9e17bcb7d0b8e0ad062f9b3c5d0399c
	User-Name = testuser
	EAP-Id = 229
	EAP-Code = Success
Total approved auths: 1
Total denied auths: 0

(Server side)

Ready to process requests.
# Executing section authorize from file ..\etc\raddb/radiusd.conf
+- entering group authorize {...}
[auth_log] ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20111016.log
++[auth_log] returns ok
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
++[mschap] returns noop
[files] users: Matched entry testuser at line 29
++[files] returns ok
[eap] EAP packet type response id 228 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file ..\etc\raddb/radiusd.conf
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
++[eap] returns handled
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
# Executing section authorize from file ..\etc\raddb/radiusd.conf
+- entering group authorize {...}
[auth_log] ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20111016.log
++[auth_log] returns ok
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
++[mschap] returns noop
[files] users: Matched entry testuser at line 29
++[files] returns ok
[eap] EAP packet type response id 229 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file ..\etc\raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 229 with timestamp +14
Cleaning up request 1 ID 230 with timestamp +14
Ready to process requests.

EAP-MD5 test - http://deployingradius.com/scripts/eapol_test/

eapol_test.exe -c md5.conf -s testing123 (it doesn't work!)

Output:

Reading configuration file 'md5.conf'
Line: 1 - start of a new network block
ssid - hexdump_ascii(len=7): 45 78 61 6d 70 6c 65 Example
eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00 00
eapol_flags=0 (0x0)
key_mgmt: 0x1
identity - hexdump_ascii(len=8): 74 65 73 74 75 73 65 72 testuser
password - hexdump_ascii(len=6): 74 65 73 74 70 77 testpw
ca_cert - hexdump_ascii(len=40): 63 3a 2f 46 72 65 65 52 41 44 49 55 53 2f 65 74 c
Re: Broken Pipe with ssh
2011/10/12 Alan Buxey a.l.m.bu...@lboro.ac.uk:
> Hi,
>
>> Ssh users are suffering broken pipes when NASes use the WPA Enterprise schema. I wonder if I have something misconfigured that is causing nonsense reconnections or things alike. Please could you help me and take a look at my config and tell me if I should fix something? Thanks in advance!
>
> not really a RADIUS issue - unless your authentications are taking too long and therefore timing out - causing the clients to lose actual connectivity. you need to see what is happening on the client when these events are taking place - eg look at system messages or wireless stuff to see if something's not right there
>
> ...what is the session-timeout? do you change their VLAN - are different APs delivering different VLANs - do you see the clients being mobile at all? lots of things - its the wireless medium that is causing the issue I believe... and FR 2.1.1 is very very old, I'd recommend that you upgrade
>
> alan

Yup. It seems that it is not a radius issue. Sorry, of course it's not; it's that the problem arose and I thought "Oh, it is a freeradius issue indeed". It happens that it is some problem that we have had for a long time, and it's somewhat difficult to find the cause, so I thought for a moment that I was doing something wrong (I was not blaming the radius developers, it's not my way of doing things). But finally we've found that it seems that the firewall device at the edge of the network is causing such issues.

Thanks

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
Broken Pipe with ssh
/attrs.accounting_response
	key = %{User-Name}
 }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
}
radiusd: Opening IP addresses and Ports
listen {
	type = auth
	ipaddr = 192.168.1.5
	port = 0
}
listen {
	type = acct
	ipaddr = 192.168.1.5
	port = 0
}
listen {
	type = status
	ipaddr = 127.0.0.1
	port = 18120
	client admin {
		ipaddr = 127.0.0.1
		require_message_authenticator = no
		secret = YellowSubmarine
	}
}
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on status address 127.0.0.1 port 18120 as server status
Ready to process requests.

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
RE: Local Auth if Proxy Auth fails ---OR--- Proxy Auth if Local Auth fails
Are we in a bad mood?

> Date: Tue, 11 Oct 2011 08:46:28 +0200
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Local Auth if Proxy Auth fails ---OR--- Proxy Auth if Local Auth fails
>
> Яцко Эллад Геннадьевич (ngs) wrote:
>> I am a beginner in RADIUS. I guessed you talked about sites-available/default because Cisco does not use any realms when it sends its packets to the RADIUS.
>
> I talked about realms because I wanted to talk about realms.
>
>> I think it's needed to expand my task boundaries :-) I want to make Cisco devices authenticate users when they enter the device via telnet/ssh. It would be a three-stage procedure:
>> - Windows DC if IAS (Microsoft RADIUS) is accessible;
>> - if not - RADIUS local DB if it is accessible;
>> - if not - Cisco's local DB (NAS local authentication).
>> So if I correctly understood, I need to use the authenticate section.
>
> No. My example was correct.
>
>> But what comes further I don't clearly imagine. I guess when an Access-Request is incoming, RADIUS, in accordance with the suggested scheme, must change the realm of the request and continue processing the packet with the new conditions, is that right?
>
> No. My example was correct.
>
>> I must define a new realm, for example ias, and I must define a home server for it, must I?
>
> That's the only thing you got right.
>
> Alan DeKok.
Freeradius + xmpp server
Hi,

I'd want to know if anyone there is using freeradius along with an xmpp server. I'd like to read about experiences with it.

Thanks in advance!

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
Re: Freeradius + xmpp server
2011/5/27 Phil Mayers p.may...@imperial.ac.uk:
> On 27/05/11 16:31, Sergio Belkin wrote:
>> Hi,
>>
>> I'd want to know if anyone there is using freeradius along with an xmpp server.

I mean using an xmpp server as a NAS. I think that it provides more flexibility to choose on which attributes the authentication is performed.

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
Re: Freeradius + xmpp server
2011/5/27 Phil Mayers p.may...@imperial.ac.uk:
> On 27/05/11 16:58, Sergio Belkin wrote:
>> I mean using an xmpp server as a NAS. I think that it provides more flexibility to choose on which attributes the authentication is performed.
>
> So, would the idea be that:
>
>  * client connects to XMPP server
>  * client sends username/password
>  * XMPP server sends PAP request
>  * radius server replies with yes/no
>
> The easiest way is probably PAM and pam_radius, but it only does authentication. But I assume you want to do something more complex?

The idea is:

 * client connects to XMPP server
 * client sends uid/radiusPassword (see below)
 * XMPP server sends MSChapv2 request
 * radius server replies with yes/no

radiusPassword is an alternative attribute that we created instead of userPassword. We use it instead of userPassword, which is used for mail and intranet access.

I was testing openfire, but it can't choose the att"ribute, only uses userPassword, and has a radius plugin that is a bit outdated...

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
Re: Freeradius + xmpp server
2011/5/27 Phil Mayers p.may...@imperial.ac.uk:
>> The idea is:
>> * client connects to XMPP server
>> * client sends uid/radiusPassword (see below)
>> * XMPP server sends MSCHAPv2 request
>> * radius server replies with yes/no
>
> Interesting. Since the client is sending user/password, why do you want to translate that to an MSCHAP request?

Well, I don't know really, but there was a plugin from jradius that could do that; as I said, it is somewhat dated.

>> radiusPassword is an alternative attribute that we created instead of userPassword. We use it instead of userPassword, which is used for mail and intranet access.
>
> This is an attribute where? In a radius packet?

It is an LDAP attribute and AFAIK it is a checkItem; I have the following in ldap.attrmap:

    checkItem    Cleartext-Password    radiusPassword

>> I was testing Openfire but it can't choose the attribute, it only uses userPassword, and it has a RADIUS plugin that is a bit outdated...
>
> Have you tried PAM and pam_radius?

Not yet :)

-- Sergio Belkin http://www.sergiobelkin.com
Invalid signature
Hi, I am receiving this error from some NAS:

    rad_recv: Accounting-Request packet from host 201.216.227.201 port 58999, id=0, length=86
    Received Accounting-Request packet from 201.216.227.201 with invalid signature!  (Shared secret is incorrect.)  Dropping packet without response.

It's a weird thing, because the secret on both the radius server and the NASes is the same! I don't understand the problem! Thanks in advance!

-- Sergio Belkin http://www.sergiobelkin.com
Re: Invalid signature
2011/5/11 Alan Buxey a.l.m.bu...@lboro.ac.uk:
> Hi,
>
>> rad_recv: Accounting-Request packet from host 201.216.227.201 port 58999, id=0, length=86
>> Received Accounting-Request packet from 201.216.227.201 with invalid signature!  (Shared secret is incorrect.)  Dropping packet without response.
>
> server doesn't lie. check the shared secret for the ACCOUNTING part of the NAS
>
> alan

Oops, sorry, it's my fault. I forgot to append

    append $var acct_server_shared_secret=$secret $N

to the OpenWrt NAS. It resulted in an OT, but I hope that helps someone using OpenWRT. Thanks again

-- Sergio Belkin http://www.sergiobelkin.com
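An added example, not code from the thread, of the check behind the "invalid signature (Shared secret is incorrect)" message above: the server recomputes the Request Authenticator of an Accounting-Request with the secret it has configured for that client, so a NAS whose accounting secret differs from its authentication secret is rejected. Standard-library Python; the secret, NAS address and session values are constructed.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types used below (RFC 2865/2866 values).
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1


def attr(attr_type, value):
    """Encode one attribute as Type-Length-Value; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier, attrs, secret):
    """Build an Accounting-Request as a NAS would. Its Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret),
    which binds the shared secret into every accounting packet."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """Server side: recompute the authenticator with the secret configured for
    this client. A mismatch is exactly what FreeRADIUS logs as an invalid
    signature before dropping the packet without a response."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    # Constant-time comparison, as any authenticator check on a server should use.
    return hmac.compare_digest(expected, packet[4:20])


def describe(packet):
    """Summarise a packet the way the rad_recv log line does."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    name = "Accounting-Request" if code == ACCOUNTING_REQUEST else "code %d" % code
    return "%s packet id=%d, length=%d" % (name, identifier, length)


# Constructed sample: an Accounting Start for user "steve" from a NAS at 192.0.2.10.
NAS_SECRET = b"testing123"
SAMPLE_ATTRS = (
    attr(ATTR_USER_NAME, b"steve")
    + attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
    + attr(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))
    + attr(ATTR_ACCT_SESSION_ID, b"00000001")
)
SAMPLE_PACKET = build_accounting_request(0, SAMPLE_ATTRS, NAS_SECRET)


def demo():
    """Returns (accepted with the right secret,
                accepted with a wrong accounting secret,
                accepted after the User-Name was altered in transit)."""
    wrong_secret = b"testing124"
    tampered = SAMPLE_PACKET[:20] + SAMPLE_PACKET[20:].replace(b"steve", b"alice")
    return (
        verify_accounting_request(SAMPLE_PACKET, NAS_SECRET),
        verify_accounting_request(SAMPLE_PACKET, wrong_secret),
        verify_accounting_request(tampered, NAS_SECRET),
    )


if __name__ == "__main__":
    print(describe(SAMPLE_PACKET), demo())
```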
Authentication based on users and NAS
Hi, it was easier than I thought, I simply had to add to /etc/raddb/users something like:

    steve    Called-Station-Id == 00259c14066e, Cleartext-Password := password

Still I have to solve 2 issues. The first one is that if I want steve to log in through more than one NAS I have to add one line like the above per NAS. Is there a nicer way to do it? The second one is that I don't know how to do it for LDAP users. Thanks in advance!

-- Sergio Belkin http://www.sergiobelkin.com
Restrict access per NAS
Hi, is there a way to restrict an LDAP user to be authorized only from a specific NAS (Access Point)? I'm using FreeRADIUS Version 2.1.1. Thanks in advance!

-- Sergio Belkin http://www.sergiobelkin.com
Half OT: Windows XP won't connect
Hi, I have a freeradius with LDAP; supplicants use either EAP-PEAP or EAP-TTLS. Sometimes, Windows (mainly XP) systems won't connect: packets arrive only at the Access Point but not at the radius server. Generally the solution is rebooting the AP, but I wonder if I need to tweak something on the AP. This is the result from tcpdump:

    12:45:07.808808 00:22:5f:43:f4:31 (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00
    12:45:07.815594 02:25:9c:14:06:6e (oui Unknown) > 00:25:9c:14:06:6e (oui Unknown), ethertype Unknown (0x886c), length 94:
            0x0000:  8001 007a 1018 0001 0001                 ...z
            0x0010:  0008
            0x0020:  0016 0022 5f43 f431 776c 3000            ..._C.1wl0.
            0x0030:  3014 0100 000f ac02                      0...
            0x0040:  0100 000f ac04 0100 000 ac01
    12:45:07.819711 EAPOL start (1) v1, len 0
    12:45:07.825580 02:25:9c:14:06:6e (oui Unknown) > 00:25:9c:14:06:6e (oui Unknown), ethertype Unknown (0x886c), length 77:
            0x0000:  8001 0069 1018 0001 0001                 ...i
            0x0010:  0019
            0x0020:  0005 0022 5f43 f431 776d 3000            ..._C.1wl0.
            0x0030:  0101 00...
    12:45:18.821489 IP 192.168.188.131.17500 > 192.168.188.255.17500: UDP, length 127
    12:45:20.417512 ARP, Request who-has 192.168.188.1 (00:25:9c:14:06:6c (oui Unknown)) tell 192.168.188.187, length 28
    12:45:20.417682 ARP, Reply 192.168.188.1 is-at 00:25:9c:14:06:6c (oui Unknown), length 28
    12:45:28.095608 ARP, Request who-has 192.168.188.131 tell 192.168.188.1, length 28
    12:45:28.098097 ARP, Reply 192.168.188.131 is-at 00:1f:5b:bb:77:f2 (oui Unknown), length 28
    12:45:31.165528 ARP, Request who-has 192.168.188.187 tell 192.168.188.1, length 28
    12:45:31.169815 ARP, Reply 192.168.188.187 is-at 00:25:d3:74:49:ac (oui Unknown), length 28
    12:45:48.919456 ARP, Request who-has 192.168.188.1 (00:25:9c:14:06:6c (oui Unknown)) tell 192.168.188.187, length 28
    12:45:48.919612 ARP, Reply 192.168.188.1 is-at 00:25:9c:14:06:6c (oui Unknown), length 28
    12:46:04.655521 ARP, Request who-has 192.168.188.187 tell 192.168.188.1, length 28
    12:46:04.656464 ARP, Reply 192.168.188.187 is-at 00:25:d3:74:49:ac (oui Unknown), length 28
    12:46:09.114950 EAPOL start (1) v1, len 0
    12:46:09.115553 02:25:9c:14:06:6e (oui Unknown) > 00:25:9c:14:06:6e (oui Unknown), ethertype Unknown (0x886c), length 77:
            0x0000:  8001 0069 1018 0001 0001                 ...i
            0x0010:  0019
            0x0020:  0005 0022 5f43 f431 776d 3000            ..._.1wl0.
            0x0030:  0101 00...
    12:46:14.920025 ARP, Request who-has 192.168.188.1 (00:25:9c:14:06:6c (oui Unknown)) tell 192.168.188.187, length 28
    12:46:14.920228 ARP, Reply 192.168.188.1 is-at 00:25:9c:14:06:6c (oui Unknown), length 28

Thanks in advance!

-- Sergio Belkin http://www.sergiobelkin.com
LDAP: Causes of Failed binding
Hi, how does freeradius consider that a "Bind as user" failed? Thanks in advance!!

-- Sergio Belkin http://www.sergiobelkin.com
Fwd: SSL issues
You can read the wireshark dump on: http://pastebin.com/ZH2SfTFq

Thanks in advance

-- Sergio Belkin http://www.sergiobelkin.com
Somewhat OT: Empty SubjectAltName on server certificate (EAP-PEAP)
Hi, I have a certificate with xpextensions but its SubjectAltName is empty. Is it mandatory, or is it only wrong when its content doesn't match the FQDN? Thanks in advance!

-- Sergio Belkin http://www.sergiobelkin.com
Re: User enabled for one only NAS
2010/4/5 Sergio Belkin seb...@gmail.com:
> Hi, I've enabled in the users file something like that:
>
>     guest    Cleartext-Password := guest
>
> How can I limit that user to one only NAS IP Address? Thanks in advance!

Hmmm.. I wonder whether the question is somewhat stupid or freeradius can't do that... Greets.

-- Open Kairos http://www.sergiobelkin.com
Sergio Belkin
User enabled for one only NAS
Hi, I've enabled in the users file something like that:

    guest    Cleartext-Password := guest

How can I limit that user to one only NAS IP Address? Thanks in advance!

-- Open Kairos http://www.sergiobelkin.com
Sergio Belkin
Somewhat OT: Windows VIsta annoyance: sends local login credentials
2010/3/30 Julien Savoie julien.sav...@usainteanne.ca:
> Check if you have this enabled in radiusd.conf
>
>     mschap {
>         with_ntdomain_hack = yes
>     }
>
>     realm ntdomain {
>         format = prefix
>         delimiter = "\\"
>         ignore_default = no
>         ignore_null = no
>     }
>
> and proxy.conf
>
>     realm DEFAULT {
>         strip
>     }
>
> If you only have one domain this will work. If you have different domains you'll need to setup the individual realms. Sounds like in your case you don't though.

Hi Julien, the file /etc/raddb/modules/mschap is as the original one. I use no domain, only user+password. Sorry, but I forgot the subject before. Thanks in advance!

> Sergio Belkin wrote:
>> There are a few log entries like the following:
>>
>>     Auth: Login incorrect (rlm_ldap: User not found): [QSARGENTINA\\amumenthaler] (from client UP-PVIII-VIII-Bis port 0 via TLS tunnel)
>>
>> Please could you help me to find a fix?

-- Open Kairos http://www.sergiobelkin.com
Sergio Belkin
Re: Somewhat OT: Windows VIsta annoyance: sends local login credentials
2010/3/31 Julien Savoie julien.sav...@usainteanne.ca:
> Sergio Belkin wrote:
>>> and proxy.conf
>>>
>>>     realm DEFAULT {
>>>         strip
>>>     }
>>>
>>> If you only have one domain this will work. If you have different domains you'll need to setup the individual realms. Sounds like in your case you don't though.
>>
>> Hi Julien, the file /etc/raddb/modules/mschap is as the original one. I use no domain, only user+password. Sorry, but I forgot the subject before.
>
> Then you want to by default strip any realm/domain information off the request. Information provided should be sufficient.

Really thanks, but the problem is that users use their personal notebooks; they are students, not employees, so the Windows login usernames are not the same as the LDAP ones. It seems that Vista wants to use SSO and sends their credentials first. Because of that the subject is somewhat OT, but I guess that someone here has run into that problem... Thanks in advance!

-- Open Kairos http://www.sergiobelkin.com
Sergio Belkin
freeradius-users@lists.freeradius.org
Hi, I am using FR 2.1.1, for host x86_64, with LDAP 802.1x/WPA + OpenLDAP for wireless network access. I've found that some clients using EAP-PEAP, mainly Windows Vista, send the notebook credentials despite automatic use of credentials being disabled... There are a few log entries like the following:

    Auth: Login incorrect (rlm_ldap: User not found): [QSARGENTINA\\amumenthaler] (from client UP-PVIII-VIII-Bis port 0 via TLS tunnel)

Please could you help me to find a fix? Thanks in advance!

-- Open Kairos http://www.sergiobelkin.com
Sergio Belkin
Bug fixes on v2.1.8
Hi people, and developers, I can see that you finally fixed a bug that I and others like me mentioned on this forum at least one year ago. I'm glad to see it :) To be precise, I'm talking about the fix that signs client certificates with the CA, rather than the server cert. And here I was, talking alone one year ago on this thread: "cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)". In spite of that, I'd like to say that freeradius is a great job, congratulations to its developers. I think it is the most configurable server. OCSP would be great!! bye and thanks :)

-- Sergio
dict_addattr: attribute name too long error when running raclient by cron
Hi, I have a simple script as follows:

    #! /bin/bash
    echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 16" | radclient localhost:18120 status YellowSubmarine | tee /var/log/radius/status-$(date -d yesterday +%Y%m%d).log
    #echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1" | radclient localhost:18120 status YellowSubmarine | tee -a /var/log/radius/status-$(date -d yesterday +%Y%m%d).log

When I run it on the shell it works fine, but when it is launched by root it fails, resulting in:

    radclient: dict_init: /usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr: attribute name too long
    radclient: dict_init: /usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr: attribute name too long

The crontab line is as follows:

    58 9 * * * root /scripts/getRadiusStatus > /tmp/whatsup 2>&1

Please could you help me to solve it? Thanks in advance

-- Sergio Belkin http://www.sergiobelkin.com
Re: dict_addattr: attribute name too long error when running raclient by cron
2010/3/17 Sergio Belkin seb...@gmail.com:
> Hi, I have a simple script as follows:
>
>     #! /bin/bash
>     echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 16" | radclient localhost:18120 status YellowSubmarine | tee /var/log/radius/status-$(date -d yesterday +%Y%m%d).log
>     #echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1" | radclient localhost:18120 status YellowSubmarine | tee -a /var/log/radius/status-$(date -d yesterday +%Y%m%d).log
>
> When I run it on the shell it works fine, but when it is launched by root it fails, resulting in:
>
>     radclient: dict_init: /usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr: attribute name too long
>     radclient: dict_init: /usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr: attribute name too long
>
> The crontab line is as follows:
>
>     58 9 * * * root /scripts/getRadiusStatus > /tmp/whatsup 2>&1
>
> Please could you help me to solve it? Thanks in advance

Sorry, I correct myself: I meant radclient in the subject, and launched by cron...

-- Sergio Belkin http://www.sergiobelkin.com
Re: dict_addattr: attribute name too long error when running raclient by cron
2010/3/17 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> When I run it on the shell it works fine, but when it is launched by root it fails, resulting in:
>>
>>     radclient: dict_init: /usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr: attribute name too long
>
> You have multiple versions of FreeRADIUS installed. Fix that.
>
> Alan DeKok.

Oh yeah, my fault, there was a really stupid mistake: the current binaries are not on cron's path. As you say, there were unused and older binaries in /usr/bin, and cron was picking radclient from there. Thanks!

-- Open Kairos http://www.sergiobelkin.com
Sergio Belkin
About FreeRADIUS-Stats-Client-IP-Address
Hi, when I issue the following command on the shell:

    echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 35, FreeRADIUS-Stats-Client-IP-Address = 10.128.255.80" | radclient localhost:18120 status MySecret

it gets the global statistics and *not only* those of the client. Is there a way to get *only* the stats of the client? Thanks in advance!

-- SB http://www.sergiobelkin.com
Sergio Belkin
Problems with NoCatAuth+RADIUS+LDAP
Hi, my name is Sergio Ormeño, I am from Chile, and with some partners I am trying to create a captive portal with NoCatAuth+RADIUS+LDAP. We have problems with the connection between RADIUS and LDAP: with a radtest everything is fine and the packet is accepted, but on the login page of NoCat it doesn't log in. Here is the log of the radtest -X after a try with the login of NoCat:

    [root@ldap nocat]# radiusd -X
    FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on Jan 21 2010 at 11:30:47
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
Question About rlm_sql_log (it was Re: Time connected)
2009/10/29 Ivan Kalik t...@kalik.net:
> Sergio Belkin wrote:
>> 2009/10/29 Ivan Kalik t...@kalik.net:
>>> Sergio Belkin wrote:
>>>> Hi, sorry for the stupid question, but I'd like to get how much time every user is connected; please could you provide some kind of guidelines? Using Version 2.1.1.
>>>
>>>     SELECT Count(*) FROM radacct WHERE UserName='some_username'
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>
>> I guess that you're using the database module, aren't you?
>
> You should too. Much simpler than parsing detail file.
>
> Ivan Kalik
> Kalik Informatika ISP

Hi, I was reading about rlm_sql_log. I mean I don't want to rely on SQL for authorization and authentication. Can I use that module only for easiest log handling *only*? Thanks in advance!

-- Open Kairos http://www.openkairos.com
Sergio Belkin
Re: Question About rlm_sql_log (it was Re: Time connected)
2009/11/3 Ivan Kalik t...@kalik.net:
>>>> Sorry for the stupid question, but I'd like to get how much time every user is connected; please could you provide some kind of guidelines? Using Version 2.1.1.
>>>
>>>     SELECT Count(*) FROM radacct WHERE UserName='some_username'
>>
>> I guess that you're using the database module, aren't you?
>
> You should too. Much simpler than parsing detail file.
>
>> I was reading about rlm_sql_log.
>
> Why? That has nothing to do with anything you would want.
>
>> I mean I don't want to rely on SQL for authorization and authentication.
>
> So don't. Use it just for accounting.
>
>> Can I use that module only for easiest log handling *only*?
>
> What does that mean?
>
> Ivan Kalik
> Kalik Informatika ISP

I want to find some way to analyze logs, so that I can get e.g. the last user status or how long a user has been connected. Thanks in advance!

-- Open Kairos http://www.openkairos.com
Sergio Belkin
Time connected
Hi, sorry for the stupid question, but I'd like to get how much time every user is connected; please could you provide some kind of guidelines? Using Version 2.1.1. Thanks in advance!

-- Open Kairos http://www.openkairos.com
Sergio Belkin
Re: Time connected
2009/10/29 Ivan Kalik t...@kalik.net:
> Sergio Belkin wrote:
>> Hi, sorry for the stupid question, but I'd like to get how much time every user is connected; please could you provide some kind of guidelines? Using Version 2.1.1.
>
>     SELECT Count(*) FROM radacct WHERE UserName='some_username'
>
> Ivan Kalik
> Kalik Informatika ISP

I guess that you're using the database module, aren't you?

-- Open Kairos http://www.openkairos.com
Sergio Belkin
Status X User
Hi, is there a way to get the last time that a user got an Access-Accept and an Access-Reject? Of course I can parse the log files, but I wonder if there is a radius tool that can do it. Thanks in advance

-- Open Kairos http://www.openkairos.com
Sergio Belkin
Re: Status X User
2009/10/23 Alexander Clouter a...@digriz.org.uk:
> Sergio Belkin seb...@gmail.com wrote:
>> Is there a way to get the last time that a user got an Access-Accept and an Access-Reject? Of course I can parse the log files, but I wonder if there is a radius tool that can do it.
>
> your data -> SQL
>
>     SELECT * FROM postauth WHERE user_name = 'blar' AND packet_type = 'Access-Reject' ORDER BY timestamp DESC LIMIT 1
>
> Then for the latter replace 'Access-Accept' with 'Access-Reject'?
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Zeus gave Leda the bird.

Ooops, I have no mysql, unless there is a way to dump log files to a mysql database :) Sorry if the question sounds stupid :)

-- Open Kairos http://www.openkairos.com
Sergio Belkin
Re: wpa/wpa2 on logs
2009/10/14 Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk:
> On 13/10/2009 18:53, Sergio Belkin wrote:
>> Hi, is there a way to log whether a supplicant is using either WPA or WPA2? Thanks in advance!
>
> No. Information about the security association is not contained in EAP authentication attempts.

Thanks Arran! At least it's good to know that

-- Open Kairos http://www.openkairos.com
Sergio Belkin
wpa/wpa2 on logs
Hi, is there a way to log whether a supplicant is using either WPA or WPA2? Thanks in advance!

-- Open Kairos http://www.openkairos.com
Sergio Belkin
Weekly and daily logs
Sorry for the stupid question: is it possible on FreeRADIUS Version 2.1.1 to create log files on both a daily and a weekly basis? Thanks in advance!

-- Open Kairos http://www.openkairos.com
Sergio Belkin
Re: Out and into tunnel log files
2009/9/1 Ivan Kalik t...@kalik.net:
>> I have configured three virtual servers: default, inner (uses eap-ttls), inner-peap (uses eap-peap). I guess that out-of-tunnel attempts go to the default server log files. cron performs a daily task that more or less performs something like that:
>>
>> Please, I beg you to give me an idea of what I am doing wrong. I clarify a bit:
>>
>> But I've found that some OK are sent to the default server log file *only*, and nothing to the inner tunnel log files.
>
> PEAP and TTLS will have OKs for both inner and outer identities. PAP, MSCHAP etc will have only single OK.
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks Ivan,

But in my case PAP and MSCHAP are never used without TTLS or PEAP. So I don't understand why some OKs were sent to the default server log. Because of that now I use

    requests = ${logdir}/radiusd-%{%{Virtual-Server}-%Y%m%d.log

and now there are no entries in the default server log. I wonder if what I am doing is right, I mean if I am omitting some OK by doing that... Thanks in advance!

-- Open Kairos http://www.openkairos.com
Sergio Belkin
Re: Out and into tunnel log files
2009/9/3 Sergio Belkin seb...@gmail.com:
> 2009/9/1 Ivan Kalik t...@kalik.net:
>>> I have configured three virtual servers: default, inner (uses eap-ttls), inner-peap (uses eap-peap). I guess that out-of-tunnel attempts go to the default server log files. cron performs a daily task that more or less performs something like that:
>>>
>>> Please, I beg you to give me an idea of what I am doing wrong. I clarify a bit:
>>>
>>> But I've found that some OK are sent to the default server log file *only*, and nothing to the inner tunnel log files.
>>
>> PEAP and TTLS will have OKs for both inner and outer identities. PAP, MSCHAP etc will have only single OK.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> Thanks Ivan,
>
> But in my case PAP and MSCHAP are never used without TTLS or PEAP. So I don't understand why some OKs were sent to the default server log. Because of that now I use
>
>     requests = ${logdir}/radiusd-%{%{Virtual-Server}-%Y%m%d.log
>
> and now there are no entries in the default server log. I wonder if what I am doing is right, I mean if I am omitting some OK by doing that... Thanks in advance!
>
> Sergio Belkin

Sorry for repeating myself, but I meant: I don't understand why some OKs were sent to the default server log *only*.

-- Open Kairos http://www.openkairos.com
Sergio Belkin
Re: Out and into tunnel log files
2009/8/31 Sergio Belkin seb...@gmail.com:
> Hi,
>
> I have configured three virtual servers: default, inner (uses eap-ttls), inner-peap (uses eap-peap). I guess that out of tunnel attempts go to default server log files. cron performs a daily task that more or less performs something like that:
>
>  grep OK /var/log/radius/radiusd-*-$date.log | awk '{print $10}' | sort -fu | wc -l
>
> That way I get how many users could get an Access-Accept. Well, I've found that that is not right, because some supplicants can send different identities into and out of the tunnel. So I'd like to use:
>
>  grep OK /var/log/radius/radiusd-inner*-$date.log | awk '{print $10}' | sort -fu | wc -l
>
> But I've found that some OK are sent to default server log file. So I can't get right statistics. Please could you help me to do it? Below is debug info:

Please I beg you to give me an idea of what I am failing at. I clarify a bit: But I've found that some OK are sent to default server log file *only*, and nothing to inner tunnel log files. I don't understand why, if I have on radiusd.conf

 log {
  destination = files
  file = ${logdir}/radius.log
  requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
  syslog_facility = daemon
  stripped_names = yes
  auth = yes
  auth_badpass = no
  auth_goodpass = no
 }

on debug messages *only* this appears:

 log {
  stripped_names = yes
  auth = yes
  auth_badpass = no
  auth_goodpass = no
 }

Now I am using

 requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log

but I don't know if it is right, because ${logdir}/radiusd-%DEFAULT}-%Y%m%d.log from the DEFAULT server (out of tunnel) are not generated at all, and they were useful because they showed the MAC address of the supplicant.

If you want to see more of my config you can do it on: http://pastebin.com/m65441172
Radius Logs in database (It was Re: rlm_ldap logs)
2009/8/28 Sergio Belkin seb...@gmail.com:
> Hi
>
> I am using Version 2.1.1 with openldap on Centos 5. I wonder if it is feasible to dump to the logs when a user gets "login incorrect" due to the non-existence of that uid on LDAP.
>
> Thanks in advance!

Shame on me! That is something that the logs already do:

 Fri Aug 28 18:48:08 2009 : Auth: Login incorrect (rlm_ldap: User not found): [zz...@zz.zzz] (from client port 0 via TLS tunnel)

Thanks and sorry.

Even so I'd like to find a way to store radius logs in a database. Does such a tool exist? I need to perform some queries on them, for example, which users that had an incorrect login (eg bad password or certificate) could get an OK some time later. Perhaps some of you have an idea about how I can do that.

Thanks in advance
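The two log questions in this thread (the distinct-users count that the `grep OK ... | awk '{print $10}' | sort -fu | wc -l` pipeline computes, and finding users whose incorrect login was later followed by an OK) worked as an added Python example; this is not code from the list or from the FreeRADIUS project. It assumes the `Auth: Login OK: [user]` / `Auth: Login incorrect (reason): [user]` line layout shown above (auth_goodpass = no, so no password after the user name) and parses constructed sample lines.

```python
"""Answer two questions over a FreeRADIUS 2.x radius.log (added example).

1. How many distinct users got an Access-Accept (the thread's grep/awk
   pipeline, with the same case-insensitive folding as `sort -f`).
2. Which users had a failed login that was later followed by a successful one.

Assumption: lines look like the "Login incorrect" line quoted in the thread,
with "Login OK: [user]" for accepts (auth = yes, auth_goodpass = no).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = """\
Fri Aug 28 18:48:08 2009 : Auth: Login incorrect (rlm_ldap: User not found): [zz...@zz.zzz] (from client port 0 via TLS tunnel)
Fri Aug 28 18:49:10 2009 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jdoe] (from client ap1 port 0 via TLS tunnel)
Fri Aug 28 18:49:35 2009 : Auth: Login OK: [jdoe] (from client ap1 port 0 via TLS tunnel)
Fri Aug 28 18:50:02 2009 : Auth: Login OK: [JDoe] (from client ap2 port 0 via TLS tunnel)
Fri Aug 28 18:51:40 2009 : Auth: Login OK: [alice] (from client ap2 port 0 via TLS tunnel)
Fri Aug 28 18:52:11 2009 : Auth: Login incorrect (rlm_ldap: User not found): [bob] (from client ap1 port 0 via TLS tunnel)
Fri Aug 28 18:53:00 2009 : Info: rlm_ldap: Attempting reconnect
"""

# "client" may be followed directly by "port" when the client name is empty,
# as in the thread's own line, hence the lazy client group and optional space.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>.*?) ?port (?P<port>\d+)(?P<rest>.*)\)$"
)


def parse_auth_log(text):
    """Return one dict per Auth line; Info/Error lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "ok": m.group("result") == "OK",
            "reason": m.group("reason") or "",
            "user": m.group("user"),
            "client": m.group("client"),
        })
    return events


def distinct_accepted_users(events):
    """Users that got at least one OK, folded to lower case like `sort -fu`."""
    return {e["user"].lower() for e in events if e["ok"]}


def failed_then_accepted(events):
    """Map user -> (reason of first failure, seconds until the following OK).

    A failure is only paired with an OK that comes *after* it; an OK with no
    pending failure for that user is ignored.
    """
    pending = defaultdict(list)   # user -> failures not yet followed by an OK
    result = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        key = e["user"].lower()
        if not e["ok"]:
            pending[key].append(e)
        elif pending[key] and key not in result:
            first = pending[key][0]
            delay = int((e["time"] - first["time"]).total_seconds())
            result[key] = (first["reason"], delay)
            pending[key].clear()
    return result


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("distinct accepted users:", len(distinct_accepted_users(evs)))
    for user, (reason, secs) in failed_then_accepted(evs).items():
        print(f"{user}: failed ({reason}), then OK after {secs}s")
```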
Out and into tunnel log files
: Instantiating files
 files { usersfile = /usr/local/etc/raddb/users acctusersfile = /usr/local/etc/raddb/acct_users preproxy_usersfile = /usr/local/etc/raddb/preproxy_users compat = no }
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
 radutmp { filename = /usr/local/var/log/radius/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes }
Module: Checking post-proxy {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating post_proxy_log
 detail post_proxy_log { detailfile = /usr/local/var/log/radius/radacct/postproxy/%{Client-IP-Address}/post-proxy-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no }
Module: Checking post-auth {...} for more modules to load
Module: Instantiating reply_log
 detail reply_log { detailfile = /usr/local/var/log/radius/radacct/replies/%{Client-IP-Address}/reply-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no }
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
 attr_filter attr_filter.access_reject { attrsfile = /usr/local/etc/raddb/attrs.access_reject key = %{User-Name} }
 }
}
server inner-tunnel-peap {
 modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
 }
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
 preprocess { huntgroups = /usr/local/etc/raddb/huntgroups hints = /usr/local/etc/raddb/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no }
Module: Instantiating auth_log
 detail auth_log { detailfile = /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no }
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
 acct_unique { key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port }
Module: Checking accounting {...} for more modules to load
Module: Instantiating detail
 detail { detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no }
Module: Instantiating attr_filter.accounting_response
 attr_filter attr_filter.accounting_response { attrsfile = /usr/local/etc/raddb/attrs.accounting_response key = %{User-Name} }
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: Opening IP addresses and Ports
listen { type = auth ipaddr = 192.168.1.5 port = 0 }
listen { type = acct ipaddr = 192.168.1.5 port = 0 }
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Ready to process requests.
rlm_ldap logs
Hi

I am using Version 2.1.1 with openldap on Centos 5. I wonder if it is feasible to dump to the logs when a user gets "login incorrect" due to the non-existence of that uid on LDAP.

Thanks in advance!
Prevent uid sharing or how to allow use of a uid only once
Hi,

Let's suppose that John Doe comes and logs in with the jdoe uid; then Joe comes and wants to use the wireless network, but he has no entry in LDAP nor in the radius users file, so he asks jdoe, who passes him his uid and password to log in. Sorry if that sounds somewhat stupid, but can we prevent that from radius? (please don't tell me to fire John Doe ;) ).

Thanks in advance!
Reply-message and supplicant
Hi,

Is it possible for Reply-Message to be seen from laptops running the supplicant?

Thanks in advance!
Re: Reply-message and supplicant
2009/6/5 a.l.m.bu...@lboro.ac.uk:
>> Hi,
> Hi Sergio,
>> Is it possible for Reply-Message to be seen from laptops running the supplicant?
> Not with EAP, no. You can use EAP-Notification packets, but very few supplicants display the contents to the user, and the server doesn't support their generation.
>
> which is why rather useful messages can be sent from RADIUS server to RADIUS server so that admins can see what is going on but the users don't get to see such information
>
> alan

Does the file attrs.access_reject have to do with what you are talking about?
Re: Prevent uid sharing or how to allow use of a uid only once
2009/6/5 John Dennis jden...@redhat.com:
> Sergio Belkin wrote:
>> Hi,
>>
>> Let's suppose that John Doe comes and logs in with the jdoe uid; then Joe comes and wants to use the wireless network, but he has no entry in LDAP nor in the radius users file, so he asks jdoe, who passes him his uid and password to log in. Sorry if that sounds somewhat stupid, but can we prevent that from radius? (please don't tell me to fire John Doe ;) ).
>
> I don't understand the problem or what you're trying to solve. So what if Joe mistakenly tries to use John's username, it won't work as he won't know Joe's password. This is no different than an attempted network break in which should be prevented by locking your resources down and ensuring strong passwords. Never in any instance will resources authorized for one user be granted to another user unless you've configured something wrong. If the problem is that both John and Joe want the same username then one needs to explain to Joe that username is already in use and he'll have to use another one.
>
> --
> John Dennis jden...@redhat.com

What I meant is that employee John passes his coworker Joe his credentials, both user and password; well, that could not be so terrible. Now, let's suppose that your company organizes an event and 100 people come; they want to use the wireless network, so John comes and has the great idea of passing his credentials to the attendants, so you have more than 100 people using the same uid and password at once...
Re: Reply-message and supplicant
2009/6/5 a.l.m.bu...@lboro.ac.uk:
>> Hi,
>>
>> Does the file attrs.access_reject have to do with what you are talking about?
>
> in a way - that file lists the attributes that are allowed to pass after an access reject - you still have to set eg the Reply-Message *or some other VSA* to let the remote site know
>
> alan

Sorry for the stupid question, what does EAP-Message =* ANY mean?
Re: Prevent uid sharing or how to allow use of a uid only once
2009/6/5 a.l.m.bu...@lboro.ac.uk:
> Hi,
>
>> What I meant is that employee John passes his coworker Joe his credentials, both user and password; well, that could not be so terrible. Now, let's suppose that your company organizes an event and 100 people come; they want to use the wireless network, so John comes and has the great idea of passing his credentials to the attendants, so you have more than 100 people using the same uid and password at once...
>
> simultaneous-use - only allow one instance of the user/pass to be online at a time.

Should I enable accounting for that?

> sure, another person might be on instead of John...but then John won't be able to get online...He'd very quickly be miffed that he'd lost his access due to someone else using his credentials
>
> alan
Still with ldap error
Hi,

Some months ago I mentioned a problem that seems to be non-fatal but is still there:

 Fri May 22 10:00:50 2009 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
 Fri May 22 10:00:50 2009 : Info: rlm_ldap: Attempting reconnect

This problem appears more or less every 90 seconds. On the ldap logs you can see things like this:

 May 22 04:16:40 ldap-server slapd[27663]: conn=219 fd=14 ACCEPT from IP=127.0.0.1:56359 (IP=127.0.0.1:389)
 May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 BIND dn=uid=jojo0l4,ou=people,dc=domain,dc=edu method=128
 May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 BIND dn=uid=jojo0l4,ou=people,dc=domain,dc=edu mech=SIMPLE ssf=0
 May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 RESULT tag=97 err=0 text=
 May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 BIND anonymous mech=implicit ssf=0
 May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 BIND dn=uid=jojoi1,ou=people,dc=domain,dc=edu method=128
 May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 BIND dn=uid=jojoi1,ou=people,dc=domain,dc=edu mech=SIMPLE ssf=0
 May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 RESULT tag=97 err=0 text=
 May 22 04:18:01 ldap-server slapd[27663]: conn=219 fd=14 closed (idletimeout)
 May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 ACCEPT from IP=IPADDRESS:57845 (IP=0.0.0.0:636)
 May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 TLS established tls_ssf=256 ssf=256
 May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 BIND dn=uid=jojo2,ou=people,dc=domain,dc=edu method=128
 May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 BIND dn=uid=jojo2,ou=people,dc=domain,dc=edu mech=SIMPLE ssf=0
 May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 RESULT tag=97 err=0 text=
 May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=1 UNBIND
 May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 closed
 May 22 10:07:45 ldap-server slapd[22236]: conn=219 fd=17 ACCEPT from IP=IPADDRESS:36313 (IP=0.0.0.0:636)
 May 22 10:07:45 ldap-server slapd[22236]: conn=219 fd=17 TLS established tls_ssf=256 ssf=256

I've tried modifying idletimeout and timelimit on slapd.conf, and modifying limits per ldap radius user. I was playing with timeout and timelimit and nothing changed it. Raising and lowering

Using FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on Oct 21 2008 at 15:14:37

I'd be grateful for your help!
somewhat ot: Check radius server name on linux supplicant
Hi,

I'm stuck with a problem to which I haven't found an easy solution. Let's say we use either EAP-PEAP or EAP-TTLS. On Windows you have ways to check not only the CA certificate but also the radius server name. I've tried:

*NetworkManager: It can't check the radius server name.
*wicd: You could use customized scripts, but that makes things harder and replaces NetworkManager, which is the default network tool on modern distros.
*kwlan: It's like wicd and more KDE oriented.
*wpasupplicant: It can check the server name! But also on Fedora 10 I haven't found a way for NetworkManager to apply its config file. Most modern and end-user distros don't pay attention to the wpasupplicant config file.

On Windows (and I am not precisely a MS fan) you can check the server name either by itself or with SecureW2. On Mac it prompts you showing the radius server name. Sadly, I haven't found a way on Linux to check the radius server name. I fear this: Let's say I have a radius server which uses a certificate signed by WhateverSign. You get a certificate signed by WhateverSign too. You use a trustable CA certificate, don't you? Well, you configure a cheating Access Point. Then a user comes and connects to that cheating Access Point.

Please tell me if that risk exists and if it is worthy of worrying about. If it is, how can I check the radius server name on a modern Linux distro?

Thanks in advance and happy new year
IP per user
Hi,

I wonder if radius can force a given user, eg jdoe, to always get the same IP address from an Access Point?

Thanks in advance
Re: IP per user
2008/12/17 t...@kalik.net:
> AP uses DHCP not radius to assign IPs. So - no. You can reserve IPs for devices but not users.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 17/12/2008, Sergio Belkin seb...@gmail.com wrote:
>> Hi,
>>
>> I wonder if radius can force a given user, eg jdoe, to always get the same IP address from an Access Point?
>>
>> Thanks in advance

Thanks Ivan, I guess that
Re: Somewhat OT: Captive portal on access points instead of a complex supplicant at end user level?
2008/12/15 a.l.m.bu...@lboro.ac.uk:
> hi,
>
> why go backwards when you have the right wireless technology in place? you need to look at the windows client end of things. I'd suggest looking at automating the setup..the best thing would be to have another wireless SSID (eg 'setup for XYZ' - where XYZ is your current SSID) - and have that as an open wifi that can only (ONLY!) access one single IP on which lives a web server with auto setup tools - eg .NET or VBS for MS windows, XML for MAC and even a setup file for iPhone/iPod touch etc. (this would have to be a webredirect so as soon as they associate, any DNS or port 80/8080/3128 etc get sent to the index page.) - another web delivery option is to prepackage eg open1x (open1x.sf.net) or SecureW2 (another supplicant) and get them to use that
>
> as you did note, the problem is with the client setup.. thats the current difficulty with 802.1X.
>
> alan

Thanks for the ideas,

In fact, some things you suggest I am using right now :) for example:

*Automatized SecureW2 installer (ttls)
*Web page with secondary password for peap

But even so, some users find it somewhat hard to use. I've tried with no success at this moment to use more than one SSID on OpenWRT on a Linksys WRT54GL...

All in all, you and Paul have provided me interesting info...
Re: Somewhat OT: Captive portal on access points instead of a complex supplicant at end user level?
2008/12/15 Alexander Clouter a...@digriz.org.uk:
> Sergio Belkin seb...@gmail.com wrote:
>>
>> Thanks for the ideas,
>>
>> In fact, some things you suggest I am using right now :) for example:
>>
>> *Automatized SecureW2 installer (ttls)
>> *Web page with secondary password for peap
>>
>> But even so, some users find it somewhat hard to use.
>
> We seem to have no real problems with SecureW2 and our userbase. Mac OS X users 'import' the configuration (if they are 10.3 or 10.4) and WinXP users get a light time of it with my SecureW2 preconfiguration script with some NSIS wrapper action to spoonfeed them during problematic bits. Of course SecureW2 + WinXP + SP3 + wired 802.1X is fruity at the moment which is our current problem, however that's a grumble for another thread.
>
> The only problems we have is that we are 'awkward' and force WPA2 only and do not give in to those WPA (version 1) TKIP weenies.
>
>> I've tried with no success at this moment to use more than one SSID on OpenWRT on a Linksys WRT54GL...
>
> Do not ever go down this route[1]. It completely negates the point of having a WPA Enterprise network when someone comes along with an evil twin network and gets the user to install a 'springboard' application to get onto the better network. It's as counterproductive as using PEAP/TTLS without full certificate validation :-/
>
> If you want my NSIS and/or SecureW2 INF file do drop me an email.
>
> The springboard'ing issue we resolved by dumping everything onto a CD and distributed them to the masses that way. Even if this is not an option for you (like us in education with 'student welcome packs') if you make the CD's readily available near hotspots and what not in public areas people will find what they need.
>
> Cheers
>
> Alex
>
> [1] I have convinced my self it's safe for a wired network, getting non-802.1X clients 802.1X'ified, but just not worth the risk for wireless clients
>
> --
> Alexander Clouter
> .sigmonster says: Succumb to natural tendencies. Be hateful and boring.

Recently we upgraded from OpenWrt White Russian to Kamikaze. By now, the problem about discarding packets is no more. Most of the issues were that at random times it took a long time to get an Access-Accept, or the AP even didn't get any frames from supplicants...
Re: Slightly OT: Problem with Vista
2008/12/11 a.l.m.bu...@lboro.ac.uk:
> hi,
>
> which version of FreeRADIUS are you using?
>
> alan

Release 2.1.2, but it seems a supplicant issue...
Somewhat OT: Captive portal on access points instead of a complex supplicant at end user level?
Hi,

Currently I'm using:

*OpenWRT Kamikaze in AP's
*Freeradius 2.1.2
*LDAP

End users use either ttls or peap on their notebooks; as I have a LDAP server, each uses his username and a password. The problem with this approach is that it is somewhat complex for end users: they must either install software or do a complicated configuration (think in end users' terms, please). I'd want to have an open wireless network where each user accesses a captive portal and enters his username and password; that captive portal redirects the request to freeradius and freeradius in turn queries the ldap server. I'd want to know if CoovaAP (or something similar, what?) can perform such a task as a captive portal installed on APs.

I'd be glad to read suggestions

Thanks in advance!!
Slightly OT: Problem with Vista
 0x0020: 0005 001f 3a1b 4e8b 776c 3000 1000 :.N.wl0.
 0x0030: 5000 fc59 fb00 0101 00PY.
 00:10:40.337119 EAP code=1 id=1 length=0

Please, what could be the problem?

Thanks in advance
Re: radius user queries for uid anonymous in ldap
2008/12/5 Alan DeKok [EMAIL PROTECTED]:
> Sergio Belkin wrote:
>> That solved it. Now it remains a little problem on radiusd.log:
>>
>> Thu Dec 4 09:07:51 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
>
> Your LDAP server is likely timing out the connections.
>
> Alan DeKok.

My LDAP server has:

 idletimeout 30
 timelimit 300

is not 30 enough?
Re: radius user queries for uid anonymous in ldap
2008/12/3 Alan DeKok [EMAIL PROTECTED]:
> Sergio Belkin wrote:
>> Hi,
>>
>> I use freeradius with EAP-TTLS and EAP-PEAP; below there is the ldap log. I wonder why radius bothers to query for the anonymous uid and not only for the uid inside the tunnel
>
> Because you configured the ldap module *outside* of the tunnel, too. If you don't list it in sites-enabled/default, it will only do queries for inside of the TLS tunnel.

Thanks Alan! That solved it. Now it remains a little problem on radiusd.log:

 Thu Dec 4 09:07:51 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
 Thu Dec 4 09:07:51 2008 : Info: rlm_ldap: Attempting reconnect
 Thu Dec 4 09:10:41 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
 Thu Dec 4 09:10:41 2008 : Info: rlm_ldap: Attempting reconnect
 Thu Dec 4 09:12:14 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
 Thu Dec 4 09:12:14 2008 : Info: rlm_ldap: Attempting reconnect
 Thu Dec 4 09:14:30 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
 Thu Dec 4 09:14:30 2008 : Info: rlm_ldap: Attempting reconnect
 Thu Dec 4 09:18:09 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
 Thu Dec 4 09:18:09 2008 : Info: rlm_ldap: Attempting reconnect

Where do these problems come from? radius or ldap? The ldap module config is as follows:

 ldap {
  server = ldap.palermo.edu
  identity = cn=freeradius,ou=applications,dc=palermo,dc=edu
  password = somepass
  basedn = ou=people,dc=palermo,dc=edu
  filter = (uid=%u)
  ldap_connections_number = 1
  timeout = 60
  timelimit = 120
  net_timeout = 10
  tls {
   cacertfile = /etc/raddb/cacert.pem
   randfile= /dev/urandom
  }
  access_attr = radiusAllowed
  dictionary_mapping = ${confdir}/ldap.attrmap
  edir_account_policy_check = no
 EOF

Thanks in advance!
radius user queries for uid anonymous in ldap
Hi,

I use freeradius with EAP-TTLS and EAP-PEAP; below there is the ldap log. I wonder why radius bothers to query for the anonymous uid and not only for the uid inside the tunnel

 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 fd=15 ACCEPT from IP=123.45.67.89:56075 (IP=0.0.0.0:636)
 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 fd=15 TLS established tls_ssf=256 ssf=256
 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=0 BIND dn=cn=freeradius,ou=applications,dc=cadorna,dc=edu method=128
 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=0 BIND dn=cn=freeradius,ou=applications,dc=cadorna,dc=edu mech=SIMPLE ssf=0
 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=0 RESULT tag=97 err=0 text=
 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=1 SRCH base=ou=people,dc=cadorna,dc=edu scope=2 deref=0 filter=(uid=anonymous)
 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=1 SRCH attr=radiusPassword radiusAllowed
 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=2 SRCH base=ou=people,dc=cadorna,dc=edu scope=2 deref=0 filter=(uid=anonymous)
 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=2 SRCH attr=radiusPassword radiusAllowed
 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
 Dec 3 08:54:27 sinclair slapd[11285]: conn=1264 op=3 SRCH base=ou=people,dc=cadorna,dc=edu scope=2 deref=0 filter=(uid=glinde)
 Dec 3 08:54:27 sinclair slapd[11285]: conn=1264 op=3 SRCH attr=radiusPassword radiusAllowed
 Dec 3 08:54:27 sinclair slapd[11285]: conn=1264 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
 Dec 3 08:54:28 sinclair slapd[11285]: conn=1264 op=4 SRCH base=ou=people,dc=cadorna,dc=edu scope=2 deref=0 filter=(uid=jinfan)
 Dec 3 08:54:28 sinclair slapd[11285]: conn=1264 op=4 SRCH attr=radiusPassword radiusAllowed
 Dec 3 08:54:28 sinclair slapd[11285]: conn=1264 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
 Dec 3 08:55:05 sinclair slapd[11285]: conn=1264 fd=15 closed (idletimeout)

Does it make sense to query for anonymous?

Thanks in advance!
Re: Freeradius error: Discarding conflicting packet
I've upgraded to OpenWRT Kamikaze and the problem seems to go away...

2008/11/6 Alan DeKok [EMAIL PROTECTED]:
> Sergio Belkin wrote:
>> Alan, thanks, That's really a quite convincing answer :)
>
> Yup. I'm not just a random loudmouth on this list.
>
>> Of course I believe you, but please understand me, it's hard for me to realize that either Linksys makes non-standard products or OpenWRT (white russian) developers had made such a mistake.
>
> shrug There are many, many, RADIUS client implementations that are nearly as bad.
>
>> So, I'd be glad to know which AP's are standards compliant, is there a list?
>
> Nope. I don't think very many are fully standards compliant. I suggest updating the Wiki with any issues you find.
>
> Alan DeKok.
Somewhat OT: Mac OS self asigned IP issues
Hi,

I am using OpenWRT Kamikaze and sometimes there is a problem with Mac OS clients. Clients get Access-Accept, but Mac OS says that it only gets a self-assigned IP and then it can't surf the web. The problem happens using either TTLS or PAP. Is it a problem of Mac OS or an OpenWRT one?

I'd be glad to read suggestions and comments...

Thanks in advance
Framed-User?
Sorry for the stupid question, what does Framed-User stand for? I hope not to be stoned to death because of such a question :)
User found on DEFAULT server log but not in tunneled virtual server log
 = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = inner-tunnel-peap }
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
 mschapv2 { with_ntdomain_hack = no }
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
 realm suffix { format = suffix delimiter = @ ignore_default = no ignore_null = no }
Module: Linked to module rlm_files
Module: Instantiating files
 files { usersfile = /usr/local/etc/raddb/users acctusersfile = /usr/local/etc/raddb/acct_users preproxy_usersfile = /usr/local/etc/raddb/preproxy_users compat = no }
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
 radutmp { filename = /usr/local/var/log/radius/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes }
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
 attr_filter attr_filter.access_reject { attrsfile = /usr/local/etc/raddb/attrs.access_reject key = %{User-Name} }
 }
}
server inner-tunnel-peap {
 modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
 }
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
 preprocess { huntgroups = /usr/local/etc/raddb/huntgroups hints = /usr/local/etc/raddb/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no }
Module: Linked to module rlm_detail
Module: Instantiating auth_log
 detail auth_log { detailfile = /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no }
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
 acct_unique { key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port }
Module: Checking accounting {...} for more modules to load
Module: Instantiating detail
 detail { detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no }
Module: Instantiating attr_filter.accounting_response
 attr_filter attr_filter.accounting_response { attrsfile = /usr/local/etc/raddb/attrs.accounting_response key = %{User-Name} }
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: Opening IP addresses and Ports
listen { type = auth ipaddr = 111.222.333.5 port = 0 }
listen { type = acct ipaddr = 111.222.333.5 port = 0 }
Listening on authentication address 111.222.333.5 port 1812
Listening on accounting address 111.222.333.5 port 1813
Ready to process requests.

Thanks in advance!
Re: Freeradius error: Discarding conflicting packet
2008/11/5 aland [EMAIL PROTECTED]:
> On Wed, Nov 05, 2008 at 12:43:07AM -0200, Sergio Belkin wrote:
>> OK, AP's are broken, now with best regards, how do I convince my boss that he should buy more than 30 new AP's? Should I tell him... read the FreeRADIUS mailing list?
>
> Tell him that I co-wrote RFC 5080, which says that these AP's are broken:
>
>    When sending requests, RADIUS clients MUST NOT reuse Identifiers for a source IP address and source UDP port until either a valid response has been received, or the request has timed out.
>
> These AP's violate the standards, and are broken. I know, because my name is on the standards. My name is also on the RADIUS guidelines document, which says how people should use RADIUS in the future. And my name is going on 3-4 other RADIUS standards.
>
> So it's not "people on the FreeRADIUS list told me", but instead the people who wrote the standards say that the AP is broken.
>
> Alan DeKok.

Alan, thanks. That's really a quite convincing answer :) Of course I believe you, but please understand me: it's hard for me to realize that either Linksys makes non-standard products or the OpenWRT (White Russian) developers made such a mistake. So, I'd be glad to know which AP's are standards compliant. Is there a list?

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
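The RFC 5080 rule Alan quotes, modelled as the per-(source IP, source port, Identifier) bookkeeping a RADIUS server keeps so it can tell a legitimate retransmit from a NAS reusing a live Identifier. This is an added example, not code from the thread or from FreeRADIUS; the 30-second request lifetime and every event in the sample stream are assumptions constructed for it.

```python
"""Model of the RFC 5080 Identifier rule a RADIUS server checks per request,
the reason FreeRADIUS logs "Discarding conflicting packet". Events are constructed."""
from dataclasses import dataclass, field

@dataclass
class IdentifierTracker:
    """In-flight requests keyed by (src_ip, src_port, identifier)."""
    timeout: float = 30.0  # assumed request lifetime, seconds
    pending: dict = field(default_factory=dict)
    conflicts: list = field(default_factory=list)

    def request(self, t, src_ip, src_port, ident, authenticator):
        """Classify an incoming request as 'new', 'retransmit' or 'conflict'."""
        if not 0 <= ident <= 255:
            raise ValueError("RADIUS Identifier is one octet")
        key = (src_ip, src_port, ident)
        prev = self.pending.get(key)
        if prev is not None and t - prev[0] < self.timeout:
            if prev[1] == authenticator:
                return "retransmit"  # same packet resent: allowed
            # a different packet reusing a live Identifier: the NAS violates
            # RFC 5080; keep the in-flight request and discard this one
            self.conflicts.append((t, src_ip, src_port, ident))
            return "conflict"
        self.pending[key] = (t, authenticator)  # fresh, or the old one timed out
        return "new"

    def response(self, src_ip, src_port, ident):
        """A reply went out, so the NAS may reuse this Identifier again."""
        self.pending.pop((src_ip, src_port, ident), None)

def replay(events, timeout=30.0):
    """Feed (t, kind, ip, port, ident[, authenticator]) tuples; return conflicts."""
    tracker = IdentifierTracker(timeout=timeout)
    for ev in events:
        if ev[1] == "req":
            tracker.request(ev[0], ev[2], ev[3], ev[4], ev[5])
        else:
            tracker.response(ev[2], ev[3], ev[4])
    return tracker.conflicts

# constructed sample: NAS 192.0.2.10 reuses ID 5 while it is still in flight
SAMPLE = [
    (0.0, "req", "192.0.2.10", 1024, 5, b"auth-A"),
    (1.0, "req", "192.0.2.10", 1024, 5, b"auth-B"),  # conflict: ID 5 still live
    (2.0, "resp", "192.0.2.10", 1024, 5),
    (3.0, "req", "192.0.2.10", 1024, 5, b"auth-C"),  # fine: reply was sent
    (3.5, "req", "192.0.2.10", 1024, 5, b"auth-C"),  # fine: plain retransmit
]
```

Run over a real capture, a non-empty conflicts list on a NAS whose requests are otherwise healthy points at the client, not at the server, exactly as Alan argues.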
Re: Freeradius error: Discarding conflicting packet
2008/11/4 Alan DeKok [EMAIL PROTECTED]:
> Sergio Belkin wrote:
>> I think it is worthwhile to remark that the problem exists even using OpenWRT on a Linksys WRT54GL and not using the original firmware...
>
> Which may be based on similar code to the original firmware.
>
>> Is there a way to at least minimize those errors? I've heard some people complain that sometimes they try to reconnect and sometimes the only solution is to reboot the AP.
>
> Fix the NAS. As you noted earlier, this doesn't happen with another NAS. The conclusion is that the NAS is broken.

But what do you mean by "fix the NAS"? Should I use another brand/model of AP?

> Alan DeKok.

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin