Re: NAS IPs

2009-08-17 Thread lolo
On Monday 17 August 2009 16:48:35 Irina, you wrote:
 Hello,

 I need to allow a block of 8 IP addresses in 'nasname' column in NAS table.
  Can I use

   xx.xx.xx.112/29

 Thank you for your help in advance

 Kindest Regards,
 Irina
 ===

No!
/29 gives not 8 IPs but only 6

But it could be done with /28
As 192.168.1.112/28
gives:
Network:   192.168.1.112/28
HostMin:   192.168.1.113
HostMax:   192.168.1.126
Broadcast: 192.168.1.127

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_ldap and auto_header

2008-11-11 Thread lolo
On Tuesday 11 November 2008 20:48, Tim Palmer wrote:
 [pap] Found existing Auth-Type, not changing it.
 ++[pap] returns noop
 Found Auth-Type = PAP
 +- entering group PAP {...}
 [pap] login attempt with password testing
 [pap] Using clear text password {crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm.
 [pap] Passwords don't match

For me it makes no sense to have:
[pap] Using clear text password {crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm.

Is your clear text password {crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm. ?
No?

As Alan DeKok said:
Because you told it that the userPassword LDAP field was a clear-text
password.  The PAP module is *supposed* to do the auto-header thing
itself.  It can't, because you told it that the above text WAS the password.



Re: radiusd -x gives error Could not link driver rlm_sql_mysql: rlm_sql_mysql.so

2008-11-06 Thread lolo
On Thursday 6 November 2008 13:14, hsuan wrote:
 Hi all :

 I have installed mysql-libs(/usr/lib/mysql) and Package mysql-devel -
 5.0.45-7.el5.i386 is already installed by  yum install mysql-devel .

Install the libmysqlclient devel!
In Debian the name is: libmysqlclient15-dev

So with Fedora/RedHat, I don't know the name of the package!



Re: Hostapd-0.5.5 and freeradius-server-2.1.1

2008-10-30 Thread lolo
On Tuesday 28 October 2008 10:07, lolo wrote:
 Hi,
 Has anyone installed and configured accounting with hostapd and
 freeradius?

Stupid I am!  :/

Here is a part of hostapd.conf (wrong):
# auth server
auth_server_addr=10.1.1.254
auth_server_port=1812
auth_server_shared_secret=theerrorisnothere

# acct server
acct_server_addr=10.1.1.254
acct_server_port=1813
auth_server_shared_secret=theerrorisnothere
^^ but here !
acct_server_shared_secret=theerrorisnothere # works fine !

I had auth_server_shared_secret twice...

But really, many thanks to all!

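A check for the mistake described in this message, as an added example that is not part of the original post or of hostapd: it flags a repeated `auth_server_shared_secret` and a RADIUS server entry left without its own secret. It assumes that each `*_server_addr` line starts a new server entry and that the secret line following it belongs to that entry; the function name and the placeholder secret are made up for the illustration.

```python
import re

# Constructed sample: the faulty fragment from the post, secrets replaced by a placeholder.
SAMPLE_BAD = """\
# auth server
auth_server_addr=10.1.1.254
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER

# acct server
acct_server_addr=10.1.1.254
acct_server_port=1813
auth_server_shared_secret=PLACEHOLDER
"""

KEY = re.compile(r"(auth|acct)_server_(addr|shared_secret)")

def lint_radius_servers(text):
    """Return a list of findings about RADIUS server entries in hostapd.conf text."""
    findings = []
    current = {}     # kind -> line number of the latest <kind>_server_addr
    has_secret = {}  # (kind, addr line) -> whether a secret followed it
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        m = KEY.fullmatch(key)
        if not m:
            continue
        kind, field = m.groups()
        if field == "addr":            # a new server entry starts here
            current[kind] = no
            has_secret[(kind, no)] = False
        elif kind not in current:
            findings.append(f"line {no}: {key} appears before any {kind}_server_addr")
        elif has_secret[(kind, current[kind])]:
            findings.append(f"line {no}: duplicate {key} for the server at line {current[kind]}")
        else:
            has_secret[(kind, current[kind])] = True
    for (kind, addr_line), ok in has_secret.items():
        if not ok:
            findings.append(f"line {addr_line}: {kind}_server_addr has no {kind}_server_shared_secret")
    return findings

if __name__ == "__main__":
    for finding in lint_radius_servers(SAMPLE_BAD):
        print(finding)
```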


Re: Hostapd-0.5.5 and freeradius-server-2.1.1

2008-10-29 Thread lolo
On Wednesday 29 October 2008 08:38, Anders Holm wrote:
 We really didn't need to know what the secret *was*...
Really? :)
But it was just to show another word than secret, that was more generic but 
less true.
All secrets are the same!

- I had thought that the length of the secret was wrong. So I tried 8-9-10.16 
characters, always this message, and no data stored! :(

- I tried on another machine, freeradius+MySQL (PC1), and hostapd (PC2)... Same 
issue!


Re: Hostapd-0.5.5 and freeradius-server-2.1.1

2008-10-29 Thread lolo
On Wednesday 29 October 2008 10:54, [EMAIL PROTECTED] wrote:
 Try radtest from remote to the radius server. Does that have secret
 issues? If it doesn't hostapd is broken. If it does - OS (crypto
 libraries) on one of the PCs is broken.

Hi,

I have started a kubuntu Live CD to test.
$ radtest bea herscret 10.1.1.254 1812 verysecret
Sending Access-Request of id 115 to 10.1.1.254 port 1812
User-Name = bea
User-Password = herscret
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Accept packet from host 10.1.1.254:1812, id=115, length=86
NAS-Identifier = debian-nas
NAS-Port = 0
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 10.3.1.1
Framed-Routing = None
Framed-IP-Netmask = 255.255.255.0
Framed-IP-Address = 10.3.1.253
Framed-Protocol = PPP
Service-Type = Framed-User

And I tested:
echo User-Name=lolo,Password=secret,Framed-Protocol=PPP,Acct-Session-Id=48F7C09B-0021,Acct-Status-Type=Start,Calling-Station-Id=00-1A-70-AE-D4-53 | radclient 10.1.1.254:1813 acct verysecret

And in radiusd -X :
 [sql_log] Processing sql_log_accounting
[sql_log]   expand: %{User-Name} - lolo
[sql_log]   expand: %{%{User-Name}:-DEFAULT} - lolo
[sql_log] sql_set_user escaped user -- 'lolo'
[sql_log]   expand: INSERT INTO radacct (AcctSessionId, UserName,
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, 
AcctSessionTime, AcctTerminateCause) VALUES
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', 
'%{Framed-IP-Address}', '%S', '0', '0', ''); - 
INSERT INTO radacct (AcctSessionId, UserName,  NASIPAddress, 
FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, 
AcctTerminateCause) VALUES
('48F7C09B-0021', 'lolo', '10.1.1.254', '', '2008-10-29 
17:13:48', '0', '0', '');
[sql_log]   
expand: /usr/var/log/radius/radacct/sql-relay - 
/usr/var/log/radius/radacct/sql-relay
++[sql_log] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} - lolo
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 142 to 10.1.1.254 port 32920
Finished request 32.

All seems to work!
And in radacct there's an entry of it!

Could it be just a problem between hostap and radius?



Re: Hostapd-0.5.5 and freeradius-server-2.1.1

2008-10-29 Thread lolo
On Wednesday 29 October 2008 17:42, [EMAIL PROTECTED] wrote:
 Yes. hostapd radius client is broken. Or you have made a mistake in their
 configuration file. I had a look and they have separate secrets for auth
 and acct. Post these outputs, your failed accounting request (no point
 in posting EAP stuff - that works) and your configuration file to their
 list.

My English is so bad: "and your configuration file to their"
means that you want my hostapd.conf?
I suppose, yes! :)

So here is my hostapd.conf:
interface=ath0
ssid=Debian-AP
driver=madwifi
channel=9

logger_syslog=-1
logger_syslog_level=0
logger_stdout=--1
logger_stdout_level=0
debug=4

ctrl_interface_group=0

# How to handle MAC addresses (hardware address of the network cards)
# French bla bla

macaddr_acl=2

#auth_algs=2
ieee8021x=1

# NAS client
own_ip_addr=10.3.1.1
nas_identifier=private-network-1

# auth server
auth_server_addr=10.1.1.254
auth_server_port=1812
auth_server_shared_secret=verysecret

# acct server
acct_server_addr=10.1.1.254
acct_server_port=1813
auth_server_shared_secret=verysecret

#radius_retry_primary_interval=60
radius_acct_interim_interval=1800  # comment or not, change nothing
radius_retry_primary_interval=1800  # comment or not, change nothing

rsn_preauth=1  # comment or not, change nothing

# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
#wpa_group_rekey=300  # comment or not, change nothing
#wpa_gmk_rekey=6400  # comment or not, change nothing

...



Hostapd-0.5.5 and freeradius-server-2.1.1

2008-10-28 Thread lolo
Hi,

I am not a member of the list, because I never received any answer!???
So write to my email!

Has anyone installed and configured accounting with hostapd and 
freeradius?

I have some trouble understanding why my configuration doesn't save any data 
in table radacct?
I have some data in radpostauth : 
1   bea Access-Accept   2008-10-28 00:14:57
2   bea Access-Accept   2008-10-28 00:19:14
...

My configuration is based on LDAP with SQL to store data...

Here is my configuration:
- On the same machine I have OpenLDAP+Hostapd+Freeradius
- authenticating works!
- accounting request was sent: (wireshark shot)

No.  Time      Source      Destination  Protocol  Info
 10  4.520626  10.1.1.254  10.1.1.254   RADIUS    Accounting-Request(4) (id=242, l=194)

Frame 10 (238 bytes on wire, 238 bytes captured)
Linux cooked capture
Internet Protocol, Src: 10.1.1.254 (10.1.1.254), Dst: 10.1.1.254 (10.1.1.254)
User Datagram Protocol, Src Port: 33080 (33080), Dst Port: radius-acct (1813)
Source port: 33080 (33080)
Destination port: radius-acct (1813)
Length: 202
Checksum: 0x18d9 [incorrect, should be 0x7400]
Radius Protocol
Code: Accounting-Request (4)
Packet identifier: 0xf2 (242)
Length: 194
Authenticator: 3A902C44595C10807918F491B63CDA2B
Attribute Value Pairs
AVP: l=19  t=Acct-Session-Id(44): 48F7C09B-0021
AVP: l=6  t=Acct-Status-Type(40): Stop(2)
AVP: l=6  t=Acct-Authentic(45): RADIUS(1)
AVP: l=5  t=User-Name(1): bea
AVP: l=6  t=NAS-IP-Address(4): 10.3.1.1
AVP: l=8  t=NAS-Identifier(32): debian
AVP: l=6  t=NAS-Port(5): 0
AVP: l=29  t=Called-Station-Id(30): 00-18-4D-76-22-19:Debian-AP
AVP: l=19  t=Calling-Station-Id(31): 00-1A-70-AE-D4-53
AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=22  t=Connect-Info(77): CONNECT 0Mbps 802.11
AVP: l=6  t=Acct-Session-Time(46): 27
AVP: l=6  t=Acct-Input-Packets(47): 63
AVP: l=6  t=Acct-Output-Packets(48): 21
AVP: l=6  t=Acct-Input-Octets(42): 7256
AVP: l=6  t=Acct-Output-Octets(43): 3623
AVP: l=6  t=Event-Timestamp(55): Oct 17, 2008 05:23:47.0
AVP: l=6  t=Acct-Terminate-Cause(49): User-Request(1)

Here is where to find my whole configuration:
http://www.system-linux.net/config/freeradius-ldap-hostapd/configuration/

Many thanks

If my English is not perfect, it's because I'm not ! I am French ! ;)


Re: Hostapd-0.5.5 and freeradius-server-2.1.1

2008-10-28 Thread lolo
On Tuesday 28 October 2008 10:19, [EMAIL PROTECTED] wrote:
 Have you enabled sql in the accounting section? Can you post the
 freeradius debug (radiusd -X)? Accounting-Request should be coming
 straight after Access-Accept.

And a part of my hostapd debug :
RADIUS message: code=1 (Access-Request) identifier=13 length=205
   Attribute 1 (User-Name) length=5
  Value: 'bea'
   Attribute 4 (NAS-IP-Address) length=6
  Value: 10.3.1.1
   Attribute 32 (NAS-Identifier) length=19
  Value: 'private-network-1'
   Attribute 5 (NAS-Port) length=6
  Value: 0
   Attribute 30 (Called-Station-Id) length=29
  Value: '00-18-4D-76-22-19:Debian-AP'
   Attribute 31 (Calling-Station-Id) length=19
  Value: '00-1A-70-AE-D4-53'
   Attribute 12 (Framed-MTU) length=6
  Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
  Value: 19
   Attribute 77 (Connect-Info) length=22
  Value: 'CONNECT 0Mbps 802.11'
   Attribute 79 (EAP-Message) length=31
  Value: 02 0f 00 1d 19 00 17 03 01 00 12 f9 58 45 e9 d6 44 be bd cf 76 8f 
0e 15 39 6d 57 9d 58
   Attribute 24 (State) length=18
  Value: 2b 6f 35 1a 23 60 2c f5 d4 4f 03 71 be bd d5 61
   Attribute 80 (Message-Authenticator) length=18
  Value: 4e 6c 17 63 cb 4f 52 41 92 a0 25 8e 8b 93 ab 0e
IEEE 802.1X: 00:1a:70:ae:d4:53 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:1a:70:ae:d4:53 REAUTH_TIMER entering state INITIALIZE
RADIUS message: code=11 (Access-Challenge) identifier=13 length=96
   Attribute 79 (EAP-Message) length=40
  Value: 01 10 00 26 19 00 17 03 01 00 1b 09 9f db b8 c3 59 e2 08 0e af 65 
29 c7 5e 1f 37 57 d3 f9 4b 08 bd 5a 01 bb 08 9b
   Attribute 80 (Message-Authenticator) length=18
  Value: 55 9e 51 4e b2 1a b9 4f e1 80 9b c2 fd 58 78 a8
   Attribute 24 (State) length=18
  Value: 2b 6f 35 1a 22 7f 2c f5 d4 4f 03 71 be bd d5 61
RADIUS packet matching with station 00:1a:70:ae:d4:53
IEEE 802.1X: 00:1a:70:ae:d4:53 BE_AUTH entering state REQUEST
IEEE 802.1X: Sending EAP Packet to 00:1a:70:ae:d4:53 (identifier 16)
TX EAPOL - hexdump(len=56): 00 1a 70 ae d4 53 00 18 4d 76 22 19 88 8e 02 00 00 
26 01 10 00 26 19 00 17 03 01 00 1b 09 9f db b8 c3 59 e2 08 0e af 65 29 c7 5e 
1f 37 57 d3 f9 4b 08 bd 5a 01 bb 08 9b
IEEE 802.1X: 00:1a:70:ae:d4:53 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:1a:70:ae:d4:53 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 42 bytes from 00:1a:70:ae:d4:53
   IEEE 802.1X: version=1 type=0 length=38
   EAP: code=2 identifier=16 length=38 (response)
IEEE 802.1X: 00:1a:70:ae:d4:53 BE_AUTH entering state RESPONSE
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
RADIUS message: code=1 (Access-Request) identifier=14 length=214
   Attribute 1 (User-Name) length=5
  Value: 'bea'
   Attribute 4 (NAS-IP-Address) length=6
  Value: 10.3.1.1
   Attribute 32 (NAS-Identifier) length=19
  Value: 'private-network-1'
   Attribute 5 (NAS-Port) length=6
  Value: 0
   Attribute 30 (Called-Station-Id) length=29
  Value: '00-18-4D-76-22-19:Debian-AP'
   Attribute 31 (Calling-Station-Id) length=19
  Value: '00-1A-70-AE-D4-53'
   Attribute 12 (Framed-MTU) length=6
  Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
  Value: 19
   Attribute 77 (Connect-Info) length=22
  Value: 'CONNECT 0Mbps 802.11'
   Attribute 79 (EAP-Message) length=40
  Value: 02 10 00 26 19 00 17 03 01 00 1b 40 ca 97 50 69 d4 77 6f 15 57 b3 
ee f3 ec 63 2e dd 93 b0 f1 7b f5 14 81 3b 7f 0b
   Attribute 24 (State) length=18
  Value: 2b 6f 35 1a 22 7f 2c f5 d4 4f 03 71 be bd d5 61
   Attribute 80 (Message-Authenticator) length=18
  Value: 6d 79 43 5f 97 d1 ca c6 27 23 a3 60 11 a4 d1 7a
IEEE 802.1X: 00:1a:70:ae:d4:53 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:1a:70:ae:d4:53 REAUTH_TIMER entering state INITIALIZE
RADIUS message: code=2 (Access-Accept) identifier=14 length=165
   Attribute 26 (Vendor-Specific) length=58
  Value: 00 00 01 37 11 34 81 e4 83 fe 13 8f 20 ac 61 72 f7 4d cc 93 46 7a 
66 b5 ab 24 a8 47 a7 bf cf 0a 32 4a 70 03 88 d0 92 07 70 4e a0 8f cc d6 e2 7b 
1a 9f b5 39 ad 2a 7e a5
   Attribute 26 (Vendor-Specific) length=58
  Value: 00 00 01 37 10 34 8a fb be 0d b7 12 ba 6f ff 36 d3 e6 b6 cf 6e 94 
fb 85 99 41 66 62 bb b0 31 9e b9 ed 62 49 1a 21 bc 83 81 d1 c9 f9 05 d3 50 a6 
9e 37 01 39 23 40 1d 68
   Attribute 79 (EAP-Message) length=6
  Value: 03 10 00 04
   Attribute 80 (Message-Authenticator) length=18
  Value: f5 48 97 70 6f 18 70 8d 27 46 16 8c e9 99 80 95
   Attribute 1 (User-Name) length=5
  Value: 'bea'
RADIUS packet matching with station 00:1a:70:ae:d4:53
MS-MPPE-Send-Key - hexdump(len=32): [REMOVED]
MS-MPPE-Recv-Key - hexdump(len=32): [REMOVED]
RSN: added PMKSA cache entry for 00:1a:70:ae:d4:53
RSN: added PMKID - hexdump(len=16): 20 80 83 37 6b 8f 4c 12 1c ad 8a 0f 08 20 
a7 93
IEEE 802.1X: 00:1a:70:ae:d4:53 BE_AUTH entering state SUCCESS
IEEE 802.1X: Sending EAP Packet to 00:1a:70:ae:d4:53 (identifier 

Re: Hostapd-0.5.5 and freeradius-server-2.1.1

2008-10-28 Thread lolo
On Tuesday 28 October 2008 11:37, [EMAIL PROTECTED] wrote:
 Chances are: 99.9% - shared secret is different (retype it both in
 clients.conf and hostapd configuration); 0.1% - crypto libraries on
 radius or hostapd machine are corrupt.

Shared secret is fszd79772mvtib96 in hostapd.conf and in clients.conf !
...



normal behaviour when Framed-Protocol = PPP is in the Auth request?

2007-02-23 Thread lolo

Hi list,

I am very new to FreeRadius, and there is something which is a bit strange:

0] Current config

I use FreeRadius 1.1.4, out of the box.

I define my authorized clients in clients.conf.

I define a user in the users file following the examples given in the same
file:

Mickey  Auth-Type := Local, User-Password == "mouse"
        Reply-Message = "Hello mickey mouse"

--

1] I send the following authentication packet (using radclient):


Service-Type = Framed-User
User-Name = Mickey
User-Password = mouse
NAS-IP-Address = 172.24.2.103
NAS-Port = 0


-- I get accepted
--

2] I send the following authentication packet (same + Framed-Protocol =
PPP):


Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = Mickey
User-Password = mouse
NAS-IP-Address = 172.24.2.103
NAS-Port = 0

-- I get rejected
--

3] I create a Unix user Mickey with password mouse on the FreeRadius host,
and I send again:


Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = Mickey
User-Password = mouse
NAS-IP-Address = 172.24.2.103
NAS-Port = 0

-- I get accepted
--

4] Here is a short extract of the FreeRadius output when I get rejected:


modcall[authorize]: module files returns ok for request 0
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.

--

I found a 'work-around' (using the Unix user), but could somebody explain to me
why I get accepted or not depending on whether the Framed-Protocol == PPP flag
is sent in the request, and depending on the way I specify the user
(file or Unix account)?

Thanks a lot!
Laurent 


