Hi everybody,
I have configured a proxy server with 'type=client-port-balance'. I
have configured two backend FR servers (192.168.0.109 and 192.168.0.112).
I am sending requests from a PC to 192.168.0.102 (acting as proxy
server). But requests are forwarded to only one FR server (i.e.
Hi all,
I've got a really frustrating problem with FreeRADIUS trying to proxy to a
Microsoft IAS. I'm using FR 1.0.1 (I know, it's old). The problem is that I
have proxying configured, but I keep getting Access-Reject back from the IAS.
The IAS says that I used an unknown username or
Eric Van Tol wrote:
Hi all,
I've got a really frustrating problem with FreeRADIUS trying to proxy to a
Microsoft IAS. I'm using FR 1.0.1 (I know, it's old). The problem is that I
have proxying configured, but I keep getting Access-Reject back from the IAS.
The IAS says that I used an
I've got a really frustrating problem with FreeRADIUS trying to proxy to a
Microsoft IAS. I'm using FR 1.0.1 (I know, it's old). The problem is that I
have proxying configured, but I keep getting Access-Reject back from the IAS.
The IAS says that I used an unknown username or password, but I
: FreeRADIUS Proxy Problem
The shared secret is wrong.
Actually, the shared secret *is* correct. I tested this out by changing the
shared secret on the proxy and I received a different error, which specifically
stated that the shared secret didn't match. Shared secret is the same on both
: FreeRADIUS Proxy Problem
You can actually make sense of IAS logs:
http://technet.microsoft.com/en-us/library/cc778268.aspx
Ivan Kalik
Kalik Informatika ISP
Nifty - I'll try this. I know what attributes are being sent and received,
though, as I have tcpdumps and Wireshark traces. However
clive gould wrote:
Our ITNS team have just rebuilt the IAS server after it suffered a
hardware failure and since the rebuild it is now rejecting
FreeRADIUS proxy requests.
Likely because the IAS configuration changed.
IAS will still respond to my Moodle PHP
RADIUS authentication
Can anybody help please?
We use a FreeRADIUS proxy for authenticating DSpace with MS AD via MS IAS
Our ITNS team have just rebuilt the IAS server after it suffered a
hardware failure and since the rebuild it is now rejecting
FreeRADIUS proxy requests. IAS will still respond to my Moodle
Guilherme Franco wrote:
Hi,
Sorry for bothering you guys.
I would like to humbly ask if there's any ideas on this?
There's a lot there, and it's not clear what's going on.
Look at the differences between the two configurations.
Alan DeKok.
--
http://deployingradius.com -
Hello,
It's the same server with the very same config for both users in
radcheck and radreply, except that in proxy.conf, only the proxy.com
realm is set to be proxied to 192.168.1.2.
When the user [EMAIL PROTECTED] (no proxy) logs in, the VSA
ERX-Service-Bundle is sent to the B-RAS, while it's
Hi,
Sorry for bothering you guys.
I would like to humbly ask if there's any ideas on this?
Thanks.
On 6/11/07, Guilherme Franco wrote:
Hello Mr. Alan,
Thank you for answering.
Below, you will find a working local authentication, user
[EMAIL PROTECTED] (without proxy), where the VSA
Hello Mr. Alan,
Thank you for answering.
Below, you will find a working local authentication, user
[EMAIL PROTECTED] (without proxy), where the VSA ERX-Service-Bundle is
found in radreply (although the debug doesn't say that) and sent back
to the B-RAS:
rad_recv: Access-Request packet from
Guilherme Franco wrote:
With proxy configured, the user gets authenticated by bar.com but the
VSA is not sent to bar.com (no traces of it in pre_proxy logs nor in
radiusd -X debugs).
The debug logs will still tell you what modules are being executed,
and when. That will give information
Hello,
Running Freeradius 1.1.4 on RHEL with an Oracle backend.
