dalo(free)radius authentication problem

2012-07-11 Thread Soul -

Dear ALL

I was following the guide from the following page with the commands, but when 
testing, the RADIUS server is not responding.
 
   For the setup on the newest Ubuntu server..
-sudo apt-get update
-sudo apt-get upgrade
-sudo apt-get install mysql-server
-sudo apt-get install php5-gd php-pear php-db
-sudo apt-get install freeradius freeradius-mysql
-sudo apt-get install phpmyadmin
On the DaloRadius Setup
-wget .. 9-9.tar.gz
-tar -zxvf daloradius-0.9-9.tar.gz
-mv daloradius-0.9-9 daloradius
-sudo cp daloradius/ /var/www -R
-sudo chown www-data:www-data /var/www/daloradius -R
-sudo chmod 644 /var/www/daloradius/library/daloradius.conf.php
Database setup:
-cd /var/www/daloradius/contrib/db/
- Ignored:
-mysql -u root -p
Enter 'mySqlPassword'
mysql> CREATE DATABASE radius;
mysql> quit
 
- Ignored:
-mysql -u root -p radius < fr2-mysql-daloradius-and-freeradius.sql
Database connection setup:
-cd /var/www/daloradius/library/
-sudo nano -w daloradius.conf.php
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_PASS'] = 'mySqlPassword';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';
Installation completed and login page to create user:
-http://your ip address/daloradius

username: administrator
password: radius

When I test it, it shows no response from the server.. the NAS setting is 
matched; referring to the log file from daloRADIUS, it shows "Error: Ignoring 
request to authentication address". Could it be due to a setup error? As per 
the guidance from the web, everything in the setup runs well; using 
freeradius -x, it shows..
~Listening on authentication interface eth0 *port 1812
~Listening on accounting *port 1813
~Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
~Ready to process request.


What could be wrong, and which part should I check? 


Router debug output: 

R1#
*Mar  1 00:03:05.639: AAA/BIND(0003): Bind i/f
*Mar  1 00:03:05.643: AAA/AUTHEN/LOGIN (0003): Pick method list 'default'
*Mar  1 00:03:05.651: RADIUS/ENCODE(0003): ask Username: 
*Mar  1 00:03:05.651: RADIUS/ENCODE(0003): send packet; GET_USER
R1#
*Mar  1 00:03:07.359: RADIUS/ENCODE(0003): ask Password: 
*Mar  1 00:03:07.363: RADIUS/ENCODE(0003): send packet; GET_PASSWORD
*Mar  1 00:03:08.795: RADIUS/ENCODE(0003): Orig. component type = EXEC
*Mar  1 00:03:08.799: RADIUS:  AAA Unsupported Attr: interface [174] 5  
*Mar  1 00:03:08.799: RADIUS:   74 74 79  [tty]
*Mar  1 00:03:08.799: RADIUS/ENCODE(0003): dropping service type, radius-server attribute 6 on-for-login-auth is off
*Mar  1 00:03:08.803: RADIUS(0003): Config NAS IP: 0.0.0.0
*Mar  1 00:03:08.803: RADIUS/ENCODE(0003): acct_session_id: 1
*Mar  1 00:03:08.803: RADIUS(0003): sending
*Mar  1 00:03:08.807: RADIUS/ENCODE: Best Local IP-Address 192.168.44.1 for Radius-Server 192.168.44.129
*Mar  1 00:03:08.811: RADIUS(0003): Send Access-Request to 192.168.44.129:1645 id 1645/1, len 84
*Mar  1 00:03:08.811: RADIUS:  authenticator 7D F1 9D 12 60 81 DE 8C - FC 0B A4 96 E1 CD 71 E8
*Mar  1 00:03:08.811: RADIUS:  User-Name           [1]   6   test
*Mar  1 00:03:08.815: RADIUS:  User-Password       [2]   18  *
*Mar  1 00:03:08.815: RADIUS:  NAS-Port            [5]   6   98
*Mar  1 00:03:08.815: RADIUS:  NAS-Port-Id         [87]  7   tty98
*Mar  1 00:03:08.815: RADIUS:  NAS-Port-Type       [61]  6   Virtual   [5]
*Mar  1 00:03:08.819: RADIUS:  Calling-Station-Id  [31]  15  192.168.44.10
*Mar  1 00:03:08.819: RADIUS:  NAS-IP-Address      [4]   6   192.168.44.1
R1#
R1#
*Mar  1 00:03:13.559: RADIUS: Retransmit to (192.168.44.129:1645,1646) for id 1645/1
R1#
*Mar  1 00:03:18.551: RADIUS: Retransmit to (192.168.44.129:1645,1646) for id 1645/1
R1#
*Mar  1 00:03:23.223: RADIUS: Retransmit to (192.168.44.129:1645,1646) for id 1645/1
R1#
*Mar  1 00:03:27.895: RADIUS: No response from (192.168.44.129:1645,1646) for id 1645/1
*Mar  1 00:03:27.895: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Mar  1 00:03:27.895: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL


Thanks, and I appreciate it..   

RE: radlast output

2012-07-11 Thread Tamás Becz
 

 -----Original Message-----
 From: freeradius-users-bounces+tamas.becz=ericsson.com@lists.freeradius.org
 [mailto:freeradius-users-bounces+tamas.becz=ericsson.com@lists.freeradius.org] On Behalf Of Sergio Belkin
 Sent: Tuesday, July 10, 2012 5:41 PM
 To: FreeRadius users mailing list
 Subject: radlast output
 
 Hi,
 
 radlast shows NAS-Identifier truncated
 
 lbazch   009:AP-PV-PB  Tue Jul 10 12:10   still logged in
 mfembe   004:AP-PI-PB  Tue Jul 10 12:10   still logged in
 msabad   005:oficina-  Tue Jul 10 12:10   still logged in
 
 Why? Is a bug? A misconfiguration?
 
 You want the debug output, ok you have it :)

Uhm, you might want to spend the next couple of hours changing those secrets :)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Secure Storage and Transport of User Credentials

2012-07-11 Thread Marco Macala
Hello,

is there a way to securely transport and store the Username/Password with
freeradius?

If I am informed correctly, you can use PEAP to ensure that the data is
encrypted but the most supported PEAP mode is with MSCHAPv2 which implies
that the passwords are stored in clear text or NT-Hash.

Did I get something wrong here? I am fairly new to RADIUS and therefore I
don't know that much about it...

Thanks in advance!

Best regards,
Marco Macala

Re: radlast output

2012-07-11 Thread Sergio Belkin
2012/7/11 Tamás Becz tamas.b...@ericsson.com:

 Uhm, you might want to spend the next couple of hours changing those secrets :)

Hehehe, I read some time ago something like "the stupid thinks that
everyone is stupid" :)
What a pity, I thought you had something interesting to teach us!
Oh, I see you are trying to teach us something about social engineering on
an open source mailing list!
Wow...

-- 
--
Sergio Belkin  http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org


Re: Secure Storage and Transport of User Credentials

2012-07-11 Thread Phil Mayers

On 11/07/12 12:45, Marco Macala wrote:

Hello,

is there a way to securely transport and store the Username/Password
with freeradius?


What does that mean?



If I am informed correctly, you can use PEAP to ensure that the data is
encrypted but the most supported PEAP mode is with MSCHAPv2 which
implies that the passwords are stored in clear text or NT-Hash.


Yes.


Basic freeradius set up problem

2012-07-11 Thread Mik J
Platform: OpenBSD 5.1
Version: 2.1.12

Hello,

I have a problem setting up freeradius and I think it's related to the domain 
stripping

Here's what I did for my configuration
1) Imported the scripts schema.sql, admin.sql, ippool.sql, nas.sql in my MySQL 
radiusdb database

2) Inserted a user: INSERT INTO radcheck (UserName, Attribute, Value) VALUES 
('testuser', 'Password', 'passsecret');

3) Configured clients.conf
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nastype = other        # localhost isn't usually a NAS...
}

4) Uncommented in radiusd.conf
$INCLUDE ${confdir}/sql.conf
$INCLUDE ${confdir}/sql/mysql/counter.conf

5) In /etc/raddb/sites-enabled/default uncommented
authorize {
sql
}
accounting {
sql
sql_log
}

6) Configured /etc/raddb/sql.conf
sql {
    database = mysql
    driver = rlm_sql_${database}
    #socket= var/run/mysql/mysql.sock
    server = localhost
    port = 3306
    login = radiususer
    password = passradius
    radius_db = radius
    acct_table1 = radacct
    acct_table2 = radacct
    postauth_table = radpostauth
    authcheck_table = radcheck
    authreply_table = radreply
    groupcheck_table = radgroupcheck
    groupreply_table = radgroupreply
    usergroup_table = radusergroup
    deletestalesessions = yes
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 5
    connect_failure_retry_delay = 60
    lifetime = 0
    max_queries = 0
    nas_table = nas
    $INCLUDE sql/${database}/dialup.conf
}

7) In /etc/raddb/sql/mysql/dialup.conf added
sql_user_name = '%{Stripped-User-Name}'


8) I start the radius server
# /usr/local/sbin/radiusd -X
And make a test on the local machine
$ radtest testuser passsecret 127.0.0.1 1812 testing123
And I receive an access reject: rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=222, length=20

9) The debug says
rad_recv: Access-Request packet from host 127.0.0.1 port 10251, id=122, length=78
    User-Name = testuser
    User-Password = passsecret
    NAS-IP-Address = 192.168.1.1
    NAS-Port = 1812
    Message-Authenticator = 0xf16b463a77e5dfefbd9385915a307e88
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = testuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{Stripped-User-Name} ->
[sql] sql_set_user escaped user --> ''
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand:  ->
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 3
++[sql] returns fail
Invalid user: [testuser] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 122 to 127.0.0.1 port 10251
Waking up in 4.9 seconds.
Cleaning up request 1 ID 122 with timestamp +74
Ready to process requests.

10) I can see that something goes wrong with this message
[sql] Error generating query; rejecting user
But I don't understand why

Thank you to those who can point the right direction.

Regards



Re: Basic freeradius set up problem

2012-07-11 Thread alan buxey
Hi,

 [sql]   expand: %{Stripped-User-Name} ->
 [sql] sql_set_user escaped user --> ''
 rlm_sql (sql): Reserving sql socket id: 3
 [sql]   expand:  ->
 [sql] Error generating query; rejecting user
 rlm_sql (sql): Released sql socket id: 3
 ++[sql] returns fail

Stripped-User-Name not populated - so a blank expansion. do you need
stripped-user-name?  - just use User-Name if not 

alan


Re: Secure Storage and Transport of User Credentials

2012-07-11 Thread alan buxey
Hi,

is there a way to securely transport and store the Username/Password with
freeradius?
If I am informed correctly, you can use PEAP to ensure that the data is
encrypted but the most supported PEAP mode is with MSCHAPv2 which implies
that the passwords are stored in clear text or NT-Hash.

PEAP will securely transport things - as with MSCHAPv2 the password is 
never sent.


Whether the passwords are stored in plain/NT-hash format is down to how you are 
doing things..
if they are stored in AD then they are not stored in a plain format.

alan


RES: Basic freeradius set up problem

2012-07-11 Thread lscrlstld
 2) Inserted a user: INSERT INTO radcheck (UserName, Attribute, Value)
 VALUES ('testuser', 'Password', 'passsecret');

Use 'Cleartext-Password' instead of 'Password' and try again.



Re: Basic freeradius set up problem

2012-07-11 Thread Mik J
  [sql]   expand: %{Stripped-User-Name} ->
  [sql] sql_set_user escaped user --> ''
  rlm_sql (sql): Reserving sql socket id: 3
  [sql]   expand:  ->
  [sql] Error generating query; rejecting user
  rlm_sql (sql): Released sql socket id: 3
  ++[sql] returns fail
 
 Stripped-User-Name not populated - so a blank expansion. do you need
 stripped-user-name?  - just use User-Name if not 


Hello Alan,

Thank you for your answer.
I may have not understood what you wrote.
I replaced in /etc/raddb/sql/mysql/dialup.conf

sql_user_name = '%{Stripped-User-Name}'
by
sql_user_name = '%{User-Name}'

But my authentication is still rejected

[suffix] No '@' in User-Name = testuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand:  ->
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
Invalid user: [testuser] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds

I would like to have simple logins such as testuser and not testuser@somedomain



Re: Secure Storage and Transport of User Credentials

2012-07-11 Thread Marco Macala
The problem is, that I do not trust the network and I don't want to store
the password in plain.

Also, isn't the NT hash insecure because it is easily cracked? Or am I
mixing things up?


RE: radlast output

2012-07-11 Thread Tamás Becz
 

 
 Hehehe, I've read once time ago somewhat like  the stupid 
 thinks that everyone is stupid :) What a pity,  I thought 
 you had something interesting to teach us!
 Oh I see you are trying to teach us something of social 
 engineering in a open source mailing list!
 Wow...
 

You posted a lot of sensitive stuff there that has obviously not been replaced 
by some random garbage. You wouldn't be the first to do that; sorry for drawing 
your attention to it. As to what that has to do with social engineering, 
I've no clue, but at least you teach us about sarcasm. Wow..


Re: Secure Storage and Transport of User Credentials

2012-07-11 Thread alan buxey
Hi,
The problem is, that I do not trust the network and I don't want to store
the password in plain.
Also, isn't the NT Hash insecure beacuse it is easily cracked? Or am i
mixing things up?

If you don't trust the network then you will also need to look at using TLS 
to transport things around, e.g. RADSEC or a VPN tunnel.

As for the NT hash: yes, there are security issues, but only if you have 
access to them or expose them. If you bind the FreeRADIUS system to an AD and 
use e.g. ntlm_auth then the NT hash isn't accessed.

alan


ldap attribute

2012-07-11 Thread sandm...@uni-greifswald.de
Hello,

I want to get a different attribute from LDAP, something like cn.
Is this possible, and where must it be set?

Kind regards

David Sandmann

***
IT specialist for systems integration (Fachinformatiker für Systemintegration)
Ernst-Moritz-Arndt-Universität
Rechenzentrum
Felix-Hausdorff-Straße 12
17489 Greifswald
www.rz.uni-greifswald.de

+49 3834 86 1424
+49 3834 86791424
sandm...@uni-greifswald.de
***

Re: Secure Storage and Transport of User Credentials

2012-07-11 Thread Marco Macala
 if you don't trust the network then you will also need to look at using
 TLS to transport things around, e.g. RADSEC or a VPN tunnel.

Isn't the point of PEAP that I don't need them because it is wrapped in an
encrypted communication?


 as for NT hash - yes, there are security issues but only if you have
access to them
 or expose them - if you bind the FreeRADIUS system to an AD and use eg
ntlm_auth then the NThash
 isnt accessed.

The thing is, I can't use AD to store the passwords. Specifically, I would
like to store the password as a salted hash.

I want something like this:
- encrypted channel between authenticator and radius server
- passwords stored as a salted hash


Re: Secure Storage and Transport of User Credentials

2012-07-11 Thread Phil Mayers

On 11/07/12 14:04, Marco Macala wrote:

  if you dont trust the network then you will also need to looking at
using TLS to transport
  things around - eg RADSEC or a VPN tunnel.

isn't the point of PEAP that i don't need them because it is wrapped in
an encrypted communication?


Yes.




  as for NT hash - yes, there are security issues but only if you have
access to them
  or expose them - if you bind the FreeRADIUS system to an AD and use
eg ntlm_auth then the NThash
  isnt accessed.

The thing is, i can't use AD to store the passwords. Specifically, i
would like to store the password as a salted hash.


You can't do this, and use PEAP. PEAP requires MSCHAPv2, which requires 
plaintext or NT hash exist SOMEWHERE. See:


http://deployingradius.com/documents/protocols/compatibility.html




I want something like this:
- encrypted channel between authenticator and radius server


PEAP or TTLS will provide this.


- passwords stored as a salted hash


Only TTLS-PAP will provide this. See the link above. TTLS is not 
available until Windows 8, so you will need to deploy software on 
windows clients.

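Phil's constraint, shown in code. What follows is an added example, not FreeRADIUS code and not from any poster in this thread: it produces the value of an SSHA-Password check item (a salted SHA-1, the form a salted-hash deployment stores in radcheck), verifies a cleartext password against it the way rlm_pap can once TTLS-PAP has delivered that cleartext inside the TLS tunnel, and records why MS-CHAPv2 (what PEAP carries) cannot use it. The check-item names Cleartext-Password, SHA-Password, SSHA-Password and NT-Password are rlm_pap's; the hex-or-base64 handling in `_decode_hash()` is a simplification of rlm_pap's normalisation and should be confirmed against the installed version's documentation. Usernames, passwords and salts are constructed.

```python
"""Salted-hash storage versus the EAP method that has to verify it.
Added example for this thread, not code from FreeRADIUS or from any poster.
make_ssha_password() produces the value of an SSHA-Password check item as it
would be inserted into radcheck; pap_verify() does what rlm_pap can do once
TTLS-PAP has delivered the cleartext.  _decode_hash() is modelled on rlm_pap's
hex/base64 handling and is an assumption.  All sample data is constructed."""
import base64
import binascii
import hashlib
import hmac
import os


def make_ssha_password(password: str, salt: bytes = None) -> str:
    """Value for an SSHA-Password check item: base64(SHA1(password + salt) + salt).
    With this in radcheck the server never holds the cleartext at rest."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def make_sha_password(password: str, as_hex: bool = True) -> str:
    """Unsalted SHA-Password check item, in either encoding rlm_pap accepts."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return digest.hex() if as_hex else base64.b64encode(digest).decode("ascii")


def radcheck_row(username: str, password: str, salt: bytes = None) -> tuple:
    """(username, attribute, op, value) ready for INSERT INTO radcheck."""
    return (username, "SSHA-Password", ":=", make_ssha_password(password, salt))


def _decode_hash(value: str, digest_len: int) -> bytes:
    """Treat the stored value as hex when it is valid hex of at least the
    digest length, otherwise as base64 (simplified rlm_pap normalisation)."""
    try:
        raw = binascii.unhexlify(value)
        if len(raw) >= digest_len:
            return raw
    except (binascii.Error, ValueError):
        pass
    return base64.b64decode(value)


def pap_verify(attribute: str, stored: str, cleartext: str) -> bool:
    """Check a cleartext password against one 'known good' check item, as
    rlm_pap does after PAP or TTLS-PAP.  Constant-time comparisons throughout."""
    pw = cleartext.encode("utf-8")
    if attribute == "Cleartext-Password":
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    if attribute == "SHA-Password":
        return hmac.compare_digest(_decode_hash(stored, 20), hashlib.sha1(pw).digest())
    if attribute == "SSHA-Password":
        raw = _decode_hash(stored, 20)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError("no known-good password attribute: " + attribute)


def mschapv2_can_use(attribute: str) -> bool:
    """MS-CHAPv2 gives the server only the challenges and a 24-octet
    NT-Response, a function of the NT hash; it is checkable from
    Cleartext-Password (NT hash derived on the fly) or NT-Password, never
    from a salted hash.  That is the compatibility constraint Phil points at."""
    return attribute in ("Cleartext-Password", "NT-Password")


if __name__ == "__main__":
    row = radcheck_row("alice", "correct horse")
    print(row, pap_verify(row[1], row[3], "correct horse"), mschapv2_can_use(row[1]))
```

The salt is stored next to the digest, so the value in radcheck leaks nothing reusable without an offline guess per row, which is the property Marco asked for; the price is that the only inner method that can verify it is one that carries the cleartext, i.e. PAP inside TTLS.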


Re: Basic freeradius set up problem

2012-07-11 Thread Mik J
Hello lsclrstd,
I have created a second user testuser2 with the password in 'Cleartext-Password'.
It doesn't work either. I have enabled the logs in MySQL, but I don't see any 
SQL request being made.
I think there's a way to enable additional logs with FreeRADIUS and see what 
queries are sent to the MySQL server. Does anyone know how to do that?
I'll search more.
Thank you



Re: Secure Storage and Transport of User Credentials

2012-07-11 Thread Marco Macala
Thanks for the information, your really helped me A LOT!

I already looked into http://deployingradius.com/documents/protocols/compatibility.html
but I hoped there could be some way around this.




sql returns fail for some stop requests

2012-07-11 Thread Amir Tal
Freeradius ver 2.1.12, configured to use ldap for auth, sql for acct.

Sometimes users' sessions get stuck and have to be closed manually (simultaneous 
use is turned on for all users).
After extensive debugging I have found the following in the logs (radius -X)


[thread] # Executing section preacct from file 
/etc/raddb/sites-enabled/default
[thread] +- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 14117776,Client-IP-Address = 
xx.xx.xx.xx,NAS-IP-Address = xx.xx.xx.xx,Acct-Session-Id = erx 
ip:109.226.0.9:147.235.234.115:1e47:6248:14c2:8b6a:5dac845:0060992452,Use
r-Name = x@ccc'
[acct_unique] Acct-Unique-Session-ID = d49ba42fa077f5f0.
++[acct_unique] returns ok
[suffix] Looking up realm ccc for User-Name = x@ccc
[suffix] Found realm ccc
[suffix] Adding Stripped-User-Name = x
[suffix] Adding Realm = ccc
[suffix] Accounting realm is LOCAL.
++[suffix] returns ok
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]    expand: %{Packet-Src-IP-Address} -> xx.xx.xx.xx
[detail]    expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/xx.xx.xx.xx/detail-20120711
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/xx.xx.xx.xx/detail-20120711
[detail]    expand: %t -> Wed Jul 11 02:03:45 2012
Cleaning up request 12612249 ID 93 with timestamp +729235
++[detail] returns ok
[detail.moreshet]   expand: /var/log/radius/radacct/moreshet.relay -> /var/log/radius/radacct/moreshet.relay
[detail.moreshet] /var/log/radius/radacct/moreshet.relay expands to /var/log/radius/radacct/moreshet.relay
[detail.moreshet]   expand: %t -> Wed Jul 11 02:03:45 2012
++[detail.moreshet] returns ok
++[unix] returns ok
[sql]   expand: %{Stripped-User-Name} -> x
[sql]   expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> x
[sql] sql_set_user escaped user --> 'x'
[sql]   expand: %{Acct-Input-Gigawords} -> 0
[sql]   expand: %{Acct-Input-Octets} -> 4001
[sql]   expand: %{Acct-Output-Gigawords} -> 0
[sql]   expand: %{Acct-Output-Octets} -> 8134
[sql]   expand: %{Acct-Delay-Time} -> 0
[sql]   expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET acctstoptime = '2012-07-11 02:03:45', acctsessiontime = '517', acctinputoctets = '0' << 32 | '4001', acctoutputoctets = '0' << 32 |
[sql]   expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
Cleaning up request 12612250 ID 95 with timestamp +729235
++[sql] returns fail
Thread 20 got semaphore
Thread 19 got semaphore

It seems the last SQL query line is cut off for some reason, this only happens 
on some connections, while others are stopped correctly.
Not specific to users or time of day.

Versions information:

cat /etc/issue :
CentOS release 5.6 (Final)
Kernel \r on an \m

rpm -qa | grep radius :
freeradius2-python-2.1.12-7
freeradius2-ldap-2.1.12-7
freeradius2-2.1.12-7
freeradius2-krb5-2.1.12-7
freeradius2-mysql-2.1.12-7
freeradius2-utils-2.1.12-7
freeradius2-postgresql-2.1.12-7
freeradius2-perl-2.1.12-7
freeradius2-unixODBC-2.1.12-7

additional logs and/or information can be provided if required.
Help would be appreciated.

The Cloud has no limit !

http://www.ccc.co.il/

Amir Tal
Systems Automation Expert
Cloud Services
Direct: 972-(0)3-9201471
Fax: 972-(0)-3-9201442
www.ccc.co.il   http://www.facebook.com/triplec.il

Re: Basic freeradius set up problem

2012-07-11 Thread alan buxey
Hi,

  [sql]   expand: %{User-Name} -> testuser
  [sql] sql_set_user escaped user --> 'testuser'
  rlm_sql (sql): Reserving sql socket id: 4
  [sql]   expand:  ->
  [sql] Error generating query; rejecting user

seems fair enough - there is no expansion for the query  - so I would
now check your sql.conf and dialup file to verify that the query
for authentication/authorization is sane and correct  (I've deleted your 
previous
email where you gave more details)

alan


PEAP/EAP_GTC

2012-07-11 Thread Carl Pierre
Hello:

Are there any clients that actually display the EAP-GTC challenge?
Essentially, I am trying to use EAP-GTC similarly to how PAP
Access-Challenge works:

Client: ---User/Pass-----------> Server
Client: <--Challenge Message---- Server
Client: ---Challenge Response--> Server
Client: <--Accept--------------- Server

So far, I cannot seem to find documentation to suggest that I CANNOT do
this, and the spec suggests that I can, but I cannot seem to find anything
that will do this.

In addition, are there any resources that thoroughly documents EAP-GTC? The
RFCs do not provide much information.

Regards.

RE: dalo(free)radius authentication problem

2012-07-11 Thread Michael Hartwick
Not sure why you are posting about daloRADIUS on a FreeRADIUS list,
but a two-second look says you have the port numbers wrong.

 

Michael

 

--
Michael J. Hartwick, VE3SLQ
mailto:hartw...@hartwick.com
Hartwick Communications Consulting  (519) 396-7719
Kincardine, ON, CA
http://www.hartwick.com
--

 

From:
freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org
[mailto:freeradius-users-bounces+hartwick=hartwick.com@lists.freeradiu
s.org] On Behalf Of Soul -
Sent: Wednesday, July 11, 2012 04:17
To: freeradius-users@lists.freeradius.org
Subject: dalo(free)radius authentication problem

 

Dear ALL

i was follow the guide from the following page with the command, but
when testing, the Radius server is not responding.
 
   For the setup on the Ubuntu newest server..
-sudo apt-get update
-sudo apt-get upgrade
-sudo apt-get install mysql-server
-sudo apt-get install php5-gd php-pear php-db
-sudo apt-get install freeradius freeradius-mysql
-sudo apt-get install phpmyadmin
On the DaloRadius Setup
-wget .. 9-9.tar.gz
-tar -zxvf daloradius-0.9-9.tar.gz
-mv daloradius-0.9-9 daloradius
-sudo cp daloradius/ /var/www -R
-sudo chown www-data:www-data /var/www/daloradius -R
-sudo chmod 644
/var/www/daloradius/library/daloradius.conf.php
Database setup:
-cd /var/www/daloradius/contrib/db/
- Ignored:
-mysql -u root -p
Enter 'mySqlPassword'
mysql!
  CREATE DATABASE radius;
mysql quit
 
- Ignored:
-mysql -u root -p radius 
fr2-mysql-daloradius-and-freeradius.sql
Database connection setup:
-cd /var/www/daloradius/library/
-sudo nano -w daloradius.conf.php
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_PASS'] = 'mySqlPassword';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';
Installation completed and login page to create user:
-http://your ip address/daloradius

username: administrator
password: radius

When I test it, it shows no response from the server. The NAS setting
is matched; referring to the log file from daloRADIUS, it shows
"Error: Ignoring request to authentication address". Could it be due
to a setup error? As per the guidance from the web, the setup all runs
well; using freeradius -x, it shows..
~Listening on authentication interface eth0 *port 1812
~Listening on accounting *port 1813
~Listening on authentication address 127.0.0.1 port 18120 as
server inner-tunnel
~Ready to process request.


What could be wrong, and which part should I check?


Router debugging exists:

R1#
*Mar  1 00:03:05.639: AAA/BIND(0003): Bind i/f
*Mar  1 00:03:05.643: AAA/AUTHEN/LOGIN (0003): Pick method list 'default'
*Mar  1 00:03:05.651: RADIUS/ENCODE(0003): ask Username:

*Mar  1 00:03:05.651: RADIUS/ENCODE(0003): send packet; GET_USER
R1#
*Mar  1 00:03:07.359: RADIUS/ENCODE(0003): ask Password:

*Mar  1 00:03:07.363: RADIUS/ENCODE(0003): send packet; GET_PASSWORD
*Mar  1 00:03:08.795: RADIUS/ENCODE(0003):Orig. component type = EXEC
*Mar  1 00:03:08.799: RADIUS:  AAA Unsupported Attr: interface [174] 5
*Mar  1 00:03:08.799: RADIUS:   74 74 79 [tty]
*Mar  1 00:03:08.799: RADIUS/ENCODE(0003): dropping service type, radius-server attribute 6 on-for-login-auth is off
*Mar  1 00:03:08.803: RADIUS(0003): Config NAS IP: 0.0.0.0
*Mar  1 00:03:08.803: RADIUS/ENCODE(0003): acct_session_id: 1
*Mar  1 00:03:08.803: RADIUS(0003): sending
*Mar  1 00:03:08.807: RADIUS/ENCODE: Best Local IP-Address 192.168.44.1 for Radius-Server 192.168.44.129
*Mar  1 00:03:08.811: RADIUS(0003): Send Access-Request to 192.168.44.129:1645 id 1645/1, len 84
*Mar  1 00:03:08.811: RADIUS:  authenticator 7D F1 9D 12 60 81 DE 8C - FC 0B A4 96 E1 CD 71 E8
*Mar  1 00:03:08.811: RADIUS:  User-Name           [1]   6   test
*Mar  1 00:03:08.815: RADIUS:  User-Password       [2]   18  *
*Mar  1 00:03:08.815: RADIUS:  NAS-Port            [5]   6   98
*Mar  1 00:03:08.815: RADIUS:  NAS-Port-Id         [87]  7   tty98
*Mar  1 00:03:08.815: RADIUS:  NAS-Port-Type       [61]  6   Virtual   [5]
*Mar  1 00:03:08.819: RADIUS:  Calling-Station-Id  [31]  15  192.168.44.10
*Mar  1 00:03:08.819: RADIUS:  NAS-IP-Address      [4]   6
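
The mismatch Michael points at is visible in the two logs: the router reports "Send Access-Request to 192.168.44.129:1645" while the server reports "Listening on authentication interface eth0 port 1812". Cisco IOS defaults to the pre-RFC 2865 ports 1645/1646 and FreeRADIUS to 1812/1813, so the request is sent to a port nothing is listening on; on IOS the fix is the auth-port/acct-port arguments of the radius-server host command. Separately, "Ignoring request to authentication address" is what FreeRADIUS 2.x logs when a packet arrives from a source address that is not defined in clients.conf, so the NAS entry is worth checking as well. The block below is an added example for this thread, not code from FreeRADIUS, daloRADIUS or Cisco: it rebuilds the 84-octet Access-Request from the debug output above, hides and reveals User-Password the way RFC 2865 section 5.2 prescribes, and verifies a reply's Response Authenticator. The shared secret, the cleartext password (the debug prints it as "*") and the Request Authenticator used by the caller are assumptions.

```python
"""RFC 2865 Access-Request / Access-Accept encoding for the exchange in the
router debug above.  Added example, not FreeRADIUS, daloRADIUS or Cisco code.
Assumed: shared secret, cleartext password and the Request Authenticator."""
import hashlib
import hmac
import socket
import struct

# Attribute types seen in the router's Access-Request (RFC 2865 section 5).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
REPLY_MESSAGE, CALLING_STATION_ID, NAS_PORT_TYPE, NAS_PORT_ID = 18, 31, 61, 87
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
RFC_AUTH_PORT, IOS_DEFAULT_AUTH_PORT = 1812, 1645  # server listens on the first, router sent to the second

SECRET = b"testing123"  # assumed shared secret, not from the thread


def _xor_chain(data, secret, req_auth, chain_on_output):
    """Block i is XORed with MD5(secret + previous block); the first 'previous block'
    is the Request Authenticator.  Hiding chains on the ciphertext it produces,
    revealing chains on the ciphertext it consumes."""
    out, prev = bytearray(), req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, mask))
        out += res
        prev = res if chain_on_output else block
    return bytes(out)


def hide_password(password, secret, req_auth):
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # pad with NULs to a multiple of 16
    return _xor_chain(padded, secret, req_auth, chain_on_output=True)


def reveal_password(hidden, secret, req_auth):
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    return _xor_chain(hidden, secret, req_auth, chain_on_output=False).rstrip(b"\x00")


def avp(attr_type, value):
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(avp(t, v) for t, v in attrs)
    if 20 + len(body) > 4096:
        raise ValueError("packet longer than 4096 octets")
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Header plus attribute walk; raises on the length errors RFC 2865 says to drop silently."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return {"code": code, "id": ident, "authenticator": data[4:20], "attrs": attrs}


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = b"".join(avp(t, v) for t, v in attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def build_response(code, ident, req_auth, attrs, secret):
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, attrs, secret), attrs)


def verify_response(data, req_auth, secret):
    """A NAS must discard a reply whose Response Authenticator does not match."""
    p = parse_packet(data)
    expected = response_authenticator(p["code"], p["id"], req_auth, p["attrs"], secret)
    return hmac.compare_digest(expected, p["authenticator"])


def router_access_request(req_auth, secret, password, ident=1):
    """The 84-octet Access-Request from the debug, attributes in the order the router listed them."""
    attrs = [
        (USER_NAME, b"test"),
        (USER_PASSWORD, hide_password(password, secret, req_auth)),
        (NAS_PORT, struct.pack("!I", 98)),
        (NAS_PORT_ID, b"tty98"),
        (NAS_PORT_TYPE, struct.pack("!I", 5)),               # Virtual
        (CALLING_STATION_ID, b"192.168.44.10"),
        (NAS_IP_ADDRESS, socket.inet_aton("192.168.44.1")),  # the "Best Local IP-Address" the router picked
    ]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


if __name__ == "__main__":
    ra = bytes.fromhex("7DF19D126081DE8CFC0BA496E1CD71E8")  # the authenticator printed in the debug
    pkt = router_access_request(ra, SECRET, b"assumed-pw")
    print(len(pkt), "octets; the router sends to UDP", IOS_DEFAULT_AUTH_PORT,
          "but the server listens on", RFC_AUTH_PORT)
```

The length check is the useful cross-check against the debug: the attribute list reproduces exactly the 84 octets the router reported, so the packet leaving the router is well formed and the only thing wrong with it is the destination port. Note that User-Password hiding is a keystream derived from MD5 of the shared secret, so anyone who can sniff the request and guess the secret recovers the password; that is why the secret deserves to be long and random even on a lab network.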

Re: Secure Storage and Transport of User Credentials

2012-07-11 Thread Alan DeKok
Marco Macala wrote:
 Thanks for the information, your really helped me A LOT!
 
 I already looked into 
 http://deployingradius.com/documents/protocols/compatibility.html
 but I hoped there could be some way around this.

  What part of impossible is hard to understand?

  You read the documentation.  Instead of believing it, you wasted
everyones time by asking questions where you already knew the answer.

  That's rude.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RES: Basic freeradius set up problem

2012-07-11 Thread Alan DeKok
lscrlstld wrote:
 2) Inserted a user: INSERT INTO radcheck (UserName, Attribute, Value)
 VALUES ('testuser', 'Password', 'passsecret');
 
 Use 'Cleartext-Password' instead of 'Password' and try again.

  The Password attribute will be removed in 3.0.  I'm thinking of
deleting it in 2.2.0, too.

  Too many people make this *basic* mistake.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
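
To make the fix concrete, the block below is an added example (not FreeRADIUS's own code) that models the radcheck lookup FreeRADIUS 2.x's default authorize_check_query performs and the PAP comparison on its result. It loads the INSERT from the quoted message exactly as posted next to a corrected row, and includes a lint function for finding the same mistake in an existing radcheck table. The table definition follows the FreeRADIUS 2.x SQL schema; the user "bob" and his password are made up, and hashed password attributes are only reported, not verified.

```python
"""Model of the radcheck lookup FreeRADIUS 2.x does for a PAP login, showing why
a 'Password' row never authenticates and what the row should look like.
Added example for this thread, not FreeRADIUS code.  The users are made up."""
import hmac
import sqlite3

# radcheck as defined in the FreeRADIUS 2.x SQL schema (op defaults to '==').
RADCHECK_DDL = """
CREATE TABLE radcheck (
  id        INTEGER PRIMARY KEY AUTOINCREMENT,
  username  VARCHAR(64)  NOT NULL DEFAULT '',
  attribute VARCHAR(64)  NOT NULL DEFAULT '',
  op        CHAR(2)      NOT NULL DEFAULT '==',
  value     VARCHAR(253) NOT NULL DEFAULT ''
)"""

# The default authorize_check_query from sql.conf, with a bind parameter in
# place of the %{SQL-User-Name} expansion.
AUTHORIZE_CHECK_QUERY = ("SELECT id, username, attribute, value, op "
                         "FROM radcheck WHERE username = ? ORDER BY id")


def add_user(conn, username, cleartext):
    """The row the reply asks for: Cleartext-Password, set with ':=' so pap can compare it."""
    conn.execute("INSERT INTO radcheck (username, attribute, op, value) "
                 "VALUES (?, 'Cleartext-Password', ':=', ?)", (username, cleartext))
    conn.commit()


def pap_authenticate(conn, username, user_password):
    """Returns ('Accept'|'Reject', reason).  Only Cleartext-Password is compared here;
    hashed forms (Crypt-Password, NT-Password, ...) are reported, not verified."""
    rows = conn.execute(AUTHORIZE_CHECK_QUERY, (username,)).fetchall()
    if not rows:
        return "Reject", "no radcheck rows for user"
    for _id, _user, attribute, value, op in rows:
        if attribute == "Cleartext-Password":
            if op != ":=":
                return "Reject", "Cleartext-Password should be set with op ':='"
            ok = hmac.compare_digest(value.encode(), user_password.encode())
            return ("Accept" if ok else "Reject"), "Cleartext-Password compared"
        if attribute.endswith("-Password"):
            return "Reject", f"{attribute} present but not verified by this model"
    return "Reject", "no password attribute pap can use (is it 'Password' instead of 'Cleartext-Password'?)"


def lint_radcheck(conn):
    """Find rows with the basic mistake from the thread: attribute 'Password',
    or a Cleartext-Password row whose op is not ':='."""
    problems = []
    for username, attribute, op in conn.execute("SELECT username, attribute, op FROM radcheck ORDER BY id"):
        if attribute == "Password":
            problems.append((username, "attribute 'Password' should be 'Cleartext-Password'"))
        elif attribute == "Cleartext-Password" and op != ":=":
            problems.append((username, f"op {op!r} should be ':='"))
    return problems


def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(RADCHECK_DDL)
    # The INSERT from the thread, as posted; op falls back to the '==' default.
    conn.execute("INSERT INTO radcheck (UserName, Attribute, Value) "
                 "VALUES ('testuser', 'Password', 'passsecret')")
    add_user(conn, "bob", "correct horse")  # made-up user with the corrected row
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(pap_authenticate(db, "testuser", "passsecret"))
    print(pap_authenticate(db, "bob", "correct horse"))
    for user, problem in lint_radcheck(db):
        print(user, "->", problem)
```

Run stand-alone it prints Reject for the row as posted and Accept for the corrected one; lint_radcheck is the quick check to run against a populated radcheck table before asking the list. In production the value column should of course hold a hashed form (for example NT-Password or SSHA-Password) rather than cleartext where the EAP method in use allows it.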


Re: sql returns fail for some stop requests

2012-07-11 Thread Alan DeKok
Amir Tal wrote:
 It seems the last SQL query line is cut off for some reason, this only
 happens on some connections, while others are stopped correctly.

  The server has limited space for SQL queries.  Make them shorter.
Remove multiple spaces, etc.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP/EAP_GTC

2012-07-11 Thread Alan DeKok
Carl Pierre wrote:
 Are there any clients that actually display the EAP-GTC challenge?

  No idea.  Try it and see.

 Essentially, I am trying to use EAP-GTC similarly to how PAP
 Access-Challenge works:
 
 Client: ---User/Pass---> Server
 Client: <--Challenge Message--- Server
 Client: ---Challenge Response---> Server
 Client: <--Accept--- Server
 
 So far, I cannot seem to find documentation to suggest that I CANNOT do
 this, and the spec suggests that I can, but I cannot seem to find
 anything that will do this.
 
 In addition, are there any resources that thoroughly documents EAP-GTC?
 The RFCs do not provide much information. 

  The RFCs are the canonical source of information about EAP-GTC.  There
really isn't much else.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP/EAP_GTC

2012-07-11 Thread alan buxey
Hi,

Are there any clients that actually display the EAP-GTC challenge?
Essentially, I am trying to use EAP-GTC similarly to how PAP
Access-Challenge works:


have you tried wpa_supplicant or eapol_test ?

In addition, are there any resources that thoroughly documents EAP-GTC?
The RFCs do not provide much information. 

the RFC *is* the documentation for the EAP-GTC protocol  ;-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP-TLS WinXP, default_md MD5, default_eap_type

2012-07-11 Thread Si St
The following questions about changing default_md and default_eap_type
is solely for the matter that I should have RADIUS work on some
Linux-machines and some Windows-machines all of them hopefully with TLS
client certificates mainly.

There are some diversities as to MD5 and post SP1 WinXP:

http://freeradius.org/doc/EAP-MD5.html
QUOTE:
Windows XP (before SP1)

Note: since WindowsXP SP1 you can't use EAP-MD5 for wireless devices!!!
EAP-MD5 is only available for wired devices.

Go to the Network Connections window. Right-click the connection
corresponding to the adapter which is going to use EAP authentication.
Go to the Authentication tab. If it doesn’t appear (yes, it’s weird
sometimes) try to unplug and plug your adapter till it does (if
PCMCIA...) Otherwise, download the software for the adapter
configuration like e.g. ACU for the Cisco adapters and try to de- and
reactivate the card.

In the Authentication dialog, assure the box Use IEEE802.1X network
authentication is checked. Set your EAP type there (EAP/MD5 Challenge).

That’s all. Now deactivate and reactivate your LAN-connection on this
adapter and it should work. 
ENDQUOTE.

This recommendation is put forth in the etc/raddb/certs/README:
QUOTE:
MD5 has known weaknesses and is discouraged in favor of SHA1 (see
http://www.kb.cert.org/vuls/id/836068 for details). If your network
equipment supports the SHA1 signature algorithm, we recommend that you
change the ca.cnf, server.cnf, and client.cnf files to specify
the use of SHA1 for the certificates. To do this, change the
'default_md' entry in those files from 'md5' to 'sha1'.
ENDQUOTE.

In the eap.conf this is put forth:
QUOTE:
#  We do NOT recommend using EAP-MD5 authentication
#  for wireless connections.  It is insecure, and does
#  not provide for dynamic WEP keys.
#
md5 {
}
ENDQUOTE.

QUESTIONS:
-Should I stick only to the changes of default_md in ca.*,server.*, and
client.cnf and leave the eap.conf unchanged, or should I add a module
like:
sha1 {
}
or change the md5{} to sha1{}

or should it be done differently? I count on the postulate in
eap.conf that:
QUOTE:
  #  If the EAP-Type attribute is set by another module,
#  then that EAP type takes precedence over the
#  default type configured here.
ENDQUOTE
and therefore I do not need to change so much in eap.conf

-Should I by all means keep winXP-userclient to a PEAP solution because
the nice doc in:

http://freeradius.org/doc/EAPTLS.pdf

for Windows is outdated or won't work today?

It could be that I complicate the matter here by mixing together parts
that do not belong to each other, but I have to ask
-- 
  Si St
  sigbj...@operamail.com

-- 
http://www.fastmail.fm - The professional email service

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radlast output

2012-07-11 Thread Sergio Belkin
2012/7/11 Alan DeKok al...@deployingradius.com:
 Sergio Belkin wrote:
 What a pity,  I thought you had something interesting to teach us!
 Oh I see you are trying to teach us something of social engineering in
 a open source mailing list!
 Wow...

   You're getting upset at people who are trying to help you.

   Be nice, or you can be unsubscribed and banned from the list.

   Alan DeKok.
 -

Alan, thanks for your advice; in this mailing list I have always been
willing to learn and to admit when I have to fix something. The mail
from Tamás looked somewhat sarcastic and had nothing to do with the main
subject. In fact, such a message could have been private.
It's not my habit to be sarcastic. But OK, perhaps it was my mistake;
it was not my will to offend Tamás, so my apologies.
Thanks as always.




-- 
--
Sergio Belkin  http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS WinXP, default_md MD5, default_eap_type

2012-07-11 Thread Stefan Winter
Hello,

the MD5 that is used in EAP-MD5 (configured in eap.conf) and the MD5
that is used as a message digest in certificate generation (configured
in the .cnf files you mentioned) have *nothing* to do with each other.

I.e. you can change one without side-effects on the other.

Since there is no EAP-SHA1, it does not make sense to add a sha1 { }
section in eap.conf.

The replacements for MD5 in EAP are things like TTLS, PEAP, TLS, and
others. They are mentioned in eap.conf. If you want to get rid of
EAP-MD5, configure one of those.

Greetings,

Stefan Winter

On 11.07.2012 21:17, Si St wrote:
 The following questions about changing default_md and default_eap_type
 is solely for the matter that I should have RADIUS work on some
 Linux-machines and some Windows-machines all of them hopefully with TLS
 client certificates mainly.

 There are some diversities as to MD5 and post SP1 WinXP:

 http://freeradius.org/doc/EAP-MD5.html
 QUOTE:
 Windows XP (before SP1)

 Note: since WindowsXP SP1 you can't use EAP-MD5 for wireless devices!!!
 EAP-MD5 is only available for wired devices.

 Go to the Network Connections window. Right-click the connection
 corresponding to the adapter which is going to use EAP authentication.
 Go to the Authentication tab. If it doesn’t appear (yes, it’s weird
 sometimes) try to unplug and plug your adapter till it does (if
 PCMCIA...) Otherwise, download the software for the adapter
 configuration like e.g. ACU for the Cisco adapters and try to de- and
 reactivate the card.

 In the Authentication dialog, assure the box Use IEEE802.1X network
 authentication is checked. Set your EAP type there (EAP/MD5 Challenge).

 That’s all. Now deactivate and reactivate your LAN-connection on this
 adapter and it should work. 
 ENDQUOTE.

 This recommendation is put forth in the etc/raddb/certs/README:
 QUOTE:
 MD5 has known weaknesses and is discouraged in favor of SHA1 (see
 http://www.kb.cert.org/vuls/id/836068 for details). If your network
 equipment supports the SHA1 signature algorithm, we recommend that you
 change the ca.cnf, server.cnf, and client.cnf files to specify
 the use of SHA1 for the certificates. To do this, change the
 'default_md' entry in those files from 'md5' to 'sha1'.
 ENDQUOTE.

 In the eap.conf this is put forth:
 QUOTE:
 #  We do NOT recommend using EAP-MD5 authentication
 #  for wireless connections.  It is insecure, and does
 #  not provide for dynamic WEP keys.
 #
 md5 {
 }
 ENDQUOTE.

 QUESTIONS:
 -Should I stick only to the changes of default_md in ca.*,server.*, and
 client.cnf and leave the eap.conf unchanged, or should I add a module
 like:
   sha1 {
   }
 or change the md5{} to sha1{}

 or should it be done differently? I count on the postulate in
 eap.conf that:
 QUOTE:
   #  If the EAP-Type attribute is set by another module,
 #  then that EAP type takes precedence over the
 #  default type configured here.
 ENDQUOTE
 and therefore I do not need to change so much in eap.conf

 -Should I by all means keep winXP-userclient to a PEAP solution because
 the nice doc in:

 http://freeradius.org/doc/EAPTLS.pdf

 for Windows is outdated or won't work today?

 It could be that I complicate the matter here by mixing together parts
 that do not belong to each other, but I have to ask


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radlast output

2012-07-11 Thread Fajar A. Nugraha
On Thu, Jul 12, 2012 at 3:17 AM, Sergio Belkin seb...@gmail.com wrote:

 Alan, thanks for your advice, always in this mailing list I was
 willing to learn and to admit when I have to fix something. Mail from
 Tamás it looked somewhat sarcastic and had nothing to do with the main
 subject.


If you're still interested in getting full NAS-Identifier, you should
store accounting data in sql table. Even if you don't want to manage
separate sql server (e.g. mysql), you can use something like sqlite to
store the data. Needs some effort (e.g. the module is not built by
default), but should be doable.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html