Re: How to configure RADIUS on 2 IP address Server

2008-12-11 Thread Alan DeKok
Pongsak Tawankanjanachot wrote:
I started installing, setting, running ./radiusd -X with default
 configuration.

  No.  You've configured the server to proxy requests to itself.  This
is wrong.

 Sending Access-Accept of id 102 to* 192.168.2.45 *
 port 36272
 Framed-MTU = 1400
 NAS-IP-Address = 192.168.25.77 
 NAS-Port = 15
 Finished request 5.
 Going to the next request
 Waking up in 4.9 seconds.
 rad_recv: Access-Accept packet from host 192.168.2.45
  port 1812, id=102, length=38

  You have configured it to proxy requests to itself.  Don't do that.

 My question is why the Access-Accept is to 192.168.2.45
  (It should be 192.168.25.254)?

  Because:

  1) you have 2 interfaces
  2) you haven't used the listen type = proxy configuration to set
 the proxying IP address
  3) You haven't enabled UDPFROMTO in configure
  4) The OS picks a source IP address

  and, you've configured the server to proxy requests to itself.  Don't
do that.

 radiusd:  Opening IP addresses and Ports 
 Listening on authentication address 192.168.25.254
 port 1812
 Listening on accounting address 192.168.25.254
 port 1813
 Listening on proxy address 192.168.25.254 port 1814
 Ready to process requests.

 Seems like RADIUS is listening on 192.168.25.254. :D

  Yes...

 ==
   On Server terminal, I test with radtest test test localhost 0 testing123

 Sending Access-Request of id 103 to 127.0.0.1  port 1812
 User-Name = test
 User-Password = test
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 0

 /There is no response at all/

  Do you understand what IP addresses are?  The server is listening on
192.168.25.254, while you're sending packets to 127.0.0.1.  And you're
*surprised* that the server doesn't respond?  Why?

  It replies!! Seems like it is listening at eth0 192.168.25.254
 BUT when I use RTRadPing Test Utility from local computer-WinXP SP3
 (192.168.25.142 ) asking Authentication Request
 to 192.168.25.254 
 RTRadPing says no response from server, timeout.

  Look at the DEBUG output of the SERVER, not the client.

 What should I do next??
 Somebody can suggest me?
 I think this is just the first step, then I need to install OpenSSL and
 test, a long way to go..

  I would stop trying to configure the server, and start by
understanding how networks work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: wimax support

2008-12-11 Thread Alan DeKok
Ying DONG wrote:
 I have seen the documents related with wimax in the freeradius, files 
 in rlm_wimax directory, dictionary.wimax, /modules/wimax. However,
 I didn't figure out how to configure it to let it use the wimax vendor
 specified attribute.

  You add them to the reply, with values, just like any other attribute.


 I also find the MSK is set to 32 bytes length. I am a little confused.
 Why not set the length to 64 bytes as the standard specified?

  The code generates the MSK as 64 bytes.  If you see it as 32, then
something is wrong.

  Perhaps you could post the debug output.

  Alan DeKok.


accounting bug in Mikrotik

2008-12-11 Thread Santiago Balaguer García

Hi,
 
   I am working with freeradius and mikrotik gateway for a long time, but
recently I detect in my PostgreSQL database, in radacct table some
inconsistencies. First of all, I say that I have the standard configuration
file (postgres.sql) for accounting queries.
  My problem is sometimes the field acctstoptime is full when the user is
connected. I can see the user in my hotspot as alive session. What is my
problem? The issue is all interim update queries are rejected because the SQL
update query does not find the following SQL WHERE:
  AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' AND FramedIPAddress= '%{Framed-IP-Address}' AND AcctStopTime
IS NULL
because AcctStopTime = 'date'

  When is this field filled in? Another thing is when the acctstoptime is not
null, the acctterminatecause = '' too (it is a blank, instead of a NULL value).
 
   Thanks.

Best way of adding custom authentication procedure to Freeradius that works in Windows/Linux platforms?

2008-12-11 Thread Joshua Lim

Hello, 

I'm a newbie, with some delphi/pascal programming skills, but no knowledge of C.

I've been watching Freeradius developments for the last 4 years, and am very 
impressed by how much the community has grown and software has developed since 
then.  Henceforth, i am exploring into the possibility of using freeradius for 
my authentication project.

For the last few days, i've been experimenting with the cygwin version of 
Freeradius (Freeradius.net), and trying to figure out an easy way for me to add 
custom authentication procedure to Freeradius that works on both Windows/Linux 
platforms.

3 methods come into mind, rlm_perl, rlm_exec and custom module.  Custom module 
will be the last resort since it requires greater effort, and hence cost.

Firstly, I've got file and rlm_mysql working on freeradius.net.

Then comes rlm_perl, which was a problem as it wasn't available in the 
freeradius.net installation (not found inside lib folder), so i can't use it.

Next, i tried rlm_exec, and got a no such file error - i tried setting 
different paths in radiusd.conf, but to no avail.

Exec-Program output: Exec-Program: FAILED to execute 
c:/freeradius.net/bin/test.pl:
 No such file or directory
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute c:/freeradius.net/
bin/test.pl: No such file or directory
Exec-Program: returned: 1
rlm_exec (exec): External script failed

For radiusd.conf, i tried c:/freeradius.net/bin/test.pl, 
c:\freeradius.net\bin\test.pl, test.pl, /freeradius.net/bin/test.pl, 
\freeradius.net\bin/test.pl, and also tried placing test.pl on C drive root.

E.g.
exec {
program = c:/freeradius.net/bin/test.pl
wait = yes
input_pairs = request
output_pairs = reply
}



Some questions which i hope someone here experienced can provide me with some 
insights.  :)


1). Is there a way to get the cygwin version of rlm_perl.

2). Why am i facing the path/file not found problem?  Does this mean the cygwin 
version of rlm_exec doesn't work?

3). Are there any other options for me besides rlm_exec and rlm_perl?

4). If i were to implement a custom module, must it be compiled into 
radiusd.exe?  I will want to avoid messing with the cygwin compiled 
radiusd.exe.  And if that is not the case, can i use a crossplatform 
programming language like freepascal to implement the module, instead of C?  


A little info on the custom authentication procedure:

1. I need to provide a double-factor authentication to my users.
2. The first level will be a simple challenge and password (i reckon that this 
can be done using File or MySQL).
3. Upon successful first authentication, the user is not given access-accept, 
instead, he needs to enter a second password (this is the OTP).  The OTP must 
be generated by the custom script/module by accessing some external database - 
this is done immediately after the first authentication has been successfully 
completed.


Thanks in advance.

Rgds,
Joshua


Re: Building FreeRadius

2008-12-11 Thread Abdelmonam Kouka
Salem,

Yeh, I build the 2.1.3 version without problem and without installing
libtool!!! it was great to see that :)

but after running it, I tried to connect as test user but it was rejected!
is this normal, what I did is:
I run:
[EMAIL PROTECTED]:/home/kouka# export LD_LIBRARY_PATH=/usr/local/lib
[EMAIL PROTECTED]:/home/kouka# radiusd -X

then I got many lines then:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.

so via another terminal I run (also as root, because with simple user it
said to me you are not allowed to access a config file under /etc/):
[EMAIL PROTECTED]:/home/kouka# radtest test test localhost 0 testing123

I got in the client terminal this result:
Sending Access-Request of id 210 to 127.0.0.1 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=210,
length=20

and in the server terminal this one:
rad_recv: Access-Request packet from host 127.0.0.1 port 45738, id=210,
length=56
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 210 to 127.0.0.1 port 45738
Waking up in 4.9 seconds.
Cleaning up request 0 ID 210 with timestamp +322
Ready to process requests.



Is that normal? how can I try that all run well?


Best regards.



2008/12/10 Alan DeKok [EMAIL PROTECTED]

 Abdelmonam Kouka wrote:
  I am new on FreeRadius, I tried to build it from sources on ubuntu 8.04,
  when I run ./configure all is OK, but when I run make I have got this
 error:
 
 /home/kouka/Desktop/freeradius-server-2.1.2/src/freeradius-devel/modpriv.h:9:18:

   Delete 2.1.2, and install 2.1.3.  See http://freeradius.org for
 comments.

  Alan DeKok.




-- 

عبد المنعم كوكة
Abdelmonam Kouka
Software Engineer
GNU/Linux user #450141
GPG Fingerprint: EC21 1E4E 5B0C E4E7 0D64  3305 0D62 75C9 2C15 16E0

Some people see things as they are and say why.
I dream things that never were and say why not?
  [George Bernard Shaw]

http://www.ubuntume.com/
http://arabeyes.org/
http://www.ubuntu-tn.org/

Re: wimax support

2008-12-11 Thread tnt
 I also find the MSK is set to 32 bytes length. I am a little confused.
 Why not set the length to 64 bytes as the standard specified?

  The code generates the MSK as 64 bytes.  If you see it as 32, then
something is wrong.

He probably means this (raddb/modules/wimax):

#
#  Some useful things to remember:
#
#  WiMAX-MSK = EAP MSK, but is 32 octets.

Ivan Kalik
Kalik Informatika ISP



RE: wimax support

2008-12-11 Thread Ying DONG
Hi again,

I have figured out that the Freeradius server use the MS_MPPE_Recv_Key and 
MS_MPPE_Send_Key to transport the MSK to the ASN after successful EAP 
authentication.
I find the rlm_wimax.c which computes the MIP key using wimax_postauth() 
function.
However, I don't think the wimax module has been included in the freeradius 
since I could not get any information of mobility keying material generation 
when I tried to print out some information in the wimax_postauth() function. 
Is the wimax module included in the freeradius? Do I have to configure it to 
let it work? Then how to configure it? I have compiled the module and added the 
wimax lib to the freeradius lib. However, it doesn't work.

Thanks,
ying


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 10 December 2008 16:48
To: FreeRadius users mailing list
Subject: Re: wimax support

Ying DONG wrote:
 I am using the freeradius server 2.1.1 as the Radius server in the
 network to authenticate a wimax user.
 
 It seems that it could support the wimax VSA, since I found the
 dictionary.wimax in the dictionary directory.

  If you look at the *rest* of the configuration files, you'll see more
references to WiMAX.  Also, the release announcements, the web page...

 However, in my application, in the Access Accept message, the freeradius
 server Include the attributes  of vendor-id 311 (microsoft), not having
 the  expected attributes of wimax (such as MSK attribute).

  Because you have to configure it to do that.

 I want to how the radius server determine which dictionary it should use
 to response the incoming request?

  That's not how RADIUS works.  It doesn't determine a dictionary to use.

 What I should do to make the freeradius server set the wimax specified
 attribute in the access-accept msg?

  Read raddb/modules/wimax.  This is documented.

  Alan DeKok.

Re: accounting bug in Mikrotik

2008-12-11 Thread tnt
   I am working with freeradius and mikrotik gateway for a long time, but 
 recently I detect in my PostgreSQL database, in radacct table some 
 inconsistencies. First of all, I say that I have the standard configuration
 file (postgres.sql) for accounting queries.
  My problem is sometimes the field acctstoptime is full when the user is
 connected. I can see the user in my hotspot as alive session. What is my
 problem? the issue is all interim update queries are rejected because the SQL
 update query does not find the following SQL WHERE:
  AcctSessionId = '%{Acct-Session-Id}' AND UserName = 
 '%{SQL-User-Name}' AND FramedIPAddress= '%{Framed-IP-Address}' AND 
 AcctStopTime IS NULL
because AcctStopTime = 'date'


If you are using default configuration you should have detail file logs
as well. That log is created for each NAS daily by default (NAS
IP/detail-date). Check the detail file to see if accounting Stop packet
was received while the session was still alive. Accounting Stop packet
should be the only thing that inserts dates there.

Ivan Kalik
Kalik Informatika ISP



Re: Building FreeRadius

2008-12-11 Thread tnt
I run:
[EMAIL PROTECTED]:/home/kouka# export LD_LIBRARY_PATH=/usr/local/lib
[EMAIL PROTECTED]:/home/kouka# radiusd -X

then I got many lines then:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.

so via another terminal I run (also as root, because with simple user it
said to me you are not allowed to access a config file under /etc/):
[EMAIL PROTECTED]:/home/kouka# radtest test test localhost 0 testing123

I got in the client terminal this result:
Sending Access-Request of id 210 to 127.0.0.1 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=210,
length=20

and in the server terminal this one:
rad_recv: Access-Request packet from host 127.0.0.1 port 45738, id=210,
length=56
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 210 to 127.0.0.1 port 45738
Waking up in 4.9 seconds.
Cleaning up request 0 ID 210 with timestamp +322
Ready to process requests.

Where did you put that users password? It's not in users file.

Ivan Kalik
Kalik Informatika ISP



Re: wimax support

2008-12-11 Thread Alan DeKok
Ying DONG wrote:
 I have figured out that the Freeradius server use the MS_MPPE_Recv_Key
 and MS_MPPE_Send_Key to transport the MSK to the ASN after successful
 EAP authentication.

  That is the normal EAP process.

 I find the rlm_wimax.c which computes the MIP key using
 wimax_postauth() function.

  Yes.  It works.

 However, I don't think the wimax module has been included in the
 freeradius since I could not get any information of mobility keying
 material generation when I tried to print out some information in the
 wimax_postauth() function. 

  You need to list wimax in the postauth section.  This is
documented in the raddb/modules/wimax file.

 Is the wimax module included in the freeradius? Do I have to configure
 it to let it work? Then how to configure it? I have compiled the module
 and added the wimax lib to the freeradius lib. However, it doesn't work.

  You need to configure it as instructed in the documentation.

  Alan DeKok.


Re: Building FreeRadius

2008-12-11 Thread Alan DeKok
Abdelmonam Kouka wrote:
 but after running it, I tried to connect as test user but it was
 rejected! is this normal, what I did is:

  It's normal, because you haven't added a test user as suggested in the
FAQ.

  Alan DeKok.


RE: accounting bug in Mikrotik

2008-12-11 Thread Santiago Balaguer García

It is what I thought:  Accounting Stop packet should be the only thing that 
inserts dates.
Thanks.

To: freeradius-users@lists.freeradius.org
Subject: Re: accounting bug in Mikrotik
Date: Thu, 11 Dec 2008 10:59:26 +0100
From: [EMAIL PROTECTED]

 I am working with freeradius and mikrotik gateway for a long time, but
 recently I detect in my PostgreSQL database, in radacct table some
 inconsistencies. First of all, I say that I have the standard configuration
 file (postgres.sql) for accounting queries.
 My problem is sometimes the field acctstoptime is full when the user is
 connected. I can see the user in my hotspot as alive session. What is my
 problem? the issue is all interim update queries are rejected because the SQL
 update query does not find the following SQL WHERE:
 AcctSessionId = '%{Acct-Session-Id}' AND UserName =
 '%{SQL-User-Name}' AND FramedIPAddress= '%{Framed-IP-Address}' AND
 AcctStopTime IS NULL
 because AcctStopTime = 'date'

 If you are using default configuration you should have detail file logs
 as well. That log is created for each NAS daily by default (NAS
 IP/detail-date). Check the detail file to see if accounting Stop packet
 was received while the session was still alive. Accounting Stop packet
 should be the only thing that inserts dates there.

 Ivan Kalik
 Kalik Informatika ISP

Repeated accounting packets

2008-12-11 Thread Santiago Balaguer García

Hi,
In a normal revision of detail file of radius logs I see:
-
Wed Dec 10 18:27:04 2008
    Acct-Status-Type = Alive
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = 00:15:AF:09:5E:B5
    Called-Station-Id = hs-AKIWIFI
    NAS-Port-Id = br-AKIWIFI
    User-Name = aadu0052
    NAS-Port = 2149582184
    Acct-Session-Id = 80200568
    Framed-IP-Address = 10.5.50.88
    Mikrotik-Attr-10 = 0x0a053258
    Location-ID = isocc=es,cc=34,ac=12004,network=AKIWIFI
    Location-Name = AKIWIFI,RteCarceller
    Event-Timestamp = Dec 10 2008 18:27:03 CET
    Acct-Input-Octets = 112613
    Acct-Output-Octets = 1037627
    Acct-Input-Gigawords = 0
    Acct-Output-Gigawords = 0
    Acct-Input-Packets = 1034
    Acct-Output-Packets = 1135
    Acct-Session-Time = 1200
    NAS-Identifier = ESCS0020-HOTCAB001:RteCarceller
    NAS-IP-Address = 192.168.10.2
    Acct-Delay-Time = 0
    Client-IP-Address = 195.53.203.127
    Acct-Unique-Session-Id = c3398d8d08896bc2
    Timestamp = 1228930024

Wed Dec 10 18:27:07 2008
    Acct-Status-Type = Alive
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = 00:15:AF:09:5E:B5
    Called-Station-Id = hs-AKIWIFI
    NAS-Port-Id = br-AKIWIFI
    User-Name = aadu0052
    NAS-Port = 2149582184
    Acct-Session-Id = 80200568
    Framed-IP-Address = 10.5.50.88
    Mikrotik-Attr-10 = 0x0a053258
    Location-ID = isocc=es,cc=34,ac=12004,network=AKIWIFI
    Location-Name = AKIWIFI,RteCarceller
    Event-Timestamp = Dec 10 2008 18:27:03 CET
    Acct-Input-Octets = 112613
    Acct-Output-Octets = 1037627
    Acct-Input-Gigawords = 0
    Acct-Output-Gigawords = 0
    Acct-Input-Packets = 1034
    Acct-Output-Packets = 1135
    Acct-Session-Time = 1200
    NAS-Identifier = ESCS0020-HOTCAB001:RteCarceller
    NAS-IP-Address = 192.168.10.2
    Acct-Delay-Time = 3
    Client-IP-Address = 195.53.203.127
    Acct-Unique-Session-Id = c3398d8d08896bc2
    Timestamp = 1228930027

Wed Dec 10 18:27:10 2008
    Acct-Status-Type = Alive
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = 00:15:AF:09:5E:B5
    Called-Station-Id = hs-AKIWIFI
    NAS-Port-Id = br-AKIWIFI
    User-Name = aadu0052
    NAS-Port = 2149582184
    Acct-Session-Id = 80200568
    Framed-IP-Address = 10.5.50.88
    Mikrotik-Attr-10 = 0x0a053258
    Location-ID = isocc=es,cc=34,ac=12004,network=AKIWIFI
    Location-Name = AKIWIFI,RteCarceller
    Event-Timestamp = Dec 10 2008 18:27:03 CET
    Acct-Input-Octets = 112613
    Acct-Output-Octets = 1037627
    Acct-Input-Gigawords = 0
    Acct-Output-Gigawords = 0
    Acct-Input-Packets = 1034
    Acct-Output-Packets = 1135
    Acct-Session-Time = 1200
    NAS-Identifier = ESCS0020-HOTCAB001:RteCarceller
    NAS-IP-Address = 192.168.10.2
    Acct-Delay-Time = 6
    Client-IP-Address = 195.53.203.127
    Acct-Unique-Session-Id = c3398d8d08896bc2
    Timestamp = 1228930030
---
Is it means that the NAS does not receive the answer from radius server? Yes, 
the NAS timeout = 3 seg during three times.
 

Need help on Accounting Respond

2008-12-11 Thread Do Nguyen Ha
Hi all

i use the FreeRadius to work with Cisco Softswitch SIP Server
i follow the instruction:
http://freeradius.org/radiusd/man/rlm_attr_filter.html
preacct
Filters Accounting-Request packets. 
accounting
Filters Accounting-Response packets. 

i edit the following file :
site-enable/default :
#  Filter attributes from the accounting response.
#attr_filter.accounting_response
preprocess :   with_cisco_vsa_hack = yes
acct_users :   
DEFAULT
User-Name := %{Stripped-User-Name:-%{User-Name}},
h323-return-code := h323-return-code=0


the problem i got in the Accounting respond :
Sending Accounting-Response of id 139 to 172.26.0.8 port 1645
User-Name := 087301
h323-return-code := h323-return-code=0
how do i run the sql query or do something to get the h323-return-code in the 
Accounting Request


Thanks
Ha`

Re: Is 2.1.3 sqlippool fast enough?

2008-12-11 Thread Alan DeKok
Dave wrote:
 I have had a number of problems with 1.1.7 and sqlippool that its simply
 not able to process more than 10-20 connections at any one time.

  The SQL ippool module in 1.1.7 has issues.

 I will upgrade to 2.1.3 if its capable of handing 50-80 connections at
 one time?  Does any one know?

  The module works better in 2.1.3.  Any other connection issues are
likely due to database locking problems.

  Alan DeKok.


Re: about the source code in version 2.1.3

2008-12-11 Thread Alan DeKok
neoo wrote:
 Hi,all
 I'm not clear about two things.
 1) in the file freeradius-server-2.1.3/src/main/radiusd.c, at the line
 103-105:
 
 103  #ifdef OSFC2
 104 set_auth_parameters(argc,argv);
 105 #endif
 
 what's this checked for ?  it's about security or something?

  It's OSFC2 magic.  I have no idea what it means.

 2)  in the file freeradius-server-2.1.3/src/main/event.c  at line 2874:
 
 why ,it check the pointer el and not pl ?

  It's a bug.  I've fixed it in git.freeradius.org.

  Alan DeKok.


Re: Repeated accounting packets

2008-12-11 Thread tnt
In a normal revision of detail file of radius logs I see:
-
Wed Dec 10 18:27:04 2008
    Acct-Status-Type = Alive
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = 00:15:AF:09:5E:B5
    Called-Station-Id = hs-AKIWIFI
    NAS-Port-Id = br-AKIWIFI
    User-Name = aadu0052
    NAS-Port = 2149582184
    Acct-Session-Id = 80200568
    Framed-IP-Address = 10.5.50.88
    Mikrotik-Attr-10 = 0x0a053258
    Location-ID = isocc=es,cc=34,ac=12004,network=AKIWIFI
    Location-Name = AKIWIFI,RteCarceller
    Event-Timestamp = Dec 10 2008 18:27:03 CET
    Acct-Input-Octets = 112613
    Acct-Output-Octets = 1037627
    Acct-Input-Gigawords = 0
    Acct-Output-Gigawords = 0
    Acct-Input-Packets = 1034
    Acct-Output-Packets = 1135
    Acct-Session-Time = 1200
    NAS-Identifier = ESCS0020-HOTCAB001:RteCarceller
    NAS-IP-Address = 192.168.10.2
    Acct-Delay-Time = 0
    Client-IP-Address = 195.53.203.127
    Acct-Unique-Session-Id = c3398d8d08896bc2
    Timestamp = 1228930024

Wed Dec 10 18:27:07 2008
    Acct-Status-Type = Alive
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = 00:15:AF:09:5E:B5
    Called-Station-Id = hs-AKIWIFI
    NAS-Port-Id = br-AKIWIFI
    User-Name = aadu0052
    NAS-Port = 2149582184
    Acct-Session-Id = 80200568
    Framed-IP-Address = 10.5.50.88
    Mikrotik-Attr-10 = 0x0a053258
    Location-ID = isocc=es,cc=34,ac=12004,network=AKIWIFI
    Location-Name = AKIWIFI,RteCarceller
    Event-Timestamp = Dec 10 2008 18:27:03 CET
    Acct-Input-Octets = 112613
    Acct-Output-Octets = 1037627
    Acct-Input-Gigawords = 0
    Acct-Output-Gigawords = 0
    Acct-Input-Packets = 1034
    Acct-Output-Packets = 1135
    Acct-Session-Time = 1200
    NAS-Identifier = ESCS0020-HOTCAB001:RteCarceller
    NAS-IP-Address = 192.168.10.2
    Acct-Delay-Time = 3
    Client-IP-Address = 195.53.203.127
    Acct-Unique-Session-Id = c3398d8d08896bc2
    Timestamp = 1228930027

Wed Dec 10 18:27:10 2008
    Acct-Status-Type = Alive
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = 00:15:AF:09:5E:B5
    Called-Station-Id = hs-AKIWIFI
    NAS-Port-Id = br-AKIWIFI
    User-Name = aadu0052
    NAS-Port = 2149582184
    Acct-Session-Id = 80200568
    Framed-IP-Address = 10.5.50.88
    Mikrotik-Attr-10 = 0x0a053258
    Location-ID = isocc=es,cc=34,ac=12004,network=AKIWIFI
    Location-Name = AKIWIFI,RteCarceller
    Event-Timestamp = Dec 10 2008 18:27:03 CET
    Acct-Input-Octets = 112613
    Acct-Output-Octets = 1037627
    Acct-Input-Gigawords = 0
    Acct-Output-Gigawords = 0
    Acct-Input-Packets = 1034
    Acct-Output-Packets = 1135
    Acct-Session-Time = 1200
    NAS-Identifier = ESCS0020-HOTCAB001:RteCarceller
    NAS-IP-Address = 192.168.10.2
    Acct-Delay-Time = 6
    Client-IP-Address = 195.53.203.127
    Acct-Unique-Session-Id = c3398d8d08896bc2
    Timestamp = 1228930030
---
Is it means that the NAS does not receive the answer from radius server? Yes, 
the NAS timeout = 3 seg during three times.
 

That would be quite likely. This is the update at 20 minutes session time
repeated 3 times. You will have to check Mikrotik log for that.

Ivan Kalik
Kalik Informatika ISP
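
The two detail-file checks suggested in the replies on this page (an accounting Stop logged while the session still sends updates, and one interim update logged several times with a growing Acct-Delay-Time) can be scripted. This is an added example, not code from the thread or from FreeRADIUS; the function names are hypothetical and the sample records are constructed (session 80200568 reuses values quoted above, session 80200999 is invented).

```python
from collections import defaultdict

# Constructed sample in detail-file layout: a timestamp line, then indented
# "Attribute = value" lines, with a blank line between records.
SAMPLE = """\
Wed Dec 10 18:27:04 2008
\tAcct-Status-Type = Alive
\tAcct-Session-Id = "80200568"
\tAcct-Session-Time = 1200
\tAcct-Delay-Time = 0
\tAcct-Unique-Session-Id = "c3398d8d08896bc2"

Wed Dec 10 18:27:07 2008
\tAcct-Status-Type = Alive
\tAcct-Session-Id = "80200568"
\tAcct-Session-Time = 1200
\tAcct-Delay-Time = 3
\tAcct-Unique-Session-Id = "c3398d8d08896bc2"

Wed Dec 10 18:27:10 2008
\tAcct-Status-Type = Alive
\tAcct-Session-Id = "80200568"
\tAcct-Session-Time = 1200
\tAcct-Delay-Time = 6
\tAcct-Unique-Session-Id = "c3398d8d08896bc2"

Wed Dec 10 18:30:00 2008
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "80200999"
\tAcct-Session-Time = 600
\tAcct-Delay-Time = 0
\tAcct-Unique-Session-Id = "0000000000000001"

Wed Dec 10 18:40:00 2008
\tAcct-Status-Type = Alive
\tAcct-Session-Id = "80200999"
\tAcct-Session-Time = 1200
\tAcct-Delay-Time = 0
\tAcct-Unique-Session-Id = "0000000000000001"
"""


def parse_detail(text):
    """Return one dict per record; the timestamp line is kept as '_header'."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():            # blank line ends the current record
            current = None
        elif not line[0].isspace():     # unindented line starts a new record
            current = {"_header": line.strip()}
            records.append(current)
        elif current is not None:
            name, sep, value = line.strip().partition(" = ")
            if sep:
                current[name] = value.strip('"')
    return records


def session_key(rec):
    """Prefer Acct-Unique-Session-Id; fall back to NAS address + session id."""
    return rec.get("Acct-Unique-Session-Id") or (
        rec.get("NAS-IP-Address"), rec.get("Acct-Session-Id"))


def find_retransmits(records):
    """Same session, status and Acct-Session-Time logged more than once.

    A NAS that gets no Accounting-Response resends the packet with a larger
    Acct-Delay-Time, so each resend is written to the detail file again.
    """
    groups = defaultdict(list)
    for rec in records:
        key = (session_key(rec), rec.get("Acct-Status-Type"),
               rec.get("Acct-Session-Time"))
        groups[key].append(int(rec.get("Acct-Delay-Time", 0)))
    return [{"session": k[0], "status": k[1], "session_time": k[2], "delays": d}
            for k, d in groups.items() if len(d) > 1]


def find_updates_after_stop(records):
    """Interim updates that arrive after a Stop for the same session."""
    stopped, hits = {}, []
    for rec in records:
        key, status = session_key(rec), rec.get("Acct-Status-Type")
        if status == "Stop":
            stopped.setdefault(key, rec["_header"])
        elif status in ("Alive", "Interim-Update") and key in stopped:
            hits.append({"session": key, "stop_at": stopped[key],
                         "update_at": rec["_header"]})
    return hits


if __name__ == "__main__":
    recs = parse_detail(SAMPLE)
    for hit in find_retransmits(recs):
        print("retransmitted:", hit)
    for hit in find_updates_after_stop(recs):
        print("update after Stop:", hit)
```
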



Re: Need help on Accounting Respond

2008-12-11 Thread tnt
i use the FreeRadius to work with Cisco Softswitch SIP Server
i follow the instruction:
http://freeradius.org/radiusd/man/rlm_attr_filter.html
preacct
Filters Accounting-Request packets. 
accounting
Filters Accounting-Response packets. 

i edit the following file :
site-enable/default :
#  Filter attributes from the accounting response.
#attr_filter.accounting_response
preprocess :   with_cisco_vsa_hack = yes
acct_users :   
DEFAULT
User-Name := %{Stripped-User-Name:-%{User-Name}},
h323-return-code := h323-return-code=0


the problem i got in the Accounting respond :
Sending Accounting-Response of id 139 to 172.26.0.8 port 1645
User-Name := 087301
h323-return-code := h323-return-code=0
how do i run the sql query or do something to get the h323-return-code in the 
Accounting Request

Read man unlang.

Ivan Kalik
Kalik Informatika ISP



Re: Building FreeRadius

2008-12-11 Thread Abdelmonam Kouka
I didn't add any user neither password, in fact I followed what I read on
the INSTALL file, it indicates to test with this command and I did.

2008/12/11 [EMAIL PROTECTED]

 I run:
 [EMAIL PROTECTED]:/home/kouka# export LD_LIBRARY_PATH=/usr/local/lib
 [EMAIL PROTECTED]:/home/kouka# radiusd -X
 
 then I got many lines then:
 Listening on authentication address * port 1812
 Listening on accounting address * port 1813
 Listening on proxy address * port 1814
 Ready to process requests.
 
 so via another terminal I run (also as root, because with simple user it
 said to me you are not allowed to access a config file under /etc/):
 [EMAIL PROTECTED]:/home/kouka# radtest test test localhost 0 testing123
 
 I got in the client terminal this result:
 Sending Access-Request of id 210 to 127.0.0.1 port 1812
 User-Name = test
 User-Password = test
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 0
 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=210,
 length=20
 
 and in the server terminal this one:
 rad_recv: Access-Request packet from host 127.0.0.1 port 45738, id=210,
 length=56
 User-Name = test
 User-Password = test
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 0
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 [suffix] No '@' in User-Name = test, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[unix] returns notfound
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING! No known good password found for the user.
  Authentication
 may fail because of this.
 ++[pap] returns noop
 No authenticate method (Auth-Type) configuration found for the request:
 Rejecting the user
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
 [attr_filter.access_reject] expand: %{User-Name} - test
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request
 Waking up in 0.9 seconds.
 Sending delayed reject for request 0
 Sending Access-Reject of id 210 to 127.0.0.1 port 45738
 Waking up in 4.9 seconds.
 Cleaning up request 0 ID 210 with timestamp +322
 Ready to process requests.

 Where did you put that users password? It's not in users file.

 Ivan Kalik
 Kalik Informatika ISP

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 

عبد المنعم كوكة
Abdelmonam Kouka
Software Engineer
GNU/Linux user #450141
GPG Fingerprint: EC21 1E4E 5B0C E4E7 0D64  3305 0D62 75C9 2C15 16E0

Some people see things as they are and say why.
I dream things that never were and say why not?
  [George Bernard Shaw]

http://www.ubuntume.com/
http://arabeyes.org/
http://www.ubuntu-tn.org/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Building FreeRadius

2008-12-11 Thread Abdelmonam Kouka
OK, I understand now, I thought that there is a default user for test or
admin, so I will start with the FAQ

Thanks to all of you

2008/12/11 Alan DeKok [EMAIL PROTECTED]

 Abdelmonam Kouka wrote:
  but after running it, I tried to connect as test user but it was
  rejected! is this normal, what I did is:

   It's normal, because you haven't added a test user as suggested in the
 FAQ.

  Alan DeKok.

Re: Building FreeRadius

2008-12-11 Thread A . L . M . Buxey
Hi,
 I didn't add any user neither password, in fact I followed what I read on
 the INSTALL file, it indicates to test with this command and I did.

you are right - it doesn't. a small oversight I guess. however.
reading any other installation and 'how it works' guide will
clearly show how to add basic users into the users file.

if FreeRADIUS shipped with a default working account then that
would be a major security issue as it would have known
credentials and I would bet that 90% (or more!) of FreeRADIUS
installs wouldn't have such a default entry removed!!

ha ha


anyway, there are some other test entries already waiting
for you in the users file - they just need to be uncommented
and then FreeRADIUS restarting to take effect


alan


Re: Building FreeRadius

2008-12-11 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Hi,
 I didn't add any user neither password, in fact I followed what I read on
 the INSTALL file, it indicates to test with this command and I did.
 
 you are right - it doesn't. a small oversight I guess.

  No.  The INSTALL file says:

   It doesn't matter if the
  authentication request is accepted or rejected, what matters is that
  the server received the request, and responded to it.

  Getting a Reject is FINE.  It's DOCUMENTED.

  Alan DeKok.



Re: Building FreeRadius

2008-12-11 Thread tnt
I didn't add any user neither password, in fact I followed what I read on
the INSTALL file, it indicates to test with this command and I did.


Then you read this as well:

It doesn't matter if the authentication request is accepted or
rejected, what matters is that the server received the request, and
responded to it.

Ivan Kalik
Kalik Informatika ISP



Re: Building FreeRadius

2008-12-11 Thread Abdelmonam Kouka
Yeah, I read it, but this "if" made me not sure. If the sentence was "the
authentication request will be rejected, it is not a problem, what matters
is that the server received the request, and responded to it", I wouldn't
ask my question, but as I said this "if" forced me to ask to be sure of what
happens exactly.

Regards

2008/12/11 Alan DeKok [EMAIL PROTECTED]

 [EMAIL PROTECTED] wrote:
  Hi,
  I didn't add any user neither password, in fact I followed what I read
 on
  the INSTALL file, it indicates to test with this command and I did.
 
  you are right - it doesn't. a small oversight I guess.

   No.  The INSTALL file says:

   It doesn't matter if the
  authentication request is accepted or rejected, what matters is that
  the server received the request, and responded to it.

   Getting a Reject is FINE.  It's DOCUMENTED.

  Alan DeKok.


Re: client certs

2008-12-11 Thread Andrew Hood
[EMAIL PROTECTED] wrote:

 Try attached Makefile. It has been altered so client certificates are
 signed by the ca and not server certificate. I was unable to
 persuade up-to-date Windows PCs to accept server certificate as an
 Intermediate CA. Changing the issuer resolved the problem.

Shouldn't that be:


$ diff  Makefile.20081211 Makefile
92c92
   openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr
-key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext
-extfile xpextensions -config ./client.cnf
---
   openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr
-key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile
xpextensions -config ./client.cnf
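
Review bot: the -key value on line 92 is expanded into the openssl ca command line, so the password protecting ca.key is readable in the process list for as long as the command runs; -passin file:<path> or -passin env:<name> supplies the same password without placing it in argv. The variable change itself is consistent with -keyfile ca.key -cert ca.pem: the password has to belong to the key that signs, and $(PASSWORD_SERVER) would only work where the two passwords are identical.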


-- 
REALITY.SYS not found: Universe halted.


Re: Building FreeRadius

2008-12-11 Thread tnt
Yeah, I read it, but this "if" made me not sure. If the sentence was "the
authentication request will be rejected, it is not a problem, what matters
is that the server received the request, and responded to it", I wouldn't
ask my question, but as I said this "if" forced me to ask to be sure of what
happens exactly.

Well, some people bother to read more than just INSTALL file, discover
how to create users and their requests don't get rejected.

Ivan Kalik
Kalik Informatika ISP



Re: client certs

2008-12-11 Thread tnt
Shouldn't that be:


$ diff  Makefile.20081211 Makefile
92c92
   openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr
-key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext
-extfile xpextensions -config ./client.cnf
---
   openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr
-key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile
xpextensions -config ./client.cnf


It should.

Ivan Kalik
Kalik Informatika ISP



Re: Best way of adding custom authentication procedure to Freeradius that works in Windows/Linux platforms?

2008-12-11 Thread Alan DeKok
Joshua Lim wrote:
 1). Is there a way to get the cygwin version of rlm_perl.

  Compile it yourself from source.

 2). Why am i facing the path/file not found problem?  Does this mean the
 cygwin version of rlm_exec doesn't work?

  No idea.  It's a cygwin issue.

 3). Are there any other options for me besides rlm_exec and rlm_perl?

  Creating a native port of FreeRADIUS to Windows, or paying for one.

 4). If i were to implement a custom module, must it be compiled into
 radiusd.exe?  I will want to avoid messing with the cygwin compiled
 radiusd.exe.  And if that is not the case, can i use a crossplatform
 programming language like freepascal to implement the module, instead of
 C? 

  The server is written in C, not pascal.

 
 A little info on the custom authentication procedure:
 
 1. I need to provide a double-factor authentication to my users.
 2. The first level will be a simple challenge and password (i reckon
 that this can be done using File or MySQL).

  Maybe.

 3. Upon successful first authentication, the user is not given
 access-accept, instead, he needs to enter a second password (this is the
 OTP).  The OTP must be generated by the custom script/module by
 accessing some external database - this is done immediately after the
 first authentication has been successfully completed.

  You will need a custom module to do this.

  Alan DeKok.


Re: Slightly OT: Problem with Vista

2008-12-11 Thread tnt
I have a problem with a Laptop with Vista (EAP-PEAP, and EAP-TTLS
either won't work)

tcpdump on access point outputs:


Post freeradius debug.

Ivan Kalik
Kalik Informatika ISP



Slightly OT: Problem with Vista

2008-12-11 Thread Sergio Belkin
I have a problem with a Laptop with Vista (EAP-PEAP, and EAP-TTLS
either won't work)

tcpdump on access point outputs:




Problems with starting radiusd (2.1.3 - latest)

2008-12-11 Thread al pat
Hi,
I got the latest tarball (source) from freeradius.org and after untar'ing -
did configure/make/install

I can't start up the server.

[EMAIL PROTECTED]:/usr/local/sbin# rc.radiusd start

Starting FreeRADIUS:/usr/local/sbin/radiusd: error while loading shared
libraries: libfreeradius-radius-2.1.3.so: cannot open shared object file: No
such file or directory

radiusd

[EMAIL PROTECTED]:/usr/local/sbin# radiusd -X

radiusd: error while loading shared libraries: libfreeradius-radius-2.1.3.so:
cannot open shared object file: No such file or directory

[EMAIL PROTECTED]:/usr/local/sbin#

I am using ubuntu latest release with linux kernel 2.6.24-19

I have removed the freeradius (using apt-get remove freeradius). When I
installed it showed version 1.1.7 (old?)

Any inputs on what's happening?

thx
-a

Re: Slightly OT: Problem with Vista

2008-12-11 Thread A . L . M . Buxey
hi,

which version of FreeRADIUS are you using?

alan


Re: Problems with starting radiusd (2.1.3 - latest)

2008-12-11 Thread Alan DeKok
al pat wrote:
 I can't start up the server.
 
 [EMAIL PROTECTED]:/usr/local/sbin# rc.radiusd start
 
 Starting FreeRADIUS:/usr/local/sbin/radiusd: error while loading shared
 libraries: libfreeradius-radius-2.1.3.so: cannot open shared object file:
 No such file or directory

  You have installed the server over a pre-existing configuration.  Odds
are that the *old* radiusd.conf is still around.

  Ensure that you get rid of *all* traces of the old installation before
installing a new one. apt-get remove freeradius does NOT remove the
configuration directory.

  Alan DeKok.


SSL Cert bootstrap script

2008-12-11 Thread Charles Plater
I've used the bootstrap script to build certs for our radius server  
(2.0.5 on FreeBSD) and I've set all of the .cnf files w/ the following:


default_days= 3650
default_crl_days= 3650


My problem is that the ca.der file that is created has an expiration  
date of 30 days. Can anyone point me in the direction of what I'm  
doing wrong?


Thanks in advance.
--
Charles Plater
Lead Application Technical Analyst
Internet Services
+1-313-577-4620
[EMAIL PROTECTED]


Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP

2008-12-11 Thread Alan DeKok
Attou eric wrote:
 We are having some issues in setting up freeradius to support EAP-TLS,
 EAP-TTLS and EAP-PEAP.
 Our goal is to have our authentication server providing those three
 Auth-Type simultaneously.
 To support EAP-TLS, we generate our CA and certificates via TinyCA.

  Please read eap.conf.  You need certain things in the certificates for
PEAP to work on Windows.  I'm not sure that TinyCA does the right thing
here.

 We also add radius' log after an authentication attempt from  windows XP OS  
 using windows built in supplicant by supplying a username and password
 stored in
 our /etc/passwd file.

  PEAP will NOT work with /etc/passwd.  It's impossible.


 But the authentication failed with this
 error message :
  
 *rlm_eap: identity does not match User-Name, setting from EAP identity*
  
 Radius logs 
 ...Thu Dec 11 14:59:10 2008 : Debug: main {

  Please *follow* the instructions in the FAQ, README, INSTALL, and
man page.  We want radiusd -X, not radiusd -xX.  Adding the dates
makes the debug output harder to read.

  Note also that the debug output *includes* the configuration.  So
there's no need to post it separately.  And we don't ask for it, either.

 Sending Access-Request of id 200 to 127.0.0.1 port 1812
...
 rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=200,
 length=143

  Could you explain why you're proxying the packet from the server to
itself?  This isn't necessary.  It's also bad.

 Thu Dec 11 15:00:37 2008 : Error: rlm_eap: Identity does not match
 User-Name, setting from EAP Identity.

  Your supplicant is broken.  The two fields should match.

  Or, you're editing the User-Name.  Don't do that.

 Is there something wrong in our configurations?
 Is it normal that there is no User-Password attribute in Access-Request
 packet?

  Yes.  This is how EAP works.

  Alan DeKok.


Re: SSL Cert bootstrap script

2008-12-11 Thread Alan DeKok
Charles Plater wrote:
 I've used the bootstrap script to build certs for our radius server
 (2.0.5 on FreeBSD) and I've set all of the .cnf files w/ the following:
 
 default_days= 3650
 default_crl_days= 3650
 
 
 My problem is that the ca.der file that is created has an expiration
 date of 30 days. Can anyone point me in the direction of what I'm doing
 wrong?

  It's a bug in OpenSSL.

  The FreeRADIUS files were fixed to work around this in version 2.1.3.
 You can grab the fixes in raddb/certs/Makefile.

  Alan DeKok.


Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP

2008-12-11 Thread tnt
We are having some issues in setting up freeradius to support EAP-TLS, 
EAP-TTLS and EAP-PEAP.
Our goal is to have our authentication server providing those three Auth-Type 
simultaneously.
To support EAP-TLS, we generate our CA and certificates via TinyCA.

We also add radius' log after an authentication attempt from  windows XP OS

using windows built in supplicant by supplying a username and password stored 
in 

our /etc/passwd file. But the authentication failed with this error message :
 
rlm_eap: identity does not match User-Name, setting from EAP identity
 
Thu Dec 11 14:59:10 2008 : Debug: radiusd:  Loading Realms and Home 
Servers 
Thu Dec 11 14:59:10 2008 : Debug:  proxy server {
Thu Dec 11 14:59:10 2008 : Debug:       retry_delay = 5
Thu Dec 11 14:59:10 2008 : Debug:       retry_count = 3
Thu Dec 11 14:59:10 2008 : Debug:       default_fallback = no
Thu Dec 11 14:59:10 2008 : Debug:       dead_time = 120
Thu Dec 11 14:59:10 2008 : Debug:       wake_all_if_all_dead = no
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug:  home_server localhost {
Thu Dec 11 14:59:10 2008 : Debug:       ipaddr = 127.0.0.1
Thu Dec 11 14:59:10 2008 : Debug:       port = 1812
Thu Dec 11 14:59:10 2008 : Debug:       type = auth
Thu Dec 11 14:59:10 2008 : Debug:       secret = testing123
Thu Dec 11 14:59:10 2008 : Debug:       response_window = 20
Thu Dec 11 14:59:10 2008 : Debug:       max_outstanding = 65536
Thu Dec 11 14:59:10 2008 : Debug:       zombie_period = 40
Thu Dec 11 14:59:10 2008 : Debug:       status_check = status-server
Thu Dec 11 14:59:10 2008 : Debug:       ping_check = none
Thu Dec 11 14:59:10 2008 : Debug:       ping_interval = 30
Thu Dec 11 14:59:10 2008 : Debug:       check_interval = 30
Thu Dec 11 14:59:10 2008 : Debug:       num_answers_to_alive = 3
Thu Dec 11 14:59:10 2008 : Debug:       num_pings_to_alive = 3
Thu Dec 11 14:59:10 2008 : Debug:       revive_interval = 120
Thu Dec 11 14:59:10 2008 : Debug:       status_check_timeout = 4
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug:  home_server_pool my_auth_failover {
Thu Dec 11 14:59:10 2008 : Debug:       type = fail-over
Thu Dec 11 14:59:10 2008 : Debug:       home_server = localhost
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug:  realm uac.bj {
Thu Dec 11 14:59:10 2008 : Debug:       auth_pool = my_auth_failover
Thu Dec 11 14:59:10 2008 : Debug:  }

You have configured the server to proxy requests to itself. Don't do
that. Configure it as local realm (just {}).

..
rad_recv: Access-Request packet from host 172.21.1.251 port 1035, id=233, 
length=145
        User-Name = [EMAIL PROTECTED]
        NAS-IP-Address = 172.21.1.251
        Connect-Info = CONNECT 802.11
        Called-Station-Id = 0060b33573b4
        Calling-Station-Id = 000e35dfc4c9
        NAS-Identifier = ap
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 40
        NAS-Port-Id = 40
        Framed-MTU = 1400
        EAP-Message = 0x0269001001746f746f407561632e626a
        Message-Authenticator = 0x4047d95682a4670d24da3c2fa434814e
..
Thu Dec 11 15:00:37 2008 : Debug: rlm_passwd: Added MD5-Password: 
'HsrtQesmWHodM:14211::' to config_items

That's not going to work with PEAP.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
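
The Access-Request quoted in this thread carries no User-Password because the credentials travel inside EAP-Message; decoding that attribute shows the EAP Identity that the "Identity does not match User-Name" message is about. This is an added example, not code from the thread or from FreeRADIUS: the function names are hypothetical, the comparison is assumed to be an exact string match, and the User-Name values in the demo are constructed because the archive redacts the original.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

# EAP-Message value copied from the debug output quoted on this page.
PAGE_EAP_MESSAGE = "0x0269001001746f746f407561632e626a"


def reassemble_eap(eap_message_values):
    """Concatenate the EAP-Message attributes of one RADIUS packet, in order.

    RFC 3579 splits an EAP packet longer than 253 octets over several
    EAP-Message attributes; the receiver joins them before parsing.
    """
    return b"".join(
        bytes.fromhex(v[2:] if v.lower().startswith("0x") else v)
        for v in eap_message_values
    )


def parse_eap(packet):
    """Parse the EAP header (Code, Identifier, Length) and, if present, Type."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 octets")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field does not fit the data")
    parsed = {
        "code": EAP_CODES.get(code, "unknown(%d)" % code),
        "id": identifier,
        "length": length,
        "type": None,
        "data": b"",
    }
    if code in (1, 2):  # only Request and Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        parsed["type"] = packet[4]
        parsed["data"] = packet[5:length]
    return parsed


def check_identity(eap_message_values, user_name):
    """Compare an EAP-Response/Identity with the RADIUS User-Name.

    Assumption of this example: the two must be identical strings.
    """
    eap = parse_eap(reassemble_eap(eap_message_values))
    if eap["code"] != "Response" or eap["type"] != EAP_TYPE_IDENTITY:
        return {"identity": None, "matches_user_name": None}
    identity = eap["data"].decode("utf-8", errors="replace")
    return {"identity": identity, "matches_user_name": identity == user_name}


def demo():
    identity = check_identity([PAGE_EAP_MESSAGE], "")["identity"]
    # Constructed User-Name: the same identity with its realm removed, as a
    # NAS or a policy that edits User-Name might send it.
    edited = identity.split("@", 1)[0]
    return {
        "packet": parse_eap(reassemble_eap([PAGE_EAP_MESSAGE])),
        "same": check_identity([PAGE_EAP_MESSAGE], identity),
        "edited": check_identity([PAGE_EAP_MESSAGE], edited),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```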


Re: SSL Cert bootstrap script

2008-12-11 Thread Ted Lum

Sure, http://bugs.freeradius.org/show_bug.cgi?id=615

-Ted-

Charles Plater wrote:
I've used the bootstrap script to build certs for our radius server 
(2.0.5 on FreeBSD) and I've set all of the .cnf files w/ the following:


default_days= 3650
default_crl_days= 3650


My problem is that the ca.der file that is created has an expiration 
date of 30 days. Can anyone point me in the direction of what I'm 
doing wrong?


Thanks in advance.
--
Charles Plater
Lead Application Technical Analyst
Internet Services
+1-313-577-4620
[EMAIL PROTECTED]




FreeRADIUS Proxy Problem

2008-12-11 Thread Eric Van Tol
Hi all,
I've got a really frustrating problem with FreeRADIUS trying to proxy to a 
Microsoft IAS.  I'm using FR 1.0.1 (I know, it's old).  The problem is that I 
have proxying configured, but I keep getting Access-Reject back from the IAS.  
The IAS says that I used an unknown username or password, but I know that the 
username and password is correct.  I know this because I have a test FR box 
with the same config and same version (1.0.1) that works fine.

I assume that the User-Password is not being passed on properly, but I can't 
imagine why.  I looked into the PAP authentication config and both the working 
test box and the non-working production box are configured to use 'crypt'.  Can 
anyone point me in the right direction?

Thanks,
evt



Re: FreeRADIUS Proxy Problem

2008-12-11 Thread Alan DeKok
Eric Van Tol wrote:
 Hi all,
 I've got a really frustrating problem with FreeRADIUS trying to proxy to a 
 Microsoft IAS.  I'm using FR 1.0.1 (I know, it's old).  The problem is that I 
 have proxying configured, but I keep getting Access-Reject back from the IAS. 
  The IAS says that I used an unknown username or password, but I know that 
 the username and password is correct.  I know this because I have a test FR 
 box with the same config and same version (1.0.1) that works fine.

 The shared secret is wrong.

 I assume that the User-Password is not being passed on properly, but I can't 
 imagine why.  I looked into the PAP authentication config and both the 
 working test box and the non-working production box are configured to use 
 'crypt'.  Can anyone point me in the right direction?

  Huh?  The proxy configuration of crypt has *nothing* to do with this.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
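
Why a shared-secret mismatch is a usual suspect when a home server reports a bad password for credentials that are known to be right: User-Password is masked with MD5 of the secret (RFC 2865 section 5.2), so a receiver holding a different secret still decodes something, just not the password, and only a signed request (Message-Authenticator) lets it tell the two cases apart. This is an added example, not code from the thread or from FreeRADIUS; the function names, the fixed authenticator and the second secret are constructed, and test/test/testing123 are the radtest values used elsewhere on this page.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def _attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-octet block with MD5(secret + previous)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + bytes(-len(password) % 16) or bytes(16)
    hidden, previous = b"", authenticator
    for offset in range(0, len(padded), 16):
        mask = hashlib.md5(secret + previous).digest()
        previous = bytes(p ^ m for p, m in zip(padded[offset:offset + 16], mask))
        hidden += previous
    return hidden


def recover_password(hidden, secret, authenticator):
    """Receiver side. A wrong secret gives garbage here, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-zero multiple of 16 octets")
    clear, previous = b"", authenticator
    for offset in range(0, len(hidden), 16):
        block = hidden[offset:offset + 16]
        mask = hashlib.md5(secret + previous).digest()
        clear += bytes(c ^ m for c, m in zip(block, mask))
        previous = block
    return clear.rstrip(b"\x00")


def build_access_request(ident, authenticator, secret, user, password, sign=True):
    attrs = _attr(USER_NAME, user)
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    if sign:
        attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + authenticator + attrs
    if sign:
        # RFC 3579 section 3.2: HMAC-MD5 over the whole packet, keyed with the
        # shared secret, computed while the attribute value is all zeros.
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


def read_access_request(packet, secret):
    """Decode User-Name and User-Password and verify Message-Authenticator if present."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    authenticator = packet[4:20]
    seen = {"user": None, "password": None, "signature_ok": None}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == USER_NAME:
            seen["user"] = value
        elif attr_type == USER_PASSWORD:
            seen["password"] = recover_password(value, secret, authenticator)
        elif attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + attr_len:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            seen["signature_ok"] = hmac.compare_digest(expected, value)
        pos += attr_len
    return seen


# Constructed sample: fixed authenticator for repeatability; a real client
# uses 16 unpredictable octets per request.
SAMPLE_AUTHENTICATOR = bytes(range(16))


def demo():
    args = (210, SAMPLE_AUTHENTICATOR, b"testing123", b"test", b"test")
    signed = build_access_request(*args)
    unsigned = build_access_request(*args, sign=False)
    return {
        "same secret": read_access_request(signed, b"testing123"),
        "different secret, signed": read_access_request(signed, b"testing124"),
        "different secret, unsigned": read_access_request(unsigned, b"testing124"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

In the unsigned case the receiver has nothing to check the secret against, so all it can report is a password that does not match.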


Re: FreeRADIUS Proxy Problem

2008-12-11 Thread tnt
I've got a really frustrating problem with FreeRADIUS trying to proxy to a 
Microsoft IAS.  I'm using FR 1.0.1 (I know, it's old).  The problem is that I 
have proxying configured, but I keep getting Access-Reject back from the IAS.  
The IAS says that I used an unknown username or password, but I know that the 
username and password is correct.  I know this because I have a test FR box 
with the same config and same version (1.0.1) that works fine.

I assume that the User-Password is not being passed on properly, but I can't 
imagine why.  I looked into the PAP authentication config and both the working 
test box and the non-working production box are configured to use 'crypt'.  
Can anyone point me in the right direction?

You can actually make sense of IAS logs:

http://technet.microsoft.com/en-us/library/cc778268.aspx

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP

2008-12-11 Thread Jason Wittlin-Cohen
On Thu, Dec 11, 2008 at 9:16 AM, Attou eric gouroue...@yahoo.fr wrote:

 Hi Everybody.

 We are having some issues in setting up freeradius to support EAP-TLS,
 EAP-TTLS and EAP-PEAP.
 Our goal is to have our authentication server providing those three
 Auth-Type simultaneously.
 To support EAP-TLS, we generate our CA and certificates via TinyCA.



You can use TinyCA, but you must add the proper extended key usage. Under
Openssl-Configuration in TinyCA put the OID 1.3.6.1.5.5.7.3.1 for Server
Certificates into Extended Key usage, and 1.3.6.1.5.5.7.3.2 into Client
Certificate Extended Key Usage.

Jason

RE: FreeRADIUS Proxy Problem

2008-12-11 Thread Eric Van Tol
 -Original Message-
 From: freeradius-users-bounces+eric=atlantech@lists.freeradius.org
 [mailto:freeradius-users-bounces+eric=atlantech@lists.freeradius.org]
 On Behalf Of Alan DeKok
 Sent: Thursday, December 11, 2008 1:41 PM
 To: FreeRadius users mailing list
 Subject: Re: FreeRADIUS Proxy Problem
 
 
  The shared secret is wrong.

Actually, the shared secret *is* correct.  I tested this out by changing the 
shared secret on the proxy and I received a different error, which specifically 
stated that the shared secret didn't match.  Shared secret is the same on both 
the production and test boxes.

   Huh?  The proxy configuration of crypt has *nothing* to do with this.

Okay, well, I obviously didn't know.

-evt




RE: FreeRADIUS Proxy Problem

2008-12-11 Thread Eric Van Tol
 -Original Message-
 From: freeradius-users-bounces+eric=atlantech@lists.freeradius.org
 [mailto:freeradius-users-bounces+eric=atlantech@lists.freeradius.org]
 On Behalf Of t...@kalik.net
 Sent: Thursday, December 11, 2008 3:35 PM
 To: FreeRadius users mailing list
 Subject: Re: FreeRADIUS Proxy Problem
 
 You can actually make sense of IAS logs:
 
 http://technet.microsoft.com/en-us/library/cc778268.aspx
 
 Ivan Kalik
 Kalik Informatika ISP

Nifty - I'll try this.  I know what attributes are being sent and received, 
though, as I have tcpdumps and Wireshark traces.  However, this might help me 
see something I hadn't noticed before.  Thanks for the link.

-evt



SUN_LEN Error

2008-12-11 Thread Anton Borisov

Good day!

I try to use new version 2.1.3 in Solaris10.
(uname -a SunOS x 5.10 Generic_125100-06 sun4u sparc SUNW,Netra-240)

I have installed 2.1.1 - ./configure + make + make install - all of them 
 work fine, but when I try to make new version I get error:



./configure is ok,

make is:
...
...
...
creating .libs/radiusdS.c
(cd .libs  gcc  -g -O2 -c -fno-builtin radiusdS.c)
rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o 
.libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o 
.libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o 
.libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o 
.libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o 
.libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o 
.libs/detail.o 
/usr/local/src/freeradius-server-2.1.3/src/lib/.libs/libfreeradius-radius.so 
-lnsl -lresolv -lsocket -lposix4 -lpthread -lcrypt 
/usr/local/src/freeradius-server-2.1.3/libltdl/.libs/libltdl.so -ldl 
-R/opt/fr2/lib

Undefined   first referenced
 symbol in file
SUN_LEN .libs/listen.o
ld: fatal: Symbol referencing errors. No output written to .libs/radiusd
collect2: ld returned 1 exit status
make[4]: *** [radiusd] Error 1
make[4]: Leaving directory `/opt/src/freeradius-server-2.1.3/src/main'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/opt/src/freeradius-server-2.1.3/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/opt/src/freeradius-server-2.1.3/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/opt/src/freeradius-server-2.1.3'
make: *** [all] Error 2


So, would you be so kind and tell me, where I make my mistake?


--
Yours faithfully,
Anton Borisov.


FreeRADIUS and LDAP Groups

2008-12-11 Thread Tim Gustafson
Now that I have FreeRADIUS authenticating users via MSCHAPv2 and the 
sambaNTPassword attributes, the next step in my project is to limit the system 
so that only users in certain user groups can log in.

I'm using posixGroup groups, not groupOfNames or groupOfUniqueNames.

In my modules/ldap files I have:

groupname_attribute = cn
groupmembership_attribute = memberUid
groupmembership_filter = (memberUid=%{Stripped-User-Name:-%{User-Name}})

In my users I have

DEFAULT LDAP-Group == foo

However, even with these configuration options set, anyone with a valid login 
and password can authenticate right now.  In my radiusd -X I see:

rlm_ldap: performing search in dc=blah, with filter ((cn=foo)(memberUid=test))
rlm_ldap: object not found or got ambiguous search result

But it then goes on the authenticate the user anyhow:

rlm_ldap: user test authorized to use remote access

I looked around on Google, and I see -lots- of stuff about configuring LDAP 
group checks, but I haven't found anything that's all too helpful right now.  
Is there some option that I have to set to tell the system to ignore a user 
that's not in the proper group?

And then the follow-up question to this will be: is it possible to configure 
FreeRADIUS to check for membership in more than one group?  Put another way, 
how can I let the system authenticate users in the foo group -or- in the 
bar group?

Tim Gustafson
SOE Webmaster
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354



Re: FreeRADIUS and LDAP Groups

2008-12-11 Thread tnt
In my users I have

DEFAULT LDAP-Group == foo

However, even with these configuration options set, anyone with a valid login 
and password can authenticate right now.  In my radiusd -X I see:

rlm_ldap: performing search in dc=blah, with filter ((cn=foo)(memberUid=test))
rlm_ldap: object not found or got ambiguous search result

But it then goes on the authenticate the user anyhow:

rlm_ldap: user test authorized to use remote access

I looked around on Google, and I see -lots- of stuff about configuring LDAP 
group checks, but I haven't found anything that's all too helpful right now.  
Is there some option that I have to set to tell the system to ignore a user 
that's not in the proper group?

Add:

DEFAULT   Auth-Type := Reject

at the end of the users file. If none of the groups match, the user will be
rejected even with the correct password.

Ivan Kalik
Kalik Informatika ISP
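
As an added example (not part of either post, and not FreeRADIUS code), here is a simplified Python model of how the users file is walked, showing why a lone `LDAP-Group == foo` entry lets non-members through and how the final `Auth-Type := Reject` entry closes that gap. The users alice, bob and mallory, the directory contents, and the second `bar` entry (one way to allow foo or bar under first-match processing) are assumptions made for the illustration.

```python
# Constructed directory data: posixGroup entries as cn -> memberUid values.
POSIX_GROUPS = {"foo": ["alice"], "bar": ["bob"]}

# The users file from the question, and a variant with a second group
# entry (assumed here) plus the catch-all reject from the answer.
ORIGINAL = """
DEFAULT LDAP-Group == foo
"""
HARDENED = """
DEFAULT LDAP-Group == foo
DEFAULT LDAP-Group == bar
DEFAULT Auth-Type := Reject
"""

def parse_users(text):
    """Parse 'NAME Attribute op value' check lines (reply items not modelled)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, attr, op, value = line.split(None, 3)
            entries.append((name, attr, op, value.strip('"')))
    return entries

def in_group(group, user):
    """Stand-in for the LDAP search on cn=<group> and memberUid=<user>."""
    return user in POSIX_GROUPS.get(group, [])

def authorize(user, users_text):
    """Return 'Reject', or 'Authenticate' when the password check still runs."""
    for name, attr, op, value in parse_users(users_text):
        if name not in ("DEFAULT", user):
            continue
        if (attr, op) == ("LDAP-Group", "=="):
            if in_group(value, user):
                return "Authenticate"   # entry matched; first match wins
            continue                    # failed check only skips this entry
        if (attr, op) == ("Auth-Type", ":=") and value == "Reject":
            return "Reject"
    return "Authenticate"               # no entry matched: nothing rejects

if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(user, authorize(user, ORIGINAL), authorize(user, HARDENED))
```
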



Need Help: 'Simultaneous-Use' don't work !!! =/ version 1.1.7 !

2008-12-11 Thread Diogo Teixeira
Hi,

I have a problem =/

I created these queries:

INSERT INTO radcheck(UserName, Attribute, op, Value)
VALUES('cliente1', 'MD5-Password', ':=', MD5('projecto08'));

INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
('sessaounica', 'Simultaneous-Use', ':=', 1);

INSERT INTO usergroup (username, groupname) VALUES
('cliente1','sessaounica');

But two different clients (PCs) with the same user/password pair can log in
successfully. =/

What have I done wrong?

I want only one client to have access to the network. And if one client
is logged in, another user with the same user/password pair should not have
access until the logged-in user logs off.

Many thanks for your patience,

Best Regards,

Diogo Teixeira

Re: rad_recv: Access-Reject #plz ignore the previous letter

2008-12-11 Thread Yawar Hadi
Dear,
Check it by adding

client 127.0.0.1 {
...
}

instead of localhost.
It may work. Or, if you are on a local network, send the request from another
computer, after adding that computer's IP to your clients.conf file.


On Wed, Dec 10, 2008 at 2:56 PM, Ilya i...@bwc.ru wrote:

 hello!

 debugging FreeRADIUS, I ran into a problem like this:

 'rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=194,
 length=20'


 At the beginning I thought that the problem was in the users file but
 in radiusd.log I saw the message:

 rlm_sql (sql): Driver rlm_sql_oracle (module rlm_sql_oracle) loaded and
 linked
 rlm_sql (sql): Attempting to connect to rad...@localhost:/raddb
 rlm_sql (sql): starting 0
 rlm_sql (sql): Attempting to connect rlm_sql_oracle #0
 rlm_sql_oracle: Couldn't init Oracle OCI environment (OCIEnvCreate())
 rlm_sql (sql): Failed to connect DB handle #0
 rlm_sql (sql): starting 1
 rlm_sql (sql): starting 2
 rlm_sql (sql): starting 3
 rlm_sql (sql): starting 4
 rlm_sql (sql): Failed to connect to any SQL server.
  Module: Checking preacct {...} for more modules to load
  Module: Linked to module rlm_acct_unique

  What's wrong?
  Could anybody help me, please?

  The radiusd -X log, users file and clients.conf are attached.

 have a good day,
 ilya
 
 ilya vishnyov
 billing department
 baykalwestcom
 68, 2-zheleznodorozhnaya str.,
 irkutsk, 664005, russia
 gsm: +7 9025 113 992
 e-mail:  i...@bwc.ru
 icq #:   988-0-229
 




-- 
Best regards

Yawar Hadi Noshahi
 QAU Islamabad
(+92-0300-5504798)

SUN_LEN Error

2008-12-11 Thread Anton Borisov

Good day!

I am trying to use the new version 2.1.3 on Solaris 10.
(uname -a SunOS x 5.10 Generic_125100-06 sun4u sparc SUNW,Netra-240)

I have installed 2.1.1 - ./configure + make + make install - all of them 
work fine, but when I try to make the new version I get an error:



./configure is ok,

make is:
...
...
...
creating .libs/radiusdS.c
(cd .libs && gcc  -g -O2 -c -fno-builtin radiusdS.c)
rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o 
.libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o 
.libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o 
.libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o 
.libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o 
.libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o 
.libs/detail.o 
/usr/local/src/freeradius-server-2.1.3/src/lib/.libs/libfreeradius-radius.so 
-lnsl -lresolv -lsocket -lposix4 -lpthread -lcrypt 
/usr/local/src/freeradius-server-2.1.3/libltdl/.libs/libltdl.so -ldl 
-R/opt/fr2/lib

Undefined                       first referenced
 symbol                             in file
SUN_LEN                             .libs/listen.o
ld: fatal: Symbol referencing errors. No output written to .libs/radiusd
collect2: ld returned 1 exit status
make[4]: *** [radiusd] Error 1
make[4]: Leaving directory `/opt/src/freeradius-server-2.1.3/src/main'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/opt/src/freeradius-server-2.1.3/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/opt/src/freeradius-server-2.1.3/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/opt/src/freeradius-server-2.1.3'
make: *** [all] Error 2


So, would you be so kind as to tell me where I am making my mistake...


--
Yours faithfully,
Anton Borisov.
