peap works but peap + ldap doesn't work
Good morning, I hope you can resolve my problem. PEAP works without LDAP, but when I use LDAP with PEAP, it doesn't work!!

In the users file for PEAP (when I don't use LDAP):

    robert Auth-Type := EAP, User-Password == "azertyui"

In the users file I replace this line by

    robert Auth-Type := LDAP

because I use LDAP with PEAP. I put my password in my LDAP server, but PEAP doesn't work with LDAP? Why??

When I use EAP-TLS with LDAP, it works. If I put a bad cn="...", EAP-TLS works. Why?? See this:

    radius_xlat:  'cn=zer'          <- it is a bad cn
    radius_xlat:  'dc=chales,dc=net'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=chales,dc=net, with filter cn=zer
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
      modcall[authorize]: module "ldap" returns notfound for request 4
    modcall: group authorize returns updated for request 4
      rad_check_password:  Found Auth-Type EAP
    auth: type "EAP"
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 4
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/tls
      rlm_eap: processing type tls
      rlm_eap_tls: Authenticate
      rlm_eap_tls: processing TLS
    rlm_eap_tls: Received EAP-TLS ACK message
      rlm_eap_tls: ack handshake is finished
      eaptls_verify returned 3
      eaptls_process returned 3
      rlm_eap: Freeing handler
      modcall[authenticate]: module "eap" returns ok for request 4
    modcall: group authenticate returns ok for request 4
    Login OK: [clientrad/<no User-Password attribute>] (from client reseaulocal port 1 cli 000e359e910e)

I don't understand why EAP-TLS works, because there is a bad cn!!

Thank you very much for your help.
Authorizing nt-domain users of an Active Directory group
Hi list, that's my problem: I've been authenticating against an Active Directory server with just one domain correctly. But now I should authenticate users of different domains which are included in a group of the Active Directory. The users are from different domains; some of them belong to Active Directory and the others belong to different NT domains. The domains are managed by different domain controllers (trusted domains), so I just should authenticate with ntlm_auth and the option --domain. This all works fine: I can authenticate, but the problem is that I can't find the way to filter in my LDAP module in order to authorize. I would like to authorize just the members of a group, but I can't find the way to do it just with the user login and the group name, which are the data that I have. I have tried filtering in the next way:

    filter = ((DN=My group DN)(member=%{mschap:User-Name}))

But it doesn't work. Does anybody know if I can do it via any LDAP attribute? Any other idea?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Difference between authorize and authenticate
Good morning. What is the difference between authorize and authenticate? Because if authorize doesn't return ok but authenticate returns ok, EAP-TLS or PEAP can work! Is it normal? When the module "authorize" doesn't return ok, is it possible not to validate the users as "login ok: [client/no user password attribute] from ..."?

Thank you very much.
Strange authentication problem
Hello, I'm back with a very strange problem: it's not a problem of configuration, because I manage to authenticate users sometimes! I use the native 802.1X client of Win XP, and one time freeradius will authenticate the user directly (by asking Active Directory), and another time freeradius won't stop sending an Access-Challenge just after the first Access-Request (I let freeradius do this for a while to see what happened: 200 Access-Challenge requests and nothing else). My server worked fine for 2 hours this morning; I authenticated 5 users correctly without stopping the server, and at some moment it stopped at the Access-Challenge. Has someone already had this type of problem?? I don't know what I can do, as it works sometimes... I don't know either if it is due to the NAS, the server or the client!

Thank you,
Sylvain Clerc.
EAPOL with WinXP SP2 - long delay till authentication starts off
Hi, I'm using EAP-TLS machine certificates for authentication and VLAN determination against freeradius 1.0.2, over an HP 2524 / Cisco 2950 as authenticator. When connecting XP clients with machine certificates installed, it takes up to 60 sec or so till authentication starts. The delay with 2000 SP4 is slower; with XSupplicant there is no delay. I remember having read a registry tweak for this XP delay problem, but can't find the source again, even with Google ;-)

Thank you,
Mark Wasmer
Re: strange Exec-Program problem
Okay, copied the same script file to the RADIUS server's box. The same problem occurred:

    Error: Exec-Program: FAILED to execute

Does someone have a working setup similar to mine using the Exec-Program attribute?

    DB_server -- RADIUS_server -- NAS

Edgars

Alan DeKok wrote:
> Edgars [EMAIL PROTECTED] wrote:
>> On which machine is the script actually executed - on the one I'm running the RADIUS server on, or where the DB is located?
>
> On the RADIUS server.
>
> Alan DeKok.
Re: (no subject)
On Fri, 6 May 2005, Alan DeKok wrote:
> Babar Shafiq [EMAIL PROTECTED] wrote:
>> I know I can see the reject cause while running in debug mode, but I want to store the reject causes in a database or log them, so it will be helpful in future for support people, customer support etc., so they can inform users what the exact cause of the rejection is!!
>
> Then always run the server in debugging mode. Or, write scripts to log reasons for failure.
>
> Alan DeKok.

log_badlogins from the dialupadmin package will do what you want.

--
Kostas Kalevras, Network Operations Center, [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Cisco SIP Authentication
Hello, I am trying to register a Cisco SIP NAS using a MySQL db, but I could not. The Cisco log is saying: SecurityDenial. Here is the format of our Cisco AccessRequest:

    Mon May 09 12:01:21 2005, (204+538ae76f-150), Sent xxx.xxx.xxx.xxx:1812 Radius AccessRequest {
        session id = 99
        UserName: 1212
        NasIpAddress: xxx.xxx.xxx.xxx
        NasPortType: 0
        ServiceType: 1
        Cisco VSA( 1): xpgk-request-type=user
        Cisco VSA( 1): xpgk-sip-auth1=xxx.xxx.xxx.xxx
        Cisco VSA( 1): xpgk-sip-auth2=REGISTER:sip:80.231.14.197
        Cisco VSA( 1): [EMAIL PROTECTED]
        Cisco VSA( 1): xpgk-sip-auth4=200814479400a46bb3029d803e01e112
        SipDigestResponce: 200814479400a46bb3029d803e01e112
        SipAuth VSA( 1): xxx.xxx.xxx.xxx
        SipAuth VSA( 2): a6c5250051437f10801143ec6559@hatifservver3.hatifsss.com
        SipAuth VSA( 3): REGISTER
        SipAuth VSA( 4): sip:80.231.14.197
    }
    Mon May 09 12:01:24 2005, (204+538ae76f-150), Recv xxx.xxx.xxx.xxx:1812 Radius AccessReject {
        session id = 99
    }
    Mon May 09 12:01:24 2005, (204+538ae76f-150), Sent xxx.xxx.xxx.xxx:1721 H.225 registrationReject {
        requestSeqNum = 14120
        protocolIdentifier = 0.0.8.2250.0.2
        rejectReason = securityDenial null
        gatekeeperIdentifier = 4 characters { 006d 0065 0072 0061 softswitch }
    }

I searched in the mailing list, but no luck. It will be really appreciated if anyone has the solution.

Lateef
postgresql problem/question
I'm trying to use postgresql to store my radius data. I have most of it working except for a stored procedure to return the static routing/addressing information for a login. It tries to work, but I don't get the correct output in radtest.

    select * from generate_radreply('[EMAIL PROTECTED]');
       id   |     username      |     attribute     | op |  value
    --------+-------------------+-------------------+----+---------
     104032 | [EMAIL PROTECTED] | Framed-IP-Address | := | 1.2.3.4

When I run radtest:

    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=59, length=56
            Framed-IP-Address = 255.255.255.255
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Framed-Routing = Broadcast-Listen
            Framed-MTU = 1500
            Framed-Compression = Van-Jacobson-TCP-IP

The other reply items come from radgroupreply. When I run radiusd -X I see this in the logs:

    modcall[post-auth]: module sql returns ok for request 0
    modcall: group post-auth returns ok for request 0
    Sending Access-Accept of id 59 to 127.0.0.1:57298
            Framed-IP-Address BARE-WORD :=
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Framed-Routing = Broadcast-Listen
            Framed-MTU = 1500
            Framed-Compression = Van-Jacobson-TCP-IP
    Finished request 0

Any ideas why my data is not making it back?

Thanks,
dave

--
Dave Weis [EMAIL PROTECTED] http://www.internetsolver.com/
Usage of PEAP/MSCHAPv2 and Called-Station-Id in wireless LAN.
Dear sir,

I am constructing a wireless LAN system for office usage. In the system, I want to make available two types of access, one for guests and another for staff. To provide two types of access, I use APs which can handle multiple combinations of ESSID and tagged VLAN.

In the current state, I succeed with a wireless connection by PEAP/MSCHAPv2, with freeradius's users file below (FreeBSD 5.3 and pre-compiled freeradius-1.0.2).

    user-id    User-Password == "password_for_user-id"

To distinguish guest access and staff access on the system, I want to use the following users file, but it doesn't work.

    staff-id   User-Password == "password_for_staff", Called-Station-Id == "string_including_ssid-for-staff"
    guest-id   User-Password == "password_for_guest", Called-Station-Id == "string_including_ssid-for-guest"

In requests from the AP, Called-Station-Id = "string_including_ssid-for-*" is included exactly.

My questions are 1) is the combination of PEAP/MSCHAPv2 and Called-Station-Id allowed or not allowed in freeradius-1.0.2, and 2) if allowed, what can I do about the problem?

I tried many variations of *.conf and users files. Any kind of comments are appreciated.

Thank you.

H. Yamawaki
Re: strange Exec-Program problem
Hi Edgars, I use the Exec-Program attribute in my /etc/raddb/acct_users for extra features:

    DEFAULT Acct-Status-Type == Start
            Exec-Program = /bin/bash /usr/local/scripts/radius/radius.sh

Hope this helps.

Edgars wrote:
> Okay, copied the same script file to the RADIUS server's box. The same problem occurred:
>
>     Error: Exec-Program: FAILED to execute
>
> Does someone have a working setup similar to mine using the Exec-Program attribute?
>
>     DB_server -- RADIUS_server -- NAS
>
> Edgars
>
> Alan DeKok wrote:
>> Edgars [EMAIL PROTECTED] wrote:
>>> On which machine is the script actually executed - on the one I'm running the RADIUS server on, or where the DB is located?
>>
>> On the RADIUS server.
>>
>> Alan DeKok.

--
Regards
Jandre
Some people are alive only because it is illegal to kill them.
RE: strange Exec-Program problem
Hi, is it possible to have a username passed to the Exec-Program script on Accounting-Update packets?

Regards,
Edvin Seferovic

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jandre Olivier
Sent: Montag, 09. Mai 2005 15:25
To: freeradius-users@lists.freeradius.org
Subject: Re: strange Exec-Program problem

> Hi Edgars, I use the Exec-Program attribute in my /etc/raddb/acct_users for extra features:
>
>     DEFAULT Acct-Status-Type == Start
>             Exec-Program = /bin/bash /usr/local/scripts/radius/radius.sh
>
> Hope this helps.
>
> Edgars wrote:
>> Okay, copied the same script file to the RADIUS server's box. The same problem occurred:
>>
>>     Error: Exec-Program: FAILED to execute
>>
>> Does someone have a working setup similar to mine using the Exec-Program attribute?
>>
>>     DB_server -- RADIUS_server -- NAS
>>
>> Edgars
>>
>> Alan DeKok wrote:
>>> Edgars [EMAIL PROTECTED] wrote:
>>>> On which machine is the script actually executed - on the one I'm running the RADIUS server on, or where the DB is located?
>>>
>>> On the RADIUS server.
>>>
>>> Alan DeKok.
>
> --
> Regards
> Jandre
> Some people are alive only because it is illegal to kill them.
Re: IP Pools distributed on multiple FreeRADIUS Servers
On Sat, 7 May 2005, Nizar Shana'ah wrote:
> Hello all, I have two freeRADIUS servers; the second one is used for redundancy. How can I distribute the IP pools and have full redundancy? I am afraid of the conflicts that this may cause; I don't want them leasing the same IP to multiple clients when something happens and the other server is down.

See bug #46 http://bugs.freeradius.org/show_bug.cgi?id=46

rlm_ippool should also renew IP address leasing information on accounting-start packets to achieve full redundancy (as long as accounting relaying works fine). Right now the lease databases are only synchronized on accounting-stop packets, which means that a backup server *may* give out an IP already taken.

BR

--
Kostas Kalevras, Network Operations Center, [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
daily limit
Hello, I'm really happy my rlm_sqlcounter now runs as I hoped :-) But now I have another case: I have three voucher models. The 1st is for 4 hours and the voucher is valid for 2 days, the 2nd is 8 hours, valid for four days, the last is one day, valid for 24 hours. So when the user logs in, *maybe* the radius will log the user's start time and will close the session when the session is over the limit. How can I make it like that? What should I read? Please advise.

--
Best regards,
./avd mailto:[EMAIL PROTECTED]
Need to restrict group of users
I have two groups of users: adsl-1 accessing the network through the hunt-adsl-1 huntgroup and adsl-2 accessing the network through the hunt-adsl-2 huntgroup. I need to block adsl-2 users going through the hunt-adsl-1 huntgroup. I have this in the users file:

    DEFAULT Ldap-Group == disabled, Auth-Type := Reject
            Reply-Message = Account disabled. Please call the helpdesk.

    DEFAULT Huntgroup-Name == hunt-adsl-1, Ldap-Group == adsl-1, User-Profile := uid=adsl-1,ou=profiles,dc=domain,dc=net
            Fall-Through = no

    DEFAULT Huntgroup-Name == hunt-adsl-2, Ldap-Group == adsl-2, User-Profile := uid=adsl-2,ou=profiles,dc=domain,dc=net
            Fall-Through = no

    DEFAULT Auth-Type := Reject
            Reply-Message = Access Denied! You are not a PPP subscriber!

I need to make sure that this configuration works before I go online. I appreciate any help.

P4P
RE: daily limit
Hm... maybe you should set the SQL statements in your sqlcounter.conf file, which can usually be found in /etc/raddb or /usr/local/etc/raddb depending on the distribution... You can define the different counters for your vouchers that will count time or traffic by defining them in the file I mentioned... I don't know, but maybe you should take a look at /usr/share/doc/packages/freeradius/rlm_sqlcounter if you didn't already do that...

Regards,
Edvin Seferovic

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of avudz
Sent: Montag, 09. Mai 2005 16:03
To: freeradius-users@lists.freeradius.org
Subject: daily limit

> Hello, I'm really happy my rlm_sqlcounter now runs as I hoped :-) But now I have another case: I have three voucher models. The 1st is for 4 hours and the voucher is valid for 2 days, the 2nd is 8 hours, valid for four days, the last is one day, valid for 24 hours. So when the user logs in, *maybe* the radius will log the user's start time and will close the session when the session is over the limit. How can I make it like that? What should I read? Please advise.
>
> --
> Best regards,
> ./avd mailto:[EMAIL PROTECTED]
Re: peap works but peap + ldap doesn't work
dssd dsfdsfdsf wrote:
> Good morning, I hope you can resolve my problem. PEAP works without LDAP, but when I use LDAP with PEAP, it doesn't work!! In the users file for PEAP (when I don't use LDAP):
>
>     robert Auth-Type := EAP, User-Password == azertyui
>
> In the users file I replace this line by
>
>     robert Auth-Type := LDAP
>
> because I use LDAP with PEAP. I put my password in my LDAP server, but PEAP doesn't work with LDAP? Why??

The only way PEAP will work with LDAP is if you have the NT/LM hashes or plain-text passwords stored in the LDAP database. For example, if you used the Samba LDAP backend you would likely have NT/LM hashes. If you don't have NT/LM hashes or plain-text passwords you will need to use EAP-TTLS with PAP for inner-tunnel authentication. I have a write-up on how to set up FreeRADIUS with OpenLDAP at http://vuksan.com/linux/dot1x/802-1x-LDAP.html

Vladimir
Re: postgresql problem/question
Dave,

Not sure if I'll be much help on this one, but I'll do my best. In my radgroupreply I have Auth-Type := Local. I don't know if that will fix it or not. Also, I think freeradius had a file sql.conf that had to have stuff uncommented to get it to record certain info. Yours should be postgresql.conf. You also need to tell radiusd.conf to use that file if you haven't already. Have you been down through the radiusd.conf file to uncomment things in there too? I remember having to read over it and make changes there.

Hope this helps. If I think of anything else I'll let you know.

Nice activation interface. Also, when you get time today, give me a call. I want to get with you on the DSL lines for us and put together a plan of attack.

    SQL result
    Host: localhost
    Database: radius
    Generation Time: May 09, 2005 at 10:02 AM
    Generated by: phpMyAdmin 2.6.0-pl2 / MySQL 3.23.58
    SQL-query: SELECT * FROM `radgroupreply` LIMIT 0, 30;
    Rows: 8

    id  GroupName  Attribute           op  Value                prio
    1   dialin     Framed-Compression  :=  Van-Jacobsen-TCP-IP  0
    2   dialin     Framed-Protocol     :=  PPP                  0
    3   dialin     Service-Type        :=  Framed-User          0
    4   dialin     Auth-Type           :=  Local                0
    5   dialin     Framed-MTU          :=  1500                 0
    6   dialin     Session-Timeout     :=  14400                0
    7   dialin     Idle-Timeout        :=  1200                 0
    8   dialin     Port-Limit          :=  1                    0

----- Original Message -----
From: Dave Weis [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Monday, May 09, 2005 6:58 AM
Subject: postgresql problem/question

> I'm trying to use postgresql to store my radius data. I have most of it working except for a stored procedure to return the static routing/addressing information for a login. It tries to work, but I don't get the correct output in radtest.
>
>     select * from generate_radreply('[EMAIL PROTECTED]');
>        id   |     username      |     attribute     | op |  value
>     --------+-------------------+-------------------+----+---------
>      104032 | [EMAIL PROTECTED] | Framed-IP-Address | := | 1.2.3.4
>
> When I run radtest:
>
>     rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=59, length=56
>             Framed-IP-Address = 255.255.255.255
>             Service-Type = Framed-User
>             Framed-Protocol = PPP
>             Framed-Routing = Broadcast-Listen
>             Framed-MTU = 1500
>             Framed-Compression = Van-Jacobson-TCP-IP
>
> The other reply items come from radgroupreply. When I run radiusd -X I see this in the logs:
>
>     modcall[post-auth]: module sql returns ok for request 0
>     modcall: group post-auth returns ok for request 0
>     Sending Access-Accept of id 59 to 127.0.0.1:57298
>             Framed-IP-Address BARE-WORD :=
>             Service-Type = Framed-User
>             Framed-Protocol = PPP
>             Framed-Routing = Broadcast-Listen
>             Framed-MTU = 1500
>             Framed-Compression = Van-Jacobson-TCP-IP
>     Finished request 0
>
> Any ideas why my data is not making it back?
>
> Thanks,
> dave
>
> --
> Dave Weis [EMAIL PROTECTED] http://www.internetsolver.com/
Re: Need to restrict group of users
If you enable log_auth you will get an auth_detail... file that has the requests from adsl-1 and adsl-2 that you could use with radclient to verify that it will do what you want.

Make a backup of all files you were going to change. Make changes. (Like the old radiusd -X -p 1645.)

Modify radiusd.conf to change port = 0 to port = 1645, then:

    radiusd -X 2>&1 >RAD-test

Change back to port = 0.

    tail RAD-test

(Look for Ready; fix any errors {kill the test radiusd -X process} and repeat.)

    radclient -t1 radius.master:1645 auth SECRET data_from_auth_detail...

Look in RAD-test to see everything that happened.

On Mon, 2005-05-09 at 08:19, E L wrote:
> I have two groups of users: adsl-1 accessing the network through the hunt-adsl-1 huntgroup and adsl-2 accessing the network through the hunt-adsl-2 huntgroup. I need to block adsl-2 users going through the hunt-adsl-1 huntgroup. I have this in the users file:
>
>     DEFAULT Ldap-Group == disabled, Auth-Type := Reject
>             Reply-Message = Account disabled. Please call the helpdesk.
>
>     DEFAULT Huntgroup-Name == hunt-adsl-1, Ldap-Group == adsl-1, User-Profile := uid=adsl-1,ou=profiles,dc=domain,dc=net
>             Fall-Through = no
>
>     DEFAULT Huntgroup-Name == hunt-adsl-2, Ldap-Group == adsl-2, User-Profile := uid=adsl-2,ou=profiles,dc=domain,dc=net
>             Fall-Through = no
>
>     DEFAULT Auth-Type := Reject
>             Reply-Message = Access Denied! You are not a PPP subscriber!
>
> I need to make sure that this configuration works before I go online. I appreciate any help.
>
> P4P
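The reply above suggests replaying captured requests against a test server to confirm the users-file logic. As an added example (not from the thread and not FreeRADIUS code), here is a small model of how that users file is evaluated: entries are tried top to bottom, an entry applies only when all of its `==` check items match, its `:=` items and reply items are then applied, and processing stops unless `Fall-Through = yes`. The four entries are the poster's, with their values quoted; Ldap-Group membership is modelled as a set of group names on the request rather than a live LDAP lookup, so this is a simplified desk check of the ordering, not a substitute for running radclient against the real server.

```python
import re

# The poster's four entries, values quoted so the parser can read them (constructed for this example).
USERS_FILE = '''\
DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
        Reply-Message = "Account disabled. Please call the helpdesk."

DEFAULT Huntgroup-Name == "hunt-adsl-1", Ldap-Group == "adsl-1", User-Profile := "uid=adsl-1,ou=profiles,dc=domain,dc=net"
        Fall-Through = no

DEFAULT Huntgroup-Name == "hunt-adsl-2", Ldap-Group == "adsl-2", User-Profile := "uid=adsl-2,ou=profiles,dc=domain,dc=net"
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "Access Denied! You are not a PPP subscriber!"
'''

# attribute, operator, then either a quoted value or a bare word
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|=)\s*(?:"([^"]*)"|([^,\s]+))')


def parse_items(text: str) -> list:
    """Turn 'A == "x", B := y' into [(A, ==, x), (B, :=, y)]."""
    return [(m.group(1), m.group(2), m.group(3) if m.group(3) is not None else m.group(4))
            for m in ITEM_RE.finditer(text)]


def parse_users(text: str) -> list:
    """Split the file into entries: first line = name + check items, indented lines = reply items."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        name, _, rest = lines[0].partition(" ")
        replies = []
        for line in lines[1:]:
            replies.extend(parse_items(line))
        entries.append({"name": name, "checks": parse_items(rest), "replies": replies})
    return entries


def matches(attr: str, value: str, request: dict) -> bool:
    """Ldap-Group is a membership test here; everything else is a straight string compare."""
    if attr == "Ldap-Group":
        return value in request.get("Ldap-Group", set())
    return request.get(attr) == value


def evaluate(entries: list, request: dict) -> tuple:
    """Simplified users-file semantics: first matching entries apply, stop unless Fall-Through = yes."""
    control, reply = {}, {}
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
            continue
        if not all(matches(a, v, request) for a, op, v in entry["checks"] if op == "=="):
            continue
        for attr, op, value in entry["checks"]:
            if op == ":=":
                control[attr] = value          # e.g. Auth-Type, User-Profile
        fall_through = False
        for attr, op, value in entry["replies"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply[attr] = value
        if not fall_through:
            break
    decision = "reject" if control.get("Auth-Type") == "Reject" else "accept"
    return decision, control, reply


ENTRIES = parse_users(USERS_FILE)


def decide(user: str, huntgroup: str, groups: set) -> tuple:
    """Stand-in for one replayed Access-Request: who, via which huntgroup, in which LDAP groups."""
    return evaluate(ENTRIES, {"User-Name": user, "Huntgroup-Name": huntgroup, "Ldap-Group": groups})


if __name__ == "__main__":
    # Constructed test requests covering the cases the poster wants to be sure about.
    for user, hg, groups in (("alice", "hunt-adsl-1", {"adsl-1"}),
                             ("bob", "hunt-adsl-1", {"adsl-2"}),
                             ("bob", "hunt-adsl-2", {"adsl-2"}),
                             ("carol", "hunt-adsl-1", {"adsl-1", "disabled"})):
        print(user, hg, sorted(groups), "->", decide(user, hg, groups))
```

The interesting case is bob arriving via hunt-adsl-1 while only in adsl-2: neither profile entry matches, so the final catch-all DEFAULT rejects him with the "not a PPP subscriber" message, which is the behaviour the poster wants. Because the disabled check comes first and has no Fall-Through, a disabled account is rejected before any profile is assigned.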
Post-Proxy attr_rewrite based on an if condition
Hello, is there a way that I could add a new attribute if I receive a specific attribute from a proxy radius? For example: the proxy radius sends a packet which contains an Idle-Timeout of 30s. However, based on this condition I want to send a Session-Timeout of 180s. (There is a change in the actual attribute, not just the value, and the Idle-Timeout is not forwarded to the access server.)

    Modules {
        if(idle-timeout == 30){
            attr_rewrite test {
                searchfor =
                searchin = reply
                replacewith = 180
                new_attribute = yes
                attribute = Session-Timeout
            }
        }
    }

    post-proxy {
        test
    }

Thank you,
Wilhelm
Re: Need to restrict group of users
E L [EMAIL PROTECTED] wrote:
> I need to make sure that this configuration works before I go online. I appreciate any help.

Set up a test server, and run it in debugging mode.

Alan DeKok.
Re: Problems with 1.0.2
Paul Seaman [EMAIL PROTECTED] wrote:
> Hey, I'm trying to compile 1.0.2, and I get the following errors (snipped at the end for brevity) - it seems to be related to EAP. Is there a simple way to fix this, or maybe an easy way to tell it I'm not interested in the EAP module?

Delete the rlm_eap directory, and do ./configure, etc.

Alan DeKok.
Re: RadZap
Sarkis Gabriel [EMAIL PROTECTED] wrote:
> I have just checked out 1.0.2 and found out RadZap does not work. I even did what was said, to copy the radzap.c from CVS to 1.0.2 and compile it, but still no joy with radzap, and I do rely on that on a daily basis.

You couldn't have copied radzap.c from the CVS head to 1.0.2, because it doesn't exist in the CVS head. Copy radwho.c radzap.

Alan DeKok.
Re: Cisco SIP auth problem
Abdul Lateef [EMAIL PROTECTED] wrote:
> xpgk-sip-auth4=b493b44cd7875041c11b92e638f74b2d
>
> But the Radius is not responding for this request, and the log is showing SecurityDenial null

Posting the same message multiple times, and ignoring a previous answer, is rude.

Go ask your NAS vendor what this means. No one here knows.

Alan DeKok.
Re: Strange authentication problem
Sylvain Clerc [EMAIL PROTECTED] wrote:
> I use the native 802.1X client of Win XP, and one time freeradius will authenticate the user directly (by asking Active Directory), and another time freeradius won't stop sending an Access-Challenge just after the first Access-Request

FreeRADIUS does things only when the NAS asks. So if FreeRADIUS is sending Access-Challenges, it's because the NAS (or WinXP client) is asking it to.

For some reason, the client doesn't like the response from FreeRADIUS, and is starting the authentication process over from scratch. Find out why the client is doing this, and you will be able to solve the problem.

Alan DeKok.
Re: postgresql problem/question
Dave Weis [EMAIL PROTECTED] wrote:
> The other reply items come from radgroupreply. When I run radiusd -X I see this in the logs:
>
>     modcall[post-auth]: module sql returns ok for request 0
>     modcall: group post-auth returns ok for request 0
>     Sending Access-Accept of id 59 to 127.0.0.1:57298
>             Framed-IP-Address BARE-WORD :=

It looks like the SQL module is giving the wrong value to the create-attribute function. From looking at your example, your data doesn't match the schema FreeRADIUS expects.

>     select * from generate_radreply('[EMAIL PROTECTED]');
>        id   |     username      |     attribute     | op |  value

That should be

    ... attribute value op

See the SQL schema included with the server.

Alan DeKok.
Re: Usage of PEAP/MSCHAPv2 and Called-Station-Id in wireless LAN.
YAMAWAKI Hisashi [EMAIL PROTECTED] wrote:
> To distinguish guest access and staff access on the system, I want to use the following users file, but it doesn't work.

See the FAQ for problems like "it doesn't work".

> My questions are 1) is the combination of PEAP/MSCHAPv2 and Called-Station-Id allowed or not allowed in freeradius-1.0.2, and 2) if allowed, what can I do about the problem?

Yes, it's allowed. And since you didn't describe the problem, it's impossible to say what the solution is.

Alan DeKok.
Re: postgresql problem/question
Alan DeKok wrote:
> Dave Weis [EMAIL PROTECTED] wrote:
>> The other reply items come from radgroupreply. When I run radiusd -X I see this in the logs:
>>
>>     modcall[post-auth]: module sql returns ok for request 0
>>     modcall: group post-auth returns ok for request 0
>>     Sending Access-Accept of id 59 to 127.0.0.1:57298
>>             Framed-IP-Address BARE-WORD :=
>
> It looks like the SQL module is giving the wrong value to the create-attribute function. From looking at your example, your data doesn't match the schema FreeRADIUS expects.
>
>>     select * from generate_radreply('[EMAIL PROTECTED]');
>>        id   |     username      |     attribute     | op |  value
>
> That should be
>
>     ... attribute value op
>
> See the SQL schema included with the server.

I'm looking at db_postgresql.sql and see this:

    CREATE TABLE radreply (
        id        SERIAL PRIMARY KEY,
        UserName  VARCHAR(30) DEFAULT '' NOT NULL,
        Attribute VARCHAR(30),
        op        VARCHAR(2) NOT NULL DEFAULT '=',
        Value     VARCHAR(40)
    );

which is what I used for the layout. It looks the same in db_mysql.sql also. Is it position sensitive, or does it use column names?

Thanks,
dave
Incorrect NAS Name Being Sent By Client
I've installed freeradius-1.0.1-1.RHEL3 and have recently configured an RHAS 3.0 server as a radius client. I've configured the client server so ssh login requests will authenticate to a RADIUS server. Is there a configuration file I can edit so that my client will send the correct NAS name (client hostname) instead of the daemon (sshd) that's authenticating to the RADIUS server?

Thanks in advance!
Re: RadZap
Sorry, I meant radzap and radwho.c. I copied them both and did ./configure --with-experimental-modules and then make, but I noticed it broke during the make process, and that is what I got during the weekend.

    /usr/include/bits/socket.h:275: parse error before '' token
    In file included from /usr/include/_G_config.h:44,
                     from /usr/include/libio.h:32,
                     from /usr/include/stdio.h:72,
                     from ../include/libradius.h:30,
                     from ../include/radiusd.h:10,
                     from radwho.c:51:
    /usr/include/gconv.h: At top level:
    /usr/include/gconv.h:72: parse error before size_t
    /usr/include/gconv.h:88: parse error before size_t
    /usr/include/gconv.h:97: parse error before size_t
    /usr/include/gconv.h:174: parse error before size_t
    /usr/include/gconv.h:177: parse error before '}' token
    In file included from /usr/include/libio.h:32,
                     from /usr/include/stdio.h:72,
                     from ../include/libradius.h:30,
                     from ../include/radiusd.h:10,
                     from radwho.c:51:
    /usr/include/_G_config.h:47: field `__cd' has incomplete type
    /usr/include/_G_config.h:50: field `__cd' has incomplete type
    /usr/include/_G_config.h:52: confused by earlier errors, bailing out
    gmake[4]: *** [radwho.o] Error 1
    gmake[4]: Leaving directory `/root/freeradius-1.0.2/src/main'
    gmake[3]: *** [common] Error 1

Any ideas?

-- Original Message ---
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Mon, 09 May 2005 13:30:15 -0400
Subject: Re: RadZap

> Sarkis Gabriel [EMAIL PROTECTED] wrote:
>> I have just checked out 1.0.2 and found out RadZap does not work. I even did what was said, to copy the radzap.c from CVS to 1.0.2 and compile it, but still no joy with radzap, and I do rely on that on a daily basis.
>
> You couldn't have copied radzap.c from the CVS head to 1.0.2, because it doesn't exist in the CVS head. Copy radwho.c radzap.
>
> Alan DeKok.
--- End of Original Message ---
Re: postgresql problem/question
Dave Weis [EMAIL PROTECTED] wrote:

which is what I used for the layout. It looks the same in db_mysql.sql also. Is it position sensitive or does it use column names?

Hmm... The queries in SQL.conf select id, username, attribute, value, op. So it should work, unless you edited the queries. But the problem is still that the op field from SQL is being put into the value for the attribute, and vice-versa. Fix that, and the problem will go away.

Alan DeKok.
Re: Incorrect NAS Name Being Sent By Client
[EMAIL PROTECTED] wrote:

I've installed freeradius-1.0.1-1.RHEL3 and have recently configured an RHAS 3.0 server as a radius client.

Using... what as a radius client?

Is there a configuration file I can edit so that my client will send the correct NAS name (client hostname) instead of the daemon (sshd) that's authenticating to the RADIUS server?

Since you didn't say what RADIUS client you're using, I have no idea.

Alan DeKok.
Re: RadZap
Sarkis Gabriel [EMAIL PROTECTED] wrote:

Sorry, I meant radzap and radwho.c. I copied them both and did ./configure --with-experimental-modules and then make, but I noticed it broke during the make process, and this is what I got during the weekend.

shrug

Try grabbing a copy of the pre-release for 1.0.3 from CVS. See recent messages on the list for details.

Alan DeKok.
Re: RadZap
Sarkis Gabriel [EMAIL PROTECTED] wrote:

Just to confirm, is it this cvs command: cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -j release_1_0 radiusd

No.

That is the one I got, and I tried to compile it from scratch, but it fails on ./configure

I hate playing twenty questions.

Alan DeKok.
0 being added to every second line of Ascend data filter
This one has me curious. Do I have a config error? If so, where? When I use radtest I get the following.

[EMAIL PROTECTED] doc]# radtest fred wilma localhost:1812 17 testing123
Sending Access-Request of id 64 to 127.0.0.1:1812
        User-Name = fred
        User-Password = wilma
        NAS-IP-Address = radius.redlineservices.local
        NAS-Port = 17
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=64, length=216
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-MTU = 1500
        Idle-Timeout = 600
        Session-Timeout = 28800
        Ascend-Data-Filter = ip in forward tcp est
        Ascend-Data-Filter = ip in forward dstip 209.248.244.128/25 0
        Ascend-Data-Filter = ip in drop tcp dstport = 25
        Ascend-Data-Filter = ip in forward 0

Debug output from the server is the same.

rad_recv: Access-Request packet from host 127.0.0.1:32770, id=64, length=56
        User-Name = fred
        User-Password = wilma
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 17
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
  modcall[authorize]: module chap returns noop for request 3
  modcall[authorize]: module mschap returns noop for request 3
    rlm_realm: No '@' in User-Name = fred, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 3
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 3
radius_xlat: 'fred'
rlm_sql (sql): sql_set_user escaped user -- 'fred'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'fred' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'fred' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'fred' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'fred' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module sql returns ok for request 3
modcall: group authorize returns ok for request 3
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 3
rlm_sql (sql): Processing sql_postauth
radius_xlat: 'fred'
rlm_sql (sql): sql_set_user escaped user -- 'fred'
radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'fred', 'wilma', 'Access-Accept', NOW())'
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'fred', 'wilma', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
  modcall[post-auth]: module sql returns ok for request 3
modcall: group post-auth returns ok for request 3
Sending Access-Accept of id 64 to 127.0.0.1:32770
        Framed-Compression := Van-Jacobson-TCP-IP
        Framed-Protocol := PPP
        Service-Type := Framed-User
        Framed-MTU := 1500
        Idle-Timeout := 600
        Session-Timeout = 28800
        Ascend-Data-Filter += ip in forward tcp est
        Ascend-Data-Filter += ip in forward dstip 209.248.244.128/25 0
        Ascend-Data-Filter += ip in drop tcp dstport = 25
        Ascend-Data-Filter += ip in forward 0
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 64 with timestamp 427fb66a

If I query the output directly from my SQL I don't get the extra 0's being added.

mysql> SELECT radgroupreply.id, radgroupreply.Groupname, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply, usergroup WHERE usergroup.Username = 'fred' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id;
+----+-----------+--------------------+---------------------+----+
| id | Groupname | Attribute          | Value               | Op |
+----+-----------+--------------------+---------------------+----+
| 34 | dynamic   | Framed-Compression | Van-Jacobsen-TCP-IP | := |
| 35 | dynamic   | Framed-Protocol    | PPP                 | := |
| 36 | dynamic   | Service-type       | Framed-User         | := |
| 37 | dynamic
Re: Incorrect NAS Name Being Sent By Client
Sorry for the confusion. Using... what as a radius client? The client is a RedHat AS 3.0 box with freeradius-1.0.1-1.RHEL3 installed. When users attempt to ssh to the Redhat client it authenticates to a different RADIUS server. The RADIUS client is sending an incorrect NAS name to the RADIUS server. The NAS name that's being sent from the client to the server is that of the daemon (sshd) that's serving login requests on the client. Is there a configuration file I can edit so that my client will send the correct NAS name (client hostname) instead of the daemon (sshd)
Re: RadZap
To be honest, I have spent a lot of time working out CVS and I do not know how to check for the version on CVS. The only thing I found in the archive about CVS and 1.0.3 is the one below, posted a few days back, pointing out that it is the current candidate for the official 1.0.3 and it is called release_1_0. I know you don't like playing twenty questions, but if I had not tried, I would not be asking. I just need to get this new system compiled and working so I can drop version 0.9.3.

Thank you once more,
Sarky

-- Original Message ---
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Mon, 09 May 2005 14:53:24 -0400
Subject: Re: RadZap

Sarkis Gabriel [EMAIL PROTECTED] wrote:

Just to confirm, is it this cvs command: cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -j release_1_0 radiusd

No.

That is the one I got, and I tried to compile it from scratch, but it fails on ./configure

I hate playing twenty questions.

Alan DeKok.
--- End of Original Message ---
Re: postgresql problem/question
Alan DeKok [EMAIL PROTECTED] said:

Dave Weis [EMAIL PROTECTED] wrote:

which is what I used for the layout. It looks the same in db_mysql.sql also. Is it position sensitive or does it use column names?

Hmm... The queries in SQL.conf select id, username, attribute, value, op. So it should work, unless you edited the queries. But the problem is still that the op field from SQL is being put into the value for the attribute, and vice-versa. Fix that, and the problem will go away.

I changed the format of the records that I was returning to match what you described and it seems to be working.

Thanks
dave

-- 
Dave Weis
Internet Solver, Inc
http://www.internetsolver.com/
Re: RadZap
Sarkis Gabriel [EMAIL PROTECTED] wrote:

To be honest, I have spent a lot of time working out CVS and I do not know how to check for the version on CVS. The only thing I found in the archive about CVS and 1.0.3 is the one below, posted a few days back, pointing out that it is the current candidate for the official 1.0.3 and it is called release_1_0.

It will work if you follow the instructions in that message.

I know you don't like playing twenty questions, but if I had not tried, I would not be asking. I just need to get this new system compiled and working so I can drop version 0.9.3.

I would like to be able to help you, but you keep saying "something went wrong", and giving NO information. I'm not a mind reader, and I *hate* having to play the twenty questions game.

If you want someone to help you, then give them enough information so that they can understand what you're doing. If you don't, then you're forcing people to ask you question after question of "OK, and what EXACTLY went wrong?" If you never say anything other than "something went wrong", then no one will be able to help you. Ever. And no one will want to help you, either.

Alan DeKok.
Re: Incorrect NAS Name Being Sent By Client
[EMAIL PROTECTED] wrote:

The client is a RedHat AS 3.0 box with freeradius-1.0.1-1.RHEL3 installed.

You said that already. Did you think no one read it?

When users attempt to ssh to the Redhat client it authenticates to a different RADIUS server. The RADIUS client is sending an incorrect NAS name to the RADIUS server.

You said that already, too.

The NAS name that's being sent from the client to the server is that of the daemon (sshd) that's serving login requests on the client.

You said that already, too.

I can play this game, too. What are you using as a RADIUS client?

Alan DeKok.
Re: 0 being added to every second line of Ascend data filter
John Fergusson [EMAIL PROTECTED] wrote:

Do I have a config error? If so where?

Nope. The Ascend binary attributes are *not* text. Therefore, when they're read from a DB and put into a RADIUS attribute, they may not print in debug mode as exactly the same string as you put in the DB.

If I query the output directly from my sql I don't get the extra 0's being added.

Exactly. What you put into the DB is one thing. What goes into the packet (or printed in debug mode) is another. There's no problem.

Alan DeKok.
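What Alan describes can be seen by round-tripping the four filters from the post through the binary encoding. The following is an added example in Python; it is not code from the list or from FreeRADIUS. The 32-byte layout, the field order and the protocol-name table are my reconstruction of how the server handles Ascend "abinary" values and should be read as assumptions, but they reproduce the debug output above: protocol number 0 is printed through the name table as the literal "0", which is the extra token that appears on every rule that names no protocol.

```python
import ipaddress
import struct

# Assumed 32-byte layout of an Ascend-Data-Filter IP filter:
#   type(1) forward(1) direction(1) pad(1)
#   srcip(4) dstip(4) srcmask(1) dstmask(1) proto(1) established(1)
#   srcport(2) dstport(2) srcport_cmp(1) dstport_cmp(1) zero padding to 32
_IP_FMT = ">BBBx4s4sBBBBHHBB"
FILTER_LEN = 32
TYPE_IP = 1

# Assumed protocol-name table of the server's printer.  Protocol 0 has the
# *name* "0": that is where the trailing "0" in the debug output comes from.
PROTO_NAMES = {0: "0", 1: "icmp", 6: "tcp", 17: "udp", 89: "ospf"}
PROTO_NUMS = {name: num for num, name in PROTO_NAMES.items()}
CMP_NAMES = {1: "<", 2: "=", 3: ">", 4: "!="}
CMP_NUMS = {name: num for num, name in CMP_NAMES.items()}


def parse_ip_filter(text):
    """Parse 'ip <in|out> <forward|drop> [srcip A[/M]] [dstip A[/M]] [proto]
    [srcport OP N] [dstport OP N] [est]' into a field dict."""
    toks = text.split()
    if len(toks) < 3 or toks[0] != "ip":
        raise ValueError("only 'ip' filters are handled here")
    f = {
        "direction": {"in": 1, "out": 0}[toks[1]],
        "forward": {"forward": 1, "drop": 0}[toks[2]],
        "srcip": "0.0.0.0", "srcmask": 0, "dstip": "0.0.0.0", "dstmask": 0,
        "proto": 0, "established": 0,
        "srcport": 0, "srcport_cmp": 0, "dstport": 0, "dstport_cmp": 0,
    }
    i = 3
    while i < len(toks):
        t = toks[i]
        if t in ("srcip", "dstip"):
            iface = ipaddress.ip_interface(toks[i + 1])   # bare address -> /32
            f[t] = str(iface.ip)
            f[t.replace("ip", "mask")] = iface.network.prefixlen
            i += 2
        elif t in ("srcport", "dstport"):
            f[t + "_cmp"] = CMP_NUMS[toks[i + 1]]
            f[t] = int(toks[i + 2])
            i += 3
        elif t == "est":
            f["established"] = 1
            i += 1
        elif t in PROTO_NUMS:
            f["proto"] = PROTO_NUMS[t]
            i += 1
        else:
            raise ValueError(f"unknown token {t!r}")
    return f


def encode_ip_filter(f):
    """Serialise the field dict to the 32-byte value carried in the packet."""
    body = struct.pack(
        _IP_FMT, TYPE_IP, f["forward"], f["direction"],
        ipaddress.ip_address(f["srcip"]).packed,
        ipaddress.ip_address(f["dstip"]).packed,
        f["srcmask"], f["dstmask"], f["proto"], f["established"],
        f["srcport"], f["dstport"], f["srcport_cmp"], f["dstport_cmp"])
    return body.ljust(FILTER_LEN, b"\0")


def decode_ip_filter(blob):
    """Inverse of encode_ip_filter: what the server sees in the attribute."""
    if len(blob) != FILTER_LEN:
        raise ValueError("Ascend filter values are exactly 32 bytes")
    (ftype, fwd, direction, src, dst, smask, dmask, proto, est,
     sport, dport, scmp, dcmp) = struct.unpack_from(_IP_FMT, blob)
    if ftype != TYPE_IP:
        raise ValueError(f"filter type {ftype} is not an IP filter")
    return {
        "direction": direction, "forward": fwd,
        "srcip": str(ipaddress.ip_address(src)), "srcmask": smask,
        "dstip": str(ipaddress.ip_address(dst)), "dstmask": dmask,
        "proto": proto, "established": est,
        "srcport": sport, "srcport_cmp": scmp,
        "dstport": dport, "dstport_cmp": dcmp,
    }


def print_ip_filter(f):
    """Render a decoded value the way the debug output does (assumed rules:
    zero addresses are omitted, the protocol is always printed by name)."""
    out = ["ip", "in" if f["direction"] else "out",
           "forward" if f["forward"] else "drop"]
    if f["srcip"] != "0.0.0.0":
        out.append(f"srcip {f['srcip']}/{f['srcmask']}")
    if f["dstip"] != "0.0.0.0":
        out.append(f"dstip {f['dstip']}/{f['dstmask']}")
    out.append(PROTO_NAMES.get(f["proto"], str(f["proto"])))
    if f["srcport_cmp"]:
        out.append(f"srcport {CMP_NAMES[f['srcport_cmp']]} {f['srcport']}")
    if f["dstport_cmp"]:
        out.append(f"dstport {CMP_NAMES[f['dstport_cmp']]} {f['dstport']}")
    if f["established"]:
        out.append("est")
    return " ".join(out)


def canonical(text):
    """What a DB string turns into after a trip through the packet."""
    return print_ip_filter(decode_ip_filter(encode_ip_filter(parse_ip_filter(text))))


if __name__ == "__main__":
    for rule in ("ip in forward tcp est",
                 "ip in forward dstip 209.248.244.128/25",
                 "ip in drop tcp dstport = 25",
                 "ip in forward"):
        print(f"{rule!r:45} -> {canonical(rule)!r}")
```

The practical consequence is that the value the NAS enforces is the 32-byte blob, so an audit of what filters users actually receive should decode the attribute as it leaves the server (from radiusd -X output or a packet capture) rather than compare strings in the database; a rule the parser rejects, such as a misspelt protocol name, is caught here instead of turning into a different filter on the NAS.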
Re: RadZap
I think it is best to start all over again. I have been using 0.9.3 basically since that was the current version and it is working fine. Now I want to upgrade and go for the newer version, so I downloaded 1.0.2 and found out that radzap is not working properly. After looking in the man pages I found out that radzap is a script which uses radwho/radclient to do its job, in simple terms. So checking up on it, I found out that a few users had a similar problem, and in the archive I located a message stating that it will be fixed in 1.0.3, or you can download the CVS and swap files, then compile once more. The CVS command I used was the one advising someone else to use it; I got radiusd, copied the files and got a compile error when it got to radwho.c.

I recently downloaded the snapshot, freeradius-snapshot-20050509.tar.gz, and compiled it, bearing in mind the version which is still on the system is 0.9.3. I copied over radzap, radwho, radclient thinking that it might work in place of the original radzap, so I could see if it works with the current version and then change all the scripts I already have in place to the new command line before the upgrade, but no joy; I think it is incompatibility.

Sorry once more to go on and on, but I think the above gives a better view of what I have done.

Sarky

-- Original Message ---
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Mon, 09 May 2005 16:51:23 -0400
Subject: Re: RadZap

Sarkis Gabriel [EMAIL PROTECTED] wrote:

To be honest, I have spent a lot of time working out CVS and I do not know how to check for the version on CVS. The only thing I found in the archive about CVS and 1.0.3 is the one below, posted a few days back, pointing out that it is the current candidate for the official 1.0.3 and it is called release_1_0.

It will work if you follow the instructions in that message.

I know you don't like playing twenty questions, but if I had not tried, I would not be asking. I just need to get this new system compiled and working so I can drop version 0.9.3.

I would like to be able to help you, but you keep saying "something went wrong", and giving NO information. I'm not a mind reader, and I *hate* having to play the twenty questions game.

If you want someone to help you, then give them enough information so that they can understand what you're doing. If you don't, then you're forcing people to ask you question after question of "OK, and what EXACTLY went wrong?" If you never say anything other than "something went wrong", then no one will be able to help you. Ever. And no one will want to help you, either.

Alan DeKok.
--- End of Original Message ---
Re: RadZap
Sarkis Gabriel [EMAIL PROTECTED] wrote:

The CVS command I used was the one advising someone else to use it; I got radiusd, copied the files and got a compile error when it got to radwho.c.

If you grab the 1.0.x candidate from CVS, you don't have to copy over radwho.c. The previous messages in the list archive say that.

And didn't you say in your previous message that it failed in configure? Are you sure you know what's going on in your system?

Alan DeKok.
Re: Incorrect NAS Name Being Sent By Client
What are you using as a RADIUS client? I'm using pam_radius-1.3.16 as my radius client package. Sorry for the previous confusion on my part. Yes I know I said that already too ;)
Freeradius install problem
Hello, I've installed and compiled freeradius on my Linux Ubuntu Warty Warthog 4.10 and everything went OK. I run freeradius in debug mode (radiusd -X) and it seems to work fine:

[EMAIL PROTECTED]:/home/maxo # radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /usr/local/var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.

Then I connect the server to the network, and my Internet Service Controller (NAS) also to the network, and a client PC to the Internet Service Controller
Re: Freeradius install problem
When you set up the client in clients.conf, did you put all the client info inside {}?

client ip {
        secret    = nosecret
        shortname = mycomputer
}

It didn't look that way in the message, but that may have just been for ease of writing...

-- 
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
Re: Incorrect NAS Name Being Sent By Client
[EMAIL PROTECTED] wrote:

I'm using pam_radius-1.3.16 as my radius client package.

Then it should add a NAS-IP-Address attribute, with the IP address of the host. If it doesn't, then it can't find the address of the host. The only way to work around that is to edit the source.

Alan DeKok.
Re: Freeradius install problem
Software Development Group [EMAIL PROTECTED] wrote:

Ignoring request from unknown client 172.18.21.100:10005

...

I added a line in the clients.conf file with the details of the ISS: client 192.10.25.100 (ISS's IP address)

That isn't the same IP address that the server sees.

Alan DeKok.
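The "unknown client" check Alan is pointing at is a lookup of the packet's source address in the client list, and the entry has to match the address the server actually sees, not the address the NAS thinks it has. The following added example (Python, mine, not part of the thread or of FreeRADIUS) parses a constructed clients.conf fragment in the 1.x syntax, performs that lookup for the two addresses from the post, and flags entries a reviewer would want changed. It assumes a CIDR suffix on the client name is accepted and ignores any other way of specifying a range.

```python
import ipaddress
import re

# Constructed sample in the clients.conf syntax of FreeRADIUS 1.x.  The
# secrets are deliberately weak so that lint_clients() has something to say.
SAMPLE_CLIENTS_CONF = """\
client 127.0.0.1 {
        secret    = testing123
        shortname = localhost
}
client 192.10.25.100 {
        secret    = nosecret
        shortname = iss
}
client 10.0.0.0/8 {
        secret    = a-much-longer-lab-secret
        shortname = lab-net
}
"""

_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
_KV = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients_conf(text):
    """Return [(network, {attr: value}), ...] in file order."""
    clients = []
    for spec, body in _BLOCK.findall(text):
        net = ipaddress.ip_network(spec, strict=False)   # bare address -> /32
        clients.append((net, dict(_KV.findall(body))))
    return clients


def find_client(clients, src_ip):
    """Match the packet's *source* address; the most specific network wins.
    None is the case the server logs as 'unknown client'."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for net, attrs in clients:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attrs)
    return best


def lint_clients(clients, min_secret_len=16):
    """Entries worth fixing before trusting the file: the shared secret is the
    only thing that authenticates the NAS, and a range shares it widely."""
    problems = []
    for net, attrs in clients:
        secret = attrs.get("secret", "")
        if not secret:
            problems.append(f"{net}: no shared secret")
        elif len(secret) < min_secret_len:
            problems.append(f"{net}: secret is only {len(secret)} characters")
        if net.num_addresses > 1:
            problems.append(f"{net}: {net.num_addresses} addresses share one secret")
    return problems


if __name__ == "__main__":
    clients = parse_clients_conf(SAMPLE_CLIENTS_CONF)
    for src in ("172.18.21.100", "192.10.25.100", "10.2.3.4"):
        hit = find_client(clients, src)
        print(src, "->", "unknown client" if hit is None else hit[1]["shortname"])
    for p in lint_clients(clients):
        print("warning:", p)
```

Running it reproduces the situation in the post: 172.18.21.100, the address in the server's log, matches nothing, while the 192.10.25.100 entry is only ever used when a packet really arrives from that address. When the NAS sits behind NAT or has several interfaces, the address to configure is the one in the "Ignoring request from unknown client" line.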
Re: RadZap
OK, I got the CVS once more; I think the way I got it the first time was wrong, hence the ./configure error. I noticed that I was talking about another email in the archive and not the one that originated from you. Now I have the CVS and compiled it; tomorrow, when my brain is functioning properly, I will install and configure it and play around with radzap. Sorry for the confusion, and thanks for the help.

Sarky

-- Original Message ---
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Mon, 09 May 2005 17:19:13 -0400
Subject: Re: RadZap

Sarkis Gabriel [EMAIL PROTECTED] wrote:

The CVS command I used was the one advising someone else to use it; I got radiusd, copied the files and got a compile error when it got to radwho.c.

If you grab the 1.0.x candidate from CVS, you don't have to copy over radwho.c. The previous messages in the list archive say that.

And didn't you say in your previous message that it failed in configure? Are you sure you know what's going on in your system?

Alan DeKok.
--- End of Original Message ---
problems with digest and ser
Hi all, I'm having trouble with authentication using RADIUS and digest. Look at the radius output. The strange thing is that some phones get registered fine, but others don't. The ones that get registered are X-Lite softphones and Grandstream. The ones that don't are the ATAs from VoIP Solutions, MTA-V102. Any help would be appreciated. The user is 1991106 and has NO PASSWORD assigned ... (but all of the users have NO PASSWORD). Does this no-password thing have something to do with all this???

rad_recv: Access-Request packet from host IP_SER:33483, id=196, length=269
        User-Name = [EMAIL PROTECTED]
        Digest-Attributes = 0x0a0931393931313036
        Digest-Attributes = 0x01103230382e3232312e3136392e3838
        Digest-Attributes = 0x022a34323766656365613663303066636665343337623439613936343664303666373363396635353639
        Digest-Attributes = 0x04147369703a3230382e3232312e3136392e3838
        Digest-Attributes = 0x030a5245474953544552
        Digest-Response = 9b256af89daa817caf568f682e1d15a6
        Service-Type = IAPP-Register
        X-Ascend-PW-Lifetime = 0x31393931313036
        Cisco-AVPair = [EMAIL PROTECTED]
        NAS-IP-Address = IP_SER
        NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 213
  modcall[authorize]: module preprocess returns ok for request 213
  modcall[authorize]: module attr_filter returns noop for request 213
  modcall[authorize]: module chap returns noop for request 213
rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = 1991106
        Digest-Realm = IP_SER
        Digest-Nonce = 427fecea6c00fcfe437b49a9646d06f73c9f5569
        Digest-URI = sip:IP_SER
        Digest-Method = REGISTER
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module digest returns ok for request 213
    rlm_realm: Looking up realm IP_SER for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm IP_SER
    rlm_realm: Adding Stripped-User-Name = 1991106
    rlm_realm: Proxying request from user 1991106 to realm IP_SER
    rlm_realm: Adding Realm = IP_SER
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 213
radius_xlat: '1991106'
rlm_sql (sql): sql_set_user escaped user -- '1991106'
radius_xlat: 'rad_authorize_check_query '1991106''
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat: ''
radius_xlat: 'rad_authorize_reply_query '1991106','''
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module sql returns ok for request 213
modcall: group authorize returns ok for request 213
rad_check_password: Found Auth-Type DIGEST
auth: type digest
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 213
A1 = 1991106:IP_SER:
A2 = REGISTER:sip:IP_SER
KD = b3b6936f2a09f4749902ff9f6e0f1b71:427fecea6c00fcfe437b49a9646d06f73c9f5569:962db7ab8b0547fc8fbaa6408dd6
rlm_digest: FAILED authentication
  modcall[authenticate]: module digest returns reject for request 213
modcall: group authenticate returns reject for request 213
auth: Failed to validate the user.
Sending Access-Reject of id 196 to IP_SER:33483

... any ideas?? Look at these ngrep captures ...

U IP_UA:60975 -> IP_SER:5060
REGISTER sip:IP_SER SIP/2.0.
Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2952116395.
From: sip:[EMAIL PROTECTED];tag=2375800474.
To: sip:[EMAIL PROTECTED].
Call-ID: [EMAIL PROTECTED]
CSeq: 15158 REGISTER.
Contact: sip:[EMAIL PROTECTED]:5070.
Expires: 120.
Max-Forwards: 70.
User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
Content-Length: 0.

U IP_SER:5060 -> IP_UA:60975
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2952116395;rport=60975;received=64.32.92.159.
From: sip:[EMAIL PROTECTED];tag=2375800474.
To: sip:[EMAIL PROTECTED];tag=6f0d146d94c4cb042663ff3cf87e2e72.527a.
Call-ID: [EMAIL PROTECTED]
CSeq: 15158 REGISTER.
WWW-Authenticate: Digest realm=IP_SER, nonce=427feab914e565fceccf1852a2b0ae3b69cb.
Content-Length: 0.
Warning: 392 IP_SER:5060 Noisy feedback tells: pid=5366 req_src_ip=IP_UA req_src_port=60975 in_uri=sip:IP_SER out_uri=sip:IP_SER via_cnt==1.

U IP_UA:60975 -> IP_SER:5060
REGISTER sip:IP_SER SIP/2.0.
Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2608934381.
From: sip:[EMAIL PROTECTED];tag=1079893788.
To: sip:[EMAIL PROTECTED].
Call-ID: [EMAIL PROTECTED]
CSeq: 15159 REGISTER.
Contact: sip:[EMAIL PROTECTED]:5070.
Expires: 120.
Authorization: Digest username=1991106, realm=IP_SER, nonce=427feab914e565fceccf1852a2b0ae3b69cb, uri=sip:IP_SER, response=c7dc44af5d16f48c410813a7f4dc98f2.
Max-Forwards: 70.
User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
Content-Length: 0.

U IP_SER:5060 -> IP_UA:60975
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2608934381;rport=60975;received=64.32.92.159.
From: sip:[EMAIL PROTECTED];tag=1079893788.
To: sip:[EMAIL
Re: problems with digest and ser
Lucas Aimaretto [EMAIL PROTECTED] wrote:

I'm having trouble with authentication using RADIUS and digest. Look at the radius output. The strange thing is that some phones get registered fine, but others don't. The ones that get registered are X-Lite softphones and Grandstream. The ones that don't are the ATAs from VoIP Solutions, MTA-V102. Any help would be appreciated. The user is 1991106 and has NO PASSWORD assigned ... (but all of the users have NO PASSWORD). Does this no-password thing have something to do with all this???

Could be. And I don't think that having no password is a good idea. In any case, if there *wasn't* a password, then the digest module would complain.

rlm_digest: FAILED authentication
...
... any ideas??

The client isn't using the correct digest algorithm?

Alan DeKok.
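The A1, A2 and KD lines in the log above are the RFC 2617 digest computation, and being able to redo it by hand is the quickest way to tell a wrong-algorithm client from a wrong-password one. The following added example (Python, mine, not code from the list or from rlm_digest) implements the no-qop form seen here and the qop=auth form, parses an Authorization value in the shape of the one in the ngrep output, and verifies a constructed exchange. The realm and nonce are taken from the post; the password "s3cret" and the check against an empty password are made up, since the post has no password at all.

```python
import hashlib
import hmac
import re


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1_for(username, realm, password):
    """HA1 = MD5(user:realm:password).  This is all a server needs to keep;
    storing it per realm avoids keeping the clear-text password."""
    return _md5(f"{username}:{realm}:{password}")


def parse_digest_header(value):
    """Turn 'Digest k="v", k=v, ...' into a dict; values may be quoted or bare,
    as in the ngrep output above where the UA sends them unquoted."""
    value = value.strip()
    if value[:7].lower() == "digest ":
        value = value[7:]
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value):
        fields[key] = quoted or bare
    return fields


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, algorithm="MD5", ha1=None):
    """RFC 2617 response.  With qop absent this is the RFC 2069 form shown in
    the log: KD = MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    if ha1 is None:
        if password is None:
            raise ValueError("need a password or a precomputed HA1")
        ha1 = ha1_for(username, realm, password)
    if algorithm.upper() == "MD5-SESS":
        ha1 = _md5(f"{ha1}:{nonce}:{cnonce}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError(f"qop={qop!r} needs the message body; not handled here")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def make_authorization(username, realm, password, method, uri, nonce):
    """Client side: the Authorization value a UA sends back (no qop)."""
    r = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{r}"')


def verify_authorization(header, method, password=None, ha1=None):
    """Server side: recompute from the header fields and compare in constant
    time.  The method comes from the request line, not from the header."""
    f = parse_digest_header(header)
    try:
        expected = digest_response(
            f["username"], f["realm"], password, method, f["uri"], f["nonce"],
            qop=f.get("qop"), nc=f.get("nc"), cnonce=f.get("cnonce"),
            algorithm=f.get("algorithm", "MD5"), ha1=ha1)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, f.get("response", "").lower())


if __name__ == "__main__":
    nonce = "427feab914e565fceccf1852a2b0ae3b69cb"          # from the 401 above
    hdr = make_authorization("1991106", "IP_SER", "s3cret", "REGISTER", "sip:IP_SER", nonce)
    print(hdr)
    print("good password:", verify_authorization(hdr, "REGISTER", password="s3cret"))
    print("empty password:", verify_authorization(hdr, "REGISTER", password=""))
    # What the server computed for the post's empty-password account:
    print("A1 =", "1991106:IP_SER:", "->", ha1_for("1991106", "IP_SER", ""))
```

Two things follow from running this against the post. With an empty password the server still derives a perfectly valid HA1, so the digest proves nothing beyond knowledge of the username and a fresh nonce, and any UA that knows the number can register. And because the server's challenge carries no qop, the client sends no cnonce, so a captured Authorization header can be replayed for as long as the nonce is accepted; a nonce lifetime and nonce-count tracking are the only defences in that mode.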
ntlm_auth not working
Hello all, I seem to have a problem getting freeradius to authenticate users from Active Directory. I have installed and configured Samba and have added the server to the NT domain. I can use net ads info, wbinfo -g and wbinfo -u successfully. I have modified the necessary freeradius files: radiusd.conf, eap.conf, users, and clients.conf. When I run NTRadPing or radtest I can authenticate local users successfully, but when I try to test users from AD it always fails. I have included the debugging output from the server and client:

[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/lib/freeradius
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /usr/local/etc/raddb/certs/dh
tls: random_file = /dev/urandom
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess:
Re: ntlm_auth not working
ntlm_auth is really only useful for people who must do an MSCHAP authentication against a Windows domain. If you are doing a straight User-Password authentication (as you show below in your example), then it might be just as well to set up LDAP authentication against AD as that will work in this case. Using ntlm_auth in that case is really overkill. --Mike

Graham, Robert wrote:
Hello all, I seem to have a problem getting freeradius to authenticate users from Active Directory. I have installed and configured Samba and have added the server to the NT domain. I can use: net ads info, wbinfo -g, wbinfo -u successfully. I have modified the necessary freeradius files: radiusd.conf, eap.conf, users, and clients.conf. When I run NTRadPing or radtest I can authenticate local users successfully, but when I try to test users from AD it always fails. I have included the debugging output from the server and client: [...]
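As an added example (editor's illustration, not from the thread or from Mike's reply), here is how the PAP-to-AD path he suggests is wired up in a FreeRADIUS 1.x configuration of the kind the radiusd -X output above comes from. The server name ad.example.com, the base DN, the service-account DN and its password, and the CA file name are placeholders. The point a practitioner needs to know: Active Directory never returns password hashes over LDAP, so rlm_ldap cannot compare a password itself; the only way to verify a PAP password against AD is to bind to the directory as that user, which is what Auth-Type := LDAP selects. That in turn only works when the request carries a cleartext User-Password, so CHAP and MS-CHAP requests still have to go through mschap and ntlm_auth as in the original config.

```conf
# --- radiusd.conf (FreeRADIUS 1.x layout, matching the modcall output above) ---
modules {
    ldap {
        # Placeholders: replace with your domain controller and a low-privilege
        # service account that is only allowed to search the user container.
        server   = "ad.example.com"
        identity = "cn=radius-svc,ou=Service Accounts,dc=example,dc=com"
        password = "service-account-password"
        basedn   = "dc=example,dc=com"

        # AD keys users on sAMAccountName, not uid or cn. Use the name with any
        # @realm stripped by the realm (suffix) module, falling back to User-Name.
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

        # The search is done with the service account. The bind as the user
        # happens only in the authenticate section (Auth-Type LDAP below), and
        # it sends the user's cleartext password to AD, so protect that hop.
        start_tls       = yes
        tls_cacertfile  = /usr/local/etc/raddb/certs/ad-ca.pem   # placeholder

        ldap_connections_number = 5
        timeout     = 4
        timelimit   = 3
        net_timeout = 1
    }
}

authorize {
    preprocess
    mschap        # NTRadPing MS-CHAP and PEAP-MSCHAPv2 still go to ntlm_auth
    suffix        # strips user@realm so Stripped-User-Name exists for the filter
    eap
    files
    ldap          # PAP requests: confirm the user exists; no password is fetched
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        ldap      # binds to AD as the found user with the request's User-Password
    }
    eap
}

# --- users ---
# Only requests that actually carry a cleartext User-Password (PAP) are sent
# to the LDAP bind; EAP and MS-CHAP requests keep the Auth-Type set by their
# own modules in authorize.
DEFAULT User-Password =* ANY, Auth-Type := LDAP
        Fall-Through = 1
```

Test it with radtest (a PAP client) while watching radiusd -X: the ldap module should return ok from the authenticate section for a valid AD password and reject for a wrong one. Two caveats go with this design. PAP carries the user's password in the Access-Request protected only by the RADIUS shared-secret obfuscation, so wherever the NAS can do PEAP-MSCHAPv2 the ntlm_auth path Mike describes is the stronger choice, and the PAP path should be limited to the clients that need it. And because the LDAP bind proves the password only when the cleartext is available, this configuration does nothing for CHAP or MS-CHAP; those have to keep going through mschap and ntlm_auth.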
Re: problems with digest and ser
Hello, I am facing the same problem. In my case all H.323 IP phones are able to register successfully. But I have a problem only with SIP IP phones, which cannot register. I searched the mailing list and I found that the Digest type of authentication can solve the problem. I did the configuration according to draft-sterman-aaa-sip-00.txt. But no luck :) If you find your solution, please let us know so it can solve others' problems. Thank you