Re: EAP-PEAP - MSCHAPV2 option not working

2010-03-26 Thread inverse
On Fri, Mar 26, 2010 at 12:54 PM, Alan Buxey  wrote:


> only if you break or play with the config. you shouldn't need to proxy the
> inner-tunnel mschapv2 anywhere - the default server doesn't so you've edited
> the default config.

Which is what I did. Thanks for pointing that out.

I'll begin again from an out-of-the-box config.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-PEAP - MSCHAPV2 option not working

2010-03-26 Thread inverse
On Fri, Mar 26, 2010 at 1:50 AM, dev nath  wrote:
> Hi,
>
> I am trying to authenticate my xsupplicant with freeradius using PEAP option, 
> but seems to fail with the below error message. Complete debug message is 
> attached to the email.

> I have tried following in my users file
>
> David User-Password=="freeradius"

you left behind the third option, the only one working:
David User-Password :="freeradius"


On a side note, in freeradius 2.1.8 I'm having a *hard* time porting a
perfectly working pre-2.x.x peap-mschapv2 server to the new freeradius
concept.

The tls negotiation works but when it comes to mschapv2:
Failed to create a new socket for proxying requests.
ERROR: Failed to create a new socket for proxying requests.
ERROR: Failed inserting request into proxy hash.

This server is working on the arbitrary ports 1818 and 1819 for authz
+ auth and acct.
There is another server on the same machine working on the standard ports.

What's the usual meaning of these messages?
If I know where to look I might solve it without bothering anyone with
the complete debug output.
I already googled my way through the ML archives for these error
messages, without much success.

In pre-2.x.x versions of freeradius peap-mschapv2 is handled cleanly
and linearly, is there really the need to proxy the inner mschapv2
auth?
Am I doing something wrong? Most probably yes. Am I doing something
silly? Most probably yes.


bye
inverse


Re: proxed EAP and eduroam project

2008-02-19 Thread inverse
On Feb 18, 2008 12:32 PM,  <[EMAIL PROTECTED]> wrote:
> Hi,
>

> cleartext?  not really.  the proxied traffic will be at least

This regards EAP-TLS:
I meant that at least the username is shown, and you can get
additional information reading the attribute values.
Other than that, everything else seems useless but I just say the
conversation is not completely encapsulated if that's what you mean.
Anyways I'm not worried.

> encapsulated via a shared secret between each RADIUS end point.

snip

> would give greater security.  however, EAP-TLS is the defacto
> top-level way of doing it. platinum service, as it were - but
> you've got to have a full PKI infrastructure for creation,
> deployment and revocation.

We have our PKI, we routinely revoke certificates and distribute the
crl. This happens not without our share of anality, taken care of by
scripts (written with my blood, over human skin) that restart radiusd
and check that everything is still working fine, including the event
of an expired/invalid crl or an out of service PKI.

So, if there is any configuration option to encapsulate the full UDP
payload without revealing anything, I'm more than glad to hear
something about it because I must admit ignorance regarding this
particular matter.
If there isn't one, never mind, just means I misunderstood.

> looking to the future, RADSEC will be involved in 'beefing up'
> the RADIUS to RADIUS communication channel. as well as the
> automatic assignment/discovery of AAA end point systems.

seems interesting

bye!
Inverse


-- 
"In a sea of glass shards, I hear you screaming"
--icchan


Re: proxed EAP and eduroam project

2008-02-18 Thread inverse
On Feb 18, 2008 11:12 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
>   Yes.


thanks


proxed EAP and eduroam project

2008-02-18 Thread inverse
hi all,

rather than a problem, this is a question.
I assume you know what eduroam is, but just in case:
What is eduroam

eduroam, which stands for Education Roaming, is a RADIUS-based
infrastructure that uses 802.1X security technology to allow for
inter-institutional roaming. Substitute 'institutional' with
'university' and you get the picture.
So basically this is a hierarchy of radius servers at European level.

Implementing it from my side (that of a university) has been rather trivial.
What happens is that the EAP conversation travels in cleartext across
the public internet (really the inter-university networks).
I would assume that EAP-TLS is highly safe from this point of view, am I right?


Bye
Inverse


-- 
"In a sea of glass shards, I hear you screaming"
--icchan


Re: Problem with accounting

2008-01-14 Thread inverse
On Jan 14, 2008 9:15 AM, Marinko Tarlac <[EMAIL PROTECTED]> wrote:
> Hi
>
> We have FreeRadius 1.1.4 and Mikrotik (as a NAS) with MySql as a database.
> Accounting works fine for all users except for one user. Authentication
> works fine and NAS sends updates as I specify for all users and I can't find
> any reason why it doesn't work for specific username.
>
> In debugging mode (radiusd -X and radiusd -x) I can see updates but MySql is
> empty...
>

Hi,
I suggest you try first with the latest freeradius version available.
1.1.4 is not recent and there have been many bugfixes since that.


-- 
"In a sea of glass shards, I hear you screaming"
--icchan


Re: Limit users traffic quota via radius

2007-09-18 Thread inverse
On 9/18/07, Massimiliano Macrì <[EMAIL PROTECTED]> wrote:


> I'm trying to close the connection of a pre-paid mobile user, after he
> reached a limited amount of traffic (ie. 100 megabytes), the network
> device is a Cisco router.
> I've found many ways to rate-limit the traffic bandwidth but not one to do
> this.
> Is radius the correct way to achieve this goal? Is it all about VSAs?

Radius isn't supposed to terminate anything on its own; it just takes
note of a user's session history and validates logins.
What you should do is to find some way of telling Cisco that a
particular session is to be disconnected when a certain limit is
reached. If your Cisco can output real time stats AND can accept
external disconnection commands, then it might be possible to
implement what you want.
But honestly this process should be implemented completely inside the
Cisco, and then, when a disconnect triggers, your Cisco should tell
Radius about it. The opposite isn't bound to happen.



Re: Denying user from authentication

2007-09-18 Thread inverse
and make sure to use check_crl = yes in eap.conf

On 9/18/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Revoke the certificate.


Re: not getting authentication in 1.1.0

2007-09-14 Thread inverse
most probably, radiusd.conf and the users file are no longer compatible.
You must rebuild them manually.

The error is probably in the users file:
auth: type ""
 ERROR: Unknown value specified for Auth-Type.  Cannot perform requested

Also look at eap.conf, tls section.



On 9/14/07, mallika <[EMAIL PROTECTED]> wrote:
>
> As you said, I compiled my code in 1.1.0 because for intermediate CA
> authentication the 1.0.x series won't work, but in 1.1.0 after compilation the
> user is not getting authenticated. I am sending logs. The authentication type is
> not getting set. Please, can you help with what things I should change in 1.1.0?
>
>
>
> radius_xlat:  '(cn=default)'
> radius_xlat:  'ou=users,dc=example,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=users,dc=example,dc=com, with filter
> (cn=default)
> rlm_ldap: performing search in cn=default, ou=profiles,dc=example,dc=com,
> with filter (objectclass=radiusprofile)
> rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id,
> value 1 & op=11
> rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 &
> op=11
> rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value 13 & op=11
> rlm_ldap: Adding radiusSessionTimeout as Session-Timeout, value 1800 & op=11
> rlm_ldap: Adding radiusClass as Class, value default & op=11
> rlm_ldap: Added password default in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding ntPassword as NT-Password, value
> 7D891AB402CAF2E89CCDD33ED54333AC & op=21
> rlm_ldap: Adding lmPassword as LM-Password, value
> 29D5C31BFF3D8D25AAD3B435B51404EE & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user default authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> *** AGENT Modifications*
>   modcall[authorize]: module "localhost" returns ok for request 1
> modcall: leaving group authorize (returns ok) for request 1
>   rad_check_password:  Found Auth-Type EAP
> auth: type ""
>   ERROR: Unknown value specified for Auth-Type.  Cannot perform requested
> action.
> rad_check_password() Returns: -1
> auth: Failed to validate the user.
> xmlMessage: User default Failed Authentication
> Login incorrect: [default/] (from client rad
> port 0 cli 00-0F-76-00-87-D6)
> Delaying request 1 for 1 seconds
> Finished request 1
> Going to the next request
>


-- 
"In a sea of glass shards, I hear you screaming"
--icchan


Re: intermediate CA authentication failing

2007-09-13 Thread inverse
On 9/13/07, mallika <[EMAIL PROTECTED]> wrote:
>
> Thank you very much for your reply. Which freeradius server version will
> support this facility? Because we are implementing it in our product. We are
> using CentOS, kernel 2.4.20. Are there any patches available to upgrade
> freeradius? Please help me.

Mallika,

I don't know if your product is going to use an embedded linux version
with some weird hardware.. if that's not the case and you are using an
unpatched kernel, you are running toward a shipload of problems. I'd
suggest using a recent kernel, with all its bugs fixed.
As for freeradius, you should download and compile the latest stable
version (and upgrade the needed libraries as well) with its security
fixes rather than looking for a patch which is unlikely to work and
even to exist at all.
Latest stable version is 1.1.7.


Re: access reject packet

2007-09-03 Thread inverse
hi

> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=194, length=20
>


you should also post the output of radiusd -X, the relevant contents
of radiusd.conf, clients.conf, huntgroups and the users file.

without these, it's very difficult to tell anything


Re: Wrong behaviour of rlm_ldap module + users file

2007-07-30 Thread inverse
On 7/27/07, Phil Mayers <[EMAIL PROTECTED]> wrote:

> DEFAULT
> Ldap-UserDn = `cn=%{User-Name},ou=whatever,...`
>
> Note that the DN need not be "real"

Hi Phil,

lol, I browsed the source too and I was gonna recompile it to exclude
the hardcoded uid search.
Clearly that would have been useless.
Thanks for the suggestion.
The line above, modified to match the needed suffix and DN did the trick.
I also found there was no need to tweak the radiusd.conf file and move
ldap to the instantiate section. That's good news.

-- 
"In a sea of glass shards, I hear you screaming"
--icchan


Re: Wrong behaviour of rlm_ldap module + users file

2007-07-27 Thread inverse
Hi,

I tried the suggestion and it didn't work, here are the involved
radiusd.conf sections.
You will also notice mschap and similars, that's because we also have
dialup users who need an ldap lookup for their belonging to a dialup
group and the password. I also need to check if chap still works with
this configuration...

instantiate {
exec
ldap
files
expr

}

authorize {

preprocess
auth_log
chap
mschap
suffix
eap
files
pap

}

authenticate {

Auth-Type PAP {
pap
}


Auth-Type CHAP {
chap
}

Auth-Type MS-CHAP {
mschap
}
eap

}

And this is the users file line:

[EMAIL PROTECTED] Cleartext-Password := "a", Ldap-Group == "wifi"

I also used this one:

[EMAIL PROTECTED] Ldap-Group == "wifi"

with EAP-TLS.

No way. Both first perform a user-existence check in the ldap_groupcmp() call.
Meaning these both work if user exists in the LDAP tree.
In the meanwhile I'm looking at the source code for this call... it
sounds like this search is hardcoded somewhere. Forgive my suckage.
T_T

Bye,
Inverse


On 7/26/07, inverse <[EMAIL PROTECTED]> wrote:
> > >
> > > users file line:
> > > [EMAIL PROTECTED] Auth-Type := EAP, User-Password == "a",  Ldap-Group == 
> > > "wifi"
> >
> > Totally wrong. You want:
> >
> > [EMAIL PROTECTED] Cleartext-Password := "a", Ldap-Group == "wifi"
> >
>
> Thanks, I owe you one
>
>
> Bye,
> Inverse.
>


-- 
"In a sea of glass shards, I hear you screaming"
--icchan


Re: Wrong behaviour of rlm_ldap module + users file

2007-07-26 Thread inverse
> >
> > users file line:
> > [EMAIL PROTECTED] Auth-Type := EAP, User-Password == "a",  Ldap-Group == 
> > "wifi"
>
> Totally wrong. You want:
>
> [EMAIL PROTECTED] Cleartext-Password := "a", Ldap-Group == "wifi"
>

Thanks, I owe you one


Bye,
Inverse.


Wrong behaviour of rlm_ldap module + users file

2007-07-26 Thread inverse
Hi,

this problem is simple (everything not shown here is v1.1.6
out-of-the-box radiusd configuration):

users file line:
[EMAIL PROTECTED] Auth-Type := EAP, User-Password == "a",  Ldap-Group == "wifi"

this is a test line, [EMAIL PROTECTED] uses EAP-MD5, but I want to
check if he's in the Ldap-Group named 'wifi'.

radiusd.conf lines, ldap section:

filter ="(uid=%{User-Name})"
edir_account_policy_check=no
password_attribute = userPassword
groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"

This is where I actually suck. I think this is correct, but it won't
work as expected because:


rad_recv: Access-Request packet from host 149.132.5.108:35285, id=0, length=160
User-Name = "[EMAIL PROTECTED]"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x021f0170616f6c6f2e676169617264656c6c6940756e696d69622e6974
Message-Authenticator = 0x14b3675352d738629cc1bb21695f3122
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/127.0.0.1/auth-detail-20070726'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20070726
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "test.com" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "test.com"
rlm_realm: Proxying request from user john.doe to realm test.com
rlm_realm: Adding Realm = "test.com"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 31
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=test,dc=com
radius_xlat:  '([EMAIL PROTECTED])'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.test.com:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/crl/root.pem
rlm_ldap: bind as cn=ldapreader,ou=servizi,dc=test,dc=com/blargh to
ldap.test.com:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=test,dc=com, with filter
([EMAIL PROTECTED])
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(objectClass=GroupOfNames)([EMAIL PROTECTED]))'

This is where the problem arises. I don't want to check if
[EMAIL PROTECTED] exists.
rlm_ldap wants to, but that's not what I told him to do. I never told
rlm_ldap to verify if [EMAIL PROTECTED] is an LDAP user. Now he is,
but only because I created him.


rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=test,dc=com, with filter
(&(cn=wifi)(&(objectClass=GroupOfNames)([EMAIL PROTECTED])))
rlm_ldap::ldap_groupcmp: User found in group wifi

and THIS is what I want rlm_ldap to do.
I want to check this and only this, since [EMAIL PROTECTED] is a
member of wifi and doesn't exist anywhere else in the LDAP tree. He
isn't a user. He's just an object in group wifi.
That's what happens in my production environment. john.doe's login
fails because the first useless search fails.
I know I'm doing something horribly wrong, and I can't find out what's
my major malfunction.
Help!

rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry [EMAIL PROTECTED] at line 32


Bye,
Inverse.
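The three check-item mistakes corrected in the threads above (User-Password == where Cleartext-Password := is needed, a forced Auth-Type := EAP, and an Ldap-Group check with no Ldap-UserDn to skip rlm_ldap's own user search) can be caught before radiusd is even restarted. This is an added example for this archive page, not code from the list or from FreeRADIUS: a small linter for the users file; the entry names and DNs in its sample are constructed.

```python
"""Lint a FreeRADIUS 1.x/2.x 'users' file for the check-item mistakes
corrected in the threads above.  Added example for this archive page; it
is not FreeRADIUS code, and the sample entries at the bottom are constructed."""
import re

# "Attribute op value": value is double-quoted, backtick-quoted or a bare token.
ITEM_RE = re.compile(
    r'^([\w-]+)\s*(:=|==|\+=|!=|=)\s*("(?:[^"\\]|\\.)*"|`[^`]*`|\S+)$')


def split_items(text):
    """Split a comma-separated item list, ignoring commas inside quotes."""
    items, cur, quote = [], [], None
    for ch in text:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in '"`':
            quote = ch
            cur.append(ch)
        elif ch == ',':
            items.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    return items + [tail] if tail else items


def parse_entries(text):
    """Return (line number, entry name, [(attribute, op, value), ...]) per entry.
    An entry starts in column 0; indented lines carry reply items (not inspected)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                      # blank line or comment
        if raw[0].isspace():
            continue                      # reply-item continuation line
        parts = raw.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        checks = []
        for item in split_items(rest):
            m = ITEM_RE.match(item)
            if not m:
                raise ValueError(f'line {lineno}: cannot parse check item {item!r}')
            checks.append((m.group(1), m.group(2), m.group(3)))
        entries.append((lineno, name, checks))
    return entries


def lint_users(text):
    """Return one finding per problem, in file order."""
    findings = []
    userdn_seen = False  # has any entry so far set Ldap-UserDn?
    for lineno, name, checks in parse_entries(text):
        where = f'line {lineno}: {name}:'
        for attr, op, value in checks:
            if attr == 'User-Password' and op == '==':
                # '==' matches only if the request itself carries the attribute;
                # an EAP Access-Request has none, so the entry is never matched.
                findings.append(f'{where} User-Password == {value} never matches '
                                f'an EAP request; use Cleartext-Password := {value}')
            elif attr == 'Auth-Type' and op == ':=' and value.upper() == 'EAP':
                # The eap module sets Auth-Type itself while authorizing.
                findings.append(f'{where} do not force Auth-Type := EAP; '
                                'let the eap module set it')
            elif attr == 'Ldap-UserDn':
                userdn_seen = True
        if any(a == 'Ldap-Group' for a, _, _ in checks) and not userdn_seen:
            # Without Ldap-UserDn, ldap_groupcmp() first searches for the user
            # with the module's filter, which fails for non-user group members.
            findings.append(f'{where} Ldap-Group check without Ldap-UserDn; '
                            'rlm_ldap will search for the user first')
    return findings


# Constructed sample: the entries reproduce the mistakes corrected above.
SAMPLE_USERS = """\
# test entries (constructed)
David\tUser-Password == "freeradius"

john.doe@test.com\tAuth-Type := EAP, User-Password == "a", Ldap-Group == "wifi"
\tReply-Message = "hello"

DEFAULT\tLdap-UserDn = `cn=%{User-Name},ou=people,dc=test,dc=com`
\tFall-Through = Yes

jane.doe@test.com\tCleartext-Password := "a", Ldap-Group == "wifi"
"""

if __name__ == '__main__':
    for finding in lint_users(SAMPLE_USERS):
        print(finding)
```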


Re: How to capture wireless EAP packets on Windows XP?

2007-07-25 Thread inverse
On 7/25/07, Josh Howlett <[EMAIL PROTECTED]> wrote:
> I usually find it simplest to use tcpdump on the RADIUS server, although
> I've used Wireshark in the past on Windows supplicants.

then there's the NDIS interface problem. Most windows drivers have
problems capturing in promiscuous mode and none will support monitor mode.
So if it hasn't been tried yet, I suggest trying a capture with
promiscuous mode disabled on the supplicant side, if you want to
compare it against the radiusd side.


ldap group membership

2007-07-16 Thread inverse
handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): starting 5
rlm_sql (sql): Attempting to connect rlm_sql_mysql #5
rlm_sql_mysql: Starting connect to MySQL server for #5
rlm_sql (sql): Connected new DB handle, #5
rlm_sql (sql): starting 6
rlm_sql (sql): Attempting to connect rlm_sql_mysql #6
rlm_sql_mysql: Starting connect to MySQL server for #6
rlm_sql (sql): Connected new DB handle, #6
rlm_sql (sql): starting 7
rlm_sql (sql): Attempting to connect rlm_sql_mysql #7
rlm_sql_mysql: Starting connect to MySQL server for #7
rlm_sql (sql): Connected new DB handle, #7
rlm_sql (sql): starting 8
rlm_sql (sql): Attempting to connect rlm_sql_mysql #8
rlm_sql_mysql: Starting connect to MySQL server for #8
rlm_sql (sql): Connected new DB handle, #8
rlm_sql (sql): starting 9
rlm_sql (sql): Attempting to connect rlm_sql_mysql #9
rlm_sql_mysql: Starting connect to MySQL server for #9
rlm_sql (sql): Connected new DB handle, #9
rlm_sql (sql): starting 10
rlm_sql (sql): Attempting to connect rlm_sql_mysql #10
rlm_sql_mysql: Starting connect to MySQL server for #10
rlm_sql (sql): Connected new DB handle, #10
rlm_sql (sql): starting 11
rlm_sql (sql): Attempting to connect rlm_sql_mysql #11
rlm_sql_mysql: Starting connect to MySQL server for #11
rlm_sql (sql): Connected new DB handle, #11
rlm_sql (sql): starting 12
rlm_sql (sql): Attempting to connect rlm_sql_mysql #12
rlm_sql_mysql: Starting connect to MySQL server for #12
rlm_sql (sql): Connected new DB handle, #12
rlm_sql (sql): starting 13
rlm_sql (sql): Attempting to connect rlm_sql_mysql #13
rlm_sql_mysql: Starting connect to MySQL server for #13
rlm_sql (sql): Connected new DB handle, #13
rlm_sql (sql): starting 14
rlm_sql (sql): Attempting to connect rlm_sql_mysql #14
rlm_sql_mysql: Starting connect to MySQL server for #14
rlm_sql (sql): Connected new DB handle, #14
rlm_sql (sql): starting 15
rlm_sql (sql): Attempting to connect rlm_sql_mysql #15
rlm_sql_mysql: Starting connect to MySQL server for #15
rlm_sql (sql): Connected new DB handle, #15
rlm_sql (sql): starting 16
rlm_sql (sql): Attempting to connect rlm_sql_mysql #16
rlm_sql_mysql: Starting connect to MySQL server for #16
rlm_sql (sql): Connected new DB handle, #16
rlm_sql (sql): starting 17
rlm_sql (sql): Attempting to connect rlm_sql_mysql #17
rlm_sql_mysql: Starting connect to MySQL server for #17
rlm_sql (sql): Connected new DB handle, #17
rlm_sql (sql): starting 18
rlm_sql (sql): Attempting to connect rlm_sql_mysql #18
rlm_sql_mysql: Starting connect to MySQL server for #18
rlm_sql (sql): Connected new DB handle, #18
rlm_sql (sql): starting 19
rlm_sql (sql): Attempting to connect rlm_sql_mysql #19
rlm_sql_mysql: Starting connect to MySQL server for #19
rlm_sql (sql): Connected new DB handle, #19
Module: Instantiated sql (sql)
 detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host :32802, id=0, length=160
User-Name = "[EMAIL PROTECTED]"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0
Message-Authenticator = 0x**
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/**/auth-detail-20070716'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/**/auth-detail-20070716
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm ".it" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm ".it"
rlm_realm: Proxying request from user testuser to realm **.it
rlm_realm: Adding Realm = "***.it"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 31
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 122
users: Matched entry DEFAULT at line 159
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  Found Autz-Type LDAP
  Processing the authorize section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat:  '([EMAIL PROTECTED])'
radius_xlat:  'dc=*,dc=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.**.it:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/crl/root.pem
rlm_ldap: bind as cn=,ou=servizi,dc=**,dc=it/***
to ldap.**.it:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=**,dc=it, with filter
([EMAIL PROTECTED])
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 0
modcall: leaving group LDAP (returns notfound) for request 0
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to * port 32802
Reply-Message = "Access Denied"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 469b4247
Nothing to do.  Sleeping until we see a request.



PS
Thanks in advance for your help

Bye,
Inverse


Re: SIGHUP working?

2007-07-06 Thread inverse
On 7/6/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Roy Walker wrote:
>   I've spent a fair amount of time looking into proper HUP handling. It
> turns out *no one* does it well.  Almost all daemons simply restart.
>
>   Alan DeKok.

talking again about it..
as you already know,  my problem is CRL reloading.
Is it too bad if I modify the rlm_eap_tls code to reload the CRL/CA
cert when needed (i.e. when there's an EAP-TLS auth going on)?
I'm willing to give it at least a try with ver 1.1.6, which I'm currently using.

-- 
"In a sea of glass shards, I hear you screaming"
--icchan


Re: load balancing problem

2007-06-29 Thread inverse
Alan wrote:

>   NFS mounted?  Don't.  If NFS goes away, any application using those
> directories will lock, and be unkillable.

it's part of a Red Hat cluster, and it's managed by that software
suite. If a machine dies a transparent switch occurs.
If it fails I'll get angry with Red Hat; so far it hasn't happened
(and I didn't bother finding out if it's nfs-based or something else).
This feature is not critical, ok. I can live without it. It just
works, and simplifies analysis a lot.
I've got other reasons to be angry with Red Hat, but this is not the case.

Personally I like sshfs much more than nfs, but it's prone to similar
problems as those above.
So I won't use it.


bye,
inverse


Re: load balancing problem

2007-06-29 Thread inverse
On 6/29/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > Accounting start on the first back-end server and the accounting stop
> > on the second backend server.
> > is this a bug or a problem of configuration ?
>
>   It's the way load balancing works.  It's documented as working this
> way.  Requests get randomly load balanced between different home servers.

in my setup, log dirs live in a shared filesystem; as for accounting,
the SQL server is one.


Re: Wired Ethernet EAP-TLS

2007-06-27 Thread inverse
On 6/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> thing you would need to do there is to add the switch into clients.conf.

and set a secret, and set that secret in the switch too.


Then he might post a tcpdump capture of the conversation, with the
options -vv -s 65535 -X, for one.


Re: 1.0.0 -> 1.1.6 DB Schema conversion

2007-06-15 Thread inverse
On 6/15/07, Francesco Cristofori <[EMAIL PROTECTED]> wrote:

> I'm going to upgrade freeradius from v.1.0.0 to v.1.1.6 and I noticed that 
> the database structure has changed.
> Are there any tools to quickly migrate the db?
>
having noticed a few changes myself, I just edited the sql.conf files to
fit my needs without modifying the database structure.
To be honest my sql queries were already heavily modified to perform
additional tasks, like tracking wireless users who modify their framed
IP address or checking some other data coming from the NAS, so that
wasn't a problem for me.


Re: error while executing the command radiusd -X

2007-06-12 Thread inverse
On 6/12/07, Mahalakshmi Vijayakumar <[EMAIL PROTECTED]> wrote:
>  Hi,
> I downloaded freeradius-1.0.2 and installed it. When I give the cmd
> radiusd -X, I get the following,


this version is incredibly old; you should download and compile version 1.1.6.


Re: 1.1.4 slow to respond

2007-06-12 Thread inverse
On 6/12/07, Andrew Long <[EMAIL PROTECTED]> wrote:
>
> I am getting slow response time from the server for authentication requests 
> (chap/mschap) that eventually fail (users submitting wrong password). The 
> problem is that the NAS is sending about 3 requests before getting a 
> response. By the time the deny arrives, it is out of order and the NAS logs 
> an unexpected packet (though it correctly denies the user). I am wondering if 
> disabling all authentication/authorization methods except chap/mschap would 
> solve this by speeding the response time. The server is not the speediest 
> machine...

I suggest you should upgrade to version 1.1.6.
Also, try running the radiusd process with the -X option and post the
output here.

Other than that, are you checking the users against an sql or ldap
server? If ldap, is the uid indexed?


Re: HUP stops radiusd

2007-05-14 Thread inverse
> In our case, using freeradius 1.1.6, if I HUP the radiusd process it
> crashes/stops. Running 'radiusd -X', the tail part shows:

> Mon May 14 13:38:54 2007 : Error: rlm_eap_tls: Error reading certificate
> file

on HUP the radiusd process probably tries to switch to a non-root
user. That might be the source of your message.

I think, however, this isn't the true reason for the reliable
segfaults I'm observing on or right after HUP. BTW, I'm using EAP-TLS.


Re: eap-tls authentication with free radius 1.1.5

2007-05-10 Thread inverse
On 5/10/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


anoop, please fix your quoting.

Configurations are not interchangeable between the snapshot tree,
1.1.5 and 1.1.6.


Re: Sig HUP?

2007-05-09 Thread inverse
> Can we use kill -HUP pid in the latest version or is it still not stable?

from my observations: it somehow works, but the next EAP-TLS
conversation causes a segfault. In short, no.

Read the recent threads; there are suggestions for alternatives.


Re: Stops working all of a sudden

2007-05-06 Thread inverse
On 5/5/07, Matt Neumark <[EMAIL PROTECTED]> wrote:

> I have a radius server and it works great for days upon days then all of a
> sudden it stops authenticating users…
>
>
>
> Sat May  5 00:17:07 2007 : Error: rlm_sql_mysql: Couldn't connect socket to
> MySQL server [EMAIL PROTECTED]:freeradius
>
> Sat May  5 00:17:07 2007 : Error: rlm_sql_mysql: Mysql error 'Lost
> connection to MySQL server during query'
>
> Sat May  5 00:17:07 2007 : Error: rlm_sql (sql): Failed to connect DB handle
> #1
>
> Sat May  5 00:17:07 2007 : Error: rlm_sql (sql): reconnect failed, database
> down?


sorry about the silly question, but... have you tried connecting to the
SQL server during one of the incidents? Did it work for you?



Re: Performance with Freeradius-1.1.4

2007-04-27 Thread inverse
> I am using freeradius-1.1.4 with PEAP-MSCHAPV2. Each session starting from
> Access-Request till Access-Accept it takes more than 250ms to complete. Is

are you doing it against an LDAP server?


Re: Huntgroups/preprocess issue 1.1.6

2007-04-24 Thread inverse
> The build goes without a hitch, but when running the new version and
> using the existing configuration files I get the following (relevant
> output from 'radiusd -X'):

the problem IMHO is in using the existing configuration: I had similar
issues until I ported mine to the new configuration files, half an
hour of work.


Re: server crashes with eap/tls after crl update

2007-04-20 Thread inverse
On 4/20/07, Fiederling, Daniel <[EMAIL PROTECTED]> wrote:

> Hello,
>
> this week I updated to freeradius 1.1.6. We use eap/tls with a crl from a
> Microsoft CA, which is downloaded and converted by a shell script every hour
> or has to be updated manually. If it changes, I have to reload the server
> config, right? Since the update the server crashes with a seg fault about a
> minute after the config reload - but only if the crl changed. For now I
> changed the reload (SIGHUP) to a complete restart as a work around. Before
> we used freeradius 1.1.4.

my test setup is: freeradius 1.1.6 compiled against openssl 0.9.8e.
The system is RedHat EL4 with the latest updates and kernel
2.6.9-22.ELsmp.
EAP-TLS is implemented and works fine, so does the CRL.
My problem is as follows: the HUP works but radiusd segfaults at the
first authentication after the HUP.
Now I'm in the process of performance and stability testing. If this
version shows the same outstanding level of performance shown by the
bleeding edge I'll keep it, otherwise I'll consider taking the risk of
CVS.


Re: FW: Login for any user

2007-04-17 Thread inverse
> Anybody got an idea on how the entry in the users-file has to look like

something like
DEFAULT Auth-Type := Eap, User-Password == "blah"

with default eap type set to md5.

I've yet to try it tho, may you report back if it works?


Re: Segmentation fault on sigHUP

2007-04-11 Thread inverse
> >   Maybe we can add features that prevent the need for the HUP, and then
> > remove support for HUP.  That would be best, I think.
>
> Do you have in mind a favorite technique for signaling daemons that
> the config files have changed?  HUP is a common way to do it, but I'm
> sure there are other ways.

hi,
I'm glad Milan Holub replied with a patch, thank you!

Going back to the subject, a useful feature would be a periodical
reload of certificate revocation lists and the users list. These two
lists are prone to changing frequently in production environments: a
production server usually has an otherwise stable configuration.

I think nobody is willing to experiment on radiusd.conf during peak
hours; on the other hand, he will be busy adding/removing users or
eventually certificate revocations if using EAP-TLS in the most
advanced way.

As for me, I was planning a CRL reload during off peak hours, so I
guess I'll stick with just a full nighttime restart.


freeradiusd segfaulting on HUP (check_crl enabled)

2007-04-10 Thread inverse
ain: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 65536
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "root"
 main: group = "root"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: debug_level = 2
 main: proxy_requests = no
 log: syslog_facility = "daemon"
 proxy server: retry_delay = 5
 proxy server: retry_count = 3
 proxy server: default_fallback = yes
 proxy server: dead_time = 120
 proxy server: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = yes
rlm_sql (sql): Closing sqlsocket 19
rlm_sql (sql): Closing sqlsocket 18
rlm_sql (sql): Closing sqlsocket 17
rlm_sql (sql): Closing sqlsocket 16
rlm_sql (sql): Closing sqlsocket 15
rlm_sql (sql): Closing sqlsocket 14
rlm_sql (sql): Closing sqlsocket 13
rlm_sql (sql): Closing sqlsocket 12
rlm_sql (sql): Closing sqlsocket 11
rlm_sql (sql): Closing sqlsocket 10
rlm_sql (sql): Closing sqlsocket 9
rlm_sql (sql): Closing sqlsocket 8
rlm_sql (sql): Closing sqlsocket 7
rlm_sql (sql): Closing sqlsocket 6
rlm_sql (sql): Closing sqlsocket 5
rlm_sql (sql): Closing sqlsocket 4
rlm_sql (sql): Closing sqlsocket 3
rlm_sql (sql): Closing sqlsocket 2
rlm_sql (sql): Closing sqlsocket 1
rlm_sql (sql): Closing sqlsocket 0
 main: port = 1812
 listen: type = "auth"
 listen: ipaddr = *
 listen: port = 0
 listen: type = "acct"
 listen: ipaddr = *
 listen: port = 0
 client 127.0.0.1: secret = "testing123"
 client 127.0.0.1: shortname = "localhost"
 client 127.0.0.1: nastype = "other"
***REMOVED REMAINDER OF CONFIGURED NAS / SECRETS***

[1]+  Segmentation fault  radiusd -X
[EMAIL PROTECTED] freeradius-server-snapshot-20070410]# radiusd -v
radiusd: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu,
built on Apr 10 2007 at 11:00:16
Copyright (C) 2000-2003 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.


Thanks in advance for your help/comments/insults for being Cpt. Obvious,

Inverse