Re: IPv6 Pool
I updated my ippool table to increase the length of the varchar. Then I set the Pool-Name attribute to an IPv6 pool. I set this up in the mysql base:

radcheck
6 | testadsl-sagem-ds-1 | Pool-Name | := | poolipv6

radippool
5 | poolipv6 | 2a0a:8e80:0400:0202::/64 | | | | NULL | | | |
6 | poolipv6 | 2a0a:8e80:0400:0203::/64 | | | | NULL | | | |
7 | poolipv6 | 2a0a:8e80:0400:0204::/64 | | | | NULL | | | |
8 | poolipv6 | 2a0a:8e80:0400:0205::/64 | | | | NULL | | | |

But I got this result:

[sqlippool] Invalid IP number [2a0a:8e80:0400:0202::/64] returned from database query.

Should I change the Pool-Name attribute? Is there an attribute trigger for IPv6?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IPv6 Pool
> You may be able to re-use the module, just with a different configuration.

Is there a way to change the %reply returned by rlm_sqlippool?
Re: IPv6 Pool
Ok, thanks for the reply.

> Not right now. I'd suggest writing SQL queries to handle that. The
> sql_ippool module should be able to do it, if the queries are updated.

I aim to use the module to manage an IPv4 pool and an IPv6 prefix pool. Do you think I should update the module or create another one? Actually, I'm pretty lost and I don't know where to start.
IPv6 Pool
Hello,

I'm running FreeRadius 2.1.12 and I would like to know if it is able to manage an IPv6 address pool. I would like my freeradius to provide an IPv6 Prefix to the clients. If so, could you point me the way to do it? I checked ip_pool and sql_ippool with no luck.

Best regards,

William
Re: I need your help!!!!
Hi Fajar and friends.

What I need is that once a user is authenticated, another person (identity theft) cannot use the same user to authenticate to another machine. What I do is, when this happens, the second authentication attempt is rejected, so the user may only be online from one client, not both at the same time. Let me explain better? Thank you all.

- Original message -
From: "Guillermo William Llanes Suárez"
To: "FreeRadius users mailing list"
Sent: Saturday, 17 December 2011 8:35:08
Subject: Re: I need your help

Hello Fajar and friends. What I need is that once a user is already authenticated, no other person (identity theft) can use that same user to authenticate on another machine. What I want to do is, when this happens, have the second authentication attempt rejected, that is, the user can only be online from one client, not from two at the same time. Do I explain myself better? Thank you all.

- Original message -
From: "Fajar A. Nugraha"
To: "FreeRadius users mailing list"
Sent: Friday, 16 December 2011 15:35:33
Subject: Re: I need your help

2011/12/17 Guillermo William Llanes Suárez :
> Hello Friends:
> I am writing to give me ideas on how to apply the following policy in
> freeradius:
> - I need a user is only registered at the same time just one time, so when
> the user is registered with that other users can not register.

That doesn't make sense.

> I hope I misunderstand.
> Thank you very much.

Do you mean simultaneous use? If yes, check the list archive. There's a long thread about it recently.

--
Fajar

End the injustice, FREEDOM NOW FOR OUR FIVE COMPATRIOTS WHO ARE UNJUSTLY HELD IN US PRISONS!
http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com
Re: I need your help!!!!
Hello Fajar and friends. What I need is that once a user is already authenticated, no other person (identity theft) can use that same user to authenticate on another machine. What I want to do is, when this happens, have the second authentication attempt rejected, that is, the user can only be online from one client, not from two at the same time. Do I explain myself better? Thank you all.

- Original message -
From: "Fajar A. Nugraha"
To: "FreeRadius users mailing list"
Sent: Friday, 16 December 2011 15:35:33
Subject: Re: I need your help

2011/12/17 Guillermo William Llanes Suárez :
> Hello Friends:
> I am writing to give me ideas on how to apply the following policy in
> freeradius:
> - I need a user is only registered at the same time just one time, so when
> the user is registered with that other users can not register.

That doesn't make sense.

> I hope I misunderstand.
> Thank you very much.

Do you mean simultaneous use? If yes, check the list archive. There's a long thread about it recently.

--
Fajar
I need your help!!!!
Hello Friends:

I am writing to ask for ideas on how to apply the following policy in freeradius:

- I need a user to be registered only one time at the same time, so when the user is registered, other users can not register with that user.

I hope I misunderstand. Thank you very much.
Re: force_check_config - how to use?
According to Alan DeKok on Thu, 01/20/11 at 09:23:
>
> How does the server know that some random module will expand some
> random string in the configuration file?
>
> FYI, it's possible to have "%{...}" in a string which *isn't*
> dynamically expanded.

I think we are having a misunderstanding here. I don't disagree with what you say above.

> > Proper _syntax_ checking
> > would have caught this gnarly typo. Discovering the actual problem was
> > made more difficult by admins assuming that -XC was more than the above
> > described superficial configuration test. Thank you for your responses.
>
> The only way to test run-time expansions is by running packets through
> the server.

This is true - but this is not my current issue.

> If you have a *patch* which helps, great. Until then...

You said yourself to not look at the source code. Patches are unlikely in that atmosphere.

My point: _syntax_ checking for valid _syntax_ at a time _other_ than run time _is_ _possible_ without having to go the extra mile of semantic checking, as in, variable expansion. I am not talking about variable expansion, since that is only possible by running packets through the server (at run time).

Since I am not allowed to inspect the source code, I would not have been able to discover the following comments relevant to this thread:

conffile.c - Yep I should learn to use lex & yacc, or at least write a decent parser.
conffile.c - FIXME: Add support for ${foo:-bar}, like in xlat.c
conffile.c - The parser is getting to be evil.
conffile.c - I really really really hate this file.
conffile.c - More sanity checking. This is getting to be a horrible hack.
conffile.c - yuck...
xlat.c - Did I mention that this parser is garbage?

If my employer would permit, and if you would allow me to look at the source, I would be happy to supply a patch. Neither of these are likely to happen in any event. This thread was created to shed some light on the issue. I do appreciate your comments. Thanks again. :-)

Regards,

web...
--
William Bulley
Email: w...@umich.edu
72 characters width template ->|
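The point argued above, that an unbalanced "%{...}" can be rejected by a syntax-only pass before any packet arrives, as an added stand-alone illustration that is not FreeRADIUS code (function and enum names are assumed; it is deliberately stricter than the server's own xlat parser in that a "}" with no open "%{" is an error), run over the shipped ntlm_auth line and the administrator's typo from this thread:

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not FreeRADIUS code. A syntax-only pass over an
 * xlat-style string: nothing is expanded, so it could run at
 * "radiusd -XC" time. It only checks that "%{" and "}" are balanced.
 * Assumed rule (stricter than the real 2.x parser): a "}" with no open
 * "%{" is an error, which is exactly what catches the typo in this thread.
 */
enum xlat_check {
    XLAT_OK = 0,
    XLAT_UNCLOSED_BRACE,    /* "%{" never closed */
    XLAT_STRAY_CLOSE,       /* "}" with no open "%{" */
    XLAT_TRAILING_PERCENT,  /* string ends right after '%' */
    XLAT_EMPTY_EXPANSION    /* "%{}" */
};

/* Check s; if where is non-NULL it receives the offset of the first problem. */
enum xlat_check xlat_check_syntax(const char *s, size_t *where)
{
    size_t len = strlen(s), i = 0, bad = 0;
    int depth = 0;
    enum xlat_check rc = XLAT_OK;

    while (i < len && rc == XLAT_OK) {
        if (s[i] == '%') {
            if (i + 1 >= len) {
                rc = XLAT_TRAILING_PERCENT; bad = i;
            } else if (s[i + 1] == '{') {
                if (i + 2 < len && s[i + 2] == '}') {
                    rc = XLAT_EMPTY_EXPANSION; bad = i;
                }
                depth++;
                i += 2;
            } else {
                i += 2;     /* "%%" or a one-letter expansion such as %U */
            }
        } else if (s[i] == '}') {
            if (depth == 0) {
                rc = XLAT_STRAY_CLOSE; bad = i;
            }
            depth--;
            i++;
        } else {
            i++;
        }
    }
    if (rc == XLAT_OK && depth > 0) {
        rc = XLAT_UNCLOSED_BRACE; bad = len;
    }
    if (where) *where = bad;
    return rc;
}

/* Offset of the first problem, or (size_t)-1 when the string is accepted. */
size_t xlat_error_offset(const char *s)
{
    size_t where;
    return xlat_check_syntax(s, &where) == XLAT_OK ? (size_t)-1 : where;
}

const char *xlat_check_name(enum xlat_check rc)
{
    switch (rc) {
    case XLAT_OK:               return "ok";
    case XLAT_UNCLOSED_BRACE:   return "unclosed %{";
    case XLAT_STRAY_CLOSE:      return "stray }";
    case XLAT_TRAILING_PERCENT: return "trailing %";
    case XLAT_EMPTY_EXPANSION:  return "empty %{}";
    }
    return "unknown";
}

/* The shipped ntlm_auth line and the typo from this thread (leading brace dropped). */
static const char *NTLM_AUTH_GOOD =
    "/path/to/ntlm_auth --request-nt-key "
    "--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} "
    "--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}";
static const char *NTLM_AUTH_TYPO =
    "/path/to/ntlm_auth --request-nt-key "
    "--username=%mschap:User-Name:-None} "
    "--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}";

int main(void)
{
    const char *lines[] = { NTLM_AUTH_GOOD, NTLM_AUTH_TYPO };
    for (size_t n = 0; n < 2; n++) {
        size_t where;
        enum xlat_check rc = xlat_check_syntax(lines[n], &where);
        printf("%s: %s", rc == XLAT_OK ? "accept" : "reject", xlat_check_name(rc));
        if (rc != XLAT_OK && where < strlen(lines[n]))
            printf(" at offset %zu ('%c')", where, lines[n][where]);
        printf("\n");
    }
    return 0;
}
```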
Re: force_check_config - how to use?
According to Alan DeKok on Thu, 01/20/11 at 04:09:
>
> > This was changed by an administrator to --username=%{mschap:User-Name:-None}
> > except that the leading left brace ("{") was omitted... :-(
>
> That's a run-time expansion. Checking the config won't help.

I got that. See below.

> > My question: is there any way to parse and check the "value" of the
> > ntlm_auth variable in the modules/mschap file for valid syntax?
>
> No. It can only be checked by running the server.

You are partly right. See below.

> > It doesn't seem that this ntlm_auth variable was expanded when the config
> > file was read.
>
> It's not. It's expanded at *run time*, when the server receives a packet.

True. The variable expansion can only occur at run time.

> No. "-XC" succeeding means that the configuration is *superficially*
> OK. It's not a substitute for doing functional tests.

Clearly. :-)

> The ntlm_auth line is expanded at run time, using data taken from the
> packet. That is the *only* time that the server can discover an error.
> It can't discover the error when it loads the configuration, because
> the server core doesn't know which strings should be expanded, and what
> data should be put in the expansion.

This is true: the ntlm_auth line is expanded at run time. My question in this thread is for the consideration of more thorough _syntax_ checking - without expansion - during the -XC process. Proper _syntax_ checking would have caught this gnarly typo. Discovering the actual problem was made more difficult by admins assuming that -XC was more than the above described superficial configuration test. Thank you for your responses.

Regards,

web...
--
William Bulley
Email: w...@umich.edu
Re: force_check_config - how to use?
According to Alan DeKok on Wed, 01/19/11 at 13:57:
>
> I *think* it's something you can add to a module configuration to
> force it to instantiate itself. Normally, when "radiusd -C" is used,
> the SQL module is skipped, because checking the config doesn't mean
> opening 50 sockets to the SQL server. Adding "force_check_config=yes"
> will make modules like SQL instantiate themselves, including opening 50
> sockets to the SQL server.

Thanks. I came across this while trying to debug a gnarly situation with the mschap module. The configs in modules/mschap include at the end:

#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

This was changed by an administrator to

--username=%{mschap:User-Name:-None}

except that the leading left brace ("{") was omitted... :-(

The output of radiusd -XC concluded that "Configuration appears to be OK." when in fact mschap authentications could never recover the User-Name when ntlm_auth was given

--username=%mschap:User-Name:-None}

to deal with...

My question: is there any way to parse and check the "value" of the ntlm_auth variable in the modules/mschap file for valid syntax?

Inside cf_item_parse() in src/main/conffile.c there is a PW_TYPE_STRING_PTR case of the switch statement. In this case there is the following comment:

/*
 * Expand variables which haven't already been
 * expanded automagically when the configuration
 * file was read.
 */

It doesn't seem that this ntlm_auth variable was expanded when the config file was read. After this comment is an if statement "if (value == dflt)" which, if true, results in a call to cf_expand_variables() passing the above ntlm_auth string value as "value". It appears to me that this if statement will never be true, since the default value for ntlm_auth is NULL, so any string value (right hand side of ntlm_auth variable) will not be NULL, nor will the pointers match. And if they did, what is the purpose of expanding a variable which is NULL?

The net result is that the human error (see typo above) was not discovered while configuration checking with -XC, which gave a false positive indication. Very confusing...

Regards,

web...
--
William Bulley
Email: w...@umich.edu
force_check_config - how to use?
About twenty months ago, a commit to src/main/modules.c occurred with the following comment:

Allow administrators to force_check_config

There is a check inside find_module_instance() in that file for a value pair of that name with a value of "yes":

cp = cf_pair_find(cs, "force_check_config");
if (cp) value = cf_pair_value(cp);
if (value && (strcmp(value, "yes") == 0)) goto print_inst;
cf_log_module(cs, "Skipping instantiation of %s", instname);

The use of force_check_config doesn't seem to be documented anywhere. The only hits on Google are from the above commit. I have searched back three years on this list for the string force_check_config to no avail.

I assume I need to have a force_check_config value pair with a value of "yes" somewhere in the request, but I don't know how to make that happen. Any pointers would be appreciated. Thanks.

Regards,

web...
--
William Bulley
Email: w...@umich.edu
eapclient
Hello,

Is the FreeRADIUS-provided EAP test client able to simulate a TLS client?

Bill
Re: Can't get LEAP working [beginner]
It appears you have your Auth-Type set to EAP (Auth-Type = EAP) in your users file. Do not set the Auth-Type; the RADIUS server is smart enough to figure it out based on the Access-Request packet. Just set your user with the following:

UserName Cleartext-Password := "password"

Sincerely,

William Burnett
burnet...@gmail.com

On Fri, Oct 29, 2010 at 11:57 AM, David Jea wrote:
> Hi,
>
> I installed freeradius and have radtest passed. Playing with it with Cisco
> gears. The system includes freeRadius (ip: 60.60.0.9 on vlan 660) and Cisco
> controller(ip: 60.62.0.11)/AP (on vlan 662). Using a Windows 7 laptop +
> Intel 6200 wifi chipset as the client.
>
> I understand LEAP is not secure, but it is simple, so this is just to see
> if they can all work together. However, the client was unable to connect. Here
> are the debug outputs from 'radiusd -X'. Please let me know if you have some
> clues on what might go wrong.
>
> Thank you,
>
> David
>
>
> r...@djea-ubuntu:/usr/local/etc/raddb#
> r...@djea-ubuntu:/usr/local/etc/raddb# radiusd -X
> FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Oct 27 2010
> at 00:44:31
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...
Re: Toggle Calling-Station-Id check item based on Framed-Protocol?
Thinking this over I may have thought of a solution, but if anyone can suggest something better let me know...

I write another SQL module, call it sql_ppp, and change the query so that it omits any records with an attribute == Calling-Station-Id, and then use unlang to call that module when Service-Type == PPP.

Unless there's a way to use unlang to strip the check item, I don't know how else to accomplish this.

Sincerely,

William Burnett
burnet...@gmail.com

On Fri, Oct 15, 2010 at 4:21 PM, William Burnett wrote:
> Hello all..
>
> I'm trying to setup my Radius server so that it will map MAC addresses
> to TTLS user/pass for 802.1x. I have that part working fine. The
> problem is, the same user/pass pair I'm also using for the clients'
> PPPoE authentication.
>
> I want the Calling-Station-Id to be verified when an EAP/TTLS session
> is being authenticated, but I don't want to check the
> Calling-Station-Id when the PPPoE session is authenticating. This is
> because the TTLS device is known and controlled by me, the PPPoE
> device may be any MAC address that I don't want to have to maintain a
> list of.
>
> My question is, using unlang is there an option to delete a check item
> attribute based on another attribute?
>
> IE:
>
> if (Framed-Protocol == PPP) {
>     update-control {
>         Calling-Station-Id !*   # Not sure if I'm using the !* operator properly here
>     }
> }
>
> That code just yields errors, but that's essentially what I'm trying to do...
>
> Sincerely,
>
> William Burnett
> burnet...@gmail.com
Toggle Calling-Station-Id check item based on Framed-Protocol?
Hello all..

I'm trying to setup my Radius server so that it will map MAC addresses to TTLS user/pass for 802.1x. I have that part working fine. The problem is, the same user/pass pair I'm also using for the clients' PPPoE authentication.

I want the Calling-Station-Id to be verified when an EAP/TTLS session is being authenticated, but I don't want to check the Calling-Station-Id when the PPPoE session is authenticating. This is because the TTLS device is known and controlled by me, the PPPoE device may be any MAC address that I don't want to have to maintain a list of.

My question is, using unlang is there an option to delete a check item attribute based on another attribute?

IE:

if (Framed-Protocol == PPP) {
    update-control {
        Calling-Station-Id !*   # Not sure if I'm using the !* operator properly here
    }
}

That code just yields errors, but that's essentially what I'm trying to do...

Sincerely,

William Burnett
burnet...@gmail.com
Re: Additional Restrictions for users
Alright, glad I asked, I've been trying different variations for half an hour. I ended up just creating an if - elsif statement since I only had three static groups, but thought the regexp model would be less taxing than processing each if statement.

if (Service-Type == "Login-User") {
    if (SQL-Group == "ssh-admin") {
        update control {
            Auth-Type := "Accept"
        }
    }
    elsif (SQL-Group == "ssh-write") {
        update control {
            Auth-Type := "Accept"
        }
    }
    elsif (SQL-Group == "ssh-read") {
        update control {
            Auth-Type := "Accept"
        }
    }
    else {
        update control {
            Auth-Type := "Reject"
        }
    }
}

Thanks again for the pointers.

Sincerely,

William Burnett
burnet...@gmail.com

On Mon, Sep 27, 2010 at 11:41 AM, Alexander Clouter wrote:
> William Burnett wrote:
>>
>> Thanks that helped, I've got the conditions to match. However I've
>> setup multiple groups:
>>
>> ssh-admin
>> ssh-read
>> ssh-write
>>
>> and want to use a regexp to match anything containing ssh-* to allow
>> those users to authenticate instead of multiple lines matching each
>> value. Can I use regex matching with SQL-Group ?
>>
>> The following seems to be evaluated as "ssh.*" and not anything
>> containing "ssh.."
>>
>> if (!SQL-Group =~ /ssh.*/ && (Service-Type == "Login-User")) {
>> .reject }
>>
> Does not work like that. You will need to construct a SQL xlat
> statement that does the check for you, so:
>
> if ("%{sql:SELECT }" ) {
>
>
> or however SQL modules function, I'm an LDAP man myself.
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Are you a turtle?
Re: Additional Restrictions for users
Alan,

Thanks that helped, I've got the conditions to match. However I've setup multiple groups:

ssh-admin
ssh-read
ssh-write

and want to use a regexp to match anything containing ssh-* to allow those users to authenticate instead of multiple lines matching each value. Can I use regex matching with SQL-Group ?

The following seems to be evaluated as "ssh.*" and not anything containing "ssh.."

if (!SQL-Group =~ /ssh.*/ && (Service-Type == "Login-User")) {
.reject }

Sincerely,

William Burnett
burnet...@gmail.com

On Sat, Sep 25, 2010 at 12:09 AM, Alan DeKok wrote:
> William Burnett wrote:
>> What is the best way to go about this? I was trying to use unlang to
>> query my database but can't seem to get the syntax right.
>
> The "sql" module queries databases.
>
> ...
>> if ( %{group_membership_query} == "ssh") {
>
> This won't do what you want. Instead, use
>
> if (SQL-Group == "ssh") {
>
> This is documented in raddb/sql.conf.
>
> Alan DeKok.
Additional Restrictions for users
I currently have my RADIUS servers setup to handle authentication for my various NAS's to grant users access to network resources. I would like to use the same servers to handle authentication for SSH for various routers. This all works, but I'm having a hard time getting the RADIUS server to only accept requests from users of the "ssh" group. I obviously don't want john.doe accessing my core routers.

What is the best way to go about this? I was trying to use unlang to query my database but can't seem to get the syntax right.

contents of sites-enabled/default:

...authorize {
    preprocess
    if (Service-Type == "Login-User")
        if ( %{group_membership_query} == "ssh") {
            update reply {
                ok-to-continue
            }
        } else {
            update reply {
                Auth-Type := Reject
            }
        }

The group_membership_query would reference this:

group_membership_query = "SELECT groupname \
    FROM ${usergroup_table} \
    WHERE username = '%{SQL-User-Name}' \
    ORDER BY priority"

Any help/suggestions would be much appreciated.

Sincerely,

William Burnett
burnet...@gmail.com
TLS error between JRadius Simulator (1.3.0) and FreeRADIUS (2.16)
Hello,

I am trying to run the JRadius client Simulator against FreeRADIUS using EAP-TLS authentication. I was under the impression that these two offerings worked together right out of the box. I have tested my certs against FreeRADIUS using the Microsoft supplicant and all is well. Will someone tell me what they think might be the problem. Please see the FreeRADIUS TLS messages, below. Your help will be greatly appreciated.

Bill

--> User-Name = user1
[tls] --> BUF-Name = 3eTI Test Cert (rsa1)
[tls] --> subject = /C=US/ST=Maryland/O=3eTI/OU=Engineering/CN=3eTI Test Cert (rsa1)/emailaddress=wbickf...@efjohnson.com
[tls] --> issuer = /C=US/ST=Maryland/O=3eTI/OU=Engineering/CN=3eTI RSA Engineering Test Intermediate CA/emailaddress=wbickf...@efjohnson.com
[tls] --> verify return:1
[tls] TLS_accept: SSLv3 read client certificate A
[tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[tls] TLS_accept: SSLv3 read client key exchange A
[tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[tls] <<< TLS 1.0 Handshake [length 0010], Finished
[tls] >>> TLS 1.0 Alert [length 0002], fatal unexpected_message
TLS Alert write:fatal:unexpected_message
TLS_accept:failed in SSLv3 read certificate verify B
rlm_eap: SSL error error:140880AE:SSL routines:SSL3_GET_CERT_VERIFY:missing verify message
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
Re: using Oracle with FreeRADIUS - I need a clue
According to Alan DeKok on Tue, 02/02/10 at 14:29:
>
> > If Oracle support in FreeRADIUS is meant to at least include logging
> > of session records, if RADIUS requests arrive at two FreeRADIUS server
> > instances (say, primary and backup/failover), say Acct-Start to server
> > "A" and the corresponding Acct-Stop to server "B" for the same RADIUS
> > session, would both accounting log records end up in the same Oracle
> > table (assuming both server "A" and server "B" are configured to send
> > session logs to an Oracle instance on server "C")?
>
> That's a database replication issue, not a FreeRADIUS config question.

Just to clarify, given a server "C" running an instance of Oracle, and given the two FreeRADIUS boxes "A" and "B", if they both are configured to "talk" to Oracle on server "C" (just what that means is left as an exercise for me), there is nothing preventing an Acct-Start record from RADIUS session 123 from server "A" _plus_ an Acct-Stop record from the same session 123 from server "B" being directed to the Oracle server "C", correct?

This scenario hypothesizes the unlikely circumstance where server "A" is unavailable after the session 123 Acct-Start is received and hence the Acct-Stop fails over to server "B".

Given all that, it does seem to boil down to an Oracle issue, but I had to start here for FreeRADIUS. Next step: ask some Oracle expert about updating this one table, in real time, from two _different_ connections.

Thanks for your timely reply.

Regards,

web...
--
William Bulley
Email: w...@umich.edu
using Oracle with FreeRADIUS - I need a clue
When I have used FreeRADIUS in the past, it has been in the traditional "users" file model - that is, very simplistic installation. To date, I have not used FreeRADIUS with Oracle.

Is the Oracle support in FreeRADIUS mature, or developmental, in its current state? I cannot determine this answer from a search of the mailing list archives dating back a couple of years.

In addition to authentication using Oracle, is the Oracle support also meant for FreeRADIUS configuration, or session logging (accnt, auth, etc.), or some combination of the above?

If Oracle support in FreeRADIUS is meant to at least include logging of session records, if RADIUS requests arrive at two FreeRADIUS server instances (say, primary and backup/failover), say Acct-Start to server "A" and the corresponding Acct-Stop to server "B" for the same RADIUS session, would both accounting log records end up in the same Oracle table (assuming both server "A" and server "B" are configured to send session logs to an Oracle instance on server "C")?

It has been a while since I used FreeRADIUS, so a pointer to the RTFM would also be an acceptable answer. Thanks in advance.

Regards,

web...
--
William Bulley
Email: w...@umich.edu
process auth request from any AP
Is there a way to configure FreeRADIUS to accept authentication requests from any AP? In other words, I don't want to have to pre-configure access points in the clients.conf.

Thank you,

Bill
Re: Rewriting User-Name in pre-proxy
On May 22, 2009, at 6:33 AM, Alan DeKok wrote:

The REQUEST hash is for the *request*. You are trying to edit the *proxy* request. Use:

$RAD_REQUEST_PROXY{'Attr-name'} = "foo";

Alan DeKok.

Hmmm, I'll double check. Last time RAD_REQUEST_PROXY wasn't available.
Re: Rewriting User-Name in pre-proxy
On May 22, 2009, at 6:13 AM, Alan DeKok wrote:

If you use the Perl module rather than exec'ing a program, it would be more efficient.

Alan DeKok.

-

Hi Alan, thanks for the response. I tried to use the perl module at first but the hash was read only. So I couldn't figure out how to get the value back into freeradius. Is it possible to do the same with the perl module that I'm doing with the exec module?

So far I have tried modifying the REQUEST hash from pre_proxy in perl and also tried printing out My-Local-String like I'm doing in exec. Neither seem to work.

Thanks,

William
Re: Rewriting User-Name in pre-proxy
On May 18, 2009, at 11:16 AM, William Taylor wrote:

I'm currently using freeradius 2.1.4. I need to look up a username in a dbm and rewrite it before sending off the proxy request. I have achieved this by using the below method. But I was wondering if there was a better way. It would seem that invoking perl with every auth request might be bad.

Thanks in advance!

-William

In: /etc/raddb/dictionary

ATTRIBUTE My-Local-String 3000 string

In: sites-available/default

pre-proxy {
    rewrite
    update proxy-request {
        User-Name := "%{proxy-request:My-Local-String}"
    }
}

In: /etc/raddb/modules/rewrite

exec rewrite {
    wait = yes
    program = "/etc/raddb/rewriteusername.pl %{User-Name} %{Stripped-User-Name} %{Realm}"
    input_pairs = proxy-request
    output_pairs = proxy-request
    shell_escape = yes
}

In: /etc/raddb/rewriteusername.pl

#!/usr/bin/perl
use strict;
use DB_File;

my %h;
tie %h, "DB_File", "/etc/raddb/rewritemap.db", O_RDONLY, 0444, $DB_HASH
    or die "Cannot open file rewritemap.db: $!\n";

my $fuser = $ARGV[0];
my $suser = $ARGV[1];
my $realm = $ARGV[2];

if ($realm eq "foobee.net") {
    if ($h{$suser}) {
        print "My-Local-String=" . $h{$suser};
    } else {
        print "My-Local-String=$suser";
    }
} else {
    print "My-Local-String=$suser";
}

exit 0;

Anyone doing something similar?
Rewriting User-Name in pre-proxy
I'm currently using freeradius 2.1.4. I need to look up a username in a dbm and rewrite it before sending off the proxy request. I have achieved this by using the method below, but I was wondering if there was a better way. It would seem that invoking perl with every auth request might be bad.

Thanks in advance!
-William

In: /etc/raddb/dictionary

ATTRIBUTE My-Local-String 3000 string

In: sites-available/default

pre-proxy {
    rewrite
    update proxy-request {
        User-Name := "%{proxy-request:My-Local-String}"
    }
}

In: /etc/raddb/modules/rewrite

exec rewrite {
    wait = yes
    program = "/etc/raddb/rewriteusername.pl %{User-Name} %{Stripped-User-Name} %{Realm}"
    input_pairs = proxy-request
    output_pairs = proxy-request
    shell_escape = yes
}

In: /etc/raddb/rewriteusername.pl

#!/usr/bin/perl
use strict;
use Fcntl;      # O_RDONLY
use DB_File;

# Open the rewrite map read-only; rlm_exec runs this for every proxied request.
my %h;
tie %h, "DB_File", "/etc/raddb/rewritemap.db", O_RDONLY, 0444, $DB_HASH
    or die "Cannot open file rewritemap.db: $!\n";

# Arguments in the order the exec module passes them: User-Name, Stripped-User-Name, Realm
my $fuser = $ARGV[0];
my $suser = $ARGV[1];
my $realm = $ARGV[2];

# Print one attribute=value pair per line; rlm_exec parses stdout into output_pairs.
if ($realm eq "foobee.net") {
    if ($h{$suser}) {
        print "My-Local-String=" . $h{$suser} . "\n";
    } else {
        print "My-Local-String=$suser\n";
    }
} else {
    print "My-Local-String=$suser\n";
}
exit 0;
RE: (EAP) AES Key-wrap of MK issued to the authenticator
I'm trying to set up AES Key-wrap of MK issued to the authenticator. Is this possible? If it is, will someone please explain how to do it? Thank you, Bill
(EAP) AES Key-wrap of MK issued to the authenticator
Please point me to documentation that shows how to set up "AES Key-wrap of the MK issued to the authenticator". I am trying to support FIPS140-2. Is this possible? Thank you, Bill
help
I have one question, maybe it's because I'm a newbie in freeradius =]

The situation is, sometimes my db in mysql (which runs on another computer) crashes or has problems. How can I authenticate all users with any password or any username? Then I can keep my clients connected and fix my db server. How can I do this?

Thanks to all,
William Esteves
Re: Cisco Aironet 1130ag dynamic VLAN assignment
I have resolved the issue. I created a new VLAN with matching encryption settings to the default VLAN. Thank you all for helping! I have become much more familiar with the Cisco debugging procedure in the process. -William
Re: Cisco Aironet 1130ag dynamic VLAN assignment
I may have solved my own problem - I have contradicting encryption settings for each VLAN on the Cisco access point. I was testing the setup by bumping the user from VLAN 200 (WPA-required) to VLAN 100 (open access). I'll give this a shot and post my results.

-William

On Sun, Jan 25, 2009 at 22:14, William Graeber wrote:
> Here is the output of Cisco debugging with "use_tunneled_reply = yes":
> http://dpaste.com/113022/
>
> Again, I really appreciate your help.
>
> -William
>
> On Sun, Jan 25, 2009 at 18:29, wrote:
>>> I have modified eap.conf and added "use_tunneled_reply = yes" in the
>>> peap section. I have previously tried this, and obtained the same
>>> results. Whenever a client tries to login, they get cycled from
>>> authenticating/connecting very quickly. I've posted an example output
>>> from a radius debug: http://dpaste.com/112927/
>>>
>>
>> You are getting an Access-Accept with VLAN attributes now:
>>
>> Sending Access-Accept of id 199 to 10.0.0.254 port 1645
>>     Tunnel-Medium-Type:0 = IEEE-802
>>     Tunnel-Type:0 = VLAN
>>     Tunnel-Private-Group-Id:0 = "100"
>>     User-Name = "wgraeber"
>>     MS-MPPE-Recv-Key = 0x8d9a0e99e52c18b817039f9d503bbd00d66c3cf3927d25284607bb4c52ab58f1
>>     MS-MPPE-Send-Key = 0x5b07ed87b3ddd6c9fe6186c9443d80cca1b7e24f393f854f58559d26a1100bfb
>>     EAP-Message = 0x030a0004
>>     Message-Authenticator = 0x
>>
>> But AP is unhappy. Do debug dot11 aaa and see what it is complaining
>> about. It's missing something (probably Service-Type).
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>

--
William M. Graeber
Furman University
PMB 27335
3300 Poinsett Highway
Greenville, SC 29613
864 905 9533 (Mobile)
Re: Cisco Aironet 1130ag dynamic VLAN assignment
Here is the output of Cisco debugging with "use_tunneled_reply = yes": http://dpaste.com/113022/

Again, I really appreciate your help.

-William

On Sun, Jan 25, 2009 at 18:29, wrote:
>> I have modified eap.conf and added "use_tunneled_reply = yes" in the
>> peap section. I have previously tried this, and obtained the same
>> results. Whenever a client tries to login, they get cycled from
>> authenticating/connecting very quickly. I've posted an example output
>> from a radius debug: http://dpaste.com/112927/
>>
>
> You are getting an Access-Accept with VLAN attributes now:
>
> Sending Access-Accept of id 199 to 10.0.0.254 port 1645
>     Tunnel-Medium-Type:0 = IEEE-802
>     Tunnel-Type:0 = VLAN
>     Tunnel-Private-Group-Id:0 = "100"
>     User-Name = "wgraeber"
>     MS-MPPE-Recv-Key = 0x8d9a0e99e52c18b817039f9d503bbd00d66c3cf3927d25284607bb4c52ab58f1
>     MS-MPPE-Send-Key = 0x5b07ed87b3ddd6c9fe6186c9443d80cca1b7e24f393f854f58559d26a1100bfb
>     EAP-Message = 0x030a0004
>     Message-Authenticator = 0x
>
> But AP is unhappy. Do debug dot11 aaa and see what it is complaining
> about. It's missing something (probably Service-Type).
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Cisco Aironet 1130ag dynamic VLAN assignment
I have modified eap.conf and added "use_tunneled_reply = yes" in the peap section. I have previously tried this, and obtained the same results. Whenever a client tries to login, they get cycled from authenticating/connecting very quickly. I've posted an example output from a radius debug: http://dpaste.com/112927/

Could you expand on the "set VLAN" option in the post-auth section? I have looked around a bit, but haven't found much of use.

Also, I may try a vanilla install of FreeRADIUS, as I'm using the packaged version from the OpenBSD ports tree. There are a few config discrepancies, and I don't understand enough to know how they are having an effect.

Thanks again,
-William

On Sun, Jan 25, 2009 at 12:03, Alan DeKok wrote:
> William Graeber wrote:
>> Here is the output of a client associating immediately after the
>> server starts: http://dpaste.com/112843/
>
> You're not assigning the attributes that tell the server to put the
> user into a VLAN.
>
> Are you using the *default* configuration files in 2.0.5? It looks
> like you're not, because editing the "users" file *should* get it to work.
>
> It looks like you need to either:
>
> - set use_tunneled_reply = yes in eap.conf, peap{} sub-section
>
> - add the "set VLAN" configuration to the post-auth section.
>
> Alan DeKok.
Re: Cisco Aironet 1130ag dynamic VLAN assignment
Here is the output of a client associating immediately after the server starts: http://dpaste.com/112843/

Also, I am new to IOS, and there was no "debug aaa on" command. If you look closely at the top of the file I previously posted, I turned on about half of the options I thought relevant to debugging aaa. I don't know if this would have an effect on showing what was relevant.

I really appreciate the help everyone has given thus far.

-William

On Sun, Jan 25, 2009 at 04:23, wrote:
>> The full log may be viewed at: http://dpaste.com/112610/
>>
>> Also, I have posted my eap.conf here: http://dpaste.com/112615/
>>
>> and radius.conf here: http://dpaste.com/112616/
>>
>> and I don't think anyone would need it, but here is clients.conf as
>> well: http://dpaste.com/112618/
>>
>
> You have posted everything apart from the most important thing - radiusd
> -X debug. I can see those tunnel attributes on Cisco debug but not in
> the Access-Accept packet (the one with MPPE keys).
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Cisco Aironet 1130ag dynamic VLAN assignment
Tom was correct, and I have changed the Tunnel-Medium-Type to "6". The corresponding radtest output shows it is correctly translated to "IEEE-802". However, I am still not bumped into the correct VLAN. In the Cisco debug logs, I see these lines:

*Mar 1 00:09:30.630: AAA/ATTR(): add attr: 0125E6C0 0 0001 tunnel-medium-type(336) 4 ALL_802
*Mar 1 00:09:30.630: AAA/ATTR(): add attr: 0125E6D4 0 0001 tunnel-type(344) 4 VLAN
*Mar 1 00:09:30.630: AAA/ATTR(): add attr: 0125E6E8 0 0009 tunnel-private-group-id(297) 3 100
*Mar 1 00:09:30.634: AAA/ATTR(000B): del attr: 0125E6C0 0 0001 tunnel-medium-type(336) 4 ALL_802
*Mar 1 00:09:30.634: AAA/ATTR(000B): del attr: 0125E6D4 0 0001 tunnel-type(344) 4 VLAN
*Mar 1 00:09:30.634: AAA/ATTR(000B): del attr: 0125E6E8 0 0009 tunnel-private-group-id(297) 3 100

The full log may be viewed at: http://dpaste.com/112610/

Also, I have posted my eap.conf here: http://dpaste.com/112615/

and radius.conf here: http://dpaste.com/112616/

and I don't think anyone would need it, but here is clients.conf as well: http://dpaste.com/112618/

I am using FreeRADIUS version 2.0.5 on OpenBSD 4.4. I'm sure that there is something simple that I am missing, but I'm new to both the RADIUS protocol and Cisco access points. I luckily was able to score several 1130ag's cheap for personal use during an auction from the presidential campaign.

Thanks again,
William

On Fri, Jan 23, 2009 at 11:30, wrote:
>> I have been having trouble recently with getting dynamic VLAN
>> assignment working on my Cisco AP. Clients are successfully
>> authenticating with FreeRADIUS. However, they do not seem to be
>> picking up extra attributes from the "users" file (below is the
>> relevant portion of it).
>>
>> wgraeber    NT-Password := "XXX"
>>             Tunnel-Type = VLAN,
>>             Tunnel-Medium-Type = 802,
>>             Tunnel-Private-Group-ID = 100
>>
>> The users are just directed to their original VLAN instead of this
>> portion overriding it. When I try to authenticate to the access point
>> with "radtest," I get the following output:
>>
>> # radtest wgraeber XXX 127.0.0.1 10 XXX
>> Sending Access-Request of id 42 to 127.0.0.1 port 1812
>>     User-Name = "wgraeber"
>>     User-Password = "XXX"
>>     NAS-IP-Address = 127.0.0.1
>>     NAS-Port = 10
>> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=42, length=37
>>     Tunnel-Type:0 = VLAN
>>     Tunnel-Medium-Type:0 = 802
>>     Tunnel-Private-Group-Id:0 = "100"
>>
>> Furthermore, the Tunnel-Type, Tunnel-Medium-Type, and
>> Tunnel-Private-Group-Id attributes in the console when actually
>> authenticating and watching the output of "radiusd -X" on another
>> machine. The access point *should* support this out of the box
>> according to the Cisco specs. This is my first FreeRADIUS
>> implementation, so I don't know if I'm missing any magic options.
>>
>
> You have done what you were supposed to on freeradius. Do debug aaa on
> Cisco and see what has happened to the attributes.
>
> Ivan Kalik
> Kalik Informatika ISP
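As an added illustration of the values this thread settles on (example code, not from the list or from FreeRADIUS), the following Python encodes and decodes the RFC 2868 tagged tunnel attributes behind "Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 100", and shows why the original users entry with Tunnel-Medium-Type = 802 decodes to an unknown medium type that a NAS cannot act on. The attribute numbers and named values are from RFC 2868/3580 and the FreeRADIUS dictionary; the byte strings and the helper names are constructed here.

```python
# Added example (not from the thread or from FreeRADIUS): encode and decode the
# three RFC 2868 tagged tunnel attributes used for dynamic VLAN assignment.
# Attribute numbers and named values come from RFC 2868/3580 and the FreeRADIUS
# dictionary; everything else here is constructed for illustration.

TUNNEL_TYPE = 64              # Tunnel-Type, tagged integer
TUNNEL_MEDIUM_TYPE = 65       # Tunnel-Medium-Type, tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81  # Tunnel-Private-Group-ID, tagged string

TUNNEL_TYPE_NAMES = {13: "VLAN"}
MEDIUM_TYPE_NAMES = {1: "IPv4", 2: "IPv6", 6: "IEEE-802"}
ATTR_NAMES = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type"}


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer: Type, Length, Tag, 3-byte big-endian value (RFC 2868 3.1)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0 (untagged) or 1..31")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("tagged integers carry only 24 bits")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_string(attr_type, tag, text):
    """Tagged string: Type, Length, Tag, String (RFC 2868 3.6)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0 (untagged) or 1..31")
    body = bytes([tag]) + text.encode("ascii")
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_reply_attrs(vlan_id, tag=0):
    """Wire bytes for 'Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = <vlan_id>' in an Access-Accept."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, 13)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, 6)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_attrs(data):
    """Walk a RADIUS attribute list and render the tunnel attributes as
    (name, tag, value) tuples, the way 'radiusd -X' prints 'Name:tag = value'.
    Other attributes are returned as (type_number, None, raw_bytes)."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type in ATTR_NAMES:
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            tag, num = value[0], int.from_bytes(value[1:], "big")
            names = TUNNEL_TYPE_NAMES if attr_type == TUNNEL_TYPE else MEDIUM_TYPE_NAMES
            # An unknown number (e.g. 802 written by mistake) stays numeric, exactly
            # as radtest showed 'Tunnel-Medium-Type:0 = 802' in the thread.
            out.append((ATTR_NAMES[attr_type], tag, names.get(num, str(num))))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is not a tag but part of the string.
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            out.append(("Tunnel-Private-Group-Id", tag, text.decode("ascii")))
        else:
            out.append((attr_type, None, value))
    return out


def vlan_assignment(attrs):
    """Return the VLAN id a NAS should honour, or None if the trio is incomplete or
    inconsistent for every tag (e.g. the medium type is not IEEE-802)."""
    by_key = {(name, tag): val for name, tag, val in attrs if isinstance(name, str)}
    for tag in range(32):
        if (by_key.get(("Tunnel-Type", tag)) == "VLAN"
                and by_key.get(("Tunnel-Medium-Type", tag)) == "IEEE-802"
                and ("Tunnel-Private-Group-Id", tag) in by_key):
            return by_key[("Tunnel-Private-Group-Id", tag)]
    return None


if __name__ == "__main__":
    good = vlan_reply_attrs(100)
    print(good.hex(), decode_attrs(good), vlan_assignment(decode_attrs(good)))
    # The thread's first attempt: Tunnel-Medium-Type = 802 instead of 6 (IEEE-802).
    wrong = (encode_tagged_int(TUNNEL_TYPE, 0, 13)
             + encode_tagged_int(TUNNEL_MEDIUM_TYPE, 0, 802)
             + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 0, "100"))
    print(decode_attrs(wrong), vlan_assignment(decode_attrs(wrong)))
```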
Cisco Aironet 1130ag dynamic VLAN assignment
I have been having trouble recently with getting dynamic VLAN assignment working on my Cisco AP. Clients are successfully authenticating with FreeRADIUS. However, they do not seem to be picking up extra attributes from the "users" file (below is the relevant portion of it).

wgraeber    NT-Password := "XXX"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = 802,
            Tunnel-Private-Group-ID = 100

The users are just directed to their original VLAN instead of this portion overriding it. When I try to authenticate to the access point with "radtest," I get the following output:

# radtest wgraeber XXX 127.0.0.1 10 XXX
Sending Access-Request of id 42 to 127.0.0.1 port 1812
    User-Name = "wgraeber"
    User-Password = "XXX"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=42, length=37
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = 802
    Tunnel-Private-Group-Id:0 = "100"

Furthermore, the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-Id attributes in the console when actually authenticating and watching the output of "radiusd -X" on another machine. The access point *should* support this out of the box according to the Cisco specs. This is my first FreeRADIUS implementation, so I don't know if I'm missing any magic options.

Also, I have searched the archives and tried several suggestions to no avail (in eap.conf, copy_request_to_tunnel and use_tunneled_reply under the PEAP segment). I will happily post more configuration options / debug info if needed.

Thanks in advance,
William
Re: cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)
I hate to resurrect this long thread from July 22-28, but I have the same problem and never saw a resolution.

I'm using FreeRadius 2.0.5 on CentOS 5.2 with wpa_supplicant 0.6.4 (latest to date). I'm using the bootstrap script to generate example certificates. I also created a client certificate using make client.pem. I configured wpa_supplicant with ca.pem, client.pem and client.key. EAP-TLS authentication fails with the "fatal unknown ca" message. If I hack the Makefile like Sergio mentioned last month to sign the client certificate with the CA key, then authentication succeeds.

In last month's thread, Alan DeKok posted:

> You need to follow the documentation in eap.conf.
>
> #  If CA_file (below) is not used, then the
> #  certificate_file below MUST include not
> #  only the server certificate, but ALSO all
> #  of the CA certificates used to sign the
> #  server certificate.
> certificate_file = ${certdir}/server.pem
>
> Have you done that?

In my case, CA_file does indeed refer to ca.pem as created by the bootstrap script. So I'm assuming that I don't need to touch the server.pem file as created.

I'd really like to understand what's wrong. Could wpa_supplicant be somehow incompatible with the bootstrap certificate chain?

Thanks
User restriction
Thanks again, Alan. Radius is now running and working fine. I tested it using radtest "radtest fpohl localhost 1812 " and I got an OK result "rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=162, length=20"

My question is now regarding users. The user fpohl is a regular Unix user I created with useradd but it does not belong to the same group as radiusd. It is configured as follows:

fpohl:x:1000:110:Fred:/home/fpohl:/bin/bash
radiusd:x:107:109:Radius daemon:/var/lib/radiusd:/bin/false

ns1:~ # id fpohl
uid=1000(fpohl) gid=110 groups=110,16(dialout),33(video)
ns1:~ # id radiusd
uid=107(radiusd) gid=109(radiusd) groups=109(radiusd)

How can I configure freeradius to only accept connections from users that belong to the same groups as radiusd? What I really need is to not allow all unix users to be a radius client, only the ones that belong to a specific group.

If my questions are too basic and there are documents on the web that can help new users like me, please show me the way.

Frederick Pohl

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 5, 2008 13:48
To: FreeRadius users mailing list
Subject: Re: RES: Installation problem

Hi,

> > After running /sbin/ldconfig -v , I was able to execute radiusd.
> > The only weird thing is that the daemon is not showing when I type ps aux.
> > Even after running /usr/sbin/radiusd, nothing happens.

yep - at this point you run radiusd -X to see what's wrong

alan

This message, including its attachments, may contain privileged and/or confidential information and may not be forwarded without the sender's authorization. If you are not the addressee or a person authorized to receive it, be advised that its use, disclosure, copying or archiving is prohibited. Therefore, if you received this message by mistake, please inform us by replying immediately to this e-mail and then delete it.
RES: Installation problem
Alan

Thanks for the tip. After running /sbin/ldconfig -v , I was able to execute radiusd. The only weird thing is that the daemon is not showing when I type ps aux. Even after running /usr/sbin/radiusd, nothing happens.

My ps aux | grep radiusd shows only the following:

root 25770 0.0 0.0 2112 660 pts/1 R+ 13:33 0:00 grep radiusd

I tried installing using YAST and now I get the following error:

ns1:~ # /etc/init.d/freeradius start
Starting RADIUS daemon
startproc: exit status of parent of /usr/sbin/radiusd: 1
failed

This error message is probably not related to freeradius, but maybe someone has seen this error before and could clue me in on how to solve it.

Thank you,
Fred Pohl

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 4, 2008 18:26
To: FreeRadius users mailing list
Subject: Re: Installation problem

Hi,

> I am rather new to freeradius and I'm having trouble running the server after
> installation
>
> I installed using:
>
> ./configure --sysconfdir=/etc

okay - and the libraries have gone into /usr/local/lib as per the stuff that spews out when you do make install

you need to ensure this is in your LDPATH

can be done eg by adding /usr/local/lib to /etc/ld.so.conf and then running /sbin/ldconfig -v

alan
Installation problem
Hello,

I am rather new to freeradius and I'm having trouble running the server after installation.

I installed using:

./configure --sysconfdir=/etc
make
make install

When I try running with radiusd I get the following error:

/usr/local/sbin/radiusd: error while loading shared libraries: libfreeradius-radius-2.0.5.so: cannot open shared object file: No such file or directory

The libfreeradius-radius-2.0.5.so file is located at the following directory:

ns1:/usr/local # find / -name libfreeradius-radius-2.0.5.so
/usr/local/lib/libfreeradius-radius-2.0.5.so

This is my radiusd.conf

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${prefix}/${localstatedir}/run/radiusd
db_dir = /usr/local/lib/
libdir = ${exec_prefix}/lib

From what is configured above, the libdir should be /usr/local/lib which is exactly where the file is located. Is there something I am missing?

Thank you,
Frederick Pohl
RE: openLDAP & freeRADIUS
Alan,

Sorry about before, I thought there was a simple thing I could fix. I have verified that PEAP was working with the "users" file. It took a while (well before I wrote to this list about it) but I got it working perfectly - if I go back to that it works.

Can you explain how I would get step 2 to work? How do I verify it isn't binding as user? And I believe step 3 is a success for me, if I am not mistaken, so if you could provide a little expertise here it would be much appreciated.

Thank you.

William E. W. Russell
Member of Technical Staff (Software Development)
198 Brighton Avenue
Long Branch, New Jersey 07740
Home #: 732-752-2037
Cell #: 732-744-6483

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] rg] On Behalf Of Alan DeKok
Sent: Thursday, June 26, 2008 4:36 AM
To: FreeRadius users mailing list
Subject: Re: openLDAP & freeRADIUS

William E. Russell wrote:
> I have correctly set up freeRADIUS to read from my openLDAP. I can't
> seem to authenticate my user. I have narrowed down the error to a single
> line, "rlm_eap_mschapv2: Invalid response type 4". From my hours of
> searching online, I have realized that all this means is that there was an
> error in the response packet.

Code 4 is MS-CHAP failure. It means that the client told the server it didn't like the previous packet.

> I have no idea what error could have occurred.
> I believe it may have to do with the password_attribute. I read some
> documentation that said there was some issue with LDAP and passing a
> cleartext password. Also, as you can see, I am using EAP/PEAP with MSCHAP.
> Anybody have any insight into this type of thing? If I could just get some
> help on how to set up the LDAP and RADIUS, that would be great - I have read
> just about every single tutorial so please don't direct me to one of those.
> I need someone who has a similar set up - what did you use for password
> attribute?

userPassword.

Step 1: Get PEAP working with an entry in the "users" file.
Step 2: Get LDAP working with PAP (radclient). Verify that it is NOT doing "bind as user"
Step 3: Verify that PEAP works against LDAP.

PLEASE show the debug output. The reason we ask for it is because it is the DEFINITIVE explanation of what's going on, and the ONLY way to help you solve the problem.

Alan DeKok.
RE: openLDAP & freeRADIUS
o RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x917f948
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
    usersfile = "/usr/local/etc/raddb/users"
    acctusersfile = "/usr/local/etc/raddb/acct_users"
    preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
    compat = "no"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
    detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
    radwtmp = "/usr/local/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
    filename = "/usr/local/var/log/radius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
    attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
    key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
    attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
    key = "%{User-Name}"
  }
 }
}
radiusd: Opening IP addresses and Ports
listen {
    type = "auth"
    ipaddr = *
    port = 0
}
listen {
    type = "acct"
    ipaddr = *
    port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
    User-Name = "newME"
    NAS-IP-Address = 0.0.0.0
    Framed-MTU = 1488
    Called-Station-Id = "00:0c:84:02:a2:59"
    Calling-Station-Id = "00:1c:bf:86:6a:c4"
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = "NAP"
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x0201000a016e65774d45
    Message-Authenticator = 0x196dd1b8cec5514107a36a5bac05e008
+- entering group authorize
++[preprocess] returns ok
    rlm_realm: No '@' in User-Name = "newME", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 10
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: - authorize
rlm_ldap: performing user authorization for newME
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=newME)
    expand: dc=incnetworks,dc=com -> dc=incnetworks,dc
RE: openLDAP & freeRADIUS
How can I get the log or the output of it? It is so long that the terminal doesn't allow me to scroll all the way back to the top. Is there a log? I found radius.log, but it had nothing. Is there a command to generate the log?

Thanks. I know I am close here...

William E. W. Russell
Member of Technical Staff (Software Development)
198 Brighton Avenue
Long Branch, New Jersey 07740
Home #: 732-752-2037
Cell #: 732-744-6483

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] rg] On Behalf Of Alan DeKok
Sent: Thursday, June 26, 2008 4:36 AM
To: FreeRadius users mailing list
Subject: Re: openLDAP & freeRADIUS

William E. Russell wrote:
> I have correctly set up freeRADIUS to read from my openLDAP. I can't
> seem to authenticate my user. I have narrowed down the error to a single
> line, "rlm_eap_mschapv2: Invalid response type 4". From my hours of
> searching online, I have realized that all this means is that there was an
> error in the response packet.

Code 4 is MS-CHAP failure. It means that the client told the server it didn't like the previous packet.

> I have no idea what error could have occurred.
> I believe it may have to do with the password_attribute. I read some
> documentation that said there was some issue with LDAP and passing a
> cleartext password. Also, as you can see, I am using EAP/PEAP with MSCHAP.
> Anybody have any insight into this type of thing? If I could just get some
> help on how to set up the LDAP and RADIUS, that would be great - I have read
> just about every single tutorial so please don't direct me to one of those.
> I need someone who has a similar set up - what did you use for password
> attribute?

userPassword.

Step 1: Get PEAP working with an entry in the "users" file.
Step 2: Get LDAP working with PAP (radclient). Verify that it is NOT doing "bind as user"
Step 3: Verify that PEAP works against LDAP.

PLEASE show the debug output. The reason we ask for it is because it is the DEFINITIVE explanation of what's going on, and the ONLY way to help you solve the problem.

Alan DeKok.
openLDAP & freeRADIUS
All,

I am currently working with openLDAP and freeRADIUS. I have correctly set up freeRADIUS to read from my openLDAP. I can't seem to authenticate my user. I have narrowed down the error to a single line, "rlm_eap_mschapv2: Invalid response type 4". From my hours of searching online, I have realized that all this means is that there was an error in the response packet. I have no idea what error could have occurred. I believe it may have to do with the password_attribute. I read some documentation that said there was some issue with LDAP and passing a cleartext password. Also, as you can see, I am using EAP/PEAP with MSCHAP. Anybody have any insight into this type of thing? If I could just get some help on how to set up the LDAP and RADIUS, that would be great - I have read just about every single tutorial so please don't direct me to one of those. I need someone who has a similar set up - what did you use for password attribute?

William

William E. W. Russell
Member of Technical Staff (Software Development)
198 Brighton Avenue
Long Branch, New Jersey 07740
Home #: 732-752-2037
Cell #: 732-744-6483
Dynamic VLAN and FreeRadius
All,

I am trying to get the RADIUS server to not only authenticate the supplicant, but also provide the NAS with a VLAN ID. I have tried certain resources and haven't been able to receive the VLAN ID. Can anyone provide any help in this area?

Thanks

William E. W. Russell
Member of Technical Staff (Software Development)
198 Brighton Avenue
Long Branch, New Jersey 07740
Home #: 732-752-2037
Cell #: 732-744-6483
RE: freeRADIUS and WPA-2 Enterprise
All,

We are trying to set up WPA2 Enterprise authentication to work with the FreeRadius server. We have configured EAP-PEAP authentication. We have installed all the certificates and corrected the EAP.conf certificate paths. We tried to connect from the supplicant from Windows XP. Windows asked for the login/password and this is the output of radiusd -X. The user is configured in the users file. We couldn't see any error, however the authentication didn't succeed. Can anyone help?

--
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
	User-Name = "Sushil"
	NAS-IP-Address = 172.27.10.54
	Called-Station-Id = "001d7ef3e8d2"
	Calling-Station-Id = "0019d24ee9a8"
	NAS-Identifier = "001d7ef3e8d2"
	NAS-Port = 15
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0202000b0153757368696c
	Message-Authenticator = 0x8ee1244bc3cdc5889f20f495cfb28373
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "Sushil", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry Sushil at line 126
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
	EAP-Message = 0x010300061920
	Message-Authenticator = 0x
	State = 0xe5e45815e5e741bebb28e527c6b37a8d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 1 with timestamp +35
Ready to process requests.
	User-Name = "Sushil"
	NAS-IP-Address = 172.27.10.54
	Called-Station-Id = "001d7ef3e8d2"
	Calling-Station-Id = "0019d24ee9a8"
	NAS-Identifier = "001d7ef3e8d2"
	NAS-Port = 15
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020b0153757368696c
	Message-Authenticator = 0xc7c1127b55267c9b175f4af387037759
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "Sushil", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry Sushil at line 126
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
	EAP-Message = 0x010100061920
	Message-Authenticator = 0x
	State = 0xabace459abadfd4a371c1e7c34cafda3
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 1 with timestamp +144
Ready to process requests.

William E. W. Russell
Member of Technical Staff (Software Development)
198 Brighton Avenue
Long Branch, New Jersey 07740
Home #: 732-752-2037
Cell #: 732-744-6483

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] rg] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 14, 2008 2:11 PM
To: FreeRadius users mailing list
Subject: Re: freeRADIUS and WPA-2 Enterprise

Hi,

> All,
>
> I have recently set up a freeRADIUS v2 server and would like some help
> configuring the server to use WPA-2 Enterprise. I was wondering if anyone
> had any tutorials, .conf files, etc. that would assist me in setting up my
> server with the correct configuration. I have noticed some help on the
> Internet, but most of the help is directed towards freeRADIUS v1, so I need
> v2-specific help. Thanks.

a lot of the things regarding authorization, authentication, SQL and LDAP are as true for v2 as they are for v1

when you say 'set up a freeradius v2 server' what have you done? out of the box as a straight install, FR2 is ready to handle WPA2-enterprise. all you need to do is insta
freeRADIUS and WPA-2 Enterprise
All,

I have recently set up a freeRADIUS v2 server and would like some help configuring the server to use WPA-2 Enterprise. I was wondering if anyone had any tutorials, .conf files, etc. that would assist me in setting up my server with the correct configuration. I have noticed some help on the Internet, but most of the help is directed towards freeRADIUS v1, so I need v2-specific help. Thanks.

Thank you,

William Russell

William E. W. Russell
Member of Technical Staff (Software Development)
198 Brighton Avenue
Long Branch, New Jersey 07740
Home #: 732-752-2037
Cell #: 732-744-6483
Re: is it possible: PEAP and TTLS on one SSID?
Much appreciate your reply.

According to [EMAIL PROTECTED]:
>
> > For Windows supplicants, we will use PEAPv0/MS-CHAPv2.
> >
> > For non-Windows supplicants, we would use EAP/TTLS and
> > MD5 as the inner method.
> >
> > I am confused as to how to configure FreeRADIUS 2.0.1
> > to accomplish this simultaneous behaviour. What causes
> > me to be confused is this directive in the EAP module:
> >
> >    default_eap_type = peap
> >
> > which could equally be this directive:
> >
> >    default_eap_type = ttls
> >
> > but not at the same time since there can be only one
> > default_eap_type (hence the word "default"). Is this
> > even possible? And, if yes, why then does FreeRADIUS
> > have the default_eap_type configuration item? Thanks.
>
> it causes no problem - just set the default type to be the one
> you'll see most(!) - the daemon is quite happy at recognising
> the other types that get thrown at it - be it TTLS, LEAP etc

Thanks!

Regards,

web...
--
William Bulley
Email: [EMAIL PROTECTED]
is it possible: PEAP and TTLS on one SSID?
For Windows supplicants, we will use PEAPv0/MS-CHAPv2.

For non-Windows supplicants, we would use EAP/TTLS and MD5 as the inner method.

I am confused as to how to configure FreeRADIUS 2.0.1 to accomplish this simultaneous behaviour. What causes me to be confused is this directive in the EAP module:

   default_eap_type = peap

which could equally be this directive:

   default_eap_type = ttls

but not at the same time since there can be only one default_eap_type (hence the word "default"). Is this even possible? And, if yes, why then does FreeRADIUS have the default_eap_type configuration item? Thanks.

Regards,

web...
--
William Bulley
Email: [EMAIL PROTECTED]
Re: can't get WPA/2 and EAP-TTLS to work
According to [EMAIL PROTECTED]:
>
> from what i can see, rubbish. freeradius as an AAA does not
> ask NASes about their VLANs - dynamic or otherwise! there are a
> few things wonky or wrong.

I didn't think Cisco's VLAN concept was accurate, but I couldn't expect them to know anything about FreeRADIUS...

> first, what version of FR are you using exactly? i would STRONGLY
> recommend 2.0.2 as 1.1.x (you appear to be 1.1.7 with patches...)
> isn't as configurable.

I have been following that thread on the list here, and am in the process of upgrading my FreeBSD ports _INCLUDING_ FreeRADIUS, but the 2.0.2 version is not in the FreeBSD ports tree yet (as of 2/14).

> secondly
>
> > foo User-Password == "password"
>
> foo Cleartext-Password := "password"
>
> (as clearly in the docs)

And just as clearly, I missed that one - yep, thanks.

> > Thu Feb 14 08:41:05 2008 : Debug: rlm_eap_tls: add_reply failed to create
> > attribute MS-MPPE-Recv-Key: Unknown attribute
> > "MS-MPPE-Recv-Key"
> > Thu Feb 14 08:41:05 2008 : Debug: rlm_eap_tls: add_reply failed to create
> > attribute MS-MPPE-Send-Key: Unknown attribute
> > "MS-MPPE-Send-Key"
>
> this ain't good. you've got to have these in your TTLS or things aren't
> going to work. dictionary files all okay and present and loaded?
> you aren't filtering attributes from my quick scan of the config...unless
> you've not copied that part.

I commented out the Micro$loth dictionary since I wasn't using anything from Redmond in this setup. I will uncomment this and see what happens.

Thanks for all your help.

Regards,

web...
--
William Bulley
Email: [EMAIL PROTECTED]
can't get WPA/2 and EAP-TTLS to work
00 State: 4WAY_HANDSHAKE -> 4WAY_HANDSHAKE
WPA: RX message 1 of 4-Way Handshake from 00:xx:xx:xx:xx:xx (ver=2)
RSN: msg 1/4 key data - hexdump(len=22): dd 14 00 0f ac 04 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00
RSN: PMKID from Authenticator - hexdump(len=16): 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00
RSN: no matching PMKID found
WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]
WPA: reusing previous PMKSA entry
RSN: no PMKSA entry found - trigger full EAP authentication
Setting scan request: 0 sec 10 usec
Added BSSID 00:xx:xx:xx:xx:xx into blacklist
State: 4WAY_HANDSHAKE -> DISCONNECTED
EAPOL: External notification - portEnabled=0
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
wpa_driver_bsd_del_key: keyidx=0
wpa_driver_bsd_del_key: keyidx=1
wpa_driver_bsd_del_key: keyidx=2
wpa_driver_bsd_del_key: keyidx=3
wpa_driver_bsd_del_key: addr=00:00:00:00:00:00 keyidx=0
State: DISCONNECTED -> SCANNING
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

When I contacted Cisco support, they said the following two lines, which are from the Cisco debug logs above:

Feb 14 13:40:56.990: dot11_auth_server_chk_ssid: Checking for SSID in server attributes
Feb 14 13:40:56.990: dot11_auth_server_vlan_number: Checking for VLAN ID in server attributes

indicated to them that FreeRADIUS was sending dynamic VLAN attributes to the access point. I do not have any VLAN or other tunnelling attributes set on the FreeRADIUS side.

Jouni suggested that these lines from the wpa_supplicant "-dd" debug log above:

RSN: PMKID from Authenticator - hexdump(len=16): 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00
RSN: no matching PMKID found
WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]
RSN: added PMKSA cache entry for 00:xx:xx:xx:xx:xx
RSN: no PMKSA entry found - trigger full EAP authentication

indicated that the access point is not sending the correct keys.

I cannot understand whether my problems lie in the FreeRADIUS area (my misconfiguration of which) or in the Cisco access point (my misconfiguration of which). I would be happy to include all or parts of my Cisco running configuration if necessary, but this email message is already too long.

Regards,

web...
--
William Bulley
Email: [EMAIL PROTECTED]
Re: WPA and EAP-TTLS oddity
According to Thierry Chich <[EMAIL PROTECTED]>:
>
> For me, you have to specify
>
> Auth-Type LDAP {
>     ldap
> }
>
> in the authenticate section.

Thank you. Much appreciated.

Regards,

web...
--
William Bulley
Email: [EMAIL PROTECTED]
Re: WPA and EAP-TTLS oddity
According to Ivan Kalik <[EMAIL PROTECTED]>:
>
> It's hard to do PAP when you delete it from the authenticate section.
> Problems are the result of your butchering of the default configuration.

Thank you! The comment for the PAP paragraph in the authenticate section mentions a backend database which I don't have since I am using the users file. This comment is what led me to comment out the PAP paragraph.

Regards,

web...
--
William Bulley
Email: [EMAIL PROTECTED]
WPA and EAP-TTLS oddity
	xlat: '/var/log/radacct/127.0.0.1/auth-20080131'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /var/log/radacct/127.0.0.1/auth-20080131
modcall[authorize]: module "auth_log" returns ok for request 5
rlm_eap: EAP packet type response id 6 length 8
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry foo at line 217
modcall[authorize]: module "files" returns ok for request 5
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: EAP Identity
rlm_eap: No such EAP type md5
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Trying to look up name of unknown client 127.0.0.1.
Login incorrect: [foo/] (from client UNKNOWN-CLIENT port 261 cli 00-xx-xx-xx-xx-xx)
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
TTLS: Freeing handler for user foo
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

This one has me stumped. :-(

Regards,

web...
--
William Bulley
Email: [EMAIL PROTECTED]
Re: Problem with MySQL + system auth
On Wednesday 23 January 2008 13:33:24 [EMAIL PROTECTED] wrote:
> Hi,
>
> > In working to get my new radius server working I have run into a snag.
> > I need to authenticate using a SQL database or system password file
> > depending on where the request comes from, however the user may exist in
> > both, with different passwords. How do I tell it to use the MySQL
> > username/password pairs 'only' when it comes from a specific NAS?
>
> many many ways - you could use huntgroups and Autz-Type, you could
> use virtual servers and proxy the request - if NAS is this or that
> then use this server definition.

Can you give me some examples, or documentation I could use to get this going? I tried Autz-Type but must have not understood it, or really messed it up somehow.

> > Suggestions, pointers to documentation I may have missed, etc are gladly
> > welcomed.
>
> looks like you've told the server to do a Crypt-Password - and it
> doesn't match. how ARE you storing the passwords in the SQL?
>
> alan

Passwords in the SQL database are currently Cleartext-Password, due to some old NAS issues. Hopefully this round of updates will allow us to switch it to Crypt-Password, but as of this writing it isn't an option.

Wm
Problem with MySQL + system auth
Greetings,

In working to get my new radius server working I have run into a snag. I need to authenticate using a SQL database or system password file depending on where the request comes from, however the user may exist in both, with different passwords. How do I tell it to use the MySQL username/password pairs 'only' when it comes from a specific NAS?

I have tried specifying the "Auth-Type := LOCAL" in my SQL reply tables, I have tried Autz-Type... I just don't seem to be able to get it working right. Debug output from last try is below. Currently I am not specifying an Auth-Type, but setting it to CHAP, PAP, or LOCAL doesn't work.

Suggestions, pointers to documentation I may have missed, etc are gladly welcomed.

---begin DEBUG---
rad_recv: Access-Request packet from host 192.168.1.64 port 32780, id=20, length=59
	User-Name = "azander"
	User-Password = "test321"
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 8
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "azander", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
	expand: %{Stripped-User-Name:-%{User-Name}} -> azander
++[files] returns noop
	expand: %{Stripped-User-Name} ->
	expand: %{User-Name} -> azander
	expand: %{%{Stripped-User-Name}:-%{User-Name}} -> azander
rlm_sql (sql): sql_set_user escaped user --> 'azander'
rlm_sql (sql): Reserving sql socket id: 4
	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'azander' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'azander' ORDER BY id
rlm_sql (sql): User found in radcheck table
	expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'azander' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'azander' ORDER BY id
	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'azander' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'azander' ORDER BY priority
	expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'staff' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'staff' ORDER BY id
rlm_sql (sql): User found in group staff
	expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'staff' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'staff' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "test321"
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [azander/test321] (from client flyer port 8)
Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> azander
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
RE: Freeradius +LDAP + Active Directory + Authenticate Only questions
Thanks, I got it working. Is there a reason that the ldap search that rlm_ldap performs functions differently from ldapsearch? With ldapsearch I can do a search without specifying an OU, but with rlm_ldap it fails? I do not have control of the Active Directory server here so I cannot apply the dsHeuristics setting as specified in the rlm_ldap docs.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, January 18, 2008 1:05 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius +LDAP + Active Directory + Authenticate Only questions

William Segura wrote:
> I am trying to setup Freeradius to authenticate against an active
> directory server.

  Only "bind as user" will work, and even then not always.

> Here are the relevant files:

  Please do not post configuration files to the list.

> Radius Log:
...
> rad_recv: Access-Request packet from host 127.0.0.1:35655, id=159,
> length=58
> User-Name = "user1"
> User-Password = "\204\016V\332\226\325\007\347\254Hm\262}B\321M"

  Your shared secret is wrong. Fix it.

> modcall[authorize]: module "preprocess" returns ok for request 0
> rlm_pap: WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> modcall[authorize]: module "pap" returns noop for request 0

  You have re-ordered the modules in the "authorize" section. Why? Do you understand what the PAP module does?

> rlm_ldap: Bind failed with invalid credentials

  Because the password was wrong. The password *should* be visible in debugging mode. It should NOT be binary garbage.

> auth: Failed to validate the user.
> WARNING: Unprintable characters in the password. ? Double-check the
> shared secret on the server and the NAS!

  Perhaps this message might be useful. Did you read it? Did you follow its instructions?

  Alan DeKok.
Freeradius +LDAP + Active Directory + Authenticate Only questions
ng up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: No '\' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 159
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "user1" with password "??V�?�?��Hm�}B�M"
radius_xlat: '(SamAccountName=user1)'
radius_xlat: 'ou=North America,dc=subdomain,dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldaps://ad-ldap.subdomain.domain.com, authentication 0
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as username/password to ldaps://ad-ldap.subdomain.domain.com
TLS certificate verification: Error, unable to get local issuer certificate
rlm_ldap: waiting for bind result ...
request done: ld 0x558b2890 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=North America,dc=subdomain,dc=domain,dc=com, with filter (SamAccountName=user1)
request done: ld 0x558b2890 msgid 2
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: CN=William user1,OU=Users,OU=Headquarters,OU=North America,DC=subdomain,DC=domain,DC=com
rlm_ldap: (re)connect to ldaps://ad-ldap.subdomain.domain.com, authentication 1
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as CN=William user1,OU=Users,OU=Headquarters,OU=North America,DC=subdomain,DC=domain,DC=com/??V�?�?��Hm�}B�M to ldaps://ad-ldap.subdomain.domain.com
TLS certificate verification: Error, unable to get local issuer certificate
rlm_ldap: waiting for bind result ...
request done: ld 0x558badf0 msgid 1
rlm_ldap: Bind failed with invalid credentials
modcall[authenticate]: module "ldap" returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 159 to 127.0.0.1 port 35655
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 159 with timestamp 478fad88
Nothing to do. Sleeping until we see a request.

William Segura | Product Development Lab Manager
F5 Networks
www.f5.com
Re: Upgrading from 1.0.2 to 2.0.0 problems
On Thursday 17 January 2008 02:44:13 Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
> > you are calling the unix auth module before suffix - therefore the magic
> > hasnt yet happened. I'd try putting the unix module after the modules
> > that play around with User-Name
>
> i.e. the order in the default configuration is wrong, too.
>
> I've fixed it.
>
> Alan DeKok.

Thanks to both you and Alan Buxey for the help. That was exactly the problem. Now I need to deal with the old legacy users file entries. *ick!*

Wm
Re: Upgrading from 1.0.2 to 2.0.0 problems
On Wednesday 16 January 2008 16:58:09 Alan DeKok wrote:
> William wrote:
> > The situation is that we have a lot of legacy users who only enter a
> > username, without realm information, and passwords for their connections.
> > Those work fine. When newer users enter [EMAIL PROTECTED] for their
> > password I need to strip off the realm, and authenticate that user.
>
> In 2.0, add the following to proxy.conf:
>
> realm example.com {
> }
>
> Once that's done, the default configuration in 2.0 will treat
> "[EMAIL PROTECTED]" the same as "user". See the debug output, where it
> shows it stripping the realm.
>
> > Our old system used the strip directive to do this. I cannot figure out
> > how 2.0 does this. The problem becomes that if they put a different
> > realm on the username, we will need to either proxy it (later
> > configuration issue, not for now) or reject it.

That causes anyone using [EMAIL PROTECTED] to fail, yet if they just use username it works. (Debug output below)

rad_recv: Access-Request packet from host 192.168.1.64 port 32775, id=35, length=62
	User-Name = "test"
	User-Password = "mytest4"
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 0
	Framed-Protocol = PPP
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
	expand: %{Stripped-User-Name:-%{User-Name}} -> test
users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "mytest4"
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [test/mytest4] (from client flyer port 0)
Sending Access-Accept of id 35 to 192.168.1.64 port 32775
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
Cleaning up request 0 ID 35 with timestamp +7
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.64 port 32775, id=43, length=76
	User-Name = "[EMAIL PROTECTED]"
	User-Password = "mytest4"
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 0
	Framed-Protocol = PPP
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: Looking up realm "netonecom.net" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "netonecom.net"
rlm_realm: Adding Stripped-User-Name = "test"
rlm_realm: Proxying request from user test to realm netonecom.net
rlm_realm: Adding Realm = "netonecom.net"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
	expand: %{Stripped-User-Name:-%{User-Name}} -> test
users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/mytest4] (from client flyer port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> [EMAIL PROTECTED]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 43 to 192.168.1.64 port 32775
Waking up in 4.9 seconds.
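The rejections in the threads above (no Auth-Type once the realm is stripped, a CRYPT check against a cleartext store, an unprintable password from a bad shared secret, a missing inner EAP type) are all read off the radiusd -X module chain. As an added example that is not part of any post or of FreeRADIUS itself, the script below walks a debug transcript request by request and maps those messages to the causes the replies identified; the transcript it runs on is constructed, modelled on the output quoted in this thread.

```python
"""Triage helper for FreeRADIUS 2.x `radiusd -X` output (added example, not from
the posts above or FreeRADIUS): map each request's module chain to causes."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

MODULE_RE = re.compile(r"^\+\+\[([\w.-]+)\] returns (\w+)")
USER_RE = re.compile(r'^User-Name = "([^"]*)"')
AUTH_TYPE_RE = re.compile(r'^auth: type "([^"]+)"')

# Diagnostic line -> likely cause, as given in the replies quoted above.
HINTS = [
    (re.compile(r"Unprintable characters in the password"),
     "shared secret mismatch between NAS and server: the decoded User-Password is garbage"),
    (re.compile(r"No such EAP type \w+"),
     "the inner EAP type is not enabled in eap.conf"),
    (re.compile(r'No "known good" password found'),
     "no known-good password (e.g. Cleartext-Password) was found for this user"),
    (re.compile(r"No authenticate method \(Auth-Type\)"),
     "no module set Auth-Type in authorize, so nothing could authenticate the request"),
    (re.compile(r"CRYPT password check failed"),
     "the known-good password was a crypt hash and did not match; check which module supplied it"),
]

@dataclass
class Triage:
    user: str = ""
    auth_type: str = ""
    chain: List[Tuple[str, str]] = field(default_factory=list)
    outcome: str = "unknown"  # accept | reject | challenge | unknown
    hints: List[str] = field(default_factory=list)

def split_requests(text: str) -> List[str]:
    """One chunk per request: a new chunk starts at every 'rad_recv:' line."""
    chunks: List[List[str]] = []
    for line in text.splitlines():
        if line.startswith("rad_recv:") or not chunks:
            chunks.append([])
        chunks[-1].append(line)
    return ["\n".join(c) for c in chunks]

def order_hint(t: Triage) -> List[str]:
    """Module-order check from the 1.0.2 -> 2.0.0 thread: unix before suffix."""
    names = [m for m, _ in t.chain]
    if ("unix", "notfound") in t.chain and "suffix" in names and "@" in t.user \
            and names.index("unix") < names.index("suffix"):
        return ["unix ran before suffix and looked up the unstripped user@realm "
                "name; list unix after the realm modules in authorize"]
    return []

def triage(chunk: str) -> Triage:
    """Summarise one request: user, module chain, Auth-Type, outcome, hints."""
    t = Triage()
    for raw in chunk.splitlines():
        line = raw.strip()  # radiusd indents attribute lines with a tab
        m = USER_RE.match(line)
        if m and not t.user:
            t.user = m.group(1)
        m = MODULE_RE.match(line)
        if m:
            t.chain.append((m.group(1), m.group(2)))
        m = AUTH_TYPE_RE.match(line)
        if m:
            t.auth_type = m.group(1)
        if line.startswith(("Sending Access-Accept", "Login OK")):
            t.outcome = "accept"
        elif line.startswith(("Sending Access-Reject", "Login incorrect",
                              "auth: Failed to validate the user")):
            t.outcome = "reject"
        for pattern, cause in HINTS:
            if pattern.search(line) and cause not in t.hints:
                t.hints.append(cause)
    if t.outcome == "unknown" and ("eap", "handled") in t.chain:
        t.outcome = "challenge"  # EAP conversation still in progress
    t.hints.extend(order_hint(t))
    return t

def triage_transcript(text: str) -> List[Triage]:
    return [triage(c) for c in split_requests(text) if "User-Name" in c]

# Constructed transcript modelled on the thread's output: a PAP login that
# succeeds, then the same user with a realm appended, which is rejected.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 32775, id=35, length=62
\tUser-Name = "test"
++[unix] returns updated
++[suffix] returns noop
++[pap] returns updated
auth: type "PAP"
Sending Access-Accept of id 35 to 192.0.2.10 port 32775
rad_recv: Access-Request packet from host 192.0.2.10 port 32775, id=43, length=76
\tUser-Name = "test@example.com"
++[unix] returns notfound
++[suffix] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Sending Access-Reject of id 43 to 192.0.2.10 port 32775
"""
```

Run `triage_transcript(open("radiusd.log").read())` on a real -X capture to get one Triage per request; the hint list is only as good as the patterns above, so unknown failures still need the raw output.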
Re: Upgrading from 1.0.2 to 2.0.0 problems
On Wednesday 16 January 2008 16:39:38 Alan DeKok wrote:
> Configure... what, exactly? I think you're getting stuck on trying to
> make particular configurations "work". You should instead state the
> requirements as clearly as possible. Odds are that a simple
> configuration will be straightforward.

Fair enough. What I have is one local radius server. We will need to proxy later, but for now, I just want to get local users properly authenticated.

The situation is that we have a lot of legacy users who only enter a username, without realm information, and passwords for their connections. Those work fine. When newer users enter [EMAIL PROTECTED] for their password I need to strip off the realm, and authenticate that user. Our old system used the strip directive to do this. I cannot figure out how 2.0 does this. The problem becomes that if they put a different realm on the username, we will need to either proxy it (later configuration issue, not for now) or reject it.

We currently use the Linux system password file for authentication, though that is planned for migration to SQL at a later date.

Wm
Upgrading from 1.0.2 to 2.0.0 problems
Greetings, I have looked at the documentation included with the 2.0 distribution for setting up radius 2.0 and I am either blind, or it doesn't have what I am looking for. What I am trying to do is set up my main realm to handle either no realm or deal with the default realm. The problem I am having is that I do not wish to proxy it back to itself to handle the realm (puts it in my log twice, and debug shows it re-submitting it back to itself). Where do I look to solve this? I tried in proxy.conf adding: realm myrealm.com { } and tried, at a different time: realm myrealm.com { auth_pool = my_auth_failover } Trying to use the configuration provided as a template. The first causes [EMAIL PROTECTED] to fail, and the second causes it to re-submit it to the server for authentication. How do I fix this, or where is there some detailed documentation on how to configure this? Thank you Wm
Re: Users outside /etc/raddb/users
Greetings, While this isn't the recommended way to generate such a large user/password database (some form of LDAP/SQL is), you can use the $include directive to include a different file for users. Using an older version of freeradius, we do that for a small group that we don't have in our /etc/passwd files. It works quite well for what you are asking. Wm Server Administrator NetOne Communications, Inc.

On Friday 09 November 2007 13:31:58 Rui Meireles wrote: > Hi. I have a simple question. > I want to create more than 400 freeradius users, all of them like this: > [EMAIL PROTECTED] Auth-Type := Local, User-Password == . > . > I want to know if there is some way to have this information OUTSIDE the > /etc/raddb/users file, because it would massively increase the size of this > file. > If someone knows a way to have several user files, please help me. > Thanks in advance, > Rui Meireles
Parse errors with Cisco-Avpair
I'm trying to use FreeRADIUS with a Cisco router to implement an authentication proxy. However when I try to define a test user in users, I'm getting a parse error on the spaces in the ACLs. Has anyone else implemented something similar? I found several guides for cisco logins, but they did not cover ACLs. Any help would be appreciated. Thanks! radiusd: FreeRADIUS Version 1.1.3, for host i686-pc-linux-gnu, built on Jan 4 2007 at 13:58:04 radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/dictionary.cisco Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. 
Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = yes preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default 
= no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" */etc/raddb/users[3]: Parse error (check) for entry Cisco-Avpair="auth-proxy:proxyacl#1=permit: expecting '='* Errors reading /etc/raddb/users radiusd.conf[1059]: files: Module instantiation failed. radiusd.conf[1837] Unknown module "files". radiusd.conf[1773] Failed to parse authorize section. *users file:* steve Auth-Type := Local, User-Password == "testing" Cisco-Avpair="auth-proxy:priv-lvl=15", Cisco-Avpair="auth-proxy:proxyacl#1=permit tcp any any eq 26", Cisco-Avpair="auth-proxy:proxyacl#2=permit icmp any host 60.0.0.2", Cisco-Avpair="auth-proxy:proxyacl#3=permit tcp any any eq ftp", Cisco-Avpair="auth-proxy:proxyacl#4=permit tcp any any eq ftp-data", Cisco-Avpair="auth-proxy:proxyacl#5=permit tcp any any eq smt
Re: Another Installation Problem
On Tuesday 31 October 2006 17:13, kbajwa wrote: > Dennis: > > I have already done that. The first link is 'download', which takes you to the > download site. The first link is 'download', and when I CLICK on it, I get > to the 'download' page. The first file to download is: > > # 2006.08.22 freeradius-1.1.3.tar.bz2, (currently released version: 1.1.3) > > Please note the extension 'bz2' > > I have been to this page several times before posting. This download file > is not the 'tar' file from which I install. This is a file from which we > extract a freeradius-1.1.3 folder. > > Please try again and re-direct to the 'tar' file from which I can do the > installation!! > > Thanks. > > Kirt > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > On Behalf Of Dennis Skinner > Sent: Tuesday, October 31, 2006 4:44 PM > To: FreeRadius users mailing list > Subject: Re: Another Installation Problem > > 1. Go to www.freeradius.org > 2. Click on the very first link > 3. The rest should be obvious

Greetings, Download the freeradius-1.1.3.tar.bz2 file. Then from the command line issue the following command to extract it: tar jxpf freeradius-1.1.3.tar.bz2 That will bunzip2 it, and untar the file all in one step. -- William
Re: Accepting any login attempt
On Tuesday 03 October 2006 09:18, John Williams wrote: > I need our radius servers to accept any login attempt regardless of what > the username is or the password. > > Is there a way of doing this?

Yes. You can set a line in your users file like this: DEFAULT Auth-Type := Accept If you also have in your radius.conf file: log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes Then you should be able to collect the passwords sent to you if you use PAP authentication, from your $ACCOUNTING_PATH/radius.log file. Since all users will be able to connect, any user/password will work. You will get a lot of bogus ones, but those are easy enough to weed out. We used this to collect passwords from our users without having to re-contact them when we had a major failure (Still using system password files for authentication for some connection). Took about a week and we had 90% of our users and passwords figured out. Wm
How to add group in freeradius
Hello, Can someone explain how to add groups in freeradius, and how to add the user in that group? Thanks.
'-' Character in Group
When I use the '-' character as a Group name, the authentication fails. For example:
1. Group Name: -A  Result: Authentication Fails
2. Group Name: A-  Result: Authentication Successful
What are the valid characters and what is the explanation regarding this? Thank you very much.
mod_auth_radius-2.0
Greetings, I am having some problems with mod_auth_radius-2.0 on apache 2.0.54. The error I am receiving is: Cannot load /usr/local/apache/modules/mod_auth_radius-2.0.so into server: /usr/local/apache/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf I am running on suse 10.1-x86_64 and apache is compiled from source. Any suggestions? Help? -- William Server Administrator NetOne Communications, Inc. 231-734-2917
Re: Using radius to block port 25 for all users except some?
Greetings, Anyone have similar for a cisco 5300 series? Or pointers to where I can get said info? William

On Wednesday 25 May 2005 11:22 am, Stuart Harris wrote: > We use ascend modem banks, and simply send the > X-ascend-data-filter attributes: > > X-Ascend-Data-Filter += ip in forward tcp > X-Ascend-Data-Filter += ip in forward dstip 72.21.11.0/24 > X-Ascend-Data-Filter += ip in drop tcp dstport = 25 > X-Ascend-Data-Filter += ip in drop tcp srcport = 80 > X-Ascend-Data-Filter += ip in forward 0 > > It was shamelessly stolen from Qwest ;) > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Drew > Weaver > Sent: 25 May 2005 10:42 > To: freeradius-users@lists.freeradius.org > Subject: Using radius to block port 25 for all users except some? > > Hi, with the proliferation of spam on the internet > we're taking the added step of making our modem banks only accept port 25 > traffic destined for our SMTP servers, is there any way to use radius to > exclude certain people from this policy, or, alternatively is there any way > to use radius to enforce this policy altogether? We're using a MAX tnt as > our modem bank, sorry if this is wholly off-topic. > > Thanks, > -Drew
Re: FW: RE: Would like Someone to setup radius + API
Greetings, I would love to see what your requirements are for such a system. We may be able to provide you with what you are looking for, but I will need to know more before I can quote prices, and time needed. William Server Administrator NetOne Communications, Inc. (v) 231-734-2917

On Wednesday 25 May 2005 02:29 am, John Holbrook wrote: > -Original Message- > From: John H - ACI Technologies, LLC [mailto:[EMAIL PROTECTED] > Sent: Tuesday, May 24, 2005 11:53 PM > To: 'freeradius-users@lists.freeradius.org' > Subject: RE: Would like Someone to setup radius + API > > > where would I find someone to set up freeradius.org for me for a dialup ISP, > and provide an API script so that an instant signup script can be > constructed? Also would accept any offers for ongoing small support as > needed.
Re[2]: errors in radius.log
Greetings, This error message means that your NASes are sending a different ID when the user disconnects than the one the NAS sent when the user connected. Radius cannot associate the disconnect with the connect without the same ID. Your NAS is the one sending the wrong IDs.

On Wed, 04 May 2005 11:46:55 +0200 Ahmad Cheikh Moussa <[EMAIL PROTECTED]> wrote: > Hi! > > Does really nobody know what these error messages mean, > or is this a stupid question? If so, I'm sorry. > > Can someone give me a hint, where I can look at? > > Regards, > Ahmad > > Ahmad Cheikh Moussa wrote: > > Hi! > > > > I have a freeradius 0.9.3 with Solaris 8. > > I got all the time these error messages: > > > > Thu Apr 28 07:21:55 2005 : Error: rlm_radutmp: Logout entry for NAS > > 1.1.1.1 port 1610613128 has wrong ID > > Thu Apr 28 07:22:05 2005 : Error: rlm_radutmp: Logout entry for NAS > > 1.1.1.1 port 1610613218 has wrong ID > > Thu Apr 28 07:22:13 2005 : Error: rlm_radutmp: Logout entry for NAS > > 1.1.1.1 port 1610612888 has wrong ID > > > > The NAS is a juniper dslam. > > I've searched the mailinglist, but I didn't find anything which > > could explain this error. > > > > Can anyone tell me what this error means and how can I get rid > > of this?

-- William Ragsdale, Server Administrator, NetOne Communications, Inc., 2186 US 10, Sears, MI 49679. http://www.netonecom.net Work: 231-734-2917 FAX: 231-734-6395 Office Hours 10AM - 7PM
Re: Can I run two freeradius daemons on the same machine?
On Fri, 22 Apr 2005 15:56:21 -0400 Brian Gao <[EMAIL PROTECTED]> wrote: > > Hi all, > > Does anybody know that can I run two freeradius daemons on the same machine?

Greetings, Just set them on different ports. I run one on port 1812, one on port 1635 and one on port (for debugging). Just create a separate radiusd.conf file (I use entire directories) for each one and use the -d /path/to/radiusd.conf option.

-- William Ragsdale, Server Administrator, NetOne Communications, Inc., 2186 US 10, Sears, MI 49679. http://www.netonecom.net Work: 231-734-2917 FAX: 231-734-6395 Office Hours 10AM - 7PM
users $INCLUDE files?
Greetings, I am trying to use the INCLUDE directive in the users file. Is this possible? If so, can someone point me to some examples. Mine doesn't seem to be working. OS: FreeBSD 4.11 Radius: Freeradius 1.0.2
Unsubscribe
Mueller Industries, Inc. - CONFIDENTIAL INFORMATION This e-mail and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to whom it is addressed. This communication may contain privileged material. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, be advised that you have received this e-mail in error and that any use, dissemination, forwarding, printing, or copying of this e-mail and any file attachments is not authorized by the sender of this e-mail or Mueller Industries, Inc. If you have received this e-mail in error, please immediately notify us by telephone at 1-800-348-8464 (or 901-753-3200) or reply by e-mail to the sender. If you are not the intended recipient, please destroy the original transmission and its contents.
RE: Success PEAP/MSCHAPv2 + LDAP + Samba passwords
Personally I think that clear text is bad as anyone intercepting the packets can easily pick up anything in clear text. If one knows specifically that traffic is on a completely secure path from end to end then not such an issue. This leads one to have different standards for one transmission path over the other though. Brent

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 10, 2004 8:01 AM To: [EMAIL PROTECTED] Subject: Re: Success PEAP/MSCHAPv2 + LDAP + Samba passwords Hi, > OpenLDAP with NT and LM hashed samba password After having read similar stuff several times in the past weeks, what's the real advantage of using NT or LM hashed passwords over using simple clear text passwords? At least security-wise, I can't see any. Regards, Stefan
RE: [ Tagged - SPAM ? ] Restricting VPN User
The group policy on my VPN server dictates the accessible networks. I have several setups that only allow one specific IP address with a 255.255.255.255 subnet. Brent

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mahesh S Kudva Sent: Monday, October 18, 2004 2:14 AM To: [EMAIL PROTECTED] Subject: [ Tagged - SPAM ? ] Restricting VPN User Importance: Low Hi All I have a VPN Server which redirects all the authentication to freeRADIUS 1.0.1. My question is how do I restrict the VPN User to a particular host in the network depriving him of all the resources and hosts in the network. In short I want to restrict the VPN user to One and Only One Network Server? Thanks in advance.. Regards & Thanks Mahesh S Kudva Robosoft Technologies System Administration Department Phone: 0820-2535458 Extn: 205, 244 http://www.robosoftin.com
RE: Installing freeRadius on RH Linux 9.0
Gene .. I had the same type of errors until I made sure the mysql_devel RPM was installed .. Even then my make process completed with messages such as sql_mysql.o sql_mysql.c:39:20: errmsg.h: No such file or directory sql_mysql.c:40:19: mysql.h: No such file or directory sql_mysql.c:47: parse error before "MYSQL" sql_mysql.c:47: warning: no semicolon at end of struct or union sql_mysql.c:48: warning: type defaults to `int' in declaration of sock' sql_mysql.c:48: warning: data definition has no type or storage class sql_mysql.c:49: parse error before '*' token sql_mysql.c:49: warning: type defaults to `int' in declaration of result' sql_mysql.c:49: warning: data definition has no type or storage class sql_mysql.c:51: parse error before '}' token sql_mysql.c:51: warning: type defaults to `int' in declaration of `rlm_sql_mysql_sock' sql_mysql.c:51: warning: data definition has no type or storage class sql_mysql.c: In function `sql_init_socket': My testing looks to be working but I am just not getting the other .conf files tailored. Brent Berry

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok Sent: Friday, October 15, 2004 3:04 PM To: [EMAIL PROTECTED] Subject: Re: Installing freeRadius on RH Linux 9.0 "Gene Rouse" <[EMAIL PROTECTED]> wrote: > Below I have included the error messages I get. > > gmake[11]: Entering directory > `/root/freeradius-1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql' > [ "xrlm_sql_mysql" = "x" ] || /root/freeradius-1.0.1/libtool --mode=install > /root/freeradius-1.0.1/install-sh -c -c rlm_sql_mysql.la > /usr/local/lib/rlm_sql_mysql.la > libtool: install: `rlm_sql_mysql.la' is not a valid libtool archive Did the "make" process succeed? Alan DeKok.
compiling errors ...
OK I am sure I am missing something simple .. I am trying to install on RH8 using MySQL .. I have mysql-3.23.52-3, mysql-devel-3.23.52-3 and mysql-server-3.23.52-3 installed and running but have not created the database structure yet .. during the ./configure I get the following at the end of the process .. Does this mean that I need to upgrade MySQL or did I miss something else?? sql_mysql.c:39:20: errmsg.h: No such file or directory sql_mysql.c:40:19: mysql.h: No such file or directory sql_mysql.c:47: parse error before "MYSQL" sql_mysql.c:47: warning: no semicolon at end of struct or union sql_mysql.c:48: warning: type defaults to `int' in declaration of `sock' sql_mysql.c:48: warning: data definition has no type or storage class sql_mysql.c:49: parse error before '*' token sql_mysql.c:49: warning: type defaults to `int' in declaration of `result' sql_mysql.c:49: warning: data definition has no type or storage class sql_mysql.c:51: parse error before '}' token sql_mysql.c:51: warning: type defaults to `int' in declaration of `rlm_sql_mysql_sock' sql_mysql.c:51: warning: data definition has no type or storage class sql_mysql.c: In function `sql_init_socket': sql_mysql.c:62: `mysql_sock' undeclared (first use in this function) sql_mysql.c:62: (Each undeclared identifier is reported only once sql_mysql.c:62: for each function it appears in.) 
sql_mysql.c:65: parse error before ')' token sql_mysql.c:76: warning: implicit declaration of function `mysql_init' sql_mysql.c:77: warning: implicit declaration of function `mysql_real_connect' sql_mysql.c:84: `CLIENT_FOUND_ROWS' undeclared (first use in this function) sql_mysql.c:86: warning: implicit declaration of function `mysql_error' sql_mysql.c:86: warning: format argument is not a pointer (arg 3) sql_mysql.c: In function `sql_destroy_socket': sql_mysql.c:103: warning: unused parameter `config' sql_mysql.c: In function `sql_check_error': sql_mysql.c:122: `CR_SERVER_GONE_ERROR' undeclared (first use in this function) sql_mysql.c:123: `CR_SERVER_LOST' undeclared (first use in this function) sql_mysql.c:131: `CR_OUT_OF_MEMORY' undeclared (first use in this function) sql_mysql.c:132: `CR_COMMANDS_OUT_OF_SYNC' undeclared (first use in this function) sql_mysql.c:133: `CR_UNKNOWN_ERROR' undeclared (first use in this function) sql_mysql.c: In function `sql_query': sql_mysql.c:151: `mysql_sock' undeclared (first use in this function) sql_mysql.c:160: warning: implicit declaration of function `mysql_query' sql_mysql.c:161: warning: implicit declaration of function `mysql_errno' sql_mysql.c: In function `sql_store_result': sql_mysql.c:175: `mysql_sock' undeclared (first use in this function) sql_mysql.c:181: warning: implicit declaration of function `mysql_store_result' sql_mysql.c:184: warning: format argument is not a pointer (arg 3) sql_mysql.c:173: warning: unused parameter `config' sql_mysql.c: In function `sql_num_fields': sql_mysql.c:202: `mysql_sock' undeclared (first use in this function) sql_mysql.c:204:5: warning: "MYSQL_VERSION_ID" is not defined sql_mysql.c:207: warning: implicit declaration of function `mysql_num_fields' sql_mysql.c:211: warning: format argument is not a pointer (arg 3) sql_mysql.c:199: warning: unused parameter `config' sql_mysql.c: In function `sql_num_rows': sql_mysql.c:257: `mysql_sock' undeclared (first use in this function) 
sql_mysql.c:260: warning: implicit declaration of function `mysql_num_rows' sql_mysql.c:255: warning: unused parameter `config' sql_mysql.c: In function `sql_fetch_row': sql_mysql.c:277: `mysql_sock' undeclared (first use in this function) sql_mysql.c:286: warning: implicit declaration of function `mysql_fetch_row' sql_mysql.c:286: warning: assignment makes pointer from integer without a cast sql_mysql.c:275: warning: unused parameter `config' sql_mysql.c: In function `sql_free_result': sql_mysql.c:305: `mysql_sock' undeclared (first use in this function) sql_mysql.c:308: warning: implicit declaration of function `mysql_free_result' sql_mysql.c:303: warning: unused parameter `config' sql_mysql.c: In function `sql_error': sql_mysql.c:327: `mysql_sock' undeclared (first use in this function) sql_mysql.c:330: warning: return discards qualifiers from pointer target type sql_mysql.c:332: warning: return makes pointer from integer without a cast sql_mysql.c:325: warning: unused parameter `config' sql_mysql.c: In function `sql_close': sql_mysql.c:346: `mysql_sock' undeclared (first use in this function) sql_mysql.c:349: warning: implicit declaration of function `mysql_close' sql_mysql.c:344: warning: unused parameter `config' sql_mysql.c: In function `sql_finish_query': sql_mysql.c:364: warning: unused parameter `sqlsocket' sql_mysql.c:364: warning: unused parameter `config' sql_mysql.c: In function `sql_affected_rows': sql_mysql.c:395: `mysql_sock' undeclared (first use in this function) sql_mysql.c:397: warning: implicit declaration of function `mysql_affected_rows' sql_mysql.c:393: war
RE: new user - configuration question
Sorry I thought I was sending in plain text .. Ok .. I can go back and install MySQL and rebuild. I will also go ahead and install Apache before rebuilding. It does look as though dialup_admin and SQL will provide a more secure and easier method to maintain the user lists. (Have to make sure the auditors stay happy) In any case, I still need the 'clients.conf' and update this anytime I add a new device correct? I think I am getting there now ... I was told that the configuration would be a challenge but not impossible and the results are worth the effort. Brent

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thor Spruyt Sent: Monday, October 11, 2004 10:37 AM To: [EMAIL PROTECTED] Subject: Re: new user - configuration question Hi, Please try sending "plain text" mail, so it's easier to respond to your questions! To have support for mysql in freeradius, you need to have the mysql client libraries installed on your system before you configure/make freeradius. The files 'clients', 'naslist' are deprecated in favor of 'clients.conf'. You should store your NASes in clients.conf -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65

- Original Message - From: Berry, William To: [EMAIL PROTECTED] Sent: Monday, October 11, 2004 4:58 PM Subject: RE: new user - configuration question The current use for this server is to authenticate user access to our network hardware and eventually wi-fi access. The "next phase" is to get the user and device access configured. My test device is a Cisco 2600 router. According to the radius.conf the recommendation is to NOT use the client's or naslist. I took this as a recommendation to use SQL for storing the information. In reading through the installation for that was the comment that dialup_admin is used for management on the information in the SQL database. Brent

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Anson Rinesmith Sent: Monday, October 11, 2004 9:22 AM To: [EMAIL PROTECTED] Subject: RE: new user - configuration question It depends on what features you want to use, your "next phase" doesn't tell us much. There is no "NEED" to install MySQL or Apache, unless you want a feature that requires them. It has also been my experience, that if you do decide you need MySQL, you will need to have it installed, before installing freeradius.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Berry, William Sent: Monday, October 11, 2004 9:08 AM To: [EMAIL PROTECTED] Subject: new user - configuration question This is my first attempt at setting up a RADIUS server. I have downloaded and successfully installed FreeRadius version 1.0.1 on a Red Hat 8.0 Linux server. It seems to work fine based upon the testing included in the installation instructions. I am now starting to read through the documentation to complete the next phase. I know I still need to configure the radiusd.conf but wanted to verify that I also need to install MySQL w/PHP support and Apache servers. Is there any other step that I am missing?? I am new to the Linux world on a learning curve so please bear with me. Any assistance is appreciated. Brent Berry Network Engineer Mueller Industries Inc. (901) 759-7470
RE: new user - configuration question
The current use for this server is to authenticate user access to our network hardware and eventually wi-fi access. The "next phase" is to get the user and device access configured. My test device is a Cisco 2600 router.

According to the radius.conf the recommendation is to NOT use the clients or naslist. I took this as a recommendation to use SQL for storing the information. In reading through the installation for that, there was the comment that dialup_admin is used for management of the information in the SQL database.

Brent

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Anson Rinesmith
Sent: Monday, October 11, 2004 9:22 AM
To: [EMAIL PROTECTED]
Subject: RE: new user - configuration question

It depends on what features you want to use, your "next phase" doesn't tell us much. There is no "NEED" to install MySQL or Apache, unless you want a feature that requires them. It has also been my experience, that if you do decide you need MySQL, you will need to have it installed, before installing freeradius.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Berry, William
Sent: Monday, October 11, 2004 9:08 AM
To: [EMAIL PROTECTED]
Subject: new user - configuration question

This is my first attempt at setting up a RADIUS server. I have downloaded and successfully installed FreeRadius version 1.0.1 on a Red Hat 8.0 Linux server. It seems to work fine based upon the testing included in the installation instructions. I am now starting to read through the documentation to complete the next phase. I know I still need to configure the radiusd.conf but wanted to verify that I also need to install MySQL w/PHP support and Apache servers. Is there any other step that I am missing? I am new to the Linux world on a learning curve so please bear with me. Any assistance is appreciated.

Brent Berry
Network Engineer
Mueller Industries Inc.
(901) 759-7470
new user - configuration question
This is my first attempt at setting up a RADIUS server. I have downloaded and successfully installed FreeRadius version 1.0.1 on a Red Hat 8.0 Linux server. It seems to work fine based upon the testing included in the installation instructions.

I am now starting to read through the documentation to complete the next phase. I know I still need to configure the radiusd.conf but wanted to verify that I also need to install MySQL w/PHP support and Apache servers. Is there any other step that I am missing?

I am new to the Linux world on a learning curve so please bear with me. Any assistance is appreciated.

Brent Berry
Network Engineer
Mueller Industries Inc.
(901) 759-7470
Re: CHAP & PAP
11:00:36 2004 : Debug: Module: Instantiated detail (detail)
Mon Sep 13 11:00:36 2004 : Debug: Module: Loaded radutmp
Mon Sep 13 11:00:36 2004 : Debug: radutmp: filename = "/var/log/radutmp"
Mon Sep 13 11:00:36 2004 : Debug: radutmp: username = "%{User-Name}"
Mon Sep 13 11:00:36 2004 : Debug: radutmp: case_sensitive = yes
Mon Sep 13 11:00:36 2004 : Debug: radutmp: check_with_nas = yes
Mon Sep 13 11:00:36 2004 : Debug: radutmp: perm = 384
Mon Sep 13 11:00:36 2004 : Debug: radutmp: callerid = yes
Mon Sep 13 11:00:36 2004 : Debug: Module: Instantiated radutmp (radutmp)
Mon Sep 13 11:00:36 2004 : Debug: Listening on authentication *:
Mon Sep 13 11:00:36 2004 : Debug: Listening on accounting *:1
Mon Sep 13 11:00:36 2004 : Debug: Listening on proxy *:10001
Mon Sep 13 11:00:36 2004 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 209.172.21.6:3562, id=23, length=98
        User-Name = "test"
        User-Password = "test321"
        Framed-Protocol = PPP
        Called-Station-Id = "231345"
        Calling-Station-Id = "2318325965"
        NAS-Port = 1
        NAS-Port-Type = Async
        NAS-IP-Address = 216.65.160.245
        Service-Type = Framed-User
Mon Sep 13 11:02:46 2004 : Debug: Processing the authorize section of radiusd.conf
Mon Sep 13 11:02:46 2004 : Debug: modcall: entering group authorize for request 0
Mon Sep 13 11:02:46 2004 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Mon Sep 13 11:02:46 2004 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Mon Sep 13 11:02:46 2004 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Mon Sep 13 11:02:46 2004 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Mon Sep 13 11:02:46 2004 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Mon Sep 13 11:02:46 2004 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Mon Sep 13 11:02:46 2004 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Mon Sep 13 11:02:46 2004 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Mon Sep 13 11:02:46 2004 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Mon Sep 13 11:02:46 2004 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Mon Sep 13 11:02:46 2004 : Debug: rlm_realm: No '@' in User-Name = "test", looking up realm NULL
Mon Sep 13 11:02:46 2004 : Debug: rlm_realm: Found realm "NULL"
Mon Sep 13 11:02:46 2004 : Debug: rlm_realm: Adding Stripped-User-Name = "test"
Mon Sep 13 11:02:46 2004 : Debug: rlm_realm: Proxying request from user test to realm NULL
Mon Sep 13 11:02:46 2004 : Debug: rlm_realm: Adding Realm = "NULL"
Mon Sep 13 11:02:46 2004 : Debug: rlm_realm: Authentication realm is LOCAL.
Mon Sep 13 11:02:46 2004 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Mon Sep 13 11:02:46 2004 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Mon Sep 13 11:02:46 2004 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Mon Sep 13 11:02:46 2004 : Debug: rlm_eap: No EAP-Message, not doing EAP
Mon Sep 13 11:02:46 2004 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Mon Sep 13 11:02:46 2004 : Debug: modcall[authorize]: module "eap" returns noop for request 0
Mon Sep 13 11:02:46 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Mon Sep 13 11:02:46 2004 : Debug: users: Matched DEFAULT at 142
Mon Sep 13 11:02:46 2004 : Debug: users: Matched DEFAULT at 545
Mon Sep 13 11:02:46 2004 : Debug: users: Matched DEFAULT at 552
Mon Sep 13 11:02:46 2004 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Mon Sep 13 11:02:46 2004 : Debug: modcall[authorize]: module "files" returns ok for request 0
Mon Sep 13 11:02:46 2004 : Debug: modcall: group authorize returns ok for request 0
Mon Sep 13 11:02:46 2004 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Mon Sep 13 11:02:46 2004 : Debug: auth: Failed to validate the user.
Mon Sep 13 11:02:46 2004 : Auth: Login incorrect: [test/test321] (from client flyer port 1 cli 2318325965)
Mon Sep 13 11:02:46 2004 : Debug: Delaying request 0 for 1 seconds
Mon Sep 13 11:02:46 2004 : Debug: Finished request 0
Mon Sep 13 11:02:46 2004 : Debug: Going to the next request

---------- Forwarded message ----------
From: Alan DeKok <[EMAIL PROTECTED]>
Date: Sat, 11 Sep 2004 09:21:56 -0400
Subject: Re: CHAP & PAP
To: William <[EMAIL PROTECTED]>

William <[EMAIL PROTECTED]> wrote:
> Fri Sep 10 17:04:54 2004 : Auth: rlm_unix: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".

Please read the FAQ.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

---------- End of message ----------

--
·William Ragsdale              ·http://www.netonecom.net
·Server Administrator          ·Office Hours
·NetOne Communications, Inc.   ·Work: 231-734-2917 10AM - 7PM
·2186 US 10                    ·FAX: 231-734-6395
·Sears, MI 49679
CHAP & PAP
Greetings,

I have a problem with FR1.0.0 and chap/pap.

Knowns:
FreeBSD 4.7-RELEASE
FreeRadius 1.0.0 (downloaded today, not CVS)
National dialup provider sending both PAP & CHAP requests.

Problem:
I have 2 types of authentication... those in the users file (for chap and local pap when attributes have to be returned) and those in the unix password file. The problem I am having is when the national provider sends a CHAP password. It generates the following error:

Fri Sep 10 17:04:54 2004 : Auth: rlm_unix: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".

Debug output:

rad_recv: Access-Request packet from host 216.126.204.150:32813, id=67, length=136
        NAS-IP-Address = 63.152.3.17
        User-Name = "[EMAIL PROTECTED]"
        CHAP-Password = 0x01e954782973979c56336c6a5df5bf4ebc
        Called-Station-Id = "9069840005"
        Calling-Station-Id = "9066438271"
        NAS-Port = 13677
        NAS-Port-Type = Async
        Framed-Protocol = PPP
        Service-Type = Framed-User
        X-Ascend-PreSession-Time = 38
        X-Ascend-Xmit-Rate = 50667
        X-Ascend-Data-Rate = 24000
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
users: Matched DEFAULT at 527
users: Matched DEFAULT at 546
users: Matched DEFAULT at 553
modcall[authorize]: module "files" returns ok for request 2
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: Looking up realm "netonecom.net" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "netonecom.net"
rlm_realm: Adding Stripped-User-Name = "tstandrew"
rlm_realm: Proxying request from user tstandrew to realm netonecom.net
rlm_realm: Adding Realm = "netonecom.net"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 2
modcall: group authorize returns ok for request 2
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 2
rlm_chap: login attempt by "tstandrew" with CHAP password
rlm_chap: Could not find clear text password for user tstandrew
modcall[authenticate]: module "chap" returns invalid for request 2
modcall: group Auth-Type returns invalid for request 2
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [EMAIL PROTECTED]/] (from client ikano port 13677 cli 9066438271)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request

This is on a live server (emergency repair! old files and 3 sets of backups toast), any help would be appreciated!

--
·William Ragsdale              ·http://www.netonecom.net
·Server Administrator          ·Office Hours
·NetOne Communications, Inc.   ·Work: 231-734-2917 10AM - 7PM
·2186 US 10                    ·FAX: 231-734-6395
·Sears, MI 49679
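The two traces in this thread show the same server failing in two different ways: the PAP request for "test" carries a User-Password but no Auth-Type was set, while the CHAP request for "tstandrew" gets as far as rlm_chap and stops at "Could not find clear text password". The second failure is a property of the protocol, not a configuration slip: a CHAP response is an MD5 over the cleartext secret, so a server holding only crypt()-style hashes (what rlm_unix reads) has nothing to recompute it from, which is why the FAQ answer Alan points to amounts to "CHAP users need a cleartext password on the server". The following Python is an added illustration of that asymmetry; it is not code from the thread or from FreeRADIUS. The user name, password, CHAP identifier, challenge and salted hash are constructed sample values, and sha256 stands in for the crypt(3) hash a unix password file would hold.

```python
"""Why CHAP needs a cleartext password on the RADIUS server, while PAP does not.

Added illustration; not code from the mailing-list thread or from FreeRADIUS.
All sample values below are constructed.
"""
import hashlib
import hmac
from typing import Optional

# Constructed sample values (not taken from the thread's debug output).
USER = "tstandrew"
CLEARTEXT = b"s3cret-pw"
CHAP_ID = 0x01
# RFC 2865 s.5.3: the challenge is the CHAP-Challenge attribute, or, if the
# NAS sends none (as in the trace above), the Request Authenticator.
CHAP_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

# What a unix-style password file can hold: a salted one-way hash only.
# sha256 is a stand-in for crypt(3); the cleartext is never stored.
SALT = b"constructed-salt"
UNIX_HASH = hashlib.sha256(SALT + CLEARTEXT).hexdigest()


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 s.4.1: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_password_attribute(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2865 s.5.3: CHAP-Password = 1-octet CHAP Ident + 16-octet Response.

    This is the 17-octet value the NAS puts in the Access-Request; the
    0x01e954... attribute in the thread has exactly this shape.
    """
    return bytes([ident]) + chap_response(ident, secret, challenge)


def verify_chap(chap_password: bytes, challenge: bytes,
                cleartext: Optional[bytes]) -> bool:
    """Server-side CHAP check.

    The server must recompute the MD5 over the cleartext secret. When it only
    has a hash of the password (cleartext is None) there is nothing to hash
    over, so verification is impossible: this is rlm_chap's "Clear text
    password not available".
    """
    if cleartext is None or len(chap_password) != 17:
        return False
    ident = chap_password[0]
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def verify_pap(user_password: bytes, stored_hash: str, salt: bytes) -> bool:
    """Server-side PAP check.

    PAP delivers the cleartext itself in User-Password (hidden on the wire
    with the shared secret per RFC 2865 s.5.2; radiusd -X prints it decoded,
    as in the "test321" trace), so the server can hash it and compare against
    the stored one-way hash. That is all rlm_unix needs.
    """
    candidate = hashlib.sha256(salt + user_password).hexdigest()
    return hmac.compare_digest(candidate, stored_hash)


def demo() -> dict:
    """Run both checks against the constructed credentials."""
    attr = chap_password_attribute(CHAP_ID, CLEARTEXT, CHAP_CHALLENGE)
    return {
        "chap_attr_len": len(attr),                                   # 17
        "chap_with_cleartext": verify_chap(attr, CHAP_CHALLENGE, CLEARTEXT),
        "chap_with_hash_only": verify_chap(attr, CHAP_CHALLENGE, None),
        "chap_wrong_password": verify_chap(attr, CHAP_CHALLENGE, b"wrong"),
        "pap_against_hash": verify_pap(CLEARTEXT, UNIX_HASH, SALT),
        "pap_wrong_password": verify_pap(b"wrong", UNIX_HASH, SALT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows PAP succeeding against the hash-only store and CHAP succeeding only when the cleartext is supplied; the CHAP check against the hash-only store fails for the same structural reason the trace does. The practical consequence for a deployment like the one described (a national provider sending both PAP and CHAP) is that any account that must answer CHAP has to be stored where the server can read the cleartext, such as the users file, while PAP-only accounts can stay in the unix password file.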
Need a way to limit users to X number of hours per month.
Greetings,

I need a way to limit a user to X hours per month (I can convert to seconds if needed). I currently have Freeradius 0.8. Could someone help, or point me to a step by step guide on how to do this? These resources would need to be on the web, or via email; I don't have the free resources to purchase the radius book (as soon as I do I will!).

--
·William
Re[2]: pam-radius ?
Greetings,

I think you have what I need backwards. I need pam to authenticate against an external freeradius server.

On Mon, 1 Mar 2004 11:09:40 -0500 (EST)
Sean O'Malley <[EMAIL PROTECTED]> wrote:

> IIRC (I had this set up and working but we had to opt for a different
> solution and I don't have a working configuration to use.)
>
> In your radiusd.conf
> you need the pam section uncommented
>     the pam_auth = radiusd
>                    ^
>     this part needs to match up with your systems /etc/pam.d stuff
> like linux you need to create a radiusd file in /etc/pam.d/
> or on solaris in the /etc/pam.conf you need to add entries beginning with
> "radiusd" or it could be the "radius" in the users section. (I had them
> linked to each other which is probably bad =)
>
> in your "users" file you need:
>
> DEFAULT Auth-Type := Pam
>         pam-auth="radius",
>         Fall-Through = Yes
>
> > Greetings,
> > I need some help with pam-radius and freeradius. I have a server that I
> > need to do radius Auth from for access to certain programs. I tried
> > setting up pam-radius like the instructions state, but it keeps telling me
> > that the radius server has not been specified. I put the configuration
> > file where the instructions tell me to (/etc/raddb/server/pam.conf and
> > pam_radius_auth.conf) as well as trying some of the alternate locations
> > (/usr/local/etc) and it still doesn't detect it. Could someone point me to
> > the right location for this file?
> > Thank you in advance.
> >
> > --
> > ·William Ragsdale ·http://www.netonecom.net

--
·William Ragsdale              ·http://www.netonecom.net
·Server Administrator          ·Office Hours
·NetOne Communications, Inc.   ·Work: 231-734-2917 10AM - 7PM
·2186 US 10                    ·FAX: 231-734-6395
·Sears, MI 49679
pam-radius ?
Greetings,

I need some help with pam-radius and freeradius. I have a server that I need to do radius Auth from for access to certain programs. I tried setting up pam-radius like the instructions state, but it keeps telling me that the radius server has not been specified. I put the configuration file where the instructions tell me to (/etc/raddb/server/pam.conf and pam_radius_auth.conf) as well as trying some of the alternate locations (/usr/local/etc) and it still doesn't detect it. Could someone point me to the right location for this file?

Thank you in advance.

--
·William Ragsdale ·http://www.netonecom.net