Policy to split domain and host
Hi list,

I'm searching the best way to configure a policy to split the domain and the prefix '/host' when it is a computer connection.

The initial UserName is like this:

    host/computername.DOMAIN.LOCAL

I can already easily split the /host by policy and realm configuration but I don't know how I can do when there is double delimiter in the same UserName?

Thanks for your reply.

Nicolas CLO
Industrial and Network Technician
ITS Section
RICOH INDUSTRIE FRANCE SAS
144, route de Rouffach, 68920 WETTOLSHEIM
Tel: +33 (0) 3 89 20 48 84
nicolas@ricoh-industrie.fr | www.ricoh-thermal.com

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Policy to split domain and host
Nice, thanks.

But in this case, how to tell Freeradius to use this variable when it's a host connection? Because I had already split the User-Name variable into Stripped-User-Name and use that in the post-auth section to log the correct syntax user. So if I tell Freeradius to use the variable %{mschap:User-Name}, I think it will be logging the original request UserName, no?

How to define a second post-auth request when it's a host? For example, I want the Stripped-User-Name in the sql postauth table when it's a user and the variable %{mschap:User-Name} when it's a host connection.

Thanks.

Nicolas CLO

On 08/16/2013 08:24 AM, nicolas@ricoh-industrie.fr wrote:
>> Hi list, I'm searching the best way to configure a policy to split the domain and the prefix '/host' when it is a computer connection.
>
> You probably don't want to do this. Instead, you probably want to use the expansion:
>
>     %{mschap:User-Name}
>
> ...which correctly transforms:
>
>     host/name.domain.com
>
> ...to:
>
>     name$
>
> ...which is the correct form of the samaccountname for an AD computer account, which is I assume what you're dealing with.
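The naming split discussed in this exchange, as an added example that is not part of the original posts and is not FreeRADIUS code: a small Python model that turns `host/name.domain.com` into `name$` as the reply describes, and picks the identity to log for a machine versus a user. The function names, the one-DNS-label check on machine names and the `DOMAIN\user` / `user@realm` stripping are assumptions of this example.

```python
import re

HOST_PREFIX = "host/"

# Assumption of this example: a machine name is a single DNS label.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def mschap_user_name(user_name):
    """Model of the transformation described for %{mschap:User-Name}.

    host/name.domain.com -> name$   (machine account form)
    DOMAIN\\user          -> user    (NT domain prefix dropped)
    """
    if not user_name.startswith(HOST_PREFIX):
        return user_name.rsplit("\\", 1)[-1]
    # Second delimiter: keep only the label before the first dot.
    short = user_name[len(HOST_PREFIX):].split(".", 1)[0]
    if not _LABEL.match(short):
        # Refuse odd names instead of writing them to the post-auth log.
        raise ValueError("unexpected machine name: %r" % user_name)
    return short + "$"


def stripped_user_name(user_name):
    """Model of a realm policy producing a Stripped-User-Name style value.

    Assumption: realms appear as a DOMAIN\\ prefix or an @realm suffix.
    """
    name = user_name.rsplit("\\", 1)[-1].split("@", 1)[0]
    if not name:
        raise ValueError("empty user name: %r" % user_name)
    return name


def log_identity(user_name):
    """Return (kind, name): the value to log for a host or for a user."""
    if user_name.startswith(HOST_PREFIX):
        return ("host", mschap_user_name(user_name))
    return ("user", stripped_user_name(user_name))


if __name__ == "__main__":
    # Constructed sample names; the first one is the form given in the thread.
    for sample in ("host/computername.DOMAIN.LOCAL",
                   "DOMAIN\\alice",
                   "alice@domain.local",
                   "host/pc01"):
        print(sample, "->", log_identity(sample))
```
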
Re: Username/Host authorization
Hi,

Yes, this is our actual configuration and it works very well, but I think that with the long run, a database that contains all MAC addresses can become very difficult to manage. But if it's the only solution, I will make with.

Thanks.

Nicolas CLO
Industrial and Network Technician
ITS Section

---Original mail---
> Hi,
>
>> I'm now sure that the best way for us is MAC Address filtering.
>
> that's a way of doing the 'host' part. the user can then be authenticated by an EAP method.
>
> ie authorization stage can check the calling-station-id (MAC address) and, if not known, just reject. then, if known carry on to the user authentication by 802.1X
>
> as already said, you have to know what you want and the technologies available
>
> alan
Username/Host authorization
Hi list,

I'm searching the best way to configure an authorization based on both Host + Username (mschapv2 + /usr/bin/ntlm_auth) but not Host or Username.

Is it possible to verify host with mschapv2 and if the module return ok proceed to username verification with the same module?

Thanks for your reply.

Nicolas CLO
Username/Host authorization
Thanks for your help.

We want two authorization in the same times, for example, to ensure that user not used his iPhone with his DOMAIN/UserName account.

Mac Authorization is not a good way for us (too restrictive to keep up to date). Authorization by certificate too because we have a lot of hosts which don't support that.

Nicolas CLO.

-----Original Message-----
nicolas@ricoh-industrie.fr wrote:
>> Is it possible to verify host with mschapv2
>
> That question has a number of unstated assumptions. Those assumptions are wrong.
>
> Does the *host* provide mschapv2 authentication data? No. Therefore, the host can't be verified with mschapv2.
>
>> and if the module return ok proceed to username verification with the same module ?
>
> You're asking for mschapv2 to authenticate two different identities at the same time. It doesn't do that.
>
> What do you really want to do? Your question assumes a particular view of things. That view is wrong, so we can't help you.
>
> If you describe what you have and what you want to do, we may be able to come up with a different approach that meets your needs.
>
> Alan DeKok.
Username/Host authorization
Ok thanks for the reply.

I'm now sure that the best way for us is MAC Address filtering.

Have a good day.

Nicolas CLO

---Original mail---
nicolas@ricoh-industrie.fr wrote:
>> We want two authorization in the same times, for example, to ensure that user not used his iPhone with his DOMAIN/UserName account.
>
> That is fairly vague. You're working with computers. Be specific.
>
> WHAT is in an Access-Request when they login using a desktop?
>
> WHAT is in an Access-Request when they login using their phone?
>
> HOW are the two requests different?
>
> Once you know that, it should be easy to create rules which can distinguish one from the other. And then apply different rules to each one.
>
>> Mac Authorization is not a good way for us (too restrictive to keep up to date). Authorization by certificate too because we have a lot of hosts which don't support that.
>
> You're limited by what is in the Access-Request. If the only difference between a desktop and iPhone is a MAC address, too bad. Computers aren't magic.
>
> My guess is that the only thing which will really work is MAC address filtering. I'd suggest finding a way to make it manageable.
>
> Alan DeKok.
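The check this thread settles on (reject in the authorization stage when the Calling-Station-Id is not a known MAC address, otherwise carry on to 802.1X user authentication), as an added example that is not part of the original posts and is not FreeRADIUS code. The allowlist file format, the function names and the sample entries are assumptions of this example; the first sample MAC is the Calling-Station-Id format that appears in debug output elsewhere on this page.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample allowlist: one MAC per line, free-text label, '#' comments.
SAMPLE_ALLOWLIST = """\
# desktops allowed to start 802.1X
7C-C5-37-14-16-C9   desktop-01
00:11:22:33:44:55   desktop-02
"""


def normalize_mac(value):
    """Reduce the common MAC notations to one canonical form.

    Accepts 7C-C5-37-14-16-C9, 7c:c5:37:14:16:c9, 7cc5.3714.16c9 and
    7cc5371416c9; returns lower-case, dash-separated octets.
    """
    digits = re.sub(r"[-:.\s]", "", value).lower()
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % value)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_allowlist(text):
    """Parse the allowlist into {canonical_mac: label}.

    Duplicates are an error, so the list stays manageable as it grows.
    """
    known = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        mac = normalize_mac(parts[0])
        if mac in known:
            raise ValueError("line %d: duplicate entry %s" % (lineno, mac))
        known[mac] = parts[1] if len(parts) > 1 else ""
    return known


def authorize(attrs, allowlist):
    """Host part of the decision: 'reject' or 'continue' (to EAP).

    attrs is a dict of request attributes. A missing or malformed
    Calling-Station-Id is rejected, never treated as known.
    """
    raw = attrs.get("Calling-Station-Id")
    if raw is None:
        return "reject"
    try:
        mac = normalize_mac(raw)
    except ValueError:
        return "reject"
    return "continue" if mac in allowlist else "reject"


if __name__ == "__main__":
    allow = load_allowlist(SAMPLE_ALLOWLIST)
    # Constructed requests: a known desktop, an unknown device, no MAC at all.
    for request in ({"User-Name": "cyril", "Calling-Station-Id": "7c:c5:37:14:16:c9"},
                    {"User-Name": "cyril", "Calling-Station-Id": "44-A7-CF-CD-C5-C7"},
                    {"User-Name": "cyril"}):
        print(request, "->", authorize(request, allow))
```
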
Re: [SPAM] Re: FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth
I have the same problem after upgrade Freeradius to version 3. Before, ntlm worked very well but it seems that the new version used the ntlm module differently.

-----freeradius-users-bounces+nicolas.clo=ricoh-industrie...@lists.freeradius.org wrote: -----
To: freerad...@hardarson.se, FreeRadius users mailing list freeradius-users@lists.freeradius.org
From: John Dennis
Sent by: freeradius-users-bounces+nicolas.clo=ricoh-industrie...@lists.freeradius.org
Date: 07/06/2013 17:12
Subject: [SPAM] Re: FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth

On 06/07/2013 10:46 AM, Bjarni Hardarson wrote:
>> I am sure that the ntlm_auth file is at /usr/bin/ntlm_auth and if i run it manually with the expanded attributes i get the NT_KEY.
>>
>>     root@freelab:/#/usr/bin/ntlm_auth --request-nt-key --username=vpntest --challenge=d9a8b4d1c188ae1b --nt-response=090bacad01a113dd74007ed5845d5b0c7c8017bac80821dd
>>     NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
>>
>> Any ideas?
>
> Please don't send more than one email, we heard you the first time.
>
> This sounds like a permission problem. Make sure when you run your test manually you do so as the same user and group radiusd is running as, you'll find those values in your radiusd.conf file.
>
> Also if your system is running SELinux check for the presence of AVC's
EAP error with Freeradius 3.0
Hello,

I have a problem with mschap authentication and the external program ntlm_auth. With Freeradius 2.2 I haven't any problem but after upgrade to Freeradius 3, the output of this program was wrong and EAP failed.

The output is very strange :

Any ideas ?
Problem with freeradius + openldap for AP authentication
Hiya

I need some help to configure freeradius with openldap. I have a ldap database which stores password in SSHA format, so i choose PAP for authentication. I want to use freeradius to authenticate on a netgear Wifi access point. (http://deployingradius.com/documents/protocols/compatibility.html)

I've set up the AP in client freeradius in clients.conf, with a secret and shortname like in documentation.
Next i've put auto_header = yes in pap.conf
And uncomment the line ldap to activate module in /site-enable/default

When i start server in debug mode, authorization works fine but server have problems to authentication step and i don't understand why.

Here is the debug comments :

    rad_recv: Access-Request packet from host 192.168.0.201 port 32774, id=85, length=169
    User-Name = cyril
    NAS-IP-Address = 192.168.0.201
    NAS-Identifier = hello
    NAS-Port = 0
    Called-Station-Id = 4C-60-DE-D2-22-61:easyBridge2
    Calling-Station-Id = 7C-C5-37-14-16-C9
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 0Mbps 802.11b
    EAP-Message = 0x020e016e6c61746869657265
    Message-Authenticator = 0x2bf3ec3446adc97ea15c4c160ee8b0bb
    Thu Nov 22 15:04:36 2012 :
    Wed Nov 21 18:39:17 2012 : Info: [ldap] looking for reply items in directory...
    Wed Nov 21 18:39:17 2012 : Info: [ldap] user cyril authorized to use remote access
    Wed Nov 21 18:39:17 2012 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
    Wed Nov 21 18:39:17 2012 : Info: ++[ldap] returns ok
    Wed Nov 21 18:39:17 2012 : Info: ++[expiration] returns noop
    Wed Nov 21 18:39:17 2012 : Info: ++[logintime] returns noop
    Wed Nov 21 18:39:17 2012 : Info: [pap] Normalizing NT-Password from hex encoding
    Wed Nov 21 18:39:17 2012 : Info: [pap] Normalizing SSHA1-Password from base64 encoding
    Wed Nov 21 18:39:17 2012 : Info: [pap] Found existing Auth-Type, not changing it.
    Wed Nov 21 18:39:17 2012 : Info: ++[pap] returns noop
    Wed Nov 21 18:39:17 2012 : Info: Found Auth-Type = PAP
    Wed Nov 21 18:39:17 2012 : Info: +- entering group PAP {...}
    Auth: [pap] Attribute Password is required for authentication.
    Thu Nov 22 15:04:36 2012 : Info: ++[pap] returns invalid
    Thu Nov 22 15:04:36 2012 : Info: Failed to authenticate the user.
    Thu Nov 22 15:04:36 2012 : Auth: Login incorrect: [cyril/via Auth-Type = PAP] (from client WNAP320 port 0 cli 44-A7-CF-CD-C5-C7)
    Thu Nov 22 15:04:36 2012 : Info: Using Post-Auth-Type Reject
    Thu Nov 22 15:04:36 2012 : Info: +- entering group REJECT {...}
    Thu Nov 22 15:04:36 2012 : Debug: expand: %{User-Name} - cyril
    Thu Nov 22 15:04:36 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
    Thu Nov 22 15:04:36 2012 : Info: ++[attr_filter.access_reject] returns updated
    Thu Nov 22 15:04:36 2012 : Info: Delaying reject of request 5 for 1 seconds
    Thu Nov 22 15:04:36 2012 : Debug: Going to the next request
    Thu Nov 22 15:04:36 2012 : Debug: Waking up in 0.9 seconds.
    Thu Nov 22 15:04:37 2012 : Info: Sending delayed reject for request 5
RE: Test
I received your message Alan

-----Original Message-----
From: freeradius-users-bounces+nicolas.fourel=adipsys@lists.freeradius.org [mailto:freeradius-users-bounces+nicolas.fourel=adipsys.com@lists.freeradius.org] On behalf of Alan DeKok
Sent: Thursday, 15 September 2011 16:50
To: FreeRadius users mailing list
Subject: Test

> Is the list down, or are people quiet?
Re: Debug STDOUT
On 26.05.2011 at 16:54, Norman Zhang wrote:

>     [root@box ~]# /usr/sbin/radiusd -xx
>     [root@box ~]# ps aux | grep radius
>     radiusd 32539 0.0 0.1 148872 2672 ? Ssl 10:50 0:00 /usr/sbin/radiusd -xx
>     root 32564 0.0 0.0 61220 752 pts/0 R+ 10:50 0:00 grep radius
>
> For some reason I can't get radius -x to display to STDOUT. Any hints?

You probably mean -X (upper case)

See the man page of radiusd.

> Norman

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing director: Lars Busch
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
(Fwd) Re: Seg Fault - radius 3.0 Debug
Hello,

I finally solved my issue. It was a problem of linking mysql libs. I'm sorry. Apologies to all

but.. Maybe variables have changed but since 3.0 version the variable %{Huntgroup-Name} is no more recognized.

tested on version 2.1.11 - Works perfectly

Any ideas ?

Thanks

--- Forwarded message follows ---
Date sent: Thu, 17 Mar 2011 21:20:20 +
From: Alan Buxey a.l.m.bu...@lboro.ac.uk
To: nicolas.bre...@belcenter.biz nicolas.bre...@belcenter.biz, FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Seg Fault - radius 3.0 Debug

Hi,

>> Here is my debug file with gdb on the seg fault
>>
>>     [Thread debugging using libthread_db enabled]
>>     [New Thread 0x7600b700 (LWP 23433)]
>>     [Thread 0x7600b700 (LWP 23433) exited]
>>     Program received signal SIGSEGV, Segmentation fault.
>>     0x76032890 in mysql_field_count () from /usr/lib64/mysql/libmysqlclient_r.so.16
>>     Missing separate debuginfos, use: debuginfo-install glibc-2.13-1.x86_64
>
> suggest you follow the information given to get more debugging info out
>
> alan

--- End of forwarded message ---
(Fwd) (Fwd) Re: Seg Fault - radius 3.0 Debug
The debug mode didn't say anything - no errors.

My variable is in the SQLIPPOOL.conf file and called with %{Huntgroup-Name}

No values were returned. With 2.1.11 - same directory, dic files, etc, I have a value.

--- Forwarded message follows ---
Breuer Nicolas wrote:
>> but.. Maybe variables have changed but since 3.0 version the variable %{Huntgroup-Name} is no more recognized.
>
> It should work. The git master branch hasn't changed any of that functionality.
>
> And (as always) what does debug mode say?
>
> Alan DeKok.

--- End of forwarded message ---
Seg Fault - radius 3.0 Debug
Dear all,

Here is my debug file with gdb on the seg fault

    [Thread debugging using libthread_db enabled]
    [New Thread 0x7600b700 (LWP 23433)]
    [Thread 0x7600b700 (LWP 23433) exited]
    Program received signal SIGSEGV, Segmentation fault.
    0x76032890 in mysql_field_count () from /usr/lib64/mysql/libmysqlclient_r.so.16
    Missing separate debuginfos, use: debuginfo-install glibc-2.13-1.x86_64 keyutils-libs-1.2-6.fc12.x86_64 krb5-libs-1.8.2-7.fc14.x86_64 libcom_err-1.41.12-6.fc14.x86_64 libgcc-4.5.1-4.fc14.x86_64 libselinux-2.0.96-6.fc14.1.x86_64 mysql-libs-5.1.55-1.fc14.x86_64 nss-softokn-freebl-3.12.9-2.fc14.x86_64 openssl-1.0.0d-1.fc14.x86_64 zlib-1.2.5-2.fc14.x86_64
Re : Seg Fault - radius 3.0 Debug
    #6  0x0041afd9 in call_modsingle (component=7, c=0x8c4a40, request=<value optimized out>) at modcall.c:297
            myresult = <value optimized out>
    #7  modcall (component=7, c=0x8c4a40, request=<value optimized out>) at modcall.c:670
            myresult = <value optimized out>
            stack = {pointer = 2, priority = {0 <repeats 32 times>}, result = {0 <repeats 32 times>}, children = {<value optimized out> <repeats 32 times>}, start = {<value optimized out> <repeats 32 times>}}
            parent = 0x8c5840
            child = 0x8c6500
            if_taken = 0
            was_if = 1
    #8  0x00419d45 in indexed_modcall (comp=7, idx=0, request=0x8d5b20) at modules.c:759
            rcode = <value optimized out>
            list = <value optimized out>
            server = <value optimized out>
    #9  0x00408495 in rad_postauth (request=0x8d5b20) at auth.c:422
            result = <value optimized out>
            postauth_type = <value optimized out>
            vp = 0x0
    #10 0x00408afb in rad_authenticate (request=0x8d5b20) at auth.c:812
            namepair = 0x8d7500
            check_item = 0x0
            auth_item = 0x8d5e90
            module_msg = <value optimized out>
            tmp = <value optimized out>
            result = 0
            password = 0x436e91
            autz_retry = <value optimized out>
            autz_type = <value optimized out>
    #11 0x00429813 in radius_handle_request (request=0x8d5b20, fun=0x4084e0 <rad_authenticate>) at event.c:4243
    No locals.
    #12 0x00420a55 in thread_pool_addrequest (request=0x8d5b20, fun=0x4084e0 <rad_authenticate>) at threads.c:900
    No locals.
    #13 0x0042746d in event_socket_handler (xel=<value optimized out>, fd=<value optimized out>, ctx=0x8d5580) at event.c:3957
            listener = 0x8d5580
            fun = 0x4084e0 <rad_authenticate>
            request = 0x8d5b20
    #14 0x77df0fdf in fr_event_loop (el=0x8c7a80) at event.c:413
            ef = <value optimized out>
            i = <value optimized out>
            rcode = 1
            maxfd = 26
            when = {tv_sec = 0, tv_usec = 0}
            wake = <value optimized out>
            read_fds = {fds_bits = {33554432, 0 <repeats 15 times>}}
            master_fds = {fds_bits = {109051904, 0 <repeats 15 times>}}
    #15 0x0041d434 in main (argc=<value optimized out>, argv=<value optimized out>) at radiusd.c:408
            rcode = <value optimized out>
            argval = <value optimized out>
            spawn_flag = 0
            dont_fork = 1
            flag = 0
            act = {__sigaction_handler = {sa_handler = 0x41cef0 <sig_fatal>,

--- End of forwarded message ---

Breuer Nicolas
Network Supervisor Sales Executive
BELCENTER sprl/bvba
Avenue Henri Consciencelaan, 94
Bruxelles 1140 Brussel
T. : +32 (0)2 403 04 60
F. : +32 (0)2 403 04 63
M. : +32 (0)486 50 27 87
E. : nicolas.bre...@belcenter.biz
W. : http://www.BelCenter.be | http://www.BelCenter.net
(Fwd) Seg Fault - 3.0
--- Forwarded message follows ---
From: Breuer Nicolas nicolas.bre...@belcenter.biz
To: freeradius-de...@lists.freeradius.org
Subject: Seg Fault - 3.0
Date sent: Wed, 16 Mar 2011 15:23:22 +0100

Hello

I discovered a Seg Fault on the release 3.0 on the GIT server. Seems happening on the first auth.

    (30) Login OK: [XXX] (from client XXX)
    (30) # Executing section post-auth from file /etc/XXX.conf
    (30) +- entering group post-auth {...}
    (30) ++? if (reply:Framed-IP-Address)
    (30) ? Evaluating (reply:Framed-IP-Address) - FALSE
    (30) ++? if (reply:Framed-IP-Address) - FALSE
    (30) ++- entering else else {...}
    rlm_sql (ACCOUNTING-01): Reserving sql socket id: 14
    (30) [IP-POOLING-01] expand: %{User-Name} - XXX
    (30) [IP-POOLING-01] sql_set_user escaped user -- 'XXX'
    (30) [IP-POOLING-01] expand: BEGIN - BEGIN
    (30) [IP-POOLING-01] expand: COMMIT - COMMIT
    (30) [IP-POOLING-01] expand: SELECT ip_address FROM radippool WHERE pool_name = '%{reply:Pool-Suffix}*%{Huntgroup-Name}' AND expiry_time NOW() ORDER BY rand(), pool_name, expiry_time LIMIT 1 FOR UPDATE - SELECT ip_address FROM radippool WHERE pool_name = 'BC*' AND expiry_time NOW() ORDER BY rand(), pool_name, expiry_time LIMIT 1 FOR UPDATE
    Segmentation fault

I see the expand of variable HuntGroup-Name didn't get any values... Maybe the reason of Seg fault ?

--- End of forwarded message ---
Seg Fault - 3.0 - More Info needed
Hello Alan,

Could you specify which info you need to go further ?

Thanks
Re: Need help on FreeRadius+OTP+OpenLDAP integration
On 14.03.2011 at 17:40, pradyumna dash wrote:

> Hi,

We are receiving your emails. See also http://lists.freeradius.org/pipermail/freeradius-users/2011-March/date.html

(Please avoid re-sending your questions minutes after sending them the first time.)

> I need a documentation on how to implement FreeRadius+OTP+OpenLDAP, I have installed and configured FreeRadius+OpenLDAP before but never used OTP, and also would like to know how OTP will be configured with SASL and how does SASL auth store OTP parameters.
>
> Another problem am facing is, first there is an authentication with freeradius but the next thing that is triggered in pam.d/ssh is the account section for authorization and here OpenLDAP requires password for the second time. So a user needs to login twice because of this. How to solve this issue
>
> Please help me out to solve this issue.
>
> Regards,
> Pradyumna

Nicolas Goutte
Re: Lastest using git
On 10.03.2011 at 15:08, David Peterson wrote:

> I am trying to recompile any new changes but cannot for the life of me remember how to check out the latest version. I believe it's called "Stable"

Do you mean http://git.freeradius.org/ and what is described there?

Have a nice day!

> David

Nicolas Goutte
Install problems
Hello

I can't install the last freeradius to our new server

    ./configure --libdir=/usr/local/lib/freeradius2 --with-mysql-lib-dir=/usr/lib64/mysql --disable-libltdl-install --with-system-libtool --without-openssl

    libtool: link: rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
    libtool: link: (cd .libs && gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC -c -fno-builtin radiusdS.c)
    libtool: link: rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
    libtool: link: gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o .libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o -Wl,--export-dynamic /var/instapp/freeradius-server-2.1.10/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lpthread -lcrypt /var/instapp/freeradius-server-2.1.10/libltdl/.libs/libltdl.so -ldl -Wl,-rpath -Wl,/usr/local/lib/freeradius2
    .libs/modules.o: In function `setup_modules':
    /var/instapp/freeradius-server-2.1.10/src/main/modules.c:1372: undefined reference to `lt_preloaded_symbols'
    collect2: ld returned 1 exit status
    gmake[4]: *** [radiusd] Error 1
    gmake[4]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src/main'
    gmake[3]: *** [main] Error 2
    gmake[3]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src'
    gmake[2]: *** [all] Error 2
    gmake[2]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src'
    gmake[1]: *** [src] Error 2
    gmake[1]: Leaving directory `/var/instapp/freeradius-server-2.1.10'
    make: *** [all] Error 2

What's the solution ?
Re: Install problems
Hello

I just do that.

    MAKE = /usr/bin/gmake
    CC = gcc
    RANLIB = ranlib
    INCLUDE =
    CFLAGS = $(INCLUDE) -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -DIE_LIBTOOL_DIE

Same error

    libtool: compile: gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -DIE_LIBTOOL_DIE -I/var/instapp/freeradius-server-2.1.10/src -DHOSTINFO=\"x86_64-unknown-linux-gnu\" -DRADIUSD_VERSION=\"2.1.10\" -DNO_OPENSSL -c detail.c -fPIC -DPIC -o .libs/detail.o
    libtool: compile: gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -DIE_LIBTOOL_DIE -I/var/instapp/freeradius-server-2.1.10/src -DHOSTINFO=\"x86_64-unknown-linux-gnu\" -DRADIUSD_VERSION=\"2.1.10\" -DNO_OPENSSL -c detail.c -o detail.o >/dev/null 2>&1
    /usr/bin/libtool --mode=link gcc -export-dynamic -dlopen self \
        -o radiusd acct.lo auth.lo client.lo conffile.lo crypt.lo exec.lo files.lo listen.lo log.lo mainconfig.lo modules.lo modcall.lo radiusd.lo stats.lo session.lo threads.lo util.lo valuepair.lo version.lo xlat.lo event.lo realms.lo evaluate.lo vmps.lo detail.lo \
        /var/instapp/freeradius-server-2.1.10/src/lib/libfreeradius-radius.la -lnsl -lresolv -lpthread \
        -lcrypt /var/instapp/freeradius-server-2.1.10/libltdl/libltdl.la
    libtool: link: rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
    libtool: link: (cd .libs && gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC -c -fno-builtin radiusdS.c)
    libtool: link: rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
    libtool: link: gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o .libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o -Wl,--export-dynamic /var/instapp/freeradius-server-2.1.10/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lpthread -lcrypt /var/instapp/freeradius-server-2.1.10/libltdl/.libs/libltdl.so -ldl -Wl,-rpath -Wl,/usr/local/lib/freeradius2
    .libs/modules.o: In function `setup_modules':
    /var/instapp/freeradius-server-2.1.10/src/main/modules.c:1372: undefined reference to `lt_preloaded_symbols'
    collect2: ld returned 1 exit status
    gmake[4]: *** [radiusd] Error 1
    gmake[4]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src/main'
    gmake[3]: *** [main] Error 2
    gmake[3]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src'
    gmake[2]: *** [all] Error 2

Date sent: Mon, 17 Jan 2011 11:57:47 +0100
From: Alan DeKok al...@deployingradius.com
To: nicolas.bre...@belcenter.biz, FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Install problems

Breuer Nicolas wrote:
>> I can't install the last freeradius to our new server
>>
>>     ./configure --libdir=/usr/local/lib/freeradius2 --with-mysql-lib-dir=/usr/lib64/mysql --disable-libltdl-install --with-system-libtool --without-openssl
>>     ...
>>     /var/instapp/freeradius-server-2.1.10/src/main/modules.c:1372: undefined reference to `lt_preloaded_symbols'
>
> Edit the Make.inc file, and find the line starting with CFLAGS. Add a -DIE_LIBTOOL_DIE to the end.
>
> Do make clean, followed by make.
>
> Alan DeKok.
Accounting Log
Hello All,

We used the Freeradius 2.X version. We use the accounting SQL module and i remark something.

When a user is rejected (wrong password), i always have this error in radius.log

    Mon Nov 8 18:07:40 2010 : Auth: Login incorrect: [BCgXXX]
    Mon Nov 8 18:07:41 2010 : Info: [ACCOUNTING-01] stop packet with zero session length.
    Mon Nov 8 18:07:41 2010 : Info: rlm_sql (ACCOUNTING-02): Attempting to connect rlm_sql_mysql #13
    Mon Nov 8 18:07:41 2010 : Info: rlm_sql_mysql: Starting connect to MySQL server for #13
    Mon Nov 8 18:07:41 2010 : Info: rlm_sql (ACCOUNTING-02): Connected new DB handle, #13
    Mon Nov 8 18:07:41 2010 : Info: [ACCOUNTING-02] stop packet with zero session length.

Accounting-01 thinks that stop packet with zero session length is an error and tried to connect to Accounting-02 sql server.

Is it the correct behaviour ? Is it possible to remove this logging.

Thanks

Breuer Nicolas
Re: Accounting Log
Breuer Nicolas wrote:
>> Accounting-01 thinks that stop packet with zero session length is an error and tried to connect to Accounting-02 sql server. Is it the correct behaviour ?
>
> Yes. see doc/configurable_failover for how to change redundant groups.
>
> Alan DeKok.

Alan,

I know that this is the correct behaviour concerning redundant groups but for me a Stop with zero session length isn't a SQL issue that needs to go on secondary SQL servers.

Breuer Nicolas
(Fwd) Re: Accounting Log
From: Alexandre Chapellon alexandre.chapel...@mana.pf

I have the very same behaviour here on my FR2.1.6 setup with PGSQL accounting. It produces noisy logs but nothing unacceptable. You can change this by not doing accounting for Stop Accounting packets that show up with a null session-time. In your accounting section:

if (Acct-Status-Type == Stop && Session-Time != 0) {
    sql_accounting_module_name
}

Maybe relying on Session-Time is not a good idea. Try finding out another relevant attribute. Cdt

Nice idea, I will try :)

Breuer Nicolas
(Fwd) (Fwd) Re: Accounting Log
Hello Alexandre, just in that case, if you do not send the STOP when the session time = 0, the session will stay open in the accounting table and never be closed.

--- Forwarded message follows ---
From: Breuer Nicolas nicolas.bre...@belcenter.biz
To: freeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: (Fwd) Re: Accounting Log
Send reply to: nicolas.bre...@belcenter.biz
Date sent: Mon, 08 Nov 2010 23:00:40 +0100

From: Alexandre Chapellon alexandre.chapel...@mana.pf

I have the very same behaviour here on my FR2.1.6 setup with PGSQL accounting. It produces noisy logs but nothing unacceptable. You can change this by not doing accounting for Stop Accounting packets that show up with a null session-time. In your accounting section:

if (Acct-Status-Type == Stop && Session-Time != 0) {
    sql_accounting_module_name
}

Maybe relying on Session-Time is not a good idea. Try finding out another relevant attribute. Cdt

Nice idea, I will try :)
--- End of forwarded message ---

Breuer Nicolas
Re: Radiusd.conf
On 15.09.2010 at 20:10, Samuel Isaias Barriga Perez wrote: Hello, I have a question: I want to configure the radiusd.conf. Here is my problem: there are two radiusd.conf in different paths, /usr/local/etc/raddb/radiusd.conf and /root/freeradius-server-2.1.9/raddb/radiusd.conf. Which configuration file should I use? Is there a manual to configure this module?

Is /root/freeradius-server-2.1.9 the directory where you (self-)compiled the source code? Then everything in /usr/local/etc/raddb/ was probably installed and that is the configuration file that you should use. As for documentation, partially it is inside the configuration files, some in the man pages. See also the text files beside the source code, if you have compiled yourself.

Thank You Samuel I. Barriga

Have a nice day! Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Managing director: Lars Busch Court of registration: Amtsgericht Münster / HRB: 5624 Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: ldap authentication using free radius
On 10.08.2010 at 16:54, Aqdas Muneer wrote: Hello, We recently had an event during which our radius server lost connectivity to our Active Directory server. All the network gear could contact radius so none fell back to the backup authentication method (local), but because AD was down we couldn't get into our devices. Is there a way to use some locally stored password in free radius if the ldap server can't be reached?

You can for example use the users file.

Thanks, Aqdas

Have a nice day! Nicolas Goutte
Re: Freeradius 2.1.9 digest authentication problem
On 03.08.2010 at 13:23, al...@arctel.ru wrote: Hello, trying to test digest authentication (freeradius 2.1.9). After uncommenting 'digest' in sites-available/default, 'radiusd -X' starts fine, but after I added (according to 'man rlm_digest') to the users file:

test Auth-Type := Digest, User-Password = test
    Reply-Message = Hello, test with digest

Please try using Cleartext-Password := test instead of User-Password = test [...]

Have a nice day! Nicolas Goutte
Re: Freeradius 2.1.9 digest authentication problem
On 03.08.2010 at 14:25, Alan Buxey wrote: Hi,

Tried Cleartext-Password := test, Cleartext-Password == test, Cleartext-Password = test, result is the same.

why? why did you do that? Cleartext-Password := test is the only correct way. You just completely ignored the information/help given by the actual author of FreeRADIUS. You don't trust him to know how the code works??

Alan Cox's email was sent only minutes later.

alan

Have a nice day. Nicolas Goutte
Re: Freeradius 2.1.9 digest authentication problem
On 03.08.2010 at 15:24, Alan Buxey wrote: Hi,

Alan Cox's email was sent only minutes later.

Alan Cox? wow. RedHat finally taking development to new levels.. you meant Alan DeKok I assume? Too many Alan's for you? ;-)

Sorry for the mistyping.

alan

Nicolas Goutte
Re: PAP Authentication
On 21.06.2010 at 17:24, simone.trevi...@telsey.it wrote: Dear all, I have an ADSL modem (running PPPoE Client) connected to a Cisco PPPoE Server. The Cisco PPPoE Server forwards PPPoE requests from the CPE to the Freeradius 2.1.0. I would like to provide the CPE with an IP address based on the pair Username/password. Authentication used: PAP. I see the WARNING message reported by Freeradius, but my attempts to fix it fail. Can you help me? Thank you very much.

1) I have added to radiusd.conf the module:

# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption schemes
# clear: Clear text
# crypt: Unix crypt
# md5: MD5 encryption
# sha1: SHA1 encryption.
# DEFAULT: crypt
pap {
    encryption_scheme = clear
}

2) I have modified the module pap:

pap {
    auto_header = yes
}

3) In users I have added:

mr642wg Auth-Type := PAP, User-Password == mr642wg

Try using Cleartext-Password := mr642wg instead [...]

Have a nice day! Nicolas Goutte
Re: Having trouble compiling freeradius 2.1.9 on ubuntu 10.04
On 16.06.2010 at 12:01, Bassem Nagi wrote: Hi, I am having trouble compiling freeradius version 2.1.9 on ubuntu 10.04. When I try to start the server I get an error stating:

radiusd: error while loading shared libraries: libfreeradius-radius-2.1.9.so: cannot open shared object file: No such file or directory

Try running ldconfig in the directory where the .so-file is.

Any help would be appreciated. Thanx

Nicolas Goutte
Re: The question about #define WIMAX2ATTR(x) ((24757 << 16) | (x)) in rlm_wimax.c
On 13.06.2010 at 03:47, 李立明 wrote: Hi all, I find #define WIMAX2ATTR(x) ((24757 << 16) | (x)) in rlm_wimax.c, but I don't understand its meaning.

Put 24757 (decimal) in the high 16 bits and put x in the low 16 bits (assuming x is only 16 bits). As for what 24757 means, I do not know.

I appreciate your help

Have a nice day! Nicolas Goutte
Re: Problem with make
"Update CFLAGS to add -DIE_LIBTOOL_DIE" (Alan DeKok, 2010-03-26, thread "FreeRADIUS 2.1.7 and 2.1.8 fail to build")

Have a nice day!

On 09.06.2010 at 13:32, Martín @ Ibersystems wrote: Hello all, we are trying to install Radius Manager from DmaSoftlab. We need to install Freeradius and we get problems with the make. We get these errors:

modcall.lo radiusd.lo stats.lo session.lo threads.lo util.lo valuepair.lo version.lo xlat.lo event.lo realms.lo evaluate.lo vmps.lo detail.lo \ /root/work/freeradius-server-2.1.8/src/lib/ libfreeradius-radius.la -lnsl -lresolv -lpthread \ -lcrypt -lltdl -lcrypto -lssl -lcrypto
rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
creating .libs/radiusdS.c
(cd .libs gcc -g -O2 -c -fno-builtin radiusdS.c)
rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/ radiusd.nmT
gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/ auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/ exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/ mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/ stats.o .libs/session.o .libs/threads.o .libs/util.o .libs/ valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/ realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o -Wl,--export- dynamic /root/work/freeradius-server-2.1.8/src/lib/.libs/ libfreeradius-radius.so -lnsl -lresolv -lpthread -lcrypt /usr/lib/ libltdl.so -lssl -lcrypto -ldl
.libs/modules.o: In function `setup_modules':
/root/work/freeradius-server-2.1.8/src/main/modules.c:1358: undefined reference to `lt__PROGRAM__LTX_preloaded_symbols'
collect2: ld returned 1 exit status
make[4]: *** [radiusd] Error 1
make[4]: se sale del directorio `/root/work/freeradius-server-2.1.8/ src/main'
make[3]: *** [common] Error 2
make[3]: se sale del directorio `/root/work/freeradius-server-2.1.8/ src'
make[2]: *** [all] Error 2
make[2]: se sale del directorio `/root/work/freeradius-server-2.1.8/ src'
make[1]: *** [common] Error 2
make[1]: se sale del directorio `/root/work/freeradius-server-2.1.8'
make: *** [all] Error 2

OS: Ubuntu Server 10.0.4 Lucid Lynxs. We tried the sources from dmasoftlab (2.1.8 modified) and the sources of freeradius.org (2.1.9); with the 2 sources we get the same error. What do we have to install or fix?

Thanks, Martín Ruiz Ibersystems Solutions, SL Dpto. Redes Inalámbricas Tel. 902 430 367 669 37 95 21 Fax 93 758 63 01 http://www.ibersystems.es martinr...@ibersystems.es

-Original Message-
From: Natr Brazell natrbraz...@gmail.com
To: freeradius-users@lists.freeradius.org
Date: Wed, 9 Jun 2010 06:42:13 -0400
Subject: FreeRadius MYSQL tables

All, I've set up FR2 to log acct data to mysql and that appears to be working. I'm curious about how to enable the logging of specific attributes that are being sent by the NAS. Specifically:

rad_recv: Accounting-Request packet from host x.x.x.120 port 51637, id=50, length=95
    Acct-Status-Type = Interim-Update
    Acct-Session-Id = C2594B9A71DB
    Acct-Delay-Time = 0
    User-Name = joe.bobuser
    NAS-Identifier = M20
    Juniper-Interactive-Command = run start shell
    NAS-IP-Address = x.x.x.120
+- entering group preacct {...}

As you can see in the Accounting-Request packet above, there is a NAS-Identifier and a Juniper-Interactive-Command entry. Those attributes are not being logged (nor do I think I'd want them) in my radacct file. Is there a way to have radius automatically populate an accountingactivity table (history file if you will)? Or is there a manual way, say in postauth, to send those attributes to a mysql table via script when an Accounting-Request packet is received? The above attributes are being sent and are logged in my detail-`date` log file in the /var/log/radius/radacct/IP_OF_NAS directory.

Thanks, N

Nicolas Goutte
Re: i install freeradius successfully, but i can't telnet the port
On 08.06.2010 at 09:38, Spacelee wrote: this is the file users' content

test Auth-Type:=MS-CHAP, User-Password:=test, Simultaneous-Use:=100

Try using Cleartext-Password:=Test instead of User-Password:=Test

    Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.0 [...]

Nicolas Goutte
Re: i install freeradius successfully, but i can't telnet the port
On 08.06.2010 at 09:59, Spacelee wrote: I use radius -X to see the log, it looks like:

Ignoring request to authentication address * port 1812 from unknown client 123.116.121.228 port 56627
Ready to process requests.
Ignoring request to authentication address * port 1812 from unknown client 123.116.121.228 port 56627
Ready to process requests.

As far as I understand, such an error message means that the unknown client is not defined in client.conf and therefore freeradius discards the request (for security reasons). Have a nice day!

2010/6/8 Spacelee fjct...@gmail.com: what should I write in client.conf? Mine is like this:

client fremont.iqwer.com {
    ipaddr = 173.233.234.52
    shortname = fremont
    secret = 19861230
    nastype = other
}

2010/6/8 Spacelee fjct...@gmail.com: on the radius server, I type the two commands and get these results (iptables has been shut down):

radtest test test localhost 1812 19861230
Sending Access-Request of id 124 to 127.0.0.1 port 1812
    User-Name = test
    User-Password = test
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=124, length=20

radtest test test 173.224.212.50 1812 19861230
Sending Access-Request of id 236 to 173.234.232.50 port 1812
    User-Name = test
    User-Password = test
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
Sending Access-Request of id 236 to 173.224.212.50 port 1812
    User-Name = test
    User-Password = test
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
Sending Access-Request of id 236 to 173.224.212.50 port 1812
    User-Name = test
    User-Password = test
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
radclient: no response from server for ID 236 socket 3

2010/6/8 Spacelee fjct...@gmail.com: this is the file users' content

test Auth-Type:=MS-CHAP, User-Password:=test, Simultaneous-Use:=100
    Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.0

2010/6/8 Spacelee fjct...@gmail.com: I use netstat and found there is radius listening on 1812, 1813 and 1814 using udp. I shut down all the iptables both on the pptp server and on the radius server, but the pptp can't be authenticated. The log is:

RADIUS plugin initialized.
Jun 8 15:26:29 mountainview pppd[4604]: Plugin /usr/lib64/pppd/ 2.4.4/radattr.so loaded.
Jun 8 15:26:29 mountainview pppd[4604]: RADATTR plugin initialized.
Jun 8 15:26:29 mountainview pppd[4604]: Plugin /usr/lib64/pptpd/ pptpd-logwtmp.so loaded.
Jun 8 15:26:29 mountainview pppd[4604]: pptpd-logwtmp: $Version$
Jun 8 15:26:29 mountainview pppd[4604]: pppd 2.4.4 started by root, uid 0
Jun 8 15:26:29 mountainview pppd[4604]: Using interface ppp0
Jun 8 15:26:29 mountainview pppd[4604]: Connect: ppp0 -- /dev/pts/1
Jun 8 15:27:03 mountainview pppd[4604]: rc_send_server: no reply from RADIUS server puppet:1812
Jun 8 15:27:03 mountainview pppd[4604]: Peer test failed CHAP authentication
Jun 8 15:27:03 mountainview pppd[4604]: Connection terminated.
Jun 8 15:27:03 mountainview pppd[4604]: Exit.

it says there is no reply

2010/6/8 Alan Buxey a.l.m.bu...@lboro.ac.uk: Hi,

I can start freeradius ok, but my pptp can't remotely access the radius server. I telnet 1812 or 1813, but both are connection refused. I don't know what to do with this situation

firewall eg iptables, on the server you put freeradius on?

alan

-- Spacelee

Nicolas Goutte
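The "unknown client" diagnosis in the message above can be checked mechanically by comparing the source addresses in the `radiusd -X` output against the client definitions. The following Python is an added example, not code from the thread or from FreeRADIUS; the function names are hypothetical, the sample input is constructed from the log line and client block quoted in the thread (with the shared secret replaced by a placeholder), and only simple IPv4 client blocks without nested sections are handled.

```python
import ipaddress
import re
from collections import Counter

# Matches simple 2.x-style "client NAME { key = value ... }" blocks.
CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)
# The rejection line as it appears in the thread's debug output.
UNKNOWN_RE = re.compile(
    r"Ignoring request to \w+ address \S+ port \d+ "
    r"from unknown client (\S+) port \d+"
)

# Constructed sample: client block from the thread, secret replaced.
SAMPLE_CLIENTS_CONF = """
client fremont.iqwer.com {
    ipaddr = 173.233.234.52
    shortname = fremont
    secret = PLACEHOLDER_SECRET
    nastype = other
}
"""

# Constructed sample: the two rejection lines quoted in the thread.
SAMPLE_DEBUG_LOG = """
Ignoring request to authentication address * port 1812 from unknown client 123.116.121.228 port 56627
Ready to process requests.
Ignoring request to authentication address * port 1812 from unknown client 123.116.121.228 port 56627
Ready to process requests.
"""


def parse_clients(conf_text):
    """Return {client name: IPv4 network} for every parsable client block."""
    nets = {}
    for name, body in CLIENT_RE.findall(conf_text):
        opts = dict(KV_RE.findall(body))
        # Short form "client 127.0.0.1 { ... }" uses the name as the address.
        addr = opts.get("ipaddr", name)
        mask = opts.get("netmask", "32")
        try:
            nets[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # hostname without ipaddr: would need DNS, skipped here
    return nets


def triage_unknown_clients(log_text, nets):
    """List (source IP, hit count, covering client or None) per rejected source.

    None means no client definition covers the address the server actually
    saw, which is what the thread shows. A client name means the file covers
    it, so the running server has probably not loaded that definition.
    """
    hits = Counter(UNKNOWN_RE.findall(log_text))
    report = []
    for src, count in sorted(hits.items()):
        ip = ipaddress.ip_address(src)
        covering = next((n for n, net in nets.items() if ip in net), None)
        report.append((src, count, covering))
    return report


if __name__ == "__main__":
    clients = parse_clients(SAMPLE_CLIENTS_CONF)
    for src, count, covering in triage_unknown_clients(SAMPLE_DEBUG_LOG, clients):
        status = f"covered by '{covering}'" if covering else "no matching client"
        print(f"{src}: {count} rejected request(s), {status}")
```

On the thread's data the report shows that the requests arrive from 123.116.121.228 while the only defined client is 173.233.234.52, so the server is discarding them as designed.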
Re: rlm_perl version?
On 25.05.2010 at 15:12, Jan Zacharias wrote: Hey Alan,

Alan DeKok al...@deployingradius.com wrote on 25 May 2010 at 14:43: My suspicion is that you've built 2.1.9 with version X of Perl, and are then trying to link it with version Y of Perl. Ensure that you only have one version of Perl installed.

That's not the case here, I have (and had when building 2.1.9 this morning) only the following libperl stuff installed:

dpkg -l|grep libperl
ii libperl-dev 5.10.1-8ubuntu2 Perl library: development files
ii libperl5.10 5.10.1-8ubuntu2 shared Perl library

Isn't there a way to find out the perl version? I thought of print $1 but this does not work as intended.

Try using perl -V

Best, Jan

Nicolas Goutte
Re:
On 04.05.2010 at 13:34, dorra aa wrote: Hi. After installing Radius, I tried to do some examples. I don't know if it is correct because I'm new to it. I added to Users:

sonia Auth-Type := Local, User-Password == salut

This should read Cleartext-Password := salut instead of User-Password == salut. In Freeradius, passwords are assigned ( := ) and not compared ( == ). Have a nice day!

    Reply-Message = Hello, %u,
    Reply-Message = are you fine, %u

And I added to Clients.conf:

client 127.0.0.1 {
    secret = testing123 # our shared secret
    shortname = class
    nastype = other
}

When I run this command, I have:

p...@pfe-laptop:~$ sudo radtest sonia salut 127.0.0.1:1812 1812 testing123
Sending Access-Request of id 11 to 127.0.0.1 port 1812
    User-Name = sonia
    User-Password = salut
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=11, length=20

What is the problem please? Is there something missing in my test? Thank you

Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Court of registration: Amtsgericht Münster / HRB: 5624 Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: How to handle dynamic update of shared secret and client configuration in free radius
On 13.04.2010 at 15:27, Rajendra Hegde wrote: I wonder, if this is not directly achievable, what if some other program running on machine B updates the file and sends the signal SIGHUP (or some other signal, I am not sure) to freeradius so that free radius rereads the config information without getting restarted? Does it work? Which signal to send to freeradius so that it rereads the configuration again?

If you want to re-read all configuration files, you have to stop and to start (again) the freeradius server.

Thanks in Advance.

Have a nice day.

From: Rajendra Hegde
Sent: Mon 4/12/2010 4:48 PM
To: FreeRadius users mailing list
Subject: How to handle dynamic update of shared secret and client configuration in free radius

Hello, I am a client program running on machine A. It wants to talk to free radius on machine B.

{ client on Machine A } --- { free radius on machine B }

Now the client wants to dynamically update the shared secret and other client information by just talking to the free radius over a simple network connection. After that free radius should use the new information right away as well as update the static file(s) in /etc/raddb... Any pointers for achieving this would be appreciated.

Thanks, Rajendra Hegde

Nicolas Goutte
Re: How to handle dynamic update of shared secret and client configuration in free radius
On 13.04.2010 at 15:50, Nicolas Goutte wrote:

On 13.04.2010 at 15:27, Rajendra Hegde wrote: I wonder, if this is not directly achievable, what if some other program running on machine B updates the file and sends the signal SIGHUP (or some other signal, I am not sure) to freeradius so that free radius rereads the config information without getting restarted? Does it work? Which signal to send to freeradius so that it rereads the configuration again?

If you want to re-read all configuration files, you have to stop and to start (again) the freeradius server.

If you want, you can look at an old thread about why -HUP does not read them again: http://lists.freeradius.org/pipermail/freeradius-users/2008-April/msg00020.html

Thanks in Advance.

Have a nice day.

From: Rajendra Hegde
Sent: Mon 4/12/2010 4:48 PM
To: FreeRadius users mailing list
Subject: How to handle dynamic update of shared secret and client configuration in free radius

Hello, I am a client program running on machine A. It wants to talk to free radius on machine B.

{ client on Machine A } --- { free radius on machine B }

Now the client wants to dynamically update the shared secret and other client information by just talking to the free radius over a simple network connection. After that free radius should use the new information right away as well as update the static file(s) in /etc/raddb... Any pointers for achieving this would be appreciated.

Thanks, Rajendra Hegde

Nicolas Goutte
Re: Freeradius says it is listening on port 1812, but isn't
On 24.03.2010 at 09:51, Matt Harlum wrote: Hi, I'm running Freeradius 2.1.6 on MacOSX 10.5.7 on a Dual-G4 867Mhz PowerMac. Since March last year I've had 2.1.6 installed, however it's been switched off for the last few months. Recently I powered it back on and have run system updates etc and got to the point I am at now. When I launch FreeRadius it says it is listening on *:1812 for auth, however my AP is unable to connect, and trying telnet on port 1812 results in Connection Refused. I've tried reverting the configuration to default but it hasn't worked. Running radiusd -x does not throw any errors:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.

Anyone have any ideas as to why this would be happening all of a sudden? Perhaps the system updates broke it?

Have you checked firewalls and such? Perhaps you can also check with tools like tcpdump if the packets arrive on the computer where freeradius is running. Also perhaps check that the computer really has the IP address or name that you think it has and that the IP or name is really used by the AP.

Regards, Matt Harlum

Have a nice day! Nicolas Goutte
Re: MS-CHAP2-Response is incorrect + invalid NT-Password
On 15.03.2010 at 11:35, omega bk wrote: sorry for spamming, I just want to understand. OpenLDAP knows the clear text password:

[ldap] userPassword - Cleartext-Password == test
[ldap] userPassword - NT-Password == 0x7465737420 = supposed to be the hash password

I doubt very much that this is a hash: 0x74: t, 0x65: e, 0x73: s, 0x74: t, 0x20: space (all in ASCII). Have you tried *not* to define a NT-Password and let Freeradius calculate from the Cleartext-Password what it needs? [...]

Have a nice day! Nicolas Goutte
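The observation in the message above, that 0x7465737420 decodes to ASCII text rather than a hash, generalises into a check on any value mapped to NT-Password. The following Python is an added example, not code from the thread or from FreeRADIUS; the function names are hypothetical. It assumes the standard definition of the NT hash (MD4 over the UTF-16LE password, 16 bytes) and carries its own MD4 because hashlib frequently no longer provides one.

```python
import struct
from typing import Optional

MASK = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    """Rotate a 32-bit value left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            f = (b & c) | (~b & d)
            a = _rol((a + f + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a = _rol((a + g + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            h = b ^ c ^ d
            k = r3_order[i]
            a = _rol((a + h + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the password encoded as UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def classify_nt_password(value: str, cleartext: Optional[str] = None) -> str:
    """Classify a value that a directory mapping presents as NT-Password.

    Returns "not-hex", "ascii-text" (hex of printable text, as in the
    thread), "wrong-length" (not 16 bytes), "hash-mismatch" (16 bytes but
    not the NT hash of the supplied cleartext) or "nt-hash".
    """
    hexpart = value[2:] if value.lower().startswith("0x") else value
    try:
        raw = bytes.fromhex(hexpart)
    except ValueError:
        return "not-hex"
    if len(raw) != 16:
        if raw and all(0x20 <= ch < 0x7F for ch in raw):
            return "ascii-text"
        return "wrong-length"
    if cleartext is not None and raw != nt_hash(cleartext):
        return "hash-mismatch"
    return "nt-hash"


if __name__ == "__main__":
    posted = "0x7465737420"  # value quoted in the thread
    print(posted, "->", classify_nt_password(posted))
    print("NT hash of 'test':", nt_hash("test").hex())
```

The value from the thread is classified as ASCII text (five bytes, "test" plus a space), whereas the NT hash of the cleartext "test" is a 16-byte value.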
Re: Radius Manager
On 12.02.2010 at 15:39, Teguh Kurniawan wrote: Hello, I use ancient Free Radius 1.1.7 packages (from Ubuntu 8.04/Hardy) on Ubuntu Server 9.10. I use ancient Free Radius because of the requirement from the Radius Manager we bought from http://www.radius-manager.com/. But after finishing setting up the configuration for Free Radius, I've got some problems. Some problems I could fix after asking some questions on this mailing list and searching on google. But I've got another problem, my testing is rejected. What should I do? Best Regards, Teguh Kurniawan

The mailing list is receiving your emails, see also: https://lists.freeradius.org/pipermail/freeradius-users/2010-February/thread.html You do not need to repeat the same question again, especially within a day. If nobody is answering, it is because:
- nobody on this list knows an answer
- if somebody would know an answer, this person is perhaps otherwise busy.
[...]

Have a nice day! Nicolas Goutte
Re: radius for linux authentication
On 11.02.2010 at 11:20, sr...@aol.in wrote: Hi List, I have configured my linux devices to use freeRadius (freeRadius 1.1.5 with MySQL backend) authentication. Installation of the pam library went well and I am able to get authenticated against my freeRadius server. Now the problem is how to identify a user like root that has the same name on multiple machines. For this I observed that this PAM library is sending Calling-Station-Id in Access-Request packets. I did modify my radcheck table to have entries as follows:

+----+-----------+--------------------+----+----------------+
| id | UserName  | Attribute          | op | Value          |
+----+-----------+--------------------+----+----------------+
| 1  | linuxuser | Password           | == | radpwd         |
| 12 | root      | Calling-Station-Id | == | 192.168.100.61 |
| 11 | root      | Password           | == | 10radpwd       |
| 10 | root      | Password           | == | 61radpwd       |
| 13 | root      | Calling-Station-Id | == | 192.168.70.10  |
+----+-----------+--------------------+----+----------------+

Try using := instead of == for setting passwords.

But then it failed to authenticate. Please suggest what could be the problem, ASAP. Also, are there any other ways to handle this kind of situation? Appreciate your help. Regards, Sri.

Have a nice day! Nicolas Goutte
Re: Difficulties with rlm_perl specifically sending mail
On 02.02.2010 at 00:12, David Buckley wrote:

> Greetings from New Zealand
>
> I have a two factor auth system built using rlm_perl, which is all working fine but for one problem. I have a function that sends emails for sending one-time passwords via SMS which works perfectly when FR is run as radiusd -X, but doesn't work when FR is started as a service. This is an FR 2.1.7 RPM installation on RHEL, modern and patched. When run as a service RHEL runs radiusd as user and group radiusd.

Just an idea: sending emails often means starting the program sendmail. Perhaps radiusd started as a service has no $PATH and therefore cannot find sendmail.

> [...]

Nicolas Goutte
Re: FreeRadius won't start with my configs
On 16.12.2009 at 20:39, J Brandon Polley wrote:

> I can't get FreeRadius to start. No other instance of FreeRadius is running when I try to start FreeRadius. I'm using FreeRadius 1.1.7-21.4.47. Here is my debug info when I enter radiusd -x
>
> Module: Loaded exec
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> Module: Instantiated unix (unix)
> Module: Loaded eap
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> rlm_eap: Loaded and initialized type gtc
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> rlm_preprocess: Error reading /etc/raddb/huntgroups
>
> (didn't change anything in this file)

Do you really have a file in this path? Are the rights of the file set in a way that the daemon can read it, as the user that is being used?

Have a nice day!

> [...]

Nicolas Goutte
Re: Differencent assigments in users files
On 04.11.2009 at 11:12, verhoem wrote:

> Hello, I'm a newbie in freeradius but after reading O'Reilly's Radius book for dummies I still can't figure out what the difference is between := == and = in the users file.
>
> steve Auth-Type := Local, User-Password == Testing
>
> etc.

It should read

Cleartext-Password := Testing

In FreeRadius passwords are assigned ( := ) not compared ( == ).

> I also see notations like Jonathan Password = Unix-PW. In the end my config seems to work but I'm wondering if I'm missing out on something important. An explanation or a URL would be very appreciated!
>
> Greetings, Marcel

Have a nice day!

Nicolas Goutte
Re: Differencent assigments in users files
On 04.11.2009 at 11:21, Ana Gallardo wrote:

> http://freeradius.org/radiusd/man/users.html
>
> -- Ana Gallardo Gómez

Well, unfortunately there is an example:

bob User-Password == hello

which is bad.

Have a nice day!

Nicolas Goutte
Re: Password expiration and change on next logon options
On 03.11.2009 at 17:47, Ivan Kalik wrote:

I am trying to figure out how to do password aging and on next logon change with freeRadius.

Custom script on your login. Radius doesn't interact with user interface.

I am using ASA firewall with MS-CHAP2 support. mschap is also enabled in freeRadius. Could somebody point to where I can find any documentation about it? Also, should I use system passwords or keep them in the postgres to make it working?

You can't use system (crypted) passwords with mschap.

See: http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP

Have a nice day!

Nicolas Goutte
Re: Failed to link to module rlm_ldap
On 24.09.2009 at 15:54, José Johnny RANDRIAMAMPIONONA wrote:

> I tried to upgrade freeradius-server-2.1.6 to freeradius-server-2.1.7 and it worked well (in localhost) without ldap. Then I tried to use the old version (2.1.6) but it doesn't work anymore:
>
> Thu Sep 24 13:32:16 2009 : Error: /usr/local/freeradius-server-2.1.6//etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': libldap_r-2.3.so.0: cannot open shared object file: No such file or directory

Have you tried to run ldconfig, possibly on the directory where libldap_r.so is?

> [...]

Have a nice day!

Nicolas Goutte
Re: Sanity check, example in users man page
On 03.09.2009 at 21:02, Gary Gatten wrote:

> RPM shows nothing FR related installed. I did run man 5 users. v2.1.6 is current, no?

If you want something newer than the last released version, see http://git.freeradius.org , especially the stable tree.

Have a nice day!

Nicolas Goutte

> -----Original Message-----
> From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Ivan Kalik
> Sent: Thursday, September 03, 2009 1:53 PM
> To: FreeRadius users mailing list
> Subject: RE: Sanity check, example in users man page
>
> You do. Current documentation should be in man 5 users.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>> v2.1.6. AFAIK FR was never installed on this box - it's fairly new - so I don't think it could've been some legacy doc that didn't get overwritten when 2.1.6 was installed.
>>
>> -----Original Message-----
>> From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Alan Buxey
>> Sent: Thursday, September 03, 2009 1:33 PM
>> To: FreeRadius users mailing list
>> Subject: Re: Sanity check, example in users man page
>>
>> Hi,
>>
>>> From users man page:
>>>
>>> EXAMPLES
>>> bob User-Password == hello
>>> Requests containing the User-Name attribute, with value bob, will be authenticated using the password bob. There are no reply items, so the reply will be empty.
>>>
>>> Surely this is incorrect - right? Should this not read: ... will be authenticated using the password hello. Assuming I'm correct, this is my excuse for taking so long to grasp some of the concepts of FR, unlang, etc. I think there are several doc errors / typos that are confusing me
>>
>> what version are you actually looking at? your example predates 2.x of the code and only 2.x of the code has unlang etc. the current doc (man 5 users) states
>>
>> bob Cleartext-Password := hello
>> Requests containing the User-Name attribute, with value bob, will be authenticated using the known good password hello. There are no reply items, so the reply will be empty.
>>
>> but yes - the text you have is wrong. it is, indeed, password hello - it's fairly obvious. from the text i'd say you've got a document that came with version 1.0.2 of the code?
>>
>> alan
nested groups
Hi,

Is it possible to search users in nested groups? For example: User1 is in group Group1, User2 is in group Group2, and Group1 and Group2 are in group Group12.

The users config:

...
DEFAULT ldap-iut-Ldap-Group == Group12
        Tunnel-Medium-Type:1 = 6,
        Tunnel-Type:1 = 13,
        Tunnel-Private-Group-ID:1 = 636,
        Fall-Through = Yes
...

Freeradius Server: 2.1.7 (git)
Ldap server: Active directory 2008

Thanks

Nicolas Clementz
Université de Haute Alsace
Re: new to freeRADIUS - Help
On 03.08.2009 at 21:46, Radius Master wrote:

> Hi, I am in the process of setting up freeRADIUS on Mac OSX. We're a small group looking into becoming a WISP. Can anyone tell me if there is a RAS that runs on OSX?

If by RAS, you mean remote access, then MacOSX has plenty of them:
- ssh
- (direct) remote desktop client (MacOS 10.5; see in Finder)
- remote desktop per iChat (MacOS 10.5)

> The install of freeRADIUS itself seems to have gone smoothly, and I installed MySQL 5.1 as well, no hitches. I have not, tho, found out how to tell if freeRADIUS is actually running or not.

If by "actually running or not" you mean that a user could check, then use: ps ax

If you mean that a program should check, I am not sure. A shell script could use ps, fgrep and co to do that.

> Thanks in advance for all help.

Have a nice day!

Nicolas Goutte
Re: new to freeRADIUS - Help
On 04.08.2009 at 17:13, Radius Master wrote:

> Hi Nicolas, Thanks so much for your answer. What I meant was, in the terminal, what can I type as a test to get a response from a running instance of freeradius. By RAS, I mean Remote Access Server, also known as a Network Access Server. As I understand it, the PPPoE users first hit the RAS, then the RAS passes the query off to freeRadius, then freeRadius tells the RAS what to do based on the user's validity, and the RAS either accepts or rejects the user. Do I have the concept right? And if so, do you or anyone know of a RAS software that will run on OS X?

Ah, then I have misunderstood you. Sorry that I could not help you. Perhaps this answer can bring you further: http://lists.freeradius.org/pipermail/freeradius-users/2009-January/msg00515.html

> Another question I have: when I spoke briefly to the folks at Network RADIUS, they told me that freeRadius includes the required db schema for mySQL. When I installed mySQL 5.1, there was a db in there that I didn't recognize, called information_schema, comprised of 28 tables. Is this it, or is there something special I need to do to enable the schema, as I understand from the docs that freeRadius will work with almost any datasource including flatfiles. Thanks in advance.
>
> PS, if you're wondering if I'm aware of the irony in my name, the answer is yes ;)

Have a nice day!

Nicolas Goutte
Re: password encryption problem
On 31.07.2009 at 15:13, Hegedus Gabor wrote:

> Hi all! I have a problem: I want to authenticate console users in cisco switches. In the 2960, the switch sends the password in cleartext, no problem.
>
> User-Password=password

Please try using Cleartext-Password := password in the users file (or similarly in databases).

> but in the 2950, the switch can only send in crypted version like this:
>
> NAS-Port-Type = Virtual
> User-Name = test
> Calling-Station-Id = 192.168.***
> User-Password = \\342\455\325]̍\322\tM~\237\616}\266\426
> Service-Type = Login-User
>
> In the ldap database I tried all of the encryption types (clear, md5, crypt, md5crypt) but every time the authentication is rejected:
>
> frad debug: Failed to authenticate the user. Login incorrect (rlm_ldap: Bind as user failed): [test/\\_ \266\065]�?\663\tM~\667\354}\126\316] (from client switch port 1 cli 192.168.***
> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>
> What can I do in freeradius, what did I forget? Thanks! Gabor

Have a nice day!

Nicolas Goutte
Re: Problem with compilation
> -radius.so ln -s libfreeradius-radius-2.1.6.so libfreeradius-radius.so)
> false cru .libs/libfreeradius-radius.a dict.o filters.o hash.o hmac.o hmacsha1.o isaac.o log.o misc.o missing.o md4.o md5.o print.o radius.o rbtree.o sha1.o snprintf.o strlcat.o strlcpy.o token.o udpfromto.o valuepair.o fifo.o packet.o event.o getaddrinfo.o vqp.o heap.o dhcp.o

Here you have false, so probably you are missing a tool that configure could not find. (Sorry, I do not know how the tool making static libraries is supposed to be named on Solaris.)

> gmake[4]: *** [libfreeradius-radius.la] Error 1
> gmake[4]: Leaving directory `/export/home/install/freeradius-server-2.1.6/src/lib'
> gmake[3]: *** [common] Error 2
> gmake[3]: Leaving directory `/export/home/install/freeradius-server-2.1.6/src'
> gmake[2]: *** [all] Error 2
> gmake[2]: Leaving directory `/export/home/install/freeradius-server-2.1.6/src'
> gmake[1]: *** [common] Error 2
> gmake[1]: Leaving directory `/export/home/install/freeradius-server-2.1.6'
> make: *** [all] Error 2
> #
>
> Thanks in advance.

Nicolas Goutte
Re: mysqld connecting problem
On 23.07.2009 at 09:06, shivashankar wrote:

> hi,
>
> miboss3# /usr/sfw/sbin/mysqld
> Fatal error: Please read Security section of the manual to find out how to run mysqld as root!

It is probably not the right mailing list to ask a (security) question about mysql, especially if the error message tells you to read the manual.

> 090723 7:23:37 Aborting
> 090723 7:23:37 /usr/sfw/sbin/mysqld: Shutdown Complete
>
> please help me

Nicolas Goutte
Re: login / password
On 23.07.2009 at 15:42, Rakotomandimby Mihamina wrote:

> Hi, Our passwords are stored as clear text in a postgresql database.

Are they defined as Cleartext-Password? In a users file you would need something like:

username Cleartext-Password := secret

(not sure how to express it in a database).

> The attached file tends to show CHAP is looking for something I don't understand. Would you have any suggestion? What's that "no known good password" that might fail authentication? Testing with radtest gives the correct auth answers. I am now testing with the final client (coova).
>
> -- IT Architect: System Administration, Research and Development + 261 32 11 401 65
> Think of the environment before printing this message
>
> freeradius-x.txt

Nicolas Goutte
Re: Radius Authentication failure
On 21.07.2009 at 11:04, Vamsi Krishna Valiveti wrote:

> Hi, I am using freeradius-server-2.1.4. I changed only the below files
>
> Users
>
> iss Auth-Type := Local, User-Password == iss123

Try to use

Cleartext-Password := iss123

Passwords must be assigned ( := ) not compared ( == ). Also User-Password is deprecated.

Have a nice day!

> Clients.conf
>
> [...]

Nicolas Goutte
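The same correction recurs in several posts on this page (the radcheck table, the "Differencent assigments" thread, the man page example, and the reply just above): password check items written as `User-Password == ...` where `Cleartext-Password := ...` is meant. A small checker for a users file, as an added example that is not from the thread or from FreeRADIUS; the function names and the sample file are this example's own, with entries modelled on the ones quoted in the posts.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line user attribute operator suggestion")

# Attribute names the replies on this page call deprecated for known-good passwords.
LEGACY_ATTRS = {"user-password", "password"}
PASSWORD_ATTRS = LEGACY_ATTRS | {"cleartext-password"}

# One "Attribute op value" check item; longer operators are listed before "=".
ITEM_RE = re.compile(
    r'([A-Za-z][\w:-]*)\s*'
    r'(:=|==|\+=|!=|>=|<=|=~|!~|=\*|!\*|=|>|<)\s*'
    r'("(?:[^"\\]|\\.)*"|[^,\s]+)'
)


def lint_users(text):
    """Return a Finding for every password check item that is compared
    instead of assigned, or that uses a legacy attribute name."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace():
            continue                      # indented line: reply items, not checks
        parts = raw.split(None, 1)
        user = parts[0]
        checks = parts[1] if len(parts) > 1 else ""
        for attr, op, value in ITEM_RE.findall(checks):
            name = attr.lower()
            if name not in PASSWORD_ATTRS:
                continue
            if name in LEGACY_ATTRS or op != ":=":
                findings.append(Finding(lineno, user, attr, op,
                                        "Cleartext-Password := " + value))
    return findings


# Constructed sample users file; the entries mirror those quoted in the posts.
SAMPLE_USERS = '''\
# constructed sample
steve   Auth-Type := Local, User-Password == "Testing"
        Reply-Message = "User-Password == is ignored on reply lines"
bob     User-Password == "hello"
bob2    Cleartext-Password := "hello"
iss     Auth-Type := Local, User-Password == "iss123"
carol   Cleartext-Password == "typo"
DEFAULT Huntgroup-Name == "ap", Prefix == "guest/"
        Fall-Through = No
'''

if __name__ == "__main__":
    for f in lint_users(SAMPLE_USERS):
        print(f"line {f.line}: {f.user}: {f.attribute} {f.operator} ... "
              f"-> use {f.suggestion}")
```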
Re: Server Log say user authenticate but modem shows error 691
On 21.07.2009 at 14:28, amritap sinha wrote:

> Dear All, I have tried to implement freeradius on RHCL 4 with MySQL. My database is connected to the radius server properly and my radius server authenticates the user properly inside the network and outside the network. My problem is that when I try to connect any user through a dial-up connection, my NAS and radius respond and the password authenticates (basically I am using CHAP password for authentication) but the modem shows error 691 in Windows XP O.S. Please, anyone, help me by providing a suitable solution.

Ok, I am sure that you will be asked the classical questions, so I can ask them: What is in the log of radiusd -X? What is your configuration?

> Thanks
> Regards, Amritap Sinha

Nicolas Goutte
Re: make install without messing with previous configuration?
On 15.07.2009 at 08:16, Stefan Winter wrote:

> Hello, I wonder if there's a way to install FreeRADIUS, but *not* have it install config files in its raddb dir. The reason being that if you have a previous version and a well-shepherded config directory with only exactly the needed files, a make install will clutter your raddb dir with default files. You can delete the unnecessary files afterwards for sure, but it would be preferable if raddb could remain untouched on request. I even had one instance where I got bitten by it: a server didn't have a sites-enabled/default. make install during an upgrade helpfully created it with a set of module calls in it which weren't configured. As a result, the server refused to start afterwards until the default server was deleted. So, is there some kind of make install-no-config, ./configure --no-touch-raddb or similar?

I do not know how to do it at compile time but you can do it at runtime by specifying -d your_directory to radiusd. So perhaps a make install will install many configuration files but not where *your* configuration is.

> Greetings, Stefan Winter

Have a nice day!

> -- Stefan WINTER, Research Engineer, Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche, 6, rue Richard Coudenhove-Kalergi, L-1359 Luxembourg, Tel: +352 424409 1, Fax: +352 422473

Nicolas Goutte
Re: rlm_eap_md5: Cleartext-Password is required for EAP-MD5authentication
We are receiving your messages. You do not need to post them multiple times. (Posting to a mailing list is never immediate.)

(See also the archives: http://lists.freeradius.org/pipermail/freeradius-users/2009-July/date.html )

Have a nice day!

On 15.07.2009 at 09:40, youler wrote:

> My running environment is freeradius-2.1.3. The authentication type is EAP/MD5. It's not running well with an individual 'user' file. I can't find the problem. My main configuration file is as follows:
>
> [...]

Nicolas Goutte
Re: make install without messing with previous configuration?
On 15.07.2009 at 09:53, Stefan Winter wrote:

> Hi,
>
>> I do not know how to do it at compile time but you can do it at runtime by specifying -d your_directory to radiusd. So perhaps a make install will install many configuration files but not where *your* configuration is.
>
> Yes, I considered pointing --with-raddb-dir=/tmp/trash or so. But I

I am not sure, but does that mean that the binary that you create would point to that directory too? So in that case, you would have to specify the real directory at runtime too.

> don't want a one-time installation problem to require attention whenever I run the service in the future. It is then something to remember constantly (and to document for on-duty personnel etc. ...), only to fix a single-shot problem. It just doesn't sound right to me.

Yes, I had not seen it from that point of view.

> Greetings,

Have a nice day!

> Stefan
>
> -- Stefan WINTER, Research Engineer, Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche, 6, rue Richard Coudenhove-Kalergi, L-1359 Luxembourg, Tel: +352 424409 1, Fax: +352 422473

Nicolas Goutte
Re: ./configure
On 15.07.2009 at 15:45, shiva shankar wrote:

> hi aland, it is giving a problem while doing make.

Then please post the relevant lines of the bottom of the output of make.

> regards, shiva shankar

Have a nice day!

> 2009/7/15 Alan DeKok al...@deployingradius.com
>
>> shivashankar wrote:
>>> when I am installing freeradius-server-2.1.6 on solaris10, it is showing some warnings. plz help me out how to remove those warnings
>>
>> You don't. They are WARNINGS, not ERRORS.
>>
>> Alan DeKok.
>
> -- regards, shiva shankar

Nicolas Goutte
Re: Location of freeradius log file
On 13.07.2009 at 17:35, Deepak wrote:

> Hi, I have the following installed.
>
> ===
> OS: CentOS 5.3
> freeradius 2.1.6 (rpm version)
> daloradius 0.9-8
> mysql 5.0.45
> ===
>
> When I try to check the radius log file from the daloradius interface, it gives me the following error:
>
> error reading log file: looked for log file in /var/log/freeradius/radius.log and /usr/local/var/log/radius/radius.log but couldn't find it. if you know where your freeradius log file is located, set it's location in /zradius/rep-logs-radius.php
>
> I tried to look for this file but couldn't locate it. There is no freeradius directory in /var/log. Where does freeradius keep the log file?

If you do not find it, check your radiusd.conf. The property is named log_file.

> Thanks
>
> -- Registered Linux User #460714, Currently Using Fedora 10, CentOS 5.3

Nicolas Goutte
Re: Session-Timeout in Access-Challenge (that contains EAP-Message)
On 08.07.2009 at 20:05, Gong Cheng wrote:

> Hi Alan, thanks for the answer. (and thanks to David too). I can't seem to find 2.1.7 yet, but I will keep this in mind.

I suppose that with 2.1.7, the stable version in GIT is meant, see: http://git.freeradius.org/

Have a nice day!

> Just as an FYI, I do see commercial NAS code that implements this.
>
> Alan DeKok-2 wrote:
>
>> Gong Cheng wrote:
>>> Hi, I wonder if there is a way - not to include Session-Timeout value intended for Access-Accept in Access-Challenge messages?
>>
>> In 2.1.7, see raddb/sites-available/default. Look for Access-Challenge. There is sample configuration.
>>
>>> - or to configure a different Session-Timeout value for Access-Challenges (which contain EAP-Message)? This is about the following section in RFC3579 where Session-Timeout in Access-Challenge is used to influence EAP retransmission behavior.
>>
>> I'm not sure any AP supports that.
>>
>> Alan DeKok.

Nicolas Goutte
Re: Unable to configure rlm_ldap on Solaris 10 - doesn't find libldap_r
On 08.07.2009 at 13:07, Steven Carr wrote: On 8/7/09 12:00, Ivan Kalik wrote: Your linker is probably looking in /usr/lib but not in /usr/local/lib. Add the correct path. I have tried with the following set: export LD_LIBRARY_PATH=/usr/local/lib checking for ldap_init in -lldap_r... no -lldap means compile time linking. By using LD_LIBRARY_PATH you change only runtime linking, which is not the same and I still get the same errors. Steve -- Steven Carr Systems Development Officer SLS/ITS/Systems - (0191) 515 3953 Nicolas Goutte
PEAP and Huntgroup-Name
Hello, I'm using Freeradius 2.0.4 from the package in Debian Lenny for WPA (for wifi) and 802.1x (for wired ethernet) authentication and authorization. They use PEAP/MSchapv2 for authentication. Most users are in LDAP and are allowed to connect either to wired ethernet or to wifi. But I also have to deal with some guest users, whose usernames all begin with the guest/ prefix, who are in a SQL database, and who only should be allowed to connect to wifi. Currently, the relevant part of my users file is: | DEFAULT Huntgroup-Name == ap, Prefix == guest/, Autz-Type := GUEST | Fall-Through = No | | DEFAULT Autz-Type := DEFAULT The trouble is the inner request has no NAS-IP-Address, so the Huntgroup-Name is not set and does not match. Running freeradius -X shows that the Huntgroup-Name condition is correctly verified for the outer request, but not for the inner one. And if I remove the Huntgroup-Name condition, everything works fine, but the guest users are allowed to connect to wired ethernet. Is there a way I can test the outer Huntgroup-Name in my users file? Regards, -- Nicolas Boullis Ecole Centrale Paris
Re: PEAP and Huntgroup-Name
Ivan Kalik wrote: Enable copy_request_to_tunnel in peap section of eap.conf. Hmmm... Now I feel stupid for not finding this myself... Thanks for showing me the right direction. Regards, -- Nicolas Boullis Ecole Centrale Paris
Re: Can't bring it to work on Centos 5.2...
On 03.07.2009 at 12:24, Mike wrote: Dear list, after 4 days of work and lots of google searches I'm really in the need for some help! My Setup: A Centos 5.2 x86_64 box, running source installations of postfix 2.5.x and Dovecot Imap with domain and users stored in mysql, all with tls enabled. Edimax AccessPoint 7206PDg My goal: Allowing User authentication for iPhone and Macs with user/password My current Setup: http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5 I've followed this as far as possible. Only one difference: I did build freeradius 1.1.7 from source in the lack of a rpm-package. I've configured with ./configure --libdir=/usr/lib64. While it only complains about some missing oracle odbc and other sql stuff and I don't want to use sql I don't think that this will cause any problems. Ok I think I will ask the question, which otherwise will be asked by someone else. If you have compiled from source, is there a reason why you have not used any new version (2.1.6), probably to have less work with the configuration? Have a nice day! Nicolas Goutte
Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
On 03.07.2009 at 13:24, Clement Ogedengbe wrote: OK. I have done that, But still returned the error below! Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect You have either Cleartext-Password or NT-Password defined in your LDAP database, haven't you? If not, see: http://deployingradius.com/documents/protocols/compatibility.html Have a nice day! ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = \010E=691 R=1 EAP-Message = 0x04080004 Message-Authenticator = 0x [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = \010E=691 R=1 EAP-Message = 0x04080004 Message-Authenticator = 0x [peap] Tunneled authentication was rejected. [peap] FAILURE Clement -Original Message- From: freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org ] On Behalf Of Ivan Kalik Sent: 03 July 2009 12:17 To: FreeRadius users mailing list Subject: Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server The user/password information are held in the LDAP server. I have been able to authenticate successfully with packets coming from non-EAP clients. But for EAP authentication clients, I have been receiving the following error lines. (I am using ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} to call the LDAP server. 
ntlm_auth is for Active Directory. Comment out ntlm_auth line in mschap module and it will work as long as you have clear or nt hashed password stored in ldap. Ivan Kalik Kalik Informatika ISP Nicolas Goutte
different default_eap_type for different users
Hello, I'm currently in the process of switching from an old freeradius 1.1.6 to a more recent 2.0.4 (both with debian packages, rebuilt against openssl). I used to support only 802.1x or WPA clients, all using PEAP/MSchapv2, so I had default_eap_type=peap in my configuration. But now, I will also have to support a few 802.1x clients using TLS or MD5. The bad news is that some IP phones fail to authenticate when default_eap_type=peap (they only support MD5). Changing to default_eap_type=md5 works, but I'm not satisfied with it since most clients use PEAP... In the default EAP configuration, it is written, about the default_eap_type=peap option: # If the EAP-Type attribute is set by another module, # then that EAP type takes precedence over the # default type configured here. Hence, I thought I would use the hints file to force EAP-Type (the good news is that I can recognize the IP phones with their username): CP-7942G-SEP0024C4BE96B7 EAP-Type = MD5-Challenge But this apparently does not work. I also tried to have several eap instances, and check User-Name to know which one to use in the authorize and authenticate section: if (User-Name == CP-7942G-SEP0024C4BE96B7) { eap_ipphones } else { eap } But then freeradius -X fails to start with: /etc/freeradius/sites-enabled/default[234]: Unknown Auth-Type (User-Name == CP-7942G-SEP0024C4BE96B7) in authenticate sub-section. Is there a way I can have per-user default_eap_type? Regards, -- Nicolas Boullis Ecole Centrale Paris France
Re: different default_eap_type for different users
Alan DeKok wrote: Nicolas Boullis wrote: I'm currently in the process of switching from an old freeradius 1.1.6 to a more recent 2.0.4 (both with debian packages, rebuilt against openssl). Why not 2.1.6? No good reason for this, only that current Debian stable (Lenny) has packages for 2.0.4, not 2.1.6. (And since administration of radius servers is only a small part of my work, I'd rather rely on Debian packages and Debian security team than track the potential security issues of all the server softwares that I use.) Hence, I thought I would use the hints file to force EAP-Type (the good news is that I can recognize the IP phones with their username): CP-7942G-SEP0024C4BE96B7 EAP-Type = MD5-Challenge But this apparently does not work. It's a *configuration* item, not a reply item. See man users ... CP-7942G-SEP0024C4BE96B7 EAP-Type := MD5-Challenge ... That will work. Unfortunately, it does not, freeradius still tries TLS (PEAP?): # freeradius -X (...) Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. 
rad_recv: Access-Request packet from host 138.195.254.246 port 1645, id=21, length=181
User-Name = CP-7942G-SEP0024C4BE96B7
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-1F-6D-11-DD-98
Calling-Station-Id = 00-24-C4-BE-96-B7
EAP-Message = 0x0203001d0143502d37393432472d534550303032344334424539364237
Message-Authenticator = 0xad86f0122944a370ac2bc487e0b292a4
NAS-Port-Type = Ethernet
NAS-Port = 50024
NAS-Port-Id = FastEthernet0/24
NAS-IP-Address = 138.195.254.246
+- entering group authorize
hints: Matched CP-7942G-SEP0024C4BE96B7 at 78
++[preprocess] returns ok
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/138.195.254.246/auth-detail-20090702
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/138.195.254.246/auth-detail-20090702
expand: %t -> Thu Jul 2 11:51:53 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = CP-7942G-SEP0024C4BE96B7, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 29
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry CP-7942G-SEP0024C4BE96B7 at line 135
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 21 to 138.195.254.246 port 1645
EAP-Message = 0x010400061920
Message-Authenticator = 0x
State = 0xe0c5d17fe0c1c8f39eb404d78a61b99b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Note the hints: Matched CP-7942G-SEP0024C4BE96B7 at 78 and rlm_eap: processing type tls. (... a few minutes later ...) I just tried to set EAP-Type in users rather that in hints, and now it works fine. Thanks! But why does it work in users and not in hints? (I thought I had to use hints because it is run before eap in the authorize section...) Cheers, -- Nicolas Boullis Ecole Centrale Paris France
Re: simple test,, how to go on?
On 01.07.2009 at 14:10, Rakotomandimby Mihamina wrote: 07/01/2009 02:53 PM, Rakotomandimby Mihamina:: [...] rlm_pap: login attempt with password mihamina rlm_pap: Using CRYPT encryption. rlm_pap: Passwords don't match ++[pap] returns reject [...] The question: What Have I got to put in the Cleartext-Password attribute in users in order to have Auth success? In this case, as you have tried the password mihamina it should have been: Cleartext-Password := mihamina Thank you. Have a nice day! -- IT Architect Gulfsat/Blueline: System Administration, Research and Development Mob: +261 33 11 207 36 Think of the environment before printing this message Nicolas Goutte
Re: i can't stop freeradius
Look at inetd, xinetd or any other daemon control software. (I do not know which one Ubuntu uses.) Normally it is on purpose that daemons get re-started when they are killed. Have a nice day! On 22.06.2009 at 13:24, Ayşe GİR wrote: (i love freeradius but i don't love freeradius on ubuntu ...) i install freeradius on ubuntu 9.4 but i can't stop freeradius... what can i do ? my console out r...@blacky:/etc/init.d# freeradius stop r...@blacky:/etc/init.d# ps -aux | grep freeradius Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html root 5193 0.0 0.0 106828 2556 ? Ssl Jun19 0:00 freeradius root 16823 0.0 0.0 7524 892 pts/2 R+ 14:13 0:00 grep freeradius r...@blacky:/etc/init.d# ( i use freeradius on centos everything is ok but on ubuntu everything is bad. :( ) i'm sorry for my bad english :) thank you for everything Nicolas Goutte
Re: radclient: no response from server ... please help newbe.
On 17.06.2009 at 13:43, Gregory Machin wrote: Hi Please could someone help a newbie ... I'm using the following stack FreeRADIUS Version 2.1.3 with coova-chilli-1.0.13 with Daloradius . I'm having issues with sending POD from Daloradius and radclient via the command line [r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1700' 'disconnect' 'test123' 2>&1 Sending Disconnect-Request of id 114 to 192.168.11.1 port 1700 User-Name = TC-Demo ^X^C [r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1814' 'disconnect' 'test123' 2>&1 Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814 User-Name = TC-Demo Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814 User-Name = TC-Demo Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814 User-Name = TC-Demo radclient: no response from server for ID 77 socket 3 [r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1813' 'disconnect' 'test123' 2>&1 Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813 User-Name = TC-Demo Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813 User-Name = TC-Demo Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813 User-Name = TC-Demo radclient: no response from server for ID 215 socket 3 [r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1812' 'disconnect' 'test123' 2>&1 Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812 User-Name = TC-Demo Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812 User-Name = TC-Demo Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812 User-Name = TC-Demo radclient: no response from server for ID 168 socket 3 The server is listening on all the ports I have tried .. 
r...@localhost ~]# netstat -antup | grep rad udp 0 0 0.0.0.0:1812 0.0.0.0:* 2461/radiusd udp 0 0 0.0.0.0:1813 0.0.0.0:* 2461/radiusd udp 0 0 0.0.0.0:1814 0.0.0.0:* 2461/radiusd What have I missed ... Do you know (via tcpdump, wireshark or so) that the packets do arrive on the computer where Freeradius runs? If not, check firewall settings of both computers and of anything that might be between. Have a nice day! Regards Gregory Machin Email: gmac...@techconcepts.co.za Cell: +27 (0) 72 524 5098 gtalk: gmachin.techconce...@gmail.com Support helpd...@techconcepts.co.za Tell: +27 (0) 11 803 2169 Fax: +27 (0) 11 803 2189 After Hours Cell:+27 (0) 82 790 0796 Nicolas Goutte
Re: help HMAC-MD5
On 04.06.2009 at 13:39, Marco De Magistris wrote: Hi all, Sorry, but I’m confused about HMAC-MD5 method. I’m working on Radius Proxy Implementation. The scenario is the following RADIUS Client - Radius Proxy - Radius Server. Radius Client sends a Radius Packet towards Radius Proxy (Message-Authenticator not used). Radius Proxy sends the Radius Packet towards Radius Server using HMAC-MD5 method. How to configure RADIUS Proxy? Should I add MD5-Password Attribute? MD5-Password is identical to Shared Secret between Radius Proxy and Radius Server? Be careful that using MD5 is not possible with all authentication methods: http://deployingradius.com/documents/protocols/compatibility.html (as you cannot uncrypt a hash) Thanks in advance Marco Have a nice day! Nicolas Goutte
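For the client, proxy, server scenario asked about above, the HMAC-MD5 value in a RADIUS packet is the Message-Authenticator attribute (type 80, RFC 2869 section 5.14): HMAC-MD5 over the whole packet with the attribute's 16 value bytes zeroed, keyed with the shared secret of that hop. The following is an added example, not code from the thread or from FreeRADIUS; the function names, secrets and sample attributes are constructed, and it covers Access-Request packets only.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80


def encode_attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident, attrs, authenticator=None):
    """Build an Access-Request without Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body


def find_message_authenticator(packet):
    """Return the offset of the 16 value bytes of attribute 80, or None."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 16 bytes")
            return pos + 2
        pos += attr_len
    return None


def sign(packet, secret):
    """Return the packet with Message-Authenticator computed for this hop."""
    offset = find_message_authenticator(packet)
    if offset is None:
        raise ValueError("no Message-Authenticator attribute to fill in")
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:length]
    digest = hmac.new(secret, zeroed, hashlib.md5).digest()
    return zeroed[:offset] + digest + zeroed[offset + 16:]


def verify(packet, secret):
    """True only if attribute 80 is present and matches this hop's secret."""
    offset = find_message_authenticator(packet)
    if offset is None:
        return False
    expected = sign(packet, secret)[offset:offset + 16]
    return hmac.compare_digest(expected, packet[offset:offset + 16])


def proxy_forward(packet, server_secret):
    """Add Message-Authenticator if the client sent none, then sign the
    packet with the proxy-to-server secret.

    A real proxy also picks its own identifier, adds Proxy-State and
    re-encodes User-Password for the next hop; that is left out here.
    """
    length = struct.unpack("!H", packet[2:4])[0]
    packet = packet[:length]
    if find_message_authenticator(packet) is None:
        packet += encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
        if len(packet) > 4096:
            raise ValueError("packet exceeds the RADIUS maximum")
        packet = packet[:2] + struct.pack("!H", len(packet)) + packet[4:]
    return sign(packet, server_secret)
```

The key is the ordinary shared secret configured for the proxy-to-server link; no separate password attribute is involved in computing the value.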
Re: supported encryption
On 02.06.2009 at 11:09, Rakotomandimby Mihamina wrote: Hi all, At the moment, our FreeRadius (v1.x) is looking up users in a PGSQL database, with clear username and clear password in the fields. We would like to switch it to FreeRadius (v2.x) and by the way, crypt (SHA, just crypt(),...) the password in the Database. What encryption is supported by FreeRadius, so that I could just make the PGSQL query with the encrypted password? You can look at http://deployingradius.com/documents/protocols/compatibility.html for which type of hashing can be used with which type of authentication protocol. Thank you. Have a nice day! Nicolas Goutte
Re: communication safe ssh - NAS - FreeRADIUS ?
On 19.05.2009 at 14:14, François Mehault wrote: Hi, I authenticate on cisco equipments via ssh/telnet. There is no supplicant, so I don’t understand in my case and i would like to know if the communication between my cisco equipment and my FreeRadius is safe. I have a secret shared between both. I understand that the communication between freeradius and the client radius use the protocol Radius. But in my case there is no PEAP, EAP/TLS … Someone can confirm me please if the communication is safe ? because I afraid to see in the file users my password in clear-text. Is it possible to use md5, ssha … and how ? For the compatibility, see http://deployingradius.com/documents/protocols/compatibility.html Thanks, Regards, François Have a nice day! Nicolas Goutte
Re: R: Common error on sql_counter on Ver 2.1.5
On 18.05.2009 at 18:15, Mauro Iorio - Smart Soft s.r.l. wrote: User entry didn't match. Post the debug (radiusd -X) and the user entry. You wouldn't be using User-Password as the password attribute? From radcheck table Id Username Attribute Value op 7216 mauro Password flower == Try to assign ( := ) the password, not to compare ( == ) it. Also probably Password is not the right attribute name. Try to use Cleartext-Password ... From usergroup table [...] !!! Replacing User-Password in config items with Cleartext-Password. !!! !!! Please update your configuration so that the known good !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! ... as the log is asking. [...] Have a nice day! Nicolas Goutte
Re: FreeRADIUS Active Directory Integration
On 14.05.2009 at 19:31, Davies, Mike wrote: We’re not able to get the user authenticated. [...] radiusd: Loading Virtual Servers server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_chap Module: Instantiating chap Module: Instantiating ntlm_auth exec ntlm_auth { wait = yes program = /usr/bin/ntlm_auth --request-nt-key --domain=DOM002 --username=%{mschap:User-Name} --password=%{User-Password} I do not know much about ntlm_auth but I can see that this call seems to differ widely compared to the change that was proposed in the last hours for Freeradius 2.1.6: ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} See archive: http://lists.freeradius.org/pipermail/freeradius-users/2009-May/msg00254.html input_pairs = request shell_escape = yes } [...] Have a nice day! Nicolas Goutte
Re: Upgrading freeradius from source
On 13.05.2009 at 11:06, Ivan Kalik wrote: 2.1.4/2.1.5 release had identity crises. 2.1.8. will be available in matter of days. It's on pre-release testing. I hope you mean 2.1.6 ;-) Ivan Kalik Kalik Informatika ISP --- On Tue, 5/12/09, John Dennis jden...@redhat.com wrote: I think you'll save yourself a lot of headaches if you stick with RPM based packages. If the version of FreeRADIUS is not available as an RPM for the version of the distro you're using then you can find instructions for how to download, build and install the *RPM* for a current version here: http://wiki.freeradius.org/Red_Hat_FAQ I can't find a SOURCE RPM for 2.1.4 yet for fedora. I tried one of those 2.1.3 rpm, it works perfectly on my older fedora distro, even though it seem to indicate that they are for newer fedora. So I guess I have to wait a little longer. Regards. Nicolas Goutte
Re: test
On 12.05.2009 at 11:31, François Mehault wrote: From: François Mehault Sent: Tuesday, 12 May 2009 11:27 To: 'freeradius-users@lists.freeradius.org' Cc: François Mehault Subject: RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap Hi All, Don't worry. We do receive your emails. See also http://lists.freeradius.org/pipermail/freeradius-users/2009-May/date.html Have a nice day! Nicolas Goutte
Re: FR Using MAC Authentication
On 08.05.2009 at 17:35, Steve Wu wrote: Hi - I have just started tinkering with Freeradius, I built an Ubuntu 8.10 server box and installed FR -- sudo apt-get install freeradius*. It installed in a breeze and tested fine. I have setup a HP420 AP for testing, it's chattering with the FR box fine (I think). I want my wireless clients to do MAC authentication via the FR box. I have setup my users file to auth two of my test laptops: 000E35-84610A Auth-Type := Local, User-Password == esradius 00215C-08B25D Auth-Type := Local, User-Password == esradius Try to assign ( := ) the password instead of comparing ( == ) it. When either tries to connect up, in the FR debug I see: rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53 User-Name = 00215c-08b25d User-Password = 00215c-08b25d Processing the authorize section of radiusd.conf The authentication eventually fails: rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this. Why is the User-Password the MAC address and not what is specified in the users file? I have only tweaked the users and clients.conf files. Just simple MAC authentication, that's all I want at this point. Thanks in advance! - Steve Nicolas Goutte
Re: Error after installation
Run ldconfig on the path where the .so file is. On 30.04.2009 at 17:52, Xiaochen Jing wrote: Hello, I newly installed 2.1.4. When I want to run radiusd -X, I get an error saying “radiusd: error while loading shared libraries: libfreeradius-radius-2.1.5.so: cannot open shared object file: No such file or directory” I double checked, libfreeradius-radius-2.1.5.so and other lib files are indeed located in /usr/local/lib. And I notice that lib version (2.1.5) is different than freeradius version (2.1.4). Is that why I am having the error while running radius -X Now I am going through ./configure and trying to any error message. But does anyone know why this happens? Thanks in advance XJ Nicolas Goutte
Re: %RADIUS-4-RADIUS_ALIVE | %RADIUS-4-RADIUS_DEAD help
On 27.04.2009 at 09:08, ramesh p wrote: I'm seeing the following weirdness from my freeradius server and when i see the radiusd process its stopped status. why this happens. any valid reasons for this? Apr 26 00:18:44.498: %RADIUS-4-RADIUS_ALIVE: RADIUS server X.X.X.X:0,1813 is being marked alive. Apr 26 00:18:50.777: %RADIUS-4-RADIUS_DEAD: RADIUS server X.X.X.X:0,1813 is not responding. Apr 26 00:18:50.777: %RADIUS-4-RADIUS_ALIVE: RADIUS server X.X.X.X:0,1813 is being marked alive. Apr 26 00:18:59.133: %RADIUS-4-RADIUS_DEAD: RADIUS server X.X.X.X:0,1813 is not responding. Apr 26 00:18:59.133: %RADIUS-4-RADIUS_ALIVE: RADIUS server X.X.X.X:0,1813 is being marked alive. Apr 26 00:19:04.765: %RADIUS-4-RADIUS_DEAD: RADIUS server X.X.X.X:0,1813 is not responding. Thanks in advance. Have you checked the output of radiusd -X if there is a reason given or any other hint? Regards, Rams. Have a nice day! Nicolas Goutte
Re: ldap+freeradius
On 24.03.2009 at 18:00, David N'DAKPAZE wrote: I want to use crypt -passwords (pap) but I don't know where to define it. Only cleartext-passwords are accepted. Can somebody help me PAP needs cleartext passwords (see http://en.wikipedia.org/wiki/Password_authentication_protocol ) Have a nice day! 2009/3/24 t...@kalik.net Client RADIUS { .. That should be: client RADIUS { .. Ivan Kalik Kalik Informatika ISP Nicolas Goutte
Re: ldap+freeradius
Forget what I have written, see http://deployingradius.com/documents/protocols/compatibility.html On 24.03.2009 at 18:05, Nicolas Goutte wrote: On 24.03.2009 at 18:00, David N'DAKPAZE wrote: I want to use crypt -passwords (pap) but I don't know where to define it. Only cleartext-passwords are accepted. Can somebody help me PAP needs cleartext passwords (see http://en.wikipedia.org/wiki/Password_authentication_protocol ) Have a nice day! 2009/3/24 t...@kalik.net Client RADIUS { .. That should be: client RADIUS { .. Ivan Kalik Kalik Informatika ISP Nicolas Goutte
Re: ldap+freeradius
On 24.03.2009 at 18:15, David N'DAKPAZE wrote:

> Please which protocol more secure can i use with ldap as database?

As I wrote in the email as answer to my email (and a URL I missed to find the whole day as answer to your problems), see http://deployingradius.com/documents/protocols/compatibility.html

There you have a list of what protocols can be used when you have which type of passwords available for freeradius.

> 2009/3/24 Nicolas Goutte nicolas.gou...@extragroup.de
>
>> On 24.03.2009 at 18:00, David N'DAKPAZE wrote:
>>
>>> I want to use crypt-passwords (pap) but I don't know where to define it. Only cleartext-passwords are accepted. Can somebody help me
>>
>> PAP needs cleartext passwords (see http://en.wikipedia.org/wiki/Password_authentication_protocol)
>>
>> Have a nice day!
>>
>>> 2009/3/24 t...@kalik.net
>>>
>>> Client RADIUS { ..
>>>
>>> That should be: client RADIUS { ..
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>
>> Nicolas Goutte
>> extragroup GmbH - Karlsruhe

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: problem with ldap authentication
On 23.03.2009 at 16:46, Frank Bonnet wrote:

> hello
>
> I'm in trouble with a debian version of freeradius. I've installed chillispot and freeradius packages but it won't work for LDAP users, it fails with such error messages:
>
> Mon Mar 23 16:41:05 2009 : Auth: Login incorrect: [/CHAP-Password] (from client localhost port 31 cli 00-13-02-AE-F1-01)
>
> Any help/idea welcome

Be sure to assign passwords ( := ) and not to compare ( == ) passwords. Also check that the shared secret is really the same.

Otherwise, I suppose that you will be asked to give the output of radiusd -X

> Thank you.

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: Next release of freeradius
On 10.03.2009 at 15:28, Clare Scally wrote:

> Hi, Can anyone tell me when the next freeradius release is due?

If you mean 2.1.4, it has been released today.

> Regards, Clare Scally.

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: Version 2.1.4 has been released
On 10.03.2009 at 13:17, Alan DeKok wrote:

> This version comes 3 months after 2.1.3, which is a bit more of a delay than we would like. However, it includes a number of minor bug fixes, and some interesting new features.
>
> The best new feature is one that has been needed for a long time. The (easy) ability to see debugging output from a live server. You can now do this via the raddebug command.
>
> FreeRADIUS 2.1.4 Thu Dec 25 17:40:00 CEST 2008; , urgency=medium

Just a nitpick: the date above is probably the one of 2.1.3 (around three months ago) and not the date of today.

> [...]

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: Config. Help please - ldap and Active Directory
On 06.03.2009 at 12:20, Leighton Man wrote:

> Hi, I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience.
>
> I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth. All working OK. Now I'm trying to return different reply attributes depending on Active Directory group membership and restrict which groups can authenticate.
>
> Ldap lookups against the active directory root fail with operation error. Reconfiguring Active Directory is not a viable option so I have to specify an OU= in the query. I have configured two instances of the ldap module for authorisation, one to query the staff ou and the other to query the student ou. Both work OK for valid queries but if the user does not exist in the ou the server still authenticates the username/password and grants access if valid.
>
> Relevant debug output:
>
> rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=stafftest)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap_student returns notfound for request 8
> modcall: leaving group student (returns notfound) for request 8
> rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 8
> rlm_eap: Request found, released from the list
> ...
> rlm_eap_peap: Tunneled data is valid.
> rlm_eap_peap: Success
> rlm_eap: Freeing handler
> modcall[authenticate]: module eap returns ok for request 8
> modcall: leaving group authenticate (returns ok) for request 8
> Sending Access-Accept of id 104 to 10.127.240.217 port 1645
>
> Relevant bits of radiusd.conf:
>
> ldap ldap_student{
>     server = server.hud.ac.uk
>     identity = cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk
>     password = secret

Try using := instead of = or ==

You have to assign the password, not compare to it.

Also perhaps you should use Cleartext-Password if the password is in clear here.

>     port = 636
>     basedn = ou=students, dc=ad, dc=hud, dc=ac, dc=uk
>     filter = (sAMAccountName=%{mschap:User-Name:-%{User-Name}})
>     start_tls = no
>     access_attr = dialupAccess
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     ldap_connections_number = 5
>     groupname_attribute = cn
>     groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
>     groupmembership_attribute = radiusGroupName
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
> }
>
> instantiate {
>     exec
>     expr
>     ldap_staff
>     ldap_student
> }
>
> authorize {
>     preprocess
>     mschap
>     suffix
>     eap
>     Autz-Type staff{
>         ldap_staff
>     }
>     Autz-Type student{
>         ldap_student
>     }
>     files
> }
>
> authenticate {
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     eap
> }
>
> I want to reject the user if they are not in the relevant ou. I must be missing something obvious. Can anyone help please?
>
> Thanks in advance, Leighton

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: SV: SV: SV: SV: No known good password
On 04.03.2009 at 11:24, Ove Fagerheim wrote:

> Hmm, that gives me a policy problem, my company *does not* use Linux.

If you do not mean only Windows, see the other options, like for example MacOS, BSD, Solaris: http://wiki.freeradius.org/Platforms

> Is there any Windows ports out there? I've checked http://download.opensuse.org/repositories/network:/aaa/, but I'm uncertain which folder to select and which files to download
>
> Ove

Have a nice day!

> -Original message-
> From: freeradius-users-bounces+ove.fagerheim=helgelandskraft...@lists.freeradius.org [mailto:freeradius-users-bounces+ove.fagerheim=helgelandskraft...@lists.freeradius.org] On behalf of Alan DeKok
> Sent: 4 March 2009 10:43
> To: FreeRadius users mailing list
> Subject: Re: SV: SV: SV: No known good password
>
> Ove Fagerheim wrote:
>
>> After uncommenting the entry, FreeRadius does not start. Errors:
>> E:\FreeRADIUS.net\binradiusd -X
>
> Ah freeradius.net. That's a cygwin build of a *very* old version of the server.
>
> I'd suggest running it instead on a Linux machine. You can run a *new* version of the server.
>
> Alan DeKok.

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: No known good password
On 03.03.2009 at 12:54, Ove Fagerheim wrote:

> Hello all
>
> Is there room for a newbie question here? This is my first Radius server.
>
> I get the message No known good password when trying to authenticate users. The users are coming from one of two possible VPN tunnels. I assume clients.conf is correctly configured.
>
> Any help is highly appreciated.
>
> Best regards
> Ove Fagerheim
>
> From Users.conf:
>
> snip
> user1 Service-Type == Framed-User, User-Password == password,
> # Addresses from 10.194.0.1 to 10.194.63.254
> # Auth-Type = System,
>     Framed-IP-Address = 10.194.0.1,
>     Framed-IP-Netmask = 255.255.192.0,
>     Fall-Through = Yes
>
> DEFAULT Service-Type == Framed-User, Huntgroup-Name == Huntgroup-1,
>     Framed-Protocol = GPRS-PDP-Context,
>     NAS-Identifier = STCGGSN3,
>     Called-Station_id = My-Station-Id-String,
>     Reply-Message = %u is granted access
>
> user1 Service-Type == Framed-User, User-Password == password,

You must assign passwords, not compare them. So try to use := instead of ==

And as in the previous answer, probably you need Cleartext-Password instead of User-Password

> # Addresses from 10.192.64.1 to 10.192.127.254
> # Auth-Type = System,
>     Framed-IP-Address = 10.192.64.1,
>     Framed-IP-Netmask = 255.255.192.0,
>     Fall-Through = Yes
>
> DEFAULT Service-Type == Framed-User, Huntgroup-Name == Huntgroup-2, ,
>     Framed-Protocol = GPRS-PDP-Context,
>     NAS-Identifier = FBUGGSN3,
>     Called-Station_id = My-Station-Id-String,
>     Reply-Message = %u is granted access
> snip
>
> From Huntgroups:
>
> snip
> Huntgroup-1 NAS-IP-Address == 172.x.x.0
> Huntgroup-1 NAS-IP-Address == 172.x.x.1
> . . .
> Huntgroup-1 NAS-IP-Address == 172.x.x.14
> #
> #
> Huntgroup-2 NAS-IP-Address == 172.y.y.240
> Huntgroup-2 NAS-IP-Address == 172.y.y.241
> . . .
> Huntgroup-2 NAS-IP-Address == 172.y.y.254
> snip
>
> logfile log\radius\radacct\NAS-IPAddress\auth-detail-20090303.log: (username is client telephone number)
>
> snip
> Packet-Type = Access-Request
> Tue Mar 3 08:37:36 2009
> NAS-IP-Address = 172.x.x.2
> NAS-Identifier = STCGGSN3
> Called-Station-Id = My-Station-Id-String
> Framed-Protocol = GPRS-PDP-Context
> Service-Type = Framed-User
> NAS-Port-Type = Virtual
> NAS-Port = 16861232
> User-Name = user1
> User-Password = password
> Calling-Station-Id = user1
> Client-IP-Address = 172.x.x.2
> Huntgroup-Name = Huntgroup-1
> snip
>
> logfile log\radius\radius.log
>
> snip
> Mon Feb 16 12:00:54 2009 : Info: Ready to process requests.
> Mon Feb 16 12:01:49 2009 : Auth: Login incorrect: [user1/password] (from client TelenorTVK1 port 35970456 cli 4790622859)
> Mon Feb 16 12:02:04 2009 : Auth: Login incorrect: [user1/password] (from client TelenorTVK1 port 33168936 cli 4790622859)
> Mon Feb 16 12:02:17 2009 : Auth: Login incorrect: [user1/password] (from client TelenorTVK1 port 30960664 cli 4790622859)
> Mon Feb 16 12:03:57 2009 : Info: Using deprecated naslist file. Support for this will go away soon.
> Mon Feb 16 12:03:57 2009 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Mon Feb 16 12:03:57 2009 : Info: rlm_eap_tls: Loading the certificate file as a chain
> Mon Feb 16 12:03:57 2009 : Info: WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
> Mon Feb 16 12:03:57 2009 : Info: Ready to process requests.
> snip
>
> If the above errors are unrelated to my issue, I still would very much appreciate any hints on how to fix them.

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: FR 2.1.3 compile problem
Looking for lt__PROGRAM__LTX_preloaded_symbols in my email archive, this was already reported on 2009-02-02 for Linux (thread Installation Problem), but as far as I know no definite answer was given.

Have a nice day!

On 26.02.2009 at 16:16, Chris Howley wrote:

> Alan,
>
> I encountered the following problem (see below) when attempting to compile the latest version of 2.1.3 (stable code) from the git tree. Your help in fixing this problem would be appreciated.
>
> Thanks, Chris
>
> Environment: SunOS XX 5.10 Generic_120012-14 i86pc i386 i86p
>
> gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o .libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o /sandbox/radiusd/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lsocket -lposix4 -lpthread -lcrypt /usr/local/lib/libltdl.so -lssl -lcrypto -R/usr/local/lib
> Undefined                           first referenced
>  symbol                                 in file
> lt__PROGRAM__LTX_preloaded_symbols  .libs/modules.o
> ld: fatal: Symbol referencing errors. No output written to .libs/radiusd
> collect2: ld returned 1 exit status
> gmake[4]: *** [radiusd] Error 1
> gmake[4]: Leaving directory `/sandbox/radiusd/src/main'
> gmake[3]: *** [common] Error 2
> gmake[3]: Leaving directory `/sandbox/radiusd/src'
> gmake[2]: *** [all] Error 2
> gmake[2]: Leaving directory `/sandbox/radiusd/src'
> gmake[1]: *** [common] Error 2
> gmake[1]: Leaving directory `/sandbox/radiusd'
> gmake: *** [all] Error 2

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: does peap/mschap-v2 must use with ldap?
On 25.02.2009 at 09:59, 张虓 wrote:

> [...]
>
> Is it because I have not configured LDAP? Must PEAP/MSCHAP-V2 be used with LDAP? In my database I have already added the testuser User-Password := test123 in the radcheck table but it doesn't work.

Try using Cleartext-Password instead of User-Password, so that mschap has a chance to compute the correct hash.

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: CHAP authentication + FreeRadius + SQL
On 18.02.2009 at 16:39, Marcelo Freitas wrote:

> Hello,
>
> I'm trying to authenticate users using CHAP and store the passwords in the SQL, but I'm having a hard time. I checked past messages, but I still couldn't get it to work ...
>
> Below is my Access-Request packet
>
> Wed Feb 18 12:31:04 2009
> Packet-Type = Access-Request
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 000E2EEB1D91
> Called-Station-Id = hotspot1
> NAS-Port-Id = wHotSpotB
> User-Name = admin2
> NAS-Port = 2153775219
> Acct-Session-Id = 80600073
> Framed-IP-Address = 10.5.50.253
> Mikrotik-Host-IP = 10.5.50.253
> CHAP-Challenge = 0x4f0299d5a5107ded915739e236f71e3c
> CHAP-Password = 0x606707e3411f443140573554283c987ca5
> Service-Type = Login-User
> WISPr-Logoff-URL = http://10.5.50.1/logout;
> NAS-Identifier = AP_HQ
> NAS-IP-Address = 10.0.1.130
>
> In MySQL I just have Cleartext-Password == admin2 for check items ... But I always get Access-Reject.
>
> Before checking the past messages, I had already check items like Auth-Type := CHAP, Cleartext-Password == admin2; and also just CHAP-Password, but none of it worked ...

Try to use := for Cleartext-Password instead of ==

(Think about assigning the password, instead of comparing it.)

> Thanks in advance,

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
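Why CHAP needs a known-good cleartext password on the server: the RADIUS server must recompute MD5(ident || password || challenge) itself (RFC 1994) and compare it with the 16 digest bytes carried in CHAP-Password. This is an added example, not part of the thread or of FreeRADIUS; the helper names and the exchange in `demo()` are constructed, and only the two hex attribute values are taken from the Access-Request quoted above.

```python
import hashlib
import hmac

# Attribute values copied from the Access-Request quoted in the post above.
PAGE_CHAP_CHALLENGE = bytes.fromhex("4f0299d5a5107ded915739e236f71e3c")
PAGE_CHAP_PASSWORD = bytes.fromhex("606707e3411f443140573554283c987ca5")


def split_chap_password(attr: bytes):
    """Split a RADIUS CHAP-Password attribute into (CHAP ident, MD5 response)."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 1 ident byte + 16 digest bytes")
    return attr[0], attr[1:]


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(attr: bytes, challenge: bytes, known_good: bytes) -> bool:
    """Server-side check: recompute the digest from the stored password."""
    ident, received = split_chap_password(attr)
    expected = chap_response(ident, known_good, challenge)
    return hmac.compare_digest(expected, received)


def demo():
    # Constructed sample exchange (not from the post).
    ident = 0x2A
    challenge = bytes(range(16))
    cleartext = b"s3cret-example"
    attr = bytes([ident]) + chap_response(ident, cleartext, challenge)

    # What a directory might hold instead of the cleartext (constructed):
    # a one-way hash of the password cannot be fed into the CHAP digest.
    stored_md5 = hashlib.md5(cleartext).hexdigest().encode()

    return {
        "cleartext": verify_chap(attr, challenge, cleartext),
        "wrong_password": verify_chap(attr, challenge, b"other"),
        "stored_hash": verify_chap(attr, challenge, stored_md5),
        # The same response replayed against a fresh challenge must fail.
        "replayed_on_new_challenge": verify_chap(attr, bytes(16), cleartext),
    }


if __name__ == "__main__":
    ident, digest = split_chap_password(PAGE_CHAP_PASSWORD)
    print(f"post's CHAP ident=0x{ident:02x}, digest={digest.hex()}")
    for case, ok in demo().items():
        print(f"{case:26} -> {'accept' if ok else 'reject'}")
```
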
Re: Error binding port to ipv6 address
On 09.02.2009 at 17:17, D'AVELLA STEFANO wrote:

> Hello,
>
> I am new to Freeradius. I am running Freeradius 2.1.0 on Ubuntu 8.10, built from source. I have already read all the documentation I could find in the config files and in the wiki.
>
> The machine has two network interfaces, eth0 and eth1, the first configured with ipv4 and the second with ipv6. I am interested on using freeradius with ipv6 support so I would like to test it using it only on eth1 interface.
>
> The point of my testbed will be to define a new attribute and transfer it to the client when it is authorized. But before doing it I am finding some problems in opening the ip6 socket in the server.
>
> In fact I configured users and clients.conf to allow my ip6 client to connect to the server, and then in the radiusd.conf file I commented the ip4 listening option and uncommented the ip6 one. (I also commented the accounting listening part because I am not interested in it).
>
> The problem is that when I run the server it exits saying (last lines):
>
> Module: Checking session {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> }
> radiusd: Opening IP addresses and Ports
> listen {
>     type = auth
>     ipv6addr = :: IPv6 address [::]
>     port = 0
> /etc/freeradius/radiusd.conf[236]: Error binding to port for :: port 1812

Be sure that no other freeradius is running and also that you have enough rights to open such a port.

Look in your inet.d or similar to avoid that another service is run instead of the planned freeradius.

> I checked if the ip6 interface is properly configured, and it seems so (i can ping other ip6 nodes, and also writing another little c program to bind an ip6 socket works fine)
>
> Changing port doesn't solve the issue. Commenting or uncommenting the interface line in radiusd.conf doesn't change anything. Trying different types of ip6 addresses (::1, or manually assigned ones) doesn't work either.
>
> Obviously with ip4 I don't have any kind of problem. I can't understand if it is a freeradius configuration problem or a system configuration one.
>
> Thank you for your help!
>
> Regards,

Have a nice day!

> --
> Stefano D'Avella

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: mschap No Cleartext-Password configured
On 08.10.2008 at 09:49, alois blasbichler wrote:

> ablasbichler Cleartext-Password == ablasbichler
>
> With no success
>
> Should be := not ==.
>
> Hello
>
> Thank you for the answers. I changed how you suggested but without success.
>
> Another thing : we use md5 encrypted passwords in our Ldap-DB for userpasswords - is it right that the line above in users overwrite this ?

I am not sure, so I won't answer this one.

> Here my log (tested with user test password alois)
>
> Why pap use CRYPT encryption not it should be cleartext ?

If you define a Cleartext-Password for a user, it does not mean that you force the use of cleartext for the authentication for the user. If the authentication needs the password in another form, it will transform the cleartext password into the needed form. (For example for MS-CHAP, it would encode the password into UTF32-LE and then make the MD4 hash of it.)

> by luis

Have a nice day!

> [...]

Nicolas Goutte
extragroup GmbH - Karlsruhe