enabling syslog service in freeradius-1.1.1
Hi All,

How to send the freeradius server logs to a remote syslog server? Is it a compile time option, or do we need to specify in the config script to build with the syslog option, or is starting the server with radiusd -l syslog enough? How do I go ahead? Please reply if you have any idea.

Thanks,
Sumi

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Regarding on Auth-Type 'digest' in authenticate section
On 5/10/06, raviprakash sunkara [EMAIL PROTECTED] wrote:
> Hello Everybody,
> I'm working on Openser currently. Now I integrated FreeRadius in openser. I installed freeradius and radiusclient-ng into the box.
>
> In client.conf file
> - - - - - - - - - - - - - - - - -
> client 192.168.2.55 {
>         secret = radiustest
>         shortname = hyperion.
>         nastype =other.
> }
>
> users file
> - - - - - - - - - - - - - - - - -
> test    Auth-Type :=Accept, Service-Type == SIP-Caller-AVPs
>
> test    NAS-IP-Address == 192.168.2.55 , Auth-Type := Digest, Password == test,
>         Reply-Message == Hello 777 user id testing the radius server in openser. bbye
> * * * * ** * * * * * * * * * * * * * * * *

Try this in the users file :

test    User-Password := test
        Reply-Message == Hello 777 user id testing the radius server in openser. bbye

Auth-Type is not necessary, but set it to digest instead of Digest if you really want it.

Philippe
Re: Active directory and MS-CHAP Authentication.
Antonio Matera wrote:
> Hallo,
> thanks for your answer. Now I post all my configuration and log; in this way I suppose that it is much easier to understand my problem.
>
> my eap.conf file is:

Your eap.conf is irrelevant because...

> authorize {
>         preprocess
>         mschap
>         suffix
>         #eap
>         files
> }

...you've disabled eap by commenting it out. Why do people insist on breaking the server? Start with the default config and make small changes to work towards what you need. Making massive changes without understanding the consequences just breaks it.

> authenticate {
>         Auth-Type CHAP {
>                 chap
>         }
>         Auth-Type MS-CHAP {
>                 mschap
>         }
>         Auth-Type LDAP {
>                 ldap
>         }
>         #eap
> }
>
> I don't know if I have to insert eap in the authorize and authenticate modules. Without it I have this log:

Of course you do. How else would EAP work?

> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.20.4:1645, id=93, length=180
>         User-Name = create-net\\antonio
>         Framed-MTU = 1400
>         Called-Station-Id = 0012.dacb.8420
>         Calling-Station-Id = 000c.f135.f1ba
>         Cisco-AVPair = ssid=cn-test
>         Service-Type = Login-User
>         Message-Authenticator = 0x2f697be434714d8586f8cc481b01874f
>         EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f

...and since this is an EAP request, you need eap to work. This really isn't that hard...
clients.conf file in MYSQL DB? [Virus checked]
Hi,

I just set up freeradius1.1.1 with MySQL and started some basic tests - the first question I ran into was:

Can I (I assume I can) force freeradius not to use the clients.conf file for checking for known clients, but put this information into MySQL? (I assume this would be in the nas table of the radius-db)

I think it should be done in the radiusd.conf file in the Clients configuration section, that currently looks like this:

        # CLIENTS CONFIGURATION
        #
        #  Client configuration is defined in clients.conf.
        #
        #  The 'clients.conf' file contains all of the information from the old
        #  'clients' and 'naslist' configuration files.  We recommend that you
        #  do NOT use 'client's or 'naslist', although they are still
        #  supported.
        #
        #  Anything listed in 'clients.conf' will take precedence over the
        #  information from the old-style configuration files.
        #
        $INCLUDE  ${confdir}/clients.conf

what should I state here?

thank you
thomas
Regarding on Auth-Type 'digest' in authenticate section
Hello Everybody,

I'm working on Openser currently. Now I integrated FreeRadius in openser. I installed freeradius and radiusclient-ng into the box.

In client.conf file
- - - - - - - - - - - - - - - - -
client 192.168.2.55 {
        secret = radiustest
        shortname = hyperion.
        nastype =other.
}

users file
- - - - - - - - - - - - - - - - -
test    Auth-Type :=Accept, Service-Type == SIP-Caller-AVPs

test    NAS-IP-Address == 192.168.2.55 , Auth-Type := Digest, Password == test,
        Reply-Message == Hello 777 user id testing the radius server in openser. bbye
* * * * ** * * * * * * * * * * * * * * * *

proxy.conf file
realm 192.168.2.55 {
        type = radius
        authhost = 192.168.2.55
        accthost = 192.168.2.55
        secret = radiustest
}

After this I tested the radius by using radiusd -X

        radiusd.conf[1840] unknown Auth-Type Digest in authenticate section.

radtest test test 192.168.2.55 1812 radiustest

        Sending Access-Request of id 192 to 192.168.2.55 port 1812
                User-Name = test
                User-Password = test
                NAS-IP-Address = 255.255.255.255
        Re-sending Access-Request of id 192 to 192.168.2.55 port 1812
                User-Name = test
                User-Password = test
                NAS-IP-Address = 255.255.255.255
        Re-sending Access-Request of id 192 to 192.168.2.55 port 1812
                User-Name = test
                User-Password = test
                NAS-IP-Address = 255.255.255.255

Please help me in this regard.. It's very very urgent

--
Thanks and Regards
Sunkara Ravi Prakash (Voip Developer)
Hyperion Technology
www.hyperion-tech.com
Re: Active directory and MS-CHAP Authentication.
Antonio Matera wrote:
>> Your eap.conf is irrelevant because...
>>
>> authorize {
>>         preprocess
>>         mschap
>>         suffix
>>         #eap
>>         files
>> }
>>
>> ...you've disabled eap by commenting it out. Why do people insist on breaking the server? Start with the default config and make small changes to work towards what you need. Making massive changes without understanding the consequences just breaks it.
>
> In the second part of my last mail I have inserted the log with eap config. The changes in my server are for the EAP-TLS authentication. I need two different authentications for my purpose.

I don't understand you here.

>>> I don't know if I have to insert eap in the authorize and authenticate modules. Without it I have this log:
>>
>> Of course you do. How else would EAP work?
>
> I re-write my log with eap conf.
>
> radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --domain=create-net --username=antonio --challenge=bede046aa1e50281 --nt-response=d483da3fd5896df961259f08a02a57a8e6d1e5de14c5ac81'
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=create-net --username=antonio --challenge=bede046aa1e50281 --nt-response=d483da3fd5896df961259f08a02a57a8e6d1e5de14c5ac81
> Exec-Program output: Logon failure (0xc06d)
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)

It's hard to be sure since it looks like you've pasted together 3 or 4 runs of the server into one debug log, but the above message is very clear. Logon failure.

The radius server is working fine. For some reason ntlm_auth is failing your password. This could be because you've typed it wrong, or a samba or AD/NT misconfiguration.

Try removing the --domain argument from the ntlm_auth helper. If create-net is your default domain it should not be needed and I've seen issues with it before.

Does ntlm_auth --username=antonio --password=yourpass work?
cisco vpn radius
hi

i would like to configure my cisco 2620 router as a VPN concentrator with a 12.3 IOS, and i use a radius server (freeradius) to authenticate the users of the VPN, but when the radius gives the ip config to the router, the router doesn't relay this information to the VPN client and assigns an ip from its pool.

i don't know how i must configure the router in order that it uses the radius ip config to configure the VPN client... if i delete the pool from the router then i cannot connect to the VPN router, and i didn't find any configuration to tell the router to use the ip config from the radius...

i hope i'm clear !!

Pierre LEONARD
Student - Network Telecoms
Re: FreeRadius + MySQL Encrypted passwords
Thanks Bogdan,

I've tried with mysql and the crypt passwords and it works fine. Now I'm still wondering if there is any way with PAP to enable crypted passwords with MD5 or SHA1. I don't know if I understood ok, tell me if I'm wrong. I think that at the moment it's impossible to enable MD5 or SHA1 for encrypted passwords, but that they are working on it, so perhaps in future versions this will be possible.

Thanks,
Miguel Angel
Re: Active directory and MS-CHAP Authentication.
Hallo,
ok now it works, there was a problem with the nt domain.

one question: is it possible to configure at the same time a MS-CHAP module like this with nt-domain and another with LDAP? I have tried it but if I activate the MS-CHAP module the LDAP authentication doesn't work; without MS-CHAP, LDAP works. Any idea?

Thanks a lot for your time
Bye
Antonio
Re: cisco vpn radius
Pierre LEONARD wrote:
> [...]

i forgot to attach my config

*radiusd.conf*

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
        passwd user2ip {
                filename = /etc/freeradius/user2ip
                format = *User-Name:=Framed-IP-Address
                hashsize = 100
        }
}
authorize {
        preprocess
        files
        user2ip
}
authenticate {
}
preacct {
        preprocess
        files
}
accounting {
        detail
}
session {
}
post-auth {
}
pre-proxy {
}
post-proxy {
}

*clients.conf*

client 127.0.0.1 {
        secret = testing123
        shortname = localhost
        nastype = other
}
client @ip routeur VPN {
        secret = clé partagé radius/routeur
        shortname = router
        nastype = cisco
}

*users*

DEFAULT
        Tunnel-Type = VLAN,
        Fall-Through = 1

DEFAULT Nas-Port == 2, Nas-IP-Address == @ip routeur VPN
        Idle-Timeout = 300,
        Fall-through = 1

pierre  User-Password == pierrot
        Tunnel-Private-Group-Id = 12,

toto    User-Password == titi
        Tunnel-Private-Group-Id = 13,

*user2ip*

pierre:192.168.6.6
toto:192.168.10.10

*router*

Current configuration : 2759 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn2600
!
boot-start-marker
boot system tftp c2600-ik9o3s3-mz.123-18.bin private
boot system tftp c2600-ik9o3s3-mz.123-18.bin2 private
boot system tftp c2600-ik9o3s3-mz.123-18.bin3 private
boot-end-marker
!
enable secret 5 $1$j8hq$EhL3/t7cL.uNf5spPQ7mX0
!
aaa new-model
!
!
aaa group server radius group-radius
 server private auth-port 1812 acct-port 1813
!
aaa authentication login leo local
aaa authentication login authentication-radius group group-radius
aaa authorization network groupleo local
aaa authorization configuration authorization-radius group group-radius
aaa session-id common
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip audit po max-events 100
!
!
username pierre password 7 111915000E
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
!
crypto isakmp client configuration group test-cisco-vpn
 key key-vpn
 domain u-bordeaux.fr
 pool pool-cisco-vpn
!
!
crypto ipsec transform-set set-cisco-vpn esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap-cisco-vpn 10
 set transform-set set-cisco-vpn
!
!
crypto map clientmap-cisco-vpn client
Accounting - FramedIPAddress - DHCP/IPPOOL
Hello,

I have a freeradius server, I use an eap/ttls authentication with 802.1x and ldap. I want to save the username, the ip address, the MAC address, the start time and the stop time of the connection with the accounting function (with mysql).

I have a problem with the ip address ... because it's dhcpd who gives an ip address to the client, so freeradius can't have this information.

I have tried ippool in freeradius (freeradius wants to give an ip address but the client doesn't receive it). Also I have read that it's impossible to use ippool with eap and when there are access points and/or switches between client and server ... is it true?

I have also tried other solutions (with syslog-ng which gets the ip address from the log and inserts it in the acct table ..., a script with omshell which permits freeradius to indicate to dhcpd what ip address to give to this client ...) BUT I think these solutions are very unstable ...

What do you think about this ? Have you another solution ?

Sorry my english is rusty ... and thanks for your answers

Regards,
Psymad
Re: Active directory and MS-CHAP Authentication.
Antonio Matera wrote:
> Hallo,
> ok now it works, there was a problem with the nt domain.
>
> one question: is it possible to configure at the same time a MS-CHAP module like this with nt-domain and another with LDAP?

I'm not sure I understand what you mean. Could you be more specific?

> I have tried it but if I activate the MS-CHAP module the LDAP authentication doesn't work; without MS-CHAP, LDAP works. Any idea?
>
> Thanks a lot for your time
> Bye
> Antonio
Re: Active directory and MS-CHAP Authentication.
> I'm not sure I understand what you mean. Could you be more specific?

Now I have the MS-CHAP module configured and it works with the nt users authentication. I have a LDAP server where I have other users. I have configured the LDAP module on freeradius and it works. The problem is that if I activate both modules, the LDAP authentication doesn't work, but if I remove MS-CHAP auth, LDAP works fine. I suppose that there is a problem with the check of the correct user in the correct module.

Thanks, bye
Antonio
Re: Automatic redirection
Stefan Winter [EMAIL PROTECTED] writes:
> Is there a way to redirect an authenticated user to a specific web address depending on their login information?

Captive Portal or faking DNS responses

Bjørn
Re: Accounting - FramedIPAddress - DHCP/IPPOOL
mad wrote:
> [...]

i've a similar problem...but i can't manage to assign a fixed ip to a vpn client.

my radius server (freeradius) sends the ip config like ip address, netmask, vlan and the router receives this info but doesn't use it. i don't know how to configure it in order to say that it must relay the config from the radius.

in my router config i cannot specify the authorization like

        aaa authorization network authorization-radius group group-radius

and i must replace network by configuration, because with network the router sends the name of the client isakmp group as user name and cisco as password, but i haven't specified this password. i don't understand where it found this pass...

i know that i don't answer your request but if you could show me your configuration maybe i will understand my error !

thanks

ps: are you french ?

Pierre LEONARD
Student - Network Telecoms
RE: clients.conf file in MYSQL DB? [Virus checked]
There is a nas table you can use. It's the last table db_mysql.sql creates; then you have to enable it in sql.conf

        # Set to 'yes' to read radius clients from the database ('nas' table)
        #readclients = yes

I haven't tried it but it should work.

Bogdan.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ius.org] On Behalf Of [EMAIL PROTECTED]
Sent: May 10, 2006 5:57 AM
To: FreeRadius users mailing list
Subject: clients.conf file in MYSQL DB? [Virus checked]

> [...]
Solaris 8/SPARC - MySQL 5.0 NDB Cluster - Freeradius 1.1.1 with rlm_sqlippool module: 'radiusd' segmentation fault
Hi,

The purpose of this mail is to give you an insight on some stuff I've been trying at work (playing, some could argue) that I'd like to share in case it could be useful to any of you out there. I won't describe all the issues I've had during the compilation, configuration and functional/performance testing nor ask you for help, but rather just describe what I've done and document one of the last problems I had which kept me awake a few nights (segmentation fault).

I have for the past 4 weeks been trying to evaluate if FreeRadius can be used as an AAA in a UMTS network with a large amount of subscribers for the GPRS Data services. By "if it can be used" I mean essentially if it can handle:

(1) Functionality: basic Authentication/Authorization/Accounting, IP Address allocation and some GPRS attribute to IP Address mapping storage.
(2) High Availability (no single point of failure HW/SW)
(3) Distributed Architecture (performance target of 250 requests/second peak hour at a reasonable HW/SW cost)

For the purpose of this test I have decided to use (32 bit due to problems getting it to compile with 64 bit on SPARC with the distributed binaries from MySQL):

(a) Solaris 8 on SPARC (selected due to the fact that these machines were pretty much idle at my company; similar tests were run on x86 PCs based on Fedora Linux Core 4).
(b) MySQL 5.0.21 (MAX version) 32 bit SPARC binary distribution.
(c) Freeradius 1.1.1 (originally with 1.1.0, but due to bugs on the Dictionary and thanks to a recommendation (mail archives) from Alan DeKok I upgraded).
(d) For IP allocation I'm using the rlm_sqlippool module (hard to tell its version because it's not version controlled as far as I could see; I got it from a Russian website) as per Alan DeKok's recommendation (mail archives). It will require some customization as I'm looking into being able to define IP pools as being comprised of several (not just one) start/end IP ranges.
The test bed is basically two physical nodes each running the same software, i.e. radiusd, mysqld and ndbd (MySQL clustered storage engine process). The NAS (in UMTS these are called GGSN) will load-balance the requests (directly or through an IP Load Balancer or even a freeradius proxy; haven't decided yet which). This configuration allows vertical (bigger machines) and horizontal (more machines) scalability by adding more CPUs or extra nodes to the cluster respectively for improved performance. I have tested the vertical scalability and it's linear with the CPU utilization. The horizontal will be tested in the coming days (hard to get hold of the required HW for the tests). I will publish some results (more quantitative than this email) then.

Last but not least (and in connection to the subject of this email), one bug I found on the rlm_sqlippool that I have (as I mentioned, hard to tell its version) is that during load testing and given the right circumstances (multiple NAS, Solaris architecture, MySQL Cluster storage engine only and high CPU utilization) I was getting a core dump of the 'radiusd' process. The problem was during the post-authorization phase of the sqlippool module on the 'allocate-find' SQL statement result retrieval, due to the fact that the expected result row (just one expected, with just one field containing the IP address to allocate) had invalid memory references (a row is modelled as an array of references to result columns, and the only reference was invalid, therefore causing a segmentation fault). Looking at the code and debugging it for a while I noticed that the memory holding the result set was being released before it was being used (though previously a reference to the first and only row had been kept), hence causing unpredictable results.
Anyhow, the code change to fix this was simply to move the 'sql_finish_select_query' function call (which indirectly calls the MySQL function 'mysql_free_result' to release memory allocated to the result set) a few lines down the 'sqlippool_query1' function, which is the one retrieving the IP Address to be allocated in the 'rlm_sqlippool.c' file. See below for details:

        /*
         * Query the database expecting a single result row
         */
        static int sqlippool_query1(char * out, int outlen, const char * fmt, SQLSOCK * sqlsocket, void * instance, REQUEST * request, char * param, int param_len)
        {
                rlm_sqlippool_t * data = (rlm_sqlippool_t *) instance;
                char expansion[MAX_STRING_LEN * 4];
                char query[MAX_STRING_LEN * 4];
                SQL_ROW row;
                int r;

                sqlippool_expand(expansion, sizeof(expansion), fmt, instance, param, param_len);

                /*
                 * Do an xlat on the provided string
                 */
                if (request) {
RE: FreeRadius + MySQL Encrypted passwords
Hello Miguel,

To be honest I'm not sure! The last reply from Alan says that this functionality is in the CVS head and not in 1.1.x. I'm not sure exactly what that means. But I guess you are right, at the moment it is impossible to use MD5 or SHA1.

I guess the best practice would be to have the Radius behind a really good firewall to make sure nobody will be able to get the users db.

Bogdan.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Miguel Angel Quiles
Sent: May 10, 2006 3:07 AM
To: FreeRadius users mailing list
Subject: Re: FreeRadius + MySQL Encrypted passwords

> [...]
RE: RE: clients.conf file in MYSQL DB? [Virus checked]
Hi Bogdan,

> Then you have to enable it in sql.conf
>
>         # Set to 'yes' to read radius clients from the database ('nas' table)
>         #readclients = yes

thanks for that; the lines you provided weren't in my sql.conf file, but I added them

> I haven't tried it but it should work.

I am pleased to tell you that in fact it works :-)

thanks again
thomas
Re: Accounting - FramedIPAddress - DHCP/IPPOOL
mad wrote:
> Hello,
>
> I have a freeradius server, I use an eap/ttls authentication with 802.1x and ldap. I want to save the username, the ip address, the MAC address, the start time and the stop time of the connection with the accounting function (with mysql).
>
> I have a problem with the ip address ... because it's dhcpd who gives an ip address to the client, so freeradius can't have this information.

Correct

> I have tried ippool in freeradius (freeradius wants to give an ip address but the client doesn't receive it). Also I have read that it's impossible to use ippool with eap and when there are access points and/or switches between client and server ... is it true?

I'm afraid so. EAP happens before IPs are assigned, and doesn't interact with DHCP.

> I have also tried other solutions (with syslog-ng which gets the ip address from the log and inserts it in the acct table ..., a script with omshell which permits freeradius to indicate to dhcpd what ip address to give to this client ...) BUT I think these solutions are very unstable ...

The omshell one is a clever idea. But you're right, it's not very stable.

I think for the moment processing the DHCP logs or lease database and adding it to the radius accounting table will be needed.

The other way would be to get a list of IP-mac (either by processing the logs or snmpwalk ipnettomedia of the router) and dump them to a file, then use the hints and an exec module to insert the IP into the accounting requests. Obviously the accounting-start will happen before you have that info, but the interim and accounting-stop should be ok.

So, something like this in hints:

        DEFAULT
                Framed-IP-Address = `{exec:lookup_ip}`

and in radiusd.conf:

        modules {
                exec lookup_ip {
                        wait = yes
                        program = /usr/local/bin/lookup_ip
                        input_pairs = request
                }
        }

If you have access to the DHCP server's leases database (assuming ISC dhcpd) then the following would work as a script (or something like it - this is untested):

        #!/bin/sh

        BUF=`mktemp`
        if [ $? -ne 0 ]
        then
                exit 1
        fi
        trap "rm -f $BUF" EXIT

        # Radius attributes are in environment variables
        # Calling-Station-Id is...
        # (it must use the same colon-separated lower-case form as dhcpd.leases
        # for the string comparison in awk below to match)
        MAC=$CALLING_STATION_ID
        if [ -z "$MAC" ]
        then
                exit 1
        fi

        DHCP_LEASES=/var/lib/dhcp/dhcpd.leases

        # Walk the leases file; collect ip -> mac for active leases of our MAC.
        # Later entries for the same ip overwrite earlier ones, as dhcpd appends.
        awk -v MAC="$MAC" '
        /^#/ { next; }
        /^lease / { our_lease=0; ip=$2; state=""; mac=""; next; }
        /^}/ {
                if (our_lease) {
                        if (state!="active") delete leases[ip];
                        else leases[ip] = mac;
                }
                ip = ""; our_lease = 0; next;
        }
        {
                if (!ip) next;
                if ($1=="binding" && $2=="state") {
                        state = $3; gsub(/;/,"",state);
                } else if ($1=="hardware" && $2=="ethernet") {
                        mac = $3; gsub(/;/,"",mac);
                        if (mac==MAC) { our_lease = 1; }
                }
        }
        END { for (ip in leases) { print ip, leases[ip]; } }' $DHCP_LEASES > $BUF

        NUM_LEASES=`wc -l $BUF | awk '{ print $1 }'`
        if [ $NUM_LEASES -gt 1 ]
        then
                # > 1 lease for this mac, help!
                exit 1
        elif [ $NUM_LEASES -ne 1 ]
        then
                # no leases
                exit 1
        else
                ip=`cut -d ' ' -f 1 $BUF`
                echo $ip
        fi

> What do you think about this ? Have you another solution ?
>
> Sorry my english is rusty ... and thanks for your answers

Your english is better than my - well, anything!

> Regards,
> Psymad

Hope that helps
Re: FreeRadius + MySQL Encrypted passwords
Hi,

> To be honest I'm not sure! The last reply from Alan says that this functionality is in the CVS head and not in 1.1.x. I'm not sure exactly what that means. But I guess you are right, at the moment it is

it means that the feature is in the latest bleeding edge version - you must use CVS to get it - it's not available in the latest .tar archived version.

alan
Re: Accounting - FramedIPAddress - DHCP/IPPOOL
Yes, I'm french ... I hope you understand my english fine

I send my configuration

= radiusd.conf
...
ippool test {
        range-start = xxx.xxx.xxx.250
        range-stop = xxx.xxx.xxx.253
        netmask = 255.255.255.0
        cache-size = 3
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = yes
        maximum-timeout = 0
}
...
post-auth {
        test
}
...

= users
DEFAULT Huntgroup-Name == xxx, Ldap-Group == test-ldap, Autz-Type := Ldap, Pool-Name := test
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = xx
...

= SWITCH
aaa new-model
aaa authentication dot1x default group radius none
aaa authorization network default group radius
aaa authorization configuration default group radius
aaa accounting dot1x default start-stop group radius

I think that is all ... for using ippool ... I hope there are no errors, because I have changed my configuration since I tried to use ippool.

Thanks for your answer

Regards,

2006/5/10, Pierre LEONARD [EMAIL PROTECTED]:
> [...]
Regarding on radiusd.conf file
Hello Everybody,

I'm working on openser; recently I installed freeradius for AAA. I followed the documentation from http://openser.org/docs/openser-radius-1.0.x.html.

While testing the radius server with 'radiusd -X' it shows:

        radiusd.conf[1840] unknown Auth-type Digest in authenticate section

--- what does this mean?

And also, by typing 'radtest 444 444 192.168.2.55 1812 radiustest', it shows the one below:

        Sending Access-Request of id 236 to 192.168.2.55 port 1812
                User-Name = 444
                User-Password = 444
                NAS-IP-Address = 255.255.255.255
        Re-sending Access-Request of id 236 to 192.168.2.55 port 1812
                User-Name = 444
                User-Password = 444
                NAS-IP-Address = 255.255.255.255

What does this one mean? Is it an error? I run this in my box, where openser, freeradius and radiusclient-ng are installed.

Please help me, and the main thing is, if there are any mistakes in my English please excuse me.

--
Thanks and Regards with cheers
Sunkara Ravi Prakash (Voip Developer)
[EMAIL PROTECTED]
Hyperion Technology
www.hyperion-tech.com
Re: Regarding on radiusd.conf file
Make sure you handle the Digest problem first. This error means you are selecting an auth-type of 'digest' for the user's authentication request but you don't have the rlm_digest module configured. Look in doc/rlm_digest in the source tree on how to configure this module, what it does, etc...

Good luck.

Chris Carver
Pennswoods.net Network Engineer

raviprakash sunkara wrote:
> Hello Everybody,
>
> I'm working on openser; recently I installed freeradius for AAA. I followed the documentation from http://openser.org/docs/openser-radius-1.0.x.html.
>
> While testing the radius server with 'radiusd -X' it shows:
>
>         radiusd.conf[1840] unknown Auth-type Digest in authenticate section
>
> --- what does this mean?
>
> And also, by typing 'radtest 444 444 192.168.2.55 1812 radiustest', it shows the one below:
>
>         Sending Access-Request of id 236 to 192.168.2.55 port 1812
>                 User-Name = 444
>                 User-Password = 444
>                 NAS-IP-Address = 255.255.255.255
>         Re-sending Access-Request of id 236 to 192.168.2.55 port 1812
>                 User-Name = 444
>                 User-Password = 444
>                 NAS-IP-Address = 255.255.255.255
>
> What does this one mean? Is it an error? I run this in my box, where openser, freeradius and radiusclient-ng are installed.
>
> Please help me, and the main thing is, if there are any mistakes in my English please excuse me.
>
> --
> Thanks and Regards with cheers
> Sunkara Ravi Prakash (Voip Developer)
> [EMAIL PROTECTED]
> Hyperion Technology
> www.hyperion-tech.com
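For readers hitting the same "unknown Auth-type Digest" error, here is the shape of the configuration that doc/rlm_digest describes, written out as an added example in FreeRADIUS 1.1.x radiusd.conf syntax; it is not taken from Chris's message or from the openser documentation. The section and module names are the standard ones, the users entry at the end is constructed, and the Auth-Type value is spelled DIGEST as in the stock radiusd.conf.

```text
# radiusd.conf (FreeRADIUS 1.1.x): the three pieces needed before the
# server can authenticate SIP Digest requests from a proxy such as openser.

modules {
        # Instantiate rlm_digest. The module has no configuration items.
        digest {
        }
}

authorize {
        preprocess
        # digest must run in authorize: it recognises the Digest-* attributes
        # sent by the SIP proxy and sets Auth-Type := DIGEST on the request,
        # so the users file does not need to set Auth-Type itself.
        digest
        files
}

authenticate {
        # Without this block the server logs
        # "unknown Auth-type Digest in authenticate section".
        Auth-Type DIGEST {
                digest
        }
}

# users: rlm_digest needs the user's cleartext password to verify the
# digest response (constructed entry; the name and password are examples).
#
# test    User-Password := "test"
#         Reply-Message = "Hello 777 user"
```

Start the server with radiusd -X after the change: the debug output shows the digest module being loaded and, on a request, the Auth-Type being set to DIGEST before the authenticate section runs.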
Re: clients.conf file in MYSQL DB? [Virus checked]
[EMAIL PROTECTED] wrote:
> Can I (I assume I can) force freeradius not to use the clients.conf file for checking for known clients, but put this information into MySQL? (I assume this would be in the nas table of the radius-db)

Yes. You have to list at least one client in the clients.conf file, though. 127.0.0.1 should do it.

> I think it should be done in the radiusd.conf file in the Clients configuration section, that currently looks like that:

No. See the SQL configuration.

Alan DeKok.
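Added example of the two files Alan refers to, not taken from his reply: a minimal clients.conf that keeps only localhost, and the rlm_sql settings that make the server load the remaining clients from the nas table at startup. The option names readclients and nas_table are assumptions from the 1.x sql.conf; confirm them in your own copy before relying on them. The secrets and the database login are placeholders.

```text
# clients.conf: at least one client must stay here even when the rest
# come from SQL. localhost is enough (it also lets radtest work locally).
client 127.0.0.1 {
        secret          = CHANGE-ME          # placeholder, not a real secret
        shortname       = localhost
        nastype         = other
}

# sql.conf (rlm_sql): connection details plus the client-loading switch.
sql {
        driver          = "rlm_sql_mysql"
        server          = "localhost"
        login           = "radius"
        password        = "CHANGE-ME"        # placeholder
        radius_db       = "radius"

        # Assumed 1.x option: read RADIUS clients from the nas table.
        # Clients are read ONLY when the server starts, so restart radiusd
        # after inserting or changing a row; nothing is looked up per request.
        readclients     = yes
        nas_table       = "nas"
}

# Each nas row needs at least nasname (the NAS IP address), shortname and
# secret; the stock db_mysql.sql schema also has type, ports, community
# and description columns.
```

With radiusd -X the startup output lists the clients that were loaded, which is the quickest way to confirm the nas rows were picked up.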
Re: Accounting - FramedIPAddress - DHCP/IPPOOL
mad [EMAIL PROTECTED] wrote:
> I have a problem with the ip address ... because it's dhcpd who gives an ip address to the client, so freeradius can't have this information.

Exactly.

> I have tried ippool in freeradius (freeradius wants to give an ip address but the client doesn't receive it). Also I have read that it's impossible to use ippool with eap and when there are access points and/or switches between client and server ... is it true?

It's impossible to use ippool with EAP.

> I have also tried other solutions (with syslog-ng, which gets the ip address in the log and inserts it in the acct table ..., a script with omshell, which permits freeradius to indicate to dhcpd what ip address to give to this client ...) BUT I think these solutions are very unstable ...

A well written DHCP server should be as flexible as FreeRADIUS, and allow you to write the IP to an SQL table. Unfortunately, there is no such DHCP server.

Alan DeKok.
Re: Solaris 8/SPARC - MySQL 5.0 NDB Cluster - Freeradius 1.1.1 withrlm_sqlippool module: 'radiusd' segmentation fault
Robles Rodriguez, Alejandro [EMAIL PROTECTED] wrote:
> I have for the past 4 weeks been trying to evaluate if FreeRadius can be used as an AAA in a UMTS network with a large amount of subscribers for the GPRS Data services.

I believe others are doing this today. FreeRADIUS scales very well. 10 million subscribers shouldn't be a problem in a carefully designed system.

> I'm done for now; more details will come later. Meanwhile I have a question: is the rlm_sqlippool module going to be part of a freeradius release in the near future and if not, what would be the procedure to follow for it to happen?

An updated version of the module is in CVS head. If there's interest, it could be back-ported to 1.1.x.

Alan DeKok.
Privileged Login on CISCO using freeradius and MySQL [Virus checked]
Hi,

I hope someone can help me with that - I don't seem to be able to, after hours of Googling and trying ... :-(

I want to allow an admin to login to a Cisco box, authenticated via radius, and get immediately to privileged level (so he doesn't have to do an enable when he has logged in to the box).

I have put the following into the 'radgroupreply' table of the MySQL database:

mysql> select * from radgroupreply;
+----+-----------+--------------+----+-------------------+
| id | GroupName | Attribute    | op | Value             |
+----+-----------+--------------+----+-------------------+
|  1 | lanmgmt   | cisco-avpair | =  | shell:priv-lvl=15 |
+----+-----------+--------------+----+-------------------+

(For the operator I have already tried ':=')

My 'radreply' table is currently empty. The other tables look like this:

mysql> select * from radcheck;
+----+----------+-----------+----+-------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+-------+
|  1 | pudilt   | Password  | == | 1234  |
+----+----------+-----------+----+-------+
1 row in set (0.00 sec)

mysql> select * from radgroupcheck;
+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | lanmgmt   | Auth-Type | == | Local |
+----+-----------+-----------+----+-------+
1 row in set (0.00 sec)

mysql> select * from usergroup;
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| pudilt   | lanmgmt   |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)

Is the 'cisco-avpair' parameter misplaced, or should I look for the error in the CISCO config (using IOS 12.1)?

thanks a lot
thomas
with_ntdomain_hack
I can't seem to figure out how to get with_ntdomain_hack set correctly. I am trying to get peap going against active directory with winbind. It works if I enter the username and password from the windows supplicant prompt, but when I set the supplicant to send the information automatically it is appending the domain\ onto the username, and I can't get it to work.

Where is the one place (or places) to set with_ntdomain_hack = yes to get the supplicant's auto settings to work?

Thanks!

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309
Re: Accounting - FramedIPAddress - DHCP/IPPOOL
So even though the AP must know the information, we are unable to get it into the radius accounting? We have to script the coordination between the DHCP server?

> Message: 4
> Date: Wed, 10 May 2006 12:52:36 -0400
> From: Alan DeKok [EMAIL PROTECTED]
> Subject: Re: Accounting - FramedIPAddress - DHCP/IPPOOL
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: [EMAIL PROTECTED]
>
> mad [EMAIL PROTECTED] wrote:
> > I have a problem with the ip address ... because it's dhcpd who gives an ip address to the client, so freeradius can't have this information.
>
> Exactly.
>
> > I have tried ippool in freeradius (freeradius wants to give an ip address but the client doesn't receive it). Also I have read that it's impossible to use ippool with eap and when there are access points and/or switches between client and server ... is it true?
>
> It's impossible to use ippool with EAP.
>
> > I have also tried other solutions (with syslog-ng, which gets the ip address in the log and inserts it in the acct table ..., a script with omshell, which permits freeradius to indicate to dhcpd what ip address to give to this client ...) BUT I think these solutions are very unstable ...
>
> A well written DHCP server should be as flexible as FreeRADIUS, and allow you to write the IP to an SQL table. Unfortunately, there is no such DHCP server.
>
> Alan DeKok.

--
Walter Reynolds
University of Michigan
Wildcards in Username and Passwd
Hello

I have a customer who would like to have 100% MAC address lock down on their network. To do that we are able to have the Ethernet switches send the device MAC address as the username and password to the Radius server.

The question I have is: on the radius server, is it possible to set a wildcard so that any device showing 00-E0-BB as the MAC address prefix will automatically be accepted, and then I can throw the usual variables back at the port? If this is possible then I can avoid having to enter 300 devices into the Radius table.

Thanks in Advance
Jason Montgomery
RE: with_ntdomain_hack
-----Original Message-----
> I can't seem to figure out how to get with_ntdomain_hack set correctly. I am trying to get peap going against active directory with winbind. It works if I enter the username and password from the windows supplicant prompt, but when I set the supplicant to send the information automatically it is appending the domain\ onto the username, and I can't get it to work.

I don't think it's the ntdomain hack that is the problem (it should be on, and I'm only aware of it being located in the radiusd.conf file, just above the ntlm_auth line).

I'd double check that your Samba config is correct.
RE: with_ntdomain_hack
You are right, it was that I was lowercasing the username before authentication... After I turned that off, I am getting further; it still doesn't work and I believe it is because of a problem with Stripped-User-Name and ntlm_auth.

ntlm_auth is getting called with the entire username DOMAIN\user and not user. I don't understand why, as in the config file it says:

        --username=%{Stripped-User-Name:-%{User-Name:-None}}

I didn't edit that part of the ntlm_auth line, just corrected the path.

I know this is a problem because when I use ntlm_auth from the command line I can't use --username=DOMAIN\user, I have to use --username=user.

I hacked up the line to just say %{Stripped-User-Name} but that value must be null or something, because then ntlm_auth gets called with --username=

Any thoughts as to why I can't get the DOMAIN\ stripped when calling ntlm_auth?

Thanks!

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of King, Michael
Sent: Wednesday, May 10, 2006 3:39 PM
To: FreeRadius users mailing list
Subject: RE: with_ntdomain_hack

> I don't think it's the ntdomain hack that is the problem (it should be on, and I'm only aware of it being located in the radiusd.conf file, just above the ntlm_auth line).
>
> I'd double check that your Samba config is correct.
Freeradius radclient problem and sql dialupadmin question
I have installed FreeRadius (latest version) on my system and all goes well until it gets to the rlm_* files. I have tried specifying the mysql directory at /usr/lib/mysql and it seemed to fix a few of those errors in the make process, but then it just errors out. So I blew away that installation because I am really trying to get this working with mysql.

This attempt I'm really trying to get working because I think the linker sets up the libs more correctly. Using Suse 10.0, doing a source rpm install and letting it do all the magic. It installs everything to the /etc/raddb directory and other default directories, but now I am running into this issue.

After the install is done I run radiusd -x for a test and everything is working and listening for requests. As soon as I add a user to the users.txt file and run radtest is where I get my errors. After running

        radtest steve testing localhost 1812 testing123

I get the following:

        radclient: dict_init: Couldn't open dictionary /usr/local/etc/raddb/dictionary: No such file or directory.

I can however use the radclient -d command to make it switch directories. I have no idea why it is wanting to push to that directory. The installation put the dictionary in the following: /etc/raddb/dictionary and /usr/share/freeradius/dictionary. Is there a way to make it default to /usr/share/freeradius/dictionary? After running with

        radtest -d /usr/share/freeradius/dictionary steve testing localhost 1812 testing123

I get the accept message request from my test user. Furthermore, looking at the file /etc/raddb/dictionary I see

        $Include /usr/share/freeradius/dictionary

and /usr/share/freeradius/dictionary has all the include statements for the rest of the dictionary files. Where am I missing the configuration to change the default setting for where radclient is wanting to look? Why the Yast install configured it to look there I have no clue, but it seems like an easy fix.

SQL Dialup Admin Questions
---

1.) In all the guides I have found you modify the sql.conf and radiusd.conf files to get it working. In my /etc/raddb directory however I have a mysql.conf file; do I need to use this file instead?

2.) (not really a question) Beforehand I was getting all the rlm_*** errors, but now using Yast I believe the linker is having everything work. What I have changed is the following. In radiusd.conf, under authorize and accounting, I uncommented the sql parts and commented out the files part. And in sql.conf I changed my settings to localhost and my login information. Now when I run radiusd -x it gets ready to accept requests like everything is working, with no errors, and all my databases have connected.

3.) Dialup Admin problems I am experiencing. I know this isn't the dialup admin forums/mailing list but I figured I would find the most help here. Find Users still seems to do nothing even when I create users through Dialup Admin. And when I go to edit users I get the following:

        Warning: main(password.php3) [function.main]: failed to open stream: No such file or directory in /srv/www/dialup_admin/lib/sql/password_check.php3 on line 2
        Fatal error: main() [function.require]: Failed opening required 'password.php3' (include_path='/usr/share/php') in /srv/www/dialup_admin/lib/sql/password_check.php3 on line 2

I'm no php expert but I really couldn't find what would be wrong here. I have no password on dialupadmin currently.

4.) How exactly do I test if Dialup Admin is working correctly? Also, is there any documentation someone could point me to with what all the values and fields mean? It seems a bit different than working with the text files. I didn't see a place for secret. So if someone could point me to a guide/documentation explaining this I would appreciate it.

Thank you for your time reading this.
Eric
RE: with_ntdomain_hack
Try this ntlm_auth string (watch for page breaks in email):

        ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Liles
Sent: Wednesday, May 10, 2006 3:51 PM
To: FreeRadius users mailing list
Subject: RE: with_ntdomain_hack

> You are right, it was that I was lowercasing the username before authentication... After I turned that off, I am getting further; it still doesn't work and I believe it is because of a problem with Stripped-User-Name and ntlm_auth.
>
> ntlm_auth is getting called with the entire username DOMAIN\user and not user. I don't understand why, as in the config file it says:
>
>         --username=%{Stripped-User-Name:-%{User-Name:-None}}
>
> I didn't edit that part of the ntlm_auth line, just corrected the path.
>
> I know this is a problem because when I use ntlm_auth from the command line I can't use --username=DOMAIN\user, I have to use --username=user.
>
> I hacked up the line to just say %{Stripped-User-Name} but that value must be null or something, because then ntlm_auth gets called with --username=
>
> Any thoughts as to why I can't get the DOMAIN\ stripped when calling ntlm_auth?
>
> Thanks!
>
> --
> Chris Liles
> System Analyst
> Air2Web, Inc.
> 1230 Peachtree St. N.E.
> 12th Floor
> Atlanta, GA 30309
Re: Solaris 8/SPARC - MySQL 5.0 NDB Cluster - Freeradius 1.1.1 with rlm_sqlippool module: 'radiusd' segmentation fault
Alan DeKok [EMAIL PROTECTED] wrote:
> > I have for the past 4 weeks been trying to evaluate if FreeRadius can be used as an AAA in a UMTS network with a large amount of subscribers for the GPRS Data services.
>
> I believe others are doing this today. FreeRADIUS scales very well. 10 million subscribers shouldn't be a problem in a carefully designed system.

Well, I'm wondering if this is in a clustered configuration, i.e. multiple nodes handling the load and cooperating (sharing data such as IP pools). If this is the case I'd be interested to know a few accounts to find out more about their architecture (behind freeradius, such as database servers, etc). Any clues? I'd really like to create some sort of standard architecture for freeradius that can scale and is reliable, and have it in a real environment for a while, so that others can have confidence when making this same decision that I'm about to make.

> > I'm done for now; more details will come later. Meanwhile I have a question: is the rlm_sqlippool module going to be part of a freeradius release in the near future and if not, what would be the procedure to follow for it to happen?
>
> An updated version of the module is in CVS head. If there's interest, it could be back-ported to 1.1.x.

I have compared my version with that of the CVS root and, apart from some small differences that I'll investigate further, I noticed that it has the same bug that I found. The problem is that I don't know how to report it. Can you help? Also I think it'd be a good idea to back-port it to 1.1.x. Who decides this and how do I express my interest?

Thank you!

Cheers,
Alejandro Robles.
RE: with_ntdomain_hack
I changed the username portion to what you suggested and it works :)

Thanks!

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of King, Michael
Sent: Wednesday, May 10, 2006 4:12 PM
To: FreeRadius users mailing list
Subject: RE: with_ntdomain_hack

> Try this ntlm_auth string (watch for page breaks in email):
>
>         ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}
Re: Freeradius radclient problem and sql dialupadmin question
Eric Hilden [EMAIL PROTECTED] wrote:
> After running radtest steve testing localhost 1812 testing123 I get the following.
>
>         radclient: dict_init: Couldn't open dictionary /usr/local/etc/raddb/dictionary: No such file or directory.

Odds are that you have a partial install, or multiple installations.

> After running with radtest -d /usr/share/freeradius/dictionary steve testing localhost 1812 testing123 I get the accept message request from my test user.

The etc directory SHOULD have a dictionary in it that includes /usr/share/freeradius/dictionary. The purpose is to have site-local attributes.

> Furthermore, looking at the file /etc/raddb/dictionary I see $Include /usr/share/freeradius/dictionary

Then you are using radclient from one install, and the dictionaries from another installation of the server.

> Where am I missing the configuration to change the default setting for where radclient is wanting to look?

Nothing. The default installation WORKS. It's only when you do multiple installations, and then partially remove one, that there are problems.

Alan DeKok.
Re: Wildcards in Username and Passwd
Jason Montgomery wrote:
> Hello
>
> I have a customer who would like to have 100% MAC address lock down on their network. To do that we are able to have the Ethernet switches send the device MAC address as the username and password to the Radius server.
>
> The question I have is: on the radius server, is it possible to set a wildcard so that any device showing “00-E0-BB” as the MAC address prefix will automatically be accepted, and then I can throw the usual variables back at the port? If this is possible then I can avoid having to enter 300 devices into the Radius table.

This may give you some ideas:
http://wiki.freeradius.org/index.php/Adding%2C_Removing%2C_Modifying_Attributes_for_further_processing

But, I should warn you, that anyone wanting to break into your customers' network can sneeze and have a machine fake a MAC address. Hell, some Cisco equipment even has a builtin command to do it (handy for replacing/upgrading routers without messing up local ARP tables). Hopefully there is some other form of authentication.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: Accounting - FramedIPAddress - DHCP/IPPOOL
Walter Reynolds [EMAIL PROTECTED] wrote:
> So even though the AP must know the information, we are unable to get it into the radius accounting?

Yes. Although the AP does not necessarily know the information. If it's running a DHCP server, it knows. Otherwise, it would have to sniff DHCP traffic, and compare MACs from EAP to those in DHCP.

Most AP vendors haven't written the code to do DHCP sniffing, so... no IP's in RADIUS accounting packets.

> We have to script the coordination between the DHCP server?

Yes.

Alan DeKok.
RE: Wildcards in Username and Passwd
You are correct about being able to sneeze and break into the network. But luckily all machines with that prefix will be placed into an Ethernet-only VLAN. The devices with that prefix belong to an Ethernet based phone system (www.3com.com/nbx), so anyone who breaks into that VLAN will only be able to see the broadcast Ethernet packets the phones are sending out occasionally. As an extra layer of security the phone system itself will only communicate with phones that have already been configured in its internal MAC table list.

Thanks for the help
Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dennis Skinner
Sent: Wednesday, May 10, 2006 3:54 PM
To: FreeRadius users mailing list
Subject: Re: Wildcards in Username and Passwd

> This may give you some ideas:
> http://wiki.freeradius.org/index.php/Adding%2C_Removing%2C_Modifying_Attributes_for_further_processing
>
> But, I should warn you, that anyone wanting to break into your customers' network can sneeze and have a machine fake a MAC address. Hell, some Cisco equipment even has a builtin command to do it (handy for replacing/upgrading routers without messing up local ARP tables). Hopefully there is some other form of authentication.
>
> --
> Dennis Skinner
> Systems Administrator
> BlueFrog Internet
> http://www.bluefrog.com
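An added example, not from Jason's or Dennis's messages, of the rlm_files users entry that the wiki page above points towards (FreeRADIUS 1.x users file syntax): it matches the 00-E0-BB prefix with a regular expression and returns the VLAN attributes the thread talks about, scoped to a huntgroup so the rule only applies on the phone switches and a spoofed MAC seen on any other NAS falls through to the normal entries. The huntgroup name, the switch address and the VLAN id are placeholders, and the exact User-Name format the switches send is an assumption to be checked against a radiusd -X trace.

```text
# huntgroups (read by the preprocess module): the access switches that
# carry the phones. Placeholder address; list each switch on its own line.
phone-switches  NAS-IP-Address == 192.0.2.10

# users (rlm_files): accept any supplicant whose User-Name starts with the
# 00-E0-BB OUI and put it in the phone-only VLAN. The switch sends the MAC
# as both username and password; Auth-Type := Accept skips the password
# check, which is what "automatically accepted" means here. The regex
# tolerates the "00-e0-bb", "00:e0:bb" and "00e0bb" spellings (assumption:
# confirm the real format in the radiusd -X output).
#
# Only requests from the phone-switches huntgroup match; anything else,
# including the same MAC on another switch, continues to the entries below.
DEFAULT Huntgroup-Name == "phone-switches", User-Name =~ "^00[-:]?[Ee]0[-:]?[Bb][Bb]", Auth-Type := Accept
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "NNN"

# Normal per-user / per-group entries follow here and are unaffected.
```

The entry deliberately returns only the voice VLAN, so the accept buys a forged address nothing more than the broadcast traffic Jason describes; the huntgroup test is the part that stops the wildcard from leaking onto switches where those phones are never connected.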
Re: Freeradius radclient problem and sql dialupadmin question
Is there a proper way to reinstall something you installed?

Alan DeKok wrote:
> Eric Hilden [EMAIL PROTECTED] wrote:
> > After running radtest steve testing localhost 1812 testing123 I get the following.
> >
> >         radclient: dict_init: Couldn't open dictionary /usr/local/etc/raddb/dictionary: No such file or directory.
>
> Odds are that you have a partial install, or multiple installations.
>
> > After running with radtest -d /usr/share/freeradius/dictionary steve testing localhost 1812 testing123 I get the accept message request from my test user.
>
> The etc directory SHOULD have a dictionary in it that includes /usr/share/freeradius/dictionary. The purpose is to have site-local attributes.
>
> > Furthermore, looking at the file /etc/raddb/dictionary I see $Include /usr/share/freeradius/dictionary
>
> Then you are using radclient from one install, and the dictionaries from another installation of the server.
>
> > Where am I missing the configuration to change the default setting for where radclient is wanting to look?
>
> Nothing. The default installation WORKS. It's only when you do multiple installations, and then partially remove one, that there are problems.
>
> Alan DeKok.
Ignoring request from unknown home server
Hi everyone,

I am running freeradius version 1.0.4 on Fedora Core 4. I am trying to authenticate my VPN users on my Cisco VPN concentrator to my ldap server. I am trying to use my radius server to proxy the authentication requests to the ldap server. After setting the radius server up and trying to authenticate a user, the radius server is giving me the following error:

        rad_recv: Access-Request packet from host 172.16.1.2:1042, id=10, length=71
        Ignoring request from unknown home server 172.16.1.2:1042

I am fairly new to freeradius. What do I need to do to make this work? Any info is greatly appreciated.

-Thanks
Jarrid Keller
Re: Ignoring request from unknown home server
Jarrid Keller [EMAIL PROTECTED] wrote: After setting the radius server up and trying to authenticate a user, the radius server is giving me the following error.
rad_recv: Access-Request packet from host 172.16.1.2:1042, id=10, length=71
Ignoring request from unknown home server 172.16.1.2:1042
The machine you're sending packets to has multiple IP's. FreeRADIUS is sending packets to one IP, and getting responses from another. The solution is to:
a) configure the proxy server to send to the IP 172.16.1.2
b) (preferred) configure the home server to listen on one IP address only, and not *.
Alan DeKok.
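The two fixes Alan describes, written out as an added example for FreeRADIUS 1.x (this is not configuration from the original thread): the home server address 172.16.1.2 comes from the log above; the realm name, secret and ports are assumptions.

```conf
# --- On the proxying server: proxy.conf ---
# (a) Point the realm at the home server's one fixed address, so replies
#     are only accepted when they come back from 172.16.1.2.
realm example.org {            # realm name is an assumption
    type     = radius
    authhost = 172.16.1.2:1812
    accthost = 172.16.1.2:1813
    secret   = CHANGE_ME        # placeholder; must match the home server's clients.conf
}

# --- On the home server (172.16.1.2): radiusd.conf ---
# (b) Preferred: bind to the single address the proxy sends to. With the
#     default below, a multi-homed host may answer from another interface,
#     and the proxy then logs "Ignoring request from unknown home server".
# Weak setting (listens on every interface):
#bind_address = *
# Corrected setting (replies always leave from this source IP):
bind_address = 172.16.1.2
port = 1812
```

After changing either file, restart radiusd on that host and re-run the test with radiusd -X to confirm the proxy now sees the reply as coming from the configured home server.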
Regarding on radtest
Hi Everybody, I'm working on openser + freeradius. Recently I installed both. I had an issue, the one below; what does this actually mean? By typing 'radtest 444 444 192.168.2.55 1812 radiustest' it shows the output below.
Sending Access-Request of id 236 to 192.168.2.55 port 1812
User-Name = 444
User-Password = 444
NAS-IP-Address = 255.255.255.255
Re-sending Access-Request of id 236 to 192.168.2.55 port 1812
User-Name = 444
User-Password = 444
NAS-IP-Address = 255.255.255.255
Thanks and Regards with cheers, Sunkara Ravi Prakash (Voip Developer), Hyperion Technology, www.hyperion-tech.com
MS-CHAP: what password backends can be used?
Hello readers, I've browsed the FAQs and the mailing list archives, but I have failed to find a definite, clear answer to this: what kind of user/password back-end can work if one is to support MS-CHAP? Is anything storing crypt or MD5 passwords (/etc/passwd+shadow, NIS, LDAP) hopeless? (I suspect it is.) I'm setting up a VPDN server on a Cisco AS5300 for Windows clients. It works fine if I use PAP and no encryption. If I want to use encryption, I need MS-CHAP, right? Right now my FreeRADIUS server is configured to use PAM. It runs on a box that is a NIS master, as well as an LDAP server with a directory built from NIS data using the well-known migration scripts (but FreeRADIUS doesn't talk to LDAP now). The master source of authentication is /etc/passwd and /etc/shadow, so passwords are in MD5 format. Is there any way I can get FreeRADIUS to handle MS-CHAP authentication requests from the Cisco box in this context? (I'm kind of expecting a big no here, but I want to be sure.) If I'm not using Samba or a domain controller, do I need cleartext passwords to achieve this? Where? In the users file only? In radiusd.conf, the mschap module has parameters for a Samba smbpasswd format file or invoking ntlm_auth. If neither is set, where does it try to get the password from? I'm confused. Thanks for any reply, pointers etc. Greets, _Alain_
