Hi everybody,
I have configured a proxy server with 'type=client-port-balance'. I
have configured two backend FR servers (192.168.0.109 and 192.168.0.112).
I am sending requests from a PC to 192.168.0.102 (acting as proxy
server). But requests are forwarded to only one FR server (i.e.
192.168.0.112)
> Subject: Re: FreeRADIUS Proxy Problem
>
> You can actually make sense of IAS logs:
>
> http://technet.microsoft.com/en-us/library/cc778268.aspx
>
> Ivan Kalik
> Kalik Informatika ISP
Nifty - I'll try this. I know what attributes are being sent and rece
> Subject: Re: FreeRADIUS Proxy Problem
>
>
> The shared secret is wrong.
Actually, the shared secret *is* correct. I tested this out by changing the
shared secret on the proxy and I received a different error, which specifically
stated that the shared secret didn't m
>I've got a really frustrating problem with FreeRADIUS trying to proxy to a
>Microsoft IAS. I'm using FR 1.0.1 (I know, it's old). The problem is that I
>have proxying configured, but I keep getting Access-Reject back from the IAS.
>The IAS says that I used an unknown username or password, bu
Eric Van Tol wrote:
> Hi all,
> I've got a really frustrating problem with FreeRADIUS trying to proxy to a
> Microsoft IAS. I'm using FR 1.0.1 (I know, it's old). The problem is that I
> have proxying configured, but I keep getting Access-Reject back from the IAS.
> The IAS says that I used a
Hi all,
I've got a really frustrating problem with FreeRADIUS trying to proxy to a
Microsoft IAS. I'm using FR 1.0.1 (I know, it's old). The problem is that I
have proxying configured, but I keep getting Access-Reject back from the IAS.
The IAS says that I used an unknown username or password
clive gould wrote:
> Our ITNS team have just rebuilt the IAS server after it suffered a
> hardware failure and since the rebuild it is now rejecting
> FreeRADIUS proxy requests.
Likely because the IAS configuration changed.
> IAS will still respond to my Moodle PHP
> RADIUS authenticatio
Can anybody help please?
We use a FreeRADIUS proxy for authenticating DSpace with MS AD via MS IAS
Our ITNS team have just rebuilt the IAS server after it suffered a
hardware failure and since the rebuild it is now rejecting
FreeRADIUS proxy requests. IAS will still respond to my Moodle PH
Hello,
It's the same server with the very same config for both users in
radcheck and radreply, except that in proxy.conf, only the "proxy.com"
realm is set to be proxied to 192.168.1.2.
When the user "[EMAIL PROTECTED]" (no proxy) logs in, the VSA
ERX-Service-Bundle is sent to the B-RAS, while it
Guilherme Franco wrote:
> Hi,
>
> Sorry for bothering you guys.
>
> I would like to humbly ask if there's any ideas on this?
There's a lot there, and it's not clear what's going on.
Look at the differences between the two configurations.
Alan DeKok.
--
http://deployingradius.com
Hi,
Sorry for bothering you guys.
I would like to humbly ask if there's any ideas on this?
Thanks.
On 6/11/07, Guilherme Franco wrote:
> Hello Mr. Alan,
>
> Thank you for answering.
>
> Below, you will find a working local authentication, user
> [EMAIL PROTECTED] (without proxy), where the VSA
Hello Mr. Alan,
Thank you for answering.
Below, you will find a working local authentication, user
[EMAIL PROTECTED] (without proxy), where the VSA "ERX-Service-Bundle" is
found in radreply (although the debug doesn't say that) and sent back
to the B-RAS:
rad_recv: Access-Request packet from ho
Guilherme Franco wrote:
> With proxy configured, the user gets authenticated by bar.com but the
> VSA is not sent to bar.com (no traces of it in pre_proxy logs nor in
> radiusd -X debugs).
The debug logs will still tell you what modules are being executed,
and when. That will give information
Hello,
Running Freeradius 1.1.4 on RHEL with an Oracle backend.
I'm at a Carrier and every "@bar.com" request is configured to be
proxied but I have a problem where a VSA (in radreply table) is not
even sent to bar.com.
