Returning parameters from script fails

2004-05-26 Thread Roman Suzi

Hi,

we are using the freeradius 0.9.3 CVS snapshot of May 24 on RH Linux 7.3.
And now we have a different problem with scripts: values are not returned
when there is more than one attribute.

To explain it simply:

This works:

#!/usr/bin/python
# Auth script: prints one reply attribute for the exec module (Python 2)
import sys

# print "Framed-IP-Netmask = 255.255.255.255"
print "Framed-IP-Address = 217.107.182.222"
sys.exit(0)


While this does not:

#!/usr/bin/python
# Auth script: prints two reply attributes (Python 2)
import sys

print "Framed-IP-Netmask = 255.255.255.255"
print "Framed-IP-Address = 217.107.182.222"
sys.exit(0)

(radius sees no attributes at all)

It worked before we updated radius. Are we doing anything wrong?

Thank you for any hints in advance!

Sincerely yours, Roman A.Suzi
-- 
 - Petrozavodsk - Karelia - Russia - mailto:[EMAIL PROTECTED] -


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_eap_leap: No User-Password or NT-Password configured for this user

2004-05-26 Thread Joseph Silvin
Hi,

I am trying to authenticate a Cisco AP 1200 against FreeRADIUS through
LDAP. The following is the error I am getting after stage 2: rlm_eap_leap:
No User-Password or NT-Password configured for this user. The LDAP
authentication is getting done, and the EAP is also getting started. But
the credentials from LDAP are not getting used for EAP.

Please suggest the reason for this error. Log is given below.

Joseph

===
rad_recv: Access-Request packet from host 192.168.1.7:21645, id=245,
length=125
User-Name = FAnthony
Framed-MTU = 1400
Called-Station-Id = 000e.d7b1.008b
Calling-Station-Id = 000f.2478.85cf
Message-Authenticator = 0x2f568765c076a1cc35ec515b50580740
EAP-Message = 0x0202000d0146416e74686f6e79
NAS-Port-Type = Wireless-802.11
NAS-Port = 485
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.7
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  rlm_eap: EAP packet type notification id 2 length 13
  rlm_eap: EAP Start not found
  modcall[authorize]: module eap returns updated for request 0
rlm_realm: No '@' in User-Name = FAnthony, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'o=MyOrg'
radius_xlat:  '(uid=FAnthony)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.41:389, authentication 0
rlm_ldap: bind as cn=Admin,o=MyOrg/removed to 192.168.1.41:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony)
ldap_release_conn: Release Id: 0
radius_xlat:  '((uid=FAnthony)(objectclass=top))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=MyLoc,O=MyOrg, with filter
((uid=FAnthony)(objectclass=top))
rlm_ldap::ldap_groupcmp: User found in group OU=MyLoc,O=MyOrg
ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 156
users: Matched DEFAULT at 175
  modcall[authorize]: module files returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for FAnthony
radius_xlat:  '(uid=FAnthony)'
radius_xlat:  'o=MyOrg'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony)
rlm_ldap: checking if remote access for FAnthony is allowed by
proposedaltorgunit
rlm_ldap: Password header not found in password (91CA0741343JHUG6C9A32A21F)
for user FAnthony
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user FAnthony authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 0
  rlm_eap: EAP packet type notification id 2 length 13
  rlm_eap: EAP Start not found
  rlm_eap: EAP Identity
  rlm_eap: processing type leap
  rlm_eap_leap: Stage 2
  rlm_eap_leap: Issuing AP Challenge
  rlm_eap_leap: Successfully initiated
  modcall[authenticate]: module eap returns ok for request 0
modcall: group authenticate returns ok for request 0
modcall: entering group post-auth for request 0
radius_xlat:  '/var/log/radius/radacct/192.168.1.7/reply-detail-20040524'
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to
/var/log/radius/radacct/192.168.1.7/reply-detail-20040524
  modcall[post-auth]: module reply_log returns ok for request 0
modcall: group post-auth returns ok for request 0
Sending Access-Challenge of id 245 to 192.168.1.7:21645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0103001811010008b94601729c9a3dd446416e74686f6e79
Message-Authenticator = 0x
State =
0xe3166619f4e5ebeceeecf4c8ad538f14c2b3b1406fa168fb18df0f59e7687b3844c0e160
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.1.7:21645, id=246,
length=190
User-Name = FAnthony
Framed-MTU = 1400
Called-Station-Id = 000e.d7b1.008b
Calling-Station-Id = 000f.2478.85cf
Message-Authenticator = 0xbbf0ade28f802ee85b254d14fd07308c
EAP-Message =
0x0203002811010018e24bd48592abbef7378f8fc67fcd97fe01e0cfd3cba39e1446416e74686f6e79
NAS-Port-Type = Wireless-802.11
NAS-Port = 485
State =
0xe3166619f4e5ebeceeecf4c8ad538f14c2b3b1406fa168fb18df0f59e7687b3844c0e160
Service-Type = Framed-User
NAS-IP-Address = 

Re: MySQL and EAP-TLS

2004-05-26 Thread James
At 18:51 on Tuesday 25 May 2004, Alan DeKok wrote:
 James [EMAIL PROTECTED] wrote:
  I know that it is possible to use EAP-TLS for authentication
  purposes together with My-SQL for authorization. However I cannot
  figure out what to put in radiuscheck in lieu of the password
  attribute

   Nothing.

Thank you, Alan, for your reply, but I need some more explanation. What did you
mean when you said "Nothing"? Should I leave the Attribute and Value
columns in the radiuscheck table empty, or should I create a new radiuscheck table
without them, or should I not even use such a table?

Thank you again. 




Re: rlm_eap_leap: No User-Password or NT-Password configured for this user

2004-05-26 Thread Kostas Kalevras
On Wed, 26 May 2004, Joseph Silvin wrote:

 Hi,

 I am trying to authenticate a Cisco AP 1200 against FreeRADIUS through
 LDAP. The following is the error I am getting after stage 2: rlm_eap_leap:
 No User-Password or NT-Password configured for this user. The LDAP
 authentication is getting done, and the EAP is also getting started. But
 the credentials from LDAP are not getting used for EAP.

 Please suggest the reason for this error. Log is given below.

 Joseph

 ===
 rad_recv: Access-Request packet from host 192.168.1.7:21645, id=245,
 length=125
 User-Name = FAnthony
 Framed-MTU = 1400
 Called-Station-Id = 000e.d7b1.008b
 Calling-Station-Id = 000f.2478.85cf
 Message-Authenticator = 0x2f568765c076a1cc35ec515b50580740
 EAP-Message = 0x0202000d0146416e74686f6e79
 NAS-Port-Type = Wireless-802.11
 NAS-Port = 485
 Service-Type = Framed-User
 NAS-IP-Address = 192.168.1.7


[...]

 rlm_ldap: Password header not found in password (91CA0741343JHUG6C9A32A21F)
 for user FAnthony

The above is the error you are looking for. Check the password_header ldap
configuration directive.

 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



intermediate accounting

2004-05-26 Thread Silvestre Malta



Hello list,

Is it possible to activate "intermediate accounting" in freeradius?

The objective is:

I have a proxy RADIUS (radius1) that authenticates and sends accounting
packets to another RADIUS server (radius2).

Sometimes I have clients that, when they disconnect, radius2 doesn't receive
the stop packet for the accounting of that session, so I have thought of doing
intermediate accounting: radius1 will send accounting packets to radius2 at
intervals of 10 minutes, so if there is a problem and the stop packet from
radius1 doesn't reach radius2, I will still have some accounting information,
because radius1 has previously sent that information. So I lose some
information, but I don't lose it all...

Best regards



Re: eap-tls with XP client and linux client

2004-05-26 Thread Ulf Jakobsson
Alan DeKok wrote:
Szabo David [EMAIL PROTECTED] wrote:
Why does the XP client lose the connection when the RADIUS server is
cleaning up requests?

  It doesn't.  The two events are completely independent.
  What's probably happening is that there's a Session-Timeout sent in
the reply, which tells the AP to kick the client off after a short
period of time.
  Alan DeKok.
What do you mean? How do I change that variable?
Is the variable in the answer from the RADIUS server to the client?
/Ulf



Re: rlm_eap_leap: No User-Password or NT-Password configured for this user

2004-05-26 Thread Joseph Silvin

Hi,

Thanks.
I have rectified the password_header, and now the Password header message is gone.
But EAP is still not taking the LDAP password (rlm_eap_leap: Stage 4).

My config:

radiusd.conf
---

default_eap_type = md5


users
---

DEFAULT Auth-Type = LDAP
  Fall-Through = 1

Instead of this, if I put the following in manually, the card associates with the
AP. (LDAPPassword is the actual password.)


DEFAULT Auth-Type = LDAP, User-Password = LDAPPassword
  Fall-Through = 1

Waiting for your comments.

Joseph



Revised Log below.
=

rad_recv: Access-Request packet from host 192.168.1.7:21646, id=16,
length=125
User-Name = FAnthony
Framed-MTU = 1400
Called-Station-Id = 000e.d7b1.008b
Calling-Station-Id = 000f.2478.85cf
Message-Authenticator = 0xe8f0eb5a20be270bdf42e04b15641dd6
EAP-Message = 0x0202000d0146416e74686f6e79
NAS-Port-Type = Wireless-802.11
NAS-Port = 495
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.7
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  rlm_eap: EAP packet type notification id 2 length 13
  rlm_eap: EAP Start not found
  modcall[authorize]: module eap returns updated for request 0
rlm_realm: No '@' in User-Name = FAnthony, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'o=MyOrg'
radius_xlat:  '(uid=FAnthony)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.41:389, authentication 0
rlm_ldap: bind as cn=Admin,o=MyOrg/deleted to 192.168.1.41:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony)
ldap_release_conn: Release Id: 0
radius_xlat:  '((uid=FAnthony)(objectclass=top))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=MyLoc,O=MyOrg, with filter
((uid=FAnthony)(objectclass=top))
rlm_ldap::ldap_groupcmp: User found in group OU=MyLoc,O=MyOrg
ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 156
users: Matched DEFAULT at 175
  modcall[authorize]: module files returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for FAnthony
radius_xlat:  '(uid=FAnthony)'
radius_xlat:  'o=MyOrg'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony)
rlm_ldap: checking if remote access for FAnthony is allowed by
proposedaltorgunit
rlm_ldap: Added password (91CA074DSFSD4453936C9A32AF) in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user FAnthony authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 0
  rlm_eap: EAP packet type notification id 2 length 13
  rlm_eap: EAP Start not found
  rlm_eap: EAP Identity
  rlm_eap: processing type leap
  rlm_eap_leap: Stage 2
  rlm_eap_leap: Issuing AP Challenge
  rlm_eap_leap: Successfully initiated
  modcall[authenticate]: module eap returns ok for request 0
modcall: group authenticate returns ok for request 0
modcall: entering group post-auth for request 0
radius_xlat:  '/var/log/radius/radacct/192.168.1.7/reply-detail-20040524'
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to
/var/log/radius/radacct/192.168.1.7/reply-detail-20040524
  modcall[post-auth]: module reply_log returns ok for request 0
modcall: group post-auth returns ok for request 0
Sending Access-Challenge of id 16 to 192.168.1.7:21646
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x01030018110100087900c7559163b3ae46416e74686f6e79
Message-Authenticator = 0x
State =
0x862fd36799ba12ee881a477605e2880b5bd0b140aba87a1a97c697e9e6ca0f3a970c65d2
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.7:21646, id=17,
length=190
User-Name = FAnthony
Framed-MTU = 1400
Called-Station-Id = 000e.d7b1.008b
Calling-Station-Id = 000f.2478.85cf
Message-Authenticator = 0x61f158e50ab18ae2609916cdde5d3768
EAP-Message =
0x0203002811010018010364ea1f5cfcc8d6a0ce99255ffd208bbc7dd9f77326a246416e74686f6e79
NAS-Port-Type = Wireless-802.11
NAS-Port = 495
State =
0x862fd36799ba12ee881a477605e2880b5bd0b140aba87a1a97c697e9e6ca0f3a970c65d2
  

max6000 and freeradius - authentication ok, log into radius-mysql not send full information

2004-05-26 Thread Dilson



Hi all,

I need to log in the radius radacct (MySQL database) the ConnectInfo_Start and
ConnectInfo_stop information of MAX users (max6000).
Authentication is OK, but this information doesn't get logged in the database.
Can anyone help me?

Thanks,

Dilson.


PEAP vs EAP/TLS

2004-05-26 Thread BLANCA FERRERO RODRIGUEZ
One doubt: basically, the operation between server and AP is the same in EAP/TLS and
PEAP, except that in the former the user has a cert and in the latter a
screen should be prompted for the user to enter their login and password, so the RADIUS
server must check them in the users file?

Sorry for the basic question, but I'm not able to get the prompt for my user and I'm
trying to rule out any basic mistake in concepts.

thanks

bfr



isn't it?
- Original Message -
From: BLANCA FERRERO RODRIGUEZ [EMAIL PROTECTED]
Date: Tuesday, May 25, 2004 8:45 am
Subject: Re: peap user

 
   I'm configuring PEAP. I think the freeradius config is Ok.
  ...
   modcall: group authorize returns updated for request 0
 rad_check_password:  Found Auth-Type Reject
 rad_check_password: Auth-Type = Reject, rejecting user
  
   Nope, it's not.
  
   Alan DeKok.
  
 
 I think that message comes because the user sent by my AP to the 
 radius is not in my users file, and it matches a default user I 
 added with Auth-Type = reject... but it makes sense doesn't it?
 
 
 bfr
 
 




Re: Returning parameters from script fails (solved)

2004-05-26 Thread Roman Suzi

I forgot to add the comma:

print "Framed-IP-Netmask = 255.255.255.255,"
print "Framed-IP-Address = 217.107.182.222,"

Sincerely yours, Roman A.Suzi
-- 
 - Petrozavodsk - Karelia - Russia - mailto:[EMAIL PROTECTED] -

On Wed, 26 May 2004, Roman Suzi wrote:


 Hi,

 we are using the freeradius 0.9.3 CVS snapshot of May 24 on RH Linux 7.3.
 And now we have a different problem with scripts: values are not returned
 when there is more than one attribute.

 To explain it simply:

 This works:

 #!/usr/bin/python
 # Auth script: prints one reply attribute for the exec module (Python 2)
 import sys

 # print "Framed-IP-Netmask = 255.255.255.255"
 print "Framed-IP-Address = 217.107.182.222"
 sys.exit(0)


 While this does not:

 #!/usr/bin/python
 # Auth script: prints two reply attributes (Python 2)
 import sys

 print "Framed-IP-Netmask = 255.255.255.255"
 print "Framed-IP-Address = 217.107.182.222"
 sys.exit(0)

 (radius sees no attributes at all)

 It worked before we updated radius. Are we doing anything wrong?

 Thank you for any hints in advance!

 Sincerely yours, Roman A.Suzi
 --
  - Petrozavodsk - Karelia - Russia - mailto:[EMAIL PROTECTED] -




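A worked example of the output format Roman's two posts turn on, added here and not part of his scripts or of FreeRADIUS itself: a script run by the exec module hands reply attributes back as a comma-separated "Attribute = Value" list, so leaving the comma out between two attributes is not a partial result but a parse failure. The block builds such a line for a set of attributes and parses one with a deliberately all-or-nothing reader; it is a simplified model of that format, not the server's own parser, the function names `format_reply_attrs` and `parse_reply_attrs` are mine, and it is written for Python 3 rather than the Python 2 of the scripts above.

```python
# Added example (not from the mailing-list post and not FreeRADIUS code):
# a small model of the "Attribute = Value, Attribute = Value" list that an
# exec-style auth script hands back to the server, written for Python 3.
import re

# One item: attribute name, operator, then either a double-quoted string
# or a single bare token, followed by a comma or the end of the text.
_ITEM = re.compile(
    r'([A-Za-z0-9_.:-]+)\s*(:=|==|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]*)\s*(,|$)'
)


def format_reply_attrs(pairs):
    """Render (attribute, value) pairs as one line the server can parse.

    Values containing spaces must already be double-quoted by the caller.
    """
    return ", ".join(f"{attr} = {value}" for attr, value in pairs)


def parse_reply_attrs(text):
    """Parse 'A = v, B = w' into [(attr, op, value), ...].

    The reader is deliberately all-or-nothing: any text that is not a
    well-formed comma-separated list yields an empty list, which is the
    symptom reported in the thread ("radius sees no attributes at all")
    when two attributes are printed without a comma between them.
    """
    items = []
    rest = text.strip()
    while rest:
        m = _ITEM.match(rest)
        if not m:
            return []
        attr, op, value, sep = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        items.append((attr, op, value))
        rest = rest[m.end():].strip()
        if sep != "," and rest:
            return []  # two items with no separator between them
    return items


if __name__ == "__main__":
    # Constructed sample outputs, mirroring the two scripts from the thread.
    good = "Framed-IP-Netmask = 255.255.255.255,\nFramed-IP-Address = 217.107.182.222,\n"
    bad = "Framed-IP-Netmask = 255.255.255.255\nFramed-IP-Address = 217.107.182.222\n"
    print(parse_reply_attrs(good))   # two items
    print(parse_reply_attrs(bad))    # [] - nothing reaches the server
    print(format_reply_attrs([("Framed-IP-Netmask", "255.255.255.255"),
                              ("Framed-IP-Address", "217.107.182.222")]))
```

The trailing comma after the last item is accepted, so printing each attribute on its own line with a comma inside the string, as in Roman's fix, parses the same as one comma-joined line.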


Re: PEAP vs EAP/TLS

2004-05-26 Thread Frédéric EVRARD
 One doubt: basically, the operation between server and AP is the same in
 EAP/TLS and PEAP, except that in the former the user has a cert
 and in the latter a screen should be prompted for the user to enter
 their login and password, so the RADIUS server must check them in the users file?

I don't know about PEAP, but with EAP-TLS you just need the password for the
key of the client certificate on the supplicant, and the password for the key
of the server certificate on the FreeRADIUS server. But these passwords
don't go through the network. (And you need the root/CA certificate on each
side, of course.)
Then on Linux xsupplicant you can put the password in your TLS config file,
and then the connection is automatic. On Windows maybe you have a prompt for the
password at each connection; I'm working on it at the moment.
I hope I haven't made a mistake and that this can help you.

Fred

 Sorry for the basic question, but I'm not able to get the prompt for my
 user and I'm trying to rule out any basic mistake in concepts.

 thanks

 bfr



 isn't it?
 - Original Message -
 From: BLANCA FERRERO RODRIGUEZ [EMAIL PROTECTED]
 Date: Tuesday, May 25, 2004 8:45 am
 Subject: Re: peap user


   I'm configuring PEAP. I think the freeradius config is Ok.
  ...
   modcall: group authorize returns updated for request 0
 rad_check_password:  Found Auth-Type Reject
 rad_check_password: Auth-Type = Reject, rejecting user
 
   Nope, it's not.
 
   Alan DeKok.
 

 I think that message comes because the user sent by my AP to the
 radius is not in my users file, and it matches a default user I
 added with Auth-Type = reject... but it makes sense doesn't it?


 bfr







Re: MySQL and EAP-TLS

2004-05-26 Thread Alan DeKok
James [EMAIL PROTECTED] wrote:
 Thank you, Alan, for your reply, but I need some more explanation. What
 did you mean when you said "Nothing"? Should I leave the
 Attribute and Value columns in the radiuscheck table empty, or should I create
 a new radiuscheck table without them, or should I not even use such a
 table?

  You don't need to do anything.  EAP-TLS is authenticated via
certificates, and therefore needs *nothing* from MySQL.

  Alan DeKok.



Re: intermediate accounting

2004-05-26 Thread Alan DeKok
Silvestre Malta [EMAIL PROTECTED] wrote:
 Is it possible to activate intermediate accounting in freeradius ?

  If your NAS sends accounting updates, yes.

 Sometimes I have clients that, when they disconnect, radius2 doesn't
 receive the stop packet for the accounting
 of that session, so I have thought of doing intermediate accounting:
 radius1 will send accounting packets to radius2
 at intervals of 10 minutes,

  With what data?  It can't invent the data.

  The NAS has to send accounting updates.  Nothing else can send that
information.

  Alan DeKok.




Re: max6000 and freeradius - authentication ok, log into radius-mysql not send full information

2004-05-26 Thread Alan DeKok
Dilson [EMAIL PROTECTED] wrote:
 I need to log in the radius radacct (MySQL database) the
 ConnectInfo_Start and ConnectInfo_stop information of MAX users (max6000).
 Authentication is OK, but this information doesn't get logged in the database.

  See the FAQ.  The server logs only what the NAS sends it.

  Alan DeKok.



Re: PEAP vs EAP/TLS

2004-05-26 Thread Alan DeKok
BLANCA FERRERO RODRIGUEZ [EMAIL PROTECTED] wrote:
 One doubt: basically, the operation between server and AP is the same
 in EAP/TLS and PEAP, except that in the former the user has
 a cert and in the latter a screen should be prompted for the user to
 enter their login and password, so the RADIUS server must check them in the
 users file?

  Yes.

  Alan DeKok.



Re: intermediate accounting

2004-05-26 Thread Silvestre Malta
Ok,

so if the NAS sends accounting updates, do I need to make any extra
configuration in FreeRADIUS to be able to receive those accounting updates?

Thanks

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 3:26 PM
Subject: Re: intermediate accounting


 Silvestre Malta [EMAIL PROTECTED] wrote:
  Is it possible to activate intermediate accounting in freeradius ?

   If your NAS sends accounting updates, yes.

  Sometimes I have clients that, when they disconnect, radius2 doesn't
  receive the stop packet for the accounting
  of that session, so I have thought of doing intermediate accounting:
  radius1 will send accounting packets to radius2
  at intervals of 10 minutes,

   With what data?  It can't invent the data.

   The NAS has to send accounting updates.  Nothing else can send that
 information.

   Alan DeKok.








Re: intermediate accounting

2004-05-26 Thread Alan DeKok
Silvestre Malta [EMAIL PROTECTED] wrote:
 so if the NAS sends accounting updates, do I need to make any extra
 configuration
 in FreeRADIUS to be able to receive those accounting updates?

  No.

  Alan DeKok.



Re: CHAP Authentication Problem

2004-05-26 Thread Alan DeKok
SANDEEP KHANNA [EMAIL PROTECTED] wrote:
 1. If I use the freeradius server and client for CHAP
 authentication using the command
 
 $ echo User-Name=someuser | radclient localhost auth
 shared secret key
 
 , it returns nothing.

  That's because you're not using CHAP there.

 2. If I use another RADIUS server (not freeradius) and
 try to log in through the freeradius client with the command
 (FOR PAP)
 
 $ echo User-Name=someuser,User-Password=somepassword
 | radclient localhost auth shared secret key
 
 , it works absolutely fine.

  So... you're comparing not using CHAP on FreeRADIUS, to using PAP
with another server.

  Why?

 (FOR CHAP), I am facing a problem when I use the
 command
 $ echo User-Name=someuser | radclient localhost:port
 auth shared secret key
 , it returns
 Received response ID 51, code 11, length=163
   Reply-Message = Your Offline challenge 0840
 2828.Enter your PIN and this challenge in your Offline
 Client.Enter the result!

  That isn't FreeRADIUS.

 Then I generate the CHAP-Password by entering the PIN and
 the challenge in my offline client.
   Then I use the command
   $ echo
 User-Name=someuser,CHAP-Password=generatedpassword,CHAP-Challenge=0840
 2828,State=asmentionedabove | radclient
 server_ip:port auth shared secret key
   and it always returns "Wrong Credentials".

  I would suggest asking the vendor of the other RADIUS server what
the problem is.

  The problem has nothing to do with FreeRADIUS, so far as I can tell.

  Alan DeKok.


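To make concrete what Alan means by "you're not using CHAP there", here is an added example (my code, not radclient's or FreeRADIUS's) of what a CHAP Access-Request actually carries and what the server has to hold to check it, following RFC 2865 section 5.3: CHAP-Password is the CHAP Ident octet followed by MD5(Ident + password + challenge), and the challenge is CHAP-Challenge or, failing that, the Request Authenticator. The names `client_request` and `server_check` are mine and the user name, password and challenge are constructed placeholders. A request carrying only User-Name, as in the first radclient command above, is rejected before any CHAP computation happens, and a server that does not hold the cleartext password cannot verify CHAP at all, which is the same constraint behind the LEAP "No User-Password or NT-Password" thread above.

```python
# Added example (not from the thread, radclient or FreeRADIUS): the CHAP
# computation of RFC 2865 section 5.3, shown from the client and the server
# side, with the checks a server has to make before it can verify anything.
import hashlib
import hmac


def chap_password(ident, password, challenge):
    """Value of the CHAP-Password attribute: Ident octet + MD5(Ident + password + challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Ident is a single octet")
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest


def client_request(user, password, challenge, ident=1):
    """Attributes a CHAP client puts in its Access-Request (hex, as radclient prints them).

    The password itself never leaves the client; only the MD5 response does.
    """
    return {
        "User-Name": user,
        "CHAP-Challenge": "0x" + challenge.hex(),
        "CHAP-Password": "0x" + chap_password(ident, password, challenge).hex(),
    }


def server_check(request, cleartext_passwords):
    """Server side: returns 'Access-Accept' or an 'Access-Reject: reason' string.

    cleartext_passwords maps user name -> cleartext password bytes. CHAP can
    only be verified against the cleartext password, never against a one-way
    hash of it, so a user without one cannot be authenticated this way.
    """
    user = request.get("User-Name")
    if "CHAP-Password" not in request:
        return "Access-Reject: no CHAP-Password in request, this is not a CHAP request"
    # RFC 2865: the challenge is CHAP-Challenge if present, else the Request Authenticator.
    challenge_hex = request.get("CHAP-Challenge") or request.get("Request-Authenticator")
    if challenge_hex is None:
        return "Access-Reject: no challenge available"
    stored = cleartext_passwords.get(user)
    if stored is None:
        return "Access-Reject: no cleartext password configured for this user"
    response = bytes.fromhex(request["CHAP-Password"][2:])
    challenge = bytes.fromhex(challenge_hex[2:])
    if len(response) != 17:
        return "Access-Reject: malformed CHAP-Password (expected 17 octets)"
    expected = chap_password(response[0], stored, challenge)
    if hmac.compare_digest(expected, response):
        return "Access-Accept"
    return "Access-Reject: CHAP response does not match"


if __name__ == "__main__":
    # Constructed sample values; "someuser"/"somepassword" are the placeholders from the thread.
    challenge = bytes(range(16))
    users = {"someuser": b"somepassword"}
    print(server_check(client_request("someuser", b"somepassword", challenge), users))
    print(server_check({"User-Name": "someuser"}, users))   # bare request, not CHAP
```

The comparison uses a constant-time check; the reject reasons are returned as strings only so that the branches are visible here, a real server should log them and send a plain Access-Reject.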


Re: MySQL and EAP-TLS

2004-05-26 Thread James
   You don't need to do anything.  EAP-TLS is authenticated via
 certificates, and therefore needs *nothing* from MySQL.


Hi Alan,

as usual (unfortunately) I didn't make myself clear in describing what I need.
Basically, I want to authenticate users via EAP-TLS, but I also need to look up
the database to add some custom attributes to the RADIUS replies.
These attributes can be, for instance, VLAN IDs or other vendor-specific
attributes.

How can this be done?

Thank you for your patience.




Re: eap-tls with XP client and linux client

2004-05-26 Thread Ulf Jakobsson
Has no one else had this problem?
Maybe this is a solution (it didn't work for me):
http://support.microsoft.com/?kbid=822596
I have also tested with 2 different RADIUS servers (one Linux, one
Windows); the problem is the same. To me it seems that the problem is
on the client side, not the RADIUS server side.

Any ideas, Alan?
Thanks in advance.
/Regards, Ulf
Ulf Jakobsson wrote:
Alan DeKok wrote:
Szabo David [EMAIL PROTECTED] wrote:
Why does the XP client lose the connection when the RADIUS server is
cleaning up requests?

  It doesn't.  The two events are completely independent.
  What's probably happening is that there's a Session-Timeout sent in
the reply, which tells the AP to kick the client off after a short
period of time.
  Alan DeKok.

What do you mean? How do I change that variable?
Is the variable in the answer from the RADIUS server to the client?
/Ulf



No password configured for the user

2004-05-26 Thread Yuemo Zeng
Hi,

I have some issues using FreeRADIUS 0.9.3 on Red Hat Linux ES 3.

This is the debug log:

Thread 2 handling request 16, (4 handled so far)
User-Name = 000347158dea
User-Password = 000347158dea
Called-Station-Id = 0040.96a0.2db9
Calling-Station-Id = 0003.4715.8dea
NAS-Port-Type = Virtual
NAS-Port = 312
NAS-IP-Address = 192.168.0.51
modcall: entering group authorize for request 16
  modcall[authorize]: module preprocess returns ok for request 16
  modcall[authorize]: module chap returns noop for request 16
  modcall[authorize]: module eap returns noop for request 16
rlm_realm: No '@' in User-Name = 000347158dea, looking up realm
NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 16
users: Matched DEFAULT at 158
  modcall[authorize]: module files returns ok for request 16
  modcall[authorize]: module mschap returns noop for request 16
modcall: group authorize returns ok for request 16
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user
auth: Failed to validate the user.
Delaying request 16 for 1 seconds
Finished request 16
Going to the next request
---

And this is the part of the users file
--
000347-158dea   Auth-Type := Local, User-Password == x

DEFAULT Auth-Type = Local
Fall-Through = 1

-

From the postings, I found some similar posts. The fixes are retyping
the password in the users file and on the NAS server, etc. I tried many times,
still no luck.

So if this is the password problem, what's the trick to make this
work?

Thanks!

-Yuemo




Re: Active Directory/radiusServiceType

2004-05-26 Thread Dustin Doris

 I currently have FreeRADIUS setup to authenticate users against Active
 Directory and the local users file.  Now I want to use it as the RADIUS
 server for my Extreme network switches.  My hope is to be able to use the
 Active Directory accounts to authenticate the users to the switch via
 FreeRADIUS.

 After doing some research I see that I need to return the radiusServiceType
 attribute to the Extreme switch.  My understanding is that this will have
 to reside in the LDAP schema/database, correct?  If this is correct, to
 extend the AD schema, I need an OID for the radiusServiceType attribute
 that needs to be unique.  I have been unable to find what the X.500 OID for
 this attribute is.  Anyone know this?

From the RADIUS-LDAPv3.schema

attributetype
   ( 1.3.6.1.4.1.3317.4.3.1.32
  NAME 'radiusServiceType'
  DESC ''
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
   )

Or you can use private numbers.  Here is a link to a page about extending
schemas with openldap.

http://www.openldap.org/doc/admin21/schema.html#Extending%20Schema



 Is there another way to do this that I am missing?  I know I can use the
 users file, but that is not ideal as it is another place that passwords
 have to be managed and I cannot enforce password policies easily this way.

 Any guidance would be greatly appreciated.

 Thanks,
 Mark Capelle









[Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Chris Bshaw
Hi
First, thanks to all who replied to my earlier emails on EAP/TLS + WEP key 
generation. I seem to have this working now.

Now I have some new questions d'oh:
1. I have read that I can have freeradius run a script via Exec-Program-Wait 
at authentication time. I was just wondering would it be possible to use 
this to perform a query over IP on the client station (eg: snmp or 
something)?

2. I have seen mails and docs on allowing freeradius assign VLAN IDs at 
authentication time. I am presuming this would be more suitable for wired 
ethernet switches than wireless access points on APs with VLAN capabilities 
(eg: my Cisco Aironet 1200) you attach to an SSID (which is associated with 
a VLAN). I am guessing the answer to this is probably no, but would it be 
possible to have freeradius dynamically associate a client station to an 
SSID at authentication time?

My interest in these is because I would like if possible to be able to check 
each client station to see if it has the latest patches, virus protection 
s/w etc. and if it doesn't I would like to either disconnect it, or dump it 
in some kind of quarantine SSID (VLAN).

and finally:
3. Is it possible using EAP/TLS to restrict how many times a station with a 
particular certificate connects to the wireless net, i.e. if someone 
takes their certificate and installs it on 10 wireless machines, can I 
configure freeradius (and/or my access point) so that only one active 
wireless connection is allowed for that certificate?

Thanx again for all the recent help, and thanx in advance for any help on 
these.

Chris Bradshaw.



Re: MySQL and EAP-TLS

2004-05-26 Thread Alan DeKok
James [EMAIL PROTECTED] wrote:
 Basically, i want to authenticate users via EAP-TLS but i need also
 to look up on the database for adding some custom attributes on the
 RADIUS replies.  These attributes can be, for instance, VLAN ids or
 other vendor specific attributes.
 
 How can this be done?

  http://www.frontios.com/freeradius.html

  Alan DeKok.



Re: No password configured for the user

2004-05-26 Thread Dennis Skinner
On Wed, 2004-05-26 at 11:14, Yuemo Zeng wrote:

 Thread 2 handling request 16, (4 handled so far)
 User-Name = 000347158dea


 000347-158dea   Auth-Type := Local, User-Password == x

Just a guess here... notice anything different about the username in
the request and the users file?

FreeRADIUS is correct... there is no password in the DEFAULT line which
is what it matched, not the user you have above.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com




IS it necessary to start and stop raddb everytime the clients.conf is modified

2004-05-26 Thread Eric

Thanks

Eric Echeverri


Re: No password configured for the user

2004-05-26 Thread Yuemo Zeng
Hi,

The problem is resolved.

The - is a problem, but not the main one, since I changed a couple of
times. The main one is the password.

Your posting lets me look at the debug log more carefully. It turned
out that the NAS sends out the caller's password as the caller's name
itself, in this case, the MAC itself.  I tried to follow some article,
http://www.wi-fitechnology.com/Wi-Fi_Reports_and_Papers/Freeradius_Deployment_of_MAC_Address.html.
This is why I was stuck.

The lessons I learnt are relying on the debug log and paying attention
to the NAS.

Thanks for your help!

-Yuemo

 [EMAIL PROTECTED] 05/26/04 11:48AM 
On Wed, 2004-05-26 at 11:14, Yuemo Zeng wrote:

 Thread 2 handling request 16, (4 handled so far)
 User-Name = 000347158dea


 000347-158dea   Auth-Type := Local, User-Password == x

Just a guess here... notice anything different about the username in
the request and the users file?

FreeRADIUS is correct... there is no password in the DEFAULT line
which is what it matched, not the user you have above.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


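The two things Dennis and Yuemo pin down above (an entry name with a dash that never matches the dash-less User-Name, and a NAS that sends the MAC as the password) in a toy model of how the users file is walked. This is an added illustration, not FreeRADIUS code; the users-file text and the request are constructed.

```python
import re

# Constructed users-file text modelled on the thread: the entry name carries a
# dash while the NAS sends the MAC without one, so only DEFAULT can match.
USERS_BROKEN = """\
000347-158dea   Auth-Type := Local, User-Password == "x"
DEFAULT         Auth-Type := Local
"""

# Corrected entry: the name matches what the NAS sends, and the check password
# is the MAC itself, because this NAS sends the MAC as User-Password too.
USERS_FIXED = """\
000347158dea    Auth-Type := Local, User-Password == "000347158dea"
DEFAULT         Auth-Type := Local
"""

# Constructed request mirroring the debug log: MAC as both name and password.
REQUEST = {"User-Name": "000347158dea", "User-Password": "000347158dea"}

# attribute, operator (:=, ==, =), value (optionally double quoted)
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) triples."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order.

    An entry starts in column 0 with its name and its check items; indented
    continuation lines hold reply items.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1][2].extend(parse_items(line))
            continue
        parts = line.split(None, 1)
        name = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        entries.append((name, parse_items(rest), []))
    return entries


def find_entry(entries, request):
    """First entry whose name is the request's User-Name (or DEFAULT) and whose
    '==' check items all agree with the request.  User-Password is not
    compared here; the authentication step below handles it."""
    for name, check, reply in entries:
        if name not in ("DEFAULT", request["User-Name"]):
            continue
        matched = all(
            request.get(attr) == value
            for attr, op, value in check
            if op == "==" and attr != "User-Password"
        )
        if matched:
            return name, check, reply
    return None


def local_auth(entries, request):
    """Mimic Auth-Type Local: the matched entry must carry a User-Password."""
    match = find_entry(entries, request)
    if match is None:
        return "reject: no matching entry"
    name, check, _ = match
    configured = [v for a, _op, v in check if a == "User-Password"]
    if not configured:
        return "reject: matched %s, No password configured for the user" % name
    if configured[0] == request.get("User-Password"):
        return "accept: matched %s" % name
    return "reject: matched %s, wrong password" % name


if __name__ == "__main__":
    for label, text in (("broken", USERS_BROKEN), ("fixed", USERS_FIXED)):
        print(label, "->", local_auth(parse_users(text), REQUEST))
```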


Challenge Response

2004-05-26 Thread Barry Stewart
I'm still trying to get PEAP working with LDAP.  I'm wondering if the 
problem is with the client at this point.  From the debugging output 
and ethereal it looks like the radius server keeps sending access 
challenges but the client just keeps sending requests in return instead 
of a response.  If someone could confirm this or let me know I'm wrong I 
would appreciate it.  I have pasted the output below.  TIA

-Barry
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
ldap: server = mycomp1.mycomp.com
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = cn=Manager,dc=mycomp,dc=com
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password = (blahh)
ldap: basedn = dc=mycomp,dc=com
ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = (null)
ldap: access_attr = (null)
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file 
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP userPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP 

Re: eap-tls with XP client and linux client

2004-05-26 Thread Alan DeKok
Ulf Jakobsson [EMAIL PROTECTED] wrote:
 I have also tested with 2 different radius servers (one linux, one 
 windows), the problem is the same. For me it seems that the problem is 
 on the client side, not the radius server side.

  Then there probably isn't much that can be done to the RADIUS server
to fix it.

  Have you tried using a different AP?

  Alan DeKok.




Re: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Alan DeKok
Chris Bshaw [EMAIL PROTECTED] wrote:
 1. I have read that I can have freeradius run a script via Exec-Program-Wait 
 at authentication time. I was just wondering would it be possible to use 
 this to perform a query over IP on the client station (eg: snmp or 
 something)?

  Scripts can do anything you want.

 would it be 
 possible to have freeradius dynamically associate a client station to an 
 SSID at authentication time?

  No.  The SSIDs are done in a layer *below* the layers that
FreeRADIUS sees.

 My interest in these is because I would like if possible to be able to check 
 each client station to see if it has the latest patches, virus protection 
 s/w etc. and if it doesn't I would like to either disconnect it, or dump it 
 in some kind of quarantine SSID (VLAN).

  For that, you have to wait until the client gets an IP address,
which can happen ~1s after the RADIUS authentication.

  Basically, you can't do these checks until after the RADIUS
authentication has succeeded, which means that you can't use the
checks to change the RADIUS response.

 3. Is it possible using EAP/TLS to restrict how many times a station with a 
 particular certificate connects to the wireless net.i.e. if someone 
 takes their certificate and installs it on 10 wireless machines, can I 
 configure freeradius (and/or my access point) so that only one active 
 wireless connection is allowed for that certificate?

  You can set Simultaneous-Use on the server, which will do this.

  Alan DeKok.




Re: Challenge Response

2004-05-26 Thread Barry Stewart
In case anyone is interested I finally got this working.  I downloaded 
the latest snapshot from CVS.  I edited 3 files:
In radius.conf I configured the LDAP settings (i.e. server name, 
binddn, etc.), and uncommented ldap in the Authorize section.  In 
eap.conf I uncommented the peap section and most of the tls section.  In 
clients.conf I simply allowed the class c I am using.

Of course I will need to make this more secure by creating my own certs 
and such.  This was also tested with a plain text password in LDAP so I 
will try using NT passwords (md4 I guess). 


Barry Stewart wrote:
I'm still trying to get PEAP working with LDAP.  I'm wondering if the 
problem is with the client at this point.  From the debugging output 
and ethereal it looks like the radius server keeps sending access 
challenges but the client just keeps sending requests in return 
instead of a response.  If someone could confirm this or let me know 
I'm wrong I would appreciate it.  I have pasted the output below.  TIA

-Barry

Re: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Chris Bshaw
Hi Alan...
Thanx for the info.
  Basically, you can't do these checks until after the RADIUS
authentication has succeeded, which means that you can't use the
checks to change the RADIUS response.
Is there any post-authentication mechanism I could use in FreeRadius to 
revoke the authentication, i.e. allow the user to authenticate long enough 
to make the checks over IP via an Exec-Program-Wait and if they fail the 
checks, freeradius 'tells' (?) the access point to disconnect the client?

Thanx in advance.
Chris.



Re: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Alan DeKok
Chris Bshaw [EMAIL PROTECTED] wrote:
 Is there any post-authentication mechanism I could use in FreeRadius to 
 revoke the authentication, i.e. allow the user to authenticate long enough 
 to make the checks over IP via an Exec-Program-Wait and if they fail the 
 checks, freeradius 'tells' (?) the access point to disconnect the client?

  Nope.

  But you can run a script to tell another program that a user
authenticated.  That other program can then wait however long it
wants, and do whatever it wants with the results.

  Alan DeKok.


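The script Alan describes, as an added illustration (not FreeRADIUS's or any poster's code): it runs under Exec-Program-Wait, hands the authenticated user to a separate program through a spool file, and returns a reply attribute. The spool path, the attribute selection and the Session-Timeout value are assumptions; the environment-variable and stdout conventions are the ones rlm_exec documents.

```python
"""Post-authentication notification script in the shape Exec-Program-Wait
expects.  FreeRADIUS exports the request attributes to the program as
environment variables (name upper-cased, dashes to underscores: User-Name
becomes USER_NAME), reads stdout as reply attributes, and treats exit
status 0 as "ok".
"""
import json
import os
import sys
import tempfile
import time

# Where the separate checker process picks records up (assumed path).
SPOOL = "/var/spool/radius-notify/auth.jsonl"

# Request attributes this script forwards; everything else is ignored.
WANTED = ("User-Name", "Calling-Station-Id", "Called-Station-Id", "NAS-IP-Address")


def env_name(attr):
    """Environment-variable name FreeRADIUS uses for a RADIUS attribute."""
    return attr.upper().replace("-", "_")


def request_from_env(environ):
    """Pick the wanted attributes out of the environment, keyed by RADIUS name."""
    return {a: environ[env_name(a)] for a in WANTED if env_name(a) in environ}


def format_reply(pairs):
    """Render reply attributes on ONE line, comma separated, quoting values
    that are not bare tokens.  The first post on this page shows a snapshot
    where one attribute per line was not picked up; 'A = x, B = y' is the
    form the users-file parser handles directly."""
    out = []
    for attr, value in pairs:
        value = str(value)
        if not value.replace(".", "").isalnum():
            value = '"%s"' % value.replace('"', '\\"')
        out.append("%s = %s" % (attr, value))
    return ", ".join(out)


def spool_record(request, path):
    """Append one JSON line so a long-running checker can act on it later."""
    record = dict(request, received=int(time.time()))
    with open(path, "a") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def handle(environ, spool):
    """Core logic: returns (exit_code, reply_line)."""
    request = request_from_env(environ)
    if "User-Name" not in request:
        return 1, ""                      # non-zero exit: reject the request
    spool_record(request, spool)
    # Session-Timeout makes the AP force a fresh 802.1X authentication after an hour.
    return 0, format_reply([("Session-Timeout", 3600)])


def demo():
    """Run handle() on a constructed request against a temporary spool file."""
    env = {
        "USER_NAME": "testuser",                  # constructed values
        "CALLING_STATION_ID": "00-11-22-33-44-55",
        "NAS_IP_ADDRESS": "192.0.2.7",
        "FRAMED_MTU": "1400",                     # present but not in WANTED
    }
    with tempfile.TemporaryDirectory() as d:
        spool = os.path.join(d, "auth.jsonl")
        code, reply = handle(env, spool)
        with open(spool) as fh:
            records = [json.loads(line) for line in fh]
    return code, reply, records


if __name__ == "__main__":
    exit_code, reply_line = handle(os.environ, SPOOL)
    if reply_line:
        print(reply_line)
    sys.exit(exit_code)
```

Hooked in from a users entry as Exec-Program-Wait = "/path/to/script" (path assumed); a non-zero exit status rejects the request, so anything slow belongs in the separate program that reads the spool.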


RE: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Htin Hlaing
Hi Alan,

Would it be right to say that a RADIUS server in 802.1X authentication
allows a client to be authenticated but cannot unauthenticate an
authenticated client and let the AP (NAS) know about this
unauthentication? I guess it comes down to this: the RADIUS server responds to
clients but does not initiate talking to clients.

So, if I log on with my XP laptop through 802.1X successfully and then a
few minutes later, the system admin logged off all users (including me)
with the intent to force reauthentications.  But, my laptop thinks it's
still authenticated and logged in. Is there a way from the RADIUS server
to notify the client so that the client detects it's unauthenticated and
tries to start an 802.1X session again?  Otherwise, I would need to
disassociate and associate again.

Thanks,
Htin

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of Alan DeKok
 Sent: Wednesday, May 26, 2004 1:56 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Q]: Assigning VLANs and restricting logins?
 
 Chris Bshaw [EMAIL PROTECTED] wrote:
  Is there any post-authentication mechanism I could use in FreeRadius to
  revoke the authentication, i.e. allow the user to authenticate long enough
  to make the checks over IP via an Exec-Program-Wait and if they fail the
  checks, freeradius 'tells' (?) the access point to disconnect the client?
 
   Nope.
 
   But you can run a script to tell another program that a user
 authenticated.  That other program can then wait however long it
 wants, and do whatever it wants with the results.
 
   Alan DeKok.
 
 



FreeRADIUS and mschapv2 problems

2004-05-26 Thread Dinko Korunic
Hi. I've been using FreeRadius recent CVS version to authenticate
wireless Windows XP/2k users via EAP and Cisco AP1000 series. I've so
far succeeded in EAP/TLS and EAP/TTLS, as well as with non-EAP modules
(PAP and CHAP) just to test if it is all properly set up.

However, I'm failing with EAP/PEAP. Certificates are fine (as stated
above), however MS-CHAPv2 (rlm_mschap) seems to be causing problems:

  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
  rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Passwords are stored in MySQL, but they're proven to be read correctly
(and I've tried with users file too).
I've read this list's archives thoroughly, and I've tried most of the stuff
people were reporting. Is there anything else I could check? Should I
try with NT-hashed passwords? Should I try with auth_ntlm to debug chap
responses?

TIA.

-- 
|  |--..-. Dinko 'kreator' Korunic   #include stddisclaimer.h
||   _|  -__| http://www.srce.hr/~kreator/ | http://kre.deviantart.com
|__|__|__| |_| PGP:0xEA160D0B | IRC:kre | ICQ:16965294 | AIM:kreatorMoo



RH9 and Freeradius make error

2004-05-26 Thread amar
Please look at the following and if possible kindly advise to the best 
way forward. The freeradius-snapshot-20040525 is installed on RH9 
(2.4.20-8) as per instructions:

From
http://www.dslreports.com/forum/remark,9286052~mode=flat
./configure --with-openssl-includes=/usr/local/openssl/include \
--with-openssl-libraries=/usr/local/openssl/lib \
--prefix=/usr/local/radius
make
I installed RH9 issue of mysql (not dev.) to see if it would solve the 
problem...it did not. MySql is not required at this stage of the test.

I am new to Linux and your patience would be greatly appreciated.
Making static in rlm_sql_mysql...
gmake[10]: Entering directory 
`/usr/src/radius/freeradius-snapshot-20040525/src/modules/rlm_sql/drivers/rlm_sql_mysq
l'
gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 
-Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arit
h -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes 
-Wmissing-prototypes -Wmissing-declarations -Wnested-
externs -W -Wredundant-decls -Wundef  -I../.. -I../../../../include 
-I'/usr/include' -I/usr/src/radius/freeradius-sn
apshot-20040525/libltdl -c sql_mysql.c -o sql_mysql.o
sql_mysql.c:39:20: errmsg.h: No such file or directory
sql_mysql.c:40:19: mysql.h: No such file or directory
sql_mysql.c:47: parse error before MYSQL
sql_mysql.c:47: warning: no semicolon at end of struct or union
sql_mysql.c:48: warning: type defaults to `int' in declaration of `sock'
sql_mysql.c:48: warning: data definition has no type or storage class
sql_mysql.c:49: parse error before '*' token
sql_mysql.c:49: warning: type defaults to `int' in declaration of `result'
sql_mysql.c:49: warning: data definition has no type or storage class
sql_mysql.c:51: parse error before '}' token
sql_mysql.c:51: warning: type defaults to `int' in declaration of 
`rlm_sql_mysql_sock'
sql_mysql.c:51: warning: data definition has no type or storage class
sql_mysql.c: In function `sql_init_socket':
sql_mysql.c:62: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:62: (Each undeclared identifier is reported only once
sql_mysql.c:62: for each function it appears in.)
sql_mysql.c:65: parse error before ')' token
sql_mysql.c:76: warning: implicit declaration of function `mysql_init'
sql_mysql.c:77: warning: implicit declaration of function 
`mysql_real_connect'
sql_mysql.c:84: `CLIENT_FOUND_ROWS' undeclared (first use in this function)
sql_mysql.c:86: warning: implicit declaration of function `mysql_error'
sql_mysql.c:86: warning: format argument is not a pointer (arg 3)
sql_mysql.c: In function `sql_destroy_socket':
sql_mysql.c:103: warning: unused parameter `config'
sql_mysql.c: In function `sql_check_error':
sql_mysql.c:122: `CR_SERVER_GONE_ERROR' undeclared (first use in this 
function)
sql_mysql.c:123: `CR_SERVER_LOST' undeclared (first use in this function)
sql_mysql.c:131: `CR_OUT_OF_MEMORY' undeclared (first use in this function)
sql_mysql.c:132: `CR_COMMANDS_OUT_OF_SYNC' undeclared (first use in this 
function)
sql_mysql.c:133: `CR_UNKNOWN_ERROR' undeclared (first use in this function)
sql_mysql.c: In function `sql_query':
sql_mysql.c:151: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:160: warning: implicit declaration of function `mysql_query'
sql_mysql.c:161: warning: implicit declaration of function `mysql_errno'
sql_mysql.c: In function `sql_store_result':
sql_mysql.c:175: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:181: warning: implicit declaration of function 
`mysql_store_result'
sql_mysql.c:184: warning: format argument is not a pointer (arg 3)
sql_mysql.c:173: warning: unused parameter `config'
sql_mysql.c: In function `sql_num_fields':
sql_mysql.c:202: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:204:5: warning: MYSQL_VERSION_ID is not defined
sql_mysql.c:207: warning: implicit declaration of function 
`mysql_num_fields'
sql_mysql.c:211: warning: format argument is not a pointer (arg 3)
sql_mysql.c:199: warning: unused parameter `config'
sql_mysql.c: In function `sql_num_rows':
sql_mysql.c:257: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:260: warning: implicit declaration of function `mysql_num_rows'
sql_mysql.c:255: warning: unused parameter `config'
sql_mysql.c: In function `sql_fetch_row':
sql_mysql.c:277: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:286: warning: implicit declaration of function `mysql_fetch_row'
sql_mysql.c:286: warning: assignment makes pointer from integer without 
a cast
sql_mysql.c:275: warning: unused parameter `config'
sql_mysql.c: In function `sql_free_result':
sql_mysql.c:305: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:308: warning: implicit declaration of function 
`mysql_free_result'
sql_mysql.c:303: warning: unused parameter `config'
sql_mysql.c: In function `sql_error':
sql_mysql.c:327: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:330: warning: return discards qualifiers from pointer 

FW: Need Assistance please

2004-05-26 Thread Rivera, Denis



Alan,
I'd first like to extend my gratitude for answering my email.
I'd also like to apologize to everyone on the list for my confusion. 
I've been reading the book RADIUS by Jonathan Hassell, and I've been reading
the archives for a while now. Can anyone suggest a good book with sample
information? My problem is as follows:

 Is radius supposed to only return back a single attribute?
  That's what you told it to do.  An attribute with one value (even
with commas) is very different than attributes with multiple values.

  My suggestion is to create multiple entries in the LDAP schema for
the Login-LAT-Group, as there is no Login-LAT-GroupS attribute.  Each
value should then be

   +=User(first)
   +=Change Password (second)
   etc...

  Alan DeKok.

Alan, the User Change Password Administrator etc., are already part of
the LDAP schema (under the attribute securityRole) e.g.

Uid=testuser
Attribute       Value
securityRole    Users
securityRole    testgroup1
securityRole    testgroup2
securityRole    Change Password
securityRole    Luisa Administrator


I've modified the file ldap.attrmap as follows (this is the only change I've
made):

replyItem   Login-LAT-Group securityRole

I thought by modifying this line to match the LDAP attribute would return
all values for the user (testuser) in the LDAP schema.

When I use NTRadPing the response is:
Sending authentication request to server test.server:1645
Transmitting packet, code=1 id=0 length=50
Received response from the server in 10 milliseconds
Reply packet code=2 id0 length=27
Response: Access-Accept
attribute dump--
Login-LAT-Group=Users


Can you or anyone suggest any howto site. I've read the LDAP doc and it
doesn't mention how to implement this.  Is this possible? Did I miss a step?
Thank you


-denis
 




Accounting Attributes

2004-05-26 Thread Shah, Nishant B
I have Cisco 2509 NAS box. I want it to send me all the accounting attributes 
mentioned in RFC's and that is used by freeRADIUS. Presently, it sends very 
few accounting attributes. Can anyone tell me how to configure NAS to add 
more accounting attributes besides what it sends.
Thanks,
Nishant






Re: MS-CHAP/PEAP

2004-05-26 Thread Damjan
 PEAP requires a certificate for the server, but not for the clients.  

What are the differences between PEAP and EAP-TTLS?
Which one is more secure?
Which one has broader support in supplicants?

Can I use both eap-ttls and peap?

-- 
damjan | 
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!



Re: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Damjan
 Would it be right to say that a RADIUS server in 802.1X authentication
 allows a client to be authenticated but can not unauthenticate a
 authenticated client and let the AP(Nas) know about this
 unauthentication. I guess it comes down to RADIUS server responds to
 clients but does not initiate talking to clients.

That's true, the radius server just responds to the NAS equipment (being
that wireless access point or a dial-up access server or a VPN access
server etc...).
 
 So, if I log on with my XP laptop through 802.1X successfully and then a
 few minutes later, the system admin logged off all users (including me)
 with the intent to force reauthentications.  But, my laptop thinks it's
 still authenticated and logged in.

Well, if the admin instructs the NAS equipment to log off all the users,
your laptop should know immediately that it's disassociated from the wifi
AP. When your laptop tries to log on again, and makes that request to the
AP, the AP will contact the radius server again.



-- 
damjan | 
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!



RE: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Htin Hlaing

 Well, if the admin instructs the NAS equipment to log off all the users,
 your laptop should know immediately that it's disassociated from the wifi
 AP. When your laptop tries to log on again, and makes that request to the
 AP, the AP will contact the radius server again.
 

Admin can/would log off the logged in clients on the domain that the
RADIUS server resides.  That's not a problem.  But how does one tell NAS
equipment about it?  In my case, what would be the protocol to ask the
NAS equipment to disassociate certain clients?

Thanks,
Htin



Re: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Damjan
 Admin can/would log off the logged in clients on the domain that the
 RADIUS server resides.  That's not a problem.  
 But how does one tell NAS
 equipment about it?  In my case, What would be the protocol to do ask
 NAS equipment to disassociate certain clients?

Obviously that depends from NAS to NAS, for ex. I can telnet into my
dial-up access server and kick a user by his ID.

btw, if you don't tell the NAS equipment that a user should be
logged off you've done nothing by "Admin can/would log off the logged in
clients on the domain that the RADIUS server resides". What would that
accomplish? (I don't even understand how you think that will work?!?)

-- 
damjan | 
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!



RE: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Htin Hlaing

 btw, if you don't tell the NAS equipment that a user should be
 logged off you've done nothing by "Admin can/would log off the logged in
 clients on the domain that the RADIUS server resides". What would that
 accomplish? (I don't even understand how you think that will work?!?)
 

Thanks. I of course knew that it will not work or did not imply that it
should work without telling the NAS...  Simply wondering if there is a
standard way or part of any standard to do this.

Htin



Help - a very different network config

2004-05-26 Thread Christopher M Bailey
Hi all

Looking for some help.  What I need to find out is how to config a
radius to auth all my Wireless traffic before issuing an IP via DHCP,
then letting it auth on a Windows, Novell or Apple LAN.  The other catch
is that I need to authenticate to an LDAP server upstream, while allowing
all my hardwired PCs to obtain an IP via DHCP but bypassing the radius
server.  I believe I can do this with FreeRADIUS.  I don't want much do
I?

Thanks,
Chris Bailey


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius + Mysql Issues!

2004-05-26 Thread Alexander Khoo
Hi all,

My goal is to use Freeradius with the sql module for authenticating users. I'm using version 0.9.3 (installed from rpms I created with the specfile that came with the tarball). I've been working off of this tutorial: http://www.frontios.com/freeradius.html

I got but then I proceeded to follow the instructions for sql and have run into some trouble. I followed all of the required steps and am unable to authenticate. I'm using the following command to test the server:

radtest alexander jujai localhost 17 password

and I get the following result:

[EMAIL PROTECTED] root]# radtest alexander jujai localhost 17 password
Sending Access-Request of id 240 to 127.0.0.1:1812
 User-Name = "alexander"
 User-Password = "jujai"
 NAS-IP-Address = gk.orbit2000.net
 NAS-Port = 17
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=240, length=20

Here is a snippet of the output produced when I run in debug mode:

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=240, length=61
 User-Name = "alexander"
 User-Password = "jujai"
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 17
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "eap" returns noop for request 0
 rlm_realm: No '@' in User-Name = "alexander", looking up realm NULL
 rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat: 'alexander'
rlm_sql (sql): sql_set_user escaped user -- 'alexander'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'alexander' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'alexander' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'alexander' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = 'alexander' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user [alexander]
rlm_sql (sql): Released sql socket id: 4
 modcall[authorize]: module "sql" returns notfound for request 0
 users: Matched DEFAULT at 152
 modcall[authorize]: module "files" returns ok for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
 rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate for request 0
 modcall[authenticate]: module "unix" returns notfound for request 0
modcall: group authenticate returns notfound for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 240 to 127.0.0.1:32769
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 240 with timestamp 40b49ae9
Nothing to do. Sleeping until we see a request.

And here's the only entry in my radcheck table:

+----+-----------+-----------+----+----------+
| id | UserName  | Attribute | op | Value    |
+----+-----------+-----------+----+----------+
|  1 | alexander | Password  | == | password |
+----+-----------+-----------+----+----------+

Any suggestions would be greatly appreciated. I've been working on this for several days now and haven't made much progress. I hope I've done enough footwork on my own to keep away the flames :)

Thanks in advance,
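An added example, not code from the post above or from the FreeRADIUS project: a small Python parser for the `radiusd -X` module trace quoted above, which collects the return code of every module call per section, records the Auth-Type that `rad_check_password` selected, and reports which modules actually acted (anything other than `noop`) so the reader knows which configuration the decision came from. The sample lines are constructed from the debug output in the post; `parse_debug` and `diagnose` are names chosen here.

```python
import re

# Constructed sample in the shape of the "radiusd -X" module trace quoted above
# (only the lines this parser cares about; the real output has many more).
SAMPLE_DEBUG = """\
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
rlm_sql (sql): No matching entry in the database for request from user [alexander]
  modcall[authorize]: module "sql" returns notfound for request 0
  users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  rad_check_password: Found Auth-Type System
  modcall[authenticate]: module "unix" returns notfound for request 0
auth: Failed to validate the user.
"""

# Some builds quote the module name and some do not (both forms appear on this page).
MODCALL_RE = re.compile(r'modcall\[(\w+)\]: module "?([\w-]+)"? returns (\w+) for request (\d+)')
AUTHTYPE_RE = re.compile(r"rad_check_password: Found Auth-Type (\S+)")


def parse_debug(text: str) -> dict:
    """Collect the (module, return code) pairs radiusd logged for each section of the request."""
    summary = {"authorize": [], "authenticate": [], "auth_type": None, "failed": False}
    for line in text.splitlines():
        m = MODCALL_RE.search(line)
        if m:
            section, module, rcode, _request_id = m.groups()
            summary.setdefault(section, []).append((module, rcode))
            continue
        m = AUTHTYPE_RE.search(line)
        if m:
            summary["auth_type"] = m.group(1)
        elif "auth: Failed to validate the user" in line:
            summary["failed"] = True
    return summary


def diagnose(summary: dict) -> list:
    """Name the modules that actually acted (anything but noop), so the right config gets looked at."""
    notes = []
    for section in ("authorize", "authenticate"):
        acted = [f"{mod}={rc}" for mod, rc in summary[section] if rc != "noop"]
        notes.append(f"{section}: " + (", ".join(acted) or "no module acted"))
    if summary["auth_type"]:
        handlers = ", ".join(mod for mod, _ in summary["authenticate"]) or "nobody"
        notes.append(f"Auth-Type {summary['auth_type']} was handled by: {handlers}")
    if summary["failed"]:
        notes.append("request was rejected after authenticate")
    return notes
```

On the sample, `diagnose(parse_debug(SAMPLE_DEBUG))` reports that `sql` returned notfound and `files` (the DEFAULT entry) set Auth-Type System, which `unix` could not satisfy; that is the chain behind the Access-Reject in the post.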

RE: Freeradius + Mysql Issues!

2004-05-26 Thread Manjunath M Prabhu



Hi,

I think you have to modify sql.conf and add the table names correctly, because your output suggests that the radius server is not able to connect to the sql server, hence it is not able to retrieve the user credentials.

regards,
manjunath
