Fwd: Re: Wireless authentication via LDAP and PEAP

2004-09-10 Thread Sayantan Bhowmick
Hi,
  Novell is working towards making FreeRADIUS work with eDirectory.
This will allow eDirectory users to authenticate via FreeRADIUS.
regards
Sayantan 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_ippool and NAS-Port missing in access-request

2004-09-10 Thread Paul Hampson
On Thu, Sep 09, 2004 at 05:09:48PM +0200, [EMAIL PROTECTED] wrote:
 Well, this is exactly what I'd like to do: to build one and to get it
 working... But I need some help from developers. So who wants to cooperate?
 Any help/hints are welcome

http://bugs.freeradius.org/show_bug.cgi?id=42

I was thinking about this recently, and maybe a better solution would be
a new module, unless you can find a way to make the new module process
the old gdbm library?

People also want a SQL-backended rlm_ippool module, ala rlm_sqlcounter
I suspect.

This might be a good time to introduce rlm_sqlippool, with configurable
keys and no legacy hangovers. If you're after a more generic ippool
algorithm, I posted one here a couple of years ago, but Kostas managed
to fix the livelock (I think) in rlm_ippool so it wasn't needed. ^_^

-- 
Paul TBBle Hampson, on an alternate email client.



getting dialup user statistics

2004-09-10 Thread Milver S. Nisay
hi there.
is there a freeradius script that gets statistics from a NAS besides 
radwho?
I would like to create a script that gets who's connected on E1 #1 and E1 #2, is 
that possible?
pls advise.
thanks,
milver nisay 




Wireless authentication via EAP_SIM

2004-09-10 Thread
Hi guys,
Could you please check what is wrong with the eam or
eap sim?
I try to authenticate an EAP SIM user, and wrote a
rlm_sim_map to replace rlm_sim_file.
I got the 3 triplets and added pairs for the 3 triplets.

But when I use eap_client with an 802.1x AP, it fails
to authenticate my connection.
The FreeRADIUS version is 1.0 pre3

Thanks and regards.

The message as following...


$ radiusd -Xxx
Fri Sep 10 16:33:51 2004 : Info: Starting - reading configuration files ...
Fri Sep 10 16:33:51 2004 : Debug: reread_config:  reading radiusd.conf
Fri Sep 10 16:33:51 2004 : Debug: Config:   including file: /usr/local/etc/raddb/clients.conf
Fri Sep 10 16:33:51 2004 : Debug: Config:   including file: /usr/local/etc/raddb/snmp.conf
Fri Sep 10 16:33:51 2004 : Debug: Config:   including file: /usr/local/etc/raddb/sql.conf
Fri Sep 10 16:33:51 2004 : Debug:  main: prefix = /usr/local
Fri Sep 10 16:33:51 2004 : Debug:  main: localstatedir = /usr/local/var
Fri Sep 10 16:33:51 2004 : Debug:  main: logdir = /usr/local/var/log/radius
Fri Sep 10 16:33:51 2004 : Debug:  main: libdir = /usr/local/lib
Fri Sep 10 16:33:51 2004 : Debug:  main: radacctdir = /usr/local/var/log/radius/radacct
Fri Sep 10 16:33:51 2004 : Debug:  main: hostname_lookups = no
Fri Sep 10 16:33:51 2004 : Debug:  main: snmp = no
Fri Sep 10 16:33:51 2004 : Debug:  main: max_request_time = 30
Fri Sep 10 16:33:51 2004 : Debug:  main: cleanup_delay = 5
Fri Sep 10 16:33:51 2004 : Debug:  main: max_requests = 1024
Fri Sep 10 16:33:51 2004 : Debug:  main: delete_blocked_requests = 0
Fri Sep 10 16:33:51 2004 : Debug:  main: port = 0
Fri Sep 10 16:33:51 2004 : Debug:  main: allow_core_dumps = no
Fri Sep 10 16:33:51 2004 : Debug:  main: log_stripped_names = no
Fri Sep 10 16:33:51 2004 : Debug:  main: log_file = /usr/local/var/log/radius/radius.log
Fri Sep 10 16:33:51 2004 : Debug:  main: log_auth = yes
Fri Sep 10 16:33:51 2004 : Debug:  main: log_auth_badpass = yes
Fri Sep 10 16:33:51 2004 : Debug:  main: log_auth_goodpass = yes
Fri Sep 10 16:33:51 2004 : Debug:  main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
Fri Sep 10 16:33:51 2004 : Debug:  main: user = (null)
Fri Sep 10 16:33:51 2004 : Debug:  main: group = (null)
Fri Sep 10 16:33:51 2004 : Debug:  main: usercollide = no
Fri Sep 10 16:33:51 2004 : Debug:  main: lower_user = no
Fri Sep 10 16:33:51 2004 : Debug:  main: lower_pass = no
Fri Sep 10 16:33:51 2004 : Debug:  main: nospace_user = no
Fri Sep 10 16:33:51 2004 : Debug:  main: nospace_pass = no
Fri Sep 10 16:33:51 2004 : Debug:  main: checkrad = /usr/local/sbin/checkrad
Fri Sep 10 16:33:51 2004 : Debug:  main: proxy_requests = yes
Fri Sep 10 16:33:51 2004 : Debug:  security: max_attributes = 200
Fri Sep 10 16:33:51 2004 : Debug:  security: reject_delay = 1
Fri Sep 10 16:33:51 2004 : Debug:  security: status_server = no
Fri Sep 10 16:33:51 2004 : Debug:  main: debug_level = 0
Fri Sep 10 16:33:51 2004 : Debug: read_config_files:  reading dictionary
Fri Sep 10 16:33:51 2004 : Debug: read_config_files:  reading naslist
Fri Sep 10 16:33:51 2004 : Info: Using deprecated naslist file.  Support for this will go away soon.
Fri Sep 10 16:33:51 2004 : Debug: read_config_files:  reading clients
Fri Sep 10 16:33:51 2004 : Debug: read_config_files:  reading realms
Fri Sep 10 16:33:51 2004 : Debug: radiusd:  entering modules setup
Fri Sep 10 16:33:51 2004 : Debug: Module: Library search path is /usr/local/lib
Fri Sep 10 16:33:51 2004 : Debug: Module: Loaded expr
Fri Sep 10 16:33:51 2004 : Debug: Module: Instantiated expr (expr)
Fri Sep 10 16:33:51 2004 : Debug: Module: Loaded PAP
Fri Sep 10 16:33:51 2004 : Debug:  pap: encryption_scheme = crypt
Fri Sep 10 16:33:51 2004 : Debug: Module: Instantiated pap (pap)
Fri Sep 10 16:33:51 2004 : Debug: Module: Loaded CHAP
Fri Sep 10 16:33:51 2004 : Debug: Module: Instantiated chap (chap)
Fri Sep 10 16:33:51 2004 : Debug: Module: Loaded MS-CHAP
Fri Sep 10 16:33:51 2004 : Debug:  mschap: use_mppe = yes
Fri Sep 10 16:33:51 2004 : Debug:  mschap: require_encryption = no
Fri Sep 10 16:33:51 2004 : Debug:  mschap: require_strong = no
Fri Sep 10 16:33:51 2004 : Debug:  mschap: with_ntdomain_hack = no
Fri Sep 10 16:33:51 2004 : Debug:  mschap: passwd = (null)
Fri Sep 10 16:33:51 2004 : Debug:  mschap: authtype = MS-CHAP
Fri Sep 10 16:33:51 2004 : Debug:  mschap: ntlm_auth = (null)
Fri Sep 10 16:33:51 2004 : Debug: Module: Instantiated mschap (mschap)
Fri Sep 10 16:33:51 2004 : Debug: Module: Loaded eap
Fri Sep 10 16:33:51 2004 : Debug: RLM_EAP eap_instantiate
Fri Sep 10 16:33:51 2004 : Debug:  eap: default_eap_type = sim
Fri Sep 10 16:33:51 2004 : Debug:  eap: timer_expire = 60
Fri Sep 10 16:33:51 2004 : Debug:  eap: ignore_unknown_eap_types = no
Fri Sep 10 16:33:51 2004 : Debug:  eap: cisco_accounting_username_bug = no
Fri Sep 10 16:33:51 2004 : Debug: EAP eaptype_load
Fri Sep 10 16:33:51 2004 : Debug: rlm_eap: Loaded and initialized type md5
Fri Sep 10 16:33:51 2004 : Debug: EAP eaptype_load
Fri Sep 10 16:33:51 2004 : Debug: rlm_eap: Loaded 

Logging Access-Reject in SQL

2004-09-10 Thread Raymond Myren
Hi group,

Is it possible to get FreeRadius to log Access-Reject
in the radpostauth sql table? Any hints are welcome.

\raymond


RE: Class attribute

2004-09-10 Thread Lopez, A.
Dear Alan,
I defined the Class attribute as a string because when I store it in
mysql it does not store its ASCII representation.

Below there is the output generated by freeradius (debug mode) from
startup until it receives the Accounting Request containing the Class
attribute. (See at the bottom of the message).

As I said, if I edit the file /etc/freeradius/dictionary with the line:
ATTRIBUTE Class 25 string
the Class attribute does not appear in the request as:
Class = 'whatever_string'
But instead: 
/usr/lib (Unknown Type 779252325)

However, when I edit directly the dictionary (under
/usr/share/freeradius/) everything works as expected.

Thanks for any help,
Alex

==
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/freeradius/freeradius.pid
 main: user = freerad
 main: group = freerad
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/freeradius/huntgroups
 preprocess: hints = /etc/freeradius/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = /var/log/freeradius/radacct/auth-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/freeradius/users
 files: acctusersfile = /etc/freeradius/acct_users
 files: preproxy_usersfile = /etc/freeradius/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port = 
 sql: login = xx
 sql: password = xxx
 sql: radius_db = radius
 sql: acct_table = radacct
 sql: acct_table2 = radacct
 sql: authcheck_table = radcheck
 sql: authreply_table = radreply
 sql: groupcheck_table = radgroupcheck
 sql: groupreply_table = radgroupreply
 sql: usergroup_table = usergroup
 sql: nas_table = nas
 sql: dict_table = dictionary
 sql: sqltrace = yes
 sql: sqltracefile = /var/log/freeradius/sqltrace.sql
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: default_user_profile = 
 sql: query_on_not_found = no
 sql: authorize_check_query = SELECT 

Re: LDAP (continued...)

2004-09-10 Thread Hugo Chasqueira
Hello

On Thursday 09 September 2004 19:06, Hugo Sousa wrote:
 My Windows 2000 domain is office.netsystems.pt. The user I'm using is
 administrator.

 Is this wrong?


ldap {
 server = 192.168.2.1
 identity = cn=administrator,dc=office,dc=netsystems,dc=pt
 password = password
 basedn = dc=office,dc=netsystems,dc=PT
 filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 # base_filter = (objectclass=radiusprofile)
 ()
 }

Try cn=administrator,cn=users,dc=office,dc=netsystems,dc=pt as the
administrator DN (identity).


--

Hugo Chasqueira

Public Key:
http://search.keyserver.net:11371/pks/lookup?op=getsearch=0x8BD14B82




RE: Logging Access-Reject in SQL

2004-09-10 Thread Michael Markstaller
sure, nothing is impossible. my sql.conf looks something like this:

    # Allow for storing data after authentication
    postauth_table = radpostauth

    postauth_query = INSERT into ${postauth_table} (id, user, pass,
        reply, date) values ('', '%{User-Name}',
        '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())

and in radiusd.conf

post-auth {
    ...
    #  See Authentication Logging Queries in sql.conf
    sql

    #
    #  Access-Reject packets are sent through the REJECT sub-section
    #  of the post-auth section.
    #
    Post-Auth-Type REJECT {
        sql
    }
    ...


Michael


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Raymond Myren
 Sent: Friday, September 10, 2004 11:09 AM
 To: [EMAIL PROTECTED]
 Subject: Logging Access-Reject in SQL
 
 Hi group,
 
 Is it possible to get FreeRadius to log Access-Reject in the 
 radpostauth sql table? Any hints are welcome.
 
 \raymond

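As an added example (not code from the list posts), once Access-Reject results land in radpostauth through the Post-Auth-Type REJECT { sql } block above, the table becomes a detection source; this Python uses sqlite3 as a stand-in for the MySQL table named in sql.conf, constructed sample rows, and the column names from the quoted postauth_query to show two queries a defender would run over it. The pass column is left NULL on purpose, because the quoted query would record the cleartext User-Password.

```python
# Added example, not code from the list posts: emulate the radpostauth
# table that the quoted postauth_query writes to, then run the queries a
# defender would use once Access-Reject results are logged there.
# Assumptions: sqlite3 stands in for the MySQL table named in sql.conf;
# columns (user, pass, reply, date) follow the quoted postauth_query;
# every row inserted below is constructed sample data.
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE radpostauth (
    id    INTEGER PRIMARY KEY AUTOINCREMENT,
    user  TEXT NOT NULL,
    pass  TEXT,            -- left NULL here: the quoted query would store the
                           -- cleartext User-Password, which is a liability
    reply TEXT NOT NULL,   -- %{reply:Packet-Type}: Access-Accept / Access-Reject
    date  TEXT NOT NULL    -- NOW() in the quoted query
)
"""

def open_db():
    """In-memory stand-in for the radius database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def log_postauth(conn, user, packet_type, when):
    """Mirror of the postauth_query INSERT, minus the password column."""
    conn.execute(
        "INSERT INTO radpostauth (user, pass, reply, date) VALUES (?, NULL, ?, ?)",
        (user, packet_type, when.strftime("%Y-%m-%d %H:%M:%S")),
    )

def load_sample(conn):
    """Constructed sample: one normal user, one account being hammered."""
    t0 = datetime(2004, 9, 10, 11, 0, 0)
    log_postauth(conn, "raymond", "Access-Accept", t0)
    log_postauth(conn, "raymond", "Access-Reject", t0 + timedelta(minutes=5))
    log_postauth(conn, "raymond", "Access-Accept", t0 + timedelta(minutes=6))
    for i in range(8):  # eight rejects ten seconds apart
        log_postauth(conn, "hugo.sousa", "Access-Reject",
                     t0 + timedelta(seconds=10 * i))
    log_postauth(conn, "hugo.sousa", "Access-Accept", t0 + timedelta(minutes=3))
    conn.commit()

def reject_counts(conn, since, threshold):
    """Users with at least `threshold` Access-Reject rows at or after `since`
    ("YYYY-MM-DD HH:MM:SS"), with their accept count, most rejects first."""
    rows = conn.execute(
        """
        SELECT user,
               SUM(reply = 'Access-Reject') AS rejects,
               SUM(reply = 'Access-Accept') AS accepts
        FROM radpostauth
        WHERE date >= ?
        GROUP BY user
        HAVING rejects >= ?
        ORDER BY rejects DESC, user
        """,
        (since, threshold),
    ).fetchall()
    return [(u, int(r), int(a)) for u, r, a in rows]

def burst_then_accept(conn, window_seconds, min_rejects):
    """Access-Accept rows preceded by at least `min_rejects` rejects for the
    same user within `window_seconds`: the shape of a guessed password."""
    rows = conn.execute(
        """
        SELECT a.user, COUNT(r.id) AS prior_rejects
        FROM radpostauth a
        JOIN radpostauth r
          ON r.user = a.user AND r.reply = 'Access-Reject'
         AND r.date <= a.date
         AND (julianday(a.date) - julianday(r.date)) * 86400 <= ?
        WHERE a.reply = 'Access-Accept'
        GROUP BY a.id
        HAVING prior_rejects >= ?
        ORDER BY prior_rejects DESC, a.user
        """,
        (window_seconds, min_rejects),
    ).fetchall()
    return [(u, int(n)) for u, n in rows]

if __name__ == "__main__":
    db = open_db()
    load_sample(db)
    print(reject_counts(db, "2004-09-10 11:00:00", 3))
    print(burst_then_accept(db, 300, 3))
```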


RE: Logging Access-Reject in SQL

2004-09-10 Thread Raymond Myren
Hi Michael + group,

Thanks! It works great now. I probably just need another cup of coffee...

\raymond



Re: rlm_ippool and NAS-Port missing in access-request

2004-09-10 Thread Kostas Kalevras
On Fri, 10 Sep 2004, Paul Hampson wrote:

 On Thu, Sep 09, 2004 at 05:09:48PM +0200, [EMAIL PROTECTED] wrote:
  Well, this is exactly what I'd like to do: to build one and to get it
  working... But I need some help from developers. So who wants to cooperate?
  Any help/hints are welcome

 http://bugs.freeradius.org/show_bug.cgi?id=42

 I was thinking about this recently, and maybe a better solution would be
 a new module, unless you can find a way to make the new module process
 the old gdbm library?

Why write a new module exactly? The key structure has enough space for storing an
md5 result if that is what you are concerned about.


 People also want a SQL-backended rlm_ippool module, ala rlm_sqlcounter
 I suspect.

Why is an sql version necessary? The rlm_sqlcounter module has no value in
95% of cases. It's useful only in cases with really complicated sql queries.
The same goes for the ippool module.



 This might be a good time to introduce rlm_sqlippool, with configurable
 keys and no legacy hangovers. If you're after a more generic ippool
 algorithm, I posted one here a couple of years ago, but Kostas managed
 to fix the livelock (I think) in rlm_ippool so it wasn't needed. ^_^



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: radutmp is not written

2004-09-10 Thread markus . winkler
Alan,

 I searched and found the parameter Port-Limit, but

  I'd say your NAS has problems, then.

I'll check the NAS and also the Access-Request packets.

Thank you for your help!

Markus




Re: Fwd: Re: Wireless authentication via LDAP and PEAP

2004-09-10 Thread Alan DeKok
Sayantan Bhowmick [EMAIL PROTECTED] wrote:
   Novell is working towards making FreeRADIUS work with eDirectory.
 This will allow eDirectory users to authenticate via FreeRADIUS.

  Does eDirectory do CHAP, MS-CHAP, or EAP?

  Alan DeKok.



dialupAccess attribute - access denied by default

2004-09-10 Thread Hugo Sousa
Does anyone know why this message "dialupAccess attribute - access denied by default" appears?

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=office,dc=netsystems,dc=PT, with filter (sAMAccountName=hugo.sousa)
rlm_ldap: no dialupAccess attribute - access denied by default
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns userlock for request 28

Regards,

Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal


RE: LDAP (continued...)

2004-09-10 Thread Dustin Doris
Install windows 2000 support tools, if you don't have them installed
already.  You'll have to check your server CDs or microsoft's website to
find them.

Once you have Windows 2000 Support Tools installed login to the AD machine
as the administrator.  Then go to Control Panel, Administrative Tools,
Windows 2000 Support Tools, Tools, and finally ADSI Edit.

That will give you a view into the LDAP tree of your server.  As suggested
in a previous post, it looks like the users are stored in cn=users as
default, so if you didn't change anything when you set it up, you may want
to just give that a shot.


Hope that is helpful.

Dusty Doris

On Fri, 10 Sep 2004, sousa.hugo wrote:

 I don't have an LDAP browser.

 It's a simple Windows 2000 Server with AD installed.

 How can I install the LDAP browser so that my FR works? Please give me an idea :-)

   -Original Message-
   From: [EMAIL PROTECTED] on behalf of Dustin Doris
   Sent: Fri 9/10/2004 1:27 AM
   To: [EMAIL PROTECTED]
   Cc:
   Subject: RE: LDAP (continued...)





   On Thu, 9 Sep 2004, sousa.hugo wrote:

I'm using the Domain ADMINISTRATOR account, so it should have access to 
 everything.
   
I think the problem is in one of these lines:
   
identity = cn=administrator,dc=office,dc=netsystems,dc=pt
password = password
basedn = dc=office,dc=netsystems,dc=PT

   Yes that is where the problem is.
   
Is the syntax incorrect? My domain is called office.netsystems.pt.

   The syntax is correct.  However, are you sure that is the correct info for
   that user?  Do you have access to an ldap browser on that machine that
   will show the tree for you?

   
   
   
  -Original Message-
  From: [EMAIL PROTECTED] on behalf of Dustin Doris
  Sent: Thu 9/9/2004 7:40 PM
  To: [EMAIL PROTECTED]
  Cc:
  Subject: Re: LDAP (continued...)
   
   
   
   
   My Windows 2000 domain is office.netsystems.pt. The user I'm using 
 is
   administrator.
   
  Does this user actually exist in your ldap directory with that 
 password?
  You will need to find a user that exists in your AD that has read 
 access
  to the part of the tree your users are in.
   
  
   Is this wrong?
  
  
 ldap {
   server = 192.168.2.1
   identity = 
 cn=administrator,dc=office,dc=netsystems,dc=pt
   password = password
   basedn = dc=office,dc=netsystems,dc=PT
   filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   # base_filter = (objectclass=radiusprofile)
   (.)
   }
  
  
   Something is wrong because I'm getting:
  
   rlm_ldap: LDAP login failed: check identity, password settings in 
 ldap
   section of radiusd.conf
   rlm_ldap: (re)connection attempt failed
   rlm_ldap: search failed
   rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns fail for request 0
  
  
  
  
   What should I change to correct this problem?
  
   Thanks.
  
  
   Regards,
  
   Hugo Sousa
  
   
   
   
   







Re: getting dialup user statistics

2004-09-10 Thread Alan DeKok
Milver S. Nisay [EMAIL PROTECTED] wrote:
 is there a freeradius script that gets statistics from a NAS besides from 
 radwho?

  radwho doesn't get statistics from the NAS.  It gets the statistics
from the radutmp file.

  To query the NAS, see checkrad.

  Alan DeKok.




Re: Class attribute

2004-09-10 Thread Alan DeKok
Lopez, A. [EMAIL PROTECTED] wrote:
 As I said, if I edit the file /etc/freeradius/dictionary with the line:
 ATTRIBUTE Class 25 string
 the Class attribute does not appear in the request as:
 Class = 'whatever_string'
 But instead:
 /usr/lib (Unknown Type 779252325)
 
 However, when I edit directly the dictionary (under
 /usr/share/freeradius/) everything works as expected.

  Wild.  I have no idea why that error message comes up on your
system, but I've found what looks to be the underlying problem, and
committed the fix.  It will be in 1.0.1, and any later release.

  Alan DeKok.




Re: dialupAccess attribute - access denied by default

2004-09-10 Thread Kostas Kalevras
On Fri, 10 Sep 2004, Hugo Sousa wrote:

 Does anyone know why does this message dialupAccess attribute - access
 denied by default appears?



 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in dc=office,dc=netsystems,dc=PT, with filter
 (sAMAccountName=hugo.sousa)
 rlm_ldap: no dialupAccess attribute - access denied by default

Does that answer your question? Please also read doc/rlm_ldap
In general, comment out the access_attribute directive in radiusd.conf

 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns userlock for request 28

 Regards,

 Hugo Sousa
 SysAdmin / NetworkAdmin
 http://www.netsystems.pt
 Portugal



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: FreeRADIUS - 802.1x WPA-TKIP, WPA2-AES settings

2004-09-10 Thread Alan DeKok
Timolthy Keithy [EMAIL PROTECTED] wrote:
 Are there any instructions, step-by-step, on how to
 build the RADIUS server for WPA and WPA2
 (802.11a/b/g).

  http://www.freeradius.org/doc/

 And would there be possible to install the RADIUS
 server separate from DHCP server? if yes, how to?

  FreeRADIUS has no connection to any DHCP server.  They are always
completely independent.

  Alan DeKok.




RE: LDAP (continued...)

2004-09-10 Thread Hugo Sousa
 
Problem solved. I downloaded LDAP browser from SOFTerra and saw all the info
that I need.

The correct one is: CN=Administrator,CN=Users,DC=office,DC=netsystems,DC=pt

 
Regards,
 
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal



Re: dialupAccess attribute - access denied by default

2004-09-10 Thread Tiago Fernandes
On Fri, 10 Sep 2004 15:52:39 +0100
Hugo Sousa [EMAIL PROTECTED] wrote:

 Does anyone know why does this message dialupAccess attribute - access
 denied by default appears?

Comment out the line in radiusd.conf with access_attr,
restart freeradius and see if the message appears again.

Tiago Fernandes

 
 
 
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in dc=office,dc=netsystems,dc=PT, with filter
 (sAMAccountName=hugo.sousa)
 rlm_ldap: no dialupAccess attribute - access denied by default
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns userlock for request 28
  
 Regards,
  
 Hugo Sousa
 SysAdmin / NetworkAdmin
 http://www.netsystems.pt
 Portugal
 
 




Radius groups per device

2004-09-10 Thread Michael Gleissner
ver.  freeradius-0.7.1
I have been researching for a week or two and have come up blank.
I would like to create a group in /etc/group that the radius server will 
recognize. This is for our VPN. The purpose being that if a user is in the 
group they are allowed access to the VPN if not they can still use radius 
auth for dial-up. We are using a Cisco 3000 VPN Concentrator.

Thanks,
-Mike
*
Michael Gleissner  *RHCE*
Network Specialist
(847) 925-6831
William Rainey Harper College
1200 W. Algonquin Rd.
Palatine, IL 60067
*


Re: Radius groups per device

2004-09-10 Thread Alan DeKok
Michael Gleissner [EMAIL PROTECTED] wrote:
 ver.  freeradius-0.7.1

  Hmm... I suggest upgrading to 1.0.0.

 I would like to create a group in /etc/group that the radius server will 
 recognize. This is for our VPN. The purpose being that if a user is in the 
 group they are allowed access to the VPN if not they can still use radius 
 auth for dial-up. We are using a Cisco 3000 VPN Concentrator.

  The server will read unix groups, see the FAQ.

  I don't think 0.7.1 will do non-unix groups.  1.0.0 will, though.

  Alan DeKok.



rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

2004-09-10 Thread Hugo Sousa
Continuing my quest to integrate freeradius with Active Directory, here goes another problem!

Has anyone already had this problem?

rlm_ldap: - authorize
rlm_ldap: performing user authorization for hugo.sousa
radius_xlat: '(sAMAccountName=hugo.sousa)'
radius_xlat: 'dc=office,dc=netsystems,dc=PT'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=office,dc=netsystems,dc=PT, with filter (sAMAccountName=hugo.sousa)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user hugo.sousa authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 7
modcall: group authorize returns updated for request 7
 rad_check_password: Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/mschapv2
 rlm_eap: processing type mschapv2
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
 rlm_mschap: No User-Password configured. Cannot create LM-Password.
 rlm_mschap: No User-Password configured. Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for hugo.sousa with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
 modcall[authenticate]: module mschap returns reject for request 7
modcall: group Auth-Type returns reject for request 7
 rlm_eap: Freeing handler
 modcall[authenticate]: module eap returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
 PEAP: Tunneled authentication was rejected.
 rlm_eap_peap: FAILURE

Regards,

Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal


Fwd: Re: Wireless authentication via LDAP and PEAP

2004-09-10 Thread David Hart
 [EMAIL PROTECTED] 9/9/2004 10:59:31 PM
 Hi,
   Novell is working towards making FreeRADIUS work with eDirectory.
 This will allow eDirectory users to authenticate via FreeRADIUS.
 regards
 Sayantan

Hmm... We can do that already. Just use EAP-TTLS/PAP and have
freeradius authenticate via an LDAP bind rather than a password compare.
It works great for me.




Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

2004-09-10 Thread Michael Griego
For the type of configuration you're trying to use (PEAP/EAP-MSCHAPv2
with Active Directory), you'll need to use the ntlm_auth hooks in the
mschap module.

--Mike




---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

2004-09-10 Thread Hugo Sousa
Are you talking about this:

#ntlm_auth = /path/to/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

 

There is no other way to perform authentication on the Domain Controller?

Regards,

Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal



rlm_sql support for safe-characters

2004-09-10 Thread Thor Spruyt
Hi,

I notice that in 1.0.0 the safe-characters configuration item in
postgresql.conf doesn't do anything. Or maybe I'm doing something wrong.
I added a comma, but the comma in the value of Wispr-Location-Name is
substituted by =2C in the radacct table.

This is what I have added in postgresql.conf:
safe-characters =
@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /,

I know that Michael Griego has been working on the rlm_sql module to make it
more flexible for multiple groups etc...
In what version of freeradius is it expected that the safe-characters
configuration will be supported?

--
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65




Re: rlm_sql support for safe-characters

2004-09-10 Thread Kostas Kalevras
On Fri, 10 Sep 2004, Thor Spruyt wrote:

 Hi,

 I notice that in 1.0.0 the safe-characters configuration item in
 postgresql.conf doesn't do anything. Or maybe I'm doing something wrong.
 I added a comma, but the comma in the value of Wispr-Location-Name is
 substituted by =2C in the radacct table.

 This is what I have added in postgresql.conf:
 safe-characters =
 @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /,

It should work in 1.0.0. What do you see in debug mode for the safe-characters
value?
This feature is independent of sql driver.




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: Orinoco AP2000 - Logout Entry Has Wrong ID?

2004-09-10 Thread Brian Sumpter
All,

I may have solved the problem below, but I now think it has caused another.

When I first installed FreeRadius, I noticed that my AP2000 units did not send the Account-Session-Time variable back in the stop packets. I assume that this is just a feature of the Orinoco APs to not report session time. To alleviate that problem, I had taken the Accounting On/Off SQL statement and replaced the Accounting Update statement with it. The reason I did this was because the Accounting On/Off SQL statement used (logout time - login time) to figure Account-Session-Time rather than expecting it back from the NAS. This indeed solved my session time issues, and sessions began reporting the proper time.

But I think doing this caused the problem below somehow. Once I changed it back to the original Accounting Update statement (the one expecting the Account-Session-Time variable), the "Wrong ID" problem went away. Well, it didn't go away, but at least the active sessions are now still in place and I'm not dropping users. So I guess my question is now how do I get Account-Session-Times when my NAS devices do not report this variable? Is there an easy way to do this? I assumed a simple modification to the SQL statement to figure (logout time - login time) would do the trick, but I could be wrong.

Also, my radius logs report every user connection on port 0. However, in the database everyone is coming in on port 2. Would this have something to do with the "Port 2 Wrong ID" issue below?

Thank you!

Brian

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Sumpter
Sent: Friday, September 03, 2004 1:09 PM
To: [EMAIL PROTECTED]
Subject: Orinoco AP2000 - Logout Entry Has Wrong ID?

Hello everyone!

I've been banging my head against a wall for several days now trying to figure out a problem I'm having with AP-2000 units and FreeRadius. I have 5 AP-2000 units in the field, all upgraded to the latest firmware (2.4.11). I've set everything up to do both Radius authentication and accounting. Everything works fine actually - to a point. The accounting part of all this is about to drive me insane.

First the basics. I'm running the latest stable release of FreeRadius, using MySQL for both authentication and accounting. This is all running on a RedHat 8.0 machine. The authentication part of the system is working like gangbusters, and I haven't found a problem anywhere within that part of the system. All my problems seem to come from the accounting side of things.

I'm getting these errors in the logs from a few of the AP units:

Error: rlm_radutmp: Logout entry for NAS Reaves Hill 2.4 port 2 has wrong ID

When this happens, the server no longer shows anyone on that particular AP as being logged on, although they are according to the APs themselves. After a few minutes they will slowly come back as "Logged On" as they re-authenticate, but the errors come back up in the logs again and clear everyone off.

I do have a couple of AP units that are not exhibiting this behavior, and I've found the common denominator. The AP units that appear to work properly only have one user per AP - I never have the accounting errors from those APs and session times are working as expected. But if I connect another client to them, sure enough I get the error and accounting stats go down the tubes again.

I'm WAG that the AP units are assigning different ports to the users as other clients connect than what was reported in the start packets. I think this is what is confusing everything and causing me grief. Is there any way to get a unique accounting packet without relying on the Port ID from the AP (Session-ID, maybe)? Has anyone else noticed these problems when using AP-2000 units with FreeRadius?

If I need to supply more information, just let me know what you need and I'll post it.

Thank you!

Brian


Re: rlm_sql support for safe-characters

2004-09-10 Thread Thor Spruyt
Kostas Kalevras wrote:
 It should work in 1.0.0. What do you see in debug mode for the
 safe-characters value?
 This feature is independent of sql driver.

Huh... I was editing the configuration file of a server that doesn't do sql
accounting.
I now edited the correct configuration file and it works like a charm :)

-- 
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65




Re: FreeRADIUS - 802.1x WPA-TKIP, WPA2-AES settings

2004-09-10 Thread Artur Hecker
hi

 Are there any instruction, step-by-step on how to
 build the RADIUS server for WPA and WPA2
 (802.11a/b/g).

yes, there are. today, it should work out of the box (well, there is 
no box, but still).

the good news from the pov of the radius server is that all these things 
you mentioned are transparent for it; the AP has to do a/b/g and 
WPA/WPA2 from the keying information received from the server (that may 
be kind of half true, because at least WPA2 is not yet released and thus 
half ready).

in any case, if you have an AP you bought recently, it should work with 
FR directly.

 And would there be possible to install the RADIUS
 server separate from DHCP server? if yes, how to?

hmm? yes, the two instances have no relation to each other whatsoever. 
you install the first and then the second. just for the case: no, it is 
NOT possible to assign IP addresses by 802.1X; you have to do DHCP after 
the authentication (yes, it is strange).

 the Client is Windows XP, which has support for 802.1x
 client.

true, and it should work, PEAP/MS-CHAPv2 and TLS are supported by FR.
ciao
artur


Implementation question

2004-09-10 Thread Ronald I. Nutter
I apologize for asking this question but I haven't been able to find
the answer in the FAQ's or anything on Freeradius.  I am looking to 
implement this for my college because the microsoft solution is kinda
ugly.  I have two domains on my network, one for faculty/staff and the
other for students.  

Is there a way I can have Freeradius authenticate
against one domain and if it fails, try the other ?  MS solution
involves
2 radius servers and one radius proxy, meaning 3 computers one of which
appears to have to be windows 2003 which I don't want to use.

I am also considering manually entering the users on the radius box
itself.  Any configuration suggestions ?

Thanks,
Ron


Ron Nutter  [EMAIL PROTECTED]
Network Manager
Information Technology Services  (502) 863-7002
Georgetown College
Georgetown, KY 40324-1696


Re: Orinoco AP2000 - Logout Entry Has Wrong ID?

2004-09-10 Thread Alan DeKok
Brian Sumpter [EMAIL PROTECTED] wrote:
 So I guess my question is now how do I get Account-Session-Times
 when my NAS devices do not report this variable?

  In general, if the NAS doesn't send information, you can't log it.

  In this case, the server does have the time when it received the
start packet, and the time when it received the stop packet.  It can
theoretically calculate the difference, and use it as the
Acct-Session-Time.

 Is there an easy way to do this?  I assumed a simple
 modification to the SQL statement to figure (logout time - login time)
 would do the trick, but I could be wrong.

  Maybe.

 Also, my radius logs report every user connection on port 0.  However,
 in the database everyone is coming in on port 2.  Would this have
 something to do with the Port 2 Wrong ID issue below?  

  Probably.

  Alan DeKok.





Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

2004-09-10 Thread Alan DeKok
Hugo Sousa [EMAIL PROTECTED] wrote:
 Are you talking about this:
 
 #ntlm_auth = /path/to/ntlm_auth --request-nt-key
 --username=%{Stripped-User-Name:-%{User-Name:-None}}
 --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

  Yes.

 There is no other way to perform authentication on the Domain Controller ?

 No.

  Alan DeKok.



RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

2004-09-10 Thread Hugo Sousa
But if the domain controller uses LDAP, why do we have to use LDAP and after
that ntlm_auth ??? 

I just want to understand why.

Btw.. (I'm already compiling Samba to have nmbd, etc)

Regards,

Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal



Re: Cant Get Called Number

2004-09-10 Thread Alan DeKok
Ugur GUNCER [EMAIL PROTECTED] wrote:
 I tried to get called number from Cisco-AVPair attribute  
 with   
 , '%{Cisco-AVPair}',

  There are multiple Cisco-AVPair attributes in the packet, and 1.0.0
can only look at the first.  In the current CVS snapshots, see
'doc/variables.txt' for how to refer to 1 of N attributes in a packet.

 And 
 %{gw-rxd-cdn=ton:2,npi:1,#:},

  If you have cisco_with_vsa_hack set, and gw-rxd-cdn is defined
as an attribute in one of the dictionaries, then %{gw-rxd-cdn} should
work to get the whole value of the attribute.

  Alan DeKok.




Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

2004-09-10 Thread Alan DeKok
Hugo Sousa [EMAIL PROTECTED] wrote:
 But if the domain controller uses LDAP, why do we have to use LDAP and after
 that ntlm_auth ??? 

  Because Active Directory isn't LDAP in the same way that other LDAP
servers are LDAP.

  You can't get NT-Passwords from AD, you can get it from other LDAP
servers.  Therefore, you can't get FreeRADIUS to compare a known good
password to the password in the Access-Request, you've got to use
something else.

  In this case, NT domain authentication does MS-CHAP, so FreeRADIUS
can use ntlm_auth to do MS-CHAP to the NT domain, and thus
authenticate the user.

  Alan DeKok.


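To make concrete why the debug log above dies with "No NT/LM-Password. Cannot perform authentication", here is the server-side MS-CHAPv2 check from RFC 2759, written in Go as an added example (not FreeRADIUS or Samba code). It takes the user's NT hash as an input: in Hugo's setup that hash can only be consulted through ntlm_auth asking the domain controller, since AD does not hand it out over LDAP, and the NT-Password attribute name, the nil-hash case and the RFC 2759 section 9.2 test vector are the only things the code assumes beyond the thread.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// challengeHash is ChallengeHash() from RFC 2759 section 8.2: the first 8 bytes
// of SHA-1(PeerChallenge || AuthenticatorChallenge || UserName).
func challengeHash(peerChallenge, authChallenge [16]byte, userName string) [8]byte {
	h := sha1.New()
	h.Write(peerChallenge[:])
	h.Write(authChallenge[:])
	h.Write([]byte(userName))
	var out [8]byte
	copy(out[:], h.Sum(nil)[:8])
	return out
}

// desKeyFrom7 spreads a 7-byte key fragment over 8 bytes, 7 key bits per byte
// with the low bit left for parity (DES ignores the parity bit, so it is 0 here).
func desKeyFrom7(k []byte) []byte {
	return []byte{
		k[0] & 0xFE,
		(k[0]<<7 | k[1]>>1) & 0xFE,
		(k[1]<<6 | k[2]>>2) & 0xFE,
		(k[2]<<5 | k[3]>>3) & 0xFE,
		(k[3]<<4 | k[4]>>4) & 0xFE,
		(k[4]<<3 | k[5]>>5) & 0xFE,
		(k[5]<<2 | k[6]>>6) & 0xFE,
		(k[6] << 1) & 0xFE,
	}
}

// challengeResponse is ChallengeResponse() from RFC 2759 section 8.5: the 16-byte
// NT hash (MD4 of the UTF-16LE password) is zero-padded to 21 bytes, cut into
// three 7-byte DES keys, and each key encrypts the 8-byte challenge hash.
func challengeResponse(challenge [8]byte, ntHash [16]byte) ([24]byte, error) {
	var padded [21]byte
	copy(padded[:], ntHash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		c, err := des.NewCipher(desKeyFrom7(padded[i*7 : i*7+7]))
		if err != nil {
			return resp, err
		}
		c.Encrypt(resp[i*8:i*8+8], challenge[:])
	}
	return resp, nil
}

// VerifyNTResponse is the check a RADIUS server runs on an MS-CHAPv2 response.
// It needs the user's NT hash (a nil ntHash models rlm_mschap's "No NT/LM-Password"
// state); the cleartext password is never needed, but nothing less than the hash will do.
func VerifyNTResponse(userName string, authChallenge, peerChallenge [16]byte,
	ntHash *[16]byte, ntResponse [24]byte) error {
	if ntHash == nil {
		return errors.New("no NT-Password available: cannot perform authentication")
	}
	expected, err := challengeResponse(challengeHash(peerChallenge, authChallenge, userName), *ntHash)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(expected[:], ntResponse[:]) != 1 {
		return errors.New("MS-CHAP2-Response is incorrect")
	}
	return nil
}

// fromHex fills dst from a hex string; test-vector helper only.
func fromHex(dst []byte, s string) {
	b, err := hex.DecodeString(s)
	if err != nil || len(b) != len(dst) {
		panic("bad hex vector: " + s)
	}
	copy(dst, b)
}

func main() {
	// Published test vector from RFC 2759 section 9.2 (user "User", password "clientPass").
	var auth, peer, ntHash [16]byte
	var resp [24]byte
	fromHex(auth[:], "5B5D7C7D7B3F2F3E3C2C602132262628")
	fromHex(peer[:], "21402324255E262A28295F2B3A337C7E")
	fromHex(ntHash[:], "44EBBA8D5312B8D611474411F56989AE")
	fromHex(resp[:], "82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
	fmt.Println("with NT hash:   ", VerifyNTResponse("User", auth, peer, &ntHash, resp))
	fmt.Println("without NT hash:", VerifyNTResponse("User", auth, peer, nil, resp))
}
```

The second call is the situation in Hugo's log: the response from the client is perfectly valid, but with no NT hash on the server side there is nothing to compare it to, which is the gap ntlm_auth fills.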


Re: Implementation question

2004-09-10 Thread Alan DeKok
Ronald I. Nutter [EMAIL PROTECTED] wrote:
 Is there a way I can have Freeradius authenticate
 against one domain and if it fails, try the other ?

  Not really.  But you CAN see if a user exists in one domain, and if
not, check the other domain.  Once you know the user exists, and what
his password is, authentication is independent of domain.

  MS solution involves 2 radius servers and one radius proxy, meaning
 3 computers one of which appears to have to be windows 2003 which I
 don't want to use.

  You can do exactly the same thing with FreeRADIUS, but run all of
the servers on one machine, just using different ports.

 I am also considering manually entering the users on the radius box
 itself.  Any configuration suggestions ?

  If there are a lot of users, an SQL or LDAP database would be best.

  Alan DeKok.




RE: Implementation question

2004-09-10 Thread Ronald I. Nutter
Alan:

Thanks for the reply.  Where can I found out more details on how to do
this ?  Didn't see that much with the FAQ or readmes on the freeradius
web site.

Ron


Ron Nutter  [EMAIL PROTECTED] 
Network Manager
Information Technology Services(502)863-7002
Georgetown College 
Georgetown, KY40324-1696

 



Re: Radius groups per device

2004-09-10 Thread Robert Banniza
I ended up using the huntgroups file to do this (i.e.):

Juniper-M-Series    NAS-IP-Address == 10.1.1.20
                    User-Name = sally

Then in my users file:

DEFAULT Huntgroup-Name == Juniper-M-Series
        Auth-Type := LDAP,
        Fall-Through = No

This gave me the ability to let sally auth on the Juniper-M but
login on everything else. Do a man on huntgroups and users file. Hope
this helps...

Robert

On Fri, Sep 10, 2004 at 10:22:52AM -0500, Michael Gleissner wrote:
 ver.  freeradius-0.7.1
 
 I have been researching for a week or two and have come up blank.
 
 I would like to create a group in /etc/group that the radius server will 
 recognize. This is for our VPN. The purpose being that if a user is in the 
 group they are allowed access to the VPN if not they can still use radius 
 auth for dial-up. We are using a Cisco 3000 VPN Concentrator.
 
 Thanks,
 -Mike
 *
 Michael Gleissner  *RHCE*
 Network Specialist
 (847) 925-6831
 William Rainey Harper College
 1200 W. Algonquin Rd.
 Palatine, IL 60067
 *
 


RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

2004-09-10 Thread Hugo Sousa
Does that mean that I don't need to use the LDAP modules on FreeRadius and
use only the ntlm_auth? Is it enough?

Regards,

Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal



Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

2004-09-10 Thread Alan DeKok
Hugo Sousa [EMAIL PROTECTED] wrote:
 Does that mean that I don't need to use the LDAP modules on FreeRadius and
 use only the ntlm_auth? Is it enough?

  That depends on what you're trying to do.

  If you're not storing user information in LDAP, you don't need to
run LDAP.

  Alan DeKok.




Re: Implementation question

2004-09-10 Thread Alan DeKok
Ronald I. Nutter [EMAIL PROTECTED] wrote:
 Thanks for the reply.  Where can I found out more details on how to do
 this ?  Didn't see that much with the FAQ or readmes on the freeradius
 web site.

  There's no documentation describing how to configure the server for
your site.  Instead, there's documentation which describes how to
configure the server to do different things.

  I suggest reading the files in doc/ and raddb/, to see how the functionality 
provided there maps to what you want to do.

  Alan DeKok.




RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

2004-09-10 Thread Hugo Sousa
I'm storing user information on the Windowze Active Directory, ONLY. 

So, LDAP doesn't apply, right ???


Regards,

Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal



MySQL tables

2004-09-10 Thread Dickon Newman
I'm installing FreeRadius version 1.0.0 and I've only used 0.9.3 with sql.
The new version has an additional table called nas.  From what I read, 
this can be used in place of the clients file (or clients.conf).  
However, the table doesn't reference IP/DNS name of the client at all.  
How does it work and where can I find details on the fields of this table?

I can't find any documentation for this on the website or in the list 
archives.  I'd really like to use this if this is what it can be used for.

Thank you in advance for your help,
Dickon...


RE: Orinoco AP2000 - Logout Entry Has Wrong ID?

2004-09-10 Thread Michael Griego
I know Alan responded to this already, but I'll inject some notes as
well.


On Fri, 2004-09-10 at 12:07, Brian Sumpter wrote:
 When I first installed FreeRadius, I noticed that my AP2000 units did
 not send the Account-Session-Time variable back in the stop packets. 
 I assume that this is just a feature of the Orinoco APs to not
 report session time.

This is indeed true of the screwed up RADIUS implementation on the
AP-2000s.  They do not report session time with the Account-Session-Time
attribute.  They expect you to calculate it after-the-fact based on the
Start and Stop packet times.  Oh well, it's doable.


 I assumed a simple modification to the SQL statement to figure (logout
 time  login time) would do the trick, but I could be wrong.

Like Alan said, this is probably doable.


 Also, my radius logs report every user connection on port 0.  However,
 in the database everyone is coming in on port 2.  Would this have
 something to do with the Port 2 Wrong ID issue below?  

This is another feature of the APs.  For some reason, they do not take
the time to report the correct port in the Access Request packets.  They
simply set it to 0.  This is quite annoying.  You do, however, get the
Called-Station-Id in the Access Request packets.  You DON'T get the
Called-Station-Id in the ACCOUNTING packets (very annoying), however you
*do* get the correct Port ID.  FYI, port 2 is the card in slot A, port 9
is the card in slot B, and ports 3-8, 10-15 are any WDS virtual ports
for repeater-type environments.  Anyway, the fact that it does this
should not affect anything in the account as autz/auth and accounting
are totally separate functions.  It's just a large annoyance.

-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

2004-09-10 Thread Michael Griego
To simply answer your question, if you're not storing any sort of Access
Allowed/Denied attribute in AD (iow, all your users are allowed to auth
to RADIUS), and you're not pulling any supplemental check/reply RADIUS
attributes from LDAP, then no, you don't need the LDAP module.  For what
you're doing, you probably do not need it based on what you're saying.

--Mike



---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Re: Orinoco AP2000 - Logout Entry Has Wrong ID?

2004-09-10 Thread Thor Spruyt
Michael Griego wrote:
 This is indeed true of the screwed up RADIUS implementation on the
 AP-2000s.  They do not report session time with the
 Account-Session-Time attribute.  They expect you to calculate it
 after-the-fact based on the Start and Stop packet times.  Oh well,
 it's doable.

 This is another feature of the APs.  For some reason, they do not
 take the time to report the correct port in the Access Request
 packets.  They simply set it to 0.  This is quite annoying.  You do,
 however, get the Called-Station-Id in the Access Request packets.
 You DON'T get the Called-Station-Id in the ACCOUNTING packets (very
 annoying), however you *do* get the correct Port ID.  FYI, port 2 is
 the card in slot A, port 9 is the card in slot B, and ports 3-8,
 10-15 are any WDS virtual ports for repeater-type environments.
 Anyway, the fact that it does this should not affect anything in the
 account as autz/auth and accounting are totally separate functions.
 It's just a large annoyance.

Luckily I don't use this device :)
You might consider reporting your issues to the manufacturer.
If they don't want to do anything about it, then you might consider throwing
them out :)

-- 
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Orinoco AP2000 - Logout Entry Has Wrong ID?

2004-09-10 Thread Michael Griego
 Luckily I don't use this device :)

Yes, you are lucky.

 You might consider reporting your issues to the manufacturer.

I've hounded them on actual problems in their RADIUS implementation
(Session-Timeout not working as advertised, etc) as well as other
problems with their products on numerous occasions.  Doing that proved
so problematic (vendor was inept at recreating the errors, was not
responsive, etc) that I decided to live with what we have for the time
being and work around it.  It was no longer worth it to hound them, they
didn't listen.

 If they don't want to do anything about it, then you might consider throwing
 them out :)

That requires money.  :)  We have a significant investment in their
equipment at the moment, however we're making efforts to move away as
soon as it's fiscally possible.

Anyway, any more discussion on this should be taken off list.  I'd be
happy to talk to anyone about the specifics if they want to email me
directly.

-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Auth Type Digest Not found

2004-09-10 Thread jawad bokhari
I installed freeradius-0.9.1 to work with SER.


They gave a test example to add a user in users file
with following contents:

test    Auth-Type := Digest, User-Password == "test"
        Reply-Message = "Hello, test with digest"


But when I run radius with radiusd -X, it gives
following error:


/usr/local/etc/raddb/users[75]: Parse error (check)
for entry test: Unknown value Digest for attribute
Auth-Type
Errors reading /usr/local/etc/raddb/users
radiusd.conf[921]: files: Module instantiation failed.



Any idea about this 
Thanks, 

Jawad




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL tables

2004-09-10 Thread Dickon Newman
I see that in the Oracle database tables, the nas table has ipaddr as a 
field, but not in MySQL.  Does this mean that MySQL's nas table is not 
yet supported in FreeRadius?

Dickon...
Dickon Newman wrote:
I'm installing FreeRadius version 1.0.0 and I've only used 0.9.3 with 
sql.

The new version has an additional table called nas.  From what I 
read, this can be used in place of the clients file (or 
clients.conf).  However, the table doesn't reference IP/DNS name of 
the client at all.  How does it work and where can I find details on 
the fields of this table?

I can't find any documentation for this on the website or in the list 
archives.  I'd really like to use this if this is what it can be used 
for.

Thank you in advance for your help,
Dickon...



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Orinoco AP2000 - Logout Entry Has Wrong ID?

2004-09-10 Thread Alan DeKok
Michael Griego [EMAIL PROTECTED] wrote:
 Anyway, any more discussion on this should be taken off list.  I'd be
 happy to talk to anyone about the specifics if they want to email me
 directly.

  File a bug report on bugs.freeradius.org.  Include a short
description of features that have to be added to any RADIUS server
(not just FreeRADIUS) to work with the AP.  Name the AP by
manufacturer, and model.

  Then, wait for google to index it, and watch when the manufacturer
notices that people start asking questions about why their AP doesn't
do RADIUS.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Auth Type Digest Not found

2004-09-10 Thread Alan DeKok
jawad bokhari [EMAIL PROTECTED] wrote:
 They gave a test example to add a user in users file
 with following contents:
 
 test    Auth-Type := Digest, User-Password == "test"
         Reply-Message = "Hello, test with digest"
 
 But when I run radius with radiusd -X, it gives
 following error:
 
 /usr/local/etc/raddb/users[75]: Parse error (check)
 for entry test: Unknown value Digest for attribute

  Did you list the digest module in the authorize section?

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL tables

2004-09-10 Thread Dickon Newman
Sorry to bother everyone, but I think I've found a solution.
I added a field called ipaddr after shortname and radius debugging 
said it loaded the client from the tables, but set the secret to be the 
field port.  So I removed the field type thus shifting all the 
others up...and now the debugging shows the secret correctly.

On testing, the client was allowed to use this radius server.
I hope everyone sees these messages as helpful, not useless clutter!  
Sorry...

Dickon...
Dickon Newman wrote:
I see that in the Oracle database tables, the nas table has ipaddr as a 
field, but not in MySQL.  Does this mean that MySQL's nas table is not 
yet supported in FreeRadius?

Dickon...
Dickon Newman wrote:
I'm installing FreeRadius version 1.0.0 and I've only used 0.9.3 with 
sql.

The new version has an additional table called nas.  From what I 
read, this can be used in place of the clients file (or 
clients.conf).  However, the table doesn't reference IP/DNS name of 
the client at all.  How does it work and where can I find details on 
the fields of this table?

I can't find any documentation for this on the website or in the list 
archives.  I'd really like to use this if this is what it can be used 
for.

Thank you in advance for your help,
Dickon...



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Executing External Program

2004-09-10 Thread armando
Hi, I am trying to execute a program before authentication so I could deny access if it 
is on a calling-station-number ban list in MySQL..

But the script is not being executed.. what seems to be the problem?

radiusd.conf

exec test {
    wait = yes
    program = "/usr/local/bin/php -f /scriptest/test.php"
    input_pairs = request
    output_pairs = reply
    packet_type = Access-Request
}



Test.php

<?php
ob_start();
// rlm_exec exports request attributes as environment variables
// (upper-cased, '-' replaced by '_').  getenv() sees them even when
// php.ini's variables_order leaves $_ENV empty.
$clientcallingstation = getenv('CALLING_STATION_ID');
$calledstationid      = getenv('CALLED_STATION_ID');
ob_end_clean();

// log to txt (path is relative to radiusd's working directory)
function logtotxt($somecontent)
{
    $filename = 'log.txt';
    $handle = fopen($filename, 'a');
    fwrite($handle, $somecontent);
    fclose($handle);
}
logtotxt("Script Was Executed\n");
// Make a test
if (!empty($clientcallingstation) && !empty($calledstationid))
{
    logtotxt("$clientcallingstation:$calledstationid\n");
    $retval = 0;   // exit 0: rlm_exec treats the check as successful
} else {
    // otherwise reject
    $retval = 1;   // non-zero exit: rlm_exec rejects the request
}
exit($retval);
?>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
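An added example (not armando's script and not FreeRADIUS code) of the same ban-list check written in Python, with the attribute-to-environment mapping that rlm_exec performs simulated so the decision logic can be run offline. The ban list and station numbers are constructed stand-ins for the MySQL table; it assumes the `test` exec instance is also listed in the authorize section of radiusd.conf, since an instance that is only defined in the modules section never runs.

```python
#!/usr/bin/env python3
"""Ban-list check for rlm_exec (added example, not the poster's script)."""
import os
import sys

# Constructed stand-in for the MySQL ban table in the post.
BANNED_CALLING_STATIONS = {"5551230000", "5559876543"}


def env_name(attribute: str) -> str:
    """rlm_exec exports each request attribute as an environment variable:
    the name is upper-cased and every '-' becomes '_'
    (Calling-Station-Id -> CALLING_STATION_ID)."""
    return attribute.upper().replace("-", "_")


def request_to_env(pairs: dict) -> dict:
    """Simulate the environment rlm_exec builds from input_pairs = request."""
    return {env_name(name): str(value) for name, value in pairs.items()}


def decide(env, banned=BANNED_CALLING_STATIONS):
    """Return (exit_code, reply_lines).
    rlm_exec treats exit code 0 as success and 1 as reject; with
    output_pairs = reply, each 'Attribute = value' line printed on stdout
    is added to the reply packet."""
    calling = env.get("CALLING_STATION_ID", "")
    called = env.get("CALLED_STATION_ID", "")
    if not calling or not called:
        # The poster rejects when either id is missing; keep that behaviour.
        return 1, []
    if calling in banned:
        return 1, []
    return 0, [f'Reply-Message = "station {calling} accepted on {called}"']


def main() -> int:
    code, lines = decide(os.environ)
    for line in lines:
        print(line)
    if code != 0:
        # Reasons go to stderr so they are never parsed as reply pairs.
        print("ban-list check rejected the request", file=sys.stderr)
    return code


if __name__ == "__main__":
    sys.exit(main())
```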


RE: Orinoco AP2000 - Logout Entry Has Wrong ID?

2004-09-10 Thread Brian Sumpter
All,

I appreciate the help everyone has provided on this.  At least now I
know it isn't just me!  I've been banging my head against a wall on this
one for a week and come to find out it's a problem with the AP's
themselves.  Good stuff to know.  :)

I've altered the accounting_stop_query in sql.conf to the following in
an attempt to log session times (since Orinoco doesn't think that it is
important to have them):


--
accounting_stop_query = "UPDATE ${acct_table2} \
    SET \
        AcctStopTime = '%S', \
        AcctSessionTime = unix_timestamp('%S') - unix_timestamp(AcctStartTime), \
        AcctInputOctets = '%{Acct-Input-Octets}', \
        AcctOutputOctets = '%{Acct-Output-Octets}', \
        AcctTerminateCause = '%{Acct-Terminate-Cause}', \
        AcctStopDelay = '%{Acct-Delay-Time}', \
        ConnectInfo_stop = '%{Connect-Info}' \
    WHERE \
        AcctSessionId = '%{Acct-Session-Id}' \
        AND UserName = '%{SQL-User-Name}' \
        AND NASIPAddress = '%{NAS-IP-Address}';"
--

This statement appears to be working properly, and I'm now getting
session times when I log in and out.  I'm still watching the logs to
make sure I don't have any more of the disappearing users I had from
using the other statement (accounting_on_off).  As of now no users have
disappeared -- I'll let everyone know if it happens again.

At this point everything appears to be working properly.  Other than the
occasional Wrong ID error in the logs, everything looks fine.  

On a separate note, what do other WISPs use for the following RADIUS
settings in their AP units?

AUTH SECTION:  Authorization Lifetime (0=disable, 900-43200 seconds)
ACCT SECTION:  Accounting Inactivity Timer (minutes)

Currently, I have the Authorization Lifetime set to 0 (disable), and the
Accounting Inactivity Timer set to 60 minutes.  I'm not sure what would
be best for these settings.  What do others find the most useful here?

Thanks again for all the help.

Brian

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Michael Griego
Sent: Friday, September 10, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: RE: Orinoco AP2000 - Logout Entry Has Wrong ID?

I know Alan responded to this already, but I'll inject some notes as
well.


On Fri, 2004-09-10 at 12:07, Brian Sumpter wrote:
 When I first installed FreeRadius, I noticed that my AP2000 units did
 not send the Account-Session-Time variable back in the stop packets. 
 I assume that this is just a feature of the Orinoco AP's to not
 report session time.

This is indeed true of the screwed up RADIUS implementation on the
AP-2000s.  They do not report session time with the Account-Session-Time
attribute.  They expect you to calculate it after-the-fact based on the
Start and Stop packet times.  Oh well, it's doable.


 I assumed a simple modification to the SQL statement to figure (logout
 time - login time) would do the trick, but I could be wrong.

Like Alan said, this is probably doable.


 Also, my radius logs report every user connection on port 0.  However,
 in the database everyone is coming in on port 2.  Would this have
 something to do with the Port 2 Wrong ID issue below?  

This is another feature of the APs.  For some reason, they do not take
the time to report the correct port in the Access Request packets.  They
simply set it to 0.  This is quite annoying.  You do, however, get the
Called-Station-Id in the Access Request packets.  You DON'T get the
Called-Station-Id in the ACCOUNTING packets (very annoying), however you
*do* get the correct Port ID.  FYI, port 2 is the card in slot A, port 9
is the card in slot B, and ports 3-8, 10-15 are any WDS virtual ports
for repeater-type environments.  Anyway, the fact that it does this
should not affect anything in the account as autz/auth and accounting
are totally separate functions.  It's just a large annoyance.

-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas







- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Orinoco AP2000 - Logout Entry Has Wrong ID?

2004-09-10 Thread Michael Griego
On Fri, 2004-09-10 at 15:34, Brian Sumpter wrote:
 Currently, I have the Authorization Lifetime set to 0 (disable), and the
 Accounting Inactivity Timer set to 60 minutes.  I'm not sure what would
 be best for these settings.  What do others find the most useful here?

See docs/misc-nas.  If you're not using the 2.4.11 firmware, it won't
let you set anything less than 2 hours for authorization lifetime.  I
personally set the autz lifetime to 15 minutes to force reauth of the
users and leave the inactivity timer at the default 5 minutes.  The autz
lifetime isn't as much of a deal on the Proxims since they have a
rekeying interval as well.  So, you can set the rekeying interval, and
the AP will continue to provide dynamic keys without forcing
reauthentication.  I set the autz lifetime to that, though, because
there are times when I need to block people (viruses tearing up the
network and such), so I use the reauth sequence to catch them and take
them off the network.

-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


CHAP PAP

2004-09-10 Thread William
Greetings,

  I have a problem with FR1.0.0 and chap/pap.

  Knowns:
FreeBSD 4.7-RELEASE
FreeRadius 1.0.0 (downloaded today, not CVS)
National dialup provider sending both PAP & CHAP requests.

  Problem:
  I have 2 types of authentication... those in the users file (for chap and
local pap when attributes have to be returned) and those in the unix
password file.  The problem I am having is when the national provider
sends a CHAP password.  It generates the following error:

Fri Sep 10 17:04:54 2004 : Auth: rlm_unix: Attribute User-Password is required for authentication.  Cannot use CHAP-Password.

Debug output:

rad_recv: Access-Request packet from host 216.126.204.150:32813, id=67, length=136
NAS-IP-Address = 63.152.3.17
User-Name = [EMAIL PROTECTED]
CHAP-Password = 0x01e954782973979c56336c6a5df5bf4ebc
Called-Station-Id = 9069840005
Calling-Station-Id = 9066438271
NAS-Port = 13677
NAS-Port-Type = Async
Framed-Protocol = PPP
Service-Type = Framed-User
X-Ascend-PreSession-Time = 38
X-Ascend-Xmit-Rate = 50667
X-Ascend-Data-Rate = 24000
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
users: Matched DEFAULT at 527
users: Matched DEFAULT at 546
users: Matched DEFAULT at 553
  modcall[authorize]: module files returns ok for request 2
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 2
  modcall[authorize]: module mschap returns noop for request 2
rlm_realm: Looking up realm netonecom.net for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm netonecom.net
rlm_realm: Adding Stripped-User-Name = tstandrew
rlm_realm: Proxying request from user tstandrew to realm netonecom.net
rlm_realm: Adding Realm = netonecom.net
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 2
  rlm_chap: login attempt by tstandrew with CHAP password
  rlm_chap: Could not find clear text password for user tstandrew
  modcall[authenticate]: module chap returns invalid for request 2
modcall: group Auth-Type returns invalid for request 2
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [EMAIL 
PROTECTED]/CHAP-Password] (from client ikano port 13677 cli 9066438271)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request


This is on a live server (emergency repair! old files and 3 sets of backups
toast); any help would be appreciated!
--

·William Ragsdale   ·http://www.netonecom.net
·Server Administrator ·Office Hours ·NetOne Communications, Inc.
·Work: 231-734-2917 10AM - 7PM  ·2186 US 10
·FAX:  231-734-6395 ·Sears, MI  49679


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
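An added example, not FreeRADIUS code, of the check rlm_chap performs and why it fails here: the CHAP response the NAS sends is MD5 over the ident byte, the clear-text password and the challenge, so the server must hold the password itself, while the crypt hashes rlm_unix reads only allow a PAP User-Password to be rehashed and compared. The challenge, password and salt are constructed; the 0x... CHAP-Password value is the one from the debug output above (its challenge, the Request Authenticator, is not shown in the post).

```python
"""CHAP vs. hashed-password verification (added example, not FreeRADIUS code)."""
import hashlib
import hmac


def chap_response(chap_id: int, cleartext: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(ident || clear-text secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + cleartext + challenge).digest()


def build_chap_password(chap_id: int, cleartext: bytes, challenge: bytes) -> bytes:
    """What the NAS puts in the RADIUS CHAP-Password attribute:
    one ident byte followed by the 16-byte response."""
    return bytes([chap_id]) + chap_response(chap_id, cleartext, challenge)


def parse_chap_password(debug_value: str) -> bytes:
    """Decode the 0x... form printed by radiusd -X into ident + digest."""
    hexpart = debug_value[2:] if debug_value.startswith("0x") else debug_value
    raw = bytes.fromhex(hexpart)
    if len(raw) != 17:
        raise ValueError("CHAP-Password must be 17 bytes (ident + MD5 digest)")
    return raw


def verify_chap(chap_password: bytes, cleartext: bytes, challenge: bytes) -> bool:
    """The server recomputes the MD5 itself, so it needs the clear-text
    password; a one-way hash of the password cannot produce the response."""
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def store_hashed(cleartext: bytes, salt: bytes) -> bytes:
    """Salted one-way hash: the only form a Unix-style password file holds."""
    return hashlib.sha256(salt + cleartext).digest()


def verify_pap(user_password: bytes, salt: bytes, stored: bytes) -> bool:
    """PAP carries the password itself, so a hash-only backend can check it."""
    return hmac.compare_digest(store_hashed(user_password, salt), stored)


# Constructed demo values (the real challenge is the Request Authenticator
# when no CHAP-Challenge attribute is present).
DEMO_CHALLENGE = bytes(range(16))
DEMO_PASSWORD = b"correct horse"
DEMO_SALT = b"salt"
```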