Re: expired user accounts between two dates
Le 27/05/2010 10:46, Marco Jaraiz wrote:
> hello, i want to use expiration module to validate user account, but i need check the expiration between two dates, init and finish date. somebody help me.

As you may already know, the expiration module only works for an expiration date. When I had this need (a long time ago and with FR1) I just did the following:

* I added a new personal/local attribute in /etc/raddb/dictionary:

    ATTRIBUTE My-Local-Date 3000 string

* set up the hints module to add the date to incoming requests:

    DEFAULT NAS-IP-Address == 192.168.1.4
            My-Local-Date = `%D`

* Then I use the local attribute to check the date (for instance if you use the rlm_sql module):

    mysql> select UserName,Attribute,op,Value from radcheck where UserName='myloginname';
    +-------------+--------------------+----+------------------+
    | UserName    | Attribute          | op | Value            |
    +-------------+--------------------+----+------------------+
    | myloginname | NAS-IP-Address     | =~ | 192.168.1.[4]{1} |
    | myloginname | My-Local-Date      | <= | 20090731         |
    | myloginname | My-Local-Date      | >= | 20090526         |
    | myloginname | Login-Time         | := | Wk0700-2200      |
    | myloginname | Cleartext-Password | := | THEPASS          |
    +-------------+--------------------+----+------------------+
    5 rows in set (0.00 sec)

However, I think that FR now tags incoming Access-Requests with an internal Date-like attribute (I don't know the attribute name) so it should be easy to add a test on this specific attribute. The test could use unlang instead of users or rlm_sql check attributes.

Hope this helps,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
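The check-item evaluation behind the radcheck rows above, as an added example (this is not code from the original post nor from FreeRADIUS): a small evaluator for `Attribute op Value` check items, used to show how a `<=` row and a `>=` row on the same attribute together form a validity window, and why zero-padded YYYYMMDD strings (what `%D` produces) compare correctly even as strings. The attribute name `My-Local-Date`, the rows and the request are taken from the post or constructed for the example; the `:=` rows (Login-Time, Cleartext-Password) are assignments, not comparisons, and are left out.

```python
"""Added example: evaluate radcheck-style check items against a request.

Mirrors the semantics of FreeRADIUS check items closely enough to show the
date-window trick: comparison operators compare the request attribute with
the check value (lexically for string attributes), "=~" is a regex search,
and every check item must match for the entry to apply."""
import re
from datetime import date

# Constructed check items, (Attribute, op, Value), mirroring the radcheck
# rows from the post.  The "<=" / ">=" pair is the account validity window.
CHECK_ITEMS = [
    ("NAS-IP-Address", "=~", r"192.168.1.[4]{1}"),
    ("My-Local-Date", "<=", "20090731"),
    ("My-Local-Date", ">=", "20090526"),
]


def request_date(d: date) -> str:
    """What the hints entry `My-Local-Date = `%D`` adds to the request: the
    request date as YYYYMMDD.  Zero padding makes lexical order equal
    chronological order, which is what makes string comparison safe here."""
    return d.strftime("%Y%m%d")


def check_item_matches(op: str, request_value: str, check_value: str) -> bool:
    """Evaluate one check item (string attribute semantics)."""
    if op == "==":
        return request_value == check_value
    if op == "!=":
        return request_value != check_value
    if op == "=~":          # regex search, as regexec() does; not anchored
        return re.search(check_value, request_value) is not None
    if op == "!~":
        return re.search(check_value, request_value) is None
    if op == "<=":
        return request_value <= check_value
    if op == ">=":
        return request_value >= check_value
    if op == "<":
        return request_value < check_value
    if op == ">":
        return request_value > check_value
    raise ValueError(f"unsupported check operator {op!r}")


def authorize(request: dict, check_items=CHECK_ITEMS) -> bool:
    """True if every check item matches.  An attribute that is absent from
    the request can never satisfy a comparison, so the entry fails."""
    for attr, op, value in check_items:
        if attr not in request:
            return False
        if not check_item_matches(op, request[attr], value):
            return False
    return True


def in_window(d: date, nas_ip: str = "192.168.1.4") -> bool:
    """Is a request from `nas_ip` on date `d` accepted by CHECK_ITEMS?"""
    return authorize({"NAS-IP-Address": nas_ip, "My-Local-Date": request_date(d)})
```

Note that the `=~` row also matches `192.168.1.40`, since the regex is searched rather than anchored; use `^192\.168\.1\.4$` if only that one NAS is meant.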
Re: The client does not connect _*_*_*_
Le 11/05/2010 10:09, htt thanh wrote:
> Hi, I don't know why the user-password is encrypted, how can I make a cleartext secret...;((

The pb is with your client shared secret: the secret you set in /etc/raddb/clients.conf and in your NAS configuration. It seems that you haven't set the same secret in your FR configuration and in your NAS, so that the password sent to FR is not correctly decrypted.

Thibault

> thank in advance
>
> On 11 May 2010 14:23, Alan Buxey <a.l.m.bu...@lboro.ac.uk> wrote:
>> Hi,
>>
>>> User-Password = -*\333\003D\215\345\\\302\036\251\320:\373ȇ
>>
>> note the mess ..then note this warning:
>>
>>> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>>
>> not sure how much more help the server can give you. you have incorrect shared secret. double check your values...trailing space?
>>
>> alan
>
> --
> htt
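Why a wrong shared secret turns the password into the unprintable mess quoted above, as an added example (not code from this thread or from FreeRADIUS): the RFC 2865 User-Password hiding scheme implemented on both the NAS and the server side. With the right secret the server recovers the password; with any other secret (a trailing space is enough) the MD5 keystream differs and the result is 16n bytes of effectively random data, which is what triggers the "Unprintable characters" warning. Secrets, the Request Authenticator and the password are constructed for the example.

```python
"""Added example: RFC 2865 section 5.2 User-Password hiding, both directions."""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """NAS side: pad the password with NULs to a multiple of 16 bytes, then
    XOR each 16-byte block with MD5(secret + previous block), where the
    "previous block" for the first block is the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + 16], keystream)
        out += block
        prev = block            # chaining uses the *hidden* block
    return out


def unhide_user_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: regenerate the same keystream from the server's copy of
    the client secret, XOR it back and strip the NUL padding.  If the secret
    for this client differs from the NAS's, every block decrypts to junk."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def looks_printable(data: bytes) -> bool:
    """The spirit of the server's warning: every byte is printable ASCII.
    A mismatched secret almost always fails this check."""
    return all(0x20 <= x < 0x7F for x in data)


def what_the_server_sees(secret_on_nas: bytes, secret_on_server: bytes, password: bytes) -> bytes:
    """One Access-Request: the NAS hides `password` with its secret, the
    server unhides with the secret from its clients.conf entry."""
    authenticator = os.urandom(16)          # fresh per request on a real NAS
    hidden = hide_user_password(secret_on_nas, authenticator, password)
    return unhide_user_password(secret_on_server, authenticator, hidden)
```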
Re: PopTop
----- Message from hutch...@tarcanfel.org -----
    Date: Mon, 19 Apr 2010 19:41:44 -0500
    From: Jonathan Hutchins <hutch...@tarcanfel.org>
Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
 Subject: Re: PopTop
      To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>

> On Monday 19 April 2010 07:16:52 pm Thibault Le Meur wrote:
>> Please can you explain why you think it is obsolete ?
>
> It addresses the configuration in single-file format rather than the distributed file format that the current packaging (for Debian at least) uses.

Yes it is true, but this part seems easy once you've understood how to migrate from FR1 to FR2, which is required anyway to do a proper migration. In fact this would be only a 3-line change in the article, so this is easy to fix as most of this HowTo is related to setting up other components than FR ;-)

>> By the way, since I wrote this page, I have switched to 2.1.8 without pb.
>
> Arg! Were you able to continue using the same configuration, or did it require a full rebuild?

No, of course: when I switched to FR2 I rewrote all my configuration because I wanted a clean setup. It was time for me to remove old tricks I used in FR1 and replace them by unlang. FR2 is so much more powerful.

> I moved from a rather ancient Gentoo server that I believe was using a 1.x version to Debian Lenny 2.0.4, then upgraded to the 2.1.8 backport, and I can't get it to parse DOMAIN//user properly - it ignores the separator and comes up with a null realm. Curiously, it later displays the username as DOMAIN/name.

I can't help here, because I'm not using realms for PopTop authentication. However I would check your modules/realm file and the ntdomain realm definition. Then I would double check that the ntdomain instance is enabled in your pre-acct and authorize sections.

> The current Debian packaging also requires that the mschap module file be edited, and that a sites-available file be linked to sites-enabled.

Yes, this is the new approach.

> Thanks for the reply. I think it's always harder to maintain/upgrade an existing configuration moved to a new platform than to build one from scratch.

Yes, especially this FR1 to FR2 migration requires some time, but it's worth it ;-)

Regards,
Thibault
Re: PopTop
Jonathan Hutchins wrote:
> On Tuesday 20 April 2010 01:00:42 pm John Dennis wrote:
>>> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
>>> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
>>
>> You have to either have a Cleartext password for the user or an ntlm hash if you're going to use ntlm_auth, apparently you don't have either defined for the user jonathan
>
> According to http://wiki.freeradius.org/PopTop though, I shouldn't need to define a user. The 1.x configuration does not appear to have required this either. Did it default to using local /etc/passwd or PAM? Did the old mschap module know to use samba?

Oh, of course the PopTop howto supposes that you have a working FR setup, and that you're able to authenticate your user using MSCHAP!

Where do you plan to manage your user accounts?

Thibault
Re: PopTop
> Is it possible to set up a new account on the wiki, or does that require an administrator? I wanted to mark the page http://wiki.freeradius.org/PopTop as obsolete and applying only to the 1.x versions of freeradius. These are the instructions I was originally following, and they distinctly do not work with 2.1.8. If anybody has a working 2.1.8 setup for PopTop I would greatly appreciate your advice.

Humm, I'm the one who wrote this page. I must admit I've never updated it, but to be honest I don't see what is so wrong about it and FR 2.1.8.

Please can you explain why you think it is obsolete?

By the way, since I wrote this page, I have switched to 2.1.8 without pb.

Thibault
Re: Multiple EAP-TLS modules with different certificates
Hi All,

I just wanted to mark this thread as resolved.

Alan DeKok wrote:
> Yes. Others use multiple certs & multiple EAP modules.

Thanks for this answer, this confirms that I'm on the right way. Indeed it works now ;-)

I'll make more tests and will triple check my setup now I know that it's possible.

I had 2 issues:
* My access point controller wasn't really assigning the per-SSID NAS-Identifier attribute. I had to fix the setup.
* My new certificate PEM file wasn't concatenated with the full certification path in the correct order (moreover I was told that respecting a bottom-up certification path order is sometimes important for the MS Windows supplicant).

Many thanks to Alan for his great help.

Best regards,
Thibault
Re: Multiple EAP-TLS modules with different certificates
Hi Alan,

Thank you for your prompt answer.

Alan DeKok wrote:
> Yes. Others use multiple certs & multiple EAP modules.

Thanks for this answer, this confirms that I'm on the right way.

>> A quick look at FR debug logs confirms, as far as I can read them, that the client is refusing the radius server certificate.
>
> I don't think that's in the debug log.

You're right, it's not clearly written in the FR logs, but the fact that the TLS exchanges just stop at a given time helps me suppose the origin of the problem (which is confirmed by reconfiguring the supplicant).

>> Is there a client tool to check which certificate is used by FR ?
>
> wireshark might do it.

You're right, I'll do this.

>> Have I missed something in the setup ?
>
> Did you test each piece in isolation before putting it all together?

No, because I'm working on my production radius server and I didn't want to break my old SSID (which I unintentionally did anyway for 5 minutes). I'll make more tests and will triple check my setup now I know that it's possible.

Many thanks again for your answer.

Regards,
Thibault
Multiple EAP-TLS modules with different certificates
Hi,

I'm about to change the CA of my radius server certificate. At the same time I've installed a new wifi network and plan to change the SSID as well (authentication is EAP-TTLS or EAP-PEAP).

In order to avoid a complete breakout when I change the certificate of my radius server (because a manual operation is required on the supplicant side to select the new CA), I'd like to configure FR so that:
* when the WiFi client connects to SSID1, the server uses the old certificate and key,
* and when the client uses SSID2, the radius server uses the new certificate and key.

Is this possible?

I've already tried such a configuration by:
* defining 2 eap modules, let's say eapOld and eapNew (each with its own key and cert)
* making sure that depending on the SSID, the access point sets a different NAS-Identifier (let's say ID1 and ID2) in the Access-Request
* in the virtual FR server, I've used unlang to run either eap module:

in authorize:

    if (%{request:NAS-Identifier} == ID1) {
        eapOld {
            ok = return
        }
    }
    if (%{request:NAS-Identifier} == ID2) {
        eapNew {
            ok = return
        }
    }

in authenticate:

    Auth-Type eapNew {
        eapNew
    }
    Auth-Type eapOld {
        eapOld
    }

in eap.conf: the two eap modules only differ in their certificate/key; they redirect to the same inner-tunnel virtual server.

The result so far is that with such a setup my wireless clients can't connect at all when they check the certificate, but can connect when they don't (no matter what setup is done on the client side). Of course I've installed the 2 certificates on the client to check this.

A quick look at FR debug logs confirms, as far as I can read them, that the client is refusing the radius server certificate.

Is there a client tool to check which certificate is used by FR? Have I missed something in the setup?

I've tried to turn on Windows EAP logs, but they aren't very easy to read as far as TLS/TTLS/PEAP authentication is concerned!

Environment: FR is 2.1.1, clients used: Windows XP SP3 and Windows 7.

Thanks a lot for your ideas, proposals, ...

Best regards,
Thibault
modules instance name restrictions
Hi,

I recently came up with a small issue concerning module instance names (especially when they set Auth-Type).

* I defined my own pap module with the name 'pap-myorg' and expected it to set Auth-Type to PAP-MYORG, but in fact it wasn't setting the Auth-Type at all (moreover I saw no notice in the log about not being able to set the Auth-Type).
* I changed the instance name to 'papmyorg' and now the module sets the Auth-Type to PAPMYORG.

I tried to find in the doc where the restrictions on module instance names were defined, but didn't find any reference to this. And given the fact that some standard modules have specific chars such as '_' or '-', I thought there were few constraints.

Is there any module instance naming convention written somewhere in the provided documentation (or online)?

Maybe it could be interesting to have a warning in the radius debug log in order to notify the administrator that Auth-Type wasn't set due to module naming restrictions?

Best regards,
Thibault
Re: openvpn client ip attrib
Hegedus Gabor wrote:
> HI!
> Can you help me, I don't know how can i send back the client ip address to the openvpn client. The cisco vpn 3000 works correctly with cvpn3000 directory. Are there any directory for openvpn? or which return attrib name I can use?

This is a little off-topic for this list as this is related to your NAS (which is openvpn).

Basically I do this by returning the standard Framed-IP-Address attribute to the openvpn server. This implies that your openvpn server is able to understand and process this attribute: I use the openvpn radius plugin for this (http://www.nongnu.org/radiusplugin/) as the simple pam_radius option for openvpn doesn't handle Framed-IP-Address attributes.

For more information, I think the openvpn mailing list will be better suited.

Regards,
Thibault
Re: Rejections
Jack D. Martin Jr. wrote:
> I wasn't questioning your skills - trust me. I have read many of your responses on the list, you helped me deploy my server without ever talking to me. I am just looking for a solution.
>
> Basically what I have is a billing solution that automatically suspends customers by scrambling their passwords. When that happens - I don't want the customers to be rejected, but to be assigned to a different group.
>
> Is that a better way of asking? What I am looking for is to not reject people with bad passwords, but to assign them a particular IP pool.

Then why don't you simply make your billing solution put your users exceeding their quota in an Exceeded_Quota group (either in an SQL DB, or in LDAP, or any backend)? Don't scramble their password.

This way an authenticated user belonging to the Exceeded_Quota group would be assigned a given IP pool, and those not in this group would be assigned another IP pool.

Does my answer make sense? (I admit I've not read the preceding posts.)

Thibault

> Jack Martin
> Magic Wireless Internet Service Providers LLC
> P.O. Box 278
> 104 W. Main
> Oilton, OK 74052
> www.magicwisp.com
>
>> Jack D. Martin Jr. wrote:
>>> What about using a fall through? Could it be that the last option to auth, even if the password is incorrect - they get assigned to a particular group?
>>
>> As I said: The server can't turn a reject into an accept. Doing so will require source code patches.
>>
>> I wrote much of the server. I *think* I know how it works.
>>
>> Alan DeKok.
Re: authenticating to ldaps/tls
Peter Param wrote:
> Hi all,
> I'm trying to authenticate to a LDAPS backend but failing. Any suggestions?

Is it an LDAP server answering on LDAPS connections (LDAP+SSL on port 636) or an LDAP server answering on LDAP connections that are then secured by Start-TLS (LDAP on port 389 + Start-TLS)? These are 2 different options.

> ldap people_search {
>     server = ldap1.stvincents.com.au
>     port = 636                 <== This implies an ldaps server
>     identity = cn=admin,o=org,c=au
>     password = ***
>     filter = (cn=%u)
>     basedn = ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au
>     tls {
>         tls_mode = yes
>         #  to the LDAP database by using the StartTLS extended
>         #  operation.
>         #
>         #  The StartTLS operation is supposed to be
>         #  used with normal ldap connections instead of
>         #  using ldaps (port 689) connections
>         start_tls = yes        <== this is not compliant with an ldaps server: use start_tls=no

By the way, Alan and other Gurus, I think there is a small typo in the comment:

    # using ldaps (port 689) connections

Should be

    # using ldaps (port 636) connections

HTH,
Thibault
Re: authenticating to ldaps/tls
Peter Param wrote:
> it is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636) ...but it also supports the latter even tho an acl is set to not allow port 389
> use start_tls=no fails also,

Maybe, but keep it to no.

> it seems to have a problem with the cert and/or cert directory:
>
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: could not set LDAP_OPT_X_TLS option Success

?? this is confusing... could that mean that your ldap library wasn't compiled with ssl support... I'm not sure, see http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09575.html (but this is a rather old post)

> rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
> rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/

    cacertfile = /etc/openssl/certs/SVMHS_CA_SSL_Server.cer
        <-- The doc states that tls_cacertfile is a PEM-encoded file: I think your CA cert is a DER-encoded one (the .cer extension usually is).
    cacertdir = /etc/openssl/certs/
        <-- The doc states that tls_cacertdir is in hash format (see openssl verify)

Also check that the directory and files are accessible/readable by the user running the radius server.

My 2 cents,...
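A way to settle the DER-versus-PEM question raised above before touching rlm_ldap, as an added example (not code from the thread or from FreeRADIUS): classify a certificate file by its bytes (a `.cer` is usually a bare DER SEQUENCE, while `tls_cacertfile` wants PEM), convert DER to PEM, and split a PEM bundle into its certificates in file order, which is the order that matters when a server certificate is followed by its chain. The "certificate" used in the test is a constructed DER SEQUENCE with dummy content, not a real X.509 object; real files can be passed in as-is.

```python
"""Added example: PEM/DER detection and conversion for certificate files."""
import base64
import re
from typing import List, Optional

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_sequence_length(data: bytes) -> Optional[int]:
    """Total encoded length (tag + length bytes + content) of the DER
    SEQUENCE at data[0], or None if data does not start with one.
    Every X.509 certificate is a DER SEQUENCE, so this is the DER sniff."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                          # short form
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """'PEM' if at least one PEM CERTIFICATE block is present, 'DER' if the
    whole file is exactly one DER SEQUENCE, otherwise 'unknown'."""
    if PEM_CERT_RE.search(data):
        return "PEM"
    if der_sequence_length(data) == len(data):
        return "DER"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Wrap one DER certificate in PEM armour (64-column base64)."""
    if der_sequence_length(der) != len(der):
        raise ValueError("not a single DER SEQUENCE")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def pem_to_der_list(pem: bytes) -> List[bytes]:
    """All certificates of a PEM bundle, in file order."""
    return [base64.b64decode(m.group(1)) for m in PEM_CERT_RE.finditer(pem)]


def fake_der_certificate(content_len: int) -> bytes:
    """Constructed stand-in for a DER certificate: a SEQUENCE whose content
    is `content_len` zero bytes (only the outer encoding is realistic)."""
    content = bytes(content_len)
    if content_len < 0x80:
        header = bytes([0x30, content_len])
    else:
        nbytes = (content_len.bit_length() + 7) // 8
        header = bytes([0x30, 0x80 | nbytes]) + content_len.to_bytes(nbytes, "big")
    return header + content


def classify_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify(fh.read())
```

`tls_cacertdir` additionally needs the hash symlinks (`c_rehash` or `openssl rehash` on the directory) once the files in it are PEM.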
Re: XP SP3 an EAP-TLS partly solution
Alexandros Gougousoudis wrote:
>> Hi Ivan,
>>
>> Try signing client certificates with the ca certificate. I have included modified Makefile for 2.1.3. I have added make caclient.pem to produce client certificates and cleanca to remove them. Try importing caclient.p12 created this way onto the user machine (along with ca.der) and see if they will work with SP3. They should work with SP2 as well.
>
> Thanks for your reply, but that is already what I do. I have created a CA in TinyCA and the server has a signed server-cert and each client has a signed client-cert (both with the XP specific usage attributes).

I had an issue once when using client certs generated with TinyCA; this was due to the fact that, by default, TinyCA includes the emailAddress in the DN subject.

> Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailaddress=sc...@kh-berlin.de

Your CA cert's DN includes the emailAddress. Though this was not exactly the issue I had (mine was related to the client certs), I would recommend not adding this emailAddress to the DN and testing again.

HTH,
Thibault
Re: Authentication Problem with PEAP and openldap
Michael Poser wrote:
> Hello,
> native wired xp 802.1X client with PEAP (mschapv2) tries to authenticate via freeradius against openldap with an md4 encoded utf-16e password hash.

This is just not possible. PEAP (mschapv2) requires that you can read the user password either as a cleartext password or as an NTLM-hashed password in your DB.

Thibault
Re: Issue with PAP/LDAP authentication after upgrade FR 2.0.5 to FR 2.1.1
Hi John,

Nice to meet you ;-)

John Dennis wrote:
> John Dennis wrote:
>> Thibault Le Meur wrote:
>>> I've searched and finally found out what occurred. I'm using Fedora Core 9 and after the FR package update here is what occurred: a lot of files including module files from the new RPM package were added as /etc/raddb/modules/modulename.rpmnew
>>>
>>> So at startup here is what is loaded:
>>> ...
>>> including configuration file /etc/raddb/modules/pap.rpmnew
>>> ...
>>> including configuration file /etc/raddb/modules/pap
>>> ...
>>>
>>> I don't know if I should report this to the package maintainer or not. What do you think ?
>>
>> I'm here :-)
>>
>> The files under /etc/raddb/modules are configuration files. Configuration files by definition are available for editing. It is usually considered bad practice for rpm during an upgrade to overwrite user modified configuration files.

I agree ;-)

>> If rpm thinks a configuration file has been modified instead of overwriting the configuration file with the version from the new package it instead lays a new copy of that file down with the .rpmnew extension.

I understand, and this runs great _for most other software because the xxx.rpmnew files are not read_ by the application at startup:
* the applications are correctly updated,
* the configuration files that were customized by the system administrator are not overwritten and are still read at the application startup,
* _usually_ the updated applications are working well, despite having old configuration files. This is because new configuration files usually have new optional parameters (for which a default value is assumed by the application).

However, as far as FR is concerned, all files in /etc/raddb/modules/ matching the regex /[a-zA-Z0-9_.]+/ are read, and this includes any xxx.rpmnew file: in fact adding an xxx.rpmnew file in /etc/raddb/modules has the same effect as modifying the configuration files!

This will cause most FreeRADIUS 2.x upgrades (using RPM) to end up with an updated server which is not working anymore.

>> It's your job as a system administrator to pay attention to the presence of .rpmnew files, during installation it will warn you such files were created which is your signal to investigate.

This may mean that automatic updates of FR should be disabled by default in the OS, maybe in /etc/yum.conf for Fedora?

>> If you miss the warnings you should still periodically check under /etc for the presence of .rpmnew files and .rpmsave by the same token.

No need to do this: I've been warned immediately by my users that network access wasn't possible anymore ;-)

>> Now having said that, it's entirely possible there is a packaging problem and the .rpmnew files should not have been created, I'll go off and take a look at that issue. My recollection is that rpm is smart enough to detect the case where the old version of a config file differs from the new version but the old version was not locally edited. I believe this is case you're describing.

No, I've modified the old configuration file; the problem is that the .rpmnew file is read by the server at startup and thus this overrides my old customizations.

> I've looked at the packaging with respect to how the .rpmnew files are being handled and I believe everything is correct. What is probably missing is documentation on this so I've updated the FreeRADIUS Red Hat FAQ (http://wiki.freeradius.org/Red_Hat_FAQ) and added a section describing what happens to configuration files during a RPM upgrade (http://wiki.freeradius.org/Red_Hat_FAQ#How_are_configuration_files_handled_during_an_RPM_upgrade.3F)

Thanks, this is very valuable. Maybe 'we' should add a specific paragraph concerning /etc/raddb/modules configuration .rpmnew files as they are read by FR at startup? Do you want me to do so?

Regards,
Thibault
Issue with PAP/LDAP authentication after upgrade FR 2.0.5 to FR 2.1.1
Hi Gurus,

I've just (auto)updated my FR from 2.0.5 to 2.1.1 and some authentications stopped working.

For these specific authentications the ldap module is used to retrieve the password from LDAP (hashed with MD5 or CRYPT, ...), and then PAP is used to compare the passwords (auto_header is turned on in the pap module).

Before 2.1.1 everything was working. After 2.1.1, I get Authentication Failures because passwords don't match.

I've analysed the debug log and I wonder if the auto_header of the pap module is really working! Here is an abstract of the radius debug logs (usernames, passwords, and IP addresses have been obfuscated):

rad_recv: Access-Request packet from host 10.1.1.1 port 54251, id=6, length=94
        User-Name = username
        User-Password = USERPASSWD
        NAS-IP-Address = 10.1.1.1
        NAS-Port = 6
        Service-Type = Dialout-Framed-User
        Calling-Station-Id = 10.1.1.10
        NAS-Identifier = OpenVpn
        NAS-Port-Type = Virtual
server mycompany-vpn-perso-ovpn {
+- entering group authorize {...}
++[preprocess] returns ok
...
[files_mycompany_vpn_perso_ovpn] users: Matched entry DEFAULT at line 2
...
++[files_mycompany_vpn_perso_ovpn] returns ok
++- entering policy redundant {...}
[ldap1] performing user authorization for username
[ldap1]        expand: %{Stripped-User-Name} ->
[ldap1]        expand: %{User-Name} -> username
[ldap1]        expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(MyCompany-AccountStatus=active)) -> (&(uid=username)(MyCompany-AccountStatus=active))
[ldap1]        expand: dc=mycompany, dc=fr -> dc=mycompany, dc=fr
..
rlm_ldap: extracted attribute Pool-Name from generic item Pool-Name:=Ovpn_Main_Pool
[ldap1] Added User-Password = {MD5}/9sLgyXJRml0Lds4xd6rOg== in check items
[ldap1] looking for check items in directory...
rlm_ldap: mycompanyNTPassword -> NT-Password == 0xe0b531f2a8a5cb7ecd2b4951b1d79E1d
[ldap1] looking for reply items in directory...
[ldap1] user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap1] returns ok
++- policy redundant returns ok
...

<== Until this line everything is ok: the userPassword attribute is added to User-Password because I have the line password_attribute = userPassword uncommented in my ldap module setup. Note also that I have the password in NT-hashed format as well, but I don't intend to use it in this particular authentication process.

++[pap] returns updated
Found Auth-Type = PAP
!!!                                                                   !!!
!!! Replacing User-Password in config items with Cleartext-Password.  !!!
!!!                                                                   !!!
!!! Please update your configuration so that the known good           !!!
!!! clear text password is in Cleartext-Password, and not in          !!!
!!! User-Password.                                                    !!!
!!!                                                                   !!!
+- entering group PAP {...}
[pap] login attempt with password USERPASSWD
[pap] Using clear text password {MD5}/9sLgyXJRml0Lds4xd6rOg==
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
} # server mycompany-vpn-perso-ovpn
Using Post-Auth-Type Reject

<== I have no reference to the User-Password attribute in my setup (either in the users file or in the radiusprofile taken from the LDAP directory). It seems like the ldap module adds the User-Password attribute and then the PAP module decides to change it to Cleartext-Password instead of processing the auto_header feature and setting the MD5-Password.

What do you think? Is there somewhere in my setup where I could have broken the normal FR processing?

Many thanks in advance,
Thibault
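What `auto_header` changes in the comparison shown in the debug output above, as an added example (not rlm_pap's code and not from this thread): a checker that, with `auto_header` on, recognises the `{MD5}`, `{SMD5}`, `{SHA}` and `{SSHA}` headers used in LDAP `userPassword` values and compares digests, and with it off does exactly what the log shows, a literal comparison of the typed password against the string `{MD5}...`, which can never match. The passwords and salts are constructed; the `{MD5}` value from the log is not reused because its plaintext is not on the page.

```python
"""Added example: LDAP {SCHEME}base64 password values, generate and check."""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

HEADER_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}


def _digest(scheme: str, data: bytes) -> bytes:
    if scheme in ("MD5", "SMD5"):
        return hashlib.md5(data).digest()
    if scheme in ("SHA", "SSHA"):
        return hashlib.sha1(data).digest()
    raise ValueError(f"unsupported scheme {scheme!r}")


def make_ldap_password(scheme: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value.  Salted schemes hash password+salt and
    append the salt to the digest before base64, as OpenLDAP stores them."""
    scheme = scheme.upper()
    if scheme in ("SMD5", "SSHA"):
        salt = os.urandom(4) if salt is None else salt
        raw = _digest(scheme, password.encode("utf-8") + salt) + salt
    elif scheme in ("MD5", "SHA"):
        raw = _digest(scheme, password.encode("utf-8"))
    else:
        raise ValueError(f"unsupported scheme {scheme!r}")
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def check_password(candidate: str, stored: str, auto_header: bool = True) -> bool:
    """auto_header=True : the {SCHEME} header selects the hash to compare.
    auto_header=False: the stored value is treated as clear text, so a
    hashed value compares as the literal string and always fails."""
    if not auto_header:
        return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
    m = HEADER_RE.match(stored)
    if not m:                                   # no header: clear text
        return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
    scheme, b64 = m.group(1).upper(), m.group(2)
    if scheme not in DIGEST_LEN:
        return False                            # unknown scheme: reject, don't guess
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    dlen = DIGEST_LEN[scheme]
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or (scheme in ("MD5", "SHA") and salt):
        return False
    expected = _digest(scheme, candidate.encode("utf-8") + salt)
    return hmac.compare_digest(expected, digest)
```

The behaviour in the log corresponds to `auto_header=False`: the `{MD5}...` string is handed to PAP as a "clear text" known-good password and compared byte for byte with `USERPASSWD`.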
Re: Issue with PAP/LDAP authentication after upgrade FR 2.0.5 to FR 2.1.1
Thanks a lot for your answer,

[EMAIL PROTECTED] wrote:
>> I've just (auto)updated my FR from 2.0.5 to 2.1.1 and some authentications stop working. For these specific authentications the ldap module is used to retrieve the password from LDAP (hashed with MD5 or CRYPT, ...), and then PAP is used to compare the passwords (auto_header is turned on in the pap module).
>
> It doesn't look on. Post the debug of the server startup.

You're quite right, the pap module isn't instantiated with the expected values. Here is the abstract of the starting block of the debug log:

-----
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
  pap {
        encryption_scheme = auto
        auto_header = no
  }
-----

I've searched and finally found out what occurred. I'm using Fedora Core 9 and after the FR package update here is what occurred: a lot of files including module files from the new RPM package were added as /etc/raddb/modules/modulename.rpmnew

So at startup here is what is loaded:
...
including configuration file /etc/raddb/modules/pap.rpmnew
...
including configuration file /etc/raddb/modules/pap
...

Most of my setup was working because I use specific instances of the modules such as ldap-mycompany and not the default ldap name. However, I use the std name for the pap module... I may change this in the future to avoid such issues after upgrade.

I don't know if I should report this to the package maintainer or not. What do you think?

Again, thanks a lot for your help.

Regards,
Thibault
Re: FreeRadius + VPN Clients
> Sending Access-Accept of id 177 to 127.0.0.1 port 51289
> Finished request 0
> Going to the next request

Great, then you've been authenticated by the LDAP server and the Radius server is sending an Access-Accept message to your VPN server. As far as FreeRadius is concerned everything is ok.

It seems that your VPN server may be expecting more from the Radius server in order to establish the VPN connection; please check the documentation of this NAS. For instance, it may be expecting the Radius server to send the IP address of the client in a Framed-IP-Address attribute (if your NAS is set up to serve an IP pool).

Hope this helps,
Thibault

PS: by the way your LDAP encrypted password has been sent to the mailing list as an MD5 hash. If this is not a test password you should consider changing it. Same for the password used to search entries in your LDAP directory (ldap: identity = cn=Manager,dc=iut-velizy,dc=uvsq,dc=fr), but I guess this one is really a test password.
Re: Pptpd / MySql / MD5
Sascha Kiefer wrote:
> Hi,
>
> Thanks to http://wiki.freeradius.org/PopTop i can authenticate my vpn users using a remote radius server using MS-CHAPv2

You're welcome ;-)

> Passwords are stored in clear in the mysql database. PopTop is responsible for the remoteip. Everything works.
>
> Now, is it possible?
> * to use md5 passwords in db; i had this in the first place but authentication failed

No, with MS-CHAPv2 your radius server needs to know either the NTLM-hash version of your password or the plaintext version of your password. MD5 is not supported by design.

Thibault
Re: freeradius+pptpd+mysq - rc_avpair_new: unknown attribute 6
Alan DeKok wrote:
>> What am I doing wrong? Below I've copypasted config files of pptpd radius and their debug logs.
>
> sigh
>
> Do NOT post the FreeRADIUS dictionaries to this list. There is nothing wrong with the dictionaries.
>
> DO configure pptpd to point to the RADIUS dictionaries it needs.

I've written a little tuto on this, maybe it can help you: http://wiki.freeradius.org/PopTop

Regards,
Thibault
Re: ip assignment issue with poptop
Hi,

hadi golestani wrote:
> Hi,
> I wanna use freeradius to dynamically assign ip to my vpn clients. so I defined an ip pool with the range of 10.3.3.1 to 10.3.3.255, with the radtest command, I'm getting the ip in answer but while trying to connect from vpn client and at the same time looking at the debug mode output there's no ip returned in answer.

Look at the debug: below you can see:

    rlm_ippool: Found Framed-IP-Address attribute in reply attribute list.
    rlm_ippool: override is set to no. Return NOOP.

It seems that your user meets 2 lines of your users file:

    users: Matched entry DEFAULT at line 173
    users: Matched entry DEFAULT at line 185

Line 173 for instance may assign Framed-IP-Address, and since your rlm_ippool module is set not to override the already assigned IP address, it does nothing (NO OPeration). See the override = yes option in your ippool section.

Hope this helps,
Thibault
Re: Question regarding the Expiration attribute
Terry Pelley wrote:
> FreeRADIUS Version 1.1.7 on Novell SLES10
>
> The question is simple but I can't seem to find the answer to it so I will apologize in advance. Can some one tell me the format for entering the date in the Expiration attribute? I'm using the users file to authenticate users on a small wireless network.
>
> ie.
> testuser User-Password == testpass
>          Expiration = ???
>
> (lets use today 10 October 2007 as an example)

Expiration is not a reply attribute but a configuration one, so you have to put it on the first line:

    testuser User-Password == testpass, Expiration := "30 Jun 2009"

HTH,
Thibault
RE : IP Reverse DNS Resolution
Hi,

> I currently have an IPSEC/L2TP setup that uses FreeRadius (for Active Directory auth). Radius is handing out the IP addresses to the clients. Is there a way to have it update my DNS server so it can create reverse-dns entries for them?

Yes it is. In acct_users make a rule that runs a custom program at Acct-Start and Acct-Stop time:

DEFAULT NAS-IP-Address == A.B.C.D, Acct-Status-Type == Start
        Exec-Program = /path/to/dnsupdate/acct-nsupdate.sh

Then your acct-nsupdate.sh can use the nsupdate tool to update the DNS server. Note these interesting parameters that are available in the environment:

# ACCT_STATUS_TYPE = Start | Stop
# FRAMED_IP_ADDRESS = attributed IP address
# NAS_PORT
# USER_NAME
# ACCT_TERMINATE_CAUSE=User-Request (in normal case when Type=Stop)
# NAS_IP_ADDRESS

These parameters can be used to build the $newhostname, $assignedipaddr and $A, $B, $C, $D decimal octets of the assigned IP addr. For instance adding an IP:

nsupdate -k $KEYFILE > /dev/null <<EOF
server $SERVER
zone $ZONE
prereq yxdomain $ZONE
update delete $newhostname A
update add $newhostname $TTL A $assignedipaddr
send
EOF

(This is with secure update, and KEYFILE holds the TSIG key file (man dnssec-keygen))

Then updating reverse DNS:

nsupdate -k $KEYFILE > /dev/null <<EOF
server $SERVER
zone $ZONEREV
prereq yxdomain $ZONEREV
update delete $D.$C.$B.$A.in-addr.arpa. PTR
update add $D.$C.$B.$A.in-addr.arpa. $TTL PTR $newhostname
send
EOF

HTH,
Thibault
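The accounting hook described above, written out as an added example (my code, not the poster's acct-nsupdate.sh): it builds both nsupdate batches from the Exec-Program environment variables, additionally removes the records on Acct-Stop, and restricts the label derived from USER_NAME so that a crafted User-Name cannot smuggle extra nsupdate commands into the batch. The server, zone names, TTL and key file path are assumptions.

```python
"""Build nsupdate batches for a FreeRADIUS Exec-Program accounting hook.

Added example, not from the original post: it reproduces the forward and
reverse updates shown above from the environment variables that
Exec-Program exports. Zone names, server, TTL, key file and the host-name
scheme are assumptions.
"""
import ipaddress
import os
import re
import subprocess
from typing import Dict, List

SERVER = "ns1.example.net"                  # assumed DNS server
ZONE = "vpn.example.net"                    # assumed forward zone
ZONEREV = "1.168.192.in-addr.arpa"          # assumed reverse zone (192.168.1.0/24)
TTL = 300                                   # assumed record TTL
KEYFILE = "/etc/raddb/Kvpn-update.+157+00000.private"  # placeholder TSIG key file

_SAFE_LABEL = re.compile(r"[^a-z0-9-]")


def hostname_for(user_name: str) -> str:
    """Derive the DNS owner name from USER_NAME.

    Only [a-z0-9-] survive, so a User-Name containing newlines or spaces
    cannot inject additional nsupdate commands into the batch.
    """
    label = _SAFE_LABEL.sub("-", user_name.lower()).strip("-")[:63]
    if not label:
        raise ValueError("User-Name yields an empty DNS label")
    return f"{label}.{ZONE}."


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa owner name (D.C.B.A order) for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)        # rejects anything that is not an IPv4 address
    return addr.reverse_pointer + "."


def forward_batch(hostname: str, ip: str, status: str) -> str:
    """The A-record batch: delete first, then add again on Acct-Start only."""
    lines = [f"server {SERVER}", f"zone {ZONE}", f"prereq yxdomain {ZONE}",
             f"update delete {hostname} A"]
    if status == "Start":
        lines.append(f"update add {hostname} {TTL} A {ip}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def reverse_batch(hostname: str, ip: str, status: str) -> str:
    """The PTR-record batch for the reverse zone, same shape as the forward one."""
    ptr = reverse_name(ip)
    lines = [f"server {SERVER}", f"zone {ZONEREV}", f"prereq yxdomain {ZONEREV}",
             f"update delete {ptr} PTR"]
    if status == "Start":
        lines.append(f"update add {ptr} {TTL} PTR {hostname}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def batches_from_env(env: Dict[str, str]) -> List[str]:
    """Map the Exec-Program environment to the nsupdate batches to run.

    Start adds the names, Stop removes them, any other Acct-Status-Type
    (e.g. Interim-Update) is ignored and yields no batch.
    """
    status = env.get("ACCT_STATUS_TYPE", "")
    if status not in ("Start", "Stop"):
        return []
    ip = env["FRAMED_IP_ADDRESS"]
    host = hostname_for(env["USER_NAME"])
    return [forward_batch(host, ip, status), reverse_batch(host, ip, status)]


def run(env=None) -> int:
    """Feed each batch to nsupdate on stdin, as the heredocs above do."""
    env = os.environ if env is None else env
    for batch in batches_from_env(env):
        subprocess.run(["nsupdate", "-k", KEYFILE], input=batch,
                       text=True, check=True)
    return 0


if __name__ == "__main__":
    run()
```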
RE : EAP/PEAP, LDAP and Dynamic VLAN Assignment HOW-TO
Hi,

> Hi, I would make this architecture:
> - authentication EAP/PEAP with MS-CHAPv2 with users in an LDAP database. Better with encrypted password, but not necessary.

Either:
* use clear-text passwords in the userpassword attribute
* OR add an LDAP attribute that will hold the NTLM hash version of the user password (with leading '0x'), then use ldap.attrmap to map NT-Password to your LDAP ntlm password attribute

> - Every user has an attribute or something to assign it a VLAN.

You can use the radiusReplyItem LDAP attribute OR create several radius profiles (one for each VLAN) and assign the one that corresponds to the user in the users file (for instance using LDAP-groups).

> I have OpenLDAP and Freeradius 1.1.3, the distribution present in CentOS 5. Is it possible? Some suggestions?

Yes it is possible in several ways... Find your own...

HTH,
Thibault

--
Vincenzo Agosti
Università degli Studi di Salerno
Ufficio Sistemi Tecnologici
Coordinamento Servizi Informatici
Via Ponte don Melillo, s.n.c.
84084 - Fisciano (SA)
Tel. +39 089 96 6101 - 9776
Fax +39 089 96 6368 - 9806
Cell. +39 335 427674
--
RE : Ldap Group Membership Requirements
> Basically trying to figure out what I need to add to these lines: groupname_attribute, groupmembership_filter, and groupmembership_attribute. Also not sure if I need to add something to the users file like: DEFAULT LDAP-Group == wireless. Can anyone provide input on what I need to configure, Thanks.
>
> wireless group in ldap, you can see cjarrett is a member:
>
> dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
> objectClass: posixGroup
> cn: wireless
> gidNumber: 1011
> memberUid: cjarrett

You're using posixGroups:

groupname_attribute = cn
groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"

No groupmembership_attribute.

In your users file, for instance:

DEFAULT LDAP-Group == wireless
...

See the /usr/share/doc/freeradius/rlm_ldap text file.

HTH,
Thibault
RE: problem connecting from windows xp to pptp server
Hi Danny,

Let me correct just some things... can you confirm?

> After a lot of help from Thibault I was able to connect from the xp client. The causes for the problem were:
>
> 1. missing raddattr plug-in in option.pptpd:
>    raddattr.so # after radius.so
>
> 2. an updated dictionary (Microsoft, merit) both in /etc/raddb and /etc/radiusclient

I think you don't have to update your FreeRADIUS dictionary at all: _you_ had to because you did some tests and willingly modified them, but I'm quite sure the ones provided by the FreeRADIUS project are good enough for this purpose ;-)

> 3. include dictionary syntax? should be:
>    $INCLUDE /etc/raddb/dictionary.microsoft
>    $INCLUDE /etc/raddb/dictionary.merit

This is the standard syntax for FreeRADIUS, but the INCLUDE syntax for the radiusclient /etc/radiusclient/dictionary file was (as you wrote me in a private email):

INCLUDE /etc/radiusclient/dictionary.microsoft
INCLUDE /etc/radiusclient/dictionary.merit

> 4. need to configure the following options in option.pptpd:
>    refuse-pap
>    refuse-chap
>    refuse-mschap
>    require-mppe
>    +mschap
>    +mschap-v2

Thanks Danny, for your summary to the list.

For everyone else: I've begun a small tutorial on Poptop integration with FreeRADIUS: http://wiki.freeradius.org/PopTop
It is currently linked to the http://wiki.freeradius.org/Example_Setups page. Feel free to update it and/or move it to a more appropriate page on the Wiki (maybe in howto)?

Regards,
Thibault
RE : No available IP Addresses in the pool ...
> Hello everyone,
>
> FreeRadius 1.0.1 from RHEL 4. I get the following error (only shown in debug mode) after 1-2 weeks of the server working fine, without any issues:
>
> rlm_ippool: Searching for an entry for nas/port: 172.25.254.218/9931392
> rlm_ippool: No available ip addresses in pool.
> modcall[post-auth]: module pool_name returns notfound for request 0
>
> The only fix so far was to remove the pool files and recreate them again. Any thoughts of what could be wrong?

First check if your assigned IP addresses are released from the pool: man rlm_ippool_tool

If not, confirm that the pool module name is defined in the accounting{} section of radiusd.conf and that your NAS sends accounting Stop messages.

HTH,
Thibault
RE : There appears to be another RADIUS server running on the authentication port 1812
> # netstat -tunelup
> Aktive Internetverbindungen (Nur Server)
> Proto Recv-Q Send-Q Local Address           Foreign Address   State   Benutzer   Inode   PID/Program name
> [...]
> udp        0      0 192.168.100.207:1812    0.0.0.0:*                 0          7223    2012/mp_kerneld.x
> udp        0      0 192.168.100.207:1813    0.0.0.0:*                 0          7224    2012/mp_kerneld.x
> udp        0      0 192.168.100.207:1814    0.0.0.0:*                 0          7225    2012/mp_kerneld.x
> [...]

There you are. Some program named mp_kerneld.x is occupying the port. That's why freeradius won't start.

See this thread: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg33532.html

HTH,
Thibault
RE : RE : RE : IP Pool management and Re-authentication
Thibault Le Meur wrote:
> > I've patched the radiusplugin to add Framed-IP-Address to the re-auth request but rlm_ippool still allocates a new IP Address (I'm using FR 1.1.4).
>
> Ok. It seems like rlm_ippool should be updated to look for Framed-IP-Address in the request. That would be very useful, and would solve the problem you're seeing.
>
> Alan DeKok.

Do you mean updated (to 1.1.5) or patched?

Never mind, I found the answer by looking at the code of rlm_ippool.c.

Currently, when an Access-Request arrives, rlm_ippool:
* looks in the pool for an 'active' entry (flagged as active) with the key=NAS-IP/NAS-port
* If no entry is found ==> rlm_ippool allocates an @IP from the pool
* If an active entry is found ==> it is considered as a stale entry and is marked as not active (active=0) ==> then a new IP is allocated

If rlm_ippool is 'updated' to take Framed-IP-Address into account, what should the behaviour be?

A simple patch would consist of doing nothing at Post-Auth time if the request contains a Framed-IP-Address.

A more complex patch should handle several different cases and decide what to do. For instance:
* when an Access-Request is received, look for an active entry in the pool with the search key NAS-IP/NAS-port
* If no entry is found
  * If there is No Framed-IP-Address attribute in the Request ==> allocate a new @IP from the pool
  * If there is a Framed-IP-Address attribute in the Request
    * If the Framed-IP-Address belongs to the IP-range of the pool (but it is not assigned to this NAS-IP/NAS-port) ==> then issue a warning log (especially if this IP is allocated to an active entry for another NAS-IP/NAS-port) ==> do not allocate a new @IP ??? (Or should we enforce a new IP, without being sure the NAS will be able to use it?)
    * If the Framed-IP-Address doesn't belong to the IP-range of the pool ==> do not allocate a new @IP
* If an entry is found (there is already an allocated @IP for this NAS-IP/NAS-port)
  * If there is a Framed-IP-Address attribute in the Request
    * If this Framed-IP-Address is the same as the allocated IP from the entry found ==> then do nothing (no stale marking, no new @IP allocation)
    * If this Framed-IP-Address is NOT the same as the allocated IP from the entry found ==> then mark the current entry as stale (active=0) ==> report an error in the log because something went wrong (especially if the Framed-IP-Address received is allocated to another NAS-IP/NAS-port entry in the pool) ==> do not allocate a new @IP
  * If there is No Framed-IP-Address attribute in the Request ==> then mark the current entry as stale (active=0) ==> allocate a new @IP

What do you think? Is it already done in the current development tree?

Regards,
Thibault Le Meur
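The decision tree proposed above, implemented as an added example (my code, not rlm_ippool.c): an in-memory pool keyed by NAS-IP/NAS-port stands in for the module's GDBM files, addresses reclaimed from stale entries go back to the end of the free list, and the branch the post leaves as "???" is taken as "do not allocate". The class, method and log wording are mine.

```python
"""Proposed rlm_ippool behaviour when an Access-Request may carry
Framed-IP-Address. Added example, not the FreeRADIUS module itself; the pool
is a dict keyed by (NAS-IP-Address, NAS-Port) and names are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int]   # (NAS-IP-Address, NAS-Port), the module's search key


@dataclass
class Entry:
    ip: str
    active: bool = True   # active=0 in the post means a stale entry


class Pool:
    def __init__(self, network: str):
        self.net = ipaddress.ip_network(network)
        self.free: List[str] = [str(h) for h in self.net.hosts()]
        self.entries: Dict[Key, Entry] = {}
        self.log: List[str] = []   # warnings/errors the post says should be logged

    def _owner_of(self, ip: str) -> Optional[Key]:
        """Key of the active entry currently holding ip, if any."""
        for key, entry in self.entries.items():
            if entry.active and entry.ip == ip:
                return key
        return None

    def _allocate(self, key: Key) -> str:
        ip = self.free.pop(0)
        self.entries[key] = Entry(ip)
        return ip

    def _mark_stale(self, key: Key) -> None:
        entry = self.entries[key]
        entry.active = False
        self.free.append(entry.ip)   # assumption: reclaimed addresses go to the end

    def access_request(self, nas_ip: str, nas_port: int,
                       framed_ip: Optional[str] = None) -> Optional[str]:
        """Return the IP to send in Framed-IP-Address, or None to allocate nothing."""
        key = (nas_ip, nas_port)
        entry = self.entries.get(key)
        if entry is not None and not entry.active:
            entry = None   # only 'active' entries count, as in the post
        in_range = framed_ip is not None and ipaddress.ip_address(framed_ip) in self.net
        other = self._owner_of(framed_ip) if framed_ip else None

        if entry is None:
            if framed_ip is None:
                return self._allocate(key)          # fresh session: allocate
            if in_range:
                msg = f"warning: {nas_ip}/{nas_port} claims pool address {framed_ip}"
                if other is not None and other != key:
                    msg += f" which is active for {other[0]}/{other[1]}"
                self.log.append(msg)
            return None   # in-range claim or foreign address: do not allocate

        # An active entry exists for this NAS-IP/NAS-port.
        if framed_ip == entry.ip:
            return None   # re-authentication of the same lease: leave it untouched
        self._mark_stale(key)
        if framed_ip is None:
            return self._allocate(key)              # legacy behaviour: stale + new IP
        msg = f"error: {nas_ip}/{nas_port} held {entry.ip} but sent {framed_ip}"
        if other is not None and other != key:
            msg += f" (active for {other[0]}/{other[1]})"
        self.log.append(msg)
        return None
```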
Solution: IP Pool management and Re-authentication
Thibault Le Meur wrote:
> > I've patched the radiusplugin to add Framed-IP-Address to the re-auth request but rlm_ippool still allocates a new IP Address (I'm using FR 1.1.4).
>
> Ok. It seems like rlm_ippool should be updated to look for Framed-IP-Address in the request. That would be very useful, and would solve the problem you're seeing.
>
> Alan DeKok.

For those interested in an interim solution, here is a workaround:

1- make sure your NAS sends a Framed-IP-Address attribute in the Access-Request when a re-authentication is performed (that is to say for openvpn, use a patched version of radiusplugin)

2- Setup 2 Post-Auth-Types in the post-auth section:

Post-Auth-Type postauth.ovpn {
        Ovpn_Main_Pool
        reply_log
}
Post-Auth-Type postauth.ovpn.reauth {
        reply_log
}

3- in the users file (for instance) dispatch incoming Access-Requests based on the presence of the Framed-IP-Address attribute:

DEFAULT Framed-IP-Address !* Any, Huntgroup-Name == srvs-vpn-ovpn, Post-Auth-type := postauth.ovpn
        Fall-Through = no

DEFAULT Framed-IP-Address =* Any, Huntgroup-Name == srvs-vpn-ovpn, Post-Auth-type := postauth.ovpn.reauth
        Fall-Through = no

Thanks Alan for your help,

Regards,
Thibault
RE : RE : Re: freeradius problem : need help
> > What's the output of 'ps auxf' on your box?

Netstat will tell you what's using which port. Do instead:

# netstat -tnp | grep 1812

example output:

tcp        0      0 192.168.30.107:49182    192.168.30.1:5222       ESTABLISHED 5938/gaim

And better, if you have the lsof binary installed, try:

# lsof -iUDP -P | grep 1812

Example output:

radiusd 13804 radiusd    3u  IPv4 1334215      UDP *:1812
^^
|
Name of the binary having the port opened
RE : freeradius, ldap error - HELP ME!
> But the output now is:
>
> rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = peppeska
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 0
>
> - Where is the User-Password attribute?

A good question indeed, one that should be asked to your NAS ;-)

It's up to the NAS to send User-Password, unless it is set up to do something else (for instance MSCHAP). Have you set up ppp to use mschap (require-mschap-v2 option)?

Are you using the radiusclient library? If yes, could you check that your radiusclient dictionary file includes Microsoft attributes:
* check the "dictionary path-to-dict-file" line of the /etc/radiusclient-ng/radiusclient.conf file (or /etc/radiusclient/radiusclient.conf file)
* check that the file path-to-dict-file contains a reference to other dictionary files such as:
  INCLUDE /usr/share/radiusclient-ng/dictionary.merit
  INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
* check that you have these 2 extra dictionary files (especially the microsoft one) ==> I've attached the two files

Regards,
Thibault

> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module preprocess returns ok for request 0
> modcall[authorize]: module mschap returns noop for request 0
> rlm_realm: No '@' in User-Name = peppeska, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module eap returns noop for request 0
> users: Matched entry DEFAULT at line 155
> users: Matched entry DEFAULT at line 173
> users: Matched entry DEFAULT at line 185
> modcall[authorize]: module files returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for peppeska
> radius_xlat: '(cn=peppeska)'
> radius_xlat: 'dc=example'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user peppeska authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type LDAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP for request 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute User-Password is required for authentication.
>
> - May it depend on the ppp version? Is it possible?
>
> modcall[authenticate]: module ldap returns invalid for request 0
> modcall: leaving group LDAP (returns invalid) for request 0
> auth: Failed to validate the user.
> Login incorrect: [peppeska/no User-Password attribute] (from client localhost port 0)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 65 to 127.0.0.1 port 1030
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 65 with timestamp 4600fb5f
> Nothing to do. Sleeping until we see a request.
>
> ok.. my ldap.attrmap contains:
>
> checkItem User-Password lmPassword
> checkItem LM-Password lmPassword
> checkItem NT-Password ntPassword
>
> And the ldap section in radiusd.conf contains:
>
> password_attribute = User-Password
>
> What's the problem?
RE : freeradius, ldap error - HELP ME!
-----Original Message-----
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of peppeska
Sent: Wednesday 21 March 2007 13:44
To: FreeRadius users mailing list
Subject: Re: freeradius, ldap error - HELP ME!

> Michael Mitchell wrote:
> > peppeska wrote:
> > > rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
> > >                                                                 ^^
> > > - Where is the User-Password attribute?
> > Ask the NAS.
> what?
> > In this case I have a suspicion the NAS could be radclient... How are you sending requests to freeRADIUS?
> Freeradius receives requests from pppoe-server, I try to connect to pppoe-server from a linux box

Is your pppoe-server a linux server? Is your pppoe client or pppoe server configured to use ms-chap authentication? If your pppoe server is a linux box, have you checked that the radiusclient library contains the microsoft dictionary as I described in my previous email?

Regards,
Thibault Le Meur
RE : RE : freeradius, ldap error - HELP ME!
Hi,

Very strange, I didn't get this email?

See my comments below:

> Thibault Le Meur wrote:
> > > But the output now is:
> > >
> > > rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
> > >         Service-Type = Framed-User
> > >         Framed-Protocol = PPP
> > >         User-Name = peppeska
> > >         NAS-IP-Address = 127.0.0.1
> > >         NAS-Port = 0
> > >
> > > - Where is the User-Password attribute?
> >
> > A good question indeed, one that should be asked to your NAS ;-)
> >
> > It's up to the NAS to send User-Password, unless it is set up to do something else (for instance MSCHAP). Have you set up ppp to use mschap (require-mschap-v2 option)? Are you using the radiusclient library?
>
> refuse-pap
> refuse-chap
> require-mschap
> require-mschap-v2
> require-mppe

Ok, so your NAS doesn't have to send User-Password but an MS-CHAP challenge instead: that's what I thought.

> > If yes, could you check that your radiusclient dictionary file includes Microsoft attributes:
> > * check the "dictionary path-to-dict-file" line of the /etc/radiusclient-ng/radiusclient.conf file (or /etc/radiusclient/radiusclient.conf file)
> > * check that the file path-to-dict-file contains a reference to other dictionary files such as:
> >   INCLUDE /usr/share/radiusclient-ng/dictionary.merit
> >   INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
> > * check that you have these 2 extra dictionary files (especially the microsoft one) ==> I've attached the two files
>
> in my radiusclient.conf there is:
>
> # dictionary of allowed attributes and values
> # just like in the normal RADIUS distributions
> dictionary /etc/radiusclient/dictionary
>
> and in the dictionary file:
>
> $INCLUDE /etc/radiusclient/dictionary.microsoft
> $INCLUDE /etc/radiusclient/dictionary.ascend
> $INCLUDE /etc/radiusclient/dictionary.compat
> $INCLUDE /etc/radiusclient/dictionary.merit
> $INCLUDE /usr/share/freeradius/dictionary

Don't write $INCLUDE but INCLUDE without the $: this is the syntax for radiusclient.

> But... without declaration of Default Auth-Type in the users file:
>
> rlm_ldap: user peppeska authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [peppeska/no User-Password attribute] (from client localhost port 0)
> Delaying request 0 for 1 seconds
> Finished request 0

Sure, because Auth-Type must be set to MS-CHAP (automatically, don't use Auth-Type :=): this will be the case if FR receives an MS-CHAP challenge. But this can work only if radiusclient knows the MS-CHAP Radius attributes, which is not the case for the moment (see above the INCLUDE issue).

Regards,
Thibault
RE : IP Pool management and Re-authentication
Hi Alan,

> > I'd like to patch the openvpn-radiusplugin so that an extra attribute is sent in the Access-Accept packets so that FR will be able to differentiate Initial and Renegotiation Access-Accept requests and only assign new IP addresses from the pool on Initial Access-Accept requests.
>
> I think you mean Access-Request packet.

Sorry for the mistake, I meant Access-Request of course.

> If it doesn't have a Framed-IP-Address attribute, FreeRADIUS can allocate and send one in an Access-Accept. If openvpn re-authenticates a session with an existing IP address, it should send Framed-IP-Address in the Access-Request.

If I get you right, my patch may be as easy as making radiusplugin add the Framed-IP-Address attribute in the Access-Request packet with the already assigned IP Address when it is a renegotiation.

I've patched the radiusplugin to add Framed-IP-Address to the re-auth request but rlm_ippool still allocates a new IP Address (I'm using FR 1.1.4). I can see this in radiusd -X:

modcall: entering group postauth.ovpn for request 3
rlm_ippool: Searching for an entry for nas/port: 192.168.1.1/1
rlm_ippool: Found a stale entry for ip/port: 10.1.1.1/1
rlm_ippool: num: 0
rlm_ippool: Searching for an entry for nas/port: 192.168.1.1/1
rlm_ippool: Allocating ip to nas/port: 192.168.1.1/1
rlm_ippool: num: 1
rlm_ippool: Allocated ip 10.1.1.2 to client on nas 192.168.1.1,port 1
modcall[post-auth]: module Ovpn_Main_Pool returns ok for request 3

Where:
* 192.168.1.1 is the NAS IP Address
* 10.1.1.1 is the IP address allocated at connection time
* 10.1.1.2 is the IP address allocated at re-authentication time

Maybe I didn't understand you well:
* Is rlm_ippool supposed to return NOOP if a Framed-IP-Address attribute is present in the Request?
OR
* is it up to me to bypass the rlm_ippool (by setting another Post-Auth-Type) when a Re-Auth Request is performed (that is to say when a Framed-IP-Address attribute is present in the Request)?

Thanks in advance,
Thibault
RE : RE : RE : freeradius, ldap error - HELP ME!
> > > and in the dictionary file:
> > >
> > > $INCLUDE /etc/radiusclient/dictionary.microsoft
> > > $INCLUDE /etc/radiusclient/dictionary.ascend
> > > $INCLUDE /etc/radiusclient/dictionary.compat
> > > $INCLUDE /etc/radiusclient/dictionary.merit
> > > $INCLUDE /usr/share/freeradius/dictionary
> >
> > Don't write $INCLUDE but INCLUDE without the $: this is the syntax for radiusclient.
>
> Now.. without $ the /etc/freeradius/users file now contains:
>
> DEFAULT Auth-Type = MS-CHAP
>         Fall-Through = yes

Not a good idea ;-)

> > But this can work only if radiusclient knows the MS-CHAP Radius attributes, which is not the case for the moment (see above the INCLUDE issue).
>
> Well.. I try now... and (roll of drums):
>
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
>
> NOTHING, freeradius doesn't receive requests (uff)

That's because the NAS doesn't send packets (or because you have firewall rules dropping packets, but this shouldn't be the case since you got packets in the past).

> and:
>
> debian:~# plog
> Mar 21 16:13:52 debian pppd[3885]: sent [LCP TermAck id=0x2]
> Mar 21 16:13:52 debian pppd[3885]: rcvd [LCP TermAck id=0x2]
> Mar 21 16:13:52 debian pppd[3885]: Connection terminated.
> Mar 21 16:13:52 debian pppd[3885]: Waiting for 1 child processes...
> Mar 21 16:13:52 debian pppd[3885]: script /usr/sbin/pppoe -n -I eth1 -e 2:32:c8:93:a2:15:29 -T 60 -S '', pid 3886
> Mar 21 16:13:52 debian pppd[3885]: Script /usr/sbin/pppoe -n -I eth1 -e 2:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 3886), status = 0x1
> Mar 21 16:13:52 debian pppd[3885]: Exit.
> debian:~#
>
> MMM damn! why doesn't freeradius want to work with me?

It's not a Freeradius issue, but a ppp/radiusclient issue ;-)

> P.S. without the Default Auth-Type in the users file... it's the same... If I put $INCLUDE instead of INCLUDE... it works like before...

Very strange, I've got several servers here using radiusclient with the INCLUDE syntax!!

Or may it be an issue with the dictionary files?

> $INCLUDE /usr/share/freeradius/dictionary

Avoid this one, it shouldn't be necessary.

> $INCLUDE /etc/radiusclient/dictionary.microsoft
> $INCLUDE /etc/radiusclient/dictionary.ascend
> $INCLUDE /etc/radiusclient/dictionary.compat
> $INCLUDE /etc/radiusclient/dictionary.merit

Are these dictionaries from the radiusclient distro or did you copy the dictionaries from freeradius? Please use only dictionaries from the radiusclient distribution (or try the ones I posted if you don't have them in the distro).

Let me know,
Thibault
RE : RE : IP Pool management and Re-authentication
Thibault Le Meur wrote:
> > I've patched the radiusplugin to add Framed-IP-Address to the re-auth request but rlm_ippool still allocates a new IP Address (I'm using FR 1.1.4).
>
> Ok. It seems like rlm_ippool should be updated to look for Framed-IP-Address in the request. That would be very useful, and would solve the problem you're seeing.
>
> Alan DeKok.

Do you mean updated (to 1.1.5) or patched?

I made a quick diff between rlm_ippool.c from 1.1.4 and 1.1.5 and I can't see any difference, so I think the problem I'm seeing is still present in 1.1.5.

Regards,
Thibault
RE : RE : RE : RE : freeradius, ldap error - HELP ME!
> > MMM damn! why doesn't freeradius want to work with me?
>
> It's not a Freeradius issue, but a ppp/radiusclient issue ;-)
>
> > P.S. without the Default Auth-Type in the users file... it's the same... If I put $INCLUDE instead of INCLUDE... it works like before...
>
> Very strange, I've got several servers here using radiusclient with the INCLUDE syntax!!

Very very curious, I've checked radiusclient's original code and it seems it is the $INCLUDE syntax that is the good one. So keep this one for now. I just have no clue why on my system only INCLUDE works!! Sorry for this wrong information!

Have you got new results?

Regards,
Thibault
RE : IP Pool management and Re-authentication
> I've been using OpenVPN + Ralf's Radiusplugin for several months and recently moved away from server-side IP assignment. However, while I did use it, I found that in my configuration FreeRADIUS only assigned new IPs when the accounting for that user had stopped (i.e., if it received a STOP packet).

Curious, this is not what I see here?? What is/was your FR server version?

Anyway, Alan said that a 'good NAS' should send the Framed-IP-Address in the Access-Request if it has already been assigned one: this wasn't done by radiusplugin, thus I think I'll keep the patch.

> This meant that once I'd crashed the openvpn server 3 times with users on it :-) there were many IPs which were 'lost' - their sessions had never ended, hence the IP was never returned to the pool.

Sure, this is also true for my other NASes (pppd based), but they are quite robust (I hope openvpn is/will be as robust ;-)).

> I was doing renegotiation every 20 minutes if I remember correctly, and freeradius replied with the same IP for the user time and time again.

Interesting, what could explain that mine allocates new IP addresses each time? Should rlm_ippool allocate the same IP for a NAS-IP/NAS-port couple if the entry isn't cleaned from the pool?

(Anyway, I think it's better to have FR not re-send Framed-IP-Address since it would cause a useless write to the client-config file from the radiusplugin.)

> Hence, I'm beginning to wonder if it's configuration-specific, because I didn't have any problems.

I can trust you, but I don't know where to search for a setup mistake. Does someone have an idea?

Thanks in advance,
Thibault
RE : freeradius, ldap error - HELP ME!
-----Original Message-----
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of peppeska
Sent: Wednesday 21 March 2007 18:36
To: FreeRadius users mailing list
Subject: Re: RE : RE : RE : freeradius, ldap error - HELP ME!

> Ok!!! Now I have this configuration:
>
> INCLUDE /etc/radiusclient/dictionary.microsoft
> INCLUDE /etc/radiusclient/dictionary.ascend
> INCLUDE /etc/radiusclient/dictionary.compat
> INCLUDE /etc/radiusclient/dictionary.merit
> $INCLUDE /usr/share/freeradius/dictionary

Very Very Very Weird. I'm curious about one thing: when you remove the last $INCLUDE line, does it work as described below?

I'm also wondering why only the INCLUDE statement works, unless the radiusclient code uses a hardcoded $INCLUDE strncmp in dict.c.

Alan, I thought there was a plan to have radiusclient hosted at freeradius.org so that it will benefit from Freeradius development: is it still a plan?

> And... (same roll of drums)
>
> rad_recv: Access-Request packet from host 127.0.0.1:1028, id=40, length=136
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = peppeska
>         MS-CHAP-Challenge = 0x2b05b4344fc7309510ee443fac5c90bf
>         MS-CHAP2-Response = 0x05006a01dac8d579188fab13d4f5b10524c274aba52270d19850e5169d1e6410fe36c608d63ff061a401
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 0

Better,

> Sending Access-Accept of id 40 to 127.0.0.1 port 1028
>         Framed-IP-Address = 255.255.255.254
>         Framed-MTU = 576
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Framed-Compression = Van-Jacobson-TCP-IP
>         MS-CHAP2-Success = 0x05533d4638413436383038343733323138354344333539453836393339463645323432363332373143
>         MS-MPPE-Recv-Key = 0xeb3b2b7a46dfff70bdee5eb89a755804
>         MS-MPPE-Send-Key = 0xe0d003c9754115e0063f7f832015f1c6
>         MS-MPPE-Encryption-Policy = 0x0002
>         MS-MPPE-Encryption-Types = 0x0004

Ok, you're done with Freeradius.

> Well! it works! or not?

As far as Freeradius is concerned, yes.

> because.. this is the pppoe-server log:
>
> debian:~# plog
> Mar 21 18:33:54 debian pppd[4306]: sent [LCP TermAck id=0x2]
> Mar 21 18:33:54 debian pppd[4306]: rcvd [LCP TermAck id=0x2]
> Mar 21 18:33:54 debian pppd[4306]: Connection terminated.
> Mar 21 18:33:54 debian pppd[4306]: Waiting for 1 child processes...
> Mar 21 18:33:54 debian pppd[4306]: script /usr/sbin/pppoe -n -I eth1 -e 5:32:c8:93:a2:15:29 -T 60 -S '', pid 4307
> Mar 21 18:33:55 debian pppd[4306]: Script /usr/sbin/pppoe -n -I eth1 -e 5:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 4307), status = 0x1
> Mar 21 18:33:55 debian pppd[4306]: Exit.
> debian:~#
>
> boh!! I really don't know why...

Just a question: who is supposed to assign the IP address: Freeradius in the Framed-IP-Address attribute or your pppoe server?

Regards,
Thibault
Re: RE : RE : RE : freeradius, ldap error - HELP ME!
> but plog:
>
> [EMAIL PROTECTED]:/home/peppeska# plog
> Mar 21 19:21:18 applejack pppd[18527]: Plugin rp-pppoe.so loaded.
> Mar 21 19:21:18 applejack pppd[18529]: pppd 2.4.4 started by root, uid 0
> Mar 21 19:21:19 applejack pppd[18529]: PPP session is 6
> Mar 21 19:21:19 applejack pppd[18529]: Using interface ppp0
> Mar 21 19:21:19 applejack pppd[18529]: Connect: ppp0 -- tap1
> Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:
> Mar 21 19:21:41 applejack pppd[18529]: CHAP authentication failed
> Mar 21 19:21:41 applejack pppd[18529]: Connection terminated.
> [EMAIL PROTECTED]:/home/peppeska# poff
>
> UFFA!!! I promise that I'll send a Cassata Siciliana to whoever resolves my problem...

plog may not be enough: could you check /var/log/messages?

Moreover, what dictionary.microsoft file are you using? Maybe it is lacking some attributes and radiusclient doesn't understand them. If you're not using the one I posted today, could you test with this one instead?

Thibault
RE : freeradius, ldap error - HELP ME!
-----Original Message-----
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of peppeska
Sent: Tuesday 20 March 2007 10:34
To: FreeRadius users mailing list
Subject: freeradius, ldap error - HELP ME!

> Please freeradius users... HELP ME!
>
> So, I use a pppoe-freeradius-ldap system to give access to and authenticate users.. but something goes wrong.. and when I try to connect this error appears... what's wrong in my configuration? Look at this! This is the freeradius output:
>
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
> rlm_ldap: no dialupAccess attribute - access denied by default

Comment this line in your ldap section of radiusd.conf:

# access_attr = dialupAccess

HTH,
Thibault
RE: RE: freeradius, ldap error - HELP ME!
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to localhost:389, authentication 0
>> rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
>> rlm_ldap: no dialupAccess attribute - access denied by default
>
> Comment this line in your ldap section of radiusd.conf:
>
> # access_attr = dialupAccess

And comment this one too, like this:

# access_attr_used_for_allow = yes

HTH,
Thibault
IP Pool management and Re-authentication
Hi,

I'm using a system (openvpn) with 'radiusplugin' to let FR authenticate users and manage IP pools.

Openvpn sometimes needs to renegotiate the connections and thus sends authentication requests while the connection is still active (with an already assigned IP address): this causes FR to assign a new IP address from the pool (which seems normal since FR has no way to know this is a renegotiation).

I'd like to patch the openvpn-radiusplugin so that an extra attribute is sent in the Access-Accept packets so that FR will be able to differentiate Initial and Renegotiation Access-Accept requests and only assign a new IP address from the pool on Initial Access-Accept requests.

Do you know a standard Radius attribute that could be used for this? As far as you know, are there other NASes using such a quirk? Does this make sense?

Thanks in advance,
Thibault
RE: IP Pool management and Re-authentication
Thanks for your reply,

> Thibault Le Meur wrote:
>> Openvpn sometimes needs to renegotiate the connections and thus sends authentication requests while the connection is still active (with an already assigned IP address): this causes FR to assign a new IP address from the pool (which seems normal since FR has no way to know this is a renegotiation).
>
> So why isn't the radiusplugin telling FreeRADIUS what the old IP address was?

Because it's still beta ;-), I can fix this.

>> I'd like to patch the openvpn-radiusplugin so that an extra attribute is sent in the Access-Accept packets so that FR will be able to differentiate Initial and Renegotiation Access-Accept requests and only assign a new IP address from the pool on Initial Access-Accept requests.
>
> I think you mean Access-Request packet.

Sorry for the mistake, I meant Access-Request of course.

> If it doesn't have a Framed-IP-Address attribute, FreeRADIUS can allocate and send one in an Access-Accept. If openvpn re-authenticates a session with an existing IP address, it should send Framed-IP-Address in the Access-Request.

If I get you right, my patch may be as easy as making radiusplugin add the Framed-IP-Address attribute to the Access-Request packet with the already assigned IP address when it is a renegotiation.

Thanks a lot Alan.

Regards,
Thibault
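The allocation policy Alan describes above (allocate only when the Access-Request carries no Framed-IP-Address, re-use the address it names otherwise) has one check a practitioner will want added: the address a NAS names is a claim, and the pool must confirm that the lease really belongs to that user on that NAS before handing it back. The following is an added example written for this page, not code from the OpenVPN radiusplugin or from FreeRADIUS's pool modules. The lease table, the (User-Name, NAS-IP-Address) ownership key, the Accounting-Stop release and the CIDR block are assumptions of the example.

```python
# Added example, not radiusplugin or FreeRADIUS code: a toy lease table that
# allocates on an initial Access-Request and, on a renegotiation, re-uses the
# Framed-IP-Address only if that lease belongs to the same user on the same NAS.
import ipaddress


class Pool:
    """Addresses come from one CIDR block; a lease records who holds an IP.
    Keying a lease by (User-Name, NAS-IP-Address) is this example's assumption."""

    def __init__(self, cidr):
        self.free = [str(host) for host in ipaddress.ip_network(cidr).hosts()]
        self.leases = {}  # ip -> (user, nas_ip)

    def allocate(self, request):
        """Return the Framed-IP-Address to put in the Access-Accept."""
        owner = (request["User-Name"], request["NAS-IP-Address"])
        claimed = request.get("Framed-IP-Address")
        if claimed is None:
            # Initial request: hand out the next free address.
            if not self.free:
                raise RuntimeError("pool exhausted")
            ip = self.free.pop(0)
            self.leases[ip] = owner
            return ip
        # Renegotiation: the NAS says which address the session already has.
        # Verify the claim instead of trusting it, so another user (or a
        # misbehaving NAS) cannot take over someone else's lease by naming it.
        if self.leases.get(claimed) != owner:
            raise PermissionError("%s is not leased to %s on %s" % ((claimed,) + owner))
        return claimed

    def release(self, request):
        """Assumed trigger: Accounting-Stop. Free the address if the owner matches."""
        owner = (request["User-Name"], request["NAS-IP-Address"])
        ip = request["Framed-IP-Address"]
        if self.leases.get(ip) == owner:
            del self.leases[ip]
            self.free.append(ip)
            return True
        return False
```

A renegotiation that passes the check consumes nothing from the pool, which is the behaviour the thread is after; a claim on an address leased to someone else is refused rather than silently honoured.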
RE: EAP-TTLS outer identity accounting
-----Original Message-----
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of Sam Schultz
Sent: Wednesday, 14 March 2007 17:13
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP-TTLS outer identity accounting

> On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok [EMAIL PROTECTED] wrote:
>> Sam Schultz wrote:
>>> This should be solvable by adding something like 'User-Name = %{User-Name}' to the DEFAULT entries in the users file, correct?
>>
>> Yes.
>
> One of my users file DEFAULT entries looks like this:
>
> DEFAULT Realm == test, Autz-Type := sql-test, User-Name = %u
>
> However, FreeRADIUS tells me this:
>
> Error: Invalid operator for item User-Name: reverting to '=='
>
> I assume I'm not supposed to forcibly change User-Name, so what attribute would I set to return the correct username to the NAS? I know there is a run-time variable %{reply:User-Name}, would I need to somehow update it with the correct value for User-Name instead?

Yes, by simply adding the User-Name = XXX to the reply items (that is to say, not on the first line). Try something like this:

DEFAULT Realm == test, Autz-Type := sql-test
        User-Name = `%{User-Name}`

HTH,
Thibault
RE: ldap groups + freeradius
> Hi,
> I have 4 NAS-IP-Addresses. My users are split into 6 groups (some are in multiple groups): public, faculty, staff, student, vpn, and admin. I would like the users to get access to the NAS by virtue of being in a group.
>
> 192.168.1.1 admin
> 192.168.1.2 vpn
> 192.168.1.3
> 192.168.1.4 faculty, staff, student public

To make groups of NASes use the huntgroups file, for instance:

firstnas    NAS-IP-Address == 192.168.1.1
...
lastnas     NAS-IP-Address == 192.168.1.3
lastnas     NAS-IP-Address == 192.168.1.4

Then define your LDAP server in radiusd.conf.

Then use the users file to write your rules, such as:

DEFAULT Huntgroup-Name == firstnas, Ldap-Group == admin
        Reply-Message = XXX
        Fall-Through = no

For more info see:
/usr/share/doc/freeradius/rlm_ldap
/usr/share/doc/freeradius/ldap_howto.txt

HTH,
Thibault
RE: New to FreeRadius, having a small issue
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] .org] On behalf of Marc Hultquist
Sent: Tuesday, 20 February 2007 10:38
To: freeradius-users@lists.freeradius.org
Subject: New to FreeRadius, having a small issue

> Hey Everyone,
>
> I am new to freeradius, and when receiving an auth request to the server, in the /var/log/radius/radiusd.log file, I get the following line whenever the auth request comes through.
>
> Mon Feb 19 12:29:46 2007 : Error: Invalid operator for item User-Password: reverting to '=='

You probably use User-Password = XXX in your users file instead of User-Password == XXX

See http://wiki.freeradius.org/Operators

By the way, have a look in /usr/(local)/share/doc/freeradius/, several files give explanations: begin with aaa.txt and processing_users_file (if using the files module).

HTH,
Thibault
RE: Setting up a VPN server with pptp and RADIUS for all sorts of clients
> I didn't mean a mistake, but was wondering if my radiusclient had a wrong mapping, that requests NT-password instead of User-password (as an example).
> Here is the output from the radius server:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1050, id=109, length=152
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = test
>         MS-CHAP-Challenge = 0x68ac020b69febf7f1cf6338a1ed1c218
>         MS-CHAP2-Response = 0x0800e2f1b3176070ca65916fe24cce80d27147f1823b3c33996107424059c73866a135b07e51e08c2f4a
>         Calling-Station-Id = yyy.yyy.yyy.yyy
>         NAS-IP-Address = xxx.xxx.xxx.xxx
>         NAS-Port = 0
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> radius_xlat:  '/var/log/radius/radacct//detail-07022007'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%d%m%Y expands to /var/log/radius/radacct//detail-07022007
>   modcall[authorize]: module "detail" returns ok for request 0
>   modcall[authorize]: module "attr_filter" returns noop for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>   modcall[authorize]: module "mschap" returns ok for request 0
>     rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>     rlm_realm: Found realm "NULL"
>     rlm_realm: Adding Stripped-User-Name = "test"
>     rlm_realm: Proxying request from user dupontd to realm NULL
>     rlm_realm: Adding Realm = "NULL"
>     rlm_realm: Authentication realm is LOCAL.
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>   modcall[authorize]: module "files" returns notfound for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for test
> radius_xlat:  '(|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=test)(ulhcharte=TRUE)))'
> radius_xlat:  'dc=univ-lehavre,dc=fr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to zzz.zzz.zzz.zzz:389, authentication 0
> rlm_ldap: setting TLS CACert File to /etc/ssl/certs/cachain.txt
> rlm_ldap: setting TLS CACert Directory to /etc/ssl/certs/
> rlm_ldap: setting TLS Require Cert to demand
> rlm_ldap: starting TLS
> rlm_ldap: bind as / to ducati.univ-lehavre.fr:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=univ-lehavre,dc=fr, with filter (|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=test)(ulhcharte=TRUE)))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value 13 & op=11
> rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 & op=11
> rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 40 & op=11
> rlm_ldap: Adding eduPersonPrimaryAffiliation as Class, value member & op=11
> rlm_ldap: Adding ulhcharte as Filter-Id, value TRUE & op=11
> rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=11

You see nothing like "Adding userPassword" here. For instance you could have something like:

rlm_ldap: Added password
rlm_ldap: Adding myldapNTPassword

Could the freeradius admin check:
* the ldap {} section: see the "password_attribute =" line (till FR 1.1.4)
* the mapping in ldap.attrmap

> rad_check_password:  Found Auth-Type MS-CHAP
> auth: type "MS-CHAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 0
>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password
>   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

How are your passwords stored in the LDAP directory: in clear text, MD5-hashed, SHA-hashed, NTLM-hashed? What LDAP attribute(s) are used to store your password(s)?

Thibault
RE: 802.1x + freeradius authentication problem
> Alan,
>
> Thanks for your response. We have tried to configure ttls as you suggested in your mail. Unfortunately we have not succeeded. To make things easier, we have tried to set up a completely new configuration, with just one local user called "test". Our Windows XP client is now using SecureW2 (with EAP-TTLS/PAP). We attach the connection log. We see the 'negotiation' messages, but no sign of Success at the end (nor a wireless connection, of course). Any ideas?

I only gave a quick look at the debug log... As a SecureW2 user myself I would first check if this is not a certificate verification issue on the client side (because I suspect the EAP-TLS connection to have been interrupted by the client).

Can you:
* make a test with "verify server certificate" disabled on SecureW2
* if this changes the debug log: make sure you have correctly installed your CA's certificate in the HOST certificate store on Windows XP, and also check the server name you gave to SecureW2 (it should match your radius server's CN).

Let me know,
Thibault
Re: freeradius, pap, and HP wireless edge services module
> At this time, I did a radiusd -X and saw the debug information scroll across the screen, sitting at "ready to process requests"... However, no requests are coming in. I am attempting this by connecting from

You say it yourself: no request reaches the Radius server. I propose to check if the internal linux firewall isn't blocking incoming packets.

First try to disable the firewall:

/etc/init.d/iptables stop

Then test the authentication again. If it works, reconfigure your firewall: it must accept incoming requests to UDP ports 1812 and 1813.

HTH,
Thibault
RE: A couple of questions PoPToP+FreeRadius+IAS
> 2. Radius does not understand some attributes from client.
> a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received unknown attribute 25 of length 30: 0x333B0427013700010A1701C735C490B2116B014C
> b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service type 4 for user21
> But I know that these are
>     VALUE Service-Type Dialback-Framed-User 4
> and
>     ATTRIBUTE MS-CHAP2-Response 25 octets
> as they are written in the dictionary file.

There must be a mistake in your /etc/radiusclient/dictionary file. Check that you use an 'INCLUDE /etc/radiusclient/dictionary.microsoft' line and not a '$INCLUDE /etc/radiusclient/dictionary.microsoft'. Also check the permissions on the dictionary files.

HTH,
Thibault
RE: RE: A couple of questions PoPToP+FreeRadius+IAS
> It seems there are no mistakes in the dictionary file. It is the standard one from the RH distribution. BTW, freeradius uses $INCLUDE, not INCLUDE as you advised. With INCLUDE you will see something like
> --
> Wed Jan 17 14:48:41 2007 : Error: Errors reading dictionary: dict_init: /etc/raddb/dictionary[14] invalid keyword "INCLUDE"
> --

I'm talking about the radiusclient library's dictionaries, not the Freeradius ones: the ones that can be found on your PopTop server, not the Freeradius server. Look at the path I wrote: it's not /etc/raddb/dictionary, but /etc/radiusclient/dictionary.

The issue here is that the radiusclient package doesn't come with the necessary dictionaries. So check on your PopTop server that /etc/radiusclient/dictionary contains an 'INCLUDE' and not a '$INCLUDE' for the dictionary.microsoft file.

HTH,
Thibault
RE: A couple of questions PoPToP+FreeRadius+IAS
-----Original Message-----
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of Marxy
Sent: Wednesday, 17 January 2007 14:39
To: freeradius-users@lists.freeradius.org
Subject: Re: A couple of questions PoPToP+FreeRadius+IAS

> Alan DeKok-4 wrote:
>> Marxy wrote:
>>> 1. Accounting of Calling-station-id returns only the first 4 characters of the user's IP address.
>>
>> If that's what the RADIUS client is sending, then the only solution is to fix the client so it sends the correct information.
>
> My radius client is the standard radiusclient software. But it seems there are no settings for that in its /etc/radiusclient/radiusclient.conf
>
> Alan DeKok-4 wrote:
>>> 2. Radius does not understand some attributes from client.
>>> a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received unknown attribute 25 of length 30:
>>
>> The client doesn't understand the response of the server. Again, the only solution is to fix the client.
>
> Yes. You are quite right. I added the missing attributes to the radiusclient dictionary file.
>
> ATTRIBUTE MS-CHAP2-Response 25 string
> ATTRIBUTE Acct-Input-Packets 47 integer
> ATTRIBUTE Acct-Output-Packets 48 integer

It might not be enough. Could you check this post and give it a try?

http://lists.freeradius.org/pipermail/freeradius-users/2007-January/059299.html

Thibault
RE: One question about Access-Request packet
> Hi, I have one question:
> Why, when I try to authenticate with a laptop over wifi through a Linksys, does it send this request:
>
> rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=119
>         User-Name = rka
>         NAS-IP-Address = 192.168.1.245
>         Called-Station-Id = 001217694588
>         Calling-Station-Id = 0014a41e7112
>         NAS-Identifier = 001217694588
>         NAS-Port = 61
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x0201000801726b61
>         Message-Authenticator = 0x794e9d729e673a6c41b875855ae5a464
>
> A request without User-Password - and that is a problem for auth.

This is normal because it is an EAP authentication request: so this is not a problem for authentication as long as you have enabled and configured EAP in the freeradius configuration (see eap.conf).

Thibault
RE: RE: RE: Problem with Freeradius+LDAP+wifi
> Could you post this file? I have only:
>
> eap {
>         default_eap_type = tls
>         tls {
>                 tls_cacertfile = /etc/freeradius/cert/ca.pem
>                 tls_certfile = /etc/freeradius/cert/radius.crt
>                 tls_keyfile = /etc/freeradius/cert/radius.key
>         }
> }

You're lacking the peap sub part:

        peap {
                # The tunneled EAP session needs a default
                # EAP type which is separate from the one for
                # the non-tunneled EAP module. Inside of the
                # PEAP tunnel, we recommend using MS-CHAPv2,
                # as that is the default type supported by
                # Windows clients.
                default_eap_type = mschapv2

                # the PEAP module also has these configuration
                # items, which are the same as for TTLS.
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes

                # When the tunneled session is proxied, the
                # home server may not understand EAP-MSCHAP-V2.
                # Set this entry to "no" to proxy the tunneled
                # EAP-MSCHAP-V2 as normal MSCHAPv2.
                # proxy_tunneled_request_as_eap = yes
        }

Why have you deleted this entry? When you don't want to use a feature, just comment the section out: it'll make it easier to update the configuration in the future.

> BR,
> Rafal Kaminski

HTH,
Thibault
RE: New Thread: EAP for Cisco AP.
> But, I don't completely understand PEAP, and how it relates to MS-CHAP v2.

PEAP first establishes a TLS tunnel (and thus uses the freeradius eap 'tls' module). Then a new request is sent protected by this TLS tunnel. This inner request can be based on ms-chapv2 or another EAP method.

> I want to try to use PEAP to secure my network. Here is my current eap.conf
>
> eap {
>         default_eap_type = peap
>         timer_expire = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = no
>         md5 {
>         }
>         leap {
>         }
>         gtc {
>                 auth_type = PAP
>         }
>         tls {
>                 private_key_password = whatever
>                 private_key_file = ${raddbdir}/certs/cert-srv.pem
>                 certificate_file = ${raddbdir}/certs/cert-srv.pem
>                 CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>                 dh_file = ${raddbdir}/certs/dh
>                 random_file = /dev/urandom
>         }

Take care to set up the freeradius certificate/private key, because it will be used to establish the first TLS tunnel. Also take care to install the cacert in the client certificate store.

>         peap {
>                 default_eap_type = mschapv2
>         }
>         mschapv2 {
>         }
> }
>
> I have eap in authenticate and authorize. What else do I need to do, and are there more dictionaries?

Should be enough for the Freeradius part (I suppose you have defined your APs in the clients.conf file). Configure the radius parameters in your AP and set up the PEAP client to check the freeradius server's name and certificate, to be protected from man-in-the-middle attacks.

Thibault
RE: Problem with Freeradius+LDAP+wifi
> authorize (returns ok) for request 2
> Mon Jan 15 13:39:00 2007 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting

Is 'eap' listed in your authorize section? It should be, since this is an EAP request and Freeradius needs a way to set Auth-Type to EAP to proceed.

Thibault
RE: FreeRadius IRC...
> The issue is, I've done everything a semi-competent Linux user with critical thinking skills should do. I've been methodical, disciplined and persistent. Yet still, I cannot succeed at this. This will make my University Career look bad. I just think I could use another pair of eyes, maybe I missed something. I feel like Edward Elric searching for the Philosopher's stone.

I posted an idea and you decided not to reply to my questions!

I suspect that your VPN server doesn't know the Microsoft Radius attributes and refuses to send them to the radius server. I've tested a bad setup (lack of Microsoft radius dictionary), and I get the same radiusd -X debug log: no MS-CHAP Challenge in the request...

I asked: have you checked possible error messages in /var/log/messages on the vpn server? To be more specific, look for the following lines in your log file:

rc_avpair_new: unknown attribute

If you see such lines it might be that your radiusclient library (used by the PPPd plugin on your VPN server) doesn't understand the Microsoft attributes (for instance the MS-CHAP Challenge). Thus, the PPPd radius plugin doesn't send these attributes, which are required for Freeradius to do MS-CHAP authentication.

Could you really check that your dictionary file on the VPN server side contains a line like:

INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft

and check the content of this file...

HTH,
Thibault
Re: FreeRadius IRC...
----- Message from [EMAIL PROTECTED] -----
Date: Sat, 13 Jan 2007 16:55:50 -0500
From: Evan Vittitow [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: FreeRadius IRC...
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

>> I posted an idea and you decided not to reply to my questions!
>>
>> I suspect that your VPN server doesn't know the Microsoft Radius attributes and refuses to send them to the radius server. I've tested a bad setup (lack of Microsoft radius dictionary), and I get the same radiusd -X debug log: no MS-CHAP Challenge in the request...
>
> I've ensured that /etc/radiusclient/ and /etc/raddb have the same dictionary. (dictionary and dictionary.microsoft.)
>
>> I asked: have you checked possible error messages in /var/log/messages on the vpn server? To be more specific, look for the following lines in your log file:
>>
>> rc_avpair_new: unknown attribute
>
> No such error messages appear on my Radius Server.

This error is to be seen on the PPPd server, not on the Freeradius server. It is an error from the PPPd radius plugin (in fact the radiusclient library).

> I had them once when I tried to change the dictionary to the one in /usr/share/freeradius, but I imported the official dictionary.microsoft one and they went away.

Curious, I never had to change the microsoft dictionary from the official Freeradius distribution!!!

>> If you see such lines it might be that your radiusclient library (used by the PPPd plugin on your VPN server) doesn't understand the Microsoft attributes (for instance the MS-CHAP Challenge). Thus, the PPPd radius plugin doesn't send these attributes, which are required for Freeradius to do MS-CHAP authentication.
>>
>> Could you really check that your dictionary file on the VPN server side contains a line like:
>>
>> INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
>>
>> and check the content of this file...
>>
>> HTH,
>> Thibault
>
> I found a possible culprit.
>
> Jan 13 16:54:41 kurama pppd[11364]: rc_avpair_new: unknown attribute 11
> Jan 13 16:54:41 kurama pppd[11364]: rc_avpair_new: unknown attribute 25

This is not a possible culprit: this IS THE CULPRIT, and it confirms my diagnosis.

On your PPPd server, you have to:
* add a dictionary.microsoft file to the radiusclient dictionary directory (/etc/radiusclient or /usr/share/radiusclient-ng depending on your distro).
* modify the dictionary file in this directory to INCLUDE this file (see below).

Then your authentication should work fine.

Let me know...
Thibault
Re: My Dictionaries seem corrupted
> Working Dictionaries requested. Anyone with known working dictionaries?

Please stop changing the thread, it's hard to follow.

About your PPPd+Radius+MS-CHAP issue:
* On the freeradius server, get back to the standard dictionary files (in case you have modified them).
* On the VPN (PopTop) server:
  - create the dictionary.microsoft and dictionary.merit files attached in your /etc/radiusclient directory
  - chmod them 644 so that any user can read them
  - check that you have 2 INCLUDE lines that point to these files at the end of the main /etc/radiusclient/dictionary file

HTH,
Thibault

#
# Microsoft's VSA's, from RFC 2548
#
# $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
#

VENDOR          Microsoft       311     Microsoft

ATTRIBUTE       MS-CHAP-Response                1       string  Microsoft
ATTRIBUTE       MS-CHAP-Error                   2       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-1                   3       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-2                   4       string  Microsoft
ATTRIBUTE       MS-CHAP-LM-Enc-PW               5       string  Microsoft
ATTRIBUTE       MS-CHAP-NT-Enc-PW               6       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Policy       7       string  Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE       MS-MPPE-Encryption-Type         8       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Types        8       string  Microsoft
ATTRIBUTE       MS-RAS-Vendor                   9       integer Microsoft
ATTRIBUTE       MS-CHAP-Domain                  10      string  Microsoft
ATTRIBUTE       MS-CHAP-Challenge               11      string  Microsoft
ATTRIBUTE       MS-CHAP-MPPE-Keys               12      string  Microsoft
ATTRIBUTE       MS-BAP-Usage                    13      integer Microsoft
ATTRIBUTE       MS-Link-Utilization-Threshold   14      integer Microsoft
ATTRIBUTE       MS-Link-Drop-Time-Limit         15      integer Microsoft
ATTRIBUTE       MS-MPPE-Send-Key                16      string  Microsoft
ATTRIBUTE       MS-MPPE-Recv-Key                17      string  Microsoft
ATTRIBUTE       MS-RAS-Version                  18      string  Microsoft
ATTRIBUTE       MS-Old-ARAP-Password            19      string  Microsoft
ATTRIBUTE       MS-New-ARAP-Password            20      string  Microsoft
ATTRIBUTE       MS-ARAP-PW-Change-Reason        21      integer Microsoft
ATTRIBUTE       MS-Filter                       22      string  Microsoft
ATTRIBUTE       MS-Acct-Auth-Type               23      integer Microsoft
ATTRIBUTE       MS-Acct-EAP-Type                24      integer Microsoft
ATTRIBUTE       MS-CHAP2-Response               25      string  Microsoft
ATTRIBUTE       MS-CHAP2-Success                26      string  Microsoft
ATTRIBUTE       MS-CHAP2-CPW                    27      string  Microsoft
ATTRIBUTE       MS-Primary-DNS-Server           28      ipaddr  Microsoft
ATTRIBUTE       MS-Secondary-DNS-Server         29      ipaddr  Microsoft
ATTRIBUTE       MS-Primary-NBNS-Server          30      ipaddr  Microsoft
ATTRIBUTE       MS-Secondary-NBNS-Server        31      ipaddr  Microsoft
#ATTRIBUTE      MS-ARAP-Challenge               33      string  Microsoft

#
# Integer Translations
#

# MS-BAP-Usage Values
VALUE   MS-BAP-Usage                    Not-Allowed                     0
VALUE   MS-BAP-Usage                    Allowed                         1
VALUE   MS-BAP-Usage                    Required                        2

# MS-ARAP-Password-Change-Reason Values
VALUE   MS-ARAP-PW-Change-Reason        Just-Change-Password            1
VALUE   MS-ARAP-PW-Change-Reason        Expired-Password                2
VALUE   MS-ARAP-PW-Change-Reason        Admin-Requires-Password-Change  3
VALUE   MS-ARAP-PW-Change-Reason        Password-Too-Short              4

# MS-Acct-Auth-Type Values
VALUE   MS-Acct-Auth-Type               PAP                             1
VALUE   MS-Acct-Auth-Type               CHAP                            2
VALUE   MS-Acct-Auth-Type               MS-CHAP-1                       3
VALUE   MS-Acct-Auth-Type               MS-CHAP-2                       4
VALUE   MS-Acct-Auth-Type               EAP                             5

# MS-Acct-EAP-Type Values
VALUE   MS-Acct-EAP-Type                MD5                             4
VALUE   MS-Acct-EAP-Type                OTP                             5
VALUE   MS-Acct-EAP-Type                Generic-Token-Card              6
VALUE   MS-Acct-EAP-Type                TLS                             13

#
# Experimental extensions, configuration only (for check-items)
# Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE       NAS-Identifier                  32      string
ATTRIBUTE       Proxy-State                     33      string
ATTRIBUTE       Login-LAT-Service               34      string
ATTRIBUTE       Login-LAT-Node                  35      string
ATTRIBUTE       Login-LAT-Group                 36      string
ATTRIBUTE       Framed-AppleTalk-Link           37      integer
ATTRIBUTE       Framed-AppleTalk-Network        38      integer
ATTRIBUTE       Framed-AppleTalk-Zone           39      string
ATTRIBUTE       Acct-Input-Packets              47      integer
ATTRIBUTE       Acct-Output-Packets             48      integer

# 8 is a MERIT extension.
VALUE Service-Type
Re: My PPTP+802.1X+MS-CHAP+EAP+OpenLDAP+MySQL Project.
> Hi,
> The issue with the VPNs is that even though client-side PPP uses MS-CHAP, FreeRadius is causing pppd to think it's authenticating normal CHAP.
>
> Jan 9 03:09:00 kurama pppd[12373]: Peer User failed CHAP authentication
>
> rlm_mschap: Found LM-Password
> rlm_mschap: Found NT-Password
> rlm_mschap: No MS-CHAP-Challenge in the request
>
> Now, the server works fine when I turn off the Radius plugin and enter stuff in the chap-secrets. This is the output of radiusd -fX

Humm... have you checked possible error messages in /var/log/messages (where pppd and the radius plugin output by default)?

I remember I had an equivalent problem once... could you check that your radiusclient on the VPN side has got the dictionary.microsoft file in its dictionary directory?

#
# Microsoft's VSA's, from RFC 2548
#
# $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
#

VENDOR          Microsoft       311     Microsoft

ATTRIBUTE       MS-CHAP-Response                1       string  Microsoft
ATTRIBUTE       MS-CHAP-Error                   2       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-1                   3       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-2                   4       string  Microsoft
ATTRIBUTE       MS-CHAP-LM-Enc-PW               5       string  Microsoft
ATTRIBUTE       MS-CHAP-NT-Enc-PW               6       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Policy       7       string  Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE       MS-MPPE-Encryption-Type         8       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Types        8       string  Microsoft
ATTRIBUTE       MS-RAS-Vendor                   9       integer Microsoft
ATTRIBUTE       MS-CHAP-Domain                  10      string  Microsoft
ATTRIBUTE       MS-CHAP-Challenge               11      string  Microsoft
ATTRIBUTE       MS-CHAP-MPPE-Keys               12      string  Microsoft
ATTRIBUTE       MS-BAP-Usage                    13      integer Microsoft
ATTRIBUTE       MS-Link-Utilization-Threshold   14      integer Microsoft
ATTRIBUTE       MS-Link-Drop-Time-Limit         15      integer Microsoft
ATTRIBUTE       MS-MPPE-Send-Key                16      string  Microsoft
ATTRIBUTE       MS-MPPE-Recv-Key                17      string  Microsoft
ATTRIBUTE       MS-RAS-Version                  18      string  Microsoft
ATTRIBUTE       MS-Old-ARAP-Password            19      string  Microsoft
ATTRIBUTE       MS-New-ARAP-Password            20      string  Microsoft
ATTRIBUTE       MS-ARAP-PW-Change-Reason        21      integer Microsoft
ATTRIBUTE       MS-Filter                       22      string  Microsoft
ATTRIBUTE       MS-Acct-Auth-Type               23      integer Microsoft
ATTRIBUTE       MS-Acct-EAP-Type                24      integer Microsoft
ATTRIBUTE       MS-CHAP2-Response               25      string  Microsoft
ATTRIBUTE       MS-CHAP2-Success                26      string  Microsoft
ATTRIBUTE       MS-CHAP2-CPW                    27      string  Microsoft
ATTRIBUTE       MS-Primary-DNS-Server           28      ipaddr  Microsoft
ATTRIBUTE       MS-Secondary-DNS-Server         29      ipaddr  Microsoft
ATTRIBUTE       MS-Primary-NBNS-Server          30      ipaddr  Microsoft
ATTRIBUTE       MS-Secondary-NBNS-Server        31      ipaddr  Microsoft
#ATTRIBUTE      MS-ARAP-Challenge               33      string  Microsoft

#
# Integer Translations
#

# MS-BAP-Usage Values
VALUE   MS-BAP-Usage                    Not-Allowed                     0
VALUE   MS-BAP-Usage                    Allowed                         1
VALUE   MS-BAP-Usage                    Required                        2

# MS-ARAP-Password-Change-Reason Values
VALUE   MS-ARAP-PW-Change-Reason        Just-Change-Password            1
VALUE   MS-ARAP-PW-Change-Reason        Expired-Password                2
VALUE   MS-ARAP-PW-Change-Reason        Admin-Requires-Password-Change  3
VALUE   MS-ARAP-PW-Change-Reason        Password-Too-Short              4

# MS-Acct-Auth-Type Values
VALUE   MS-Acct-Auth-Type               PAP                             1
VALUE   MS-Acct-Auth-Type               CHAP                            2
VALUE   MS-Acct-Auth-Type               MS-CHAP-1                       3
VALUE   MS-Acct-Auth-Type               MS-CHAP-2                       4
VALUE   MS-Acct-Auth-Type               EAP                             5

# MS-Acct-EAP-Type Values
VALUE   MS-Acct-EAP-Type                MD5                             4
VALUE   MS-Acct-EAP-Type                OTP                             5
VALUE   MS-Acct-EAP-Type                Generic-Token-Card              6
VALUE   MS-Acct-EAP-Type                TLS                             13
Re: My PPTP+802.1X+MS-CHAP+EAP+OpenLDAP+MySQL Project.
Hi,

The issue with the VPNs is that even though the client-side PPP uses MS-CHAP, FreeRadius is causing pppd to think it's authenticating normal CHAP.

    Jan 9 03:09:00 kurama pppd[12373]: Peer User failed CHAP authentication
    rlm_mschap: Found LM-Password
    rlm_mschap: Found NT-Password
    rlm_mschap: No MS-CHAP-Challenge in the request

Now, the server works fine when I turn off the Radius plugin and enter stuff in the chap-secrets. This is the output of radiusd -fX

Humm... have you checked possible error messages in /var/log/messages (where pppd and the radius plugin output by default)?

I remember I had an equivalent problem once... could you check that your radiusclient on the VPN side has got the dictionary.microsoft file in its dictionary directory?

    #
    # Microsoft's VSA's, from RFC 2548
    #
    # $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
    #

    VENDOR          Microsoft       311     Microsoft

    ATTRIBUTE       MS-CHAP-Response                1       string  Microsoft
    ATTRIBUTE       MS-CHAP-Error                   2       string  Microsoft
    ATTRIBUTE       MS-CHAP-CPW-1                   3       string  Microsoft
    ATTRIBUTE       MS-CHAP-CPW-2                   4       string  Microsoft
    ATTRIBUTE       MS-CHAP-LM-Enc-PW               5       string  Microsoft
    ATTRIBUTE       MS-CHAP-NT-Enc-PW               6       string  Microsoft
    ATTRIBUTE       MS-MPPE-Encryption-Policy       7       string  Microsoft
    # This is referred to as both singular and plural in the RFC.
    # Plural seems to make more sense.
    ATTRIBUTE       MS-MPPE-Encryption-Type         8       string  Microsoft
    ATTRIBUTE       MS-MPPE-Encryption-Types        8       string  Microsoft
    ATTRIBUTE       MS-RAS-Vendor                   9       integer Microsoft
    ATTRIBUTE       MS-CHAP-Domain                  10      string  Microsoft
    ATTRIBUTE       MS-CHAP-Challenge               11      string  Microsoft
    ATTRIBUTE       MS-CHAP-MPPE-Keys               12      string  Microsoft
    ATTRIBUTE       MS-BAP-Usage                    13      integer Microsoft
    ATTRIBUTE       MS-Link-Utilization-Threshold   14      integer Microsoft
    ATTRIBUTE       MS-Link-Drop-Time-Limit         15      integer Microsoft
    ATTRIBUTE       MS-MPPE-Send-Key                16      string  Microsoft
    ATTRIBUTE       MS-MPPE-Recv-Key                17      string  Microsoft
    ATTRIBUTE       MS-RAS-Version                  18      string  Microsoft
    ATTRIBUTE       MS-Old-ARAP-Password            19      string  Microsoft
    ATTRIBUTE       MS-New-ARAP-Password            20      string  Microsoft
    ATTRIBUTE       MS-ARAP-PW-Change-Reason        21      integer Microsoft
    ATTRIBUTE       MS-Filter                       22      string  Microsoft
    ATTRIBUTE       MS-Acct-Auth-Type               23      integer Microsoft
    ATTRIBUTE       MS-Acct-EAP-Type                24      integer Microsoft
    ATTRIBUTE       MS-CHAP2-Response               25      string  Microsoft
    ATTRIBUTE       MS-CHAP2-Success                26      string  Microsoft
    ATTRIBUTE       MS-CHAP2-CPW                    27      string  Microsoft
    ATTRIBUTE       MS-Primary-DNS-Server           28      ipaddr  Microsoft
    ATTRIBUTE       MS-Secondary-DNS-Server         29      ipaddr  Microsoft
    ATTRIBUTE       MS-Primary-NBNS-Server          30      ipaddr  Microsoft
    ATTRIBUTE       MS-Secondary-NBNS-Server        31      ipaddr  Microsoft
    #ATTRIBUTE      MS-ARAP-Challenge               33      string  Microsoft

    #
    #       Integer Translations
    #

    #       MS-BAP-Usage Values
    VALUE   MS-BAP-Usage            Not-Allowed     0
    VALUE   MS-BAP-Usage            Allowed         1
    VALUE   MS-BAP-Usage            Required        2

    #       MS-ARAP-Password-Change-Reason Values
    VALUE   MS-ARAP-PW-Change-Reason        Just-Change-Password            1
    VALUE   MS-ARAP-PW-Change-Reason        Expired-Password                2
    VALUE   MS-ARAP-PW-Change-Reason        Admin-Requires-Password-Change  3
    VALUE   MS-ARAP-PW-Change-Reason        Password-Too-Short              4

    #       MS-Acct-Auth-Type Values
    VALUE   MS-Acct-Auth-Type       PAP             1
    VALUE   MS-Acct-Auth-Type       CHAP            2
    VALUE   MS-Acct-Auth-Type       MS-CHAP-1       3
    VALUE   MS-Acct-Auth-Type       MS-CHAP-2       4
    VALUE   MS-Acct-Auth-Type       EAP             5

    #       MS-Acct-EAP-Type Values
    VALUE   MS-Acct-EAP-Type        MD5                     4
    VALUE   MS-Acct-EAP-Type        OTP                     5
    VALUE   MS-Acct-EAP-Type        Generic-Token-Card      6
    VALUE   MS-Acct-EAP-Type        TLS                     13

---
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : MySql and calling-station-id help please
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] .org] On behalf of Ackbar Joolia
Sent: Monday 8 January 2007 14:07
To: freeradius-users@lists.freeradius.org
Subject: MySql and calling-station-id help please

Dear all,

I want to do authentication based on calling-station-id and then to assign a static IP from my database to that requester. So basically, all the requests coming in will have the same username and password, and I will only identify each of them through their calling-station-id, and then assign a Framed-IP-Address to them.

Have you tried the files module with a users file like:

    MyUser  User-Password == "MyPass", Calling-Station-Id == "000"
            Framed-IP-Address = 192.168.1.1
            Fall-Through = no

    MyUser  User-Password == "MyPass", Calling-Station-Id == "001"
            Framed-IP-Address = 192.168.1.2
            Fall-Through = no

When this setup is working, you'll then be able to switch to a mysql backend if you want this to be in a database.

I cannot get the above to work at all, can anyone please give me an idea of how to do the above?

Thanks
Al

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : Authomated Access Accept/Deny
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] .org] On behalf of Tamba Ben-Jusu
Sent: Monday 8 January 2007 15:01
To: Freeradius-Users@lists.freeradius.org
Subject: Authomated Access Accept/Deny

Hi All,

I am running the freeradius server on an ubuntu server platform and it is running fine. However, I want to include a time factor in the operations. Users are to be set in the following groups:
1. Grant Access-Accept only between 8am to 6pm every day
2. Grant Access-Accept only between 6pm to 8am every day
3. Grant Access-Accept only weekends
etc.

Please help me with information on how to set it up in the users file, or other means of achieving this.

See http://wiki.freeradius.org/FAQ#How_do_I_use_Login-Time_for_groups.2C_not_for_users.3F and http://wiki.freeradius.org/CONFIGURATION_FILES

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : rlm_sql: Password in Accounting Packet
Marco Stuhl Hello, Is there a way to insert password in radacct table? Changing SQL query to insert %{User-Password} has no effect. I don't think your NAS sends a User-Password attribute in the Accounting Request. How do you want FR to know the User-Password attribute then ? Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : RE : rlm_sql: Password in Accounting Packet
Is there a way to insert password in radacct table? Changing SQL query to insert %{User-Password} has no effect.

I don't think your NAS sends a User-Password attribute in the Accounting Request. How do you want FR to know the User-Password attribute then?

I agree on that one; still no workaround?

I don't understand what you're trying to do.
* If you want to record the user-password, why don't you record it at Authentication time (see the postauth section)?
* If you want to do this during the Accounting process, you'll have to develop your own module to get the password that matches the User-Login from the Accounting request: you will have to query your internal backend to get the user's password (if it is available in clear text, which is not certain).

Can you be more specific as to why you are trying to do this... because there might be workarounds for this.

Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : RE : RE : rlm_sql: Password in Accounting Packet
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] .org] On behalf of Marco Stuhl
Sent: Friday 15 December 2006 13:47
To: FreeRadius users mailing list
Subject: Re: RE : RE : rlm_sql: Password in Accounting Packet

Here's the scenario. I'd like to make one username for all users having/sharing the same service (e.g. users w/ service A all have username 'foo' with a unique password for every user). Now, the problem arises with accounting, or, to be more precise, session reports that will be available for them to see and check their past sessions.

So the password can only be retrieved from the Access-Request packet: use the postauth query to record it, then use radacct to record accounting information.

Since accounting (SQL schema) is based on unique username, I cannot make the distinction between users. Also, I've noted (in past FR versions, though) that it was possible for log files, since FR logged passwords there?

Accounting is based on AcctSessionId (or AcctUniqueId, which can be computed by a FR module). AFAIK, there is no assumption about the 'unique username' thing: it is your session analyzer that makes such an assumption. If you want to differentiate users, you'll have to find rules that help map attributes recorded in the radacct table with attributes recorded in the postauth table: then a simple Join can help recover the true username.

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : NotBefore and Epiration (was Temporary Accounts), Enhancement proposal
-----Original Message-----
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of Alan DeKok
Sent: Monday 11 December 2006 19:47
To: FreeRadius users mailing list
Subject: Re: NotBefore and Epiration (was Temporary Accounts), Enhancement proposal

Thibault Le Meur wrote:
Enhancement proposal
Why not implement the NotBefore part in the FR server code as it is already done for Expiration?

Or, add a Date attribute, that will compare against the current date. You can then use configurations like:

    Date January 12 2006 13:00

And it should Just Work.

Sure, this is a simpler way to do so. The only difference will be that the reply message will not say "Password has expired" or "Password not valid yet"... which, as far as I am concerned, is not very important ;-)

I'll see if I can get a patch into 1.1.4.

Thanks a lot...
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : MySQL: don't logging to radacct
-----Original Message-----
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of Felipe Neuwald
Sent: Tuesday 12 December 2006 18:06
To: freeradius-users@lists.freeradius.org
Subject: MySQL: don't logging to radacct

Hi Folks,

I'm using freeradius-1.1.3_1 on FreeBSD 6.2-PRERELEASE and mysql-server-5.0.27. My database connection is ok, and I'm successfully authorizing on the MySQL database. After user connection, an entry is added to the radpostauth table. My problem is that there is no entry in the radacct table. Here is an authentication:

    [EMAIL PROTECTED] /usr/local/etc/raddb]# radtest brt adsl 127.0.0.1 0 teste
    Sending Access-Request of id 206 to 127.0.0.1 port 1812
            User-Name = brt
            User-Password = adsl
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 0
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=206, length=20

Does somebody know why there is no entry in my radacct table?

Yes, look at your logs... radtest sends only an Access-Request packet, not an Accounting packet: that's why no accounting entry is added to radacct.

Try radclient in order to send an accounting packet.

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
NotBefore and Epiration (was Temporary Accounts), Enhancement proposal
I post here a cleaner solution to my need, and propose the opportunity to have an even better way to code this (but it requires a patch).

The Goal

I wanted to be able to manage temporary accounts for guests:
* these accounts are created in advance, but mustn't be valid before a given date
* these accounts have an expiration date
* these accounts must be valid within a given time range

One current solution to achieve this

The current solution is to create a local String attribute (3000 < id < 4000) in the dictionary file /etc/raddb/dictionary:

    ATTRIBUTE       My-Local-NotBefore      3000    string

Then in the hints file, I add the current date to the request (for my NAS 192.168.1.1):

    DEFAULT NAS-IP-ADDRESS == 192.168.1.1
            My-Local-NotBefore = `%D`

In the users file, I add the 'Myuser' user, who can log in within the following time range '12 Dec to 13 Dec 2006, from 8AM to 9 PM':

    Myuser  NAS-IP-Address == 192.168.1.1, Auth-Type = Local, User-Password == "MyPass", My-Local-NotBefore = 20061212, Login-Time := 'Wk0800-2100', Expiration := "14 Dec 2006"
            Fall-Through = no

It is working, but it is just a pity that the NotBefore and Expiration parts are not handled the same way, though being quite similar.

Enhancement proposal

Why not implement the NotBefore part in the FR server code as it is already done for Expiration? It would require (AFAIK):
* Adding an official NotBefore internal freeradius dictionary
* Add a #define PW_NOTBEFORE definition in include/radius.h
* Add a time check to the check_expiration function in main/auth.c
* Optional ??? Add a notbeforecmp function and a paircompare_register call to main/valuepair.c

However, I had no report so far that this could prove to be useful to someone else, so I wonder if it is worth implementing. If you think this could be useful, I'll try to propose a patch.

Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
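The date-range check this 'Myuser' entry expresses (NotBefore from the hints-file `%D`, Expiration, and a UUCP-style Login-Time), as an added Python model that is not FreeRADIUS code and not part of the original post; it also covers the three Login-Time group schedules asked about in the "Authomated Access Accept/Deny" thread above. GUEST_ENTRY and the timestamps are constructed, and the expiry-at-midnight and day-token semantics are assumptions of this model, not FreeRADIUS's own parser.

```python
from datetime import datetime

# Day tokens of a UUCP time string, mapped to datetime.weekday() numbers (Mon=0 .. Sun=6)
DAY_TOKENS = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Al": {0, 1, 2, 3, 4, 5, 6},
}


def _hhmm_to_minutes(hhmm):
    if len(hhmm) != 4 or not hhmm.isdigit():
        raise ValueError("bad HHMM value %r" % hhmm)
    return int(hhmm[:2]) * 60 + int(hhmm[2:])


def parse_login_time(spec):
    """Parse a Login-Time value such as 'Wk0800-2100|Sa0900-1300' into a list of
    (weekdays, start_minute, end_minute). Entries are separated by '|' or ',';
    each is one or more day tokens followed by an optional HHMM-HHMM range.
    No range means the whole day; end < start means the window wraps midnight."""
    windows = []
    for item in spec.replace(",", "|").split("|"):
        item = item.strip()
        if not item:
            continue
        pos, days = 0, set()
        while item[pos:pos + 2] in DAY_TOKENS:
            days |= DAY_TOKENS[item[pos:pos + 2]]
            pos += 2
        if not days:
            raise ValueError("no day token at the start of %r" % item)
        rest = item[pos:]
        if rest == "":
            windows.append((days, 0, 24 * 60))
        else:
            start, end = rest.split("-")
            windows.append((days, _hhmm_to_minutes(start), _hhmm_to_minutes(end)))
    return windows


def login_time_allows(spec, when):
    """True if the datetime `when` falls inside one of the Login-Time windows."""
    minute = when.hour * 60 + when.minute
    today, yesterday = when.weekday(), (when.weekday() - 1) % 7
    for days, start, end in parse_login_time(spec):
        if start < end:
            if today in days and start <= minute < end:
                return True
        else:
            # Window wraps past midnight (e.g. 1800-0800): the evening part belongs
            # to the listed day, the morning part to the day that follows it.
            if today in days and minute >= start:
                return True
            if yesterday in days and minute < end:
                return True
    return False


def check_temporary_account(entry, now):
    """Evaluate the three check items of the guest entry in the order the users
    file lists them. `entry` holds the values as strings, exactly as the users
    file carries them; `now` is the request time. Returns (accepted, reason)."""
    today = int(now.strftime("%Y%m%d"))        # what the hints file injects with %D
    if today < int(entry["My-Local-NotBefore"]):
        return False, "account not valid yet"
    expires = datetime.strptime(entry["Expiration"], "%d %b %Y")
    if now >= expires:                          # assumed: expires at 00:00 of that day
        return False, "account expired"
    if not login_time_allows(entry["Login-Time"], now):
        return False, "outside Login-Time"
    return True, "ok"


# Constructed from the 'Myuser' entry above: valid 12-13 Dec 2006, weekdays 8AM-9PM
GUEST_ENTRY = {
    "My-Local-NotBefore": "20061212",
    "Login-Time": "Wk0800-2100",
    "Expiration": "14 Dec 2006",
}

if __name__ == "__main__":
    for ts in ("2006-12-11 09:00", "2006-12-12 09:00", "2006-12-13 22:00", "2006-12-14 09:00"):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        print(ts, check_temporary_account(GUEST_ENTRY, when))
```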
RE : FreeRadius + Ldap + TLS/SSL
-----Original Message-----
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of Rafał Kamiński
Sent: Monday 4 December 2006 13:28
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius + Ldap + TLS/SSL

When I saw that error, I checked the ldap logs. My ldap is configured with SSL, not TLS. Now I have a problem configuring freeradius to work with SSL ldap, not TLS ldap :(

I have in radiusd.conf:

    server = ldap
    port = 636
    #port = 389
    ...
    filter = (uid=%u)
    base_filter = (objectclass=radiusprofile)
    start_tls = no

This last line is ok: it will ask not to try a Start-TLS connection.

    # tls_cacertfile = /path/to/cacert.pem
    tls_cacertfile = /etc/freeradius/cert/ca.crt
    # tls_cacertdir = /path/to/ca/dir/
    tls_cacertdir = /etc/freeradius/cert/
    tls_cacertdir = /etc/freeradius/cert/

Why do you have both tls_cacertfile and tls_cacertdir?

    # tls_certfile = /path/to/radius.crt
    tls_certfile = /etc/freeradius/cert/radius.crt
    # tls_keyfile = /path/to/radius.key
    tls_keyfile = /etc/freeradius/cert/radius.key

tls_certfile and tls_keyfile are used to make the radius server authenticate itself to the ldap server. This is not mandatory: if you're not willing to authenticate the radius server to the ldap server, then you can omit these two lines. However, if you are trying to authenticate the radius server to the ldap server with certificates, then check that the CA that has signed the radius certificate is known by the ldap server.

    #tls_mode = yes

Argh... I think you have to uncomment this line.

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : Problem cheking multivalued attributes in LDAP schemas.
-----Original Message-----
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of Erling Paulsen
Sent: Monday 4 December 2006 15:11
To: FreeRadius users mailing list
Subject: Problem cheking multivalued attributes in LDAP schemas.

I try to make a decision based on checking for a value in a certain attribute of an LDAP schema. The problem is that this is a multivalued attribute, and it seems somewhat undefined when I try to check against it! My exact problem is checking against an eduPerson schema for an affiliation on an attribute called eduPersonAffiliation (which is multivalued). I want to check if a certain user has the right affiliation before assigning a dynamic Vlan. I fetch the attribute in Authorization as LDAP-Affiliation (mapped as a checkItem in ldap.attrmap).

This LDAP-Affiliation is not a standard Radius attribute... Have you defined it in the freeradius dictionary files?

I've tried checking with the regular expression operator (i.e. for staff affiliation), but it seems to not give a match. Ex. check-statement from users file:

    LDAP-Affiliation :~ .*staff.*

I do not know this :~ operator, have you tried =~ instead?

Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : RE : return user group information to radius client
-----Original Message-----
From: ganesh subramonian [mailto:[EMAIL PROTECTED]
Sent: Friday 1 December 2006 05:41
To: FreeRadius users mailing list
Cc: [EMAIL PROTECTED]
Subject: Re: RE : return user group information to radius client

hi

does that mean that sending/receiving of the group information would depend on the method used for auth at the radius server?

It's up to you to define if you want to return a given reply attribute: you can define different rules in order to select which reply attributes are returned given the NAS-Ip-Address, or Service-Type or any other check attributes...

The issue here is to know what your NAS expects as the user Group information. What is your NAS? What does the doc say about its support for replied radius attributes? Can you explain exactly what you are trying to do?

Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : FreeRadius and LDAP
-----Original Message-----
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of Sundaram Divya-QDIVYA1
Sent: Thursday 30 November 2006 23:51
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius and LDAP

We don't use openldap or eDirectory - which is what the docs are derived from.

This shouldn't be an issue if your directory is really Ldap compliant.

The information for FreeRADIUS and LDAP seems to suggest that I need to provide access to the LDAP server's password to the service account that the FreeRADIUS Server uses.

This is often required, but not always: if you are using an authentication protocol that transmits the password in cleartext to the radius server (such as PAP), you can avoid this.

What I need to understand is how to integrate FreeRADIUS with an LDAP Server without exposing the (crypted) password hashes. Any pointers on what I need to do for that?

* Enable the ldap module in the authorize section (so that Auth-Type is set to LDAP [FR = 1.1.3])
* if you are running FR = 1.1.3 then you'll have to set Auth-Type = LDAP manually (see the users file from rlm_files or the rlm_sql module)
* Enable the ldap module in the authenticate section as well (so that a simple ldap bind authentication is performed)
* In the ldap configuration section, you can use an LDAP account that does not have read access to the userPassword attribute

BUT, remember that this is NOT compatible with a lot of authentication protocols (MSCHAP, CHAP, PEAP, ...). It is working for PAP and EAP-TTLS/PAP.

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : differentiating radius attribute
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] .org] On behalf of [EMAIL PROTECTED]
Sent: Friday 1 December 2006 17:16
To: freeradius-users@lists.freeradius.org
Subject: differentiating radius attribute

Hi everybody,

I'm using freeradius to authenticate and authorize users to cisco switches/routers/FW. My issue is that I want to do aaa for 3 things on the same device: device administrators login (telnet), 802.1x EAP/MD5, and managing firewall FWSM ACLs (radius attribute in the response: filter-id=acl_name). My question is how to differentiate these 3 needs by a radius attribute in the request, to be able to send in the response only the good radius authorization attribute depending on the aaa type asking.

Could you run the radius server in debug mode (radiusd -X), and check what attributes are present in the Request. Maybe something like Service-Type, Framed-Protocol, and NAS-Port could be used.

For instance this is a request from a PPP server:

    rad_recv: Access-Request packet from host A.B.C.D:32776, id=171, length=136
            Service-Type = Framed-User
            Framed-Protocol = PPP
            User-Name = MyLogin
            MS-CHAP-Challenge = 0xXX
            MS-CHAP2-Response = 0x
            NAS-IP-Address = X.Y.Z.T
            NAS-Port = 0

And this is a request from a WiFi access (not on the same NAS though):

    rad_recv: Access-Request packet from host A.B.C.D:1030, id=1, length=213
            Message-Authenticator = 0x
            Service-Type = Framed-User
            User-Name = anonymous
            Framed-MTU = 1492
            State = 0xX
            Called-Station-Id = MACADDR:SSID
            Calling-Station-Id = MACADDR
            NAS-Identifier = AP_Name
            NAS-Port-Type = Wireless-802.11
            Connect-Info = 802.11g
            EAP-Message = 0x
            NAS-IP-Address = X.Y.Z.T
            NAS-Port = 1
            NAS-Port-Id = STA port # 1

Check also in your NAS setup if you can add specific attributes to the Request depending on the service used.

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
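The attribute-based differentiation suggested in this reply, as an added Python example (not FreeRADIUS code, not part of the original thread): it parses rad_recv dumps like the two quoted above and decides which of the three AAA uses a request belongs to. The three dumps are constructed (the administrator-login one is hypothetical, with NAS-Port-Type = Virtual and a shell Service-Type as assumptions); the FWSM ACL case has no dump on the page, so it falls through to "unknown".

```python
import re

# One attribute per line in a radiusd -X dump: "<tab>Name = value"
ATTR_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

# Constructed dumps modelled on the two requests quoted above; placeholders
# (A.B.C.D, X.Y.Z.T, 0x, MACADDR) stand in for real values as in the original.
PPP_REQUEST = """\
rad_recv: Access-Request packet from host A.B.C.D:32776, id=171, length=136
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = MyLogin
        MS-CHAP-Challenge = 0xXX
        MS-CHAP2-Response = 0x
        NAS-IP-Address = X.Y.Z.T
        NAS-Port = 0
"""

WIFI_REQUEST = """\
rad_recv: Access-Request packet from host A.B.C.D:1030, id=1, length=213
        Message-Authenticator = 0x
        Service-Type = Framed-User
        User-Name = anonymous
        Framed-MTU = 1492
        State = 0xX
        Called-Station-Id = MACADDR:SSID
        Calling-Station-Id = MACADDR
        NAS-Identifier = AP_Name
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 802.11g
        EAP-Message = 0x
        NAS-IP-Address = X.Y.Z.T
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
"""

# Hypothetical administrator telnet login; the attribute values are assumptions.
ADMIN_REQUEST = """\
rad_recv: Access-Request packet from host A.B.C.D:1645, id=7, length=80
        Service-Type = NAS-Prompt-User
        User-Name = admin
        User-Password = 0x
        NAS-Port-Type = Virtual
        NAS-IP-Address = X.Y.Z.T
        NAS-Port = 2
"""


def parse_request(dump):
    """Turn the attribute lines of one rad_recv dump into a dict.
    The first occurrence wins when an attribute is repeated."""
    attrs = {}
    for line in dump.splitlines():
        if line.startswith("rad_recv:"):
            continue
        match = ATTR_LINE.match(line)
        if match and match.group(1) not in attrs:
            attrs[match.group(1)] = match.group(2).strip('"')
    return attrs


def classify(attrs):
    """Decide which AAA use a request belongs to from the attributes the reply
    suggests looking at. An EAP-Message is the strongest signal, so it is tested
    first; the Service-Type values taken to mean an administrator shell are an
    assumption of this example."""
    if "EAP-Message" in attrs or attrs.get("NAS-Port-Type") == "Wireless-802.11":
        return "dot1x"
    if attrs.get("Framed-Protocol") == "PPP":
        return "ppp"
    if attrs.get("Service-Type") in ("NAS-Prompt-User", "Administrative-User", "Login-User"):
        return "admin-login"
    return "unknown"


if __name__ == "__main__":
    for name, dump in (("ppp", PPP_REQUEST), ("wifi", WIFI_REQUEST), ("admin", ADMIN_REQUEST)):
        print(name, "->", classify(parse_request(dump)))
```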
RE : (no subject)
Also, I am under the understanding that EAP-TLS does NOT require a client side cert, and EAP-TTLS DOES require a

EAP-TLS requires both server-side and client-side certs. EAP-TTLS requires only a server-side cert. The client-side authentication is performed through an inner TLS tunnel and is usually PAP (but can be any EAP method).

Regards,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : return user group information to radius client
Is there some standard way of telling the client that this user belongs to this group? If so, how do I set this on the radius server?

Several NASes support the Login-LAT-Group reply attribute for this purpose: check with your NAS doc.

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : Expiration
-----Original Message-----
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of Sean
Sent: Tuesday 28 November 2006 13:22
To: freeradius-users@lists.freeradius.org
Subject: Expiration

Hi,

Just a quick question. Is expiration := Never valid in radcheck? At the moment I set dates a few years into the future for accounts that I don't want to expire, but I'm sure that they'll come back to haunt me later.

Wouldn't it be easier just to not add an Expiration attribute to your radcheck list? Indeed, AFAIK when no Expiration attribute is found in the list, there is no check on the user account expiration.

Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : RE : Expiration
I have a question with regard to expiration. I'd like to update the expiration to a new date once a user logs in for the first time. I've tried to add a query to the sql conf file where the radacct table gets updated when a user logs in, but I can't seem to add a new query that is recognized, or append a query to one that is there.

Here is how I would do this:

Define a new sql module in your sql.conf file:

    sql sql-update-expiration {
        XXX
    }

Replace XXX with the SQL query you want.

Then in your post-auth section add something like:

    Post-Auth-Type postauth.updateExpiration {
        sql-update-expiration
    }

Then in your users file (or sql DB if your rules are handled by mysql):

    DEFAULT Huntgroup == MyNASWithExpirationUpdate, Post-Auth-Type := postauth.updateExpiration
            +List of reply attrs

Replace the condition Huntgroup == MyNASWithExpirationUpdate with anything that could match the accesses for which you want to update the Expiration attribute.

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : RE : Temporary Accounts
I'm replying to myself because I found a very ugly solution to cope with my needs: have an account not available before a given date. I post this here in case this could be useful to someone, and to get feedback if others have found a better way to achieve this.

At least the following checks do not work:
* Current-Time 19 Nov 2006
* Current-Time 2006/11/19

The date format is the same as for Login-Time.
Alan DeKok.

If this is the case, then I'm afraid I won't be able to get the full date like 19 Nov 2006. Indeed, as far as I know (but I hope I'm wrong), the UUCP Time Strings don't contain the Month nor the Day of month (I've read http://www.delorie.com/gnu/docs/uucp/uucp_58.html).

Is there another (Internal) Attribute that could match these elements of a login date?

I eventually got it working by:

* using the hints file:

    DEFAULT NAS-IP-ADDRESS == MYNASIP
            MYSTRINGATTRIBUTE-NOTBEFORE := `%D`

* checking the MYSTRINGATTRIBUTE-NOTBEFORE in the users file:

    DEFAULT MYSTRINGATTRIBUTE-NOTBEFORE = '20061128', Expiration := '29 Nov 2006'

I have then 2 questions:
* for the moment I use (or mis-use) an existing String attribute from a vendor dictionary: is there a way to define 'private Radius attributes' in order to avoid this 'attribute usurpation'?
* I've seen in the code that adding the Not-Before config attribute (similar to Expiration) to Freeradius shouldn't be too tricky: is it something that could prove to be useful for other users?

Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : EAP anonymous and inner User-name
The inner request will magically show up after the tunnel has been decoded. It is a new request, and will have its own User-Name attribute.

Could you be more specific as to:
* when did this feature appear?
* how does this differ from previous versions?

Indeed, I found out that with the latest release of FR, the debug isn't the same: previously (FR 1.0.1), I was able to read the tunneled inner-request and attributes (with inner user name and password...) and the complete process of this 'new request', and now I don't see this.

Thanks in advance for any pointer that could help me understand the difference.

Regards,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : Is this hack possible?
into an Access Accept reply? Why on earth would I want this? Well, I would like to, i.e., give a guest-net Vlan back to users that actually fail authentication, so that when they try to access the web they will instead get connected to a redirected guest-information webpage.

I haven't tested this, but maybe it could be possible with the following setup:
* At the end of your 'users' file, define a DEFAULT rule that enforces Auth-Type = Always-Ok
  - Check that this rule is only used for WiFi accesses
  - Enforce a Radius profile that applies the correct VLAN settings
* Then in your radiusd.conf define the Auth-Type Always-Ok section as to reply always ok (it might be possible by having a look at the setups described in the configurable-failover doc)

There might be easier ways to do so though, I let FR gurus comment.

Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : RE : EAP anonymous and inner User-name
Thibault Le Meur [EMAIL PROTECTED] wrote:
Indeed, I found out that with the latest release of FR, the debug isn't the same: previously (FR 1.0.1), I was able to read the tunneled inner-request and attributes (with inner user name and password...) and the complete process of this 'new request', and now I don't see this.

Read eap.conf, and look for copy_request_to_tunnel

Well... I already have this set to yes because I need to match outer attributes while processing the tunneled request. My setup is working quite well, but I just think the radiusd -X debug log has changed a bit since I am not seeing the decoded inner request packet in it: I can only see a message "Proceeding to decode tunneled attributes" and then the authorize section is run without printing the decoded attributes of the tunneled request to the debug log.

I get this:

    rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 6
      modcall[authorize]: module preprocess returns ok for request 6
      modcall[authorize]: module mschap returns noop for request 6
      modcall[authorize]: module eap returns noop for request 6
        users: Matched entry DEFAULT at line 17
    rlm_ldap: Entering ldap_groupcmp()
    ...

I might be wrong but I think older versions were printing the decoded inner request with _something_like_ that:

    rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
    ...
            Service-Type = Framed-User
            User-Name = My-inner-Identity
            User-Password = My-PAP-Passwd
            Framed-MTU = 1492
            State = 0x50f69e12347f8a811f1334fa392048e
            Called-Station-Id = 00-01-52-44-55-85:MySSID
            Calling-Station-Id = 00-52-44-55-F7-38
            NAS-Identifier = MyAP
            NAS-Port-Type = Wireless-802.11
    ...

Regards,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : EAP anonymous and inner User-name
And, lastly, did you set copy_request_to_tunnel in eap.conf? Don't, because then your real inner user name gets overwritten by the outer one. Strange... I've set copy_request_to_tunnel and I haven't seen my inner User-Name be overwritten ! Are you sure it would overwrite the inner User-Name attribute with the outer one ? Another question: if you don't set copy_request_to_tunnel, could you still have a rule in the users file matching the user's ldap group (for the users in the inner request) and the Called-Station-Id (from outer request) ? Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : EAP anonymous and inner User-name
Thibault Le Meur [EMAIL PROTECTED] wrote:
Strange... I've set copy_request_to_tunnel and I haven't seen my inner User-Name be overwritten!

Doing that would be wrong. FreeRADIUS doesn't do that.

I know, it would have broken my setup ;-)

And, lastly, did you set copy_request_to_tunnel in eap.conf? Don't, because then your real inner user name gets overwritten by the outer one.

No, absolutely not. That DOES NOT HAPPEN.

Another question: if you don't set copy_request_to_tunnel, could you still have a rule in the users file matching the user's ldap group (for the users in the inner request) and the Called-Station-Id (from outer request)?

You could match LDAP group, because the username is in the inner request. You can't match Called-Station-Id, because it's in the outer request.

Ok, so I had correctly interpreted this copy_request_to_tunnel option. Thus I think the previous debug output showing the decoded inner request was better to troubleshoot tunneled authentication schemes.

Thanks again for this clarification,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : Freeradius is mad ! Or me...
Why does the command radiusd -A work fine and not /etc/init.d/radiusd start???

When you run 'radiusd -A' (I suppose you're root), you are running the radius server as root. When you run /etc/init.d/radiusd start, it switches to the 'radiusd' user identity (in FC5). So it is possible that you have a permission issue on some config file.

Try to run:

    # su - radiusd --shell /bin/bash
    $ radiusd -X

You'll see if there is a permission issue.

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : Decreasing connection time (Session-Timeout)
freeRadius then calls accounting_stop_query located in sql.conf and UPDATES the radacct table and its attributes with all these new values. What I'd like to do now is to execute a personalised sql query right after this default accounting_stop_query so that I could save/modify all the info I want. Or maybe is there another way to grab this Acct-Session-Time and User-Name to update the correct user and modify his time left. Any ideas?

I don't know if it's possible to add any number of SQL queries to the sql module: I leave it to the freeradius gurus to say...

However you can instantiate a new sql module in sql.conf:

    sql my-sql-acct {
        ...
        accounting_stop_query = "MY Customized SQL query"
    }

Then in your radiusd.conf accounting section:

    accounting {
        sql
        my-sql-acct
    }

You may also want to enable the 'my-sql-acct' only for your ChilliSpot NAS. You can do so by playing with Acct-Type (see doc/Acct-Type):
* use acct_users to set Acct-Type := custom-sql for your NAS-IP-Address
* use an accounting section as below:

    accounting {
        sql
        Acct-Type custom-sql {
            my-sql-acct
        }
    }

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Decreasing connection time (Session-Timeout)
However you can instantiate a new sql module in sql.conf:

    sql my-sql-acct {
        ...
        accounting_stop_query = "MY Customized SQL query"
    }

Then in your radiusd.conf accounting section:

    accounting {
        sql
        my-sql-acct
    }

I tried this and freeRadius hangs at startup and says my-sql-acct: Unknown Module. I added everything just like you said...

That's weird... It means that your my-sql-acct module definition wasn't read or accepted. You should try to run radiusd with radiusd -X and carefully read the output: this will tell where the problem is. If you can't find the issue, post the result of your radiusd -X (you could also add your radiusd.conf and sql.conf) and I'll have a look at it.

Regards,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : Decisionmaking in FreeRADIUS Check/Reply Items
My actual problem relates to the following errors, pulled from radiusd -X:

    [/etc/raddb/users]:214 WARNING! Check item Pool-Name found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items

The offending rules are in users:

As you can read in the logs, Pool-Name is a check item and must go to the first line of your users file.

    DEFAULT User-Bytes-Used 21474836480 , Group == 512k  # user gets high speed service if under 20gb
            Pool-Name := 512k_high, Max-Download-Rate := 524288, Max-Upload-Rate := 262144

But... but... the bottom 3 attributes *aren't* check attributes!

Pool-Name IS a check item, and check items can be set in your users' rules. Try:

    DEFAULT User-Bytes-Used 21474836480 , Group == 512k, Pool-Name := 512k_high
            Max-Download-Rate := 524288, Max-Upload-Rate := 262144

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : assigning vlan based on LDAP attribute
> I'm a bit confused on this one. I want my users vlan'd based on their affiliation (ie, staff, student). In my radiusd.conf file, under ldap, I've put:
>
>     groupmembership_attribute = eduPersonPrimaryAffiliation

That's a good start, but sending the whole ldap configuration section would help.

> Do I need to do more in my radiusd.conf file than that?

I think you should check that you do not have groupname_attribute and groupmembership_filter set.

> I assume this means assign them to a group based on the value stored in the LDAP field eduPersonPrimaryAffiliation. I then added to my users file:
>
>     DEFAULT Huntgroup-Name == myAP, Ldap-Group == staff
>             User-Name = `%{User-Name}`,
>             Tunnel-Medium-Type = IEEE-802,
>             Tunnel-Private-Group-Id = 2,
>             Tunnel-Type = VLAN,
>             Fall-Through = no

There are several things to check here:

* is the NAS-IP-Address of the Access Point defined in the huntgroup myAP in your huntgroups file?
* is your AP accepting Tunnel-Private-Group-Id = 2 (I've got APs which use another format)?

The best way to check this is to stop your radius server and run it manually with radiusd -X. Then send the debug log to the list (take care, passwords are written in cleartext).

> But this doesn't seem to work. My staff users do not get assigned to vlan 2. Do I need to make a huntgroup for myAP?

Of course... Unless you remove the "Huntgroup-Name == myAP," check item.

HTH,
Thibault
RE : RE : assigning vlan based on LDAP attribute
> My ldap section from radiusd.conf looks like:
>
>     ldap {
>         server = ldapserver.net.org
>         identity = uid=name,dc=net,dc=org
>         password = password
>         basedn = ou=stuffdc=net,dc=org
>         filter = (uid=%{Stripped-User-Name:-%{User-Name}})
>         start_tls = no
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>         ldap_connections_number = 5
>         password_attribute = userPassword
>         groupmembership_attribute = eduPersonPrimaryAffiliation
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>     }

It seems ok to me...

> My users file contains the following at the end:
>
>     DEFAULT Huntgroup-Name == myAP, Ldap-Group == staff
>             User-Name = `%{User-Name}`,
>             Tunnel-Medium-Type = IEEE-802,
>             Tunnel-Private-Group-Id = 2,
>             Tunnel-Type = VLAN,
>             Fall-Through = no
>
> My huntgroups file has:
>
>     myAP    NAS-IP-Address == x.x.x.141
>
> In my Debug I noticed that although I have them commented out of radiusd.conf, I still see:
>
>     Debug: ldap: groupname_attribute = cn
>     Debug: ldap: groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

Strange...

> You asked:
> > * is your AP accepting Tunnel-Private-Group-Id = 2 (I've got APs which use another format)?
> How do I check that?

Check in your AP documentation? But this format is the most commonly used, so I don't think this is the issue.

Can you send a more complete debug?

Thibault
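To answer the question of whether the AP "accepts" Tunnel-Private-Group-Id = 2, it helps to see what the three VLAN attributes look like on the wire and what the NAS checks before acting on them. The Python below is an added example, not code from the post or from FreeRADIUS: it encodes the RFC 2868 tagged attributes that the users entry above produces (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2), decodes them back, and applies the RFC 3580 rule a switch or AP follows, namely that all three must be present with the same tag and a numeric VLAN id. The choice of tag 1 and the sample bytes are the example's own assumptions; the users entry in the post sets no tag at all, which is one of the things to look for in the radiusd -X output when an AP ignores the assignment.

```python
import struct

# RFC 2868 attribute numbers and the RFC 3580 values for 802.1X VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def _check_tag(tag):
    # RFC 2868: the tag groups the attributes of one tunnel; 0x01..0x1F are valid
    if not 1 <= tag <= 0x1F:
        raise ValueError(f"tag {tag} outside 0x01..0x1F")


def encode_tagged_int(attr_type, tag, value):
    """Type, Length (always 6), Tag, 3-octet integer."""
    _check_tag(tag)
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Type, Length, Tag, String."""
    _check_tag(tag)
    data = text.encode()
    if len(data) + 3 > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BBB", attr_type, len(data) + 3, tag) + data


def vlan_reply(vlan_id, tag=1):
    """The three AVPs an Access-Accept carries for VLAN assignment. The tag
    (1 here, the example's choice) ties them together; 802.1Q allows 1..4094."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id {vlan_id} out of range")
    return (encode_tagged_int(TUNNEL_TYPE, tag, VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_avps(data):
    """Walk a run of RADIUS attributes and return (type, tag, value) triples;
    malformed lengths raise rather than being silently skipped."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        body = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if length != 6:
                raise ValueError(f"attribute {attr_type} must be 6 octets")
            avps.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is not a tag but part of the string
            if body[0] <= 0x1F:
                avps.append((attr_type, body[0], body[1:].decode()))
            else:
                avps.append((attr_type, 0, body.decode()))
        else:
            avps.append((attr_type, None, bytes(body)))
        i += length
    return avps


def vlan_from_avps(avps):
    """What a NAS checks before putting the port in a VLAN (RFC 3580):
    Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802 and a numeric
    Tunnel-Private-Group-Id, all carrying the same tag."""
    groups = {}
    for attr_type, tag, value in avps:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            groups.setdefault(tag, {})[attr_type] = value
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            try:
                vid = int(group[TUNNEL_PRIVATE_GROUP_ID])
            except ValueError:
                continue
            if 1 <= vid <= 4094:
                return vid
    return None


if __name__ == "__main__":
    wire = vlan_reply(2)
    print(wire.hex())                            # 40060100000d41060100000651040132
    print(vlan_from_avps(decode_avps(wire)))     # 2
```

The decoder deliberately refuses malformed lengths instead of skipping them: an attribute parser that resynchronises on bad input is how a NAS ends up acting on attributes it never validated. The mismatched-tag case is the one to keep in mind when an AP silently ignores an assignment that looks right in the debug output.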
RE: RE : RE : assigning vlan based on LDAP attribute
> I think part of my problem is that I do not have the vlans defined in the Access Point. I incorrectly assumed that the AP would receive the vlan info from the Radius server, and tag all outgoing packets from the wireless client with that tag. However, I'm starting to think that that is completely incorrect?! I should probably be creating all the vlans within the AP right?

It really depends on your Access Point.

I use a Strix access point on which you do not have to define the vlans on the AP: you only have to set the interface to trunk mode (Tagged) and the AP uses the vlan assigned by the radius server for the wireless client. => this is the most common scenario.

However on my Proxim AP2000, I have to define some hidden SSIDs for the several vlans that can be affected by the radius server:

* the wireless client authenticates itself to the broadcast SSID (statically assigned a wrong vlan)
* the radius server replies Access-Accept and assigns the vlan tag
* the AP transparently retries an authentication of the client on the hidden SSID that corresponds to this vlan

As you can see, everything depends on your AP features.

> If that's the case, it looks like I need a separate SSID per Vlan (using Avaya gear here). I really hope that is not the case

First of all, you have to determine if the radius server is replying Access-Accept and assigning the vlan tag. See the radiusd -X log.

Thibault
RE : need help with error
> I have noticed in my logs this error and do not know what it means, or where to look to start fixing it..
>
>     rlm_eap_tls: Length Included
>     Mon Sep 25 08:58:16 2006 : Error: TLS_accept:error in SSLv3 read client certificate A

I suppose you are using the EAP-TLS module to process the first part of another EAP protocol (such as EAP-TTLS or PEAP). In this case the EAP-TLS module is used to establish the TLS tunnel without verifying the client certificate, because in EAP-TTLS or PEAP there is no certificate on the client side.

The EAP-TLS module is just reporting the lack of a client certificate, which can be considered an error if used in a full EAP-TLS exchange, but not in EAP-TTLS or PEAP.

HTH,
Thibault
Re: Default radiusd.conf and Auth-Type LDAP comment
> Thibault Le Meur [EMAIL PROTECTED] wrote:
> > * the inner PAP authentication is processed by the ldap module in which I don't need to define which password hashing method is used (I use at least CRYPT _and_ MD5 in the same directory for historical reasons)
>
> Version 2.0 has fixes that make it much easier to handle multiple hashing types in the same LDAP database.

Yes, I remember having read something about this in the list... I'm longing to test this release ;-)

> > * I don't need to have freeradius _read_ the passwords from the directory: the DN identity defined in the ldap module can only have auth and read access to radius entries but not to the passwords (which in my point of view is more secure)
>
> If all you're doing is PAP, sure. Most wireless deployments use PEAP, and then people wonder why bind as user doesn't work. It's frustrating.

I understand (it's true that this list is nearly 30% about this kind of issue despite the FAQs on this) :-(

Again, I might not have caught your meaning: are you saying that in the future the standard ldap module will be only an authorization module, and that a new ldap_bind module could be used in the authenticate section? I think it's a good idea.

Why not indeed... (as long as there's a new ldap_bind module to replace the ldap 'authentication' part ;-) ).

Thanks for this reply and for this great opensource project.

Regards,
Thibault
Re: Default radiusd.conf and Auth-Type LDAP comment
> On Fri 22 Sep 2006 10:52, Thibault Le Meur wrote:
> > Thibault Le Meur [EMAIL PROTECTED] wrote:
> > > > * the inner PAP authentication is processed by the ldap module in which I don't need to define which password hashing method is used (I use at least CRYPT _and_ MD5 in the same directory for historical reasons)
> > >
> > > Version 2.0 has fixes that make it much easier to handle multiple hashing types in the same LDAP database.
> >
> > Yes, I remember having read something about this in the list... I'm longing to test this release ;-)
>
> ftp://ftp.freeradius.org/pub/radius/CVS-snapshots

Thanks, in fact I know that by using the development version I could have a test at the 2.0 branch, but I'm a little frightened to test it in my production environment... I think I'll use the CVS code on my backup server.

> It gets better every day. :-)

I have no doubt about this ;-)

Thibault
RE : Default radiusd.conf and Auth-Type LDAP comment
> Thanks, in fact I know that by using the development version I could have a test at the 2.0 branch, but I'm a little frightened to test it in my production environment...

I just want to correct my words because I don't want users on the list to misunderstand my meaning: I think the CVS code is certainly stable enough now to be used, but I need to install my new radius server quickly and I don't currently have time to adapt my setup to the new 2.0 code.

> I think I'll use the CVS code on my backup server.

I'll really do, because testing and reporting is also a way to contribute.

Thanks to all developers for this great work.

Thibault
Re: What kind of error in client-cert using EAP?
> I don't know if my chiming in will make a difference or not. But windows can authenticate with a machine certificate or a user certificate. If you're doing the machine certificates, please say so, I'm a little confused as to what exactly you are doing now.

I don't know if you're asking this of me or of Alexandros.

The setup I propose corresponds to a machine authentication (Windows XP authenticates automatically at startup time) and not to a user authentication. The complete setup is explained in this previous post: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg28499.html

I thought this was Alexandros's case as well, as he wrote:

> I do only a machine-authentication, every machine which has a valid cert can connect to the network... I write the explicit hostname in the users file

Alexandros, do you confirm that you are not trying to authenticate the user, but only the host at boot time?

Thibault
Re: What kind of error in client-cert using EAP?
> Hi, it works now. Thanks Thibault, you saved my day, again! :-)

You're welcome.

> > - the extension SubjectAltName must contain the Netbios name of the PC (I think)
>
> This had no meaning in my tests. Anyway, there must be chosen a type of that field. Did you take DNS-Name, Email or Raw?

I use DNS-Name.

> I took now DNS-Name, but in another case there was an email in that field and the system authenticates without problems. So I think you can leave this field out.

Ok.

> > I've seen that you integrate the emailaddress in the subject (an option in TinyCA): can you disable this?
>
> Yupp, this was the mistake. It is somehow on by default. I switched it off and created new certs as you wrote and the XP Machine works now too. Hell, I gonna print your mail and hang it in front of me.

> > The problem is that Microsoft doesn't describe exactly how certificates must be generated in order to have host authentication, nor how the EAP request is made (using host/Netbios-name as the identity). This is because (I presume) they want us to use IAS and their certificate management software. This is ok, but are the certificates _exactly_ generated in the same way?
>
> Obviously not. As I made the same mistake over and over again.
>
> I have now only the problem of one W2K Machine, not even asking the Radius-Server.

I'm not sure this will be an issue on the radius server.

> I assume it's some kind of incompatibility of drivers or NIC.

I don't think so. I think it's Windows XP that doesn't recognize the host certificate as a valid one because its subject doesn't match exactly the netbios name of the host.

> Thanks for your help: Have that for your trouble: http://www.engelbraeu.de/images/bierkiste.gif

Thanks, could you send me a fridge as well to keep them fresh... It's hot in my office today ;-).

Thibault.