I'm at a Carrier and every @bar.com request is configured to be
proxied but I have a problem where a VSA (in radreply table) is not
even sent to bar.com.
In my database:
select * from radcheck;
ID USERNAME ATTRIBUTE
OK, I've got a bit of a weird issue here. I've beat my head against it
and I'm turning to the list for help.
I have local UNIX authentication, and I also proxy a few realms. The
problem seems to arise when I have the same username both locally and
going to a particular realm.
We have
Chris A. Kalin [EMAIL PROTECTED] wrote:
We have [EMAIL PROTECTED] and bob. Bob (the local user) is disabled, he's
in a certain group on my server that locks him out completely. On my
backup RADIUS server, which is version 0.8-pre, I get the expected
behavior - if bob tries to log in, he
Please post a config debug logs from 1.1.3.
OK, I took out blank lines, commented lines, and obfuscated IPs and
passwords. Let me know if there's anything else I can provide, and
thanks in advance for all your help!
-- radiusd -X -x debug output
Chris A. Kalin [EMAIL PROTECTED] wrote:
Sending Access-Reject of id 3 to xx.xx.xx.xx port 4587
Reply-Message = Your account has been disabled.
That message does not appear in the server source. It's added
somewhere by your local config.
Fri Sep 8 12:37:40 2006 : Debug:
Alan DeKok wrote:
Chris A. Kalin [EMAIL PROTECTED] wrote:
Sending Access-Reject of id 3 to xx.xx.xx.xx port 4587
Reply-Message = Your account has been disabled.
That message does not appear in the server source. It's added
somewhere by your local config.
Right, in the users
Chris A. Kalin [EMAIL PROTECTED] wrote:
That's exactly right, but why is it even getting to my users file?
Because you configured it that way?
It's supposed to be proxying the auth request to another box, and
apparently does, but then it charges ahead and checks the username
against
Chris A. Kalin [EMAIL PROTECTED] wrote:
Right, the users file has a default Auth-Type := System
Yes, which doesn't affect anything, because the unix module is only
used during authentication, and it's proxying, so it's not hitting the
unix module.
So just so I completely understand, _did_
Alan DeKok wrote:
Chris A. Kalin [EMAIL PROTECTED] wrote:
Right, the users file has a default Auth-Type := System
Yes, which doesn't affect anything, because the unix module is only
used during authentication, and it's proxying, so it's not hitting the
unix module.
This makes sense.
Chris A. Kalin [EMAIL PROTECTED] wrote:
This makes sense. What I don't get is why the request is sailing
through the proxy module (where it apparently receives an
Access-Accept) and then continues INTO the files/unix part of the
config,
The debug log you posted for 1.1.3 doesn't show
Dear everybody,
I've installed the radius's CVS version of 08-02-06.
I've this architecture : client AP Radius A Radius B proxying
with proxy.conf file :
realm NULL {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}
realm AAA {
    type = radius
    authhost = LOCAL
    accthost =
Mitaine Yoann [EMAIL PROTECTED] wrote:
There was no case of Access challenge request, I added it
(case PW_ACCESS_CHALLENGE).
And now the proxy request works !
I would like to know if the change is correct and if somebody already had
this error .
It's a bug, and a fairly stupid one at
Hi !
See post_proxy_authorize in proxy.conf.
Yes, post_proxy_authorize = yes was the solution and some hacking in the
user file.
See also postproxy_users, which is I think what you want.
This file/function postproxy_users wasn't documented, maybe someone can do
that for the 1.1.1
Hi !
I'm trying to set up Freeradius (1.1.0) to proxy ms-chap-v2 and when
I get the accept from ms-win2k3-ias server, then i want to assign
a static ip address.
Reading the doc/proxy file, i read that the user file is processed as usual
after accept is received ms radius server.
users :
VannMann32 . [EMAIL PROTECTED] wrote:
Reading the doc/proxy file, i read that the user file is processed as usual
after accept is received ms radius server.
See post_proxy_authorize in proxy.conf.
