ure.in in my FreeBSD system, but failed
> (I am new to programming)
Don't break the software.
The "configure" scripts work. If you're new to programming, you have
no business changing them.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
that the usual attr filter method won't fit there.
No. But you can delete it before the packet is sent. See "attr_filter".
My $0.02 is to file a bug with Cisco, and tell them that their
software is broken. RFC 5176 Section 3.1 says that the NAS is supposed
to echo back Proxy-Sta
> What I am missing here.
The RADIUS server is returning Access-Accept. This means that it
thinks the user is OK.
> Apr 27 16:40:33 ioj-d00 pppd[2869]: LCP terminated by peer
> (^@M-h^NM-^Z^@ what i am missing !!
Not much. Find out why the PC is closing the connection.
George Koulyabin wrote:
> And 'Module-Failure-Message' is empty.
>
> Did I make mistake in configuration?
How are you referencing it? You added it to the "control" list. Are
you using %{control:Module-Failure-Message} ?
Alan DeKok.
both ODS and AD.
As always, determine *when* you want to chose one or the other.
Determine *why* one is chosen. Refer to contents of packets.
Then, write the "unlang" rules.
Alan DeKok.
e-Message is empty?
As always, run the server in debugging mode to see what it's doing.
If the user isn't found, you'll probably have to add a message yourself.
Alan DeKok.
George Koulyabin wrote:
> Records drop to database when access is rejected. But I want to see reason of
> rejection. As in radius.log.
Edit the SQL queries to include Module-Failure-Message.
Alan DeKok.
database when password is wrong, for example. But attribute
> 'Module-Failure-Message' ( and attribute 'Module-Success-Message') is empty
> when user not found, for example. And other reasons may be.
> How can I save comments for rejected requests?
Use &q
Just add it. We effectively own that space. They're not using it.
Alan DeKok.
ient (for the access point) but
> with the access point can't authenticate. So.. what i need to configure?
You were asked to provide more information.
Why are you ignoring that request?
Alan DeKok.
You're ignoring our advice.
Go do what you were told to do. Don't post any more questions until
you've done that.
Alan DeKok.
yagizozen wrote:
> Thank you for your answer Alan. I understand how to re-play the packets using
> radclient but I wonder if it is possible to see the debug output of an
> existing running radius server with "radiusd" command without stopping it.
$ man raddebug
This is
to read the existing documentation.
Alan DeKok.
yagizozen wrote:
> What can be the reason of this situation?
Read the debug output to see what the server is doing.
Set up a test server. Re-play the packets.
Alan DeKok.
een fixed in the git v2.1.x branch.
Alan DeKok.
Jeroen Scheerder wrote:
> On 26 Apr 2012(Q2, W17), at 10:01, Alan DeKok wrote:
> That's a valid question. I've followed the way it was done in rlm_caching.c.
That should be fixed, then.
> Actually, that's found in src/main/auth.c as well:
>
>
cache the working value.
> Still, I'm content so far. But I have one more thing to take care of: I'd
> like to enable caching only for specific clients. How could I accomplish that?
"man unlang". Write conditional checks around the caching module.
Alan DeKok.
t's useless.
Good questions get good answers.
These questions are bad. As a result, the only possible answer is
unhelpful. Along with the advice "ask good questions."
Alan DeKok.
ius acting as a proxy?
authorize {
    ...
    update request {
        User-Name := "%{NAS-Port-Id}"
    }
    ...
}
This kind of thing is trivial to do in FreeRADIUS. Perhaps that's why
it's free... because it works. You have to pay large amounts of money
to get p
guration to default as Alan suggested but I
> still see that MSCHAPv2 auth fails.
Because you can't do MS-CHAP with MD5 passwords.
Alan DeKok.
This is a program on your local machine. Likely one that you wrote.
Go fix it, and make sure it works.
> what am I missing here?
Reading the debug output helps.
The *server* isn't returning a "NAS not found" message. *Your*
program is returning it. That's what the de
ault.
Why?
> Does anyone have idea what could be the problem?
You did a lot of work to break the server. Don't do that.
The default configuration works. Change as little as possible.
If you don't understand something, don't change it.
Alan DeKok.
ally, and test it. There
are more changes than just that.
Alan DeKok.
rn how
MS-CHAP works. We're being nice by explaining it to you. You're being
rude by ignoring our explanation, and asking the same question again.
If you keep asking questions we've already answered, you will be
unsubscribed and banned.
Alan DeKok.
t entry, so now I am
> left with nothing in the users file. Is this correct?
No. It's because you didn't follow the guide.
