Problems with hints file when i use freeradius-1.0.1

2005-01-24 Thread Sergey Kodentsev
Hello,

I want to upgrade from freeradius-0.8.1 to freeradius-1.0.1.
Beginning of my hints file:

sergk   Strip-User-Name = No
        Hint := admin


It matches only the username sergk with freeradius-0.8.1.
But it matches any username with freeradius-1.0.1.
Is it a bug or a feature?




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL db failover

2005-01-24 Thread Nicolas Baradakis
Rohaizam Abu Bakar wrote:

 How can we possibly ensure that only when sql1 is down, the accounting
 will be sent to sql2?

You might try a different approach:
  - store accounting in detail files (man rlm_detail)
  - run radsqlrelay to send accounting to the database (get it from a CVS snapshot)

Even if the SQL server is down for a day, radsqlrelay will buffer the
accounting packets and send them later.

The advantages:
  - all accounting goes into a single database (it's easier to check simultaneous logins)
  - even under high load radsqlrelay still sends accounting requests according to the SQL server's capabilities
  - you won't have a lot of outstanding requests on the RADIUS server when the SQL server is slow

-- 
Nicolas Baradakis



peap problems

2005-01-24 Thread ealatalo

Hi!

I'm trying to configure freeradius with PEAP authentication. I use WinXP for the
client. When starting authentication, I get the following error. Can somebody help
me and tell me what is going wrong? I have made changes to the radius.conf, eap.conf,
users and clients.conf files. Should I make changes to the huntgroups file?

T.ea


Ready to process requests.
rad_recv: Access-Request packet from host 10.50.50.13:1046, id=21, length=141
User-Name = TWIRE12\\jaskajok
NAS-IP-Address = 10.50.50.13
Called-Station-Id = 00034715cbc3
Calling-Station-Id = 00022d1d5cb1
NAS-Identifier = WARLORD1
NAS-Port = 29
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
Message-Authenticator = 0x1a2a529631d65180ea30bcba1b581e14
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = jaskajok, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched jaskajok at 97
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---









unexpected message in the radius.log

2005-01-24 Thread Edgars
Hello,
today I figured out that on FR 1.0.1 the following Info message appears if
the user enters an incorrect password:
Info: rlm_sql (sql): No matching entry in the database for request from user [edgars]

In the previous versions I think it was the usual 'Login incorrect' bla
bla bla.
Has this been changed?

Thanks!
Edgars


AW: freeradius doesn't send cisco-avpairs

2005-01-24 Thread Markus.Wintruff
 
 I have the following entry in the users file:
     bob User-Password == "bob"
         Cisco-AVpair = "access-list 188 deny ip any any",
         Fall-Through = YES

 What's wrong?
 
Try it like this:
    Cisco-AVPair = "ip:inacl#1=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63",
    Cisco-AVPair += "ip:inacl#2=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63"

The first row needs no + after =; the second one and the following ones need it.

Markus



Strange, attr_rewrite doesn't work normally

2005-01-24 Thread Nans Delrieu
Hello all,

I have a problem with attr_rewrite:

I have added an attribute in
/usr/share/freeradius/freeradius/dictionary:

Reply-Message-2    65    string

I haven't added it in /etc/freeradius/dictionary because it doesn't work!!

In radius.conf my configuration is:

 attr_rewrite passparunproxy {
     attribute = Reply-Message-2
     searchin = reply
     searchfor = ""
     replacewith = "TEST 1 (Proxy)"
     ignore_case = no
     new_attribute = yes
     max_matches = 10
     append = no
 }

 attr_rewrite passparunproxy1 {
     attribute = Reply-Message
     searchin = reply
     searchfor = ""
     replacewith = "Proxy"
     ignore_case = no
     new_attribute = yes
     max_matches = 10
     append = no
 }

and in the post_proxy section:

 post_proxy {
     passparunproxy
     passparunproxy1
 }


When a user is accepted, I have Reply-Message and Reply-Message-2.

When a user is rejected, I have only Reply-Message.

I don't understand that??



Re: Strange, attr_rewrite doesn't work normally

2005-01-24 Thread Kostas Kalevras
On Mon, 24 Jan 2005, Nans Delrieu wrote:
hello all
I have a problem with attr_rewrite:
when a user is accepted, I have Reply-Message and Reply-Message-2.
when a user is rejected, I have only Reply-Message.
I don't understand that??
Only a few attributes are allowed in an access-reject.
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Attr_rewrite problem...

2005-01-24 Thread Nans Delrieu
Hello

My configuration is:

    Proxy Radius ---> primary radius
                 ---> secondary radius
                 ---> remote radius for realm company.com

In the primary RADIUS, I want to add the text LOCAL to the reply message
(for example, the primary RADIUS returns: Reply-Message = original text + LOCAL).

Is it possible?

I have done that but it doesn't work:

In the primary RADIUS, radiusd.conf:

 attr_rewrite LOCAL {
     attribute = Reply-Message
     searchin = reply
     searchfor = "[+ ]"   # is it the right parameter? Is there a man page for this parameter??
     replacewith = "LOCAL"
     ignore_case = no
     new_attribute = no
     max_matches = 1
     append = yes
 }

 authorize {
     LOCAL   # is it the right place to put LOCAL?
 }

It doesn't work. Help me.



Re: AW: freeradius doesn't send cisco-avpairs

2005-01-24 Thread skenga
Hello, Markus.

You wrote on 24 January 2005 at 15:15:50:

 

Yeah found it already.
Thanks to all.




Re: freeradius doesn't send cisco-avpairs

2005-01-24 Thread Dustin Doris

 Hello, freeradius-users.

 I have the following entry in the users file:
     bob User-Password == "bob"
         Cisco-AVpair = "access-list 188 deny ip any any",
         Fall-Through = YES

 The radreply log says that all is ok:
 Packet-Type = Access-Accept
 Fri Jan 21 17:55:56 2005
 Service-Type = Framed-User
 Session-Timeout = 86400
 Cisco-AVPair = "access-list 188 deny ip any any"
 Framed-Protocol = PPP
 But the user isn't getting in. That's what tcpdump is showing:
 rad-access-accept 80 [id 94] Attr[ Service_type{#539} Session_timeout{24:00:00 hours} [|radius]

[|radius] means that tcpdump is truncating the packet.  Run tcpdump and
set the snaplen.  On my system -s 0 will capture the whole packet.  If you
don't have that option, try -s 1024.  That should be plenty.


 freeradius doesn't send attributes after Session_timeout. Here is what a
 right rad-access-accept looks like: rad-access-accept 35 [id 222] Attr[
 Service_type{#539} Session_timeout{05:27:24 hours} Proxy_state{0} ]

 freeradius acts like a proxy to icradius.

 What's wrong?


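What tcpdump showed versus what radreply logged comes down to how many RADIUS bytes the capture kept. The script below is an added example, not tcpdump or FreeRADIUS code: it builds an Access-Accept mirroring the radreply log (constructed shared secret and Request-Authenticator), walks its attribute TLVs including the Cisco Vendor-Specific one, and shows which attributes survive a given snaplen, assuming 42 bytes of Ethernet/IPv4/UDP header in front of the RADIUS payload.

```python
"""Attribute walk over a RADIUS Access-Accept, with the snaplen effect.
Added example; packet contents are constructed to mirror the radreply log."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
VENDOR_CISCO, CISCO_AVPAIR = 9, 1
INTEGER_ATTRS = {6: "Service-Type", 7: "Framed-Protocol", 27: "Session-Timeout"}
LINK_HEADERS = 14 + 20 + 8   # Ethernet + IPv4 + UDP bytes ahead of RADIUS (assumed)


def attr(type_: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: Type(1) Length(1) Value."""
    return struct.pack("!BB", type_, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Cisco-AVPair = Vendor-Specific(26) wrapping vendor 9, sub-type 1."""
    return attr(26, struct.pack("!I", VENDOR_CISCO) + attr(CISCO_AVPAIR, text.encode()))


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept with a Response Authenticator per RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check that the reply was produced by a server holding the shared secret."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(data: bytes):
    """Yield (name, value) for each attribute in the bytes actually captured.
    A final ('truncated', bytes) entry marks a TLV whose length runs past the
    end of the data, which is what tcpdump renders as [|radius]."""
    if len(data) < 20:
        return
    declared = struct.unpack("!H", data[2:4])[0]
    body = data[20:min(declared, len(data))]
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            yield ("truncated", body[pos:])
            return
        t, l = body[pos], body[pos + 1]
        val = body[pos + 2:pos + l]
        if t == 26 and len(val) >= 6:
            vendor = struct.unpack("!I", val[:4])[0]
            vtype, vlen = val[4], val[5]
            if (vendor, vtype) == (VENDOR_CISCO, CISCO_AVPAIR):
                yield ("Cisco-AVPair", val[6:4 + vlen].decode(errors="replace"))
            else:
                yield (f"Vendor-Specific({vendor}/{vtype})", val[6:4 + vlen])
        elif t in INTEGER_ATTRS and len(val) == 4:
            yield (INTEGER_ATTRS[t], struct.unpack("!I", val)[0])
        else:
            yield (f"Attr-{t}", val)
        pos += l


def captured_names(packet: bytes, snaplen: int = 0) -> list:
    """Attribute names visible when the frame was captured with `snaplen`
    bytes (0 = whole frame); only snaplen - LINK_HEADERS bytes of RADIUS survive."""
    data = packet if snaplen == 0 else packet[:max(0, snaplen - LINK_HEADERS)]
    return [name for name, _ in parse_attributes(data)]


# Constructed test values; the attribute set mirrors the radreply log above.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
ACCEPT = build_access_accept(
    94, REQUEST_AUTH, SECRET,
    attr(6, struct.pack("!I", 2))                      # Service-Type = Framed-User
    + attr(27, struct.pack("!I", 86400))               # Session-Timeout = 86400
    + cisco_avpair("access-list 188 deny ip any any")  # the VSA missing in the capture
    + attr(7, struct.pack("!I", 1)),                   # Framed-Protocol = PPP
)

if __name__ == "__main__":
    for snap in (68, 96, 0):   # 68 bytes was the default snaplen of older tcpdump
        print(f"snaplen {snap or 'full'}: {captured_names(ACCEPT, snap)}")
```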



Re: Problems using Freeradius whith PEAP authentication

2005-01-24 Thread Paulo Alexandre Caceres Ferreira
Hi, again.
To resolve my problem with freeradius, I updated my system to Red Hat 9.0;
this version of Linux has a version of OpenSSL that supports the TLS tunnels
for the EAP methods.
Thanks again, Paulo Ferreira.

Alan DeKok wrote:

Paulo Alexandre Caceres Ferreira [EMAIL PROTECTED] wrote:

Hi, now I installed the 0.9.7e version of OpenSSL on my system (Red Hat
Linux 7.3) without problems, but freeradius returns the same error.
What am I doing wrong?


  The compile process is still using the older version.  Fix that.

  Alan DeKok.



EAP-TTLS and proxyRADIUS (with FreeRadius)

2005-01-24 Thread David ROUMANET
Hi there!
I've a problem with my proxy RADIUS server:
I've configured two freeradius servers (each v1.0.1, EAP-TTLS
activated). When I log on to the first server (from a Cisco AP-1100), it's
OK. I change the IP address of the RADIUS server on the NAS: direct login
is OK.
Now I use the syntax '[EMAIL PROTECTED]' (configured proxy.conf and
clients.conf on each server of course) but I get this log on the second
server:
rad_recv: Access-Request packet from host 192.168.1.1:1814, id=0, length=162
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 000e.8440.bbb0
Calling-Station-Id = 000d.54a1.6e8e
Service-Type = Login-User
Message-Authenticator = 0x7775308bbdc7e890a1b0b90518ef5da9
EAP-Message = 0x0202001f01616e6f6e796d6f75734072656d6f74652e6772656e65742e6672
NAS-Port-Type = Wireless-802.11
NAS-Port = 8731
NAS-IP-Address = 192.168.7.1
NAS-Identifier = ap-maquette
Proxy-State = 0x323035
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
  modcall[authorize]: module chap returns noop for request 5
  modcall[authorize]: module mschap returns noop for request 5
rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 5
  rlm_eap: EAP packet type response id 2 length 31
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 5
users: Matched DEFAULT at 158
  modcall[authorize]: module files returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Login incorrect: [anonymous] (from client vega port 8731 cli 000d.54a1.6e8e)
Delaying request 5 for 1 seconds
Finished request 5

I don't understand where my mistake is, but the message is clear:
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
Is this patch useful? Or isn't it possible to have EAP-TTLS proxied?
http://lists.cistron.nl/pipermail/freeradius-devel/2003-November/006393.html
In the list archive, I've found a solution with the hints file but I'm
not able to understand the syntax (the guy says he has used this):
%{Stripped-User-Name:-%{User-Name}}

Thanks to all,
David
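The message quoted in this log and in the PEAP log earlier on this page comes from comparing the identity inside the EAP-Message with the User-Name attribute. The decoder below is an added example, not FreeRADIUS code or either poster's configuration: it parses the two EAP-Message values printed in those logs and compares each with the User-Name the server had at that point (the "anonymous" the proxy forwarded here, and the "jaskajok" rlm_realm logged in the PEAP case); the hex strings are copied from the logs, everything else is assumed.

```python
"""Decode the EAP Identity inside a RADIUS EAP-Message and compare it with
User-Name.  Added example; the EAP-Message values come from the logs above."""
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def parse_eap_identity(eap_message: bytes) -> str:
    """Return the identity carried by an EAP Response/Identity packet.

    EAP header (RFC 3748): Code(1) Identifier(1) Length(2) Type(1) Data.
    Raises ValueError when the bytes are not a well-formed Identity response.
    """
    if len(eap_message) < 5:
        raise ValueError("EAP packet shorter than its header")
    code, _ident, length = struct.unpack("!BBH", eap_message[:4])
    if length != len(eap_message):
        raise ValueError(f"EAP length field {length} != {len(eap_message)} bytes present")
    if code != EAP_RESPONSE:
        raise ValueError(f"not an EAP Response (code {code})")
    if eap_message[4] != EAP_TYPE_IDENTITY:
        raise ValueError(f"not an Identity packet (type {eap_message[4]})")
    # RFC 3748 5.1: the identity ends at the first NUL; anything after it is
    # free-form option text that must not be treated as part of the name.
    return eap_message[5:].split(b"\x00", 1)[0].decode("utf-8")


def eap_message_from_debug(hex_value: str) -> bytes:
    """Turn the 0x... value radiusd -X prints for EAP-Message into bytes."""
    return bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)


def identity_matches_user_name(eap_message_hex: str, user_name: str) -> bool:
    """True when the EAP Identity equals the User-Name the server holds for
    the request; the logs above report this comparison failing."""
    return parse_eap_identity(eap_message_from_debug(eap_message_hex)) == user_name


# From the EAP-TTLS log above: the proxy stripped the realm from User-Name
# before forwarding, but the EAP payload still carries it.
TTLS_EAP_MESSAGE = "0x0202001f01616e6f6e796d6f75734072656d6f74652e6772656e65742e6672"
TTLS_USER_NAME = "anonymous"

# From the PEAP log earlier on this page: rlm_realm logged the User-Name as
# plain "jaskajok" while the supplicant's identity keeps the DOMAIN\ prefix.
PEAP_EAP_MESSAGE = "0x0201001501545749524531325c6a61736b616a6f6b"
PEAP_USER_NAME = "jaskajok"

if __name__ == "__main__":
    for label, eap, name in (("EAP-TTLS via proxy", TTLS_EAP_MESSAGE, TTLS_USER_NAME),
                             ("PEAP", PEAP_EAP_MESSAGE, PEAP_USER_NAME)):
        identity = parse_eap_identity(eap_message_from_debug(eap))
        print(f"{label}: EAP Identity={identity!r}, User-Name={name!r}, "
              f"match={identity_matches_user_name(eap, name)}")
```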



Testing and/or monitoring freeradius with PEAP

2005-01-24 Thread Bob McCormick
I've got freeradius setup to authenticate wireless clients with
PEAP/MSCHAP (to an Active Directory backend) and now I'm looking for a
way to test/monitor the radius server.  Ideally, I'd like to do
something like radtest, but test either PEAP or at least the MSCHAP
authentication portion.  Does anyone here know of any programs or
scripts out there to test radius with MSCHAP authentication?



Re: EAP-TTLS and proxyRADIUS (with FreeRadius)

2005-01-24 Thread David ROUMANET
*oups* sorry!
The option 'nostrip' in proxy.conf was missing...
It works now!

Regards,
David
--
David ROUMANET   Tel : 04 76 51 46 08
Centre Interuniversitaire de Calcul Grenoblois   Fax : 04 76 42 11 71


Is anyone running freeradius on a Windows server?

2005-01-24 Thread Schoggins, George
I am running it but having problems starting external scripts. Some type of 
path problem. Need info on where to get a build for windows.

George Schoggins
Enterasys Networks
Phone: 407-268-9894
FAX: 407-268-9881
Cell: 407-808-6013 
Email: [EMAIL PROTECTED]
www: http://www.enterasys.com






eap-md5 with ldap backend

2005-01-24 Thread Matt Moore
Hello all,

I am trying to set up a radius service for eap with an
ldap backend.  I have gotten the ldap backend working
and I have gotten eap to work with a user defined in
the users file.  The next 2 lines are from my users file.

testuser  Auth-Type := EAP, User-Password == "testpass"
DEFAULT   Auth-Type := LDAP

But, how do I get EAP to work with ldap backend in
this situation?  Or am I missing something more
fundamental?  I have looked through the archives, but
turned up only help on ldap or eap, not combining the
two...  any pointers?

Thanks,
Matt Moore






Simultaneous-use and proxied clients

2005-01-24 Thread Ed Henderson
I am stumped on this one:  I have used the Simultaneous-Use attribute and
checkrad script for some time now with great success.  But recently we
made some network changes and now some of our users are connecting from
another network. All radius requests are proxied via the local radius
server to our radius server.  The auth'ing/acc'ting works fine.  But for
these proxied requests no simultaneous-use check is performed - the checkrad
script is not run (I have verified this by modifying checkrad) and the user
is denied access.  I have added entries for each of the clients that are
proxied as well as the remote radius server doing the proxying in
clients.conf and configured them as type other.  But it does not work.
From what I can tell it appears that if a request is proxied then
freeradius does not use checkrad and automatically denies the request.  Is
this how it is designed?  Or am I missing something?

I'm out of ideas.  Any input or thoughts?

---
Ed 




Re: eap-md5 with ldap backend

2005-01-24 Thread NextGen$'s ShaDow
I solved this problem using another attribute:
in /etc/freeradius/ldap.attrmap:

checkItem   User-Password   radiusTunnelPassword

and set up passwords in it ;-)

I think it's only an access-rights problem on the LDAP 'userPassword'
attribute...

If that doesn't solve your problem, please send a copy of your config
files and give more information: it'll be easier to help.

Regards

-- 
NextGen$. 
--- In a world without fences nor walls - who needs windows and gates ? 

One can obey the laws while wishing they would change, as one serves in
war while wishing for peace.
Merleau-Ponty, L'éloge de la philosophie





Re: Simultaneous-use and proxied clients

2005-01-24 Thread Alan DeKok
Ed Henderson [EMAIL PROTECTED] wrote:
 From what I can tell it appears  that if a request is proxied then
 freeradius does not use checkrad and automatically denies request.  Is
 this how it is designed?  Or am I missing something?

  The software is designed that way because the network is designed that way.

  checkrad checks NASes.  It can't check RADIUS servers, because there
is no way to ask a RADIUS server if a user is still online.  Checkrad
can't check the NASes of the other RADIUS servers, as those NASes
don't know who you are, they only know the RADIUS servers they talk to.

  Alan DeKok.




Cisco 3550 switch VLAN assignment by RADIUS doesn't work

2005-01-24 Thread Levente Janovszki
Hi,

I have a little problem. I configured my Linux xsupplicant for 802.1X
authentication on a port of a Cisco 3550 switch. Authentication works
through RADIUS; if the port is assigned statically to a VLAN I can ping other
boxes on the segment, but if I assign the VLAN to the port from the RADIUS I
get a "RADIUS: EAP-login: radius didn't send any vlan" message when
debugging on the Cisco switch.

I have the aaa authorization network default none, too.

What can be the problem?


Levente


 | Levente Janovszki  | Bekes County Library  JUST 4 lines 4 U |
 | e-mail:[EMAIL PROTECTED] | Bekescsaba, Derkovits sor 1. HUNGARY Zip: 5600 |
 | Linux. Just use it | *The operating system collapsed*   |
 | w/o fear of panic: | *OKCancel  *   |





Re: Simultaneous-use and proxied clients

2005-01-24 Thread Alan DeKok
Ed Henderson [EMAIL PROTECTED] wrote:
 I understand that it can't ask a radius server but is it possible to
 have it check the original nas instead?

  As I said once before:

  Checkrad can't check the NASes of the other RADIUS servers, as
  those NASes don't know who you are, they only know the RADIUS
  servers they talk to.

  To expand a little: It's a bad idea to go poking at NASes you don't own.

 I do have the client info for the NASes of the other server so that
 they can know who our radius server is.

  That makes no sense to me.  Listing NASes from another RADIUS server
in your clients.conf file is a waste of time.

  Alan DeKok.



RE: Simultaneous-use and proxied clients

2005-01-24 Thread Ed Henderson
   That makes no sense to me.  Listing NASes from another RADIUS server
 in your clients.conf file is a waste of time.
 
   Alan DeKok.

It's not a waste of time if one has permission to poke the remote NASes
and wants to check them for multiple login attempts.  But I guess
freeradius can't do this.

Thanks,
Ed.




Re: Simultaneous-use and proxied clients

2005-01-24 Thread Alan DeKok
Ed Henderson [EMAIL PROTECTED] wrote:
 Its not a waste of time if one has permission to poke the remote NASes
 and wants to check them for multiple login attempts.  But I guess
 freeradius can't do this.

  As always, you have source.  You can make it do whatever you want.

  Alan Dekok.



re: Freeradius and postgres

2005-01-24 Thread Guy Fraser
On Sat, 2005-22-01 at 01:55 -0800, [EMAIL PROTECTED] wrote: 
 Thanks for the information. What I was missing was the Auth-Type in
 Radgroupcheck. That is new to me. I did not have to do that with the older
 version of Freeradius. When did that change? I did not see any references
 to that Auth-Type in any of the docs nor in the archive of the mailing
 list.
 
 Again I appreciate the quick response.
 
If I remember correctly the entries I have are not required, but I
was using them as placeholders from when Auth-Type := Local was
either required or worked. I am fairly sure that Auth-Type := SQL
is not even a valid entry; I just used it to show how data is used
in radgroupcheck.
 
 Thanks
 
 Kevin
 
 
 
 At 05:12 PM 1/21/2005, you wrote:
 
 On Fri, 2005-21-01 at 13:52 -0800, [EMAIL PROTECTED] wrote:
  I am using Freeradius 1.0.0 on Redhat Enterprise 3. I also have it
  installed on Suse 9.2. I am connecting to Postgres 7.4.6. I can
  authenticate to a users file. But when I try to use radcheck in
  postgres I get login incorrect. I am trying to upgrade from freeradius
  .7.3 running on Solaris 2.8 and postgres 7.3.2. That is working just
  fine. I have created the tables using the provided sql script. I
  configured radiusd.conf to use sql authentication. I have compared
  radiusd on the new machine to the radiusd on the old machine. They are
  as identical as they can be considering changes in the conf file. Does
  anybody have any other ideas or know of any issue with the current version
  of freeradius and postgres?
 
  Thanks
 
 
  Kevin Waters
 
 Below is some sample data I use for testing PostgreSQL.

 The password for troll is skunk {sha1 encrypted}; you will
 need to generate a redhat linux compatible {des or md5}
 password for it to authenticate on an RH system.

 NOTE: If you want to use the users file and sql, you
 can not have any Auth-Type attributes in your DEFAULT
 entries.

 The data below is supposed to be tab delimited.
 
 --Start of file--
...snip... 
 COPY radgroupcheck (groupname, attribute, op, value) FROM stdin;
 ppp-unlimited   Auth-Type   :=  SQL
 ppp-static  Auth-Type   :=  SQL
 nas-prompt  Auth-Type   :=  SQL
 \.
 
...snip... 
 --End of file--
 
...snip...
-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787




Re: eap-md5 with ldap backend

2005-01-24 Thread Matt Moore
Hey, Thanks for the help...

Still having difficulty, although I think you are
right on target.

LDAP appears to respond correctly, then RADIUS states
that the User-Password attribute is missing.  Isn't
this what I set with the ldap.attrmap and
dictionary_mapping in the radiusd.conf?

Here are snippets from configs and the radiusd -X
output for the failed eap request...
Please let me know if more is needed.

Thanks,
Matt



ldap.attrmap:

checkItem   User-Password   userPassword


radiusd.conf:

modules {
eap {
default_eap_type = md5
timer_expire = 60
md5 {
}
mschap {
authtype = MS-CHAP
}
ldap {
server = localhost
identity = cn=Manager,dc=yoyo,dc=com
password = secret
basedn = dc=yoyo,dc=com
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = userPassword
timeout = 4
timelimit = 3
net_timeout = 1
}
}

authorize {
preprocess
eap
files
mschap
ldap
}

authenticate {
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
eap
}



Users file:

testuser  Auth-Type := EAP, User-Password == "testpass"
raduser   Auth-Type := Local, User-Password == "testpass"

DEFAULT   Auth-Type := LDAP
          Fall-Through = 1




radiusd -X output for the failed EAP request for the LDAP user:

rad_recv: Access-Request packet from host 143.116.5.238:2048, id=98, length=117
NAS-IP-Address = 192.168.1.238
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Message-Authenticator = 0xf884d8f729a9e770bd73e8e33f6e22e7
NAS-Port = 20
Framed-MTU = 1490
User-Name = matt_moore
Calling-Station-Id = 00-B0-D0-74-C3-5A
EAP-Message = 0x0201000f016d6174745f6d6f6f7265
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  rlm_eap: EAP packet type notification id 1 length 15
  rlm_eap: EAP Start not found
  modcall[authorize]: module eap returns updated
users: Matched DEFAULT at 154
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for matt_moore
radius_xlat:  '(uid=matt_moore)'
radius_xlat:  'dc=yoyo,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=yoyo,dc=com, with filter (uid=matt_moore)
rlm_ldap: Added password test123 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value test123  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user matt_moore authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
modcall: entering group Auth-Type
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Login incorrect: [matt_moore/no User-Password attribute] (from client plant1 port 20 cli 00-B0-D0-74-C3-5A)
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.238:2048, id=98, length=117
Sending Access-Reject of id 98 to 192.168.1.238:2048
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 98 with timestamp 41f56ee2
Nothing to do.  Sleeping until we see a request.



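The log above shows rlm_ldap copying the cleartext userPassword into the request as a User-Password check item and then, under Auth-Type LDAP, the authenticate step failing because the request itself carries no User-Password, only an EAP-Message. The example below is added here and is not rlm_eap_md5 code: it implements the EAP-MD5 exchange (RFC 3748 section 5.4) and the server-side verification, which can only be done from the stored cleartext password; the challenge, user name and the {SSHA} stand-in are constructed values, and the password is the one the log printed.

```python
"""EAP-MD5 challenge/response and the server-side check behind it.
Added example, not FreeRADIUS code; all values below are constructed."""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4


def md5_challenge_request(ident: int, challenge: bytes) -> bytes:
    """EAP-Request/MD5-Challenge: Code Id Length Type Value-Size Value."""
    data = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge
    return struct.pack("!BBH", EAP_REQUEST, ident, 4 + len(data)) + data


def md5_challenge_response(ident: int, challenge: bytes, password: bytes,
                           name: bytes = b"") -> bytes:
    """What the supplicant sends back: Value = MD5(Id || password || challenge),
    optionally followed by the peer name (RFC 1994 CHAP response format)."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    data = bytes([EAP_TYPE_MD5, len(digest)]) + digest + name
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(data)) + data


def parse_md5_response(packet: bytes):
    """Return (identifier, value, name) from an EAP-Response/MD5-Challenge,
    validating the header so a malformed packet fails closed."""
    if len(packet) < 6:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE or length != len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-Response/MD5-Challenge")
    size = packet[5]
    if size != 16 or 6 + size > len(packet):
        raise ValueError("MD5-Challenge value size must be 16")
    return ident, packet[6:6 + size], packet[6 + size:]


def verify_md5_response(response: bytes, challenge: bytes, cleartext_password: bytes) -> bool:
    """Server side: the digest is recomputed from the cleartext password the
    server holds as a check item; a hashed directory value or an LDAP bind
    cannot substitute for it, which is what the failing log above shows."""
    ident, value, _name = parse_md5_response(response)
    expected = hashlib.md5(bytes([ident]) + cleartext_password + challenge).digest()
    return hmac.compare_digest(expected, value)


# Constructed values; the password is the one rlm_ldap fetched in the log.
# A real server draws the challenge from os.urandom(16) for every request.
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = b"test123"

if __name__ == "__main__":
    req = md5_challenge_request(1, CHALLENGE)
    resp = md5_challenge_response(1, CHALLENGE, PASSWORD, b"matt_moore")
    print("request bytes:", req.hex())
    print("verify with stored cleartext:", verify_md5_response(resp, CHALLENGE, PASSWORD))
    print("verify with a hashed value instead:",
          verify_md5_response(resp, CHALLENGE, b"{SSHA}placeholder-hash"))
```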
Radius for 802.1X and TKIP

2005-01-24 Thread Dani Camps
I want to set up a secure WLAN using EAP-PEAP as the
authentication method and RADIUS as the authentication
server. In the AP I choose TKIP encryption, but I
think TKIP needs to renew the keys used, and I think
the RADIUS server is the one that has to create the
keys and pass them to the AP. Is this true?

In that case how do I configure RADIUS to use TKIP?

Do any of you have experience in this setup, a WLAN with
EAP-PEAP authentication on a RADIUS server and using
TKIP for encryption?

Thanks !





Re: Radius for 802.1X and TKIP

2005-01-24 Thread Artur Hecker
hi
TKIP is the encryption method used on the wireless link. radius is 
designed to be independent of the access technology used by the NAS.

in other words, TKIP is something which is not known to the radius 
server - by design. the radius server will - if available - provide the 
NAS (802.11 access point in that case) with the raw key material. 
however it is up to the NAS to derive the necessary keys from it.

you configure the NAS to use TKIP on the link. freeradius is 
automatically configured in a way that will derive and attach key 
material to the access-accept message sent to the solicited NAS. you can 
see the MPPE-*** attributes in the access-accept message in the full log 
(radiusd -s -X)

ciao
artur
Dani Camps wrote:
I want to set up a secure wlan using EAP-PEAP as
authentication method and Radius as an authentication
server. In the AP I choose TKIP encryption, but I
think TKIP needs to renew the keys used, and I think
the Radius server is the one that has to create the
keys and pass them to the AP. Is this true?
In that case, how do I configure Radius to use TKIP?
Do any of you have experience with this set up, a wlan with
EAP-PEAP authentication in a Radius server and using
TKIP for encryption?
Thanks !

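To make Artur's point concrete, the following is an added example (not code from this thread and not FreeRADIUS code) of what the NAS actually receives: an Access-Accept carrying the MS-MPPE-Send-Key and MS-MPPE-Recv-Key Vendor-Specific attributes, and the steps an AP has to take before it can derive TKIP keys from them. The wire layout is RFC 2865 (packet header, attribute 26) and RFC 2548 (Microsoft vendor types 16 and 17 and their salt-encryption). The shared secret "testing123", the Request Authenticator, the salts and the 32-byte key values are constructed demo values, not taken from the thread.

```python
"""Access-Accept with MS-MPPE keys, built as a server would and unwrapped as a NAS would.
Added example for the TKIP thread; not FreeRADIUS code.  All inputs are constructed demo values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_key_encrypt(secret: bytes, req_auth: bytes, key: bytes, salt: bytes) -> bytes:
    """Server side (RFC 2548 s2.4.2): length byte + key, zero-padded to 16-byte blocks,
    XORed with an MD5 chain keyed by the shared secret, the Request Authenticator and a salt."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", req_auth + salt
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # next MD5 input is the previous ciphertext block
    return salt + out


def mppe_key_decrypt(secret: bytes, req_auth: bytes, blob: bytes) -> bytes:
    """NAS side: reverse the chain.  Only the shared secret and the authenticator of the
    NAS's own Access-Request are needed, so the secret is the whole protection of the key."""
    salt, cipher = blob[:2], blob[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed MPPE key attribute")
    plain, prev = b"", req_auth + salt
    for i in range(0, len(cipher), 16):
        plain += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    key_len = plain[0]
    if key_len == 0 or key_len > len(plain) - 1:
        raise ValueError("bad key length byte (wrong shared secret?)")
    return plain[1:1 + key_len]


def vsa(vendor_type: int, data: bytes) -> bytes:
    """One Microsoft Vendor-Specific attribute: type 26, len, vendor id 311, vendor type/len, payload."""
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", VENDOR_MICROSOFT) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def build_access_accept(secret, req_auth, ident, send_key, recv_key, salt_send, salt_recv):
    """What the server emits: header, Response Authenticator, then the two MPPE VSAs."""
    attrs = vsa(MS_MPPE_SEND_KEY, mppe_key_encrypt(secret, req_auth, send_key, salt_send))
    attrs += vsa(MS_MPPE_RECV_KEY, mppe_key_encrypt(secret, req_auth, recv_key, salt_recv))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def extract_mppe_keys(secret: bytes, req_auth: bytes, packet: bytes) -> dict:
    """What the NAS does: check the Response Authenticator first (a reply that fails it was
    not produced by a holder of the secret and must be dropped), then unwrap types 16 and 17."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    resp_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong secret")
    keys, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("bad attribute length")
        atype, alen = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_MICROSOFT:
            continue
        vtype, vlen = value[4], value[5]
        vdata = value[6:4 + vlen]
        if vtype == MS_MPPE_SEND_KEY:
            keys["send"] = mppe_key_decrypt(secret, req_auth, vdata)
        elif vtype == MS_MPPE_RECV_KEY:
            keys["recv"] = mppe_key_decrypt(secret, req_auth, vdata)
    return keys


# Constructed demo values (not from the thread).
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))  # the 16-byte Request Authenticator the NAS sent
SEND_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # 32-byte halves of the EAP MSK
RECV_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2)


def demo_packet() -> bytes:
    return build_access_accept(SECRET, REQ_AUTH, 98, SEND_KEY, RECV_KEY, b"\x81\x02", b"\x9a\xbc")


def demo() -> dict:
    return extract_mppe_keys(SECRET, REQ_AUTH, demo_packet())


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"MS-MPPE-{name.capitalize()}-Key: {key.hex()}")
```

Two things worth noticing. Nothing here is TKIP: the server hands over raw key material and the AP runs the 802.11i handshake and key derivation itself, which is why there is no TKIP setting in radiusd.conf. And the only thing protecting those keys on the wire is an MD5 chain keyed by the RADIUS shared secret, so a weak or shared-everywhere secret, or an unprotected path between AP and server, exposes every session key the server ever issues.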


Re: How to use pyrad 0.8 client to test freeradius server

2005-01-24 Thread Bjorn Ove Grotan
Suresh:
 
 Hi,
 I am new to freeradius server. I have installed freeradius server
 1.0.1 version in my gobolinux machine. I have also installed
 the pyrad client 0.8 version in my machine. I have made the radtest
 for server testing. It is working fine. How can I test the pyrad client
 with the radius server? Somebody kindly assist me in how to
 connect the radius server with the radius client (pyrad 0.8) or how
 to check whether the server and client are working fine or not.

http://www.stud.ntnu.no/~bgrotan/radtest.py together with running
radiusd in verbose/debug-mode got me a long way.

-- 
Regards
 
Bjørn Ove Grøtan



Re: eap-md5 with ldap backend

2005-01-24 Thread Alan DeKok
Matt Moore [EMAIL PROTECTED] wrote:
 DEFAULT   Auth-Type := LDAP
   Fall-Through = 1
...
 rad_recv: Access-Request packet from host
 143.116.5.238:2048, id=98, length=117
...
 User-Name = matt_moore
 EAP-Message = 0x0201000f016d6174745f6d6f6f7265

  LDAP doesn't do EAP, as you may have discovered.

  The solution is to not set Auth-Type.  Please READ radiusd.conf.
The text before the authenticate section explains this.

  Alan DeKok.




Problem with CRL check

2005-01-24 Thread Jacques VUVANT
Hi all

I've installed and use freeradius 1.0.1 for EAP/TLS authentication. It works
well without CRL. But each time I want to activate check_crl = yes in the
eap.conf file, authentication fails with the following message:

*** unable to get certificate CRL***

Can someone help me with the following questions:
what does the crl file look like?
where (which directory) does it have to be?
are there some modifications to make in the .conf file?

Thanks for any answer

Jacques VUVANT


Re: peap problems

2005-01-24 Thread ealatalo
 
 Hi!
 
 I'm trying to configure freeradius with peap autentication. I use winxp for
 client. When starting autentication, I get following error. Can somebody
 help
 me and tell what is going wrong. I had made changes radius.conf, eap.conf,
 users and clients.conf files. Should I make changes huntsgroup file?
  (freeradius 1.0.0 and Suse 9.2)
 
 T.ea
 
 
 Ready to process requests.
 rad_recv: Access-Request packet from host 10.50.50.13:1046, id=21,
 length=141
 User-Name = TWIRE12\\jaskajok
 NAS-IP-Address = 10.50.50.13
 Called-Station-Id = 00034715cbc3
 Calling-Station-Id = 00022d1d5cb1
 NAS-Identifier = WARLORD1
 NAS-Port = 29
 Framed-MTU = 1300
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
 Message-Authenticator = 0x1a2a529631d65180ea30bcba1b581e14
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = jaskajok, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 0
   rlm_eap: EAP packet type response id 1 length 21
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 0
 users: Matched jaskajok at 97
   modcall[authorize]: module files returns ok for request 0
 modcall: group authorize returns updated for request 0
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
 rlm_eap: Identity does not match User-Name, setting from EAP Identity.
   rlm_eap: Failed in handler
   modcall[authenticate]: module eap returns invalid for request 0
 modcall: group authenticate returns invalid for request 0
 auth: Failed to validate the user.
 Delaying request 0 for 1 seconds
 Finished request 0
 Going to the next request
 --- Walking the entire request list ---
 


  (freeradius 1.0.0 and Suse 9.2)


  I have the following line in the users file. (I don't have a users.conf file..?)
  

#John Doe	Auth-Type := Local, User-Password == hello
#	Reply-Message = Hello, %u

jaskajok	User-Password == Reititys3

#
# Dial user back and telnet to the default host for that port
 






user account expiration question

2005-01-24 Thread Chuck
is there something easier to use than the Expire check item to expire users on 
or after a certain date to trigger a deny response? No one in his right mind 
is going to sit there and even use a calculator for the number of seconds 
since some date in 1970!

Isn't there some check item where I can just enter a normal date format?

-- 

Chuck

Windows?? You mean the thirty-two bit extension and graphical shell to a 
sixteen-bit patch to an eight-bit operating system originally coded for a 
four-bit microprocessor which was written by a two-bit company that can't 
stand one bit of competition? Oh, that... -- Lee Clarke




freeradius postgreSQL - stored procedures

2005-01-24 Thread Siderite

  Hello... I am trying to make freeradius authenticate some access
packets using the output of SQL stored procedures (that eventually would
do the billing as well). Can it be done? And if yes, how?

   thank you

-- 
Siderite [EMAIL PROTECTED]




Re: Freeradius hangs after a HUP

2005-01-24 Thread Joe H
I updated all the servers to freebsd 4.10 with the latest patch release,
rebuilt world and kernel and I am still having the same issue when I
attempt to restart or HUP the radiusd process.  It seems to be looping as
Alan said.  I did do the gdb and when I issue the radiusd.sh restart
command, it prints this to the screen and stops.

Program received signal SIGTERM, Terminated.
0x10250654 in __sys_poll () from /usr/lib/libc_r.so.4

I'm not sure how helpful that will be to anyone but it's all the
information it showed.

Let me know if this rings any bells.

Joe H.



On Wed, 19 Jan 2005, Alan DeKok wrote:

 Joe H [EMAIL PROTECTED] wrote:
  With my situation, doing the restart of the process causes radius to stop
  working and the radius process climbs to about 90% CPU usage.

   It sounds like it's in a busy loop.

   My suggestion is to use gdb to attach to the running process, and
 see where in the source it's busy-looping.

   Alan DeKok.



