Re: NAS IPs
On Monday 17 August 2009 16:48:35, Irina wrote:

> Hello,
>
> I need to allow a block of 8 IP addresses in 'nasname' column in NAS table. Can I use xx.xx.xx.112/29
>
> Thank you for your help in advance
>
> Kindest Regards,
> Irina

===

No! /29 gives not 8 IPs but only 6.
But it could be done with /28.

As 192.168.1.112/28 gives:

    Network:   192.168.1.112/28
    HostMin:   192.168.1.113
    HostMax:   192.168.1.126
    Broadcast: 192.168.1.127

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_ldap and auto_header
On Tuesday 11 November 2008 20:48, Tim Palmer wrote:

>     [pap] Found existing Auth-Type, not changing it.
>     ++[pap] returns noop
>     Found Auth-Type = PAP
>     +- entering group PAP {...}
>     [pap] login attempt with password testing
>     [pap] Using clear text password {crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm.
>     [pap] Passwords don't match

For me it makes no sense to have:

    [pap] Using clear text password {crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm.

Is your clear text password {crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm. ? No?

As Alan DeKok said:

> Because you told it that the userPassword LDAP field was a clear-text password. The PAP module is *supposed* to do the auto-header thing itself. It can't, because you told it that the above text WAS the password.
Re: radiusd -x gives error Could not link driver rlm_sql_mysql: rlm_sql_mysql.so
On Thursday 6 November 2008 13:14, hsuan wrote:

> Hi all:
> I have installed mysql-libs (/usr/lib/mysql), and package mysql-devel - 5.0.45-7.el5.i386 is already installed by yum install mysql-devel.

Install the libmysqlclient devel!
In Debian the name is: libmysqlclient15-dev
So with Fedora/RedHat, I don't know the name of the package!
Re: Hostapd-0.5.5 and freeradius-server-2.1.1
On Tuesday 28 October 2008 10:07, lolo wrote:

> Hi,
> Has anyone installed and configured accounting with hostapd and freeradius?

Stupid I am! :/

Here is a part of hostapd.conf (wrong):

    # auth server
    auth_server_addr=10.1.1.254
    auth_server_port=1812
    auth_server_shared_secret=theerrorisnothere
    # acct server
    acct_server_addr=10.1.1.254
    acct_server_port=1813
    auth_server_shared_secret=theerrorisnothere
    ^^ but here!
    acct_server_shared_secret=theerrorisnothere  # works fine!

I had auth_server_shared_secret twice...

But really, many thanks to all!
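The mistake found above (an accounting server block that ends with a second auth_server_shared_secret and never gets an acct_server_shared_secret) can be caught mechanically. The following check is an added example, not part of the original thread and not a hostapd tool; the function name lint_radius_secrets and the sample configuration are constructed for illustration.

```python
"""Lint a hostapd.conf for RADIUS server blocks with a missing or repeated secret."""
import re

# Constructed sample reproducing the mistake from the thread (placeholder secret).
SAMPLE = """\
# auth server
auth_server_addr=10.1.1.254
auth_server_port=1812
auth_server_shared_secret=example-secret
# acct server
acct_server_addr=10.1.1.254
acct_server_port=1813
auth_server_shared_secret=example-secret
"""

KEY = re.compile(r"^(auth|acct)_server_(addr|shared_secret)\s*=")


def lint_radius_secrets(text):
    """Return sorted (line_number, message) findings; hypothetical helper."""
    findings = []
    # Per server type: line of the open *_server_addr, and whether a secret followed it.
    open_block = {"auth": None, "acct": None}
    has_secret = {"auth": False, "acct": False}

    def close(kind):
        if open_block[kind] is not None and not has_secret[kind]:
            findings.append((open_block[kind],
                             f"{kind}_server_addr has no {kind}_server_shared_secret"))

    for lineno, raw in enumerate(text.splitlines(), 1):
        m = KEY.match(raw.strip())
        if not m:
            continue  # comments, blank lines and unrelated keys
        kind, field = m.groups()
        if field == "addr":
            close(kind)  # a new server entry starts; check the previous one
            open_block[kind], has_secret[kind] = lineno, False
        elif has_secret[kind] or open_block[kind] is None:
            findings.append((lineno, f"{kind}_server_shared_secret repeated "
                                     f"or not preceded by {kind}_server_addr"))
        else:
            has_secret[kind] = True
    for kind in ("auth", "acct"):
        close(kind)
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in lint_radius_secrets(SAMPLE):
        print(f"line {lineno}: {message}")
```

The check accepts a primary and a secondary server of the same type, as long as each address line is followed by its own secret.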
Re: Hostapd-0.5.5 and freeradius-server-2.1.1
On Wednesday 29 October 2008 08:38, Anders Holm wrote:

> We really didn't need to know what the secret *was*...

Really? :)
But it was just to show another word than secret, that was more generic but less true.
All secrets are the same!

- I had thought that the length of the secret was wrong. So I tried 8-9-10.16 characters, always this message, and no data stored! :(
- I tried on another machine, freeradius+MySQL (PC1), and hostapd (PC2)... Same issue!
Re: Hostapd-0.5.5 and freeradius-server-2.1.1
On Wednesday 29 October 2008 10:54, [EMAIL PROTECTED] wrote:

> Try radtest from remote to the radius server. Does that have secret issues? If it doesn't hostapd is broken. If it does - OS (crypto libraries) on one of the PCs is broken.

Hi,

I have started a kubuntu Live CD to test.

    $ radtest bea herscret 10.1.1.254 1812 verysecret
    Sending Access-Request of id 115 to 10.1.1.254 port 1812
        User-Name = bea
        User-Password = herscret
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
    rad_recv: Access-Accept packet from host 10.1.1.254:1812, id=115, length=86
        NAS-Identifier = debian-nas
        NAS-Port = 0
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-IP-Address = 10.3.1.1
        Framed-Routing = None
        Framed-IP-Netmask = 255.255.255.0
        Framed-IP-Address = 10.3.1.253
        Framed-Protocol = PPP
        Service-Type = Framed-User

And I tested:

    echo User-Name=lolo,Password=secret,Framed-Protocol=PPP,Acct-Session-Id=48F7C09B-0021,Acct-Status-Type=Start,Calling-Station-Id=00-1A-70-AE-D4-53 | radclient 10.1.1.254:1813 acct verysecret

And in radiusd -X:

    [sql_log] Processing sql_log_accounting
    [sql_log] expand: %{User-Name} -> lolo
    [sql_log] expand: %{%{User-Name}:-DEFAULT} -> lolo
    [sql_log] sql_set_user escaped user --> 'lolo'
    [sql_log] expand: INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause) VALUES ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', '%{Framed-IP-Address}', '%S', '0', '0', ''); -> INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause) VALUES ('48F7C09B-0021', 'lolo', '10.1.1.254', '', '2008-10-29 17:13:48', '0', '0', '');
    [sql_log] expand: /usr/var/log/radius/radacct/sql-relay -> /usr/var/log/radius/radacct/sql-relay
    ++[sql_log] returns ok
    [attr_filter.accounting_response] expand: %{User-Name} -> lolo
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 142 to 10.1.1.254 port 32920
    Finished request 32.

All seems to work! And in radacct there's an entry for it!

Could it be just a problem between hostap and radius?
Re: Hostapd-0.5.5 and freeradius-server-2.1.1
On Wednesday 29 October 2008 17:42, [EMAIL PROTECTED] wrote:

> Yes. hostapd radius client is broken. Or you have made a mistake in their configuration file. I had a look and they have separate secrets for auth and acct. Post these outputs, your failed accounting request (no point in posting EAP stuff - that works) and your configuration file to their list.

My English is so bad:

> and your configuration file to their

Does that mean that you want my hostapd.conf?
I suppose, yes! :)
So here is my hostapd.conf:

    interface=ath0
    ssid=Debian-AP
    driver=madwifi
    channel=9
    logger_syslog=-1
    logger_syslog_level=0
    logger_stdout=--1
    logger_stdout_level=0
    debug=4
    ctrl_interface_group=0
    # How to handle MAC addresses (hardware address of the network cards)
    # French bla bla
    macaddr_acl=2
    #auth_algs=2
    ieee8021x=1
    # NAS client
    own_ip_addr=10.3.1.1
    nas_identifier=private-network-1
    # auth server
    auth_server_addr=10.1.1.254
    auth_server_port=1812
    auth_server_shared_secret=verysecret
    # acct server
    acct_server_addr=10.1.1.254
    acct_server_port=1813
    auth_server_shared_secret=verysecret
    #radius_retry_primary_interval=60
    radius_acct_interim_interval=1800 # comment or not, change nothing
    radius_retry_primary_interval=1800 # comment or not, change nothing
    rsn_preauth=1 # comment or not, change nothing
    # bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
    wpa=2
    wpa_key_mgmt=WPA-EAP
    wpa_pairwise=TKIP CCMP
    #wpa_group_rekey=300 # comment or not, change nothing
    #wpa_gmk_rekey=6400 # comment or not, change nothing
    ...
Hostapd-0.5.5 and freeradius-server-2.1.1
Hi,

I am not a member of the list, because I never received any answer!??? So write to my email!

Has anyone installed and configured accounting with hostapd and freeradius?

I have some problems understanding why my configuration doesn't save any data in table radacct.

I have some data in radpostauth:

    1 bea Access-Accept 2008-10-28 00:14:57
    2 bea Access-Accept 2008-10-28 00:19:14
    ...

My configuration is based on LDAP with SQL to store data...

Here is my configuration:
- On the same machine I have OpenLDAP+Hostapd+Freeradius
- authenticating works!
- accounting request was sent: (wireshark shot)

    No. Time     Source     Destination Protocol Info
    10  4.520626 10.1.1.254 10.1.1.254  RADIUS   Accounting-Request(4) (id=242, l=194)

    Frame 10 (238 bytes on wire, 238 bytes captured)
    Linux cooked capture
    Internet Protocol, Src: 10.1.1.254 (10.1.1.254), Dst: 10.1.1.254 (10.1.1.254)
    User Datagram Protocol, Src Port: 33080 (33080), Dst Port: radius-acct (1813)
        Source port: 33080 (33080)
        Destination port: radius-acct (1813)
        Length: 202
        Checksum: 0x18d9 [incorrect, should be 0x7400]
    Radius Protocol
        Code: Accounting-Request (4)
        Packet identifier: 0xf2 (242)
        Length: 194
        Authenticator: 3A902C44595C10807918F491B63CDA2B
        Attribute Value Pairs
            AVP: l=19 t=Acct-Session-Id(44): 48F7C09B-0021
            AVP: l=6 t=Acct-Status-Type(40): Stop(2)
            AVP: l=6 t=Acct-Authentic(45): RADIUS(1)
            AVP: l=5 t=User-Name(1): bea
            AVP: l=6 t=NAS-IP-Address(4): 10.3.1.1
            AVP: l=8 t=NAS-Identifier(32): debian
            AVP: l=6 t=NAS-Port(5): 0
            AVP: l=29 t=Called-Station-Id(30): 00-18-4D-76-22-19:Debian-AP
            AVP: l=19 t=Calling-Station-Id(31): 00-1A-70-AE-D4-53
            AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
            AVP: l=22 t=Connect-Info(77): CONNECT 0Mbps 802.11
            AVP: l=6 t=Acct-Session-Time(46): 27
            AVP: l=6 t=Acct-Input-Packets(47): 63
            AVP: l=6 t=Acct-Output-Packets(48): 21
            AVP: l=6 t=Acct-Input-Octets(42): 7256
            AVP: l=6 t=Acct-Output-Octets(43): 3623
            AVP: l=6 t=Event-Timestamp(55): Oct 17, 2008 05:23:47.0
            AVP: l=6 t=Acct-Terminate-Cause(49): User-Request(1)

Here is where to find my whole configuration:
http://www.system-linux.net/config/freeradius-ldap-hostapd/configuration/

Many thanks

If my English is not perfect, it's because I'm not! I am French! ;)
Re: Hostapd-0.5.5 and freeradius-server-2.1.1
On Tuesday 28 October 2008 10:19, [EMAIL PROTECTED] wrote:

> Have you enabled sql in the accounting section? Can you post the freeradius debug (radiusd -X)? Accounting-Request should be coming straight after Access-Accept.

And a part of my hostapd debug:

    RADIUS message: code=1 (Access-Request) identifier=13 length=205
       Attribute 1 (User-Name) length=5 Value: 'bea'
       Attribute 4 (NAS-IP-Address) length=6 Value: 10.3.1.1
       Attribute 32 (NAS-Identifier) length=19 Value: 'private-network-1'
       Attribute 5 (NAS-Port) length=6 Value: 0
       Attribute 30 (Called-Station-Id) length=29 Value: '00-18-4D-76-22-19:Debian-AP'
       Attribute 31 (Calling-Station-Id) length=19 Value: '00-1A-70-AE-D4-53'
       Attribute 12 (Framed-MTU) length=6 Value: 1400
       Attribute 61 (NAS-Port-Type) length=6 Value: 19
       Attribute 77 (Connect-Info) length=22 Value: 'CONNECT 0Mbps 802.11'
       Attribute 79 (EAP-Message) length=31 Value: 02 0f 00 1d 19 00 17 03 01 00 12 f9 58 45 e9 d6 44 be bd cf 76 8f 0e 15 39 6d 57 9d 58
       Attribute 24 (State) length=18 Value: 2b 6f 35 1a 23 60 2c f5 d4 4f 03 71 be bd d5 61
       Attribute 80 (Message-Authenticator) length=18 Value: 4e 6c 17 63 cb 4f 52 41 92 a0 25 8e 8b 93 ab 0e
    IEEE 802.1X: 00:1a:70:ae:d4:53 REAUTH_TIMER entering state INITIALIZE
    IEEE 802.1X: 00:1a:70:ae:d4:53 REAUTH_TIMER entering state INITIALIZE
    RADIUS message: code=11 (Access-Challenge) identifier=13 length=96
       Attribute 79 (EAP-Message) length=40 Value: 01 10 00 26 19 00 17 03 01 00 1b 09 9f db b8 c3 59 e2 08 0e af 65 29 c7 5e 1f 37 57 d3 f9 4b 08 bd 5a 01 bb 08 9b
       Attribute 80 (Message-Authenticator) length=18 Value: 55 9e 51 4e b2 1a b9 4f e1 80 9b c2 fd 58 78 a8
       Attribute 24 (State) length=18 Value: 2b 6f 35 1a 22 7f 2c f5 d4 4f 03 71 be bd d5 61
    RADIUS packet matching with station 00:1a:70:ae:d4:53
    IEEE 802.1X: 00:1a:70:ae:d4:53 BE_AUTH entering state REQUEST
    IEEE 802.1X: Sending EAP Packet to 00:1a:70:ae:d4:53 (identifier 16)
    TX EAPOL - hexdump(len=56): 00 1a 70 ae d4 53 00 18 4d 76 22 19 88 8e 02 00 00 26 01 10 00 26 19 00 17 03 01 00 1b 09 9f db b8 c3 59 e2 08 0e af 65 29 c7 5e 1f 37 57 d3 f9 4b 08 bd 5a 01 bb 08 9b
    IEEE 802.1X: 00:1a:70:ae:d4:53 REAUTH_TIMER entering state INITIALIZE
    IEEE 802.1X: 00:1a:70:ae:d4:53 REAUTH_TIMER entering state INITIALIZE
    IEEE 802.1X: 42 bytes from 00:1a:70:ae:d4:53
       IEEE 802.1X: version=1 type=0 length=38
       EAP: code=2 identifier=16 length=38 (response)
    IEEE 802.1X: 00:1a:70:ae:d4:53 BE_AUTH entering state RESPONSE
    Encapsulating EAP message into a RADIUS packet
    Copied RADIUS State Attribute
    RADIUS message: code=1 (Access-Request) identifier=14 length=214
       Attribute 1 (User-Name) length=5 Value: 'bea'
       Attribute 4 (NAS-IP-Address) length=6 Value: 10.3.1.1
       Attribute 32 (NAS-Identifier) length=19 Value: 'private-network-1'
       Attribute 5 (NAS-Port) length=6 Value: 0
       Attribute 30 (Called-Station-Id) length=29 Value: '00-18-4D-76-22-19:Debian-AP'
       Attribute 31 (Calling-Station-Id) length=19 Value: '00-1A-70-AE-D4-53'
       Attribute 12 (Framed-MTU) length=6 Value: 1400
       Attribute 61 (NAS-Port-Type) length=6 Value: 19
       Attribute 77 (Connect-Info) length=22 Value: 'CONNECT 0Mbps 802.11'
       Attribute 79 (EAP-Message) length=40 Value: 02 10 00 26 19 00 17 03 01 00 1b 40 ca 97 50 69 d4 77 6f 15 57 b3 ee f3 ec 63 2e dd 93 b0 f1 7b f5 14 81 3b 7f 0b
       Attribute 24 (State) length=18 Value: 2b 6f 35 1a 22 7f 2c f5 d4 4f 03 71 be bd d5 61
       Attribute 80 (Message-Authenticator) length=18 Value: 6d 79 43 5f 97 d1 ca c6 27 23 a3 60 11 a4 d1 7a
    IEEE 802.1X: 00:1a:70:ae:d4:53 REAUTH_TIMER entering state INITIALIZE
    IEEE 802.1X: 00:1a:70:ae:d4:53 REAUTH_TIMER entering state INITIALIZE
    RADIUS message: code=2 (Access-Accept) identifier=14 length=165
       Attribute 26 (Vendor-Specific) length=58 Value: 00 00 01 37 11 34 81 e4 83 fe 13 8f 20 ac 61 72 f7 4d cc 93 46 7a 66 b5 ab 24 a8 47 a7 bf cf 0a 32 4a 70 03 88 d0 92 07 70 4e a0 8f cc d6 e2 7b 1a 9f b5 39 ad 2a 7e a5
       Attribute 26 (Vendor-Specific) length=58 Value: 00 00 01 37 10 34 8a fb be 0d b7 12 ba 6f ff 36 d3 e6 b6 cf 6e 94 fb 85 99 41 66 62 bb b0 31 9e b9 ed 62 49 1a 21 bc 83 81 d1 c9 f9 05 d3 50 a6 9e 37 01 39 23 40 1d 68
       Attribute 79 (EAP-Message) length=6 Value: 03 10 00 04
       Attribute 80 (Message-Authenticator) length=18 Value: f5 48 97 70 6f 18 70 8d 27 46 16 8c e9 99 80 95
       Attribute 1 (User-Name) length=5 Value: 'bea'
    RADIUS packet matching with station 00:1a:70:ae:d4:53
    MS-MPPE-Send-Key - hexdump(len=32): [REMOVED]
    MS-MPPE-Recv-Key - hexdump(len=32): [REMOVED]
    RSN: added PMKSA cache entry for 00:1a:70:ae:d4:53
    RSN: added PMKID - hexdump(len=16): 20 80 83 37 6b 8f 4c 12 1c ad 8a 0f 08 20 a7 93
    IEEE 802.1X: 00:1a:70:ae:d4:53 BE_AUTH entering state SUCCESS
    IEEE 802.1X: Sending EAP Packet to 00:1a:70:ae:d4:53 (identifier
Re: Hostapd-0.5.5 and freeradius-server-2.1.1
On Tuesday 28 October 2008 11:37, [EMAIL PROTECTED] wrote:

> Chances are: 99.9% - shared secret is different (retype it both in clients.conf and hostapd configuration); 0.1% - crypto libraries on radius or hostapd machine are corrupt.

Shared secret is fszd79772mvtib96 in hostapd.conf and in clients.conf!
...
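How a RADIUS server checks an Accounting-Request against the shared secret (RFC 2866, section 3), which is why a secret that differs between the NAS and clients.conf gets the request discarded even though it is visible on the wire. This is an added example, not part of the original thread and not FreeRADIUS or hostapd code; the function names, the sample attributes and both secrets are constructed for illustration.

```python
"""Accounting-Request authenticator check as defined in RFC 2866, section 3."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4


def attr(type_code, value):
    """Encode one attribute as type, length, value."""
    return bytes([type_code, len(value) + 2]) + value


def build_accounting_request(identifier, attributes, secret):
    """NAS side: authenticator = MD5(code + id + length + 16 zero octets + attrs + secret)."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length)
    digest = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + digest + attributes


def verify_accounting_request(packet, secret):
    """Server side: recompute the digest with the locally configured secret and compare."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False
    received = packet[4:20]
    attributes = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attributes + secret).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample: attribute values modelled on the capture in the thread.
SAMPLE_ATTRS = (
    attr(44, b"48F7C09B-0021")          # Acct-Session-Id
    + attr(40, struct.pack("!I", 2))    # Acct-Status-Type = Stop
    + attr(1, b"bea")                   # User-Name
)
NAS_SECRET = b"placeholder-secret-on-the-nas"        # constructed placeholder
SERVER_SECRET = b"placeholder-secret-in-clients-conf"  # constructed placeholder

if __name__ == "__main__":
    pkt = build_accounting_request(242, SAMPLE_ATTRS, NAS_SECRET)
    print("same secret:     ", verify_accounting_request(pkt, NAS_SECRET))
    print("different secret:", verify_accounting_request(pkt, SERVER_SECRET))
```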
normal behaviour when Framed-Protocol = PPP is in the Auth request?
Hi list,

I am very new to FreeRadius, and there is something which is a bit strange:

0] Current config

I use FreeRadius 1.1.4, out of the box. I define my authorized clients in clients.conf. I define a user in the users file following the examples given in the same file:

    Mickey Auth-Type :=Local, User-Password == mouse
           Reply-Message = Hello mickey mouse

--

1] I send the following authentication packet (using radclient):

    Service-Type = Framed-User
    User-Name = Mickey
    User-Password = mouse
    NAS-IP-Address = 172.24.2.103
    NAS-Port = 0

-- I get accepted --

2] I send the following authentication packet (same + Framed-Protocol = PPP):

    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = Mickey
    User-Password = mouse
    NAS-IP-Address = 172.24.2.103
    NAS-Port = 0

-- I get rejected --

3] I create a Unix user Mickey with password mouse on the FreeRadius host, and I send again:

    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = Mickey
    User-Password = mouse
    NAS-IP-Address = 172.24.2.103
    NAS-Port = 0

-- I get accepted --

4] Here is a short extract of the FreeRadius output when I get rejected:

    modcall[authorize]: module files returns ok for request 0
    rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.

--

I found a 'work-around' (using the Unix user), but could somebody explain to me why I get accepted or not depending on whether the Framed-Protocol == PPP flag is sent in the request, and depending on the way I specify the user (file or Unix account)?

Thanks a lot!

Laurent