RE: ipad ssl error in free radius

2013-09-19 Thread John Carter
John,

 

The iPhone Configuration Utility can do remote debugging with iPads; it
helped me diagnose some EAP-TLS issues.

 

John.

 

From: freeradius-users-bounces+jcarter=identitynetworks@lists.freeradius.org
[mailto:freeradius-users-bounces+jcarter=identitynetworks.com@lists.freeradius.org] On Behalf Of val john
Sent: 19 September 2013 05:28
To: FreeRadius users mailing list
Subject: ipad ssl error in free radius

 

Hi guys,

We are getting the following error in our radius log when an iPad tries to
connect to our WiFi network; our WiFi network uses EAP-TTLS + LDAP
authentication.

All other devices (Linux, Windows, Mac OS 10.8, SUSE, Android) are
working fine apart from iPads.

Error 
===

Tue Sep 17 13:36:25 2013 : Error: TLS Alert read:warning:close notify
Tue Sep 17 13:36:25 2013 : Error: TLS_accept: failed in SSLv3 read
client certificate A
Tue Sep 17 13:36:25 2013 : Error: rlm_eap: SSL error error:140940E5:SSL
routines:SSL3_READ_BYTES:ssl handshake failure
Tue Sep 17 13:36:25 2013 : Error: SSL: SSL_read failed in a system call
(-1), TLS session fails.
Tue Sep 17 13:36:25 2013 : Auth: Login incorrect (TLS Alert
read:warning:close notify): [u...@ihk.com] (from client ManagementAPs port 1
cli 00-88-65-42-50-88)

Do you guys have any idea what causes this issue?

Thank you 

John

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread John Carter
Hi,

I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
doesn't.

Is there anything I'm missing? The problem appears to be that the client
doesn't send over the client cert. I know Windows is very fussy with what
it accepts as a cert for EAP-TLS, but I'm confused as to why it works for
one and not the other.

Mon Sep 16 12:56:55 2013 : Info: [tls] Length Included
Mon Sep 16 12:56:55 2013 : Info: [tls] eaptls_verify returned 11
Mon Sep 16 12:56:55 2013 : Info: [tls] (other): before/accept
initialization
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: before/accept
initialization
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 005a],
ClientHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 read client
hello A
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 0031],
ServerHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write server
hello A
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 053e],
Certificate
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write
certificate A
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 000d],
CertificateRequest
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write
certificate request A
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 flush data
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: Need to read more
data: SSLv3 read client certificate A
Mon Sep 16 12:56:55 2013 : Debug: In SSL Handshake Phase
...
Mon Sep 16 12:57:00 2013 : Debug: WARNING:
!!
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! EAP session for state
0x7c569f3d755a860c did not finish!
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
Mon Sep 16 12:57:00 2013 : Debug: WARNING:
!!
Mon Sep 16 12:57:00 2013 : Info: Ready to process requests.

radius.log: http://pastebin.com/9fBdxfYt
eap.conf: http://pastebin.com/7dL69pmQ
inner-tunnel: http://pastebin.com/BGzJSKz0

Thanks,

John.

-- 
John Carter
Identity Networks
jcar...@identitynetworks.com
skype:jcartermeru

Re: EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread John Carter
Thanks Martin,

I had already changed this in the config, but it led me to the real issue,
which was that I'd added an eap inner-eap section to my eap.conf, but I
also had a modules/inner-eap file from the default config. When I removed
the modules/inner-eap file it all works fine.

Thanks again,
John.



On 17 September 2013 08:46, Martin Kraus lists...@wujiman.net wrote:

 On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
  I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
  EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
  doesn't.

 Hi.

 make fragment_size in modules/inner-eap smaller than fragment_size in
 eap.conf

 I've got 1200 in inner-eap and 1400 in eap.conf

 cheers
 mk




-- 
John Carter
Identity Networks
jcar...@identitynetworks.com
skype:jcartermeru
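As an added illustration (not code from either thread above), here is a small Python triage script for radius.log lines in the format quoted in the iPad and Windows 7 threads: it parses each line, labels the TLS error messages, counts failed logins per calling-station MAC and picks out "EAP session ... did not finish" warnings. The sample lines are constructed from the excerpts above; the user name and MAC addresses are made up.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on the radius.log excerpts quoted in the threads
# (user and calling-station MACs are invented; the OpenSSL code and EAP state are from the posts).
SAMPLE_LOG = """\
Tue Sep 17 13:36:25 2013 : Error: TLS Alert read:warning:close notify
Tue Sep 17 13:36:25 2013 : Error: TLS_accept: failed in SSLv3 read client certificate A
Tue Sep 17 13:36:25 2013 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Tue Sep 17 13:36:25 2013 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Tue Sep 17 13:36:25 2013 : Auth: Login incorrect (TLS Alert read:warning:close notify): [user@example.com] (from client ManagementAPs port 1 cli 00-11-22-33-44-55)
Tue Sep 17 13:36:41 2013 : Auth: Login incorrect (TLS Alert read:warning:close notify): [user@example.com] (from client ManagementAPs port 1 cli 00-11-22-33-44-55)
Tue Sep 17 13:37:02 2013 : Auth: Login OK: [alice] (from client ManagementAPs port 1 cli 66-77-88-99-AA-BB)
Tue Sep 17 13:37:30 2013 : Debug: WARNING: !! EAP session for state 0x7c569f3d755a860c did not finish!
Tue Sep 17 13:37:30 2013 : Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
"""

# "Tue Sep 17 13:36:25 2013 : Error: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
# "Login incorrect (reason): [user] (from client NAME port N cli MAC)"
LOGIN_RE = re.compile(
    r"^Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)")
EAP_UNFINISHED_RE = re.compile(r"EAP session for state (?P<state>0x[0-9a-f]+) did not finish")

# Substrings of Error-level messages mapped to a coarse label; labels are this script's own.
TLS_CAUSES = [
    ("close notify", "client_closed_handshake"),          # peer sent close_notify during the handshake
    ("read client certificate", "client_certificate_not_read"),  # server was waiting for the client cert
    ("ssl handshake failure", "handshake_failure"),
]


def parse_line(line):
    """Split one radius.log line into timestamp, level and message (None if it is not a log line)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "level": m.group("level"),
        "msg": m.group("msg"),
    }


def classify_tls(msg):
    """Return a coarse cause label for a TLS/EAP error message, or None if it is not one."""
    low = msg.lower()
    for needle, label in TLS_CAUSES:
        if needle in low:
            return label
    return None


def triage(log_text):
    """Summarise TLS errors, per-MAC login failures and unfinished EAP sessions in a log."""
    summary = {
        "tls_causes": Counter(),
        "login_failures": Counter(),              # failed logins per calling-station (cli) MAC
        "failure_reasons": defaultdict(Counter),  # cli MAC -> reason -> count
        "login_ok": 0,
        "unfinished_eap_states": [],
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["level"] == "Error":
            cause = classify_tls(msg)
            if cause:
                summary["tls_causes"][cause] += 1
        elif rec["level"] == "Auth":
            m = LOGIN_RE.match(msg)
            if not m:
                continue
            if m.group("result") == "OK":
                summary["login_ok"] += 1
            else:
                cli = m.group("cli") or "unknown"
                summary["login_failures"][cli] += 1
                summary["failure_reasons"][cli][m.group("reason") or ""] += 1
        else:
            m = EAP_UNFINISHED_RE.search(msg)
            if m:
                summary["unfinished_eap_states"].append(m.group("state"))
    return summary


def repeated_failures(summary, threshold=2):
    """Calling-station MACs whose failed-login count reaches the threshold (sorted)."""
    return sorted(cli for cli, n in summary["login_failures"].items() if n >= threshold)


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("TLS causes:", dict(s["tls_causes"]))
    print("unfinished EAP sessions:", s["unfinished_eap_states"])
    print("devices failing repeatedly:", repeated_failures(s))
```

A device that keeps failing the same way (here: two close_notify failures from one MAC) is usually a supplicant that does not trust the server certificate, which is where the Certificate_Compatibility wiki page pointed to in the log comes in.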

New/updated dictionary files for Meru and Trapeze

2013-03-28 Thread John Carter
Hi,

 

Please find attached a brand-new Meru dictionary file and an updated Trapeze
dictionary file (updated based on 2.2.0). 

 

Do you want diffs?

 

Regards,

 

John.

 

 
Attachments: dictionary.trapeze, dictionary.meru

RE: New/updated dictionary files for Meru and Trapeze

2013-03-28 Thread John Carter
Sorry, never used Git. Is it essential?

-Original Message-
From: freeradius-users-bounces+jcarter=identitynetworks@lists.freeradius.org
[mailto:freeradius-users-bounces+jcarter=identitynetworks.com@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: 28 March 2013 14:42
To: FreeRadius users mailing list
Subject: Re: New/updated dictionary files for Meru and Trapeze


On 28 Mar 2013, at 10:35, John Carter jcar...@identitynetworks.com wrote:

 Hi,
  
 Please find attached a brand-new Meru dictionary file and an updated
Trapeze dictionary file (updated based on 2.2.0).
  
 Do you want diffs?
  

No... a pull request on GitHub would be nice though :)

-Arran



Logging Access-Challenge in detail log

2012-12-05 Thread John Carter
Hi,

We're using 2.1.12.

We require a full log of everything that gets sent between a controller and
freeradius.

We've configured detail.log, inner-tunnel and default to log
authentications and replies which work for us, but is there any way to also
log Access-Challenge? I've read some very old posts that haven't helped.

Thanks,

John.

-- 
John Carter
Identity Networks
jcar...@identitynetworks.com

Huawei WiMax ASN-GW FreeRadius as AAA

2009-06-26 Thread Paul Carter-Brown
Hi,

I am looking to utilise FreeRadius as the AAA infrastructure behind a
Huawei WASN-Gateway on a bleeding edge WiMax network we have implemented
for low cost VOIP in Africa. I was wondering if anyone on the forum has
experience with Freeradius on WiMax and would be able to help us achieve
this on a paid-for basis? Work would be remote via VPN into our
infrastructure, or you could join us in Uganda!

Let me know if anyone could help with this, or even just point me in the
right direction. Unfortunately we don't have capacity in our current
team to do this and are looking for someone to jumpstart the effort.

Thanks so much
Paul
CIO Smile Communications
www.smilecoms.com




hot spot, each additional minute scenario

2005-08-05 Thread Will Carter
Hi,

I am wondering if anyone out there has implemented freeradius in a wifi
hotspot where you bill a user's credit card for a certain amount of time
that they purchase upfront, and then for each additional minute that they
want to continue, it's an additional charge per minute?

I am kind of hung up on how the additional minutes can be added for a user
in freeradius in conjunction with how the credit card processing would work
in this type of scenario.

Currently we have it so that once the user hits their expiration in radius,
they have to buy more time to keep going.

Any ideas would be great.

-will




RE: newbie questions using freeradius as wifi access point

2005-07-30 Thread Will Carter
  Can you give me another hint as to how I can get the rlm_expiration
  functionality?
 
   What I said was:
 
   The server core supplies that functionality.
 
   You don't need the module.

Ok, understood.

However, the reason I was thinking along the lines of needing the
rlm_expiration module is because of information in this post:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-June/044785.html

Tomas 'tt' krag tt at krag.org wrote:
 Unfortunately as Joachim Bloche pointed out in a mail Session-Timeout
 not set with pending Expiration on this list, it seems that Freeradius
 does NOT set the Session-Timeout based on an Expiration date in the
 future.

Same problem I am having.

Alan DeKok aland at ox.org wrote:
 That's not good.
 I've fixed the CVS head, and will take a look into doing this in 1.0.x
 Alan DeKok.

Does this mean that you fixed this Session-Timeout not set with pending
Expiration bug in the core? I do not understand what fixed in the CVS
head means.

Jaco van Tonder jaco at alwayson.co.za wrote:
 The rlm_expiration module in the latest CVS DOES include code to set the
 session-timeout and it actually works.

Hmm. That sounded good.
Also, this sounded good from the radiusd/doc/rlm_expiration doc:

 Module to expire user accounts.
 This module can be used to expire user accounts. Expired users receive
 an Access-Reject on every authentication attempt.
 use  Expiration := 23 Sep 2004 12:00
 The nas will receive a Session-Timeout attribute calculated to kick
 the user off when the Expiration time occurs.

This is exactly what I want.
So, at this point, I was thinking that I needed this rlm_expiration module
so that my nas will get a session-timeout.

Alan DeKok aland at ox.org wrote:
 The feature is part of 1.0.4, and you don't need another module.  If
 it doesn't work, file a bug.

I am hesitant to file a bug. Firstly, because I don't know how to and would
probably not do it correctly. Secondly, with what Jaco van Tonder says, it
seems to be addressed with this rlm_expiration module, which I realize goes
against what you just said. I don't want to file a bug that isn't valid and
waste more of anyone's time.

So now, my next step is to figure out how to file this as a bug. Would you
agree?

Thanks,
will




RE: newbie questions using freeradius as wifi access point

2005-07-29 Thread Will Carter
Please take a look here...
http://wcarter.webitects.com/freeRadiusDebug.html

This url outlines what I did and has links to the terminal output with each
command.

I executed these commands...
$ cvs -d :pserver:[EMAIL PROTECTED]:/source login
$ cvs -d :pserver:[EMAIL PROTECTED]:/source co -r release_1_0
radiusd

now I have a radiusd folder with what seems like all the files I need to
compile.

executing this configure...
./configure --localstatedir=/var --sysconfdir=/etc
--with-mysql-include-dir=/usr/include/mysql
--with-mysql-lib-dir=/usr/lib/mysql --with-mysql-dir=/usr/bin/mysql
--with-experimental-modules 
configure debug

make

make install



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, July 29, 2005 12:12 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 Is it correct to say that after I successfully execute the 2 commands
above
 that I should have a set of code that I need to compile with configure,
 make, and make install?

  Yes.  This is *exactly* how 1.0.4 was created.  It's just a tar
file from that process.

  When I attempt this, I get a set of files but am not successful at
 compiling them.

  Are you willing to say what errors you're seeing?

  Alan DeKok.





RE: newbie questions using freeradius as wifi access point

2005-07-29 Thread Will Carter
Hmmm...looked at it again. In my terminal I see errors/warnings that are not
appearing in the txt file when I do something like...

make > configure.txt

How do I get the error/warning messages to appear in the text file?

-will

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, July 29, 2005 4:02 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 Please take a look here...
 http://wcarter.webitects.com/freeRadiusDebug.html
 
 This url outlines what I did and has links to the terminal output with
each
 command.

  Which doesn't show any errors or problems.

  So... I'm not sure what to tell you.

  Alan DeKok.




RE: newbie questions using freeradius as wifi access point

2005-07-29 Thread Will Carter
doesn't start. There are no files in my /etc/raddb at this point.
-will

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Julius
Igugu
Sent: Friday, July 29, 2005 4:27 PM
To: FreeRadius users mailing list
Subject: RE: newbie questions using freeradius as wifi access point 

I think you have successfully compiled and installed FreeRADIUS.

Try, radiusd -X

--- Will Carter [EMAIL PROTECTED] wrote:

 Please take a look here...
 http://wcarter.webitects.com/freeRadiusDebug.html
 
 This url outlines what I did and has links to the terminal output with
each
 command.
 
 I executed these commands...
 $ cvs -d :pserver:[EMAIL PROTECTED]:/source login
 $ cvs -d :pserver:[EMAIL PROTECTED]:/source co -r release_1_0
 radiusd
 
 now I have a radiusd folder with what seems like all the files I need to
 compile.
 
 executing this configure...
 ./configure --localstatedir=/var --sysconfdir=/etc
 --with-mysql-include-dir=/usr/include/mysql
 --with-mysql-lib-dir=/usr/lib/mysql --with-mysql-dir=/usr/bin/mysql
 --with-experimental-modules 
 configure debug
 
 make
 
 make install
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Alan
 DeKok
 Sent: Friday, July 29, 2005 12:12 PM
 To: FreeRadius users mailing list
 Subject: Re: newbie questions using freeradius as wifi access point 
 
 Will Carter [EMAIL PROTECTED] wrote:
  Is it correct to say that after I successfully execute the 2 commands
 above
  that I should have a set of code that I need to compile with configure,
  make, and make install?
 
   Yes.  This is *exactly* how 1.0.4 was created.  It's just a tar
 file from that process.
 
   When I attempt this, I get a set of files but am not successful at
  compiling them.
 
   Are you willing to say what errors you're seeing?
 
   Alan DeKok.
 
 
 
 


Julius Igugu
SouthWork Co. Ltd.








RE: newbie questions using freeradius as wifi access point

2005-07-29 Thread Will Carter
I am not sure what I am looking for but it appears something is going wrong
after the make command. I did not continue to make install.

These happen after ./configure...

configure: WARNING: FAILURE: rlm_eap_peap requires:  OpenSSL.
configure: WARNING: FAILURE: rlm_eap_tls requires:  OpenSSL.
configure: WARNING: FAILURE: rlm_eap_ttls requires:  OpenSSL.
configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.
configure: WARNING: FAILURE: rlm_sql_postgresql requires:  libpq-fe.h libpq.

This is at the very end after the make command
gmake[4]: *** [client.o] Error 1
gmake[4]: Leaving directory `/root/radiusd/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/root/radiusd/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/radiusd/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/root/radiusd'
make: *** [all] Error 2

the full log is here:
http://wcarter.webitects.com/log.txt

from ./configure ...
to
make

I very much appreciate your help!

-will

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, July 29, 2005 4:49 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 doesn't start. There are no files in my /etc/raddb at this point.

  Then the build and/or make install failed.

$ script log.txt
$ configure 
$ make
$ make install

  If you see errors at any point DO NOT go to the next step.  You
should be able to post a summary of the errors in a message to the
list.

  Alan DeKok.





RE: newbie questions using freeradius as wifi access point

2005-07-29 Thread Will Carter
You are absolutely right, I was careless to overlook the cvs
command...stupid.

Anyways, I was successful at compiling the release_1_0 branch and I can
run that version of the freeradius server now.

BUT, my problem still remains, as is discussed here:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-June/044785.html

It seems that there is no rlm_expiration module in the version that I just
got: cvs release_1_0 branch.

I looked in /radiusd/src/modules and don't see it.

Does this sound correct? If so, how can I get a build that will compile and
has the rlm_expiration module?

Thanks again.
-will

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, July 29, 2005 5:56 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 This is at the very end after the make command
 gmake[4]: *** [client.o] Error 1
 gmake[4]: Leaving directory `/root/radiusd/src/main'
 gmake[3]: *** [common] Error 2

  The real errors are above that.

 the full log is here:
 http://wcarter.webitects.com/log.txt

  You appear to NOT have followed the instructions.  You have a copy
of the latest CVS version, not the release_1_0 branch.

  I've fixed a minor problem in the CVS head, but that doesn't solve
the problem that you haven't followed directions.

  Alan DeKok.





RE: newbie questions using freeradius as wifi access point

2005-07-29 Thread Will Carter
Hmm...I am trying hard to understand, but am not doing so well. 

Can you give me another hint as to how I can get the rlm_expiration
functionality?

Here's a question: when I visit
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/
I see an rlm_expiration module.
Do I somehow get it from there?

Hmm... and if I visit here...
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_expiration/
I see that this was added like six weeks ago.

-will

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, July 29, 2005 7:39 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 It seems that there is no rlm_expiration module in the version that I just
 got: cvs release_1_0 branch.

 That's because it doesn't exist in that branch.  The server core
supplies that functionality.

  Alan DeKok.





RE: newbie questions using freeradius as wifi access point

2005-07-28 Thread Will Carter
I tried this (adding the with-static-modules=expiration) when configuring.
Am I barking up the wrong tree?

./configure 
--localstatedir=/var 
--sysconfdir=/etc
--with-mysql-include-dir=/usr/include/mysql
--with-mysql-lib-dir=/usr/lib/mysql
--with-mysql-dir=/usr/bin/mysql
--with-experimental-modules
--with-static-modules=expiration

I don't seem to have this 'rlm_expiration' folder or the files underneath it.
Why could this be?

/freeradius-1.0.2/modules/rlm_expiration/.libs/rlm_expiration.a

am 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Wednesday, July 27, 2005 7:17 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 The Max-All-Session attribute is working great if I want to allow a user
to
 buy a block of time and they can use it in increments. But say I want a
user
 to be able to buy a block of time that will expire at a certain time
 regardless of how long they spend online during that time.
 
 Can you give me an idea of the direction I should go to accomplish this?

  Login-Time, or Expiration.  See the README's.

  Alan DeKok





RE: newbie questions using freeradius as wifi access point

2005-07-28 Thread Will Carter
freeradius-1.0.2

I noticed that the docs I was looking at that mentioned rlm_expiration were
for a different version. So that explains why I wouldn't have that module.

I still should be able to make an insert into radcheck such as the following
and expect my nas to get a session-timeout, correct?

insert into radcheck
(username, attribute, op, value)
values ('testUser','Expiration',':=','25 May 2006 15:31')

seems that I am having the same sort of problem as this post.
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-March/042308.html

any ideas?

-will

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Thursday, July 28, 2005 1:04 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 When I configured the freeradius install I used
--with-experimental-modules.
 
 So, I checked out what rlm*.so modules are in
 /usr/local/lib/
 
 rlm_expiration is not there

  Which version of the server are you running?

  Alan DeKok.



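To make the expected behaviour concrete, here is an added Python model (not FreeRADIUS source code) of what the rlm_expiration doc quoted earlier in this thread describes: an Expiration check item such as the radcheck row inserted above rejects the user once the date has passed and otherwise yields a Session-Timeout that ends the session at that time. The radcheck/radreply rows, user names and clock values are constructed; taking the smaller of an existing radreply Session-Timeout and the computed one is this example's own choice.

```python
from datetime import datetime

# Constructed rows in the (username, attribute, op, value) shape of the radcheck INSERT above.
RADCHECK = [
    ("testUser", "Expiration", ":=", "25 May 2006 15:31"),
    ("bob", "Expiration", ":=", "25 May 2006 15:31"),
    ("carol", "Cleartext-Password", ":=", "not-checked-here"),  # no Expiration row
]
# Constructed radreply rows; bob already has a fixed Session-Timeout reply item.
RADREPLY = [
    ("bob", "Session-Timeout", ":=", "600"),
]

# Date layouts accepted for the Expiration value ("25 May 2006 15:31" as in the post,
# or a bare date, which is treated as midnight).
DATE_FORMATS = ("%d %b %Y %H:%M", "%d %b %Y")


def parse_expiration(value):
    """Parse an Expiration check-item value into a datetime; ValueError if it fits no layout."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    raise ValueError("unparseable Expiration value: %r" % value)


def authorize(username, now, radcheck=RADCHECK, radreply=RADREPLY):
    """Model the Expiration check: returns (packet type, reply attributes).

    Only the Expiration check item is evaluated here; password checks and other
    check items are outside the scope of this example.
    """
    check = {attr: val for (user, attr, _op, val) in radcheck if user == username}
    reply = {attr: val for (user, attr, _op, val) in radreply if user == username}
    expiration = check.get("Expiration")
    if expiration is None:
        return "Access-Accept", reply
    expires_at = parse_expiration(expiration)
    if now >= expires_at:
        # Expired users get an Access-Reject on every attempt, with no reply items.
        return "Access-Reject", {}
    remaining = int((expires_at - now).total_seconds())
    if "Session-Timeout" in reply:
        # Never lengthen a timeout that the reply already carries (example's own rule).
        remaining = min(remaining, int(reply["Session-Timeout"]))
    reply["Session-Timeout"] = str(remaining)
    return "Access-Accept", reply


if __name__ == "__main__":
    clock = datetime(2006, 5, 25, 15, 0)  # constructed "now": 31 minutes before expiry
    for user in ("testUser", "bob", "carol"):
        print(user, authorize(user, clock))
    print("testUser after expiry:", authorize("testUser", datetime(2006, 5, 25, 15, 31)))
```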


RE: newbie questions using freeradius as wifi access point

2005-07-28 Thread Will Carter
I installed version 1.0.4 reconfigured and tried again. Still getting the
same issue. Any ideas?

Thanks,
will

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Thursday, July 28, 2005 1:04 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 When I configured the freeradius install I used
--with-experimental-modules.
 
 So, I checked out what rlm*.so modules are in
 /usr/local/lib/
 
 rlm_expiration is not there

  Which version of the server are you running?

  Alan DeKok.





RE: newbie questions using freeradius as wifi access point

2005-07-28 Thread Will Carter
I apologize for posting again.

Am I correct in thinking that this issue has been addressed after the 1.0.4
release? This post is making me think this.
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-June/044769.html

Am I correct to think that if I install one of the nightly builds that is
after the 1.0.4, then this issue should be addressed. I actually tried to
install the 07282005 snapshot but it wouldn't compile.

Thanks and please excuse my ignorance. Any info you can provide would be
greatly appreciated.

will


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Will
Carter
Sent: Thursday, July 28, 2005 1:35 PM
To: 'FreeRadius users mailing list'
Subject: RE: newbie questions using freeradius as wifi access point 

freeradius-1.0.2

I noticed that the docs I was looking at that mentioned rlm_expiration were
for a different version. So that explains why I wouldn't have that module.

I still should be able to make an insert into radcheck such as the following
and expect my nas to get a session-timeout, correct?

insert into radcheck
(username, attribute, op, value)
values ('testUser','Expiration',':=','25 May 2006 15:31')

seems that I am having the same sort of problem as this post.
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-March/042308.html

any ideas?

-will

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Thursday, July 28, 2005 1:04 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 When I configured the freeradius install I used
--with-experimental-modules.
 
 So, I checked out what rlm*.so modules are in
 /usr/local/lib/
 
 rlm_expiration is not there

  Which version of the server are you running?

  Alan DeKok.







RE: newbie questions using freeradius as wifi access point

2005-07-28 Thread Will Carter
Ok, now I am completely into new territory. Never did a cvs checkout before.
Learn something new every day.

Just to be clear before I keep going down this track...

My underlying problem is that I am setting an Expiration value in radcheck,
but a Session-Timeout in line with the Expiration value I inserted is not
being returned in the authorization reply.

Based on this post:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-June/044769.html

I believe that a fix was made to this problem that is not in the 1.0.4
release and somehow I have to get my hands on a version of freeradius that
has the fix (the rlm_expiration module is in there).

Am I correct?

Thanks,
-will

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Thursday, July 28, 2005 5:23 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 Am I correct to think that if I install one of the nightly builds that is
 after the 1.0.4, then this issue should be addressed. I actually tried to
 install the 07282005 snapshot but it wouldn't compile.

  Hmm... that's not good.  Anyways, the latest snapshots change a
*lot* more than you need.  I suggest doing a cvs checkout yourself:

$ cvs -d :pserver:[EMAIL PROTECTED]:/source login
blah
$ cvs -d :pserver:[EMAIL PROTECTED]:/source co -r release_1_0
radiusd

  Should get you 1.0.4 with a few fixes.

  Alan DeKok.




RE: newbie questions using freeradius as wifi access point

2005-07-28 Thread Will Carter
Ok, I am not getting this to work after numerous tries and am feeling
frustrated and ignorant. 

$ cvs -d :pserver:[EMAIL PROTECTED]:/source login
$ cvs -d :pserver:[EMAIL PROTECTED]:/source co -r release_1_0
radiusd

Is it correct to say that after I successfully execute the 2 commands above
that I should have a set of code that I need to compile with configure,
make, and make install? When I attempt this, I get a set of files but am not
successful at compiling them.
 
Thanks and I appreciate your patience or advice you can give.
-will

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Thursday, July 28, 2005 5:23 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 Am I correct to think that if I install one of the nightly builds that is
 after the 1.0.4, then this issue should be addressed. I actually tried to
 install the 07282005 snapshot but it wouldn't compile.

  Hmm... that's not good.  Anyways, the latest snapshots change a
*lot* more than you need.  I suggest doing a cvs checkout yourself:

$ cvs -d :pserver:[EMAIL PROTECTED]:/source login
blah
$ cvs -d :pserver:[EMAIL PROTECTED]:/source co -r release_1_0
radiusd

  Should get you 1.0.4 with a few fixes.

  Alan DeKok.




RE: newbie questions using freeradius as wifi access point

2005-07-27 Thread Will Carter
Thanks for pointing in the right direction with rlm_sqlcounter. I think I
have it working correctly, but I am not seeing how the following situation
can be accounted for.

The Max-All-Session attribute is working great if I want to allow a user to
buy a block of time and they can use it in increments. But say I want a user
to be able to buy a block of time that will expire at a certain time
regardless of how long they spend online during that time.

Can you give me an idea of the direction I should go to accomplish this?

Thanks again for the help and please excuse my ignorance as I am just
muddling through this.

Thanks,
will

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, July 18, 2005 4:35 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 1. I have a separate database from radius that authenticates the user's
 login/password. I delete all rows from radcheck for this user. I
delete
 all rows from radreply for this user. I add back a radcheck record and
 radreply session-timeout record that corresponds to how much time left
that
 they have paid for. Now I log them in (using an xml command to my nas).

  Wow... why not just use the sqlcounter module, which keeps track
of all of this for you?

 The underlying problem with this set up is that

  ... it's unnecessarily complicated.

  Alan DeKok.





radius and clients.conf?

2005-07-19 Thread Will Carter
It seems that when I start radius in debug mode, it is correctly reading my
clients.conf file, but when I start it normally, it is not recognizing my
nas device. It's as if it's not reading the correct clients.conf. Any ideas
why this would be?
-will




newbie questions using freeradius as wifi access point

2005-07-18 Thread Will Carter
Hi,

First, sorry for the long post...

I am new to radius in general and freeradius and am attempting to set up a
credit card based wifi access point where you can buy time to surf the
internet for certain allotments of time. The configuration should kick them
off when their allotted paid-for time expires and redirect them to a web page
so that they can buy more time.

I have some questions about the progress we have made and would very much
appreciate any information anyone could provide.

I apologize for any ignorance or assumptions about how the set up would
work, as I am just fumbling through.

I have set up freeradius on a linux server and I have it successfully
talking to a mySQL database that has radcheck, radreply, radacct tables,
etc. I am able to use the natradping utility to get accept/reject messages
from it based on entries in radcheck.

I have a NAS device (nomadix ag-2000w) that I can get to correctly
recognize a wireless laptop and authenticate against entries in the radius
database.

I am sending a session-timeout attribute in my reply message and my nas is
correctly coming up with an expiration time based on that.

Basically my process is like this.

Login:
1. I have a separate database from radius that authenticates the user's
login/password. I delete all rows from radcheck for this user. I delete
all rows from radreply for this user. I add back a radcheck record and
radreply session-timeout record that corresponds to how much time left that
they have paid for. Now I log them in (using an xml command to my nas). My
nas correctly reports the expire time based on the session-timeout that I
inserted. After the user is logged in, I add another row to radcheck that is
an auth-type reject. This is so that when the nas time expires and it tries
to reauthenticate with radius, it will get a reject message and not allow
surfing to continue. I believe this is the wrong way to be doing things and
I think radacct is the table for this but I do not understand how that table
fits in or if the nas device is supposed to be inserting into radacct or
what. My question here is that should I be using radacct in some way to
influence the reject/accept response when the session times out for the
user.

By the way, if the user tries to login again, they won't be hit with the
auth-type reject in their response because I am clearing out radcheck and
radreply first.

User is trying to add time:
I update my non-radius database with how much time they have purchased. I
log the user out of my nas device (using an xml command). I delete
everything from radcheck and radreply for this user. I add back a radcheck
record for this user. I add a session-timeout record to radreply for this
user that corresponds to how much additional time they just purchased. I log
the user back in, resyncing the nas with the session-timeout in radius.
After they are logged in again I add back an auth-type reject to radcheck so
that when their time runs out again they will be kicked off.

The underlying problem with this set up is that the order of the
logout/login/insert reject into radcheck bits seem not to happen in order. I
am issuing xml commands to my nas to do the login/logout. So sometimes it
seems that the logout happens after the login xml command or the login
happens after the reject row is inserted, effectively blocking the user
incorrectly.

Basically, I would like some advice as to where I am going wrong in the
process and what is the correct way that radacct comes into play. I have my
nas set up to have accounting enabled and I see radacct getting written to
but I don't understand how AcctStartTime, AcctStopTime comes into play
although that looks interesting. Any guidance here would be great.

Thanks for any info or direction you can provide.
-will





Re: Freeradius, Cisco Catalyst 2950, Windwos Domain

2005-05-04 Thread Coates Carter
Marco's observations about XP's supplicant behavior are true.
Microsoft made a rather poor implementation of 802.1x in Windows XP.   
By default, XP does not respond to a 1x challenge, or attempt a 1x  
logon until the user enters credentials into GINA.  This is  
unfortunate, because the host may require network access prior to  
this point.  For example, a host joined to an AD domain will need to  
reach the AD controller in order to authenticate the user, but  
Microsoft's 1x supplicant will not yet have attempted a 1x logon.   
Nor will Windows have responded to a 1x challenge from the network.   
The port will be in an unauthorized state, so Windows will be unable  
to authenticate the user to AD.

Cisco provides a solution for this problem, with the directive (dot1x  
guest-vlan 555).  If an attached host is unresponsive to 1x  
challenges within a configurable timeout (dot1x timeout tx-period  
15), the port will be placed into a state similar to authorized, but  
assigned to the configured guest vlan.  This works fine for non-1x  
hosts, such as printers, but creates a headache on XP hosts, because  
of the host's DHCP client timeout, etc.

Windows XP also has a solution for this problem, which Marco was  
struggling with in this thread.  The Network Connections ->  
Properties -> Authentication tab has an option Authenticate as  
computer...  That option, along with a Supplicant Mode registry  
key tweak will cause XP to behave more like the Supplicant PAE State- 
Machine described in the IEEE standard, though not wholly so.  It  
appears that the Authenticate as computer... option is the only way  
to pre-authenticate the network port.

Pre-authenticate, in my environment, means to place the port into an  
authenticated state, but in a tightly limited vlan.  Hosts can reach  
nothing from this vlan, except the AD controller.  The Authenticate  
as computer... option accomplishes this very well.

The problem with the Authenticate as computer... option is that it  
requires integration with Active Directory.  You cannot choose one  
auth type for as computer... and another for the normal user  
login.  The as computer... option uses the NT hostname and secret  
within the PEAP/MSCHAP conversation.  It would be difficult to make  
those AD hostnames/passwords available to freeradius, so freeradius  
must proxy these requests to a Microsoft Authentication Server.

That is exactly what I'm doing, and it is working well enough...   
however I'm not happy about this forced dependence upon a Microsoft  
service, which has already shown some odd behavior and signs of  
unreliability.  It bothers me that the great and flexible freeradius  
must bow to IAS.

I would like to simply accept all of these requests, and assign them  
into the restricted vlan.  I have no need to authenticate them  
against AD, or at all.  My purpose is to have XP behave properly, not  
to authenticate some service account on each host.  If only I could  
configure rlm_eap to always EAP-Accept these host/hostname.domainname  
requests, I could avoid this overly complex scenario.  I haven't  
found configuration directives that would allow this.  I cannot send  
an Access-Accept, because the NAS is expecting an EAP-Accept.

Does anyone know whether rlm_eap can be directed to immediately  
return success for an EAPOL-Start in an Access-Request packet?

Thanks,
Coates Carter
University of Richmond, Virginia




From freeradius-users@lists.freeradius.org  Mon Oct  4 09:37:15 2004
From: freeradius-users@lists.freeradius.org (M.Cerqui - PUBLISHERIA)
Date: Mon, 04 Oct 2004 10:37:15 +0200
Subject: Freeradius, Cisco Catalyst 2950, Windwos Domain
Message-ID: [EMAIL PROTECTED]
-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Montag, 4. Oktober 2004 17:52
To: freeradius-users@lists.freeradius.org
Subject: Re: Freeradius, Cisco Catalyst 2950, Windwos Domain
M.Cerqui - PUBLISHERIA [EMAIL PROTECTED] wrote:
> Are you sure with this?

  If configured correctly, yes.

> The catalyst and Freeradius don't even move a bit before a
> successful windows login if I only use this use user information
> from windows login option.

  So you've configured the AP & windows machine to NOT use FreeRADIUS
for authentication.

> Only when I activate Authenticate as computer when information is
> available the Freeradius Server does something before a
> successful login.

  Since you're not going to post the debug log to explain what does
something means, even after you were asked to post it, I really help
you.

  Alan DeKok.
-Original Message-
Hello
I'm now trying more than a week to find a solution for my needs:
Equipment: Windows XP Client, Cisco Catalyst 2950, Freeradius Server

RE: FR help

2004-11-02 Thread Arley Carter
Consultants and nominal fees are oxymorons.
Where are you located?
-arc

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roy G Davis
  Sent: Tuesday, November 02, 2004 3:27 PM
  To: [EMAIL PROTECTED]
  Subject: FR help

  ok, i give up.
  i have been trying to configure FR for months now.
  can someone on the list please recommend a consultant etc who can help
  me for a nominal fee.
  i have FR 1.0.0, RH AS 3, mySQL 4.0.21. i have basics working just not
  the particulars.
  i have several NAS boxes all PIX firewalls. i want to be able to
  restrict access by NAS IP address, Calling Station Id. i have a campus
  LDAP server i want to use for authentication except for certain
  exceptions that will be maintained locally inside mysql db. i also want
  to return certain ACLs. i think i would prefer 'groups' for each NAS/pix.


Re: Is there some kind of trick to make Cisco LEAP work???

2004-09-03 Thread Coates Carter
Richard,
Thanks for that input, it sounds very straightforward to me.  I'll try  
your patches on Tuesday (Monday is a holiday here).  Have you brought  
this up with Cisco?  If not, I will open a case next week.  I'd like to  
know whether Cisco's leap/eap developers intended for the ID to not  
increment-- or whether they've made a mistake against their own  
standard.

I'd like to use the same freeradius server for WLSE/APs as for other  
non-LEAP clients, such as TLS/PEAP.  Since your patch to rlm_eap.c  
should only kick in when reply->type.type == PW_EAP_LEAP, there should  
be no problem, wouldn't you say?

Thanks again,
Coates Carter
University of Richmond
On Sep 1, 2004, at 6:04 AM, Richard Timsit wrote:
James,
We have gotten LEAP to work with Cisco access points.  My last posting
on the subject might help if you haven't gotten there yet...

However, we have not been able to get LEAP for Cisco's WDS worked out.
All of the access points in the group authenticate successfully, but
the WLSE does not.
Yes, WLSE is not running exactly like an access point :-((
Comparing the answer of Cisco server radius ACS who authenticates
WLSE and access points, with freeradius, we can see that ACS doesn't
increment the EAP ID as said in doc/rfc/leap.txt :
-
 4. RS->AP: Access-Challenge/EAP Success (with EAP id++)
   + State (may be different than the state sent in 2)
-
So with this first patch in
freeradius-1.0.0/src/modules/rlm_eap/types/rlm_eap_leap :

-------
--- rlm_eap_leap.c.FCS	2004-08-16 18:29:23.0 +0200
+++ rlm_eap_leap.c	2004-08-16 18:34:25.0 +0200
@@ -147,7 +147,10 @@
 		/*
 		 *	Do this only for Success.
 		 */
-		handler-eap_ds-request-id = handler-eap_ds-response-id + 1;
+		 	 /* RT   Oops WLSE don't like CISCO LEAP standard
+		handler-eap_ds-request-id = handler-eap_ds-response-id + 1; */
+
+		handler-eap_ds-request-id = handler-eap_ds-response-id ;
 		handler-eap_ds-set_request_id = 1;

 		/*
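Review bot: the new assignment `handler-eap_ds-request-id = handler-eap_ds-response-id ;` is unconditional, so every EAP Success this module builds now reuses the Response's id, for every LEAP peer and not only the WLSE; against the id++ in step 4 of doc/rfc/leap.txt this silently changes behaviour for the access points that already authenticate, and reusing one Identifier for two consecutive server packets loses the request/response pairing the field exists for. Put the change behind a configuration option or a per-client condition, drop the commented-out original line (version control keeps it), and replace the `RT Oops` comment with one that states the ACS behaviour being matched.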
 
---


The WLSE accepts the response of freeradius and sends an
Access-Request/EAP Request/LEAP.

But in stage 6 the WLSE does not accept the SUCCESS response of RS if
the normal id++, so I made a second patch of eap.c in
freeradius-1.0.0/src/modules/rlm_eap :
 
---

--- eap.c.FCS	2004-08-16 18:25:05.0 +0200
+++ eap.c	2004-08-16 18:28:47.0 +0200
@@ -393,6 +393,16 @@

 	hdr-code = (reply-code  0xFF);
 	hdr-id = (reply-id  0xFF);
+	
+	/* RT  Oops WLSE don't like CISCO LEAP Standard ... so we make as ACS  
do
 */
+	if((reply-code == PW_EAP_RESPONSE) 
+   (reply-type.type == PW_EAP_LEAP) 
+	   (reply-type.length == 30)) { hdr-id -= 1 ;}
+
+DEBUG2(  rlm_eap: RT Modif EAP-Type = %d EAP-LENGTH = %d,
+		   reply-type.type,reply-type.length);
+/* END MODIF RT */
+			
 	total_length = htons(total_length);
 	memcpy(hdr-length, total_length, sizeof(uint16_t));
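Review bot: the `hdr-id -= 1` adjustment is keyed on the magic value `reply-type.length == 30` with no comment saying which LEAP message that length identifies (the covering text says stage 6), and as pasted the three sub-conditions have no logical operator between them and the DEBUG2 format string is unquoted, so the hunk will not compile as shown. Give the length a named constant, write the conjunction out explicitly, and move the DEBUG2 inside the `if`, since as placed it logs for every EAP packet the module composes, not only the adjusted one. Decrementing the id on the wire after it was recorded in the handler also means the logged request id and the sent one differ, which deserves a comment for whoever reads the debug output later.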

 
---


Since I have freeradius working with thousands of users with many
protocols, I made a rogue_radius with these 2 bad patches listening on
port 1645 only for Cisco WDS !!!


Richard Timsit
SIC STI, EPFL Lausanne
1015 Ecublens, SUISSE
(021) 693 22 35
[EMAIL PROTECTED]


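The Identifier convention the thread had to establish by hand-comparing debug logs (leap.txt step 4 with EAP id++ versus ACS keeping the Response's id, which is what the WLSE accepts), as an added Python example that is not code from the list or from FreeRADIUS: it builds both constructed exchanges and classifies which convention a captured exchange follows. The EAP-LEAP body layout (type, version, reserved, count, data, name), the peer name and the filler challenge/response bytes are assumptions.

```python
import struct

# EAP codes and types (RFC 3748 numbering; 17 is LEAP)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
EAP_TYPE_IDENTITY, EAP_TYPE_LEAP = 1, 17
LEAP_VERSION = 1


def eap(code, ident, payload=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) then payload."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def leap_body(data, name):
    """EAP-LEAP type data; layout assumed here: type, version, reserved, count, data, name."""
    return bytes([EAP_TYPE_LEAP, LEAP_VERSION, 0, len(data)]) + data + name


def parse(pkt):
    """Return (code, id, type), rejecting a Length field that disagrees with the bytes."""
    if len(pkt) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length %d does not match %d bytes on the wire" % (length, len(pkt)))
    return code, ident, (pkt[4] if length > 4 else None)


def leap_exchange(success_increments_id):
    """Constructed six-step LEAP exchange following the step list in leap.txt.

    success_increments_id=True models step 4 as documented (EAP id++);
    False models what the thread observed from Cisco ACS (id unchanged).
    Challenge/response bytes are constructed filler, not real MS-CHAP values.
    """
    name = b"wlse"                  # assumed peer name
    ap_challenge = bytes(range(8))  # 8-byte LEAP challenge (filler)
    response = bytes(range(24))     # 24-byte LEAP response (filler)
    steps = [
        eap(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + name),  # 1 AP->RS Identity
        eap(EAP_REQUEST, 2, leap_body(ap_challenge, name)),        # 2 RS->AP challenge
        eap(EAP_RESPONSE, 2, leap_body(response, name)),           # 3 AP->RS response
        eap(EAP_SUCCESS, 3 if success_increments_id else 2),       # 4 RS->AP Success
    ]
    sid = parse(steps[-1])[1]
    steps.append(eap(EAP_RESPONSE, sid, leap_body(ap_challenge, name)))  # 5 AP->RS peer challenge
    steps.append(eap(EAP_RESPONSE, sid, leap_body(response, name)))      # 6 RS->AP server response
    return steps


def classify_success_id(steps):
    """Which Identifier convention does the server side of this exchange follow?

    'leap.txt' : Success id == preceding Response id + 1 (doc/rfc/leap.txt step 4)
    'acs'      : Success id == preceding Response id (what the WLSE accepts)
    'unknown'  : anything else, including no Success seen
    """
    prev_response_id = None
    for pkt in steps:
        code, ident, _ = parse(pkt)
        if code == EAP_RESPONSE:
            prev_response_id = ident
        elif code == EAP_SUCCESS and prev_response_id is not None:
            if ident == (prev_response_id + 1) & 0xFF:
                return "leap.txt"
            if ident == prev_response_id:
                return "acs"
            return "unknown"
    return "unknown"


if __name__ == "__main__":
    for flag in (True, False):
        print("Success id++ =", flag, "->", classify_success_id(leap_exchange(flag)))
```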


Re: Is there some kind of trick to make Cisco LEAP work???

2004-08-31 Thread Coates Carter
James,
We have gotten LEAP to work with Cisco access points.  My last posting  
on the subject might help if you haven't gotten there yet...

http://lists.freeradius.org/pipermail/freeradius-users/2004-August/035601.html

However, we have not been able to get LEAP for Cisco's WDS worked out.   
All of the access points in the group authenticate successfully, but  
the WLSE does not.  I've looked carefully at the debug output on  
freeradius as well as the debug output on the master Access Point.   
Freeradius debug shows that most of the EAP transaction takes place  
normally.  The initial Access-Request, the Identity challenge, the  
Access-Request response to that, and the new Access-Challenge from  
radiusd are all just fine.  But... the supplicant (WLSE) does NOT  
answer that final Access-Challenge... at all.  Freeradius debug shows  
no indication of error or mis-configuration.

Following this, I scrutinized the radius debug output on the master  
Access Point.  In one test, the AP pointed to the freeradius server.   
In a second test, the AP pointed to a cisco ACS server (on another AP).  
 Comparing the debug output from these two tests revealed only a small  
(but significant) difference.

The ACS server and freeradius return nearly identical attributes.  The  
first difference is that in the first Access-Challenge, ACS returns  
Session-Timeout integer of value 10.  Freeradius does not return this  
attribute by default.  I'll have it return that attribute in the next  
test.  I doubt that is the problem, but you never know.

More significant is the value of State in each Access-Challenge.
The ACS server sends a State with 48 octets of data, like this...
3C CE 0B C2 1F C4 EC 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
4A 8B 02 C7 5F 73 30 72 79 4C BE 81 58 77 08 FC
Freeradius sends a State with 16 octets of data, like this...
08 69 18 A9 AF 56 71 B1 2C E9 A9 2A 35 CA D9 94
The RFC on this attribute (  
http://www.freeradius.org/rfc/rfc2865.html#State ) says the value is  
application specific, and I'm not sure which module produces it, how to  
decode it, etc.  But it seems clear to me that this is the fly that  
choked the horse (Cisco's WLSE leap/eap/radius client being the horse).

Can someone who understands the nuances of this State value please help?
 freeradius-1.0.0
 Red Hat Enterprise Linux AS release 3 (Taroon Update 2)
 openssl-0.9.7a-33.4.i686.rpm
 openldap-2.2.13  (on localhost)
Thanks,
Coates Carter
University of Richmond
 
...

James D. Munroe [EMAIL PROTECTED] wrote:
> Has anyone tried or successfully been able to get Cisco-Leap to work
> using FreeRadius?

  Lots of people.  That's why the feature is there.  It's been used
for over a year now.

  If you can't get LEAP to work, I suggest running the server in
debugging mode, and reading the FAQ about statements like it doesn't
work on this list.

  LEAP works.  If it doesn't work in your setup, debug mode will tell
you why.

  Alan DeKok.
..
James D. Munroe   [EMAIL PROTECTED]
 Fri, 25 Jun 2004 17:32:22 -0300 (ADT)
Hello,
Has anyone tried or successfully been able to get
Cisco-Leap to work using FreeRadius?
Components: - Cisco AIR-AP1230B-A-K9 Access Points running IOS 12.2.15
Freeradius 0.9.3 installed from the Redhat ES 3.0 RPM, running on a  
Redhat ES 3.0
Server

If so, would it be possible to get sanitized copies of your Freeradius  
configuration files (radiusd.conf, users, clients.conf, etc...)?   
Authentication to the AP itself using radius works perfectly, have even  
setup EAP-TLS and it works perfectly!!  But leap is a no good...

It's not a configuration issue on the Access Points themselves.  Leap  
works fine when used against Cisco ACS (v3.2.3).  However, for security  
reasons and cost of course we would like to use Freeradius for outside  
hosts rather than expose our internal ACS server.

Also, I have been unable to get the WDS service working between the  
AP's and Cisco's WLSE.  I'm not surprised since it uses Leap.  It  
does work though with CiscoACS...but Freeradius is a no go. :-(

Any help would be greatly appreciated!!
Thanks,
Jim


RE: LEAP, LDAP NT-password

2004-08-27 Thread Coates Carter
Thanks Matt Sapp,  

I hadn't seen this before, and it solved my latest problem.  Apparently the 0x prefix lets the appropriate rlm know that the value is already a hash, not to recalculate.  I tried the following three simplified examples to demonstrate that what you said is true

#raddb/users
#This did not work
testy	NT-Password := foobar, Auth-Type := eap
Service-Type = Login-User,
Fall-Through = No

#This did not work
testy	NT-Password := BAAC3929FABC9E6DCD32421BA94A84D4, Auth-Type := eap
Service-Type = Login-User,
Fall-Through = No

#This DID work
testy	NT-Password := 0xBAAC3929FABC9E6DCD32421BA94A84D4, Auth-Type := eap
Service-Type = Login-User,
Fall-Through = No


#radiusd.conf
authorize {
preprocess
detail
files
}
authenticate {
Auth-Type ldap {
ldap1
eap
}
eap
}

freeradius-1.0.0
Red Hat Enterprise Linux AS release 3 (Taroon Update 2)
openssl-0.9.7a-33.4.i686.rpm
openldap-2.2.13  (on localhost)

Coates Carter
University of Richmond







> I'm currently storing NT-Password hashes in a MySQL database, and they
> had to be in the format of 0xblahblahblah..  Authentication wouldn't
> work until I started storing them prefixed with the 0x.  I'm not sure
> if they'd need to be in the same format in LDAP, but you might give that
> a try.

-Matt
MNU Internet System Administrator
MNU Network Security Administrator

Re: Autz-Type not working as expected

2004-08-20 Thread Coates Carter
Thanks Alan DeKok for pointing out the obvious that the Autz-Type 
directive is meaningless until the authorize section has had a hit at 
'files'.  You got me over that hurdle.

However, I am now experiencing a problem that I saw Kostas Kalevras and 
Ron Wahler discussing back in April.  I couldn't find their resolution 
in the archive.

As I mentioned earlier, my ultimate goal is use rlm_ldap to 
authenticate the user without the initial search for the user.You 
say...

> Then don't list ldap in the authorize section.
Well, now I have...
DEFAULT	Ldap-UserDN := `cn=%{User-Name},dc=richmond,dc=edu`, Auth-Type = ldap

authorize {
files
}
authenticate {
Auth-Type ldap {
ldap1
}
}
...and the whole thing works, except it's still doing the initial 
bind-and-search...

rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=richmond,dc=edu/xxx to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=richmond,dc=edu, with filter 
(cn=ccarter)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: cn=ccarter,dc=richmond,dc=edu
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as cn=ccarter,dc=richmond,dc=edu/ to 
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user ccarter authenticated succesfully

This happens contrary to the last bit of advice in 
doc/freeradius-1.0.0/rlm_ldap.

Any suggestions?
Thanks,
Coates

On Aug 20, 2004, at 2:55 PM, Alan DeKok wrote:
Coates Carter [EMAIL PROTECTED] wrote:
> The Autz-Type directive doesn't seem to behave the way I would expect,
> based upon what I read in doc/freeradius-1.0.0/Autz-Type .

  Autz-Type is applied after the authorize section has been processed.

> In raddb/users...
> DEFAULT Ldap-UserDN := `uid=%{User-Name},,dc=richmond,dc=edu`,
> Auth-Type = ldap, Autz-Type = ldap
> If raddb/radiusd.conf has...
> ...
> authorize {
> Autz-Type ldap {
> ldap1
> }
> #ldap1
> }

  You haven't listed files, so the users file will never be used,
and the Autz-Type will never be set.

> However if I change raddb/radiusd.conf so that...
> authorize {
> #Autz-Type ldap {
> #   ldap1
> #}
> ldap1
> }
> ... Then radiusd flows successfully through authorize and authenticate.

  Because the ldap module sets Auth-Type := LDAP, if it wasn't
already set.

> Ultimately, I want to prevent rlm_ldap from doing the initial ldap
> search for the user, as described in
> doc/freeradius-1.0.0/rlm_ldap and just move on through to the
> authentication part--- where rlm_ldap binds as the user.

  Then don't list ldap in the authorize section.

  Alan DeKok.



Do I have unneeded modules enabled?

2004-05-21 Thread Chelsea Carter
Hi again. First off, thanks Alan, your tips got me going in the right direction. 
Unfortunately I don't get to play with radius very much so it takes me a bit to get 
back in gear after 2 years.

Second, am I running some things I don't need here? This shows my lack of understanding 
of how this system even works but here's what I see.

I'm authing off mysql... no realms, no accounting, and in ./radiusd -X we see we are 
loading (see below for output) realms, files, detail, system, unix, radutmp, etc.

Can any of this be excluded because I'm not using it?

Thanks
Chelsea



Module: Instantiated sql (sql)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = (null)
 unix: group = /etc/group
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)




Re: RE. question about linked libraries

2004-05-19 Thread Chelsea Carter

thanks so much!

Turns out I didn't have the devel installed, and no wonder, I didn't
install mysql, it came with the os (I'm assuming it was an rpm)

Anyways, Thanks!

I remember having a test application that would test your server. Sound
familiar?

Thanks again.

Chelsea



On 12/31/1969, Shannon Sariman [EMAIL PROTECTED] wrote:

Hi Chelsea,

Instead of doing it the tedious way, try installing the mysql-development package 
that comes with your mysql source version. For example, on my machine I have all 
these installed:

MySQL-3.23.58-1
MySQL-devel-3.23.58-1
MySQL-client-3.23.58-1

Depending on what version of MySQL you have, you must install its development 
package and its corresponding client package if you want FreeRadius to compile with 
MySQL.

So, once your machine has at least all three packages above (matching your MySQL 
version) then, you can compile Freeradius with MySQL using ../configure. Also, when 
FreeRadius is compiling, check for the lines :

checking for mysql/msql.h... yes
checking for mysql_init in -lmysqlclient... yes

If you get a no for the above two lines then you are missing the devel package. But 
of course, installing the above three (or two, assuming you already have the MySQL 
source installed) packages will give you a yes for the two lines above.

Once the compilation is done, you can go ahead and configure the rest of 
FreeRadius and MySQL. 

Please also visit the following URL:

http://www.frontios.com/freeradius.html

Cheers,

Shannon Sariman (Mr.)
Lae City, Papua New Guinea






stage 2 : errors

2004-05-19 Thread Chelsea Carter

Ok, I'm having this problem,

Wed May 19 21:06:42 2004 : Error: Invalid operator for item Password:
reverting to '=='

I'm not sure if this is why good usernames and passwords are rejecting.


I did some searching and found this thread where alan was helping someone
with a similar problem...

http://lists.cistron.nl/pipermail/freeradius-devel/2002-August/003249.html

Problem is, I don't understand where this == or = is located at or even
where to go to fix it. Could it be a value returned by my database?

I'm using an old radiusd.conf and sql.conf

Here's my old server, which I am trying to duplicate for backup purposes.

radiusd: FreeRADIUS Version 0.5, for host i586-pc-linux-gnu, built on May
24 2002 at 09:28:10

here's some data I get from radiusd -X that looks relevant:

rlm_sql: The 'op' field for attribute 'Password = pepper' is NULL, or
non-existent.
rlm_sql: You MUST FIX THIS if you want the configuration to behave as you
expect.

rlm_sql: The 'op' field for attribute 'Framed-Compression =
Van-Jacobson-TCP-IP' is NULL, or non-existent.
rlm_sql: You MUST FIX THIS if you want the configuration to behave as you
expect.


I have a feeling something may have changed since 2002 when I configured
this last time ;)

Any ideas?



Thanks

Chelsea



Simultaneous logins / Time logged in

2004-01-13 Thread Ty Carter
Is there a way to only allow one login, per open session???

I'm trying to assist my client in his ISP to accomplish two things:

1  Disallow multiple logins from more than one person while online.
2  Limit online time to a specified time limit; if it is exceeded then they are
disconnected.

I was told FreeRadius may be of some service.

Client is using PM-3 Remote Access Servers.

Any suggestions would be appreciated.

If you want to reply off list, then send to
tmcarter(removethis)@ultrastat.com

Regards,

Ty Carter


