Can Simultaneous-Use be used with EAP-TLS?
I am using EAP-TLS for authentication, so I have no use for a backend DB to check username/password credentials. However, I would still like to prevent simultaneous logins with the same certificate. Is this possible without having an SQL database?

I have "Simultaneous-Users := 1" set in the "users" configuration file, but it doesn't seem to do anything. Clients are being checked against this line in "users":

    DEFAULT    Simultaneous-Use := 1

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
clients
I have a question: is it possible to have no secret for a client X?

Thanks,
Abel
dialup_admin
Hello,

I need to administer my freeradius+mysql, and I ask: is there some utility in addition to dialup_admin?

Thanks
Re: Proxy question
Alan DeKok wrote:
> Roberto Greiner <[EMAIL PROTECTED]> wrote:
>>> Show the *full* log.
>>
>> rad_recv: Access-Request packet from host E.F.G.H:4126, id=4, length=62
>>         User-Name = "[EMAIL PROTECTED]"
>
> Is this the log from the home server? If so, why? You already said
> the username wasn't stripped, so showing that the home server receives
> it non-stripped is pointless.
>
> If this is the log from the proxying server, then it's not doing
> proxying, so of course it isn't stripping the username.
>
>> rlm_realm: Adding Stripped-User-Name = "rgreiner"
>> rlm_realm: Proxying request from user rgreiner to realm test.com
>> rlm_realm: Adding Realm = "test.com"
>> rlm_realm: Authentication realm is LOCAL.
>
> You've marked that realm as something that shouldn't be proxied.
> Why do you expect it to be proxied?

Actually I don't want it to be proxied, only that it removes the realm part to handle it locally. But it's comparing the full entry (with realm) against the database name, instead of only the login.

Roberto

--
Marcos Roberto Greiner
"Optimists think we live in the best of all worlds; pessimists fear that this is true." -- Murphy
[EMAIL PROTECTED]
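The mismatch Roberto describes, as an added illustration that is not part of this thread or of FreeRADIUS itself: the radiusd -X output posted in this thread shows rlm_realm adding Stripped-User-Name = "rgreiner" and Realm = "test.com", while the radcheck query is still built from the full User-Name. The Python model below expands the two xlat forms %{Attr} and %{Attr:-default} (nested defaults allowed) and compares a lookup template of %{User-Name} with %{Stripped-User-Name:-%{User-Name}}. That the sql module's sql_user_name setting and the SQL-User-Name attribute are what carry this template is taken from the sql module's configuration file, not from the thread; the full username is reconstructed from the Stripped-User-Name and Realm shown in the log.

```python
"""Realm stripping versus the username used in the SQL lookup.

Added example, not code from the thread or from FreeRADIUS. It models
what the radiusd -X output in this thread shows: rlm_realm adds
Stripped-User-Name and Realm, but the SQL query uses the full User-Name.
The mini xlat expander supports only %{Attr} and %{Attr:-default}, which
is enough to show how a lookup template that falls back from
Stripped-User-Name to User-Name behaves. Treating sql_user_name as the
template behind the SQL-User-Name attribute is this example's assumption.
"""


def split_realm(user_name):
    """Mimic the suffix realm module: split 'user@realm' at the last '@'."""
    if "@" not in user_name:
        return {"User-Name": user_name}
    user, realm = user_name.rsplit("@", 1)
    return {"User-Name": user_name, "Stripped-User-Name": user, "Realm": realm}


def _matching_brace(s, open_idx):
    """Index of the '}' closing the '{' at open_idx, honouring nesting."""
    depth = 0
    for k in range(open_idx, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced braces in xlat: " + s)


def xlat(template, attrs):
    """Expand %{Attr} and %{Attr:-default}; a default may itself be an xlat."""
    out = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            j = _matching_brace(template, i + 1)
            body = template[i + 2:j]
            name, sep, default = body.partition(":-")
            value = attrs.get(name)
            if value is None:
                value = xlat(default, attrs) if sep else ""
            out.append(value)
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


# The radcheck query as it appears in the thread's log, with the username
# supplied through the SQL-User-Name attribute.
QUERY = ("SELECT id, UserName, Attribute, Value, op FROM radcheck "
         "WHERE Username = '%{SQL-User-Name}' ORDER BY id")


def build_query(user_name, sql_user_name="%{User-Name}"):
    """Build the radcheck query, parameterised on the sql_user_name template."""
    attrs = split_realm(user_name)
    attrs["SQL-User-Name"] = xlat(sql_user_name, attrs)
    return xlat(QUERY, attrs)


if __name__ == "__main__":
    # Constructed from the Stripped-User-Name and Realm in the posted log.
    name = "rgreiner@test.com"
    print(build_query(name))                                           # full name
    print(build_query(name, "%{Stripped-User-Name:-%{User-Name}}"))    # rgreiner
    print(build_query("bob", "%{Stripped-User-Name:-%{User-Name}}"))   # bob
```

The second template is the one to use when the realm module is meant to strip a local realm: a request that carried no '@' has no Stripped-User-Name, so the default branch keeps the lookup working for plain usernames too.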
Re: 1.1.3 or 2.0?
King, Michael wrote:
> -----Original Message-----
> I would say 1.1.3 is fine to use. 2.0 will be out in a few months, so
> you're free to upgrade then, too.
>
> I think the question he was trying to get across is: is 2.0 going to be
> significantly different from 1.1.3 from a config standpoint?

Actually it's both: to know if the new version was expected to be ready soon and if the general structure would be too different, but since it's still months before 2.0 is ready, I will go for 1.1.3. :-)

Thank you for the feedback,

Roberto

--
Marcos Roberto Greiner
"Optimists think we live in the best of all worlds; pessimists fear that this is true." -- Murphy
[EMAIL PROTECTED]
free radius ntlm_auth problem
Andris wrote:
...
> Usernames without whitespace authorize successfully. When I run
> ntlm_auth manually and type usernames like 'user 1' it works. And
> I want to put in an NT group requirement too, like 'Domain Users'. The
> ntlm_auth string is:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>     --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
>     --challenge=%{mschap:Challenge:-00}
>     --nt-response=%{mschap:NT-Response:-00}"

Try using:

    ntlm_auth = '...'

i.e. use single quotes rather than double quotes.

The issue appears to be that the User-Name string is expanded *before* the 'exec program' code is being called. That means the splitting of the program arguments by spaces is hitting the space in the username.

What *should* happen is that the entire string gets sent to the 'exec program' code, which splits the string by spaces, and *then* expands User-Name.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
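The two orders of operations Alan contrasts, shown as an added example that is not code from this thread or from FreeRADIUS: expanding the %{...} attributes first and then splitting the command line on whitespace (which is what breaks 'user 1'), versus splitting the literal command line first and expanding each argument afterwards. The tiny expander only understands the %{mschap:Name} and %{mschap:Name:-default} tokens used in Andris's ntlm_auth line and is an assumption of this example; the server's real xlat engine is richer, and the request attributes are constructed.

```python
"""Why a space inside User-Name breaks an exec'd ntlm_auth command line.

Added example, not code from the thread or from FreeRADIUS. It models
the two orders of operations described in Alan's answer: expand first
and then split on whitespace, versus split first and then expand each
argument. Only %{mschap:Name} and %{mschap:Name:-default} tokens are
understood here, which is an assumption of this demo.
"""
import re

# Constructed request attributes for a user whose name contains a space.
REQUEST = {
    "NT-Domain": "EXAMPLE",
    "User-Name": "user 1",
    "Challenge": "0123456789abcdef",
    "NT-Response": "00" * 24,
}

# The ntlm_auth line from the thread with the surrounding quotes removed;
# the quoting style is the knob Alan points at, the arguments are the same.
COMMAND = (
    "/usr/bin/ntlm_auth --request-nt-key "
    "--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} "
    "--challenge=%{mschap:Challenge:-00} "
    "--nt-response=%{mschap:NT-Response:-00}"
)

TOKEN = re.compile(r"%\{mschap:([A-Za-z-]+)(?::-([^}]*))?\}")


def expand(text, attrs):
    """Replace %{mschap:Attr} / %{mschap:Attr:-default} with the attribute value."""
    def sub(match):
        name, default = match.group(1), match.group(2)
        value = attrs.get(name)
        if value is None:
            return default if default is not None else ""
        return value
    return TOKEN.sub(sub, text)


def expand_then_split(command, attrs):
    """Broken order: the space inside 'user 1' becomes an argument boundary."""
    return expand(command, attrs).split()


def split_then_expand(command, attrs):
    """Correct order: split the literal line, then expand each argument."""
    return [expand(arg, attrs) for arg in command.split()]


def username_argument(argv):
    """Return the value of the --username= argument, or None if absent."""
    for arg in argv:
        if arg.startswith("--username="):
            return arg[len("--username="):]
    return None


if __name__ == "__main__":
    print("expand-then-split:", expand_then_split(COMMAND, REQUEST))  # '--username=user', stray '1'
    print("split-then-expand:", split_then_expand(COMMAND, REQUEST))  # '--username=user 1' kept whole
```

With the broken order the helper is invoked with seven arguments, the username truncated to 'user' and a stray '1' that ntlm_auth cannot interpret; with the correct order the six intended arguments survive and the username reaches the domain controller intact.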
Re: Freeradius is not restarting properly (fails to quit and becomes a zombie process)
Alan DeKok wrote:
> Jason Wittlin-Cohen <[EMAIL PROTECTED]> wrote:
>> Over the last few days I've been having a recurring problem. Whenever I
>> start Freeradius either with radiusd in a terminal or as a service in
>> Debian, I can not restart/kill radiusd properly if it's authenticated
>> any clients. Restarting the service says it's successful but the radius
>> log states that port 1812 is already in use. "top" shows 100% cpu usage
>
> It looks like http://bugs.freeradius.org/show_bug.cgi?id=365
>
> The solution is to not re-initialize the modules on HUP. It works in
> *most* cases, because the code handling the HUP tries to wait until all
> of the modules have stopped. But if your back-end DB's are slow, it
> doesn't have much choice but to proceed with handling the HUP.
>
> Most people don't see it because the modules respond quickly.
>
> I'd say the first step to a work-around is to make sure none of the
> modules you're using are blocking the server.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

I have discovered the root of the problem. When I enable the "check_cert_cn = %{User-Name}" option in eap.conf and successfully authenticate 1 user, a restart or stop of the radiusd service leads to a zombie process which needs to be killed with "kill -9". If this option is disabled, as is the default setting, radiusd can be restarted normally without issue.

This issue does not occur if either a) no users have attempted to authenticate, or b) users have authenticated but were rejected.

Is this a known issue?

Jason Wittlin-Cohen
Re: Can Session-Timeout be used to force users to re-authenticate?
Jason Wittlin-Cohen <[EMAIL PROTECTED]> wrote:
> I am trying to force my wireless clients to re-authenticate with the
> RADIUS server every 30 minutes (1800 seconds) with the Session-Timeout
> setting. Currently I am testing with just one user, and the
> Session-Timeout = 1800 setting is being sent with the RADIUS Access-Accept
> message (I can see it in the Access-Accept message when I run in
> debug mode). However, this seems to have no effect. The user does not
> re-authenticate at the given interval.

Then the AP does not support Session-Timeout. There really isn't a good way to do this, if the AP doesn't support it.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Adding proxying to our EAP setup
Hello,

I've been using FreeRADIUS for years to do PEAP/MSCHAP2 WPA authentications, and it's worked well enough to be a set-it-and-forget-it solution. I'm currently running 1.0.4, but would upgrade if it would help me accomplish the goals in this message. However, a changing environment brings me back into the config, and I'm not sure how to do what I want.

We've been using ntlm_auth against the AD for our primary authentication, with a fallback to sql and plaintext passwords for local accounts. I'd like to change from maintaining my own sql copy/user database to RADIUS proxying to someone else's server. From a few trial/error tests, I have two questions about proxying and EAP.

What's the recommended way to configure failover proxying/realms when there's no realm-ish identifier? When "user" logs in, I want them to check against ntlm_auth, and if that fails, resort back to a proxied realm as "user". Right now, I'm doing that via the default config realm suffix {} module, and a realm NULL section in proxy.conf. Is there a better way? Hints or something? Does this involve the configurable_failover documentation?

The second question involves proxies and EAP. Since the upstream RADIUS server I'm proxying to doesn't seem to support EAP, is it even possible for my RADIUS server (in its PEAP/MSCHAPv2 decoding) to create a 'normal' RADIUS packet to relay? Or do I have to get the upstream server to support EAP? It seems like if the suffix (realm) module is anywhere in the authorize section, it proxies the entire EAP packet. Can I tell it only to do that at a certain stage in the process? How would you recommend I configure this?

Dave
Can Session-Timeout be used to force users to re-authenticate?
Is it possible to use the Session-Timeout setting to force wireless clients to re-authenticate with the RADIUS server at a given interval? Unfortunately my Access Point does not provide this functionality, so I either have to do it via a supplicant such as the Funk Odyssey Client or on the Freeradius server.

I am running Freeradius 1.1.3 on a Debian Sarge 3.1 system and I'm using EAP-TLS for authentication. I don't think it matters, but I'm using a Buffalo WHR-G54S Wireless Router with the DD-WRT v23 SP2 firmware.

I am trying to force my wireless clients to re-authenticate with the RADIUS server every 30 minutes (1800 seconds) with the Session-Timeout setting. Currently I am testing with just one user, and the Session-Timeout = 1800 setting is being sent with the RADIUS Access-Accept message (I can see it in the Access-Accept message when I run in debug mode). However, this seems to have no effect. The user does not re-authenticate at the given interval.

Here's my setting from the users file:

    "Jason Wittlin-Cohen"    Session-Timeout = 1800
Re: two or more ippool
Thanks for the reply. I can't subdivide into two groups ... I need 1 group, with several pools ...

Thanks
- Roberto Gonzalez Azevedo

Jan Mulders wrote:
> You're using the wrong syntax for including the pools in each section.
>
> Here's an example from my own config...
>
> modules {
>     ippool 512k_high {
>         # range-start,range-stop: The start and end ip
>         # addresses for the ip pool
>         range-start = x.x.x.6
>         range-stop = x.x.x.66
>
>         # netmask: The network mask used for the ip's
>         netmask = 255.255.255.0
>
>         # cache-size: The gdbm cache size for the db
>         # files. Should be equal to the number of ip's
>         # available in the ip pool
>         cache-size = 60
>
>         # session-db: The main db file used to allocate ip's to clients
>         session-db = ${raddbdir}/ippool.512k_high
>
>         # ip-index: Helper db index file used in multilink
>         ip-index = ${raddbdir}/ipindex.512k_high
>
>         # override: Will this ippool override a Framed-IP-Address already set
>         override = no
>
>         # maximum-timeout: If not zero specifies the maximum time in seconds an
>         # entry may be active. Default: 0
>         maximum-timeout = 0
>     }
>     ippool 512k_low {
>     ...
>
> instantiate {
> }
>
> authorize {
>     preprocess
>     sql
> }
>
> authenticate {
>     pap
> }
>
> preacct {
>     preprocess
> }
>
> accounting {
>     radutmp
>     512k_high
>     512k_low
>     10m_high
>     10m_low
>     sql
> }
>
> session {
>     radutmp
>     sql
> }
>
> post-auth {
>     sql
>     512k_high
>     512k_low
>     10m_high
>     10m_low
> }
>
> Also, I notice that 'mygroup' has IP assignments from 2 pools. This
> can't work, because RADIUS will just select the first one it gets from
> MySQL. May I suggest either subdividing your users into two groups, or
> merging the two groups?
>
> Hope this helps,
>
> Jan
Re: Proxy question
Roberto Greiner <[EMAIL PROTECTED]> wrote:
>> Show the *full* log.
>
> rad_recv: Access-Request packet from host E.F.G.H:4126, id=4, length=62
>         User-Name = "[EMAIL PROTECTED]"

Is this the log from the home server? If so, why? You already said the username wasn't stripped, so showing that the home server receives it non-stripped is pointless.

If this is the log from the proxying server, then it's not doing proxying, so of course it isn't stripping the username.

> rlm_realm: Adding Stripped-User-Name = "rgreiner"
> rlm_realm: Proxying request from user rgreiner to realm test.com
> rlm_realm: Adding Realm = "test.com"
> rlm_realm: Authentication realm is LOCAL.

You've marked that realm as something that shouldn't be proxied. Why do you expect it to be proxied?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius bug?
"Abel Monzon" <[EMAIL PROTECTED]> wrote: ... > auth: No authenticate method (Auth-Type) configuration found for the > request: Rejecting the user You didn't tell the server what the "known good' password is for the user. See the FAQ for how to configure a test user. There IS documentation for the server. Go read it. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Windows Vista doing PEAP
"King, Michael" <[EMAIL PROTECTED]> wrote: > Not to rude, have you had a chance to poke that Patch again? Reload it from the same URL as last time. If it still crashes, see doc/bugs. I don't see how it can crash at all, so the crash looks like a symptom of another issue. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 1.1.3 or 2.0?
Alan DeKok wrote:
> Roberto Greiner <[EMAIL PROTECTED]> wrote:
>> I have a server running GNU-Radius 1.3, and was preparing to migrate it
>> to FreeRadius 1.1.3, but on recent messages I noticed that 2.0 is being
>> developed. My doubt is, should I go ahead and install 1.1.3, or wait and
>> go straight for 2.0? The GNU-Radius machine is not giving me troubles
>> for now, and there are no heavy time constraints to make the switch.
>> Should I wait or go now for 1.1.3, updating later to 2.0?
>
> I would say 1.1.3 is fine to use. 2.0 will be out in a few months,
> so you're free to upgrade then, too.
>
> Alan DeKok.

Ok. Thx

Roberto

--
Marcos Roberto Greiner
"Optimists think we live in the best of all worlds; pessimists fear that this is true." -- Murphy
[EMAIL PROTECTED]
RE: 1.1.3 or 2.0?
-----Original Message-----
> I would say 1.1.3 is fine to use. 2.0 will be out in a few months, so
> you're free to upgrade then, too.

I think the question he was trying to get across is: is 2.0 going to be significantly different from 1.1.3 from a config standpoint?
Re: Proxy question
Alan DeKok wrote:
> Roberto Greiner <[EMAIL PROTECTED]> wrote:
>> But when I send a user with the test.com domain, it wasn't stripped. The
>> radiusd -X log below shows the behavior:
>
> Show the *full* log.

rad_recv: Access-Request packet from host E.F.G.H:4126, id=4, length=62
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "teste"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: Looking up realm "test.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "test.com"
    rlm_realm: Adding Stripped-User-Name = "rgreiner"
    rlm_realm: Proxying request from user rgreiner to realm test.com
    rlm_realm: Adding Realm = "test.com"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 3
  modcall[authorize]: module "files" returns notfound for request 3
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 0
rlm_sql (sql): User not found
  modcall[authorize]: module "sql" returns notfound for request 3
modcall: leaving group authorize (returns ok) for request 3
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [[EMAIL PROTECTED]/teste] (from client dsu24 port 0)
Sending Access-Reject of id 4 to 143.107.71.24 port 4126
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 4 with timestamp 4526adb5
Nothing to do.  Sleeping until we see a request.

--
Marcos Roberto Greiner
"Optimists think we live in the best of all worlds; pessimists fear that this is true." -- Murphy
[EMAIL PROTECTED]
RE: Windows Vista doing PEAP
Not to be rude, have you had a chance to poke that Patch again?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 04, 2006 6:54 PM
To: FreeRadius users mailing list
Subject: Re: Windows Vista doing PEAP

"King, Michael" <[EMAIL PROTECTED]> wrote:
> Things didn't work so hot. :-( Seg Fault

Arg. I'll go back and poke the patch again.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: I want to use freeradius to manage my socks5 proxy
taft <[EMAIL PROTECTED]> wrote:
> socks v5 can support EAP authentication, and I figure out that freeradius
> can do that too. So I am wondering if EAP is a connection between socksv5
> and freeradius.

Once again, very slowly.

If the socks program you're using doesn't say it can use RADIUS, you can't integrate them.

EAP is not RADIUS. EAP is transported over RADIUS. See the documentation. But for that to work, you need a RADIUS implementation in the socks program.

Again, that means reading the documentation of the socks program you're using.

... As I said before.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: two or more ippool
You're using the wrong syntax for including the pools in each section.

Here's an example from my own config...

modules {
    ippool 512k_high {
        # range-start,range-stop: The start and end ip
        # addresses for the ip pool
        range-start = x.x.x.6
        range-stop = x.x.x.66

        # netmask: The network mask used for the ip's
        netmask = 255.255.255.0

        # cache-size: The gdbm cache size for the db
        # files. Should be equal to the number of ip's
        # available in the ip pool
        cache-size = 60

        # session-db: The main db file used to allocate ip's to clients
        session-db = ${raddbdir}/ippool.512k_high

        # ip-index: Helper db index file used in multilink
        ip-index = ${raddbdir}/ipindex.512k_high

        # override: Will this ippool override a Framed-IP-Address already set
        override = no

        # maximum-timeout: If not zero specifies the maximum time in seconds an
        # entry may be active. Default: 0
        maximum-timeout = 0
    }
    ippool 512k_low {
    ...

instantiate {
}

authorize {
    preprocess
    sql
}

authenticate {
    pap
}

preacct {
    preprocess
}

accounting {
    radutmp
    512k_high
    512k_low
    10m_high
    10m_low
    sql
}

session {
    radutmp
    sql
}

post-auth {
    sql
    512k_high
    512k_low
    10m_high
    10m_low
}

Also, I notice that 'mygroup' has IP assignments from 2 pools. This can't work, because RADIUS will just select the first one it gets from MySQL. May I suggest either subdividing your users into two groups, or merging the two groups?

Hope this helps,

Jan

On 06/10/06, Roberto Gonzalez Azevedo <[EMAIL PROTECTED]> wrote:
> I'm having some trouble with ippool. I have some IP pools which need to
> be distributed to my clients. Here is an example from my radiusd.conf:
>
> ...
> ippool p0 {
>     range-start = xx.xx.xx.1
>     range-stop = xx.xx.xx.20
>     netmask = 255.255.255.0
>     cache-size = 32
>     session-db = ${raddbdir}/ippool/db.ippool.p0
>     ip-index = ${raddbdir}/ippool/db.ipindex.p0
>     override = yes
>     maximum-timeout = 0
> }
> ippool p1 {
>     range-start = xx.xx.xx.21
>     range-stop = xx.xx.xx.40
>     netmask = 255.255.255.0
>     cache-size = 32
>     session-db = ${raddbdir}/ippool/db.ippool.p1
>     ip-index = ${raddbdir}/ippool/db.ipindex.p1
>     override = yes
>     maximum-timeout = 0
> }
> ...
>
> In accounting:
>
> accounting {
>     ...
>     group mypools {
>         p0
>         p1
>     }
>     ...
> }
>
> In post-auth:
>
> post-auth {
>     ...
>     group mypools {
>         p0
>         p1
>     }
>     ...
> }
>
> In (mysql) radgroupcheck:
>
> +----+-----------+-----------+----+-------+------+
> | id | GroupName | Attribute | op | Value | prio |
> +----+-----------+-----------+----+-------+------+
> | 30 | mygroup   | Pool-Name | := | p0    |    1 |
> | 31 | mygroup   | Pool-Name | := | p1    |    1 |
> ...
>
> It's working, but my clients only get IPs from the first pool (p0).
> They never get any from the other pools (p1, p2 ...).
>
> Has somebody already had a problem like this?
>
> Thanks !!!
>
> - Roberto Gonzalez Azevedo
Re: 1.1.3 or 2.0?
Roberto Greiner <[EMAIL PROTECTED]> wrote:
> I have a server running GNU-Radius 1.3, and was preparing to migrate it
> to FreeRadius 1.1.3, but on recent messages I noticed that 2.0 is being
> developed. My doubt is, should I go ahead and install 1.1.3, or wait and
> go straight for 2.0? The GNU-Radius machine is not giving me troubles
> for now, and there are no heavy time constraints to make the switch.
> Should I wait or go now for 1.1.3, updating later to 2.0?

I would say 1.1.3 is fine to use. 2.0 will be out in a few months, so you're free to upgrade then, too.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: free radius ntlm_auth problem
Andris <[EMAIL PROTECTED]> wrote:
> I successfully installed a free radius server with ntlm_auth, but have one
> problem. I have user names in a Windows 2003 domain with whitespace like
> 'user 1' 'user 2' (I know this is a bit lame, but they were created
> years ago and would be very hard to change); these usernames with whitespace
> won't authorize through the ntlm_auth string.

So... what command is being executed? What are the results?

Again, showing the output of debugging mode is MUCH MORE HELPFUL than saying "stuff doesn't work".

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Proxy question
Roberto Greiner <[EMAIL PROTECTED]> wrote:
> But when I send a user with the test.com domain, it wasn't stripped. The
> radiusd -X log below shows the behavior:

Show the *full* log.

> modcall[authorize]: module "files" returns notfound for request 0
> radius_xlat: '[EMAIL PROTECTED]'

ok... and the logs don't show it being proxied. So you're asking a question about why isn't the proxy code doing what you want, and you haven't shown the server doing any proxying.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius bug?
Hello, why, if I have this configuration in my clients.conf:

client localhost {
    secret = testing123
    nastype = other
    shortname = localhost
    login = test
    password = test
}

and I try

    # radtest test test localhost testing123

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Thursday, October 05, 2006 10:20 PM
Subject: Re: freeradius bug?

> "Abel Monzon" <[EMAIL PROTECTED]> wrote:
>> Why is it an Access-Reject? Is there a bug in freeradius?
>
> Run the server in debugging mode and it will tell you why it's sending
> a reject.
>
> This is documented in the README, FAQ, INSTALL, and daily on this list.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

This is the answer of radtest:

 Module: Instantiated files (files)
 Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
 Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 201.220.197.67:32840, id=166, length=50
        Service-Type = Framed-User
        User-Name = "test"
        User-Password = "test"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [test/test] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 166 to 201.220.197.67 port 32840
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 166 with timestamp 4526856b
Nothing to do.  Sleeping until we see a request.

I don't see the problem.
Re: users-file overruling anything else
"florian.prester" <[EMAIL PROTECTED]> wrote: > Now my problem are users not listed in the ldap-system. I want to use > the users-file to overrule the ldap-system. Meaning if a user is found > in the users-file and the password matches, ignore everything else. The problem is that the "users" file doesn't do authentication. It only stores a "known good" password for a user. My suggestion is to do: authorize { preprocess chap mschap eap perl files { ok = return updated = return } ldap } And PLEASE don't set "Auth-Type := Local". The "users" file entries should look like: usernameUser-Password := "password" ... Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting Logs
"Kevin Hemsley" <[EMAIL PROTECTED]> wrote: > With FreeRadius, Is it possible to log accounting data to both SQL and > to standard Radius files? Yes. Just list "detail" and "sql" in the relevant accounting sections. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Called-Station-ID and Cisco AP's
> LAN MAC Address: 00:17:94:EE:D8:C6
> Radio 1 MAC Address: 00:17:0F:8C:25:C0
> Radio 2 MAC Address: 00:17:0F:90:25:C0

At the risk of this sounding like a stupid question... If you do a "show run" in enable mode, do you see a mac-address command after the radio interface (i.e., have you manually changed the MAC addr of the radio)? It is possible to manually change it:

    int d0
     mac-address 0017.0f8c.25c1

Even if you do this, a "sh int" command will still show the real MAC address (I just tried this on one of my test APs).
RE: Called-Station-ID and Cisco AP's
> Thanks. What version of IOS are you running?

Most are at 12.3(7)JA2. Some of our newer AP's are at 12.3(8)JA.
Need a real Free Radius admin . . .
I am looking for a real freeradius admin who knows exactly what they are doing. Should be experienced, with some references. We need advice, setup, some maintenance, and support. Please send me your details.

-Troy
msn via [EMAIL PROTECTED]
Re: I want to use freeradius to manage my socks5 proxy
socks v5 can support EAP authentication, and I figured out that freeradius can do that too. So I am wondering if EAP is a connection between socksv5 and freeradius. Has anyone else had some similar experience?

Thank you

2006/10/6, Alan DeKok <[EMAIL PROTECTED]>:
> taft <[EMAIL PROTECTED]> wrote:
>> I do not know how to integrate socks5 authentication and freeradius
>> together.
>
> If the socks program you're using doesn't say it can use RADIUS, you
> can't integrate them.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

--
please visit my blog http://blog.csdn.net/taft
RE: Called-Station-ID and Cisco AP's
I have just found out that the Cisco, when announcing multiple SSIDs, will create a virtual MAC for them. So it looks like this is a 'feature'.

Thanks.

On Fri, 6 Oct 2006, Walter Reynolds wrote:
> Date: Fri, 6 Oct 2006 09:13:20 -0400
> From: "Garber, Neal" <[EMAIL PROTECTED]>
> Subject: RE: Called-Station-ID and Cisco AP's
> To: "FreeRadius users mailing list"
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
>> Called-Station-Id = "0017.0f8c.25c1"
>> However, the cisco itself shows something slightly different:
>> Mac Address 0017.0f8c.25c0
>
> Does your AP have two radios? If so, is this the MAC of the other radio?

Yes it does, but this is not the MAC address for the LAN interface nor either of the radios:

    LAN MAC Address:     00:17:94:EE:D8:C6
    Radio 1 MAC Address: 00:17:0F:8C:25:C0
    Radio 2 MAC Address: 00:17:0F:90:25:C0

>> Have others seen/noticed this before? ... If not, can anyone else look
>> and see if they are having a similar issue?
>
> We use Cisco 1232 AP's and I'm not seeing this problem. The
> Called-Station-ID is the MAC of the AP and the Calling-Station-ID is the
> MAC of my XP laptop that associated to the AP.

Thanks. What version of IOS are you running?

--
Walter Reynolds
Principle Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734)615-9438
Re: Called-Station-ID and Cisco AP's
Hi,

> I am just starting looking into this, but it seems that the
> Called-Station-ID being logged from my Cisco AP's is off: What I see in
> the log is the following:

this COULD be the way that CISCO differentiates different VLANs on its AP when running in autonomous mode (are you running autonomous or LWAPP mode? you didn't say), ie

first WLAN   0017.0f8c.25c0
second WLAN  0017.0f8c.25c1
third WLAN   0017.0f8c.25c2

etc (hence things like the maximum of 8 WLANs on the autonomous etc) - it's certainly plausible and matches how they use MAC addresses on their other devices for various functions. we aren't having this issue, but we are using Cisco 1131/1232 APs in LWAPP mode talking to 1.1.3 FreeRADIUS systems, so there may be some big differences in architecture there.

> Here is the information on AP
> Cisco Aironet 1200 IOS
> Firmware: 12.3(8)JA2

well, that's nice and up to date. 12.3(8)JEA does fix a lot of other things though ;-)

alan
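The per-SSID numbering described above (base radio MAC, then +1 per WLAN) can be normalized on the RADIUS side when matching Called-Station-Id against an inventory of AP radios. This Python example is added here and is not part of the thread; it assumes that a Cisco autonomous AP derives one BSSID per SSID by incrementing the low bits of the radio's base MAC, and takes the 8-WLAN limit mentioned above as the size of that index (the `AP_RADIOS` inventory is constructed from the MACs quoted in the thread).

```python
import re
from typing import Dict, Optional

# Added example, not from the thread. Assumption: a Cisco autonomous AP
# derives one BSSID per SSID by incrementing the low bits of the radio's
# base MAC (..25c0, ..25c1, ..25c2, ...), with at most 8 WLANs per radio.
WLANS_PER_RADIO = 8
_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(station_id: str) -> str:
    """Return a MAC as 12 lowercase hex digits.

    Accepts the Cisco dotted form seen in Called-Station-Id
    ("0017.0f8c.25c1"), colon form ("00:17:0F:8C:25:C0") or dashed form.
    """
    digits = _NON_HEX.sub("", station_id.lower())
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {station_id!r}")
    return digits


def _ssid_bits(wlans_per_radio: int) -> int:
    # 8 WLANs -> indices 0..7 -> the 3 low bits of the last octet
    return (wlans_per_radio - 1).bit_length()


def base_radio_mac(station_id: str, wlans_per_radio: int = WLANS_PER_RADIO) -> str:
    """Clear the SSID-index bits so a virtual BSSID maps to its radio's MAC."""
    mask = (1 << _ssid_bits(wlans_per_radio)) - 1
    value = int(normalize_mac(station_id), 16) & ~mask
    return f"{value:012x}"


def ssid_index(station_id: str, wlans_per_radio: int = WLANS_PER_RADIO) -> int:
    """Which SSID slot (0-based) a Called-Station-Id was announced from."""
    mask = (1 << _ssid_bits(wlans_per_radio)) - 1
    return int(normalize_mac(station_id), 16) & mask


def find_radio(called_station_id: str, radios: Dict[str, str]) -> Optional[str]:
    """Look a Called-Station-Id up in an inventory {radio_mac: label}.

    An exact match wins; otherwise fall back to the base radio MAC so the
    per-SSID variants (..25c1, ..25c2) still resolve to the right AP.
    """
    normalized = {normalize_mac(mac): label for mac, label in radios.items()}
    exact = normalized.get(normalize_mac(called_station_id))
    if exact is not None:
        return exact
    return normalized.get(base_radio_mac(called_station_id))


# Constructed inventory built from the radio MACs quoted in this thread.
AP_RADIOS = {
    "00:17:0F:8C:25:C0": "ap1200-1 radio 1",
    "00:17:0F:90:25:C0": "ap1200-1 radio 2",
    "00:13:60:78:76:60": "ap1200-2 radio 1",
}

if __name__ == "__main__":
    # Constructed Called-Station-Id values as an AP would send them.
    for seen in ("0017.0f8c.25c1", "0013.6078.7661", "0017.0f90.25c3"):
        print(seen, "->", find_radio(seen, AP_RADIOS), "ssid slot", ssid_index(seen))
```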
two or more ippool
I'm having some trouble with ippool. I have some IP pools that need to be distributed to my clients. Here is an example, my radiusd.conf:

...
ippool p0 {
    range-start = xx.xx.xx.1
    range-stop = xx.xx.xx.20
    netmask = 255.255.255.0
    cache-size = 32
    session-db = ${raddbdir}/ippool/db.ippool.p0
    ip-index = ${raddbdir}/ippool/db.ipindex.p0
    override = yes
    maximum-timeout = 0
}
ippool p1 {
    range-start = xx.xx.xx.21
    range-stop = xx.xx.xx.40
    netmask = 255.255.255.0
    cache-size = 32
    session-db = ${raddbdir}/ippool/db.ippool.p1
    ip-index = ${raddbdir}/ippool/db.ipindex.p1
    override = yes
    maximum-timeout = 0
}
...

In accounting:

accounting {
    ...
    group mypools {
        p0
        p1
    }
    ...
}

In post-auth:

post-auth {
    ...
    group mypools {
        p0
        p1
    }
    ...
}

In (mysql) radgroupcheck:

+----+-----------+-----------+----+-------+------+
| id | GroupName | Attribute | op | Value | prio |
+----+-----------+-----------+----+-------+------+
| 30 | mygroup   | Pool-Name | := | p0    |    1 |
| 31 | mygroup   | Pool-Name | := | p1    |    1 |
...

It's working, but my clients only catch IPs from the first pool (p0). They never catch from the other pools (p1, p2 ...). Has somebody already had a problem like this?

Thanks!!!

--
Roberto Gonzalez Azevedo
Re: Authentication problem
2006/10/6, Alan DeKok <[EMAIL PROTECTED]>:
> Apparently Chillispot doesn't support EAP.

I have launched chilli with --eapolenable and without, with the same results. Really, I don't know what to think. However, thank you Alan.

> Alan DeKok.

Giusy
Accounting Logs
With FreeRadius, is it possible to log accounting data to both SQL and to standard Radius files? We would like to upgrade our Cistron Radius to FreeRadius, and our accounting system (Rodopi) uses standard Radius logs, but we would like to switch to SQL.

Thanks,
Kevin.

--
Kevin Hemsley
[EMAIL PROTECTED]
NF7J
users-file overruling anything else UPDATE
Hi,

I am using freeradius+perl+ldap. Meaning for every request I get the user's information from an LDAP server, run it through some perl code to distinguish some users from others for some reason (:-)). Now my problem is users not listed in the ldap system. I want to use the users file to overrule the ldap system. Meaning if a user is found in the users file and the password matches, ignore everything else. I think I had it working already, but somehow it does not work anymore! :-(

My authorization section looks as follows:

authorize {
    preprocess
    chap
    mschap
    eap
    #
    # Read the 'users' file
    files
    #
    # The ldap module will set Auth-Type to LDAP if it has not
    # already been set
    ldap    # needed to get user information
    perl    # needed to twist the users a little bit :-)
}

my users file is standard, containing:

"help"  Auth-Type := Local, User-Password == "support"
        Idle-Timeout := 30

UPDATE: Maybe my perl code is the problem, because I do a REJECT by the Perl module if the user is not found in the LDAP! Hm, I should not do that, should I? I can grant access, but I should not deny it, if I want to grant it later?!

Thanks for your help,
Florian Prester
Proxy question
Hi,

I'm having a small problem with the proxy.conf file. I added the following entry to proxy.conf:

realm test.com {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
    secret   = foobar
    strip
}

But when I send a user with the test.com domain, it wasn't stripped. The radiusd -X log below shows the behavior:

modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "test.com" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "test.com"
rlm_realm: Adding Stripped-User-Name = "rgreiner"
rlm_realm: Proxying request from user rgreiner to realm test.com
rlm_realm: Adding Realm = "test.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
modcall[authorize]: module "files" returns notfound for request 0
radius_xlat: '[EMAIL PROTECTED]'

I've tried removing the realm LOCAL entry from proxy.conf, without result. The realm DEFAULT with authhost = LOCAL or = localhost didn't solve it either. The only way I managed to get this to work was to write

realm test.com {
    authhost = a.b.c.d
    .
}

With a.b.c.d being the local server's real IP (not the localhost IP). Is that the proper way to do it or am I missing something?

Thank you,
Roberto

--
Marcos Roberto Greiner
Optimists think we live in the best of all possible worlds.
Pessimists are afraid this is true.
-- Murphy
[EMAIL PROTECTED]
users-file overruling anything else
Hi,

I am using freeradius+perl+ldap. Meaning for every request I get the user's information from an LDAP server, run it through some perl code to distinguish some users from others for some reason (:-)). Now my problem is users not listed in the ldap system. I want to use the users file to overrule the ldap system. Meaning if a user is found in the users file and the password matches, ignore everything else. I think I had it working already, but somehow it does not work anymore! :-(

My authorization section looks as follows:

authorize {
    preprocess
    chap
    mschap
    eap
    #
    # Read the 'users' file
    files
    #
    # The ldap module will set Auth-Type to LDAP if it has not
    # already been set
    ldap    # needed to get user information
    perl    # needed to twist the users a little bit :-)
}

my users file is standard, containing:

"help"  Auth-Type := Local, User-Password == "support"
        Idle-Timeout := 30

Thanks for your help,
Florian Prester
RE: Called-Station-ID and Cisco AP's
> Date: Fri, 6 Oct 2006 09:13:20 -0400
> From: "Garber, Neal" <[EMAIL PROTECTED]>
> Subject: RE: Called-Station-ID and Cisco AP's
> To: "FreeRadius users mailing list"
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
> > Called-Station-Id = "0017.0f8c.25c1"
> > However, the cisco itself shows something slightly different:
> > Mac Address 0017.0f8c.25c0
>
> Does your AP have two radios? If so, is this the MAC of the other radio?

Yes it does, but this is not the MAC address for the LAN interface nor either of the radios:

LAN MAC Address: 00:17:94:EE:D8:C6
Radio 1 MAC Address: 00:17:0F:8C:25:C0
Radio 2 MAC Address: 00:17:0F:90:25:C0

> > Have others seen/noticed this before? ... If not, can anyone else look and see if they are having a similar issue?
>
> We use Cisco 1232 AP's and I'm not seeing this problem. The Called-Station-ID is the MAC of the AP and the Calling-Station-ID is the MAC of my XP laptop that associated to the AP.

Thanks.

What version of IOS are you running?

--
Walter Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734)615-9438
mac and username
Hi all, first time posting here.

Is it possible to reject a user based on User-Name and Calling-Station-Id? What I would like to do is reject specific users from logging in on specific machines. And if yes, if it's possible, an example of the SQL query or config would be appreciated.

Thank you all
JP
Re: Huntgroups, Realms, MySQL
G'day mate, thanks for the quick reply.

I already have this in my radiusd.conf:

realm suffix {
    format = suffix
    delimiter = "@"
    ignore_default = no
    ignore_null = no
}

The huntgroups file looks like this:

wireless    NAS-IP-Address == 127.0.0.1
wireless    NAS-IP-Address == localhost.localdomain
            SQL-Group == 3072BY256

radgroupcheck table:

| 8 | netmaster | Huntgroup-Name | == | netmaster |
| 6 | 3072BY256 | Huntgroup-Name | == | wireless  |
| 7 | 3072BY256 | Auth-Type      | += | local     |
| 9 | netmaster | Auth-Type      | += | local     |

All of this is still in a test environment so I am able to change whatever is needed.

--
Brad McAllister
[EMAIL PROTECTED]

On Oct 5, 2006, at 6:13 PM, James Wakefield wrote:

> Brad McAllister wrote:
> > If I remove the huntgroups out of the picture, it works fine. The problem seems to be that the realm is not being stripped off of the username when it checks it against the usergroup table. If more information is needed, please let me know. I would really like to get this working. Thanks!
> > - Brad
>
> Have a look at the realm { } instances and attr_rewrite in http://wiki.freeradius.org/Radiusd.conf. If that doesn't sort you out, could you post (with private info obscured, of course) relevant excerpts from your radgroupcheck table and huntgroups file?
>
> Cheers,
> --
> James Wakefield, Unix Administrator, Information Technology Services Division
> Deakin University, Geelong, Victoria 3217 Australia.
> Phone: 03 5227 8690 International: +61 3 5227 8690
> Fax: 03 5227 8866 International: +61 3 5227 8866
> E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au
Re: I want to use freeradius to manage my socks5 proxy
taft <[EMAIL PROTECTED]> wrote:
> I do not know how to integrate socks5 authentication and freeradius
> together.

If the socks program you're using doesn't say it can use RADIUS, you can't integrate them.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Authentication problem
"Giuseppina Venezia" <[EMAIL PROTECTED]> wrote: > The core of this problem is an error that returns with chillispot when > I authenticate a client with WPA-EAP. > .. > > chillispot[15816]: radius.c: 1634: Received unknown radius packet 11! Apparently Chillispot doesn't support EAP. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
"Mak Moussa" <[EMAIL PROTECTED]> wrote: > Would you still say that it is the ttls.c code, even though ttls w/mschap > worked fine? Yes. > I am looking for a differentiator in the code between mschap and mschapv2, Like the code I pointed you to? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS user Survey
Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> In the first question (How large is your organization?)
> the range 101 - 1000 is missing...
>
> In the question (How many RADIUS client machines do you have?)
> is the last range >101?

Fixed, thanks.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Called-Station-ID and Cisco AP's
> Called-Station-Id = "0017.0f8c.25c1"
> However, the cisco itself shows something slightly different:
> Mac Address 0017.0f8c.25c0

Does your AP have two radios? If so, is this the MAC of the other radio?

> Have others seen/noticed this before? ... If not, can
> anyone else look and see if they are having a similar issue?

We use Cisco 1232 AP's and I'm not seeing this problem. The Called-Station-ID is the MAC of the AP and the Calling-Station-ID is the MAC of my XP laptop that associated to the AP.
Called-Station-ID and Cisco AP's
I am just starting to look into this, but it seems that the Called-Station-ID being logged from my Cisco AP's is off. What I see in the log is the following:

Called-Station-Id = "0017.0f8c.25c1"

However, the cisco itself shows something slightly different:

Mac Address 0017.0f8c.25c0

As you can see, the last digit is off. This is not the only one. Another example:

Called-Station-Id = "0013.6078.7661"
MAC Address 00:13:60:78:76:60

The only other system I have on the system (Bluesocket) does not have this discrepancy. I have searched through the archives, but trying to limit the search by Called-Station-Id and cisco does not help a lot. Have others seen/noticed this before? If so, any pointers to information on it? If not, can anyone else look and see if they are having a similar issue?

Here is the information on the AP:

Cisco Aironet 1200 IOS
Firmware: 12.3(8)JA2
Using FreeRadius 1.1.2

The only conf file that even mentioned Called-Station-Id (that I am using) is radiusd.conf. Here is the subsection:

#attr_rewrite sanecallerid {
#       attribute = Called-Station-Id
#       # may be "packet", "reply", "proxy", "proxy_reply" or "config"
#       searchin = packet
#       searchfor = "[+ ]"
#       replacewith = ""
#       ignore_case = no
#       new_attribute = no
#       max_matches = 10
#
#       ## If set to yes then the replace string will be appended
#       # to the original string
#       append = no
#}

As it is commented out I do not see that it could be the issue. If you want any conf files let me know, I just did not want to clog up the message with lots of conf info that is not useful.

Thanks to all.

--
Walter Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734)615-9438
free radius ntlm_auth problem
> have you tried something like
>
> --username=\"%{mschap:User-Name}\"
>
> you might be able to escape the characters in this way.
>
> alna

yes :( , and \' too
External module in c++
Hello everybody,

I only have a simple question for the mailing list. Can I program an external module in C++?

Thanks.
Best Regards.
Guillermo Rodriguez
Re: free radius ntlm_auth problem
Hi,

> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>     --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
>     --challenge=%{mschap:Challenge:-00}
>     --nt-response=%{mschap:NT-Response:-00}"

have you tried something like

--username=\"%{mschap:User-Name}\"

you might be able to escape the characters in this way.

alna
I want to use freeradius to manage my socks5 proxy
I configured a socks5 proxy. The question for me is how to authenticate the users whom I permit to use my socks5 proxy and account them (such as period and data flow). I do not know how to integrate socks5 authentication and freeradius together. Does anyone have any idea, or can provide me some docs to help me? Thank you very much.

--
please visit my blog http://blog.csdn.net/taft
Authentication problem
Hi all,

I've written about this problem another time here: http://lists.freeradius.org/pipermail/freeradius-users/2006-October/057153.html

The core of this problem is an error that chillispot returns when I authenticate a client with WPA-EAP:

..
chillispot[15816]: radius.c: 1634: Received unknown radius packet 11!
chillispot[15816]: chilli.c: 4148: radius_proxy_ind() failed!
.

I've looked at the source code of radius.h in chilli at line 73, and I've seen that packet 11 is RADIUS_CODE_ACCESS_CHALLENGE, so I thought that there is an error in EAP authentication. Does someone have ideas about this problem? I must solve it.

Thank you very much.
Best regards.
Giusy
free radius ntlm_auth problem
Hello!

I successfully installed a free radius server with ntlm_auth, but have one problem. I have user names in a Windows 2003 domain with whitespace like 'user 1', 'user 2' (I know this is a bit lame, but they were created years ago and would be very hard to change). These usernames with whitespace the ntlm_auth string won't authorize. Usernames without whitespace authorize successfully. When I run ntlm_auth manually and write usernames like 'user 1' then it works. And I want to put an NT group requirement in too, like 'Domain Users'.

The ntlm_auth string is:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

How can I fix this? Thanks!

P.S. Sorry, my English isn't perfect :)

Andris
Re: freeradius bug?
Hi,

> Hello, why if I have in my clients.conf this configuration:
>
> client localhost {
>     secret = testing123
>     nastype = other
>     shortname = localhost
>     login = test
>     password = test
> }
>
> and I try #radtest test test localhost testing123

err, the login and password entries are for backend utilities such as simultaneous usage checking (and other SNMP/telnet tools). for this command to work, you have to add a 'test' user to either your users file or to your SQL database, AD, etc etc. look at the users file for an example user entry that you can copy/edit at your will. try changing the users entry to reject, accept and add a reply message etc to see stuff being sent back to your radtest command

alan
Re: IPV6 support
Hi,

> > time (currently) and ALSO there is a bug. :: (listen on any address)
> > causes a segmentation fault.
>
> WTF? :-)

ah. wasn't reported.

> Ah. 'struct sockaddr' isn't big enough to hold IPv6 addresses. We
> have to use 'struct sockaddr_storage'.
>
> Thanks, it's now fixed.

great. it was late when I was quickly testing that so didn't have time to research if it was a reported bug. guess I don't have to report now. glad to have been of testing service to you.

alan
Proxy PEAP-EAP-MSCHAPv2 as MSCHAPv2
Hi,

I am trying to set up Freeradius to proxy PEAP/EAP-MSCHAPv2 requests as MSCHAPv2 and know that some of you were able to set up this configuration successfully, i.e.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg22903.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg16192.html

and others. I have tried the examples in those postings as well as suggestions from other postings without any success. I have started with the default config and turned on the debug option. However, looking at the debug output I couldn't quite figure out what went wrong. What I got so far is as follows:

1) Send a PEAP/MSCHAPv2 request using Linux's Xsupplicant or Mac client to the proxy radius
2) Proxy radius terminated EAP locally and proxied the request (MSCHAPv2 minus EAP) to the home radius
3) Home radius responded with an access-accept packet to the proxy radius
4) Proxy Radius sent access-reject to the client. See error output below.

Tue Oct 3 20:10:37 2006 : Debug: rlm_eap: Request not found in the list
Tue Oct 3 20:10:37 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Tue Oct 3 20:10:37 2006 : Debug: rlm_eap: Failed in handler

I am running Freeradius 1.1.3 and have attached below my configuration files and an excerpt of the debug output, hoping that the mistake would look obvious to some of you and that you could provide some helpful pointers or links.

Thanks a lot for your help.
-David

For the outer identity, I have set it to use 'Anonymous' and for the inner identity, I have set it to use '[EMAIL PROTECTED]'.

radiusd.conf

modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
    }
    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = no
        ignore_null = no
    }
    # '[EMAIL PROTECTED]'
    #
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }
    ...
}

authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    files
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

preacct {
    preprocess
    acct_unique
    suffix
    files
}

accounting {
    detail
    radutmp
}

session {
    radutmp
}

post-auth {
}

pre-proxy {
}

post-proxy {
    eap
}

eap.conf

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        private_key_password = wireless
        private_key_file = ${raddbdir}/certs/host.key
        certificate_file = ${raddbdir}/certs/host.crt
        CA_file = ${raddbdir}/certs/ca-root.crt
        dh_file = ${raddbdir}/certs/dh
        random_file = /dev/urandom
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = no
        # Note: If I set proxy_tunneled_request_as_eap = yes (proxying the request as eap-mschapv2)
        # I was able to connect successfully
    }
    mschapv2 {
    }
}

proxy.conf

realm LOCAL {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}
realm NULL {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}
realm abc.net {
    type     = radius
    authhost = 199.186.1.2:1645
    accthost = 199.186.1.2:1646
    secret   = wireless
    nostrip
}

users:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "abc.net"

Debug output (excerpt starting when the home radius replied with an access accept); see attached files for the complete output.

Tue Oct 3 20:10:37 2006 : Sending Access-Request of id 30 to 199.186.1.2 port 1645
        User-Name = "[EMAIL PROTECTED]"