Re: eap-ttls proxy and ldap

2007-03-01 Thread basile
I don't want to cancel proxying.
I'm doing EAP-TTLS, and users with realm @etab1 have to be proxied to another RADIUS
server. Proxying works fine, but authentication is done as anonymous,
which doesn't work:
the first server doesn't send the right username.

Logs on the second server (end server):

rad_recv: Access-Request packet from host xxx:1814, id=0, length=168
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 0011.bb08.1750
Calling-Station-Id = 0002.2d70.02a2
Service-Type = Login-User
Message-Authenticator = 0x0bcc9455270523eb776eee73ffb48e7e
EAP-Message = 0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672
NAS-Port-Type = Wireless-802.11
NAS-Port = 569
NAS-IP-Address =
NAS-Identifier = AP1100_WDS_MANAGER
Proxy-State = 0x313630
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to yyy:389, authentication 0
rlm_ldap: bind as ...  dc=enc,dc=sorbonne,dc=fr/x to yyy:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_pap: Attribute Password is required for authentication.
rad_recv: Access-Request packet from host xxx:1814, id=0, length=168
Sending Access-Reject of id 0 to xxx port 1814
Proxy-State = 0x313630

And on the first server (proxy server):

Re-sending Access-Request of id 0 to yyy port 1812
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 0011.bb08.1750
Calling-Station-Id = 0002.2d70.02a2
Service-Type = Login-User
Message-Authenticator = 0x
EAP-Message = 0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672
NAS-Port-Type = Wireless-802.11
NAS-Port = 623
NAS-IP-Address =
NAS-Identifier = AP1100_WDS_MANAGER
Client-IP-Address =
Stripped-User-Name = anonymous
Realm = enc.sorbonne.fr
EAP-Type = Identity
Realm = enc.sorbonne.fr
Proxy-State = 0x313834
rad_recv: Access-Reject packet from host yyy:1812, id=0, length=25
Proxy-State = 0x313834
Login incorrect (Home Server says so): [anonymous/no User-Password
attribute] (from client localhost port 623 cli 0002.2d70.02a2)


Alan DeKok wrote:
 basile wrote:
   
 I tried with a user in the users file: same problem.
 [EMAIL PROTECTED] and [EMAIL PROTECTED] don't work (proxies a request with
 User-Name = anonymous);
 [EMAIL PROTECTED] and [EMAIL PROTECTED] work.
 

   You can cancel proxying for anonymous users.

 DEFAULT User-Name =~ ^anonymous, Proxy-To-Realm := LOCAL

   This requires a LOCAL realm in proxy.conf.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
   

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


eap-ttls proxy and ldap

2007-02-28 Thread basile
Hi,
I'm trying to proxy EAP-TTLS requests from one FreeRADIUS server to another.
I use outer identity [EMAIL PROTECTED] and username [EMAIL PROTECTED].
The first server proxies to the second a request with anonymous as the username,
so it doesn't work.

If I use outer identity [EMAIL PROTECTED] (anotherdomain is local
to the first server), all works fine; the proxied request has the login as the username.
I use FreeRADIUS 1.1.3 on Debian on this server.
Here are my logs.
I have other proxies that work well.

Thanks

rad_recv: Access-Request packet from host xxx:1814, id=36, length=162
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 000d.eddf.7aa6
Calling-Station-Id = 0002.2d70.02a2
Service-Type = Login-User
Message-Authenticator = 0xdd3f8213af874ac3b02b2ad676fa70cc
EAP-Message = 0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672
NAS-Port-Type = Wireless-802.11
NAS-Port = 165300
NAS-IP-Address = xxx
NAS-Identifier = xxx
Proxy-State = 0x3336
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  rlm_eap: EAP packet type response id 2 length 30
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 2
users: Matched entry DEFAULT at line 14
  modcall[authorize]: module files returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  Found Autz-Type enc
  Processing the authorize section of radiusd.conf
modcall: entering group enc for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'dc=enc,dc=sorbonne,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=enc,dc=sorbonne,dc=fr, with filter
(uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module enc returns notfound for request 2
modcall: leaving group enc (returns notfound) for request 2
  rad_check_password:  Found Auth-Type pap
auth: type PAP
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 2
rlm_pap: Attribute Password is required for authentication.
  modcall[authenticate]: module pap returns invalid for request 2
modcall: leaving group PAP (returns invalid) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 3 seconds...




Re: eap-ttls proxy and ldap

2007-02-28 Thread basile
I tried with a user in the users file: same problem.
[EMAIL PROTECTED] and [EMAIL PROTECTED] don't work (proxies a request with
User-Name = anonymous);
[EMAIL PROTECTED] and [EMAIL PROTECTED] work.

I have two different versions of FreeRADIUS on the two servers.




problem with mysql accounting

2006-12-21 Thread basile
Hi,
I'm trying to do accounting with MySQL.
Here are the MySQL start, stop and update query definitions:

accounting_start_query = INSERT into radaact SET\
`User-Name` = '%{User-Name}',\
`Calling-Station-Id` = '%{Calling-Station-Id}',\
`Called-Station-Id` = '%{Called-Station-Id}',\
`NAS-IP-Address` = '%{NAS-IP-Address}',\
`NAS-Port` = %{NAS-Port},\
`Timestamp Start` = NOW(),\
`Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'


accounting_update_query = UPDATE radaact SET\
`Acct-Session-Time` = '%{Acct-Session-Time}',\
`Acct-Input-Octets` = '%{Acct-Input-Octets}',\
`Acct-Output-Octets` = '%{Acct-Output-Octets}',\
`Acct-Input-Packets` = '%{Acct-Input-Packets}',\
`Acct-Output-Packets` = '%{Acct-Output-Packets}'\
WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
LIMIT 1


accounting_stop_query = UPDATE radaact SET\
`Timestamp Stop` = NOW(),\
`Acct-Session-Time` = '%{Acct-Session-Time}',\
`Acct-Input-Octets` = '%{Acct-Input-Octets}',\
`Acct-Output-Octets` = '%{Acct-Output-Octets}',\
`Acct-Input-Packets` = '%{Acct-Input-Packets}',\
`Acct-Output-Packets` = '%{Acct-Output-Packets}',\
`Acct-Terminate-Cause` = '%{Acct-Terminate-Cause}'\
WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
LIMIT 1


Update works fine:

rlm_sql (sql): sql_set_user escaped user -- ''
radius_xlat:  'UPDATE radaact SET??`Acct-Session-Time` =
'292',??`Acct-Input-Octets` = '94237',??`Acct-Output-Octets` =
'937628',??`Acct-Input-Packets` = '597',??`Acct-Output-Packets` =
'816'?WHERE `Acct-Unique-Session-Id` = '814b38bc0e9c60f4'?LIMIT 1 '
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  ''
rlm_sql (sql): Released sql socket id: 2
  modcall[accounting]: module sql returns ok for request 61
modcall: leaving group accounting (returns ok) for request 61

but start and stop do not:

rlm_sql (sql): sql_set_user escaped user -- ''
radius_xlat:  'INSERT into radaact SET  '
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: MYSQL check_error: 1064 received
rlm_sql (sql): Couldn't insert SQL accounting START record - You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '' at line 1
radius_xlat:  ''
rlm_sql (sql): Released sql socket id: 4
  modcall[accounting]: module sql returns ok for request 59
modcall: leaving group accounting (returns ok) for request 59


rlm_sql (sql): sql_set_user escaped user -- ''
radius_xlat:  'UPDATE radaact SET  '
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: MYSQL check_error: 1064 received
rlm_sql (sql): Couldn't update SQL accounting STOP record - You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '' at line 1
rlm_sql (sql): Released sql socket id: 3
  modcall[accounting]: module sql returns fail for request 60
modcall: leaving group accounting (returns fail) for request 60

I use MySQL 4.1, FreeRADIUS 1.1.

Thanks for your help,
basile



why radwho doesn t work

2006-11-22 Thread basile
Hi,
I have a RADIUS server which authenticates users on a wireless network.
I configured the radutmp module, but when I use radwho there is nobody connected.
My radutmp file is not empty, but...
I have no idea, so if someone can help me and explain how it works,
thanks.
basile


Re: why radwho doesn t work

2006-11-22 Thread basile
I use FreeRADIUS 1.1.1.
All files have the right permissions to be written.
I do a lot of authentications, but nothing is written in radutmp.




problem after upgrading

2006-11-22 Thread basile
I upgraded FreeRADIUS, and now when I try to authenticate with a
user in an LDAP directory, the ldap section passes fine and after it I have:
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.

What does it mean?
Thanks for your help, because nothing works.
basile


password header in ldap definition

2006-11-07 Thread basile
Hi,
Is it possible to have multiple password header definitions in an ldap
section?
(Because we have different encryption schemes in our LDAP directory.)
Thanks
basile


Re: PEAP + LDAP with crypted PWs?

2004-09-22 Thread Basile Mathieu
I think you cannot use encrypted passwords.
We had the same problem and decided to use TTLS with PAP.
We use SecureW2 as the client for XP and 2000.
basile





According to Martin Pauly [EMAIL PROTECTED]:

 Hi everyone,

 We have recently migrated our user database to OpenLDAP, keeping the
 UNIX-crypted passwords. Now I would like to let wireless users authenticate
 against this LDAP Server. Since we do not have a PKI in place, I have
 set up an auth chain using PEAP/MSCHAPv2 (you might have guessed from my
 previous posts).
 For a first push, I split the chain and tested both LDAP and PEAP with
 cleartext passwords on the RADIUS side; they both work now.

 The big question is, of course, how to deal with the encrypted passwords.
 Any Challenge-Response protocol such as MSCHAPv2 won't quite cut it,
 unless you imagine fancy stuff like passing the seed for crypt to the
 client first who can then in turn do the required hash ...
 So what might be a feasible Option? TTLS has been a second option only
 so far, since PEAP is already wired into Windows XP -- which is still
 what most of our users will be running for some time :-|
 On the other hand, I haven't seen anything like PEAP-PAP so far, but I
 have seen there is TTLS-PAP and the like.

 Any suggestions?
 Thanks, Martin

 --
   Dr. Martin Pauly        Fax:    49-6421-28-26994
   HRZ Univ. Marburg       Phone:  49-6421-28-23527
   Hans-Meerwein-Str.      E-Mail: [EMAIL PROTECTED]
   D-35032 Marburg








This message was sent by Webmail Sorbonne via IMP.
http://courrier.sorbonne.fr/   http://mail.sorbonne.fr/


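The question above about several password headers in one ldap section, and Martin's point that a challenge-response method such as MSCHAPv2 cannot be answered from a hashed password, both come down to what the server can do with the value stored in userPassword. The Python below is an added example (not FreeRADIUS's rlm_pap and not code from the thread): it verifies a cleartext password, as a TTLS/PAP inner request delivers it, against RFC 2307-style values carrying {SHA}, {SSHA}, {MD5} or {SMD5} headers or no header at all, and reports whether a stored value could serve MSCHAPv2. The directory entries are constructed; the {SHA} and {MD5} values are the digests of the string "password".

```python
"""Check a cleartext password against LDAP userPassword values with RFC 2307
scheme headers ({SHA}, {SSHA}, {MD5}, {SMD5}) or no header (cleartext).
Added example for this page; it is not FreeRADIUS's rlm_pap and the
directory below is constructed."""
import base64
import hashlib
import hmac
import os

# header -> (hashlib name, salted?)
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def parse_header(stored):
    """'{ssha}abc' -> ('SSHA', 'abc'); a value without a header is cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEARTEXT", stored


def check_password(candidate, stored):
    """True if candidate matches stored; unknown schemes (e.g. {CRYPT}) are rejected."""
    scheme, payload = parse_header(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(candidate.encode(), payload.encode())
    if scheme not in SCHEMES:
        return False
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(payload)
    digest_len = hashlib.new(algo).digest_size
    digest = raw[:digest_len]
    salt = raw[digest_len:] if salted else b""      # salt is stored after the digest
    computed = hashlib.new(algo, candidate.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)


def make_hash(scheme, password, salt=None):
    """Produce a stored value in the given scheme (random 8-byte salt unless given)."""
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def mschapv2_usable(stored):
    """MSCHAPv2 needs the cleartext (or an NT hash) on the server side; a one-way
    {SHA}/{SSHA}/{MD5}/{SMD5} digest cannot be used to answer the challenge."""
    return parse_header(stored)[0] == "CLEARTEXT"


# Constructed directory: one entry per scheme, as a mixed LDAP tree would hold.
DIRECTORY = {
    "alice": "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",   # sha1("password")
    "bob":   "{MD5}X03MO1qnZdYdgyfeuILPmQ==",       # md5("password")
    "carol": make_hash("SSHA", "carol-pw"),
    "dave":  "dave-pw",                              # cleartext: the only MSCHAPv2-capable entry
}


def authenticate(uid, password, directory=DIRECTORY):
    """What a TTLS/PAP inner request allows: look up uid and verify whatever header it has."""
    stored = directory.get(uid)
    return stored is not None and check_password(password, stored)


if __name__ == "__main__":
    for uid, pw in [("alice", "password"), ("bob", "password"), ("carol", "carol-pw"),
                    ("dave", "dave-pw"), ("alice", "wrong")]:
        print(uid, authenticate(uid, pw), "mschapv2_usable=%s" % mschapv2_usable(DIRECTORY[uid]))
```

Because the header is read per value rather than configured once, a directory that mixes schemes is handled without any "multiple password header" setting; the cost is that every scheme except cleartext rules out PEAP/MSCHAPv2, which is the trade-off the thread settles on by moving to TTLS with PAP.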


netbios name in peap

2004-06-02 Thread Basile Mathieu
I configured PEAP on XP, and when I don't use the session information all
works fine,
but when I use the session information the username which is sent is
NETBIOSNAME\\user.

If someone can help me,
thanks
basile


peap and xp client

2004-05-28 Thread Basile Mathieu
Hi,
I'm trying to configure PEAP with XP clients.
I have different problems:
First, when I click Properties for PEAP for a Dell TrueMobile, I get a
Windows error (explorer.exe sends to Microsoft, etc.).
If someone has had this problem (I have all the service packs and hotfixes)...

Second, with a Cisco card, if I choose to use the Windows login information,
the username which is sent is COMPUTERNAME//username.

If I do not, I have a prompt for the username and password, but I get an
Access-Reject and I can't understand why.
Here are the RADIUS logs.
Thanks
basile


rad_recv: Access-Request packet from host 195.220.107.24:21646, id=100, length=133
User-Name = siris2
Framed-MTU = 1400
Called-Station-Id = 000e.38f7.6600
Calling-Station-Id = 000e.83eb.3692
Message-Authenticator = 0xb809d96df9890c5bfabc6b1f08be1f40
EAP-Message = 0x0201000b01736972697332
NAS-Port-Type = Wireless-802.11
NAS-Port = 276
Service-Type = Framed-User
NAS-IP-Address = 195.220.107.24
NAS-Identifier = test_siris
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
users: Matched siris2 at 8
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 100 to 195.220.107.24:21646
EAP-Message = 0x010200060d20
Message-Authenticator = 0x
State = 0x094dc0115bbe948141236dc0067c94f7
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 195.220.107.24:21646, id=101, length=146
User-Name = siris2
Framed-MTU = 1400
Called-Station-Id = 000e.38f7.6600
Calling-Station-Id = 000e.83eb.3692
Message-Authenticator = 0xffb041ae9c7d945e48b9abdc5ea8a289
EAP-Message = 0x020200060319
NAS-Port-Type = Wireless-802.11
NAS-Port = 276
State = 0x094dc0115bbe948141236dc0067c94f7
Service-Type = Framed-User
NAS-IP-Address = 195.220.107.24
NAS-Identifier = test_siris
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
users: Matched siris2 at 8
  modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/peap
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 101 to 195.220.107.24:21646
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0x8887bc05e9ffad7ceea0ea8117356e79
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 195.220.107.24:21646, id=102, length=220
User-Name = siris2
Framed-MTU = 1400
Called-Station-Id = 000e.38f7.6600
Calling-Station-Id = 000e.83eb.3692
Message-Authenticator = 0xde91088232c648d7cebb392774185b42
EAP-Message = 0x02030050198000461603010041013d030140b70c853366006d649af9a24cbcb24b1341a33490c98189db2b40913e0f46ce1600040005000a000900640062000300060013001200630100
NAS-Port-Type = Wireless-802.11
NAS-Port = 276
State = 0x8887bc05e9ffad7ceea0ea8117356e79
Service-Type = Framed-User
NAS-IP-Address = 195.220.107.24
NAS-Identifier = test_siris
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
users: Matched siris2 at 8
  modcall[authorize]: module files returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from

Fwd: eap_tls on cisco 1100 with xp and linux

2004-03-01 Thread Basile Mathieu

Date: Mon, 01 Mar 2004 15:38:46 +0100
To: [EMAIL PROTECTED]
From: Basile Mathieu [EMAIL PROTECTED]
Subject: eap_tls on cisco 1100 with xp and  linux
I have a Cisco AP 1100,
laptops under XP and Linux Red Hat 7.3,
and a FreeRADIUS server.
I want the EAP-TLS method for authentication.
Here are the FreeRADIUS config files, the AP (Cisco 1100) config file
and the xsupplicant config files.
Nothing works.
If someone can tell me what is wrong; I'm going crazy.
Thanks a lot,
basile mathieu
PS:
I did not include radiusd.conf because my mail was rejected.

"Radius" is the log from when the XP laptop tries to connect.
When the laptop under Linux Red Hat 7.3 tries to connect nothing happens
(the EAPOL Start packet has destination 44:44:44:44:44:44).
The Wi-Fi cards on the laptops are Cisco 350 series PCMCIA.
I used http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm to
generate the certificates and configure XP.
#
# clients.conf - client configuration directives
#
###

###
#
#  Definition of a RADIUS client (usually a NAS).
#
#  The information given here over rides anything given in the
#  'clients' file, or in the 'naslist' file.  The configuration here
#  contains all of the information from those two files, and allows
#  for more configuration items.
#
#  The shortname is used for logging.  The nastype, login and
#  password fields are mainly used for checkrad and are optional.
#

#
#  Defines a RADIUS client.  The format is 'client [hostname|ip-address]'
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
client 127.0.0.1 {
#
#  The shared secret used to encrypt and sign packets between
#  the NAS and FreeRADIUS.  You MUST change this secret from the
#  default, otherwise it's not a secret any more!
#
#  The secret can be any string, up to 32 characters in length.
#
secret  = testing123

#
#  The short name is used as an alias for the fully qualified
#  domain name, or the IP address.
#
shortname   = localhost

#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#

#
# The nastype tells 'checkrad.pl' which NAS-specific method to
#  use to query the NAS for simultaneous use.
#
#  Permitted NAS types are:
#
#   cisco
#   computone
#   livingston
#   max40xx
#   multitech
#   netserver
#   pathras
#   patton
#   portslave
#   tc
#   usrhiper
#   other   # for all other types

#
nastype = other # localhost isn't usually a NAS...

#
#  The following two configurations are for future use.
#  The 'naspasswd' file is currently used to store the NAS
#  login name and password, which is used by checkrad.pl
#  when querying the NAS for simultaneous use.
#
#   login   = !root
#   password= someadminpas
}

#client some.host.org {
#   secret  = testing123
#   shortname   = localhost
#}

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
client IP/24 {
secret  = basile
shortname   = borne_siris
nastype = other
}
#
#client 192.168.0.0/16 {
#   secret  = testing123-2
#   shortname   = private-network-2
#}


client IP0/24 {
secret  = basile
shortname   = borne_siris
nastype = other
}

#client 10.10.10.10 {
#   # secret and password are mapped through the secrets file.
#   secret  = testing123
#   shortname   = liv1
#   # the following three fields are optional, but may be used by
#   # checkrad.pl for simultaneous usage checks
#   nastype = livingston
#   login   = !root
#   password= someadminpas
#}


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups

Re: eap_tls

2004-02-26 Thread Basile Mathieu
At 09:41 26/02/2004 -0500, you wrote:
Basile Mathieu [EMAIL PROTECTED] wrote:
 here is the output of radius when the laptop tries to authenticate;
 because I'm not a RADIUS master :) if someone can tell me what
 is not going well
  The AP seems to be ignoring the response of the RADIUS server.  I
believe this is in the FAQ.
I bound the server to one IP address as said in the FAQ,
but without effect.
I have new logs and it seems that it's better, but still not good.
Thanks for your help
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: bind_address = 195.220.107.24 IP address [195.220.107.24]
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/basile.pem
 tls: certificate_file = /usr/local/etc/raddb/certs/basile.pem
 tls: CA_file = /usr/local/etc/raddb/certs/demoCA/root.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /usr/local/etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp

Re: eap_tls

2004-02-26 Thread Basile Mathieu
I have a question.
I looked at a good log, and after the TLS conversation
there is: module eap returns ok
and for me it's: module eap returns handled.
My question: what does it mean, and is it a problem?

basile





At 11:03 26/02/2004 -0500, you wrote:
Basile Mathieu [EMAIL PROTECTED] wrote:
 I bound the server to one IP address as said in the FAQ
 but without effect
  The debug log has changed, therefore there WAS an effect.

  You now see:

 Sending Access-Accept of id 40 to 195.220.106.100:21646
  MS-MPPE-Recv-Key = 0x0ea3979b93d3f486acf7d096d12a68e34ad38363446447e4e64c5f2a85dc140d
  MS-MPPE-Send-Key = 0x02b63169a80c60371ab6429104cc0473c603d5b1b4f038461fd2120c0cc218ae
  EAP-Message = 0x03040004
  Message-Authenticator = 0x
  User-Name = sentinelle
  So it works, and the change you made helped.

   FreeRADIUS sent an Access-Accept, so it thinks everything is fine.
If the wireless client cannot access the network, then the problem is
in the AP or the wireless client, not in FreeRADIUS.
  Alan DeKok.





eap_tls with cisco aironet 1100 and cisco 350 serie pcmcia

2004-02-26 Thread Basile Mathieu
Has someone configured a Cisco Aironet 1100 (AP) and Cisco 350 series for
EAP-TLS with FreeRADIUS?
The configuration of the AP interests me.
Thanks
basile


ignoring request from unknown client 127.0.0.1

2004-02-25 Thread Basile Mathieu
I use freeradius-snapshot-20040224 on a Red Hat 7.3.

All seems to work fine, but when I use radtest
the server tells me:
Ignoring request from unknown client 127.0.0.1
I added the loopback in clients and clients.conf.
I don't understand.
Thanks
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/basile.pem
 tls: certificate_file = /usr/local/etc/raddb/basile.pem
 tls: CA_file = /usr/local/etc/raddb/root.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/DH
 tls: random_file = /usr/local/etc/raddb/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.





unknown host 127.0.0.1

2004-02-25 Thread Basile Mathieu
I reinstalled freeradius-snapshot-20040224 and use the default radiusd.conf.
I just added 127.0.0.1 to clients, and added a user,
but when I use radtest I have the same error:
Ignoring request from unknown client 127.0.0.1
Did I forget to do something?
With the older version everything works fine.
basile



Re: unknown host 127.0.0.1

2004-02-25 Thread Basile Mathieu
At 10:18 25/02/2004 -0500, you wrote:
Basile Mathieu [EMAIL PROTECTED] wrote:
 I reinstalled freeradius-snapshot-20040224 and use the default radiusd.conf.
 I just added 127.0.0.1 to clients.
  It's included by default.

 But when I use radtest I have the same error:
 Ignoring request from unknown client 127.0.0.1

 Did I forget to do something?
Here is the log when I launch radiusd -X:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.

And there is something strange:

in the radtest output,
the NAS-IP-Address is not 127.0.0.1 or localhost but the name of the
machine on the Internet.

I didn't change anything else in the default configuration.



  I don't think so.  I'm using the CVS snapshot almost every day for
testing, and I don't have this problem.
  Are you sure it's reading the clients file you're editing?

  Alan DeKok.
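The check Alan asks for can be done mechanically: the two debug logs in this thread name different files ("Config: including file: /etc/raddb/clients.conf" in the first, "/usr/local/etc/raddb/clients.conf" in the second), and "Ignoring request from unknown client" is decided purely on the packet's source address against the client entries the daemon actually read, so the NAS-IP-Address radtest fills in is irrelevant to it. The following added example (not code from the thread or from FreeRADIUS) takes the "including file:" lines from `radiusd -X` output, parses `client <address-or-network> { ... }` blocks in the 1.x clients.conf style, and reports whether the source IP is covered by a file the daemon read, or only by a file it never opened. The two file contents and their secrets are constructed.

```python
import ipaddress
import re

INCLUDE_RE = re.compile(r"^\s*Config:\s+including file:\s+(\S+)\s*$")
CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{\s*$")
KV_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.+?)\s*$")


def included_config_files(debug_output: str) -> list:
    """Paths that 'radiusd -X' reports with 'Config: including file:', in order."""
    paths = []
    for line in debug_output.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def parse_clients_conf(text: str) -> dict:
    """Parse 'client <addr-or-network> { key = value ... }' blocks (the 1.x
    clients.conf style); '#' comments are stripped, nested blocks are not handled."""
    clients, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = CLIENT_RE.match(line)
        if m:
            current = m.group(1)
            clients[current] = {}
            continue
        if line.strip() == "}":
            current = None
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            clients[current][m.group(1)] = m.group(2).strip('"')
    return clients


def matching_client(clients: dict, source_ip: str):
    """Return (key, attributes) of the most specific client entry covering
    source_ip, or None. Matching is on the packet's source address, which is
    how the server identifies a client; NAS-IP-Address plays no part."""
    addr = ipaddress.ip_address(source_ip)
    best = None
    for key, attrs in clients.items():
        try:
            net = ipaddress.ip_network(key, strict=False)
        except ValueError:
            continue  # a hostname entry would need DNS; skipped offline
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (key, net, attrs)
    return None if best is None else (best[0], best[2])


def diagnose_unknown_client(debug_output: str, files_on_disk: dict, source_ip: str) -> dict:
    """Cross-check which clients.conf the daemon read against the files you edited.

    files_on_disk maps path -> content. Returns the clients.conf paths actually
    read, the entry covering source_ip in one of them (or None), and any
    edited file that covers source_ip but was never read."""
    read = [p for p in included_config_files(debug_output) if p.endswith("clients.conf")]
    covered_by = None
    for path in read:
        if path in files_on_disk:
            m = matching_client(parse_clients_conf(files_on_disk[path]), source_ip)
            if m:
                covered_by = (path, m[0])
                break
    not_read = [p for p, text in files_on_disk.items()
                if p not in read and matching_client(parse_clients_conf(text), source_ip)]
    return {"clients_conf_read": read, "covered_by": covered_by,
            "edited_but_not_read": not_read}


# Constructed sample: the include lines mirror the second debug log in this
# thread; the file contents and secrets are made up for the example.
SAMPLE_DEBUG = """\
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
"""
SAMPLE_FILES = {
    "/etc/raddb/clients.conf": """\
# edited copy, under a prefix the daemon is not using
client 127.0.0.1 {
    secret    = testing123
    shortname = localhost
}
""",
    "/usr/local/etc/raddb/clients.conf": """\
client 192.168.0.0/24 {
    secret    = lab-secret
    shortname = lab-aps
}
""",
}

if __name__ == "__main__":
    print(diagnose_unknown_client(SAMPLE_DEBUG, SAMPLE_FILES, "127.0.0.1"))
```

With the constructed files, the loopback entry lives only in `/etc/raddb/clients.conf`, which the daemon never included, so the result shows `covered_by` empty and that path under `edited_but_not_read`; on a real host you would pass the actual file contents and the real `radiusd -X` output.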


problem with eap_tls on freeradius-snapshot-200221028

2004-02-24 Thread Basile Mathieu
I used this howto http://www.impossiblereflex.com/9021x/eap-tls-HOWTO.htm
to authenticate WiFi users.
I got the versions given in this howto.

I am on a Red Hat 7.3.

I can launch FreeRADIUS, but when an AP tries to authenticate I have:

/usr/local/sbin/radiusd relocation error
/usr/local/lib/rlm_eap_tls-0.8-pre.so undefined symbol SSL_set_msg_callback_arg

If someone can help me...
I tried with freeradius 0.9.3 and 0.9.3-3 and I tried different versions of
openssl, but without any success.
I'm going crazy :(

basile
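A relocation error of the kind quoted above means the module was linked against a libssl that declares `SSL_set_msg_callback_arg`, while the libssl the dynamic loader picks at run time does not export it: the OpenSSL the module was built against and the OpenSSL found on the library path are not the same build. The added example below (not code from the thread or from FreeRADIUS) shows the check a practitioner would script for it: list the libraries `ldd` resolves for the module, take `nm -D` output for the module and for each of those libraries, and report every symbol the module imports that none of them exports. It assumes GNU binutils `nm -D` and `ldd` output formats; the `nm`/`ldd` text and the module symbol `rlm_example_init` are constructed samples.

```python
import re
import subprocess

# One `nm -D` line: optional address, a one-letter symbol type, the symbol name.
NM_LINE_RE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)$")
UNDEFINED_KINDS = set("Uwv")  # U = undefined, w/v = weak undefined (optional)


def parse_nm_dynamic(nm_output: str):
    """Split `nm -D` output into (required_undefined, exported_defined) symbol sets.
    Symbol-version suffixes such as '@OPENSSL_1_1_0' are dropped so the comparison
    is by plain name."""
    undefined, defined = set(), set()
    for line in nm_output.splitlines():
        m = NM_LINE_RE.match(line.strip())
        if not m:
            continue
        kind, name = m.groups()
        name = name.split("@", 1)[0]
        if kind == "U":
            undefined.add(name)
        elif kind not in UNDEFINED_KINDS:
            defined.add(name)
    return undefined, defined


def unresolved_symbols(module_nm: str, library_nms) -> set:
    """Symbols the module imports that none of the given libraries export.
    Any name left here is a candidate for the 'undefined symbol' relocation error."""
    needed, _ = parse_nm_dynamic(module_nm)
    exported = set()
    for out in library_nms:
        exported |= parse_nm_dynamic(out)[1]
    return needed - exported


def shared_library_paths(ldd_output: str) -> list:
    """Resolved library paths from `ldd <module>` lines of the form
    'libssl.so => /usr/lib/libssl.so (0x...)'; the loader line has no '=>'."""
    paths = []
    for line in ldd_output.splitlines():
        m = re.search(r"=>\s+(/\S+)", line)
        if m:
            paths.append(m.group(1))
    return paths


def run_tool(cmd: list) -> str:
    """Run a binutils command and return its stdout (used only by check_module)."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def check_module(module_path: str) -> set:
    """Live check on a real host: ldd and nm -D the module and the libraries the
    loader picks for it, and return the imports nothing exports."""
    libs = shared_library_paths(run_tool(["ldd", module_path]))
    return unresolved_symbols(run_tool(["nm", "-D", module_path]),
                              [run_tool(["nm", "-D", p]) for p in libs])


# Constructed samples (not real tool output): a module importing a symbol that
# the libssl the loader found does not export.
SAMPLE_LDD = """\
\tlibssl.so => /usr/lib/libssl.so (0x40021000)
\tlibc.so.6 => /lib/libc.so.6 (0x40100000)
\t/lib/ld-linux.so.2 (0x40000000)
"""
SAMPLE_MODULE_NM = """\
                 w __gmon_start__
                 U SSL_new
                 U SSL_set_msg_callback_arg
                 U free
0000000000001120 T rlm_example_init
"""
SAMPLE_LIBSSL_NM = """\
0000000000021ab0 T SSL_CTX_new
0000000000021f40 T SSL_new
                 U free
"""
SAMPLE_LIBC_NM = """\
0000000000094e10 T free
0000000000094f30 T malloc
"""

if __name__ == "__main__":
    print(shared_library_paths(SAMPLE_LDD))
    print(unresolved_symbols(SAMPLE_MODULE_NM, [SAMPLE_LIBSSL_NM, SAMPLE_LIBC_NM]))
```

On the samples the only unresolved import is `SSL_set_msg_callback_arg`, which is the shape of the error above; on a real host `check_module("/path/to/rlm_eap_tls.so")` does the same against the libraries the loader actually selects, and the `ldd` path for libssl tells you which OpenSSL installation is winning.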
