Re: FreeRadius + MySql + Crypt-Password unable to authenticate
Marcel Kraan wrote:
> I'm Marcel Kraan from Holland and I have a problem with Crypt-Passwords in the MySQL table.
> FreeRADIUS is working really great with Cleartext-Password but it does not authenticate with Crypt-Password.

You can't use Crypt-Password and MS-CHAP.

http://deployingradius.com/documents/protocols/compatibility.html

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
Yes I want to use PAP (?) but where do I change that? In my WiFi router? Or in the FreeRADIUS config?

On 29 jul. 2013, at 13:52, Alan DeKok <al...@deployingradius.com> wrote:
> Marcel Kraan wrote:
>> I'm Marcel Kraan from Holland and I have a problem with Crypt-Passwords in the MySQL table.
>> FreeRADIUS is working really great with Cleartext-Password but it does not authenticate with Crypt-Password.
>
> You can't use Crypt-Password and MS-CHAP.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Alan DeKok.
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
Marcel Kraan wrote:
> Yes I want to use PAP (?) but where do I change that? In my WiFi router? Or in the FreeRADIUS config?

No. You're doing 802.1X to the WiFi router. You *cannot* use PAP.

You cannot pick an authentication protocol and demand that everyone use it. The AP, client PC, etc. have already made choices which you cannot control. You have to live within that framework.

Alan DeKok.
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
I understand very clearly.. thanks for the help

On 29 jul. 2013, at 14:07, Alan DeKok <al...@deployingradius.com> wrote:
> Marcel Kraan wrote:
>> Yes I want to use PAP (?) but where do I change that? In my WiFi router? Or in the FreeRADIUS config?
>
> No. You're doing 802.1X to the WiFi router. You *cannot* use PAP.
>
> You cannot pick an authentication protocol and demand that everyone use it. The AP, client PC, etc. have already made choices which you cannot control. You have to live within that framework.
>
> Alan DeKok.
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
By default PAP, CHAP.. are enabled in FR. You may need to change the authentication settings in your client, i.e. the WiFi router, to send a PAP-enabled Access-Request.

On Mon, Jul 29, 2013 at 5:25 PM, Marcel Kraan <mar...@kraan.net> wrote:
> Yes I want to use PAP (?) but where do I change that? In my WiFi router? Or in the FreeRADIUS config?
>
> On 29 jul. 2013, at 13:52, Alan DeKok <al...@deployingradius.com> wrote:
>> Marcel Kraan wrote:
>>> I'm Marcel Kraan from Holland and I have a problem with Crypt-Passwords in the MySQL table.
>>> FreeRADIUS is working really great with Cleartext-Password but it does not authenticate with Crypt-Password.
>>
>> You can't use Crypt-Password and MS-CHAP.
>>
>> http://deployingradius.com/documents/protocols/compatibility.html
>>
>> Alan DeKok.

--
br,
Navodit Bhardwaj
Hughes Systique Corporation
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
On 29/07/13 12:55, Marcel Kraan wrote:
> Yes I want to use PAP (?) but where do I change that? In my WiFi router? Or in the FreeRADIUS config?

On the client.
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
Thanks… I think my WiFi router does not have that option…

On 29 jul. 2013, at 14:15, Navodit Bhardwaj <navodit.bhard...@gmail.com> wrote:
> By default PAP, CHAP.. are enabled in FR. You may need to change the authentication settings in your client, i.e. the WiFi router, to send a PAP-enabled Access-Request.
>
> On Mon, Jul 29, 2013 at 5:25 PM, Marcel Kraan <mar...@kraan.net> wrote:
>> Yes I want to use PAP (?) but where do I change that? In my WiFi router? Or in the FreeRADIUS config?
>>
>> On 29 jul. 2013, at 13:52, Alan DeKok <al...@deployingradius.com> wrote:
>>> Marcel Kraan wrote:
>>>> I'm Marcel Kraan from Holland and I have a problem with Crypt-Passwords in the MySQL table.
>>>> FreeRADIUS is working really great with Cleartext-Password but it does not authenticate with Crypt-Password.
>>>
>>> You can't use Crypt-Password and MS-CHAP.
>>>
>>> http://deployingradius.com/documents/protocols/compatibility.html
>>>
>>> Alan DeKok.
>
> --
> br,
> Navodit Bhardwaj
> Hughes Systique Corporation
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
On Mon, Jul 29, 2013 at 7:39 PM, Marcel Kraan <mar...@kraan.net> wrote:
> Thanks… I think my WiFi router does not have that option…
>
> On 29 jul. 2013, at 14:15, Navodit Bhardwaj <navodit.bhard...@gmail.com> wrote:
>> By default PAP, CHAP.. are enabled in FR. You may need to change the authentication settings in your client, i.e. the WiFi router, to send a PAP-enabled Access-Request.
>>
>> On Mon, Jul 29, 2013 at 5:25 PM, Marcel Kraan <mar...@kraan.net> wrote:
>>> Yes I want to use PAP (?) but where do I change that? In my WiFi router? Or in the FreeRADIUS config?

As Phil said, you need to change it in the client.

If you have Windows 8 clients, IIRC it has built-in support for PEAP-GTC and TTLS-PAP (which is also supported by Linux, Android, Macs). In both cases the client passes the cleartext password inside an encrypted tunnel, so crypt passwords on the FR side should work fine.

If you have older Windows clients, and don't have a third-party PEAP-GTC/TTLS-PAP-capable supplicant, then you're stuck with EAP-MSCHAP, so you need to store the password as clear text or NT hash.

--
Fajar
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
Thanks. I have a genius en202 outdoor WiFi router and I don't think I can change it to use PAP. So I'm only able to use Cleartext-Password? If I'm wrong I will be very happy.

--
Marcel Kraan
+31654378837

On 29 jul. 2013, at 15:04, Fajar A. Nugraha <l...@fajar.net> wrote:
> On Mon, Jul 29, 2013 at 7:39 PM, Marcel Kraan <mar...@kraan.net> wrote:
>> Thanks… I think my WiFi router does not have that option…
>>
>> On 29 jul. 2013, at 14:15, Navodit Bhardwaj <navodit.bhard...@gmail.com> wrote:
>>> By default PAP, CHAP.. are enabled in FR. You may need to change the authentication settings in your client, i.e. the WiFi router, to send a PAP-enabled Access-Request.
>>>
>>> On Mon, Jul 29, 2013 at 5:25 PM, Marcel Kraan <mar...@kraan.net> wrote:
>>>> Yes I want to use PAP (?) but where do I change that? In my WiFi router? Or in the FreeRADIUS config?
>
> As Phil said, you need to change it in the client.
>
> If you have Windows 8 clients, IIRC it has built-in support for PEAP-GTC and TTLS-PAP (which is also supported by Linux, Android, Macs). In both cases the client passes the cleartext password inside an encrypted tunnel, so crypt passwords on the FR side should work fine.
>
> If you have older Windows clients, and don't have a third-party PEAP-GTC/TTLS-PAP-capable supplicant, then you're stuck with EAP-MSCHAP, so you need to store the password as clear text or NT hash.
>
> --
> Fajar
Re: Freeradius + MySQL + Daloradius
Erik Sellgren wrote:
> I am trying to set up wireless authentication through my MikroTik router using FreeRADIUS with MySQL and daloRADIUS. I have the server set up and working; I can use NTradtest from my PC and I get Access-Accept messages in return with my cleartext user/password (username userclear, password clear). But when I set it all up and try to access the wireless with the same credentials it is an Access-Reject. See below:
>
> # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Creating challenge hash with username: userclear
> [mschap] Told to do MS-CHAPv2 for userclear with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> Failed to authenticate the user.
>
> After reading the top of inner-tunnel I used the test they said to use:
>
> radtest USER PASSWORD 127.0.0.1:18120 0 testing123
>
> It also says to try MSCHAP. Or at least recent versions say this. When I use my user it fails; when I use the test user and pass it succeeds. So do I have my inner-tunnel set up wrong or something? I have sql uncommented in /etc/raddb/sites-available/inner-tunnel. Please let me know what info you need and I can supply it; please help me debug this issue.

You've conveniently deleted nearly all of the debug output. This isn't useful.

From what little is there, it seems you're forcing Auth-Type to MSCHAP. This is wrong. See the FAQ.

Instead (as the output shows) you need to supply a Cleartext-Password, and then let FreeRADIUS figure out which authentication method to use.

Alan DeKok.
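The mschap lines Erik quoted ("No Cleartext-Password configured. Cannot create NT-Password") and Fajar's point in the previous thread that MS-CHAP needs the password stored as clear text or NT hash describe the same constraint. The Python below is an added illustration, not code from either thread and not FreeRADIUS's own code: it shows what "creating" the NT-Password means (MD4 over the UTF-16LE encoding of the password) and why a Crypt-Password cannot feed MS-CHAPv2. MD4 is implemented inline because hashlib's md4 is frequently unavailable under OpenSSL 3. `resolve_nt_password` is a simplified model of the decision visible in the debug output (an assumption about the module's behaviour, not rlm_mschap's code), and the user records in `USERS` are constructed samples.

```python
import struct
from typing import Optional

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib.new('md4') is often
    missing (OpenSSL 3 moved it to the legacy provider)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                         # round 1: F(b, c, d)
            f = (b & c) | (~b & d)
            a = _rotl((a + f + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                         # round 2: G(b, c, d)
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                         # round 3: H(b, c, d)
            h = b ^ c ^ d
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + h + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & _MASK, (b + bb) & _MASK,
                      (c + cc) & _MASK, (d + dd) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_password(cleartext: str) -> bytes:
    """NT-Password = MD4(UTF-16LE(password)); the value MS-CHAPv2 is verified against."""
    return md4(cleartext.encode("utf-16-le"))


def resolve_nt_password(check_items: dict) -> Optional[bytes]:
    """Simplified model (an assumption, not rlm_mschap's code) of the decision in
    the debug output: use a stored NT-Password, else create one from
    Cleartext-Password, else give up. A Crypt-Password is a salted one-way hash
    of the password, so no NT-Password can be derived from it."""
    if "NT-Password" in check_items:
        hexval = check_items["NT-Password"]
        return bytes.fromhex(hexval[2:] if hexval.lower().startswith("0x") else hexval)
    if "Cleartext-Password" in check_items:
        return nt_password(check_items["Cleartext-Password"])
    return None


def mschapv2_possible(check_items: dict) -> bool:
    """True when the stored check items can satisfy an MS-CHAPv2 request."""
    return resolve_nt_password(check_items) is not None


# Constructed sample radcheck rows (attribute -> value) for three users.
USERS = {
    "userclear": {"Cleartext-Password": "clear"},
    "nthash": {"NT-Password": "0x8846f7eaee8fb117ad06bdd830b7586c"},  # NT hash of "password"
    "crypted": {"Crypt-Password": "$6$saltsalt$PLACEHOLDER"},          # constructed placeholder
}

if __name__ == "__main__":
    for name, items in USERS.items():
        nt = resolve_nt_password(items)
        print(f"{name:10s} MS-CHAPv2 possible: {nt is not None}"
              + (f"  NT-Password=0x{nt.hex()}" if nt else ""))
```

Run stand-alone it prints one line per constructed user; only the Crypt-Password user comes out as not usable for MS-CHAPv2, which is the situation both threads describe. A PAP or TTLS-PAP request, by contrast, delivers the cleartext password to the server, where it can be checked against a crypt hash directly.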
Re: FreeRADIUS + Mysql + xl2tpd and pptpd
Here are links to logs on a pastebin service:

freeradius_debug_log (freeradius -X): http://dpaste.com/831692/
xl2tpd_debug_log (xl2tpd -D): http://dpaste.com/831693/
/etc/xl2tpd/xl2tpd.conf: http://dpaste.com/831695/
/etc/ppp/options.xl2tpd: http://dpaste.com/831696/

Guys, I just need another pair of eyes to look at the config files.. Strange that IPsec auth with the same FreeRADIUS server works without any problems, while xl2tpd doesn't.

On 15.11.2012 12:52, Dmitry Korzhevin wrote:
> Hello,
>
> Can anyone please share working configs for freeradius + xl2tpd or pptpd?
>
> The RADIUS server is already configured, and works with a MySQL backend + strongSwan IPsec (direct connection). But I tried several pptpd / xl2tpd configurations, and suddenly they don't work.. I even tried the configuration from the wiki: http://wiki.freeradius.org/config/PopTop and it is not working.
>
> I use Debian 6.0.6 x86_64, freeradius 2.1.10+dfsg-2+squeeze1, xl2tpd 1.2.7+dfsg-1, pptpd 1.3.4-3
>
> Best Regards,
> Dmitry
>
> ---
> Dmitry KORZHEVIN
> System Administrator
> STIDIA S.A. - Luxembourg
> e: dmitry.korzhe...@stidia.com
> m: +38 093 874 5453
> w: http://www.stidia.com

Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg
e: dmitry.korzhe...@stidia.com
m: +38 093 874 5453
w: http://www.stidia.com
Re: FreeRADIUS + Mysql + xl2tpd and pptpd
Can't help much, as I didn't set up our system, but have you tried

  require authentication = no

in xl2tpd.conf? You've got auth in IPsec (one assumes), and also in PPP (CHAP; we use MSCHAPv2 for Windows compatibility), so my understanding is you don't need it in L2TP as well, which goes inside IPsec. Just make sure you have an iptables rule to block direct access to L2TP, and force it through IPsec.

But really, this isn't a FreeRADIUS question...

Matthew

On Thu, Nov 15, 2012 at 09:33:28PM +0200, Dmitry Korzhevin wrote:
> Here are links to logs on a pastebin service:
>
> freeradius_debug_log (freeradius -X): http://dpaste.com/831692/
> xl2tpd_debug_log (xl2tpd -D): http://dpaste.com/831693/
> /etc/xl2tpd/xl2tpd.conf: http://dpaste.com/831695/
> /etc/ppp/options.xl2tpd: http://dpaste.com/831696/
>
> Guys, I just need another pair of eyes to look at the config files.. Strange that IPsec auth with the same FreeRADIUS server works without any problems, while xl2tpd doesn't.
>
> On 15.11.2012 12:52, Dmitry Korzhevin wrote:
>> Hello,
>>
>> Can anyone please share working configs for freeradius + xl2tpd or pptpd?
>>
>> The RADIUS server is already configured, and works with a MySQL backend + strongSwan IPsec (direct connection). But I tried several pptpd / xl2tpd configurations, and suddenly they don't work.. I even tried the configuration from the wiki: http://wiki.freeradius.org/config/PopTop and it is not working.
>>
>> I use Debian 6.0.6 x86_64, freeradius 2.1.10+dfsg-2+squeeze1, xl2tpd 1.2.7+dfsg-1, pptpd 1.3.4-3
>>
>> Best Regards,
>> Dmitry
>>
>> ---
>> Dmitry KORZHEVIN
>> System Administrator
>> STIDIA S.A. - Luxembourg
>> e: dmitry.korzhe...@stidia.com
>> m: +38 093 874 5453
>> w: http://www.stidia.com
>
> Best Regards,
> Dmitry
>
> ---
> Dmitry KORZHEVIN
> System Administrator
> STIDIA S.A. - Luxembourg
> e: dmitry.korzhe...@stidia.com
> m: +38 093 874 5453
> w: http://www.stidia.com

--
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
Re: FreeRADIUS + MySQL + DHCP Opt82
Fajar A. Nugraha-2 wrote:
> ... and then on the authorize section add something like this (just for check)
>
> if ((request:User-Name == "00:12:23:56:78:9A") && (control:Agent-Circuit-ID != "%{request:Agent-Circuit-ID}")) {
>     update control {
>         Auth-Type := Reject
>     }
> }
>
> then use debug mode again. It should print out what it recognizes as control:Agent-Circuit-ID (which is from the db) and request:Agent-Circuit-ID. Then you just need to edit the entry on the db to match what's on the request.

The construction shown above doesn't help me, because there was no output of control:Agent-Circuit-ID and request:Agent-Circuit-ID. But I used another construction:

if (request:User-Name == "00:12:23:56:78:9A") {
    update control {
        Auth-Type := Reject
    }
    update reply {
        Context-Name := "%{control:Agent-Circuit-ID} %{request:Agent-Circuit-ID}"
    }
}

so in the Access-Reject I can see both the request and the control attribute in the Context-Name attribute.

And I have bad news. I got the following:

Context-Name = 0x 0x000403fc0017

The request attribute is OK, but the control attribute is a zero-length string. I think this is because the first byte in the string is 0, and RADIUS treats this as end-of-string. I tested this - I tried to return an attribute with only printable chars, and got it in Context-Name exactly as it is stored in the DB.

So I urgently need help - how can I store the needed value so that it is adequately accepted by RADIUS?
Re: FreeRADIUS + MySQL + DHCP Opt82
Alan DeKok-2 wrote:
> IVB wrote:
>> But I don't see in debug output what exactly was returned in SQL query.
>
> Have you tried running the SQL queries from an SQL client on the command line?
>
> That's why they're printed out in debugging mode: so you can see them, and re-run them yourself.
>
> Alan DeKok.

Yes, I run the queries by hand and see the results as strings; non-printable chars are not printed, but the attribute itself has non-zero length.
Re: FreeRADIUS + MySQL + DHCP Opt82
IVB wrote:
> Yes, I run the queries by hand and see the results as strings; non-printable chars are not printed, but the attribute itself has non-zero length.

You can't put binary data into an ASCII string field.

Alan DeKok.
Re: FreeRADIUS + MySQL + DHCP Opt82
Alan DeKok-2 wrote:
> You can't put binary data into an ASCII string field.

But that was my question!

FreeRADIUS offers the following schema for the radcheck table:

CREATE TABLE radcheck (
  id int(11) unsigned NOT NULL auto_increment,
  username varchar(64) NOT NULL default '',
  attribute varchar(64) NOT NULL default '',
  op char(2) NOT NULL DEFAULT '==',
  value varchar(253) NOT NULL default '',
  PRIMARY KEY (id),
  KEY username (username(32))
);

So it expects the attribute value as varchar.

The question is: how can I put Opt82 attributes (which contain non-printable bytes) into the database to offer them later to FreeRADIUS using a SELECT statement?

INSERT INTO `radcheck` (`UserName`, `Attribute`, `Value`, `op`) VALUES
  ('00:12:23:56:78:9A', 'Cleartext-Password', 'Redback', ':='),
  ('00:12:23:56:78:9A', 'Agent-Circuit-ID', ?, '=='),
  ('00:12:23:56:78:9A', 'Agent-Remote-ID', ?, '==');

What must I put in place of ? to be correctly accepted by RADIUS in the following SELECT:

SELECT `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radcheck` WHERE `UserName` = '00:12:23:56:78:9A'
Re: FreeRADIUS + MySQL + DHCP Opt82
IVB wrote:
> But that was my question!
> ...
> How can I put Opt82 attributes (which contain non-printable bytes) into the database to offer them later to FreeRADIUS using a SELECT statement?

You don't. The database is intended for ASCII data.

You could also edit the dictionaries to make the data octets, which would take care of the problem.

Alan DeKok.
Re: FreeRADIUS + MySQL + DHCP Opt82
Hello Alan,

Monday, April 2, 2012, 1:59:03 PM, you wrote:

AD> IVB wrote:
AD>> But that was my question!
AD>> ...
AD>> How can I put Opt82 attributes (which contain non-printable bytes) into the database to offer them later to FreeRADIUS using a SELECT statement?

AD> You don't.

Are you kidding?

AD> The database is intended for ASCII data.

Are you kidding again? The database is intended for data of any type. Do you mean that FreeRADIUS can't accept non-ASCII data from the database?

AD> You could also edit the dictionaries to make the data octets, which
AD> would take care of the problem.

The dictionaries contain the right attribute definitions:

ATTRIBUTE Agent-Remote-Id 96 octets
ATTRIBUTE Agent-Circuit-Id 97 octets

--
Best regards,
Igor mailto:i...@is.ua
Re: FreeRADIUS + MySQL + DHCP Opt82
Igor Belikov wrote:
> AD> You don't.
>
> Are you kidding?

If you insist on going down that path, you'll be unsubscribed and banned. I'm tired of people who can't read the documentation, and who use that ignorance to put me down.

> Do you mean that FreeRADIUS can't accept non-ASCII data from the database?

It means that FreeRADIUS expects ASCII data from the database. The attribute names and values are all *printable*.

> AD> You could also edit the dictionaries to make the data octets, which
> AD> would take care of the problem.
>
> The dictionaries contain the right attribute definitions:
>
> ATTRIBUTE Agent-Remote-Id 96 octets
> ATTRIBUTE Agent-Circuit-Id 97 octets

Then you need to read the documentation to see how to represent data type octets in the DB and config files.

HINT: Look at the debug output. What does it print for data type octets?

Alan DeKok.
Re: FreeRADIUS + MySQL + DHCP Opt82
Hello Alan,

Monday, April 2, 2012, 2:53:15 PM, you wrote:

AD2vF> Igor Belikov wrote:
AD2vF>> AD> You don't.
AD2vF>>
AD2vF>> Are you kidding?

AD2vF> If you insist on going down that path, you'll be unsubscribed and
AD2vF> banned. I'm tired of people who can't read the documentation, and who
AD2vF> use that ignorance to put me down.

Please excuse me.

AD2vF>> Do you mean that FreeRADIUS can't accept non-ASCII data from the database?

AD2vF> It means that FreeRADIUS expects ASCII data from the database. The
AD2vF> attribute names and values are all *printable*.

AD2vF>> AD> You could also edit the dictionaries to make the data octets, which
AD2vF>> AD> would take care of the problem.
AD2vF>>
AD2vF>> The dictionaries contain the right attribute definitions:
AD2vF>>
AD2vF>> ATTRIBUTE Agent-Remote-Id 96 octets
AD2vF>> ATTRIBUTE Agent-Circuit-Id 97 octets

AD2vF> Then you need to read the documentation to see how to represent data
AD2vF> type octets in the DB and config files.

Yes, I will be very happy to read how to represent 'octets' data in the DB. And I have asked about this several times. I don't find this info in the documentation, sorry. Please give me a link to the right place.

--
Best regards,
Igor mailto:i...@is.ua
Re: FreeRADIUS + MySQL + DHCP Opt82
IVB wrote:
> Hello Alan,
>
> Yes, I will be very happy to read how to represent 'octets' data in the DB. And I have asked about this several times. I don't find this info in the documentation, sorry. Please give me a link to the right place.

I gave you a hint, and you deleted it.

Good luck.

Alan DeKok.
Re: FreeRADIUS + MySQL + DHCP Opt82
This is incorrect:

IVB wrote:
> INSERT INTO `radcheck` (`UserName`, `Attribute`, `Value`, `op`) VALUES
>   ('00:12:23:56:78:9A', 'Cleartext-Password', 'Redback', ':='),
>   ('00:12:23:56:78:9A', 'Agent-Circuit-ID', x'000403fc0001', '=='),
>   ('00:12:23:56:78:9A', 'Agent-Remote-ID', x'0006001e58ab0304', '==');

This is correct:

INSERT INTO `radcheck` (`UserName`, `Attribute`, `Value`, `op`) VALUES
  ('00:12:23:56:78:9A', 'Cleartext-Password', 'Redback', ':='),
  ('00:12:23:56:78:9A', 'Agent-Circuit-ID', '0x000403fc0001', '=='),
  ('00:12:23:56:78:9A', 'Agent-Remote-ID', '0x0006001e58ab0304', '==');

Thanks to all for help.
Re: FreeRADIUS + MySQL + DHCP Opt82
IVB wrote:
> But I don't see in debug output what exactly was returned in SQL query.

Have you tried running the SQL queries from an SQL client on the command line?

That's why they're printed out in debugging mode: so you can see them, and re-run them yourself.

Alan DeKok.
Re: FreeRADIUS + MySQL + DHCP Opt82
On Fri, Mar 30, 2012 at 4:29 PM, IVB <i...@is.ua> wrote:
> I need help.
>
> Software: FreeRADIUS v2.1.11, MySQL v5.1.61.
> Hardware: RB SE100 under SEOS-6.4.1.4-Release
>
> BRAS sends Opt-82 related attributes in the following format:

What format?

> Attributes Agent-* are described in the RADIUS dictionary as 'octets'.
> Attributes ADSL-Agent-* are described in the RADIUS dictionary as 'string'.

AFAIK those are not DHCP dictionary. They're part of the normal radius dictionary. So you just treat them like any other attribute.

> I tried to store the needed data in the MySQL database from which RADIUS gets 'check' attributes:
> for RADIUS to select those attributes to authenticate. But I got a 'Login incorrect' message in the RADIUS log. If I remove both Agent-* attributes from the DB (that means that I don't validate Opt-82 parameters) I get 'Login OK'.
>
> I think that I use the wrong format for Agent-* attributes, but I tried some different variants without success.
>
> I tried to use ADSL-Agent-* instead of Agent-* in the DB, but I receive 'Login OK' with _any_ attribute values - match and mismatch.
>
> So I need help. Very much.

You need to know what the NAS (i.e. BRAS) sends. An easy way to get that is to run FR in debug mode (-X) while the NAS is sending an authentication packet. Then compare to what you have on radcheck. Note the operators (you probably need ==).

Then you need to find out what's going on. Again, debug mode would be the best way.

--
Fajar
Re: FreeRADIUS + MySQL + DHCP Opt82
Fajar A. Nugraha-2 wrote:
> On Fri, Mar 30, 2012 at 4:29 PM, IVB <i...@is.ua> wrote:
>> I need help.
>>
>> Software: FreeRADIUS v2.1.11, MySQL v5.1.61.
>> Hardware: RB SE100 under SEOS-6.4.1.4-Release
>>
>> BRAS sends Opt-82 related attributes in the following format:
>
> What format?

Agent-Remote-Id = 0x0006001e58ab0304
ADSL-Agent-Remote-Id = \000\006\000\036X\253\003\004
Agent-Circuit-Id = 0x000403fc0001
ADSL-Agent-Circuit-Id = \000\004\003\374\000\001

>> Attributes Agent-* are described in the RADIUS dictionary as 'octets'.
>> Attributes ADSL-Agent-* are described in the RADIUS dictionary as 'string'.
>
> AFAIK those are not DHCP dictionary. They're part of the normal radius dictionary. So you just treat them like any other attribute.
>
>> I tried to store the needed data in the MySQL database from which RADIUS gets 'check' attributes:

INSERT INTO `radcheck` (`UserName`, `Attribute`, `Value`, `op`) VALUES
  ('00:12:23:56:78:9A', 'Cleartext-Password', 'Redback', ':='),
  ('00:12:23:56:78:9A', 'Agent-Circuit-ID', x'000403fc0001', '=='),
  ('00:12:23:56:78:9A', 'Agent-Remote-ID', x'0006001e58ab0304', '==');

(the most important part of the message disappeared from my post)

>> for RADIUS to select those attributes to authenticate. But I got a 'Login incorrect' message in the RADIUS log. If I remove both Agent-* attributes from the DB (that means that I don't validate Opt-82 parameters) I get 'Login OK'.
>>
>> I think that I use the wrong format for Agent-* attributes, but I tried some different variants without success.
>>
>> I tried to use ADSL-Agent-* instead of Agent-* in the DB, but I receive 'Login OK' with _any_ attribute values - match and mismatch.
>>
>> So I need help. Very much.
>
> You need to know what the NAS (i.e. BRAS) sends. An easy way to get that is to run FR in debug mode (-X) while the NAS is sending an authentication packet.

Yes, I know about debug mode, but the BRAS and RADIUS are in project mode (using PPPoE authorisation now). DHCP testing uses the same context and the same RADIUS server. To run a different RADIUS in debug mode I need to configure a different context...

> Then compare to what you have on radcheck. Note the operators (you probably need ==).
>
> Then you need to find out what's going on. Again, debug mode would be the best way.
>
> --
> Fajar
Re: FreeRADIUS + MySQL + DHCP Opt82
Debug mode doesn't help me at all.

When I try to connect without Agent-* attributes in the DB, I see in the debug output 'User found in radcheck table' after performing the check SQL. And finally I log in successfully.

When I try to connect with Agent-* attributes in the DB, I don't see the message 'User found in radcheck table' after the check SQL, and the reply SQL is not executed. And finally I don't log in.

But I don't see in the debug output what exactly was returned by the SQL query.
Re: FreeRADIUS + MySQL + DHCP Opt82
On Fri, Mar 30, 2012 at 6:12 PM, IVB <i...@is.ua> wrote:
> Agent-Circuit-Id = 0x000403fc0001

Let's start with that one.

> ('00:12:23:56:78:9A', 'Agent-Circuit-ID', x'000403fc0001', '=='),

Does that work? Shouldn't it be something like

('00:12:23:56:78:9A', 'Agent-Circuit-ID', 0x000403fc0001, '=='),

?

Another alternative is to insert something like this (note the operator)

('00:12:23:56:78:9A', 'Agent-Circuit-ID', 0x000403fc0001, ':='),

... and then on the authorize section add something like this (just for check)

if ((request:User-Name == "00:12:23:56:78:9A") && (control:Agent-Circuit-ID != "%{request:Agent-Circuit-ID}")) {
    update control {
        Auth-Type := Reject
    }
}

then use debug mode again. It should print out what it recognizes as control:Agent-Circuit-ID (which is from the db) and request:Agent-Circuit-ID. Then you just need to edit the entry on the db to match what's on the request.

--
Fajar
Re: FreeRADIUS + MySQL + DHCP Opt82
Fajar A. Nugraha-2 wrote:
> On Fri, Mar 30, 2012 at 6:12 PM, IVB <i...@is.ua> wrote:
>> Agent-Circuit-Id = 0x000403fc0001
>
> Let's start with that one.
>
>> ('00:12:23:56:78:9A', 'Agent-Circuit-ID', x'000403fc0001', '=='),
>
> Does that work?

No. And this is the problem.

Fajar A. Nugraha-2 wrote:
> Shouldn't it be something like
>
> ('00:12:23:56:78:9A', 'Agent-Circuit-ID', 0x000403fc0001, '=='),
>
> ?

0x000403fc0001 and x'000403fc0001' are synonyms (as written in the MySQL documentation). But I checked both variants - without success.

Fajar A. Nugraha-2 wrote:
> Another alternative is to insert something like this (note the operator)
>
> ('00:12:23:56:78:9A', 'Agent-Circuit-ID', 0x000403fc0001, ':='),
>
> ... and then on the authorize section add something like this (just for check)
>
> if ((request:User-Name == "00:12:23:56:78:9A") && (control:Agent-Circuit-ID != "%{request:Agent-Circuit-ID}")) {
>     update control {
>         Auth-Type := Reject
>     }
> }
>
> then use debug mode again. It should print out what it recognizes as control:Agent-Circuit-ID (which is from the db) and request:Agent-Circuit-ID. Then you just need to edit the entry on the db to match what's on the request.

OK, I'll try this and write the results.
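The Opt82 thread turns on three representations of the same bytes: the `0x...` form in which the debug output prints an `octets` attribute, the octal-escaped form in which it prints the `string` variant (both taken from Igor's message with the BRAS output), and the `'0x...'` text that finally worked as `radcheck.value` in his follow-up. The Python below is an added example, not code from the thread or from FreeRADIUS: it decodes both printed forms to raw bytes, produces the `radcheck` row text from them, and shows with `as_c_string` why a value whose first byte is 0x00 comes back empty when it is handled as a C string, which is the zero-length `control:Agent-Circuit-ID` Igor observed. The parsing rules (three octal digits after a backslash, `\\` for a literal backslash, everything else ASCII) are assumptions about the printed format, and the helper names are my own.

```python
from typing import Tuple

# The four attribute lines as printed in Igor's debug output (copied from the
# thread; the Python string doubles each backslash).
DEBUG_LINES = [
    "Agent-Remote-Id = 0x0006001e58ab0304",
    "ADSL-Agent-Remote-Id = \\000\\006\\000\\036X\\253\\003\\004",
    "Agent-Circuit-Id = 0x000403fc0001",
    "ADSL-Agent-Circuit-Id = \\000\\004\\003\\374\\000\\001",
]


def parse_hex_octets(value: str) -> bytes:
    """Decode the 0x... form used for 'octets' attributes."""
    if not value.lower().startswith("0x") or len(value) % 2:
        raise ValueError(f"not a 0x-hex octet string: {value!r}")
    return bytes.fromhex(value[2:])


def parse_escaped_string(value: str) -> bytes:
    """Decode the \\ooo octal escapes used when a 'string' attribute holds
    non-printable bytes (assumed format: 3 octal digits per escape, '\\\\' for a
    literal backslash, all other characters plain ASCII)."""
    out = bytearray()
    i = 0
    while i < len(value):
        if (value[i] == "\\" and i + 4 <= len(value)
                and all(c in "01234567" for c in value[i + 1:i + 4])):
            out.append(int(value[i + 1:i + 4], 8))
            i += 4
        elif value[i] == "\\" and i + 1 < len(value) and value[i + 1] == "\\":
            out.append(0x5C)
            i += 2
        else:
            out.append(ord(value[i]))
            i += 1
    return bytes(out)


def parse_debug_line(line: str) -> Tuple[str, bytes]:
    """Split 'Attr = value' and decode the value in whichever printed form it uses."""
    name, _, value = line.partition(" = ")
    value = value.strip()
    raw = parse_hex_octets(value) if value.lower().startswith("0x") else parse_escaped_string(value)
    return name.strip(), raw


def radcheck_value(raw: bytes) -> str:
    """Text for radcheck.value of an 'octets' attribute: the thread's resolution,
    the literal characters '0x' plus hex, stored as an ordinary varchar."""
    return "0x" + raw.hex()


def radcheck_row(username: str, attribute: str, raw: bytes, op: str = "==") -> Tuple[str, str, str, str]:
    """Parameter tuple for INSERT INTO radcheck (username, attribute, value, op)."""
    return (username, attribute, radcheck_value(raw), op)


def as_c_string(raw: bytes) -> bytes:
    """What a NUL-terminated string API sees of raw bytes: everything up to the
    first 0x00. For these Opt82 values that is nothing at all."""
    return raw.split(b"\x00", 1)[0]


if __name__ == "__main__":
    for line in DEBUG_LINES:
        name, raw = parse_debug_line(line)
        print(f"{name:22s} raw={raw.hex()}  radcheck.value={radcheck_value(raw)!r}"
              f"  as C string={as_c_string(raw)!r}")
```

Run stand-alone, the `octets` and `string` lines for the same attribute decode to identical bytes, each yields the `'0x...'` text that worked in the corrected INSERT, and every one truncates to an empty C string because of the leading 0x00. Storing the hex text rather than the raw bytes keeps the column printable, which is what Alan's "the database is intended for ASCII data" amounts to in practice.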
Re: Freeradius Mysql Performance
On Sat, Jan 28, 2012 at 3:03 PM, Alan Buxey <a.l.m.bu...@lboro.ac.uk> wrote:
> What?? You dont need that kind of hardware for the job, sure. Throwing that kind of horsepower might fix the speed but this is a DBA question. Look at your mysql configuration and see how it can be adjusted (my.cnf), look at the engine in use and see if you can use better..(eg innodb instead of myisam), look at an alternative SQL eg postgres. Look at your usage of sql with freeradius, eg the radius tables. What indexes are present, what do you need, what do you not need? Can you divide the work? Use one server for one table or task and the other another...eg simple queries can be done against a passive slave server...
>
> alan

Hi,

Sorry to pick into this with a short question. Just wondering, do you see a performance increase using postgres instead of mysql? I would rather think the opposite, but must admit that I'm no db expert and have not much experience with postgres.

Kind regards,
Yves
Re: Freeradius Mysql Performance
YvesDM wrote:
> Just wondering, do you see a performance increase using postgres instead of mysql?

Yes. MySQL can be higher performance than older versions of PostgreSQL, if you don't do database writes. Newer versions of Postgres have similar performance to MySQL, with the benefit of allowing writes.

i.e. the MyISAM driver is fast but unsafe. InnoDB is slower but safe. Postgres has the best of both.

> I would rather think the opposite, but must admit that I'm no db expert and have not much experience with postgres.

The main reason to use MySQL is familiarity. That, and MySQL cluster. For most normal systems, PostgreSQL is a better choice.

Alan DeKok.
Re: Freeradius Mysql Performance
On Sun, Jan 29, 2012 at 11:36 AM, Alan DeKok al...@deployingradius.com wrote:
> YvesDM wrote:
>> Just wondering, do you see a performance increase using postgres instead of mysql?
> Yes. MySQL can be higher performance than older versions of PostgreSQL, if you don't do database writes. Newer versions of Postgres have similar performance to MySQL, with the benefit of allowing writes. i.e. the MyISAM driver is fast but unsafe. InnoDB is slower but safe. Postgres has the best of both.
>> I would rather think the opposite, but must admit that I'm no db expert and have not much experience with postgres.
> The main reason to use MySQL is familiarity. That, and MySQL Cluster. For most normal systems, PostgreSQL is a better choice.
> Alan DeKok.

Ok Alan, I will not immediately change the whole thing (indeed familiarity, and we have no issues with our tuned mysql so far), but I will surely keep this post in mind. Thanks for clearing that up.

Yves
Re: Freeradius Mysql Performance
Hi,

> Sorry to jump into this with a short question. Just wondering, do you see a performance increase using postgres instead of mysql?

yes. I am a PostgreSQL convert. though, that said - out of the box you get slightly better and safer performance - but you'll still have to configure things (eg indexes) properly... and update your skillset, as postgres does some things differently.

alan
Re: Freeradius Mysql Performance
On 01/28/2012 09:57 AM, Morteza Milani wrote:
> Hi,
> Our company is using freeradius as a VPN authentication/authorization system. In the worst case, say we would have 1 million users. Besides scaling our market, we are going to develop an application to analyze users with data mining algorithms. Currently we use a server with the following features:
> * RAM: 4 GB
> * Processor: 1x E8400 3.0 GHz
> For some queries it takes 15 seconds or more to get an answer from mysql, especially when queries work with the radacct table. Any suggestion to improve performance?

This isn't really a FreeRADIUS question. It's an SQL question, and you want a trained DBA to inspect the DB.

Most likely you've got too many indices, or too many rows in the table.
Re: Freeradius Mysql Performance
Dear,

I had the same problem the first time I used freeradius. First of all, you need to tune your mysql (my.cnf) with the right optimization; you can enable slow query logging in order to check whether it is a mysql or a freeradius problem. When your mysql works fine, you can tune freeradius, like increasing the sql connections and other params; in the archive of the ML you can find more information.

Kind regards

On Sat, 2012-01-28 at 13:27 +0330, Morteza Milani wrote:
> Hi,
> Our company is using freeradius as a VPN authentication/authorization system. In the worst case, say we would have 1 million users. Besides scaling our market, we are going to develop an application to analyze users with data mining algorithms. Currently we use a server with the following features:
> * RAM: 4 GB
> * Processor: 1x E8400 3.0 GHz
> For some queries it takes 15 seconds or more to get an answer from mysql, especially when queries work with the radacct table. Any suggestion to improve performance?
> Regards,
> Morteza Milani

--
Giuseppe Marocchio
Tel: (+39) 045.5116192
Fax: (+39) 045.597
skype: giuseppe.marocchio
Re: Freeradius Mysql Performance
On Sat, Jan 28, 2012 at 6:10 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 01/28/2012 09:57 AM, Morteza Milani wrote:
>> Hi,
>> Our company is using freeradius as a VPN authentication/authorization system. In the worst case, say we would have 1 million users. Besides scaling our market, we are going to develop an application to analyze users with data mining algorithms. Currently we use a server with the following features:
>> * RAM: 4 GB
>> * Processor: 1x E8400 3.0 GHz
>> For some queries it takes 15 seconds or more to get an answer from mysql, especially when queries work with the radacct table.

Duh :P

If you use interim updates, or you use radacct heavily (e.g. using a simultaneous-use limit), or have a high number of users online at the same time (e.g. most of the 1 million users), then you're seriously underpowered. For starters, as a (very, very rough) estimate, think something in the range of 2 servers, each with 2 x 4 cores, 256 GB RAM, and 16 HDDs. And that doesn't include redundancy. Remember though, it's a very rough estimate. It can be overkill, or still seriously underpowered, depending on your implementation details.

>> Any suggestion to improve performance?
> This isn't really a FreeRADIUS question. It's an SQL question, and you want a trained DBA to inspect the DB.

+1

Having someone who understands how FR works, plus a competent sysadmin, also helps.

> Most likely you've got too many indices, or too many rows in the table.

... and you need to do your homework, and calculate sizing requirements correctly.

--
Fajar
Re: Freeradius Mysql Performance
What?? You don't need that kind of hardware for the job, sure. Throwing that kind of horsepower might fix the speed, but this is a DBA question. Look at your mysql configuration and see how it can be adjusted (my.cnf); look at the engine in use and see if you can use a better one (eg innodb instead of myisam); look at an alternative SQL, eg postgres. Look at your usage of sql with freeradius, eg the radius tables. What indexes are present, what do you need, what do you not need? Can you divide the work? Use one server for one table or task and the other for another... eg simple queries can be done against a passive slave server...

alan
Re: Freeradius Mysql Performance
1 mil of users and one server... ??? Good luck...

On 1/28/2012 10:57 AM, Morteza Milani wrote:
> Hi,
> Currently we use a server with the following features:
> * RAM: 4 GB
> * Processor: 1x E8400 3.0 GHz
Re: Freeradius Mysql Performance
It's do-able. Though I would be worried about failover and resiliency.

alan
Re: Freeradius + Mysql + PEAP Authentication
Hi,

> I have configured a freeradius + mysql server and I would like to use PEAP authentication. I have tried EAP-TTLS and it worked fine, but when I tested PEAP authentication all my requests were rejected

how are you testing this? what client are you using? your default eap type is TTLS, so if you send the server a PEAP request, the server will NAK it and ask for PEAP - the client needs to deal with this; windows etc can..

alan
Re: Freeradius + Mysql + PEAP Authentication
Sorry, I was wrong. I have sent the eap.conf for my eap-ttls authentication. But in fact, I thought that I just needed to change the default_eap_type to peap and that's all. I have configured an Access Point to use radius authentication and I have tested eap-ttls on my linux machine (debian squeeze) and on a windows xp machine, and it worked. Then when I changed the authentication to use peap, I got the problem. I launched the server in debug mode (freeradius -X) and all that I can see is that all my requests are rejected.

On 24/01/2012 15:53, Alan Buxey wrote:
> Hi,
>> I have configured a freeradius + mysql server and I would like to use PEAP authentication. I have tried EAP-TTLS and it worked fine, but when I tested PEAP authentication all my requests were rejected
> how are you testing this? what client are you using? your default eap type is TTLS, so if you send the server a PEAP request, the server will NAK it and ask for PEAP - the client needs to deal with this; windows etc can..
> alan
Re: Freeradius + Mysql + PEAP Authentication
Hi,

> when I changed the authentication to use peap, I got the problem. I launched the server in debug mode (freeradius -X) and all that I can see is that all my requests are rejected.

i'm sorry, I've lost my ability to read minds. It would actually be quite handy if you, for example, included the output of 'radiusd -X' when this error occurs.

alan
Re: Freeradius + MySQL + WiFi PEAP authorisation only to a group of users
I found the solution some time ago. This might be helpful for beginners like me.

The PEAP authentication is done using the sites-enabled/inner-tunnel virtual server configuration by default. So in sites-enabled/inner-tunnel, in the authorize section, add these:

    sql
    if (SQL-Group == wifi) {
        # ok to login
    } else {
        reject
    }

My original goal was to distinguish between wifi users and openvpn users. Openvpn users get authenticated using the radiusplugin with username and password. I use the radius server just for wifi and openvpn, so I just need the sites-enabled/default config:

    sql
    if (NAS-Identifier == OpenVpn) {
        # NAS-Identifier is set in radiusplugin.cnf
        if (SQL-Group == openvpn) {
        } else {
            reject
        }
    }

And one last note - PEAP is using MSCHAPv2 and so the passwords must be stored in cleartext (or nthash)! I use DialupAdmin for administration - very nice and easy.

Hopefully this will help somebody who was lost like me.
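The last note in the post above (PEAP's inner MS-CHAPv2 needs the cleartext password or the NT hash in radcheck) is the point most people hit when moving from a users file to MySQL: MS-CHAPv2 computes its challenge response from the NT hash itself, so a one-way crypt(3) digest can never satisfy it, but an NT hash can. As an added illustration, not code from the post or from the FreeRADIUS project, the Python script below computes the NT hash the way MS-CHAPv2 needs it (MD4 over the UTF-16LE encoding of the password) and builds the radcheck row. MD4 is implemented inline because hashlib.new("md4") is missing on many OpenSSL 3 builds. The username and password are made-up sample values, and the assumption that FreeRADIUS accepts NT-Password as 32 hex characters (which is how rlm_pap normalizes the attribute) is mine, not the post's.

```python
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, implemented here because hashlib.new("md4") is
    unavailable on many OpenSSL 3 builds. Only used for NT hashes."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)  # length in bits, little-endian

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1: message words in order
            t = (a + f(b, c, d) + x[i]) & MASK
            a, b, c, d = d, _rol(t, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            t = (a + g(b, c, d) + x[k] + 0x5A827999) & MASK
            a, b, c, d = d, _rol(t, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: words 0,8,4,12,2,10,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            t = (a + hh(b, c, d) + x[k] + 0x6ED9EBA1) & MASK
            a, b, c, d = d, _rol(t, (3, 9, 11, 15)[i % 4]), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_password(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE encoding of the password. MS-CHAPv2
    derives its challenge response from this value, which is why a one-way
    crypt(3) digest in radcheck can never satisfy PEAP/MS-CHAPv2."""
    return md4(password.encode("utf-16-le"))


def radcheck_row(username: str, password: str):
    """radcheck row (username, attribute, op, value). Assumption: FreeRADIUS
    accepts NT-Password as 32 hex characters, which is how rlm_pap normalizes it."""
    return (username, "NT-Password", ":=", nt_password(password).hex().upper())


if __name__ == "__main__":
    # constructed sample account; not a real user
    user, pwd = "wifi-user", "correct horse battery staple"
    print("INSERT INTO radcheck (username, attribute, op, value) VALUES (%r, %r, %r, %r);"
          % radcheck_row(user, pwd))
```

Storing NT-Password instead of Cleartext-Password avoids keeping the literal password in the table, but note the NT hash is unsalted MD4 and is itself a password-equivalent for MS-CHAPv2, so the radcheck table still has to be protected as if it held cleartext.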
Re: Freeradius mysql acct copy
Hi,

Is this configuration correct? Nowadays, could I use this to copy acct to a remote server?

Thanks.
Re: FreeRadius + MySQL | radacct: Errors and Warnings
On Thu, Oct 27, 2011 at 8:19 PM, Daniel Menezes lis...@dmnzs.com.br wrote:
> Fajar, I had radutmp and SQL commented out in account {}. I don't know why, a possible mistake. After marking radutmp and restarting freeradius I don't see new errors in the log.

So you mean radutmp was the root cause of your problem? That's good, in a way. It means you've got more room to breathe (and possibly do more improvements) before your db's high load really slows down your system :)

> In the NAS (MikroTik) statistics there are sometimes a few resends and timeouts; is that normal?

What does the FR log say? Does it say it receives duplicate or conflicting packets? If yes, then the db is still slow. You still need to fix it. If not, then the problem might be somewhere else (e.g. a congested network causing dropped packets)

--
Fajar
Re: FreeRadius + MySQL | radacct: Errors and Warnings
On Wed, Oct 26, 2011 at 10:08 PM, Daniel Menezes lis...@dmnzs.com.br wrote:
> I read something about slow backends, table indexes and other things. I've used the backend script 'mysqltuner.pl' to adjust the performance. It's better now, but the warnings and errors persist. Can anyone help me on this?

Obviously the automated script-based adjustment isn't enough. Get a dba. I haven't seen a script that's good enough to magically solve all problems that it can replace an actual expert. A dba would be able to do a deep dive into your configuration and come up with the best solution based on your particular situation. Who knows, one of the pieces of advice might be "delete these indexes" (no, I'm not kidding) or "you need to archive accounting records older than x days".

--
Fajar
Re: FreeRadius + MySQL | radacct: Errors and Warnings
On Wed, Oct 26, 2011 at 10:08 PM, Daniel Menezes lis...@dmnzs.com.br wrote:
> Tue Oct 25 15:43:20 2011 : Error: WARNING: Unresponsive child for request 784, in module radutmp component accounting

Another thing to try: are you using radutmp? If not (e.g. the session/simultaneous-use check is using sql), just mark all instances of radutmp in sites-available/default (and whatever other virtual server you use).

--
Fajar
RE: FreeRadius + MySQL | radacct: Errors and Warnings
Hi Daniel,

> I have a FreeRadius + MySQL setup with MikroTik as NAS. And a few days ago I got some warnings and errors in the log:
>     Tue Oct 25 04:02:41 2011 : Info: Released IP xxx.xxx.xxx.xxx (did via-pppoe-01 cli xx:xx:xx:xx:xx:xx user dmnzs-test)
>     Tue Oct 25 05:30:36 2011 : Error: Received conflicting packet from client my-pppoe-01 port 39595 - ID: 75 due to unfinished request 625066. Giving up on old request.
>     Tue Oct 25 15:43:20 2011 : Error: WARNING: Unresponsive child for request 784, in module radutmp component accounting

There are a few basic steps you can take to improve the performance of FreeRADIUS with MySQL.

1. Use the InnoDB engine in MySQL.
2. Increase the number of SQL sockets in sql.conf (num_sql_socks). The default is 5; try 25.
3. Increase the number of connections (max_connections) in my.cnf to match the number of SQL sockets in sql.conf.
4. Enable the MySQL slow query log (slow_query_log) in my.cnf.
5. Check the MySQL slow query log file for problems.

Start with this list.

Tim
Re: FreeRadius + MySQL | radacct: Errors and Warnings
On Thu, Oct 27, 2011 at 12:13 AM, Daniel Menezes lis...@dmnzs.com.br wrote:
> Yes, there is a large number of rows in the radacct and radpostauth tables. The attribute 'Acct-Interim-Interval' works very well but makes many records.

Interim updates aren't supposed to add records; they simply update existing ones. They DO make the db busier though, since the number of accounting requests increases (depending on your environment, the difference can be more than an order of magnitude).

> I rotate these tables to archive old records; I think I'll do this every month. Of course, the script wouldn't solve all my problems, but it was very useful. Maybe I really need some customization of the backend; I'll think about it.

Another thing to consider, IF:
- you're pretty sure that your setup is optimized enough
- you already have someone with enough knowledge to look at the system and determine that the bottleneck is in disk I/O (due to frequent random db disk access)
- you have a limited budget

then you might want to try spending your budget on replacing the disk with an SSD. Get a SandForce-based SSD (or any other MLC SSD that has good garbage collection and wear-leveling). Usually they can give you an instant performance boost (can be over 10x, depending on your current situation) due to increased available IOPS.

--
Fajar
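Two points from this thread are easy to verify rather than take on faith: an Interim-Update does not add a radacct row, it updates the one the Start created, and the cost of that update depends on whether the lookup key is indexed. The script below is an added example, not code from the thread or from FreeRADIUS: it models the accounting_start/update/stop queries of dialup.conf against an in-memory SQLite radacct and drives a constructed session (Start, three Interim-Updates, Stop, then a NAS retransmit of the Stop, the duplicate packets the thread mentions). The trimmed schema, the single-column acctuniqueid key and the packet values are my simplifications; the real queries key on several columns and differ between FreeRADIUS versions.

```python
import sqlite3

# Trimmed-down radacct; the real schema in raddb/sql/mysql/schema.sql has more columns.
SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY AUTOINCREMENT,
    acctuniqueid       TEXT NOT NULL,
    username           TEXT NOT NULL,
    nasipaddress       TEXT NOT NULL,
    acctstarttime      TEXT,
    acctupdatetime     TEXT,
    acctstoptime       TEXT,
    acctsessiontime    INTEGER,
    acctinputoctets    INTEGER,
    acctoutputoctets   INTEGER,
    acctterminatecause TEXT
);
-- Every Interim-Update and Stop looks the session up by this key. Without the
-- index each one is a full scan of radacct, which is what a slow backend looks like.
CREATE INDEX radacct_uniqueid ON radacct (acctuniqueid);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def handle_accounting(conn: sqlite3.Connection, pkt: dict) -> int:
    """Simplified model of the accounting_start/update/stop queries in dialup.conf:
    Start inserts a row; Interim-Update and Stop only UPDATE it. Returns the number
    of rows touched, so a retransmit or a late packet is visible to the caller."""
    uid = pkt["Acct-Unique-Session-Id"]
    status = pkt["Acct-Status-Type"]
    if status == "Start":
        cur = conn.execute(
            "INSERT INTO radacct (acctuniqueid, username, nasipaddress, acctstarttime,"
            " acctsessiontime, acctinputoctets, acctoutputoctets)"
            " VALUES (?, ?, ?, ?, 0, 0, 0)",
            (uid, pkt["User-Name"], pkt["NAS-IP-Address"], pkt["Event-Timestamp"]))
    elif status == "Interim-Update":
        cur = conn.execute(
            "UPDATE radacct SET acctupdatetime = ?, acctsessiontime = ?,"
            " acctinputoctets = ?, acctoutputoctets = ?"
            " WHERE acctuniqueid = ? AND acctstoptime IS NULL",
            (pkt["Event-Timestamp"], pkt["Acct-Session-Time"],
             pkt["Acct-Input-Octets"], pkt["Acct-Output-Octets"], uid))
    elif status == "Stop":
        cur = conn.execute(
            "UPDATE radacct SET acctstoptime = ?, acctsessiontime = ?,"
            " acctinputoctets = ?, acctoutputoctets = ?, acctterminatecause = ?"
            " WHERE acctuniqueid = ? AND acctstoptime IS NULL",
            (pkt["Event-Timestamp"], pkt["Acct-Session-Time"],
             pkt["Acct-Input-Octets"], pkt["Acct-Output-Octets"],
             pkt.get("Acct-Terminate-Cause"), uid))
    else:
        raise ValueError("unsupported Acct-Status-Type %r" % status)
    conn.commit()
    return cur.rowcount


def session_rows(conn: sqlite3.Connection, uid: str) -> list:
    return conn.execute(
        "SELECT acctsessiontime, acctinputoctets, acctoutputoctets, acctstoptime"
        " FROM radacct WHERE acctuniqueid = ?", (uid,)).fetchall()


def update_uses_index(conn: sqlite3.Connection) -> bool:
    """True when the planner resolves the update through radacct_uniqueid
    rather than scanning the table (the check a DBA would run first)."""
    plan = conn.execute(
        "EXPLAIN QUERY PLAN UPDATE radacct SET acctsessiontime = 1"
        " WHERE acctuniqueid = 'x' AND acctstoptime IS NULL").fetchall()
    return any("radacct_uniqueid" in str(row[-1]) for row in plan)


def run_demo(conn: sqlite3.Connection) -> list:
    """Constructed session: Start, three Interim-Updates, Stop, then a retransmitted Stop.
    Returns the rows-touched count of each packet."""
    base = {"Acct-Unique-Session-Id": "c0ffee01", "User-Name": "dmnzs-test",
            "NAS-IP-Address": "192.0.2.10"}
    counts = [handle_accounting(conn, {**base, "Acct-Status-Type": "Start",
                                       "Event-Timestamp": "2011-10-25 04:00:00"})]
    for n in (1, 2, 3):
        counts.append(handle_accounting(conn, {
            **base, "Acct-Status-Type": "Interim-Update",
            "Event-Timestamp": "2011-10-25 04:%02d:00" % (5 * n),
            "Acct-Session-Time": 300 * n, "Acct-Input-Octets": 1000 * n,
            "Acct-Output-Octets": 4000 * n}))
    stop = {**base, "Acct-Status-Type": "Stop", "Event-Timestamp": "2011-10-25 04:17:00",
            "Acct-Session-Time": 1020, "Acct-Input-Octets": 3500,
            "Acct-Output-Octets": 14000, "Acct-Terminate-Cause": "User-Request"}
    counts.append(handle_accounting(conn, stop))
    counts.append(handle_accounting(conn, stop))  # NAS retransmit: nothing left to update
    return counts


if __name__ == "__main__":
    db = open_db()
    print("rows touched per packet:", run_demo(db))
    print("radacct rows for the session:", session_rows(db, "c0ffee01"))
    print("update uses index:", update_uses_index(db))
```

The retransmitted Stop touching zero rows is the benign case; in the real server a duplicate that arrives while the first copy is still waiting on a slow UPDATE is what produces the "Received conflicting packet ... due to unfinished request" error quoted earlier in the thread.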
Re: Freeradius + MySQL + WiFi PEAP authorisation only to a group of users
> Lumir Lindovsky wrote:
>> How do I give access to wifi users who authenticate with username/pass over PEAP only to a group of users?
> See the FAQ. You can create a group, and limit them based on group membership. You can use SQL-Group. See doc/rlm_sql
> Alan DeKok.

And could you please give me a short example? And where do I put the sql condition? In sql.conf, or in eap.conf, or in one of the sites-enabled servers? Should it be in the authorize or authenticate section? Users are stored in radcheck, and users + the groups associated to them are in radusergroup. I did not find any example on the net or in the config. Sorry for bothering, but examples always help me most.

Thank you,
Lumir Lindovsky
Re: Freeradius + MySQL + WiFi PEAP authorisation only to a group of users
Lumir Lindovsky wrote:
> How do I give access to wifi users who authenticate with username/pass over PEAP only to a group of users?

See the FAQ. You can create a group, and limit them based on group membership. You can use SQL-Group. See doc/rlm_sql

Alan DeKok.
Re: Freeradius + MySQL + WiFi PEAP authorisation only to a group of users
> Hello,
> I would like help with this: I have Freeradius version 2.1.6. I have it running with SQL and DialupAdmin. How do I give access to wifi users who authenticate with username/pass over PEAP only to a group of users? I mean that only users from group WIFI would be authorised, and not other users belonging to another group like OpenVPN. Now it authorises everybody from the radcheck table. I am very new to radius, and even though I have been searching the net for some time I cannot find the answer which would fit my needs.

I would think something like this in your users file:

    DEFAULT NAS-Ip-Address == your.wifi.nas.ip, Group == WIFI
    DEFAULT NAS-Ip-Address == your.wifi.nas.ip, Auth-Type = Reject
Re: Freeradius + MySQL + WiFi PEAP authorisation only to a group of users
> I would think something like this in your users file:
>     DEFAULT NAS-Ip-Address == your.wifi.nas.ip, Group == WIFI
>     DEFAULT NAS-Ip-Address == your.wifi.nas.ip, Auth-Type = Reject

Thank you for the answer, but I do not use any users file - I use mysql, and users are stored in the radcheck table and the groups are assigned in radusergroup. Plus the wifi is always behind a firewall and so NAT is present - so requests for both Wifi and OpenVPN authentication come from the same IP address. Maybe I can put something inside eap.conf to add checking of the group in sql? But how to do that?
Re: [freeradius+mysql]pap method
Um yes, it's 'encrypted' using the shared secret between the NAS and the RADIUS server... this is described in RFC 2865.

On 2 Aug 2011, at 07:31, gary wrote:
> Hi All
> I configured the NAS client with the pap method for user authentication. But in packet analysis with wireshark it appears Encrypted. Is this normal, or is there an incorrect configuration on the NAS or Freeradius server?
> 111.JPG
> Best Regards
> Gary

Arran Cudbard-Bell a.cudba...@freeradius.org
RADIUS - Half the complexity of Diameter
Re: [freeradius+mysql]pap method
Hi All

Thanks very much for your reply.

Best Regards
Gary

----- Original Message -----
From: Arran Cudbard-Bell
To: FreeRadius users mailing list
Sent: Tuesday, August 02, 2011 2:54 PM
Subject: Re: [freeradius+mysql]pap method

> Um yes, it's 'encrypted' using the shared secret between the NAS and the RADIUS server... this is described in RFC 2865.
Re: [freeradius+mysql]new field of table
On 1 Aug 2011, at 10:34, gary wrote:
> Hi to all
> Can anybody give me some guidelines? I would like to add a new field in a mysql table; how do I configure freeradius to recognize the field and fill out the correct value that I want?

Edit the queries in raddb/sql/<your db>/dialup.conf

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
RADIUS - Half the complexity of Diameter
Re: [freeradius+mysql]new field of table
2011/8/1 gary gary.y...@browan.com:
> Hi to all
> Can anybody give me some guidelines? I would like to add a new field in a mysql table; how do I configure freeradius to recognize the field and fill out the correct value that I want?

All queries are customizable. By default they're in raddb/sql/mysql/dialup.conf

--
Fajar
Re: [freeradius+mysql]new field of table
Hi Arran, Fajar

I've tried it, and thank you so much.

Best Regards
Gary

----- Original Message -----
From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, August 01, 2011 4:41 PM
Subject: Re: [freeradius+mysql]new field of table

> All queries are customizable. By default they're in raddb/sql/mysql/dialup.conf
Re: [freeradius+mysql]pap method
2011/8/2 gary gary.y...@browan.com
> Hi All
> I configured the NAS client with the pap method for user authentication. But in packet analysis with wireshark it appears Encrypted.

To debug radius problems, it's much easier and more informative to run debug mode (radiusd -X) instead of using packet sniffers.

> Is this normal, or is there an incorrect configuration on the NAS or Freeradius server?

Yup, that's normal. From http://www.ietf.org/rfc/rfc2865.txt :

    Network Security

    Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecure network could determine a user's password.

If the shared secret is correct, the radius server will be able to see the password as clear-text (i.e. unencrypted, exactly the way the user enters it). This is different from (for example) mschapv2, where the radius server can't see what the clear-text password is by simply looking at what the client sent.

--
Fajar
Re: Freeradius mysql (problem)
Hi, I have the exact same problem here with a Linksys access point. The access list on the AP works fine, allowing the client to connect. But the authentication fails. When I enter the client with its login in the users file like this:

    myclientuser Cleartext-Password := myclientspassword

it works fine. As soon as I try this on the mysql system I do not get access. The allowed hosts access still works fine.
Re: Freeradius mysql acct copy
Is it right that my freeradius goes down after the home server was down?

Regards,
Alexander.

2011/3/31 Fajar A. Nugraha l...@fajar.net
> On Thu, Mar 31, 2011 at 2:45 PM, Alexander Kosykh avkos...@gmail.com wrote:
>> Hi. I need to copy acct packets to my billing server and save acct in the standard freeradius radacct table in mysql. I'm saving acct in the radacct table now, but can't duplicate them to the other (billing) radius server. I've tried to use copy-acct-to-home-server but with no success. As I understand, the virtual server from copy-acct-to-home-server uses detail files to read acct information from the default server. Is there a way to not use the detail file and use mysql?
> See http://freeradius.1045715.n5.nabble.com/Sending-accounting-packets-to-more-than-one-server-td3408816.html
> --
> Fajar
Re: Freeradius mysql acct copy
On Thu, Mar 31, 2011 at 2:45 PM, Alexander Kosykh avkos...@gmail.com wrote:
> Hi. I need to copy acct packets to my billing server and save acct in the standard freeradius radacct table in mysql. I'm saving acct in the radacct table now, but can't duplicate them to the other (billing) radius server. I've tried to use copy-acct-to-home-server but with no success. As I understand, the virtual server from copy-acct-to-home-server uses detail files to read acct information from the default server. Is there a way to not use the detail file and use mysql?

See http://freeradius.1045715.n5.nabble.com/Sending-accounting-packets-to-more-than-one-server-td3408816.html

--
Fajar
Re: Freeradius mysql acct copy
Alexander Kosykh wrote:
> I need to copy acct packets to my billing server and save acct in the standard freeradius radacct table in mysql. I'm saving acct in the radacct table now, but can't duplicate them to the other (billing) radius server. I've tried to use copy-acct-to-home-server but with no success.

See the FAQ for "it doesn't work".

> As I understand, the virtual server from copy-acct-to-home-server uses detail files to read acct information from the default server. Is there a way to not use the detail file and use mysql?

No.

Alan DeKok.
Re: Freeradius mysql acct copy
On Thu, Mar 31, 2011 at 4:00 PM, Alan DeKok al...@deployingradius.com wrote:
> Alexander Kosykh wrote:
>> As I understand, the virtual server from copy-acct-to-home-server uses detail files to read acct information from the default server. Is there a way to not use the detail file and use mysql?
> No.

There's actually something interesting about that. I just had a chat with a colleague who managed a system with a similar setup (acct to local mysql and copy to remote); the biggest difference was that he used FR 1.1.3 (this system was created many years ago, and back then that version was current). He actually used a setup like this in proxy.conf:

    realm remoterealm {
        type     = radius
        authhost = 10.11.12.1:1812
        accthost = 10.11.12.1:1813
        accthost = LOCAL
        secret   = remotesecret
        nostrip
    }

The biggest difference there from the standard configuration (example from https://github.com/alandekok/freeradius-server/blob/release_1_1_3/raddb/proxy.conf) is that he used two accthost lines. And it worked :P

Can you confirm that this is a bug, that it shouldn't behave like that (since the example proxy.conf doesn't mention anything about two accthost lines)?

Another thing: while reading http://wiki.freeradius.org/Proxy , the link for doc/proxy is broken (it should be doc/proxy.rst). The edit function in the wiki is available for registered users only, while the create account function is disabled, so I can't fix it.

--
Fajar
Re: Freeradius mysql acct copy
Fajar A. Nugraha wrote:
> Can you confirm that this is a bug, that it shouldn't behave like that (since the example proxy.conf doesn't mention anything about two accthost lines)?

In 1.1.3, multiple accthost lines do fail-over from one to the other.

> Another thing: while reading http://wiki.freeradius.org/Proxy , the link for doc/proxy is broken (it should be doc/proxy.rst). The edit function in the wiki is available for registered users only, while the create account function is disabled, so I can't fix it.

I'll take a look.

Alan DeKok.
Re: Freeradius + Mysql + Enterasys management-access
Hi,

did you just copy the original example (framed-ip etc?) rather than put your required attributes into the table? ;-)

the list should be used to give you the helpful pointer... not do ALL your work for you :-)

alan
Re: Freeradius + Mysql + Enterasys management-access
You have to use the radreply table for that. For example:

    select * from radreply;
    +----+----------+-------------------+----+---------------+
    | id | username | attribute         | op | value         |
    +----+----------+-------------------+----+---------------+
    |  1 | test     | Framed-IP-Address | =  | 10.100.0.100  |
    |  2 | test     | Framed-IP-Netmask | =  | 255.255.255.0 |
    +----+----------+-------------------+----+---------------+

On Sat, Feb 5, 2011 at 10:22 PM, Yücel Türkistan yucel.turkis...@gmail.com wrote:
> Hello,
> I use FreeRADIUS version 2.1.3 with a MySQL backend. It's working very well except for this issue: When I try to use auth by an Enterasys switch for management-access, the Enterasys switch fails the login but FreeRADIUS says Auth: Login OK:... I searched on the net and found that I have to add a Filter-Id with value Enterasys:version=1:mgmt=su But I could not find how to add this Filter-Id to the mysql table. Can anyone help me please to solve this problem?
> Thanks a lot.
> --
> Kind Regards
> Yucel
Re: Freeradius + Mysql + Enterasys management-access
Thanks Ömer. I think that you understood my problem wrongly, but I tried what you suggested. However, it did not work. I have asked some people who use Enterasys switches and they confirmed that I have to use Filter-Id, but those guys don't know how it can be done under freeradius/unix. So I'm still in trouble with the issue.

2011/2/5 Omer Faruk SEN omerf...@gmail.com
> You have to use the radreply table for that. For example:
>     select * from radreply;
>     +----+----------+-------------------+----+---------------+
>     | id | username | attribute         | op | value         |
>     +----+----------+-------------------+----+---------------+
>     |  1 | test     | Framed-IP-Address | =  | 10.100.0.100  |
>     |  2 | test     | Framed-IP-Netmask | =  | 255.255.255.0 |
>     +----+----------+-------------------+----+---------------+

--
Kind Regards
Yucel
RE: Freeradius + Mysql + Enterasys management-access
Yücel,

Did you add the Filter-ID attribute to the radreply table? It should look like this.

    select * from radreply;
    +----+----------+-------------------+----+-----------------------------+
    | id | username | attribute         | op | value                       |
    +----+----------+-------------------+----+-----------------------------+
    |  1 | test     | Framed-IP-Address | =  | 10.100.0.100                |
    |  2 | test     | Framed-IP-Netmask | =  | 255.255.255.0               |
    |  3 | test     | Filter-ID         | =  | Enterasys:version=1:mgmt=su |
    +----+----------+-------------------+----+-----------------------------+

Tim

On Saturday, February 05, 2011 1:49 PM, Yücel Türkistan wrote:
> Thanks Ömer. I think that you understood my problem wrongly, but I tried what you suggested. However, it did not work. I have asked some people who use Enterasys switches and they confirmed that I have to use Filter-Id, but those guys don't know how it can be done under freeradius/unix. So I'm still in trouble with the issue.
Re: Freeradius + Mysql + Enterasys management-access
Tim,

This worked. Thank you so much.

2011/2/6 Tim Sylvester tim.sylves...@networkradius.com:

> Yücel,
>
> Did you add the Filter-ID attribute to the radreply table? It should look like this:
>
>     select * from radreply;
>     +----+----------+-------------------+----+-----------------------------+
>     | id | username | attribute         | op | value                       |
>     +----+----------+-------------------+----+-----------------------------+
>     |  1 | test     | Framed-IP-Address | =  | 10.100.0.100                |
>     |  2 | test     | Framed-IP-Netmask | =  | 255.255.255.0               |
>     |  3 | test     | Filter-ID         | =  | Enterasys:version=1:mgmt=su |
>     +----+----------+-------------------+----+-----------------------------+
>
> Tim

--
Kind Regards
Yucel
Re: Freeradius + mysql Auth-Type error...
Well, I've been working on this system in some form or another for about a month, which when done is going to be able (so I am told) to limit the bandwidth that the connected users (be it wired or wireless clients) can use, using squid/squish/hostapd/freeradius/daloradius (so when I leave someone can have a point-and-click way to delete abusive users and add them back when needed). From my reading I was under the impression that to use daloradius I needed to use mysql (I could be wrong on this); otherwise I would use the user accounts on the system and be done with it.

Instead of doing what I should have been doing and using the links to the documentation and wiki, I went looking for a QUICK FIX, and it didn't work and it burnt me in the a$$. I was smart enough to copy the original files to a backup directory BEFORE I made any changes, so copying the original files back and going to the wiki and starting from there is not going to be that difficult.

On 12/18/2010 2:41 AM, Alan DeKok wrote:
> i.e. you've butchered the default configuration by following some un-named, out-dated, and entirely *wrong* third-party documentation.
>
> Is there any reason you don't use the documentation that's included with the server? Or read the Wiki?
>
> Honestly. The Wiki contains *explicit* instructions for what to do. *None* of that includes destroying the configuration.
>
> Use the default configuration. Follow the FreeRADIUS documentation.
>
> Alan DeKok.
Re: Freeradius + mysql Auth-Type error...
Surprisingly, I put it back to the condition it was in when I first installed it, started with the Basic configuration HOWTO and then moved on to the SQL HOWTO, and it worked for the test with the username and password in the users file, and then again with a different user in the database. The only thing I noticed was the first database was showing the usergroup table, which I didn't have, so I substituted radusergroup for usergroup and it worked like a charm.

On 12/18/2010 2:41 AM, Alan DeKok wrote:
> Use the default configuration. Follow the FreeRADIUS documentation.
Re: Freeradius + mysql Auth-Type error...
I changed the /etc/raddb/sites-available/default to the following and changed Auth-Type to SQL in the radcheck table, and it still rejects the user.

    authorize {
        preprocess
        mschap
        sql
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
    }
    preacct {
        account_unique
    }
    accounting {
        radutmp
        sql
    }
    session {
        sql
    }
    post-auth {
        Post-Auth-Type REJECT {
            sql
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
    }

and added the information to clients.conf and sql.conf, and it seems to be working, for I get database requests when I run radiusd -X and run radtest. My mysql tables look like the following:

    mysql> select * from radcheck;
    +----+----------+--------------+----+----------------------------------+
    | id | username | attribute    | op | value                            |
    +----+----------+--------------+----+----------------------------------+
    |  1 | testuser | MD5-Password | := | 179ad45c6ce2cb97cf1029e212046e81 |
    +----+----------+--------------+----+----------------------------------+
    1 row in set (0.00 sec)

I have also tried this with Attribute set to Cleartext-Password and op set to == with the same result.

    mysql> select * from radgroupcheck;
    +----+-------------+-----------+----+---------+
    | id | groupname   | attribute | op | value   |
    +----+-------------+-----------+----+---------+
    |  1 | normalusers | Auth-Type | := | MS-CHAP |
    +----+-------------+-----------+----+---------+
    1 row in set (0.00 sec)

Changed Auth-Type to SQL.

    mysql> select * from radgroupreply;
    +----+-------------+--------------------+----+---------------------+
    | id | groupname   | attribute          | op | value               |
    +----+-------------+--------------------+----+---------------------+
    |  1 | normalusers | Framed-Compression | =  | Van-Jacobson-TCP-IP |
    +----+-------------+--------------------+----+---------------------+
    1 row in set (0.00 sec)

    mysql> select * from radpostauth;
    +----+----------+--------------+---------------+---------------------+
    | id | username | pass         | reply         | authdate            |
    +----+----------+--------------+---------------+---------------------+
    |  1 | testuser | testuserpass | Access-Reject | 2010-12-16 23:45:22 |
    |  2 | testuser | testuserpass | Access-Reject | 2010-12-16 23:52:18 |
    |  3 | testuser | testuserpass | Access-Reject | 2010-12-17 00:24:07 |
    |  4 | root     | changed      | Access-Accept | 2010-12-17 01:28:43 |
    |  5 | user1    | password1    | Access-Reject | 2010-12-17 01:29:01 |
    |  6 | root     | changed      | Access-Accept | 2010-12-17 01:38:59 |
    |  7 | todd     | changed      | Access-Accept | 2010-12-17 01:41:16 |
    |  8 | user1    | password1    | Access-Reject | 2010-12-17 02:06:47 |
    |  9 | user1    | password1    | Access-Reject | 2010-12-17 02:18:37 |
    | 10 | testuser | testpass     | Access-Reject | 2010-12-17 05:05:05 |
    | 11 | testuser | testpass     | Access-Reject | 2010-12-17 05:10:04 |
    | 12 | testuser | testpass     | Access-Reject | 2010-12-17 05:24:06 |
    | 13 | testuser | testpass     | Access-Reject | 2010-12-17 05:35:10 |
    | 14 | testuser | testpass     | Access-Reject | 2010-12-17 06:09:40 |
    | 15 | testuser | testpass     | Access-Reject | 2010-12-17 06:28:45 |
    | 16 | testuser | testpass     | Access-Reject | 2010-12-17 06:43:24 |
    +----+----------+--------------+---------------+---------------------+
    16 rows in set (0.00 sec)

The Access-Accepts that I got here are from when I switched it to use the /etc/passwd file.

    mysql> select * from radreply;
    +----+----------+-------------------+----+-----------+
    | id | username | attribute         | op | value     |
    +----+----------+-------------------+----+-----------+
    |  1 | testuser | Framed-IP-Address | =  | 127.0.0.1 |
    +----+----------+-------------------+----+-----------+
    1 row in set (0.00 sec)

    mysql> select * from radusergroup;
    +----------+-------------+----------+
    | username | groupname   | priority |
    +----------+-------------+----------+
    | testuser | normalusers |        1 |
    +----------+-------------+----------+
    1 row in set (0.00 sec)

When I start radiusd in debug mode and test from another window I get this output.

    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1 port 58605, id=234, length=60
        User-Name = testuser
        User-Password = testpass
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[mschap] returns noop
    [sql]   expand: %{Stripped-User-Name} ->
    [sql] sql_set_user escaped user --> ''
    rlm_sql (sql): Reserving sql socket id: 3
    [sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id
    rlm_sql_mysql: query: SELECT id, username, attribute,
Re: Freeradius + mysql Auth-Type error...
Todd Bateman wrote:
> I have been trying to get freeradius + mysql to play nice together for the past few days and no matter what HOW TO or Tutorial I follow the end result is the same: when I run radtest from the command line I get Access-Reject. In the HOW TO/Tutorials I have followed I was told to make my /etc/raddb/sites-available/default like the following:

i.e. you've butchered the default configuration by following some un-named, out-dated, and entirely *wrong* third-party documentation.

Is there any reason you don't use the documentation that's included with the server? Or read the Wiki?

Honestly. The Wiki contains *explicit* instructions for what to do. *None* of that includes destroying the configuration.

Use the default configuration. Follow the FreeRADIUS documentation.

Alan DeKok.
Re: FreeRadius + MySQL characters being converted to HEX
Steve Staples wrote:
> there were some other attributes that get these =HEX values passed and stored, and what I am wondering is, is that in the flat files, it gets stored as connect-progress=LAN Ses Up ('=3D' translates to '=') but in MySQL, it gets parsed/translated to the '=3D' style. How do I go about storing this as the '=' and not the '=3D' as well as all the other attribute values that get parsed/translated to hex characters?

Read raddb/sql/mysql/dialup.conf. Look for safe_characters.

> It doesn't appear to be the MySQL that is changing it, it looks like it is from the FreeRadius side... but I could be wrong.

It's FreeRADIUS.

Alan DeKok.
Re: FreeRadius + MySQL characters being converted to HEX
On Thu, 2010-12-16 at 16:15 +0100, Alan DeKok wrote:
> Read raddb/sql/mysql/dialup.conf. Look for safe_characters.
>
> It's FreeRADIUS.

Thank you Alan, I will be adding the '=' and '%' to this list, and uncommenting it. I had seen this before, but never read it, or put much thought to it.

Steve
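To make the behaviour Alan points at concrete, here is an added example (written for this page, not rlm_sql's own source) that reproduces the "=XX" hex-escaping applied to every character outside safe_characters before a value is substituted into a query, and shows what adding '=' and '%' to the list changes. DEFAULT_SAFE is the default list as shipped in dialup.conf to the best of my recollection; check your own file.

```python
"""Reproduce rlm_sql's safe_characters escaping (added example, not FreeRADIUS code).

FreeRADIUS escapes every byte of an attribute value that is not in the
safe_characters list as '=XX' (two uppercase hex digits) before the value is
substituted into an SQL query.  That is why 'connect-progress=LAN Ses Up'
lands in MySQL as 'connect-progress=3DLAN Ses Up'.
"""
from string import hexdigits

# Default list as shipped in raddb/sql/mysql/dialup.conf (from memory; verify against yours).
DEFAULT_SAFE = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

# Characters that must never be added to safe_characters for a MySQL backend:
# each one can terminate the quoted string the value is placed in.
RISKY = "'\"\\;"


def sql_escape(value: str, safe: str = DEFAULT_SAFE) -> str:
    """Escape as rlm_sql does: pass safe characters through, hex-escape the rest byte by byte."""
    out = []
    for ch in value:
        if ch in safe:
            out.append(ch)
        else:
            # Non-ASCII characters are escaped per UTF-8 byte, one '=XX' each.
            out.extend("=%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def sql_unescape(value: str) -> str:
    """Reverse the escaping when reading stored values back out of the database."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "=" and i + 3 <= len(value) and all(c in hexdigits for c in value[i + 1:i + 3]):
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8", errors="replace")


def risky_additions(extra: str) -> str:
    """Return the characters in `extra` that should not be added to safe_characters."""
    return "".join(ch for ch in extra if ch in RISKY)


if __name__ == "__main__":
    value = "connect-progress=LAN Ses Up"            # constructed sample, taken from the thread
    print(sql_escape(value))                          # connect-progress=3DLAN Ses Up
    print(sql_escape(value, DEFAULT_SAFE + "=%"))     # connect-progress=LAN Ses Up
    print(sql_unescape("connect-progress=3DLAN Ses Up"))
    print(risky_additions("=%'"))                     # only the quote is flagged
```

Once '=' is in safe_characters, a stored value such as "a=3Db" can no longer be told apart from an escaped one, so run sql_unescape only over rows written before the change, and keep the quote, backslash and semicolon out of the list whatever else you add.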
Re: FreeRadius + MySQL + Multiple Dynamic Clients
Dynamic Clients would only apply to the NAS's (ie the WNR834v2 Access Points) and not the workstations connecting to the APs, as the workstations / users would just be users.

So either you allow anyone from the internet (or restrict it down to certain IP addresses which the Mobile Provider issues as DHCP addresses) to connect to your FreeRadius server. Otherwise perhaps your Mobile provider may offer a private office Mobile broadband offering, so by specifying a different APN on the router you get put into a certain IP address pool by the Telco and you don't route your FreeRadius AAA over the internet.

On Fri, Oct 29, 2010 at 11:00 AM, Tyler Nally tna...@technally.com wrote:
> Hello,
>
> I'm the IT fellow for a bus company that is about to implement WiFi on a fleet of a couple dozen buses (or so), so that passengers can pull out their laptops, iPhones, iPads, iWhatevers and connect thru the wandering networks from inside the comfort of the bus while traveling to their various destinations.
>
> We'll be using a Wireless Broadband device that will provide the broadband signal to a router. The router will be configured to use a Radius server so that as people connect they'll go through the Radius authentication protocols to get their wifi connection to the network.
>
> I'm assuming that whenever these power on, they'll be getting a new dynamically assigned IP address. Not to mention that potentially, as the bus roams around and as it loses and gains service between the different cell sites, I guess it's possible that each time it loses/gains a cell site, it might even get a new IP address.
>
> So, what I want to avoid is having to set each router's access password (which would be 1 or 2 at first) each week .. manually. Up to a maximum of 20 or 30 of these .. manually.
>
> I figure that I can capture the user's email address (or username) and a password, and make just THAT combination of authentication available WHILE their scheduled route is running. Sooo.. just prior to the dispatch of the bus, I add that list of good authentications to the records of the FreeRADIUS server setup. When the route is over, I remove the records (or somehow toggle them off). The idea being that they'll only be allowed one login per user while on the bus. And if they don't check/select that they want wifi access, they won't get access from a previous user/password combination.
>
> What I've got working is FreeRADIUS with MySQL. But not with a dynamic client. It's refusing the authentication connection with the client. Do I define 1 dynamic client that maybe 20-30 of these will be using? Or should they be numbered from 01 thru whatever. Either way, they'll all have different IP's as they are traveling down the road.
>
> The error message I see in the logs is:
>
>     Thu Oct 28 16:10:26 2010 : Error: Ignoring request to authentication address * port 1812 from unknown client 98.212.198.111 port 2048
>
> So.. I know the network is open to get the request, it's just not processing it. I've looked through the WIKI and can't find any specific dynamic client setup parameters/settings.
>
> I'm running freeradius v 2.1.8 on a Ubuntu 10.04 machine. With a test connection via a Netgear WNR834v2 that's been reflashed as a DD-WRT mini hotspot to give me the router configuration.
>
> Any help would be appreciated.
>
> --
> Tyler Nally tna...@technally.com
Re: FreeRadius + MySQL + Multiple Dynamic Clients
Right... Ok.. so are these different traveling mobile offices, in documentation, what is called a VLAN (with a dynamic IP to the internet side of the router that in turn hands out IP's to its clients)?

Somehow the router authenticates by something secret that only it and the FreeRadius server knows .. and then the user authenticates via user/password to FreeRadius a different way. Assuming the router has to authenticate successfully first before the user's turn.

I don't want FreeRadius to hand out IP's. I think I want the AP to do that.

On 10/28/2010 05:13 PM, Peter Lambrechtsen wrote:
> Dynamic Clients would only apply to the NAS's (ie the WNR834v2 Access Points) and not the workstations connecting to the APs, as the workstations / users would just be users.
Re: FreeRadius + MySQL + Multiple Dynamic Clients
On Fri, Oct 29, 2010 at 4:33 PM, Tyler Nally tna...@technally.com wrote:
> Right... Ok.. so are these different traveling mobile offices, in documentation, what is called a VLAN (with a dynamic IP to the internet side of the router that in turn hands out IP's to its clients)?

The traveling mobile routers are NAS's (http://wiki.freeradius.org/NAS)

> Somehow the router authenticates by something secret that only it and the FreeRadius server knows .. and then the user authenticates via user/password to FreeRadius a different way. Assuming the router has to authenticate successfully first before the user's turn.

Yes, the NAS and FreeRadius share a Shared Secret. The user's password is encrypted using the Shared Secret by the NAS before it sends the request to Free Radius.

So probably having a config in your clients.conf like:

    client 10.64.0.0/16 {
        secret = supersecretpassword
        shortname = MobileNetworkIPAddresses
    }

And assigning the same shared password onto all your NAS's would be all you need.

Not all that secure having this over the internet, that's why I said having a private office offering from the Telco would be a better option. But if that's not available then you put a firewall in front of your FR box, and then only traffic from the Telco's Mobile IP Address range is permitted, which is probably the best you are going to be able to do.

> I don't want FreeRadius to hand out IP's. I think I want the AP to do that.

That would be up to how you configure your NAS.
Re: Freeradius+MySql+EAP_TLS: authentication without MySQl Entry
Esteban TALAVERA wrote:
> My freeradius + MySQL + EAP_TLS is working, but I have a problem. I assumed that without an entry in MySQl database, the client can not authenticate,

That's not how EAP-TLS works.

> but I forgot to create one user's database entry and the laptop was able to join the network. It is possible a client authentication without a database entry, just with the certificates

That's how EAP-TLS works.

If you want to reject the user, configure the server to look up the username in the DB, and reject if they're not found.

Or, use TLS as it was intended to be used: revoke the client certificate.

Alan DeKok.
Re: Freeradius+MySql+EAP_TLS: authentication without MySQl Entry
Thanks!

On Wed, Oct 20, 2010 at 9:19 AM, Alan DeKok al...@deployingradius.com wrote:
> If you want to reject the user, configure the server to look up the username in the DB, and reject if they're not found.
>
> Or, use TLS as it was intended to be used: revoke the client certificate.

--
*Esteban Talavera*
*Proyectos ITW C.A.*
Tel. +(58)212 7623035 +(58)212 7620504
Cel. +(58)412 2892006
Fax +(58)212 7615965
Re: Freeradius+MySql+EAP_TLS: authentication without MySQl Entry [SOLVED]
On Wed, Oct 20, 2010 at 9:22 AM, Esteban TALAVERA etalave...@gmail.com wrote:
> Thanks!
>
> On Wed, Oct 20, 2010 at 9:19 AM, Alan DeKok al...@deployingradius.com wrote:
>> If you want to reject the user, configure the server to look up the username in the DB, and reject if they're not found.
>>
>> Or, use TLS as it was intended to be used: revoke the client certificate.
Re: Freeradius + MySql + Wireless Clients without certificates
Thanks, you're right. I'll continue this way; the problem is not the effort, but I was trying to complete the picture Freeradius+MySql+EAP_TLS+Cisco AP without success. Keep trying...

On Tue, Sep 14, 2010 at 5:25 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> I'd like to know if there is a way to configure a Radius server + Mysql to authenticate Wireless clients via a Cisco AP without certificates (EAP TLS), only a username and password
>
> err, EAP needs certs..thats a fundamental building block. the RADIUS server needs to be signed by a CA and the client needs to have that CA installed onto it.
>
> you can make things easier by getting your RADIUS server signed by a CA that is built into most of your clients - eg get a thawte or verisign signed cert.
>
> its a BAD BAD thing not to enable radius server checking and CA checking on your client. the public key infrastructure is a major part of the security of 802.1X and if you think its 'too much effort' then I'll show you a nasty man-in-middle fake AP and radius server that will get all your users usernames and passwords. all run in a 512Mb VM on a basic laptop :-(
>
> alan
Re: Freeradius + MySql + Wireless Clients without certificates
On 9/13/10 3:40 PM, Esteban TALAVERA wrote:
> I'd like to know if there is a way to configure a Radius server + Mysql to authenticate Wireless clients via a Cisco AP without certificates (EAP TLS), only a username and password

Are you using an autonomous AP or a lightweight AP with a controller? If you have a controller, you can do webauth. For webauth, the only certificate required is the one for https/ssl. If it's an autonomous system, then you could place clients on a vlan and make them go through an authentication gateway.

--
Kevin Ehlers
Network Engineer
University of Oregon
Re: Freeradius + MySql + Wireless Clients without certificates
Thanks. It is an autonomous AP. I'll try the Freeradius+MySql+EAP-TLS schema.

On Tue, Sep 14, 2010 at 11:06 AM, Kevin Ehlers ke...@uoregon.edu wrote:
> Are you using an autonomous AP or a lightweight AP with a controller? If you have a controller, you can do webauth. For webauth, the only certificate required is the one for https/ssl. If it's an autonomous system, then you could place clients on a vlan and make them go through an authentication gateway.
Re: Freeradius + MySql + Wireless Clients without certificates
On 09/14/2010 11:53 AM, Esteban TALAVERA wrote:
> Thanks. It is an autonomous AP. I'll try the Freeradius+MySql+EAP-TLS schema.

Huh? What's that?

As has been pointed out previously you must have a server cert if you're doing TLS. In addition the server cert should be signed by a trusted CA and the supplicant should validate the cert (anything less would be a ridiculous security risk).

No amount of fudging the server configuration is going to magically modify the fundamental requirements of TLS. If you don't want to set up a server cert forget about supporting PEAP, EAP_TLS, etc. (which means most Windows clients will not work).

--
John Dennis jden...@redhat.com

Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: Freeradius + MySql + Wireless Clients without certificates
Hi,

> I'd like to know if there is a way to configure a Radius server + Mysql to authenticate Wireless clients via a Cisco AP without certificates (EAP TLS), only a username and password

yes. we use Cisco APs - we used to use them in autonomous mode but moved to the lightweight LWAPP (now CAPWAP) mode a few years back.

I would not recommend broken captive portals. 802.1X is the way forward (and is now being mandated by several government and education procurement systems around the world - expect any half-decent auditor to pick up on this too).

for EAP, you can use EAP-PEAP or EAP-TTLS - in which your RADIUS server has a certificate signed by a CA. the clients don't need certificates, they just need to have the CA on them that signed the RADIUS server (for trust!)

alan
Re: Freeradius + MySql + Wireless Clients without certificates
On 9/14/10 11:38 AM, Alan Buxey wrote:
> I would not recommend broken captive portals. 802.1X is the way forward (and is now being mandated by several government and education procurement systems around the world - expect any half-decent auditor to pick up on this too).
>
> for EAP, you can use EAP-PEAP or EAP-TTLS - in which your RADIUS server has a certificate signed by a CA. the clients don't need certificates, they just need to have the CA on them that signed the RADIUS server (for trust!)

I agree for the most part. However, captive portals will still be in use for guest access. There's less administrative and helpdesk overhead for this type of deployment. On windows machines, the CA/cert trust has to be explicitly enabled. This can be a barrier for un-managed and non-employee machines.

Kevin
Re: Freeradius + MySql + Wireless Clients without certificates
Hi,

> I agree for the most part. However, captive portals will still be in use for guest access. There's less administrative and helpdesk overhead for this type of deployment. On windows machines, the CA/cert trust has to be explicitly enabled. This can be a barrier for un-managed and non-employee machines.

so visitors get a nice easy coffee-shop way onto the network whilst employees have to suffer the wrath of 21 steps of PEAP hell? nah. that's just not fair. there are several tools developing nicely which make getting onto an 802.1X network nice and easy for all people: staff, students or visitors - eg Cloudpath and su1x - with these, there is no nasty CA/cert trust for a visitor to deal with. and if they cannot get onto the supplied network, then there's always a commercial link or 3G dongle option (most modern 'road warriors' have eg a 3G dongle or MiFi in their pocket to avoid stupid wifi charges at hotels ;-) )

alan
Re: Freeradius + MySql + Wireless Clients without certificates
Hi Esteban,

this can be done via EAP-PEAP or EAP-TTLS, but not directly via TLS.

Regards,
Marten Pape

Esteban TALAVERA wrote:
> Hi
>
> I'd like to know if there is a way to configure a Radius server + Mysql to authenticate Wireless clients via a Cisco AP without certificates (EAP TLS), only a username and password
>
> Thanks
>
> --
> *Esteban Talavera*
Re: Freeradius + MySql + Wireless Clients without certificates
Hi Marten

You mean that when configuring freeradius for EAP-PEAP it's not necessary to create certificates? Is it possible to use it with a CISCO AP as NAS?

Thanks

On Mon, Sep 13, 2010 at 6:23 PM, Marten Pape marten.p...@pape-hn.de wrote:
> Hi Esteban,
>
> this can be done via EAP-PEAP or EAP-TTLS, but not directly via TLS.
>
> Regards,
> Marten Pape
Re: Freeradius+mysql+chillispot
jorge88 wrote:
> I have a serious problem, see if you can help. It just can not authenticate any user. The throwing error is:
>
>     WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>     WARNING: Use the PAP or CHAP modules instead.
>     User-Password in the request does NOT match known good password.
>     Failed to authenticate the user.
>     WARNING: unprintable characters in the password. Double-check the shared secret on the server and the NAS!

All of those messages should be easy to understand.

Use Cleartext-Password := .. instead of User-Password == ..

Re-enter the shared secret.

Alan DeKok.
Re: Freeradius+mysql+chillispot
Hello Alan,

Thank you very much for your request. Using Cleartext-Password := the message still appears:

WARNING: unprintable characters in the password. Double-check the shared secret on the server and the NAS!

And the user is not logged in successfully, the encrypted key. What could be the problem?

Thank you :)

Regards,
Jorge

On 13/07/2010 18:44, Alan DeKok wrote:
> jorge88 wrote:
>> I have a serious problem, see if you can help. It just can not authenticate any user. The error thrown is:
>>
>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>> WARNING: Use the PAP or CHAP modules instead.
>> User-Password in the request does NOT match known good password.
>> Failed to authenticate the user.
>> WARNING: unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>
> All of those messages should be easy to understand.
>
> Use Cleartext-Password := .. instead of User-Password == ..
>
> Re-enter the shared secret.
>
> Alan DeKok.
RE: Freeradius+mysql+chillispot
> Using Cleartext-Password := the message still appears:
> WARNING: unprintable characters in the password. Double-check the shared secret on the server and the NAS!
> And the user is not logged in successfully, the encrypted key. What could be the problem?

You need to read the error message and Alan's e-mail. The error message says:

Double-check the shared secret on the server and the NAS!

Tim
Re: Freeradius+mysql+chillispot
Hi,

this:

User-Password = L]\357DK\027\304\033\376Hx.\342Ö\336

and this:

WARNING: unprintable characters in the password. Double-check the shared secret on the server and the NAS!

are clear signs that the shared secret on the NAS is wrong - or you've entered the wrong string in the clients.conf (or SQL table).

fix it

alan
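The garbage User-Password and the "unprintable characters" warning in this thread are what RFC 2865 password hiding looks like when the server decodes it with a shared secret that differs from the one on the NAS. The following Python is an added example, not part of the thread and not FreeRADIUS code; it reproduces the hide/unhide steps, the printability check, and the octal rendering seen in the debug output, with a constructed secret, authenticator and password.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 does: each 16-byte chunk is
    XORed with MD5(secret + previous ciphertext block), seeded with the
    16-byte Request Authenticator of the Access-Request."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding. With the wrong secret the MD5 keystream is wrong and
    the result is pseudo-random garbage, which is what the server then prints
    as User-Password = ... with octal escapes and flags as unprintable."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def has_unprintable(password: bytes) -> bool:
    """Approximation of the check behind the 'unprintable characters in the
    password' warning: any byte outside printable ASCII."""
    return any(b < 0x20 or b > 0x7e for b in password)


def octal_escape(password: bytes) -> str:
    """Render bytes like the debug line above: \\ooo for each non-printable byte."""
    return "".join(chr(b) if 0x20 <= b <= 0x7e and b != 0x5c else "\\%03o" % b
                   for b in password)


if __name__ == "__main__":
    # Constructed values: the NAS hid the password with one secret, the server tries another.
    authenticator = bytes(range(16))
    hidden = encode_user_password(b"Secret!Pass", b"testing123", authenticator)
    garbage = decode_user_password(hidden, b"wrongsecret", authenticator)
    print("decoded with wrong secret:", octal_escape(garbage))
    print("unprintable?", has_unprintable(garbage))
```

A NAS whose PAP requests consistently decode to garbage on only one server is a quick way to tell a clients.conf (or SQL client table) mismatch from a genuinely wrong user password, since the latter decodes to printable text that simply does not match.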
Re: FreeRadius MYSQL tables
Natr Brazell wrote:
> I've set up FR2 to log acct data to mysql and that appears to be working. I'm curious about how to enable the logging of specific attributes that are being sent by the NAS. Specifically:

Edit the schema queries.

> As you can see in the Accounting-Request packet above there is a NAS-Identifier and a Juniper-Interactive-Command entry. Those attributes are not being logged (nor do I think I'd want them) in my radacct file. Is there a way to have radius automatically populate an accountingactivity table (history file if you will)?

Sure. Edit the configuration to make it do that. The queries are in a configuration file for a reason: they can be edited.

> Or is there a manual way, say in postauth, to send those attributes to a mysql table via script when an Accounting-Request packet is received?

postauth is not used for Accounting-Request packets.

Alan DeKok.
Re: freeradius + mysql trouble
I was simply using the Debian package manager version, seems to work fine for what I need.

> is this version of freeradius supplied by distro or package manager?
> have you uncommented calls to sql - eg in the default server or inner-tunnel (look in the required/needed sections, eg authorize, authenticate etc).
> i also note you don't have SSL support so won't be able to do any EAP stuff.
>
> alan

That was exactly the problem, none of the docs mention that file which is why I missed it.

> Part way through, it says:
>
> Edit /etc/raddb/sites-available/default
> ...
>
> You didn't do that.
>
>> # /usr/sbin/freeradius -X
>> FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep 7 2008 at 23:35:34
>> Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
Re: freeradius + mysql trouble
Ski Mountain wrote:
> Hi everybody, I am trying to set up freeradius so that it authenticates off a mysql database. sql.conf is being included in the config. But the rlm_sql is never loaded and I have been trying to figure out why. It does not appear to even try to connect to the database and I am stumped as to why. I have also followed (http://wiki.freeradius.org/SQL_HOWTO) to no avail.

Part way through, it says:

Edit /etc/raddb/sites-available/default
...

You didn't do that.

> # /usr/sbin/freeradius -X
> FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep 7 2008 at 23:35:34

Why use a version that's two years old?

Alan DeKok.
Re: freeradius + mysql trouble
Hi,

> I am trying to set up freeradius so that it authenticates off a mysql database. sql.conf is being included in the config. But the rlm_sql is never loaded and I have been trying to figure out why. It does not appear to even try to connect to the database and I am stumped as to why.

is this version of freeradius supplied by distro or package manager?

have you uncommented calls to sql - eg in the default server or inner-tunnel (look in the required/needed sections, eg authorize, authenticate etc).

i also note you don't have SSL support so won't be able to do any EAP stuff.

alan
Re: Freeradius + mysql + openssl certificates?
On 05/06/2010 03:17 AM, shirkavand wrote:
> Hi,
> Can I use freeradius + mysql + ssl certificates at the same time for authenticating users... or does this not make sense? I am a bit confused about whether I have to use one of them (mysql or ssl certificates) for authentication purposes. I have read tutorials for using freeradius + mysql OR freeradius + ssl certificates. The freeradius + mysql tutorial explains how to do the authentication using mysql... so the passwords and users are all stored inside a mysql db. On the other hand the freeradius + ssl certificates tutorial explains how to do the authentication using a file called users that stores all the users and passwords. So I am wondering if I can make the radius server authenticate users using the credential info from the mysql db and using certificates too... or if each one is a different method to use.

You might be confused as to when certificates are required and for what purpose.

In the more common case the only certificate needed is for the radius server; user authentication occurs via per-user passwords or hashes available to the radius server via a secondary store (e.g. SQL database, flat file, or LDAP). The server certificate is only used to secure the communications channel and there is no need to store a certificate in a database.

However some EAP methods avoid the use of the less secure password/hash credential (what is normally stored in a database on a per-user basis) and instead require a client certificate. Client certificates (e.g. a certificate is issued to each user wishing to authenticate) are more secure than passwords/hashes. However the requirement for distributing and maintaining client-side certificates is often considered too much of a logistical burden despite the excellent security it provides.

When client certificates are used it's still not necessary to store any per-user certificates in the backend. Why? Because in the SSL/TLS protocol when client authentication is requested the client sends its certificate to the server, which then validates the client certificate (after having also validated a client-signed challenge). The primary requirement here is that the CA which signed the client certificate is a trusted CA known to the radius server.

The short answer is radius configurations backed by a MySQL database do not require storing per-user certificates in the database.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: FreeRadius + Mysql + Multiple databases
Jonathan Wood wrote:
> I have been contacted by a local ISP to upgrade their current radius server (currently running V 1.x). They have multiple databases running for their clients with one radius server. I have looked around Google, the archives and through the documentation with the current version with no luck.

Uh... if you have access to their configuration, much of the 1.x configuration will work in 2.x.

> I have the new install running with mysql, now need to get it able to access the other databases. I was wondering does anyone have a sample code I can use in the sites available/enabled to help me on this?

You should be able to figure it out from their current configuration. It's really not that hard.

Alan DeKok.