My previous message described what you should be doing. You're not
doing it.
Alan DeKok.
> However it looks like the sql query for that user fails instead of
> returning no user data.
> Could that cause it to behave this way?
Because the query isn't valid?
Alan DeKok.
g "Auth-Type = Accept" doesn't mean
"stop authorization". It means "use Accept authentication"
If you want to avoid processing the SQL module, use module-failover,
or "unlang". See "man unlang"
authorize {
...
file
h
step you tried, which ones worked, and which test failed.
Alan DeKok.
of is below.
You haven't configured the MSCHAP module to use AD.
See my web site:
http://deployingradius.com/documents/configuration/active_directory.html
Alan DeKok.
.com/jpNtX4Hb
Please read it. The messages are clear:
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
And look for "sql". It doesn't appear in the debug output.
You haven't configured the server to use SQL.
Gennaro Leo wrote:
> is there another list to ask for?
I have no idea.
This list is about FreeRADIUS. Generic RADIUS questions, and
questions about your private RADIUS implementations don't belong here.
Alan DeKok.
Gennaro Leo wrote:
> does anyone know how to implement the salt encryption algorithm in
> java to send encrypted VSA attributes in a CoA request?
That is not an appropriate question for this list.
Alan DeKok.
ad_wifi , while only users defined on a mySQL db can connect to sql_wifi.
As always, write the rules based on what's in the packets. DON'T talk
about concepts. They're too vague.
Read the packets, and write the rules based on that.
Alan DeKok.
2c.
I'll just remove the references to SQL.
Alan DeKok.
queries? I assumed the stable
> code would be released with the best possible SQL indexes on the schema
> etc?
It's all a mystery. You're running a RADIUS system for 2 million
people. You have a budget. You figure it out.
Alan DeKok.
long u_long;
> + typedef unsigned char u_char;
> + typedef unsigned intu_int;
Those definitions are in the system header files. The server should
depend on the header files. It's better than having hard-coded values
in the source.
Alan DeKok.
ound
> ./config.status: line 602: syntax error near unexpected token `('
> ./config.status: line 602: `lt_cv_sys_global_symbol_to_cdecl='sed
> -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^[ABCDGIRSTW]* .*
> \(.*\)$/extern char \1;/p'''
>
Garber, Neal wrote:
> Try adding the following includes before those that are already in the file
> freeradius-server/src/lib/dhcp.c:
>
> #include
> #include
I'll add a patch.
Alan DeKok.
t get fudged
> on the original request.
*IF* the packets contain EAP and you want to authenticate devices by
NAS IP/port... it's impossible. Don't even bother trying. It won't work.
If you're not doing EAP, that's another question.
So... what's really going on? MAC auth? EAP? ?
Alan DeKok.
's not hard.
There are examples of using LDAP-Group checking, and examples of
checking for client IP address.
What part is unclear?
i.e. ask a *specific* question.
Alan DeKok.
ord-With-Header attribute
Yes.
> (2) If auto_header = yes, the password with header can be stored in
> Cleartext-Password attribute. Or is it in User-Password attribute,
> like what the docs and config file says?
Yes.
Alan DeKok.
Others are
Crypt-Password, MD5-Password, etc. They are all in specific formats.
The Password-With-Header is likely a bad name, but it accurately
describes the contents.
Alan DeKok.
. It's what we did.
> To configure windows client, i use PEAP with mschap V2. Is it right ? I
> don't find other ways to connect windows client with login/passwd.
This question was asked and answered earlier today.
Alan DeKok.
x-like.
See "radcrypt", which comes with the server.
> Then, i want to store this encrypted password in "users" file ?
Yes.
> i look
> to man rlm_pap and i set yes to auto_header.
You don't need to set that. Leave it as the default.
Alan DeKok.
he work, or get someone competent to do it for you.
This is the *FreeRADIUS* list. You are not asking questions about
FreeRADIUS. Therefore, your questions do not belong here.
Alan DeKok.
never be supported.
People who want security should use RADIUS over TLS. Using SHA1
instead of MD5 is broken and pointless.
Alan DeKok.
g RADIUS, your coding questions don't
belong there.
We can't help you change RADIUS. I suggest debugging the program
yourself. Standard C skills will help here.
Alan DeKok.
If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with
> the windows laptops as they have PEAP/MSCHAPv2 only.
>
> Any workaround?
http://deployingradius.com/documents/protocols/compatibility.html
Alan DeKok.
't mean anything,
and there's no reason to look at it.
