Exec-Program in acct_users doesn't work
Hi, I have a problem with Accounting-script-execution in raddb/acct_users:

DEFAULT Acct-Status-Type == Stop
        Exec-Program = "echo PRUEBA > /home/pru.txt"

The file where the program writes has write permission for everybody:

-rw-rw-rw- 1 root root 0 mar 11 08:36 pru.txt

I execute radiusd as root in debug mode:

# radiusd -s -X

The log appears to be OK but it doesn't execute the script:

rad_recv: Accounting-Request packet from host 10.1.1.200:1646, id=13, length=333
        Acct-Session-Id = 0022
        Called-Station-Id = 0002.8a79.c907
        Calling-Station-Id = 000c.42c8.5h5e
        Cisco-AVPair = ssid=SSID
        Cisco-AVPair = nas-location=unspecified
        Cisco-AVPair = vlan-id=346
        Cisco-AVPair = auth-algo-type=eap-ttls
        Acct-Authentic = RADIUS
        Cisco-AVPair = connect-progress=Call Up
        Acct-Session-Time = 135
        Acct-Input-Octets = 132828
        Acct-Output-Octets = 291212
        Acct-Input-Packets = 503
        Acct-Output-Packets = 478
        Acct-Terminate-Cause = Lost-Carrier
        Cisco-AVPair = disc-cause-ext=No Reason
        User-Name = user
        Acct-Status-Type = Stop
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = 284
        NAS-Port = 284
        Service-Type = Framed-User
        NAS-IP-Address = 10.1.1.200
        Acct-Delay-Time = 0
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 12
  modcall[preacct]: module preprocess returns noop for request 12
  rlm_acct_unique: Hashing 'NAS-Port = 284,Client-IP-Address = 10.1.1.200,NAS-IP-Address = 10.1.1.200,Acct-Session-Id = 0022,User-Name = user'
  rlm_acct_unique: Acct-Unique-Session-ID = 8407a49fc8bced26.
  modcall[preacct]: module acct_unique returns ok for request 12
    rlm_realm: No '@' in User-Name = user, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Adding Stripped-User-Name = user
    rlm_realm: Proxying request from user user to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Accounting realm is LOCAL.
  modcall[preacct]: module suffix returns noop for request 12
    acct_users: Matched DEFAULT at 10
  modcall[preacct]: module files returns ok for request 12
modcall: group preacct returns ok for request 12
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 12
radius_xlat: '/var/log/radius/radacct/10.1.1.200/detail-20050311'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.1.1.200/detail-20050311
  modcall[accounting]: module detail returns ok for request 12
  modcall[accounting]: module unix returns ok for request 12
radius_xlat: '/var/log/radius/radutmp'
radius_xlat: 'user'
  modcall[accounting]: module radutmp returns ok for request 12
modcall: group accounting returns ok for request 12
radius_xlat: 'echo PRUEBA > /home/pru.txt'
Exec-Program: echo PRUEBA > /home/pru.txt
Sending Accounting-Response of id 13 to 10.1.1.200:1646
Finished request 12
Going to the next request

The detail log works perfectly and the authentication/authorization too (EAP-TTLS, PAP, with LDAP users), but the Exec-Program doesn't work. I've tried with 'Exec-Program = logger stop-received' but nothing happens. It's the same with CentOS 3.4 (like RHEL3 update 4, freeradius-1.0.1) and CentOS 4 (like RHEL4, freeradius 1.0.1-2). Does anybody have the same problem? Am I doing something wrong?

Thanks in advance for any help,
Luis A. Herrero

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950
> You are missing:
>
> aaa authentication network default group radius
>
> The attributes you posted earlier are correct. You can also specify the VLAN name instead of the number, which may help you if the VLAN ids are different on different networks.
>
> --
> DaveD

Thanks for the help, but my switch doesn't know this command. Is it possible that IOS 12.1(11)EA does not support VLAN assignment with 802.1x?

> On Mar 10, 2005, at 7:51 AM, Horschtel wrote:
> > I tried, but it doesn't work. I tried another radius server and it failed also. In the properties of Attribute 81 I see it should be a string. So I think I made a mistake in the switch configuration. I post the configuration here:
> >
> > Current configuration : 3985 bytes
> > !
> > version 12.1
> > no service pad
> > service timestamps debug uptime
> > service timestamps log uptime
> > service password-encryption
> > !
> > hostname rum34
> > !
> > aaa new-model
> > aaa authentication login default line enable
> > aaa authentication dot1x default group radius
> > enable secret 5 .
> > enable password 7
> > !
> > ip subnet-zero
> > ip domain-name mms-dresden.de
> > !
> > !
> > spanning-tree extend system-id
> > no spanning-tree vlan 65
> > no spanning-tree vlan 255
> > !
> > !
> > interface FastEthernet0/1
> >  switchport mode trunk
> >  no ip address
> > !
> > interface FastEthernet0/2
> >  switchport access vlan dynamic
> >  switchport mode access
> >  no ip address
> >  spanning-tree portfast
> > !
> > interface FastEthernet0/3
> >  switchport mode access
> >  no ip address
> > !
> > interface FastEthernet0/4
> >  no ip address
> > !
> > interface FastEthernet0/5
> >  no ip address
> >  shutdown
> > !
> > interface FastEthernet0/6
> >  no ip address
> > !
> > interface FastEthernet0/7
> >  no ip address
> > !
> > interface FastEthernet0/8
> >  no ip address
> > !
> > interface FastEthernet0/9
> >  switchport mode access
> >  no ip address
> >  dot1x port-control auto
> > !
> > interface FastEthernet0/10
> >  no ip address
> > !
> > interface FastEthernet0/11
> >  no ip address
> > !
> > interface FastEthernet0/12
> >  no ip address
> > !
> > interface GigabitEthernet0/1
> >  no ip address
> > !
> > interface GigabitEthernet0/2
> >  no ip address
> > !
> > interface Vlan1
> >  ip address xxx.xxx.xxx.209 255.255.255.0
> >  no ip route-cache
> > !
> > ip default-gateway xxx.xxx.xxx.1
> > ip http server
> > !
> > snmp-server engineID local 8009030BBE855001
> > snmp-server group grp_snmp v3 auth
> > snmp-server community xxx RO
> > snmp-server enable traps snmp linkdown linkup
> > snmp-server host xxx.xxx.xxx.101 version 2c pub
> > radius-server host xxx.xxx.xxx.2 auth-port 1812 acct-port 1813 key xxx
> > radius-server retransmit 3
> > !
> > line con 0
> >  ip netmask-format decimal
> > line vty 0 4
> >  password 7 x
> > line vty 5 15
> >  password 7 xx
> > !
> > ntp clock-period 17179903
> > ntp server xxx.xxx.xxx.196
> > end
> >
> > -- Original Message --
> > From: David ROUMANET [EMAIL PROTECTED]
> > Reply-To: freeradius-users@lists.freeradius.org
> > Date: Thu, 10 Mar 2005 10:27:28 +0100
> >
> > > Try this :
> > >
> > > Tunnel-Type := VLAN,
> > > Tunnel-Medium-Type := IEEE-802,
> > > Tunnel-Private-Group-Id := 13,
> > >
> > > It works on my FreeRADIUS
> > >
> > > Horschtel wrote:
> > > > Hi, my situation is that freeradius gives the switch wrong attribute parameters. The users config file says:
> > > >
> > > > Username Auth-Type == EAP, User-Password == xxx
> > > >         Framed-Type = Framed,
> > > >         Tunnel-Medium-Type:1 = 6,
> > > >         Tunnel-Type:1 = 13,
> > > >         Tunnel-Private-Group-ID:1 = 13
> > > >
> > > > In the freeradius debugging I can see:
> > > > ..
> > > > Sending Access-Accept of id 59 to xxx.xxx.xxx.xxx:1812
> > > >         Tunnel-Medium-Type:1 = IEEE-802
> > > >         Tunnel-Type:1 = VLAN
> > > >         Tunnel-Private-Group-Id = 13
> > > >
> > > > and that's the problem. I think the Tunnel-Private-Group-Id is no longer an Integer.
> > > >
> > > > The Switch Radius Debug:
> > > > 04:57:06: Attribute 65 6 0106
> > > > 04:57:06: Attribute 64 6 010D
> > > > 04:57:06: Attribute 81 5 0131334F
> > > >
> > > > Attribute 65 and 64 are ok but Attribute 81 is the problem
> > > >
> > > > Sent via the WebMail system at oleco.net
> > >
> > > --
> > > CICG http://www.grenet.fr/
> > > David ROUMANET Tel : 04 76 51 46 08
> > > Centre InterUniversitaire de Calcul Grenoblois
> >
> > Sent via the WebMail system at oleco.net

Sent via the WebMail system at oleco.net
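The three attributes in this thread are RFC 2868 tagged attributes, and the switch debug quoted above (Attribute 64 and 65 with length 6, Attribute 81 with length 5) is what a correct encoding looks like on the wire: the two integer attributes carry a one-octet tag followed by a three-octet value, and Tunnel-Private-Group-ID is a tagged string, so VLAN 13 is sent as the tag byte followed by the two ASCII characters "1" and "3", not as a binary integer. The Python below is an added example, not code from any poster and not FreeRADIUS code; it encodes the VLAN assignment the way a RADIUS server places it in an Access-Accept and decodes it the way a switch reads it. Tag 1 (the ":1" suffix in the users file) and VLAN 13 are taken from the thread; the layout is RFC 2868, with Tunnel-Type 13 (VLAN) from RFC 3580 and Tunnel-Medium-Type 6 (IEEE-802).

```python
import struct

# RADIUS attribute numbers (RFC 2868) and the values used for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN = 13        # Tunnel-Type value for VLAN (RFC 3580)
IEEE_802 = 6     # Tunnel-Medium-Type value for 802 media (RFC 2868)

def tagged_int(attr, value, tag=1):
    """Tagged integer AVP: Type, Length = 6, Tag (1 octet), Value (3 octets)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("only 24 bits remain for the value once the tag is used")
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr, text, tag=1):
    """Tagged string AVP: Type, Length, Tag (1 octet), String. The VLAN id is
    carried as text: '13' is the two bytes 0x31 0x33, never a binary 13."""
    data = text.encode("ascii")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if len(data) + 3 > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BBB", attr, len(data) + 3, tag) + data

def vlan_assignment(vlan, tag=1):
    """The reply attributes the users file entry in the thread produces."""
    return (tagged_int(TUNNEL_TYPE, VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag))

def parse(buf):
    """Walk a run of AVPs as a switch would; return {attr: (tag, value)} for
    the three tunnel attributes, ignoring everything else."""
    out = {}
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated AVP header")
        attr, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad AVP length")
        body = buf[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 octets")
            out[attr] = (body[0], int.from_bytes(body[1:], "big"))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            if not body:
                raise ValueError("empty Tunnel-Private-Group-ID")
            # RFC 2868 s.3.6: a first octet above 0x1F is not a tag but part
            # of the string, i.e. the attribute is untagged.
            if body[0] > 0x1F:
                out[attr] = (0, body.decode("ascii"))
            else:
                out[attr] = (body[0], body[1:].decode("ascii"))
        i += length
    return out

if __name__ == "__main__":
    wire = vlan_assignment(13)
    print(wire.hex())          # 40060100000d 410601000006 5105013133
    print(parse(wire))
```

The decoded form of the 81/5 attribute, (1, "13"), is exactly what "Attribute 81 5 ..." in the switch debug carries, so the server side of that thread was already correct and the switch's IOS was the variable to check.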
Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950
On Friday, 11 March 2005 09:24, Horschtel wrote:
> Thanks for the help, but my switch doesn't know this command. Is it possible that IOS 12.1(11)EA does not support VLAN assignment with 802.1x?

Yes. Be careful with the IOS versions. Older versions do not have this feature implemented. You have to install a quite new IOS. I also had problems with a 2950. No problem with a new IOS and a 3550.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Re: freeradius daemon
I've never used OSX, so I don't know about the "no daemons" thing, but if you really, really can't run it as a daemon, maybe you could use daemontools? http://cr.yp.to/daemontools.html

On Thu, 2005-03-10 at 22:58, Mahesh S Kudva wrote:
> Hi All
>
> Running on MacOS X Panther, I cannot run freeradius as a daemon. I am forced to run it in debugging mode. Log files are also not updated. Any inputs are welcome.
>
> Thanks in advance
> Mahesh S Kudva
> ---
> Robosoft Technologies - Partners in Product Development

--
Nick Bright
Terraworld, Inc
888-332-1616 x315
http://home.terraworld.net
Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950
Michael Schwartzkopff wrote:
> > Thanks for the help, but my switch doesn't know this command. Is it possible that IOS 12.1(11)EA does not support VLAN assignment with 802.1x?
>
> Yes. Be careful with the IOS versions. Older versions do not have this feature implemented. You have to install a quite new IOS. I also had problems with a 2950. No problem with a new IOS and a 3550.

Has anyone implemented a setup where e.g. Tunnel-Type and VLAN information are stored in LDAP instead of in the users file?

Vladimir
Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950
On Friday, 11 March 2005 15:40, Vladimir Vuksan wrote:
> Michael Schwartzkopff wrote:
> > > Thanks for the help, but my switch doesn't know this command. Is it possible that IOS 12.1(11)EA does not support VLAN assignment with 802.1x?
> >
> > Yes. Be careful with the IOS versions. Older versions do not have this feature implemented. You have to install a quite new IOS. I also had problems with a 2950. No problem with a new IOS and a 3550.
>
> Has anyone implemented a setup where e.g. Tunnel-Type and VLAN information are stored in LDAP instead of in the users file?
>
> Vladimir

Yes, I did. I also wrote an article about it, which was published in Linux Magazin in both the German and the English version. Please mail your private address and I can help you further.

misch (sobachka) multinet dot de

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Re: Exec-Program in acct_users doesn't work
> Hi, I have a problem with Accounting-script-execution in raddb/acct_users:
>
> DEFAULT Acct-Status-Type == Stop
>         Exec-Program = "echo PRUEBA > /home/pru.txt"

I don't know if you can do it like that. You could try writing a script such as this:

#!/bin/sh
/bin/echo PRUEBA > /home/pru.txt

Or, if you are intending to do something else with that, this will show you all the variables passed to it:

#!/bin/sh
/usr/bin/printenv > /home/variables.txt

Then call that script instead:

Exec-Program = /path/to/yourscript.sh
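The reason the original Exec-Program line writes nothing is that FreeRADIUS runs the program itself, not through a shell: the command line is split into arguments, so the ">" reaches echo as a literal argument instead of redirecting output, and the debug line "Exec-Program: echo PRUEBA > /home/pru.txt" is the server telling you it ran exactly that. A wrapper script is the right fix, and because the server hands the request attributes to the program as environment variables (attribute name upper-cased with "-" replaced by "_", so Acct-Status-Type becomes ACCT_STATUS_TYPE and User-Name becomes USER_NAME, the same thing the printenv script above would show), the wrapper can log something more useful than a fixed string. The Python below is an added example, not code from the post or from FreeRADIUS; the log path /var/log/radius/acct-stop.log and the set of recorded attributes are assumptions, and the attribute names are the ones visible in the debug output of the original post. It writes one JSON line per Stop record, which keeps a hostile User-Name or Calling-Station-Id from injecting a fake line into the log.

```python
#!/usr/bin/env python3
"""Accounting-Stop logger for use as a FreeRADIUS Exec-Program (added example).

FreeRADIUS executes the Exec-Program command without a shell, so a ">" in the
acct_users line is just another argument to echo. Do the file handling here
instead. The server exports each request attribute to the program as an
environment variable: name upper-cased with "-" turned into "_"
(User-Name -> USER_NAME), value as printed by radiusd -X."""
import json
import os
import sys
import time

LOG_PATH = "/var/log/radius/acct-stop.log"   # assumption, not a FreeRADIUS default

# Attributes worth keeping from a Stop record; all of them appear in the
# debug output of the original post.
WANTED = (
    "User-Name", "Acct-Status-Type", "Acct-Session-Id", "Acct-Session-Time",
    "Acct-Input-Octets", "Acct-Output-Octets", "Acct-Terminate-Cause",
    "NAS-IP-Address", "NAS-Port", "Calling-Station-Id",
)
COUNTERS = ("Acct-Session-Time", "Acct-Input-Octets", "Acct-Output-Octets")

def env_name(attr):
    """RADIUS attribute name -> environment variable name the server uses."""
    return attr.upper().replace("-", "_")

def collect(environ):
    """Pick the wanted attributes out of an environment mapping (None if absent)."""
    return {attr: environ.get(env_name(attr)) for attr in WANTED}

def record(attrs, now=None):
    """One Stop record as a single JSON line. Counters become integers;
    json.dumps escapes newlines and quotes, so a User-Name chosen by the
    client cannot forge an extra line in the log."""
    out = {"ts": int(time.time() if now is None else now)}
    out.update(attrs)
    for key in COUNTERS:
        if out.get(key) is not None and out[key].isdigit():
            out[key] = int(out[key])
    return json.dumps(out, sort_keys=True)

def main(argv):
    path = argv[1] if len(argv) > 1 else LOG_PATH
    attrs = collect(os.environ)
    if attrs["Acct-Status-Type"] != "Stop":
        return 0                   # acct_users already matched Stop; belt and braces
    with open(path, "a") as fh:    # append from here; no shell redirect needed
        fh.write(record(attrs) + "\n")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it with a plain path and no arguments, e.g. Exec-Program = /usr/local/sbin/acct-stop.py (a hypothetical location), and make the file executable; radiusd -X will still print the "Exec-Program:" line, and the JSON log will now fill up on every Stop.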
Question on Logging
Morning all.

I believe I read not too long ago on the list a thread concerning logging failed logins and the reasons for the failure so that tech support personnel could assist customers? I do not recall the eventual outcome and/or solution, if any.

So, here is a more direct question for logging errors. We currently log the errors to our syslog. We monitor the log via a web interface so that our tech support can see when and why a customer is not getting a successful login, e.g. wrong username, puts in CAPS, adds spaces and the like, and repeated efforts to hack into our system.

Is there a way to log only the failed attempts and the reason to a log so we can continue to have a quick and easy way to assist customers with failed logins as indicated above?

Thanks
Dallas
Re: Question on Logging
On Fri, 11 Mar 2005, Data Processing Fone Net wrote:
> Morning all.
>
> I believe I read not too long ago on the list a thread concerning logging failed logins and the reasons for the failure so that tech support personnel could assist customers? I do not recall the eventual outcome and/or solution, if any.
>
> So, here is a more direct question for logging errors. We currently log the errors to our syslog. We monitor the log via a web interface so that our tech support can see when and why a customer is not getting a successful login, e.g. wrong username, puts in CAPS, adds spaces and the like, and repeated efforts to hack into our system.
>
> Is there a way to log only the failed attempts and the reason to a log so we can continue to have a quick and easy way to assist customers with failed logins as indicated above?

See the log_badlogins script in dialupadmin.

> Thanks
> Dallas

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Validating using EAP TLS
We are using FreeRADIUS Version 1.0.2, for host , built on Feb 23 2005 at 15:02:37

We are trying to validate a client XP machine using EAP-TLS. We used OpenSSL 0.9.7a Feb 19 2003 to generate the certs. I think we have everything configured correctly. We followed the FreeRADIUS EAP/TLS - WinXP HOWTO at http://www.alphacore.net/contrib/nantes-wireless/eap-tls-HOWTO.html

We still do not get a connection. Following is an excerpt from radiusd -X. Can anyone give me an idea what is going on?

Thanks in advance!

Bill Stewart :-)
Kaman Corporation
1332 Blue Hills Avenue
Bloomfield, Connecticut, 06002
(860) 243-7058

rad_recv: Access-Request packet from host 149.158.3.250:1598, id=179, length=69
        User-Name = 00-01-f4-ec-97-29
        User-Password = NOPASSWORD
        NAS-IP-Address = 149.158.3.250
        NAS-Port = 2
rad_rmspace_pair: User-Password now 'NOPASSWORD'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 34
  modcall[authorize]: module preprocess returns ok for request 34
  modcall[authorize]: module chap returns noop for request 34
  modcall[authorize]: module mschap returns noop for request 34
    rlm_realm: No '@' in User-Name = 00-01-f4-ec-97-29, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 34
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 34
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module files returns ok for request 34
modcall: group authorize returns ok for request 34
  rad_check_password: Found Auth-Type System
auth: type System
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 34
  modcall[authenticate]: module unix returns notfound for request 34
modcall: group authenticate returns notfound for request 34
auth: Failed to validate the user.
Login incorrect: [00-01-f4-ec-97-29/NOPASSWORD] (from client wapcor001 port 2)
rad_lowerpair: User-Name now '00-01-f4-ec-97-29'
rad_rmspace_pair: User-Name now '00-01-f4-ec-97-29'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 34
  modcall[authorize]: module preprocess returns ok for request 34
  modcall[authorize]: module chap returns noop for request 34
  modcall[authorize]: module mschap returns noop for request 34
    rlm_realm: No '@' in User-Name = 00-01-f4-ec-97-29, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 34
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 34
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module files returns ok for request 34
modcall: group authorize returns ok for request 34
  rad_check_password: Found Auth-Type System
auth: type System
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 34
  modcall[authenticate]: module unix returns notfound for request 34
modcall: group authenticate returns notfound for request 34
auth: Failed to validate the user.
Login incorrect: [00-01-f4-ec-97-29/NOPASSWORD] (from client wapcor001 port 2)
Delaying request 34 for 1 seconds
Finished request 34
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 179 to 149.158.3.250:1598
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 149.158.3.250:1599, id=180, length=108
        Message-Authenticator = 0x37d8f90a68b1ec4c01b9e2733740fd0f
        User-Name = kmnradius
        NAS-IP-Address = 149.158.3.250
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = 00-01-f4-ec-97-29
        EAP-Message = 0x0201000e016b6d6e726164697573
        Framed-MTU = 1000
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 35
  modcall[authorize]: module preprocess returns ok for request 35
  modcall[authorize]: module chap returns noop for request 35
  modcall[authorize]: module mschap returns noop for request 35
    rlm_realm: No '@' in User-Name = kmnradius, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 35
  rlm_eap: EAP packet type response id 1 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 35
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module files returns ok for request 35
modcall: group authorize returns updated for request 35
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 35
  rlm_eap:
Radius, Cisco 1600 and Windows Clients
Dear List,

I apologize if this issue has been discussed, but I couldn't find any docs that help me out.

I have a network with a cisco 1601R connected to the Internet and a radius server (simply an ethernet switch with windows workstations, the router and the server running freeradius). I'm trying to configure the cisco so that clients dial in to it, the cisco validates the user and password with the radius, and if everything is ok, it opens the door to that client for accessing the Internet.

I've based my freeradius installation on http://www.frontios.com/freeradius.html so the server is running ok and the tests show me that it's validating as I need. The communication between the router and the server is also ok. The big problem is between the NAS and the clients. I read almost everything I've found on cisco about VTI, VPDN, PPP, AAA and RADIUS, but I cannot make it work... Besides, I'm not sure about what kind of windows client I should use (pppoe as an ADSL connection, or VPN with the ip of the router to dial in).

I'll appreciate any comment, or perhaps you know a good howto or something that I could read.

THANKS IN ADVANCE!!!

Sincerely,
Agustín
Re: how to enable EAP-TTLS inner PAP
TAYLAN KIRAN [EMAIL PROTECTED] wrote:
> You say we only need to enable EAP-TTLS, but it does not work. You can find the debug log as follows.
> ...
>     users: Matched entry deneme at line 152
>   modcall[authorize]: module files returns ok for request 4
> modcall: group authorize returns ok for request 4
>   rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 4
>   rlm_eap: EAP-Message not found
>   rlm_eap: Malformed EAP Message
>   modcall[authenticate]: module eap returns fail for request 4
> modcall: group authenticate returns fail for request 4

You are setting Auth-Type := EAP in line 152 of the users file. DO NOT DO THAT. IT IS NOT NECESSARY.

Please read eap.conf. It EXPLAINS THIS.

Alan DeKok.
Re: Validating using EAP TLS
Stewart, Bill [EMAIL PROTECTED] wrote:
> We still do not get a connection. Following is an excerpt from radiusd -X. Can anyone give me an idea what is going on?

The client isn't doing EAP-TLS. There's no mention of it in the debug log.

>   rad_check_password: Found Auth-Type System
> auth: type System
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 34
>   modcall[authenticate]: module unix returns notfound for request 34

The user 00-01-f4-ec-97-29 is not in /etc/passwd. I'm not surprised.

Alan DeKok.
Re: Validating using EAP TLS
This line:

Login incorrect: [00-01-f4-ec-97-29/NOPASSWORD] (from client wapcor001 port

seems to me to mean that the authenticating workstation lacks an account in the users file. Try adding the user id 00-01-f4-ec-97-29 with password NOPASSWORD to the users file.
RE: Validating using EAP TLS
Alan,

Thanks! Here is a better excerpt. The "00-01-f4-ec-97-29 is not in /etc/passwd" is from the section trying to validate by MAC address. We need this to validate printers.

rad_recv: Access-Request packet from host 149.158.3.250:1651, id=232, length=108
        Message-Authenticator = 0x26921ca4713a8050cfbd9339f8341564
        User-Name = kmnradius
        NAS-IP-Address = 149.158.3.250
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = 00-01-f4-ec-97-29
        EAP-Message = 0x0201000e016b6d6e726164697573
        Framed-MTU = 1000
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 31
  modcall[authorize]: module preprocess returns ok for request 31
  modcall[authorize]: module chap returns noop for request 31
  modcall[authorize]: module mschap returns noop for request 31
    rlm_realm: No '@' in User-Name = kmnradius, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 31
  rlm_eap: EAP packet type response id 1 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 31
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module files returns ok for request 31
modcall: group authorize returns updated for request 31
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 31
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 31
modcall: group authenticate returns handled for request 31
Sending Access-Challenge of id 232 to 149.158.3.250:1651
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0x5599c28ab72f3dfde79ae5c18602a18a
Finished request 31
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

Thanks,
Bill

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 11, 2005 1:20 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Validating using EAP TLS

> Stewart, Bill [EMAIL PROTECTED] wrote:
> > We still do not get a connection. Following is an excerpt from radiusd -X. Can anyone give me an idea what is going on?
>
> The client isn't doing EAP-TLS. There's no mention of it in the debug log.
>
> >   rad_check_password: Found Auth-Type System
> > auth: type System
> > Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 34
> >   modcall[authenticate]: module unix returns notfound for request 34
>
> The user 00-01-f4-ec-97-29 is not in /etc/passwd. I'm not surprised.
>
> Alan DeKok.
Duplicate Record in radacct
Hi,

I am using mysql to store all calling history from the cisco NAS. I have a problem with duplicate records in my radacct table, but the AcctSessionId is always different for each duplicated record. Here is what I am getting in my radacct:

386  8e30580b-7-dff63424V1
385  8e30580b-7-dff63424T1

Here is the sqltrace log:

INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
  values('bda61098-8-aee1424T1', 'cd546ec681ab2320', '123456', '', '212.77.213.111', '', 'Async', '2005-03-11 21:58:58', '0', '0', '', '', '', '0', '0', '0097776560455', '123456', '', 'Login-User', '', '', '0', '0');

INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
  values('bda61098-8-aee1424V1', 'ab1b56ec4d2aaa26', '123456', '', '212.77.213.111', '', 'Async', '2005-03-11 21:58:58', '0', '0', '', '', '', '0', '0', '0097776560455', '123456', '', 'Login-User', '', '', '0', '0');

UPDATE radacct SET AcctStopTime = '2005-03-11 21:59:03', AcctSessionTime = '0', AcctInputOctets = '152', AcctOutputOctets = '300', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = ''
  WHERE AcctSessionId = 'bda61098-8-aee1424V1' AND UserName = '123456' AND NASIPAddress = '212.77.213.111';

UPDATE radacct SET AcctStopTime = '2005-03-11 21:59:03', AcctSessionTime = '0', AcctInputOctets = '152', AcctOutputOctets = '300', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = ''
  WHERE AcctSessionId = 'bda61098-8-aee1424T1' AND UserName = '123456' AND NASIPAddress = '212.77.213.111';

Please help me with how I can stop one of the records.
Re: radzap...
Radius wrote:
> Sure does. We use it from time to time, when our wholesale connections don't send a good disconnect.
>
> radzap IP-Address S:port [EMAIL PROTECTED]
> ...

Hum ... Not working..

[EMAIL PROTECTED] root]# radwho
Login              Name                What   TTY   When       From       Location
[EMAIL PROTECTED]  dcmwaiATocesb.com.  shell  S145  Thu 18:05  192.168.0
[EMAIL PROTECTED] root]# radzap 192.168.0.16 S:S145 [EMAIL PROTECTED]
Sat Mar 12 03:19:07 2005 : Info: Starting - reading configuration files ...
[EMAIL PROTECTED] root]# radwho
Login              Name                What   TTY   When       From       Location
[EMAIL PROTECTED]  dcmwaiATocesb.com.  shell  S145  Thu 18:05  192.168.0
[EMAIL PROTECTED] root]#

Any idea/guide?

Regards
Chan Min Wai

Chan Min Wai wrote:
> Hello all,
>
> I found that this script isn't working for me, so I wonder if this script is still working?
>
> What does this script check anyway? Does this script need checkrad to work?
>
> Just wondering if anyone has a guide to patch checkrad to work with another OID via SNMP?
>
> regards.
> Thank You
> Chan Min Wai
Re: Validating using EAP TLS
Stewart, Bill [EMAIL PROTECTED] wrote:
> Thanks! Here is a better excerpt.

EAP-TLS involves many, many packets going back and forth for one login session. You've only shown one packet, and there are no errors visible in it.

Alan DeKok.
user list, update and get user info
Hi,

I have configured the freeRADIUS server on a box B, and I have configured pam on another box A, so that all logins to box A will be authenticated by the radius server (running on box B).

1) I want to get the list of all users configured in a radius server, maybe using pam or some other scripts running on B. Is it possible? If so, how do I do that?

2) Can I add/delete/modify a radius user from my module running on A?

3) I am running an application on box A which needs authentication and authorization (which will be sent to the radius server running on B). Now, for a particular user, my module on A sends a request to the radius server running on B. The radius server on B should authenticate the user and send back the credential (information like whether the user has admin privilege or not, etc.) to my module on A. Is it possible? If so, how can I do that?

Thanks in advance,
Regards,
Arupam
WPA EAP-PEAP and OS X client problem
I have set up FreeRADIUS with PEAP. I tried logging in with a Mac OS X client, however it keeps telling me

eapolclient[4468]: eapmschapv2_success_request: invalid server auth response

What is confusing is that rlm_eap_peap returns SUCCESS.

modcall: group authenticate returns ok for request 15
  PEAP: Got tunneled reply RADIUS code 2
        EAP-Message = 0x03070004
        Message-Authenticator = 0x
        User-Name = testuser
  PEAP: Processing from tunneled session code 0x8114900 2
        EAP-Message = 0x03070004
        Message-Authenticator = 0x
        User-Name = testuser
  PEAP: Tunneled authentication was successful.
  rlm_eap_peap: SUCCESS
  modcall[authenticate]: module eap returns handled for request 15
modcall: group authenticate returns handled for request 15
Sending Access-Challenge of id 0 to 192.168.1.56:2051
        EAP-Message = 0x0108002a1900170301001f626d085b50da9850c44b9b8394e4a675f1e1d57a9522d14a19191cd2dec1a3
        Message-Authenticator = 0x
        State = 0x88988c2d95089a7dda42900570faeef3
Finished request 15

My configuration is as follows:

eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                private_key_password =
                private_key_file = /etc/freeradius/cert.pem
                certificate_file = /etc/freeradius/cert.pem
                CA_file = /etc/ldap/ca.crt
                dh_file = ${raddbdir}/certs/dh
                random_file = /dev/urandom
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}

Any clues?

Vladimir
Logging details for failed logins
Hi,

running FR 1.0.1 with mysql, I'm still looking for some method to log failed logins with reasonably descriptive error messages.

Now, the postauth_query only gives me Access-Reject, and the zero-session-length radacct entries only have User-Error expanded from %{Acct-Terminate-Cause}.

Isn't there any variable I can use in sql.conf to log the messages I get in radius.log (Login incorrect, Home server says so, Auth: Outside allowed timespan etc.) in either radacct or radpostauth?

Michael
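Both this post and the "Question on Logging" thread above ask for the same thing: a record of failed logins with the reason, readable by support staff. Until that lands in SQL, radius.log already carries it, one line per failure in the shape "<date> : Auth: Login incorrect[ (reason)]: [user/password] (from client NAME port N)", which is the same "Login incorrect: [.../NOPASSWORD] (from client wapcor001 port 2)" line visible in the EAP-TLS thread above. The Python below is an added example, not FreeRADIUS code and not the dialupadmin log_badlogins script: it parses such lines, keeps the username exactly as typed so support can spot caps lock and stray spaces, counts repeated failures per account, and deliberately drops the password. The sample log lines are constructed for the example. One caveat worth acting on: the password only appears in radius.log because log_auth_badpass = yes is set in radiusd.conf, so if a web front-end shows that log to support staff, either turn the option off or filter the password out as this code does.

```python
import re
from collections import Counter

# Shape of a FreeRADIUS 1.x radius.log line: "<ctime> : <Level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
# "Login incorrect[ (reason)]: [user[/password]] (from client NAME port N ...)"
FAIL_RE = re.compile(
    r"^Login incorrect(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]/]*)(?:/(?P<pw>[^\]]*))?\] \(from client (?P<client>\S+) port (?P<port>\d+)")

# Constructed sample, not taken from any poster's log.
SAMPLE_LOG = """\
Fri Mar 11 09:24:00 2005 : Auth: Login OK: [dallas] (from client nas1 port 12)
Fri Mar 11 09:24:31 2005 : Auth: Login incorrect: [DALLAS/Secret1] (from client nas1 port 12)
Fri Mar 11 09:25:02 2005 : Auth: Login incorrect: [dallas /Secret1] (from client nas1 port 12)
Fri Mar 11 09:26:10 2005 : Auth: Login incorrect (Home Server says so): [bob@isp.example/x] (from client nas2 port 3)
Fri Mar 11 09:26:11 2005 : Auth: Login incorrect: [admin/123456] (from client nas2 port 3)
Fri Mar 11 09:26:12 2005 : Auth: Login incorrect: [admin/password] (from client nas2 port 3)
Fri Mar 11 09:26:13 2005 : Auth: Login incorrect: [admin/letmein] (from client nas2 port 3)
Fri Mar 11 09:26:14 2005 : Info: Ready to process requests.
"""

def parse_failures(lines):
    """Return one dict per failed login. The password is discarded; only the
    fact that the server wrote one (log_auth_badpass = yes) is kept."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or m.group("level") != "Auth":
            continue
        f = FAIL_RE.match(m.group("msg"))
        if not f:
            continue                        # "Login OK" and other Auth lines
        user = f.group("user")
        hints = []                          # what support should tell the customer
        if user != user.lower():
            hints.append("caps lock?")
        if user != user.strip() or " " in user:
            hints.append("whitespace in username")
        events.append({
            "ts": m.group("ts"),
            "user": user,                   # exactly as typed, for support
            "client": f.group("client"),
            "port": int(f.group("port")),
            "reason": f.group("reason") or "bad username or password",
            "password_logged": f.group("pw") is not None,
            "hints": hints,
        })
    return events

def repeat_offenders(events, threshold=3):
    """Accounts with at least `threshold` failures, matched case- and
    whitespace-insensitively so a customer's typos and a guessing attack
    against the same account are both counted together."""
    counts = Counter(e["user"].strip().lower() for e in events)
    return {u: n for u, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG.splitlines())
    for e in failures:
        print(e["ts"], e["client"], repr(e["user"]), e["reason"], e["hints"])
    print("repeat failures:", repeat_offenders(failures))
```

Run against the real file with parse_failures(open("/var/log/radius/radius.log")); the reason field is whatever the server put in parentheses, so proxy rejections ("Home Server says so") and module messages come through unchanged.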
Re: radzap...
Radius wrote:
> Radzap is mainly for the stale radwho entries that are not there but still show as logged in.

Yep, that user is already logged out due to a power cycle/reboot of the NAS. So radzap is the right tool to get the zombie users off radius.

> radwho first to see the one you want.
> then do a radwho -r to get the details.
>
> radzap 111.111.111.111 S560 [EMAIL PROTECTED]

Ok, it is not working.

111.111.111.111 is the NAS switch IP.
S560 is the Connection Port.
[EMAIL PROTECTED] is the user login name.

Well, any other debug message or anything I should do before continuing? I really want to get this function working...

Regards,
Thank you
Chan Min Wai
Re: post-auth
Dustin Doris wrote:
> On Wed, 2 Mar 2005, Chan Min Wai wrote:
> > Chan Min Wai wrote:
> > > Dustin Doris wrote:
> > > > the variables for this script are
> > > > 1) the NAS ip (the dhcp object class)
> > > > 2) the Client MAC address
> > > > 3) the ip address from ippool
> > > > 4) the subnet from the ippool
> > >
> > > Strange ... I've solved it this way...
> > >
> > > exec test {
> > >         wait = yes
> > >         program = /bin/bash /usr/local/bin/test %{Calling-Station-Id} %{NAS-IP-Address}
> > >         input_pairs = reply
> > >         output_pairs = reply
> > > }
> > >
> > > /usr/local/bin/test
> > >
> > > #!/usr/bin/bash
> > > # testing script
> > > printenv > /tmp/exec-program-wait
> > > echo $FRAMED_IP_ADDRESS $FRAMED_IP_NETMASK > /tmp/radtest
> > > echo $1 >> /tmp/radtest
> > > echo $2 >> /tmp/radtest
> > > exit
> > >
> > > cat /tmp/radtest
> > > 192.168.0.206 255.255.255.0
> > > 00-11-09-5f-a9-8b
> > > 192.168.0.16
> > >
> > > Interesting :)
> > > Is this the right way?
>
> That will work, good idea.

Will post a better version which will also have the removal from dhcpd there... So hold on for a while.. :)
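A follow-up to the script quoted above, written as an added example rather than the "better version" the poster promised: with input_pairs = reply, rlm_exec passes the reply attributes to the program in its environment, which is why FRAMED_IP_ADDRESS and FRAMED_IP_NETMASK are available, and the MAC and NAS address arrive as $1 and $2 from the %{Calling-Station-Id} and %{NAS-IP-Address} expansions. Anything written into a dhcpd configuration from those values has to be validated first: Calling-Station-Id is supplied by the client, so a value containing ";" or "}" could otherwise inject arbitrary dhcpd directives. The Python below is not FreeRADIUS code; the /etc/dhcpd.radius.d directory and the per-host file name are assumptions, and the host block is standard ISC dhcpd syntax. Because output_pairs = reply makes the server parse the program's stdout as reply attributes, the script prints nothing on success and reports problems on stderr.

```python
#!/usr/bin/env python3
"""rlm_exec helper: turn a RADIUS-assigned address into an ISC dhcpd host entry.
Added example, not FreeRADIUS code. Meant to be configured as
    program = /usr/local/bin/radius2dhcp %{Calling-Station-Id} %{NAS-IP-Address}
with input_pairs = reply, so the reply attributes arrive in the environment."""
import ipaddress
import os
import re
import sys

OUT_DIR = "/etc/dhcpd.radius.d"   # assumption: a directory that dhcpd.conf includes

def normalise_mac(station_id):
    """Accept 00-11-09-5f-a9-8b, 00:11:09:5f:a9:8b or 0011.095f.a98b and return
    the colon form dhcpd expects. Anything that is not exactly 12 hex digits
    after separator removal is rejected, which also rejects ';', '}' and
    newlines that could smuggle extra dhcpd directives into the file."""
    digits = re.sub(r"[-:.]", "", station_id.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % station_id)
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def dhcp_host_entry(station_id, ip, netmask=None):
    """Build a dhcpd 'host' block; every interpolated value is validated first."""
    mac = normalise_mac(station_id)
    addr = ipaddress.IPv4Address(ip)            # raises ValueError on junk
    lines = [
        "host radius-%s {" % mac.replace(":", ""),
        "  hardware ethernet %s;" % mac,
        "  fixed-address %s;" % addr,
    ]
    if netmask:
        lines.append("  option subnet-mask %s;" % ipaddress.IPv4Address(netmask))
    lines.append("}")
    return "\n".join(lines)

def main(argv, environ):
    if len(argv) < 3:
        sys.stderr.write("usage: radius2dhcp <Calling-Station-Id> <NAS-IP-Address>\n")
        return 2
    ip = environ.get("FRAMED_IP_ADDRESS")
    if ip is None:
        sys.stderr.write("reply carries no Framed-IP-Address; nothing to do\n")
        return 1
    try:
        ipaddress.IPv4Address(argv[2])          # NAS address: validated even if unused
        mac = normalise_mac(argv[1])
        entry = dhcp_host_entry(mac, ip, environ.get("FRAMED_IP_NETMASK"))
    except ValueError as exc:
        sys.stderr.write("refusing to write dhcpd entry: %s\n" % exc)
        return 1
    path = os.path.join(OUT_DIR, "radius-%s.conf" % mac.replace(":", ""))
    with open(path, "w") as fh:
        fh.write(entry + "\n")
    return 0        # nothing on stdout: output_pairs = reply would parse it

if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

With wait = yes the exit status matters: returning 1 makes rlm_exec fail the section, so decide whether a malformed Calling-Station-Id should reject the session or only skip the dhcpd entry, and return 0 in the latter case.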
Re: radzap...
Maybe you need to (sometimes a ./) /usr/local/freeradius/bin/radzap etc.

Chan Min Wai wrote:
> Radius wrote:
> > Radzap is mainly for the stale radwho entries that are not there but still show as logged in.
>
> Yep, that user is already logged out due to a power cycle/reboot of the NAS. So radzap is the right tool to get the zombie users off radius.
>
> > radwho first to see the one you want.
> > then do a radwho -r to get the details.
> >
> > radzap 111.111.111.111 S560 [EMAIL PROTECTED]
>
> Ok, it is not working.
>
> 111.111.111.111 is the NAS switch IP.
> S560 is the Connection Port.
> [EMAIL PROTECTED] is the user login name.
>
> Well, any other debug message or anything I should do before continuing? I really want to get this function working...
>
> Regards,
> Thank you
> Chan Min Wai