Re: Need help installing 1.0.4 on RHEL update 4

2005-07-08 Thread Paul Hampson
On Fri, Jul 08, 2005 at 11:36:33AM -0400, Ken George wrote:
> I am not a RHEL expert, but have installed the 1.0.1 RPM of freeradius.

> I am trying to get freeradius to authenticate against a Windows 2003
> Active Directory.

> Once I can get radtest to work on the server I'll configure the clients
> (Cisco VPN 3005 and console access for all my other Cisco rotuers,
> switches, etc).

> Since 1.0.1 is older I thought I'd try to get 1.0.4 in before banging
> out my .conf file problems.

> I get the following errors when I try to ./configure 1.0.4

> configure:7989: checking for ut_xtime in struct utmpx
> configure:8005: gcc -c -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
> -DOPENSSL_NO_KRB5conftest.c 1>&5
> configure: In function `main':
> configure:8001: structure has no member named `ut_xtime'<-- the
> first problem
> configure: failed program was:
> #line 7993 "configure"
> #include "confdefs.h"
> 
> #include 
> #ifndef offsetof
> #define offsetof(TYPE, MEMBER) ((int) &((TYPE *)0)->MEMBER)
> #endif
> 
> int main() {
>  int foo = offsetof(struct utmpx, ut_xtime) 
> ; return 0; }

There's no ut_xtime in struct utmpx. Why is this a problem?

> configure:8336: checking for asn1.h,snmp.h,snmp_impl.h
> configure:8364: gcc -c -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
> -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -DNDEBUG  conftest.c 1>&5
> In file included from configure:8356:
> /usr/include/ucd-snmp/asn1.h:7:2: #error "Please update your headers or
> configure using --enable-ucd-snmp-compatibility"  <-- (this error then
> occurs multiple times)

This is because you're using net-snmp in ucd-snmp compatibility
mode, and that is not supported in stock 1.0.4. You can try this
patch:
http://www.freeradius.org/cgi-bin/cvsweb.cgi/~checkout~/radiusd/debian/patches/Attic/01_NET-SNMP_build_support.dpatch?rev=1.1.2.2&content-type=text/plain&hideattic=0
although be warned that if your net-snmp is not configured exactly
the same as your FreeRADIUS, you _will_ get nasty nasty problems. I
believe these problems were first observed on a RedHat system, which
ships a net-snmp package which doesn't necessarily match the defines
you need to build FreeRADIUS.

Your other choice is to upgrade to CVS HEAD, but that may not be in
working condition right now. (Someone mentioned a proxying problem
earlier...)

-- 
Paul "TBBle" Hampson, on an alternate email client.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticating to a Windows 2003 active directory

2005-07-08 Thread Alan DeKok
"Ken George" <[EMAIL PROTECTED]> wrote:
> When I try to test with radtest I get the following:
...

  The debug logs from the server are helpful.  The output of "radtest" isn't.

> Exerpts from radiusd.conf and users follow:
...

  You can't get passwords from AD.  It's impossible.

  You have to use ntlm_auth.  Please read "radiusd.conf".

  Alan DeKok.


Re: Need help installing 1.0.4 on RHEL update 4

2005-07-08 Thread Alan DeKok
"Ken George" <[EMAIL PROTECTED]> wrote:
> I get the following errors when I try to ./configure 1.0.4

  100% of what you posted isn't errors, it's internal logs from
"configure", as it tries to figure out what's on your system.  Calling
them "errors" is a mistake, and misleading.  Posting the log file is
not very useful, either.

  Are there REAL errors you ran into?

  Alan DeKok.


Re: EAP-TTLS and PEAP auth problem ... sorry!!

2005-07-08 Thread Alan DeKok
Gandalf the Gray <[EMAIL PROTECTED]> wrote:
> I would like to submit user and password to my LDAP
> server, and this one have to check the right
> relationship!

  LDAP is a database, not an authentication server.

  FreeRADIUS is an authentication server.

> Now: is it possible to tell MSCHAP to use LDAP or
> passwd file to authenticate the user?
> And, before this, is it possible to obtain the PW from
> the EAP challenge in order to submit it further?

  No.  It's impossible, and designed to be impossible.

  Make the LDAP server return a clear-text, or NT-Password to
FreeRADIUS, and it will Just Work.

  Any other combination is impossible.

  Alan DeKok.



Re: Problem with 1.1.0-pre0 - CVS Snapshot of 30th of June

2005-07-08 Thread Alan DeKok
"Jaco van Tonder" <[EMAIL PROTECTED]> wrote:
> Assertion failed in request_list.c, line 724
> 
> This ONLY happens for proxied requests. All local requests gets
> authenticated ok.
> 
> What can be the problem

  The code is being updated.  Did you not see my response to the
previous report of this problem?

  Alan DeKok.



Re: Radius, Radsec, Diameter [was: Silly question - secure Radius?]

2005-07-08 Thread Alan DeKok
Stefan Winter <[EMAIL PROTECTED]> wrote:
> Speaking of a radar - is an implementation of the Diameter protocol
> something you have on that radar as well?

  Why the heck would we do that?

> To my knowledge, no real usable implementation exists. The only
> serious thing on Open Source side I have seen is opendiameter
> (www.opendiameter.org), but they are only providing libraries for
> Diameter internals so far. If you want to do a real, practical task,
> like "I would like to authnuse Active Directory as a backend
> authentication and TTLS-PAP for the credential transport" you are
> pretty much on your own right now.

  See "wire diameter", from Taiwan.  I recall it's a student project,
but it does give a minimal diameter server.

  But again, can you think of *one* client implementation of diameter?
I can't.

  Alan DeKok.



Re: PEAP/mschapv2 fails first time

2005-07-08 Thread Alan DeKok
"Graham, Robert" <[EMAIL PROTECTED]> wrote:
> I FINALLY got a user to authenticate against Active Directory via
> freeradius using PEAP and mschapv2. but I still have one issue.  When
> the user first logs on, the authentication fails.  Approximately 60
> seconds later the client tries to re-authenticate and it is successful. 
> The client (supplicant) is using the Aegis client and both logon and desktop
> profiles are the same. Any ideas?

  The debug log, even though it's large, contains the answers.  Look
for words like "invalid", "reject", or "fail".

> rlm_eap_tls: Received EAP-TLS ACK message
>   rlm_eap_tls: ack alert
>   eaptls_verify returned 4
>   eaptls_process returned 4
>   rlm_eap_peap: EAPTLS_OTHERS
>  rlm_eap: Handler failed in EAP/peap
>   rlm_eap: Failed in EAP select
>   modcall[authenticate]: module "eap" returns invalid for request 5
> modcall: group authenticate returns invalid for request 5
> auth: Failed to validate the user.

  That would seem to say that something went wrong.  It's not clear
why.

  Alan DeKok.


Re: Problems with installing to /etc and /var

2005-07-08 Thread Michael Cooper

Hey jck,

Oh, I am sorry, yeah, how stupid of me. Yup, I ran into that very same thing.
Dang, let me remember what I did to fix it and I'll email ya the solution.


See ya
Michael A Cooper
BCCISP.net
http://www.bccisp.net
281-854-2079
"Technology that counts, voices that matter!"
- Original Message - 
From: <[EMAIL PROTECTED]>

To: 
Sent: Friday, July 08, 2005 6:39 PM
Subject: Problems with installing to /etc and /var



Hello Michael,

On Fri, Jul 08, 2005 at 05:36:26PM -0500, Michael Cooper wrote:

Hello jck,

I don't know what the proper permissions are, however


My problem is not permissions related.  I am trying to install FreeRADIUS
so that it references /etc/raddb, and writes to /var/log/radius.

Instead, I receive the following upon startup:

radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging:
Permission denied

Granted, this is a permissions error.  Please note, I am not worried about
the permission error.  Instead, I am worried about radiusd trying
to reference:

/usr/local/var/log/radius/radius.log

when it should be referring to:

/var/log/radius/radius.log

I still require assistance with this matter!



- Original Message - 
From: <[EMAIL PROTECTED]>

To: 
Sent: Friday, July 08, 2005 4:37 PM
Subject: Problems with installing to /etc and /var


>I am running freeradius-1.0.4 from source, on SLES 9.0.  I want to 
>install

>freeradius so that it uses /etc and /var, and not /usr/local/etc and
>/usr/local/var.
>
>If I do:
>
>/usr/local/src/freeradius-1.0.4 # make clean && make distclean
>
>/usr/local/src/freeradius-1.0.4 #
>./configure --disable-shared --without-rlm_x99_token --prefix=/
>--localstatedir=/var --sysconfdir=/etc --exec-prefix=/
> --bindir=/usr/local --sbin=/usr/local --libexec=/usr/local
> --datadir=/usr/local --libdir=/usr/local --includedir=/usr/local
> --oldincludedir=/usr/local --infodir=/usr/local --mandir=/usr/local &&
> make
>
>Why do I receive this error message:
>
>/usr/local/src/freeradius-1.0.4 # src/main/radiusd
>Fri Jul  8 15:49:43 2005 : Info: Starting - reading configuration files
>...
>radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging:
>Permission denied
> (rlm_exec: Wait=yes but no output defined. Did you mean output=none?)
It looks like to me you have to chmod 644 /usr/local/var/log/radius/ <-
this dir then also make sure it is creating the proper log file ->
radius.log
Maybe one of these other gurus knows better what to tell you.  I ran
into that problem as well a week ago I think.
>
>
>There should be no reference to:
>
>Couldn't open /usr/local/var/log/radius/radius.log
>
>Full logs of configure and make are viewable at:
>http://www.southwestern.edu/~johnk/freeradius_build_logs.txt
>
>Additionally, why isn't there a Makefile method for deinstallation?
>
>Thanks,
>--johnk
>
>
>

Good luck,
Michael A Cooper
BCCISP.net
http://www.bccisp.net
281-854-2079
"Technology that counts, voices that matter!"




Thank you,
--johnk

- End forwarded message -











Re: Service-Type: Outbound vs. Outbound-User

2005-07-08 Thread Alan DeKok
Gerald Krause <[EMAIL PROTECTED]> wrote:
> we have only cisco NAS's in production and all the examples on cisco.com 
> using "outbound".

  They also give ACS in their examples.  Does that mean you use ACS?

  In any case, it's simple enough to fix, if you so care.

  Edit /etc/raddb/dictionary, and add the definitions you like.  You
can then use them in your configuration.

> but i am in doubt because i saw nobody else with this 'problem' (yea, maybe 
> because it is not really one). are they all using "outbound-user" from 
> beginning?

  Yes.

  Alan DeKok.



Re: Problems with installing to /etc and /var

2005-07-08 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> My problem is not permissions related.  I am trying to install FreeRADIUS
> so that it references /etc/raddb, and writes to /var/log/radius. 

  The locations of the files and directories used by the server are
defined in radiusd.conf.

$ vi /etc/raddb/radiusd.conf
/logdir

:wq

  Alan DeKok.


Problems with installing to /etc and /var

2005-07-08 Thread jck-freeradius
Hello Michael,

On Fri, Jul 08, 2005 at 05:36:26PM -0500, Michael Cooper wrote:
> Hello jck,
> 
> I don't know what the proper permissions are, however

My problem is not permissions related.  I am trying to install FreeRADIUS
so that it references /etc/raddb, and writes to /var/log/radius. 

Instead, I receive the following upon startup:

radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging:
Permission denied

Granted, this is a permissions error.  Please note, I am not worried about
the permission error.  Instead, I am worried about radiusd trying
to reference:

/usr/local/var/log/radius/radius.log

when it should be referring to:

/var/log/radius/radius.log

I still require assistance with this matter! 

> 
> - Original Message - 
> From: <[EMAIL PROTECTED]>
> To: 
> Sent: Friday, July 08, 2005 4:37 PM
> Subject: Problems with installing to /etc and /var
> 
> 
> >I am running freeradius-1.0.4 from source, on SLES 9.0.  I want to install
> >freeradius so that it uses /etc and /var, and not /usr/local/etc and 
> >/usr/local/var.
> >
> >If I do:
> >
> >/usr/local/src/freeradius-1.0.4 # make clean && make distclean
> >
> >/usr/local/src/freeradius-1.0.4 # 
> >./configure --disable-shared --without-rlm_x99_token --prefix=/ 
> >--localstatedir=/var --sysconfdir=/etc --exec-prefix=/ 
> > --bindir=/usr/local --sbin=/usr/local --libexec=/usr/local 
> > --datadir=/usr/local --libdir=/usr/local --includedir=/usr/local 
> > --oldincludedir=/usr/local --infodir=/usr/local --mandir=/usr/local && 
> > make
> >
> >Why do I receive this error message:
> >
> >/usr/local/src/freeradius-1.0.4 # src/main/radiusd
> >Fri Jul  8 15:49:43 2005 : Info: Starting - reading configuration files 
> >...
> >radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging: 
> >Permission denied
> > (rlm_exec: Wait=yes but no output defined. Did you mean output=none?)
> It looks like to me you have to chmod 644 /usr/local/var/log/radius/ <- 
> this dir then also make sure it is creating the proper log file -> 
> radius.log
> Maybe one of these other gurus knows better what to tell you.  I ran 
> into that problem as well a week ago I think.
> >
> >
> >There should be no reference to:
> >
> >Couldn't open /usr/local/var/log/radius/radius.log
> >
> >Full logs of configure and make are viewable at:
> >http://www.southwestern.edu/~johnk/freeradius_build_logs.txt
> >
> >Additionally, why isn't there a Makefile method for deinstallation?
> >
> >Thanks,
> >--johnk
> >
> >
> >
> 
> Good luck,
> Michael A Cooper
> BCCISP.net
> http://www.bccisp.net
> 281-854-2079
> "Technology that counts, voices that matter!" 
> 
> 

Thank you,
--johnk

- End forwarded message -



Re: Problems with installing to /etc and /var

2005-07-08 Thread Michael Cooper

Hello jck,

I don't know what the proper permissions are, however

- Original Message - 
From: <[EMAIL PROTECTED]>

To: 
Sent: Friday, July 08, 2005 4:37 PM
Subject: Problems with installing to /etc and /var



I am running freeradius-1.0.4 from source, on SLES 9.0.  I want to install
freeradius so that it uses /etc and /var, and not /usr/local/etc and 
/usr/local/var.


If I do:

/usr/local/src/freeradius-1.0.4 # make clean && make distclean

/usr/local/src/freeradius-1.0.4 # 
./configure --disable-shared --without-rlm_x99_token --prefix=/ --localstatedir=/var 
 --sysconfdir=/etc --exec-prefix=/ --bindir=/usr/local --sbin=/usr/local --libexec=/usr/local 
 --datadir=/usr/local --libdir=/usr/local --includedir=/usr/local --oldincludedir=/usr/local 
 --infodir=/usr/local --mandir=/usr/local && make


Why do I receive this error message:

/usr/local/src/freeradius-1.0.4 # src/main/radiusd
Fri Jul  8 15:49:43 2005 : Info: Starting - reading configuration files 
...
radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging: 
Permission denied

 (rlm_exec: Wait=yes but no output defined. Did you mean output=none?)
It looks like to me you have to chmod 644 /usr/local/var/log/radius/ <- this 
dir then also make sure it is creating the proper log file -> radius.log
Maybe one of these other gurus knows better what to tell you.  I ran into 
that problem as well a week ago I think.



There should be no reference to:

Couldn't open /usr/local/var/log/radius/radius.log

Full logs of configure and make are viewable at:
http://www.southwestern.edu/~johnk/freeradius_build_logs.txt

Additionally, why isn't there a Makefile method for deinstallation?

Thanks,
--johnk







Good luck,
Michael A Cooper
BCCISP.net
http://www.bccisp.net
281-854-2079
"Technology that counts, voices that matter!" 



Re: Chap password failing with Cisco

2005-07-08 Thread Brent Smith
On 7/1/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Brent Smith schrieb:
> 
> > I am trying to get freeradius to authenticate chap for a
> > ISDN backup call on a cisco. I am running version 1.0.1.
> > I am in control of server and clients, so I know the
> > passwords match, but the logs say they do not.
> 
> IIRC earlier 1.0.x releases have problems with MD5 (and thus
> CHAP) on some hardware (e.g. 64-bit (like AMD-64)
> or big-endian (like SPARC) processors), so if you're running
> one of those, an update might be helpful. Search the mailing
> list archives for details...

I am not running on any of those platforms, but I upgraded to 1.0.4
with the same result.

> 
> Also, if all is fine in that respect, your packet seems to contain
> CHAP-Password only, no "CHAP-Challenge". IIRC, there's
> a rule on how to automatically derive a CHAP-Challenge
> from the rest of the RADIUS packet, but I have no idea how
> well this is supported by server and various clients, so
> maybe there's some problem hidden there?
> 
> Regards,
>  Stefan
> 

There have to be other users out there who are using chap with Ciscos. Anyone?



Re: Shipping freeradius and mysql

2005-07-08 Thread Marcin Jessa
On Fri, 8 Jul 2005 14:00:09 -0700 (PDT)
Sonali Karmarkar <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> I am using freeradius 1.0.2 on mandrake 10.1.
> The question I want to post is about shipping freeradius
> to customers. 
> I have written a script to install freeradius, mysql, java and 
> my product. Every time I use the script, I run into different
> errors while installing freeradius. The errors range from
> rlm_sql drivers errors , rlm_token errors, sometimes c compiler
> settings on my system. 

Seems like your script needs some sanity checks, e.g. check if mysql headers are 
there etc. before compiling.

> What is the correct way to ship freeradius to the customer so that 
> all the installation errors are taken care of ?

One way would be to create a package for your system with precompiled binaries.
Another way would be to use a system with ports or similar if you want to 
compile your freeradius.
And then possibly create a package of your compiled bins.
On FreeBSD you run:
# cd /usr/ports/net/freeradius/ ;  make package
Then you can install your package on any supported system with pkg_add 
freeradius-1.0.2.tbz
Pretty trivial.
It is also doable on Mandrake if you build an rpm.
Btw, 1.0.2 has security holes and 1.0.4 is out.

Cheers,
Marcin Jessa


Re: Service-Type: Outbound vs. Outbound-User

2005-07-08 Thread Gerald Krause
hello alan,

Am Freitag, 8. Juli 2005 22:37 schrieb Alan DeKok:
> Gerald Krause <[EMAIL PROTECTED]> wrote:
> > according to rfc2865 value 5 of attr 6 should be named "Outbound" and
> > not "Outbound-User" (if i have read the rfc well) and that causes all
> > my dial-out's fail after installing v1.0.4 because all users were
> > configured with "Outbound". even though fixing was dead easy - have i
> > misunderstood the rfc?
>
>   No.  But the names are essentially irrelevant.

yes, i know.

>   You didn't say what you upgraded from (or if you upgraded), or if
> you just typed in "outbound" from the RFC's.

we have only cisco NAS's in production and all the examples on cisco.com 
using "outbound".

since using freeradius (from 0.4 or so, livingston/cistron before) i 
remember that i stumbled on this more than once (after every upgrade?) but 
asking now the first time about some basics:

i know i can easily change all my "outbound" values into "outbound-user" in 
order to make further upgrades simpler but i wonder if it would make sense 
to change the default value in the dictionary or include "outbound" in 
dictionary.cisco (even it looks not cisco specific because the rfc tells 
the same)?

but i am in doubt because i saw nobody else with this 'problem' (yea, maybe 
because it is not really one). are they all using "outbound-user" from 
beginning? do they all edit the dictionary? or nobody runs dial-out? hm, 
sounds more philosophic ;) ...anyway, that was my impulse to ask.


 -gerald


Problems with installing to /etc and /var

2005-07-08 Thread jck-freeradius
I am running freeradius-1.0.4 from source, on SLES 9.0.  I want to install
freeradius so that it uses /etc and /var, and not /usr/local/etc and 
/usr/local/var.

If I do:

/usr/local/src/freeradius-1.0.4 # make clean && make distclean

/usr/local/src/freeradius-1.0.4 # ./configure --disable-shared 
--without-rlm_x99_token --prefix=/ --localstatedir=/var --sysconfdir=/etc 
--exec-prefix=/ --bindir=/usr/local --sbin=/usr/local --libexec=/usr/local 
--datadir=/usr/local --libdir=/usr/local --includedir=/usr/local 
--oldincludedir=/usr/local --infodir=/usr/local --mandir=/usr/local && make 

Why do I receive this error message:

/usr/local/src/freeradius-1.0.4 # src/main/radiusd
Fri Jul  8 15:49:43 2005 : Info: Starting - reading configuration files ...
radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging: 
Permission denied
  (rlm_exec: Wait=yes but no output defined. Did you mean output=none?)


There should be no reference to:

Couldn't open /usr/local/var/log/radius/radius.log

Full logs of configure and make are viewable at:
http://www.southwestern.edu/~johnk/freeradius_build_logs.txt

Additionally, why isn't there a Makefile method for deinstallation?

Thanks,
--johnk 


Re: PEAP docs

2005-07-08 Thread Mario Alberto Cruz Gartner
Maybe 
http://howtos.linux.com/howtos/8021X-HOWTO/freeradius.shtml
and
http://www.dslreports.com/forum/remark,9286052~mode=flat

could help you!


On 7/7/05, Albrecht, Robert-Manfred
<[EMAIL PROTECTED]> wrote:
> Hello,
> 
> some months ago I had a cool document describing the installation of freeradius 
> for eap-peap (over wlan) with windows as client.
> 
> I lost the url. Could anyone forward me the url ?
> 
> Regards,
> Robert
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>



Re: Problems with the PEAP configuration

2005-07-08 Thread Mario Alberto Cruz Gartner
Yeah yeah!
I forgot the debug log:

rad_recv: Access-Request packet from host 192.168.20.7:55049, id=131, length=136
User-Name = "jairo"
NAS-IP-Address = 192.168.20.7
Called-Station-Id = "00-0c-41-b1-37-07"
Calling-Station-Id = "00-0b-7d-0f-f7-35"
NAS-Identifier = "Linksys BEFW11S4-V4.X"
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x024f000a016a6169726f
Message-Authenticator = 0x2d2f9ce59d72aedecb32c31db5cbf1ed
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat:  'jairo'
rlm_sql (sql): sql_set_user escaped user --> 'jairo'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'jairo' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'jairo' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = 'jairo' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'jairo' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Eap
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 131 to 192.168.20.7:55049
EAP-Message = 0x01561920
Message-Authenticator = 0x
State = 0x73087f91b1e8f8d908364c1aeea4fc1f
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.7:55048, id=132, length=224
User-Name = "jairo"
NAS-IP-Address = 192.168.20.7
Called-Station-Id = "00-0c-41-b1-37-07"
Calling-Station-Id = "00-0b-7d-0f-f7-35"
NAS-Identifier = "Linksys BEFW11S4-V4.X"
State = 0x73087f91b1e8f8d908364c1aeea4fc1f
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x02500050198000461603010041013d030142ceeedbb9bd19eb466e47c1cf1b58144e405ca28fb495535ea26f31c0d076221600040005000a000900640062000300060013001200630100
Message-Authenticator = 0xca8acd898fe7920feb3e4ef9dc5f726f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
radius_xlat:  'jairo'
rlm_sql (sql): sql_set_user escaped user --> 'jairo'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'jairo' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'jairo' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = 'jairo' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'jairo' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module "sql" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type Eap
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0662], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write se

Problems with the PEAP configuration

2005-07-08 Thread Mario Alberto Cruz Gartner
Hi!
I finally found out why the client (XP SP2) was sending the username
"PEAP-MacAddress" to the radius.
I have installed the "Cisco Aironet Client Utility" (and the Aironet
drivers), and this software changed the EAP methods on XP and sends
the mentioned user instead of the real one when it tries PEAP auth.

Now, the real username comes to the radius, the authorize comes ok,
but the authenticate returns "handled" and the client doesn't
authenticate well.

I was looking at the debug output and now I don't see where I can dig for details.
EAP/TLS works fine already.

Maybe i'm misleading something?
What i'm doing wrong?

Again, thanks a lot for your help; it's annoying to answer too many
similar questions, I know, but I didn't find anything to do now about
this. AND, I was thinking of making an updated version of the guides so
people with less experience (like me!) can read them and not disturb you. =)



Shipping freeradius and mysql

2005-07-08 Thread Sonali Karmarkar
Hi,

I am using freeradius 1.0.2 on mandrake 10.1.
The question I want to post is about shipping freeradius
to customers. 
I have written a script to install freeradius, mysql, java and 
my product. Every time I use the script, I run into different
errors while installing freeradius. The errors range from
rlm_sql drivers errors , rlm_token errors, sometimes c compiler
settings on my system. 
What is the correct way to ship freeradius to the customer so that 
all the installation errors are taken care of ?

Thanks and Regards
Sonali



Re: Service-Type: Outbound vs. Outbound-User

2005-07-08 Thread Alan DeKok
Gerald Krause <[EMAIL PROTECTED]> wrote:
> according to rfc2865 value 5 of attr 6 should be named "Outbound" and not 
> "Outbound-User" (if i have read the rfc well) and that causes all my 
> dial-out's fail after installing v1.0.4 because all users were configured 
> with "Outbound". even though fixing was dead easy - have i misunderstood 
> the rfc?

  No.  But the names are essentially irrelevant.

  You didn't say what you upgraded from (or if you upgraded), or if
you just typed in "outbound" from the RFC's.

  Alan DeKok.



Service-Type: Outbound vs. Outbound-User

2005-07-08 Thread Gerald Krause
hi,

according to rfc2865 value 5 of attr 6 should be named "Outbound" and not 
"Outbound-User" (if i have read the rfc well) and that causes all my 
dial-out's fail after installing v1.0.4 because all users were configured 
with "Outbound". even though fixing was dead easy - have i misunderstood 
the rfc?


 -gerald


Re: High performance request remapping / rewriting

2005-07-08 Thread Alan DeKok
Phil Mayers <[EMAIL PROTECTED]> wrote:
> ...but that's still too large, so maybe:
> 
> nasip -> zone
> clientmac -> clienttype (there are 5 types - unreg, guest, roaming, 
> home, blocked)
> (clienttype, zone) -> vlan
> 
> ...which would be much smaller, but I can't see how you do this.

  The simplest way is to not use the "users" file.  Use rlm_passwd,
and have multiple instances.  e.g.

modules {
...
  passwd nas2zone {
    filename = ${raddbdir}/nas2zone.txt
    format = "*Client-IP-Address:~Zone-Name"
    hashsize = 1000
    allowmultiplekeys = no
  }

  passwd mac2type {
    filename = ${raddbdir}/mac2type.txt
    format = "*Calling-Station-Id:~MAC-Type"
    hashsize = 1000
    allowmultiplekeys = no
  }
 ...
}

  List "nas2zone" and "mac2type" in the "authorize" section, and
create new attributes in the dictionary: Zone-Name & MAC-Type.

  After that, the rlm_passwd module can't really use 2 attributes to
look up data, so you'll have to use the "users" file, as in your post.

  But the "passwd" module lets you manage the nas & Mac mappings as
simple flat-text files, which is pretty nice.

> # Fallback - unknown hosts
> DEFAULT Calling-Station-Id =~ 
> "^[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}$" 
> , User-Password = `%{0}`
>Kind = "unreg"

  The "passwd" module doesn't have defaults, so I'm not sure how to do
the above.

> Ideally an apache-like feature of DBM mapping is what's needed of 
> something like:
> 
> /etc/raddb/radiusd.conf:
> 
> attr_rewrite nas2zone {
>attribute = NAS-IP-Address
>searchin = packet
>searchfor = "(.*)"
>replacewith = "%{dbm:nas2zone:%{1}}"

  That's not a bad idea.  The dynamic string expansion functionality
of the server would be very good for that.

> The issue is that this needs to go very very fast - at peak times (e.g. 
> say a reboot of a PC cluster during overnight maintenance) the DHCP 
> servers get ~50 requests/second, so a radius server(s) would need to 
> answer with similar performance.

  That is a high load.

> I'm assuming rlm_exec would have similar if not worse performance 
> characterisitcs (spawning 50 processes a second during peak times does 
> not strike me as overly sensible). Is there an rlm_socket:

  No, sorry.  That would be a good idea, though.  OpenRADIUS does
this, which is a good idea for many situations.  But passing that much
data through a socket may be problematic.

  If all else fails, try using rlm_perl.  The version in 1.0.4 may
have issues, but the one in the CVS head should be OK.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ippool corrections

2005-07-08 Thread Alan DeKok
"Marek Gradzki" <[EMAIL PROTECTED]> wrote:
> unfortunately all sessions that are terminated in the box working
> with radius come to this device by the same port. So I had to
> rewrite a little bit rlm_ippool module to verify used ip addresses
> not only by nas device and nas port but also by user name.

  The version of rlm_ippool in the CVS snapshot has a configurable
key, so it should solve this problem.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: "LOGIN INCORRECT" and "LOGIN OK"

2005-07-08 Thread Alan DeKok
Bruno Machado <[EMAIL PROTECTED]> wrote:
> I already tried to discover the problem, but I didn't
> find anything.

  Have you tried running it in debugging mode?

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


"LOGIN INCORRECT" and "LOGIN OK"

2005-07-08 Thread Bruno Machado
Hi friends

There is something weird happening here. This is
our log about a user:

Wed Jun 29 22:36:03 2005 : Auth: Login incorrect:
[EMAIL PROTECTED]/]
(from client 10.5.0.2 port 5060)

Wed Jun 29 22:36:04 2005 : Auth: Login incorrect:
[EMAIL PROTECTED]/]
(from client 10.5.0.2 port 5060)

Wed Jun 29 22:36:57 2005 : Auth: Login incorrect:
[EMAIL PROTECTED]/]
(from client 10.5.0.2 port 5060)

Wed Jun 29 22:37:00 2005 : Auth: Login OK:
[EMAIL PROTECTED]/] 
(from client 10.5.0.2 port 5060)

Wed Jun 29 22:37:00 2005 : Auth: Login incorrect:
[EMAIL PROTECTED]/]
(from client 10.5.0.2 port 5060)


I already tried to discover the problem, but I didn't
find anything. We are using Radius in a VoIP system.
If I configure my SIP client with the user's information,
Radius allows my access to the system. Unfortunately,
when the data arrive from the SIP client's user,
Radius denies it. Rarely, Radius returns "LOGIN OK".
Weird... Maybe the ADSL router's user could be
corrupting the data?
And our system is working perfectly for the other
users.
Thanks for any comments.

Bruno Machado

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Debug vs. Run mode

2005-07-08 Thread Radius

Where is your binary?

might be under /etc/rc.d/rc.radiusd start

Or depending where your binary is located

/opt/freeradius/sbin/radiusd
will start it

/opt/freeradius/sbin/radiusd -x or -xx
for debug.


Alan DeKok wrote:

> "Jamie Chitester" <[EMAIL PROTECTED]> wrote:
>
> > If I run /etc/init.d/radiusd start and try to authenticate I get "no
> > response from server (timed out)"
>
>   Odds are the server isn't running.
>
>   Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Debug vs. Run mode

2005-07-08 Thread Alan DeKok
"Jamie Chitester" <[EMAIL PROTECTED]> wrote:
> If I run /etc/init.d/radiusd start and try to authenticate I get "no
> response from server (timed out)"

  Odds are the server isn't running.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: class attribute wont pass

2005-07-08 Thread Brian

Dusty Doris wrote:

> > rad_recv: Access-Accept packet from host 63.174.xxx.xx:1645, id=1,
> > length=218
> > Proxy-State = 0x3735
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Ascend-Data-Filter = "ip in forward tcp est"
> > Ascend-Data-Filter = "ip in forward dstip 63.174.xxx.x/24 0"
> > Ascend-Data-Filter = "ip in drop tcp dstport = 25"
> > Ascend-Data-Filter = "ip in forward 0"
> > Idle-Timeout = 1800
> > Session-Timeout = 21600
> > Propel-Accelerate = 1
> > X-Ascend-Idle-Limit = 1800
> > X-Ascend-Maximum-Time = 28800
> > Class = "IEAS1\005378602\003292"
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 73
> >  attr_filter: Matched entry DEFAULT at line 84
> >   modcall[authorize]: module "attr_filter" returns updated for request 73
>
> What does line 84 of the attrs file say?  Perhaps you are filtering out
> the class attribute.  Read the manpage rlm_attr_filter.  If you don't
> intend on filtering any of the reply values, then comment out attr_filter
> in radiusd.conf.  Or maybe you just need to add Class to it.

Thank you very much.  This pointed me in the right direction.  I was 
filtering out the class attribute, so I added it.  I'm still getting 
used to freeradius.


Thanks again.

Brian Taylor
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Debug vs. Run mode

2005-07-08 Thread Jamie Chitester








I have a problem...

I am running Fedora Core 4, FreeRADIUS 1.0.2 and MySQL 4.1.11.

I am using the NTRadPing Test Utility to test the radius server.

I can get an Access-Accept response from MySQL only when I am
running in debug mode (radiusd -X).

If I run /etc/init.d/radiusd start and try to authenticate I
get "no response from server (timed out)".

Any ideas?

Jamie Chitester
Information Technology Department Manager
City Light Gas & Water
Phone: (573)888-5366 ext. 109
Cell: (573)888-7371
Fax: (573)888-3312
http://www.clgw.net

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Authenticating to a Windows 2003 active directory

2005-07-08 Thread Ken George
Does anyone have a working radiusd.conf and users file I could see, as I
have been unsuccessful configuring
FreeRADIUS 1.0.1 to talk to my Active Directory.

When I try to test with radtest I get the following:


[EMAIL PROTECTED] freeradius-1.0.4]# radtest "ken george" "xx"
localhost 1 testing123
Sending Access-Request of id 105 to 127.0.0.1:1812
User-Name = "ken george"
User-Password = "xx"
NAS-IP-Address = phllnxsrv01
NAS-Port = 1
Re-sending Access-Request of id 105 to 127.0.0.1:1812
User-Name = "ken george"
User-Password = "\030\035`\222\375Q\267\301\357\270O\352\335Kj3"
NAS-IP-Address = phllnxsrv01
NAS-Port = 1
Re-sending Access-Request of id 105 to 127.0.0.1:1812
User-Name = "ken george"
User-Password = "\030\035`\222\375Q\267\301\357\270O\352\335Kj3"
NAS-IP-Address = phllnxsrv01
NAS-Port = 1

Is my radtest string correct?

Excerpts from radiusd.conf and users follow:

Radiusd.conf


# Lightweight Directory Access Protocol (LDAP)
#
#  This module definition allows you to use LDAP for
#  authorization and authentication (Auth-Type := LDAP)
#
#  See doc/rlm_ldap for description of configuration options 
#  and sample authorize{} and authenticate{} blocks 
ldap {
        server = "phldcsrv01.us.mi-services.net"
        identity = "cn=ken george,o=US Users,c=us.mi-services.net"
        password = 262144
        basedn = "o=phldcsrv01,c=us.mi-services.net"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = no

        # tls_cacertfile    = /path/to/cacert.pem
        # tls_cacertdir     = /path/to/ca/dir/
        # tls_certfile      = /path/to/radius.crt
        # tls_keyfile       = /path/to/radius.key
        # tls_randfile      = /path/to/rnd
        # tls_require_cert  = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = "{clear}"
        #
        #  The server can usually figure this out on its own, and pull
        #  the correct User-Password or NT-Password from the database.
        #
        #  Note that NT-Passwords MUST be stored as a 32-digit hex
        #  string, and MUST start off with "0x", such as:
        #
        #   0x000102030405060708090a0b0c0d0e0f
        #
        #  Without the leading "0x", NT-Passwords will not work.
        #  This goes for NT-Passwords stored in SQL, too.
        #
        # password_attribute = userPassword
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
}

(output suppressed)

authorize {
        #
        #  The preprocess module takes care of sanitizing some bizarre
        #  attributes in the request, and turning them into attributes
        #  which are more standard.
        #
        #  It takes care of processing the 'raddb/hints' and the
        #  'raddb/huntgroups' files.
        #
        #  It also adds the %{Client-IP-Address} attribute to the request.
        preprocess

        #
        #  If you want to have a log of authentication requests,
        #  un-comment the following line, and the 'detail auth_log'
        #  section, above.
        #   auth_log

        #   attr_filter

        #
        #  The chap module will set 'Auth-Type := CHAP' if we are
        #  handling a CHAP request and Auth-Type has not already been set
        chap

        #
        #  If the users are logging in with an MS-CHAP-Chal
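An added example, not from Ken's post and not radtest or FreeRADIUS code: the RFC 2865 section 5.2 User-Password hiding. The radtest output above prints User-Password as 16 opaque bytes on its re-sends, which is the size of one hidden block for a short password; this code shows how that hiding works and why the shared secret is the only thing protecting a PAP password on the wire. The secret and password are the ones from the radtest command line; the Request Authenticator is constructed here.

```python
# Added example, not from the thread or from radtest: the RFC 2865 section 5.2
# User-Password hiding that produces 16-byte opaque values like the one radtest
# prints on its re-sends above. Secret and password are the ones from the
# radtest command line; the Request Authenticator is constructed here.
import hashlib
import os


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16 and XOR each block with MD5(secret + previous block)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()   # b_i = MD5(S + c_(i-1))
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                                      # chained like CBC
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. Trailing NULs are padding and are stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def roundtrip(password: bytes, secret: bytes, authenticator: bytes) -> tuple:
    """Hide, then unhide with the right secret; return (hidden length, recovered)."""
    hidden = hide_password(password, secret, authenticator)
    return len(hidden), unhide_password(hidden, secret, authenticator)


if __name__ == "__main__":
    secret = b"testing123"          # radtest's secret in the thread's command line
    authenticator = os.urandom(16)  # fresh per request: the keystream is MD5(secret + it)
    length, back = roundtrip(b"xx", secret, authenticator)
    print(length, back)             # 16 b'xx'
    # Anyone holding the shared secret and the packet recovers the password;
    # a guessed secret can be tested offline against one captured packet.
    print(unhide_password(hide_password(b"xx", secret, authenticator), b"guess", authenticator))
```

The keystream is MD5(secret || authenticator) and a captured Access-Request contains the authenticator, so the hiding is only as strong as the secret: "testing123" is fine for a loopback radtest and nothing else, and RADIUS between the server and a VPN concentrator or switch should cross a network that cannot be sniffed.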

Need help installing 1.0.4 on RHEL update 4

2005-07-08 Thread Ken George
I am not a RHEL expert, but have installed the 1.0.1 RPM of freeradius.

I am trying to get freeradius to authenticate against a Windows 2003
Active Directory.

Once I can get radtest to work on the server I'll configure the clients
(Cisco VPN 3005 and console access for all my other Cisco rotuers,
switches, etc).

Since 1.0.1 is older I thought I'd try to get 1.0.4 in before banging
out my .conf file problems.

I get the following errors when I try to ./configure 1.0.4

This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

configure:748: checking for gcc
configure:861: checking whether the C compiler (gcc  ) works
configure:877: gcc -o conftestconftest.c  1>&5
configure:903: checking whether the C compiler (gcc  ) is a
cross-compiler
configure:908: checking whether we are using GNU C
configure:936: checking whether gcc accepts -g
configure:969: checking how to run the C preprocessor
configure:1049: checking for AIX
configure:1075: checking whether gcc needs -traditional
configure:1121: checking whether we are using SUNPro C
configure:1141: checking for ranlib
configure:1176: checking whether byte ordering is bigendian
configure:1269: checking for gmake
configure:1337: checking for gmake

(normal output suppressed)

configure:7793: checking for initgroups
configure:7857: checking whether crypt must be declared
configure:7857: checking whether strncasecmp must be declared
configure:7857: checking whether strcasecmp must be declared
configure:7857: checking whether inet_aton must be declared
configure:7857: checking whether gethostname must be declared
configure:7857: checking whether setlinebuf must be declared
configure:7857: checking whether getusershell must be declared
configure:7857: checking whether endusershell must be declared
configure:7944: checking return type of signal handlers
configure:7989: checking for ut_xtime in struct utmpx
configure:8005: gcc -c -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
-DOPENSSL_NO_KRB5conftest.c 1>&5
configure: In function `main':
configure:8001: structure has no member named `ut_xtime'<-- the
first problem
configure: failed program was:
#line 7993 "configure"
#include "confdefs.h"

#include 
#ifndef offsetof
#define offsetof(TYPE, MEMBER) ((int) &((TYPE *)0)->MEMBER)
#endif

int main() {
 int foo = offsetof(struct utmpx, ut_xtime) 
; return 0; }
configure:8036: checking for ipi_addr in struct in_pktinfo
configure:8052: gcc -c -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
-DOPENSSL_NO_KRB5conftest.c 1>&5
configure:8082: checking for working const
configure:8158: checking type of OS
configure:8173: checking for developer gcc flags
configure:8188: checking for crypt in -lcrypt
configure:8288: checking for setkey in -lcipher
configure:8336: checking for asn1.h,snmp.h,snmp_impl.h
configure:8364: gcc -c -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
-DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -DNDEBUG  conftest.c 1>&5
In file included from configure:8356:
/usr/include/ucd-snmp/asn1.h:7:2: #error "Please update your headers or
configure using --enable-ucd-snmp-compatibility"  <-- (this error then
occurs multiple times)
In file included from configure:8357:
/usr/include/ucd-snmp/snmp.h:7:2: #error "Please update your headers or
configure using --enable-ucd-snmp-compatibility"
In file included from configure:8358:
/usr/include/ucd-snmp/snmp_impl.h:9:2: #error "Please update your
headers or configure using --enable-ucd-snmp-compatibility"
configure: In function `main':
configure:8360: warning: unused variable `a'
configure: failed program was:
#line 8339 "configure"
#include "confdefs.h"

#ifdef HAVE_SYS_TYPES_H
#include 
#endif
#ifdef HAVE_STDINT_H
#include 
#endif
#ifdef HAVE_STDIO_H
#include 
#endif
#ifdef HAVE_NETDB_H
#include 
#endif
#ifdef HAVE_UNISTD_H
#include 
#endif
#include 
#include 
#include 
int main() {
 int a = 1;
; return 0; }
configure:8405: gcc -c -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
-DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -DNDEBUG -I/usr/include
conftest.c 1>&5
In file included from configure:8397:
/usr/include/ucd-snmp/asn1.h:7:2: #error "Please update your headers or
configure using --enable-ucd-snmp-compatibility"
In file included from configure:8398:
/usr/include/ucd-snmp/snmp.h:7:2: #error "Please update your headers or
configure using --enable-ucd-snmp-compatibility"
In file included from configure:8399:
/usr/include/ucd-snmp/snmp_impl.h:9:2: #error "Please update your
headers or configure using --enable-ucd-snmp-compatibility"
configure: In function `main':
configure:8401: warning: unused variable `a'
configure: failed program was:
#line 8380 "configure"
#include "confdefs.h"

#ifdef HAVE_SYS_TYPES_H
#include 
#endif
#ifdef HAVE_STDINT_H
#include 
#endif
#ifdef HAVE_STDIO_H
#include 
#endif
#ifdef HAVE_NETDB_H
#include 
#endif
#ifdef HAVE_UNISTD_H
#include 
#endif
#include 
#include 
#include 
int main() {
 int a = 1;
; return 0; }
configure:8405: gcc 

Re: class attribute wont pass

2005-07-08 Thread Dusty Doris
> rad_recv: Access-Accept packet from host 63.174.xxx.xx:1645, id=1,
> length=218
> Proxy-State = 0x3735
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Ascend-Data-Filter = "ip in forward tcp est"
> Ascend-Data-Filter = "ip in forward dstip 63.174.xxx.x/24 0"
> Ascend-Data-Filter = "ip in drop tcp dstport = 25"
> Ascend-Data-Filter = "ip in forward 0"
> Idle-Timeout = 1800
> Session-Timeout = 21600
> Propel-Accelerate = 1
> X-Ascend-Idle-Limit = 1800
> X-Ascend-Maximum-Time = 28800
> Class = "IEAS1\005378602\003292"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 73
>  attr_filter: Matched entry DEFAULT at line 84
>   modcall[authorize]: module "attr_filter" returns updated for request 73

What does line 84 of the attrs file say?  Perhaps you are filtering out
the class attribute.  Read the manpage rlm_attr_filter.  If you don't
intend on filtering any of the reply values, then comment out attr_filter
in radiusd.conf.  Or maybe you just need to add Class to it.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
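An added example, not part of Dusty's reply and not the rlm_attr_filter source: a small emulation of how an "attrs" file thins a proxied Access-Accept, using the documented "Attribute OP value" rule layout under a DEFAULT entry. The reply is the one from Brian's debug output; the rules are constructed, and the evaluation is simplified (the real module knows more operators and has its own special cases, so read the rlm_attr_filter man page before trusting any detail here).

```python
# Added example, not from the thread or from rlm_attr_filter itself: a small
# emulation of how an "attrs" file thins a proxied Access-Accept, using the
# documented "Attribute OP value" rule syntax under a DEFAULT entry. The reply
# below is copied from the debug output in the thread; the rules are
# constructed. Simplified: the real module knows more operators and details.
import re

RULE_RE = re.compile(r"^\s*(?P<attr>[\w-]+)\s*(?P<op>=\*|==|!=|<=|>=|=~)\s*(?P<val>.+?)\s*,?\s*$")

BASE_RULES = [
    "Service-Type == Framed-User",
    "Framed-Protocol == PPP",
    "Ascend-Data-Filter =* ANY",
    "Idle-Timeout <= 1800",
    "Session-Timeout <= 21600",
    "Proxy-State =* ANY",
]

# The Access-Accept the proxy received (attribute, value), Class included.
PROXY_REPLY = [
    ("Proxy-State", "0x3735"),
    ("Service-Type", "Framed-User"),
    ("Framed-Protocol", "PPP"),
    ("Ascend-Data-Filter", "ip in forward tcp est"),
    ("Ascend-Data-Filter", "ip in forward dstip 63.174.xxx.x/24 0"),
    ("Ascend-Data-Filter", "ip in drop tcp dstport = 25"),
    ("Ascend-Data-Filter", "ip in forward 0"),
    ("Idle-Timeout", 1800),
    ("Session-Timeout", 21600),
    ("Propel-Accelerate", 1),
    ("X-Ascend-Idle-Limit", 1800),
    ("X-Ascend-Maximum-Time", 28800),
    ("Class", r"IEAS1\005378602\003292"),
]


def attrs_file(rules):
    """Render rules as a DEFAULT entry in attrs-file layout."""
    return "DEFAULT\n" + ",\n".join("\t" + r for r in rules) + "\n"


def parse_attrs(text):
    """Return {attribute: [(op, value), ...]} from the DEFAULT entry."""
    rules, in_default = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                 # entry header, e.g. DEFAULT
            in_default = line.split()[0] == "DEFAULT"
            continue
        if not in_default:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: %r" % line)
        rules.setdefault(m["attr"], []).append((m["op"], m["val"].strip('"')))
    return rules


def _passes(op, want, value):
    if op == "=*":
        return True
    if op == "==":
        return str(value) == want
    if op == "!=":
        return str(value) != want
    if op == "=~":
        return re.search(want, str(value)) is not None
    try:                                          # numeric comparisons
        have, limit = int(value), int(want)
    except ValueError:
        return False
    return have <= limit if op == "<=" else have >= limit


def filter_reply(reply, rules):
    """Keep an attribute only if it has rules and every one of them passes.
    Attributes with no rule at all (here: Class, unless added) are dropped."""
    kept = []
    for name, value in reply:
        checks = rules.get(name, [])
        if checks and all(_passes(op, want, value) for op, want in checks):
            kept.append((name, value))
    return kept


def names(pairs):
    return [name for name, _ in pairs]


if __name__ == "__main__":
    before = filter_reply(PROXY_REPLY, parse_attrs(attrs_file(BASE_RULES)))
    after = filter_reply(PROXY_REPLY, parse_attrs(attrs_file(BASE_RULES + ["Class =* ANY"])))
    print("without rule:", names(before))
    print("with rule:   ", names(after))
```

The filter is an allow-list, which is the right default for a proxy: a home server that can push arbitrary attributes at your NAS (Framed-IP-Address, filter rules, a VLAN) is a trust boundary, so add Class explicitly rather than commenting attr_filter out.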


class attribute wont pass

2005-07-08 Thread Brian

Hello,

I'm running freeradius 0.9.3 (I know.. it's old..), operating in a proxy 
configuration.  I'm having issues with freeradius not passing the 
"class" attribute back to the NAS after receiving it from one of our 
proxy customers.  I can't put the Class attribute in the users file 
because the proxy customer uses different values per customer.  We only 
have one customer that passes the class attribute to us, so this is the 
first instance where we are having this issue.  I've tried changing the 
attribute value from "octet" to "string" in the dictionary file as was 
suggested previously on the mailing list, but it doesn't make a 
difference :-( Here is debug output from radiusd:



rad_recv: Access-Request packet from host 63.110.xxx.xx:3401, id=75, 
length=211

   User-Name = "[EMAIL PROTECTED]"
   User-Password = "6875"
   NAS-IP-Address = 63.215.xx.xxx
   NAS-Port = 807
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Ascend-Data-Rate = 28800
   Ascend-Calling-Id-Type-Of-Num = Unknown
   Ascend-Calling-Id-Number-Plan = Unknown
   Ascend-Xmit-Rate = 50667
   Called-Station-Id = "317270"
   Calling-Station-Id = "317862"
   NAS-Identifier = "nas.ind.Level3.net"
   Acct-Session-Id = "483826947"
   NAS-Port-Type = Async
   Ascend-NAS-Port-Format = 4
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 73
 modcall[authorize]: module "attr_filter" returns noop for request 73
   rlm_realm: Looking up realm "realm.com" for User-Name = "[EMAIL PROTECTED]"
   rlm_realm: Found realm "realm.com"
   rlm_realm: Proxying request from user user to realm realm.com
   rlm_realm: Adding Realm = "realm.com"
   rlm_realm: Preparing to proxy authentication request to realm 
"realm.com"

modcall[authorize]: module "suffix" returns updated for request 73
   users: Matched DEFAULT at 537
 modcall[authorize]: module "files" returns ok for request 73
 hints: Matched DEFAULT at 49
 modcall[authorize]: module "preprocess" returns ok for request 73
modcall: group authorize returns updated for request 73
Sending Access-Request of id 1 to 63.174.xxx.xx:1645
   User-Name = "[EMAIL PROTECTED]"
   User-Password = "6875"
   NAS-IP-Address = 63.215.xx.xxx
   NAS-Port = 807
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Ascend-Data-Rate = 28800
   Ascend-Calling-Id-Type-Of-Num = Unknown
   Ascend-Calling-Id-Number-Plan = Unknown
   Ascend-Xmit-Rate = 50667
   Called-Station-Id = "317270"
   Calling-Station-Id = "317862"
   NAS-Identifier = "nas.ind.Level3.net"
   Acct-Session-Id = "483826947"
   NAS-Port-Type = Async
   Ascend-NAS-Port-Format = 4
   Proxy-State = 0x3735
Waking up in 1 seconds...
rad_recv: Access-Accept packet from host 63.174.xxx.xx:1645, id=1, 
length=218

   Proxy-State = 0x3735
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Ascend-Data-Filter = "ip in forward tcp est"
   Ascend-Data-Filter = "ip in forward dstip 63.174.xxx.x/24 0"
   Ascend-Data-Filter = "ip in drop tcp dstport = 25"
   Ascend-Data-Filter = "ip in forward 0"
   Idle-Timeout = 1800
   Session-Timeout = 21600
   Propel-Accelerate = 1
   X-Ascend-Idle-Limit = 1800
   X-Ascend-Maximum-Time = 28800
   Class = "IEAS1\005378602\003292"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 73
attr_filter: Matched entry DEFAULT at line 84
 modcall[authorize]: module "attr_filter" returns updated for request 73
   rlm_realm: Proxy reply, or no User-Name.  Ignoring.
 modcall[authorize]: module "suffix" returns noop for request 73
   users: Matched DEFAULT at 537
 modcall[authorize]: module "files" returns ok for request 73
 hints: Matched DEFAULT at 49
 modcall[authorize]: module "preprocess" returns ok for request 73
modcall: group authorize returns updated for request 73
 rad_check_password:  Found Auth-Type
 rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [EMAIL PROTECTED]/6875] (from client acs223 port 807 cli 3178623267)
Sending Access-Accept of id 75 to 63.110.xxx.xx:3401
   Service-Type := Framed-User
   Framed-IP-Address := 255.255.255.254
   Framed-IP-Netmask := 255.255.255.255
   Framed-Protocol := PPP
   Ascend-Data-Filter = "ip in forward tcp est"
   Ascend-Data-Filter = "ip in forward dstip 63.174.xxx.x/24 0"
   Ascend-Data-Filter = "ip in drop tcp dstport = 25"
   Ascend-Data-Filter = "ip in forward 0"
   Session-Timeout = 21600
   X-Ascend-Maximum-Time = 28800
   Framed-Compression = Van-Jacobson-TCP-IP
   Idle-Timeout = 900
   X-Ascend-Idle-Limit = 900
Finished request 73






As you can see in the debug output, the freeradius server receives the 
class attribute from 63.174.xxx.xx, but when sending back to the NAS at 
63.110.xxx.xx, the Class attribut

Re: Dusty Here's the info requested......PAP ok No Chap new Installation.

2005-07-08 Thread Dusty Doris

On Thu, 7 Jul 2005, Radius wrote:

> OK I can do this, but will the PAP that uses the /etc/passwd be prevented?
>
> We have both running here.

Good question, I think it would.  Is there any reason you're using both
/etc/passwd and mysql?  Why not just use mysql?

>
> Do I need to add a Auth == Local or something like that after that so it
> will
> check the MySql database when the /etc/passwd fails?
>
> Maybe my Fall-Through is wrong for 1.0.4. This is running ok in 0.9.3
>
> Thanks
> Bob
>

If there is something coming in the packet that would definitely tell you
whether they were in sql or /etc/passwd, then you could edit your users
file to handle that.  Say, if a certain realm, then set Autz-Type to sql,
otherwise, set Autz-Type to system.  Check out doc/Autz-Type in the
sourcecode.

If you can't tell whether or not a user would be in sql or /etc/passwd,
then you will probably want to do one of two things.  First, migrate all
the /etc/passwd users into sql.  That would be the preferred method (to me
at least).  Secondly, check out doc/configurable_failover.  That document
will show you how to do grouping so that you can try one thing first and
if that fails, try another before rejecting the user.

It's interesting that it worked for you fine in .9, but not now.  As I
learn more about your setup, I can say that I've never done this before
(using mysql and /etc/password with PAP and CHAP).  Since it used to work,
I have to think that there is just one small thing that needs to be
tweaked.

Perhaps there is someone on the list that has an easier suggestion for
you than what I had above.  But you could always throw it together on your
lab machine and give it a try and see how it goes.

Hope that is a little helpful, at least maybe pointing to some
documentation that might interest you.

Dusty Doris
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


High performance request remapping / rewriting

2005-07-08 Thread Phil Mayers

All,

We are looking to implement mac-based vlans with a radius backend. I'm 
hoping freeradius is the obvious choice, but I'm having a hard time 
seeing how to do what I need.


What I'm looking to do is feed FreeRadius from our host registration 
database. Each NAS (switch) may potentially have different VLANs on it, 
and each registered host may fall into a different vlan "type", so the 
radius server needs to map:


(clientmac, nasipaddress) -> vlantag

However, there are ~20k MAC addresses and ~1200 NASes (switches), so 
clearly I can't do this:


DEFAULT Calling-Station-Id = "", NAS-IP-Address = ""
DEFAULT Calling-Station-Id = "", NAS-IP-Address = ""
DEFAULT Calling-Station-Id = "", NAS-IP-Address = ""
...
DEFAULT Calling-Station-Id = "", NAS-IP-Address = ""

...because it's 20 million entries. The file as a users compiled to dbm 
is >4Gb :o(


I wanted to do some kind of optimisation - the switches are grouped into 
zones in our database, and vlans are specific to these zones (normally a 
building), so actually something like:


nasip -> zone
(clientmac, zone) -> vlan

...but that's still too large, so maybe:

nasip -> zone
clientmac -> clienttype (there are 5 types - unreg, guest, roaming, 
home, blocked)

(clienttype, zone) -> vlan

...which would be much smaller, but I can't see how you do this. I must 
admit to being somewhat confused about the request, check and reply 
items, but from what I can tell a "users" item consists of:


username OR DEFAULT  [comma-separated items to check against 
request] 

  [comma-separated items to add to reply]

...so even with Fall-Through=Yes you can never do this:

DEFAULT NAS-IP-Address = blah
  Zone = "foo"

DEFAULT Calling-Station-Id = "00-11-22-33-44-55", User-Password = 
"00-11-22-33-44-55"

  Kind = "guest"

# Fallback - unknown hosts
DEFAULT Calling-Station-Id =~ 
"^[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}$" 
, User-Password = `%{0}`

  Kind = "unreg"

DEFAULT Zone = "foo", Kind = "unreg"
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-ID := "1"

DEFAULT Zone = "foo", Kind = "guest"
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-ID := "2"

...because Zone and Kind are set in the reply, so can't be matched 
further down.


rlm_attr_rewrite has the beginnings of what is needed, but a linear 
search through 20k regexps for the hosts, followed by 1k regexps for the 
switches clearly isn't going to work.


Ideally an apache-like feature of DBM mapping is what's needed of 
something like:


/etc/raddb/radiusd.conf:

attr_rewrite nas2zone {
  attribute = NAS-IP-Address
  searchin = packet
  searchfor = "(.*)"
  replacewith = "%{dbm:nas2zone:%{1}}"
  new_attribute_name = "Zone"
}

...and similarly for Calling-Station-Id -> kind

The issue is that this needs to go very very fast - at peak times (e.g. 
say a reboot of a PC cluster during overnight maintenance) the DHCP 
servers get ~50 requests/second, so a radius server(s) would need to 
answer with similar performance.


I originally tried to do this with rlm_sql direct to our registration 
database, but the performance was abominable (which is not an SQL issue) 
and eventually it hung the radius server anyway (rlm_sql_postgresql). In 
any event I was never super-keen on that for security reasons, though 
the fact it was instant-updating once a registration was processed was 
very handy.


I'm assuming rlm_exec would have similar if not worse performance 
characteristics (spawning 50 processes a second during peak times does 
not strike me as overly sensible). Is there an rlm_socket:


socket mac_vlan {
  path = "/var/run/mac_vlan.unixsock"
  wait = yes
  input_pairs = request
  output_pairs = reply
}

...i.e. keep a persistent connection to something open.

I'd appreciate any suggestions.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


ippool corrections

2005-07-08 Thread Marek Gradzki

Hi there!
I have installed and run FreeRadius Server on Solaris 8 (x86 and sparc).
Authorization and authentication work over the LDAP protocol with an OpenLDAP
server.
Accounting is processed by an SQL database (PostgreSQL).
I use these radius servers to perform AAA operations in response to
requests sent from a device terminating PPPoE sessions.
I also have to use the radius server feature to dynamically assign IP
addresses to client sessions.
So I have assumed that the rlm_ippool module is right for this task. But
unfortunately all sessions that are terminated in the box working with
radius come to this device by the same port. So I had to rewrite the
rlm_ippool module a little bit to verify used IP addresses not only by NAS
device and NAS port but also by user name.
Unfortunately I have no opportunity to test this rewritten module in other
configurations.
If anyone is interested in testing this module please email me, because I
would like to be sure that this module will work in other configurations
(maybe not everyone's), not only in mine. Anyway I will have to verify my
corrections because rlm_ippool_tools displays some strange information on
the screen.

[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
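An added example, not part of Marek's post or Alan's reply and not the rlm_ippool source: a toy lease pool that shows why the key used to recognise "the same session" matters when every PPPoE session reaches the RADIUS client on the same NAS port. Addresses, user names and both key choices are constructed; the real module keeps its leases in GDBM files and also frees them on Accounting-Stop, which this simplification leaves out.

```python
# Added example, not from the thread or from rlm_ippool: a toy lease pool that
# shows why the key used to recognise "the same session" matters when every
# PPPoE session reaches the RADIUS client on the same NAS port. Addresses,
# names and the key choices are constructed; the real module keeps its leases
# in GDBM files and also frees them on Accounting-Stop.
import ipaddress
import time


class Pool:
    def __init__(self, first, last, key_attrs, lease_secs=3600):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.key_attrs = key_attrs            # which request attributes identify a session
        self.lease_secs = lease_secs
        self.leases = {}                      # key -> (ip, expiry)

    def key(self, request):
        return tuple(str(request.get(a, "")) for a in self.key_attrs)

    def allocate(self, request, now=None):
        now = time.time() if now is None else now
        k = self.key(request)
        # A new request under an already leased key is taken to mean the NAS
        # reused that slot, so the old lease is released first. With a
        # (NAS, port) key that silently drops a still-active user's lease.
        if k in self.leases:
            self.release(request)
        self.expire(now)
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.leases[k] = (ip, now + self.lease_secs)
        return ip

    def release(self, request):
        k = self.key(request)
        if k not in self.leases:
            return None
        ip, _ = self.leases.pop(k)
        self.free.append(ip)
        return ip

    def expire(self, now):
        for k, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[k]
                self.free.append(ip)


def simulate(key_attrs):
    """Two users log in through the same NAS port. Returns
    (ip_alice, ip_bob, alice_lease_intact, alice_ip_back_in_free_pool)."""
    pool = Pool("10.0.0.1", "10.0.0.10", key_attrs)
    alice = {"NAS-IP-Address": "192.0.2.1", "NAS-Port": 0, "User-Name": "alice"}
    bob = {"NAS-IP-Address": "192.0.2.1", "NAS-Port": 0, "User-Name": "bob"}
    ip_alice = pool.allocate(alice, now=0)
    ip_bob = pool.allocate(bob, now=1)
    alice_intact = pool.leases.get(pool.key(alice), (None, 0))[0] == ip_alice
    return ip_alice, ip_bob, alice_intact, ip_alice in pool.free


if __name__ == "__main__":
    print("NAS + port key:   ", simulate(("NAS-IP-Address", "NAS-Port")))
    print("NAS + port + user:", simulate(("NAS-IP-Address", "NAS-Port", "User-Name")))
```

With the (NAS, port) key Alice's address goes back into the free list while she is still online, so the next login can be handed the same address: two subscribers on one IP, and accounting that attributes one user's traffic to the other. Adding User-Name to the key (what Marek's rewrite does, and what the configurable key in CVS allows) keeps the leases distinct.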


Re: Radius not configured properly

2005-07-08 Thread Michael Cooper



Hey everyone,
 
   I am very 
new to this so if I screw up and ask a stupid question I apologize,
I have freeradius it's version 1.0.2 (I will 
upgrade when I understand better what's going on) installed on a Mandriva LE 
2005 Box and it's the default install not configured as of yet. I added a user 
via Dialup Admin and then there is the test user also.
 
My network consists of 2 - Portmaster 3 NAS 
boxes for Dial up and I have 7 Wireless APs (Not concerned about these yet) in 
the field.
 
I ran radtest against the server with this command 
-> radtest test test123 127.0.0.1:1645 1645 n4sc4r and also with mcooper and 
mypass.
 
From what i have read just getting a response is a 
good thing, from what I understand the server giving a response is half the 
battle. So I have that working, but not sure where to go or how to configure 
from here.
 
The following is the response I got not sure what 
thios is telling me could someone help me out please?
 
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 124 with timestamp 42ce6f71
Nothing to do.  Sleeping until we see a request.
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32847, id=124, length=56
Discarding duplicate request from client mail2:32847 - ID: 124
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 124 with timestamp 42ce6f6b
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:32847, id=124, length=56
    User-Name = "test"
    User-Password = "test123"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1645
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
radius_xlat:  ''
  modcall[authorize]: module "sql" returns fail for request 5
modcall: group authorize returns fail for request 5
Thanks in advance,

Michael A Cooper
BCCISP.net
http://www.bccisp.net
281-854-2079
"Technology that counts, voices that matter!"
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
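As an added illustration (not from the post above or from FreeRADIUS itself): a small Python parser over the "radiusd -X" debug format quoted in that post. It groups the modcall lines by request and section and names the module whose return code stopped the authorize section, which is the question the post is really asking. The sample log is constructed to mirror the quoted lines, and the regexes assume the 1.x modcall line shapes shown there.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "radiusd -X" output quoted in the post
# above (same module names and return codes; not a capture of any real box).
SAMPLE_DEBUG = """\
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  modcall[authorize]: module "sql" returns fail for request 5
modcall: group authorize returns fail for request 5
"""

# Line shapes of the FreeRADIUS 1.x modcall debug output (assumed stable).
MODULE_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
GROUP_RE = re.compile(r'modcall: group (\S+) returns (\w+) for request (\d+)')

# Return codes that abort the rest of a section instead of falling through.
STOP_CODES = {"fail", "reject", "invalid", "userlock", "handled"}


def parse_sections(text):
    """Map (request, section) -> ([(module, rcode), ...], final rcode)."""
    modules, finals = defaultdict(list), {}
    for line in text.splitlines():
        if m := MODULE_RE.search(line):
            section, module, rcode, req = m.groups()
            modules[(int(req), section)].append((module, rcode))
        elif m := GROUP_RE.search(line):
            section, rcode, req = m.groups()
            finals[(int(req), section)] = rcode
    return {k: (v, finals.get(k)) for k, v in modules.items()}


def blame(text):
    """For each section that did not succeed, name the module that stopped it."""
    findings = {}
    for key, (mods, final) in parse_sections(text).items():
        if final in ("ok", "updated", "noop"):
            continue  # the section completed; nothing to blame
        culprit = next((mod for mod, rc in mods if rc in STOP_CODES), None)
        findings[key] = (final, culprit)
    return findings


if __name__ == "__main__":
    for (req, section), (rcode, module) in blame(SAMPLE_DEBUG).items():
        print(f"request {req}: {section} returned {rcode}, stopped by {module!r}")
```

Run on the constructed sample it reports that request 5's authorize section returned fail and that "sql" was the module that produced it, so that is where configuration work should start.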

Re: EAP-TTLS and PEAP auth problem ... sorry!!

2005-07-08 Thread Gandalf the Gray
thanks for the help until now!

I have another problem on freeradius, related to PEAP.

The MSCHAP module needs a user-password pair to perform
authentication... and in the radiusd log I can read
that it is not possible to retrieve an NT-password or
NL-password.

But I don't want to use such thing (I read is related
to Samba).

I would like to submit user and password to my LDAP
server, and this one has to check the right
relationship!
But I know EAP doesn't allow plain text PW, as LDAP
needs!

Now: is it possible to tell MSCHAP to use LDAP or
passwd file to authenticate the user?
And, before this, is it possible to obtain the PW from
the EAP challenge in order to submit it further?

Please give me a little advice... it seems it should
be a problem so simple to solve! I already lost 10
days...

to help: I'm working with such a system.
- Standard Windows XP client, PEAP-MSCHAPv2 
- Aegis supplicant, with all types of EAP
- Access Point Cisco Aironet 1200, set to use WPA-TKIP
and EAP authentication
- Freeradius server, working on GENTOO linux 2005

thank you very much, for everything you could suggest!



Problem with 1.1.0-pre0 - CVS Snapshot of 30th of June

2005-07-08 Thread Jaco van Tonder
I have a problem when proxying an auth request to another server. The server
crashes with the following error:

rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=130,
length=69
--- Walking the entire request list ---
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
Threads: total/active/spare threads = 5/1/4
Waking up in 1 seconds...
User-Name = "[EMAIL PROTECTED]"
User-Password = "jjtest"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", looking up realm
NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "IPASS" returns noop for request 0
rlm_realm: Looking up realm "JacoTest" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "JacoTest"
rlm_realm: Proxying request from user jacotest to realm JacoTest
rlm_realm: Adding Realm = "JacoTest"
rlm_realm: Preparing to proxy authentication request to realm "JacoTest"

  modcall[authorize]: module "suffix" returns updated for request 0
  modcall[authorize]: module "files" returns notfound for request 0
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op ??FROM radcheck
??WHERE Username = '[EMAIL PROTECTED]' ??ORDER BY id'
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM
radcheck ??WHERE Username = '[EMAIL PROTECTED]' ??ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows = 
radius_xlat:  'SELECT GroupName FROM usergroup WHERE
UserName='[EMAIL PROTECTED]''
rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE
UserName='[EMAIL PROTECTED]'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows = 
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User [EMAIL PROTECTED] not found
  modcall[authorize]: module "sql" returns notfound for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "dailycounter" returns noop for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "noresetcounter" returns noop for request 0
  modcall[authorize]: module "expiration" returns noop for request 0
  modcall[authorize]: module "logintime" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
Assertion failed in request_list.c, line 724

This ONLY happens for proxied requests. All local requests get
authenticated ok.

What can be the problem?

Jaco van Tonder


Cisco attributes for Freeradius using MySQL db for auth

2005-07-08 Thread Okka Radius

Defined them in the radgroupreply table and used the += in the op row in
that table and voila...

Didn't have to stick them in the users or hints files in the raddb conf dir
...

See example ...

rlm_pap: login attempt by "[EMAIL PROTECTED]" with password test3
rlm_pap: Using password "userpassword" for user [EMAIL PROTECTED] 
authentication.
rlm_pap: Using clear text password.
rlm_pap: User authenticated succesfully
  modcall[authenticate]: module "pap" returns ok for request 14
modcall: group Auth-Type returns ok for request 14
Sending Access-Accept of id 3 to clientipaddress:3390
Service-Type = Framed-User
Framed-Protocol = PPP
Cisco-AVPair += "ip:ip-unnumbered=Loopback51"
Cisco-AVPair += "ip:addr-pool=ipnetpool2"



Re: Proxying with Calling-Station-Id

2005-07-08 Thread Nicolas Baradakis
Stylianos Stylianou wrote:

> I am trying to configure freeradius to proxy requests to another radius
> based on the Calling Station Id.
> 
> Can anyone help me how to configure my radius server to do this?

In the "users" file:

DEFAULT Calling-Station-Id == "0102030405", Proxy-To-Realm := realm1.net

DEFAULT Calling-Station-Id == "0506070809", Proxy-To-Realm := realm2.com

-- 
Nicolas Baradakis



Re: Can do EAP/TLS, but not EAP/MD5

2005-07-08 Thread Artur Hecker
Or simply put 'eap' as the last module in the authorize section. Should
be the same.

Jefri bin Dahari wrote:

It works. Thank you very much Vladimir.

- Original Message - From: "Vladimir Vuksan" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Friday, July 08, 2005 14:39
Subject: Re: Can do EAP/TLS, but not EAP/MD5

Jefri bin Dahari wrote:

I have Freeradius running where wireless users authenticate using 
EAP/TLS. Now, I would like to use the same server to authenticate 
wired users using EAP/MD5 on Cisco switch 3750 but it doesn't work. 
The log shows it doesn't do EAP authentication as shown below. 
Attached is my eap.conf.

You appear to be setting Auth-Type to Local. Check your Users file and 
see where the Auth-Type := Local or similar is getting set. Comment it 
out.

Vladimir


Proxying with Calling-Station-Id

2005-07-08 Thread Stylianos Stylianou
Hi,

I am trying to configure freeradius to proxy requests to another radius based
on the Calling Station Id.

Can anyone help me how to configure my radius server to do this?

Thanks.

Re: Can do EAP/TLS, but not EAP/MD5

2005-07-08 Thread Jefri bin Dahari

It works. Thank you very much Vladimir.

- Original Message - 
From: "Vladimir Vuksan" <[EMAIL PROTECTED]>

To: "FreeRadius users mailing list" 
Sent: Friday, July 08, 2005 14:39
Subject: Re: Can do EAP/TLS, but not EAP/MD5

Jefri bin Dahari wrote:

I have Freeradius running where wireless users authenticate using 
EAP/TLS. Now, I would like to use the same server to authenticate wired 
users using EAP/MD5 on Cisco switch 3750 but it doesn't work. The log 
shows it doesn't do EAP authentication as shown below. Attached is my 
eap.conf.

You appear to be setting Auth-Type to Local. Check your Users file and see 
where the Auth-Type := Local or similar is getting set. Comment it out.


Vladimir

   users: Matched entry jeff at line 6
 modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
 rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
