Re: Problemes with the mystic of freeradius configuration

2010-10-08 Thread Alan DeKok
Klaus Ethgen wrote:
> Phil Mayers wrote:
>> Try this:
...
> Doesn't work:
>server probes {
>+- entering group authorize {...}
>++[ok] returns ok
>++[handled] returns handled
>} # server probes

  The debug log shows that you did *not* try Phil's suggestion.

> I believe that. But I defined a authenticate method: "ok" And I do not
> want freeradius to think that it should do some extra work than that
> what I told them.

  Go back and read the default configuration files.  The "authenticate"
section is composed of a set of *individual* authentication methods.
You can't just delete them all and expect them to work.

  i.e. If you don't understand how the server works, it's not a good
idea to butcher the configuration.

  Go back and try Phil's suggestion.  It works.  Don't put anything else
in the "authorize" section.  Don't use an "authenticate" section.

> Hmmm.. I'll try. I want to have all configuration concerning one virtual
> server to be encapsulated within this server. As I read the
> documentation and the examples, that work for some configuration
> settings but not for all.

  Exactly. If you want different configurations for a virtual server,
use different configuration files.  See raddb/radrelay.conf for an example.

> Well, ok, I will the next time. Principle it is all the same that the
> documentation about freeradius only covers the standard tasks but if you
> need a configuration that is a bit special you are on your own.

  Exactly.  The server includes documentation on how it works, and what
each configuration option does.  It's left to you to figure out how to
translate that into your requirements.

  The server does *not* include documentation for how to set up your
environment.  We don't know what you want, and there are millions of
possible configurations.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problemes with the mystic of freeradius configuration

2010-10-08 Thread Alan Buxey
Hi,

> Another quest for me is to encapsulate the configuration for eduroam
> (including the users and proxy.conf(!)) into a complete independent
> configuration to use the radius server for more than eduroam.
> Unfortunately all tries to us a other file for users and proxy.conf only
> in the eduroam virtual server was unsuccessful.

the proxy.conf entries are global - so you cannot have a single
isolated way - you need to share the file.  our current recipe is quite simple,
in 'human readable' terms :

is this user a local user?  
yes -> mark realm as local
no -> mark realm as eduroam


if realm = local then update the control proxy to local
if realm = eduroam then update the control proxy to eduroam

then, in proxy.conf have your eduroam config as a nice boilerplate.


its okay - but I really really wouldn't want to drop such a configuration
on top of someone else's server as, the joy of FreeRADIUS, is that people can
do things in so many ways...and by defining realms and control logic you could/may
break their internal logic, unlang etc.


what we DO suggest is that sites have a virtual server for dealing with things that
come from their national proxies - as the proxy would already have checked that
the user is theirs etc - so you can skip lots of stuff and go straight to the
authorization/authentication stages.

alan


Re: Problemes with the mystic of freeradius configuration

2010-10-08 Thread Phil Mayers

On 08/10/10 10:36, Klaus Ethgen wrote:
> Hello newsgroup, hello Alan DeKok,
>
> I tried to solve my problem with Daniel Bertolo from Switch but was not
> success, so he told me to ask here.
>
> I want to configure a virtual server that always return ok to be used as
> probe for a load balancer (Cisco ACE). So what I tried was to just copy
> the status server and tried the following:
> server tests {
>    authorize {
>    ok
>    }
>
>    authenticate {
>    ok
>    }
> }
>
> Unfortunately I get the following in the debug output:

Try this:

authorize {
  update control {
    Auth-Type := Accept
  }
}

> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user

This is the problem.

> Another quest for me is to encapsulate the configuration for eduroam
> (including the users and proxy.conf(!)) into a complete independent
> configuration to use the radius server for more than eduroam.
> Unfortunately all tries to us a other file for users and proxy.conf only
> in the eduroam virtual server was unsuccessful.
>
> Do anybody have an idea how to solve that?

You'll have to be a bit more specific than that.

Also, this is two different issues in the same email; try posting each
separate problem individually.

> Ah, yes. Please excuse that I did not post the full configuration and
> debug output as there is many confidential stuff inside. If someone need
> special answers, please tell me and I will see what I can do.

We need the debug output, or we can't help you.

However - for eduroam setup, including example FreeRadius configs, try
googling for "FreeRadius eduroam" - there are white papers and example
configs.



Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP

2008-12-11 Thread Jason Wittlin-Cohen
On Thu, Dec 11, 2008 at 9:16 AM, Attou eric  wrote:

> Hi Everybody.
>
> We are having some issues in setting up freeradius to support EAP-TLS,
> EAP-TTLS and EAP-PEAP.
> Our goal is to have our authentication server providing those three
> Auth-Type simultaneously.
> To support EAP-TLS, we generate our CA and certificates via TinyCA.
>
>

You can use TinyCA, but you must add the proper extended key usage. Under
Openssl-Configuration in TinyCA put the OID 1.3.6.1.5.5.7.3.1 for Server
Certificates into Extended Key usage, and 1.3.6.1.5.5.7.3.2 into Client
Certificate Extended Key Usage.

Jason

Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP

2008-12-11 Thread tnt
>We are having some issues in setting up freeradius to support EAP-TLS, 
>EAP-TTLS and EAP-PEAP.
>Our goal is to have our authentication server providing those three Auth-Type 
>simultaneously.
>To support EAP-TLS, we generate our CA and certificates via TinyCA.
>
>We also add radius' log after an authentication attempt from  windows XP OS
>
>using windows built in supplicant by supplying a username and password stored 
>in 
>
>our /etc/passwd file. But the authentication failed with this error message :
> 
>rlm_eap: identity does not match User-Name, setting from EAP identity
> 
>Thu Dec 11 14:59:10 2008 : Debug: radiusd:  Loading Realms and Home 
>Servers 
>Thu Dec 11 14:59:10 2008 : Debug:  proxy server {
>Thu Dec 11 14:59:10 2008 : Debug:       retry_delay = 5
>Thu Dec 11 14:59:10 2008 : Debug:       retry_count = 3
>Thu Dec 11 14:59:10 2008 : Debug:       default_fallback = no
>Thu Dec 11 14:59:10 2008 : Debug:       dead_time = 120
>Thu Dec 11 14:59:10 2008 : Debug:       wake_all_if_all_dead = no
>Thu Dec 11 14:59:10 2008 : Debug:  }
>Thu Dec 11 14:59:10 2008 : Debug:  home_server localhost {
>Thu Dec 11 14:59:10 2008 : Debug:       ipaddr = 127.0.0.1
>Thu Dec 11 14:59:10 2008 : Debug:       port = 1812
>Thu Dec 11 14:59:10 2008 : Debug:       type = "auth"
>Thu Dec 11 14:59:10 2008 : Debug:       secret = "testing123"
>Thu Dec 11 14:59:10 2008 : Debug:       response_window = 20
>Thu Dec 11 14:59:10 2008 : Debug:       max_outstanding = 65536
>Thu Dec 11 14:59:10 2008 : Debug:       zombie_period = 40
>Thu Dec 11 14:59:10 2008 : Debug:       status_check = "status-server"
>Thu Dec 11 14:59:10 2008 : Debug:       ping_check = "none"
>Thu Dec 11 14:59:10 2008 : Debug:       ping_interval = 30
>Thu Dec 11 14:59:10 2008 : Debug:       check_interval = 30
>Thu Dec 11 14:59:10 2008 : Debug:       num_answers_to_alive = 3
>Thu Dec 11 14:59:10 2008 : Debug:       num_pings_to_alive = 3
>Thu Dec 11 14:59:10 2008 : Debug:       revive_interval = 120
>Thu Dec 11 14:59:10 2008 : Debug:       status_check_timeout = 4
>Thu Dec 11 14:59:10 2008 : Debug:  }
>Thu Dec 11 14:59:10 2008 : Debug:  home_server_pool my_auth_failover {
>Thu Dec 11 14:59:10 2008 : Debug:       type = fail-over
>Thu Dec 11 14:59:10 2008 : Debug:       home_server = localhost
>Thu Dec 11 14:59:10 2008 : Debug:  }
>Thu Dec 11 14:59:10 2008 : Debug:  realm uac.bj {
>Thu Dec 11 14:59:10 2008 : Debug:       auth_pool = my_auth_failover
>Thu Dec 11 14:59:10 2008 : Debug:  }

You have configured the server to proxy requests to itself. Don't do
that. Configure it as local realm (just {}).

..
>rad_recv: Access-Request packet from host 172.21.1.251 port 1035, id=233, 
>length=145
>        User-Name = "[EMAIL PROTECTED]"
>        NAS-IP-Address = 172.21.1.251
>        Connect-Info = "CONNECT 802.11"
>        Called-Station-Id = "0060b33573b4"
>        Calling-Station-Id = "000e35dfc4c9"
>        NAS-Identifier = "ap"
>        NAS-Port-Type = Wireless-802.11
>        NAS-Port = 40
>        NAS-Port-Id = "40"
>        Framed-MTU = 1400
>        EAP-Message = 0x0269001001746f746f407561632e626a
>        Message-Authenticator = 0x4047d95682a4670d24da3c2fa434814e
..
>Thu Dec 11 15:00:37 2008 : Debug: rlm_passwd: Added MD5-Password: 
>'HsrtQesmWHodM:14211::' to config_items

That's not going to work with PEAP.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP

2008-12-11 Thread Alan DeKok
Attou eric wrote:
> We are having some issues in setting up freeradius to support EAP-TLS,
> EAP-TTLS and EAP-PEAP.
> Our goal is to have our authentication server providing those three
> Auth-Type simultaneously.
> To support EAP-TLS, we generate our CA and certificates via TinyCA.

  Please read eap.conf.  You need certain things in the certificates for
PEAP to work on Windows.  I'm not sure that TinyCA does the right thing
here.

> We also add radius' log after an authentication attempt from  windows XP OS  
> using windows built in supplicant by supplying a username and password
> stored in
> our /etc/passwd file.

  PEAP will NOT work with /etc/passwd.  It's impossible.


> But the authentication failed with this
> error message :
>  
> *rlm_eap: identity does not match User-Name, setting from EAP identity*
>  
> Radius logs 
> ...Thu Dec 11 14:59:10 2008 : Debug: main {

  Please *follow* the instructions in the FAQ, README, INSTALL, and
"man" page.  We want "radiusd -X", not "radiusd -xX".  Adding the dates
makes the debug output harder to read.

  Note also that the debug output *includes* the configuration.  So
there's no need to post it separately.  And we don't ask for it, either.

> Sending Access-Request of id 200 to 127.0.0.1 port 1812
...
> rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=200,
> length=143

  Could you explain why you're proxying the packet from the server to
itself?  This isn't necessary.  It's also bad.

> Thu Dec 11 15:00:37 2008 : Error: rlm_eap: Identity does not match
> User-Name, setting from EAP Identity.

  Your supplicant is broken.  The two fields should match.

  Or, you're editing the User-Name.  Don't do that.

> Is there something wrong in our configurations?
> Is it normal that there is no User-Password attribute in Access-Request
> packet?

  Yes.  This is how EAP works.

  Alan DeKok.


Reply: Re: Reply: Re: Reply: Re: FreeRADIUS configuration

2008-04-14 Thread volkan . goeksel
Alan DeKok:

ok  i will ask the vpn list.

thank you!

Re: Reply: Re: Reply: Re: FreeRADIUS configuration

2008-04-14 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> no the documentation doesn't explain it...

  Well, I don't know anything about the VPN gateway you're using.  Maybe
they have a mailing list you can ask questions on?

  i.e. configuring the VPN gateway is a problem for the VPN people.
It's not a FreeRADIUS problem.

> vpn works. but i want to install a radius server on the vpn-gateway1,
> because i want that the client on lan2 have to type username and
> password to reach lan1.

  Yes, you've said that.  The VPN gateway is responsible for doing all
of this authentication.  If it can't be configured to do RADIUS, then no
amount of changing FreeRADIUS will make any difference.

  Go ask questions on the VPN list.  It is not a FreeRADIUS problem.

  Alan DeKok.


Reply: Re: Reply: Re: FreeRADIUS configuration

2008-04-14 Thread volkan . goeksel
Alan DeKok:

no the documentation doesn't explain it...

LAN1 <-> VPN-Gateway <-> VPN-Gateway1 <-> LAN2

this is a site-to-site vpn and a ipsec tunnel (between gateway1 and 2).

vpn works. but i want to install a radius server on the vpn-gateway1,
because i want that the client on lan2 have to type username and password
to reach lan1.
if the password is incorrect, he cant connect with lan1.
clients = windows xp
gateways = linux 2.6
i already installed freeradius on the gateway1, but i dont know how to
begin.

Re: Reply: Re: FreeRADIUS configuration

2008-04-14 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> i installed FreeRADIUS with the packetmanager apt-get..

  They haven't upgraded to 1.1.7 yet?

> vpn gateway1 is the radius server.
> i only want that the clients (lan2) have to type username and password
> to use the vpn.
> but i dont know how to configure it...

  Does the VPN gateway documentation explain how to configure RADIUS?

  Alan DeKok.


Reply: Re: FreeRADIUS configuration

2008-04-14 Thread volkan . goeksel
Alan DeKok:
hmm 1.1.6, why not..
i installed FreeRADIUS with the packetmanager apt-get..
vpn gateway1 is the radius server.
i only want that the clients (lan2) have to type username and password to 
use the vpn.
but i dont know how to configure it...

thanks, ldapman

Re: FreeRADIUS configuration

2008-04-14 Thread Alan DeKok
LDAPMAN wrote:
> I have installed freeradius 1.1.6 and dont know how to configure it.

  Why 1.1.6?

> My "local networkstructure" looks like this (it is a test) :
> 
> LAN1 (central) <-> VPN Gateway1 <-> VPN Gateway2 <-> LAN2

  So... which one is a RADIUS client?

> I have installed freeradius on Gateway1.
> wiki.freeradius.org looks fine, but i dont know how to begin.
> I have written the client IPs with secrets in the clients.conf
> hmm.. and now?

  What do you want to do?  Does the VPN gateway have documentation on
what it expects from a RADIUS server?

  Alan DeKok.


FreeRADIUS configuration

2008-04-14 Thread LDAPMAN

Hi!
I have installed freeradius 1.1.6 and dont know how to configure it.

My "local networkstructure" looks like this (it is a test) :

LAN1 (central) <-> VPN Gateway1 <-> VPN Gateway2 <-> LAN2

VPN is configured.
Both LAN have got 2 Windows XP Clients.

VPN Gateway:
Linux 2.6
Openswan 2.4

I have installed freeradius on Gateway1.
wiki.freeradius.org looks fine, but i dont know how to begin.
I have written the client IPs with secrets in the clients.conf
hmm.. and now?

Can anyone help me?


Re: Simple Freeradius configuration

2007-08-15 Thread Kelly Ormsby
Ok, thanks Nicholas Hall and Scott Lambert.

I'd rather use CHAP for the encryption and since the cisco router won't
allow PAP through. I guess I'll just have to suck up the management overhead
of maintaining a clear text password list.

Thanks,

On 8/16/07, Scott Lambert <[EMAIL PROTECTED]> wrote:
>
> On Thu, Aug 16, 2007 at 10:47:58AM +0800, Kelly Ormsby wrote:
> > Hi all,
> >
> > I've installed freeradius 1.1.6 on Fedora core 2 (kernel 2.6.5-1.358) (I
> > can't upgrade please don't go there). I did a basic configure/make/make
> > install.
> >
> > The only changes to the default configuration is adding an entry to the
> > clients.conf file to allow requests from the Cisco VPN gateway. So far
> as I
> > can tell CHAP and CHAPv2 should work straight out of the box (as per
> this
> > page http://deployingradius.com/documents/configuration/auth_type.html).
>
> The problem is that CHAP requires cleartext or NTLM type passwords.
>
> Your configuration will likely work if you use PAP rather than CHAP.
>
> --
> Scott Lambert    KC5MLE    Unix SysAdmin
> [EMAIL PROTECTED]
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Kelly Ormsby
Senior Unix Systems Administrator

Email: [EMAIL PROTECTED]
Mobile: 0417 910 801

Re: Simple Freeradius configuration

2007-08-15 Thread Scott Lambert
On Thu, Aug 16, 2007 at 10:47:58AM +0800, Kelly Ormsby wrote:
> Hi all,
> 
> I've installed freeradius 1.1.6 on Fedora core 2 (kernel 2.6.5-1.358) (I
> can't upgrade please don't go there). I did a basic configure/make/make
> install.
> 
> The only changes to the default configuration is adding an entry to the
> clients.conf file to allow requests from the Cisco VPN gateway. So far as I
> can tell CHAP and CHAPv2 should work straight out of the box (as per this
> page http://deployingradius.com/documents/configuration/auth_type.html).

The problem is that CHAP requires cleartext or NTLM type passwords.

Your configuration will likely work if you use PAP rather than CHAP.
 
-- 
Scott Lambert    KC5MLE    Unix SysAdmin
[EMAIL PROTECTED]



Re: Simple Freeradius configuration

2007-08-15 Thread Kelly Ormsby
Hi,

I can't do that the Cisco won't allow it through. Is pap the only way to use
/etc/passwd?

Thanks,

On 8/16/07, Nicholas Hall <[EMAIL PROTECTED]> wrote:
>
> On 8/15/07, Kelly Ormsby <[EMAIL PROTECTED]> wrote:
> >
> > Hi all,
> >
> > I've installed freeradius 1.1.6 on Fedora core 2 (kernel 2.6.5-1.358) (I
> > can't upgrade please don't go there). I did a basic configure/make/make
> > install.
> >
> > The only changes to the default configuration is adding an entry to the
> > clients.conf file to allow requests from the Cisco VPN gateway. So far
> > as I can tell CHAP and CHAPv2 should work straight out of the box (as per
> > this page
> > http://deployingradius.com/documents/configuration/auth_type.html).
> >
> > I've tried to authenticate using a local /etc/passwd user, and I get the
> > output posted below. Is the default configuration enough for it to consult
> > the /etc/passwd files (I thought that is what "DEFAULT Auth-Type = System"
> > did?) or is there something else I need to add. Can CHAP (or CHAPv2) use
> > /etc/passwd? I'm a little confused about the differences and I'm sure thats
> > not helping :)
> >
> > I'd really rather not list the users individually in the users file, I'd
> > like there to still only be one place to add users, so I'd like to use
> > /etc/passwd file only. I apologise if there is documentation listed on this,
> > I really feel that I've searched everywhere I can and no one seems to give
> > real details.
> >
>
> CHAP requires a clear text password.  Tell your client to use PAP.  I
> believe it will work without any configuration on the server.
>
> --
> Nicholas Hall
> [EMAIL PROTECTED]
> 262.208.6271
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Kelly Ormsby
Senior Unix Systems Administrator

Email: [EMAIL PROTECTED]
Mobile: 0417 910 801

Re: Simple Freeradius configuration

2007-08-15 Thread Nicholas Hall
On 8/15/07, Kelly Ormsby <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I've installed freeradius 1.1.6 on Fedora core 2 (kernel 2.6.5-1.358) (I
> can't upgrade please don't go there). I did a basic configure/make/make
> install.
>
> The only changes to the default configuration is adding an entry to the
> clients.conf file to allow requests from the Cisco VPN gateway. So far as
> I can tell CHAP and CHAPv2 should work straight out of the box (as per this
> page http://deployingradius.com/documents/configuration/auth_type.html).
>
> I've tried to authenticate using a local /etc/passwd user, and I get the
> output posted below. Is the default configuration enough for it to consult
> the /etc/passwd files (I thought that is what "DEFAULT Auth-Type = System"
> did?) or is there something else I need to add. Can CHAP (or CHAPv2) use
> /etc/passwd? I'm a little confused about the differences and I'm sure thats
> not helping :)
>
> I'd really rather not list the users individually in the users file, I'd
> like there to still only be one place to add users, so I'd like to use
> /etc/passwd file only. I apologise if there is documentation listed on this,
> I really feel that I've searched everywhere I can and no one seems to give
> real details.
>

CHAP requires a clear text password.  Tell your client to use PAP.  I
believe it will work without any configuration on the server.

-- 
Nicholas Hall
[EMAIL PROTECTED]
262.208.6271
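
Added example (not part of the original thread and not FreeRADIUS code): why the replies above say CHAP needs a clear-text password while PAP works against one-way hashes such as those behind /etc/passwd. It implements RADIUS User-Password hiding (RFC 2865, section 5.2) and the CHAP response (RFC 1994, section 4.1); the PBKDF2 store is a stand-in for crypt(3) hashes, and the secret, password and challenge values are constructed for illustration.

```python
"""PAP can be checked against a one-way hash; CHAP cannot."""
import hashlib
import hmac
from typing import Optional


def hash_password(password: bytes, salt: bytes) -> bytes:
    # Stand-in for a crypt(3) entry of a system user: salted and one-way.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000)


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side, RFC 2865 5.2: XOR the padded password with an MD5 key stream."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the shared secret gives back exactly what the user typed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def verify_pap(hidden: bytes, secret: bytes, authenticator: bytes,
               salt: bytes, stored_hash: bytes) -> bool:
    # The server sees the typed password, so it can hash it and compare.
    typed = pap_unhide(hidden, secret, authenticator)
    return hmac.compare_digest(hash_password(typed, salt), stored_hash)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 4.1: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(ident: int, challenge: bytes, response: bytes,
                known_good: Optional[bytes]) -> bool:
    # The server never sees the password, only the digest. It has to redo
    # the digest itself, which needs the clear-text password as input.
    if known_good is None:
        return False  # no "known good" password available for this user
    expected = chap_response(ident, known_good, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # All values below are constructed sample data.
    secret = b"constructed-shared-secret"
    password = b"correct horse"
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    stored = hash_password(password, salt)          # all the server keeps
    authenticator = bytes(range(16))                # Request Authenticator
    challenge = bytes(range(16, 32))                # CHAP challenge
    hidden = pap_hide(password, secret, authenticator)
    wrong = pap_hide(b"wrong guess", secret, authenticator)
    response = chap_response(1, password, challenge)
    return {
        "pap_vs_hash": verify_pap(hidden, secret, authenticator, salt, stored),
        "pap_wrong_password": verify_pap(wrong, secret, authenticator, salt, stored),
        "chap_vs_cleartext": verify_chap(1, challenge, response, password),
        "chap_vs_hash": verify_chap(1, challenge, response, stored),
        "chap_no_password": verify_chap(1, challenge, response, None),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Only the two cases where the server holds what the protocol needs succeed: PAP with a hash, and CHAP with the clear-text password.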

Simple Freeradius configuration

2007-08-15 Thread Kelly Ormsby
Hi all,

I've installed freeradius 1.1.6 on Fedora core 2 (kernel 2.6.5-1.358) (I
can't upgrade please don't go there). I did a basic configure/make/make
install.

The only changes to the default configuration is adding an entry to the
clients.conf file to allow requests from the Cisco VPN gateway. So far as I
can tell CHAP and CHAPv2 should work straight out of the box (as per this
page http://deployingradius.com/documents/configuration/auth_type.html).

I've tried to authenticate using a local /etc/passwd user, and I get the
output posted below. Is the default configuration enough for it to consult
the /etc/passwd files (I thought that is what "DEFAULT Auth-Type = System"
did?) or is there something else I need to add. Can CHAP (or CHAPv2) use
/etc/passwd? I'm a little confused about the differences and I'm sure thats
not helping :)

I'd really rather not list the users individually in the users file, I'd
like there to still only be one place to add users, so I'd like to use
/etc/passwd file only. I apologise if there is documentation listed on this,
I really feel that I've searched everywhere I can and no one seems to give
real details.

Thanks,

rad_recv: Access-Request packet from host 192.168.100.254:1645, id=45,
length=152
Framed-Protocol = PPP
User-Name = "denvertech"
MS-CHAP-Challenge = 0x79c27ab491824ce5
MS-CHAP-Response =
0x010133f6aa08b02f18fa3e3013072a8f8f171469f179b7b7434b
NAS-Port-Type = Virtual
NAS-Port = 33
NAS-Port-Id = "Uniq-Sess-ID33"
Service-Type = Framed-User
NAS-IP-Address = 192.168.100.254
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 2
rlm_realm: No '@' in User-Name = "denvertech", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 172
users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 2
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 2
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv1 with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: MS-CHAP-Response is incorrect.
  modcall[authenticate]: module "mschap" returns reject for request 2
modcall: leaving group MS-CHAP (returns reject) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 45 to 192.168.100.254 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 45 with timestamp 46c3b8db
Nothing to do.  Sleeping until we see a request.

-- 
Kelly Ormsby
Senior Unix Systems Administrator

Email: [EMAIL PROTECTED]
Mobile: 0417 910 801

Re: freeradius configuration

2006-08-22 Thread affora deeb
hi james.
really i appreciate ur help but i couldn't get that book u talked about so i still have the problem
so i don't know what to do and the project must be done after 2 weeks maximum.
so if u help me an other way. u'll do me a favour.
as soon  as possible, please .
thanks alot 
On 8/21/06, James Wakefield <[EMAIL PROTECTED]> wrote:
> Have you tried the documentation supplied with the freeradius package?
> It's not bad...
>
> If you need more, try the book "RADIUS" by Jonothan Hassell, published
> by O'Reilly.
>
> affora deeb wrote:
> > hi free radius users.
> > i asked u before if any one can help me and send the configuration or
> > steps of configuration of free radius over linux
> > and really i'll appreciate u.
> > thanks
>
> --
> James Wakefield,
> Unix Administrator, Information Technology Services Division
> Deakin University, Geelong, Victoria 3217 Australia.
>
> Phone: 03 5227 8690 International: +61 3 5227 8690
> Fax:   03 5227 8866 International: +61 3 5227 8866
> E-mail:   [EMAIL PROTECTED]
> Website:  http://www.deakin.edu.au
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius configuration

2006-08-21 Thread James Wakefield
Have you tried the documentation supplied with the freeradius package? 
It's not bad...


If you need more, try the book "RADIUS" by Jonothan Hassell, published 
by O'Reilly.


affora deeb wrote:
> hi free radius users.
> i asked u before if any one can help me and send the configuration or
> steps of configuration of free radius over linux
> and really i'll appreciate u.
> thanks



--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


RE: SUSE freeradius configuration

2005-10-23 Thread Seferovic Edvin
As always, be sure that your Access Point is allowed client to connect to the
freeradius...

Then ( as said on the website you have used ) – start radius with -XAx parameter
to see the debugging information ( that is radiusd -XAx )... then try to auth on
your access point and look what happens...

When you ask a question next time – please include your debugging information,
because no mailing list user can actually know what your freeradius server is
doing..

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Esposito
Sent: Sunday, 23 October 2005 07:41
To: freeradius-users@lists.freeradius.org
Subject: SUSE freeradius configuration

I’m new to freeRadius and Linux (Suse) and need some
help.  I apologize but I really don’t know the question to ask because of
my limited knowledge of Linux and wireless technology, but I’ll give it a
try.  I setup freeRadius v1.0.2 on SUSE v9.0.  I have another NetWare
6.5 server installed hopefully to be used as the LDAP server that freeRadius
will use to get usernames and passwords from eDirectory via LDAP.  I
followed the following guide for my setup…

 

http://www.novell.com/coolsolutions/tip/15922.html

 

I’m using D-Link DWP-8200 access points which
supports WPA2/Enterprise.  I’ve setup this access point to point to my
SUSE server.  I can start Radius on the Linux box, but when I try to
connect through the access point, I am getting no response on the Radius
server.  Everything IP wise is fine, I can ping from everywhere and if I
change the Access Point to a Linksys WAP55AG, I get a login screen (not that I
know the format to put the username, password, and how domain would be used
with NetWare).  My client has the D-Link DWP-8200 access points, and I’d
like to get it working with this if possible so they don’t have to buy 50 new
access points.  I believe I’m trying to use EAP/TLS with LDAP
authentication.

 

I guess my question is, does the D-Link 8200-AP work
with freeRadius, and if so, does anyone know NetWare enough to give me a
hand.  I understand if that isn’t possible, but I thought I’d at least
try.  I’m sorry for being so vague, but maybe I can learn a little about
wireless security and authentication if anything.  The D-Link seems to
have the same settings as the Linksys, so I hope it can work.

 

Thanks-

Chris

SUSE freeradius configuration

2005-10-22 Thread Chris Esposito
I’m new to freeRadius and Linux (Suse) and need some
help.  I apologize but I really don’t know the question to ask
because of my limited knowledge of Linux and wireless technology, but I’ll
give it a try.  I setup freeRadius v1.0.2 on SUSE v9.0.  I have
another NetWare 6.5 server installed hopefully to be used as the LDAP server
that freeRadius will use to get usernames and passwords from eDirectory via
LDAP.  I followed the following guide for my setup…

 

http://www.novell.com/coolsolutions/tip/15922.html

 

I’m using D-Link DWP-8200 access points which supports
WPA2/Enterprise.  I’ve setup this access point to point to my SUSE
server.  I can start Radius on the Linux box, but when I try to connect
through the access point, I am getting no response on the Radius server. 
Everything IP wise is fine, I can ping from everywhere and if I change the
Access Point to a Linksys WAP55AG, I get a login screen (not that I know the
format to put the username, password, and how domain would be used with
NetWare).  My client has the D-Link DWP-8200 access points, and I’d
like to get it working with this if possible so they don’t have to buy 50
new access points.  I believe I’m trying to use EAP/TLS with LDAP
authentication.

 

I guess my question is, does the D-Link 8200-AP work with freeRadius,
and if so, does anyone know NetWare enough to give me a hand.  I
understand if that isn’t possible, but I thought I’d at least try. 
I’m sorry for being so vague, but maybe I can learn a little about
wireless security and authentication if anything.  The D-Link seems to
have the same settings as the Linksys, so I hope it can work.

 

Thanks-

Chris

Re: SV: Postgresql+freeradius configuration

2005-10-04 Thread Alan DeKok
Erik Ågren <[EMAIL PROTECTED]> wrote:
> Where do I get the rlm_sql_postgresql.so module? I can't find it.

  You need to install the postgresql development libraries.  Then
build FreeRADIUS, and the module will automatically be installed.

  Alan DeKok.



SV: Postgresql+freeradius configuration

2005-10-04 Thread Erik Ågren
Hi

Where do I get the rlm_sql_postgresql.so module? I can't find it.


Thanx

/Erik

-Original message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
[EMAIL PROTECTED]
Sent: 26 September 2005 12:12
To: freeradius-users@lists.freeradius.org
Subject: Postgresql+freeradius configuration

Good morning!
I have successfully configured the freeradius server to use a postgresql
database to store the users which I want to authenticate.
When I put it in debug mode to test, it works well. But when I run it as a
daemon, the radius server doesn't see the postgresql server. In the radius
log file I see this:
 Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Info: rlm_sql (sql): Attempting to connect to
[EMAIL PROTECTED]:/radiusdb
Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server
[EMAIL PROTECTED]:radiusdb
Error: rlm_sql_postgresql: Postgresql error 'could not connect to server:
Permission denied ?Is the server running on host "localhost" and accepting
?TCP/IP connections on port 5432? '
Error: rlm_sql (sql): Failed to connect DB handle #0
Info: Ready to process requests.
Please help me.




Postgresql+freeradius configuration

2005-09-29 Thread msah
Good morning!
I have successfully configured the freeradius server to use a postgresql database
to store the users which I want to authenticate.
When I put it in debug mode to test, it works well. But when I run it as a daemon,
the radius server doesn't see the postgresql server. In the radius log file I
see this:
 Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radiusdb
Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server
[EMAIL PROTECTED]:radiusdb
Error: rlm_sql_postgresql: Postgresql error 'could not connect to server:
Permission denied ?Is the server running on host "localhost" and accepting
?TCP/IP connections on port 5432? '
Error: rlm_sql (sql): Failed to connect DB handle #0
Info: Ready to process requests.
I use Fedora Core 4 as the operating system, with freeradius 1.0.4-1 and postgresql
8.0.3-1.
In the postgresql file pg_hba.conf I made this configuration:
# TYPE  DATABASE  USER         CIDR-ADDRESS  METHOD
# IPv4 local connections:
host    radiusdb  radiusadmin  127.0.0.1/32  trust
I don't know why this malfunction occurs.
Please help me, and thanks for your assistance.



Re: Postgresql+freeradius configuration

2005-09-26 Thread Thor Spruyt
[EMAIL PROTECTED] wrote:
>  Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and
> linked 
> Info: rlm_sql (sql): Attempting to connect to
> [EMAIL PROTECTED]:/radiusdb Error: rlm_sql_postgresql: Couldn't
> connect socket to PostgreSQL server [EMAIL PROTECTED]:radiusdb
> Error: rlm_sql_postgresql: Postgresql error 'could not connect to
> server: Permission denied ?Is the server running on host "localhost"
> and accepting ?TCP/IP connections on port 5432? '
> Error: rlm_sql (sql): Failed to connect DB handle #0
> Info: Ready to process requests.

Try using 127.0.0.1 instead of localhost

-- 
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be



Postgresql+freeradius configuration

2005-09-26 Thread msah
Good morning!
I have successfully configured the freeradius server to use a postgresql database
to store the users which I want to authenticate.
When I put it in debug mode to test, it works well. But when I run it as a daemon,
the radius server doesn't see the postgresql server. In the radius log file I
see this:
 Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radiusdb
Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server
[EMAIL PROTECTED]:radiusdb
Error: rlm_sql_postgresql: Postgresql error 'could not connect to server:
Permission denied ?Is the server running on host "localhost" and accepting
?TCP/IP connections on port 5432? '
Error: rlm_sql (sql): Failed to connect DB handle #0
Info: Ready to process requests.
Please help me.




Re: questions about a custom freeradius configuration

2005-07-27 Thread Alan DeKok
Jeff Smith <[EMAIL PROTECTED]> wrote:
> The custom authentication module I referred to in the first paragraph 
> basically re-implemented MS-CHAP v2 and talked to the custom servers on 
> the back end.  It would not be easy to wedge into the rlm_eap code. 

  Exactly.  The rlm_eap code doesn't do MS-CHAP at *all*.  Instead, it
calls the mschap module.

> Instead, I'd like to find a solution that makes the fewest possible (if 
> any) modifications to stock freeradius, so we can track releases more 
> closely. I would like to continue using the custom authentication and 
> authorization servers.

  If your existing module takes MS-CHAP attributes & does
authentication, then you should be able to hack rlm_eap_mschapv2 to
point to your module, rather than the mschap module.  That should be a
1-line change to the source.

> 1) In the authorization phase, call out to the custom authorization 
> server and ask a question like "Is this user who claims to be ``joe'' 
> authorized to use the wireless service?"

  Write a custom module.

> 2) In the authorization phase, also call out to the custom 
> authentication server to get back the NT-Password and add that to the
> value pairs in the check list in the request packet, so that when 
> EAP-PEAP finally gets down to the MS-CHAP v2 part, the NT-password is 
> available.

  That should be easy.  Just write a custom module. :)

> I have been having a hard time getting my mind around the complexity of 
> RADIUS and freeradius.  It may be that I'm taking a completely 
> wrong-headed approach here.  If anyone on this list has any thoughts on 
> how this could be done best, I'd appreciate  hearing your ideas.

  The design goal behind FreeRADIUS was to make things modular, so
that you wouldn't have to worry about unrelated issues.

  Alan DeKok.
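
One way to implement the two authorize-phase steps quoted above as a custom module, written here for rlm_perl; this is an added example, not code from the thread or from the FreeRADIUS project. The two CLI paths, their output formats and the user-name pattern are assumptions; the shared hashes and return-code values follow rlm_perl's bundled example script.

```perl
use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);   # hashes shared by rlm_perl

# Return codes, values as in rlm_perl's bundled example.pl.
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_FAIL => 1, RLM_MODULE_UPDATED => 8 };

# Hypothetical command-line clients for the custom back-end servers.
my $AUTHZ_CLI  = '/usr/local/bin/authz-query';   # assumed to print "yes" or "no"
my $NTHASH_CLI = '/usr/local/bin/nthash-query';  # assumed to print 32 hex digits

# Run a command without a shell (list-form pipe open), so the user name is
# never interpreted as shell syntax. Returns the first output line or undef.
sub run_cli {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or return;
    my $line = <$fh>;
    close($fh) or return;               # non-zero exit status counts as failure
    return unless defined $line;
    chomp $line;
    return $line;
}

sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    # Conservative character set; a leading "-" could be read as a CLI option.
    return RLM_MODULE_REJECT
        unless defined $user && $user =~ /\A[A-Za-z0-9][A-Za-z0-9._@-]{0,63}\z/;

    # Step 1: ask the authorization server whether the user may use wireless.
    my $answer = run_cli($AUTHZ_CLI, $user);
    return RLM_MODULE_FAIL unless defined $answer;    # back end unavailable
    if ($answer ne 'yes') {
        $RAD_REPLY{'Reply-Message'} = 'Not authorized for the wireless service';
        return RLM_MODULE_REJECT;
    }

    # Step 2: fetch the NT hash and add it to the check list for mschap.
    # The hash is password-equivalent, so it is never logged.
    my $hash = run_cli($NTHASH_CLI, $user);
    return RLM_MODULE_FAIL
        unless defined $hash && $hash =~ /\A[0-9A-Fa-f]{32}\z/;
    $RAD_CHECK{'NT-Password'} = '0x' . $hash;         # assumed: hex octets notation
    return RLM_MODULE_UPDATED;
}
```

A back-end failure returns FAIL rather than REJECT, so an outage of the custom servers is not reported to users as a denied login.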



questions about a custom freeradius configuration

2005-07-27 Thread Jeff Smith

Hi,

Our wireless network currently authenticates and authorizes users via 
freeradius 0.8.1 with a custom module that talks to custom 
authentication and authorization servers.


I'm upgrading the server side to freeradius 1.0.4.  At the same time, 
the people who run the wireless network are switching to using EAP-PEAP 
with MS-CHAP v2.


I'm fairly new to freeradius, but I have been spending a lot of time 
reading this list, the documents, the O'Reilly book, and experimenting 
with the server.  So far I've been able to do PEAP authentications to 
the server via the users file.


The custom authentication module I referred to in the first paragraph 
basically re-implemented MS-CHAP v2 and talked to the custom servers on 
the back end.  It would not be easy to wedge into the rlm_eap code. 
Instead, I'd like to find a solution that makes the fewest possible (if 
any) modifications to stock freeradius, so we can track releases more 
closely. I would like to continue using the custom authentication and 
authorization servers.


My thinking on this so far is that I might be able to use the 
Exec-Program-Wait attribute and/or the rlm_perl modules to call out to
the custom servers, which have command-line interfaces.  Ideally, I'd be 
able to do something like this:


1) In the authorization phase, call out to the custom authorization 
server and ask a question like "Is this user who claims to be ``joe'' 
authorized to use the wireless service?"  I can get back a yes/no answer 
and send an Access-Reject with an explanation, or continue on if they 
are authorized.  (I don't think Exec-Program-Wait can help here since I 
understand it only gets called after the user is authenticated.  I could 
make this check after and only if mschap returns success, though.)


2) In the authorization phase, also call out to the custom 
authentication server to get back the NT-Password and add that to the
value pairs in the check list in the request packet, so that when 
EAP-PEAP finally gets down to the MS-CHAP v2 part, the NT-password is 
available.


I have been having a hard time getting my mind around the complexity of 
RADIUS and freeradius.  It may be that I'm taking a completely 
wrong-headed approach here.  If anyone on this list has any thoughts on 
how this could be done best, I'd appreciate  hearing your ideas.


Thanks in advance!

Jeff
--
Jeff Smith
Security Analyst - ITaP Identity & Access Management
Purdue University
W. Lafayette IN 47907-1408
Phone: 765-496-8285


Freeradius Configuration Questions

2005-05-21 Thread Shark
Hello,

I would like assistance configuring my freeradius server...

I would like to use freeradius in a VPN solution based on LDAP.

The LDAP IP is 10.1.1.1
The VPN is 10.1.4.1
They can reach each other, no problem.

I have to edit clients.conf and users to make it work.

Here is the part I have in clients.conf:

--
client 127.0.0.1 {
...
}

client 10.1.4.0/24 {
        secret = "isasecret"
        shortname = private-network
}

---

I found a way to auth with a single user using this config
in users

shark   Auth-Type = Local, Password = "secret_pass"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 10.1.4.22,
        Framed-MTU = 1492

---

My questions are:

How do I make some auth for a group (not a single user or the default
DEFAULT)?


Is there a way to set Framed-IP-Address range to this group?

Can you help making the "users" files pls?


thanks for your help,
shark



