Problems with hints file when I use freeradius-1.0.1
Hello, I want to upgrade from freeradius-0.8.1 to freeradius-1.0.1. Beginning of my hints file:

sergk   Strip-User-Name = No
        Hint := admin

It matches only username sergk with freeradius-0.8.1. But it matches any username with freeradius-1.0.1. Is it a bug or a feature?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SQL db failover
Rohaizam Abu Bakar wrote: How can we ensure that the accounting will be sent to sql2 only when sql1 is down?

You might try a different approach:
- store accounting in detail files (man rlm_detail)
- run radsqlrelay to send accounting to the database (get it from a CVS snapshot)

Even if the SQL server is down for a day, radsqlrelay will buffer the accounting packets and send them later. The advantages:
- all accounting goes into a single database (it's easier to check simultaneous login)
- even under high load radsqlrelay still sends accounting requests according to the SQL server's capabilities
- you won't have a lot of outstanding requests on the RADIUS server when the SQL server is slow

-- Nicolas Baradakis
peap problems
Hi! I'm trying to configure freeradius with PEAP authentication. I use WinXP for the client. When starting authentication, I get the following error. Can somebody help me and tell me what is going wrong? I have made changes to the radius.conf, eap.conf, users and clients.conf files. Should I make changes to the huntgroups file? T.ea

Ready to process requests.
rad_recv: Access-Request packet from host 10.50.50.13:1046, id=21, length=141
        User-Name = TWIRE12\\jaskajok
        NAS-IP-Address = 10.50.50.13
        Called-Station-Id = 00034715cbc3
        Calling-Station-Id = 00022d1d5cb1
        NAS-Identifier = WARLORD1
        NAS-Port = 29
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
        Message-Authenticator = 0x1a2a529631d65180ea30bcba1b581e14
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = jaskajok, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    users: Matched jaskajok at 97
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
unexpected message in the radius.log
Hello, today I figured out that on FR 1.0.1 the following Info message appears if the user enters an incorrect password:

Info: rlm_sql (sql): No matching entry in the database for request from user [edgars]

In the previous versions I think it was the usual "Login incorrect bla bla bla". Has this been changed? Thanks! Edgars
Re: freeradius doesn't send cisco-avpairs
I have the following entry in the users file:

bob     User-Password == bob
        Cisco-AVpair = access-list 188 deny ip any any,
        Fall-Through = YES

What's wrong?

Try it like this:

        Cisco-AVPair = ip:inacl#1=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63,
        Cisco-AVPair += ip:inacl#2=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63

The first row needs no + after =, the second one and the following ones need it.

Markus
Strange, attr_rewrite doesn't work normally
Hello all,

I have a problem with attr_rewrite: I have added an attribute in /usr/share/freeradius/freeradius/dictionary

Reply-Message-2    65    string

I haven't added it in /etc/freeradius/dictionary because it doesn't work!!

In radius.conf my configuration is:

attr_rewrite passparunproxy {
        attribute = Reply-Message-2
        searchin = reply
        searchfor =
        replacewith = TEST 1 (Proxy)
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        append = no
}

attr_rewrite passparunproxy1 {
        attribute = Reply-Message
        searchin = reply
        searchfor =
        replacewith = Proxy
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        append = no
}

and in the post_proxy section {
        passparunproxy
        passparunproxy1
}

When a user is accepted, I have Reply-Message and Reply-Message-2. When a user is rejected, I have only Reply-Message. I don't understand that??
Re: Strange, attr_rewrite doesn't work normally
On Mon, 24 Jan 2005, Nans Delrieu wrote: Hello all, I have a problem with attr_rewrite: when a user is accepted, I have Reply-Message and Reply-Message-2. When a user is rejected, I have only Reply-Message. I don't understand that??

Only a few attributes are allowed in an access-reject.

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
Attr_rewrite problem...
Hello,

My configuration is:

Proxy Radius --- primary radius --- secondary radius --- remote radius for realm company.com ---

In the primary radius, I want to add the text LOCAL to the reply message (for example, the primary radius returns: Reply-Message = original text + LOCAL). Is it possible? I have done that but it doesn't work. In the primary radius, radiusd.conf:

attr_rewrite LOCAL {
        attribute = Reply-Message
        searchin = reply
        searchfor = [+ ]        # is it the right parameter? is there a man page for this parameter??
        replacewith = LOCAL
        ignore_case = no
        new_attribute = no
        max_matches = 1
        append = yes
}

authorize {
        LOCAL   # is this the right place to put LOCAL?
}

It doesn't work. Help me.
Re: AW: freeradius doesn't send cisco-avpairs
Hello, Markus. You wrote on 24 January 2005 at 15:15:50:

I have the following entry in the users file:

bob     User-Password == bob
        Cisco-AVpair = access-list 188 deny ip any any,
        Fall-Through = YES

What's wrong?

Try it like this:

        Cisco-AVPair = ip:inacl#1=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63,
        Cisco-AVPair += ip:inacl#2=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63

The first row needs no + after =, the second one and the following ones need it.

Markus

Yeah, found it already. Thanks to all.
Re: freeradius doesn't send cisco-avpairs
Hello, freeradius-users.

I have the following entry in the users file:

bob     User-Password == bob
        Cisco-AVpair = access-list 188 deny ip any any,
        Fall-Through = YES

The radreply log says that all is OK:

Packet-Type = Access-Accept
Fri Jan 21 17:55:56 2005
        Service-Type = Framed-User
        Session-Timeout = 86400
        Cisco-AVPair = access-list 188 deny ip any any
        Framed-Protocol = PPP

But the user isn't getting in. This is what tcpdump shows:

rad-access-accept 80 [id 94] Attr[ Service_type{#539} Session_timeout{24:00:00 hours} [|radius]

[!radius] means that tcpdump is truncating the packet. Run tcpdump and set the snaplen. On my system -s 0 will capture the whole packet. If you don't have that option, try -s 1024. That should be plenty.

freeradius doesn't send attributes after Session_timeout. Here is what a correct rad-access-accept looks like:

rad-access-accept 35 [id 222] Attr[ Service_type{#539} Session_timeout{05:27:24 hours} Proxy_state{0} ]

freeradius acts like a proxy to icradius. What's wrong?
Re: Problems using Freeradius whith PEAP authentication
Hi again. To resolve my problem with freeradius, I updated my system to Red Hat 9.0; this version of Linux has a version of OpenSSL that supports the TLS tunnels for the EAP methods. Thanks again, Paulo Ferreira.

Alan DeKok wrote: Paulo Alexandre Caceres Ferreira [EMAIL PROTECTED] wrote: Hi, now I installed the 0.9.7e version of OpenSSL on my system (Red Hat Linux 7.3) without problems, but freeradius returns the same error. What am I doing wrong?

The compile process is still using the older version. Fix that.

Alan DeKok.
EAP-TTLS and proxyRADIUS (with FreeRadius)
Hi there!

I've a problem with my proxy RADIUS server: I've configured two freeradius servers (each v1.0.1, EAP-TTLS activated). When I log on to the first server (from a Cisco AP-1100), it's OK. I change the IP address of the radius server on the NAS: direct login is OK. Now I use the syntax '[EMAIL PROTECTED]' (configured proxy.conf and clients.conf on each server of course) but I have this log on the second server:

rad_recv: Access-Request packet from host 192.168.1.1:1814, id=0, length=162
        User-Name = anonymous
        Framed-MTU = 1400
        Called-Station-Id = 000e.8440.bbb0
        Calling-Station-Id = 000d.54a1.6e8e
        Service-Type = Login-User
        Message-Authenticator = 0x7775308bbdc7e890a1b0b90518ef5da9
        EAP-Message = 0x0202001f01616e6f6e796d6f75734072656d6f74652e6772656e65742e6672
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 8731
        NAS-IP-Address = 192.168.7.1
        NAS-Identifier = ap-maquette
        Proxy-State = 0x323035
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
  modcall[authorize]: module chap returns noop for request 5
  modcall[authorize]: module mschap returns noop for request 5
    rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 5
  rlm_eap: EAP packet type response id 2 length 31
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 5
    users: Matched DEFAULT at 158
  modcall[authorize]: module files returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Login incorrect: [anonymous] (from client vega port 8731 cli 000d.54a1.6e8e)
Delaying request 5 for 1 seconds
Finished request 5

I don't understand where my mistake is, but the message is clear: rlm_eap: Identity does not match User-Name, setting from EAP Identity.

Is this patch useful? Or isn't it possible to have EAP-TTLS proxied? http://lists.cistron.nl/pipermail/freeradius-devel/2003-November/006393.html

In the list archive I've found a solution with the hints file but I'm not able to understand the syntax (the guy says he has used this): %{Stripped-User-Name:-%{User-Name}}

Thanks to all, David
Testing and/or monitoring freeradius with PEAP
I've got freeradius set up to authenticate wireless clients with PEAP/MSCHAP (to an Active Directory backend) and now I'm looking for a way to test/monitor the radius server. Ideally, I'd like to do something like radtest, but test either PEAP or at least the MSCHAP authentication portion. Does anyone here know of any programs or scripts out there to test radius with MSCHAP authentication?
Re: EAP-TTLS and proxyRADIUS (with FreeRadius)
*oops* sorry! The 'nostrip' option in proxy.conf was missing... it works now!

Regards, David

David ROUMANET wrote:

Hi there!

I've a problem with my proxy RADIUS server: I've configured two freeradius servers (each v1.0.1, EAP-TTLS activated). When I log on to the first server (from a Cisco AP-1100), it's OK. I change the IP address of the radius server on the NAS: direct login is OK. Now I use the syntax '[EMAIL PROTECTED]' (configured proxy.conf and clients.conf on each server of course) but I have this log on the second server:

rad_recv: Access-Request packet from host 192.168.1.1:1814, id=0, length=162
        User-Name = anonymous
        Framed-MTU = 1400
        Called-Station-Id = 000e.8440.bbb0
        Calling-Station-Id = 000d.54a1.6e8e
        Service-Type = Login-User
        Message-Authenticator = 0x7775308bbdc7e890a1b0b90518ef5da9
        EAP-Message = 0x0202001f01616e6f6e796d6f75734072656d6f74652e6772656e65742e6672
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 8731
        NAS-IP-Address = 192.168.7.1
        NAS-Identifier = ap-maquette
        Proxy-State = 0x323035
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
  modcall[authorize]: module chap returns noop for request 5
  modcall[authorize]: module mschap returns noop for request 5
    rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 5
  rlm_eap: EAP packet type response id 2 length 31
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 5
    users: Matched DEFAULT at 158
  modcall[authorize]: module files returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Login incorrect: [anonymous] (from client vega port 8731 cli 000d.54a1.6e8e)
Delaying request 5 for 1 seconds
Finished request 5

I don't understand where my mistake is, but the message is clear: rlm_eap: Identity does not match User-Name, setting from EAP Identity.

Is this patch useful? Or isn't it possible to have EAP-TTLS proxied? http://lists.cistron.nl/pipermail/freeradius-devel/2003-November/006393.html

In the list archive I've found a solution with the hints file but I'm not able to understand the syntax (the guy says he has used this): %{Stripped-User-Name:-%{User-Name}}

Thanks to all, David

-- David ROUMANET Tel : 04 76 51 46 08 Centre Interuniversitaire de Calcul Grenoblois Fax : 04 76 42 11 71
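An added example, not code from the FreeRADIUS project and not posted by anyone on this list, that decodes what the two threads above are looking at: the tcpdump "[|radius]" marker in the cisco-avpairs thread (a RADIUS Length field larger than the bytes captured), and the identity inside the EAP-Message that rlm_eap compares with the User-Name it is holding when it logs "Identity does not match User-Name". As the 'nostrip' fix shows, on a proxied request that User-Name is the realm-stripped value, so the check fails even though the supplicant did nothing wrong. The two EAP-Message hex strings are the ones quoted in the logs on this page; the Access-Accept packet is constructed here, and its Cisco vendor-specific layout is an assumption made for the demo.

```python
"""Decode RADIUS attributes and EAP Identity payloads (standard library only).

Added example: not FreeRADIUS code and not posted by anyone on this list.
The EAP-Message values are taken from the logs above; the Access-Accept
packet is constructed here for the truncation check.
"""
import struct

# RADIUS attribute types used below (RFC 2865) and EAP constants (RFC 3748).
USER_NAME, SERVICE_TYPE, FRAMED_PROTOCOL, VENDOR_SPECIFIC = 1, 6, 7, 26
SESSION_TIMEOUT, EAP_MESSAGE = 27, 79
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

# EAP-Message values quoted in the proxied EAP-TTLS log and the PEAP log above.
ANON_HEX = "0x0202001f01616e6f6e796d6f75734072656d6f74652e6772656e65742e6672"
PEAP_HEX = "0x0201001501545749524531325c6a61736b616a6f6b"


def parse_attributes(packet: bytes):
    """Return (attrs, truncated) for a raw RADIUS packet.

    attrs is a list of (type, value) pairs in wire order. truncated is True
    when the header Length exceeds the bytes supplied or an attribute runs
    past them: the situation tcpdump flags as "[|radius]" with a small snaplen.
    """
    if len(packet) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    truncated = length > len(packet)
    attrs, pos, end = [], 20, min(length, len(packet))
    while pos + 2 <= end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            truncated = True  # attribute header or value cut off by the capture
            break
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs, truncated


def eap_identity(eap_message: bytes):
    """Return the identity carried by an EAP Response/Identity, else None."""
    if len(eap_message) < 5:
        return None
    code, _ident, length = struct.unpack("!BBH", eap_message[:4])
    if code != EAP_RESPONSE or length != len(eap_message):
        return None
    if eap_message[4] != EAP_TYPE_IDENTITY:
        return None
    return eap_message[5:].decode("utf-8", errors="replace")


def identity_mismatch(user_name: str, eap_message_hex: str):
    """Return (identity, mismatch): the comparison rlm_eap logs about.

    user_name should be the name the server is using at that point; when a
    realm module strips the realm (no 'nostrip'), that is the stripped name.
    """
    raw = eap_message_hex[2:] if eap_message_hex.startswith("0x") else eap_message_hex
    identity = eap_identity(bytes.fromhex(raw))
    return identity, identity is not None and identity != user_name


def build_packet(code: int, ident: int, authenticator: bytes, attrs):
    """Assemble a RADIUS packet from (type, value) pairs."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def sample_access_accept():
    """Constructed Access-Accept mirroring the radreply log above (layout assumed)."""
    avpair = b"access-list 188 deny ip any any"
    # Vendor-Specific: vendor id 9 (Cisco), vendor type 1 (Cisco-AVPair), assumed here.
    vsa = struct.pack("!I", 9) + bytes([1, 2 + len(avpair)]) + avpair
    return build_packet(2, 94, bytes(16), [
        (SERVICE_TYPE, struct.pack("!I", 2)),        # Framed-User
        (SESSION_TIMEOUT, struct.pack("!I", 86400)),
        (VENDOR_SPECIFIC, vsa),
        (FRAMED_PROTOCOL, struct.pack("!I", 1)),     # PPP
    ])


if __name__ == "__main__":
    # Proxied request: realm stripped User-Name to "anonymous", identity still has the realm.
    print(identity_mismatch("anonymous", ANON_HEX))
    # PEAP log: identity equals the raw User-Name but not a domain-stripped "jaskajok".
    print(identity_mismatch("TWIRE12\\jaskajok", PEAP_HEX), identity_mismatch("jaskajok", PEAP_HEX))
    full = sample_access_accept()
    print(parse_attributes(full))        # all four attributes, truncated False
    print(parse_attributes(full[:40]))   # only the first two attributes, truncated True
```

Run it as a script to see both checks; the truncation case is what a tcpdump with the default snaplen hands you, and the fix is on the capture side (-s 0), not in the server.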
Is anyone running freeradius on a Windows server?
I am running it but having problems starting external scripts. Some type of path problem. Need info on where to get a build for Windows.

George Schoggins Enterasys Networks Phone: 407-268-9894 FAX: 407-268-9881 Cell: 407-808-6013 Email: [EMAIL PROTECTED] www: http://www.enterasys.com
eap-md5 with ldap backend
Hello all,

I am trying to set up a radius service for EAP with an LDAP backend. I have gotten the LDAP backend working and I have gotten EAP to work with a user defined in the users file. Next 2 lines from my users file:

testuser        Auth-Type := EAP, User-Password == testpass
DEFAULT         Auth-Type := LDAP

But how do I get EAP to work with the LDAP backend in this situation? Or am I missing something more fundamental? I have looked through the archives, but turned up only help on LDAP or EAP, not combining the two... any pointers?

Thanks, Matt Moore
Simultaneous-use and proxied clients
I am stumped on this one: I have used the Simultaneous-Use attribute and checkrad script for some time now with great success. But recently we made some network changes and now some of our users are connecting from another network. All radius requests are proxied via the local radius server to our radius server. The auth'ing/acc'ting works fine. But for these proxied requests no simultaneous-use check is performed; the checkrad script is not run (I have verified this by modifying checkrad) and the user is denied access. I have added entries for each of the clients that are proxied as well as the remote radius server doing the proxying in clients.conf and configured them as type other. But it does not work. From what I can tell it appears that if a request is proxied then freeradius does not use checkrad and automatically denies the request. Is this how it is designed? Or am I missing something? I'm out of ideas. Any input or thoughts?

--- Ed
Re: eap-md5 with ldap backend
I solved this problem using another attribute: in /etc/freeradius/ldap.attrmap:

checkItem       User-Password   radiusTunnelPassword

and set up passwords in it ;-)

I think it's only an access right problem on the LDAP 'userPassword' attribute... If that doesn't solve your problem, please send a copy of your config files and give more information: it'll be easier to help.

Regards

Matt Moore wrote: Hello all, I am trying to set up a radius service for EAP with an LDAP backend. I have gotten the LDAP backend working and I have gotten EAP to work with a user defined in the users file. Next 2 lines from my users file:

testuser        Auth-Type := EAP, User-Password == testpass
DEFAULT         Auth-Type := LDAP

But how do I get EAP to work with the LDAP backend in this situation? Or am I missing something more fundamental? I have looked through the archives, but turned up only help on LDAP or EAP, not combining the two... any pointers? Thanks, Matt Moore

-- NextGen$. --- In a world without fences nor walls - who needs windows and gates? One can obey the laws while wishing they would change, just as one serves in war while wishing for peace. Merleau-Ponty, In Praise of Philosophy
Re: Simultaneous-use and proxied clients
Ed Henderson [EMAIL PROTECTED] wrote: From what I can tell it appears that if a request is proxied then freeradius does not use checkrad and automatically denies the request. Is this how it is designed? Or am I missing something?

The software is designed that way because the network is designed that way. checkrad checks NASes. It can't check RADIUS servers, because there is no way to ask a RADIUS server if a user is still online. Checkrad can't check the NASes of the other RADIUS servers, as those NASes don't know who you are; they only know the RADIUS servers they talk to.

Alan DeKok.
Cisco 3550 switch VLAN assignment by RADIUS doesn't work
Hi, I have a little problem. I configured my Linux xsupplicant for 802.1X authentication on a port of a Cisco 3550 switch. Authentication works through radius; if the port is assigned statically to a VLAN I can ping other boxes on the segment, but if I assign the VLAN to the port from the RADIUS I get

RADIUS: EAP-login: radius didn't send any vlan message

when debugging on the Cisco switch. I have the "aaa authorization network default none", too. What can be the problem?

Levente
| Levente Janovszki | Bekes County Library JUST 4 lines 4 U |
| e-mail:[EMAIL PROTECTED] | Bekescsaba, Derkovits sor 1. HUNGARY Zip: 5600 |
| Linux. Just use it | *The operating system collapsed* |
| w/o fear of panic: | *OKCancel * |
Re: Simultaneous-use and proxied clients
Ed Henderson [EMAIL PROTECTED] wrote: I understand that it can't ask a radius server but is it possible to have it check the original NAS instead?

As I said once before: Checkrad can't check the NASes of the other RADIUS servers, as those NASes don't know who you are; they only know the RADIUS servers they talk to.

To expand a little: It's a bad idea to go poking at NASes you don't own.

I do have the client info for the NASes of the other server so that they can know who our radius server is.

That makes no sense to me. Listing NASes from another RADIUS server in your clients.conf file is a waste of time.

Alan DeKok.
RE: Simultaneous-use and proxied clients
That makes no sense to me. Listing NASes from another RADIUS server in your clients.conf file is a waste of time. Alan DeKok.

It's not a waste of time if one has permission to poke the remote NASes and wants to check them for multiple login attempts. But I guess freeradius can't do this.

Thanks, Ed.
Re: Simultaneous-use and proxied clients
Ed Henderson [EMAIL PROTECTED] wrote: It's not a waste of time if one has permission to poke the remote NASes and wants to check them for multiple login attempts. But I guess freeradius can't do this.

As always, you have source. You can make it do whatever you want.

Alan DeKok.
re: Freeradius and postgres
On Sat, 2005-22-01 at 01:55 -0800, [EMAIL PROTECTED] wrote:
Thanks for the information. What I was missing was the Auth-Type in radgroupcheck. That is new to me. I did not have to do that with the older version of Freeradius. When did that change? I did not see any references to that Auth-Type in any of the docs nor in the archive of the mailing list. Again I appreciate the quick response.

If I remember correctly the entries I have are not required, but I was using them as place holders from when Auth-Type := Local was either required or worked. I am fairly sure that Auth-Type := SQL is not even a valid entry; I just used it to show how data is used in radgroupcheck.

Thanks Kevin

At 05:12 PM 1/21/2005, you wrote:
On Fri, 2005-21-01 at 13:52 -0800, [EMAIL PROTECTED] wrote:
I am using Freeradius 1.0.0 on Redhat Enterprise 3. I also have it installed on Suse 9.2. I am connecting to Postgres 7.4.6. I can authenticate to a users file. But when I try to use radcheck in postgres I get login incorrect. I am trying to upgrade from freeradius .7.3 running on Solaris 2.8 and postgres 7.3.2. That is working just fine. I have created the tables using the provided sql script. I configured radiusd.conf to use sql authentication. I have compared radiusd on the new machine to the radiusd on the old machine. They are as identical as they can be considering changes in the conf file. Does anybody have any other ideas or know of any issue with the current version of freeradius and postgres?

Thanks Kevin Waters

Below is some sample data I use for testing PostgreSQL. The password for troll is skunk {sh1 encrypted}; you will need to generate a redhat linux compatible {des or md5} password for it to authenticate on an RH system.

NOTE: If you want to use the users file and sql, you can not have any Auth-Type attributes in your DEFAULT entries.

The data below is supposed to be tab delimited.

--Start of file--
...snip...
COPY radgroupcheck (groupname, attribute, op, value) FROM stdin;
ppp-unlimited	Auth-Type	:=	SQL
ppp-static	Auth-Type	:=	SQL
nas-prompt	Auth-Type	:=	SQL
\.
...snip...
--End of file--
...snip...

-- Guy Fraser Network Administrator The Internet Centre 1-888-450-6787 (780)450-6787
Re: eap-md5 with ldap backend
Hey,

Thanks for the help... Still having difficulty, although I think you are right on target. LDAP appears to respond correctly, then Radius states that the User-Password attribute is missing. Isn't this what I set with the ldap.attrmap and dictionary_mapping in the radiusd.conf? Here are snippets from the configs and the radiusd -X output for the failed EAP request... Please let me know if more is needed.

Thanks, Matt

ldap.attrmap:

checkItem       User-Password   userPassword

radiusd.conf:

modules {
        eap {
                default_eap_type = md5
                timer_expire = 60
                md5 {
                }
        }
        mschap {
                authtype = MS-CHAP
        }
        ldap {
                server = localhost
                identity = cn=Manager,dc=yoyo,dc=com
                password = secret
                basedn = dc=yoyo,dc=com
                filter = (uid=%{Stripped-User-Name:-%{User-Name}})
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
}
authorize {
        preprocess
        eap
        files
        mschap
        ldap
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}

*Users File:

testuser        Auth-Type := EAP, User-Password == testpass
raduser         Auth-Type := Local, User-Password == testpass
DEFAULT         Auth-Type := LDAP
                Fall-Through = 1

*radiusd -X output for the failed EAP request for the LDAP user:

rad_recv: Access-Request packet from host 143.116.5.238:2048, id=98, length=117
        NAS-IP-Address = 192.168.1.238
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0xf884d8f729a9e770bd73e8e33f6e22e7
        NAS-Port = 20
        Framed-MTU = 1490
        User-Name = matt_moore
        Calling-Station-Id = 00-B0-D0-74-C3-5A
        EAP-Message = 0x0201000f016d6174745f6d6f6f7265
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  rlm_eap: EAP packet type notification id 1 length 15
  rlm_eap: EAP Start not found
  modcall[authorize]: module eap returns updated
    users: Matched DEFAULT at 154
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for matt_moore
radius_xlat: '(uid=matt_moore)'
radius_xlat: 'dc=yoyo,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=yoyo,dc=com, with filter (uid=matt_moore)
rlm_ldap: Added password test123 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value test123 op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user matt_moore authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok
modcall: group authorize returns updated
  rad_check_password: Found Auth-Type LDAP
auth: type LDAP
modcall: entering group Auth-Type
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Login incorrect: [matt_moore/no User-Password attribute] (from client plant1 port 20 cli 00-B0-D0-74-C3-5A)
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.238:2048, id=98, length=117
Sending Access-Reject of id 98 to 192.168.1.238:2048
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 98 with timestamp 41f56ee2
Nothing to do. Sleeping until we see a request.

--- NextGen$'s ShaDow [EMAIL PROTECTED] wrote: I solved this problem using another attribute: in /etc/freeradius/ldap.attrmap:

checkItem       User-Password   radiusTunnelPassword

and set up passwords in it ;-) I think it's only an access right problem on the LDAP 'userPassword' attribute... If that doesn't solve your problem, please send a copy of your config files and give more information: it'll be easier to help.

Regards

Matt Moore wrote: Hello all, I am trying to set up a radius service for EAP with an LDAP backend. I have gotten the LDAP backend working and I have gotten EAP to work with a user defined in the users file. Next 2 lines from my users file:

testuser        Auth-Type := EAP, User-Password == testpass
DEFAULT         Auth-Type := LDAP

But how do
Radius for 802.1X and TKIP
I want to set up a secure WLAN using EAP-PEAP as the authentication method and Radius as an authentication server. In the AP I choose TKIP encryption, but I think TKIP needs to renew the keys used, and I think it is the Radius server that has to create the keys and pass them to the AP. Is this true? In that case, how do I configure Radius to use TKIP? Do any of you have experience with this setup, a WLAN with EAP-PEAP authentication on a Radius server and using TKIP for encryption?

Thanks!
Re: Radius for 802.1X and TKIP
Hi,

TKIP is the encryption method used on the wireless link. RADIUS is designed to be independent of the access technology used by the NAS. In other words, TKIP is something which is not known to the RADIUS server, by design. The RADIUS server will, if available, provide the NAS (802.11 access point in that case) with the raw key material. However, it is up to the NAS to derive the necessary keys from it.

You configure the NAS to use TKIP on the link. freeradius is automatically configured in a way that will derive and attach key material to the Access-Accept message sent to the soliciting NAS. You can see the MPPE-*** attributes in the Access-Accept message in the full log (radiusd -s -X).

ciao artur

Dani Camps wrote: I want to set up a secure WLAN using EAP-PEAP as the authentication method and Radius as an authentication server. In the AP I choose TKIP encryption, but I think TKIP needs to renew the keys used, and I think it is the Radius server that has to create the keys and pass them to the AP. Is this true? In that case, how do I configure Radius to use TKIP? Do any of you have experience with this setup, a WLAN with EAP-PEAP authentication on a Radius server and using TKIP for encryption? Thanks!
Re: How to use pyrad 0.8 client to test freeradius server
Suresh: Hi, I am new to the freeradius server. I have installed freeradius server version 1.0.1 on my GoboLinux machine. I have also installed the pyrad client version 0.8 on my machine. I have run radtest for server testing. It is working fine. How can I test the pyrad client with the radius server? Somebody kindly assist me in how to connect the radius server with the radius client (pyrad 0.8), or how to check whether the server and client are working fine or not.

http://www.stud.ntnu.no/~bgrotan/radtest.py together with running radiusd in verbose/debug mode got me help a long way.

-- Regards Bjørn Ove Grøtan
Re: eap-md5 with ldap backend
Matt Moore [EMAIL PROTECTED] wrote:

DEFAULT Auth-Type := LDAP
        Fall-Through = 1
...
rad_recv: Access-Request packet from host 143.116.5.238:2048, id=98, length=117
...
        User-Name = matt_moore
        EAP-Message = 0x0201000f016d6174745f6d6f6f7265

LDAP doesn't do EAP, as you may have discovered. The solution is to not set Auth-Type. Please READ radiusd.conf. The text before the authenticate section explains this.

Alan DeKok.
Problem with CRL check
Hi all,

I've installed and use freeradius 1.0.1 for EAP/TLS authentication. It works well without a CRL. But each time I want to activate check_crl = yes in the eap.conf file, authentication fails with the following message:

*** unable to get certificate CRL ***

Can someone help me with the following questions:
- what does a CRL file look like?
- where (which directory) should it be?
- are there some modifications to make in the .conf file?

Thanks for any answer
Jacques VUVANT
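On the first question, an added example (written for this page, not part of the post or of FreeRADIUS) that builds a throwaway CA and a CRL with the Python `cryptography` library, which I assume is installed. It shows what the PEM file contains and how a certificate's serial is checked against the list; note that a CRL that fails signature verification or is past its nextUpdate must be treated as an error, never as "not revoked", which is also how OpenSSL behaves and what the error above reflects. The CA name and the revoked serial numbers are constructed.

```python
"""Added example: construct a CA, issue a CRL, inspect and check it.
Assumes the `cryptography` package; all names/serials are constructed."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def make_demo_ca(common_name="Demo EAP-TLS CA"):
    """Self-signed CA certificate and key (constructed, not a real trust anchor)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return cert, key


def make_crl(ca_cert, ca_key, revoked_serials, days_valid=7):
    """CRL signed by the CA listing the given serials as revoked.

    nextUpdate is not decoration: verifiers reject an expired CRL, so the file
    has to be regenerated and redeployed before that date."""
    now = datetime.datetime.now(UTC)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=days_valid))
    )
    for serial in revoked_serials:
        revoked = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .build()
        )
        builder = builder.add_revoked_certificate(revoked)
    return builder.sign(ca_key, hashes.SHA256())


def crl_to_pem(crl):
    """The PEM text is what the CRL file in the CA directory looks like."""
    return crl.public_bytes(serialization.Encoding.PEM).decode()


def is_revoked(crl, ca_cert, serial):
    """True if serial is listed on a CRL that verifies against the CA.

    Raises instead of returning False when the CRL cannot be trusted."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against this CA")
    nxt = getattr(crl, "next_update_utc", None)
    if nxt is None:  # older cryptography releases expose only the naive-UTC form
        nxt = crl.next_update.replace(tzinfo=UTC)
    if nxt < datetime.datetime.now(UTC):
        raise ValueError("CRL is past its nextUpdate; refresh it")
    return crl.get_revoked_certificate_by_serial_number(serial) is not None


if __name__ == "__main__":
    cert, key = make_demo_ca()
    crl = make_crl(cert, key, [0x1001, 0x1002])      # constructed serials
    print(crl_to_pem(crl))
    print("0x1001 revoked:", is_revoked(crl, cert, 0x1001))
    print("0x2000 revoked:", is_revoked(crl, cert, 0x2000))
```

On the second question, what I can add from the OpenSSL side rather than from the post: when a TLS server loads trust material from a directory, OpenSSL looks certificates up as `<subject-hash>.0` and CRLs as `<issuer-hash>.r0`, and `c_rehash <dir>` (or `openssl rehash` on newer releases) creates those links; so the CRL PEM belongs in the same directory as the CA certificate that FreeRADIUS's tls section points at (the option is `CA_path` in eap.conf as I recall it from later 1.x files, so check your own copy), followed by a rehash and a restart of radiusd.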
Re: peap problems
Hi!

I'm trying to configure freeradius with PEAP authentication. I use WinXP for the client. When starting authentication, I get the following error. Can somebody help me and tell me what is going wrong? I have made changes to the radius.conf, eap.conf, users and clients.conf files. Should I make changes to the huntgroups file? (freeradius 1.0.0, SuSE 9.2)

T.ea

Ready to process requests.
rad_recv: Access-Request packet from host 10.50.50.13:1046, id=21, length=141
        User-Name = TWIRE12\\jaskajok
        NAS-IP-Address = 10.50.50.13
        Called-Station-Id = 00034715cbc3
        Calling-Station-Id = 00022d1d5cb1
        NAS-Identifier = WARLORD1
        NAS-Port = 29
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
        Message-Authenticator = 0x1a2a529631d65180ea30bcba1b581e14
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = jaskajok, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    users: Matched jaskajok at 97
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---

I have the following lines in the users file. (I don't have a users.conf file..?)

#John Doe       Auth-Type := Local, User-Password == hello
#               Reply-Message = Hello, %u
jaskajok        User-Password == Reititys3
#
# Dial user back and telnet to the default host for that port
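When a log like this one (or the one in the eap-md5 thread above) says the identity does not match the User-Name, the first thing to check is what the supplicant actually put in its EAP Identity response. The following decoder is an added example for this page, not FreeRADIUS code: it parses the EAP-Message value as printed by the debug output (RFC 3748 header, RFC 3579 for how one EAP packet is split over several EAP-Message attributes) and compares the identity with the printed User-Name. The two EAP-Message values it is tested with are the ones in the two posts; the assumption that the debug output prints a backslash in an attribute value as a doubled backslash is mine.

```python
"""Added example (not from the posts): decode EAP-Message as printed by
radiusd -X and compare the EAP Identity with the outer User-Name."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method types that turn up in a PEAP / EAP-TLS deployment
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def eap_message_bytes(chunks):
    """Join one or more printed EAP-Message values (0x...) into one EAP packet.

    RFC 3579: a long EAP packet is carried in several EAP-Message attributes
    that must be concatenated, in order, before parsing."""
    return b"".join(bytes.fromhex(c[2:] if c.startswith("0x") else c) for c in chunks)


def parse_eap(packet):
    """RFC 3748 header: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length %d inconsistent with %d bytes" % (length, len(packet)))
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "type": None, "data": b""}
    if code in (1, 2):                       # Request / Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without Type octet")
        msg["type"] = EAP_TYPES.get(packet[4], packet[4])
        msg["data"] = packet[5:length]
    return msg


def eap_identity(chunks):
    """The identity string, or None if the packet is not an Identity Response."""
    msg = parse_eap(eap_message_bytes(chunks))
    if msg["code"] != "Response" or msg["type"] != "Identity":
        return None
    return msg["data"].decode("utf-8", errors="replace")


def debug_unescape(value):
    """Assumption: radiusd -X prints a backslash inside a value as two backslashes."""
    return value.replace("\\\\", "\\")


def identity_matches(chunks, user_name_as_printed):
    """True if the EAP Identity equals the User-Name shown in the debug output."""
    identity = eap_identity(chunks)
    return identity is not None and identity == debug_unescape(user_name_as_printed)


if __name__ == "__main__":
    msg = ["0x0201001501545749524531325c6a61736b616a6f6b"]   # from the post above
    print(parse_eap(eap_message_bytes(msg)))
    print("identity:", eap_identity(msg))
    print("matches printed User-Name:", identity_matches(msg, "TWIRE12\\\\jaskajok"))
```

Decoded, the packet in this thread is an Identity Response (code 2, id 1, length 21) carrying "TWIRE12\jaskajok", while the one in the eap-md5 thread carries "matt_moore"; comparing that with the User-Name the later modules see (the realm module above logs it as "jaskajok") tells you which side changed the name before rlm_eap complained.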
user account expiration question
Is there something easier to use than the Expire check item to expire users on or after a certain date to trigger a deny response? No one in his right mind is going to sit there and even use a calculator for the number of seconds since some date in 1970! Isn't there some check item where I can just enter a normal date format?

--
Chuck

Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke
freeradius postgreSQL - stored procedures
Hello...

I am trying to make freeradius authenticate some access packets using the output of SQL stored procedures (that eventually would do the billing as well). Can it be done? And if yes, how?

thank you
--
Siderite [EMAIL PROTECTED]
Re: Freeradius hangs after a HUP
I updated all the servers to FreeBSD 4.10 with the latest patch release, rebuilt world and kernel, and I am still having the same issue when I attempt to restart or HUP the radiusd process. It seems to be looping as Alan said. I did do the gdb and when I issue the radiusd.sh restart command, it prints this to the screen and stops:

Program received signal SIGTERM, Terminated.
0x10250654 in __sys_poll () from /usr/lib/libc_r.so.4

I'm not sure how helpful that will be to anyone but it's all the information it showed. Let me know if this rings any bells.

Joe H.

On Wed, 19 Jan 2005, Alan DeKok wrote:

Joe H [EMAIL PROTECTED] wrote:
With my situation, doing the restart of the process causes radius to stop working and the radius process climbs to about 90% CPU usage.

It sounds like it's in a busy loop. My suggestion is to use gdb to attach to the running process, and see where in the source it's busy-looping.

Alan DeKok.