Re: Symbol Perl_hv_undef_flags problem using rlm_perl

2011-09-01 Thread Boian Jordanov

On Aug 30, 2011, at 12:06 PM, david.suarezde...@telefonica.es wrote:

 in libperl.a. I include the complete output of radiusd -X below with both 

Did you compile perl with support for libperl.so ? 


Best Regards,
Boian Jordanov
Head of Voice Department
tel. +359 2 4004 723
tel. +359 2 4004 002






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS/PEAP authentication problem(can not reply correctattribute)

2011-09-01 Thread gary
Hi Arran
I do not define my private attribute while I follow the WISPr such as 
Bandwidth-Max-Up and Bandwidth-Max-Down.
It is no problem that I use UAM method (user login with login page by user 
name/password) and freeradius can reply correct attribute.
But when I use PEAP authentication, after user login it can not reply correct 
attribute that I configure in the radgroupreply table.
Can anyone give some idea?

BR//Gary

  - Original Message - 
  From: Arran Cudbard-Bell 
  To: FreeRadius users mailing list 
  Sent: Wednesday, August 31, 2011 2:21 PM
  Subject: Re: EAP-TLS/PEAP authentication problem(can not reply 
correctattribute)




  On 31 Aug 2011, at 08:11, Arran Cudbard-Bell wrote:




On 31 Aug 2011, at 04:37, gary wrote:


  Hi All
  I have NAS client which support WISPr standard working with freeradius 
2.1.10+MySQL 5.5 install on Fedora OS.
  I create my test certificate and configure EAP-TLS/PEAP authentication 
well in my setup.
  I am using WINDOWS XP as client pc it can pass authentication but 
freeradius can not reply correct attribute  I configured such as bandwidth 
control.
  I noticed in the reply attribute the vendor is Microsoft not WISPr.
  I wonder if this is WINDOWS default setting how can I modify so that FR 
can reply the correct attribute I configured?


Look in the dictionary file for your NAS vendor and figure out what the 
actual attribute name is for the reply attribute you're trying to send.


The name of a VSA is just there to make it easier to extract and manipulate 
attributes, it has no effect on the contents of the packet. So if you insert a 
VSA and it comes up as a Microsoft Vendor and this is not what you intended, 
then there's a naming conflict and the other Vendors VSAs will have been 
renamed.




  Of course if you're adding attributes in the inner tunnel you'll have to make 
sure tunnelled reply is set to yes in eap.conf for the relevant EAP methods.


  Arran Cudbard-Bell
  a.cudba...@freeradius.org


  RADIUS - Half the complexity of Diameter




List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
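
Arran's point above, that a VSA's name is a dictionary convenience and never reaches the packet, shown as an added example (not code from the thread or from FreeRADIUS). The vendor and attribute numbers for WISPr follow FreeRADIUS's dictionary.wispr; the unprefixed attribute names, the conflicting binding to vendor 311 type 250, and the 512000 value are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26           # attribute type for VSAs, RFC 2865 section 5.26
WISPR, MICROSOFT = 14122, 311  # IANA enterprise numbers of the two vendors

# A dictionary maps a name to (vendor id, vendor type); only the numbers are
# ever sent. The unprefixed names are assumptions modelled on the thread.
INTENDED = {
    "Bandwidth-Max-Up": (WISPR, 7),
    "Bandwidth-Max-Down": (WISPR, 8),
}
# Constructed naming conflict: the same name is bound to another vendor's
# number space (type 250 is a made-up value, not a real dictionary entry).
CONFLICTING = {**INTENDED, "Bandwidth-Max-Up": (MICROSOFT, 250)}


def encode_vsa(dictionary, name, value):
    """Encode one 32-bit integer VSA as it would appear in an Access-Accept."""
    vendor, vtype = dictionary[name]
    sub = struct.pack("!BBI", vtype, 6, value)  # vendor type, vendor length, value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor) + sub


def decode_vsa(data):
    """Return (vendor id, vendor type, value); reject malformed input."""
    if len(data) < 8:
        raise ValueError("truncated Vendor-Specific attribute")
    attr_type, length, vendor = struct.unpack("!BBI", data[:6])
    if attr_type != VENDOR_SPECIFIC or length != len(data):
        raise ValueError("not a single well-formed attribute 26")
    vtype, vlen = data[6], data[7]
    if vlen != 6 or vlen != length - 6:
        raise ValueError("only 32-bit integer sub-attributes are handled here")
    (value,) = struct.unpack("!I", data[8:12])
    return vendor, vtype, value


def name_for(dictionary, vendor, vtype):
    """Reverse lookup, as a debug log would do; unknown pairs get a numeric name."""
    for name, ident in dictionary.items():
        if ident == (vendor, vtype):
            return name
    return f"Attr-26.{vendor}.{vtype}"


def nas_upload_limit(data):
    """A NAS matches on numbers, not names: it acts only on WISPr (14122) type 7."""
    vendor, vtype, value = decode_vsa(data)
    return value if (vendor, vtype) == (WISPR, 7) else None


if __name__ == "__main__":
    for label, dictionary in (("intended", INTENDED), ("conflicting", CONFLICTING)):
        wire = encode_vsa(dictionary, "Bandwidth-Max-Up", 512000)
        vendor, vtype, _ = decode_vsa(wire)
        print(f"{label:12} {wire.hex()}  vendor={vendor} type={vtype} "
              f"seen by NAS as {name_for(INTENDED, vendor, vtype)} "
              f"limit applied: {nas_upload_limit(wire)}")
```

Both packets were built from the same attribute name, yet only the first carries the numbers the NAS acts on, which is why the fix is to find the attribute's real name in the NAS vendor's dictionary file.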

Re: Pre release of 2.1.12

2011-09-01 Thread Stefan Winter
Hi,

it's now running on our most busy server. Both -X and
background-multithreaded do their usual job. I do not see any problems
so far.

That said, I was at that point with 2.1.11 as well, and it caught fire
after 48+ hours only. So, there might still be surprises. I'll keep it
running under surveillance for the rest of the week. By next Monday,
I'll speak up again and let you know if my setup (still) works fine.

Greetings,

Stefan Winter

On 29.08.2011 16:13, Alan DeKok wrote:
   I've put some pre releases of 2.1.12 on the web site:

 http://git.freeradius.org/pre/

   Please let me know if there are any problems.  If not, this can become
 2.1.12.

   Alan DeKok.


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





Re: Freeradius-Users Digest, Vol 77, Issue 1

2011-09-01 Thread david . suarezdelis
Hi,

 Date: Thu, 1 Sep 2011 10:59:32 +0300
 From: Boian Jordanov bjorda...@orbitel.bg
 
 On Aug 30, 2011, at 12:06 PM, david.suarezde...@telefonica.es wrote:
 
  in libperl.a. I include the complete output of radiusd -X below with 
both 
 
 Did you compile perl with support for libperl.so ? 

Yes, but some other problems got in the middle, so things were a bit 
harder to solve.

There are two issues here:

First, that factory packages for Debian 6 weren't working together; and 
second, problems with compilation.

On the second case, I was compiling both Freeradius and Perl but my Perl 
build (after several attempts) got things mangled. A make realclean solved 
the issue, but I got some problems because the change of running user 
ruined the perlbrew installation (an access to libraries, etc).

I have finally solved it, just an hour ago, by compiling Freeradius-2.1.11 
and linking it to the system-wide libperl.so available library (somehow 
upgrading to Perl-5.14.1 is hard on Debian, as apt-get insists the 
installed package is the newest, even specifying the experimental repos, 
probably I am doing something wrong).

Anyway, I will take the chance and link to 5.14.1 (eventually) as Perl 
5.10 is about to get out of support...

So it's solved, and the pointers I got were very helpful, thanks a lot for 
your attention.

As for the first issue, I'll contact the package maintainers and let them 
know there's some mismatch (I suspect it is either an LD_PRELOAD issue or 
maybe the package has some problems, I recall that on versions 1.x there 
were several freeradius debian packages...)

So thanks and best regards,
dwd

AW: Using rlm_passwd as a substitute for hunt groups

2011-09-01 Thread Jan . Weiss
Hi,

I made further tests, and (imho) it seems that rlm_passwd can't handle 
IP-Addresses.
In my setup the module is able to assign My-Device-Group when searching for:
-User-Name
-User-Password
-NAS-Port
But not when searching for NAS-IP-Address :-(

I'm using freeradius2-2.1.7-7.el5

Jan


Re: Pre release of 2.1.12

2011-09-01 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
Priming up my end for a burn in...

Cheers

-- 
Alexander Clouter
.sigmonster says: And on the seventh day, He exited from append mode.



Re: AW: Using rlm_passwd as a substitute for hunt groups

2011-09-01 Thread Alan DeKok
jan.we...@t-systems.com wrote:
 I made further tests, and (imho) it seems that rlm_passwd can't handle 
 IP-Addresses.

  In the changelog for 2.1.10:

* Allow passwd module to map IP addresses, too.

 I'm using freeradius2-2.1.7-7.el5

  Upgrade.

  Alan DeKok.


Re: EAP-TLS/PEAP authentication problem(can not reply correctattribute)

2011-09-01 Thread Alan DeKok
gary wrote:
 I do not define my private attribute while I follow the WISPr such as
 Bandwidth-Max-Up and Bandwidth-Max-Down.
 It is no problem that I use UAM method(user login with login page by
 user name/password) and freeradius can reply correct attribute.
 But when I use PEAP authentication,after user login it can not reply
 correct attribute that I configure in the radgroupreply table.
 Can anyone give some idea?

  See use_tunneled_reply in raddb/eap.conf.

  Alan DeKok.


Re: Special WIFI Router MAC check for the user's first connection. (Tom)

2011-09-01 Thread 2394263740
Phil,
  
 Thanks a lot for your great help.
  
 I understand the scripts you wrote. But I don't know where I should put it in.
  
 Can you please kindly advise which file I should edit?
  
 /usr/local/etc/raddb/sites-available/default?
  
 Where I should put the scripts you wrote previously? The context?
  
 Thanks!
  
 Tom
   
  
  -- Original --
  From:  freeradius-usersfreeradius-users-requ...@lists.freeradius.org;
 Date:  Thu, Sep 1, 2011 02:51 AM
 To:  freeradius-usersfreeradius-users@lists.freeradius.org; 
 
 Subject:  Freeradius-Users Digest, Vol 76, Issue 108

  

Today's Topics:

   1. Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS
  server (Phil Mayers)
   2. Re: Special WIFI Router MAC check for the user's first
  connection. (Phil Mayers)
   3. Using rlm_passwd as a substitute for hunt groups
  (jan.we...@t-systems.com)
   4. problem with LDAP backend (Frank Bonnet)
   5. Re: problem with chillispot (Alan DeKok)
   6. Re: problem with LDAP backend (Alan DeKok)
   7. Rating usage (Shreya Shah)
   8. Re: problem with chillispot (Goke M Aruna)


--

Message: 1
Date: Wed, 31 Aug 2011 14:48:00 +0100
From: Phil Mayers p.may...@imperial.ac.uk
Subject: Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS
server
To: freeradius-users@lists.freeradius.org
Message-ID: 4e5e3b90.2020...@imperial.ac.uk
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 30/08/11 21:12, Glenn Machin wrote:
 Phil - thanks for the feedback.

 I just ended up proxying out to the IAS server usernames starting with
 DOMAIN\.

Ok. Obviously that will fail if enters their wireless credentials 
without a domain.


 I configured the freeradius server to not support mschapv2 but will
 support PEAP/GTC EAP/TLS.


 It seems to be working fine with the Macs, iPads and Linux systems while
 the windows systems are happy to talk to the IAS server.


 It still bugs that ntlm_auth would not authenticate to the domain
 controllers the challenge and nt-response.

I repeat: if you send debug info, people may be able to help.



 I assume no one else is having any issues using ntlm_auth to W2008
 servers? It may be some Windows GPO at our site for all I know.

Exactly which version of windows (2008 or 2008R2?) and at which 
functional level is your domain?

Did you try increasing the debug level for winbind using smbcontrol 
and then examining the debug logs after a failed auth?

For what it's worth, we have no problems with Windows 2008R2 domain 
controllers and the samba3x package available under RHEL5 (samba 
version 3.5.4-0.70.el5). We did have problems with earlier (Samba 3.3) 
versions after we'd upgraded to 2008R2 and upgraded functional level.


--

Message: 2
Date: Wed, 31 Aug 2011 14:55:35 +0100
From: Phil Mayers p.may...@imperial.ac.uk
Subject: Re: Special WIFI Router MAC check for the user's first
connection.
To: freeradius-users@lists.freeradius.org
Message-ID: 4e5e3d57.2000...@imperial.ac.uk
Content-Type: text/plain; charset=UTF-8; format=flowed

On 31/08/11 12:38, 2394263740 wrote:

 For example, WIFI AP 26, has the MAC address MAC26. I need ensure one
 WIFI user, say user 58, must connect to WIFI AP 26 for the first time.
 After the first connection, user 58 can connect to any WIFI AP in the
 network.
 Can someone give some advice on how to do it?

  1. Create a whitelist of users who can authenticate to any AP using 
files, rlm_passwd or ideally SQL - see the FreeRADIUS wiki

  2. If they are *not* found in the whitelist, check the 
Called-Station-Id attribute, which usually contains the MAC address of 
the AP. If your equipment uses a different attribute, check that.

  3. If the AP MAC is the correct one, add the user to the whitelist, 
else reject

For example:

authorize {

  ...
  update control {
    Tmp-String-0 := "%{sql:select 1 from whitelist where username='%{User-Name}'}"
  }
  if (control:Tmp-String-0 == 1) {
    # user is in whitelist
  }
  elsif (Called-Station-Id == "aa-bb-cc-dd-ee-ff") {
    # user is connecting to the whitelist AP
    update control {
      Tmp-String-0 = "%{sql:insert into whitelist (username) values ('%{User-Name}')}"
    }
  }
  else {
    reject
  }
  ...

}


--

Message: 3
Date: Wed, 31 Aug 2011 16:11:48 +0200
From: jan.we...@t-systems.com
Subject: Using rlm_passwd as a substitute 

Re: Special WIFI Router MAC check for the user's first connection. (Tom)

2011-09-01 Thread Arran Cudbard-Bell

On 1 Sep 2011, at 15:40, 2394263740 wrote:

 Phil,
  
 Thanks a lot for your great help.
  
 I understand the scripts you wrote. But I don't know where I should put it in.
  
 Can you please kindly advise which file I should edit?
  
 /usr/local/etc/raddb/sites-available/default?

Yes in the authorize section, that's why the script is encapsulated within an 
authorize {} stanza :)

-Arran

 
  
  

[no subject]

2011-09-01 Thread det.explo...@yahoo.com
Hi,

Is it possible to proxy based on a group the user belongs to? Or attribute? Or 
based on NAS from where the request was received?

Aside from REALM, is there any other criteria that can be used to decide 
whether or not to proxy a request?


Thanks,
Det


Proxying Based on Criteria Other Than REALM

2011-09-01 Thread det.explo...@yahoo.com

 From: det.explo...@yahoo.com det.explo...@yahoo.com
 Date: September 1, 2011 9:51:33 PM GMT+08:00
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 

 Hi,
 
 Is it possible to proxy based on a group the user belongs to? Or attribute? 
 Or based on NAS from where the request was received?
 
 Aside from REALM, is there any other criteria that can be used to decide 
 whether or not to proxy a request?
 
 
 Thanks,
 Det

Re:

2011-09-01 Thread Arran Cudbard-Bell

On 1 Sep 2011, at 15:51, det.explo...@yahoo.com wrote:

 Hi,
 
 Is it possible to proxy based on a group the user belongs to? Or attribute? 
 Or based on NAS from where the request was received?
 
 Aside from REALM, is there any other criteria that can be used to decide 
 whether or not to proxy a request?

Yes.

The control attribute Proxy-To-Realm can set the realm a request is proxied to.

Read man unlang for further details.

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Proxying Based on Criteria Other Than REALM

2011-09-01 Thread Phil Mayers

On 01/09/11 14:53, det.explo...@yahoo.com wrote:


Hi,

Is it possible to proxy based on a group the user belongs to? Or
attribute? Or based on NAS from where the request was received?

Aside from REALM, is there any other criteria that can be used to
decide whether or not to proxy a request?


There are two attributes:

 1. Realm; added to the request by e.g. the suffix module. Doesn't 
actually do anything; just used for logging.


 2. Proxy-To-Realm; added to the control items by the suffix 
module, or by other config. This is what actually controls proxying.


So for example you can do this:

authorize {
  ...
  if (NAS-IP-Address == 192.0.2.1) {
    update control {
      Proxy-To-Realm := OTHERSERVER
    }
  }
  ...
}

As you can see, you can therefore proxy on any attribute you like, or 
even on the output of a script, SQL query, etc.



Re: Special WIFI Router MAC check for the user's first connection (Tom)

2011-09-01 Thread 2394263740
 ?
 
 I think I can achieve rating using counter.conf and reading the usage from
 radacct but not sure how to reject this user from authenticating when he
 exceeds this usage limit ?
 
 Thanks,
 Shreya.
 
 Message: 8
 Date: Wed, 31 Aug 2011 19:51:20 +0100
 From: Goke M Aruna gok...@gmail.com
 Subject: Re: problem with chillispot
 To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Message-ID:
 CAE=ditpqorojhxqa7u+btcuxheh0_1v-tahmuw1ntgio9_e...@mail.gmail.com
 Content-Type: text/plain; charset=UTF-8
 
 Hi Allan,
 Mistyped shared-secret? How can I confirm that?
 
 Thank you.
 
 On 8/31/11, Alan DeKok al...@deployingradius.com wrote:
  Goke M Aruna wrote:
  Is it bug on freeradius v2?
 
No.
 
  I got the chillispot working with freeradius 1.7 then and still tested
  same recently but v2 of radius give same error while v1 work
  seamlessly. I compiled this on centos 5.6.
 
You mistyped the shared secret.
 
Alan DeKok.

How to update a MySql table after successfully WIFI authentication?

2011-09-01 Thread 2394263740
Hello,
  
 I'm using free radius server 2.1.11 on Linux Enterprise Server 6.1.
OS: Linux Enterprise Server 6.1
Radius: free radius server 2.1.11
Database: Mysql

 I got a WIFI network, using one radius server.
  
 The whole thing works fine.
  
 I got a requirement, which is, after each successful WIFI connection, one 
record need be added into connectionlog table.
  
 CREATE TABLE connectionlog (
  radacctid bigint(21) NOT NULL auto_increment,
  acctsessionid varchar(64) NOT NULL default '',
  acctuniqueid varchar(32) NOT NULL default '',
  username varchar(64) NOT NULL default '',
  groupname varchar(64) NOT NULL default '',
  realm varchar(64) default '',
  nasipaddress varchar(15) NOT NULL default '',
  nasportid varchar(15) default NULL,
  nasporttype varchar(32) default NULL,
  acctstarttime datetime NULL default NULL,
  acctstoptime datetime NULL default NULL,
  acctsessiontime int(12) default NULL,
  acctauthentic varchar(32) default NULL,
  connectinfo_start varchar(50) default NULL,
  connectinfo_stop varchar(50) default NULL,
  acctinputoctets bigint(20) default NULL,
  acctoutputoctets bigint(20) default NULL,
  calledstationid varchar(50) NOT NULL default '',
  callingstationid varchar(50) NOT NULL default '',
  acctterminatecause varchar(32) NOT NULL default '',
  servicetype varchar(32) default NULL,
  framedprotocol varchar(32) default NULL,
  framedipaddress varchar(15) NOT NULL default '',
  acctstartdelay int(12) default NULL,
  acctstopdelay int(12) default NULL,
  xascendsessionsvrkey varchar(10) default NULL,
  PRIMARY KEY  (radacctid),
  KEY username (username),
  KEY framedipaddress (framedipaddress),
  KEY acctsessionid (acctsessionid),
  KEY acctsessiontime (acctsessiontime),
  KEY acctuniqueid (acctuniqueid),
  KEY acctstarttime (acctstarttime),
  KEY acctstoptime (acctstoptime),
  KEY nasipaddress (nasipaddress)
) ;

 Can you please kindly advise how to do this?
  
 Which file should be edited?
  
 Where is the context to put in the script?
  
 What is the script?
  
 Thanks!
  
 Tom

Re: How to update a MySql table after successfully WIFI authentication?

2011-09-01 Thread Arran Cudbard-Bell
Look in raddb/sql/mysql/dialup.conf

The postauth query is the one you need to edit.

Then uncomment the 'sql' module in 

raddb/sites-available/default

post-auth {

}

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS server

2011-09-01 Thread Jacob Dawson
It's largely successful, but as I mentioned in my note to this group from the 
29th, I've run into problems with Windows clients having a disagreement with 
FreeRADIUS about the final stages of the PEAP-MSCHAPv2 conversation, after IAS 
has authenticated them successfully.

- Jacob

On 31 Aug 2011, at 16:32, Alan DeKok wrote:

 
  It really should work... it works for my tests.
 
  Alan DeKok.


Using encrypted passwords in users file

2011-09-01 Thread sundoo
Hello, I'm new to FreeRadius and to linux. Maybe this question will sound
stupid, but I really need your help.
I have a server running freeradius. 
These are some outputs of the configuration: 

*etc/freeradius/radiusd.conf*
# passwd = /etc/passwd
  shadow = /etc/shadow
# group = /etc/group


*/etc/freeradius/users*
test1 Auth-Type := Crypt-Local, User-Password :=
$1$NzW2iwkn$ygDcJgb4WhAEqQYfySFkj/
Service-Type = Administrative-User,
Cajun-Service-Type := 3,

*/etc/shadow*
test1:$1$cnEh49V6$Q.68mw.3P5rgmsfhbo/iC1:15217:0:9:7:::


I would like to change the password for the user test1. But in the users
file I see only the encrypted password. Where is the original password
stored ? 

How do I change it ? 

Thanks a lot for your help.



cisco 3825 authentication error

2011-09-01 Thread Dom
I am trying to terminate vpdn sessions through our cisco 3825 using 
freeradius.  I am new to this whole process and I was hoping to get some 
assistance with the missing configuration.


Below is the error message I am receiving when trying to authenticate 
via the router.


rad_recv: Access-Request packet from host 64.34.66.5 port 1645, id=19, 
length=135

Framed-Protocol = PPP
User-Name = aew...@domain.com
User-Password = password
Calling-Station-Id = bas20330455
Connect-Info = 10
NAS-Port-Type = Virtual
NAS-Port = 532
NAS-Port-Id = Uniq-Sess-ID532
Service-Type = Framed-User
NAS-IP-Address = 64.34.66.5
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm domain.com for User-Name = aew...@domain.com
[suffix] No such realm domain.com
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  
Authentication may fail because of this.

++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: 
Rejecting the user

Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - aew...@domain.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 19 to 64.34.66.5 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 19 with timestamp +381
Ready to process requests.





Re: Using encrypted passwords in users file

2011-09-01 Thread Paul Bartell
that is the hashed password. You can change it by generating a hash of
your new password... you would probably use crypt(3) to do that... The
original password was never stored in cleartext form. You could store
a cleartext password if you really wanted to, but that is less than
secure.

On Thu, Sep 1, 2011 at 8:57 AM, sundoo sandu_nas...@yahoo.com wrote:

 Hello, I'm new to FreeRadius and to linux. Maybe this question will sound
 stupid, but I really need your help.
 I have a server running freeradius.
 These are some outputs of the configuration:

 *etc/freeradius/radiusd.conf*
 # passwd = /etc/passwd
  shadow = /etc/shadow
 # group = /etc/group


 */etc/freeradius/users*
 test1 Auth-Type := Crypt-Local, User-Password :=
 $1$NzW2iwkn$ygDcJgb4WhAEqQYfySFkj/
        Service-Type = Administrative-User,
        Cajun-Service-Type := 3,

 */etc/shadow*
 test1:$1$cnEh49V6$Q.68mw.3P5rgmsfhbo/iC1:15217:0:9:7:::


 I would like to change the password for the user test1. But in the users
 file I see only the encrypted password. Where is the original password
 stored ?

 How do I change it ?

 Thanks a lot for your help.




--
Random quote of the week/month/whenever i get to updating it: Quis custodiet
ipsos custodes?: who shall watch the watchers themselves? - Juvenal



Re: Pre release of 2.1.12

2011-09-01 Thread Alan Buxey
Hi,

 it's now running on our most busy server. Both -X and
 background-multithreaded do their usual job. I do not see any problems
 so far.

it's on one of our production servers and on a couple of other
systems. 

alan


Re: Proxying Based on Criteria Other Than REALM

2011-09-01 Thread Det Det
Hey thanks! :)




From: Phil Mayers p.may...@imperial.ac.uk
To: freeradius-users@lists.freeradius.org
Sent: Thursday, September 1, 2011 10:04 PM
Subject: Re: Proxying Based on Criteria Other Than REALM

On 01/09/11 14:53, det.explo...@yahoo.com wrote:

 Hi,
 
 Is it possible to proxy based on a group the user belongs to? Or
 attribute? Or based on NAS from where the request was received?
 
 Aside from REALM, is there any other criteria that can be used to
 decide whether or not to proxy a request?

There are two attributes:

1. Realm; added to the request by e.g. the suffix module. Doesn't actually 
do anything; just used for logging.

2. Proxy-To-Realm; added to the control items by the suffix module, or by 
other config. This is what actually controls proxying.

So for example you can do this:

authorize {
  ...
  if (NAS-IP-Address == 192.0.2.1) {
    update control {
      Proxy-To-Realm := OTHERSERVER
    }
  }
  ...
}

As you can see, you can therefore proxy on any attribute you like, or even on 
the output of a script, SQL query, etc.
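The Proxy-To-Realm approach described in the quoted reply, written out with the proxy.conf side it depends on. This is an added example, not configuration from the thread or from the FreeRADIUS distribution: the realm name OTHERSERVER and the NAS address 192.0.2.1 come from the post, while the home server name, pool name, home server address, secret placeholder and the NAS-Identifier naming convention are assumptions.

```conf
# --- proxy.conf ---------------------------------------------------------
# Proxy-To-Realm only works if the named realm is defined here.
# All names and values in this block are placeholders (assumptions).
home_server other_auth {
	type   = auth
	# constructed documentation address
	ipaddr = 192.0.2.50
	port   = 1812
	# use a long random secret, unique to this home server
	secret = REPLACE_WITH_LONG_RANDOM_SECRET
}

home_server_pool other_pool {
	type        = fail-over
	home_server = other_auth
}

realm OTHERSERVER {
	auth_pool = other_pool
	# forward User-Name exactly as received
	nostrip
}

# --- sites-enabled/default ----------------------------------------------
authorize {
	preprocess

	# Criterion 1: the NAS the request arrived from (the case in the post).
	if (NAS-IP-Address == 192.0.2.1) {
		update control {
			Proxy-To-Realm := "OTHERSERVER"
		}
	}
	# Criterion 2: any other request attribute; here a constructed
	# convention where branch NASes identify themselves as "branch-...".
	elsif (NAS-Identifier =~ /^branch-/) {
		update control {
			Proxy-To-Realm := "OTHERSERVER"
		}
	}

	# Requests matching neither test never get Proxy-To-Realm and are
	# handled locally by the rest of the section (files, eap, pap, ...).
}
```

Running radiusd -X and sending one request from each kind of NAS shows which branch set Proxy-To-Realm, which is the quickest way to confirm that only the intended traffic leaves the server.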

rlm_eap: SSL error

2011-09-01 Thread Chad Rebuck
Can someone point me in the right direction on figuring this out?  I'm
running Arch linux and I installed via pacman -S freeradius.  I
didn't edit any config files yet.

[root@pogo /]# uname -a
Linux pogo 2.6.39-ARCH #2 PREEMPT Mon Jul 11 14:08:22 MDT 2011
armv5tel Feroceon 88FR131 rev 1 (v5l) Marvell SheevaPlug Reference
Board GNU/Linux


[root@pogo raddb]# radiusd -X
FreeRADIUS Version 2.1.11, for host armv5tel-unknown-linux-gnu, built
on Jul 15 2011 at 23:45:34
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = radiusd
prefix = /usr
localstatedir = /var
sbindir = /usr/sbin
logdir = /var/log/radius
run_dir = /var/run/radiusd
libdir = /usr/lib/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home 

Re: rlm_eap: SSL error

2011-09-01 Thread Alan DeKok
Chad Rebuck wrote:
 Can someone point me in the right direction on figuring this out?  I'm
 running Arch linux and I installed via pacman -S freeradius.  I
 didn't edit any config files yet.

  It's supposed to build the various cert files the first time it's
booted.  If that isn't happening properly, go to raddb/certs and poke
around there.

  Alan DeKok.


Help: Error in PEAP configuration

2011-09-01 Thread Andrei M. Castillo
Hi guys,

I encountered this error when starting radiusd -X trying to make it work with 
peap. Can you help me fix this or give me an idea how to?

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
  with_ntdomain_hack = no
   }
rlm_eap: No such sub-type for default EAP type peap
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module 
eap.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[190]: Errors parsing 
authenticate section.


I followed this procedure in installing freeradius with openssl.





===
Installation of OpenSSL 0.9.8j:
===

$ wget http://www.openssl.org/source/openssl-0.9.8j.tar.gz
$ tar xzf openssl-0.9.8j.tar.gz
$ cd openssl-0.9.8j
$ ./config --prefix=/usr/local/openssl shared
$ make
$ sudo make install

==
Installation of Freeradius 2.14:
==

$ wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.3.tar.gz
$ tar xzf freeradius-server-2.1.3.tar.gz
$ cd freeradius-server-2.1.3
$ ./configure --with-openssl \
    --with-openssl-includes=/usr/local/openssl/include/ \
    --with-openssl-libraries=/usr/local/openssl/lib/
$ make
$ sudo make install

PS: If needed, do a sudo ldconfig, and in case of error consult the file config.log.



Thank you.
Drei

