proxy help question
Is it possible to have ONE radius server query TWO databases in the same server for requests for different realms?

For example if I had two realms

dialup.someisp.net
adsl.someisp.net

and both realms came into the same radius server, and I had two mysql databases with two different customer bases for two different services (dialup and adsl).

Is it possible for me to instruct the radius server to query different databases for different domains?

Cheers, Craig
Configuration for TTLS
Hi everybody, with the last snapshot we finally succeeded in compiling the server and having it correctly installed :-) Now our issue is that the configuration is not delivered within the snapshot, and so we still have the one from the stable release... that does not feature TTLS. What settings do we have to add to the configuration file for TTLS? Thank you again, Silvio Arcangeli
Re: dialup_admin latest cvsup
On Wed, 22 Oct 2003, apellido jr., wilfredo p wrote:
Good day Mr. Kalevras. statistics, user's statistics and online users doesn't show anything in latest dialup_admin cvsup. here's my config

Doesn't show anything meaning a blank page or no accounting data? Make sure that you are using the new conf/accounting.attrs file

- admin.conf -
#
# Main Configuration File
#
# it can be default or whatever language. Only greek are supported
# from non latin alphabet languages
# These attribute only apply for ldap not for sql
#
general_prefered_lang: en
general_prefered_lang_name: English
#
# The charset which will be added as a meta tag in all pages
#
general_charset: iso-8859-1
#
# Uncomment this if normal attributes (not the ;lang-xx ones) in ldap
# are utf8 encoded.
#
#general_decode_normal_attributes: yes
#
# The directory where dialupadmin is installed
#
general_base_dir: /usr/local/www/data/dialup_admin
#
# The base directory of the freeradius radius installation
#
general_radiusd_base_dir: /usr/local/freeradius-0.9.2
general_domain: mactan.ph
#
# Set it to yes to use sessions and cache the various mappings
# You can also set use_session = 1 in config.php3 to also cache
# the admin.conf
#
# IMPORTANT -- IMPORTANT -- IMPORTANT
#Remember to use the 'Clear Cache' page if you use sessions and do any changes
#in any of the configuration files.
#
general_use_session: no
#
# This is used by the failed logins page. It states the default back time
# in minutes.
#
general_most_recent_fl: 30
#
# Realm setup
#
# Set general_strip_realms to yes in order to stip realms from usernames.
# By default realms are not striped
#general_strip_realms : yes
#
# The delimiter used in realms. Default is @
#
#general_realm_delimiter: @
#
# The format of the realms. Can be either suffix (realm is after the username)
# or prefix (realm is before the username).
# Default is suffix
#
#general_realm_format: suffix
#
#
# Determines if the administrator will be able to change the user password through
# the user edit page
general_show_user_password: yes
#general_ldap_attrmap: %{general_radiusd_base_dir}/etc/raddb/ldap.attrmap
general_sql_attrmap: %{general_base_dir}/conf/sql.attrmap
general_accounting_attrs_file: %{general_base_dir}/conf/accounting.attrs
#general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap
#
# it can be either ldap or sql
# This affects the user base not accounting. Accounting is always in sql
#
general_lib_type: sql
#
# Define which attributes will be visible in the user edit page
#
general_user_edit_attrs_file: %{general_base_dir}/conf/user_edit.attrs
#
# Used by the Accounting Report Generator
#
general_sql_attrs_file: %{general_base_dir}/conf/sql.attrs
#
# Set default values for various attributes
#
general_default_file: %{general_base_dir}/conf/default.vals
#general_ld_library_path: /usr/local/snmpd/lib
#
# can be 'snmp' (for snmpfinger) or empty to query the radacct table without first
# querying the nas
# This is used by the online users page
#
general_finger_type: snmp
general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
general_radclient_bin: %{general_radiusd_base_dir}/bin/radclient
#
# this information is used from the server check page
#
general_test_account_login: cache
general_test_account_password: cache
#
# These are used as default values for the user test page
#
general_radius_server: localhost
general_radius_server_port: 1645
#
# can be either pap or chap
#
general_radius_server_auth_proto: pap
#
# sorry, single valued for now.
# Should become something like
# password[server-name]: x
#
general_radius_server_secret: cyclades
general_auth_request_file: %{general_base_dir}/conf/auth.request
#
# can be one of crypt,md5,clear
#
general_encryption_method: clear
#
# can be either asc (older dates first) or desc (recent dates first)
# This is used in the user accounting and badusers pages
#
general_accounting_info_order: desc
#
# Use the totacct table in the user statistics page instead of the radacct
# table. That will make the page run quicker. totacct should have data for
# this to work :-)
#
general_stats_use_totacct: yes
INCLUDE: %{general_base_dir}/conf/naslist.conf
INCLUDE: %{general_base_dir}/conf/captions.conf
#
# The ldap server to connect to.
# Both ldap_server and ldap_write_server can be a space-separated
# list of ldap hostnames. In that case the library will try to connect
# to the servers in the order that they appear. If the first host is down
# ldap_connect will ask for the second ldap host and so on.
#
#ldap_server: ldap.%{general_domain}
#
# There are many cases where we have a small write master and
# a lot of fast read only replicas. If that is the case uncomment
#
RE: FreeRADIUS with SNOM4S
OK, thanks Alan. I'll point that out to them!

Regards, Alan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: 23 October 2003 17:38
To: [EMAIL PROTECTED]
Subject: Re: FreeRADIUS with SNOM4S

Alan Litster [EMAIL PROTECTED] wrote:
0x0000 4500 009c 9242 4000 4011 d059 5190 9a52 [EMAIL PROTECTED]@..YQ..R
0x0010 5190 9a42 1789 0714 0088 4881 010d 007a Q..B..Hz

The last '007a' is *supposed* to be the length of the RADIUS portion of the packet.

0x0050 3033 03

Including IP UDP headers, the packet is only 0052 bytes long. The RFC's say that such packets MUST be silently discarded. The client is broken. It won't work with *any* RADIUS server.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
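The check Alan describes (a Length field larger than the datagram actually received must lead to the packet being silently discarded) is the first thing a RADIUS server does with a UDP payload. The following is an added Python illustration of that RFC 2865 rule, not code from FreeRADIUS or from anyone on this thread; the datagrams it builds are constructed samples, and the 0x7a Length value is taken from the posted dump while the attribute contents, the id 0x0d and the fixed authenticator are assumed for the example.

```python
import struct

# RFC 2865 section 3: a RADIUS packet is code(1) id(1) length(2) authenticator(16)
# followed by attributes; Length covers the whole packet and must be 20..4096.
HEADER_LEN = 20
MIN_LEN = 20
MAX_LEN = 4096


def check_radius_length(datagram: bytes):
    """Apply the RFC 2865 length rules to a received UDP payload.

    Returns (ok, reason). A server silently discards anything that fails
    here instead of trying to interpret it.
    """
    if len(datagram) < HEADER_LEN:
        return False, "datagram shorter than the 20-byte RADIUS header"
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < MIN_LEN or length > MAX_LEN:
        return False, "Length field %d outside 20..4096" % length
    if length > len(datagram):
        # The SNOM case: the header claims 0x7a bytes but the datagram is shorter.
        return False, "Length field %d exceeds datagram size %d" % (length, len(datagram))
    # Bytes beyond Length are padding and are ignored, not an error.
    return True, "code=%d id=%d length=%d" % (code, ident, length)


def parse_attributes(datagram: bytes):
    """Return [(type, value_bytes), ...]; raises ValueError on any length violation."""
    ok, reason = check_radius_length(datagram)
    if not ok:
        raise ValueError(reason)
    length = struct.unpack("!H", datagram[2:4])[0]
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = datagram[pos], datagram[pos + 1]
        # Attribute Length includes its own 2-byte header and must fit inside Length.
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, bytes(datagram[pos + 2:pos + alen])))
        pos += alen
    return attrs


def build_access_request(ident: int, attrs, claimed_length=None) -> bytes:
    """Build a constructed Access-Request (code 1).

    claimed_length lets a test forge a wrong Length field, as the broken client did.
    """
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    real_length = HEADER_LEN + len(body)
    length = real_length if claimed_length is None else claimed_length
    authenticator = bytes(range(16))  # constructed placeholder, not a real random authenticator
    return struct.pack("!BBH", 1, ident, length) + authenticator + body


# Constructed sample attributes: User-Name (type 1) and NAS-IP-Address (type 4).
SAMPLE_ATTRS = [(1, b"user01"), (4, bytes([10, 0, 0, 57]))]
GOOD_DATAGRAM = build_access_request(0x0d, SAMPLE_ATTRS)
# Same content, but Length claims 0x7a (122) bytes as in the posted dump.
BROKEN_DATAGRAM = build_access_request(0x0d, SAMPLE_ATTRS, claimed_length=0x7a)

if __name__ == "__main__":
    for name, dg in (("good", GOOD_DATAGRAM), ("broken", BROKEN_DATAGRAM)):
        ok, reason = check_radius_length(dg)
        print("%s: %s (%s)" % (name, "accept" if ok else "discard", reason))
```

The attribute walk is bounded by the validated Length field rather than by the datagram size, so a packet that passes the header check still cannot make the parser read past its declared end.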
Re: proxy help question
On Fri, 24 Oct 2003, CW wrote:
Is it possible to have ONE radius server query TWO databases in the same server for requests for different realms? For example if I had two realms dialup.someisp.net adsl.someisp.net and both realms came into the same radius server, and I had two mysql databases with two different customer bases for two different services (dialup and adsl). Is it possible for me to instruct the radius server to query different databases for different domains? Cheers, Craig

Sure thing, just check out doc/Autz-Type

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
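The dispatch Kostas points at works in two stages: a realm module splits User-Name into a stripped user name and a realm (the suffix, realmslash and realmpercent instances further down this digest, and the general_realm_format / general_strip_realms settings in dialup_admin's admin.conf, are the same idea), and the realm then selects which backend answers. Here is an added Python illustration of that logic; it is not FreeRADIUS code and does not replace doc/Autz-Type. The backend names sql_dialup and sql_adsl and the splitting rule (last delimiter for suffix realms, first for prefix realms) are assumptions of the example.

```python
# Constructed mapping realm -> backend instance name (assumed names, not from the thread).
REALM_BACKENDS = {
    "dialup.someisp.net": "sql_dialup",
    "adsl.someisp.net": "sql_adsl",
}


def split_realm(username: str, fmt: str = "suffix", delimiter: str = "@"):
    """Split a NAS-supplied User-Name into (stripped_user, realm).

    fmt="suffix" splits at the last delimiter (user@realm);
    fmt="prefix" splits at the first (realm/user).
    realm is None when no delimiter is present.
    """
    if fmt not in ("suffix", "prefix"):
        raise ValueError("fmt must be 'suffix' or 'prefix'")
    if delimiter not in username:
        return username, None
    if fmt == "suffix":
        user, _, realm = username.rpartition(delimiter)
    else:
        realm, _, user = username.partition(delimiter)
    return user, realm or None


def select_backend(username: str, realm_map=REALM_BACKENDS, fmt: str = "suffix", delimiter: str = "@"):
    """Return (stripped_user, realm, backend).

    backend is None for a missing or unknown realm so the caller rejects the
    request instead of silently querying a default customer database.
    """
    user, realm = split_realm(username, fmt, delimiter)
    backend = realm_map.get(realm) if realm is not None else None
    return user, realm, backend


if __name__ == "__main__":
    for name in ("craig@dialup.someisp.net", "craig@adsl.someisp.net", "craig@other.example", "craig"):
        print(name, "->", select_backend(name))
```

The fail-closed default matters in exactly Craig's setup: a request whose realm maps to neither customer base should be rejected, not looked up in whichever database happens to be listed first.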
Re: logging problems after logrotate
Well there are a couple of things.

1. After logrotate completes you need to restart radiusd so it will use the new log file.
2. If you search the freeradius list archives there are several instructions to make radius log to a different file every day/week/month etc. You just modify this line to make that happen:

detailfile = ${radacctdir}/%{Client-IP-Address}/detail

Nick
--
Nick Davis
Associate Systems Administrator
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com
(612)676-1946
Web Development-Web Marketing-ISP Services

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
opie
Hello all, we want to set up a freeradius server to authenticate remote users with the opie 2.4 system. Please send me an example to set this up on a linux redhat 9 system. Christoph
Re: logging problems after logrotate
Nick Davis wrote:
Well there are a couple of things. 1. After logrotate completes you need to restart radiusd so it will use the new log file.

Yes that's right, but freeradius doesn't create a new log file.

regards, Adam

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: logging problems after logrotate
You prolly have a permissions issue on your logging directory. Did you have to manually create the log file to get it to log the first time?

- Brian J.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Jendrosek
Sent: Friday, October 24, 2003 8:28 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: logging problems after logrotate

Nick Davis wrote:
Well there are a couple of things. 1. After logrotate completes you need to restart radiusd so it will use the new log file.

Yes that's right, but freeradius doesn't create a new log file.

regards, Adam

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Configuration for TTLS
What settings do we have to add to the configuration file for TTLS?

If you want to reset the configuration to the distribution default, make sure you remove the /prefix/etc/raddb/radiusd.conf file before running make install. Otherwise, the install script will detect that you already have a configuration file and not overwrite it with a new one.

--
--Mike
Michael Griego
Wireless Network Administrator
University of Texas at Dallas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: logging problems after logrotate
Brian Johnson wrote:
You prolly have a permissions issue on your logging directory.

Yes.

Did you have to manually create the log file to get it to log the first time?

Before I used logrotate the detail file was still logging fine.

regards, Adam

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with huntgroups
Hi Alan, I solved my problem: I don't know why, but when I build an RPM, radius doesn't start (due to the error with huntgroups), but when I install from the tgz (with compilation and installation) all works fine!

Thanks, bye
Marian

Alan DeKok wrote:
Marian Rychtecky [EMAIL PROTECTED] wrote:
I have some problem starting FRS (free-radius-server)

FRS? Why are you inventing new acronyms that no one else uses?

rlm_preprocess: Error reading /etc/raddb/huntgroups
radiusd.conf[877]: preprocess: Module instantiation failed.
Rights of /etc/raddb/huntgroups:
-rw-r--r-- 1 root root 1863 Oct 18 22:08 huntgroups
Nothing was changed (the content of huntgroups after installation is a "#" comment with no configuration), still running "raddb -xx"!

Are you *sure*? I strongly doubt that. The huntgroup file which ships with the server works with the server. If it doesn't work for you, then you've modified it.

On the Internet I found (as content of huntgroups): "DEFAULT NAS-IP-Address = 11.10.10.11, Rewrite-Function = "max_fixup" NULL" ... but this does not work either (same error).

That's a file from GNU Radiusd, which isn't compatible with FreeRADIUS.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Marian Rychteck
[EMAIL PROTECTED]
+420 603 373 396
Na Pin 281
405 05 Dn, Czech Republic
http://www.mari.cz
Orinoco AP2000
Hi! I'm trying to authorize MAC addresses on an access point AP2000 (Orinoco). All works fine, but when I restart my access point, all users are not authorised until the client is restarted. I think this bug is in the firmware of the AP. Has somebody the same problem?

Thanks, Marian

--
Marian Rychteck
[EMAIL PROTECTED]
+420 603 373 396
Na Pin 281
405 05 Dn, Czech Republic
http://www.mari.cz
LDAP, LEAP and sha-encrypted passwords
Hi All,

I am trying to set up freeradius in such a way that a client pc can authenticate with LEAP via a CISCO aironet AP 1200 using an account in LDAP. I am so far that my freeradius adds my password (the header {SHA} is removed successfully) to the check items, but when doing the get values, it inserts only { as password. Due to this, I get an incorrect NtChallengeResponse from AP. I have been reading all the related topics in the mail archive but I cannot find the solution.

I would like to know:
1) is it possible to use ldap sha-encrypted passwords for leap authentication?
2) if this is possible, how can I make rlm_ldap get the correct password when doing the get values?

***DEBUG INFO***
ldap_get_values
rlm_ldap: Added password eIBF4griEW456Ds+hv4x5CaI= in check items
rlm_ldap: looking for check items in directory...
ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values
rlm_ldap: Adding userPassword as userPassword, value { op=21
ldap_get_values
rlm_ldap: looking for reply items in directory...
ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values
rlm_ldap: user username authorized to use remote access
ldap_msgfree
ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 5
rlm_eap: EAP packet type notification id 6 length 40
rlm_eap: EAP Start not found
modcall[authorize]: module eap returns updated for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 5
rlm_eap: EAP packet type notification id 6 length 40
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - leap
rlm_eap: processing type leap
rlm_eap_leap: Stage 4
rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP
modcall[authenticate]: module eap returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Login incorrect: [username/no User-Password attribute] (from client accesspoint port 37 cli 000e6824e6c3)
***DEBUG INFO***

Thanks in advance

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
experimental
Is there a list on the website for each build that specifies which features/modules are Experimental and need to be configured with --with-experimental-modules ? Thanks, Ron. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: opie
Christoph Hubmann [EMAIL PROTECTED] wrote:
we want to setup a freeradius server to authenticate remote users with the opie 2.4 system.

That's nice.

please send me example to setup on a linux redhat 9 system.

Why?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PAP authentication with LDAP
Lai Fu Keung [EMAIL PROTECTED] wrote: We are heading to have Single Sign On for all services. Having a plain text password on a machine is considered insecure and loss of privacy. Nonsense. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ldap inside ttls
Is it possible to have ldap authentication within ttls? rick... Rom.5:8 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP, LEAP and sha-encrypted passwords
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote: I have been reading all the related topics in the mail archive but I cannot find the solution. I would like to know: 1) is it possible to use ldap sha-encrypted passwords for leap authentication? Read 'radiusd.conf', and the configuration section for the 'leap' module. It has comments which directly address your question. What part of those comments are unclear? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: ldap inside ttls
Yes it is.

Ron.

-----Original Message-----
From: Rick Whitley [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 8:32 AM
To:
Subject: ldap inside ttls

Is it possible to have ldap authentication within ttls?

rick...
Rom.5:8

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: LDAP, LEAP and sha-encrypted passwords
Johan,

LEAP does not work with SHA passwords. It requires either clear-text or NT-style (MD4) passwords.

From the default radiusd.conf:

# Cisco LEAP
#
# Cisco LEAP uses the MS-CHAP algorithm (but not
# the MS-CHAP attributes) to perform it's authentication.
#
# As a result, LEAP *requires* access to the plain-text
# User-Password, or the NT-Password attributes.
# 'System' authentication is impossible with LEAP.
#

Hope this helps.

Bryan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 7:19 AM
To: [EMAIL PROTECTED]
Subject: LDAP, LEAP and sha-encrypted passwords

Hi All,

I am trying to set up freeradius in such a way that a client pc can authenticate with LEAP via a CISCO aironet AP 1200 using an account in LDAP. I am so far that my freeradius adds my password (the header {SHA} is removed successfully) to the check items, but when doing the get values, it inserts only { as password. Due to this, I get an incorrect NtChallengeResponse from AP. I have been reading all the related topics in the mail archive but I cannot find the solution.

I would like to know:
1) is it possible to use ldap sha-encrypted passwords for leap authentication?
2) if this is possible, how can I make rlm_ldap get the correct password when doing the get values?

***DEBUG INFO***
ldap_get_values
rlm_ldap: Added password eIBF4griEW456Ds+hv4x5CaI= in check items
rlm_ldap: looking for check items in directory...
ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values ldap_get_values
rlm_ldap: Adding userPassword as userPassword, value { op=21
ldap_get_values
rlm_ldap: looking for reply items in directory...
Issue regarding radius logs dialup admin
Greetings,

I have just replaced my old radius server with FreeRadius dialup admin. The authorization works perfectly and everyone can log in, however I can't see any statistics about the persons that are logged in. The Statistics page of the dialup admin returns the correct number of sessions but no information regarding the total usage time and the downloads. The Failed logins page is working as it should. The accounting page only returns information about failed logins while the page for each user does not return any statistics apart from the failed connection attempts. (For example it returns that the user has never logged in even though he is currently online.) Same for User Statistics, which returns nothing.

The radius.conf contains the following:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radius
group = radius
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = yes
$INCLUDE ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        encryption_scheme = clear
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }
    eap {
        default_eap_type = md5
        timer_expire = 60
        md5 {
        }
        leap {
        }
    }
    mschap {
        authtype = MS-CHAP
    }
    ldap {
        server = ldap.your.domain
        basedn = o=My Org,c=UA
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        access_attr = dialupAccess
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    realm realmslash {
        format = prefix
        delimiter = /
    }
    realm suffix {
        format = suffix
        delimiter = @
    }
    realm realmpercent {
        format = suffix
        delimiter = %
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-Y%m%d
        detailperm = 0600
    }
    detail reply_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
    }
    $INCLUDE ${confdir}/sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = yes
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = no
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key
PEAP TLS ... FreeRadius not starting
2003 : Debug: security: status_server = no
Fri Oct 24 16:41:45 2003 : Debug: main: debug_level = 0
Fri Oct 24 16:41:45 2003 : Debug: read_config_files: reading dictionary
Fri Oct 24 16:41:45 2003 : Debug: read_config_files: reading naslist
Fri Oct 24 16:41:45 2003 : Info: Using deprecated naslist file. Support for this will go away soon.
Fri Oct 24 16:41:45 2003 : Debug: read_config_files: reading clients
Fri Oct 24 16:41:45 2003 : Info: Using deprecated clients file. Support for this will go away soon.
Fri Oct 24 16:41:45 2003 : Debug: read_config_files: reading realms
Fri Oct 24 16:41:45 2003 : Info: Using deprecated realms file. Support for this will go away soon.
Fri Oct 24 16:41:45 2003 : Debug: radiusd: entering modules setup
Fri Oct 24 16:41:45 2003 : Debug: Module: Library search path is /usr/local/freeradius_cvs/lib
Fri Oct 24 16:41:45 2003 : Debug: Module: Loaded expr
Fri Oct 24 16:41:45 2003 : Debug: Module: Instantiated expr (expr)
Fri Oct 24 16:41:45 2003 : Debug: Module: Loaded PAP
Fri Oct 24 16:41:45 2003 : Debug: pap: encryption_scheme = crypt
Fri Oct 24 16:41:45 2003 : Debug: Module: Instantiated pap (pap)
Fri Oct 24 16:41:45 2003 : Debug: Module: Loaded CHAP
Fri Oct 24 16:41:45 2003 : Debug: Module: Instantiated chap (chap)
Fri Oct 24 16:41:45 2003 : Debug: Module: Loaded MS-CHAP
Fri Oct 24 16:41:45 2003 : Debug: mschap: use_mppe = yes
Fri Oct 24 16:41:45 2003 : Debug: mschap: require_encryption = no
Fri Oct 24 16:41:45 2003 : Debug: mschap: require_strong = no
Fri Oct 24 16:41:45 2003 : Debug: mschap: passwd = (null)
Fri Oct 24 16:41:45 2003 : Debug: mschap: authtype = MS-CHAP
Fri Oct 24 16:41:45 2003 : Debug: Module: Instantiated mschap (mschap)
Fri Oct 24 16:41:45 2003 : Debug: Module: Loaded System
Fri Oct 24 16:41:45 2003 : Debug: unix: cache = no
Fri Oct 24 16:41:45 2003 : Debug: unix: passwd = (null)
Fri Oct 24 16:41:45 2003 : Debug: unix: shadow = (null)
Fri Oct 24 16:41:45 2003 : Debug: unix: group = (null)
Fri Oct 24 16:41:45 2003 : Debug: unix: radwtmp = /usr/local/freeradius_cvs/var/log/radius/radwtmp
Fri Oct 24 16:41:45 2003 : Debug: unix: usegroup = no
Fri Oct 24 16:41:45 2003 : Debug: unix: cache_reload = 600
Fri Oct 24 16:41:45 2003 : Debug: Module: Instantiated unix (unix)
Fri Oct 24 16:41:45 2003 : Debug: Module: Loaded eap
Fri Oct 24 16:41:45 2003 : Debug: eap: default_eap_type = ttls
Fri Oct 24 16:41:45 2003 : Debug: eap: timer_expire = 60
Fri Oct 24 16:41:45 2003 : Debug: eap: ignore_unknown_eap_types = no
Fri Oct 24 16:41:45 2003 : Debug: tls: rsa_key_exchange = no
Fri Oct 24 16:41:45 2003 : Debug: tls: dh_key_exchange = yes
Fri Oct 24 16:41:45 2003 : Debug: tls: rsa_key_length = 512
Fri Oct 24 16:41:45 2003 : Debug: tls: dh_key_length = 512
Fri Oct 24 16:41:45 2003 : Debug: tls: verify_depth = 0
Fri Oct 24 16:41:45 2003 : Debug: tls: CA_path = (null)
Fri Oct 24 16:41:45 2003 : Debug: tls: pem_file_type = yes
Fri Oct 24 16:41:45 2003 : Debug: tls: private_key_file = /root/freeradius_cvs/client.key
Fri Oct 24 16:41:45 2003 : Debug: tls: certificate_file = /root/freeradius_cvs/client.crt
Fri Oct 24 16:41:45 2003 : Debug: tls: CA_file = /root/freeradius_cvs/Radius.crt
Fri Oct 24 16:41:45 2003 : Debug: tls: private_key_password = test
Fri Oct 24 16:41:45 2003 : Debug: tls: dh_file = /root/shit
Fri Oct 24 16:41:45 2003 : Debug: tls: random_file = /dev/random
Fri Oct 24 16:41:45 2003 : Debug: tls: fragment_size = 1024
Fri Oct 24 16:41:45 2003 : Debug: tls: include_length = yes
Fri Oct 24 16:41:45 2003 : Debug: tls: check_crl = no

FreeRadius doesn't come up. It stops right there. No port allocated. No message like "Ready to serve". I'm using the CVS snapshot freeradius-snapshot-20031024.tar.gz. I suppose it has something to do with the TLS module. Does anybody know what I'm doing wrong?

Thanks, Martin

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP TLS ... FreeRadius not starting
[EMAIL PROTECTED] wrote:
I am trying to set up FreeRadius with PEAP. However FreeRadius is not starting. I already configured LEAP some time ago and it worked fine. I cannot find where I made a failure:

It looks like you've drastically hacked your radiusd.conf file:

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    #md5 {
    #}

Ok, so you don't want EAP-MD5.

    ttls {
        default_eap_type = md5

Oh, you *do* want EAP-MD5.

    mschapv2 {
    }
    mschap {
        authtype = MS-CHAP
    }

Uh... one is an EAP sub-type, and the other is a module on its own.

Stop playing games with such drastic edits to 'radiusd.conf'. You don't understand what you're doing, and you're breaking it.

Start off with the 'radiusd.conf' shipped with the server. It works. Edit it slowly and a small piece at a time, running 'radiusd' each time to ensure you haven't broken anything.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Peap Testing problem
With the 10/24 snapshot TTLS and PEAP are not working. I can't even get as far in the eap protocol as I did with the 10/22 snapshot.

Ron.

rad_recv: Access-Request packet from host 10.0.0.57:1119, id=81, length=180
        User-Name = [EMAIL PROTECTED]
        Cisco-AVPair = ssid=mariner
        NAS-IP-Address = 10.0.0.57
        Called-Station-Id = 00409652e844
        Calling-Station-Id = 00022d602022
        NAS-Identifier = mariner
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x0207001c01616e6f6e796d6f757340524f56494e475f504c414e4554
        Message-Authenticator = 0x1f6a20e0280cae97dec90a58e02626ff
Fri Oct 24 07:37:00 2003 : Debug: modcall: entering group authorize for request 2
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 2
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 2
Fri Oct 24 07:37:00 2003 : Debug: modcall[authorize]: module preprocess returns ok for request 2
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 2
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 2
Fri Oct 24 07:37:00 2003 : Debug: modcall[authorize]: module chap returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 2
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 2
Fri Oct 24 07:37:00 2003 : Debug: modcall[authorize]: module mschap returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: Looking up realm ROVING_PLANET for User-Name = [EMAIL PROTECTED]
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No such realm ROVING_PLANET
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug: modcall[authorize]: module suffix returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: calling realmslash (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No '/' in User-Name = [EMAIL PROTECTED], looking up realm NULL
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No such realm NULL
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: returned from realmslash (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug: modcall[authorize]: module realmslash returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: calling backslash (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No '\' in User-Name = [EMAIL PROTECTED], looking up realm NULL
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No such realm NULL
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: returned from backslash (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug: modcall[authorize]: module backslash returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: calling realmpercent (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No '%' in User-Name = [EMAIL PROTECTED], looking up realm NULL
Fri Oct 24 07:37:00 2003 : Debug: rlm_realm: No such realm NULL
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: returned from realmpercent (rlm_realm) for request 2
Fri Oct 24 07:37:00 2003 : Debug: modcall[authorize]: module realmpercent returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: calling files (rlm_files) for request 2
Fri Oct 24 07:37:00 2003 : Debug: users: Matched DEFAULT at 10
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 2
Fri Oct 24 07:37:00 2003 : Debug: modcall[authorize]: module files returns ok for request 2
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 2
Fri Oct 24 07:37:00 2003 : Debug: rlm_eap: EAP packet type response id 7 length 28
Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 2
Fri Oct 24 07:37:00 2003 : Debug: modcall[authorize]: module eap returns noop for request 2
Fri Oct 24 07:37:00 2003 : Debug: modcall: group authorize returns ok for request 2
Fri Oct 24 07:37:00 2003 : Debug: Finished request 2
Fri Oct 24 07:37:00 2003 : Debug: Going to the next request
Fri Oct 24 07:37:00 2003 : Debug: --- Walking the entire request list ---
Fri Oct 24 07:37:00 2003 : Debug: Waking up in 6 seconds...
Fri Oct 24 07:37:06 2003 : Debug: --- Walking the entire request list ---
Fri Oct 24 07:37:06 2003 : Debug: Cleaning up request 2 ID 81 with timestamp 3f992afc
Fri Oct 24 07:37:06 2003 : Debug: Nothing to do. Sleeping until we see a request.
Re: Peap Testing problem
Ron Wahler [EMAIL PROTECTED] wrote:
> With the 10/24 snapshot TTLS and PEAP are not working. I can't even get as far in the EAP protocol as I did with the 10/22 snapshot.
...
> Fri Oct 24 07:37:00 2003 : Debug: rlm_eap: EAP packet type response id 7 length 28
> Fri Oct 24 07:37:00 2003 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 2
> Fri Oct 24 07:37:00 2003 : Debug: modcall[authorize]: module eap returns noop for request 2

It looks to me like the request was somehow marked to be proxied, so the EAP module is ignoring it.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP TLS ... FreeRadius not starting
I didn't change so much at all I think... However, I changed back to the radiusd.conf from the installation. I changed the following lines:

# diff radiusd.conf.orig radiusd.conf 615c615 default_eap_type = md5 --- default_eap_type = ttls 660c660,665 #tls { --- tls { private_key_password = test private_key_file = /root/freeradius_cvs/client.key 668a674,675 certificate_file = /root/freeradius_cvs/client.crt 671c678,680 # CA_file = /path/filename --- #CA_file = /path/filename CA_file = /root/freeradius_cvs/Radius.crt 674a684,685 random_file = /dev/random 707c718 #} --- } 715c726 #ttls { --- ttls { 754c765 #} --- }

Still the same result (see below). Could it be that there is something wrong with my certificates? I used standard OpenSSL certs. Where can I find more information on what exactly FreeRADIUS wants for private_key_file, certificate_file, CA_file, dh_file (especially CA_file)?

Any help appreciated.

Martin

Fri Oct 24 17:50:37 2003 : Info: Starting - reading configuration files ...
Fri Oct 24 17:50:37 2003 : Debug: reread_config: reading radiusd.conf
Fri Oct 24 17:50:37 2003 : Debug: Config: including file: /usr/local/freeradius_cvs/etc/raddb/proxy.conf
Fri Oct 24 17:50:37 2003 : Debug: Config: including file: /usr/local/freeradius_cvs/etc/raddb/clients.conf
Fri Oct 24 17:50:37 2003 : Debug: Config: including file: /usr/local/freeradius_cvs/etc/raddb/snmp.conf
Fri Oct 24 17:50:37 2003 : Debug: Config: including file: /usr/local/freeradius_cvs/etc/raddb/sql.conf
Fri Oct 24 17:50:37 2003 : Debug: main: prefix = /usr/local/freeradius_cvs
Fri Oct 24 17:50:37 2003 : Debug: main: localstatedir = /usr/local/freeradius_cvs/var
Fri Oct 24 17:50:37 2003 : Debug: main: logdir = /usr/local/freeradius_cvs/var/log/radius
Fri Oct 24 17:50:37 2003 : Debug: main: libdir = /usr/local/freeradius_cvs/lib
Fri Oct 24 17:50:37 2003 : Debug: main: radacctdir = /usr/local/freeradius_cvs/var/log/radius/radacct
Fri Oct 24 17:50:37 2003 : Debug: main: hostname_lookups = no
Fri Oct 24 17:50:37 2003 : Debug: main: max_request_time = 30
Fri Oct 24 17:50:37 2003 : Debug: main: cleanup_delay = 5
Fri Oct 24 17:50:37 2003 : Debug: main: max_requests = 1024
Fri Oct 24 17:50:37 2003 : Debug: main: delete_blocked_requests = 0
Fri Oct 24 17:50:37 2003 : Debug: main: port = 0
Fri Oct 24 17:50:37 2003 : Debug: main: allow_core_dumps = no
Fri Oct 24 17:50:37 2003 : Debug: main: log_stripped_names = no
Fri Oct 24 17:50:37 2003 : Debug: main: log_file = /usr/local/freeradius_cvs/var/log/radius/radius.log
Fri Oct 24 17:50:37 2003 : Debug: main: log_auth = no
Fri Oct 24 17:50:37 2003 : Debug: main: log_auth_badpass = no
Fri Oct 24 17:50:37 2003 : Debug: main: log_auth_goodpass = no
Fri Oct 24 17:50:37 2003 : Debug: main: pidfile = /usr/local/freeradius_cvs/var/run/radiusd/radiusd.pid
Fri Oct 24 17:50:37 2003 : Debug: main: user = (null)
Fri Oct 24 17:50:37 2003 : Debug: main: group = (null)
Fri Oct 24 17:50:37 2003 : Debug: main: usercollide = no
Fri Oct 24 17:50:37 2003 : Debug: main: lower_user = no
Fri Oct 24 17:50:37 2003 : Debug: main: lower_pass = no
Fri Oct 24 17:50:37 2003 : Debug: main: nospace_user = no
Fri Oct 24 17:50:37 2003 : Debug: main: nospace_pass = no
Fri Oct 24 17:50:37 2003 : Debug: main: checkrad = /usr/local/freeradius_cvs/sbin/checkrad
Fri Oct 24 17:50:37 2003 : Debug: main: proxy_requests = yes
Fri Oct 24 17:50:37 2003 : Debug: proxy: retry_delay = 5
Fri Oct 24 17:50:37 2003 : Debug: proxy: retry_count = 3
Fri Oct 24 17:50:37 2003 : Debug: proxy: synchronous = no
Fri Oct 24 17:50:37 2003 : Debug: proxy: default_fallback = yes
Fri Oct 24 17:50:37 2003 : Debug: proxy: dead_time = 120
Fri Oct 24 17:50:37 2003 : Debug: proxy: post_proxy_authorize = yes
Fri Oct 24 17:50:37 2003 : Debug: proxy: wake_all_if_all_dead = no
Fri Oct 24 17:50:37 2003 : Debug: security: max_attributes = 200
Fri Oct 24 17:50:37 2003 : Debug: security: reject_delay = 1
Fri Oct 24 17:50:37 2003 : Debug: security: status_server = no
Fri Oct 24 17:50:37 2003 : Debug: main: debug_level = 0
Fri Oct 24 17:50:37 2003 : Debug: read_config_files: reading dictionary
Fri Oct 24 17:50:37 2003 : Debug: read_config_files: reading naslist
Fri Oct 24 17:50:37 2003 : Info: Using deprecated naslist file. Support for this will go away soon.
Fri Oct 24 17:50:37 2003 : Debug: read_config_files: reading clients
Fri Oct 24 17:50:37 2003 : Info: Using deprecated clients file. Support for this will go away soon.
Fri Oct 24 17:50:37 2003 : Debug: read_config_files: reading realms
Fri Oct 24 17:50:37 2003 : Info: Using deprecated realms file. Support for this will go away soon.
Fri Oct 24 17:50:37 2003 :
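Review bot: in the tls block of the diff, private_key_file and certificate_file are set to /root/freeradius_cvs/client.key and /root/freeradius_cvs/client.crt while CA_file is /root/freeradius_cvs/Radius.crt; the TLS side of EAP-TLS/TTLS/PEAP needs the server's own certificate and key in those two slots, with CA_file naming the CA certificate used to verify peer certificates, so the file names suggest a client pair was configured where the server pair belongs and should be checked before suspecting the certificates themselves (scripts/CA.all generates a consistent CA/server/client set). Two smaller points from the same hunk: random_file = /dev/random can block radiusd on a machine with little entropy, so /dev/urandom is the usual choice, and since private_key_password = test is stored in clear, radiusd.conf must not be readable by other users.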
RE: Peap Testing problem
Ok, I had a bad config, I fixed that. So here is the debug for PEAP. Still failing on

Fri Oct 24 08:33:52 2003 : Debug: rlm_eap_peap: Tunneled data is valid.
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap: Handler failed in EAP type 25
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap: Failed in EAP select

Ron.

The debug output (-Xxxx):

Fri Oct 24 08:33:52 2003 : Debug: auth: type EAP
Fri Oct 24 08:33:52 2003 : Debug: modcall: entering group authenticate for request 18
Fri Oct 24 08:33:52 2003 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 18
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap: Request found, released from the list
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap: EAP_TYPE - peap
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap: processing type peap
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap_peap: Authenticate
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap_tls: processing TLS
Fri Oct 24 08:33:52 2003 : Debug: eaptls_verify returned 7
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap_tls: Done initial handshake
Fri Oct 24 08:33:52 2003 : Debug: eaptls_process returned 7
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap_peap: EAPTLS_OK
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
PEAP tunnel data in : 02 19 00 0b 21 80 03 00 02 00 02
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap_peap: Received EAP-TLV response.
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap_peap: Tunneled data is valid.
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap: Handler failed in EAP type 25
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap: Failed in EAP select
Fri Oct 24 08:33:52 2003 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 18
Fri Oct 24 08:33:52 2003 : Debug: modcall[authenticate]: module eap returns invalid for request 18
Fri Oct 24 08:33:52 2003 : Debug: modcall: group authenticate returns invalid for request 18
Fri Oct 24 08:33:52 2003 : Debug: auth: Failed to validate the user.
Fri Oct 24 08:33:52 2003 : Debug: Delaying request 18 for 1 seconds
Fri Oct 24 08:33:52 2003 : Debug: Finished request 18
Fri Oct 24 08:33:52 2003 : Debug: Going to the next request
Fri Oct 24 08:33:52 2003 : Debug: Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.0.0.57:1146, id=107, length=202
Sending Access-Reject of id 107 to 10.0.0.57:1146
        EAP-Message = 0x04190004
        Message-Authenticator = 0x
Fri Oct 24 08:33:57 2003 : Debug: --- Walking the entire request list ---
Fri Oct 24 08:33:57 2003 : Debug: Cleaning up request 10 ID 99 with timestamp 3f9938
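The "PEAP tunnel data in" bytes and the EAP-Message in the Access-Reject above can be decoded by hand. The decoder below is an added example, not Ron's code and not FreeRADIUS source: it parses the RFC 3748 EAP header and the PEAPv0 TLV format (Result TLV type 3, status 1 = Success, 2 = Failure) over the byte strings printed in this thread's debug output, and also decodes the Identity response from the first debug (EAP-Message = 0x0207001c01...), whose identity is readable in the hex even though the User-Name line was redacted.

```python
"""Decode the EAP packets printed in the PEAP debug output on this page.

Added example, not FreeRADIUS code. Header layout follows RFC 3748; the TLV
layout (EAP type 33, Result TLV type 3) follows the PEAPv0 draft.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2", 33: "TLV"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLV = 33
TLV_RESULT = 3
RESULT_STATUS = {1: "Success", 2: "Failure"}

# Byte strings taken from the debug output in this thread.
PEAP_TUNNEL_DATA = "02 19 00 0b 21 80 03 00 02 00 02"    # "PEAP tunnel data in"
OUTER_EAP_MESSAGE = "0x04190004"                          # EAP-Message in the Access-Reject
IDENTITY_RESPONSE = "0x0207001c01616e6f6e796d6f757340524f56494e475f504c414e4554"


def to_bytes(hexdump: str) -> bytes:
    """Accept the log's spaced hex or a RADIUS 0x... attribute dump."""
    h = hexdump.strip()
    if h.startswith("0x"):
        h = h[2:]
    return bytes.fromhex(h.replace(" ", ""))


def parse_eap(data: bytes) -> dict:
    """Parse an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        # Never trust the length field over the bytes actually present.
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    pkt = {"code": code, "code_name": EAP_CODES.get(code, "Unknown"), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        pkt["type"] = data[4]
        pkt["type_name"] = EAP_TYPES.get(data[4], "Unknown")
        pkt["type_data"] = data[5:]
        if data[4] == EAP_TYPE_IDENTITY:
            pkt["identity"] = data[5:].decode("ascii", "replace")
    return pkt


def parse_tlvs(payload: bytes) -> list:
    """Parse PEAPv0 TLVs: M(1 bit) R(1 bit) Type(14 bits) Length(2) Value(Length)."""
    tlvs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated TLV header")
        flags_type, tlv_len = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV value")
        tlv = {"mandatory": bool(flags_type & 0x8000), "type": flags_type & 0x3FFF, "value": value}
        if tlv["type"] == TLV_RESULT:
            if tlv_len != 2:
                raise ValueError("Result TLV must carry a 2-byte status")
            tlv["status"] = struct.unpack("!H", value)[0]
            tlv["status_name"] = RESULT_STATUS.get(tlv["status"], "Unknown")
        tlvs.append(tlv)
        off += 4 + tlv_len
    return tlvs


def decode(hexdump: str) -> dict:
    """Full decode: EAP header, then TLVs when the type is EAP-TLV."""
    pkt = parse_eap(to_bytes(hexdump))
    if pkt.get("type") == EAP_TYPE_TLV:
        pkt["tlvs"] = parse_tlvs(pkt["type_data"])
    return pkt


def summarize(hexdump: str) -> str:
    """One-line reading of a packet, in the order the fields appear on the wire."""
    pkt = decode(hexdump)
    s = f"EAP {pkt['code_name']} id={pkt['id']} len={pkt['length']}"
    if "type" in pkt:
        s += f" type={pkt['type']} ({pkt['type_name']})"
    if "identity" in pkt:
        s += f" identity={pkt['identity']}"
    for tlv in pkt.get("tlvs", []):
        s += f"; TLV type={tlv['type']}{' mandatory' if tlv['mandatory'] else ''}"
        if "status_name" in tlv:
            s += f" Result={tlv['status_name']}"
    return s


if __name__ == "__main__":
    for dump in (IDENTITY_RESPONSE, PEAP_TUNNEL_DATA, OUTER_EAP_MESSAGE):
        print(summarize(dump))
```

The inner packet is the client's mandatory Result TLV saying Failure, and the outer EAP-Failure reuses the same identifier (0x19); a TLV with the M bit set that the receiver does not understand must be rejected rather than skipped, which is why the decoder surfaces the bit.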
RE: Peap Testing problem
I am testing with Windows XP/PEAP, through a Cisco 350 AP to FreeRADIUS.

Ron.

-----Original Message-----
From: Ron Wahler
Sent: Friday, October 24, 2003 10:20 AM
To: [EMAIL PROTECTED]
Subject: RE: Peap Testing problem

Ok, I had a bad config, I fixed that. So here is the debug for PEAP. Still failing on

Fri Oct 24 08:33:52 2003 : Debug: rlm_eap_peap: Tunneled data is valid.
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap: Handler failed in EAP type 25
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap: Failed in EAP select

Ron.
RE: Peap Testing problem
Here's the line of code. Type 25 is PEAP, but no handler:

        if (eaptype_call(inst->types[eaptype->type], handler) == 0) {
                DEBUG2("rlm_eap: Handler failed in EAP type %d", eaptype->type);
                return EAP_INVALID;
        }

-----Original Message-----
From: Ron Wahler
Sent: Friday, October 24, 2003 10:23 AM
To: [EMAIL PROTECTED]
Subject: RE: Peap Testing problem

I am testing with Windows XP/PEAP, through a Cisco 350 AP to FreeRADIUS.

Ron.

-----Original Message-----
From: Ron Wahler
Sent: Friday, October 24, 2003 10:20 AM
To: [EMAIL PROTECTED]
Subject: RE: Peap Testing problem

Ok, I had a bad config, I fixed that. So here is the debug for PEAP. Still failing on

Fri Oct 24 08:33:52 2003 : Debug: rlm_eap_peap: Tunneled data is valid.
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap: Handler failed in EAP type 25
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap: Failed in EAP select

Ron.
Re: Peap Testing problem
Ron Wahler [EMAIL PROTECTED] wrote:
> Here's the line of code, type 25 is PEAP, but no handler

Yes... it's clear as to what line of the source prints the message. What's not clear is *why* the PEAP module is failing.

The debug output SHOULD contain information which lets you track down what went wrong, and why. If there isn't enough information, then adding more debugging statements would be a good place to start.

Alan DeKok.
relocation error running FreeRadius with TTLS
conns: 0x8104a60
Module: Instantiated ldap (ldap)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/cert/server.pvk
 tls: certificate_file = /usr/local/cert/server.cer
 tls: CA_file = /usr/local/cert/ca.cer
 tls: private_key_password = acsi
 tls: dh_file = /usr/local/cert/dh
 tls: random_file = /usr/local/cert/random
 tls: include_length = yes
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = md5
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
Module: Loaded preprocess
rlm_eap: Loaded and initialized type ttls
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
 preprocess: ascend_channels_per_line = 23
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Instantiated realm (suffix)
Module: Loaded files
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on 1647/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.100.12:4197, id=19, length=130
        NAS-IP-Address = 12.12.12.8
        NAS-Port-Type = Async
        User-Name = tilsaduser
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = 00-08-02-94-3b-e8
        EAP-Message = 0x021a0174696c736164757365724066726565726164697573
        Message-Authenticator = 0xee4a8219409c33104673d5b577f28ccd
        Message-Authenticator = 0xee4a8219409c33104673d5b577f28ccd
        Proxy-State = 0x434953434f3a31
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.100.12/auth-detail-20031024'
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.100.12/auth-detail-20031024'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.100.12/auth-detail-20031024
rad_check_password: Found Auth-Type EAP
modcall[authorize]: module auth_log returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
./radiusd: relocation error: /usr/local/lib/rlm_eap_tls-1.0.0-pre0.so: undefined symbol: SSL_set_msg_callback
rlm_eap: EAP packet type response id 0 length 26
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
rlm_realm: No '@' in User-Name = tilsaduser, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
modcall[authorize]: module files returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
rad_check_password:: command not found
auth: type EAP
auth:: command not found
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
./radiusd: relocation error: /usr/local/lib/rlm_eap_tls
Re: PEAP TLS ... FreeRadius not starting
[EMAIL PROTECTED] wrote:
> Could it be that there is something wrong with my certificates?

It's a possibility.

> I used standard OpenSSL certs. Where can I find more information on what exactly FreeRADIUS wants for private_key_file, certificate_file, CA_file, dh_file (especially CA_file)?

See 'scripts/CA.all', which creates test certificates.

Alan DeKok.
RE: Peap Testing problem
This is the line that is failing. The status is PEAP_STATUS_SENT_TLV_FAILURE. How does this get set? How can we check versions of PEAP?

Ron.

Peap.c:

        } else if (t->status == PEAP_STATUS_SENT_TLV_FAILURE) {
                DEBUG2("rlm_eap_peap: RML_MODULE_REJECT 2");
                return RLM_MODULE_REJECT;
        }

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 10:44 AM
To: [EMAIL PROTECTED]
Subject: Re: Peap Testing problem

Ron Wahler [EMAIL PROTECTED] wrote:
> Here's the line of code, type 25 is PEAP, but no handler

Yes... it's clear as to what line of the source prints the message. What's not clear is *why* the PEAP module is failing.

The debug output SHOULD contain information which lets you track down what went wrong, and why. If there isn't enough information, then adding more debugging statements would be a good place to start.

Alan DeKok.
Re: Orinoco AP2000
When the AP is restarted, the clients will have to reassociate. During the association phase is when a client MAC auth is performed. Since the clients have to do this anyway to regain access, there shouldn't be an issue there. I've never seen this sort of behavior with my AP-2Ks. New RADIUS requests are sent when the client reassociates. What client card/OS are you using and what AP firmware revision are you using?

--Mike

On Fri, 2003-10-24 at 09:16, Marian Rychtecký wrote:
> Hi!
>
> I'm trying to authorize MAC addresses on an Orinoco AP2000 access point. All works fine, but when I restart my access point, all users are not authorised until the client is restarted. I think that this bug is in the firmware of the AP. Does somebody have the same problem?
>
> Thanks, Marian
>
> --
> Marian Rychtecký
> [EMAIL PROTECTED]
> +420 603 373 396
> Na Pěšině 281
> 405 05 Děčín, Czech Republic
> http://www.mari.cz

--
--Mike
Michael Griego
Wireless Network Administrator
University of Texas at Dallas
Re: relocation error running FreeRadius with TTLS
Re: relocation error running FreeRadius with TTLS
> Which version of OpenSSL are you running against, and which version was the server compiled against?

SSL is 0.9.7c, FreeRADIUS is a CVS snapshot downloaded this morning.

Silvio
RE : RE: Better security
> I know that VPN (in my situation I use AES in ESP and IKE) is a perfect (about) solution. In my infrastructure VPN authenticates machines/computer/box (network card) and RADIUS authenticates users.

Is this a wireless environment? How are you using RADIUS? The user typically never sees RADIUS packets. They occur only between an AP or a NAS or a dialup server on one end and a RADIUS server on the other.

> Can I make an EAP/TLS connection above a VPN? That is, before I create an IPsec connection and after I made up an EAP/TLS?

I'm not sure if I get it, but if you are using EAP-TLS between your laptop and the AP, and then a VPN client from your laptop to another box (for VPN termination) somewhere behind the AP, it sounds like it would work.

> I don't think so because VPN works at layer 3 and EAP at layer 2... is exactly?

AFAIK when you do EAP-TLS first, you have set up Layer 2 and now you should be able to do anything (including VPN) at Layer 3.

> Java supports SSL (JSSE); is it hard/difficult to make a Java client with SSL that talks with a RADIUS server?

I have never used Java+SSL so I don't know. I assume you are planning to write an EAP-TLS client. If so, you can try using one of the existing clients (Windows/XSupplicant/alfa-ariss.com etc). If this is between the NAS and the server, it'll be some work to get SSL working, as RADIUS messages use UDP and SSL inherently assumes a connection-oriented reliable transport such as TCP, and your code will have to handle stuff like retransmits, out of order delivery etc. You might be better off using IPsec between your NAS and the RADIUS server.

So:
1. user - AP (EAP-TLS)
2. AP - RADIUS server (IPsec) [BTW which AP supports a builtin VPN client?]
3. user - VPN termination box (IPsec)

and you are all set. You don't need to write any SSL client.

Puneet
Re: Peap Testing problem
Ron Wahler [EMAIL PROTECTED] wrote:
> This is the line that is failing. The status is PEAP_STATUS_SENT_TLV_FAILURE. How does this get set?

It appears that the client is sending this to the server. It means that the client didn't like the server's EAP-MSCHAPv2 response.

> How can we check versions of PEAP?

It's buried in one of the bits of the TLS header, inside of the EAP-Message.

Alan DeKok.
Re: relocation error running FreeRadius with TTLS
[EMAIL PROTECTED] wrote:
> SSL is 0.9.7c, FreeRADIUS is a CVS snapshot downloaded this morning.

It appears that you have multiple versions of OpenSSL installed, and the server is compiled using one, but is using another when you run it.

Alan DeKok.
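Alan's diagnosis (built against one OpenSSL, loaded against another) can be confirmed from the dynamic loader's point of view: which libssl the module actually binds to, and whether that library exports the symbol named in the error. The script below is an added example, not FreeRADIUS code. The ldconfig/ldd/nm output it parses is constructed sample text modelled on a host with a distribution OpenSSL in /lib and a second build in /usr/local/ssl (paths and sonames are assumptions), and SSL_set_msg_callback is the symbol from the relocation error on this page.

```python
"""Check which libssl a dlopen()ed module binds to and whether it exports a symbol.

Added example (not FreeRADIUS code). The tool output below is constructed sample
text: a distribution OpenSSL in /lib plus a second build in /usr/local/ssl
(assumed paths), as in a "built against one, running against another" mix-up.
"""
from __future__ import annotations
import re
import shutil
import subprocess
import sys

# Symbol from the relocation error on this page. It was added in OpenSSL 0.9.7,
# so an older libssl cannot export it.
SYMBOL = "SSL_set_msg_callback"

# Constructed `ldconfig -p` excerpt: two OpenSSL installs are visible to the loader.
SAMPLE_LDCONFIG = """\
	libssl.so.0.9.7 (libc6) => /usr/local/ssl/lib/libssl.so.0.9.7
	libssl.so.2 (libc6) => /lib/libssl.so.2
	libcrypto.so.0.9.7 (libc6) => /usr/local/ssl/lib/libcrypto.so.0.9.7
	libcrypto.so.2 (libc6) => /lib/libcrypto.so.2
	libc.so.6 (libc6) => /lib/libc.so.6
"""

# Constructed `ldd rlm_eap_tls-1.0.0-pre0.so` excerpt: the module binds to the old one.
SAMPLE_LDD = """\
	libssl.so.2 => /lib/libssl.so.2 (0x40012000)
	libcrypto.so.2 => /lib/libcrypto.so.2 (0x40040000)
	libc.so.6 => /lib/libc.so.6 (0x40100000)
"""

# Constructed `nm -D /lib/libssl.so.2` excerpt: SSL_set_msg_callback is not exported.
SAMPLE_NM_OLD = """\
00023f10 T SSL_new
00024a20 T SSL_set_fd
         U memcpy
00025b30 T SSL_CTX_new
"""


def installed_openssl(ldconfig_text: str) -> dict[str, str]:
    """Map every libssl/libcrypto soname the loader knows about to its path."""
    found: dict[str, str] = {}
    for line in ldconfig_text.splitlines():
        m = re.match(r"\s*(lib(?:ssl|crypto)\.so[\w.]*)\s+\([^)]*\)\s+=>\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def resolved_libssl(ldd_text: str) -> tuple[str, str] | None:
    """Return (soname, path) of the libssl the loader picks for this object."""
    for line in ldd_text.splitlines():
        m = re.match(r"\s*(libssl\.so[\w.]*)\s+=>\s+(\S+)", line)
        if m:
            return m.group(1), m.group(2)
    return None


def exported_symbols(nm_text: str) -> set[str]:
    """Collect defined dynamic symbols from `nm -D` output; 'U' lines are references."""
    syms: set[str] = set()
    for line in nm_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in {"T", "W", "i", "D"}:
            syms.add(parts[2])
    return syms


def diagnose(ldconfig_text: str, ldd_text: str, nm_text: str, symbol: str = SYMBOL) -> dict:
    """Combine the three views into one verdict about the undefined symbol."""
    ssl_sonames = sorted(s for s in installed_openssl(ldconfig_text) if s.startswith("libssl"))
    resolved = resolved_libssl(ldd_text)
    has_symbol = symbol in exported_symbols(nm_text)
    verdict = {"libssl_installed": ssl_sonames, "resolved": resolved, "has_symbol": has_symbol}
    if resolved is None:
        verdict["conclusion"] = "module does not link libssl; the symbol must come from elsewhere"
    elif has_symbol:
        verdict["conclusion"] = f"{resolved[1]} exports {symbol}; the loader path is not the problem"
    elif len(ssl_sonames) > 1:
        verdict["conclusion"] = (f"{resolved[1]} lacks {symbol} while {len(ssl_sonames)} libssl versions "
                                 "are installed: built against one OpenSSL, loaded against another")
    else:
        verdict["conclusion"] = f"the only libssl, {resolved[1]}, lacks {symbol}; OpenSSL is too old"
    return verdict


def run_tool(*argv: str) -> str:
    """Run ldconfig/ldd/nm when present; return '' if the tool is missing."""
    if shutil.which(argv[0]) is None:
        return ""
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    if len(sys.argv) == 2:  # real check: give the path of the module named in the error
        ldd_out = run_tool("ldd", sys.argv[1])
        hit = resolved_libssl(ldd_out)
        nm_out = run_tool("nm", "-D", hit[1]) if hit else ""
        print(diagnose(run_tool("ldconfig", "-p"), ldd_out, nm_out)["conclusion"])
    else:
        print(diagnose(SAMPLE_LDCONFIG, SAMPLE_LDD, SAMPLE_NM_OLD)["conclusion"])
```

Run with a module path as the only argument to apply the same three checks to a real shared object instead of the constructed samples.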
encapsulation and log formats.
Hi,

I have looked into the archives, but did not locate information. Just wanted to know if FreeRADIUS supports:

a) Customized log formats for accounting. What other formats are supported?
b) In the REPLY (Access-Accept/Reject): an option to turn on/off encapsulation for AV pairs. I understand some clients require this.

Thanks,
RE: Peap Testing problem
Yea, that was it, a bad MSCHAPv2 password. It does work to a local user. Thanks!

There still is another problem with TTLS. It looks like the post-auth module, i.e. exec-program, is called twice: once with the correct user name, then again with the anonymous user name.

Ron.

Fri Oct 24 10:36:14 2003 : Debug: rlm_exec (rp_default_postauth): WARNING! Input pairs are empty. No attributes will be passed to the script
Fri Oct 24 10:36:14 2003 : Debug: radius_xlat: '/opt/freeradius/etc/raddb/authUser.sh [EMAIL PROTECTED] 00022d60203c NONE NONE'
Fri Oct 24 10:36:14 2003 : Debug: Exec-Program: /opt/freeradius/etc/raddb/authUser.sh [EMAIL PROTECTED] 00022d60203c NONE NONE
--10:36:14--  https://localhost/CSD/[EMAIL PROTECTED]mac=00022d60203crpgrp=
           => `[EMAIL PROTECTED]mac=00022d60203crpgrp='
Resolving localhost... done.
Connecting to localhost[127.0.0.1]:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 150 [text/html]
100%[] 150 146.48K/s ETA 00:00
10:36:14 (146.48 KB/s) - `[EMAIL PROTECTED]mac=00022d60203crpgrp=' saved [150/150]
Fri Oct 24 10:36:14 2003 : Debug: Exec-Program output:
Fri Oct 24 10:36:14 2003 : Debug: Exec-Program: returned: 0
Fri Oct 24 10:36:14 2003 : Debug: modsingle[post-auth]: returned from rp_default_postauth (rlm_exec) for request 30
Fri Oct 24 10:36:14 2003 : Debug: modcall[post-auth]: module rp_default_postauth returns ok for request 30
Fri Oct 24 10:36:14 2003 : Debug: modcall: group post-auth returns ok for request 30
TTLS: Got tunneled reply RADIUS code 2
Fri Oct 24 10:36:14 2003 : Debug: TTLS: Got tunneled Access-Accept
Fri Oct 24 10:36:14 2003 : Debug: rlm_eap: Freeing handler
Fri Oct 24 10:36:14 2003 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 30
Fri Oct 24 10:36:14 2003 : Debug: modcall[authenticate]: module eap returns ok for request 30
Fri Oct 24 10:36:14 2003 : Debug: modcall: group authenticate returns ok for request 30
Fri Oct 24 10:36:14 2003 : Debug: modcall: entering group post-auth for request 30
Fri Oct 24 10:36:14 2003 : Debug: modsingle[post-auth]: calling rp_default_postauth (rlm_exec) for request 30
Fri Oct 24 10:36:14 2003 : Debug: radius_xlat: '/opt/freeradius/etc/raddb/authUser.sh [EMAIL PROTECTED] 00022d60203c NONE NONE'
Fri Oct 24 10:36:14 2003 : Debug: Exec-Program: /opt/freeradius/etc/raddb/authUser.sh [EMAIL PROTECTED] 00022d60203c NONE NONE
--10:36:14--  https://localhost/CSD/[EMAIL PROTECTED]mac=00022d60203crpgrp=
           => `[EMAIL PROTECTED]mac=00022d60203crpgrp='
Resolving localhost... done.
Connecting to localhost[127.0.0.1]:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 150 [text/html]
100%[] 150 146.48K/s ETA 00:00
10:36:14 (146.48 KB/s) - `[EMAIL PROTECTED]mac=00022d60203crpgrp=' saved [150/150]
TTLS outer/inner access-accept
It looks like the inner tunnel calls rp_default_postauth (rlm_exec) for request 30, then it is called again, calling rp_default_postauth (rlm_exec) for request 30, when the Access-Accept is sent back to the AP. Is that expected behavior?

Thanks,
Ron.

TTLS: Got tunneled reply RADIUS code 2
Fri Oct 24 10:36:14 2003 : Debug: TTLS: Got tunneled Access-Accept
Fri Oct 24 10:36:14 2003 : Debug: rlm_eap: Freeing handler
Fri Oct 24 10:36:14 2003 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 30
Fri Oct 24 10:36:14 2003 : Debug: modcall[authenticate]: module eap returns ok for request 30
Fri Oct 24 10:36:14 2003 : Debug: modcall: group authenticate returns ok for request 30
Fri Oct 24 10:36:14 2003 : Debug: modcall: entering group post-auth for request 30
Fri Oct 24 10:36:14 2003 : Debug: modsingle[post-auth]: calling rp_default_postauth (rlm_exec) for request 30
Fri Oct 24 10:36:14 2003 : Debug: radius_xlat: '/opt/freeradius/etc/raddb/authUser.sh [EMAIL PROTECTED] 00022d60203c NONE NONE'

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TTLS outer/inner access-accept
Ron Wahler [EMAIL PROTECTED] wrote:
> It looks like the inner tunnel calls rp_default_postauth (rlm_exec) for
> request 30

For the tunneled version of the request.

> then it is called again calling rp_default_postauth (rlm_exec) for request 30

For the outer version of the request.

> when the Access-Accept is sent back to the AP. Is that expected behavior?

Yes. The tunneled authentication request looks *exactly* like a normal authentication request to everything in the server. Only the TTLS/PEAP modules know it's a tunneled request.

If you don't want the post-auth section called for the outer user, then you can configure the server to only call it for the tunneled request, OR to not call it for the anonymous user.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: TTLS outer/inner access-accept
What would the syntax look like to prevent the outer tunnel from calling post-auth? They both have the same realm. How about just preventing an anonymous user?

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 24, 2003 2:54 PM
To: [EMAIL PROTECTED]
Subject: Re: TTLS outer/inner access-accept

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
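Alan's reply names two ways to keep the script from running for the outer, anonymous identity, and Ron's follow-up asks what that looks like in the configuration. The fragments below are an added example written for this page; they are not configuration from the thread or from the FreeRADIUS project, and they use the virtual-server syntax of FreeRADIUS 3.x rather than the 0.9 snapshot under discussion, which had no separate inner-tunnel configuration. Assumed: the module instance is called rp_default_postauth as in Ron's log, the outer virtual server is "default" and the inner one is "inner-tunnel", the file name under mods-available is invented, and the argument list handed to authUser.sh is illustrative (the log shows the user name, the MAC and two further values whose source is not on the page). These are fragments to merge into the existing files, not complete files.

```conf
# Added example for this page, not from the thread or the FreeRADIUS project.
# FreeRADIUS 3.x syntax. Names assumed: module instance "rp_default_postauth",
# virtual servers "default" (outer request) and "inner-tunnel" (tunneled request).

# mods-available/rp_default_postauth  (file name assumed)
exec rp_default_postauth {
        wait = yes
        # Argument list is illustrative; the real authUser.sh takes four arguments.
        program = "/opt/freeradius/etc/raddb/authUser.sh %{User-Name} %{Calling-Station-Id}"
        input_pairs = request
        # Escape shell metacharacters in expanded attributes such as User-Name.
        shell_escape = yes
}

# mods-available/eap: send the TTLS inner request through the inner virtual
# server, so the tunneled request is processed there and the outer one in "default".
eap {
        ttls {
                virtual_server = "inner-tunnel"
        }
}

# Option 1 (Alan's "only call it for the tunneled request"):
# sites-available/inner-tunnel. post-auth here sees the real User-Name once.
server inner-tunnel {
        post-auth {
                rp_default_postauth
        }
}

# Option 2 (Alan's "not call it for the anonymous user"):
# sites-available/default. post-auth here sees the outer identity, which for
# TTLS is conventionally "anonymous" or "anonymous@realm"; match whatever your
# supplicants actually send, because the outer identity is chosen by the client.
server default {
        post-auth {
                if (&User-Name !~ /^anonymous(@.*)?$/i) {
                        rp_default_postauth
                }
        }
}
```

Use one option, not both, or the script runs twice again. Option 1 also stops the script for non-EAP requests (plain PAP dial-up, for instance), which may or may not be what you want; Option 2 keeps it for those and only filters the anonymous outer identity. Whichever you pick, the log shows the script building a URL out of the user name it is handed; since that name comes straight from the client, percent-encode it before putting it in a query string, or read the attributes from stdin via input_pairs instead of argv.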
iptables rules to permit RADIUS
Hello, I am running freeradius on my linux server, and I am authenticating users of my cisco router on RADIUS. I have a firewall on my linux server with iptables. When iptables is started I have a problem with the radius authentication (I can not telnet into the router, access denied). I have permitted tcp and udp 1812/1813 in the iptables rules. The question is: are there more ports to permit? Thanks.

Browse with Amnet's free Internet! Download the installation program: http://www.amnetsal.com/files/amnet.exe or visit us at http://www.amnetsal.com. For any enquiry call 247-8000.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
iptables rules to permit RADIUS
Hello, I have freeradius running on my linux server. Users who telnet to my cisco router are authenticated with RADIUS. In order to protect the server I am running iptables rules. When I start iptables, I can not telnet into the cisco router (access denied). I have permitted tcp/udp 1812/1813 ports in the iptables rules. Are there more ports that I must permit? Thanks.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: iptables rules to permit RADIUS
Javier Santos [EMAIL PROTECTED] wrote:
> I have permitted tcp/udp 1812/1813 ports in iptables rules. Are there more
> ports that I must permit?

No. And RADIUS doesn't use TCP, so you can block TCP 1812/1813.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
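Alan's answer is that UDP 1812/1813 is all RADIUS needs. The script below is an added example for this page, not from the thread, that prints (rather than applies) an iptables rule set allowing exactly that from a single NAS, so the server's RADIUS ports are not open to the whole network. The addresses are constructed: RADIUS server 192.0.2.1, Cisco router 192.0.2.254. The optional port arguments are there because older Cisco IOS releases default to the pre-RFC 2865 ports 1645/1646; if the router's radius-server host line uses those, the firewall and the server must allow the pair the router is actually sending to.

```shell
#!/bin/sh
# Added example for this page, not from the thread. Prints (does not apply)
# iptables rules that let one NAS reach a RADIUS server over UDP only.
# Constructed addresses: server 192.0.2.1, Cisco router (NAS) 192.0.2.254.

# radius_rules SERVER_IP NAS_IP [AUTH_PORT] [ACCT_PORT]
# RADIUS is UDP, so no TCP rule appears. The OUTPUT rules let the server's
# replies back to the NAS when the OUTPUT policy is DROP; the final two DROPs
# keep every other host off the RADIUS ports even if the INPUT policy is ACCEPT.
radius_rules() {
    server="$1"
    nas="$2"
    auth="${3:-1812}"
    acct="${4:-1813}"
    cat <<EOF
iptables -A INPUT -p udp -s $nas -d $server --dport $auth -j ACCEPT
iptables -A INPUT -p udp -s $nas -d $server --dport $acct -j ACCEPT
iptables -A OUTPUT -p udp -s $server --sport $auth -d $nas -j ACCEPT
iptables -A OUTPUT -p udp -s $server --sport $acct -d $nas -j ACCEPT
iptables -A INPUT -p udp --dport $auth -j DROP
iptables -A INPUT -p udp --dport $acct -j DROP
EOF
}

# rule_count SERVER_IP NAS_IP [AUTH_PORT] [ACCT_PORT]: number of rules emitted.
rule_count() {
    radius_rules "$@" | wc -l | tr -d ' '
}

# Usage: sh radius_rules.sh 192.0.2.1 192.0.2.254        (RFC 2865 ports)
#        sh radius_rules.sh 192.0.2.1 192.0.2.254 1645 1646  (legacy Cisco ports)
if [ "$#" -ge 2 ]; then
    radius_rules "$@"
fi
```

Pipe the output into sh once it looks right, and add one ACCEPT pair per NAS rather than widening the source address. Restricting the source to the NAS matters more than it looks: a RADIUS server that answers any host will happily tell an attacker which shared secret it is using, one failed Access-Request at a time, if the secret is weak.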
configuration question: multiple LDAP realms with TTLS.
Hi, I have a situation that I need to configure. I did not find it in the archives, thus hoping someone could shed some light. I need to configure 2 realms. Both of them need to use TTLS with different LDAP servers that use TLS for communication. Any tips on how to configure this? Any samples? Thank you.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 0.9.1 and bad logins
-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "Bill" == Bill [EMAIL PROTECTED] writes:

    Bill> I recently switched from Cistron to FreeRadius 0.9.1 I just
    Bill> noticed
    Bill> that FreeRadius is periodically rejecting customer's passwords when
    Bill> the

It sounds like freeradius and/or some other process isn't locking the password file properly, and you are seeing partially updated passwd entries.

If we knew what OS and what set of libraries you were using, and what other processes were editing /etc/passwd, we might be able to help.

]       Collecting stories about my dad: http://www.sandelman.ca/cjr/  |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys - custom hacks make this fully PGP2 compat

iQCVAwUBP5mRd4qHRg3pndX9AQHtrAP+JfBhbgNDMc3fGtLiqIdR6lO312+rExZP
NPDdXU1JbMjwIabGLfpo19VPIiyXGdqUs+QsXCztNCKtDXLg2UH/t/1dFgErS0XA
+eH4t0ySmC6ddvRp8WxLZFywKpBHZ8Nndfhh/Uwwj+9CKASdaC+s/y4GFfyfyxrb
xeOdP/MFHCY=
=EjLy
-----END PGP SIGNATURE-----

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html