Re: Symbol Perl_hv_undef_flags problem using rlm_perl
On Aug 30, 2011, at 12:06 PM, david.suarezde...@telefonica.es wrote:

> in libperl.a. I include the complete output of radiusd -X below with both

Did you compile perl with support for libperl.so?

Best Regards,
Boian Jordanov
Head of Voice Department
tel. +359 2 4004 723
tel. +359 2 4004 002

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS/PEAP authentication problem(can not reply correctattribute)
Hi Arran

I do not define my private attribute while I follow the WISPr such as Bandwidth-Max-Up and Bandwidth-Max-Down. It is no problem that I use UAM method (user login with login page by user name/password) and freeradius can reply correct attribute. But when I use PEAP authentication, after user login it can not reply correct attribute that I configure in the radgroupreply table. Can anyone give some idea?

BR//Gary

- Original Message -
From: Arran Cudbard-Bell
To: FreeRadius users mailing list
Sent: Wednesday, August 31, 2011 2:21 PM
Subject: Re: EAP-TLS/PEAP authentication problem(can not reply correctattribute)

> On 31 Aug 2011, at 08:11, Arran Cudbard-Bell wrote:
>
>> On 31 Aug 2011, at 04:37, gary wrote:
>>
>> Hi All
>>
>> I have NAS client which support WISPr standard working with freeradius 2.1.10+MySQL 5.5 install on Fedora OS. I create my test certificate and configure EAP-TLS/PEAP authentication well in my setup. I am using WINDOWS XP as client pc it can pass authentication but freeradius can not reply correct attribute I configured such as bandwidth control. I noticed in the reply attribute the vendor is Microsoft not WISPr. I wonder if this is WINDOWS default setting how can I modify so that FR can reply the correct attribute I configured?
>
> Look in the dictionary file for your NAS vendor and figure out what the actual attribute name is for the reply attribute you're trying to send.
>
> The name of a VSA is just there to make it easier to extract and manipulate attributes, it has no effect on the contents of the packet. So if you insert a VSA and it comes up as a Microsoft Vendor and this is not what you intended, then there's a naming conflict and the other Vendors VSAs will have been renamed.

Of course if you're adding attributes in the inner tunnel you'll have to make sure tunnelled reply is set to yes in eap.conf for the relevant EAP methods.

Arran Cudbard-Bell
a.cudba...@freeradius.org
RADIUS - Half the complexity of Diameter
Re: Pre release of 2.1.12
Hi,

it's now running on our most busy server. Both -X and background-multithreaded do their usual job. I do not see any problems so far.

That said, I was at that point with 2.1.11 as well, and it caught fire after 48+ hours only. So, there might still be surprises. I'll keep it running under surveillance for the rest of the week. By next Monday, I'll speak up again and let you know if my setup (still) works fine.

Greetings,

Stefan Winter

On 29.08.2011 16:13, Alan DeKok wrote:
> I've put some pre releases of 2.1.12 on the web site:
>
> http://git.freeradius.org/pre/
>
> Please let me know if there are any problems. If not, this can become 2.1.12.
>
> Alan DeKok.

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
Re: Freeradius-Users Digest, Vol 77, Issue 1
Hi,

Date: Thu, 1 Sep 2011 10:59:32 +0300
From: Boian Jordanov bjorda...@orbitel.bg

> On Aug 30, 2011, at 12:06 PM, david.suarezde...@telefonica.es wrote:
>> in libperl.a. I include the complete output of radiusd -X below with both
>
> Did you compile perl with support for libperl.so ?

Yes, but some other problems got in the middle, so things were a bit harder to solve.

There are two issues here: First, that factory packages for Debian 6 weren't working together; and second, problems with compilation.

On the second case, I was compiling both Freeradius and Perl but my Perl build (after several attempts) got things mangled. A make realclean solved the issue, but I got some problems because the change of running user ruined the perlbrew installation (an access to libraries, etc).

I have finally solved it, just an hour ago, by compiling Freeradius-2.1.11 and linking it to the system-wide libperl.so available library (somehow upgrading to Perl-5.14.1 is hard on Debian, as apt-get insists the installed package is the newest, even specifying the experimental repos, probably I am doing something wrong). Anyway, I will take the chance and link to 5.14.1 (eventually) as Perl 5.10 is about to get out of support...

So it's solved, and the pointers I got were very helpful, thanks a lot for your attention.

As for the first issue, I'll contact the package maintainers and let them know there's some mismatch (I suspect it is either an LD_PRELOAD issue or maybe the package has some problems, I recall that on versions 1.x there were several freeradius debian packages...)

So thanks and best regards,

dwd
AW: Using rlm_passwd as a substitute for hunt groups
Hi,

I made further tests, and (imho) it seems that rlm_passwd can't handle IP-Addresses. In my setup the module is able to assign My-Device-Group when searching for:

-User-Name
-User-Password
-NAS-Port

But not when searching for NAS-IP-Address :-(

I'm using freeradius2-2.1.7-7.el5

Jan
Re: Pre release of 2.1.12
Alan DeKok al...@deployingradius.com wrote:
> I've put some pre releases of 2.1.12 on the web site:
>
> http://git.freeradius.org/pre/

Priming up my end for a burn in...

Cheers

--
Alexander Clouter
.sigmonster says: And on the seventh day, He exited from append mode.
Re: AW: Using rlm_passwd as a substitute for hunt groups
jan.we...@t-systems.com wrote:
> I made further tests, and (imho) it seems that rlm_passwd can't handle IP-Addresses.

In the changelog for 2.1.10:

* Allow passwd module to map IP addresses, too.

> I'm using freeradius2-2.1.7-7.el5

Upgrade.

Alan DeKok.
Re: EAP-TLS/PEAP authentication problem(can not reply correctattribute)
gary wrote:
> I do not define my private attribute while I follow the WISPr such as Bandwidth-Max-Up and Bandwidth-Max-Down. It is no problem that I use UAM method (user login with login page by user name/password) and freeradius can reply correct attribute. But when I use PEAP authentication, after user login it can not reply correct attribute that I configure in the radgroupreply table. Can anyone give some idea?

See use_tunneled_reply in raddb/eap.conf.

Alan DeKok.
Re: Special WIFI Router MAC check for the user's first connection. (Tom)
Phil,

Thanks a lot for your great help. I understand the scripts you wrote. But I don't know where I should put it in. Can you please kindly advise which file I should edit? /usr/local/etc/raddb/sites-available/default? Where I should put the scripts you wrote previously? The context?

Thanks!
Tom

-- Original --
From: freeradius-users freeradius-users-requ...@lists.freeradius.org
Date: Thu, Sep 1, 2011 02:51 AM
To: freeradius-users freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 76, Issue 108

Message: 1
Date: Wed, 31 Aug 2011 14:48:00 +0100
From: Phil Mayers p.may...@imperial.ac.uk
Subject: Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS server

On 30/08/11 21:12, Glenn Machin wrote:
> Phil - thanks for the feedback. I just ended up proxying out to the IAS server usernames starting with DOMAIN\.

Ok. Obviously that will fail if enters their wireless credentials without a domain.

> I configured the freeradius server to not support mschapv2 but will support PEAP/GTC EAP/TLS. It seems to be working fine with the Macs, iPads and Linux systems while the windows systems are happy to talk to the IAS server. It still bugs that ntlm_auth would not authenticate to the domain controllers the challenge and nt-response.

I repeat: if you send debug info, people may be able to help.

> I assume no one else is having any issues using ntlm_auth to W2008 servers? It may be some Windows GPO at our site for all I know.

Exactly which version of windows (2008 or 2008R2?) and at which functional level is your domain? Did you try increasing the debug level for winbind using smbcontrol and then examining the debug logs after a failed auth?

For what it's worth, we have no problems with Windows 2008R2 domain controllers and the samba3x package available under RHEL5 (samba version 3.5.4-0.70.el5). We did have problems with earlier (Samba 3.3) versions after we'd upgraded to 2008R2 and upgraded functional level.

Message: 2
Date: Wed, 31 Aug 2011 14:55:35 +0100
From: Phil Mayers p.may...@imperial.ac.uk
Subject: Re: Special WIFI Router MAC check for the user's first connection.

On 31/08/11 12:38, 2394263740 wrote:
> For example, WIFI AP 26, has the MAC address MAC26. I need ensure one WIFI user, say user 58, must connect to WIFI AP 26 for the first time. After the first connection, user 58 can connect to any WIFI AP in the network.
>
> Can someone give some advice on how to do it?

1. Create a whitelist of users who can authenticate to any AP using files, rlm_passwd or ideally SQL - see the FreeRADIUS wiki
2. If they are *not* found in the whitelist, check the Called-Station-Id attribute, which usually contains the MAC address of the AP. If your equipment uses a different attribute, check that.
3. If the AP MAC is the correct one, add the user to the whitelist, else reject

For example:

    authorize {
        ...
        # Look the user up in the whitelist table
        update control {
            Tmp-String-0 := "%{sql:select 1 from whitelist where username='%{User-Name}'}"
        }
        if (control:Tmp-String-0 == 1) {
            # user is in whitelist
        }
        elsif (Called-Station-Id == "aa-bb-cc-dd-ee-ff") {
            # user is connecting to the whitelist AP
            update control {
                Tmp-String-0 = "%{sql:insert into whitelist (username) values ('%{User-Name}')}"
            }
        }
        else {
            reject
        }
        ...
    }

Message: 3
Date: Wed, 31 Aug 2011 16:11:48 +0200
From: jan.we...@t-systems.com
Subject: Using rlm_passwd as a substitute
Re: Special WIFI Router MAC check for the user's first connection. (Tom)
On 1 Sep 2011, at 15:40, 2394263740 wrote:
> Phil,
>
> Thanks a lot for your great help. I understand the scripts you wrote. But I don't know where I should put it in. Can you please kindly advise which file I should edit? /usr/local/etc/raddb/sites-available/default?

Yes in the authorize section, that's why the script is encapsulated within an authorize {} stanza :)

-Arran
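The first-connection rule from Phil Mayers' three steps in this thread, modelled in Python with an in-memory SQLite table so it can be run offline. This is an added example, not code from the thread or from FreeRADIUS: the function names, the `whitelist` schema and the sample Called-Station-Id values are assumptions, and it goes beyond the posted snippet by normalising Called-Station-Id (RFC 3580 has 802.11 NASes send it as MAC:SSID) and by recording the user only after authentication has succeeded.

```python
import re
import sqlite3

# Constructed placeholder: MAC of the enrolment AP, as used in the thread.
ENROLMENT_AP = "aa-bb-cc-dd-ee-ff"

# Accepts aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aabbccddeeff,
# optionally followed by ":SSID". The lookahead stops a short MAC from
# borrowing hex digits out of the SSID.
MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}(?:[-:][0-9a-f]{2}){5}"
    r"|[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}"
    r"|[0-9a-f]{12})(?=:|$)"
)


def normalise_ap_mac(called_station_id):
    """Return the AP MAC as 'aa-bb-cc-dd-ee-ff', or None if it cannot be parsed."""
    if not called_station_id:
        return None
    match = MAC_RE.match(called_station_id.strip().lower())
    if match is None:
        return None
    digits = re.sub(r"[-:.]", "", match.group(0))
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def open_db():
    """Create the whitelist table; the PRIMARY KEY keeps enrolment idempotent."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE whitelist (username TEXT PRIMARY KEY)")
    return db


def is_whitelisted(db, username):
    # Bound parameter: the user name never becomes part of the SQL text.
    row = db.execute(
        "SELECT 1 FROM whitelist WHERE username = ?", (username,)
    ).fetchone()
    return row is not None


def authorize(db, username, called_station_id):
    """Steps 1-3 of the procedure, without touching the table yet."""
    if is_whitelisted(db, username):
        return "known"          # may use any AP
    if normalise_ap_mac(called_station_id) == ENROLMENT_AP:
        return "enrolling"      # first connection, at the required AP
    return "reject"             # first connection, at some other AP


def post_auth(db, username, decision):
    """Record the enrolment; called only after authentication succeeded."""
    if decision == "enrolling":
        db.execute(
            "INSERT OR IGNORE INTO whitelist (username) VALUES (?)", (username,)
        )
        db.commit()


def handle_request(db, username, called_station_id, password_ok):
    """Model of one request; password_ok stands in for the authenticate stage."""
    decision = authorize(db, username, called_station_id)
    if decision == "reject" or not password_ok:
        return "Access-Reject"
    post_auth(db, username, decision)
    return "Access-Accept"


if __name__ == "__main__":
    db = open_db()
    # Constructed requests: (user, Called-Station-Id, did the password check pass)
    for req in [
        ("user58", "11-22-33-44-55-66:corp-wifi", True),
        ("user58", "AA-BB-CC-DD-EE-FF:corp-wifi", False),
        ("user58", "AA-BB-CC-DD-EE-FF:corp-wifi", True),
        ("user58", "11-22-33-44-55-66:corp-wifi", True),
    ]:
        print(req, "->", handle_request(db, *req))
```

Because the write happens after the password check, a request that names a user but fails authentication at the enrolment AP does not add that name to the whitelist.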
[no subject]
Hi,

Is it possible to proxy based on a group the user belongs to? Or attribute? Or based on NAS from where the request was received?

Aside from REALM, is there any other criteria that can be used to decide whether or not to proxy a request?

Thanks,
Det
Proxying Based on Criteria Other Than REALM
From: det.explo...@yahoo.com det.explo...@yahoo.com
Date: September 1, 2011 9:51:33 PM GMT+08:00
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Hi,

Is it possible to proxy based on a group the user belongs to? Or attribute? Or based on NAS from where the request was received?

Aside from REALM, is there any other criteria that can be used to decide whether or not to proxy a request?

Thanks,
Det
Re:
On 1 Sep 2011, at 15:51, det.explo...@yahoo.com wrote:
> Hi,
>
> Is it possible to proxy based on a group the user belongs to? Or attribute? Or based on NAS from where the request was received?
>
> Aside from REALM, is there any other criteria that can be used to decide whether or not to proxy a request?

Yes. The control attribute Proxy-To-Realm can set the realm a request is proxied to. Read man unlang for further details.

Arran Cudbard-Bell
a.cudba...@freeradius.org
RADIUS - Half the complexity of Diameter
Re: Proxying Based on Criteria Other Than REALM
On 01/09/11 14:53, det.explo...@yahoo.com wrote:
> Hi,
>
> Is it possible to proxy based on a group the user belongs to? Or attribute? Or based on NAS from where the request was received?
>
> Aside from REALM, is there any other criteria that can be used to decide whether or not to proxy a request?

There are two attributes:

1. Realm; added to the request by e.g. the suffix module. Doesn't actually do anything; just used for logging.
2. Proxy-To-Realm; added to the control items by the suffix module, or by other config. This is what actually controls proxying.

So for example you can do this:

    authorize {
        ...
        if (NAS-IP-Address == 192.0.2.1) {
            update control {
                Proxy-To-Realm := OTHERSERVER
            }
        }
        ...
    }

As you can see, you can therefore proxy on any attribute you like, or even on the output of a script, SQL query, etc.
Re: Special WIFI Router MAC check for the user's first connection (Tom)
? I think I can achieve rating using counter.conf and reading the usage from radacct but not sure how to reject this user from authenticating when he exceeds this usage limit ?

Thanks,
Shreya.

Message: 8
Date: Wed, 31 Aug 2011 19:51:20 +0100
From: Goke M Aruna gok...@gmail.com
Subject: Re: problem with chillispot

Hi Allan,

Mistyped shared-secret? How can I confirm that?

Thank you.

On 8/31/11, Alan DeKok al...@deployingradius.com wrote:
> Goke M Aruna wrote:
>> Is it bug on freeradius v2?
>
> No.
>
>> I got the chillispot working with freeradius 1.7 then and still tested same recently but v2 of radius give same error while v1 work seamlessly. I compiled this on centos 5.6.
>
> You mistyped the shared secret.
>
> Alan DeKok.

Arran Cudbard-Bell
a.cudba...@freeradius.org
RADIUS - Half the complexity of Diameter
How to update a MySql table after successfully WIFI authentication?
Hello,

I'm using free radius server 2.1.11 on Linux Enterprise Server 6.1.

OS: Linux Enterprise Server 6.1
Radius: free radius server 2.1.11
Database: Mysql

I got a WIFI network, using one radius server. The whole thing works fine. I got a requirement, which is, after each successful WIFI connection, one record need be added into connectionlog table.

    CREATE TABLE connectionlog (
      radacctid bigint(21) NOT NULL auto_increment,
      acctsessionid varchar(64) NOT NULL default '',
      acctuniqueid varchar(32) NOT NULL default '',
      username varchar(64) NOT NULL default '',
      groupname varchar(64) NOT NULL default '',
      realm varchar(64) default '',
      nasipaddress varchar(15) NOT NULL default '',
      nasportid varchar(15) default NULL,
      nasporttype varchar(32) default NULL,
      acctstarttime datetime NULL default NULL,
      acctstoptime datetime NULL default NULL,
      acctsessiontime int(12) default NULL,
      acctauthentic varchar(32) default NULL,
      connectinfo_start varchar(50) default NULL,
      connectinfo_stop varchar(50) default NULL,
      acctinputoctets bigint(20) default NULL,
      acctoutputoctets bigint(20) default NULL,
      calledstationid varchar(50) NOT NULL default '',
      callingstationid varchar(50) NOT NULL default '',
      acctterminatecause varchar(32) NOT NULL default '',
      servicetype varchar(32) default NULL,
      framedprotocol varchar(32) default NULL,
      framedipaddress varchar(15) NOT NULL default '',
      acctstartdelay int(12) default NULL,
      acctstopdelay int(12) default NULL,
      xascendsessionsvrkey varchar(10) default NULL,
      PRIMARY KEY (radacctid),
      KEY username (username),
      KEY framedipaddress (framedipaddress),
      KEY acctsessionid (acctsessionid),
      KEY acctsessiontime (acctsessiontime),
      KEY acctuniqueid (acctuniqueid),
      KEY acctstarttime (acctstarttime),
      KEY acctstoptime (acctstoptime),
      KEY nasipaddress (nasipaddress)
    ) ;

Can you please kindly advise how to do this? Which file should be edited? Where is the context to put in the script? What is the script?

Thanks!
Tom
Re: How to update a MySql table after successfully WIFI authentication?
Look in raddb/sql/mysql/dialup.conf

The postauth query is the one you need to edit.

Then uncomment the 'sql' module in raddb/sites-available/default post-auth { }

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org
RADIUS - Half the complexity of Diameter
Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS server
It's largely successful, but as I mentioned in my note to this group from the 29th, I've run into problems with Windows clients having a disagreement with FreeRADIUS about the final stages of the PEAP-MSCHAPv2 conversation, after IAS has authenticated them successfully.

- Jacob

On 31 Aug 2011, at 16:32, Alan DeKok wrote:
> It really should work... it works for my tests.
>
> Alan DeKok.
Using encrypted passwords in users file
Hello,

I'm new to FreeRadius and to linux. Maybe this question will sound stupid, but I really need your help. I have a server running freeradius. These are some outputs of the configuration:

*etc/freeradius/radiusd.conf*

    # passwd = /etc/passwd
    shadow = /etc/shadow
    # group = /etc/group

*/etc/freeradius/users*

    test1 Auth-Type := Crypt-Local, User-Password := $1$NzW2iwkn$ygDcJgb4WhAEqQYfySFkj/
        Service-Type = Administrative-User,
        Cajun-Service-Type := 3,

*/etc/shadow*

    test1:$1$cnEh49V6$Q.68mw.3P5rgmsfhbo/iC1:15217:0:9:7:::

I would like to change the password for the user test1. But in the users file I see only the encrypted password. Where is the original password stored? How do I change it?

Thanks a lot for your help.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Using-encrypted-passwords-in-users-file-tp4758890p4758890.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
cisco 3825 authentication error
I am trying to terminate vpdn sessions through our cisco 3825 using freeradius. I am new to this whole process and I was hoping to get some assistance with the missing configuration. Below is the error message I am receiving when trying to authenticate via the router.

    rad_recv: Access-Request packet from host 64.34.66.5 port 1645, id=19, length=135
        Framed-Protocol = PPP
        User-Name = aew...@domain.com
        User-Password = password
        Calling-Station-Id = bas20330455
        Connect-Info = 10
        NAS-Port-Type = Virtual
        NAS-Port = 532
        NAS-Port-Id = Uniq-Sess-ID532
        Service-Type = Framed-User
        NAS-IP-Address = 64.34.66.5
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] Looking up realm domain.com for User-Name = aew...@domain.com
    [suffix] No such realm domain.com
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry DEFAULT at line 172
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> aew...@domain.com
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 19 to 64.34.66.5 port 1645
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 19 with timestamp +381
    Ready to process requests.
Re: Using encrypted passwords in users file
That is the hashed password. You can change it by generating a hash of your new password... you would probably use crypt(3) to do that...

The original password was never stored in cleartext form. You could store a cleartext password if you really wanted to, but that is less than secure.

On Thu, Sep 1, 2011 at 8:57 AM, sundoo sandu_nas...@yahoo.com wrote:
> Hello,
>
> I'm new to FreeRadius and to linux. Maybe this question will sound stupid, but I really need your help. I have a server running freeradius. These are some outputs of the configuration:
>
> *etc/freeradius/radiusd.conf*
>
>     # passwd = /etc/passwd
>     shadow = /etc/shadow
>     # group = /etc/group
>
> */etc/freeradius/users*
>
>     test1 Auth-Type := Crypt-Local, User-Password := $1$NzW2iwkn$ygDcJgb4WhAEqQYfySFkj/
>         Service-Type = Administrative-User,
>         Cajun-Service-Type := 3,
>
> */etc/shadow*
>
>     test1:$1$cnEh49V6$Q.68mw.3P5rgmsfhbo/iC1:15217:0:9:7:::
>
> I would like to change the password for the user test1. But in the users file I see only the encrypted password. Where is the original password stored? How do I change it?
>
> Thanks a lot for your help.

--
Random quote of the week/month/whenever i get to updating it:
Quis custodiet ipsos custodes?: who shall watch the watchers themselves? - Juvenal
Re: Pre release of 2.1.12
> Hi,
>
> it's now running on our most busy server. Both -X and background-multithreaded do their usual job. I do not see any problems so far.

It's on one of our production servers and on a couple of other systems.

alan
Re: Proxying Based on Criteria Other Than REALM
Hey thanks! :)

From: Phil Mayers p.may...@imperial.ac.uk
To: freeradius-users@lists.freeradius.org
Sent: Thursday, September 1, 2011 10:04 PM
Subject: Re: Proxying Based on Criteria Other Than REALM

> On 01/09/11 14:53, det.explo...@yahoo.com wrote:
>> Hi,
>>
>> Is it possible to proxy based on a group the user belongs to? Or attribute? Or based on NAS from where the request was received?
>>
>> Aside from REALM, is there any other criteria that can be used to decide whether or not to proxy a request?
>
> There are two attributes:
>
> 1. Realm; added to the request by e.g. the suffix module. Doesn't actually do anything; just used for logging.
> 2. Proxy-To-Realm; added to the control items by the suffix module, or by other config. This is what actually controls proxying.
>
> So for example you can do this:
>
>     authorize {
>         ...
>         if (NAS-IP-Address == 192.0.2.1) {
>             update control {
>                 Proxy-To-Realm := OTHERSERVER
>             }
>         }
>         ...
>     }
>
> As you can see, you can therefore proxy on any attribute you like, or even on the output of a script, SQL query, etc.
rlm_eap: SSL error
Can someone point me in the right direction on figuring this out? I'm running Arch linux and I installed via pacman -S freeradius. I didn't edit any config files yet.

[root@pogo /]# uname -a
Linux pogo 2.6.39-ARCH #2 PREEMPT Mon Jul 11 14:08:22 MDT 2011 armv5tel Feroceon 88FR131 rev 1 (v5l) Marvell SheevaPlug Reference Board GNU/Linux
[root@pogo raddb]# radiusd -X
FreeRADIUS Version 2.1.11, for host armv5tel-unknown-linux-gnu, built on Jul 15 2011 at 23:45:34
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
  allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
  name = radiusd
  prefix = /usr
  localstatedir = /var
  sbindir = /usr/sbin
  logdir = /var/log/radius
  run_dir = /var/run/radiusd
  libdir = /usr/lib/freeradius
  radacctdir = /var/log/radius/radacct
  hostname_lookups = no
  max_request_time = 30
  cleanup_delay = 5
  max_requests = 1024
  pidfile = /var/run/radiusd/radiusd.pid
  checkrad = /usr/sbin/checkrad
  debug_level = 0
  proxy_requests = yes
  log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
  }
  security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
  }
}
radiusd: Loading Realms and Home
Re: rlm_eap: SSL error
Chad Rebuck wrote:

Can someone point me in the right direction on figuring this out? I'm running Arch linux and I installed via pacman -S freeradius. I didn't edit any config files yet.

It's supposed to build the various cert files the first time it's booted. If that isn't happening properly, go to raddb/certs and poke around there.

Alan DeKok.
Help: Error in PEAP configuration
Hi guys,

I encountered this error when starting radiusd -X trying to make it work with peap. Can you help me fix this or give me an idea how to?

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
  mschapv2 {
    with_ntdomain_hack = no
  }
rlm_eap: No such sub-type for default EAP type peap
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module eap.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[190]: Errors parsing authenticate section.

I followed this procedure in installing freeradius with openssl.

=== Installation of OpenSSL 0.9.8j: ===
$ wget http://www.openssl.org/source/openssl-0.9.8j.tar.gz
$ tar xzf openssl-0.9.8j.tar.gz
$ cd openssl-0.9.8j
$ ./config --prefix=/usr/local/openssl shared
$ make
$ sudo make install

== Installation of Freeradius 2.14: ==
$ wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.3.tar.gz
$ tar xzf freeradius-server-2.1.3.tar.gz
$ cd freeradius-server-2.1.3
$ ./configure --with-openssl --with-openssl-includes=/usr/local/openssl/include/ --with-openssl-libraries=/usr/local/openssl/lib/
$ make
$ sudo make install

PS: If needed, do a sudo ldconfig, and in case of error consult the file config.log.

Thank you.
Drei
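Added example, not part of the original post or of FreeRADIUS: a POSIX shell triage for radiusd -X output like the one quoted above. It separates "TLS-based EAP types were skipped" from "the default EAP type has no sub-module, so eap cannot instantiate". The function names and exit codes are hypothetical; the sample lines are copied from the post.

```shell
#!/bin/sh
# Added example: triage `radiusd -X` output for EAP sub-types skipped at start-up.

# Constructed sample: the four relevant lines from the post above, one per line.
sample_log() {
cat <<'EOF'
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
rlm_eap: No such sub-type for default EAP type peap
EOF
}

# Print each EAP type the server skipped for lack of OpenSSL support.
skipped_eap_types() {
    sed -n 's|.*Ignoring EAP-Type/\([a-z0-9_-]*\) because we do not have OpenSSL support.*|\1|p'
}

# Print the default EAP type that rlm_eap could not find a sub-module for.
missing_default_type() {
    sed -n 's|.*rlm_eap: No such sub-type for default EAP type \([a-z0-9_-]*\).*|\1|p'
}

# Read a debug log on stdin (hypothetical helper). Return status:
#   0  no EAP start-up problem seen
#   1  TLS-based types skipped, default type still loadable
#   2  the default EAP type has no sub-module (eap fails to instantiate)
triage_eap_log() {
    log=$(cat)
    skipped=$(printf '%s\n' "$log" | skipped_eap_types)
    dflt=$(printf '%s\n' "$log" | missing_default_type | head -n 1)
    if [ -z "$skipped" ] && [ -z "$dflt" ]; then
        return 0
    fi
    for t in $skipped; do
        echo "skipped, build has no OpenSSL support: $t"
    done
    [ -n "$dflt" ] || return 1
    if printf '%s\n' "$skipped" | grep -qxF -- "$dflt"; then
        echo "fatal: default EAP type '$dflt' is one of the skipped types"
    else
        echo "fatal: default EAP type '$dflt' has no loaded sub-module"
    fi
    return 2
}

# Stand-alone demo; "|| ..." keeps the script going on a non-zero status.
sample_log | triage_eap_log || echo "triage status: $?"
```

Real output can be piped in with `radiusd -X 2>&1 | triage_eap_log`. Status 2 together with the "no OpenSSL support" lines means the running binary was built without OpenSSL, so editing eap.conf alone will not bring PEAP back.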