Fwd: Re: Wireless authentication via LDAP and PEAP
Hi,

Novell is working towards making FreeRADIUS work with eDirectory. This will allow eDirectory users to authenticate via FreeRADIUS.

regards
Sayantan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_ippool and NAS-Port missing in access-request
On Thu, Sep 09, 2004 at 05:09:48PM +0200, [EMAIL PROTECTED] wrote:
> Well, this is exactly what I'd like to do: to build one and to get it working... But I need some help from developers. So who wants to cooperate? Any help/hints are welcome.
> http://bugs.freeradius.org/show_bug.cgi?id=42

I was thinking about this recently, and maybe a better solution would be a new module, unless you can find a way to make the new module process the old gdbm library?

People also want a SQL-backed rlm_ippool module, a la rlm_sqlcounter, I suspect. This might be a good time to introduce rlm_sqlippool, with configurable keys and no legacy hangovers.

If you're after a more generic ippool algorithm, I posted one here a couple of years ago, but Kostas managed to fix the livelock (I think) in rlm_ippool so it wasn't needed. ^_^

--
Paul TBBle Hampson, on an alternate email client.
getting dialup user statistics
Hi there. Is there a FreeRADIUS script that gets statistics from a NAS, besides radwho? I would like to create a script that gets who's connected on E1 #1 and E1 #2. Is that possible? Please advise.

Thanks,
milver nisay
Wireless authentication via EAP_SIM
Hi guys,

Could you please check what is wrong with the eam or eap sim? I am trying to authenticate an EAP-SIM user, and wrote an rlm_sim_map to replace rlm_sim_file. I get the 3 triplets and add pairs for the 3 triplets. But when I use eap_client with an 802.1x AP, it fails to authenticate my connection. The FreeRADIUS version is 1.0 pre3.

Thanks and regards.

The messages are as follows...

  $ radiusd -Xxx
  Fri Sep 10 16:33:51 2004 : Info: Starting - reading configuration files ...
  Fri Sep 10 16:33:51 2004 : Debug: reread_config: reading radiusd.conf
  Fri Sep 10 16:33:51 2004 : Debug: Config: including file: /usr/local/etc/raddb/clients.conf
  Fri Sep 10 16:33:51 2004 : Debug: Config: including file: /usr/local/etc/raddb/snmp.conf
  Fri Sep 10 16:33:51 2004 : Debug: Config: including file: /usr/local/etc/raddb/sql.conf
  Fri Sep 10 16:33:51 2004 : Debug: main: prefix = /usr/local
  Fri Sep 10 16:33:51 2004 : Debug: main: localstatedir = /usr/local/var
  Fri Sep 10 16:33:51 2004 : Debug: main: logdir = /usr/local/var/log/radius
  Fri Sep 10 16:33:51 2004 : Debug: main: libdir = /usr/local/lib
  Fri Sep 10 16:33:51 2004 : Debug: main: radacctdir = /usr/local/var/log/radius/radacct
  Fri Sep 10 16:33:51 2004 : Debug: main: hostname_lookups = no
  Fri Sep 10 16:33:51 2004 : Debug: main: snmp = no
  Fri Sep 10 16:33:51 2004 : Debug: main: max_request_time = 30
  Fri Sep 10 16:33:51 2004 : Debug: main: cleanup_delay = 5
  Fri Sep 10 16:33:51 2004 : Debug: main: max_requests = 1024
  Fri Sep 10 16:33:51 2004 : Debug: main: delete_blocked_requests = 0
  Fri Sep 10 16:33:51 2004 : Debug: main: port = 0
  Fri Sep 10 16:33:51 2004 : Debug: main: allow_core_dumps = no
  Fri Sep 10 16:33:51 2004 : Debug: main: log_stripped_names = no
  Fri Sep 10 16:33:51 2004 : Debug: main: log_file = /usr/local/var/log/radius/radius.log
  Fri Sep 10 16:33:51 2004 : Debug: main: log_auth = yes
  Fri Sep 10 16:33:51 2004 : Debug: main: log_auth_badpass = yes
  Fri Sep 10 16:33:51 2004 : Debug: main: log_auth_goodpass = yes
  Fri Sep 10 16:33:51 2004 : Debug: main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
  Fri Sep 10 16:33:51 2004 : Debug: main: user = (null)
  Fri Sep 10 16:33:51 2004 : Debug: main: group = (null)
  Fri Sep 10 16:33:51 2004 : Debug: main: usercollide = no
  Fri Sep 10 16:33:51 2004 : Debug: main: lower_user = no
  Fri Sep 10 16:33:51 2004 : Debug: main: lower_pass = no
  Fri Sep 10 16:33:51 2004 : Debug: main: nospace_user = no
  Fri Sep 10 16:33:51 2004 : Debug: main: nospace_pass = no
  Fri Sep 10 16:33:51 2004 : Debug: main: checkrad = /usr/local/sbin/checkrad
  Fri Sep 10 16:33:51 2004 : Debug: main: proxy_requests = yes
  Fri Sep 10 16:33:51 2004 : Debug: security: max_attributes = 200
  Fri Sep 10 16:33:51 2004 : Debug: security: reject_delay = 1
  Fri Sep 10 16:33:51 2004 : Debug: security: status_server = no
  Fri Sep 10 16:33:51 2004 : Debug: main: debug_level = 0
  Fri Sep 10 16:33:51 2004 : Debug: read_config_files: reading dictionary
  Fri Sep 10 16:33:51 2004 : Debug: read_config_files: reading naslist
  Fri Sep 10 16:33:51 2004 : Info: Using deprecated naslist file. Support for this will go away soon.
  Fri Sep 10 16:33:51 2004 : Debug: read_config_files: reading clients
  Fri Sep 10 16:33:51 2004 : Debug: read_config_files: reading realms
  Fri Sep 10 16:33:51 2004 : Debug: radiusd: entering modules setup
  Fri Sep 10 16:33:51 2004 : Debug: Module: Library search path is /usr/local/lib
  Fri Sep 10 16:33:51 2004 : Debug: Module: Loaded expr
  Fri Sep 10 16:33:51 2004 : Debug: Module: Instantiated expr (expr)
  Fri Sep 10 16:33:51 2004 : Debug: Module: Loaded PAP
  Fri Sep 10 16:33:51 2004 : Debug: pap: encryption_scheme = crypt
  Fri Sep 10 16:33:51 2004 : Debug: Module: Instantiated pap (pap)
  Fri Sep 10 16:33:51 2004 : Debug: Module: Loaded CHAP
  Fri Sep 10 16:33:51 2004 : Debug: Module: Instantiated chap (chap)
  Fri Sep 10 16:33:51 2004 : Debug: Module: Loaded MS-CHAP
  Fri Sep 10 16:33:51 2004 : Debug: mschap: use_mppe = yes
  Fri Sep 10 16:33:51 2004 : Debug: mschap: require_encryption = no
  Fri Sep 10 16:33:51 2004 : Debug: mschap: require_strong = no
  Fri Sep 10 16:33:51 2004 : Debug: mschap: with_ntdomain_hack = no
  Fri Sep 10 16:33:51 2004 : Debug: mschap: passwd = (null)
  Fri Sep 10 16:33:51 2004 : Debug: mschap: authtype = MS-CHAP
  Fri Sep 10 16:33:51 2004 : Debug: mschap: ntlm_auth = (null)
  Fri Sep 10 16:33:51 2004 : Debug: Module: Instantiated mschap (mschap)
  Fri Sep 10 16:33:51 2004 : Debug: Module: Loaded eap
  Fri Sep 10 16:33:51 2004 : Debug: RLM_EAP eap_instantiate
  Fri Sep 10 16:33:51 2004 : Debug: eap: default_eap_type = sim
  Fri Sep 10 16:33:51 2004 : Debug: eap: timer_expire = 60
  Fri Sep 10 16:33:51 2004 : Debug: eap: ignore_unknown_eap_types = no
  Fri Sep 10 16:33:51 2004 : Debug: eap: cisco_accounting_username_bug = no
  Fri Sep 10 16:33:51 2004 : Debug: EAP eaptype_load
  Fri Sep 10 16:33:51 2004 : Debug: rlm_eap: Loaded and initialized type md5
  Fri Sep 10 16:33:51 2004 : Debug: EAP eaptype_load
  Fri Sep 10 16:33:51 2004 : Debug: rlm_eap: Loaded
Logging Access-Reject in SQL
Hi group,

Is it possible to get FreeRadius to log Access-Reject in the radpostauth sql table? Any hints are welcome.

\raymond
RE: Class attribute
Dear Alan,

I defined the Class attribute as a string because when I store it in mysql it does not store its ASCII representation.

Below is the output generated by freeradius (debug mode) from startup until it receives the Accounting Request containing the Class attribute (see the bottom of the message).

As I said, if I edit the file /etc/freeradius/dictionary with the line:

  ATTRIBUTE Class 25 string

the Class attribute does not appear in the request as:

  Class = 'whatever_string'

but instead as:

  /usr/lib (Unknown Type 779252325)

However, when I edit the dictionary directly (under /usr/share/freeradius/), everything works as expected.

Thanks for any help,
Alex

==
  Config: including file: /etc/freeradius/proxy.conf
  Config: including file: /etc/freeradius/clients.conf
  Config: including file: /etc/freeradius/snmp.conf
  Config: including file: /etc/freeradius/sql.conf
  main: prefix = /usr
  main: localstatedir = /var
  main: logdir = /var/log/freeradius
  main: libdir = /usr/lib/freeradius
  main: radacctdir = /var/log/freeradius/radacct
  main: hostname_lookups = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = /var/log/freeradius/radius.log
  main: log_auth = yes
  main: log_auth_badpass = yes
  main: log_auth_goodpass = yes
  main: pidfile = /var/run/freeradius/freeradius.pid
  main: user = freerad
  main: group = freerad
  main: usercollide = no
  main: lower_user = no
  main: lower_pass = no
  main: nospace_user = no
  main: nospace_pass = no
  main: checkrad = /usr/sbin/checkrad
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = yes
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
  read_config_files: reading dictionary
  read_config_files: reading naslist
  Using deprecated naslist file. Support for this will go away soon.
  read_config_files: reading clients
  read_config_files: reading realms
  radiusd: entering modules setup
  Module: Library search path is /usr/lib/freeradius
  Module: Loaded expr
  Module: Instantiated expr (expr)
  Module: Loaded PAP
  pap: encryption_scheme = crypt
  Module: Instantiated pap (pap)
  Module: Loaded CHAP
  Module: Instantiated chap (chap)
  Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = no
  mschap: require_strong = no
  mschap: with_ntdomain_hack = no
  mschap: passwd = (null)
  mschap: authtype = MS-CHAP
  mschap: ntlm_auth = (null)
  Module: Instantiated mschap (mschap)
  Module: Loaded System
  unix: cache = no
  unix: passwd = (null)
  unix: shadow = /etc/shadow
  unix: group = (null)
  unix: radwtmp = /var/log/freeradius/radwtmp
  unix: usegroup = no
  unix: cache_reload = 600
  Module: Instantiated unix (unix)
  Module: Loaded eap
  eap: default_eap_type = md5
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
  rlm_eap: Loaded and initialized type md5
  rlm_eap: Loaded and initialized type leap
  Module: Instantiated eap (eap)
  Module: Loaded preprocess
  preprocess: huntgroups = /etc/freeradius/huntgroups
  preprocess: hints = /etc/freeradius/hints
  preprocess: with_ascend_hack = no
  preprocess: ascend_channels_per_line = 23
  preprocess: with_ntdomain_hack = no
  preprocess: with_specialix_jetstream_hack = no
  preprocess: with_cisco_vsa_hack = no
  Module: Instantiated preprocess (preprocess)
  Module: Loaded detail
  detail: detailfile = /var/log/freeradius/radacct/auth-detail-%Y%m%d
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
  Module: Instantiated detail (auth_log)
  Module: Loaded realm
  realm: format = suffix
  realm: delimiter = @
  realm: ignore_default = no
  realm: ignore_null = no
  Module: Instantiated realm (suffix)
  Module: Loaded files
  files: usersfile = /etc/freeradius/users
  files: acctusersfile = /etc/freeradius/acct_users
  files: preproxy_usersfile = /etc/freeradius/preproxy_users
  files: compat = no
  Module: Instantiated files (files)
  Module: Loaded SQL
  sql: driver = rlm_sql_mysql
  sql: server = localhost
  sql: port =
  sql: login = xx
  sql: password = xxx
  sql: radius_db = radius
  sql: acct_table = radacct
  sql: acct_table2 = radacct
  sql: authcheck_table = radcheck
  sql: authreply_table = radreply
  sql: groupcheck_table = radgroupcheck
  sql: groupreply_table = radgroupreply
  sql: usergroup_table = usergroup
  sql: nas_table = nas
  sql: dict_table = dictionary
  sql: sqltrace = yes
  sql: sqltracefile = /var/log/freeradius/sqltrace.sql
  sql: readclients = no
  sql: deletestalesessions = yes
  sql: num_sql_socks = 5
  sql: sql_user_name = %{User-Name}
  sql: default_user_profile =
  sql: query_on_not_found = no
  sql: authorize_check_query = SELECT
Re: LDAP (continued...)
Hello

On Thursday 09 September 2004 19:06, Hugo Sousa wrote:
> My Windows 2000 domain is office.netsystems.pt. The user I'm using is administrator. Is this wrong?
>
>   ldap {
>     server = 192.168.2.1
>     identity = cn=administrator,dc=office,dc=netsystems,dc=pt
>     password = password
>     basedn = dc=office,dc=netsystems,dc=PT
>     filter = (uid=%{Stripped-User-Name:-%{User-Name}})
>     # base_filter = (objectclass=radiusprofile)
>     ()
>   }

Try cn=administrator,cn=users,dc=office,dc=netsystems,dc=pt as the administrator DN (identity).

--
Hugo Chasqueira
Public Key: http://search.keyserver.net:11371/pks/lookup?op=getsearch=0x8BD14B82
RE: Logging Access-Reject in SQL
sure, nothing is impossible. my sql.conf looks something like this:

  # Allow for storing data after authentication
  postauth_table = radpostauth
  postauth_query = INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())

and in radiusd.conf

  post-auth {
    ...
    # See Authentication Logging Queries in sql.conf
    sql
    #
    # Access-Reject packets are sent through the REJECT sub-section
    # of the post-auth section.
    #
    Post-Auth-Type REJECT {
      sql
    }
    ...

Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond Myren
Sent: Friday, September 10, 2004 11:09 AM
To: [EMAIL PROTECTED]
Subject: Logging Access-Reject in SQL

> Is it possible to get FreeRadius to log Access-Reject in the radpostauth sql table? Any hints are welcome.
RE: Logging Access-Reject in SQL
Hi Michael + group,

Thanks! It works great now. I probably just need another cup of coffee...

\raymond

-----Original Message-----
From: Michael Markstaller [mailto:[EMAIL PROTECTED]
Sent: 10 September 2004 11:41
To: [EMAIL PROTECTED]
Subject: RE: Logging Access-Reject in SQL

> sure, nothing is impossible. my sql.conf looks something like this:
> [sql.conf and radiusd.conf excerpts as in Michael's message above]
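Once rejects land in radpostauth as set up in this thread, the rows can be scanned for failed-login bursts. The following is an added example, not code from the thread or from FreeRADIUS; it assumes rows shaped by the posted postauth_query (user, reply, date, with reply holding %{reply:Packet-Type}), reads nothing from the pass column that query also fills, and works on constructed sample rows.

```python
"""Reject-burst triage over radpostauth-style rows.

Added example for the Access-Reject logging thread; not FreeRADIUS code
and not the posters' code. Rows are (user, reply, date) as written by the
posted postauth_query, where reply is %{reply:Packet-Type}, i.e.
"Access-Accept" or "Access-Reject". All sample rows are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows (user, reply, date). The 'pass' column that the
# posted query also fills is deliberately not read anywhere in this script.
SAMPLE_ROWS = [
    ("alice", "Access-Accept", "2004-09-10 11:09:01"),
    ("bob",   "Access-Reject", "2004-09-10 11:09:05"),
    ("bob",   "Access-Reject", "2004-09-10 11:09:07"),
    ("bob",   "Access-Reject", "2004-09-10 11:09:09"),
    ("bob",   "Access-Reject", "2004-09-10 11:09:11"),
    ("bob",   "Access-Reject", "2004-09-10 11:09:13"),
    ("bob",   "Access-Accept", "2004-09-10 11:09:20"),
    ("carol", "Access-Reject", "2004-09-10 11:20:00"),
    ("carol", "Access-Reject", "2004-09-10 11:45:00"),
]

DATE_FMT = "%Y-%m-%d %H:%M:%S"   # MySQL DATETIME text as produced by NOW()


def parse_rows(rows):
    """(user, reply, date) tuples -> (datetime, user, reply), oldest first."""
    parsed = [(datetime.strptime(d, DATE_FMT), u, r) for u, r, d in rows]
    parsed.sort(key=lambda row: row[0])
    return parsed


def reject_bursts(rows, threshold=5, window_minutes=2):
    """Users with at least `threshold` Access-Reject rows inside any span
    of `window_minutes`. Returns {user: peak reject count seen in a window}."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> reject timestamps still inside the window
    flagged = {}
    for when, user, reply in parse_rows(rows):
        if reply != "Access-Reject":
            continue
        q = recent[user]
        q.append(when)
        while when - q[0] > window:   # evict rejects that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


def accept_after_rejects(rows, min_rejects=3, within_minutes=10):
    """Users whose Access-Accept arrives within `within_minutes` of a run of
    at least `min_rejects` rejects: the sequence a lockout policy exists to
    interrupt, so it deserves a second look even though the login succeeded."""
    within = timedelta(minutes=within_minutes)
    streak = defaultdict(list)    # user -> timestamps of the current reject run
    hits = []
    for when, user, reply in parse_rows(rows):
        if reply == "Access-Reject":
            streak[user].append(when)
            continue
        run = streak.pop(user, [])    # any accept ends the run
        if len(run) >= min_rejects and when - run[-1] <= within:
            hits.append(user)
    return hits


if __name__ == "__main__":
    print("reject bursts:", reject_bursts(SAMPLE_ROWS))
    print("accept after rejects:", accept_after_rejects(SAMPLE_ROWS))
```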
Re: rlm_ippool and NAS-Port missing in access-request
On Fri, 10 Sep 2004, Paul Hampson wrote:
> On Thu, Sep 09, 2004 at 05:09:48PM +0200, [EMAIL PROTECTED] wrote:
> > Well, this is exactly what I'd like to do: to build one and to get it working... But I need some help from developers. So who wants to cooperate? Any help/hints are welcome.
> > http://bugs.freeradius.org/show_bug.cgi?id=42
>
> I was thinking about this recently, and maybe a better solution would be a new module, unless you can find a way to make the new module process the old gdbm library?

Why write a new module exactly? The key structure has enough space for storing an md5 result, if that is what you are concerned about.

> People also want a SQL-backed rlm_ippool module, a la rlm_sqlcounter, I suspect.

Why is an SQL version necessary? The rlm_sqlcounter module has no value in 95% of cases. It's useful only in cases with really complicated sql queries. The same goes for the ippool module.

> This might be a good time to introduce rlm_sqlippool, with configurable keys and no legacy hangovers.
>
> If you're after a more generic ippool algorithm, I posted one here a couple of years ago, but Kostas managed to fix the livelock (I think) in rlm_ippool so it wasn't needed. ^_^
>
> --
> Paul TBBle Hampson, on an alternate email client.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: radutmp is not written
Alan,

I searched and found the parameter Port-Limit, but I'd say your NAS has problems, then. I'll check the NAS and also the Access-Request packets.

Thank you for your help!

Markus
Re: Fwd: Re: Wireless authentication via LDAP and PEAP
Sayantan Bhowmick [EMAIL PROTECTED] wrote:
> Novell is working towards making FreeRADIUS work with eDirectory. This will allow eDirectory users to authenticate via FreeRADIUS.

Does eDirectory do CHAP, MS-CHAP, or EAP?

Alan DeKok.
dialupAccess attribute - access denied by default
Does anyone know why this message "dialupAccess attribute - access denied by default" appears?

  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: performing search in dc=office,dc=netsystems,dc=PT, with filter (sAMAccountName=hugo.sousa)
  rlm_ldap: no dialupAccess attribute - access denied by default
  rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns userlock for request 28

Regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal
RE: LDAP (continued...)
Install Windows 2000 Support Tools, if you don't have them installed already. You'll have to check your server CDs or Microsoft's website to find them. Once you have Windows 2000 Support Tools installed, log in to the AD machine as the administrator. Then go to Control Panel, Administrative Tools, Windows 2000 Support Tools, Tools, and finally ADSI Edit. That will give you a view into the LDAP tree of your server.

As suggested in a previous post, it looks like the users are stored in cn=users as default, so if you didn't change anything when you set it up, you may want to just give that a shot.

Hope that is helpful.

Dusty Doris

On Fri, 10 Sep 2004, sousa.hugo wrote:
> I don't have an LDAP browser. It's a simple Windows 2000 Server with AD installed. How can I install the LDAP browser so that my FR works? Please give me an idea :-)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] on behalf of Dustin Doris
> Sent: Fri 9/10/2004 1:27 AM
> To: [EMAIL PROTECTED]
> Subject: RE: LDAP (continued...)
>
> On Thu, 9 Sep 2004, sousa.hugo wrote:
> > I'm using the Domain ADMINISTRATOR account, so it should have access to everything. I think the problem is in one of these lines:
> >
> >   identity = cn=administrator,dc=office,dc=netsystems,dc=pt
> >   password = password
> >   basedn = dc=office,dc=netsystems,dc=PT
>
> Yes that is where the problem is.
>
> > Is the syntax incorrect? My domain is called office.netsystems.pt.
>
> The syntax is correct. However, are you sure that is the correct info for that user? Do you have access to an ldap browser on that machine that will show the tree for you?
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] on behalf of Dustin Doris
> > Sent: Thu 9/9/2004 7:40 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: LDAP (continued...)
> >
> > > My Windows 2000 domain is office.netsystems.pt. The user I'm using is administrator.
> >
> > Does this user actually exist in your ldap directory with that password? You will need to find a user that exists in your AD that has read access to the part of the tree your users are in.
> >
> > > Is this wrong?
> > >
> > >   ldap {
> > >     server = 192.168.2.1
> > >     identity = cn=administrator,dc=office,dc=netsystems,dc=pt
> > >     password = password
> > >     basedn = dc=office,dc=netsystems,dc=PT
> > >     filter = (uid=%{Stripped-User-Name:-%{User-Name}})
> > >     # base_filter = (objectclass=radiusprofile)
> > >     (.)
> > >   }
> > >
> > > Something is wrong because I'm getting:
> > >
> > >   rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
> > >   rlm_ldap: (re)connection attempt failed
> > >   rlm_ldap: search failed
> > >   rlm_ldap: ldap_release_conn: Release Id: 0
> > >   modcall[authorize]: module ldap returns fail for request 0
> > >
> > > What should I change to correct this problem? Thanks.
> > >
> > > Regards,
> > > Hugo Sousa
Re: getting dialup user statistics
Milver S. Nisay [EMAIL PROTECTED] wrote:
> is there a freeradius script that gets statistics from a NAS besides from radwho?

radwho doesn't get statistics from the NAS. It gets the statistics from the radutmp file. To query the NAS, see checkrad.

Alan DeKok.
Re: Class attribute
Lopez, A. [EMAIL PROTECTED] wrote:
> As I said, if I edit the file /etc/freeradius/dictionary with the line:
>
>   ATTRIBUTE Class 25 string
>
> the Class attribute does not appear in the request as:
>
>   Class = 'whatever_string'
>
> But instead:
>
>   /usr/lib (Unknown Type 779252325)
>
> However, when I edit directly the dictionary (under /usr/share/freeradius/) everything works as expected.

Wild. I have no idea why that error message comes up on your system, but I've found what looks to be the underlying problem, and committed the fix. It will be in 1.0.1, and any later release.

Alan DeKok.
Re: dialupAccess attribute - access denied by default
On Fri, 10 Sep 2004, Hugo Sousa wrote:
> Does anyone know why this message "dialupAccess attribute - access denied by default" appears?
>
>   rlm_ldap: ldap_get_conn: Checking Id: 0
>   rlm_ldap: ldap_get_conn: Got Id: 0
>   rlm_ldap: performing search in dc=office,dc=netsystems,dc=PT, with filter (sAMAccountName=hugo.sousa)
>   rlm_ldap: no dialupAccess attribute - access denied by default

Does that answer your question? Please also read doc/rlm_ldap. In general, comment out the access_attribute directive in radiusd.conf.

>   rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module ldap returns userlock for request 28
>
> Regards,
> Hugo Sousa
> SysAdmin / NetworkAdmin
> http://www.netsystems.pt
> Portugal

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: FreeRADIUS - 802.1x WPA-TKIP, WPA2-AES settings
Timolthy Keithy [EMAIL PROTECTED] wrote:
> Are there any step-by-step instructions on how to build the RADIUS server for WPA and WPA2 (802.11a/b/g)?

http://www.freeradius.org/doc/

> And would it be possible to install the RADIUS server separate from the DHCP server? If yes, how?

FreeRADIUS has no connection to any DHCP server. They are always completely independent.

Alan DeKok.
RE: LDAP (continued...)
Problem solved. I downloaded an LDAP browser from SOFTerra and saw all the info that I need. The correct one is:

  CN=Administrator,CN=Users,DC=office,DC=netsystems,DC=pt

Regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dustin Doris
Sent: Friday, 10 September 2004 15:59
To: [EMAIL PROTECTED]
Subject: RE: LDAP (continued...)

> Install Windows 2000 Support Tools, if you don't have them installed already.
> [rest of Dustin's message and the earlier exchange as quoted above]
Re: dialupAccess attribute - access denied by default
On Fri, 10 Sep 2004 15:52:39 +0100 Hugo Sousa [EMAIL PROTECTED] wrote:
> Does anyone know why this message "dialupAccess attribute - access denied by default" appears?

Comment out the line in radiusd.conf with access_attr, restart freeradius and see whether the message appears again.

Tiago Fernandes

>   rlm_ldap: ldap_get_conn: Checking Id: 0
>   rlm_ldap: ldap_get_conn: Got Id: 0
>   rlm_ldap: performing search in dc=office,dc=netsystems,dc=PT, with filter (sAMAccountName=hugo.sousa)
>   rlm_ldap: no dialupAccess attribute - access denied by default
>   rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module ldap returns userlock for request 28
>
> Regards,
> Hugo Sousa
> SysAdmin / NetworkAdmin
> http://www.netsystems.pt
> Portugal
Radius groups per device
ver. freeradius-0.7.1

I have been researching for a week or two and have come up blank. I would like to create a group in /etc/group that the radius server will recognize. This is for our VPN. The purpose being that if a user is in the group they are allowed access to the VPN; if not, they can still use radius auth for dial-up. We are using a Cisco 3000 VPN Concentrator.

Thanks,
-Mike

Michael Gleissner *RHCE*
Network Specialist
(847) 925-6831
William Rainey Harper College
1200 W. Algonquin Rd.
Palatine, IL 60067
Re: Radius groups per device
Michael Gleissner [EMAIL PROTECTED] wrote:
> ver. freeradius-0.7.1

Hmm... I suggest upgrading to 1.0.0.

> I would like to create a group in /etc/group that the radius server will recognize. This is for our VPN. The purpose being that if a user is in the group they are allowed access to the VPN if not they can still use radius auth for dial-up. We are using a Cisco 3000 VPN Concentrator.

The server will read unix groups, see the FAQ. I don't think 0.7.1 will do non-unix groups. 1.0.0 will, though.

Alan DeKok.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Continuing my quest to integrate freeradius with Active Directory, here goes another problem! Did anyone already have this problem?

  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for hugo.sousa
  radius_xlat: '(sAMAccountName=hugo.sousa)'
  radius_xlat: 'dc=office,dc=netsystems,dc=PT'
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: performing search in dc=office,dc=netsystems,dc=PT, with filter (sAMAccountName=hugo.sousa)
  rlm_ldap: looking for check items in directory...
  rlm_ldap: looking for reply items in directory...
  rlm_ldap: user hugo.sousa authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 7
  modcall: group authorize returns updated for request 7
  rad_check_password: Found Auth-Type EAP
  auth: type EAP
  Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
  modcall: entering group Auth-Type for request 7
  rlm_mschap: No User-Password configured. Cannot create LM-Password.
  rlm_mschap: No User-Password configured. Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for hugo.sousa with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 7
  modcall: group Auth-Type returns reject for request 7
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 7
  modcall: group authenticate returns reject for request 7
  auth: Failed to validate the user.
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE

Regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal
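Debug output like the above is what this list works from, and the useful facts in it are the per-request module results and the FAILED lines. The following added example (not FreeRADIUS code and not from the thread) condenses such output into that summary; its input is a constructed subset of the lines in the post above.

```python
"""Summarise module outcomes per request from FreeRADIUS `radiusd -X` output.

Added example for this thread, not FreeRADIUS code. It keys on the
"modcall[SECTION]: module NAME returns CODE for request N" and
"rlm_NAME: FAILED: ..." lines that 1.0-era debug output prints. The
sample below is a constructed subset of the lines posted in the thread.
"""
import re

SAMPLE_LOG = """\
rlm_ldap: user hugo.sousa authorized to use remote access
modcall[authorize]: module ldap returns ok for request 7
modcall: group authorize returns updated for request 7
rlm_eap: EAP/mschapv2
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 7
modcall[authenticate]: module eap returns reject for request 7
auth: Failed to validate the user.
"""

MODCALL_RE = re.compile(r"^modcall\[(\w+)\]: module (\S+) returns (\S+) for request (\d+)$")
FAILED_RE = re.compile(r"^rlm_(\w+): FAILED: (.+)$")


def summarise(log_text):
    """Return {request_id: {"modules": [(section, module, code), ...],
                            "failures": [(module, reason), ...]}}.

    FAILED lines carry no request id, so each is attributed to the request
    named by the next modcall line that follows it (the module that failed
    reports its return code right after the FAILED message)."""
    requests = {}
    pending_failures = []
    for line in log_text.splitlines():
        line = line.strip()
        m = FAILED_RE.match(line)
        if m:
            pending_failures.append((m.group(1), m.group(2)))
            continue
        m = MODCALL_RE.match(line)
        if not m:
            continue   # "modcall: group ..." and other chatter are skipped
        section, module, code, req = m.groups()
        entry = requests.setdefault(int(req), {"modules": [], "failures": []})
        entry["modules"].append((section, module, code))
        entry["failures"].extend(pending_failures)
        pending_failures = []
    return requests


def first_failure(summary, req):
    """The earliest FAILED reason recorded for a request, or None."""
    failures = summary.get(req, {}).get("failures", [])
    return failures[0][1] if failures else None


def rejecting_modules(summary, req):
    """Modules that returned reject for the request, in order of appearance."""
    return [mod for _, mod, code in summary.get(req, {}).get("modules", []) if code == "reject"]


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for req in sorted(s):
        print(req, rejecting_modules(s, req), first_failure(s, req))
```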
Fwd: Re: Wireless authentication via LDAP and PEAP
> [EMAIL PROTECTED] 9/9/2004 10:59:31 PM
> Hi,
> Novell is working towards making FreeRADIUS work with eDirectory. This will allow eDirectory users to authenticate via FreeRADIUS.
> regards
> Sayantan

Hmm... We can do that already. Just use EAP-TTLS/PAP and have freeradius authenticate via an LDAP bind rather than a password compare. It works great for me.
Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
For the type of configuration you're trying to use (PEAP/EAP-MSCHAPv2 with Active Directory), you'll need to use the ntlm_auth hooks in the mschap module.

--Mike

On Fri, 2004-09-10 at 11:12, Hugo Sousa wrote:
> Continuing my quest to integrate freeradius with Active Directory here goes another problem! Did anyone already had this problem?
> [debug output as in Hugo's post above]

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Are you talking about this:

#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

There is no other way to perform authentication on the Domain Controller?

Regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Friday, 10 September 2004 17:30
To: [EMAIL PROTECTED]
Subject: Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

For the type of configuration you're trying to use (PEAP/EAP-MSCHAPv2 with Active Directory), you'll need to use the ntlm_auth hooks in the mschap module.

--Mike

On Fri, 2004-09-10 at 11:12, Hugo Sousa wrote:

Continuing my quest to integrate freeradius with Active Directory, here goes another problem! Did anyone already have this problem?

rlm_ldap: - authorize
rlm_ldap: performing user authorization for hugo.sousa
radius_xlat: '(sAMAccountName=hugo.sousa)'
radius_xlat: 'dc=office,dc=netsystems,dc=PT'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=office,dc=netsystems,dc=PT, with filter (sAMAccountName=hugo.sousa)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user hugo.sousa authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for hugo.sousa with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 7
modcall: group Auth-Type returns reject for request 7
rlm_eap: Freeing handler
modcall[authenticate]: module eap returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE

Regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_sql support for safe-characters
Hi, I notice that in 1.0.0 the safe-characters configuration item in postgresql.conf doesn't do anything. Or maybe I'm doing something wrong. I added a comma, but the comma in the value of Wispr-Location-Name is substituted by =2C in the radacct table. This is what I have added in postgresql.conf:

safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /,

I know that Michael Griego has been working on the rlm_sql module to make it more flexible for multiple groups etc... In what version of freeradius is it expected that the safe-characters configuration will be supported?

-- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql support for safe-characters
On Fri, 10 Sep 2004, Thor Spruyt wrote:

Hi, I notice that in 1.0.0 the safe-characters configuration item in postgresql.conf doesn't do anything. Or maybe I'm doing something wrong. I added a comma, but the comma in the value of Wispr-Location-Name is substituted by =2C in the radacct table. This is what I have added in postgresql.conf:

safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /,

It should work in 1.0.0. What do you see in debug mode for the safe-characters value? This feature is independent of the sql driver.

I know that Michael Griego has been working on the rlm_sql module to make it more flexible for multiple groups etc... In what version of freeradius is it expected that the safe-characters configuration will be supported?

-- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
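To make concrete what the safe-characters setting does (an added example, not FreeRADIUS's own code): rlm_sql runs every %{...} expansion through an escaping step before the value is spliced into the query text, and any character not listed in safe-characters is written as "=" followed by its two hex digits, which is where the =2C for a comma comes from. The Python model below reproduces that escaping, adds the inverse for reading stored values back out, and includes a check worth running on any customised safe-characters string: this escaping is the only thing standing between an attribute value chosen by the peer (User-Name, Called-Station-Id, Wispr-Location-Name) and the SQL statement, so quote and backslash characters must never be declared safe. The location string is a constructed sample.

```python
# Added example (not FreeRADIUS code): a Python model of the escaping that
# rlm_sql applies to every %{...} expansion before it is put into a query.
# Characters not listed in safe-characters are replaced by "=XX" (hex).

DEFAULT_SAFE_CHARACTERS = (
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
)

# Characters that must never be declared safe: each one lets a peer-chosen
# attribute value break out of the quoted literal in the query.  This list is
# the author's recommendation, not something rlm_sql enforces.
NEVER_SAFE = set("'\"\\;")


def sql_escape(value, safe_characters=DEFAULT_SAFE_CHARACTERS):
    """Escape value the way rlm_sql does: keep safe characters, hex-encode the rest."""
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x80 and chr(byte) in safe_characters:
            out.append(chr(byte))
        else:
            out.append("=%02X" % byte)
    return "".join(out)


def sql_unescape(escaped):
    """Reverse sql_escape, e.g. when reading radacct rows back for reporting.

    Unambiguous as long as "=" itself is not in the safe set (it is not by
    default).  A "=" not followed by two hex digits is passed through as-is.
    """
    raw = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] == "=" and i + 3 <= len(escaped):
            try:
                raw.append(int(escaped[i + 1:i + 3], 16))
                i += 3
                continue
            except ValueError:
                pass
        raw.extend(escaped[i].encode("utf-8"))
        i += 1
    return raw.decode("utf-8")


def check_safe_characters(safe_characters):
    """Return the characters in a proposed safe-characters value that defeat the escaping."""
    return sorted(NEVER_SAFE.intersection(safe_characters))


if __name__ == "__main__":
    location = "Cafe Central, Brussels"          # constructed Wispr-Location-Name
    print(sql_escape(location))                  # Cafe Central=2C Brussels
    print(sql_escape(location, DEFAULT_SAFE_CHARACTERS + ","))   # comma kept
    print(check_safe_characters(DEFAULT_SAFE_CHARACTERS + ",'"))  # ["'"]
```

Adding "," to the safe set is harmless; adding "'" would turn every attribute a NAS forwards into an injection vector, which is why the check above refuses it.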
RE: Orinoco AP2000 - Logout Entry Has Wrong ID?
All,

I may have solved the problem below, but I now think it has caused another. When I first installed FreeRadius, I noticed that my AP2000 units did not send the Account-Session-Time variable back in the stop packets. I assume that this is just a feature of the Orinoco APs to not report session time. To alleviate that problem, I had taken the Accounting On/Off SQL statement and replaced the Accounting Update statement with it. The reason I did this was because the Accounting On/Off SQL statement used (logout time - login time) to figure Account-Session-Time rather than expecting it back from the NAS. This indeed solved my session time issues, and sessions began reporting the proper time. But I think doing this caused the problem below somehow. Once I changed it back to the original Accounting Update statement (the one expecting the Account-Session-Time variable), the "Wrong ID" problem went away. Well, it didn't go away, but at least the active sessions are now still in place and I'm not dropping users.

So I guess my question is now: how do I get Account-Session-Times when my NAS devices do not report this variable? Is there an easy way to do this? I assumed a simple modification to the SQL statement to figure (logout time - login time) would do the trick, but I could be wrong.

Also, my radius logs report every user connection on port 0. However, in the database everyone is coming in on port 2. Would this have something to do with the "Port 2 Wrong ID" issue below?

Thank you!
Brian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Sumpter
Sent: Friday, September 03, 2004 1:09 PM
To: [EMAIL PROTECTED]
Subject: Orinoco AP2000 - Logout Entry Has Wrong ID?

Hello everyone!

I've been banging my head against a wall for several days now trying to figure out a problem I'm having with AP-2000 units and FreeRadius. I have 5 AP-2000 units in the field, all upgraded to the latest firmware (2.4.11). I've set everything up to do both Radius authentication and accounting. Everything works fine, actually, to a point. The accounting part of all this is about to drive me insane.

First the basics. I'm running the latest stable release of FreeRadius, using MySQL for both authentication and accounting. This is all running on a RedHat 8.0 machine. The authentication part of the system is working like gangbusters, and I haven't found a problem anywhere within that part of the system. All my problems seem to come from the accounting side of things.

I'm getting these errors in the logs from a few of the AP units:

Error: rlm_radutmp: Logout entry for NAS Reaves Hill 2.4 port 2 has wrong ID

When this happens, the server no longer shows anyone on that particular AP as being logged on, although they are according to the APs themselves. After a few minutes they will slowly come back as "Logged On" as they re-authenticate, but the errors come back up in the logs again and clear everyone off.

I do have a couple of AP units that are not exhibiting this behavior, and I've found the common denominator. The AP units that appear to work properly only have one user per AP. I never have the accounting errors from those APs, and session times are working as expected. But if I connect another client to them, sure enough I get the error and accounting stats go down the tubes again. I'm WAG that the AP units are assigning different ports to the users as other clients connect than what was reported in the start packets. I think this is what is confusing everything and causing me grief.

Is there any way to get a unique accounting packet without relying on the Port ID from the AP (Session-ID, maybe)? Has anyone else noticed these problems when using AP-2000 units with FreeRadius? If I need to supply more information, just let me know what you need and I'll post it.

Thank you!
Brian
Re: rlm_sql support for safe-characters
Kostas Kalevras wrote: It should work in 1.0.0. What do you see in debug mode for the safe-characters value? This feature is independent of sql driver. Huh... I was editing the configuration file of a server that doesn't do sql accounting. I now edited the correct configuration file and it works like a charm :) -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS - 802.1x WPA-TKIP, WPA2-AES settings
hi Are there any instruction, step-by-step on how to build the RADIUS server for WPA and WPA2 (802.11a/b/g). yes, there are. today, it should work out of the box (well, there is no box, but still). the good news from the pov of the radius server is that all these things you mentioned are transparent for it; the AP has to do a/b/g and WPA/WPA2 from the keying information received from the server (that may be kind of half true, because at least WPA2 is not yet released and thus half ready). in any case, if you have an AP you bought recently, it should work with FR directly. And would there be possible to install the RADIUS server separate from DHCP server? if yes, how to? hmm? yes, the two instances have no relation to each other whatsoever. you install the first and then the second. just for the case: no, it is NOT possible to assign IP addresses by 802.1X; you have to do DHCP after the authentication (yes, it is strange). the Client is Windows XP, which has support for 802.1x client. true, and it should work, PEAP/MS-CHAPv2 and TLS are supported by FR. ciao artur - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Implementation question
I apologize for asking this question but I haven't been able to find the answer in the FAQs or anything on Freeradius. I am looking to implement this for my college because the Microsoft solution is kinda ugly. I have two domains on my network, one for faculty/staff and the other for students. Is there a way I can have Freeradius authenticate against one domain and if it fails, try the other? The MS solution involves 2 radius servers and one radius proxy, meaning 3 computers, one of which appears to have to be Windows 2003, which I don't want to use. I am also considering manually entering the users on the radius box itself. Any configuration suggestions? Thanks, Ron Ron Nutter [EMAIL PROTECTED] Network Manager Information Technology Services (502)863-7002 Georgetown College Georgetown, KY 40324-1696 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Orinoco AP2000 - Logout Entry Has Wrong ID?
Brian Sumpter [EMAIL PROTECTED] wrote: So I guess my question is now how do I get Account-Session-Times when my NAS devices do not report this variable? In general, if the NAS doesn't send information, you can't log it. In this case, the server does have the time when it received the start packet, and the time when it received the stop packet. It can theoretically calculate the difference, and use it a the Acct-Session-Time. Is there an easy way to do this? I assumed a simple modification to the SQL statement to figure (logout time - login time) would do the trick, but I could be wrong. Maybe. Also, my radius logs report every user connection on port 0. However, in the database everyone is coming in on port 2. Would this have something to do with the Port 2 Wrong ID issue below? Probably. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Hugo Sousa [EMAIL PROTECTED] wrote: Are you talking about this: #ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} Yes. There is no other way to perform authentication on the Domain Controller ? No. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
But if the domain controller uses LDAP, why do we have to use LDAP and after that ntlm_auth??? I just want to understand why. Btw... (I'm already compiling Samba to have nmbd, etc.)

Regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, 10 September 2004 19:10
To: [EMAIL PROTECTED]
Subject: Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Hugo Sousa [EMAIL PROTECTED] wrote:

Are you talking about this:

#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Yes.

There is no other way to perform authentication on the Domain Controller?

No.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cant Get Called Number
Ugur GUNCER [EMAIL PROTECTED] wrote:

I tried to get the called number from the Cisco-AVPair attribute with '%{Cisco-AVPair}',

There are multiple Cisco-AVPair attributes in the packet, and 1.0.0 can only look at the first. In the current CVS snapshots, see 'doc/variables.txt' for how to refer to 1 of N attributes in a packet.

And %{gw-rxd-cdn=ton:2,npi:1,#:},

If you have cisco_with_vsa_hack set, and gw-rxd-cdn is defined as an attribute in one of the dictionaries, then %{gw-rxd-cdn} should work to get the whole value of the attribute.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
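An added example (not FreeRADIUS code) of the parsing problem behind Alan's reply: a single Access-Request from a Cisco gateway carries several Cisco-AVPair attributes, each of the form key=value, and the called number sits inside the value of gw-rxd-cdn after "#:". A packet therefore has to be treated as an ordered list of attributes rather than a name-to-value map, otherwise only one Cisco-AVPair survives, which is exactly the "only the first" limitation above. Python, with a constructed attribute list; the values are illustrative, not captured traffic.

```python
# Added example (not FreeRADIUS code): extracting one value from a packet
# that carries several Cisco-AVPair attributes.  cisco_with_vsa_hack makes the
# server do this kind of key=value splitting itself; this shows what it does.


def cisco_avpairs(attributes):
    """Yield (key, value) for every Cisco-AVPair in a list of (name, value) pairs.

    The packet is an ordered list because the same attribute occurs many
    times; a dict keyed on attribute name would silently keep only one.
    A Cisco-AVPair without "=" yields value None.
    """
    for name, value in attributes:
        if name != "Cisco-AVPair":
            continue
        key, sep, val = value.partition("=")
        yield key.strip(), (val.strip() if sep else None)


def parse_cdn(value):
    """Parse a gw-rxd-cdn value such as 'ton:2,npi:1,#:5551234' into a dict."""
    fields = {}
    for item in value.split(","):
        k, sep, v = item.partition(":")
        if sep:
            fields[k.strip()] = v.strip()
    return fields


def called_number(attributes):
    """Return the called number (the '#' field of gw-rxd-cdn), or None if absent/empty."""
    for key, val in cisco_avpairs(attributes):
        if key == "gw-rxd-cdn" and val is not None:
            return parse_cdn(val).get("#") or None
    return None


# Constructed Access-Request attribute list; the duplicate Cisco-AVPair
# entries and their ordering are the point of the example.
SAMPLE_REQUEST = [
    ("User-Name", "5551234"),
    ("Cisco-AVPair", "h323-conf-id=ABCD1234 00000000 00000000 00000000"),
    ("Cisco-AVPair", "gw-rxd-cdn=ton:2,npi:1,#:5551234"),
    ("Cisco-AVPair", "gw-rxd-cgn=ton:0,npi:0,#:5559876"),
]

if __name__ == "__main__":
    print(called_number(SAMPLE_REQUEST))   # 5551234
```

With %{Cisco-AVPair} alone the server would have seen only the h323-conf-id pair here and never reached gw-rxd-cdn; indexing the N-th instance, or letting the server split the pairs into dictionary attributes as Alan suggests, is what makes the lookup deterministic.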
Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Hugo Sousa [EMAIL PROTECTED] wrote: But if the domain controller uses LDAP, why do we have to use LDAP and after that ntlm_auth ??? Because Active Directory isn't LDAP in the same way that other LDAP servers are LDAP. You can't get NT-Passwords from AD, you can get it from other LDAP servers. Therefore, you can't get FreeRADIUS to compare a known good password to the password in the Access-Request, you've got to use something else. In this case, NT domain authentication does MS-CHAP, so FreeRADIUS can use ntlm_auth to do MS-CHAP to the NT domain, and thus authenticate the user. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
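As an added illustration (not FreeRADIUS or Samba code) of the arrangement Alan describes: rlm_mschap never gets a password or NT hash it could verify the MS-CHAPv2 response against, so it hands the challenge hash and NT-Response to Samba's ntlm_auth, which asks the domain controller through a winbindd that has been joined to the domain and, because of --request-nt-key, prints back the NT hash the server still needs to derive the MPPE keys. The Python below builds the same command line as the ntlm_auth setting quoted earlier in the thread and interprets the result the way rlm_mschap does (exit status 0 and a line starting "NT_KEY: "). The ntlm_auth path is an assumption, the sample outputs are constructed, and the hash in the success sample is a made-up value for the demonstration.

```python
# Added example (not FreeRADIUS or Samba code): how rlm_mschap delegates the
# MS-CHAPv2 check to Samba's ntlm_auth when no NT hash is available locally,
# which is the Active Directory case.
import subprocess


class NtlmAuthError(Exception):
    """ntlm_auth rejected the response or returned something unparseable."""


def build_ntlm_auth_argv(username, challenge, nt_response, domain=None,
                         ntlm_auth="/usr/bin/ntlm_auth"):
    """Command line for ntlm_auth --request-nt-key.

    challenge is the 8-byte MS-CHAPv2 challenge hash and nt_response the
    24-byte NT-Response, i.e. what %{mschap:Challenge} and
    %{mschap:NT-Response} expand to.  The binary path is an assumption.
    """
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("challenge must be 8 bytes and NT-Response 24 bytes")
    argv = [
        ntlm_auth,
        "--request-nt-key",
        "--username=" + username,
        "--challenge=" + challenge.hex(),
        "--nt-response=" + nt_response.hex(),
    ]
    if domain:
        argv.append("--domain=" + domain)
    return argv


def parse_ntlm_auth_output(stdout, returncode):
    """Turn ntlm_auth's result into the 16-byte NT key, or raise NtlmAuthError.

    A non-zero exit means the domain controller rejected the response; the
    first output line then carries the NT_STATUS reason, which is worth
    logging because "wrong password" and "account locked" need different
    operator responses.
    """
    if returncode != 0:
        text = stdout.strip()
        raise NtlmAuthError(text.splitlines()[0] if text else "exit status %d" % returncode)
    for line in stdout.splitlines():
        if line.startswith("NT_KEY: "):
            key_hex = line[len("NT_KEY: "):].strip()
            if len(key_hex) != 32:
                raise NtlmAuthError("malformed NT_KEY line: %r" % line)
            return bytes.fromhex(key_hex)
    raise NtlmAuthError("ntlm_auth succeeded but printed no NT_KEY line")


def check_mschapv2(username, challenge, nt_response, domain=None,
                   ntlm_auth="/usr/bin/ntlm_auth"):
    """Run ntlm_auth and return the NT key (needed for the MPPE key derivation)."""
    argv = build_ntlm_auth_argv(username, challenge, nt_response, domain, ntlm_auth)
    proc = subprocess.run(argv, capture_output=True, text=True)
    return parse_ntlm_auth_output(proc.stdout, proc.returncode)


if __name__ == "__main__":
    # Constructed samples of what ntlm_auth prints; no domain controller involved.
    print(parse_ntlm_auth_output("NT_KEY: 00112233445566778899AABBCCDDEEFF\n", 0).hex())
    try:
        parse_ntlm_auth_output("NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)\n", 1)
    except NtlmAuthError as err:
        print("rejected:", err)
```

Two operational checks follow from this design: the user radiusd runs as must be allowed to talk to winbindd's privileged pipe (otherwise ntlm_auth fails for every user regardless of password), and the LDAP module adds nothing to the password check itself, which is why it can be dropped entirely when no check or reply attributes are kept in the directory.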
Re: Implementation question
Ronald I. Nutter [EMAIL PROTECTED] wrote: Is there a way I can have Freeradius authenticate against one domain and if it fails, try the other ? Not really. But you CAN see if a user exists in one domain, and if not, check the other domain. Once you know the user exists, and what his password is, authentication is independent of domain. MS solution involves 2 radius servers and one radius proxy, meaning 3 computers one of which appears to have to be windows 2003 which I don't want to use. You can do exactly the same thing with FreeRADIUS, but run all of the servers on one machine, just using different ports. I am also considering manually entering the users on the radius box itself. Any configuration suggestions ? If there are a lot of users, an SQL or LDAP database would be best. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Implementation question
Alan: Thanks for the reply. Where can I found out more details on how to do this ? Didn't see that much with the FAQ or readmes on the freeradius web site. Ron Ron Nutter [EMAIL PROTECTED] Network Manager Information Technology Services(502)863-7002 Georgetown College Georgetown, KY40324-1696 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: Friday, September 10, 2004 2:23 PM To: [EMAIL PROTECTED] Subject: Re: Implementation question Ronald I. Nutter [EMAIL PROTECTED] wrote: Is there a way I can have Freeradius authenticate against one domain and if it fails, try the other ? Not really. But you CAN see if a user exists in one domain, and if not, check the other domain. Once you know the user exists, and what his password is, authentication is independent of domain. MS solution involves 2 radius servers and one radius proxy, meaning 3 computers one of which appears to have to be windows 2003 which I don't want to use. You can do exactly the same thing with FreeRADIUS, but run all of the servers on one machine, just using different ports. I am also considering manually entering the users on the radius box itself. Any configuration suggestions ? If there are a lot of users, an SQL or LDAP database would be best. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius groups per device
I ended up using the huntgroups file to do this (i.e.):

Juniper-M-Series    NAS-IP-Address == 10.1.1.20
                    User-Name = sally

Then in my users file:

DEFAULT    Huntgroup-Name == Juniper-M-Series
           Auth-Type := LDAP, Fall-Through = No

This gave me the ability to let sally auth on the Juniper-M but login on everything else. Do a man on the huntgroups and users files. Hope this helps...

Robert

On Fri, Sep 10, 2004 at 10:22:52AM -0500, Michael Gleissner wrote:

ver. freeradius-0.7.1

I have been researching for a week or two and have come up blank. I would like to create a group in /etc/group that the radius server will recognize. This is for our VPN. The purpose being that if a user is in the group they are allowed access to the VPN; if not, they can still use radius auth for dial-up. We are using a Cisco 3000 VPN Concentrator.

Thanks,
-Mike

* Michael Gleissner *RHCE* Network Specialist (847) 925-6831 William Rainey Harper College 1200 W. Algonquin Rd. Palatine, IL 60067 *

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Does that mean that I don't need to use the LDAP modules on FreeRadius and use only the ntlm_auth? Is is enough? Regards, Hugo Sousa SysAdmin / NetworkAdmin http://www.netsystems.pt Portugal -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: sexta-feira, 10 de Setembro de 2004 19:21 To: [EMAIL PROTECTED] Subject: Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect Hugo Sousa [EMAIL PROTECTED] wrote: But if the domain controller uses LDAP, why do we have to use LDAP and after that ntlm_auth ??? Because Active Directory isn't LDAP in the same way that other LDAP servers are LDAP. You can't get NT-Passwords from AD, you can get it from other LDAP servers. Therefore, you can't get FreeRADIUS to compare a known good password to the password in the Access-Request, you've got to use something else. In this case, NT domain authentication does MS-CHAP, so FreeRADIUS can use ntlm_auth to do MS-CHAP to the NT domain, and thus authenticate the user. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Hugo Sousa [EMAIL PROTECTED] wrote: Does that mean that I don't need to use the LDAP modules on FreeRadius and use only the ntlm_auth? Is is enough? That depends on what you're trying to do. If you're not storing user information in LDAP, you don't need to run LDAP. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Implementation question
Ronald I. Nutter [EMAIL PROTECTED] wrote: Thanks for the reply. Where can I found out more details on how to do this ? Didn't see that much with the FAQ or readmes on the freeradius web site. There's no documentation describing how to configure the server for your site. Instead, there's documentation which describes how to configure the server to do different things. I suggest reading the files in doc/ and raddb/, to see how the functionality provided there maps to what you want to do. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
I'm storing user information on the Windowze Active Directory, ONLY. So, LDAP doesn't apply, right ??? Regards, Hugo Sousa SysAdmin / NetworkAdmin http://www.netsystems.pt Portugal -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: sexta-feira, 10 de Setembro de 2004 19:51 To: [EMAIL PROTECTED] Subject: Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect Hugo Sousa [EMAIL PROTECTED] wrote: Does that mean that I don't need to use the LDAP modules on FreeRadius and use only the ntlm_auth? Is is enough? That depends on what you're trying to do. If you're not storing user information in LDAP, you don't need to run LDAP. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
MySQL tables
I'm installing FreeRadius version 1.0.0 and I've only used 0.9.3 with sql. The new version has an additional table called nas. From what I read, this can be used in place of the clients file (or clients.conf). However, the table doesn't reference IP/DNS name of the client at all. How does it work and where can I find details on the fields of this table? I can't find any documentation for this on the website or in the list archives. I'd really like to use this if this is what it can be used for. Thank you in advance for your help, Dickon... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Orinoco AP2000 - Logout Entry Has Wrong ID?
I know Alan responded to this already, but I'll inject some notes as well.

On Fri, 2004-09-10 at 12:07, Brian Sumpter wrote:

When I first installed FreeRadius, I noticed that my AP2000 units did not send the Account-Session-Time variable back in the stop packets. I assume that this is just a feature of the Orinoco APs to not report session time.

This is indeed true of the screwed up RADIUS implementation on the AP-2000s. They do not report session time with the Account-Session-Time attribute. They expect you to calculate it after-the-fact based on the Start and Stop packet times. Oh well, it's doable.

I assumed a simple modification to the SQL statement to figure (logout time - login time) would do the trick, but I could be wrong.

Like Alan said, this is probably doable.

Also, my radius logs report every user connection on port 0. However, in the database everyone is coming in on port 2. Would this have something to do with the "Port 2 Wrong ID" issue below?

This is another feature of the APs. For some reason, they do not take the time to report the correct port in the Access Request packets. They simply set it to 0. This is quite annoying. You do, however, get the Called-Station-Id in the Access Request packets. You DON'T get the Called-Station-Id in the ACCOUNTING packets (very annoying), however you *do* get the correct Port ID. FYI, port 2 is the card in slot A, port 9 is the card in slot B, and ports 3-8, 10-15 are any WDS virtual ports for repeater-type environments. Anyway, the fact that it does this should not affect anything in the accounting, as autz/auth and accounting are totally separate functions. It's just a large annoyance.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
To simply answer your question, if you're not storing any sort of Access Allowed/Denied attribute in AD (iow, all your users are allowed to auth to RADIUS), and you're not pulling any supplemental check/reply RADIUS attributes from LDAP, then no, you don't need the LDAP module. For what you're doing, you probably do not need it based on what you're saying. --Mike On Fri, 2004-09-10 at 13:50, Hugo Sousa wrote: I'm storing user information on the Windowze Active Directory, ONLY. So, LDAP doesn't apply, right ??? Regards, Hugo Sousa SysAdmin / NetworkAdmin http://www.netsystems.pt Portugal -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: sexta-feira, 10 de Setembro de 2004 19:51 To: [EMAIL PROTECTED] Subject: Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect Hugo Sousa [EMAIL PROTECTED] wrote: Does that mean that I don't need to use the LDAP modules on FreeRadius and use only the ntlm_auth? Is is enough? That depends on what you're trying to do. If you're not storing user information in LDAP, you don't need to run LDAP. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- --Mike --- Michael Griego Wireless LAN Project Manager The University of Texas at Dallas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Orinoco AP2000 - Logout Entry Has Wrong ID?
Michael Griego wrote: This is indeed true of the screwed up RADIUS implementation on the AP-2000s. They do not report session time with the Account-Session-Time attribute. They expect you to calculate it after-the-fact based on the Start and Stop packet times. Oh well, it's doable. This is another feature of the APs. For some reason, they do not take the time to report the correct port in the Access Request packets. They simply set it to 0. This is quite annoying. You do, however, get the Called-Station-Id in the Access Request packets. You DON'T get the Called-Station-Id in the ACCOUNTING packets (very annoying), however you *do* get the correct Port ID. FYI, port 2 is the card in slot A, port 9 is the card in slot B, and ports 3-8, 10-15 are any WDS virtual ports for repeater-type environments. Anyway, the fact that it does this should not affect anything in the account as autz/auth and accounting are totally seperate functions. It's just a large annoyance. Luckily I don't use this device :) You might consider reporting your issues to the manufacturer. If they don't want to do anything about it, then you might consider throwing them out :) -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Orinoco AP2000 - Logout Entry Has Wrong ID?
Luckily I don't use this device :) Yes, you are lucky. You might consider reporting your issues to the manufacturer. I've hounded them on actual problems in their RADIUS implementation (Session-Timeout not working as advertised, etc) as well as other problems with their products on numerous occasions. Doing that proved so problematic (vendor was inept at recreating the errors, was not responsive, etc) that I decided to live with what we have for the time being and work around it. It was no longer worth it to hound them, they didn't listen. If they don't want to do anything about it, then you might consider throwing them out :) That requires money. :) We have a significant investment in their equipment at the moment, however we're making efforts to move away as soon as it's fiscally possible. Anyway, any more discussion on this should be taken off list. I'd be happy to talk to anyone about the specifics if they want to email me directly. -- --Mike --- Michael Griego Wireless LAN Project Manager The University of Texas at Dallas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Auth Type Digest Not found
I installed freeradius-0.9.1 to work with SER. They gave a test example to add a user in the users file with the following contents:

test    Auth-Type := Digest, User-Password == "test"
        Reply-Message = "Hello, test with digest"

But when I run radius with radiusd -X, it gives the following error:

/usr/local/etc/raddb/users[75]: Parse error (check) for entry test: Unknown value Digest for attribute Auth-Type
Errors reading /usr/local/etc/raddb/users
radiusd.conf[921]: files: Module instantiation failed.

Any idea about this?

Thanks,
Jawad

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MySQL tables
I see that in the Oracle database tables, the nas table has ipaddr as a field, but not in MySQL. Does this mean that MySQL's nas table is not yet supported in FreeRadius? Dickon... Dickon Newman wrote: I'm installing FreeRadius version 1.0.0 and I've only used 0.9.3 with sql. The new version has an additional table called nas. From what I read, this can be used in place of the clients file (or clients.conf). However, the table doesn't reference the IP/DNS name of the client at all. How does it work and where can I find details on the fields of this table? I can't find any documentation for this on the website or in the list archives. I'd really like to use this if this is what it can be used for. Thank you in advance for your help, Dickon... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Orinoco AP2000 - Logout Entry Has Wrong ID?
Michael Griego [EMAIL PROTECTED] wrote: Anyway, any more discussion on this should be taken off list. I'd be happy to talk to anyone about the specifics if they want to email me directly. File a bug report on bugs.freeradius.org. Include a short description of features that have to be added to any RADIUS server (not just FreeRADIUS) to work with the AP. Name the AP by manufacturer, and model. Then, wait for google to index it, and watch when the manufacturer notices that people start asking questions about why their AP doesn't do RADIUS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Auth Type Digest Not found
jawad bokhari [EMAIL PROTECTED] wrote: They gave a test example to add a user in users file with following contents: testAuth-Type := Digest, User-Password == test Reply-Message = Hello, test with digest But when I run radius with radiusd -X, it gives following error: /usr/local/etc/raddb/users[75]: Parse error (check) for entry test: Unknown value Digest for attribute Did you list the digest module in the authorize section? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MySQL tables
Sorry to bother everyone, but I think I've found a solution. I added a field called ipaddr after shortname and radius debugging said it loaded the client from the tables, but set the secret to be the field port. So I removed the field type thus shifting all the others up...and now the debugging shows the secret correctly. On testing, the client was allowed to use this radius server. I hope everyone sees these messages as helpful, not useless clutter! Sorry... Dickon... Dickon Newman wrote: I see that in Oracle database tables, the nas table has ipaddr as a field, but not in MySQL. Does this mean that MySQL's nas table is not yet support in FreeRadius? Dickon... Dickon Newman wrote: I'm installing FreeRadius version 1.0.0 and I've only used 0.9.3 with sql. The new version has an additional table called nas. From what I read, this can be used in place of the clients file (or clients.conf). However, the table doesn't reference IP/DNS name of the client at all. How does it work and where can I find details on the fields of this table? I can't find any documentation for this on the website or in the list archives. I'd really like to use this if this is what it can be used for. Thank you in advance for your help, Dickon... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Executing External Program
Hi, I am trying to execute a program before authentication so I could deny access if it is on a calling station number ban list in MySQL. But the script is not being executed. What seems to be the problem?

radiusd.conf:

exec test {
        wait = yes
        program = "/usr/local/bin/php -f /scriptest/test.php"
        input_pairs = request
        output_pairs = reply
        packet_type = Access-Request
}

Test.php:

<?php
ob_start();
$clientcallingstation = $_ENV['CALLING_STATION_ID'];
$calledstationid = $_ENV['CALLED_STATION_ID'];
ob_end_clean();

// log to txt
function logtotxt($somecontent) {
    $filename = 'log.txt';
    $handle = fopen($filename, 'a');
    fwrite($handle, $somecontent);
    fclose($handle);
}

logtotxt("Script Was Executed");

// Make a test
if (!empty($clientcallingstation) && !empty($calledstationid)) {
    logtotxt("$clientcallingstation:$calledstationid");
    $retval = 0;
} else {
    // otherwise reject
    $retval = 1;
}
exit($retval);
?>
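An rlm_exec check script in the same spirit, as an added example (not the poster's script and not FreeRADIUS's own code): it reads the CALLING_STATION_ID environment variable that rlm_exec sets from the request's Calling-Station-Id, normalises the number, compares it against a ban list, and exits 0 to continue or 1 to reject. The ban list is a constructed in-memory set standing in for the poster's MySQL table, and the function names are assumptions of mine.

```python
#!/usr/bin/env python3
"""rlm_exec check script: reject an Access-Request whose
Calling-Station-Id is on a ban list.  Added example; the ban list
is constructed inline and stands in for the poster's MySQL table."""
import os
import sys

# Constructed sample ban list, stored already normalised (digits only)
# so the lookup does not depend on how the NAS formats the number.
BANNED_CALLING_STATIONS = {"9065550100", "2125550123"}


def normalise_station_id(value):
    """Keep only the digits of a calling number.

    A NAS may send '906-555-0100', '9065550100' or '+1 906 555 0100';
    comparing raw strings would let a banned caller through on a
    formatting difference alone.
    """
    return "".join(ch for ch in value if ch.isdigit())


def is_banned(calling_station, banlist=BANNED_CALLING_STATIONS):
    """True when the normalised calling number is on the ban list."""
    key = normalise_station_id(calling_station)
    return bool(key) and key in banlist


def decide(env, banlist=BANNED_CALLING_STATIONS):
    """Return the exit status for rlm_exec: 0 = continue, 1 = reject.

    rlm_exec exports each request attribute as an environment variable
    with the name upper-cased and '-' replaced by '_', so
    Calling-Station-Id arrives as CALLING_STATION_ID.  A request with
    no usable calling number is rejected (fail closed, my choice here)
    so a NAS that omits the attribute cannot sidestep the list.
    """
    calling = env.get("CALLING_STATION_ID", "")
    if not normalise_station_id(calling):
        return 1
    return 1 if is_banned(calling, banlist) else 0


if __name__ == "__main__":
    # With wait = yes the exit status decides; a non-zero status
    # is treated as a reject, as the posted PHP script also assumes.
    sys.exit(decide(os.environ))
```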
RE: Orinoco AP2000 - Logout Entry Has Wrong ID?
All,

I appreciate the help everyone has provided on this. At least now I know it isn't just me! I've been banging my head against a wall on this one for a week and come to find out it's a problem with the AP's themselves. Good stuff to know. :)

I've altered the accounting_stop_query in sql.conf to the following in an attempt to log session times (since Orinoco doesn't think that it is important to have them):

--
accounting_stop_query = "UPDATE ${acct_table2}
        SET AcctStopTime = '%S',
            AcctSessionTime = unix_timestamp('%S') - unix_timestamp(AcctStartTime),
            AcctInputOctets = '%{Acct-Input-Octets}',
            AcctOutputOctets = '%{Acct-Output-Octets}',
            AcctTerminateCause = '%{Acct-Terminate-Cause}',
            AcctStopDelay = '%{Acct-Delay-Time}',
            ConnectInfo_stop = '%{Connect-Info}'
        WHERE AcctSessionId = '%{Acct-Session-Id}'
          AND UserName = '%{SQL-User-Name}'
          AND NASIPAddress = '%{NAS-IP-Address}'"
--

This statement appears to be working properly, and I'm now getting session times when I log in and out. I'm still watching the logs to make sure I don't have any more of the disappearing users I had from using the other statement (accounting_on_off). As of now no users have disappeared -- I'll let everyone know if it happens again.

At this point everything appears to be working properly. Other than the occasional Wrong ID error in the logs, everything looks fine.

On a separate note, what do other WISPs use for the following Radius settings in their AP units?

AUTH SECTION: Authorization Lifetime (0=disable, 900-43200 seconds)
ACCT SECTION: Accounting Inactivity Timer (minutes)

Currently, I have the Authorization Lifetime set to 0 (disable), and the Accounting Inactivity Timer set to 60 minutes. I'm not sure what would be best for these settings. What do others find the most useful here?

Thanks again for all the help.
Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Friday, September 10, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: RE: Orinoco AP2000 - Logout Entry Has Wrong ID?

I know Alan responded to this already, but I'll inject some notes as well.

On Fri, 2004-09-10 at 12:07, Brian Sumpter wrote:
> When I first installed FreeRadius, I noticed that my AP2000 units did not send the Account-Session-Time variable back in the stop packets. I assume that this is just a feature of the Orinoco AP's to not report session time.

This is indeed true of the screwed up RADIUS implementation on the AP-2000s. They do not report session time with the Account-Session-Time attribute. They expect you to calculate it after-the-fact based on the Start and Stop packet times. Oh well, it's doable.

> I assumed a simple modification to the SQL statement to figure (logout time - login time) would do the trick, but I could be wrong.

Like Alan said, this is probably doable.

> Also, my radius logs report every user connection on port 0. However, in the database everyone is coming in on port 2. Would this have something to do with the Port 2 Wrong ID issue below?

This is another feature of the APs. For some reason, they do not take the time to report the correct port in the Access Request packets. They simply set it to 0. This is quite annoying. You do, however, get the Called-Station-Id in the Access Request packets. You DON'T get the Called-Station-Id in the ACCOUNTING packets (very annoying), however you *do* get the correct Port ID. FYI, port 2 is the card in slot A, port 9 is the card in slot B, and ports 3-8, 10-15 are any WDS virtual ports for repeater-type environments. Anyway, the fact that it does this should not affect anything in the accounting as autz/auth and accounting are totally separate functions. It's just a large annoyance.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
RE: Orinoco AP2000 - Logout Entry Has Wrong ID?
On Fri, 2004-09-10 at 15:34, Brian Sumpter wrote:
> Currently, I have the Authorization Lifetime set to 0 (disable), and the Accounting Inactivity Timer set to 60 minutes. I'm not sure what would be best for these settings. What do others find the most useful here?

See docs/misc-nas. If you're not using the 2.4.11 firmware, it won't let you set anything less than 2 hours for authorization lifetime. I personally set the autz lifetime to 15 minutes to force reauth of the users and leave the inactivity timer at the default 5 minutes. The autz lifetime isn't as much of a deal on the Proxims since they have a rekeying interval as well. So, you can set the rekeying interval, and the AP will continue to provide dynamic keys without forcing reauthentication. I set the autz lifetime to that, though, because there are times when I need to block people (viruses tearing up the network and such), so I use the reauth sequence to catch them and take them off the network.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
CHAP PAP
Greetings,

I have a problem with FR1.0.0 and chap/pap.

Knowns:
FreeBSD 4.7-RELEASE
FreeRadius 1.0.0 (downloaded today, not CVS)
National dialup provider sending both PAP and CHAP requests.

Problem:
I have 2 types of authentication... those in the users file (for chap and local pap when attributes have to be returned) and those in the unix password file. The problem I am having is when the national provider sends a CHAP password. It generates the following error:

Fri Sep 10 17:04:54 2004 : Auth: rlm_unix: Attribute User-Password is required for authentication. Cannot use CHAP-Password.

Debug output:

rad_recv: Access-Request packet from host 216.126.204.150:32813, id=67, length=136
        NAS-IP-Address = 63.152.3.17
        User-Name = [EMAIL PROTECTED]
        CHAP-Password = 0x01e954782973979c56336c6a5df5bf4ebc
        Called-Station-Id = 9069840005
        Calling-Station-Id = 9066438271
        NAS-Port = 13677
        NAS-Port-Type = Async
        Framed-Protocol = PPP
        Service-Type = Framed-User
        X-Ascend-PreSession-Time = 38
        X-Ascend-Xmit-Rate = 50667
        X-Ascend-Data-Rate = 24000
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
    users: Matched DEFAULT at 527
    users: Matched DEFAULT at 546
    users: Matched DEFAULT at 553
  modcall[authorize]: module files returns ok for request 2
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 2
  modcall[authorize]: module mschap returns noop for request 2
    rlm_realm: Looking up realm netonecom.net for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm netonecom.net
    rlm_realm: Adding Stripped-User-Name = tstandrew
    rlm_realm: Proxying request from user tstandrew to realm netonecom.net
    rlm_realm: Adding Realm = netonecom.net
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 2
modcall: group authorize returns ok for request 2
rad_check_password: Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 2
  rlm_chap: login attempt by tstandrew with CHAP password
  rlm_chap: Could not find clear text password for user tstandrew
  modcall[authenticate]: module chap returns invalid for request 2
modcall: group Auth-Type returns invalid for request 2
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [EMAIL PROTECTED]/CHAP-Password] (from client ikano port 13677 cli 9066438271)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request

This is on a live server (emergency repair! old files and 3 sets of backups toast). Any help would be appreciated!

--
William Ragsdale                    http://www.netonecom.net
Server Administrator                Office Hours
NetOne Communications, Inc.         Work: 231-734-2917 10AM - 7PM
2186 US 10                          FAX: 231-734-6395
Sears, MI 49679
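To make the failure above concrete, here is the check a RADIUS server has to perform for CHAP, as an added example (not FreeRADIUS's rlm_chap code; function names and sample values are mine): the server recomputes MD5 over the CHAP ident, the clear-text password and the challenge, so a backend that only holds a one-way hash of the password, as the unix password file does, has nothing it can feed into that computation.

```python
"""RADIUS CHAP check (RFC 1994; attribute layout from RFC 2865 section 5.3).
Added example, not FreeRADIUS's rlm_chap; names and sample values are mine."""
import hashlib
import hmac
import os


def chap_response(ident, password, challenge):
    """MD5(ident || password || challenge); 'ident' is one octet."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident, password, challenge):
    """What the NAS sends as CHAP-Password: CHAP Ident followed by the
    16-octet response (17 octets, the shape of the 0x01e954... value
    in the debug output above)."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password, challenge, cleartext_password):
    """Server side.  The server has to recompute the same MD5, so it
    needs the clear-text password: a one-way hash from the unix
    password file gives it nothing to feed into MD5(), which is why
    rlm_unix can only answer 'Cannot use CHAP-Password'.  'challenge'
    is the CHAP-Challenge attribute or, when the NAS omits it, the
    16-octet Request Authenticator."""
    if len(chap_password) != 17:      # ident + 16 octets, else malformed
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)   # constant-time compare


def demo():
    """Constructed exchange: NAS challenge, client response, server check
    against the clear text it has on file (e.g. User-Password in users).
    Returns (genuine response accepted, wrong password rejected)."""
    challenge = os.urandom(16)        # stands in for the Request Authenticator
    attr = build_chap_password(0x01, b"correct-horse", challenge)
    return (verify_chap(attr, challenge, b"correct-horse"),
            verify_chap(attr, challenge, b"wrong-password"))
```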