Re: Throttle On Cap

2006-06-30 Thread Stefan Winter
 I need some help with implementing Throttle on Cap Usage type feature for

Could you elaborate a bit what this Throttle on Cap Usage is supposed to do?

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Problem about Chap-Password and User-Password

2006-06-30 Thread Kun Niu

Dear all,

I've just installed freeradius 1.0.2 on my debian3.1 system.
I've got two radius clients.
One can be authorized normally and the other one failed to be authorized.

Here's my log.
Would anyone be kind enough to analyze it for me?
Thanks in advance and any help would be appreciated.

The failing one:

rad_recv: Access-Request packet from host 192.168.1.2:1026, id=199, length=239
User-Name = abc
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-IP-Address = 192.168.1.2
WISPr-Logoff-URL = https://10.10.10.1/logout.user;
WISPr-Location-Name = GEMTEK_SYSTEMS,Terminal_Worldwide
WISPr-Location-ID = isocc=us,cc=1,ac=408,network=GEMTEK_SYSTEMS
Framed-IP-Address = 10.10.10.10
Calling-Station-Id = 0060B325AB48
Called-Station-Id = 00904BBDFAD0
Acct-Session-Id = 44A4C9148546
User-Password = Ye~\2409
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
   rlm_realm: No '@' in User-Name = abc, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 1
   users: Matched entry DEFAULT at line 152
 modcall[authorize]: module files returns ok for request 1
radius_xlat:  'abc'
rlm_sql (sql): sql_set_user escaped user -- 'abc'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'abc' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'abc' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = 'abc' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'abc' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user [abc]
rlm_sql (sql): Released sql socket id: 3
 modcall[authorize]: module sql returns notfound for request 1
modcall: group authorize returns ok for request 1
 rad_check_password:  Found Auth-Type System
auth: type System
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
 modcall[authenticate]: module unix returns notfound for request 1
modcall: group authenticate returns notfound for request 1
auth: Failed to validate the user.
 WARNING: Unprintable characters in the password. ?  Double-check the
shared secret on the server and the NAS!
Delaying request 1 for 1 seconds
Finished request 1

The successful one:

rad_recv: Access-Request packet from host 192.168.1.1:32812, id=0, length=84
User-Name = abc
CHAP-Password = 0x04f97271e7e12220a7f6397cc15a62f7e2
NAS-IP-Address = 192.168.1.1
Acct-Session-Id = 5b01
NAS-Port = 3
CHAP-Challenge = 0x00ac45bdd7e79c6af29ee0b413c874a8
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
 modcall[authorize]: module preprocess returns ok for request 2
 rlm_chap: Setting 'Auth-Type := CHAP'
 modcall[authorize]: module chap returns ok for request 2
 modcall[authorize]: module mschap returns noop for request 2
   rlm_realm: No '@' in User-Name = abc, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 2
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 2
   users: Matched entry DEFAULT at line 152
 modcall[authorize]: module files returns ok for request 2
radius_xlat:  'abc'
rlm_sql (sql): sql_set_user escaped user -- 'abc'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'abc' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'abc' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = 'abc' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'abc' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
rlm_sql (sql): 

Re: Problem about Chap-Password and User-Password

2006-06-30 Thread Stefan Winter
Hello!

It seems that your client is using a quite unusual character in his password. 
That leads to encoding problems with your database backend. The solution is 
to either list that character in safe_characters for the database (I don't 
really recommend that, given that \240 is a bit too unusual) or store the 
password not literally in the database, but properly encoded. The rlm_sql 
module will then take the user's password, encode it, and check it against 
the same-encoded string in the database.

Of course, the problem might also be that your shared secret for this client 
isn't correct, as the end of the failed attempt suggests. But given that all 
but one character in the password are nicely printable, my guess is that it's 
really just a weird character in the password. In any case, you can verify 
that using a more straightforward password and see if that works.

Greetings,

Stefan Winter

Am Freitag, 30. Juni 2006 09:37 schrieb Kun Niu:
 Dear all,

 I've just installed freeradius 1.0.2 on my debian3.1 system.
 I've got two radius clients.
 One can be authorized normally and the other one failed to be authorized.

 Here's my log.
 Would anyone be kind enough to analyze it for me?
 Thanks in advance and any help would be appreciated.

 The failing one:

 rad_recv: Access-Request packet from host 192.168.1.2:1026, id=199,
 length=239 User-Name = abc
   Service-Type = Login-User
   NAS-Port-Type = Ethernet
   NAS-IP-Address = 192.168.1.2
   WISPr-Logoff-URL = https://10.10.10.1/logout.user;
   WISPr-Location-Name = GEMTEK_SYSTEMS,Terminal_Worldwide
   WISPr-Location-ID = isocc=us,cc=1,ac=408,network=GEMTEK_SYSTEMS
   Framed-IP-Address = 10.10.10.10
   Calling-Station-Id = 0060B325AB48
   Called-Station-Id = 00904BBDFAD0
   Acct-Session-Id = 44A4C9148546
   User-Password = Ye~\2409
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 1
   modcall[authorize]: module preprocess returns ok for request 1
   modcall[authorize]: module chap returns noop for request 1
   modcall[authorize]: module mschap returns noop for request 1
 rlm_realm: No '@' in User-Name = abc, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 1
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module eap returns noop for request 1
 users: Matched entry DEFAULT at line 152
   modcall[authorize]: module files returns ok for request 1
 radius_xlat:  'abc'
 rlm_sql (sql): sql_set_user escaped user -- 'abc'
 radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
 WHERE Username = 'abc' ORDER BY id'
 rlm_sql (sql): Reserving sql socket id: 3
 radius_xlat:  'SELECT
 radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
eck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
 usergroup.Username = 'abc' AND usergroup.GroupName =
 radgroupcheck.GroupName ORDER BY
 radgroupcheck.id'
 radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
 WHERE Username = 'abc' ORDER BY id'
 radius_xlat:  'SELECT
 radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
ply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
 usergroup.Username = 'abc' AND usergroup.GroupName =
 radgroupreply.GroupName ORDER BY
 radgroupreply.id'
 rlm_sql (sql): No matching entry in the database for request from user
 [abc] rlm_sql (sql): Released sql socket id: 3
   modcall[authorize]: module sql returns notfound for request 1
 modcall: group authorize returns ok for request 1
   rad_check_password:  Found Auth-Type System
 auth: type System
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 1
   modcall[authenticate]: module unix returns notfound for request 1
 modcall: group authenticate returns notfound for request 1
 auth: Failed to validate the user.
   WARNING: Unprintable characters in the password. ?  Double-check the
 shared secret on the server and the NAS!
 Delaying request 1 for 1 seconds
 Finished request 1

 The successful one:

 rad_recv: Access-Request packet from host 192.168.1.1:32812, id=0,
 length=84 User-Name = abc
   CHAP-Password = 0x04f97271e7e12220a7f6397cc15a62f7e2
   NAS-IP-Address = 192.168.1.1
   Acct-Session-Id = 5b01
   NAS-Port = 3
   CHAP-Challenge = 0x00ac45bdd7e79c6af29ee0b413c874a8
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 2
   modcall[authorize]: module preprocess returns ok for request 2
   rlm_chap: Setting 'Auth-Type := CHAP'
   modcall[authorize]: module chap returns ok for request 2
   modcall[authorize]: module mschap returns noop for request 2
 rlm_realm: No '@' in User-Name = abc, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 2
   rlm_eap: No EAP-Message, not doing EAP
 

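The warning at the end of the failed attempt ("Unprintable characters in the password ... Double-check the shared secret on the server and the NAS!") follows from how RADIUS hides User-Password: the NAS XORs the NUL-padded password with an MD5 keystream derived from the shared secret and the Request-Authenticator (RFC 2865 section 5.2), so a server configured with a different secret recovers noise rather than the password, and noise is mostly unprintable. The Python script below is an added example written for this page, not code from FreeRADIUS or from either poster. It implements the RFC 2865 hiding and unhiding, renders bytes in the octal form the debug log uses (`Ye~\2409`), and applies a printable-ASCII check that approximates the server's warning (the exact test FreeRADIUS applies is an assumption here). Every secret, authenticator and password in it is a constructed sample value.

```python
import hashlib
import os

# RFC 2865 section 5.2: User-Password is hidden (not encrypted in any strong
# sense) by XORing the NUL-padded password with the chained keystream
# MD5(secret + Request-Authenticator), MD5(secret + c1), MD5(secret + c2), ...
# All inputs used below are constructed for this example.


def _pad16(data: bytes) -> bytes:
    """Pad with NUL bytes to a non-zero multiple of 16, as the RFC requires."""
    if data and len(data) % 16 == 0:
        return data
    return data + b"\x00" * (16 - len(data) % 16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Produce the User-Password attribute value a NAS puts on the wire."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    padded = _pad16(password)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # the chain feeds the previous *hidden* block into the next MD5
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server recovers; with the wrong secret this is just noise."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")  # strip the RFC padding


def has_unprintable(password: bytes) -> bool:
    """True if any byte falls outside printable ASCII (0x20..0x7e).
    Assumption: this approximates, not reproduces, the FreeRADIUS check."""
    return any(b < 0x20 or b > 0x7e for b in password)


def render_octal(password: bytes) -> str:
    """Render bytes the way the debug log above does: \\ooo for non-printables."""
    return "".join(chr(b) if 0x20 <= b <= 0x7e else "\\%03o" % b for b in password)


def diagnose(hidden: bytes, secret: bytes, authenticator: bytes):
    """Return (recovered password, warn) where warn mirrors the log's warning."""
    recovered = unhide_password(hidden, secret, authenticator)
    return recovered, has_unprintable(recovered)


if __name__ == "__main__":
    authenticator = os.urandom(16)          # the NAS picks a fresh one per request
    hidden = hide_password(b"123", b"testing123", authenticator)
    for secret in (b"testing123", b"wrong-secret"):
        recovered, warn = diagnose(hidden, secret, authenticator)
        print(secret.decode(), "->", render_octal(recovered), "WARN" if warn else "ok")
```

Running it with the right and a wrong secret shows the same 16-byte attribute decoding to `123` in one case and to escaped garbage in the other, which is why verifying the secret on both sides is the first check before touching safe_characters. The scheme is an MD5-keyed XOR, not strong encryption, so it protects nothing beyond what the secret's secrecy provides; RADIUS traffic between NAS and server still needs a protected path such as IPsec or RadSec.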
freeradius with alcatel omniswitch 6600

2006-06-30 Thread fhcom

Hi,

I am using freeradius 1.0.5 with alcatel omniswitch 6600-24.
I want to put a user in a VLAN.
Could someone tell me how to configure this user in the "users" configuration file of freeradius (if you can give me an example file)? What attributes do I have to put in it? And what vendor attribute do I have to add in the dictionary.alcatel file?
Here is the content of my actual dictionary.alcatel file.

---
#
# Alcatel Broadband Access Server dictionary.
#
# Version: 1.00 10-July-2002 Lasse Johnsen [EMAIL PROTECTED]
# $Id: dictionary.alcatel,v 1.3 2004/02/16 22:33:10 aland Exp $
#

VENDOR Alcatel 3041

#
# Alcatel Vendor Specific Extensions
#
#
ATTRIBUTE AAT-Client-Primary-DNS 5 ipaddr Alcatel
ATTRIBUTE AAT-Client-Primary-WINS-NBNS 6 ipaddr Alcatel
ATTRIBUTE AAT-Client-Secondary-WINS-NBNS 7 ipaddr Alcatel
#ATTRIBUTE AAT-Client-Primary-DNS 8 ipaddr Alcatel
ATTRIBUTE AAT-PPP-Address 9 ipaddr Alcatel
ATTRIBUTE AAT-ATM-Direct 21 string Alcatel
ATTRIBUTE AAT-IP-TOS 22 integer Alcatel
ATTRIBUTE AAT-IP-TOS-Precedence 23 integer Alcatel
ATTRIBUTE AAT-IP-TOS-Apply-To 24 integer Alcatel
ATTRIBUTE AAT-MCast-Client 27 integer Alcatel
ATTRIBUTE AAT-Vrouter-Name 61 string Alcatel
ATTRIBUTE AAT-Require-Auth 62 integer Alcatel
ATTRIBUTE AAT-IP-Pool-Definition 63 string Alcatel
ATTRIBUTE AAT-Assign-IP-Pool 64 integer Alcatel
ATTRIBUTE AAT-Data-Filter 65 string Alcatel
ATTRIBUTE AAT-Source-IP-Check 66 integer Alcatel
ATTRIBUTE AAT-ATM-VPI 128 integer Alcatel
ATTRIBUTE AAT-ATM-VCI 129 integer Alcatel
ATTRIBUTE AAT-Input-Octets-Diff 130 integer Alcatel
ATTRIBUTE AAT-Output-Octets-Diff 131 integer Alcatel
ATTRIBUTE AAT-User-MAC-Address 132 string Alcatel
ATTRIBUTE AAT-ATM-Traffic-Profile 133 string Alcatel

VALUE AAT-MCast-Client Multicast-No 0
VALUE AAT-MCast-Client Multicast-Yes 1

VALUE AAT-Require-Auth Not-Require-Auth 0
VALUE AAT-Require-Auth Require-Auth 1

VALUE AAT-Source-IP-Check Source-IP-Check-No 0
VALUE AAT-Source-IP-Check Source-IP-Check-Yes 1

VALUE AAT-IP-TOS IP-TOS-Normal 0
VALUE AAT-IP-TOS IP-TOS-Disabled 1
VALUE AAT-IP-TOS IP-TOS-Cost 2
VALUE AAT-IP-TOS IP-TOS-Reliability 4
VALUE AAT-IP-TOS IP-TOS-Throughput 8
VALUE AAT-IP-TOS IP-TOS-Latency 16

VALUE AAT-IP-TOS-Apply-To IP-TOS-Apply-To-Incoming 1024
VALUE AAT-IP-TOS-Apply-To IP-TOS-Apply-To-Both 3072
VALUE AAT-IP-TOS-Apply-To IP-TOS-Apply-To-Outgoing 2048

VALUE AAT-IP-TOS-Precedence IP-TOS-Precedence-Pri-Normal 0
VALUE AAT-IP-TOS-Precedence IP-TOS-Precedence-Pri-One 32
VALUE AAT-IP-TOS-Precedence IP-TOS-Precedence-Pri-Two 64
VALUE AAT-IP-TOS-Precedence IP-TOS-Precedence-Pri-Three 96
VALUE AAT-IP-TOS-Precedence IP-TOS-Precedence-Pri-Four 128
VALUE AAT-IP-TOS-Precedence IP-TOS-Precedence-Pri-Five 160
VALUE AAT-IP-TOS-Precedence IP-TOS-Precedence-Pri-Six 192
VALUE AAT-IP-TOS-Precedence IP-TOS-Precedence-Pri-Seven 224
---
Thanks

fhcom

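The dictionary.alcatel file above uses the FreeRADIUS dictionary format: a VENDOR line binds a vendor name to its enterprise number, each ATTRIBUTE line gives a vendor-type number and a data type, and VALUE lines name the integer values an attribute may take. On the wire these entries become Vendor-Specific (type 26) attributes laid out as in RFC 2865 section 5.26. The Python script below is an added example written for this page, not part of FreeRADIUS or of the poster's configuration; it parses a subset of the entries shown above, encodes an attribute into a VSA and decodes it back, and enforces the length limits that keep the attribute inside one 255-byte RADIUS AVP. It does not say which attributes the OmniSwitch expects for VLAN assignment, which the message above leaves open; the sample values are constructed.

```python
import struct
from ipaddress import IPv4Address

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type for Vendor-Specific
MAX_VSA_VALUE = 255 - 8   # type, len, vendor-id(4), vendor-type, vendor-len

# Constructed sample: a subset of the dictionary.alcatel entries posted above.
SAMPLE_DICTIONARY = """\
# Alcatel Broadband Access Server dictionary (excerpt)
VENDOR Alcatel 3041
ATTRIBUTE AAT-Client-Primary-DNS 5 ipaddr Alcatel
ATTRIBUTE AAT-Vrouter-Name 61 string Alcatel
ATTRIBUTE AAT-Require-Auth 62 integer Alcatel
ATTRIBUTE AAT-Source-IP-Check 66 integer Alcatel
VALUE AAT-Require-Auth Not-Require-Auth 0
VALUE AAT-Require-Auth Require-Auth 1
"""


def parse_dictionary(text):
    """Parse VENDOR/ATTRIBUTE/VALUE lines; collect problems instead of raising."""
    vendors, attrs, values, problems = {}, {}, {}, []
    numbers_seen = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        kw = parts[0].upper()
        try:
            if kw == "VENDOR" and len(parts) == 3:
                vendors[parts[1]] = int(parts[2])
            elif kw == "ATTRIBUTE" and len(parts) in (4, 5):
                name, number, typ = parts[1], int(parts[2]), parts[3].lower()
                vendor = parts[4] if len(parts) == 5 else None
                key = (vendor, number)
                if name in attrs or key in numbers_seen:
                    problems.append(f"line {lineno}: duplicate attribute {name} / {key}")
                numbers_seen[key] = name
                attrs[name] = (number, typ, vendor)
            elif kw == "VALUE" and len(parts) == 4:
                values.setdefault(parts[1], {})[parts[2]] = int(parts[3])
            else:
                problems.append(f"line {lineno}: unrecognised entry {line!r}")
        except ValueError:
            problems.append(f"line {lineno}: non-numeric field in {line!r}")
    return {"vendors": vendors, "attributes": attrs, "values": values, "problems": problems}


def _encode_value(typ, value, named):
    if typ == "integer":
        if isinstance(value, str):
            value = named[value]      # KeyError for a VALUE name the dictionary lacks
        return struct.pack("!I", value)
    if typ == "ipaddr":
        return IPv4Address(value).packed
    if typ == "string":
        return value.encode() if isinstance(value, str) else bytes(value)
    raise ValueError(f"unsupported type {typ}")


def encode_vsa(d, name, value):
    """Return the complete Vendor-Specific AVP bytes for attribute `name`."""
    number, typ, vendor = d["attributes"][name]
    if vendor is None:
        raise ValueError(f"{name} is not vendor-specific")
    payload = _encode_value(typ, value, d["values"].get(name, {}))
    if not 1 <= len(payload) <= MAX_VSA_VALUE:
        raise ValueError("value does not fit in one VSA")
    inner = struct.pack("!BB", number, 2 + len(payload)) + payload
    body = struct.pack("!I", d["vendors"][vendor]) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(d, data):
    """Inverse of encode_vsa: returns (attribute name, value) or raises ValueError."""
    if len(data) < 9 or data[0] != VENDOR_SPECIFIC or data[1] != len(data):
        raise ValueError("malformed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", data[2:6])[0]
    vtype, vlen = data[6], data[7]
    if vlen != len(data) - 6:   # vendor-length covers vendor-type, vendor-length, value
        raise ValueError("vendor length does not match attribute length")
    payload = data[8:]
    lookup = {(d["vendors"].get(v), n): (nm, t)
              for nm, (n, t, v) in d["attributes"].items() if v}
    if (vendor_id, vtype) not in lookup:
        raise ValueError(f"unknown VSA vendor={vendor_id} type={vtype}")
    name, typ = lookup[(vendor_id, vtype)]
    if typ in ("integer", "ipaddr") and len(payload) != 4:
        raise ValueError(f"{typ} VSA must carry exactly 4 bytes")
    if typ == "integer":
        num = struct.unpack("!I", payload)[0]
        for vname, vnum in d["values"].get(name, {}).items():
            if vnum == num:
                return name, vname     # map back to the dictionary's VALUE name
        return name, num
    if typ == "ipaddr":
        return name, str(IPv4Address(payload))
    return name, payload.decode()


if __name__ == "__main__":
    d = parse_dictionary(SAMPLE_DICTIONARY)
    avp = encode_vsa(d, "AAT-Require-Auth", "Require-Auth")
    print(avp.hex(), decode_vsa(d, avp), d["problems"])
```

The `problems` list is empty for the sample; a dictionary with two attributes sharing a vendor-type number, or with an unknown keyword, produces a line-numbered complaint. That is the check worth running after hand-editing a dictionary file, because a silently misparsed entry makes the server drop or mis-encode the reply attribute the switch is waiting for.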

Re: Auth-Type in rlm_perl

2006-06-30 Thread Boian Jordanov
On Thursday 29 June 2006 16:06, Evil I_Am wrote:
 Hi
 Which hash i should inspect to find out the value of the Auth-Type
 attribute?

RAD_CHECK


-- 
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002


Re: Multiple AD-Domains with rlm_ldap

2006-06-30 Thread robiwan
ntlm_auth should work.  I'm less sure how to configure multiple AD
 domains in ldap.
 
   Alan DeKok.
 

Okay, according to an earlier posting 
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-July/045377.html

I did this:

 What you need to do is to configure a *different* ntlm_auth, only
 for clear-text passwords.  The simplest way to do this is to use the
 exec module:

 modules {
   ...
   exec win_domain {
wait = yes
input_pairs = request
output_pairs = reply
program = ntlm_auth --username=\%{User-Name}\ 
 --password=\%{User-Password}\ --domain=usmisgne
   }
   ...
 } 

  Now list win_domain in the authenticate section, and add the
 following entry to the users file:

 DEFAULT Auth-Type = win_domain


But the authentication still fails.
Did I make some mistakes in my config?
Maybe here?

Auth-Type win_domain{
  win_domain
}


Robert


My ntlm_auth shell-command works:
~# /usr/bin/ntlm_auth --username=john.smith --password='smith1000' 
--domain=SOUTH
NT_STATUS_OK: Success (0x0)

but radtest fails:
~# radtest john.smith smith1000 localhost 1645 testing123

abbreviated freeradius -X output:

auth: type win_domain
  Processing the authenticate section of radiusd.conf
modcall: entering group win_domain for request 0
radius_xlat:  '/usr/bin/ntlm_auth --username=john.smith 
--password='smith1000' --domain=SOUTH'
Exec-Program: /usr/bin/ntlm_auth --username=john.smith --password='smith1000' 
--domain=SOUTH
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program: returned: 1
rlm_exec (win_domain): External script failed

Here are my config files and the complete freeradius -X output:

radiusd.conf
-
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} 
--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}
}
ldap {
server = 10.187.64.3
identity = CN=Hans 
Dampf,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de
password = Gerti1000
basedn = DC=winlab,DC=rsnhm,DC=t-com,DC=de
filter = sAMAccountname=%{User-Name}
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = /
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = %
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = \\

Re: Freeradius-Users Digest, Vol 14, Issue 119

2006-06-30 Thread Kun Niu

Dear Stefan,

Thanks for your reply.
Maybe I should check the shared secret of the client and the server.
Since the passwords for both clients are 123, relatively simple in testing. :)
Hope that the client is a standard implementation.
Thanks again for your reply.

Sincerely,
Kun


Message: 3
Date: Fri, 30 Jun 2006 09:49:00 +0200
From: Stefan Winter [EMAIL PROTECTED]
Subject: Re: Problem about Chap-Password and User-Password
To: FreeRadius users mailing list
   freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-15

Hello!

It seems that your client is using a quite unusual character in his password.
That leads to encoding problems with your database backend. The solution is
to either list that character in safe_characters for the database (I don't
really recommend that, given that \240 is a bit too unusual) or store the
password not literally in the database, but properly encoded. The rlm_sql
module will then take the user's password, encode it, and check it against
the same-encoded string in the database.

Of course, the problem might also be that your shared secret for this client
isn't correct, as the end of the failed attempt suggests. But given that all
but one character in the password are nicely printable, my guess is that it's
really just a weird character in the password. In any case, you can verify
that using a more straightforward password and see if that works.

Greetings,

Stefan Winter

Am Freitag, 30. Juni 2006 09:37 schrieb Kun Niu:
 Dear all,

 I've just installed freeradius 1.0.2 on my debian3.1 system.
 I've got two radius clients.
 One can be authorized normally and the other one failed to be authorized.

 Here's my log.
 Would anyone be kind enough to analyze it for me?
 Thanks in advance and any help would be appreciated.

 The failing one:

 rad_recv: Access-Request packet from host 192.168.1.2:1026, id=199,
 length=239 User-Name = abc
   Service-Type = Login-User
   NAS-Port-Type = Ethernet
   NAS-IP-Address = 192.168.1.2
   WISPr-Logoff-URL = https://10.10.10.1/logout.user;
   WISPr-Location-Name = GEMTEK_SYSTEMS,Terminal_Worldwide
   WISPr-Location-ID = isocc=us,cc=1,ac=408,network=GEMTEK_SYSTEMS
   Framed-IP-Address = 10.10.10.10
   Calling-Station-Id = 0060B325AB48
   Called-Station-Id = 00904BBDFAD0
   Acct-Session-Id = 44A4C9148546
   User-Password = Ye~\2409
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 1
   modcall[authorize]: module preprocess returns ok for request 1
   modcall[authorize]: module chap returns noop for request 1
   modcall[authorize]: module mschap returns noop for request 1
 rlm_realm: No '@' in User-Name = abc, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 1
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module eap returns noop for request 1
 users: Matched entry DEFAULT at line 152
   modcall[authorize]: module files returns ok for request 1
 radius_xlat:  'abc'
 rlm_sql (sql): sql_set_user escaped user -- 'abc'
 radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
 WHERE Username = 'abc' ORDER BY id'
 rlm_sql (sql): Reserving sql socket id: 3
 radius_xlat:  'SELECT
 radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
eck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
 usergroup.Username = 'abc' AND usergroup.GroupName =
 radgroupcheck.GroupName ORDER BY
 radgroupcheck.id'
 radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
 WHERE Username = 'abc' ORDER BY id'
 radius_xlat:  'SELECT
 radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
ply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
 usergroup.Username = 'abc' AND usergroup.GroupName =
 radgroupreply.GroupName ORDER BY
 radgroupreply.id'
 rlm_sql (sql): No matching entry in the database for request from user
 [abc] rlm_sql (sql): Released sql socket id: 3
   modcall[authorize]: module sql returns notfound for request 1
 modcall: group authorize returns ok for request 1
   rad_check_password:  Found Auth-Type System
 auth: type System
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 1
   modcall[authenticate]: module unix returns notfound for request 1
 modcall: group authenticate returns notfound for request 1
 auth: Failed to validate the user.
   WARNING: Unprintable characters in the password. ?  Double-check the
 shared secret on the server and the NAS!
 Delaying request 1 for 1 seconds
 Finished request 1

 The successful one:

 rad_recv: Access-Request packet from host 192.168.1.1:32812, id=0,
 length=84 User-Name = abc
   CHAP-Password = 0x04f97271e7e12220a7f6397cc15a62f7e2
   NAS-IP-Address = 192.168.1.1
   Acct-Session-Id = 5b01
   NAS-Port = 3
   CHAP-Challenge = 

RE: FW: mpd+freeradius+AD

2006-06-30 Thread Егоров Сергей

Ok, this is my users file

test Auth-Type := MS-CHAP
 Framed-IP-Address = 192.168.10.65

DEFAULT Auth-Type := MS-CHAP

And this is the freeradius log when I connect to mpd via the test account:

Login OK: [test/no User-Password attribute] (from client localhost port 0 cli 192.168.12.126)
Sending Access-Accept of id 121 to 127.0.0.1 port 49791
 Framed-IP-Address = 192.168.10.65
 MS-CHAP2-Success = 0x01533d4245433430393843434139344338323441384431463938303641384133453236394441413430
 MS-MPPE-Recv-Key = 0x0bbdc1d49670112e799bd5a86b084808
 MS-MPPE-Send-Key = 0x0df81127464f94a443c13e7e683f5251
 MS-MPPE-Encryption-Policy = 0x0002
 MS-MPPE-Encryption-Types = 0x0004
rad_recv: Accounting-Request packet from host 127.0.0.1:54511, id=119, length=139
 NAS-Identifier = testradius.ion.ru
 NAS-Port = 0
 NAS-Port-Type = Virtual
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Calling-Station-Id = 192.168.12.126
 User-Name = test
 Framed-IP-Address = 192.168.10.12
 Acct-Status-Type = Start
 Acct-Session-Id = 1652038-pptp0
 Acct-Multi-Session-Id = 1652038-pptp0
 Acct-Link-Count = 1
 Acct-Authentic = RADIUS
Sending Accounting-Response of id 119 to 127.0.0.1 port 54511

In this log freeradius says that account test is OK, and its address is 192.168.10.65. But mpd replaces it with its own. How could I improve it?



-Original Message-
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 29, 2006 7:05 PM
To: Undisclosed.Recipients :
Cc: Егоров Сергей
Subject: Re: FW: mpd+freeradius+AD

On Thursday 29 June 2006 15:28, Егоров Сергей wrote:
 This is Framed-IP-Address in radius dialect.

 Thanks for explaining freeradius basic concepts. I understood, that to
 assign IP to user I should use users freeradius file. But I couldn't
 configure it correctly. Now I have only one line in this file

 DEFAULT Auth-Type := MS-CHAP

 I've added another string (for user test), but it isn't correct

 test Auth-Type := MS-CHAP,

Try without the comma
run the server in debug mode(radiusd -X)
and use radclient

 Framed-IP-Address = 192.168.10.65,

I think you can put this in AD. Don't know...

 What should I fix?

 -Original Message-
 From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
 Sent: Monday, June 26, 2006 5:09 PM
 To: freeradius-users@lists.freeradius.org
 Cc: Егоров Сергей
 Subject: Re: mpd+freeradius+AD

 On Monday 26 June 2006 14:04, Егоров Сергей wrote:
  Thanks for reply.

   You can use one of the three firewalls available in the base
   system(ipfw,
   ipf and pf), however mpd comes with a small dictionary that uses
   ipfw(8) and you can easily define some filter bound to an interface
   (bound to a username) via a radius reply attribute, let filter be a
   pipe(for bandwidth control) or a packet filtering expression.

  That's fine for filtering vpn users access to local net. But how could I
  assign specific IP for specific user in AD?

   Your questions don't clearly tell where your problem is.
  Active Directory? mpd? or FreeRADIUS? You should define
  them better in order to get help from the list.

  My goal is to replace VPN server, based on win2003, with FreeBSD one. WIN
  2003 can do 1 and 2 in my questions, so I have to realize how to setup
  this in mpd + freeradius. I already authenticate users from AD group:

  ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
  --username=%{Stripped-User-Name:-%{User-Name:-None}}
  --challenge=%{mschap:Challenge:-00}
  --nt-response=%{mschap:NT-Response:-00}
  --require-membership-of=EXAMPLE+VPN_Allowed.

  But I have several vpn groups and need to setup timeouts on each one.

 setup timeout? This looks like Session-Timeout in radius dialect.

  Also
  I need to I assign specific IP for specific user in AD.

 This is Framed-IP-Address in radius dialect.

  Looks like
  FreeRadius should respond for this.

 Yes, you have to have basic understanding of what radius is. All of these
 are very basic setup. I don't know how FreeRADIUS interacts with AD and
 what info it should get from AD. So, try searching (or asking) for active
 directory and FreeRADIUS. Keep the mpd part out of it, since it will
 add unneeded complexity. Or perhaps start from setting up mpd and
 FreeRADIUS. And then you could add AD.

 A few suggestions, Nikos


Re: LDAP related questions

2006-06-30 Thread Kostas Zorbadelos
On Wed, Jun 28, 2006 at 04:21:14PM +0300, Kostas Kalevras wrote:
 On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
 
 On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
 On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
 
 I have a few suspicions where the problem might be.
 Is there a way to define the operator in the radius check attributes
 of ldap (without using the generic radiusCheckItem attribute)?
 
 radiusSessionTimeout: += value
 
 
 I meant in ldap.attrmap.
 When I define for example
 
 checkItem   Group-Name  radiusProfile
 
 what is the operator implied ( op=21 in the debugging output)?
 Can this be changed?
 
 In the cvs version at least an extra field is supported in ldap.attrmap 
 which sets the operator to be used. Don't know if it's supported in the 
 stable versions.


Thanks Kostas, 
I saw the cvs version and indeed it contains the code you
describe. This is a very useful feature. The feature is not contained
in the latest stable (1.1.2) version. Will it be in the next?

 
 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf
 - 
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 

-- 
  Kostas 
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Radius Primary an Decondary

2006-06-30 Thread Vinicius Bufoni
   Hi People.

  My name is Vinicius, and I have a freeradius in my company. But I have a 
question:

  Is there some way for my radius to work with primary and secondary proxy radius? That 
is, if the first radius dies, does the second radius in the proxy take over?

  Excuse me for the bad English.
  I hope you will understand my mail.

  Thank you very much for all.

  Vinicius Bufoni






Re: Radius Primary an Decondary

2006-06-30 Thread Michael Schwartzkopff
Am Freitag, 30. Juni 2006 13:31 schrieb Vinicius Bufoni:
Hi People.

   My name is Vinicius, and I have a freeradius in my company. But I have a
 question:

   Is there some way for my radius to work with primary and secondary proxy radius?
 That is, if the first radius dies, does the second radius in the proxy take over?

   Vinicius Bufoni

1) Configure both identically.
2) Put both IP addresses in the NASs.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



RE: exec-program dependent on ldap attribute values

2006-06-30 Thread Tariq Rashid


Tariq Rashid [EMAIL PROTECTED] wrote:
 I would like however for the script to be called only when an LDAP attribute 
 has a certain values. Is this possible? The user's LDAP profile has already 
 been searched for the user's password in the initial auth request, and 
 possibly in the acct request.
 
 something like the following does not work:
 
 DEFAULT Acct-Status-Type == Start, Account-Status == inactive
 Exec-Program = /etc/freeradius/scripts/acct_start.py %{User-Name} 
 
 where Account-Status is mapped to the LDAP attribute in the ldap-attrmap 
 file. 

  Probably because Account-Status is a check item, and not in the
request.  It will have to go into the request for it to be compared in
the acct_users file.

  Alan DeKok.
---

So must it be added to the request artificially before the comparison happens? 
I'm not sure what the recommended way to achieve this is...

tariq



Re: FW: mpd+freeradius+AD

2006-06-30 Thread Nikos Vassiliadis
On Friday 30 June 2006 11:57, Егоров Сергей wrote:
 Ok, this is my users file


 test Auth-Type := MS-CHAP
 Framed-IP-Address = 192.168.10.65
 DEFAULT Auth-Type := MS-CHAP

 And this is the freeradius log when I connect to mpd via the test account:

 Login OK: [test/no User-Password attribute] (from client localhost port 0 cli 192.168.12.126)
 Sending Access-Accept of id 121 to 127.0.0.1 port 49791
 Framed-IP-Address = 192.168.10.65
 MS-CHAP2-Success = 0x01533d4245433430393843434139344338323441384431463938303641384133453236394441413430
 MS-MPPE-Recv-Key = 0x0bbdc1d49670112e799bd5a86b084808
 MS-MPPE-Send-Key = 0x0df81127464f94a443c13e7e683f5251
 MS-MPPE-Encryption-Policy = 0x0002
 MS-MPPE-Encryption-Types = 0x0004
 rad_recv: Accounting-Request packet from host 127.0.0.1:54511, id=119, length=139
 NAS-Identifier = testradius.ion.ru
 NAS-Port = 0
 NAS-Port-Type = Virtual
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Calling-Station-Id = 192.168.12.126
 User-Name = test
 Framed-IP-Address = 192.168.10.12
 Acct-Status-Type = Start
 Acct-Session-Id = 1652038-pptp0
 Acct-Multi-Session-Id = 1652038-pptp0
 Acct-Link-Count = 1
 Acct-Authentic = RADIUS
 Sending Accounting-Response of id 119 to 127.0.0.1 port 54511

 In this log freeradius says that account test is OK, and its address is
 192.168.10.65. But mpd replaces it with its own. How could I improve it?


use radius-ip
read more here /usr/local/share/doc/mpd/mpd22.html



 -Original Message-
 From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 29, 2006 7:05 PM
 To: Undisclosed.Recipients :
 Cc: Егоров Сергей
 Subject: Re: FW: mpd+freeradius+AD

 On Thursday 29 June 2006 15:28, Егоров Сергей wrote:
  This is Framed-IP-Address in radius dialect.
 
  Thanks for explaining freeradius basic concepts. I understood, that to
  assign IP to user I should use users freeradius file. But I couldn't
  configure it correctly. Now I have only one line in this file
 
  DEFAULT Auth-Type := MS-CHAP
 
   I've added another string (for user test), but it isn't correct
 
  test   Auth-Type := MS-CHAP,

 Try without the comma

 run the server in debug mode(radiusd -X)
 and use radclient

 Framed-IP-Address = 192.168.10.65,

 I think you can put this in AD. Don't know...

   What should I fix?
 
 
  -Original Message-
  From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]
  Sent: Monday, June 26, 2006 5:09 PM
  To: freeradius-users@lists.freeradius.org
  Cc: Егоров Сергей
  Subject: Re: mpd+freeradius+AD
 
  On Monday 26 June 2006 14:04, Егоров Сергей wrote:
   Thanks for reply.
  
   You can use one of the three firewalls available in the base
   system (ipfw, ipf and pf), however mpd comes with a small dictionary that uses
   ipfw(8) and you can easily define some filter bound to an interface
   (bound to a username) via a radius reply attribute, let filter be a
   pipe (for bandwidth control) or a packet filtering expression.
  
    That's fine for filtering vpn users' access to the local net. But how could
    I assign a specific IP for a specific user in AD?
  
   Your questions don't clearly tell where your problem is.
   Active Directory? mpd? or FreeRADIUS? You should define
   them better in order to get help from the list.
  
   My goal is to replace VPN server, based on win2003, with FreeBSD one.
    WIN 2003 can do 1 and 2 in my questions, so I have to work out how to
    set this up in mpd + freeradius. I already authenticate users from AD
   group:
  
   ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
 --username=%{Stripped-User-Name:-%{User-Name:-None}}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}
 --require-membership-of=EXAMPLE+VPN_Allowed.
  
   But I have several vpn groups and need to setup timeouts on each one.
 
  setup timeout? This looks like Session-Timeout in radius dialect.
 
   Also
    I need to assign a specific IP for a specific user in AD.
 
  This is Framed-IP-Address in radius dialect.
 
   Looks like
   FreeRadius should respond for this.
 
  Yes, you have to have basic understanding of what radius is. All of these
  are very basic setup. I don't know how FreeRADIUS interacts with AD and
  what info it should get from AD. So, try searching (or asking) for active
  directory and FreeRADIUS. Keep the mpd part out of it, since it will
  add unneeded complexity. Or perhaps start from setting up mpd and
  FreeRADIUS. And then you could add AD.
 
  A few suggestions, Nikos
 


Different Session-Timeout depending on NAS

2006-06-30 Thread Santiago Balaguer García

Hi people,
  I have been working with RADIUS for several years and now we want to 
implement a different accounting for prepaid cards. I will explain my 
question shortly.


  Two types of hotspot zones: Spain and Mexico. Everyone knows prices in 
Mexico are cheaper than in Spain. Well, my accounts are valid in both 
countries, however the connection times are shorter in Spain than in Mexico. 
How can I modify the Session-Timeout attribute depending on the NAS?


Thanks.



Re: Different Session-Timeout depending on NAS

2006-06-30 Thread Stefan Winter
Two types of hotspot zones: Spain and Mexico. Everyone knows prices in
 Mexico are cheaper than in Spain. Well, my accounts are valid in both
 countries, however the connection times are shorter in Spain than in Mexico.
 How can I modify the Session-Timeout attribute depending on the NAS?

First, a general question: all those geographically disperse NASes are 
connected to *one* central server? Huh.

My proposed solution: add a line to the users file for each NAS saying

DEFAULT NAS-IP-Address == 1.2.3.4
Session-Timeout := Whatever-you-like

(assuming the NAS sends its IP address as an attribute. If it doesn't, and is 
directly connected, use Client-IP-Address instead).

That way, you can set Session-Timeout on a per-NAS basis.

Greetings,

Stefan Winter


radius_xlat question

2006-06-30 Thread fvt3
Hi,

I am trying to strip off some information in the
username.  I have domain\\username and I have a script
to strip domain\\ and return the username.  After
executing the script it returns the username but
radius_xlat adds a space right after the user name. 
How do I get rid of that space?  Any suggestions would
be appreciated.  Thanks...

radius_xlat: Running registered xlat function of module exec for string '/usr/local/freeradius/etc/raddb/nodomain.sh %u'
rlm_exec (exec): Executing /usr/local/freeradius/etc/raddb/nodomain.sh %u
radius_xlat: '/usr/local/freeradius/etc/raddb/nodomain.sh jdoe'
Exec-Program: /usr/local/freeradius/etc/raddb/nodomain.sh jdoe
Exec-Program output: jdoe
Exec-Program-Wait: plaintext: jdoe
Exec-Program: returned: 0
rlm_exec (exec): result 0
radius_xlat:  '(SamAccountName=jdoe )'
rlm_ldap: ldap_get_conn: Checking Id: 0


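As an added example (not the poster's nodomain.sh and not FreeRADIUS code), a Python version of the domain-stripping step that the exec xlat above calls, written on the assumption that the stray space comes from the script's output ending in a newline or space; it also shows the `(SamAccountName=...)` filter being built from the cleaned value with RFC 4515 escaping, so the user-supplied name cannot alter the filter's structure.

```python
"""Strip a DOMAIN\\user prefix without a trailing newline or space, then build the
LDAP filter from the cleaned value. Added example, not the poster's nodomain.sh;
assumes the stray space came from the script's output ending in a newline/space."""
import sys

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
_LDAP_ESCAPES = {"\x00": r"\00", "(": r"\28", ")": r"\29", "*": r"\2a", "\\": r"\5c"}


def strip_domain(raw_user: str) -> str:
    """Return the bare user name from 'DOMAIN\\user' (a name without a domain is
    returned as is). Surrounding whitespace, including the newline an 'echo'-style
    script emits, is removed so no stray space reaches the filter."""
    _domain, _sep, bare = raw_user.strip().rpartition("\\")
    return bare


def ldap_filter_escape(value: str) -> str:
    """Escape a user-supplied value before interpolating it into a filter, so a
    name such as 'j*oe)' cannot change the filter's structure."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def account_filter(raw_user: str, attr: str = "SamAccountName") -> str:
    """Filter equivalent to the log's '(SamAccountName=jdoe )', minus the space."""
    return f"({attr}={ldap_filter_escape(strip_domain(raw_user))})"


if __name__ == "__main__":
    # Run as an Exec-Program script with %u as the argument: write the bare name
    # with no trailing newline, which is what the LDAP filter should receive.
    sys.stdout.write(strip_domain(sys.argv[1]) if len(sys.argv) > 1 else "")
```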


RE: Throttle On Cap

2006-06-30 Thread Alex Abraham
I am trying to achieve the following simply: subscribers get an ADSL
connection where they get 200Mb usage @ 512k/256k, and when they have
exceeded 200Mb usage, the speed is throttled to 64/64k.

Cheers

Alex


 -Original Message-
 From: freeradius-users-
 [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of
 Stefan Winter
 Sent: Thursday, 29 June 2006 6:54 p.m.
 To: FreeRadius users mailing list
 Subject: Re: Throttle On Cap
 
  I need some help with implementing Throttle on Cap Usage type feature
 for
 
 Could you elaborate a bit what this Throttle on Cap Usage is supposed to
 do?
 
 Greetings,
 
 Stefan Winter
 


Re: error: Failed dependencies: libeap-1.1.2.so is needed by freeradius-1.1.2-0.i386

2006-06-30 Thread Kevin Bonner
On Thursday 29 June 2006 01:49, Alberto Cruz wrote:
 Hi Kevin and everybody.

 I'm attaching a file with all the warnings that I got with the rpmbuild
 process.

 It seems there is something wrong with the libtool

 Is this a problem related to RedHAT Enterprise 4.0 or is this a problem
 with the Make files process? Could anybody help me to fix this behavior?

 Regards

 Alberto Cruz

On my CentOS 4 test box, I tried building the 1.1.2 RPM and received the same 
errors I see in your output file.  I used the --with-system-libtool 
configure option to get the RPM build to work correctly.  My system libtool 
version is 1.5.6, and I've had no RPM build issues on older Fedora/CentOS 
boxes with system libtool versions of 1.5.X.

According to bug#330, someone tried building on CentOS 4 and had problems 
using the system libtool and GNU ld configure options, so those options were 
removed.

Kevin Bonner



Re: Throttle On Cap

2006-06-30 Thread Alan DeKok
Alex Abraham [EMAIL PROTECTED] wrote:
 I am trying to achieve the following simply, subscriber get a ADSL
 connection where they get 200Mb usage @ 512k/256k, and when they have
 exceeded 200Mb usage, the speed is throttled to 64/64k.

  Unless the NAS documentation explains how to do this, it's impossible.

  i.e. If the NAS supports Change of Authorization attributes, you
could give them one service to start, and then monitor the accounting
packets.  Once they hit 200Mb, you would have to run a script on the
server to send a CoA packet to the NAS, which *might* honor the request.

  Alan DeKok.

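As an added example (not code from the thread or from FreeRADIUS), a Python sketch of the accounting-monitoring step Alan describes: it totals each subscriber's Acct-Input/Output-Octets across accounting records, including the Gigawords high words that carry the 32-bit counter wraps, and returns who has reached the cap, which is the point at which a NAS-specific CoA script would be run. The records are constructed and the cap is assumed to be 200 MiB.

```python
"""Usage-cap tracking over RADIUS accounting, as the reply above describes: watch
accounting packets and flag subscribers who have reached the cap, so a CoA can be
sent. Added example, not the thread's code; records are constructed, cap assumed 200 MiB."""

CAP_BYTES = 200 * 1024 * 1024  # assumed cap: 200 MiB
GIGAWORD = 1 << 32             # Acct-*-Gigawords count 2^32-byte wraps (RFC 2869)


def session_bytes(rec: dict) -> int:
    """Octets in one accounting record: 32-bit counters plus Gigawords high words."""
    down = rec.get("Acct-Output-Gigawords", 0) * GIGAWORD + rec.get("Acct-Output-Octets", 0)
    up = rec.get("Acct-Input-Gigawords", 0) * GIGAWORD + rec.get("Acct-Input-Octets", 0)
    return up + down


def usage_per_user(records: list) -> dict:
    """Sum usage per User-Name. Counters within a session are cumulative, so only
    the latest record of each Acct-Session-Id counts; sessions are then summed."""
    latest = {}  # (user, session id) -> bytes reported by the most recent record
    for rec in records:
        if rec.get("Acct-Status-Type") == "Start":
            continue  # Start packets carry no counters
        latest[(rec["User-Name"], rec["Acct-Session-Id"])] = session_bytes(rec)
    totals = {}
    for (user, _sid), nbytes in latest.items():
        totals[user] = totals.get(user, 0) + nbytes
    return totals


def over_cap(records: list, cap: int = CAP_BYTES) -> list:
    """User-Names whose total usage has reached the cap; for each, the caller would
    run the NAS-specific CoA script, which the NAS may still refuse."""
    return sorted(u for u, n in usage_per_user(records).items() if n >= cap)


MiB = 1024 * 1024
# Constructed sample stream: one session with a cumulative Interim-Update and Stop,
# a second short session for the same user, and a session that wrapped past 4 GiB.
SAMPLE_RECORDS = [
    {"User-Name": "alex", "Acct-Session-Id": "s1", "Acct-Status-Type": "Start"},
    {"User-Name": "alex", "Acct-Session-Id": "s1", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 30 * MiB, "Acct-Output-Octets": 120 * MiB},
    {"User-Name": "alex", "Acct-Session-Id": "s1", "Acct-Status-Type": "Stop",
     "Acct-Input-Octets": 40 * MiB, "Acct-Output-Octets": 150 * MiB},
    {"User-Name": "alex", "Acct-Session-Id": "s2", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 1 * MiB, "Acct-Output-Octets": 10 * MiB},
    {"User-Name": "bob", "Acct-Session-Id": "s3", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 0, "Acct-Output-Octets": 5, "Acct-Output-Gigawords": 1},
]
```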


RE: Throttle On Cap

2006-06-30 Thread Alex Abraham
Hi Alan,

   i.e. If the NAS supports Change of Authorization attributes, you
 could give them one service to start, and then monitor the accounting
 packets.  Once they hit 200Mb, you would have to run a script on the
 server to send a CoA packet to the NAS, which *might* honor the request.
I had someone else tell me that this was the only way I could do this.  General
question: what are the typical types of models used overseas with ADSL?


As a workaround, do you think I could have the session time set to 1hr, whereby
the customer will need to log in again; then, during the login process, check
their usage, which will indicate if their usage is over, and then change
some attribute which controls the speed on the NAS.

I don't know freeradius well enough, but where could I invoke this in
Freeradius?

I also have these attributes specific to the vendor, could you advise me how
I can incorporate this into Freeradius.

Thanks in advance

Alex




How to Disable user

2006-06-30 Thread Jeremy ohara


hi there

i have Freeradius 1.0.5 and using MYSQL backend

how can i disable a user from logging in?

hope you can help.

Jeremy
