proxy help question

2003-10-24 Thread CW

Is it possible to have ONE radius server query TWO databases in the same
server for requests for different realms?

For example if I had two realms

dialup.someisp.net
adsl.someisp.net

and both realms came into the same radius server, and I had two mysql
databases with two different customer bases for two different services
(dialup and adsl).

Is it possible for me to instruct the radius server to query different
databases for different domains?


Cheers, Craig


Configuration for TTLS

2003-10-24 Thread silvio . arcangeli

Hi everybody,
with the last snapshot we finally succeeded in compiling the server and getting it correctly installed :-)
Now our issue is that the configuration is not delivered within the snapshot, and so we still have the one from the stable release... which does not feature TTLS.

What settings do we have to add to the configuration file for TTLS?

thank you again,

Silvio Arcangeli

Re: dialup_admin latest cvsup

2003-10-24 Thread Kostas Kalevras
On Wed, 22 Oct 2003, apellido jr., wilfredo p wrote:

 Good day Mr. Kalevras. statistics, user's statistics
 and online users doesnt show anything in latest
 dialup_admin cvsup. here's my config

Doesn't show anything meaning a blank page or no accounting data?

Make sure that you are using the new conf/accounting.attrs file



 -
 admin.conf
 -

 #
 # Main Configuration File
 #
 # it can be default or whatever language. Only greek are supported
 # from non latin alphabet languages
 # These attribute only apply for ldap not for sql
 #
 general_prefered_lang: en
 general_prefered_lang_name: English
 #
 # The charset which will be added as a meta tag in all pages
 #
 general_charset: iso-8859-1
 #
 # Uncomment this if normal attributes (not the ;lang-xx ones) in ldap
 # are utf8 encoded.
 #
 #general_decode_normal_attributes: yes
 #
 # The directory where dialupadmin is installed
 #
 general_base_dir: /usr/local/www/data/dialup_admin
 #
 # The base directory of the freeradius radius installation
 #
 general_radiusd_base_dir: /usr/local/freeradius-0.9.2
 general_domain: mactan.ph
 #
 # Set it to yes to use sessions and cache the various mappings
 # You can also set use_session = 1 in config.php3 to also cache
 # the admin.conf
 #
 #  IMPORTANT -- IMPORTANT -- IMPORTANT 
 #Remember to use the 'Clear Cache' page if you use sessions and do any changes
 #in any of the configuration files.
 #
 general_use_session: no
 #
 # This is used by the failed logins page. It states the default back time
 # in minutes.
 #
 general_most_recent_fl: 30

 #
 # Realm setup
 #
 # Set general_strip_realms to yes in order  to stip realms from usernames.
 # By default realms are not striped
 #general_strip_realms : yes
 #
 # The delimiter used  in realms. Default is @
 #
 #general_realm_delimiter: @
 #
 # The format of the realms. Can be either suffix (realm is after the username)
 # or prefix (realm is before the username). Default is suffix
 #
 #general_realm_format: suffix
 #

 #
 # Determines if the administrator will be able to change the user password through
 # the user edit page
 general_show_user_password: yes


 #general_ldap_attrmap: %{general_radiusd_base_dir}/etc/raddb/ldap.attrmap
 general_sql_attrmap: %{general_base_dir}/conf/sql.attrmap
 general_accounting_attrs_file: %{general_base_dir}/conf/accounting.attrs
 #general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap
 #
 # it can be either ldap or sql
 # This affects the user base not accounting. Accounting is always in sql
 #
 general_lib_type: sql
 #
 # Define which attributes will be visible in the user edit page
 #
 general_user_edit_attrs_file: %{general_base_dir}/conf/user_edit.attrs
 #
 # Used by the Accounting Report Generator
 #
 general_sql_attrs_file: %{general_base_dir}/conf/sql.attrs
 #
 # Set default values for various attributes
 #
 general_default_file: %{general_base_dir}/conf/default.vals
 #general_ld_library_path: /usr/local/snmpd/lib
 #
 # can be 'snmp' (for snmpfinger) or empty to query the radacct table without first
 # querying the nas
 # This is used by the online users page
 #
 general_finger_type: snmp
 general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
 general_radclient_bin: %{general_radiusd_base_dir}/bin/radclient
 #
 # this information is used from the server check page
 #
 general_test_account_login: cache
 general_test_account_password: cache
 #
 # These are used as default values for the user test page
 #
 general_radius_server: localhost
 general_radius_server_port: 1645
 #
 # can be either pap or chap
 #
 general_radius_server_auth_proto: pap
 #
 # sorry, single valued for now. Should become something like
 # password[server-name]: x
 #
 general_radius_server_secret: cyclades
 general_auth_request_file: %{general_base_dir}/conf/auth.request
 #
 # can be one of crypt,md5,clear
 #
 general_encryption_method: clear
 #
 # can be either asc (older dates first) or desc (recent dates first)
 # This is used in the user accounting and badusers pages
 #
 general_accounting_info_order: desc
 #
 # Use the totacct table in the user statistics page instead of the radacct
 # table. That will make the page run quicker. totacct should have data for
 # this to work :-)
 #
 general_stats_use_totacct: yes

 INCLUDE: %{general_base_dir}/conf/naslist.conf

 INCLUDE: %{general_base_dir}/conf/captions.conf

 #
 # The ldap server to connect to.
 # Both ldap_server and ldap_write_server can be a space-separated
 # list of ldap hostnames. In that case the library will try to connect
 # to the servers in the order that they appear. If the first host is down
 # ldap_connect will ask for the second ldap host and so on.
 #
 #ldap_server: ldap.%{general_domain}
 #
 # There are many cases where we have a small write master and
 # a lot of fast read only replicas. If that is the case uncomment
 # 

RE: FreeRADIUS with SNOM4S

2003-10-24 Thread Alan Litster
OK, thanks Alan. I'll point that out to them!

Regards,

Alan

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
 Sent: 23 October 2003 17:38
 To: [EMAIL PROTECTED]
 Subject: Re: FreeRADIUS with SNOM4S


 Alan Litster [EMAIL PROTECTED] wrote:
  0x   4500 009c 9242 4000 4011 d059 5190 9a52[EMAIL PROTECTED]@..YQ..R
  0x0010   5190 9a42 1789 0714 0088 4881 010d 007aQ..B..Hz

   The last '007a' is *supposed* to be the length of the RADIUS portion
 of the packet.

  0x0050   3033   03

   Including IP & UDP headers, the packet is only 0052 bytes long.  The
 RFCs say that such packets MUST be silently discarded.


   The client is broken.  It won't work with *any* RADIUS server.

   Alan DeKok.

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY

Tel 07000 701999
Fax 07000 701777
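Alan's diagnosis rests on the RFC 2865 rule that a datagram shorter than its own Length field is silently discarded, while octets beyond Length are ignored as padding. The following added example (mine; not code from the list or from FreeRADIUS) applies that rule and then walks the attribute TLVs with the same bounds discipline, on constructed packets: the Code/Identifier/Length values 01, 0d and 007a echo the dump above, everything else (the attributes, the 10.0.0.57 NAS address, the 50-octet truncation) is fabricated for the demonstration.

```python
"""RFC 2865 length validation for RADIUS datagrams, with bounded attribute parsing."""
import struct

# Code (1), Identifier (1), Length (2), Authenticator (16): the fixed 20-byte header.
RADIUS_HDR = struct.Struct("!BBH16s")
MIN_LEN, MAX_LEN = 20, 4096  # RFC 2865 section 3: valid range of the Length field


def check_radius_length(datagram: bytes):
    """Return (ok, reason) after applying the RFC 2865 Length rules.

    A datagram shorter than its Length field is silently discarded by a
    conforming server; octets beyond Length are padding and are ignored.
    """
    if len(datagram) < MIN_LEN:
        return False, "datagram shorter than the 20-byte RADIUS header"
    _code, _ident, length, _auth = RADIUS_HDR.unpack_from(datagram, 0)
    if length < MIN_LEN or length > MAX_LEN:
        return False, f"Length field {length} outside [{MIN_LEN}, {MAX_LEN}]"
    if length > len(datagram):
        return False, f"Length field {length} exceeds datagram size {len(datagram)}"
    return True, "ok"


def parse_attributes(datagram: bytes):
    """Return [(type, value), ...] for a datagram that passes the length check.

    Each attribute's own Length octet is checked against the packet Length
    before its value is sliced, so a malformed TLV cannot read past the packet.
    """
    ok, reason = check_radius_length(datagram)
    if not ok:
        raise ValueError(reason)
    length = RADIUS_HDR.unpack_from(datagram, 0)[2]
    attrs, pos = [], MIN_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} length {alen} overruns packet at offset {pos}")
        attrs.append((atype, datagram[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs):
    """Serialise a RADIUS packet from (type, value) pairs; used to build sample input."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    return RADIUS_HDR.pack(code, ident, MIN_LEN + len(body), authenticator) + body


# Constructed sample packets (not taken from the dump in the thread).
# A 58-byte Access-Request: User-Name(1), NAS-IP-Address(4), NAS-Port(5).
SAMPLE_OK = build_packet(1, 0x0D, bytes(16), [
    (1, b"craig@dialup.someisp.net"),
    (4, bytes([10, 0, 0, 57])),
    (5, struct.pack("!I", 37)),
])
# Same header but Length rewritten to 122 (0x007a) while only 50 octets are sent:
# the shape of the broken client's packet described above.
SAMPLE_SHORT = SAMPLE_OK[:2] + struct.pack("!H", 122) + SAMPLE_OK[4:50]
# Valid packet followed by 8 octets of padding beyond Length: must be accepted.
SAMPLE_PADDED = SAMPLE_OK + bytes(8)
# Packet Length is right, but the first attribute claims 200 octets.
SAMPLE_BAD_ATTR = RADIUS_HDR.pack(1, 0x0D, 58, bytes(16)) + bytes([1, 200]) + b"x" * 36


def triage(datagram: bytes) -> str:
    """One-line verdict a server would reach for a datagram."""
    ok, reason = check_radius_length(datagram)
    if not ok:
        return "discard: " + reason
    try:
        return "accept: %d attribute(s)" % len(parse_attributes(datagram))
    except ValueError as exc:
        return "discard: " + str(exc)


if __name__ == "__main__":
    for name, pkt in [("ok", SAMPLE_OK), ("short", SAMPLE_SHORT),
                      ("padded", SAMPLE_PADDED), ("bad_attr", SAMPLE_BAD_ATTR)]:
        print(f"{name:9s} {len(pkt):3d} bytes -> {triage(pkt)}")
```

Run it and the truncated packet is reported as a discard before any attribute is touched; the padded one is accepted with its three attributes; the packet whose first attribute claims 200 octets fails inside parse_attributes rather than reading off the end of the buffer. That second check matters as much as the first: a correct outer Length does not vouch for the inner TLVs.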



Re: proxy help question

2003-10-24 Thread Dustin Doris


On Fri, 24 Oct 2003, CW wrote:

 Is it possible to have ONE radius server query TWO databases in the same
 server for requests for different realms?

 For example if I had two realms


 dialup.someisp.net
 adsl.someisp.net

 and both realms came into the same radius server, and I had two mysql
 databases with two different customer bases for two differnt services.
 (dialup and adsl)

 Is it possible for me to instruct the radius server to query different
 databases for different domains?


 Cheers,
 Craig


Sure thing, just check out doc/Autz-Type
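Dustin's pointer, worked out as an added example (mine, not from doc/Autz-Type or from Craig's setup): two rlm_sql instances, each pointing at one customer database, selected by the realm that rlm_realm finds on the User-Name. The Autz-Type names Dialup/Adsl, the database names, the login and password placeholders and the users-file lines are my assumptions; the sql instances are abbreviated to their connection keys, and each still needs the full query set from the stock sql.conf.

```text
# radiusd.conf, modules section: one rlm_sql instance per customer base.
modules {
    sql sql_dialup {
        driver    = "rlm_sql_mysql"
        server    = "localhost"
        login     = "radius"
        password  = "change-me"        # placeholder
        radius_db = "radius_dialup"    # assumed database name
        # ... query definitions copied from the stock sql.conf ...
    }
    sql sql_adsl {
        driver    = "rlm_sql_mysql"
        server    = "localhost"
        login     = "radius"
        password  = "change-me"        # placeholder
        radius_db = "radius_adsl"      # assumed database name
        # ... query definitions copied from the stock sql.conf ...
    }
}

# proxy.conf: both realms are handled locally (nothing is proxied), and the
# suffix is stripped so the SQL lookup sees the bare username.
realm dialup.someisp.net {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}
realm adsl.someisp.net {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

# users: choose the Autz-Type from the Realm attribute that the "suffix"
# instance of rlm_realm added. A request carrying neither realm is rejected
# instead of silently falling through to a default database.
DEFAULT Realm == "dialup.someisp.net", Autz-Type := Dialup
DEFAULT Realm == "adsl.someisp.net",   Autz-Type := Adsl
DEFAULT Auth-Type := Reject

# radiusd.conf, authorize section: only the matching sql instance runs.
authorize {
    preprocess
    suffix
    files
    Autz-Type Dialup {
        sql_dialup
    }
    Autz-Type Adsl {
        sql_adsl
    }
}
```

Because the three DEFAULT entries are checked in order and the first match stops processing, the reject line is reached only when no realm matched; it is what keeps a user from an unknown realm out of both tables. The two SQL passwords live in radiusd.conf in clear, which is one more reason that file (and any copy posted to a list) should not be world-readable.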





Re: loging problems after logrotate

2003-10-24 Thread Nick Davis
Well there are a couple of things.

1. After logrotate completes you need to restart radiusd so it will use the 
new log file.

2. If you search the freeradius list archives there are several instructions 
to make radius log to a different file every day/week/month etc. You just 
modify this line to make that happen:

  detailfile = ${radacctdir}/%{Client-IP-Address}/detail

Nick

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




opie

2003-10-24 Thread Christoph Hubmann



hello all
we want to set up a freeradius server to 
authenticate remote users with the opie 2.4 system.

please send me an example of how to set it up on a linux redhat 9 
system.

christoph



Re: loging problems after logrotate

2003-10-24 Thread Adam Jendrosek
Nick Davis wrote:
Well there are a couple of things.

1. After logrotate completes you need to restart radiusd so it will use the 
new log file.
Yes that's right, but freeradius doesn't create a new log file.

regards,
Adam


RE: loging problems after logrotate

2003-10-24 Thread Brian Johnson
You probably have a permissions issue on your logging directory.

Did you have to manually create the log file to get it to log the first
time?

- Brian J.
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Adam Jendrosek
 Sent: Friday, October 24, 2003 8:28 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: loging problems after logrotate
 
 Nick Davis wrote:
  Well there are a couple of things.
  
  1. After logrotate completes you need to restart radiusd so 
 it will use the 
  new log file.
 
 Yes that's right, but freeradius doesn't create a new log file.
 
 regards,
 Adam
 
 
 




Re: Configuration for TTLS

2003-10-24 Thread Michael Griego
 What settings do we have to add to the configuration file for TTLS?

If you want to reset the configuration to the distribution default, make
sure you remove the /prefix/etc/raddb/radiusd.conf file before running
make install.  Otherwise, the install script will detect that you
already have a configuration file and not overwrite it with a new one.

-- 
 --Mike


Michael Griego
Wireless Network Administrator
University of Texas at Dallas





Re: loging problems after logrotate

2003-10-24 Thread Adam Jendrosek
Brian Johnson wrote:
You prolly have a permissions issue on your logging directory.

Yes.

Did you have to manually create the log file to get it to log the first
time?
Before I used logrotate the detail file was still logging fine.

regards,
Adam
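The two failure modes in this thread, a log file radiusd no longer writes after rotation and a replacement file the daemon cannot open, can both be sidestepped with the following added example (mine, not from the list): a logrotate stanza for radius.log that truncates in place instead of renaming, and a date-stamped detail file so accounting detail is never rotated under the daemon at all. Paths assume logdir = /var/log/radius and a daemon running as user and group radius, as in the radiusd.conf fragments posted on this list.

```text
# /etc/logrotate.d/radiusd  (added example)
# Only the main log is rotated. Truncating in place keeps radiusd's open
# descriptor valid and leaves the file's owner and mode untouched, so the
# daemon never has to re-open or re-create it. Do not add "create" here:
# logrotate ignores "create" when copytruncate is set.
/var/log/radius/radius.log {
    weekly
    rotate 8
    missingok
    notifempty
    compress
    delaycompress
    copytruncate
}

# radiusd.conf, detail module: Nick's line with a date suffix.
# rlm_detail opens the file for each request, so at midnight it simply
# starts a new file with detailperm; yesterday's file is never renamed or
# truncated under the daemon and can be archived by a separate job.
detail {
    detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
    detailperm = 0600
}
```

Check that the archive job runs as the radius user or only reads the 0600 files through root; a job that chowns them back to root is how the permission problem described above reappears.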


Re: Problem with huntgroups

2003-10-24 Thread Marian Rychteck




Hi Alan,
 I solved my problem: I don't know why, but when I build an RPM, radius
doesn't start (due to the error with huntgroups), but when I install from
the tgz (with compilation and installation) everything works fine!

Thanks, bye Marian


Alan DeKok wrote:

  Marian Rychtecky [EMAIL PROTECTED] wrote:

  i have some problem with starting FRS (free-radius-server)

   FRS?  Why are you inventing new acronyms that no one else uses?

  rlm_preprocess: Error reading /etc/raddb/huntgroups
  radiusd.conf[877]: preprocess: Module instantiation failed.

   Rights of /etc/raddb/huntgroups:
  -rw-r--r-- 1 root root 1863 Oct 18 22:08 huntgroups

  Nothing was changed (the content of huntgroups after installation is "#" 
  comments with no configuration), still I run "raddb -xx"!

   Are you *sure*?  I strongly doubt that.

   The huntgroup file which ships with the server works with the
  server.  If it doesn't work for you, then you've modified it.

  On the Internet I found (as content of huntgroups):

  "DEFAULT NAS-IP-Address = 11.10.10.11, Rewrite-Function = "max_fixup"
  NULL"

  ...but this does not work either (same error).

   That's a file from GNU Radiusd, which isn't compatible with FreeRADIUS.

   Alan DeKok.


-- 
Marian Rychteck
[EMAIL PROTECTED]
+420 603 373 396
Na Pin 281
405 05 Dn, Czech Republic
http://www.mari.cz


Orinoco AP2000

2003-10-24 Thread Marian Rychteck




Hi!
 I'm trying to authorize MAC addresses on an AP2000 (Orinoco) access point.
Everything works fine, but when I restart my access point, all users are
unauthorised until the client is restarted. I think this bug is in the
firmware of the AP. 
Does anybody have the same problem?

Thanks, Marian



LDAP, LEAP and sha-encrypted passwords

2003-10-24 Thread [EMAIL PROTECTED]
Hi All,

I am trying to setup freeradius in such a way that a client pc can authenticate with 
LEAP via a CISCO aironet AP 1200 using an account in LDAP.

I have got so far that my freeradius adds my password (the header {SHA} is removed 
successfully) to the check items, but when doing the get values, it inserts only 
{ as the password. Due to this, I get an incorrect NtChallengeResponse from the AP.

I have been reading all the related topics in the mail archive but I cannot find the 
solution.

I would like to know:

1) is it possible to use ldap sha-encrypted passwords for leap authentication?

2) if this is possible, how can I make rlm_ldap get the correct password when doing 
the get values?




***DEBUG INFO***

ldap_get_values
rlm_ldap: Added password eIBF4griEW456Ds+hv4x5CaI= in check items
rlm_ldap: looking for check items in directory...
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
rlm_ldap: Adding userPassword as userPassword, value {  op=21
ldap_get_values
rlm_ldap: looking for reply items in directory...
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
rlm_ldap: user username authorized to use remote access
ldap_msgfree
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 5
  rlm_eap: EAP packet type notification id 6 length 40
  rlm_eap: EAP Start not found
  modcall[authorize]: module eap returns updated for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 5
  rlm_eap: EAP packet type notification id 6 length 40
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - leap
  rlm_eap: processing type leap
  rlm_eap_leap: Stage 4
  rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP
  modcall[authenticate]: module eap returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Login incorrect: [username/no User-Password attribute] (from client accesspoint port 
37 cli 000e6824e6c3)


***DEBUG INFO***


Thanks in advance




experimental

2003-10-24 Thread Ron Wahler

Is there a list on the website for each build that specifies which
features/modules are Experimental and need to be configured with
--with-experimental-modules ?

Thanks,
Ron.



Re: opie

2003-10-24 Thread Alan DeKok
Christoph Hubmann [EMAIL PROTECTED] wrote:
 we want to setup a freeradius server to authenticate remote users with
 the opie 2.4 system.

  That's nice.

 please send me example to setup on a linux redhat 9 system.

  Why?

  Alan DeKok.



Re: PAP authentication with LDAP

2003-10-24 Thread Alan DeKok
Lai Fu Keung [EMAIL PROTECTED] wrote:
 We are heading to have Single Sign On for all services. Having a 
 plain text password on a machine is considered insecure and loss of 
 privacy.

  Nonsense.

  Alan DeKok.



ldap inside ttls

2003-10-24 Thread Rick Whitley
Is it possible to have ldap authentication within ttls?


rick...
Rom.5:8



Re: LDAP, LEAP and sha-encrypted passwords

2003-10-24 Thread Alan DeKok
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 I have been reading all the related topics in the mail archive but I
 cannot find the solution.
 
 I would like to know:

 1) is it possible to use ldap sha-encrypted passwords for leap authentication?

  Read 'radiusd.conf', and the configuration section for the 'leap'
module.  It has comments which directly address your question.  What
part of those comments are unclear?

  Alan DeKok.



RE: ldap inside ttls

2003-10-24 Thread Ron Wahler
Yes it is.

Ron.

 -Original Message-
 From: Rick Whitley [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 24, 2003 8:32 AM
 To: 
 Subject: ldap inside ttls
 
 Is it possible to have ldap authentication within ttls?
 
 
 rick...
 Rom.5:8
 



RE: LDAP, LEAP and sha-encrypted passwords

2003-10-24 Thread Woods, Bryan
Johan,

LEAP does not work with SHA passwords.  It requires either clear-text or
NT-style (MD4) passwords.

from the default radiusd.conf

  # Cisco LEAP
  #
  #  Cisco LEAP uses the MS-CHAP algorithm (but not
  #  the MS-CHAP attributes) to perform its authentication.
  #
  #  As a result, LEAP *requires* access to the plain-text
  #  User-Password, or the NT-Password attributes.
  #  'System' authentication is impossible with LEAP.
  #


Hope this helps.

Bryan



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Friday, October 24, 2003 7:19 AM
 To: [EMAIL PROTECTED]
 Subject: LDAP, LEAP and sha-encrypted passwords
 


Issue regarding radius logs dialup admin

2003-10-24 Thread m0bius

Greetings,

I have just replaced my old radius server with FreeRadius & dialup
admin. The authorization works perfectly and everyone can log in, but
I can't see any statistics about the persons that are logged in.
The Statistics page of the dialup admin returns the correct number of
sessions but no information regarding the total usage time and the
downloads. The Failed logins page is working as it should. The
accounting page only returns information about failed logins, while the
page for each user does not return any statistics apart from the failed
connection attempts. (For example it returns that the user has never
logged in even though he is currently online.) Same for User Statistics,
which returns nothing.

The radiusd.conf contains the following:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid


user = radius
group = radius

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0

hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes

log_stripped_names = no
log_auth = yes

log_auth_badpass = yes
log_auth_goodpass = yes

usercollide = no
lower_user = no
lower_pass = no

nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

$INCLUDE  ${confdir}/clients.conf

snmp = yes
$INCLUDE  ${confdir}/snmp.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    pap {
        encryption_scheme = clear
    }

    chap {
        authtype = CHAP
    }

    pam {
        pam_auth = radiusd
    }

    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }

    eap {
        default_eap_type = md5
        timer_expire = 60
        md5 {
        }
        leap {
        }
    }

    mschap {
        authtype = MS-CHAP
    }

    ldap {
        server = ldap.your.domain
        basedn = o=My Org,c=UA
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        access_attr = dialupAccess
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

    realm realmslash {
        format = prefix
        delimiter = /
    }

    realm suffix {
        format = suffix
        delimiter = @
    }

    realm realmpercent {
        format = suffix
        delimiter = %
    }

    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints

        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }

    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }

    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }

    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        detailperm = 0600
    }

    detail reply_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
        detailperm = 0600
    }

    acct_unique {
        key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
    }


    $INCLUDE  ${confdir}/sql.conf

    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = yes
    }

    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = no
    }

    attr_filter {
        attrsfile = ${confdir}/attrs
    }

    counter daily {
        filename = ${raddbdir}/db.daily
        key 

PEAP TLS ... FreeRadius not starting

2003-10-24 Thread vlad
 2003 : Debug:  security: status_server = no
Fri Oct 24 16:41:45 2003 : Debug:  main: debug_level = 0
Fri Oct 24 16:41:45 2003 : Debug: read_config_files:  reading dictionary
Fri Oct 24 16:41:45 2003 : Debug: read_config_files:  reading naslist
Fri Oct 24 16:41:45 2003 : Info: Using deprecated naslist file.  Support for this will go away soon.
Fri Oct 24 16:41:45 2003 : Debug: read_config_files:  reading clients
Fri Oct 24 16:41:45 2003 : Info: Using deprecated clients file.  Support for this will go away soon.
Fri Oct 24 16:41:45 2003 : Debug: read_config_files:  reading realms
Fri Oct 24 16:41:45 2003 : Info: Using deprecated realms file.  Support for this will go away soon.
Fri Oct 24 16:41:45 2003 : Debug: radiusd:  entering modules setup
Fri Oct 24 16:41:45 2003 : Debug: Module: Library search path is /usr/local/freeradius_cvs/lib
Fri Oct 24 16:41:45 2003 : Debug: Module: Loaded expr
Fri Oct 24 16:41:45 2003 : Debug: Module: Instantiated expr (expr)
Fri Oct 24 16:41:45 2003 : Debug: Module: Loaded PAP
Fri Oct 24 16:41:45 2003 : Debug:  pap: encryption_scheme = crypt
Fri Oct 24 16:41:45 2003 : Debug: Module: Instantiated pap (pap)
Fri Oct 24 16:41:45 2003 : Debug: Module: Loaded CHAP
Fri Oct 24 16:41:45 2003 : Debug: Module: Instantiated chap (chap)
Fri Oct 24 16:41:45 2003 : Debug: Module: Loaded MS-CHAP
Fri Oct 24 16:41:45 2003 : Debug:  mschap: use_mppe = yes
Fri Oct 24 16:41:45 2003 : Debug:  mschap: require_encryption = no
Fri Oct 24 16:41:45 2003 : Debug:  mschap: require_strong = no
Fri Oct 24 16:41:45 2003 : Debug:  mschap: passwd = (null)
Fri Oct 24 16:41:45 2003 : Debug:  mschap: authtype = MS-CHAP
Fri Oct 24 16:41:45 2003 : Debug: Module: Instantiated mschap (mschap)
Fri Oct 24 16:41:45 2003 : Debug: Module: Loaded System
Fri Oct 24 16:41:45 2003 : Debug:  unix: cache = no
Fri Oct 24 16:41:45 2003 : Debug:  unix: passwd = (null)
Fri Oct 24 16:41:45 2003 : Debug:  unix: shadow = (null)
Fri Oct 24 16:41:45 2003 : Debug:  unix: group = (null)
Fri Oct 24 16:41:45 2003 : Debug:  unix: radwtmp = /usr/local/freeradius_cvs/var/log/radius/radwtmp
Fri Oct 24 16:41:45 2003 : Debug:  unix: usegroup = no
Fri Oct 24 16:41:45 2003 : Debug:  unix: cache_reload = 600
Fri Oct 24 16:41:45 2003 : Debug: Module: Instantiated unix (unix)
Fri Oct 24 16:41:45 2003 : Debug: Module: Loaded eap
Fri Oct 24 16:41:45 2003 : Debug:  eap: default_eap_type = ttls
Fri Oct 24 16:41:45 2003 : Debug:  eap: timer_expire = 60
Fri Oct 24 16:41:45 2003 : Debug:  eap: ignore_unknown_eap_types = no
Fri Oct 24 16:41:45 2003 : Debug:  tls: rsa_key_exchange = no
Fri Oct 24 16:41:45 2003 : Debug:  tls: dh_key_exchange = yes
Fri Oct 24 16:41:45 2003 : Debug:  tls: rsa_key_length = 512
Fri Oct 24 16:41:45 2003 : Debug:  tls: dh_key_length = 512
Fri Oct 24 16:41:45 2003 : Debug:  tls: verify_depth = 0
Fri Oct 24 16:41:45 2003 : Debug:  tls: CA_path = (null)
Fri Oct 24 16:41:45 2003 : Debug:  tls: pem_file_type = yes
Fri Oct 24 16:41:45 2003 : Debug:  tls: private_key_file = /root/freeradius_cvs/client.key
Fri Oct 24 16:41:45 2003 : Debug:  tls: certificate_file = /root/freeradius_cvs/client.crt
Fri Oct 24 16:41:45 2003 : Debug:  tls: CA_file = /root/freeradius_cvs/Radius.crt
Fri Oct 24 16:41:45 2003 : Debug:  tls: private_key_password = test
Fri Oct 24 16:41:45 2003 : Debug:  tls: dh_file = /root/shit
Fri Oct 24 16:41:45 2003 : Debug:  tls: random_file = /dev/random
Fri Oct 24 16:41:45 2003 : Debug:  tls: fragment_size = 1024
Fri Oct 24 16:41:45 2003 : Debug:  tls: include_length = yes
Fri Oct 24 16:41:45 2003 : Debug:  tls: check_crl = no

FreeRadius doesn't come up. It stops right there. No port allocated. No
message like "Ready to serve". I'm using the CVS snapshot 
freeradius-snapshot-20031024.tar.gz

I suppose it has something to do with the TLS module.

Does anybody know what I'm doing wrong?

Thanks,

Martin


Re: PEAP TLS ... FreeRadius not starting

2003-10-24 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
I am trying to set up FreeRadius with PEAP. However FreeRadius is not
starting. I already configured LEAP some time ago and it worked fine. I
cannot find where I made a failure:

  It looks like you've drastically hacked your radiusd.conf file:

  eap {
          default_eap_type = ttls
          timer_expire = 60
          ignore_unknown_eap_types = no
          #md5 {
          #}

  Ok, so you don't want EAP-MD5.

          ttls {
                  default_eap_type = md5

  Oh, you *do* want EAP-MD5.

          mschapv2 {
          }

  mschap {
          authtype = MS-CHAP
  }

  Uh... one is an EAP sub-type, and the other is a module on its own.


  Stop playing games with such drastic edits to 'radiusd.conf'.  You
don't understand what you're doing, and you're breaking it.  Start off
with the 'radiusd.conf' shipped with the server.  It works.  Edit it
slowly and a small piece at a time, running 'radiusd' each time to
ensure you haven't broken anything.

  Alan DeKok.




RE: Peap Testing problem

2003-10-24 Thread Ron Wahler

With the 10/24 snapshot TTLS and PEAP are not working. I can't even
get as far in the eap protocol as I did with the 10/22 snapshot.

Ron.



rad_recv: Access-Request packet from host 10.0.0.57:1119, id=81,
length=180
User-Name = [EMAIL PROTECTED]
Cisco-AVPair = ssid=mariner
NAS-IP-Address = 10.0.0.57
Called-Station-Id = 00409652e844
Calling-Station-Id = 00022d602022
NAS-Identifier = mariner
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x0207001c01616e6f6e796d6f757340524f56494e475f504c414e4554
Message-Authenticator = 0x1f6a20e0280cae97dec90a58e02626ff
Fri Oct 24 07:37:00 2003 : Debug: modcall: entering group authorize for
request 2
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modcall[authorize]: module
preprocess returns ok for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: returned from
chap (rlm_chap) for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modcall[authorize]: module chap
returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modcall[authorize]: module mschap
returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: calling suffix
(rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: Looking up realm
ROVING_PLANET for User-Name = [EMAIL PROTECTED]
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No such realm
ROVING_PLANET
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: returned from
suffix (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modcall[authorize]: module suffix
returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: calling
realmslash (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No '/' in User-Name =
[EMAIL PROTECTED], looking up realm NULL
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No such realm NULL
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: returned from
realmslash (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modcall[authorize]: module
realmslash returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: calling
backslash (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No '\' in User-Name =
[EMAIL PROTECTED], looking up realm NULL
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No such realm NULL
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: returned from
backslash (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modcall[authorize]: module
backslash returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: calling
realmpercent (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No '%' in User-Name =
[EMAIL PROTECTED], looking up realm NULL
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No such realm NULL
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: returned from
realmpercent (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modcall[authorize]: module
realmpercent returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: calling files
(rlm_files) for request 2
Fri Oct 24 07:37:00 2003 : Debug: users: Matched DEFAULT at 10
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: returned from
files (rlm_files) for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modcall[authorize]: module files
returns ok for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 2
Fri Oct 24 07:37:00 2003 : Debug:   rlm_eap: EAP packet type response id
7 length 28
Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: returned from
eap (rlm_eap) for request 2
Fri Oct 24 07:37:00 2003 : Debug:   modcall[authorize]: module eap
returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug: modcall: group authorize returns ok
for request 2
Fri Oct 24 07:37:00 2003 : Debug: Finished request 2
Fri Oct 24 07:37:00 2003 : Debug: Going to the next request
Fri Oct 24 07:37:00 2003 : Debug: --- Walking the entire request list
---
Fri Oct 24 07:37:00 2003 : Debug: Waking up in 6 seconds...
Fri Oct 24 07:37:06 2003 : Debug: --- Walking the entire request list
---
Fri Oct 24 07:37:06 2003 : Debug: Cleaning up request 2 ID 81 with
timestamp 3f992afc
Fri Oct 24 07:37:06 2003 : Debug: Nothing to do.  Sleeping until we see
a request.



Re: Peap Testing problem

2003-10-24 Thread Alan DeKok
Ron Wahler [EMAIL PROTECTED] wrote:
 With the 10/24 snapshot TTLS and PEAP are not working. I can't even
 get as far in the EAP protocol as I did with the 10/22 snapshot.
...
 Fri Oct 24 07:37:00 2003 : Debug:   rlm_eap: EAP packet type response id
 7 length 28
 Fri Oct 24 07:37:00 2003 : Debug:   modsingle[authorize]: returned from
 eap (rlm_eap) for request 2
 Fri Oct 24 07:37:00 2003 : Debug:   modcall[authorize]: module eap
 returns noop for request 2

  It looks to me like the request was somehow marked to be proxied, so
the EAP module is ignoring it.

  Alan DeKok.



Re: PEAP TLS ... FreeRadius not starting

2003-10-24 Thread vlad
I didn't change so much at all I think...
However I changed back to the radiusd.conf from the installation.
I changed the following lines:

# diff radiusd.conf.orig radiusd.conf

615c615
   default_eap_type = md5
---
   default_eap_type = ttls

660c660,665
   #tls {
---
   tls {

 private_key_password = test
   private_key_file = /root/freeradius_cvs/client.key
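Review bot: the key enabled in this hunk is named client.key and sits under /root; the tls section is the server's own TLS identity for PEAP/TTLS, so it should point at the key belonging to a server certificate, and the file should be readable only by the account radiusd runs as (the debug output later in this message shows `user = (null)`, i.e. root). Keeping `private_key_password = test` in radiusd.conf is fine only if the config file has equally tight permissions.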



668a674,675
   certificate_file = /root/freeradius_cvs/client.crt
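Review bot: `certificate_file = /root/freeradius_cvs/client.crt` pairs a client certificate with the key in the previous hunk; for EAP-TLS/PEAP the server presents a server certificate (the one the supplicant verifies), and the CA that issued it belongs in CA_file. The reply to this message in the thread points at scripts/CA.all, which produces a matching CA/server/client set.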


671c678,680
   #   CA_file = /path/filename
---
   #CA_file = /path/filename
   CA_file = /root/freeradius_cvs/Radius.crt
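Review bot: `CA_file` must be the CA certificate (or chain) used to verify the peer's certificate, not the server's own certificate; a file named Radius.crt next to client.crt is ambiguous, so confirm with `openssl x509 -in Radius.crt -noout -subject -issuer` that subject and issuer match (a self-signed CA) and that the same CA issued the server and client certificates.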


674a684,685
   random_file = /dev/random
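Review bot: `random_file = /dev/random` blocks when the kernel entropy pool is low, which on a quiet server can stall startup or the first TLS handshake; /dev/urandom does not block.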


707c718
   #}
---
   }

715c726
   #ttls {
---
   ttls {

754c765
   #}
---
   }

Still the same result (see below).
Could it be that there is something wrong with my certificates? I used
standard OpenSSL certs. Where can I find more information on what exactly
freeradius wants for private_key_file, certificate_file, CA_file, dh_file
(especially CA_file)?

Any help appreciated.

Martin



Fri Oct 24 17:50:37 2003 : Info: Starting - reading configuration files ...
Fri Oct 24 17:50:37 2003 : Debug: reread_config:  reading radiusd.conf
Fri Oct 24 17:50:37 2003 : Debug: Config:   including file: /usr/local/freeradius_cvs/etc/raddb/proxy.conf
Fri Oct 24 17:50:37 2003 : Debug: Config:   including file: /usr/local/freeradius_cvs/etc/raddb/clients.conf
Fri Oct 24 17:50:37 2003 : Debug: Config:   including file: /usr/local/freeradius_cvs/etc/raddb/snmp.conf
Fri Oct 24 17:50:37 2003 : Debug: Config:   including file: /usr/local/freeradius_cvs/etc/raddb/sql.conf
Fri Oct 24 17:50:37 2003 : Debug:  main: prefix = /usr/local/freeradius_cvs
Fri Oct 24 17:50:37 2003 : Debug:  main: localstatedir = /usr/local/freeradius_cvs/var
Fri Oct 24 17:50:37 2003 : Debug:  main: logdir = /usr/local/freeradius_cvs/var/log/radius
Fri Oct 24 17:50:37 2003 : Debug:  main: libdir = /usr/local/freeradius_cvs/lib
Fri Oct 24 17:50:37 2003 : Debug:  main: radacctdir = /usr/local/freeradius_cvs/var/log/radius/radacct
Fri Oct 24 17:50:37 2003 : Debug:  main: hostname_lookups = no
Fri Oct 24 17:50:37 2003 : Debug:  main: max_request_time = 30
Fri Oct 24 17:50:37 2003 : Debug:  main: cleanup_delay = 5
Fri Oct 24 17:50:37 2003 : Debug:  main: max_requests = 1024
Fri Oct 24 17:50:37 2003 : Debug:  main: delete_blocked_requests = 0
Fri Oct 24 17:50:37 2003 : Debug:  main: port = 0
Fri Oct 24 17:50:37 2003 : Debug:  main: allow_core_dumps = no
Fri Oct 24 17:50:37 2003 : Debug:  main: log_stripped_names = no
Fri Oct 24 17:50:37 2003 : Debug:  main: log_file = /usr/local/freeradius_cvs/var/log/radius/radius.log
Fri Oct 24 17:50:37 2003 : Debug:  main: log_auth = no
Fri Oct 24 17:50:37 2003 : Debug:  main: log_auth_badpass = no
Fri Oct 24 17:50:37 2003 : Debug:  main: log_auth_goodpass = no
Fri Oct 24 17:50:37 2003 : Debug:  main: pidfile = /usr/local/freeradius_cvs/var/run/radiusd/radiusd.pid
Fri Oct 24 17:50:37 2003 : Debug:  main: user = (null)
Fri Oct 24 17:50:37 2003 : Debug:  main: group = (null)
Fri Oct 24 17:50:37 2003 : Debug:  main: usercollide = no
Fri Oct 24 17:50:37 2003 : Debug:  main: lower_user = no
Fri Oct 24 17:50:37 2003 : Debug:  main: lower_pass = no
Fri Oct 24 17:50:37 2003 : Debug:  main: nospace_user = no
Fri Oct 24 17:50:37 2003 : Debug:  main: nospace_pass = no
Fri Oct 24 17:50:37 2003 : Debug:  main: checkrad = /usr/local/freeradius_cvs/sbin/checkrad
Fri Oct 24 17:50:37 2003 : Debug:  main: proxy_requests = yes
Fri Oct 24 17:50:37 2003 : Debug:  proxy: retry_delay = 5
Fri Oct 24 17:50:37 2003 : Debug:  proxy: retry_count = 3
Fri Oct 24 17:50:37 2003 : Debug:  proxy: synchronous = no
Fri Oct 24 17:50:37 2003 : Debug:  proxy: default_fallback = yes
Fri Oct 24 17:50:37 2003 : Debug:  proxy: dead_time = 120
Fri Oct 24 17:50:37 2003 : Debug:  proxy: post_proxy_authorize = yes
Fri Oct 24 17:50:37 2003 : Debug:  proxy: wake_all_if_all_dead = no
Fri Oct 24 17:50:37 2003 : Debug:  security: max_attributes = 200
Fri Oct 24 17:50:37 2003 : Debug:  security: reject_delay = 1
Fri Oct 24 17:50:37 2003 : Debug:  security: status_server = no
Fri Oct 24 17:50:37 2003 : Debug:  main: debug_level = 0
Fri Oct 24 17:50:37 2003 : Debug: read_config_files:  reading dictionary
Fri Oct 24 17:50:37 2003 : Debug: read_config_files:  reading naslist
Fri Oct 24 17:50:37 2003 : Info: Using deprecated naslist file.  Support for this will go away soon.
Fri Oct 24 17:50:37 2003 : Debug: read_config_files:  reading clients
Fri Oct 24 17:50:37 2003 : Info: Using deprecated clients file.  Support for this will go away soon.
Fri Oct 24 17:50:37 2003 : Debug: read_config_files:  reading realms
Fri Oct 24 17:50:37 2003 : Info: Using deprecated realms file.  Support for this will go away soon.
Fri Oct 24 17:50:37 2003 : 

RE: Peap Testing problem

2003-10-24 Thread Ron Wahler
Ok, I had a bad config, I fixed that. So here is the debug for PEAP.

Still failing on 

Fri Oct 24 08:33:52 2003 : Debug:   rlm_eap_peap: Tunneled data is
valid.
Fri Oct 24 08:33:52 2003 : Debug:  rlm_eap: Handler failed in EAP type
25
Fri Oct 24 08:33:52 2003 : Debug:   rlm_eap: Failed in EAP select


Ron.





The debug output (-Xxxx):


Fri Oct 24 08:33:52 2003 : Debug: auth: type EAP
Fri Oct 24 08:33:52 2003 : Debug: modcall: entering group authenticate
for request 18
Fri Oct 24 08:33:52 2003 : Debug:   modsingle[authenticate]: calling eap
(rlm_eap) for request 18
Fri Oct 24 08:33:52 2003 : Debug:   rlm_eap: Request found, released
from the list
Fri Oct 24 08:33:52 2003 : Debug:   rlm_eap: EAP_TYPE - peap
Fri Oct 24 08:33:52 2003 : Debug:   rlm_eap: processing type peap
Fri Oct 24 08:33:52 2003 : Debug:   rlm_eap_peap: Authenticate
Fri Oct 24 08:33:52 2003 : Debug:   rlm_eap_tls: processing TLS
Fri Oct 24 08:33:52 2003 : Debug:   eaptls_verify returned 7
Fri Oct 24 08:33:52 2003 : Debug:   rlm_eap_tls: Done initial handshake
Fri Oct 24 08:33:52 2003 : Debug:   eaptls_process returned 7
Fri Oct 24 08:33:52 2003 : Debug:   rlm_eap_peap: EAPTLS_OK
Fri Oct 24 08:33:52 2003 : Debug:   rlm_eap_peap: Session established.
Proceeding to decode tunneled attributes.
  PEAP tunnel data in : 02 19 00 0b 21 80 03 00 02 00 02
Fri Oct 24 08:33:52 2003 : Debug:   rlm_eap_peap: Received EAP-TLV
response.
Fri Oct 24 08:33:52 2003 : Debug:   rlm_eap_peap: Tunneled data is
valid.
Fri Oct 24 08:33:52 2003 : Debug:  rlm_eap: Handler failed in EAP type
25
Fri Oct 24 08:33:52 2003 : Debug:   rlm_eap: Failed in EAP select
Fri Oct 24 08:33:52 2003 : Debug:   modsingle[authenticate]: returned
from eap (rlm_eap) for request 18
Fri Oct 24 08:33:52 2003 : Debug:   modcall[authenticate]: module eap
returns invalid for request 18
Fri Oct 24 08:33:52 2003 : Debug: modcall: group authenticate returns
invalid for request 18
Fri Oct 24 08:33:52 2003 : Debug: auth: Failed to validate the user.
Fri Oct 24 08:33:52 2003 : Debug: Delaying request 18 for 1 seconds
Fri Oct 24 08:33:52 2003 : Debug: Finished request 18
Fri Oct 24 08:33:52 2003 : Debug: Going to the next request
Fri Oct 24 08:33:52 2003 : Debug: Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.0.0.57:1146, id=107,
length=202
Sending Access-Reject of id 107 to 10.0.0.57:1146
EAP-Message = 0x04190004
Message-Authenticator = 0x
Fri Oct 24 08:33:57 2003 : Debug: --- Walking the entire request list
---
Fri Oct 24 08:33:57 2003 : Debug: Cleaning up request 10 ID 99 with
timestamp 3f9938
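The packets quoted in the debug output above can be read off with the following decoder, an added example that is not part of the thread or of FreeRADIUS; it assumes the RFC 3748 EAP header and the PEAPv0 EAP-TLV layout (type 33, 2-byte flags/type and 2-byte length per TLV, Result TLV type 3 with status 1 = Success, 2 = Failure). Decoding `02 19 00 0b 21 80 03 00 02 00 02` shows a mandatory Result TLV with status Failure, so the reject is the normal end of an inner exchange that had already failed, not a parser error.

```python
"""Decoder for the EAP packets quoted in this thread's FreeRADIUS debug output.

Added example, not code from the thread or from FreeRADIUS. Assumes the
RFC 3748 EAP header and the PEAPv0 EAP-TLV layout from
draft-josefsson-pppext-eap-tls-eap.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLV = 33          # PEAP inner EAP-TLV ("Extensions") method
TLV_RESULT = 3
RESULT_STATUS = {1: "Success", 2: "Failure"}

# Byte strings copied from the debug lines in this thread (not constructed):
IDENTITY_RESPONSE = bytes.fromhex(      # EAP-Message of the first Access-Request
    "0207001c01616e6f6e796d6f757340524f56494e475f504c414e4554")
TUNNEL_DATA = bytes.fromhex("0219000b21800300020002")  # "PEAP tunnel data in"
EAP_FAILURE = bytes.fromhex("04190004")                # EAP-Message in the Access-Reject


def parse_tlvs(payload):
    """Split an EAP-TLV payload into TLVs; Result TLVs get a decoded status."""
    tlvs, off = [], 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated TLV header")
        flags_type, tlen = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV value")
        tlv = {"mandatory": bool(flags_type & 0x8000),   # M bit
               "type": flags_type & 0x3FFF, "value": value}
        if tlv["type"] == TLV_RESULT and tlen == 2:
            status = struct.unpack("!H", value)[0]
            tlv["result"] = RESULT_STATUS.get(status, "unknown(%d)" % status)
        tlvs.append(tlv)
        off += 4 + tlen
    return tlvs


def parse_eap(data):
    """Parse one EAP packet; raises ValueError when the header is malformed."""
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field %d != packet size %d" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
           "id": ident, "length": length}
    if code in (3, 4):            # Success/Failure carry no Type octet
        return pkt
    if length < 5:
        raise ValueError("Request/Response needs a Type octet")
    pkt["type"] = data[4]
    payload = data[5:]
    if pkt["type"] == EAP_TYPE_IDENTITY:
        pkt["identity"] = payload.decode("ascii", errors="replace")
    elif pkt["type"] == EAP_TYPE_TLV:
        pkt["tlvs"] = parse_tlvs(payload)
    return pkt


def summarize(data):
    """One-line human-readable reading of a packet, handy next to a log line."""
    pkt = parse_eap(data)
    line = "EAP %s id=%d len=%d" % (pkt["code"], pkt["id"], pkt["length"])
    if "identity" in pkt:
        line += " Identity %r" % pkt["identity"]
    for tlv in pkt.get("tlvs", []):
        line += " TLV type=%d%s" % (tlv["type"],
                                    " (mandatory)" if tlv["mandatory"] else "")
        if "result" in tlv:
            line += " Result=%s" % tlv["result"]
    return line


if __name__ == "__main__":
    for name, data in (("outer identity", IDENTITY_RESPONSE),
                       ("tunnel data", TUNNEL_DATA),
                       ("reject", EAP_FAILURE)):
        print("%-15s %s" % (name, summarize(data)))
```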






RE: Peap Testing problem

2003-10-24 Thread Ron Wahler

I am testing with Windows XP/peap, through a Cisco 350 AP to FreeRadius.

Ron.

 -Original Message-
 From: Ron Wahler
 Sent: Friday, October 24, 2003 10:20 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Peap Testing problem
 


RE: Peap Testing problem

2003-10-24 Thread Ron Wahler
 
Here's the line of code, type 25 is PEAP, but no handler 


	if (eaptype_call(inst->types[eaptype->type],
			 handler) == 0) {
		DEBUG2(" rlm_eap: Handler failed in EAP type %d",
		       eaptype->type);
		return EAP_INVALID;
	}



 -Original Message-
 From: Ron Wahler
 Sent: Friday, October 24, 2003 10:23 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Peap Testing problem
 
 


Re: Peap Testing problem

2003-10-24 Thread Alan DeKok
Ron Wahler [EMAIL PROTECTED] wrote:
 Here's the line of code, type 25 is PEAP, but no handler 

  Yes... it's clear as to what line of the source prints the message.
What's not clear is *why* the PEAP module is failing.

  The debug output SHOULD contain information which lets you track
down what went wrong, and why.  If there isn't enough information,
then adding more debugging statements would be a good place to start.

  Alan DeKok.




relocation error running FreeRadius with TTLS

2003-10-24 Thread silvio . arcangeli
 conns: 0x8104a60
 Module: Instantiated ldap (ldap)
 Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 rlm_eap: Loaded and initialized type md5
 rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/cert/server.pvk
 tls: certificate_file = /usr/local/cert/server.cer
 tls: CA_file = /usr/local/cert/ca.cer
 tls: private_key_password = acsi
 tls: dh_file = /usr/local/cert/dh
 tls: random_file = /usr/local/cert/random
tls: include_length = yes
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = md5
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
Module: Loaded preprocess
 rlm_eap: Loaded and initialized type ttls
 rlm_eap: Loaded and initialized type mschapv2
 Module: Instantiated eap (eap)
preprocess: ascend_channels_per_line = 23
 Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 Module: Instantiated preprocess (preprocess)
 Module: Loaded detail
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
 Module: Instantiated detail (auth_log)
 Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
 Module: Instantiated realm (suffix)
 Module: Loaded files
files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
 Module: Instantiated files (files)
 Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
 Module: Instantiated acct_unique (acct_unique)
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
 Module: Instantiated detail (detail)
 Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
 Module: Instantiated radutmp (radutmp)
 Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on 1647/udp.
 Ready to process requests.
 rad_recv: Access-Request packet from host 192.168.100.12:4197, id=19, length=130
 NAS-IP-Address = 12.12.12.8
 NAS-Port-Type = Async
 User-Name = tilsaduser
 Service-Type = Framed-User
 Framed-MTU = 1500
 Calling-Station-Id = 00-08-02-94-3b-e8
 EAP-Message = 0x021a0174696c736164757365724066726565726164697573
Message-Authenticator = 0xee4a8219409c33104673d5b577f28ccd
 Message-Authenticator = 0xee4a8219409c33104673d5b577f28ccd
 Proxy-State = 0x434953434f3a31
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.100.12/auth-detail-20031024'
 modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.100.12/auth-detail-20031024'
 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.100.12/auth-detail-20031024
 rad_check_password: Found Auth-Type EAP
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
./radiusd: relocation error: /usr/local/lib/rlm_eap_tls-1.0.0-pre0.so: undefined symbol: SSL_set_msg_callback
  rlm_eap: EAP packet type response id 0 length 26
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
 rlm_realm: No '@' in User-Name = tilsaduser, looking up realm NULL
 rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
 users: Matched DEFAULT at 152
 users: Matched DEFAULT at 171
modcall[authorize]: module files returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
rad_check_password:: command not found
auth: type EAP
auth:: command not found
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
./radiusd: relocation error: /usr/local/lib/rlm_eap_tls

Re: PEAP TLS ... FreeRadius not starting

2003-10-24 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Could it be that there is something wrong with my certificates?

  It's a possibility.

 I used standard OpenSSL certs. Where can I find more Information
 what exactly freeradius wants for private_key_file,
 certificate_file, CA_file, dh_file (especially CA_file).

  See 'scripts/CA.all', which creates test certificates.

  Alan DeKok.



RE: Peap Testing problem

2003-10-24 Thread Ron Wahler

This is the line that is failing.  The status is
PEAP_STATUS_SENT_TLV_FAILURE.   How does this get set ?
How can we check versions of PEAP ?

Ron.

Peap.c

	} else if (t->status == PEAP_STATUS_SENT_TLV_FAILURE) {
		DEBUG2("  rlm_eap_peap: RML_MODULE_REJECT 2");
		return RLM_MODULE_REJECT;
	}





 -Original Message-
 From: Alan DeKok [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 24, 2003 10:44 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Peap Testing problem
 


Re: Orinoco AP2000

2003-10-24 Thread Michael Griego
When the AP is restarted, the clients will have to reassociate.  During
the association phase is when a client MAC auth is performed.  Since the
clients have to do this anyway to regain access, there shouldn't be an
issue there.  I've never seen this sort of behavior with my AP-2Ks.  New
RADIUS requests are sent when the client reassociates.  What client
card/OS are you using and what AP firmware revision are you using?

--Mike


On Fri, 2003-10-24 at 09:16, Marian Rychtecký wrote:
 Hi!
 I'm trying to authorize MAC addresses on an Orinoco AP2000 access
 point - all works fine, but when I restart my access point, all
 users are unauthorised until the client is restarted. I think that
 this bug is in the firmware of the AP.
 Does anybody have the same problem?
 
 Thanks, Marian
 
 -- 
 Marian Rychtecký
 [EMAIL PROTECTED]
 +420 603 373 396
  
 Na Pěšině 281
 405 05 Děčín, Czech Republic
 http://www.mari.cz
-- 
 --Mike


Michael Griego
Wireless Network Administrator
University of Texas at Dallas






Re: relocation error running FreeRadius with TTLS

2003-10-24 Thread Michael Griego
 mapped to RADIUS
 Framed-AppleTalk-Link
  rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
 Framed-AppleTalk-Network
  rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
 Framed-AppleTalk-Zone
  rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
  rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
  conns: 0x8104a60
  Module: Instantiated ldap (ldap)
  Module: Loaded eap
   eap: default_eap_type = tls
   eap: timer_expire = 60
   eap: ignore_unknown_eap_types = no
  rlm_eap: Loaded and initialized type md5
  rlm_eap: Loaded and initialized type leap
   tls: rsa_key_exchange = no
   tls: dh_key_exchange = yes
   tls: rsa_key_length = 512
   tls: dh_key_length = 512
   tls: verify_depth = 0
   tls: CA_path = (null)
   tls: pem_file_type = yes
   tls: private_key_file = /usr/local/cert/server.pvk
   tls: certificate_file = /usr/local/cert/server.cer
   tls: CA_file = /usr/local/cert/ca.cer
   tls: private_key_password = acsi
   tls: dh_file = /usr/local/cert/dh
   tls: random_file = /usr/local/cert/random
  tls: include_length = yes
   tls: fragment_size = 1024
   tls: include_length = yes
   tls: check_crl = no
  rlm_eap: Loaded and initialized type tls
   ttls: default_eap_type = md5
   ttls: copy_request_to_tunnel = no
   ttls: use_tunneled_reply = no
 Module: Loaded preprocess
  rlm_eap: Loaded and initialized type ttls
  rlm_eap: Loaded and initialized type mschapv2
  Module: Instantiated eap (eap)
  preprocess: ascend_channels_per_line = 23
  Module: Loaded preprocess
   preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
   preprocess: hints = /usr/local/etc/raddb/hints
   preprocess: with_ascend_hack = no
   preprocess: ascend_channels_per_line = 23
   preprocess: with_ntdomain_hack = no
   preprocess: with_specialix_jetstream_hack = no
   preprocess: with_cisco_vsa_hack = no
  Module: Instantiated preprocess (preprocess)
  Module: Loaded detail
   detail: detailfile =
 /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
   detail: detailperm = 384
   detail: dirperm = 493
   detail: locking = no
  Module: Instantiated detail (auth_log)
  Module: Loaded realm
   realm: format = suffix
   realm: delimiter = @
 Module: Instantiated realm (suffix)
  Module: Instantiated realm (suffix)
  Module: Loaded files
  files: acctusersfile = /usr/local/etc/raddb/acct_users
   files: usersfile = /usr/local/etc/raddb/users
   files: acctusersfile = /usr/local/etc/raddb/acct_users
   files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
   files: compat = no
  Module: Instantiated files (files)
  Module: Loaded Acct-Unique-Session-Id
   acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
 Client-IP-Address, NAS-Port-Id
  Module: Instantiated acct_unique (acct_unique)
   detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
   detail: detailperm = 384
   detail: dirperm = 493
   detail: locking = no
  Module: Instantiated detail (detail)
  Module: Loaded radutmp
   radutmp: filename = /usr/local/var/log/radius/radutmp
   radutmp: username = %{User-Name}
   radutmp: case_sensitive = yes
   radutmp: check_with_nas = yes
   radutmp: perm = 384
   radutmp: callerid = yes
  Module: Instantiated radutmp (radutmp)
  Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on 1647/udp.
  Ready to process requests.
  rad_recv: Access-Request packet from host 192.168.100.12:4197, id=19, length=130
  NAS-IP-Address = 12.12.12.8
  NAS-Port-Type = Async
  User-Name = tilsaduser
  Service-Type = Framed-User
  Framed-MTU = 1500
  Calling-Station-Id = 00-08-02-94-3b-e8
  EAP-Message = 0x021a0174696c736164757365724066726565726164697573
  Message-Authenticator = 0xee4a8219409c33104673d5b577f28ccd
  Proxy-State = 0x434953434f3a31
  radius_xlat: '/usr/local/var/log/radius/radacct/192.168.100.12/auth-detail-20031024'
  modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
  radius_xlat: '/usr/local/var/log/radius/radacct/192.168.100.12/auth-detail-20031024'
  rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.100.12/auth-detail-20031024
   rad_check_password:  Found Auth-Type EAP
modcall[authorize]: module auth_log returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
./radiusd: relocation error: /usr/local/lib/rlm_eap_tls-1.0.0-pre0.so: undefined symbol: SSL_set_msg_callback
rlm_eap: EAP packet type response id 0 length 26
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
   rlm_realm: No '@' in User-Name = tilsaduser, looking up realm NULL
   rlm_realm: No such realm NULL
  modcall

Re: relocation error running FreeRadius with TTLS

2003-10-24 Thread silvio . arcangeli

 Which version of OpenSSL are you running against, and which version was
 the server compiled against?


SSL is 0.9.7c, FreeRadius is a CVS snapshot downloaded this morning

Silvio

RE : RE: Better security

2003-10-24 Thread Puneet B

 I know that vpn (in my situation I use AES in esp and ike) is a 
 perfect (about) solution.
 In my infrastructure vpn authenticates machines/computers/boxes 
 (network cards) and radius authenticates users.

Is this a wireless environment? How are you using Radius? The user 
typically never sees Radius packets. They occur only between an AP or 
a NAS or a dialup server on one end and a Radius server on the other.

 Can I make an eap/tls connection above a vpn? That is, before I create 
 an ipsec connection and after I make an eap/tls one?

I'm not sure if I get it, but if you are using EAP-TLS between your 
laptop and the AP, and then a VPN client from your laptop to
another box (for VPN termination) somewhere behind the AP, it sounds
like it would work.

 I don't think so because vpn works at layer 3 and eap at layer 
 2... is that right?

AFAIK when you do EAP-TLS first, you have set up Layer 2 and now you
should be able to do anything (including VPN) at Layer 3.

 Java supports ssl (JSSE); is it hard/difficult to make a java client 
 with ssl that talks with a radius server?

I have never used Java+SSL so I don't know. I assume you are planning
to write an EAP-TLS client. If so, you can try using one of the
existing clients (Windows/XSupplicant/alfa-ariss.com etc). 

If this is between the NAS and the Server, it'll be some work to get 
SSL working, as Radius messages use UDP and SSL inherently assumes 
a connection-oriented reliable transport such as TCP, and your code 
will have to handle stuff like retransmits, out-of-order delivery etc.
You might be better off using IPSec between your NAS and the Radius
server. 
So:
1. user -> AP (EAP-TLS)
2. AP -> Radius Server (IPSec) [BTW, which AP supports a builtin VPN client?]
3. user -> VPN termination box (IPSec)
and you are all set. You don't need to write any SSL client.

Puneet


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Peap Testing problem

2003-10-24 Thread Alan DeKok
Ron Wahler [EMAIL PROTECTED] wrote:
 This is the line that is failing.  The status is
 PEAP_STATUS_SENT_TLV_FAILURE.   How does this get set ?

  It appears that the client is sending this to the server.  It means
that the client didn't like the server's EAP-MSCHAPv2 response.

 How can we check versions of PEAP ?

  It's buried in one of the bits of the TLS header, inside of the
EAP-Message.

  Alan DeKok.

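Where that version field actually sits, as an added example that is not FreeRADIUS code and not from the original thread: a decoder for the EAP header and for the flags byte that EAP-TLS, EAP-TTLS and PEAP place right after the Type field. The L/M/S bits occupy the top of that byte and the method version the low three bits. The packets at the bottom are constructed; the identity response is shaped like the one visible in the debug log earlier on this page (Response, type Identity, length 26).

```python
"""Decode an EAP packet and the flags byte of a TLS-based EAP method.

Added example, not FreeRADIUS code. For EAP-TLS (type 13), EAP-TTLS (type 21)
and PEAP (type 25) the byte after the Type field carries the L/M/S flags and,
in its low three bits, the method version; that is where the PEAP version
has to be read from. The sample packets at the bottom are constructed.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED_TYPES = {13, 21, 25}

FLAG_LENGTH_INCLUDED = 0x80  # L: a 4-byte total TLS message length follows
FLAG_MORE_FRAGMENTS = 0x40   # M: more fragments of this TLS record follow
FLAG_START = 0x20            # S: first packet of the TLS exchange
VERSION_MASK = 0x07          # V: method version (PEAP/TTLS); always 0 for EAP-TLS


def parse_eap(pkt: bytes) -> dict:
    """Return a dict describing the EAP header, Type and (if TLS-based) flags."""
    if len(pkt) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP Length field {length} does not match {len(pkt)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):
        return info                      # Success/Failure carry no Type
    if length < 5:
        raise ValueError("Request/Response must carry a Type byte")
    eap_type = pkt[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        info["identity"] = pkt[5:].decode("utf-8", "replace")
    elif eap_type in TLS_BASED_TYPES:
        if length < 6:
            raise ValueError("TLS-based EAP type needs a flags byte")
        flags = pkt[5]
        info["flags"] = {"L": bool(flags & FLAG_LENGTH_INCLUDED),
                         "M": bool(flags & FLAG_MORE_FRAGMENTS),
                         "S": bool(flags & FLAG_START)}
        info["version"] = flags & VERSION_MASK
        body = pkt[6:]
        if flags & FLAG_LENGTH_INCLUDED:
            if len(body) < 4:
                raise ValueError("L flag set but the TLS length field is missing")
            info["tls_total_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        info["tls_data"] = body
    else:
        info["type_data"] = pkt[5:]
    return info


def build_eap(code: int, ident: int, eap_type: int = None, payload: bytes = b"") -> bytes:
    """Encode an EAP packet; the Length field is computed from the body."""
    body = b"" if eap_type is None else bytes([eap_type]) + payload
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed samples. The identity response has the same shape as the one in
# the debug log above (Response, type Identity, length 26).
IDENTITY_RESPONSE = build_eap(2, 26, 1, b"tilsaduser@freeradius")
PEAP_V0_START = build_eap(1, 27, 25, bytes([FLAG_START]))
PEAP_V1_FIRST_FRAGMENT = build_eap(
    1, 28, 25,
    bytes([FLAG_LENGTH_INCLUDED | FLAG_MORE_FRAGMENTS | 1])
    + struct.pack("!I", 3000) + b"\x16\x03\x01",
)
```

To look at a live exchange, feed the hex from the `EAP-Message` attribute of a debug trace (with the leading `0x` stripped and `bytes.fromhex`) into `parse_eap`; a PEAP request whose `version` is not what the client expects is exactly the case where the two ends negotiate down or fail.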


Re: relocation error running FreeRadius with TTLS

2003-10-24 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 SSL is 0.9.7c, FreeRadius is a CVS snapshot downloaded this morning

  It appears that you have multiple versions of OpenSSL installed, and
the server is compiled using one, but is using another when you run
it.

  Alan DeKok.



encapsulation and log formats.

2003-10-24 Thread Jack J
Hi,


I have looked into Archives, but did not locate
information.

Just wanted to know if FreeRadius supports:
a) Customized log formats for Accounting.
  What other formats are supported?
b) In REPLY: Access-Accept/Reject: an option to
turn on/off encapsulation for AV pairs.
I understand some clients require this.

Thanks,






RE: Peap Testing problem

2003-10-24 Thread Ron Wahler

Yeah, that was it, a bad MSCHAPv2 password. It does
work for a local user. Thanks!



There still is another problem with TTLS.

It looks like the post-auth module, i.e. exec-program, is called twice.
Once with the correct user name, then again with the anonymous user
name.



Ron.



Fri Oct 24 10:36:14 2003 : Debug: rlm_exec (rp_default_postauth): WARNING! Input pairs are empty.  No attributes will be passed to the script
Fri Oct 24 10:36:14 2003 : Debug: radius_xlat: '/opt/freeradius/etc/raddb/authUser.sh [EMAIL PROTECTED] 00022d60203c NONE NONE'
Fri Oct 24 10:36:14 2003 : Debug: Exec-Program: /opt/freeradius/etc/raddb/authUser.sh [EMAIL PROTECTED] 00022d60203c NONE NONE
--10:36:14--  https://localhost/CSD/[EMAIL PROTECTED]&mac=00022d60203c&rpgrp=
           => '[EMAIL PROTECTED]&mac=00022d60203c&rpgrp='
Resolving localhost... done.
Connecting to localhost[127.0.0.1]:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 150 [text/html]

100%[] 150  146.48K/s ETA 00:00

10:36:14 (146.48 KB/s) - '[EMAIL PROTECTED]&mac=00022d60203c&rpgrp=' saved [150/150]

Fri Oct 24 10:36:14 2003 : Debug: Exec-Program output:
Fri Oct 24 10:36:14 2003 : Debug: Exec-Program: returned: 0
Fri Oct 24 10:36:14 2003 : Debug:   modsingle[post-auth]: returned from rp_default_postauth (rlm_exec) for request 30
Fri Oct 24 10:36:14 2003 : Debug:   modcall[post-auth]: module rp_default_postauth returns ok for request 30
Fri Oct 24 10:36:14 2003 : Debug: modcall: group post-auth returns ok for request 30
  TTLS: Got tunneled reply RADIUS code 2
Fri Oct 24 10:36:14 2003 : Debug:   TTLS: Got tunneled Access-Accept
Fri Oct 24 10:36:14 2003 : Debug:   rlm_eap: Freeing handler
Fri Oct 24 10:36:14 2003 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 30
Fri Oct 24 10:36:14 2003 : Debug:   modcall[authenticate]: module eap returns ok for request 30
Fri Oct 24 10:36:14 2003 : Debug: modcall: group authenticate returns ok for request 30
Fri Oct 24 10:36:14 2003 : Debug: modcall: entering group post-auth for request 30
Fri Oct 24 10:36:14 2003 : Debug:   modsingle[post-auth]: calling rp_default_postauth (rlm_exec) for request 30
Fri Oct 24 10:36:14 2003 : Debug: radius_xlat: '/opt/freeradius/etc/raddb/authUser.sh [EMAIL PROTECTED] 00022d60203c NONE NONE'
Fri Oct 24 10:36:14 2003 : Debug: Exec-Program: /opt/freeradius/etc/raddb/authUser.sh [EMAIL PROTECTED] 00022d60203c NONE NONE
--10:36:14--  https://localhost/CSD/[EMAIL PROTECTED]&mac=00022d60203c&rpgrp=
           => '[EMAIL PROTECTED]&mac=00022d60203c&rpgrp='
Resolving localhost... done.
Connecting to localhost[127.0.0.1]:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 150 [text/html]

100%[] 150  146.48K/s ETA 00:00

10:36:14 (146.48 KB/s) - '[EMAIL PROTECTED]&mac=00022d60203c&rpgrp=' saved [150/150]



TTLS outer/inner access-accept

2003-10-24 Thread Ron Wahler

It looks like the inner tunnel calls 

rp_default_postauth (rlm_exec) for request 30

then it is called again 
calling rp_default_postauth (rlm_exec) for request 30

when the Access-Accept is sent back to the AP.


Is that expected behavior?

Thanks,
Ron.




  TTLS: Got tunneled reply RADIUS code 2
Fri Oct 24 10:36:14 2003 : Debug:   TTLS: Got tunneled Access-Accept
Fri Oct 24 10:36:14 2003 : Debug:   rlm_eap: Freeing handler
Fri Oct 24 10:36:14 2003 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 30
Fri Oct 24 10:36:14 2003 : Debug:   modcall[authenticate]: module eap returns ok for request 30
Fri Oct 24 10:36:14 2003 : Debug: modcall: group authenticate returns ok for request 30
Fri Oct 24 10:36:14 2003 : Debug: modcall: entering group post-auth for request 30
Fri Oct 24 10:36:14 2003 : Debug:   modsingle[post-auth]: calling rp_default_postauth (rlm_exec) for request 30
Fri Oct 24 10:36:14 2003 : Debug: radius_xlat: '/opt/freeradius/etc/raddb/authUser.sh [EMAIL PROTECTED] 00022d60203c NONE NONE'



 


Re: TTLS outer/inner access-accept

2003-10-24 Thread Alan DeKok
Ron Wahler [EMAIL PROTECTED] wrote:
 It looks like the inner tunnel calls

 rp_default_postauth (rlm_exec) for request 30

  For the tunneled version of the request.

 then it is called again
 calling rp_default_postauth (rlm_exec) for request 30

  For the outer version of the request.

 when the Access-Accept is sent back to the AP.
 
 Is that expected behavior?

  Yes.  The tunneled authentication request looks *exactly* like a
normal authentication request to everything in the server.  Only the
TTLS/PEAP modules know it's a tunneled request.

  If you don't want the post-auth section called for the outer user,
then you can configure the server to only call it for the tunneled
request, OR to not call it for the anonymous user.

  Alan DeKok.

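One way to keep the outer identity from triggering the web call at the script level, as an added example that is neither the poster's authUser.sh nor FreeRADIUS code: a replacement post-auth program that takes the same two positional arguments seen in the log (User-Name, Calling-Station-Id), declines to act for the anonymous outer identity, and percent-encodes every value before it enters the query string. The debug output shows the raw User-Name spliced straight into the URL, so a name containing `&` or `#` would rewrite the query. The script name, the CSD endpoint path and the `anonymous` naming convention are assumptions. The server-side configuration Alan describes is still the cleaner fix, since it avoids running the program at all for the outer request.

```python
#!/usr/bin/env python3
"""Post-auth hook for rlm_exec (added example, not FreeRADIUS code).

Assumed (hypothetical) invocation, mirroring the shell script in the log:
    authUser.py <User-Name> <Calling-Station-Id>
The TTLS outer request carries the anonymous identity; the tunneled (inner)
request carries the real user. Only the inner one should cause side effects.
"""
import sys
import urllib.parse

BASE_URL = "https://localhost/CSD/"   # host from the log; the path is an assumption
ANONYMOUS_USERS = {"anonymous"}      # convention used by common supplicants


def is_outer_identity(user_name: str) -> bool:
    """True for 'anonymous', 'anonymous@realm' or an empty local part."""
    local_part = user_name.split("@", 1)[0].strip().lower()
    return local_part == "" or local_part in ANONYMOUS_USERS


def build_csd_url(user_name: str, mac: str, group: str = "") -> str:
    """Compose the query with every value percent-encoded (urlencode uses
    quote_plus), so '&', '=', '#' or spaces in a User-Name cannot add or
    overwrite parameters."""
    query = urllib.parse.urlencode({"user": user_name, "mac": mac, "rpgrp": group})
    return BASE_URL + "?" + query


def decide(argv) -> tuple:
    """Return (should_run, url_or_reason) for the given argv."""
    if len(argv) < 3:
        return False, "usage: authUser.py <User-Name> <Calling-Station-Id>"
    user, mac = argv[1], argv[2]
    if is_outer_identity(user):
        return False, f"skipping outer identity {user!r}"
    return True, build_csd_url(user, mac)


if __name__ == "__main__":
    should_run, detail = decide(sys.argv)
    print(detail)
    # Exit 0 on the skip path too: rlm_exec treats a non-zero exit status of a
    # waited-for child as a failure, which would turn the Accept into a reject.
    sys.exit(0)
```

The fetch itself (the `wget` call in the original script) is deliberately left out; `decide` returns the URL so the decision logic can be tested without touching the network.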


RE: TTLS outer/inner access-accept

2003-10-24 Thread Ron Wahler

What would the syntax look like to prevent the outer tunnel from
calling post-auth? They both have the same realm.

How about just preventing an anonymous user?



iptables rules to permit RADIUS

2003-10-24 Thread Javier Santos
Hello,

I am running freeradius on my linux server, and I am authenticating users of 
my cisco router on RADIUS.

I have a firewall on my linux server with iptables.

When iptables is started I have a problem with RADIUS 
authentication (I can not telnet into the router, access denied).

I have permitted tcp and udp 1812/1813 in iptables rules.

The question is:

are there more ports to permit?

thanks.











iptables rules to permit RADIUS

2003-10-24 Thread Javier Santos
Hello,

I have freeradius running on my linux server.
Users who telnet to my Cisco router are authenticated with RADIUS.
In order to protect the server I am running iptables rules.

When I start iptables, I can not telnet into the Cisco router (access denied).

I have permitted tcp/udp 1812/1813 ports in iptables rules.

Are there more ports that I must permit?

Thanks


Re: iptables rules to permit RADIUS

2003-10-24 Thread Alan DeKok
Javier Santos [EMAIL PROTECTED] wrote:
 I have permited tcp/udp 1812/1813 ports in iptables rules.
 
 are there more ports that i must to permit?

  No.  And RADIUS doesn't use TCP, so you can block TCP 1812/1813.

  Alan DeKok.



configuration question: multiple LDAP realms with TTLS.

2003-10-24 Thread Jack J
Hi,

I have a situation that I need to configure.
I did not find it in the archives, thus I'm hoping someone
could shed some light.

I need to configure 2 realms.
Both of them need to use TTLS with different LDAP
servers
that use TLS for communication.

Any tips how to configure this ?
Any samples ?


Thank you,




Re: 0.9.1 and bad logins

2003-10-24 Thread Michael Richardson

 Bill == Bill  [EMAIL PROTECTED] writes:
Bill I recently switched from Cistron to FreeRadius 0.9.1  I just
Bill noticed 
Bill that FreeRadius is periodically rejecting customer's passwords when
Bill the 

  It sounds like freeradius and/or some other process isn't locking the
password file properly, and you are seeing partially updated passwd entries.

  If we knew what OS and what set of libraries you were using, and
what other processes were editing /etc/passwd, we might be able to help.


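The partially updated entries Michael describes are what a reader sees when another process rewrites the password file in place: for a moment the file is truncated or a line is half written, and a server that happens to look up a user right then rejects a correct password. Added example, not FreeRADIUS code: a writer that takes a lock, writes a temporary file in the same directory and renames it over the original, so a concurrent reader only ever sees the old or the new file, plus a parser that rejects torn lines instead of silently turning them into "no such user". The file contents in `demo()` are constructed; ownership is not reset, which on a real /etc/passwd would need root.

```python
"""Atomic, locked update of a passwd-style file.

Added example, not FreeRADIUS code. Rewriting /etc/passwd in place lets a
concurrent reader (a RADIUS server checking a password, say) observe a
truncated or half-written entry. Writing a temp file in the same directory
and renaming it over the original makes the switch atomic; the lock
serialises writers, which is the role /etc/.pwd.lock plays for vipw/passwd.
The file contents in demo() are constructed.
"""
import fcntl
import os
import tempfile
from contextlib import contextmanager

PASSWD_FIELDS = 7  # name:passwd:uid:gid:gecos:home:shell


def parse_passwd(text: str) -> dict:
    """Map user name to its field list; a torn line raises instead of
    quietly becoming 'no such user' and hence a rejected login."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != PASSWD_FIELDS:
            raise ValueError(f"line {lineno}: {len(fields)} fields, expected {PASSWD_FIELDS}")
        entries[fields[0]] = fields
    return entries


def is_well_formed(text: str) -> bool:
    try:
        parse_passwd(text)
        return True
    except ValueError:
        return False


@contextmanager
def locked(path: str):
    """Exclusive advisory lock on <path>.lock so two writers cannot interleave."""
    fd = os.open(path + ".lock", os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)
        yield
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def update_passwd(path: str, mutate) -> dict:
    """Read, apply mutate(entries), and replace the file atomically."""
    with locked(path):
        with open(path, encoding="utf-8") as f:
            entries = parse_passwd(f.read())
        mutate(entries)
        new_text = "".join(":".join(fields) + "\n" for fields in entries.values())
        mode = os.stat(path).st_mode & 0o7777
        tmp_fd, tmp_path = tempfile.mkstemp(prefix=".passwd.",
                                            dir=os.path.dirname(os.path.abspath(path)))
        try:
            with os.fdopen(tmp_fd, "w", encoding="utf-8") as tmp:
                tmp.write(new_text)
                tmp.flush()
                os.fsync(tmp.fileno())      # data on disk before the rename is visible
            os.chmod(tmp_path, mode)        # keep the original permissions (owner not reset here)
            os.replace(tmp_path, path)      # atomic: readers see old or new, never a mix
        except BaseException:
            if os.path.exists(tmp_path):
                os.unlink(tmp_path)
            raise
    return entries


def demo() -> dict:
    """Constructed sample: add a user to a throwaway file and read it back."""
    path = os.path.join(tempfile.mkdtemp(), "passwd")
    with open(path, "w", encoding="utf-8") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n"
                "bill:x:1000:1000:Bill:/home/bill:/bin/sh\n")

    def add_craig(entries):
        entries["craig"] = ["craig", "x", "1001", "1001", "Craig", "/home/craig", "/bin/sh"]

    update_passwd(path, add_craig)
    with open(path, encoding="utf-8") as f:
        return parse_passwd(f.read())
```

The lock only protects against other writers that honour the same lock; a tool that edits the file with its own scheme (or none) still races, which is why the question of which other processes touch the file matters.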