Logs say I am authentication is OK but XP tells me it's not?
My guess is the pass to the accounting software fails. Any ideas?

modcall: entering group Auth-Type for request 7
  rlm_mschap: doing MS-CHAPv2 with NT-Password
  rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module mschap returns ok for request 7
modcall: group Auth-Type returns ok for request 7
Sending Access-Accept of id 168 to 127.0.0.1:32771
        MS-CHAP2-Success = 0xb1533d3741323445414238324631344534363231443933383031443937363042383631323937324536
        MS-MPPE-Recv-Key = 0xe7005a9b1186781b542a359447036115
        MS-MPPE-Send-Key = 0x8c6fb74b3aa4539ed38ced254af2e7e0
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006

Keith

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Logs say I am authentication is OK but XP tells me it's not?
Please disregard this message, I have checked /var/log/messages and found CHAP gave a Reject message.

- Original Message -
From: keith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 16, 2004 5:11 PM
Subject: Logs say I am authentication is OK but XP tells me it's not?
TTLS + Cisco AP1100
Hello,

I'm having problems authenticating Windows XP clients using EAP-TTLS (I'm using the SecureW2 plugin) with Freeradius-1.0.0-pre2. In the logs I only see the outer authentication [EMAIL PROTECTED]. Does anyone have it working?

Thanks
Nuno Fernandes

Freeradius config:

eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                include_length = yes
        }
        #
        ttls {
                #default_eap_type = md5
                #copy_request_to_tunnel = no
                use_tunneled_reply = yes
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}

Users file:

User1   User-Password == passwd1
        Tunnel-Type:0 = VLAN,
        Tunnel-Medium-Type:0 = IEEE-802,
        Tunnel-Private-Group-Id:0 = 4

Freeradius logs show:

rad_recv: Access-Request packet from host 192.168.0.253:1645, id=10, length=157
        User-Name = [EMAIL PROTECTED]
        Framed-MTU = 1400
        Called-Station-Id = 0002.8a21.1129
        Calling-Station-Id = 000f.3d87.543f
        NAS-Port-Type = Wireless-802.11
        Message-Authenticator = 0xa3d8d84921101a1ae828ca990746dab1
        EAP-Message = 0x0201001a01616e6f6e796d6f7573406575726f7475782e636f6d
        NAS-Port-Type = Virtual
        NAS-Port = 20
        Service-Type = Login-User
        NAS-IP-Address = 192.168.0.253
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/var/log/radius/radacct/192.168.0.253/auth-detail-20040616'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.253/auth-detail-20040616
  modcall[authorize]: module auth_log returns ok for request 0
    rlm_realm: Looking up realm eurotux.com for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm eurotux.com
    rlm_realm: Adding Stripped-User-Name = anonymous
    rlm_realm: Proxying request from user anonymous to realm eurotux.com
    rlm_realm: Adding Realm = eurotux.com
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 26
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
  modcall[authorize]: module files returns notfound for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 10 to 192.168.0.253:1645
        EAP-Message = 0x010200061520
        Message-Authenticator = 0x
        State = 0x41fe77eda11d1a9b9c7fa714fd945f6e
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.253:1645, id=11, length=209
        User-Name = [EMAIL PROTECTED]
        Framed-MTU = 1400
        Called-Station-Id = 0002.8a21.1129
        Calling-Station-Id = 000f.3d87.543f
        NAS-Port-Type = Wireless-802.11
        Message-Authenticator = 0x13fa184ce90d2922912773ddc1189ee5
        EAP-Message = 0x0202003c15800032160301002d012903017803310085f1af3aaa504b75c9a1e5942f5e4cdcdd3b5d06f7548d8550ad020f02000a0100
        NAS-Port-Type = Virtual
        NAS-Port = 20
        State = 0x41fe77eda11d1a9b9c7fa714fd945f6e
        Service-Type = Login-User
        NAS-IP-Address = 192.168.0.253
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
radius_xlat: '/var/log/radius/radacct/192.168.0.253/auth-detail-20040616'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.253/auth-detail-20040616
  modcall[authorize]: module auth_log returns ok for request 1
    rlm_realm: Looking up realm eurotux.com for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm eurotux.com
    rlm_realm: Adding Stripped-User-Name = anonymous
    rlm_realm: Proxying
Re: TTLS + Cisco AP1100
Ooopps.. I do see User1.. but I see [EMAIL PROTECTED]. How do I rewrite it to remove the realm so there is a match in the users file?

Thanks
Nuno Fernandes

On Wed, 2004-06-16 at 09:36, Nuno Miguel Pais Fernandes wrote:
> Hello, I'm having problems authenticating Windows XP clients using EAP-TTLS (I'm using the SecureW2 plugin) with Freeradius-1.0.0-pre2. In the logs I only see the outer authentication [EMAIL PROTECTED]. Does anyone have it working?
Re: TTLS + Cisco AP1100
The problem seems to be here..

  modcall[authorize]: module auth_log returns ok for request 4
    rlm_realm: Looking up realm eurotux.com for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm eurotux.com
    rlm_realm: Adding Stripped-User-Name = User1
    rlm_realm: Proxying request from user User1 to realm eurotux.com
    rlm_realm: Adding Realm = eurotux.com
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 4
  modcall[authorize]: module files returns notfound for request 4
modcall: group authorize returns ok for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
  TTLS: Got tunneled Access-Reject
  rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Delaying request 4 for 1 seconds

Any suggestions?

Thanks
Nuno Fernandes

On Wed, 2004-06-16 at 09:47, Nuno Miguel Pais Fernandes wrote:
> Ooopps.. I do see User1.. but I see [EMAIL PROTECTED]. How do I rewrite it to remove the realm so there is a match in the users file?
>
> On Wed, 2004-06-16 at 09:36, Nuno Miguel Pais Fernandes wrote:
> > Hello, I'm having problems authenticating Windows XP clients using EAP-TTLS (I'm using the SecureW2 plugin) with Freeradius-1.0.0-pre2. In the logs I only see the outer authentication [EMAIL PROTECTED]. Does anyone have it working?
rlm_sqlcounter query parameter
Hello, is it possible to define the query parameter in sqlcounter.conf? %k = %b = I just want to specify the date from which the AcctSessionTime will be computed (SUM).
Freeradius versus Radiator study
I'm doing a non-fundamentalist study of Freeradius versus Radiator (http://www.open.com.au/radiator/), costs not involved, to see what to use at work. I'm looking for other studies, experiences, papers, opinions, etc. to cross notes on the advantages and disadvantages of each.

In terms of functionality, we want to have PEAP and MS-CHAPv2 support. An administration tool like dialup_admin is greatly appreciated since, in the end, it will be a large system.

Thanking you in advance,

--
Nuno Morgadinho
Re: Modify packet proxied to a specific realm [Solved in 2 ways]
At Tue, 15 Jun 2004 11:55:00 -0400, Alan DeKok wrote:

> Please don't CC me on messages. I already read the list, and I don't need to see the same message twice.

Sorry Alan (replied to all by accident)

> > I wanted for every username of the form [EMAIL PROTECTED] to add 3 wispr attributes (Location-Id, LocationName and LogoffUrl) to the access request packets and 2 attributes (Location-Id, Location-Name) to the accounting packets before they get proxied to the home radius.
>
> In preproxy_users, you should be able to do:
>
> #---
> DEFAULT User-Name =~ @testrealm$, Packet-Type == Access-Request
>         Wispr-Location-Id = foo,
>         Wispr-LocationName = bar,
>         ...

After adding the files module in the pre-proxy section, it worked like a charm. Wonderful and elegant configuration (much better than the one I came up with).

Since the attr_rewrite module and preproxy_users are said to be 'experimental', which one would you recommend for use in a production environment? Is any of this going to go away in 1.0.0 or the future?

Thanks for everything.

--
Kostas Zorbadelos
Currently at: Otenet IT Department
mailto: [EMAIL PROTECTED]

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.
Rejecting Users when using mysql
Good morning everyone:

I have a quick question. I was reading the FAQ and I saw the instructions for rejecting users from authenticating when their account is suspended etc.. but from what I see, the instructions in the FAQ are for people using the users file for authentication. I have set my freeradius to use mysql instead of the users file. Does anyone know what I need to do to reject users in this case?

Thank you.
RE: Change the proxy access-accept into a access-reject
> Sylvain Toe [EMAIL PROTECTED] wrote:
> > I want my PROXY radius to:
> > - Send an access-reject when receiving an access-accept from the REMOTE radius.
> > - Send an access-accept when receiving an access-reject from the REMOTE radius.
> > Is it something possible (with freeradius 0.9.3)?
>
> Not really. If you create your own module, you should be able to do this.
>
> Alan DeKok.

Does someone have an idea how to start this? Which files define the logic of the proxy process in the source code?

Thanks
Sylvain
Re: Rate limit radius requests
On Tue, 15 Jun 2004, Matthew Schumacher wrote:

> Alan DeKok wrote:
> > Gary McKinney [EMAIL PROTECTED] wrote:
> > > From following this thread I am wondering how many transactions a second can a DB successfully perform before the system starts to lose information???
> >
> > That depends on the DB. Oracle is fast, PostGreSQL is fast, MySQL is less fast.
> >
> > > I am wondering, for a given platform and OS (such as Linux or FreeBSD running on a 2.0GHz based system with 1-Gig of RAM and a fast SCSI hard-drive subsystem), how many transactions can the FreeRadius system handle in a second???
>
> I use postgres and have done a bit of tuning so it's as fast as it's going to be on this hardware, but even with very fast servers there are only so many inserts you can do at a time before you run out of DB connection handles, and this is almost always going to happen long before radius reaches its processing limits, especially when you have several million rows like I do.
>
> I think the most graceful way to handle this would be to add a function to rlm_sql that writes the accounting packet to a detail log, then call that before returning RLM_MODULE_FAIL. The name of the file could be defined in the sql {} part of the config file. This way any sql based failures will at least be written somewhere instead of lost forever. This detail file could be fed back to the server at some other point in time.

You don't need to do code changes. Just use configurable failover with the sql and detail modules.

> I'm a very poor C programmer so before I start looking into this further perhaps Alan can comment on any problems he sees with this and describe any problems I may run into with calling rlm_detail from rlm_sql.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Rate limit radius requests
On Tue, 15 Jun 2004, Matthew Schumacher wrote:

> Alan DeKok wrote:
> > Matthew Schumacher [EMAIL PROTECTED] wrote:
> > ...
> > http://lists.freeradius.org/pipermail/freeradius-users/2004-June/032678.html
> >
> > Alan DeKok.
>
> I never saw that and assumed my message never made it... After fighting with the list trying to make it work I subscribed with another account and asked again. Sorry...
>
> Anyway:
>
> > Or, if the rate gets too high, *stop* logging to the database, and use a detail file. Then, when the rate drops, feed the detail file back into the server.
>
> I know how to feed the detail file back to the server with the radrelay util, but wouldn't that require me to run two radius servers? One configured to accept accounting from the NAS logging to a detail file, and another configured to write to the DB?
>
> Also, say I did all that, the radrelay tool sends radius accounting messages even faster than the nas. Perhaps I'm missing something, but AFAIK the only way to ensure that the data is put in the database is to have a very fast database that can handle the connection rate of radrelay or a fast NAS with a zillion clients authenticating at once.

radrelay will send packets as fast as possible but will slow down if it does not get responses. The algorithm:

        if (r->retrans_num > 20)
                r->retrans = now + 70;
        else
                r->retrans = now + 3 + (3 * r->retrans_num);

so if your db is not fast enough radrelay will slow down according to your radius server response time.

> It would be great if the server would reject accounting messages if there isn't a DB handle; that way accounting would fail over to the secondary, where the message is queued to be forwarded back to the primary when it comes back. This would make having a DB backend much more accurate for accounting.
>
> I suppose sending everything to a server acting as an accounting proxy with network rate limiting between it and the server with the DB backend could work, but that solution seems more complex than it should be.
>
> thanks,
> schu

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
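To make the back-off Kostas quotes concrete, here is an added example (not radrelay's own code) that reimplements the two-branch schedule in Python and replays a constructed backlog against a backend that stays silent for a while, so the self-throttling he describes can be measured. The packet model, the simulated backend and the assumption that retrans_num counts sends already made are mine, not the page's.

```python
from dataclasses import dataclass

# Constants taken from the schedule quoted in the thread.
RETRANS_CAP = 20   # beyond this many retransmits the delay is flat
FLAT_DELAY = 70    # seconds
BASE_DELAY = 3     # seconds
STEP_DELAY = 3     # seconds added per retransmit already made


def next_retrans(now: int, retrans_num: int) -> int:
    """Absolute time of the next send for a packet already sent retrans_num times.

    Mirrors the quoted branch: linear growth (3 + 3*n seconds) up to the cap,
    then a flat 70 s so a dead backend is probed about once a minute per packet.
    """
    if retrans_num > RETRANS_CAP:
        return now + FLAT_DELAY
    return now + BASE_DELAY + STEP_DELAY * retrans_num


def backoff_delays(retries: int) -> list[int]:
    """Gap in seconds before each of the first `retries` retransmits of one packet."""
    return [next_retrans(0, n) for n in range(retries)]


@dataclass
class AcctPacket:
    """Minimal stand-in for one queued accounting record (constructed model)."""
    ident: int
    retrans_num: int = 0   # sends already made
    retrans: int = 0       # earliest time the next send may happen
    acked: bool = False


def replay(packets: int, db_up_at: int, horizon: int) -> dict:
    """Replay `packets` queued records against a server that only answers once
    time >= db_up_at, i.e. whose database is unresponsive before that.

    Returns sends per second and the second at which the whole backlog was
    acknowledged (None if it did not drain within `horizon`).
    """
    queue = [AcctPacket(i) for i in range(packets)]
    sends_per_second: dict[int, int] = {}
    for now in range(horizon):
        for p in queue:
            if p.acked or p.retrans > now:
                continue
            sends_per_second[now] = sends_per_second.get(now, 0) + 1
            if now >= db_up_at:
                p.acked = True          # backend answered, record stored
            else:
                p.retrans = next_retrans(now, p.retrans_num)
                p.retrans_num += 1      # no reply: back off further
        if all(p.acked for p in queue):
            return {"sends": sends_per_second, "done_at": now}
    return {"sends": sends_per_second, "done_at": None}


def peak_rate(result: dict) -> int:
    """Largest number of sends in any one second of a replay."""
    return max(result["sends"].values(), default=0)


if __name__ == "__main__":
    print("first delays:", backoff_delays(6))
    r = replay(packets=50, db_up_at=60, horizon=600)
    print("sends per second:", r["sends"])
    print("backlog drained at t =", r["done_at"], "s; peak", peak_rate(r), "pkt/s")
```

The replay shows the point of the thread: the burst is repeated at 0, 3, 9, 18, 30, 45 s and so on, so an unresponsive database is hit less and less often rather than flooded.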
user groups in freeradius
Hi,

does the freeradius server manage user groups in its config file? Because it's not possible for me to use a unix group (/etc/group)! :(

So, I tested this:

# Allow certain logins
DEFAULT Auth-Type := LDAP, NAS-IP-Address == xxx.xxx.xxx.xxx, User-Name =~ id1|id2|id3|id4
        Fall-Through = No

But the problem was the line is too long (about 50 usernames). And thus I would like to create a group with all these usernames.

Thks
Lionel.

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
About rlm_sql (sql): Error getting data from database
Hi,

I am a fresh user; I configured Freeradius 0.93 on my Linux box. It works with the users file authentication but not with my PostgreSQL. What can I do? Here is the message. Please help me!

=
rad_recv: Access-Request packet from host 10.0.0.9:32769, id=61, length=58
        User-Name = george
        User-Password = 123456
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
    rlm_realm: No '@' in User-Name = george, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
radius_xlat: 'george'
rlm_sql (sql): sql_set_user escaped user -- 'george'
radius_xlat: 'SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'george' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'george' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'george' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'george' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql: unknown attribute Auth_Type
rlm_sql (sql): Error getting data from database
=

Here is the FreeRadius startup log:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/postgresql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1645
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = yes
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy:
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
 : dead_time = 120
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module:
using free radius with TTLS/PEAP with MD5 hashed passwords
After reading the documentation, it seems that when TTLS or PEAP is used, there needs to be a text file or database with usernames and passwords in clear text ...

Currently, what we have is a MSSQL database which has a table of usernames and passwords hashed using MD5... There is also a procedure on the MSSQL which can MD5 hash any given string ...

My question is: can we use PAP with TTLS or PEAP ... so that the password is encrypted over the air, decrypted by freeradius (or by the access point and forwarded to freeradius) and then freeradius hashes the cleartext password with MD5 for a comparison with the database?

Appreciate any pointers that you may have ... :)

What I would like to have is:
1. Passwords are encrypted in the air ... (from WiFi card to AP, preferably with rotating keys)
2. Passwords are decrypted by either the AP or freeradius ... so that we can do MD5 on the clear text passwords ...

Is this possible?

--
Robert Yeo
Victoria Junior College
Re: Rate limit radius requests
Assuming you are running Linux, you would do rate limiting in the OS. Check this out: http://lartc.org/howto/lartc.qdisc.html

Matthew Schumacher wrote:
> List,
>
> Is there a way to rate limit radius requests in the freeradius server? Whenever the router guy kicks a router full of DSL connections we get a flood of radius accounting messages which overloads the database server, causing "There are no DB handles to use!" error messages. While the DB can handle the current load, it can get overrun in certain circumstances. I figure some form of rate limiting causing the radius server to only handle so many requests per second might be the solution to this.
>
> Another question I have is what exactly happens when that error message is logged? Does radius retry to insert the accounting record or does it simply drop it?
>
> Thanks,
> schu
Re: Rejecting Users when using mysql
- Original Message -
From: Linda Pagillo [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 16, 2004 12:54 PM
Subject: Rejecting Users when using mysql

> Good morning everyone:

Good afternoon.

> I have a quick question. I was reading the FAQ and I saw the instructions for rejecting users from authenticating when their account is suspended etc.. but from what I see, the instructions in the FAQ are for people using the users file for authentication. I have set my freeradius to use mysql instead of the users file. Does anyone know what I need to do to reject users in this case? Thank you.

If you just want suspended, then I would add a column suspended and edit the sql query in sql.conf.

If you need more complex checking that can't be done with sql queries, then you might look at the exec or perl modules to execute external scripts.
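As an added illustration of the "add a column and edit the query" suggestion (not FreeRADIUS code, and not the only way to do it), the Python model below keeps the suspended flag in a separate account_status table (my choice, since radcheck holds several rows per user) and extends the check-item query so that a suspended account yields an Auth-Type := Reject check item, the same item the users-file recipe relies on, before any password comparison is reached. The account_status table, the query text and the small authorize helper are constructed for this example.

```python
import sqlite3

# Constructed schema: radcheck uses the same columns as the query shown in the
# rlm_sql debug output on this page; account_status is this example's addition.
SCHEMA = """
CREATE TABLE radcheck (
    id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, Op TEXT, Value TEXT);
CREATE TABLE account_status (
    UserName TEXT PRIMARY KEY, suspended INTEGER NOT NULL DEFAULT 0);
"""

# Candidate check-item query for sql.conf, written with a named parameter where
# sql.conf would use its user-name expansion. The UNION adds a synthetic
# 'Auth-Type := Reject' row for suspended accounts; id 0 sorts it first.
CHECK_QUERY = """
SELECT id, UserName, Attribute, Value, Op FROM radcheck
 WHERE UserName = :user
UNION ALL
SELECT 0, UserName, 'Auth-Type', 'Reject', ':=' FROM account_status
 WHERE UserName = :user AND suspended = 1
ORDER BY id
"""


def setup_db() -> sqlite3.Connection:
    """In-memory database with constructed sample users (bob is suspended)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radcheck (UserName, Attribute, Op, Value) VALUES (?, ?, ?, ?)",
        [("alice", "User-Password", "==", "alice-pw"),
         ("bob", "User-Password", "==", "bob-pw")])
    conn.executemany(
        "INSERT INTO account_status (UserName, suspended) VALUES (?, ?)",
        [("alice", 0), ("bob", 1)])
    conn.commit()
    return conn


def check_items(conn: sqlite3.Connection, user: str) -> list[tuple[str, str, str]]:
    """Rows the server would turn into check items, as (Attribute, Op, Value)."""
    rows = conn.execute(CHECK_QUERY, {"user": user}).fetchall()
    return [(attr, op, value) for _id, _name, attr, value, op in rows]


def authorize(conn: sqlite3.Connection, user: str, password: str) -> str:
    """Simplified model of applying check items: 'notfound', 'reject' or 'accept'.

    A forced Auth-Type := Reject wins before the password is even compared,
    which is why the suspended row has to be part of the check-item result.
    """
    items = check_items(conn, user)
    if not items:
        return "notfound"
    for attr, op, value in items:
        if attr == "Auth-Type" and op == ":=" and value == "Reject":
            return "reject"
    for attr, op, value in items:
        if attr == "User-Password" and op == "==" and value != password:
            return "reject"
    return "accept"


def suspend(conn: sqlite3.Connection, user: str, flag: bool = True) -> None:
    """Flip the suspended column; no radcheck rows have to change."""
    conn.execute("UPDATE account_status SET suspended = ? WHERE UserName = ?",
                 (1 if flag else 0, user))
    conn.commit()


if __name__ == "__main__":
    db = setup_db()
    for name, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "x")]:
        print(name, "->", authorize(db, name, pw))
```

Suspending or reinstating an account is then a single UPDATE on the flag, and the rejection is visible in the server's debug output as the forced Auth-Type rather than as a password mismatch.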
Re: About rlm_sql (sql): Error getting data from database
On Wed, 2004-06-16 at 06:04, [EMAIL PROTECTED] wrote:
> rlm_sql: unknown attribute Auth_Type

Here's your problem. Auth_Type is not a valid attribute. Change that to Auth-Type (dash, not underscore).

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
rlm_mschap: No MS-CHAP-Challenge in the request
freeradius 0.9.3.

  rad_check_password: Found Auth-Type MS-CHAP
auth: type MS-CHAP
modcall: entering group Auth-Type for request 0
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module mschap returns reject for request 0

Any pointers appreciated.

Keith
Re: using free radius with TTLS/PEAP with MD5 hashed passwords
On Wed, 16 Jun 2004, Robert Yeo wrote:
> After reading the documentation, it seems that when TTLS or PEAP is used, there needs to be a text file or database with usernames and passwords in clear text

PEAP needs clear text. TTLS depends on the inner authentication mechanism. If you use PAP you don't need a clear text password; you can have them encrypted in any form you want.

> ... Currently, what we have is a MSSQL database which has a table of usernames and passwords hashed using MD5... there is also a procedure on the MSSQL which can MD5 hash any given string ... My question is can we use PAP with TTLS or PEAP ... so that the password is encrypted over the air, decrypted by freeradius (or the access point and forwarded to freeradius) and then freeradius encrypts the cleartext password into MD5 for a comparison with the database?

Why not just always keep the passwords encrypted? This on-demand encryption does not have any real point.

> Appreciate any pointers that you may have ... :)
>
> What I would like to have is:
> 1. Passwords are encrypted in the air ... (from WiFi Card to AP, preferably with rotating keys)
> 2. Passwords are decrypted by either AP or freeradius ... so that we can do MD5 on the clear text passwords ...
>
> Is this possible?
>
> --
> Robert Yeo
> Victoria Junior College

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: TTLS + Cisco AP1100
Nuno Miguel Pais Fernandes [EMAIL PROTECTED] wrote:
> The problem seems to be here..
> ...
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

That would appear to be informative. You didn't tell the server how to authenticate the tunneled session.

Alan DeKok.
Re: Acct-Interim-Interval
Dale Tan Lee Cheong [EMAIL PROTECTED] wrote:
> I set the acct-interim-interval in access-reply as acct-interim-interval = 300
> ...

And the NAS doesn't do what you tell it. Fix the NAS. There's nothing you can do to the server that will make the NAS send accounting packets.

Alan DeKok.
Re: Modify packet proxied to a specific realm [Solved in 2 ways]
Kostas Zorbadelos [EMAIL PROTECTED] wrote:
> Since the attr_rewrite module and the preproxy_users are said to be 'experimental', which one would you recommend for use in a production environment? Is any of this going to go away in 1.0.0 or the future?

I would recommend preproxy_users, simply because it's easier to configure. The only reason that both are marked experimental is that they weren't heavily tested. They're probably OK now (~8 months or more after they were written.)

Alan DeKok.
Re: Rejecting Users when using mysql
Linda Pagillo [EMAIL PROTECTED] wrote:
> I have a quick question. I was reading the FAQ and I saw the instructions for rejecting users from authenticating when their account is suspended etc., but from what I see, the instructions in the FAQ are for people using the users file for authentication. I have set my freeradius to use mysql instead of the users file. Does anyone know what I need to do to reject users in this case?

You can put similar entries in the SQL database. It takes username, operator, and value, just like the users file.

Alan DeKok.
Re: Rate limit radius requests
Kostas Kalevras [EMAIL PROTECTED] wrote:
> You don't need to do code changes. Just use configurable failover with the sql and detail modules.

In 1.0.0, very true. The only problem then comes in having an external program read the detail file, and add the information to the database. This should probably NOT send the requests back through the server... Any suggestions for a script to do this?

Alan DeKok.
Re: user groups in freeradius
Lionel Gavage [EMAIL PROTECTED] wrote:
> does freeradius server manage the user groups in its config file ?

No.

> Because it's not possible for me to use unix group (/etc/group) ! :(

Read the man page for rlm_passwd.

Alan DeKok.
Re: using free radius with TTLS/PEAP with MD5 hashed passwords
Robert Yeo [EMAIL PROTECTED] wrote:
> After reading the documentation, it seems that when TTLS or PEAP is used, there needs to be a text file or database with usernames and passwords in clear text

No. TTLS and PEAP have tunneled authentication methods. Those tunneled authentication methods have restrictions on what passwords they take.

PAP: clear-text or encrypted passwords
CHAP: clear-text
MS-CHAP (and variants): clear-text or NT-Password
EAP-MD5: clear-text
EAP-GTC: clear-text

> Currently, what we have is a MSSQL database which has a table of usernames and passwords hashed using MD5...

Then you can't use many of the authentication methods listed above, independent of them being in TTLS or PEAP.

> My question is can we use PAP with TTLS or PEAP ... so that the password is encrypted over the air, decrypted by freeradius (or the access point and forwarded to freeradius) and then freeradius encrypts the cleartext password into MD5 for a comparison with the database?

TTLS supports tunneled PAP. But the client has to be configured to use PAP in the tunnel, and the server CANNOT tell the client to use PAP.

Alan DeKok.
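The table above says which password storage each tunneled method can work with. The following is an added example (not FreeRADIUS code and not anything the posters wrote) that models the server-side check for two of those methods against the store the poster describes, a table holding only MD5 digests: tunneled PAP hands the server a cleartext password it can hash and compare against any storage form, while CHAP (RFC 1994) hands it MD5(Identifier || secret || Challenge), which can only be recomputed from the cleartext secret. The usernames, passwords and challenge bytes are constructed for the example.

```python
"""Which inner methods can be verified against which password stores.

Added example, not code from FreeRADIUS or from any poster in this thread.
It models the server-side check for two tunnelled methods against the MSSQL
layout the poster describes (only MD5 digests stored):

  - PAP: the client sends the cleartext password inside the TTLS tunnel; the
    server hashes it with whatever scheme the store uses and compares.
  - CHAP (RFC 1994): the client sends MD5(Identifier || secret || Challenge);
    recomputing that needs the cleartext secret, so an MD5-only store cannot
    verify it.

Usernames, passwords and challenge bytes are constructed for the example.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


class PasswordStore:
    """Per-user record: ("cleartext", password) or ("md5", hex digest)."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[str, str]] = {}

    def add_cleartext(self, user: str, password: str) -> None:
        self._rows[user] = ("cleartext", password)

    def add_md5(self, user: str, password: str) -> None:
        # Mirrors the stored procedure in the thread: keep only the digest.
        self._rows[user] = ("md5", md5_hex(password.encode()))

    def get(self, user: str) -> Optional[Tuple[str, str]]:
        return self._rows.get(user)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """CHAP Response value as the client computes it (RFC 1994, section 4.1)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def check_pap(store: PasswordStore, user: str, cleartext: str) -> bool:
    """Tunnelled PAP: verifiable against either storage form."""
    row = store.get(user)
    if row is None:
        return False
    kind, value = row
    if kind == "cleartext":
        return hmac.compare_digest(value.encode(), cleartext.encode())
    # Hash the received cleartext the same way the store did, then compare.
    return hmac.compare_digest(value.encode(), md5_hex(cleartext.encode()).encode())


def check_chap(store: PasswordStore, user: str, ident: int,
               challenge: bytes, response: bytes) -> Optional[bool]:
    """CHAP: True/False when verifiable, None when the store cannot support it."""
    row = store.get(user)
    if row is None:
        return False
    kind, value = row
    if kind != "cleartext":
        # Only a digest of the password is known; the CHAP hash cannot be
        # recomputed from it, so this method is unusable for this user.
        return None
    expected = chap_response(ident, value, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    store = PasswordStore()
    store.add_md5("alice", "s3cret")        # MD5-only row, as in the MSSQL table
    store.add_cleartext("bob", "hunter2")   # cleartext row
    challenge = bytes(range(16))            # constructed CHAP challenge
    print("PAP  alice:", check_pap(store, "alice", "s3cret"))
    print("CHAP bob:  ", check_chap(store, "bob", 7, challenge,
                                    chap_response(7, "hunter2", challenge)))
    print("CHAP alice:", check_chap(store, "alice", 7, challenge,
                                    chap_response(7, "s3cret", challenge)))
```

MS-CHAP sits between the two cases: its NT-Response is derived from the NT hash (MD4 of the UTF-16LE password), so a store of NT-Password hashes is enough, but a store of MD5 digests is not, which is why the table lists "clear-text or NT-Password" for it.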
Re: rlm_mschap: No MS-CHAP-Challenge in the request
keith [EMAIL PROTECTED] wrote:
> rad_check_password: Found Auth-Type MS-CHAP
> auth: type MS-CHAP
> modcall: entering group Auth-Type for request 0
> rlm_mschap: No MS-CHAP-Challenge in the request

You set Auth-Type = MS-CHAP. Don't.

> Any pointers appreciated.

Read the *rest* of the debug log, including the part where it prints out the attributes in the Access-Request, and none of them are MS-CHAP.

Alan DeKok.
Re: rlm_expr question
nsinit [EMAIL PROTECTED] wrote:
> > You have to put the Value in back-quotes: `%{expr: %{Call-Refrence}`
>
> I have tried it, but it didn't work.

Then you're probably not using 1.0.0-pre*

Alan DeKok.
Re: Freeradius versus Radiator study
Nuno Morgadinho [EMAIL PROTECTED] wrote:
> I'm doing a non-fundamentalist study about Freeradius versus Radiator (http://www.open.com.au/radiator/), costs not involved, to see what to use at work. I'm looking for other studies, experiences, papers, opinions, etc. to cross notes on advantages and disadvantages of each.

There isn't much publicly available. It really depends on what you want out of a server.

FreeRADIUS is *much* faster than RADIATOR, and will scale much better in high-load situations. Radiator (being written in Perl) is probably easier for the average person to customize. But FreeRADIUS is designed so that 99% of what people do is in the default config, and Just Works.

> In terms of functionalities, we want to have PEAP and MS-CHAPv2 support.

1.0.0 has this, and is interoperable with many clients.

> An administration tool, like dialup_admin, is greatly appreciated since in the end, it will be a large system.

That will administer users, but you'll still have to edit the server's other configuration files by hand.

FreeRADIUS is currently being used in many systems with 10^6 or more users.

Alan DeKok.
Re: Rate limit radius requests
Kostas Kalevras wrote:
> radrelay will send packets as fast as possible but will slow down if it does not get responses. The algorithm:
>
> if (r->retrans_num > 20)
>         r->retrans = now + 70;
> else
>         r->retrans = now + 3 + (3 * r->retrans_num);
>
> so if your db is not fast enough radrelay will slow down according to your radius server response time.

Are you sure? My understanding is that radius replies but finds that it doesn't have a DB connection handle and drops the insert. If you're right then much of my concerns are not valid. If radius didn't reply then packets dropped due to lack of DB time would be retransmitted.

schu
Re: Rate limit radius requests
Alan DeKok wrote:
> Kostas Kalevras [EMAIL PROTECTED] wrote:
> > You don't need to do code changes. Just use configurable failover with the sql and detail modules.
>
> In 1.0.0, very true. The only problem then comes in having an external program read the detail file, and add the information to the database. This should probably NOT send the requests back through the server... Any suggestions for a script to do this?
>
> Alan DeKok.

Okay, I'll start reading up on getting the config together; as far as a script to read in the overflow goes, that is trivial to do in perl. Sounds like the code I was looking for is already there.

schu
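The failover arrangement discussed in this thread (rlm_sql falls back to rlm_detail when it has no free handle; a separate program later drains the detail file into the database) still leaves the drain program to write. The following is an added example of that program, not FreeRADIUS code and not the perl script the poster mentions. It assumes the detail-file layout of an unindented timestamp line per record, tab-indented "Attribute = Value" lines, and a blank line closing the record; the sample file, the list standing in for the database and the per-second rate are constructed for the example. The point that matters for the "There are no DB handles to use!" problem is that the replay is paced, so a burst from a rebooted DSL router does not reach the database at the rate the NAS retransmits it.

```python
"""Replay a FreeRADIUS detail file into a database at a bounded rate.

Added example; it is neither FreeRADIUS code nor the perl script the poster
mentions. It assumes the failover arrangement from this thread: when rlm_sql
has no free handle the accounting packet goes to rlm_detail, and a separate
process later inserts those records. Assumed detail-file layout: an
unindented timestamp line starts a record, each attribute is a tab-indented
"Attribute = Value" line, and a blank line ends the record. The sample file,
the list used as a stand-in for the database, and the rate (records per
second) are all constructed for the example.
"""
import re
import time
from typing import Callable, Dict, Iterator, List, Tuple

ATTR_LINE = re.compile(r"^[ \t]+([A-Za-z0-9-]+)\s*=\s*(.*)$")

# Constructed sample: two well-formed accounting records and one that lacks
# Acct-Status-Type (held aside rather than silently dropped).
SAMPLE_DETAIL = """\
Wed Jun 16 16:01:54 2004
\tAcct-Session-Id = "0000001A"
\tUser-Name = "schu"
\tNAS-IP-Address = 192.168.1.1
\tAcct-Status-Type = Start
\tTimestamp = 1087422114

Wed Jun 16 16:01:55 2004
\tAcct-Session-Id = "0000001B"
\tUser-Name = "keith_xp"
\tNAS-IP-Address = 192.168.1.150
\tTimestamp = 1087422115

Wed Jun 16 16:02:30 2004
\tAcct-Session-Id = "0000001A"
\tUser-Name = "schu"
\tNAS-IP-Address = 192.168.1.1
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 36
\tTimestamp = 1087422150

"""


def parse_detail(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record; the header line is kept under '_timestamp'."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if record:
                yield record
            record = {}
        elif line[0] not in " \t":
            if record:            # header without a preceding blank line
                yield record
            record = {"_timestamp": line.strip()}
        else:
            m = ATTR_LINE.match(line)
            if m and record:
                value = m.group(2).strip()
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]
                record[m.group(1)] = value
    if record:
        yield record


class Pacer:
    """Spaces calls at most `per_second` per second; clock/sleep are injectable."""

    def __init__(self, per_second: float,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.interval = 1.0 / per_second
        self.clock = clock
        self.sleep = sleep
        self.next_ok = clock()

    def wait(self) -> None:
        now = self.clock()
        if now < self.next_ok:
            self.sleep(self.next_ok - now)
            now = self.next_ok
        self.next_ok = now + self.interval


class FakeClock:
    """Deterministic clock for the demo and tests (no real sleeping)."""

    def __init__(self) -> None:
        self.t = 0.0
        self.slept = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.slept += seconds
        self.t += seconds


def replay(text: str, insert: Callable[[Dict[str, str]], None], per_second: float,
           clock: Callable[[], float] = time.monotonic,
           sleep: Callable[[float], None] = time.sleep) -> Tuple[int, List[Dict[str, str]]]:
    """Insert each accounting record at the bounded rate.

    Returns (inserted_count, records_not_inserted). Nothing is discarded:
    records without Acct-Status-Type are handed back for inspection, which
    follows the advice in the thread to always keep accounting data somewhere.
    """
    pacer = Pacer(per_second, clock, sleep)
    inserted = 0
    held: List[Dict[str, str]] = []
    for rec in parse_detail(text):
        if "Acct-Status-Type" not in rec:
            held.append(rec)
            continue
        pacer.wait()
        insert(rec)
        inserted += 1
    return inserted, held


if __name__ == "__main__":
    db: List[Dict[str, str]] = []      # stand-in for the accounting table
    fc = FakeClock()
    count, held = replay(SAMPLE_DETAIL, db.append, per_second=2, clock=fc.now, sleep=fc.sleep)
    print("inserted:", count, "held:", len(held), "paced sleep:", fc.slept)
```

In production the `insert` callable would be the database write with its own retry, and the file would be consumed incrementally (for instance by renaming it first, so rlm_detail keeps writing to a fresh file) rather than read whole as here.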
ip pool
Hi All,

I want to know if it's possible to use ippools and sql? I mean having a table with the ippools in the sql database.

best regards
Marco Marques
Re: freeRADIUS+AD help
On 6/15/04 7:18 PM, Veerabhushan Hatte at [EMAIL PROTECTED] wrote:
> I was going through the mail responses and I am facing some problem for the same configuration. I have few questions and your help is greatly appreciated.
>
> 1. Do I need enable pam authentication to use LDAP?

I don't think so. We do not have PAM active on our instance of radiusd.

> 2. If I need to use pam, do I need to install OpenLDAP to run LDAP on freeRADIUS?

I think you may need OpenLDAP installed when you compile radiusd. We run radiusd on OSX so we already had LDAP installed. I think I saw your original email that you were having trouble starting radiusd and one user suggested that you needed OpenLDAP prior to compilation. If it does in fact now start, you can use the following edits to adjust your configs. Ours works like a charm now.

One pitfall we had is that when the user is looked up in AD, the cn= LDAP property looks at AD's Display Name. This means that if Michael Check is logging in as [EMAIL PROTECTED], the Display Name in AD must also be the same as the account name (user name). The default in AD is to set cn as 'Michael Check'. You need to change it to 'mcheck'. The same goes for the account that radiusd uses to look up the information in the AD. In our case ldapuser and radiusserver. We still haven't figured out if there is an LDAP property that maps the username to AD's account (user) name. If you or others know of it, I'd like to know.

> If you could send me the configuration file for LDAP configuration, it would be really helpful.

The following setup allows users to be authenticated off 2 different AD LDAP servers depending on the domain (realm). Users without a domain are authenticated off the first AD LDAP server. The requests come from a ras and a vpn concentrator on the foo1 network to radiusd which is also on the foo1 network. We use the AD property access_attr=msNPAllowDialin to determine whether the user can log in. This is the boolean in AD whether to allow VPN/Dial-in under the account properties.

clients.conf
#
client 192.168.2.28 {
	secret		= secretpass
	shortname	= vpn.foo1.com
	nastype		= cisco
}
client 192.168.2.29 {
	secret		= secretpass
	shortname	= ras.foo1.com
	nastype		= patton
}
#

proxy.conf
realm foo1.com {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
}
realm foo2.com {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
}

users
#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
#DEFAULT	Auth-Type := system
#	Fall-Through = 1
#
# Setup all accounts to be checked against the MAI-LDAP module
# This is for users that do not specify a realm (ie. @foo.com)
#
DEFAULT	Autz-Type := FOO1, Auth-Type := FOO1
	Fall-Through = 1
DEFAULT	Realm == NULL, Autz-Type := FOO1, Auth-Type := FOO1
DEFAULT	Realm == foo1.com, Autz-Type := FOO1, Auth-Type := FOO1
DEFAULT	Realm == foo2.com, Autz-Type := FOO2, Auth-Type := FOO2

radiusd.conf
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication (Auth-Type := LDAP)
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap FOO1 {
	server = 192.168.2.5
	identity = cn=ldapuser,cn=users,dc=foo1,dc=com
	password = foopass
	basedn = cn=users,dc=foo1,dc=com
	filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
	access_attr = msNPAllowDialin
	password_attribute = userPassword

	# set this to 'yes' to use TLS encrypted connections
	# to the LDAP database by using the StartTLS extended
	# operation.
	start_tls = no

	# set this to 'yes' to use TLS encrypted connections to the
	# LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
	# the ldap library.
	tls_mode = no

	# default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
	# profile_attribute = radiusProfileDn
	#access_attr = dialupAccess

	# Mapping of RADIUS dictionary attributes to LDAP
	# directory attributes.
	dictionary_mapping = ${raddbdir}/ldap.attrmap

	# ldap_cache_timeout = 120
	# ldap_cache_size = 0
	ldap_connections_number = 5
	# password_header = {clear}
	# password_attribute = userPassword
	# groupname_attribute = cn
	# groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
	# groupmembership_attribute = radiusGroupName
	timeout = 4
	timelimit = 3
	net_timeout = 1
	# compare_check_items = yes
	#
Re: ip pool
Marco Marques [EMAIL PROTECTED] wrote:
> I want to know if it's possible to use ippools and sql? I mean having a table with the ippools in the sql database

Why?

Alan DeKok.
Re: Rate limit radius requests
Matthew Schumacher [EMAIL PROTECTED] wrote:
> Kostas Kalevras wrote:
> > radrelay will send packets as fast as possible but will slow down if it does not get responses.
> ...
> Are you sure? My understanding is that radius replies but finds that it doesn't have a DB connection handle and drops the insert.

The server shouldn't reply if there's a problem storing the accounting data.

> If you're right then much of my concerns are not valid. If radius didn't reply then packets dropped due to lack of DB time would be retransmitted.

In theory, yes. In practice, you don't want accounting packets to be lost, say if your NAS goes down. It would be better to *always* log the accounting packets *somewhere*.

Alan DeKok.
Baystack 350's and 450's
I'm running freeradius 1.0.0-pre1 and need to support Baystack 350's and 450's. Can anyone give me any useful hints, including what nastype to specify in clients.conf?

TIA,
Pat Rebert
Does radius reply to the nas when it can't find a DB handle?
Or does it drop it altogether causing the nas to resend the packet?
Re: Does radius reply to the nas when it can't find a DB handle?
Matthew Schumacher wrote:
> Or does it drop it altogether causing the nas to resend the packet?

Sorry, I noticed you answered this question just after I sent this post. For others that missed it and for the archive:

> > Are you sure? My understanding is that radius replies but finds that it doesn't have a DB connection handle and drops the insert.
>
> The server shouldn't reply if there's a problem storing the accounting data.
>
> > If you're right then much of my concerns are not valid. If radius didn't reply then packets dropped due to lack of DB time would be retransmitted.
>
> In theory, yes. In practice, you don't want accounting packets to be lost, say if your NAS goes down. It would be better to *always* log the accounting packets *somewhere*.
No memory on Solaris
I have a bug prone setup, but here goes:

Solaris 2.9 with:
Freeradius-1.0.0-pre2 and/or Freeradius-0.9.3
unixODBC 2.2.8
freetds 0.62.3

trying to connect to:
MSSQL 7.0 Database via unixODBC

I can use tsql and isql to query the database with the select statements I've written and I have the exact same setup working in production on two debian linux boxes, so I know that it can work. Anyway, the first radtest I do, here's what happens:

Wed Jun 16 16:01:26 2004 : Info: Ready to process requests.
Wed Jun 16 16:01:26 2004 : Debug: Thread 1 waiting to be assigned a request
Wed Jun 16 16:01:26 2004 : Debug: Thread 2 waiting to be assigned a request
Wed Jun 16 16:01:26 2004 : Debug: Thread 3 waiting to be assigned a request
Wed Jun 16 16:01:26 2004 : Debug: Thread 4 waiting to be assigned a request
Wed Jun 16 16:01:26 2004 : Debug: Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:32995, id=78, length=57
Wed Jun 16 16:01:54 2004 : Debug: --- Walking the entire request list ---
Wed Jun 16 16:01:54 2004 : Debug: Waking up in 31 seconds...
Wed Jun 16 16:01:54 2004 : Debug: Threads: total/active/spare threads = 5/0/5
Wed Jun 16 16:01:54 2004 : Debug: Thread 5 got semaphore
Wed Jun 16 16:01:54 2004 : Debug: Thread 5 handling request 0, (1 handled so far)
	User-Name = steve
	User-Password = testing
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 123
Wed Jun 16 16:01:54 2004 : Debug: Processing the authorize section of radiusd.conf
Wed Jun 16 16:01:54 2004 : Debug: modcall: entering group authorize for request 0
Wed Jun 16 16:01:54 2004 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Wed Jun 16 16:01:54 2004 : Error: Invalid operator for item Suffix: reverting to '=='
Wed Jun 16 16:01:54 2004 : Error: Invalid operator for item Suffix: reverting to '=='
Wed Jun 16 16:01:54 2004 : Error: Invalid operator for item Suffix: reverting to '=='
Wed Jun 16 16:01:54 2004 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Wed Jun 16 16:01:54 2004 : Debug: modcall[authorize]: module preprocess returns ok for request 0
Wed Jun 16 16:01:54 2004 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Wed Jun 16 16:01:54 2004 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Wed Jun 16 16:01:54 2004 : Debug: modcall[authorize]: module chap returns noop for request 0
Wed Jun 16 16:01:54 2004 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Wed Jun 16 16:01:54 2004 : Debug: rlm_realm: No '@' in User-Name = steve, looking up realm NULL
Wed Jun 16 16:01:54 2004 : Debug: rlm_realm: No such realm NULL
Wed Jun 16 16:01:54 2004 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Wed Jun 16 16:01:54 2004 : Debug: modcall[authorize]: module suffix returns noop for request 0
Wed Jun 16 16:01:54 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Wed Jun 16 16:01:54 2004 : Debug: users: Matched steve at 80
Wed Jun 16 16:01:54 2004 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Wed Jun 16 16:01:54 2004 : Debug: modcall[authorize]: module files returns ok for request 0
Wed Jun 16 16:01:54 2004 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Wed Jun 16 16:01:54 2004 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Wed Jun 16 16:01:54 2004 : Debug: modcall[authorize]: module mschap returns noop for request 0
Wed Jun 16 16:01:54 2004 : Debug: modsingle[authorize]: calling sql (rlm_sql) for request 0
Wed Jun 16 16:01:54 2004 : Debug: radius_xlat: 'steve'
Wed Jun 16 16:01:54 2004 : Debug: rlm_sql (sql): sql_set_user escaped user --> 'steve'
Wed Jun 16 16:01:54 2004 : Debug: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM freeradAuthCheck WHERE Username = 'steve' ORDER BY id'
Wed Jun 16 16:01:54 2004 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Wed Jun 16 16:01:54 2004 : Debug: query: SELECT id,UserName,Attribute,Value,op FROM freeradAuthCheck WHERE Username = 'steve' ORDER BY id
Wed Jun 16 16:02:23 2004 : Error: no memory

Between the sql query and the "no memory" statement it eats up a crap load of memory and makes the server unresponsive, but due to good error handling I guess it kills itself gracefully. Obviously 0.9.3 and 1.0.0-pre2 have the problem, I didn't check past that. I know it involves my unixodbc/freetds, but using isql doesn't cause these errors. Can anyone tell me what sort of commands I can do to bring to light more of what's going on.
Re: rlm_mschap: No MS-CHAP-Challenge in the request
Hi Alan

> You set Auth-Type = MS-CHAP. Don't.

OK.

> > Any pointers appreciated.
>
> Read the *rest* of the debug log, including the part where it prints out the attributes in the Access-Request, and none of them are MS-CHAP.

What Auth-Type would I use for the following?

rad_recv: Access-Request packet from host 127.0.0.1:32771, id=210, length=54
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = keith_xp
	NAS-IP-Address = 192.168.1.150
	NAS-Port = 0

Or do I change the users file? (Which I am about to try)

Keith Hutchison
RE: user groups in freeradius
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] on behalf of Alan DeKok
Sent: Wednesday 16 June 2004 16:46
To: [EMAIL PROTECTED]
Subject: Re: user groups in freeradius

> Lionel Gavage [EMAIL PROTECTED] wrote:
> > does freeradius server manage the user groups in its config file ?
>
> No.

Is it on the roadmap? ;)

> > Because it's not possible for me to use unix group (/etc/group) ! :(
>
> Read the man page for rlm_passwd.

The different usernames are stored in LDAP and do not exist at the system level.

Lionel.
Re: rlm_mschap: No MS-CHAP-Challenge in the request
keith [EMAIL PROTECTED] wrote:
> What Auth-Type would I use for the following?

Generally, you *don't* set Auth-Type. The server will figure it out.

> rad_recv: Access-Request packet from host 127.0.0.1:32771, id=210, length=54
> 	Service-Type = Framed-User
> 	Framed-Protocol = PPP
> 	User-Name = keith_xp
> 	NAS-IP-Address = 192.168.1.150
> 	NAS-Port = 0

There's no password, so there's no way to authenticate the request. In this case, Auth-Type = Reject is the only thing to do.

> Or do I change the users file? (Which I am about to try)

Don't make changes unless you know what you're changing, and why.

Alan DeKok.
how to define a Group
Hello!

I have some attributes I want to add to a group of users. I can define a DEFAULT entry in the /etc/raddb/users file and there check for a Group attribute. But how do I set this attribute? A simple "Group = groupname" does not work... I'm sorry if this is a stupid question but I can't find the answer, neither in the FAQ nor in the mailing list archive!

I am using beta 2 of Freeradius 1.0.0 on a Fedora Core 2 machine.

thanks,
tobias
Re: user groups in freeradius
Lionel Gavage [EMAIL PROTECTED] wrote:
> > > Because it's not possible for me to use unix group (/etc/group) ! :(
> >
> > Read the man page for rlm_passwd.
>
> The different usernames are stored in LDAP and do not exist at the system level.

Perhaps you haven't read my response, or the man page for rlm_passwd. rlm_passwd allows you to define groups *outside* of the normal Unix /etc/group system. The man page describes how to do it.

Stop arguing with me, and follow the instructions in the man page. It will let you create groups, it will not use the Unix group system, and the users don't have to exist anywhere.

Alan DeKok.
Re: ip pool
> Marco Marques [EMAIL PROTECTED] wrote:
> > I want to know if it's possible to use ippools and sql? I mean having a table with the ippools in the sql database
>
> Why?
>
> Alan DeKok.

So I can assign IPs from that pool to my users.

Marco
Re: rlm_mschap: No MS-CHAP-Challenge in the request
> > Read the *rest* of the debug log, including the part where it prints out the attributes in the Access-Request, and none of them are MS-CHAP.
>
> What Auth-Type would I use for the following?
>
> rad_recv: Access-Request packet from host 127.0.0.1:32771, id=210, length=54
> 	Service-Type = Framed-User
> 	Framed-Protocol = PPP
> 	User-Name = keith_xp
> 	NAS-IP-Address = 192.168.1.150
> 	NAS-Port = 0

Using "-chap -mschap -mschap-v2" in the pptpd options file and changing the Auth-Type to Accept, FreeRadius accepts the request and accounting begins. So pptpd, pppd and freeradius work as long as I do not try to authenticate.

Using "+chap -mschap -mschap-v2" in the pptpd options file causes a failure with CHAP, and changing the Auth-Type to Local causes a failure with CHAP.

radtest works. CHAP does not.

My current guess/test is the radius plugin is failing to get/set the password. Any pointers appreciated.

My current assumptions:

1. The kernel for Suse 8.1 will work without modification (I assumed this for SuSe 9.0 and it is correct for 9.0). I do not currently know how to test for this and I really want to avoid compiling a new kernel (the target machine is 1000km away). I am prepared to drop encryption as all I want from the system is the accounting functions.

2. The source for radiusclient 0.3.2 from Suse will work with Suse pppd 2.4.2. This is the current assumption that I will test by removing the radiusclient and installing Suse binaries from Suse 8.1.

3. CHAP uses the password from /etc/shadow.

Pruned log follows for pppd.

Jun 16 17:55:13 kbri-comms pppd[17207]: Plugin radius.so loaded.
Jun 16 17:55:13 kbri-comms pppd[17207]: RADIUS plugin initialized.
Jun 16 17:55:13 kbri-comms pppd[17207]: pppd 2.4.2 started by root, uid 0
Jun 16 17:55:13 kbri-comms pppd[17207]: using channel 100
Jun 16 17:55:13 kbri-comms pppd[17207]: Using interface ppp0
<cut note="following line may be relevant"/>
Jun 16 17:55:13 kbri-comms pptpd[17206]: GRE: Bad checksum from pppd.
<cut note="following line may be relevant, why is the name reference kbri-comms (the name of the machine)"/>
Jun 16 17:55:16 kbri-comms pppd[17207]: sent [CHAP Challenge id=0x43 a02158198d975ca8eabe710acfe16d46, name = kbri-comms]
<cut note="here the name for CHAP is as the user request"/>
Jun 16 17:55:16 kbri-comms pppd[17207]: rcvd [CHAP Response id=0x43 4a4198eeb36edfebfeef64f0dbebf0bf579c54ba7392c283fa566306189e229a735573d1fd1bb0dd00, name = keith_xp]
<cut note="rc_avpair_new: unknown attribute 11 ??"/>
Jun 16 17:55:16 kbri-comms pppd[17207]: rc_avpair_new: unknown attribute 11
Jun 16 17:55:16 kbri-comms pppd[17207]: rc_avpair_new: unknown attribute 25
Jun 16 17:55:16 kbri-comms pppd[17207]:
Jun 16 17:55:16 kbri-comms pppd[17207]: Peer keith_xp failed CHAP authentication
Re: rlm_mschap: No MS-CHAP-Challenge in the request
Hi Alan,

> > What Auth-Type would I use for the following?
>
> Generally, you *don't* set Auth-Type. The server will figure it out.

OK.

> > rad_recv: Access-Request packet from host 127.0.0.1:32771, id=210, length=54
> > 	Service-Type = Framed-User
> > 	Framed-Protocol = PPP
> > 	User-Name = keith_xp
> > 	NAS-IP-Address = 192.168.1.150
> > 	NAS-Port = 0
>
> There's no password, so there's no way to authenticate the request.

I found I can get a password by setting +chap in the pptpd options file.

> In this case, Auth-Type = Reject is the only thing to do.

Agreed.

> > Or do I change the users file? (Which I am about to try)
>
> Don't make changes unless you know what you're changing, and why.

You've hit the problem on the head, my lack of knowledge in relation to freeradius ... :-)

The interesting part for me is I have had some success with two machines (mschap-v2 log-ins and accounting - no encryption of data as yet), and the third, the one I have to produce the results on, is somehow different and beyond my current state of knowledge.

Now about to try dropping the Auth-Type from the users file.

Keith Hutchison
tcpserver
Does anyone use the tcpserver to serve radiusd?
Re: rlm_mschap: No MS-CHAP-Challenge in the request
keith [EMAIL PROTECTED] wrote:
> Using +chap -mschap -mschap-v2 in the pptpd options file causes a failure with CHAP

Then you've done something to break the server.

> and changing the Auth-Type to Local causes a failure with CHAP.

Of course. I *did* say don't set Auth-Type, did I not?

> radtest works. CHAP does not.

CHAP works.

> Pruned log follows for pppd.

And not for the server. Wonderful.

I suggest posting your questions on the pppd list, as you don't seem to have many questions about FreeRADIUS.

Alan DeKok.
Re: rlm_mschap: No MS-CHAP-Challenge in the request
keith [EMAIL PROTECTED] wrote:
> So I believe my current hurdle is getting the information from pppd to freeradius and I believe this is the best list for that.

No. You're trying to get pppd to send radius requests which contain certain attributes. There is NOTHING you can do to FreeRADIUS which will make pppd send those attributes. Therefore, this list is NOT the right place to ask how to configure pppd.

Alan DeKok.
Re: rlm_mschap: No MS-CHAP-Challenge in the request
Hi Alan,

> No. You're trying to get pppd to send radius requests which contain certain attributes. There is NOTHING you can do to FreeRADIUS which will make pppd send those attributes. Therefore, this list is NOT the right place to ask how to configure pppd.

Understood, thanks.

Keith
Error getting data from database
Thanks Mike,

I changed it from Auth_Type to Auth-Type, but now the problem is:

auth: type (null)

Here is the detail. Please help me out! Thanks a lot!

==
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql (sql): sql_set_user escaped user --> 'tom'
Thu Jun 17 11:23:59 2004 : Debug: radius_xlat: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tom' ORDER BY id'
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tom' ORDER BY id
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: affected rows =
Thu Jun 17 11:23:59 2004 : Debug: radius_xlat: 'SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'tom' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'tom' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: affected rows =
Thu Jun 17 11:23:59 2004 : Debug: radius_xlat: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tom' ORDER BY id'
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tom' ORDER BY id
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: affected rows =
Thu Jun 17 11:23:59 2004 : Debug: radius_xlat: 'SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tom' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tom' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: affected rows =
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql (sql): Released sql socket id: 4
Thu Jun 17 11:23:59 2004 : Debug: modsingle[authorize]: returned from sql (rlm_sql) for request 0
Thu Jun 17 11:23:59 2004 : Debug: modcall[authorize]: module sql returns ok for request 0
Thu Jun 17 11:23:59 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Thu Jun 17 11:23:59 2004 : Debug: users: Matched DEFAULT at 154
Thu Jun 17 11:23:59 2004 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Thu Jun 17 11:23:59 2004 : Debug: modcall[authorize]: module files returns ok for request 0
Thu Jun 17 11:23:59 2004 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Thu Jun 17 11:23:59 2004 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Thu Jun 17 11:23:59 2004 : Debug: modcall[authorize]: module mschap returns noop for request 0
Thu Jun 17 11:23:59 2004 : Debug: modcall: group authorize returns ok for request 0
Thu Jun 17 11:23:59 2004 : Debug: rad_check_password: Found Auth-Type 654321
Thu Jun 17 11:23:59 2004 : Debug: auth: type (null)
Thu Jun 17 11:23:59 2004 : Debug: auth: Failed to validate the user.
Thu Jun 17 11:23:59 2004 : Auth: Login incorrect: [tom/654321] (from client ed_radius port 0)

Please help me out! Thanks a lot!

Michael Griego [EMAIL PROTECTED]:
> On Wed, 2004-06-16 at 06:04, [EMAIL PROTECTED] wrote:
> > rlm_sql: unknown attribute Auth_Type
>
> Here's your problem. Auth_Type is not a valid attribute. Change that to Auth-Type (dash, not underscore).
>
> --
> --Mike
> ---
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas
rewriting attributes based on NAS
Hi, just thought about some things to fix some attributes but didn't find the right glue where to start (probably attr_rewrite). Using latest 1.0 pre-2, I have some NAS giving me attributes in either the wrong way or not the way I'd want them ;)

- a Cisco L2TP-LAC saying NAS-Port-Type ISDN (2) instead of something meaningful like 5 or 16. How can I rewrite packets a specific way only for a specific NAS?
- again a Cisco, reporting Null with ISDN for Connect-Info (77) (Async reports fine), so I'm looking for a way to probably copy X-Ascend-Data-Rate (which it reports) into Connect-Info if Connect-Info is Null
- next one would be to append the data from Cisco-AVPair = v92-info=.. to Connect-Info
- do something meaningful to log Cisco-AVPair = isakmp-group-id=.. and Cisco-AVPair = isakmp-initator-ip=..

It's basically all about the same thing.

Another thing I came into was to filter outbound attributes in Access-Accept based on NAS (IP). Filtering by realms is easy with attrs, but how to filter based on NAS? Background is, I've static Framed-IPs for xDSL users, but they're also dialing in on other NASes where they should get a dynamic Framed-IP from the NAS' local pool.. Any idea would be appreciated..

Michael
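The four rewrite wishes and the per-NAS Framed-IP filter above are all one policy shape: pick a rule set by NAS-IP-Address, apply it to the packet, leave every other NAS alone. The following is an added illustration of that shape in Python, not FreeRADIUS configuration and not attr_rewrite; the NAS addresses, the sample packets and the numeric NAS-Port-Type values (0 = Async, 2 = ISDN, 5 = Virtual) are assumptions for the example.

```python
from copy import deepcopy

# Constructed sample accounting packets (attribute -> value); not captures
# from the post. NAS-Port-Type uses the dictionary's numeric values
# (assumed here: 0 = Async, 2 = ISDN, 5 = Virtual).
SAMPLE_PACKETS = [
    {   # Cisco L2TP LAC: reports ISDN (2), Connect-Info null, data rate present
        "NAS-IP-Address": "192.0.2.10",
        "NAS-Port-Type": 2,
        "Connect-Info": None,
        "X-Ascend-Data-Rate": "64000",
        "Cisco-AVPair": ["isakmp-group-id=vpn-users"],
    },
    {   # Cisco async port: Connect-Info set, v92 and isakmp AVPairs attached
        "NAS-IP-Address": "192.0.2.11",
        "NAS-Port-Type": 0,
        "Connect-Info": "33600 V90",
        "Cisco-AVPair": ["v92-info=QC/MOH", "isakmp-initiator-ip=198.51.100.7"],
    },
    {   # NAS with no rules registered: must pass through unchanged
        "NAS-IP-Address": "192.0.2.12",
        "NAS-Port-Type": 2,
        "Connect-Info": None,
    },
]

# Each rule takes (packet, log) and returns the (possibly modified) packet.
def isdn_to_virtual(pkt, log):
    """The LAC reports NAS-Port-Type ISDN (2) for tunnelled calls; call it Virtual (5)."""
    if pkt.get("NAS-Port-Type") == 2:
        pkt["NAS-Port-Type"] = 5
    return pkt

def connect_info_from_data_rate(pkt, log):
    """Copy X-Ascend-Data-Rate into Connect-Info when Connect-Info is null."""
    if not pkt.get("Connect-Info") and pkt.get("X-Ascend-Data-Rate"):
        pkt["Connect-Info"] = str(pkt["X-Ascend-Data-Rate"])
    return pkt

def append_v92_info(pkt, log):
    """Append the value of any 'v92-info=' Cisco-AVPair to Connect-Info."""
    for av in pkt.get("Cisco-AVPair", []):
        if av.startswith("v92-info="):
            info = av.split("=", 1)[1]
            pkt["Connect-Info"] = f"{pkt.get('Connect-Info') or ''} {info}".strip()
    return pkt

def log_isakmp(pkt, log):
    """Send isakmp-* AVPairs to a separate log instead of silently dropping them."""
    for av in pkt.get("Cisco-AVPair", []):
        if av.startswith("isakmp-"):
            log.append(f"{pkt['NAS-IP-Address']} {av}")
    return pkt

# Rules are keyed by NAS-IP-Address, so a rule only ever fires for the NAS
# it was written for (constructed addresses).
RULES_BY_NAS = {
    "192.0.2.10": [isdn_to_virtual, connect_info_from_data_rate, log_isakmp],
    "192.0.2.11": [append_v92_info, log_isakmp],
}

def rewrite(pkt, rules_by_nas=RULES_BY_NAS):
    """Apply the rules registered for pkt's NAS. Returns (new_packet, log_lines);
    the input packet is left untouched."""
    out = deepcopy(pkt)
    log = []
    for rule in rules_by_nas.get(out.get("NAS-IP-Address"), []):
        out = rule(out, log)
    return out, log

# Reply-side filter for the Framed-IP question: only the xDSL NAS may hand
# out the user's static address; every other NAS gets no Framed-IP-Address,
# so its local pool assigns one (constructed NAS address).
STATIC_IP_NAS = {"192.0.2.20"}

def filter_reply(reply, nas_ip):
    """Drop Framed-IP-Address from the Access-Accept unless the NAS is in STATIC_IP_NAS."""
    out = dict(reply)
    if nas_ip not in STATIC_IP_NAS:
        out.pop("Framed-IP-Address", None)
    return out

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        new, log = rewrite(pkt)
        print(new, log)
    print(filter_reply({"Framed-IP-Address": "203.0.113.5", "Service-Type": "Framed-User"}, "192.0.2.11"))
```

Keying the rule table by NAS-IP-Address rather than by attribute value is what stops the ISDN-to-Virtual rewrite from leaking onto NASes whose ISDN ports really are ISDN; the third sample packet checks that.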
Re: Error getting data from database
I made a mistake in the radcheck table. I set the attribute to Auth-Type; actually it should be Password. I updated the table and everything is fine. Thanks a lot! Cheers!

nsinit [EMAIL PROTECTED]:
> Thu Jun 17 11:23:59 2004 : Debug: rad_check_password: Found Auth-Type 654321
>
> why Auth-Type 654321 ???

Hello World! [EMAIL PROTECTED] 2004-06-17
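The two messages in this thread failed on the same table: first an attribute spelled Auth_Type that rlm_sql rejects as unknown, then a password stored under Auth-Type, which radiusd reads as an authentication type it cannot resolve ("Found Auth-Type 654321 ... auth: type (null)"). Below is an added sanity check over radcheck rows that catches both before the server does; it is example code, not part of FreeRADIUS or of anyone's post. The in-memory sqlite table, the sample rows and the short list of Auth-Type names are constructed assumptions (the real dictionary has more).

```python
import re
import sqlite3

# Constructed in-memory copy of the 1.x radcheck columns the thread's SQL
# queries select (id, username, attribute, value, op).
SCHEMA = """
CREATE TABLE radcheck (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    attribute TEXT NOT NULL,
    value TEXT NOT NULL,
    op TEXT NOT NULL
)
"""

# Constructed sample rows: the two mistakes from the thread plus two sane rows.
SAMPLE_ROWS = [
    (1, "tom", "Auth_Type", "654321", "=="),   # underscore: unknown attribute
    (2, "tom", "Auth-Type", "654321", ":="),   # password stored as Auth-Type
    (3, "alice", "Password", "s3cret", "=="),  # check item the way 1.x expects it
    (4, "bob", "Auth-Type", "Reject", ":="),   # legitimate use of Auth-Type
]

# Partial, hand-picked list of Auth-Type names; an assumption, not the full dictionary.
KNOWN_AUTH_TYPES = {"Local", "System", "Reject", "Accept", "PAP", "CHAP", "MS-CHAP", "EAP"}
PASSWORD_ATTRS = {"Password", "User-Password", "Crypt-Password"}
# Attribute names are dash-separated; an underscore never appears in a valid name.
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

def lint_row(attribute, value, op):
    """Return a list of problems for one radcheck row (empty list = looks sane)."""
    problems = []
    if not ATTR_NAME.match(attribute):
        problems.append(f"'{attribute}' is not a valid attribute name (use dashes, e.g. Auth-Type)")
    elif attribute == "Auth-Type":
        if value not in KNOWN_AUTH_TYPES:
            problems.append(f"Auth-Type value '{value}' is not an authentication type;"
                            " a password belongs in a Password row")
    elif attribute in PASSWORD_ATTRS and op not in ("==", ":="):
        problems.append(f"password check item uses op '{op}'; expected == or :=")
    return problems

def lint_radcheck(conn):
    """Run lint_row over every radcheck row; returns {id: [problems]} for bad rows only."""
    cur = conn.execute("SELECT id, attribute, value, op FROM radcheck ORDER BY id")
    report = {}
    for row_id, attribute, value, op in cur:
        problems = lint_row(attribute, value, op)
        if problems:
            report[row_id] = problems
    return report

def build_sample_db():
    """Load the constructed rows into an in-memory sqlite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

if __name__ == "__main__":
    for row_id, problems in lint_radcheck(build_sample_db()).items():
        for p in problems:
            print(f"radcheck id {row_id}: {p}")
```

Against a real deployment the same query runs unchanged on PostgreSQL, since it only touches the four columns rlm_sql itself selects; the point of the Auth-Type rule is that a numeric or otherwise unknown value there is almost always a password that landed in the wrong column.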
Re: copying accounting
Ok. I can use radrelay. But I do not understand the reason why the replicate-to-realm is being removed from the server. There are two operators now which we have roaming agreements with. But what will we do if their number grows to 10, 20? We'll have to start up to 20 instances of radrelay. And monitor their states. Not good, is it?

Alan DeKok wrote:
> Alexander Serkin [EMAIL PROTECTED] wrote:
> > radrelay seems to do more than I need.
>
> So? Replicate-To-Realm won't work. If it does, you're using an older version of the server, and that feature will STOP working when you upgrade. Don't use Replicate-To-Realm.
>
> > Actually the task is to copy accounting for specific CLID of roaming users to their home AAA server. radrelay works directly with detail file which contains not only roaming CLIDs.
>
> So... configure the server to have a variant of the detail module which is used only to log the roaming users.
>
> Alan DeKok.

--
SY, Alexander
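Alexander's objection is that the detail file radrelay reads contains every session, not just the roaming CLIDs. Alan's answer is to write a separate detail file per class of user; the same split can also be done after the fact by parsing the detail file and grouping records by the home server their CLID maps to. The following parser and selector are an added example in Python, not FreeRADIUS code and not radrelay; the detail excerpt, the CLID prefixes and the partner server names are constructed.

```python
import re

# Constructed excerpt in the layout the detail module writes: an unindented
# timestamp line, tab-indented "Attribute = value" lines, then a blank line.
SAMPLE_DETAIL = """\
Thu Jun 17 11:23:59 2004
\tUser-Name = "tom"
\tCalling-Station-Id = "4412345678"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000000F"
\tNAS-IP-Address = 192.0.2.10

Thu Jun 17 11:24:03 2004
\tUser-Name = "alice"
\tCalling-Station-Id = "49301234567"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "00000010"
\tNAS-IP-Address = 192.0.2.10

Thu Jun 17 11:30:00 2004
\tUser-Name = "tom"
\tCalling-Station-Id = "4412345678"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000000F"
\tAcct-Session-Time = 357
\tNAS-IP-Address = 192.0.2.10
"""

# Roaming agreements: CLID prefix -> home AAA server (constructed values).
ROAMING_PARTNERS = {
    "44": "aaa.partner-uk.example",
    "33": "aaa.partner-fr.example",
}

ATTR_LINE = re.compile(r"^\t([A-Za-z0-9-]+) = (.*)$")

def parse_detail(text):
    """Split detail-file text into records: {'timestamp': str, 'attrs': {name: raw value}}.
    Values keep their quotes so a record can be written back exactly as read."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a record
            if current:
                records.append(current)
            current = None
            continue
        m = ATTR_LINE.match(line)
        if m and current is not None:
            current["attrs"][m.group(1)] = m.group(2)
        elif not line.startswith("\t"):      # unindented line starts a new record
            current = {"timestamp": line, "attrs": {}}
    if current:
        records.append(current)
    return records

def unquote(value):
    """Strip the double quotes the detail module puts around string values."""
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value

def home_server_for(clid):
    """Longest-prefix match of the CLID against ROAMING_PARTNERS; None if not a roamer."""
    best = None
    for prefix, server in ROAMING_PARTNERS.items():
        if clid.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, server)
    return best[1] if best else None

def select_roaming(records):
    """Keep only roaming users' records, grouped by the home server they should go to."""
    by_server = {}
    for rec in records:
        server = home_server_for(unquote(rec["attrs"].get("Calling-Station-Id", "")))
        if server:
            by_server.setdefault(server, []).append(rec)
    return by_server

def format_detail(records):
    """Write records back out in detail format, e.g. one file per partner for a relay to read."""
    lines = []
    for rec in records:
        lines.append(rec["timestamp"])
        lines.extend(f"\t{name} = {value}" for name, value in rec["attrs"].items())
        lines.append("")
    return "\n".join(lines) + "\n" if lines else ""

if __name__ == "__main__":
    for server, recs in select_roaming(parse_detail(SAMPLE_DETAIL)).items():
        print(f"# {len(recs)} record(s) for {server}")
        print(format_detail(recs), end="")
```

Because the records are written back in the same format, each per-partner output can be fed to a single relay pointed at that partner, and a home server never sees the other operators' accounting.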