User Authentication via Website with Apache
Hi, I would like to authenticate my users via apache-ssl on a website where the user must fill in his AD username and password. Only if this is correct can he access the internet. My question is if this is possible, and what I have to use so that this would be secure, like the traffic between client, AP and FreeRADIUS. EAP-TLS? PEAP/MSCHAPv2 ... I have no idea... pls help me :-) thx

Konne

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Attributes in access-challenge
Hi all,

Is it "normal" that the attributes contained in the Access-Accept packet are also contained in the Access-Challenge packets sent by FreeRADIUS? Is there a way to force FreeRADIUS to return the attributes associated with the user in the Access-Accept packet only?

Many thanks.

David
problem to authenticate via peap/mschapv2
Hi, I would like to authenticate against my AD over PEAP/MSCHAPv2, but I get the following error. My clients are Windows XP SP2 with SecureW2, my test access point is a D-Link DWL-900+, and FreeRADIUS is 1.0.5. I don't know why they don't send the User-Password...

rad_recv: Access-Request packet from host 192.168.13.10:1226, id=16, length=127
        User-Name = wuser
        NAS-IP-Address = 192.168.13.10
        NAS-Port = 0
        Called-Station-Id = 00-80-C8-15-26-66
        Calling-Station-Id = 00-0F-B5-E1-90-E6
        NAS-Identifier = numanu
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000a017775736572
        Message-Authenticator = 0xf332a25b2eaf0c9e25c989631c721dc5
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
  modcall[authorize]: module mschap returns noop for request 3
    rlm_realm: No '@' in User-Name = wuser, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 3
  rlm_eap: EAP packet type response id 1 length 10
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 3
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=wireless,dc=my,dc=dom'
radius_xlat:  '(&(sAMAccountname=wuser)(objectClass=person))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=wireless,dc=my,dc=dom, with filter (&(sAMAccountname=wuser)(objectClass=person))
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=CN=wuser,OU=wireless,DC=my,DC=dom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=wuser,OU=wireless,DC=my,DC=dom)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=wireless,dc=my,dc=dom, with filter (&(cn=wireless)(|(&(objectClass=GroupOfNames)(member=CN=wuser,OU=wireless,DC=my,DC=dom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=wuser,OU=wireless,DC=my,DC=dom))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=wuser,OU=wireless,DC=my,DC=dom, with filter (objectclass=*)
rlm_ldap: performing search in CN=wireless,OU=Groups,DC=my,DC=dom, with filter (cn=wireless)
rlm_ldap::ldap_groupcmp: User found in group wireless
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 218
  modcall[authorize]: module files returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for wuser
radius_xlat:  '(&(sAMAccountname=wuser)(objectClass=person))'
radius_xlat:  'ou=wireless,dc=my,dc=dom'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=wireless,dc=my,dc=dom, with filter (&(sAMAccountname=wuser)(objectClass=person))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user wuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 3
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 3
modcall: group Auth-Type returns invalid for request 3
auth: Failed to validate the user.
Login incorrect: [wuser] (from client ap port 0 cli 00-0F-B5-E1-90-E6)
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 1 sec
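As an added example (not code from the post above and not FreeRADIUS code), the following Python decodes the EAP-Message shown in that Access-Request and checks a Message-Authenticator the way RFC 3579 defines it. It shows that the only thing the request carries is an EAP Response/Identity for "wuser": there is no User-Password attribute in the packet at all, which is exactly what rlm_ldap complains about once Auth-Type LDAP is selected. The shared secret, the packet identifier and the other attributes used to build the sample packet are constructed here and are not the poster's values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}


def decode_eap(data):
    """Parse one EAP packet: Code, Identifier, Length (RFC 3748), then Type."""
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP Length %d but %d bytes present" % (length, len(data)))
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(data) >= 5:   # Request/Response carry Type + Type-Data
        eap["type"] = EAP_TYPES.get(data[4], data[4])
        eap["data"] = data[5:]
        if data[4] == 1:                     # Identity: Type-Data is the bare identity
            eap["identity"] = data[5:].decode("utf-8", "replace")
    return eap


def parse_attributes(area):
    """Split the RADIUS attribute area into (Type, Value) pairs (RFC 2865 TLVs)."""
    attrs, pos = [], 0
    while pos < len(area):
        if pos + 2 > len(area):
            raise ValueError("attribute header truncated")
        typ, length = area[pos], area[pos + 1]
        if length < 2 or pos + length > len(area):
            raise ValueError("attribute length out of range")
        attrs.append((typ, area[pos + 2:pos + length]))
        pos += length
    return attrs


def encode_attributes(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(secret, ident, attrs, authenticator=None):
    """Assemble an Access-Request. Message-Authenticator = HMAC-MD5(secret, packet),
    computed with the attribute's own 16 value bytes zeroed (RFC 3579 section 3.2)."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attributes(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_message_authenticator(secret, packet):
    """Recompute the HMAC with the received Message-Authenticator value zeroed."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    received, rebuilt = None, []
    for typ, val in parse_attributes(packet[20:]):
        if typ == ATTR_MESSAGE_AUTHENTICATOR:
            received, val = val, bytes(16)
        rebuilt.append((typ, val))
    if received is None or len(received) != 16:
        return False
    expected = hmac.new(secret, packet[:20] + encode_attributes(rebuilt), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def summarize_request(secret, packet):
    """What an authenticate module gets to see: is a User-Password present at all,
    and what does the EAP payload carry? EAP-Message fragments are concatenated."""
    attrs = parse_attributes(packet[20:])
    eap_bytes = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    return {
        "message_authenticator_ok": verify_message_authenticator(secret, packet),
        "has_user_password": any(t == ATTR_USER_PASSWORD for t, _ in attrs),
        "eap": decode_eap(eap_bytes) if eap_bytes else None,
    }


# Constructed sample: the EAP-Message from the debug output above, wrapped in an
# Access-Request with an assumed shared secret (not the poster's real secret).
SECRET = b"testing123"
SAMPLE = build_access_request(SECRET, 16, [
    (ATTR_USER_NAME, b"wuser"),
    (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 13, 10])),
    (ATTR_EAP_MESSAGE, bytes.fromhex("0201000a017775736572")),
])

if __name__ == "__main__":
    print(summarize_request(SECRET, SAMPLE))
    print(decode_eap(bytes.fromhex("020800061900")))   # a PEAP response seen further down this page
```

Running it on the constructed packet reports a valid Message-Authenticator, has_user_password False, and an EAP Response/Identity of "wuser". The same decoder applied to the EAP-Message 0x020800061900 from the MySQL thread further down gives a Response, id 8, type PEAP with a single flags byte, which is why none of the password-based modules in authorize have anything to do with such requests.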
Re: multiple 'users' files possible?
Hi,

> So, I have to merge the files and find another solution...

...umm, this is documented in a couple of places! Have just one single 'users' file, and then within that file pull in the user-editable ones, eg

$INCLUDE dept-a-users.txt
$INCLUDE dept-b-users.txt

alan
Re: Cache with proxy
On Tuesday 22 November 2005 at 12:31 +0100, Nicolas Baradakis wrote:
> Romain GAILLEGUE wrote:
> > I have recently installed two freeradius servers, one in server mode with MySQL authentication and the other in proxy mode. But sometimes the connection between the two servers is broken. I would like to know if it's possible to have a cache on the proxy?
>
> You may look at the module rlm_caching and raddb/experimental.conf in a CVS snapshot.

Great, thanks!
SQL Mac-Authentication based on Call-Check
Hello.

I'm currently working on my diploma thesis, and I'm sorting some things out at the moment. The task is to authenticate MAC addresses through a Cisco Catalyst 6500. A pretty new feature called mac-authentication-bypass is available in CatOS and works well with Cisco ACS 4.0 beta. Due to our demands we want to deploy freeradius, with a MySQL database.

It works like that: the switch sends an Access-Request with the connecting MAC in the Caller-ID field and Service-Type set to 10, hence Call-Check. Radius now authenticates the users on a given MAC (Caller ID) instead of a user/password.

I haven't set up freeradius yet, but I'm slightly familiar with the settings that have to be done. In table radcheck I create attribute Calling-Station-Id with value MAC-Address (f.e. ff-ee-11-22-33-44); this value will be checked against. I also have to edit the sql.conf (user, database etc) and tell radiusd.conf to use sql in the authorize section. I'm sticking to the Freeradius MySQL howto by Scott Bartlett for that. :)

The only thing I'm currently unaware of is where I can tell freeradius to use Call-Check together with MySQL; I think it's somewhere in sql.conf? The only thing that needs to be done IMO is to tell radius that there is no username and authentication needs to be done on a caller-id basis.

Any thoughts? Thanks in advance.

Bye
Florian
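To make the radcheck idea concrete, here is an added Python example (not from the post and not FreeRADIUS's rlm_sql). It models what the SQL module does with a radcheck table: select the check rows for the UserName in the request, then compare each check item against the request attributes, and refuse anything that is not a Call-Check request. sqlite3 stands in for MySQL, the rows and the request are constructed, and it is assumed here that the switch puts the MAC into User-Name as well as Calling-Station-Id, so the rows can be keyed by username. The one practical detail it adds is MAC normalization: the thesis stores ff-ee-11-22-33-44, while Cisco gear sends the dotted form seen elsewhere on this page (0013.c48a.b3e0), and a plain string compare of the two never matches.

```python
import re
import sqlite3

SERVICE_TYPE_CALL_CHECK = "Call-Check"   # RFC 2865 Service-Type value 10


def normalize_mac(raw):
    """Bring ff-ee-11-22-33-44, ff:ee:11:22:33:44, ffee.1122.3344 and FFEE11223344
    to one canonical form, so a stored value matches whatever the NAS sends."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9a-fA-F:.\-]+", raw):
        raise ValueError("not a MAC address: %r" % (raw,))
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (raw,))
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def open_radcheck(rows):
    """In-memory stand-in for the MySQL radcheck table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, "
               "Attribute TEXT, op TEXT, Value TEXT)")
    db.executemany("INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?, ?, ?, ?)", rows)
    return db


def fetch_check_items(db, username):
    """The equivalent of authorize_check_query: all check rows for one UserName."""
    return db.execute(
        "SELECT Attribute, op, Value FROM radcheck WHERE UserName = ? ORDER BY id",
        (username,),
    ).fetchall()


def check_item_matches(attribute, op, value, request):
    """Evaluate one check item against the request attributes. Only the two
    comparison operators are modelled; := and = are set operators, not checks."""
    got = request.get(attribute)
    if attribute == "Calling-Station-Id":
        try:
            value = normalize_mac(value)
            got = normalize_mac(got) if got is not None else None
        except ValueError:
            return False
    if op == "==":
        return got is not None and str(got) == value
    if op == "!=":
        return got is None or str(got) != value
    raise ValueError("operator %r not modelled" % op)


def authorize(db, request):
    """Return (accepted, reason) for one Access-Request given as a dict."""
    if request.get("Service-Type") != SERVICE_TYPE_CALL_CHECK:
        return False, "not a Call-Check request"
    username = request.get("User-Name", "")
    items = fetch_check_items(db, username)
    if not items:
        return False, "no radcheck entry for %r" % username
    for attribute, op, value in items:
        if not check_item_matches(attribute, op, value, request):
            return False, "check item %s %s %s failed" % (attribute, op, value)
    return True, "all %d check items matched" % len(items)


# Constructed radcheck rows: the MAC stored with dashes as the thesis describes,
# keyed by the MAC as the switch is assumed to send it in User-Name.
SAMPLE_ROWS = [
    ("ffee11223344", "Calling-Station-Id", "==", "ff-ee-11-22-33-44"),
    ("ffee11223344", "Service-Type", "==", "Call-Check"),
]
# Constructed request in the dotted form Cisco gear uses for station IDs.
SAMPLE_REQUEST = {
    "User-Name": "ffee11223344",
    "Calling-Station-Id": "ffee.1122.3344",
    "Service-Type": "Call-Check",
}

if __name__ == "__main__":
    print(authorize(open_radcheck(SAMPLE_ROWS), SAMPLE_REQUEST))
```

With the constructed rows the dotted request is accepted; a request for a different MAC fails on the Calling-Station-Id check item, a request without Service-Type = Call-Check is refused before any lookup, and an unknown MAC has no radcheck rows and is refused.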
Re: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
King, Michael wrote:
> Ignore the freeRADIUS package. Due to license restrictions, it cannot contain the binaries for OpenSSL. We have to use the source.

Indeed.

> Download the latest release of freeRADIUS
> Unzip freeRADIUS
>     tar -zxvf freeradius-1.0.5.tar.gz
> Switch to the directory then
>     ./configure --disable-shared
>     make
>     make install

I don't recommend this method to the Debian users, because it confuses dpkg about the files installed on the system and it's not possible to uninstall the files later. I think it's a lot better to build FreeRADIUS from sources using dpkg-buildpackage.

$ tar zxf freeradius-1.0.5.tar.gz
$ cd freeradius-1.0.5
$ fakeroot dpkg-buildpackage -b -uc
$ sudo dpkg -i ../freeradius_1.0.5-0_i386.deb

> You can look at my notes if you want: http://www.mpking.com/articles.php?lng=en&pg=55

Please add a note about dpkg-buildpackage, too.

-- 
Nicolas Baradakis
RADIUS Mac Authentication
I'm looking for a document that describes in detail the working of RADIUS MAC Authentication (which attributes are sent in the Access-Request, which values should be in there etc). This because I'm going to write code to allow RADIUS MAC Authentication in our NAS.

Thx in advance

-- 
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]
Re: Clients.conf attributes, multiples users files.
Breuer Nicolas wrote:
> I think the easiest way is to configure the name of the auth files into the clients.conf
> NAS1 : file: users
> NAS2 : file: users2, etc..
> With this type of config, we can easily manage multiple types of users/auth with one radiusd on one port..

I'd suggest to have a single users file, and test the NAS-IP-Address in the attributes of the request.

toto    NAS-IP-Address == 10.0.0.1, User-Password := azerty
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254

titi    NAS-IP-Address == 10.0.0.2, User-Password := qsdfgh
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254

-- 
Nicolas Baradakis
RE: tool for testing machine authentication
Johan Ramm-Ericson wrote:
> Hi, having just recently successfully set up freeradius and being somewhat frustrated with the documentation, I felt there may be some way I could contribute to improve it. A while back there was a thread on the mailing list to the effect of setting up a Wiki. Has this seen any progression? If not, I'll be glad to put in some effort to get this done. Also, I'm willing to pitch in on writing the documentation, however my freeradius experience is so recent that I'd probably only be able to do any good with well-defined tasks...

I set up an empty wiki a few weeks ago with the intention to start a FreeRadius wiki.

http://s92562228.onlinehome.us/wiki

... it is still empty ...

Gunther
Hi,
Hi,

I have configured freeradius with WPA support using SuSE. Using a Windows Mobile 2003 machine I could successfully authenticate. The problem is that it takes nearly 5-6 minutes to authenticate. Can anyone suggest to me how to reduce the authentication time?

Thanks
Patrice
freeradius WPA Problem
Hi,

I have configured freeradius with WPA support using SuSE. Using a Windows Mobile 2003 machine I could successfully authenticate. The problem is that it takes nearly 5-6 minutes to authenticate. Can anyone suggest to me how to reduce the authentication time?

Thanks
Patrice
Re: multiple 'users' files possible?
Arne Götje (高盛華) wrote:
> On Wednesday 23 November 2005 13:50, Lewis Bergman wrote:
> > > This is exactly my question whether this will work or the second entry will just overwrite the first one.
> >
> > Maybe this is a stupid question, but since you knew exactly what *might* work, have you tried it? It takes about 10 minutes to set up a test radius server if you don't want to mess with your production one. Give it a shot and let us all know.
>
> I tested it with my production server now... it turns out that it does not work. Only the first line in the radius.conf file will be taken, the second one ignored. So, I have to merge the files and find another solution...

Good to know. Maybe the $INCLUDE method? I have seen that used in the dictionary files so I would think it would work in users as well. So, use the default users file with a few $INCLUDEs that pull in your populated users files. Worth a shot anyway.
Re: User Authentication via Website with Apache
Konne wrote:
> Hi, I would like to authenticate my users via apache-ssl on a website where the user must fill in his AD username and password. Only if this is correct can he access the internet. My question is if this is possible, and what I have to use so that this would be secure, like the traffic between client, AP and FreeRADIUS. EAP-TLS? PEAP/MSCHAPv2 ... I have no idea... pls help me :-)

wifidog, nocat
RE: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
Thank you. I'm a relatively new Debian addict, so I was unaware of the repercussions. I learned something today, time to go home. :-) I'll throw that into my notes.

Based on the list activity in the last few days, I'm hoping to reformat and make clearer my notes. Seems there is a need for it. Someone mentioned setting up a Wiki. I'd actually prefer that, since people can fix my mistakes. :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

> I don't recommend this method to the Debian users, because it confuses dpkg about the files installed on the system and it's not possible to uninstall the files later. I think it's a lot better to build FreeRADIUS from sources using dpkg-buildpackage.
>
> $ tar zxf freeradius-1.0.5.tar.gz
> $ cd freeradius-1.0.5
> $ fakeroot dpkg-buildpackage -b -uc
> $ sudo dpkg -i ../freeradius_1.0.5-0_i386.deb
Proxy radius GTC
Hi,

I know proxying for PEAP/EAP-MsChapV2 is ok with FreeRadius. Now I want to know if proxying for PEAP/EAP-GTC is working too?

Thanks
BenjO
Error with free radius, as5800, and ascend data types
Hi,

We have this radius-reply-attribute in our radius configuration (free-radius):

    ip in forward tcp est

However, when someone dials up to our as5800 it generates this error:

    rlm_sql: Failed to create the pair: failed to parse Ascend binary attribute: Unknown string est in IP data filter

est seems to be a valid Ascend attribute.. any ideas?
Wiki
Is it possible to get a wiki going on the freeradius site, or at least a link to an official-unofficial wiki? I know that people have PDFs and notes on various sites, but it would be great if the people in charge were willing to designate an official place for a wiki.
RE: Error with free radius, as5800, and ascend data types
Why would FreeRADIUS return Ascend VSAs to a Cisco AS5800? I would only expect it to return values that are either RFC attributes or Cisco VSAs.

Rgds,
Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: 23 November 2005 15:12
To: freeradius-users@lists.freeradius.org
Subject: Error with free radius, as5800, and ascend data types

> Hi,
>
> We have this radius-reply-attribute in our radius configuration (free-radius):
>
>     ip in forward tcp est
>
> However, when someone dials up to our as5800 it generates this error:
>
>     rlm_sql: Failed to create the pair: failed to parse Ascend binary attribute: Unknown string est in IP data filter
>
> est seems to be a valid Ascend attribute.. any ideas?
www.freeradius.de - Forum
hi, i found a freeradius forum for germans... http://www.freeradius.de

ciao
Konne
Re: Error with free radius, as5800, and ascend data types
Cisco has an option to accept the non-standard Ascend attributes (note, NOT the VSAs but the early Ascend attempt to use higher numbered standard attributes).

In regards to the original poster, does the filter value work if you use it in a 'users' file syntax? Also, what version of FreeRADIUS?

-Chris

On Nov 23, 2005, at 9:45 AM, Guy Davies wrote:
> Why would FreeRADIUS return Ascend VSAs to a Cisco AS5800? I would only expect it to return values that are either RFC attributes or Cisco VSAs.
>
> Rgds,
> Guy

-- 
Chris Parker
Director, Engineering
StarNet, A Service of US LEC
(888)212-0099  Fax (847)963-1302
Wholesale Internet Services  http://www.megapop.net
VoiceEclipse, The Fresh Alternative  http://www.voiceeclipse.com
NOTICE: Message is sent IN CONFIDENCE to addressees. It may contain information that is privileged, proprietary or confidential.
eap with MySQL don't work
 = INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')
 sql: group_membership_query = SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'
 sql: connect_failure_retry_delay = 60
 sql: simul_count_query = 
 sql: simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
 sql: postauth_table = radpostauth
 sql: postauth_query = INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())
 sql: safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
 detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.47.50:21646, id=65, length=145
        User-Name = awal
        Framed-MTU = 1400
        Called-Station-Id = 00-40-96-A1-9F-C4
        Calling-Station-Id = 00-12-F0-22-79-12
        Message-Authenticator = 0x04eb8fff25ee06be6ea964e1e7a714f7
        EAP-Message = 0x020800061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 278
        State = 0x3ea1310276e93e8b451633cdf6c3dbf9
        Service-Type = Framed-User
        NAS-IP-Address = 172.16.47.50
        NAS-Identifier = venus
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
radius_xlat:  '/var/log/radius/radacct/172.16.47.50/auth-detail-20051123'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.47.50/auth-detail-20051123
  modcall[authorize]: module auth_log returns ok for request 3
  modcall[authorize]: module chap returns noop for request 3
  modcall[authorize]: module mschap returns noop for request 3
  modcall[authorize]: module digest returns noop for request 3
    rlm_realm: No '/' in User-Name = awal, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module IPASS returns noop for request 3
    rlm_realm: No '@' in User-Name = awal, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 3
    rlm_realm: No '\' in User-Name = awal, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall
Re: User Authentication via Website with Apache
Hi, I'm very interested in this too. I want the same, but all user/passwd are in a MySQL database. How can I redirect all traffic? And I want the local MAC list to be in the radius server and not in the Access Point. Any help?

Lewis Bergman wrote:
> Konne wrote:
> > Hi, I would like to authenticate my users via apache-ssl on a website where the user must fill in his AD username and password. Only if this is correct can he access the internet. My question is if this is possible, and what I have to use so that this would be secure, like the traffic between client, AP and FreeRADIUS. EAP-TLS? PEAP/MSCHAPv2 ... I have no idea... pls help me :-)
>
> wifidog, nocat

Ibán Cabrillo Bartolomé
IFCA
Re: Error with free radius, as5800, and ascend data types
We are running FR version 1.0.5

And no, it doesn't seem to work in the users file syntax.

On 11/23/05, Chris Parker [EMAIL PROTECTED] wrote:
> Cisco has an option to accept the non-standard Ascend attributes (note, NOT the VSAs but the early Ascend attempt to use higher numbered standard attributes).
>
> In regards to the original poster, does the filter value work if you use it in a 'users' file syntax? Also, what version of FreeRADIUS?
>
> -Chris
>
> On Nov 23, 2005, at 9:45 AM, Guy Davies wrote:
> > Why would FreeRADIUS return Ascend VSAs to a Cisco AS5800? I would only expect it to return values that are either RFC attributes or Cisco VSAs.
> >
> > Rgds,
> > Guy
Freeradius WPA issue
Hi,

I make tests on a Windows Pocket PC and on Windows Mobile 2003 in WPA and TKIP. The Mobile 2003 is not able to be authenticated, and the Pocket PC needs 1070 requests to authenticate itself. Herewith the debug. Help me please

Patrice

  eaptls_process returned 7 
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - ppcse01
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled identity of ppcse01
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to ppcse01
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1057
  modcall[authorize]: module preprocess returns ok for request 1057
  modcall[authorize]: module chap returns noop for request 1057
  modcall[authorize]: module mschap returns noop for request 1057
    rlm_realm: No '@' in User-Name = ppcse01, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1057
  rlm_eap: EAP packet type response id 8 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1057
    users: Matched entry ppcse01 at line 109
  modcall[authorize]: module files returns ok for request 1057
modcall: group authorize returns updated for request 1057
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1057
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
  rlm_eap_mschapv2: Issuing Challenge
  rlm_eap: RT Modif EAP-Type = 26 EAP-LENGTH = 28
  modcall[authenticate]: module eap returns handled for request 1057
modcall: group authenticate returns handled for request 1057
  PEAP: Got tunneled Access-Challenge
  rlm_eap: RT Modif EAP-Type = 25 EAP-LENGTH = 91
  modcall[authenticate]: module eap returns handled for request 1057
modcall: group authenticate returns handled for request 1057
Sending Access-Challenge of id 228 to 192.168.105.206:1645
        EAP-Message = 0x0109006019001703010018e862a5e7ef6271ecf57a1e9b0d7895f3d803cd249e33ba0c17030100381097afd07da7fef7f5c24685be3da2111f4ba06c4422d9bff38ea5ce97eb0d2c0906622a95e2d7bd2c9faab7257840a0a976464346a142d7
        Message-Authenticator = 0x
        State = 0x6323b543165f673888f160fe0aa0693d
Finished request 1057
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.105.206:1645, id=229, length=257
        User-Name = ppcse01
        Framed-MTU = 1400
        Called-Station-Id = 0013.c48a.b3e0
        Calling-Station-Id = 0002.b3db.c6ed
        Service-Type = Login-User
        Message-Authenticator = 0xa68f17dcd5bedbe27ebd9e3f35c4babb
        EAP-Message = 0x0209008019001703010018adcd3bd07450f9095c707c6f35995d1638d062e53dba1fd61703010058131b67b9eb6cec348e4f7126023f17926e848b6ea5b3ed6bc15be32453573b52cf8eb91bf4109fa04db28c8ac509c6d5f02857c46fd2a95ca506a086e504ebc8bc0ee66dca5682f3cfe500d02a97facac36fe2eee6b96a4b
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1886
        State = 0x6323b543165f673888f160fe0aa0693d
        NAS-IP-Address = 192.168.105.206
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1058
  modcall[authorize]: module preprocess returns ok for request 1058
  modcall[authorize]: module chap returns noop for request 1058
  modcall[authorize]: module mschap returns noop for request 1058
    rlm_realm: No '@' in User-Name = ppcse01, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1058
  rlm_eap: EAP packet type response id 9 length 128
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1058
    users: Matched entry ppcse01 at line 109
  modcall[authorize]: module files returns ok for request 1058
modcall: group authorize returns updated for request 1058
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1058
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7 
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Setting User-Name to ppcse01
  PEAP: Adding old state with d7 ca
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1058
  modcall[authorize]: module preprocess returns ok for request 1058
  modcall[authorize]: module chap returns noop for request
RE: Error with free radius, as5800, and ascend data types
Oh, thanks for setting me straight, Chris :)

Sounds like a pretty doomed idea to have non-standard uses of the supposedly RFC defined attributes.

Rgds,
Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Parker
Sent: 23 November 2005 15:53
To: FreeRadius users mailing list
Subject: Re: Error with free radius, as5800, and ascend data types

> Cisco has an option to accept the non-standard Ascend attributes (note, NOT the VSAs but the early Ascend attempt to use higher numbered standard attributes).
>
> In regards to the original poster, does the filter value work if you use it in a 'users' file syntax? Also, what version of FreeRADIUS?
>
> -Chris
>
> On Nov 23, 2005, at 9:45 AM, Guy Davies wrote:
> > Why would FreeRADIUS return Ascend VSAs to a Cisco AS5800? I would only expect it to return values that are either RFC attributes or Cisco VSAs.
> >
> > Rgds,
> > Guy
Re: Proxy radius GTC
benjo.fr [EMAIL PROTECTED] wrote:
> I know proxying for PEAP/EAP-MsChapV2 is ok with FreeRadius. Now I want to know if proxying for PEAP/EAP-GTC is working too?

Yes.

Alan DeKok.
Re: Wiki
Robin Mordasiewicz [EMAIL PROTECTED] wrote:
> Is it possible to get a wiki going on the freeradius site, or at least a link to an official-unofficial wiki.

We're looking into getting one set up this weekend.

> I know that people have pdf's and notes on various sites, but it would be great if the people in charge were willing to designate an official place for wiki.

I agree. I'm wary of wikis that allow anyone to edit anything, so we'll look into one that uses logins and revision control to help keep spammers out.

Alan DeKok.
Re: eap with MySQL don't work
awal.mohamadou [EMAIL PROTECTED] wrote:
> I've been knocking my head on the wall searching why my freeradius server is not working. Can someone help me please?

The problem has nothing to do with MySQL. The client isn't receiving the response from the server. Find out why.

Alan DeKok.
Re: Hi,
Patrice PAPOT [EMAIL PROTECTED] wrote:
> The problem is that it takes nearly 5-6 minutes to authenticate. Can anyone suggest me how to reduce the authentication time?

Find out why it's taking so long. Did you try running the server in debugging mode to see what it's doing?

Alan DeKok.
Re: Error with free radius, as5800, and ascend data types
Hrmm yeah.. see that after est? as in estnot est ?

Yeah apparently there were a /n and a /r after it, which the database didn't show... ugh.

On 11/23/05, Matt [EMAIL PROTECTED] wrote:
> Hi,
>
> We have this radius-reply-attribute in our radius configuration (free-radius):
>
> ip in forward tcp est
>
> However, when someone dials up to our as5800 it generates this error:
>
> rlm_sql: Failed to create the pair: failed to parse Ascend binary attribute: Unknown string est in IP data filter
>
> est seems to be a valid Ascend attribute.. any ideas?
Re: freeradius WPA Problem
On Wednesday 23 November 2005 07:58, Patrice PAPOT wrote:
> I have configured freeradius with WPA support using suse. Using Windows Mobile 2003 machine i could successfully authenticate. The problem is that it takes nearly 5-6 minutes to authenticate. Can anyone suggest me how to reduce the authentication time?

Which part of the authentication process is slow? Getting the username/password prompt or connection after entering them? Both of these are delays you will see with Windows Mobile and neither has anything to do with FreeRADIUS. Your logs should show that the actual authentication happens in a matter of seconds or less unless your backend database is slow or you have a configuration issue. Check your logs and run in debug mode if you suspect a problem.

Getting the prompt can be sped up by removing all but the essential profiles for your PDA's wireless networks and setting to connect to APs only. If your AP SSID is not broadcast, WM will have difficulty with it no matter what you do but is successful if you are patient. Usually, after a successful connection, subsequent connections are quite snappy and don't require username and password entry as it will be cached.

Connection after entering the user information is often slowed by the acquiring of the network address and doing all the NetBIOS announcements and registrations (whether you care about NetBIOS or not, it does it).

Long delays or failures may occur if you are on the fringe of the reception area or there is interference from other APs and Ad-Hoc networks on the same or adjacent channel. Obstructions like walls, metal file cabinets, bodies, etc., must also be considered.

Zoltan Ori
Re: Proxy radius GTC
Alan,

Thanks for your answer. I have this architecture :

Supplicant -- FreeRadius -- Radius

I have not the choice about Supplicant and Radius. When I want to do PEAP/EAP-GTC or PEAP/EAP-MsChapV2 directly with Supplicant and Radius, it doesn't work. FreeRadius is RFC-Compliant (thank you FreeRadius Team !!), so I put a FreeRadius like proxy. It's ok for MsChapV2, but it's not for GTC. I keep the same configuration on the FreeRadius (except in eap.conf where default_eap_type = gtc) [the supplicant configuration is ok].

Have you any idea about my mistake ?

BenjO
Re: Outer User-Name for Accounting in EAP-TTLS
I am resending this 'cause nobody responded. Any idea?

Kevin

> I want to use FreeRadius for proxy so our map is like
>
> AP - FreeRadius - MyRadius
>
> Problem is MyRadius gets user-name=anonymous in accounting. Is there a way that we can put a real user-name to accounting?
Re: SQL Mac-Authentication based on Call-Check
florian broder [EMAIL PROTECTED] wrote:
> The only thing I'm currently unaware of is, where I can tell freeradius to use Call-Check together with mysql, I think it's somewhere in sql.conf?

No, it's also in the radcheck table.

> Only thing that needs to be done IMO is to tell radius, that there is no username and authentication needs to be done on a caller-id basis.

In radcheck, also set Auth-Type := Accept if the MAC Call-Check match.

Alan DeKok.
Re: RADIUS Mac Authentication
Jonathan De Graeve [EMAIL PROTECTED] wrote:
> I'm looking for a document that describes in detail the working of RADIUS MAC Authentication. (which attributes are sent in the access-request, which values should be in there etc)

It's not a standard, so it's not documented anywhere.

> This is because I'm going to write code to allow RADIUS MAC Authentication in our NAS.

My suggestion is to look at other NAS documentation to see how they do it, and then do the same thing.

Alan DeKok.
Re: Proxy radius GTC
benjo.fr [EMAIL PROTECTED] wrote:
> Have you any idea about my mistake ?

It would help if you described exactly what you're doing. So far, I can tell you're using PEAP, MSCHAP, and GTC with proxying, but I have no idea what protocol is used where, or what protocol you *want* to be used where.

Please explain.

Alan DeKok.
Re: Outer User-Name for Accounting in EAP-TTLS
kevin [EMAIL PROTECTED] wrote:
> I am resending this 'cause nobody responded. Any idea?

Read the list archives. This question came up last week, or the week before.

Alan DeKok.
Question about deleting old files
Hi Everyone:

I have upgraded my freeradius from version 0.9.3 to the newest version. Is it safe to delete all of the files from the 0.9.3 version such as the .lib, .lib.so and .a files? Thanks!

Linda Pagillo
Director of Technical Services
N2 The Net, LLC
931-372-9179
931-520-4031 (FAX)
[EMAIL PROTECTED]
Re: Freeradius WPA issue
On Wednesday 23 November 2005 11:09, Patrice PAPOT wrote:
> Hi,
>
> I make test on Windows Pocket PC and Windows mobile 2003 in WPA and TKIP. The mobile 2003 is not able to be authenticated and pocket PC with need for 1070 requests to authenticate itself. Herewith the debug. Help me please

There are not 1070 requests shown although the last exchange is 1070.

You have an Access-Accept on request 1060 ID 231 timestamp 43844cd7
You have an Access-Accept on request 1070 ID 241 timestamp 43844cda

Looks like only 3 seconds transpired between the two. I don't think FreeRADIUS is your problem. Check your Cisco AP and Windows Mobile configurations. At one point leap was used. Are you trying to use leap as well as peap? Set your AP only for what you intend to use on your supplicants. They don't work very well if you try to set them to use everything, it will confuse your supplicant.

Please don't post the same question to different threads.

Zoltan Ori.
Re: Outer User-Name for Accounting in EAP-TTLS
I posted the same question a week or so ago, alan suggested to send the user-name back with the radius response. Unfortunately this did not help, it seems that the accesspoints we were using (foundry ironpoint 200) mix them up, foundry is currently examining the case. Which ap are you using?

regards,
markus

Quoting kevin [EMAIL PROTECTED]:
> I am resending this 'cause nobody responded. Any idea?
>
> Kevin
>
>> I want to use FreeRadius for proxy so our map is like
>>
>> AP - FreeRadius - MyRadius
>>
>> Problem is MyRadius gets user-name=anonymous in accounting. Is there a way that we can put a real user-name to accounting?

--
Markus Krause                email: [EMAIL PROTECTED]
Computing Center             Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics   Fax.: 089 - 89 40 85 98
Re: Question about deleting old files
Linda Pagillo [EMAIL PROTECTED] wrote:
> I have upgraded my freeradius from version 0.9.3 to the newest version. Is it safe to delete all of the files from the 0.9.3 version such as the .lib, .lib.so and .a files? Thanks!

Yes.

Alan DeKok.
Re: Question about deleting old files
Thank you, sir!

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, November 23, 2005 3:28 PM
Subject: Re: Question about deleting old files

> Linda Pagillo [EMAIL PROTECTED] wrote:
>> I have upgraded my freeradius from version 0.9.3 to the newest version. Is it safe to delete all of the files from the 0.9.3 version such as the .lib, .lib.so and .a files? Thanks!
>
> Yes.
>
> Alan DeKok.
Re: Question about deleting old files
Alan DeKok wrote:
> Linda Pagillo [EMAIL PROTECTED] wrote:
>> I have upgraded my freeradius from version 0.9.3 to the newest version. Is it safe to delete all of the files from the 0.9.3 version such as the .lib, .lib.so and .a files? Thanks!
>
> Yes.
>
> Alan DeKok.

Use package management if possible. As long as it understands you are upgrading package x.1 with package x.2 it will replace/delete stuff intelligently for you. To this end, you can keep local packages in apt repositories, use checkinstall, rebuild rpms...so on so forth.

Or if you install from source, keep it around and do a make uninstall -- but make sure you have a copy of your /etc/raddb or equivalent directory.

The library files are only a problem if you have an unrelated app that may be using those and requiring that specific version.
Re: Question about deleting old files
Thanks!

- Original Message -
From: Joe Maimon [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, November 23, 2005 3:42 PM
Subject: Re: Question about deleting old files

> Alan DeKok wrote:
>> Linda Pagillo [EMAIL PROTECTED] wrote:
>>> I have upgraded my freeradius from version 0.9.3 to the newest version. Is it safe to delete all of the files from the 0.9.3 version such as the .lib, .lib.so and .a files? Thanks!
>>
>> Yes.
>>
>> Alan DeKok.
>
> Use package management if possible. As long as it understands you are upgrading package x.1 with package x.2 it will replace/delete stuff intelligently for you. To this end, you can keep local packages in apt repositories, use checkinstall, rebuild rpms...so on so forth.
>
> Or if you install from source, keep it around and do a make uninstall -- but make sure you have a copy of your /etc/raddb or equivalent directory.
>
> The library files are only a problem if you have an unrelated app that may be using those and requiring that specific version.
RE: SQL Mac-Authentication based on Call-Check
If I understand this correctly I could have 3 ways to do RADIUS MAC Authentication:

1) (enterasys seems to do it like this) Username == mac, password == default password set in the nas and that matches the pass in the 'radcheck' table but different from the nas secret

2) (like it seems most vendors are doing it): Username == mac, password == nas-secret (but this also needs username(mac)/password(nas-secret) pairs in 'radcheck' table)

3) calling-station-id == mac, username == mac, password == NULL, service-type == Call Check (10) and Auth-Type := Accept

My questions:

a) could I have a security problem with 2 or 3?
b) any suggestions to choose between 1, 2 or 3 or 'just choose whatever works'?

Kind Regards,

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday 23 November 2005 19:33
To: FreeRadius users mailing list
Subject: Re: SQL Mac-Authentication based on Call-Check

> florian broder [EMAIL PROTECTED] wrote:
>> The only thing I'm currently unaware of is, where I can tell freeradius to use Call-Check together with mysql, I think it's somewhere in sql.conf?
>
> No, it's also in the radcheck table.
>
>> Only thing that needs to be done IMO is to tell radius, that there is no username and authentication needs to be done on a caller-id basis.
>
> In radcheck, also set Auth-Type := Accept if the MAC Call-Check match.
>
> Alan DeKok.
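As an added example (not code from the thread or from FreeRADIUS) for the Call-Check variant Alan describes and for option 3 and question a) above: a Python encoder for the Access-Request a NAS sends in that mode, plus the Message-Authenticator check a server can make against the shared secret. The MAC address and the secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Added example, not FreeRADIUS or thread code. RADIUS wire format per RFC 2865
# (code, id, length, 16-byte authenticator, then type/length/value attributes);
# Message-Authenticator per RFC 2869/3579 (HMAC-MD5 keyed with the shared secret).
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 31, 80
SERVICE_TYPE_CALL_CHECK = 10


def _avp(attr_type, value):
    """Encode one attribute: type, total length (incl. 2-byte header), value."""
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def build_call_check_request(mac, secret, ident=1, authenticator=None):
    """Build an Access-Request shaped like option 3 in the thread:
    User-Name == MAC, Calling-Station-Id == MAC, Service-Type == Call-Check,
    no User-Password. The Message-Authenticator is the HMAC-MD5, keyed with the
    NAS shared secret, of the whole packet with that attribute's value zeroed."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: random per request
    mac_b = mac.encode()
    attrs = (_avp(USER_NAME, mac_b)
             + _avp(CALLING_STATION_ID, mac_b)
             + _avp(SERVICE_TYPE, struct.pack(">I", SERVICE_TYPE_CALL_CHECK)))
    placeholder = _avp(MESSAGE_AUTHENTICATOR, b"\0" * 16)
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, length) + authenticator
    digest = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _avp(MESSAGE_AUTHENTICATOR, digest)


def parse_attrs(packet):
    """Return {attr_type: [value, ...]} for the attributes after the 20-byte header."""
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return out


def verify_message_authenticator(packet, secret):
    """True only if a Message-Authenticator is present and matches `secret`.
    This proves the packet came from a NAS that knows the shared secret; it does
    not prove that the client really owns the MAC carried in User-Name."""
    pos = 20
    while pos + 1 < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\0" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False  # absent: nothing ties this packet to the shared secret


def is_call_check_mac_request(packet):
    """Does the packet have the option-3 shape (and no User-Password at all)?"""
    if not packet or packet[0] != ACCESS_REQUEST:
        return False
    attrs = parse_attrs(packet)
    name = attrs.get(USER_NAME, [None])[0]
    return (name is not None
            and attrs.get(CALLING_STATION_ID, [None])[0] == name
            and attrs.get(SERVICE_TYPE, [None])[0] == struct.pack(">I", SERVICE_TYPE_CALL_CHECK)
            and USER_PASSWORD not in attrs)


if __name__ == "__main__":
    # Constructed sample values; "testing123" is not a real deployment secret.
    pkt = build_call_check_request("00-11-22-33-44-55", b"testing123", ident=7)
    print(len(pkt), is_call_check_mac_request(pkt),
          verify_message_authenticator(pkt, b"testing123"))
```

What the check can and cannot establish answers question a) for option 3: a valid Message-Authenticator shows the request came from a NAS holding the secret, while the MAC itself is just a claim the NAS relays, so the radcheck Accept is only as trustworthy as the NAS and the link it sits on.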
RE: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
This is a great howto. Here is my scenario. I have a Windows2k DC that I would like to authenticate against. I have a Cisco VPN 3005 Concentrator that will be terminating VPN's. I would like to use FreeRADIUS to lock the users into groups and authenticate them against AD. I have followed the steps in the howto and everything seems to work fine but FreeRADIUS is ignoring MS-CHAP. I'm using ntradping, maybe that's a wrong utility for this instance. Here is the output from the test given in the howto:

server ~ # ntlm_auth --request-nt-key --domain=DOMAIN --username=apuye
password:
NT_STATUS_OK:

My question is...can I use Active Directory if I need to use attribute 25 on FreeRADIUS? If so, how do I make sure that FreeRADIUS uses on MS-CHAP for an authentication method?

Output from debug mode:

server ~ # /usr/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded
RE: help with EAP MD5 wired authentication
Ok. I finally figured out:

1. Comment out the following lines as shown below OR
2. Put your users before these lines.

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = PPP, since PPP might also be auto-detected
#	by the terminal server in which case there may not be a P suffix.
#	The terminal server sends Framed-Protocol = PPP for auto PPP.
#
# COMMENTS BEGIN
#DEFAULT	Framed-Protocol == PPP
#	Framed-Protocol = PPP,
#	Framed-Compression = Van-Jacobson-TCP-IP
# COMMENTS END

From: Anup Parkhi [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED], FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: [EMAIL PROTECTED], freeradius-users@lists.freeradius.org
Subject: RE: help with EAP MD5 wired authentication
Date: Tue, 22 Nov 2005 21:11:22 +

> Thanks for responding. I tried that but did not work. radiusd gave the same error message before. If you have it working then please send your radiusd.conf, users file. My email is [EMAIL PROTECTED]
>
> Anup
>
> From: MINODIER David RD-RESA-LAN [EMAIL PROTECTED]
> To: [EMAIL PROTECTED], FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Subject: RE: help with EAP MD5 wired authentication
> Date: Tue, 22 Nov 2005 09:31:29 +0100
>
>> Since you're using EAP-MD5, you should have in your users file:
>>
>> Xxx	Auth-Type := EAP, User-Password == whatever
>>
>> David.
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anup Parkhi
>> Sent: Tuesday 22 November 2005 01:54
>> To: freeradius-users@lists.freeradius.org
>> Subject: help with EAP MD5 wired authentication
>>
>>> Hi,
>>>
>>> I am struggling with EAP-MD5 wired authentication for last couple of days. I checked the web and archives but to no avail. I am using XP supplicant. Tried with Funk's supplicant also but same result. Any help will be highly appreciated.
>>>
>>> Thanks
>>> Anup
>>>
>>> My users file has following towards the end:
>>>
>>> # On no match, the user is denied access.
>>> a	User-Password == a
>>> test	User-Password == test
>>> Administrator	User-Password == pnbidm123!
>>> aparkhi	Auth-Type := System, User-Password == aparkhi
>>> DEFAULT	Auth-Type := Accept
>>> 	Reply-Message = All users are allowed, Welcome %u.
>>>
>>> Radiusd.conf has:
>>>
>>> 1. modules section
>>> ...
>>> 	pap {
>>> 		encryption_scheme = crypt
>>> 	}
>>>
>>> 	# CHAP module
>>> 	#
>>> 	# To authenticate requests containing a CHAP-Password attribute.
>>> 	#
>>> 	chap {
>>> 		authtype = CHAP
>>> 	}
>>> ...
>>> 	$INCLUDE ${confdir}/eap.conf
>>> 	mschap {
>>> 	...
>>> 	}
>>> 	files {
>>> 	...
>>> 	}
>>> ...
>>>
>>> The console output of radiusd -X -s is:
>>>
>>> Ready to process requests.
>>> rad_recv: Access-Request packet from host 10.11.12.107:1024, id=76, length=214
>>> 	Framed-MTU = 1480
>>> 	NAS-IP-Address = 10.11.12.107
>>> 	NAS-Identifier = HP ProCurve Switch 2824
>>> 	User-Name = test
>>> 	Service-Type = Framed-User
>>> 	Framed-Protocol = PPP
>>> 	NAS-Port = 24
>>> 	NAS-Port-Type = Ethernet
>>> 	NAS-Port-Id = 24
>>> 	Called-Station-Id = 00-0f-20-8d-04-c8
>>> 	Calling-Station-Id = 00-c0-9f-0d-4a-1f
>>> 	Connect-Info = CONNECT Ethernet 100Mbps Full duplex
>>> 	Tunnel-Type:0 = VLAN
>>> 	Tunnel-Medium-Type:0 = IEEE-802
>>> 	Tunnel-Private-Group-Id:0 = 1010
>>> 	EAP-Message = 0x020200090174657374
>>> 	Message-Authenticator = 0xb12214c2d6fb14f33c7cc758ccfb54b7
>>>   Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 0
>>>   modcall[authorize]: module preprocess returns ok for request 0
>>>   modcall[authorize]: module chap returns noop for request 0
>>>   modcall[authorize]: module mschap returns noop for request 0
>>>   rlm_eap: EAP packet type response id 2 length 9
>>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>   modcall[authorize]: module eap returns updated for request 0
>>>     users: Matched entry DEFAULT at line 152
>>>     users: Matched entry DEFAULT at line 171
>>>     users: Matched entry DEFAULT at line 183
>>>   modcall[authorize]: module files returns ok for request 0
>>> modcall: group authorize returns updated for request 0
>>>   rad_check_password: Found Auth-Type EAP
>>> auth: type EAP
>>>   Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 0
>>>   rlm_eap: EAP Identity
>>>   rlm_eap: processing type md5
>>> rlm_eap_md5: Issuing Challenge
>>>   modcall[authenticate]: module eap returns handled for request 0
>>> modcall: group authenticate returns handled for request 0
>>> Sending Access-Challenge of id 76 to 10.11.12.107:1024
>>> 	Framed-IP-Address = 255.255.255.254
>>> 	Framed-MTU = 576
>>> 	Service-Type = Framed-User
>>> 	Framed-Protocol = PPP
>>> 	Framed-Compression = Van-Jacobson-TCP-IP
>>> 	EAP-Message = 0x0103001604100118f4899111b27fc08900284095e5e2
>>> 	Message-Authenticator = 0x
>>> 	State = 0x33fe6026586af730cd367983bb9ea8b6
>>> Finished request 0
>>> Going to the next
RE: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
On Wed, 23 Nov 2005, Alhagie Puye wrote:
> I have followed the steps in the howto and everything seems to work fine but FreeRADIUS is ignoring MS-CHAP. I'm using ntradping, maybe that's a wrong utility for this instance.

I don't think you can properly test this with NTRadPing, but I have not been able to figure it out. I have set my wireless access point to use radius and the results I am getting are very different. I would suggest testing a tool that more closely resembles your production gear.
Re: More than one sentence in accounting_stop_query
> I want to make 2 SQL consultations in the accounting_stop_query field. (in sql.conf)

Define a new section like that sql {...} in sql.conf (for example call it postsql), and then invoke it in radiusd.conf in accounting { ... } section:

accounting {
	detail
	sql
	postacctsql
}

You see, all of those methods will be invoked for all accounting packets.

--
damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!
RE: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
Actually, I believe the more important question is: to authenticate against Active Directory, do you need MS-CHAP or LDAP?

Thanks,

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robin Mordasiewicz
Sent: November 23, 2005 6:16 PM
To: FreeRadius users mailing list
Subject: RE: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]

> On Wed, 23 Nov 2005, Alhagie Puye wrote:
>> I have followed the steps in the howto and everything seems to work fine but FreeRADIUS is ignoring MS-CHAP. I'm using ntradping, maybe that's a wrong utility for this instance.
>
> I don't think you can properly test this with NTRadPing, but I have not been able to figure it out. I have set my wireless access point to use radius and the results I am getting are very different. I would suggest testing a tool that more closely resembles your production gear.