Re: Pam radius authentication
Isn't there anyone who tried this implementation?

Hi! If you are referring to this line:

account required pam_radius_auth.so debug

then here is the explanation. The PAM configuration can be:

...
auth sufficient /lib/security/pam_radius_auth.so [options]
...
account sufficient /lib/security/pam_radius_auth.so

(this is taken from http://www.freeradius.org/pam_radius_auth/USAGE)

On the other hand, I don't care if I don't use this module for accounting. As a matter of fact, I tried many configurations, even without using it for accounting. The main concern is to succeed in authenticating the users!!! If anyone can help me accomplish that, I would be happy and I will not mind about accounting...

Hi, I don't understand why you are saying that you are invoking pam_radius_auth in the wrong place and for the wrong reason... please, be more specific and if you know the right configuration, enlighten me!

#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_radius_auth.so debug
auth required /lib/security/pam_unix_auth.so
account required pam_radius_auth.so debug

explain

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP and accounting
Hello,

I am developing my freeradius server (version 1.1.2) to use it in a WPA wireless environment with EAP authentication. Until this moment (without EAP) the accounting information collected by freeradius is in the form:

- detail-MMDD:

Fri Oct 20 11:07:59 2006
        User-Name = username@realm
        NAS-Port = 2161
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = X.X.X.X
        Class = 0x69636172756d
        Calling-Station-Id = 172.18.201.166
        Acct-Status-Type = Start
        Acct-Session-Id = 15D003FA
        Tunnel-Client-Endpoint:0 = 172.18.201.166
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        NAS-IP-Address = nas IP address
        NAS-Port-Type = Virtual
        Proxy-State = 0x323034
        Client-IP-Address = client ip address
        Acct-Unique-Session-Id = e43a1da655ba3ef3
        Stripped-User-Name = username
        Realm = realm
        Timestamp = 1161335279

- auth-detail-MMDD:

Packet-Type = Access-Request
Fri Oct 20 11:10:14 2006
        User-Name = username@realm
        User-Password = 190482
        NAS-Identifier = nas id
        NAS-IP-Address = nas ip
        Proxy-State = 0x323433
        Client-IP-Address = client ip

But with EAP the files have the same form, but the username is always anonymous, because the real authentication is made through the tunnel connection. I want to know if there is any way to configure radius to log the real username instead of anonymous in the log files.

Thanks.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337
Re: rlm_perl and checking request status in post-proxy
On Thursday, 19 October 2006 23:55, Pshem Kowalczyk wrote:
Hi,
I have a simple question - is it possible to check the status of a request (Accept/Reject) in a post-proxy phase using rlm_perl? And if so - how?
kind regards
pshemko

http://wiki.freeradius.org/Rlm_perl states that there is a post_proxy handler:

#func_post_proxy = post_proxy

# Function to handle post_proxy
sub post_proxy {
        # For debugging purposes only
        # log_request_attributes;

        return RLM_MODULE_OK;
}

You could try example.pl with a hacked log_request_attributes (displaying other hashes than %RAD_REQUEST). Also remember to put perl into the correct places in radiusd.conf.

Note that the proxy wiki entry states the following:

The remote server replies with ACK or REJECT
On ACK: The initial Auth-Type is set to Accept
On REJECT: The initial Auth-Type is set to Reject

But I haven't tested such setups yet.

--
Jakub Wartak -vnull
http://vnull.pcnet.com.pl/
Re: SNMP with Freeradius - Again
Good Day.

I use Oracle with Freeradius. The situation with SNMP is as follows now:

1. When I have sql in radiusd.conf and such a string: snmp = no, then I have a working radiusd with Oracle
2. When I have no sql, but have snmp = yes, then I have a working radiusd with SNMP
3. When I have sql in radiusd.conf and snmp = yes, I have a non-working radiusd; the debug does not contain any strings with SMUX and it finishes with:

Module: Instantiated sql (sql)
Segmentation fault

In all cases the configuration was the same, except as pointed out above. I post the radiusd -X of the last case (3) with sql and snmp = yes:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/oraclesql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: snmp = yes
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = nobody
main: group = nobody
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/etc/raddb/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = yes
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded Pam
pam: pam_auth = radiusd
Module: Instantiated pam (pam)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = yes
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = Acct-Session-Id, NAS-IP-Address, Login-IP-Host, Login-TCP-Port
Module: Instantiated acct_unique (acct_PIX)
exec: wait = yes
exec: program = /usr/local/etc/raddb/radius.auth
exec: input_pairs = request
exec: output_pairs = request
exec: packet_type = (null)
Module: Instantiated exec (echo)
Module: Loaded SQL
sql: driver = rlm_sql_oracle
sql: server = 192.168.98.100
sql: port = 1521
sql: login = inter1_odessa
sql: password = inter1_odessa
sql: radius_db = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = apusold)(PORT = 1521))(CONNECT_DATA = (SERVICE_NAME = APUSOLD)))
sql: nas_table = nas
sql: sqltrace = no
sql: sqltracefile =
freeradius-snapshot-20061020 make error
Good Day.

Such an error in freeradius-snapshot-20061020 during make. What to do?

Making all in rlm_acct_unique...
gmake[6]: Entering directory `/u01/data/freeradius-snapshot-20061020/src/modules/rlm_acct_unique'
/u01/data/freeradius-snapshot-20061020/libtool --mode=compile gcc -g -O2 -I/u01/data/freeradius-snapshot-20061020/src -c rlm_acct_unique.c
mkdir .libs
gcc -g -O2 -I/u01/data/freeradius-snapshot-20061020/src -c rlm_acct_unique.c -fPIC -DPIC -o .libs/rlm_acct_unique.o
In file included from rlm_acct_unique.c:28:
/u01/data/freeradius-snapshot-20061020/src/freeradius-devel/radiusd.h:390: error: syntax error before va_list

Thanks
Re: EAP and accounting
Hi,

With which AP do you have these values? Because with my dlink DWL-2000+, EAP works but I'm not getting all this info :(

Franck

--
http://www.linuxpourtous.com
RE: EAP and accounting
Yes. It's possible. Look in eap.conf. In each EAP section (TTLS and PEAP) this code snippet exists:

        # The reply attributes sent to the NAS are
        # usually based on the name of the user
        # 'outside' of the tunnel (usually
        # 'anonymous').  If you want to send the
        # reply attributes based on the user name
        # inside of the tunnel, then set this
        # configuration entry to 'yes', and the reply
        # to the NAS will be taken from the reply to
        # the tunneled request.
        #
        # allowed values: {no, yes}
        use_tunneled_reply = no

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Angel L. Mateo
Sent: Friday, October 20, 2006 5:12 AM
To: FreeRadius users mailing list
Subject: EAP and accounting

I want to know if there is any way to configure radius to log the real username instead of anonymous in the log files.
RE: static IP's with rlm_perl
$RAD_REPLY{'Framed-IP-Address'} = '192.168.77.200';

Perhaps the problem is that you are assigning a string to an attribute of type ipaddr (look in /usr/local/share/freeradius/dictionary.rfc2865)?
RE: Windows Vista doing PEAP
Yeah, I'll do it today.

Brian

-Original Message-
From: freeradius-users- [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of King, Michael
Sent: Thursday, October 19, 2006 4:24 PM
To: FreeRadius users mailing list
Subject: RE: Windows Vista doing PEAP

Could you try the patch Alan has posted, run the server in debug mode, and post the logs? Please don't do this on a production server. For some reason, the patch is causing my server to segfault. (It doesn't matter what the OS is (WinXP, VISTA, they all cause it to seg fault with DEBUG printing)

-Original Message-
From: [EMAIL PROTECTED] [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Dourty, Brian R. (IATS)
Sent: Thursday, October 19, 2006 4:44 PM
To: FreeRadius users mailing list
Subject: RE: Windows Vista doing PEAP

We have also posted here about our difficulties with Windows Vista and our FR. It isn't working for us either.

Brian

-Original Message-
From: freeradius-users- [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of King, Michael
Sent: Thursday, October 19, 2006 2:52 PM
To: FreeRadius users mailing list
Subject: RE: Windows Vista doing PEAP

-Original Message-
Sorry - I've come late to this thread. Do we have a general problem with Vista failing to authenticate against FR, or is this just one instance failing, and we know of other instances where it is working?

It's most likely I'm the first to try it, and I've had. Difficulties :-)
RE: static IP's with rlm_perl
$RAD_REPLY{'Framed-IP-Address'} = '192.168.77.200';

See if the following helps:

use Socket;
. . .
$RAD_REPLY{'Framed-IP-Address'} = inet_aton('192.168.77.200');
Re: static IP's with rlm_perl
Michael Gale [EMAIL PROTECTED] wrote:
rlm_perl: Added pair Framed-IP-Address = 192.168.77.200
...
Sending Access-Accept of id 70 to 127.0.0.1 port 32809
        Framed-IP-Address = 255.255.255.254

FreeRADIUS DOES NOT send Framed-IP-Address = 255.255.255.254 in the default config. It is being sent because YOUR LOCAL CONFIG is telling the server to do that.

Look at your local config to see where that 255.55.255.253 IP is being set. Fix it.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius-snapshot-20061020 make error
Velikanov [EMAIL PROTECTED] wrote:
Such error in freeradius-snapshot-20061020 during make What to do?

I'll commit a fix today.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: static IP's with rlm_perl
Hello,

No, that did not work, with the setting below the debug shows:

--snip--
.
rlm_perl: Added pair Framed-IP-Address = ��M
...
Sending Access-Accept of id 73 to 127.0.0.1 port 32813
        Framed-IP-Address = 255.255.255.254
--snip--

Before when I was setting it with a string it looked fine in the logs:

--snip--
rlm_perl: Added pair Framed-IP-Address = 192.168.77.200 (however it was not sent out)
...
Sending Access-Accept of id 71 to 127.0.0.1 port 32811
        Framed-IP-Address = 255.255.255.254
--snip--

Thanks for the suggestion.

Michael

Garber, Neal wrote:
$RAD_REPLY{'Framed-IP-Address'} = '192.168.77.200';
See if the following helps:
use Socket;
. . .
$RAD_REPLY{'Framed-IP-Address'} = inet_aton('192.168.77.200');

--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
RE: Windows Vista doing PEAP
Use this one if the one on the website doesn't work for you Index: src/modules/rlm_eap/rlm_eap.c === RCS file: /source/radiusd/src/modules/rlm_eap/rlm_eap.c,v retrieving revision 1.26.2.1.2.1 diff -u -r1.26.2.1.2.1 rlm_eap.c --- src/modules/rlm_eap/rlm_eap.c 6 Feb 2006 16:23:52 - 1.26.2.1.2.1 +++ src/modules/rlm_eap/rlm_eap.c 18 Oct 2006 21:15:45 - @@ -338,6 +338,7 @@ * We are done, wrap the EAP-request in RADIUS to send * with all other required radius attributes */ + DEBUG2(VISTA[%s:%d]: here, __func__, __LINE__); rcode = eap_compose(handler); /* @@ -515,6 +516,7 @@ * We are done, wrap the EAP-request in RADIUS to send * with all other required radius attributes */ + DEBUG2(VISTA[%s:%d]: here, __func__, __LINE__); rcode = eap_compose(handler); /* Index: src/modules/rlm_eap/eap.c === RCS file: /source/radiusd/src/modules/rlm_eap/eap.c,v retrieving revision 1.52.4.1 diff -u -r1.52.4.1 eap.c --- src/modules/rlm_eap/eap.c 6 Feb 2006 16:23:49 - 1.52.4.1 +++ src/modules/rlm_eap/eap.c 18 Oct 2006 21:15:45 - @@ -1,4 +1,4 @@ -/* + /* * eap.crfc2284 rfc2869 implementation * * Version: $Id: eap.c,v 1.52.4.1 2006/02/06 16:23:49 nbk Exp $ @@ -382,7 +382,10 @@ eap_packet_t*hdr; uint16_t total_length = 0; - if (reply == NULL) return EAP_INVALID; + if (reply == NULL) { + DEBUG2(VISTA[%s:%d]: eap_wireformat invalid, __func__, __LINE__); + return EAP_INVALID; + } total_length = EAP_HEADER_LEN; if (reply-code 3) { @@ -469,6 +472,8 @@ * mentioned restriction. */ reply-id = handler-eap_ds-response-id; + DEBUG2(VISTA[%s:%d]: reply-id %d, __func__, __LINE__, reply-id); + DEBUG2(VISTA[%s:%d]: reply-code %d, __func__, __LINE__,reply-code); switch (reply-code) { /* 
@@ -506,16 +511,20 @@ * that the TTLS and PEAP modules can call it to do most * of their dirty work. */ + DEBUG2(VISTA[%s:%d]: eap-request-code %d, __func__, __LINE__, eap_ds-request-code); + DEBUG2(VISTA[%s:%d]: eap-request-type.type %d, __func__, __LINE__, eap_ds-request-type.type); + DEBUG2(VISTA[%s:%d]: handler-eap_type %d, __func__, __LINE__, handler-eap_type); + if (((eap_ds-request-code == PW_EAP_REQUEST) || (eap_ds-request-code == PW_EAP_RESPONSE)) (eap_ds-request-type.type == 0)) { rad_assert(handler-eap_type = PW_EAP_MD5); rad_assert(handler-eap_type = PW_EAP_MAX_TYPES); + DEBUG2(VISTA[%s:%d]: Setting EAP type, __func__, __LINE__); eap_ds-request-type.type = handler-eap_type; } - if (eap_wireformat(reply) == EAP_INVALID) { return RLM_MODULE_INVALID; } @@ -598,6 +607,8 @@ break; } + DEBUG2(VISTA]: rcode %d, rcode); + return rcode; }
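Review bot: every added `DEBUG2(VISTA[%s:%d]: ..., __func__, __LINE__)` line, in both rlm_eap.c hunks (`@@ -338` and `@@ -515`) and in the eap.c hunks, has no quotes around its format string as posted, so the patch cannot compile if applied as-is; if the quotes were lost in the mail, whoever applies it has to restore them (`DEBUG2("VISTA[%s:%d]: here", __func__, __LINE__);`) before building. Since these lines are tagged VISTA and print only function and line, they are temporary tracing for the Vista PEAP failure and should be reverted rather than committed once the failing spot is located.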
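Review bot: the first eap.c hunk (`@@ -1,4 +1,4 @@`) changes nothing but the leading whitespace of the file's opening `/*` comment line; it is an unrelated edit that will show up in every later diff of eap.c, so drop it from the patch. The same applies to the blank line removed before `if (eap_wireformat(reply) == EAP_INVALID)` in the `@@ -506,16 +511,20 @@` hunk, which is whitespace-only and unrelated to the tracing being added.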
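Review bot: in the last hunk (`@@ -598,6 +607,8 @@`) the added `DEBUG2(VISTA]: rcode %d, rcode);` does not match the `VISTA[%s:%d]` prefix with `__func__, __LINE__` used by every other added line, so its output cannot be grepped and located the same way; make it `DEBUG2("VISTA[%s:%d]: rcode %d", __func__, __LINE__, rcode);` for consistency.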
Re: static IP's with rlm_perl
Hello,

I found in the users file the following:

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

It seems that the settings in the users file override what is set by the rlm_perl module. Also, those settings were in that file by default, in the freeradius RPM I installed.

Michael

Alan DeKok wrote:
Michael Gale [EMAIL PROTECTED] wrote:
rlm_perl: Added pair Framed-IP-Address = 192.168.77.200
...
Sending Access-Accept of id 70 to 127.0.0.1 port 32809
        Framed-IP-Address = 255.255.255.254

FreeRADIUS DOES NOT send Framed-IP-Address = 255.255.255.254 in the default config. It is being sent because YOUR LOCAL CONFIG is telling the server to do that.

Look at your local config to see where that 255.55.255.253 IP is being set. Fix it.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
Re: SNMP with Freeradius - Again
On Friday 20 October 2006 05:59, Velikanov wrote:
Good Day. I use Oracle with Freeradius. The situation with SNMP is as follows now:
1. When i have sql in radiusd.conf and such string: snmp = no then i have working radiusd with Oracle
2. When i have no sql , but have snmp = yes then i have working radiusd with SNMP
3. When i have sql in radiusd.conf and snmp = yes i have not working radiusd, debug does not contain any strings with SMUX and it is finished with:
Module: Instantiated sql (sql)
Segmentation fault
In all cases the configurations was the same, except pointed above

SNMP/SMUX support should not affect the rlm_sql module in any way. See doc/bugs for steps to debug the segfault issue and identify where the program is actually failing.

Kevin Bonner
Re: static IP's with rlm_perl
On Friday 20 October 2006 10:32, Michael Gale wrote:
Hello,
No, that did not work, with the setting below the debug shows:
--snip--
        Framed-IP-Address = 255.255.255.254

Where is that attribute/value pair being added? If that is being set after your perl functions are processed, then it's possible the operator being used is allowing that attribute to be overwritten. Framed-IP-Address is not in the default FreeRADIUS config, so you've most likely added it somewhere and that is causing your problem.

Kevin Bonner
pppd/pptp + freeradius + static IP FYI
Hello,

FYI - Requirements for me to give out static IP addresses to users using the following:

pptpd-1.3.3-1.fc4
ppp-2.4.3-5.fc4
freeradius-mysql-1.1.3-1
freeradius-debuginfo-1.1.3-1
freeradius-1.1.3-1
freeradius-unixODBC-1.1.3-1
freeradius-postgresql-1.1.3-1

I have a rlm_perl module that I use to authenticate users and provide static IP addresses. I came across the following info / issues when setting this up:

1. /etc/raddb/users file

This file contained a default entry for Framed-IP-Address which was overriding the value set by the rlm_perl module. The DEFAULT options needed to be changed to remove the setting of the IP address.

2. /etc/pptpd.conf file

In this file I uncommented the delegate option to allow the IP address to be set by the radius or chap-secrets. So PPTP will NOT pass an IP address to pppd. So this disables the localip and remoteip options at the bottom.

* With this option commented out, the IP address returned by freeradius was still being taken and given to the client, however the pptpd documentation says to enable the delegate option if you are going to do that.

3. /etc/ppp/options.pptpd file

Once the delegate option was enabled, pppd would fail with the error "Could not determine local IP address", since this address is no longer being set. I simply added the same IP address used in pptpd.conf localip to the options.pptpd file in the format:

ipaddress:

According to the man page:

OPTIONS
local_IP_address:remote_IP_address
Set the local and/or remote interface IP addresses. Either one may be omitted. The IP addresses can be specified with a host name or in decimal dot notation (e.g. 150.234.56.78). The default local address is the (first) IP address of the system (unless the noipdefault option is given). The remote address will be obtained from the peer if not specified in any option. Thus, in simple cases, this option is not required. If a local and/or remote IP address is specified with this option, pppd will not accept a different value from the peer in the IPCP negotiation, unless the ipcp-accept-local and/or ipcp-accept-remote options are given, respectively.

I added the system's IP address with the colon, which allowed pppd to determine its localip and radius to set the client's IP address.

--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
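A model of what the static-IP thread above and point 1 of this FYI found, added here as an example and not taken from any of the posts or from FreeRADIUS itself: a few lines of Python that simulate how reply items from the users file combine with the pairs a later module wants to add, using the operator semantics documented in users(5) (`=` adds only when the attribute is not already in the list, `:=` replaces, `+=` always appends). The users-file text is a constructed copy of the DEFAULT entry Michael quoted, the "module reply" is a stand-in for what rlm_perl returns, and the ordering (files runs before the module in authorize) is an assumption; the function and variable names are my own.

```python
"""Simplified model of FreeRADIUS users-file reply-item merging.

Not FreeRADIUS code: operator semantics follow users(5); the merge order
(files first, then a module such as rlm_perl) is assumed.
"""
import re

# Constructed copy of the DEFAULT entry quoted in the thread.
USERS_FILE = """\
DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes
"""

# attribute, operator, value -- values may be quoted, items are comma separated
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|\+=|==|=)\s*"?([^",]+?)"?\s*(?:,|$)')


def parse_users(text):
    """Return a list of (name, check_items, reply_items) entries.
    Check items sit on the entry's first line; reply items are the
    indented continuation lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # new entry: "name  check, check"
            name, _, rest = line.partition(" ")
            entries.append((name, ITEM_RE.findall(rest), []))
        else:                              # reply items of the current entry
            entries[-1][2].extend(ITEM_RE.findall(line))
    return entries


def apply_reply_item(reply, attr, op, value):
    """Apply one reply item to the reply list in place (users(5) semantics)."""
    present = [i for i, (a, _) in enumerate(reply) if a == attr]
    if op == "=":                          # add only if not already present
        if not present:
            reply.append((attr, value))
    elif op == ":=":                       # replace any existing value
        for i in reversed(present):
            del reply[i]
        reply.append((attr, value))
    elif op == "+=":                       # always append
        reply.append((attr, value))
    else:
        raise ValueError(f"{op} is not a valid reply-item operator")


def run_files(request, entries):
    """Walk the users file: a matching entry contributes its reply items and,
    unless it carries Fall-Through = Yes, ends the search."""
    reply = []
    for name, checks, items in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not all(op == "==" and request.get(attr) == value
                   for attr, op, value in checks):
            continue
        fall_through = False
        for attr, op, value in items:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
                continue
            apply_reply_item(reply, attr, op, value)
        if not fall_through:
            break
    return reply


def framed_ip(request, module_ip, op="="):
    """Framed-IP-Address that would be sent when the users file runs first
    and a later module (stand-in for rlm_perl) adds its pair with `op`."""
    reply = run_files(request, parse_users(USERS_FILE))
    apply_reply_item(reply, "Framed-IP-Address", op, module_ip)
    return dict(reply).get("Framed-IP-Address")


if __name__ == "__main__":
    req = {"User-Name": "mgale", "Service-Type": "Framed-User"}
    print(framed_ip(req, "192.168.77.200"))        # users file wins: 255.255.255.254
    print(framed_ip(req, "192.168.77.200", ":="))  # override:        192.168.77.200
```

With the DEFAULT entry in place, a module that adds the attribute with plain `=` semantics after rlm_files has run is silently ignored, which is the behaviour Michael saw in `radiusd -X` ("Added pair" but the packet carried 255.255.255.254); removing the attribute from the DEFAULT entry, as the FYI describes, is the fix the model confirms.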
Re: Dialupadmin and PHP Question
Thanx - But I believe that my biggest problem is that I am using PHP5 not PHP4, and if I install PHP4 it breaks other packages I have that depend on PHP5.

Darcy

[EMAIL PROTECTED] wrote:
Hi Darcy,

What I feel, you might have missed some linux packages to install and because of those only, you are getting the dependency error. I have installed freeradius dialupadmin on a debian linux machine. I am listing my package lists for php and mysql.

debian:~# dpkg -l | grep php
ii  php4            4.3.10-16       server-side, HTML-embedded scripting languag
ii  php4-cgi        4.3.10-16       server-side, HTML-embedded scripting languag
ii  php4-cli        4.3.10-16       command-line interpreter for the php4 script
ii  php4-common     4.3.10-16       Common files for packages built from the php
ii  php4-mysql      4.3.10-16       MySQL module for php4

debian:~# dpkg -l | grep mysql
ii  libdbd-mysql-p  2.9006-1        A Perl5 database interface to the MySQL data
ii  libmysqlclient  4.0.24-10sarge  mysql database client library
ii  mysql-client    4.0.24-10sarge  mysql database client binaries
ii  mysql-common    4.0.24-10sarge  mysql database common files (e.g. /etc/mysql
ii  mysql-server    4.0.24-10sarge  mysql database server binaries
ii  php4-mysql      4.3.10-16       MySQL module for php4

Hope this helps !!

Vineet

-Original Message-
From: Darcy Parker [mailto:[EMAIL PROTECTED]
Sent: Friday, October 20, 2006 1:06 AM
To: freeradius-users@lists.freeradius.org
Subject: Dialupadmin and PHP Question

Good day all,

I am running ubuntu 6.06, I have apache2, PHP5, and MySql installed. I ran the following command to install freeradius:

[EMAIL PROTECTED]:~# apt-get install freeradius freeradius-ldap freeradius-mysql freeradius-krb5 libperl5.8

I then ran the following command to get dialupadmin:

[EMAIL PROTECTED]:~# apt-get install freeradius-dialupadmin
Reading package lists... Done
Building dependency tree... Done
Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming.
Since you only requested a single operation it is extremely likely that the package is simply not installable and a bug report against that package should be filed.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
  freeradius-dialupadmin: Depends: php4 but it is not going to be installed
E: Broken packages

How do I make this work or is there something else I can use? (Webmin?)

Darcy
Issuing certificates with a Windows CA for PEAP auth
When generating certificates for use by FreeRadius EAP-TLS, there is an extension which has to be added to the certificate in order for the client to be able to validate the certificate against a root CA certificate. If such an extension is not present in your FreeRadius certificate, the auth process will fail, because the client will stop communicating with your server since it can't validate your cert. Some people would say that it is better to have EAP-TTLS, but sometimes it is not easy to deploy such a PKI. If you want to use EAP-TLS and if you happen to have your CA running on a Winbugs box, then this might be of help.

We are going to generate a request using openssl and issue the certificate with winbugs with the needed extension embedded into the cert file. There are two ways of doing this. For either of them, you need to have openssl installed on the computer where your freeradius server is and a Certification Authority running on a Winbugs box.

The first way, and the best one, is as follows:

From the computer where your freeradius is, you generate a request and a private key by:

    shell:~ # openssl req -new -nodes -keyout mykey.pem -out server.csr

The challenge password is important because it'll be used in the freeradius configuration.

The file mykey.pem is the private key. Copy this file to /usr/local/etc/raddb/certs:

    shell:~ # cp mykey.pem /usr/local/etc/raddb/certs

server.csr is the certificate request. Copy this file to the computer where your CA is.

Then, let's feed this request into your Winbugs CA. Open a command prompt window and type

    C:\> certreq -submit server.csr

A window will pop up asking you to select the CA where your request is to be submitted to. Select the one that you own. This will give you a RequestID. This number is important because it'll be used for the next part.

When a client uses PEAP-EAP-MS-Challenge Handshake Authentication Protocol (CHAP) version 2 authentication, PEAP with EAP-TLS authentication, or EAP-TLS authentication, Microsoft specifies that certificates must have the Enhanced Key Usage attribute with the value Server Authentication (OID 1.3.6.1.5.5.7.3.1). [Ref.: http://support.microsoft.com/kb/814394/en-us]

Since the certificate request generated in openssl according to the procedure above does not provide this attribute, it is necessary to add it to the pending request with the Windows CLI command certutil. The general syntax is

    C:\> certutil -setextension RequestID ExtensionOID Flags @InFile

- The OID for the attribute Enhanced Key Usage is: 2.5.29.37
- The flag value is set to 0.
- Create an input text file eku.txt:

    C:\> echo 30 0a 06 08 2b 06 01 05 05 07 03 01 > eku.txt

Finally, run the following command:

    C:\> certutil -setextension RequestID 2.5.29.37 0 @eku.txt

[Comment: to discover the OID of an attribute, it is possible to dump the contents of an existing valid certificate containing the needed attribute with:

    certutil -v certfile.cer

Ref.: http://technet2.microsoft.com/WindowsServer/en/library/165ee684-1c3a-4cc1-9c5b-0bc1ec1e710a1033.mspx?mfr=true]

Then, open your Certification Authority application, go to Pending request, right click on the one you modified (RequestID), All Tasks -> Issue.

Go to Issued certificates and double-click on the one you just issued (RequestID). A window will open displaying the cert's info. Go to the tab Details and check that the field Enhanced Key Usage is present and its value is Server Authentication (1.3.6.1.5.5.7.3.1). Click on the button Copy to file..., save it as either DER encoded or Base-64 encoded, give it a filename (let's call it certificate for now) and finish the wizard. This will give you a file certificate.cer.

Copy this file to your freeradius server in /usr/local/etc/raddb/certs:

    shell:~ # cd /usr/local/etc/raddb/certs

If you exported the certificate as DER encoded there is a final step you have to perform. We need to convert this file to a format FreeRadius can understand. So, now type:

    shell:/usr/local/etc/raddb/certs # openssl x509 -inform DER -in certificate.cer -outform PEM -out certificate.pem

If the certificate is Base-64 encoded, then just rename the file (this step is optional, it's just to be consistent with the eap.conf file at the end of this file):

    shell:/usr/local/etc/raddb/certs # mv certificate.cer certificate.pem

Get your CA certificate, and put it in /usr/local/etc/raddb/certs. Suppose that your CA certificate is DER encoded in a file named ca.cer; then you convert it to PEM by

    shell:~ # openssl x509 -inform DER -in ca.cer -outform PEM -out ca.pem
    shell:~ # cp ca.pem /usr/local/etc/raddb/certs

Now edit your eap.conf file and you are done. A sample eap.conf is at the end of this guide. Configure your clients to use PEAP, check the checkbox Validate server certificate and select your Trusted Root Certification Authority from the list.

The second way of doing this, which is not very neat, is
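The twelve hex bytes the post writes into eku.txt are the DER-encoded value of the Extended Key Usage extension, and the 2.5.29.37 passed on the certutil command line is the identifier of the extension itself: 30 0a is a SEQUENCE of 10 bytes, 06 08 an OBJECT IDENTIFIER of 8 bytes, and 2b 06 01 05 05 07 03 01 is 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth). The following is an added example, not code from the post or from FreeRADIUS: it decodes that value, rebuilds it from the dotted OID so you can see where each byte comes from, checks for serverAuth the way a client does before trusting the server certificate, and performs the DER-to-PEM re-wrap that the final openssl x509 step does. The EKU hex string and the serverAuth OID are taken from the post; the clientAuth OID 1.3.6.1.5.5.7.3.2 is the standard RFC 5280 value and is used only to show a two-purpose EKU. The parser handles short-form DER lengths only, which is all an EKU of a few OIDs needs.

```python
# Added example (not from the post): decode/rebuild the ExtKeyUsage value
# fed to "certutil -setextension RequestID 2.5.29.37 0 @eku.txt" and do the
# DER -> PEM re-wrap that "openssl x509 -inform DER -outform PEM" performs.
import base64

# Exact hex string from the post's "echo ... > eku.txt" command.
EKU_TXT = "30 0a 06 08 2b 06 01 05 05 07 03 01"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth (named in the post)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth (RFC 5280; not in the post)


def oid_to_der(oid: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06, short length)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        groups = [arc & 0x7F]                       # base-128 digits, high bit = more follow
        arc >>= 7
        while arc:
            groups.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(groups))
    return bytes([0x06, len(body)]) + bytes(body)


def der_to_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]            # valid for first arc 0 or 1 (iso / itu-t)
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                            # last digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _tlv(data: bytes, pos: int):
    """Read one short-form DER TLV at pos; returns (tag, content, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    if length & 0x80:
        raise ValueError("long-form lengths not handled in this example")
    start = pos + 2
    return tag, data[start:start + length], start + length


def decode_eku(der: bytes) -> list[str]:
    """Parse ExtKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER into dotted OIDs."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _tlv(body, pos)
        if tag != 0x06:
            raise ValueError(f"unexpected tag 0x{tag:02x} inside EKU")
        oids.append(der_to_oid(content))
    return oids


def build_eku(*oids: str) -> bytes:
    """Build the EKU extension value (the bytes certutil reads from @InFile)."""
    body = b"".join(oid_to_der(o) for o in oids)
    return bytes([0x30, len(body)]) + body


def eku_hex(*oids: str) -> str:
    """Same bytes in the space-separated hex form the post puts in eku.txt."""
    return " ".join(f"{b:02x}" for b in build_eku(*oids))


def has_server_auth(der: bytes) -> bool:
    """The check a PEAP/EAP-TLS client applies: is serverAuth among the EKU purposes?"""
    return SERVER_AUTH in decode_eku(der)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Re-wrap DER as PEM: 64-column Base64 between BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem, so the conversion can be checked round-trip."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


if __name__ == "__main__":
    eku = bytes.fromhex(EKU_TXT.replace(" ", ""))
    print("eku.txt decodes to:", decode_eku(eku))        # ['1.3.6.1.5.5.7.3.1']
    print("serverAuth present:", has_server_auth(eku))   # True
    print("rebuilt from OID:", eku_hex(SERVER_AUTH) == EKU_TXT)  # True
    print(der_to_pem(eku, "EXAMPLE"), end="")
```

If a certificate was issued with an EKU that lists only clientAuth, has_server_auth() returns False, which is the condition under which the Windows supplicant refuses to continue the handshake; eku_hex(SERVER_AUTH, CLIENT_AUTH) shows what eku.txt would contain for a certificate intended for both purposes.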
CVS make error
Hello all,

After much trouble I've managed to get CVS to download the right version of freeradius (not radiusd-cistron...doh), and now I'm having some problems with making it. From what I can see, there's some problems with EAP (which I happen to not need). Is it possible (or even recommended) to remove EAP from the compilation process? If so, how do I go about doing this? Failing that, if somebody is feeling really nice they could code a fix for CVS :)

Regards,
Jan

/root/installs/radiusd-cvs/radiusd/libtool --mode=compile gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/installs/radiusd-cvs/radiusd/src -Ilibeap -c radeapclient.c
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/installs/radiusd-cvs/radiusd/src -Ilibeap -c radeapclient.c -fPIC -DPIC -o .libs/radeapclient.o
radeapclient.c: In function `radlog':
radeapclient.c:111: warning: implicit declaration of function `va_start'
radeapclient.c:111: warning: nested extern declaration of `va_start'
radeapclient.c:113: warning: implicit declaration of function `va_end'
radeapclient.c:113: warning: nested extern declaration of `va_end'
radeapclient.c: In function `log_debug':
radeapclient.c:124: warning: nested extern declaration of `va_start'
radeapclient.c:111: warning: redundant redeclaration of 'va_start'
radeapclient.c:111: warning: previous implicit declaration of 'va_start' was here
radeapclient.c:126: warning: nested extern declaration of `va_end'
radeapclient.c:113: warning: redundant redeclaration of 'va_end'
radeapclient.c:113: warning: previous implicit declaration of 'va_end' was here
radeapclient.c: In function `radlog':
radeapclient.c:106: warning: 'ap' might be used uninitialized in this function
radeapclient.c: In function `log_debug':
radeapclient.c:121: warning: 'ap' might be used uninitialized in this function
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/installs/radiusd-cvs/radiusd/src -Ilibeap -c radeapclient.c -o radeapclient.o >/dev/null 2>&1
/root/installs/radiusd-cvs/radiusd/libtool --mode=link gcc -o radeapclient radeapclient.lo libeap/libeap.la -lnsl -lresolv -lpthread -lcrypto -lssl -lcrypto
gcc -o .libs/radeapclient .libs/radeapclient.o libeap/.libs/libeap.so -lssl -lcrypto -lnsl -lresolv -lpthread -Wl,--rpath -Wl,/usr/local/lib
.libs/radeapclient.o(.text+0x13b): In function `radlog':
/root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap/radeapclient.c:111: undefined reference to `va_start'
.libs/radeapclient.o(.text+0x15a):/root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap/radeapclient.c:113: undefined reference to `va_end'
.libs/radeapclient.o(.text+0x193): In function `log_debug':
/root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap/radeapclient.c:124: undefined reference to `va_start'
.libs/radeapclient.o(.text+0x1b2):/root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap/radeapclient.c:126: undefined reference to `va_end'
collect2: ld returned 1 exit status
gmake[6]: *** [radeapclient] Error 1
gmake[6]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/root/installs/radiusd-cvs/radiusd'
make: *** [all] Error 2
Re: CVS make error
Jan Mulders [EMAIL PROTECTED] wrote:
> ..

Do a CVS update.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Windows Vista doing PEAP
Josh Howlett wrote:
> > Again, I have no idea why it's core dumping. It shouldn't be. I don't
> > have Vista, and I can't debug this issue myself. It's up to you.
>
> Sorry - I've come late to this thread. Do we have a general problem with
> Vista failing to authenticate against FR, or is this just one instance
> failing, and we know of other instances where it is working?

It's a general problem. Sadly the "netsh ras set tracing * enable" thing seems not to be present or work under the Vista RCs we've looked at, and there was little of value in the event logs, so the cause is somewhat hard to pin down. It's definitely PEAP (as opposed to EAP-TLS) related. Knowing MS they've made a TLV that was previously optional, mandatory, or similar. Given the problem seems to be Windows-centred, someone with more Windows experience may need to get info from the client as to why *it* thinks things are going awry.
EAP-TTLS problem at phase 1
Hi all,

I have been trying to figure this out for a couple of days, but could not get any clue. My test is about authentication with EAP-TTLS/MSCHAPV2. I am using freeradius v1.1.3 on Solaris 10. No matter what I do, I get

    rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request

at the server. Can anybody help me with what went wrong? Here are my configs and logs (truncated).

Awaits some solution...
Rafi

Here is my eap.conf:

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        rsa_key_exchange = yes
        dh_key_exchange = no
        rsa_key_length = 1024
        dh_key_length = 1024
        verify_depth = 2
        pem_file_type = yes
        private_key_password = wimax i2 test certs
        private_key_file = /etc/freeradius/etc/certs/key2.pem
        certificate_file = /etc/freeradius/etc/certs/cert2.pem
        CA_file = /etc/freeradius/etc/certs/cacert.pem
        dh_file = /etc/freeradius/etc/certs/dh
        random_file = /etc/freeradius/etc/certs/random
        fragment_size = 1024
        include_length = yes
        check_cert_cn = %{User-Name}
    }
    ttls {
        default_eap_type = mschapv2
        # copy_request_to_tunnel = no
        # use_tunneled_reply = no
    }
    peap {
        default_eap_type = mschapv2
        # copy_request_to_tunnel = no
        # use_tunneled_reply = no
        # proxy_tunneled_request_as_eap = yes
    }
    mschapv2 {
    }
}

Here is my users file:

testuser    Auth-Type := EAP, User-Password := testuser
DEFAULT     Auth-Type := EAP

Here is my supplicant config:

# cat supplicant.conf
ctrl_interface=/var/tmp/supplicant.ctl
eap_trace=1
enableWiMAXauth=1
validateFNECerts=1
checkCRL=1
ignoreTimeOfDay=0
update_config=0
data_interface=/var/tmp/supplicant_data.ctl
ap_scan=0
fast_reauth=1
load_dynamic=/usr/lib/wpa_supplicant/eap_ttls.so
network={
    eap=TTLS
    eap_workaround=1
    anonymous_identity=anonymous_identity
    ca_path=/var/tmp/truststore
    ca_cert=/var/tmp/root.crt
    client_cert=/var/tmp/cpe.crt
    private_key=/var/tmp/key
    private_key_passwd=wimax i2 test certs
    phase2=auth=MSCHAPV2
}

Here is the radius log (only the failed part is shown):

rlm_fastusers: checking defaults
fastusers: Matched DEFAULT at 6
modcall[authorize]: module fastusers returns updated for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
rlm_eap: Failed in handler
modcall[authenticate]: module eap returns invalid for request 1
modcall: leaving group authenticate (returns invalid) for request 1