Re: openssl fails
You have to put the path to the files which it can't find.

----- Original Message -----
From: pelusa vali [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Thursday, December 29, 2005 12:34 AM
Subject: openssl fails

Hi everybody,

Well, I finally got OpenSSL v0.9.8a installed. Now, when I try to generate certificates to be used with FreeRADIUS (EAP-TLS or EAP-PEAP), I use these commands for CERTIFICATE AUTHORITY GENERATION:

#openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:clue1 -passout pass:clue1
#openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:clue1 -passout pass:clue1
#openssl pkcs12 -in root.p12 -out root.pem -passin pass:clue1 -passout pass:clue1
(I copied root.p12 from the FreeRADIUS files)
#openssl x509 -inform PEM -outform DER -in root.pem -out root.der
#rm -rf newreq.pem

and these for SERVER CERTIFICATE GENERATION:

#openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:clue1
#openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem

Right here, when using this command, I get this error:

Error opening CA private key ./demoCA/private/cakey.pem
4161:error:02001002:system library:fopen:No such file or directory:bss_file.c:349:fopen('./demoCA/private/cakey.pem','r')
4161:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:351:
unable to load CA private key

Well, I really don't understand what this means, but I reviewed ./demoCA/private/cakey.pem and effectively it's there, so why can't openssl locate it?? Why "unable to load CA private key"??

So I tried this:

#openssl x509 -inform PEM -outform DER -in demoCA/cacert.pem -out demoCA/cacert.der

but now I get this:

4201:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE

Excuse me if this question is so trivial, but I really don't understand it.
Could anybody help and tell me what is happening?? Thanks for your patience and help.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
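An added example, not code from the thread above or from FreeRADIUS, for the path problem the reply points at. `openssl ca` does not look for the key where the last `openssl req` wrote it: it opens the `private_key` entry of the `[ CA_default ]` section (`$dir/private/cakey.pem` in the stock openssl.cnf), and a relative `dir` such as `./demoCA` is resolved against the directory `openssl ca` is run from, not against the config file. The posted CA step writes the CA key to newreq.pem instead, and the server step reuses that file name. The script below first shows where a given config will look for the key, then builds a CA and an EAP-TLS/PEAP server certificate with every path named explicitly in a self-contained config, and finally checks that the CA key on disk really belongs to the CA certificate. Assumed names: the ./demoCA layout, a FreeRADIUS 1.x style `xpextensions` file (its two sections are the ones that package ships), placeholder subject names, and passphrases passed as arguments.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeRADIUS.
# 1. ca_key_path: where `openssl ca -config CNF` will open the CA private key.
#    It is [ CA_default ] private_key with $dir expanded; a relative dir such
#    as ./demoCA is taken from the directory `openssl ca` runs in.
# 2. build_eap_tls_pki: a CA plus an EAP-TLS/PEAP server certificate with every
#    path spelled out in a self-contained config, followed by a check that the
#    CA key on disk really belongs to the CA certificate.
# Assumed: work dir layout ./demoCA, the FreeRADIUS 1.x "xpextensions" EKU
# file, placeholder subject names, passphrases given as arguments.

# cnf_value FILE KEY: value of the first "KEY = value" line, comment stripped
cnf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# ca_key_path CNF: the CA private key path `openssl ca` will try to open
ca_key_path() {
    dir=$(cnf_value "$1" dir)
    key=$(cnf_value "$1" private_key)
    [ -n "$key" ] || { echo "no private_key in $1" >&2; return 1; }
    printf '%s\n' "$key" | sed "s|\${dir}|$dir|g; s|\$dir|$dir|g"
}

# ca_key_matches_cert KEY PASSPHRASE CERT: 0 when both carry the same public key
ca_key_matches_cert() {
    [ "$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null)" ]
}

# build_eap_tls_pki WORKDIR CAPASS SERVERPASS
build_eap_tls_pki() {
    work=$1 capass=$2 srvpass=$3
    mkdir -p "$work/demoCA/private" "$work/demoCA/newcerts" || return 1
    : > "$work/demoCA/index.txt"
    echo 01 > "$work/demoCA/serial"
    # same [ CA_default ] keys the stock openssl.cnf uses, nothing implicit
    cat > "$work/ca.cnf" <<'EOF'
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = ./demoCA
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
serial             = $dir/serial
certificate        = $dir/cacert.pem
private_key        = $dir/private/cakey.pem
default_md         = sha256
default_days       = 365
policy             = policy_anything
[ policy_anything ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName         = Common Name
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # the Windows XP extended-key-usage file FreeRADIUS 1.x ships as xpextensions
    cat > "$work/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    (
        cd "$work" || exit 1
        # CA key goes straight to the path ca.cnf names, never to newreq.pem
        openssl req -config ca.cnf -new -x509 -days 3650 -newkey rsa:2048 \
            -subj '/CN=Example RADIUS CA' -keyout demoCA/private/cakey.pem \
            -out demoCA/cacert.pem -passout "pass:$capass" &&
        # the server gets its own key and CSR, with its own passphrase
        openssl req -config ca.cnf -new -newkey rsa:2048 \
            -subj '/CN=radius.example.org' -keyout server.key \
            -out server.csr -passout "pass:$srvpass" &&
        # sign from inside $work: ./demoCA is resolved against this directory
        openssl ca -config ca.cnf -batch -passin "pass:$capass" \
            -extensions xpserver_ext -extfile xpextensions \
            -out server.pem -infiles server.csr &&
        # DER copy of the CA certificate for import on Windows supplicants
        openssl x509 -in demoCA/cacert.pem -outform DER -out demoCA/cacert.der &&
        ca_key_matches_cert demoCA/private/cakey.pem "$capass" demoCA/cacert.pem
    ) >/dev/null
}
```

Run `ca_key_path /path/to/openssl.cnf` from the directory you intend to run `openssl ca` in; if the printed file does not exist there, that is the "No such file or directory" from the post, whatever `ls` says about some other demoCA. `ca_key_matches_cert` is the check to run whenever a CA certificate and key were produced by different commands or copied from different places.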
RE: using freradius 1.0.5 to secure an WLAN AP
But no client will get access. The Windows XP clients say that they can not be verified. And my Windows 2000 clients will send the request all the time, because the request from the RADIUS server seems not complete :(

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, December 28, 2005 11:47 PM
To: FreeRadius users mailing list
Subject: Re: using freradius 1.0.5 to secure an WLAN AP

Frank Buttner [EMAIL PROTECTED] wrote:
Hello, I try to use FreeRADIUS to secure my WLAN. But it will not work. The clients talk to the AP and the AP to my RADIUS server. But the answer of the RADIUS server is not ok :( What's going wrong?

Your message doesn't include anything that I can see is a problem.

Alan DeKok.
Re: Freeradius vs NT Domain Authentication
Alan,

I'm already reading the conf files, but I still can't make this work. Can you check the log below?

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc//raddb/proxy.conf
Config: including file: /etc//raddb/clients.conf
Config: including file: /etc//raddb/snmp.conf
Config: including file: /etc//raddb/eap.conf
Config: including file: /etc//raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded SMB
 smb: server = server.domain.com
 smb: backup = server.domain.com
 smb: domain = DOMAIN
Module: Instantiated smb (smb)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc//raddb/huntgroups
 preprocess: hints = /etc//raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = prefix
 realm: delimiter = \
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (ntdomain)
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc//raddb/users
 files: acctusersfile = /etc//raddb/acct_users
 files: preproxy_usersfile = /etc//raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host
radiusd core dumps on authentication (solaris 9)
Hello freeradius-users!

I am currently experiencing an authentication problem and am wondering if anyone has run into something similar (or has an answer as to what I'm doing wrong).

I am running FreeRADIUS 1.0.5 on a Solaris 9 box. I have my user accounts currently stored in a NIS/YP database hosted by a Linux (SuSE SLES9) server. My users configuration file currently looks like this:

DEFAULT Auth-Type = Pam
        Fall-Through = No

I have tried using Auth-Type = {System | Pam | unix}. No matter which I try, radiusd core dumps as soon as it comes to the Authenticate module (see debug log below). This does not happen if I set Auth-Type = Local; then everything works as expected. _But_ that would give me two username/password databases to maintain, which is not something I look forward to.

Anyone have any ideas as to what's going on?

TIA,
Johan

PS. No idea if this helps, but I have an old FreeRADIUS 1.0.2 lying around. The results (using the same config files) are the same.

debug log
---
/etc/init/freeradiusd start
Module: Instantiated realm (MIP02)
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (NULL)
 detail: detailfile = /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /opt/freeradius/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
 detail: detailfile = /opt/freeradius/var/log/radius/radacct/detail-combined
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = yes
Module: Instantiated detail (accounting_replication_log)
 detail: detailfile = /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (pre_proxy_log)
 detail: detailfile = /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (post_proxy_log)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
 detail: detailfile = /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.11.249:3644, id=171, length=121
        NAS-IP-Address = 192.168.11.249
        NAS-Identifier = vrr_ggsn_2
        Called-Station-Id = .xxx.xx
        Service-Type = Framed-User
        Framed-Protocol = GPRS-PDP-Context
        NAS-Port-Type = Virtual
        User-Name = daniel
        User-Password = secret
        Calling-Station-Id =
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  radius_xlat: '/opt/freeradius/var/log/radius/radacct/192.168.11.249/auth-detail-20051229'
rlm_detail: /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/freeradius/var/log/radius/radacct/192.168.11.249/auth-detail-20051229
  modcall[authorize]: module auth_log returns ok for request 0
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type Pam
auth: type PAM
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  pam_pass: using pamauth string radiusd for pam.conf lookup
Segmentation Fault - core dumped radiusd
Client authenticated but no internet connection
Hi,

The clients can log in (through the ChilliSpot login page) and authenticate via the RADIUS server and MySQL DB. So they have an IP like 192.168.182.5. But even if they get authenticated, they still cannot connect to the internet. And I have no idea why.

Any hints?

TIA
mfred
FreeRadius and Dlink Switch Authentication Problem
Hello,

I am using FreeRADIUS on my computer with the IP 10.0.0.6. I have a D-Link 3226S model switch in my network and its IP is 10.0.0.250. I want this switch to verify username and password from the RADIUS server (10.0.0.6). I have added 10.0.0.250 as a client to the RADIUS server's clients.conf and users files and I introduced a user, but still it doesn't connect. Where may the error be? When I test locally, it seems to be working, but the switch doesn't connect to RADIUS?

Thank you,

Using command, RADIUS server (10.0.0.6):

[EMAIL PROTECTED] clients.conf

client 10.0.0.250 {
        secret = 250
        shortname = 1
}

[EMAIL PROTECTED] users

steve   Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 127.0.0.1,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = std.ppp,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

#radtest steve testing 10.0.0.6 1812 testing
okay

What problem? When I test locally, it seems to be working, but the switch doesn't connect to RADIUS?

Kai Ozgur Geek
Network Engineer
PGP ID: B1B63B6E
RE: using freradius 1.0.5 to secure an WLAN AP
So here I have the whole output again. As far as I can see, there is no certificate exchange??

        NAS-Identifier = 0014bfa57781
        NAS-Port = 24
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x021e017363686e656562616c6c2e6e65747a2d766f6e2d6672616e6b
        Message-Authenticator = 0xdd3d83f19e08787f6907798c30ef7b7c
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  radius_xlat: '/var/log/radius/radacct/192.168.1.2/auth-detail-20051229'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.2/auth-detail-20051229
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module attr_filter returns noop for request 0
    rlm_realm: No '@' in User-Name = schneeball.netz-von-frank, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 30
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to 192.168.1.2:2068
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x
        State = 0xd69dcd7c75cc15eea53e2baca8acbce5
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2068, id=0, length=163
        User-Name = schneeball.netz-von-frank
        NAS-IP-Address = 192.168.1.2
        Called-Station-Id = 0014bfa57781
        Calling-Station-Id = 000e2e3ee98f
        NAS-Identifier = 0014bfa57781
        NAS-Port = 24
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201001e017363686e656562616c6c2e6e65747a2d766f6e2d6672616e6b
        Message-Authenticator = 0xf5f960c2cb0c4acc07d7f9d962b26fd9
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  radius_xlat: '/var/log/radius/radacct/192.168.1.2/auth-detail-20051229'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.2/auth-detail-20051229
  modcall[authorize]: module auth_log returns ok for request 1
  modcall[authorize]: module attr_filter returns noop for request 1
    rlm_realm: No '@' in User-Name = schneeball.netz-von-frank, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 30
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 0 to 192.168.1.2:2068
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x
        State = 0xa87e53fdb3ded6be7a711bf1e3a79879
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2068, id=0, length=163
        User-Name = schneeball.netz-von-frank
        NAS-IP-Address = 192.168.1.2
        Called-Station-Id = 0014bfa57781
        Calling-Station-Id = 000e2e3ee98f
        NAS-Identifier = 0014bfa57781
        NAS-Port = 24
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201001e017363686e656562616c6c2e6e65747a2d766f6e2d6672616e6b
        Message-Authenticator
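The EAP-Message hex strings in the log above are the whole story of this exchange, and they are readable once the RFC 3748 header and the EAP-TLS flag byte (RFC 5216) are decoded: the server's Access-Challenge carries 0x010100060d20, which is an EAP Request, id 1, type 13 (TLS) with only the S (Start) flag set, and the next packet from the AP carries 0x0201001e01..., an EAP Response of type 1 (Identity) again rather than a TLS ClientHello. The following decoder is an added example, not code from the thread or from FreeRADIUS; the only inputs it assumes are the hex strings printed by radiusd -X, and the sample values in the test are taken from the log above plus two constructed packets (a Nak and a TLS fragment with a length field).

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeRADIUS: decode the
# EAP-Message hex strings radiusd -X prints (RFC 3748 header, RFC 5216
# EAP-TLS flags) into one readable line each. Plain POSIX sh.

# hexbyte HEX OFFSET: decimal value of the byte at 0-based OFFSET (0 if absent)
hexbyte() {
    b=$(printf '%s' "$1" | cut -c "$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))")
    echo $(( 0x${b:-00} ))
}

# hex2ascii HEX: print the bytes as text (octal escapes keep printf POSIX)
hex2ascii() {
    s=$1
    while [ ${#s} -ge 2 ]; do
        rest=${s#??}
        pair=${s%"$rest"}
        printf "\\$(printf '%03o' $(( 0x$pair )))"
        s=$rest
    done
}

# eap_type_name N: the method names seen in FreeRADIUS 1.x logs
eap_type_name() {
    case $1 in
        1) echo Identity ;;  3) echo Nak ;;    4) echo MD5-Challenge ;;
        6) echo GTC ;;      13) echo TLS ;;   17) echo LEAP ;;
        21) echo TTLS ;;    25) echo PEAP ;;  26) echo MSCHAPv2 ;;
        *) echo "type-$1" ;;
    esac
}

# eap_decode 0xHEX: one-line summary of the EAP packet
eap_decode() {
    h=${1#0x}
    code=$(hexbyte "$h" 0) id=$(hexbyte "$h" 1)
    len=$(( $(hexbyte "$h" 2) * 256 + $(hexbyte "$h" 3) ))
    case $code in
        1) out=Request ;; 2) out=Response ;; 3) out=Success ;; 4) out=Failure ;;
        *) out="code-$code" ;;
    esac
    out="$out id=$id len=$len"
    # a length field that disagrees with the bytes carried means a truncated
    # or corrupted attribute, not a protocol state
    [ "$len" -eq $(( ${#h} / 2 )) ] || out="$out WIRE=$(( ${#h} / 2 ))"
    if [ "$code" -le 2 ] && [ "$len" -ge 5 ]; then
        t=$(hexbyte "$h" 4)
        out="$out $(eap_type_name "$t")"
        case $t in
            1)  # Identity: the NAI in clear text, which is why outer identities matter
                out="$out \"$(hex2ascii "$(printf '%s' "$h" | cut -c 11-)")\"" ;;
            3)  # Nak: the peer refuses the offered method and names the one it wants
                out="$out wants=$(eap_type_name "$(hexbyte "$h" 5)")" ;;
            13|21|25)
                f=$(hexbyte "$h" 5) flags=
                [ $(( f & 0x80 )) -ne 0 ] && flags="${flags}L"   # TLS length present
                [ $(( f & 0x40 )) -ne 0 ] && flags="${flags}M"   # more fragments
                [ $(( f & 0x20 )) -ne 0 ] && flags="${flags}S"   # EAP-TLS Start
                out="$out flags=${flags:--}"
                if [ $(( f & 0x80 )) -ne 0 ]; then
                    out="$out tls_len=$(( ($(hexbyte "$h" 6) << 24) | ($(hexbyte "$h" 7) << 16) | ($(hexbyte "$h" 8) << 8) | $(hexbyte "$h" 9) ))"
                fi ;;
        esac
    fi
    printf '%s\n' "$out"
}
```

Feed it every EAP-Message line from a radiusd -X run (for example `grep EAP-Message debug.log | awk '{print $3}' | while read -r m; do eap_decode "$m"; done`) and the conversation reads as Request/Response pairs: a healthy EAP-TLS run goes Identity, TLS Start, then TLS fragments with growing tls_len values in both directions, while a supplicant that answers a Start with a fresh Identity or a Nak has not been configured for the method the server offers.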
RE: FreeRadius and Dlink Switch Authentication Problem
Hi,

Did you run RADIUS in debug mode? Could you look at what appears on the screen while you are trying to connect to the switch? Also, let me give an example from a working system. Could you edit your clients.conf file as follows?

client 10.0.0.250 {
        secret = 250
        shortname = switch
        nastype = cisco
}

If you define the user in the users file as below, create a user called steve on the Linux system and give it a password, you should be able to get the connection working.

steve   Auth-Type := System
        Service-Type = Shell-User,
        Login-Service = Telnet,
        Login-IP-Host = 0.0.0.0,
        Login-TCP-Port = Telnet

Aren't the ports open under Linux? If you check it this way, we can also have a look at your conf file; in that case it means there is an error in your conf file. And I keep insisting on TACACS+ : )

Good luck,
Inci Gedik

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kai Geek
Sent: Thursday, 29 December 2005 14:24
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius and Dlink Switch Authentication Problem
RE: FreeRadius and Dlink Switch Authentication Problem
Hello Ms. Inci,

First of all, thank you very much for your help. However, we cannot use TACACS because most of the switches are D-Link model 3226, which means there is no TACACS; they support a RADIUS server, so I need to use RADIUS.

I put it into debug mode with #radiusd -X. My IP address is 10.0.0.185, the RADIUS server runs on 10.0.0.6, and the switch (D-Link brand) has the IP address 10.0.0.250. When I issue the command #telnet 10.0.0.250, I can log in with the switch's own built-in user (admin), but no log entry appears at all. What do you suggest?

----- Original Message -----
From: Inci Gedik [EMAIL PROTECTED]
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org
Subject: RE: FreeRadius and Dlink Switch Authentication Problem
Date: Thu, 29 Dec 2005 15:20:43 +0200

Kai Ozgur Geek
Network Engineer
PGP ID: B1B63B6E
Re: Client authenticated but no internet connection
mfred wrote:
Hi, The clients can log in (through the ChilliSpot login page) and authenticate via the RADIUS server and MySQL DB. So they have an IP like 192.168.182.5. But even if they get authenticated, they still cannot connect to the internet. And I have no idea why. Any hints?

Learn your platform. Since you have auth already, it is a network issue from there. You are not passing either the AP/router/client the correct config, or they are not configured correctly somehow. Check reply attributes for framed address, gateway and the like.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
Re: FreeRadius and Dlink Switch Authentication Problem
Kai Geek wrote:
What problem? When I test locally, it seems to be working, but the switch doesn't connect to RADIUS?

Output of radiusd -X?

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
Re: Client authenticated but no internet connection
The clients can log in (through the ChilliSpot login page) and authenticate via the RADIUS server and MySQL DB. So they have an IP like 192.168.182.5. But even if they get authenticated, they still cannot connect to the internet. And I have no idea why.

This looks to me like a question for the ChilliSpot mailing list. But, just a wild guess, did you enable NAT on the router (the one with ChilliSpot)?

--
damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!
Re: Client authenticated but no internet connection
On Thursday 29 December 2005 04:16, mfred wrote:
Hi, The clients can log in (through the ChilliSpot login page) and authenticate via the RADIUS server and MySQL DB. So they have an IP like 192.168.182.5. But even if they get authenticated, they still cannot connect to the internet. And I have no idea why. Any hints? TIA mfred

Check your iptables and firewall settings. Make sure you have your firewall turned off at the router. ChilliSpot has a thing about firewalls at the router. At least that's what I have found.

--
LeRoy
RE: FreeRadius and Dlink Switch Authentication Problem
Hello again,

If RADIUS is working, you should not be able to log in with the user name stored inside the switch. So there is a problem somewhere. RADIUS does not log anywhere the logins made with the switch's own user account. During the telnet session, are you getting a reply along the lines of "RADIUS not found"?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kai Geek
Sent: Thursday, 29 December 2005 15:40
To: FreeRadius users mailing list
Subject: RE: FreeRadius and Dlink Switch Authentication Problem
A small question...
Hello everybody,

I wish you a merry Christmas.

I have one small question, something I don't understand, and I didn't find any explanation anywhere. I have something like this:

--- radiusd.conf
authorization {
        ...
        etc_smbpasswd
        files
        ...
}

--- users
DEFAULT Auth-Type != MS-CHAP
        .
DEFAULT Auth=Type == MS-CHAP
        .

In the debug output of radiusd, I see something like:

rlm_passwd: Added LM-Password: '' to config_items
rlm_passwd: Added NT-Password: '' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[UX ]' to config_items
rlm_passwd: Adding Auth-Type = MS-CHAP

That's done before the mod_call to 'files'. However, there's no matched entry in 'users'. What does it mean? Why isn't Auth-Type set to MS-CHAP before looking at 'users'? Is there a doc somewhere that precisely describes how the server chains things? But perhaps it's a big secret, a kind of grail that only radius core developers can touch? :-) However, a public version could be really helpful...

--
Samuel Degrande       LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3
Phone: (33)3.28.77.85.30   USTL - Universite de Lille 1
Fax: (33)3.28.77.85.37     59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]
Re: Client authenticated but no internet connection
On Dec 29, 2005, at 8:39 AM, LeRoy DeVries wrote:

> On Thursday 29 December 2005 04:16, mfred wrote:
>
> > Hi,
> > The clients can login (through the chillispot login page) and authenticate via the radius server and mysqldb. So they have an IP like 192.168.182.5. But even if they get authenticated they still cannot connect to the internet. And I have no idea why. Any hints?
> > TIA
> > mfred
>
> Check your iptables and firewall settings. Make sure you have your firewall turned off at the router. Chillispot has a thing about firewalls at the router. At least that's what I have found.

I would beg to differ. You should not be turning off firewall rules at the gateway. If properly set up you can use iptables on the Chillispot server and still work through an existing firewall. I have this working in multiple locations.

Phil
Re: EAP-MD5 Authentication problem. Resolved!!!
Thanks to your patience, Alan, I have resolved it!!!

I have reinstalled freeradius. The errors were in radiusd.conf. Sorry, but I did not know that for any modification of the users file it was necessary to restart radiusd :-( The other old files do not give errors. I have included the difference between the bad radiusd.conf file and the good (my new) radiusd.conf file.

20c20,21
bind_address = *
---
54,84c55,60
pap {
        encryption_scheme = crypt
}
chap {
        authtype = CHAP
}
pam {
        pam_auth = radiusd
}
unix {
        cache = no
        cache_reload = 600
        shadow = /etc/shadow
        radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
        authtype = MS-CHAP
}
ldap {
        server = ldap.your.domain
        basedn = o=My Org,c=UA
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        access_attr = dialupAccess
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
---
#$INCLUDE ${confdir}/eap.conf
eap {
        default_eap_type = md5
        md5 {
        }
}
136c112
$INCLUDE ${confdir}/postgresql.conf
---
$INCLUDE ${confdir}/sql.conf
173a150
175a153
177a156,157
preprocess
182,197d161
exec echo {
        wait = yes
        program = /bin/echo %{User-Name}
        input_pairs = request
        output_pairs = reply
}
ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
}
205,207d168
chap
mschap
suffix
209,210d169
files
sql
213,222d171
Auth-Type PAP {
        pap
}
Auth-Type CHAP {
        chap
}
Auth-Type MS-CHAP {
        mschap
}
unix
225a175
files
233d182
unix
234a184
sql
237a188
sql
239a191
sql
244d195

Good year to all the participants to the mailing-list!!!

BYE

On Thu, Dec 29, 2005 at 02:22:19AM -0500, Alan DeKok wrote:
> From: Alan DeKok [EMAIL PROTECTED]
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Date: Thu, 29 Dec 2005 02:22:19 -0500
> Subject: Re: EAP-MD5 Authentication problem
>
> Marco Spiga [EMAIL PROTECTED] wrote:
> > However, as soon as I installed freeradius I tried radtest and it worked well, also with users inserted in the radcheck table of postgresql, and authentication EAP MD5 has never worked.
>
> The entry in the users file isn't being matched because you edited radiusd.conf, and broke the server.
>
> > modcall: entering group authorize for request 0
> > modcall[authorize]: module preprocess returns ok for request 0
> > rlm_eap: EAP packet type response id 210 length 9
> > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> > modcall[authorize]: module eap returns updated for request 0
> > modcall: group authorize returns updated for request 0
>
> See? There's no mention of the files module, or that any entry in the users file was matched. So you can edit the users file forever, and it won't affect anything... because *you* told the server to not look at the users file.
>
> > # eap sets the authenticate type as EAP
> > authorize {
> >         ...
> >         eap
> > }
>
> And rather than quoting your exact authorize section, you've edited it. Since I can read the debug output, I can tell what you've done. But by editing the radiusd.conf pieces you quoted, you've gone out of your way to make it more difficult for anyone to be able to help you.
>
> In short, if you don't know what the entries in radiusd.conf do, DON'T EDIT THEM. The default configuration is set up that way for a reason. IT WORKS.
>
> If you had used the default configuration, the users file entry would have worked as I said. But because you edited the default configuration (and didn't say you edited it), you broke it, and the users file entry didn't work.
>
> Alan DeKok.

---end of text---
-- ! Message from Marco !
Re: using freeradius 1.0.5 to secure a WLAN AP
Frank Buttner [EMAIL PROTECTED] wrote:
> But no client will get access. The Windows XP clients say that they can not be verified. And my Windows 2000 clients will send the request all the time because the request from the radius server seems not complete :(

The debug shows the server responding, but the supplicant or AP never continues the conversation. Check that the AP isn't discarding the server's response.

Alan DeKok.
postgres + freeradius trouble
Hi,

I'm sorry to be bothering you, but I'm having a strange problem with this combo. I am using freeradius 1.0.5 and have the following user:

radius=# select * from radcheck order by id;
 id | username |    attribute    | op | value
----+----------+-----------------+----+---------
 10 | user2    | Framed-Protocol | != | PPP
 14 | user2    | NAS-Port-Type   | == | Virtual
 16 | user2    | Password        | == | teste

If I remove the id 10, everything works as expected, but if I leave it as is, I can't authorize the user, although it matches the id 14 and the 10. The message I get is:

rlm_sql (sql): No matching entry in the database for request from user [user2]

which seems rather strange. Any insight you could give me? Very much appreciate it.

--
André Ventura Lemos
Software Engineer
Critical Software, SA
MSN: [EMAIL PROTECTED]
GSM: +351969495155
TLF: +351239989100

DISCLAIMER: This message may contain confidential information or privileged material and is intended only for the individual(s) named. If you are not a named addressee and mistakenly received this message you should not copy or otherwise disseminate it: please delete this e-mail from your system and notify the sender immediately. E-mail transmissions are not guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Therefore, the sender does not accept liability for any errors or omissions in the contents of this message that arise as a result of e-mail transmissions. Please request a hard-copy version if verification is required. Critical Software.
Re: Freeradius vs NT Domain Authentication
Richard Bortolucci [EMAIL PROTECTED] wrote:
> I'm already reading the conf files, but I still can't make this work. Can you check the log below?

First, nothing in the debug log shows anything going wrong, or a user being rejected. Could you PLEASE explain what you expect, and say WHY the debug log isn't doing what you expect? Saying it doesn't work, and relying on someone else to do all of the work to figure it out, is annoying.

> rlm_eap: processing type md5

You won't be able to authenticate against an NT domain when using EAP-MD5.

Alan DeKok.
Re: radiusd core dumps on authentication (solaris 9)
Johan Ramm-Ericson [EMAIL PROTECTED] wrote:
> I am currently experiencing an authentication problem and am wondering if anyone has run into something similar (or has an answer as to what I'm doing wrong ...
>
> pam_pass: using pamauth string radiusd for pam.conf lookup
> Segmentation Fault - core dumped

Read doc/bugs

And you probably don't want to use pam. It's horrible.

Alan DeKok.
Re: A small question...
Samuel Degrande [EMAIL PROTECTED] wrote:
> --- users
> DEFAULT Auth-Type != MS-CHAP
>         .
> DEFAULT Auth=Type == MS-CHAP
>         .

You can't do that kind of comparison with the users file.

> Is there a doc somewhere that precisely describes how the server chains things?

Yes. The man pages for the modules, and the doc/ directory contain files describing how the server works. Read them.

> But perhaps it's a big secret, a kind of grail that only radius core developers can touch? :-) However, a public version could be really helpful...

When you figure it out, add it to the wiki.

Alan DeKok.
Logging ONLY failed authentication and not correct?
Hi, two questions.

#1 Is there a way to log only incorrect logins in radius.log and to ignore correct logins (so as to not fill up the log file)?

#2 When I do get a login incorrect right now I get:

Auth: Login incorrect (rlm_chap: Clear text password not available): [EMAIL PROTECTED]/CHAP-Password] (from client blah.host.com port 2912 cli xxx)

Is there any way to get the chap password that the user entered to show up, or is there no way to do the reverse encryption?
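Added example for both questions in this post (not code from the list or from FreeRADIUS itself): the first function filters a radius.log for the "Login incorrect" lines only, done outside radiusd as a post-processing step, and the remaining functions show what rlm_chap has to compute. A CHAP-Password is the identifier byte followed by MD5(identifier || cleartext password || challenge), so the server can only recompute that digest from a cleartext password it holds and compare; the digest is one-way, which is why the error in the log appears when no cleartext password is available and why the entered password cannot be recovered from the attribute. The log lines, usernames, client names and the password and challenge values are constructed.

```python
import hashlib
import hmac
import re

# Constructed radius.log lines in the FreeRADIUS 1.x "Auth:" format (not from the
# original post); the second line mirrors the rlm_chap message quoted above.
SAMPLE_LOG = """\
Thu Dec 29 10:00:01 2005 : Auth: Login OK: [alice] (from client nas1.example.test port 2901)
Thu Dec 29 10:00:07 2005 : Auth: Login incorrect (rlm_chap: Clear text password not available): [bob/CHAP-Password] (from client blah.host.com port 2912 cli 5551234)
Thu Dec 29 10:00:09 2005 : Auth: Login OK: [carol] (from client nas1.example.test port 2903)
Thu Dec 29 10:00:12 2005 : Auth: Login incorrect: [dave/wrongpass] (from client nas2.example.test port 2910)
"""

AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]/]*)(?:/[^\]]*)?\]"
    r" \(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)


def failed_logins(log_text):
    """Question #1, handled outside radiusd: keep only the 'Login incorrect'
    lines and return them as parsed dicts (timestamp, reason, user, client...)."""
    out = []
    for line in log_text.splitlines():
        m = AUTH_LINE.match(line)
        if m and m.group("result") == "incorrect":
            out.append(m.groupdict())
    return out


def chap_response(chap_id, password, challenge):
    """RFC 1994 response as carried in RADIUS (RFC 2865 section 5.3):
    MD5(Identifier || cleartext password || Challenge). One-way: there is no
    inverse, only recomputation against a candidate password."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_chap_password(chap_id, password, challenge):
    """The 17-byte CHAP-Password attribute value: Identifier byte + 16-byte digest."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def verify_chap(chap_password, challenge, stored_cleartext):
    """What rlm_chap has to do: recompute the digest from the cleartext password it
    has on file and compare. With no cleartext password (stored_cleartext is None)
    there is nothing to recompute against, which is the error quoted in the post."""
    if stored_cleartext is None or len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored_cleartext, challenge)
    return hmac.compare_digest(chap_password[1:], expected)
```

The challenge comes from the CHAP-Challenge attribute when the NAS sends one, otherwise from the Request Authenticator; either way the server needs the cleartext (or a reversibly stored) password, which is the practical answer to question #2.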
RE: using freeradius 1.0.5 to secure a WLAN AP
I think the same. I have tried to run ethereal on the Linux clients and I must see that after the client sends his ID nothing more happens :( I have written this to the manufacturer of the WLAN router. I have a WRT54GS v4.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Alan DeKok
Sent: Thursday, December 29, 2005 6:59 PM
To: FreeRadius users mailing list
Subject: Re: using freeradius 1.0.5 to secure a WLAN AP

Frank Buttner [EMAIL PROTECTED] wrote:
> But no client will get access. The Windows XP clients say that they can not be verified. And my Windows 2000 clients will send the request all the time because the request from the radius server seems not complete :(

The debug shows the server responding, but the supplicant or AP never continues the conversation. Check that the AP isn't discarding the server's response.

Alan DeKok.
Compile 1.0.5
Hi all,

Although I haven't had any trouble compiling 1.0.4, it seems almost impossible to do the same with 1.0.5. I extract the official tarball to my debian system, edit debian/rules to fit my requirements (disable-shared, with-experimental-modules) and run dpkg-buildpackage, but I get the following error:

cannot find -lrlm_eap_tls

I've been searching for this issue, but the only thing I found were several patches, already included in debian/patches. Any help?? With the same config I'm able to compile 1.0.4.

Thanks!
Re: postgres + freeradius trouble
A bit more information:

radius_xlat: 'SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user2' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user2' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): No matching entry in the database for request from user [user2]
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns notfound for request 1
modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns ok for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

André Lemos wrote:
> Hi,
>
> I'm sorry to be bothering you, but I'm having a strange problem with this combo. I am using freeradius 1.0.5 and have the following user:
>
> radius=# select * from radcheck order by id;
>  id | username |    attribute    | op | value
> ----+----------+-----------------+----+---------
>  10 | user2    | Framed-Protocol | != | PPP
>  14 | user2    | NAS-Port-Type   | == | Virtual
>  16 | user2    | Password        | == | teste
>
> If I remove the id 10, everything works as expected, but if I leave it as is, I can't authorize the user, although it matches the id 14 and the 10. The message I get is:
>
> rlm_sql (sql): No matching entry in the database for request from user [user2]
>
> which seems rather strange. Any insight you could give me? Very much appreciate it.

--
André Ventura Lemos
Software Engineer
Critical Software, SA
MSN: [EMAIL PROTECTED]
GSM: +351969495155
TLF: +351239989100
The entries should be ordered
In man 5 users, HINTS, from: http://www.freeradius.org/doc/users.5.html#index

Does "the entries should be ordered" mean in alphabetical order? (username first)

TIA
Re: using freeradius 1.0.5 to secure a WLAN AP
Frank Buttner [EMAIL PROTECTED] wrote:
> I think the same. I have tried to run ethereal on the Linux clients and I must see that after the client sends his ID nothing more happens :( I have written this to the manufacturer of the WLAN router. I have a WRT54GS v4.

I would also suggest checking that the certificates include the Windows extended OID field. See the scripts directory.

Alan DeKok.
Re: huntgroups file, aclip
On Tuesday 20 December 2005 16:03, Adam KOSA wrote:
> Hi all,
>
> Google and the wiki search option did not answer my question; it may be too dumb to ask. I have the following huntgroup contents:
>
> aclip   Calling-Station-Id == 127.0.0.1
> aclip   Calling-Station-Id == 127.0.0.11
> aclip   Calling-Station-Id == 10.61.11.17
> aclip   Calling-Station-Id == 10.61.13.41
> ...
> aclip   Calling-Station-Id == 10.61.14.10
> aclip   NAS-Port-Type == Async
>
> for restricting the logins to our cisco devices. What I'm looking for is the ability to use 127.0.0.0/24 or 127.0.0.1-255 instead of the first two lines. The above / and - syntax did not work. Is this possible? What doc am I missing?

See man 5 users and look at the =~ operator. Match on the first 3 octets of the IP address and it should have the desired effect.

Kevin Bonner
RE: using freeradius 1.0.5 to secure a WLAN AP
Yes, I have added this value: client for the clients (1.3.6.1.5.5.7.3.2) and Server for the server (1.3.6.1.5.5.7.3.1).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Alan DeKok
Sent: Thursday, December 29, 2005 9:00 PM
To: FreeRadius users mailing list
Subject: Re: using freeradius 1.0.5 to secure a WLAN AP

Frank Buttner [EMAIL PROTECTED] wrote:
> I think the same. I have tried to run ethereal on the Linux clients and I must see that after the client sends his ID nothing more happens :( I have written this to the manufacturer of the WLAN router. I have a WRT54GS v4.

I would also suggest checking that the certificates include the Windows extended OID field. See the scripts directory.

Alan DeKok.
Re: The entries should be ordered
M T [EMAIL PROTECTED] wrote:
> Does "the entries should be ordered" mean in alphabetical order? (username first)

It means they're processed from the top of the users file to the bottom, in that order.

Alan DeKok.
FreeRADIUS 1.0.5 rlm_ldap crashing
Hi Guys.

I'm doing a stress test on 1.0.5 running on FreeBSD 5.4-RELEASE, and when start_tls is enabled radiusd crashed somewhere in the rlm_ldap module. I can't seem to make it produce a core file to properly inspect it. The server is running as root and core dumps are enabled in the config file. When I disable start_tls it does not crash. It always crashed with signal 6 at random periods.

Here's an error:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: (re)connect to ldap01.totftds.int.distributel.net:389, authentication 0
rlm_ldap: ldap_get_conn: Checking Id: 1
rlm_ldap: ldap_get_conn: Got Id: 1
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap01.totftds.int.distributel.net:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
rlm_ldap: setting TLS CACert File to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
radiusd in free(): error: chunk is already free
rlm_ldap: starting TLS
Abort

Any pointers on how to debug this problem?

Thanx
Paul
RE: using freeradius 1.0.5 to secure a WLAN AP
So now it works better, after setting the IP of the radius server from * to a real IP. But now I get this error:

rad_recv: Access-Request packet from host 192.168.1.2:2068, id=0, length=157
        User-Name = schneeball.netz-von-frank
        NAS-IP-Address = 192.168.1.2
        Called-Station-Id = 0014bfa57781
        Calling-Station-Id = 000e2e3ee98f
        NAS-Identifier = 0014bfa57781
        NAS-Port = 24
        Framed-MTU = 1400
        State = 0x67b9d350a906536416e7852c3c0a23d0
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02090006030d
        Message-Authenticator = 0x97c747363c9fb963fe9a5ed06bc93479
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
  modcall[authorize]: module preprocess returns ok for request 19
  modcall[authorize]: module chap returns noop for request 19
  modcall[authorize]: module mschap returns noop for request 19
    rlm_realm: No '@' in User-Name = schneeball.netz-von-frank, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 19
  rlm_eap: EAP packet type response id 9 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 19
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 19
modcall: group authorize returns updated for request 19
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
  rlm_eap: EAP-NAK asked for EAP-Type/tls
  rlm_eap: ERROR! Our request for tls was NAK'd with a request for tls, what is the client thinking?
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 19
modcall: group authenticate returns invalid for request 19
auth: Failed to validate the user.
Delaying request 19 for 1 seconds
Finished request 19
Going to the next request

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Frank Buttner
Sent: Thursday, December 29, 2005 9:30 PM
To: 'FreeRadius users mailing list'
Subject: RE: using freeradius 1.0.5 to secure a WLAN AP

Yes, I have added this value: client for the clients (1.3.6.1.5.5.7.3.2) and Server for the server (1.3.6.1.5.5.7.3.1).
Re: FreeRADIUS 1.0.5 rlm_ldap crashing
Paul Khavkine [EMAIL PROTECTED] wrote:
> rlm_ldap: setting TLS CACert File to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
> rlm_ldap: setting TLS CACert File to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem

That second entry should be a directory, not a file. There's a typo in the debugging output which makes that harder to figure out.

Alan DeKok.
authorization for proxy?
What is the procedure of proxy? Even if we proxy [EMAIL PROTECTED] to a remote server, will our radius still go through the authorization modules listed in authorize of radiusd.conf?

Kevin
Re: FreeRADIUS 1.0.5 rlm_ldap crashing
On Thu, 2005-12-29 at 16:56 -0500, Alan DeKok wrote:
> Paul Khavkine [EMAIL PROTECTED] wrote:
> > rlm_ldap: setting TLS CACert File to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
> > rlm_ldap: setting TLS CACert File to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
>
> That second entry should be a directory, not a file. There's a typo in the debugging output which makes that harder to figure out.

Alan, I'm not sure I follow. I don't have a CA cert directory set, only a file. Should I also set tls_cacertdir?

Thanx
Paul

> Alan DeKok.
Re: FreeRADIUS 1.0.5 rlm_ldap crashing
Here's another one (the output of several threads is interleaved as it was captured):

rlm_ldap: (re)connect to ldap01.mtlcnds.int.distributel.net:389, authentication 0 User-Password = test123 NAS-IP-Address = 1.1.1.1 rlm_ldap: - authorize rlm_ldap: - authorize rlm_ldap: - authorize rlm_ldap: ldap_start_tls_s() User-Name = [EMAIL PROTECTED]rlm_ldap: performing user authorization for ip_fixe rlm_ldap: performing user authorization for ip_fixe rlm_ldap: could not start TLS Connect error rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: performing user authorization for ip_fixe rlm_ldap: ldap_get_conn: Checking Id: 0 User-Password = test123rlm_ldap: ldap_get_conn: Checking Id: 1 rad_recv: Access-Request packet from host 10.224.4.117:65039rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: (re)connection attempt failed rlm_ldap: setting TLS CACert File to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem, id=86, length=69 rlm_ldap: ldap_get_conn: Checking Id: 1 rlm_ldap: ldap_get_conn: Checking Id: 2 rlm_ldap: ldap_get_conn: Checking Id: 1 rlm_ldap: setting TLS CACert File to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem rlm_ldap: search failed rlm_ldap: ldap_get_conn: Checking Id: 2 rlm_ldap: setting TLS CACert File to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem rlm_ldap: setting TLS CACert File to /usr/local/radiusd/current/etc/raddb/certs/ NAS-IP-Address = 206.80.253.241rlm_ldap: ldap_get_conn: Checking Id: 3 rlm_ldap: ldap_get_conn: Checking Id: 2 rlm_ldap: ldap_release_conn: Release Id: 1 rlm_ldap: ldap_get_conn: Checking Id: 3 User-Name = [EMAIL PROTECTED]radiusd in free(): error: chunk is already free rlm_ldap: ldap_get_conn: Checking Id: 4 Abort

Crashed at about the same place.

Thanx
Paul

On Thu, 2005-12-29 at 16:56 -0500, Alan DeKok wrote:
> Paul Khavkine [EMAIL PROTECTED] wrote:
> > rlm_ldap: setting TLS CACert File to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
> > rlm_ldap: setting TLS CACert File to /usr/local/radiusd/current/etc/raddb/certs/cacert.pem
>
> That second entry should be a directory, not a file. There's a typo in the debugging output which makes that harder to figure out.
>
> Alan DeKok.
Re: authorization for proxy?
Never mind. I missed post_proxy_authorization in proxy.conf.

Thanks,
Kevin

kevin wrote:
> What is the procedure of proxy? Even if we proxy [EMAIL PROTECTED] to a remote server, will our radius still go through the authorization modules listed in authorize of radiusd.conf?
>
> Kevin
Re: FreeRADIUS 1.0.5 rlm_ldap crashing
Paul Khavkine [EMAIL PROTECTED] wrote:
> Crashed at about the same place.

doc/bugs

Alan DeKok.
Re: The entries should be ordered
Thank you, Mr. DeKok. I very much appreciate your taking the time to respond.

I've seen the processing sequence mentioned frequently in my reading, and thought perhaps the "should be ordered" was somewhat more significant than merely alphabetical. After my initial e-mail to this list, I happened to come across something in the mail archives and felt http://lists.freeradius.org/mailman/htdig/freeradius-users/2004-January/027248.html (subject heading: radcheck entries) was helpful in clarifying the meaning (at least to my understanding) of "should be ordered" .... with emphasis on Byron's response (included below).

(from above link) The gist of the mail-list inquiry from Klaus Heck is:

"Now I want allow more than one computer per user name, meaning I want to add another entry with the same name Charlie Brown, but with a different MAC address value. In the standard implementation of freeradius, this does not work. It seems as if it just checks the first value it read, or it checks more than one, but all need to match simultaneously. The first time the condition does not hold, the reject is sent. Is there a way to change the behavior of freeradius in order to have more than one entry for the same UserName? It should send an access-accept whenever at least one entry is true."

Byron's response is:

"Make sure you have a fall through on the first one listed; if you don't, it will read the first entry and with no fall through it gets rejected."

MT

On 12/29/05, Alan DeKok [EMAIL PROTECTED] wrote:
> M T [EMAIL PROTECTED] wrote:
> > Does "the entries should be ordered" mean in alphabetical order? (username first)
>
> It means they're processed from the top of the users file to the bottom, in that order.
>
> Alan DeKok.
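Added example (not code from the list or from FreeRADIUS): a small Python simulation of the two matching rules discussed on this page, the top-to-bottom processing of the users file with Fall-Through in this thread, and the =~ operator that Kevin Bonner's huntgroups reply suggests for matching on the first three octets. Entries are tried in file order; an entry whose check items do not all hold is skipped; the first entry that matches ends the search unless its reply items carry Fall-Through = Yes; a huntgroup contains the request if any line with that group name matches. The user names, MAC addresses and IP patterns are constructed, and only the == and =~ operators are modelled. The =~ part goes beyond the list reply in one respect: it shows that an unanchored pattern with unescaped dots (10.61.1) also matches addresses such as 210.61.10.9, so the regex must be anchored with ^ and the dots escaped.

```python
import re

# Constructed entries in users/huntgroups file syntax (not from the original posts):
# (entry name, [check items], [reply items]); every item is (attribute, op, value).
USERS = [
    # A DEFAULT entry placed first; Fall-Through = Yes lets processing continue past it.
    ("DEFAULT", [("NAS-Port-Type", "==", "Wireless-802.11")],
                [("Fall-Through", "=", "Yes")]),
    # Two entries for the same user, one per permitted Calling-Station-Id (MAC).
    ("charlie", [("Calling-Station-Id", "==", "00-11-22-33-44-55")],
                [("Reply-Message", "=", "laptop")]),
    ("charlie", [("Calling-Station-Id", "==", "66-77-88-99-aa-bb")],
                [("Reply-Message", "=", "desktop")]),
]

HUNTGROUPS = [
    # Anchored regexes for the "first three octets" advice: dots escaped, pinned to the start.
    ("aclip", [("Calling-Station-Id", "=~", r"^127\.0\.0\.")], []),
    ("aclip", [("Calling-Station-Id", "=~", r"^10\.61\.1[134]\.")], []),
    # The pitfall: an unanchored, unescaped pattern matches far more than intended.
    ("loose", [("Calling-Station-Id", "=~", r"10.61.1")], []),
]


def check_matches(request, check_items):
    """An entry matches only if every check item holds against the request.
    Only == and =~ are modelled here; a missing attribute fails the check."""
    for attr, op, value in check_items:
        got = request.get(attr)
        if got is None:
            return False
        if op == "==":
            if got != value:
                return False
        elif op == "=~":
            # =~ is a regular-expression search, like POSIX regexec: it is not
            # anchored unless the pattern says so.
            if re.search(value, got) is None:
                return False
        else:
            raise ValueError("operator %s not modelled here" % op)
    return True


def match_users(name, request, entries):
    """Top-to-bottom users-file processing. Entries named for the user or DEFAULT are
    tried in file order; a non-matching entry is skipped; the first matching entry
    ends the search unless its reply items include Fall-Through = Yes.
    Returns (names of matched entries, collected reply items)."""
    matched, reply = [], []
    for entry_name, checks, replies in entries:
        if entry_name not in (name, "DEFAULT"):
            continue
        if not check_matches(request, checks):
            continue
        matched.append(entry_name)
        fall_through = False
        for attr, _op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.append((attr, value))
        if not fall_through:
            break
    return matched, reply


def in_huntgroup(group, request, entries):
    """A request belongs to a huntgroup if any line carrying that group name matches."""
    return any(check_matches(request, checks)
               for entry_name, checks, _replies in entries if entry_name == group)
```

With these entries, charlie matches the entry for whichever MAC the request carries, an unknown MAC matches neither per-user entry, and the wireless DEFAULT entry only reaches the per-user entries because it falls through.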
Re: using freeradius 1.0.5 to secure a WLAN AP
Frank Buttner [EMAIL PROTECTED] wrote:
> rlm_eap: ERROR! Our request for tls was NAK'd with a request for tls, what is the client thinking?

Your supplicant is broken. Very broken.

Alan DeKok.
RE: FreeRADIUS 1.0.5 rlm_ldap crashing
-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Thu 12/29/2005 7:06 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 1.0.5 rlm_ldap crashing

Paul Khavkine [EMAIL PROTECTED] wrote:
    Crashed at about same place.

doc/bugs

The server is not producing a core dump. I did compile it with --enable-developer and allow_core_dumps is set to yes. The server is running as root. Still no core.

Thanx
Paul

Alan DeKok.
Cannot authenticate but there is accounting record
Hi,

I've found unusual activity where there is an attempt to authenticate but unsuccessful due to no entry in database (LDAP), but there is an accounting record for it. Below is the log accounting record. Any comments on this.. TQ..

Fri Oct 21 22:03:06 2005 : Auth: Login incorrect (rlm_ldap: User not found): [assasaas] (from client 61.6.116.2 port 143)

Fri Oct 21 22:03:08 2005
	Acct-Session-Id = "0026190D"
	Framed-Protocol = PPP
	Framed-IP-Address = 61.6.116.27
	User-Name = "assasaas"
	Acct-Authentic = RADIUS
	Acct-Session-Time = 7
	Acct-Input-Octets = 762
	Acct-Output-Octets = 494
	Acct-Input-Packets = 16
	Acct-Output-Packets = 15
	Acct-Terminate-Cause = User-Error
	Acct-Status-Type = Stop
	Called-Station-Id = "20878830"
	NAS-Port-Type = Async
	NAS-Port = 143
	Connect-Info = "28800 V34/V42bis/LAPM"
	Service-Type = Framed-User
	NAS-IP-Address = 61.6.116.2
	Acct-Delay-Time = 0
	Client-IP-Address = 61.6.116.2
	Acct-Unique-Session-Id = "62a6e1512da039e2"
	Stripped-User-Name = "assasaas"
	Realm = "NULL"
	Timestamp = 1129903388
Re: Cannot authenticate but there is accounting record
Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
    I've found unusual activity where there is an attempt to authenticate but unsuccessful due to no entry in database (LDAP), but there is an accounting record for it.

Ask the NAS vendor why they do this. FreeRADIUS just logs the accounting packets that the NAS sends.

Alan DeKok.
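Since the server records whatever accounting the NAS sends, spotting sessions like the one in the post above is a job for log review rather than the server itself. The following is an added example (not from the list or from FreeRADIUS) that parses the two formats shown in the post, the radius.log "Auth:" lines and the accounting detail records, and reports every Stop record whose user, NAS and port had no "Login OK" during the session. The sample lines are constructed from the post's formats; the "bob" lines are added as a contrasting, properly authenticated session.

```python
# Added example, not FreeRADIUS code: correlate the auth log with the accounting
# detail file and report Stop records for sessions that never had a "Login OK".
# Both samples are constructed from the formats shown in the post.

import re
from datetime import datetime, timedelta

CTIME = "%a %b %d %H:%M:%S %Y"           # timestamp format used by both files
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]?\d \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"(?P<result>Login OK|Login incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)(?: cli \S+)?\)$"
)

AUTH_LOG = """\
Fri Oct 21 22:01:10 2005 : Auth: Login OK: [bob] (from client 61.6.116.2 port 140)
Fri Oct 21 22:03:06 2005 : Auth: Login incorrect (rlm_ldap: User not found): [assasaas] (from client 61.6.116.2 port 143)
"""

ACCT_DETAIL = """\
Fri Oct 21 22:02:40 2005
\tAcct-Session-Id = "0026190A"
\tUser-Name = "bob"
\tAcct-Session-Time = 88
\tAcct-Status-Type = Stop
\tNAS-Port = 140
\tNAS-IP-Address = 61.6.116.2

Fri Oct 21 22:03:08 2005
\tAcct-Session-Id = "0026190D"
\tUser-Name = "assasaas"
\tAcct-Session-Time = 7
\tAcct-Terminate-Cause = User-Error
\tAcct-Status-Type = Stop
\tNAS-Port = 143
\tNAS-IP-Address = 61.6.116.2
"""


def parse_auth_log(text):
    """Auth: lines as dicts with a datetime in "ts"; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], CTIME)
            events.append(e)
    return events


def parse_detail(text):
    """Return (timestamp, {attribute: value}) for each record in a detail file."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        ts = datetime.strptime(lines[0].strip(), CTIME)
        attrs = {}
        for line in lines[1:]:
            key, _, value = line.strip().partition(" = ")
            attrs[key] = value.strip().strip('"')
        records.append((ts, attrs))
    return records


def find_orphan_stops(auth_log, detail_text, slack=timedelta(seconds=60)):
    """Stop records with no Login OK for the same user, NAS and port in the session."""
    auths = parse_auth_log(auth_log)
    findings = []
    for stop_ts, rec in parse_detail(detail_text):
        if rec.get("Acct-Status-Type") != "Stop":
            continue
        # The session began Acct-Session-Time seconds before the Stop arrived;
        # allow some slack for the NAS clock and the authentication round trip.
        start = stop_ts - timedelta(seconds=int(rec.get("Acct-Session-Time", "0")))
        related = [a for a in auths
                   if a["user"] == rec.get("User-Name")
                   and a["client"] == rec.get("NAS-IP-Address")
                   and a["port"] == rec.get("NAS-Port")
                   and start - slack <= a["ts"] <= stop_ts]
        if any(a["result"] == "Login OK" for a in related):
            continue
        seen = sorted({f'{a["result"]} ({a["reason"]})' if a["reason"] else a["result"]
                       for a in related})
        findings.append({
            "user": rec.get("User-Name"),
            "nas": rec.get("NAS-IP-Address"),
            "port": rec.get("NAS-Port"),
            "acct_session_id": rec.get("Acct-Session-Id"),
            "auth_results": seen or ["no authentication attempt logged"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_orphan_stops(AUTH_LOG, ACCT_DETAIL):
        print(finding)
```

On the sample data only the assasaas session is reported, together with the rejection reason that preceded it; a session with no Auth: line at all in the window is reported as well, which is the case worth raising with the NAS vendor.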
