Start & Stop Time

2005-01-25 Thread Nader Sayeh








Hi,

I'm using freeradius 0.9.3 on a Linux server.
Everything is working well, but I get the accounting records for the dialup
users with the server time, and that gives me some problems since I have two
RADIUS systems.

Could you help me register the dialup calls with the Access
Server time in both the local records and the database
(Oracle) records?

 

Regards,

Nader Sayeh





WG: download from CVS and error to compile

2005-01-25 Thread matthiar
maybe the same problem on Solaris:
changing to the libltdl directory and doing
configure / make there results in "file not found",
which can be fixed by copying the Makefile
of stable 1.0.1 into that "libltdl" directory and
doing the make: the subdir compiles fine.

Similarly, editing the Makefile and replacing the
relative path to libltdl with the absolute path
seems to fix the problem.

... maybe some PATH has changed or
should be set differently now?

Kind regards
Matthias Rumitz
TC Unix / Netzwerke

- Original message -
From: Rohaizam Abu Bakar <[EMAIL PROTECTED]>
Date: Wednesday, January 26, 2005 5:15 am
Subject: download from CVS and error to compile

> FreeBSD: 4.10p4
> 
> Download the whole tree from CVS and try to compile..
> 
> # ./configure => OK
> 
> # make
> 
> Making all in libltdl...
> gmake[1]: Entering directory `/var/src/TEST3/radiusd/libltdl'
> gmake[1]: *** No rule to make target `all'.  Stop.
> gmake[1]: Leaving directory `/var/src/TEST3/radiusd/libltdl'
> gmake: *** [common] Error 1
> 
> Googled and found that a lot of people experiencing this 
> problem...  any work around?
> 
> thanks..
> 
> --haizam


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


performance of freeradius when access-request

2005-01-25 Thread Leo Lei
hi, all:

I was testing the performance of freeradius using radclient, and from
the result I think it's far away from what I need.

my configuration:
freeradius + pap/crypt + files(Exec-Program) + acct_unique +
realm/suffix + preprocess + expr

I wrote a script calling radclient, named aaaload, as follows:
#!/bin/bash
DICTIONARY=""
radclient=/usr/local/freeradius/bin/radclient
echo
(
echo "User-Name = \"demo\""
echo "User-Password = \"demo\""
echo "UserOrg = \"myorg.org\""
echo "ClientType = 4"
) | $radclient -c 200 $DICTIONARY -x 192.168.250.101 auth testing123

I ran the script aaaload twice (200 users):
time ./aaaload

OUTPUT1:
real    0m13.320s
user    0m0.164s
sys     0m0.176s
OUTPUT2:
real    0m13.516s
user    0m0.164s
sys     0m0.203s

Are there any official statistics about the performance? Or can anybody
point me to how to do better performance testing? Thanks.

[EMAIL PROTECTED] main]# cat /proc/cpuinfo 
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 15
model   : 2
model name  : Intel(R) Pentium(R) 4 CPU 2.40GHz
stepping: 9
cpu MHz : 2400.073
cache size  : 512 KB
fdiv_bug: no
hlt_bug : no
f00f_bug: no
coma_bug: no
fpu : yes
fpu_exception   : yes
cpuid level : 2
wp  : yes
flags   : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov 
pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm
bogomips: 4767.06


[EMAIL PROTECTED] main]# cat /proc/meminfo 
total:used:free:  shared: buffers:  cached:
Mem:  526266368 513994752 122716160 67158016 404652032
Swap: 1069277184 24186880 1045090304
MemTotal:   513932 kB
MemFree: 11984 kB
MemShared:   0 kB
Buffers: 65584 kB
Cached: 394900 kB
SwapCached:268 kB
Active: 287652 kB
Inact_dirty:152048 kB
Inact_clean: 34896 kB
Inact_target:94916 kB
HighTotal:   0 kB
HighFree:0 kB
LowTotal:   513932 kB
LowFree: 11984 kB
SwapTotal: 1044216 kB
SwapFree:  1020596 kB
Committed_AS:   129060 kB



Regards!


Leo Lei
[EMAIL PROTECTED]
2005-01-26





download from CVS and error to compile

2005-01-25 Thread Rohaizam Abu Bakar



FreeBSD: 4.10p4

Download the whole tree from CVS and try to compile..

# ./configure => OK

# make

Making all in libltdl...
gmake[1]: Entering directory `/var/src/TEST3/radiusd/libltdl'
gmake[1]: *** No rule to make target `all'.  Stop.
gmake[1]: Leaving directory `/var/src/TEST3/radiusd/libltdl'
gmake: *** [common] Error 1

Googled and found that a lot of people are experiencing this problem...  any workaround?

thanks..

--haizam


Re: RE: mysql ?

2005-01-25 Thread cris
I have zero "0" in mine... 
and all works well.



 Original Message 

==> From: " Joel Eddy" <[EMAIL PROTECTED]>
==> Date: Tue, 25 Jan 2005 17:41:21 -0600

I hate to be the one that asks the stupid question of the day but 
here goes. In the Table radgroupreply in database radius what goes in 
the prio entry?

 Joel




EAP authentication

2005-01-25 Thread Jacques VUVANT



Hi

I've tested EAP/TLS authentication with freeradius,
which works well. But it seems to work as well when the username (same name as
the certificate installed on the mobile PC) is removed from the users.conf file, i.e. EAP
authentication is still OK for this certificate removed from users.conf.

Does someone have an idea about it?

Does it mean that EAP doesn't use users.conf?

Why doesn't radwho work with EAP connections?

Thanks for any answer.

Jacques VUVANT


Re: Active Directory and FreeRadius

2005-01-25 Thread Dustin Doris

>   Hello all,
>   I am trying to configure FreeRadius to auth against Active
> Directory. I was wondering if anyone on the list has done this successfully.
> I thought the best way to go was to connect to A.D. as if it was an LDAP
> server, (please let me know if there is a better way).
>
> Any tips or docs would be greatly appreciated.
> Before anyone asks.I would love to use OpenLDAP instead, but that is not
> my karma.
>
> I started radiusd in debug mode and here is the output I am getting:
>
> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112,
> length=48
> User-Name = "deyoungb"
> User-Password = "secret"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> rlm_realm: No '@' in User-Name = "deyoungb", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
> users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for deyoungb
> radius_xlat:  '(cn=deyoungb)'
> radius_xlat:  'DC=am,DC=sony,DC=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 43.143.144.20:389, authentication 0
> rlm_ldap: bind as CN=~MyAccessAccount,OU=Service
> Accounts,DC=am,DC=sony,DC=com/very_secret to 43.143.144.20:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in DC=am,DC=sony,DC=com, with filter
> (cn=deyoungb)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user deyoungb authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0

Looks good up to here, then it switches to Auth-Type of System.

>   rad_check_password:  Found Auth-Type System
> auth: type "System"
>   ERROR: Unknown value specified for Auth-Type.  Cannot perform requested
> action.
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112,
> length=48
> Sending Access-Reject of id 112 to 43.191.104.141:2611
> --- Walking the entire request list ---
> Waking up in 3 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 112 with timestamp 41f6f231
> Nothing to do.  Sleeping until we see a request.
>
>

What is in your users file and the authenticate section of radiusd.conf?
Something is making it try System instead of Ldap for authentication.





Re: SQL db failover

2005-01-25 Thread Rohaizam Abu Bakar
Thanks.. Will try it out...
Do I need to make any additions/changes in the Makefile to compile
radsqlrelay...? If yes, what changes are needed..

thanks..
--haizam
- Original Message - 
From: "Nicolas Baradakis" <[EMAIL PROTECTED]>
To: 
Sent: Monday, January 24, 2005 19:16
Subject: Re: SQL db failover


Rohaizam Abu Bakar wrote:
> How can we possibly ensure that only when sql1 is down, the accounting
> will be sent to sql2..??
You might try a different approach:
 - store accounting in "detail" files (man rlm_detail)
 - run radsqlrelay to send accounting to the database (get it from a
   CVS snapshot)
Even if the SQL server is down for a day, radsqlrelay will buffer the
accounting packets and send them later.
The advantages:
 - all accounting goes into a single database (it's easier to check
   simultaneous logins)
 - even under high load radsqlrelay still sends accounting requests
   according to the SQL server's capabilities
 - you won't have a lot of outstanding requests on the RADIUS server
   when the SQL server is slow
--
Nicolas Baradakis


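An added example, not radsqlrelay and not code from this thread: a minimal store-and-forward replay of rlm_detail accounting records into a SQL table, in the spirit of what Nicolas describes above, which also derives the NAS-side event time that Nader Sayeh asks for at the top of the page (Event-Timestamp when the NAS sends one, otherwise the server's receive time minus Acct-Delay-Time, per RFC 2866). The sample records, the table layout and the textual rendering of Event-Timestamp are constructed assumptions; an in-memory sqlite database stands in for the Oracle/MySQL backend.

```python
import sqlite3
import time
from calendar import timegm

# Constructed sample detail file (rlm_detail layout: a date header line, one
# tab-indented "Attribute = value" line per attribute, blank line terminator).
# Record 2 is a NAS retransmission of record 1: same session, later arrival,
# larger Acct-Delay-Time.  Record 3 carries an Event-Timestamp from the NAS.
SAMPLE_DETAIL = """\
Tue Jan 25 10:05:12 2005
\tAcct-Session-Id = "0000A1B2"
\tAcct-Status-Type = Stop
\tUser-Name = "demo"
\tNAS-IP-Address = 192.168.250.101
\tAcct-Delay-Time = 7
\tAcct-Session-Time = 1800
\tTimestamp = 1106647512

Tue Jan 25 10:05:40 2005
\tAcct-Session-Id = "0000A1B2"
\tAcct-Status-Type = Stop
\tUser-Name = "demo"
\tNAS-IP-Address = 192.168.250.101
\tAcct-Delay-Time = 35
\tAcct-Session-Time = 1800
\tTimestamp = 1106647540

Tue Jan 25 11:00:00 2005
\tAcct-Session-Id = "0000A1B3"
\tAcct-Status-Type = Stop
\tUser-Name = "alice"
\tNAS-IP-Address = 192.168.250.102
\tEvent-Timestamp = "Jan 25 2005 10:59:30 UTC"
\tAcct-Session-Time = 60
\tTimestamp = 1106650800

"""

def parse_detail(text):
    """Yield one dict per record (attribute -> value, quotes stripped)."""
    record = {}
    for line in text.splitlines():
        if line[:1] in ("\t", " ") and " = " in line:
            name, _, value = line.strip().partition(" = ")
            record[name] = value.strip('"')
        elif not line.strip() and record:      # blank line closes the record
            yield record
            record = {}
    if record:
        yield record

def nas_event_time(rec):
    """NAS-side time of the event in epoch seconds."""
    if "Event-Timestamp" in rec:               # RFC 2869 attr 55: the NAS's own clock
        fmt = "%b %d %Y %H:%M:%S UTC"          # assumed rendering of the date type
        return timegm(time.strptime(rec["Event-Timestamp"], fmt))
    # Otherwise: server receive time minus how long the NAS spent retrying
    # this record (Acct-Delay-Time, RFC 2866 section 5.2).
    return int(rec["Timestamp"]) - int(rec.get("Acct-Delay-Time", 0))

SCHEMA = """CREATE TABLE IF NOT EXISTS radacct (
    nasipaddress TEXT, acctsessionid TEXT, acctstatustype TEXT,
    username TEXT, acctsessiontime INTEGER,
    event_time INTEGER, received_time INTEGER,
    PRIMARY KEY (nasipaddress, acctsessionid, acctstatustype))"""

def relay(records, conn):
    """Store-and-forward: insert what we can, return (inserted, still_pending).
    The primary key makes replay idempotent, so a retransmitted Stop record
    is ignored instead of being counted twice."""
    inserted, pending = 0, []
    for rec in records:
        try:
            cur = conn.execute(
                "INSERT OR IGNORE INTO radacct VALUES (?,?,?,?,?,?,?)",
                (rec["NAS-IP-Address"], rec["Acct-Session-Id"],
                 rec["Acct-Status-Type"], rec.get("User-Name"),
                 int(rec.get("Acct-Session-Time", 0)),
                 nas_event_time(rec), int(rec["Timestamp"])))
            conn.commit()
            inserted += cur.rowcount           # 0 when the row already existed
        except sqlite3.OperationalError:       # database unreachable: keep it
            pending.append(rec)
    return inserted, pending

def demo():
    records = list(parse_detail(SAMPLE_DETAIL))
    # Pass 1: the database is "down" (a connection without the radacct table
    # stands in for an unreachable server), so everything stays buffered.
    down = sqlite3.connect(":memory:")
    first, pending = relay(records, down)
    # Pass 2: the database is back, and the buffered records are replayed.
    up = sqlite3.connect(":memory:")
    up.execute(SCHEMA)
    second, pending = relay(pending, up)
    rows = up.execute("SELECT acctsessionid, username, event_time, received_time "
                      "FROM radacct ORDER BY acctsessionid").fetchall()
    return {"first_pass": first, "second_pass": second,
            "left_over": len(pending), "rows": rows}

if __name__ == "__main__":
    print(demo())
```

Both copies of session 0000A1B2 resolve to the same event time (receive time minus delay), which is the point of correcting with Acct-Delay-Time: the value no longer depends on when the retransmission happened to reach the server.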


Active Directory and FreeRadius

2005-01-25 Thread DeYoung, Brandon
Hello all,
I am trying to configure FreeRadius to auth against Active
Directory. I was wondering if anyone on the list has done this successfully.
I thought the best way to go was to connect to A.D. as if it was an LDAP
server, (please let me know if there is a better way).

Any tips or docs would be greatly appreciated.
Before anyone asks: I would love to use OpenLDAP instead, but that is not
my karma.

I started radiusd in debug mode and here is the output I am getting:

rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112,
length=48
User-Name = "deyoungb"
User-Password = "secret"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '@' in User-Name = "deyoungb", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for deyoungb
radius_xlat:  '(cn=deyoungb)'
radius_xlat:  'DC=am,DC=sony,DC=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 43.143.144.20:389, authentication 0
rlm_ldap: bind as CN=~MyAccessAccount,OU=Service
Accounts,DC=am,DC=sony,DC=com/very_secret to 43.143.144.20:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=am,DC=sony,DC=com, with filter
(cn=deyoungb)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user deyoungb authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested
action.
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112,
length=48
Sending Access-Reject of id 112 to 43.191.104.141:2611
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 112 with timestamp 41f6f231
Nothing to do.  Sleeping until we see a request.


Thanks in advance!
~Brandon




RE: mysql ?

2005-01-25 Thread Joel Eddy
I hate to be the one that asks the stupid question of the day but here goes.
In the Table radgroupreply in database radius what goes in
the prio entry?
Joel


Re: Cisco 2610 and freeradius-mysql..

2005-01-25 Thread Gerald Krause
[EMAIL PROTECTED] wrote:
Hi
I'm using freeradius + mysql and two cisco access servers (2610 and 5300).
I have group default defined in my database with an entry for
Called-Station-Id that looks like this:
+----+-----------+-------------------+----+-------+
| id | GroupName | Attribute         | op | Value |
+----+-----------+-------------------+----+-------+
|  1 | mygroup   | Auth-Type         | := | Local |
| 16 | mygroup   | Called-Station-Id | != | xxx   |
|  . | .         | .                 | .  | .     |
|  . | .         | .                 | .  | .     |
|  . | .         | .                 | .  | .     |
+----+-----------+-------------------+----+-------+
The problem is that every connection from the 5300 is OK, but all connections
from the 2610 fail.
If I delete the Called-Station-Id entry from my database, then there are no
connection errors from the 2610: everything works OK.
Looks like the 2610 does not send the Called-Station-Id, or sends a different
one than you expect it to send. Try some debugging and take a closer
look at the transmitted attributes.
--
Gerald


Re: Pbroblem with CRL check

2005-01-25 Thread Dean Michaels




1. Create a folder somewhere (doesn't matter where, as long as the
radiusd process can read it).
    # mkdir /my_ca

2. Copy your CA certs and your CRLs to .pem files into this directory. 
    # cp johns-cacert.pem /my_ca
    # cp johns-crl.pem /my_ca
    # cp jims-cacert.pem /my_ca
    # cp jims-crl.pem /my_ca
    ...
    ...

3. run c_rehash (/usr/local/bin/c_rehash?
/usr/local/ssl/bin/c_rehash? wherever OpenSSL put it).
    # c_rehash /my_ca
    Doing .
    jims-cacert.pem => 1987cbba.0
    johns-crl.pem => 033b73a6.r0
    johns-cacert.pem => 033b73a6.0
    jims-crl.pem => 1987cbba.r0
    ...
    ...
    #

4. edit eap.conf, commenting out CA_file, and specifying CA_path.
    tls  {
        ...
        ...
        #CA_file = ${raddbdir}/ca/cacert.pem
        CA_path = /my_ca
        check_crl = yes
        ...
        ...
    }

You can add and remove CA certs and CRL files as you choose to
trust or untrust them, on the fly. Just rerun "c_rehash /my_ca" every
time you do.

Dean.

Jacques VUVANT wrote:

   Hi all

   I've installed and use freeradius 1.0.1 for EAP/TLS
authentication. It works well without CRL. But each time I want to
activate check_crl = yes in the eap.conf file, authentication fails with
the following message:

   *** unable to get certificate CRL ***

   Can someone help me with the following questions:
   what does a crl file look like?
   where (directory) does it have to be?
   are some modifications needed in the .conf file?

   Thanks for any answer

   Jacques VUVANT






Total Control 1000; Connect speed accounting

2005-01-25 Thread David A. Allen

Greetings,

We are analyzing large amounts of RADIUS accounting data generated by Total
Control 1000 NAS, and finding some inconsistencies in connect speed reporting.

It seems USR-Speed-Of-Connection is logged in all stop records, but
USR-Final-Tx-Link-Data-Rate is logged for only most stop records (in other
words, some stop records are missing USR-Initial-Tx-Link-Data-Rate).

I guess my question is one or more of the following:
1. What data or value does 'USR-Speed-Of-Connection' really represent?
2. What data or value does 'USR-Final-Tx-Link-Data-Rate' really represent?
3. If I want to analyze average connect speeds, which field would be best to
analyze?  It feels like USR-Final-Tx-Link-Data-Rate is the one, but the fact
that it is not always reported really messes with our data.

I realize this is most likely a NAS question, and I am asking UT Starcom.  I am
just hoping someone on the list may have some experience with this.

Thanks, in advance, for any help/suggestions/pointers.


David A. Allen
Manager, Network Department
Great Works Internet
207-286-8686 x 106



Re: user account expiration question

2005-01-25 Thread Chuck
On Tuesday 25 January 2005 11:48 am, Alan DeKok wrote:
> Chuck <[EMAIL PROTECTED]> wrote:
> > I'm looking for something I can set date such as 02/02/2005
> > 
> > or some such syntax
> 
>   The server accepts dates like "January 1 2005 12:33:44"
> 
>   Very often in these cases, simply trying something that might work
> is a good idea.

Interesting. Thank you. I guess I'm a bit too literal sometimes. I read the 
attributes for it and consider it gospel especially when there is nothing to 
indicate that any other type of entry would not break it.

> 
>   Alan DeKok.
> 

-- 

Chuck

"Windows?? You mean the thirty-two bit extension and graphical shell to a 
sixteen-bit patch to an eight-bit operating system originally coded for a 
four-bit microprocessor which was written by a two-bit company that can't 
stand one bit of competition? Oh, that..." -- Lee Clarke




Re: user account expiration question

2005-01-25 Thread Alan DeKok
Chuck <[EMAIL PROTECTED]> wrote:
> I'm looking for something I can set date such as 02/02/2005
> 
> or some such syntax

  The server accepts dates like "January 1 2005 12:33:44"

  Very often in these cases, simply trying something that might work
is a good idea.

  Alan DeKok.



Ip pool address

2005-01-25 Thread alfonso . lazaro


hi people

does anyone know how to configure freeradius so that it dynamically
assigns IP addresses from several pools?


FILE: radius.conf 

ippool operaciones {
range-start = 10.192.129.10
range-stop = 10.192.129.127
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}

ippool redes {
range-start = 10.192.129.128
range-stop = 10.192.129.159
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}



FILE: users 

DEFAULT Auth-Type := LDAP
Fall-Through = 1


user1   Pool-Name=operaciones
user2   Pool-Name=redes



it does not work :(


thanks in advance
-- 
#
Alfonso Lazaro Tellez  <[EMAIL PROTECTED]>
c\Ribera del Sena s/n    Phone: 91202
Edificio APOT
Campo de las Naciones (Madrid)




Re: Authentication!!

2005-01-25 Thread Stefan . Neis
Kirti S. Bajwa wrote:

> rlm_chap: login attempt by "test" with CHAP password
> rlm_chap: Could not find clear text password for user
> test
> 
> I believe that the problem lies in the above description.
> If that is
> correct, why the password be clear test?

Sorry? Somehow that sentence seems to be missing
some word.

> I think somewhere a setting is missing!! HELP.

There are essentially two ways to represent a password:
cleartext or hashed. From the cleartext, you always can
get the hashed password but never vice versa. Even worse,
if you hash a password twice, it will be totally different the
second time and there is no way to get from one hashed form
to another hashed form or compare two hashes to check
if they "belong" to the same password.

Password verification now takes a hashed password and
a cleartext password and checks if the cleartext password can be
hashed to the hashed password.

So one side always has to provide the cleartext password.
Either you pass a clear text password from your computer
to the NAS which passes it to the radius server (and then,
the radius server only needs to know a password hash),
_or_ your computer only passes a hash to the NAS (based
on the clear text password you entered), then the cleartext
password needs to be stored on the radius server to be
able to do the password check.

In your case, either your computer connecting to the NAS
or the NAS seems to have "decided" (or is configured that
way) that passing the clear text password over the "line"
(or "air", if WLAN) would be too dangerous, so it's
transmitting a hashed password. Then, the radius server
needs to know the cleartext password.

So either store the cleartext passwords on the radius
server or change the NAS's (or user's computer's)
configuration to do "PAP" instead of "CHAP".

 HTH,
Stefan

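An added example, not code from the thread or from FreeRADIUS, illustrating Stefan's explanation above and the "Could not find clear text password" line from rlm_chap that Kirti quotes further down the page: it implements the CHAP response from RFC 1994 (MD5 over identifier, secret and challenge) and shows that a server holding only a password hash can verify PAP but has nothing to compare a CHAP response against. The user names, passwords, salt and challenge bytes are constructed for the demo.

```python
import hashlib
import hmac

# Constructed user store.  "test" is kept in cleartext (what rlm_chap needs);
# "bob" was stored only as a salted SHA-256 hash, as a PAP-only setup might do.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
USER_DB = {
    "test": {"cleartext": "testpw"},
    "bob": {"salt": _SALT, "hash": _hash_pw("bobpw", _SALT)},
}

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def server_verify_chap(username: str, identifier: int, challenge: bytes,
                       response: bytes) -> str:
    """What the RADIUS server can do with a CHAP response.
    Returns "ok", "reject", or "no-cleartext" (rlm_chap's failure in the thread)."""
    entry = USER_DB.get(username)
    if entry is None:
        return "reject"
    if "cleartext" not in entry:
        # Only a hash is stored: MD5(id || secret || challenge) cannot be
        # recomputed from it, so the response cannot be checked at all.
        return "no-cleartext"
    expected = chap_response(identifier, entry["cleartext"], challenge)
    return "ok" if hmac.compare_digest(expected, response) else "reject"

def server_verify_pap(username: str, password: str) -> str:
    """PAP: the cleartext password reaches the server, so a stored hash is enough."""
    entry = USER_DB.get(username)
    if entry is None:
        return "reject"
    if "cleartext" in entry:
        match = hmac.compare_digest(entry["cleartext"].encode(), password.encode())
    else:
        match = hmac.compare_digest(_hash_pw(password, entry["salt"]), entry["hash"])
    return "ok" if match else "reject"

def demo() -> dict:
    """Runs both methods against both users; the client/NAS side is simulated
    by computing the CHAP response from the password the user typed."""
    challenge = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # constructed
    ident = 1
    return {
        "chap test": server_verify_chap("test", ident, challenge,
                                        chap_response(ident, "testpw", challenge)),
        "chap test wrong": server_verify_chap("test", ident, challenge,
                                              chap_response(ident, "wrong", challenge)),
        "chap bob": server_verify_chap("bob", ident, challenge,
                                       chap_response(ident, "bobpw", challenge)),
        "pap bob": server_verify_pap("bob", "bobpw"),
        "pap bob wrong": server_verify_pap("bob", "wrong"),
        "pap test": server_verify_pap("test", "testpw"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```

The "chap bob" case is the situation in the thread: the NAS only forwards the MD5 response, and with nothing but a hash on file the server has to give up, which is why the choice is between storing cleartext passwords and switching the NAS to PAP.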


Re: Users comming from different Huntgroups

2005-01-25 Thread Florian Prester
Roger Peña Escobio wrote:
Message quoted from Florian Prester <[EMAIL PROTECTED]>:
 

Dustin Doris wrote:
   

[...]
 

You have serverB in both huntgroups.  The first one that matches will be
used.  Therefore, serverB will only be in the premium huntgroup.
 

Yes I know, because I want the premium people to be able to login at
every server (serverA and serverB).
Looking into the huntgroups file coming with the source code, the server
192.168.2.5 is in both huntgroups (alphen and business) as well!
I thought the procedure is like that:
The request is arriving, first the username is looked up, then (if) the
huntgroup is searched in the huntgroups file.
If the huntgroup is found, the IP address must match!!
But this looks like if a huntgroup is set, radius is looking for the
NAS-IP-Address in the huntgroups file and the first matching IP address
is taken, and therefore the corresponding huntgroup!!!
So how can I then manage to have two groups, where the normal users may
login from some NAS and the premium users may login from the same and
some more!!
   

What about checking Group and not NAS-IP for the premium group, and Group _and_
NAS-IP for the normal group, in the users file?
I think that what you want to do is easier without huntgroups at all, just
using NAS-IP-Address and Group member (rad)checking in the users file.
roger

--
Central node of the Infomed network (http://www.sld.cu)
Linux user: 97152   (http://counter.li.org)
Member of the LinuxCuba coordination group (http://www.linux.cu)
"Whatever you do will be insignificant, but it is very important
that you do it."
  Gandhi
--
-
This message was sent using Infomed's webmail service
http://webmail.sld.cu
 

Hi,
but i do not want to work with UNIX-groups on the server.
florian


Authentication!!

2005-01-25 Thread Kirti S. Bajwa
Hello List:

RH9
freeRadius-1.0.1

First I want to admit that I am a newbie to both LINUX & freeRadius:

I have setup a freshly installed freeRadius server. I tested this server by
'radtest' and then 'NTRagPing' utility. The freeRADIUS server authenticates
like a charm.

Now I set up a 3Com NAS. When I dial-in, authentication is rejected. To
investigate the problem, I started the freeRADIUS server in debug mode
'radiusd -X'. After looking into output from the RADIUS Server's debug mode,
I noticed the following lines:

rlm_chap: login attempt by "test" with CHAP password
rlm_chap: Could not find clear text password for user test

I believe that the problem lies in the above description. If that is
correct, why the password be clear test? I think somewhere a setting is
missing!! HELP.

Need more explanation, please ask.

Kirti



Re: eap-md5 with ldap backend

2005-01-25 Thread Matt Moore
Kostas - Thank you.  I had misunderstood this section
(obviously) in what I had read.  The explanation below
helps a lot...

All is working now.

Thanks,
Matt

--- Kostas Kalevras <[EMAIL PROTECTED]> wrote:
...
> You are setting Auth-Type to LDAP. The ldap module
> does not perform 
> authentication, the eap module does. The ldap module
> will just extract the user 
> password (in the authorize phase). Freeradius should
> be able to figure out things 
> on it's own without you having to worry about
> setting Auth-Type to anything.
> 
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED] National Technical University of
> Athens, Greece
> Work Phone:   +30 210 7721861
> 'Go back to the shadow'   Gandalf
> 
> 







Re: Freeradius hangs after a HUP

2005-01-25 Thread Stefan . Neis
Joe H wrote:
> I updated all the server to freebsd 4.10 
(snipp)
> Program received signal SIGTERM, Terminated.
> 0x10250654 in __sys_poll () from /usr/lib/libc_r.so.4
> 
> I'm not sure how helpful that will be to anyone but it's
> all the information it showed.

Sounds like it's telling you that everything is OK...
Some very wild guessing:
I'm wondering if there might be some problem with
signal handling. IIRC there are some subtle differences
between BSD and System V signal handling.
Maybe ignoring the TERM signal during cleanup
doesn't work quite as intended or something similar?
Doing some experiments  with other signal 
processing functions (sigprocmask,sigaction) to
replace "signal(SIGTERM, SIG_IGN);" or adding
some output to the signal handling functions so
you do see when they are called during shutdown
might turn up something...

 HTH,
  Stefan



Re: user account expiration question

2005-01-25 Thread Chuck
On Tuesday 25 January 2005 04:38 am, Albert Miles Enabe wrote:

That one is of type date with the following attribute:

#   date- 32 bit value in big endian order - seconds since
#   00:00:00 GMT,  Jan.  1,  1970


I'm looking for something I can set date such as 02/02/2005

or some such syntax


> Try the Expiration attribute in radcheck table.
>  
> Chuck <[EMAIL PROTECTED]> wrote:
> is there something easier to use than the Expire check item to expire users
> on or after a certain date to trigger a deny response? No one in his right mind
> is going to sit there and even use a calculator for the number of seconds
> since some date in 1970!
> 
> Isn't there some check item where I can just enter a normal date format?
> 
> -- 
> 
> Chuck
> 
> "Windows?? You mean the thirty-two bit extension and graphical shell to a 
> sixteen-bit patch to an eight-bit operating system originally coded for a 
> four-bit microprocessor which was written by a two-bit company that can't 
> stand one bit of competition? Oh, that..." -- Lee Clarke
> 
> 

-- 

Chuck

"Windows?? You mean the thirty-two bit extension and graphical shell to a 
sixteen-bit patch to an eight-bit operating system originally coded for a 
four-bit microprocessor which was written by a two-bit company that can't 
stand one bit of competition? Oh, that..." -- Lee Clarke




Re: Testing and/or monitoring freeradius with PEAP

2005-01-25 Thread Stefan . Neis
Ron Wahler wrote:
> There is a test tool to send an eap request to the
> radius Server with a test user.
> You could send a test authentication
> Off every so often with a script to monitor it's status.

Is that "radeapclient" you're referring to?
Well, I understood how to make it send an EAP-MD5
request ...

> I've got freeradius setup to authenticate wireless
> clients with
> PEAP/MSCHAP (to an Active Directory backend) and now I'm
> looking for a
> way to test/monitor the radius server. 

... but how would you get it to do PEAP/something or
EAP-TTLS/something?

Regards,
Stefan



Re: eap-md5 with ldap backend

2005-01-25 Thread Kostas Kalevras
On Mon, 24 Jan 2005, Matt Moore wrote:
Hey, Thanks for the help...
Still having difficulty, although I think you are
right on target.
LDAP appear to respond correctly then Radius states
that the User-Password attribute is missing.  Isn't
this what I set with the ldap.attrmap and
dictionary_mapping in the radiusd.conf?
Here are snippets from configs and the radiusd -X
output for the failed eap request...
Please let me know if more is needed.
Thanks,
Matt
DEFAULT Auth-Type := LDAP
Fall-Through = 1
You are setting Auth-Type to LDAP. The ldap module does not perform
authentication, the eap module does. The ldap module will just extract the user
password (in the authorize phase). Freeradius should be able to figure out things
on its own without you having to worry about setting Auth-Type to anything.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: peap problems

2005-01-25 Thread Michael Griego
I'm guessing you're using the Windows XP supplicant?  This looks like a 
classic case of your CA certificate not being present on the client machine.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

ealatalo wrote:
Quoting Jacques VUVANT <[EMAIL PROTECTED]>:

Hello T
It seems that the user doesn't exist in users.conf
Jacques

Problem was that I had changed the detail NT_Domain_hack = yes. Now I changed it back
to "no" and that problem is solved. But now I get the following new problem. :(

Ready to process requests.
rad_recv: Access-Request packet from host 10.50.50.13:1117, id=92, length=141
User-Name = "TWIRE12\\jaskajok"
NAS-IP-Address = 10.50.50.13
Called-Station-Id = "00034715cbc3"
Calling-Station-Id = "00022d1d5cb1"
NAS-Identifier = "WARLORD1"
NAS-Port = 29
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
Message-Authenticator = 0x08a61ed2a9cfdf1b75fddc6da963f23a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "TWIRE12\jaskajok", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 156
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 92 to 10.50.50.13:1117
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xe6b4b0ad3e594db130de344878b1cd7c
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 92 with timestamp 41f6af2e
Nothing to do.  Sleeping until we see a request.

part of eap.conf
default_eap_type = peap
...
tls {
private_key_password = arvaatko
private_key_file = ${raddbdir}/varmenteet/palvelin-key.pem
#  If Private key & Certificate are located in
#  the same file, then private_key_file &
#  certificate_file must contain the same file
#  name.
certificate_file = ${raddbdir}/varmenteet/palvelin-crt.pem
#  Trusted Root CA list
CA_file = ${raddbdir}/varmenteet/CA-crt.pem
dh_file = ${raddbdir}/varmenteet/certs/dh
random_file = ${raddbdir}/varmenteet/certs/random
...
peap {
default_eap_type = mschapv2
}
**
part of users
jaskajok	User-Password == "Reititys2"
Framed-IP-Address = 10.50.50.12,
Framed-IP-Netmask = 255.255.255.0
***
radiusd.conf -no changes made
***

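The two EAP-Message values in the debug output above can be read by hand, and doing so shows where the conversation stopped. The decoder below is an added example, not code from the post or from FreeRADIUS: it parses the EAP header (Code, Identifier, Length, Type from RFC 3748) and, for Identity and PEAP/EAP-TLS/EAP-TTLS payloads, the fields behind it. The type numbers and the L/M/S flag bits are the standard ones; the only inputs are the two hex strings copied from the log, and the DOMAIN\user splitter is the example's own helper.

```python
# Added example: decode EAP-Message attribute values as printed by radiusd -X.
# Layout (RFC 3748): Code(1) Identifier(1) Length(2, big-endian) Type(1) Type-Data.
# For EAP-TLS/TTLS/PEAP the byte after Type is a flags byte: L=0x80 (total length
# follows), M=0x40 (more fragments), S=0x20 (start); TTLS/PEAP keep their
# protocol version in the low three bits.

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2",
}
TLS_BASED = {13, 21, 25}


def decode_eap(hexstr):
    """Return a dict describing one EAP packet given its hex string (0x prefix optional)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # A NAS splits long EAP packets across several EAP-Message attributes;
        # this decoder expects the reassembled packet, so treat a mismatch as an error.
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code not in (1, 2):
        return info  # Success and Failure carry no Type or data
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    eap_type, data = raw[4], raw[5:]
    info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    if eap_type == 1:
        info["identity"] = data.decode("utf-8", "replace")
    elif eap_type in TLS_BASED and data:
        flags = data[0]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        if eap_type in (21, 25):
            info["version"] = flags & 0x07
        # With L set, four bytes of total TLS length sit between the flags and the payload.
        payload = data[5:] if flags & 0x80 else data[1:]
        info["tls_payload_len"] = len(payload)
    return info


def split_nt_identity(identity):
    """Split a DOMAIN\\user identity into (domain, user); domain is None if absent."""
    domain, sep, user = identity.partition("\\")
    return (domain, user) if sep else (None, identity)


if __name__ == "__main__":
    # Sample inputs: the two EAP-Message values from the debug log in this thread.
    for sample in ("0x0201001501545749524531325c6a61736b616a6f6b", "0x010200061920"):
        print(sample, "->", decode_eap(sample))
    print(split_nt_identity("TWIRE12\\jaskajok"))
```

Run on the log's values, the Access-Request carries an EAP Response/Identity for "TWIRE12\jaskajok" (which is why the `jaskajok` entry in `users` did not match and the log shows "Matched DEFAULT"), and the Access-Challenge carries a PEAP Request with only the S flag set and no TLS payload: the PEAP Start that rlm_eap_tls logged as "Initiate". The next packet from the supplicant should carry the TLS ClientHello; nothing after that point appears in the log.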


Re: Pbroblem with CRL check

2005-01-25 Thread Michael Griego
For the way the server works currently, you will need to append your CRL 
file to the end of your CA certificate.  When FreeRADIUS reads in the CA 
certificate, it will get your CRL as well.  You must generate your own 
CRL using the openssl commands.  See "man crl" for more information.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Jacques VUVANT wrote:
Hi all
 
I've installed and use freeradius 1.0.1 for EAP/TLS authentication. It 
works well without a CRL. But each time I want to activate check_crl = yes 
in the eap.conf file, authentication fails with the following message:
 
*** unable to get certificate CRL***
 
Can someone help me with the following questions:
what does the crl file look like?
where (directory) does it have to be?
are there modifications to make in the .conf file?
 
Thanks for any answer
 
Jacques VUVANT
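What Mike describes can be exercised end to end with the openssl command line before touching eap.conf. The script below is an added example, not code from the post or from FreeRADIUS: it creates a throwaway CA and two client certificates, revokes one of them, generates a CRL with `openssl ca -gencrl`, and runs `openssl verify -crl_check` (the same check OpenSSL performs for the server when check_crl = yes) first against the bare CA file and then against the CA file with the CRL appended. The first run reproduces the "unable to get certificate CRL" error from Jacques' message; the second accepts the valid certificate and rejects the revoked one. The file names (CA-crt.pem, crl.pem, CA-with-crl.pem), the minimal openssl.cnf and the subject names are the example's own; it needs the openssl binary and writes only into a temporary directory.

```python
# Added example: build a CA, issue and revoke certificates, generate a CRL and
# show why the CRL has to be appended to the file named in CA_file.
# Requires the openssl command-line tool; everything lives in a temp directory.
import os
import subprocess
import tempfile

# Minimal configuration for "openssl ca" (-revoke / -gencrl) and "openssl req"
# (empty DN section so -subj is used without prompting).  Example-only values.
OPENSSL_CNF = """\
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
certificate      = $dir/CA-crt.pem
private_key      = $dir/CA-key.pem
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
"""


def openssl(args, cwd, check=True):
    """Run one openssl command in cwd; return combined stdout+stderr."""
    proc = subprocess.run(["openssl", *args], cwd=cwd, text=True,
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    if check and proc.returncode != 0:
        raise RuntimeError(f"openssl {args[0]} failed:\n{proc.stdout}")
    return proc.stdout


def issue_cert(cn, cwd):
    """Create a key and CSR for cn, sign it with the demo CA, return the cert file name."""
    openssl(["req", "-config", "openssl.cnf", "-newkey", "rsa:2048", "-nodes",
             "-keyout", f"{cn}-key.pem", "-out", f"{cn}.csr", "-subj", f"/CN={cn}"], cwd)
    openssl(["x509", "-req", "-in", f"{cn}.csr", "-CA", "CA-crt.pem", "-CAkey", "CA-key.pem",
             "-CAcreateserial", "-days", "30", "-out", f"{cn}-crt.pem"], cwd)
    return f"{cn}-crt.pem"


def verify(cert, ca_file, cwd):
    """openssl verify -crl_check against ca_file; output text is returned, never raised."""
    return openssl(["verify", "-crl_check", "-CAfile", ca_file, cert], cwd, check=False)


def demo():
    """Return verify output for: no CRL, valid cert with CRL, revoked cert with CRL."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "openssl.cnf"), "w") as f:
            f.write(OPENSSL_CNF)
        open(os.path.join(d, "index.txt"), "w").close()      # empty CA database
        with open(os.path.join(d, "serial"), "w") as f:
            f.write("01\n")
        openssl(["req", "-config", "openssl.cnf", "-x509", "-newkey", "rsa:2048", "-nodes",
                 "-days", "30", "-subj", "/CN=Demo CA", "-keyout", "CA-key.pem",
                 "-out", "CA-crt.pem"], d)
        valid = issue_cert("alice", d)
        revoked = issue_cert("bob", d)

        # With no CRL available, -crl_check cannot complete: the error in the post.
        without_crl = verify(valid, "CA-crt.pem", d)

        # Revoke bob, generate the CRL, then append it to the CA certificate file,
        # which is the only file the server reads for trust material.
        openssl(["ca", "-config", "openssl.cnf", "-revoke", revoked], d)
        openssl(["ca", "-config", "openssl.cnf", "-gencrl", "-crldays", "30", "-out", "crl.pem"], d)
        with open(os.path.join(d, "CA-with-crl.pem"), "w") as combined:
            for name in ("CA-crt.pem", "crl.pem"):
                with open(os.path.join(d, name)) as part:
                    combined.write(part.read())

        return {
            "without_crl": without_crl,
            "valid_with_crl": verify(valid, "CA-with-crl.pem", d),
            "revoked_with_crl": verify(revoked, "CA-with-crl.pem", d),
        }


if __name__ == "__main__":
    for name, output in demo().items():
        print(f"== {name}\n{output}")
```

The combined file is what goes into CA_file. Because the CRL carries a nextUpdate date (30 days here), the appended copy has to be regenerated and re-appended before it lapses, otherwise every authentication fails with a CRL error again rather than silently accepting revoked certificates.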


RE:peap problems

2005-01-25 Thread ealatalo
Quoting Jacques VUVANT <[EMAIL PROTECTED]>:

> Hello T
> 
> It seems that the user doesn't exist in users.conf
> 
> Jacques


The problem was that I had changed NT_Domain_hack = yes. Now I have changed it back
to "no" and that problem is solved. But now I get the following new problem. :( 


Ready to process requests.
rad_recv: Access-Request packet from host 10.50.50.13:1117, id=92, length=141
User-Name = "TWIRE12\\jaskajok"
NAS-IP-Address = 10.50.50.13
Called-Station-Id = "00034715cbc3"
Calling-Station-Id = "00022d1d5cb1"
NAS-Identifier = "WARLORD1"
NAS-Port = 29
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
Message-Authenticator = 0x08a61ed2a9cfdf1b75fddc6da963f23a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "TWIRE12\jaskajok", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 156
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 92 to 10.50.50.13:1117
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xe6b4b0ad3e594db130de344878b1cd7c
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 92 with timestamp 41f6af2e
Nothing to do.  Sleeping until we see a request.



part of eap.conf

default_eap_type = peap
...
tls {
private_key_password = arvaatko
private_key_file = ${raddbdir}/varmenteet/palvelin-key.pem

#  If Private key & Certificate are located in
#  the same file, then private_key_file &
#  certificate_file must contain the same file
#  name.
certificate_file = ${raddbdir}/varmenteet/palvelin-crt.pem

#  Trusted Root CA list
CA_file = ${raddbdir}/varmenteet/CA-crt.pem

dh_file = ${raddbdir}/varmenteet/certs/dh
random_file = ${raddbdir}/varmenteet/certs/random

...

peap {
default_eap_type = mschapv2
}
**
part of users


jaskajok	User-Password == "Reititys2"
Framed-IP-Address = 10.50.50.12,
Framed-IP-Netmask = 255.255.255.0

***
radiusd.conf -no changes made
***






freeradius + NT

2005-01-25 Thread Alexandre Durand
Hi,

I would like to use freeradius with an NT domain and the PEAP method.

I integrated a Linux box with freeradius into the NT4 domain. I want to use samba + winbind.

I see groups and users on the local Linux box.

What is the configuration in the freeradius files? I suppose I have to use ntlm_auth?

Can you help me make freeradius work with an NT domain?

Thanks.


Re: user account expiration question

2005-01-25 Thread Albert Miles Enabe
Try the Expiration attribute in radcheck table.
 
Chuck <[EMAIL PROTECTED]> wrote:

Is there something easier to use than the Expire check item to expire users on or after a certain date to trigger a deny response? No one in his right mind is going to sit there and even use a calculator for the number of seconds since some date in 1970! Isn't there some check item where I can just enter a normal date format?

-- 
Chuck

"Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that..." -- Lee Clarke
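The Expiration check item takes a human-readable date, which is what Chuck is asking for: in the users file it is written as `chuck  Expiration := "Jan 31 2005"`, and in the SQL radcheck table as a row with attribute Expiration, op := and the date as the value. The code below is an added example, not FreeRADIUS code: a small model of how the server's expiration handling behaves (reject once the date has passed, otherwise accept and cap Session-Timeout so the session ends at the expiry time). The accepted date forms, "Mon DD YYYY" with an optional "HH:MM:SS", are two of the spellings FreeRADIUS understands; the user name and dates are constructed for the example.

```python
# Added example: a model of how an Expiration check item is evaluated.
# Not FreeRADIUS code; it mirrors the observable behaviour of the expiration
# module: reject after the date, otherwise bound Session-Timeout to the time left.
from datetime import datetime

# Example subset of the date spellings FreeRADIUS accepts; a bare date means
# midnight at the start of that day, local time.
DATE_FORMATS = ("%b %d %Y %H:%M:%S", "%b %d %Y")


def parse_expiration(value):
    """Turn the text of an Expiration check item into a naive local datetime."""
    text = value.strip().strip('"')
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unparseable Expiration value: {value!r}")


def _as_datetime(value):
    """Accept either a datetime or a date string in the same format (handy for tests)."""
    return value if isinstance(value, datetime) else parse_expiration(value)


def check_expiration(check_items, now, session_timeout=None):
    """Evaluate the user's check items at time `now`.

    check_items: dict of check attributes as the files or sql module would supply
                 them, e.g. {"Expiration": "Jan 31 2005"}.
    session_timeout: an existing Session-Timeout reply item in seconds, if any.
    Returns ("reject", None) or ("accept", session_timeout_seconds_or_None).
    """
    if "Expiration" not in check_items:
        return "accept", session_timeout             # nothing to enforce
    expiry = parse_expiration(check_items["Expiration"])
    remaining = int((expiry - _as_datetime(now)).total_seconds())
    if remaining <= 0:
        return "reject", None                         # account has expired
    if session_timeout is None or session_timeout > remaining:
        session_timeout = remaining                   # end the session at expiry
    return "accept", session_timeout


if __name__ == "__main__":
    # Constructed sample: an account expiring on 2005-01-31, checked from the day
    # of this thread and again a week later.
    user = {"Expiration": "Jan 31 2005"}
    print(check_expiration(user, "Jan 25 2005 12:00:00"))   # accept, 5.5 days left
    print(check_expiration(user, "Feb 01 2005 12:00:00"))   # reject
```

Note that the check compares against the server's clock in its local time zone; a NAS in another zone will see the cut-off shifted accordingly, so a time of day in the value is only meaningful relative to the RADIUS server.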

freeradius + active directory

2005-01-25 Thread Alexandre Durand
Hi,

I would like to use freeradius with an NT domain and the PEAP method.

I integrated a Linux box with freeradius into the NT4 domain. I want to use samba + winbind.

I see groups and users on the local Linux box.

What is the configuration in the freeradius files? I suppose I have to use ntlm_auth?

Can you help me make freeradius work with an NT domain?

Thanks.