Alan DeKok.
rect control of administrators (dot1x clients,
> federation servers, etc.) this might be worth a news page post.
Done, thanks.
Alan DeKok.
he response shouldn't be "should
I post it?" The response SHOULD be to post it.
Just like everyone else does.
Daily on this list.
Alan DeKok.
ing from the Mac OS
> fails, is the Mac OS not sending the password in clear text?
Read the debug output.
Alan DeKok.
all-through to other ldap modules. Every time only ldap module ldap3 is
> taken to do this ldap-group query.
That's how it works. The LDAP-Group queries are not load balanced.
> Why FR doesn't load balance for this ldap-query?
Because the code to do it hasn't been written.
't really make sense. You're trying to work around a
problem that can't be worked around. Hacking the RADIUS server is a bad
choice.
Alan DeKok.
any.
i.e. the "modules/ippool" file is read, but the module is *not*
initialized.
That's because the module isn't referenced in any virtual server.
Alan DeKok.
t
the Juniper guys did were likely with CHAP-Challenges of 48 bytes or
less. I doubt very much that SBR is so broken as to also truncate
challenges at 48 bytes.
Alan DeKok.
zA-Z\/\\]+", Auth-Type := Reject
Alan DeKok.
cific date.
Because it doesn't work.
> Is it correct to assume that what he wants (i.e. 2012/04/17/1700-1800)
> is not possible using Login-Time?
It's not. Login-Time is for time of day restrictions. Current-Time
is for date-based restrictions.
He can write "unlan
r ?
doc/README ?
This is documented.
Alan DeKok.
ug output, and post
small pieces of it."
If you want us to help you, then ask *good* questions. Asking a
question about a CHAP-Challenge, and then *not* including it in the
debug output is a *bad* thing to do.
Alan DeKok.
S-Server = "192.168.203.6",
> MS-Secondary-DNS-Server = "192.168.203.1",
> MS-Primary-NBNS-Server = "192.168.203.6"
You can just list "files.authorize" in the "post-proxy" section. It
will run the "users" file, add those attributes.
Alan DeKok.
ething) on Debian
> Squeeze 64-bit.
Don't. Use a RECENT version of the server.
> Any other tricks to get modules working? Haven't found any documentation yet
> about this and what attributes work with configure.
./configure --help
Alan DeKok.
The debug output is clear.
The password you supplied as the "known good" password doesn't match
the CHAP password in the packet.
Either you typed the password wrong, or the "known good" password in
the DB is wrong.
There are no other choices.
Alan DeKok
ome ports with ONLY tls certs and on
> other ONLY with user/password and ttls.
> but with one global eap.conf there always will be a fallback to the other eap
> method.
> is it possible to do something like this?
Yes. It's possible to do almost anything with FreeRADIUS.
he MS-CHAP RFCs, and do the calculations yourself.
> In other word, I want to use ntlm_auth in my own external pre_auth or
> post_auth script with those attributes.
Read the documents describing how to do it. It's how *we* learned.
Alan DeKok.
Matthew Newton wrote:
> That reminds me - the ldap module config (for both v2.1.x and
> master) does not mention the port option, which is needed if you
> have to use LDAPS, or plain LDAP on a different port. Another
> patch below.
Added, thanks.
Alan DeKok.
Brian Julin wrote:
> This just replaces some wrong port numbers in comments. This incorrect 689
> port has also made it onto the wiki, FWIW.
Added, thanks.
Alan DeKok.
ming "listen" sections and "client" sections now
support that for TCP sockets.
The default is idle_timeout of 30. If it doesn't receive packets for
30s, there's no reason to keep the TCP connection open.
Alan DeKok.
ome server), it will
>> send watchdog packets.
>
> Is this default, or do I need to configure it? If it is default, it
> doesn't seem to be working in my configuration.
It *should* work. It's a bit of a mystery why it doesn't. It should
be fixed before 3.0 is released
Session-Time attribute,
> which the RFC says should only go if Acct-Status-Type is a STOP one
> Am I missing something here?
No. It's fine.
> How does freeradius act on this case?
It logs the session time.
> Also, Timestamp is UTC, while mysql shows local time....is t
As *always*, read the debug output to find out what the server is doing.
Alan DeKok.
ess it's impossible to solve. The passwords are clearly *so*
secret that you can't post them.
It's not like the configuration file for the "pap" module contains a
URL that tells you how to create a *correct* MD5 password. That
information is super-secret, too.
jomajo wrote:
> I am talking just about time-based authentication, at the specific time.
>
> But now there is a problem with MD5 encryption. Take a look please:
No. *You* need to read the output. The problem is clear.
