Debug show cleartext password

2013-09-11 Thread Marco Aresu
Hi All

I am having a problem with FreeRADIUS installed on CentOS. When I run the
radiusd service in debug mode and send an Access-Request (default type PAP)
through radtest, the debug output shows the password in cleartext.
Is there an option to not show the field User-Password in cleartext?

Many Thanks

Marco Aresu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
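The following is an added example, written for this page and not FreeRADIUS code, showing why the server (and therefore its debug output) has the cleartext. RFC 2865 does not encrypt User-Password with anything the server can leave alone: the attribute is XORed with an MD5 keystream derived from the shared secret and the Request-Authenticator, and PAP verification needs the cleartext back, so the server applies the same keystream before the pap module compares it with the stored credential. The shared secret, authenticator and password values are constructed test data.

```python
"""Added example, not FreeRADIUS code: RFC 2865 section 5.2 User-Password
hiding and the server-side recovery that PAP needs.  Secret, authenticator
and password values in the demo section are constructed test data."""
import hashlib
import os


def _keystream_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """XOR 16-byte blocks with b_i = MD5(secret + c_(i-1)); c_0 is the
    Request-Authenticator.  The chain always feeds the *ciphertext* block into
    the next MD5, so the direction only decides which side of the XOR that is."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(x ^ k for x, k in zip(block, key))
        out += xored
        prev = xored if hiding else block
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad the cleartext with NULs to a multiple of 16 and hide it."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    return _keystream_xor(padded, secret, authenticator, hiding=True)


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: with the shared secret the cleartext comes straight back.
    This is the value the pap module compares against the stored credential
    and that debug mode prints.  Trailing NUL padding is stripped as the RFC
    says, so a password that itself ends in NUL bytes cannot be represented."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    return _keystream_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def new_request_authenticator() -> bytes:
    """RFC 2865 wants a fresh, unpredictable 16-byte value per Access-Request;
    reusing one makes the keystream repeat across packets."""
    return os.urandom(16)


if __name__ == "__main__":
    # Constructed demo values; a real NAS uses its configured shared secret.
    secret, auth, password = b"testing123", new_request_authenticator(), b"secret"
    hidden = hide_password(password, secret, auth)
    print("on the wire:  ", hidden.hex())
    print("server sees:  ", recover_password(hidden, secret, auth))
    # Without the right secret only keystream garbage comes back.
    print("wrong secret: ", recover_password(hidden, b"guess", auth))
```

The consequence for the question above: whoever holds the shared secret (the NAS, the server, or someone who captured the UDP packet and knows or cracks the secret) recovers the password, and the pap module works on exactly that recovered value, which is what debug mode prints. Protecting it is a matter of the transport (RADIUS over TLS or a tunnel, as later threads on this page discuss) and of not running the server in debug mode on production traffic, not of the debug output alone.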

Re: Authorization failed in cisco switch

2013-07-23 Thread Marco Aresu
Now I can log on to the switch, but I can with all users. Where can I
specify who can access the switch?
I added a row in the users file, "user Auth-Type := Reject", but nothing
changed.

thanks
Marco


Marco Aresu


On 23 July 2013 10:06, Martin Kraus  wrote:

> On Mon, Jul 22, 2013 at 04:27:30PM +0200, Marco Aresu wrote:
> > i am getting some problem with authorization in free radius
> > i configured the users file as below :
> >
> > DEFAULT   Auth-Type := System
> > cisco   Auth-Type := System
> > Service-Type = NAS-Prompt-User
> > cisco-avpair = "shell:priv-lvl=15",
>
> If all you want is enable mode after login then send just
>
> Service-Type := Administrative-User
>
> and don't send the cisco-avpair at all.
>
> mk

Re: Authorization failed in cisco switch

2013-07-22 Thread Marco Aresu
I created two users on the FreeRADIUS server, and when I tried to log in with the
new user that is not specified in the users file I got the same error,
"Authorization Failed".
I think that I am editing the wrong users file, but the path is
"/etc/raddb/users".


Marco Aresu


On 22 July 2013 17:19, Matthew Newton  wrote:

> On Mon, Jul 22, 2013 at 04:44:29PM +0200, Marco Aresu wrote:
> > here the debug after authentication:
> >
> > Found Auth-Type = PAP
> > # Executing group from file /etc/raddb/sites-enabled/default
> > +- entering group PAP {...}
> > [pap] login attempt with password "secret"
> > [pap] Using CRYPT password
> >
> "$6$GW4SlOPp$TZhPalub.qyMY8Z9zU03FMz3A.hSv0b6ycuZT5bYeyG89HPb2Gm/FINd2pdtU79NkgYhE5TUgp5e5/w6iNA40/"
> > [pap] User authenticated successfully
> > ++[pap] returns ok
> > # Executing section post-auth from file /etc/raddb/sites-enabled/default
> > +- entering group post-auth {...}
> > ++[exec] returns noop
> > Sending Access-Accept of id 70 to 172.31.61.224 port 1812
> ...
>
> The RADIUS server sent an Access-Accept. That means that if you
> still can't get in, it's the switch that has the problem.
>
> Matthew
>
>
>
> --
> Matthew Newton, Ph.D. 
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, 

Re: Authorization failed in cisco switch

2013-07-22 Thread Marco Aresu
Is the users file the only file to edit for the authorization?

thanks
Marco


Marco Aresu


On 22 July 2013 17:03, Alan DeKok  wrote:

> Marco Aresu wrote:
> > here the debug after authentication:
>
>   If you're not going to follow instructions, you shouldn't be posting
> questions on this list.
>
>   Since you're not willing to post the full debug output here, we can't
> help you.  Go read it yourself.
>
> > i don't understand when he tried to find the authorizaziont because if i
> > add a comment in the row of the user in the Users file, i get the same
> > error.
>
>   If only there was some way for you to figure out what the server was
> doing.  Like maybe a debug mode?
>
>   That would be wonderful.
>
>   Alan DeKok.

Authorization failed in cisco switch

2013-07-22 Thread Marco Aresu
Hi All

I am having some problems with authorization in FreeRADIUS.
I configured the users file as below:

DEFAULT   Auth-Type := System
cisco   Auth-Type := System
Service-Type = NAS-Prompt-User
cisco-avpair = "shell:priv-lvl=15",

When I try to log in to a switch I receive the error: Authorization
Failed
and in the debug I get:

# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[++[reply_log] returns ok
++[exec] returns noop

Can someone help me?

thanks

Marco Aresu

Re: Authorization failed in cisco switch

2013-07-22 Thread Marco Aresu
Here is the debug after authentication:

Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "secret"
[pap] Using CRYPT password
"$6$GW4SlOPp$TZhPalub.qyMY8Z9zU03FMz3A.hSv0b6ycuZT5bYeyG89HPb2Gm/FINd2pdtU79NkgYhE5TUgp5e5/w6iNA40/"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 70 to 172.31.61.224 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 70 with timestamp +12
Ready to process requests.

I don't understand when it tries to find the authorization, because if I
comment out the row of the user in the users file, I get the same
error.


Marco Aresu


On 22 July 2013 16:37, Alan DeKok  wrote:

> Marco Aresu wrote:
> > i am getting some problem with authorization in free radius
> > i configured the users file as below :
> >
> > DEFAULT   Auth-Type := System
> > cisco   Auth-Type := System
> > Service-Type = NAS-Prompt-User
> > cisco-avpair = "shell:priv-lvl=15",
>
>   Is it *exactly* that?  i.e. did you format the entries correctly?
>
> > When i try to login into a switch i receive the errore : Authorization
> > Failed
> > and during the debug i ve got :
> >
> > # Executing section post-auth from file /etc/raddb/sites-enabled/default
> > +- entering group post-auth {...}
> > [++[reply_log] returns ok
> > ++[exec] returns noop
>
>   You have rather a lot more than that.
>
>   The whole point of the debug output is to READ IT.
>
>   ALL of it.
>
>   What ELSE does it say?  Does the server return an Access-Accept?  If
> so, blame the switch.  Otherwise, READ THE DEBUG OUTPUT to see what's
> going on.
>
>   Alan DeKok.

FreeRadius error LDAP Authentication

2013-07-19 Thread Marco Aresu
Hi All,
I am new to FreeRADIUS. I am moving from Cisco ACS TACACS to FreeRADIUS.
During LDAP configuration I am getting the following error:

  [ldap] bind as cn="User",ou=people,dc="domain",dc=it/"Password" to
"ldapserver":636
  [ldap] waiting for bind result ...
  [ldap] cn="user",ou=people,dc="domain",dc=it bind to "ldapServer":636
failed No such object
  [ldap] (re)connection attempt failed

Any idea about the error?

Below the ldap configuration

server = "ldapserver"
port = 636
identity = "cn="user",ou=people,dc="domain",dc=it"
password = "password"
basedn = "dc="domain",dc=it"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=groupofuniquenames)"


Thanks

Marco Aresu

Authentication using LDAP for 802.1x

2013-06-19 Thread Marco Streich
 Message-Authenticator = 0xe7c4329c24d68ad3919250d82c96961a
Cisco-AVPair = "audit-session-id=C0A86363062C77AFDED6"
NAS-Port-Type = Ethernet
NAS-Port = 50007
NAS-Port-Id = "GigabitEthernet0/7"
State = 0xab1bf9b7af0becd1d339d19378335aaa
NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 16 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 134
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished  
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished  
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 78 to 192.168.99.99 port 1645
EAP-Message = 0x011100451580003b1403010001011603010030b0518066786178044d44483eb37026fdd8406df7f6eaae28282bc696f782e64198a16f06ecde63a263375845bf3304f7
Message-Authenticator = 0x
State = 0xab1bf9b7ae0aecd1d339d19378335aaa
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=79, length=275
User-Name = "a4"
Service-Type = Framed-User
Cisco-AVPair = "service-type=Framed"
Framed-MTU = 9000
Called-Station-Id = "AC-A0-16-58-EB-07"
Calling-Station-Id = "00-23-32-CF-1D-A2"
EAP-Message = 0x0211002f158000251503010020f0c878ea3889abbd6850566e4a4b6b5e5777dc3f5e0f11789e9a9430219cc5b3
Message-Authenticator = 0x69b565f9da2f3112f04fc8a2197444a4
Cisco-AVPair = "audit-session-id=C0A86363062C77AFDED6"
NAS-Port-Type = Ethernet
NAS-Port = 50007
NAS-Port-Id = "GigabitEthernet0/7"
State = 0xab1bf9b7ae0aecd1d339d19378335aaa
NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 47
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 37
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify  
TLS Alert read:warning:close notify
[ttls] WARNING: No data inside of the tunnel.
[ttls] eaptls_process returned 7 
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] SSL_read Error
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> a4
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 79 to 192.168.99.99 port 1645
EAP-Message = 0x04110004
Message-Authenticator = 0x
Waking up in 3.7 seconds.
...

>[ttls] WARNING: No data inside of the tunnel.

At this moment, I cannot wrap my mind around what is going on here.

I understand that ldap tries to authenticate the user by itself, instead of 
handing it to the LDAP server. But what is different when I run radtest?

Debug from radtest:
...
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "a4" with password "whatever"
[ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
  [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
  [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to 
ldap.hopro.edu:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user a4 authenticated successfully
++[ldap] returns ok
...


Would one of you guys guide me in the right direction?

Thank you in advance

Marco



Re: Huntgroups checking in MySQL radgroupcheck

2013-06-07 Thread Marco Marzetti
On Thu, 06/06/2013 at 09.21 +0200, Marco Marzetti wrote:

> On Wed, 05/06/2013 at 13.41 -0400, Alan DeKok wrote: 
> 
> > Marco Marzetti wrote:
> > > Also, if i understand it correctly, it makes sense to me since "==" is a
> > > filtering
> > > operator while ":=" add the attribute to the list for further checking
> > > 
> > > Anyway, i've updated the record above and putting ":=" and it doesn't 
> > > work.
> > 
> >   It depends what you want to do.  I thought you had said you wanted to
> > *set* the huntgroups in SQL.  If so, := is the correct thing to use.
> > 
> >   If you're just checking it, == is the right one.
> 
> 
> Yes. I'm checking for a match between the NAS-IP-Address and the
> specified username.
> So, if user "foo" sends an authentication request through NAS
> "192.0.2.1", FreeRADIUS should check if 
> that NAS-IP-Address address matches with the ones associated to the
> Huntgroup named "APPARATI".
> 
> 
> > 
> >   The huntgroups are set in the "huntgroups" file.  Have you looked there?
> 
> 
> As said, the filter works if the user's Huntgroup-Name is set in the
> radcheck table and it doesn't if it is set 
> in the radgroupcheck one.
> 
> 
> > 
> >   Alan DeKok.
> 
> 
> Thank You
> 
> Marco 
> 


I eventually found this in rlm_sql:

  5. For each group this user is a member of, the corresponding check items
     are pulled from the radgroupcheck table and compared with the request.
     If there is a match, the reply items for this group are pulled from
     the radgroupreply table and applied.

So there MUST be a match in radgroupcheck to make the user be a part of
the group.
Then you can't make a Huntgroup-Name check on a per-group basis.



Re: Huntgroups checking in MySQL radgroupcheck

2013-06-06 Thread Marco Marzetti
On Wed, 05/06/2013 at 13.41 -0400, Alan DeKok wrote:

> Marco Marzetti wrote:
> > Also, if i understand it correctly, it makes sense to me since "==" is a
> > filtering
> > operator while ":=" add the attribute to the list for further checking
> > 
> > Anyway, i've updated the record above and putting ":=" and it doesn't work.
> 
>   It depends what you want to do.  I thought you had said you wanted to
> *set* the huntgroups in SQL.  If so, := is the correct thing to use.
> 
>   If you're just checking it, == is the right one.


Yes. I'm checking for a match between the NAS-IP-Address and the
specified username.
So, if user "foo" sends an authentication request through NAS
"192.0.2.1", FreeRADIUS should check if 
that NAS-IP-Address address matches with the ones associated to the
Huntgroup named "APPARATI".


> 
>   The huntgroups are set in the "huntgroups" file.  Have you looked there?


As said, the filter works if the user's Huntgroup-Name is set in the
radcheck table and it doesn't if it is set 
in the radgroupcheck one.


> 
>   Alan DeKok.


Thank You

Marco

Re: Huntgroups checking in MySQL radgroupcheck

2013-06-05 Thread Marco Marzetti
On Wed, 05/06/2013 at 09.14 -0400, Alan DeKok wrote:

> Marco Marzetti wrote:
> > mysql> SELECT * FROM radgroupcheck;
> > +----+-----------+----------------+----+----------+
> > | id | groupname | attribute      | op | value    |
> > +----+-----------+----------------+----+----------+
> > |  1 | TECNICI   | Huntgroup-Name | == | APPARATI |
> > +----+-----------+----------------+----+----------+
> 
>   Read doc/rlm_sql.  Or "man unlang".  The operators are the same.
> 
>   You want ":=", not "==".
> 
>   Alan DeKok.



Hello,

Sorry, what do you mean with "The operators are the same" ?
I put "==" because /etc/freeradius/users use that one
root@tango:~# grep Huntgroup-Name /etc/freeradius/users
#swilson	Service-Type == Framed-User, Huntgroup-Name == "alphen"
#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "alphen"
#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "delft"

And because "==" works in radcheck while ":=" doesn't.

Also, if I understand it correctly, it makes sense to me since "==" is a
filtering operator while ":=" adds the attribute to the list for further
checking.

Anyway, I've updated the record above, putting ":=", and it doesn't
work.

Is there anything else wrong?

Thank You

Re: Secure Storage and Transport of User Credentials

2012-07-11 Thread Marco Macala
Thanks for the information, you really helped me A LOT!

I already looked into
http://deployingradius.com/documents/protocols/compatibility.html but
I hoped there could be some way around this.



2012/7/11 Phil Mayers 

> On 11/07/12 14:04, Marco Macala wrote:
>
>>  > if you dont trust the network then you will also need to looking at
>> using TLS to transport
>>  > things around - eg RADSEC or a VPN tunnel.
>>
>> isn't the point of PEAP that i don't need them because it is wrapped in
>> an encrypted communication?
>>
>
> Yes.
>
>
>
>>
>>  > as for NT hash - yes, there are security issues but only if you have
>> access to them
>>  > or expose them - if you bind the FreeRADIUS system to an AD and use
>> eg ntlm_auth then the NThash
>>  > isnt accessed.
>>
>> The thing is, i can't use AD to store the passwords. Specifically, i
>> would like to store the password as a salted hash.
>>
>
> You can't do this, and use PEAP. PEAP requires MSCHAPv2, which requires
> plaintext or NT hash exist SOMEWHERE. See:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
>
>
>
>> I want something like this:
>> - encrypted channel between authenticator and radius server
>>
>
> PEAP or TTLS will provide this.
>
>
>  - passwords stored as a salted hash
>>
>
> Only TTLS-PAP will provide this. See the link above. TTLS is not available
> until Windows 8, so you will need to deploy software on windows clients.
>
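An added example, written for this thread and not FreeRADIUS or Microsoft code, that makes Phil Mayers' point concrete. MS-CHAPv2 derives its challenge response from the NT hash (MD4 of the UTF-16LE password, with no salt), so the server must hold that hash or the cleartext, and a stored NT hash is password-equivalent. PAP, including TTLS-PAP, hands the server the cleartext, so the store can use a salted, iterated hash. Assumptions: the MD4 is a pure-Python RFC 1320 implementation (hashlib's md4 is an OpenSSL legacy algorithm and often absent); the challenge-response function is a deliberately simplified HMAC stand-in for the DES-based MS-CHAPv2 computation and not the real algorithm; PBKDF2-SHA256 stands in for whatever salted scheme the password store uses. All passwords, salts and challenges are constructed test data.

```python
"""Added example (not FreeRADIUS/Microsoft code): unsalted NT hash vs a salted
store, and why a challenge-response method needs the hash itself while PAP
can verify against any scheme.  All inputs are constructed test data."""
import hashlib
import hmac
import struct

_M32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python, so the example runs where OpenSSL has no md4."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for j, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & _M32, shifts[j % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M32, (b + bb) & _M32, (c + cc) & _M32, (d + dd) & _M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): no salt, no work factor, so equal
    passwords give equal hashes and a rainbow table covers every user at once."""
    return md4(password.encode("utf-16-le"))


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash for a store that will receive cleartext (PAP/TTLS-PAP).
    PBKDF2-SHA256 is an example scheme, not a FreeRADIUS-specific choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_pap(password: str, salt: bytes, stored: bytes) -> bool:
    """PAP: the server has the cleartext, so it can recompute any salted scheme."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def challenge_response(nthash: bytes, challenge: bytes) -> bytes:
    """Simplified stand-in for MS-CHAPv2's NT-Response (the real one is
    DES-based).  The property it preserves: the response is a function of the
    NT hash, not of the password, so the verifier needs the hash itself."""
    return hmac.new(nthash, challenge, hashlib.sha256).digest()


def verify_mschap_like(stored_nthash: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: the stored NT hash alone suffices; it is password-equivalent."""
    return hmac.compare_digest(challenge_response(stored_nthash, challenge), response)


if __name__ == "__main__":
    # Constructed demo data.
    print("NT hash of 'password':", nt_hash("password").hex())
    print("two users, same password, same NT hash:", nt_hash("password") == nt_hash("password"))
    s1, s2 = b"\x01" * 16, b"\x02" * 16
    print("same password, different salts, different digests:",
          salted_hash("password", s1) != salted_hash("password", s2))
    ch = b"\x00" * 16
    resp = challenge_response(nt_hash("password"), ch)
    print("verified from the stored NT hash alone:", verify_mschap_like(nt_hash("password"), ch, resp))
```

The two verify functions show the trade-off the thread is about: verify_mschap_like never touches the password, which is exactly why the stored NT hash (or a cleartext password) must exist somewhere for PEAP/MS-CHAPv2, and why alan buxey's suggestion of ntlm_auth against AD only moves that secret rather than removing it; verify_pap needs the cleartext on the server, which is what the TLS tunnel of TTLS-PAP is there to protect in transit.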

Re: Secure Storage and Transport of User Credentials

2012-07-11 Thread Marco Macala
> if you dont trust the network then you will also need to looking at using
> TLS to transport
> things around - eg RADSEC or a VPN tunnel.

Isn't the point of PEAP that I don't need them because it is wrapped in an
encrypted communication?


> as for NT hash - yes, there are security issues but only if you have
> access to them
> or expose them - if you bind the FreeRADIUS system to an AD and use eg
> ntlm_auth then the NThash
> isnt accessed.

The thing is, I can't use AD to store the passwords. Specifically, I would
like to store the password as a salted hash.

I want something like this:
- encrypted channel between authenticator and radius server
- passwords stored as a salted hash

2012/7/11 alan buxey 

> Hi,
> >The problem is, that I do not trust the network and I don't want to
> store
> >the password in plain.
> >Also, isn't the NT Hash insecure beacuse it is easily cracked? Or am i
> >mixing things up?
>
> if you dont trust the network then you will also need to looking at using
> TLS to transport
> things around - eg RADSEC or a VPN tunnel.
>
> as for NT hash - yes, there are security issues but only if you have
> access to them
> or expose them - if you bind the FreeRADIUS system to an AD and use eg
> ntlm_auth then the NThash
> isnt accessed.
>
> alan

Re: Secure Storage and Transport of User Credentials

2012-07-11 Thread Marco Macala
The problem is that I do not trust the network and I don't want to store
the password in plain.

Also, isn't the NT hash insecure because it is easily cracked? Or am I
mixing things up?

2012/7/11 alan buxey 

> Hi,
>
> > is there a way to securely transport and store the Username/Password with
> > freeradius?
> > If I am informed correctly, you can use PEAP to ensure that the data is
> > encrypted but the most supported PEAP mode is with MSCHAPv2 which implies
> > that the passwords are stored in clear text or NT-Hash.
>
> PEAP will securely transport things - as with MSCHAPv2 the password is
> never sent.
>
>
> whether the passwords are stored in plain/NT-hash format is down to how you
> are doing things..
> if they are stored in AD then they are not stored in a plain format.
>
> alan

Re: Secure Storage and Transport of User Credentials

2012-07-11 Thread Marco Macala
Hello,

Is there a way to securely transport and store the username/password with
FreeRADIUS?

If I am informed correctly, you can use PEAP to ensure that the data is
encrypted, but the most supported PEAP mode is with MSCHAPv2, which implies
that the passwords are stored in clear text or as an NT hash.

Did I get something wrong here? I am fairly new to RADIUS and therefore I
don't know that much about it...

Thanks in advance!

Best regards,
Marco Macala

unlang syntax issue

2012-06-29 Thread marco santantonio
Hi all,

I'm using FreeRADIUS 2.1.12 and I have a problem that I would like to
resolve with unlang, but I can't because of a syntax error...

I need to authorize users based on case insensitive regular
expression, something like

if User-Name match ".*-guest$" use LDAP-1
else use LDAP-2

I made several attempts such

if ( User-Name =~ '.*-guest$' ) {
           ldap-1
}

in authorize section, but debug says:

Expected regular expression at: '.*-guest$' )

After various attempts at least i have resolved using "users" file as:

DEFAULT User-Name =~ ".*-guest$", Autz-Type := LDAP-1, Auth-Type := PAP
DEFAULT User-Name !~ ".*-guest$", Autz-Type := LDAP-2

but the "users" file is case-sensitive... what's the correct unlang syntax
to do this?

many thanks

marco


Re: [SOLVED] 802.1x auth EAP-TLS problem

2011-06-29 Thread Marco Londero
On Wed, 29 Jun 2011 15:03:33 +0200, Alan DeKok 
wrote:

>> I thought it was some advanced chained root thing, but I never got it to
>> work even once, so I wrote my own, but it sucks.  I think it may be a bug,
>> and you just reminded me of that.  someone who knows what they're actually
>> on about should investigate that and see if it needs fixin' or filin'.
> It's a bug. The simplest thing to do is to make the client cert signed by
> the CA cert. This might have been done already, but I don't recall.
> 
> Patches are welcome.
I just checked 2.1.11 and that's fine. In raddb/certs/Makefile:

---
client.crt: client.csr ca.pem ca.key
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr \
	-key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext \
	-extfile xpextensions -config ./client.cnf
---


-- 
mandi, Marco


Re: Bind username to certificate

2011-06-28 Thread Marco Londero
On Tue, 28 Jun 2011 15:00:18 +0200, Alan DeKok 
wrote:

> See raddb/sites-available/default.  Look for "tls"
> 
> You will need to write your own policies to enforce this. FreeRADIUS
> provides the pieces, you need to put them together.
Thank you, Alan.


-- 
mandi, Marco


Bind username to certificate

2011-06-28 Thread Marco Londero
Hi folks,

Is it possible to bind an SSL certificate (used for EAP-TLS auth) to a
specific LDAP user instead of using the user's LDAP-stored password?

Thank you!


-- 
mandi, Marco


Re: [SOLVED] 802.1x auth EAP-TLS problem

2011-06-28 Thread Marco Londero
On Tue, 28 Jun 2011 10:28:45 +0200, Alan DeKok 
wrote:

> Use the correct certificates.
I re-generated the client certificate and signed it with the CA one instead of
the server one (default Makefile conf) and it worked.

Sorry for the noise.


-- 
mandi, Marco


802.1x auth EAP-TLS problem

2011-06-28 Thread Marco Londero
Hi folks,

I have a problem in my FreeRADIUS setup and I'm looking for some hints
about it.

Scenario:

1) GNU/Linux client w/ WPA supplicant configured to request access through
EAP-TLS using a certificate (in order to achieve 802.1x ethernet
authentication)
2) 802.1x enabled switch where client is connected
3) user/pass 802.1x authentication works fine (MSCHAPv2 based)
4) freeradius authenticates users on LDAP

Freeradius debug log of the issue is here:

---
http://pastie.org/2132916
---

All certificates should be ok (both on server and client):

---
FP42A certs # openssl verify ca.pem 
ca.pem: OK
FP42A certs # openssl verify server.pem 
server.pem: OK
FP42A certs # openssl verify 02.pem 
02.pem: OK
---

Any tips? Thank you!


-- 
mandi, Marco


ldap and file authentication

2011-04-12 Thread Marco Kalmbach
Hi all, is it possible to provide LDAP authentication and users file
authentication at the same time on a RADIUS server? On my RADIUS server the
LDAP authentication works fine; additionally I want to provide users file
authentication, so I commented out the following lines:
--> radiusd.conf

file {
	userfile = ${confdir}/users
}
...
authorize {
	...
	files
	...
}

My users file:
testuser Cleartext-Password := "XXX"

When I want to login the user "testuser" the Debugscreen shows:
Login incorrect: (rlm_ldap: User not found): [testuser]

Are there any other options I have to set, or isn't it possible to authenticate
users via LDAP and the users file at the same time?

Thanks for your answers, greetings Klaus

Re: Checkval weird issue with LDAP backend and PAM authentication SOLVED with unlang

2010-11-26 Thread Marco Carcano

Hi Alan

got E V E R Y T H I N G working

if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices?base?eckAllowedServices=%{NAS-Identifier}}") {
	ok
}
else {
	reject
}

thank you anyway - you put me on the right way

Within a few days I'll publish a new version of ECK with freeradius2
(the current one uses freeradius, and that allows granular service
authorization by LDAP), ...


Thank you for all the time you spent and are spending on the
freeradius project, ... I know what it means


Good luck

Marco Carcano



Re: Checkval weird issue with LDAP backend and PAM authentication

2010-11-26 Thread Marco Carcano

Hi Alan

OK - got it working - I had a look at rlm_ldap.c and ldap.h
(the ldap_is_ldap_url and ldap_url_parse functions), although I have one
more issue, ... see below


if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}") {
	ok
}
else {
	reject
}


debug is

++? if ("%{ldap:ldap://127.0.0.1/CN=%{User- 
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS- 
Identifier}" )

rlm_ldap: - ldap_xlat
expand: ldap://127.0.0.1/CN=%{User- 
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices -> ldap:// 
127.0.0.1/CN=testuser,OU=Users,DC=marcolinux,DC=local?eckAllowedServices

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in  
CN=testuser,OU=Users,DC=marcolinux,DC=local, with filter (null)

rlm_ldap: Adding attribute eckAllowedServices, value: ftp
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: - ldap_xlat end
expand: %{ldap:ldap://127.0.0.1/CN=%{User- 
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices} -> ftp

expand: %{NAS-Identifier} -> ftp
? Evaluating ("%{ldap:ldap://127.0.0.1/CN=%{User- 
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS- 
Identifier}" ) -> TRUE
++? if ("%{ldap:ldap://127.0.0.1/CN=%{User- 
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS- 
Identifier}" ) -> TRUE
++- entering if ("%{ldap:ldap://127.0.0.1/CN=%{User- 
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS- 
Identifier}" ) {...}

+++[ok] returns ok
++- if ("%{ldap:ldap://127.0.0.1/CN=%{User- 
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS- 
Identifier}" ) returns ok

++ ... skipping else for request 0: Preceding "if" was taken
Found Auth-Type = PAM

but it works only if eckAllowedServices has only one value.
eckAllowedServices is a multi-valued string attribute, for example


eckAllowedServices[0]=httpProxy
eckAllowedServices[1]=ftp
eckAllowedServices[2]=VPN

etc.

It works only for the first element of the array, ... so in the
preceding example only if eckAllowedServices[0]=ftp.


Is there a way to have it recursively process all the elements of the
array to do the comparison?


I tried

if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices[*]}" == "%{NAS-Identifier}")


and

if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}[*]" == "%{NAS-Identifier}")


but had no luck

Marco Carcano

Just for info (for other users who may read this post in the future):
I was wondering if it performed an anonymous bind to the directory, since the
LDAP URL does not contain credentials, so I raised the LDAP server
verbosity and had a look at the log.
It works authenticated as in modules/ldap. I think this is really
important: on my server I prohibited anonymous binding, also from
localhost.





On 26/Nov/10, at 09:31, Alan DeKok wrote:

> Marco Carcano wrote:
> > I RTM unlang, but I have to admit I only got confused - The only thing I
> > have understood is to write a simple statement like this (in authorize
> > section)
> >
> >    if (NAS-Identifier == "ftp" ) {
> >    ok
> >    }
> >    else {
> >    reject
> >    }
> >
> > and I think is even wrong because returns always OK :(
>
>   And what does debug mode say?
>
> > I noticed on some posts people using a syntax like if (NAS-Identifier ==
> > %{sql: SELECT ... BLA BLA} )
>
>   See "man unlang".  This is documented.
>
> > but I have not been able to see a working example using ldap,
>
> if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {
>
> > thinking at the %{sql:SELECT ...} example I tough I syntax almost like this
> >
> >    if (NAS-Identifier ==
> > "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local
> > (eckAllowedServices)" ) {
>
>   You didn't use the same form as the SQL example.  The brackets have
> *meaning*: %{}
>
>   See "man unlang".
>
>   Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
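The check the posts above are trying to write in unlang, as an added example that is not from the list thread and not FreeRADIUS code: a small Python model of an authorize-time decision that compares NAS-Identifier against every value of the user's multi-valued eckAllowedServices attribute (case-insensitively, matching the caseIgnoreIA5Match rule of the posted schema), fails closed when the user or the attribute is missing, and builds the RFC 4515-escaped search filter that lets the directory server do the membership test itself, so a caller that can only see the first returned value still gets a correct answer. The directory is a constructed stand-in for the ou=Users subtree; the server address, DN layout and attribute name come from the thread, every helper name is an assumption.

```python
"""Added example (not FreeRADIUS code, not from the list thread): model the
authorize-time check "is NAS-Identifier one of the values of the user's
multi-valued eckAllowedServices attribute?".

DIRECTORY is a constructed stand-in for the ou=Users subtree described in
the thread; helper names are assumptions.
"""
from typing import Dict, List
from urllib.parse import quote

LDAP_SERVER = "ldap://127.0.0.1"
USERS_BASE = "ou=Users,dc=marcolinux,dc=local"
ATTR = "eckAllowedServices"

# Constructed sample data: DN -> attribute -> values.  The attribute is
# multi-valued, as in the posted schema; caseIgnoreIA5Match makes the
# comparison case-insensitive.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    f"cn=testuser,{USERS_BASE}": {ATTR: ["ftp", "httpProxy"]},
    f"cn=Administrator,{USERS_BASE}": {},            # attribute absent
    f"cn=vpnuser,{USERS_BASE}": {ATTR: ["httpProxy", "VPN"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter.
    Without it a NAS-Identifier of '*' or 'x)(objectClass=*' rewrites the
    filter instead of being compared as a literal."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value placed inside a DN (different rules
    from a filter: commas, plus, quotes, angle brackets, semicolons)."""
    out = "".join("\\" + ch if ch in '\\,+"<>;' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def user_dn(user_name: str) -> str:
    return f"cn={escape_dn_value(user_name)},{USERS_BASE}"


def membership_filter(nas_identifier: str) -> str:
    """Filter that makes the *server* test membership across all values."""
    return f"({ATTR}={escape_filter_value(nas_identifier)})"


def membership_url(user_name: str, nas_identifier: str) -> str:
    """RFC 4516 URL: base-scope search on the user's entry with the
    membership filter.  The entry (and so the attribute) comes back only
    when some value equals NAS-Identifier, so a caller that only sees the
    first value must test for 'non-empty', not for equality with
    NAS-Identifier (the first value of ["ftp", "httpProxy"] is "ftp" even
    when the match was on "httpProxy")."""
    return (f"{LDAP_SERVER}/{quote(user_dn(user_name), safe='=,')}"
            f"?{ATTR}?base?{quote(membership_filter(nas_identifier), safe='=()')}")


def search(dn: str, flt_value: str) -> List[str]:
    """Model of the base-scope search: ATTR's values if the filter matches,
    otherwise an empty result (unknown DN, missing attribute, no match)."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return []
    values = entry.get(ATTR, [])
    if any(v.lower() == flt_value.lower() for v in values):   # caseIgnoreIA5Match
        return values
    return []


def authorize(user_name: str, nas_identifier: str) -> str:
    """'ok' only when NAS-Identifier is one of the user's allowed services.
    Everything else fails closed: a check that merely cannot find the
    attribute must reject, not fall through to the authenticate section."""
    return "ok" if search(user_dn(user_name), nas_identifier) else "reject"


if __name__ == "__main__":
    for user, nas in [("testuser", "ftp"), ("testuser", "httpProxy"),
                      ("Administrator", "ftp"), ("testuser", "*")]:
        print(f"{user:14} {nas:10} -> {authorize(user, nas):7} {membership_url(user, nas)}")
```

In unlang terms this is the URL form the thread's own attempts already use, with a filter appended and the expansion tested for non-empty rather than compared to NAS-Identifier. Whether your server version escapes the values it expands into that URL is worth checking before relying on it with a NAS-Identifier you do not control; the filter is built from client-supplied input.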


Re: Checkval weird issue with LDAP backend and PAM authentication

2010-11-26 Thread Marco Carcano

Hi Alan,

just to let you know:

if (NAS-Identifier == "%{ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) {

  ok
 }

message:

++? if (NAS-Identifier == "%{ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" )

rlm_ldap: - ldap_xlat
expand: cn=%{User-Name},ou=Users,dc=marcolinux,dc=local  
(eckAllowedServices) -> cn=testuser,ou=Users,dc=marcolinux,dc=local  
(eckAllowedServices)

rlm_ldap: String passed does not look like an LDAP URL.
expand: %{ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} ->


it seems to me that it "fires" the ldap module but it doesn't like my
syntax.


the same is for

if (NAS-Identifier == "%{ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local}" ) {

  ok
 }

++? if (NAS-Identifier == "%{ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local}" )

rlm_ldap: - ldap_xlat
expand: cn=%{User-Name},ou=Users,dc=marcolinux,dc=local ->  
cn=testuser,ou=Users,dc=marcolinux,dc=local

rlm_ldap: String passed does not look like an LDAP URL.

I do not understand why the message complains about the LDAP URL - the
ldap URL is the address of the server - what I provided is an LDAP DN


I thought it was not necessary to supply the LDAP URL because it is
already provided in the modules/ldap file


Now I'm sure I have understood absolutely nothing about this module

Marco
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Checkval weird issue with LDAP backend and PAM authentication

2010-11-26 Thread Marco Carcano

Hi Alan



but I have not been able to see a working example using ldap,


if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {


thinking of the %{sql:SELECT ...} example I thought of a syntax almost
like this


   if (NAS-Identifier ==
"ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local
(eckAllowedServices)" ) {


 You didn't use the same form as the SQL example.  The brackets have
*meaning*: %{}


if (NAS-Identifier == {ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} ) {

   ok
}

when start radiusd in debug mode I got:

Expected string or numbers at: ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} )

/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

It is for that reason that I did not use brackets - I got a syntax error, so I
thought it was wrong to use them in this way


if I modify to the following in

if (NAS-Identifier == "{ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) {

   ok
}

radiusd starts well, but when trying to authenticate I got the
following message:


++? if (NAS-Identifier == "{ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" )
expand: {ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local  
(eckAllowedServices)} ->  
{ldap:cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}
? Evaluating (NAS-Identifier == "{ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) -> FALSE
++? if (NAS-Identifier == "{ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) -> FALSE

++- entering else else {...}
+++[reject] returns reject
++- else else returns reject
Using Post-Auth-Type Reject

%{User-Name} is expanded right, ... it is my syntax that is certainly
wrong, so that unlang sees it just like a string to compare


Alan, ... why don't you just provide a working example - I'm working
on a GPL'ed app - ECK, if you have a look at sourceforge you can find
it - and for almost two years now I have spent many of my nights - I have
to work during the day - and part of my weekends on a project that I
think somebody could find useful. Maybe one day many people will use
it to build their base system and simply not write to this list
asking how to have freeradius working with PAM, LDAP and so on because
thanks to ECK they'll get a working environment in less than an hour.
Maybe they'll stress you just on how to improve it


you work on freeradius because you believe in your project, I work on
mine because I believe in mine. I believe in your project and put it
into mine. We both work without being paid by anybody, just for passion


Now I'm at the final race, ... I really do not understand why you
cannot provide just an example - maybe I am stupid, but I re-read
the unlang manual several times without being able to figure out the right syntax


Marco






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Checkval weird issue with LDAP backend and PAM authentication

2010-11-25 Thread Marco Carcano

Hi Alan

I RTM unlang, but I have to admit I only got confused - The only thing
I have understood is to write a simple statement like this (in the
authorize section)


if (NAS-Identifier == "ftp" ) {
ok
}
else {
reject
}

and I think it is even wrong because it always returns OK :(

I noticed on some posts people using a syntax like if (NAS-Identifier  
== %{sql: SELECT ... BLA BLA} )


but I have not been able to see a working example using ldap, ... may  
you provide an example, please? I've not been able to figure out how  
to write it down.


my situation is this: eckAllowedServices is a multistring attribute
that contains one NAS-Identifier per line. I use service names as NAS-
Identifiers in order to perform user authorization to services - eg
authorize ftp access on a per-user basis


this is what happen when I do a ldapsearch

ldapsearch -LLL -b cn=testuser,ou=Users,dc=marcolinux,dc=local  
eckAllowedServices -x -D  
"CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local" -w  
wRtEYnd3sGkEa.Y4


dn: cn=testuser,ou=Users,dc=marcolinux,dc=local
eckAllowedServices: ftp
eckAllowedServices: httpProxy

that shows that the DN used by freeradius is able to read  
eckAllowedServices attribute


as I wrote in the previous post, I updated ldap.attrmap inserting the  
following line


checkItem   NAS-Identifier  eckAllowedServices

in order to do the "binding" between radius and LDAP

and this is the extension of the LDAP schema (eck.schema)

attributetype ( 1.3.6.1.4.1.26309.1.1.11 NAME 'eckAllowedServices'
    DESC 'Services the user is allowed to login'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

objectClass ( 1.3.6.1.4.1.26309.1.1.1 NAME 'eckGenericObject'
    AUXILIARY
    DESC 'an ECK generic object'
    MAY ( locked $ eckPublicKey $ eckPrivateKey $ userPKCS12 $ allowProxy $ eckAllowedServices ) )


thinking of the %{sql:SELECT ...} example I thought of a syntax almost like
this


if (NAS-Identifier == "ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) {

ok
}
else {
reject
}

the aim is to check if NAS-Identifier supplied by the NAS is equal to  
one of the multivalue strings of eckAllowedServices


but I always got this message - it doesn't matter whether the user has
the eckAllowedServices attribute or not:


 if (NAS-Identifier == "ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" )
expand: ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local  
(eckAllowedServices) ->  
ldap:cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices)
? Evaluating (NAS-Identifier == "ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) -> FALSE
++? if (NAS-Identifier == "ldap:cn=%{User- 
Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) -> FALSE

++- entering else else {...}
+++[reject] returns reject

I had a look at ldap.log - with verbose debugging, ... I found
references to eckAllowedServices, but not as a request for only that
attribute, as I was expecting for the unlang expression I wrote: I
got it mixed with lots of other attributes - that is the previous ldap
lookup done by the ldap module in the authorize section. In other words,
I think the unlang expression above is useless and is not processed
with a query to the ldap server. I certainly mistyped the syntax,
but I'm not able to figure out a syntax :(((



Alan, may you provide an example of unlang for LDAP? Maybe I am a slow
learner, but I think it could help me (and I hope others) a lot


Ah - I use freeradius2-2.1.7-7.el5 - that is the "official" from  
RedHat/CentOS - please, don't tell me I have to repackage it to 2.1.10  
- I had done this with quite a lot of other packages in ECK





On 23 Nov 2010, at 14:33, Alan DeKok wrote:


marco wrote:

Sorry Alan

I hadn't realized that the logs had become garbage :O( - maybe a
webmail related issue of my ISP.

Now I Bcc myself to see how it appears to recipients

I tried "man unlang" but got no manual entry - I'm using Freeradius
packaged for CentOS - I'll have a look at http://freeradius.org/radiusd/man/unlang.html
, I think it is the same.


   Upgrade to 2.1.10.  You're using a very old version of the
server.

 Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Checkval weird issue with LDAP backend and PAM authentication

2010-11-25 Thread Marco Carcano

Hi John

thank you very much for the reply - I hadn't noticed that a
freeradius2 rpm package exists


I tried, and after a lot of arrangement on the config files -  
freeradius2 splits a lot radiusd.conf - I got it working


but I have to point out this thing - that I hope you - Red Hat - will  
fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in CentOS  
package):


this is the content of the original file

#%PAM-1.0
auth       include   password-auth
account    required  pam_nologin.so
account    include   password-auth
password   include   password-auth
session    include   password-auth

it is wrong: it causes PAM auth to fail with a really strange error

pam_pass: using pamauth string  for pam.conf lookup
pam_pass: function pam_authenticate FAILED for . Reason:  
Module is unknown

++[pam] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}

this error caused me a little headache because initially I thought it
was a misconfiguration of mine in freeradius.


the fix is to replace the contents of /etc/pam.d/radiusd with

#%PAM-1.0
auth       include   system-auth
account    required  pam_nologin.so
account    include   system-auth
password   include   system-auth
session    include   system-auth

PAM is useful in situations like my Easy Configuration Kit - ECK:
I built an AAA system that relies on Freeradius that does Accounting in
MySQL, Authorization with OpenLDAP and Authentication by Kerberos -
the LDAP directory is Kerberized. I think that PAM and SASL are the
right way to accomplish this - in ECK it works.


Maybe you already know about this issue - I hope this post can help
anybody who gets this strange error - until the package gets fixed


as for my checkval issue, I have not been able to fix it! I tried
to learn unlang, but the only thing I have now in my head is a lot of
confusion, ... but I'll answer directly to Alan's reply in order not to
post the same message twice


thank you again, you put me on the right track

Marco Carcano



On 23 Nov 2010, at 16:25, John Dennis wrote:


On 11/23/2010 08:33 AM, Alan DeKok wrote:

marco wrote:

Sorry Alan

I hadn't realized that the logs had become garbage :O( - maybe a
webmail related issue of my ISP.

Now I Bcc myself to see how does it appear to recipients

I tried "man unlang" but got no manual entry - I'm using
Freeradius packaged for CentOS - I'll have a look at http://freeradius.org/radiusd/man/unlang.html
, I think it is the same.


 Upgrade to 2.1.10.  You're using a very old version of  
the

server.


The 2.x versions of FreeRADIUS on CentOS are under the package name  
freeradius2, not freeradius.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Checkval weird issue with LDAP backend and PAM authentication

2010-11-23 Thread marco
for check items in directory...
rlm_ldap: Adding eckAllowedServices as NAS-Identifier, value ftp & op=21
rlm_ldap: Adding eckAllowedServices as NAS-Identifier, value httpProxy & op=21
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [U  ] & 
op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value 
AB39C1761CF4947661DAB7AF9849A61E & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value pam & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding FTPQuotaFilesTransferred as 
ArticaECK-FTP-Quota-Files-Transferred, value 0 & op=11
rlm_ldap: Adding FTPQuotaFilesOutgoing as ArticaECK-FTP-Quota-Files-Outgoing, 
value 0 & op=11
rlm_ldap: Adding FTPQuotaFilesIncoming as ArticaECK-FTP-Quota-Files-Incoming, 
value 50 & op=11
rlm_ldap: Adding FTPQuotaBytesTransferred as 
ArticaECK-FTP-Quota-Bytes-Transferred, value 0 & op=11
rlm_ldap: Adding FTPQuotaBytesOutgoing as ArticaECK-FTP-Quota-Bytes-Outgoing, 
value 0 & op=11
rlm_ldap: Adding FTPQuotaBytesIncoming as ArticaECK-FTP-Quota-Bytes-Incoming, 
value 200 & op=11
rlm_ldap: Adding FTPQuotaIsPerSession as ArticaECK-FTP-Quota-Is-Per-Session, 
value FALSE & op=11
rlm_ldap: Adding FTPQuotaLimitType as ArticaECK-FTP-Quota-Limit-Type, value 
soft & op=11
rlm_ldap: Adding loginShell as ArticaECK-FTP-Shell, value /bin/tcsh & op=11
rlm_ldap: Adding homeDirectory as ArticaECK-FTP-Home, value /home/testuser & 
op=11
rlm_ldap: Adding gidNumber as ArticaECK-FTP-GID, value 100 & op=11
rlm_ldap: Adding uidNumber as ArticaECK-FTP-UID, value 1001 & op=11
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
rlm_checkval: Item Name: NAS-Identifier, Value: ftp
rlm_checkval: Value Name: NAS-Identifier, Value: ftp
  modcall[authorize]: module "NAS" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type pam
auth: type "PAM"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string  for pam.conf lookup
pam_pass: authentication succeeded for 
  modcall[authenticate]: module "pam" returns ok for request 0
modcall: leaving group authenticate (returns ok) for request 0
  Processing the post-auth section of radiusd.conf
 
and that Administrator doesn't

rlm_ldap: Adding loginShell as ArticaECK-FTP-Shell, value /bin/bash & op=11
rlm_ldap: Adding homeDirectory as ArticaECK-FTP-Home, value /home/Administrator 
& op=11
rlm_ldap: Adding gidNumber as ArticaECK-FTP-GID, value 100 & op=11
rlm_ldap: Adding uidNumber as ArticaECK-FTP-UID, value 1000 & op=11
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
rlm_checkval: Item Name: NAS-Identifier, Value: ftp
rlm_checkval: Could not find attribute named NAS-Identifier in check pairs
  modcall[authorize]: module "NAS" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type pam
auth: type "PAM"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string  for pam.conf lookup
pam_pass: authentication succeeded for 
  modcall[authenticate]: module "pam" returns ok for request 0
modcall: leaving group authenticate (returns ok) for request 0
  Processing the post-auth section of radiusd.conf
 
but I always got both of them authorized. How is it possible? What did I do wrong?
Why does freeradius go to the authentication section although the checkval
module "NAS" returned notfound? I'm sure I made some kind of mistake, but I
really am not able to find it. For days now I've been googling around and getting
quite crazy - I hope that someone of you may help me. Thank you very much
 
Marco Carcano
 
Configuration files

RADIUSD.CONF###
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad =

Checkval weird issue with LDAP backend and PAM authentication

2010-11-22 Thread marco
Auth-Type, value pam & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding FTPQuotaFilesTransferred as ArticaECK-FTP-Quota-Files-Transferred, value 0 & op=11
rlm_ldap: Adding FTPQuotaFilesOutgoing as ArticaECK-FTP-Quota-Files-Outgoing, value 0 & op=11
rlm_ldap: Adding FTPQuotaFilesIncoming as ArticaECK-FTP-Quota-Files-Incoming, value 50 & op=11
rlm_ldap: Adding FTPQuotaBytesTransferred as ArticaECK-FTP-Quota-Bytes-Transferred, value 0 & op=11
rlm_ldap: Adding FTPQuotaBytesOutgoing as ArticaECK-FTP-Quota-Bytes-Outgoing, value 0 & op=11
rlm_ldap: Adding FTPQuotaBytesIncoming as ArticaECK-FTP-Quota-Bytes-Incoming, value 200 & op=11
rlm_ldap: Adding FTPQuotaIsPerSession as ArticaECK-FTP-Quota-Is-Per-Session, value FALSE & op=11
rlm_ldap: Adding FTPQuotaLimitType as ArticaECK-FTP-Quota-Limit-Type, value soft & op=11
rlm_ldap: Adding loginShell as ArticaECK-FTP-Shell, value /bin/tcsh & op=11
rlm_ldap: Adding homeDirectory as ArticaECK-FTP-Home, value /home/testuser & op=11
rlm_ldap: Adding gidNumber as ArticaECK-FTP-GID, value 100 & op=11
rlm_ldap: Adding uidNumber as ArticaECK-FTP-UID, value 1001 & op=11
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
rlm_checkval: Item Name: NAS-Identifier, Value: ftp
rlm_checkval: Value Name: NAS-Identifier, Value: ftp
  modcall[authorize]: module "NAS" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type pam
auth: type "PAM"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string for pam.conf lookup
pam_pass: authentication succeeded for
  modcall[authenticate]: module "pam" returns ok for request 0
modcall: leaving group authenticate (returns ok) for request 0
  Processing the post-auth section of radiusd.conf
 
and that Administrator doesn't
 
rlm_ldap: Adding uidNumber as ArticaECK-FTP-UID, value 1000 & op=11
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3
rlm_checkval: Item Name: NAS-Identifier, Value: ftp
rlm_checkval: Could not find attribute named NAS-Identifier in check pairs
  modcall[authorize]: module "NAS" returns notfound for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password:  Found Auth-Type pam
auth: type "PAM"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
pam_pass: using pamauth string for pam.conf lookup
pam_pass: authentication succeeded for
  modcall[authenticate]: module "pam" returns ok for request 3
modcall: leaving group authenticate (returns ok) for request 3
  Processing the post-auth section of radiusd.conf
 
but I always got both of them authorized. How is it possible? What did I do
wrong? Why does freeradius go to the authentication section although the checkval
module "NAS" returned notfound? I'm sure I made some kind of mistake, but
I really am not able to find it. For days now I've been googling around and getting
quite crazy - I hope that someone of you may help me. Thank you very much
 
Marco Carcano
 
Configuration files

RADIUSD.CONF###
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
  max_attributes = 200
  reject_delay = 1
  status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp= no
$INCLUDE  ${confdir}/snmp.conf

thread pool {
  start_servers = 5
  max_servers = 32
  min_spare_servers = 3
  max_spare_servers = 10
  max_requests_per_server = 0
}

modules {
  pap {
encryption_scheme = crypt
  }

  chap {
authtype = CHAP
  }

  pam {
pam_auth = radiusd
  }

  $INCLUDE ${confdir}/eap.conf

  mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
  }

  ldap {
server = "127.0.0.1"
identity = "CN=FreeRADI

DHCP with option 82 best practice

2010-10-18 Thread Zietz, Marco
Hi everybody,

at first I want to thank Arran and Alan for their help with my last
post. Good job! Had trouble getting the lists reply's, but solved now.

I am curious if somebody could share information how to get FR as DHCP
with option 82 authentication up and running. Couldn't find much
information in provided sample files and on the net. My own experiments
with auth configs were not particularly successful. The key I am missing
is the link between having DHCP-Relay-Circuit-Id in DHCP-Request and
DHCP-Discover messages and kicking in some kind of auth in order to
return a DHCP-Offer/Ack message including a client IP out of the
configured IP pools. Backend is mysql. 

I have the feeling that most users straight heading for rlm_perl and not
using the ppp/chap/pap alike chain. This I would understand since the
handshakes differ. Confirmation of this thesis would help me as well, so
I can stop searching and start coding ;o)

Any comment much appreciated!

Cheers,

Marco


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius 2.1.10 DHCP not responding

2010-10-13 Thread Zietz, Marco
e {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
 listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
 }
}
listen {
type = "dhcp"
ipaddr = 192.168.73.10
port = 67
}
listen {
type = "dhcp"
ipaddr = 192.168.72.10
port = 67
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on dhcp interface vlan73 address 192.168.73.10 port 67 as
server dhcp
Listening on dhcp interface vlan72 address 192.168.72.10 port 67 as
server dhcp
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
=

linux:/usr/local/etc/raddb/sites-available# egrep -v "^$|^[[:space:]]*#"
dhcp.net1
server dhcp {
listen {
ipaddr = 192.168.72.10
port = 67
type = dhcp
interface = vlan72
broadcast = yes
}
dhcp DHCP-Discover {
update reply {
   DHCP-Message-Type = DHCP-Offer
}
update reply {
DHCP-Domain-Name-Server = XXX.65.0.XXX
DHCP-Domain-Name-Server = XXX.65.31.XXX
DHCP-Subnet-Mask = 255.255.255.0
DHCP-Router-Address = 192.168.72.1
DHCP-IP-Address-Lease-Time = 400
DHCP-DHCP-Server-Identifier = 192.168.72.10
}
ok
}
dhcp DHCP-Request {
update reply {
   DHCP-Message-Type = DHCP-Ack
}
update reply {
DHCP-Domain-Name-Server = XXX.65.0.XXX
DHCP-Domain-Name-Server = XXX.65.31.XXX
DHCP-Subnet-Mask = 255.255.255.0
DHCP-Router-Address = 192.168.72.1
DHCP-IP-Address-Lease-Time = 400
DHCP-DHCP-Server-Identifier = 192.168.72.10
}
ok
}
dhcp {
reject
}
}
===

Any hint appreciated! If you need extra info let me know.

Thank you for your help!

Cheers 

Marco


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


proxy everyone

2010-07-20 Thread marco perugini

hi list!
i'm setting up my freeradius architecture with a single proxy and 
multiple servers;

here's my scenario:
freeradius server # 1 -> my own server [realm local.net]
freeradius server # 2 -> external server [realm ext.net]
freeradius proxy -> i know everything about users i proxy towards my 
server [# 1] but i don't know anything about users i proxy towards 
external server [# 2]. i would proxy every_usern...@ext.net just to log 
requests.


so this is my question for you: can i use rlm_realm to proxy an entire 
realm without knowing the usernames, just to trace auth/acct requests? or 
am i crazy?


i hope you'll understand my question. ;)

thanks,
duffy
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
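An added configuration sketch of what the question describes, written for this page and not taken from the list post or from the proxy.conf that ships with FreeRADIUS: a 2.x proxy.conf that hands every request in realm ext.net to the external server without the proxy knowing any of its users, and every request in realm local.net to the proxy owner's own server. The addresses, shared secrets and pool names are placeholders.

```conf
# proxy.conf fragment for FreeRADIUS 2.x (added example; addresses and
# secrets are placeholders, not values from the post)

# freeradius server # 1: the poster's own server, realm local.net
home_server local_net_srv {
	type      = auth+acct          # accounting goes to port+1 (1813)
	ipaddr    = 192.0.2.10         # assumed address of server # 1
	port      = 1812
	secret    = changeme-local     # shared secret agreed with server # 1
	status_check = status-server
}

# freeradius server # 2: the external server, realm ext.net
home_server ext_net_srv {
	type      = auth+acct
	ipaddr    = 198.51.100.20      # assumed address of server # 2
	port      = 1812
	secret    = changeme-ext       # shared secret agreed with server # 2
	status_check = status-server
}

home_server_pool local_net_pool {
	type        = fail-over
	home_server = local_net_srv
}

home_server_pool ext_net_pool {
	type        = fail-over
	home_server = ext_net_srv
}

# rlm_realm only needs the realm name: every user@ext.net is proxied
# to the pool, no per-user knowledge on the proxy.
realm ext.net {
	auth_pool = ext_net_pool
	acct_pool = ext_net_pool
	nostrip                        # forward the full user@realm name
}

realm local.net {
	auth_pool = local_net_pool
	acct_pool = local_net_pool
	nostrip
}
```

The proxy never sees credentials for ext.net users in a form it can verify, which is the point of the question: it forwards and records. To keep the trace, call a detail module from the pre-proxy (and post-proxy) section of sites-enabled/default rather than logging in authorize, so that what is written is exactly what was forwarded and what came back.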


expired user accounts between two dates

2010-05-27 Thread Marco Jaraiz
hello,

i want to use the expiration module to validate user accounts, but i need to check
the expiration between two dates, an init and a finish date.
can somebody help me?

thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Error: rlm_eap: No EAP session matching the State variable.

2010-04-12 Thread marco zamora

 
hello..


I wanted to know if you can help me with the configuration of a RADIUS
server on CentOS 5; the thing is that I am a beginner at this.
I have already installed the CentOS system and the radius and openssl packages that
come on the CentOS installation DVD, and configured the radius files
eap.config, radiusd.config, client.config and user, but
when starting the server the service fails to start.


The authentication method I am using is eap-peap with wpa2
aes encryption.


Here I send you the files that I configured.


Regards:
Marco Zamora



 


Date: Mon, 12 Apr 2010 10:07:26 +0530
Subject: Error: rlm_eap: No EAP session matching the State variable.
From: a.rupes...@gmail.com
To: freeradius-users@lists.freeradius.org

Hi,


I am using latest freeradius server (version 2.1.8).


I have two authenticated sessions established with radius server and when 
disable and reenable the dot1x sessions, then I am seeing the following error 
and one request is getting Reject message from the server.



Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Error: rlm_eap: No EAP session matching the State variable.
Info: [eap] Either EAP-request timed out OR EAP-response to an unknown 
EAP-request
Info: [eap] Failed in handler
Info: ++[eap] returns invalid


I have seen the archive and found there are some old issues related to this 
error.


Is it a known issue in radius server or what is the root cause of it.


I have attached radius server failure log messages


Thanks in advance !


Cheers
Rupesh
  

Configuracion.rar
Description: Binary data
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Re: EAP session matching the State variable

2009-11-02 Thread marco perugini




thanks a lot for your feedback alan!

marco


Alan DeKok ha scritto:

  marco perugini wrote:
  
  
is there a way to restart the eap session? is there some script to run to
have EAP restarted from scratch?

  
  
  Your supplicant needs to re-start the EAP session.  This is a question
for your local OS vendor.

  Alan DeKok.

  


-- 
4IT S.r.l.
Marco Perugini | system administrator
Via Udine 30-36, 00161 Roma
Phone +39 06 97601680
Mobile +39 339.39.81.246
Fax +39 06 97601683
m.perug...@4it.it
www.4it.it

"This electronic mail transmission and any accompanying attachments contain
confidential information. If you have received this communication in
error, please immediately delete the E-mail and notify the
sender. Thank you."

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Re: EAP session matching the State variable

2009-11-02 Thread marco perugini





Alan DeKok ha scritto:

  marco perugini wrote:
  
  
hi list, i use freeradius [v 2.1.1] in a wimax context and since yesterday
this message is driving me crazy: "EAP session matching the State variable".

  
  
  That's "NO eap session matching..."

  
  
here's the use-case: i do auth and connection all right but if/when i lose my
connection and try to reconnect that message shows up in radius' debug;

  
  
  Then your supplicant and/or access point is broken.  If the supplicant
loses association with the AP, then EAP *must* be re-started from
scratch.  Re-using State attributes from previous EAP sessions will
cause authentication to fail on *every* single RADIUS server that exists.
  

hi alan! thanks for your feedback, kind as usual..
is there a way to restart the eap session? is there some script to run to
have EAP restarted from scratch?

best regards, marco

  
  
  
in about 20 min i succeed in reconnecting. i thought radius was stateless..

  
  
  No.  EAP requires state.  The AP maintains state for EAP sessions.

  
  
do you know if there is some config changes to do to avoid this trouble?

  
  
  Fix the AP so that it doesn't re-use old State attributes.

  Alan DeKok.

  


-- 
4IT S.r.l.
Marco Perugini | system administrator
Via Udine 30-36, 00161 Roma
Phone +39 06 97601680
Mobile +39 339.39.81.246
Fax +39 06 97601683
m.perug...@4it.it
www.4it.it

  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

EAP session matching the State variable

2009-10-14 Thread marco perugini




hi list, i use freeradius [v 2.1.1] in wimax context and from yesterday
this message is driving me crazy: "EAP session matching the State variable".
here's the use-case: i do auth and connection all right but if/when i lose my
connection and i try to reconnect that message shows up in radius' debug;
in about 20 min i succeed in reconnecting. i thought radius was stateless..
do you know if there are some config changes to do to avoid this trouble?
thanks in advance for feedback, if there will be.. ;)
marco




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Re: raddebug before 2.1.4

2009-10-14 Thread marco perugini




thanks a lot for your feedback alan! you're so helpful..
so i'd have to restart my production server :( i guess i'm going to
upgrade!
marco

Alan DeKok wrote:
> marco perugini wrote:
>> hi list! my simple question is: is there a way to use the
>> powerful/wonderful raddebug script with version 2.1.1? or the only way
>> is to start the server with the -x option?
>
> It can't be used with 2.1.1.  There are other changes inside of the
> server to work with raddebug.
>
> Alan DeKok.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

raddebug before 2.1.4

2009-10-13 Thread marco perugini




hi list! my simple question is: is there a way to use the
powerful/wonderful raddebug script with version 2.1.1? or the only
way is to start the server with the -x option?
thanks and regards,
marco

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Re: radius + dhcp

2009-10-06 Thread marco perugini




hi alan, first of all thanks for your feedback!
now i'm going to explain better: i'm in a WiMax context with freeradius
2.1.1 and i want to differentiate several clients to assign addresses
according to realm;
here's an example: i've clie...@realm1, clie...@realm1 and
clie...@realm1 and there's also clie...@realm2. now i'd love that my
dhcp assigns IPs from the 10.x.x.x pool to realm1's clients and IPs
from the 20.x.x.x pool to realm2's clients.
so do you know if it's possible to do with a classic dhcp server [dhcpd]?
or with freeradius's embedded dhcp server? or am i guessing something
impossible?
thanks in advance for your attention and sorry for my bad english,
marco

Alan DeKok wrote:
> marco perugini wrote:
>> hi list!
>> i've two services: radius server and dhcp server.
>> does anyone know if i can assign static addresses according to realm and
>> not to mac?
>
> The DHCP side of the server can assign IP's based on whatever you want.
>
> Alan DeKok.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

radius + dhcp

2009-10-05 Thread marco perugini




hi list!
i've two services: radius server and dhcp server.
does anyone know if i can assign static address according to realm and
not to mac?
thanks in advance and best regards,
marco

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Statistic RADIUS

2009-06-16 Thread Marco De Magistris
Hi all,

In my scenario FreeRadius is used as a RADIUS PROXY.

Is it possible with FreeRadius to generate statistics based on an
Attribute?

i.e. the statistics based on NAS-Port-ID.

Thanks in advance for your support.

Regards

Marco

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Freeradius-Users Digest, Vol 50, Issue 18

2009-06-04 Thread Marco De Magistris

Hi Nicolas,

> Be careful that using MD5 is not possible with all authentication
> methods:
> http://deployingradius.com/documents/protocols/compatibility.html
> (as you cannot uncrypt a hash)

I'm working on a Radius Proxy.

The method used for Authentication is EAP-TLS. The server is configured with a
certificate for EAP-TLS.

As Radius Proxy, I need to send the packet, received from the Radius Client,
towards the Radius Server, with a Message-Authenticator (HMAC-MD5).

Home_server function:

  home_server SERVER1 {
        ...
        require_message_authenticator = yes
        secret = 
        ...
  }

As Radius Proxy, should I define authentication protocols?

Thanks
Regards

   Marco

-Original Message-
From: freeradius-users-bounces+marco.de.magistris=ericsson@lists.freeradius.org
[mailto:freeradius-users-bounces+marco.de.magistris=ericsson@lists.freeradius.org]
On Behalf Of freeradius-users-requ...@lists.freeradius.org
Sent: Thursday 4 June 2009 13.55
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 50, Issue 18

Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-requ...@lists.freeradius.org

You can reach the person managing the list at
freeradius-users-ow...@lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. Re: dealing with 'corrupt' detail file (Arran Cudbard-Bell)
   2. How use tagged atrributes? (r.fila...@ttk.ru)
   3. help HMAC-MD5  (Marco De Magistris)
   4. Re: help HMAC-MD5  (Nicolas Goutte)


--

Message: 1
Date: Thu, 04 Jun 2009 11:34:59 +0100
From: Arran Cudbard-Bell 
Subject: Re: dealing with 'corrupt' detail file
To: FreeRadius users mailing list

Message-ID: <4a27a353.3050...@sussex.ac.uk>
Content-Type: text/plain; charset=UTF-8


Hi,
>>> (I've already got, on my list, use Calling-Station-Id
>>> instead of NAS-Port for the unique function as many
>>> NAS use the same port for every accounting packet :-|)
>>   Create a patch, and send it to the list via git format-patch.  "Best
>> practices" really need to go into the server configuration.  Anything
>> else is too frustrating for the end users.
>
> I was hoping to get a small discussion initiated that would
> hopefully bring up a few things that people find they have to do
> to their configs ...at the end of which we get a nice comprehensive
> list of updates needed for the core server configuration (and hopefully
> a large number of 'you need to change this or add that' blog/wiki/random
> document entries removed across the world)
We write out a different detail file per hour. If for whatever reason
the account buffer gets to be big, and you have to restart the server,
at least you only have to deal with an hours worth of duplicate
accounting logs.

And just as Alan DeKok suggested:

accounting {
        #
        #  Log traffic to an SQL database.
        #
        #  See "Accounting queries" in sql.conf
        sql {
                invalid = 2
        }
        if (invalid) {
                ok
        }
}

You can log it to a rejects detail file as well, if you want to dissect
the packets later.

The other (far more difficult) to handle one, is where you're using this
to Proxy eduroam Accounting records back to an ORPS.

If the administrator of the ORPS has been particularly... obnoxious.
Then the ORPS will not send Accounting-Responses, and the packet will be
stuck in the detail file indefinitely.

Our workaround is:

accounting {
        #
        # Icky workaround for lack of universal eduroam accounting support
        # Really need NRPS to manufacture accounting response.
        #
        if ((Acct-Delay-Time < 600) || (Realm != 'remote.jrs')) {
                proxy_to_realm
        }

        #
        # Since we're proxying, we don't log anything
        # locally.  Ensure that the accounting section
        # "succeeds" by forcing an "ok" return.
        ok
}

This sucks, because perfectly valid Accounting Requests might be lost if
they were received at around the same time as invalid ones.

I'd be interested to hear if anyone has a better solution than the above.

Thanks,
Arran

help HMAC-MD5

2009-06-04 Thread Marco De Magistris
Hi all,

Sorry, but I'm confused about the HMAC-MD5 method.

I'm working on a Radius Proxy implementation.

The scenario is the following:

RADIUS Client -> Radius Proxy -> Radius Server.

Radius Client sends a Radius Packet towards Radius Proxy
(Message-Authenticator not used).

Radius Proxy sends the Radius Packet towards Radius Server using the
HMAC-MD5 method. How to configure the RADIUS Proxy? Should I add an
MD5-Password Attribute? Is MD5-Password identical to the Shared Secret
between Radius Proxy and Radius Server?

Thanks in advance

  Marco

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
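The point behind the question above, as an added example (not code from the list or from FreeRADIUS): the Message-Authenticator that a proxy must send to a home server with `require_message_authenticator = yes` is HMAC-MD5 over the packet, keyed with the shared secret of that hop, so no password attribute is involved. The attribute values, identifiers, the two secrets and the simplified `proxy_forward` logic below are all constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code, Identifier, Length, Request Authenticator


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length (value + 2), value."""
    out = bytearray()
    for typ, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return bytes(out)


def parse_attrs(packet):
    """Walk the attribute area of a RADIUS packet, rejecting malformed lengths."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        typ, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((typ, packet[pos + 2:pos + ln]))
        pos += ln
    return attrs


def build_access_request(identifier, request_authenticator, attrs, secret):
    """Access-Request with a Message-Authenticator valid under `secret` (RFC 2869 s5.14):
    HMAC-MD5 keyed with the shared secret of this hop, over the whole packet with the
    Message-Authenticator value itself set to 16 zero bytes."""
    body = encode_attrs(list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    header += request_authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac  # the zero placeholder is the last 16 bytes


def verify_message_authenticator(packet, secret):
    """True iff the packet carries a Message-Authenticator valid under `secret`.
    No attribute at all also fails, as with require_message_authenticator = yes."""
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return False
    pos = HEADER_LEN
    for typ, value in attrs:
        if typ == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
        pos += 2 + len(value)
    return False


def proxy_forward(client_packet, new_identifier, home_server_secret):
    """Simplified stand-in for the proxy -> home server hop: drop any MAC from the
    NAS hop, issue a new Identifier/Request Authenticator, and sign under the
    proxy/home-server secret. (A real proxy also re-encrypts User-Password under
    the new secret and adds Proxy-State; omitted here.)"""
    attrs = [(t, v) for t, v in parse_attrs(client_packet)
             if t != ATTR_MESSAGE_AUTHENTICATOR]
    return build_access_request(new_identifier, os.urandom(16), attrs,
                                home_server_secret)


def demo():
    """Constructed sample: the NAS sends a request without Message-Authenticator
    (as in the question) and the proxy forwards it with one. Secrets are made up."""
    nas_secret = b"nas-secret"           # constructed: NAS <-> proxy secret
    home_secret = b"homeserver-secret"   # constructed: proxy <-> home server secret
    attrs = [(ATTR_USER_NAME, b"user@isp1.com"),
             (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 1, 2]))]
    body = encode_attrs(attrs)
    client_pkt = (struct.pack("!BBH", ACCESS_REQUEST, 7, HEADER_LEN + len(body))
                  + bytes(range(16)) + body)  # fixed authenticator, demo only
    forwarded = proxy_forward(client_pkt, 8, home_secret)
    return {
        "client_has_valid_mac": verify_message_authenticator(client_pkt, nas_secret),
        "forwarded_valid_for_home": verify_message_authenticator(forwarded, home_secret),
        "forwarded_valid_for_nas_secret": verify_message_authenticator(forwarded, nas_secret),
        "forwarded_len": len(forwarded),
        "forwarded": forwarded,
    }
```

The forwarded packet verifies only under the proxy/home-server secret; any change to a carried attribute (say, User-Name) invalidates it.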

Fail-over. Send the request directly to Server2

2009-05-26 Thread Marco De Magistris
Hi guys,

My scenario is:

                                  --> Radius Server 1
Radius Client --> Radius Proxy ---
                                  --> Radius Server 2

Radius Proxy sends the request to the first live home server in the list
(fail-over method).

Radius Proxy sends the request towards Server1. Server 1 is down. Now
the Radius Proxy rejects the Request.

Radius Client          Radius Proxy          Radius Server1
  | Request      -->   |                      |
  |                    | Request       -->    |
  | <--   Reject       |                      |

Can RadiusProxy send the request directly towards Server2, if Server1 is
down?

Radius Client          Radius Proxy          Radius Server1
  | Request      -->   |                      |
  |                    | Request       -->    |  (Server1 is down, Radius Proxy sends
  |                    |                      |   the packet towards Server2)
                                              Radius Server2
  |                    | Request       -->    |
  |                    | <--   Accept         |

Thanks in advance

  Marco

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Freeradius-Users Digest, Vol 49, Issue 117

2009-05-26 Thread Marco De Magistris
Hi Alan

Thanks for your help.

Marco

-Original Message-
From: freeradius-users-bounces+marco.de.magistris=ericsson@lists.freeradius.org
[mailto:freeradius-users-bounces+marco.de.magistris=ericsson@lists.freeradius.org]
On Behalf Of freeradius-users-requ...@lists.freeradius.org
Sent: Tuesday 26 May 2009 17.58
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 49, Issue 117


Today's Topics:

   1. Re: Statistic Counter (Alan DeKok)
   2. problem with rlm_counter module when reset option is set to
  never (Ahmed Nifaz Faizabadi)
   3. Re: problem with rlm_counter module when reset option is set
  to never (Ivan Kalik)
   4. Re: problem with rlm_counter module when reset option is set
  to never (Ahmed Nifaz Faizabadi)
   5. Re: problem with rlm_counter module when reset option is set
  to never (Alan DeKok)
   6. Assigning IP address from RADIUS to Cisco PPTP users (u...@3.am)
   7. wired 802.1x for desktops (offtopic) (Mikael Kermorgant)
   8. FW:  freeradius2.1.4--Simultaneous (??)


--

Message: 1
Date: Tue, 26 May 2009 13:29:51 +0200
From: Alan DeKok 
Subject: Re: Statistic Counter
To: FreeRadius users mailing list

Message-ID: <4a1bd2af.5050...@deployingradius.com>
Content-Type: text/plain; charset=UTF-8

Marco De Magistris wrote:
> Can I enable other counters for  AuthRadiusClientAccessRetransmissions,
> AuthRadiusClientTimeouts, AuthRadiusClientCounterDiscontinuity)?

  The server does not currently track those statistics.

  As always, patches are welcome.

> Or I should use ?counter? module of FreeRadius?

  No.  It won't do what you want.

  Alan DeKok.



--

Message: 2
Date: Tue, 26 May 2009 18:13:59 +0530
From: Ahmed Nifaz Faizabadi 
Subject: problem with rlm_counter module when reset option is set to
never
To: freeradius-users@lists.freeradius.org
Message-ID:

Content-Type: text/plain; charset=ISO-8859-1

Hi all,

Here is the issue I am facing with rlm_counter module.
I am using freeradius-server-2.1.4 and configuring Max session time
for each user.

for example:
user1   Max-Session-Time := 1800, Auth-Type := Reject
        Reply-Message = "Your time limit is used"

user2   Max-Session-Time := 3600, Auth-Type := Reject
        Reply-Message = "Your time limit is used"

and rlm_counter options are :

counter daily {
        counter-name = Max-All-Session-Time
        check-name = Max-All-Session
        key = User-Name
        reset = never
}


I am observing that the user accounting record is not deleted from
rlm_counter module once the user has used his allocated time. For
example when user1 has used 1800 seconds allocated to him then I will
be deleting the user from users config and then add the same user
back. I am getting the "Your time limit is used" message :(.

Does somebody has information about how to delete the records from
rlm_counter module once they are expired with reset-option set to
never.

Regards
Ahmed Nifaz


--

Message: 3
Date: Tue, 26 May 2009 14:15:35 +0100 (BST)
From: "Ivan Kalik" 
Subject: Re: problem with rlm_counter module when reset option is set
to never
To: "FreeRadius users mailing list"

Message-ID:
<30874.194.176.105.44.1243343735.squir...@webmail.kalik.net>
Content-Type: text/plain;charset=utf-8

> Here is the issue I am facing with rlm_counter module.
> I am using freeradius-server-2.1.4 and configuring Max session time
> for each user.
>
> for example:
> user1  Max-Session-Time := 1800, Auth-Type := Reject
> Reply-Message = "Your time limit is used"
>
> user2  Max-Session-Time := 3600, Auth-Type := Reject
> Reply-Message = "Your time limit is used"
>
> and rlm_counter options are :
>
> counter daily {
>counter-name = Max-All-Session-Time
>check-name = Max-All-Session
>key = User-Name
>reset = never
>}
>
>
> I am observing that the user accounting record is not deleted from
> rlm_counter module once the user has used his allocated time.

And what makes you think it would be.


Statistic Counter

2009-05-25 Thread Marco De Magistris
Hi all,

Thanks in advance for your help.

My scenario is shown below:

Radius Client  -->  Radius Proxy  -->  Radius Server
192.168.1.2         192.168.1.3        IPS1 (192.168.1.4)

I need the following Authentication Statistics of the RADIUS Server
(192.168.1.4):

 AuthRadiusClientAccessRequests            Counter32,
 AuthRadiusClientAccessRetransmissions     Counter32,
 AuthRadiusClientAccessAccepts             Counter32,
 AuthRadiusClientAccessRejects             Counter32,
 AuthRadiusClientAccessChallenges          Counter32,
 AuthRadiusClientMalformedAccessResponses  Counter32,
 AuthRadiusClientBadAuthenticators         Counter32,
 AuthRadiusClientPendingRequests           Gauge32,
 AuthRadiusClientTimeouts                  Counter32,
 AuthRadiusClientUnknownTypes              Counter32,
 AuthRadiusClientPacketsDropped            Counter32,
 AuthRadiusClientCounterDiscontinuity      TimeTicks

Launch the command:

echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1 ,
FreeRADIUS-Stats-Server-IP-Address = 192.168.1.4 ,
FreeRADIUS-Stats-Server-Port = 1812" | ./radclient -s 192.168.1.3:1812 status

Received response ID 59, code 2, length = 140
FreeRADIUS-Total-Access-Requests = 56
FreeRADIUS-Total-Access-Accepts = 0
FreeRADIUS-Total-Access-Rejects = 1
FreeRADIUS-Total-Access-Challenges = 0
FreeRADIUS-Total-Auth-Responses = 0
FreeRADIUS-Total-Auth-Duplicate-Requests = 3
FreeRADIUS-Total-Auth-Malformed-Requests = 0
FreeRADIUS-Total-Auth-Invalid-Requests = 0
FreeRADIUS-Total-Auth-Dropped-Requests = 5
FreeRADIUS-Total-Auth-Unknown-Types = 0

   Total approved auths:  1
     Total denied auths:  0
       Total lost auths:  0

Can I enable other counters for AuthRadiusClientAccessRetransmissions,
AuthRadiusClientTimeouts, AuthRadiusClientCounterDiscontinuity?

Or should I use the "counter" module of FreeRadius?

RadiusClientAccessRetransmissions
   "The number of RADIUS Access-Request packets retransmitted to this
   RADIUS authentication server. This counter may experience a
   discontinuity when the RADIUS Client module within the managed entity
   is reinitialized, as indicated by the current value of
   edaRadiusServerCounterDiscontinuity."

RadiusClientTimeouts
   "The number of authentication timeouts to this server. After a
   timeout, the client may retry to the same server, send to a different
   server, or give up.  A retry to the same server is counted as a
   retransmit as well as a timeout.  A send to a different server is
   counted as a Request as well as a timeout. This counter may experience
   a discontinuity when the RADIUS Client module within the managed entity
   is reinitialized, as indicated by the current value of
   edaRadiusServerCounterDiscontinuity."

RadiusClientCounterDiscontinuity
   "The number of centiseconds since the last discontinuity in the RADIUS
   Client counters.  A discontinuity may be the result of a
   reinitialization of the RADIUS Client module within the managed
   entity."

Thanks

Regards

   Marco


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Freeradius-Users Digest, Vol 49, Issue 100

2009-05-22 Thread Marco De Magistris


Hi Ivan,

>>   4. Proxying packets from a fixed source IP address (Alan DeKok)

It is a good idea.

Thanks for your help.
The solution works fine.

Marco

-Original Message-
From: freeradius-users-bounces+marco.de.magistris=ericsson@lists.freeradius.org
[mailto:freeradius-users-bounces+marco.de.magistris=ericsson@lists.freeradius.org]
On Behalf Of freeradius-users-requ...@lists.freeradius.org
Sent: Thursday 21 May 2009 18.50
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 49, Issue 100


Today's Topics:

   1. Re: Freeradius-Users Digest, Vol 49, Issue 95 (Alan DeKok)
   2. RE: Freeradius-Users Digest, Vol 49, Issue 95 (Ivan Kalik)
   3. Re: question about session resumption and reply attributes
  (Alan DeKok)
   4. Proxying packets from a fixed source IP address (Alan DeKok)
   5. Re: Rewriting User-Name in pre-proxy (William Taylor)
   6. Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
  (Just E. Mail)
   7. Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
  (a.l.m.bu...@lboro.ac.uk)
   8. Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
  (John Dennis)
   9. Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
  (Just E. Mail)


--

Message: 1
Date: Thu, 21 May 2009 15:00:51 +0200
From: Alan DeKok 
Subject: Re: Freeradius-Users Digest, Vol 49, Issue 95
To: FreeRadius users mailing list

Message-ID: <4a155083.1020...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Marco De Magistris wrote:
> In my opinion the packet (received from Radius Client) is sent towards
> the default gateway.

  Yes.  That's how networking works.

> The following link describes the same scenario:
> 
> http://www.opensubscriber.com/message/freeradius-users@lists.freeradius.org/82575.html
>
> They introduce *proxyip = 10.10.10.10* in proxy.conf.

  In 2.x, you can define the addresses that the server opens for
proxying.  See the "listen" section of radiusd.conf.  That may help.

  Alan DeKok.


--

Message: 2
Date: Thu, 21 May 2009 14:27:51 +0100 (BST)
From: "Ivan Kalik" 
Subject: RE: Freeradius-Users Digest, Vol 49, Issue 95
To: "FreeRadius users mailing list"

Message-ID:
<17832.194.176.105.43.1242912471.squir...@webmail.kalik.net>
Content-Type: text/plain;charset=utf-8

> 3. RE: Freeradius-Users Digest, Vol 49, Issue 93 (Ivan Kalik)
>
>> Radius Client -->  Radius Proxy
>> 192.168.1.2        192.168.1.3  192.168.14.3  --> IPS1(192.168.14.4)
>>                                 192.168.24.3  --> IPS2(192.168.24.4)
>
> You say:
>
>>> Yes. Proxy server will change NAS-IP-Address from the original NAS
>>> address into it's own. That is OK.
>
> It does not work. In my scenario I have two different NAS-IP-Addresses (a
> NAS-IP-Address for ISP1 and a NAS-IP-Address for ISP2).
>

That's because that can't work:

  # Note: "type = proxy" lets you control the source IP used for
  # proxying packets, with some limitations:
  #
  # * Only ONE proxy listener can be defined.
  # * A proxy listener CANNOT be used in a virtual server section.
  # * You should probably set "port = 0".
  # * Any "clients" configuration will be ignored.

You can't define two IPs on which to proxy. You need two proxy servers for
that:

proxy1 gets requests from NAS -> if it's for isp1 proxy to 192.168.14.4
from 192.168.14.3

if it's for isp2, proxy to proxy2 (also from 192.168.14.3)

proxy2 will have 192.168.24.3 configured as proxy port and proxy to
192.168.24.4 (isp2)

You can even have proxy1 and proxy2 on the same machine, one listening on
1812+ ports and other on 1645+ ports. They just can't be the same radiusd
process.

Ivan Kalik
Kalik Informatika ISP



--

Message: 3
Date: Thu, 21 May 2009 16:05:39 +0200
From: Alan DeKok 
Subject: Re: question about session resumption and reply attributes
To: FreeRad

RE: Freeradius-Users Digest, Vol 49, Issue 93

2009-05-20 Thread Marco De Magistris

> What does that mean? IP of the original NAS packet?

I have 2 interfaces towards the network.

Radius Client -->  Radius Proxy
192.168.1.2        192.168.1.3  192.168.14.3  --> IPS1(192.168.14.4)
                                192.168.24.3  --> IPS2(192.168.24.4)

Steps:
1) Radius Client  ---> sends a packet with NAS-IP-Address = 192.168.1.2
   towards Radius Proxy.
2) Radius Proxy changes NAS-IP-Address to 192.168.14.3 for IPS1 (or
   192.168.24.3 for IPS2) and sends it.

You say that by changing NAS-IP-Address the packet is transmitted correctly. Right?

 From 192.168.14.3  to  IPS1(192.168.14.4)  if NAS-IP-Address = 192.168.14.3
 From 192.168.24.3  to  IPS1(192.168.24.4)  if NAS-IP-Address = 192.168.24.3

> That's in internal attribute Packet-Src-IP-Address.

Should I modify this attribute, or does FreeRadius associate Packet-Src-IP-Address =
NAS-IP-Address?

Thanks again
Marco

-Original Message-
From: freeradius-users-bounces+marco.de.magistris=ericsson@lists.freeradius.org
[mailto:freeradius-users-bounces+marco.de.magistris=ericsson@lists.freeradius.org]
On Behalf Of freeradius-users-requ...@lists.freeradius.org
Sent: Wednesday 20 May 2009 14.12
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 49, Issue 93


Today's Topics:

   1. RE: Freeradius-Users Digest, Vol 49, Issue 89 (Ivan Kalik)
   2. Re: Long attribute name (Alan DeKok)
   3. Sql Counter reads only the first 4 digits
  (Mauro Iorio - Smart Soft s.r.l.)
   4. Re: question about windows users (Bartosz Chodzinski)
   5. Re: Sql Counter reads only the first 4 digits (Alan DeKok)


--

Message: 1
Date: Wed, 20 May 2009 12:44:28 +0100 (BST)
From: "Ivan Kalik" 
Subject: RE: Freeradius-Users Digest, Vol 49, Issue 89
To: "FreeRadius users mailing list"

Message-ID:
<41583.194.176.105.44.1242819868.squir...@webmail.kalik.net>
Content-Type: text/plain;charset=utf-8

> The problem is the following:
>
>The customers ask me if possible send them the packets from an
> interface defined.


What does that mean? IP of the original NAS packet? That's in internal
attribute Packet-Src-IP-Address.

> My Radius proxy listen on an IP address (i.e. 192.168.1.3) for
> authentication packet and forwarding them towards two different networks
> (i.e. 192.168.14.4(Customer1) and 192.168.24.4(Customer2))


Ivan Kalik
Kalik Informatika ISP



--

Message: 2
Date: Wed, 20 May 2009 13:50:35 +0200
From: Alan DeKok 
Subject: Re: Long attribute name
To: FreeRadius users mailing list

Message-ID: <4a13ee8b.1000...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Ming-Ching Tiew wrote:
> 
> I know it's almost trivial to go an alter the table column size, but for 
> users convenience, the sql attribute length should be increased. Currently 
> the schema.sql which comes with the distribution is varchar(32). One of the 
> motorola wimax attributes is 39 characters, 
> Motorola-WiMAX-Maximum-Commit-Bandwidth. And I notice the mysql silently 
> truncate the inserted string.

  That's reasonable.

  Alan DeKok.


--

Message: 3
Date: Wed, 20 May 2009 13:58:32 +0200
From: "Mauro Iorio - Smart Soft s.r.l." 
Subject: Sql Counter reads only the first 4 digits
To: "'FreeRadius users mailing list'"

Message-ID: <370da20735bc482c80a4249bf3946...@zuccherino>
Content-Type: text/plain; charset="us-ascii"

Hi all,

 

I've a strange problem with sql counter on freeradius both 1.1.7 and 2.1.5
versions.

Actually executing 

 

SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='mauro' 

 

from SQL Server Management Studio gives me 294841 (Yes, that's a lot of
seconds, is a test user)

while the output of radiusd -X (ver 2.1.5) is:

 



 

rlm_sqlcounter: Entering module authorize code

sqlcounter_expand:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='%{

User-Name}&#x

help me: proxying towards 2 different networks

2009-05-19 Thread Marco De Magistris
Hi all,

Thanks in advance for your help.

Here is our scenario which is working now:

1.  Radius Client sends packets towards Radius Proxy (from
    192.168.1.2 to 192.168.1.3)
2.  Radius Proxy listens on 192.168.1.3 for authentication packets and
    forwards them towards two different networks (192.168.14.4 and
    192.168.24.4)

Can I configure this scenario using FreeRadius?

The current configuration is:

  First configuration

Radiusd.conf

listen {
        ipaddr = 192.168.1.2
        port = 1812
        type = auth
        interface = eth18
}

proxy.conf

home_server Server1 {
        type = auth
        ipaddr = 192.168.14.4
        port = 1812
        secret = 
        require_message_authenticator = yes
}

home_server Server2 {
        type = auth
        ipaddr = 192.168.24.4
        port = 1812
        secret = 
        require_message_authenticator = yes
}

home_server_pool Serverpool1 {
        type = fail-over
        home_server = Server1
}

home_server_pool Serverpool2 {
        type = fail-over
        home_server = Server2
}

realm isp1.com {
        auth_pool = Serverpool1
}

realm isp2.com {
        auth_pool = Serverpool2
}

Results:

Expiration of the Timeout

  Second configuration

Adding in radiusd.conf:

listen {
        ipaddr = 192.168.14.3
        port = 1812
        type = proxy
}

Results:

The packet is received correctly by Server1, but I can't send any packet
towards Server2.

  Latest configuration

Adding in radiusd.conf:

listen {
        ipaddr = 192.168.14.3
        port = 1812
        type = proxy
}

listen {
        ipaddr = 192.168.24.3
        port = 1812
        type = proxy
}

Results:

Expiration of the Timeout

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: problem with ip_pools -- revisited

2009-01-20 Thread Marco C. Coelho

Ouch

This change made radius stop issuing IP addresses.  It would start 
without errors, but would then still authenticate a user, but would not 
issue a new IP address.
Never good on a production server  Yea I know, don't test on 
production server Duhh


Is the syntax shown below what you meant?

Thanks,

Marco

Marco C. Coelho wrote:
I've moved redundant to be inside of post-auth and restarted 
radiusd.  Any ideas on how to test that it's working without 
waiting for a max usage night?


It now looks like:

post-auth {
  #  Get an address from the IP Pool.
  main_pool
  main_pool2
  #
sql
redundant {
# added by mcc per suggestions 11/9/08
  main_pool
  main_pool2
  #
# reply_log
}



Marco C. Coelho wrote:
I've moved redundant to be inside of post-auth and restarted 
radiusd.  Any ideas on how to test that it's working without 
waiting for a max usage night?


Marco

t...@kalik.net wrote:

Below are all sections of the radius.conf that I've got the pools called
out.

accounting {
 detail
 main_pool
 main_pool2
 radutmp
 sql
}

post-auth {
 #  Get an address from the IP Pool.
 main_pool
 main_pool2
  sql
}

redundant {
# added by mcc per suggestions 11/9/08
 main_pool
 main_pool2
 #
# reply_log
}




redundant section should be *inside* post-auth.

Ivan Kalik
Kalik Informatika ISP




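Ivan's point, that the redundant { } block belongs inside post-auth, is about unlang control flow: redundant runs its modules in order and only moves on to the next one when the previous one fails. As an added example (not from this thread and not rlm_ippool's code), the Python below models two small non-contiguous pools and the redundant block, so the hand-over when main_pool is exhausted and the release of an address on an accounting Stop can be watched. The pool class, the 192.0.2.0/24 ranges and the assumption that an exhausted pool reports a failure code are all constructed for the example.

```python
import ipaddress


class IpPool:
    """Toy stand-in for one rlm_ippool instance (an assumption of this example,
    not the module's code): a fixed address range plus the lease table that the
    module keeps in its session-db."""

    def __init__(self, name, range_start, range_stop):
        self.name = name
        first = int(ipaddress.IPv4Address(range_start))
        last = int(ipaddress.IPv4Address(range_stop))
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]
        self.leases = {}  # session id -> address handed out

    def post_auth(self, request):
        """Hand out an address, or report "fail" when the range is exhausted;
        that failure code is what a surrounding redundant { } block acts on."""
        if not self.free:
            return "fail", None
        address = self.free.pop(0)
        self.leases[request["session"]] = address
        return "ok", {"Framed-IP-Address": address}

    def accounting_stop(self, request):
        """Return the address to the range when the session's Stop arrives;
        a pool that does not hold the session simply does nothing."""
        address = self.leases.pop(request["session"], None)
        if address is not None:
            self.free.append(address)
        return address


def redundant(modules, request):
    """unlang redundant { }: run the modules in order and stop at the first one
    that does not fail; the block fails only when every module has failed."""
    result = ("fail", None)
    for module in modules:
        result = module.post_auth(request)
        if result[0] != "fail":
            break
    return result


def accounting(pools, request):
    """accounting { main_pool main_pool2 }: every pool sees the Stop."""
    for pool in pools:
        pool.accounting_stop(request)


def make_pools():
    # Constructed, deliberately non-contiguous test ranges from 192.0.2.0/24
    # (documentation space), three addresses each so exhaustion comes quickly.
    return [IpPool("main_pool", "192.0.2.1", "192.0.2.3"),
            IpPool("main_pool2", "192.0.2.9", "192.0.2.11")]


def allocate_sessions(pools, count):
    """Run `count` logins through redundant { main_pool main_pool2 } and list
    the address each one got (None once both ranges are empty)."""
    addresses = []
    for i in range(count):
        code, reply = redundant(pools, {"session": f"s{i}"})
        addresses.append(reply["Framed-IP-Address"] if code == "ok" else None)
    return addresses


if __name__ == "__main__":
    pools = make_pools()
    print(allocate_sessions(pools, 7))
    accounting(pools, {"session": "s1"})
    print(redundant(pools, {"session": "s7"}))
```

With three addresses per pool, the first three logins come from main_pool, the next three from main_pool2, and the seventh gets nothing; once session s1 sends its Stop, the next login is handed that address back from main_pool. The same model shows why the pools must also be listed in the accounting section: without the Stop reaching the pool that holds the lease, nothing is ever freed.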

Re: problem with ip_pools -- revisited

2009-01-16 Thread Marco C. Coelho
I've moved redundant to be inside of post-auth and restarted 
radiusd.  Any ideas on how to test that it's working without waiting 
for a max usage night?


It now looks like:

post-auth {
 #  Get an address from the IP Pool.
 main_pool
 main_pool2
 #
   sql
redundant {
# added by mcc per suggestions 11/9/08
 main_pool
 main_pool2
 #
# reply_log
}



Marco C. Coelho wrote:
I've moved redundant to be inside of post-auth and restarted 
radiusd.  Any ideas on how to test that it's working without 
waiting for a max usage night?


Marco

t...@kalik.net wrote:

Below are all sections of the radius.conf that I've got the pools called
out.

accounting {
 detail
 main_pool
 main_pool2
 radutmp
 sql
}

post-auth {
 #  Get an address from the IP Pool.
 main_pool
 main_pool2
  sql
}

redundant {
# added by mcc per suggestions 11/9/08
 main_pool
 main_pool2
 #
# reply_log
}




redundant section should be *inside* post-auth.

Ivan Kalik
Kalik Informatika ISP


Re: problem with ip_pools -- revisited

2009-01-15 Thread Marco C. Coelho
I've moved redundant to be inside of post-auth and restarted 
radiusd.  Any ideas on how to test that it's working without waiting 
for a max usage night?


It now looks like:

post-auth {
 #  Get an address from the IP Pool.
 main_pool
 main_pool2
 #
   sql
redundant {
# added by mcc per suggestions 11/9/08
 main_pool
 main_pool2
 #
# reply_log
}



Marco C. Coelho wrote:
I've moved redundant to be inside of post-auth and restarted 
radiusd.  Any ideas on how to test that it's working without 
waiting for a max usage night?


Marco

t...@kalik.net wrote:

Below are all sections of the radius.conf that I've got the pools called
out.

accounting {
 detail
 main_pool
 main_pool2
 radutmp
 sql
}

post-auth {
 #  Get an address from the IP Pool.
 main_pool
 main_pool2
  sql
}

redundant {
# added by mcc per suggestions 11/9/08
 main_pool
 main_pool2
 #
# reply_log
}




redundant section should be *inside* post-auth.

Ivan Kalik
Kalik Informatika ISP


Re: problem with ip_pools -- revisited

2009-01-15 Thread Marco C. Coelho
I've moved redundant to be inside of post-auth and restarted 
radiusd.  Any ideas on how to test that it's working without waiting 
for a max usage night?


Marco

t...@kalik.net wrote:

Below are all sections of the radius.conf that I've got the pools called
out.

accounting {
 detail
 main_pool
 main_pool2
 radutmp
 sql
}

post-auth {
 #  Get an address from the IP Pool.
 main_pool
 main_pool2
  sql
}

redundant {
# added by mcc per suggestions 11/9/08
 main_pool
 main_pool2
 #
# reply_log
}




redundant section should be *inside* post-auth.

Ivan Kalik
Kalik Informatika ISP


Re: problem with ip_pools -- revisited

2009-01-15 Thread Marco C. Coelho

Ok here's where I'm at now:

I added a second IP Pool  in my radius.conf.  If I create a user account 
with a group that only lists that new IP Pool (main_pool2), I get an 
address in that pool.  The problem is when I have a user in a group that 
uses both pools (main_pool and main_pool2), when the first pool runs out 
of IP addresses, the second pool does not get used.


Below are all sections of the radius.conf that I've got the pools called 
out.


any suggestions are greatly appreciated.  Help!

Marco






ippool main_pool {

   #  range-start,range-stop: The start and end ip
   #  addresses for the ip pool
   range-start = 44.202.227.1
   range-stop = 44.202.229.254

   #  netmask: The network mask used for the ip's
   netmask = 255.255.255.0

   #  cache-size: The gdbm cache size for the db
   #  files. Should be equal to the number of ip's
   #  available in the ip pool
   cache-size = 762

   # session-db: The main db file used to allocate ip's to clients
   session-db = ${raddbdir}/db.ippool

   # ip-index: Helper db index file used in multilink
   ip-index = ${raddbdir}/db.ipindex

   # override: Will this ippool override a Framed-IP-Address already set
   override = no

   # maximum-timeout: If not zero specifies the maximum time in seconds an
   # entry may be active. Default: 0
   maximum-timeout = 0
 }

 ippool main_pool2 {

   #  range-start,range-stop: The start and end ip
   #  addresses for the ip pool
   range-start = 44.202.237.1
   range-stop = 44.202.239.254

   #  netmask: The network mask used for the ip's
   netmask = 255.255.255.0

   #  cache-size: The gdbm cache size for the db
   #  files. Should be equal to the number of ip's
   #  available in the ip pool
   cache-size = 762

   # session-db: The main db file used to allocate ip's to clients
   session-db = ${raddbdir}/db.ippool2

   # ip-index: Helper db index file used in multilink
   ip-index = ${raddbdir}/db.ipindex2

   # override: Will this ippool override a Framed-IP-Address already set
   override = no

   # maximum-timeout: If not zero specifies the maximum time in seconds an
   # entry may be active. Default: 0
   maximum-timeout = 0
 }


accounting {
 detail
 main_pool
 main_pool2
 radutmp
 sql
}

post-auth {
 #  Get an address from the IP Pool.
 main_pool
 main_pool2
  sql
}

redundant {
# added by mcc per suggestions 11/9/08
 main_pool
 main_pool2
 #
# reply_log
}


Marco C. Coelho wrote:
I've been trying to get my second set up IP address' working.  The 
main_pool works correctly.  main_pool2 does not appear to ever issue 
more than 2 ip addresses.

you had previously mentioned:

Marco C. Coelho wrote:
  

>>   Did you put "main_pool" and "main_pool" into a fail-over section, as
>> documented in "man unlang" ?
>>   

> 
> No,  and I must be blind, because I have read the section and cannot

> find mention of it.
  


  Sorry, the "redundant" section should do what you want.

  Alan DeKok.


I cannot find a redundant section in this radiusd.conf
  


my radiusd.conf contains:

 ippool main_pool {

#  range-start,range-stop: The start and end ip
#  addresses for the ip pool
range-start = 64.202.227.1
range-stop = 64.202.229.254

#  netmask: The network mask used for the ip's
netmask = 255.255.255.0

#  cache-size: The gdbm cache size for the db
#  files. Should be equal to the number of ip's
#  available in the ip pool
cache-size = 762

# session-db: The main db file used to allocate ip's to clients
session-db = ${raddbdir}/db.ippool

# ip-index: Helper db index file used in multilink
ip-index = ${raddbdir}/db.ipindex

# override: Will this ippool override a Framed-IP-Address already set
override = no

# maximum-timeout: If not zero specifies the maximum time in seconds an
# entry may be active. Default: 0
maximum-timeout = 0
  }

  ippool main_pool2 {

#  range-start,range-stop: The start and end ip
#  addresses for the ip pool
range-start = 64.202.237.1
range-stop = 64.202.239.254

#  netmask: The network mask used for the ip's
netmask = 255.255.255.0

#  cache-size: The gdbm cache size for the db
#  files. Should be equal to the number of ip's
#  available in the ip pool
cache-size = 762

# session-db: The main db file used to allocate ip's to clients
session-db = ${raddbdir}/db.ippool2

# ip-index: Helper db index file used in multilink
ip-index = ${raddbdir}/db.ipindex2

# override: Will this ippool override a Framed-IP-Address already set
override = no

# maximum-timeout: If not zero specifies the maximum time in seconds an
# entry may be active. Default: 0
maximum-timeout = 0
  }

**It also has:

#  Accounting.  Log the accounting data.
#
accounting {
  #
  #  Cr

Re: No log destination specified.

2008-12-10 Thread Marco C. Coelho

Have you checked permissions of the file / dir?

Marcel Grandemange wrote:

|->>I have a problem where I upgraded v1 to v2 of freeradius and now I can
only
|->start it with mode radius -X , if I try use script is simply does
following.
|->
|->
|->
|->>/usr/local/etc/rc.d]# ./rc.radiusd start
|->>Starting FreeRADIUS:radiusd: Error: No log destination specified.
|->>Radius
|->
|->
|->>Any advise?
|->
|->FYI - I have now made a startup script to the following.
|->
|->/usr/local/sbin/radiusd -X & > /dev/null 2>&1
|->
|->To Run Freeradius as this is a production machine.

  

It is complaining that you have not specified a place to write a log file.



  

==
logdir = /var/log
#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log
==



  

This is from my radiusd.conf file. Radius writes log file messages (few
and far between) to /var/log/radius.log



  

Fix that and you won't have to use the redirect to /dev/null, which I would
not use anyway as you want log files to know if something is going wrong.



This is the beginning of my radius.conf; it seems the entry is indeed there
and valid, as it's the same as in the old installation.

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

  

HTH,
Keith




problem with ip_pools -- revisited

2008-10-30 Thread Marco C. Coelho

No response so I'm resending this

Marco C. Coelho wrote:
I've been trying to get my second set up IP address' working.  The 
main_pool works correctly.  main_pool2 does not appear to ever issue 
more than 2 ip addresses.

you had previously mentioned:

Marco C. Coelho wrote:
  

>>   Did you put "main_pool" and "main_pool" into a fail-over section, as
>> documented in "man unlang" ?
>>   

> 
> No,  and I must be blind, because I have read the section and cannot

> find mention of it.
  


  Sorry, the "redundant" section should do what you want.

  Alan DeKok.


I cannot find a redundant section in this radiusd.conf
  


my radiusd.conf contains:

 ippool main_pool {

#  range-start,range-stop: The start and end ip
#  addresses for the ip pool
range-start = 64.202.227.1
range-stop = 64.202.229.254

#  netmask: The network mask used for the ip's
netmask = 255.255.255.0

#  cache-size: The gdbm cache size for the db
#  files. Should be equal to the number of ip's
#  available in the ip pool
cache-size = 762

# session-db: The main db file used to allocate ip's to clients
session-db = ${raddbdir}/db.ippool

# ip-index: Helper db index file used in multilink
ip-index = ${raddbdir}/db.ipindex

# override: Will this ippool override a Framed-IP-Address already set
override = no

# maximum-timeout: If not zero specifies the maximum time in seconds an
# entry may be active. Default: 0
maximum-timeout = 0
  }

  ippool main_pool2 {

#  range-start,range-stop: The start and end ip
#  addresses for the ip pool
range-start = 64.202.237.1
range-stop = 64.202.239.254

#  netmask: The network mask used for the ip's
netmask = 255.255.255.0

#  cache-size: The gdbm cache size for the db
#  files. Should be equal to the number of ip's
#  available in the ip pool
cache-size = 762

# session-db: The main db file used to allocate ip's to clients
session-db = ${raddbdir}/db.ippool2

# ip-index: Helper db index file used in multilink
ip-index = ${raddbdir}/db.ipindex2

# override: Will this ippool override a Framed-IP-Address already set
override = no

# maximum-timeout: If not zero specifies the maximum time in seconds an
# entry may be active. Default: 0
maximum-timeout = 0
  }

**It also has:

#  Accounting.  Log the accounting data.
#
accounting {
  #
  #  Create a 'detail'ed log of the packets.
  #  Note that accounting requests which are proxied
  #  are also logged in the detail file.
  detail
  main_pool
  main_pool2

**It also has:

#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
  #  Get an address from the IP Pool.
  main_pool
  main_pool2
  #
  #  If you want to have a log of authentication replies,
  #  un-comment the following line, and the 'detail reply_log'
  #  section, above.







problem with ip_pools -- revisited

2008-10-28 Thread Marco C. Coelho
I've been trying to get my second set up IP address' working.  The 
main_pool works correctly.  main_pool2 does not appear to ever issue 
more than 2 ip addresses.

you had previously mentioned:

Marco C. Coelho wrote:


>>   Did you put "main_pool" and "main_pool" into a fail-over section, as
>> documented in "man unlang" ?
>>   

> 
> No,  and I must be blind, because I have read the section and cannot

> find mention of it.
  


 Sorry, the "redundant" section should do what you want.

 Alan DeKok.


I cannot find a redundant section in this radiusd.conf


my radiusd.conf contains:

ippool main_pool {

   #  range-start,range-stop: The start and end ip
   #  addresses for the ip pool
   range-start = 64.202.227.1
   range-stop = 64.202.229.254

   #  netmask: The network mask used for the ip's
   netmask = 255.255.255.0

   #  cache-size: The gdbm cache size for the db
   #  files. Should be equal to the number of ip's
   #  available in the ip pool
   cache-size = 762

   # session-db: The main db file used to allocate ip's to clients
   session-db = ${raddbdir}/db.ippool

   # ip-index: Helper db index file used in multilink
   ip-index = ${raddbdir}/db.ipindex

   # override: Will this ippool override a Framed-IP-Address already set
   override = no

   # maximum-timeout: If not zero specifies the maximum time in seconds an
   # entry may be active. Default: 0
   maximum-timeout = 0
 }

 ippool main_pool2 {

   #  range-start,range-stop: The start and end ip
   #  addresses for the ip pool
   range-start = 64.202.237.1
   range-stop = 64.202.239.254

   #  netmask: The network mask used for the ip's
   netmask = 255.255.255.0

   #  cache-size: The gdbm cache size for the db
   #  files. Should be equal to the number of ip's
   #  available in the ip pool
   cache-size = 762

   # session-db: The main db file used to allocate ip's to clients
   session-db = ${raddbdir}/db.ippool2

   # ip-index: Helper db index file used in multilink
   ip-index = ${raddbdir}/db.ipindex2

   # override: Will this ippool override a Framed-IP-Address already set
   override = no

   # maximum-timeout: If not zero specifies the maximum time in seconds an
   # entry may be active. Default: 0
   maximum-timeout = 0
 }

**It also has:

#  Accounting.  Log the accounting data.
#
accounting {
 #
 #  Create a 'detail'ed log of the packets.
 #  Note that accounting requests which are proxied
 #  are also logged in the detail file.
 detail
 main_pool
 main_pool2

**It also has:

#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
 #  Get an address from the IP Pool.
 main_pool
 main_pool2
 #
 #  If you want to have a log of authentication replies,
 #  un-comment the following line, and the 'detail reply_log'
 #  section, above.





Re: FW: FreeRadius

2008-10-01 Thread Marco C. Coelho

It's complaining about time, not usage?

Marco

Marcel Grandemange wrote:

> I have a working FreeRadius installation used for PPPOE clients using
> a Mikrotik NAS (Essentially Linux)
>
> I am using Freeradius to limit data a user can send/receive within a
> month and automatically reset it every month.
>
> I used an example from chilliuspot hotspot for this.
>
> However what I'm noticing is sometimes a customer gets denied access
> because he has exceeded his monthly allowance, however when I check the
> DB this is not the case because it's the beginning of the month.
>
> This only happens sometimes so I'm lost!
>
> I use sqlcounter.conf for the counter part of things and INCLUDE this
> from radius.conf.
>
> sqlcounter monthlytraffic {
>     counter-name = Monthly-Traffic
>     check-name = Max-Monthly-Traffic
>     reply-name = Mikrotik-Xmit-Limit-Gigawords
>     sqlmod-inst = sql
>     key = User-Name
>     reset = monthly
>     query = "SELECT SUM(AcctInputOctets - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) + SUM(AcctOutputOctets - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
> }
>
> Anybody for input? I would greatly appreciate help here! A workaround
> is to simply increase his allowance till he is allowed to connect!

Here is an update... I have created an entirely new account that has
NO history and yet I get the same issue.

Following in radius.log

Wed Oct  1 17:51:46 2008 : Auth: Invalid user (rlm_sqlcounter: Maximum 
monthly usage time reached): [njale/] (from client 
OldPPPOES port 40541 cli 00:0C:29:0B:44:66)

I kept increasing the data limit via dialupadmin till it allowed me to
connect...

Ideas?

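As an added example (not Marcel's configuration and not rlm_sqlcounter's code), the Python below rebuilds the counter from that sqlcounter block against an in-memory SQLite radacct table: %b becomes the start of the current month, the query keeps every session of the user that was still active after that instant, and the total is compared with the check item the way the module decides between accept and reject. The rows, the clock and the user name are constructed; start times are stored as epoch seconds (so no UNIX_TIMESTAMP() is needed) and the GREATEST() term is omitted, because in the quoted query it subtracts a number of seconds from an octet count.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed clock matching the timestamp of the log line in the post.
NOW = datetime(2008, 10, 1, 17, 51, 46, tzinfo=timezone.utc)


def month_start_epoch(now):
    """reset = monthly: %b expands to the start of the current month."""
    return int(now.replace(day=1, hour=0, minute=0, second=0, microsecond=0).timestamp())


RESET = month_start_epoch(NOW)

# Constructed radacct rows (UserName, AcctStartTime as epoch seconds,
# AcctSessionTime, AcctInputOctets, AcctOutputOctets), not real accounting data.
RADACCT_ROWS = [
    ("njale", RESET - 3 * 86400, 3600, 1_000_000, 2_000_000),  # ended in September
    ("njale", RESET - 1800, 3600, 500_000, 500_000),           # spans the reset
    ("njale", RESET + 7200, 600, 100_000, 200_000),            # entirely in October
    ("other", RESET + 7200, 600, 9_000_000, 9_000_000),        # another user
]


def load_radacct(rows):
    """In-memory SQLite stand-in for the radacct table (the post uses MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, "
                 "AcctSessionTime INTEGER, AcctInputOctets INTEGER, "
                 "AcctOutputOctets INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def monthly_traffic(conn, username, reset_epoch):
    """The counter query: total octets of every session of this user that was
    still active after the reset time. A session that began last month but
    was still running after the reset counts with all of its octets."""
    (total,) = conn.execute(
        "SELECT COALESCE(SUM(AcctInputOctets + AcctOutputOctets), 0) FROM radacct "
        "WHERE UserName = ? AND AcctStartTime + AcctSessionTime > ?",
        (username, reset_epoch),
    ).fetchone()
    return total


def check_monthly_limit(conn, username, max_monthly_traffic, now=NOW):
    """rlm_sqlcounter's decision: compare the counter with the check item and
    either reject or reply with the remaining allowance."""
    used = monthly_traffic(conn, username, month_start_epoch(now))
    if used >= max_monthly_traffic:
        return "reject", 0
    return "accept", max_monthly_traffic - used


if __name__ == "__main__":
    conn = load_radacct(RADACCT_ROWS)
    print(monthly_traffic(conn, "njale", RESET))
    print(check_monthly_limit(conn, "njale", 1_500_000))
    print(check_monthly_limit(conn, "njale", 1_000_000))
```

Running it shows the September-only session being ignored while the session that straddled midnight on the 1st is charged in full; when the "beginning of month" rejections are investigated, the sessions to look at are the ones whose AcctStartTime + AcctSessionTime lands after the reset, including any that are still open.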

Re: problem with ip_pools

2008-09-30 Thread Marco C. Coelho

Please See Below:

Alan DeKok wrote:

Marco C. Coelho wrote:
  

I ran out of IP space in my original IP_Pool, and since the next
available addresses were non contiguous, I added a second pool.  Here's
the snippet of my radiusd.conf:



  Did you add "main_pool2" to the "post-auth" && accounting sections
where "main_pool" was referenced?
  
No.  After I added it and corrected the operand to := it now issues the 
new addresses.  Thanks!



  Did you put "main_pool" and "main_pool" into a fail-over section, as
documented in "man unlang" ?
  


No,  and I must be blind, because I have read the section and cannot 
find mention of it.

  Alan DeKok.

problem with ip_pools

2008-09-30 Thread Marco C. Coelho
I ran out of IP space in my original IP_Pool, and since the next
available addresses were non-contiguous, I added a second pool.  Here's
the snippet of my radiusd.conf.  The problem is that the first pool
comes up and is used, but when it runs out of IP space, the second pool
never gets used.

If the db files are deleted and freeradius restarted, should both sets 
of files get recreated on start up?


 ippool main_pool {

   #  range-start,range-stop: The start and end ip
   #  addresses for the ip pool
   range-start = 64.202.227.1
   range-stop = 64.202.229.254

   #  netmask: The network mask used for the ip's
   netmask = 255.255.255.0

   #  cache-size: The gdbm cache size for the db
   #  files. Should be equal to the number of ip's
   #  available in the ip pool
   cache-size = 768

   # session-db: The main db file used to allocate ip's to clients
   session-db = ${raddbdir}/db.ippool

   # ip-index: Helper db index file used in multilink
   ip-index = ${raddbdir}/db.ipindex

   # override: Will this ippool override a Framed-IP-Address already set
   override = no

   # maximum-timeout: If not zero specifies the maximum time in seconds an
   # entry may be active. Default: 0
   maximum-timeout = 0
 }

 ippool main_pool2 {

   #  range-start,range-stop: The start and end ip
   #  addresses for the ip pool
   range-start = 64.202.237.1
   range-stop = 64.202.239.254

   #  netmask: The network mask used for the ip's
   netmask = 255.255.255.0

   #  cache-size: The gdbm cache size for the db
   #  files. Should be equal to the number of ip's
   #  available in the ip pool
   cache-size = 768

   # session-db: The main db file used to allocate ip's to clients
   session-db = ${raddbdir}/db.ippool2

   # ip-index: Helper db index file used in multilink
   ip-index = ${raddbdir}/db.ipindex2

   # override: Will this ippool override a Framed-IP-Address already set
   override = no

   # maximum-timeout: If not zero specifies the maximum time in seconds an
   # entry may be active. Default: 0
   maximum-timeout = 0
 }



ippool with non-contiguous ip ranges

2008-07-25 Thread Marco C. Coelho

I've got 3 class C ranges that are contiguous assigned to a freeradius
server.  I want to add additional class C ranges to this server, but
they are not contiguous with the previous three.


I would like to add 64.202.231.1 - 64.202.234.254 without creating an
additional IP Pool.  I've searched the docs and the net and cannot find an
answer.

my radiusd.conf has a section like this:

SNIP***
ippool main_pool {

   #  range-start,range-stop: The start and end ip
   #  addresses for the ip pool
   range-start = 64.202.227.1
   range-stop = 64.202.229.254

   #  netmask: The network mask used for the ip's
   netmask = 255.255.255.0

   #  cache-size: The gdbm cache size for the db
   #  files. Should be equal to the number of ip's
   #  available in the ip pool
   cache-size = 768

SNIP***



Thanks,
Marco


Re: HOWTO PEAP + FreeRadius + XP Client

2008-04-30 Thread Marco Gaiarin
Hello, George KNIGHT!
  On that day you said...

> My question is I have been looking for a HOWTO paper for a beginner to set
> freeradius as an AAA server in a wireless environment to Windows XP SP2
> clients. I will use Windows' own PEAP client. Is there such a paper someone
> can give me the link?

A very good starting point is:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

If you have a samba domain, simply ignore all the 'AD' stuff; the real
point here is making ntlm_auth work, and normally it suffices to install
winbindd.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
   http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)



Re: Expiration?

2008-04-29 Thread Marco Gaiarin
Hello, Ivan Kalik!
  On that day you said...


> >Literally? Or it is some sort of example? Eg i have to write:
> > Expiration := "May 10 2008 21:00:00"
> Like that.

Works, but with a minor drawback, and I don't know if it is a radius or a
supplicant problem (Windows XP SP2 with the WPA2 patch added).

If I set the wrong password on the supplicant, connections are easily
rejected and radius traffic stops.
If I set an Expiration earlier than 'now', connections are rejected (I can
clearly see 'Password-Expired' in the logs) but the supplicant retries
indefinitely... I've waited 5 minutes and it was still trying.


Oh well, it is not a big trouble, only a little curiosity. ;)



Re: Expiration?

2008-04-29 Thread Marco Gaiarin
Hello, Ivan Kalik!
  On that day you said...

Sorry, but...

> Expiration := date_format_like"May 10 2008 21:00:00"

Literally? Or is it some sort of example? E.g., do I have to write:

Expiration := "May 10 2008 21:00:00"

or literally:

Expiration := date_format_like"May 10 2008 21:00:00"


Thanks.



Expiration?

2008-04-29 Thread Marco Gaiarin

Using:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

as a base, I've set up freeradius to authenticate against my domain
(samba, not AD, but little difference).

This way users can access my wireless network, using their domain
account with password expiration and so on. Perfect.


But it could be that I will need some 'guest access': for, ahem, guests,
or for speakers at a conference, ...
Creating and deleting domain accounts only for that is not my
preferred choice.

The same HOWTO above says:

Configuration of users

The configuration of this file is not necessary to get
freeradius working against the Active Directory, it is only necessary for
advanced usage of FreeRADIUS.

One of these advanced features (among others) is the case when we want
to have some local users that do not rely on the Active Directory
that is working, but on the local users file under the
${sysconfdir}/raddb directory, and with the same authentication schema
of PEAP.

Open your users file with your favorite editor and put a line like
this:

username1 Cleartext-Password := "user-password1", 
MS-CHAP-Use-NTLM-Auth := 0


Perfect, this works too. But I'm lazy, as many system administrators are,
and I know that I will probably forget that I have accounts like this.


Googling around I've found the Expiration radius tag that seems to suit my
needs, but I've found no example around, nor an explanation of whether it
can be used in the 'users' file and how.


Speaking clearly: can I define in the 'users' file some users with an
explicit 'expiration date'?
Can someone explain to me how?

Thanks.



Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-03 Thread Marco Gaiarin
Hello, Phil Mayers!
  On that day you said...

> You are not running the default config. You've added the "ldap" module, so 
> even though "files" doesn't match, "ldap" does.

Perfectly clear. Reviewing all the stuff, it is indeed clear now, thanks.



Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-03 Thread Marco Gaiarin
Hello, Alan DeKok!
  On that day you said...

>   Start with the default configuration and make small changes.  Test
> them.  You WILL get it working very quickly.

Exactly what I've done. I've written a little doc (sorry, in Italian) on
how to set up all the stuff, and it counts 5-6 modifications.



Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Marco Gaiarin
Hello, Phil Mayers!
  On that day you said...

>> box (using freeradius with 1.1.3 recompiled by me to support EAP-TLS).
> Upgrade to 1.1.7 at least

...as a Debian user, I prefer to stay on 'debian stable' and use the
official package, even if repackaged...


>> But users file was 'no match, no party'? What i'm missing?
> What does "no match no party" mean?

In the users file, the last line says:

# On no match, the user is denied access.

(so no match implies deny, which implies no WLAN-party ;).


> In all probability, you've got something like:

Precisely:

authorize {
    preprocess
    chap
    mschap
    ntdomain
    eap
    files
    ldap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        ldap
    }
    eap
}

(indeed probably a bit more than needed...)


> ...if so, mschap (or eap, for the outer module) finds the relevant 
> attributes, sets Auth-Type to itself, and processes the request; if the 
> user has a password, they're authenticated. If you want to deny people you 
> need to do that.

Probably I'm missing something... I've tried to type a wrong password
and it works (e.g., radius refuses to auth me); I'm not clear what you mean
by 'if the user has a password, they're authenticated' and especially
by 'you need to do that': 'that' what? Explicitly negate access?

More deeply, I'm not clear if this is a configuration error by me, or
whether with this setup things NEED to be done in this way.


> Since you're not subscribed to the mailing list and haven't read the 

The list refuses posts from non-subscribed users, so now I'm subscribed.
I've read tons of docs, especially the FAQ (with no clue at all),
especially the freeradius.org site where some docs say something and
some other docs say the converse (or at least this seems so to me; clearly
I'm ignorant and stupid).


> documents, you have failed to see the advice repeated daily; namely, to run 
> radiusd under debugging with "radiusd -X", examine the output and if you 
> can't figure out what it's saying, post that output here.

For two days i have been running with 'freeradius -X' in my hand. I've
solved at least half a dozen troubles myself using the FAQ and other docs
on the net.


Because this is not a problem (at least for me, again remember i'm
ignorant and stupid), i thought it was not the case to start sending
tons of attachments.


I've shut off my test system, and i've accumulated too many 'freeradius
-X' logs to remember where the culprit was, so please wait until tomorrow
for the config file and associated log.


good night.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Marco Gaiarin

[i'm not subscribed to this list, so, please, put me on CC]

I've just set up a 'test installation' of freeradius on a debian etch
box (using freeradius 1.1.3, recompiled by me to support EAP-TLS).

In my environment there's always an LDAP server that serves, among other
things, also a samba3 server using standard stuff (smbldap-tools, ...).
Clearly my users are mostly (ahem, totally ;( ) windows XPsp2.


Firstly i set up everything using winbind/ntlm_auth to do the
MS-CHAP auth, but because i know that in LDAP the NT-Password is
simply stored, and looking at the (deprecated) /etc/smbpasswd module
with the aid of some googling, i've finally reached a good (for me)
working point: the ldap module extracts the NT-Password and gives it to the
mschap module for authentication, with the bonus of group filtering, all in
LDAP (i've disabled 'unix')...

The strange thing, the only strangeness i've found, is that i was forced to
insert an explicit 'deny' rule in the users file, eg my users file is:

 DEFAULT Service-Type == Framed-User, Ldap-Group == "ced"
 DEFAULT Service-Type == Framed-User, Ldap-Group == "diramm"
 DEFAULT Service-Type == Framed-User, Ldap-Group == "ricerca"
 DEFAULT Service-Type == Framed-User, Ldap-Group == "*", Auth-Type := Reject
 Reply-Message = "Gruppo non autorizzato"

if i remove the last entry, the user gets authenticated.


But wasn't the users file 'no match, no party'? What am i missing?

Thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797

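The behaviour Marco asks about above, and Phil Mayers's reply earlier in the thread (mschap or eap finds its attributes, sets Auth-Type to itself, and the request is authenticated unless something explicitly rejects it), as an added example. This is a small model written for this page, not FreeRADIUS code: the module names mirror the 1.x authorize section quoted in the thread, the directory contents and NT-Password values are constructed placeholders, and the MS-CHAPv2 response is replaced by a keyed digest so the verify step can be shown offline. The point it demonstrates is that the "On no match, the user is denied access" comment in the users file only bites when no module has claimed the request; once mschap has set Auth-Type, a users file with no matching entry returns noop and the user is accepted on a correct password, which is why the catch-all `Auth-Type := Reject` entry is needed.

```python
# Added example (not FreeRADIUS code): a model of the 1.x authorize ->
# authenticate flow for the users file in the post above.
import hashlib
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One users-file entry: check items, control items (':=' operators such
    as Auth-Type), reply items."""
    name: str
    check: list                                   # [(attribute, op, value)]
    control: dict = field(default_factory=dict)
    reply: dict = field(default_factory=dict)
    fall_through: bool = False                    # Fall-Through = Yes


def rlm_mschap_authorize(request, control):
    """If the request carries MS-CHAP attributes, claim it: Auth-Type becomes
    MS-CHAP unless something earlier set it already."""
    if "MS-CHAP-Challenge" in request and "MS-CHAP2-Response" in request:
        control.setdefault("Auth-Type", "MS-CHAP")
        return "ok"
    return "noop"


def rlm_files_authorize(request, control, reply, users, directory):
    """First matching entry wins (unless Fall-Through). A DEFAULT entry whose
    check items do not match is skipped; if nothing matches the module
    returns noop and changes nothing, it does not reject."""
    user = request.get("User-Name")
    for e in users:
        if e.name not in ("DEFAULT", user):
            continue
        ok = True
        for attr, op, want in e.check:
            if attr == "Ldap-Group":
                # Answered by rlm_ldap's registered comparison, so module
                # order does not matter; '*' is a wildcard in this model.
                have = directory.get(user, {}).get("groups", [])
                ok &= want == "*" or want in have
            else:
                ok &= op == "==" and request.get(attr) == want
        if not ok:
            continue
        control.update(e.control)                 # ':=' overrides
        reply.update(e.reply)
        if not e.fall_through:
            return "ok"
    return "noop"


def rlm_ldap_authorize(request, control, directory):
    """Fetch the stored NT-Password so mschap can verify against it."""
    rec = directory.get(request.get("User-Name"))
    if rec is None:
        return "notfound"
    control["NT-Password"] = rec["nt_password"]
    return "ok"


def _chap_response(challenge, nt_password):
    # Stand-in for the MS-CHAPv2 response (RFC 2759 uses DES over the NT
    # hash); a keyed digest is enough to show the verify step.
    return hashlib.sha256(challenge + nt_password.encode()).hexdigest()


def make_request(user, nt_password, challenge=b"\x01" * 16):
    """What the NAS would send for a PEAP/MS-CHAPv2 user (constructed)."""
    return {"User-Name": user, "Service-Type": "Framed-User",
            "MS-CHAP-Challenge": challenge,
            "MS-CHAP2-Response": _chap_response(challenge, nt_password)}


def run(request, users, directory):
    """authorize { mschap files ldap } then authenticate by Auth-Type."""
    control, reply = {}, {}
    rlm_mschap_authorize(request, control)
    rlm_files_authorize(request, control, reply, users, directory)
    rlm_ldap_authorize(request, control, directory)
    auth_type = control.get("Auth-Type")
    if auth_type == "Reject":
        return "Access-Reject", reply
    if auth_type is None:
        return "Access-Reject", reply   # nobody claimed it: the "no match" deny
    if auth_type == "MS-CHAP":
        expected = _chap_response(request["MS-CHAP-Challenge"],
                                  control.get("NT-Password", ""))
        if expected == request["MS-CHAP2-Response"]:
            return "Access-Accept", reply
        return "Access-Reject", reply
    raise ValueError("no authenticate method for " + auth_type)


def group_entry(group, **kw):
    return Entry("DEFAULT", [("Service-Type", "==", "Framed-User"),
                             ("Ldap-Group", "==", group)], **kw)


USERS_WITHOUT_DENY = [group_entry("ced"), group_entry("diramm"), group_entry("ricerca")]
USERS_WITH_DENY = USERS_WITHOUT_DENY + [group_entry(
    "*", control={"Auth-Type": "Reject"}, reply={"Reply-Message": "Gruppo non autorizzato"})]

# Constructed directory; the NT-Password values are placeholders, not hashes.
DIRECTORY = {"alice": {"nt_password": "nthash-alice", "groups": ["ced"]},
             "bob": {"nt_password": "nthash-bob", "groups": ["ospiti"]}}
```

Running `run(make_request("bob", "nthash-bob"), USERS_WITHOUT_DENY, DIRECTORY)` yields Access-Accept even though bob is in none of the listed groups, because mschap set the Auth-Type and the users file never said otherwise; with `USERS_WITH_DENY` the same request gets Access-Reject with the Reply-Message. A wrong password is rejected in both layouts, which is the "wrong password works" observation in the reply above.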


RE: 802.1x machine authentication patch help

2007-10-01 Thread Marco Casulli
Touchy! :-)

I was only asking as I am not an expert on this subject and wanted to
understand why Samba came in the loop?

Now that you have clarified the point it makes sense.

I will follow your advice.
Thanks
Alan 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: 01 October 2007 10:20
To: FreeRadius users mailing list
Subject: Re: 802.1x machine authentication patch help

Marco Casulli wrote:
> However how is samba related to this error?
> 
> This is an error coming from the AD server no able to authenticate a 
> user.

  If you're not going to believe the answers on this list, I don't see
why you're asking questions here.

  Q: Are you using Samba?
  Yes: upgrade as you were told to do
  No: You can't get the error message you posted without using Samba,
  so you ARE using Samba.

  Alan DeKok.

__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
__


This email may contain confidential information. If you receive it in error 
please immediately advise the sender and delete it from your system without 
copying, distributing or taking any action in reliance upon it. Red Bee Media 
Limited has taken precautions in respect of its email communications to 
preserve confidentiality and to ensure that any attachment has been checked for 
viruses.  However, we cannot accept liability for any damage sustained as a 
result of interceptions and software viruses and you should take your own 
precautions before responding to us by email and carry out your own virus 
checks before opening any attachment.

Red Bee Media Limited
Registered No: 04257461 England
Registered Office: BC2 A1 Broadcast Centre, 201 Wood Lane, London W12 7TP




RE: 802.1x machine authentication patch help

2007-10-01 Thread Marco Casulli
Thanks for your reply Phil,

However how is samba related to this error?

This is an error coming from the AD server not able to authenticate a
user. 

Thanks
Marco 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil
Mayers
Sent: 01 October 2007 09:55
To: FreeRadius users mailing list
Subject: Re: 802.1x machine authentication patch help

On Fri, 2007-09-28 at 12:06 +0100, Marco Casulli wrote:
> Hi Jamie,
> 
> Marco from BBC in london.
> 
> I have read your message
> (http://lists.cistron.nl/pipermail/freeradius-users/2005-November/048576.html)
> related to the error when the radius is trying to authenticate
> in AD and I am getting exactly the same message.
> 
> "No logon workstation trust account (0xc199)". 
> 
> The article is dated Nov 2005 so I hope you have the solution by now! 
> ;-)

You need a suitably recent version of Samba. I can't remember the exact
version number, but I'm sure judicious use of Google will find it, or
just use the most recent.




802.1x machine authentication patch help

2007-09-28 Thread Marco Casulli
Hi Jamie,

Marco from BBC in london.

I have read your message
(http://lists.cistron.nl/pipermail/freeradius-users/2005-November/048576.html)
related to the error when the radius is trying to authenticate in AD and
I am getting exactly the same message.

"No logon workstation trust account (0xc199)". 

The article is dated Nov 2005 so I hope you have the solution by now!
;-)

How did you fix the problem?

I can't find any resolution on the net.

Thanks
Marco


Re: RE : RE : RE : rlm_sql: Password in Accounting Packet

2006-12-15 Thread Marco Stuhl

Hello Thibault,

Thanks for the in-depth explanation. Here are some of my impressions
regarding this solution.

Only attribute I can rely on is Acct-Session-Id (present in
Authorization and Accounting requests) - drawback is in the RAS, which
resets the counter after every reboot, so this string is not unique (a
must for SQL joins).

Maybe there's some other attribute to look for?


Cheers,
Marco


On 12/15/06, Thibault Le Meur <[EMAIL PROTECTED]> wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marco Stuhl
Sent: Friday 15 December 2006 13:47
To: FreeRadius users mailing list
Subject: Re: RE : RE : rlm_sql: Password in Accounting Packet

> Here's the scenario.
>
> I'd like to make one username for all users having/sharing same service
> (e.g. users w/ service A all have username 'foo' with unique password for
> every user). Now, the problem arises with accounting, or, to be more
> precise, session reports that will be available for them to see and check
> their past sessions.

So the password can only be retrieved from the Access-Request packet: use the
postauth query to record it, then use radacct to record accounting
information.

> Since accounting (SQL schema) is based on unique username, I cannot make the
> distinction between users. Also, I've noted (in past FR versions, though)
> that it was possible for log files, since FR logged passwords there?

Accounting is based on AcctSessionId (or AcctUniqueId, which can be computed
by a FR module). AFAIK, there is no assumption about the 'unique username'
thing: it is your session analyzer that makes such an assumption.

If you want to differentiate users, you'll have to find rules that help map
attributes recorded in the radacct table with attributes recorded in the
postauth table: then a simple Join can help recover the true username.

HTH,
Thibault




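Thibault's suggestion above (record the identity in the post-auth table and join it against radacct) together with Marco's objection that Acct-Session-Id restarts after a RAS reboot, worked through as an added example on an in-memory SQLite database. This is not code from the thread or from FreeRADIUS: the column names follow the usual radpostauth/radacct layout but are trimmed, the `realuser` column and epoch-second timestamps are assumptions, and the rows are constructed. The post-auth row stores the identity the password resolved to rather than the password itself; that is all the per-user report needs, and it keeps cleartext credentials out of the accounting database.

```python
# Added example (not FreeRADIUS code): why a join on Acct-Session-Id alone
# is ambiguous after a NAS reboot, and a time-windowed join that is not.
import sqlite3

SCHEMA = """
CREATE TABLE radpostauth (
    id INTEGER PRIMARY KEY, username TEXT, realuser TEXT,
    nasipaddress TEXT, nasportid TEXT, acctsessionid TEXT, authdate INTEGER);
CREATE TABLE radacct (
    radacctid INTEGER PRIMARY KEY, acctsessionid TEXT, username TEXT,
    nasipaddress TEXT, nasportid TEXT, acctstarttime INTEGER);
"""

# Constructed sample: every subscriber logs in as 'foo'; the RAS reboots at
# about t=300 and its Acct-Session-Id counter restarts at 00000001 on the
# same port, so two different people own session 00000001 over time.
POSTAUTH_ROWS = [
    ("foo", "alice", "10.0.0.1", "1", "00000001", 100),
    ("foo", "bob",   "10.0.0.1", "2", "00000002", 110),
    ("foo", "carol", "10.0.0.1", "1", "00000001", 310),
]
RADACCT_ROWS = [
    ("00000001", "foo", "10.0.0.1", "1", 101),
    ("00000002", "foo", "10.0.0.1", "2", 111),
    ("00000001", "foo", "10.0.0.1", "1", 311),
]

# Join on the session id only: every reused id produces extra rows.
NAIVE_JOIN = """
SELECT a.radacctid, p.realuser
  FROM radacct a JOIN radpostauth p ON p.acctsessionid = a.acctsessionid
 ORDER BY a.radacctid, p.id"""

# Join on NAS, port and session id, and pick the most recent Access-Request
# that preceded the accounting Start: the reboot no longer matters.
OWNER_JOIN = """
SELECT a.radacctid, p.realuser
  FROM radacct a JOIN radpostauth p
    ON p.acctsessionid = a.acctsessionid
   AND p.nasipaddress = a.nasipaddress
   AND p.nasportid    = a.nasportid
   AND p.authdate    <= a.acctstarttime
 WHERE p.id = (SELECT q.id FROM radpostauth q
                WHERE q.acctsessionid = a.acctsessionid
                  AND q.nasipaddress  = a.nasipaddress
                  AND q.nasportid     = a.nasportid
                  AND q.authdate     <= a.acctstarttime
                ORDER BY q.authdate DESC LIMIT 1)
 ORDER BY a.radacctid"""


def build_db():
    """Load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radpostauth(username, realuser, nasipaddress, nasportid,"
        " acctsessionid, authdate) VALUES (?,?,?,?,?,?)", POSTAUTH_ROWS)
    conn.executemany(
        "INSERT INTO radacct(acctsessionid, username, nasipaddress, nasportid,"
        " acctstarttime) VALUES (?,?,?,?,?)", RADACCT_ROWS)
    return conn


def naive_join(conn):
    """Ambiguous: (radacctid, realuser) pairs, with duplicates after the reboot."""
    return conn.execute(NAIVE_JOIN).fetchall()


def session_owner(conn):
    """Exactly one owner per accounting session."""
    return conn.execute(OWNER_JOIN).fetchall()
```

Hashing the same attributes into an Acct-Unique-Session-Id does not remove the ambiguity in this scenario, because after the reboot User-Name, NAS-IP-Address, NAS-Port and Acct-Session-Id are all identical to the earlier session; the timestamp window is what tells the two apart.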


Re: RE : RE : rlm_sql: Password in Accounting Packet

2006-12-15 Thread Marco Stuhl

Hello all,

Thanks for sharing your thoughts!

Seems that I'll go with unique/different usernames, for now...


Cheers,
Marco


On 12/15/06, Alan DeKok <[EMAIL PROTECTED]> wrote:


Marco Stuhl wrote:
> Here's the scenario.
>
> I'd like to make one username for all users having/sharing same service

Quite frankly, it's much easier to have different usernames.

Alan DeKok.
--
http://deployingradius.com   - The web site of the book
http://deployingradius.com/blog/ - The blog

Re: RE : RE : rlm_sql: Password in Accounting Packet

2006-12-15 Thread Marco Stuhl

Here's the scenario.

I'd like to make one username for all users having/sharing same service (e.g.
users w/ service A all have username 'foo' with unique password for every
user). Now, the problem arises with accounting, or, to be more precise,
session reports that will be available for them to see and check their past
sessions.

Since accounting (SQL schema) is based on unique username, I cannot make the
distinction between users. Also, I've noted (in past FR versions, though)
that it was possible for log files, since FR logged passwords there?


Thanks,
Marco


On 12/15/06, Thibault Le Meur <[EMAIL PROTECTED]> wrote:




>>>Is there a way to insert password in radacct table?
>>>Changing SQL query to insert %{User-Password} has no effect.

>>I don't think your NAS sends a User-Password attribute in the Accounting
>>Request. How do you want FR to know the User-Password attribute then ?

>I agree on that one; still no workaround?

I don't understand what you're trying to do.
* If you want to record the user-password, why don't you record it at
Authentication time (see the postauth section) ?
* If you want to do this during the Accounting process, you'll have to
develop your own module to get the password that matches the User-Login
from the Accounting request: you will have to query your internal backend
to get the user's password (if it is available in clear text, which is not
certain).

Can you be more specific as to why you are trying to do this... because
there might be workarounds for this.

Thibault




Re: RE : rlm_sql: Password in Accounting Packet

2006-12-15 Thread Marco Stuhl

On 12/15/06, Thibault Le Meur <[EMAIL PROTECTED]> wrote:


>Is there a way to insert password in radacct table?
>Changing SQL query to insert %{User-Password} has no effect.

I don't think your NAS sends a User-Password attribute in the Accounting
Request. How do you want FR to know the User-Password attribute then ?



I agree on that one; still no workaround?


Cheers,
Marco

rlm_sql: Password in Accounting Packet

2006-12-15 Thread Marco Stuhl

Hello,

Is there a way to insert password in radacct table? Changing SQL query to
insert %{User-Password} has no effect.

I'm aware of the RFCs - is there any workaround for this?

Thanks,
Marco

Re: PHP + radius

2006-08-05 Thread Marco Fretz

hello

what do you want to do with PHP and radius exactly?

- authenticate in php against radius
- administer the radius server (users / accounting) with a php interface?

regards
marco

raviprakash sunkara wrote:


Hi Guys

Happy friend ship day... !


I'm working on a Linux box.

I want to know how to integrate PHP with RADIUS.

Can anyone point me to the documentation?

Help me !

--
Thanks and Regards with cheers
Sunkara Ravi Prakash (Voip Developer)
Hyperion Technology
Kondapur, Hi-tech city,
Hyderabad.
www.hyperion-tech.com <http://www.hyperion-tech.com>
+91-9985077535




Re: Operation of a radius server

2006-07-19 Thread Marco Fretz

hello dave

i know the following:
the client's dsl router establishes a pppoe connection with the NAS (in my
case a cisco access router with pppoe support and authentication against
radius). the NAS needs the framed-ip, compression type, mtu, etc. from
the radius.


the radius gets a request with the encrypted password from the NAS. if
the login is correct the radius will answer with an accept packet and
information like framed-ip, mtu, compression type, etc.



Dave wrote:

I was just hoping someone here could explain to me how the radius server
process works.
My situation will be authorizing for DSL.

I think the process is:  My DSL wholesaler gets requests for a logins
under my realm to their NAS, then sends it to me, then I send back a yes
or no answer.

My question is what information do I have to supply to my DSL wholesaler
and what information do I need from them? regarding authorization types
or encryption?

Any info would help a lot.

Thanks




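The exchange Marco describes above (NAS sends the "encrypted" password, server answers with an Access-Accept carrying Framed-IP-Address and the like), written out as an added example of the PAP case defined in RFC 2865. This is not code from the thread, FreeRADIUS or Cisco; the shared secret, the user record and the addresses are constructed. Two things worth seeing in the code: the User-Password attribute is not encrypted but hidden by XOR with MD5(secret + Request Authenticator), so anyone holding the shared secret and the packet recovers the cleartext (which is also why a server that decodes the packet, for instance in debug mode, can print it); and the reply is bound to the request by the Response Authenticator, which the NAS must check before trusting the Framed-IP-Address it contains.

```python
# Added example (not FreeRADIUS or Cisco code): RFC 2865 PAP Access-Request /
# Access-Accept with User-Password hiding and the Response Authenticator.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, FRAMED_MTU = 1, 2, 4, 8, 12


def _xor_stream(data, secret, ra, hiding):
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block).
    'previous block' is the Request Authenticator for the first block and the
    previous ciphertext block afterwards, in both directions."""
    out, prev = b"", ra
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = result if hiding else block
    return out


def hide_password(password, secret, ra):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_stream(padded, secret, ra, hiding=True)


def reveal_password(hidden, secret, ra):
    """What any holder of the shared secret can do with a captured packet:
    obfuscation, not encryption. Trailing NUL padding is stripped."""
    return _xor_stream(hidden, secret, ra, hiding=False).rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(buf):
    attrs, i = [], 0
    while i < len(buf):
        t, length = struct.unpack("!BB", buf[i:i + 2])
        attrs.append((t, buf[i + 2:i + length]))
        i += length
    return attrs


def build_request(ident, ra, username, password, nas_ip, secret):
    """NAS side: Access-Request with a hidden User-Password."""
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, ra)),
                          (NAS_IP_ADDRESS, bytes(map(int, nas_ip.split("."))))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def build_response(code, ident, ra, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + ra + body + secret).digest() + body


def verify_response(packet, ra, secret):
    """NAS side: reject replies that were not built with the shared secret
    for this exact request (or were modified in transit)."""
    head, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(head + ra + body + secret).digest() == resp_auth


def server_handle(packet, secret, users):
    """Server side: recover the password, check it, reply with the session
    parameters the NAS needs, or reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    ra = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    rec = users.get(attrs[USER_NAME])
    if rec is None or rec["password"] != reveal_password(attrs[USER_PASSWORD], secret, ra):
        return build_response(ACCESS_REJECT, ident, ra, [], secret)
    reply = [(FRAMED_IP_ADDRESS, bytes(map(int, rec["framed_ip"].split(".")))),
             (FRAMED_MTU, struct.pack("!I", rec["mtu"]))]
    return build_response(ACCESS_ACCEPT, ident, ra, reply, secret)


# Constructed demo data (secret and user record are placeholders).
SECRET = b"testing123"
USERS = {b"alice@dsl.example": {"password": b"correct horse",
                                "framed_ip": "192.0.2.10", "mtu": 1492}}


def exchange(username, password, secret=SECRET, users=USERS):
    """One round trip: returns (reply code, reply attributes)."""
    ra = os.urandom(16)                      # fresh Request Authenticator
    req = build_request(7, ra, username, password, "198.51.100.1", secret)
    resp = server_handle(req, secret, users)
    if not verify_response(resp, ra, secret):
        raise ValueError("Response Authenticator mismatch")
    return resp[0], dict(decode_attrs(resp[20:]))
```

The Request Authenticator must be fresh per request; reusing it with the same secret makes the XOR pad identical, so two hidden passwords leak their XOR to anyone watching the wire.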


Re: FreeRadius Autostart

2006-07-11 Thread Marco Fretz

maybe you have to do a "chkconfig radiusd add" first...

[EMAIL PROTECTED] wrote:

Hi,

  

I am rephrasing my question. I installed FreeRadius without rpm package on
CentOS 4. I want FreeRadius to start automatically in background when System
boots up.
  


FreeRADIUS comes with some helpful example scripts etc. there is one for
Redhat - which works on Fedora and should work on CentOS, simply copy the
file (redhat/rc.radiusd-redhat) into the init.d directory, eg 
/etc/init.d/radiusd

..and then 


chkconfig radiusd on

alan


Re: FreeRadius Autostart

2006-07-10 Thread Marco Fretz
we should really know your operating system. but on most systems you 
have to write a small rc script (shell script) with a start and stop 
command.


under redhat you can hook the script into your system with the tool 
chkconfig


greets
marco

Wasif wrote:

Hi all,

I have a simple question . I installed FreeRadius without rpm package. I
want FreeRadius to start automatically when System boots up.

Thanks

Wazb



show logged in users

2006-07-10 Thread Fretz Marco

hello

another question: what's the best way to see which users are logged in?
- reading out the pppoe router with snmp for active sessions
- search for session ids with start but no stop event

i want to do the first one. because our routers are in an isolated management 
network and i want to access the router from our webinterface or some admin 
hosts


can i be 100% sure that a user is logged in if there is no stop event?

thanks and kind regards
marco fretz


accouting over more than one servers

2006-07-10 Thread Fretz Marco

hello there

i've got a problem. we are using 2 radius servers to auth our xDSL users, 
queried from a CISCO PPPoE Router.
how can i prevent a user from dialing in from a second xdsl line if the first 
radius is down and CISCO AAA uses the 2nd radius server?


and btw: does anybody know how to set up AAA on a CISCO IOS to send 
periodic accounting info to the radius server?


thanks and kind regards
marco fretz
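The two questions above (who is logged in, judged from Start records without a Stop; and stopping a second dial-in when the NAS has failed over to the other RADIUS server) worked through as one added example. This is not code from the thread or from FreeRADIUS: the record layout, the 300-second interim interval and the sample records are constructed. A Start with no Stop is not proof that the session is alive, since a Stop can be lost or the NAS can reboot; the example therefore counts a session as stale once the NAS has missed its Interim-Update records, and wipes every session on a NAS when that NAS sends Accounting-On or Accounting-Off (the RFC 2866 values a NAS sends at boot and shutdown). The simultaneous-use check is only as good as the accounting store both servers write to: with two RADIUS servers the check must read the same shared table, otherwise the second server has no idea about sessions the first one recorded.

```python
# Added example (not FreeRADIUS code): active sessions derived from the
# accounting stream, with stale detection, and a Simultaneous-Use check.
INTERIM_INTERVAL = 300      # seconds between Interim-Update records (assumed)
MISSED_UPDATES = 2          # this many missed updates => session is stale


def active_sessions(records, now, interim=INTERIM_INTERVAL, missed=MISSED_UPDATES):
    """Replay Start / Interim-Update / Stop / Accounting-On|Off records in
    time order and return the sessions still open at `now`. Sessions are
    keyed by (NAS, Acct-Session-Id) because session ids are only unique per
    NAS, and only until the NAS reboots."""
    sessions = {}
    for r in sorted(records, key=lambda r: r["time"]):
        key = (r["nas"], r["session_id"])
        status = r["status"]
        if status in ("Start", "Interim-Update"):
            s = sessions.setdefault(key, {"user": r["user"], "start": r["time"]})
            s["last"] = r["time"]
        elif status == "Stop":
            sessions.pop(key, None)
        elif status in ("Accounting-On", "Accounting-Off"):
            # The NAS (re)booted or is shutting down: nothing it had is alive.
            for k in [k for k in sessions if k[0] == r["nas"]]:
                del sessions[k]
    result = []
    for (nas, sid), s in sessions.items():
        result.append({"nas": nas, "session_id": sid, "user": s["user"],
                       "since": s["start"],
                       "stale": now - s["last"] > interim * missed})
    return result


def simultaneous_use_ok(user, limit, records, now):
    """Admit a new login only if the user has fewer than `limit` live
    sessions. Stale ones are ignored here; an operator may prefer to count
    them and clear them by hand instead."""
    live = [s for s in active_sessions(records, now)
            if s["user"] == user and not s["stale"]]
    return len(live) < limit


# Constructed accounting records. nas1 and nas2 both hand out session id
# 00000001, which is why the NAS is part of the key above.
SAMPLE_RECORDS = [
    {"time": 0,   "nas": "nas1", "session_id": "00000001", "user": "alice", "status": "Start"},
    {"time": 0,   "nas": "nas2", "session_id": "00000001", "user": "carol", "status": "Start"},
    {"time": 100, "nas": "nas1", "session_id": "00000002", "user": "bob",   "status": "Start"},
    {"time": 200, "nas": "nas1", "session_id": "00000002", "user": "bob",   "status": "Stop"},
    {"time": 300, "nas": "nas1", "session_id": "00000001", "user": "alice", "status": "Interim-Update"},
    {"time": 600, "nas": "nas1", "session_id": "00000001", "user": "alice", "status": "Interim-Update"},
]
NAS2_REBOOT = {"time": 800, "nas": "nas2", "session_id": "", "user": "", "status": "Accounting-On"}
```

At `now=700` alice is live (last update at 600), bob has stopped, and carol on nas2 has sent nothing for 700 seconds and is flagged stale; once nas2's Accounting-On arrives she disappears altogether. Interim records are what make the stale test possible; on IOS they are switched on with `aaa accounting update periodic <minutes>` (an IOS command, not something from this thread).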


Re: Dialupadmin and FreeRADIUS communication issues

2006-01-04 Thread Marco Huggenberger
Hi

2006/1/4, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> version of OpenSSL and FreeRADIUS and installed Apache on the machine via

What Apache Version? AFAIK DialAdmin works only with Apache 1.3.x and
not with 2.0.x, but I don't know, maybe I'm wrong.

Cheers

Marco



Nas emulator under linux

2006-01-03 Thread Marco Spiga
Hello!!

Where can I find a linux-based NAS authenticator in order to simulate various 
types of authentications?

Thanks


Marco
-- 
! Message from Marco !


Re: EAP-MD5 Authentication problem. Resolved!!!

2005-12-30 Thread Marco Spiga
Thanks to your patience Alan, I have resolved it !!!

I have reinstalled freeradius.
The errors were in radiusd.conf.
Sorry but I did not know that for any modification of the users file it was 
necessary to restart radiusd :-(
The other old files do not give errors.

I have included the difference between the bad radiusd.conf file and the good 
(my new) radiusd.conf file.


20c20,21
< bind_address = *
---
54,84c55,60
<   pap {
<   encryption_scheme = crypt
<   }
<   chap {
<   authtype = CHAP
<   }
<   pam {
<   pam_auth = radiusd
<   }
<   unix {
<   cache = no
<   cache_reload = 600
<   shadow = /etc/shadow
<   radwtmp = ${logdir}/radwtmp
<   }
< $INCLUDE ${confdir}/eap.conf
<   mschap {
<   authtype = MS-CHAP
<   }
<   ldap {
<   server = "ldap.your.domain"
<   basedn = "o=My Org,c=UA"
<   filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
<   start_tls = no
<   access_attr = "dialupAccess"
<   dictionary_mapping = ${raddbdir}/ldap.attrmap
<   ldap_connections_number = 5
<   timeout = 4
<   timelimit = 3
<   net_timeout = 1
<   }
---
> #$INCLUDE ${confdir}/eap.conf
> eap {
> default_eap_type = md5
> md5 {
> }
> }
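Review bot: the ldap block removed in the `54,84c55,60` hunk still carried the stock placeholder values `server = "ldap.your.domain"` and `basedn = "o=My Org,c=UA"`, so it was never a usable module instance; dropping it is right, and it has to be filled in with real values before it is listed again. In the replacement, `$INCLUDE ${confdir}/eap.conf` is commented out and an `eap { default_eap_type = md5 ... }` block is inlined in its place, so the eap.conf quoted later in the thread is no longer read at all; edits made there will have no effect until the `$INCLUDE` is restored and the inline block removed.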
136c112
<   $INCLUDE ${confdir}/postgresql.conf
---
>   $INCLUDE  ${confdir}/sql.conf
173a150
> 
175a153
> 
177a156,157
> 
> preprocess
182,197d161
<   exec echo {
<   wait = yes
<   program = "/bin/echo %{User-Name}"
<   input_pairs = request
<   output_pairs = reply
<   }
<   ippool main_pool {
<   range-start = 192.168.1.1
<   range-stop = 192.168.3.254
<   netmask = 255.255.255.0
<   cache-size = 800
<   session-db = ${raddbdir}/db.ippool
<   ip-index = ${raddbdir}/db.ipindex
<   override = no
<   maximum-timeout = 0
<   }
205,207d168
<   chap
<   mschap
<   suffix
209,210d169
<   files
<   sql
213,222d171
<   Auth-Type PAP {
<   pap
<   }
<   Auth-Type CHAP {
<   chap
<   }
<   Auth-Type MS-CHAP {
<   mschap
<   }
<   unix
225a175
>   files
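Review bot: `225a175` puts `files` back, which is the change the quoted reply below asks for: rlm_files only consults the users file when it is listed in the section that runs, and the earlier `209,210d169` hunk shows `files` and `sql` being dropped from the old file. After restarting, the `radiusd -X` output for the EAP-MD5 request should show the `files` module being called in authorize alongside `preprocess` and `eap`; if it still shows only `preprocess` and `eap`, the line landed in the wrong section.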
233d182
<   unix
234a184
>   sql
237a188
>   sql
239a191
>   sql
244d195


Happy new year to all the participants of the mailing-list!!!

BYE





On Thu, Dec 29, 2005 at 02:22:19AM -0500, Alan DeKok wrote:
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: FreeRadius users mailing list 
> Date: Thu, 29 Dec 2005 02:22:19 -0500
> Subject: Re: EAP-MD5 Authentication problem 
> 
> Marco Spiga <[EMAIL PROTECTED]> wrote:
> > However as soon as installed freeradius I have tried radtest and it worked 
> > well, also whith users inserted in
> > radcheck table of postgresql and authentication EAP MD5 has not never 
> > worked.
> 
>   The entry in the "users" file isn't being matched because you edited
> radiusd.conf, and broke the server.
> 
> > modcall: entering group authorize for request 0
> >   modcall[authorize]: module "preprocess" returns ok for request 0
> >   rlm_eap: EAP packet type response id 210 length 9
> >   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> >   modcall[authorize]: module "eap" returns updated for request 0
> > modcall: group authorize returns updated for request 0
> 
>   See?  There's no mention of the "files" module, or that any entry in
> the "users" file was matched.  So you can edit the "users" file
> forever, and it won't affect anything... because *you* told the server
> to not look at the "users" file.
> 
> > # eap sets the authenticate type as EAP
> > authorize {
> > ...
> > eap
> > }
> 
>   And rather than quoting your exact "authorize" section, you've
> edited it.
> 
>   Since I can read the debug output, I can tell what you've done.  But
> by editing the "radiusd.conf" pieces you quoted, you've gone out of
> your way to make it more difficult for anyone to be able to help you.
> 
> In short, if you don't know what the entries in "


Re: EAP-MD5 Authentication problem

2005-12-28 Thread Marco Spiga
>> Marco Spiga <[EMAIL PROTECTED]> wrote:
>> Still it does not work :-((

>  Go read the FAQ.  See 5.10.  It's directed specifically at your remark.

>  Alan DEKok.


Done right away!!
I have not included the output of radtest because I only want to enable 
radiusd to use EAP-MD5 authentication.
However, as soon as I installed freeradius I tried radtest and it worked 
well, also with users inserted in the radcheck table of postgresql, and 
EAP-MD5 authentication has never worked.


The req.txt file contains:

User-Name = "test"
EAP-MD5-Password = "password"
NAS-IP-Address = "localhost"
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "test"
EAP-Message = "0x0"
Message-Authenticator = "0x0"
NAS-Port = 

WITH OUTPUT:



+++> About to send encoded packet:
User-Name = "test"
EAP-MD5-Password = "password"
NAS-IP-Address = localhost
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "test"
Sending Access-Request of id 2 to 127.0.0.1:1812
User-Name = "test"
NAS-IP-Address = localhost
EAP-Message = 0x02d200090174657374
Message-Authenticator = 0x
rad_recv: Access-Challenge packet from host 127.0.0.1:1812, id=2, length=80
EAP-Message = 0x01d300160410dc4eb119fa86b90b61acfdb69ab3a961
Message-Authenticator = 0x30c5633d1d0717256ade7d9780683428
State = 0xf28f6899a431b6ac423bf3672d4a21b9
<+++ EAP decoded packet:
EAP-Message = 0x01d300160410dc4eb119fa86b90b61acfdb69ab3a961
Message-Authenticator = 0x30c5633d1d0717256ade7d9780683428
State = 0xf28f6899a431b6ac423bf3672d4a21b9
EAP-Id = 211
EAP-Code = Request
EAP-Type-MD5 = 0x10dc4eb119fa86b90b61acfdb69ab3a961

+++> About to send encoded packet:
User-Name = "test"
EAP-MD5-Password = "password"
NAS-IP-Address = localhost
EAP-Code = Response
EAP-Id = 211
Message-Authenticator = 0x
EAP-Type-MD5 = 0x1079d9627aaca015bb70d2d48eb3d5581b
State = 0xf28f6899a431b6ac423bf3672d4a21b9
Sending Access-Request of id 3 to 127.0.0.1:1812
User-Name = "test"
NAS-IP-Address = localhost
Message-Authenticator = 0x
State = 0xf28f6899a431b6ac423bf3672d4a21b9
EAP-Message = 0x02d30016041079d9627aaca015bb70d2d48eb3d5581b
Re-sending Access-Request of id 3 to 127.0.0.1:1812
User-Name = "test"
EAP-MD5-Password = "password"
NAS-IP-Address = localhost
EAP-Code = Response
EAP-Id = 211
Message-Authenticator = 0x
EAP-Type-MD5 = 0x1079d9627aaca015bb70d2d48eb3d5581b
State = 0xf28f6899a431b6ac423bf3672d4a21b9
EAP-Message = 0x02d30016041079d9627aaca015bb70d2d48eb3d5581b
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=3, length=44
EAP-Message = 0x04d30004
Message-Authenticator = 0x54a6958e6602e2a3ada0be9c34d398b2
<+++ EAP decoded packet:
EAP-Message = 0x04d30004
Message-Authenticator = 0x54a6958e6602e2a3ada0be9c34d398b2
EAP-Id = 211
EAP-Code = Failure

   Total approved auths:  0
 Total denied auths:  2



the radius.conf file contain:

   modules {
...
eap {
default_eap_type = md5
md5 {
}
...
}
...
}

# eap sets the authenticate type as EAP
authorize {
...
eap
}

# eap authentication takes place.
authenticate {
eap
}

the eap.conf file contain:

eap {
default_eap_type = md5
md5 {
}
}

the users file contain:


#
#   Please read the documentation file ../doc/processing_users_file,
#   or 'man 5 users' (after installing the server) for more information.
#
#   This file contains authentication security and configuration
#   information for each user.  Accounting requests are NOT processed
#   through this file.  Instead, see 'acct_users', in this directory.
#
#   The first field is the user's name and can be up to
#   253 characters in length.  This is followed (on the same line) with
#   the list of authentication requirements for that user.  This can
#   include password, comm server name, comm server port number, protocol
#   type (perhaps set by the "hints" file), and huntgroup na

Re: EAP-MD5 Authentication problem

2005-12-28 Thread Marco Spiga
A row like this?

"test"  Auth-Type := EAP, User-Password := "password"
Reply-Message = "Hello, %u"

Still it does not work :-((

And I also have tried to write

"test"  Auth-Type == EAP, User-Password := "password"
Reply-Message = "Hello, %u"

only to make an other attempt

---
Another info:
FreeRADIUS Version 1.0.4
over FC4
---

Bye

Marco

On Wed, Dec 28, 2005 at 12:02:58PM -0500, Alan DeKok wrote:
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: FreeRadius users mailing list 
> Date: Wed, 28 Dec 2005 12:02:58 -0500
> Subject: Re: EAP-MD5 Authentication problem 
> 
> Marco Spiga <[EMAIL PROTECTED]> wrote:
> > the users file contain:
> > 
> > "test"  Auth-Type := EAP, User-Password == "password"
> 
>   Use ':=' for the password, not '=='.
> 
>   The debug log would show that it's not matching that entry.  Once
> you make this change, it *will* show it's matching that entry.
> 
>   Alan DeKok.
---end of text---

-- 
! Message from Marco !


Re: EAP-MD5 Authentication problem

2005-12-28 Thread Marco Spiga
On Wed, Dec 28, 2005 at 12:37:00PM +, Anup Parkhi wrote:
> From: "Anup Parkhi" <[EMAIL PROTECTED]>
> To: freeradius-users@lists.freeradius.org
> Date: Wed, 28 Dec 2005 12:37:00 +
> Subject: Re: EAP-MD5 Authentication problem
> 
> Try moving your entry for the user way up in the users file. I had the same 
> problem. Then I moved my user after the first DEFAULT entry and it worked. 
> I think it has to do with some Checked attribute. (Sorry, I don't have 
> access to my machine right now. I am on vacation. I cannot give a clearer 
> answer than this).
> 
Thanks for your interest, Anup.
I have tried it, but it doesn't work.
I await your return from vacation.

Bye

Marco
> 
> >From: Marco Spiga <[EMAIL PROTECTED]>
> >Reply-To: FreeRadius users mailing list 
> >
> >To: freeradius-users@lists.freeradius.org
> >Subject: Re: EAP-MD5 Authentication problem
> >Date: Wed, 28 Dec 2005 09:56:37 +0100
> >
> >Hello!!!
> >
> >I don't know why the 'radeapclient -s -xx 127.0.0.1 auth testing123 
> > >don't authenticate whith radiusd.
> >The req.txt file contains:
> >
> >User-Name = "test"
> >User-Password = "password"
> >EAP-MD5-Password = "password"
> >NAS-IP-Address = 127.0.0.1
> >NAS-Port = 10
> >EAP-Code = Response
> >Called-Station-Id = "00-06-25-57-18-B6"
> >Calling-Station-Id = "00-06-23-27-38-E6"
> >EAP-Id = 210
> >EAP-Type-Identity = "test"
> >Message-Authenticator = 0x0
> >
> >
> >
> >the radius.conf file contain:
> >
> >   modules {
> >...
> >eap {
> >default_eap_type = md5
> >md5 {
> >}
> >...
> >}
> >...
> >}
> >authorize {
> >...
> >eap
> >}
> >authenticate {
> >eap
> >}
> >
> >the eap.conf file contain:
> >
> > eap {
> > default_eap_type = md5
> > md5 {
> > }
> >     }
> >
> >the users file contain:
> >
> >"test"  Auth-Type := EAP, User-Password == "password"
> >Reply-Message = "Hello, %u"
> >
> >Where is the error ?
> >Please.
> >
> >Bye!
> >-
> >List info/subscribe/unsubscribe? See 
> >http://www.freeradius.org/list/users.html
> 
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
---end of text---

-- 
! Message from Marco !
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
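Alan's point about ':=' versus '==' and Anup's point about where the entry sits in the users file both come down to how the files module walks that file. What follows is an added example, not code from this thread and not FreeRADIUS code: a small Python re-implementation of the users-file subset involved (an entry name or DEFAULT, '==' and '!=' as comparisons against the request, ':=' and '=' as config items, first match wins unless the reply items carry Fall-Through = Yes). The users-file texts are constructed from the entries posted in the thread, with the Reply-Message line indented as the real file requires, and the request is a constructed one with no User-Password in it, as a request relayed from an EAP supplicant normally has. The DEFAULT-first cases generalise Anup's remark about entry order: a DEFAULT entry that matches first and has no Fall-Through ends the walk before the user's own entry is ever looked at.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]  # (attribute, operator, value)

# One "Attribute op value" item; the value is either double-quoted or a bare word.
ITEM_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(:=|==|!=|=)\s*(?:"([^"]*)"|([^\s]+))\s*$')


@dataclass
class Entry:
    name: str                                   # user name, or DEFAULT
    check: List[Item] = field(default_factory=list)
    reply: List[Item] = field(default_factory=list)


def _split_items(text: str) -> List[str]:
    """Split on commas that are not inside double quotes ("Hello, %u" has one)."""
    items, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i for i in items if i.strip()]


def _parse_items(text: str) -> List[Item]:
    out = []
    for raw in _split_items(text):
        m = ITEM_RE.match(raw)
        if not m:
            raise ValueError(f"cannot parse item: {raw.strip()!r}")
        attr, op, quoted, bare = m.groups()
        out.append((attr, op, quoted if quoted is not None else bare))
    return out


def parse_users(text: str) -> List[Entry]:
    """A line in column 0 starts an entry (name, then check items); indented lines hold reply items."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1].reply.extend(_parse_items(line))
        else:
            name, _, rest = line.strip().partition(" ")
            entries.append(Entry(name.strip('"'), _parse_items(rest)))
    return entries


def match_users(entries: List[Entry], request: Dict[str, str]):
    """Walk the entries in file order; returns (config, reply, matched_names).

    '==' / '!=' check items are compared against the request.  ':=' and '='
    check items are not comparisons: they set config items, which is where
    rlm_eap_md5 looks for the known-good User-Password.  The walk stops at the
    first matching entry unless its reply items say Fall-Through = Yes.
    """
    config: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    matched: List[str] = []
    for entry in entries:
        if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
            continue
        ok = True
        for attr, op, value in entry.check:
            if op == "==":
                ok = request.get(attr) == value
            elif op == "!=":
                ok = request.get(attr) != value
            if not ok:
                break
        if not ok:
            continue
        matched.append(entry.name)
        for attr, op, value in entry.check:
            if op == ":=" or (op == "=" and attr not in config):
                config[attr] = value
        for attr, op, value in entry.reply:
            if op == ":=" or (op == "=" and attr not in reply):
                reply[attr] = value
        if reply.pop("Fall-Through", "no").lower() not in ("yes", "1"):
            break
    return config, reply, matched


# Constructed request as relayed from an EAP supplicant: no User-Password attribute.
SUPPLICANT_REQUEST = {"User-Name": "test", "EAP-Message": "0x02d200090174657374", "NAS-IP-Address": "127.0.0.1"}

# Users-file texts constructed from the entries posted in the thread.
USERS_COMPARE = '"test"  Auth-Type := EAP, User-Password == "password"\n\tReply-Message = "Hello, %u"\n'
USERS_SET = '"test"  Auth-Type := EAP, User-Password := "password"\n\tReply-Message = "Hello, %u"\n'
USERS_DEFAULT_FIRST = ('DEFAULT Auth-Type := Accept\n\tReply-Message = "matched DEFAULT"\n\n'
                       '"test"  Auth-Type := EAP, User-Password := "password"\n')
USERS_DEFAULT_FALLTHROUGH = ('DEFAULT Auth-Type := Accept\n\tReply-Message = "matched DEFAULT", Fall-Through = Yes\n\n'
                             '"test"  Auth-Type := EAP, User-Password := "password"\n')

if __name__ == "__main__":
    for label, text in [("==", USERS_COMPARE), (":=", USERS_SET),
                        ("DEFAULT first", USERS_DEFAULT_FIRST), ("DEFAULT + Fall-Through", USERS_DEFAULT_FALLTHROUGH)]:
        config, reply, matched = match_users(parse_users(text), SUPPLICANT_REQUEST)
        print(f"{label:24s} matched={matched} config={config} reply={reply}")
```

With the '==' entry the user's entry never matches, so no User-Password reaches the config list and the EAP-MD5 module has nothing to verify against; with ':=' the entry matches and the known-good password is available. In the DEFAULT-first text only DEFAULT matches, and the user's line is never reached until DEFAULT carries Fall-Through = Yes.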


Re: EAP-MD5 Authentication problem

2005-12-28 Thread Marco Spiga
Hello!!!

I don't know why the 'radeapclient -s -xx 127.0.0.1 auth testing123 http://www.freeradius.org/list/users.html


Re: EAP-MD5 Authentication problem

2005-12-27 Thread Marco Spiga
On Mon, Dec 26, 2005 at 11:40:03AM -0500, Alan DeKok wrote:
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: FreeRadius users mailing list 
> Date: Mon, 26 Dec 2005 11:40:03 -0500
> Subject: Re: EAP-MD5 Authentication problem 
> 
> Marco Spiga <[EMAIL PROTECTED]> wrote many, many, times:
> ...
> 
>   First, only one post to the list is necessary.  Second:
Excuse me, but I am still fighting with a mail problem at my provider.
> 
> > rlm_eap_md5: User-Password is required for EAP-MD5 authentication
> 
>   You didn't tell the server what the user's *correct* password was.
> How did you expect the server to be able to authenticate the user?

Well, my problem is that I do not know exactly what to do.
In the previous email I had sent the configuration and log files.

>   Alan DeKok.
> - 
Marco
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP-MD5 Authentication problem

2005-12-26 Thread Marco Spiga
ql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_postgresql #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql) 
Listening on authentication 127.0.0.1:1812
Listening on accounting 127.0.0.1:1813
Listening on proxy 127.0.0.1:1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=71, length=123
User-Name = "test"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 10
Called-Station-Id = "00-06-25-57-18-B6"
Calling-Station-Id = "00-06-23-27-38-E6"
EAP-Message = 0x02d200090174657374
Message-Authenticator = 0x77fa8c7a2619f5223c04f644b71f3c7f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  rlm_eap: EAP packet type response id 210 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 71 to 127.0.0.1:32770
EAP-Message = 0x01d30016041078ecacc0f85321e54008e837f5d52010
Message-Authenticator = 0x
State = 0xa5a05865b3f3bc1d95db4dc54b8e9bac
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=72, length=154
User-Name = "test"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 10
Called-Station-Id = "00-06-25-57-18-B6"
Calling-Station-Id = "00-06-23-27-38-E6"
Message-Authenticator = 0x77d3b31a08ee633b519db4b99fbeb3e7
State = 0xa5a05865b3f3bc1d95db4dc54b8e9bac
EAP-Message = 0x02d3001604108000d71b7b64534ed94f357e6a0b26d8
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
  rlm_eap: EAP packet type response id 211 length 22
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/md5
  rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
 rlm_eap: Handler failed in EAP/md5
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=72, length=154
Sending Access-Reject of id 72 to 127.0.0.1:32770
EAP-Message = 0x04d30004
Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 71 with timestamp 43abf06d
Cleaning up request 1 ID 72 with timestamp 43abf06d
Nothing to do.  Sleeping until we see a request.

It also works fine with postgresql, but I do not succeed in making this operation work.
Excuse me for my bad English.

Thanks


--
 
! Message from Marco !

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
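The second request in the log above carries the supplicant's EAP-MD5 response, and rlm_eap_md5 rejects it because it has no known-good password for the user. Why it needs one follows from the method itself: the response is MD5(Identifier || password || challenge), and the only way a server can check it is to recompute that hash from the cleartext password. The following is an added example, not code from this thread and not FreeRADIUS code: a Python decoder for the EAP-Message values shown in the log (RFC 3748 header plus MD5-Challenge type data) and a verifier that mirrors the server's three possible outcomes. The identifier 7, the 16-byte challenge and the password in the constructed exchange are made up here; the hex strings copied from the log are parsed only, since the password the client used for that run is not asserted.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# EAP codes and method types from RFC 3748.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4

# EAP-Message values copied from the radiusd -X output in the thread.
LOG_IDENTITY_RESPONSE = "0x02d200090174657374"
LOG_MD5_CHALLENGE = "0x01d30016041078ecacc0f85321e54008e837f5d52010"
LOG_MD5_RESPONSE = "0x02d3001604108000d71b7b64534ed94f357e6a0b26d8"
LOG_FAILURE = "0x04d30004"


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type octet
    type_data: bytes


def parse_eap(hex_value: str) -> EapPacket:
    """Decode one EAP-Message value (hex, optionally 0x-prefixed)."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-octet header")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} != {len(raw)} octets received")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, identifier, None, b"")
    if len(raw) < 5:
        raise ValueError("Request/Response without a Type octet")
    return EapPacket(code, identifier, raw[4], raw[5:])


def md5_challenge_value(pkt: EapPacket) -> bytes:
    """Value field of an MD5-Challenge packet: Value-Size, Value, optional Name."""
    if pkt.eap_type != EAP_TYPE_MD5_CHALLENGE or not pkt.type_data:
        raise ValueError("not an MD5-Challenge packet")
    size = pkt.type_data[0]
    value = pkt.type_data[1:1 + size]
    if len(value) != size:
        raise ValueError("Value-Size runs past the end of the packet")
    return value


def md5_response_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge response value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_challenge(identifier: int, challenge: bytes, name: bytes = b"") -> str:
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + name
    return "0x" + (struct.pack("!BBH", EAP_REQUEST, identifier, 4 + len(body)) + body).hex()


def build_md5_response(identifier: int, password: bytes, challenge: bytes, name: bytes = b"") -> str:
    value = md5_response_value(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return "0x" + (struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body).hex()


def server_decision(known_password: Optional[bytes], challenge_hex: str, response_hex: str) -> str:
    """Outcome for a challenge/response pair: "accept", "reject", or
    "reject-no-known-password" when there is no cleartext password to
    recompute the hash with (the situation rlm_eap_md5 reports in the log)."""
    if known_password is None:
        return "reject-no-known-password"
    challenge, response = parse_eap(challenge_hex), parse_eap(response_hex)
    if response.code != EAP_RESPONSE or response.identifier != challenge.identifier:
        return "reject"   # not a response to this request
    expected = md5_response_value(response.identifier, known_password, md5_challenge_value(challenge))
    return "accept" if hmac.compare_digest(expected, md5_challenge_value(response)) else "reject"


# Constructed exchange: identifier, challenge and password are made up here.
DEMO_IDENTIFIER = 7
DEMO_CHALLENGE = bytes(range(16))
DEMO_PASSWORD = b"password"
DEMO_CHALLENGE_HEX = build_md5_challenge(DEMO_IDENTIFIER, DEMO_CHALLENGE)
DEMO_RESPONSE_HEX = build_md5_response(DEMO_IDENTIFIER, DEMO_PASSWORD, DEMO_CHALLENGE)

if __name__ == "__main__":
    ident = parse_eap(LOG_IDENTITY_RESPONSE)
    print("identity response: id", ident.identifier, "name", ident.type_data.decode())
    chal = parse_eap(LOG_MD5_CHALLENGE)
    print("challenge: id", chal.identifier, "value", md5_challenge_value(chal).hex())
    # Whatever the logged response was computed from, without a known password there is nothing to compare.
    print("logged pair, no known password:", server_decision(None, LOG_MD5_CHALLENGE, LOG_MD5_RESPONSE))
    print("logged pair, trying 'password':", server_decision(b"password", LOG_MD5_CHALLENGE, LOG_MD5_RESPONSE))
    print("constructed pair:", server_decision(DEMO_PASSWORD, DEMO_CHALLENGE_HEX, DEMO_RESPONSE_HEX))
```

Two things the decoder makes visible: the server must hold the user's password in cleartext (or recoverable) form to verify an MD5-Challenge at all, which is why a users-file entry with ':=' or a password column in SQL is mandatory; and the exchange neither authenticates the server to the client nor derives any keying material, which is why RFC 3748 marks MD5-Challenge as unsuitable for wireless links and why it is best kept to lab tests like the radeapclient run above.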


Re: EAP and external authentication script

2005-02-10 Thread Marco
On Thu, Feb 10, 2005 at 12:48:49PM -0500, Alan DeKok wrote: 
>   Or maybe you're confused about what "authentication" the script is
> doing.  Could you please explain in detail what the script is supposed
> to do, and why?
> 

I'm for sure confused about when the authentication
happens during EAP and I was probably unclear in my explanation. 

I don't want to write a script that provides the EAP handshake.
I simply want to authenticate users with a script instead of
using a sql db or ldap, or using the "users" file. 
Not using EAP, the script receives username
and password.  
Is it possible to do the same with EAP? 
If I understood correctly, PEAP, for example, tunnels
an MSCHAP authentication. Where can I tell freeradius to use
a script to perform this authentication?

I hope it's clearer now.
Thank you for your support. 

-- 
Marco

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP and external authentication script

2005-02-10 Thread Marco

Hi all,
I'd like to use a script to authenticate eap users.
If I write in users:

DEFAULT Auth-Type := Accept
Exec-Program-Wait = "/etc/freeradius/auth.sh"

everything works fine without eap.

If I use eap/peap, and I write static entries in the users file
(i.e.  user User-Password == "pass"), again everything works fine.

Is there a way to use a script instead of static entry?

I tried to define in radiusd.conf

exec login {
wait = yes
program = "/etc/freeradius/auth.sh"
input_pairs = request
output_pairs = config
}

authorize {
preprocess
auth_log
eap
login
}

authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
eap
}

This is the last part of the debug I obtain:
---
rad_recv: Access-Request packet from host 172.27.1.2:2048, id=0,
length=222
User-Name = "user"
NAS-IP-Address = 172.27.1.2
Called-Station-Id = "001217bcf177"
Calling-Station-Id = "000cf102223f"
NAS-Identifier = "001217bcf177"
NAS-Port = 31
Framed-MTU = 1400
State = 0x6e3920e40ad9946c1c33e00a383508f6
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x02080050190017030100201692cc07d9feeb5af7cd044abdd6b07bc1bc4a3bbdf4e2e698647a87b57d56cd1703010020f466325cf16a7c3594d254f1a78462e494863c04b254dcb4cdd42f5f23c5e955
Message-Authenticator = 0x381e97fa3b15a2dbf5d6412071febe63
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 8
   modsingle[authorize]: calling preprocess (rlm_preprocess) for request
8
   modsingle[authorize]: returned from preprocess (rlm_preprocess) for
request 8   modcall[authorize]: module "preprocess" returns ok for
request 8
   modsingle[authorize]: calling auth_log (rlm_detail) for request 8
 radius_xlat:
'/var/log/freeradius/radacct/172.27.1.2/auth-detail-20050210'
 rlm_detail:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/172.27.1.2/auth-detail-20050210
   modsingle[authorize]: returned from auth_log (rlm_detail) for request
8
   modcall[authorize]: module "auth_log" returns ok for request 8
   modsingle[authorize]: calling eap (rlm_eap) for request 8
   rlm_eap: EAP packet type response id 8 length 80
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modsingle[authorize]: returned from eap (rlm_eap) for request 8
   modcall[authorize]: module "eap" returns updated for request 8
   modsingle[authorize]: calling login (rlm_exec) for request 8
 radius_xlat:  '/etc/freeradius/auth.sh'
 Exec-Program: /etc/freeradius/auth.sh
 Exec-Program output:
 Exec-Program: returned: 0
   modsingle[authorize]: returned from login (rlm_exec) for request 8
   modcall[authorize]: module "login" returns ok for request 8
 modcall: group authorize returns updated for request 8
   rad_check_password:  Found Auth-Type EAP
 auth: type "EAP"
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 8
   modsingle[authenticate]: calling eap (rlm_eap) for request 8
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/peap
   rlm_eap: processing type peap
   rlm_eap_peap: Authenticate
   rlm_eap_tls: processing TLS
   eaptls_verify returned 7
   rlm_eap_tls: Done initial handshake
   eaptls_process returned 7
   rlm_eap_peap: EAPTLS_OK
   rlm_eap_peap: Session established.  Decoding tunneled attributes.
  PEAP tunnel data in : 02 08 00 0b 21 80 03 00 02 00 02
   rlm_eap_peap: Received EAP-TLV response.
   rlm_eap_peap: Tunneled data is valid.
   rlm_eap_peap:  Had sent TLV failure, rejecting.
  rlm_eap: Handler failed in EAP/peap
   rlm_eap: Failed in EAP select
   modsingle[authenticate]: returned from eap (rlm_eap) for request 8
   modcall[authenticate]: module "eap" returns invalid for request 8
 modcall: group authenticate returns invalid for request 8
 auth: Failed to validate the user.
Thu Feb 10 18:10:38 2005 : Auth: Login incorrect: [user]
(from client wis-network port 31 cli 000cf102223f)
 Delaying request 8 for 1 seconds
 Finished request 8
 Going to the next request
 rl_next:  returning NULL
---

What am I doing wrong?

Thank you,
-- 
Marco

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Acct Logging to Mysql

2004-11-25 Thread Marco . Panek
Hello List,

we have freeradius 1.0.1 and MySQL 4.0.3.
Auth logging works fine, but the acct logging is broken.
In freeradius -X I found no NAS ports:

  modcall[accounting]: module "detail" returns ok for request 1
  modcall[accounting]: module "unix" returns noop for request 1
radius_xlat:  '/var/log/freeradius/radutmp'
radius_xlat:  'panekm'
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
  modcall[accounting]: module "radutmp" returns noop for request 1
modcall: group accounting returns ok for request 1
Sending Accounting-Response of id 23 to 172.20.49.102:1047
Finished request 1
Going to the next request
--- Walking the entire request list ---
Cleaning up request 1 ID 23 with timestamp 41a6052b
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 22 with timestamp 41a60528
Nothing to do.  Sleeping until we see a request.

We use it as a VPN server; the hardware is an Enterasys XSR-1805:
Config :

!
aaa method radius radius default
enable
group ecavpn
address ip-address 172.20.49.106
hash enable
key 
client vpn
auth-port 1812
acct-port 1813
attempts 4
retransmit 3
timeout 10
qtimeout 0

Radiusd.conf :

#listen {
#  IP address on which to listen.
#  Allowed values are:
#   dotted quad (1.2.3.4)
#   hostname(radius.example.com)
#   wildcard(*)
#   ipaddr = *

#  Port on which to listen.
#  Allowed values are:
#   integer port number (1812)
#   0 means "use /etc/services for the proper port"
#   port = 0

#  Type of packets to listen for.
#  Allowed values are:
#   authlisten for authentication packets
#   acctlisten for accounting packets
#
type = acct
#}

#  configuration entry can be set to 'no'.
#
check_with_nas = yes

# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600

callerid = "yes"
}

# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#

#  Accounting.  Log the accounting data.
#
accounting {
 #
 #  Ensure that we have a semi-unique identifier for every
 #  request, and many NAS boxes are broken.
 sql
 acct_unique

 #
 #  Create a 'detail'ed log of the packets.
 #  Note that accounting requests which are proxied
 #  are also logged in the detail file.
     detail
#   daily
 unix# wtmp file

Any idea?
Thx


Regards / Grüße / Danke

Marco Panek

...
Smurfit Europa Carton GmbH
Information Systems (IS)
Tilsiter Straße 144
D-22047 Hamburg

Tel:+49 (0)40  30901 191
Fax:  +49 (0)40  30901 5191
[EMAIL PROTECTED]



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