In my database:
select * from radcheck;
ID USERNAME ATTRIBUTE
"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
> This makes sense. What I don't get is why the request is sailing
> through the proxy module (where it apparently receives an
> "Access-Accept") and then continues INTO the files/unix part of the
> config,
The debug log you posted for 1.1.3 doesn'
Alan DeKok wrote:
"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
Right, the users file has a default Auth-Type := System
Yes, which doesn't affect anything, because the unix module is only
used during authentication, and it's proxying, so it's not hitting the
unix module.
This makes sense.
"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
> Right, the users file has a default Auth-Type := System
Yes, which doesn't affect anything, because the unix module is only
used during authentication, and it's proxying, so it's not hitting the
unix module.
> So just so I completely understand, _di
Alan DeKok wrote:
"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
That's exactly right, but why is it even getting to my users file?
Because you configured it that way?
It's supposed to be proxying the auth request to another box, and
apparently does, but then it charges ahead and checks t
"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
> That's exactly right, but why is it even getting to my users file?
Because you configured it that way?
> It's supposed to be proxying the auth request to another box, and
> apparently does, but then it charges ahead and checks the username
> aga
Alan DeKok wrote:
"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
Sending Access-Reject of id 3 to xx.xx.xx.xx port 4587
Reply-Message = "Your account has been disabled."
That message does not appear in the server source. It's added
somewhere by your local config.
Right, in the user
"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
> Sending Access-Reject of id 3 to xx.xx.xx.xx port 4587
> Reply-Message = "Your account has been disabled."
That message does not appear in the server source. It's added
somewhere by your local config.
> Fri Sep 8 12:37:40 2006 : Debug:
Please post a config & debug logs from 1.1.3.
OK, I took out blank lines, commented lines, and obfuscated IPs and
passwords. Let me know if there's anything else I can provide, and
thanks in advance for all your help!
-- radiusd -X -x debug output
rad
"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
> We have [EMAIL PROTECTED] and bob. Bob (the local user) is disabled, he's
> in a certain group on my server that locks him out completely. On my
> backup RADIUS server, which is version 0.8-pre, I get the expected
> behavior - if bob tries to log i
OK, I've got a bit of a weird issue here. I've beat my head against it
and I'm turning to the list for help.
I have local UNIX authentication, and I also proxy a few realms. The
problem seems to arise when I have the same username both locally and
going to a particular realm.
We have [EMAI
Mitaine Yoann <[EMAIL PROTECTED]> wrote:
> There was no case of Access challenge request, I added it
> (case PW_ACCESS_CHALLENGE).
> And now the proxy request works!
> I would like to know if the change is correct and if somebody already had
> this error.
It's a bug, and a fairly stupid one
Dear everybody,
I've installed the radius's CVS version of 08-02-06.
I've this architecture: client <> AP <> Radius A <> Radius B proxying
with proxy.conf file:
realm NULL {
type = radius
Hi !
See post_proxy_authorize in proxy.conf.
Yes, "post_proxy_authorize = yes" was the solution and some hacking in the
user file.
See also "postproxy_users", which is I think what you want.
This file/function "postproxy_users" wasn't documented, maybe someone can do
that for the 1.
"VannMann32 ." <[EMAIL PROTECTED]> wrote:
> >Reading the doc/proxy file, i read that the user file is processed as usual
> >after accept is received ms radius server.
See post_proxy_authorize in proxy.conf.
See also "postproxy_users", which is I think what you want.
Alan DeKok.
-
List inf
Hi !
I'm trying to set up Freeradius (1.1.0) to proxy ms-chap-v2 and when
I get the "accept" from ms-win2k3-ias server, then i want to assign
a static ip address.
Reading the doc/proxy file, i read that the user file is processed as usual
after accept is received ms radius server.
users :
DE
Hi !
I'm trying to set up Freeradius (1.1.0) to proxy ms-chap-v2 and when
I get the "accept" from ms-win2k3-ias server, then i want to assign
a static ip address.
Found an odd solution:
radius.conf :
ippool pool-ip {
range-start = 192.168.1.100
range-stop =
Hi !
I'm trying to set up Freeradius (1.1.0) to proxy ms-chap-v2 and when
I get the "accept" from ms-win2k3-ias server, then i want to assign
a static ip address.
