Re: Thanks

2004-02-25 Thread Jean-Paul Chapalain
Great, but could you say more !!!

José Luis Solano wrote:
 
Thanks, my freeradius runs.
 
 
 
 
José Luis Solano

 
Jean-Paul.
--
--  Jean-Paul Chapalain - GICM -  Resp. Reseaux et Infrastructure
--  32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
--  Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
--  Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D




Re: EAP-TTLS and accounting

2004-02-25 Thread Rok Pape
Hello Tom! :)

Tom Rixom wrote:

-Original Message-
From: Rok Pape [mailto:[EMAIL PROTECTED]

Has anyone managed to solve the problem with anonymous user
accounting ?


I've only found this message:
http://lists.cistron.nl/pipermail/freeradius-users/2003-September/023835.html
Just return the inner username back to the access point with the Access-Accept
message and the access point (if it follows standard procedure) will return
the Accounting request with the correct inner username.
Yes, this method is explained in this message from Alan (the link above)
that I've found. The question is how to copy User-Name from the inside of
the tunnel to the outside :).

modules {
[...]
    eap {
    [...]
        ttls {
            use_tunneled_reply = yes
        }
    }
}
This doesn't work as User-Name already exists in the outer tunnel.

If I add a User-Name override to /etc/raddb/users via a DEFAULT entry
it doesn't work, as the inner User-Name attribute is changed. Plus it is
not appended to every reply. Not even to a challenge :P.

This has been tested on Cisco 1100 and 1200.
With FreeRADIUS? Could you please send me the relevant configuration?
I've read the doc dir quite a lot but can't find a solution to this problem.

--
best regards,
Rok Papez.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: EAP-TTLS and accounting

2004-02-25 Thread Tom Rixom
Hi Rok,

I must admit I haven't tested this on freeradius yet, but I assumed
there would be a way to return the username in the inner request.

I am just starting to use the freeradius server, as I only noticed
recently that SecureW2 is being used with this server ;)

I guess if the functionality is not there then it would have to be
added. If not, then accounting (using anonymous outer requests) will
be impossible...

Regards,

Tom Rixom



RE: AlfaAriss Client question

2004-02-25 Thread Tom Rixom
Hans,

The big difference between Windows 2000 and XP is that Windows XP
offers not only the 802.1X client and EAP support but also
a built-in WiFi client (Wireless Zero Config).

Windows 2000 does not have this WIFI client and it will never
have it as Windows 2000 service pack 4 was the last... 

This means Windows 2000 relies on third party WIFI clients to
do the job of associating, setting WEP keys and so forth.

Funk offers a complete client, 802.1X, EAP and WIFI which 
means you have a single interface for all of these items.

I have tested SecureW2 successfully on Windows 2000 with
Cisco 350 cards, but it did require me to configure the
ACU client.

Regards,

Tom Rixom

 -Original Message-
 From: Hans Fiedler [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, February 24, 2004 9:32 PM
 To: [EMAIL PROTECTED]
 Subject: Re: AlfaAriss Client question
 
 
 I see where everyone can have it work with Windows XP, but my problem is
 with Windows 2000. I haven't been able to find a method for enabling WEP on
 a Cisco 350 without using the Cisco ACU instead of the Windows 802.1X
 method. On the driver config the only things that are available are:
 Client Name, Data Rates, Infrastructure Mode, Power Saving Mode and SSID.
 On the Linksys card I am trying there are options on the driver to enable WEP
 (128/40) and enter WEP keys, channel and a bunch of others that for the Cisco
 just seem to exist in the ACU software. We have a hard time limiting what
 we have to support here, so I'm probably lucky no one has asked for Windows
 98 yet. The Funk Odyssey client is supposed to be able to set the WEP
 flags according to the Windows guy who has been looking at it; we may have
 to go that way since he thinks it can be tweaked to achieve the other holy
 grail here of single login, which, since most of the faculty/staff have to
 run Novell client32 on their computers, has been a major pain in about
 everything we try to set up.

 If we can find something that works on the Windows boxes, then we get to
 start on Macs. The unix/freebsd/linux users don't expect any support from
 central computing, so I can just work with them informally, which is much
 easier. I'm a unix/freebsd guy so I'm trying to stay on the server end and
 not get sucked into the Windows support, but I have to find something I can
 verify working that I can use to test out the server.
 
 -- 
 Hans K. Fiedler Information Technology
 Network Analyst Communications Services
 [EMAIL PROTECTED]  109 Miller Info Tech Center
 (502)852-7417 (Voice)   University of Louisville
 (502)852-4508 (Fax) Louisville, Ky. 40292
 
 



ignoring request from unknown client 127.0.0.1

2004-02-25 Thread Basile Mathieu
I use freeradius-snapshot-20040224 on a Red Hat 7.3.

All seems to work fine, but when I use radtest
the server tells me:
Ignoring request from unknown client 127.0.0.1
I added the loopback in client and client.conf.
I don't understand.
Thanks
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/basile.pem
 tls: certificate_file = /usr/local/etc/raddb/basile.pem
 tls: CA_file = /usr/local/etc/raddb/root.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/DH
 tls: random_file = /usr/local/etc/raddb/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.





unknown host 127.0.0.1

2004-02-25 Thread Basile Mathieu
I reinstalled freeradius-snapshot-20040224 and use the default radiusd.conf.
I just added 127.0.0.1 to client, and added a users,
but when I use radtest I have the same error:
Ignoring request from unknown client 127.0.0.1
Did I forget to do something?
With the older version all works fine.
basile



Re: Thanks

2004-02-25 Thread José Luis Solano


Hi all!

Of course Jean-Paul, the problem was in my LDAP, I have changed my own LDAP
configuration and freeradius works correctly with TTLS and TLS, but I have
not changed anything in my freeradius configurations. So, thanks for your
help!!


José Luis Solano
[EMAIL PROTECTED]
(+34) 954.088.060




Re: Radius Start Errors

2004-02-25 Thread Alan DeKok
Daniel Baughman [EMAIL PROTECTED] wrote:
 I think what he was asking for is any other pertinent log entrys, or perhaps
 the 30 lines before and 30 after that line (more likely after).
 If you can block out sensitive info you could post more of your radiusd.conf

  Exactly.  He posts a content-free question, so I ask for line 1771
(which is the line the error message mentioned).  He then posts line
1772, and sends me a private email, asking me why I'm such a dick,
and why can't I just answer his questions.

  a) He can't read (I said I wasn't a mind reader, and I can't
content-free questions)
  b) He can't read (Ask for 1771, get 1772)
  c) He's sending private name-calling flames to the one person who
answered his original question.

  I don't deal well with people like that.

  Alan DeKok.



Re: Radius Start Errors

2004-02-25 Thread Alan DeKok
Alan DeKok [EMAIL PROTECTED] wrote:
   a) He can't read (I said I wasn't a mind reader, and I can't
   content-free questions)

  sigh And I can't type, either.  2 hours of rock climbing last
night have turned my fingers into msuh.  g

  Alan DeKok.



Re: EAP-TTLS and accounting

2004-02-25 Thread Alan DeKok
Rok Papež [EMAIL PROTECTED] wrote:
  use_tunneled_reply = yes
...
 This doesn't work as User-Name already exists in the outer tunnel.

  In the reply packet?  It exists only if you added it in your
configuration.

 If I add a User-Name override to /etc/raddb/users via a DEFAULT entry
 it doesn't work, as the inner User-Name attribute is changed. Plus it is
 not appended to every reply. Not even to a challenge :P.

  It's not supposed to be appended to the challenge.

  You should be able to do:

DEFAULT  FreeRADIUS-Proxied-To == 127.0.0.1
 User-Name = `%{User-Name}`

  along with the use_tunneled_reply.  The users file entry replies
with the User-Name *only* inside the tunnel, so you can be sure that
no User-Name exists outside of the tunnel.

  Alan DeKok.



Problem with Cisco 2511 router

2004-02-25 Thread jahanbakhsh
Hi Guys,

We use a RADIUS proxy server (freeradius version 8) for proxying
user requests to two RADIUS servers that are used as
authentication/authorization servers. One of our NASes is a Cisco 2511 router,
and this router has some problem with our RADIUS proxy, but the other Cisco
router types we use (for example the Cisco 3660 series) don't have any
problem. The dial-up users who log into our ISP from this 2511
router can't connect to our ISP correctly, and their authentication requests
are rejected. I really don't know what causes this problem.

-
Our log:

Wed Feb 25 13:33:20 2004 : Error: Received Access-Reject packet from
172.16.1.33 with invalid signature (err=2)!  (Shared secret is
incorrect.)
-
I checked the shared secret key double and triple and wrote it again by hand,
but the problem wasn't solved at all. Does anyone know anything about
this problem we encountered? Any suggestions?

Best regards,
Jahanbakhsh
Monday, February 16, 2004


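The check behind that log line, as an added example (not code from the list thread or from FreeRADIUS): a RADIUS reply carries a Response Authenticator that the proxy recomputes from the shared secret and the Request Authenticator of its own outstanding request (RFC 2865 section 3), so the same failure is logged for a wrong secret on either side, a trailing space in the secret, a modified attribute, or a reply matched to the wrong request. All packet values below are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_REPLY_MESSAGE = 18  # standard RADIUS attribute type (RFC 2865)


def encode_attributes(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs: type(1) length(1) value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one TLV")
        out += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return out


def build_response(code, ident, request_auth, attrs, secret):
    """Build a reply the way the home server does, sealing it with the shared secret.

    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    """
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator as the proxy does. Returns (ok, reason).

    Every mismatch lands in the same bucket: a wrong secret on either side, a
    modified or corrupted attribute, or a reply checked against the wrong
    outstanding request's authenticator all fail identically.
    """
    if len(packet) < 20:
        return False, "packet shorter than RADIUS header"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length field does not match packet"
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "invalid signature (shared secret or packet mismatch)"
    return True, "ok"


# Constructed sample: the proxy sent id=43 with this Request Authenticator and
# shares the secret "testing123" with the home server.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"testing123"
SAMPLE_REJECT = build_response(ACCESS_REJECT, 43, SAMPLE_REQUEST_AUTH,
                               [(ATTR_REPLY_MESSAGE, b"Access denied")], SAMPLE_SECRET)


def diagnose(packet=SAMPLE_REJECT, request_auth=SAMPLE_REQUEST_AUTH):
    """Outcomes an operator tends to confuse: they all look like a bad secret."""
    tampered = bytearray(packet)
    tampered[-1] ^= 0x01  # flip one bit of the Reply-Message value
    return {
        "correct_secret": verify_response(packet, request_auth, SAMPLE_SECRET)[0],
        "wrong_secret": verify_response(packet, request_auth, b"testing124")[0],
        "trailing_space_in_secret": verify_response(packet, request_auth, b"testing123 ")[0],
        "tampered_attribute": verify_response(bytes(tampered), request_auth, SAMPLE_SECRET)[0],
    }


if __name__ == "__main__":
    for case, ok in diagnose().items():
        print(f"{case:26s} -> {'ok' if ok else 'invalid signature'}")
```

When both sides agree the secret is right, compare the raw bytes of the configured value on each box (a trailing space or a copy-pasted non-ASCII character fails exactly like a wrong secret) before suspecting the NAS.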


[Fwd: gateway problem - Registration?]

2004-02-25 Thread Lokotes
sorry - not this group :)



 Original Message 
Subject: gateway problem - Registration?
Date: Wed, 25 Feb 2004 15:24:00 +0100
From: Lokotes [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
hi,
I have just connected a gateway to my LAN.
My GK is set to auth with radius (RRQ) and everything works fine when
using normal h323 clients (terminals).
But when the gateway tries to register it gets 'security denial'.
What's the problem? Does the gateway need to register as a normal terminal, or
should I put it as a permanent endpoint in the config file?
thanks.




PEAP / MSCHAP2 / LDAP

2004-02-25 Thread Arthur EBEL
I would like to use PEAP / MSCHAP2 / LDAP

But I have got this kind of errors and my users can't authenticate

rlm_mschap: No User-Password configured.  Cannot create LM-Password.
rlm_mschap: No User-Password configured.  Cannot create NT-Password.
rlm_mschap: No LM-Password or NT-Password attribute found.  Cannot
perform MS-CHAP authentication.

My password is stored in my LDAP directory using Crypt.

I don't understand what the LM or NT password is. Why doesn't it use the LDAP
passwd ???

Have you got an idea ???





Re: PEAP / MSCHAP2 / LDAP

2004-02-25 Thread Michael Griego
See many many previous discussions in this list on the requirement of
cleartext passwords for MS-CHAP.

--Mike


--
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas




(no subject)

2004-02-25 Thread geoffroy . arnoud
Hello,

I am training on FreeRADIUS, and I'm writing my own module to do different
things with requests. It works well.
I use FreeRADIUS snapshot-20040102.

I think I've found an error in libradius, in the file valuepair.c, in the
function pairreplace.
My valuepair.c is version 1.74, but it seems, from the CVS logs, that this function
has not changed.

I attach the patch at the end of this mail, made using diff, but without the -u
option, which is not available on
Solaris.

The problem is that when replacing an A/V pair by another, if the A/V pair to
replace is the last one, the loop exits before reaching it. Therefore, the A/V
pair is present twice.

Thanks for updates about it.

Geoffroy

Patch starts here:

178c178
   VALUE_PAIR *i, *next;
---
   VALUE_PAIR *i, *next, *prev;
180a181,185
   /*
   Quiet compiler
   */
   prev = NULL;

191c196
   for(i = *first; i-next; i = next) {
---
   for(i = *first; i; i = next) {
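Review bot: this hunk is the actual fix for the bug described in the mail: the old condition `i-next` (read `i->next`; the archive has stripped the `>` of the arrow and the `<`/`>` diff markers) stops one node short, so a trailing matching pair is never replaced and ends up duplicated. The remaining hunks only exist because `i` is NULL when the new loop falls through. Please say so in the mail or commit message so a reader can tell which hunk carries the fix and which are plumbing.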
199a205
   prev = i;
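Review bot: `prev = i;` has to execute on every iteration that reaches the end of the loop body, i.e. after the replace-and-return path and after any `continue`; if it sits before an early exit, `prev` lags one node behind and the append in hunk 206c212 links `add` after the wrong pair. This diff was made without `-u`, so the surrounding loop body is not visible; please confirm the placement or post the loop body.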
206c212
   i-next = add;
---
   prev-next = add;
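Review bot: `prev->next = add` (shown as `prev-next` with the `>` stripped) dereferences NULL when `*first` is NULL: the loop in hunk 191c196 then never runs, and `prev` still holds the `prev = NULL` assigned in hunk 180a181,185 to quiet the compiler, so the warning has been traded for a crash path. Unless pairreplace already returns early for an empty list (not visible in this context-free diff), guard it: `if (prev == NULL) *first = add; else prev->next = add;`.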




Re: unknown host 127.0.0.1

2004-02-25 Thread Alan DeKok
Basile Mathieu [EMAIL PROTECTED] wrote:
 I reinstalled freeradius-snapshot-20040224 and use the default radiusd.conf
 I just added 127.0.0.1 to client

  It's included by default.

 but when I use radtest I have the same error
 Ignoring request from unknown client 127.0.0.1
 
 did I forget to do something?

  I don't think so.  I'm using the CVS snapshot almost every day for
testing, and I don't have this problem.

  Are you sure it's reading the clients file you're editing?

  Alan DeKok.



Freeradius, shiva users file, and mysql.

2004-02-25 Thread donnie
Hello.

Currently, I am using an Intel Shiva access switch for RADIUS AAA.
I would like to try to move to freeradius for the AAA, and use MySQL as a
database backend for user authorization.

My problem is that the current shiva users file that I have has all the
passwords encrypted, thus I cannot figure out a way to simply write a perl
script to parse the users file and insert into the mysql radius
database.

Is there a far simpler method than writing a script to parse the users file?
Some other method that I am completely missing?

Or is there some way I can decrypt these passwords?  (I do have the secret
key from the shiva access switch)

Any help would be wonderful.
Thank you.

--
Donnie Jones



Re: PEAP / MSCHAP2 / LDAP

2004-02-25 Thread Chris Wieringa
On Wed, 2004-02-25 at 08:30, Arthur EBEL wrote:
 I would like to use PEAP / MSCHAP2 / LDAP
 My password is stored in my LDAP directory using Crypt.

See many many previous discussions in this list on the requirement of
cleartext passwords for MS-CHAP.

OK, time for some user education has to happen here.  (Feel free to correct me
if this is in any way wrong) NT-Hash is a password encryption technology just
like crypt is a password encryption technology.  If you have a clear text
password you can encrypt it and come out with a NT-Hash password, or you could
encrypt it and come out with a crypt password.  However, once it is in an
encrypted form it is impossible to compare two different encryption forms to
tell if it is the same password.  PEAP / MSCHAPv2 passes the password encrypted
with NT-Hash encryption, so it is impossible to compare it against the crypt
password stored in LDAP.  It is also impossible to decrypt the NT-Hash password
back to a clear text password, so the password passed with PEAP / MSCHAPv2
cannot be used in a LDAP bind either.  It is possible to use PEAP / MSCHAPv2
with LDAP, however one must store the NT-Hash password in LDAP.  I've had the
same problem with crypts as my password encryption in LDAP.  I ended up having to
create an extra LDAP attribute for NT-Hash passwords.  Whenever a user now goes
through a password change, the NT-Hash password attribute will also be
populated at the same time the crypt password is changed in LDAP.  After you
set this up, make sure to define the attribute in the ldap.attrmap for
NT-Password and it will work great with PEAP / MSCHAPv2.

Chris Wieringa
[EMAIL PROTECTED]



Re: unknown host 127.0.0.1

2004-02-25 Thread Basile Mathieu
At 10:18 25/02/2004 -0500, you wrote:
Basile Mathieu [EMAIL PROTECTED] wrote:
 I reinstalled freeradius-snapshot-20040224 and use the default radiusd.conf
 I just added 127.0.0.1 to client
  It's included by default.

 but when I use radtest I have the same error
 Ignoring request from unknown client 127.0.0.1

 did I forget to do something?
Here is the log when I launch radiusd -X:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.

And there is something strange:

in the radtest output
the NAS-IP-Address is not 127.0.0.1 or localhost but the name of the
machine on the internet.

I don't change anything else in the default configuration.




Auth-Type SecurID - failed to validate the user

2004-02-25 Thread Suhr, Gunnar

Hello,

We're testing freeradius 0.9.3 on HP-UX 11.0.

The compilation of rlm_krb5 failed, and for this reason I compiled freeradius without
this module.

Now we're testing freeradius using the Auth-Type SecurID 2, but it failed with the
following message in the log file:

failed to validate the user

Maybe there is a problem with the file '/var/ace/sdconf.rec' ... How can I be sure
that freeradius is reading this file? Or does authentication via SecurID depend
on the module rlm_krb5?

What are the most important settings that I have to make when using freeradius with
Auth-Type SecurID?

Please help me ...

Gunnar






Re: Radius - Giganews

2004-02-25 Thread Natter
Ok, everything is working great now...except one
thing...

In my clients.conf file I have my test box in there
as: test.mydomain.com. Well, when I run radtest from
that box, it says ignoring request from ip address.
But, that ip address resolves to test.mydomain.com. I
turned hostname lookups on but for some reason, radius
isn't doing a reverse dns to resolve that ip to that
name I have in my clients.conf. 

Anything I'm missing? Thanks again.



Problem with LDAP attributes checking

2004-02-25 Thread Sergio Sagliocco
Hello to the list

I configured my FreeRADIUS to authenticate users with LDAP.
When one of the clients sends a request it includes this attribute:
Cisco-AVPair = h323-ivr-out=terminal-alias:5854;

This attribute depends on the user: so for user U1 it could be
Cisco-AVPair = h323-ivr-out=terminal-alias:5855;
and for user U2 it could be
Cisco-AVPair = h323-ivr-out=terminal-alias:5856;

Is there a way to tell FreeRADIUS to check this attribute?
In other words, I'd like to authenticate user U1 only if this attribute
CONTAINS the string 5855.
Thanks to all
sergio

--
Sergio SAGLIOCCO
SecureLAB - System  Network Security 
CSP s.c. a r.l. 
__
Villa Gualino
Viale Settimo Severo, 63 - 10133 Torino [IT]
tel. +39 011 481 5140 - Mobile +39 348 6024078 
fax  +39 011 481 5001 
__





PPTP + LDAP + freeradius (Attribute User-Password is required for authentication)

2004-02-25 Thread Raval, Jabal
I've got the RADIUS server up on a Unix box and got it to authenticate
users off of an Active Directory, and that part is working fine.

The problem now is that I'd like to have our Linux PPTP server (running
poptop) authenticate users via RADIUS.

I've been able to get the PPTP server to make requests to the RADIUS server,
but the RADIUS server fails, and here are some logs.

I've seen a lot of posts on this group from people who claim they have a setup
like this working, but I've not seen a working config file example.

Anyway, anyone have any idea?


# /usr/local/sbin/radiusd -X

rad_recv: Access-Request packet from host 192.168.34.31:1028, id=43,
length=134
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = testuser
MS-CHAP-Challenge = 
MS-CHAP2-Response =

x5x0
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module eap returns noop for request 0
rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
users: Matched DEFAULT at 2
users: Matched DEFAULT at 6
users: Matched DEFAULT at 12
  modcall[authorize]: module files returns ok for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type := LDAP'
  modcall[authorize]: module mschap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 0



# cat /usr/local/etc/raddb/radiusd.conf
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
eap {
default_eap_type = md5
timer_expire = 60
md5 {
}
leap {
}
}
mschap {
authtype = ldap
}
ldap {
server = ldap
basedn = OU=,DC=xxx,DC=xx,DC=xxx
filter =
(mailNickname=%{Stripped-User-Name:-%{User-Name}})
start_tls = no
access_attr = dialupAccess
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
 password_header = {clear}
 password_attribute = userPassword
timeout = 4
timelimit = 3
net_timeout = 1
}
realm realmslash {
format = prefix
delimiter = /
}
realm suffix {
format = suffix
delimiter = @
}
realm realmpercent {
format = suffix
delimiter = %
}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no

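For reference, here is a decoder for the two Microsoft VSAs that request carries (RFC 2548 layout) together with the first step of the RFC 2759 check, added as an example and not part of the thread, with constructed sample bytes. It makes the failure visible: the request holds a challenge/response pair and no password, so an LDAP bind (which is what Auth-Type LDAP performs) has nothing to bind with, and the NT-Response can only be verified by a module that holds the user's NT hash or clear-text password.

```python
import hashlib
import struct

MS_VENDOR_ID = 311        # Microsoft vendor id (RFC 2548)
MS_CHAP_CHALLENGE = 11    # 16-byte authenticator challenge for MS-CHAPv2
MS_CHAP2_RESPONSE = 25    # 50-byte MS-CHAPv2 response

def decode_ms_vsa(body):
    """body: a RADIUS Vendor-Specific (type 26) value, i.e. 4-byte vendor id
    followed by (vendor-type, vendor-length, value) sub-attributes."""
    if len(body) < 4 or struct.unpack("!I", body[:4])[0] != MS_VENDOR_ID:
        raise ValueError("not a Microsoft VSA")
    attrs, pos = {}, 4
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = body[pos], body[pos + 1]
        if vlen < 2 or pos + vlen > len(body):
            raise ValueError("bad sub-attribute length")
        attrs[vtype] = body[pos + 2:pos + vlen]
        pos += vlen
    return attrs

def parse_mschap2_response(value):
    """ident(1) flags(1) peer-challenge(16) reserved(8) NT-response(24)."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(value))
    return {"ident": value[0], "flags": value[1],
            "peer_challenge": value[2:18], "nt_response": value[26:50]}

def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 section 8.2: the 8 bytes the client DES-encrypted under keys
    derived from its NT password hash to produce NT-Response."""
    return hashlib.sha1(peer_challenge + auth_challenge
                        + username.encode("ascii")).digest()[:8]

def build_ms_vsa(auth_challenge, response):
    """Constructed sample input: pack both sub-attributes into one VSA body."""
    body = struct.pack("!I", MS_VENDOR_ID)
    for vtype, val in ((MS_CHAP_CHALLENGE, auth_challenge),
                       (MS_CHAP2_RESPONSE, response)):
        body += bytes([vtype, len(val) + 2]) + val
    return body

def describe_request(vsa_body, username):
    """Everything the server gets for verifying the user: no password, only a
    challenge/response pair and the 8-byte challenge derived from it."""
    attrs = decode_ms_vsa(vsa_body)
    resp = parse_mschap2_response(attrs[MS_CHAP2_RESPONSE])
    return {"ident": resp["ident"], "nt_response": resp["nt_response"],
            "challenge": challenge_hash(resp["peer_challenge"],
                                        attrs[MS_CHAP_CHALLENGE], username)}
```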
Sending NAS-IP-Address to proxied realm

2004-02-25 Thread [EMAIL PROTECTED]
Hi,

I am running freeradius 0.9.3 on redhat 9.0.  My radius server
is used primarily for proxying to other ISPs.  I currently have
over 30 external ISPs set up in my radius and most seem to
be working well.  However, for those ISPs that are using
ICradius, it seems to be very unhappy about the NAS address
that is getting sent to it.

For my application, rather than using a traditional NAS, I have
6 internet accelerator servers that act as NASes, in that the client
software contacts the accelerator server, which then contacts my
radius servers.  The radius server proxies the request to the
appropriate ISP based on realm, and the ISP sends back a vendor
specific attribute along with Access-Accept or reject.

My radius servers, accelerator servers and DNS servers are all on
a private internal network which then gets NATed to one address.
However, since the accelerator servers have internal IPs, the
NAS-IP-Address is being sent as 10.1.4.x, and it seems that
ICradius does not like this.

Since I have so many ISPs already in production I am hesitant
to make major global changes.

I was wondering if it was possible
to send NAS-IP-Address=X.X.X.X, where X.X.X.X is my NATed
external address, to only certain realms (those using ICradius).

On a side note:
When we set this up, the vendor recommended that we use FreeRadius,
but we later found out that they had no experience in actually setting up
any radius servers in this type of environment and could not offer us any
help in setting up our environment.  They could help us with the client
software, which they wrote, and the acceleration server software, but
not radius.  So with little time to learn, I took a stab at setting up our
infrastructure.  I have no idea if I did it correctly; it seems to be working
but only time will tell.

Sorry for the long post, but I thought a clear explanation may help to
understand the question and why I would ask such a question.

Thanks,
Dave




XSupplicant client with TTLS

2004-02-25 Thread José Luis Solano
Hi all, I'm here again ;)


Anybody uses XSupplicant client with TTLS?

Anybody knows if XSupplicant works OK with TTLS?


Please, if there is some guy who works with XSupplicant, I need help!!!


Thanks

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060




Re: XSupplicant client with TTLS

2004-02-25 Thread Alan DeKok
José Luis Solano [EMAIL PROTECTED] wrote:
 Anybody knows if XSupplicant works OK with TTLS?

  So far as I know.  See the list archives.

  Alan DeKok.



Re: how to return proper reply attributes per nas type

2004-02-25 Thread Alan DeKok
Kevin Jeoung [EMAIL PROTECTED] wrote:
 I am wondering if there is a way to return proper reply attributes per 
 nas type.

  The server doesn't have the concept of NAS type that you can use in
the users file.

 In short, I need to return some sort of pre-listed attributes not by 
 users but by nastype.

  So key off of the NAS IP address.

  Alan DeKok.



Re: Sending NAS-IP-Address to proxied realm

2004-02-25 Thread Alan DeKok
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Perhaps NAT is the wrong term?

  NAT is what firewalls do when they proxy packets with one visible IP.

 Everything is behind a firewall and we have only
 one external IP address which actually points
 to a load balancer and all of the accelerator servers
 are behind it.

  Does the load balancer act as a RADIUS proxy?  If not, then NAT might
be an issue.

  The problem is that many NAT boxes aren't smart enough to realize
that a RADIUS reply packet is associated with a RADIUS request
packet.  So the servers behind the NAT may not get the reply, or they
may get a reply with nonsense ports.

 I know this is not the forum for networking issues, but
 what would the problem with NAT be with regard to
 RADIUS or NASes?  If you have any suggestions I would
 be happy to look into them!

  RADIUS servers need access to public IP's.  If you're running a
RADIUS server on the external box, acting as a proxy with load
balancing, then it should be fine.

  Alan DeKok.



pap encryption

2004-02-25 Thread Ossama Suleiman
Dear all,

   I am using freeradius-ldap-mysql, which is working just fine.
   The question is: in LDAP I have the users stored with different
encryption schemes, some are CRYPT, some are CLEAR and some are MD5. Is
there a way to let FR use all of them and not just one specific scheme?
   Each one of them is working great, but there are always some users
which are unable to authenticate.

Thank you for your help
Best Regards,
Ossama
--
Ossama Suleiman
Systems Engineer
TE Data S.A.E
Email: [EMAIL PROTECTED]
Web:   www.tedata.net
Phone: +(202)-416-6600, EXT: 1105
Any Dream worth having, is a dream worth  fighting for.



Overwritten Perl Module

2004-02-25 Thread Support
Dear Freeradius users:

I'm using freeradius 0.9.3 and I've written 2 basic perl scripts which are
used depending on the huntgroup and the Auth-Type (quintum.pl and gnugk.pl).
Both modules are specified in the radiusd.conf and are loaded when
freeradius starts.

I've noticed that the last loaded perl module is overwriting the first one
BECAUSE:

1. When the Access-Request is coming from a Quintum NAS the log shows that
the corresponding perl module (quintum) is used, BUT the fact is that the
module used is gnugk (please check the attached radiusd.conf and log). If
the request is from a Gnugk NAS, things work fine.

2. If I change the order of the modules in radiusd.conf so that the quintum
module is loaded after the gnugk one, then it works fine for the Quintum
NAS and fails for the Gnugk NAS. For the latter, the executed perl
script is quintum.pl, even though the log is showing the module is gnugk.

What could be the problem?



Thanks for your help,


Humberto Quintana

---

-The users file contains:

DEFAULT Auth-Type := quintum, Huntgroup-Name == quintum

DEFAULT Auth-Type := gnugk, Huntgroup-Name == gnugk


-The following is part of the radiusd.conf :

modules {
perl quintum {
module = /usr/local/etc/raddb/quintum.pl
func_accounting = accounting
func_authenticate = authenticate   # rlm_perl's option is func_authenticate (as the startup log shows), not func_authentication
func_preacct = preacct
func_checksimul = checksimul
func_xlat = xlat
}

perl gnugk {
module = /usr/local/etc/raddb/gnugk.pl
func_accounting = accounting
func_authenticate = authenticate   # same fix as above
func_preacct = preacct
func_checksimul = checksimul
func_xlat = xlat
}
...
...
}

authenticate {
   Auth-Type quintum{
 quintum
}
Auth-Type gnugk{
 gnugk
}
}


-Log:  When Freeradius starts-

Module: Loaded perl
 perl: module = /usr/local/etc/raddb/quintum.pl
 perl: func_authorize = authorize
 perl: func_authenticate = authenticate
 perl: func_accounting = accounting
 perl: func_preacct = preacct
 perl: func_checksimul = checksimul
 perl: func_detach = detach
 perl: func_xlat = xlat
 perl: perl_flags = (null)
 perl: func_start_accounting = (null)
perl: func_stop_accounting = (null)
Module: Instantiated perl (quintum)

 perl: module = /usr/local/etc/raddb/gnugk.pl
 perl: func_authorize = authorize
 perl: func_authenticate = authenticate
 perl: func_accounting = accounting
 perl: func_preacct = preacct
 perl: func_checksimul = checksimul
 perl: func_detach = detach
 perl: func_xlat = xlat
 perl: perl_flags = (null)
 perl: func_start_accounting = (null)
 perl: func_stop_accounting = (null)
Module: Instantiated perl (gnugk)


--Log: Once the Access request is received

  modcall[authorize]: module preprocess returns ok for request 0
  huntgroups: Matched quintum at 49
users: Matched DEFAULT at 155
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type quintum
auth: type quintum
modcall: entering group Auth-Type for request 0
rlm_perl: Added pair h323-credit-amount = h323-credit-amount=2.02
rlm_perl: Added pair h323-return-code = h323-return-code=0
rlm_perl: Added pair Auth-Type = quintum
rlm_perl: Added pair Huntgroup-Name = quintum
  modcall[authenticate]: module quintum returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Login OK: [9] (from client x02 port 0 cli )
Sending Access-Accept of id 197 to ...
h323-credit-amount = h323-credit-amount=2.02
h323-return-code = h323-return-code=0





(no subject)

2004-02-25 Thread Clinton J Wooton
List,

I am new to this so I may not provide all that is needed so
please feel free to ask. I am running Free radius 0.9.3 on a redhat 9.0
box with mysql 0.4.3.

When attempting to start the radius server using radiusd
xxyz I get the following error:

Usr/local/raddb/radiusd.conf[1636] unexpected end of file
errors reading radiusd.conf

I believe that the [1636] refers to the actual line in the
file. I looked at this exact spot using gedit and found that it is the last
line of the file and it has nothing in it.

What can I do to fix this error?

Clinton J Wooton
KLNT Enterprises
(303) 973-7778
http://www.klnt.net
[EMAIL PROTECTED]


Re: (no subject)

2004-02-25 Thread Kevin Bonner
On Wednesday 25 February 2004 18:05, Clinton J Wooton wrote:
 I believe that the [1636] refers to the actual line in the file. I looked
 at this exact spot using gedit and found that it is the last line of the
 file and it has nothing in it.

I would make sure that all { have a matching } in the file.  If that doesn't 
help, copy your current configuration out of the way, then copy the default 
radiusd.conf in place and attempt your config changes again.

Kevin Bonner
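A small checker for the symptom Kevin describes, added here as an example (not from the thread): it walks radiusd.conf, ignores braces inside # comments and double-quoted strings, and reports the line of any { still open at end of file, which is where "unexpected end of file" points back to. The sample configuration is constructed.

```python
def check_braces(text):
    """Return a list of (line_number, message) problems; an empty list means
    every '{' has a matching '}' and nothing is closed too early."""
    problems = []
    stack = []                       # line numbers of still-open '{'
    for lineno, line in enumerate(text.splitlines(), start=1):
        in_string = False
        for ch in line:
            if in_string:            # braces inside "..." are data, not structure
                if ch == '"':
                    in_string = False
                continue
            if ch == '#':            # rest of the line is a comment
                break
            if ch == '"':
                in_string = True
            elif ch == '{':
                stack.append(lineno)
            elif ch == '}':
                if not stack:
                    problems.append((lineno, "'}' with no open block"))
                else:
                    stack.pop()
    for lineno in stack:             # whatever is left open is the culprit
        problems.append((lineno, "'{' never closed"))
    return problems


# Constructed sample: 'security {' lost its closing brace. The %{...} xlats
# are balanced on their own, and the brace inside the quoted string and the
# one inside the comment must not confuse the checker.
SAMPLE_CONF = """\
security {
    max_attributes = 200
    reject_delay = 1
modules {
    ldap {
        filter = (mailNickname=%{Stripped-User-Name:-%{User-Name}})
        password_header = "{clear}"     # a '{' inside a string
        # } a brace inside a comment
    }
}
"""

if __name__ == "__main__":
    for lineno, msg in check_braces(SAMPLE_CONF):
        print("line %d: %s" % (lineno, msg))
```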




Re: Freeradius Testing

2004-02-25 Thread Jeff Warnica

It is just something I hacked together last week in an hour or so, but
attached is something of a radius test client. It is undocumented, not
itself tested, and possibly slightly Ascend specific.

It is a wrapper around radtest that randomly generates (well, chooses from
a list) some data values and, keeping them consistent, sends out an access,
accounting start and accounting stop packet.


On Wed, 25 Feb 2004, Tre Johnston wrote:

 I finally have my freeradius up and working with ldap using radtest to verify in
 debug mode.  I wanted to know if there is a more advanced testing tool for testing
 user rights and privileges settings in freeradius without having to use an actual
 device like a router or a RAS?




HELP please.

2004-02-25 Thread wEiRDo
can anybody help me please.. HOW CAN I CONNECT/CONFIGURE/BRIDGE freeRadius with
HostAP Driver/HostAPd. thanks a lot.
_
Leonardo D. Pabroquez Jr.
00-51582
Department of Computer Science, College of Engineering
University of the Philippines
Diliman, Quezon City



What the unit of AcctInputOctets, AcctOutputOctets

2004-02-25 Thread Raymond
Hi

Would anyone tell me what is the unit of AcctInputOctets, AcctOutputOctets in table radacct?

Is it byte, kbyte, mbyte?

Thanks,

Raymond



Re: HELP!!!! Translate h323-setup/connect/disconnect to ...

2004-02-25 Thread Norguhtar
   Help me please. How can I translate
 h323-setup/connect/disconnect to a normal SQL-like date?
 Now my VoIP proxy (Mera XPGK) sends me Cisco VSA (25):
 h323-setup-time=17:42:00.000 MSK Fri Feb 13 2004
 How can I translate it to an SQL-like format - 13.02.2004 17:42:00.000 ?
Simple. You can use PostgreSQL (it's comportable that is) or create stored
procedures and translate it into a normal format, or save this as a string.

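A parser for the h323-setup-time value quoted above, producing the ISO 8601 text that a SQL TIMESTAMP column accepts; this is an added example, not from the thread. The zone-offset table is a constructed assumption (the NAS sends whatever zone name its own clock is configured with), and a leading * or . on the time, which Cisco uses to flag a clock that was not authoritative, is reported rather than silently dropped.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Zone name -> UTC offset in hours. Constructed for this demo; extend it with
# the names your own NASes are configured to send.
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "MSK": 3, "CET": 1, "EST": -5}

# "[*|.]hh:mm:ss.mmm ZONE Dow Mon DD YYYY"; '*' or '.' in front means the
# NAS clock was not authoritative when the record was produced.
H323_TIME = re.compile(
    r"^(?P<unsynced>[*.])?"
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2})\.(?P<ms>\d{3}) "
    r"(?P<tz>[A-Za-z]{1,5}) "
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<year>\d{4})$")


def parse_h323_time(value):
    """Return (timezone-aware datetime, clock_was_synced); raise ValueError
    for anything that is not a well-formed h323-*-time value."""
    if "=" in value:                 # accept the full "h323-setup-time=..." pair
        value = value.split("=", 1)[1]
    m = H323_TIME.match(value.strip())
    if m is None:
        raise ValueError("unrecognised h323 time: %r" % value)
    tz, mon = m.group("tz").upper(), m.group("mon")
    if tz not in TZ_OFFSETS or mon not in MONTHS:
        raise ValueError("unknown zone or month in %r" % value)
    dt = datetime(int(m.group("year")), MONTHS[mon], int(m.group("day")),
                  int(m.group("h")), int(m.group("mi")), int(m.group("s")),
                  int(m.group("ms")) * 1000,
                  tzinfo=timezone(timedelta(hours=TZ_OFFSETS[tz])))
    return dt, m.group("unsynced") is None


def to_sql_timestamp(value, utc=True):
    """ISO 8601 text for a SQL TIMESTAMP column. utc=True normalises to UTC
    so records from NASes in different zones compare and sort correctly."""
    dt, _ = parse_h323_time(value)
    if utc:
        dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S.") + "%03d" % (dt.microsecond // 1000)


if __name__ == "__main__":
    # the value quoted in the question above
    print(to_sql_timestamp("h323-setup-time=17:42:00.000 MSK Fri Feb 13 2004"))
```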


Re: What the unit of AcctInputOctets, AcctOutputOctets

2004-02-25 Thread Chris Linstruth
Octets

:)

-- 
Chris Linstruth [EMAIL PROTECTED]
QNET
1031 West Avenue M14 #A
Palmdale, CA 93551
(661) 538-2028


On Thu, 26 Feb 2004, Raymond wrote:

 Hi

 Would anyone tell me what is the unit of AcctInputOctets, AcctOutputOctets
 in table radacct?

 Is it byte, kbyte, mbyte?

 Thanks,

 Raymond
