EAP/TLS DLINK DWL-2000AP+ Setup Problem XP Client

2005-08-17 Thread Ceyhun K�
Hi,

I've setup eap/tls with freeradius in my network.
I'm using certificates signed by a private CA.

Here is my problem:

When I check "validate server certificate" in the client's connection
properties, radius sends an Access-Challenge and nothing happens:

Sending Access-Challenge of id 3 to 192.168.145.13:1812
EAP-Message =
0x010400350d80002b14030100010116030100209e7c62b412a95e4583fd662183c3cfd5ff3aa01d4cf27de813dc6cc9b040fc78
Message-Authenticator = 0x
State = 0xf48deff8e489ad47d9acb4c64dc756f4

With box unchecked, everything seems to be ok in freeradius logs.
But just after Access-Accept packet, AP reboots and client connection dies.



Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 26
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3 
  eaptls_process returned 3 
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 26
modcall: group authenticate returns ok for request 26
Sending Access-Accept of id 10 to 192.168.145.13:1812
MS-MPPE-Recv-Key =
0x7ace5e49f382cd4ad52cbef684f2380b2d9982659a2779ca55e3e7f243277363
MS-MPPE-Send-Key =
0xa44f01b3c2487c7ac23853a6b1c9fb645f3cf9780ed791d772bf639eb8dc6f63
EAP-Message = 0x03040004
Message-Authenticator = 0x
User-Name = wireless-12
Finished request 26 


I'm confused, where to find error?
My AP HW, freeradius configuration, or certificate stuff.

Please guide me.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: User-Name - Reg Expr - auth-type accept

2005-08-17 Thread Michael Poser
Hello Nicolas,

thanks a lot, this works fine :-)

regards,  Michael


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Nicolas Baradakis
 Sent: Tuesday, August 16, 2005 5:51 PM
 To: FreeRadius users mailing list
 Subject: Re: User-Name - Reg Expr - auth-type accept
 
 Michael Poser wrote:
 
  The regular expression match with the Mac-Address, but 4 
 lines behind it,
  the log says: auth: No authenticate method (Auth-Type) 
 configuration found
  for the request: I am confused, in the users file is the statement
  Auth-Type := Accept,. What is wrong?
 
 All the check items should be on the first line.
 
 --8<--
 DEFAULT User-Name =~ "^([0-9a-fA-F]){6}-([0-9a-fA-F]{6})$", Auth-Type := Accept
         Reply-Message = "Hallo Regulaerer Ausdruck `%{User-Name}`"
 --8<--
 
 -- 
 Nicolas Baradakis
 


Require NAS dependant radius return attributes

2005-08-17 Thread Ben Thompson
 Ben Thompson wrote:
 
  The trouble is I need to assign different VLAN's to users depending
  which access point they connect from. What I would like to know is if it
  is possible to use Huntgroups to look up the VLAN id based on something
  like the IP address of the access point?
 
 You could test the variable Client-IP-Address in the users file.
 
 testuser Client-IP-Address == 10.0.0.1, Password := azerty
   Tunnel-Private-Group-ID:1 := 1,
   Fall-Through = Yes
 
 testuser Client-IP-Address == 10.0.0.2, Password := azerty
   Tunnel-Private-Group-ID:1 := 2,
   Fall-Through = Yes
 
 -- 
 Nicolas Baradakis

Hi

Thanks for that advice. I can see that I could end up with a very large
users file using this method. Is there any limit on the size of the
users file? In the near future we may have something like 80 entries
in there. Is this where you would normally look to use a database
backend?

Thanks

Ben




rlm_x99

2005-08-17 Thread Iandc Davies
Hi all,

Can anybody tell me what the rlm_x99 modules is and does ?
It's stopping my compile at the moment and I am just wondering whether I need
it or not.

Cheers
Ian Davies
Software Development Engineer




How to Disable RADIUS user logins if 'Session-Timeout' falls below 0

2005-08-17 Thread sagar.patil
Hi All,

I am using FreeRadius with PostgreSQL and everything is running
like a charm besides a small issue.

I am using the session-timeout attribute in the radreply
table to control user session time.

I have added a trigger on the RADACCT table which subtracts the amount
of time used by the user from RADREPLY each time he logs in.

It does work, but when the time is below 0 or negative I need to
stop the user from getting into my system and I am failing to do so.

Here are my RADREPLY table entries:

INSERT INTO radreply (id, username, attribute, op, value)
VALUES (2, 'sagar', 'Idle-Timeout', ':=', '300');

INSERT INTO radreply (id, username, attribute, op, value)
VALUES (3, 'sagar', 'Reply-Message', ':=', 'You Have Logged in Successfully');

INSERT INTO radreply (id, username, attribute, op, value)
VALUES (1, 'sagar', 'Acct-Interim-Interval', ':=', '120');

INSERT INTO radreply (id, username, attribute, op, value)
VALUES (4, 'sagar', 'Session-Timeout', ':=', '-904');

The easiest way would be altering the authenticate SQL and
adding a condition to check that Session-Timeout doesn't fall below
0.

I am not very good with POSTGRES, so can someone please let me
know how to do it.

The other way would be using a function/procedure to carry
out this check, but my question is how to use procedures/functions in
postgres.conf:

authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} \
        WHERE UserName = '%{User-Name}' AND ( Attribute = 'User-Password' OR Attribute = 'Crypt-Password' ) \
        ORDER BY Attribute DESC"

Sagar Patil
British Telecommunications plc

Re: compiling CVS snapshot dies

2005-08-17 Thread Paul TBBle Hampson
On Wed, Aug 17, 2005 at 12:35:58AM +0200, Koos Beens wrote:
 Koos Beens [EMAIL PROTECTED] wrote:
 I am trying to compile a cvs snapshot, in debian with command
 dpkg-buildpackage -us -uc -rfakeroot -b

 It dies with this message:

   Ok... try tomorrow's snapshot.

   Alan DeKok.

 Thank you, it is working.

 A small thing/bug however,

 the mysql .deb will not install if the freeradius server isn't started.
 Once it's started it installs ok.

Hmm. Is that the 'restart' command failing? Or something else?

-- 
---
Paul TBBle Hampson, MCSE
8th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

No survivors? Then where do the stories come from I wonder?
-- Capt. Jack Sparrow, Pirates of the Caribbean

License: http://creativecommons.org/licenses/by/2.1/au/
---



FreeRadius 1.0.4 crashing when getting Request

2005-08-17 Thread Sebastian Mauer
Hello there,

I have a little problem with setting up FreeRADIUS with MySQL Support
properly. My Linux Distro is Debian Sarge 3.1. I installed all necessary
libraries and compiled FreeRadius with MySQL enabled. Then I installed all
necessary MySQL tables and configured FreeRadius to do EAP-TLS with MySQL as
backend. All seems to work nice until the server finally receives a first
request. The server segfaults and that's the end.

I have no idea what could have gone wrong
Does someone of you have an idea what to do?

Sincerely,
Sebastian Mauer


Re: EAP/TLS DLINK DWL-2000AP+ Setup Problem XP Client

2005-08-17 Thread Jan Luehr
Greetings,

On Wednesday, 17 August 2005 08:16, Ceyhun K� wrote:
 Hi,

 I've setup eap/tls with freeradius in my network.
 I'm using certificates signed by a private CA.

 Here is my problem:

 When I check "validate server certificate" in the client's connection
 properties, radius sends an Access-Challenge and nothing happens:

 Sending Access-Challenge of id 3 to 192.168.145.13:1812
 EAP-Message =
 0x010400350d80002b14030100010116030100209e7c62b412a95e4583fd662183c3cfd
5ff3aa01d4cf27de813dc6cc9b040fc78 Message-Authenticator =
 0x State =
 0xf48deff8e489ad47d9acb4c64dc756f4

 With box unchecked, everything seems to be ok in freeradius logs.
 But just after Access-Accept packet, AP reboots and client connection dies.

If your AP actually reboots, it's probably an AP problem. Try upgrading 
firmware.

Keep smiling
yanosz



Re: FreeRadius 1.0.4 crashing when getting Request

2005-08-17 Thread Nicolas Baradakis
Sebastian Mauer wrote:

 I have a little problem with setting up FreeRADIUS with MySQL Support
 properly. My Linux Distro is Debian Sarge 3.1. I installed all necessary
 libraries and compiled FreeRadius with MySQL enabled. Then I installed all
 necessary MySQL tables and configured FreeRadius to do EAP-TLS with MySQL as
 backend. All seems to work nice until the server finally receives a first
 request. The server segfaults and that's the end.

 I have no idea what could have gone wrong
 Does someone of you have an idea what to do?

Please post the gdb output. Follow the instructions at:
http://www.freeradius.org/radiusd/doc/bugs

-- 
Nicolas Baradakis



Re: FreeRadius 1.0.4 crashing when getting Request

2005-08-17 Thread Jan Luehr
Greetings,

On Wednesday, 17 August 2005 12:21, Sebastian Mauer wrote:
 Hello there,

 I have a little problem with setting up FreeRADIUS with MySQL Support
 properly. My Linux Distro is Debian Sarge 3.1. I installed all necessary
 libraries and compiled FreeRadius with MySQL enabled. Then I installed all
 necessary MySQL tables and configured FreeRadius to do EAP-TLS with MySQL
 as backend. All seems to work nice until the server finally receives a
 first request. The server segfaults and that's the end.

Did you use strace?
Have you verified that the mysql connection is actually working as set up?

Keep smiling
yanosz


Re: Debian 802.1x LDAP

2005-08-17 Thread Vladimir Vuksan

Cian Phillips wrote:

If you have any tips or good links for up to date information on how  
to set freeradius up to talk to a Cisco WAP I could use the help. grin


I have a howto on LDAP and FreeRADIUS at

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

I have successfully used it for WPA with Linksys and Foundry Networks 
APs. Should work with Cisco.


Vladimir





freeRadius Authorization

2005-08-17 Thread abera
Hi,

I have small newbie questions..

I want to configure freeRadius for authentication 
authorization. I am able to do proper authentication. 

1) I want to configure my users in multiple groups
(depending on their roles). How to do that?

2) And what is the common practice for this? How this
is managed in any enterprise servers / enterprise
networks who uses radius server for the AAA?

Thanks...


Regards,
abera






Re: Require NAS dependant radius return attributes

2005-08-17 Thread Alan DeKok
Ben Thompson [EMAIL PROTECTED] wrote:
 Thanks for that advice. I can see that I could end up with a very large
 users file using this method. Is there any limit on the size of the
 users file?

  Memory.  Also, the CPU time required to walk its internal
representation (linked list).

 In the near future we may have something like 80 entries in
 there. Is this where you would normally look to use a database
 backend?

  Yes.  Or, if the mappings are relatively simple, you could look at
rlm_passwd, which does simple mappings.  It uses a hash to look up
data, so it should be fast.

  Alan DeKok.


Re: rlm_x99

2005-08-17 Thread Alan DeKok
Iandc Davies [EMAIL PROTECTED] wrote:
 Can anybody tell me what the rlm_x99 modules is and does ?

  X9.9 challenge-response token cards.

 It's stopping my compile at the moment and ammjust wondering whether I need
 it or not.

  You probably don't need it.  Just delete the whole directory, and it
should be fine.

  Alan DeKok.



Re: How to Disable RADIUS user logins if 'Session-Timeout' falls below 0

2005-08-17 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I have added a trigger on RADACCT table which subtracts amount of time
 used by user from RADREPLY each time when he logs in.
 
 It does work but when time is below 0 or negative I need to stop user
 from getting into my system and I am failing to do so.

  rlm_sqlcounter does this already.

  Alan DeKok.
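Sagar asked above for the SQL-side check, and Alan's answer points at rlm_sqlcounter, which is the supported way to do it. As an added illustration that is not from the thread and not FreeRADIUS code, the Python below models the logic against an in-memory sqlite3 table built from the radreply rows Sagar posted (sqlite3 standing in for PostgreSQL is an assumption made so the example runs offline; the names authorize, set_session_time and record_stop are invented for the example). The authorize step refuses the user when the stored Session-Timeout is at or below zero before any reply items are fetched, and record_stop does what Sagar's RADACCT trigger does.

```python
import sqlite3

# Constructed stand-in for the radreply table: the same id/username/attribute/
# op/value layout as the INSERT statements in Sagar's post.
RADREPLY_ROWS = [
    (2, 'sagar', 'Idle-Timeout', ':=', '300'),
    (3, 'sagar', 'Reply-Message', ':=', 'You Have Logged in Successfully'),
    (1, 'sagar', 'Acct-Interim-Interval', ':=', '120'),
    (4, 'sagar', 'Session-Timeout', ':=', '-904'),
]


def open_db():
    """Create an in-memory radreply table populated with the sample rows."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE radreply (id INTEGER PRIMARY KEY, username TEXT, '
                 'attribute TEXT, op TEXT, value TEXT)')
    conn.executemany('INSERT INTO radreply VALUES (?, ?, ?, ?, ?)', RADREPLY_ROWS)
    conn.commit()
    return conn


def remaining_session_time(conn, username):
    """Seconds of Session-Timeout left for the user, or None if no such row."""
    row = conn.execute(
        "SELECT value FROM radreply WHERE username = ? AND attribute = 'Session-Timeout'",
        (username,)).fetchone()
    return None if row is None else int(row[0])


def authorize(conn, username):
    """('reject', reason) when the quota is used up, else ('accept', reply items).

    The quota test runs BEFORE the reply items are read, so a user with no time
    left never gets as far as an Access-Accept. (A real authorize step would also
    require a matching check row; that part is left out here.)
    """
    left = remaining_session_time(conn, username)
    if left is not None and left <= 0:
        return 'reject', 'Session-Timeout is %d, no time left' % left
    rows = conn.execute(
        'SELECT attribute, value FROM radreply WHERE username = ? ORDER BY id',
        (username,)).fetchall()
    return 'accept', dict(rows)


def set_session_time(conn, username, seconds):
    """Top up or reset the user's Session-Timeout quota."""
    conn.execute("UPDATE radreply SET value = ? "
                 "WHERE username = ? AND attribute = 'Session-Timeout'",
                 (str(seconds), username))
    conn.commit()


def record_stop(conn, username, acct_session_time):
    """What Sagar's RADACCT trigger does: subtract the finished session's
    Acct-Session-Time from the stored Session-Timeout. Returns the new value."""
    left = remaining_session_time(conn, username)
    if left is not None:
        set_session_time(conn, username, left - acct_session_time)
    return remaining_session_time(conn, username)


if __name__ == '__main__':
    db = open_db()
    print(authorize(db, 'sagar'))          # rejected: stored value is -904
    set_session_time(db, 'sagar', 600)
    print(authorize(db, 'sagar'))          # accepted, Session-Timeout 600
    print(record_stop(db, 'sagar', 700))   # -100: the next login is rejected
    print(authorize(db, 'sagar'))
```

The queries are parameterised rather than built by pasting the user name into SQL text, and the quota test is a plain integer comparison in the authorize path, which is the same shape of check rlm_sqlcounter performs from the accounting table.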


LDAP attributes into freeradius

2005-08-17 Thread Joe H

Here is my goal:

I would like to assign an attribute to certain users in ldap and have 
freeradius look for that attribute to determine whether or not to reply 
back to the NAS device with an IP address pool name.  The users with the 
attribute set would not have the Pool sent and the users without the 
attribute set would have the pool sent.


Here is the rule that I have set for it in the users file:

DEFAULT Huntgroup-Name == dialup
        Idle-Timeout = 1800,
        Fall-Through = Yes

DEFAULT Huntgroup-Name == dialup, No-Pool != 1
        USR-Framed_IP_Address_Pool_Name = POOL,
        Idle-Timeout := 120,
        Fall-Through = Yes

dialup is the ldap module I have setup in the radiusd.conf file.  Here is 
that entry:


ldap dialup {
        server = localhost
        identity = "cn=Manager,dc=domain,dc=com"
        password = *
        basedn = "ou=Users,o=domain.com,dc=domain,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        tls_mode = no
        dictionary_mapping = ${raddbdir}/ldap-dialup.attrmap
        ldap_connections_number = 288
        groupname_attribute = gidNumber
        groupmembership_filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        timeout = 4
        timelimit = 3
        net_timeout = 1
        compare_check_items = no
}

The problem I'm seeing is that radius doesn't seem to use the value of 
No-Pool.  I have it in the ldap-dialup.attrmap as:

checkItem       No-Pool         radiusNoPool

radiusNoPool is the ldap attribute with a value of 1.

Where else do I need to add the new attribute No-Pool in order for 
freeradius to use it?


Joe H.
GWI Operations.


Re: Require NAS dependant radius return attributes

2005-08-17 Thread Ben Thompson
On Wed, 2005-08-17 at 10:51 -0400, Alan DeKok wrote:
 Ben Thompson [EMAIL PROTECTED] wrote:
  Thanks for that advice. I can see that I could end up with a very large
  users file using this method. Is there any limit on the size of the
  users file?
 
   Memory.  Also, the CPU time required to walk its internal
 representation (linked list).
 
  In the near future we may have something like 80 entries in
  there. Is this where you would normally look to use a database
  backend?
 
   Yes.  Or, if the mappings are relatively simple, you could look at
 rlm_passwd, which does simple mappings.  It uses a hash to look up
 data, so it should be fast.
 
   Alan DeKok.

Hi

Thanks for the info, I will have a look at rlm_passwd.

Meanwhile I have tested a setup using the huntgroups file combined with
the use of multiple DEFAULT entries in the users file like this :-

huntgroups file:

group1  NAS-Identifier == accesspoint5
group1  NAS-Identifier == accesspoint2

group2  NAS-Identifier == switch6
group2  NAS-Identifier == switch3

etc..

users file:

user1   NT-Password := 35C8397B2320E568467904961A2AF40F
        Fall-Through = Yes

user2   NT-Password := 35C8397B2320E568467904961A2AF40F
        Fall-Through = Yes

DEFAULT
        Tunnel-Type:1 := VLAN,
        Tunnel-Medium-Type:1 := IEEE-802,
        Fall-Through = Yes

DEFAULT Huntgroup-Name == group1
        Tunnel-Private-Group-ID:1 := 3970,
        Fall-Through = Yes

DEFAULT Huntgroup-Name == group2
        Tunnel-Private-Group-ID:1 := 4025

This cuts the potential size of my users file down to about 2
entries and the huntgroups file to about 50 entries. Does this sound
reasonable? I am currently running on a dual Xeon 2.8GHz with 2GB of RAM
which is dedicated to running FreeRADIUS.

Many Thanks

Ben Thompson
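Two answers in this digest turn on how the users file is evaluated: Nicolas's point in the "User-Name - Reg Expr" thread that all check items must sit on the first line of an entry, and Ben's huntgroups plus multiple-DEFAULT layout with Fall-Through in this thread. The Python below is an added example, not FreeRADIUS code and not from either poster: a small evaluator that parses a constructed users file and huntgroups file modelled on their posts (the entry names, the reuse of Ben's sample hash, and the functions parse_users, parse_huntgroups and authorize are assumptions made for the example) and walks the entries in file order the way rlm_files does, so you can see which reply items a request ends up with, and why a check item written on a continuation line is silently taken as a reply item.

```python
import re

# Constructed huntgroups file modelled on Ben's post: a request is "in" a
# huntgroup when it matches any line that carries that group name.
HUNTGROUPS = """\
group1  NAS-Identifier == accesspoint5
group1  NAS-Identifier == accesspoint2
group2  NAS-Identifier == switch6
group2  NAS-Identifier == switch3
"""

# Constructed users file: Nicolas's MAC-address DEFAULT entry followed by
# Ben's VLAN entries. Only the FIRST line of an entry holds check items;
# every indented continuation line holds reply items.
USERS = """\
DEFAULT User-Name =~ "^([0-9a-fA-F]){6}-([0-9a-fA-F]{6})$", Auth-Type := Accept
        Reply-Message = "MAC address accepted"

user1   NT-Password := 35C8397B2320E568467904961A2AF40F
        Fall-Through = Yes

DEFAULT
        Tunnel-Type:1 := VLAN,
        Tunnel-Medium-Type:1 := IEEE-802,
        Fall-Through = Yes

DEFAULT Huntgroup-Name == group1
        Tunnel-Private-Group-ID:1 := 3970,
        Fall-Through = Yes

DEFAULT Huntgroup-Name == group2
        Tunnel-Private-Group-ID:1 := 4025
"""

# attribute, operator, quoted-or-bare value, optional trailing comma
ITEM = re.compile(r'\s*([\w:.-]+)\s*(:=|==|=~|!=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*,?')


def parse_items(text):
    """'Attr op value, Attr op value' -> [(attr, op, value), ...] with quotes stripped."""
    return [(a, op, v[1:-1] if v.startswith('"') else v) for a, op, v in ITEM.findall(text)]


def parse_users(text):
    """Split a users file into (name, check_items, reply_items) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():                      # continuation line: reply items
            entries[-1][2].extend(parse_items(line))
        else:                                      # first line: name + check items
            parts = line.split(None, 1)
            entries.append((parts[0], parse_items(parts[1]) if len(parts) > 1 else [], []))
    return entries


def parse_huntgroups(text):
    """huntgroups file -> [(group, (attr, op, value)), ...]."""
    out = []
    for line in text.splitlines():
        if line.strip():
            group, rest = line.split(None, 1)
            out.append((group, parse_items(rest)[0]))
    return out


def in_huntgroup(group, request, huntgroups):
    return any(g == group and request.get(a) == v for g, (a, _, v) in huntgroups)


def check_matches(item, request, huntgroups):
    attr, op, value = item
    if op == ':=':                                 # control-side assignment, not a test
        return True
    actual = request.get(attr, '')
    if attr == 'Huntgroup-Name':                   # resolved through the huntgroups file
        actual = value if in_huntgroup(value, request, huntgroups) else ''
    if op == '==':
        return actual == value
    if op == '!=':
        return actual != value
    if op == '=~':
        return re.search(value, actual) is not None
    return False


def authorize(request, users, huntgroups):
    """Walk entries in file order; stop at the first match unless it sets Fall-Through = Yes."""
    control, reply = {}, {}
    for name, checks, replies in users:
        if name not in ('DEFAULT', request.get('User-Name')):
            continue
        if not all(check_matches(c, request, huntgroups) for c in checks):
            continue
        control.update((a, v) for a, op, v in checks if op == ':=')
        fall_through = False
        for attr, op, value in replies:
            if attr == 'Fall-Through':
                fall_through = value.lower() == 'yes'
            else:
                reply[attr] = value
        if not fall_through:
            break
    return control, reply


if __name__ == '__main__':
    users, groups = parse_users(USERS), parse_huntgroups(HUNTGROUPS)
    print(authorize({'User-Name': 'user1', 'NAS-Identifier': 'accesspoint2'}, users, groups))
    print(authorize({'User-Name': '00aabb-ccddee', 'NAS-Identifier': 'switch6'}, users, groups))
```

Feeding this a two-line entry whose second line reads "Auth-Type := Accept" reproduces Michael's symptom: the parser files Auth-Type under reply items, no check item sets it, and the server has no Auth-Type to authenticate with.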




Re: LDAP attributes into freeradius

2005-08-17 Thread Alan DeKok
Joe H [EMAIL PROTECTED] wrote:
 Where else do I need to add the new attribute No-Pool in order for 
 freeradius to use it?

  raddb/dictionary  See also man dictionary

  Alan DeKok.


Re: Require NAS dependant radius return attributes

2005-08-17 Thread Alan DeKok
Ben Thompson [EMAIL PROTECTED] wrote:
 This cuts the potential size of my users file down to about 2
 entries and the huntgroups file to about 50 entries. Does this sound
 reasonable?

  Yes.  But also:

 user2 NT-Password := 35C8397B2320E568467904961A2AF40F
 Fall-Through = Yes

  If that's all you're doing with usernames, I'd still suggest using
rlm_passwd.  It'll be a lot easier to manage, and faster, too.

  Alan DeKok.





Re: Debian 802.1x LDAP

2005-08-17 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 16, 2005 at 18:18 -0800 wrote:

Thanks Kris!

Everything appeared to compile, install and run without any errors.

If you have any tips or good links for up to date information on how  
to set freeradius up to talk to a Cisco WAP I could use the help. grin

No problem.

Sorry, I don't have any Cisco experience -- it's a bit beyond our budget
at this point.

Now, the D-Link and Linksys $50-special AP's, that's a different story!

:-)

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Freeradius VLANID Question

2005-08-17 Thread Armin Krämer

Hi, at the moment I'm planning to build a network based out of 20 VLANs over 8
Nortel switches. Depending on the given layout of the network I need to add
some PCs to more than one port-based VLAN. Is it possible to give the VLAN
ID over the Radius server, and is it possible to send more than one VLAN ID
for one client to the switch? Does this work?

Armin




SSL Problem???

2005-08-17 Thread DeYoung, Brandon
Hello all,
I have been successfully providing 802.1x authentication to my
wireless users for approx six months. This was implemented using
ntlm_auth, PEAP, and MSCHAPV2 (windows XP client) against an Active
Directory backend. 

We had a power spike, which produced multiple simultaneous drive
failures and there is little but corrupted data left on my server. I
managed to retrieve my config files from backup, but had to do a clean
install, recreate SSL certs, etc. I am using freeradius-1.0.0-5 on Suse
9.2 Pro. 

I *believe* this snippet from my debug output shows the problem:

snip-
  eaptls_process returned 3 
TLS_accept:error in SSLv3 read client certificate A 
  rlm_eap_peap: EAPTLS_SUCCESS
-snip--

This would *seem* to indicate a problem with my certificate generation.
I've deleted and re-created my certs on both the server and the client 4
times now. I've tried giving the certs different names, thinking that
they weren't deleted correctly from WinXP's mmc panel. I'm following
this howto on cert creation:
http://jeremy.austux.net/resources/network/eaptls.html 

I'm pretty sure that this is the same howto I followed last time and it,
just worked.

I'm only about 95% sure that my certs are the problem. If someone could
at least confirm that, it would help. If anyone can pinpoint my issue
more precisely I would be eternally grateful, as I'm really in a bind
right now.

Any and all suggestions are most welcome.

Thanks much!
~Brandon

Exhaustive info below:
 
I have the following relevant software installed:
samba-3.0.9-2.3
samba-winbind-3.0.9-2.3
openssl-0.9.7d-25


Here are a couple radtest outputs (note: the user here is local, not AD
and obviously this is by-passing certificates).

houston:/etc/raddb # radtest test testing localhost 43.191.108.31 SECRET
Sending Access-Request of id 135 to 127.0.0.1:1812
User-Name = test
User-Password = testing
NAS-IP-Address = houston
NAS-Port = 43
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=135,
length=20
houston:/etc/raddb #

houston:/etc/raddb # radtest test wrongpw localhost 43.191.108.31 SECRET
Sending Access-Request of id 156 to 127.0.0.1:1812
User-Name = test
User-Password = wrongpw
NAS-IP-Address = houston
NAS-Port = 43
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=156,
length=20
houston:/etc/raddb #

.So that works as it should.

Here's an ntlm_auth output:

houston:/etc/raddb # /usr/bin/ntlm_auth --username=deyoungb --domain=AM
password: 
NT_STATUS_OK: Success (0x0)
houston:/etc/raddb #

that works too, but, Houston...we still have a problem.

here is a full debug output:


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: 

Release date for 1.1.0/CVS?

2005-08-17 Thread Wesley Spadola
Is there any news of a approximate release date for the 1.1.0 line of 
FreeRADIUS?


Which bugs are currently showstoppers for this line to be released as 
stable?


Thanks,
Wes


Issues authenticating vs 2003 AD

2005-08-17 Thread Tim P
I am handing off a request from pppd to radius and am failing with a
valid user in the domain.

Here is the output of radiusd -X -A

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32769, id=39, length=72
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = ppptest
CHAP-Password = 0xa3de2596eae8f89f46e35d612d8858ac55
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = ppptest, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ppptest
radius_xlat:  '(sAMAccountName=ppptest)'
radius_xlat:  'dc=company,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to domcon.company.org:389, authentication 0
rlm_ldap: bind as cn=administrator,cn=Users,dc=company,dc=org/password
to domcon.company.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=company,dc=org, with filter
(sAMAccountName=ppptest)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ppptest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_chap: login attempt by ppptest with CHAP password
  rlm_chap: Could not find clear text password for user ppptest
  modcall[authenticate]: module chap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 39 to 127.0.0.1:32769
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 39 with timestamp 4303762d
Nothing to do.  Sleeping until we see a request.

Any ideas?  Both mschap and chap are enabled in the radiusd.conf



Proxying Machine Authentications

2005-08-17 Thread King, Michael
I currently have our wireless users authenticating to our Active
Directory 2003 domain using PEAP and TTLS.

We want to proxy our machine authentications off to something else that
can authenticate them.

Does anyone have any examples of how to do this?

I know all the machine accounts show up on my NAS as 

host/machinename

Whereas my users are :

Domain\Username 
Or
Username



Re: Proxying Machine Authentications

2005-08-17 Thread Alan DeKok
King, Michael [EMAIL PROTECTED] wrote:
 We want to proxy our machine authentications off to something else that
 can authenticate them.
 
 Does anyone have any examples of how to do this?
 
 I know all the machine accounts show up on my NAS as 
 
 host/machinename

  In the users file, do:

DEFAULT  EAP-Message *= 0x00, User-Name =~ /, Proxy-To-Realm := foo

  That should work.

  Alan DeKok.


Re: SSL Problem???

2005-08-17 Thread Alan DeKok
DeYoung, Brandon [EMAIL PROTECTED] wrote:
 I *believe* this snippet from my debug output shows the problem:
 
 snip-
   eaptls_process returned 3 
 TLS_accept:error in SSLv3 read client certificate A 
   rlm_eap_peap: EAPTLS_SUCCESS
 -snip--
 
 This would *seem* to indicate a problem with my certificate generation.

  No, because it returns success.  SSL is looking for a client
certificate, and PEAP doesn't need one.  SSL is then helpful, and
prints out error messages.

  The rest of your debug log shows that the client just stops talking
to the server.  Odds are they're XP SP2 boxes, where MS broke EAP.

  Alan DeKok.



Re: Release date for 1.1.0/CVS?

2005-08-17 Thread Alan DeKok
Wesley Spadola [EMAIL PROTECTED] wrote:
 Is there any news of a approximate release date for the 1.1.0 line of 
 FreeRADIUS?

  When it's ready.  Hopefully in the next month or so.

 Which bugs are currently showstoppers for this line to be released as 
 stable?

  The EAP linking issues.  Other than that, the rest of the work is
cleanups.

  I think it will be released as 2.0, because there are just so many
things fixed, and so many new features added.

  Alan DeKok.



Re: Issues authenticating vs 2003 AD

2005-08-17 Thread Alan DeKok
Tim P [EMAIL PROTECTED] wrote:
 I am handing off a request from pppd to radius and am failing with a
 valid user in the domain.

  No.

  The server is failing because it doesn't have a clear-text password.

 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...

  The LDAP module doesn't get a clear-text password from AD, so the
server can't authenticate the user.

 Any ideas?  Both mschap and chap are enabled in the radiusd.conf

  AD won't give the server clear-text passwords.  So doing CHAP to AD
is *impossible*.

  You CAN use MS-CHAP, but for that you've got to configure ntlm_auth.

  Remember, AD is *not* an LDAP server.  It just pretends to be one
sometimes.

  Alan DeKok.
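Alan's answer rests on the CHAP arithmetic, so here is the RFC 1994 check written out as an added example (not from the thread and not rlm_chap's code): the CHAP-Password value the NAS sends is one ident byte followed by MD5(ident || clear-text password || challenge), where the challenge is the CHAP-Challenge attribute or, when that is absent, the Request Authenticator. The server can only recompute that digest with the clear-text password in hand, which an NT hash from AD cannot supply. The ident, challenge and password below are constructed values and the function names are invented for the example; only split_chap_password is run against the CHAP-Password value from Tim's debug output, because the challenge that produced it is not in the post.

```python
import hashlib
import hmac

# Constructed inputs (not from the post).
IDENT = 0xa3
CHALLENGE = bytes.fromhex('0f1e2d3c4b5a69788796a5b4c3d2e1f0')  # CHAP-Challenge or Request Authenticator
PASSWORD = b'correct horse'                                      # the clear-text credential AD never exports


def chap_response(ident, password, challenge):
    """RFC 1994 response as pppd computes it: MD5(ident || clear-text password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attribute(ident, password, challenge):
    """Build the CHAP-Password value as radiusd -X prints it: '0x' + ident byte + 16-byte MD5."""
    return '0x' + (bytes([ident]) + chap_response(ident, password, challenge)).hex()


def split_chap_password(attr):
    """Parse a '0x...' CHAP-Password value into (ident, 16-byte response)."""
    raw = bytes.fromhex(attr[2:] if attr.startswith('0x') else attr)
    if len(raw) != 17:
        raise ValueError('CHAP-Password must be 17 bytes, got %d' % len(raw))
    return raw[0], raw[1:]


def chap_verify(attr, challenge, cleartext_password):
    """Server side, the way rlm_chap does it: recompute the digest from the
    CLEAR-TEXT password and compare in constant time. With only an NT hash, or
    no password at all, there is nothing to hash, which is the failure in the post."""
    ident, response = split_chap_password(attr)
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(response, expected)


if __name__ == '__main__':
    attr = chap_password_attribute(IDENT, PASSWORD, CHALLENGE)
    print(attr)
    print(chap_verify(attr, CHALLENGE, PASSWORD))   # True
    print(chap_verify(attr, CHALLENGE, b'wrong'))   # False
    # The value from Tim's log splits into ident 0xa3 and a 16-byte digest.
    print(split_chap_password('0xa3de2596eae8f89f46e35d612d8858ac55'))
```

MS-CHAP differs precisely here: its response is derived from the NT hash of the password rather than the password itself, which is why Alan's ntlm_auth route works against AD while CHAP cannot.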



Re: SSL Problem???

2005-08-17 Thread Alan DeKok
Jamie Crawford [EMAIL PROTECTED] wrote:
 In the statement Odds are they're XP SP2 boxes, where MS broke EAP
 what exactly is broken.  Will XP SP2 not work with PEAP?

  It won't.

  This was discussed on the list last week.

  Alan DeKok.


Re: Issues authenticating vs 2003 AD

2005-08-17 Thread Tim P
Thought it was configured; I believe I have tested it positively in the
past. I want to use ntlm_auth. I had this in there and had tested it
as far as I know:

radiusd.conf
ldap {
        server = domcon.company.org
        basedn = "dc=company,dc=org"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        password_attribute = userPassword
        identity = "cn=administrator,cn=Users,dc=company,dc=org"
        password = password
}



Will this not work? If not, how do I configure the ntlm_auth part?

On 8/17/05, Alan DeKok [EMAIL PROTECTED] wrote:
 Tim P [EMAIL PROTECTED] wrote:
  I am handing off a request from pppd to radius and am failing with a
  valid user in the domain.
 
   No.
 
   The server is failing because it doesn't have a clear-text password.
 
  rlm_ldap: looking for check items in directory...
  rlm_ldap: looking for reply items in directory...
 
   The LDAP module doesn't get a clear-text password from AD, so the
 server can't authenticate the user.
 
  Any ideas?  Both mschap and chap are enabled in the radiusd.conf
 
   AD won't give the server clear-text passwords.  So doing CHAP to AD
 is *impossible*.
 
   You CAN use MS-CHAP, but for that you've got to configure ntlm_auth.
 
   Remember, AD is *not* an LDAP server.  It just pretends to be one
 sometimes.
 
   Alan DeKok.
 


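The ntlm_auth wiring Alan is pointing at, as an added example that is neither from this thread nor the FreeRADIUS project's own shipped configuration. The idea is that the mschap module hands the MS-CHAP challenge and response to Samba's ntlm_auth, which has the domain controller verify them, so the server never needs the clear-text password that AD will not give out. The ntlm_auth path (/usr/bin/ntlm_auth) and the NT domain name EXAMPLE are assumptions; the ldap block keeps Tim's server, basedn, filter and identity values, and deliberately drops password_attribute because AD never returns one.

```conf
# radiusd.conf (FreeRADIUS 1.x) -- added example, not the thread's or the project's own config.
# ASSUMPTIONS: ntlm_auth lives in /usr/bin, the NT domain is EXAMPLE, the radius
# host has been joined to the domain ("net join") and winbindd is running.
modules {
        ldap {
                server = domcon.company.org
                basedn = "dc=company,dc=org"
                filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
                identity = "cn=administrator,cn=Users,dc=company,dc=org"
                password = password
                # No password_attribute: AD does not return one, so rlm_ldap is only used
                # here for authorize-time check/reply items, never for authentication.
        }

        mschap {
                authtype = MS-CHAP
                with_ntdomain_hack = yes
                # Pass the MS-CHAP challenge and NT-Response (as hex) to Samba, which checks
                # them against the domain controller and returns the NT key used for MPPE.
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-EXAMPLE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }
}

authorize {
        preprocess
        mschap          # sets Auth-Type := MS-CHAP when MS-CHAP attributes are present
        ldap
        files
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        # No CHAP section on purpose: without a clear-text password the server
        # cannot compute the CHAP digest, so CHAP against AD cannot succeed.
}
```

Two checks are worth doing before blaming the config. First, run ntlm_auth by hand as the user radiusd runs as (for example `ntlm_auth --username=someuser --domain=EXAMPLE`, which prompts for the password); if that fails, the radius user usually cannot read winbindd's privileged pipe directory, and no radiusd.conf change will help. Second, the pppd side has to stop offering CHAP: `require-mschap-v2` (or `require-mschap`) in the pppd options file, since a CHAP request leaves the server with nothing it can verify.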


General Question..

2005-08-17 Thread Behzad Barzideh

Hello, I am new to Radius and Free Radius, so forgive me if this question 
has been asked or it is crazy.

We are in the process of changing all our authentication and authorization. 
At the moment every service has its own user-id/password database. Thus 
authentication/authorization per service is simple: to deny access to a 
given user, disable his/her password or that service. As you can imagine 
this has a big overhead and users have to remember many user-id/passwords.

Can we use Radius/LDAP to do this? What I was hoping we can do is as follows: 
everyone will get one user-id/password, but for every service we will create 
a boolean attribute. All services (dialup/wireless/vpn/etc.) will use one 
radius server for both Auth (authenticate/authorize). The question is: can 
FreeRadius (or any radius) be configured to ask the LDAP for the correct 
service attribute and give access based both on the user-id/password and on 
the value of the service attribute?

Thank you all for your help.

Re: Hotspot snmp problem

2005-08-17 Thread Robin

Hi everyone,

Finally, I have it working. I did not comment out the radutmp in 
radius.conf for the session database. I had uncommented sql, although lots 
of good that did.


Thanks again,

Robin



At 03:26 PM 8/16/2005, you wrote:

Robin [EMAIL PROTECTED] wrote:
 The detail files appear to be fine with start, alive and stop
 packets being listed, but radius.log and radwtmp and radutmp are
 empty.

  If radutmp is empty, the debug log will tell you why.

  Is it possible, I inadvertently set everything to log to the db
 only?

  Certainly.

  Alan DeKok.




RE: General Question..

2005-08-17 Thread Brent

So just set Auth-Type for the user to Reject. We do this for suspended
(non-paying) users until they pay up. No changing passwords this way.

Brent

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Behzad Barzideh
Sent: Wednesday, August 17, 2005 4:47 PM
To: freeradius-users@lists.freeradius.org
Subject: General Question..

Hello, I am new to Radius and Free Radius, so forgive me if this question 
has been asked or it is crazy.

We are in the process of changing all our authentication and authorization.
At the moment every service has its own user-id/password database. Thus 
authentication/authorization per service is simple: to deny access to a 
given user, disable his/her password or that service.
As you can imagine this has a big overhead and users have to remember many 
user-id/passwords.

Can we use Radius/LDAP to do this?
What I was hoping we can do is as follows:
everyone will get one user-id/password, but for every service we will create 
a boolean attribute. All services (dialup/wireless/vpn/etc.) will use one 
radius server for both Auth (authenticate/authorize).
The question is: can FreeRadius (or any radius) be configured to ask the LDAP 
for the correct service attribute and give access based both on the 
user-id/password and on the value of the service attribute?

Thank you all for your help.

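One way to express both Brent's suspension trick and the per-service gating Behzad asks about, as an added example that is not from the thread or the FreeRADIUS project: the service is identified by which NAS the request came from (the huntgroups file), and entitlement comes from the directory through rlm_ldap's Ldap-Group check item, so the users file never touches a password. The NAS addresses, the user name bob and the group names are assumptions, and this models entitlement as LDAP group membership per service rather than the boolean attribute Behzad describes, because that is what rlm_ldap exposes directly as a check item.

```conf
# /etc/raddb/huntgroups -- added example, not from the thread.  NAS addresses are assumptions.
# Name each NAS so policy in the users file can key on the service it fronts.
dialup    NAS-IP-Address == 192.0.2.10
wireless  NAS-IP-Address == 192.0.2.20
vpn       NAS-IP-Address == 192.0.2.30

# /etc/raddb/users -- entries are tried top to bottom; without Fall-Through the
# first matching entry wins, so ordering is the policy.

# Brent's trick: a suspended account is rejected outright, whatever service it
# hits, and its LDAP password is left alone so un-suspending is a one-line change.
bob     Auth-Type := Reject
        Reply-Message = "Account suspended, please contact billing"

# One password for everyone (checked against LDAP elsewhere); one LDAP group per
# service decides who may use it.  Ldap-Group is rlm_ldap's group-membership
# check item; the group names are assumptions.
DEFAULT Huntgroup-Name == "vpn", Ldap-Group == "vpn-users"
        Service-Type = Framed-User,
        Framed-Protocol = PPP

DEFAULT Huntgroup-Name == "wireless", Ldap-Group == "wireless-users"
        Service-Type = Framed-User

DEFAULT Huntgroup-Name == "dialup", Ldap-Group == "dialup-users"
        Service-Type = Framed-User,
        Framed-Protocol = PPP

# Anyone who reached this point is on a known NAS but not in its group: refuse,
# rather than falling through to a permissive default.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorised for this service"
```

For this to work, `preprocess` (which reads huntgroups) must run before `files` in the authorize section, and the ldap module needs its group settings (groupname_attribute and groupmembership_filter) pointed at the directory's group objects so that Ldap-Group can be evaluated. The final Reject entry is the part people forget: without it, a user in no group on a known NAS would fall through to whatever the rest of the configuration allows.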

RE: SSL Problem???

2005-08-17 Thread DeYoung, Brandon
I managed to fix this. Something was whackinated in my certificate
generation process. Followed the howto here:
http://www.alphacore.net/contrib/nantes-wireless/eap-tls-HOWTO.html 

And all works well, even with XP SP2.
~Brandon


-Original Message-
From: DeYoung, Brandon 
Sent: Wednesday, August 17, 2005 12:38 PM
To: 'FreeRadius users mailing list'
Subject: RE: SSL Problem???

Thanks for the response Alan,
My clients are WinXP SP2 boxes. I have several hundred of these which
had been working fine for the last 6 months...until my server blew up.
In fact I had more problems getting this setup to work with SP1 and made
it a policy for everyone to put SP2 on before I would configure wireless
for them.

Any other thoughts/workarounds?
~Brandon



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jamie Crawford
Sent: Wednesday, August 17, 2005 12:22 PM
To: freeradius-users@lists.freeradius.org; [EMAIL PROTECTED]
Subject: Re: SSL Problem???

In the statement "Odds are they're XP SP2 boxes, where MS broke EAP",
what exactly is broken?  Will XP SP2 not work with PEAP?

thanks,
jamie



Jamie Crawford, MCSE RHCT Network Analyst I
Information Services
Central Missouri State University
Warrensburg, MO 64093
Phone:6605434357 
Email:[EMAIL PROTECTED]

 [EMAIL PROTECTED] 08/17/05 2:10 PM 
DeYoung, Brandon [EMAIL PROTECTED] wrote:
 I *believe* this snippet from my debug output shows the problem:
 
 snip-
   eaptls_process returned 3 
 TLS_accept:error in SSLv3 read client certificate A 
   rlm_eap_peap: EAPTLS_SUCCESS
 -snip--
 
 This would *seem* to indicate a problem with my certificate
generation.

  No, because it returns success.  SSL is looking for a client
certificate, and PEAP doesn't need one.  SSL is then helpful, and
prints out error messages.

  The rest of your debug log shows that the client just stops talking
to the server.  Odds are they're XP SP2 boxes, where MS broke EAP.

  Alan DeKok.









Callback Cisco to WinXP

2005-08-17 Thread Stefan A.
Hi,

I have to configure an async callback solution using Cisco IOS and
Freeradius.
Up to now, the user can dial in and will be authenticated against my
freeradius server. Everything works fine.

After setting up the callback things on the router and on the radius server,
the user will still be granted access without any callback options.
Debugging the cisco callback during the session setup, I will get the
message:

Se0/1 MCB: Start
Se0/1 MCB: Callback not authorized for this user stefancb
...


What I've done so far:
On WinXP, I left everything default, so that the user will be given the
choice to be called back if the server makes an offer.

On the Cisco, I've configured:

interface Serial0/1
 physical-layer async
 ip address 10.1.20.200 255.255.255.0
 ip nat inside
 encapsulation ppp
 ip tcp adjust-mss 1452
 async mode interactive
 peer default ip address pool modemippool
 no keepalive
 ppp callback accept
 ppp authentication chap
!

chat-script offhook "" "ATH1" OK
chat-script callback ABORT ERROR ABORT BUSY "" "ATZ" OK "ATDT \T" TIMEOUT 60 CONNECT \c

line 2
 flush-at-activation
 script modem-off-hook offhook
 script callback callback
 modem InOut
 modem autoconfigure discovery
 transport input all
 autoselect during-login
 autoselect ppp
 speed 115200


The user is configured on the radius server:

stefancb	Auth-Type := Local, User-Password == "hello"
	Service-Type = Callback-Framed-User,
	Framed-Protocol = PPP,
	Cisco-AVPair = "ip:dns-servers=10.1.1.2",
	Cisco-AVPair != "ip:wins-servers=10.1.1.2",
	Cisco-AVPair != "lcp:callback-dialstring=0123456",

I've also tested 
Service-Type = Framed-User,



What's wrong here?
How do I have to set up the user on my Radius Server?

Thank You.
Regards Stefan




About nastype and Checkrad

2005-08-17 Thread Felix Chang
Sorry.. just something very confusing. I am using a
FreeBSD computer as my NAS; may I know what the
nastype for this NAS is? Is it "other"? I know when the
nastype is "other", the radius server won't call
checkrad. Therefore, if I want to use checkrad
to check for Simultaneous-Use, what should I do?
Do I really need to modify the script in
checkrad? Any reference on how to modify the script
in checkrad? I have been seeking it for a long time
already through the internet but nothing was found. There
is not much information about checkrad. Please
kindly reply. Thanks!

Regards

Felix 







Re: About nastype and Checkrad

2005-08-17 Thread Alan DeKok
Felix Chang [EMAIL PROTECTED] wrote:
 Sorry.. just something very confusing. I am using a
 FreeBSD computer as my NAS; may I know what the
 nastype for this NAS is? Is it "other"?

  Yes.

  I know when the nastype is other, the radius server won't call
 for the checkrad. Therefore, if I want to use the checkrad to check
 for the simultaneous-use, what should I do?

  You resign yourself to the fact that you can't call checkrad.

 Any reference on how to modify the script in the checkrad?

  It's a Perl script, and not a very complicated one.

  Alan DeKok.