Re: openbsd dhcpd + freeradius
On 03.07.2008 at 02:24, Raja Peer wrote:

> Hi,
> Trying to get radiusd to work with local dhcp server. [...]
> Checked to make sure dhcp module is included by radiusd -X.

But does not that mean that you have 2 DHCP servers for your network?

> Does anyone have dhcp work with freeradius ?
> Thanks
> Raja

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius with multiple ldap servers
Password (radius) attribute should be Crypt-Password not User-Password.

Ivan Kalik
Kalik Informatika ISP

On 3/7/2008, Sambuddho Chakravarty [EMAIL PROTECTED] writes:

> Hello
> I set the password_header to = {crypt} and password_attribute to userPassword (that's the name of the field in the database). Now this is what the logs show:
>
> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try)
> rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user try authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> +++[ldap1] returns ok
> ++- policy redundant returns ok
> !!!
> !!! Replacing User-Password in config items with Cleartext-Password.
> !!!
> !!! Please update your configuration so that the known good
> !!! clear text password is in Cleartext-Password, and not in User-Password.
> !!!
> auth: type Local
> auth: user supplied User-Password does NOT match local User-Password
> auth: Failed to validate the user.
> Found Post-Auth-Type Reject
> +- entering group REJECT
> expand: %{User-Name} - try
> attr_filter: Matched entry DEFAULT at line 11
>
> My guess is authorize{} worked but not authenticate{}. Also, I see both modules ldap1 and ldap2 being loaded but whenever I try to authenticate with the username/password that is found in ldap2, the radius server never attempts to connect to the other LDAP server. Instead it searches for the entries in ldap1's server only.
> Any suggestions ?
> Thanks
> Sambuddho
>
> On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
>> http://wiki.freeradius.org/index.php/Rlm_ldap
>> See use of password_header and password_attribute.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 2/7/2008, Sambuddho Chakravarty [EMAIL PROTECTED] writes:
>>> Hello
>>> I think I know what the problem is. The radius server is looking up using the cleartext password, while the LDAP database stores the hashed passwords. How can I force the radius server to search for the password as a hashed value (rather than searching for the clear-text value) ?
>>> Thanks
>>> Sambuddho
>>>
>>> On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
>>>> Hello Alan
>>>> I made sure this time that rlm_ldap was compiled. Now the following is the configuration:
>>>>
>>>> --- /etc/raddb/modules/ldap ---
>>>> ldap ldap1 {
>>>>     server = a.b.c.d
>>>>     ...
>>>> }
>>>> ldap ldap2 {
>>>>     server = w.x.y.z
>>>>     ...
>>>> }
>>>>
>>>> --- /etc/raddb/radiusd.conf ---
>>>> authorize {
>>>>     ldap1
>>>>     ldap2
>>>> }
>>>> authenticate {
>>>>     ldap1
>>>>     ldap2
>>>> }
>>>>
>>>> When I execute /sbin/radiusd -X it shows instantiating module ldap1 and module ldap2:
>>>> Module: Instantiating ldap2
>>>>  ldap ldap1 {
>>>>   server = a.b.c.d
>>>>   port = 389
>>>> Module: Instantiating ldap2
>>>>  ldap ldap2 {
>>>>   server = w.x.y.z
>>>>   port = 389
>>>>
>>>> When sending a radtest request using the following command (from the same machine as the one which is running the server)
>>>> $ radtest user secret localhost 2 testing123
>>>> I get an ACCESS-REJECT reply from the server. On the server the logs show something like this --- it shows binding to both LDAP servers one by one through something like this:
>>>> rlm_ldap: performing user authorization for catch
>>>> WARNING: Deprecated conditional expansion :-. See man unlang for details
>>>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=catch)
>>>> expand: ou=People,dc=example,dc=example - ou=People,dc=example,dc=example
>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>>> rlm_ldap: attempting LDAP reconnection
>>>> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
>>>> rlm_ldap: bind as / to 30.0.0.2:389
>>>> rlm_ldap: waiting for bind result ...
>>>> rlm_ldap: Bind was successful
>>>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch)
>>>> rlm_ldap: object not found or got ambiguous search result
>>>> rlm_ldap: search failed
>>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>>> ++[ldap1] returns notfound
>>>> rlm_ldap: - authorize
>>>> rlm_ldap: performing user authorization for catch
>>>> WARNING: Deprecated conditional expansion :-. See man unlang for details
>>>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=catch)
>>>> expand: ou=People,dc=example,dc=example - ou=People,dc=example,dc=example
>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>>> rlm_ldap: attempting LDAP reconnection
>>>> rlm_ldap: (re)connect to 10.0.0.1:389,
Can't find directory
Hi, I'm a beginner in Linux and freeradius. Can someone help me, because when I finish my installation of freeradius I can't find the etc/raddb/ directory in etc???!!!

Best regards!
--
Ivan Markic
Re: Can't find directory
/usr/local/bin
/usr/local/etc/raddb

On Thu, Jul 3, 2008 at 11:44 AM, Ivan Markic [EMAIL PROTECTED] wrote:
> Hi, I'm a beginner in Linux and freeradius. Can someone help me, because when I finish my installation of freeradius I can't find the etc/raddb/ directory in etc???!!!
>
> Best regards!
> --
> Ivan Markic
Re: Can't find directory
/usr/local/etc/raddb?

Ivan Kalik
Kalik Informatika ISP

On 3/7/2008, Ivan Markic [EMAIL PROTECTED] writes:
> Hi, I'm a beginner in Linux and freeradius. Can someone help me, because when I finish my installation of freeradius I can't find the etc/raddb/ directory in etc???!!!
>
> Best regards!
> --
> Ivan Markic
Re: Can't find directory
Hi,

> Hi, I'm a beginner in Linux and freeradius. Can someone help me, because when I finish my installation of freeradius I can't find the etc/raddb/ directory in etc???!!!

Where did you tell it to go, i.e. when you configured it? By default it'd be /usr/local/etc/raddb.

Certain distros etc. will use /opt/freeradius/etc, /etc/raddb or /usr/etc/raddb.

alan
Re: Can't find directory
On 03.07.2008 at 11:44, Ivan Markic wrote:

> Hi, I'm a beginner in Linux and freeradius. Can someone help me, because when I finish my installation of freeradius I can't find the etc/raddb/ directory in etc???!!!

If you have installed in /usr/local (as you probably did, if you have compiled it yourself), the directory is then in /usr/local/etc. If you want it in /etc, you have to copy it.

> Best regards!
> --
> Ivan Markic

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: openbsd dhcpd + freeradius
> Checked to make sure dhcp module is included by radiusd -X.

To make it work:

1. ./configure --with-dhcp
2. in the /usr/local/share/freeradius/dictionary file uncomment the line $INCLUDE dictionary.dhcp
3. edit /usr/local/etc/raddb/sites-available/dhcp (edit to match your needs, comment out or remove lines containing ok) :)
4. symlink the dhcp file to the sites-enabled directory
5. run radiusd :)

> Does anyone have dhcp work with freeradius ?

Yes ... It works.
Re: Can't find directory
I would like /etc/raddb/
Re: Can't find directory
Hi,

> I would like /etc/raddb/

well tell it to use that location during the ./configure stage of the build process then!

./configure --help for further information

alan
Re: Using OTP authentication with Freeradius 2
Greg Woods wrote:
> What happens when I run radtest is, the first time, it always produces an Access-Reject response, whether or not I provide the correct passcode. The second time I run radtest, it sends radiusd into an infinite loop.
...
> I ran radiusd under 'strace', and it shows that it is going into an infinite loop trying to write to the otpd socket, and getting a Broken pipe error. It will continue to do this, racking up CPU time, until I kill it.

I've committed a fix to CVS head. EPIPE means that the pipe is closed, and any further writes to it are impossible. The code *was* trying to write after EPIPE, which was likely wrong.

It might still *not* work. But it should no longer hang.

> Does anybody have OTP authentication working with freeradius 2.0.5? Could something in my configuration be causing this problem, or is it more likely a bug?

I don't use the OTP code, sorry.

Alan DeKok.
unix auth with mysql radreply
Hello,

I set up a freeradius for chilli-coova. It uses both unix accounting (which is where the main users are) and mysql at the same time for accounting and logging. I just have a little problem. If I create a user on mysql and give an attribute in radreply, it works fine. But if I create an entry in radreply (even tried with radgroupreply and usergroup) with unix/shadow authentication, I can't get the reply message. Just the radacct records work fine without a problem. Do I have to enable something else in radius.conf or sql.conf to use radreply for unix accounting?

And also I wonder: is it possible to give a default value for every user that authenticated via freeradius? A default group for everybody???
Re: unix auth with mysql radreply
> It uses both unix accounting (which is where the main users are)

So it's not accounting then. You are using (unix) system accounts for authentication.

> and mysql at the same time for accounting and logging. I just have a little problem. If I create a user on mysql and give an attribute in radreply, it works fine.

Good.

> But if I create an entry in radreply (even tried with radgroupreply and usergroup) with unix/shadow authentication, I can't get the reply message.

Can you post those mysql entries? It should work, so something is wrong with them. Post them and the output of radiusd -X.

> Just the radacct records work fine without a problem. Do I have to enable something else in radius.conf or sql.conf to use radreply for unix accounting?

No.

> And also I wonder: is it possible to give a default value for every user that authenticated via freeradius? A default group for everybody???

That would be a DEFAULT entry in the users file.

Ivan Kalik
Kalik Informatika ISP
FreeRadius crashing
Hello,

We have been experiencing a weird crashing problem with FreeRadius 1.1.7 on Fedora Core 7 and was hoping someone would be able to help. The problem is that FreeRadius will crash several times each day and before each crash this error is displayed:

error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request

Here is part of the log file:

Thu Jun 26 08:12:27 2008 : Auth: Login OK: [BaiE/no User-Password attribute] (from client localhost port 0)
Thu Jun 26 08:12:27 2008 : Auth: Login OK: [BaiE/no User-Password attribute] (from client 10.0.1.11 port 50405 cli 00-08-74-CB-78-BA)
Thu Jun 26 08:13:22 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Thu Jun 26 08:13:22 2008 : Auth: Login incorrect: [MooresJ/no User-Password attribute] (from client 10.0.1.11 port 50108 cli 00-18-8B-79-91-9B)

restart FreeRadius

Thu Jun 26 08:18:20 2008 : Info: Using deprecated naslist file. Support for this will go away soon.
Thu Jun 26 08:18:20 2008 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Thu Jun 26 08:18:20 2008 : Info: rlm_eap_tls: Loading the certificate file as a chain
Thu Jun 26 08:18:20 2008 : Info: WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
Thu Jun 26 08:18:20 2008 : Info: Ready to process requests.
Thu Jun 26 08:18:24 2008 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
Thu Jun 26 08:18:24 2008 : Info: rlm_eap_mschapv2: Issuing Challenge
Thu Jun 26 08:18:24 2008 : Auth: Login OK: [MooresJ/no User-Password attribute] (from client localhost port 0)
Thu Jun 26 08:18:24 2008 : Auth: Login OK: [MooresJ/no User-Password attribute] (from client 10.0.1.11 port 50108 cli 00-18-8B-79-91-9B)

After this error message the log will show that authentication failed due to incorrect login (when it shouldn't have) and FreeRadius will then stop processing. Upon restart of the daemon, it will then successfully authenticate the same user without crashing. FreeRadius is communicating with Active Directory to authenticate users.

Thanks,
Kyle
Re: openbsd dhcpd + freeradius
Alan DeKok-4 wrote:
> Raja Peer wrote:
>> Trying to get radiusd to work with local dhcp server.
>
> What does that mean?

Authenticate the user using radius and lease an ip address through the dhcp daemon running in the server. Is that correct ? Does radius have its own dhcp server ?

>> Does anyone have dhcp work with freeradius ?
>
> Yes. See other messages on this list.
>
> Alan DeKok.

Thanks
Raja
Re: FreeRadius crashing
Brooks, Kyle wrote:
> We have been experiencing a weird crashing problem with FreeRadius 1.1.7 on Fedora Core 7 and was hoping someone would be able to help.

Upgrade to 2.0.5. There are LOTS of bug fixes.

Alan DeKok.
sqlippool
Is it possible to use two sql instances (sql-instance-name) for the same IP pool? (with version 2.0.5) To achieve some redundancy when one of the databases crashes.

Thank you in advance.
Johan van de Laar
freeradius-proxy + PAP works, PEAP and the rest doesn´t
Hi,

I'm really going crazy with freeradius. I want to set up a working freeradius proxy. Well, everything should have been configured correctly. I have my certificates, I have installed everything, so freeradius tells me no more errors when starting.

Well, what do I want?
- External users should be able to login on WLAN via 802.1X with MSCHAPv2/PEAP in Windows XP.

When using local radtest to verify the user, everything looks okay. But as soon as I take a windows client, properly configured, or the radeapclient, it doesn't work. Here is the output from radius -X. It is 1.1.7, but the same errors occur on version 2.0.5: There are two different requests. One (working) with local radtest, the other one with radeapclient.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/src/freeradius/key-bamberg.pem
 tls: certificate_file = /usr/src/freeradius/freeradius-cert.pem
 tls: CA_file = /usr/src/freeradius/chain.txt
 tls: private_key_password = oft36fW!
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = mschapv2
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = yes
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated
Re: freeradius-proxy + PAP works, PEAP and the rest doesn´t
[EMAIL PROTECTED] wrote:
> Well, what do I want?
> - External users should be able to login on WLAN via 802.1X with MSCHAPv2/PEAP in Windows XP.

That's relatively easy. In 2.0, just install it, configure a user/password (see the FAQ), start it in debug mode as root, and un-check "validate server certificate" on the Windows box.

> When using local radtest to verify the user, everything looks okay. But as soon as I take a windows client, properly configured, or the radeapclient, it doesn't work. Here is the output from radius -X. It is 1.1.7, but the same errors occur on version 2.0.5:

Don't run 1.1.7. Honest.

> #/This message appears about 2000+ times

shrug It's 1.1.7.

> rad_recv: Access-Reject packet from host 139.212.22.110:1812, id=1, length=40
> Reply-Message = Request Denied
> Proxy-State = 0x3931

So... the home server is rejecting the user. Have you run the home server in debug mode to see what it's doing, and why it's rejecting the request? If not, why not? Is it even FreeRADIUS?

My guess is that the home server cannot do EAP. If so, why are you going crazy with freeradius? You're blaming the proxy for the actions of the home server.

Go fix the home server to do EAP. If you can't make it do EAP, throw it away, and replace it with FreeRADIUS.

Alan DeKok.
Re: freeradius-proxy + PAP works, PEAP and the rest doesn´t
>> - External users should be able to login on WLAN via 802.1X with MSCHAPv2/PEAP in Windows XP.
>
> That's relatively easy. In 2.0, just install it, configure a user/password (see the FAQ), start it in debug mode as root, and un-check "validate server certificate" on the Windows box.

Well, this is already running with internal users. Those are correctly proxied to the local internal Radius Server. Also they don't have to uncheck "validate server certificate": they can authenticate it against a valid CA. There everything runs great. The problem exists with external customers that are proxied to another one.

>> When using local radtest to verify the user, everything looks okay. But as soon as I take a windows client, properly configured, or the radeapclient, it doesn't work. Here is the output from radius -X. It is 1.1.7, but the same errors occur on version 2.0.5:
>
> Don't run 1.1.7. Honest.

Well I tried 2.0.5 first, then I switched to 1.1.7 just for testing. Both don't work.

>> #/This message appears about 2000+ times
>
> shrug It's 1.1.7.

Well, the output from radius -X had 17,5MB of size...

>> rad_recv: Access-Reject packet from host 139.212.22.110:1812, id=1, length=40
>> Reply-Message = Request Denied
>> Proxy-State = 0x3931
>
> So... the home server is rejecting the user. Have you run the home server in debug mode to see what it's doing, and why it's rejecting the request? If not, why not? Is it even FreeRADIUS?

Well, I do not have any influence on that home server on my own. But...

> My guess is that the home server cannot do EAP. If so, why are you going crazy with freeradius? You're blaming the proxy for the actions of the home server.

...

> Go fix the home server to do EAP. If you can't make it do EAP, throw it away, and replace it with FreeRADIUS.

... that Radius Server is a FreeRadius server. I called the administrator of it. And it is running great with all other Radius servers within the rest of the sharing WLAN access community. It is in fact running now for years.

So, must be another error, I guess?
Re: freeradius-proxy + PAP works, PEAP and the rest doesn´t
[EMAIL PROTECTED] wrote:
>>> - External users should be able to login on WLAN via 802.1X with MSCHAPv2/PEAP in Windows XP.
>>
>> That's relatively easy. In 2.0, just install it, configure a user/password (see the FAQ), start it in debug mode as root, and un-check "validate server certificate" on the Windows box.
>
> Well, this is already running with internal users. Those are correctly proxied to the local internal Radius Server.

i.e. non-EAP users.

> Also they don't have to uncheck "validate server certificate": they can authenticate it against a valid CA. There everything runs great. The problem exists with external customers that are proxied to another one.

sigh The suggestion to uncheck that box was for TESTING. Not for PRODUCTION use.

> Well I tried 2.0.5 first, then I switched to 1.1.7 just for testing. Both don't work.

Go read my message again. The problem is NOT the proxy. The problem is the home server. If you noticed, the proxy debug mode shows that the HOME SERVER is rejecting the requests. The proxy is simply at the mercy of the HOME SERVER.

>> Go fix the home server to do EAP. If you can't make it do EAP, throw it away, and replace it with FreeRADIUS.
>
> ... that Radius Server is a FreeRadius server. I called the administrator of it. And it is running great with all other Radius servers within the rest of the sharing WLAN access community.

That's nice. Ask him why it's returning Access-Reject for your users.

> So, must be another error, I guess?

The home server is rejecting the user. No amount of playing games with the proxy will fix the home server. You could install 1.1.7, 2.0.5, Cisco ACS, Juniper's SBR, Radiator, or nearly any other RADIUS server on the proxy and IT STILL WOULD NOT WORK.

Go fix the home server so that it doesn't reject your users. Yell at its admin, if necessary. Stop playing games with the proxy. You're wasting your time.

Alan DeKok.
Re: freeradius-proxy + PAP works, PEAP and the rest doesn´t
If pap works and peap (mschap) doesn't, the reason is usually that the passwords kept on the home server are encrypted. If they are, nothing apart from changing the passwords to cleartext ones will make peap, mschap or chap work. You will be able to get EAP-TTLS/PAP to work.

Ivan Kalik
Kalik Informatika ISP

On 3/7/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> ... that Radius Server is a FreeRadius server. I called the administrator of it. And it is running great with all other Radius servers within the rest of the sharing WLAN access community. It is in fact running now for years.
>
> So, must be another error, I guess?
Re: sqlippool
Yes. You will need to use database management to replicate them and keep them in sync.

Ivan Kalik
Kalik Informatika ISP

On 3/7/2008, Laar, Johan van de [EMAIL PROTECTED] writes:
> Is it possible to use two sql instances (sql-instance-name) for the same IP pool? (with version 2.0.5) To achieve some redundancy when one of the databases crashes.
>
> Thank you in advance.
> Johan van de Laar
Re: freeradius with multiple ldap servers
Hello Ivan

But I don't have a field in the database by that name. The name of the field is userPassword. This is what the openLDAP migration scripts generated. Please let me know what mistake I am making.

Also, my question on failover. Is the failover used when the first LDAP server is down / unresponsive to connection attempts, or when it is not able to authenticate (example bad username / password) ?

Thanks
Sambuddho

On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
> Password (radius) attribute should be Crypt-Password not User-Password.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius-proxy + PAP works, PEAP and the rest doesn't
hi,

if you really are using freeradius as a proxy, as you stated, then you don't need certificates... as the system will JUST proxy. if you mean you want to terminate EAP on your freeradius, then please don't call it a proxy. get the terminology correct.

what did you do wrong? well, since 1.1.7 and 2.0.5 need completely different configs, i doubt you could make the same mistake twice... you CAN'T use a 1.1.7 config on a 2.0.5 box.

from what i can see, the daemon is clearly telling you something is wrong with your DH stuff. read eap.conf properly. get rid of that error. that's your primary task.

alan
Re: freeradius-proxy + PAP works, PEAP and the rest doesn't
Hi,

> ... that Radius Server is a FreeRadius server. I called the administrator of it. And it is running great with all other Radius servers within the rest of the sharing WLAN access community. It has in fact been running for years now. So, it must be another error, I guess?

are you filtering attributes? if so, there are a large number of specific attributes that you MUST let through the proxy connection

alan
Re: FreeRadius crashing
Hi,

> We have been experiencing a weird crashing problem with FreeRadius 1.1.7 on fedora core 7 and were hoping someone would be able to help.

yeh, it does that with EAP - that's why 2.0.x came along. 2.0.5 HIGHLY recommended. read the Changelog to note all the errors fixed etc if you feel an upgrade is not worth it.

alan
freeradius 2.0.5 problem
Hello!

I have a problem with my freeradius server. The schema is the following:

Mikrotik Router
freeradius server
Mysql Server

From time to time (maybe once in 4-5 days) I get this error repeated many, many times:

Thu Jul 3 17:39:33 2008 : Error: Discarding duplicate request from client private-network port 35005 - ID: 223 due to unfinished request 5713664
Thu Jul 3 17:39:35 2008 : Error: Discarding duplicate request from client private-network port 35005 - ID: 223 due to unfinished request 5713664
Thu Jul 3 17:39:57 2008 : Error: Discarding duplicate request from client private-network port 45713 - ID: 65 due to unfinished request 5714017
Thu Jul 3 17:39:57 2008 : Error: Discarding duplicate request from client private-network port 35070 - ID: 126 due to unfinished request 5714018
Thu Jul 3 17:39:59 2008 : Error: Discarding duplicate request from client private-network port 45713 - ID: 65 due to unfinished request 5714017
Thu Jul 3 17:39:59 2008 : Error: Discarding duplicate request from client private-network port 35070 - ID: 126 due to unfinished request 5714018

also followed by a few errors like this one:

Thu Jul 3 17:41:45 2008 : Error: WARNING: Unresponsive child (id 1377945920) for request 5715136, in module exec component post-auth

And then many other errors like:

Thu Jul 3 17:43:16 2008 : Error: Received conflicting packet from client private-network port 35977 - ID: 249 due to unfinished request 5718311. Giving up on old request.
Thu Jul 3 17:43:16 2008 : Error: Received conflicting packet from client private-network port 35976 - ID: 248 due to unfinished request 5718310. Giving up on old request.
Thu Jul 3 17:43:16 2008 : Error: Received conflicting packet from client private-network port 35978 - ID: 250 due to unfinished request 5718312. Giving up on old request.
Thu Jul 3 17:43:16 2008 : Error: Received conflicting packet from client private-network port 46742 - ID: 247 due to unfinished request 5718313. Giving up on old request.
Thu Jul 3 17:43:16 2008 : Error: Received conflicting packet from client private-network port 46729 - ID: 235 due to unfinished request 5718317. Giving up on old request.

also mixed with some others:

Thu Jul 3 17:42:58 2008 : Error: WARNING: Unresponsive child (id 1346476352) for request 5716367, in module exec component post-auth

And after that freeradius becomes unresponsive, I get a Radius timeout on the Mikrotik and so the clients aren't authenticating. I have around 1200 clients in total; usually there are 700-800 users online.

Thank You!
Re: freeradius 2.0.5 problem
Hi,

> Mikrotik Router
> freeradius server
> Mysql Server
>
> From time to time (maybe once in 4-5 days) I get this error repeated many, many times:

your MySQL is too slow to respond to the requests - check your SQL queries and see how you can optimise them. I've been able to go from queries that look up many thousands of lines to just a single index query. change your MySQL engine to InnoDB - or even better, move to postgresql instead. these events happen when a table eventually gets too large for the basic MySQL settings to cope. think about deleting old records etc.

alan
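The symptoms in the report above (duplicate and conflicting packets piling up behind unfinished requests, plus unresponsive children in the exec post-auth module) are what a slow backend, as Alan diagnoses, looks like in the radiusd log. Added example, not from the thread or from FreeRADIUS: a small Python parser over those lines (copied from the report, plus one constructed Info line) that counts each symptom and applies an assumed threshold to flag a backend stall.

```python
"""Count retransmit-driven errors in a FreeRADIUS 2.x log and decide
whether they point at a stalled backend (added example, not FreeRADIUS code)."""
import re
from collections import Counter

# Constructed sample: the lines quoted in the report above plus one
# ordinary Info line so the filter has something to skip.
SAMPLE_LOG = """\
Thu Jul 3 17:39:33 2008 : Error: Discarding duplicate request from client private-network port 35005 - ID: 223 due to unfinished request 5713664
Thu Jul 3 17:39:35 2008 : Error: Discarding duplicate request from client private-network port 35005 - ID: 223 due to unfinished request 5713664
Thu Jul 3 17:39:57 2008 : Error: Discarding duplicate request from client private-network port 45713 - ID: 65 due to unfinished request 5714017
Thu Jul 3 17:39:57 2008 : Error: Discarding duplicate request from client private-network port 35070 - ID: 126 due to unfinished request 5714018
Thu Jul 3 17:41:45 2008 : Error: WARNING: Unresponsive child (id 1377945920) for request 5715136, in module exec component post-auth
Thu Jul 3 17:43:16 2008 : Error: Received conflicting packet from client private-network port 35977 - ID: 249 due to unfinished request 5718311. Giving up on old request.
Thu Jul 3 17:43:16 2008 : Error: Received conflicting packet from client private-network port 35976 - ID: 248 due to unfinished request 5718310. Giving up on old request.
Thu Jul 3 17:43:16 2008 : Info: Ready to process requests.
"""

# One pattern per symptom; the request number ties a retransmit back to the
# original request that has not finished yet.
DUPLICATE_RE = re.compile(
    r"Discarding duplicate request from client (?P<client>\S+) port \d+ - ID: \d+ "
    r"due to unfinished request (?P<req>\d+)")
CONFLICT_RE = re.compile(
    r"Received conflicting packet from client (?P<client>\S+) .*unfinished request (?P<req>\d+)")
CHILD_RE = re.compile(
    r"Unresponsive child \(id \d+\) for request (?P<req>\d+), "
    r"in module (?P<module>\S+) component (?P<component>\S+)")


def summarise(log_text):
    """Return per-symptom counts, the set of unfinished request numbers and
    the module/component the unresponsive children were stuck in."""
    summary = {
        "duplicates": 0,
        "conflicts": 0,
        "unresponsive_children": 0,
        "unfinished_requests": set(),
        "stalled_in": Counter(),
        "clients": Counter(),
    }
    for line in log_text.splitlines():
        if m := DUPLICATE_RE.search(line):
            summary["duplicates"] += 1
            summary["unfinished_requests"].add(int(m["req"]))
            summary["clients"][m["client"]] += 1
        elif m := CONFLICT_RE.search(line):
            summary["conflicts"] += 1
            summary["unfinished_requests"].add(int(m["req"]))
            summary["clients"][m["client"]] += 1
        elif m := CHILD_RE.search(line):
            summary["unresponsive_children"] += 1
            summary["stalled_in"][m["module"] + "/" + m["component"]] += 1
    return summary


def backend_stall_suspected(summary, min_retransmits=3):
    """Assumed heuristic: retransmits from the NAS together with at least one
    unresponsive child point at the backend (SQL/exec) rather than the client."""
    retransmits = summary["duplicates"] + summary["conflicts"]
    return retransmits >= min_retransmits and summary["unresponsive_children"] > 0


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(s["duplicates"], s["conflicts"], s["unresponsive_children"], dict(s["stalled_in"]))
    print("backend stall suspected:", backend_stall_suspected(s))
```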
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
Hi Sambuddho:

I met a similar problem a few weeks ago. You need to set the ldap identity/password for your freeRadius server at modules/ldap, e.g. mine is like:

server = ldap.xxx.ca
identity = cn=radius,ou=Applications,dc=xxx,dc=ca
password = password
basedn = ou=People,dc=xxx,dc=ca

The default setting is read-only anonymous search (i.e. without identity/password setting) and it will fail because the ldap server does not allow anonymous search for other users' passwords.

Hope this is helpful.
Andy

[EMAIL PROTECTED] wrote:
> Message: 5
> Date: Thu, 03 Jul 2008 12:50:25 -0400
> From: Sambuddho Chakravarty [EMAIL PROTECTED]
> Subject: Re: freeradius with multiple ldap servers
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
>
> Hello Ivan
> But I don't have a field in the database by that name. The name of the field is userPassword. This is what the openLDAP migration scripts generated. Please let me know what mistake I am making.
> Also, my question on failover: is the failover used when the first LDAP server is down / unresponsive to connection attempts, or when it is not able to authenticate (for example, bad username / password)?
> Thanks
> Sambuddho
>
> [...]
Re: freeradius with multiple ldap servers
> But I don't have a field in the database by that name.

No, you don't. I am talking about the ldap section of radiusd.conf. You need to set the appropriate radius password attribute.
http://wiki.freeradius.org/index.php/Rlm_ldap

> Also, my question on failover: is the failover used when the first LDAP server is down / unresponsive to connection attempts, or when it is not able to authenticate (for example, bad username / password)?

No response or no user in that ldap database. If the user is present but the password is wrong, the user will be rejected.

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
Hi Andy

Thanks a lot. The problem is that I have a file named ldap inside the /etc/raddb/modules directory and it has two ldap modules, ldap1 and ldap2.

ldap ldap1 {
    server =
    identity = (set the appropriate CN)
    password = password for the above CN
    basedn = ou=People,dc=example,dc=com
    ...
}

ldap ldap1 {
    server =
    identity = (set the appropriate CN)
    password = password for the above CN
    basedn = ou=People,dc=example,dc=com
    ...
}

The first server has a user named 'try' and the second one has one named 'catch'. When I try to perform authentication using the radtest tool with the username and password (say for try), it searches in the LDAP server which doesn't have it and doesn't search the one which actually has the username. When I try with username 'catch', it finds the username and the password but then it goes into auth: type Local and fails.

WARNING: Deprecated conditional expansion :-. See man unlang for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=catch)
expand: ou=People,dc=example,dc=com - ou=People,dc=example,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=catch)
rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user catch authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns ok
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - catch
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 48 to 127.0.0.1 port 1025
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 48 with timestamp +39
Ready to process requests.

I know it's trivial but I have now been struggling with this for a long time. (Freeradius version: 2.05)

Thanks
Sambuddho

On Thu, 2008-07-03 at 12:35 -0700, Andy An wrote:
> Hi Sambuddho:
> I met a similar problem a few weeks ago. You need to set the ldap identity/password for your freeRadius server at modules/ldap, e.g. mine is like:
>
> server = ldap.xxx.ca
> identity = cn=radius,ou=Applications,dc=xxx,dc=ca
> password = password
> basedn = ou=People,dc=xxx,dc=ca
>
> The default setting is read-only anonymous search (i.e. without identity/password setting) and it will fail because the ldap server does not allow anonymous search for other users' passwords.
> Hope this is helpful.
> Andy
>
> [...]
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
Hello

Some progress. Added to ldap.attrmap:

checkItem Crypt-Password userPassword

Added to modules/ldap:

ldap ldap1{
    identity = (root DN)
    password = (password for the root DN)
    password_header={crypt}
    password_attribute=Crypt-Password
    ...
}

ldap ldap2{
    identity = (root DN)
    password = (password for the root DN)
    password_header={crypt}
    password_attribute=Crypt-Password
    ...
}

The radiusd now attempts to connect to the correct LDAP server. However, the attempt fails with an error in binding due to invalid credentials:

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials

The username and password supplied are nevertheless correct. Any hints would be gratefully appreciated.

Thanks
Sambuddho

On Thu, 2008-07-03 at 15:54 -0400, Sambuddho Chakravarty wrote:
> Hi Andy
> Thanks a lot. The problem is that I have a file named ldap inside the /etc/raddb/modules directory and it has two ldap modules, ldap1 and ldap2.
>
> [...]
>
> The first server has a user named 'try' and the second one has one named 'catch'. When I try to perform authentication using the radtest tool with the username and password (say for try), it searches in the LDAP server which doesn't have it and doesn't search the one which actually has the username. When I try with username 'catch', it finds the username and the password but then it goes into auth: type Local and fails.
>
> [...]
>
> I know it's trivial but I have now been struggling with this for a long time. (Freeradius version: 2.05)
> Thanks
> Sambuddho
>
> On Thu, 2008-07-03 at 12:35 -0700, Andy An wrote:
>> Hi Sambuddho:
>> I met a similar problem a few weeks ago. You need to set the ldap identity/password for your freeRadius server at modules/ldap, e.g. mine is like:
>>
>> server = ldap.xxx.ca
>> identity = cn=radius,ou=Applications,dc=xxx,dc=ca
>> password = password
>> basedn = ou=People,dc=xxx,dc=ca
>>
>> The default setting is read-only anonymous search (i.e. without identity/password setting) and it will fail because the ldap server does not allow anonymous search for other users' passwords.
>> Hope this is helpful.
>> Andy
>>
>> [...]
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
> Added to ldap.attrmap:
> checkItem Crypt-Password userPassword

Don't do that. userPassword is already mapped in ldap module:

# password_attribute: Define the attribute which contains the user
# password.
# While integrating FreeRADIUS with Novell eDirectory, set
# 'password_attribute = nspmpassword' in order to use the universal
# password of the eDirectory users for RADIUS authentication. This will
# work only if FreeRADIUS is configured to build with --with-edir option.
#
# default: NULL - don't add password
#
# password_attribute = userPassword

# password_radius_attribute: Defined the RADIUS attribute where the extracted
# user password will be stored to. Can be used to set it to NT-Password or any
# other similar attribute instead of the default
#
# default: User-Password
#
# password_radius_attribute = NT-Password

> Added to modules/ldap:
> ldap ldap1{
>     identity = (root DN)
>     password = (password for the root DN)
>     password_header={crypt}
>     password_attribute=Crypt-Password

No, not password_attribute but password_radius_attribute. password_attribute should remain userPassword (as it is by default).

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
Hello Ivan

Problem still the same. I changed:

On Thu, 2008-07-03 at 22:20 +0100, Ivan Kalik wrote:
>> Added to ldap.attrmap:
>> checkItem Crypt-Password userPassword

Removed this from ldap.attrmap.

> Don't do that. userPassword is already mapped in ldap module:
>
> [...]
>
>> Added to modules/ldap:
>> ldap ldap1{
>>     identity = (root DN)
>>     password = (password for the root DN)
>>     password_header={crypt}
>>     password_attribute=Crypt-Password

Yes, changed this to password_radius_attribute=Crypt-Password. However, if I change to password_attribute=userPassword, the auth type is detected wrongly as Local:

auth: type Local
auth: user supplied User-Password does NOT match local User-Password

Thanks
Sambuddho

> No, not password_attribute but password_radius_attribute. password_attribute should remain userPassword (as it is by default).
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
>> ldap ldap1{
>>     identity = (root DN)
>>     password = (password for the root DN)
>>     password_header={crypt}
>>     password_attribute=Crypt-Password
>
> Yes, changed this to password_radius_attribute=Crypt-Password. However, if I change to password_attribute=userPassword, the auth type is detected wrongly as Local

OK. I had a quick look at the code. It looks like you don't need to use any of those settings at all. You should have a {crypt} header in the userPassword field and the ldap module will put the value into the appropriate attribute on its own (it has auto-header discovery now).

Ivan Kalik
Kalik Informatika ISP
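Ivan's two points in this exchange (the hash belongs in Crypt-Password, set via password_radius_attribute, and a {crypt} header lets the module pick that attribute itself) come down to one decision per userPassword value: which RADIUS check attribute it maps to, and how the supplied clear text is then compared against it. Added example in Python, not FreeRADIUS code: an assumed header-to-attribute table, a from-scratch $1$ MD5-crypt routine so a {crypt} value can be verified offline, and the literal comparison that produced the "does NOT match local User-Password" lines earlier in the thread; the sample password and SSHA salt are constructed.

```python
"""Header-driven check-item selection and password verification for LDAP
userPassword values (added example, not FreeRADIUS code)."""
import base64
import hashlib
import hmac

# Assumed mapping of common LDAP password headers to the RADIUS check
# attribute that carries that kind of value; FreeRADIUS's own table may differ.
HEADER_TO_ATTR = {
    "{crypt}": "Crypt-Password",
    "{md5}": "MD5-Password",
    "{sha}": "SHA-Password",
    "{ssha}": "SSHA-Password",
    "{clear}": "Cleartext-Password",
    "{cleartext}": "Cleartext-Password",
}
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def check_item_for(user_password):
    """Split an LDAP userPassword value into (RADIUS check attribute, value).
    Without a recognised header the value is taken as clear text, which is how
    a bare '$1$...' string ends up being compared literally."""
    if user_password.startswith("{") and "}" in user_password:
        header, _, rest = user_password.partition("}")
        attr = HEADER_TO_ATTR.get(header.lower() + "}")
        if attr:
            return attr, rest
    return "Cleartext-Password", user_password


def _to64(value, count):
    # crypt(3)'s custom base64: least significant 6 bits first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5crypt(password, salt):
    """From-scratch $1$ (MD5-crypt) as used by glibc crypt(3); salt is at most
    8 characters. Illustration only; the real server calls crypt(3)."""
    pw, salt = password.encode(), salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:                      # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):         # the deliberately slow stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return "$1$" + salt + "$" + out + _to64(final[11], 2)


def make_ssha(password, salt):
    """Build an LDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(attribute, stored, supplied):
    """Check a supplied clear-text password against the stored check item."""
    raw = supplied.encode()
    if attribute == "Cleartext-Password":
        return hmac.compare_digest(stored.encode(), raw)
    if attribute == "Crypt-Password":
        if not stored.startswith("$1$"):
            raise ValueError("only $1$ hashes are handled in this example")
        return hmac.compare_digest(md5crypt(supplied, stored.split("$")[2]), stored)
    if attribute == "MD5-Password":
        return hmac.compare_digest(base64.b64decode(stored), hashlib.md5(raw).digest())
    if attribute == "SHA-Password":
        return hmac.compare_digest(base64.b64decode(stored), hashlib.sha1(raw).digest())
    if attribute == "SSHA-Password":
        blob = base64.b64decode(stored)
        return hmac.compare_digest(blob[:20], hashlib.sha1(raw + blob[20:]).digest())
    raise ValueError("unsupported check attribute: " + attribute)


def naive_user_password_check(stored, supplied):
    """What 'auth: type Local' did in the logs above: the hash string that
    landed in User-Password is compared literally with the clear text."""
    return stored == supplied
```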
Re: freeradius with multiple ldap servers
Hello Ivan

Problem still persists. What do you mean by the {crypt} header? These are simple /etc/passwd files converted into an ldif database using the LDAP Migration Scripts from padl.com.

This is what the logs look like (supplied clear text passwd - from radtest):

rlm_ldap: bind as uid=try,ou=People,dc=example,dc=com/trialanderror to 30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
++[ldap1] returns reject
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - try
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

Thanks
Sambuddho

On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> http://wiki.freeradius.org/index.php/Rlm_ldap
> See use of password_header and password_attribute.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 2/7/2008, Sambuddho Chakravarty [EMAIL PROTECTED] writes:
>> Hello
>> I think I know what the problem is. The radius server is looking up using the cleartext password, while the LDAP database stores the hashed passwords. How can I force the radius server to search for the password as a hashed value (rather than searching for the clear-text value)?
>> Thanks
>> Sambuddho
>>
>> On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
>>> Hello Alan
>>> I made sure this time that rlm_ldap was compiled. Now the following is the configuration:
>>>
>>> --- /etc/raddb/modules/ldap ---
>>> ldap ldap1 {
>>>     server = a.b.c.d
>>>     ...
>>> }
>>> ldap ldap2 {
>>>     server = w.x.y.z
>>>     ...
>>> }
>>>
>>> --- /etc/raddb/radiusd.conf ---
>>> authorize {
>>>     ldap1
>>>     ldap2
>>> }
>>> authenticate {
>>>     ldap1
>>>     ldap2
>>> }
>>>
>>> When I execute /sbin/radiusd -X it shows instantiating module ldap1 and module ldap2:
>>>
>>> Module: Instantiating ldap2
>>> ldap ldap1 {
>>>     server = a.b.c.d
>>>     port = 389
>>> Module: Instantiating ldap2
>>> ldap ldap2 {
>>>     server = w.x.y.z
>>>     port = 389
>>>
>>> When sending a radtest request using the following command (from the same machine as the one running the server):
>>>
>>> $ radtest user secret localhost 2 testing123
>>>
>>> I get an ACCESS-REJECT reply from the server. On the server the logs show something like this. It shows binding to both LDAP servers one by one:
>>>
>>> rlm_ldap: performing user authorization for catch
>>> WARNING: Deprecated conditional expansion :-. See man unlang for details
>>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=catch)
>>> expand: ou=People,dc=example,dc=example - ou=People,dc=example,dc=example
>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>> rlm_ldap: attempting LDAP reconnection
>>> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
>>> rlm_ldap: bind as / to 30.0.0.2:389
>>> rlm_ldap: waiting for bind result ...
>>> rlm_ldap: Bind was successful
>>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch)
>>> rlm_ldap: object not found or got ambiguous search result
>>> rlm_ldap: search failed
>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>> ++[ldap1] returns notfound
>>> rlm_ldap: - authorize
>>> rlm_ldap: performing user authorization for catch
>>> WARNING: Deprecated conditional expansion :-. See man unlang for details
>>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=catch)
>>> expand: ou=People,dc=example,dc=example - ou=People,dc=example,dc=example
>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>> rlm_ldap: attempting LDAP reconnection
>>> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
>>> rlm_ldap: bind as / to 10.0.0.1:389
>>> rlm_ldap: waiting for bind result ...
>>> rlm_ldap: Bind was successful
>>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch)
>>> rlm_ldap: object not found or got ambiguous search result
>>> rlm_ldap: search failed
>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>> ++[ldap2] returns notfound
>>> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>>> auth: Failed to validate the user.
>>>
>>> You can see it is attempting to search both databases but fails. If I use a simple telnet or ssh to authenticate against the LDAP server it logs in fine. LDAP client login against the LDAP server is otherwise working fine.
>>> I know I have been bothering you with trivial questions. But any help would be appreciated :-)
>>> Thanks in advance.
>>> Sambuddho
>>>
>>> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
>>>> Sambuddho Chakravarty wrote:
>>>>> This is exactly what I did. I forgot to put the separate module names