Winbind problem when exec radiusd
Hi list! I'm trying to authenticate Active Directory users via freeradius (1.0.2). I can do it in the general case (user and domain) without problem. Now I have to restrict the authentication to the members of a group. I can execute the script (as it is put in radiusd.conf) correctly from the command line:

Deb:~# /usr/bin/ntlm_auth --username=javi2 --require-membership-of='AAMM\MyGroup' --domain=AAMM
password:
NT_STATUS_OK: Success (0x0)
Deb:~# /usr/bin/ntlm_auth --username=javi2 --require-membership-of='AAMM\OtherGroup' --domain=AAMM
password:
NT_STATUS_LOGON_FAILURE: Logon failure (0xc06d)
Deb:~#

So samba and winbind look to be correctly configured, but when radius executes it, it looks as if winbind couldn't resolve the group's name. My line in radiusd.conf is:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --require-membership-of='AAMM\\MyGroup' --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

And I get the following logs:

radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=javi2 --require-membership-of='AAMM\MyGroup' --domain=AAMM --challenge=6b480cf181ded625 --nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21 '
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=javi2 --require-membership-of='AAMM\MyGroup' --domain=AAMM --challenge=6b480cf181ded625 --nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21
[2005/05/16 09:05:57, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
  Winbindd lookupname failed to resolve 'AAMM\MyGroup' into a SID!

Does anybody know why this could be happening? Thanks in advance for any help!!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
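As an added example (not code from the post, from FreeRADIUS or from Samba): a POSIX sh check that tokenises the expanded ntlm_auth command the way a program started directly, without a shell, receives it, that is whitespace splitting with no quote removal, and then flags a --require-membership-of value that still carries quote characters. It assumes that radiusd hands the expanded string to an exec-style call rather than to /bin/sh; the command string embedded below is a constructed copy of the Exec-Program line from the log, with the challenge and response options left out.

```sh
#!/bin/sh
# Added example, not from the post or from FreeRADIUS.
# Assumption: radiusd executes the expanded ntlm_auth line directly (no shell),
# so the single quotes that the shell removed at the Deb:~# prompt are never
# interpreted and reach the program as part of the argument.

# Constructed copy of the Exec-Program line from the log (challenge/response omitted).
EXPANDED="/usr/bin/ntlm_auth --request-nt-key --username=javi2 --require-membership-of='AAMM\\MyGroup' --domain=AAMM"

# direct_exec_argv CMDLINE: print the argv a directly exec'd program would see,
# one argument per line: field splitting only, quotes and backslashes kept.
direct_exec_argv() {
    set -f            # no pathname expansion while we split
    set -- $1         # field splitting on IFS, no quote removal
    set +f
    for arg in "$@"; do printf '%s\n' "$arg"; done
}

# membership_value CMDLINE: print the --require-membership-of value exactly as
# the program receives it; returns 1 when the option is absent.
membership_value() {
    set -f; set -- $1; set +f
    for arg in "$@"; do
        case "$arg" in
            --require-membership-of=*)
                printf '%s\n' "${arg#--require-membership-of=}"
                return 0 ;;
        esac
    done
    return 1
}

# group_is_clean VALUE: 0 when the group name carries no quote character,
# 1 when a literal ' or " is part of the name handed to winbind for lookup
# (the log above shows exactly such a quoted name failing to resolve).
group_is_clean() {
    case "$1" in
        *"'"*|*'"'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone report for the reader.
group=$(membership_value "$EXPANDED") || { echo "no --require-membership-of option found"; exit 1; }
if group_is_clean "$group"; then
    echo "ok: winbind is asked to resolve $group"
else
    echo "problem: winbind is asked to resolve $group, quotes included"
fi
```

On that assumption the place to fix things is the radiusd.conf line, not samba: at the prompt the shell stripped the quotes before ntlm_auth ran, while radiusd passes them through, so the value should be written without them. Re-run the check on any edited line before restarting radiusd.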
Re: radius crash
Okay, thanks for the input. I really don't know where the problem could be, and it's not appearing constantly - it may be a day or it could be some weeks. Referring to your other post, I have this /usr/local/var/run/radiusd directory. The only thing I've changed till now is that I've set all the permissions on the pid file. Let's see what'll happen.

Edgars

Lucas Aimaretto wrote:

> > you mean radiusd -X? Can this full debug information somehow be saved in a file instead of directly on the console?
>
> Edgars, you can try 'radiusd -X > radius.log 2>&1'; with this you're redirecting everything to radius.log.
>
> Please let us know how you did, because yesterday I had the same problem. Radius stopped working, but I could see the listening sockets when 'netstat -putan' was executed. But when I sent radius an access-request with nt-radping (an app to test radius) I had no answer from it ... and it kind of worried me ...
>
> Regards,
> Lucas
Re: Troubleshoot EAP-TTLS : I can't understand why it's not working.
Do you want my real IP addresses, passwords and direct access to my networks? ;) I know that, it's just for security... However, thank you for having taken some time to respond to me :) (sorry if my English is bad, it's not my best quality)...

David

[EMAIL PROTECTED] wrote:

> > NAS-IP-Address = 10.256.256.256
>
> 256 has never been a valid octet in an IP address. Use a real IP address and I suspect that your results will be much better.
>
> Mark Capelle
Freeradius Clusters
Hi All,

I'm looking to put freeradius into an ISP site and we run a 4 server LVS cluster. What I'm wanting to know is, if we do the following in the config:

authorize {
        preprocess
        chap
        sql
}
authenticate {
        Auth-Type CHAP {
                chap
        }
}
preacct {
        preprocess
        acct_unique
}
accounting {
        sql
}
session {
        sql
}
post-auth {
        sql
}

will that allow us to run in a pure SQL mode and just share the same Radius SQL database between each server in the cluster?

Cheers
Tristram
Re: Logging in radpostauth
Lorel hardy wrote:

> I would like to know and to do something like log more information in the table radpostauth. Maybe it would be useful to have the mac address of the client and the reply message sent by radius?

It's straightforward: add more fields in your SQL table and edit the postauth_query in raddb/sql.conf.

> Is somebody thinking or doing something about it?

There is a general purpose example provided in FreeRADIUS. If you want something specific to your site, I don't think anybody is going to do it in your place.

--
Nicolas Baradakis
Freeradius+NOCAT on the separated machine
Hi everyone.

I've installed freeradius+mysql on a Sun Solaris sparc5 platform and the nocat authentication+gateway on another machine. It seems that freeradius and mysql run without any problem; it can also authenticate nocat users at the same time. But my radacct table in mysql is empty, and it seems no accounting has been done. I've checked clients.conf, radiusd.conf and sql.conf several times and they seem ok. Also I have seen that my nocat.conf on the gateway has no problem. My radius.log was also not created when I installed. Do you guys have any idea about this? Thanks
Re: ACL on LDAP
Sven Hartge wrote:

> At 04:27 on 15.05.05 Chan Min Wai wrote:
>
> > I'm working with freeradius running EAP auth; the account info is on an LDAP server. I just want to know what kind of rights freeradius needs to have on the LDAP server so that the ACL on the LDAP server can be controlled. Also, I'm a bit confused about the password on LDAP: do we need to READ it or do we just have to AUTH with it?
>
> If you want to use any CHAP-like authentication method, Freeradius needs a) READ access (through some sort of proxy user) and b) clear text passwords.
>
> If you want to use EAP-TTLS, you just need AUTH, but cannot use MSCHAPv2, but are forced to do something else, like PAP (which is no problem inside a TTLS tunnel.)
>
> Greetings,
> Sven.

Ok, thanks. Got it clear now... Will try later.
how to change the radius database's name radius to another one ?
Dear all,

Where does the program create the database? I can't find it; I just find where it creates tables. I use mysql. Anyone who knows please tell me, thanks.

shenwei
Re: how to change the radius database's name radius to another one ?
You need to create your own database based on the SQL schema provided with freeradius. The rest you configure in the sql.conf in your raddb dir, usually in /etc/raddb or /usr/local/etc/raddb.

On Mon, 16 May 2005 18:10:39 +0800 shenwei [EMAIL PROTECTED] wrote:

> Dear all, where does the program create the database? I can't find it, just find where it creates tables. I use mysql. Anyone who knows please tell me, thanks.
>
> shenwei
Authorization problem (Cisco Aironet 1200)
Hello

I know it's more a Cisco issue, but maybe someone here has had the same problem.

For authentication, users use PEAP/MS-CHAPv2; that is working fine. For authorization, I want to use per-user ACLs, from user profiles on the FreeRadius server with a MySQL backend. As a test, I put a cisco-AVpair attribute in my user profile (ip:inacl#1=deny ip any 10.88.88.150). The Access-Accept packet looks correct. I tried some other Cisco AVPair attributes like ip:addr=..., other ACLs..., but I can't make it work. My AccessPoint just does not care about this VSA. Does anyone see why?

Below:
- FR log
- AP log
- AP conf

Freeradius log:

Sending Access-Accept of id 54 to 10.88.88.1:21645
        Framed-IP-Address = 255.255.255.254
        Cisco-AVPair = ip:inacl#1=deny ip any 10.88.88.150
        Framed-Protocol = PPP
        Framed-MTU = 1500
        Framed-Compression = None
        Service-Type = Framed-User
        MS-MPPE-Recv-Key = 0x85098227b29b979d69966940c5e9bdac5d41947907e977cdd6fc2fd3f2f2afa2
        MS-MPPE-Send-Key = 0x1b6b847254ac9389da683cd4e558390f962d95dae0db19a08edec5e6fb0f0edd
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x
        User-Name = palpatine
Finished request 77

AP log:

*Mar 1 00:06:37.924: RADIUS: Received from id 21645/54 10.88.88.150:1812, Access-Accept, len 244
*Mar 1 00:06:37.924: RADIUS: authenticator FC 9A E4 8B 24 C2 13 61 - B2 30 22 FA 22 8C C1 2D
*Mar 1 00:06:37.924: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 1 00:06:37.925: RADIUS: Vendor, Cisco [26] 43
*Mar 1 00:06:37.925: RADIUS: Cisco AVpair [1] 37 ip:inacl#1=deny ip any 10.88.88.150
*Mar 1 00:06:37.925: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Mar 1 00:06:37.925: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 00:06:37.925: RADIUS: Framed-Compression [13] 6 None [0]
*Mar 1 00:06:37.926: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 00:06:37.926: RADIUS: Vendor, Microsoft [26] 58
*Mar 1 00:06:37.926: RADIUS: MS-MPPE-Recv-Key [17] 52
*Mar 1 00:06:37.926: RADIUS: E5 79 9A 38 F2 9A A5 FB B3 53 35 4A 10 21 92 FC [?y?8?S5J?!??]
*Mar 1 00:06:37.926: RADIUS: FF 7B 0A 0B AB FF 3F 02 2D 95 BB D5 52 88 45 D4 [?{??-???R?E?]
*Mar 1 00:06:37.926: RADIUS: 83 85 A6 56 99 C7 1A AB 1F 97 52 9A 75 66 3E 55 [???V??R?ufU]
*Mar 1 00:06:37.927: RADIUS: 5E 4B [^K]
*Mar 1 00:06:37.927: RADIUS: Vendor, Microsoft [26] 58
*Mar 1 00:06:37.927: RADIUS: MS-MPPE-Send-Key [16] 52
*Mar 1 00:06:37.927: RADIUS: E9 2B 40 5C 14 A3 BE 0E F6 2A F1 D7 15 71 90 D7 [EMAIL PROTECTED]
*Mar 1 00:06:37.928: RADIUS: 32 DA 01 5C 9B F4 83 BC 31 9D 34 F6 A7 12 E7 BF [2??\1?4?]
*Mar 1 00:06:37.928: RADIUS: 8D D3 E5 4A 6A 9E 39 C3 F5 3A EC D6 37 D2 CF 56 [???Jj?9??:??7??V]
*Mar 1 00:06:37.928: RADIUS: B1 8A [??]
*Mar 1 00:06:37.928: RADIUS: EAP-Message [79] 6
*Mar 1 00:06:37.928: RADIUS: 03 0A 00 04 []
*Mar 1 00:06:37.928: RADIUS: Message-Authenticato[80] 18 *
*Mar 1 00:06:37.929: RADIUS: User-Name [1] 11 palpatine
*Mar 1 00:06:37.930: RADIUS(0006): Received from id 21645/54

Access Point conf (I followed the Cisco docs):

!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa authorization network default group radius
aaa accounting update periodic 2
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 aaa csid ietf
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid morgane8021X
    authentication open eap eap_methods
    authentication key-management wpa
    accounting acct_methods
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.88.88.1 255.255.0.0
 no ip route-cache
!
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
snmp-server view dot11view ieee802dot11 included
snmp-server community open RW
snmp-server community ieee view ieee802dot11 RW
snmp-server enable traps tty
radius-server host 10.88.88.150 auth-port 1812 acct-port 1813 key 7
Segmentation Fault with EAP-TLS
Hi

I am trying to install Freeradius 1.0.2 on Redhat 7.2 and am using openssl-0.9.7. I have installed openssl in /usr/local/openssl, and to install freeradius I executed the following commands:

./configure --with-openssl-includes=/usr/local/openssl/include --with-openssl-libraries=/usr/local/openssl/lib
make
make install

Before the make, I also ensured that the makefile for tls was generated properly. The installation seems successful, but in the case of an EAP-TLS request the server gives a segmentation fault, as in the following logs:

modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
TLS_accept: SSLv3 read client hello A
TLS_accept: SSLv3 write server hello A
./run-radius: line 5: 1164 Segmentation fault /usr/local/sbin/radiusd -X -A

Having gone through other mails on the list, this looks like a problem with 2 versions of openssl on the machine and freeradius not looking for the right one. But the information provided by the ldd command on the system shows that freeradius is looking for the library files at /usr/local/openssl/lib (which is where I have installed openssl 0.9.7).

I also attempted this: I tried editing /etc/ld.so.conf and appended /usr/local/openssl/lib, and executed ldconfig -v to update the ld.so.cache.

Although it looks like the problem is due to 2 different versions of openssl, the ldd command executed on rlm_eap_tls.so, rlm_eap_tls.so-1.0.2 and radiusd shows that they use the libcrypto 0.9.7 and libssl 0.9.7 which I have installed at /usr/local/openssl/lib. Following is the output of the ldd commands executed on these three files...

1) ldd /usr/local/sbin/radiusd
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40033000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4006)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40076000)
        libpthread.so.0 => /lib/i686/libpthread.so.0 (0x40088000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x4009d000)
        libssl.so.2 => /lib/libssl.so.2 (0x4016)
        libradius-1.0.2.so => /usr/local/lib/libradius-1.0.2.so (0x4018e000)
        libsnmp-0.4.2.1.so => /usr/lib/libsnmp-0.4.2.1.so (0x401a1000)
        libltdl.so.3 => /usr/lib/libltdl.so.3 (0x401f8000)
        libdl.so.2 => /lib/libdl.so.2 (0x401fe000)
        libc.so.6 => /lib/i686/libc.so.6 (0x40202000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)

2) ldd /usr/local/lib/rlm_eap_tls-1.0.2.so
        libssl.so.0.9.7 => /usr/local/openssl/lib/libssl.so.0.9.7 (0x40024000)
        libcrypto.so.0.9.7 => /usr/local/openssl/lib/libcrypto.so.0.9.7 (0x40053000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40146000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4015c000)
        libpthread.so.0 => /lib/i686/libpthread.so.0 (0x4016e000)
        libc.so.6 => /lib/i686/libc.so.6 (0x40183000)
        libdl.so.2 => /lib/libdl.so.2 (0x402bf000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

3)
        libssl.so.0.9.7 => /usr/local/openssl/lib/libssl.so.0.9.7 (0x40024000)
        libcrypto.so.0.9.7 => /usr/local/openssl/lib/libcrypto.so.0.9.7 (0x40053000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40146000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4015c000)
        libpthread.so.0 => /lib/i686/libpthread.so.0 (0x4016e000)
        libc.so.6 => /lib/i686/libc.so.6 (0x40183000)
        libdl.so.2 => /lib/libdl.so.2 (0x402bf000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

Can any of you help me understand where I am going wrong and what else I need to be doing to get this fixed?

thanks a lot
regards
arun
Re: Segmentation Fault with EAP-TLS
Hi,

> 1) ldd /usr/local/sbin/radiusd
>         libcrypt.so.1 => /lib/libcrypt.so.1 (0x40033000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x4006)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x40076000)
>         libpthread.so.0 => /lib/i686/libpthread.so.0 (0x40088000)
>         libcrypto.so.2 => /lib/libcrypto.so.2 (0x4009d000)
>         libssl.so.2 => /lib/libssl.so.2 (0x4016)
>         libradius-1.0.2.so => /usr/local/lib/libradius-1.0.2.so (0x4018e000)
>         libsnmp-0.4.2.1.so => /usr/lib/libsnmp-0.4.2.1.so (0x401a1000)
>         libltdl.so.3 => /usr/lib/libltdl.so.3 (0x401f8000)
>         libdl.so.2 => /lib/libdl.so.2 (0x401fe000)
>         libc.so.6 => /lib/i686/libc.so.6 (0x40202000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)

Well, /lib/libcrypto.so.2 and /lib/libssl.so.2 don't really look like the right libs; those should probably be the same ...so.0.9.7 libs that are used here:

> 2) ldd /usr/local/lib/rlm_eap_tls-1.0.2.so
>         libssl.so.0.9.7 => /usr/local/openssl/lib/libssl.so.0.9.7 (0x40024000)
>         libcrypto.so.0.9.7 => /usr/local/openssl/lib/libcrypto.so.0.9.7 (0x40053000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x40146000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x4015c000)
>         libpthread.so.0 => /lib/i686/libpthread.so.0 (0x4016e000)
>         libc.so.6 => /lib/i686/libc.so.6 (0x40183000)
>         libdl.so.2 => /lib/libdl.so.2 (0x402bf000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

Regards,
Stefan
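An added example, not code from the thread or from FreeRADIUS, that turns Stefan's observation into a repeatable check: a POSIX sh/awk script that reads ldd listings for several binaries and counts how many distinct libssl and libcrypto files they would pull into a single process. Two different sonames in one address space (libssl.so.2 for radiusd next to libssl.so.0.9.7 for the module) is the mismatch being pointed at. The listings embedded below are constructed excerpts of the two ldd outputs quoted above; the format assumed is the usual "soname => path (address)" line.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS. Assumes ldd's
# "soname => path (addr)" line layout; the mailing list archive dropped the
# '>' of the arrow, so the third field is used for the path whether the
# arrow shows up as '=>' or as '='.

# Constructed excerpts of the two ldd listings quoted in the thread.
LDD_RADIUSD='libcrypto.so.2 => /lib/libcrypto.so.2 (0x4009d000)
libssl.so.2 => /lib/libssl.so.2 (0x4016)
libc.so.6 => /lib/i686/libc.so.6 (0x40202000)'

LDD_EAP_TLS='libssl.so.0.9.7 => /usr/local/openssl/lib/libssl.so.0.9.7 (0x40024000)
libcrypto.so.0.9.7 => /usr/local/openssl/lib/libcrypto.so.0.9.7 (0x40053000)
libc.so.6 => /lib/i686/libc.so.6 (0x40183000)'

# lib_paths LIB LISTING: resolved path of every entry whose soname is LIB.so*.
lib_paths() {
    printf '%s\n' "$2" | awk -v lib="$1" '$1 ~ ("^" lib "\\.so") { print $3 }'
}

# copies_of LIB LISTING...: number of distinct files providing LIB across all
# listings, i.e. how many copies one process built from them would load.
copies_of() {
    lib=$1; shift
    for listing in "$@"; do lib_paths "$lib" "$listing"; done | sort -u | wc -l | tr -d ' '
}

# openssl_consistent LISTING...: 0 when exactly one libssl and one libcrypto
# would be loaded, 1 otherwise (a second copy in the same process is the
# setup that crashes radiusd in the thread).
openssl_consistent() {
    [ "$(copies_of libssl "$@")" -eq 1 ] && [ "$(copies_of libcrypto "$@")" -eq 1 ]
}

# Stand-alone report. On a real host feed it live output instead, e.g.
#   openssl_consistent "$(ldd /usr/local/sbin/radiusd)" "$(ldd /usr/local/lib/rlm_eap_tls-1.0.2.so)"
if openssl_consistent "$LDD_RADIUSD" "$LDD_EAP_TLS"; then
    echo "radiusd and rlm_eap_tls agree on one OpenSSL"
else
    echo "MISMATCH: more than one OpenSSL would be loaded into radiusd:"
    for l in "$LDD_RADIUSD" "$LDD_EAP_TLS"; do
        lib_paths libssl "$l"
        lib_paths libcrypto "$l"
    done
fi
```

Run it against every module radiusd loads, not only rlm_eap_tls: any one of them linked against a second OpenSSL puts two incompatible copies into the same process. The count is what matters, not the install prefix; two files under different paths with the same soname would also be reported.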
Re: Segmentation Fault with EAP-TLS
Thanks a lot. I am new and totally clueless as to what I need to be doing. I did use

./configure --with-openssl-includes=/usr/local/openssl/include --with-openssl-libraries=/usr/local/openssl/lib

What else do I need to be doing to make the radiusd read the right libraries?

regards,
arun

On 5/16/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> Hi,
>
> > 1) ldd /usr/local/sbin/radiusd
> >         libcrypt.so.1 => /lib/libcrypt.so.1 (0x40033000)
> >         libnsl.so.1 => /lib/libnsl.so.1 (0x4006)
> >         libresolv.so.2 => /lib/libresolv.so.2 (0x40076000)
> >         libpthread.so.0 => /lib/i686/libpthread.so.0 (0x40088000)
> >         libcrypto.so.2 => /lib/libcrypto.so.2 (0x4009d000)
> >         libssl.so.2 => /lib/libssl.so.2 (0x4016)
> >         libradius-1.0.2.so => /usr/local/lib/libradius-1.0.2.so (0x4018e000)
> >         libsnmp-0.4.2.1.so => /usr/lib/libsnmp-0.4.2.1.so (0x401a1000)
> >         libltdl.so.3 => /usr/lib/libltdl.so.3 (0x401f8000)
> >         libdl.so.2 => /lib/libdl.so.2 (0x401fe000)
> >         libc.so.6 => /lib/i686/libc.so.6 (0x40202000)
> >         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
>
> Well, /lib/libcrypto.so.2 and /lib/libssl.so.2 don't really look like the right libs; those should probably be the same ...so.0.9.7 libs that are used here:
>
> > 2) ldd /usr/local/lib/rlm_eap_tls-1.0.2.so
> >         libssl.so.0.9.7 => /usr/local/openssl/lib/libssl.so.0.9.7 (0x40024000)
> >         libcrypto.so.0.9.7 => /usr/local/openssl/lib/libcrypto.so.0.9.7 (0x40053000)
> >         libnsl.so.1 => /lib/libnsl.so.1 (0x40146000)
> >         libresolv.so.2 => /lib/libresolv.so.2 (0x4015c000)
> >         libpthread.so.0 => /lib/i686/libpthread.so.0 (0x4016e000)
> >         libc.so.6 => /lib/i686/libc.so.6 (0x40183000)
> >         libdl.so.2 => /lib/libdl.so.2 (0x402bf000)
> >         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)
>
> Regards,
> Stefan
Re: Segmentation Fault with EAP-TLS
Hi,

> Thanks a lot. I am new and totally clueless as to what I need to be doing. I did use
>
> ./configure --with-openssl-includes=/usr/local/openssl/include --with-openssl-libraries=/usr/local/openssl/lib
>
> What else do I need to be doing to make the radiusd read the right libraries?

I'm not sure, either. Using a modified configure command like

LDFLAGS="-L/usr/local/openssl/lib -lssl -lcrypto" ./configure --with...

might be worth a try.

HTH,
Stefan
Re: Freeradius Clusters
Hi.

Should be fine; this is mine for comparison: http://www.yazzy.org/configs/linux/freeradius/radiusd.conf

I additionally use the following for sqlcounter:
dailycounter
weeklycounter
monthlycounter

On Mon, 16 May 2005 20:56:04 +1200 Tristram J. Cheer [EMAIL PROTECTED] wrote:

> Hi All,
>
> I'm looking to put freeradius into an ISP site and we run a 4 server LVS cluster. What I'm wanting to know is, if we do the following in the config:
>
> authorize { preprocess chap sql }
> authenticate { Auth-Type CHAP { chap } }
> preacct { preprocess acct_unique }
> accounting { sql }
> session { sql }
> post-auth { sql }
>
> will that allow us to run in a pure SQL mode and just share the same Radius SQL database between each server in the cluster?
>
> Cheers
> Tristram
Need help installing.
Hello,

My name is Adam Oakley and I am trying to set up freeradius on a Linux Redhat 9 server. I have downloaded the package and tried installing, and I can get a couple of steps into it and then it will not let me go any farther. So I was wondering if anyone could help me get this installed and up and working. So please email me at this email address. Thanks a lot.

Adam D. Oakley
NOC Engineer I
ITPI Solutions
115 Evergreen Heights Drive
Suite 312
Pittsburgh, PA 15229
412.415.6312 - Office
412.415.5301 - Fax
[EMAIL PROTECTED]
www.itpipgh.com
Help with this error: configure: warning: FAILURE: rlm_eap_tls requires: libssl
Hi,

I'm trying to get freeradius to configure eap_tls but I keep running into a config problem. I have openssl installed like so:

config --prefix=/usr/local/openssl097g --openssldir=/usr/local/openssl097g no-shared

This seems to work. Then I configure freeradius like this:

configure --disable-shared --with-openssl-includes=/usr/local/openssl097g/include \
          --with-openssl-libraries=/usr/local/openssl097g/lib \
          --prefix=/usr/local/radius

This is the config output:

---
configuring in ./types/rlm_eap_tls
running /bin/sh ./configure --disable-shared --with-openssl-includes=/usr/local/openssl097g/include/ --with-openssl-libraries=/usr/local/openssl097g/lib/ --prefix=/usr/local/radius --enable-ltdl-install --enable-ltdl-install --cache-file=../../../../.././config.cache --srcdir=.
loading cache ../../../../.././config.cache
checking for gcc... (cached) gcc
checking whether the C compiler (gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I/usr/local/openssl097g/include/ -Wall -D_GNU_SOURCE -DNDEBUG ) works... yes
checking whether the C compiler (gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I/usr/local/openssl097g/include/ -Wall -D_GNU_SOURCE -DNDEBUG ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for openssl/ssl.h... yes
checking for DH_new in -lcrypto... yes
checking for SSL_new in -lssl... no
checking how to run the C preprocessor... (cached) gcc -E
checking for openssl/err.h... (cached) yes
checking for openssl/engine.h... (cached) yes
configure: warning: silently not building rlm_eap_tls.
configure: warning: FAILURE: rlm_eap_tls requires: libssl.
---

As you can see I'm missing libssl. What is this and how do I install it or point freeradius to it?

Thanks,
RADIUS auth questions.
Hi all

I have two questions relating to the above.

1) I notice that my server is responding to the client with the Cisco-AVPair attributes even if the user's authentication fails due to an incorrect password. Is this normal behaviour? For example, the client log shows:

16/05/2005 08:47:16 PM Test started [2GB_test]
Info: Sending Access-Request of id 0 to 192.168.0.10:1812
        User-Name = [EMAIL PROTECTED]
        User-Password = badpass
Info: Access-Reject packet from host 192.168.0.10:1812, id=0, length=86
        Cisco-AVPair = ip:ip-unnumbered=Loopback50
        Cisco-AVPair = ip:addr-pool=ipnetpool1
16/05/2005 08:47:18 PM Test finished [2GB_test]

As you can see, the server sends back the Cisco-AVPair information even though the user's password is incorrect. Is this normal? If not, how do I go about changing it?

2) In a situation where the password supplied by the client is correct, but the attribute values associated with the request are incorrect, I notice that the server responds with an Access-Accept, but updates the attribute values. For example:

16/05/2005 08:55:10 PM Test started [FreeRADIUS test]
Info: Sending Access-Request of id 0 to 192.168.0.10:1812
        Framed-Protocol = PPP
        Service-Type = Outbound-User
        User-Name = [EMAIL PROTECTED]
        User-Password = testpass
Info: Access-Accept packet from host 192.168.0.10:1812, id=0, length=98
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Cisco-AVPair = ip:ip-unnumbered=Loopback52
        Cisco-AVPair = ip:addr-pool=ipnetpool3
16/05/2005 08:55:10 PM Test finished [FreeRADIUS test]

As you can see, the Access-Request was for Outbound-User access, which was incorrect for this user's profile. Instead of rejecting it, the RADIUS server accepted and just updated the Service-Type in the Access-Accept packet. Again, is this normal behaviour? If not, how do I go about changing it?

Any help with the above would be much appreciated.

Details of my system are as follows:
Operating System: FreeBSD 5.4-STABLE
FreeRADIUS package: freeradius-1.0.2_1
Database: mysql-server-4.1.11_1

Many thanks,
Justin
Re: Help with this error: configure: warning: FAILURE: rlm_eap_tls
Hi,

> configure --disable-shared --with-openssl-includes=/usr/local/openssl097g/include \
>           --with-openssl-libraries=/usr/local/openssl097g/lib \
>           --prefix=/usr/local/radius

For static SSL libraries, this simply doesn't work; see the mailing list archive for build problems on Solaris where it was first noticed. The workaround is to use

LDFLAGS="-L/usr/local/openssl097g/lib -lssl -lcrypto" \
configure all_your_options

> As you can see I'm missing libssl. What is this and how do I install it or point freeradius to it?

It's one of OpenSSL's two libraries, and it is not being detected correctly because configure is using a wrong ordering of libraries when checking for it.

HTH,
Stefan
restrict login based on nas
Hello,

Is it possible to restrict users to login only to a specific nas client? So if they use a different nas their login should be rejected.

Thank you in advance.
Bartosz
Re: restrict login based on nas
On May 16, 2005, at 13:34, Bartosz Jozwiak wrote:

> Hello,
> Is it possible to restrict users to login only to a specific nas client? So if they use a different nas their login should be rejected.

I do that using an EXEC-PROG-WAIT module. An rlm_exec module will apparently also do that but I haven't had time to convert. There is a macro for the NAS IP address and I just include that in the argument list to the module. There is a doc on variables that has all of the info on that.
Freeradius accounting compiling question
Hello,

I am running Ubuntu and I am trying to compile FreeRadius with rlm_sqlcounter (following your advice) to be able to keep track of connection usage by user depending on tickets given to them. For this, I am doing:

make clean
./configure --with-experimental-modules

and get the following error report:

[EMAIL PROTECTED]:~/freeradius-1.0.2 $ sudo ./configure --with-experimental-modules > configure.txt
configure: warning: snmpget not found - Simultaneous-Use and checkrad.pl may not work
configure: warning: snmpwalk not found - Simultaneous-Use and checkrad.pl may not work
configure: warning: silently not building rlm_counter.
configure: warning: FAILURE: rlm_counter requires: libgdbm.
configure: warning: FAILURE: rlm_dbm requires: (ndbm.h or gdbm/ndbm.h or gdbm-ndbm.h) (libndbm or libgdbm or libgdbm_compat).
configure: warning: silently not building rlm_dbm.
configure: warning: silently not building rlm_ippool.
configure: warning: FAILURE: rlm_ippool requires: libgdbm.
configure: warning: the comm_err library isn't found!
configure: warning: silently not building rlm_krb5.
configure: warning: FAILURE: rlm_krb5 requires: krb5.
configure: warning: silently not building rlm_ldap.
configure: warning: FAILURE: rlm_ldap requires: liblber.
configure: warning: silently not building rlm_pam.
configure: warning: FAILURE: rlm_pam requires: libpam.
configure: warning: silently not building rlm_python.
configure: warning: FAILURE: rlm_python requires: Python.h libpython2.3.
configure: warning: ibm db2 headers not found. Use --with-ibmdb2-include-dir=path.
configure: warning: sql submodule 'db2' disabled
configure: warning: iodbc headers not found. Use --with-iodbc-include-dir=path.
configure: warning: sql submodule 'iodbc' disabled
configure: warning: mysql headers not found. Use --with-mysql-include-dir=path.
configure: warning: sql submodule 'mysql' disabled
configure: warning: oracle headers not found. Use --with-oracle-home-dir=path.
configure: warning: sql submodule 'oracle' disabled
configure: warning: unixODBC headers not found. Use --with-unixodbc-include-dir=path.
configure: warning: sql submodule 'unixodbc' disabled
[EMAIL PROTECTED]:~/freeradius-1.0.2 $

(NOTE) I do have libgdbm3 installed on my system.

And obviously running make from that gives me:

[EMAIL PROTECTED]:~/freeradius-1.0.2 $ sudo make
Password:
ltdl.c: In function `lt_dlopenext':
ltdl.c:2926: warning: unused variable `file_found'
radius.c: In function `rad_decode':
radius.c:1429: warning: comparison is always true due to limited range of data type
misc.c: In function `ipv6_ntoa':
misc.c:355: warning: return discards qualifiers from pointer target type
rbtree.c: In function `rbtree_insert':
rbtree.c:265: warning: assignment discards qualifiers from pointer target type
rbtree.c:278: warning: assignment discards qualifiers from pointer target type
radius.c: In function `rad_decode':
radius.c:1429: warning: comparison is always true due to limited range of data type
misc.c: In function `ipv6_ntoa':
misc.c:355: warning: return discards qualifiers from pointer target type
rbtree.c: In function `rbtree_insert':
rbtree.c:265: warning: assignment discards qualifiers from pointer target type
rbtree.c:278: warning: assignment discards qualifiers from pointer target type
rlm_eap_gtc.c: In function `gtc_detach':
rlm_eap_gtc.c:61: warning: when passing argument 1 of `free' discards qualifiers from pointer target type
rlm_eap_gtc.c:62: warning: when passing argument 1 of `free' discards qualifiers from pointer target type
rlm_eap_mschapv2.c: In function `eapmschapv2_compose':
rlm_eap_mschapv2.c:127: warning: assignation from incompatible pointer type
rlm_eap_peap.c: In function `eappeap_authenticate':
rlm_eap_peap.c:190: warning: when passing argument 2 of `record_plus' from incompatible pointer type
peap.c: In function `eappeap_postproxy':
peap.c:375: warning: unused variable `vp'
ttls.c: En la función `eapttls_postproxy':
ttls.c:744: warning: unused variable `vp'
rlm_eap_gtc.c: In function `gtc_detach':
rlm_eap_gtc.c:61: warning: passing arg 1 of `free' discards qualifiers from pointer target type
rlm_eap_gtc.c:62: warning: passing arg 1 of `free' discards qualifiers from pointer target type
rlm_eap_mschapv2.c: In function `eapmschapv2_compose':
rlm_eap_mschapv2.c:127: warning: assignment from incompatible pointer type
rlm_eap_peap.c: In function `eappeap_authenticate':
rlm_eap_peap.c:190: warning: passing arg 2 of `record_plus' from incompatible pointer type
peap.c: In function `eappeap_postproxy':
peap.c:375: warning: unused variable `vp'
ttls.c: In function `eapttls_postproxy':
ttls.c:744: warning: unused variable `vp'
rlm_exec.c: In function `exec_detach':
rlm_exec.c:162: warning: passing arg 2 of `xlat_unregister' from incompatible pointer type
rlm_exec.c: In function `exec_instantiate':
rlm_exec.c:264: warning: passing arg 2 of `xlat_register' from incompatible pointer type
rlm_exec.c: In function `exec_detach':
rlm_exec.c:162:
Re: Freeradius accounting compiling question
Software Development Group [EMAIL PROTECTED] wrote:
and get the following error report: ...

Most of which is not errors. And most of which is unhelpful.

(NOTE ) I do have libgdbm3 installed on my system.

shrug Check config.log

/usr/bin/ld: cannot find -lperl

Try installing Perl.

Alan DeKok.
Re: Freeradius accounting compiling question
On Mon, 16 May 2005 16:57:10 -0400 Software Development Group [EMAIL PROTECTED] wrote:
Hello, I am running ubuntu and I am trying to compile FreeRadius with rlm_sqlcounter

Freeradius 1.0.1-2 is available for ubuntu, maintained by Paul Hampson [EMAIL PROTECTED]. Try to install it. It should grab the deps you need for compilation if you still need to do that.
Re: restrict login based on nas
Hi.
This can be done with huntgroups or realms. I use RouterOS as my NAS, which has a Mikrotik-Realm attribute. If a user's Mikrotik-Realm stored in radcheck differs from the one configured on the NAS, the user gets rejected. This way each user can have a separate realm value stored in SQL matching the realm of the NAS.

Cheers,
Marcin Jessa

On Mon, 16 May 2005 17:34:26 -0300 Bartosz Jozwiak [EMAIL PROTECTED] wrote:
Hello, Is it possible to restrict users to login only to a specific nas client? So if they use a different nas their login should be rejected. Thank you in advance. Bartosz
Re: Need help installing.
Hi Adam, did you get help about this?

Ernesto Freyre Ramírez
Head of Operations
Qnet Soluciones Tecnológicas
Av. Paseo de la República 4675 - Lima 34
Tel.: (511) 241-4122 Ext. 2245
Fax: (511) 446-8135
Visit us at: www.qnet.com.pe

- Original Message -
From: Adam Oakley
To: freeradius-users@lists.freeradius.org
Sent: Monday, May 16, 2005 12:25 PM
Subject: Need help installing.

Hello, My name is Adam Oakley and I am trying to set up freeradius on a Linux redhat 9 server. I have downloaded the package and tried installing, and I can get a couple of steps into it and then it will not let me go any farther. So I was wondering if anyone could help me get this installed and up and working. So please email me at this email address. Thanks a lot.

Adam D. Oakley
NOC Engineer I
ITPI Solutions
115 Evergreen Heights Drive
Suite 312
Pittsburgh, PA 15229
412.415.6312 - Office
412.415.5301 - Fax
[EMAIL PROTECTED]
www.itpipgh.com
Re: restrict login based on nas
Marcin Jessa wrote:
Hi. This can be done with huntgroups or realms. I use RouterOS as my NAS, which has a Mikrotik-Realm attribute. If a user's Mikrotik-Realm stored in radcheck differs from the one configured on the NAS, the user gets rejected. This way each user can have a separate realm value stored in SQL matching the realm of the NAS.

So, how would that work in a situation as follows:

Realms:
  Local = myisp
  Roaming = globalisp

Usergroups:
  Default = dynamic
  Roaming = roaming

Now these are the rules, in simple if statements:

  if (realm == myisp) {
      if (usergroup == dynamic) {
          auth-type = accept;
      } else if (usergroup == roaming) {
          auth-type = reject;
      }
  } else if (realm == globalisp) {
      if (usergroup == dynamic || usergroup == roaming) {
          auth-type = accept;
      }
  }

So how then do I specify which NAS is in which realm?
Re: restrict login based on nas
On Mon, 16 May 2005, Bartosz Jozwiak wrote:
Hello, Is it possible to restrict users to login only to a specific nas client? So if they use a different nas their login should be rejected. Thank you in advance. Bartosz

The users file could look like this:

  someuser       NAS-IP-Address == 1.1.1.1, User-Password == pass
  someotheruser  NAS-IP-Address == 1.1.1.2, User-Password == pass2

You can do it in other backends as well.
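As an added illustration of the two approaches above (huntgroups in Marcin's reply, per-user NAS-IP-Address check items in this one), not code from any of these posts, here is a small Python model of how a users-file lookup fails closed when the NAS does not match. The huntgroup and user data are constructed, and the evaluation is a deliberate simplification of what rlm_preprocess and rlm_files do.

```python
# Added example, not from the list posts. Models FreeRADIUS users-file
# semantics: each entry is a list of check items that must ALL match, the
# first matching entry wins, and no match means "user not found", which
# the server turns into a reject. Data below is constructed for illustration.

HUNTGROUPS = {              # huntgroups file: name -> NAS-IP-Address values
    "office": {"1.1.1.1", "1.1.1.3"},
    "dialin": {"1.1.1.2"},
}

USERS = [                   # users file: (name, check items) in file order
    ("someuser", {"NAS-IP-Address": "1.1.1.1", "User-Password": "pass"}),
    ("someotheruser", {"NAS-IP-Address": "1.1.1.2", "User-Password": "pass2"}),
    ("roaming", {"Huntgroup-Name": "office", "User-Password": "pass3"}),
]


def huntgroup_names(nas_ip):
    """All huntgroups that list this NAS (simplified rlm_preprocess behaviour)."""
    return {name for name, ips in HUNTGROUPS.items() if nas_ip in ips}


def check_item_matches(attr, wanted, request):
    """Evaluate one check item against the request.

    Huntgroup-Name is derived from NAS-IP-Address; other items compare literally.
    NAS-IP-Address is whatever the NAS put in the packet: the server trusts the
    NAS itself only because clients.conf ties its source address to a shared
    secret, so the check is only as strong as that client definition.
    """
    if attr == "Huntgroup-Name":
        return wanted in huntgroup_names(request.get("NAS-IP-Address"))
    return request.get(attr) == wanted


def authorize(request):
    """'accept' for the first entry whose check items all match, else 'reject'."""
    for name, checks in USERS:
        if name != request.get("User-Name"):
            continue
        if all(check_item_matches(a, v, request) for a, v in checks.items()):
            return "accept"
    return "reject"   # no entry matched this user from this NAS: fail closed


if __name__ == "__main__":
    print(authorize({"User-Name": "someuser", "NAS-IP-Address": "1.1.1.1",
                     "User-Password": "pass"}))      # accept
    print(authorize({"User-Name": "someuser", "NAS-IP-Address": "1.1.1.2",
                     "User-Password": "pass"}))      # reject: wrong NAS
```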
Moving for Ciscosecure ACS to freeradius
Can anyone suggest a migration path to move from ACS to freeradius? My thoughts are as follows:

  NAS --- Freeradius --- ACS

With freeradius proxying the auth request / accounting to the ACS server and somehow either learning or logging the user / password pair from the nas so that it can be converted later.

Is it possible to do this, and also is it possible to add the user to an sql database, check that first, then if the user is not found try the ACS box, and send the error if both fail?

Damien