Re: Freeradius + 2 x LDAP + VLAN
Thank you, it works with a simple modification (not too effective):

    ldap1
    if (ok) {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 1
        }
    }
    ldap2
    if (ok) {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 2
        }
    }

Miroslav

On 12.9.2013 19:36, Arran Cudbard-Bell wrote:
> On 12 Sep 2013, at 18:18, Miroslav Lednicky <miroslav.ledni...@fnusa.cz> wrote:
>
>> Hello,
>> I have Freeradius 2.1.10 with 2 LDAP servers (ldap1 + ldap2) and Ubuntu 12.04
>>
>>     authorize {
>>         ldap1
>>         if (ok) {
>>             update reply {
>>                 Tunnel-Type = VLAN,
>>                 Tunnel-Medium-Type = IEEE-802
>>                 Tunnel-Private-Group-Id = 1
>>             }
>>         }
>>         elsif {
>>             ldap2
>>             if (ok) {
>>                 update reply {
>>                     Tunnel-Type = VLAN
>>                     Tunnel-Medium-Type = IEEE-802
>>                     Tunnel-Private-Group-Id = 2
>>                 }
>>             }
>>         }
>>     }
>
> Arran Cudbard-Bell <a.cudba...@freeradius.org>
> FreeRADIUS Development Team

--
Mgr. Miroslav Lednický

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
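The same two-directory lookup with the fallback the thread was aiming for, as an added example that is neither Miroslav's configuration nor FreeRADIUS project code. It assumes two rlm_ldap instances named ldap1 and ldap2 (the names used in the thread) and that LDAP is the only user store, which is why the final branch rejects; remove that branch if users or sql are also consulted later in authorize.

```conf
# Added example: fragment of the authorize section in raddb/sites-enabled/default
# (FreeRADIUS 2.x). Assumes module instances "ldap1" and "ldap2" exist.
authorize {
    preprocess
    suffix

    # "if (ok)" tests the return code of the module call immediately before it.
    ldap1
    if (ok) {
        update reply {
            # ":=" overwrites any VLAN attribute set earlier in the request;
            # "=" (as in the thread) only adds the attribute when it is absent.
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "1"
        }
    }
    else {
        # Consulted only when ldap1 did not find the user, so ldap2 is not
        # queried on every request and a user present in both directories
        # cannot be handed the second VLAN.
        ldap2
        if (ok) {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "2"
            }
        }
        else {
            # Assumption: LDAP is the only user source. Unknown users stop here
            # instead of reaching the NAS with no VLAN assigned at all.
            reject
        }
    }

    expiration
    logintime
    pap
}
```

The unconditional `elsif {` in the original has no condition and is not valid unlang; `else` after the `if (ok)` block is what the fallback needs. Run `radiusd -X` after the change and confirm that a user found in ldap1 never produces a `[ldap2]` line in the debug output.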
Re: Freeradius + 2 x LDAP + VLAN
On 12 Sep 2013, at 18:18, Miroslav Lednicky <miroslav.ledni...@fnusa.cz> wrote:

> Hello,
> I have Freeradius 2.1.10 with 2 LDAP servers (ldap1 + ldap2) and Ubuntu 12.04
>
>     authorize {
>         ldap1
>         if (ok) {
>             update reply {
>                 Tunnel-Type = VLAN,
>                 Tunnel-Medium-Type = IEEE-802
>                 Tunnel-Private-Group-Id = 1
>             }
>         }
>         elsif {
>             ldap2
>             if (ok) {
>                 update reply {
>                     Tunnel-Type = VLAN
>                     Tunnel-Medium-Type = IEEE-802
>                     Tunnel-Private-Group-Id = 2
>                 }
>             }
>         }
>     }

Arran Cudbard-Bell <a.cudba...@freeradius.org>
FreeRADIUS Development Team
Re: freeRadius 2.x
rosect...@yahoo.com wrote:
> It is noticed that some VSAs are sent with Access-Challenge but not with Access-Accept when PEAP is used.
> Is there a way to configure the server such that those attributes are sent with Access-Accept?

  Configure the server to send them in the Access-Accept.

  If you're not going to give useful information in your question, any answer will be likewise useless.

  Alan DeKok.
Re: freeRadius 2.x
On 12/20/2012 05:14 PM, rosect...@yahoo.com wrote:
> It is noticed that some VSAs are sent with Access-Challenge but not with Access-Accept when PEAP is used.
> Is there a way to configure the server such that those attributes are sent with Access-Accept?

use_tunneled_reply = yes under the peap {} section in eap.conf.

In addition, if you're seeing the VSAs in Access-Challenge, it's most likely because you're returning them in the authorize section. Instead, consider returning them in the post-auth section of the inner-tunnel server, combined with the config above.

There are other options, depending on your needs.
Re: freeRadius 2.x
Hi,

> In addition, if you're seeing the VSAs in Access-Challenge, it's most likely because you're returning them in the authorize section. Instead, consider returning them in the post-auth section of the inner-tunnel server, combined with the config above.

don't forget RFC 2865:

    Access-Challenge

    The Attributes field MAY have one or more Reply-Message Attributes, and MAY have a single State Attribute, or none. Vendor-Specific, Idle-Timeout, Session-Timeout and Proxy-State attributes MAY also be included. No other Attributes defined in this document are permitted in an Access-Challenge.

ensure only the right things are in those challenge packets

alan
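The two settings the replies above point at, written out as an added example that is not the posters' configuration or FreeRADIUS project code. The vendor attribute shown (Mikrotik-Rate-Limit, from the stock dictionary.mikrotik) and its value are assumptions chosen for illustration; substitute the attributes your NAS actually consumes.

```conf
# Added example, FreeRADIUS 2.x. Two fragments; the file each belongs to is
# noted in the comment above it.

# --- raddb/eap.conf, inside eap { ... } ---
peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    # Copy the reply attributes produced inside the tunnel into the outer
    # Access-Accept that the NAS sees.
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
}

# --- raddb/sites-available/inner-tunnel ---
# post-auth runs only after the inner authentication has succeeded, so
# attributes added here are not present during the Access-Challenge rounds,
# which keeps the challenge packets within what RFC 2865 permits. Nothing in
# the outer server's authorize section sets reply attributes.
post-auth {
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "10"
        # Sample VSA and value (assumed); attribute name from dictionary.mikrotik.
        Mikrotik-Rate-Limit := "2M/10M"
    }

    Post-Auth-Type REJECT {
        # Strip everything except what an Access-Reject may carry.
        attr_filter.access_reject
    }
}
```

To check the result, run `radiusd -X` and compare the attribute lines under `Sending Access-Challenge` with those under `Sending Access-Accept`: the challenges should carry only EAP-Message, Message-Authenticator and State, and the Tunnel-* and vendor attributes should appear once, in the Accept.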
RE: freeradius 2.x EAP-MSCHAPv2 + MySQL
hi,
in sql.conf did you modify that line: readclients = no to readclients = yes ?

> Date: Wed, 19 May 2010 13:52:59 +0200
> Subject: freeradius 2.x EAP-MSCHAPv2 + MySQL
> From: mac...@drobniuch.pl
> To: freeradius-users@lists.freeradius.org
>
> Hi ALL!!
> I'm trying to get authenticated with a mikrotik wireless AP. All works, but only when I add the user into the users file. The thing is that I want to get the users from mysql. At the moment the authentication requests are coming from a PPPoE concentrator, and the users are in the MySQL database - it works fine. The freeradius server, while authenticating, is not searching in the sql database. Why that? Please help, and sorry for my lame eng.
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
My NAS-es are located in the clients file and they are working fine with pppoe auth.

2010/5/19 dorra aa <dj_dido2...@hotmail.com>:
> hi,
> in sql.conf did you modify that line: readclients = no to readclients = yes ?
>
>> Date: Wed, 19 May 2010 13:52:59 +0200
>> Subject: freeradius 2.x EAP-MSCHAPv2 + MySQL
>> From: mac...@drobniuch.pl
>> To: freeradius-users@lists.freeradius.org
>>
>> Hi ALL!!
>> I'm trying to get authenticated with a mikrotik wireless AP. All works, but only when I add the user into the users file. The thing is that I want to get the users from mysql. At the moment the authentication requests are coming from a PPPoE concentrator, and the users are in the MySQL database - it works fine. The freeradius server, while authenticating, is not searching in the sql database. Why that? Please help, and sorry for my lame eng.

--
Regards!
Maciej Drobniuch
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
    [pap] Found existing Auth-Type, not changing it.
    ++[pap] returns noop
    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type mschapv2
    rlm_eap_mschapv2: Issuing Challenge
    ++[eap] returns handled
    } # server inner-tunnel
    [peap] Got tunneled reply code 11
            EAP-Message = 0x0108001f1a0108001a10c7d6fbe958d146ab792405e57d614d2c6d6172696f
            Message-Authenticator = 0x
            State = 0x9e96f9a79e9ee37993bcc70e3aa60b8b
    [peap] Got tunneled reply RADIUS code 11
            EAP-Message = 0x0108001f1a0108001a10c7d6fbe958d146ab792405e57d614d2c6d6172696f
            Message-Authenticator = 0x
            State = 0x9e96f9a79e9ee37993bcc70e3aa60b8b
    [peap] Got tunneled Access-Challenge
    ++[eap] returns handled
    Sending Access-Challenge of id 46 to 93.175.129.30 port 52446
            EAP-Message = 0x0108003b19001703010030c644c5069947da1d0b65e9345c9f5d97f1c9d8425826085a5ea328def3834835f94fd58cc38cc96c8b32ad0c6af0bb17
            Message-Authenticator = 0x
            State = 0xbd4bf931bb43e07726e24ebbe3a70713
    Finished request 24.
    Going to the next request
    Waking up in 4.8 seconds.
    rad_recv: Access-Request packet from host 93.175.129.30 port 40335, id=47, length=250
            Service-Type = Framed-User
            Framed-MTU = 1400
            User-Name = mario
            State = 0xbd4bf931bb43e07726e24ebbe3a70713
            NAS-Port-Id = wlan1
            Calling-Station-Id = 00-24-23-05-18-62
            Called-Station-Id = 00-0E-8E-12-5C-0B:PROV
            EAP-Message = 0x0208006b190017030100601f901df53ab606b4241dc93bd9c8dc78503563b070c59551752ed754f1d3f1e2f5d75c23ee36ef74c37450136af9f17f917297da69b3dfe5e75b84c02141b409ed3c3a67f0ced9ae217318648a2e836a5aa47e05f226671f142ac33c9cd268fa
            Message-Authenticator = 0x2218a71be94f92ad7aac8a5477c3778c
            NAS-Identifier = MikroTik
            NAS-IP-Address = 192.168.1.141
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = mario, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] EAP packet type response id 8 length 107
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] eaptls_verify returned 7
    [peap] Done initial handshake
    [peap] eaptls_process returned 7
    [peap] EAPTLS_OK
    [peap] Session established. Decoding tunneled attributes.
    [peap] EAP type mschapv2
    [peap] Got tunneled request
            EAP-Message = 0x020800401a0208003b31bffa8955e6709ec4fdf6d46331c8fa1ded7a280e908424483bbc9c2c2454630d88756c09abc4c7bf006d6172696f
    server {
      PEAP: Setting User-Name to mario
    Sending tunneled request
            EAP-Message = 0x020800401a0208003b31bffa8955e6709ec4fdf6d46331c8fa1ded7a280e908424483bbc9c2c2454630d88756c09abc4c7bf006d6172696f
            FreeRADIUS-Proxied-To = 127.0.0.1
            User-Name = mario
            State = 0x9e96f9a79e9ee37993bcc70e3aa60b8b
    server inner-tunnel {
    +- entering group authorize {...}
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[unix] returns updated
    [suffix] No '@' in User-Name = mario, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    ++[control] returns noop
    [eap] EAP packet type response id 8 length 64
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] Found existing Auth-Type, not changing it.
    ++[pap] returns noop
    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/mschapv2
    [eap] processing type mschapv2
    [mschapv2] +- entering group MS-CHAP {...}
    [mschap] No Cleartext-Password configured. Cannot create LM-Password.
    [mschap] No Cleartext-Password configured. Cannot create NT-Password.
    [mschap] Told to do MS-CHAPv2 for mario with NT-Password
    [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
    [mschap] FAILED: MS-CHAP2-Response is incorrect
    ++[mschap] returns reject
    [eap] Freeing handler
    ++[eap] returns reject
    Failed to authenticate the user.
    } # server inner-tunnel
    [peap] Got tunneled reply code 3
            MS-CHAP-Error = \010E=691 R=1
            EAP-Message = 0x04080004
            Message-Authenticator = 0x
    [peap] Got tunneled reply RADIUS code 3
            MS-CHAP-Error = \010E=691 R=1
            EAP-Message = 0x04080004
            Message-Authenticator = 0x
    [peap] Tunneled authentication was rejected.
    [peap] FAILURE
    ++[eap] returns handled
    Sending Access-Challenge of id 47 to 93.175.129.30 port 40335
            EAP-Message = 0x0109002b19001703010020c31f20717df3dcaca42b6dc386f094200e0847944b4f87f37901e4ecc76b45e5
            Message-Authenticator =
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
Hi,

so, it's an EAP request and therefore gets proxied into inner-tunnel...

> } # server inner-tunnel
> [peap] Got tunneled reply code 3
>         MS-CHAP-Error = \010E=691 R=1
                            ^ nice.
>         EAP-Message = 0x04080004
>         Message-Authenticator = 0x
> [peap] Got tunneled reply RADIUS code 3
>         MS-CHAP-Error = \010E=691 R=1
                            ^^^ and again
>         EAP-Message = 0x04080004
>         Message-Authenticator = 0x
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE

fairly clear.

okay, what eap method are you using?... and what inner method etc. have you got mario in your system or users file too?

alan
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
Maciej Drobniuch wrote:
> The freeradius server while authenticating is not searching in the sql database. Why that?

  You didn't configure it.

  What does the debug log say?

  Alan DeKok.
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
Maybe you did not understand me, but when the mario user is in files all works fine, but when not, freeradius isn't asking the sql.
I'm using EAP PEAP MSCHAPv2.
The sql is enabled and it works fine with pap, chap, mschap, mschapv2 on pppoe concentrators, but while using EAP it isn't working.
Here is the whole debug: http://testowy.langw.net/text.txt

2010/5/19 Alan DeKok <al...@deployingradius.com>:
> Maciej Drobniuch wrote:
>> The freeradius server while authenticating is not searching in the sql database. Why that?
>
>   You didn't configure it.
>
>   What does the debug log say?
>
>   Alan DeKok.

--
Regards!
Maciej Drobniuch
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
Maciej Drobniuch wrote:
> Maybe you did not understand me, but when the mario user is in files all works fine but when not the freeradius isn't asking the sql.

  Because you didn't configure it to ask SQL.

> I'm using EAP PEAP MSCHAPv2

  Did you edit raddb/sites-available/inner-tunnel?

> The sql is enabled

  Where?

> Here is the whole debug: http://testowy.langw.net/text.txt

  Can you read it?

    [mschap] No Cleartext-Password configured. Cannot create LM-Password.
    [mschap] No Cleartext-Password configured. Cannot create NT-Password.

  This is pretty obvious. Now read *backwards* from that. You'll see that there's no mention of SQL, but there is some text:

    Sending tunneled request
            EAP-Message = ...
            FreeRADIUS-Proxied-To = 127.0.0.1
            User-Name = mario
            State = 0x66cdb16066c5abec558fec6768936d41
    server inner-tunnel {

  It's telling you that it's running the inner-tunnel virtual server. Did you edit it? It looks like you didn't. Should you edit it? Absolutely.

  Alan DeKok.
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
Hi,

> Maybe you did not understand me, but when the mario user is in files all works fine but when not the freeradius isn't asking the sql.
> I'm using EAP PEAP MSCHAPv2
> The sql is enabled and it works fine with pap,chap,mschap, mschapv2 on pppoe concentrators, but while using EAP it isn't working.
> Here is the whole debug: http://testowy.langw.net/text.txt

the EAP methods need particular backend stuff... you can see the logs barfing over this with all the complaints about no Cleartext-Password

does mario have a Cleartext-Password := PASSWORD set in the SQL? are you calling the sql module in the inner-tunnel?

alan
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
Thanks Alan, I did not know about the inner-tunnel. Now everything works fine.
BIG THANKS TO ALL!!

2010/5/19 Alan DeKok <al...@deployingradius.com>:
> Maciej Drobniuch wrote:
>> Maybe you did not understand me, but when the mario user is in files all works fine but when not the freeradius isn't asking the sql.
>
>   Because you didn't configure it to ask SQL.
>
>> I'm using EAP PEAP MSCHAPv2
>
>   Did you edit raddb/sites-available/inner-tunnel?
>
>> The sql is enabled
>
>   Where?
>
>> Here is the whole debug: http://testowy.langw.net/text.txt
>
>   Can you read it?
>
>     [mschap] No Cleartext-Password configured. Cannot create LM-Password.
>     [mschap] No Cleartext-Password configured. Cannot create NT-Password.
>
>   This is pretty obvious. Now read *backwards* from that. You'll see that there's no mention of SQL, but there is some text:
>
>     Sending tunneled request
>             EAP-Message = ...
>             FreeRADIUS-Proxied-To = 127.0.0.1
>             User-Name = mario
>             State = 0x66cdb16066c5abec558fec6768936d41
>     server inner-tunnel {
>
>   It's telling you that it's running the inner-tunnel virtual server. Did you edit it? It looks like you didn't. Should you edit it? Absolutely.
>
>   Alan DeKok.

--
Regards!
Maciej Drobniuch
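What "edit inner-tunnel" amounts to for this thread, as an added example that is neither Maciej's configuration nor the FreeRADIUS project's stock file. It assumes the sql module instance is called sql and is already working from sql.conf, as the PPPoE concentrators in the thread show; the radcheck row in the comment is constructed to illustrate what Alan asked about.

```conf
# Added example: raddb/sites-available/inner-tunnel for FreeRADIUS 2.x with the
# sql module enabled in authorize. Assumes the module instance is named "sql".
server inner-tunnel {
    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        # For the tunneled MS-CHAPv2 response eap returns "updated", not "ok"
        # (see "++[eap] returns updated" in the debug output), so processing
        # continues to the modules below and sql is actually consulted.
        eap {
            ok = return
        }
        files
        # This is the line that was missing. rlm_sql loads the user's check
        # items from radcheck; rlm_mschap then has the password it needs
        # instead of logging "No Cleartext-Password configured".
        # Constructed example of the required radcheck row:
        #   username='mario'  attribute='Cleartext-Password'  op=':='  value='<secret>'
        # or, to avoid storing the cleartext, attribute='NT-Password' with the
        # 32-hex-character NT hash as value.
        sql
        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

MS-CHAPv2 can only be verified from the NT hash, so a radcheck entry holding a crypt, MD5 or SSHA digest will keep failing exactly as in the debug above even once sql is called; store NT-Password rather than Cleartext-Password where the database is shared with anything else, and restrict the radius database account to SELECT on radcheck/radreply.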
Re: Freeradius 2.x + MySQL: Failed to authenticate the user
Alexander wrote:
> Hello all,
> I have a new setup with Freeradius 2.1.7, Dialup Admin 1.80 and MySQL 5.0.77 running under Red Hat ES 5.4. Access from Freeradius to MySQL is working fine but user 'dummy' does not get authenticated. After hours of searching through my setup it seems to me that the problem is rather related to my Freeradius configuration than to MySQL. I tested locally with radtest and remotely with NTRadPing: Access-Reject. From the attached debug output can you see why?
> Thanks in advance!

  See your users file:

    ++[unix] returns notfound
    [files] users: Matched entry DEFAULT at line 70

  That entry is forcing Auth-Type := System. Don't do that.

  Alan DeKok.
Re: Freeradius 2.x + MySQL: Failed to authenticate the user
--- On Thu, 1/14/10, Alan DeKok <al...@deployingradius.com> wrote:

>   See your users file:
>
>     ++[unix] returns notfound
>     [files] users: Matched entry DEFAULT at line 70
>
>   That entry is forcing Auth-Type := System. Don't do that.
>
>   Alan DeKok.

Hello Alan,

thanks for your hint which solved my problem. After removing the entry from the users file everything worked like a charm. Time for coffee I guess ;-)

Cheers,
Alexander
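The users-file mistake from this thread beside the shape of the file after the fix, as an added example that is not Alexander's file. The offending entry is reconstructed from Alan's description ("forcing Auth-Type := System"); the remaining DEFAULT entry is the kind of reply-only entry the stock users file ships with.

```conf
# Added example: raddb/users, FreeRADIUS 2.x.

# --- before: the entry matched at "Matched entry DEFAULT at line 70" ---
# A DEFAULT entry matches every user that no earlier entry matched. With a
# forced Auth-Type, the request never takes the Auth-Type derived from the
# Cleartext-Password that sql supplies, so the SQL user 'dummy' is rejected
# without SQL ever deciding anything. Do not do this:
#DEFAULT    Auth-Type := System
#           Fall-Through = Yes

# --- after: no forced Auth-Type anywhere in the file ---
# Check items on the left decide whether an entry matches; reply items on the
# right are returned to the NAS. Authentication is left to pap/chap/mschap,
# which set Auth-Type from the request once sql has loaded the password.
DEFAULT     Framed-Protocol == PPP
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP
```

After editing, `radiusd -X` should show `[files] users: Matched entry DEFAULT` only for the reply-only entry (or no match at all), followed by `[sql]` lines and `[pap]` reporting the Auth-Type it chose; `radtest dummy <password> localhost 0 <secret>` then returns Access-Accept instead of the Access-Reject seen in the thread.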