Re: openssl fails

2005-12-29 Thread Adam Rogalski

You have to put the path to the files which it can't find.


- Original Message - 
From: pelusa vali [EMAIL PROTECTED]

To: freeradius-users@lists.freeradius.org
Sent: Thursday, December 29, 2005 12:34 AM
Subject: openssl fails


Hi everybody, well, I finally got openssl v0.9.8a installed. Now when I try to
generate certificates to be used with freeradius (eap-tls or eap-peap) I
use these commands for CERTIFICATE AUTHORITY GENERATION:


#openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:clue1 -passout pass:clue1
#openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:clue1 -passout pass:clue1
#openssl pkcs12 -in root.p12 -out root.pem -passin pass:clue1 -passout pass:clue1


(I copied root.p12 from the freeradius files)

#openssl x509 -inform PEM -outform DER -in root.pem -out root.der
#rm -rf newreq.pem

and these for SERVER CERTIFICATE GENERATION:

#openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:clue1
#openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem


Right here, when using this command, I get this error:

Error opening CA private key ./demoCA/private/cakey.pem
4161:error:02001002:system library:fopen:No such file or directory:bss_file.c:349:fopen ('./demoCA/private/cakey.pem' ,'r')

4161:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:351:
unable to load CA private key

Well, I really don't understand what this means, but I checked
./demoCA/private/cakey.pem and it is in fact there, so why can't openssl
locate it?? Why is it unable to load the CA private key??


So I tried this:

#openssl x509 -inform PEM -outform DER -in demoCA/cacert.pem -out demoCA/cacert.der


but now I get this:

4201:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE


Excuse me if this question is so trivial, but I really don't understand it.
Could anybody help and tell me what is happening?? Thanks for your
patience and help.




- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html






RE: using freradius 1.0.5 to secure an WLAN AP

2005-12-29 Thread Frank Buttner
But no client will get access. The Windows XP clients say that they cannot
be verified. And my Windows 2000 clients send the request all the time
because the request from the radius server seems not to be complete :(

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, December 28, 2005 11:47 PM
To: FreeRadius users mailing list
Subject: Re: using freradius 1.0.5 to secure an WLAN AP 

Frank Buttner [EMAIL PROTECTED] wrote:
> Hello, I try to use freeradius to secure my WLAN. But it will not work.
> The clients talk to the ap and the ap to my radius Server. But the
> answer of the radius server is not ok:(

  What's going wrong?  Your message doesn't include anything that I can see
is a problem.

  Alan DeKok.



Re: Freeradius vs NT Domain Authentication

2005-12-29 Thread Richard Bortolucci
Alan,

I'm already reading the conf files, but I still can't make this work. Can you check the log below?

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc//raddb/proxy.conf
Config: including file: /etc//raddb/clients.conf
Config: including file: /etc//raddb/snmp.conf
Config: including file: /etc//raddb/eap.conf
Config: including file: /etc//raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded SMB
smb: server = server.domain.com
smb: backup = server.domain.com
smb: domain = DOMAIN
Module: Instantiated smb (smb)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc//raddb/huntgroups
preprocess: hints = /etc//raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = prefix
realm: delimiter = \
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (ntdomain)
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /etc//raddb/users
files: acctusersfile = /etc//raddb/acct_users
files: preproxy_usersfile = /etc//raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /usr/local/var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 

radiusd core dumps on authentication (solaris 9)

2005-12-29 Thread Johan Ramm-Ericson
Hello freeradius-users!

I am currently experiencing an authentication problem and am wondering
if anyone has run into something similar (or has an answer as to what
I'm doing wrong 

I am running freeradius 1.0.5 on a Solaris 9 box. I have my users
accounts currently stored in a NIS/YP database hosted by a Linux (Suse
SLES9) server. My users - configuration file - currently looks like
this:

DEFAULT Auth-Type = Pam
  Fall-Through = No

I have tried using Auth-Type = {System | Pam | unix}. No matter which I
try radiusd core dumps as soon as it comes to the Authenticate module
(see debug log below). This does not happen if I set Auth-Type = Local,
then everything works as expected. _But_ that would give me two username
/ password databases to maintain - which is not something I look forward
to. Anyone have any ideas as to what's going on?

TIA,
Johan

PS. No idea if this helps but I have an old freeradius 1.0.2 lying
around. The results (using the same config files) are the same.

debug log
---
/etc/init/freeradiusd start

Module: Instantiated realm (MIP02)
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (NULL)
 detail: detailfile = /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /opt/freeradius/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
 detail: detailfile = /opt/freeradius/var/log/radius/radacct/detail-combined
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = yes
Module: Instantiated detail (accounting_replication_log)
 detail: detailfile = /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (pre_proxy_log)
 detail: detailfile = /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (post_proxy_log)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
 detail: detailfile = /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.11.249:3644, id=171, length=121
   NAS-IP-Address = 192.168.11.249
   NAS-Identifier = vrr_ggsn_2
   Called-Station-Id = .xxx.xx
   Service-Type = Framed-User
   Framed-Protocol = GPRS-PDP-Context
   NAS-Port-Type = Virtual
   User-Name = daniel
   User-Password = secret
   Calling-Station-Id = 
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/opt/freeradius/var/log/radius/radacct/192.168.11.249/auth-detail-20051229'
rlm_detail: /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/freeradius/var/log/radius/radacct/192.168.11.249/auth-detail-20051229
 modcall[authorize]: module auth_log returns ok for request 0
   users: Matched entry DEFAULT at line 152
 modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type Pam
auth: type PAM
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string radiusd for pam.conf lookup
Segmentation Fault - core dumped
radiusd




Client authenticated but no internet connection

2005-12-29 Thread mfred
Hi,

The clients can login (through chillispot login page) and authenticate via
the radius server and mysqldb. So they have an IP like 192.168.182.5.
But even if they get authenticated they still cannot connect to the
internet. And I have no idea why.

Any hints ?

TIA
mfred



FreeRadius and Dlink Switch Authentication Problem

2005-12-29 Thread Kai Geek
Hello,
I am using freeradius on my computer with the IP 10.0.0.6.
I have a dlink 3226s model switch in my network and its IP is 10.0.0.250.

I want this switch to verify username and password from the radius server
(10.0.0.6).

I have added 10.0.0.250 as a client to the radius server's clients.conf and
users files and I introduced a user, but still it doesn't connect. Where may
the error be?
When I test locally, it seems to be working, but the switch doesn't connect to
radius?
Thank you,

using command radius server (10.0.0.6)

[EMAIL PROTECTED] clients.conf

client 10.0.0.250 {
        secret      = 250
        shortname   = 1
}

[EMAIL PROTECTED] users

steve   Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 127.0.0.1,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = std.ppp,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

#radtest steve testing 10.0.0.6 1812 testing
okay
What is the problem?
When I test locally, it seems to be working, but the switch doesn't connect to
radius?

+-+-+-+ BEGIN PGP SIGNATURE +-+-+-+
Version: GnuPG v1.4.2 (GNU/Linux)
   .-.  .-._  
   : :  : :   :_; 
 .-' : .--. : `-. .-. .--.  ,-.,-.
' .; :' '_.'' .; :: :' .; ; : ,. :
`.__.'`.__.'`.__.':_;`.__,_;:_;:_;

Kai Ozgur Geek
Network Engineer
PGP ID: B1B63B6E
+-+-+-+ END PGP SIGNATURE +-+-+-+




RE: using freradius 1.0.5 to secure an WLAN AP

2005-12-29 Thread Frank Buttner
So here I have the whole output again. As far as I can see, there is no
certificate exchange??
NAS-Identifier = 0014bfa57781
NAS-Port = 24
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x021e017363686e656562616c6c2e6e65747a2d766f6e2d6672616e6b
Message-Authenticator = 0xdd3d83f19e08787f6907798c30ef7b7c
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/192.168.1.2/auth-detail-20051229'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.2/auth-detail-20051229
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module attr_filter returns noop for request 0
rlm_realm: No '@' in User-Name = schneeball.netz-von-frank, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 30
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to 192.168.1.2:2068
EAP-Message = 0x010100060d20
Message-Authenticator = 0x
State = 0xd69dcd7c75cc15eea53e2baca8acbce5
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2068, id=0, length=163
User-Name = schneeball.netz-von-frank
NAS-IP-Address = 192.168.1.2
Called-Station-Id = 0014bfa57781
Calling-Station-Id = 000e2e3ee98f
NAS-Identifier = 0014bfa57781
NAS-Port = 24
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001e017363686e656562616c6c2e6e65747a2d766f6e2d6672616e6b
Message-Authenticator = 0xf5f960c2cb0c4acc07d7f9d962b26fd9
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
radius_xlat:  '/var/log/radius/radacct/192.168.1.2/auth-detail-20051229'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.2/auth-detail-20051229
  modcall[authorize]: module auth_log returns ok for request 1
  modcall[authorize]: module attr_filter returns noop for request 1
rlm_realm: No '@' in User-Name = schneeball.netz-von-frank, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 30
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 0 to 192.168.1.2:2068
EAP-Message = 0x010200060d20
Message-Authenticator = 0x
State = 0xa87e53fdb3ded6be7a711bf1e3a79879
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2068, id=0, length=163
User-Name = schneeball.netz-von-frank
NAS-IP-Address = 192.168.1.2
Called-Station-Id = 0014bfa57781
Calling-Station-Id = 000e2e3ee98f
NAS-Identifier = 0014bfa57781
NAS-Port = 24
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001e017363686e656562616c6c2e6e65747a2d766f6e2d6672616e6b
Message-Authenticator
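
Added example, not part of the post above and not FreeRADIUS code: a small Python decoder for the EAP-Message values shown in that debug output. It shows the server sending an EAP-TLS Start while the client keeps answering with an Identity response, so no EAP-TLS response appears in the logged exchange. The function names are hypothetical; the hex strings in LOGGED_EXCHANGE are copied from the log, and HEALTHY_EXCHANGE is constructed for contrast.

```python
"""Decode EAP packets carried in RADIUS EAP-Message attributes (added example)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 26: "MS-CHAPv2"}
# Flag bits of the first EAP-TLS data octet (RFC 2716 / RFC 5216).
TLS_FLAGS = ((0x80, "Length"), (0x40, "More"), (0x20, "Start"))


def parse_eap(hex_value):
    """Parse one EAP-Message value as printed by radiusd -X (0x-prefixed hex)."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)  # raises ValueError on odd length or non-hex input
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(raw))
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # The length field must match the bytes present; a mismatch means the value
    # was truncated, garbled, or is only one fragment of a longer EAP packet.
    if length != len(raw):
        raise ValueError("length field says %d, value has %d bytes"
                         % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, "Unknown(%d)" % code),
           "id": ident, "length": length}
    if code in (1, 2):  # only Request and Response carry a type octet
        if length < 5:
            raise ValueError("Request/Response without a type octet")
        etype = raw[4]
        body = raw[5:]
        pkt["type"] = EAP_TYPES.get(etype, "Unknown(%d)" % etype)
        if etype == 1:
            pkt["identity"] = body.decode("utf-8", errors="replace")
        elif etype == 13:
            flags = body[0] if body else 0
            pkt["tls_flags"] = [name for bit, name in TLS_FLAGS if flags & bit]
    return pkt


def tls_start_unanswered(exchange):
    """True if the server sent EAP-TLS Start and every client packet after it
    is still an Identity response (no EAP-TLS response, no Nak)."""
    start_seen = False
    replies = []
    for sender, hex_value in exchange:
        pkt = parse_eap(hex_value)
        if sender == "server":
            if pkt.get("type") == "EAP-TLS" and "Start" in pkt.get("tls_flags", []):
                start_seen = True
        elif start_seen:
            replies.append(pkt.get("type"))
    return start_seen and bool(replies) and all(t == "Identity" for t in replies)


# EAP-Message values copied from the debug output in the post, in log order.
# "server" = Access-Challenge sent by radiusd, "client" = Access-Request from the AP.
IDENTITY = "0x0201001e017363686e656562616c6c2e6e65747a2d766f6e2d6672616e6b"
LOGGED_EXCHANGE = [
    ("server", "0x010100060d20"),
    ("client", IDENTITY),
    ("server", "0x010200060d20"),
    ("client", IDENTITY),
]

# Constructed for contrast (not from the post): the client answers the Start
# with an EAP-TLS response whose data begins with a TLS record header.
HEALTHY_EXCHANGE = [
    ("server", "0x010100060d20"),
    ("client", "0x020100090d00160301"),
]

if __name__ == "__main__":
    for sender, value in LOGGED_EXCHANGE:
        print(sender, parse_eap(value))
    print("TLS Start unanswered:", tls_start_unanswered(LOGGED_EXCHANGE))
```
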

RE: FreeRadius and Dlink Switch Authentication Problem

2005-12-29 Thread Inci Gedik
Hi,

Did you debug RADIUS? Can you take a look at what shows up on the screen
while you are trying to connect to the switch? Let me also give an example
from a working system:

Could you edit your client.conf file as follows?

client 10.0.0.250 {
        secret      = 250
        shortname   = switch
        nastype     = cisco
}

If you define the user in the users file as follows, create a user called
steve on the Linux system and give it a password, you should be able to
connect.

steve   Auth-Type := System
        Service-Type = Shell-User,
        Login-Service = Telnet,
        Login-IP-Host = 0.0.0.0,
        Login-TCP-Port = Telnet

The port numbers are open under Linux, aren't they? If you check it this
way, we can also take a look at your conf file. In that case there is an
error in your conf file.

And I still insist on tacacs+ : )



Good luck,

Inci Gedik



RE: FreeRadius and Dlink Switch Authentication Problem

2005-12-29 Thread Kai Geek
Hello Ms. Inci,
first of all, thank you very much for your help. However, we cannot use
tacacs because most of the switches are Dlink, model 3226, so there is no
tacacs. They support a radius server. That is why I need to use radius.

I put it into debug mode with

#radiusd -X

My IP address is 10.0.0.185, and the radius server is running on 10.0.0.6.
The switch (Dlink brand) has the IP address 10.0.0.250. When I run the
command

#telnet 10.0.0.250

I can log in with the switch's own internal user (admin), but nothing shows
up in the log. What do you suggest?



Re: Client authenticated but no internet connection

2005-12-29 Thread Lewis Bergman

mfred wrote:

> Hi,
>
> The clients can login (through chillispot login page) and authenticate via
> the radius server and mysqldb. So they have an IP like 192.168.182.5.
> But even if they get authenticated they still cannot connect to the
> internet. And I have no idea why.
>
> Any hints ?

Learn your platform. Since you have auth already it is a network issue 
from there. You are not passing either the AP/router/client the correct 
config or they are not configured correctly somehow. Check reply attr 
for framed address, gateway and the like.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax  325-695-6841


Re: FreeRadius and Dlink Switch Authentication Problem

2005-12-29 Thread Lewis Bergman

Kai Geek wrote:

> what problem ?
> when i test locally, it seems as working but the switch doesn't connect to
> radius?


output of radiusd -X?

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax  325-695-6841


Re: Client authenticated but no internet connection

2005-12-29 Thread Damjan
> The clients can login (through chillispot login page) and authenticate via
> the radius server and mysqldb. So they have an IP like 192.168.182.5.
> But even if they get authenticated they still cannot connect to the
> internet. And I have no idea why.

This looks to me like a question for the chillispot mailing list.
But, just a wild guess, did you enable NAT on the router (the one with
chillispot)?



-- 
damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!


Re: Client authenticated but no internet connection

2005-12-29 Thread LeRoy DeVries
On Thursday 29 December 2005 04:16, mfred wrote:
> Hi,
>
> The clients can login (through chillispot login page) and authenticate via
> the radius server and mysqldb. So they have an IP like 192.168.182.5.
> But even if they get authenticated they still cannot connect to the
> internet. And I have no idea why.
>
> Any hints ?
>
> TIA
> mfred

Check your iptables and firewall settings. Make sure you have your firewall 
turned off at the router.

Chillispot has a thing about firewalls at the router.  At least that's what I 
have found.

-- 
LeRoy


RE: FreeRadius and Dlink Switch Authentication Problem

2005-12-29 Thread Inci Gedik
Hello again,

If RADIUS is working, you should not be able to log in with the user name
stored in the switch itself. So there is a problem somewhere. RADIUS does
not log anywhere the logins made with the switch's own user account. During
the telnet session, do you get a response along the lines of "radius not
found"?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Kai Geek
Sent: 29 Aralık 2005 Perşembe 15:40
To: FreeRadius users mailing list
Subject: RE: FreeRadius and Dlink Switch Authentication Problem

Merhabalar Inci hanim,
oncelikle yardimlariniz icin cok tesekkur ederim. Ancak tacacs
kullanamiyoruz cunku switchlerin cogu Dlink ve 3226 modeli yani tacacs yok.
radius server destekliyorlar. bu nedenle radius kullanmam gerek.

#radiusd -X
diyerek debug moda aliyorum ve benim ip adresim 10.0.0.185 radius server ise
10.0.0.6'da calisiyor. switch ise (dlink marka) 10.0.0.250 ip adresine
sahip. ben 

#telnet 10.0.0.250

komutunu verdigim zaman switchin kendi icindeki kullanici ile (admin)
girebiliyorum. ama hicbir log dusmuyor. ne onerirsiniz?

- Original Message -
From: Inci Gedik  [EMAIL PROTECTED]
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Subject: RE: FreeRadius and Dlink Switch Authentication Problem
Date: Thu, 29 Dec 2005 15:20:43 +0200

 
 Selam,
 
 Radius un debug ettin mi ? Sen switch e baglanmaya calisirken ekrana neler
 geliyor bir bakar misin ? Birde calisan bir sistemden ornek veriim :
 
 client.conf dosyani asagidaki gibi editler misin ?
 
 client 10.0.0.250 {
  secret  = 250
  shortname   = switch
 nastype = cisco
 }
 
 Users dosyasindaki kulanici tanimlamasini asagidaki gibi yapip, linux
 sisteminde steve diye bir kullanici acip bir de sifre verirsen baglantiyi
 saglayabilirsin.
 
 steve   Auth-Type := System
  Service-Type = Shell-User,
  Login-Service = Telnet,
  Login-IP-Host = 0.0.0.0,
  Login-TCP-Port = Telnet
 
 Linux altinda port numaralarinda acik degil mi ? Bu sekilde bir kontrol
 edersen bir de conf dosyani inceleyebiliriz. O zaman conf dosyanda bir
hata
 var demektir.
 
 Bi de israrla tacacs+ diyorum : )
 
 
 
 Kolay gelsin ,
 
 Inci Gedik
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
On
 Behalf Of Kai Geek
 Sent: 29 Aralık 2005 Perşembe 14:24
 To: freeradius-users@lists.freeradius.org
 Subject: FreeRadius and Dlink Switch Authentication Problem
 
 Hello,
 I am using freeradius on my computer with the IP 10.0.0.6.
 I have a dlink 3226s model switch in my network and its IP is 10.0.0.250.
 
 I want this switch to verify username and password from the radius server
 (10.0.0.6).
 
 I have added 10.0.0.250 as a client to the radius server's clients.conf and
 users files and I introduced a user, but it still doesn't connect. Where may
 the error be?
 When I test locally, it seems to be working, but the switch doesn't connect
 to radius?
 Thank you,
 thank you,
 
 using command radius server (10.0.0.6)
 
 [EMAIL PROTECTED] clients.conf
 
 client 10.0.0.250 {
  secret  = 250
  shortname   = 1
 }
 
 [EMAIL PROTECTED] users
 
 steve   Auth-Type := Local, User-Password == testing
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-IP-Address = 127.0.0.1,
  Framed-IP-Netmask = 255.255.255.0,
  Framed-Routing = Broadcast-Listen,
  Framed-Filter-Id = std.ppp,
  Framed-MTU = 1500,
  Framed-Compression = Van-Jacobsen-TCP-IP
 
 #radtest steve testing 10.0.0.6 1812 testing
 okay
 What is the problem?
 When I test locally, it seems to be working, but the switch doesn't connect
 to radius?
 




Kai Ozgur Geek
Network Engineer
PGP ID: B1B63B6E

A small question...

2005-12-29 Thread Samuel Degrande

Hello everybody, I wish you a merry christmas.

I have one small question, something I don't understand, and I didn't
find any explanation anywhere:

I have something like this :

--- radiusd.conf

authorization {
...
etc_smbpasswd
files
...
}

--- users

DEFAULT Auth-Type != MS-CHAP .
DEFAULT Auth=Type == MS-CHAP .


In the debug output of radiusd, I see something like :

rlm_passwd: Added LM-Password: '' to config_items 
rlm_passwd: Added NT-Password: '' to config_items 
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[UX ]' to config_items 
rlm_passwd: Adding Auth-Type = MS-CHAP


That's done before the mod_call to 'files'. However, there's no matched entry
in 'users'. 


What does it mean? Why isn't Auth-Type set to MS-CHAP before looking at
'users'?


Is there a doc somewhere that precisely describes how the server chains things?
But perhaps it's a big secret, a kind of grail that only
radius core developers can touch? :-) However, a public version could be
really helpful...

--
Samuel Degrande   LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3
Phone: (33)3.28.77.85.30  USTL - Universite de Lille 1
Fax:   (33)3.28.77.85.37  59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Client authenticated but no internet connection

2005-12-29 Thread Phil Schilling


On Dec 29, 2005, at 8:39 AM, LeRoy DeVries wrote:


On Thursday 29 December 2005 04:16, mfred wrote:

Hi,

The clients can login (through chillispot login page) and authenticate via
the radius server and mysqldb. So they have an IP like 192.168.182.5.
But even if they get authenticated they still cannot connect to the
internet. And I have no idea why.

Any hints ?

TIA
mfred


Check your iptables and firewall settings. Make sure you have your firewall
turned off at the router.

Chillispot has a thing about firewalls at the router.  At least that's what I
have found.



I would beg to differ.  You should not be turning off firewall rules  
at the gateway.  If properly set up you can use iptables on the  
Chillispot server and still work through an existing firewall.  I  
have this working in multiple locations.


Phil



Re: EAP-MD5 Authentication problem. Resolved!!!

2005-12-29 Thread Marco Spiga

Thanks to your patience, Alan, I have resolved it!!!

I have reinstalled freeradius.
The errors were in radiusd.conf.
Sorry, but I did not know that after any modification to the users file
radiusd needs to be restarted :-(
The other old files do not give errors.

I have included the difference between the bad radiusd.conf file and the good
(my new) radiusd.conf file.


20c20,21
 bind_address = *
---
54,84c55,60
   pap {
   encryption_scheme = crypt
   }
   chap {
   authtype = CHAP
   }
   pam {
   pam_auth = radiusd
   }
   unix {
   cache = no
   cache_reload = 600
   shadow = /etc/shadow
   radwtmp = ${logdir}/radwtmp
   }
 $INCLUDE ${confdir}/eap.conf
   mschap {
   authtype = MS-CHAP
   }
   ldap {
   server = ldap.your.domain
   basedn = o=My Org,c=UA
   filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   start_tls = no
   access_attr = dialupAccess
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   }
---
 #$INCLUDE ${confdir}/eap.conf
 eap {
 default_eap_type = md5
 md5 {
 }
 }
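Review bot: the inline "eap" block on the second side of this hunk (new lines 55-60) enables only "md5" while "$INCLUDE ${confdir}/eap.conf" is commented out, which leaves EAP-MD5 as the sole EAP method. EAP-MD5 authenticates the client only and derives no session keys, so it is suitable for a wired test at most; I would restore the include and set default_eap_type inside eap.conf so the EAP settings stay in one file. The same hunk shows the pap, chap, pam, unix, mschap and ldap definitions in only one of the two files, and the "<" and ">" markers are missing from this copy, so please state which file is the working one.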
136c112
   $INCLUDE ${confdir}/postgresql.conf
---
   $INCLUDE  ${confdir}/sql.conf
173a150
 
175a153
 
177a156,157
 
 preprocess
182,197d161
   exec echo {
   wait = yes
   program = /bin/echo %{User-Name}
   input_pairs = request
   output_pairs = reply
   }
   ippool main_pool {
   range-start = 192.168.1.1
   range-stop = 192.168.3.254
   netmask = 255.255.255.0
   cache-size = 800
   session-db = ${raddbdir}/db.ippool
   ip-index = ${raddbdir}/db.ipindex
   override = no
   maximum-timeout = 0
   }
205,207d168
   chap
   mschap
   suffix
209,210d169
   files
   sql
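Review bot: "files" and "sql" at old lines 209-210 exist only in the first file, and together with hunk 205,207d168 that leaves the second file's module list at this position without a "files" entry. A list without "files" never consults the users file, which is the situation Alan DeKok reads out of the debug output quoted further down in this message, where only preprocess and eap ran in authorize. Since the "<" and ">" markers did not survive in this copy, please confirm which of the two files is the repaired one and that its authorize section still lists "files".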
213,222d171
   Auth-Type PAP {
   pap
   }
   Auth-Type CHAP {
   chap
   }
   Auth-Type MS-CHAP {
   mschap
   }
   unix
225a175
   files
233d182
   unix
234a184
   sql
237a188
   sql
239a191
   sql
244d195


Good year to all the participants to the mailing-list!!!

BYE





On Thu, Dec 29, 2005 at 02:22:19AM -0500, Alan DeKok wrote:
 From: Alan DeKok [EMAIL PROTECTED]
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Date: Thu, 29 Dec 2005 02:22:19 -0500
 Subject: Re: EAP-MD5 Authentication problem 
 
 Marco Spiga [EMAIL PROTECTED] wrote:
  However as soon as installed freeradius I have tried radtest and it worked 
  well, also with users inserted in
  radcheck table of postgresql and authentication EAP MD5 has never 
  worked.
 
   The entry in the users file isn't being matched because you edited
 radiusd.conf, and broke the server.
 
  modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_eap: EAP packet type response id 210 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
  modcall: group authorize returns updated for request 0
 
   See?  There's no mention of the files module, or that any entry in
 the users file was matched.  So you can edit the users file
 forever, and it won't affect anything... because *you* told the server
 to not look at the users file.
 
  # eap sets the authenticate type as EAP
  authorize {
  ...
  eap
  }
 
   And rather than quoting your exact authorize section, you've
 edited it.
 
   Since I can read the debug output, I can tell what you've done.  But
 by editing the radiusd.conf pieces you quoted, you've gone out of
 your way to make it more difficult for anyone to be able to help you.
 
   In short, if you don't know what the entries in radiusd.conf do,
 DON'T EDIT THEM.  The default configuration is set up that way for a
 reason.  IT WORKS.
 
   If you had used the default configuration, the users file entry
 would have worked as I said.  But because you edited the default
 configuration (and didn't say you edited it), you broke it, and the
 users file entry didn't work.
 
   Alan DeKok.
---end of text---

-- 
! Message from Marco !
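
Alan DeKok's diagnosis quoted above rests on which modules show up in the authorize lines of the debug output. The following is an added example, not part of the original thread and not FreeRADIUS code: it parses radiusd -X lines in the format quoted on this page and reports, per request, which modules ran in authorize and whether "files" was among them. The names audit_authorize, report and the required parameter are hypothetical.

```python
import re

# Sample inputs: debug lines copied from the messages on this page.
MARCO_DEBUG = """\
  modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_eap: EAP packet type response id 210 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
  modcall: group authorize returns updated for request 0
"""

FRANK_DEBUG = """\
modcall: entering group authorize for request 19
  modcall[authorize]: module preprocess returns ok for request 19
  modcall[authorize]: module chap returns noop for request 19
  modcall[authorize]: module mschap returns noop for request 19
  modcall[authorize]: module suffix returns noop for request 19
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 19
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 19
modcall: group authorize returns updated for request 19
  modcall[authenticate]: module eap returns invalid for request 19
"""

ANDRE_DEBUG = """\
 modcall[authorize]: module "sql" returns notfound for request 1
 modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns ok for request 1
"""

# Handles both 'module preprocess returns ok' and 'module "sql" returns notfound'.
MODCALL_RE = re.compile(
    r'modcall\[(?P<section>\w+)\]:\s+module\s+"?(?P<module>[\w.-]+)"?\s+'
    r'returns\s+(?P<rcode>\w+)\s+for request\s+(?P<req>\d+)'
)
USERS_RE = re.compile(
    r'users:\s+Matched entry\s+(?P<entry>\S+)\s+at line\s+(?P<line>\d+)'
)


def audit_authorize(debug_text, required=("files",)):
    """Return {request_id: {"modules", "users_entry", "missing"}} for authorize."""
    requests = {}
    pending_entry = None  # a "users: Matched entry" line precedes the files result
    for line in debug_text.splitlines():
        hit = USERS_RE.search(line)
        if hit:
            pending_entry = (hit["entry"], int(hit["line"]))
            continue
        call = MODCALL_RE.search(line)
        if call is None:
            continue
        if call["section"] == "authorize":
            info = requests.setdefault(
                int(call["req"]),
                {"modules": [], "users_entry": None, "missing": []},
            )
            info["modules"].append((call["module"], call["rcode"]))
            if call["module"] == "files":
                info["users_entry"] = pending_entry
        pending_entry = None
    for info in requests.values():
        called = {name for name, _ in info["modules"]}
        info["missing"] = [name for name in required if name not in called]
    return requests


def report(debug_text, required=("files",)):
    """Render the audit as text lines, one block per request."""
    lines = []
    for req, info in sorted(audit_authorize(debug_text, required).items()):
        ran = ", ".join(f"{mod}={rcode}" for mod, rcode in info["modules"])
        lines.append(f"request {req}: authorize ran {ran}")
        for name in info["missing"]:
            lines.append(f"  WARNING: '{name}' was never called in authorize")
        if info["users_entry"]:
            entry, lineno = info["users_entry"]
            lines.append(f"  users file matched entry {entry} at line {lineno}")
    return lines


if __name__ == "__main__":
    for sample in (MARCO_DEBUG, FRANK_DEBUG, ANDRE_DEBUG):
        print("\n".join(report(sample)))
```
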


Re: using freradius 1.0.5 to secure an WLAN AP

2005-12-29 Thread Alan DeKok
Frank Buttner [EMAIL PROTECTED] wrote:
 But no client will get access. The Windows XP clients say that they cannot
 be verified. And
 my Windows 2000 clients will send the request all the time because the request
 from the radius server seems not complete:( 

  The debug shows the server responding, but the supplicant or AP
never continues the conversation.  Check that the AP isn't discarding
the servers response.

  Alan DeKok.


postgres + freeradius trouble

2005-12-29 Thread André Lemos




Hi,

I'm sorry to be bothering you, but I'm having a strange problem with
this combo.

I am using freeradius 1.0.5 and have the following user:

radius=# select * from radcheck order by id;
 id | username |    attribute    | op | value
----+----------+-----------------+----+---------
 10 | user2    | Framed-Protocol | != | PPP
 14 | user2    | NAS-Port-Type   | == | Virtual
 16 | user2    | Password        | == | teste

if I remove the id 10, everything works as expected, but if I leave it
as is, I can't authorize the user, although it matches the id 14 and
the 10. The message I get is:

rlm_sql (sql): No matching entry in the database for request from user
[user2]

which seems rather strange.

Any insight you could give me?

Very much appreciate it.

-- 
André Ventura Lemos
Software Engineer
Critical Software, SA
MSN: [EMAIL PROTECTED]
GSM: +351969495155
TLF: +351239989100


Re: Freeradius vs NT Domain Authentication

2005-12-29 Thread Alan DeKok
Richard Bortolucci [EMAIL PROTECTED] wrote:
 I'm already reading the conf files, but I still can't make this work. Can
 you check the log below?

  First, nothing in the debug log shows anything going wrong, or a
user being rejected.  Could you PLEASE explain why what you expect,
and say WHY the debug log isn't doing what you expect?

  Saying it doesn't work, and relying on someone else to do all of
the work to figure it out is annoying.

   rlm_eap: processing type md5

  You won't be able to authenticate against an NT domain when using EAP-MD5.

  Alan DeKok.



Re: radiusd core dumps on authentication (solaris 9)

2005-12-29 Thread Alan DeKok
Johan Ramm-Ericson [EMAIL PROTECTED] wrote:
 I am currently experiencing an authentication problem and am wondering
 if anyone has run into something similar (or has an answer as to what
 I'm doing wrong 
...
 pam_pass: using pamauth string radiusd for pam.conf lookup
 Segmentation Fault - core dumped

   Read doc/bugs

  And you probably don't want to use pam.  It's horrible.

  Alan DeKok.


Re: A small question...

2005-12-29 Thread Alan DeKok
Samuel Degrande [EMAIL PROTECTED] wrote:
 --- users
 
 DEFAULT Auth-Type != MS-CHAP .
 DEFAULT Auth=Type == MS-CHAP .

  You can't do that kind of comparison with the users file.

 Is there a doc somewhere that precisely describes how the server chains 
 things ?

  Yes.  The man pages for the modules, and the doc/ directory
contain files describing how the server works.  Read them.

 But perhaps it's a big secret, a kind of grail that only
 radius core developers can touch? :-) However, a public version could be 
 really helpful...

  When you figure it out, add it to the wiki.

  Alan DeKok.


Logging ONLY failed authentication and not correct?

2005-12-29 Thread Matt
Hi two questions.

#1 Is there a way to log only incorrect logins in radius.log and to
ignore correct logins (so as to not fill up the log file)?

#2 When I do get a login incorrect right now I get:
Auth: Login incorrect (rlm_chap: Clear text password not available):
[EMAIL PROTECTED]/CHAP-Password] (from client blah.host.com port
2912 cli xxx)

Is there any way to get the chap password that the user entered to show
up.. or is there no way to do the reverse encryption?



RE: using freradius 1.0.5 to secure an WLAN AP

2005-12-29 Thread Frank Buttner
I think the same. I have tried to run ethereal on the linux clients and I
can see that after the client sends its ID, nothing more happens :( I
have written this to the manufacturer of the WLAN router. I have a WRT54GS v4. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, December 29, 2005 6:59 PM
To: FreeRadius users mailing list
Subject: Re: using freradius 1.0.5 to secure an WLAN AP 

Frank Buttner [EMAIL PROTECTED] wrote:
 But no client will get access. The Windows XP clients say that they 
 cannot be verified. And my Windows 2000 clients will send the request 
 all the time because the request from the radius server seems not 
 complete:(

  The debug shows the server responding, but the supplicant or AP never
continues the conversation.  Check that the AP isn't discarding the servers
response.

  Alan DeKok.



Compile 1.0.5

2005-12-29 Thread Joseba Beltrán
Hi all,

 Although I haven't had any trouble compiling 1.0.4, it
seems almost impossible to do the same with 1.0.5. I extract the official
tarball to my debian system, edit debian/rules to fit my requirements
(disable-shared, with-experimental-modules) and run dpkg-buildpackage,
but I get the following error:

cannot find -lrlm_eap_tls

I've been searching for this issue, but the only thing I found were several
patches, already included in debian/patches

Any help?? With the same config. I'm able to compile 1.0.4

Thanks!


Re: postgres + freeradius trouble

2005-12-29 Thread André Lemos




a bit more information:

radius_xlat: 'SELECT radgroupreply.id, radgroupreply.GroupName,
radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM
radgroupreply,usergroup WHERE usergroup.Username = 'user2' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
rlm_sql_postgresql: query: SELECT radgroupreply.id,
radgroupreply.GroupName, radgroupreply.Attribute,
radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup
WHERE usergroup.Username = 'user2' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): No matching entry in the database for request from user
[user2]
rlm_sql (sql): Released sql socket id: 3
 modcall[authorize]: module "sql" returns notfound for request 1
 modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns ok for request 1
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.



André Lemos wrote:

Hi,

I'm sorry to be bothering you, but I'm having a strange problem with
this combo.

I am using freeradius 1.0.5 and have the following user:

radius=# select * from radcheck order by id;
 id | username |    attribute    | op | value
----+----------+-----------------+----+---------
 10 | user2    | Framed-Protocol | != | PPP
 14 | user2    | NAS-Port-Type   | == | Virtual
 16 | user2    | Password        | == | teste


if I remove the id 10, everything works as expected, but if I leave it
as is, I can't authorize the user, although it matches the id 14 and
the 10. The message I get is:

rlm_sql (sql): No matching entry in the database for request from user
[user2]

which seems rather strange.

Any insight you could give me?

Very much appreciate it.

The entries should be ordered

2005-12-29 Thread M T
In man 5 users, HINTS, from: http://www.freeradius.org/doc/users.5.html#index

Does "the entries should be ordered" mean in alphabetical order? (username first)

TIA

Re: using freradius 1.0.5 to secure an WLAN AP

2005-12-29 Thread Alan DeKok
Frank Buttner [EMAIL PROTECTED] wrote:
 I think the same. I have tried to run ethereal on the linux clients and I
 can see that after the client sends its ID, nothing more happens :( I
 have written this to the manufacturer of the WLAN router. I have a WRT54GS v4. 

  I would also suggest checking that the certificates includes the
Windows extended OID field.  See the scripts directory.

  Alan DeKok.



Re: huntgroups file, aclip

2005-12-29 Thread Kevin Bonner
On Tuesday 20 December 2005 16:03, Adam KOSA wrote:
 Hi all,

 google and the wiki search option did not answer my question, it may be
 too dumb to ask.  i have the following huntgroup contents:

 aclip   Calling-Station-Id == 127.0.0.1
 aclip   Calling-Station-Id == 127.0.0.11
 aclip   Calling-Station-Id == 10.61.11.17
 aclip   Calling-Station-Id == 10.61.13.41
 ...
 aclip   Calling-Station-Id == 10.61.14.10
 aclip   NAS-Port-Type == Async

 for restricting the logins to our cisco devices.  what i'm looking for
 is the ability to use 127.0.0.0/24 or 127.0.0.1-255 instead of the first
 two lines.  the above / and - syntax did not work.  is this possible?
 what doc am i missing?

See man 5 users and look at the =~ operator.  Match on the first 3 octets of 
the IP address and it should have the desired effect.

Kevin Bonner
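
Kevin Bonner's suggestion relies on =~ doing a regular-expression match, where anchoring and literal dots decide what else ends up in the huntgroup. This is an added example, not from the thread or from FreeRADIUS: it uses Python's re.search as a stand-in for the server's regex matching (an assumption) and compares three candidate patterns against constructed Calling-Station-Id strings, then shows which of the explicit entries from the question the strict pattern replaces. The pattern names and helper functions are hypothetical.

```python
import re

# Candidate right-hand sides for a huntgroups line of the form
#   aclip   Calling-Station-Id =~ "<pattern>"
# [.] is used for a literal dot so that no backslash has to pass through
# the file parser; how backslashes are treated there is not covered here.
PATTERNS = {
    # Dots match any character and nothing is anchored.
    "loose": r"127.0.0.",
    # First three octets, anchored at the start only.
    "prefix": r"^127[.]0[.]0[.]",
    # Anchored at both ends, last octet limited to 0-255.
    "strict": r"^127[.]0[.]0[.](25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$",
}

# Constructed test values: strings that should be inside the /24 ...
INSIDE = ["127.0.0.1", "127.0.0.11", "127.0.0.255", "127.0.0.0"]
# ... and strings that should not be accepted by the huntgroup entry.
OUTSIDE = [
    "10.61.11.17",
    "127.0.1.1",
    "1127.0.0.1",
    "127a0b0c1",
    "127.0.0.999",
    "127.0.0.1 extra",
]

# Explicit addresses listed in the question on this page.
PAGE_ENTRIES = [
    "127.0.0.1",
    "127.0.0.11",
    "10.61.11.17",
    "10.61.13.41",
    "10.61.14.10",
]


def matches(pattern, value):
    """Unanchored search, the way a regex match operator normally behaves."""
    return re.search(pattern, value) is not None


def missed(pattern):
    """Values inside the range that the pattern fails to match."""
    return [v for v in INSIDE if not matches(pattern, v)]


def overmatched(pattern):
    """Values outside the range that the pattern matches anyway."""
    return [v for v in OUTSIDE if matches(pattern, v)]


def evaluate():
    """Summarise every candidate pattern."""
    return {
        name: {"missed": missed(p), "overmatched": overmatched(p)}
        for name, p in PATTERNS.items()
    }


def collapse(entries, pattern):
    """Split explicit entries into those the pattern covers and those to keep."""
    covered = [e for e in entries if matches(pattern, e)]
    remaining = [e for e in entries if not matches(pattern, e)]
    return covered, remaining


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:7} missed={result['missed']} overmatched={result['overmatched']}")
    covered, remaining = collapse(PAGE_ENTRIES, PATTERNS["strict"])
    print("replaced by the regex entry:", covered)
    print("still need their own lines: ", remaining)
```
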



RE: using freradius 1.0.5 to secure an WLAN AP

2005-12-29 Thread Frank Buttner
Yes, I have added this value: client for the clients (1.3.6.1.5.5.7.3.2) and
server for the server (1.3.6.1.5.5.7.3.1). 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, December 29, 2005 9:00 PM
To: FreeRadius users mailing list
Subject: Re: using freradius 1.0.5 to secure an WLAN AP 

Frank Buttner [EMAIL PROTECTED] wrote:
 I think the same. I have tried to run ethereal on the linux clients and 
 I can see that after the client sends its ID, nothing more happens 
 :( I have written this to the manufacturer of the WLAN router. I have a
 WRT54GS v4.

  I would also suggest checking that the certificates includes the Windows
extended OID field.  See the scripts directory.

  Alan DeKok.



Re: The entries should be ordered

2005-12-29 Thread Alan DeKok
M T [EMAIL PROTECTED] wrote:
 Does "the entries should be ordered" mean in alphabetical order?  (username
 first)

  It means they're processed from the top of the users file to the
bottom, in that order.

  Alan DeKok.


FreeRADIUS 1.0.5 rlm_ldap crashing

2005-12-29 Thread Paul Khavkine

Hi Guys.


I'm doing a stress test on 1.0.5 running on FreeBSD 5.4-RELEASE and when
start_tls is enabled radiusd crashed somewhere in the rlm_ldap module.

I can't seem to make it produce a core file to properly inspect it.

The server is running as root and core dumps are enabled in the config
file.

When I disable start_tls it does not crash.

It always crashed with signal 6 at random periods. Here's an error:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: (re)connect to ldap01.totftds.int.distributel.net:389,
authentication 0
rlm_ldap: ldap_get_conn: Checking Id: 1
rlm_ldap: ldap_get_conn: Got Id: 1
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap01.totftds.int.distributel.net:389,
authentication 0
rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
radiusd in free(): error: chunk is already free
rlm_ldap: starting TLS
Abort

Any pointers on how to debug this problem ?


Thanx
Paul




RE: using freradius 1.0.5 to secure an WLAN AP

2005-12-29 Thread Frank Buttner
So now it works better, after setting the IP of the radius server from * to a
real IP. But now I get this error:
rad_recv: Access-Request packet from host 192.168.1.2:2068, id=0, length=157
User-Name = schneeball.netz-von-frank
NAS-IP-Address = 192.168.1.2
Called-Station-Id = 0014bfa57781
Calling-Station-Id = 000e2e3ee98f
NAS-Identifier = 0014bfa57781
NAS-Port = 24
Framed-MTU = 1400
State = 0x67b9d350a906536416e7852c3c0a23d0
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02090006030d
Message-Authenticator = 0x97c747363c9fb963fe9a5ed06bc93479
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
  modcall[authorize]: module preprocess returns ok for request 19
  modcall[authorize]: module chap returns noop for request 19
  modcall[authorize]: module mschap returns noop for request 19
rlm_realm: No '@' in User-Name = schneeball.netz-von-frank, looking up
realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 19
  rlm_eap: EAP packet type response id 9 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 19
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 19
modcall: group authorize returns updated for request 19
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/tls
 rlm_eap: ERROR! Our request for tls was NAK'd with a request for tls, what
is the client thinking?
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 19
modcall: group authenticate returns invalid for request 19
auth: Failed to validate the user.
Delaying request 19 for 1 seconds
Finished request 19
Going to the next request 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buttner
Sent: Thursday, December 29, 2005 9:30 PM
To: 'FreeRadius users mailing list'
Subject: RE: using freradius 1.0.5 to secure an WLAN AP 

Yes, I have added this value: client for the clients (1.3.6.1.5.5.7.3.2) and
server for the server (1.3.6.1.5.5.7.3.1). 




Re: FreeRADIUS 1.0.5 rlm_ldap crashing

2005-12-29 Thread Alan DeKok
Paul Khavkine [EMAIL PROTECTED] wrote:
 rlm_ldap: setting TLS CACert File
 to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
 rlm_ldap: setting TLS CACert File
 to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem

  That second entry should be a directory, not a file.  There's a typo
in the debugging output which makes that harder to figure out.

  Alan DeKok.


authorization for proxy?

2005-12-29 Thread kevin

What is the procedure of proxy?

Even if we proxy [EMAIL PROTECTED] to a remote server, our radius will 
still go thru the authorization module listed in authorize of radiusd.conf?


Kevin


Re: FreeRADIUS 1.0.5 rlm_ldap crashing

2005-12-29 Thread Paul Khavkine
On Thu, 2005-12-29 at 16:56 -0500, Alan DeKok wrote:
 Paul Khavkine [EMAIL PROTECTED] wrote:
  rlm_ldap: setting TLS CACert File
  to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
  rlm_ldap: setting TLS CACert File
  to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
 
   That second entry should be a directory, not a file.  There's a typo
 in the debugging output which makes that harder to figure out.
 

Alan, I'm not sure I follow. I don't have a CA cert directory set. Only
a file.

Should I also set tls_cacertdir ?


Thanx
Paul

   Alan DeKok.

Re: FreeRADIUS 1.0.5 rlm_ldap crashing

2005-12-29 Thread Paul Khavkine

Here's another one:

rlm_ldap: (re)connect to ldap01.mtlcnds.int.distributel.net:389,
authentication 0
User-Password = test123
NAS-IP-Address = 1.1.1.1
rlm_ldap: - authorize
rlm_ldap: - authorize
rlm_ldap: - authorize
rlm_ldap: ldap_start_tls_s()
User-Name = [EMAIL PROTECTED]rlm_ldap: performing user
authorization for ip_fixe

rlm_ldap: performing user authorization for ip_fixe
rlm_ldap: could not start TLS Connect error
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: performing user authorization for ip_fixe
rlm_ldap: ldap_get_conn: Checking Id: 0
User-Password = test123rlm_ldap: ldap_get_conn: Checking Id: 1
rad_recv: Access-Request packet from host 10.224.4.117:65039rlm_ldap:
ldap_get_conn: Checking Id: 0
rlm_ldap: (re)connection attempt failed

rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem, id=86,
length=69
rlm_ldap: ldap_get_conn: Checking Id: 1
rlm_ldap: ldap_get_conn: Checking Id: 2
rlm_ldap: ldap_get_conn: Checking Id: 1
rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
rlm_ldap: search failed
rlm_ldap: ldap_get_conn: Checking Id: 2
rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
rlm_ldap: setting TLS CACert File
to /usr/local/radiusd/current/etc/raddb/certs/
NAS-IP-Address = 206.80.253.241rlm_ldap: ldap_get_conn: Checking Id: 3
rlm_ldap: ldap_get_conn: Checking Id: 2

rlm_ldap: ldap_release_conn: Release Id: 1
rlm_ldap: ldap_get_conn: Checking Id: 3
User-Name = [EMAIL PROTECTED]radiusd in free(): error: chunk is
already free
rlm_ldap: ldap_get_conn: Checking Id: 4
Abort


Crashed at about same place.

Thanx
Paul

On Thu, 2005-12-29 at 16:56 -0500, Alan DeKok wrote:
 Paul Khavkine [EMAIL PROTECTED] wrote:
  rlm_ldap: setting TLS CACert File
  to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
  rlm_ldap: setting TLS CACert File
  to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
 
   That second entry should be a directory, not a file.  There's a typo
 in the debugging output which makes that harder to figure out.
 
   Alan DeKok.

Re: authorization for proxy?

2005-12-29 Thread kevin

Never mind.  I missed post_proxy_authorization in proxy.conf.
Thanks,
Kevin

kevin wrote:


What is the procedure of proxy?

Even if we proxy [EMAIL PROTECTED] to a remote server, our radius will 
still go thru the authorization module listed in authorize of 
radiusd.conf?


Kevin


Re: FreeRADIUS 1.0.5 rlm_ldap crashing

2005-12-29 Thread Alan DeKok
Paul Khavkine [EMAIL PROTECTED] wrote:
 Crashed at about same place.

  doc/bugs

  Alan DeKok.


Re: The entries should be ordered

2005-12-29 Thread M T
Thank you, Mr. DeKok. I very much appreciate your taking the time to respond.
 I've seen the processing sequence mentioned frequently in my reading, and thought perhaps the "should be ordered" was somewhat more significant than merely alphabetical.


After my initial eMail to this list, I happened to come across something in the mail archives and felt 
http://lists.freeradius.org/mailman/htdig/freeradius-users/2004-January/027248.html
 (subject heading: radcheck entries)
 was helpful in clarifying the meaning (at least to my understanding) of "should be ordered" …. with emphasis on Byron's response (included below)


(from above link)
The gist of the mail-list inquiry from Klaus Heck is:
"Now I want allow more than one computer per user name, meaning I want to add another entry with the same name Charlie Brown, but with a different MAC address value. In the standard implementation of freeradius, this does not work. It seems as if it just checks the first value it read, or it checks more than one, but all need to match simultaneously. The first time the condition does not hold, the reject is sent. Is there a way to change the behavior of freeradius in order to have more than one entry for the same UserName? It should send an access-accept whenever at least one entry is true."

Byron's response is:
 Make sure you have a fall through on the first one listed if you don't it will read the first entry and with no fall through it gets rejected.

MT
On 12/29/05, Alan DeKok [EMAIL PROTECTED] wrote:

 M T [EMAIL PROTECTED] wrote:
  Does the entries should be ordered mean in alphabetical order? (username first)

   It means they're processed from the top of the users file to the
 bottom, in that order.

   Alan DeKok.

Re: using freradius 1.0.5 to secure an WLAN AP

2005-12-29 Thread Alan DeKok
Frank Buttner [EMAIL PROTECTED] wrote:
  rlm_eap: ERROR! Our request for tls was NAK'd with a request for tls, what
 is the client thinking?

  Your supplicant is broken.  Very broken.

  Alan DeKok.


RE: FreeRADIUS 1.0.5 rlm_ldap crashing

2005-12-29 Thread Paul Khavkine
-Original Message-
From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Thu 12/29/2005 7:06 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 1.0.5 rlm_ldap crashing

Paul Khavkine [EMAIL PROTECTED] wrote:
 Crashed at about same place.

 doc/bugs

The server is not producing a core dump. I did compile it with --enable-developer
and allow_core_dumps is set to yes. The server is running as root.
Still no core.


Thanx
Paul

 Alan DeKok.

Cannot authenticate but there is accounting record

2005-12-29 Thread Rohaizam Abu Bakar



Hi,

I've found unusual activity where there is an attempt to authenticate but unsuccessful due to no entry in database (LDAP) but there is accounting record for it. Below are the log and accounting record.

Any comments on this..

TQ..

Fri Oct 21 22:03:06 2005 : Auth: Login incorrect (rlm_ldap: User not found): [assasaas] (from client 61.6.116.2 port 143)

Fri Oct 21 22:03:08 2005
        Acct-Session-Id = "0026190D"
        Framed-Protocol = PPP
        Framed-IP-Address = 61.6.116.27
        User-Name = "assasaas"
        Acct-Authentic = RADIUS
        Acct-Session-Time = 7
        Acct-Input-Octets = 762
        Acct-Output-Octets = 494
        Acct-Input-Packets = 16
        Acct-Output-Packets = 15
        Acct-Terminate-Cause = User-Error
        Acct-Status-Type = Stop
        Called-Station-Id = "20878830"
        NAS-Port-Type = Async
        NAS-Port = 143
        Connect-Info = "28800 V34/V42bis/LAPM"
        Service-Type = Framed-User
        NAS-IP-Address = 61.6.116.2
        Acct-Delay-Time = 0
        Client-IP-Address = 61.6.116.2
        Acct-Unique-Session-Id = "62a6e1512da039e2"
        Stripped-User-Name = "assasaas"
        Realm = "NULL"
        Timestamp = 1129903388



Re: Cannot authenticate but there is accounting record

2005-12-29 Thread Alan DeKok
Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
 I've found unusual activity where there is an attempt to authenticate
 but unsuccessful due to no entry in database (LDAP) but there is
 accounting record for it.

  Ask the NAS vendor why they do this.  FreeRADIUS just logs the
accounting packets that the NAS sends.

  Alan DeKok.
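
Because the server records whatever accounting packets a NAS sends, a rejected login can still leave a Stop record, as in the exchange above. The following is an added example, not code from this thread or from the FreeRADIUS project, that correlates radius.log Auth lines with detail records to list such sessions. It assumes the "client" field in radius.log equals NAS-IP-Address, that both files carry server-local timestamps, and uses constructed sample input and hypothetical function names.

```python
import re
from datetime import datetime, timedelta
TS = "%a %b %d %H:%M:%S %Y"
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d [\d:]{8} \d{4}) : Auth: (?P<res>Login OK|Login incorrect)"
    r"[^\[]*\[(?P<user>[^\]/]*)[^\]]*\] \(from client (?P<client>\S+) port (?P<port>\d+)")
# Constructed sample input: the first log line and first record reuse values quoted
# in the thread; the "alice" session is invented as a case that must not be flagged.
RADIUS_LOG = """\
Fri Oct 21 22:03:06 2005 : Auth: Login incorrect (rlm_ldap: User not found): [assasaas] (from client 61.6.116.2 port 143)
Fri Oct 21 22:04:10 2005 : Auth: Login OK: [alice] (from client 61.6.116.2 port 144)
"""
DETAIL = """\
Fri Oct 21 22:03:08 2005
\tUser-Name = "assasaas"
\tNAS-IP-Address = 61.6.116.2
\tNAS-Port = 143
\tAcct-Session-Time = 7

Fri Oct 21 22:09:30 2005
\tUser-Name = "alice"
\tNAS-IP-Address = 61.6.116.2
\tNAS-Port = 144
\tAcct-Session-Time = 320
"""

def parse_auth(text):
    """Return (time, accepted, user, client, port) for each Auth line in radius.log."""
    hits = (AUTH_RE.match(line.strip()) for line in text.splitlines())
    return [(datetime.strptime(m["ts"], TS), m["res"] == "Login OK",
             m["user"], m["client"], m["port"]) for m in hits if m]

def parse_detail(text):
    """Yield one dict per detail record: a timestamp line, then 'Attr = value' lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        head, *attrs = block.strip().splitlines()
        rec = {k.strip(): v.strip().strip('"') for k, _, v in (a.partition(" = ") for a in attrs)}
        yield {**rec, "_time": datetime.strptime(head.strip(), TS)}

def sessions_without_accept(log_text, detail_text, slack=timedelta(seconds=60)):
    """Flag accounting records whose user/NAS/port had rejects and no accept near the session."""
    auths, flagged = parse_auth(log_text), []
    for rec in parse_detail(detail_text):
        key = (rec.get("User-Name"), rec.get("NAS-IP-Address"), rec.get("NAS-Port"))
        # Search from (record time - session length - slack) up to the record time.
        start = rec["_time"] - timedelta(seconds=int(rec.get("Acct-Session-Time", 0))) - slack
        seen = [ok for t, ok, *who in auths if tuple(who) == key and start <= t <= rec["_time"]]
        if seen and not any(seen):
            flagged.append(rec)
    return flagged
```

Records with no matching Auth line at all are not flagged, since authentication logging may simply be switched off for that NAS.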