Returning parameters from script fails
Hi, we are using freeradius 0.9.3 CVS snapshot of May, 24 on RH Linux 7.3. And now we have a different problem with scripts: values do not return when there is more than one attribute. To explain it simply:

This works:

    #!/usr/bin/python
    # Auth script
    import sys
    # print "Framed-IP-Netmask = 255.255.255.255"
    print "Framed-IP-Address = 217.107.182.222"
    sys.exit(0)

While this does not:

    #!/usr/bin/python
    # Auth script
    import sys
    print "Framed-IP-Netmask = 255.255.255.255"
    print "Framed-IP-Address = 217.107.182.222"
    sys.exit(0)

(radius sees no attributes at all)

It worked before we updated radius. Are we doing anything wrong? Thank you for any hints in advance!

Sincerely yours, Roman A.Suzi
-- Petrozavodsk - Karelia - Russia - mailto:[EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_eap_leap: No User-Password or NT-Password configured for this user
Hi, I am trying to authenticate Cisco AP 1200 against FreeRadius through LDAP.The following is the error I am getting after stage 2 rlm_eap_leap: No User-Password or NT-Password configured for this user. The LDAP authentication is getting done. and the EAP is also getting started. But, the credentials of the LDAP is not getting used for EAP. Please suggest the reason for this error. Log is given below. Joseph === rad_recv: Access-Request packet from host 192.168.1.7:21645, id=245, length=125 User-Name = FAnthony Framed-MTU = 1400 Called-Station-Id = 000e.d7b1.008b Calling-Station-Id = 000f.2478.85cf Message-Authenticator = 0x2f568765c076a1cc35ec515b50580740 EAP-Message = 0x0202000d0146416e74686f6e79 NAS-Port-Type = Wireless-802.11 NAS-Port = 485 Service-Type = Framed-User NAS-IP-Address = 192.168.1.7 modcall: entering group authorize for request 0 modcall[authorize]: module preprocess returns ok for request 0 modcall[authorize]: module chap returns noop for request 0 rlm_eap: EAP packet type notification id 2 length 13 rlm_eap: EAP Start not found modcall[authorize]: module eap returns updated for request 0 rlm_realm: No '@' in User-Name = FAnthony, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'o=MyOrg' radius_xlat: '(uid=FAnthony)' ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 192.168.1.41:389, authentication 0 rlm_ldap: bind as cn=Admin,o=MyOrg/removed to 192.168.1.41:389 rlm_ldap: waiting for bind result ... 
rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony) ldap_release_conn: Release Id: 0 radius_xlat: '((uid=FAnthony)(objectclass=top))' ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=MyLoc,O=MyOrg, with filter ((uid=FAnthony)(objectclass=top)) rlm_ldap::ldap_groupcmp: User found in group OU=MyLoc,O=MyOrg ldap_release_conn: Release Id: 0 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module files returns ok for request 0 modcall[authorize]: module mschap returns noop for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for FAnthony radius_xlat: '(uid=FAnthony)' radius_xlat: 'o=MyOrg' ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony) rlm_ldap: checking if remote access for FAnthony is allowed by proposedaltorgunit rlm_ldap: Password header not found in password (91CA0741343JHUG6C9A32A21F) for user FAnthony rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... 
rlm_ldap: user FAnthony authorized to use remote access ldap_release_conn: Release Id: 0 modcall[authorize]: module ldap returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type EAP modcall: entering group authenticate for request 0 rlm_eap: EAP packet type notification id 2 length 13 rlm_eap: EAP Start not found rlm_eap: EAP Identity rlm_eap: processing type leap rlm_eap_leap: Stage 2 rlm_eap_leap: Issuing AP Challenge rlm_eap_leap: Successfully initiated modcall[authenticate]: module eap returns ok for request 0 modcall: group authenticate returns ok for request 0 modcall: entering group post-auth for request 0 radius_xlat: '/var/log/radius/radacct/192.168.1.7/reply-detail-20040524' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.7/reply-detail-20040524 modcall[post-auth]: module reply_log returns ok for request 0 modcall: group post-auth returns ok for request 0 Sending Access-Challenge of id 245 to 192.168.1.7:21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0103001811010008b94601729c9a3dd446416e74686f6e79 Message-Authenticator = 0x State = 0xe3166619f4e5ebeceeecf4c8ad538f14c2b3b1406fa168fb18df0f59e7687b3844c0e160 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 192.168.1.7:21645, id=246, length=190 User-Name = FAnthony Framed-MTU = 1400 Called-Station-Id = 000e.d7b1.008b Calling-Station-Id = 000f.2478.85cf Message-Authenticator = 0xbbf0ade28f802ee85b254d14fd07308c EAP-Message = 0x0203002811010018e24bd48592abbef7378f8fc67fcd97fe01e0cfd3cba39e1446416e74686f6e79 NAS-Port-Type = Wireless-802.11 NAS-Port = 485 State = 0xe3166619f4e5ebeceeecf4c8ad538f14c2b3b1406fa168fb18df0f59e7687b3844c0e160 Service-Type = Framed-User NAS-IP-Address =
Re: MySQL and EAP-TLS
At 18:51 on Tuesday 25 May 2004, Alan DeKok wrote: James [EMAIL PROTECTED] wrote: I know that it is possible to use EAP-TLS for authentication purposes together with My-SQL for authorization. However I cannot figure out what to put in radiuscheck in lieu of the password attribute Nothing. Thank you Alan for your reply but I need some more explanation. What did you mean when you said Nothing? Should I leave empty the Attribute and Value columns in the radiuscheck table, or should I create a new radiuscheck table without them, or should I not even use such a table? Thank you again.
Re: rlm_eap_leap: No User-Password or NT-Password configured for this user
On Wed, 26 May 2004, Joseph Silvin wrote: Hi, I am trying to authenticate Cisco AP 1200 against FreeRadius through LDAP.The following is the error I am getting after stage 2 rlm_eap_leap: No User-Password or NT-Password configured for this user. The LDAP authentication is getting done. and the EAP is also getting started. But, the credentials of the LDAP is not getting used for EAP. Please suggest the reason for this error. Log is given below. Joseph === rad_recv: Access-Request packet from host 192.168.1.7:21645, id=245, length=125 User-Name = FAnthony Framed-MTU = 1400 Called-Station-Id = 000e.d7b1.008b Calling-Station-Id = 000f.2478.85cf Message-Authenticator = 0x2f568765c076a1cc35ec515b50580740 EAP-Message = 0x0202000d0146416e74686f6e79 NAS-Port-Type = Wireless-802.11 NAS-Port = 485 Service-Type = Framed-User NAS-IP-Address = 192.168.1.7 [...] rlm_ldap: Password header not found in password (91CA0741343JHUG6C9A32A21F) for user FAnthony The above is the error you are looking for. Check the password_header ldap configuration directive. rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
intermediate accounting
Hello list, Is it possible to activate "intermediate accounting" in freeradius? The objective is: I have a proxy radius (radius1) that authenticates and sends accounting packets to another radius server (radius2). Sometimes I have clients that, when they disconnect, radius2 doesn't receive the stop packet for accounting of that session, so I have thought of doing intermediate accounting: radius1 will send accounting packets to radius2 in intervals of 10 minutes, so if there is a problem and the stop packet from radius1 doesn't reach radius2 I will have some information from accounting because radius1 has previously sent that information, so I lose some information but I don't lose it all ... Best regards
Re: eap-tls with XP client and linux client
Alan DeKok wrote: Szabo David [EMAIL PROTECTED] wrote: Why does the Xp client lose the connection when the RAdius server is cleaning up requests? It doesn't. The two events are completely independent. What's probably happening is that there's a Session-Timeout sent in the reply, which tells the AP to kick the client off after a short period of time. Alan DeKok. How do you mean? How do I change that variable? Is the variable in the answer from the radius answer to the client? /Ulf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_eap_leap: No User-Password or NT-Password configured for this user
Hi, Thanks. I have rectified the password_header and now the Password header is gone. But still the EAP is not taking the LDAP password (rlm_eap_leap: Stage 4).

My config:

radiusd.conf
---
default_eap_type = md5

users
---
DEFAULT Auth-Type = LDAP
        Fall-Through = 1

Instead of this, if I put (as below) manually, the card associated with the AP. (LDAPPassword is the actual password)

DEFAULT Auth-Type = LDAP, User-Password = LDAPPassword
        Fall-Through = 1

Waiting for your comments. Joseph

Revised Log below.
=
rad_recv: Access-Request packet from host 192.168.1.7:21646, id=16, length=125
        User-Name = FAnthony
        Framed-MTU = 1400
        Called-Station-Id = 000e.d7b1.008b
        Calling-Station-Id = 000f.2478.85cf
        Message-Authenticator = 0xe8f0eb5a20be270bdf42e04b15641dd6
        EAP-Message = 0x0202000d0146416e74686f6e79
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 495
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.1.7
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  rlm_eap: EAP packet type notification id 2 length 13
  rlm_eap: EAP Start not found
  modcall[authorize]: module eap returns updated for request 0
    rlm_realm: No '@' in User-Name = FAnthony, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=MyOrg'
radius_xlat: '(uid=FAnthony)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.41:389, authentication 0
rlm_ldap: bind as cn=Admin,o=MyOrg/deleted to 192.168.1.41:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony) ldap_release_conn: Release Id: 0 radius_xlat: '((uid=FAnthony)(objectclass=top))' ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=MyLoc,O=MyOrg, with filter ((uid=FAnthony)(objectclass=top)) rlm_ldap::ldap_groupcmp: User found in group OU=MyLoc,O=MyOrg ldap_release_conn: Release Id: 0 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module files returns ok for request 0 modcall[authorize]: module mschap returns noop for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for FAnthony radius_xlat: '(uid=FAnthony)' radius_xlat: 'o=MyOrg' ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony) rlm_ldap: checking if remote access for FAnthony is allowed by proposedaltorgunit rlm_ldap: Added password (91CA074DSFSD4453936C9A32AF) in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... 
rlm_ldap: user FAnthony authorized to use remote access ldap_release_conn: Release Id: 0 modcall[authorize]: module ldap returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type EAP modcall: entering group authenticate for request 0 rlm_eap: EAP packet type notification id 2 length 13 rlm_eap: EAP Start not found rlm_eap: EAP Identity rlm_eap: processing type leap rlm_eap_leap: Stage 2 rlm_eap_leap: Issuing AP Challenge rlm_eap_leap: Successfully initiated modcall[authenticate]: module eap returns ok for request 0 modcall: group authenticate returns ok for request 0 modcall: entering group post-auth for request 0 radius_xlat: '/var/log/radius/radacct/192.168.1.7/reply-detail-20040524' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.7/reply-detail-20040524 modcall[post-auth]: module reply_log returns ok for request 0 modcall: group post-auth returns ok for request 0 Sending Access-Challenge of id 16 to 192.168.1.7:21646 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x01030018110100087900c7559163b3ae46416e74686f6e79 Message-Authenticator = 0x State = 0x862fd36799ba12ee881a477605e2880b5bd0b140aba87a1a97c697e9e6ca0f3a970c65d2 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.7:21646, id=17, length=190 User-Name = FAnthony Framed-MTU = 1400 Called-Station-Id = 000e.d7b1.008b Calling-Station-Id = 000f.2478.85cf Message-Authenticator = 0x61f158e50ab18ae2609916cdde5d3768 EAP-Message = 0x0203002811010018010364ea1f5cfcc8d6a0ce99255ffd208bbc7dd9f77326a246416e74686f6e79 NAS-Port-Type = Wireless-802.11 NAS-Port = 495 State = 0x862fd36799ba12ee881a477605e2880b5bd0b140aba87a1a97c697e9e6ca0f3a970c65d2
max6000 and freeradius - authentication ok, log into radius-mysql not send full information
Hi all, I need to log on radius radacct (mysql database) this information: ConnectInfo_Start and ConnectInfo_stop of max users (max6000). Authentication is ok, but this information doesn't get logged to the database. Can anyone help me? Thanks, Dilson.
PEAP vs EAP/TLS
One doubt, basically the operation between server and AP is the same in EAP/TLS and PEAP but for the fact that in the former the user has a cert and in the latter a screen should be prompted for the user to introduce its login and passw so the RADIUS must check them in the users file? sorry for the basic question but I'm not able to get the prompt for my user and I'm trying to discard any basic mistake in concepts thanks bfr isn't it?

- Original message - From: BLANCA FERRERO RODRIGUEZ [EMAIL PROTECTED] Date: Tuesday, May 25, 2004 8:45 am Subject: Re: peap user

I'm configuring PEAP. I think the freeradius config is Ok. ... modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting user Nope, it's not. Alan DeKok. I think that message comes because the user sent by my AP to the radius is not in my users file, and it matches a default user I added with Auth-Type = reject... but it makes sense doesn't it? bfr

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Returning parameters from script fails (solved)
I forgot to add commas:

    print "Framed-IP-Netmask = 255.255.255.255,"
    print "Framed-IP-Address = 217.107.182.222,"

Sincerely yours, Roman A.Suzi
-- Petrozavodsk - Karelia - Russia - mailto:[EMAIL PROTECTED]

On Wed, 26 May 2004, Roman Suzi wrote:
> Hi, we are using freeradius 0.9.3 CVS snapshot of May, 24 on RH Linux 7.3. And now we have a different problem with scripts: values do not return when there is more than one attribute. To explain it simply:
>
> This works:
>
>     #!/usr/bin/python
>     # Auth script
>     import sys
>     # print "Framed-IP-Netmask = 255.255.255.255"
>     print "Framed-IP-Address = 217.107.182.222"
>     sys.exit(0)
>
> While this does not:
>
>     #!/usr/bin/python
>     # Auth script
>     import sys
>     print "Framed-IP-Netmask = 255.255.255.255"
>     print "Framed-IP-Address = 217.107.182.222"
>     sys.exit(0)
>
> (radius sees no attributes at all)
>
> It worked before we updated radius. Are we doing anything wrong? Thank you for any hints in advance!
>
> Sincerely yours, Roman A.Suzi
> -- Petrozavodsk - Karelia - Russia - mailto:[EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
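As an added example (not Roman's script and not FreeRADIUS code), the Python 3 script below renders an Exec-Program-Wait reply the way the fix above requires, every pair terminated by a comma, and includes a small model of a comma-delimited pair parser to show why the comma-less version yields no attributes at all: without commas the second attribute is swallowed into the first value, the value fails to parse as an address, and the whole reply is dropped. The parser is a simplified model of the behaviour the thread describes, not the server's own code; the address table and the assumption that the server passes request attributes to the script as environment variables such as USER_NAME are this example's own.

```python
#!/usr/bin/env python3
"""Added example: emit Exec-Program-Wait reply attributes with the commas the
thread above found to be required, and model why they matter."""
import ipaddress
import os
import re

# Constructed lookup table (an assumption for this example): per-user
# address and netmask returned as reply attributes.
STATIC_ADDRESSES = {
    "roman": ("217.107.182.222", "255.255.255.255"),
}

# Attributes whose values must parse as IPv4 addresses.
IPADDR_ATTRS = {"Framed-IP-Address", "Framed-IP-Netmask"}

PAIR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$")


def format_reply(pairs):
    """Render (attribute, value) pairs one per line, each ending in a comma.
    Values with spaces are double-quoted; commas and quotes inside values
    are outside what this example models, so they are refused."""
    lines = []
    for name, value in pairs:
        text = str(value)
        if "," in text or '"' in text:
            raise ValueError(f"{name}: commas and quotes in values are not supported here")
        if " " in text:
            text = f'"{text}"'
        lines.append(f"{name} = {text},")
    return "\n".join(lines) + "\n"


def parse_pairs(text):
    """Simplified model of a comma-delimited pair parser: newlines are mere
    whitespace, only commas separate pairs, and any malformed pair discards
    the whole reply (the 'radius sees no attributes at all' symptom).
    Returns a dict of attributes, or None when parsing fails."""
    flat = " ".join(text.split())
    result = {}
    for chunk in flat.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        match = PAIR_RE.match(chunk)
        if not match:
            return None
        name, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if name in IPADDR_ATTRS:
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                return None  # e.g. a value that swallowed the next pair
        result[name] = value
    return result


def reply_for(user_name):
    """Pairs to return for a user; an empty list for unknown users."""
    entry = STATIC_ADDRESSES.get(user_name.lower())
    if entry is None:
        return []
    address, netmask = entry
    return [("Framed-IP-Netmask", netmask), ("Framed-IP-Address", address)]


if __name__ == "__main__":
    # Assumption: request attributes reach the script as environment
    # variables with '-' replaced by '_' (USER_NAME for User-Name).
    print(format_reply(reply_for(os.environ.get("USER_NAME", ""))), end="")
```

Running `parse_pairs` over the two outputs from the thread reproduces the observation: the comma-terminated form yields both attributes, the bare newline-separated form yields nothing.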
Re: PEAP vs EAP/TLS
One doubt, basically the operation between server and AP is the same in EAP/TLS and PEAP but for the fact that in the former the user has a cert and in the latter a screen should be prompted for the user to introduce its login and passw so the RADIUS must check them in the users file?

I don't know for PEAP but with EAP-TLS, you just need the password for the key of the client certificate on the supplicant, and the password for the key of the server certificate on the FreeRADIUS server. But these passwords don't go through the network. (And you need the root/CA certificate on each side of course). Then on linux xsupplicant you can put the pass in your TLS config file, then the connection is automatic. On windows maybe you have a prompt for the password at each connection, I'm working on it actually. I hope I haven't made a mistake and that this can help you. Fred

sorry for the basic question but I'm not able to get the prompt for my user and I'm trying to discard any basic mistake in concepts thanks bfr isn't it?

- Original message - From: BLANCA FERRERO RODRIGUEZ [EMAIL PROTECTED] Date: Tuesday, May 25, 2004 8:45 am Subject: Re: peap user

I'm configuring PEAP. I think the freeradius config is Ok. ... modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting user Nope, it's not. Alan DeKok. I think that message comes because the user sent by my AP to the radius is not in my users file, and it matches a default user I added with Auth-Type = reject... but it makes sense doesn't it? bfr

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MySQL and EAP-TLS
James [EMAIL PROTECTED] wrote: Thank you Alan for your reply but i need some more explanation. What did you mean when you said Nothing? Should I leave empty the Attribute and Value columns in radiuscheck table or should I create a new radiuscheck table without them or should I not even use such table? You don't need to do anything. EAP-TLS is authenticated via certificates, and therefore needs *nothing* from MySQL. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: intermediate accounting
Silvestre Malta [EMAIL PROTECTED] wrote: Is it possible to activate intermediate accounting in freeradius ? If your NAS sends accounting updates, yes. sometimes, i have client's that when thei disconnect, radius2 don't receive the stop packet for accounting of that session, so i have think in doing intermediate accounting, radius1 will send accounting packets to radius2 in interval's of 10 minutes, With what data? It can't invent the data. The NAS has to send accounting updates. Nothing else can send that information. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: max6000 and freeradius - authentication ok, log into radius-mysql not send full information
Dilson [EMAIL PROTECTED] wrote: I need log on radius radacct ( mysql database ) this information ConnectInfo_Start and ConnectInfo_stop of max users ( max6000 ). Authentication it's ok, but this information don't log on database. See the FAQ. The server logs only what the NAS sends it. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP vs EAP/TLS
BLANCA FERRERO RODRIGUEZ [EMAIL PROTECTED] wrote: One doubt, basically the operation between server and AP is the same in EAP/TLS and PEAP but for the fact that in the former the user has a cert and in the latter a screen should be prompted for the user to introduce its login and passw so the RADIUS must check them in the users file? Yes. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: intermediate accounting
Ok, so if the NAS sends accounting updates, do I need to make any extra configuration in FreeRadius to be able to receive those accounting updates? thanks

- Original Message - From: Alan DeKok [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, May 26, 2004 3:26 PM Subject: Re: intermediate accounting

Silvestre Malta [EMAIL PROTECTED] wrote: Is it possible to activate intermediate accounting in freeradius ? If your NAS sends accounting updates, yes. sometimes, i have client's that when thei disconnect, radius2 don't receive the stop packet for accounting of that session, so i have think in doing intermediate accounting, radius1 will send accounting packets to radius2 in interval's of 10 minutes, With what data? It can't invent the data. The NAS has to send accounting updates. Nothing else can send that information. Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: intermediate accounting
Silvestre Malta [EMAIL PROTECTED] wrote: so if the NAS send accounting updates, do i need to make any extra configuration in FreeRadius to be able to receive those accounting updates ? No. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
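Alan's point in this thread is that only the NAS can supply interim accounting data; the standard way to ask for it is the Acct-Interim-Interval attribute (RFC 2869) in the Access-Accept, which tells the NAS how often to send Interim-Update records. What the receiving side (radius2's accounting store in Silvestre's setup) gains from those updates when a Stop is lost is shown by the Python 3 block below, an added example that is not part of the thread or of FreeRADIUS. The accounting records are constructed; the two-interval staleness threshold is this example's own choice.

```python
"""Added example: reconstruct per-session state from RADIUS accounting
records when a Stop packet never arrives, using the NAS's interim updates."""
from datetime import datetime, timedelta

# Constructed accounting records (not from the thread), as the receiving
# server would store them. Attribute names are the standard ones.
ACCOUNTING_RECORDS = [
    {"Acct-Session-Id": "0001", "User-Name": "alice", "Acct-Status-Type": "Start",
     "Acct-Session-Time": 0, "Acct-Output-Octets": 0, "Event-Timestamp": "2004-05-26T10:00:00"},
    {"Acct-Session-Id": "0002", "User-Name": "bob", "Acct-Status-Type": "Start",
     "Acct-Session-Time": 0, "Acct-Output-Octets": 0, "Event-Timestamp": "2004-05-26T10:05:00"},
    {"Acct-Session-Id": "0001", "User-Name": "alice", "Acct-Status-Type": "Interim-Update",
     "Acct-Session-Time": 600, "Acct-Output-Octets": 120000, "Event-Timestamp": "2004-05-26T10:10:00"},
    {"Acct-Session-Id": "0002", "User-Name": "bob", "Acct-Status-Type": "Interim-Update",
     "Acct-Session-Time": 600, "Acct-Output-Octets": 80000, "Event-Timestamp": "2004-05-26T10:15:00"},
    {"Acct-Session-Id": "0001", "User-Name": "alice", "Acct-Status-Type": "Stop",
     "Acct-Session-Time": 900, "Acct-Output-Octets": 150000, "Event-Timestamp": "2004-05-26T10:15:00"},
    {"Acct-Session-Id": "0002", "User-Name": "bob", "Acct-Status-Type": "Interim-Update",
     "Acct-Session-Time": 1200, "Acct-Output-Octets": 160000, "Event-Timestamp": "2004-05-26T10:25:00"},
    # bob's Stop never arrives.
]

# The interval requested from the NAS with Acct-Interim-Interval (10 minutes
# in this thread's scenario).
INTERIM_INTERVAL = timedelta(seconds=600)


def summarize_sessions(records, now, interval=INTERIM_INTERVAL):
    """Fold records into one summary per Acct-Session-Id. A session with no
    Stop whose last record is older than two interim intervals is flagged
    stop_missing; its counters are the last values the NAS reported, which
    is exactly what interim updates preserve when the Stop is lost."""
    now_dt = datetime.fromisoformat(now)
    sessions = {}
    for rec in sorted(records, key=lambda r: r["Event-Timestamp"]):
        sid = rec["Acct-Session-Id"]
        s = sessions.setdefault(sid, {"user": rec["User-Name"], "closed": False,
                                      "updates": 0, "session_time": 0,
                                      "octets": 0, "last_seen": None})
        status = rec["Acct-Status-Type"]
        if status == "Stop":
            s["closed"] = True
        elif status == "Interim-Update":
            s["updates"] += 1
        s["session_time"] = max(s["session_time"], rec["Acct-Session-Time"])
        s["octets"] = max(s["octets"], rec["Acct-Output-Octets"])
        s["last_seen"] = rec["Event-Timestamp"]
    for s in sessions.values():
        age = now_dt - datetime.fromisoformat(s["last_seen"])
        s["stop_missing"] = (not s["closed"]) and age > 2 * interval
    return sessions


def lost_stop_report(records, now):
    """Sessions whose Stop appears lost, with the usage that is still known."""
    return {sid: (s["user"], s["session_time"], s["octets"])
            for sid, s in summarize_sessions(records, now).items()
            if s["stop_missing"]}


if __name__ == "__main__":
    for sid, info in lost_stop_report(ACCOUNTING_RECORDS, "2004-05-26T11:00:00").items():
        print(f"session {sid}: user={info[0]} last known {info[1]}s / {info[2]} octets, Stop missing")
```

Without the interim updates, bob's session would show zero seconds and zero octets once its Stop was lost; with them, the last reported counters survive, which is the partial information Silvestre was after.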
Re: CHAP Authentication Problem
=?iso-8859-1?q?SANDEEP=20KHANNA?= [EMAIL PROTECTED] wrote: 1. If I use the freeradius server and client for CHAP authentication using command $ echo User-Name=someuser | radclient localhost auth shared secret key ,it returns Nothing . That's because you're not using CHAP there. 2. If I use another RADIUS Server (not freeradius) and try to login through freeradius client with command (FOR PAP) $ echo User-Name=someuser,User-Password=somepassword | radclient localhost auth shared secret key ,It works absolutely fine. So... you're comparing not using CHAP on FreeRADIUS, to using PAP with another server. Why? (FOR CHAP) ,I am facing problem with it when I use the command $ echo User-Name=someuser | radclient localhost:port auth shared secret key ,it returns me Received response ID 51, code 11, length=163 Reply-Message = Your Offline challenge 0840 2828.Enter your PIN and this challenge in your Offline Client.Enter the result! That isn't FreeRADIUS. Then I generate the CHAP-Password entering the PIN and the challenge in my offline client Then I use the command $ echo User-Name=someuser,CHAP-Password=generatedpassword,CHAP-Challenge=0840 2828,State=asmentionedabove | radclient server_ip:port auth shared secret key and it return me the Wrong Credentials always. I would suggest asking the vendor of the other RADIUS server what the problem is. The problem has nothing to do with FreeRADIUS, so far as I can tell. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MySQL and EAP-TLS
You don't need to do anything. EAP-TLS is authenticated via certificates, and therefore needs *nothing* from MySQL. Hi Alan, as usual (unfortunately) I didn't make myself clear on describing what i need. Basically, i want to authenticate users via EAP-TLS but i need also to look up on the database for adding some custom attributes on the RADIUS replies. These attributes can be, for instance, VLAN ids or other vendor specific attributes. How can this be done? Thank you for you patience. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap-tls with XP client and linux client
Has no one else had this problem? Maybe this is a solution (didn't work for me): http://support.microsoft.com/?kbid=822596 I have also tested with 2 different radius servers (one linux, one windows), the problem is the same. For me it seems that the problem is on the client side, not the radius server side. Any ideas Alan? Thanks in advance. /Regards Ulf

Ulf Jakobsson wrote: Alan DeKok wrote: Szabo David [EMAIL PROTECTED] wrote: Why does the Xp client lose the connection when the RAdius server is cleaning up requests? It doesn't. The two events are completely independent. What's probably happening is that there's a Session-Timeout sent in the reply, which tells the AP to kick the client off after a short period of time. Alan DeKok. How do you mean? How do I change that variable? Is the variable in the answer from the radius answer to the client? /Ulf

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
No password configured for the user
Hi, I have some issues using FreeRadius 0.9.3 on RedHat Linux ES 3. This is the debug log:

Thread 2 handling request 16, (4 handled so far)
        User-Name = 000347158dea
        User-Password = 000347158dea
        Called-Station-Id = 0040.96a0.2db9
        Calling-Station-Id = 0003.4715.8dea
        NAS-Port-Type = Virtual
        NAS-Port = 312
        NAS-IP-Address = 192.168.0.51
modcall: entering group authorize for request 16
  modcall[authorize]: module preprocess returns ok for request 16
  modcall[authorize]: module chap returns noop for request 16
  modcall[authorize]: module eap returns noop for request 16
    rlm_realm: No '@' in User-Name = 000347158dea, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 16
    users: Matched DEFAULT at 158
  modcall[authorize]: module files returns ok for request 16
  modcall[authorize]: module mschap returns noop for request 16
modcall: group authorize returns ok for request 16
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No password configured for the user
auth: Failed to validate the user.
Delaying request 16 for 1 seconds
Finished request 16
Going to the next request
---

And this is the part of the users file:

000347-158dea   Auth-Type := Local, User-Password == x

DEFAULT Auth-Type = Local
        Fall-Through = 1

-

From the postings, I found some similar posts. The fixes are retyping the password in the users file and NAS server, etc. I tried many times, still no luck. So if this is the password problem, what's the trick to make this work? Thanks! -Yuemo

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Active Directory/radiusServiceType
> I currently have FreeRADIUS setup to authenticate users against Active Directory and the local users file. Now I want to use it as the RADIUS server for my Extreme network switches. My hope is to be able to use the Active Directory accounts to authenticate the users to the switch via FreeRADIUS. After doing some research I see that I need to return the radiusServiceType attribute to the Extreme switch. My understanding is that this will have to reside in the LDAP schema/database, correct? If this is correct, to extend the AD schema, I need an OID for the radiusServiceType attribute that needs to be unique. I have been unable to find what the X.500 OID for this attribute is. Anyone know this?

From the RADIUS-LDAPv3.schema:

attributetype ( 1.3.6.1.4.1.3317.4.3.1.32
        NAME 'radiusServiceType'
        DESC ''
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE
 )

Or you can use private numbers. Here is a link to a page about extending schemas with openldap. http://www.openldap.org/doc/admin21/schema.html#Extending%20Schema

> Is there another way to do this that I am missing? I know I can use the users file, but that is not ideal as it is another place that passwords have to be managed and I cannot enforce password policies easily this way. Any guidance would be greatly appreciated. Thanks, Mark Capelle

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[Q]: Assigning VLANs and restricting logins?
Hi First, thanx to all who replied to my earlier emails on EAP/TLS + WEP key generation. I seem to have this working now. Now I have some new questions d'oh: 1. I have read that I can have freeradius run a script via Exec-Program-Wait at authentication time. I was just wondering would it be possible to use this to perform a query over IP on the client station (eg: snmp or something)? 2. I have seen mails and docs on allowing freeradius assign VLAN IDs at authentication time. I am presuming this would be more suitable for wired ethernet switches than wireless access points on APs with VLAN capabilities (eg: my Cisco Aironet 1200) you attach to an SSID (which is associated with a VLAN). I am guessing the answer to this is probably no, but would it be possible to have freeradius dynamically associate a client station to an SSID at authentication time? My interest in these is because I would like if possible to be able to check each client station to see if it has the latest patches, virus protection s/w etc. and if it doesn't I would like to either disconnect it, or dump it in some kind of quarantine SSID (VLAN). and finally: 3. Is it possible using EAP/TLS to restrict how many times a station with a particular certificate connects to the wireless net. i.e. if someone takes their certificate and installs it on 10 wireless machines, can I configure freeradius (and/or my access point) so that only one active wireless connection is allowed for that certificate? Thanx again for all the recent help, and thanx in advance for any help on these. Chris Bradshaw.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MySQL and EAP-TLS
James [EMAIL PROTECTED] wrote: Basically, i want to authenticate users via EAP-TLS but i need also to look up on the database for adding some custom attributes on the RADIUS replies. These attributes can be, for instance, VLAN ids or other vendor specific attributes. How can this be done? http://www.frontios.com/freeradius.html Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: No password configured for the user
On Wed, 2004-05-26 at 11:14, Yuemo Zeng wrote:
> Thread 2 handling request 16, (4 handled so far)
>         User-Name = 000347158dea
> 000347-158dea   Auth-Type := Local, User-Password == x

Just a guess here... notice anything different about the username in the request and the users file? FreeRADIUS is correct... there is no password in the DEFAULT line, which is what it matched, not the user you have above.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
IS it necessary to start and stop raddb everytime the clients.conf is modified
Thanks Eric Echeverri
Re: No password configured for the user
Hi, The problem is resolved. The "-" is a problem, but not the main one, since I changed it a couple of times. The main one is the password. Your posting let me look at the debug log more carefully. It turned out that the NAS sends out the caller's password as the caller's name itself, in this case, the MAC itself. I tried to follow an article, http://www.wi-fitechnology.com/Wi-Fi_Reports_and_Papers/Freeradius_Deployment_of_MAC_Address.html. This is why I was stuck. The lessons I learnt are relying on the debug log and paying attention to the NAS. Thanks for your help! -Yuemo

[EMAIL PROTECTED] 05/26/04 11:48AM
> On Wed, 2004-05-26 at 11:14, Yuemo Zeng wrote:
> > Thread 2 handling request 16, (4 handled so far)
> >         User-Name = 000347158dea
> > 000347-158dea   Auth-Type := Local, User-Password == x
>
> Just a guess here... notice anything different about the username in the request and the users file? FreeRADIUS is correct... there is no password in the DEFAULT line, which is what it matched, not the user you have above.
>
> --
> Dennis Skinner
> Systems Administrator
> BlueFrog Internet
> http://www.bluefrog.com

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
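Both the "No password configured for the user" thread just above and the earlier PEAP thread (a DEFAULT entry with Auth-Type = Reject catching an unknown user) come down to how the users file is matched. The Python 3 block below is an added example, not the server's own matcher: a deliberately simplified model of users-file semantics (an entry matches by exact User-Name or DEFAULT, `==` items are compared against the request, `:=`/`=` items set configuration, User-Password is deferred to the authentication step, and Fall-Through decides whether later entries are consulted) that reproduces Dennis's diagnosis. The two users files are constructed on the pattern of the thread's entries, with the MAC as password since that is what Yuemo's NAS turned out to send.

```python
"""Added example: a simplified model of users-file matching that shows why a
request for 000347158dea hits DEFAULT and fails with 'No password configured'."""
import re

# Constructed users file on the thread's pattern: the per-MAC entry, then a
# DEFAULT that falls through.
USERS_FILE = """\
000347-158dea   Auth-Type := Local, User-Password == "000347-158dea"

DEFAULT Auth-Type = Local
        Fall-Through = 1
"""

# Constructed users file for the PEAP thread's case: unknown users hit a
# DEFAULT entry carrying Auth-Type := Reject.
REJECT_DEFAULT = """\
alice   Auth-Type := Local, User-Password == "wonderland"

DEFAULT Auth-Type := Reject
"""

ITEM_RE = re.compile(r'([A-Za-z0-9-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def _items(text):
    return [(attr, op, value.strip('"')) for attr, op, value in ITEM_RE.findall(text)]


def parse_users(text):
    """Parse the subset of users-file syntax used in the thread: a line at
    column 0 is 'name check-items', indented lines hold reply items
    (Fall-Through among them), blank lines separate entries."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            current = None
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("reply items before any entry")
            current["reply"].extend(_items(raw))
        else:
            parts = raw.split(None, 1)
            current = {"name": parts[0], "check": _items(parts[1] if len(parts) > 1 else ""), "reply": []}
            entries.append(current)
    return entries


def authorize(entries, request):
    """Walk entries top to bottom; return (config items, reply items, matched names)."""
    config, reply, matched = {}, {}, []
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
            continue
        pending, ok = {}, True
        for attr, op, value in entry["check"]:
            if attr == "User-Password":
                pending[attr] = value           # compared at authentication time
            elif op == "==":
                if request.get(attr) != value:  # plain comparison against the request
                    ok = False
                    break
            elif op == ":=" or attr not in config:
                pending[attr] = value           # ':=' overrides, '=' sets if unset
        if not ok:
            continue
        config.update(pending)
        matched.append(entry["name"])
        fall_through = False
        for attr, op, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("1", "yes")
            else:
                reply[attr] = value
        if not fall_through:
            break
    return config, reply, matched


def authenticate(entries, request):
    """Decide the request the way the thread's log does; returns
    (packet, reason, matched entry names)."""
    config, _, matched = authorize(entries, request)
    auth_type = config.get("Auth-Type")
    if not matched:
        return ("Access-Reject", "no entry matched", matched)
    if auth_type == "Reject":
        return ("Access-Reject", "Auth-Type = Reject, rejecting user", matched)
    if auth_type == "Local":
        if "User-Password" not in config:
            return ("Access-Reject", "No password configured for the user", matched)
        if request.get("User-Password") != config["User-Password"]:
            return ("Access-Reject", "password mismatch", matched)
        return ("Access-Accept", "password matched", matched)
    return ("Access-Reject", f"Auth-Type {auth_type} not modelled here", matched)


if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    for name in ("000347158dea", "000347-158dea"):
        print(name, "->", authenticate(entries, {"User-Name": name, "User-Password": name}))
```

The first call shows the thread's failure: the hyphenated entry never matches the unhyphenated User-Name, DEFAULT matches with no password item, and Local authentication has nothing to compare. The second shows the entry matching once the name agrees.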
Challenge Response
I'm still trying to get PEAP working with LDAP. I'm wondering if the problem is with the client at this point. From the debugging output and ethereal it looks like the radius server keeps sending access challenges but the client just keeps sending requests in return instead of a response. If someone could confirm this or let me know I'm wrong I would appreciate it. I have pasted the output below.

TIA
-Barry

Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = /usr/local main: localstatedir = /usr/local/var main: logdir = /usr/local/var/log/radius main: libdir = /usr/local/lib main: radacctdir = /usr/local/var/log/radius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /usr/local/var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /usr/local/var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/local/sbin/checkrad main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file.
Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = (null) mschap: authtype = MS-CHAP mschap: ntlm_auth = (null) Module: Instantiated mschap (mschap) Module: Loaded LDAP ldap: server = mycomp1.mycomp.com ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = cn=Manager,dc=mycomp,dc=com ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = (null) ldap: tls_cacertdir = (null) ldap: tls_certfile = (null) ldap: tls_keyfile = (null) ldap: tls_randfile = (null) ldap: tls_require_cert = allow ldap: password = (blahh) ldap: basedn = dc=mycomp,dc=com ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}}) ldap: base_filter = (objectclass=radiusprofile) ldap: default_profile = (null) ldap: profile_attribute = (null) ldap: password_header = (null) ldap: password_attribute = (null) ldap: access_attr = (null) ldap: groupname_attribute = cn ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) ldap: groupmembership_attribute = (null) ldap: dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading 
ldap-radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP userPassword mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP
Re: eap-tls with XP client and linux client
Ulf Jakobsson [EMAIL PROTECTED] wrote:
> I have also tested with 2 different radius servers (one linux, one windows), the problem is the same. For me it seems that the problem is on the client side, not the radius server side.

Then there probably isn't much that can be done to the RADIUS server to fix it. Have you tried using a different AP?

Alan DeKok.
Re: [Q]: Assigning VLANs and restricting logins?
Chris Bshaw [EMAIL PROTECTED] wrote:
> 1. I have read that I can have freeradius run a script via Exec-Program-Wait at authentication time. I was just wondering would it be possible to use this to perform a query over IP on the client station (eg: snmp or something)?

Scripts can do anything you want.

> would it be possible to have freeradius dynamically associate a client station to an SSID at authentication time?

No. The SSIDs are done in a layer *below* the layers that FreeRADIUS sees.

> My interest in these is because I would like if possible to be able to check each client station to see if it has the latest patches, virus protection s/w etc. and if it doesn't I would like to either disconnect it, or dump it in some kind of quarantine SSID (VLAN).

For that, you have to wait until the client gets an IP address, which can happen ~1s after the RADIUS authentication. Basically, you can't do these checks until after the RADIUS authentication has succeeded, which means that you can't use the checks to change the RADIUS response.

> 3. Is it possible using EAP/TLS to restrict how many times a station with a particular certificate connects to the wireless net, i.e. if someone takes their certificate and installs it on 10 wireless machines, can I configure freeradius (and/or my access point) so that only one active wireless connection is allowed for that certificate?

You can set Simultaneous-Use on the server, which will do this.

Alan DeKok.
Re: Challenge Response
In case anyone is interested I finally got this working. I downloaded the latest snapshot from CVS. I edited 3 files:

In radius.conf I configured the LDAP settings (ie server name, binddn, etc), and uncommented ldap in the Authorize section.
In eap.conf I uncommented the peap section and most of the tls section.
In clients.conf I simply allowed the class C I am using.

Of course I will need to make this more secure by creating my own certs and such. This was also tested with a plain text password in LDAP so I will try using NT passwords (md4 I guess).

Barry Stewart wrote:
> I'm still trying to get PEAP working with LDAP. I'm wondering if the problem is with the client at this point. From the debugging output and ethereal it looks like the radius server keeps sending access challenges but the client just keeps sending requests in return instead of a response. If someone could confirm this or let me know I'm wrong I would appreciate it. I have pasted the output below.
>
> TIA
> -Barry
Re: [Q]: Assigning VLANs and restricting logins?
Hi Alan... Thanx for the info.

> Basically, you can't do these checks until after the RADIUS authentication has succeeded, which means that you can't use the checks to change the RADIUS response.

Is there any post-authentication mechanism I could use in FreeRadius to revoke the authentication, i.e. allow the user to authenticate long enough to make the checks over IP via an Exec-Program-Wait and if they fail the checks, freeradius 'tells' (?) the access point to disconnect the client?

Thanx in advance.
Chris.
Re: [Q]: Assigning VLANs and restricting logins?
Chris Bshaw [EMAIL PROTECTED] wrote:
> Is there any post-authentication mechanism I could use in FreeRadius to revoke the authentication, i.e. allow the user to authenticate long enough to make the checks over IP via an Exec-Program-Wait and if they fail the checks, freeradius 'tells' (?) the access point to disconnect the client?

Nope. But you can run a script to tell another program that a user authenticated. That other program can then wait however long it wants, and do whatever it wants with the results.

Alan DeKok.
RE: [Q]: Assigning VLANs and restricting logins?
Hi Alan,

Would it be right to say that a RADIUS server in 802.1X authentication allows a client to be authenticated but cannot unauthenticate an authenticated client and let the AP (NAS) know about this unauthentication? I guess it comes down to: the RADIUS server responds to clients but does not initiate talking to clients.

So, if I log on with my XP laptop through 802.1X successfully and then a few minutes later, the system admin logged off all users (including me) with the intent to force reauthentications. But, my laptop thinks it's still authenticated and logged in. Is there a way from the RADIUS server to notify the client so the client detects it's unauthenticated and tries to start the 802.1X session again? Otherwise, I would need to disassociate and associate again.

Thanks,
Htin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, May 26, 2004 1:56 PM
To: [EMAIL PROTECTED]
Subject: Re: [Q]: Assigning VLANs and restricting logins?

> Chris Bshaw [EMAIL PROTECTED] wrote:
> > Is there any post-authentication mechanism I could use in FreeRadius to revoke the authentication, i.e. allow the user to authenticate long enough to make the checks over IP via an Exec-Program-Wait and if they fail the checks, freeradius 'tells' (?) the access point to disconnect the client?
>
> Nope. But you can run a script to tell another program that a user authenticated. That other program can then wait however long it wants, and do whatever it wants with the results.
>
> Alan DeKok.
FreeRADIUS and mschapv2 problems
Hi.

I've been using FreeRadius recent CVS version to authenticate wireless Windows XP/2k users via EAP and Cisco AP1000 series. I've so far succeeded in EAP/TLS and EAP/TTLS, as well as with non-EAP modules (PAP and CHAP) just to test if it is all properly set up. However, I'm failing with EAP/PEAP. Certificates are fine (as stated above), however MS-CHAPv2 (rlm_mschap) seems to be causing problems:

rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Passwords are stored in MySQL, but they're proven to be read correctly (and I've tried with users file too). I've read this list's archives thoroughly, and I've tried most of the stuff people were reporting. Is there anything else I could check? Should I try with NT-hashed passwords? Should I try with auth_ntlm to debug chap responses?

TIA.

--
Dinko 'kreator' Korunic   #include <stddisclaimer.h>
http://www.srce.hr/~kreator/ | http://kre.deviantart.com
PGP:0xEA160D0B | IRC:kre | ICQ:16965294 | AIM:kreatorMoo
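What rlm_mschap is actually checking when it logs "MS-CHAP2-Response is incorrect", and what the NT-hashed password Barry plans to try and Dinko asks about above really is, as an added Go example that is not FreeRADIUS code: the NT-Password is MD4 over the UTF-16LE password, the 8-byte challenge is SHA1(PeerChallenge | AuthenticatorChallenge | UserName) truncated, and the 24-byte response is that challenge DES-encrypted under three 56-bit keys cut from the zero-padded hash (RFC 2759). The function names are mine; the only input is the RFC 2759 section 9.2 test vector, so it runs offline.

```go
// Added example, not FreeRADIUS code: the check rlm_mschap does on an MS-CHAP2-Response given the user's NT-Password (RFC 2759).
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 is a compact RFC 1320 implementation; Go's standard library ships none.
func md4(msg []byte) [16]byte {
	s := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	buf := append(append([]byte(nil), msg...), 0x80)
	buf = append(buf, make([]byte, (55-len(msg)%64+64)%64)...) // zero pad to 56 mod 64
	buf = binary.LittleEndian.AppendUint64(buf, uint64(len(msg))*8)
	fns := [3]func(x, y, z uint32) uint32{
		func(x, y, z uint32) uint32 { return (x & y) | (^x & z) },
		func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) },
		func(x, y, z uint32) uint32 { return x ^ y ^ z },
	}
	consts := [3]uint32{0, 0x5a827999, 0x6ed9eba1}
	order := [3][16]int{
		{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
		{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15},
		{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15},
	}
	shifts := [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
	for off := 0; off < len(buf); off += 64 {
		a, b, c, d := s[0], s[1], s[2], s[3]
		for r := 0; r < 3; r++ {
			for i := 0; i < 16; i++ {
				a = bits.RotateLeft32(a+fns[r](b, c, d)+binary.LittleEndian.Uint32(buf[off+4*order[r][i]:])+consts[r], shifts[r][i%4])
				a, b, c, d = d, a, b, c // rotate roles: the next step updates the old d
			}
		}
		s[0], s[1], s[2], s[3] = s[0]+a, s[1]+b, s[2]+c, s[3]+d
	}
	var out [16]byte
	for i, v := range s {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// NTPasswordHash is what an NT-Password check item holds: MD4 of the UTF-16LE password.
func NTPasswordHash(password string) []byte {
	var b []byte
	for _, c := range utf16.Encode([]rune(password)) {
		b = append(b, byte(c), byte(c>>8))
	}
	h := md4(b)
	return h[:]
}

// NTResponse DES-encrypts the 8-byte challenge under three keys cut from the zero-padded NT hash.
func NTResponse(ntHash, challenge []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	var out []byte
	for i := 0; i < 21; i += 7 {
		var acc uint64 // widen 56 key bits to DES's 8-byte form: 7 key bits per byte, parity bit low
		for _, v := range z[i : i+7] {
			acc = acc<<8 | uint64(v)
		}
		key := make([]byte, 8)
		for j := 7; j >= 0; j-- {
			key[j] = byte(acc&0x7f) << 1
			acc >>= 7
		}
		c, _ := des.NewCipher(key)
		var blk [8]byte
		c.Encrypt(blk[:], challenge)
		out = append(out, blk[:]...)
	}
	return out
}

// VerifyMSCHAPv2 is the server side: derive the challenge as SHA1(PeerChallenge | AuthenticatorChallenge
// | UserName)[:8], recompute the response from the stored NT hash and compare it in constant time.
func VerifyMSCHAPv2(username string, ntHash, authChallenge, peerChallenge, response []byte) bool {
	sum := sha1.Sum(append(append(append([]byte{}, peerChallenge...), authChallenge...), username...))
	want := NTResponse(ntHash, sum[:8])
	return subtle.ConstantTimeCompare(want, response) == 1
}

func main() { // RFC 2759 section 9.2 vector: user "User", password "clientPass"
	unhex := func(s string) []byte { b, _ := hex.DecodeString(s); return b }
	auth, peer := unhex("5B5D7C7D7B3F2F3E3C2C602132262628"), unhex("21402324255E262A28295F2B3A337C7E")
	resp := unhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
	fmt.Printf("NT-Password := 0x%X\n", NTPasswordHash("clientPass"))
	fmt.Println(VerifyMSCHAPv2("User", NTPasswordHash("clientPass"), auth, peer, resp), VerifyMSCHAPv2("User", NTPasswordHash("clientpass"), auth, peer, resp)) // true false
}
```

Two things follow from the construction. A cleartext User-Password and an NT-Password are interchangeable for this check, since the server derives the hash itself, so switching storage formats will not by itself change an "incorrect" result. And the User-Name is an input to the challenge hash: if the supplicant computed its response over a different name than the server uses (for example without a DOMAIN\ prefix), the check fails with the right password, which is what the mschap with_ntdomain_hack setting visible in the debug dumps above exists for.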
RH9 and Freeradius make error
Please look at the following and if possible kindly advise to the best way forward. The freeradius-snapshot-20040525 is installed on RH9 (2.4.20-8) as per instructions from http://www.dslreports.com/forum/remark,9286052~mode=flat:

./configure --with-openssl-includes=/usr/local/openssl/include \
  --with-openssl-libraries=/usr/local/openssl/lib \
  --prefix=/usr/local/radius
make

I installed the RH9 issue of mysql (not dev.) to see if it would solve the problem... it did not. MySql is not required at this stage of the test. I am new to Linux and your patience would be greatly appreciated.

Making static in rlm_sql_mysql...
gmake[10]: Entering directory `/usr/src/radius/freeradius-snapshot-20040525/src/modules/rlm_sql/drivers/rlm_sql_mysql'
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../.. -I../../../../include -I'/usr/include' -I/usr/src/radius/freeradius-snapshot-20040525/libltdl -c sql_mysql.c -o sql_mysql.o
sql_mysql.c:39:20: errmsg.h: No such file or directory
sql_mysql.c:40:19: mysql.h: No such file or directory
sql_mysql.c:47: parse error before MYSQL
sql_mysql.c:47: warning: no semicolon at end of struct or union
sql_mysql.c:48: warning: type defaults to `int' in declaration of `sock'
sql_mysql.c:48: warning: data definition has no type or storage class
sql_mysql.c:49: parse error before '*' token
sql_mysql.c:49: warning: type defaults to `int' in declaration of `result'
sql_mysql.c:49: warning: data definition has no type or storage class
sql_mysql.c:51: parse error before '}' token
sql_mysql.c:51: warning: type defaults to `int' in declaration of `rlm_sql_mysql_sock'
sql_mysql.c:51: warning: data definition has no type or storage class
sql_mysql.c: In function `sql_init_socket':
sql_mysql.c:62: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:62: (Each undeclared identifier is reported only once
sql_mysql.c:62: for each function it appears in.)
sql_mysql.c:65: parse error before ')' token
sql_mysql.c:76: warning: implicit declaration of function `mysql_init'
sql_mysql.c:77: warning: implicit declaration of function `mysql_real_connect'
sql_mysql.c:84: `CLIENT_FOUND_ROWS' undeclared (first use in this function)
sql_mysql.c:86: warning: implicit declaration of function `mysql_error'
sql_mysql.c:86: warning: format argument is not a pointer (arg 3)
sql_mysql.c: In function `sql_destroy_socket':
sql_mysql.c:103: warning: unused parameter `config'
sql_mysql.c: In function `sql_check_error':
sql_mysql.c:122: `CR_SERVER_GONE_ERROR' undeclared (first use in this function)
sql_mysql.c:123: `CR_SERVER_LOST' undeclared (first use in this function)
sql_mysql.c:131: `CR_OUT_OF_MEMORY' undeclared (first use in this function)
sql_mysql.c:132: `CR_COMMANDS_OUT_OF_SYNC' undeclared (first use in this function)
sql_mysql.c:133: `CR_UNKNOWN_ERROR' undeclared (first use in this function)
sql_mysql.c: In function `sql_query':
sql_mysql.c:151: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:160: warning: implicit declaration of function `mysql_query'
sql_mysql.c:161: warning: implicit declaration of function `mysql_errno'
sql_mysql.c: In function `sql_store_result':
sql_mysql.c:175: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:181: warning: implicit declaration of function `mysql_store_result'
sql_mysql.c:184: warning: format argument is not a pointer (arg 3)
sql_mysql.c:173: warning: unused parameter `config'
sql_mysql.c: In function `sql_num_fields':
sql_mysql.c:202: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:204:5: warning: MYSQL_VERSION_ID is not defined
sql_mysql.c:207: warning: implicit declaration of function `mysql_num_fields'
sql_mysql.c:211: warning: format argument is not a pointer (arg 3)
sql_mysql.c:199: warning: unused parameter `config'
sql_mysql.c: In function `sql_num_rows':
sql_mysql.c:257: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:260: warning: implicit declaration of function `mysql_num_rows'
sql_mysql.c:255: warning: unused parameter `config'
sql_mysql.c: In function `sql_fetch_row':
sql_mysql.c:277: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:286: warning: implicit declaration of function `mysql_fetch_row'
sql_mysql.c:286: warning: assignment makes pointer from integer without a cast
sql_mysql.c:275: warning: unused parameter `config'
sql_mysql.c: In function `sql_free_result':
sql_mysql.c:305: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:308: warning: implicit declaration of function `mysql_free_result'
sql_mysql.c:303: warning: unused parameter `config'
sql_mysql.c: In function `sql_error':
sql_mysql.c:327: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:330: warning: return discards qualifiers from pointer
FW: Need Assistance please
Alan,

I'd first like to extend my gratitude for answering my email. I'd also like to apologize to everyone on the list for my confusion. I've been reading the book RADIUS by Jonathan Hassell, and I've been reading archives for a while now. Can anyone suggest a good book with sample information?

My problem is as follows:

> > Is radius supposed to only return back a single attribute?
>
> That's what you told it to do. An attribute with one value (even with commas) is very different than attributes with multiple values. My suggestion is to create multiple entries in the LDAP schema for the Login-LAT-Group, as there is no Login-LAT-GroupS attribute. Each value should then be +=User (first) +=Change Password (second) etc...
>
> Alan DeKok.

Alan, the User, Change Password, Administrator etc. are already part of the LDAP schema (under the attribute securityRole), e.g.

Uid=testuser
Attribute      Value
securityRole   Users
securityRole   testgroup1
securityRole   testgroup2
securityRole   Change Password
securityRole   Luisa Administrator

I've modified the file ldap.attrmap as follows (this is the only change I've made):

replyItem Login-LAT-Group securityRole

I thought that modifying this line to match the LDAP attribute would return all values for the user (testuser) in the LDAP schema. When I use NTRadPing the response is:

Sending authentication request to server test.server:1645
Transmitting packet, code=1 id=0 length=50
Received response from the server in 10 milliseconds
Reply packet code=2 id0 length=27
Response: Access-Accept
attribute dump--
Login-LAT-Group=Users

Can you or anyone suggest any howto site? I've read the LDAP doc and it doesn't mention how to implement this. Is this possible? Did I miss a step?

Thank you
-denis
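The distinction Alan draws above, one attribute carrying a comma-joined value versus several instances of the attribute, is visible on the wire, and the NTRadPing dump (length=27, one Login-LAT-Group) is what the single-instance form looks like. As an added Go example, not FreeRADIUS code, here is the RFC 2865 Type/Length/Value layout for a reply, built both ways from the securityRole values in the post and decoded back. Function names and the comma-joined variant are my constructions; Login-LAT-Group is attribute 36 in RFC 2865.

```go
// Added example, not FreeRADIUS code: how several values of one reply attribute travel in a
// RADIUS packet (RFC 2865): as repeated Type/Length/Value items, not as one comma-joined value.
package main

import (
	"errors"
	"fmt"
	"strings"
)

const LoginLATGroup = 36 // RFC 2865 attribute number for Login-LAT-Group

// AVP is one attribute-value pair as carried on the wire.
type AVP struct {
	Type  byte
	Value []byte
}

// Encode lays out the list as Type(1) Length(1) Value(n) items; Length counts the two header bytes.
func Encode(avps []AVP) ([]byte, error) {
	var out []byte
	for _, a := range avps {
		if len(a.Value) == 0 || len(a.Value) > 253 {
			return nil, fmt.Errorf("attribute %d: value length %d out of range 1..253", a.Type, len(a.Value))
		}
		out = append(out, a.Type, byte(2+len(a.Value)))
		out = append(out, a.Value...)
	}
	return out, nil
}

// Decode walks the attribute area of a packet and returns every item in order,
// rejecting a Length that is below the 2-byte minimum or runs past the buffer.
func Decode(b []byte) ([]AVP, error) {
	var avps []AVP
	for len(b) > 0 {
		if len(b) < 2 || int(b[1]) < 2 || int(b[1]) > len(b) {
			return nil, errors.New("malformed attribute length")
		}
		n := int(b[1])
		avps = append(avps, AVP{Type: b[0], Value: append([]byte(nil), b[2:n]...)})
		b = b[n:]
	}
	return avps, nil
}

// ReplyFromLDAP mirrors the two ways of mapping a multi-valued LDAP attribute: one reply item
// per value (what "+=" entries produce) versus a single item holding the values joined by commas.
func ReplyFromLDAP(values []string, oneItemPerValue bool) []AVP {
	if !oneItemPerValue {
		return []AVP{{Type: LoginLATGroup, Value: []byte(strings.Join(values, ","))}}
	}
	var avps []AVP
	for _, v := range values {
		avps = append(avps, AVP{Type: LoginLATGroup, Value: []byte(v)})
	}
	return avps
}

// Values returns the string values of every instance of attribute t, in wire order.
func Values(avps []AVP, t byte) []string {
	var vals []string
	for _, a := range avps {
		if a.Type == t {
			vals = append(vals, string(a.Value))
		}
	}
	return vals
}

func main() {
	// securityRole values from the LDAP entry in the post (constructed input)
	roles := []string{"Users", "testgroup1", "testgroup2", "Change Password", "Luisa Administrator"}
	for _, multi := range []bool{true, false} {
		wire, _ := Encode(ReplyFromLDAP(roles, multi))
		got, _ := Decode(wire)
		fmt.Printf("one item per value=%v: %d bytes, %d Login-LAT-Group instances: %q\n",
			multi, len(wire), len(Values(got, LoginLATGroup)), Values(got, LoginLATGroup))
	}
}
```

A NAS that understands Login-LAT-Group reads one group per instance, so the comma-joined form is a single, probably unknown, group name to it; only the repeated-instance form expresses membership in several groups, which is why each LDAP value needs its own reply item.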
Accounting Attributes
I have a Cisco 2509 NAS box. I want it to send me all the accounting attributes mentioned in the RFCs that are used by freeRADIUS. Presently, it sends very few accounting attributes. Can anyone tell me how to configure the NAS to add more accounting attributes besides what it sends?

Thanks,
Nishant
Re: MS-CHAP/PEAP
> PEAP requires a certificate for the server, but not for the clients.

What are the differences between PEAP and EAP-TTLS? Which one is more secure? Which one has broader support in supplicants? Can I use both eap-ttls and peap?

--
damjan | This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!
Re: [Q]: Assigning VLANs and restricting logins?
> Would it be right to say that a RADIUS server in 802.1X authentication allows a client to be authenticated but cannot unauthenticate an authenticated client and let the AP (NAS) know about this unauthentication? I guess it comes down to: the RADIUS server responds to clients but does not initiate talking to clients.

That's true, the radius server just responds to the NAS equipment (be that a wireless access point or a dial-up access server or a VPN access server etc...).

> So, if I log on with my XP laptop through 802.1X successfully and then a few minutes later, the system admin logged off all users (including me) with the intent to force reauthentications. But, my laptop thinks it's still authenticated and logged in.

Well if the admin instructs the NAS equipment to log off all the users, your laptop should know immediately that it's disassociated from the wifi AP. When your laptop tries to log on again, and makes that request to the AP, the AP will contact the radius server again.

--
damjan
RE: [Q]: Assigning VLANs and restricting logins?
> Well if the admin instructs the NAS equipment to log off all the users, your laptop should know immediately that it's disassociated from the wifi AP. When your laptop tries to log on again, and makes that request to the AP, the AP will contact the radius server again.

Admin can/would log off the logged in clients on the domain that the RADIUS server resides on. That's not a problem. But how does one tell the NAS equipment about it? In my case, what would be the protocol to ask the NAS equipment to disassociate certain clients?

Thanks,
Htin
Re: [Q]: Assigning VLANs and restricting logins?
> Admin can/would log off the logged in clients on the domain that the RADIUS server resides on. That's not a problem. But how does one tell the NAS equipment about it? In my case, what would be the protocol to ask the NAS equipment to disassociate certain clients?

Obviously that depends from NAS to NAS, for ex. I can telnet into my dial-up access server and kick a user by his ID.

btw, if you don't tell the NAS equipment that a user should be logged off you've done nothing by "Admin can/would log off the logged in clients on the domain that the RADIUS server resides on." What would that accomplish (I don't even understand how you think that will work?!?)

--
damjan
RE: [Q]: Assigning VLANs and restricting logins?
> btw, if you don't tell the NAS equipment that a user should be logged off you've done nothing by "Admin can/would log off the logged in clients on the domain that the RADIUS server resides on." What would that accomplish (I don't even understand how you think that will work?!?)

Thanks. I of course knew that it will not work, and did not imply that it should work without telling the NAS... Simply wondering if there is a standard way, or part of any standard, to do this.

Htin
Help - a very different network config
Hi all,

Looking for some help. What I need to find out is how to config a radius to auth all my wireless traffic before issuing an IP via DHCP, then letting it auth on a Windows, Novell or Apple LAN. The other catch is that I need to authenticate to an LDAP server upstream, while allowing all my hardwired PCs to obtain an IP via DHCP but bypassing the radius server. I believe I can do this with FreeRADIUS. I don't want much, do I?

Thanks,
Chris Bailey
Freeradius + Mysql Issues!
Hi all,

My goal is to use Freeradius with the sql module for authenticating users. I'm using version 0.9.3 (installed from rpms i created with the specfile that came with the tarball). I've been working off of this tutorial: http://www.frontios.com/freeradius.html

I got but then I proceeded to follow the instructions for sql and have run in to some trouble. I followed all of the required steps and am unable to authenticate. I'm using the following command to test the server:

radtest alexander jujai localhost 17 password

and i get the following result:

[EMAIL PROTECTED] root]# radtest alexander jujai localhost 17 password
Sending Access-Request of id 240 to 127.0.0.1:1812
User-Name = "alexander"
User-Password = "jujai"
NAS-IP-Address = gk.orbit2000.net
NAS-Port = 17
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=240, length=20

Here is a snippet of the output produced when i run in debug mode:

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=240, length=61
User-Name = "alexander"
User-Password = "jujai"
NAS-IP-Address = 255.255.255.255
NAS-Port = 17
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '@' in User-Name = "alexander", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat: 'alexander'
rlm_sql (sql): sql_set_user escaped user --> 'alexander'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'alexander' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'alexander' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'alexander' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'alexander' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user [alexander]
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns notfound for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns notfound for request 0
modcall: group authenticate returns notfound for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 240 to 127.0.0.1:32769
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 240 with timestamp 40b49ae9
Nothing to do. Sleeping until we see a request.

And here's the only entry in my radcheck table:

+----+-----------+-----------+----+----------+
| id | UserName  | Attribute | op | Value    |
+----+-----------+-----------+----+----------+
|  1 | alexander | Password  | == | password |
+----+-----------+-----------+----+----------+

Any suggestions would be greatly appreciated. I've been working on this for several days now and haven't made much progress. I hope I've done enough footwork on my own to keep away the flames :)

Thanks in advance,
RE: Freeradius + Mysql Issues!
Hi, I think you have to modify sql.conf and add the table names correctly, because your output suggests that the radius server is not able to connect to the sql server, hence it is not able to retrieve the user credentials.

Regards,
manjunath

-----Original Message-----
From: Alexander Khoo [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 27, 2004 9:17 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Freeradius + Mysql Issues!

Hi all,

My goal is to use Freeradius with the sql module for authenticating users. I'm using version 0.9.3 (installed from rpms I created with the specfile that came with the tarball). I've been working off of this tutorial: http://www.frontios.com/freeradius.html

I got but then I proceeded to follow the instructions for sql and have run into some trouble. I followed all of the required steps and am unable to authenticate. I'm using the following command to test the server:

radtest alexander jujai localhost 17 password

and I get the following result:

[EMAIL PROTECTED] root]# radtest alexander jujai localhost 17 password
Sending Access-Request of id 240 to 127.0.0.1:1812
        User-Name = "alexander"
        User-Password = "jujai"
        NAS-IP-Address = gk.orbit2000.net
        NAS-Port = 17
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=240, length=20

Here is a snippet of the output produced when I run in debug mode:

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=240, length=61
        User-Name = "alexander"
        User-Password = "jujai"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 17
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "alexander", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat:  'alexander'
rlm_sql (sql): sql_set_user escaped user --> 'alexander'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'alexander' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'alexander' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'alexander' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'alexander' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user [alexander]
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: group authenticate returns notfound for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 240 to 127.0.0.1:32769
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 240 with timestamp 40b49ae9
Nothing to do.  Sleeping until we see a request.

And here's the only entry in my radcheck table:

+----+-----------+-----------+----+----------+
| id | UserName  | Attribute | op | Value    |
+----+-----------+-----------+----+----------+
|  1 | alexander | Password  | == | password |
+----+-----------+-----------+----+----------+

Any suggestions would be greatly appreciated. I've been working on this for several days now and haven't made much progress. I hope I've done enough footwork on my own to keep away the flames :)

Thanks in advance,
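To make the authorize path in the debug output above concrete, here is an added example (not code from the list post or from FreeRADIUS) that replays rlm_sql's four lookups against an in-memory sqlite3 stand-in for the MySQL tables. The table and column names come from the logged queries, the single radcheck row is the one from the post, and the user name is bound as a parameter rather than interpolated after escaping.

```python
import sqlite3

# Constructed stand-in for the MySQL tables named in the logged queries
# (assumption: column layout as the SELECTs imply). The one row mirrors
# the radcheck entry shown in the original post.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
INSERT INTO radcheck VALUES (1, 'alexander', 'Password', '==', 'password');
"""

# The four authorize queries from the debug log. rlm_sql interpolates the
# escaped user name; here the driver binds it as a parameter instead.
QUERIES = {
    "check": "SELECT id,UserName,Attribute,Value,op FROM radcheck "
             "WHERE Username = ? ORDER BY id",
    "groupcheck": "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,"
                  "radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup "
                  "WHERE usergroup.Username = ? AND usergroup.GroupName = radgroupcheck.GroupName "
                  "ORDER BY radgroupcheck.id",
    "reply": "SELECT id,UserName,Attribute,Value,op FROM radreply "
             "WHERE Username = ? ORDER BY id",
    "groupreply": "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,"
                  "radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup "
                  "WHERE usergroup.Username = ? AND usergroup.GroupName = radgroupreply.GroupName "
                  "ORDER BY radgroupreply.id",
}

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def sql_authorize(conn, user, queries=QUERIES):
    """Run the four lookups; return (status, check_items, reply_items).
    status: 'ok', 'notfound' (no row anywhere, what the log shows) or 'fail'
    (a query error, e.g. a table name in sql.conf that is not in the database)."""
    try:
        rows = {k: conn.execute(q, (user,)).fetchall() for k, q in queries.items()}
    except sqlite3.OperationalError:
        return "fail", [], []
    # Reduce each row to (Attribute, op, Value); columns are in SELECT order.
    check = [(r[2], r[4], r[3]) for r in rows["check"] + rows["groupcheck"]]
    reply = [(r[2], r[4], r[3]) for r in rows["reply"] + rows["groupreply"]]
    if not check and not reply:
        return "notfound", [], []
    return "ok", check, reply
```

With the row present the lookup returns the Password check item, so a 'notfound' for this user means the server is not reading the table it was shown; a misnamed table surfaces as 'fail' rather than silently as 'notfound'.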