See also postproxy_users, which is I think what you want.
Alan DeKok.
-
List
Hi !
I'm trying to set up Freeradius (1.1.0) to proxy ms-chap-v2 and when
I get the accept from ms-win2k3-ias server, then i want to assign
a static ip address.
Reading the doc/proxy file, i read that the user file is processed as usual
after accept is received ms radius server.
users :
Hi !
I'm trying to set up Freeradius (1.1.0) to proxy ms-chap-v2 and when
I get the accept from ms-win2k3-ias server, then i want to assign
a static ip address.
Found an odd solution :
radius.conf :
ippool pool-ip {
range-start = 192.168.1.100
range-stop =
Hi !
If I send ms-chap, then the proxy works. But if I send ms-chap-v2 then
i get this error message (from debug) :
That's nice. What does the debug log on the other RADIUS server say?
Sorry no debug information, but here is some from the ms w2k3 ias log file :
Event Type: Warning
Hi !
I'm trying to set up a freeradius (1.1.0) server to proxy ms-chap-v2 to a ms
ias server.
If I send ms-chap, then the proxy works. But if I send ms-chap-v2 then
i get this error message (from debug) :
Sending Access-Request of id 1 to 192.168.1.1 port 1812
NAS-Identifier =
VannMann32 . [EMAIL PROTECTED] wrote:
If I send ms-chap, then the proxy works. But if I send ms-chap-v2 then
i get this error message (from debug) :
That's nice. What does the debug log on the other RADIUS server say?
Is this possible ? Should it work ? Is it possible to proxy ms-chap-v2 ?
Alan, others,
Ok, we are trying to get wireless clients configured for
802.1x authentication by using wpa configured with pap
authentication. This works fine on the Freeradius server if
we authenticate against system. However, when we try to
proxy to other non eap supported radius servers, it
Tim Tyler [EMAIL PROTECTED] wrote:
users:
DEFAULT Auth-Type := PAP, Proxy-To-Realm = stu
Fall-Through = 1
This makes no sense. It says do PAP authentication, but don't do
PAP, do proxy.
ttls {
# default_eap_type = md5
# copy_request_to_tunnel = yes
#
Alan DeKok schrieb:
Yes please see the existing TTLS and
PEAP code which does exactly this. You have
working examples in front of you.
Use them.
Thanks, that put me on the right track again...
I stupidly was searching for a configuration
error and missed the (now obvious) error in
my
Hi,
I try to do 802.1x with proxy authentication, when user login from
Windows XP, he put username, password and domain. The Switch will send a
request authentication for a freeradius server, that will proxy the
request conform user domain. When I try this, I get the errors below.
If I use the
Israel Fabio Alves [EMAIL PROTECTED] wrote:
I try to do 802.1x with proxy authentication, when user login from
Windows XP, he put username, password and domain. The Switch will send a
request authentication for a freeradius server, that will proxy the
request conform user domain. When I try
I do not know right if is a problem of freeradius, it is possible that
is my configuration.
When I do a test using just the user and password, I login OK, but when
using username, password and domain, occur the login failed.
If somebody have information that help me, I will very happy.
Alan
Do you have nostrip setup in proxy.conf to not strip the username? Please
post debug info (radiusd -X).
On Fri, 28 Jan 2005, Israel Fabio Alves wrote:
I do not know right if is a problem of freeradius, it is possible that
is my configuration.
When I do a test using just the user and
The file proxy.txt is the freeradius that receive the request from Switch.
The file realmTESTE.txt is the freeradius that will authenticate users
for domain TESTE. At this moment, the authentication is in files.
Dustin Doris wrote:
Do you have nostrip setup in proxy.conf to not strip the
If I do a test, login without domain, only with username and password,
the authentication occurs.
We can see this information in the files proxy1.txt and realmTESTE1.txt
If someone can help me.
Very Thanks.
