RE: Basic ?

2004-06-18 Thread Joel Eddy
Before I go jumping off the deep end, what OS would be the best and easiest to
use for Free Radius?

Fedora Core 2
FreeBSD
Debian
Mandrake
Or ???

I want something simple, easy to configure, and that will be the most stable in the
long run.
I've used Red Hat, Fedora Core 1 and FreeBSD, so I'm somewhat familiar with them.
But if there is something better I'm all ears, as I'm still somewhat of a newbie
to the world of Linux. Basically I know enough to be dangerous. ;-)

I have two 3COM Total Control 1000 modem sets.

The server is a:
Pentium CPU running at 333 MHz
128 MB RAM
10 GB hard drive

Probably not big enough, but I'm hoping it will do this simple task of RADIUS
authentication.
And I'd like to have a MySQL backend for it.

Any info or ideas are appreciated.

Sincerely,

Joel


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic ?

2004-06-18 Thread Alan DeKok
"Joel Eddy" <[EMAIL PROTECTED]> wrote:
> Before I go jumping off the deep end, what OS would be the best and easiest to
> use for Free Radius?

  I'm partial to NetBSD, but that's just me.

  For most purposes, it doesn't really matter.  Use what you're
familiar with.

  Alan DeKok.




RE: Basic ?

2004-06-21 Thread Frédéric EVRARD
> Before I go jumping off the deep end, what OS would be the best and
> easiest to
> use for Free Radius?
>
> Fedora Core 2
> FreeBSD
> Debian
> Mandrake
> Or ???

I'm a Linux and FreeRADIUS newbie and I've been using FreeRADIUS for two months
on Mandrake 9.2; it's not too hard to configure and it works very
well (802.1X, EAP/MD5/TLS).

Fred.Evrard





Basic question

2004-09-13 Thread Robert Schultz
Hi.

I am currently trying to build a Linux access point with freeRADIUS 1.0.0 as the
auth server.

I want to use EAP-TLS first and, after that works, I have to implement
EAP-TTLS. The client is Xsupplicant.
So I have a few questions that came up as I progressed:

1) What kind of certificate does freeRADIUS expect from a client (specifically,
which key length)? I get a message like "rlm_eap_tls: >>> TLS 1.0 ALERT
[length 0002], fatal unsupported_certificate" when trying to authenticate
with EAP-TLS.

2) When using EAP-TTLS, what AUTH-TYPE do I have to use in the users file
(later I will authenticate against an LDAP server, but for now I need to use
that file)? Setting the specific user to AUTH-TYPE = EAP works for TLS, but
what should I choose for EAP-TTLS?

3) Concerning dynamic WEP key assignment:
Who does this, hostapd or freeRADIUS?
Hostapd has an option to turn re-keying on, but when using that, nothing
works, because the client doesn't know about the current WEP key the
access point has, which leads to an initial communications failure. So I
guess freeRADIUS should take care of this, but I just can't find out where
that is configured. Can someone tell me please?


Thanks to anybody who can help me with these problems.
I don't know where to look that up anymore.


Greetings,
Robert




Basic Question

2005-12-05 Thread Santy
Dear all,
first of all let me say thanks to those who made
this incredible open source software :).
I am new to FreeRADIUS and I hope you guys don't
mind answering my basic questions.
I want to build a system for only one or two users.
And I wonder whether:
1. I need a database for it (MySQL)? At first I thought I
wouldn't need it, but then I think I might need it for my
accounting report. Or can I have it in a simple text file?
2. I have already built the system using 2 computers, one
acting as NAS and server, the other as client. Is my
configuration right?
3. Can I avoid using EAP? For now it is enough to
just authenticate the user by his password.
Thanks a lot in advance, and I hope you are willing to answer
them.
SanSar



Basic dialup_admin mods

2004-05-07 Thread Mark Constable
I'm just starting out with changing over from xtRadius to
freeRadius and testing things for the next few days. I'll be 
looking hard at dialup_admin and just now I've got it up on 
my own test box and I can see there are a few basic and obvious 
mods that could be made... that I will be doing anyway, and 
more, for myself but could be of general interest.

. I'd be prepared to find every instance of *.php3
  and change them _ALL_ to just *.php
. change all $HTTP_*_VARS to just $_SERVER etc
. catch all missing isset($var) warnings
. ensure error_reporting(E_ALL) compatible
. ensure it runs under PHP5 (my test system)

Are these changes of any use to anyone else and if so how
could I go about supplying the changes to whoever wants them?

--markc



Re: Basic question

2004-09-13 Thread Robert Schultz
- Original Message - 
From: "Robert Schultz" <[EMAIL PROTECTED]>

> 1) What kind of certificate does freeRADIUS expect from a client (specifically,
> which key length)? I get a message like "rlm_eap_tls: >>> TLS 1.0 ALERT
> [length 0002], fatal unsupported_certificate" when trying to authenticate
> with EAP-TLS.

Update:
before freeRADIUS states that message, it gives me a "certificate:
unsupported purpose" message.

So I guess my client certificate is not what it should be; I generated it
with

#> openssl req -newkey rsa:512 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
#> openssl rsa < tempkey.pem > client_key.pem
#> openssl ca -in tempreq.pem -out client_crt.pem

Which mistake did I make?


Thank you

Robert




Re: Basic question

2004-09-14 Thread Robert Schultz
> Update:
> before freeRADIUS states that message, it gives me an "certificate:
> unsupported purpose" message.

Problem solved.
The client certificate needed to be signed as a client certificate (not just
simply signed).

With an additional file named 'ext' containing

[ client ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

the certificates are signed with

#> openssl ca -extensions client -extfile ext -in tempreq.pem -out client_crt.pem
#> openssl ca -extensions server -extfile ext -in tempreq.pem -out server_crt.pem

I still need to know about rekeying and the EAP-TTLS User Configuration.


Thank you
Robert
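
Robert's fix, reproduced as an added example (not from the thread and not FreeRADIUS's own code): a throw-away CA signs the same request under the thread's [ client ] and [ server ] extension sections, and "openssl verify -purpose" shows which certificate passes as a client certificate and which is rejected with "unsupported certificate purpose", the same purpose check that rlm_eap_tls relies on. It assumes openssl on PATH and uses "openssl x509 -req" in place of "openssl ca" so that no CA database is needed; the extension file is the one posted above.

```shell
#!/bin/sh
# Added example, not from the list thread and not FreeRADIUS code: reproduce the
# certificate purpose check that produced "certificate: unsupported purpose".
# A throw-away CA signs one request (tempreq.pem) twice with the thread's 'ext'
# file, once under [ client ] and once under [ server ], and "openssl verify
# -purpose" then reports which of the two passes as a client certificate.
# "openssl x509 -req" stands in for the thread's "openssl ca" so that no CA
# database (index.txt, serial) is needed; the extension file is the same.
set -eu

# The two extension sections exactly as posted in the thread.
EKU_EXT='[ client ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1'

# make_demo_certs DIR: write ca.pem, client_crt.pem and server_crt.pem into DIR.
make_demo_certs() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' "$EKU_EXT" > "$dir/ext"
    # Self-signed demo CA; the CN is a constructed placeholder.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # One key pair and one request, the same starting point as in the thread.
    openssl req -newkey rsa:2048 -nodes -subj /CN=demo-client \
        -keyout "$dir/client_key.pem" -out "$dir/tempreq.pem" 2>/dev/null
    # Sign the same request under each section of the extension file.
    for section in client server; do
        openssl x509 -req -days 1 -in "$dir/tempreq.pem" \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/ext" -extensions "$section" \
            -out "$dir/${section}_crt.pem" 2>/dev/null
    done
}

# purpose_check CA CERT PURPOSE: print OK, or REJECTED:<reason> otherwise.
# An EKU that does not cover PURPOSE (sslclient or sslserver) yields the
# reason "unsupported certificate purpose".
purpose_check() {
    if out=$(openssl verify -CAfile "$1" -purpose "$3" "$2" 2>&1); then
        echo OK
    else
        reason=$(printf '%s\n' "$out" | grep -o 'unsupported certificate purpose' || true)
        echo "REJECTED:${reason:-$out}"
    fi
}

# eku_of CERT: print the decoded Extended Key Usage line of CERT.
eku_of() {
    openssl x509 -noout -text -in "$1" | grep -A1 'Extended Key Usage' \
        | tail -n 1 | sed 's/^ *//'
}

main() {
    d=$(mktemp -d)
    make_demo_certs "$d"
    for c in client server; do
        echo "${c}_crt.pem: $(eku_of "$d/${c}_crt.pem")"
        echo "  as sslclient: $(purpose_check "$d/ca.pem" "$d/${c}_crt.pem" sslclient)"
        echo "  as sslserver: $(purpose_check "$d/ca.pem" "$d/${c}_crt.pem" sslserver)"
    done
    rm -rf "$d"
}

main
```

Running the same purpose_check against a certificate before copying it into raddb/certs catches a wrongly signed client certificate without a round trip through the supplicant.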




Basic logging problems

2005-03-24 Thread tonix (Antonio Nati)
I'm trying to set up a basic configuration, based on MySQL and Unix, and
I'd like to keep logging to files.

I'm actually using radtest, and I don't see any logging. MySQL is
misconfigured, so it's OK not to have logging on MySQL, but I wonder how to
have logging to a file. Or does radtest just test authentication without
bothering with accounting or other logging information?

Thanks,
Tonino


Basic wifi config

2010-05-04 Thread Philippe Schwarz
Hi,
I set up the following config, and tried to follow the advice of the FreeRADIUS
website (don't touch anything you could break in the raddb directory ;-) )

The config (in French, sorry) I used:
http://www.openbsd-edu.net/index.php/FreeRadius

FreeRADIUS OS: OpenBSD 4.5
freeradius-2.1.3 RADIUS server implementation
192.168.1.9 & 172.16.0.133

AP: Linksys WRT54G
WPA Enterprise & TKIP
192.168.1.1

Client: WinXP SP2, DHCP

On the server:

pkg_add -v http://ftp.arcane-networks.fr/pub/OpenBSD/$(uname -r)/packages/$(uname -m)/freeradius


echo "if [ -x /usr/local/sbin/radiusd ]; then
install -d -o _freeradius /var/run/radiusd
echo -n ' radiusd'; /usr/local/sbin/radiusd
fi
" >> /etc/rc.local


cp radius.pem /etc/raddb/certs/server.pem
chmod 744 /etc/raddb/certs/server.pem
cp ca.pem /etc/raddb/certs/ca.pem
chmod 744 /etc/raddb/certs/ca.pem

openssl verify -verbose -CApath /etc/raddb/certs/ -CAfile /etc/raddb/certs/ca.pem /etc/raddb/certs/server.pem

=> /etc/raddb/certs/server.pem: OK

dd  if=/dev/urandom of=/etc/raddb/certs/random bs=1024 count=100
openssl dhparam -out /etc/raddb/certs/dh 1024

echo "
usertest Cleartext-Password := \"password\"
" >> /etc/raddb/users


echo "

#Nagios
client Nagios {
secret = SECRETNAGIOS
shortname =  Nagios
ipaddr = @IP NAgios
}

#Wifi AP3
client AP3 {
secret = \"SECRET_AP3\"
shortname = AP3
ipaddr = @IP AP3
nastype = other
}

# Local
client localhost {
   ipaddr = 127.0.0.1
   secret  = \"SECRETLOCAL\"
   require_message_authenticator = no
   shortname   = localhost
   nastype = other
}
" > /etc/raddb/clients.conf


ifconfig em0 alias 192.168.1.9 netmask 255.255.255.0

ifconfig -a
=>em0: flags=8843 mtu 1500
=>inet 172.16.0.223 netmask 0x broadcast 172.16.255.255
=>inet 192.168.1.9 netmask 0xff00 broadcast 192.168.1.255


/usr/local/sbin/radiusd -X


radtest local & radtest remote are OK for the local and Nagios clients.


Let's go to the XP...

When I try to use the Wifi, radiusd -X says:

...I pasted the logs into http://networkradius.com/freeradius.html
and only copied the parts that were neither white nor blue:


WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
Cancelling invalid proxy request.
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.


grep roxy * |grep -v "#"

attrs.access_reject:Proxy-State =* ANY
attrs.accounting_response:  Proxy-State =* ANY
experimental.conf:  mod_preproxy = radiusd_test
experimental.conf:  func_preproxy = preproxy
experimental.conf:  mod_postproxy = radiusd_test
experimental.conf:  func_postproxy = postproxy
proxy.conf:proxy server {
radiusd.conf:proxy_requests  = no

What is the missing magic command which could help me?

Thanks.
Best regards.

-- 
Lycée polyvalent Alfred Nobel, Clichy sous Bois
http://www.lyceenobel.org



FreeRadius Basic Authentication Problem

2008-08-22 Thread Syed Anwarul Hasan
FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Jul 21 2008
at 15:35:42
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 

Basic question on rlm_perl

2008-12-17 Thread al pat
hi,
I am building freeradius 2.1.3 on Ubuntu (configure/make/make install).

I am trying to use the perl module, but I can't start my server.

I have put "perl" as a module in my radiusd.conf file.

I don't find the rlm_perl*.so file in /usr/local/lib/ where all the other
rlm_*.so files are located.

What am I missing?

I also tried to configure with the experimental modules flag.

Thanks

-a

RE: Basic dialup_admin mods

2004-05-08 Thread Michael Markstaller
Mark,

I'm in a similar process right now, setting up a new RADIUS environment
all running on Debian Woody, consolidating three old servers.
I'm planning to use dialup-admin for individual users to see
their account status and for customer admins to manage their individual scopes/users.

I've already seen that there are a few things to change, so I
a) am interested in your mods
b) would like to know how to submit newly created things

Michael



RE: Basic dialup_admin mods

2004-05-08 Thread Kostas Kalevras
On Sat, 8 May 2004, Michael Markstaller wrote:

> Mark,
>
> I'm in a similar process right now, setting up a new radius-environment
> all running on Debian Woody consolidating three old servers.
> I'm planning to use dialup-admin for individual users to see
> their account-status and customer-admins to manage their individual scopes/users.
>
> I already seen that there're are few things to change, so I'm
> a) interested in your mods
> b) like to know how to submit new things created

Send a patch to freeradius-devel. Better yet, open a bug report at
bugs.freeradius.org and post your patch there.


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Basic dialup_admin mods

2004-05-08 Thread Kostas Kalevras
On Sat, 8 May 2004, Mark Constable wrote:

> I'm just starting out with changing over from xtRadius to
> freeRadius and testing things for the next few days. I'll be
> looking hard at dialup_admin and just now I've got it up on
> my own test box and I can see there are a few basic and obvious
> mods that could be made... that I will be doing anyway, and
> more, for myself but could be of general interest.
>
> . I'd be prepared to find every instance of *.php3
>   and change then _ALL_ to just *.php

Hmm, OK, but in any case it's mostly a cosmetic change.

> . change all $HTTP_*_VARS to just $_SERVER etc

dialupadmin should use the new variable format in general. I was just waiting
for everyone to be using newer versions of PHP. It's much better from a security
point of view.

> . catch all missing isset($var) warnings

That would be nice.

> . ensure error_reporting(E_ALL) compatible
> . ensure it runs under PHP5 (my test system)
>
> Are these changes of any use to anyone else and if so how
> could I go about supplying the changes to whoever wants them ?

Make the changes and open a bug report to bugs.freeradius with the patch.
Preferably the .php3 -> .php patch should be kept separate.


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



sql accounting basic question

2005-03-07 Thread Adam KOSA
Hi,
could anyone tell me the difference between AcctSessionId and AcctUniqueId
in the SQL table?

And also: I see that an insert is performed with acctstarttime set to
the timestamp and acctstoptime set to 0 at accounting start. An update
is done at accounting stop, and another insert is done with
acctstarttime and acctstoptime set to the starting and ending time values.

Is this how it works? Or did I make mistakes when configuring it? I
used the URL http://www.frontios.com/freeradius-old.html for configuring,
and the result is very basic - only accounting to SQL. This is what I
wanted, but I'm not sure if all the SQL queries are needed.

RTFM answers are welcome too; I've been through the doc/ directory and
http://www.frontios.com/freeradius.html too.

thanks
adam


Re: Basic logging problems

2005-03-24 Thread Alan DeKok
"tonix (Antonio Nati)" <[EMAIL PROTECTED]> wrote:
> Or does radtest just test authentication without 
> bothering with accounting or other logging information?

  Read the documentation for radtest.  It answers your question.

  Alan DeKok.



Re: Basic wifi config

2010-05-04 Thread Alan DeKok
Philippe Schwarz wrote:
> I set up the following config, and tried to follow the advice of the FreeRADIUS
> website (don't touch anything you could break in the raddb directory ;-) )

  That's good.

> The config (in French, sorry) I used:
> http://www.openbsd-edu.net/index.php/FreeRadius

  Hmm.. that doesn't look all correct.  The certificate stuff isn't
necessary in 2.1.3.

> When I try to use the Wifi, radiusd -X says:
> 
> ...I pasted the logs into http://networkradius.com/freeradius.html
> and only copied the parts that were neither white nor blue:
> 
> 
> WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
> Cancelling invalid proxy request.
> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user
> Failed to authenticate the user.

  You didn't specify a password for the user.

> What is the missing magic command which could help me ??

  Specify a password, as suggested in:

The important files ("Les fichiers importants")
users

  on the OpenBSD page you used.

  Alan DeKok.


Re: Basic wifi config

2010-05-04 Thread Philippe Schwarz
On 04/05/2010 19:05, Alan DeKok wrote:
> Philippe Schwarz wrote:
>> The config (in French, sorry) I used:
>> http://www.openbsd-edu.net/index.php/FreeRadius
> 
>   Hmm.. that doesn't look all correct.  The certificate stuff isn't
> necessary in 2.1.3.
OK, but it's only useless; I can keep it that way, right?
> 
>> Failed to authenticate the user.
> 
>   You didn't specify a password for the user.
Oh! I should have read more carefully..
I thought I'd have a popup for login/pass later..

> 
>> What is the missing magic command which could help me ??
> 
>   Specify a password, as suggested in:
> 
> The important files ("Les fichiers importants")
> users
OK, but my users are stored in an LDAP/Samba backend; I'll give it a try
soon.
BTW, the password is one-way encrypted, and I tried

 echo -n 'user::Password' | md5

and pasted the MD5 into the users file, and it did not work..
Maybe the null realm is the problem.



Thanks.

-- 
Lycée polyvalent Alfred Nobel, Clichy sous Bois
http://www.lyceenobel.org



Re: Basic wifi config

2010-05-05 Thread Alan DeKok
Philippe Schwarz wrote:
> OK, but it's only useless; I can keep it that way, right?

  "useless" means "confusing, unnecessary, and extra work".

  You should delete it.

>>> Failed to authenticate the user.
>>   You didn't specify a password for the user.
> Oh! I should have read more carefully..
> I thought I'd have a popup for login/pass later..

  Er... no.  The *RADIUS* server doesn't know the correct password, so
it can't authenticate the user.

> OK, but my users are stored in a LDAP/samba Backend; i'll give it a try
> soon.

  Take it one simple step at a time.  Trying to configure everything all
at once is a recipe for disaster.

> BTW, the password is one-way encrypted, and I tried
> 
>  echo -n 'user::Password' | md5
> 
> and pasted the MD5 into the users file, and it did not work..

"I did stuff not recommended anywhere and it broke".

  Don't do that.

> Maybe the null realm is the problem.

  No.  See the FAQ for an example of how to add a password.

  Alan DeKok.


Re: FreeRadius Basic Authentication Problem

2008-08-22 Thread Ivan Kalik
>rad_recv: Access-Request packet from host 127.0.0.1 port 1029, id=10,
>length=56
>User-Name = "John"
>User-Password = "hello"
>NAS-IP-Address = 192.168.1.131
>NAS-Port = 1
>+- entering group authorize
>++[preprocess] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>rlm_realm: No '@' in User-Name = "John", looking up realm NULL
>rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: No EAP-Message, not doing EAP
>++[eap] returns noop
>++[unix] returns notfound
>++[files] returns noop
>++[expiration] returns noop
>++[logintime] returns noop
>rlm_pap: WARNING! No "known good" password found for the user.
>Authentication may fail because of this.
>++[pap] returns noop

Nothing matched.

>And my radtest command: radtest John hello localhost 1 testing123
>

Oh dear! localhost resolved to:

>NAS-IP-Address = 192.168.1.131

You need to fix name resolution so localhost resolves properly to
127.0.0.1.

>Users file
>
># This is an entry for a user with a space in their name.
># Note the double quotes surrounding the name.
>
>John  Auth-Type :=System,Huntgroup-Name == John,User-Password := "hello"
>
>Reply-Message = "Hello, %{User-Name}",
>Fall-Through = Yes

This is also wrong. Auth-Type System means that the user/password will be
looked up in /etc/passwd. You don't need either Auth-Type or the password
attribute there. If you are going to remove Auth-Type, fix the password
attribute to be Cleartext-Password. If you are checking a system account
(not very likely since unix returned notfound) then remove the password
attribute.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRadius Basic Authentication Problem

2008-08-22 Thread orion
Do not use
Auth-Type :=System,
Don't use Auth-Type at all.



Re: FreeRadius Basic Authentication Problem

2008-08-22 Thread Syed Anwarul Hasan
Thank you *Ivan* for your help and exact advice. I was able to debug and
was able to do user authentication as you said.
I once again thank the FreeRadius OpenSource Community for helping people with
their questions.

SYED


On Fri, Aug 22, 2008 at 4:14 PM, orion <[EMAIL PROTECTED]> wrote:

> do not use
> *Auth-Type :=System,*
> don't use Auth-Type at all.
>
>
> 2008/8/22 Syed Anwarul Hasan <[EMAIL PROTECTED]>
>
>> FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Jul 21 2008
>> at 15:35:42
>> Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE.
>> You may redistribute copies of FreeRADIUS under the terms of the
>> GNU General Public License v2.
>> Starting - reading configuration files ...
>> including configuration file /usr/local/etc/raddb/radiusd.conf
>> including configuration file /usr/local/etc/raddb/proxy.conf
>> including configuration file /usr/local/etc/raddb/clients.conf
>> including configuration file /usr/local/etc/raddb/snmp.conf
>> including files in directory /usr/local/etc/raddb/modules/
>> including configuration file /usr/local/etc/raddb/modules/policy
>> including configuration file /usr/local/etc/raddb/modules/acct_unique
>> including configuration file /usr/local/etc/raddb/modules/unix
>> including configuration file /usr/local/etc/raddb/modules/chap
>> including configuration file /usr/local/etc/raddb/modules/preprocess
>> including configuration file /usr/local/etc/raddb/modules/expiration
>> including configuration file /usr/local/etc/raddb/modules/mac2vlan
>> including configuration file /usr/local/etc/raddb/modules/mschap
>> including configuration file /usr/local/etc/raddb/modules/ippool
>> including configuration file /usr/local/etc/raddb/modules/files
>> including configuration file /usr/local/etc/raddb/modules/krb5
>> including configuration file /usr/local/etc/raddb/modules/passwd
>> including configuration file /usr/local/etc/raddb/modules/radutmp
>> including configuration file /usr/local/etc/raddb/modules/attr_rewrite
>> including configuration file /usr/local/etc/raddb/modules/echo
>> including configuration file /usr/local/etc/raddb/modules/etc_group
>> including configuration file /usr/local/etc/raddb/modules/pap
>> including configuration file /usr/local/etc/raddb/modules/realm
>> including configuration file /usr/local/etc/raddb/modules/pam
>> including configuration file /usr/local/etc/raddb/modules/always
>> including configuration file /usr/local/etc/raddb/modules/exec
>> including configuration file /usr/local/etc/raddb/modules/logintime
>> including configuration file /usr/local/etc/raddb/modules/sql_log
>> including configuration file /usr/local/etc/raddb/modules/smbpasswd
>> including configuration file /usr/local/etc/raddb/modules/sradutmp
>> including configuration file /usr/local/etc/raddb/modules/counter
>> including configuration file /usr/local/etc/raddb/modules/ldap
>> including configuration file /usr/local/etc/raddb/modules/expr
>> including configuration file /usr/local/etc/raddb/modules/attr_filter
>> including configuration file /usr/local/etc/raddb/modules/checkval
>> including configuration file /usr/local/etc/raddb/modules/digest
>> including configuration file /usr/local/etc/raddb/modules/detail
>> including configuration file /usr/local/etc/raddb/modules/detail.log
>> including configuration file /usr/local/etc/raddb/modules/mac2ip
>> including configuration file /usr/local/etc/raddb/eap.conf
>> including configuration file /usr/local/etc/raddb/sql.conf
>> including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
>> including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
>> including configuration file /usr/local/etc/raddb/policy.conf
>> including files in directory /usr/local/etc/raddb/sites-enabled/
>> including configuration file /usr/local/etc/raddb/sites-enabled/default
>> including configuration file
>> /usr/local/etc/raddb/sites-enabled/inner-tunnel
>> including dictionary file /usr/local/etc/raddb/dictionary
>> main {
>> prefix = "/usr/local"
>> localstatedir = "/usr/local/var"
>> logdir = "/usr/local/var/log/radius"
>> libdir = "/usr/local/lib"
>> radacctdir = "/usr/local/var/log/radius/radacct"
>> hostname_lookups = no
>> max_request_time = 30
>> cleanup_delay = 5
>> max_requests = 1024
>> allow_core_dumps = no
>> pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
>> checkrad = "/usr/local/sbin/checkrad"
>> debug_level = 0
>> proxy_requests = yes
>>  log {
>> stripped_names = no
>> auth = no
>> auth_badpass = no
>> auth_goodpass = no
>>  }
>> }
>>  client localhost {
>> ipaddr = 127.0.0.1
>> require_message_authenticator = no
>> secret = "testing123"
>> shortname = "localhost"
>> nastype = "other"
>>  }
>>

Re: Basic question on rlm_perl

2008-12-18 Thread A . L . M . Buxey
Hi,

> 
> I have put "perl" as a module in my radiusd.conf file.
> 
> I don't find the rlm_perl*.so file in /usr/local/lib/ where all the other
> rlm_*.so files are located.
> 
> What am I missing?

have you edited experimental.conf to enable PERL and have
you included this file in the radiusd.conf or sites-enabled/*
files?

alan


Re: Basic question on rlm_perl

2008-12-18 Thread Boian Jordanov

On Dec 17, 2008, at 11:54 PM, al pat wrote:

> I am trying to use the perl module, but I can't start my server.
>
> I have put "perl" as a module in my radiusd.conf file.
>
> I don't find the rlm_perl*.so file in /usr/local/lib/ where all the
> other rlm_*.so files are located.
>
> What am I missing?

Maybe you are missing development files for perl. Install them and
then rebuild your freeradius.


Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002


Re: Basic question on rlm_perl

2008-12-18 Thread al pat
Hi -
Thanks for the replies. I installed libperl-dev and that worked.

Rgds
-a

On Thu, Dec 18, 2008 at 4:42 AM, Boian Jordanov wrote:

> On Dec 17, 2008, at 11:54 PM, al pat wrote:
>
> I am trying to use the perl module, but I can't start my server.
>
> I have put "perl" as a module in my radiusd.conf file.
>
> I don't find the rlm_perl*.so file in /usr/local/lib/ where all the other
> rlm_*.so files are located.
>
> What am I missing?
>
>
> Maybe you are missing development files for perl. Install them and then
> rebuild your freeradius.
>
> Best Regards,
> Boian Jordanov
> SNE
> Orbitel - Next Generation Telecom
> tel. +359 2 4004 723
> tel. +359 2 4004 002

Basic RADIUS network protocol question

2004-07-07 Thread Martin Olsson
I'm reading RFC2865 for RADIUS. Each radius packet seems to have a
code, an identifier, a length field, an authenticator field and some
attributes. The length field is 16-bit, but is it big-endian or
little-endian? If I receive the two bytes for the length as AB, should I use
the value 256*A+B or should I use the value A+B*256?

Regards,
Martin Olsson





Re: sql accounting basic question

2005-03-07 Thread Alan DeKok
Adam KOSA <[EMAIL PROTECTED]> wrote:
> could anyone tell the difference between AcctSessionId and AcctUniqueId 
> in the sql table?

  The first is the Acct-Session-Id, as sent by the NAS.  NASes tend to
re-use IDs however, despite the standard saying to NOT do that.  As a
result, FreeRADIUS creates the "unique" Id, based on some additional
information.

> and also: i see that an insert is performed with acctstarttime set to 
> the timestamp and acctstoptime set to 0 at accounting start.  an update 
> is done at accounting stop, and another insert is done with 
> acctstarttime and acctstoptime set to the starting and ending time values.

  That sounds right.

  Alan DeKok.


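Alan's distinction, as an added example that is neither FreeRADIUS code nor from either post: the unique id is a hash over several request attributes, so two NASes that reuse the same Acct-Session-Id still land in separate radacct rows, and the start/stop flow Adam describes is replayed against an in-memory table. The key attribute list is quoted from memory from the stock FreeRADIUS 2.x modules/acct_unique and the query names from the stock dialup.conf, so check your own copies; the comma-joined serialisation is hypothetical, so the digests are not byte-identical to the module's.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Attributes hashed by the stock FreeRADIUS 2.x modules/acct_unique key line (assumption:
# quoted from memory, check your own copy). A NAS may recycle Acct-Session-Id, but the
# combination with its address, the port and the client address still tells sessions apart.
UNIQUE_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address", "Client-IP-Address", "NAS-Port")


def acct_unique_id(req: Dict[str, str]) -> str:
    """Conceptual rlm_acct_unique: MD5 over the key attributes. The comma-joined
    serialisation is hypothetical, so the digest is not byte-identical to the module's."""
    material = ",".join(str(req.get(k, "")) for k in UNIQUE_KEY)
    return hashlib.md5(material.encode()).hexdigest()


@dataclass
class Row:
    acctsessionid: str
    acctstarttime: Optional[int]
    acctstoptime: Optional[int]  # None until the Stop record arrives


class RadAcct:
    """In-memory stand-in for the radacct table, keyed by AcctUniqueId, replaying the
    query flow Adam describes (start insert, stop update, stop-without-start insert)."""

    def __init__(self) -> None:
        self.rows: Dict[str, Row] = {}

    def handle(self, req: Dict[str, str]) -> str:
        uid = acct_unique_id(req)
        now = int(req["Event-Timestamp"])
        status = req["Acct-Status-Type"]
        if status == "Start":
            # accounting_start_query: open the row, stop time unknown yet
            self.rows[uid] = Row(req["Acct-Session-Id"], now, None)
        elif status == "Stop":
            row = self.rows.get(uid)
            if row is not None:
                # accounting_stop_query: close the row opened by Start
                row.acctstoptime = now
            else:
                # accounting_stop_query_alt: no Start was seen, so insert a complete
                # row, deriving the start time from Acct-Session-Time
                start = now - int(req.get("Acct-Session-Time", 0))
                self.rows[uid] = Row(req["Acct-Session-Id"], start, now)
        return uid


if __name__ == "__main__":
    # Constructed sample: two NASes both report Acct-Session-Id "0001" for user bob.
    nas_a = {"User-Name": "bob", "Acct-Session-Id": "0001", "NAS-IP-Address": "10.0.0.1",
             "Client-IP-Address": "10.0.0.1", "NAS-Port": "1"}
    nas_b = dict(nas_a, **{"NAS-IP-Address": "10.0.0.2", "Client-IP-Address": "10.0.0.2"})
    table = RadAcct()
    table.handle(dict(nas_a, **{"Acct-Status-Type": "Start", "Event-Timestamp": "1000"}))
    table.handle(dict(nas_a, **{"Acct-Status-Type": "Stop", "Event-Timestamp": "1600",
                                "Acct-Session-Time": "600"}))
    table.handle(dict(nas_b, **{"Acct-Status-Type": "Stop", "Event-Timestamp": "2000",
                                "Acct-Session-Time": "300"}))
    for uid, row in table.rows.items():
        print(uid, row)  # two rows, same AcctSessionId, different AcctUniqueId
```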


Basic Question about group management

2005-04-18 Thread Julien freeradius
Hello,
I'm using Freeradius with mysql for PPP since two years; everything works 
great. I want to allow some users to use a vpn (VPNcisco3000).
I don't have any problem identifying a user in PPP, or identifying a 
user from the concentrator.

But I don't know how to set the groups (radgroupreply, 
radgroupcheck) correctly to be able to give:

- Only PPP for some users
- Only VPN for some users
- Both for some users
The only way I have found is using a "negation group", e.g. a NOVPN group 
and a NOPPP group. I'm sure it is not the right way to do it. I have read 
a lot of documentation about this, but apparently not the right one.

If someone can send me a link to some documentation it could be great.
Thanks in advance.
Julien Gabry


newbie question basic passwd authentication

2005-07-05 Thread Ramses van Pinxteren

Hi,

I am a complete newbie with radius. I need to configure this for use 
with a PPTP VPN. The end goal will be that radius is running on a 
fedora box, and authenticates against a SMBPASSWD file. PPTPd needs 
chap.


But I am getting ahead of myself; first I need to get a basic system 
working. I installed the freeradius rpm, and tried to configure some 
things:


file clients.conf:
client 127.0.0.1 {
        secret = testing123
        shortname = localhost
        nastype = other
}
client 192.168.1.0/24 {
        secret = testing123
        shortname = localnet
}

File naslist:
localhost   local   other

File users:
nothing changed, all seemed OK to me.

file radius.conf:
(cut away some text)
unix {
        cache = no
        cache_reload = 600
        passwd = /etc/passwd
        shadow = /etc/shadow
        group = /etc/group
}

When I now start the daemon as root:
# radiusd -sfxxyz -l stdout.


When I tried to test it from the console again:
radtest ramses "OfCourseThisShouldBeSomethingLessObvious" localhost 1 
testing123

I see this at my console:

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=122, length=58
User-Name = "ramses"
User-Password = "OfCourseThisShouldBeSomethingLessObvious"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "ramses", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [ramses]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 122 to 127.0.0.1:32769
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 122 with timestamp 42ca3387
Nothing to do.  Sleeping until we see a request.


Of course I triple-checked the typed-in password, and I could find 
nothing wrong with that one.


Now I think all I can do is shout: HELPPP. Does anyone have any ideas?

kind regards,

Ramses


very basic question about realms

2004-01-26 Thread Ernesto Freyre
Hi List, please, I think this must be a very basic issue, I am starting to
work with FreeRadius 0.9.3, my first test was very fine while testing
without realm, but now when I attempt to work with a realm I'm having
problems.

I have set up my proxy.conf file, which for working with a realm looks like:

realm myrealm {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
        strip
}

And in my user's file I have:

prueba  Auth-Type := Local, User-Password == "prueba"
        Port-Limit = 2,
        Class = II-BRONCE,
        Framed-IP-Address = 255.255.255.255,
        Framed-IP-Netmask = 255.255.255.255

With this configuration, when I tested authenticating with the user
[EMAIL PROTECTED] I get the following message, and the request is rejected, but
without the realm all works fine.
#--- START OF THE MESSAGE ---#
rad_recv: Access-Request packet from host 192.168.100.161:1089, id=8,
length=193
NAS-IP-Address = 192.168.100.161
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 11
MS-RAS-Vendor = 311
MS-RAS-Version = "MSRASV5.00"
NAS-Port-Type = Async
Connect-Info = "CONNECT 9600/ARQ"
User-Name = "[EMAIL PROTECTED]"
MS-CHAP-Challenge = 0x0c24fef9ec83ef46b0a9cd1167b54a54
MS-CHAP2-Response =
0xd29ca44130fe77235a0f744a7998d390ec6fa5e3db0ac1a199e232
0f9b3246565e67d9937e8811ea
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "eap" returns noop for request 5
rlm_realm: Looking up realm "myrealm" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "myrealm"
rlm_realm: Adding Stripped-User-Name = "prueba"
rlm_realm: Proxying request from user prueba to realm myrealm
rlm_realm: Adding Realm = "myrealm"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 5
users: Matched prueba at 77
modcall[authorize]: module "files" returns ok for request 5
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type := MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 5
modcall: group authorize returns ok for request 5
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 5
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 5
modcall: group Auth-Type returns reject for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 8 to 192.168.100.161:1089
MS-CHAP-Error = "\000E=691 R=1"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 8 with timestamp 40153a51
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.100.161:1090, id=9,
length=193
NAS-IP-Address = 192.168.100.161
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 11
MS-RAS-Vendor = 311
MS-RAS-Version = "MSRASV5.00"
NAS-Port-Type = Async
Connect-Info = "CONNECT 9600/ARQ"
User-Name = "[EMAIL PROTECTED]"
MS-CHAP-Challenge = 0xf4e6094ba50901a08d34e31f06d05bec
MS-CHAP2-Response =
0x01006d25736722c42e292ef788585bac49a78ec1a46aa6d87929e4c7c1
7679c47406dbf42713b55a9b88
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "eap" returns noop for request 6
rlm_realm: Looking up realm "myrealm" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "myrealm"
rlm_realm: Adding Stripped-User-Name = "prueba"
rlm_realm: Proxying request from user prueba to realm myrealm
rlm_realm: Adding Realm = "myrealm"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 6
users: Matched prueba at 77
modcall[authorize]: module "files" returns ok for request 6
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type := MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 6
modcall: group authorize returns ok for request 6
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 6
rlm_mschap: doing MS-CHAPv2 with 

Virtual server basic proxy configuration?

2011-10-03 Thread John Douglass

Freeradius gurus,

I have looked over the documentation and searched for examples and 
haven't found anything concrete that I feel will solve my configuration. 
Perhaps someone has implemented this or can offer up some advice on how 
to approach this.


Basically I want to create a virtual server listening on port 1818 that 
simply proxies ALL AUTH requests to radius1.gatech.edu port 1812. I am 
used to the virtual-server configuration as I have multiple radius based 
services running on different ports, but am not sure how to only proxy 
those entries on that particular virtual server and not the other 
virtual servers I have running on this server. At a first read/glance, 
it looks like the proxy settings might apply to all virtual servers 
instead of just the one on port 1818 that I am defining.


From reading "proxy.conf" would I just define something like:

home_server radius1 {
        type = auth
        ipaddr = 10.10.10.10
        port = 1818
        secret = testing123
}

Now...I am not sure how to apply this to a single virtual server. All I 
really want to do is redirect the requests and respond.


Any tips would be appreciated,
- John Douglass, Georgia Institute of Technology


Need basic help with accouting

2012-01-03 Thread Cosmin Neagu

Hello radius users,
I need some basic info/redirection to start using accounting with 
freeradius.


I already learned how to use authentication, but I'm unable to figure 
out from details in configurations files how to do some accounting - 
basic stuff like when a user logs in or out for start.


Can anyone point me to some documentation on how to do basic accounting 
for beginners?




Basic freeradius set up problem

2012-07-11 Thread Mik J
Platform: OpenBSD 5.1
Version: 2.1.12

Hello,

I have a problem setting up freeradius and I think it's related to the domain 
stripping.

Here's what I did for my configuration
1) Imported the scripts schema.sql, admin.sql, ippool.sql, nas.sql in my MySQL 
radiusdb database

2) Inserted a user: INSERT INTO radcheck (UserName, Attribute, Value) VALUES 
('testuser', 'Password', 'passsecret');

3) Configured clients.conf
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nastype = other        # localhost isn't usually a NAS...
}

4) Uncommented in radiusd.conf
$INCLUDE ${confdir}/sql.conf
$INCLUDE ${confdir}/sql/mysql/counter.conf

5) In /etc/raddb/sites-enabled/default uncommented
authorize {
        sql
}
accounting {
        sql
        sql_log
}

6) Configured /etc/raddb/sql.conf
sql {
    database = "mysql"
    driver = "rlm_sql_${database}"
    #socket= var/run/mysql/mysql.sock
    server = "localhost"
    port = 3306
    login = "radiususer"
    password = "passradius"
    radius_db = "radius"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "radusergroup"
    deletestalesessions = yes
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 5
    connect_failure_retry_delay = 60
    lifetime = 0
    max_queries = 0
    nas_table = "nas"
    $INCLUDE sql/${database}/dialup.conf
}

7) In /etc/raddb/sql/mysql/dialup.conf added
sql_user_name = '%{Stripped-User-Name}'


8) I start the radius server
# /usr/local/sbin/radiusd -X
And make a test on the local machine
$ radtest testuser passsecret 127.0.0.1 1812 testing123
And I receive an access reject: rad_recv: Access-Reject packet from host 
127.0.0.1 port 1812, id=222, length=20

9) The debug says
rad_recv: Access-Request packet from host 127.0.0.1 port 10251, id=122, 
length=78
    User-Name = "testuser"
    User-Password = "passsecret"
    NAS-IP-Address = 192.168.1.1
    NAS-Port = 1812
    Message-Authenticator = 0xf16b463a77e5dfefbd9385915a307e88
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{Stripped-User-Name} ->
[sql] sql_set_user escaped user --> ''
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand:  ->
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 3
++[sql] returns fail
Invalid user: [testuser] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 122 to 127.0.0.1 port 10251
Waking up in 4.9 seconds.
Cleaning up request 1 ID 122 with timestamp +74
Ready to process requests.

10) I can see that something goes wrong with this message
[sql] Error generating query; rejecting user
But I don't understand why

Thank you to those who can point me in the right direction.

Regards

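Step 7 is where the reject comes from: with no '@' in the User-Name, rlm_realm sets no Stripped-User-Name, so `%{Stripped-User-Name}` expands to nothing (the debug shows `sql_set_user escaped user --> ''`). The stock FreeRADIUS 2.x dialup.conf avoids this with a fallback chain, `%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}` (quoted from memory, check your copy). The Python below is an added example, not code from the post or from FreeRADIUS: it re-implements just enough of the `%{...}` / `:-` expansion to run both templates against the request in the debug output, and fails closed when the resulting user name is empty instead of querying radcheck for username = ''.

```python
# Default template from the stock FreeRADIUS 2.x sql/mysql/dialup.conf (assumption: quoted
# from memory, check your own copy): fall back to User-Name, then to the literal DEFAULT.
DEFAULT_SQL_USER_NAME = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
POSTER_SQL_USER_NAME = "%{Stripped-User-Name}"  # step 7 of the post


def xlat(template: str, attrs: dict) -> str:
    """Expand %{Attribute} references and %{%{A}:-%{B}} fallbacks in a template.
    Minimal re-implementation for illustration, not the server's own xlat code."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            close = _matching_brace(template, i + 1)
            out.append(_expand_ref(template[i + 2:close], attrs))
            i = close + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def _matching_brace(s: str, open_idx: int) -> int:
    """Index of the '}' closing the '{' at open_idx, honouring nested %{...}."""
    depth = 0
    for k in range(open_idx, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced %{ in template")


def _expand_ref(inner: str, attrs: dict) -> str:
    """Expand the text between %{ and }: either 'primary:-fallback' or an attribute name."""
    depth = 0
    for k in range(len(inner) - 1):
        if inner[k] == "{":
            depth += 1
        elif inner[k] == "}":
            depth -= 1
        elif depth == 0 and inner[k:k + 2] == ":-":
            primary, fallback = inner[:k], inner[k + 2:]
            value = xlat(primary, attrs)
            return value if value else xlat(fallback, attrs)  # fallback may be a literal
    if inner.startswith("%{"):
        return xlat(inner, attrs)
    return attrs.get(inner, "")  # an absent attribute expands to the empty string


def sql_user_name(template: str, request: dict):
    """Expanded SQL-User-Name, or None when it is empty so the caller can reject
    instead of running the radcheck query with username = ''."""
    name = xlat(template, request)
    return name or None


if __name__ == "__main__":
    # Request as seen in the debug output (no realm, so no Stripped-User-Name).
    no_realm = {"User-Name": "testuser", "User-Password": "passsecret"}
    # Same user logging in as testuser@example.org after rlm_realm stripped the suffix
    # (constructed sample).
    with_realm = {"User-Name": "testuser@example.org", "Stripped-User-Name": "testuser"}
    for label, req in (("no realm", no_realm), ("with realm", with_realm)):
        print(label, "poster's template ->", repr(sql_user_name(POSTER_SQL_USER_NAME, req)))
        print(label, "stock template    ->", repr(sql_user_name(DEFAULT_SQL_USER_NAME, req)))
```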


Re: Basic RADIUS network protocol question

2004-07-07 Thread Aldo Chiecchia
Martin Olsson wrote:
> The length field is 16-bit, but is it big-endian or little-endian? If 
> i receive the two bytes for the length as AB should I use the value 
> 256*A+B or should I use the value A+B*256?

You can just convert your short int from host byte order to 
network byte order using the function "htons" and then store it in the 
length field.
See the man pages for details.

Aldo
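Aldo's answer in code, as an added example that is neither Martin's nor Aldo's: RFC 2865 puts the header in network byte order, so the two Length octets A and B are read as 256*A + B, and struct's "!" prefix performs the htons()/ntohs() conversion. The parser also enforces the limits a server must check before trusting a datagram: Length between 20 and 4096, Length not exceeding the datagram, and every attribute Length at least 2. The Access-Request it builds is constructed here; the attribute numbers 1, 4 and 5 are the RFC 2865 values for User-Name, NAS-IP-Address and NAS-Port.

```python
import struct

# RFC 2865: Code (1) | Identifier (1) | Length (2) | Authenticator (16), all in network
# byte order, so the two Length octets A B mean 256*A + B (big-endian). struct's "!"
# prefix applies exactly the htons()/ntohs() conversion Aldo refers to.
HEADER_FMT = "!BBH16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20
MIN_LEN, MAX_LEN = 20, 4096               # RFC 2865 section 3: valid Length range


class RadiusPacketError(ValueError):
    """Raised for any datagram that violates the RFC 2865 length rules."""


def length_from_octets(a: int, b: int) -> int:
    """Martin's question: Length = 256*A + B, never A + 256*B."""
    return (a << 8) | b


def parse_packet(data: bytes):
    """Parse one RADIUS datagram into (code, identifier, authenticator, attributes).

    attributes is a list of (type, value_bytes). Every length on the wire is checked
    before it is used as an index, so a malformed packet is rejected, not trusted.
    """
    if len(data) < HEADER_LEN:
        raise RadiusPacketError("datagram shorter than the 20-byte header")
    code, ident, length, authenticator = struct.unpack_from(HEADER_FMT, data, 0)
    if not MIN_LEN <= length <= MAX_LEN:
        raise RadiusPacketError(f"Length {length} outside 20..4096")
    if length > len(data):
        raise RadiusPacketError(f"Length {length} exceeds datagram of {len(data)} octets")
    body = data[HEADER_LEN:length]  # octets past Length are padding: ignore them
    attrs = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise RadiusPacketError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2:  # RFC 2865 section 5: attribute Length >= 2
            raise RadiusPacketError(f"attribute {attr_type} has illegal length {attr_len}")
        if pos + attr_len > len(body):
            raise RadiusPacketError(f"attribute {attr_type} overruns the packet")
        attrs.append((attr_type, body[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, authenticator, attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Serialise a packet; the inverse of parse_packet (Length written big-endian)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack(HEADER_FMT, code, ident, HEADER_LEN + len(body), authenticator) + body


if __name__ == "__main__":
    # Constructed Access-Request (code 1): User-Name (1), NAS-IP-Address (4), NAS-Port (5).
    pkt = build_packet(1, 42, b"\x11" * 16,
                       [(1, b"bob"), (4, bytes([127, 0, 0, 1])), (5, (1).to_bytes(4, "big"))])
    a, b = pkt[2], pkt[3]
    print("Length octets", a, b, "big-endian ->", length_from_octets(a, b),
          "| little-endian misread would give", a + 256 * b)  # 37 vs 9472 (> 4096)
    print(parse_packet(pkt))
```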


Basic problems getting things to run

2006-02-16 Thread Geoff Silver
Hi Folks,

I've been tasked at my work w/ getting a radius backend working with our Cisco
3000 concentrators to do certificate auth.  We're currently running an old
version of gnu radius for our standard radius auth, but I'd like to move to
freeradius so that we can eventually use some features like the ldap backend.
 In the mean time, I've just been trying to get it working, and I've been
coming up short.

Forgive me if I'm missing something incredibly obvious, but I absolutely can't
get auth to work.  Ever.  For starters, here's what I see when running
'radiusd -AX':

rad_recv: Access-Request packet from host 127.0.0.1:34193, id=136, length=61
Attr-1 = 0x6a617468616e69736d
Attr-2 = 0xad790d5790cec60e1f908174aabe7335
Attr-4 = 0x7f01
Attr-5 = 0x0001
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched entry jathanism at line 121
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
auth: Failed to validate the user.
Login incorrect: [jathanism] (from client localhost port 0)
  WARNING: Unprintable characters in the password. ?  Double-check the shared
secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---


That's running the following locally for testing as the client:

# echo 'User-Name= "jathanism", Password = "jathanism", NAS-IP-Address =
127.0.0.1, NAS-Port = 1' | /opt/reverb/bin/radclient -d
/opt/reverb/share/dictionary -x 127.0.0.1 auth 1234test1234
Sending Access-Request of id 136 to 127.0.0.1 port 1812
User-Name = "jathanism"
Password = "jathanism"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=136, length=20


My users file right now looks like:

jathanism   Auth-Type := Local
            User-Password == "jathanism"

DEFAULT Auth-Type := Accept


Though I've tried as little as just the DEFAULT line, as well as specifying
"Accept" for a specific user.  I've also tried PAP and CHAP, none of which are
ever successful.

My clients.conf file looks like:

client 127.0.0.1 {
        secret      = 1234test1234
        shortname   = localhost
        nastype     = other     # localhost isn't usually a NAS...
}


And what I suspect are the most important parts of my radiusd.conf look like:

authorize {
        preprocess
        files
        chap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
}

I had tried adding an 'Auth-Type Accept' or 'Auth-Type Local' line, but
couldn't get them to work either.

The thing that worries me most is the "auth: No authenticate method
(Auth-Type) configuration found for the request: Rejecting the user" error
thrown by radiusd - no matter what I've tried to do to the radiusd.conf or
users files, it ALWAYS says that.  The "WARNING: Unprintable characters in the
password. ?  Double-check the shared secret on the server and the NAS!" also
frightens me, though I wonder if that's related (the secret is definitely
right, because if I change it, radclient tells me the secret is wrong).

I'm completely at a loss right now.  I've looked at auth.c and some of the
other code, and it seems to me that auth_type just isn't ever getting populated.

Incidentally, the comments in the users file indicate stuff like:

bob Auth-Type := Local, User-Password == "bobpass"

should work, but radiusd won't start unless it looks like:

bob Auth-Type := Local
        User-Password == "bobpass"

I can't tell if that's a documentation problem, or a bug, or indicative of
some larger issue, but I thought I'd mention it.

FWIW, I've tried both freeradius 1.0.5 and 1.1.0.  They were built on Red Hat
EL 3.0 Advanced Server with the stock Red Hat build tools.

Thanks for any help anyone can provide.  I hate to go back to gnu radius, but
I've got to get this working by next Friday or else I won't have much of a
choice.  If anyone willing to assist would like any additional
info/configs/strace output/etc, just ask and I'd be happy to provide them.


Re: newbie question basic passwd authentication

2005-07-05 Thread Ramses van Pinxteren
Solved this step: It turns out that the radius user has no rights to read 
the shadow file (I feel stupid and will write 1000 lines "I will 
first check the file permissions before shouting for help" ;) )


ramses






Re: newbie question basic passwd authentication

2005-07-05 Thread Ilia Chipitsine

> Hi,
>
> I am a complete newbie with radius. I need to configure this for use with a 
> PPTP VPN. The end goal will be that radius is running on a fedora box, and 
> authenticates against a SMBPASSWD file. PPTPd needs chap.


I used to run it against smbpasswd, now I'm running against LDAP :-)

Samba and freeradius use the same password hashes. I can share 
configuration if you want.




but I am getting ahead of myself, irst I need to get a basic system working. 
I installed the freeradius rpm, and tried to configure some things:


file clients.conf:
client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other
}
client 192.168.1.0/24 {
secret = testing123
shortname = localnet
}

File naslist:
localhost   local   other

File users:
nothing changed, all seemed OK to me.

file radius.conf:
cut away some text
unix {
cache = no
cache_reload = 600
passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group
}

When I now start the daemon as root:
# radiusd -sfxxyz -l stdout.


When I tried to test it from the console again:
radtest ramses "OfCourseThisShouldBeSomethingLessObvious" localhost 1 
testing123

I see this at my console:

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=122, length=58
   User-Name = "ramses"
   User-Password = "OfCourseThisShouldBeSomethingLessObvious"
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 1
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
   rlm_realm: No '@' in User-Name = "ramses", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 0
   users: Matched DEFAULT at 152
 modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type System
auth: type "System"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [ramses]: invalid password
 modcall[authenticate]: module "unix" returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 122 to 127.0.0.1:32769
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 122 with timestamp 42ca3387
Nothing to do.  Sleeping until we see a request.


Of course I triple checked the typed-in password, and I could find nothing 
wrong with that one.


Now I think all I can do is shout: HELPPP does anyone have any ideas?

kind regards,

Ramses


Re: very basic question about realms

2004-01-26 Thread Alan DeKok
"Ernesto Freyre" <[EMAIL PROTECTED]> wrote:
> Hi List, please, I think this must be a very basic issue, I am starting to
> work with FreeRadius 0.9.3, my first test was very fine while testing
> without realm, but now when I attempt to work with a realm I'm having
> problems.
> 
> I have set my proxy.conf file that for working with real looks like:
> 
> realm myrealm {
> type= radius
> authhost= LOCAL
> accthost= LOCAL
> strip

  Change this to "nostrip", and it will work.  The MS-CHAP module has
issues with stripped user names.  The 1.0 release should be a little
better that way...

   Alan DeKok.



Re: Virtual server basic proxy configuration?

2011-10-03 Thread Arran Cudbard-Bell

On 3 Oct 2011, at 17:22, John Douglass wrote:

> Freeradius gurus,
> 
> I have looked over the documentation and searched for examples and haven't 
> found anything concrete that I feel will solve my configuration. Perhaps 
> someone has implemented this or can offer up some advice on how to approach 
> this.
> 
> Basically wanting to create a virtual server listening on port 1818 that 
> simply proxies ALL AUTH requests to radius1.gatech.edu port 1812. I am used 
> to the virtual-server configuration as I have multiple radius based services 
> running on different ports, but am not sure how to only proxy those entries 
> on that particular virtual server and not the other virtual servers I have 
> running on this server. At a first read/glance, it looks like the proxy 
> settings might apply to all virtual servers instead of just the one on port 
> 1818 that I am defining.
> 
> From reading "proxy.conf" would I just define something like:
> 
> home_server radius1 {
>type = auth
>ipaddr = 10.10.10.10
>port = 1818
>secret = testing123
> }
> 
> Now...I am not sure how to apply this to a single virtual server. All I 
> really want to do is redirect the requests and respond.

Just use a listen block within the virtual server { } configuration. There's a 
template one in radiusd.conf

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: Virtual server basic proxy configuration?

2011-10-03 Thread Alan DeKok
John Douglass wrote:
> Basically wanting to create a virtual server listening on port 1818 that
> simply proxies ALL AUTH requests to radius1.gatech.edu port 1812.

  Read raddb/sites-available/README

  It explains virtual servers in detail.

> At a first read/glance,
> it looks like the proxy settings might apply to all virtual servers

  Yes.

> From reading "proxy.conf" would I just define something like:

  Which defines a home server, just like normal.

> Now...I am not sure how to apply this to a single virtual server. All I
> really want to do is redirect the requests and respond.

  Redirecting the requests involves setting Proxy-To-Realm.  So you'll
need to set up a realm && home server pool for the above home server.
Or, just use the old-style realms definition.  It will still work.

  Then:

server proxy_all {
  authorize {
update control {
  Proxy-To-Realm := "nameOfRealm"
}
  }
}


  A seven line config.  Can't get much simpler than that.

  Alan DeKok.
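Putting the pieces from the replies above together (the home server, home server pool and realm that Alan DeKok says Proxy-To-Realm needs, the listen block inside the virtual server that Arran Cudbard-Bell points at, and the nostrip setting from Alan's earlier reply about realms and MS-CHAP), as an added example that is not from the thread or from the FreeRADIUS distribution. It assumes FreeRADIUS 2.x syntax; the names radius1_pool and proxy_all_realm are chosen here, and 10.10.10.10 / testing123 are the placeholder values John Douglass posted, to be replaced with the real upstream address and a long random shared secret.

```conf
# raddb/proxy.conf  (added example; names and addresses are placeholders)

home_server radius1 {
	type = auth
	ipaddr = 10.10.10.10      # placeholder from the question; the real upstream is radius1.gatech.edu
	port = 1812               # the upstream port named in the question
	secret = testing123       # placeholder shared secret from the question
}

home_server_pool radius1_pool {
	type = fail-over
	home_server = radius1
}

# The realm exists only so that Proxy-To-Realm can name it.  With nostrip
# the User-Name is forwarded unchanged, so no "@proxy_all_realm" suffix is
# ever required or removed.
realm proxy_all_realm {
	auth_pool = radius1_pool
	nostrip
}

# raddb/sites-available/proxy_all  (symlink it into sites-enabled)

server proxy_all {
	# The listen block inside the server ties port 1818 to this virtual
	# server only; the virtual servers on the other ports are untouched.
	listen {
		type = auth
		ipaddr = *
		port = 1818
	}

	authorize {
		update control {
			Proxy-To-Realm := "proxy_all_realm"
		}
	}
}
```

Because this authorize section contains nothing but the update, no other module (suffix, ntdomain, files) can set or clear Proxy-To-Realm for packets arriving on 1818, which is the isolation the question asks for. Only Access-Request packets are handled: the listen block is type auth and there is no accounting section, so accounting sent to 1818 is dropped rather than forwarded. The pre-proxy and post-proxy sections can be added later if attributes need rewriting in either direction, and `radiusd -X` will show the packet leaving for home server radius1 and the reply coming back.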


Re: Need basic help with accouting

2012-01-03 Thread Alan DeKok
Cosmin Neagu wrote:
> I already learned how to use authentication, but i'm unable to figure
> out from details in configurations files how to do some accounting -
> basic stuff like when a user logs in or out for start.
> 
> Can anyone point me to some documentation on how to do basic accounting
> for beginners?

  Do *what* with accounting?

  The NAS sends the server accounting packets.  By default, the server
logs them to the detail file.

  What *else* do you want to do?  Once you know that, the documentation
should be easy to find.

  Log them to SQL?  --> Read the SQL documentation.

  Alan DeKok.


Re: Need basic help with accouting

2012-01-04 Thread Cosmin Neagu

I found how to do what I needed to do.
From what I discovered, by default it does not do any accounting 
regarding user logins.

I have to set in radiusd.conf in the log section:
auth = yes
By default it was set to "no"


On 01/03/2012 04:52 PM, Alan DeKok wrote:

Cosmin Neagu wrote:

I already learned how to use authentication, but i'm unable to figure
out from details in configurations files how to do some accounting -
basic stuff like when a user logs in or out for start.

Can anyone point me to some documentation on how to do basic accounting
for beginners?

   Do *what* with accounting?

   The NAS sends the server accounting packets.  By default, the server
logs them to the detail file.

   What *else* do you want to do?  Once you know that, the documentation
should be easy to find.

   Log them to SQL?  -->  Read the SQL documentation.

   Alan DeKok.


Re: Need basic help with accouting

2012-01-04 Thread Fajar A. Nugraha
On Wed, Jan 4, 2012 at 7:52 PM, Cosmin Neagu  wrote:
> I found how to do what i needed to do
> From what i discovered by default it does not do any accounting regarding
> user logins.
> I have to set in radiusd.conf in log section:
> auth = yes
> By default was set to "no"

That's not accounting (at least, not the term "accounting" in radius).
It's simply a log. If you ask using the correct terms, you'll be more likely to
get faster and more accurate answers.

Glad to hear you found what you need though.

-- 
Fajar


Re: Need basic help with accouting

2012-01-04 Thread Cosmin Neagu
Yes you are right...did some searching on accounting and this is what I 
want next. Thanks for the clarification.


 Cosmin Neagu



On 01/04/2012 03:08 PM, Fajar A. Nugraha wrote:

On Wed, Jan 4, 2012 at 7:52 PM, Cosmin Neagu  wrote:

I found how to do what i needed to do
 From what i discovered by default it does not do any accounting regarding
user logins.
I have to set in radiusd.conf in log section:
auth = yes
By default was set to "no"

That's not accounting (at least, not the term "accounting" in radius).
It's simply log. If you ask using correct terms, you'll more likely to
get faster and more accurate answers.

Glad to hear you found what you need though.




Stuck on very basic freeradius setup

2012-07-03 Thread Tiago
Hello,
I've just installed freeradius 2.x on an ubuntu server 12.04 with apt-get.

I've followed the documentation and I'm stuck on a very basic setup (pap auth).
Basically I'm testing the default config using the users file to test auth
with radtest.

So, here is the thing:

users file - first line:
teste Cleartext-Password:="teste"

I'm running freeradius on debug mode, here is the error log:
rad_recv: Access-Request packet from host 127.0.0.1 port 38134, id=101,
length=57
User-Name = "teste"
User-Password = "teste"
NAS-IP-Address = 201.x.x.x
NAS-Port = 0
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "teste", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry teste at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "teste"
[pap] No password configured for the user.  Cannot do authentication
++[pap] returns fail
Failed to authenticate the user.
Login incorrect: [teste/teste] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> teste
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

My radtest command:
radtest teste teste 127.0.0.1 0 testing123

Ok, is that so obvious that I'm blind? Is pap auth looking for
another file instead of the users file?

What am I missing?

Thanks people.

Re: Basic freeradius set up problem

2012-07-11 Thread alan buxey
Hi,

> [sql]   expand: %{Stripped-User-Name} ->
> [sql] sql_set_user escaped user --> ''
> rlm_sql (sql): Reserving sql socket id: 3
> [sql]   expand:  ->
> [sql] Error generating query; rejecting user
> rlm_sql (sql): Released sql socket id: 3
> ++[sql] returns fail

Stripped-User-Name not populated - so a blank expansion. Do you need
Stripped-User-Name?  - just use User-Name if not 

alan


RES: Basic freeradius set up problem

2012-07-11 Thread lscrlstld
> 2) Inserted a user: INSERT INTO radcheck (UserName, Attribute, Value)
> VALUES ('testuser', 'Password', 'passsecret');

Use 'Cleartext-Password' instead of 'Password' and try again.



Re: Basic freeradius set up problem

2012-07-11 Thread Mik J
>>  [sql]   expand: %{Stripped-User-Name} ->

>>  [sql] sql_set_user escaped user --> ''
>>  rlm_sql (sql): Reserving sql socket id: 3
>>  [sql]   expand:  ->
>>  [sql] Error generating query; rejecting user
>>  rlm_sql (sql): Released sql socket id: 3
>>  ++[sql] returns fail
> 
> Stripped-User-Name not populated - so a blank expansion. do you need
> stripped-user-name?  - just use User-Name if not 


Hello Alan,

Thank you for your answer.
I may have not understood what you wrote.
I replaced in /etc/raddb/sql/mysql/dialup.conf

sql_user_name = '%{Stripped-User-Name}'
by
sql_user_name = '%{User-Name}'

But my authentication is still rejected

[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand:  ->
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
Invalid user: [testuser] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds

I would like to have simple logins such as testuser and not testuser@somedomain



Re: Basic freeradius set up problem

2012-07-11 Thread Mik J
>>>   [sql]   expand: %{Stripped-User-Name} ->

> 
>>>   [sql] sql_set_user escaped user --> ''
>>>   rlm_sql (sql): Reserving sql socket id: 3
>>>   [sql]   expand:  ->
>>>   [sql] Error generating query; rejecting user
>>>   rlm_sql (sql): Released sql socket id: 3
>>>   ++[sql] returns fail
>> 
>>  Stripped-User-Name not populated - so a blank expansion. do you need
>>  stripped-user-name?  - just use User-Name if not 
> 
> 
> Hello Alan,
> 
> Thank you for your answer.
> I may have not understood what you wrote.
> I replaced in /etc/raddb/sql/mysql/dialup.conf
> 
> sql_user_name = '%{Stripped-User-Name}'
> by
> sql_user_name = '%{User-Name}'
> 
> But my authentication is still rejected
> 
> [suffix] No '@' in User-Name = "testuser", looking up realm 
> NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> [sql]   expand: %{User-Name} -> testuser
> [sql] sql_set_user escaped user --> 'testuser'
> rlm_sql (sql): Reserving sql socket id: 4
> [sql]   expand:  ->
> [sql] Error generating query; rejecting user
> rlm_sql (sql): Released sql socket id: 4
> ++[sql] returns fail
> Invalid user: [testuser] (from client localhost port 1812)
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> testuser
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> 
> I would like to have simple logins such as testuser and not 
> testuser@somedomain


Hello lsclrstd,
I have created a second user testuser2 with the password in 'Cleartext-Password'
It doesn't work either. I have enabled the logs in MySQL, but I don't see any 
sql request being made.
I think there's a way to enable additional logs with freeradius and see what 
queries are sent to the mysql server. Does anyone know how to do that ?
I'll search more.
Thank you



Re: Basic freeradius set up problem

2012-07-11 Thread alan buxey
Hi,

> > [sql]   expand: %{User-Name} -> testuser
> > [sql] sql_set_user escaped user --> 'testuser'
> > rlm_sql (sql): Reserving sql socket id: 4
> > [sql]   expand:  ->
> > [sql] Error generating query; rejecting user

seems fair enough - there is no expansion for the query  - so I would
now check your sql.conf and dialup file to verify that the query
for authentication/authorization is sane and correct  (I've deleted your 
previous
email where you gave more details)

alan


BASIC question, but still having conceptual issues

2009-08-26 Thread Gary Gatten
Sorry again for the BASIC question!  I *occasionally* slam people on
other lists for being  well, basically helpless - and here I am
asking what I think is a really stupid question!  Humble pie anyone?

Let me take a sec to thank the development team for a very flexible
product!  Seems you can do pretty much anything you'd ever need to!  Did
Ci$co steal your code for ACS 5.0? :)  Once I familiarize myself with
the ins and outs I hope to contribute to the community where I can,
probably with docs, use cases, examples, etc.

Now my current issue.  I have read a lot of doc (some 3 and 4 times) and
am close to getting my head around how FR works and the various process
flow, however, I still can't determine the best way to address this
problem:

I have several different types of clients/NASes that will be using FR
as the Front End to perform AAA - mostly Authentication, but the Author
and Acct are close behind.

Anyway, each of these clients needs to perform slightly different backend
queries to determine if Authenticate should pass or fail:

Type 1: Networking Hardware Management Access (VTY)
- Routers, switches, VPN concentrators, firewalls, etc.
- Auth pass if creds are good AND user is member of NetEng group
in AD; else fail

Type 2: IPSec VPN Access
- RAS to HQ via IPSec (Ci$c0 ASA at HQ)
- Several profiles/groups will exist on ASA with different
properties:
    - NetEng, SysAdmins, Basic Users, etc.
- Auth pass if creds are good AND user is member of "RAS" group
in AD

Type 3 ... etc.


So, how do I go about this?  I'm currently using NTLM_Auth and that's
all working fine, I'm just not sure how to say in FR config: if request
of type 1, run this NTLM_Auth command and check for this group; If
request of type 2 run this other NTLM_Auth command and check for this
other group.

Would this be something in the huntgroup file?

TIA for replies - back to more reading and trials for me!

Gary


Re: Basic problems getting things to run

2006-02-16 Thread Alan DeKok
Geoff Silver <[EMAIL PROTECTED]> wrote:
> Forgive me if I'm missing something incredibly obvious, but I absolutely can't
> get auth to work.  ever.  For starters, here's what I see when running
> 'radiusd -AX':
> 
> rad_recv: Access-Request packet from host 127.0.0.1:34193, id=136, length=61
> Attr-1 = 0x6a617468616e69736d

  You are not using the dictionaries that come with the server.
You've probably got a Gnu RADIUS dictionary installed in /etc/raddb.

  The "make install" output has a few lines at the end telling you
that it didn't over-write existing dictionaries, and what to do to fix
the problem.  Read that text.

  Also, ensure that FreeRADIUS is looking for its configuration files
in a different directory than where the GNU radius configuration files
are located.  That will solve a lot of problems.

  Alan DeKok.


Re: Basic problems getting things to run

2006-02-17 Thread Geoff Silver
Ah.  The include line in raddb/dictionary was wrong (pointing to the
dictionary directory, not dictionary/dictionary).  Auth-Type := Accept seems
to be working now, so hopefully I can manage it from here (if not, I'm sure
you'll hear from me again).

Thanks a ton!

Alan DeKok wrote:
> Geoff Silver <[EMAIL PROTECTED]> wrote:
> 
>>Forgive me if I'm missing something incredibly obvious, but I absolutely can't
>>get auth to work.  ever.  For starters, here's what I see when running
>>'radiusd -AX':
>>
>>rad_recv: Access-Request packet from host 127.0.0.1:34193, id=136, length=61
>>Attr-1 = 0x6a617468616e69736d
> 
> 
>   You are not using the dictionaries that come with the server.
> You've probably got a Gnu RADIUS dictionary installed in /etc/raddb.
> 
>   The "make install" output has a few lines at the end telling you
> that it didn't over-write existing dictionaries, and what to do to fix
> the problem.  Read that text.
> 
>   Also, ensure that FreeRADIUS is looking for its configuration files
> in a different directory than where the GNU radius configuration files
> are located.  That will solve a lot of problems.
> 
>   Alan DeKok.
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Stuck on very basic freeradius setup

2012-07-03 Thread Andreas Meyer
Hello!

Tiago  wrote:

> Hello,
> I've just installed freeradius 2.x on an ubuntu server 12.04 with apt-get.
> 
> I've follow documentation and I'm stuck on a very basic setup (pap auth).
> Basically I'm testing the default config using the users file to test auth
> with radtest.
> 
> So, here is the thing:
> 
> users file - first line:
> teste Cleartext-Password:="teste"

My entry in the user file looks like this:

miles<-><-->Cleartext-Password := "davis45"
<--><-->Reply-Message = "Hello, %{User-Name}"

Does this help?

  Andreas


Re: Stuck on very basic freeradius setup

2012-07-03 Thread John Dennis

On 07/03/2012 09:33 AM, Tiago wrote:

Hello,
I've just installed freeradius 2.x on an ubuntu server 12.04 with apt-get.

I've follow documentation and I'm stuck on a very basic setup (pap
auth). Basically I'm testing the default config using the users file to
test auth with radtest.

So, here is the thing:

users file - first line:
teste Cleartext-Password:="teste"


Try adding spaces around the operator (:=) like the example suggests.


Ok, is that so obvious that I'm blind? Is there pap auth looking for
another file instead users file?


The debug output tells you what file it's reading, read the output.

--
John Dennis 



Re: Stuck on very basic freeradius setup

2012-07-03 Thread Tiago
No, still getting errors, but it sends the reply message:

[pap] login attempt with password "davis45"
[pap] No password configured for the user.  Cannot do authentication
++[pap] returns fail
Failed to authenticate the user.
Login incorrect: [miles/davis45] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> miles
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 230 to 127.0.0.1 port 59377
Reply-Message = "Hello, miles"


2012/7/3 Andreas Meyer 

> Hello!
>
> Tiago  wrote:
>
> > Hello,
> > I've just installed freeradius 2.x on an ubuntu server 12.04 with
> apt-get.
> >
> > I've follow documentation and I'm stuck on a very basic setup (pap auth).
> > Basically I'm testing the default config using the users file to test
> auth
> > with radtest.
> >
> > So, here is the thing:
> >
> > users file - first line:
> > teste Cleartext-Password:="teste"
>
> My entry in the user file looks like this:
>
> miles<-><-->Cleartext-Password := "davis45"
> <--><-->Reply-Message = "Hello, %{User-Name}"
>
> Does this help?
>
>   Andreas
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


Re: Stuck on very basic freeradius setup

2012-07-03 Thread Fajar A. Nugraha
On Tue, Jul 3, 2012 at 8:53 PM, Tiago  wrote:
> No, still getting errors, but it sends the reply message:
>
> [pap] login attempt with password "davis45"
> [pap] No password configured for the user.  Cannot do authentication

Did you do what John suggests, add spaces like the example on users file?
What does your entry currently looks like?
Did the debug log show it's reading that user file?

-- 
Fajar


Re: Stuck on very basic freeradius setup

2012-07-03 Thread Tiago
Hello Fajar,
Yes, I did, here is my users file:

teste Cleartext-Password := "teste"
miles   Cleartext-Password := "davis45"
   Reply-Message = "Hello, %{User-Name}"

The only entry refering to users file is this when I run freeradius -X:
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file
/etc/freeradius/modules/files
  files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
  }



2012/7/3 Fajar A. Nugraha 

> On Tue, Jul 3, 2012 at 8:53 PM, Tiago  wrote:
> > No, still getting errors, but it sends the reply message:
> >
> > [pap] login attempt with password "davis45"
> > [pap] No password configured for the user.  Cannot do authentication
>
> Did you do what John suggests, add spaces like the example on users file?
> What does your entry currently looks like?
> Did the debug log show it's reading that user file?
>
> --
> Fajar
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: Stuck on very basic freeradius setup

2012-07-03 Thread Fajar A. Nugraha
On Tue, Jul 3, 2012 at 9:20 PM, Tiago  wrote:
> Hello Fajar,
> Yes, I did, here is my users file:
>
> teste Cleartext-Password := "teste"
> miles   Cleartext-Password := "davis45"
>Reply-Message = "Hello, %{User-Name}"
>
> The only entry refering to users file is this when I run freeradius -X:
>  Module: Linked to module rlm_files
>  Module: Instantiating module "files" from file
> /etc/freeradius/modules/files
>   files {
> usersfile = "/etc/freeradius/users"
> acctusersfile = "/etc/freeradius/acct_users"
> preproxy_usersfile = "/etc/freeradius/preproxy_users"
> compat = "no"
>   }

Then read the rest of the debug log. It should print (on authorize
phase) which lines matched, and you can compare whether it's the
correct line. Since you cut that part, no one else will be able to
help you.

-- 
Fajar


Re: Stuck on very basic freeradius setup

2012-07-03 Thread Tiago
Sorry, here is my complete debug log:
http://pastebin.com/dYWb5tDs


2012/7/3 Fajar A. Nugraha 

> On Tue, Jul 3, 2012 at 9:20 PM, Tiago  wrote:
> > Hello Fajar,
> > Yes, I did, here is my users file:
> >
> > teste Cleartext-Password := "teste"
> > miles   Cleartext-Password := "davis45"
> >Reply-Message = "Hello, %{User-Name}"
> >
> > The only entry refering to users file is this when I run freeradius -X:
> >  Module: Linked to module rlm_files
> >  Module: Instantiating module "files" from file
> > /etc/freeradius/modules/files
> >   files {
> > usersfile = "/etc/freeradius/users"
> > acctusersfile = "/etc/freeradius/acct_users"
> > preproxy_usersfile = "/etc/freeradius/preproxy_users"
> > compat = "no"
> >   }
>
> Then read the rest of the debug log. It should print (on authorize
> phase) which lines matched, and you can compare whether it's the
> correct line. Since you cut that part, no one else will be able to
> help you.
>
> --
> Fajar
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: Stuck on very basic freeradius setup

2012-07-03 Thread alan buxey
Hi,
>Sorry, here is my complete debug log:
>http://pastebin.com/dYWb5tDs

no it isn't. that's not complete - that's just the startup...where is the actual
log when an event happens..this debug log just ends with

Listening on authentication address * port 1812
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
 
Listening on proxy address * port 1814
Ready to process requests.


and please don't use pastebin etc - just post the full output to this list.
it's not big, it's just simple and easy for us to help you then.

alan


Re: Stuck on very basic freeradius setup

2012-07-03 Thread Tiago
Alan,
My first message had that data, I'm pasting here again - after ready to
process line, thanks.

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 44400, id=204,
length=57
User-Name = "miles"
User-Password = "davis45"
NAS-IP-Address = 201.23.200.7
NAS-Port = 0
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "miles", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry miles at line 3
[files] expand: Hello, %{User-Name} -> Hello, miles
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "davis45"
[pap] No password configured for the user.  Cannot do authentication
++[pap] returns fail
Failed to authenticate the user.
Login incorrect: [miles/davis45] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> miles
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 204 to 127.0.0.1 port 44400
Reply-Message = "Hello, miles"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 204 with timestamp +10
Ready to process requests.


2012/7/3 alan buxey 

> Hi,
> >Sorry, here is my complete debug log:
> >http://pastebin.com/dYWb5tDs
>
> no it isn't. that's not complete - that's just the startup...where is the
> actual
> log when an event happens..this debug log just ends with
>
> Listening on authentication address * port 1812
> Listening on authentication address 127.0.0.1 port 18120 as server
> inner-tunnel
>
> Listening on proxy address * port 1814
> Ready to process requests.
>
>
> and please don't use pastebin etc - just post the full output to this list.
> it's not big, it's just simple and easy for us to help you then.
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Stuck on very basic freeradius setup

2012-07-03 Thread Fajar A. Nugraha
On Tue, Jul 3, 2012 at 10:13 PM, Tiago  wrote:
> Alan,
> My first message had that data, I'm pasting here again - after ready to
> process line, thanks.

It works on my setup.


> [files] users: Matched entry miles at line 3
> [files] expand: Hello, %{User-Name} -> Hello, miles
> ++[files] returns ok

Check your users file again. If you don't have empty lines on top, and
your users file is what you pasted earlier, it should say "line 2"
instead of "line 3". Recreate from scratch if necessary. My users file
is like this

#===
testuser1 Cleartext-Password := "testpass"
testuser2 Cleartext-Password := "testpass"
Reply-Message := "Hello %{User-Name}"
#===

and doing a "radtest testuser2 testpass 127.0.0.1 0 testing123" gets me

#==
[files] users: Matched entry testuser2 at line 2
[files] expand: Hello %{User-Name} -> Hello testuser2
++[files] returns ok
#==

Maybe it's an extra line on your users file, or a tab vs space issue, or
something else that I don't know about. Try copy-paste from mine
(minus the comment mark), and see if you get the correct line (which
is line 2 in my example).

... and if you've modified anything else on the config files, better
start from scratch (e.g. apt-get purge, apt-get install) just to be
sure.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Stuck on very basic freeradius setup

2012-07-03 Thread Tiago
Hello,
Even removing the users file and recreating it didn't work (same error).

I did a purge/reinstall and it solved the problem O.o.

Well, thanks very much for the help!

2012/7/3 Fajar A. Nugraha 

> On Tue, Jul 3, 2012 at 10:13 PM, Tiago  wrote:
> > Alan,
> > My first message had that data, I'm pasting here again - after ready to
> > process line, thanks.
>
> It works on my setup.
>
>
> > [files] users: Matched entry miles at line 3
> > [files] expand: Hello, %{User-Name} -> Hello, miles
> > ++[files] returns ok
>
> Check your users file again. If you don't have empty lines on top, and
> your users file is what you pasted earlier, it should say "line 2"
> instead of "line 3". Recreate from scratch if necessary. My users file
> is like this
>
> #===
> testuser1 Cleartext-Password := "testpass"
> testuser2 Cleartext-Password := "testpass"
> Reply-Message := "Hello %{User-Name}"
> #===
>
> and doing a "radtest testuser2 testpass 127.0.0.1 0 testing123" gets me
>
> #==
> [files] users: Matched entry testuser2 at line 2
> [files] expand: Hello %{User-Name} -> Hello testuser2
> ++[files] returns ok
> #==
>
> Maybe it's an extra line on your users file, or a tab vs space issue, or
> something else that I don't know about. Try copy-paste from mine
> (minus the comment mark), and see if you get the correct line (which
> is line 2 in my example).
>
> ... and if you've modified anything else on the config files, better
> start from scratch (e.g. apt-get purge, apt-get install) just to be
> sure.
>
> --
> Fajar
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RES: Basic freeradius set up problem

2012-07-11 Thread Alan DeKok
lscrlstld wrote:
>> 2) Inserted a user: INSERT INTO radcheck (UserName, Attribute, Value)
>> VALUES ('testuser', 'Password', 'passsecret');
> 
> Use 'Cleartext-Password' instead of 'Password' and try again.

  The "Password" attribute will be removed in 3.0.  I'm thinking of
deleting it in 2.2.0, too.

  Too many people make this *basic* mistake.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic freeradius set up problem [SOLVED]

2012-07-13 Thread Mik J


>>  Hello Alan,
>> 
>>  Thank you for your answer.
>>  I may have not understood what you wrote.
>>  I replaced in /etc/raddb/sql/mysql/dialup.conf
>> 
>>  sql_user_name = '%{Stripped-User-Name}'
>>  by
>>  sql_user_name = '%{User-Name}'

> 
> Hello lsclrstd,
> I have created a second user testuser2 with the password in 
> 'Cleartext-Password'

Hello everyone,
I finally solved my problem. My dialup.conf was empty with the exception of the 
statement I added. And dialup.conf is supposed to have some sql queries inside.
For the test to work, the password should be 'Password' and not 
'Cleartext-Password'
Thank you to those who helped

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic freeradius set up problem [SOLVED]

2012-07-13 Thread Alan DeKok
Mik J wrote:
> I finally solved my problem. My dialup.conf was empty with the exception of 
> the statement I added. And dialup.conf is supposed to have some sql queries 
> inside.
> For the test to work, the password should be 'Password' and not 
> 'Cleartext-Password'

  NO.  ABSOLUTELY NOT.

  Please stop giving erroneous advice.  The advice to use "Password" or
"User-Password" has been INVALID for about 7 years.  It's time that
people learn.

  If you have the password in a database, it's Cleartext-Password,
ALWAYS.  Anything else is WRONG.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: BASIC question, but still having conceptual issues

2009-08-26 Thread Gary Gatten
$hit - I just remembered.

Eventually the Type 1 devices, specifically network switches, will be
doing two different types of auth: vty access for admins only and 802.1x
auth for all users!  So, I can't process simply on NAS IP alone.  I'm
assuming there will be some diffs in the request packets sent to FR for
vty, dot1x, etc. - but haven't got that far yet.

I know when I get this figured out it will be SO simple and I'll feel
like even a bigger dumb-a$$ than I do already, but at least I'll be a
less busy dumb-a$$! :)

TIA

Gary


-Original Message-
From: Gary Gatten 
Sent: Wednesday, August 26, 2009 3:58 PM
To: 'FreeRadius users mailing list'
Subject: BASIC question, but still having conceptual issues

Sorry again for the BASIC question!  I *occasionally* slam people on
other lists for being  well, basically helpless - and here I am
asking what I think is a really stupid question!  Humble pie anyone?

Let me take a sec to thank the development team for a very flexible
product!  Seems you can do pretty much anything you'd ever need to!  Did
Ci$co steal your code for ACS 5.0? :)    Once I familiarize myself with
the ins and outs I hope to contribute to the community where I can,
probably with docs, use cases, examples, etc.

Now my current issue.  I have read a lot of doc (some 3 and 4 times) and
am close to getting my head around how FR works and the various process
flow, however, I still can't determine the best way to address this
problem:

I have several different types of clients/NASs that will be using FR
as the Front End to perform AAA - mostly Authentication, but the Author
and Acct are close behind.

Anyway, each of these clients need to perform slightly different backend
queries to determine if Authenticate should pass or fail:

Type 1: Networking Hardware Management Access (VTY)
- Routers, switches, VPN concentrators, firewalls, etc.
- Auth pass if creds are good AND user is member of NetEng group
in AD; else fail

Type 2: IPSec VPN Access
- RAS to HQ via IPSec (Ci$c0 ASA at HQ)
- Several profiles/groups will exist on ASA with different
properties:
- NetEng, SysAdmins, Basic Users, etc.
- Auth pass if creds are good AND user is member of "RAS" group
in AD

Type 3 ... etc.


So, how do I go about this?  I'm currently using NTLM_Auth and that's
all working fine, I'm just not sure how to say in FR config: if request
of type 1, run this NTLM_Auth command and check for this group; If
request of type 2 run this other NTLM_Auth command and check for this
other group.

Would this be something in the huntgroup file?

TIA for replies - back to more reading and trials for me!

Gary









"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: BASIC question, but still having conceptual issues

2009-08-26 Thread Ivan Kalik
> Eventually the Type 1 devices, specifically network switches, will be
> doing two different types of auth: vty access for admins only and 802.1x
> auth for all users!  So, I can't process simply on NAS IP alone.  I'm
> assuming there will be some diffs in the request packets sent to FR for
> vty, dot1x, etc. - but haven't got that far yet.
>
> I know when I get this figured out it will be SO simple and I'll feel
> like even a bigger dumb-a$$ than I do already, but at least I'll be a
> less busy dumb-a$$! :)

Service-Type. Type 1 will be NAS-Prompt-User or Administrative-User. 2
should be Framed-User just as 802.1x, but NAS-Port-Type will tell you if it
is wireless. Construct unlang if statement filters using Service-Type and
Ldap-Group (AD group).

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: BASIC question, but still having conceptual issues

2009-08-29 Thread Alan DeKok
Gary Gatten wrote:
> I have several different types of clients/NASs that will be using FR
> as the Front End to perform AAA - mostly Authentication, but the Author
> and Acct are close behind.

  Use virtual servers.  See raddb/sites-available/README

> Anyway, each of these clients need to perform slightly different backend
> queries to determine if Authenticate should pass or fail:
>
> So, how do I go about this?

  Configure completely different virtual servers, even if the contents
of those servers are mostly the same.

  This lets you work like each type of NAS has its own RADIUS server,
with its own policies.

>  I'm currently using NTLM_Auth and that's
> all working fine, I'm just not sure how to say in FR config: if request
> of type 1, run this NTLM_Auth command and check for this group; If
> request of type 2 run this other NTLM_Auth command and check for this
> other group.

  You'll also need to configure different instances of the MSCHAP
module, too.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: BASIC question, but still having conceptual issues

2009-08-29 Thread Gary Gatten
Seems like with FR this can be accomplished numerous ways.  The virtual server 
sounds like what I'm looking for, I'll read up on it.

Thanks!

Gary


- Original Message -
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 

To: FreeRadius users mailing list 
Sent: Sat Aug 29 04:02:03 2009
Subject: Re: BASIC question, but still having conceptual issues

Gary Gatten wrote:
> I have several different types of clients/NASs that will be using FR
> as the Front End to perform AAA - mostly Authentication, but the Author
> and Acct are close behind.

  Use virtual servers.  See raddb/sites-available/README

> Anyway, each of these clients need to perform slightly different backend
> queries to determine if Authenticate should pass or fail:
>
> So, how do I go about this?

  Configure completely different virtual servers, even if the contents
of those servers are mostly the same.

  This lets you work like each type of NAS has its own RADIUS server,
with its own policies.

>  I'm currently using NTLM_Auth and that's
> all working fine, I'm just not sure how to say in FR config: if request
> of type 1, run this NTLM_Auth command and check for this group; If
> request of type 2 run this other NTLM_Auth command and check for this
> other group.

  You'll also need to configure different instances of the MSCHAP
module, too.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html








-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

basic handling of multiple EAP-Methods by freerad

2006-06-26 Thread Rainer Brinkmann

Hello,

we wonder, how a freeradius can request a client to use a fixed EAP-Method:
so it's defined:
Client starts with EAP-Start-Msg
Radius wants EAP-Identity
Client answers with Username or Hostname NOT using a special EAP-Method

Radius now starts communicating with the first EAP-Packet, using the
special EAP-Method

Question:

you run in your wireless LAN many SSIDs:
SSID1 shall use EAP-TTLS
SSID2 shall use EAP-TLS(high-secured Net like personal Data)

what logic starts the right inner-EAP-Protocol, cause neither the
AccessPoint(WLAN-Controller), nor the
radius server know, what Method to use, when there are many enabled.

e.g. on a cisco-Radius, that runs with enabled PEAP and TLS, but there's no
special attribute defined to control that


thanks for reply,
Rainer Brinkmann

University-Clinicum Hamburg / Germany



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


basic handling of multiple EAP-Methods by freerad

2006-06-29 Thread Rainer Brinkmann

Hello,

we wonder, how a freeradius can request a client to use a fixed EAP-Method:
so it's defined:
Client starts with EAP-Start-Msg
Radius wants EAP-Identity
Client answers with Username or Hostname NOT using a special EAP-Method

Radius now starts communicating with the first EAP-Packet, using the
special EAP-Method

Question:

you run in your wireless LAN many SSIDs:
SSID1 shall use EAP-TTLS
SSID2 shall use EAP-TLS(high-secured Net like personal Data)

what logic starts the right inner-EAP-Protocol, cause neither the
AccessPoint(WLAN-Controller), nor the
radius server know, what Method to use, when there are many enabled.

e.g. on a cisco-Radius, that runs with enabled PEAP and TLS, but there's no
special attribute defined to control that


thanks for reply,
Rainer Brinkmann

University-Clinicum Hamburg / Germany


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


basic failure from intital install. doesnt make sense

2005-03-09 Thread Gingell, Shane








All,

I have just installed Free-Radius for my first time as a previous FUNK user and I
am having stupid errors when testing initial authentication. Here is what is
happening: Any help is greatly appreciated. The end goal is to use this with a
Redback SE BRAS. Thanks in advance.

- installed Free Radius and had no errors. I run radiusd -Ayx:

[EMAIL PROTECTED] bin]# ps -ef | grep radiusd
root  7083  9621  0 10:06 pts/2    00:00:00 radiusd -Ayx

- Used /usr/local/bin/radtest and I get :

./radtest REDBACK passwd localhost:1812 1812 testing123
Sending Access-Request of id 192 to 127.0.0.1:1812
    User-Name = "REDBACK"
    User-Password = "passwd"
    NAS-IP-Address = yuengling.netops.talk.com
    NAS-Port = 1812
Re-sending Access-Request of id 192 to 127.0.0.1:1812
    User-Name = "REDBACK"
    User-Password = "j\355\222!\370\032R\n\031\233L\354\247\345\311q"
    NAS-IP-Address = yuengling.netops.talk.com
    NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=192, length=20

#snippet from users ##

REDBACK Auth-Type := Local, User-Password == "passwd"
    PVC-Encapsulation-Type = Route-1483

snippet from clients.config

client 127.0.0.1 {
    #
    #  The shared secret use to "encrypt" and "sign" packets between
    #  the NAS and FreeRADIUS.  You MUST change this secret from the
    #  default, otherwise it's not a secret any more!
    #
    #  The secret can be any string, up to 32 characters in length.
    #
    secret  = testing123

    #
    #  The short name is used as an alias for the fully qualified
    #  domain name, or the IP address.
    #
    shortname   = localhost

}

###

Shane Gingell
Manager of IP Engineering
Talk America Inc.
Desk: 703-391-7545
Cell: 703-856-7606

--
Internal Virus Database is out-of-date.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 266.5.5 - Release Date: 3/1/2005


Basic question to authenticate switches and Linux boxes

2013-05-08 Thread Roberto Carna
Dear, I'm new at FreeRADIUS as an AAA server in a Linux box and I need to
authenticate Allied switches and Debian/Centos boxes.

What package/module do I have to install in addition to freeradius ??? And
what authentication procedure do I have to use in order to let universal
AAA ???

Thanks a lot,

Roberto
"the locu abierto"
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread Darlington, Andrew
Hi all

I'm trying to set up a very basic test server using FreeRADIUS (running on 
Ubuntu 12.04) that uses PEAP with the example certificates generated by 
FreeRADIUS.

I keep running into a variety of fairly basic problems.

After running freeradius -X I get this error message.

Couldn't open /etc/freeradius/acct_users for reading: Permission denied
Errors reading /etc/freeradius/acct_users
/etc/freeradius/modules/files[7]: Instantiation failed for module "files"
/etc/freeradius/sites-enabled/inner-tunnel[124]: Failed to load module "files".
/etc/freeradius/sites-enabled/inner-tunnel[47]: Errors parsing authorize 
section.
I was hoping someone could advise.

Thanks

PS I'm new to FreeRADIUS and Ubuntu.



This e-mail message is confidential and for use by the addressee only. If you 
are not the intended recipient, you must not use, disclose, copy or forward 
this transmission. Please return the message to the sender by replying to it 
and then delete the message from your computer. Sagentia provides e-mail 
services for both itself and a number of its independent spin-out companies. 
Sagentia shall not be held liable to any person resulting from the use of any 
information contained in this e-mail and shall not be liable to any person who 
acts or omits to do anything in reliance upon it. Sagentia does not accept 
responsibility for changes made to this message after it was sent.

Company Information: Name: Sagentia Limited. Registered Address: Harston Mill, 
Harston Cambridge CB22 7GG. Registered as a Company in England: 2081960 VAT 
Number: 432214202. Website hosted by: Sagentia Limited Harston Mill, Harston, 
Cambridge, UK. CB22 7GG i...@sagentia.com

-- 
Scanned by iCritical.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

help in basic configuration in connection mysql with freeradius

2008-02-08 Thread johnson elangbam
hi,
I am trying to use a mysql database with free radius 2.0.0 for the first
time. I am using CentOS 4.5 and mysql 4.1.2. The authentication works fine if
I am using the unix username and password.  I modified some configurations
in radiusd.conf and sql.conf but it doesn't work. Please tell me the most
basic steps to configure freeradius with mysql.
Here is the log file while running in debugging mode:

[EMAIL PROTECTED] ~]# radiusd -X
FreeRADIUS Version 2.0.0, for host i686-pc-linux-gnu, built on Jan 29 2008
at 12:25:11
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
user = "root"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = no
 log {
syslog_facility = "daemon"
stripped_names = no
file = "/usr/local/var/log/radius/radius.log"
auth = yes
auth_badpass = yes
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "johnson123"
nastype = "other"
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "johnson123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = "auto"
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = "NULL"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = "md5"
t

Re: basic handling of multiple EAP-Methods by freerad

2006-06-27 Thread Phil Mayers

Rainer Brinkmann wrote:
> Hello,
>
> we wonder, how a freeradius can request a client to use a fixed EAP-Method:
> so it's defined:
> Client starts with EAP-Start-Msg
> Radius wants EAP-Identity
> Client answers with Username or Hostname NOT using a special EAP-Method
>
> Radius now starts communicating with the first EAP-Packet, using the
> special EAP-Method


For this, it will use the default_eap_type



> Question:
>
> you run in your wireless LAN many SSIDs:
> SSID1 shall use EAP-TTLS
> SSID2 shall use EAP-TLS(high-secured Net like personal Data)
>
> what logic starts the right inner-EAP-Protocol, cause neither the
> AccessPoint(WLAN-Controller), nor the
> radius server know, what Method to use, when there are many enabled.
>
> e.g. on a cisco-Radius, that runs with enabled PEAP and TLS, but there's no
> special attribute defined to control that


Yes there is. Set "EAP-Type" (see dictionary.freeradius.internal)

e.g.

DEFAULT Your-SSID-AVP = "SSID1", EAP-Type := EAP-TTLS

DEFAULT Your-SSID-AVP = "SSID2", EAP-Type := EAP-TLS

Note however, the client can still NAK the radius server and request a 
different type, and the radius server will allow that. To prevent that, 
you'd need to run >1 instance of the eap module and disable the other 
eap types. The following is untested and may not work for various 
reasons, but is worth a try:


modules {
  eap eap_ttlsonly {
default_eap_type = ttls
# only define one eap sub-module
ttls {
  # stuff
}
  }

  eap eap_tlsonly {
default_eap_type = tls
# only define one eap sub-module
tls {
  # stuff
}
  }
}

authorize {
  preprocess
  users
  Autz-Type TTLS-only {
eap_ttlsonly
  }
  Autz-Type TLS-only {
eap_tlsonly
  }
}
authenticate {
  Auth-Type TTLS-only {
eap_ttlsonly
  }
  Auth-Type TLS-only {
eap_tlsonly
  }
}

...then in "users":

DEFAULT SSID = "ssid1", Autz-Type := TTLS-only, Auth-Type := TTLS-only

DEFAULT SSID = "ssid2", Autz-Type := TLS-only, Auth-Type := TLS-only




> thanks for reply,
> Rainer Brinkmann
>
> University-Clinicum Hamburg / Germany
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: basic handling of multiple EAP-Methods by freerad

2006-06-29 Thread Alan DeKok
"Rainer Brinkmann" <[EMAIL PROTECTED]> wrote:
> we wonder, how a freeradius can request a client to use a fixed EAP-Method:
> so it's defined:
> Client starts with EAP-Start-Msg
> Radius wants EAP-Identity
> Client answers with Username or Hostname NOT using a special EAP-Method

  That isn't how EAP works.

> you run in your wireless LAN many SSIDs:
> SSID1 shall use EAP-TTLS
> SSID2 shall use EAP-TLS(high-secured Net like personal Data)
> 
> what logic starts the right inner-EAP-Protocol, cause neither the
> AccessPoint(WLAN-Controller), nor the
> radius server know, what Method to use, when there are many enabled.

  The supplicant.  i.e. the laptop, usually.

  What you can do in the default config is something like the following:

DEFAULT SSID == "SSID1", Eap-Type != EAP-TTLS, Auth-Type := Reject

  You'll have to look in the RADIUS packet to see how the SSID comes
in, and match that.  But that *should* reject anyone on SSID1 who
isn't using TTLS.

  The reason you have to reject the request, rather than forcing
people to use TTLS is that you *can't* force people to use TTLS.  They
use whatever they want, and the server has to deal with it.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
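Added example, not FreeRADIUS code and not from any poster here: a small Python model of how rlm_files reads the users file, covering two points on this page at once, the line number in "[files] users: Matched entry X at line N" (Fajar's line 2 versus line 3 in the "Stuck on very basic freeradius setup" thread) and the DEFAULT entry in this reply, whose check items decide the match and whose := items become control items such as Auth-Type := Reject. It assumes a simplified syntax: only the ==, != and := operators, no Fall-Through, first match wins, and the usual rule that an entry starts in column 0 while reply items are indented.

```python
"""Toy model of how FreeRADIUS rlm_files reads the 'users' file (added
example, not FreeRADIUS code). Assumed simplifications: only the ==, !=
and := operators, no Fall-Through, first match wins, attribute names are
case-insensitive and values are compared as plain strings."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One "Attr op value" item, optionally followed by a comma; the value is
# double-quoted or a bare word such as EAP-TTLS or Reject.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=)\s*("[^"]*"|[^,\s]+)\s*(,|$)')


@dataclass
class Entry:
    name: str      # user name, or DEFAULT
    line: int      # 1-based file line: the N in "Matched entry X at line N"
    check: List[Tuple[str, str, str]] = field(default_factory=list)
    reply: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_items(text: str, lineno: int) -> List[Tuple[str, str, str]]:
    """Split a comma-separated item list into (attr, op, value) triples."""
    items, text, pos = [], text.strip(), 0
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse {text[pos:]!r}")
        attr, op, value, _ = m.groups()
        items.append((attr, op, value.strip('"')))
        pos = m.end()
    return items


def parse_users(text: str) -> List[Entry]:
    """An entry starts in column 0; indented lines hold its reply items.
    Blank and comment lines are skipped but still count toward the line
    number, so one stray blank line at the top turns 'line 2' into 'line 3'."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':
            if not entries:
                raise ValueError(f"line {lineno}: reply items before any entry")
            entries[-1].reply.extend(parse_items(raw, lineno))
            continue
        parts = raw.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ''
        entries.append(Entry(parts[0], lineno, parse_items(rest, lineno)))
    return entries


def matches(entry: Entry, request: Dict[str, str]) -> bool:
    """== needs the attribute present and equal; != needs it present and
    different (the users(5) rule); := is a control item, never compared."""
    req = {k.lower(): v for k, v in request.items()}
    if entry.name != 'DEFAULT' and entry.name != req.get('user-name'):
        return False
    for attr, op, value in entry.check:
        have = req.get(attr.lower())
        if op == '==' and have != value:
            return False
        if op == '!=' and (have is None or have == value):
            return False
    return True


def lookup(entries: List[Entry], request: Dict[str, str]
           ) -> Optional[Tuple[Entry, Dict[str, str]]]:
    """First matching entry plus its control items (the := check items)."""
    for entry in entries:
        if matches(entry, request):
            return entry, {a: v for a, op, v in entry.check if op == ':='}
    return None


# Constructed samples. Fajar's file with the Reply-Message line tab-indented
# (the mail client dropped the tab), the same file with a stray blank line on
# top, and Alan DeKok's entry rejecting anyone on SSID1 who is not using TTLS.
USERS_OK = (
    'testuser1 Cleartext-Password := "testpass"\n'
    'testuser2 Cleartext-Password := "testpass"\n'
    '\tReply-Message := "Hello %{User-Name}"\n'
)
USERS_BLANK_TOP = '\n' + USERS_OK
USERS_SSID = 'DEFAULT SSID == "SSID1", Eap-Type != EAP-TTLS, Auth-Type := Reject\n'


def demo() -> tuple:
    hit, _ = lookup(parse_users(USERS_OK), {'User-Name': 'testuser2'})
    shifted, _ = lookup(parse_users(USERS_BLANK_TOP), {'User-Name': 'testuser2'})
    tls = lookup(parse_users(USERS_SSID),
                 {'User-Name': 'bob', 'SSID': 'SSID1', 'EAP-Type': 'EAP-TLS'})
    ttls = lookup(parse_users(USERS_SSID),
                  {'User-Name': 'bob', 'SSID': 'SSID1', 'EAP-Type': 'EAP-TTLS'})
    return hit.line, shifted.line, tls[1], ttls   # (2, 3, {'Auth-Type': 'Reject'}, None)
```

The SSID attribute name is a placeholder, as in the reply above: the real request has to be inspected to see which attribute carries the SSID on a given NAS.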


Re: basic handling of multiple EAP-Methods by freerad

2006-06-29 Thread Josh Howlett

On 29 Jun 2006, at 17:23, Rainer Brinkmann wrote:

> Hello,
>
> we wonder, how a freeradius can request a client to use a fixed EAP-Method:
> so it's defined:
> Client starts with EAP-Start-Msg
> Radius wants EAP-Identity
> Client answers with Username or Hostname NOT using a special EAP-Method
>
> Radius now starts communicating with the first EAP-Packet, using the
> special EAP-Method
>
> Question:
>
> you run in your wireless LAN many SSIDs:
> SSID1 shall use EAP-TTLS
> SSID2 shall use EAP-TLS(high-secured Net like personal Data)


I'd personally question the assumption that TLS is any more secure  
than TTLS, but if you want to do this it is probably easiest to have  
a single SSID, and allocate a VLAN dynamically depending on whether  
they've used TTLS or TLS.


josh.


> what logic starts the right inner-EAP-Protocol, cause neither the
> AccessPoint(WLAN-Controller), nor the
> radius server know, what Method to use, when there are many enabled.
>
> e.g. on a cisco-Radius, that runs with enabled PEAP and TLS, but there's no
> special attribute defined to control that
>
>
> thanks for reply,
> Rainer Brinkmann
>
> University-Clinicum Hamburg / Germany
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |  
internal: 7850




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: basic failure from intital install. doesnt make sense

2005-03-09 Thread Alan DeKok
"Gingell, Shane" <[EMAIL PROTECTED]> wrote:
> I have just installed Free-Radius for my first time as a
> previous FUNK user and I am having stupid errors when testing initial
> authentication. Here is hat is happeneing: Any help is greatly
> appreciated.

  Run the server in debugging mode as suggested in the FAQ, README,
and INSTALL.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic question to authenticate switches and Linux boxes

2013-05-08 Thread Matt Zagrabelny
On Wed, May 8, 2013 at 3:26 PM, Roberto Carna  wrote:
> Dear, I'm new at FreeRADIUS as an AAA server in a Linux box and I need to
> authenticate Allied switches and Debian/Centos boxes.
>
> What package/module do I have to install in addition to freeradius ???

For the Debian clients you might want:

libpam-radius-auth

You can use apt-cache to search for things:

% apt-cache search radius pam
freeradius - high-performance and highly configurable RADIUS server
libpam-radius-auth - The PAM RADIUS authentication module
yardradius - YARD Radius Authorization and Accounting Server

And
> what authentication procedure do I have ti use in order to let universal AAA
> ???

I don't understand this question.

-mz
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic question to authenticate switches and Linux boxes

2013-05-09 Thread Roberto Carna
Dear Matt, my second question is:

If I have to authenticate Linux boxes and switches against Freeradius, do I
have to use libpam-radius-auth for both devices or what ???

Thanks again,

Roberto


2013/5/8 Matt Zagrabelny 

> On Wed, May 8, 2013 at 3:26 PM, Roberto Carna 
> wrote:
> > Dear, I'm new at FreeRADIUS as an AAA server in a Linux box and I need to
> > authenticate Allied switches and Debian/Centos boxes.
> >
> > What package/module do I have to install in addition to freeradius ???
>
> For the Debian clients you might want:
>
> libpam-radius-auth
>
> You can use apt-cache to search for things:
>
> % apt-cache search radius pam
> freeradius - high-performance and highly configurable RADIUS server
> libpam-radius-auth - The PAM RADIUS authentication module
> yardradius - YARD Radius Authorization and Accounting Server
>
> And
> > what authentication procedure do I have ti use in order to let universal
> AAA
> > ???
>
> I don't understand this question.
>
> -mz
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Basic question to authenticate switches and Linux boxes

2013-05-09 Thread Edvin Seferovic | Kolpinghaus St. Pölten

You need to rephrase your question. Do you want to:

a.) authenticate and authorize users accessing the console of your switch?
b.) authenticate a machine/user connected to a port of a switch (MAC 
auth or 802.1x)

c.) Linux boxes are machines... see "B"
d.) authenticate users accessing the boxes...

Regards,
E:S

On 09.05.2013 21:38, Roberto Carna wrote:

Dear Matt, my second question is:

If I have to authenticate Linux boxes and switches against Freeradius, 
do I have to use libpam-radius-auth for both devices or what ???


Thanks again,

Roberto


2013/5/8 Matt Zagrabelny

On Wed, May 8, 2013 at 3:26 PM, Roberto Carna wrote:
> Dear, I'm new at Freeradius as an AAA server in a Linux box and I
> need to authenticate Allied switches and Debian/Centos boxes.
>
> What package/module do I have to install in addition to
> freeradius ???

For the Debian clients you might want:

libpam-radius-auth

You can use apt-cache to search for things:

% apt-cache search radius pam
freeradius - high-performance and highly configurable RADIUS server
libpam-radius-auth - The PAM RADIUS authentication module
yardradius - YARD Radius Authorization and Accounting Server

And
> what authentication procedure do I have to use in order to let
> universal AAA ???

I don't understand this question.

-mz

Re: Basic question to authenticate switches and Linux boxes

2013-05-15 Thread Roberto Carna
Dear, sorry for my confusion...I need to do the following:

1) Authenticate and authorize users accessing switches through TELNET and/or
HTTP
2) Authenticate and authorize users accessing Linux servers through SSH

Thanks again.

Roberto


2013/5/9 "Edvin Seferovic | Kolpinghaus St. Pölten" 

>  You need to rephrase your question. Do you want to:
>
> a.) authenticate and authorize users accessing the console of your switch?
> b.) authenticate a machine/user connected to a port of a switch (MAC auth
> or 802.1X)
> c.) Linux boxes are machines... see "B"
> d.) authenticate users accessing the boxes...
>
> Regards,
> E:S
>
>
> On 09.05.2013 21:38, Roberto Carna wrote:
>
> Dear Matt, my second question is:
>
>  If I have to authenticate Linux boxes and switches against Freeradius,
> do I have to use libpam-radius-auth for both devices or what ???
>
>  Thanks again,
>
>  Roberto
>
>
> 2013/5/8 Matt Zagrabelny 
>
>> On Wed, May 8, 2013 at 3:26 PM, Roberto Carna 
>> wrote:
>> > Dear, I'm new at Freeradius as an AAA server in a Linux box and I need to
>> > authenticate Allied switches and Debian/Centos boxes.
>> >
>> > What package/module do I have to install in addition to freeradius ???
>>
>>  For the Debian clients you might want:
>>
>> libpam-radius-auth
>>
>> You can use apt-cache to search for things:
>>
>> % apt-cache search radius pam
>> freeradius - high-performance and highly configurable RADIUS server
>> libpam-radius-auth - The PAM RADIUS authentication module
>> yardradius - YARD Radius Authorization and Accounting Server
>>
>> And
>> > what authentication procedure do I have to use in order to let
>> universal AAA
>> > ???
>>
>>  I don't understand this question.
>>
>> -mz

Re: Basic question to authenticate switches and Linux boxes

2013-05-16 Thread Alan DeKok
Roberto Carna wrote:
> Dear, sorry for my confusion...I need to do the following:
> 
> 1) Authenticate and authorize users accessing switches through TELNET
> and/or HTTP
> 2) Authenticate and authorize users accessing Linux servers through SSH

  You're about 2 steps removed from RADIUS.

  First, find out how those systems use RADIUS.

  Then look at the RADIUS pieces.

  Alan DeKok.


Re: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread Alan DeKok
Darlington, Andrew wrote:
> I’m trying to setup a very basic test server using FreeRADIUS (running
> on Ubuntu 12.04) that uses PEAP with the example certificates generated
> by FreeRADIUS.

  See http://deployingradius.com  It has a detailed guide for EAP / PEAP.

> Couldn't open /etc/freeradius/acct_users for reading: Permission denied
> Errors reading /etc/freeradius/acct_users

  You're running it as a normal user, and the file is owned by root (or
another user).

  Run it as root.

  Alan DeKok.

RE: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread Darlington, Andrew
orize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
  realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/freeradius/modules/files
  files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
  }
Couldn't open /etc/freeradius/acct_users for reading: Permission denied
Errors reading /etc/freeradius/acct_users
/etc/freeradius/modules/files[7]: Instantiation failed for module "files"
/etc/freeradius/sites-enabled/inner-tunnel[124]: Failed to load module "files".
/etc/freeradius/sites-enabled/inner-tunnel[47]: Errors parsing authorize 
section.


I thought I was running it as root (root@hd), and I also used sudo just to be 
sure (not too confident on Ubuntu's root system).
Let me know if that's not the case.

Also another thing I forgot to mention is this time the basic radtest fails.

root@hd:~# radtest testing password 127.0.0.1 0 testing123
Sending Access-Request of id 137 to 127.0.0.1 port 1812
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Sending Access-Request of id 137 to 127.0.0.1 port 1812
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Sending Access-Request of id 137 to 127.0.0.1 port 1812
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
radclient: no response from server for ID 137 socket 3

I had it working before but I have no idea why it won't work anymore, hopefully 
this is related and will help in some way.

Thanks

Andy



Re: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread A . L . M . Buxey
Hi,

>I'm trying to setup a very basic test server using FreeRADIUS (running on
>Ubuntu 12.04) that uses PEAP with the example certificates generated by
>FreeRADIUS.

out of the box, freeRADIUS works - you just need, for testing
to add your user/pass to the 'users' file and your NAS to the clients.conf

alan


Re: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread A . L . M . Buxey
hi,

check permissions/owner etc of /etc/freeradius and the contents

alan


Re: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread Phil Mayers

On 15/08/13 14:30, Darlington, Andrew wrote:


Couldn't open /etc/freeradius/acct_users for reading: Permission denied
Errors reading /etc/freeradius/acct_users
/etc/freeradius/modules/files[7]: Instantiation failed for module "files"
/etc/freeradius/sites-enabled/inner-tunnel[124]: Failed to load module "files".
/etc/freeradius/sites-enabled/inner-tunnel[47]: Errors parsing authorize 
section.


I thought I was running it as root (root@hd), and I also used sudo just to be 
sure (not too confident on Ubuntu's root system).
Let me know if that's not the case.


main {
user = "freerad"
group = "freerad"

Ensure user/group freerad has permissions on /etc/freeradius/acct_users
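A check for the permission problem Phil describes, as an added example that is not part of the thread: it walks the configuration directory and lists every regular file that the configured service user could not open, using the owner/group/other read-bit rule the kernel applies once radiusd has dropped to the `user`/`group` named in radiusd.conf. It assumes a Linux box with GNU or busybox `stat -c`; it ignores supplementary groups, POSIX ACLs and root's bypass, so a clean run is a necessary rather than sufficient condition. The file names and the `freerad` user/group are the ones from this thread; the script name is made up.

```shell
#!/bin/sh
# Added example (not from the thread): list config files that the FreeRADIUS
# service user (user/group from radiusd.conf's main { } section) cannot read.
# Assumes GNU/busybox `stat -c`.  Only the classic owner/group/other bits are
# evaluated; supplementary groups, POSIX ACLs and root's bypass are ignored.

# readable_by USER GROUP FILE
# Exit 0 when USER (primary group GROUP) can read FILE.  As in the kernel,
# the owner bits are decisive for the owner even if group/other bits differ.
readable_by() {
    user=$1; group=$2; file=$3
    info=$(stat -c '%U %G %a' "$file" 2>/dev/null) || return 2
    set -- $info
    owner=$1; fgroup=$2; mode=$3
    mode=${mode#${mode%???}}            # keep the last three octal digits
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    if [ "$owner" = "$user" ]; then
        [ $((u & 4)) -ne 0 ]
    elif [ "$fgroup" = "$group" ]; then
        [ $((g & 4)) -ne 0 ]
    else
        [ $((o & 4)) -ne 0 ]
    fi
}

# unreadable_files USER GROUP DIR
# Print every regular file under DIR that USER cannot read, one per line.
# (Directories on the path also need the execute bit; find reports those it
# cannot enter on stderr when run as a non-root user.)
unreadable_files() {
    find "$3" -type f -print | while IFS= read -r f; do
        readable_by "$1" "$2" "$f" || printf '%s\n' "$f"
    done
}

# Usage: sh check_raddb_perms.sh freerad freerad /etc/freeradius
# Fix findings with chown/chmod for the service user rather than by opening
# the files to everyone: users, acct_users and clients.conf carry secrets.
if [ $# -eq 3 ]; then
    unreadable_files "$1" "$2" "$3"
fi
```

Running `radiusd -X` as root only helps when the server keeps running as root; with `user = "freerad"` in `main { }` the debug run still re-opens its files as `freerad`, which is exactly what this script models.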


RE: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread Darlington, Andrew
Hi

Thanks for all the replies!

Going through all the permissions of the various files freeradius complained 
about fixed it like Phil Mayers and Alan said.

I also fixed the radtest problem.  This just need to have freeradius restarted 
normally.

I'm now working on PEAP with an Ubuntu client now so hopefully that will go 
smoothly.

Thanks again for the help.



Re: help in basic configuration in connection mysql with freeradius

2008-02-08 Thread Iñaki Baz Castillo
On Friday 08 February 2008 16:18:25 johnson elangbam wrote:
> hi,
> I am trying to use mysql database with free radius 2.0.0 for the first
> time. I am using centOS 4.5 and mysql 4.1.2. The authentication works fine
> if I am using the unix username and password.  I modified some
> configurations in radiusd.conf and sql.conf but it doesn't work. Please
> tell me the most basic steps to configure freeradius with mysql.


http://wiki.freeradius.org/SQL_HOWTO





-- 
Iñaki Baz Castillo
[EMAIL PROTECTED]



Re: help in basic configuration in connection mysql with freeradius

2008-02-08 Thread Alan DeKok
johnson elangbam wrote:
> hi,
> I am trying to use mysql database with free radius 2.0.0 for the
> first time. I am using centOS 4.5 and mysql 4.1.2. The authentication
> works fine if I am using the unix username and password.  I modified
> some configurations in radiusd.conf and sql.conf but it doesn't work.
> Please tell me the most basic steps to configure freeradius with mysql.
> Here is the log file while running in debugging mode:

  Which contains nothing about SQL.

  You need to un-comment the uses of SQL in the configuration files.
See radiusd.conf, sites-enabled/default, etc.

  Alan DeKok.


Re: help in basic configuration in connection mysql with freeradius

2008-02-08 Thread A . L . M . Buxey
Hi,

> hi,
> I am trying to use mysql database with free radius 2.0.0 for the first
> time. I am using centOS 4.5 and mysql 4.1.2. The authentication works fine if
> I am using the unix username and password.  I modified some configurations
> in radiusd.conf and sql.conf but it doesn't work. Please tell me the most
> basic steps to configure freeradius with mysql.
> Here is the log file while running in debugging mode:

Home-built, with no sign of SQL activity in the log file. So, did the server 
build with mysql support? 

what errors were thrown during the ./configure stage?

eg 

./configure --with-whatever-arguments | grep WARNING


you will need mysql-devel package installed to build mysql support
into the system

alan 


Basic usage: What do I do next to get this to work?

2007-10-30 Thread Doc. Caliban

Hello,

I hate to ask this, but I'm running out of time on this project and I'm 
completely new to RADIUS.  I would be really happy if someone could just 
point me to a detailed HOW TO for what I need.


I have freeRADIUS set up with an external MySQL user database and it's 
successfully authorizing requests from NTRadPing. 

Now I need to actually try it out "In the field".  I need people running 
XP, Vista (ugh), and Apple laptops to be able to auth using the MySQL 
database that I have set up.


So far I'm not having any luck, and I don't mind saying that I'm a 
little over my head at this point.  Someone familiar with this will 
probably see glaring problems.


I will provide all the details I can think of, but please let me know if 
you need more.


Server:
FreeRADIUS 1.1.7 with MySQL module.

Database:
Remote MySQL

Access Point:
D-Link DWL-7100AP (Ciscos coming in January)
WPA-EAP
TKIP

Client Laptop:
WPA Enterprise
TKIP
PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)
MS-CHAP-V2 (Other options: GTC, TLS)






I set up an AP to use RADIUS, and the requests get through to the RADIUS 
server, but they always fail.  Posted below is the debug output from the 
failed attempt.




Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.1:1030, id=0, 
length=193

Message-Authenticator = 0xf9c41895a382161a1d31b4a47bd830e0
Service-Type = Framed-User
User-Name = "testuser"
Framed-MTU = 1488
Called-Station-Id = "00-11-95-DA-16-A6:SUSOM"
Calling-Station-Id = "00-1B-77-28-B3-CF"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11a"
EAP-Message = 0x020b01746261727468
NAS-IP-Address = 192.168.0.1
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
rad_lowerpair:  User-Name now 'testuser'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
radius_xlat:  'testuser'
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   
FROM radcheck   WHERE Username = 'testuser'   ORDER BY id'

rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   
FROM radreply   WHERE Username = 'testuser'   ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'

rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 192.168.0.1 port 1030
Framed-Protocol := PPP
Service-Type := Framed-User
Framed-MTU := 1500
Framed-Compression := Van-Jacobson-TCP-IP
EAP-Message = 0x0101001604104e273ea966f4fb77466b296f9c607385
Message-Authenticator = 0x
State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:1030, id=1, 
length=206

Message-Authenticator = 0xc9926863cf3df06ac150bbb6f77208eb
Service-Type = Framed-User
User-Name = "testuser"
Framed-MTU = 1488
State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
Called-Station-Id = "00-11-95-DA-

Re: Basic usage: What do I do next to get this to work?

2007-10-30 Thread tnt
You haven't configured PEAP in eap.conf. You need to configure tls and
peap sections. You will also need a server certificate and to export
root certificate to XP clients (if you are signing them yourself). Read
instructions in eap.conf, /scripts, wiki (about EAP) and howto for AD
integration before doing anything.

Ivan Kalik
Kalik Informatika ISP


On 30/10/2007, "Doc. Caliban" <[EMAIL PROTECTED]> writes:

>Hello,
>
>I hate to ask this, but I'm running out of time on this project and I'm
>completely new to RADIUS.  I would be really happy if someone could just
>point me to a detailed HOW TO for what I need.
>
>I have freeRADIUS set up with an external MySQL user database and it's
>successfully authorizing requests from NTRadPing.
>
>Now I need to actually try it out "In the field".  I need people running
>XP, Vista (ugh), and Apple laptops to be able to auth using the MySQL
>database that I have set up.
>
>So far I'm not having any luck, and I don't mind saying that I'm a
>little over my head at this point.  Someone familiar with this will
>probably see glaring problems.
>
>I will provide all the details I can think of, but please let me know if
>you need more.
>
>Server:
>FreeRADIUS 1.1.7 with MySQL module.
>
>Database:
>Remote MySQL
>
>Access Point:
>D-Link DWL-7100AP (Ciscos coming in January)
>WPA-EAP
>TKIP
>
>Client Laptop:
>WPA Enterprise
>TKIP
>PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)
>MS-CHAP-V2 (Other options: GTC, TLS)
>
>I set up an AP to use RADIUS, and the requests get through to the RADIUS
>server, but they always fail.  Posted below is the debug output from the
>failed attempt.
>
>
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=0,
>> length=193
>> Message-Authenticator = 0xf9c41895a382161a1d31b4a47bd830e0
>> Service-Type = Framed-User
>> User-Name = "testuser"
>> Framed-MTU = 1488
>> Called-Station-Id = "00-11-95-DA-16-A6:SUSOM"
>> Calling-Station-Id = "00-1B-77-28-B3-CF"
>> NAS-Identifier = "D-Link Access Point"
>> NAS-Port-Type = Wireless-802.11
>> Connect-Info = "CONNECT 54Mbps 802.11a"
>> EAP-Message = 0x020b01746261727468
>> NAS-IP-Address = 192.168.0.1
>> NAS-Port = 1
>> NAS-Port-Id = "STA port # 1"
>> rad_lowerpair:  User-Name now 'testuser'
>>   Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 0
>>   modcall[authorize]: module "preprocess" returns ok for request 0
>>   modcall[authorize]: module "chap" returns noop for request 0
>>   modcall[authorize]: module "mschap" returns noop for request 0
>> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>> rlm_realm: No such realm "NULL"
>>   modcall[authorize]: module "suffix" returns noop for request 0
>>   rlm_eap: EAP packet type response id 0 length 11
>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>   modcall[authorize]: module "eap" returns updated for request 0
>> radius_xlat:  'testuser'
>> rlm_sql (sql): sql_set_user escaped user --> 'testuser'
>> radius_xlat:  'SELECT id, UserName, Attribute, Value, op
>> FROM radcheck   WHERE Username = 'testuser'   ORDER BY id'
>> rlm_sql (sql): Reserving sql socket id: 4
>> radius_xlat:  'SELECT
>> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>> FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>> radius_xlat:  'SELECT id, UserName, Attribute, Value, op
>> FROM radreply   WHERE Username = 'testuser'   ORDER BY id'
>> radius_xlat:  'SELECT
>> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>> FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>> rlm_sql (sql): Released sql socket id: 4
>>   modcall[authorize]: module "sql" returns ok for request 0
>> rlm_pap: Found existing Auth-Type, not changing it.
>>   modcall[authorize]: module "pap" returns noop for request 0
>> modcall: leaving group authorize (returns updated) for request 0
>>   rad_check_password:  Found Auth-Type EAP
>> auth: type "EAP"
>>   Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 0
>>   rlm_eap: EAP Identity
>>   rlm_eap: processing type md5
>> rlm_eap_md5: Issuing Challenge
>>   modcall[authenticate]: module "eap" returns handled for request 0
>> modcall: leaving group authenticate (returns handled) for request 0
>> Sending Access-Challenge of id 0 to 192.168.0.1 port 1030
>> Framed-Protocol := PPP
>> Service-Type := Framed-User
>> Framed-MTU := 1500
>> Framed-Compression := Van-Jacobson-TCP-IP
>> EAP-Message = 0x01010016

Re: Basic usage: What do I do next to get this to work?

2007-10-30 Thread Alan DeKok
Doc. Caliban wrote:
> I hate to ask this, but I'm running out of time on this project and I'm
> completely new to RADIUS.  I would be really happy if someone could just
> point me to a detailed HOW TO for what I need.

  http://www.freeradius.org/doc/EAPTLS.pdf

  You need EAP-TLS to do PEAP.

> I have freeRADIUS set up with an external MySQL user database and it's
> successfully authorizing requests from NTRadPing. 

  Which helps, but isn't enough.  Wireless uses a LOT more technologies
than just basic RADIUS.

> So far I'm not having any luck, and I don't mind saying that I'm a
> little over my head at this point.  Someone familiar with this will
> probably see glaring problems.

  The debug output tries to be helpful.  Honest.

> Access Point:
> D-Link DWL-7100AP (Ciscos coming in January)
> WPA-EAP
> TKIP
> 
> Client Laptop:
> WPA Enterprise
> TKIP
> PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)

  So... that should be an indication that you need PEAP.

> I set up an AP to use RADIUS, and the requests get through to the RADIUS
> server, but they always fail.  Posted below is the debug output from the
> failed attempt.
...
>>  rlm_eap: EAP-NAK asked for EAP-Type/peap
>>  rlm_eap: No such EAP type peap

  You say that the clients will do PEAP, but you haven't configured PEAP
in the server.

  Alan DeKok.
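Both of the config answers in the threads above, Alan's "un-comment the uses of SQL" in the MySQL thread and Ivan's and Alan's "configure the tls and peap sections in eap.conf" in this PEAP thread, reduce to the same question: is the directive actually active, or is it still behind a `#`? The following added example (mine, not from the list or from FreeRADIUS) flattens a FreeRADIUS config file into `section/path/directive` lines with comments stripped, and builds the two checks on top of that. The sample files it writes are constructed to mimic the 2.x layout (`$INCLUDE sql.conf` inside `modules { }` in radiusd.conf, `sites-enabled/default`, `eap.conf`); their contents are illustrative, not copied from a real install, and the comment stripping is naive about `#` inside quoted strings.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS): flatten a
# FreeRADIUS config file into "section/path/directive" lines with comments
# removed, then check whether SQL and PEAP are really enabled.  The sample
# files are constructed to mimic the 2.x layout; they are illustrative only.

# effective_config FILE: print one line per active directive, prefixed by
# its enclosing sections.  A commented-out "#  sql" therefore never shows up.
effective_config() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                      # drop comments (naive about # in quotes)
        gsub(/^[ \t]+|[ \t]+$/, "", line)         # trim
        gsub(/[ \t]*=[ \t]*/, " = ", line)        # normalise "a=b" to "a = b"
        if (line == "") next
        if (line ~ /[{]$/) {                      # "name {" or "name value {" opens a section
            name = line; sub(/[ \t]*[{]$/, "", name)
            stack[++depth] = name
            next
        }
        if (line == "}") { if (depth > 0) depth--; next }
        path = ""
        for (i = 1; i <= depth; i++) path = path stack[i] "/"
        print path line
    }' "$1"
}

# has_directive FILE LINE: some active line equals LINE exactly ("authorize/sql").
# has_text FILE TEXT: TEXT occurs somewhere in an active line.
has_directive() { effective_config "$1" | awk -v p="$2" '$0 == p { f = 1 } END { exit !f }'; }
has_text()      { effective_config "$1" | awk -v p="$2" 'index($0, p) { f = 1 } END { exit !f }'; }

# sql_enabled RADIUSD_CONF SITE_FILE: rlm_sql must be loaded by radiusd.conf
# AND listed in the site's authorize section; otherwise the debug output
# contains nothing about SQL at all, which is what the thread observed.
sql_enabled() {
    has_text "$1" '$INCLUDE sql.conf' && has_directive "$2" 'authorize/sql'
}

# peap_configured EAP_CONF: PEAP is only usable when it is the default EAP
# type, the tls { } section names the server key and certificate, and the
# peap { } section names the inner method the clients will use.
peap_configured() {
    has_directive "$1" 'eap/default_eap_type = peap' &&
        has_text "$1" 'eap/tls/private_key_file' &&
        has_text "$1" 'eap/tls/certificate_file' &&
        has_text "$1" 'eap/peap/default_eap_type'
}

# write_samples DIR: constructed sample files.  The *.before files show SQL
# and PEAP commented out, as in a stock install; the *.after files are the
# same files with the comment markers removed and PEAP made the default.
write_samples() {
    cat > "$1/radiusd.conf" <<'EOF'
prefix = /usr
modules {
    $INCLUDE ${confdir}/modules/
    #  $INCLUDE eap.conf
    $INCLUDE sql.conf      # un-commented so that rlm_sql is loaded
}
EOF
    cat > "$1/default.before" <<'EOF'
authorize {
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
#    sql
    pap
}
EOF
    sed 's/^#//' "$1/default.before" > "$1/default.after"
    cat > "$1/eap.conf.before" <<'EOF'
eap {
    default_eap_type = md5
    md5 {
    }
#    tls {
#        private_key_file = ${raddbdir}/certs/server.pem
#        certificate_file = ${raddbdir}/certs/server.pem
#        CA_file = ${raddbdir}/certs/ca.pem
#    }
#    peap {
#        default_eap_type = mschapv2
#    }
}
EOF
    sed -e 's/^#//' -e 's/= md5/= peap/' "$1/eap.conf.before" > "$1/eap.conf.after"
}

# Usage: sh check_radius_conf.sh demo   (or call the functions on real files)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    sql_enabled "$d/radiusd.conf" "$d/default.after"  && echo "SQL enabled (after)"
    peap_configured "$d/eap.conf.before" || echo "PEAP not configured (before)"
    rm -rf "$d"
fi
```

On a real install point the functions at `/etc/freeradius/radiusd.conf`, `/etc/freeradius/sites-enabled/default` and `/etc/freeradius/eap.conf` (or `/etc/raddb/...`). `effective_config` on its own is also a quick way to see what the server will actually load, since the stock files are mostly comments; it is a reading aid, not a replacement for `radiusd -X`, which also reports which modules linked and whether the certificates can be read.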