Hi all, I have a radius-ldap setup for authenticating network devices.

I have a small doubt here. Is it possible to have different enable passwords for different huntgroups? E.g. I have 2 huntgroups: one for Cisco switches and one for Cisco routers, and I want to have different enable passwords for both. Currently I have only one entry for the enable password and that is common for all the Cisco devices.

On 9/10/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Send Freeradius-Users mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. RE: Freeradius+Active directory - router login authentication
> (Rakesh Jha)
> 2. Re: Freeradius doesn't detect EAP when authenticating against
> MySQL (Andrew Rowson)
> 3. RE : LOGs of eap-tls authentication (inelec communication)
> 4. Re: Freeradius doesn't detect EAP when authenticating against
> MySQL (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 10 Sep 2007 09:21:42 +0300
> From: "Rakesh Jha" <[EMAIL PROTECTED]>
> Subject: RE: Freeradius+Active directory - router login authentication
> To: "FreeRadius users mailing list" <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
> Alan,
>
> Please see the complete output of radiusd -X as following -
>
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/proxy.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/snmp.conf
> Config: including file: /usr/local/etc/raddb/eap.conf
> Config: including file: /usr/local/etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/usr/local/var/log/radius"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/usr/local/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/usr/local/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> pap: auto_header = yes
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = yes
> mschap: passwd = "(null)"
> mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-burgan_dom} --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "tls"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "(null)"
> tls: random_file = "/dev/urandom"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> tls: cipher_list = "(null)"
> tls: check_cert_issuer = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap_tls: Unable to open DH file - (null)
> rlm_eap: Failed to initialize type tls
> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1962] Unknown module "eap".
> radiusd.conf[1909] Failed to parse authenticate section.
>
> As you have written 'as are most "helpful" pages not on freeradius.org',
> can you please suggest some links which guide correctly to configure
> radius, openssl and active directory.
>
> Thanks a lot,
> Rakesh Jha
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Monday, September 10, 2007 8:35 AM
> To: FreeRadius users mailing list
> Subject: Re: Freeradius+Active directory - router login authentication
>
> Rakesh Jha wrote:
> ...
> > After following FreeRADIUS Tutorial for AD integration I am not able to
> > start radius daemon as it complains -
> >
> > radiusd.conf[10]: eap: Module instantiation failed.
> > radiusd.conf[1962] Unknown module "eap".
> > radiusd.conf[1909] Failed to parse authenticate section.
>
> I'm at a bit of a loss for why so many people are so insistent on
> removing all useful messages.
>
> Attention:
> Any non-official business related views, opinions and other information
> presented in this electronic mail are solely those of the sender/author.
> Burgan Bank does not endorse or accept responsibility for their opinions.
> If you are not the addressee indicated in this mail or responsible for
> delivering this message to the intended, you should delete this message
> and notify the sender immediately.
> -------------------------------------------------------
> Burgan Bank S.A.K
> www.burgan.com
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Sep 2007 08:47:09 +0100
> From: Andrew Rowson <[EMAIL PROTECTED]>
> Subject: Re: Freeradius doesn't detect EAP when authenticating against MySQL
> To: FreeRadius users mailing list <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="UTF-8"
>
>
>
> On Mon, 10 Sep 2007 07:31:04 +0200, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > Andrew Rowson wrote:
> >> Looking over it, it seems that a problem comes up with the MSCHAP bit:
> >>
> >> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> >> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> >> rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password
> >> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> >> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> >> modcall[authenticate]: module "mschap" returns reject for request 14
> >>
> >> This appears to imply that there's no User-Password entry found anywhere
> >> for the user in the database. This would be correct, as the attribute in
> >> the radcheck table is set to Cleartext-Password. Anything other than
> >> Cleartext-Password and freeradius doesn't attempt an auth-type of EAP,
> >> but Local instead, going back to my original problem.
> >
> > What does the database contain? Cleartext-Password == password,
> > or Cleartext-Password := password ?
> >
>
> The database contains Cleartext-Password == password. I've tried it with
> :=, but if I remember correctly that fails as well, with the Auth-type
> being set to local again. I'll see if I can get a log of that failure as
> well, if it'd be helpful?
>
> Andrew
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Sep 2007 10:23:19 +0200 (CEST)
> From: inelec communication <[EMAIL PROTECTED]>
> Subject: RE : LOGs of eap-tls authentication
> To: FreeRadius users mailing list <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> hello,
> running radius in debug mode doesn't give any log file, I mean it
> doesn't give logs in radiusd.log; if you give me your result when you
> have run radiusd -X -A perhaps I can help
>
> regards
>
>
> [EMAIL PROTECTED] wrote:
>
> Hi
> 1 I am using eap-tls authentication. My setup is working well with
> certificates. I am unable to get logs of user login ok or denied in
> the radius.log file
>
> [EMAIL PROTECTED] sbin]# radiusd -X -A
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /etc/raddb/proxy.conf
> Config: including file: /etc/raddb/clients.conf
> Config: including file: /etc/raddb/snmp.conf
> Config: including file: /etc/raddb/eap.conf
> Config: including file: /etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/usr/local/var/log/radius"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/usr/local/var/log/radius/radacct"
> main: hostname_lookups = no
> main: snmp = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = yes
> main: log_file = "/usr/local/var/log/radius/radius.log"
> main: log_auth = yes
> main: log_auth_badpass = yes
> main: log_auth_goodpass = yes
> main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "tls"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/etc/1x/07xwifi.pem"
> tls: certificate_file = "/etc/1x/07xwifi.pem"
> tls: CA_file = "/etc/1x/root.pem"
> tls: private_key_password = "password"
> tls: dh_file = "/etc/1x/DH"
> tls: random_file = "/etc/1x/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> tls: cipher_list = "(null)"
> tls: check_cert_issuer = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
> WARNING: Fix this by running the OpenSSL command listed in eap.conf
> rlm_eap: Loaded and initialized type tls
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups = "/etc/raddb/huntgroups"
> preprocess: hints = "/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> preprocess: with_alvarion_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = no
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = "/etc/raddb/users"
> files: acctusersfile = "/etc/raddb/acct_users"
> files: preproxy_usersfile = "/etc/raddb/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename = "/usr/local/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
>
> 2 I am using certificate-based authentication, so do I need to edit anything in the users file?
> Thanks and regards
> Anoop
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Sep 2007 11:15:58 +0200
> From: Alan DeKok <[EMAIL PROTECTED]>
> Subject: Re: Freeradius doesn't detect EAP when authenticating against MySQL
> To: [EMAIL PROTECTED], FreeRadius users mailing list <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Andrew Rowson wrote:
> > The database contains Cleartext-Password == password. I've tried it with
> > :=, but if I remember correctly that fails as well,
>
> Use := for Cleartext-Password.
>
> > with the Auth-type
> > being set to local again. I'll see if I can get a log of that failure as
> > well, if it'd be helpful?
>
> No.
>
> Upgrade to 1.1.7, I think it solves this problem.
>
> Alan DeKok.
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 29, Issue 25
> ************************************************
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
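As an added illustration of the setup asked about at the top of this message (editor's example, not from the thread or the FreeRADIUS project), this is how a per-huntgroup enable password is usually expressed with the huntgroups and users files. It assumes the preprocess module runs before files in the authorize section and that the Cisco devices send the enable request with User-Name "$enab15$" (privilege level 15); the NAS addresses and password values are constructed placeholders.

```text
# /etc/raddb/huntgroups  (addresses are constructed placeholders)
# A NAS is placed in a named group by its source address; a group may
# have several lines, one per device.
switches    NAS-IP-Address == 192.0.2.11
switches    NAS-IP-Address == 192.0.2.12
routers     NAS-IP-Address == 192.0.2.21

# /etc/raddb/users
# The Huntgroup-Name check item (evaluated by preprocess) selects the
# entry by device group, so each group carries its own enable password.
# The files module stops at the first matching entry.
$enab15$    Huntgroup-Name == "switches", Cleartext-Password := "SWITCH-ENABLE-PLACEHOLDER"

$enab15$    Huntgroup-Name == "routers", Cleartext-Password := "ROUTER-ENABLE-PLACEHOLDER"

# Any NAS that is in neither group is rejected instead of silently
# falling through to a shared password.
$enab15$    Auth-Type := Reject
```

The entries are tried in order, so the Reject fallback must stay last.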