Reading the doc/proxy file, i read that the user file is processed as usual
after accept is received ms radius server.
users :
DEF
Hi !
> Is this possible ? Should it work ? Is it possible to proxy ms-chap-v2 ?
Yes. My guess is that the other RADIUS server doesn't understand
MS-CHAPv2.
The solution was to add a "nostrip" in proxy.conf file.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users
Hi !
> If I send ms-chap, then the proxy works. But if I send ms-chap-v2 then
> i get this error message (from debug) :
That's nice. What does the debug log on the other RADIUS server say?
Sorry no debug information, but here is some from the ms w2k3 ias log file :
vent Type: Warnin
"VannMann32 ." <[EMAIL PROTECTED]> wrote:
> If I send ms-chap, then the proxy works. But if I send ms-chap-v2 then
> i get this error message (from debug) :
That's nice. What does the debug log on the other RADIUS server say?
> Is this possible ? Should it work ? Is it possible to proxy ms-cha
Hi !
I'm trying to set up a freeradius (1.1.0) server to proxy ms-chap-v2 to a ms
ias server.
If I send ms-chap, then the proxy works. But if I send ms-chap-v2 then
i get this error message (from debug) :
Sending Access-Request of id 1 to 192.168.1.1 port 1812
NAS-Identifier = "vpn.dom
"Tim Tyler" <[EMAIL PROTECTED]> wrote:
> users:
> DEFAULT Auth-Type := PAP, Proxy-To-Realm = stu
> Fall-Through = 1
This makes no sense. It says "do PAP authentication, but don't do
PAP, do proxy".
> ttls {
> # default_eap_type = md5
> # copy_request_to_tunnel = yes
> # u
Alan, others,
Ok, we are trying to get wireless clients configured for
802.1x authentication by using wpa configured with pap
authentication. This works fine on the Freeradius server if
we authenticate against system. However, when we try to
proxy to other non eap supported radius servers, it
The information below is the server that will authenticate the domain
users (Realm TESTE):
Debug with the problem.
/usr/local/radius/sbin/radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Post your debug output (radiusd -X), with both a successful and
unsuccessful login.
On Fri, 28 Jan 2005, Israel Fabio Alves wrote:
> If I do a test, login without domain, only with username and password,
> the authentication occurs.
>
> We can see this information in the files "proxy1.txt" and
If I do a test, login without domain, only with username and password,
the authentication occurs.
We can see this information in the files "proxy1.txt" and "realmTESTE1.txt"
If someone can help me.
Very Thanks.
Israel Fabio Alves wrote:
The file "proxy.txt" is the freeradius that receives the reque
The file "proxy.txt" is the freeradius that receives the request from Switch.
The file "realmTESTE.txt" is the freeradius that will authenticate users
for domain TESTE. At this moment, the authentication is in files.
Dustin Doris wrote:
Do you have nostrip setup in proxy.conf to not strip the user
Do you have nostrip setup in proxy.conf to not strip the username? Please
post debug info (radiusd -X).
On Fri, 28 Jan 2005, Israel Fabio Alves wrote:
> I do not know right if is a problem of freeradius, it is possible that
> is my configuration.
>
> When I do a test using just the user and pas
I do not know right if is a problem of freeradius, it is possible that
is my configuration.
When I do a test using just the user and password, I log in OK, but when
using username, password and domain, the login fails.
If somebody has information that helps me, I will be very happy.
Alan
Israel Fabio Alves <[EMAIL PROTECTED]> wrote:
> I try to do 802.1x with proxy authentication, when user logs in from
> Windows XP, he puts username, password and domain. The Switch will send a
> request authentication for a freeradius server, that will proxy the
> request conform user domain. When
Hi,
I try to do 802.1x with proxy authentication, when user logs in from
Windows XP, he puts username, password and domain. The Switch will send a
request authentication for a freeradius server, that will proxy the
request conform user domain. When I try this, I get the errors below.
If I use the e
Alan DeKok schrieb:
> Yes please see the existing TTLS and
> PEAP code which does exactly this. You have
> working examples in front of you.
> Use them.
Thanks, that put me on the right track again...
