dalo(free)radius authentication problem
Dear all, I followed the guide from the following page with the commands, but when testing, the RADIUS server is not responding.

For the setup on the newest Ubuntu server:

    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get install mysql-server
    sudo apt-get install php5-gd php-pear php-db
    sudo apt-get install freeradius freeradius-mysql
    sudo apt-get install phpmyadmin

On the DaloRadius setup:

    wget .. 9-9.tar.gz
    tar -zxvf daloradius-0.9-9.tar.gz
    mv daloradius-0.9-9 daloradius
    sudo cp daloradius/ /var/www -R
    sudo chown www-data:www-data /var/www/daloradius -R
    sudo chmod 644 /var/www/daloradius/library/daloradius.conf.php

Database setup:

    cd /var/www/daloradius/contrib/db/
    Ignored:
    mysql -u root -p          (enter 'mySqlPassword')
    mysql> CREATE DATABASE radius;
    mysql> quit
    Ignored:
    mysql -u root -p radius < fr2-mysql-daloradius-and-freeradius.sql

Database connection setup:

    cd /var/www/daloradius/library/
    sudo nano -w daloradius.conf.php
        $configValues['FREERADIUS_VERSION'] = '2';
        $configValues['CONFIG_DB_PASS'] = 'mySqlPassword';
        $configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';

Installation completed; login page to create a user:

    http://your ip address/daloradius
    username: administrator
    password: radius

When I test it, it shows no response from the server. The NAS setting is matched; referring to the log file from DaloRadius, it shows "Error: Ignoring request to authentication address". Could it be due to a setup error, or? As referred to the guidance from the web, everything in the setup runs well; using freeradius -x, it shows:

    Listening on authentication interface eth0 * port 1812
    Listening on accounting * port 1813
    Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
    Ready to process requests.

What could be wrong and which part should I check?
Router debugging exists:

    R1#
    *Mar 1 00:03:05.639: AAA/BIND(0003): Bind i/f
    *Mar 1 00:03:05.643: AAA/AUTHEN/LOGIN (0003): Pick method list 'default'
    *Mar 1 00:03:05.651: RADIUS/ENCODE(0003): ask Username:
    *Mar 1 00:03:05.651: RADIUS/ENCODE(0003): send packet; GET_USER
    R1#
    *Mar 1 00:03:07.359: RADIUS/ENCODE(0003): ask Password:
    *Mar 1 00:03:07.363: RADIUS/ENCODE(0003): send packet; GET_PASSWORD
    *Mar 1 00:03:08.795: RADIUS/ENCODE(0003):Orig. component type = EXEC
    *Mar 1 00:03:08.799: RADIUS: AAA Unsupported Attr: interface [174] 5
    *Mar 1 00:03:08.799: RADIUS: 74 74 79 [tty]
    *Mar 1 00:03:08.799: RADIUS/ENCODE(0003): dropping service type, radius-server attribute 6 on-for-login-auth is off
    *Mar 1 00:03:08.803: RADIUS(0003): Config NAS IP: 0.0.0.0
    *Mar 1 00:03:08.803: RADIUS/ENCODE(0003): acct_session_id: 1
    *Mar 1 00:03:08.803: RADIUS(0003): sending
    *Mar 1 00:03:08.807: RADIUS/ENCODE: Best Local IP-Address 192.168.44.1 for Radius-Server 192.168.44.129
    *Mar 1 00:03:08.811: RADIUS(0003): Send Access-Request to 192.168.44.129:1645 id 1645/1, len 84
    *Mar 1 00:03:08.811: RADIUS: authenticator 7D F1 9D 12 60 81 DE 8C - FC 0B A4 96 E1 CD 71 E8
    *Mar 1 00:03:08.811: RADIUS: User-Name [1] 6 test
    *Mar 1 00:03:08.815: RADIUS: User-Password [2] 18 *
    *Mar 1 00:03:08.815: RADIUS: NAS-Port [5] 6 98
    *Mar 1 00:03:08.815: RADIUS: NAS-Port-Id [87] 7 tty98
    *Mar 1 00:03:08.815: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
    *Mar 1 00:03:08.819: RADIUS: Calling-Station-Id [31] 15 192.168.44.10
    *Mar 1 00:03:08.819: RADIUS: NAS-IP-Address [4] 6 192.168.44.1
    R1#
    R1#
    *Mar 1 00:03:13.559: RADIUS: Retransmit to (192.168.44.129:1645,1646) for id 1645/1
    R1#
    *Mar 1 00:03:18.551: RADIUS: Retransmit to (192.168.44.129:1645,1646) for id 1645/1
    R1#
    *Mar 1 00:03:23.223: RADIUS: Retransmit to (192.168.44.129:1645,1646) for id 1645/1
    R1#
    *Mar 1 00:03:27.895: RADIUS: No response from (192.168.44.129:1645,1646) for id 1645/1
    *Mar 1 00:03:27.895: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    *Mar 1 00:03:27.895: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

Thanks, and I appreciate it.
RE: radlast output
-----Original Message-----
From: freeradius-users-bounces+tamas.becz=ericsson.com@lists.freeradius.org [mailto:freeradius-users-bounces+tamas.becz=ericsson.com@lists.freeradius.org] On Behalf Of Sergio Belkin
Sent: Tuesday, July 10, 2012 5:41 PM
To: FreeRadius users mailing list
Subject: radlast output

> Hi, radlast shows NAS-Identifier truncated:
>
>     lbazch   009:AP-PV-PB   Tue Jul 10 12:10   still logged in
>     mfembe   004:AP-PI-PB   Tue Jul 10 12:10   still logged in
>     msabad   005:oficina-   Tue Jul 10 12:10   still logged in
>
> Why? Is it a bug? A misconfiguration? You want the debug output, ok you have it :)

Uhm, you might want to spend the next couple of hours changing those secrets :)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Secure Storage and Transport of User Credentials
Hello,

Is there a way to securely transport and store the username/password with freeradius? If I am informed correctly, you can use PEAP to ensure that the data is encrypted, but the most supported PEAP mode is with MSCHAPv2, which implies that the passwords are stored in clear text or as an NT hash. Did I get something wrong here? I am fairly new to RADIUS and therefore I don't know that much about it...

Thanks in advance!

Best regards,
Marco Macala
Re: radlast output
2012/7/11 Tamás Becz <tamas.b...@ericsson.com>:

> -----Original Message-----
> From: freeradius-users-bounces+tamas.becz=ericsson.com@lists.freeradius.org [mailto:freeradius-users-bounces+tamas.becz=ericsson.com@lists.freeradius.org] On Behalf Of Sergio Belkin
> Sent: Tuesday, July 10, 2012 5:41 PM
> To: FreeRadius users mailing list
> Subject: radlast output
>
>> Hi, radlast shows NAS-Identifier truncated:
>>
>>     lbazch   009:AP-PV-PB   Tue Jul 10 12:10   still logged in
>>     mfembe   004:AP-PI-PB   Tue Jul 10 12:10   still logged in
>>     msabad   005:oficina-   Tue Jul 10 12:10   still logged in
>>
>> Why? Is it a bug? A misconfiguration? You want the debug output, ok you have it :)
>
> Uhm, you might want to spend the next couple of hours changing those secrets :)

Hehehe, I read some time ago something like "the stupid thinks that everyone is stupid" :) What a pity, I thought you had something interesting to teach us! Oh, I see you are trying to teach us something about social engineering on an open source mailing list! Wow...

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
Re: Secure Storage and Transport of User Credentials
On 11/07/12 12:45, Marco Macala wrote:

> Hello, is there a way to securely transport and store the Username/Password with freeradius?

What does that mean?

> If I am informed correctly, you can use PEAP to ensure that the data is encrypted but the most supported PEAP mode is with MSCHAPv2 which implies that the passwords are stored in clear text or NT-Hash.

Yes.
Basic freeradius set up problem
Platform: OpenBSD 5.1
Version: 2.1.12

Hello,

I have a problem setting up freeradius and I think it's related to the domain stripping. Here's what I did for my configuration:

1) Imported the scripts schema.sql, admin.sql, ippool.sql, nas.sql in my MySQL radiusdb database

2) Inserted a user:

    INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('testuser', 'Password', 'passsecret');

3) Configured clients.conf:

    client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
        require_message_authenticator = no
        nastype = other     # localhost isn't usually a NAS...
    }

4) Uncommented in radiusd.conf:

    $INCLUDE ${confdir}/sql.conf
    $INCLUDE ${confdir}/sql/mysql/counter.conf

5) In /etc/raddb/sites-enabled/default uncommented:

    authorize {
        sql
    }
    accounting {
        sql
        sql_log
    }

6) Configured /etc/raddb/sql.conf:

    sql {
        database = mysql
        driver = rlm_sql_${database}
        #socket = var/run/mysql/mysql.sock
        server = localhost
        port = 3306
        login = radiususer
        password = passradius
        radius_db = radius
        acct_table1 = radacct
        acct_table2 = radacct
        postauth_table = radpostauth
        authcheck_table = radcheck
        authreply_table = radreply
        groupcheck_table = radgroupcheck
        groupreply_table = radgroupreply
        usergroup_table = radusergroup
        deletestalesessions = yes
        sqltrace = no
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 60
        lifetime = 0
        max_queries = 0
        nas_table = nas
        $INCLUDE sql/${database}/dialup.conf
    }

7) In /etc/raddb/sql/mysql/dialup.conf added:

    sql_user_name = '%{Stripped-User-Name}'

8) I start the radius server:

    # /usr/local/sbin/radiusd -X

and make a test on the local machine:

    $ radtest testuser passsecret 127.0.0.1 1812 testing123

and I receive an access reject:

    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=222, length=20

9) The debug says:

    rad_recv: Access-Request packet from host 127.0.0.1 port 10251, id=122, length=78
        User-Name = testuser
        User-Password = passsecret
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 1812
        Message-Authenticator = 0xf16b463a77e5dfefbd9385915a307e88
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = testuser, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[files] returns noop
    [sql] expand: %{Stripped-User-Name} ->
    [sql] sql_set_user escaped user --> ''
    rlm_sql (sql): Reserving sql socket id: 3
    [sql] expand:  ->
    [sql] Error generating query; rejecting user
    rlm_sql (sql): Released sql socket id: 3
    ++[sql] returns fail
    Invalid user: [testuser] (from client localhost port 1812)
    Using Post-Auth-Type Reject
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> testuser
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 1 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 1
    Sending Access-Reject of id 122 to 127.0.0.1 port 10251
    Waking up in 4.9 seconds.
    Cleaning up request 1 ID 122 with timestamp +74
    Ready to process requests.

10) I can see that something goes wrong with this message:

    [sql] Error generating query; rejecting user

But I don't understand why.

Thank you to those who can point me in the right direction.

Regards
Re: Basic freeradius set up problem
Hi,

> [sql] expand: %{Stripped-User-Name} ->
> [sql] sql_set_user escaped user --> ''
> rlm_sql (sql): Reserving sql socket id: 3
> [sql] expand:  ->
> [sql] Error generating query; rejecting user
> rlm_sql (sql): Released sql socket id: 3
> ++[sql] returns fail

Stripped-User-Name not populated - so a blank expansion. Do you need Stripped-User-Name? Just use User-Name if not.

alan
Re: Secure Storage and Transport of User Credentials
Hi,

> is there a way to securely transport and store the Username/Password with freeradius? If I am informed correctly, you can use PEAP to ensure that the data is encrypted but the most supported PEAP mode is with MSCHAPv2 which implies that the passwords are stored in clear text or NT-Hash.

PEAP will securely transport things - as with MSCHAPv2 the password is never sent. Whether the passwords are stored in plain/NT-hash format is down to how you are doing things... if they are stored in AD then they are not stored in a plain format.

alan
RES: Basic freeradius set up problem
> 2) Inserted a user:
>
>     INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('testuser', 'Password', 'passsecret');

Use 'Cleartext-Password' instead of 'Password' and try again.
Re: Basic freeradius set up problem
>> [sql] expand: %{Stripped-User-Name} ->
>> [sql] sql_set_user escaped user --> ''
>> rlm_sql (sql): Reserving sql socket id: 3
>> [sql] expand:  ->
>> [sql] Error generating query; rejecting user
>> rlm_sql (sql): Released sql socket id: 3
>> ++[sql] returns fail
>
> Stripped-User-Name not populated - so a blank expansion. do you need stripped-user-name? - just use User-Name if not

Hello Alan,

Thank you for your answer. I may not have understood what you wrote. I replaced in /etc/raddb/sql/mysql/dialup.conf

    sql_user_name = '%{Stripped-User-Name}'

by

    sql_user_name = '%{User-Name}'

But my authentication is still rejected:

    [suffix] No '@' in User-Name = testuser, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[files] returns noop
    [sql] expand: %{User-Name} -> testuser
    [sql] sql_set_user escaped user --> 'testuser'
    rlm_sql (sql): Reserving sql socket id: 4
    [sql] expand:  ->
    [sql] Error generating query; rejecting user
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns fail
    Invalid user: [testuser] (from client localhost port 1812)
    Using Post-Auth-Type Reject
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> testuser
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds

I would like to have simple logins such as testuser and not testuser@somedomain.
Re: Secure Storage and Transport of User Credentials
The problem is that I do not trust the network and I don't want to store the password in plain. Also, isn't the NT hash insecure because it is easily cracked? Or am I mixing things up?

2012/7/11 alan buxey <a.l.m.bu...@lboro.ac.uk>

> Hi,
>
>> is there a way to securely transport and store the Username/Password with freeradius? If I am informed correctly, you can use PEAP to ensure that the data is encrypted but the most supported PEAP mode is with MSCHAPv2 which implies that the passwords are stored in clear text or NT-Hash.
>
> PEAP will securely transport things - as with MSCHAPv2 the password is never sent. whether the passwords are stored in plain/nt-has format is down to how you are doing things.. if they are stored in AD then they are not stored in a plain format.
>
> alan
RE: radlast output
> Hehehe, I've read once time ago somewhat like the stupid thinks that everyone is stupid :) What a pity, I thought you had something interesting to teach us! Oh I see you are trying to teach us something of social engineering in a open source mailing list! Wow...

You posted a lot of sensitive stuff there that has not obviously been replaced by some random garbage. You wouldn't be the first to do that; sorry for drawing your attention to it. As to what that has to do with social engineering, I've no clue, but at least you teach us about sarcasm. Wow..
Re: Secure Storage and Transport of User Credentials
Hi,

> The problem is, that I do not trust the network and I don't want to store the password in plain. Also, isn't the NT Hash insecure beacuse it is easily cracked? Or am i mixing things up?

If you don't trust the network then you will also need to look at using TLS to transport things around - e.g. RADSEC or a VPN tunnel.

As for the NT hash - yes, there are security issues, but only if you have access to them or expose them - if you bind the FreeRADIUS system to an AD and use e.g. ntlm_auth then the NT hash isn't accessed.

alan
ldap attribute
Hello,

I want to get a different attribute from LDAP, something like cn. Is this possible, and where must it be set?

Kind regards
David Sandmann

***
IT Specialist for Systems Integration
Ernst-Moritz-Arndt-Universität
Computing Centre
Felix-Hausdorff-Straße 12
17489 Greifswald
www.rz.uni-greifswald.de
+49 3834 86 1424
+49 3834 86791424
sandm...@uni-greifswald.de
***
Re: Secure Storage and Transport of User Credentials
> if you dont trust the network then you will also need to looking at using TLS to transport things around - eg RADSEC or a VPN tunnel.

Isn't the point of PEAP that I don't need them because it is wrapped in an encrypted communication?

> as for NT hash - yes, there are security issues but only if you have access to them or expose them - if you bind the FreeRADIUS system to an AD and use eg ntlm_auth then the NThash isnt accessed.

The thing is, I can't use AD to store the passwords. Specifically, I would like to store the password as a salted hash.

I want something like this:
- encrypted channel between authenticator and radius server
- passwords stored as a salted hash

2012/7/11 alan buxey <a.l.m.bu...@lboro.ac.uk>

> Hi,
>
>> The problem is, that I do not trust the network and I don't want to store the password in plain. Also, isn't the NT Hash insecure beacuse it is easily cracked? Or am i mixing things up?
>
> if you dont trust the network then you will also need to looking at using TLS to transport things around - eg RADSEC or a VPN tunnel.
>
> as for NT hash - yes, there are security issues but only if you have access to them or expose them - if you bind the FreeRADIUS system to an AD and use eg ntlm_auth then the NThash isnt accessed.
>
> alan
Re: Secure Storage and Transport of User Credentials
On 11/07/12 14:04, Marco Macala wrote:

>> if you dont trust the network then you will also need to looking at using TLS to transport things around - eg RADSEC or a VPN tunnel.
>
> isn't the point of PEAP that i don't need them because it is wrapped in an encrypted communication?

Yes.

>> as for NT hash - yes, there are security issues but only if you have access to them or expose them - if you bind the FreeRADIUS system to an AD and use eg ntlm_auth then the NThash isnt accessed.
>
> The thing is, i can't use AD to store the passwords. Specifically, i would like to store the password as a salted hash.

You can't do this, and use PEAP. PEAP requires MSCHAPv2, which requires plaintext or NT hash exist SOMEWHERE. See:

http://deployingradius.com/documents/protocols/compatibility.html

> I want something like this:
> - encrypted channel between authenticator and radius server

PEAP or TTLS will provide this.

> - passwords stored as a salted hash

Only TTLS-PAP will provide this. See the link above. TTLS is not available until Windows 8, so you will need to deploy software on windows clients.
Re: Basic freeradius set up problem
>>> [sql] expand: %{Stripped-User-Name} ->
>>> [sql] sql_set_user escaped user --> ''
>>> rlm_sql (sql): Reserving sql socket id: 3
>>> [sql] expand:  ->
>>> [sql] Error generating query; rejecting user
>>> rlm_sql (sql): Released sql socket id: 3
>>> ++[sql] returns fail
>>
>> Stripped-User-Name not populated - so a blank expansion. do you need stripped-user-name? - just use User-Name if not
>
> Hello Alan,
>
> Thank you for your answer. I may have not understood what you wrote. I replaced in /etc/raddb/sql/mysql/dialup.conf
>
>     sql_user_name = '%{Stripped-User-Name}'
>
> by
>
>     sql_user_name = '%{User-Name}'
>
> But my authentication is still rejected
>
>     [suffix] No '@' in User-Name = testuser, looking up realm NULL
>     [suffix] No such realm NULL
>     ++[suffix] returns noop
>     [eap] No EAP-Message, not doing EAP
>     ++[eap] returns noop
>     ++[files] returns noop
>     [sql] expand: %{User-Name} -> testuser
>     [sql] sql_set_user escaped user --> 'testuser'
>     rlm_sql (sql): Reserving sql socket id: 4
>     [sql] expand:  ->
>     [sql] Error generating query; rejecting user
>     rlm_sql (sql): Released sql socket id: 4
>     ++[sql] returns fail
>     Invalid user: [testuser] (from client localhost port 1812)
>     Using Post-Auth-Type Reject
>     # Executing group from file /etc/raddb/sites-enabled/default
>     +- entering group REJECT {...}
>     [attr_filter.access_reject] expand: %{User-Name} -> testuser
>     attr_filter: Matched entry DEFAULT at line 11
>     ++[attr_filter.access_reject] returns updated
>     Delaying reject of request 0 for 1 seconds
>
> I would like to have simple logins such as testuser and not testuser@somedomain

Hello lsclrstd,

I have created a second user testuser2 with the password in 'Cleartext-Password'. It doesn't work either.

I have enabled the logs in MySQL, but I don't see any SQL request being made. I think there's a way to enable additional logs with freeradius and see what queries are sent to the MySQL server. Does anyone know how to do that? I'll search more.

Thank you
Re: Secure Storage and Transport of User Credentials
Thanks for the information, you really helped me A LOT! I already looked into http://deployingradius.com/documents/protocols/compatibility.html but I hoped there could be some way around this.

2012/7/11 Phil Mayers <p.may...@imperial.ac.uk>

> On 11/07/12 14:04, Marco Macala wrote:
>
>>> if you dont trust the network then you will also need to looking at using TLS to transport things around - eg RADSEC or a VPN tunnel.
>>
>> isn't the point of PEAP that i don't need them because it is wrapped in an encrypted communication?
>
> Yes.
>
>>> as for NT hash - yes, there are security issues but only if you have access to them or expose them - if you bind the FreeRADIUS system to an AD and use eg ntlm_auth then the NThash isnt accessed.
>>
>> The thing is, i can't use AD to store the passwords. Specifically, i would like to store the password as a salted hash.
>
> You can't do this, and use PEAP. PEAP requires MSCHAPv2, which requires plaintext or NT hash exist SOMEWHERE. See:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
>> I want something like this:
>> - encrypted channel between authenticator and radius server
>
> PEAP or TTLS will provide this.
>
>> - passwords stored as a salted hash
>
> Only TTLS-PAP will provide this. See the link above. TTLS is not available until Windows 8, so you will need to deploy software on windows clients.
sql returns fail for some stop requests
Freeradius ver 2.1.12, configured to use LDAP for auth, SQL for acct.

Sometimes users' sessions get stuck and have to be closed manually (simultaneous use is turned on for all users). After extensive debugging I have found the following in the logs (radius -X):

    [thread] # Executing section preacct from file /etc/raddb/sites-enabled/default
    [thread] +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 14117776,Client-IP-Address = xx.xx.xx.xx,NAS-IP-Address = xx.xx.xx.xx,Acct-Session-Id = erx ip:109.226.0.9:147.235.234.115:1e47:6248:14c2:8b6a:5dac845:0060992452,User-Name = x@ccc'
    [acct_unique] Acct-Unique-Session-ID = d49ba42fa077f5f0.
    ++[acct_unique] returns ok
    [suffix] Looking up realm ccc for User-Name = x@ccc
    [suffix] Found realm ccc
    [suffix] Adding Stripped-User-Name = x
    [suffix] Adding Realm = ccc
    [suffix] Accounting realm is LOCAL.
    ++[suffix] returns ok
    ++[files] returns noop
    # Executing section accounting from file /etc/raddb/sites-enabled/default
    +- entering group accounting {...}
    [detail] expand: %{Packet-Src-IP-Address} -> xx.xx.xx.xx
    [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/xx.xx.xx.xx/detail-20120711
    [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/xx.xx.xx.xx/detail-20120711
    [detail] expand: %t -> Wed Jul 11 02:03:45 2012
    Cleaning up request 12612249 ID 93 with timestamp +729235
    ++[detail] returns ok
    [detail.moreshet] expand: /var/log/radius/radacct/moreshet.relay -> /var/log/radius/radacct/moreshet.relay
    [detail.moreshet] /var/log/radius/radacct/moreshet.relay expands to /var/log/radius/radacct/moreshet.relay
    [detail.moreshet] expand: %t -> Wed Jul 11 02:03:45 2012
    ++[detail.moreshet] returns ok
    ++[unix] returns ok
    [sql] expand: %{Stripped-User-Name} -> x
    [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> x
    [sql] sql_set_user escaped user --> 'x'
    [sql] expand: %{Acct-Input-Gigawords} -> 0
    [sql] expand: %{Acct-Input-Octets} -> 4001
    [sql] expand: %{Acct-Output-Gigawords} -> 0
    [sql] expand: %{Acct-Output-Octets} -> 8134
    [sql] expand: %{Acct-Delay-Time} -> 0
    [sql] expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime= '%{Acct-Session-Time}', acctinputoctets= '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET acctstoptime = '2012-07-11 02:03:45', acctsessiontime= '517', acctinputoctets= '0' << 32 | '4001', acctoutputoctets = '0' << 32 |
    [sql] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
    Cleaning up request 12612250 ID 95 with timestamp +729235
    ++[sql] returns fail
    Thread 20 got semaphore
    Thread 19 got semaphore

It seems the last SQL query line is cut off for some reason. This only happens on some connections, while others are stopped correctly. Not specific to users or time of day.

Version information:

    cat /etc/issue
    CentOS release 5.6 (Final)
    Kernel \r on an \m

    rpm -qa | grep radius
    freeradius2-python-2.1.12-7
    freeradius2-ldap-2.1.12-7
    freeradius2-2.1.12-7
    freeradius2-krb5-2.1.12-7
    freeradius2-mysql-2.1.12-7
    freeradius2-utils-2.1.12-7
    freeradius2-postgresql-2.1.12-7
    freeradius2-perl-2.1.12-7
    freeradius2-unixODBC-2.1.12-7

Additional logs and/or information can be provided if required. Help would be appreciated.

The Cloud has no limit !
http://www.ccc.co.il/

Amir Tal
Systems Automation Expert
Cloud Services
Direct: 972-(0)3-9201471
Fax: 972-(0)-3-9201442
www.ccc.co.il
http://www.facebook.com/triplec.il
Re: Basic freeradius set up problem
Hi,

> [sql] expand: %{User-Name} -> testuser
> [sql] sql_set_user escaped user --> 'testuser'
> rlm_sql (sql): Reserving sql socket id: 4
> [sql] expand:  ->
> [sql] Error generating query; rejecting user

Seems fair enough - there is no expansion for the query - so I would now check your sql.conf and dialup file to verify that the query for authentication/authorization is sane and correct (I've deleted your previous email where you gave more details).

alan
PEAP/EAP_GTC
Hello:

Are there any clients that actually display the EAP-GTC challenge? Essentially, I am trying to use EAP-GTC similarly to how PAP Access-Challenge works:

    Client: ----User/Pass---->Server
    Client: <--Challenge Message--Server
    Client: ---Challenge Response--->Server
    Client: <---Accept--Server

So far, I cannot seem to find documentation to suggest that I CANNOT do this, and the spec suggests that I can, but I cannot seem to find anything that will do this. In addition, are there any resources that thoroughly document EAP-GTC? The RFCs do not provide much information.

Regards.
RE: dalo(free)radius authentication problem
Not sure why you are posting about daloradius on a FreeRADIUS list, but a 2 second look says you have the port numbers wrong.

Michael
--
Michael J. Hartwick, VE3SLQ  hartw...@hartwick.com
Hartwick Communications Consulting  (519) 396-7719
Kincardine, ON, CA  http://www.hartwick.com
--
From: freeradius-users-bounces+hartwick=hartwick.com@lists.freeradius.org On Behalf Of Soul
Sent: Wednesday, July 11, 2012 04:17
To: freeradius-users@lists.freeradius.org
Subject: dalo(free)radius authentication problem
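Michael's diagnosis, made checkable: an added example (not from the thread or from FreeRADIUS) that pulls the auth/acct ports the NAS sends to out of the Cisco debug lines, pulls the ports FreeRADIUS reports listening on out of its startup output, and reports any mismatch. The two log excerpts are constructed from the lines quoted in the thread.

```python
import re

# Constructed excerpts of the router "debug radius" and "freeradius -X" output from the thread.
ROUTER_DEBUG = """\
*Mar 1 00:03:08.811: RADIUS(0003): Send Access-Request to 192.168.44.129:1645 id 1645/1, len 84
*Mar 1 00:03:13.559: RADIUS: Retransmit to (192.168.44.129:1645,1646) for id 1645/1
*Mar 1 00:03:27.895: RADIUS: No response from (192.168.44.129:1645,1646) for id 1645/1
"""
SERVER_DEBUG = """\
Listening on authentication interface eth0 port 1812
Listening on accounting port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
"""


def nas_target_ports(router_debug):
    """Return {'auth': port, 'acct': port} that the NAS is sending to, from IOS debug lines."""
    m = re.search(r"to \(\d+\.\d+\.\d+\.\d+:(\d+),(\d+)\)", router_debug)
    if m:
        return {"auth": int(m.group(1)), "acct": int(m.group(2))}
    # Fall back to the initial Access-Request line, which only names the auth port.
    m = re.search(r"Send Access-Request to \d+\.\d+\.\d+\.\d+:(\d+)", router_debug)
    return {"auth": int(m.group(1))} if m else {}


def server_listen_ports(server_debug):
    """Return {'auth': set(ports), 'acct': set(ports)} that FreeRADIUS reports at startup."""
    ports = {"auth": set(), "acct": set()}
    for line in server_debug.splitlines():
        m = re.match(r"Listening on (authentication|accounting) .*?port (\d+)", line)
        if m:
            kind = "auth" if m.group(1) == "authentication" else "acct"
            ports[kind].add(int(m.group(2)))
    return ports


def port_mismatches(router_debug, server_debug):
    """List (kind, nas_port, server_ports) for every port the NAS uses that the server is not on."""
    target = nas_target_ports(router_debug)
    listening = server_listen_ports(server_debug)
    return [(kind, port, sorted(listening[kind]))
            for kind, port in target.items() if port not in listening[kind]]


if __name__ == "__main__":
    for kind, port, server_ports in port_mismatches(ROUTER_DEBUG, SERVER_DEBUG):
        print(f"{kind}: NAS sends to {port}, server listens on {server_ports}")
```

1645/1646 are the legacy RADIUS ports; on IOS the `auth-port` and `acct-port` keywords of the `radius-server host` command select the ports, so pointing the NAS at 1812/1813 (or adding listeners on 1645/1646 to the server) resolves the mismatch.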
Re: Secure Storage and Transport of User Credentials
Marco Macala wrote:
> Thanks for the information, you really helped me A LOT! I already looked into http://deployingradius.com/documents/protocols/compatibility.html but I hoped there could be some way around this.

What part of impossible is hard to understand? You read the documentation. Instead of believing it, you wasted everyone's time by asking questions where you already knew the answer. That's rude.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RES: Basic freeradius set up problem
lscrlstld wrote:
> 2) Inserted a user:
> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('testuser', 'Password', 'passsecret');

Use 'Cleartext-Password' instead of 'Password' and try again. The Password attribute will be removed in 3.0. I'm thinking of deleting it in 2.2.0, too. Too many people make this *basic* mistake.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
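The same mistake and its fix, as an added example that is not from the thread or from FreeRADIUS: a constructed radcheck table (sqlite3 in memory, in the shape of the FreeRADIUS 2.x SQL schema) holding the posted row, a query that finds rows still using the deprecated 'Password' attribute, and an update that rewrites them as 'Cleartext-Password' with the ':=' operator the FreeRADIUS SQL documentation recommends for check items.

```python
import sqlite3

# Constructed: a minimal radcheck table with the columns of the FreeRADIUS 2.x schema.
SCHEMA = """
CREATE TABLE radcheck (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  username VARCHAR(64) NOT NULL DEFAULT '',
  attribute VARCHAR(64) NOT NULL DEFAULT '',
  op CHAR(2) NOT NULL DEFAULT '==',
  value VARCHAR(253) NOT NULL DEFAULT ''
);
"""


def open_radius_db():
    """Create an in-memory database seeded with the row posted in the thread plus a correct one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        [("testuser", "Password", "==", "passsecret"),          # the mistaken row
         ("alice", "Cleartext-Password", ":=", "example")],     # constructed correct row
    )
    conn.commit()
    return conn


def find_deprecated_password_rows(conn):
    """Return usernames whose check item still uses the deprecated 'Password' attribute."""
    rows = conn.execute(
        "SELECT username FROM radcheck WHERE attribute = 'Password' ORDER BY username"
    ).fetchall()
    return [r[0] for r in rows]


def migrate_to_cleartext_password(conn):
    """Rewrite 'Password' check items as 'Cleartext-Password' with ':='; return rows changed."""
    cur = conn.execute(
        "UPDATE radcheck SET attribute = 'Cleartext-Password', op = ':=' "
        "WHERE attribute = 'Password'"
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_radius_db()
    print("deprecated rows:", find_deprecated_password_rows(db))
    print("rows migrated:", migrate_to_cleartext_password(db))
```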
Re: sql returns fail for some stop requests
Amir Tal wrote:
> It seems the last SQL query line is cut off for some reason, this only happens on some connections, while others are stopped correctly.

The server has limited space for SQL queries. Make them shorter. Remove multiple spaces, etc.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP/EAP_GTC
Carl Pierre wrote:
> Are there any clients that actually display the EAP-GTC challenge?

No idea. Try it and see.

> Essentially, I am trying to use EAP-GTC similarly to how PAP Access-Challenge works:
>
> Client ---User/Pass---> Server
> Client <---Challenge Message--- Server
> Client ---Challenge Response---> Server
> Client <---Accept--- Server
>
> So far, I cannot seem to find documentation to suggest that I CANNOT do this, and the spec suggests that I can, but I cannot seem to find anything that will do this. In addition, are there any resources that thoroughly document EAP-GTC? The RFCs do not provide much information.

The RFCs are the canonical source of information about EAP-GTC. There really isn't much else.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP/EAP_GTC
Hi,

> Are there any clients that actually display the EAP-GTC challenge? Essentially, I am trying to use EAP-GTC similarly to how PAP Access-Challenge works:

have you tried wpa_supplicant or eapol_test ?

> In addition, are there any resources that thoroughly document EAP-GTC? The RFCs do not provide much information.

the RFC *is* the documentation for the EAP-GTC protocol ;-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-TLS WinXP, default_md MD5, default_eap_type
The following questions about changing default_md and default_eap_type are solely for the matter that I should have RADIUS work on some Linux machines and some Windows machines, all of them hopefully with TLS client certificates mainly.

There are some diversities as to MD5 and post-SP1 WinXP: http://freeradius.org/doc/EAP-MD5.html

QUOTE:
Windows XP (before SP1)
Note: since WindowsXP SP1 you can't use EAP-MD5 for wireless devices!!! EAP-MD5 is only available for wired devices.
Go to the Network Connections window. Right-click the connection corresponding to the adapter which is going to use EAP authentication. Go to the Authentication tab. If it doesn't appear (yes, it's weird sometimes) try to unplug and plug your adapter till it does (if PCMCIA...) Otherwise, download the software for the adapter configuration like e.g. ACU for the Cisco adapters and try to de- and reactivate the card. In the Authentication dialog, assure the box Use IEEE802.1X network authentication is checked. Set your EAP type there (EAP/MD5 Challenge). That's all. Now deactivate and reactivate your LAN connection on this adapter and it should work.
ENDQUOTE.

This recommendation is put forth in the etc/raddb/certs/README:

QUOTE:
MD5 has known weaknesses and is discouraged in favor of SHA1 (see http://www.kb.cert.org/vuls/id/836068 for details). If your network equipment supports the SHA1 signature algorithm, we recommend that you change the ca.cnf, server.cnf, and client.cnf files to specify the use of SHA1 for the certificates. To do this, change the 'default_md' entry in those files from 'md5' to 'sha1'.
ENDQUOTE.

In the eap.conf this is put forth:

QUOTE:
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
# md5 {
# }
ENDQUOTE.

QUESTIONS:
- Should I stick only to the changes of default_md in ca.*, server.*, and client.cnf and leave the eap.conf unchanged, or should I add a module like:
sha1 {
}
or change the md5 { } to sha1 { }, or should it be done differently? I count on the postulate in eap.conf that:
QUOTE:
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
ENDQUOTE
and therefore I do not need to change so much in eap.conf.
- Should I by all means keep the WinXP user client to a PEAP solution because the nice doc in http://freeradius.org/doc/EAPTLS.pdf for Windows is outdated or won't work today?

It could be that I complicate the matter here by mixing together parts that do not belong to each other, but I have to ask.
--
Si St
sigbj...@operamail.com
--
http://www.fastmail.fm - The professional email service
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radlast output
2012/7/11 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> What a pity, I thought you had something interesting to teach us! Oh I see you are trying to teach us something of social engineering in an open source mailing list! Wow...
>
> You're getting upset at people who are trying to help you. Be nice, or you can be unsubscribed and banned from the list.
>
> Alan DeKok.

Alan, thanks for your advice; in this mailing list I was always willing to learn and to admit when I have to fix something. The mail from Tamás looked somewhat sarcastic and had nothing to do with the main subject. In fact, such a message could have been private. It's not my habit to be sarcastic. But ok, perhaps it was my mistake; it was not my will to offend Tamás, so my apologies. Thanks as always.
--
Sergio Belkin
http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS WinXP, default_md MD5, default_eap_type
Hello,

the MD5 that is used in EAP-MD5 (configured in eap.conf) and the MD5 that is used as a message digest in certificate generation (configured in the .cnf files you mentioned) have *nothing* to do with each other. I.e. you can change one without side effects on the other.

Since there is no EAP-SHA1, it does not make sense to add a sha1 { } section in eap.conf. The replacements for MD5 in EAP are things like TTLS, PEAP, TLS, and others. They are mentioned in eap.conf. If you want to get rid of EAP-MD5, configure one of those.

Greetings,

Stefan Winter

On 11.07.2012 21:17, Si St wrote:
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radlast output
On Thu, Jul 12, 2012 at 3:17 AM, Sergio Belkin seb...@gmail.com wrote:
> Alan, thanks for your advice; in this mailing list I was always willing to learn and to admit when I have to fix something. The mail from Tamás looked somewhat sarcastic and had nothing to do with the main subject.

If you're still interested in getting the full NAS-Identifier, you should store accounting data in an SQL table. Even if you don't want to manage a separate SQL server (e.g. mysql), you can use something like sqlite to store the data. Needs some effort (e.g. the module is not built by default), but should be doable.
--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html