Israel Fabio Alves wrote:
The file proxy.txt is the freeradius that receive the request
Post your debug output (radiusd -X), with both a successful and
unsuccessful login.
On Fri, 28 Jan 2005, Israel Fabio Alves wrote:
If I do a test, login without domain, only with username and password,
the authentication occurs.
We can see this information in the files proxy1.txt and
Hi,
I'm having a strange problem with a modified rlm_eap_md5
module and proxying - apparently I'm missing some details
of the internal workings of FreeRADIUS, now I don't understand
what's going on at all ...
I hacked rlm_eap_md5 to actually generate a fake request
containing
[EMAIL PROTECTED] wrote:
I hacked rlm_eap_md5 to actually generate a fake request
containing FreeRADIUS-Proxied-To, Username, CHAP-Challenge
and CHAP-Response attributes and call rad_authenticate
rad_authenticate doesn't do proxying.
However, the whole point of my modification was to be
= verysecret
nostrip
}
Since direct authentication works just fine, I figure it's a proxy problem.
Using Fedora Core 2 with freeradius RPM freeradius-1.0.1-0.FC2
Thanks in advance,
René
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi!
rad_recv: Access-Accept packet from host IPnumber-Vasco:1645, id=0,
length=198 Reply-Message = Login successful.
MS-CHAP2-Success =
0x02533d4645343046424332434131364136373045313546303944343831414542383036433
1463031423943 MS-MPPE-Encryption-Policy = 0x0001
Raimund Sacherer wrote:
Here is a more detailed description of our scenario
[...]
Thanks, it's a lot easier to understand now.
For a Proxy Packet the Packet-src_ipaddr is empty.
It's the normal behaviour. The RADIUS server doesn't have knowledge
about the network routes so it's the kernel
Nicolas Baradakis [EMAIL PROTECTED] wrote:
Now you gave us all the details about the problem in your setup, I'm
thinking of a different approach: perhaps it could be easier to add a
source NAT rule on the firewall rather than hacking the source IP
inside radiusd. Did you try this ?
That
Hi Nicolas, Thomas!
Here is a more detailed description of our scenario:
+--+
+---+ | NAS/Roaming | (NAS/Roaming Partner may not be
| 1 | | RadiusServer | part of our Network and can have their
+---+ +--+ own
Raimund Sacherer [EMAIL PROTECTED] wrote:
My previously posted patch adds configuration items for the proxy.conf
config file where you can define the ip_addr which should be used for
each Realm.
I would be glad if someone can confirm this as problem and my patch as
the right solution ;-)
Hi Raimund,
Nicolas and I did some test on proxy forwarding , we use this model :
CLIENT 172.16.69.1
|
vlan 69
|
Raimund Sacherer [EMAIL PROTECTED] wrote:
There were two problems with proxying, first, i listen to 2 ip
addresses, if those were on different interfaces (eth0/eth1) it is not
working, the problem is, the packet is sent to the roamingpartner, but
the response is not recognized by freeradius
Here is our Scenario which is working now:
Some Partners depend on an IPSec tunnel.
+--+
| Our |
| RadiusServer |
+--+
| |
Ben Butler [EMAIL PROTECTED] wrote:
Just tried something out of desperation and commented out EAP in post-proxy,
and guess what, cooking with gas.
It's a bug in 0.9.3, which is fixed in the latest CVS snapshots.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
Hi All,
I have two servers running freeradius-0.9.3, I am trying to proxy radius
request for a specific realm from one server (server1) to the other
(server2). I believe I have updated radius.conf and attrs correctly as well
as proxy.conf and clients.conf.
Using radtest on server2 to initiate a
Um, typical.
Just tried something out of desperation and commented out EAP in post-proxy,
and guess what, cooking with gas.
Thanks anyways.
Ben
-Original Message-
From: Ben Butler [mailto:[EMAIL PROTECTED]
Sent: 10 May 2004 23:59
To: '[EMAIL PROTECTED]'
Subject: Proxy Problem
57 matches