Policy to split domain and host

2013-08-16 Thread nicolas . clo

Hi list,

I'm searching for the best way to configure a policy to split the domain and the prefix ' /host' when it is a computer connection.

The initial UserName is like this:

host/computername.DOMAIN.LOCAL

I can already easily split the /host by policy and realm configuration but I don't know how to do it when there is a double delimiter in the same UserName?

Thanks for your reply.

 
Nicolas CLO
Industrial and Network Technician
ITS Section

RICOH INDUSTRIE FRANCE SAS
144, route de Rouffach, 68920 WETTOLSHEIM
Tel: +33 (0) 3 89 20 48 84
nicolas@ricoh-industrie.fr  |  www.ricoh-thermal.com

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Policy to split domain and host

2013-08-16 Thread nicolas . clo

Nice, thanks

But in this case, how to tell Freeradius to use this variable when it's a host connection?
Because I had already split the User-Name variable into Stripped-User-Name and use that in the post-auth section to log the correct user syntax.
So if I tell Freeradius to use the variable %{mschap:User-Name}, I think it will be logging the original request UserName, no?

How to define a second post-auth request when it's a host?

For example, I want the Stripped-User-Name in the sql postauth table when it's a user and the variable %{mschap:User-Name} when it's a host connection.

Thanks.


Nicolas CLO



On 08/16/2013 08:24 AM, nicolas@ricoh-industrie.fr wrote:
> Hi list,
>
> I'm searching the best way to configure a policy to split the domain
> and the prefix ' /host' when it is a computer connection.

You probably don't want to do this.

Instead, you probably want to use the expansion:

%{mschap:User-Name}

...which correctly transforms:

host/name.domain.com

...to:

name$

...which is the correct form of the samaccountname for an AD computer
account, which is I assume what you're dealing with.
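
The mapping described in the reply above, combined with the per-request choice of which name to log that the follow-up asks about, as an added Python sketch. It is not FreeRADIUS code and not part of the thread; the function names, the handling of a `host/` name without a dot, and the sample requests are assumptions of this example.

```python
"""Added illustration, not FreeRADIUS source code.

Models the mapping the reply describes for %{mschap:User-Name}
(host/name.domain.com -> name$) and picks the name to log per request.
"""

HOST_PREFIX = "host/"  # form used in the thread for computer connections


def is_machine_request(user_name):
    """True for the host/<fqdn> form, e.g. host/computername.DOMAIN.LOCAL."""
    return user_name.startswith(HOST_PREFIX) and len(user_name) > len(HOST_PREFIX)


def machine_sam_name(user_name):
    """Return the computer account name: the first DNS label plus '$'.

    Assumption of this sketch: a host/ name without any dot is used whole.
    """
    if not is_machine_request(user_name):
        raise ValueError(f"not a host/ style User-Name: {user_name!r}")
    first_label = user_name[len(HOST_PREFIX):].split(".", 1)[0]
    if not first_label:
        raise ValueError(f"empty host label in {user_name!r}")
    return first_label + "$"


def name_to_log(user_name, stripped_user_name=None):
    """Machine account form for host connections, Stripped-User-Name for users.

    Falls back to the raw User-Name when no stripped value was produced.
    """
    if is_machine_request(user_name):
        return machine_sam_name(user_name)
    return stripped_user_name or user_name


# Constructed sample requests: (User-Name, Stripped-User-Name or None).
SAMPLE_REQUESTS = [
    ("host/computername.DOMAIN.LOCAL", "computername.DOMAIN.LOCAL"),
    ("DOMAIN\\jdoe", "jdoe"),
    ("jdoe", None),
]

if __name__ == "__main__":
    for user_name, stripped in SAMPLE_REQUESTS:
        print(f"{user_name!r:40} -> {name_to_log(user_name, stripped)!r}")
```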

Re: Username/Host authorization

2013-06-25 Thread nicolas . clo


Hi,

Yes, this is our actual configuration and it works very well, but I think that in the long run, a database that contains all MAC addresses can become very difficult to manage.
But if it's the only solution, I will make do with it.

Thanks.



   
Nicolas CLO

---Original mail---






Hi,

> I'm now sure that the best way for us is MAC Address filtering.

that's a way of doing the 'host' part. the user can then be authenticated
by an EAP method.

ie authorization stage can check the calling-station-id (MAC address) and,
if not known, just reject. then, if known carry on to the user authentication
by 802.1X

as already said, you have to know what you want and the technologies available

alan
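
The check described in the reply above (look up the Calling-Station-Id at the authorization stage, reject if unknown, otherwise carry on to 802.1X), as an added Python sketch that is not part of the thread and not FreeRADIUS code. The allowlist file format, the function names and the sample MAC addresses and labels are constructed for this example.

```python
import re

_SEPARATORS = re.compile(r"[-:.\s]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Reduce any common MAC notation to 12 lowercase hex digits, or None."""
    cleaned = _SEPARATORS.sub("", value.strip().lower())
    return cleaned if _HEX12.match(cleaned) else None


def load_known_hosts(text):
    """Parse 'MAC label' lines into {normalized_mac: label}.

    Returns (known, bad_lines) so that typos in the list are reported
    instead of silently locking a host out. '#' starts a comment.
    """
    known, bad_lines = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        mac = normalize_mac(fields[0])
        if mac is None:
            bad_lines.append(lineno)
            continue
        known[mac] = fields[1].strip() if len(fields) > 1 else ""
    return known, bad_lines


def authorize(request, known):
    """Host gate only: ('reject', reason) or ('continue', label).

    'continue' means the request goes on to user authentication by EAP;
    the MAC lookup filters hosts, it does not authenticate anyone.
    """
    raw = request.get("Calling-Station-Id")
    if raw is None:
        return ("reject", "no Calling-Station-Id in request")
    mac = normalize_mac(raw)
    if mac is None:
        return ("reject", "malformed Calling-Station-Id")
    if mac not in known:
        return ("reject", "unknown host")
    return ("continue", known[mac])


# Constructed sample allowlist; each notation below is one a NAS may send.
SAMPLE_ALLOWLIST = """\
# MAC               label
02:00:5e:10:00:01   laptop-01
0200.5e10.0002      desktop-02
02-00-5E-10-00      truncated-entry
"""

# Constructed sample requests (attribute name -> value).
SAMPLE_REQUESTS = [
    {"User-Name": "alice", "Calling-Station-Id": "02-00-5E-10-00-01"},
    {"User-Name": "alice", "Calling-Station-Id": "02:00:5E:10:00:02"},
    {"User-Name": "alice", "Calling-Station-Id": "02-00-5E-10-00-99"},
    {"User-Name": "alice"},
]

if __name__ == "__main__":
    known, bad_lines = load_known_hosts(SAMPLE_ALLOWLIST)
    print("allowlist lines ignored:", bad_lines)
    for req in SAMPLE_REQUESTS:
        print(req.get("Calling-Station-Id"), "->", authorize(req, known))
```

Normalising both the list entries and the request value means one entry per host is enough, whichever separator style the access point uses.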

Username/Host authorization

2013-06-24 Thread nicolas . clo


Hi list,


I'm searching for the best way to configure an authorization based on both Host + Username (mschapv2 + /usr/bin/ntlm_auth) but not Host or Username.

Is it possible to verify the host with mschapv2 and, if the module returns ok, proceed to username verification with the same module?

Thanks for your reply.


   

Username/Host authorization

2013-06-24 Thread nicolas . clo

Thanks for your help.

We want two authorizations at the same time, for example, to ensure that a user does not use his iPhone with his DOMAIN/UserName account.
MAC authorization is not a good way for us (too restrictive to keep up to date).
Authorization by certificate too, because we have a lot of hosts which don't support that.


Nicolas CLO.


-Original Message-

nicolas@ricoh-industrie.fr wrote:
> Is it possible to verify host with mschapv2

  That question has a number of unstated assumptions.  Those assumptions
are wrong.

  Does the *host* provide mschapv2 authentication data?  No.  Therefore,
the host can't be verified with mschapv2.

> and if the module
> return ok proceed to username verification with the same module ?

  You're asking for mschapv2 to authenticate two different identities at
the same time.  It doesn't do that.

  What do you really want to do?  Your question assumes a particular
view of things.  That view is wrong, so we can't help you.

  If you describe what you have and what you want to do, we may be able
to come up with a different approach that meets your needs.

  Alan DeKok.



Username/Host authorization

2013-06-24 Thread nicolas . clo

Ok, thanks for the reply.
I'm now sure that the best way for us is MAC Address filtering.

Have a good day.

Nicolas CLO


---Original mail---

nicolas@ricoh-industrie.fr wrote:
> We want two authorizations at the same time, for example, to ensure that
> a user does not use his iPhone with his DOMAIN/UserName account.

  That is fairly vague.  You're working with computers.  Be specific.

  WHAT is in an Access-Request when they login using a desktop?

  WHAT is in an Access-Request when they login using their phone?

  HOW are the two requests different?

  Once you know that, it should be easy to create rules which can
distinguish one from the other.  And then apply different rules to each one.

> MAC authorization is not a good way for us (too restrictive to keep up
> to date).
> Authorization by certificate too, because we have a lot of hosts which
> don't support that.

  You're limited by what is in the Access-Request.  If the only
difference between a desktop and iPhone is a MAC address, too bad.
Computers aren't magic.

  My guess is that the only thing which will really work is MAC address
filtering.  I'd suggest finding a way to make it manageable.

  Alan DeKok.

Re: [SPAM] Re: FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth

2013-06-08 Thread nicolas . clo

I have the same problem after upgrading Freeradius to version 3.
Before, ntlm worked very well but it seems that the new version uses the ntlm module differently.

-freeradius-users-bounces+nicolas.clo=ricoh-industrie...@lists.freeradius.org wrote: -
To: freerad...@hardarson.se, FreeRadius users mailing list freeradius-users@lists.freeradius.org
From: John Dennis
Sent by: freeradius-users-bounces+nicolas.clo=ricoh-industrie...@lists.freeradius.org
Date: 07/06/2013 17:12
Subject: [SPAM]  Re: FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth

On 06/07/2013 10:46 AM, Bjarni Hardarson wrote:
> I am sure that the ntlm_auth file is at /usr/bin/ntlm_auth and if i run it manually with the expanded attributes i get the NT_KEY.
>
> root@freelab:/#/usr/bin/ntlm_auth --request-nt-key --username=vpntest --challenge=d9a8b4d1c188ae1b --nt-response=090bacad01a113dd74007ed5845d5b0c7c8017bac80821dd
> NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
>
> Any ideas?

Please don't send more than one email, we heard you the first time.

This sounds like a permission problem. Make sure when you run your test manually you do so as the same user and group radiusd is running as, you'll find those values in your radiusd.conf file.

Also if your system is running SELinux check for the presence of AVC's

EAP error with Freeradius 3.0

2013-06-06 Thread nicolas . clo


Hello,


I have a problem with mschap authentication and the external program ntlm_auth.
With Freeradius 2.2 I didn't have any problem but after the upgrade to Freeradius 3, the output of this program was wrong and EAP failed.

The output is very strange :



Any ideas ?

Problem with freeradius + openldap for AP authentication

2012-11-26 Thread Nicolas Lathiere
Hiya

I need some help to configure freeradius with openldap. I have an ldap database which stores passwords in SSHA format, so I chose PAP for authentication. I want to use freeradius to authenticate on a netgear Wifi access point.

(http://deployingradius.com/documents/protocols/compatibility.html)

I've set up the AP as a freeradius client in clients.conf, with a secret and shortname like in the documentation.

Next I've put auto_header = yes in pap.conf
and uncommented the ldap line to activate the module in /site-enable/default

When I start the server in debug mode, authorization works fine but the server has problems at the authentication step and I don't understand why.
Here are the debug comments:

rad_recv: Access-Request packet from host 192.168.0.201 port 32774, id=85, length=169
User-Name = cyril
NAS-IP-Address = 192.168.0.201
NAS-Identifier = hello
NAS-Port = 0
Called-Station-Id = 4C-60-DE-D2-22-61:easyBridge2
Calling-Station-Id = 7C-C5-37-14-16-C9
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11b
EAP-Message = 0x020e016e6c61746869657265
Message-Authenticator = 0x2bf3ec3446adc97ea15c4c160ee8b0bb
Thu Nov 22 15:04:36 2012 : 

Wed Nov 21 18:39:17 2012 : Info: [ldap] looking for reply items in directory...
Wed Nov 21 18:39:17 2012 : Info: [ldap] user cyril authorized to use remote access
Wed Nov 21 18:39:17 2012 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Nov 21 18:39:17 2012 : Info: ++[ldap] returns ok
Wed Nov 21 18:39:17 2012 : Info: ++[expiration] returns noop
Wed Nov 21 18:39:17 2012 : Info: ++[logintime] returns noop
Wed Nov 21 18:39:17 2012 : Info: [pap] Normalizing NT-Password from hex encoding
Wed Nov 21 18:39:17 2012 : Info: [pap] Normalizing SSHA1-Password from base64 encoding
Wed Nov 21 18:39:17 2012 : Info: [pap] Found existing Auth-Type, not changing it.
Wed Nov 21 18:39:17 2012 : Info: ++[pap] returns noop
Wed Nov 21 18:39:17 2012 : Info: Found Auth-Type = PAP
Wed Nov 21 18:39:17 2012 : Info: +- entering group PAP {...}
Auth: [pap] Attribute Password is required for authentication.
Thu Nov 22 15:04:36 2012 : Info: ++[pap] returns invalid
Thu Nov 22 15:04:36 2012 : Info: Failed to authenticate the user.
Thu Nov 22 15:04:36 2012 : Auth: Login incorrect: [cyril/via Auth-Type = PAP] (from client WNAP320 port 0 cli 44-A7-CF-CD-C5-C7)
Thu Nov 22 15:04:36 2012 : Info: Using Post-Auth-Type Reject
Thu Nov 22 15:04:36 2012 : Info: +- entering group REJECT {...}
Thu Nov 22 15:04:36 2012 : Debug:   expand: %{User-Name} -> cyril
Thu Nov 22 15:04:36 2012 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Thu Nov 22 15:04:36 2012 : Info: ++[attr_filter.access_reject] returns updated
Thu Nov 22 15:04:36 2012 : Info: Delaying reject of request 5 for 1 seconds
Thu Nov 22 15:04:36 2012 : Debug: Going to the next request
Thu Nov 22 15:04:36 2012 : Debug: Waking up in 0.9 seconds.
Thu Nov 22 15:04:37 2012 : Info: Sending delayed reject for request 5



RE: Test

2011-09-15 Thread Nicolas FOUREL
I received your message Alan

-Original Message-
From: freeradius-users-bounces+nicolas.fourel=adipsys@lists.freeradius.org
[mailto:freeradius-users-bounces+nicolas.fourel=adipsys.com@lists.freeradius.org] On behalf of Alan DeKok
Sent: Thursday, 15 September 2011 16:50
To: FreeRadius users mailing list
Subject: Test

  Is the list down, or are people quiet?


Re: Debug STDOUT

2011-05-26 Thread Nicolas Goutte


On 26.05.2011 at 16:54, Norman Zhang wrote:

> [root@box ~]# /usr/sbin/radiusd -xx
>
> [root@box ~]# ps aux | grep radius
> radiusd  32539  0.0  0.1 148872  2672 ?Ssl  10:50   0:00 /usr/sbin/radiusd -xx
> root 32564  0.0  0.0  61220   752 pts/0R+   10:50   0:00 grep radius
>
> For some reason I can't get radius -x to display to STDOUT. Any hints?

You probably mean -X (upper case)

See the man page of radiusd.

> Norman



Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing Director: Lars Busch
Register court: Amtsgericht Münster / HRB: 5624
Tax No.: 337/5903/0421 / VAT ID: DE 204607841






(Fwd) Re: Seg Fault - radius 3.0 Debug

2011-03-18 Thread Breuer Nicolas

 Hello,

 I finally solved my issue. It was a problem of linking mysql libs.
 I'm sorry . Apologies to all

 but.. Maybe variables have changed but since 3.0 version the variable %{Huntgroup-Name}
 is no more recognized.

 tested on version 2.1.11 -  Works perfectly

 Any ideas ?

  Thanks



--- Forwarded message follows ---
Date sent: Thu, 17 Mar 2011 21:20:20 +
From: Alan Buxey a.l.m.bu...@lboro.ac.uk
To: nicolas.bre...@belcenter.biz nicolas.bre...@belcenter.biz,
 FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Seg Fault - radius 3.0 Debug

Hi,

> Here is my debug file with gdb on the seg fault
> [Thread debugging using libthread_db enabled]
> [New Thread 0x7600b700 (LWP 23433)]
> [Thread 0x7600b700 (LWP 23433) exited]
> Program received signal SIGSEGV, Segmentation fault.
> 0x76032890 in mysql_field_count () from
> /usr/lib64/mysql/libmysqlclient_r.so.16
> Missing separate debuginfos, use: debuginfo-install
> glibc-2.13-1.x86_64

suggest you follow the information given to get more debugging info out

alan
--- End of forwarded message ---

(Fwd) (Fwd) Re: Seg Fault - radius 3.0 Debug

2011-03-18 Thread Breuer Nicolas

 
 The debug mode didn't say anything - No errors.
 My variable is in the SQLIPPOOL.conf file and called with %{Huntgroup-Name}

 No values were returned.

 With 2.1.11 - same directory, dic files, etc., I have a value.

 
--- Forwarded message follows ---

Breuer Nicolas wrote:
>  but.. Maybe variables have changed but since 3.0 version the variable
>  %{Huntgroup-Name}
>  is no more recognized.

  It should work.  The git master branch hasn't changed any of that
functionality.

  And (as always) what does debug mode say?

  Alan DeKok.


--- End of forwarded message ---

Seg Fault - radius 3.0 Debug

2011-03-17 Thread Breuer Nicolas

 Dear all,

 Here is my debug file with gdb on the seg fault

[Thread debugging using libthread_db enabled]
[New Thread 0x7600b700 (LWP 23433)]
[Thread 0x7600b700 (LWP 23433) exited]

Program received signal SIGSEGV, Segmentation fault.
0x76032890 in mysql_field_count () from /usr/lib64/mysql/libmysqlclient_r.so.16

Missing separate debuginfos, use: debuginfo-install glibc-2.13-1.x86_64 keyutils-libs-1.2-6.fc12.x86_64 krb5-libs-1.8.2-7.fc14.x86_64 libcom_err-1.41.12-6.fc14.x86_64 libgcc-4.5.1-4.fc14.x86_64 libselinux-2.0.96-6.fc14.1.x86_64 mysql-libs-5.1.55-1.fc14.x86_64 nss-softokn-freebl-3.12.9-2.fc14.x86_64 openssl-1.0.0d-1.fc14.x86_64 zlib-1.2.5-2.fc14.x86_64


Re : Seg Fault - radius 3.0 Debug

2011-03-17 Thread Breuer Nicolas
#6  0x0041afd9 in call_modsingle (component=7, c=0x8c4a40, request=<value optimized out>) at modcall.c:297
myresult = <value optimized out>
#7  modcall (component=7, c=0x8c4a40, request=<value optimized out>) at modcall.c:670
myresult = <value optimized out>
stack = {pointer = 2, priority = {0 <repeats 32 times>}, result = {0 <repeats 32 times>}, children = {<value optimized out> <repeats 32 times>}, start = {<value optimized out> <repeats 32 times>}}
parent = 0x8c5840
child = 0x8c6500
if_taken = 0
was_if = 1
#8  0x00419d45 in indexed_modcall (comp=7, idx=0, request=0x8d5b20) at modules.c:759
rcode = <value optimized out>
list = <value optimized out>
server = <value optimized out>
#9  0x00408495 in rad_postauth (request=0x8d5b20) at auth.c:422
result = <value optimized out>
postauth_type = <value optimized out>
vp = 0x0
#10 0x00408afb in rad_authenticate (request=0x8d5b20) at auth.c:812
namepair = 0x8d7500
check_item = 0x0
auth_item = 0x8d5e90
module_msg = <value optimized out>
tmp = <value optimized out>
result = 0
password = 0x436e91 
autz_retry = <value optimized out>
autz_type = <value optimized out>
#11 0x00429813 in radius_handle_request (request=0x8d5b20, fun=0x4084e0 <rad_authenticate>) at event.c:4243
No locals.
#12 0x00420a55 in thread_pool_addrequest (request=0x8d5b20, fun=0x4084e0 <rad_authenticate>) at threads.c:900
No locals.
#13 0x0042746d in event_socket_handler (xel=<value optimized out>, fd=<value optimized out>, ctx=0x8d5580) at event.c:3957
listener = 0x8d5580
fun = 0x4084e0 <rad_authenticate>
request = 0x8d5b20
#14 0x77df0fdf in fr_event_loop (el=0x8c7a80) at event.c:413
ef = <value optimized out>
i = <value optimized out>
rcode = 1
maxfd = 26
when = {tv_sec = 0, tv_usec = 0}
wake = <value optimized out>
read_fds = {fds_bits = {33554432, 0 <repeats 15 times>}}
master_fds = {fds_bits = {109051904, 0 <repeats 15 times>}}
#15 0x0041d434 in main (argc=<value optimized out>, argv=<value optimized out>) at radiusd.c:408
rcode = <value optimized out>
argval = <value optimized out>
spawn_flag = 0
dont_fork = 1
flag = 0
act = {__sigaction_handler = {sa_handler = 0x41cef0 <sig_fatal>,
--- End of forwarded message ---

Breuer Nicolas
Network Supervisor
Sales Executive

BELCENTER sprl/bvba
Avenue Henri Consciencelaan, 94
Bruxelles 1140 Brussel

T. : +32 (0)2 403 04 60
F. : +32 (0)2 403 04 63
M. :+32 (0)486 50 27 87
E. : nicolas.bre...@belcenter.biz
W. : http://www.BelCenter.be | http://www.BelCenter.net



(Fwd) Seg Fault - 3.0

2011-03-16 Thread Breuer Nicolas

--- Forwarded message follows ---
From:   Breuer Nicolas nicolas.bre...@belcenter.biz
To: freeradius-de...@lists.freeradius.org
Subject:Seg Fault - 3.0
Date sent:  Wed, 16 Mar 2011 15:23:22 +0100


Hello

I discovered a Seg Fault on the release 3.0 on the GIT server.

Seems happening on the first auth.
(30) Login OK: [XXX] (from client XXX)
(30) # Executing section post-auth from file /etc/XXX.conf
(30) +- entering group post-auth {...}
(30) ++? if (reply:Framed-IP-Address)
(30) ? Evaluating (reply:Framed-IP-Address) -> FALSE
(30) ++? if (reply:Framed-IP-Address) -> FALSE
(30) ++- entering else else {...}
rlm_sql (ACCOUNTING-01): Reserving sql socket id: 14
(30) [IP-POOLING-01] expand: %{User-Name} -> XXX
(30) [IP-POOLING-01] sql_set_user escaped user --> 'XXX'
(30) [IP-POOLING-01] expand: BEGIN -> BEGIN
(30) [IP-POOLING-01] expand: COMMIT -> COMMIT
(30) [IP-POOLING-01] expand: SELECT ip_address FROM radippool WHERE pool_name = '%{reply:Pool-Suffix}*%{Huntgroup-Name}' AND expiry_time  NOW() ORDER BY rand(), pool_name, expiry_time LIMIT 1 FOR UPDATE -> SELECT ip_address FROM radippool WHERE pool_name = 'BC*' AND expiry_time  NOW() ORDER BY rand(), pool_name, expiry_time LIMIT 1 FOR UPDATE


Segmentation fault



I see the expand of variable HuntGroup-Name didn't get any values...

Maybe the reason of Seg fault ?


--- End of forwarded message ---

Seg Fault - 3.0 - More Info needed

2011-03-16 Thread Breuer Nicolas

 Hello Alan,

 Could you specify which info you need to go further?

 Thanks



Re: Need help on FreeRadius+OTP+OpenLDAP integration

2011-03-14 Thread Nicolas Goutte


On 14.03.2011 at 17:40, pradyumna dash wrote:

> Hi,

We are receiving your emails. See also http://lists.freeradius.org/pipermail/freeradius-users/2011-March/date.html

(Please avoid re-sending your questions minutes after sending them the first time.)

> I need a documentation on how to implement  FreeRadius+OTP+OpenLDAP, I
> have installed and configured FreeRadius+OpenLDAP before but never
> used OTP, and also would like to know how OTP will be configured with
> SASL and how does SASL auth store OTP parameters.
>
> Another problem I am facing is, first there is an authentication with
> freeradius but the next thing that is triggered in pam.d/ssh is the
> account section for authorization and here OpenLDAP requires
> password for the second time.  So a user needs to login twice because
> of this.  How to solve this issue
>
> Please help me out to solve this issue.
>
> Regards,
> Pradyumna


Nicolas Goutte



Re: Lastest using git

2011-03-10 Thread Nicolas Goutte


On 10.03.2011 at 15:08, David Peterson wrote:

> I am trying to recompile any new changes but cannot for the life of me remember how to check out the latest version.   I believe it’s called “Stable”

Do you mean http://git.freeradius.org/ and what is described there?

Have a nice day!

> David


Nicolas Goutte


Install problems

2011-01-17 Thread Breuer Nicolas

 Hello

 I can't install the last freeradius to our new server

  ./configure --libdir=/usr/local/lib/freeradius2 --with-mysql-lib-dir=/usr/lib64/mysql --disable-libltdl-install --with-system-libtool --without-openssl

libtool: link: rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
libtool: link: (cd .libs && gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC -c -fno-builtin radiusdS.c)
libtool: link: rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
libtool: link: gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o .libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o -Wl,--export-dynamic  /var/instapp/freeradius-server-2.1.10/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lpthread -lcrypt /var/instapp/freeradius-server-2.1.10/libltdl/.libs/libltdl.so -ldl  -Wl,-rpath -Wl,/usr/local/lib/freeradius2
.libs/modules.o: In function `setup_modules':
/var/instapp/freeradius-server-2.1.10/src/main/modules.c:1372: undefined reference to `lt_preloaded_symbols'
collect2: ld returned 1 exit status
gmake[4]: *** [radiusd] Error 1
gmake[4]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src/main'
gmake[3]: *** [main] Error 2
gmake[3]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src'
gmake[1]: *** [src] Error 2
gmake[1]: Leaving directory `/var/instapp/freeradius-server-2.1.10'
make: *** [all] Error 2


 What's the solution ?



Re: Install problems

2011-01-17 Thread Breuer Nicolas

 Hello

 I just did that.

MAKE= /usr/bin/gmake
CC  = gcc
RANLIB  = ranlib
INCLUDE =
CFLAGS  = $(INCLUDE) -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -DIE_LIBTOOL_DIE


 Same error

libtool: compile:  gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -DIE_LIBTOOL_DIE -I/var/instapp/freeradius-server-2.1.10/src -DHOSTINFO=\x86_64-unknown-linux-gnu\ -DRADIUSD_VERSION=\2.1.10\ -DNO_OPENSSL -c detail.c  -fPIC -DPIC -o .libs/detail.o
libtool: compile:  gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -DIE_LIBTOOL_DIE -I/var/instapp/freeradius-server-2.1.10/src -DHOSTINFO=\x86_64-unknown-linux-gnu\ -DRADIUSD_VERSION=\2.1.10\ -DNO_OPENSSL -c detail.c -o detail.o >/dev/null 2>&1
/usr/bin/libtool --mode=link gcc -export-dynamic -dlopen self \
  -o radiusd acct.lo auth.lo client.lo conffile.lo crypt.lo exec.lo files.lo listen.lo log.lo mainconfig.lo modules.lo modcall.lo radiusd.lo stats.lo session.lo threads.lo util.lo valuepair.lo version.lo xlat.lo event.lo realms.lo evaluate.lo vmps.lo detail.lo  \
 /var/instapp/freeradius-server-2.1.10/src/lib/libfreeradius-radius.la -lnsl -lresolv  -lpthread  \
-lcrypt  /var/instapp/freeradius-server-2.1.10/libltdl/libltdl.la 
libtool: link: rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
libtool: link: (cd .libs && gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC -c -fno-builtin radiusdS.c)
libtool: link: rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
libtool: link: gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o .libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o -Wl,--export-dynamic  /var/instapp/freeradius-server-2.1.10/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lpthread -lcrypt /var/instapp/freeradius-server-2.1.10/libltdl/.libs/libltdl.so -ldl  -Wl,-rpath -Wl,/usr/local/lib/freeradius2
.libs/modules.o: In function `setup_modules':
/var/instapp/freeradius-server-2.1.10/src/main/modules.c:1372: undefined reference to `lt_preloaded_symbols'
collect2: ld returned 1 exit status
gmake[4]: *** [radiusd] Error 1
gmake[4]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src/main'
gmake[3]: *** [main] Error 2
gmake[3]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src'
gmake[2]: *** [all] Error 2


 
Date sent: Mon, 17 Jan 2011 11:57:47 +0100
From: Alan DeKok al...@deployingradius.com
To: nicolas.bre...@belcenter.biz,
 FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Install problems

Breuer Nicolas wrote:
>   I can't install the last freeradius to our new server
>
> ./configure --libdir=/usr/local/lib/freeradius2
>  --with-mysql-lib-dir=/usr/lib64/mysql --disable-libltdl-install
>  --with-system-libtool --without-openssl
> ...
>  /var/instapp/freeradius-server-2.1.10/src/main/modules.c:1372: undefined
>  reference to `lt_preloaded_symbols'

  Edit the Make.inc file, and find the line starting with CFLAGS.  Add
a  -DIE_LIBTOOL_DIE to the end.  Do make clean, followed by make.

  Alan DeKok.



Accounting Log

2010-11-08 Thread Breuer Nicolas

 Hello All,

 We used the Freeradius 2.X version.

 We use the accounting SQL module and I noticed something.

 When a user is rejected (wrong password), I always have this error in radius.log

Mon Nov  8 18:07:40 2010 : Auth: Login incorrect: [BCgXXX] 
Mon Nov  8 18:07:41 2010 : Info: [ACCOUNTING-01] stop packet with zero session length. 


Mon Nov  8 18:07:41 2010 : Info: rlm_sql (ACCOUNTING-02): Attempting to connect rlm_sql_mysql #13
Mon Nov  8 18:07:41 2010 : Info: rlm_sql_mysql: Starting connect to MySQL server for #13
Mon Nov  8 18:07:41 2010 : Info: rlm_sql (ACCOUNTING-02): Connected new DB handle, #13
Mon Nov  8 18:07:41 2010 : Info: [ACCOUNTING-02] stop packet with zero session length. 


 Accounting-01 thinks that stop packet with zero session length is an error
 and tried to connect to Accounting-02 sql server.

 Is it the correct behaviour ?

 Is it possible to remove this logging.

 Thanks


Breuer Nicolas
Network Supervisor
Sales Executive

BELCENTER sprl/bvba
Avenue Henri Consciencelaan, 94 
Bruxelles 1140 Brussel

T. : +32 (0)2 403 04 60
F. : +32 (0)2 403 04 63
M. :+32 (0)486 50 27 87
E. : nicolas.bre...@belcenter.biz
W. : http://www.BelCenter.be | http://www.BelCenter.net



Re: Accounting Log

2010-11-08 Thread Breuer Nicolas
Breuer Nicolas wrote:
 
  Accounting-01 thinks that stop packet with zero session length is 
an error
  and tried to connect to Accounting-02 sql server.
 
  Is it the correct behaviour ?

  Yes.

  see doc/configurable_failover for how to change redundant groups.

  Alan DeKok.



 Alan,

 I know that this is  the correct behaviour concerning redundant groups but
 for me a Stop with zero session length isn't a SQL issue that needs to go
 on secondary SQL servers.

 


(Fwd) Re: Accounting Log

2010-11-08 Thread Breuer Nicolas
From: Alexandre Chapellon alexandre.chapel...@mana.pf 

I have the very same behaviour here on my FR2.1.6 setup with PGSQL accounting.
It produces noisy logs but nothing unacceptable.
You can change this by not doing accounting for Stop Accounting packets that show
up with a null session-time:

in your accounting section:

if (Acct-Status-Type == Stop && Session-Time != 0) {
    sql_accounting_module_name
}

Maybe relying on Session-Time is not a good idea. Try finding out another
relevant attribute.

Cdt



 Nice idea, I will try :)



(Fwd) (Fwd) Re: Accounting Log

2010-11-08 Thread Breuer Nicolas


 Hello Alexandre,

 Just in that case, if you do not send the Stop when Sess time = 0,
 the session will stay open in the accounting table
 and never be closed.

 

--- Forwarded message follows ---
From:   Breuer Nicolas nicolas.bre...@belcenter.biz
To: freeRadius users mailing list freeradius-users@lists.freeradius.org
Subject:(Fwd) Re: Accounting Log 
Send reply to:  nicolas.bre...@belcenter.biz
Date sent:  Mon, 08 Nov 2010 23:00:40 +0100

--- End of forwarded message ---


Re: Radiusd.conf

2010-09-15 Thread Nicolas Goutte


Am 15.09.2010 um 20:10 schrieb Samuel Isaias Barriga Perez:

Hello I have a question: I want to configure the radiusd.conf. Here
is my problem: there are two radiusd.conf in different paths,
/usr/local/etc/raddb/radiusd.conf and
/root/freeradius-server-2.1.9/raddb/radiusd.conf. Which configuration
file should I use... is there a manual to configure this module???





Is /root/freeradius-server-2.1.9 the directory where you
(self-)compiled the source code? Then everything in
/usr/local/etc/raddb/ was probably installed and that is the
configuration file that you should use.


As for documentation, partially it is inside the configuration files,
some in the man pages. See also the text files beside the source
code, if you have compiled yourself.



Thank You

Samuel I. Barriga


Have  a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Geschäftsführer: Lars Busch
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841




Re: ldap authentication using free radius

2010-08-10 Thread Nicolas Goutte


Am 10.08.2010 um 16:54 schrieb Aqdas Muneer:


Hello,

We recently had an event during which our radius server lost
connectivity to our Active Directory server. All the network gear
could contact radius so none fell back to the backup authentication
method (local), but because AD was down we couldn't get into our
devices. Is there a way to use some locally stored password in free
radius if the ldap server can't be reached?


You can for example use the users file.



Thanks,

Aqdas


Have a nice day!

Nicolas Goutte



Re: Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread Nicolas Goutte


Am 03.08.2010 um 13:23 schrieb al...@arctel.ru:


Hello,

trying to test digest authentication (freeradius 2.1.9). After
uncommenting 'digest' in sites-available/default 'radiusd -X'
starts fine. but after I added (according to 'man rlm_digest')
to users file:

test    Auth-Type := Digest, User-Password = test
        Reply-Message = Hello, test with digest


Please try using Cleartext-Password := test instead of User-password  
= test



[...]


Have a nice day!

Nicolas Goutte




Re: Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread Nicolas Goutte


Am 03.08.2010 um 14:25 schrieb Alan Buxey:


Hi,


Tried Cleartext-Password := test, Cleartext-Password == test,
Cleartext-Password = test, result is the same.


why? why did you do that?

Cleartext-Password := test

is the only correct way. You just completely ignored the information/help
given by the actual author of FreeRADIUS. You don't trust him to know how
the code works??



Alan Cox's email was sent only minutes later.



alan


Have a nice day.

Nicolas Goutte




Re: Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread Nicolas Goutte


Am 03.08.2010 um 15:24 schrieb Alan Buxey:


Hi,


Alan Cox's email was sent only minutes later.


Alan Cox?  wow. RedHat finally taking development to new levels..

you meant Alan DeKok I assume?Too many Alan's for you?  ;-)


Sorry for the mistyping.



alan


Nicolas Goutte




Re: PAP Authentication

2010-06-21 Thread Nicolas Goutte


Am 21.06.2010 um 17:24 schrieb simone.trevi...@telsey.it:


Dear all,
I have an ADSL modem (running PPPoE Client) connected to a Cisco PPPoE
Server.

The Cisco PPPoE Server forwards PPPoE requests from the CPE to
Freeradius 2.1.0.
I would like to provide the CPE with an IP address based on the pair:
Username/password.
Authentication used: PAP

I see the WARNING message reported by Freeradius, but my attempts to fix
them fail.
Can you help me?
Thank you very much.

~~

1) I have added to radiusd.conf the module:
 # PAP module to authenticate users based on their stored password
   #
   #  Supports multiple encryption schemes
   #  clear: Clear text
   #  crypt: Unix crypt
   #md5: MD5 ecnryption
   #   sha1: SHA1 encryption.
   #  DEFAULT: crypt
   pap {
   encryption_scheme = clear
   }
2) I have modify the module pap:
pap {
   auto_header = yes
}
3) In users I have added:
mr642wg Auth-Type := PAP, User-Password == mr642wg


Try using Cleartext-Password := mr642wg instead

[...]

Have a nice day!

Nicolas Goutte




Re: Having trouble compiling freeradius 2.1.9 on ubuntu 10.04

2010-06-16 Thread Nicolas Goutte


Am 16.06.2010 um 12:01 schrieb Bassem Nagi:


Hi,
I am having trouble compiling freeradius version 2.1.9 on ubuntu 10.04.
When I try to start the server I get an error stating

radiusd: error while loading shared libraries:
libfreeradius-radius-2.1.9.so: cannot open shared object file: No such file or directory


Try running ldconfig in the directory where the .so-file is.



Any help would be appreciated.

Thanx


Nicolas Goutte




Re: The question about #define WIMAX2ATTR(x) ((24757 << 16) | (x)) in rlm_wimax.c

2010-06-14 Thread Nicolas Goutte


Am 13.06.2010 um 03:47 schrieb 李立明:



Hi,all
I find #define WIMAX2ATTR(x) ((24757 << 16) | (x)) in rlm_wimax.c,
but I don't understand its meaning.


Put 24757 (decimal) in the high 16 bits and put x in the low 16 bits  
(assuming x is only 16 bits).


As for what 24757 means, I do not know.



I appreciate your help




Have a nice day!

Nicolas Goutte



Re: Problem with make

2010-06-09 Thread Nicolas Goutte

"Update CFLAGS to add -DIE_LIBTOOL_DIE"

(Alan DeKok, 2010-03-26, thread "FreeRADIUS 2.1.7 and 2.1.8 fail to build")


Have a nice day!

Am 09.06.2010 um 13:32 schrieb Martín @ Ibersystems:


Hello all,

we are trying to install Radius Manager from DmaSoftlab. We need to
install Freeradius and we get problems with the make.

We get these errors:

*
modcall.lo radiusd.lo stats.lo session.lo threads.lo util.lo  
valuepair.lo version.lo xlat.lo event.lo realms.lo evaluate.lo  
vmps.lo detail.lo  \
 /root/work/freeradius-server-2.1.8/src/lib/ 
libfreeradius-radius.la -lnsl -lresolv  -lpthread  \

-lcrypt  -lltdl -lcrypto -lssl -lcrypto
rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
creating .libs/radiusdS.c
(cd .libs  gcc  -g -O2 -c -fno-builtin radiusdS.c)
rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/ 
radiusd.nmT
gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/ 
auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/ 
exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/ 
mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/ 
stats.o .libs/session.o .libs/threads.o .libs/util.o .libs/ 
valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/ 
realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o -Wl,--export- 
dynamic  /root/work/freeradius-server-2.1.8/src/lib/.libs/ 
libfreeradius-radius.so -lnsl -lresolv -lpthread -lcrypt /usr/lib/ 
libltdl.so -lssl -lcrypto -ldl

.libs/modules.o: In function `setup_modules':
/root/work/freeradius-server-2.1.8/src/main/modules.c:1358:  
undefined reference to `lt__PROGRAM__LTX_preloaded_symbols'

collect2: ld returned 1 exit status
make[4]: *** [radiusd] Error 1
make[4]: se sale del directorio `/root/work/freeradius-server-2.1.8/ 
src/main'

make[3]: *** [common] Error 2
make[3]: se sale del directorio `/root/work/freeradius-server-2.1.8/ 
src'

make[2]: *** [all] Error 2
make[2]: se sale del directorio `/root/work/freeradius-server-2.1.8/ 
src'

make[1]: *** [common] Error 2
make[1]: se sale del directorio `/root/work/freeradius-server-2.1.8'
make: *** [all] Error 2
*

SO: Ubuntu Server 10.0.4 Lucid Lynxs

We tried the sources from dmasoftlab (2.1.8 modified) and the
sources from freeradius.org (2.1.9); with both sources we get the same
error.


What do we have to install or fix?



Thanks,


Martín Ruiz

Ibersystems Solutions, SL

Dpto. Redes Inalámbricas

Tel. 902 430 367
   669 37 95 21

Fax 93 758 63 01

http://www.ibersystems.es
martinr...@ibersystems.es








-Original Message-
From: Natr Brazell natrbraz...@gmail.com
To: freeradius-users@lists.freeradius.org
Date: Wed, 9 Jun 2010 06:42:13 -0400
Subject: FreeRadius MYSQL tables

All,

I've set up FR2 to log acct data to mysql and that appears to be  
working.  I'm curious about how to enable the logging of specific  
attributes that are being sent by the NAS.  Specifically:


 rad_recv: Accounting-Request packet from host x.x.x.120 port 51637,  
id=50, length=95

Acct-Status-Type = Interim-Update
Acct-Session-Id = C2594B9A71DB
Acct-Delay-Time = 0
User-Name = joe.bobuser
NAS-Identifier = M20
Juniper-Interactive-Command = run start shell 
NAS-IP-Address = x.x.x.120
+- entering group preacct {...}

As you can see in the Accounting-Request packet above, there is a
NAS-Identifier and a Juniper-Interactive-Command entry. Those
attributes are not being logged (nor do I think I'd want them) in my
radacct file. Is there a way to have radius automatically populate
an accountingactivity table (history file if you will)? Or is
there a manual way, say in postauth, to send those attributes to a
mysql table via script when an Accounting-Request packet is
received? The above attributes are being sent and are logged in my
detail-`date` log file in /var/log/radius/radacct/IP_OF_NAS directory.


Thanks,
N


Nicolas Goutte



Re: i install freeradius successfully, but i can't telnet the port

2010-06-08 Thread Nicolas Goutte


Am 08.06.2010 um 09:38 schrieb Spacelee:


this is the file users' content
test Auth-Type:=MS-CHAP, User-Password:=test, Simultaneous-Use:=100


Try using Cleartext-Password:=Test instead of User-Password:=Test


Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254,
Framed-IP-Netmask = 255.255.255.0





[...]

Nicolas Goutte




Re: i install freeradius successfully, but i can't telnet the port

2010-06-08 Thread Nicolas Goutte


Am 08.06.2010 um 09:59 schrieb Spacelee:


i use radius -X to see the log, it looks like:

Ignoring request to authentication address * port 1812 from unknown  
client 123.116.121.228 port 56627

Ready to process requests.
Ignoring request to authentication address * port 1812 from unknown  
client 123.116.121.228 port 56627

Ready to process requests.


As far as I understand, such an error message means that the unknown  
client is not defined in client.conf and therefore freeradius  
discards the request (for security reasons).


Have  a nice day!




2010/6/8 Spacelee fjct...@gmail.com
what should i write in client.conf

mine is like this:
client fremont.iqwer.com {
ipaddr = 173.233.234.52
shortname = fremont
secret = 19861230
nastype = other
}

2010/6/8 Spacelee fjct...@gmail.com
on the radius server, i type the two command , and get those  
results, the iptables has been shutdown



radtest test test localhost 1812 19861230
Sending Access-Request of id 124 to 127.0.0.1 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812,  
id=124, length=20



radtest test test 173.224.212.50 1812 19861230
Sending Access-Request of id 236 to 173.234.232.50 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Sending Access-Request of id 236 to 173.224.212.50 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Sending Access-Request of id 236 to 173.224.212.50 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
radclient: no response from server for ID 236 socket 3


2010/6/8 Spacelee fjct...@gmail.com
this is the file users' content
test Auth-Type:=MS-CHAP, User-Password:=test, Simultaneous-Use:=100
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254,
Framed-IP-Netmask = 255.255.255.0



2010/6/8 Spacelee fjct...@gmail.com

i use netstat and found there is radius listen on 1812, 1813 and  
1814 using udp
i shut down all the iptables both on the server of pptp and the  
server radius


but the pptp can't be authenticated , the log is

RADIUS plugin initialized.
Jun  8 15:26:29 mountainview pppd[4604]: Plugin /usr/lib64/pppd/ 
2.4.4/radattr.so loaded.

Jun  8 15:26:29 mountainview pppd[4604]: RADATTR plugin initialized.
Jun  8 15:26:29 mountainview pppd[4604]: Plugin /usr/lib64/pptpd/ 
pptpd-logwtmp.so loaded.

Jun  8 15:26:29 mountainview pppd[4604]: pptpd-logwtmp: $Version$
Jun  8 15:26:29 mountainview pppd[4604]: pppd 2.4.4 started by root,  
uid 0

Jun  8 15:26:29 mountainview pppd[4604]: Using interface ppp0
Jun  8 15:26:29 mountainview pppd[4604]: Connect: ppp0 -- /dev/pts/1
Jun  8 15:27:03 mountainview pppd[4604]: rc_send_server: no reply  
from RADIUS server puppet:1812
Jun  8 15:27:03 mountainview pppd[4604]: Peer test failed CHAP  
authentication

Jun  8 15:27:03 mountainview pppd[4604]: Connection terminated.
Jun  8 15:27:03 mountainview pppd[4604]: Exit.


it says there is not reply

2010/6/8 Alan Buxey a.l.m.bu...@lboro.ac.uk

Hi,
 i can start freeradius ok, but my pptp can't remote access radius  
server, I telnet 1812 or 1813 , but both are connection refused, i  
don't know what to do with this situation


firewall eg iptables , on the server you put freeradius on?

alan



--
Spacelee





Nicolas Goutte


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
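
The check described in the reply above, as an added example that is not part of the original thread and not FreeRADIUS code: it compares the source addresses in "unknown client" debug lines against the client blocks of a clients.conf. The configuration and log text are constructed samples modelled on the thread (placeholder secret, documentation address range), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the first block mirrors the one quoted in the thread,
# with a placeholder instead of the posted secret.
CLIENTS_CONF = """
client fremont.iqwer.com {
    ipaddr = 173.233.234.52
    shortname = fremont
    secret = PLACEHOLDER-SECRET
    nastype = other
}
client 127.0.0.1 {
    secret = PLACEHOLDER-SECRET   # comment after a value
    shortname = localhost
}
client lab {
    ipaddr = 192.0.2.0
    netmask = 24
    secret = PLACEHOLDER-SECRET
}
"""

# Constructed sample of radiusd -X output, following the wording in the thread.
DEBUG_LOG = """
Ready to process requests.
Ignoring request to authentication address * port 1812 from unknown client 123.116.121.228 port 56627
Ready to process requests.
Ignoring request to authentication address * port 1812 from unknown client 123.116.121.228 port 56627
Ignoring request to accounting address * port 1813 from unknown client 192.0.2.17 port 40001
"""

CLIENT_BLOCK = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)\}", re.S | re.M)
SETTING = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)
UNKNOWN = re.compile(
    r"Ignoring request to \w+ address \S+ port \d+ from unknown\s+client (\S+) port \d+"
)


def parse_clients(conf_text):
    """Map each client's shortname (or block name) to the network it covers."""
    text = re.sub(r"#.*", "", conf_text)  # assumes '#' never occurs inside a value
    nets = {}
    for name, body in CLIENT_BLOCK.findall(text):
        settings = dict(SETTING.findall(body))
        addr = settings.get("ipaddr", name)  # 'client 127.0.0.1 {' has no ipaddr line
        if "netmask" in settings and "/" not in addr:
            addr = f"{addr}/{settings['netmask']}"
        try:
            nets[settings.get("shortname", name)] = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue  # hostname-only client: resolving it needs DNS, skipped here
    return nets


def audit_unknown_clients(conf_text, log_text):
    """For each rejected source address, say whether clients.conf covers it."""
    nets = parse_clients(conf_text)
    report = {}
    for ip, hits in Counter(UNKNOWN.findall(log_text)).items():
        addr = ipaddress.ip_address(ip)
        match = next((n for n, net in nets.items() if addr in net), None)
        if match:
            # Assumption: the file covers the address but the running server
            # does not, so it has stale or different configuration loaded.
            action = "defined in this file: restart radiusd or check which raddb it reads"
        else:
            action = "no client block covers this address"
        report[ip] = {"hits": hits, "defined_as": match, "action": action}
    return report


if __name__ == "__main__":
    for ip, row in audit_unknown_clients(CLIENTS_CONF, DEBUG_LOG).items():
        print(f"{ip:>16}  x{row['hits']}  {row['action']}")
```
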

Re: rlm_perl version?

2010-05-25 Thread Nicolas Goutte


Am 25.05.2010 um 15:12 schrieb Jan Zacharias:


Hey Alan,

Alan DeKok al...@deployingradius.com hat am 25. Mai 2010 um 14:43  
geschrieben:


   My suspicion is that you've built 2.1.9 with version X of Perl,  
and
 are then trying to link it with version Y of Perl.  Ensure that  
you only

 have one version of Perl installed.
That's not the case here, I have (and had when building 2.1.9 this  
morning) only following

libperl stuff installed:

dpkg -l|grep libperl
ii  libperl-dev   5.10.1-8ubuntu2   Perl library: development files
ii  libperl5.10   5.10.1-8ubuntu2   shared Perl library


Isn't there a way to find out the perl version? I thought of print  
$1 but this does not

work as intended.


Try using

perl -V




Best, Jan


Nicolas Goutte



Re:

2010-05-04 Thread Nicolas Goutte


Am 04.05.2010 um 13:34 schrieb dorra aa:


Hi.
After installing Radius, I try to do some examples. I don't know if it
is correct because I'm new to it.


I add on Users:



sonia Auth-Type := Local, User-Password == salut


This should read

Cleartext-Password := salut

instead of

User-Password == salut

In Freeradius, passwords are assigned ( := ) and not compared ( == )

Have a nice day!


Reply-Message = Hello, %u,
Reply-Message = are you fine, %u

And i add on Clients.conf:
client 127.0.0.1 {
secret  = testing123 # notre clé partagée
shortname   = class
nastype = other
}
when i do this command, i have:

p...@pfe-laptop:~$ sudo radtest sonia salut 127.0.0.1:1812 1812  
testing123

Sending Access-Request of id 11 to 127.0.0.1 port 1812
User-Name = sonia
User-Password = salut
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=11,  
length=20


What is the problem, please? Is there something missing in my test?
Thank you




Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
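
The advice given in this reply and in the digest, PAP and MS-CHAP replies above (use Cleartext-Password with := rather than User-Password as a check item), turned into a small lint for users-file entries. This is an added example, not part of the thread and not FreeRADIUS code; the sample entries are constructed from the ones quoted above and the function name is hypothetical.

```python
import re

# attribute, operator, value (quoted string or bare word) in a check-item list
ITEM = re.compile(
    r'([\w-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)'
)

# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE = (
    "# constructed sample users file\n"
    'test\tAuth-Type := Digest, User-Password = "test"\n'
    '\tReply-Message = "Hello, test with digest"\n'
    'mr642wg Auth-Type := PAP, User-Password == "mr642wg"\n'
    'sonia Cleartext-Password == "salut"\n'
    '\tReply-Message = "Hello, %u"\n'
    'bob Cleartext-Password := "a, b=c"\n'
)


def lint_users(text):
    """Return (findings, fixed_lines) for users-file style text.

    findings is a list of (line number, user, message); fixed_lines is the
    input with every password check item rewritten to Cleartext-Password :=.
    """
    findings, fixed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = re.match(r"(\S+)(\s+)(.*)", line)
        # Reply items are indented and comments start with '#': only the first
        # line of an entry carries check items such as the password.
        if not entry or line[0] == "#":
            fixed.append(line)
            continue
        user, sep, checks = entry.groups()

        def rewrite(m):
            attr, op, value = m.groups()
            name = attr.lower()
            if name == "user-password":
                findings.append((lineno, user, f"User-Password {op} as check item"))
            elif name == "cleartext-password" and op != ":=":
                findings.append((lineno, user, f"Cleartext-Password uses {op}, not :="))
            else:
                return m.group(0)  # other check items are left untouched
            return f"Cleartext-Password := {value}"

        fixed.append(user + sep + ITEM.sub(rewrite, checks))
    return findings, fixed


if __name__ == "__main__":
    found, fixed_lines = lint_users(SAMPLE)
    for lineno, user, message in found:
        print(f"line {lineno} ({user}): {message}")
    print("\n".join(fixed_lines))
```
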

Re: How to handle dynamic update of shared secret and client configuration in free radius

2010-04-13 Thread Nicolas Goutte


Am 13.04.2010 um 15:27 schrieb Rajendra Hegde:


I wonder if this is directly not achievable,
what if some other program running on machine B updates the file
and sends signal SIGHUP or some other signal, I am not sure,
to freeradius so that freeradius rereads the config information
without getting restarted?
Does it work?



Which signal to send to freeradius so that it rereads configuration
again?


If you want to re-read all configuration files, you have to stop and
start (again) the freeradius server.




Thanks in Advance.


Have a nice day.




From: Rajendra Hegde
Sent: Mon 4/12/2010 4:48 PM
To: FreeRadius users mailing list
Subject: How to handle dynamic update of shared secret and client  
configuration in free radius


Hello,

I am a client program running on machine A.

It want to talk to free radius on machine B.
{ cleint on Machine A } ---   { free radius on machine B}

Now the client wants to dynamically update the shared secret and  
other client information

by just talking to the free radius over simple network connection.

After that free radius should use the new information right away as  
well as update the

static file(s) in /etc/raddb...

Any pointers for achieveing this would be appreciated.

Thanks,
Rajendra Hegde




Nicolas Goutte



Re: How to handle dynamic update of shared secret and client configuration in free radius

2010-04-13 Thread Nicolas Goutte


Am 13.04.2010 um 15:50 schrieb Nicolas Goutte:



Am 13.04.2010 um 15:27 schrieb Rajendra Hegde:


I wonder if this is directly not achievable,
what if some other program running on machine B updates the file
and sends signal SIGHUP or some other signal, I am not sure,
to freeradius so that freeradius rereads the config information
without getting restarted?
Does it work?



Which signal to send to freeradius so that it rereads configuration
again?


If you want to re-read all configuration files, you have to stop and
start (again) the freeradius server.


If you want, you can look at an old thread about why -HUP does not  
read them again:

http://lists.freeradius.org/pipermail/freeradius-users/2008-April/msg00020.html





Thanks in Advance.


Have a nice day.





Re: Freeradius says it is listening on port 1812, but isn't

2010-03-24 Thread Nicolas Goutte


Am 24.03.2010 um 09:51 schrieb Matt Harlum:


Hi,

I'm running Freeradius 2.1.6 on MacOSX 10.5.7 on a Dual-G4 867Mhz  
PowerMac


Since march last year I've had 2.1.6 installed however it's been  
switched off for the last few months.
Recently I powered it back on and have run system updates etc and  
got to the point I am now


When I launch FreeRadius it says it is listening on *:1812 for auth  
however my AP is unable to connect, and trying telnet on port 1812  
results in Connection Refused


I've tried reverting the configuration to default but it hasn't  
worked. running radiusd -x does not throw any errors




Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.


Anyone have any ideas as to why this would be happening all of a  
sudden? perhaps the system updates broke it?


Have you checked firewalls and such? Perhaps you can also check with  
tools like tcpdump if the packets arrive on the computer where  
freeradius is running.


Also perhaps check that the computer has really the IP address or name  
that you think it has and that the IP or name is really used by the AP.





Regards,
Matt Harlum




Have a nice day!

Nicolas Goutte




Re: MS-CHAP2-Response is incorrect + invalid NT-Password

2010-03-15 Thread Nicolas Goutte


On 15.03.2010 at 11:35, omega bk wrote:


sorry for spamming, i just want to understand



OpenLDAP knows the clear text password:

  [ldap] userPassword - Cleartext-Password == test 
  [ldap] userPassword - NT-Password == 0x7465737420 = supposed to be the hash password


I doubt very much that this is a hash:

0x74: t
0x65: e
0x73: s
0x74: t
0x20: space
(all in ASCII)

Have you tried *not* to define a NT-Password and let Freeradius calculate from the Cleartext-Password what it needs?


[...]

Have a nice day!

Nicolas Goutte


List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radius Manager

2010-02-12 Thread Nicolas Goutte


On 12.02.2010 at 15:39, Teguh Kurniawan wrote:


Hello,
I use ancient Free Radius 1.1.7 packages (from Ubuntu 8.04/Hardy) on
Ubuntu Server 9.10. I use ancient Free Radius, because the
requirement from Radius Manager we buy from
http://www.radius-manager.com/.
But after finish setting up the configuration for Free Radius, I've
got some problem. Some problem I could fixed after asking some
question from this mailing list and searching from google.
But I've got another problem, my testing is rejected. What should I do ?

Best Regards,

Teguh Kurniawan


The mailing list is receiving your emails, see also: 
https://lists.freeradius.org/pipermail/freeradius-users/2010-February/thread.html

You do not need to repeat the same question again, especially within a day.


If nobody is answering, it is because:
- nobody on this list knows an answer
- if somebody would know an answer, this person is perhaps otherwise busy.







[...]

Have a nice day!

Nicolas Goutte




Re: radius for linux authentication

2010-02-11 Thread Nicolas Goutte


On 11.02.2010 at 11:20, sr...@aol.in wrote:



Hi List,

I have configured my linux devices to use freeRadius (freeRadius 1.1.5 with MySQL backend) authentication.
Installation of pam library went well and am able to get authenticated against my freeRadius server.
Now the problem is how to identify a user like root have same name on multiple machines. For this I observed that this PAM library is sending Calling-Station-Id in Access-Request packets.

I did modify my radcheck table to have entries as following:
+----+-----------+--------------------+----+----------------+
| id | UserName  | Attribute          | op | Value          |
+----+-----------+--------------------+----+----------------+
|  1 | linuxuser | Password           | == | radpwd         |
| 12 | root      | Calling-Station-Id | == | 192.168.100.61 |
| 11 | root      | Password           | == | 10radpwd       |
| 10 | root      | Password           | == | 61radpwd       |
| 13 | root      | Calling-Station-Id | == | 192.168.70.10  |
+----+-----------+--------------------+----+----------------+


Try using := instead of == for setting in passwords.



But the failed to authenticate.

Please suggest what could be the problem, ASAP.
Also, are there any other ways to handle this kind of situation.


Appreciate your help.

Regards,
Sri.




Have a nice day!

Nicolas Goutte



Re: Difficulties with rlm_perl specifically sending mail

2010-02-02 Thread Nicolas Goutte


On 02.02.2010 at 00:12, David Buckley wrote:



Greetings from New Zealand

I have a two factor auth system built using rlm_perl, which is all
working fine but for one problem.

I have a function that sends emails for sending one-time passwords via
SMS which works perfectly when FR is run as radiusd -X, but doesn't work
when FR started as a service.  This FR 2.1.7 RPM installation on RHEL
modern and patched.  When run as a service RHEL runs radiusd as user and
group radiusd.


Just an idea: sending emails often means starting the program sendmail. Perhaps radiusd started as service has no $PATH and therefore cannot find sendmail.



[...]






Nicolas Goutte




Re: FreeRadius won't start with my configs

2009-12-16 Thread Nicolas Goutte


On 16.12.2009 at 20:39, J Brandon Polley wrote:

I can't get FreeRadius to start. No other instance of FreeRadius is running when I try to start FreeRadius.

I'm using FreeRadius 1.1.7-21.4.47


Here is my debug info when I enter radiusd -x

Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
rlm_preprocess: Error reading /etc/raddb/huntgroups (didnt change anything in this file)


Do you really have a file in this path? Are the rights of the file in a way that the daemon can read them, as the user that is being used?


Have a nice day!

[...]





Nicolas Goutte



Re: Differencent assigments in users files

2009-11-04 Thread Nicolas Goutte


On 04.11.2009 at 11:12, verhoem wrote:



Hello,

I'm a newbie in freeradius but after reading O'Reilly's Radius book for
dummies I still can't figure out what the difference is between := == and =
in the usersfile.



steve Auth-Type := Local, User-Password ==  Testing etc.


It should read

Cleartext-Password := Testing


In FreeRadius passwords are assigned ( := ) not compared ( == ).


I also see notations like Jonathan Password = Unix-PW.
In the end my config seems to work but I'm wondering if i'm missing out on
something important.

Explanation or an url would be very appreciated !

Greetings Marcel

--
View this message in context: 
http://old.nabble.com/Differencent-assigments-in-users-files-tp26193201p26193201.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.




Have a nice day!

Nicolas Goutte




Re: Differencent assigments in users files

2009-11-04 Thread Nicolas Goutte


On 04.11.2009 at 11:21, Ana Gallardo wrote:



http://freeradius.org/radiusd/man/users.html


Well, unfortunately there is an example:

bob User-Password == hello

which is bad.

Have a nice day!






--


 Ana Gallardo Gómez



Nicolas Goutte



Re: Password expiration and change on next logon options

2009-11-03 Thread Nicolas Goutte


On 03.11.2009 at 17:47, Ivan Kalik wrote:


I am trying to figure out how to do password aging and on next logon change
with freeRadius.


Custom script on your login. Radius doesn't interact with user interface.


I am using ASA firewall with MS-CHAP2 support. mschap is also enabled in
freeRadius.

Could somebody point to where I can find any documentation about it?
Also, should I use system passwords or keep them in the postgres to make it
working?


You can't use system (crypted) passwords with mschap.


See: http://deployingradius.com/documents/protocols/compatibility.html



Ivan Kalik
Kalik Informatika ISP




Have a nice day!

Nicolas Goutte




Re: Failed to link to module rlm_ldap

2009-09-24 Thread Nicolas Goutte


On 24.09.2009 at 15:54, José Johnny RANDRIAMAMPIONONA wrote:

I tried to upgrade freeradius-server-2.1.6 to freeradius-server-2.1.7 and it worked well (in localhost) without ldap. Then I tried to use the old version (2.1.6) but it doesn't work anymore:
Thu Sep 24 13:32:16 2009 : Error: /usr/local/freeradius-server-2.1.6//etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': libldap_r-2.3.so.0: cannot open shared object file: No such file or directory


Have you tried to run ldconfig, possibly on the directory where libldap_r.so is?


[...]






Have a nice day!

Nicolas Goutte



Re: Sanity check, example in users man page

2009-09-03 Thread Nicolas Goutte


On 03.09.2009 at 21:02, Gary Gatten wrote:


RPM shows nothing FR related installed.  I did run man 5 users.
v2.1.6 is current, no?



If you want something newer than the last released version, see http://git.freeradius.org , especially the stable tree.


Have a nice day!

Nicolas Goutte


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: Thursday, September 03, 2009 1:53 PM
To: FreeRadius users mailing list
Subject: RE: Sanity check, example in users man page

You do. Current documentation should be in man 5 users.

Ivan Kalik
Kalik Informatika ISP


v2.1.6.  AFAIK FR was never installed on this box - it's fairly new - so
I don't think it could've been some legacy doc that didn't get
overwritten when 2.1.6 was installed.


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Thursday, September 03, 2009 1:33 PM
To: FreeRadius users mailing list
Subject: Re: Sanity check, example in users man page

Hi,

From users man page:


EXAMPLES
 bob  User-Password == hello

Requests  containing  the User-Name attribute, with value bob,
will be authenticated using the password bob.   There  are  no
reply items, so the reply will be empty.


Surely this is incorrect - right?  Should this not read:
... will be authenticated using the password hello.


Assuming I'm correct, this is my excuse for taking so long to grasp some
of the concepts of FR, unlang, etc.  I think there are several doc
errors / typos that are confusing me



what version are you actually looking at? your example predates
2.x of the code and only 2.x of the code has unlang etc.

the current doc (man 5 users) states

bob  Cleartext-Password := hello

 Requests  containing  the User-Name attribute, with value bob,
 will be authenticated using the known good password hello.  There are no
 reply items, so the reply  will be empty.


but yes - the text you have is wrong. it is, indeed password hello - its
fairly obvious.

from the text i'd say you've got a document that came with version 1.0.2
of the code?

alan





This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited.  If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system.


Nicolas Goutte




nested groups

2009-08-25 Thread Nicolas . CLEMENTZ
Hi,

Is it possible to search users on nested groups? For example:

User1 is in group Group1,
User2 is in group Group2,
Group1 and Group2 are in group Group12

The users config :
...
DEFAULT ldap-iut-Ldap-Group == Group12
        Tunnel-Medium-Type:1 = 6,
        Tunnel-Type:1 = 13,
        Tunnel-Private-Group-ID:1 = 636,
        Fall-Through = Yes

Freeradius Server : 2.1.7 (git)
Ldap server : Active directory 2008


Thanks

Nicolas Clementz
Université de Haute Alsace

Re: new to freeRADIUS - Help

2009-08-04 Thread Nicolas Goutte


On 03.08.2009 at 21:46, Radius Master wrote:


Hi,

I am in the process of setting up freeRADIUS on Mac OSX. We're a small
group looking into becoming a WISP. Can anyone tell me if there is a
RAS that runs on OSX?


If by RAS, you mean remote access, then MacOSX has plenty of them:
- ssh
- (direct) remote desktop client (MacOS 10.5; see in Finder)
- remote desktop per iChat (MacOS 10.5)




The install of freeRADIUS itself seems to have gone smoothly, and I
installed MySQL 5.1 as well, no hitches. I have not, tho, found out
how to tell if freeRADIUS is actually running or not.


If by actually running or not, you mean that a user could check then use: ps ax
If you mean that a program should check I am not sure. A shell script could use ps, fgrep and co to do that.




Thanks in advance for all help.



Have a nice day!

Nicolas Goutte




Re: new to freeRADIUS - Help

2009-08-04 Thread Nicolas Goutte


On 04.08.2009 at 17:13, Radius Master wrote:


Hi Nicolas,

Thanks so much for your answer. What i meant was, in the terminal,
what can I type as a test to get a response from a running instance of
freeradius.

by RAS, I mean Remote Access Server. Also know as a Network Access
Server. As I understand it, the PPPoE users first hit the RAS, then
the rAS passes the query off to freeRadius, then freeRadius tells the
RAS what to do based on the user's validity, and the RAS either
accepts or rejects the user.

Do I have the concept right? And if so, do you or anyone know of a RAS
software that will run on OS X?


Ah, then I have misunderstood you. Sorry that I could not help you.

Perhaps this answer can bring you further: 
http://lists.freeradius.org/pipermail/freeradius-users/2009-January/msg00515.html



Another question i have, When I spoke briefly to the folks at Network
RADIUS, they told me that freeRadius includes the required db schema
for mySQL. When I installed mySQL 5.1, there was a db in there that I
didn't recognize, called information_schema, comprised of 28 tables.
Is this it, or is there something special I need to do to enable the
schema, as i understand from the docs that freeRadius will work with
almost any datasource including flatfiles.

Thanks in advance.

PS, if you're wondering if I'm aware of the irony in my name, the
answer is yes ;)


Have a nice day!





Nicolas Goutte




Re: password encryption problem

2009-07-31 Thread Nicolas Goutte


On 31.07.2009 at 15:13, Hegedus Gabor wrote:


Hi all!

I have a problem, I want to authenticate console users in cisco switches.
In the 2960, the switch send the password in cleartext, nothing problem.


User-Password=password


Please try using

Cleartext-Password := password

in the users file (or similarly in databases).




but in the 2950, the switch can only send in crypted version like this:


NAS-Port-Type = Virtual
User-Name = test
Calling-Station-Id = 192.168.***
User-Password = \\342\455\325]̍\322\tM~\237\616}\266\426
Service-Type = Login-User

In the ldap database I tried all of the encryption type (clear, md5, crypt, md5crypt) but every time reject the authentication:


frad debug:

Failed to authenticate the user.
Login incorrect (rlm_ldap: Bind as user failed): [test/\\_ 
\266\065]�?\663\tM~\667\354}\126\316] (from client switch port 1  
cli 192.168.***
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!



What can I do in the freeradius, what I forgot?
Thanks! Gabor



Have a nice day!

Nicolas Goutte


List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
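
Added example, not part of the original thread: the debug output above warns about unprintable characters and the shared secret, and this sketch shows why a secret mismatch produces exactly that. It implements the User-Password hiding from RFC 2865 section 5.2 (MD5 of shared secret plus Request Authenticator, XORed over 16-byte blocks); the secrets, authenticator and password are constructed sample values.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS places in the User-Password attribute (RFC 2865, 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password still occupies one block
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Each block is keyed by MD5(secret + previous ciphertext block).
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server recovers using its own copy of the shared secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def looks_printable(data: bytes) -> bool:
    """True when every byte is printable ASCII, as a typed password would be."""
    return bool(data) and all(0x20 <= c < 0x7F for c in data)


def demo():
    authenticator = bytes(range(16))   # constructed Request Authenticator
    nas_secret = b"nas-secret"         # constructed: secret configured on the switch
    hidden = hide_user_password(b"password", nas_secret, authenticator)
    return {
        "server has same secret": reveal_user_password(hidden, nas_secret, authenticator),
        "server has other secret": reveal_user_password(hidden, b"server-secret", authenticator),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        state = "printable" if looks_printable(value) else "UNPRINTABLE"
        print("%-24s %-12s %r" % (label, state, value))
```

With matching secrets the server recovers the typed password; with differing secrets it recovers random-looking bytes, which no backend (LDAP bind included) can match.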

Re: Problem with compilation

2009-07-24 Thread Nicolas Goutte
-radius.so  ln -s libfreeradius- 
radius-2.1.6.so libfreeradius-radius.so)


false cru .libs/libfreeradius-radius.a  dict.o filters.o hash.o hmac.o hmacsha1.o isaac.o log.o misc.o missing.o md4.o md5.o print.o radius.o rbtree.o sha1.o snprintf.o strlcat.o strlcpy.o token.o udpfromto.o valuepair.o fifo.o packet.o event.o getaddrinfo.o vqp.o heap.o dhcp.o


Here you have false. so probably you are missing a tool, that configure could not find. (Sorry, I do not know how the tool making static libraries is supposed to be named on Solaris.)




gmake[4]: *** [libfreeradius-radius.la] Error 1
gmake[4]: Leaving directory `/export/home/install/freeradius-server-2.1.6/src/lib'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/export/home/install/freeradius-server-2.1.6/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/export/home/install/freeradius-server-2.1.6/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/export/home/install/freeradius-server-2.1.6'
make: *** [all] Error 2
#
Thanks in advance.


Nicolas Goutte



Re: mysqld connecting problem

2009-07-23 Thread Nicolas Goutte


On 23.07.2009 at 09:06, shivashankar wrote:



hi,

miboss3# /usr/sfw/sbin/mysqld
Fatal error: Please read Security section of the manual to find out how to run mysqld as root!


It is probably not the right mailing list to ask a (security) question about mysql, especially if the error message tells to read the manual.



090723  7:23:37 Aborting

090723  7:23:37 /usr/sfw/sbin/mysqld: Shutdown Complete

please help me
--
View this message in context: 
http://www.nabble.com/mysqld-connecting-problem-tp24620450p24620450.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Nicolas Goutte




Re: login / password

2009-07-23 Thread Nicolas Goutte


On 23.07.2009 at 15:42, Rakotomandimby Mihamina wrote:


Hi,
Our passwords are stored as clear text in a postgresql database.


Are they defined as Cleartext-Password ?

In a users file you would need something like:

username Cleartext-Password := secret

(not sure how to express it in a database).



The attached file tends to show CHAP is looking for something I don't understand.


Would you have any suggestion?
What's that no known good password that might fail authentication?

testing with radtest give the correct auth answers.
I am now testing with the final client (coova).


--
   IT Architect:
  System Administration, Research & Development
 + 261 32 11 401 65
Please consider the environment before printing this message


Nicolas Goutte




Re: Radius Authentication failure

2009-07-21 Thread Nicolas Goutte


On 21.07.2009 at 11:04, Vamsi Krishna Valiveti wrote:


Hi,

I am using  freeradius-server-2.1.4. I changed only the below files

Users

iss Auth-Type := Local, User-Password == iss123


Try to use

Cleartext-Password := iss123


Passwords must be assigned ( := ) not compared ( == ).

Also User-Password is deprecated.

Have a nice day!



Clients.conf



[...]

Nicolas Goutte


List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
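
Added example, not part of the original threads: the replies above and in the earlier "users file" threads repeat two rules, that passwords are assigned with := rather than compared with ==, and that User-Password is deprecated in favour of Cleartext-Password. This small checker applies those two rules to the check items of a users file; the function name, the regular expression and the sample file (built from lines quoted in the threads, with quotes restored) are assumptions of this example, not FreeRADIUS code.

```python
import re

# One "Attribute op value" check item; an optional :N tag is allowed on the name.
ITEM = re.compile(r'([A-Za-z0-9_-]+(?::\d+)?)\s*(:=|==|\+=|!=|=)\s*("[^"]*"|[^,\s]+)')

DEPRECATED = {"user-password"}
PASSWORD_ATTRS = DEPRECATED | {"cleartext-password"}

# Constructed sample, assembled from entries quoted in the threads.
SAMPLE_USERS = '''\
steve Auth-Type := Local, User-Password == "Testing"
bob User-Password == "hello"
username Cleartext-Password := "secret"
gabor Cleartext-Password == "password"
DEFAULT ldap-iut-Ldap-Group == "Group12"
        Tunnel-Type:1 = 13,
        Fall-Through = Yes
'''


def lint_users(text):
    """Return (line number, user, problem, suggested check item) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            continue  # indented lines are reply items, not check items
        parts = line.split(None, 1)
        user = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        for attr, op, value in ITEM.findall(rest):
            key = attr.lower()
            if key not in PASSWORD_ATTRS:
                continue
            problems = []
            if key in DEPRECATED:
                problems.append("%s is deprecated" % attr)
            if op != ":=":
                problems.append("password uses '%s' instead of ':='" % op)
            if problems:
                findings.append((lineno, user, "; ".join(problems),
                                 "Cleartext-Password := %s" % value))
    return findings


if __name__ == "__main__":
    for lineno, user, problem, fix in lint_users(SAMPLE_USERS):
        print("line %d (%s): %s -> use: %s" % (lineno, user, problem, fix))
```
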

Re: Server Log say user authenticate but modem shows error 691

2009-07-21 Thread Nicolas Goutte


On 21.07.2009 at 14:28, amritap sinha wrote:


Dear All,
  I have try to implement  freeradius in RHCL 4 with my sql.
My data base connected to the   radius server properly and my radius
server authenticate the user properly inside the network and outside
the network. My problem is that when I try to connect any user through
dial up connection  my NAS and radius response and password
authenticate(basically I using CHAP password for authentication) but
modem shows error 691 in Windows XP O.S.
Please any one help me with providing a suitable solution.


Ok, I am sure that you will be asked the classical questions, so I can ask them:


What is in the log of radiusd -X? What is your configuration?




Thanks & Regards

 Amritap Sinha


Nicolas Goutte




Re: make install without messing with previous configuration?

2009-07-15 Thread Nicolas Goutte


On 15.07.2009 at 08:16, Stefan Winter wrote:


Hello,

I wonder if there's a way to install FreeRADIUS, but *not* have it
install config files in its raddb dir.

The reason being that if you have a previous version and a
well-shepherded config directory with only exactly the needed files, a
make install will clutter your raddb dir with default files. You can
delete the unnecessary files afterwards for sure, but it would be
preferable if raddb could remain untouched on request.
I even had one instance where I got bitten by it: a server didn't have a
sites-enabled/default. make install during an upgrade helpfully
created it with a set of module calls in it which weren't configured. As
a result, the server refused to start afterwards until the default
server was deleted.

So, is there some kind of make install-no-config, ./configure
--no-touch-raddb or similar?


I do not know how to do it at compile time but you can do it at runtime by specifying -d your_directory to radiusd.


So perhaps a make install will install many configuration files but not where *your* configuration is.




Greetings,

Stefan Winter


Have a nice day!



--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Nicolas Goutte




Re: rlm_eap_md5: Cleartext-Password is required for EAP-MD5authentication

2009-07-15 Thread Nicolas Goutte
We are receiving your messages. You do not need to post them multiple times. (Posting to a mailing list is never immediate.)


(See also the archives: http://lists.freeradius.org/pipermail/freeradius-users/2009-July/date.html )


Have a nice day!

On 15.07.2009 at 09:40, youler wrote:



My running environment is freeradius-2.1.3. The authentication type is EAP/MD5.
It's running not well with individual 'user' file. I can't find the problem.

My mainly configuration file as follow:



[...]





Nicolas Goutte



Re: make install without messing with previous configuration?

2009-07-15 Thread Nicolas Goutte


On 15.07.2009 at 09:53, Stefan Winter wrote:


Hi,


I do not know how to do it at compile time but you can do it at
runtime by specifying -d your_directory to radiusd.

So perhaps a make install will install many configuration files but
not where *your* configuration is.


Yes, I considered pointing --with-raddb-dir=/tmp/trash or so. But I


I am not sure but does that mean that the binary that you create would  
point to that directory too. So in that case, you would have to  
specify the real directory at runtime too.


don't want a one-time installation problem to require attention whenever
I run the service in the future. It is then something to remember
constantly (and to document for on-duty personnel etc. ...), only to fix
a single-shot problem. It just doesn't sound right to me.


Yes, I had not seen it from that point of view.



Greetings,


Have a nice day!



Stefan



Nicolas Goutte




Re: ./configure

2009-07-15 Thread Nicolas Goutte


On 15.07.2009 at 15:45, shiva shankar wrote:


hi aland

it is giving a problem while doing make.


Then please post the relevant lines of the bottom of the output of make.




regard's
shiva shankar


Have a nice day!



2009/7/15 Alan DeKok al...@deployingradius.com
shivashankar wrote:
 when i am installing freeradius-server-2.1.6 on solaris10. it is showing
 some warnings.

 plz help me out how to remove those warnings

 You don't.  They are WARNINGS, not ERRORS.

 Alan DeKok.



--

regard's
shiva shankar


Nicolas Goutte



Re: Location of freeradius log file

2009-07-13 Thread Nicolas Goutte


On 13.07.2009 at 17:35, Deepak wrote:


Hi,

I have following installed.

===
OS: CentOS 5.3
freeradius 2.1.6 (rpm version)
daloradius 0.9-8
mysql 5.0.45
===

When I try to check the radius log file from the daloradius interface, it
gives me the following error:

error reading log file:

looked for log file in /var/log/freeradius/radius.log and
/usr/local/var/log/radius/radius.log but couldn't find it.
if you know where your freeradius log file is located, set it's
location in /zradius/rep-logs-radius.php

I tried to look for this file but couldn't locate it. There is no
freeradius directory in  /var/log

Where does freeradius keep the log file?


If you do not find it, check your radiusd.conf.

The property is named log_file



Thanks

--
==
Registered Linux User #460714
Currently Using Fedora 10, CentOS 5.3
==


Nicolas Goutte




Re: Session-Timeout in Access-Challenge (that contains EAP-Message)

2009-07-09 Thread Nicolas Goutte


On 08.07.2009 at 20:05, Gong Cheng wrote:



Hi Alan, thanks for the answer. (and thanks to David too).
I can't seem to find 2.1.7 yet, but I will keep this in mind.


I suppose that with 2.1.7, the stable version in GIT is meant, see: 
http://git.freeradius.org/

Have a nice day!



Just as an FYI, I do see commercial NAS code that implements this.


Alan DeKok-2 wrote:


Gong Cheng wrote:

Hi,
   I wonder if there is  a way
- not to include Session-Timeout value intended for Access-Accept in
Access-Challenge messages?


 In 2.1.7, see raddb/sites-available/default.  Look for
Access-Challenge.  There is sample configuration.

- or to configure a different Session-Timeout value for Access-Challenges
(which contain EAP-Message)?

This is about the following section in RFC3579 where Session-Timeout in
Access-Challenge is used to influence EAP retransmission behavior.


 I'm not sure any AP supports that.

 Alan DeKok.






Nicolas Goutte




Re: Unable to configure rlm_ldap on Solaris 10 - doesn't find libldap_r

2009-07-08 Thread Nicolas Goutte


On 08.07.2009 at 13:07, Steven Carr wrote:


On 8/7/09 12:00, Ivan Kalik wrote:
Your linker is probably looking in /usr/lib but not in /usr/local/lib. Add
the correct path.


I have tried with the following set:

 export LD_LIBRARY_PATH=/usr/local/lib



checking for ldap_init in -lldap_r... no

-lldap means compile time linking. By using LD_LIBRARY_PATH you change
only runtime linking, which is not the same.




and I still get the same errors.

Steve

--
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953



Nicolas Goutte




PEAP and Huntgroup-Name

2009-07-07 Thread Nicolas Boullis
Hello,

I'm using Freeradius 2.0.4 from the package in Debian Lenny for WPA (for
wifi) and 802.1x (for wired ethernet) authentication and authorization.

They use PEAP/MSchapv2 for authentication.

Most users are in LDAP and are allowed to connect either to wired
ethernet or to wifi.
But I also have to deal with some guest users, whose usernames all
begin with the guest/ prefix, who are in a SQL database, and who only
should be allowed to connect to wifi.

Currently, the relevant part of my users file is:

| DEFAULT Huntgroup-Name == ap, Prefix == guest/, Autz-Type := GUEST
| Fall-Through = No
|
| DEFAULT Autz-Type := DEFAULT

The trouble is the inner request has no NAS-IP-Address, so the
Huntgroup-Name is not set and does not match.

Running freeradius -X shows that the Huntgroup-Name condition is
correctly verified for the outer request, but not for the inner one.
And if I remove the Huntgroup-Name condition, everything works fine, but
the guest users are allowed to connect to wired ethernet.

Is there a way I can test the outer Huntgroup-Name in my users file?


Regards,

-- 
Nicolas Boullis
Ecole Centrale Paris


Re: PEAP and Huntgroup-Name

2009-07-07 Thread Nicolas Boullis
Ivan Kalik wrote:
 
 Enable copy_request_to_tunnel in peap section of eap.conf.

Hmmm... Now I feel stupid for not finding this myself...
Thanks for showing me the right direction.


Regards,

-- 
Nicolas Boullis
Ecole Centrale Paris


Re: Can't bring it to work on Centos 5.2...

2009-07-03 Thread Nicolas Goutte


On 03.07.2009 at 12:24, Mike wrote:


Dear list,
after 4 days of work and lots of google searches I'm really in
need of some help!

My Setup:
A Centos 5.2 x86_64 box, running source installations of postfix  
2.5.x and Dovecot Imap with domain and users stored in mysql, all  
with tls enabled. Edimax AccessPoint 7206PDg

My goal:
Allowing User authentication for iPhone and Macs with user/password
My current Setup:
http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5 



I've followed this as far as possible. Only one difference: I did
build freeradius 1.1.7 from source for lack of an rpm package. I've
configured with ./configure --libdir=/usr/lib64. While it only
complains about some missing oracle odbc and other sql stuff and I
don't want to use sql I don't think that this will cause any problems.



Ok I think I will ask the question, which otherwise will be asked by  
someone else.


If you have compiled from source, is there a reason why you have not  
used any new version (2.1.6), probably to have less work with the  
configuration?


Have  a nice day!

Nicolas Goutte




Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

2009-07-03 Thread Nicolas Goutte


On 03.07.2009 at 13:24, Clement Ogedengbe wrote:


OK.   I have done that,  But still returned the error below!

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect


You have either Cleartext-Password or NT-Password defined in your LDAP  
database, haven't you?



If not, see:
http://deployingradius.com/documents/protocols/compatibility.html

Have a nice day!



++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
   MS-CHAP-Error = \010E=691 R=1
   EAP-Message = 0x04080004
   Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
   MS-CHAP-Error = \010E=691 R=1
   EAP-Message = 0x04080004
   Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE

Clement

-Original Message-
From: freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org
[mailto:freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org]
On Behalf Of Ivan Kalik
Sent: 03 July 2009 12:17
To: FreeRadius users mailing list
Subject: Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to
LDAP server

The user/password information are held in the LDAP server. I have been able
to authenticate successfully with packets coming from non-EAP clients. But
for EAP authentication clients, I have been receiving the following error
lines. (I am using ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} to call the LDAP server.


ntlm_auth is for Active Directory. Comment out ntlm_auth line in mschap
module and it will work as long as you have clear or nt hashed password
stored in ldap.

Ivan Kalik
Kalik Informatika ISP



Nicolas Goutte




different default_eap_type for different users

2009-07-02 Thread Nicolas Boullis
Hello,

I'm currently in the process of switching from an old freeradius 1.1.6
to a more recent 2.0.4 (both with debian packages, rebuilt against openssl).

I used to support only 802.1x or WPA clients, all using PEAP/MSchapv2,
so I had default_eap_type=peap in my configuration. But now, I will also
have to support a few 802.1x clients using TLS or MD5.

The bad news is that some IP phones fail to authenticate when
default_eap_type=peap (they only support MD5). Changing to
default_eap_type=md5 works, but I'm not satisfied with it since most
clients use PEAP...

In the default EAP configuration, it is written, about the
default_eap_type=peap option:
#  If the EAP-Type attribute is set by another module,
#  then that EAP type takes precedence over the
#  default type configured here.

Hence, I thought I would use the hints file to force EAP-Type (the good
news is that I can recognize the IP phones with their username):
CP-7942G-SEP0024C4BE96B7
EAP-Type = MD5-Challenge

But this apparently does not work.

I also tried to have several eap instances, and check User-Name to know
which one to use in the authorize and authenticate section:
if (User-Name == CP-7942G-SEP0024C4BE96B7) {
eap_ipphones
}
else {
eap
}

But then freeradius -X fails to start with:
/etc/freeradius/sites-enabled/default[234]: Unknown Auth-Type
(User-Name == CP-7942G-SEP0024C4BE96B7) in authenticate sub-section.


Is there a way I can have per-user default_eap_type?


Regards,

-- 
Nicolas Boullis
Ecole Centrale Paris
France


Re: different default_eap_type for different users

2009-07-02 Thread Nicolas Boullis
Alan DeKok wrote:
 Nicolas Boullis wrote:
 
I'm currently in the process of switching from an old freeradius 1.1.6
to a more recent 2.0.4 (both with debian packages, rebuilt against openssl).
 
   Why not 2.1.6?

No good reason for this, only that current Debian stable (Lenny) has
packages for 2.0.4, not 2.1.6. (And since administration of radius
servers is only a small part of my work, I'd rather rely on Debian
packages and Debian security team than track the potential security
issues of all the server softwares that I use.)

Hence, I thought I would use the hints file to force EAP-Type (the good
news is that I can recognize the IP phones with their username):
CP-7942G-SEP0024C4BE96B7
EAP-Type = MD5-Challenge

But this apparently does not work.
 
   It's a *configuration* item, not a reply item.  See man users
 
 ...
 CP-7942G-SEP0024C4BE96B7   EAP-Type := MD5-Challenge
 ...
 
   That will work.

Unfortunately, it does not, freeradius still tries TLS (PEAP?):

# freeradius -X
(...)
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 138.195.254.246 port 1645,
id=21, length=181
User-Name = CP-7942G-SEP0024C4BE96B7
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-1F-6D-11-DD-98
Calling-Station-Id = 00-24-C4-BE-96-B7
EAP-Message =
0x0203001d0143502d37393432472d534550303032344334424539364237
Message-Authenticator = 0xad86f0122944a370ac2bc487e0b292a4
NAS-Port-Type = Ethernet
NAS-Port = 50024
NAS-Port-Id = FastEthernet0/24
NAS-IP-Address = 138.195.254.246
+- entering group authorize
  hints: Matched CP-7942G-SEP0024C4BE96B7 at 78
++[preprocess] returns ok
expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/freeradius/radacct/138.195.254.246/auth-detail-20090702
rlm_detail:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/138.195.254.246/auth-detail-20090702
expand: %t - Thu Jul  2 11:51:53 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = CP-7942G-SEP0024C4BE96B7, looking
up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 29
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry CP-7942G-SEP0024C4BE96B7 at line 135
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 21 to 138.195.254.246 port 1645
EAP-Message = 0x010400061920
Message-Authenticator = 0x
State = 0xe0c5d17fe0c1c8f39eb404d78a61b99b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.


Note the hints: Matched CP-7942G-SEP0024C4BE96B7 at 78 and rlm_eap:
processing type tls.

(... a few minutes later ...)

I just tried to set EAP-Type in users rather that in hints, and now it
works fine. Thanks!
But why does it work in users and not in hints? (I thought I had to use
hints because it is run before eap in the authorize section...)


Cheers,

-- 
Nicolas Boullis
Ecole Centrale Paris
France
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
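
Decoding the EAP-Message values from the debug output above shows which method the server actually offered to the phone. The parser below is an added example, not part of the original posts or of FreeRADIUS; the name parse_eap and the Nak sample are constructed for illustration, the other hex strings are copied from the logs in this archive.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method types (RFC 3748 and the IANA EAP registry).
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2",
}
TLS_BASED = {13, 21, 25}
# Flag bits in the first type-data byte of the TLS-based methods.
TLS_FLAGS = ((0x80, "length-included"), (0x40, "more-fragments"), (0x20, "start"))


def type_name(value: int) -> str:
    return EAP_TYPES.get(value, f"unknown({value})")


def parse_eap(hex_value: str) -> dict:
    """Decode one EAP packet given as the hex string printed by radiusd -X."""
    text = hex_value.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    raw = bytes.fromhex(text)  # raises ValueError on non-hex input
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"length field {length} does not fit {len(raw)} bytes")
    info = {
        "code": EAP_CODES.get(code, f"unknown({code})"),
        "id": ident,
        "length": length,
    }
    if code not in (1, 2):
        return info  # Success and Failure carry no Type field
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    eap_type, data = raw[4], raw[5:length]
    info["type"] = type_name(eap_type)
    if eap_type == 1:
        info["identity"] = data.decode("utf-8", errors="replace")
    elif eap_type == 3:
        # A Nak lists the method types the peer is willing to use instead.
        info["wanted"] = [type_name(t) for t in data]
    elif eap_type in TLS_BASED and data:
        info["flags"] = [name for bit, name in TLS_FLAGS if data[0] & bit]
    return info


SAMPLES = {
    "phone identity (from the log)":
        "0x0203001d0143502d37393432472d534550303032344334424539364237",
    "server challenge (from the log)": "0x010400061920",
    "tunneled reply (from the ntlm_auth thread)": "0x04080004",
    "Nak asking for MD5-Challenge (constructed)": "0x020400060304",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label}: {parse_eap(value)}")
```

The 0x010400061920 challenge decodes as a Request of type PEAP with the Start flag set, so the server proposed PEAP rather than MD5-Challenge in that run.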


Re: simple test,, how to go on?

2009-07-01 Thread Nicolas Goutte


On 01.07.2009 at 14:10, Rakotomandimby Mihamina wrote:


07/01/2009 02:53 PM, Rakotomandimby Mihamina::
[...]

rlm_pap: login attempt with password mihamina
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject

[...]

The question:
What Have I got to put in the Cleartext-Password attribute in users
in order to have Auth success?



In this case, as you have tried the password mihamina it should have been:


Cleartext-Password := mihamina



Thank you.


Have a nice day!



--
IT Architect, Gulfsat/Blueline:
System Administration, Research and Development
Mob: +261 33 11 207 36
Think of the environment before printing this message





Nicolas Goutte




Re: i can't stop freeradius

2009-06-22 Thread Nicolas Goutte
Look at inetd, xinetd or any other daemon control software. (I do not  
know which one Ubuntu uses.)


Normally it is on purpose that daemons get re-started when they are  
killed.


Have a nice day!

On 22.06.2009 at 13:24, Ayşe GİR wrote:


(i love freeradius but i don't love freeradius on ubuntu ...)
i install freeradius on ubuntu 9.4 but i can't stop freeradius...
what can i do ?
my console out

r...@blacky:/etc/init.d# freeradius stop
r...@blacky:/etc/init.d# ps -aux | grep freeradius
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root  5193  0.0  0.0 106828  2556 ?Ssl  Jun19   0:00  
freeradius
root 16823  0.0  0.0   7524   892 pts/2R+   14:13   0:00  
grep freeradius

r...@blacky:/etc/init.d#

 ( i use freeradius on centos everything is ok but on ubuntu  
everything is bad. :( )

i'm sorry for my bad english :)
thank you for everything


Nicolas Goutte



Re: radclient: no response from server ... please help newbe.

2009-06-17 Thread Nicolas Goutte


On 17.06.2009 at 13:43, Gregory Machin wrote:


Hi
Please could someone help a newbie ...

I'm using the following stack FreeRADIUS Version 2.1.3 with
coova-chilli-1.0.13 with Daloradius.



I'm having issues with sending POD from Daloradius and radclient via  
the command line


[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n  
'3' -r '3' -t '3' -x '192.168.11.1:1700' 'disconnect' 'test123' 21

Sending Disconnect-Request of id 114 to 192.168.11.1 port 1700
User-Name = TC-Demo
^X^C
[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n  
'3' -r '3' -t '3' -x '192.168.11.1:1814' 'disconnect' 'test123' 21

Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = TC-Demo
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = TC-Demo
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = TC-Demo
radclient: no response from server for ID 77 socket 3
[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n  
'3' -r '3' -t '3' -x '192.168.11.1:1813' 'disconnect' 'test123' 21

Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = TC-Demo
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = TC-Demo
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = TC-Demo
radclient: no response from server for ID 215 socket 3
[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n  
'3' -r '3' -t '3' -x '192.168.11.1:1812' 'disconnect' 'test123' 21

Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = TC-Demo
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = TC-Demo
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = TC-Demo
radclient: no response from server for ID 168 socket 3


The server is listening on all the ports I have tried ..

r...@localhost ~]# netstat -antup | grep rad
udp0  0 0.0.0.0:1812 
0.0.0.0:*  2461/radiusd
udp0  0 0.0.0.0:1813 
0.0.0.0:*  2461/radiusd
udp0  0 0.0.0.0:1814 
0.0.0.0:*  2461/radiusd



What have I missed ...


Do you know (via tcpdump, wireshark or so) that the packets do arrive  
on the computer where Freeradius runs? If not, check firewall settings  
of both computers and of anything that might be between.


Have a nice day!






Regards
Gregory Machin
Email: gmac...@techconcepts.co.za
Cell:   +27 (0) 72 524 5098
gtalk:  gmachin.techconce...@gmail.com
Support
helpd...@techconcepts.co.za
Tell: +27 (0) 11 803 2169
Fax: +27 (0) 11 803 2189
After Hours
Cell:+27 (0) 82 790 0796




Nicolas Goutte




Re: help HMAC-MD5

2009-06-04 Thread Nicolas Goutte


On 04.06.2009 at 13:39, Marco De Magistris wrote:


Hi all,

Sorry, but I’m confused about HMAC-MD5 method.
I’m working on Radius Proxy Implementation.


The scenario is the following

RADIUS Client - Radius Proxy - Radius Server.


Radius Client sends a Radius Packet towards Radius Proxy
(Message-Authenticator not used).


Radius Proxy sends the Radius Packet towards Radius Server using
HMAC-MD5 method. How to configure RADIUS Proxy? Should I add
MD5-Password Attribute? MD5-Password is identical to Shared Secret
between Radius Proxy and Radius Server?


Be careful that using MD5 is not possible with all authentication methods:

http://deployingradius.com/documents/protocols/compatibility.html
(as you cannot uncrypt a hash)




Thanks in advance
  Marco









Have a nice day!

Nicolas Goutte





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
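
How the HMAC-MD5 value asked about in this thread is formed for an Access-Request: per RFC 2869 section 5.14, the Message-Authenticator attribute is HMAC-MD5 over the whole packet, keyed with the shared secret of that hop, with the attribute's 16 value bytes set to zero during the calculation. The code is an added example, not from the original posts or from FreeRADIUS; the secrets, the identifier and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (Length counts all three)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident: int, request_auth: bytes,
                         attrs: list, secret: bytes) -> bytes:
    """Return an Access-Request whose last attribute is Message-Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    # Step 1: append the attribute with an all-zero value as a placeholder.
    body = b"".join(attrs) + attribute(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    unsigned = header + request_auth + body
    # Step 2: HMAC-MD5 over the entire packet, keyed with the shared secret.
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    # Step 3: overwrite the placeholder (the final 16 bytes) with the MAC.
    return unsigned[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Check an Access-Request; False if the attribute is absent or wrong.

    Replies are checked the same way, except that the Request Authenticator
    of the matching request is put into the header first (not shown here).
    """
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute list
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False


# Constructed sample values for the proxy-to-server hop.
PROXY_SERVER_SECRET = b"secret-shared-by-proxy-and-server"
CLIENT_PROXY_SECRET = b"secret-shared-by-client-and-proxy"
SAMPLE_AUTHENTICATOR = bytes(range(16))


def sample_packet() -> bytes:
    return build_access_request(77, SAMPLE_AUTHENTICATOR,
                                [attribute(USER_NAME, b"TC-Demo")],
                                PROXY_SERVER_SECRET)


if __name__ == "__main__":
    pkt = sample_packet()
    print("verifies with the proxy/server secret:",
          verify_message_authenticator(pkt, PROXY_SERVER_SECRET))
    print("verifies with the client/proxy secret:",
          verify_message_authenticator(pkt, CLIENT_PROXY_SECRET))
```

The key is the shared secret of the hop the packet travels on, so a proxy signs its outbound request with the secret it shares with the home server, not with the one it shares with the client.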

Re: supported encryption

2009-06-02 Thread Nicolas Goutte


On 02.06.2009 at 11:09, Rakotomandimby Mihamina wrote:


Hi all,
At the moment, our FreeRadius (v1.x) is looking up users in a PGSQL
database, with clear username and clear password in the fields.

We would like to switch it to FreeRadius (v2.x) and by the way, crypt
(SHA, just crypt(),...) the password in the Database. What encryption is
supported by FreeRadius, so that I could just make the PGSQL query with
the encrypted password?


You can look at http://deployingradius.com/documents/protocols/compatibility.html
for which type of hashing can be used with which type of authentication
protocol.





Thank you.





Have a nice day!

Nicolas Goutte




Re: communication safe ssh - NAS - FreeRADIUS ?

2009-05-19 Thread Nicolas Goutte


On 19.05.2009 at 14:14, François Mehault wrote:


Hi,



I authenticate on cisco equipments via ssh/telnet. There is no
supplicant, so I don't understand in my case and I would like to
know if the communication between my cisco equipment and my
FreeRadius is safe. I have a secret shared between both. I
understand that the communication between freeradius and the radius
client uses the Radius protocol. But in my case there is no PEAP,
EAP/TLS …


Can someone please confirm whether the communication is safe?
Because I am afraid to see my password in clear-text in the users
file. Is it possible to use md5, ssha … and how?


For the compatibility, see http://deployingradius.com/documents/protocols/compatibility.html




Thanks,



Regards,





François




Have a nice day!

Nicolas Goutte





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
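
Why the compatibility table matters for the questions in the threads above (hashed passwords in the database, EAP-MD5 asking for Cleartext-Password): PAP hands the server the password itself, so it can be checked against a stored hash, while CHAP and EAP-MD5 send MD5(id + password + challenge), which the server can only recompute from the cleartext. The following is an added example, not code from the posts or from FreeRADIUS; the salted SHA-1 storage format, the names and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredCredential:
    """What the user database holds: the cleartext, or only a salted hash."""
    cleartext: Optional[bytes] = None
    digest: Optional[bytes] = None
    salt: bytes = b""


def ssha_digest(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-1 as used by SSHA-style password storage."""
    return hashlib.sha1(password + salt).digest()


def challenge_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response (RFC 1994); EAP-MD5 uses the same construction."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def check_pap(cred: StoredCredential, submitted: bytes) -> str:
    """PAP: the server sees the submitted password and can hash it itself."""
    if cred.cleartext is not None:
        ok = hmac.compare_digest(cred.cleartext, submitted)
    elif cred.digest is not None:
        ok = hmac.compare_digest(ssha_digest(submitted, cred.salt), cred.digest)
    else:
        return "no-known-good-password"
    return "accept" if ok else "reject"


def check_challenge(cred: StoredCredential, ident: int,
                    challenge: bytes, response: bytes) -> str:
    """CHAP / EAP-MD5: the server must recompute the response from cleartext."""
    if cred.cleartext is None:
        # A one-way hash cannot be turned back into the password.
        return "cleartext-required"
    expected = challenge_response(ident, cred.cleartext, challenge)
    return "accept" if hmac.compare_digest(expected, response) else "reject"


def run_demo() -> dict:
    password = b"example-password"  # constructed sample value
    salt = os.urandom(8)
    clear = StoredCredential(cleartext=password)
    hashed = StoredCredential(digest=ssha_digest(password, salt), salt=salt)
    # Using the stored digest as if it were the password does not help either.
    digest_as_password = StoredCredential(cleartext=hashed.digest)

    ident, challenge = 7, os.urandom(16)
    response = challenge_response(ident, password, challenge)  # sent by client

    return {
        "pap, cleartext stored": check_pap(clear, password),
        "pap, hash stored": check_pap(hashed, password),
        "pap, hash stored, wrong password": check_pap(hashed, b"guess"),
        "chap, cleartext stored": check_challenge(clear, ident, challenge, response),
        "chap, hash stored": check_challenge(hashed, ident, challenge, response),
        "chap, digest used as password":
            check_challenge(digest_as_password, ident, challenge, response),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```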

Re: R: Common error on sql_counter on Ver 2.1.5

2009-05-18 Thread Nicolas Goutte


On 18.05.2009 at 18:15, Mauro Iorio - Smart Soft s.r.l. wrote:



User entry didn't match. Post the debug (radiusd -X) and the user  
entry.

You wouldn't be using User-Password as the password attribute?




From radcheck table

Id    Username  Attribute  Value   op
7216  mauro     Password   flower  ==



Try to assign ( := ) the password, not to compare ( == ) it.

Also probably Password is not the right attribute name. Try to use  
Cleartext-Password ...





From usergroup table




[...]

!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!! Please update your configuration so that the known good
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!


... as the log is asking.





[...]

Have a nice day!

Nicolas Goutte




Re: FreeRADIUS Active Directory Integration

2009-05-14 Thread Nicolas Goutte


On 14.05.2009 at 19:31, Davies, Mike wrote:


We’re not able to get the user authenticated.




[...]


radiusd:  Loading Virtual Servers 

server inner-tunnel {

 modules {

 Module: Checking authenticate {...} for more modules to load

 Module: Linked to module rlm_chap

 Module: Instantiating chap

 Module: Instantiating ntlm_auth

  exec ntlm_auth {

  wait = yes

  program = /usr/bin/ntlm_auth --request-nt-key --domain=DOM002 --username=%{mschap:User-Name} --password=%{User-Password}


I do not know much about ntlm_auth but I can see that this call seems  
to differ widely compared to the change that was proposed in the last  
hours for Freeradius 2.1.6:



ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}


See archive: http://lists.freeradius.org/pipermail/freeradius-users/2009-May/msg00254.html



  input_pairs = request

  shell_escape = yes

  }


[...]



Have a nice day!

Nicolas Goutte



Re: Upgrading freeradius from source

2009-05-13 Thread Nicolas Goutte


On 13.05.2009 at 11:06, Ivan Kalik wrote:


2.1.4/2.1.5 release had identity crises. 2.1.8. will be available in
matter of days. It's on pre-release testing.


I hope you mean 2.1.6 ;-)



Ivan Kalik
Kalik Informatika ISP





--- On Tue, 5/12/09, John Dennis jden...@redhat.com wrote:



I think you'll save yourself a lot of headaches if you stick with RPM
based packages. If the version of FreeRADIUS is not available as an RPM
for the version of the distro you're using then you can find
instructions for how to download, build and install the *RPM* for a
current version here:

http://wiki.freeradius.org/Red_Hat_FAQ




I can't find a SOURCE RPM for 2.1.4 yet for fedora.
I tried one of those 2.1.3 rpm, it works perfectly on my
older fedora distro, even though it seem to indicate
that they are for newer fedora. So I guess I have
to wait a little longer.

Regards.







Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: test

2009-05-12 Thread Nicolas Goutte


On 12.05.2009 at 11:31, François Mehault wrote:






From: François Mehault
Sent: Tuesday, 12 May 2009 11:27
To: 'freeradius-users@lists.freeradius.org'
Cc: François Mehault
Subject: RE: check-item NAS-IP-ADdress  Calling-Station-ID with openldap




Hi All,

Don't worry. We do receive your emails. See also http://lists.freeradius.org/pipermail/freeradius-users/2009-May/date.html



Have a nice day!

Nicolas Goutte



Re: FR Using MAC Authentication

2009-05-08 Thread Nicolas Goutte


On 08.05.2009 at 17:35, Steve Wu wrote:


Hi -

I have just started tinkering with Freeradius, I built an Ubuntu  
8.10 server box and installed FR -- sudo apt-get install  
freeradius*. It installed in a breeze and tested fine. I have setup  
a HP420 AP for testing, it's chattering with the FR box fine (I  
think).


I want my wireless clients to do MAC authentication via the FR box.  
I have setup my users file to auth two of my test laptops:


000E35-84610A Auth-Type := Local, User-Password == esradius
00215C-08B25D Auth-Type := Local, User-Password == esradius


Try to assign ( := ) the password instead of comparing ( == ) it.





When either tries to connect up, in the FR debug I see:

rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7,  
length=53

User-Name = 00215c-08b25d
User-Password = 00215c-08b25d
  Processing the authorize section of radiusd.conf

The authentication eventually fails:

rlm_pap: WARNING! No known good password found for the user.   
Authentication may fail because of this.


Why is the User-Password the MAC address and not what is specified  
in the users file? I have only tweaked the users and clients.conf  
files.


Just simple MAC authentication, that's all I want at this point.

Thanks in advance!

- Steve



Nicolas Goutte

Re: Error after installation

2009-04-30 Thread Nicolas Goutte

Run ldconfig on the path where the .so file is.


On 30.04.2009 at 17:52, Xiaochen Jing wrote:


Hello,



I newly installed 2.1.4. When I want to run radiusd –X, I get an  
error saying




“radiusd: error while loading shared libraries: libfreeradius-radius-2.1.5.so: cannot open shared object file: No such file or directory”




I double checked, libfreeradius-radius-2.1.5.so and other lib files  
are indeed located in /usr/local/lib. And I notice that lib version  
(2.1.5) is different than freeradius version (2.1.4). Is that why I  
am having the error while running radius -X




Now I am going through ./configure and trying to any error message.  
But does anyone know why this happens?






Thanks in advance



XJ





Nicolas Goutte

Re: %RADIUS-4-RADIUS_ALIVE | %RADIUS-4-RADIUS_DEAD help

2009-04-27 Thread Nicolas Goutte


On 27.04.2009 at 09:08, ramesh p wrote:

I'm seeing the following weirdness from my freeradiusserver and  
when i see the radiusd process its stopped status. why this  
happens. any valid reasons for this?


Apr 26 00:18:44.498: %RADIUS-4-RADIUS_ALIVE: RADIUS server
X.X.X.X:0,1813 is being marked alive.

Apr 26 00:18:50.777: %RADIUS-4-RADIUS_DEAD: RADIUS server
X.X.X.X:0,1813 is not responding.

Apr 26 00:18:50.777: %RADIUS-4-RADIUS_ALIVE: RADIUS server
X.X.X.X:0,1813 is being marked alive.

Apr 26 00:18:59.133: %RADIUS-4-RADIUS_DEAD: RADIUS server
X.X.X.X:0,1813 is not responding.

Apr 26 00:18:59.133: %RADIUS-4-RADIUS_ALIVE: RADIUS server
X.X.X.X:0,1813 is being marked alive.

Apr 26 00:19:04.765: %RADIUS-4-RADIUS_DEAD: RADIUS server
X.X.X.X:0,1813 is not responding.
Thanks in advance.



Have you checked the output of radiusd -X if there is a reason given  
or any other hint?




Regards,
Rams.



Have a nice day!

Nicolas Goutte



Re: ldap+freeradius

2009-03-24 Thread Nicolas Goutte


On 24.03.2009 at 18:00, David N'DAKPAZE wrote:

I want to use crypt-passwords (pap) but I don't know where to define it. Only cleartext-passwords are accepted. Can somebody help me


PAP needs cleartext passwords (see http://en.wikipedia.org/wiki/Password_authentication_protocol )


Have a nice day!




2009/3/24 t...@kalik.net
Client RADIUS {
..

That should be:

client RADIUS {
..

Ivan Kalik
Kalik Informatika ISP

Nicolas Goutte

Re: ldap+freeradius

2009-03-24 Thread Nicolas Goutte
Forget what I have written, see http://deployingradius.com/documents/protocols/compatibility.html


On 24.03.2009 at 18:05, Nicolas Goutte wrote:

On 24.03.2009 at 18:00, David N'DAKPAZE wrote:

I want to use crypt-passwords (pap) but I don't know where to define it. Only cleartext-passwords are accepted. Can somebody help me


PAP needs cleartext passwords (see http://en.wikipedia.org/wiki/Password_authentication_protocol )


Have a nice day!




2009/3/24 t...@kalik.net
Client RADIUS {
..

That should be:

client RADIUS {
..

Ivan Kalik
Kalik Informatika ISP

Nicolas Goutte

Re: ldap+freeradius

2009-03-24 Thread Nicolas Goutte


On 24.03.2009 at 18:15, David N'DAKPAZE wrote:


Please which protocol more secure can i use with ldap as database?


As I wrote in the email as answer to my email (and an URL I missed to find the whole day as answer to your problems), see http://deployingradius.com/documents/protocols/compatibility.html


There you have a list of what protocols can be used when you have  
which type of passwords available for freeradius.






2009/3/24 Nicolas Goutte nicolas.gou...@extragroup.de

On 24.03.2009 at 18:00, David N'DAKPAZE wrote:

I want to use crypt-passwords (pap) but I don't know where to define it. Only cleartext-passwords are accepted. Can somebody help me


PAP needs cleartext passwords (see http://en.wikipedia.org/wiki/Password_authentication_protocol )


Have a nice day!




2009/3/24 t...@kalik.net
Client RADIUS {
..

That should be:

client RADIUS {
..

Ivan Kalik
Kalik Informatika ISP

Nicolas Goutte

Re: problem with ldap authentication

2009-03-23 Thread Nicolas Goutte


On 23.03.2009 at 16:46, Frank Bonnet wrote:


hello

I'm in trouble with a debian version of freeradius
I've installed chillispot and freeradius packages
but it won't work for LDAP users it fails with
such error messages :

Mon Mar 23 16:41:05 2009 : Auth: Login incorrect: [/CHAP-Password] (from client localhost port 31 cli 00-13-02-AE-F1-01)



Any help/idea welcome


Be sure to assign passwords ( := ) and not to compare ( == ) passwords.

Also check that the shared secret is really the same.

Otherwise, I suppose that you will be asked to give the output of  
radiusd -X




Thanks you
.



Have a nice day!

Nicolas Goutte




Re: Next release of freeradius

2009-03-10 Thread Nicolas Goutte


On 10.03.2009 at 15:28, Clare Scally wrote:


Hi,



Can anyone tell me when the next freeradius release is due?



If you mean 2.1.4, it has been released today.



Regards,





Clare Scally.





Nicolas Goutte

Re: Version 2.1.4 has been released

2009-03-10 Thread Nicolas Goutte


On 10.03.2009 at 13:17, Alan DeKok wrote:


  This version comes 3 months after 2.1.3, which is a bit more of a
delay than we would like.  However, it includes a number of minor bug
fixes, and some interesting new features.

  The best new feature is one that has been needed for a long time.  The (easy) ability to see debugging output from a live server.  You can now do this via the raddebug command.





FreeRADIUS 2.1.4 Thu Dec 25 17:40:00 CEST 2008;  , urgency=medium


Just a nitpick: the date above is probably the one of 2.1.3 (around three months ago) and not the date of today.






[...]

Have a nice day!

Nicolas Goutte




Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread Nicolas Goutte


On 06.03.2009 at 12:20, Leighton Man wrote:


Hi,
I'm new to freeradius (3 weeks experience) and mailing lists  
(second attempt) so please have patience.
I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured  
to authenticate against Active Directory using ntlm-auth.

All working OK.
Now I'm trying to return different reply attributes depending on  
Active Directory group membership and restrict which groups can  
authenticate. Ldap lookups against the active directory root fail  
with operation error. Reconfiguring Active Directory is not a  
viable option so I have to specify an OU= in the query. I have  
configured two instances of the ldap module for authorisation, one  
to query the staff ou and the other to query the student ou. Both  
work OK for valid queries but if the user does not exist in the ou  
the server still authenticates the username/password and grants  
access if valid. Relevant debug output:


rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac,  
dc=uk, with filter (sAMAccountName=stafftest)

rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap_student returns notfound for  
request 8

modcall: leaving group student (returns notfound) for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list

...

 rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 104 to 10.127.240.217 port 1645

Relevant bits of radiusd.conf:

ldap ldap_student{
server = server.hud.ac.uk
identity = cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk



password = secret



Try using := instead of = or == You have to assign the password, not  
compare to it. Also perhaps you should use Cleartext-Password if the  
password is in clear here.




port = 636
basedn = ou=students, dc=ad, dc=hud, dc=ac, dc=uk
filter = (sAMAccountName=%{mschap:User-Name:-%{User-Name}})

start_tls = no

access_attr = dialupAccess
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
groupname_attribute = cn
groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

 groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
}



instantiate {
exec
expr
ldap_staff
ldap_student
}

authorize {
preprocess
mschap
suffix
eap
Autz-Type staff{
ldap_staff
}
Autz-Type student{
ldap_student
}
files
}

authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}

I want to reject the user if they are not in the relevant ou. I  
must be missing something obvious. Can anyone help please?


Thanks in advance,
Leighton



Nicolas Goutte


Re: SV: SV: SV: SV: No known good password

2009-03-04 Thread Nicolas Goutte


On 04.03.2009 at 11:24, Ove Fagerheim wrote:


Hmm, that gives me a policy problem, my company *does not* use Linux.


If you do not mean only Windows, see the other options, like for example MacOS, BSD, Solaris: http://wiki.freeradius.org/Platforms


Is there any Windows ports out there? I've checked http://download.opensuse.org/repositories/network:/aaa/, but I'm uncertain which folder to select and which files to download


Ove


Have a nice day!



-Original message-
From: freeradius-users-bounces+ove.fagerheim=helgelandskraft...@lists.freeradius.org [mailto:freeradius-users-bounces+ove.fagerheim=helgelandskraft...@lists.freeradius.org] On behalf of Alan DeKok
Sent: 4 March 2009 10:43
To: FreeRadius users mailing list
Subject: Re: SV: SV: SV: No known good password


Ove Fagerheim wrote:

After uncommenting the entry, FreeRadius does not start. Errors:

E:\FreeRADIUS.net\binradiusd -X


  Ah freeradius.net.  That's a cygwin build of a *very* old  
version of the server.


  I'd suggest running it instead on a Linux machine.  You can run a
*new* version of the server.

  Alan DeKok.
Nicolas Goutte


Re: No known good password

2009-03-03 Thread Nicolas Goutte


On 03.03.2009 at 12:54, Ove Fagerheim wrote:


Hello all

Is there room for a newbie question here? This is my first Radius server.
I get the message No known good password when trying to authenticate users. The users are coming from one of two possible VPN tunnels. I assume clients.conf is correctly configured.

Any help is highly appreciated.


Best regards
Ove Fagerheim


From Users.conf:

snip
user1   Service-Type == Framed-User, User-Password == password,
# Adresses from 10.194.0.1 to 10.194.63.254
# Auth-Type = System,
Framed-IP-Address = 10.194.0.1,
Framed-IP-Netmask = 255.255.192.0,
Fall-Through = Yes

DEFAULT Service-Type == Framed-User, Huntgroup-Name == Huntgroup-1,
Framed-Protocol = GPRS-PDP-Context,
NAS-Identifier = STCGGSN3,
Called-Station_id = My-Station-Id-String,
Reply-Message = %u is granted access


user1   Service-Type == Framed-User, User-Password == password,


You must assign passwords, not compare them. So try to use :=  
instead of ==


And as in the previous answer, probably you need Cleartext-Password  
instead of  User-Password



# Addresses from 10.192.64.1 to 10.192.127.254
# Auth-Type = System,
Framed-IP-Address = 10.192.64.1,
Framed-IP-Netmask = 255.255.192.0,
Fall-Through = Yes

DEFAULT Service-Type == Framed-User, Huntgroup-Name ==  
Huntgroup-2, ,

Framed-Protocol = GPRS-PDP-Context,
NAS-Identifier = FBUGGSN3,
Called-Station_id = My-Station-Id-String,
Reply-Message = %u is granted access
snip


From Huntgroups:

snip
Huntgroup-1 NAS-IP-Address == 172.x.x.0
Huntgroup-1 NAS-IP-Address == 172.x.x.1
.
.
.
Huntgroup-1 NAS-IP-Address == 172.x.x.14
#
#
Huntgroup-2 NAS-IP-Address == 172.y.y.240
Huntgroup-2 NAS-IP-Address == 172.y.y.241
.
.
.
Huntgroup-2 NAS-IP-Address == 172.y.y.254
snip


logfile log\radius\radacct\NAS-IPAddress\auth-detail-20090303.log: (username is client telephone number)

snip
Packet-Type = Access-Request
Tue Mar  3 08:37:36 2009
NAS-IP-Address = 172.x.x.2
NAS-Identifier = STCGGSN3
Called-Station-Id = My-Station-Id-String
Framed-Protocol = GPRS-PDP-Context
Service-Type = Framed-User
NAS-Port-Type = Virtual
NAS-Port = 16861232
User-Name = user1
User-Password = password
Calling-Station-Id = user1
Client-IP-Address = 172.x.x.2
Huntgroup-Name = Huntgroup-1
snip


logfile log\radius\radius.log
snip
Mon Feb 16 12:00:54 2009 : Info: Ready to process requests.
Mon Feb 16 12:01:49 2009 : Auth: Login incorrect: [user1/password] (from client TelenorTVK1 port 35970456 cli 4790622859)
Mon Feb 16 12:02:04 2009 : Auth: Login incorrect: [user1/password] (from client TelenorTVK1 port 33168936 cli 4790622859)
Mon Feb 16 12:02:17 2009 : Auth: Login incorrect: [user1/password] (from client TelenorTVK1 port 30960664 cli 4790622859)
Mon Feb 16 12:03:57 2009 : Info: Using deprecated naslist file.  Support for this will go away soon.
Mon Feb 16 12:03:57 2009 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Mon Feb 16 12:03:57 2009 : Info: rlm_eap_tls: Loading the certificate file as a chain
Mon Feb 16 12:03:57 2009 : Info: WARNING: rlm_eap_tls: Unable to set DH parameters.  DH cipher suites may not work!
Mon Feb 16 12:03:57 2009 : Info: Ready to process requests.
snip

If the above errors are unrelated to my issue, I still would very much appreciate any hints on how to fix them.


Nicolas Goutte
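Added example (not part of the thread and not FreeRADIUS project code): a small linter for a `users` file that flags the pattern the reply above objects to, a password check item written with `==` (compare) instead of `:=` (assign), and notes where `User-Password` is used as the stored password although the replies suggest `Cleartext-Password`. The sample entries are constructed from the ones quoted on this page, with double quotes around values added as an assumption.

```python
import re

# Check items that hold the "known good" password; per the replies on
# this page they must be assigned (:=), not compared (==).
PASSWORD_ATTRS = {"User-Password", "Cleartext-Password"}

ITEM_RE = re.compile(
    r'^\s*([A-Za-z0-9_-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=|>|<)\s*(.*?)\s*$'
)


def split_items(text):
    """Split a comma-separated attribute list, honouring double quotes."""
    items, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i.strip() for i in items if i.strip()]


def lint_users(text):
    """Return (line, user, attribute, operator, code) for each finding.

    Only the first line of an entry (user name + check items) is examined;
    indented continuation lines are reply items and are skipped.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line or line[0].isspace():
            continue                               # blank or reply-item line
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue                               # user name without check items
        user, checks = parts
        for item in split_items(checks):
            m = ITEM_RE.match(item)
            if not m:
                continue
            attr, op, _value = m.groups()
            if attr not in PASSWORD_ATTRS:
                continue
            if op != ":=":
                findings.append((lineno, user, attr, op, "compare-not-assign"))
            if attr == "User-Password":
                findings.append((lineno, user, attr, op, "prefer-cleartext-password"))
    return findings


# Constructed sample, modelled on the entries quoted in this thread.
SAMPLE = '''\
000E35-84610A Auth-Type := Local, User-Password == "esradius"
user1   Service-Type == Framed-User, User-Password == "password"
        Framed-IP-Address = 10.194.0.1,
        Fall-Through = Yes
ablasbichler Cleartext-Password == "ablasbichler"
testuser Cleartext-Password := "test123"
DEFAULT Service-Type == Framed-User, Huntgroup-Name == "Huntgroup-1"
        Framed-Protocol = GPRS-PDP-Context
'''

if __name__ == "__main__":
    for lineno, user, attr, op, code in lint_users(SAMPLE):
        print(f"line {lineno}: {user}: {attr} {op} ... [{code}]")
```

Comparisons on non-password attributes such as `Service-Type ==` or `Huntgroup-Name ==` are legitimate match conditions and are deliberately not reported.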


Re: FR 2.1.3 compile problem

2009-02-26 Thread Nicolas Goutte
Looking for lt__PROGRAM__LTX_preloaded_symbols in my email archive,  
this was already reported on 2009-02-02 for Linux ( thread  
Installation Problem), but as far as I know no definite answer was  
given.


Have a nice day!

On 26.02.2009 at 16:16, Chris Howley wrote:


Alan,

I encountered the following problem (see below) when attempting to  
compile the latest version
of 2.1.3 (stable code) from the git tree. Your help in fixing this  
problem would be appreciated.


Thanks,

Chris


Environment: SunOS XX 5.10 Generic_120012-14 i86pc i386 i86p

gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o .libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o  /sandbox/radiusd/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lsocket -lposix4 -lpthread -lcrypt /usr/local/lib/libltdl.so -lssl -lcrypto  -R/usr/local/lib

Undefined   first referenced
 symbol in file
lt__PROGRAM__LTX_preloaded_symbols  .libs/modules.o
ld: fatal: Symbol referencing errors. No output written to .libs/radiusd
collect2: ld returned 1 exit status
gmake[4]: *** [radiusd] Error 1
gmake[4]: Leaving directory `/sandbox/radiusd/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/sandbox/radiusd/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/sandbox/radiusd/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/sandbox/radiusd'
gmake: *** [all] Error 2


Nicolas Goutte


Re: does peap/mschap-v2 must use with ldap?

2009-02-25 Thread Nicolas Goutte


On 25.02.2009 at 09:59, 张虓 wrote:

[...]



Does it because I'm not configure LDAP? Does PEAP/MSCHAP-V2 must use with LDAP?
In my database  I have already add the  testuser  User-Password  :=  test123 in radcheck table but it doesn't work.


Try using Cleartext-Password instead of User-Password, so that mschap  
has a chance to compute the correct hash.



Have a nice day!

Nicolas Goutte



Re: CHAP authentication + FreeRadius + SQL

2009-02-18 Thread Nicolas Goutte


On 18.02.2009 at 16:39, Marcelo Freitas wrote:


Hello,

I'm trying to authenticate users using CHAP and store the passwords  
in the SQL, but I'm having a hard time.


I checked past messages, but I still couldn't get it to work ...  
Below is my Access-Request packet


Wed Feb 18 12:31:04 2009
Packet-Type = Access-Request
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 000E2EEB1D91
Called-Station-Id = hotspot1
NAS-Port-Id = wHotSpotB
User-Name = admin2
NAS-Port = 2153775219
Acct-Session-Id = 80600073
Framed-IP-Address = 10.5.50.253
Mikrotik-Host-IP = 10.5.50.253
CHAP-Challenge = 0x4f0299d5a5107ded915739e236f71e3c
CHAP-Password = 0x606707e3411f443140573554283c987ca5
Service-Type = Login-User
WISPr-Logoff-URL = http://10.5.50.1/logout;
NAS-Identifier = AP_HQ
NAS-IP-Address = 10.0.1.130

In MySQL I just have Cleartext-Password == admin2 for check items ... But I always get Access-Reject.

Before checking the past messages, I had already check items like Auth-Type := CHAP, Cleartext-Password == admin2; and also just CHAP-Password, but none of it worked ...


Try to use := for Cleartext-Password instead of  == (Think about assigning the password, instead of comparing it.)





Thanks in advance,




Have a nice day!

Nicolas Goutte


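Added example (not part of the thread and not FreeRADIUS code): how a RADIUS server checks a CHAP request, following the attribute layout in RFC 2865 (CHAP-Password is one identifier octet followed by a 16-octet MD5 response over identifier, password and challenge). It shows why the server must hold the cleartext password as a known-good value to recompute the response: the request never carries the password, so there is nothing to compare a stored string against. The password and challenge used for verification are constructed; only the two hex strings are copied from the Access-Request above, and they are used for parsing only.

```python
import hashlib
import hmac

# Values copied from the Access-Request quoted in the message above.
PAGE_CHAP_CHALLENGE = "0x4f0299d5a5107ded915739e236f71e3c"
PAGE_CHAP_PASSWORD = "0x606707e3411f443140573554283c987ca5"


def parse_hex_attr(text):
    """Turn a '0x...' attribute value as printed in the log into bytes."""
    return bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)


def split_chap_password(attr):
    """Split CHAP-Password into (identifier, 16-byte response)."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 1 + 16 octets")
    return attr[0], attr[1:]


def chap_response(ident, password, challenge):
    """MD5(identifier || password || challenge), as the client computes it."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident, password, challenge):
    """What a NAS/client would place in the CHAP-Password attribute."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password_attr, challenge, known_good):
    """Server side: recompute the response from the stored password."""
    ident, response = split_chap_password(chap_password_attr)
    expected = chap_response(ident, known_good, challenge)
    return hmac.compare_digest(response, expected)


def demo():
    """Constructed exchange: cleartext store, wrong password, hashed store."""
    challenge = bytes(range(16))              # constructed challenge
    password = b"constructed-secret"          # constructed password
    attr = build_chap_password(0x2A, password, challenge)
    # A store that only keeps a one-way hash cannot reproduce the response.
    stored_hash = hashlib.sha256(password).hexdigest().encode()
    return {
        "cleartext_store": verify_chap(attr, challenge, password),
        "wrong_password": verify_chap(attr, challenge, b"guess"),
        "hashed_store": verify_chap(attr, challenge, stored_hash),
    }


if __name__ == "__main__":
    ident, response = split_chap_password(parse_hex_attr(PAGE_CHAP_PASSWORD))
    print(f"identifier=0x{ident:02x}, response is {len(response)} bytes of MD5 output")
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```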

Re: Error binding port to ipv6 address

2009-02-09 Thread Nicolas Goutte


On 09.02.2009 at 17:17, D'AVELLA STEFANO wrote:



Hello,

I am new to Freeradius. I am running Freeradius 2.1.0 on Ubuntu  
8.10, built from source.
I have already read all the documentation I could find in the  
config files and in the wiki.


The machine has two network interfaces, eth0 and eth1, the first  
configured with ipv4 and the second with ipv6.
I am interested on using freeradius with ipv6 support so I would  
like to test it using it only on eth1 interface.


The point of my testbed will be to define a new attribute and  
transfer it to the client when it is authorized.
But before  doing it I am finding some problems in opening the ip6  
socket in the server.
In fact I configured users and clients.conf to allow my ip6 client  
to connect to the server, and then in the radiusd.conf file I  
commented the ip4 listening option and uncommented the ip6 one. (I  
also commented the accounting listening part because I am not  
interested in it).


The problem is that when I run the server it exits saying (last  
lines):


 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipv6addr = :: IPv6 address [::]
port = 0





/etc/freeradius/radiusd.conf[236]: Error binding to port for :: port 1812


Be sure that no other freeradius is running and also that you have  
enough rights to open such a port.


Look in your inet.d or similar to avoid that another service is run  
instead of the planned freeradius.





I checked if the ip6 interface is properly configured, and it seems  
so (i can ping other ip6 nodes, and also writing another little c  
program to bind an ip6 socket works fine)


Changing port doesn't solve the issue.
Commenting or uncommenting the interface line in radiusd.conf  
doesn't change anything.
Trying different types of ip6 addresses (::1, or manually assigned  
ones) doesn't work either.


Obviously with ip4 I don't have any kind of problem.

I can't understand if it a freeradius configuration problem or a  
system configuration one.


Thank you for you help!

Regards,


Have a nice day!


--
Stefano D'Avella



Nicolas Goutte

Re: mschap No Cleartext-Password configured

2008-10-08 Thread Nicolas Goutte


On 08.10.2008 at 09:49, alois blasbichler wrote:


ablasbichler Cleartext-Password == ablasbichler
With no success


Should be := not ==.


Hello

Thank you for the the answers. I changed how you suggested but  
without success.


Another thing : we use md5 encrypted passwords in our Ldap-DB for  
userpasswords -  is it right that the line above in users overwrite  
this  ?


I am not sure, so I won't answer this one.


Here my log (tested with user test password alois)
Why pap use CRYPT encryption not it should be cleartext ?


If you define a Cleartext-Password for a user, it does not mean that you force the use of cleartext for the authentication for the user. If the authentication needs the password in another form, it will transform the cleartext password into the needed form. (For example for MS-CHAP, it would encode the password into UTF32-LE and then make the MD4 hash of it.)




by
luis


Have a nice day!






[...]


Nicolas Goutte