I stupidly was searching for a configuration
error and missed the (now obvious) error in
m
[EMAIL PROTECTED] wrote:
> I hacked rlm_eap_md5 to actually generate a fake request
> containing FreeRADIUS-Proxied-To, Username, CHAP-Challenge
> and CHAP-Response attributes and call "rad_authenticate"
rad_authenticate doesn't do proxying.
> However, the whole point of my modification was to
Hi,
I'm having a strange problem with a modified rlm_eap_md5
module and proxying - apparently I'm missing some details
of the internal workings of FreeRADIUS, now I don't understand
what's going on at all ...
I hacked rlm_eap_md5 to actually generate a fake request
containing FreeRADIUS-P
Hi!
> rad_recv: Access-Accept packet from host IPnumber-Vasco:1645, id=0,
> length=198 Reply-Message = "Login successful."
> MS-CHAP2-Success =
> 0x02533d4645343046424332434131364136373045313546303944343831414542383036433
>1463031423943 MS-MPPE-Encryption-Policy = 0x0001
> MS-M
Auth-Type MS-CHAP {
mschap
}
unix
# Allow EAP authentication.
eap
}
pre-proxy {
}
post-proxy {
eap
}
In proxy.conf:
realm company.realm {
type= radius
authhost= IPnumber-Vasco:1645
accthos
Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> Now you gave us all the details about the problem in your setup, I'm
> thinking of a different approach: perhaps it could be easier to add a
> source NAT rule on the firewall rather than hacking the source IP
> inside radiusd. Did you try this ?
Tha
Raimund Sacherer wrote:
> Here is a more detailed description of our scenario
[...]
Thanks, it's a lot easier to understand now.
> For a Proxy Packet the Packet->src_ipaddr is empty.
It's the normal behaviour. The RADIUS server doesn't have knowledge
about the network routes so it's the kernel
"Raimund Sacherer" <[EMAIL PROTECTED]> wrote:
> My previously posted patch adds configuration items for the proxy.conf
> config file where you can define the ip_addr which should be used for
> each Realm.
>
> I would be glad if someone can confirm this as problem and my patch as
> the right soluti
Hi Nicolas, Thomas!
Here is a more detailed description of our scenario:
+--+
+---+ | NAS/Roaming | (NAS/Roaming Partner may not be
| 1 | | RadiusServer | part of our Network and can have their
+---+ +--+ own Public/Priv
Hi Raimund,
Nicolas and I did some test on proxy forwarding , we use this model :
CLIENT 172.16.69.1
|
vlan 69
|
"Raimund Sacherer" <[EMAIL PROTECTED]> wrote:
> There were two problems with proxying, first, i listen to 2 ip
> addresses, if those where on different interfaces (eth0/eth1) it is not
> working, the problem is, the packet is sent to the roamingpartner, but
> the response is not recognized by free
Here is our Scenario which is working now:
Some Partners depend on an IPSec tunnel.
+--+
| Our |
| RadiusServer |
+--+
| |
eth0
Hi,
i compiled freeradius (1.0.1) with the UDPFROMTO configure option and i
applied the patch from nicolas
(http://www.mail-archive.com/[EMAIL PROTECTED]/msg09417.html)
and now receiving/sending local auth/acct packets with more than one ip
address works as expected.
There were two problems with
Ben Butler <[EMAIL PROTECTED]> wrote:
> Just tried something out of desperation and commented out EAP in post-proxy,
> and guess what, cooking with gas.
It's a bug in 0.9.3, which is fixed in the latest CVS snapshots.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.
Um, typical.
Just tried something out of desperation and commented out EAP in post-proxy,
and guess what, cooking with gas.
Thanks anyways.
Ben
-Original Message-
From: Ben Butler [mailto:[EMAIL PROTECTED]
Sent: 10 May 2004 23:59
To: '[EMAIL PROTECTED]'
Subject: Proxy Pr
Hi All,
I have two servers running freeradius-0.9.3, I am trying to proxy radius
request for a specific realm from one server (server1) to the other
(server2). I believe I have updated radius.conf and attrs correctly as well
as proxy.conf and clients.conf.
Using radtest on server2 to initiate a