Mail list
Add my address in a mailing list

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sql data not stored
I have installed free radius 0.9.3 in Redhat Linux. I have two problems:

1. Data is logged in /etc/raddb/radacct/... but not logged in MySQL.
2. My radius entry from the client is not coming directly; it is crossing one tunnel. At present, instead of storing log files in the client's name, it stores them in the tunnel name.

If anybody knows, help me.
Re: Alan is the King!
At Fri, 21 May 2004 11:03:45 -0300, RH List Account wrote:

This is indeed very interesting. I'll keep it in mind... (Opensource + support = convincing managers to switch!)

> Folks,
>
> I just wanted to publicly thank Alan DeKok for his invaluable assistance last week. We had a problem that we were kicking ourselves over and just couldn't get. After a search online, we found www.cladju.org. I don't think it's well enough publicised here, but Alan does do RADIUS consulting, and can make your FreeRADIUS problems go away very very quickly.
>
> If you have a problem, and have found Alan's tireless answering of questions on this list to be useful, consider contacting him directly. He quickly found our problem, and we have now been able to turn on a new service, easily justifying his very modest fee.
>
> Open source is great, but people gotta eat. Alan, hats off to you.
>
> Robert Hof
> Internet Architect
> Transact Bermuda

--
Kostas Zorbadelos
Currently at: Otenet IT Department
mailto: [EMAIL PROTECTED]

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.
dictionary file for hp 6108
Hi,

Where can I find a dictionary file for a HP 6108 router? It is not on the website or included in the latest freeradius tarball.

Thanks in advance.
problems with radwho,
Hi,

I'm having problems getting utmp accounting to work properly on FreeRadius (latest version). When the NAS sends an account-request packet to radius, everything seems ok except for the following line seen in the debug window:

rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!

The corresponding Access Request packet from the NAS contains:

NAS-Port-Type = Virtual

I'm using a HP Procurve 6108 switch. I suspect that radius wants me to set the NAS-Port-Type to ethernet or similar, however I do not know how to get the switch to send a NAS-Port-Type that radius will like.

radwho also does not work for my netscreen boxes. Does anyone have any ideas on how I can get radwho to work with my NAS gear?

Thanks
Re: accounting backup
On Sat, 22 May 2004, apellido jr., wilfredo p wrote:

> Just reading docs/configurable_failover, at the example
>
> # Handle accounting packets
> accounting {
>     detail          # always log to detail, stopping if it fails
>     redundant {
>         sql1        # try module sql1
>         sql2        # if that's down, try module sql2
>         handled     # otherwise drop the request as
>                     # it's been handled by the always
>                     # module (see doc/rlm_always)
>     }
> }
> #---
>
> How do i setup freeradius to log accounting in two mysql server at the same time? Currently im running freeradius with only one database back end. How do i specify in accounting section?

Just:

accounting {
    detail
    sql1
    sql2
}

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: dialup_admin web pages' buttons problem.
On Sun, 23 May 2004, Shannon Sariman wrote:

> Hi All,
>
> I'm nearly there with dialup_admin being fully operational on my RH 8.0 machine, but some of the buttons like Accounting, Statistics, Online Users, New User, Edit Group, and New Group, aren't loading when I click on them, on my web browser. I have thoroughly (???), gone through each button's relevant php file and has seen no problem in the file (and so I think). My include statements in each respective php file look correct, but the buttons won't load their php files. Am I missing anything here?

Try asking for the corresponding pages directly, like:

http://your-machine-name/dialupadmin-dir/accounting.php3

What do you mean by not loading?

> Any help is much appreciated. Thanx in advance.
>
> Shannon

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Dialup Admin MySQL problems
On Wed, 19 May 2004, Evan Stenmark wrote:

> I have seen this question a few times on the archive of the mailing list, but I have not been able to find any answers on it (probably because it is too general of a problem).
>
> Whenever I access dialup admin with my web browser, I get many blank white pages or empty tables when clicking on the buttons on the left frame.
>
> It seems like it is not connecting to mysql because if I change the sql username or password (to something incorrect) in the admin.conf (or rename the radius database), I get the same pages.

Well make *sure* that dialupadmin can connect to the mysql db. Try connecting through the command line and see what happens. Make sure that php is configured correctly and has mysql support compiled in. Check the apache/mysql log files.

> What am I doing wrong? (I do have the admin.conf correctly configured to access the mysql database I believe)
>
> Anything would help out
>
> btw, the Check Server button works, so at least it talks to radiusd
>
> Thanks
> Evan Stenmark
>
> A more detailed look at what the pages bring up, but I believe this information may be unnecessary.
>
> On the Dialup Admin, clicking on the following links I receive:
>
> Home - standard homepage
> Accounting - blank white page
> Statistics - I get the greenlines1.gif background with nothing else on it
> User Statistics - empty table (with greenlines background)
> Online Users - blank white page (I don't believe I have configured this section correctly yet anyway, so not worried about this page)
> Bad Users - empty table (with greenlines background)
> Failed Logins - empty table (with greenlines background)
> Find User - search screen, but then nothing when I search for a valid user
> Edit User - Blank white page
> New User - Blank white page
> show Groups - empty table
> Check server - this page works and replies with Authentication was successful

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Duplicate Entry
I have configured Freeradius 0.9.3 with mysql for accounting. My problem is that MySQL records a duplicate entry for a single client's entry. I think:

start query is ok
start update is also ok
stop update is ok
stop insert is insert even though the record is already there

Help me with this problem. Thanks.
EAP/MD5 and LDAP
Hi,

I did set up 802.1x EAP/MD5 with authentication via configuration files and it works. Now I want to connect the RADIUS to a LDAP database. Authentication fails and in the RADIUS log I see:

Login incorrect: [example/CHAP-Password]

Is there any way to get the CHAP password authenticated by the LDAP or do I have to use EAP/TLS?

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP-ID: 15F925D9CEF94F2C
Fingerprint: AF27 2674 4631 E230 B431 F68D 15F9 25D9 CEF9 4F2C
Certificate
Hello,

I would like to ask something: do I need server certificates for using Radius (Auth type=PEAP)?

David
Re: Certificate
Yes, you need a server certificate for PEAP.

Szab Dvid wrote:

> Hello,
>
> I would like to ask something: do I need server certificates for using Radius (Auth type=PEAP)?
>
> David
Cisco-AV-Pairs
Hello,

Does anyone know the method of sending AV-Pair to cisco devices? Is it possible to send ACLs to cisco PIX on a per user basis?

TS
Re: server crashes with new proxy code
Stephan Jaeger [EMAIL PROTECTED] wrote:

> Testing the newest freerad version i ran into some problems with the server crashing under very-high-load situations (cvs snapshot from yesterday).
> ...
> Assertion failed in request_list.c, line 216

Just delete that line.

Alan DeKok.
Re: server crashes with new proxy code
Stephan Jaeger [EMAIL PROTECTED] wrote:

> Testing the newest freerad version i ran into some problems with the server crashing under very-high-load situations (cvs snapshot from yesterday).

Hmm... on second look, ignore my previous message.

> If you need the complete output or anything else let me know.

gdb 'bt', as per doc/bugs would help.

Alan DeKok.
rlm_eap: EAP Start not found
Hi,

Currently using LEAP through Cisco AP 1200 and Cisco Client adapter (350 series).

Not able to connect. Any suggestions are welcome.

JS

=
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.1.7:21654, id=211, length=194
    User-Name = Joseph
    Framed-MTU = 1400
    Called-Station-Id = 000e.d7b1.008b
    Calling-Station-Id = 000f.245d.b532
    Message-Authenticator = 0xbfff0cd4e770e2b66a99fb1b3fd057c0
    EAP-Message = 0x02040028110100181cd0eb44b170c98d8f75735f502bed799897f9be3ceb75af46416e74686f6e79
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 377
    State = 0xa098942a08a361fac4b58e0be619329c434faf401ce42fce9ace56190b71178623755fa7
    Service-Type = Framed-User
    NAS-IP-Address = 192.168.1.7
    NAS-Identifier = ap
modcall: entering group authorize for request 2
modcall[authorize]: module preprocess returns ok for request 2
modcall[authorize]: module chap returns noop for request 2
rlm_eap: EAP packet type notification id 4 length 40
rlm_eap: EAP Start not found
modcall[authorize]: module eap returns updated for request 2
rlm_realm: No '@' in User-Name = Joseph, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=MyOrg'
radius_xlat: '(uid=Joseph)'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=MyOrg, with filter (uid=Joseph)
ldap_release_conn: Release Id: 0
radius_xlat: '((uid=Joseph)(objectclass=top))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=MyLocation,O=MyOrg, with filter ((uid=Joseph)(objectclass=top))
rlm_ldap::ldap_groupcmp: User found in group OU=MyLocation,O=MyOrg
ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 161
users: Matched DEFAULT at 180
modcall[authorize]: module files returns ok for request 2
modcall[authorize]: module mschap returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Joseph
radius_xlat: '(uid=Joseph)'
radius_xlat: 'o=MyOrg'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=MyOrg, with filter (uid=Joseph)
rlm_ldap: checking if remote access for Joseph is allowed by proposedaltorgunit
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user Joseph authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 2
rlm_eap: EAP packet type notification id 4 length 40
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - leap
rlm_eap: processing type leap
rlm_eap_leap: No User-Password or NT-Password configured for this user
modcall[authenticate]: module eap returns invalid for request 2
modcall: group authenticate returns invalid for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.1.7:21654, id=211, length=194
Sending Access-Reject of id 211 to 192.168.1.7:21654
    EAP-Message = 0x04040004
    Message-Authenticator = 0x
--- Walking the entire request list ---
Cleaning up request 0 ID 209 with timestamp 40af4f42
Cleaning up request 1 ID 210 with timestamp 40af4f42
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 211 with timestamp 40af4f43
Nothing to do. Sleeping until we see a request.
==

- Forwarded by Joseph Silvin/Information Technology/MyLocation/MyOrg on 24/05/2004 07:02 PM -

Joseph Silvin
24/05/2004 09:53 AM
To: [EMAIL PROTECTED]
cc:
Subject: rlm_eap: EAP Start not found

Hi,

Need:
Authorization through Domino LDAP (Lotus Notes)
Authentication through EAP without certificates
Re: rlm_eap: EAP Start not found
Joseph Silvin [EMAIL PROTECTED] wrote:

> LDAP working perfectly (checked with radtest) but, the eap component is not working. (rlm_eap: EAP Start not found )

That message doesn't mean what you think. EAP will work even if you see that message.

Do you have some OTHER reason for thinking that EAP doesn't work? Like clients trying EAP, and failing?

Alan DeKok.
Re: dictionary file for hp 6108
Maqbool Hashim [EMAIL PROTECTED] wrote:

> Where can I find a dictionary file for a HP 6108 router? not on the website or included in the latest freeradius tarball.

Search Google. Or, try the NAS documentation.

Alan DeKok.
Re: rlm_eap: EAP Start not found
Joseph,

From the info you sent to the list it looks like the NT authentication is not happening...

NOTE: I don't know why it is but the EAP - Start not found shows up in the debug normally [grin]...

Here is the line that indicates the actual problem:

rlm_eap_leap: No User-Password or NT-Password configured for this user

Hope this helps you

Gary N. McKinney
Network Administrator
Computer Services Dept.
Brevard County Library System

-- Original Message --
From: Joseph Silvin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 24 May 2004 19:01:36 +0530

> Hi,
>
> Currently using LEAP through Cisco AP 1200 and Cisco Client adapter (350 series)
>
> Not able to connect. Any suggestions are welcome.
>
> JS
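An added example, not part of any poster's message and not FreeRADIUS code: a small Python decoder for the EAP-Message values that appear in the debug output on this page, showing which EAP code and method each packet actually carries. The function names and the abridged sample lines are assumptions made for the illustration; the hex values are copied from the page.

```python
import struct

# EAP codes and a few method types (RFC 3748 and the IANA EAP registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP",
             26: "MS-CHAPv2"}


def decode_eap(raw: bytes) -> dict:
    """Decode the 4-byte EAP header and, where present, the method type."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP length {length} does not fit {len(raw)} bytes")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
           "length": length, "type": None, "identity": None}
    # Only Request/Response carry a type byte; Success/Failure are header-only.
    if code in (1, 2) and length >= 5:
        eap_type = raw[4]
        out["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if code == 2 and eap_type == 1:
            # Identity responses carry the outer user name in clear text.
            out["identity"] = raw[5:length].decode("utf-8", "replace")
    return out


def eap_from_debug(text: str) -> list:
    """Return one decoded EAP packet per RADIUS packet found in debug output.

    A RADIUS attribute holds at most 253 bytes of value, so a long EAP packet
    is split over consecutive EAP-Message attributes; join them before decoding.
    """
    packets, fragments = [], []

    def flush():
        if fragments:
            packets.append(decode_eap(b"".join(fragments)))
            fragments.clear()

    for line in text.splitlines():
        if line.startswith(("rad_recv:", "Sending ")):
            flush()  # a new RADIUS packet begins
        name, sep, value = line.strip().partition(" = ")
        if sep and name == "EAP-Message" and value.startswith("0x"):
            fragments.append(bytes.fromhex(value[2:]))
    flush()
    return packets


# Abridged sample: lines reduced from the debug output quoted on this page.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.1.7:21654, id=211, length=194
    User-Name = Joseph
    EAP-Message = 0x02040028110100181cd0eb44b170c98d8f75735f502bed799897f9be3ceb75af46416e74686f6e79
    NAS-Port-Type = Wireless-802.11
rlm_eap: EAP Start not found
Sending Access-Reject of id 211 to 192.168.1.7:21654
    EAP-Message = 0x04040004
rad_recv: Access-Request packet from host 192.168.0.248:1026, id=167, length=196
    User-Name = paul
    EAP-Message = 0x02020009017061756c
"""

if __name__ == "__main__":
    for pkt in eap_from_debug(SAMPLE):
        print(pkt)
```

The first packet decodes as an ordinary EAP Response of type LEAP in an ongoing exchange, and the Access-Reject carries an EAP Failure with the same identifier.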
Re: EAP/MD5 and LDAP
Michael Schwartzkopff [EMAIL PROTECTED] wrote:

> I did set up 802.1x EAP/MD5 with authentication via configuration files and it works. Now I want to connect the RADIUS to a LDAP database. Authentication fails and in the RADIUS log I see:
>
> Login incorrect: [example/CHAP-Password]

That message has nothing to do with EAP.

If you want to see why the authentication really failed, run the server in debugging mode.

Alan DeKok.
RE: Cisco-AV-Pairs
Yes,

Like in:

Cisco-AVPair += ip:inacl#09=deny udp any any eq 1234
Cisco-AVPair += ip:inacl#71=permit tcp host 1.2.3.4 5.6.7.0 0.0.0.255

Kind regards,
Nico Baggus
RE: Freeradius Segmentation Fault on LDAP Bind
I am working on the same type of project with Fedora Core 1 and gcc 3.3.3, getting the same segmentation fault...

I just built a new RedHat 9 test box with gcc 3.2.2-5; works great, even connecting to the LDAP server via OpenSSL. I think the problem may be gcc (on the OpenLDAP and/or FreeRADIUS compile) or Fedora. What gcc are you using?

I am recompiling now but the test box is sloow. Will post results as they become available.

-----Original Message-----
From: Paul Bender [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 16, 2004 7:13 PM
To: [EMAIL PROTECTED]
Subject: Freeradius Segmentation Fault on LDAP Bind

At the moment, I am using freeradius-snapshot-20040516 on Fedora Core 2. I use freeradius to authenticate and authorize WLAN clients that use 802.1x or WPA. As a result, I have configured freeradius to do PEAP. With users configured in the users file, everything works fine.

However, I use OpenLDAP as a central store for account information for all other services (unix, samba, email, etc). Therefore, I would like freeradius to get account information from the LDAP server as well. However, when I configure freeradius to use the LDAP server, the freeradius server segfaults when rlm_ldap attempts to bind to my LDAP server.

I ran freeradius using radiusd -X. I have attached the part of the resulting output that I believe is important (with the LDAP bind password removed).

If anyone has suggestions, I am willing to give them a try. Please let me know if you need other information.

By the way, I did see a message from March 5, 2004 on the same subject http://lists.cistron.nl/archives/freeradius-users/2004/03/frm00221.html . However, I did not see any resolution.

--
rad_recv: Accounting-Request packet from host 192.168.0.248:1027, id=166, length=158
    Acct-Session-Id = 000C
    Acct-Status-Type = Stop
    Acct-Authentic = RADIUS
    Acct-Delay-Time = 0
    NAS-Port = 1
    Calling-Station-Id = 00-40-05-5F-70-9F
    Service-Type = Framed-User
    NAS-IP-Address = 192.168.0.248
    NAS-Identifier = D-link Corp. Access Point
    User-Name = paul
    Acct-Terminate-Cause = Port-Reinit
    Acct-Session-Time = 2932
    Acct-Input-Octets = 0
    Acct-Output-Octets = 0
    Acct-Input-Packets = 0
    Acct-Output-Packets = 0
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 0
modcall[preacct]: module preprocess returns noop for request 0
rlm_acct_unique: Hashing 'NAS-Port = 1,Client-IP-Address = 192.168.0.248,NAS-IP-Address = 192.168.0.248,Acct-Session-Id = 000C,User-Name = paul'
rlm_acct_unique: Acct-Unique-Session-ID = 46c6f260cd4f8036.
modcall[preacct]: module acct_unique returns ok for request 0
rlm_realm: No '@' in User-Name = paul, looking up realm NULL
rlm_realm: No such realm NULL
modcall[preacct]: module suffix returns noop for request 0
modcall[preacct]: module files returns noop for request 0
modcall: group preacct returns ok for request 0
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 0
radius_xlat: '/var/log/radius/radacct/192.168.0.248/detail-20040516'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.248/detail-20040516
modcall[accounting]: module detail returns ok for request 0
modcall[accounting]: module unix returns ok for request 0
radius_xlat: '/var/log/radius/radutmp'
radius_xlat: 'paul'
modcall[accounting]: module radutmp returns ok for request 0
modcall: group accounting returns ok for request 0
Sending Accounting-Response of id 166 to 192.168.0.248:1027
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.248:1026, id=167, length=196
    Framed-MTU = 1466
    NAS-IP-Address = 192.168.0.248
    NAS-Identifier = D-link Corp. Access Point
    User-Name = paul
    Service-Type = Framed-User
    NAS-Port = 1
    NAS-Port-Type = Wireless-802.11
    NAS-Port-Id = ether1_1
    Called-Station-Id = 00-05-5d-99-61-4a
    Calling-Station-Id = 00-40-05-5f-70-9f
    Connect-Info = CONNECT Ethernet 0Mbps Full duplex
    EAP-Message = 0x02020009017061756c
    Message-Authenticator = 0x7dda6d614cccd496f8cd2d2e617b8cd0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = paul, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
rlm_eap: EAP packet type response id 2 length 9
PEAP help!
Hello,

I have a big problem. The authentication with Freeradius is almost working, just one thing is wrong. After connecting to the wlan network (PEAP), 4-5 seconds later my pc gets disconnected. I don't know why. I get Access-Accept from the Radius. The Windows says the authentication is done. What's wrong?

Please help,
Thanks,
David
Re: Freeradius Segmentation Fault on LDAP Bind
I would love to hear your results.

I have compiled it with both gcc 3.3.3 (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) and gcc 3.4.0 (gcc version 3.4.0 20040519 (Red Hat Linux 3.4.0-2)). In both cases, I get a segmentation fault.

I spent a little time trying to get it to core dump, but I have not been successful. I did 'ulimit -c unlimited', enabled core dumps in radiusd.conf and compiled freeradius with --enable-developer. Yet, it still does not core dump on a segmentation fault.

Willey Kurt D wrote:

> I am working on the same type of project with Fedora Core 1 and gcc 3.3.3, getting the same segmentation fault...
>
> I just built a new RedHat 9 test box with gcc 3.2.2-5; works great, even connecting to the LDAP server via OpenSSL. I think the problem may be gcc (on the OpenLDAP and/or FreeRADIUS compile) or Fedora. What gcc are you using?
>
> I am recompiling now but the test box is sloow. Will post results as they become available.
PEAP help v2
Please check this: There is no problem, is there?

Sending Access-Accept of id 128 to 193.226.239.181:3072
    Service-Type := Framed-User
    Framed-Protocol := PPP
    Framed-Compression := Van-Jacobson-TCP-IP
    Framed-MTU := 1500
    MS-MPPE-Recv-Key = 0x2c4b7b6574809b402070d7c2266dedbfe723d9f714fe81dfd8daf448ecaba7d0
    MS-MPPE-Send-Key = 0x906896cee2d24bdaac256ef521e9be499a7defca161b9e5528ef210a7476fea9
    EAP-Message = 0x03080004
    Message-Authenticator = 0x
    User-Name = fredf
Finished request 8
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 120 with timestamp 40b216e1
Cleaning up request 1 ID 121 with timestamp 40b216e1
Cleaning up request 2 ID 122 with timestamp 40b216e1
Cleaning up request 3 ID 123 with timestamp 40b216e1
Cleaning up request 4 ID 124 with timestamp 40b216e1
Cleaning up request 5 ID 125 with timestamp 40b216e1
Cleaning up request 6 ID 126 with timestamp 40b216e1
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 7 ID 127 with timestamp 40b216e2
Cleaning up request 8 ID 128 with timestamp 40b216e2
Nothing to do. Sleeping until we see a request.

--
David
Re: server crashes with new proxy code
On Mon, 2004-05-24 at 09:51 -0400, Alan DeKok wrote:

> Stephan Jaeger [EMAIL PROTECTED] wrote:
> > Testing the newest freerad version i ran into some problems with the server crashing under very-high-load situations (cvs snapshot from yesterday).
>
> Hmm... on second look, ignore my previous message.
>
> > If you need the complete output or anything else let me know.
>
> gdb 'bt', as per doc/bugs would help.

Took me some time to figure out that linux doesn't like to coredump on multithread procs and i had to run it in gdb. Maybe that could be added to doc/bugs.

Here you go, this time it happened in another line of request_list.c:

Assertion failed in request_list.c, line 580

Program received signal SIGABRT, Aborted.
[Switching to Thread 16384 (LWP 2567)]
0x4029b721 in kill () from /lib/libc.so.6
(gdb) bt
#0 0x4029b721 in kill () from /lib/libc.so.6
#1 0x400fa771 in pthread_kill () from /lib/libpthread.so.0
#2 0x400faa7b in raise () from /lib/libpthread.so.0
#3 0x4029b4d4 in raise () from /lib/libc.so.6
#4 0x4029c9e8 in abort () from /lib/libc.so.6
#5 0x0805004e in rad_assert_fail (file=0x0, line=0) at util.c:331
#6 0x0805d9ef in rl_add_proxy (request=0x40102140) at request_list.c:580
#7 0x0805236d in proxy_send (request=0x82c8890) at proxy.c:472
#8 0x0804e2ee in rad_respond (request=0x82c8890, fun=0x8053600 rad_authenticate) at radiusd.c:1723
#9 0x0804d9ba in main (argc=135116904, argv=0x8053600) at radiusd.c:1452

Regards
Stephan Jaeger
Re: Freeradius Segmentation Fault on LDAP Bind
On Mon, 2004-05-24 at 08:50 -0700, Paul Bender wrote:

> I would love to hear your results.
>
> I have compiled it with both gcc 3.3.3 (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) and gcc 3.4.0 (gcc version 3.4.0 20040519 (Red Hat Linux 3.4.0-2)). In both cases, I get a segmentation fault.
>
> I spent a little time trying to get it to core dump, but I have not been successful. I did 'ulimit -c unlimited', enabled core dumps in radiusd.conf and compiled freeradius with --enable-developer. Yet, it still does not core dump on a segmentation fault.

I had the same problem, i think it is that multithread procs won't coredump on linux, run it directly in gdb and do the bt there.

Regards
Stephan Jaeger
peap user
Hi, I'm configuring PEAP. I think the freeradius config is OK. I'm using an Aironet AP 1100 configured to support 802.1X authentication and WEP, and my wireless network is enabled to use PEAP auth. The fact is that when I try to authenticate my card against radius I'm not asked to enter a user and a password, and it directly uses an unknown user for me called PEAP-mi_card_MAC. Wasn't I supposed to be asked to enter the user? I add the logs in case they can help. Thanks a lot, bfr

rad_recv: Access-Request packet from host 172.26.0.3:1645, id=6, length=161
    User-Name = PEAP-000CCE21141B
    Framed-MTU = 1400
    Called-Station-Id = 0040.96a0.19dc
    Calling-Station-Id = 000c.ce21.141b
    NAS-Port-Type = Wireless-802.11
    Message-Authenticator = 0x642163f9e77208900dc76dd8c5b48981
    EAP-Message = 0x0202001601504541502d303030434345323131343142
    NAS-Port-Type = Virtual
    NAS-Port = 63
    Service-Type = Login-User
    NAS-IP-Address = 172.26.0.3
    NAS-Identifier = ap_cisco
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = PEAP-000CCE21141B, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 2 length 22
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
users: Matched DEFAULT at 177
modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 6 to 172.26.0.3:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 6 with timestamp 40b22f94
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.26.0.3:1645, id=7, length=161
    User-Name = PEAP-000CCE21141B
    Framed-MTU = 1400
    Called-Station-Id = 0040.96a0.19dc
    Calling-Station-Id = 000c.ce21.141b
    NAS-Port-Type = Wireless-802.11
    Message-Authenticator = 0xbabd2bd7b3b9a2cf23018d052dcc7582
    EAP-Message = 0x0201001601504541502d303030434345323131343142
    NAS-Port-Type = Virtual
    NAS-Port = 64
    Service-Type = Login-User
    NAS-IP-Address = 172.26.0.3
    NAS-Identifier = ap_cisco
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = PEAP-000CCE21141B, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
rlm_eap: EAP packet type response id 1 length 22
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 1
users: Matched DEFAULT at 177
modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 7 to 172.26.0.3:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 7 with timestamp 40b22f9f
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.26.0.3:1645, id=8, length=161
    User-Name = PEAP-000CCE21141B
    Framed-MTU = 1400
    Called-Station-Id = 0040.96a0.19dc
    Calling-Station-Id = 000c.ce21.141b
    NAS-Port-Type = Wireless-802.11
    Message-Authenticator = 0x017eb94e1149c58524647d0840f81dce
    EAP-Message = 0x0201001601504541502d303030434345323131343142
    NAS-Port-Type = Virtual
    NAS-Port = 65
    Service-Type = Login-User
    NAS-IP-Address = 172.26.0.3
    NAS-Identifier = ap_cisco
Processing the authorize
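An added example, not part of the original post: decoding the EAP-Message attribute from the debug output above shows where the PEAP-... name comes from. The function names and the trimmed copy of the log are this example's own, and it assumes each EAP packet fits in a single EAP-Message attribute, as it does here.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# A few EAP method numbers from RFC 3748 and the IANA EAP registry.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak",
             4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}

# Two of the Access-Requests from the post, trimmed to the attributes used here.
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 172.26.0.3:1645, id=6, length=161
    User-Name = PEAP-000CCE21141B
    Calling-Station-Id = 000c.ce21.141b
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0202001601504541502d303030434345323131343142
    NAS-Port-Type = Virtual
rlm_eap: EAP packet type response id 2 length 22
rad_recv: Access-Request packet from host 172.26.0.3:1645, id=7, length=161
    User-Name = PEAP-000CCE21141B
    Calling-Station-Id = 000c.ce21.141b
    EAP-Message = 0x0201001601504541502d303030434345323131343142
rlm_eap: EAP packet type response id 1 length 22
"""

# "Name = value" at the start of a line; module chatter such as
# "rlm_realm: No '@' in User-Name = ..." does not match.
ATTR_RE = re.compile(r"^\s*([A-Za-z][\w-]*) = (.*)$")


def decode_eap(hex_value):
    """Decode the EAP header (code, id, length, type) from one EAP-Message value."""
    digits = hex_value[2:] if hex_value[:2].lower() == "0x" else hex_value
    raw = bytes.fromhex(digits)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if not 4 <= length <= len(raw):
        raise ValueError("EAP length field does not fit the attribute")
    packet = {"code": EAP_CODES.get(code, "Unknown(%d)" % code),
              "id": ident, "length": length, "type": None, "data": b""}
    if code in (1, 2):  # only Request and Response carry a type octet
        if length < 5:
            raise ValueError("Request/Response without a type octet")
        packet["type"] = EAP_TYPES.get(raw[4], "Unknown(%d)" % raw[4])
        packet["data"] = raw[5:length]
    return packet


def split_requests(log_text):
    """Yield one {attribute: value} dict per 'rad_recv:' block."""
    current = None
    for line in log_text.splitlines():
        if line.startswith("rad_recv:"):
            if current is not None:
                yield current
            current = {}
            continue
        match = ATTR_RE.match(line)
        if current is not None and match:
            # Keep the first value when an attribute repeats (NAS-Port-Type does).
            current.setdefault(match.group(1), match.group(2).strip().strip('"'))
    if current is not None:
        yield current


def analyse(log_text):
    """Compare the identity inside each EAP-Response/Identity with User-Name."""
    results = []
    for attrs in split_requests(log_text):
        if "EAP-Message" not in attrs:
            continue
        eap = decode_eap(attrs["EAP-Message"])
        identity = None
        if eap["code"] == "Response" and eap["type"] == "Identity":
            identity = eap["data"].decode("utf-8", "replace")
        mac = re.sub(r"[^0-9A-Fa-f]", "", attrs.get("Calling-Station-Id", "")).upper()
        results.append({
            "eap_id": eap["id"],
            "eap_type": eap["type"],
            "identity": identity,
            "matches_user_name": identity == attrs.get("User-Name"),
            # True when the identity contains the adapter MAC, i.e. it was
            # generated by the client software rather than typed by a user.
            "identity_embeds_mac": bool(mac) and identity is not None
                                   and mac in identity.upper(),
        })
    return results


if __name__ == "__main__":
    for row in analyse(DEBUG_LOG):
        print(row)
```

Both packets are EAP-Response/Identity messages whose payload is the string the AP copied into User-Name, so the name was chosen on the client side before any PEAP tunnel existed.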
Re: peap user
Sounds like a client side problem. What supplicant are you using? Are you using the one built into Win2k or WinXP? Both of those have checkboxes to automatically use your machine name or your windows login name. Make sure those aren't checked.
Re: EAP-TLS and WEP key generation
Hi Bob

You might remember from my previous postings that I was connecting via wireless connection using EAP-TLS via a Cisco 1200 AP and a freeradius server, but my connections weren't appearing as WEP encrypted. As per your suggestion, I downloaded kismet (I don't have a Mac) and have it running on my linux laptop as my sniffer... I have not joined this machine to the network, so it is just passively capturing wireless data. I then got another Win2K laptop and connected it to our network using EAP/TLS via the Cisco 1200 and a freeradius server. It all works as before... the client laptop connects OK and the radiusd logging shows MS-MPPE stuff which I believe indicates that WEP keys are being generated. However, kismet does not show the traffic as encrypted... Also, if I open the dump formatted file that kismet generates using ethereal I can see the data inside packets, e.g. the echoes from a telnet session are readable in ASCII... no WEP key required to decode, and besides, my sniffer doesn't know the key to decode. Either it is possible to have EAP-TLS without WEP, or I have badly missed something in my configuration... probably the latter. I would be most grateful for any help in unravelling this... Thanx in advance Chris.

From: Bob McCormick [EMAIL PROTECTED] Subject: Re: EAP-TLS and WEP key generation Date: Thu, 20 May 2004 10:52:14 -0600

On May 20, 2004, at 10:08 AM, Chris Bshaw wrote: Hi Thanx to everyone who has replied so far... very helpful. A few more questions. Bob... I tried your settings below. My client does connect and I can see the EAP-TLS exchange via the radiusd debugging info. I also see MS-MPPE-Recv-Key and MS-MPPE-Send-Key in the debug output, and in ethereal on the client I see the EAPOL packets. However...

1. Again, both ends say security = none (or Encryption = off)

On the AP, what command are you running that says there is no encryption?

2. A show logging on the AP has a line like this when a client machine associates with it: *Mar 3 01:26:04.607: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0009.5b65.d55c Associated KEY_MGMT[NONE] ...is KEY_MGMT[NONE] relevant here?

Do you have TKIP or CKIP enabled in your config? The config I sent you does not. It's possible the log message is talking about TKIP key management? I'm not certain.

3. I thought guest-mode meant that anyone could connect without EAP (or WEP)... am I wrong on this?

You are completely wrong. :-) A Cisco AP can support multiple SSID's, but only one SSID can be broadcast in the beacon. The SSID that is in Guest mode is the one being beaconed. You can also have no guest mode SSID's at all, and then no SSID will be included in your AP's beacons. (but it *will* still beacon).

4. I set the dynamic rekeying interval to 120 seconds (instead of 600 seconds as you have below)... however, after the first successful connection, I never see any transaction on the radiusd server... you mention I should configure the AP to honor the Session-Timeout from the radius server... should I also set Session-Timeout = 120 on the freeradius server and if so where? (eg: in the raddb/attrs file?)...

When you're using 802.1x authentication, there are actually 2 wep keys involved. One is the per-user key assigned by the radius server. It's used to encrypt unicast traffic. Then there is a broadcast key used to encrypt broadcast and multicast traffic. That key is shared by all clients that are associated to the AP. The statement broadcast-key change 600, causes a Cisco AP to change the broadcast WEP key every 600 seconds and distribute the new key to all associated clients. The Session-Timeout causes the AP to disassociate the client from the AP. The client will then attempt to automatically re-associate. When it does, the radius server will give the client a new unicast WEP key. So yes, in addition to telling the AP to honor the Session-Timeout, you will need to tell Freeradius to send a Session-Timeout. It looks like this: (in your Freeradius users file)

# BDM - for all users, send a session-timeout value of 15 minutes (900 seconds)
# to the AP. For Cisco AP's you MUST make sure the AP is configured
# to honor the Session-Timeout value (it doesn't by default)
DEFAULT
    Session-Timeout := 900,
    Fall-Through = Yes

Put that at the VERY top of your users file.

5. Does my client wlan card and/or card driver need to support WEP dynamic rekeying? Or is it the w2k supplicant which handles this? (in case you missed it below I am using a NetGear WG511 card).

As long as your card supports 802.1x I believe you're fine. The supplicant will handle everything else. One thing you might do to verify that your clients *are* indeed using a WEP key would be to download a wireless sniffer like Kismet (or Kismac for Macintosh). They'll tell you if the traffic on the SSID is WEP
Re: Duplicate Entry
--- Melkin dev [EMAIL PROTECTED] wrote: I have configured Freeradius.0.9.3 with mysql for accounting. My problem is Mysql records duplicate entry for single clients entry. I think start query is ok start update is also ok stop update is ok stop insert is insert even though the record is already there help me in this problem.

The stop packet will probably be sent by your client twice. It looks like your radius server is not responding fast enough to the client. So the client assumes that the record has not reached the radius and is sending it for the second time. Check the indexes on your tables and try to estimate the time taken for each insert. This should solve the problem. thanks
Please help to setup Freeradius-0.9.3 on my Red Hat Linux 9.0!!!!
Hi All, I really need your help to set up freeradius-0.9.3 on my Red Hat machine. I downloaded and installed Freeradius-0.9.3 as instructed on my Red Hat Linux 9.0 machine. I did the following steps to install it:

[root]#tar zxvf freeradius-0.9.3.tar.gz
[root]#./configure --disable-share
[root]#make
[root]#make install

After installing it, I tried to run it with the following command:

[root]#radiusd -X

and got an error like this:

radiusd: entering modules setup
Module: Library search path is /usr/local/lib
radiusd.conf[1186] Failed to link to module 'rlm_expr': file not found

I looked at the radiusd.conf file at line 1186 and it looked like:

#
#The 'expression' module currently has no configuration
#
expr {}
#
#

I checked and saw the rlm_expr file is in ./freeradius-0.9.3/src/modules directory. I checked and saw the rlm_expr.a, rlm_expr.la, rlm_expr-0.9.3.1a files in /usr/local/lib directory. I don't understand why I got that error. Is that problem related to the freeradius installation? If it is, I want to uninstall it and restart from scratch, which is rerun configure, then make, then make install. But I don't know how to uninstall it; would anybody please help me to uninstall Freeradius-0.9.3 from Red Hat Linux (9.0)? Thank you in advance, Henry
Re: Please help to setup Freeradius-0.9.3 on my Red Hat Linux 9.0!!!!
Use the freeradius rpms for installation. They are a lot easier to use. Remember to download freeradius-postgresql freeradius-mysql rpms if you need them.
Re: peap user
And the user sent isn't your computer name either? If not, I have no idea. I've never used Cisco's client software, I always use the supplicant built into windows.

On May 24, 2004, at 11:04 AM, BLANCA FERRERO RODRIGUEZ wrote: I'm using Windows XP, the same as for eap/tls and it worked fine in that case. My card is a 350 cisco and follow the instructions in the cisco page to configure it as well as the AP. In the network manager I enabled PEAP auth and unchecked the box you mentioned about using my windows login to auth. Anyway the user sent to the radius is not my login!!! any idea? bfr
RE: Please help to setup Freeradius-0.9.3 on my Red Hat Linux 9.0!!!!
Thanks for responding. I downloaded freeradius-0.9.3-0.i586.rpm (I guessed there is a typo here, should be ...i386..) I tried to install using rpm, but I got some errors related to dependencies (i.e. insserv, fillup, libasn1.so.6, etc), where can I download these packages? Thanks Henry
rlm_ippool not deallocating ip's
Hello freeradius-users, I have a problem with rlm_ippool - it's not deallocating IPs from the pool, and I think I'm somewhat close to its solution, but I want to do all things right, that's why I'm here again. FreeBSD 4.8R-p14, freeradius-0.9.3 with cvs version of rlm_ippool (* Version: $Id: rlm_ippool.c,v 1.20.2.2 2003/10/09 01:05:17 phampson Exp $)

When radiusd receives a request from the NAS, like this

    Calling-Station-Id = 0:50:ba:c1:3:38
    Called-Station-Id = pppoe
    Service-Type = Framed-User
    User-Name = lan
    Framed-Protocol = PPP
    MS-CHAP-Challenge = xx
    MS-CHAP2-Response = xx
    NAS-Identifier = zeus.startatom.ru
    NAS-Port-Type = Ethernet
    NAS-Port = 1984

rlm_ippool allocates an ip address and writes this entry in its db under two keys, NAS address and NAS port:

rlm_ippool: Searching for an entry for nas/port: zeus.startatom.ru/1984
rlm_ippool: Allocating ip to nas/port: zeus.startatom.ru/1984
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.253.207 to client on nas zeus.startatom.ru,port 1984
modcall[post-auth]: module legal_pool returns ok for request 0

Then, when this client disconnects, rlm_ippool somehow turns NAS-Identifier into a direct ip address instead of FQDN. This is the Stop request:

rad_recv: Accounting-Request packet from host 62.33.65.2:2107, id=71, length=162
    Calling-Station-Id = 0:50:ba:c1:3:38
    Called-Station-Id = pppoe
    Service-Type = Framed-User
    User-Name = lan
    Framed-Protocol = PPP
    Framed-IP-Address = 192.168.253.207
    Framed-IP-Netmask = 0.0.0.0
    NAS-Identifier = zeus.startatom.ru
    NAS-Port-Type = Ethernet
    NAS-Port = 1984
    Acct-Status-Type = Stop
    Acct-Session-Id = s-1474470826
    Acct-Multi-Session-Id =
    Acct-Delay-Time = 0
    Acct-Input-Octets = 656
    Acct-Input-Packets = 2
    Acct-Output-Octets = 0
    Acct-Output-Packets = 0
    Acct-Session-Time = 13

See? NAS-Identifier is the same FQDN, but rlm_ippool thinks differently:

rlm_ippool: Searching for an entry for nas/port: 62.33.65.2/1984
rlm_ippool: Entry not found
modcall[accounting]: module legal_pool returns ok for request 2

And as a result when the client disconnects, his address isn't deallocated from the pool, and after some time radiusd runs out of addresses, and clients cannot connect. I solved this problem by adding a simple attr_rewrite entry to the post-auth block (before the ippool entry):

attr_rewrite NAS {
    attribute = NAS-Identifier
    searchin = packet
    searchfor = zeus.startatom.ru
    replacewith = 62.33.65.2
    new_attribute = no
}

So, it's always the direct ip written to db, and when rlm_ippool checks the entry on Stop request, it successfully deallocates the ip address from the pool. I think this workaround will work for me, but is there another way to make rlm_ippool work without that? -- Best regards, Alexander mailto:[EMAIL PROTECTED]
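An added example, not part of the original post and not rlm_ippool's own code: a small checker that reads the rlm_ippool debug lines quoted above and reports leases that were stored under one nas/port key and looked up under another. The function name, the aliases parameter (a model of the attr_rewrite workaround) and the same-port heuristic are assumptions of this example.

```python
import re

# Debug lines copied from the post above.
DEBUG_LOG = """\
rlm_ippool: Searching for an entry for nas/port: zeus.startatom.ru/1984
rlm_ippool: Allocating ip to nas/port: zeus.startatom.ru/1984
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.253.207 to client on nas zeus.startatom.ru,port 1984
modcall[post-auth]: module legal_pool returns ok for request 0
rlm_ippool: Searching for an entry for nas/port: 62.33.65.2/1984
rlm_ippool: Entry not found
modcall[accounting]: module legal_pool returns ok for request 2
"""

SEARCH_RE = re.compile(
    r"rlm_ippool: Searching for an entry for nas/port: (\S+)/(\d+)\s*$")
ALLOC_RE = re.compile(
    r"rlm_ippool: Allocated ip (\S+) to client on nas (\S+?),\s*port (\d+)")
NOT_FOUND_RE = re.compile(r"rlm_ippool: Entry not found")


def find_key_mismatches(log_text, aliases=None):
    """Report failed lookups whose port matches a lease held under another NAS name.

    aliases maps a NAS name to the name it should be stored under; passing
    {"zeus.startatom.ru": "62.33.65.2"} models the attr_rewrite workaround.
    Heuristic: two different NASes reusing one port number would also match,
    so every finding still needs a look at the surrounding requests.
    """
    aliases = aliases or {}
    leases = {}      # (nas, port) -> allocated ip
    pending = None   # key of the most recent "Searching for an entry" line
    findings = []
    for line in log_text.splitlines():
        match = ALLOC_RE.search(line)
        if match:
            ip, nas, port = match.groups()
            leases[(aliases.get(nas, nas), port)] = ip
            pending = None
            continue
        match = SEARCH_RE.search(line)
        if match:
            pending = (match.group(1), match.group(2))
            continue
        if NOT_FOUND_RE.search(line) and pending is not None:
            nas, port = pending
            for (held_nas, held_port), ip in leases.items():
                if held_port == port and held_nas != nas:
                    findings.append({
                        "ip": ip,
                        "allocated_as": "%s/%s" % (held_nas, held_port),
                        "looked_up_as": "%s/%s" % (nas, port),
                    })
            pending = None
    return findings


if __name__ == "__main__":
    for finding in find_key_mismatches(DEBUG_LOG):
        print("lease %(ip)s stored as %(allocated_as)s, "
              "searched as %(looked_up_as)s" % finding)
    # With the NAS name rewritten at allocation time the two keys agree.
    print(find_key_mismatches(DEBUG_LOG, {"zeus.startatom.ru": "62.33.65.2"}))
```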
RE: Please help to setup Freeradius-0.9.3 on my Red Hat Linux 9.0!!!!
i586 is right (that means it is for pentium class machines). Go to rpmfind.net and search for them or try googling them. A nice tool called yum ( http://download.fedora.us/fedora/redhat/9/i386/RPMS.stable/yum-2.0.3-0.fdr.1.rh90.noarch.rpm ) can help with installing rpms with dependencies. A 'yum install freeradius' will take care of all the dependencies. Good luck
RE: Freeradius Segmentation Fault on LDAP Bind
Problem recreated on RH9 with gcc 3.4.0. Turns out the problem is not related to Fedora/RH or gcc: Remove --with-cyrus-sasl when you ./configure OpenLDAP 2.1.30

-Original Message- From: Paul Bender [mailto:[EMAIL PROTECTED] Sent: Monday, May 24, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: Re: Freeradius Segmentation Fault on LDAP Bind

I would love to hear your results. I have compiled it with both gcc 3.3.3 (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) and gcc 3.4.0 (gcc version 3.4.0 20040519 (Red Hat Linux 3.4.0-2)). In both cases, I get a segmentation fault. I spent a little time trying to get it to core dump, but I have not been successful. I did 'ulimit -c unlimited', enabled core dumps in radiusd.conf and compiled freeradius with --enable-developer. Yet, it still does not core dump on a segmentation fault.

Willey Kurt D wrote: I am working on the same type of project with Fedora Core 1 and gcc 3.3.3, getting the same segmentation fault... I just built a new RedHat 9 test box with gcc 3.2.2-5; works great, even connecting to the LDAP server via OpenSSL. I think the problem may be gcc (on the OpenLDAP and/or FreeRADIUS compile) or Fedora. What gcc are you using? I am recompiling now but the test box is sloow. Will post results as they become available.
RE: Please help to setup Freeradius-0.9.3 on my Red Hat Linux 9.0!!!!
I tried yum but it still did not take care of all my dependencies. I guess I have to search one by one then. Thank you very much Henry
Re: EAP-TLS and WEP key generation
Hi Bob
Config attached. Also, I should mention the config of the client. I am using a NetGear WG511 802.11g card. I don't have any security features enabled on the utility which comes with the WG511 (no WEP, WPA etc) and there are no options for EAP on this utility. I enabled all the EAP stuff via the Authentication tab on the Properties of the interface under Start - Network and Dialup connections in Windoze. Under there I have the following set:
Enable network control using IEEE 802.1x
EAP Type: Smart Card or other Certificate
Use a certificate on this computer
and I select the certificate generated on my freeradius server. This is more or less what is described under http://www.freeradius.org/doc/EAPTLS.pdf. There is a method in this doc for debugging EAP on the Cisco AP, which I had not noticed before. I'll try this tomorrow.
Finally, just in case you might not remember from my previous emails, I was (and I think still am) able to see EAPOL packets on my wireless client when I ran ethereal on the wireless interface.
Thanx in advance for your help.
Chris.
Dynamic VLAN assignment
I know this idea is a bit whacked, but if anybody can think of a creative way I might be able to achieve it - I would be eternally grateful...
We are authenticating wireless users from a Cisco Aironet (1100/1200). I know that I can pass back a VLAN to plop the user into, once authenticated. What I want to do is have radius keep a pool of VLANs, and each time a user is authenticated, they end up in the next VLAN. It would also have to return disconnected vlans back into the pool for reuse.
Any thoughts? (If there is no relatively simple way to do this, I do have budget if anybody out there wants to help code it) :-)
Thanks,
Dan.
Re: Alan is the King!
Long Live The KING
hear, hear...

----- Original Message -----
From: Kostas Zorbadelos [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: RH List Account [EMAIL PROTECTED]
Sent: Monday, May 24, 2004 3:50 AM
Subject: Re: Alan is the King!

At Fri, 21 May 2004 11:03:45 -0300, RH List Account wrote:
This is indeed very interesting. I'll keep it in mind... (Opensource + support = convincing managers to switch!)

Folks, I just wanted to publicly thank Alan DeKok for his invaluable assistance last week. We had a problem that we were kicking ourselves over and just couldn't get. After a search online, we found www.cladju.org. I don't think it's well enough publicised here, but Alan does do RADIUS consulting, and can make your FreeRADIUS problems go away very very quickly. If you have a problem, and have found Alan's tireless answering of questions on this list to be useful, consider contacting him directly. He quickly found our problem, and we have now been able to turn on a new service, easily justifying his very modest fee. Open source is great, but people gotta eat. Alan, hats off to you.
Robert Hof
Internet Architect
Transact Bermuda

--
Kostas Zorbadelos
Currently at: Otenet IT Department
mailto: [EMAIL PROTECTED]
Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns.
Re: EAP-TLS and WEP key generation
I honestly don't know, but I'd love to find out. Three things I can think of to try...
1) You should be able to specify a vlan for your cypher suite, something like this
encryption vlan 90 mode ciphers wep128
You might see if that makes any difference
2) You could try using
encryption mode wep mandatory
instead of ciphers.
3) You could try upgrading to the latest IOS version for your AP, and/or open a TAC case.

On May 24, 2004, at 1:55 PM, Chris Bshaw wrote:
Hi Bob
Config attached. Also, I should mention the config of the client. I am using a NetGear WG511 802.11g card. I don't have any security features enabled on the utility which comes with the WG511 (no WEP, WPA etc) and there are no options for EAP on this utility. I enabled all the EAP stuff via the Authentication tab on the Properties of the interface under Start - Network and Dialup connections in Windoze. Under there I have the following set:
Enable network control using IEEE 802.1x
EAP Type: Smart Card or other Certificate
Use a certificate on this computer
and I select the certificate generated on my freeradius server. This is more or less what is described under http://www.freeradius.org/doc/EAPTLS.pdf. There is a method in this doc for debugging EAP on the Cisco AP, which I had not noticed before. I'll try this tomorrow.
Finally, just in case you might not remember from my previous emails, I was (and I think still am) able to see EAPOL packets on my wireless client when I ran ethereal on the wireless interface.
Thanx in advance for your help.
Chris.
Re: server crashes with new proxy code
Stephan Jaeger [EMAIL PROTECTED] wrote:
Here you go, this time it happened in another line of request_list.c:
Assertion failed in request_list.c, line 580

Ok. *That* error is expected. I haven't added code to allocate more sockets when the current one gets full. Under high load, there can be more than 256 requests outstanding to the same home server. The current code is told to blow up after 256, so I guess I need to fix it to handle that high-load scenario.
Alan DeKok.
Need Assistance please
Hello everyone,
I'm new to the Linux / Radius. I would greatly appreciate feedback to the problem I'm encountering.
I'm using Luisa v. 5, freeRadius v. 0.9.3 and OpenLDAP 2.1.25.
To troubleshoot I'm utilizing NTRadPing v.1.5.
When I test a user account [NTRadPing] I get response: Access-Accept (everything seems ok - the user authenticates fine).
The problem is that [attribute dump] does not show what groups the user belongs to.
Steps I've taken so far: I modified the ldap.attrmap file as follows:
replyItem Login-LAT-Group securityRole
securityRole is the attribute I see in the OpenLDAP.
After modifying the file... I'm now receiving a reply in attribute Dump (not what I expected); the only value I see is Users, e.g.
-Attribute Dump-
Login-LAT-Groups=Users
I was expecting the value Change Password and Users and Luisa Administrator.
---Attribute Dump-
Login-LAT-Groups=Users, Change Password, Administrator
The string Change Password has a space in it - is this why the full string is not replied? Is radius supposed to only return back a single attribute?
My objective is for radius to return a list of the groups the user belongs to.
Thank you,
Denis
Problem using Calling-Station-Id-Attribute in radcheck
Hello,
I'm using Freeradius (May,24,2004) with Mysql and PEAP for Authentication of a Wireless-Lan Client. If I only check Username Password, everything works fine. Now, I want also to check the MAC-Address of this Wireless-Lan Client. Therefore I added the Calling-Station-Id-Attribute to the radcheck table.

mysql> select * from radcheck;
+----+----------+--------------------+----+--------------+
| id | UserName | Attribute          | op | Value        |
+----+----------+--------------------+----+--------------+
|  1 | canram   | User-Password      | == | 123123       |
|  2 | canram   | Calling-Station-Id | == | 000d88522f1f |
+----+----------+--------------------+----+--------------+
2 rows in set (0.00 sec)

Unfortunately, freeradius cannot validate this user anymore. Are there any config-files I have to change? Please see the freeradiusdebug output below.

rad_recv: Access-Request packet from host 192.168.200.245:2048, id=0, length=125
User-Name = canram
NAS-IP-Address = 192.168.200.245
Called-Station-Id = 0006253bdc49
Calling-Station-Id = 000d88522f1f
NAS-Identifier = 0006253bdc49
NAS-Port = 34
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b0163616e72616d
Message-Authenticator = 0xfc56758dc0f3401bff35dc7ff7661def
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = canram, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
modcall[authorize]: module files returns notfound for request 0
radius_xlat: 'canram'
rlm_sql (sql): sql_set_user escaped user -- 'canram'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'canram' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'canram' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'canram' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'canram' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to 192.168.200.245:2048
EAP-Message = 0x0101001604100f6fa9e8b28c56ac8f9621226c76b4ae
Message-Authenticator = 0x
State = 0xde6114c592a60d68537235ef5398a9b4
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.200.245:2048, id=0, length=138
User-Name = canram
NAS-IP-Address = 192.168.200.245
Called-Station-Id = 0006253bdc49
Calling-Station-Id = 000d88522f1f
NAS-Identifier = 0006253bdc49
NAS-Port = 34
Framed-MTU = 1400
State = 0xde6114c592a60d68537235ef5398a9b4
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100060319
Message-Authenticator = 0xdeaffa0daedbb6a175f225a568170aa8
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = canram, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]:
RE: Freeradius Segmentation Fault on LDAP Bind
I build zlib, openssl, openssh, openldap, etc from the newest source, my guess is the openldap libs that freeradius uses... I haven't picked through the openldap ./configure or checked logs for discrepancies yet; I am rebuilding a server, just happy that I know how to get it working.

-----Original Message-----
From: Paul Bender [mailto:[EMAIL PROTECTED]
Sent: Monday, May 24, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius Segmentation Fault on LDAP Bind

Thanks for the info. Do you know what interaction between FreeRADIUS and OpenLDAP is triggering this problem? I ask because Red Hat has compiled OpenLDAP with SASL support for some time, and I have many other services that access OpenLDAP without a problem.

Willey Kurt D wrote:
Problem recreated on RH9 with gcc 3.4.0
Turns out the problem is not related to Fedora/RH or gcc: Remove --with-cyrus-sasl when you ./configure OpenLDAP 2.1.30

-----Original Message-----
From: Paul Bender [mailto:[EMAIL PROTECTED]
Sent: Monday, May 24, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius Segmentation Fault on LDAP Bind

I would love to hear your results. I have compiled it with both gcc 3.3.3 (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) and gcc 3.4.0 (gcc version 3.4.0 20040519 (Red Hat Linux 3.4.0-2)). In both cases, I get a segmentation fault. I spent a little time trying to get it to core dump, but I have not been successful. I did 'ulimit -c unlimited', enabled core dumps in radiusd.conf and compiled freeradius with --enable-developer. Yet, it still does not core dump on a segmentation fault.

Willey Kurt D wrote:
I am working on the same type of project with Fedora Core 1 and gcc 3.3.3, getting the same segmentation fault... I just built a new RedHat 9 test box with gcc 3.2.2-5; works great, even connecting to the LDAP server via OpenSSL. I think the problem may be gcc (on the OpenLDAP and/or FreeRADIUS compile) or Fedora. What gcc are you using? I am recompiling now but the test box is sloow. Will post results as they become available.
RE: Problem using Calling-Station-Id-Attribute in radcheck
Maybe your OP needs to be :=
Just something you could try, before an educated answer happens by.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Stefan Grünbaum
Sent: Monday, May 24, 2004 4:21 PM
To: [EMAIL PROTECTED]
Subject: Problem using Calling-Station-Id-Attribute in radcheck

Hello,
I'm using Freeradius (May,24,2004) with Mysql and PEAP for Authentication of a Wireless-Lan Client. If I only check Username Password, everything works fine. Now, I want also to check the MAC-Address of this Wireless-Lan Client. Therefore I added the Calling-Station-Id-Attribute to the radcheck table.

mysql> select * from radcheck;
+----+----------+--------------------+----+--------------+
| id | UserName | Attribute          | op | Value        |
+----+----------+--------------------+----+--------------+
|  1 | canram   | User-Password      | == | 123123       |
|  2 | canram   | Calling-Station-Id | == | 000d88522f1f |
+----+----------+--------------------+----+--------------+
2 rows in set (0.00 sec)

Unfortunately, freeradius cannot validate this user anymore. Are there any config-files I have to change? Please see the freeradiusdebug output below.
RE: Problem using Calling-Station-Id-Attribute in radcheck
Actually, this has to do with the tunnelled request. PEAP does not copy this attribute into the tunnelled request, so your comparison fails. You'll need to do this check on the outside of the tunnel, such as:

canram FreeRADIUS-Proxied-To !* , Calling-Station-Id != 000d88522f1f, Auth-Type := Reject
canram FreeRADIUS-Proxied-To == 127.0.0.1, User-Password == 123123

The above lines may wrap, but each is on its own separate line.
--Mike

On Mon, 2004-05-24 at 17:14, Anson Rinesmith wrote:
Maybe your OP needs to be :=
Just something you could try, before an educated answer happens by.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Stefan Grünbaum
Sent: Monday, May 24, 2004 4:21 PM
To: [EMAIL PROTECTED]
Subject: Problem using Calling-Station-Id-Attribute in radcheck

Hello,
I'm using Freeradius (May,24,2004) with Mysql and PEAP for Authentication of a Wireless-Lan Client. If I only check Username Password, everything works fine. Now, I want also to check the MAC-Address of this Wireless-Lan Client. Therefore I added the Calling-Station-Id-Attribute to the radcheck table.

mysql> select * from radcheck;
+----+----------+--------------------+----+--------------+
| id | UserName | Attribute          | op | Value        |
+----+----------+--------------------+----+--------------+
|  1 | canram   | User-Password      | == | 123123       |
|  2 | canram   | Calling-Station-Id | == | 000d88522f1f |
+----+----------+--------------------+----+--------------+
2 rows in set (0.00 sec)

Unfortunately, freeradius cannot validate this user anymore. Are there any config-files I have to change? Please see the freeradiusdebug output below.
Re: Dynamic VLAN assignment
i don't know, but i would say execute an external program which reads a VLAN list file and attributes and marks as used the next unused VLAN.
but you will end up with #VLANs = #users... it's pretty heavy (pull all the VLANs from all APs to the switches) and quite limited, isn't it?
ciao
artur

Dan Armstrong wrote:
I know this idea is a bit whacked, but if anybody can think of a creative way I might be able to achieve it - I would be eternally grateful...
We are authenticating wireless users from a Cisco Aironet (1100/1200). I know that I can pass back a VLAN to plop the user into, once authenticated. What I want to do is have radius keep a pool of VLANs, and each time a user is authenticated, they end up in the next VLAN. It would also have to return disconnected vlans back into the pool for reuse.
Any thoughts? (If there is no relatively simple way to do this, I do have budget if anybody out there wants to help code it) :-)
Thanks,
Dan.

--
Artur Hecker
artur[at]hecker.info
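One way to build the external program suggested above, as an added example that is not code from this thread or from FreeRADIUS: a file-backed pool that gives each session the lowest free VLAN and takes it back on disconnect. The class name, the lease file, keying sessions on Calling-Station-Id and returning the RFC 3580 tunnel attributes are assumptions of this example.

```python
import contextlib
import fcntl
import json
import os
import tempfile


class VlanPool:
    """Hypothetical helper: one VLAN per active session, state kept in a JSON file."""

    def __init__(self, state_path, vlan_ids):
        self.state_path = state_path
        self.vlan_ids = list(vlan_ids)

    @contextlib.contextmanager
    def _locked(self):
        # Serialise concurrent invocations (one per RADIUS request) on a lock file.
        with open(self.state_path + ".lock", "w") as lock:
            fcntl.flock(lock, fcntl.LOCK_EX)
            try:
                yield
            finally:
                fcntl.flock(lock, fcntl.LOCK_UN)

    def _load(self):
        try:
            with open(self.state_path) as fh:
                return json.load(fh)          # {session key: vlan id}
        except FileNotFoundError:
            return {}

    def _save(self, leases):
        # Write then rename, so a crash never leaves a half-written lease file.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.state_path) or ".")
        with os.fdopen(fd, "w") as fh:
            json.dump(leases, fh)
        os.replace(tmp, self.state_path)

    def allocate(self, session):
        """Call on Access-Accept. Returns a VLAN id, or None when the pool is empty."""
        with self._locked():
            leases = self._load()
            if session in leases:             # retransmitted request: same answer
                return leases[session]
            in_use = set(leases.values())
            for vlan in self.vlan_ids:
                if vlan not in in_use:
                    leases[session] = vlan
                    self._save(leases)
                    return vlan
            return None                       # exhausted: caller should reject

    def release(self, session):
        """Call on Accounting Stop. Returns the freed VLAN id, or None if unknown."""
        with self._locked():
            leases = self._load()
            vlan = leases.pop(session, None)
            if vlan is not None:
                self._save(leases)
            return vlan


def reply_attributes(vlan):
    """RFC 3580 attributes a NAS uses for dynamic VLAN assignment."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }


def demo():
    """Two-VLAN pool, three constructed client MACs used as session keys."""
    with tempfile.TemporaryDirectory() as d:
        pool = VlanPool(os.path.join(d, "leases.json"), [101, 102])
        a, b, c = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
        return [
            pool.allocate(a),       # first free VLAN
            pool.allocate(b),       # next free VLAN
            pool.allocate(a),       # retransmit keeps its lease
            pool.allocate(c),       # pool exhausted
            pool.release(a),        # disconnect returns the VLAN
            pool.allocate(c),       # freed VLAN is reused
            pool.release("unknown"),
        ]


if __name__ == "__main__":
    print(demo())
    print(reply_attributes(101))
```

Leases are only returned when the NAS actually sends an Accounting Stop, so a deployment would also need to expire leases for sessions that vanish without one.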
RE: url redirect+user status
Behalf Of Szabo David
Sent: Sunday, May 23, 2004 5:44 PM

I would like to set a web page that the users who are authenticated by the Radius server see at first when they open their web browser. I don't have any idea to do this. Can anyone help me?

this has to be done by your AP/NAS/whatever not freeradius. Although you could supply an attribute telling your AP to where the user should be redirected..

I have another question. How can I check that the users are still using the wireless network? I see the login-time. But I'd like to know the logoff-time if it's possible.

again, job of your AP. depends on what you're using it should send a stop record or at least Alives'
Michael
Re: Freeradius Segmentation Fault on LDAP Bind
Alan DeKok wrote:
Paul Bender [EMAIL PROTECTED] wrote:
I do not believe I am using TLS (or SSL) to connect to the LDAP server, since I have set start_tls=0 in my ldap module configuration and since freeradius is attempting to connect to the ldap (not the ldaps) port.

See doc/bugs for details on more detailed bug reporting information. Also, see bugs.freeradius.org
Alan DeKok.

I think I found it. The problem appears to be that rlm_ldap checks for and links against libsasl, but the OpenLDAP libraries use libsasl2. As a result, when FreeRADIUS runs, it loads both libsasl.so and libsasl2.so. This causes a problem since they contain incompatible versions of sasl_client_new. It appears that with both of them loaded, OpenLDAP ends up calling the sasl_client_new in libsasl.so but it was compiled against the version of sasl_client_new in libsasl2.so. As a result, it segfaults.

Having said that, I cannot figure out why rlm_ldap checks for and links against libsasl. If I stop rlm_ldap from linking against libsasl, everything appears to work. Does anyone know why rlm_ldap needs libsasl?

Anyway, for those that care, here is what I did to find the problem:

I did a backtrace from within gdb, which I have included below (with the password replaced). It has been pointed out in this thread that FreeRADIUS does not segfault when OpenLDAP is compiled without SASL support. Looking at the backtrace, the segfault is happening in sasl_client_new. Interestingly, based on the line number and arguments for sasl_client_new, OpenLDAP appears to be using the sasl_client_new from SASL 1.5.28 not from SASL 2.1.18. However, based on the line number for ldap_int_sasl_open, OpenLDAP appears to be using the sasl_client_new from SASL2. The arguments for this function change from SASL1 to SASL2. Therefore, if the wrong version of sasl_client_new is being called, then there could be a real problem.

Using 'info shared' within gdb reveals that both libsasl.so.7 and libsasl2.so.2 are loaded and that the memory location for the sasl_client_new in the backtrace is within the address range of libsasl.so.7.

I moved all the libsasl libraries and restarted freeradius. Freeradius would not start because rlm_ldap needed libsasl.so.7. When I look at rlm_ldap, I find that during its configuration, it is checking for libsasl. However, looking at the code, I cannot figure out why it needed libsasl. Therefore, I rebuilt freeradius with the libsasl libraries moved so that rlm_ldap would not find them. Once I installed this version of freeradius, freeradius no longer segfaulted.

- bt -
#0 0x00ad361d in sasl_client_new (service=0x44ef79 ldap, serverFQDN=0x82d5b48 server.private, prompt_supp=0x82d5b78, secflags=137190264, pconn=0x44ec40) at client.c:435
#1 0x004304a8 in ldap_int_sasl_open (ld=0x82d56f0, lc=0x82d5ac8, host=0x82d5b48 server.private) at cyrus.c:476
#2 0x0042abee in ldap_int_open_connection (ld=0x82d56f0, conn=0x82d5ac8, srv=0x82d5a58, async=0) at open.c:348
#3 0x0043ce69 in ldap_new_connection (ld=0x82d56f0, srvlist=0x82d5a58, use_ldsb=1, connect=1, bind=0x0) at request.c:315
#4 0x0042a6a1 in ldap_open_defconn (ld=0x82d56f0) at open.c:32
#5 0x0043c9df in ldap_send_initial_request (ld=0x82d56f0, msgtype=96, dn=0x82cb120 uid=radiusd,ou=users,dc=private, ber=0x82d57b0) at request.c:98
#6 0x004328b7 in ldap_sasl_bind (ld=0x82d56f0, dn=0x82cb120 uid=radiusd,ou=users,dc=private, mechanism=0x0, cred=0xfef0d9f0, sctrls=0x82d5b78, cctrls=0x82d5b78, msgidp=0xfef0d9ec) at sasl.c:143
#7 0x004332d0 in ldap_simple_bind (ld=0x82d56f0, dn=0x82d5b78 ȧ«, passwd=0x0) at sbind.c:81
#8 0x0042a565 in ldap_bind (ld=0x82d56f0, dn=0x82d5b78 ȧ«, passwd=0x82d5b78 ȧ«, authmethod=128) at bind.c:71
#9 0x0061764d in ldap_connect (instance=0x82d15b8, dn=0x82cb120 uid=radiusd,ou=users,dc=private, password=0x82cb148 , auth=0, result=0xfef0dac8) at rlm_ldap.c:1675
#10 0x00617d8d in perform_search (instance=0x82d15b8, conn=0x82d1840, search_basedn=0xfef0dc70 dc=private, scope=2, filter=0xfef0e070 (uid=paul), attrs=0x82d18f8, result=0xfef0db68) at rlm_ldap.c:685
#11 0x0061a369 in ldap_authorize (instance=0x82d15b8, request=0x82d3c10) at rlm_ldap.c:1145
#12 0x08057e24 in modcall (component=1, c=0x82ce528, request=0x82d3c10) at modcall.c:219
#13 0x080580c6 in modcall (component=1, c=0x82cb4e8, request=0x82d3c10) at modcall.c:252
#14 0x080571b4 in indexed_modcall (comp=1, idx=2785, request=0x82d5b78) at modules.c:469
#15 0x08053e15 in rad_authenticate (request=0x82d3c10) at auth.c:552
#16 0x0804c917 in rad_respond (request=0x82d3c10, fun=0x8053d70 rad_authenticate) at radiusd.c:1664
#17 0x0804e4d0 in main (argc=2, argv=0xfef10504) at radiusd.c:1452
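The check described in the message above (map each backtrace frame to the shared object that owns its address, and notice that two builds of the same library are loaded) can be scripted. This is an added example, not code from the thread or from FreeRADIUS; the `info shared` address ranges and library paths are constructed, and only the frame addresses, function names and the two SASL sonames come from the message.

```python
import os
import re
from collections import defaultdict

# Constructed gdb `info shared` output: ranges and paths are made up so that
# they are consistent with the frame addresses quoted in the thread.
INFO_SHARED = """\
From        To          Syms Read   Shared Object Library
0x00415000  0x0044f000  Yes         /usr/lib/libldap.so.2
0x00612000  0x0061c000  Yes         /usr/local/lib/rlm_ldap-0.9.3.so
0x00ad0000  0x00adc000  Yes         /usr/lib/libsasl.so.7
0x00b10000  0x00b22000  Yes         /usr/lib/libsasl2.so.2
"""

# Four frames from the thread's backtrace, arguments abbreviated to (...).
BACKTRACE = """\
#0 0x00ad361d in sasl_client_new (...) at client.c:435
#1 0x004304a8 in ldap_int_sasl_open (...) at cyrus.c:476
#9 0x0061764d in ldap_connect (...) at rlm_ldap.c:1675
#12 0x08057e24 in modcall (...) at modcall.c:219
"""

LIB_ROW = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+.*?(/\S+)$")
FRAME = re.compile(r"^#(\d+)\s+(0x[0-9a-f]+) in (\w+) ")
# "libsasl.so.7" and "libsasl2.so.2" both reduce to the family "libsasl".
FAMILY = re.compile(r"^(lib[A-Za-z_]+?)\d*\.so(?:\.\d+)*$")


def parse_info_shared(text):
    """Return [(start, end, soname)] for every mapped shared object."""
    libs = []
    for line in text.splitlines():
        m = LIB_ROW.match(line.strip())
        if m:
            libs.append((int(m.group(1), 16), int(m.group(2), 16),
                         os.path.basename(m.group(3))))
    return libs


def parse_backtrace(text):
    """Return [(frame number, pc, function)]; frames without a pc are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
    return frames


def owner(addr, libs):
    """Shared object whose text range contains addr, or None (main executable)."""
    for start, end, name in libs:
        if start <= addr < end:
            return name
    return None


def conflicting_families(libs):
    """Library families with more than one soname loaded at once (heuristic)."""
    families = defaultdict(set)
    for _, _, name in libs:
        m = FAMILY.match(name)
        if m:
            families[m.group(1)].add(name)
    return {fam: sorted(names) for fam, names in families.items()
            if len(names) > 1}


def diagnose(info_shared, backtrace):
    """Return (conflicts, [(frame, function, owning library, suspect?)])."""
    libs = parse_info_shared(info_shared)
    conflicts = conflicting_families(libs)
    suspects = {n for names in conflicts.values() for n in names}
    report = []
    for num, addr, func in parse_backtrace(backtrace):
        lib = owner(addr, libs)
        report.append((num, func, lib, lib in suspects))
    return conflicts, report


if __name__ == "__main__":
    conflicts, report = diagnose(INFO_SHARED, BACKTRACE)
    for fam, names in conflicts.items():
        print("multiple builds of %s loaded: %s" % (fam, ", ".join(names)))
    for num, func, lib, suspect in report:
        flag = "  <-- in a duplicated library" if suspect else ""
        print("#%d %s -> %s%s" % (num, func, lib or "(main executable)", flag))
```

A crashing frame that resolves into one member of a duplicated family, called from a library built against the other member, is the pattern the message identifies.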
Re: dialup_admin web pages' buttons problem.
Hi Kostas,
On Mon, 24 May 2004, you wrote in reply to my posted message below.

You wrote (in reply):
Try asking for the corresponding pages directly, like: http://your-machine-name/dialupadmin-dir/accounting.php3

I did the above and I still get a blank page as before.

You also wrote (in reply):
What do you mean by not loading?

Sorry for the mislead. I meant that the pages weren't showing what they were supposed to show and were showing blank pages or just a blank green screen. That is, after clicking on the buttons like Accounting, Statistics, Online, Users, New User, Edit Group, and New Group.
In my httpd.conf I have also included:
AddType application/x-httpd-php .php3
AddType application/x-httpd-php .php4
I have also made sure that the general_base_dir path inside admin.conf is correct. The other buttons like Home, User Statistics, Bad Users, Failed Logins, Find User, Show Groups, Check Server, Help and About show properly when clicked on.
Is there anything I'm missing?
Cheers,
Shannon

On Sun, 23 May 2004, Shannon Sariman wrote:
Hi All,
I'm nearly there with dialup_admin being fully operational on my RH 8.0 machine, but some of the buttons like Accounting, Statistics, Online Users, New User, Edit Group, and New Group, aren't loading when I click on them, on my web browser. I have thoroughly (???), gone through each button's relevant php file and have seen no problem in the file (and so I think). My include statements in each respective php file look correct, but the buttons won't load their php files. Am I missing anything here?

Try asking for the corresponding pages directly, like: http://your-machine-name/dialupadmin-dir/accounting.php3
What do you mean by not loading?

Any help is much appreciated. Thanx in advance.
Shannon

Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Duplicate Entry
I have configured Freeradius.0.9.3 with mysql for accounting. My problem is Mysql records duplicate entry for single clients entry. I think start query is ok start update is also ok stop update is ok stop insert is insert even though the record is already there help me in this problem.

The stop packet will probably be sent by your client twice. It looks like your radius server is not responding fast enough to the client. So the client assumes that the record has not reached the radius and is sending it for the second time. Check the indexes on your tables and try to estimate the time taken for each insert. This should solve the problem. thanks

Thank u kiran for ur kind help. I also think like that about this problem. because I am recording the data so far away from the client it has to cross across 3 or more gateways so there may be a problem.

Another question if my client comes through a tunnel my system records the data information on the tunnel IP only not treat as a client record what I have to do. If you know pls help me thanks thanks thanks
AW: Problem using Calling-Station-Id-Attribute in radcheck
I already tried this, but unfortunately this doesn't work either.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anson Rinesmith
Sent: Tuesday, 25 May 2004 00:14
To: [EMAIL PROTECTED]
Subject: RE: Problem using Calling-Station-Id-Attribute in radcheck

Maybe your OP needs to be := Just something you could try, before an educated answer happens by.

-Original Message-
From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Stefan Grünbaum
Sent: Monday, May 24, 2004 4:21 PM
To: [EMAIL PROTECTED]
Subject: Problem using Calling-Station-Id-Attribute in radcheck

Hello, I'm using Freeradius (May,24,2004) with Mysql and PEAP for Authentication of a Wireless-Lan Client. If I only check Username Password, everything works fine. Now, I want also to check the MAC-Address of this Wireless-Lan Client. Therefore I added the Calling-Station-Id-Attribute to the radcheck table.

mysql> select * from radcheck;
+----+----------+--------------------+----+--------------+
| id | UserName | Attribute          | op | Value        |
+----+----------+--------------------+----+--------------+
|  1 | canram   | User-Password      | == | 123123       |
|  2 | canram   | Calling-Station-Id | == | 000d88522f1f |
+----+----------+--------------------+----+--------------+
2 rows in set (0.00 sec)

Unfortunately, freeradius cannot validate this user anymore. Are there any config-files I have to change? Please see the freeradiusdebug output below.

rad_recv: Access-Request packet from host 192.168.200.245:2048, id=0, length=125
    User-Name = canram
    NAS-IP-Address = 192.168.200.245
    Called-Station-Id = 0006253bdc49
    Calling-Station-Id = 000d88522f1f
    NAS-Identifier = 0006253bdc49
    NAS-Port = 34
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020b0163616e72616d
    Message-Authenticator = 0xfc56758dc0f3401bff35dc7ff7661def
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = canram, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
modcall[authorize]: module files returns notfound for request 0
radius_xlat: 'canram'
rlm_sql (sql): sql_set_user escaped user -- 'canram'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'canram' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'canram' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'canram' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'canram' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to 192.168.200.245:2048
    EAP-Message = 0x0101001604100f6fa9e8b28c56ac8f9621226c76b4ae
    Message-Authenticator = 0x
    State = 0xde6114c592a60d68537235ef5398a9b4
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.200.245:2048, id=0, length=138
    User-Name = canram
    NAS-IP-Address = 192.168.200.245
    Called-Station-Id = 0006253bdc49
    Calling-Station-Id = 000d88522f1f
    NAS-Identifier = 0006253bdc49
    NAS-Port = 34
    Framed-MTU = 1400
    State = 0xde6114c592a60d68537235ef5398a9b4
    NAS-Port-Type
AW: Problem using Calling-Station-Id-Attribute in radcheck
Is there any way to define all these options only in the mysql-database, because I prefer to manage all user and devices in one database. I don't want to manage a second database or file, like the users file. Btw. what about the copy_request_to_tunnel option in eap.conf. I tried already no and yes but no success. Could this perhaps be a way to solve this problem? Thanks so far. Canram.

- Michael Griego wrote -

Actually, this has to do with the tunnelled request. PEAP does not copy this attribute into the tunnelled request, so your comparison fails. You'll need to do this check on the outside of the tunnel, such as:

canram FreeRADIUS-Proxied-To !* , Calling-Station-Id != 000d88522f1f, Auth-Type := Reject
canram FreeRADIUS-Proxied-To == 127.0.0.1, User-Password == 123123

The above lines may wrap, but each is on its own separate line. --Mike

On Mon, 2004-05-24 at 17:14, Anson Rinesmith wrote:

Maybe your OP needs to be := Just something you could try, before an educated answer happens by.

-Original Message-
From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Stefan Grünbaum
Sent: Monday, May 24, 2004 4:21 PM
To: [EMAIL PROTECTED]
Subject: Problem using Calling-Station-Id-Attribute in radcheck

Hello, I'm using Freeradius (May,24,2004) with Mysql and PEAP for Authentication of a Wireless-Lan Client. If I only check Username Password, everything works fine. Now, I want also to check the MAC-Address of this Wireless-Lan Client. Therefore I added the Calling-Station-Id-Attribute to the radcheck table.

mysql> select * from radcheck;
+----+----------+--------------------+----+--------------+
| id | UserName | Attribute          | op | Value        |
+----+----------+--------------------+----+--------------+
|  1 | canram   | User-Password      | == | 123123       |
|  2 | canram   | Calling-Station-Id | == | 000d88522f1f |
+----+----------+--------------------+----+--------------+
2 rows in set (0.00 sec)

Unfortunately, freeradius cannot validate this user anymore. Are there any config-files I have to change? Please see the freeradiusdebug output below.

rad_recv: Access-Request packet from host 192.168.200.245:2048, id=0, length=125
    User-Name = canram
    NAS-IP-Address = 192.168.200.245
    Called-Station-Id = 0006253bdc49
    Calling-Station-Id = 000d88522f1f
    NAS-Identifier = 0006253bdc49
    NAS-Port = 34
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020b0163616e72616d
    Message-Authenticator = 0xfc56758dc0f3401bff35dc7ff7661def
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = canram, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
modcall[authorize]: module files returns notfound for request 0
radius_xlat: 'canram'
rlm_sql (sql): sql_set_user escaped user -- 'canram'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'canram' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'canram' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'canram' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'canram' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to
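
The behaviour Michael Griego describes in the message above, as an added example that is not part of the original thread and is not FreeRADIUS code: a simplified Python model of check-item matching, showing why the radcheck rows match the outer request but not the tunnelled one, and how the two users-file entries split the MAC check and the password between them. The sample requests are constructed, and the operator semantics (`!*` matches only when the attribute is absent, `==` and `!=` only when it is present, `Auth-Type` and `User-Password` never filter) are assumptions of the model.

```python
# Simplified model of users-file check-item matching. Added illustration,
# not FreeRADIUS code. Assumption: Auth-Type and User-Password are
# server-side items that configure the request rather than filter it.
SERVER_SIDE = {"Auth-Type", "User-Password"}
MAC = "000d88522f1f"

# The radcheck rows from the question, treated as one entry for canram.
RADCHECK = [[("User-Password", "==", "123123"),
             ("Calling-Station-Id", "==", MAC)]]

# The two users-file entries from the reply.
USERS = [[("FreeRADIUS-Proxied-To", "!*", None),
          ("Calling-Station-Id", "!=", MAC),
          ("Auth-Type", ":=", "Reject")],
         [("FreeRADIUS-Proxied-To", "==", "127.0.0.1"),
          ("User-Password", "==", "123123")]]

# Constructed sample requests: outer from the NAS, inner from the PEAP tunnel.
OUTER = {"User-Name": "canram", "Calling-Station-Id": MAC}
INNER = {"User-Name": "canram", "FreeRADIUS-Proxied-To": "127.0.0.1"}

def item_matches(request, attr, op, value):
    if attr in SERVER_SIDE or op == ":=":
        return True                      # never filters the request
    if op == "!*":
        return attr not in request       # matches only when absent
    if attr not in request:
        return False                     # "==" and "!=" need the attribute
    return (request[attr] == value) == (op == "==")

def first_match(request, entries):
    """Index of the first entry whose check items all match, else None."""
    for index, entry in enumerate(entries):
        if all(item_matches(request, *item) for item in entry):
            return index
    return None

def decide(outer, inner, entries=USERS):
    """The outer request is evaluated first; the inner one only if it passes."""
    if first_match(outer, entries) == 0:
        return "reject: MAC mismatch on outer request"
    if first_match(inner, entries) == 1:
        return "continue: inner request uses configured password"
    return "no entry matched"

if __name__ == "__main__":
    print(first_match(INNER, RADCHECK))  # radcheck rows against the tunnel
    print(decide(OUTER, INNER))
    print(decide({**OUTER, "Calling-Station-Id": "00aabbccddee"}, INNER))
```

In this model an outer request that carries no Calling-Station-Id at all is not rejected by the first entry, because `!=` only matches when the attribute is present, so it is worth confirming that the NAS always sends it.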
RE: problems with radwho
[EMAIL PROTECTED] wrote:

I'm having problems getting utmp accounting to work properly on FreeRadius (latest version). When the NAS sends an account-request packet to radius, everything seems ok except for the following line seen in the debug window:

rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!

The corresponding Access Request packet from the NAS contains: NAS-Port-Type = Virtual.

NAS-Port-Type does not help here. NAS-Port-Type indicates the type of the port in the NAS where the user is connected. NAS-Port, which is needed by the radutmp, indicates the actual physical port where the user is connected to. So, for one kind of NAS with one kind of connections, the NAS-Port-Type could be the same for every connection, but the NAS-Port would differ.

I'm using a HP Procurve 6108 switch. I suspect that radius wants me to set the NAS-Port-Type to ethernet or similar, however I do not know how to get the switch to send a NAS-Port-Type that radius will like. radwho also does not work for my netscreen boxes.

The problem here is not the NAS-Port-Type but the lack of NAS-Port.

(sorry for the disclaimer at the end... :)

-- Tero Turtiainen Telecom, Media Entertainment Capgemini [EMAIL PROTECTED]