Re: eap-ttls proxy and ldap
I don't want to cancel proxying. I'm doing EAP-TTLS, and users with realm @etab1 have to be proxied to another RADIUS server. Proxying works fine, but authentication is done with anonymous, which doesn't work: the first server doesn't send a good username.

Logs on the second server (end server):

rad_recv: Access-Request packet from host xxx:1814, id=0, length=168
        User-Name = anonymous
        Framed-MTU = 1400
        Called-Station-Id = 0011.bb08.1750
        Calling-Station-Id = 0002.2d70.02a2
        Service-Type = Login-User
        Message-Authenticator = 0x0bcc9455270523eb776eee73ffb48e7e
        EAP-Message = 0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 569
        NAS-IP-Address =
        NAS-Identifier = AP1100_WDS_MANAGER
        Proxy-State = 0x313630
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to yyy:389, authentication 0
rlm_ldap: bind as ... dc=enc,dc=sorbonne,dc=fr/x to yyy:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_pap: Attribute Password is required for authentication.
rad_recv: Access-Request packet from host xxx:1814, id=0, length=168
Sending Access-Reject of id 0 to xxx port 1814
        Proxy-State = 0x313630

And on the first server (proxy server):

Re-sending Access-Request of id 0 to yyy port 1812
        User-Name = anonymous
        Framed-MTU = 1400
        Called-Station-Id = 0011.bb08.1750
        Calling-Station-Id = 0002.2d70.02a2
        Service-Type = Login-User
        Message-Authenticator = 0x
        EAP-Message = 0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 623
        NAS-IP-Address =
        NAS-Identifier = AP1100_WDS_MANAGER
        Client-IP-Address =
        Stripped-User-Name = anonymous
        Realm = enc.sorbonne.fr
        EAP-Type = Identity
        Realm = enc.sorbonne.fr
        Proxy-State = 0x313834
rad_recv: Access-Reject packet from host yyy:1812, id=0, length=25
        Proxy-State = 0x313834
Login incorrect (Home Server says so): [anonymous/no User-Password attribute] (from client localhost port 623 cli 0002.2d70.02a2)

Alan DeKok wrote:

basile wrote:
I tried with a user in the users file: same problem. [EMAIL PROTECTED] and [EMAIL PROTECTED] don't work (it proxies a request with User-Name = anonymous). [EMAIL PROTECTED] and [EMAIL PROTECTED] work.

You can cancel proxying for anonymous users.

DEFAULT User-Name =~ ^anonymous, Proxy-To-Realm := LOCAL

This requires a LOCAL realm in proxy.conf.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
eap-ttls proxy and ldap
Hi. I'm trying to proxy EAP-TTLS requests from one FreeRADIUS server to another. I use outer identity [EMAIL PROTECTED] and username [EMAIL PROTECTED]. The first server proxies to the second a request with anonymous as the username, so it doesn't work. If I use outer identity [EMAIL PROTECTED] (anotherdomain is local to the first server), all works fine; the proxied request has the login as the username. I use FreeRADIUS 1.1.3 on Debian on this server. Here are my logs. I have other proxies that work well. Thanks.

rad_recv: Access-Request packet from host xxx:1814, id=36, length=162
        User-Name = anonymous
        Framed-MTU = 1400
        Called-Station-Id = 000d.eddf.7aa6
        Calling-Station-Id = 0002.2d70.02a2
        Service-Type = Login-User
        Message-Authenticator = 0xdd3f8213af874ac3b02b2ad676fa70cc
        EAP-Message = 0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 165300
        NAS-IP-Address = xxx
        NAS-Identifier = xxx
        Proxy-State = 0x3336
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module preprocess returns ok for request 2
rlm_eap: EAP packet type response id 2 length 30
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 2
users: Matched entry DEFAULT at line 14
modcall[authorize]: module files returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
Found Autz-Type enc
Processing the authorize section of radiusd.conf
modcall: entering group enc for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat: '(uid=anonymous)'
radius_xlat: 'dc=enc,dc=sorbonne,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=enc,dc=sorbonne,dc=fr, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module enc returns notfound for request 2
modcall: leaving group enc (returns notfound) for request 2
rad_check_password: Found Auth-Type pap
auth: type PAP
Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 2
rlm_pap: Attribute Password is required for authentication.
modcall[authenticate]: module pap returns invalid for request 2
modcall: leaving group PAP (returns invalid) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 3 seconds...
Re: eap-ttls proxy and ldap
I tried with a user in the users file: same problem. [EMAIL PROTECTED] and [EMAIL PROTECTED] don't work (it proxies a request with User-Name = anonymous). [EMAIL PROTECTED] and [EMAIL PROTECTED] work. I have two different versions of FreeRADIUS on the two servers.
problem with mysql accounting
Hi. I'm trying to do accounting with MySQL. Here are the MySQL start, stop and update query definitions:

accounting_start_query = INSERT into radaact SET\
        `User-Name` = '%{User-Name}',\
        `Calling-Station-Id` = '%{Calling-Station-Id}',\
        `Called-Station-Id` = '%{Called-Station-Id}',\
        `NAS-IP-Address` = '%{NAS-IP-Address}',\
        `NAS-Port` = %{NAS-Port},\
        `Timestamp Start` = NOW(),\
        `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'

accounting_update_query = UPDATE radaact SET\
        `Acct-Session-Time` = '%{Acct-Session-Time}',\
        `Acct-Input-Octets` = '%{Acct-Input-Octets}',\
        `Acct-Output-Octets` = '%{Acct-Output-Octets}',\
        `Acct-Input-Packets` = '%{Acct-Input-Packets}',\
        `Acct-Output-Packets` = '%{Acct-Output-Packets}'\
        WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
        LIMIT 1

accounting_stop_query = UPDATE radaact SET\
        `Timestamp Stop` = NOW(),\
        `Acct-Session-Time` = '%{Acct-Session-Time}',\
        `Acct-Input-Octets` = '%{Acct-Input-Octets}',\
        `Acct-Output-Octets` = '%{Acct-Output-Octets}',\
        `Acct-Input-Packets` = '%{Acct-Input-Packets}',\
        `Acct-Output-Packets` = '%{Acct-Output-Packets}',\
        `Acct-Terminate-Cause` = '%{Acct-Terminate-Cause}'\
        WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
        LIMIT 1

Update works fine:

rlm_sql (sql): sql_set_user escaped user -- ''
radius_xlat: 'UPDATE radaact SET??`Acct-Session-Time` = '292',??`Acct-Input-Octets` = '94237',??`Acct-Output-Octets` = '937628',??`Acct-Input-Packets` = '597',??`Acct-Output-Packets` = '816'?WHERE `Acct-Unique-Session-Id` = '814b38bc0e9c60f4'?LIMIT 1 '
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 2
modcall[accounting]: module sql returns ok for request 61
modcall: leaving group accounting (returns ok) for request 61

But start and stop do not:

rlm_sql (sql): sql_set_user escaped user -- ''
radius_xlat: 'INSERT into radaact SET '
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: MYSQL check_error: 1064 received
rlm_sql (sql): Couldn't insert SQL accounting START record - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 4
modcall[accounting]: module sql returns ok for request 59
modcall: leaving group accounting (returns ok) for request 59
rlm_sql (sql): sql_set_user escaped user -- ''
radius_xlat: 'UPDATE radaact SET '
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: MYSQL check_error: 1064 received
rlm_sql (sql): Couldn't update SQL accounting STOP record - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
rlm_sql (sql): Released sql socket id: 3
modcall[accounting]: module sql returns fail for request 60
modcall: leaving group accounting (returns fail) for request 60

I use MySQL 4.1, FreeRADIUS 1.1. Thanks for help.
basile
why radwho doesn t work
Hi. I have a RADIUS server which authenticates users on a wireless network. I configured the radutmp module, but when I use radwho there is nobody connected. My radutmp file is not empty, but I have no idea, so if someone can help me and explain to me how it works, thanks.
basile
Re: why radwho doesn t work
I use FreeRADIUS 1.1.1. All files have the right permissions to be written. I do a lot of authentications, but nothing is written in radutmp.
problem after upgrading
I upgraded FreeRADIUS, and now when I try to authenticate with a user in an LDAP directory, the ldap section passes fine and after that I have:

auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.

What does it mean? Thanks for help, because nothing works.
basile
password header in ldap definition
Hi. Is it possible to have multiple password header definitions in an ldap section (because we have different encryptions in our LDAP directory)? Thanks.
basile
Re: PEAP + LDAP with crypted PWs?
I think you cannot use encrypted passwords. We had the same problem and decided to use TTLS with PAP. We use SecureW2 as the client for XP and 2000.
basile

According to Martin Pauly [EMAIL PROTECTED]:

Hi everyone,

We have shortly migrated our user database to OpenLDAP, keeping the UNIX-crypted passwords. Now I would like to let wireless users authenticate against this LDAP Server. Since we do not have a PKI in place, I have set up an auth chain using PEAP/MSCHAPv2 (you might have guessed from my previous posts). For a first push, I split the chain and tested both LDAP and PEAP with cleartext passwords on the RADIUS side; they both work now.

The big question is, of course, how to deal with the encrypted passwords. Any Challenge-Response protocol such as MSCHAPv2 won't quite cut it, unless you imagine fancy stuff like passing the seed for crypt to the client first who can then in turn do the required hash ... So what might be a feasible Option? TTLS has been a second option only so far, since PEAP is already wired into Windows XP -- which is still what most of our users will be running for some time :-| On the other hand, I haven't seen anything like PEAP-PAP so far, but I have seen there is TTLS-PAP and the like.

Any suggestions?

Thanks, Martin
--
Dr. Martin Pauly          Fax:    49-6421-28-26994
HRZ Univ. Marburg         Phone:  49-6421-28-23527
Hans-Meerwein-Str.        E-Mail: [EMAIL PROTECTED]
D-35032 Marburg
netbios name in peap
I configured PEAP on XP, and when I don't use the session information all works fine, but when I use the session information the user name which is sent is NETBIOSNAME\\user. If someone can help me, thanks.
basile
peap and xp client
Hi. I'm trying to configure PEAP with XP clients. I have different problems. First, when I click Properties for PEAP for a Dell TrueMobile I get a Windows error (explorer.exe send to Microsoft, etc.); has someone had this problem (I have all the service packs and hotfixes)? Second, with a Cisco card, if I choose to use the Windows login information the user name which is sent is COMPUTERNAME//username; if I do not, I get a prompt for the user name and password, but I get an Access-Reject and I can't understand why. Here are the RADIUS logs. Thanks.
basile

rad_recv: Access-Request packet from host 195.220.107.24:21646, id=100, length=133
        User-Name = siris2
        Framed-MTU = 1400
        Called-Station-Id = 000e.38f7.6600
        Calling-Station-Id = 000e.83eb.3692
        Message-Authenticator = 0xb809d96df9890c5bfabc6b1f08be1f40
        EAP-Message = 0x0201000b01736972697332
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 276
        Service-Type = Framed-User
        NAS-IP-Address = 195.220.107.24
        NAS-Identifier = test_siris
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
users: Matched siris2 at 8
modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 100 to 195.220.107.24:21646
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x
        State = 0x094dc0115bbe948141236dc0067c94f7
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 195.220.107.24:21646, id=101, length=146
        User-Name = siris2
        Framed-MTU = 1400
        Called-Station-Id = 000e.38f7.6600
        Calling-Station-Id = 000e.83eb.3692
        Message-Authenticator = 0xffb041ae9c7d945e48b9abdc5ea8a289
        EAP-Message = 0x020200060319
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 276
        State = 0x094dc0115bbe948141236dc0067c94f7
        Service-Type = Framed-User
        NAS-IP-Address = 195.220.107.24
        NAS-Identifier = test_siris
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
users: Matched siris2 at 8
modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 101 to 195.220.107.24:21646
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0x8887bc05e9ffad7ceea0ea8117356e79
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 195.220.107.24:21646, id=102, length=220
        User-Name = siris2
        Framed-MTU = 1400
        Called-Station-Id = 000e.38f7.6600
        Calling-Station-Id = 000e.83eb.3692
        Message-Authenticator = 0xde91088232c648d7cebb392774185b42
        EAP-Message = 0x02030050198000461603010041013d030140b70c853366006d649af9a24cbcb24b1341a33490c98189db2b40913e0f46ce1600040005000a000900640062000300060013001200630100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 276
        State = 0x8887bc05e9ffad7ceea0ea8117356e79
        Service-Type = Framed-User
        NAS-IP-Address = 195.220.107.24
        NAS-Identifier = test_siris
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module preprocess returns ok for request 2
users: Matched siris2 at 8
modcall[authorize]: module files returns ok for request 2
modcall: group authorize returns ok for request 2
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from
Fwd: eap_tls on cisco 1100 with xp and linux
Date: Mon, 01 Mar 2004 15:38:46 +0100
To: [EMAIL PROTECTED]
From: Basile Mathieu [EMAIL PROTECTED]
Subject: eap_tls on cisco 1100 with xp and linux

I have a Cisco AP 1100, laptops under XP and Linux Red Hat 7.3, and a FreeRADIUS server. I want the eap_tls method for authentication. Here are the FreeRADIUS config files, the AP (Cisco 1100) config file and the xsupplicant config files. Nothing works. If someone can tell me what is wrong; I'm going crazy. Thanks a lot.
basile mathieu

PS: I did not put the radiusd.conf because my mail was rejected. "Radius" is the log when the XP laptop tries to connect. When the laptop under Linux Red Hat 7.3 tries to connect, nothing happens (the start EAPOL packet has destination 44:44:44:44:44:44). The wifi cards on the laptops are Cisco 350 series PCMCIA. I used http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm to generate the certificates and configure XP.

#
# clients.conf - client configuration directives
#
###

#
# Definition of a RADIUS client (usually a NAS).
#
# The information given here over rides anything given in the
# 'clients' file, or in the 'naslist' file. The configuration here
# contains all of the information from those two files, and allows
# for more configuration items.
#
# The shortname is be used for logging. The nastype, login and
# password fields are mainly used for checkrad and are optional.
#

#
# Defines a RADIUS client. The format is 'client [hostname|ip-address]'
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
client 127.0.0.1 {
        #
        # The shared secret use to encrypt and sign packets between
        # the NAS and FreeRADIUS. You MUST change this secret from the
        # default, otherwise it's not a secret any more!
        #
        # The secret can be any string, up to 32 characters in length.
        #
        secret = testing123

        #
        # The short name is used as an alias for the fully qualified
        # domain name, or the IP address.
        #
        shortname = localhost

        #
        # the following three fields are optional, but may be used by
        # checkrad.pl for simultaneous use checks
        #

        #
        # The nastype tells 'checkrad.pl' which NAS-specific method to
        # use to query the NAS for simultaneous use.
        #
        # Permitted NAS types are:
        #
        #       cisco
        #       computone
        #       livingston
        #       max40xx
        #       multitech
        #       netserver
        #       pathras
        #       patton
        #       portslave
        #       tc
        #       usrhiper
        #       other           # for all other types
        #
        nastype = other         # localhost isn't usually a NAS...

        #
        # The following two configurations are for future use.
        # The 'naspasswd' file is currently used to store the NAS
        # login name and password, which is used by checkrad.pl
        # when querying the NAS for simultaneous use.
        #
        # login = !root
        # password= someadminpas
}

#client some.host.org {
#       secret = testing123
#       shortname = localhost
#}

#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
client IP/24 {
        secret = basile
        shortname = borne_siris
        nastype = other
}

#
#client 192.168.0.0/16 {
#       secret = testing123-2
#       shortname = private-network-2
#}

client IP0/24 {
        secret = basile
        shortname = borne_siris
        nastype = other
}

#client 10.10.10.10 {
#       # secret and password are mapped through the secrets file.
#       secret = testing123
#       shortname = liv1
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
#       nastype = livingston
#       login = !root
#       password= someadminpas
#}

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups
Re: eap_tls
At 09:41 26/02/2004 -0500, you wrote:

Basile Mathieu [EMAIL PROTECTED] wrote:
here is the output of RADIUS when the laptop tries to authenticate, because I'm not a RADIUS master :) if someone can tell me what is not going well

The AP seems to be ignoring the response of the RADIUS server. I believe this is in the FAQ.

I bound the server to one IP address as said in the FAQ, but without effect. I have a new log and it seems that it's better, but still not good. Thanks for your help.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: bind_address = 195.220.107.24 IP address [195.220.107.24]
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = tls
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/etc/raddb/certs/basile.pem
tls: certificate_file = /usr/local/etc/raddb/certs/basile.pem
tls: CA_file = /usr/local/etc/raddb/certs/demoCA/root.pem
tls: private_key_password = whatever
tls: dh_file = /usr/local/etc/raddb/certs/dh
tls: random_file = /usr/local/etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /usr/local/var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp
Re: eap_tls
I have a question. I looked at a good log, and after the TLS conversation there is: module eap returns ok. For me it's: module eap returns handled. My question: what does it mean, and is it a problem?
basile

At 11:03 26/02/2004 -0500, you wrote:

Basile Mathieu [EMAIL PROTECTED] wrote:
I bound the server to one IP address as said in the FAQ, but without effect.

The debug log has changed, therefore there WAS an effect. You now see:

Sending Access-Accept of id 40 to 195.220.106.100:21646
        MS-MPPE-Recv-Key = 0x0ea3979b93d3f486acf7d096d12a68e34ad38363446447e4e64c5f2a85dc140d
        MS-MPPE-Send-Key = 0x02b63169a80c60371ab6429104cc0473c603d5b1b4f038461fd2120c0cc218ae
        EAP-Message = 0x03040004
        Message-Authenticator = 0x
        User-Name = sentinelle

So it works, and the change you made helped. FreeRADIUS sent an Access-Accept, so it thinks everything is fine. If the wireless client cannot access the network, then the problem is in the AP or the wireless client, not in FreeRADIUS.

Alan DeKok.
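The EAP-Message values quoted in the EAP-TTLS proxy, PEAP and eap_tls posts above are the raw EAP packets the NAS relays, and reading them explains the log lines next to them (which outer identity reached the home server, which EAP type the XP client NAK'd for, what an EAP Success looks like). Here is an added example, not code from the page or from FreeRADIUS, that decodes those values, models the realm module's suffix split, and applies the users-file rule from Alan DeKok's reply to decide whether a request is proxied; the realm list, the rule pattern and the function names are assumptions.

```python
"""Decode EAP-Message attribute values and model the realm/proxy decision.

Added example; sample hex values are copied from the debug logs on this page.
"""
import binascii
import re

# EAP codes (RFC 3748) and the EAP types that occur in the logs on this page.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def decode_eap_message(hexvalue):
    """Parse one EAP packet as printed in an EAP-Message attribute.

    Returns a dict with code, id and length, plus the identity (Identity),
    the desired type (Nak) or the flags byte (TLS-based types).  Raises
    ValueError when the length field disagrees with the bytes present, which
    catches truncated or extraction-damaged values before they are trusted.
    """
    raw = binascii.unhexlify(hexvalue[2:] if hexvalue.startswith("0x") else hexvalue)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):              # Success / Failure carry no type byte
        return pkt
    if length < 5:
        raise ValueError("Request/Response needs a type byte")
    eap_type = raw[4]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    data = raw[5:]
    if eap_type == 1:               # Identity: the outer identity the NAS forwards
        pkt["identity"] = data.decode("utf-8")
    elif eap_type == 3:             # Nak: the peer names the type it wants instead
        pkt["desired_type"] = EAP_TYPES.get(data[0], data[0]) if data else None
    elif eap_type in (13, 21, 25):  # TLS-based types: first data byte is flags
        flags = data[0] if data else 0
        pkt["flags"] = {"length_included": bool(flags & 0x80),
                        "more_fragments": bool(flags & 0x40),
                        "start": bool(flags & 0x20)}
    return pkt


def split_realm(user_name, delimiter="@"):
    """Model of rlm_realm with format = suffix (assumed: split on last delimiter)."""
    if delimiter not in user_name:
        return user_name, None
    stripped, realm = user_name.rsplit(delimiter, 1)
    return stripped, realm


def proxy_decision(user_name, proxied_realms, anonymous_pattern=r"^anonymous"):
    """Return Stripped-User-Name, Realm and where the request would go.

    proxied_realms is an assumed stand-in for the realms proxy.conf sends to a
    home server.  The anonymous_pattern check models the users-file entry from
    the reply above (User-Name =~ ^anonymous -> Proxy-To-Realm := LOCAL): an
    outer identity that only hides the real user is kept local, instead of being
    sent to a home server that can only reject it for lack of a password.
    """
    stripped, realm = split_realm(user_name)
    if re.match(anonymous_pattern, user_name):
        return {"stripped_user_name": stripped, "realm": realm, "proxy_to": "LOCAL"}
    if realm in proxied_realms:
        return {"stripped_user_name": stripped, "realm": realm, "proxy_to": realm}
    return {"stripped_user_name": stripped, "realm": realm, "proxy_to": "LOCAL"}


# Values copied from the logs on this page (constructed set, labelled by thread).
SAMPLES = {
    "ttls_identity": "0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672",
    "peap_identity": "0x0201000b01736972697332",
    "peap_nak": "0x020200060319",
    "tls_start": "0x010200060d20",
    "eap_success": "0x03040004",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, decode_eap_message(value))
    outer = decode_eap_message(SAMPLES["ttls_identity"])["identity"]
    print(proxy_decision(outer, ["enc.sorbonne.fr"]))
```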
eap_tls with cisco aironet 1100 and cisco 350 serie pcmcia
Has someone configured a Cisco Aironet 1100 (AP) and Cisco 350 series for eap_tls with FreeRADIUS? The configuration of the AP interests me. Thanks.
basile
ignoring request from unknown client 127.0.0.1
I use freeradius-snapshot-20040224 on a Red Hat 7.3. All seems to work fine, but when I use radtest the server tells me "Ignoring request from unknown client 127.0.0.1". I added the loopback in client and client.conf. I don't understand. Thanks.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = tls
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/etc/raddb/basile.pem
tls: certificate_file = /usr/local/etc/raddb/basile.pem
tls: CA_file = /usr/local/etc/raddb/root.pem
tls: private_key_password = whatever
tls: dh_file = /usr/local/etc/raddb/DH
tls: random_file = /usr/local/etc/raddb/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
unknown host 127.0.0.1
I reinstalled freeradius-snapshot-20040224 and used the default radiusd.conf. I just added 127.0.0.1 to client, and added a user, but when I use radtest I have the same error: Ignoring request from unknown client 127.0.0.1. Did I forget to do something? With the older version all works fine. basile
Re: unknown host 127.0.0.1
At 10:18 25/02/2004 -0500, you wrote:
> Basile Mathieu [EMAIL PROTECTED] wrote:
> > I reinstalled freeradius-snapshot-20040224 and used the default radiusd.conf.
> > I just added 127.0.0.1 to client
>
> It's included by default.
>
> > but when I use radtest I have the same error
> > Ignoring request from unknown client 127.0.0.1
> > Did I forget to do something?

Here is the log when I launch radiusd -X:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /usr/local/var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.

And there is something strange in the radtest output: the NAS-IP-Address is not 127.0.0.1 or localhost but the name of the machine on the internet. I don't change anything else in the default configuration.

> I don't think so. I'm using the CVS snapshot almost every day for testing, and I don't have this problem.
>
> Are you sure it's reading the clients file you're editing?
>
> Alan DeKok.
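A check for the question Alan asks at the end of this thread, added here as an example; it is not code from the page or from the FreeRADIUS project. The two debug logs above are not reading the same directory: the first includes /etc/raddb/clients.conf while prefix is /usr/local and the EAP-TLS files sit under /usr/local/etc/raddb, the second includes /usr/local/etc/raddb/clients.conf. Rather than guessing, take the `Config: including file:` lines from a saved `radiusd -X` run as the authority on which clients.conf the daemon read, compare it with the file being edited, and then look in that file for a loopback client block. The debug excerpt and the clients.conf texts below are constructed for the example (the `client 127.0.0.1 { secret = testing123 ... }` block is the shape of the shipped default); the paths are the poster's.

```shell
#!/bin/sh
# Added example (not from the page or the FreeRADIUS project): when radtest is
# answered with "Ignoring request from unknown client 127.0.0.1", confirm from
# the daemon's own `radiusd -X` output which clients.conf it included, then
# check that file for a loopback client. The parsers work on text, so they are
# exercised here on constructed samples; check_from_log() drives them for real.

set -eu

# Print every file radiusd reported including, one per line.
included_files() {          # $1 = saved radiusd -X output
    printf '%s\n' "$1" | sed -n 's/^Config: including file: //p'
}

# Print the clients.conf path radiusd read (empty if it included none).
clients_file_read() {       # $1 = saved radiusd -X output
    included_files "$1" | grep '/clients\.conf$' || true
}

# Exit 0 if a clients.conf text has a client block for the loopback address:
# `client 127.0.0.1 {`, `client localhost {`, or a block with `ipaddr = 127.0.0.1`.
has_loopback_client() {     # $1 = clients.conf contents
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /^[ \t]*client[ \t]+(127\.0\.0\.1|localhost)[ \t]*[{]/ { found = 1 }
        /^[ \t]*ipaddr[ \t]*=[ \t]*127\.0\.0\.1([ \t]|$)/   { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print the name of every client whose shared secret is still the shipped
# default "testing123": fine for a loopback radtest, not for a real NAS.
default_secret_clients() {  # $1 = clients.conf contents
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /^[ \t]*client[ \t]+[^ \t{]+/ { name = $2 }
        /^[ \t]*secret[ \t]*=[ \t]*testing123([ \t]|$)/ { print name }'
}

# Exit 0 only if radiusd read the file you edited and it defines the loopback client.
diagnose() {   # $1 = radiusd -X output, $2 = path you edited, $3 = that file's contents
    read_path=$(clients_file_read "$1")
    if [ -z "$read_path" ]; then
        echo "radiusd included no clients.conf at all"; return 1
    fi
    if [ "$read_path" != "$2" ]; then
        echo "radiusd reads $read_path, not $2: edit that one or fix the prefix"; return 1
    fi
    if ! has_loopback_client "$3"; then
        echo "$read_path has no client block for 127.0.0.1"; return 1
    fi
    echo "$read_path is the file radiusd reads and it defines the loopback client"
}

# Real run: save the daemon's output first (radiusd -X >/tmp/radiusd.log 2>&1).
check_from_log() {          # $1 = saved radiusd -X output file, $2 = clients.conf you edited
    diagnose "$(cat "$1")" "$2" "$(cat "$2")"
}

# Constructed samples (not the poster's files): a debug excerpt that includes
# the /usr/local copy, a clients.conf with the default loopback client, and
# one where that block is commented out.
SAMPLE_DEBUG='Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
main: prefix = /usr/local
read_config_files: reading clients
Ready to process requests.'
GOOD_CLIENTS='# clients.conf
client 127.0.0.1 {
    secret    = testing123
    shortname = localhost
    nastype   = other
}'
BAD_CLIENTS='#client 127.0.0.1 {
#    secret    = testing123
#    shortname = localhost
#}
client 192.0.2.10 {
    secret    = ap-secret
    shortname = ap1
}'

# Editing /etc/raddb while the daemon reads /usr/local/etc/raddb is reported first.
diagnose "$SAMPLE_DEBUG" /etc/raddb/clients.conf "$GOOD_CLIENTS" || true
diagnose "$SAMPLE_DEBUG" /usr/local/etc/raddb/clients.conf "$BAD_CLIENTS" || true
diagnose "$SAMPLE_DEBUG" /usr/local/etc/raddb/clients.conf "$GOOD_CLIENTS"
```

Two caveats that go with the check. FreeRADIUS matches a client by the UDP source address of the request, so the NAS-IP-Address attribute radtest puts in the packet (the poster's "name of the machine") has no bearing on the "unknown client" decision; a packet from the loopback interface needs a 127.0.0.1 client and nothing else. And `default_secret_clients` exists because the shipped loopback block carries the secret testing123: leave it for local radtest runs only, and give every real NAS its own secret.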
problem with eap_tls on freeradius-snapshot-200221028
I use this howto http://www.impossiblereflex.com/9021x/eap-tls-HOWTO.htm to authenticate wifi users. I got the versions given in this howto. I am on a Red Hat 7.3. I can launch FreeRADIUS, but when an AP tries to authenticate I have:

/usr/local/sbin/radiusd: relocation error: /usr/local/lib/rlm_eap_tls-0.8-pre.so: undefined symbol: SSL_set_msg_callback_arg

If someone can help me... I tried with freeradius 0.9.3 and 0.9.3-3, and I tried different versions of OpenSSL, but without any success. I'm going crazy :( basile
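A way to pin this error down, added here as an example and not code from the page or from the FreeRADIUS project. A "relocation error ... undefined symbol" from a module loaded with dlopen() means the module was built against one OpenSSL but, at run time, the dynamic linker resolved libssl to a build that does not export that symbol; SSL_set_msg_callback_arg first appears in OpenSSL 0.9.7, while Red Hat 7.3 ships 0.9.6b, so swapping OpenSSL versions without rebuilding the module, or rebuilding against headers in one place while ld.so loads a library from another, reproduces exactly the message above. The script parses `ldd` and `nm -D` output to name the libssl the module actually resolves to and the SSL_ symbols it needs that that library lacks. The ldd and nm texts below are constructed for the example; `check_module` runs the real tools on a path you give it.

```shell
#!/bin/sh
# Added example (not from the page or the FreeRADIUS project): find out which
# libssl a module such as rlm_eap_tls resolves to at run time and whether that
# library exports every SSL_ symbol the module needs. The parsers work on
# `ldd` and `nm -D` text, so they are exercised below on constructed samples;
# check_module() runs the real tools on a module path you pass it.

set -eu

# From `ldd MODULE` output, print the path libssl resolves to (empty if none).
libssl_from_ldd() {          # $1 = ldd output
    printf '%s\n' "$1" | awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# Print the undefined SSL_* symbols of a module from its `nm -D` output.
undefined_ssl_symbols() {    # $1 = nm -D output of the module
    printf '%s\n' "$1" | awk '$1 == "U" && $2 ~ /^SSL_/ { print $2 }'
}

# Exit 0 if SYMBOL is defined (any type but U) in a library's `nm -D` output.
# Version suffixes such as NAME@@OPENSSL_1_1_0 are stripped before comparing.
symbol_defined() {           # $1 = nm -D output of the library, $2 = symbol
    printf '%s\n' "$1" | awk -v sym="$2" '
        NF >= 3 && $2 != "U" { n = $3; sub(/@.*/, "", n); if (n == sym) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print the SSL_* symbols the module needs that the library does not export.
missing_ssl_symbols() {      # $1 = nm -D of the module, $2 = nm -D of libssl
    for sym in $(undefined_ssl_symbols "$1"); do
        symbol_defined "$2" "$sym" || echo "$sym"
    done
}

# Real check. Usage: check_module /usr/local/lib/rlm_eap_tls-0.8-pre.so
# (ldd can run the loader on the file: point it only at a binary you trust.)
check_module() {
    mod=$1
    lib=$(libssl_from_ldd "$(ldd "$mod")")
    if [ -z "$lib" ]; then
        echo "$mod: no libssl.so dependency recorded" >&2; return 2
    fi
    echo "$mod resolves libssl to $lib"
    missing=$(missing_ssl_symbols "$(nm -D "$mod")" "$(nm -D "$lib")")
    if [ -n "$missing" ]; then
        echo "not exported by $lib:"; echo "$missing"; return 1
    fi
    echo "every SSL_ symbol $mod needs is exported by $lib"
}

# Constructed samples (not captured from the poster's machine): a module that
# needs SSL_set_msg_callback_arg, loaded against a libssl that lacks it.
SAMPLE_LDD='    libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40020000)
    libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40050000)
    libc.so.6 => /lib/libc.so.6 (0x40100000)'
SAMPLE_NM_MODULE='         U SSL_CTX_new
         U SSL_set_msg_callback_arg
0000123c T rlm_eap_tls_init'
SAMPLE_NM_LIB='00012340 T SSL_CTX_new
00012400 T SSL_new
00012500 T SSL_free'

echo "libssl resolved to: $(libssl_from_ldd "$SAMPLE_LDD")"
echo "missing from it: $(missing_ssl_symbols "$SAMPLE_NM_MODULE" "$SAMPLE_NM_LIB")"
```

When the report names a symbol, the fix is not another OpenSSL download but consistency: the library `ldd` resolves must be the same build whose headers the module was compiled against, so either point the build at the installed 0.9.6 or install 0.9.7 where ld.so (ld.so.conf, or an rpath in the module) will find it, then rebuild rlm_eap_tls.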