Hi all,
I have radius-ldap set up for authenticating network devices.
I have a small doubt here.
Is it possible to have different enable passwords for different huntgroups?
For e.g. I have 2 huntgroups, one for Cisco switches and one for Cisco routers, and I want to have different enable passwords for both.
Currently I have only one entry for the enable password and that is common for all the Cisco devices.
On 9/10/07, [EMAIL PROTECTED] wrote:
Today's Topics:
1. RE: Freeradius+Active directory - router login authentication (Rakesh Jha)
2. Re: Freeradius doesn't detect EAP when authenticating against MySQL (Andrew Rowson)
3. RE : LOGs of eap-tls authentication (inelec communication)
4. Re: Freeradius doesn't detect EAP when authenticating against MySQL (Alan DeKok)
----------------------------------------------------------------------
Message: 1
Date: Mon, 10 Sep 2007 09:21:42 +0300
From: "Rakesh Jha" <[EMAIL PROTECTED]>
Subject: RE: Freeradius+Active directory - router login authentication
To: "FreeRadius users mailing list" <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"
Alan,
Please see the complete output of radiusd -X below:
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-burgan_dom} --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "(null)"
tls: random_file = "/dev/urandom"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap_tls: Unable to open DH file - (null)
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1962] Unknown module "eap".
radiusd.conf[1909] Failed to parse authenticate section.
As you have written 'as are most "helpful" pages not on freeradius.org', can you please suggest some links that correctly describe how to configure radius, openssl and active directory?
Thanks a lot,
Rakesh Jha
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Monday, September 10, 2007 8:35 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius+Active directory - router login authentication
Rakesh Jha wrote:
...
> After following FreeRADIUS Tutorial for AD integration I am not able to
> start radius daemon as it complains -
>
> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1962] Unknown module "eap".
> radiusd.conf[1909] Failed to parse authenticate section.
I'm at a bit of a loss for why so many people are so insistent on
removing all useful messages.
------------------------------
Message: 2
Date: Mon, 10 Sep 2007 08:47:09 +0100
From: Andrew Rowson <[EMAIL PROTECTED]>
Subject: Re: Freeradius doesn't detect EAP when authenticating against MySQL
To: FreeRadius users mailing list <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"
On Mon, 10 Sep 2007 07:31:04 +0200, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Andrew Rowson wrote:
>> Looking over it, it seems that a problem comes up with the MSCHAP bit:
>>
>> rlm_mschap: No User-Password configured. Cannot create LM-Password.
>> rlm_mschap: No User-Password configured. Cannot create NT-Password.
>> rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password
>> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>> modcall[authenticate]: module "mschap" returns reject for request 14
>>
>> This appears to imply that there's no User-Password entry found anywhere for the user in the database. This would be correct, as the attribute in the radcheck table is set to Cleartext-Password. Anything other than Cleartext-Password and freeradius doesn't attempt an auth-type of EAP, but Local instead, going back to my original problem.
>
> What does the database contain? Cleartext-Password == password,
> or Cleartext-Password := password ?
>
The database contains Cleartext-Password == password. I've tried it with :=, but if I remember correctly that fails as well, with the Auth-type being set to local again. I'll see if I can get a log of that failure as well, if it'd be helpful?
Andrew
------------------------------
Message: 3
Date: Mon, 10 Sep 2007 10:23:19 +0200 (CEST)
From: inelec communication <[EMAIL PROTECTED]>
Subject: RE : LOGs of eap-tls authentication
To: FreeRadius users mailing list <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"
hello,
running radius in debug mode doesn't give any log file, I mean it doesn't write logs to radiusd.log; if you give me your result when you have run radiusd -X -A perhaps I can help
regards
[EMAIL PROTECTED] wrote:
Hi
1. I am using eap-tls authentication. My setup is working well with certificates. I am unable to get logs of user login ok or denied in the radius.log file.

[EMAIL PROTECTED] sbin]# radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/07xwifi.pem"
tls: certificate_file = "/etc/1x/07xwifi.pem"
tls: CA_file = "/etc/1x/root.pem"
tls: private_key_password = "password"
tls: dh_file = "/etc/1x/DH"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

2. I am using certificate based authentication so do I need to edit anything in the users file?
Thanks and regards
Anoop
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
------------------------------
Message: 4
Date: Mon, 10 Sep 2007 11:15:58 +0200
From: Alan DeKok <[EMAIL PROTECTED]>
Subject: Re: Freeradius doesn't detect EAP when authenticating against MySQL
To: [EMAIL PROTECTED], FreeRadius users mailing list <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1
Andrew Rowson wrote:
> The database contains Cleartext-Password == password. I've tried it with
> :=, but if I remember correctly that fails as well,
Use := for Cleartext-Password.
> with the Auth-type
> being set to local again. I'll see if I can get a log of that failure as
> well, if it'd be helpful?
No.
Upgrade to 1.1.7, I think it solves this problem.
Alan DeKok.
------------------------------
End of Freeradius-Users Digest, Vol 29, Issue 25
************************************************
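The per-huntgroup enable password asked about at the top of this thread, as an added example (not from the original post or from the FreeRADIUS project). It assumes the FreeRADIUS 1.1.x huntgroups and users file syntax, that the Cisco devices send the enable request with User-Name "$enab15$" (privilege level 15) and the enable password as the User-Password, and that "preprocess" runs before "files" in the authorize section; the NAS addresses and secrets are constructed placeholders. It also uses the := operator for Cleartext-Password that Alan recommends in message 4; the same rule applies to the op column of an SQL radcheck row.

```text
# /etc/raddb/huntgroups  (added example; NAS addresses are constructed placeholders)
# A huntgroup is named on several lines when it covers several devices.
cisco-switches  NAS-IP-Address == 192.0.2.10
cisco-switches  NAS-IP-Address == 192.0.2.11
cisco-routers   NAS-IP-Address == 192.0.2.20

# /etc/raddb/users  (added example)
# The first entry whose check items all match wins, so the huntgroup-specific
# entries come first and the catch-all last.  Huntgroup-Name is only usable as a
# check item here when the preprocess module has run before files in authorize.
$enab15$  Huntgroup-Name == "cisco-switches", Cleartext-Password := "switch-enable-secret"
$enab15$  Huntgroup-Name == "cisco-routers",  Cleartext-Password := "router-enable-secret"
$enab15$  Cleartext-Password := "default-enable-secret"

# Wrong operator, kept commented out for contrast: "==" compares the attribute
# against the incoming request, which carries no Cleartext-Password, so the
# known-good password is never set and pap/mschap reject the request with the
# "No User-Password configured" messages seen in message 2 of the digest.
#$enab15$  Cleartext-Password == "default-enable-secret"
```

Run radiusd -X while a device prompts for enable: the debug output shows which users entry matched (and the Huntgroup-Name the preprocess module attached), which is the quickest way to confirm that a switch picks up the switch entry and not the catch-all. Because the users file holds these secrets in cleartext, keep it readable only by the account radiusd runs as, and use a distinct secret per huntgroup so that a password recovered from one device class does not open the other.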