Re: Termination when there is no traffic

2006-04-06 Thread Zoltan A. Ori
On Thursday 06 April 2006 04:29, Johnny wrote:

  I do not know which parameter I have to change so
 that connections won't be terminated automatically anymore. 

That's a function of the NAS and/or the user's PC. Read NAS docs on session 
timeout value.

Zoltan Ori

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Can Juniper router or firewall configured on Free radius

2006-04-06 Thread Zoltan A. Ori
On Thursday 06 April 2006 06:56, Venu Gopal wrote:
 Hi All,

 Any one can help me juniper equipments are configured
 on free radius? If so please help me out the server
 side configuration of users on Redhat. If there are
 any referral web links please do let me know.
 A quick response in this regard would be highly
 appreciated.

Google 'Juniper radius configuration' or read the 'help topic system 
radius-server' from the router cli. Juniper specific attributes are listed 
there.

On Juniper router:

[edit system]
radius-server server-address {
    port number;
    secret password;
    retry number;
    timeout seconds;
}

On freeRADIUS make entries for the router as you would for any NAS in 
clients.conf and user using any of the applicable attributes.

Zoltan Ori




Re: NAS MAC Address Attribute

2006-03-11 Thread Zoltan A. Ori
On Friday 10 March 2006 22:25, Alex M wrote:
 Hi

 Is the attribute for NAS MAC address NAS-Identifier?


Examine what your NAS sends, read the NAS docs.  My devices send the NAS MAC 
address as Called-Station-Id. Yours may be different or not send it at all.

Zoltan Ori



Re: rlm_eap_tls not found

2006-01-14 Thread Zoltan A. Ori
On Saturday 14 January 2006 15:22, Mathieu Clément wrote:

 rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared
 object file: No such file or directory
 radiusd.conf[9]: eap: Module instantiation failed.
 ..
# peap {
#  The tunneled EAP session needs a default
#  EAP type which is separate from the one for
#  the non-tunneled EAP module.  Inside of the
#  PEAP tunnel, we recommend using MS-CHAPv2,
#  as that is the default type supported by
#  Windows clients.
default_eap_type = mschapv2
#}

 
 

Check what you have commented out or left uncommented.

Zoltan Ori
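
A heuristic check for the situation in the quoted eap.conf, as an added Python example (not from the original post or the FreeRADIUS distribution): it flags active directives left between commented-out section braces and reports which enclosing section they now fall into. The sample fragment and the function name are constructed for illustration.

```python
import re

# Constructed fragment mirroring the layout quoted above: the "peap" braces are
# commented out, but one directive between them is still active.
SAMPLE_EAP_CONF = """\
eap {
\tdefault_eap_type = md5
#\tpeap {
#\t\tThe tunneled EAP session needs a default
#\t\tEAP type which is separate from the one for
\t\tdefault_eap_type = mschapv2
#\t}
\tmschapv2 {
\t}
}
"""

# Group 1 is "#" when the brace line is commented out, "" when it is active.
OPEN = re.compile(r"^\s*(#?)\s*([\w-]+)\s*\{\s*$")
CLOSE = re.compile(r"^\s*(#?)\s*\}\s*$")


def stray_directives(text):
    """Return active lines that sit inside a section whose braces are commented out.

    Heuristic: a commented "name {" starts a disabled section and the next
    commented "}" ends it. Active braces are tracked separately so each finding
    can name the section the stray line really belongs to now.
    """
    findings, active, disabled = [], [], None
    for number, line in enumerate(text.splitlines(), start=1):
        opened, closed = OPEN.match(line), CLOSE.match(line)
        if opened and opened.group(1):
            disabled = opened.group(2)          # "# peap {"
        elif closed and closed.group(1):
            disabled = None                     # "# }"
        elif opened:
            active.append(opened.group(2))      # "eap {"
        elif closed:
            if active:
                active.pop()                    # "}"
        elif disabled and line.strip() and not line.lstrip().startswith("#"):
            findings.append({
                "line": number,
                "disabled_section": disabled,
                "lands_in": active[-1] if active else None,
                "text": line.strip(),
            })
    return findings


if __name__ == "__main__":
    for f in stray_directives(SAMPLE_EAP_CONF):
        print("line %(line)d: '%(text)s' was meant for '%(disabled_section)s' "
              "but is parsed as part of '%(lands_in)s'" % f)
```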




Re: FreeRadius and Openldap authentication

2006-01-02 Thread Zoltan A. Ori
On Monday 02 January 2006 05:46, [EMAIL PROTECTED] wrote:

 Here is my problem:

 When I start the radtest binary:

   radtest test supersecret localhost 2 testing123


   rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=45,
 length=20


You have set your server to do EAP. radtest does not do EAP; use radeapclient 
for testing.


 Here is the log on the radius server (Started with radiusd -X):


 rlm_ldap: looking for reply items in directory...
 rlm_ldap: Adding radiusFilterId as Filter-Id, value
 Enterasys:version=1:policy=Enterprise User  op=11
 rlm_ldap: user test authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 3
 modcall: group authorize returns ok for request 3

LDAP seems to be working.


 The RADIUS users file:

 DEFAULT Auth-Type := EAP
 Fall-Through = 1
 #   Reply-Message = LDAP




Don't set Auth-Type in the users file. Let the server figure it out.

 I would be grateful if you had a how-to or tutorial on how to build a
 easy and working 802.x authentication with a Radius/LDAP system.

Documentation and how-tos are available in your source doc directory, 
www.freeradius.org and wiki.freeradius.org.

Zoltan Ori



Re: FreeRADIUS with PEAP problems

2006-01-02 Thread Zoltan A. Ori
On Monday 02 January 2006 06:32, Alhagie Puye wrote:

 rlm_eap: Loaded and initialized type tls
 rlm_eap: No such sub-type for default EAP type peap
 Bus error (core dumped)
 bash-2.05b#


Do you have 

peap {
default_eap_type = mschapv2
}

in your eap.conf?


Zoltan Ori



Re: FreeRADIUS with PEAP problems

2006-01-02 Thread Zoltan A. Ori
On Monday 02 January 2006 07:34, Alhagie Puye wrote:
  Do you have
  
   peap {
   default_eap_type = mschapv2
   }
  
  in your eap.conf?

 Yes, I do.

And, was MSCHAP instantiated? 

A complete debug output might help since the problem may begin elsewhere and 
only manifest itself as an error when dependencies are required.

Zoltan Ori




Re: FreeRADIUS with PEAP problems

2006-01-02 Thread Zoltan A. Ori
On Monday 02 January 2006 07:34, Alhagie Puye wrote:
 rlm_eap: No such sub-type for default EAP type peap
 Bus error (core dumped)
 bash-2.05b#

I take it all back. It shouldn't have dumped core. I looked right over that.

Zoltan Ori



Re: FreeRadius +TLS (base on openssl)

2005-12-31 Thread Zoltan A. Ori
On Saturday 31 December 2005 17:29, Bustamante David wrote:
 Apologies, I am on vacation at the moment and will not be able to reply to
 messages.

 David

Can someone unsubscribe him? He's auto-responding to his own auto-responses.





Re: XP auth + PEAP

2005-12-06 Thread Zoltan A. Ori

On Tuesday 06 December 2005 04:10, debik wrote:
 The problem is that I connect to the network but I don't see the network.
 I can't ping any hosts. 

And what have you done to troubleshoot your connection?

You must check your network. If the supplicant connects as you say, then 
either the network information you've given it is unusable or the NAS is not 
forwarding traffic. Everything will do what you tell it to do. It's basic 
network stuff and not for the FreeRADIUS mailing list. 

When connected, check your supplicant (Windows XP SP2, this is *not* the 
client). Look at the detailed status of the connection. Is the address, 
subnet mask, gateway usable on your network?

Check the NAS (*this* is the client, not your Windows PC). Is it in agreement 
that the supplicant is authenticated and ready to forward traffic?

Those are questions to ask yourself and check. We don't need to know the 
answers. You do. There is nothing anyone on this list can do to help you if 
all you can give are vague, general statements of your problem.






Re: WLAN 802.1x FreeRadius with LDAP

2005-11-27 Thread Zoltan A. Ori
On Sunday 27 November 2005 06:52, Christian Poessinger wrote:

 Yes, I'm trying to use PEAP, I have configured MS-CHAPv1 as described
 in many Howtos.


MS-CHAP V2 is in the Howtos of PEAP that I have read. In any case, there is no 
mschap info in the tunnel which is indicated in the error message:

  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.

The error messages in FreeRADIUS are very informative and always right on the 
money in the cases I've experienced.

At this point, I would check to see what my supplicant was configured to send 
and then check my eap.conf to make sure that RADIUS was configured to receive 
it.





Re: WLAN 802.1x FreeRadius with LDAP

2005-11-26 Thread Zoltan A. Ori
On Saturday 26 November 2005 08:50, Christian Poessinger wrote:

   rlm_eap_peap: Session established.  Decoding tunneled attributes.
   rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal access_denied
 TLS Alert read:fatal:access denied
 rlm_eap_peap: No data inside of the tunnel.
  rlm_eap: Handler failed in EAP/peap
   rlm_eap: Failed in EAP select
   modcall[authenticate]: module eap returns invalid for request 5
 modcall: group authenticate returns invalid for request 5
 auth: Failed to validate the user.

The lines just before the reject hold the clue.

Zoltan Ori




Re: WLAN 802.1x FreeRadius with LDAP

2005-11-26 Thread Zoltan A. Ori
On Saturday 26 November 2005 12:27, Christian Poessinger wrote:
 Zoltan A. Ori wrote:
  On Saturday 26 November 2005 08:50, Christian Poessinger wrote:
rlm_eap_peap: Session established.  Decoding tunneled attributes.
rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal access_denied
  TLS Alert read:fatal:access denied
  rlm_eap_peap: No data inside of the tunnel.
   rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 5
  modcall: group authenticate returns invalid for request 5
  auth: Failed to validate the user.
 
  The lines just before the reject hold the clue.
 
  Zoltan Ori

 What to do? I'm running the latest version out of the FreeBSD portage tree.
 I can't find anything on google.


I'm not an expert and am often wrong, but I don't think FreeRADIUS is the 
problem here.  Everything is working up to that point. Does it break at the 
same place every time? Double check the NAS and supplicant configurations.



Re: WLAN 802.1x FreeRadius with LDAP

2005-11-26 Thread Zoltan A. Ori
On Saturday 26 November 2005 13:58, Christian Poessinger wrote:
 Zoltan A. Ori wrote:
  I'm not an expert and am often wrong, but I don't think FreeRADIUS is
  the problem here.  Everything is working up to that point. Does it
  break at the same place every time? Double check the NAS and
  supplicant configurations.
 

 I triple-checked the configs and found nothing. As I said, radtest works
 fine. It's this EAP thing.


Are you trying to use PEAP/MSCHAP-V2? I don't see any mschapv2 in your logs.



Re: freeradius WPA Problem

2005-11-23 Thread Zoltan A. Ori
On Wednesday 23 November 2005 07:58, Patrice PAPOT wrote:
 
 I have configured freeradius with WPA support using suse
  Using Windows Mobile 2003 machine I could successfully authenticate.

 The problem is that it takes nearly 5-6 minutes to authenticate.

 Can anyone suggest me how to reduce the authentication time?


Which part of the authentication process is slow? Getting the username/
password prompt or connection after entering them? Both of these are delays 
you will see with Windows Mobile and neither has anything to do with 
FreeRADIUS. Your logs should show that the actual authentication happens in a 
matter of seconds or less unless your backend database is slow or you have a 
configuration issue. Check your logs and run in debug mode if you suspect a 
problem. 

Getting the prompt can be sped up by removing all but the essential profiles 
for your PDA's wireless networks and setting to connect to APs only. If your 
AP SSID is not broadcast, WM will have difficulty with it no matter what you 
do but is successful if you are patient. Usually, after a successful 
connection, subsequent connections are quite snappy and don't require 
username and password entry as it will be cached.

Connection after entering the user information is often slowed by the  
acquiring of the network address and doing all the NetBIOS announcements and 
registrations (whether you care about NetBIOS or not, it does it). 

Long delays or failures may occur if you are on the fringe of the reception 
area or there is interference from other APs and Ad-Hoc networks on the same 
or adjacent channel. Obstructions like walls, metal file cabinets, bodies, 
etc., must also be considered. 

Zoltan Ori



Re: parsing detail files myself

2005-11-22 Thread Zoltan A. Ori
On Tuesday 22 November 2005 20:59, Ming-Ching Tiew wrote:

 My observations :-

 1. The number of attributes in a record ( ie the number of lines in a
 record ) is not consistent. I have skipped those Cisco-AVPair in the
 files, and this is the stats :-

Why skip anything? It will only confuse you and anyone else you show it to.


  acount=25, value=0
  acount=26, value=0
  acount=27, value=0
  acount=28, value=0
  acount=29, value=14
  acount=30, value=16
  acount=31, value=7290
  acount=32, value=6724
  acount=33, value=0
  acount=34, value=0
  acount=35, value=0

 In other words, in my detail file, there are 14 records which have 29
 attributes, 16 records with 30 attributes, 7290 records which have 31
 attributes and 6724 records with 32 attributes. Question is why don't
 they have the same number of attributes ?


Why should they? 


 2. Not only that, the occurrences of the attributes are not consistent
 either :-


 Take for example, why Cisco NAS port has such low occurrences
 in the detail file ? Similarly why h323-remote-address has such
 low occurrences ?

 Is it a Cisco thingy or  free radius did not parse what Cisco sent
 correctly ?


FreeRADIUS will log what it is sent and what you tell it to.
 
You have 7849 records that have session-protocol and h323-remote-address in 
common. There are 6194 records with NAS-Port, NAS-Port-Type and 
Cisco-NAS-Port. 7849+6194 = 14043. The attributes that have that count 
(14043) are common to both types of records.

There are 30 records that have no User-Name ( 14 + 16 = your shortest 
records?).

I don't know why you have so many timestamps. 

If you are going to parse the detail files you should examine them with your 
eyes first to see what is being sent. How are Start records different from 
Stop? What type of record has gw-final-xlated-cdn? Then you will know that 
Apples + Oranges != Brie.

Zoltan Ori
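
The grouping done by hand in the reply above, as an added Python example (not part of the original post or of FreeRADIUS): it parses a detail file into records, keeps repeated attributes such as Cisco-AVPair, and profiles the records by Acct-Status-Type so that differing attribute counts can be traced to differing record kinds. The sample records and the function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in the detail layout: unindented timestamp header,
# tab-indented "Name = value" lines, blank line between records.
SAMPLE = """\
Tue Nov 22 20:59:01 2005
\tUser-Name = "2001"
\tAcct-Status-Type = Start
\tNAS-IP-Address = 192.0.2.10
\th323-remote-address = "192.0.2.50"
\tsession-protocol = "sipv2"

Tue Nov 22 20:59:02 2005
\tUser-Name = "2001"
\tAcct-Status-Type = Start
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 12
\tCisco-NAS-Port = "ISDN 0:D:12"

Tue Nov 22 21:03:40 2005
\tUser-Name = "2001"
\tAcct-Status-Type = Stop
\tNAS-IP-Address = 192.0.2.10
\th323-remote-address = "192.0.2.50"
\tsession-protocol = "sipv2"
\tCisco-AVPair = "h323-call-origin=answer"
\tCisco-AVPair = "h323-call-type=VoIP"

Tue Nov 22 21:03:41 2005
\tAcct-Status-Type = Stop
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 12
\tCisco-NAS-Port = "ISDN 0:D:12"
"""


def parse_detail(text):
    """Return a list of records; every attribute is kept, repeats included."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                # blank line closes the record
            current = None
        elif not line[0].isspace():         # unindented line is the timestamp header
            current = {"header": line.strip(), "attrs": []}
            records.append(current)
        elif current is not None:
            # Split on the first " = " only: values may contain "=" themselves.
            name, sep, value = line.strip().partition(" = ")
            if sep:
                current["attrs"].append((name, value.strip('"')))
    return records


def first(record, name, default="(none)"):
    """First value of an attribute in a record, or a default if it is absent."""
    for attr, value in record["attrs"]:
        if attr == name:
            return value
    return default


def profile(records):
    """Per Acct-Status-Type: record count, attribute-count histogram, presence counts."""
    out = defaultdict(lambda: {"records": 0, "sizes": Counter(), "present": Counter()})
    for rec in records:
        kind = out[first(rec, "Acct-Status-Type")]
        kind["records"] += 1
        kind["sizes"][len(rec["attrs"])] += 1
        kind["present"].update({name for name, _ in rec["attrs"]})
    return dict(out)


def optional_attributes(records):
    """Attributes missing from at least one record, with the number of records that have them."""
    seen = Counter()
    for rec in records:
        seen.update({name for name, _ in rec["attrs"]})
    return {name: n for name, n in seen.items() if n < len(records)}
```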




Re: Intel PEAP client Roaming Identity

2005-09-15 Thread Zoltan A. Ori
On Thursday 15 September 2005 12:25, Ben Thompson wrote:
 Hi

 We have a 802.1x/PEAP wireless network using freeRADIUS 1.0.1 on RedHat
 AS 4. It is important for us to know who is using the network at any
 given time so the accounting logs are very useful to us. The other day
 someone came along with a laptop using an Intel wireless adapter and
 client software. In the configuration settings for this program there
 was a place to enter a username and password for PEAP authentication and
 there was also a field named Roaming Identity which as default was set
 to [EMAIL PROTECTED]. The client connected up fine, but when I
 checked the RADIUS accounting logs I noticed that the username for that
 client was listed as [EMAIL PROTECTED] instead of the one I expected.
 After a bit of googling I found this link on the Dell website which
 describes that the roaming identity is only required for MS RADIUS
 servers :-
 http://support.dell.com/support/edocs/network/P72721/en/UtilAdv.htm
 Could anyone advise me whether it is possible to configure my server so
 that the actual username used gets logged in the accounting records
 instead of this roaming identity string?


I couldn't think of a good way to deal with this on our site. I ended up 
putting the roaming identity in the users files to reject it. The owner of 
the device has to reconfigure their supplicant to fix the roaming identity. 
This can probably be handled a bit more elegantly and user friendly in 
radiusd.conf but I haven't really had time to work on it.

Zoltan



Re: Pb with EAP/MD5

2005-08-08 Thread Zoltan A. Ori
On Monday 08 August 2005 03:54, Rafael DiazMaurin wrote:
 Hello,
 Can someone help me?
 I use : freeradius 1.0.4, and a switch CISCO 2950

 I'm trying to configure EAP/MD5, but the client can't show the window of
 login/password, it's connected to the network without asking for the
 login/password, and the freeradius daemon is still :
 Listening on authentication *:1812
 Listening on accounting *:1813
 Ready to process requests.
 A part of the log of the freeradius :
 Module: Loaded eap
  eap: default_eap_type = md5
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = yes
  eap: cisco_accounting_username_bug = no
 rlm_eap: Loaded and initialized type md5
 Module: Instantiated eap (eap)


The Cisco 2950 is the client (or NAS). Is it configured?

XP is the supplicant. If the Cisco 2950 (client) doesn't require login, then 
the supplicant will simply connect without any authentication dialog. 


 The local tests are ok !


Then the server is probably working just fine.


 Here is the configurations I tested :
 raddb/users :
 test    Auth-Type := EAP, User-Password == test
         Service-Type = Framed-User


Don't set the Auth-Type in users file.

 On the client (windows XP sp2) I configure the 802.1x properties on Type
 EAP : MD5-Challenge

That is the supplicant. Now, configure the client.

Zoltan



Re: rewriting the User-Name attr

2005-08-05 Thread Zoltan A. Ori

 My problem is now that I want to change the User-Name attr for students
 only, to [EMAIL PROTECTED] before proxying it to the other radius
 server.



 attr_rewrite studenti {
 attribute = User-Name
 # may be packet, reply, proxy, proxy_reply or config
 searchin = proxy
 searchfor = \(*\\.*\)
 replacewith = [EMAIL PROTECTED]
 ignore_case = no
 new_attribute = no
 max_matches = 10
 append = no
 }

 Can you address me in the right direction?

Read doc/variables.txt.  

Use %{0} instead of $1 if the students enter their username as name.surname

Zoltan



Re: Problems authenticating and assigning DHCP addresses

2005-07-09 Thread Zoltan A. Ori
On Saturday 09 July 2005 16:45, [EMAIL PROTECTED] wrote:

 My first question is:

   How do I tie all of this together with a DHCPd server, so that they
   authenticated clients can be assigned an IP address.  I am using
   VLAN tunnel attributes so that, when DHCP support /is/ implemented, I
   can assign different IP addresses with different access privileges.

   How can I implement a DHCPd server into my configuration?


Since you are using VLANs and want different IP ranges for different access 
privileges, I would suggest you use Q-Trunks if your network equipment 
permits. Build a DHCP scope for each VLAN address range, then assign the 
gateway and helper address to each virtual interface of the trunks on your 
router. This has nothing to do with RADIUS and should be covered in your 
router, switch and access point manuals. 

Zoltan Ori



Re: Problems authenticating and assigning DHCP addresses

2005-07-09 Thread Zoltan A. Ori
On Saturday 09 July 2005 18:36, [EMAIL PROTECTED] wrote:

 We currently do dot-Q trunking of VLANS, and my testing AP has been setup
 to support the configuration.  Let me know if you are referring to
 something else.


That is what I meant.


 I was under the impression that if my TCP/IP stack was setup for DHCP,
 and I received an Access-Accept packet from FreeRadius, that my supplicant
 would go out and request an IP address.  Is this not correct?  It is not
 working for me.

It should work that way. Is the DHCP request getting relayed properly? tcpdump 
or Ethereal will tell you.


 In addition, I also am wondering why I can only use Attribute=Password
 for successful authentication, and not Attribute=Crypt-Password. 
 Crypt-Password works fine when tested through radtest.


As far as I know, PEAP doesn't support crypt passwords. Try TTLS. 

Zoltan Ori



Re: Authenticate/Attributes based on NAS-IP-Address

2005-06-08 Thread Zoltan A. Ori

On Wednesday 08 June 2005 15:54, N White wrote:
 That link doesn't give me anything. Page Not Found. I've done a lot of
 searching through the archives though and haven't really found anything
 like this.

 -Nick

 Mike Lampson wrote:
 Nick,
 
 
 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg16842
 .html
 

Pay attention to details. Take note that the link wraps. You can't just 
blindly click it. You'll have to enter the .html manually. The link is good. 



Re: Freeradius and mschapv2

2005-05-21 Thread Zoltan A. Ori
On Saturday 21 May 2005 08:11, Jonathan Delizy wrote:
 Hi everyone,

 I've just installed FreeRadius on my server. I need to authenticate
 clients by using MSCHAPv2. I've followed this howto:
 http://www.tldp.org/HOWTO/8021X-HOWTO/freeradius.html
 But, when I run radiusd -X, it says that it need a certificate. I use
 MSCHAPv2 as I don't want to have to distribute certificates to clients
 so, why Freeradius ask me a certificate and how can I solve the problem?


Read the whole HOWTO. You may be using MSCHAPv2 but it is in conjunction with 
EAP. Start with http://www.tldp.org/HOWTO/8021X-HOWTO/intro.html and read 
each page.

Zoltan Ori




Re: running external script in FreeRadius

2005-01-21 Thread Zoltan A. Ori
On Thursday 20 January 2005 19:15, Schoggins, George wrote:
 Could someone give me an example of the exec and how it is configured to
 run.


See the 'exec-program-wait' script in your freeradius source. It has examples 
of use and quick explanation. 

Zoltan




Re: running external script in FreeRadius

2005-01-21 Thread Zoltan A. Ori
On Friday 21 January 2005 05:52, Zoltan A. Ori wrote:
 On Thursday 20 January 2005 19:15, Schoggins, George wrote:
  Could someone give me an example of the exec and how it is configured to
  run.

 See the 'exec-program-wait' script in your freeradius source. It has
 examples of use and quick explanation.

 Zoltan


Sorry! That is not what you asked but what I inferred that you wanted based on 
your previous posts.







Re: Permission denied on certificate-files

2005-01-13 Thread Zoltan A. Ori
On Thursday 13 January 2005 06:39, Hedenborg Thomas wrote:
 Does somebody have a clue to why I get permission denied when trying to
 open the cacert.pem file? See the file-permissions below.

 ls -la cacert.pem

 -rw-r- 1 root radiusd 1346 Oct 5 02:14 cacert.


try -rw-r--r-- instead.

Zoltan




Re: Configure 802.1x on Mac OS X

2004-12-30 Thread Zoltan A. Ori


 Anyone plz help me. I don't know how to configure 802.1x on Mac OS X. I
 already update the latest airport 4.0 but still cannot authenticate.
 Windows XP  2000 can but not Mac OS X.



 TQ

Try google 'mac osx 802.1x' 

https://onlineservices.artic.edu/guides/public/wireless/configure.shtml

http://www.utdallas.edu/ir/cats/network/wlan/8021x/panther/





Re: Authorizing user to assign a particular VLAN

2004-12-23 Thread Zoltan A. Ori
On Thursday 23 December 2004 12:41, Cool Man wrote:
 Hi all,

 I have successfully setup freeradius (version 1.0.1) authentication. Now at
 the second step I want to limit the user activities in my network. In other
 words I want to authorize the users. Depending upon their authorization
 level I want to assign them a different VLAN.

 Now my question is how can I define the authorization levels in Freeradius
 server. Moreover, how can I establish which Authorization level will be
 assigned to  which VLAN.

How you define authorization levels is determined by you and the users 
database you have to work with. The method for assigning a VLAN is dependent 
on how you have defined the levels, your NAS configuration and what the NAS 
will accept from RADIUS (ie, Tunnel-Type, Filter-ID, etc). You will want to 
read up on users, possibly huntgroups and other docs, and the manual for 
your NAS then decide what is appropriate for your situation.

Zoltan Ori






Re: WRT54G and Freeradius

2004-12-04 Thread Zoltan A. Ori
On Saturday 04 December 2004 13:19, Panagiotis Mavros wrote:
 Hi
 I want to configure freeradius and Linksys WRT54G . I want EAP-MD5
 authentication but as far as I have seen this AP has WPA
 authentication(WPA/Radius). 

EAP-MD5 is not offered for wireless ports on any equipment of which I am 
aware. Your supplicant will probably not give you the option either. You may 
use it for wired ports, though probably not on your Linksys.

 It seems to me very strange that I can't use
 EAP so do i miss something? Can i use freeradius with WPA-AES or WPA_TKIP?

Yes, you've missed something. Read the documentation of the AP and freeradius. 
Freeradius works fine for this and will most likely work immediately upon 
install after only some very small configuration.

Whether you use WPA AES or TKIP is between your AP and supplicant. Radius 
doesn't care about that.

Zoltan Ori




Re: WRT54G and Freeradius

2004-12-04 Thread Zoltan A. Ori
On Saturday 04 December 2004 14:33, Panagiotis Mavros wrote:

 AP and freeradius use EAP over Radius when i configure the AP to use
 WPA-Radius authentication ?I dont get it.

Check the documentation on the AP to be sure, but that's usually the way it 
is.

 I have windows XP as client , WRT54G as AP and freeradius as AAA server. I
 want to use 8021X authentication with EAP. The AP gives me WAP-radius with
 TKIP or AES. XP client  supports WPA. What about freeradius?What
 authentication scheme must i use in radius conf? EAP?
 Sorry to bother you but I am very confused

You will use EAP-TLS, MSCHAP, PEAP and MSCHAPv2 in the radiusd.conf, WPA TKIP 
(or AES) on the AP, and WPA TKIP (or AES) along with PEAP and MSCHAPv2 on the 
XP supplicant.

This link is on freeradius.org. It explains it much better than I am able. The 
supplicant is linux but everything works the same.

http://tldp.org/HOWTO/8021X-HOWTO/index.html

Regards,
Zoltan




Re: An Enterasys - Freeradius Question Again

2004-06-09 Thread Zoltan A. Ori
On Wednesday 09 June 2004 04:41, Manuel Stadelmann wrote:
 We played with the Enterasys E1 Switch and Freeradius to get 802.1x to
 work.



The latest firmware should be installed. Enable eapol on the switch and for 
each port you must set the auth-mode.

set eapol enable
set eapol auth-mode auto fe.0.x

Uplink ports must be forced so that you won't block the switch from the rest 
of the network.

set eapol auth-mode forced-authorized gi.1.x


 We tried diffrent Auth-Types (Local, EAP, CHAP) but none of them worked.
 When a user has Auth-Type = Local and the password matches, the
 Radius-Server returns an authentication success message back to the
 switch, but the switch refuses login anyway.

I suppose, that the switch doesn't like the answer of the radius server 
with the successful authentication in the Auth-Type = Local-case.

Are you using policies? If so, the switch expects you to return Filter-ID, it 
may expect it even if you do not use policies.

Filter-ID = Enterasys:version=1:mgmt=:policy=Default

mgmt can be su, rw, ro or blank
policy would be whatever roles you use on the switch.

The Auth-Type is dependent on the supplicant not the switch.

I can give you more specific information if you describe how your switch is 
configured. 




