PEAP-EAP-MSCHAPv2
Hi, I have a couple of questions. Would greatly appreciate any help.

1- I keep getting the following error

  rlm_eap_mschapv2: Response contains contradictory length 0 54

while using PEAP-EAP-MSCHAPv2 to authenticate the XSupplicant with FreeRADIUS. Following is the partial log from FreeRADIUS run in debug mode:

  Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 70
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/mschapv2
    rlm_eap: processing type mschapv2
    rlm_eap_mschapv2: Response contains contradictory length 0 54
    rlm_eap: Handler failed in EAP/mschapv2
    rlm_eap: Failed in EAP select
    modcall[authenticate]: module "eap" returns invalid for request 70
  modcall: group authenticate returns invalid for request 70
  auth: Failed to validate the user.
  PEAP: Got tunneled reply RADIUS code 3
          EAP-Message = 0x04080004
          Message-Authenticator = 0x
  PEAP: Processing from tunneled session code 0x8183340 3
          EAP-Message = 0x04080004
          Message-Authenticator = 0x
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE

Could someone please help with this? Am I doing a configuration setting wrong or is my XSupplicant misbehaving?

2- I have seen some example PEAP-EAP-MSCHAPv2 logs on the internet; they contain the following two lines:

  rlm_passwd: Added LM-Password: '1EF2AC3C7865B1F2AAD3B435B51404EE' to config_items
  rlm_passwd: Added NT-Password: 'E5810F3C99AE2ABB2232ED8458A61309' to config_items

I am not sure what they signify here because I do not get these while I run PEAP-MSCHAPv2. Could someone please tell me what they mean?

Thanks,
Bilal

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
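To make the two numbers in that error line concrete, here is an added example (not from the post above and not FreeRADIUS code) that parses an EAP-MSCHAPv2 Response according to the draft-kamath-pppext-eap-mschapv2 layout and applies the rule the format imposes: the MS-Length field must equal the EAP Length minus 5, because it counts from the OpCode onward. The packet bytes are constructed here; that this is exactly how rlm_eap_mschapv2 derives the two figures it logs is an assumption, but a Response whose MS-Length field is zero with 54 bytes following the EAP header yields the pair "0 54".

```python
"""Parse an EAP-MSCHAPv2 Response and run the length sanity checks an EAP
server has to perform before it can look at the MS-CHAPv2 material.

Layout (EAP Type 26, draft-kamath-pppext-eap-mschapv2):

  EAP header:  Code(1) Identifier(1) Length(2) Type(1)
  MSCHAPv2:    OpCode(1) MS-CHAPv2-ID(1) MS-Length(2)
  Response:    Value-Size(1) Response(49) Name(Length - 59)

Response(49) = Peer-Challenge(16) Reserved(8) NT-Response(24) Flags(1).
MS-Length MUST be EAP Length minus 5; Value-Size is fixed at 49.
"""
import struct

EAP_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26
OPCODE_RESPONSE = 2
RESPONSE_VALUE_SIZE = 49


class EapMschapv2Error(ValueError):
    """Raised with the message an EAP server would log for a malformed packet."""


def parse_eap_mschapv2_response(pkt: bytes) -> dict:
    """Validate the headers and split out the fields of a Response packet."""
    if len(pkt) < 10:
        raise EapMschapv2Error("packet too short for an EAP-MSCHAPv2 header")
    code, ident, eap_len, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_RESPONSE:
        raise EapMschapv2Error(f"EAP code {code} is not a Response")
    if eap_len != len(pkt):
        raise EapMschapv2Error(f"EAP Length {eap_len} but {len(pkt)} bytes received")
    if eap_type != EAP_TYPE_MSCHAPV2:
        raise EapMschapv2Error(f"EAP type {eap_type} is not MSCHAPv2 (26)")
    opcode, ms_id, ms_len = struct.unpack("!BBH", pkt[5:9])
    if opcode != OPCODE_RESPONSE:
        raise EapMschapv2Error(f"MS-CHAPv2 OpCode {opcode} is not Response (2)")
    # The format rule behind a "contradictory length" complaint: the MS-Length
    # field must describe the same number of bytes the EAP header says follow it.
    expected = eap_len - 5
    if ms_len != expected:
        raise EapMschapv2Error(f"Response contains contradictory length {ms_len} {expected}")
    value_size = pkt[9]
    if value_size != RESPONSE_VALUE_SIZE:
        raise EapMschapv2Error(f"Value-Size {value_size}, expected {RESPONSE_VALUE_SIZE}")
    if len(pkt) < 10 + RESPONSE_VALUE_SIZE:
        raise EapMschapv2Error("Response field truncated")
    resp = pkt[10:10 + RESPONSE_VALUE_SIZE]
    return {
        "identifier": ident,
        "mschapv2_id": ms_id,
        "peer_challenge": resp[:16],
        "reserved": resp[16:24],
        "nt_response": resp[24:48],
        "flags": resp[48],
        "name": pkt[10 + RESPONSE_VALUE_SIZE:].decode("utf-8", "replace"),
    }


def build_response(ident: int, ms_id: int, peer_challenge: bytes, nt_response: bytes,
                   name: bytes, ms_length: int = None) -> bytes:
    """Build a Response packet; passing ms_length lets a caller construct a broken one."""
    body = (bytes([RESPONSE_VALUE_SIZE]) + peer_challenge + b"\x00" * 8
            + nt_response + b"\x00" + name)
    eap_len = 5 + 4 + len(body)
    if ms_length is None:
        ms_length = eap_len - 5          # the value a conforming supplicant sends
    return (struct.pack("!BBHB", EAP_RESPONSE, ident, eap_len, EAP_TYPE_MSCHAPV2)
            + struct.pack("!BBH", OPCODE_RESPONSE, ms_id, ms_length) + body)


def check(pkt: bytes) -> str:
    """Return "ok" or the message the parser would log."""
    try:
        parse_eap_mschapv2_response(pkt)
        return "ok"
    except EapMschapv2Error as exc:
        return str(exc)


# Constructed sample values, not taken from the log above.
PEER_CHALLENGE = bytes(range(16))
NT_RESPONSE = bytes(range(0x20, 0x38))   # 24 bytes

if __name__ == "__main__":
    good = build_response(8, 8, PEER_CHALLENGE, NT_RESPONSE, b"test")
    print(len(good), check(good))
    broken = build_response(8, 8, PEER_CHALLENGE, NT_RESPONSE, b"", ms_length=0)
    print(len(broken), check(broken))
```

A supplicant that leaves MS-Length at zero produces a packet the server has to reject before any password material is examined, which is why the failure surfaces as an "invalid" return from the eap module rather than as an MS-CHAP mismatch.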
Re: auth from cisco to freeradius msql
On Tuesday 07 December 2004 03:25, Lim Han Shyong wrote:

Hi Lim

Thanks for all your help. I found the problem: on the Cisco router I had RADIUS bound to the loopback interface, therefore it was not part of the LAN address. Basically an ID10T problem..

Adam

> Hi:
>
> Mean did u add the
>   Service-Type = NAS-Prompt-User
> into your sql database..? i mean in the reply message.
>
> HSL
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Frog
> Sent: Monday, December 06, 2004 8:02 PM
> To: [EMAIL PROTECTED]
> Subject: Re: auth from cisco to freeradius msql
>
> I'm using mysql for authentication.
>
> On Monday 06 December 2004 10:29, Lim Han Shyong wrote:
> > Hi:
> >
> > Hmm.. What u set in your user file ?
> >
> > user    Auth-Type := Local, User-Password = "testing"
> >         Service-Type = NAS-Prompt-User
> >
> > this mine, it can done basic authentication. Probably can have a try ^_^
> >
> > HSL
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Frog
> > Sent: Monday, December 06, 2004 4:10 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: auth from cisco to freeradius msql
> >
> > Yes but if I try get access from my router or dialup the auth fails.
> >
> > Adam
> >
> > On Friday 03 December 2004 11:02, Lim Han Shyong wrote:
> > > Hi,
> > >
> > > Not understand what u want... radius already authenticate and send
> > > the Access accept packet back.
> > >
> > > HSL
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of Frog
> > > Sent: Friday, December 03, 2004 4:53 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: auth from cisco to freeradius msql
> > >
> > > Hi list
> > >
> > > I'm in the process of setting up my first radius server. Radius starts ok
> > > and auths with radtest but from cisco it does not. I'm running Fedora Core
> > > 2 with freeradius ver 1.0.1 using cisco 1601 (testing)
> > >
> > > here is the cisco setup followed by radius radiusd -f startup then when I
> > > try and authenticate in debug mode.
> > >
> > > ----------------------------------------------------------------------
> > >
> > > aaa new-model
> > > aaa authentication login default group radius none
> > > aaa authentication login none none
> > > aaa authentication login unilynx local
> > > aaa authentication login consoleport none
> > > aaa authentication ppp default group radius none
> > > aaa authentication ppp unilynx-radius group radius local
> > > aaa authentication ppp radppp if-needed group radius
> > > aaa authorization network default group radius
> > > aaa accounting update newinfo
> > > aaa accounting network default wait-start group radius
> > >
> > > ip radius source-interface Loopback0
> > > snmp-server engineID local 0009020142062DED
> > > snmp-server community public RO 97
> > > radius-server host 192.168.2.254 auth-port 1812 acct-port 1813 non-standard
> > > radius-server retransmit 2
> > > radius-server timeout 8
> > > radius-server deadtime 2
> > > radius-server key password
> > >
> > > ----------------------------------------------------------------------
> > >
> > > Fri Dec 3 10:38:47 2004 : Info: Starting - reading configuration files ...
> > > Fri Dec 3 10:38:47 2004 : Debug: reread_config: reading radiusd.conf
> > > Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/proxy.conf
> > > Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/clients.conf
> > > Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/snmp.conf
> > > Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/sql.conf
> > > Fri Dec 3 10:38:47 2004 : Debug: main: prefix = "/usr/local"
> > > Fri Dec 3 10:38:47 2004 : Debug: main: localstatedir = "/usr/local/var"
> > > Fri Dec 3 10:38:47 2004 : Debug: main: logdir = "/usr/local/var/log/radius"
> > > Fri Dec 3 10:38:47 2004 : Debug: main: libdir = "/home/temp/freeradius/freeradius-1.0.1/src/modules"
> > > Fri Dec 3 10:38:47 2004 : Debug: main: radacctdir = "/usr/local/var/log/radius/radacct"
> > > Fri Dec 3 10:38:47 2004 : Debug: main: hostname_lookups = no
> > > Fri Dec 3 10:38:47 2004 : Debug: main: max_request_time = 30
> > > Fri Dec 3 10:38:47 2004 : Debug: main: cleanup_delay = 5
> > > Fri Dec 3 10:38:47 2004 : Debug: main: max_requests = 1024
> > > Fri Dec 3 10:38:47 2004 : Debug: main: delete_blocked_requests = 0
> > > Fri Dec 3 10:38:47 2004 : Debug: main: port = 0
> > > Fri Dec 3 10:38:47 2004 : Debug: main: allow_core_dumps = no
> > > Fri Dec 3 10:38:47 2004 : Debug: main:
Check Multiple Calling-Station-Id in mysql
Hi to all,

I'm using freeradius 1.0.1. I'm trying to check multiple Calling-Station-Id values stored in mysql but the return message is Access-Reject. I don't know how and what the problem is. Anyone plz help me. TQ

+----+------------+---------------+----+-----------+
| id | UserName   | Attribute     | op | Value     |
+----+------------+---------------+----+-----------+
|  1 | ultrabalad | User-Password | == | budakbaik |
+----+------------+---------------+----+-----------+

+----+------------+------------+
| id | UserName   | GroupName  |
+----+------------+------------+
|  1 | ultrabalad | ultrabalad |
+----+------------+------------+

+----+------------+--------------------+----+--------------+
| id | GroupName  | Attribute          | op | Value        |
+----+------------+--------------------+----+--------------+
| 10 | ultrabalad | Calling-Station-Id | =~ | 00032f042f51 |
|  9 | ultrabalad | Calling-Station-Id | =~ | 10032f042f51 |
+----+------------+--------------------+----+--------------+
Missing radius.log file and radacct folder
Hi

I'm using the users file for authentication. The problem is that there is no radius directory inside the var directory, so there is no record or information about users.

1. Is this directory automatically created when I installed freeradius?

2. What may have caused this to happen? Installation? Misconfiguration? Any commented entry that should be uncommented? I already tried to find all radius.log files.

3. When I run the radius daemon with other options such as -y, I get an error message like

     Fail to create PID ...no such file or directory

   Is this the effect of the missing radius directory that stores user information? Or is there another reason for it?

4. Except for mkdir'ing a radius directory and creating a radius.log file and radacct directory in it, is there any other way to make the logfile exist (such as running some missed executable or else) so it can work appropriately with the FR server?

thanks
RE: Problem with pidfile
Have you checked the permissions of the directories freeradius is trying to write to (/usr/local/var/run), to ensure the user that is running radiusd can write to it?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of zack musa
Sent: Tuesday, 7 December 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: Problem with pidfile

Hi. There's a problem when I try something in radiusd -...

  failed writing process id to file /usr/local/var/run/radiusd.pid ...no such file or directory...

Does the file need to be created by ourselves? Or is there any misconfiguration or installation problem? How can I make the radius server write its PID when I'm running it?
Problem with pidfile
Hi. There's a problem when I try something in radiusd -...

  failed writing process id to file /usr/local/var/run/radiusd.pid ...no such file or directory...

Does the file need to be created by ourselves? Or is there any misconfiguration or installation problem? How can I make the radius server write its PID when I'm running it?
RE: auth from cisco to freeradius msql
Hi:

Mean did u add the
  Service-Type = NAS-Prompt-User
into your sql database..? i mean in the reply message.

HSL

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Frog
Sent: Monday, December 06, 2004 8:02 PM
To: [EMAIL PROTECTED]
Subject: Re: auth from cisco to freeradius msql

I'm using mysql for authentication.

On Monday 06 December 2004 10:29, Lim Han Shyong wrote:
> Hi:
>
> Hmm.. What u set in your user file ?
>
> user    Auth-Type := Local, User-Password = "testing"
>         Service-Type = NAS-Prompt-User
>
> this mine, it can done basic authentication. Probably can have a try ^_^
>
> HSL
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Frog
> Sent: Monday, December 06, 2004 4:10 PM
> To: [EMAIL PROTECTED]
> Subject: Re: auth from cisco to freeradius msql
>
> Yes but if I try get access from my router or dialup the auth fails.
>
> Adam
>
> On Friday 03 December 2004 11:02, Lim Han Shyong wrote:
> > Hi,
> >
> > Not understand what u want... radius already authenticate and send
> > the Access accept packet back.
> >
> > HSL
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Frog
> > Sent: Friday, December 03, 2004 4:53 PM
> > To: [EMAIL PROTECTED]
> > Subject: auth from cisco to freeradius msql
> >
> > Hi list
> >
> > I'm in the process of setting up my first radius server. Radius starts ok
> > and auths with radtest but from cisco it does not. I'm running Fedora Core 2
> > with freeradius ver 1.0.1 using cisco 1601 (testing)
> >
> > here is the cisco setup followed by radius radiusd -f startup then when I
> > try and authenticate in debug mode.
> >
> > ----------------------------------------------------------------------
> >
> > aaa new-model
> > aaa authentication login default group radius none
> > aaa authentication login none none
> > aaa authentication login unilynx local
> > aaa authentication login consoleport none
> > aaa authentication ppp default group radius none
> > aaa authentication ppp unilynx-radius group radius local
> > aaa authentication ppp radppp if-needed group radius
> > aaa authorization network default group radius
> > aaa accounting update newinfo
> > aaa accounting network default wait-start group radius
> >
> > ip radius source-interface Loopback0
> > snmp-server engineID local 0009020142062DED
> > snmp-server community public RO 97
> > radius-server host 192.168.2.254 auth-port 1812 acct-port 1813 non-standard
> > radius-server retransmit 2
> > radius-server timeout 8
> > radius-server deadtime 2
> > radius-server key password
> >
> > ----------------------------------------------------------------------
> >
> > Fri Dec 3 10:38:47 2004 : Info: Starting - reading configuration files ...
> > Fri Dec 3 10:38:47 2004 : Debug: reread_config: reading radiusd.conf
> > Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/proxy.conf
> > Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/clients.conf
> > Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/snmp.conf
> > Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/sql.conf
> > Fri Dec 3 10:38:47 2004 : Debug: main: prefix = "/usr/local"
> > Fri Dec 3 10:38:47 2004 : Debug: main: localstatedir = "/usr/local/var"
> > Fri Dec 3 10:38:47 2004 : Debug: main: logdir = "/usr/local/var/log/radius"
> > Fri Dec 3 10:38:47 2004 : Debug: main: libdir = "/home/temp/freeradius/freeradius-1.0.1/src/modules"
> > Fri Dec 3 10:38:47 2004 : Debug: main: radacctdir = "/usr/local/var/log/radius/radacct"
> > Fri Dec 3 10:38:47 2004 : Debug: main: hostname_lookups = no
> > Fri Dec 3 10:38:47 2004 : Debug: main: max_request_time = 30
> > Fri Dec 3 10:38:47 2004 : Debug: main: cleanup_delay = 5
> > Fri Dec 3 10:38:47 2004 : Debug: main: max_requests = 1024
> > Fri Dec 3 10:38:47 2004 : Debug: main: delete_blocked_requests = 0
> > Fri Dec 3 10:38:47 2004 : Debug: main: port = 0
> > Fri Dec 3 10:38:47 2004 : Debug: main: allow_core_dumps = no
> > Fri Dec 3 10:38:47 2004 : Debug: main: log_stripped_names = no
> > Fri Dec 3 10:38:47 2004 : Debug: main: log_file = "/usr/local/var/log/radius/radius.log"
> > Fri Dec 3 10:38:47 2004 : Debug: main: log_auth = no
> > Fri Dec 3 10:38:47 2004 : Debug: main: log_auth_badpass = no
> > Fri Dec 3 10:38:47 2004 : Debug: main: log_auth_goodpass = no
> > Fri Dec 3 10:38:47 2004 : Debug: main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> > Fri Dec 3 10:38:47 2004 : Debug: main: user = "(null)"
> > Fri Dec 3 10:38:47 2004 : Debug: main: group = "(null)"
> > Fri Dec 3 10:38:47 2004
Re: Using PEAP or EAP-TTLS on Linux/Unix without 802.1x?
"Steve Chan" <[EMAIL PROTECTED]> wrote: > The problem is that for a large deployment (say, hundreds of client > hosts), managing those secrets becomes an issue. If you share secrets > then the compromise of 1 system reveals the secret for all systems > sharing it, if you keep individual secrets, you need to track them and > make sure the configurations on the machines are right. Yup. > Administratively, it becomes easier if you could just depend on a > negotiated TLS connection. It should be possible to hack a PAM module to use the xsupplicant code, to do EAP-TTLS or EAP-PEAP. But it would then have to talk to something which does RADIUS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using PEAP or EAP-TTLS on Linux/Unix without 802.1x?
Josh,

Thanks for the reply.

From Josh Howlett <[EMAIL PROTECTED]>
> The User-Password attribute is protected to a reasonable degree of
> security if you make the effort to generate (and protect) a "good"
> secret for your RADIUS peers. This generally satisfies the cryptowonks
> in the places I've seen RADIUS deployed.

The problem is that for a large deployment (say, hundreds of client hosts), managing those secrets becomes an issue. If you share secrets then the compromise of 1 system reveals the secret for all systems sharing it, if you keep individual secrets, you need to track them and make sure the configurations on the machines are right.

Administratively, it becomes easier if you could just depend on a negotiated TLS connection.

> Failing that, IPSec with PSK is the next easiest solution.

I wanted to see where the client library rabbit hole would lead me before going to IPSEC or other external tunnelling tools.

Thanks,
Steve
Re: Using PEAP or EAP-TTLS on Linux/Unix without 802.1x?
Steve Chan wrote:
> What we're looking to do is pass a cleartext password over a
> cryptographically secure Radius connection from Unix/Linux clients to a
> Radius server. Users will be trying to login via ssh or on the console,
> and PAM is configured to go to Radius for authentication. The standard
> security for Radius has many critics, and we're trying to figure out how
> to appease the crypto-police.

The User-Password attribute is protected to a reasonable degree of security if you make the effort to generate (and protect) a "good" secret for your RADIUS peers. This generally satisfies the cryptowonks in the places I've seen RADIUS deployed.

Failing that, IPSec with PSK is the next easiest solution.

josh.
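What "protected to a reasonable degree" rests on is the User-Password hiding of RFC 2865 section 5.2, which this thread discusses but does not spell out. The following is an added example, not from any poster and not FreeRADIUS code, implementing that scheme with the standard library: the keystream is MD5(secret + Request Authenticator) for the first 16-octet block and MD5(secret + previous ciphertext block) for each following block, so the hiding is exactly as strong as the shared secret. The password, secret and authenticator values used are constructed.

```python
"""RFC 2865 section 5.2 User-Password hiding.

  b1 = MD5(S + RA)    c1 = p1 XOR b1
  b2 = MD5(S + c1)    c2 = p2 XOR b2
  ...

S is the shared secret and RA the 16-octet Request Authenticator, which is
sent in the clear in the Access-Request. Nothing in the keystream depends on
anything but S and RA, so anyone who holds (or guesses) S can unhide every
password sent under it; that is the risk behind "compromise of 1 system
reveals the secret for all systems sharing it" in the thread above.
"""
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a User-Password attribute value as a RADIUS client would."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets before padding")
    # The RFC pads with NUL octets to a multiple of 16.
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block            # chaining: the next block keys on this ciphertext
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Decode as a RADIUS server would; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a nonzero multiple of 16 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")


def round_trips(password: bytes, secret: bytes, authenticator: bytes) -> bool:
    """True when the server-side decode recovers what the client hid."""
    return unhide_password(hide_password(password, secret, authenticator),
                           secret, authenticator) == password


if __name__ == "__main__":
    # Constructed values: a fixed authenticator keeps the demo reproducible.
    # Real clients must draw the Request Authenticator from a strong RNG.
    ra = bytes(range(16))
    hidden = hide_password(b"testing", b"testing123", ra)
    print(hidden.hex())
    print(unhide_password(hidden, b"testing123", ra))
    print(unhide_password(hidden, b"wrong-secret", ra))   # garbage, not the password
```

Two properties are visible here: a wrong secret does not produce an error, only garbage, so there is no integrity check on the password itself (that comes from Message-Authenticator or the Response Authenticator), and a password ending in NUL octets cannot be represented, because the server strips the padding.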
Using PEAP or EAP-TTLS on Linux/Unix without 802.1x?
Hello,

I'm researching what it would take to have strong encryption of the channel between Linux client machines and a FreeRadius server. It looks like FreeRadius supports PEAP and EAP-TTLS. Both these are supported by the Open 802.1x package, however I am interested in using PEAP or EAP-TTLS to encrypt Unix login authentication requests, and not wireless connections to an access point. Looking at Open1x, it doesn't seem to be appropriate for this kind of application (does anyone else know better?)

I grepped through the source for the radius libraries that come with FreeRadius and didn't see anything related to PEAP or EAP-TTLS. Will the client libraries handle PEAP or EAP-TTLS? Are there any open source packages out there that can take care of this?

What we're looking to do is pass a cleartext password over a cryptographically secure Radius connection from Unix/Linux clients to a Radius server. Users will be trying to login via ssh or on the console, and PAM is configured to go to Radius for authentication. The standard security for Radius has many critics, and we're trying to figure out how to appease the crypto-police.

Thanks for any help,
Steve
Re: authentication fails with peap when proxied
Andree Toonk <[EMAIL PROTECTED]> wrote:
> With the "nostrip" option the response always is "rlm_mschap: FAILED:
> MS-CHAP2-Response is incorrect"

But it's no longer complaining about User-Name not matching EAP identity.

> rlm_realm: Looking up realm "test.nl" for User-Name = "[EMAIL PROTECTED]"
> rlm_realm: Found realm "test.nl"
> rlm_realm: Adding Stripped-User-Name = "test"

Why are you stripping the username AGAIN? I thought you said you weren't stripping it.

Don't strip the username. Doing so will break EAP, and MS-CHAP, as you are discovering.

Alan DeKok.
Re: radrelay transmission rate
"Bruno Lague" <[EMAIL PROTECTED]> wrote: > - added the above "loadbalance" section in accounting section of > radiusd.conf, The name was implemented as "load-balance". > - start radiusd, and get this: >radiusd.conf[1808] Unknown module rcode 'relay_detail1'. It's trying to load a module called "loadbalance". Change the name, and it should work. I'll write some more docs in a few days... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radrelay transmission rate
>>> threading sound like an idea yes. Another idea is to get load-balancing
>>> code inside freeradius. Then you could do something like the following:
>>>
>>> accounting {
>>>     loadbalance {
>>>         relay_detail1
>>>         relay_detail2
>>>         relay_detail3
>>>     }
>>> }
>>>
>>> radrelay relay_detail1
>>> radrelay relay_detail2
>>> radrelay relay_detail3
>>>
>>> That way you don't need to change much (apart from a few changes to the
>>> server core) and you increase the overall performance by parallelizing
>>> radrelay and the detail module.
>>
>> Agree that would work too. I'd be glad to give it a try as soon as it's
>> available.
>
> Well, Alan was quite nice to provide that feature in a flash :-D, so it's
> available in CVS.

Trying to try it, but can't get it to work. I must be doing something obviously wrong, just can't see what.

- I downloaded freeradius-snapshot-20041205.tar.gz + modcall.c v1.26.
- configure/make/make install'ed
- added the above "loadbalance" section in accounting section of radiusd.conf,
- added a "detail" item for each entry of that loadbalance section (also tried without it, same result).
- start radiusd, and get this:

  radiusd.conf[1808] Unknown module rcode 'relay_detail1'.

any help appreciated...

thanks,
Bruno
Re: authentication fails with peap when proxied
Alan,

.-- My secret spy satellite informs me that at 6-12-2004 19:03 Alan DeKok wrote:
> You are stripping the User-Name attribute when proxying. Don't do that.

Thanks for your reply. Actually I tried with nostrip and without nostrip.
With the "nostrip" option the response always is "rlm_mschap: FAILED: MS-CHAP2-Response is incorrect"
But with the same username and password combi and using ttls (PAP) it does work.

With the nostrip option in the proxy file:

realm test.nl {
        type            = radius
        authhost        = $someIP:1812
        accthost        = $someIP:1813
        secret          = testing123
        nostrip
}

<>

PEAP: Setting User-Name to [EMAIL PROTECTED]
PEAP: Adding old state with 78 a7
PEAP: Sending tunneled request
        EAP-Message = 0x0208003f1a0208003a318ab2035ead265938c799548cd7e840967022e4f099837e551c4ec9b262696dd9aa825bba237f14c60074657374
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "[EMAIL PROTECTED]"
        State = 0x78a730b344c6d6887536347359a08e53
        Framed-MTU = 1400
        Called-Station-Id = "000d.ed77.d2c7"
        Calling-Station-Id = "0009.5ba1.06eb"
        NAS-Port-Type = Virtual
        NAS-Port = 270
        Service-Type = Login-User
        NAS-IP-Address = 145.100.24.21
        NAS-Identifier = "AP1-5.matrix.asp.nl"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/127.0.0.1/auth-detail-20041206'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/127.0.0.1/auth-detail-20041206
  modcall[authorize]: module "auth_log" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: Looking up realm "test.nl" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "test.nl"
    rlm_realm: Adding Stripped-User-Name = "test"
    rlm_realm: Proxying request from user test to realm test.nl
    rlm_realm: Adding Realm = "test.nl"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: EAP packet type response id 8 length 63
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
    users: Matched test at 1
  modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 7
modcall: group Auth-Type returns reject for request 7
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 7

the username seems to be [EMAIL PROTECTED], but in the user file it is test. could this be the cause? how should I fix this?

Any advice on this?

thanks in advance,

regards
Andree
Re: huntgroup + MySQL : User-Name works, Group does not
On Dec 6, 2004, at 12:57 PM, Alan DeKok wrote:

> Jason Lixfeld <[EMAIL PROTECTED]> wrote:
> > Hi. I'm reposting this in hopes that someone will be able to give me
> > some insight as to what I've missed...
>
> There were issues with the huntgroup code, but I think they've been
> fixed in 1.0.x.

We're using 1.0.1

> If not, my suggestion is to poke at rlm_preprocess, to see when/where
> it decides "no huntgroup access".

I'll poke at the module, but I'm not very versed in C so it would be an undertaking to say the least :)

> > mysql> select * from usergroup where UserName like 'beantest%';
> > +-----+-------------------+-----------+
> > | id  | UserName          | GroupName |
> > +-----+-------------------+-----------+
> > | 527 | [EMAIL PROTECTED] | wireless  |
> > +-----+-------------------+-----------+
>
> Ah... that's the issue. That's an SQL group. The "Group" attribute
> means "look for the user in /etc/groups", which is failing for you,
> because the user isn't in /etc/groups.
>
> You'll have to do a different kind of grouping. I'm not familiar with
> SQL, so I can't say how.

Thanks. I think I recall a post with something like SQL-Group in huntgroups so I'll try that. I believe I saw Ldap-Group as well so that might be the ticket.

> Alan DeKok.

Thanks again, Alan.
Re: authentication fails with peap when proxied
Andree Toonk <[EMAIL PROTECTED]> wrote:
> Now I want to proxy all requests with @test.nl to another radius server.
> This works for ttls but when I use PEAP the authentication always fails.

You are stripping the User-Name attribute when proxying. Don't do that.

> realm test.nl {
>         type            = radius
>         authhost        = $someIP:1812
>         accthost        = $someIP:1813
>         secret          = testing123
          nostrip
> }

Alan DeKok.
Re: ADSL Accounting
"Mike Smith" <[EMAIL PROTECTED]> wrote: > I am having trouble with usage based statistics because freeradius stores > its Acct-Input-Octets and Acct-Output-Octets octets in an integer. The RFC's specifiy that those attributes go into a 32-bit integer in the RADIUS packet. FreeRADIUS is therefore limited by the RFC's. > While this is great for Dial-up monitoring it a bit of a problem for ADSL > when the Input and Output values often exceed 4294967295 bytes > at which point it resets to 0. FreeRADIUS has no control over that. > I have asked our provider to send us the Gigawords attribute but they > do not support it. So my question is are the Freeradius developers > working on a solution to this one at the moment, or is this a complete > rewrite into another language to overcome it? There is no real solution, other than having the provider send the Gigawords attribute. FreeRADIUS can't log information it doesn't have. What may *help* is that if your provider sends accounting packets quickly enough (like every 10 minutes), to keep track of the *last* value for Access-Input-Octets. If the new value is smaller than the old one, yuo can "guess" that it rolled over, and add 2^32 to the new value. It's a hack, but it will help. It won't be perfect, though. > Anyone know a way round it other than me writing a daemon that > collects the data and then passes it to freeradius afterward. Collects *what* data? You just said that the provider wasn't sending Gigawords attributes to you. Why would another daemon be able to do something that FreeRADIUS can't? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fwd: huntgroup + MySQL : User-Name works, Group does not
Jason Lixfeld <[EMAIL PROTECTED]> wrote:
> Hi. I'm reposting this in hopes that someone will be able to give me
> some insight as to what I've missed...

There were issues with the huntgroup code, but I think they've been fixed in 1.0.x.

If not, my suggestion is to poke at rlm_preprocess, to see when/where it decides "no huntgroup access".

> > mysql> select * from usergroup where UserName like 'beantest%';
> > +-----+-------------------+-----------+
> > | id  | UserName          | GroupName |
> > +-----+-------------------+-----------+
> > | 527 | [EMAIL PROTECTED] | wireless  |
> > +-----+-------------------+-----------+

Ah... that's the issue. That's an SQL group. The "Group" attribute means "look for the user in /etc/groups", which is failing for you, because the user isn't in /etc/groups.

You'll have to do a different kind of grouping. I'm not familiar with SQL, so I can't say how.

Alan DeKok.
Re: Bug with dead_time and max_request_time?
John Horne <[EMAIL PROTECTED]> wrote:
> But these aren't home servers.

They are external servers i.e. "home" servers so far as the proxy is concerned.

> In that respect the local server should proxy the request to the
> second server because it has nothing to do with the first server -
> they are in different locations.

I understand. My point was that proxying the request to the second server is pointless 99% of the time, as the NAS has already given up on the request.

Alan DeKok.
Re: Session-Timeout
> Hi
>
> I'm having some problems getting Session_Timeout to function - when the
> time limit is reached nothing happens (I assume it is supposed to send
> some sort of disconnect message). Is there anything else that needs set
> alongside this to have it function?
> Using - Freeradius 1.0.1 and Chillispot (which supports this attribute)
> - accounting is on and set to send updates every minute...

If you mean you are sending back Session-Timeout in the reply attributes on an Access-Accept, then that is up to the NAS to disconnect the user. Radius doesn't send a disconnect message to the NAS; the NAS is supposed to use that reply value and disconnect when the time is up.
Session-Timeout
Hi

I'm having some problems getting Session_Timeout to function - when the time limit is reached nothing happens (I assume it is supposed to send some sort of disconnect message). Is there anything else that needs set alongside this to have it function?

Using - Freeradius 1.0.1 and Chillispot (which supports this attribute) - accounting is on and set to send updates every minute...

Thanks
Neil
authentication fails with peap when proxied
Hi, I've set up an 802.1x network with Cisco 1200 APs and FreeRADIUS (1.0.1). All works fine when the users are known locally (users file); this includes TTLS with MSCHAPv2 and PEAP. Now I want to proxy all requests with @test.nl to another RADIUS server. This works for TTLS, but when I use PEAP the authentication always fails. When the AP is configured to use this RADIUS server directly, authentication succeeds. So the problem seems to be: authentication requests which are proxied using PEAP always fail. The client I use is the Odyssey client (3.0.3). My config looks like this:

proxy.conf:

realm test.nl {
        type     = radius
        authhost = $someIP:1812
        accthost = $someIP:1813
        secret   = testing123
}

On the authoritative test.nl RADIUS server the users file is like this:

BOFH:/usr/local/freeradius/etc/raddb# cat users
test    User-Password == "test"
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802,
        Tunnel-Private-Group-Id:1 = 207
BOFH:/usr/local/freeradius/etc/raddb#

(only this test user, no other entries). Debug info from this host (on which user test is known): when using PEAP I see the following: "rlm_eap: Identity does not match User-Name, setting from EAP Identity."
rad_recv: Access-Request packet from host 145.100.24.100:1814, id=0, length=151
        User-Name = "test"
        Framed-MTU = 1400
        Called-Station-Id = "000d.ed77.d2c7"
        Calling-Station-Id = "0009.5ba1.06eb"
        Message-Authenticator = 0x6b73b58ed562557bbe3486082ba11bfd
        EAP-Message = 0x02010011017465737440746573742e6e6c
        NAS-Port-Type = Virtual
        NAS-Port = 389
        Service-Type = Login-User
        NAS-IP-Address = 145.100.24.21
        NAS-Identifier = "AP1-5.matrix.asp.nl"
        Proxy-State = 0x313237
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/145.100.24.100/auth-detail-20041206'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/145.100.24.100/auth-detail-20041206
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "test"
    rlm_realm: Proxying request from user test to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched test at 1
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 145.100.24.100:1814
        Proxy-State = 0x313237
Waking up in 4 seconds...

With the nostrip option in the proxy file:

realm test.nl {
        type     = radius
        authhost = $someIP:1812
        accthost = $someIP:1813
        secret   = testing123
        nostrip
}

the response I always get is "rlm_mschap: FAILED: MS-CHAP2-Response is incorrect". But with the same username and password combination and using TTLS (PAP) it does work.

PEAP: Setting User-Name to [EMAIL PROTECTED]
PEAP: Adding old state with 78 a7
PEAP: Sending tunneled request
        EAP-Message = 0x0208003f1a0208003a318ab2035ead265938c799548cd7e840967022e4f099837e551c4ec9b262696dd9aa825bba237f14c60074657374
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "[EMAIL PROTECTED]"
        State = 0x78a730b344c6d6887536347359a08e53
        Framed-MT
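Added example, not from the thread and not FreeRADIUS code: decoding the EAP-Message attribute from the first debug output above shows exactly what "Identity does not match User-Name" is comparing. The packet bytes are the ones in that log; strip_realm() is a constructed stand-in for what a realm entry without nostrip does to User-Name before proxying, and the length check is the header validation any EAP parser needs before trusting the payload.

```python
"""Decode a RADIUS EAP-Message attribute (RFC 3748 EAP packet) and compare
the EAP Identity it carries with the outer User-Name.

Added example, not FreeRADIUS code.  POSTED_EAP_MESSAGE is the attribute
from the debug output on this page; everything else is constructed.
"""
import struct

EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# EAP-Message = 0x02010011017465737440746573742e6e6c (from the posted log)
POSTED_EAP_MESSAGE = "0x02010011017465737440746573742e6e6c"


def parse_eap_message(hex_attr):
    """Parse one EAP packet given as the '0x...' hex string FreeRADIUS prints.

    Header is Code(1) Identifier(1) Length(2); Request/Response packets add
    a Type byte, and Type 1 (Identity) is followed by the NAI the supplicant
    sent.  A Length field that disagrees with the bytes actually received is
    rejected rather than guessed at.
    """
    body = hex_attr[2:] if hex_attr.lower().startswith("0x") else hex_attr
    raw = bytes.fromhex(body)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP Length %d but %d bytes on the wire" % (length, len(raw)))
    pkt = {"code": code, "id": ident, "length": length, "type": None, "identity": None}
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        pkt["type"] = raw[4]
        if pkt["type"] == EAP_TYPE_IDENTITY:
            pkt["identity"] = raw[5:].decode("utf-8", errors="replace")
    return pkt


def has_consistent_length(hex_attr):
    """True if the packet parses and its Length matches the bytes received."""
    try:
        parse_eap_message(hex_attr)
    except ValueError:
        return False
    return True


def identity_matches_user_name(user_name, hex_attr):
    """Return (match, identity) for an EAP Identity response."""
    pkt = parse_eap_message(hex_attr)
    if pkt["code"] != EAP_CODE_RESPONSE or pkt["type"] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity response")
    return pkt["identity"] == user_name, pkt["identity"]


def strip_realm(user_name):
    """Constructed helper: what a realm entry without 'nostrip' does to
    User-Name before the request is proxied ('test@test.nl' -> 'test')."""
    return user_name.split("@", 1)[0]


if __name__ == "__main__":
    print(parse_eap_message(POSTED_EAP_MESSAGE))
    for name in (strip_realm("test@test.nl"), "test@test.nl"):
        ok, ident = identity_matches_user_name(name, POSTED_EAP_MESSAGE)
        print("User-Name=%r EAP-Identity=%r match=%s" % (name, ident, ok))
```

Run as-is it prints the decoded packet (Response, id 1, length 17, Identity "test@test.nl") and shows that the stripped User-Name "test" does not match while the unstripped one does. It says nothing about the MS-CHAP2-Response failure seen with nostrip, which is a separate check inside the tunnel.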
ADSL Accounting
I am having trouble with usage-based statistics because FreeRADIUS stores its Acct-Input-Octets and Acct-Output-Octets in an integer. While this is great for dial-up monitoring, it is a bit of a problem for ADSL, where the input and output values often exceed 4294967295 bytes, at which point the counter resets to 0. I have asked our provider to send us the Gigawords attribute but they do not support it. So my question is: are the FreeRADIUS developers working on a solution to this one at the moment, or is this a complete rewrite into another language to overcome it? Anyone know a way round it other than me writing a daemon that collects the data and then passes it to FreeRADIUS afterward?

Cheers
Mike
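Added example, not from the thread and not FreeRADIUS code: reconstructing 64-bit byte counts from the 32-bit Acct-Input-Octets / Acct-Output-Octets attributes, both when the NAS sends the Gigawords attributes (RFC 2869) and when it does not, which is the poster's situation. Without Gigawords the only information about a wrap is the counter going backwards between two records of the same session, so the inference below needs the interim updates the poster already has enabled. The accounting records are constructed.

```python
"""Reconstruct 64-bit byte counts from 32-bit RADIUS accounting counters.

Added example, not FreeRADIUS code.  Two cases:
  * Acct-*-Gigawords present: the NAS reports the high 32 bits itself.
  * Gigawords absent: the 32-bit counter resets to 0 after 4294967295, so
    a wrap is inferred whenever a session's counter goes backwards between
    consecutive records (Interim-Update or Stop).
The records in SAMPLE_RECORDS are constructed for illustration.
"""
MODULUS = 1 << 32  # unsigned 32-bit counter: 0 .. 4294967295


def total_octets(octets, gigawords=0):
    """Combine Acct-*-Octets with Acct-*-Gigawords into one 64-bit count."""
    if not 0 <= octets < MODULUS or gigawords < 0:
        raise ValueError("counter value out of range")
    return gigawords * MODULUS + octets


class SessionCounter:
    """Track one direction of one Acct-Session-Id across records, inferring
    wraps when Gigawords is not sent.

    Assumption: records arrive often enough that the counter cannot wrap
    twice between two of them.  With updates every minute that means less
    than 2^32 bytes per minute, roughly 570 Mbit/s, which holds for ADSL.
    """

    def __init__(self):
        self.last = None   # last raw 32-bit value seen
        self.wraps = 0     # how many times the counter passed 2^32

    def update(self, raw):
        if not 0 <= raw < MODULUS:
            raise ValueError("not a 32-bit counter value: %r" % raw)
        if self.last is not None and raw < self.last:
            self.wraps += 1    # counter went backwards: it reset to 0
        self.last = raw
        return self.total()

    def total(self):
        if self.last is None:
            return 0
        return self.wraps * MODULUS + self.last


def session_totals(records):
    """Walk accounting records in arrival order and return
    {Acct-Session-Id: (input_bytes, output_bytes)} as 64-bit totals.
    Gigawords are used when present, otherwise wraps are inferred."""
    counters = {}
    totals = {}
    for rec in records:
        sid = rec["Acct-Session-Id"]
        in_c, out_c = counters.setdefault(sid, (SessionCounter(), SessionCounter()))
        if "Acct-Input-Gigawords" in rec:
            in_total = total_octets(rec["Acct-Input-Octets"], rec["Acct-Input-Gigawords"])
        else:
            in_total = in_c.update(rec["Acct-Input-Octets"])
        if "Acct-Output-Gigawords" in rec:
            out_total = total_octets(rec["Acct-Output-Octets"], rec["Acct-Output-Gigawords"])
        else:
            out_total = out_c.update(rec["Acct-Output-Octets"])
        totals[sid] = (in_total, out_total)
    return totals


# Constructed records.  Session adsl-1 has no Gigawords and its input
# counter wraps between the second and third record; adsl-2 sends Gigawords.
SAMPLE_RECORDS = [
    {"Acct-Session-Id": "adsl-1", "Acct-Input-Octets": 1000000000, "Acct-Output-Octets": 1000000000},
    {"Acct-Session-Id": "adsl-1", "Acct-Input-Octets": 3000000000, "Acct-Output-Octets": 1500000000},
    {"Acct-Session-Id": "adsl-1", "Acct-Input-Octets": 500000000, "Acct-Output-Octets": 2000000000},
    {"Acct-Session-Id": "adsl-1", "Acct-Input-Octets": 2500000000, "Acct-Output-Octets": 2500000000},
    {"Acct-Session-Id": "adsl-2", "Acct-Input-Octets": 2500000000, "Acct-Input-Gigawords": 1,
     "Acct-Output-Octets": 10, "Acct-Output-Gigawords": 0},
]

if __name__ == "__main__":
    for sid, (i, o) in sorted(session_totals(SAMPLE_RECORDS).items()):
        print("%s: in=%d out=%d" % (sid, i, o))
```

The inference only works on a sequence of records per session: a lone Stop record whose counter has already wrapped is indistinguishable from a short session, which is why the interim updates matter, and why Gigawords from the NAS remain the only fully reliable source.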
Re: radrelay transmission rate (Kostas Kalevras)
On Mon, 6 Dec 2004, Bruno Lague wrote:
> > I've been working on a few changes to radrelay, mainly regarding making the
> > sleep time configurable and adding a few more things. The changes have been
> > made in radsqlrelay initially but they'll go in radrelay also. That won't
> > change your numbers but at least make a few things configurable.
>
> good, that's a useful intermediate step - will allow to tune without changing code.

OK do a cvs update on radrelay.c. You can now set the sleep time between sending packets and also how many packets we must send before we sleep (default one). ms_sleep/isdateline are also inline now.

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Fwd: huntgroup + MySQL : User-Name works, Group does not
Hi. I'm reposting this in hopes that someone will be able to give me some insight as to what I've missed... Thanks for your time!

Begin forwarded message:

From: Jason Lixfeld <[EMAIL PROTECTED]>
Date: December 3, 2004 8:37:47 PM EST
To: [EMAIL PROTECTED]
Subject: huntgroup + MySQL : User-Name works, Group does not
Reply-To: [EMAIL PROTECTED]

Hello... I'm having a hard time wrapping my head around some problems I'm having with huntgroups. I'm trying to permit access only based on if a request comes from a certain huntgroup and the user is a member of said group. Here's radtest:

# radtest [EMAIL PROTECTED] beantest 127.0.0.1 10 testing123 ppp 255.255.255.255
Sending Access-Request of id 156 to 127.0.0.1:1812
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "beantest"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
        Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=156, length=20

The output from -X for that radtest:

rad_recv: Access-Request packet from host 127.0.0.1:3469, id=160, length=80
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "beantest"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
        Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 39
No huntgroup access: [EMAIL PROTECTED] (from client localhost port 10)
  modcall[authorize]: module "preprocess" returns reject for request 39
modcall: group authorize returns reject for request 39
Invalid user: [EMAIL PROTECTED] (from client localhost port 10)
Delaying request 39 for 1 seconds
Finished request 39
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 160 to 127.0.0.1:3469
Waking up in 4 seconds...
The entry in huntgroups:

wirelesshunt    NAS-IP-Address == 255.255.255.255
                Group = wireless

And finally the SQL data for that user:

mysql> select * from radcheck where Value = 'wirelesshunt';
+-----+-------------------+----------------+----+--------------+
| id  | UserName          | Attribute      | op | Value        |
+-----+-------------------+----------------+----+--------------+
| 539 | [EMAIL PROTECTED] | Huntgroup-Name | == | wirelesshunt |
+-----+-------------------+----------------+----+--------------+
1 row in set (0.00 sec)

mysql> select * from usergroup where UserName like 'beantest%';
+-----+-------------------+-----------+
| id  | UserName          | GroupName |
+-----+-------------------+-----------+
| 527 | [EMAIL PROTECTED] | wireless  |
+-----+-------------------+-----------+
1 row in set (0.00 sec)

So reading the users file, I see this:

# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson        Service-Type == Framed-User, Huntgroup-Name == "alphen"
#               Framed-IP-Address = 192.168.1.65,
#               Fall-Through = Yes

As I understand it, the Huntgroup-Name for swilson is a check item. I've matched that in my radcheck table above. I read the huntgroups file and I see this:

# Matching is done while RADIUS scans the user file; if it
# includes the selection criterium "Huntgroup-Name == XXX"
# the huntgroup is looked up in this file to see if it
# matches. There can be multiple definitions of the same
# huntgroup; the first one that matches will be used.
#
# This file can also be used to define restricted access
# to certain huntgroups. The second and following lines
# define the access restrictions (based on username and
# UNIX usergroup) for the huntgroup.
...
...
...
#business       NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 0-7
#               User-Name = rogerl,
#               User-Name = henks,
#               Group = business,
#               Group = staff

So in my case, it should check sql (in the authorize module, files is commented out and sql is in there).
I have no explicit User-Name configured in huntgroups, but as per the comments above, my SQL membership of usergroup for my test user above should be valid for Group =

The funny thing about all this is if I change my huntgroup to this:

wirelesshunt    NAS-IP-Address == 255.255.255.255
                Group = wireless,
                User-Name = [EMAIL PROTECTED]

it works like a charm, except I want to match on group, not explicitly match based on username:

rad_recv: Access-Request packet from host 127.0.0.1:4215, id=183, length=80
        User-Name = "[EMAIL PROTECTED]"
Re: radrelay transmission rate (Kostas Kalevras)
On Mon, 6 Dec 2004, Bruno Lague wrote:

Well, NR_SLOTS does not really matter if your accounting is quick enough. Try commenting out the ms_sleep() between the do_send() calls.

I had tried this too, and just retried again, and the rate goes down to ~30 packets/sec. Looks like the traffic becomes quite bursty, and the retransmission pattern causes intermittent silent periods. For example, packet 434 is a response from RS2 to RS1, and packet 435 goes out 14.52 seconds after it (request from RS1 to RS2). I saw 37 periods of 1-sec or more silence.

The silence can be attributed to the backoff mechanism of radrelay. Maybe we could sleep after we've sent a few packets instead of sleeping after every packet. You can try to put in ms_sleep() after a few packets have been sent (say every 4-5 packets).

That's a nice thing to know, thanks.

I'll put it in radrelay anyway. I also need to take a look at radclient and see if it's worth using the same mechanism.

Note that the CPU on RS1 (running the radrelay instance that is processing the backlog) still takes less than 1% of CPU, with or without the above changes.

That's normal, it's an I/O bound application.

well, CPU is ~0%, and so is disk usage, and bandwidth usage. For the moment, no resource is pushed to its limit.

Well, even for 200 reqs/sec, that's ~200KB/sec for the disk and much less for the network. As for CPU, I don't think that rate can be a problem. So 0-1% is normal.

threading sound like an idea yes. Another idea is to get load-balancing code inside freeradius. Then you could do something like the following:

accounting {
        loadbalance {
                relay_detail1
                relay_detail2
                relay_detail3
        }
}

radrelay relay_detail1
radrelay relay_detail2
radrelay relay_detail3

That way you don't need to change much (apart from a few changes to the server core) and you increase the overall performance by parallelizing radrelay and the detail module.

Agree that would work too. I'd be glad to give it a try as soon as it's available.

Well, Alan was quite nice to provide that feature in a flash :-D, so it's available in CVS.

thanks,
Bruno

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: radrelay transmission rate (Kostas Kalevras)
> I've been working on a few changes to radrelay, mainly regarding making the
> sleep time configurable and adding a few more things. The changes have been
> made in radsqlrelay initially but they'll go in radrelay also. That won't
> change your numbers but at least make a few things configurable.

good, that's a useful intermediate step - will allow to tune without changing code.

> > I also tried various values of NR_SLOTS, but it doesn't change the overall
> > time it takes to transfer a large backlog of accounting requests.
>
> Well, NR_SLOTS does not really matter if your accounting is quick enough.
> Try commenting out the ms_sleep() between the do_send() calls.

I had tried this too, and just retried again, and the rate goes down to ~30 packets/sec. Looks like the traffic becomes quite bursty, and the retransmission pattern causes intermittent silent periods. For example, packet 434 is a response from RS2 to RS1, and packet 435 goes out 14.52 seconds after it (request from RS1 to RS2).
I saw 37 periods of 1-sec or more silence, listed below:

No.    Time       Source          Destination     Info
65     1.900217   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=616)
129    2.741964   192.168.12.80   192.168.12.34   Accounting Response(5) (id=7, l=20)
288    1.857164   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=618)
290    5.989420   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=616)
356    11.695879  192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=616)
435    14.520559  192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=618)
736    1.346075   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=618)
911    2.044088   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=618)
1079   2.088782   192.168.12.34   192.168.12.80   Accounting Request(4) (id=1, l=618)
1264   1.970677   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=618)
1463   1.826821   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=618)
1660   1.881720   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
1916   1.593158   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
2065   1.727769   192.168.12.34   192.168.12.80   Accounting Request(4) (id=1, l=620)
2762   1.740835   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
2831   4.966427   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
2885   8.717565   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
3230   2.007186   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
3376   2.199381   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
3597   1.820478   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
3731   1.794183   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
4167   2.125003   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
4707   2.043159   192.168.12.34   192.168.12.80   Accounting Request(4) (id=1, l=620)
4965   1.586214   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
5131   2.111933   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
5298   2.088369   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
5521   1.750188   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
5892   1.934175   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
6459   1.809148   192.168.12.34   192.168.12.80   Accounting Request(4) (id=1, l=620)
6855   1.856238   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
7029   2.015883   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
7390   1.962640   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
7764   1.936479   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
8246   1.374217   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
8492   1.877480   192.168.12.34   192.168.12.80   Accounting Request(4) (id=1, l=620)
9022   2.055465   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)
9491   1.375418   192.168.12.34   192.168.12.80   Accounting Request(4) (id=0, l=620)

> > Note that the CPU on RS1 (running the radrelay instance that is processing
> > the backlog) still takes less than 1% of CPU, with or without the above
> > changes.
>
> That's normal it's an I/O bound application.

well, CPU is ~0%, and so is disk usage, and bandwidth usage. For the moment, no resource is pushed to its limit.

> threading sound like an idea yes. Another idea is to get load-balancing code
> inside freeradius. Then you could do something like the following:
> accounting {
> loadbalance {
> relay_detail1
>
Re: [radius] Re: FR ignoring case and Simultaneous Use
On Sun, 5 Dec 2004, Nick Marino wrote:

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, December 05, 2004 9:02 PM
Subject: [radius] Re: FR ignoring case and Simultaneous Use

"Nick Marino" <[EMAIL PROTECTED]> wrote:

I have a situation with users being able to login using various case letters in their logins and bypassing Simultaneous-Use even though Simultaneous-Use is in effect.

Yeah... I've been discussing some changes to radutmp with Kostas that will also fix that problem. The issue is that the NAS is case-sensitive, so the server has to remember what case the user logged in with, otherwise radutmp won't work. But the server is case-insensitive, because you don't care if it's "dean" or "Dean". The only solution in the current server is to forcibly change all usernames to one case. "checkrad" won't work sometimes then, as it will ask the NAS for "dean" when "DEAN" is the name used to log in.

Alan DeKok.

Ok what about setting the option in the sql.conf to force all user names to lower case when someone logs in, would that then force Dean to dean and Simultaneous-Use would then work as it should?

You can do the following: set lower_user = before in radiusd.conf (also setting nospace_user = before might help). Then change checkrad to do a case/space ignore match on the provided username when querying the NAS. Then things should work.

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
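Added example, not from the thread and not FreeRADIUS code: a small model of the Simultaneous-Use bypass described above and of the lower_user / nospace_user normalisation Kostas suggests, together with the case- and space-insensitive comparison checkrad would then need when it asks the NAS who is on a port. The radutmp-style session table and the login attempts are constructed.

```python
"""Simultaneous-Use bypass via username case and spacing, and the
normalisation that closes it.

Added example, not FreeRADIUS code.  normalise_user() mirrors what
lower_user = before / nospace_user = before do to User-Name before the
Simultaneous-Use check; SESSIONS is a constructed radutmp-style table.
"""
SIMULTANEOUS_USE = 1   # limit configured for the account


def normalise_user(user_name, lower=True, nospace=True):
    """Apply the radiusd.conf lower_user / nospace_user transformations."""
    name = user_name
    if nospace:
        name = "".join(name.split())   # drop every whitespace character
    if lower:
        name = name.lower()
    return name


def active_sessions(session_table, user_name, normalise):
    """Count live sessions belonging to user_name.

    With normalise=False the comparison is byte-for-byte on the name as the
    NAS sent it, so 'Dean' and 'dean' are two different users and the limit
    never applies across them.  With normalise=True both sides are reduced
    to the same canonical form first.
    """
    if normalise:
        key = normalise_user(user_name)
        return sum(1 for s in session_table if normalise_user(s["user"]) == key)
    return sum(1 for s in session_table if s["user"] == user_name)


def login_allowed(session_table, user_name, normalise=True, limit=SIMULTANEOUS_USE):
    """Simultaneous-Use decision for a new Access-Request."""
    return active_sessions(session_table, user_name, normalise) < limit


def checkrad_matches(nas_reported_name, radutmp_name):
    """Case/space-insensitive match between the name the NAS reports on a
    port and the radutmp entry, so a stale-session check still recognises
    'DEAN' on the NAS as the 'dean' the server stored."""
    return normalise_user(nas_reported_name) == normalise_user(radutmp_name)


# Constructed radutmp-style table: 'dean' is already logged in on port 3.
SESSIONS = [{"user": "dean", "nas": "192.0.2.1", "port": 3}]

if __name__ == "__main__":
    for attempt in ("dean", "Dean", "DEAN", "dean ", "d ean"):
        print("%-7r raw:%-5s normalised:%s" % (
            attempt,
            login_allowed(SESSIONS, attempt, normalise=False),
            login_allowed(SESSIONS, attempt, normalise=True)))
```

Run as-is, every variant except the exact string "dean" is let in with normalisation off and refused with it on. Normalising only the new request is not enough: the names already stored in the session table must be canonical too, which is why the setting has to be in effect before the first login is recorded.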
Re: Cisco Command authorization
There are settings in the Cisco IOS that will allow you to authenticate an administrator through a FreeRADIUS server.

Lim Han Shyong wrote:
> Hi all:
> I would like to use FreeRADIUS to authenticate the telnet service into Cisco. It works after setup. So now my further questions are:
> 1. How do I configure command authorization with FreeRADIUS? Which means I only allow the user to enter certain commands during the telnet session.
> 2. How do I build the access list to restrict which users can telnet?
Re: Authentication Problem
I'm having the same problem, but no one seems to know the answer. I'll let you know if I find out some info.

Regards
Adam

On Sunday 05 December 2004 11:26, Thor Spruyt wrote:
> Read the documentation of your NAS, it might expect certain attribute/value
> pairs in the reply that you're not sending.
> Maybe the NAS has some debugging features also?
>
> --
> Regards,
>
> Thor Spruyt
> E: [EMAIL PROTECTED]
> W: www.thor-spruyt.com
> M: +32 (0)475 67 22 65
> Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth
> Huysmans) now via www.salesguide.be
> Discover the Telenet Hotspot service at www.telenet.be/hotspots
>
> - Original Message -
> From: Rafael Gómez
> To: [EMAIL PROTECTED]
> Sent: Saturday, December 04, 2004 8:10 PM
> Subject: Authentication Problem
>
> Every time a user tries to connect the answer is the following:
>
> rad_recv: Access-Request packet from host 209.127.82.2:1645, id=189, length=94
>         NAS-IP-Address = 209.127.82.2
>         NAS-Port = 40
>         NAS-Port-Type = Virtual
>         User-Name = "rgomez"
>         Called-Station-Id = "9933"
>         Calling-Station-Id = "2122852879"
>         User-Password = "zqn58ifm"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
> rlm_eap: EAP-Message not found
> rlm_sql (sql): Reserving sql socket id: 0
> rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'rgomez' ORDER BY id
> rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'rgomez' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
> rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'rgomez' ORDER BY id
> rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'rgomez' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
> rlm_sql (sql): Released sql socket id: 0
> Login OK: [rgomez/zqn58ifm] (from client cantv port 40 cli 2122852879)
> Sending Access-Accept of id 189 to 209.127.82.2:1645
>         Framed-Protocol := PPP
>         Framed-MTU = 1500
>         Framed-Compression = Van-Jacobson-TCP-IP
>         Idle-Timeout = 62000
>
> As you can see there is not an accounting answer. In the user's computer
> the access is denied, I don't know why. I test the RADIUS server with
> radtest locally and ntradping remotely. Both of them work well. The problem
> is when I try to dial and authenticate via that server. I installed another
> server and I have the same.
>
> Anyone who can help?
>
> Thanks in advance
> Rafael Gomez
> CCOM Venezuela
> [EMAIL PROTECTED]
> tel: 58-212-286.06.63
> fax: 58-212-286.17.19
Re: auth from cisco to freeradius msql
I'm using mysql for authentication. On Monday 06 December 2004 10:29, Lim Han Shyong wrote: > Hi: > > Hmm.. What u set in your user file ? > > user Auth-Type:= Local, User-Password = "testing" > Service-Type = NAS-Prompt-User > > > this mine, it can done basic authentication. Probably can have a try ^_^ > > > HSL > > > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Frog > Sent: Monday, December 06, 2004 4:10 PM > To: [EMAIL PROTECTED] > Subject: Re: auth from cisco to freeradius msql > > > Yes but if I try get access from my router or dialup the auth fails. > > > Adam > > On Friday 03 December 2004 11:02, Lim Han Shyong wrote: > > Hi, > > > > Not understand what u want... radius already authenticate and send > > the Access accept packet back. > > > > > > HSL > > > > > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] Behalf Of Frog > > Sent: Friday, December 03, 2004 4:53 PM > > To: [EMAIL PROTECTED] > > Subject: auth from cisco to freeradius msql > > > > > > Hi list > > > > I'm in the process of setting up my first radius server. Radius starts ok > > and > > auths with radtest but from cisco it does not. I'm running Fedora Core 2 > > with > > freeradius ver 1.0.1 using cisco 1601 (testing) > > > > here is the cisco setup followed by radius radiusd -f startup then > > when > > > I > > try and authenticate in debug mode. 
> > ----------------------------------------------------------------------
> >
> > aaa new-model
> > aaa authentication login default group radius none
> > aaa authentication login none none
> > aaa authentication login unilynx local
> > aaa authentication login consoleport none
> > aaa authentication ppp default group radius none
> > aaa authentication ppp unilynx-radius group radius local
> > aaa authentication ppp radppp if-needed group radius
> > aaa authorization network default group radius
> > aaa accounting update newinfo
> > aaa accounting network default wait-start group radius
> >
> > ip radius source-interface Loopback0
> > snmp-server engineID local 0009020142062DED
> > snmp-server community public RO 97
> > radius-server host 192.168.2.254 auth-port 1812 acct-port 1813 non-standard
> > radius-server retransmit 2
> > radius-server timeout 8
> > radius-server deadtime 2
> > radius-server key password
> >
> > ----------------------------------------------------------------------
> > Fri Dec 3 10:38:47 2004 : Info: Starting - reading configuration files ...
> > Fri Dec 3 10:38:47 2004 : Debug: reread_config: reading radiusd.conf
> > Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/proxy.conf
> > Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/clients.conf
> > Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/snmp.conf
> > Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/sql.conf
> > Fri Dec 3 10:38:47 2004 : Debug: main: prefix = "/usr/local"
> > Fri Dec 3 10:38:47 2004 : Debug: main: localstatedir = "/usr/local/var"
> > Fri Dec 3 10:38:47 2004 : Debug: main: logdir = "/usr/local/var/log/radius"
> > Fri Dec 3 10:38:47 2004 : Debug: main: libdir = "/home/temp/freeradius/freeradius-1.0.1/src/modules"
> > Fri Dec 3 10:38:47 2004 : Debug: main: radacctdir = "/usr/local/var/log/radius/radacct"
> > Fri Dec 3 10:38:47 2004 : Debug: main: hostname_lookups = no
> > Fri Dec 3 10:38:47 2004 : Debug: main: max_request_time = 30
> > Fri Dec 3 10:38:47 2004 : Debug: main: cleanup_delay = 5
> > Fri Dec 3 10:38:47 2004 : Debug: main: max_requests = 1024
> > Fri Dec 3 10:38:47 2004 : Debug: main: delete_blocked_requests = 0
> > Fri Dec 3 10:38:47 2004 : Debug: main: port = 0
> > Fri Dec 3 10:38:47 2004 : Debug: main: allow_core_dumps = no
> > Fri Dec 3 10:38:47 2004 : Debug: main: log_stripped_names = no
> > Fri Dec 3 10:38:47 2004 : Debug: main: log_file = "/usr/local/var/log/radius/radius.log"
> > Fri Dec 3 10:38:47 2004 : Debug: main: log_auth = no
> > Fri Dec 3 10:38:47 2004 : Debug: main: log_auth_badpass = no
> > Fri Dec 3 10:38:47 2004 : Debug: main: log_auth_goodpass = no
> > Fri Dec 3 10:38:47 2004 : Debug: main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> > Fri Dec 3 10:38:47 2004 : Debug: main: user = "(null)"
> > Fri Dec 3 10:38:47 2004 : Debug: main: group = "(null)"
> > Fri Dec 3 10:38:47 2004 : Debug: main: usercollide = no
> > Fri Dec 3 10:38:47 2004 : Debug: main: lower_user = "no"
> > Fri Dec 3 10:38:47 2004 : Debug: main: lower_pass = "no"
> > Fri Dec 3 10:38:47 2004 : Debug: main: nospace_user = "no"
> > Fri Dec 3 10:38:47 2004 : Debug: main: nospace_pass = "no"
> > Fri Dec 3 10:38:47 2004 : Debug: main: checkrad =
Re: Bug with dead_time and max_request_time?
On Fri, 2004-12-03 at 15:53 -0500, Alan DeKok wrote:
> John Horne <[EMAIL PROTECTED]> wrote:
> > The problem is that if the first server fails and the local server
> > receives a request then it tries to talk to the first DEFAULT server and
> > fails, eventually marking it as 'dead'. This is fine but the local
> > server also sends back to the client a reject rather than trying the
> > second DEFAULT server.
>
> By the time the local server decides that the home server is dead,
> there is a 99% chance that the NAS has already given up on the request.
>
> There generally isn't much point in trying to send the request to
> another home server.
>
But these aren't home servers. They are external servers used as part of the authentication process and as such are configured as two separate DEFAULT realm servers with external 'authhost' domain names. In that respect the local server should proxy the request to the second server because it has nothing to do with the first server - they are in different locations.

John.

--
John Horne, University of Plymouth, UK   Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839
RE: auth from cisco to freeradius msql
Hi:

Hmm.. What u set in your user file?

user    Auth-Type := Local, User-Password = "testing"
        Service-Type = NAS-Prompt-User

This is mine, it can do basic authentication. Probably can have a try ^_^

HSL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Frog
Sent: Monday, December 06, 2004 4:10 PM
To: [EMAIL PROTECTED]
Subject: Re: auth from cisco to freeradius msql

Yes but if I try to get access from my router or dialup the auth fails.

Adam

On Friday 03 December 2004 11:02, Lim Han Shyong wrote:
> Hi,
>
> Not understand what u want... radius already authenticates and sends the
> Access-Accept packet back.
>
> HSL
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Frog
> Sent: Friday, December 03, 2004 4:53 PM
> To: [EMAIL PROTECTED]
> Subject: auth from cisco to freeradius msql
>
> Hi list
>
> I'm in the process of setting up my first radius server. Radius starts ok
> and auths with radtest but from cisco it does not. I'm running Fedora Core 2
> with freeradius ver 1.0.1 using cisco 1601 (testing)
>
> here is the cisco setup followed by radius radiusd -f startup then when
> I try and authenticate in debug mode.
> ----------------------------------------------------------------------
>
> aaa new-model
> aaa authentication login default group radius none
> aaa authentication login none none
> aaa authentication login unilynx local
> aaa authentication login consoleport none
> aaa authentication ppp default group radius none
> aaa authentication ppp unilynx-radius group radius local
> aaa authentication ppp radppp if-needed group radius
> aaa authorization network default group radius
> aaa accounting update newinfo
> aaa accounting network default wait-start group radius
>
> ip radius source-interface Loopback0
> snmp-server engineID local 0009020142062DED
> snmp-server community public RO 97
> radius-server host 192.168.2.254 auth-port 1812 acct-port 1813 non-standard
> radius-server retransmit 2
> radius-server timeout 8
> radius-server deadtime 2
> radius-server key password
>
> ----------------------------------------------------------------------
> Fri Dec 3 10:38:47 2004 : Info: Starting - reading configuration files ...
> Fri Dec 3 10:38:47 2004 : Debug: reread_config: reading radiusd.conf
> Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/proxy.conf
> Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/clients.conf
> Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/snmp.conf
> Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/sql.conf
> Fri Dec 3 10:38:47 2004 : Debug: main: prefix = "/usr/local"
> Fri Dec 3 10:38:47 2004 : Debug: main: localstatedir = "/usr/local/var"
> Fri Dec 3 10:38:47 2004 : Debug: main: logdir = "/usr/local/var/log/radius"
> Fri Dec 3 10:38:47 2004 : Debug: main: libdir = "/home/temp/freeradius/freeradius-1.0.1/src/modules"
> Fri Dec 3 10:38:47 2004 : Debug: main: radacctdir = "/usr/local/var/log/radius/radacct"
> Fri Dec 3 10:38:47 2004 : Debug: main: hostname_lookups = no
> Fri Dec 3 10:38:47 2004 : Debug: main: max_request_time = 30
> Fri Dec 3 10:38:47 2004 : Debug: main: cleanup_delay = 5
> Fri Dec 3 10:38:47 2004 : Debug: main: max_requests = 1024
> Fri Dec 3 10:38:47 2004 : Debug: main: delete_blocked_requests = 0
> Fri Dec 3 10:38:47 2004 : Debug: main: port = 0
> Fri Dec 3 10:38:47 2004 : Debug: main: allow_core_dumps = no
> Fri Dec 3 10:38:47 2004 : Debug: main: log_stripped_names = no
> Fri Dec 3 10:38:47 2004 : Debug: main: log_file = "/usr/local/var/log/radius/radius.log"
> Fri Dec 3 10:38:47 2004 : Debug: main: log_auth = no
> Fri Dec 3 10:38:47 2004 : Debug: main: log_auth_badpass = no
> Fri Dec 3 10:38:47 2004 : Debug: main: log_auth_goodpass = no
> Fri Dec 3 10:38:47 2004 : Debug: main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> Fri Dec 3 10:38:47 2004 : Debug: main: user = "(null)"
> Fri Dec 3 10:38:47 2004 : Debug: main: group = "(null)"
> Fri Dec 3 10:38:47 2004 : Debug: main: usercollide = no
> Fri Dec 3 10:38:47 2004 : Debug: main: lower_user = "no"
> Fri Dec 3 10:38:47 2004 : Debug: main: lower_pass = "no"
> Fri Dec 3 10:38:47 2004 : Debug: main: nospace_user = "no"
> Fri Dec 3 10:38:47 2004 : Debug: main: nospace_pass = "no"
> Fri Dec 3 10:38:47 2004 : Debug: main: checkrad = "/usr/local/sbin/checkrad"
> Fri Dec 3 10:38:47 2004 : Debug: main: proxy_requests = yes
> Fri Dec 3 10:38:47 2004 : Debug: proxy: retry_delay = 5
> Fri Dec 3 10:38:47 2004 : Debug: proxy: retry_count = 3
> Fri Dec 3 10:38:47 2004 : Debug: proxy: synchronous = no
> Fri Dec 3 10:38:47 2004 : Debug: proxy: default_fallback = no
> Fri Dec 3 10:38:47 2004 : D
Re: auth from cisco to freeradius msql
Yes, but if I try to get access from my router or dialup, the auth fails.

Adam

On Friday 03 December 2004 11:02, Lim Han Shyong wrote:
> Hi,
>
> I don't understand what you want... RADIUS already authenticates and sends the
> Access-Accept packet back.
>
> HSL
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frog
> Sent: Friday, December 03, 2004 4:53 PM
> To: [EMAIL PROTECTED]
> Subject: auth from cisco to freeradius msql
>
> Hi list
>
> I'm in the process of setting up my first radius server. Radius starts ok and
> auths with radtest, but from cisco it does not. I'm running Fedora Core 2 with
> freeradius ver 1.0.1, using a cisco 1601 (testing).
>
> Here is the cisco setup, followed by the radius "radiusd -f" startup, then
> when I try and authenticate in debug mode.
>
> ----------
>
> aaa new-model
> aaa authentication login default group radius none
> aaa authentication login none none
> aaa authentication login unilynx local
> aaa authentication login consoleport none
> aaa authentication ppp default group radius none
> aaa authentication ppp unilynx-radius group radius local
> aaa authentication ppp radppp if-needed group radius
> aaa authorization network default group radius
> aaa accounting update newinfo
> aaa accounting network default wait-start group radius
>
> ip radius source-interface Loopback0
> snmp-server engineID local 0009020142062DED
> snmp-server community public RO 97
> radius-server host 192.168.2.254 auth-port 1812 acct-port 1813 non-standard
> radius-server retransmit 2
> radius-server timeout 8
> radius-server deadtime 2
> radius-server key password
>
> ----------
> Fri Dec 3 10:38:47 2004 : Info: Starting - reading configuration files ...
> Fri Dec 3 10:38:47 2004 : Debug: reread_config: reading radiusd.conf
> Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/proxy.conf
> Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/clients.conf
> Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/snmp.conf
> Fri Dec 3 10:38:47 2004 : Debug: Config: including file: /usr/local/etc/raddb/sql.conf
> Fri Dec 3 10:38:47 2004 : Debug: main: prefix = "/usr/local"
> Fri Dec 3 10:38:47 2004 : Debug: main: localstatedir = "/usr/local/var"
> Fri Dec 3 10:38:47 2004 : Debug: main: logdir = "/usr/local/var/log/radius"
> Fri Dec 3 10:38:47 2004 : Debug: main: libdir = "/home/temp/freeradius/freeradius-1.0.1/src/modules"
> Fri Dec 3 10:38:47 2004 : Debug: main: radacctdir = "/usr/local/var/log/radius/radacct"
> Fri Dec 3 10:38:47 2004 : Debug: main: hostname_lookups = no
> Fri Dec 3 10:38:47 2004 : Debug: main: max_request_time = 30
> Fri Dec 3 10:38:47 2004 : Debug: main: cleanup_delay = 5
> Fri Dec 3 10:38:47 2004 : Debug: main: max_requests = 1024
> Fri Dec 3 10:38:47 2004 : Debug: main: delete_blocked_requests = 0
> Fri Dec 3 10:38:47 2004 : Debug: main: port = 0
> Fri Dec 3 10:38:47 2004 : Debug: main: allow_core_dumps = no
> Fri Dec 3 10:38:47 2004 : Debug: main: log_stripped_names = no
> Fri Dec 3 10:38:47 2004 : Debug: main: log_file = "/usr/local/var/log/radius/radius.log"
> Fri Dec 3 10:38:47 2004 : Debug: main: log_auth = no
> Fri Dec 3 10:38:47 2004 : Debug: main: log_auth_badpass = no
> Fri Dec 3 10:38:47 2004 : Debug: main: log_auth_goodpass = no
> Fri Dec 3 10:38:47 2004 : Debug: main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> Fri Dec 3 10:38:47 2004 : Debug: main: user = "(null)"
> Fri Dec 3 10:38:47 2004 : Debug: main: group = "(null)"
> Fri Dec 3 10:38:47 2004 : Debug: main: usercollide = no
> Fri Dec 3 10:38:47 2004 : Debug: main: lower_user = "no"
> Fri Dec 3 10:38:47 2004 : Debug: main: lower_pass = "no"
> Fri Dec 3 10:38:47 2004 : Debug: main: nospace_user = "no"
> Fri Dec 3 10:38:47 2004 : Debug: main: nospace_pass = "no"
> Fri Dec 3 10:38:47 2004 : Debug: main: checkrad = "/usr/local/sbin/checkrad"
> Fri Dec 3 10:38:47 2004 : Debug: main: proxy_requests = yes
> Fri Dec 3 10:38:47 2004 : Debug: proxy: retry_delay = 5
> Fri Dec 3 10:38:47 2004 : Debug: proxy: retry_count = 3
> Fri Dec 3 10:38:47 2004 : Debug: proxy: synchronous = no
> Fri Dec 3 10:38:47 2004 : Debug: proxy: default_fallback = no
> Fri Dec 3 10:38:47 2004 : Debug: proxy: dead_time = 120
> Fri Dec 3 10:38:47 2004 : Debug: proxy: post_proxy_authorize = no
> Fri Dec 3 10:38:47 2004 : Debug: proxy: wake_all_if_all_dead = no
> Fri Dec 3 10:38:47 2004 : Debug: security: max_attributes = 200
> Fri Dec 3 10:38:47 2004 : Debug: security: reject_delay = 1
> Fri Dec 3 10:38:47 2004 : Debug: security: status_server = no
> Fri Dec 3 10:38:47 2004 : Debug: main: debug_level = 0
> Fri Dec 3 10:38:
Re: Ignoring request from unknown client
Networking 10.192.1.0/24 or 10.192.0.0/16

On Friday 03 December 2004 20:53, Brian Ammons wrote:
> Is this NOT supposed to be "10.192.1.11/32"?
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Basso
> > Sent: Friday, December 03, 2004 12:29 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Ignoring request from unknown client
> >
> > > client 10.192.1.11 {
> > >         secret = testing123
> > >         shortname = mbasso
> > > }
> > >
> > > STILL NO LUCK.
> >
> > > Is this a problem with secrets not matching?
> >
> > No. I am definitely using 'testing123' in the NTRadPing utility.
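Both threads on this page come down to the same server-side check. FreeRADIUS looks up the sender of every packet in clients.conf by the packet's source IP (a bare address is a /32; a prefix widens the match) and only then uses that entry's secret to decode the hidden User-Password. A router with "ip radius source-interface Loopback0" sends from its loopback address, so a client entry written for the LAN never matches it and the request is dropped with "Ignoring request from unknown client"; a wrong shared secret, by contrast, is not dropped at all: the password decodes to garbage and the login fails later. Widening the entry to 10.192.0.0/16, as suggested in the second thread, makes the lookup succeed for every host in that /16, which also means every host in that range can use the same shared secret. The script below is an added illustration of that behaviour, not code from the thread or from the FreeRADIUS project; it models the client lookup (most specific prefix wins, which this example assumes) and the RFC 2865 section 5.2 User-Password hiding. The clients.conf text, addresses, secrets, loopback address 10.0.0.1 and Request Authenticator in it are all constructed for the example.

```python
"""Model of FreeRADIUS' clients.conf lookup plus RFC 2865 User-Password hiding.

Added example for this thread; not code from the mailing list or from the
FreeRADIUS project. Every address, secret and packet value is constructed.
"""
import hashlib
import ipaddress
import re

# Constructed clients.conf fragment in FreeRADIUS 1.x syntax. A bare address
# is a /32; 192.168.2.0/24 stands in for the LAN behind the Cisco in the thread.
CLIENTS_CONF = """
client 10.192.1.11 {
        secret    = testing123
        shortname = mbasso
}
client 192.168.2.0/24 {
        secret    = lan-secret
        shortname = lan
}
"""

_CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
_ATTR_RE = re.compile(r"(\w+)\s*=\s*(\S+)")


def parse_clients(text):
    """Return [(network, secret, shortname)] from a clients.conf fragment."""
    clients = []
    for addr, body in _CLIENT_RE.findall(text):
        attrs = dict(_ATTR_RE.findall(body))
        net = ipaddress.ip_network(addr, strict=False)  # bare address -> /32
        clients.append((net, attrs["secret"], attrs.get("shortname", addr)))
    return clients


def lookup_client(clients, src_ip):
    """Match on the packet's *source* IP; the most specific prefix wins (assumed).

    None is the case where the server logs "Ignoring request from unknown client".
    """
    ip = ipaddress.ip_address(src_ip)
    matches = [c for c in clients if ip in c[0]]
    return max(matches, key=lambda c: c[0].prefixlen, default=None)


def _pad16(data):
    return data + b"\x00" * (-len(data) % 16)


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = Request Authenticator."""
    padded = _pad16(password)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; the NAS's trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")


def handle_access_request(clients, src_ip, hidden_password, authenticator):
    """Server-side view of an Access-Request carrying a PAP User-Password.

    Returns ("unknown client", None) when no clients.conf entry covers the
    source IP, otherwise ("ok", recovered_password). A secret mismatch is not
    detected at this stage: the password just decodes to garbage, which is why
    a wrong secret shows up as a failed login rather than a dropped packet.
    """
    client = lookup_client(clients, src_ip)
    if client is None:
        return ("unknown client", None)
    return ("ok", unhide_password(hidden_password, client[1].encode(), authenticator))


if __name__ == "__main__":
    clients = parse_clients(CLIENTS_CONF)
    auth = bytes(range(16))  # constructed Request Authenticator
    hidden = hide_password(b"testing", b"lan-secret", auth)
    # Router sending from its LAN address: covered by 192.168.2.0/24, decodes cleanly.
    print(handle_access_request(clients, "192.168.2.1", hidden, auth))
    # Same router after "ip radius source-interface Loopback0" (loopback 10.0.0.1,
    # constructed): no entry covers it, so the packet is dropped.
    print(handle_access_request(clients, "10.0.0.1", hidden, auth))
    # NAS that matches an entry but was configured with a different secret.
    print(handle_access_request(clients, "10.192.1.11", hidden, auth))
    # Widening 10.192.1.11 to 10.192.0.0/16 accepts the secret from any host in the /16.
    wide = parse_clients(CLIENTS_CONF.replace("client 10.192.1.11 {", "client 10.192.0.0/16 {"))
    print(lookup_client(clients, "10.192.55.7"), lookup_client(wide, "10.192.55.7"))
```

The practical check this suggests: look at the source address in the "Ignoring request from unknown client" log line and write the clients.conf entry for that exact address (the loopback, when the NAS uses a source-interface) rather than reaching for a wider prefix, and keep the default "testing123" secret out of anything beyond a lab.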