Re: force set EAP-Type

2004-07-21 Thread Jan Satko
 1) You're not following my directions.
  It doesn't matter if you're using MySQL, test it with the users
  file first, to be sure that it works as I described.
  2) You need to read the debug output of the server.
 That tells you what's going on, and why.

I don't think so.
I already do this. I tried to set it up with the users file.

username	Auth-Type: Reject
It works. Reject username.

username	EAP-Type: LEAP
Nothing happens (preferred PEAP still working).

So I tried to set this with MySQL:

insert into radgroupcheck set
groupname='ap',attribute='Auth-Type',op=':=',value='Reject';

It works. Group ap is rejected.

insert into radgroupcheck set
groupname='apcka',attribute='EAP-Type',op=':=',value='LEAP';

Nothing happens (preferred PEAP still working).

Maybe I'm wrong, but it seems to me that the attribute EAP-Type is ignored or
is replaced by preferred_eap_type.

--
Bc. Jan 'EIS' Satko			Slovak University of Agriculture
network & system manager		Tr. A. Hlinku 2
Tel: +421 37 7412 616			949 76 Nitra, Slovakia

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


how to resolve following scenario: two groups of clients accessing wifi AP ++

2004-07-21 Thread Zdenek Pizl
Hello all,

 - Let's have a wifi AP with 802.1x support and the ability to run in
mixed mode (that is, EAP-TLS and WEP together).

 - Standard users have X.509 certificates; they connect to the AP over an
EAP-TLS encrypted connection and can access all intranet resources.

 - Visitors do not have any valid certificate and can use wifi only in
WEP mode (a static WEP key is configured). Access is allowed according
to their MAC address.


 Task:

- I would like to assign IP addresses to these two groups of clients
from different subnets (let's say 10.0.1.0/24 and 10.0.2.0/24), to be
able to allow or deny access to the intranet resources.

- Also, how do I do the MAC address resolution in freeradius?

- Is it configurable completely in freeradius, or does it need other
cooperating software?

 - Did anybody solve such a task?

Thanks in advance, z.p.

-- 
Zdenek Pizl
Systinet Corporation
Vinohradska 190
130 00 Praha 3





Re: Session-Timeout

2004-07-21 Thread Kostas Kalevras
On Tue, 20 Jul 2004, pengfei wrote:

 Hi all,

 I am new to radius, and want to ask the following question:

 1)   How can I get to know that the Session-Timeout value is sent
 back as a response to the request? (any examples on how to set up the
 Session-Timeout attribute?)

Either run the server debug or use a radius sniffer.
As for examples it depends on your user database (flat files,sql,ldap etc). For
the users file:

user	Service-Type == Framed-User, Framed-Protocol == PPP
	Session-Timeout = 14400
	Service-Type = Framed-User


 2)   when a request came in, sometimes I found that there are
 multiple records in the radacct table with same AcctSessionId and
 AcctUniqueId; what is the reason to cause that and what will be the
 solution for it.

Your database is slow, so the accounting packets the NAS sends to your radius
server time out. In the meantime the radius server has been able to store the
accounting record, so you end up with duplicate records.

The answer is to fix your database and maybe enlarge your nas radius timeout.


 Thanks



--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf



unsubscribe

2004-07-21 Thread david winter





David Winter
Senior Network Engineer
Planet-Telecom, Inc.
Tampa FL
(813)901-5182 Office
(813)864-3162 Direct
(813)817-4204 Mobile
(813)881-9762 Fax
--
AIM: mobofool
ICQ:  3563403
MSN:[EMAIL PROTECTED]
Y!:vt_fool 



Is there a ChangeLog

2004-07-21 Thread Anson Rinesmith
I would like to find out what new features have been added since my
version of FreeRADIUS. I looked, but this was the best I found: "It is a
significant leap in functionality over 0.9.3, and contains too many bug
fixes and feature enhancements to list in detail."

I'm looking specifically for what has changed in error reporting. Any new
messages, can it be put to a DB, can it be separated by realm, etc.

Thanks.
Radius setup

2004-07-21 Thread Alhagie Puye
Hey all,

I am new to setting up radius but from what I read, it should be very
simple to achieve my goal. I have done a lot of reading from both the
web site, /doc directory and the file comments too.

This is what I'm trying to do:
We have a PIX box and I have a Redhat system with all the passwords in
/etc/password. I have installed FreeRADIUS on it (latest version). All
I would like to accomplish is for VPN clients to use their existing
usernames and password in /etc/password to authenticate.

I have edited client.conf and put the correct entry for the PIX box.

Besides configuring the PIX, am I missing anything on the FreeRADIUS
side to make this happen?

BTW, radtest works just fine.

Thanks in advance,
Alhagie



Re: sql table locks

2004-07-21 Thread Alan DeKok
jesk [EMAIL PROTECTED] wrote:
 I'm not really sure why a simple delete statement with an extra of
 low_priority or the mysqldump without any locking argument will
 cause a lock of the whole table.

  It's MySQL, and has nothing to do with FreeRADIUS.

  Other databases don't have this feature.

  Alan DeKok.



EAP-TLS: machine authentication

2004-07-21 Thread Joe Meslovich

I am trying to get machine authentication working using freeradius and a
Windows XP SP1 client. I originally tried to make this work with
freeradius 0.9.3, but then moved to 1.0.0pre3 in hopes of making it work.

Here is what I see when I sniff the traffic between the client and the AP
using ethereal.

Client                           AP
------                           --
EAPOL Start         ------------>

                    <------------ Request, Identity

Response, Identity  ------------>

                    <------------ Request, EAP-TLS


And that is it. The client never responds to the Request, EAP-TLS. Below
is the contents of that last packet from the AP to the client:

802.1x Authentication
    Version: 1
    Type:   EAP Packet (0)
    Length: 6
    Extensible Authentication Protocol
        Code: Request (1)
        Id: 17
        Length: 6
        Type: EAP-TLS [RFC2716] [Adoba] (13)
        Flags (0x20): Start

On the server side I see the following

rad_recv: Access-Request packet from host 147.138.120.170:6001, id=73,
length=173
	User-Name = host/testwire.bridgewater.edu
	NAS-IP-Address = 147.138.120.170
	Called-Station-Id = 00-20-a6-52-b4-6c
	Calling-Station-Id = 00-90-4b-7d-d5-47
	NAS-Identifier = WritingWAP
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0212002201686f73742f74657374776972652e62726964676577617465722e656475
	Message-Authenticator = 0x3a892a05d25aa847b9be3c33cd9a7b4a
Invalid operator for item Prefix: reverting to '=='
Sending Access-Challenge of id 73 to 147.138.120.170:6001
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x011300060d20
	Message-Authenticator = 0x
	State = 0xc3ff0ce5bfdff596d099ec32ec73aece


I am not sure why the XP client never responds to the Request, EAP-TLS
packet. On the XP client I have it set to do machine authentication. In
the registry I set the AuthMode value to 2 and SupplicantMode to 3. Before
I set AuthMode I received errors about not being able to find a
certificate to use. Setting SupplicantMode to 3 did not change the
behavior. I have a certificate with a CN of testwire.bridgewater.edu in
the personal store of the local computer account.

I just don't understand what is happening and any help would be greatly
appreciated.



Joe Meslovich				[EMAIL PROTECTED]
Associate Network/Systems Engineer	IT Center
Tel: (540) 828 - 5343


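To make the debug output above concrete, here is an added example (my own code, not Joe's and not part of FreeRADIUS or ethereal) that decodes the two EAP-Message values radiusd printed: the client's EAP Response/Identity and the server's EAP-TLS Start request. It checks the EAP Length field against the bytes actually present, decodes the EAP-TLS flags byte (which is where the "Start" in the ethereal dump comes from), and handles the optional TLS Message Length that follows when the L flag is set.

```python
import struct
from typing import Dict

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 26: "MSCHAPv2"}
# EAP-TLS flags byte (RFC 2716 section 4.2): L = TLS length present,
# M = more fragments follow, S = EAP-TLS Start.
TLS_FLAGS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))


def decode_eap(hex_message: str) -> Dict[str, object]:
    """Decode one EAP packet from the hex form radiusd prints for EAP-Message."""
    data = bytes.fromhex(hex_message[2:] if hex_message.startswith("0x") else hex_message)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes: Code, Identifier, Length")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"Length field {length} but {len(data)} bytes present")
    out: Dict[str, object] = {"code": EAP_CODES.get(code, f"unknown({code})"),
                              "id": ident, "length": length}
    if code in (3, 4):          # Success and Failure carry no Type field
        return out
    if length < 5:
        raise ValueError("Request/Response must carry a Type byte")
    eap_type, payload = data[4], data[5:]
    out["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    if eap_type == 1:           # Identity: payload is the bare identity string
        out["identity"] = payload.decode("utf-8", errors="replace")
    elif eap_type == 13:        # EAP-TLS: flags byte, optional length, TLS data
        if not payload:
            raise ValueError("EAP-TLS packet lacks its flags byte")
        flags, tls = payload[0], payload[1:]
        out["flags"] = [name for bit, name in TLS_FLAGS if flags & bit]
        if flags & 0x80:
            if len(tls) < 4:
                raise ValueError("L flag set but TLS Message Length missing")
            out["tls_message_length"], tls = struct.unpack("!I", tls[:4])[0], tls[4:]
        out["tls_data_bytes"] = len(tls)
    return out


# The two EAP-Message values from the debug output above, exactly as printed.
CLIENT_IDENTITY_RESPONSE = "0x0212002201686f73742f74657374776972652e62726964676577617465722e656475"
SERVER_TLS_START_REQUEST = "0x011300060d20"

if __name__ == "__main__":
    for label, msg in (("client -> server", CLIENT_IDENTITY_RESPONSE),
                       ("server -> client", SERVER_TLS_START_REQUEST)):
        print(label, decode_eap(msg))
```

Running it shows the client's packet is Response, Id 18, Identity "host/testwire.bridgewater.edu", and the server's reply is a well-formed EAP-TLS Start (Request, Id 19, length 6, flags S with no TLS data), so the server side has done its part; per RFC 2716 the supplicant's next packet should be an EAP-TLS Response carrying the TLS ClientHello, and that is the packet that never arrives here. The client error code -2146893802 that Joe reports later in this digest is 0x80090016, the CryptoAPI error NTE_BAD_KEYSET ("keyset does not exist"), which points at the private key store on the client rather than at anything on the server.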


Re: force set EAP-Type

2004-07-21 Thread Alan DeKok
Jan Satko [EMAIL PROTECTED] wrote:
 I don't think so.
 I already do this. I tried to set it up with the users file.

  Which is exactly what I told you not to do.  I even told you why.

  Go back and read my original post.  Implement the suggestions it
contains.

 Maybe I'm wrong, but it seems to me that the attribute EAP-Type is ignored or
 is replaced by preferred_eap_type.

  Because you didn't do what I said.

  If you had run the server in debugging mode, you would see WHY
setting EAP_Type in the users file doesn't work.

  Stop telling me I'm wrong, and follow my suggestions.  I've done it,
it works, and I don't see why you're wasting your time arguing with
me.

  Alan DeKok.




Re: how to resolve following scenario: two groups of clients accessing wifi AP ++

2004-07-21 Thread Alan DeKok
Zdenek Pizl [EMAIL PROTECTED] wrote:
 - I would like to assign IP addresses to these two groups of clients
 from different subnets (let's say 10.0.1.0/24 and 10.0.2.0/24), to be
 able to allow or deny access to the intranet resources.

 RADIUS supports assigning IP addresses to users.

 - also how to do the MAC address resolution in freeradius?

  You look at the attributes in the request packet.

 - Is it configurable completely by freeradius or does it need other
 cooperative sw ?

  You should be able to do it in FreeRADIUS.

  Alan DeKok.

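Two questions in this digest come down to reading RADIUS attributes off the wire: Kostas's answer to "how do I know the Session-Timeout is really sent back" (run the debug or a sniffer) and Alan's answer to Zdenek's MAC question (look at the attributes in the request packet). The following is an added example, my own code and not anything from the list or from FreeRADIUS: it builds a constructed Access-Request/Access-Accept pair (the MAC and NAS address are the ones from the EAP-TLS debug output elsewhere on this page; the shared secret `testing123` and the request authenticator are dummy values), decodes the attributes, pulls out Session-Timeout and Calling-Station-Id, and verifies the reply's Response Authenticator so that a sniffer does not take a spoofed Access-Accept at face value.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple, Union

# RADIUS packet codes and attribute numbers from RFC 2865.
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE = 1, 4, 6
ATTR_SESSION_TIMEOUT, ATTR_CALLING_STATION_ID, ATTR_NAS_PORT_TYPE = 27, 31, 61
SERVICE_TYPE_FRAMED_USER, NAS_PORT_TYPE_WIRELESS_80211 = 2, 19
# Attributes decoded as 4-byte big-endian integers; all others stay raw bytes.
INTEGER_ATTRS = {ATTR_SERVICE_TYPE, ATTR_SESSION_TIMEOUT, ATTR_NAS_PORT_TYPE}

Value = Union[int, str, bytes]


def encode_attr(attr_type: int, value: Value) -> bytes:
    """Type(1) Length(1) Value, the length counting the two header bytes."""
    raw = struct.pack("!I", value) if isinstance(value, int) else (
        value.encode() if isinstance(value, str) else value)
    if not raw or len(raw) > 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(raw) + 2) + raw


def build_request(ident: int, request_auth: bytes,
                  attrs: List[Tuple[int, Value]]) -> bytes:
    """Access-Request: the 16-byte authenticator is the NAS's random value."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body


def build_reply(code: int, ident: int, request_auth: bytes, secret: bytes,
                attrs: List[Tuple[int, Value]]) -> bytes:
    """Reply authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """A sniffer that knows the shared secret can check that a reply is genuine."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def parse_packet(data: bytes) -> Dict[str, object]:
    """Decode header and attributes, rejecting truncated or inconsistent lengths."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field inconsistent with packet size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attr_type, attr_len = data[pos], data[pos + 1]
        raw = data[pos + 2:pos + attr_len]
        attrs.append((attr_type, struct.unpack("!I", raw)[0]
                      if attr_type in INTEGER_ATTRS and len(raw) == 4 else raw))
        pos += attr_len
    return {"code": code, "id": ident, "attrs": attrs}


def find_attr(pkt: Dict[str, object], attr_type: int):
    return next((v for t, v in pkt["attrs"] if t == attr_type), None)


def session_timeout(reply: bytes) -> Optional[int]:
    """Kostas's question 1: is a Session-Timeout actually in the Access-Accept?"""
    pkt = parse_packet(reply)
    return find_attr(pkt, ATTR_SESSION_TIMEOUT) if pkt["code"] == CODE_ACCESS_ACCEPT else None


def calling_station_id(request: bytes) -> Optional[str]:
    """Zdenek's MAC question: the client MAC arrives as Calling-Station-Id."""
    raw = find_attr(parse_packet(request), ATTR_CALLING_STATION_ID)
    return raw.decode() if raw is not None else None


# Constructed sample exchange. The MAC and NAS address are the ones shown in
# the EAP-TLS debug output in this digest; secret and authenticator are dummies.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
SAMPLE_REQUEST = build_request(73, REQUEST_AUTH, [
    (ATTR_USER_NAME, "host/testwire.bridgewater.edu"),
    (ATTR_NAS_IP_ADDRESS, bytes([147, 138, 120, 170])),
    (ATTR_CALLING_STATION_ID, "00-90-4b-7d-d5-47"),
    (ATTR_NAS_PORT_TYPE, NAS_PORT_TYPE_WIRELESS_80211),
])
SAMPLE_ACCEPT = build_reply(CODE_ACCESS_ACCEPT, 73, REQUEST_AUTH, SECRET, [
    (ATTR_SESSION_TIMEOUT, 14400),
    (ATTR_SERVICE_TYPE, SERVICE_TYPE_FRAMED_USER),
])

if __name__ == "__main__":
    print("reply authentic:", verify_reply(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    print("Session-Timeout:", session_timeout(SAMPLE_ACCEPT))
    print("Calling-Station-Id:", calling_station_id(SAMPLE_REQUEST))
```

The users-file entry Kostas gives (Session-Timeout = 14400 as a reply item) is what puts attribute 27 into the Access-Accept; session_timeout() returns None for anything that is not an Accept, which is the quick check for "did my reply item actually make it into the reply". For Zdenek's visitor group, note that Calling-Station-Id is whatever the NAS copied from the client's frames; a MAC is trivially changed by the client, so a MAC check is a convenience for sorting clients into groups, not authentication, which is what the EAP-TLS certificates provide for the first group.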


Re: Is there a ChangeLog

2004-07-21 Thread Alan DeKok
Anson Rinesmith [EMAIL PROTECTED] wrote:
 I would like to find out what new features have been added since my
 version of FreeRADIUS.  I looked but this was the best I found: It
 is a significant leap in functionality over 0.9.3, and contains too
 many bug fixes and feature enhancements to list in detail.

  Have you tried doc/ChangeLog?

 I'm looking specifically for what has changed in error
 reporting. Any new messages, can it be put to a DB, can it be
 separated by realm, etc.

  I'm not sure what you mean by that.

  Alan DeKok.



RE: Radius setup

2004-07-21 Thread Anson Rinesmith
If you can radtest directly to the server, then you need to setup the PIX to
do its VPN authentication against the server.



mysql and freeradius

2004-07-21 Thread wadih jalad
Hi all,
I set up freeradius with mysql on redhat 9.
I have two problems:
I notice that the symbol # is written as =23. Is there any way to
fix this? I would appreciate it.

Second, I want to make the authentication only on the NAS IP. Is there any
way to do this?

Any help will be appreciated.
Thanks


Freeradius + unixodbc + mssql

2004-07-21 Thread Fei Lung
Does anyone use this combination?  I am trying to use unixodbc with
freetds to connect to a MS SQL 2000 server.  Queries work when I put them
into isql, but for some reason, they don't when freeradius runs them.  I
am unable to report the SQL error because the sql_error function in
sql_unixodbc causes a seg fault if it tries to look up the error.

I have tried the mssql.conf and db_mssql.sql from freeradius 0.7 as well
as the sql.conf and a modified db_mysql.sql from 0.9.3.  Same problem:

rlm_sql_getvpdata: database query error
rlm_sql (sql): SQL query error; rejecting user

Currently using:
Freeradius 0.9.3
unixODBC 2.2.9
freetds 0.62.4
linux 2.4.20

The other configuration files are the same as on an already working
Freeradius + PostgreSQL server.

Thanks,
Fei



username's and password

2004-07-21 Thread sarky
Hello all

I have an excel sheet with 10,000 usernames and passwords and I am trying to
import them into a mysql database. Does anyone out there know of a way to do it..

Thank you
Sarky




Re: username's and password

2004-07-21 Thread sarky
Thanx for the info, I know where to start from now.

Just a quick one: if I use phpmyadmin, how will I be able to tell it
which field to enter the username in, for example?

Thanx once more

Sarky

On Wed, 21 Jul 2004 17:24:40 +0100, Alain Perry wrote:
 On Wed 21/07/2004 at 17:08, sarky wrote:
  I have an excel sheet with 10,000 usernames and passwords and I
  am trying to import them into a mysql database. Does anyone out
  there know of a way to do it..

 You can save it as a .CSV file (using File - Save As... in Excel), and
 then make a script using your favorite language or use phpmyadmin to
 import it into mysql.

 You may also be able to import directly using the MySQL ODBC driver
 that allows MS Office to exchange data with it IIRC.

 Hope this helps,





RE: username's and password

2004-07-21 Thread Anson Rinesmith
To be sure, just add column headers to your excel sheet before you export
it. Just make your headers match your field names. 


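Alain's suggestion (save the sheet as CSV, then script the import) and Anson's tip (give the sheet a header row named after the fields) together make a small procedure; the following is an added example of it, my own code and not anything from either of them or from FreeRADIUS. It uses Python's csv module to pick columns by header name, rejects blank, duplicate and passwordless rows instead of silently loading them, and inserts one User-Password check item per user into a radcheck table with the columns FreeRADIUS's db_mysql.sql creates. To run offline it uses an in-memory sqlite database as a stand-in for MySQL, and the CSV content is constructed.

```python
import csv
import io
import sqlite3
from typing import List, Tuple

# radcheck as created by FreeRADIUS's db_mysql.sql, in sqlite syntax so this
# runs offline; the column names are the ones the sql module's queries use.
RADCHECK_DDL = """CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    UserName  TEXT NOT NULL DEFAULT '',
    Attribute TEXT NOT NULL DEFAULT '',
    op        TEXT NOT NULL DEFAULT '==',
    Value     TEXT NOT NULL DEFAULT ''
)"""

# Constructed stand-in for Excel's "Save As CSV" output of a sheet whose first
# row names the columns. The bob row shows why a CSV parser, not str.split, is needed.
SAMPLE_CSV = """username,password
alice,s3cret-1
bob,"pa,ss""word"
carol,hunter2
alice,second-row-for-alice
,no-username-here
"""


def read_credentials(csv_text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Pick columns by header name; reject blank, duplicate or passwordless rows."""
    rows, rejected, seen = [], [], set()
    # DictReader consumes the header row, so data rows start at line 2.
    for lineno, rec in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        user = (rec.get("username") or "").strip()
        password = rec.get("password") or ""
        if not user:
            rejected.append(f"line {lineno}: empty username")
        elif user in seen:
            rejected.append(f"line {lineno}: duplicate username {user!r}")
        elif not password:
            rejected.append(f"line {lineno}: empty password for {user!r}")
        else:
            seen.add(user)
            rows.append((user, password))
    return rows, rejected


def import_radcheck(conn: sqlite3.Connection, rows: List[Tuple[str, str]]) -> int:
    """One User-Password check item per user. Bound parameters keep quotes,
    commas or semicolons inside a password out of the SQL text entirely."""
    with conn:
        conn.executemany(
            "INSERT INTO radcheck (UserName, Attribute, op, Value) "
            "VALUES (?, 'User-Password', '==', ?)", rows)
    return conn.execute("SELECT COUNT(*) FROM radcheck").fetchone()[0]


def lookup_password(conn: sqlite3.Connection, username: str):
    row = conn.execute(
        "SELECT Value FROM radcheck WHERE UserName = ? AND Attribute = 'User-Password'",
        (username,)).fetchone()
    return row[0] if row else None


def run_import(csv_text: str = SAMPLE_CSV):
    """Load the CSV into a fresh in-memory radcheck; return (conn, count, rejects)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(RADCHECK_DDL)
    rows, rejected = read_credentials(csv_text)
    return conn, import_radcheck(conn, rows), rejected


if __name__ == "__main__":
    conn, count, rejected = run_import()
    print(f"imported {count} users; rejected {len(rejected)} rows")
    for reason in rejected:
        print("  ", reason)
```

Against a real MySQL server the only changes are the driver (MySQLdb in place of sqlite3) and its %s placeholders in place of ?. The parameter binding is the part not to skip: 10,000 rows from a spreadsheet will contain quotes and commas somewhere, and a password like the bob row's would otherwise either break the INSERT or be stored wrong. User-Password stores the password in clear; if the table should not double as a plaintext credential store, rlm_pap also accepts Crypt-Password check items, so the import script can crypt() each password before inserting it.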


Simple Radius setup

2004-07-21 Thread Puye, Alhagie - ADP Dataphile
Hey all,

I am new to setting up radius but from what I read, it should be very
simple to achieve my goal. I have done a lot of reading from both the
web site, /doc directory and the file comments too.

This is what I'm trying to do:
We have a PIX box and I have a Redhat system with all the passwords in
/etc/password. I have installed FreeRADIUS on it (latest version). All
I would like to accomplish is for VPN clients to use their existing
usernames and password in /etc/password to authenticate.

I have edited client.conf and put the correct entry for the PIX box.

Besides configuring the PIX, am I missing anything on the FreeRADIUS
side to make this happen?

BTW, radtest works just fine.

Thanks in advance,

Alhagie.



P.S

Anyone running PIX with Radius authentication using Cisco
VPN Clients? I would like some tips on that setup.





Re: force set EAP-Type

2004-07-21 Thread Alan DeKok
Jan Satko [EMAIL PROTECTED] wrote:
 What i already set is:
 1. files {} moved before $INCLUDE eap.conf

  That won't affect anything.

 2. In authorize section moved files before eap.

  That will help some things, and may cause other problems.

 PEAP still working.

  Yes.  It's independent of the files module... 

 So I made a change to users. Now it is..
 wds-ap	Auth-Type := EAP, EAP-Type := LEAP
 
 BlahPEAP is working again..

  With your setup, that should force LEAP.

  What version are you running?

  Alan DeKok.



Simultaneous-Use

2004-07-21 Thread Karina
Hi, I want to restrict users to just one session, but I have this problem.
When I debug the requests of the NAS to the radius server I find this:
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radutmp: WARNING: checkrad will probably not work!
I made some tests and of course the simultaneous-use restriction is not
working. The NAS I'm using is an Ip3 Networks NAS 200 model. It
supports SNMP because I can get information with the snmpwalk command.
I've tried with all the possible NAS values that the radius accepts and
nothing.
If I run checkrad manually it asks me for a port; I think this is the
port that the NAS is missing...

So basically I'm stuck on this.
Any help would be greatly appreciated.
Regards,
Karina.


RE: Is there a ChangeLog

2004-07-21 Thread Anson Rinesmith
My biggest issue is that I want to bring in a second and third ISP to use
our radius service. I want to present each ISP with their error log, without
seeing the other ISPs errors. I am currently at a loss on how to do this.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of Alan DeKok
 Sent: Wednesday, July 21, 2004 1:02 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Is there a ChangeLog
 
 Anson Rinesmith [EMAIL PROTECTED] wrote:
  Can the /var/log/radiusd.log file be sent to a database instead?
 
   Not currently.  But you can write a script to post-process
 radiusd.log, and put it into a DB.
 
   Alan DeKok.
 
 
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




Re: Is there a ChangeLog

2004-07-21 Thread Alan DeKok
Anson Rinesmith [EMAIL PROTECTED] wrote:
 My biggest issue is that I want to bring in a second and third ISP
 to use our radius service. I want to present each ISP with their
 error log, without seeing the other ISPs errors. I am currently at a
 loss on how to do this.

  As I said, post-process them.

  If you can tell the messages apart when putting them into any
theoretical DB, you can tell them apart when reading them from
radiusd.conf.

  Alan DeKok.




RE: Is there a ChangeLog

2004-07-21 Thread Kostas Kalevras
On Wed, 21 Jul 2004, Anson Rinesmith wrote:




 Can the /var/log/radiusd.log file be sent to a database instead? I have
 written my own user interface and it would be much simpler if I could show
 my clients their error logs by querying a table, rather than parsing a file.

You can use the perl script bin/log_badlogins from dialupadmin to log bad logins
to the radacct. You can also use the post-auth section of the sql module to
store authentication requests to the database.



--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf

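Alan's answer is to post-process radiusd.log, and Kostas points at getting auth results into the database instead; the following is an added example of the post-processing route, my own code and not anything from the list, from FreeRADIUS or from dialupadmin's log_badlogins. It parses constructed "Auth: Login ..." lines in the shape FreeRADIUS 1.x writes to radiusd.log, stores them in a sqlite table, and attributes each line to an ISP through the NAS shortname in the "from client ..." field; the shortname-to-ISP mapping is an assumption standing in for the clients.conf entries, and the log lines are constructed, not Anson's.

```python
import re
import sqlite3
from typing import Dict, List, Optional

# radiusd.log lines in the shape FreeRADIUS 1.x writes for authentication
# results. Constructed samples, not a real log from the poster.
SAMPLE_LOG = """\
Wed Jul 21 13:02:11 2004 : Auth: Login OK: [mary] (from client ourpix port 0)
Wed Jul 21 13:02:14 2004 : Auth: Login incorrect: [jsmith] (from client isp2-nas1 port 12 cli 5551234567)
Wed Jul 21 13:02:20 2004 : Auth: Login incorrect: [bob] (from client isp3-nas port 7 cli 5559876543)
Wed Jul 21 13:02:31 2004 : Auth: Login incorrect: [mary] (from client ourpix port 3)
Wed Jul 21 13:02:35 2004 : Auth: Login incorrect: [eve] (from client newnas port 1)
Wed Jul 21 13:02:40 2004 : Error: rlm_sql (sql): Couldn't connect socket to MySQL server
"""

# Assumption: each ISP's NAS entries in clients.conf carry a distinct
# shortname, so "from client <shortname>" is what tells the ISPs apart.
CLIENT_TO_ISP = {"ourpix": "OURS", "isp2-nas1": "ISP2", "isp3-nas": "ISP3"}

AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$")


def parse_auth_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of an Auth: line, or None for any other line."""
    m = AUTH_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    d: Dict[str, object] = m.groupdict()
    d["port"] = int(m.group("port"))
    d["isp"] = CLIENT_TO_ISP.get(m.group("client"))   # None: client not mapped
    return d


def load_log(conn: sqlite3.Connection, text: str) -> Dict[str, int]:
    """Post-process a log into a table; count what could not be attributed."""
    conn.execute("""CREATE TABLE IF NOT EXISTS auth_log (
        ts TEXT, result TEXT, username TEXT, client TEXT, port INTEGER,
        cli TEXT, isp TEXT)""")
    stats = {"stored": 0, "unattributed": 0, "skipped": 0}
    with conn:
        for line in text.splitlines():
            rec = parse_auth_line(line)
            if rec is None:
                stats["skipped"] += 1      # e.g. Error: lines name no client
                continue
            if rec["isp"] is None:
                stats["unattributed"] += 1
            conn.execute("INSERT INTO auth_log VALUES (?,?,?,?,?,?,?)",
                         (rec["ts"], rec["result"], rec["user"], rec["client"],
                          rec["port"], rec["cli"], rec["isp"]))
            stats["stored"] += 1
    return stats


def failed_logins_for(conn: sqlite3.Connection, isp: str) -> List[str]:
    """What one ISP's portal may see: only its own failed logins."""
    rows = conn.execute(
        "SELECT username FROM auth_log WHERE isp = ? AND result = 'incorrect' "
        "ORDER BY ts", (isp,)).fetchall()
    return [r[0] for r in rows]


def run(text: str = SAMPLE_LOG):
    conn = sqlite3.connect(":memory:")
    return conn, load_log(conn, text)


if __name__ == "__main__":
    conn, stats = run()
    print(stats)
    for isp in ("OURS", "ISP2", "ISP3"):
        print(isp, failed_logins_for(conn, isp))
```

This only separates the ISPs if each one's traffic arrives through its own NAS entries; a line from an unmapped client and an Error: line that names no client at all are counted rather than silently handed to someone, which is exactly the gap Anson describes. Note also what radiusd.log does not carry: the Auth: line has the NAS shortname, port and Calling-Station-Id (cli), but not Called-Station-Id, so an ISP split keyed on the dialed number, as in his users-file example, has to come from a detail log or from the sql module's post-auth query rather than from radiusd.log.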


Re: Is there a ChangeLog

2004-07-21 Thread Guy Fraser
There was a program written to work with Squid that sent the logs to a
database. It used a FIFO for the log file, so squid would write to the
FIFO and the program would read from the FIFO. The program would decipher
the logs and insert the relevant data into a table.
I believe the program was written in Perl and was called squid2mysql or
something like that.
I think I may have ported it to PostgreSQL, I will see if I have it
archived somewhere.

I have considered making a rlm_log module but have not had time to delve
into it yet. Once such a module exists, having the data exported to a DB
and file for redundancy should not be too difficult.

For now I will try to find the pipe based stuff, and see what I can do
with it.


--
Guy Fraser
Network Administrator
The Internet Centre
780-450-6787 , 1-888-450-6787
There is a fine line between genius and lunacy, fear not, walk the
line with pride. Not all things will end up as you wanted, but you
will certainly discover things the meek and timid will miss out on.



RE: Is there a ChangeLog

2004-07-21 Thread Anson Rinesmith


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of Alan DeKok
 Sent: Wednesday, July 21, 2004 1:23 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Is there a ChangeLog
 
 Anson Rinesmith [EMAIL PROTECTED] wrote:
  My biggest issue is that I want to bring in a second and third ISP
  to use our radius service. I want to present each ISP with their
  error log, without seeing the other ISPs errors. I am currently at a
  loss on how to do this.
 
   As I said, post-process them.
 
   If you can tell the messages apart when putting them into any
 theoretical DB, you can tell them apart when reading them from
 radiusd.conf.

That's my problem, I DON'T know how to tell them apart. Looking at any entry
from the radius.log file, I don't know if it for my customers, ISP2 or ISP3.
Using the 'cli' won't help as we have overlapping customer bases.
 


Authentication detail logging

2004-07-21 Thread Simon Bryden
Is there any easy way to log a detail log of attributes received in 
access_request messages, similar to acct logs?

Thanks,
Simon.
---



RE: Is there a ChangeLog

2004-07-21 Thread Anson Rinesmith
If you've got some code working for postgre, I'm sure I could port that to
work for mysql. I'm willing to do the work, I just don't know where to get
the differentiating information from freeradius so I know what ISP that user
belongs to. Something based on Called-Station-ID like the users and
acct_users file (DEFAULT Called-Station-Id == 1234567890, Proxy-To-Realm
:= ISP1) would be useful.



RE: Is free-radius authenticates with newly added entry into users file without restart?

2004-07-21 Thread Sathish Challa
I am sorry, I am new to freeradius; could you give me a little more detail
about the configuration to enable that?

And if I have a user table with username and password columns, how do I
point the db module at those columns in the table?

Thank you,
Sathish

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of apellido jr., wilfredo p.
Sent: Wednesday, July 21, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Is free-radius authenticates with newly added entry into users file without restart?

 rlm_fastusers module or use database.

 - Original Message -
 From: Sathish Challa
 To: [EMAIL PROTECTED]
 Sent: Wednesday, July 21, 2004 2:08 AM
 Subject: Is free-radius authenticates with newly added entry into users file without restart?

 Hi,

 Does free-radius recognize a users file updated by an external script and
 authenticate a newly added user without restarting the free-radius server?

 If yes, how do I configure it that way?

 Thank you,
 Sathish
 www.goremote.com



Re: EAP-TLS: machine authentication

2004-07-21 Thread Joe Meslovich



I just wanted to add some information to this message. I turned on EAPOL
file tracing in the registry. When I look at the trace log that is
created on the client, an error is occurring when the client should be
generating the response that contains its credentials. The error code in
the EAPOL log is -2146893802. From what I've seen that error code has to
do with not finding a keyset pair.


When doing machine authentication do the certificates need to be installed
in a special manner? When I go into mmc I see the certificates that I
installed in the local computer store.

Joe Meslovich


On Wed, 21 Jul 2004, Joe Meslovich wrote:


 I am trying to get machine authentication working using freeradius and a
 Windows XP SP1 client. I originally tried to make this work with
 freeradius 0.9.3, but then moved to 1.0.0pre3 in hopes of making it work.

 Here is what I see when I sniff the traffic between the client and the AP
 using ethereal.

 Client AP
 --
 EAPOL Start   ---

   ---Request, Identity

 Response, Identity---

   ---Request, EAP-TLS


 And that is it. The client never responds to the Request, EAP-TLS. Below
 is the contents of that last packet from the AP to the client:

 802.1x Authentication
   Version: 1
   Type:   EAP Packet (0)
   Length: 6
   Extensible Authentication Protocol
   Code: Request (1)
   Id: 17
   Length: 6
   Type: EAP-TLS [RFC2716] [Adoba] (13)
   Flags (0x20): Start

 On the server side I see the following

 rad_recv: Access-Request packet from host 147.138.120.170:6001, id=73,
 length=173
 User-Name = host/testwire.bridgewater.edu
 NAS-IP-Address = 147.138.120.170
 Called-Station-Id = 00-20-a6-52-b4-6c
 Calling-Station-Id = 00-90-4b-7d-d5-47
 NAS-Identifier = WritingWAP
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 EAP-Message =
 0x0212002201686f73742f74657374776972652e62726964676577617465722e656475
 Message-Authenticator = 0x3a892a05d25aa847b9be3c33cd9a7b4a
 Invalid operator for item Prefix: reverting to '=='
 Sending Access-Challenge of id 73 to 147.138.120.170:6001
 Framed-IP-Address = 255.255.255.254
 Framed-MTU = 576
 Service-Type = Framed-User
 EAP-Message = 0x011300060d20
 Message-Authenticator = 0x
 State = 0xc3ff0ce5bfdff596d099ec32ec73aece


 I am not sure why the XP client never responds to the Request, EAP-TLS
 packet. On the XP client I have it set to do machine authentication. In
 the registry I set the AuthMode value to 2 and SupplicantMode to 3. Before
 I set AuthMode I received errors about not being able to find a
 certificate to use. Setting SupplicantMode to 3 did not change the
 behavior. I have a certificate with a CN of testwire.bridgewater.edu in
 the personal store of the local computer account.

 I just don't understand what is happening and any help would be greatly
 appreciated.


 
 Joe Meslovich [EMAIL PROTECTED]
 Associate Network/Systems EngineerIT Center
 Tel: (540) 828 - 5343

Joe Meslovich   [EMAIL PROTECTED]
Associate Network/Systems Engineer  IT Center
Tel: (540) 828 - 5343
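To read the two EAP-Message values in the debug output above (the client's Identity response and the server's EAP-TLS challenge), here is an added decoder; it is not from the thread and not FreeRADIUS code. The layout follows RFC 3748 for the EAP header and the Identity type and RFC 2716 for the EAP-TLS flags byte. Decoding the challenge shows it carries only the Start flag and no TLS data, so the next packet on the wire has to be the client's own ClientHello, which is exactly the step the XP supplicant in this thread never takes.

```python
"""Decode the EAP-Message values FreeRADIUS prints in debug output.

Added example, not part of the thread. The two sample values below are
copied from the debug output above. Layout: RFC 3748 (EAP header and the
Identity type) and RFC 2716 (EAP-TLS flags byte).
"""
import struct

# Copied from the rad_recv / Access-Challenge lines in the post
IDENTITY_RESPONSE = "0x0212002201686f73742f74657374776972652e62726964676577617465722e656475"
EAP_TLS_START = "0x011300060d20"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}

# EAP-TLS flags byte (RFC 2716 section 4.2): L, M and S bits
TLS_LENGTH_INCLUDED = 0x80
TLS_MORE_FRAGMENTS = 0x40
TLS_START = 0x20


def decode_eap_message(hex_value):
    """Parse one EAP packet given as the 0x... string from the debug log."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes; got %d" % len(raw))
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # FreeRADIUS prints the reassembled EAP packet, so the length field
        # must match the bytes present; a mismatch means a truncated attribute.
        raise ValueError("EAP length %d but %d bytes present" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):
        return pkt                      # Success / Failure carry no Type byte
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    eap_type, body = raw[4], raw[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        pkt["identity"] = body.decode("utf-8", "replace")
    elif eap_type == 13:
        flags = body[0] if body else 0
        pkt["tls_flags"] = {
            "length_included": bool(flags & TLS_LENGTH_INCLUDED),
            "more_fragments": bool(flags & TLS_MORE_FRAGMENTS),
            "start": bool(flags & TLS_START),
        }
        data = body[1:]
        if flags & TLS_LENGTH_INCLUDED and len(data) >= 4:
            # a four-byte total TLS message length precedes the first fragment
            pkt["tls_total_length"] = struct.unpack("!I", data[:4])[0]
            data = data[4:]
        pkt["tls_data"] = data
    return pkt


if __name__ == "__main__":
    for label, value in (("client identity", IDENTITY_RESPONSE),
                         ("server challenge", EAP_TLS_START)):
        print(label, decode_eap_message(value))
```

The identity response decodes to Code 2 (Response), Id 18, Type 1 with the identity `host/testwire.bridgewater.edu`; the challenge decodes to Code 1 (Request), Id 19, Type 13 (EAP-TLS) with only the S bit set and an empty TLS payload.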


pap module instantiation fails on sol8 but not on redhat?

2004-07-21 Thread Terry
okay, i'm working with 1.0.0pre3 on a sol8 box.  Just last week i had 
this version of freeradius working on a RedHat Enterprise box without 
any problems.

./configure
make
make install
all with no errors (done the same on both boxes with the only diff being 
the sol8 box has oracle 9.2.0.4 running on it for the accounting).

i have the clients.conf file set up with all our nas devices (in old 
0.8.1 they were listed in clients file).  I moved our old users file to 
new location (i still have 0.8.1 running, and turn it off when i try to 
start 1.0.0).  the 0.8.1 is in /usr/local  and 1.0.0 is in /opt/csw so 
there shouldn't be any conflicts in config files

I made some mods to the radiusd.conf (which i didn't do on redhat box) 
and they are as follows:

log_file = /home/radius/radius.log
libdir = 
/usr/lib:/usr/local/lib:/opt/sfw/lib:/opt/csw/lib:/opt/oracle/products/9.2.0/lib

max_request_time = 10
max_requests = 256000
port = 1645
log_auth = yes
proxy_requests = no (and comment out $INCLUDE below it)
max_servers = 100
# added to exec so i wasn't seeing the error on startup
output = none
with the exception of the output=none these are from our old 
radiusd.conf for 0.8.1.

when i radiusd -X this is my output:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /opt/csw/etc/raddb/clients.conf
Config:   including file: /opt/csw/etc/raddb/snmp.conf
Config:   including file: /opt/csw/etc/raddb/eap.conf
Config:   including file: /opt/csw/etc/raddb/sql.conf
 main: prefix = /opt/csw
 main: localstatedir = /opt/csw/var
 main: logdir = /opt/csw/var/log/radius
 main: libdir = 
/usr/lib:/usr/local/lib:/opt/sfw/lib:/opt/csw/lib:/opt/oracle/products/9.2.0/lib
 main: radacctdir = /opt/csw/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 10
 main: cleanup_delay = 5
 main: max_requests = 256000
 main: delete_blocked_requests = 0
 main: port = 1645
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /home/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /opt/csw/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /opt/csw/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is 
/usr/lib:/usr/local/lib:/opt/sfw/lib:/opt/csw/lib:/opt/oracle/products/9.2.0/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Segmentation fault (core dumped)

i've also trussed it while doing radiusd -X; it basically shows the same 
thing, dying just before instantiating the PAP module.

this is the output from truss (the lines dealing with the PAP module 
anyways)

open(/usr/lib/rlm_pap.la, O_RDONLY)   Err#2 ENOENT
open(/usr/local/lib/rlm_pap.la, O_RDONLY) = 5
fstat64(5, 0xFFBEE1A0)  = 0
ioctl(5, TCGETA, 0xFFBEE12C)Err#25 ENOTTY
read(5,  #   r l m _ p a p . l a.., 8192) = 756
read(5, 0x0018506C, 8192)   = 0
llseek(5, 0, SEEK_CUR)  = 756
close(5)= 0
stat(/usr/local/lib/rlm_pap-0.8.1.so, 0xFFBEDA74) = 0
open(/usr/local/lib/rlm_pap-0.8.1.so, O_RDONLY) = 5
fstat(5, 0xFFBEDA74)= 0
mmap(0x, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0xFEF7
mmap(0x, 73728, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0xFEF0
mmap(0xFEF1, 6428, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED, 5, 0) = 0xFEF1
munmap(0xFEF02000, 57344)   = 0
memcntl(0xFEF0, 2476, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(5)= 0
munmap(0xFEF7, 8192)= 0
time()  = 1090364475
Module: Loaded PAP
write(1,  M o d u l e :   L o a d.., 20)  = 20
time()  = 1090364475
Incurred fault #6, FLTBOUNDS  %pc = 0xFF0C2314
  siginfo: SIGSEGV SEGV_MAPERR addr=0x7475AC2C
Received signal #11, SIGSEGV [default]
  siginfo: SIGSEGV SEGV_MAPERR addr=0x7475AC2C
*** process killed ***

anyone have any guesses, clues, ideas why this worked fine when tested 
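The trace above shows radiusd opening /usr/local/lib/rlm_pap-0.8.1.so, the module from the 0.8.1 install under /usr/local, because /usr/local/lib comes before /opt/csw/lib in the libdir string; a 1.0.0 server pulling in a 0.8.1 module is worth ruling out before anything else. The following is an added example, not from the thread and not FreeRADIUS code: it pulls the rlm_*.so paths out of a truss or strace log, reports any whose file name carries a different release than the server being started, and shows which directory a first-match walk of libdir picks for a given file. SAMPLE_TRUSS and LIBDIR are copied from the post; the directory layout passed to first_hit is constructed and assumes the 1.0.0 copy of the module lives under /opt/csw/lib.

```python
"""Pick out the FreeRADIUS modules a truss/strace run actually opened and
flag any whose file name carries a release other than the server's.

Added example, not part of the thread. SAMPLE_TRUSS is copied from the
truss output above and LIBDIR from the radiusd.conf shown there. Linux
strace prints open() the same way apart from quoting the path.
"""
import re

# Lines copied from the truss output in the post (sample input)
SAMPLE_TRUSS = """\
open(/usr/lib/rlm_pap.la, O_RDONLY)   Err#2 ENOENT
open(/usr/local/lib/rlm_pap.la, O_RDONLY) = 5
stat(/usr/local/lib/rlm_pap-0.8.1.so, 0xFFBEDA74) = 0
open(/usr/local/lib/rlm_pap-0.8.1.so, O_RDONLY) = 5
"""

LIBDIR = "/usr/lib:/usr/local/lib:/opt/sfw/lib:/opt/csw/lib:/opt/oracle/products/9.2.0/lib"

# open()/stat()-style call naming an rlm_*.so that returned a non-negative
# value; truss prints "Err#..." instead of "= -1", so failures never match.
_MODULE_CALL = re.compile(
    r'^(?:open|open64|openat|stat|stat64)\((?:[^,]*,\s*)?"?'
    r'(?P<path>/[^\s",)]*/rlm_[^\s",)]+\.so)"?[^)]*\)\s*=\s*(?P<rc>\d+)'
)
# rlm_<module>-<version>.so, the libtool naming the trace shows
_VERSIONED = re.compile(r"/rlm_(?P<module>[A-Za-z0-9_]+)-(?P<version>[0-9][0-9A-Za-z.]*)\.so$")


def loaded_modules(trace_text):
    """Return [(path, module, version)] for each distinct rlm_*.so the trace
    touched successfully; version is None when the file name carries none."""
    seen, found = set(), []
    for line in trace_text.splitlines():
        m = _MODULE_CALL.match(line.strip())
        if not m or m.group("path") in seen:
            continue
        path = m.group("path")
        seen.add(path)
        v = _VERSIONED.search(path)
        if v:
            found.append((path, v.group("module"), v.group("version")))
        else:
            found.append((path, path.rsplit("/rlm_", 1)[1][:-3], None))
    return found


def foreign_modules(trace_text, server_version):
    """Modules whose file name names a release other than server_version."""
    return [(p, m, v) for p, m, v in loaded_modules(trace_text)
            if v is not None and v != server_version]


def first_hit(libdir, filename, present):
    """Simulate a first-match search over a colon-separated libdir.
    `present` maps directory -> set of file names it holds (constructed)."""
    for d in libdir.split(":"):
        if filename in present.get(d, ()):
            return d + "/" + filename
    return None


if __name__ == "__main__":
    for path, mod, ver in foreign_modules(SAMPLE_TRUSS, "1.0.0"):
        print("rlm_%s loaded from %s is release %s, not 1.0.0" % (mod, path, ver))
    # constructed layout: the 0.8.1 and 1.0.0 installs each ship rlm_pap.la
    layout = {"/usr/local/lib": {"rlm_pap.la"}, "/opt/csw/lib": {"rlm_pap.la"}}
    print("first rlm_pap.la on libdir:", first_hit(LIBDIR, "rlm_pap.la", layout))
```

With the page's libdir the first hit for rlm_pap.la is the /usr/local/lib copy; putting /opt/csw/lib in front of /usr/local/lib in libdir (or dropping /usr/local/lib from it while 0.8.1 is still installed) changes the answer, which is the check to make before chasing the segfault itself.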

Re: EAP module return code for proxy case [Re: help with EAP proxy]

2004-07-21 Thread Dave Mason
Just so I'm on the right page, I assume I should do the patch and submit 
it in the usual way?

If so, I'll clarify my understanding of what needs to happen.  In 
eap.c/eap_start, I can return EAP_OK instead of EAP_NOOP for the proxy 
case.  I dont see any other cases where EAP_OK is returned now.  Then in 
rlm_eap.c/eap_authorize, in the switch statement for the eap_start 
return code, I can add an EAP_OK case that will return RLM_MODULE_OK.  I 
can also add a config note in doc/rlm_eap.

Dave
Alan DeKok wrote:
 Dave Mason [EMAIL PROTECTED] wrote:
  Along the way, I noticed that in the 1.0 server code, rlm_eap returns
  NOOP both for Access-Requests with an EAP-Message to be proxied and for
  Access-Requests with no EAP at all.  It would be useful for me to write
  a configurable failover block in the authorize section of radiusd.conf
  that distinguishes between the two.

   Ok...

  Maybe it could return HANDLED in that case?

   No.  That return code means there's a RADIUS reply packet ready to
 be sent to the client.  Maybe RLM_MODULE_NOOP for no EAP-Message, and
 RLM_MODULE_OK for an EAP-Message which will be proxied.

   This should also be documented in the man page for rlm_eap.

   Alan DeKok.




freeRadius on Red Hat ES 3

2004-07-21 Thread Carlos Tinajero

I am getting an error when I try to install freeRadius on a Red Hat ES 3
machine.  This is the error:

error: Failed dependencies:
ld.so.1 is needed by freeradius-0.9.3-2

Any ideas if freeRadius is supported on this version of RH?  If so, where
can I get this module?


Problem setting up Radius to use Primary and Secondary Mysql Databases .

2004-07-21 Thread Ali Asghar
Hi all .. 

Radius =  R1
MySql Prim  =  DB1
Mysql  Sec   =  DB2

i am unable to configure Radius to operate in fail over to DB2 in case
DB1 goes down .

The configuration details are as follows. 

1) In radiusd.conf  i am doing an include on sql1.conf and sql2.conf.  
 $INCLUDE  ${confdir}/sql1.conf
 $INCLUDE  ${confdir}/sql2.conf
   These two files exist in the correct location . 

2) In  Radiusd.conf  's   authorize   section i have replaced sql
entry with the following lines
 group {
sql1 {
fail  = 1
notfound = return
noop  = 2
ok  = return
updated = 3
reject = return
userlock = 4
invalid = 5
handled = 6
}
sql2 {
fail  = 1
notfound = return
noop  = 2
ok  = return
updated = 3
reject = return
userlock = 4
invalid = 5
handled = 6
}
}
 On starting the server in debug mode i get the following errors .. 

Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix) 
ERROR: Cannot find a configuration entry for module sql1. 

Can any one tell me if i am missing some thing in the configuration .

FYI ... I was able to make single mysql server work with radius
successfully . And as a second step i was in the process of adding
mysql redundancy . So basically all my tables , data etc etc works
fine in the same arrangement .



radrelay question

2004-07-21 Thread Simon Bryden
Hi,

I have a live freeradius server and I'm trialing a new system which is running 
a second instance of freeradius on the same host. I am using radrelay to send 
a copy of all accounting messages to the new server for testing.

The problem is that I need the resulting Client-IP-Address attribute to be the 
address of the original client, not of my radrelay source. I don't really 
want to start hacking FR code to do this - does anyone know if I can do it 
through configuration?

Thanks,
Simon.
---



Re: Problem setting up Radius to use Primary and Secondary Mysql Databases .

2004-07-21 Thread Gary McKinney
Hmm - think I saw an earlier posting (it's in the archives) about this very
subject!

I think you want to take a look at the configurable_failover file in the doc
directory where you untarred the freeradius package - it describes what you
are looking for...



gm...

- Original Message - 
From: Ali Asghar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 5:55 PM
Subject: Problem setting up Radius to use Primary and Secondary Mysql
Databases .


 Hi all ..

 Radius =  R1
 MySql Prim  =  DB1
 Mysql  Sec   =  DB2

 i am unable to configure Radius to operate in fail over to DB2 incase
 DB1 goes down .

 The configuration details are as follows.

 1) In radiusd.conf  i am doing an include on sql1.conf and sql2.conf.
  $INCLUDE  ${confdir}/sql1.conf
  $INCLUDE  ${confdir}/sql2.conf
These two files exist in the correct location .

 2) In  Radiusd.conf  's   authorize   section i have replaced sql
 entry with the following lines
  group {
 sql1 {
 fail  = 1
 notfound = return
 noop  = 2
 ok  = return
 updated = 3
 reject = return
 userlock = 4
 invalid = 5
 handled = 6
 }
 sql2 {
 fail  = 1
 notfound = return
 noop  = 2
 ok  = return
 updated = 3
 reject = return
 userlock = 4
 invalid = 5
 handled = 6
 }
 }
  On starting the server in debug mode i get the following errors ..

 Module: Instantiated preprocess (preprocess)
 Module: Loaded realm
  realm: format = suffix
  realm: delimiter = @
 Module: Instantiated realm (suffix)
 ERROR: Cannot find a configuration entry for module sql1.

 Can any one tell me if i am missing some thing in the configuration .

 FYI ... I was able to make single mysql server work with radius
 successfully . And as a second step i was in the process of adding
 mysql redundancy . So basically all my tables , data etc etc works
 fine in the same arrangement .

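What the configurable_failover document Gary points to needs, shown as an added example rather than anything from the thread: each sql instance has to be declared under its own name, and "Cannot find a configuration entry for module sql1" is the error the server reports when the authorize section names an instance no module block defines. A sql1.conf copied from the stock sql.conf still opens with `sql {`, which defines an instance called `sql`, not `sql1`. The `sql sql1 {` header is the FreeRADIUS syntax for a named module instance; the `redundant` block is taken from doc/configurable_failover as of the 1.0 release (assumed here); host names and credentials are placeholders.

```conf
# sql1.conf, $INCLUDEd from inside the modules { } section of radiusd.conf,
# at the place where the stock sql.conf is included
sql sql1 {
	driver = "rlm_sql_mysql"
	server = "db1.example.invalid"     # placeholder: primary MySQL host (DB1)
	login = "radius"
	password = "PLACEHOLDER"
	radius_db = "radius"
	# remaining settings as in the stock sql.conf
}

# sql2.conf: identical apart from the instance name and the server
sql sql2 {
	driver = "rlm_sql_mysql"
	server = "db2.example.invalid"     # placeholder: secondary MySQL host (DB2)
	login = "radius"
	password = "PLACEHOLDER"
	radius_db = "radius"
	# remaining settings as in the stock sql.conf
}

# radiusd.conf, authorize section: sql2 is consulted only when sql1 fails
authorize {
	preprocess
	suffix
	redundant {
		sql1
		sql2
	}
}
```

Ali's `group { sql1 { fail = 1 ... } sql2 { ... } }` form works as well once both instances resolve; `redundant` is just the shorter spelling of "on fail, continue to the next entry". Either way the two `$INCLUDE` lines must sit inside `modules { }`, otherwise the instances are never defined and the same error appears.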

Re: freeRadius on RedHat ES3

2004-07-21 Thread Terry

 I am getting an error when I try to install freeRadius on a Red Hat ES 3
 machine.  This is the error:
 error: Failed dependencies:
 ld.so.1 is needed by freeradius-0.9.3-2
 Any ideas if freeRadius is supported on this version of RH?  If so, where
 can I get this module?

that is odd, i just installed 1.0.0pre3 on a box with this os just last week
./configure
make
make install
all with no errors...
and it started up and was authenticating users within an hour (it was a 
test machine for wireless authentication via a small cheap router that 
could supposedly do authentication via a radius server...)

what sort of install did you do on ES3?
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]


RE: Segmentation Fault, 1.0 pre3, ldap w/ssl

2004-07-21 Thread Tarun Bhushan
Michael

You haven't indicated which operating system you encountered this on. I
have experienced this problem on both Fedora Core 2 and Red Hat
Enterprise 3 ES. The problem (at least with the former OS distro) is due
to the differing versions of SASL used by the OpenLDAP libraries and
FreeRadius' rlm_ldap. I saw that Redhat appears to have fixed the FC2
version of FreeRadius - the source/binary RPMs are available on Rawhide.
RHEL3 still appears to have the problem, AFAIK. BTW, there is an
existing Bug Report for this - see FreeRadius bug #73.

Tarun

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Michael Hare
Sent: Thursday, 22 July 2004 12:35 AM
To: [EMAIL PROTECTED]
Subject: Segmentation Fault, 1.0 pre3, ldap w/ssl


Hello-

I was using FreeRadius 0.8.1 successfully with LDAP.  I am investigating
upgrading to 1.0.0pre3 because I am moving the server to a different
machine.  I am unable to authenticate users at this point due to seg
faults. I'll be the first to admit that I am fairly ignorant when it
comes to troubleshooting problems of this nature.

Does anyone have links to a good FAQ where I can find out how to create
a core file for submissions (assuming this problem is interesting for a
developer to look at)?

Thanks-
-Michael



(debug output)
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
Segmentation fault

Some related config

ldap {
server = NOT SHOWN
identity = uid=radius,ou=Apps,o=isp
password = NOT SHOWN
basedn = NOT SHOWN
port = 636

filter = ((uid=%u)(%{Huntgroup-Name}=Y))
start_tls = no

tls_cacertfile = /etc/certs/cacertfile.pem
tls_certfile = /etc/certs/certfile.pem
tls_keyfile = /etc/certs/key_file.pem
tls_require_cert = demand

dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5

timeout = 4
timelimit = 3
net_timeout = 1
}

Michael Hare
UW-Madison/WiscNet Network Engineering
Desk: (608) 262-5236
24 Hr Noc: (608) 263-4188


Please help with simultaneous-use

2004-07-21 Thread Karina
Hi, I want to restrict users to just one session, but I have this problem.
When I debug the requests of the NAS to the radius server I find this:
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radutmp: WARNING: checkrad will probably not work!
I made some tests and of course the simultaneous-use restriction is not 
working; the NAS I'm using is an Ip3 Networks NAS 200 model. It 
supports SNMP because I can get information with the snmpwalk command.  
I've tried with all the possible NAS values that the radius accepts and 
nothing.
If I run checkrad manually it asks me for a port; I think this is the 
port that the NAS is missing...
So basically I'm stuck on this.

Any help would be greatly appreciated.
Regards,
Karina.



Re: Is there a ChangeLog

2004-07-21 Thread Paul Hampson
On Wed, Jul 21, 2004 at 02:27:46PM -0500, Anson Rinesmith wrote:
 If you've got some code working for postgre, I'm sure I could port that to
 work for mysql. I'm willing to do the work, I just don't know where to get
 the differentiating information from freeradius so I know what ISP that user
 belongs to. Something based on Called-Station-ID like the users and
 acct_users file (DEFAULT Called-Station-Id == 1234567890, Proxy-To-Realm
 := ISP1) would be useful.

Sounds to me like the aforementioned post-auth SQL query support would
suit you best. That way you can log whatever you like into mySQL.

-- 
Paul TBBle Hampson, on an alternate email client.



unsubscribe

2004-07-21 Thread Yu-Ping Wang
unsubscribe



Re: EAP-TLS: machine authentication

2004-07-21 Thread Ben Walding
It's worth ensuring that you have loaded the private key component of
the certificate.

Depending on how you generated the cert, you might only have the
public key which is utterly useless for machine auth.

In the cert file you loaded into MMC, check that there are two parts -
private and public.  Also, if you didn't have to type in a password to
load the machine cert, there is a pretty good chance that you are
missing the private key component.

We are using freeradius 1.0.0-pre3 successfully with EAP TLS.  I can't
say it was easy, but we muddled through it and it all seems to work
now.


Cheers,

Ben
On Wed, 21 Jul 2004 15:31:58 -0400 (EDT), Joe Meslovich
[EMAIL PROTECTED] wrote:
 
 
 I just wanted to add some information to this message. I turned on EAPOL
 file tracing in the registery. When I look at the trace log that is
 created on the client and error is occuring when the client should be
 generating the response that contains its credentials. The error code in
 the EAPOL log  is -2146893802. From what I've seen that error code has to
 do with not finding a keyset pair.
 
 When doing machine authentication do the certificates need to be installed
 in a special manner? When I go into mmc I see the certificates that I
 installed in the local computer store.
 
 Joe Meslovich


FreeRadius with Dialup admin web software

2004-07-21 Thread Barry Murphy

Hi,

I'm running freeradius and have 3 NAS (POPTOP) servers connecting to this 
server. I find when a user disconnects because they are out of wireless 
signal or they unplug their wireless card, the system shows them as still 
logged in and I don't get the final bandwidth usage; I have to manually 
delete the start request from the mysql radacct table.

Thanks
Barry


Re: EAP-TLS: machine authentication

2004-07-21 Thread Daniel Carroll
For what it's worth, I encountered a similar problem with EAP/TLS
and machine authentication.  It turned out that the reason I was
having problems was that I had generated my certs in OpenSSL, and
OpenSSL was missing one important step that isn't documented on
Microsoft's web site about EAP/TLS and machine authentication.

I modified OpenSSL (0.9.7d) to add one extra OID to the
PKCS#7 keybag attributes holding the client's private key and
that solved my problems.  Just having this particular OID present
was enough to get it working -- it didn't matter what value the
OID was set to.  The OID was: 1.3.6.1.4.1.311.17.2  In my search
on the web for this OID, I found a grand total of ONE useful reference
to this OID on the web.  From what I can tell, the presence of this
OID tells Windows XP that the cert is intended for use by the
computer itself, and not by an end-user.

The other solution is to use Microsoft's web certificate server
to generate these certs.


If you want the patch for OpenSSL, let me know and I'd be happy
to mail it to you.  Please send me the e-mail directly -- mail
sent to the list goes into a folder that I only check infrequently.

- Dan


Ben Walding wrote:
 It's worth ensuring that you have loaded the private key component of
 the certificate.

 Depending on how you generated the cert, you might only have the
 public key which is utterly useless for machine auth.

 In the cert file you loaded into MMC, check that there are two parts -
 private and public.  Also, if you didn't have to type in a password to
 load the machine cert, there is a pretty good chance that you are
 missing the private key component.

 We are using freeradius 1.0.0-pre3 successfully with EAP TLS.  I can't
 say it was easy, but we muddled through it and it all seems to work
 now.


 Cheers,

 Ben
 On Wed, 21 Jul 2004 15:31:58 -0400 (EDT), Joe Meslovich
 [EMAIL PROTECTED] wrote:
 
  I just wanted to add some information to this message. I turned on EAPOL
  file tracing in the registery. When I look at the trace log that is
  created on the client and error is occuring when the client should be
  generating the response that contains its credentials. The error code in
  the EAPOL log  is -2146893802. From what I've seen that error code has to
  do with not finding a keyset pair.
 
  When doing machine authentication do the certificates need to be installed
  in a special manner? When I go into mmc I see the certificates that I
  installed in the local computer store.
 
  Joe Meslovich


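Ben's advice is to confirm that the bundle actually holds the private key; Dan's finding is that the key bag also needs the Microsoft LocalMachine keyset attribute, OID 1.3.6.1.4.1.311.17.2, before XP will use the certificate for machine authentication. The checks below are an added example, not code from the thread or from FreeRADIUS: they drive the openssl command line to build a throwaway self-signed bundle and then verify all three properties on it. The `-LMK` option of `openssl pkcs12 -export`, which writes that attribute, is assumed to exist in the reader's OpenSSL (Dan had to patch 0.9.7d by hand to get the same effect); the CN, password and file names are constructed.

```python
"""Audit a PKCS#12 bundle meant for the Windows machine store: is the private
key in it, does it belong to the certificate, and does the key bag carry the
Microsoft LocalMachine keyset attribute (1.3.6.1.4.1.311.17.2)?

Added example, not from the thread. It drives the openssl command line; the
`-LMK` export option, which adds that attribute, is assumed to be available.
"""
import os
import subprocess
import tempfile

LOCAL_MACHINE_KEYSET_OID = "1.3.6.1.4.1.311.17.2"


def _openssl(args, stdin=None):
    """Run one openssl subcommand and return its stdout bytes."""
    return subprocess.run(["openssl"] + args, input=stdin,
                          capture_output=True, check=True).stdout


def _pem_only(text):
    """Drop the 'Bag Attributes' preamble openssl prints before a PEM block."""
    start = text.find(b"-----BEGIN")
    return text[start:] if start >= 0 else b""


def make_bundle(workdir, cn, password, local_machine):
    """Self-signed throwaway key/cert packed into a .p12 (constructed test
    material; a real machine cert comes from the site CA)."""
    key = os.path.join(workdir, "key.pem")
    crt = os.path.join(workdir, "crt.pem")
    p12 = os.path.join(workdir, "bundle.p12")
    _openssl(["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
              "-out", crt, "-days", "1", "-subj", "/CN=" + cn])
    export = ["pkcs12", "-export", "-inkey", key, "-in", crt, "-out", p12,
              "-passout", "pass:" + password]
    if local_machine:
        export.append("-LMK")      # adds 1.3.6.1.4.1.311.17.2 to the key bag
    _openssl(export)
    return p12


def has_private_key(p12, password):
    """Ben's first check: a key bag must come out of the bundle at all."""
    out = _openssl(["pkcs12", "-in", p12, "-nocerts", "-nodes", "-passin", "pass:" + password])
    return b"PRIVATE KEY-----" in out


def key_matches_cert(p12, password):
    """The key's public half must equal the certificate's SubjectPublicKeyInfo."""
    key = _pem_only(_openssl(["pkcs12", "-in", p12, "-nocerts", "-nodes",
                              "-passin", "pass:" + password]))
    crt = _pem_only(_openssl(["pkcs12", "-in", p12, "-nokeys", "-clcerts",
                              "-passin", "pass:" + password]))
    return _openssl(["pkey", "-pubout"], key) == _openssl(["x509", "-noout", "-pubkey"], crt)


def has_local_machine_keyset(p12, password):
    """Dan's attribute: -info prints bag attributes by long name, or by OID
    when the local OpenSSL does not know the object."""
    info = _openssl(["pkcs12", "-in", p12, "-info", "-nodes",
                     "-passin", "pass:" + password]).lower()
    return (LOCAL_MACHINE_KEYSET_OID.encode() in info
            or b"local key set" in info or b"localkeyset" in info)


def audit(local_machine=True, cn="testwire.example", password="constructed-pw"):
    """Build a bundle in a scratch directory and return the three checks."""
    with tempfile.TemporaryDirectory() as d:
        p12 = make_bundle(d, cn, password, local_machine)
        return {"private_key": has_private_key(p12, password),
                "key_matches_cert": key_matches_cert(p12, password),
                "local_machine_keyset": has_local_machine_keyset(p12, password)}


if __name__ == "__main__":
    print("with -LMK:   ", audit(True))
    print("without -LMK:", audit(False))
```

Run `has_private_key`, `key_matches_cert` and `has_local_machine_keyset` against the real .p12 before importing it into the local computer store. A bundle that passes the first check but fails the second is Ben's case seen from the other side: a key is present but belongs to a different certificate. One that passes both but fails the third is Dan's: the pair is fine and XP still declines to use it for the machine account.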


Cisco-AVPair attribute

2004-07-21 Thread ngl
Hello.
I have freeradius-0.9.3 with PostgreSQL.

How can i process multiple Cisco-AVPair attributes?

regards,
Nik



Re: Is free-radius authenticates with newly added entry into users file without restart?

2004-07-21 Thread apellido jr., wilfredo p.

This site will help you http://www.frontios.com/freeradius.html and
see dialup_admin too.

  - Original Message -
  From: Sathish Challa
  To: [EMAIL PROTECTED]
  Sent: Thursday, July 22, 2004 3:30 AM
  Subject: RE: Is free-radius authenticates with newly added entry into users file without restart?

  I am sorry, I am new to freeradius; could you give me a little more detail about the configuration to enable that?

  And if I have a “user” table with “username” and “password” columns, how do I point the db module at those columns?

  Thank you,
  Sathish,

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of apellido jr., wilfredo p.
  Sent: Wednesday, July 21, 2004 3:19 PM
  To: [EMAIL PROTECTED]
  Subject: Re: Is free-radius authenticates with newly added entry into users file without restart?

  rlm_fastusers module or use database.

  - Original Message -
  From: Sathish Challa
  To: [EMAIL PROTECTED]
  Sent: Wednesday, July 21, 2004 2:08 AM
  Subject: Is free-radius authenticates with newly added entry into users file without restart?

  Hi,

  Does free-radius recognize a users file updated by any external script and authenticate a newly added user without restarting the free-radius server?
  If yes, how do I configure it that way?

  Thank you,
  Sathish,
  www.goremote.com


Re: Cisco-AVPair attribute

2004-07-21 Thread Carlos Gaule Pantoja
ngl wrote:
 Hello.
 I have freeradius-0.9.3 with PostgreSQL.
 How can i process multiple Cisco-AVPair attributes?
 regards,
 Nik

Try +=
CArlos.-