Alan DeKok.
oing on.
Try grabbing the "v2.1.x" branch from git. It has a fix.
Alan DeKok.
r, lol).)
Sure, send a patch.
However, fixing that will require some in-depth knowledge of the core
server APIs.
> 4.) In addition to lifetime and idle_timeout, would something like a keep
> alive be reasonable?
That's up to the client.
When FreeRADIUS acts as client (i.e.
to create it yourself.
Alan DeKok.
7;m wondering if the mschap module somehow gets its internal state
> muddled on a HUP, and starts sending the wrong challenge response.
> ntlm_auth from the command line works fine when FR has a problem.
I'm not sure how.
Alan DeKok.
little is *more* irritating than
people who can't be bothered to help themselves.
The whole point of the debug output is for YOU TO READ IT.
Alan DeKok.
Timmy wrote:
> I have browsed the source code of Freeradius 2.1 and also the
> freeradius.org main site, there is still no IBM DB2 connection available.
You haven't looked very hard then.
It exists, and people use it.
Alan DeKok.
he password. i.e. not LDAP.
Then... delete the password from the users file, and put it into LDAP.
Check also that you're not setting "Auth-Type := LDAP"
You're trying to fix a problem which has a lot of pieces. Some of the
pieces are configured wrong, which means it
James J J Hooper wrote:
> Ok - More delving into the code (rlm_eap_mschapv2.c) seems to indicate
> that the bits missing in 2.1.x are possibly there in FR3:
It might be useful to get that into the 2.1.x stream...
Alan DeKok.
Fabricio Flores wrote:
> where I find this variable? and how i configure it?
Go to the wiki. Type "Simultaneous-Use" into the search box. Read
the documentation.
This should *not* be difficult.
Alan DeKok.
of these to keep in
> /etc/freeradius/sites-available/default ?
> main_pool
> sqlippool
It depends on what you want. Configuring FreeRADIUS is *not* about
making random changes. It's about understanding what you're doing.
Alan DeKok.
You need to ensure that the server is doing
the right queries, and that the queries return the data you expect.
You haven't done that.
Alan DeKok.
ke to post the main setting of a successful automatic
> ppp ip address assignment through mysql ip pool?
It works if you configure it correctly.
So... what did you do?
Alan DeKok.
the server when the config file doesn't exist,
it's because it's using a different config file.
Alan DeKok.
preply. Have you any
> ideas?
Run the queries manually, and try to sort it out.
Alan DeKok.
t;username: %{mschap:NT-Domain}"
> +#ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
I'll fix that, thanks.
Alan DeKok.
are using an external perl module,
> but it is running fine on many hundreds of systems. I am wondering if
> someone has an idea about what can be wrong:
As Fajar said, try the v2.1.x branch from git. It has some fixes to
the Perl module.
Alan DeKok.
CD DD wrote:
> and how do i get this working ?
read raddb/mods-available/mschap
Alan DeKok.
d not "magical
thing I'm supposed to not touch"?
Alan DeKok.
for CoA.
> I have check with the netstat command in the OS that a java program is
> listening to the port 4200.
That doesn't matter.
> Do i have to configure the NAS client IP and port in home_server section of
> originate-coa file ?
That's what the documentation says.
Alan DeKok.
ulislam.raihan wrote:
> If NAS and Freeradius server is in same PC . Then freeradius will send COA
> request to NAS in which port?
This is documented. You were told which file to read.
Alan DeKok.
eply
> packets pairs that existed only in radgroupreply.
No idea. It works for me when I test it.
Alan DeKok.
w the
existing examples.
Perhaps you could try using the originate-coa example, rather than
ignoring it?
Alan DeKok.
; branch of FreeRADIUS supports MS-CHAP password
change. Version 2.1.x does NOT support it.
Alan DeKok.
stead i have seen following error "Info: WARNING: Unknown destination
> 127.0.0.1:4200 for CoA request."
read raddb/sites-available/originate-coa
This is documented.
Alan DeKok.
ference (the
> server defaults to Fall-Through from the config). I can see no
> difference in the structure of the user/groups between working and
> non-working accounts.
Did you set "read_groups = yes" in sql.conf?
What about the comments just above that configurat
the
Access-Accept is important?
> Any help would be hugely appreciated as I'm working under a deadline.
No one here cares about your deadline. This isn't a paid support
list, where you can demand a service level.
Alan DeKok.
" ??
Because it's written with a '#' in the mschap module.
Go back and ensure that there is only ONE mschap module in the
"modules" directory.
Alan DeKok.