Re: Pam radius authentication

2006-10-20 Thread danieldinu


Isn't there anyone who tried this implementation?


Hi!
if you are referring to this line:
account required pam_radius_auth.so debug
then here is the explanation:
  The pam configuration can be:
...
auth   sufficient   /lib/security/pam_radius_auth.so [options]
...
account sufficient   /lib/security/pam_radius_auth.so
 (this is taken from http://www.freeradius.org/pam_radius_auth/USAGE)
 
On the other hand, I don't care if I don't use this module for accounting. As 
a matter of fact, I tried in many configurations, even without using it for 
accounting.
The main concern is to succeed in authenticating the users!!! If anyone can 
help me accomplish that, I would be happy and I will not mind about 
accounting...





Hi,

 I don't understand why you are saying that you are invoking 
 pam_radius_auth in the wrong place and for the wrong reason... please be 
 more specific, and if you know the right configuration, enlighten me!
 
  #%PAM-1.0
  auth   required pam_securetty.so
  auth   sufficient   pam_radius_auth.so debug
  auth   required /lib/security/pam_unix_auth.so
  account required pam_radius_auth.so debug
  

explain

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


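For readers arriving at this thread, an added example (not from the thread and not from the pam_radius_auth project) of a complete stack in the form the USAGE file describes. The service name, server address and shared secret are placeholders. The thing to notice is the control flag: with `sufficient`, a RADIUS Access-Accept ends the stack for that management group immediately, while a Reject or an unreachable server falls through to pam_unix, so a broken RADIUS setup quietly turns into local-password authentication; `account sufficient` likewise skips pam_unix's expiry checks whenever RADIUS answers. pam_radius_auth.so reads its server list from /etc/raddb/server; if that file is missing or unreadable the module fails the request without sending a packet, and `debug` makes that visible in syslog.

```text
# /etc/pam.d/myservice   (added example; "myservice" is a placeholder)
#
# type     control     module                          arguments
auth       required    pam_securetty.so
auth       sufficient  pam_radius_auth.so              debug
auth       required    pam_unix.so                     try_first_pass
account    sufficient  pam_radius_auth.so
account    required    pam_unix.so
session    required    pam_unix.so

# /etc/raddb/server   (read by pam_radius_auth.so; owner root, mode 0600,
#                      because it holds the shared secret)
#
# server[:port]          shared_secret        timeout (seconds)
radius.example.com       testing123           3
```

`try_first_pass` on pam_unix reuses the password already collected by pam_radius_auth instead of prompting twice, and the `debug` argument is what produces the "pam_radius_auth: ..." lines in syslog that show whether a packet was sent, which server answered, and what it answered.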


EAP and accounting

2006-10-20 Thread Angel L. Mateo
Hello,

I am developing my freeradius server (version 1.1.2) to use it in a WPA
wireless environment with EAP authentication.

Until this moment (without EAP) the accounting information collected by
freeradius is in the form:

- detail-MMDD:

Fri Oct 20 11:07:59 2006
User-Name = username@realm
NAS-Port = 2161
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = X.X.X.X
Class = 0x69636172756d
Calling-Station-Id = 172.18.201.166
Acct-Status-Type = Start
Acct-Session-Id = 15D003FA
Tunnel-Client-Endpoint:0 = 172.18.201.166
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-IP-Address = nas IP address
NAS-Port-Type = Virtual
Proxy-State = 0x323034
Client-IP-Address = client ip address
Acct-Unique-Session-Id = e43a1da655ba3ef3
Stripped-User-Name = username
Realm = realm
Timestamp = 1161335279

- auth-detail-MMDD:

Packet-Type = Access-Request
Fri Oct 20 11:10:14 2006
User-Name = username@realm
User-Password = 190482
NAS-Identifier = nas id
NAS-IP-Address = nas ip
Proxy-State = 0x323433
Client-IP-Address = client ip

But with EAP the files has the same form, but username is always
anonymous, because the real authentication is made through the tunnel
connection.

I want to know if there is any way to configure radius to log the real
username instead of anonymous in the log files.

Thanks.


-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 968367590
Fax: 968398337


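A check for the situation Angel describes, as an added example that is not part of the original post and not FreeRADIUS code: it parses detail-file records in the layout quoted above (a date line, indented "Attribute = Value" lines, a blank line between records) and lists accounting Starts whose user name is only the outer EAP identity. The two sample records, the 192.0.2.x NAS addresses and the second (wireless) session are constructed for the example. It is the kind of script you would run over radacct before and after changing the EAP configuration to confirm that the real name, not "anonymous", is what ends up in the logs.

```python
"""Parse FreeRADIUS 'detail' accounting records and flag sessions whose
User-Name is only the anonymous outer EAP identity.

Added example, not code from the thread or from FreeRADIUS.  The record
layout follows the detail-YYYYMMDD excerpt quoted above.  SAMPLE_DETAIL is
constructed for this example: one PPP session with a real name, one WPA/EAP
session logged under the outer identity "anonymous".
"""

import re

SAMPLE_DETAIL = """\
Fri Oct 20 11:07:59 2006
\tUser-Name = "username@realm"
\tNAS-Port = 2161
\tAcct-Status-Type = Start
\tAcct-Session-Id = "15D003FA"
\tClass = 0x69636172756d
\tCalling-Station-Id = "172.18.201.166"
\tNAS-IP-Address = 192.0.2.10
\tStripped-User-Name = "username"
\tRealm = "realm"
\tTimestamp = 1161335279

Fri Oct 20 11:12:03 2006
\tUser-Name = "anonymous@realm"
\tNAS-Port = 7
\tAcct-Status-Type = Start
\tAcct-Session-Id = "1A2B3C4D"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tNAS-IP-Address = 192.0.2.20
\tNAS-Port-Type = Wireless-802.11
\tStripped-User-Name = "anonymous"
\tRealm = "realm"
\tTimestamp = 1161335523
"""

# Indented attribute line: "<tab>Attr-Name[:tag] = value"
_ATTR_RE = re.compile(r'^\s+([\w\-:]+)\s*=\s*(.*?)\s*$')


def _decode_value(raw):
    """Turn a detail-file value into a Python value: strip the quotes from
    strings, decode 0x... octet blobs, convert plain integers; anything
    else (IP addresses, named enum values such as Start) stays a string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith('0x'):
        return bytes.fromhex(raw[2:])
    if raw.lstrip('-').isdigit():
        return int(raw)
    return raw


def parse_detail(text):
    """Return a list of records; each is {'timestamp': str, 'attrs': dict}.
    An unindented line starts a record, a blank line ends it."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = None
            continue
        m = _ATTR_RE.match(line)
        if m and current is not None:
            current['attrs'][m.group(1)] = _decode_value(m.group(2))
        elif not line[0].isspace():
            if current:
                records.append(current)
            current = {'timestamp': line.strip(), 'attrs': {}}
    if current:
        records.append(current)
    return records


def anonymous_sessions(records, outer_identity='anonymous'):
    """Accounting Start records whose (stripped) user name is the outer EAP
    identity, i.e. sessions that cannot be tied back to a real user.
    Returns (Acct-Session-Id, Calling-Station-Id) pairs."""
    hits = []
    for rec in records:
        a = rec['attrs']
        if a.get('Acct-Status-Type') != 'Start':
            continue
        name = a.get('Stripped-User-Name') or str(a.get('User-Name', ''))
        if name.split('@')[0] == outer_identity:
            hits.append((a.get('Acct-Session-Id'), a.get('Calling-Station-Id')))
    return hits


if __name__ == '__main__':
    for sid, station in anonymous_sessions(parse_detail(SAMPLE_DETAIL)):
        print(f'session {sid} from {station} is logged as the outer identity only')
```

Run it against a real file with `parse_detail(open(path).read())`; on a server that still logs the outer identity every EAP session shows up, and after the EAP change the list should be empty.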


Re: rlm_perl and checking request status in post-proxy

2006-10-20 Thread Jakub Wartak
Dnia czwartek, 19 października 2006 23:55, Pshem Kowalczyk napisał:
 Hi,

 I have a simple question - is it possible to check the status of
 request (Accept/Reject) in a post-proxy phase using rlm_perl? And if
 so - how?

 kind regards
 pshemko
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

http://wiki.freeradius.org/Rlm_perl states that there is post_proxy handler:

#func_post_proxy = post_proxy

# Function to handle post_proxy
sub post_proxy {
   # For debugging purposes only
#   log_request_attributes;
   return RLM_MODULE_OK;
}

You could try example.pl with a hacked log_request_attributes (displaying other 
hashes than %RAD_REQUEST). Also remember to put perl into the correct places in 
radiusd.conf.

Note that proxy wiki entry states the following:

The remote server replies with ACK or REJECT 
   On ACK:   The initial Auth-Type is set to Accept
   On REJECT:The initial Auth-Type is set to Reject

But I haven't tested such setups yet.

-- 
Jakub Wartak
-vnull
http://vnull.pcnet.com.pl/



Re: SNMP with Freeradius - Again

2006-10-20 Thread Velikanov
Good Day.

I use Oracle with Freeradius.
 The situation with SNMP is as follows now:
1. When I have sql in radiusd.conf and this string:
snmp = no
then I have a working radiusd with Oracle
2. When I have no sql, but have
snmp = yes
then I have a working radiusd with SNMP
3. When I have sql in radiusd.conf and
snmp = yes
I have a non-working radiusd; the debug does not contain any strings with SMUX
and it finishes with:

Module: Instantiated sql (sql)
Segmentation fault

In all cases the configuration was the same, except as pointed out above.

 I post the radiusd -X output of the last case (3), with sql and snmp = yes:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/oraclesql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = yes
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = nobody
 main: group = nobody
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/etc/raddb/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = yes
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded Pam
 pam: pam_auth = radiusd
Module: Instantiated pam (pam)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = yes
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = Acct-Session-Id, NAS-IP-Address, Login-IP-Host,
Login-TCP-Port
Module: Instantiated acct_unique (acct_PIX)
 exec: wait = yes
 exec: program = /usr/local/etc/raddb/radius.auth
 exec: input_pairs = request
 exec: output_pairs = request
 exec: packet_type = (null)
Module: Instantiated exec (echo)
Module: Loaded SQL
 sql: driver = rlm_sql_oracle
 sql: server = 192.168.98.100
 sql: port = 1521
 sql: login = inter1_odessa
 sql: password = inter1_odessa
 sql: radius_db = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =
apusold)(PORT = 1521))(CONNECT_DATA = (SERVICE_NAME = APUSOLD)))
 sql: nas_table = nas
 sql: sqltrace = no
 sql: sqltracefile = 

freeradius-snapshot-20061020 make error

2006-10-20 Thread Velikanov
Good Day.
Such an error in freeradius-snapshot-20061020 during make.
What to do?

 Making all in rlm_acct_unique...
gmake[6]: Entering directory
`/u01/data/freeradius-snapshot-20061020/src/modules/rlm_acct_unique'
/u01/data/freeradius-snapshot-20061020/libtool --mode=compile
gcc  -g -O2 -I/u01/data/freeradius-snapshot-20061020/src  -c
rlm_acct_unique.c
mkdir .libs
 gcc -g -O2 -I/u01/data/freeradius-snapshot-20061020/src -c
rlm_acct_unique.c  -fPIC -DPIC -o .libs/rlm_acct_unique.o
In file included from rlm_acct_unique.c:28:
/u01/data/freeradius-snapshot-20061020/src/freeradius-devel/radiusd.h:390:
error: syntax error before va_list

Thanks



Re: EAP and accounting

2006-10-20 Thread Franck
Hi,

With which AP do you get these values? Because with my D-Link DWL-2000+, EAP
works but I don't get all this info :(

Franck

 Hello,

   I am developing my freeradius server (version 1.1.2) to use it in a WPA
 wireless environment with EAP authentication.

   Until this moment (without EAP) the accounting information collected by
 freeradius is in the form:

 - detail-MMDD:

 Fri Oct 20 11:07:59 2006
 User-Name = username@realm
 NAS-Port = 2161
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Framed-IP-Address = X.X.X.X
 Class = 0x69636172756d
 Calling-Station-Id = 172.18.201.166
 Acct-Status-Type = Start
 Acct-Session-Id = 15D003FA
 Tunnel-Client-Endpoint:0 = 172.18.201.166
 Acct-Authentic = RADIUS
 Acct-Delay-Time = 0
 NAS-IP-Address = nas IP address
 NAS-Port-Type = Virtual
 Proxy-State = 0x323034
 Client-IP-Address = client ip address
 Acct-Unique-Session-Id = e43a1da655ba3ef3
 Stripped-User-Name = username
 Realm = realm
 Timestamp = 1161335279

 - auth-detail-MMDD:

 Packet-Type = Access-Request
 Fri Oct 20 11:10:14 2006
 User-Name = username@realm
 User-Password = 190482
 NAS-Identifier = nas id
 NAS-IP-Address = nas ip
 Proxy-State = 0x323433
 Client-IP-Address = client ip

   But with EAP the files has the same form, but username is always
 anonymous, because the real authentication is made through the tunnel
 connection.

   I want to know if there is any way to configure radius to log the real
 username instead of anonymous in the log files.

   Thanks.


 --
 Angel L. Mateo Martínez
 Sección de Telemática
 Área de Tecnologías de la Información   _o)
 y las Comunicaciones Aplicadas (ATICA)  / \\
 http://www.um.es/atica_(___V
 Tfo: 968367590
 Fax: 968398337





-- 
http://www.linuxpourtous.com



RE: EAP and accounting

2006-10-20 Thread King, Michael
Yes.  It's possible.

Look in eap.conf  In each EAP section (TTLS and PEAP) this code snippet exists

#  The reply attributes sent to the NAS are
#  usually based on the name of the user
#  'outside' of the tunnel (usually
#  'anonymous').  If you want to send the
#  reply attributes based on the user name
#  inside of the tunnel, then set this
#  configuration entry to 'yes', and the reply
#  to the NAS will be taken from the reply to
#  the tunneled request.
#
# allowed values: {no, yes}
use_tunneled_reply = no 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Angel L. Mateo
Sent: Friday, October 20, 2006 5:12 AM
To: FreeRadius users mailing list
Subject: EAP and accounting

Hello,

I am developing my freeradius server (version 1.1.2) to use it in a WPA 
wireless environment with EAP authentication.

Until this moment (without EAP) the accounting information collected by 
freeradius is in the form:

- detail-MMDD:

Fri Oct 20 11:07:59 2006
User-Name = username@realm
NAS-Port = 2161
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = X.X.X.X
Class = 0x69636172756d
Calling-Station-Id = 172.18.201.166
Acct-Status-Type = Start
Acct-Session-Id = 15D003FA
Tunnel-Client-Endpoint:0 = 172.18.201.166
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-IP-Address = nas IP address
NAS-Port-Type = Virtual
Proxy-State = 0x323034
Client-IP-Address = client ip address
Acct-Unique-Session-Id = e43a1da655ba3ef3
Stripped-User-Name = username
Realm = realm
Timestamp = 1161335279

- auth-detail-MMDD:

Packet-Type = Access-Request
Fri Oct 20 11:10:14 2006
User-Name = username@realm
User-Password = 190482
NAS-Identifier = nas id
NAS-IP-Address = nas ip
Proxy-State = 0x323433
Client-IP-Address = client ip

But with EAP the files has the same form, but username is always 
anonymous, because the real authentication is made through the tunnel 
connection.

I want to know if there is any way to configure radius to log the real 
username instead of anonymous in the log files.

Thanks.


--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 968367590
Fax: 968398337




RE: static IP's with rlm_perl

2006-10-20 Thread Garber, Neal
 $RAD_REPLY{'Framed-IP-Address'} = '192.168.77.200';

Perhaps the problem is that you are assigning a string to an attribute
of type ipaddr (look in /usr/local/share/freeradius/dictionary.rfc2865)?



RE: Windows Vista doing PEAP

2006-10-20 Thread Dourty, Brian R. \(IATS\)
Yeah, I'll do it today.

Brian

 -Original Message-
 From: freeradius-users-
 [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of
 King, Michael
 Sent: Thursday, October 19, 2006 4:24 PM
 To: FreeRadius users mailing list
 Subject: RE: Windows Vista doing PEAP
 
 Could you try the patch Alan has posted, run the server in debug mode,
 and post the logs?
 
 Please don't do this on a production server.
 
 For some reason, the patch is causing my server to segfault.  (It
 doesn't matter what the OS is (WinXP, VISTA, they all cause it to seg
 fault with DEBUG printing)
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:freeradius-users-
 [EMAIL PROTECTED]
 On Behalf Of Dourty, Brian R. (IATS)
 Sent: Thursday, October 19, 2006 4:44 PM
 To: FreeRadius users mailing list
 Subject: RE: Windows Vista doing PEAP
 
 We have also posted here about our difficulties with Windows Vista and
 our FR. It isn't working for us either.
 
 Brian
 
  -Original Message-
  From: freeradius-users-
  [EMAIL PROTECTED]
[mailto:freeradius-
  [EMAIL PROTECTED] On Behalf
Of
  King, Michael
  Sent: Thursday, October 19, 2006 2:52 PM
  To: FreeRadius users mailing list
  Subject: RE: Windows Vista doing PEAP
 
 
 
  -Original Message-
  Sorry - I've come late to this thread. Do we have a general problem
  with Vista failing to authenticate against FR, or is this just one
  instance failing, and we know of other instances where it is
working?
 
 
 
 
  It's most likely I'm the first to try it, and I've had.
  Difficulties
  :-)
 


RE: static IP's with rlm_perl

2006-10-20 Thread Garber, Neal
 $RAD_REPLY{'Framed-IP-Address'} = '192.168.77.200';

See if the following helps:

use Socket;
.
.
.
$RAD_REPLY{'Framed-IP-Address'} = inet_aton('192.168.77.200');




Re: static IP's with rlm_perl

2006-10-20 Thread Alan DeKok
Michael Gale [EMAIL PROTECTED] wrote:
 rlm_perl: Added pair Framed-IP-Address = 192.168.77.200
...
 Sending Access-Accept of id 70 to 127.0.0.1 port 32809
 Framed-IP-Address = 255.255.255.254

  FreeRADIUS DOES NOT send Framed-IP-Address = 255.255.255.254 in
the default config.  It is being sent because YOUR LOCAL CONFIG is
telling the server to do that.

  Look at your local config to see where that 255.55.255.253 IP is
being set.  Fix it.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius-snapshot-20061020 make error

2006-10-20 Thread Alan DeKok
Velikanov [EMAIL PROTECTED] wrote:
 Such error in freeradius-snapshot-20061020  during make
 What to do?

  I'll commit a fix today.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: static IP's with rlm_perl

2006-10-20 Thread Michael Gale

Hello,

No, that did not work, with the setting below the debug shows:

--snip--
.
rlm_perl: Added pair Framed-IP-Address = ��M
...
Sending Access-Accept of id 73 to 127.0.0.1 port 32813
Framed-IP-Address = 255.255.255.254

--snip--

Before when I was setting it with a string I looked fine in the logs:

--snip--

rlm_perl: Added pair Framed-IP-Address = 192.168.77.200
 (however it was not sent out)
...
Sending Access-Accept of id 71 to 127.0.0.1 port 32811
Framed-IP-Address = 255.255.255.254

--snip--

Thanks for the suggestion.

Michael

Garber, Neal wrote:

$RAD_REPLY{'Framed-IP-Address'} = '192.168.77.200';


See if the following helps:

use Socket;
.
.
.
$RAD_REPLY{'Framed-IP-Address'} = inet_aton('192.168.77.200');




--
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.


RE: Windows Vista doing PEAP

2006-10-20 Thread King, Michael
Use this one if the one on the website doesn't work for you

Index: src/modules/rlm_eap/rlm_eap.c
===
RCS file: /source/radiusd/src/modules/rlm_eap/rlm_eap.c,v
retrieving revision 1.26.2.1.2.1
diff -u -r1.26.2.1.2.1 rlm_eap.c
--- src/modules/rlm_eap/rlm_eap.c   6 Feb 2006 16:23:52 -
1.26.2.1.2.1
+++ src/modules/rlm_eap/rlm_eap.c   18 Oct 2006 21:15:45 -
@@ -338,6 +338,7 @@
 *  We are done, wrap the EAP-request in RADIUS to send
 *  with all other required radius attributes
 */
+   DEBUG2(VISTA[%s:%d]: here,  __func__, __LINE__);
rcode = eap_compose(handler);

/*
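Review bot: the format strings of the added DEBUG2 calls appear without quotes here (`DEBUG2(VISTA[%s:%d]: here,  __func__, __LINE__);`), which will not compile as shown; the mail has evidently stripped them, so anyone applying this by hand must restore the quoted `"VISTA[%s:%d]: here"` form rather than copy the text as it stands. The message itself is also the least useful one in the patch: this is the point right before eap_compose(handler) runs, so logging something about the handler being composed would give the reader more than "here" when reading a Vista trace.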
@@ -515,6 +516,7 @@
 *  We are done, wrap the EAP-request in RADIUS to
send
 *  with all other required radius attributes
 */
+   DEBUG2(VISTA[%s:%d]: here,  __func__, __LINE__);
rcode = eap_compose(handler);

/*
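Review bot: this hunk is the same "here" marker as the one at line 338, distinguishable only by `__LINE__`; if both stay, give each a distinct message (which of the two eap_compose call sites fired) so the trace can be read without the source open.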
Index: src/modules/rlm_eap/eap.c
===
RCS file: /source/radiusd/src/modules/rlm_eap/eap.c,v
retrieving revision 1.52.4.1
diff -u -r1.52.4.1 eap.c
--- src/modules/rlm_eap/eap.c   6 Feb 2006 16:23:49 -   1.52.4.1
+++ src/modules/rlm_eap/eap.c   18 Oct 2006 21:15:45 -
@@ -1,4 +1,4 @@
-/*
+ /*
  * eap.crfc2284  rfc2869 implementation
  *
  * Version: $Id: eap.c,v 1.52.4.1 2006/02/06 16:23:49 nbk Exp $
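Review bot: this hunk only inserts a leading space before the file's opening `/*`; it is an accidental whitespace change unrelated to the Vista debugging and should be dropped from the patch.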
@@ -382,7 +382,10 @@
eap_packet_t*hdr;
uint16_t total_length = 0;

-   if (reply == NULL) return EAP_INVALID;
+   if (reply == NULL) {
+ DEBUG2(VISTA[%s:%d]: eap_wireformat invalid,   __func__,
__LINE__);
+ return EAP_INVALID;
+   }

total_length = EAP_HEADER_LEN;
if (reply-code  3) {
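Review bot: the braces added around the `if (reply == NULL)` early return and the debug message inside them are behaviour-preserving and fine. Note that the context line `if (reply-code  3) {` has lost its `->` and its comparison operator in transit, as have the `reply-id` and `handler-eap_ds` references further down; this copy of the patch has been mangled by the mail and should be applied from the original attachment, not retyped from here.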
@@ -469,6 +472,8 @@
 *  mentioned restriction.
 */
reply-id = handler-eap_ds-response-id;
+   DEBUG2(VISTA[%s:%d]: reply-id %d,  __func__,
__LINE__, reply-id);
+   DEBUG2(VISTA[%s:%d]: reply-code %d,   __func__,
__LINE__,reply-code);

switch (reply-code) {
/*
@@ -506,16 +511,20 @@
 *  that the TTLS and PEAP modules can call it to do most
 *  of their dirty work.
 */
+   DEBUG2(VISTA[%s:%d]: eap-request-code %d,   __func__,
__LINE__, eap_ds-request-code);
+   DEBUG2(VISTA[%s:%d]: eap-request-type.type %d,   __func__,
__LINE__, eap_ds-request-type.type);
+   DEBUG2(VISTA[%s:%d]: handler-eap_type %d,   __func__,
__LINE__, handler-eap_type);
+
if (((eap_ds-request-code == PW_EAP_REQUEST) ||
 (eap_ds-request-code == PW_EAP_RESPONSE)) 
(eap_ds-request-type.type == 0)) {
rad_assert(handler-eap_type = PW_EAP_MD5);
rad_assert(handler-eap_type = PW_EAP_MAX_TYPES);
+   DEBUG2(VISTA[%s:%d]: Setting EAP type,   __func__,
__LINE__);

eap_ds-request-type.type = handler-eap_type;
}

-
if (eap_wireformat(reply) == EAP_INVALID) {
return RLM_MODULE_INVALID;
}
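Review bot: the three new DEBUG2 calls dereference eap_ds->request at a point where the existing `if` already reads eap_ds->request->code, so they add no new NULL risk, but the stray `-` line that deletes the blank line before `if (eap_wireformat(reply) == EAP_INVALID)` is unrelated whitespace churn and should go. The two `rad_assert(handler-eap_type = PW_EAP_MD5)` context lines read as assignments only because their comparison operators were stripped in the mail, like the `->` arrows elsewhere in this copy.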
@@ -598,6 +607,8 @@
break;
}

+   DEBUG2(VISTA]: rcode %d, rcode);
+
return rcode;
 } 

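Review bot: `DEBUG2(VISTA]: rcode %d, rcode);` is inconsistent with every other message added by this patch: the prefix reads `VISTA]` with no opening bracket and it carries no `__func__`/`__LINE__`, so this line cannot be correlated with the others in the debug output. Use the same `VISTA[%s:%d]: rcode %d` form with `__func__, __LINE__, rcode` as arguments.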



Re: static IP's with rlm_perl

2006-10-20 Thread Michael Gale

Hello,

I found in the users file the following:

DEFAULT	Service-Type == Framed-User
   Framed-IP-Address = 255.255.255.254,
   Framed-MTU = 576,
   Service-Type = Framed-User,
   Fall-Through = Yes

It seems that the settings in the users file override was is set in by 
the rlm_perl module.


Also, those settings were in that file by default, in the freeradius RPM 
I installed.


Michael

Alan DeKok wrote:

Michael Gale [EMAIL PROTECTED] wrote:

rlm_perl: Added pair Framed-IP-Address = 192.168.77.200

...

Sending Access-Accept of id 70 to 127.0.0.1 port 32809
Framed-IP-Address = 255.255.255.254


  FreeRADIUS DOES NOT send Framed-IP-Address = 255.255.255.254 in
the default config.  It is being sent because YOUR LOCAL CONFIG is
telling the server to do that.

  Look at your local config to see where that 255.55.255.253 IP is
being set.  Fix it.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


--
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.


Re: SNMP with Freeradius - Again

2006-10-20 Thread Kevin Bonner
On Friday 20 October 2006 05:59, Velikanov wrote:
 Good Day.

 I use Oracle with Freeradius.
  The situation with SNMP is as follows now:
 1. When i have sql in radiusd.conf and such string:
 snmp = no
 then i have working radiusd with Oracle
 2. When i have no sql , but have
 snmp = yes
 then i have working radiusd with SNMP
 3. When i have sql in radiusd.conf and
 snmp = yes
 i have not working radiusd, debug does not contain any strings with
 SMUX and it is finished with:

 Module: Instantiated sql (sql)
 Segmentation fault

 In all cases the configurations was the same, except pointed  above

SNMP/SMUX support should not affect the rlm_sql module in any way.

See doc/bugs for steps to debug the segfault issue and identify where the 
program is actually failing.

Kevin Bonner



Re: static IP's with rlm_perl

2006-10-20 Thread Kevin Bonner
On Friday 20 October 2006 10:32, Michael Gale wrote:
 Hello,

   No, that did not work, with the setting below the debug shows:

 --snip--
  Framed-IP-Address = 255.255.255.254

Where is that attribute/value pair being added?  If that is being set after 
your perl functions are processed, then it's possible the operator being used 
is allowing that attribute to be overwritten.  Framed-IP-Address is not in 
the default FreeRADIUS config, so you've most likely added it somewhere and 
that is causing your problem.

Kevin Bonner



pppd/pptp + freeradius + static IP FYI

2006-10-20 Thread Michael Gale

Hello,

	FYI - Requirements for me to give out static IP address to users using 
the following:


pptpd-1.3.3-1.fc4
ppp-2.4.3-5.fc4
freeradius-mysql-1.1.3-1
freeradius-debuginfo-1.1.3-1
freeradius-1.1.3-1
freeradius-unixODBC-1.1.3-1
freeradius-postgresql-1.1.3-1

I have a rlm_perl module that I use to authenticate users and provide 
static IP addresses. I came across the following info / issues when 
setting this up:


1. /etc/raddb/users file
	This file contained a default entry for Framed-IP-Address which was 
overriding the value set by the rlm_perl module. The DEFAULT options 
needed to be changed to remove the setting of the IP address.


2. /etc/pptpd.conf file
	In this file I uncommented the delegate option to allow the IP 
address to be set by the radius or chap-secrets. So PPTP will NOT pass 
an IP address to pppd. So disable the localip and remoteip options at 
the bottom.


	* With this option commented out, the IP address returned by freeradius 
was still being taken and given to the client, however the pptpd 
documentation says to enable the delegate option if you are going to 
do that.


3. /etc/ppp/options.pptpd file
	Once the delegate option was enabled, pppd would fail with the error 
"Could not determine local IP address", since this address is no longer 
being set. I simply added the same IP address used in pptpd.conf localip 
to the options.pptpd file in the format:

ipaddress:

According to the man page:
OPTIONS
   local_IP_address:remote_IP_address
  Set  the  local  and/or remote interface IP addresses. 
Either one may be omitted.  The IP addresses can be specified with a 
host name or in decimal dot notation (e.g. 150.234.56.78).  The default 
local address is the (first) IP address of the system (unless the 
noipdefault option is  given).   The  remote  address will be obtained 
from the peer if not specified in any option.  Thus, in simple cases, 
this option is not required.  If a local and/or remote IP address is 
specified with this option, pppd will not accept a different value from 
the  peer  in  the IPCP negotiation, unless the ipcp-accept-local and/or 
ipcp-accept-remote options are given, respectively.


I added the system's IP address with the colon, which allowed pppd to 
determine its localip and radius to set the client's IP address.



--
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.


Re: Dialupadmin and PHP Question

2006-10-20 Thread Darcy Parker
Thanks - But I believe that my biggest problem is that I am using PHP5 
not PHP4, and if I install PHP4 it breaks other packages I have that 
depend on PHP5.


Darcy

[EMAIL PROTECTED] wrote:

Hi Darcy,

I feel you might have missed installing some Linux packages, and
because of those you are getting the dependency error.
I have installed freeradius dialupadmin on a Debian Linux machine. I am
listing my package lists for php and mysql. 


debian:~# dpkg -l | grep php
ii  php4   4.3.10-16  server-side, HTML-embedded scripting
languag
ii  php4-cgi   4.3.10-16  server-side, HTML-embedded scripting
languag
ii  php4-cli   4.3.10-16  command-line interpreter for the php4
script
ii  php4-common4.3.10-16  Common files for packages built from
the php
ii  php4-mysql 4.3.10-16  MySQL module for php4

debian:~# dpkg -l | grep mysql
ii  libdbd-mysql-p 2.9006-1   A Perl5 database interface to the
MySQL data
ii  libmysqlclient 4.0.24-10sarge mysql database client library
ii  mysql-client   4.0.24-10sarge mysql database client binaries
ii  mysql-common   4.0.24-10sarge mysql database common files (e.g.
/etc/mysql
ii  mysql-server   4.0.24-10sarge mysql database server binaries
ii  php4-mysql 4.3.10-16  MySQL module for php4

Hope this helps!!

Vineet
-Original Message-
From: Darcy Parker [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 20, 2006 1:06 AM

To: freeradius-users@lists.freeradius.org
Subject: Dialupadmin and PHP Question

Good day all,

I am running ubuntu 6.06, I have apache2, PHP5, and MySql installed.
I ran the following command to install freeradius:

[EMAIL PROTECTED]:~# apt-get install freeradius freeradius-ldap
freeradius-mysql freeradius-krb5 libperl5.8

I then ran the following command to get dialupadmin

[EMAIL PROTECTED]:~# apt-get install freeradius-dialupadmin Reading
package lists... Done Building dependency tree... Done Some packages
could not be installed. This may mean that you have requested an
impossible situation or if you are using the unstable distribution that
some required packages have not yet been created or been moved out of
Incoming.

Since you only requested a single operation it is extremely likely that
the package is simply not installable and a bug report against that
package should be filed.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  freeradius-dialupadmin: Depends: php4 but it is not going to be
installed
E: Broken packages


How do I make this work or is there something else I can use?
(Webmin?)

Darcy



  




Issuing certificates with a Windows CA for PEAP auth

2006-10-20 Thread Hector.Ortiz
When generating certificates for use by FreeRadius EAP-TLS, there is an 
extension which is to be added to the certificate in order for the client to be 
able to validate the certificate against a root CA certificate. If such an 
extension is not present in your FreeRadius certificate, the auth process will 
fail, because the client will stop communicating with your server since it 
can't validate your cert. Some people would say that it is better to have 
EAP-TTLS, but sometimes it is not easy to deploy such a PKI. If you want to use 
EAP-TLS and if you happen to have your CA running on a Winbugs box, then this 
might be of help. We are going to generate a request using openssl and issue 
the certificate with winbugs with the needed extension embedded into the cert 
file.

There are two ways of doing this. For either of them, you need to have openssl 
installed in the computer where your freeradius server is and a Certification 
Authority running on a Winbugs box.

The first way, and the best one, is as follows:

From the computer where your freeradius is, you generate a request and a 
private key by: 

   shell:~ # openssl req -new -nodes -keyout mykey.pem -out server.csr

The challenge password is important because it'll be used in the freeradius 
configuration
The file mykey.pem is the private key. Copy this file to 
/usr/local/etc/raddb/certs
   
   shell:~ # cp mykey.pem /usr/local/etc/raddb/certs

server.csr is the certificate request. Copy this file to the computer where your 
CA is.
Then, let's feed this request into your Winbugs CA. Open a command prompt 
window and type 

   C:\> certreq -submit server.csr

A window will pop up asking you to select the CA where your request is to be 
submitted to. Select the one that you own.
This will give you a RequestID. This number is important because it'll be used 
for the next part.

When a client uses PEAP-EAP-MS-Challenge Handshake Authentication Protocol 
(CHAP) version 2 authentication, PEAP with EAP-TLS authentication, or EAP-TLS 
authentication, Microsoft specifies that certificates must have the Enhanced 
Key Usage attribute with the value Server Authentication (OID 
1.3.6.1.5.5.7.3.1).
[Ref.: http://support.microsoft.com/kb/814394/en-us]

Since the certificate request generated in openssl according to the procedure 
above does not provide this attribute, it is necessary to add it to the pending 
request with the Windows CLI command certutil.

The general syntax is

   C:\> certutil -setextension RequestID ExtensionOID Flags @InFile

- The OID for the attribute Enhanced Key Usage is : 2.5.29.37
- The flag value is set to 0.
- Create an input text file eku.txt :
  
  C:\> echo 30 0a 06 08 2b 06 01 05 05 07 03 01 > eku.txt

Finally, run the following command :

   C:\> certutil -setextension RequestID 2.5.29.37 0 @eku.txt

[Comment: to discover the OID of an attribute, it is possible to dump the 
contents of an existing valid certificate containing the needed attribute with 
: certutil -v certfile.cer
Ref.: 
http://technet2.microsoft.com/WindowsServer/en/library/165ee684-1c3a-4cc1-9c5b-0bc1ec1e710a1033.mspx?mfr=true]

Then, open your Certification Authority application, go to Pending Requests, 
right click on the one you modified (RequestID), All Tasks -> Issue.
Go to Issued certificates and double-click on the one you just issued 
(RequestID).
A window will open displaying cert's info. Go to the tab Details and check 
that the field Enhanced Key Usage is present and its value is Server 
Authentication (1.3.6.1.5.5.7.3.1). Click on the button Copy to file... and 
save it as either DER encoded or Base-64 encoded, give a filename (let's call 
it certificate for now) and finish the wizard. This will give you a file 
certificate.cer. Copy this file to your freeradius server in 
/usr/local/etc/raddb/certs

   shell:~ # cd /usr/local/etc/raddb/certs

If you exported the certificate as DER encoded there is a final step you have 
to perform.
We need to convert this file to a format FreeRadius can understand. So, now 
type:

   shell:/usr/local/etc/raddb/certs # openssl x509 -inform DER -in 
certificate.cer -outform PEM -out certificate.pem

If the certificate is Base-64 encoded, then just rename the file (this step is 
optional, it's just to be consistent with the eap.conf file at the end of this 
file).

   shell:/usr/local/etc/raddb/certs # mv certificate.cer certificate.pem

Get your CA certificate, and put it in /usr/local/etc/raddb/certs. Suppose that 
your CA certificate is DER encoded in a file named ca.cer, then you convert 
it to PEM by 

   shell:~ # openssl x509 -inform DER -in ca.cer -outform PEM -out ca.pem
   shell:~ # cp ca.pem /usr/local/etc/raddb/certs

Now edit your eap.conf file and you are done. A sample eap.conf is at the end 
of this guide.
Configure your clients to use PEAP, check the checkbox Validate server 
certificate and select your Trusted Root Certification Authority from the list.




The second way of doing this, which is not very neat, is 
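
The eku.txt byte string in the procedure above (30 0a 06 08 2b 06 01 05 05 07 03 01) is the DER encoding of an ExtKeyUsage SEQUENCE holding the single OID id-kp-serverAuth (1.3.6.1.5.5.7.3.1). The script below is an added example, not part of Hector's post and not FreeRADIUS or Microsoft code; it builds that value from the dotted OID, renders it in the space-separated hex form that certutil reads from the input file, and parses a value back so the extension in an issued certificate can be checked for Server Authentication. Function names (encode_oid, build_eku, parse_eku, has_server_auth) are my own.

```python
"""Build and parse the DER value of the Extended Key Usage (2.5.29.37)
extension.  Added example; the sample values are constructed from the
mailing-list post, not taken from any certificate."""

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth (the one PEAP/EAP-TLS clients require)
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth


def _der_len(n):
    """DER length field: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(buf, i):
    """Return (length, index of first content byte) for the length at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    count = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + count], "big"), i + 1 + count


def _base128(n):
    """Variable-length base-128 encoding of one OID arc (high bit = more bytes)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) for a dotted-decimal OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] >= 40):
        raise ValueError("invalid OID: " + dotted)
    body = _base128(40 * arcs[0] + arcs[1])          # first two arcs share one value
    for arc in arcs[2:]:
        body += _base128(arc)
    return bytes([0x06]) + _der_len(len(body)) + body


def decode_oid(body):
    """Inverse of encode_oid for the content bytes of an OID."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                              # last byte of this arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    lead = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in lead + tuple(arcs[1:]))


def build_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30]) + _der_len(len(body)) + body


def parse_eku(der):
    """Return the list of dotted OIDs inside an ExtKeyUsage DER value."""
    if der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    total, i = _read_len(der, 1)
    end = i + total
    oids = []
    while i < end:
        if der[i] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER at offset %d" % i)
        length, start = _read_len(der, i + 1)
        oids.append(decode_oid(der[start:start + length]))
        i = start + length
    return oids


def to_certutil_hex(der):
    """Space-separated hex, the layout certutil -setextension reads via @InFile."""
    return " ".join("%02x" % b for b in der)


def from_certutil_hex(text):
    """Parse the hex layout back into bytes (whitespace-insensitive)."""
    return bytes.fromhex("".join(text.split()))


def has_server_auth(der):
    """The check the post performs by hand in the Details tab."""
    return SERVER_AUTH_OID in parse_eku(der)


if __name__ == "__main__":
    eku = build_eku([SERVER_AUTH_OID])
    print(to_certutil_hex(eku))                  # contents of eku.txt
    print(parse_eku(eku), has_server_auth(eku))
```

Running it prints the exact byte string from the post, which confirms the value was not mistyped before it is attached to a pending request; parse_eku applied to the extension value dumped from the issued certificate gives the same positive check the post does through the Windows certificate dialog.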

CVS make error

2006-10-20 Thread Jan Mulders

Hello all,

After much trouble I've managed to get CVS to download the right
version of freeradius (not radiusd-cistron...doh), and now I'm having
some problems with making it.


From what I can see, there's some problems with EAP (which I happen to

not need). Is it possible (or even recommended) to remove EAP from the
compilation process? If so, how do I go about doing this?

Failing that, if somebody is feeling really nice they could code a fix
for CVS :)

Regards,

Jan

/root/installs/radiusd-cvs/radiusd/libtool --mode=compile gcc  -g -O2
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g
-Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
-Wnested-externs -W -Wredundant-decls -Wundef
-I/root/installs/radiusd-cvs/radiusd/src  -Ilibeap -c radeapclient.c
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall
-D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef
-I/root/installs/radiusd-cvs/radiusd/src -Ilibeap -c radeapclient.c
-fPIC -DPIC -o .libs/radeapclient.o
radeapclient.c: In function `radlog':
radeapclient.c:111: warning: implicit declaration of function `va_start'
radeapclient.c:111: warning: nested extern declaration of `va_start'
radeapclient.c:113: warning: implicit declaration of function `va_end'
radeapclient.c:113: warning: nested extern declaration of `va_end'
radeapclient.c: In function `log_debug':
radeapclient.c:124: warning: nested extern declaration of `va_start'
radeapclient.c:111: warning: redundant redeclaration of 'va_start'
radeapclient.c:111: warning: previous implicit declaration of
'va_start' was here
radeapclient.c:126: warning: nested extern declaration of `va_end'
radeapclient.c:113: warning: redundant redeclaration of 'va_end'
radeapclient.c:113: warning: previous implicit declaration of 'va_end' was here
radeapclient.c: In function `radlog':
radeapclient.c:106: warning: 'ap' might be used uninitialized in this function
radeapclient.c: In function `log_debug':
radeapclient.c:121: warning: 'ap' might be used uninitialized in this function
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall
-D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef
-I/root/installs/radiusd-cvs/radiusd/src -Ilibeap -c radeapclient.c -o
radeapclient.o > /dev/null 2>&1
/root/installs/radiusd-cvs/radiusd/libtool --mode=link gcc   -o
radeapclient radeapclient.lo libeap/libeap.la -lnsl -lresolv
-lpthread -lcrypto -lssl -lcrypto
gcc -o .libs/radeapclient .libs/radeapclient.o  libeap/.libs/libeap.so
-lssl -lcrypto -lnsl -lresolv -lpthread  -Wl,--rpath
-Wl,/usr/local/lib
.libs/radeapclient.o(.text+0x13b): In function `radlog':
/root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap/radeapclient.c:111:
undefined reference to `va_start'
.libs/radeapclient.o(.text+0x15a):/root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap/radeapclient.c:113:
undefined reference to `va_end'
.libs/radeapclient.o(.text+0x193): In function `log_debug':
/root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap/radeapclient.c:124:
undefined reference to `va_start'
.libs/radeapclient.o(.text+0x1b2):/root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap/radeapclient.c:126:
undefined reference to `va_end'
collect2: ld returned 1 exit status
gmake[6]: *** [radeapclient] Error 1
gmake[6]: Leaving directory
`/root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/root/installs/radiusd-cvs/radiusd'
make: *** [all] Error 2


Re: CVS make error

2006-10-20 Thread Alan DeKok
Jan Mulders [EMAIL PROTECTED] wrote:
..

  Do a CVS update.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Windows Vista doing PEAP

2006-10-20 Thread Phil Mayers

Josh Howlett wrote:

  Again, I have no idea why it's core dumping.  It shouldn't be.  I
don't have Vista, and I can't debug this issue myself.  It's up to you.


Sorry - I've come late to this thread. Do we have a general problem with 
Vista failing to authenticate against FR, or is this just one instance 
failing, and we know of other instances where it is working?


It's a general problem.

Sadly the netsh ras set tracing * enable thing seems not to be present 
or work under the vista RCs we've looked at and there was little of 
value in the event logs so the cause is somewhat hard to pin down. It's 
definitely PEAP (as opposed to EAP-TLS) related.


Knowing MS they've made a TLV that was previously optional, mandatory, 
or similar. Given the problems seems to be windows-centred, someone with 
more windows experience may need to get info from the client as to why 
*it* thinks things are going awry


EAP-TTLS problem at phase 1

2006-10-20 Thread Rafiqul Ahsan

Hi all,
I have been trying to figure this out for a couple of days, but could not get any clue. My test is about authentication with EAP-TTLS/MSCHAPV2.
I am using freeradius v - 1.1.3, on Solaris 10.
No matter what I do, I get rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request at the server.
Can anybody help me with what went wrong? Here are my configs and logs (truncated).
Awaiting some solution...
Rafi


Here is my eap.conf
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        rsa_key_exchange = yes
        dh_key_exchange = no
        rsa_key_length = 1024
        dh_key_length = 1024
        verify_depth = 2
        pem_file_type = yes
        private_key_password = wimax i2 test certs
        private_key_file = /etc/freeradius/etc/certs/key2.pem
        certificate_file = /etc/freeradius/etc/certs/cert2.pem
        CA_file = /etc/freeradius/etc/certs/cacert.pem
        dh_file = /etc/freeradius/etc/certs/dh
        random_file = /etc/freeradius/etc/certs/random
        fragment_size = 1024
        include_length = yes
        check_cert_cn = %{User-Name}
    }
    ttls {
        default_eap_type = mschapv2
        # copy_request_to_tunnel = no
        # use_tunneled_reply = no
    }
    peap {
        default_eap_type = mschapv2
        # copy_request_to_tunnel = no
        # use_tunneled_reply = no
        # proxy_tunneled_request_as_eap = yes
    }
    mschapv2 {
    }
}


Here is my users file :

testuser Auth-Type := EAP, User-Password := testuser

DEFAULT Auth-Type := EAP

Here is my supplicant config :
# cat supplicant.conf
ctrl_interface=/var/tmp/supplicant.ctl
eap_trace=1
enableWiMAXauth=1
validateFNECerts=1
checkCRL=1
ignoreTimeOfDay=0
update_config=0
data_interface=/var/tmp/supplicant_data.ctl
ap_scan=0
fast_reauth=1
load_dynamic=/usr/lib/wpa_supplicant/eap_ttls.so
network={
eap=TTLS
eap_workaround=1
anonymous_identity=anonymous_identity
ca_path=/var/tmp/truststore
ca_cert=/var/tmp/root.crt
client_cert=/var/tmp/cpe.crt
private_key=/var/tmp/key
private_key_passwd=wimax i2 test certs
phase2=auth=MSCHAPV2
}


Here is the radius log (only shown the failed part)

rlm_fastusers: checking defaults
  fastusers: Matched DEFAULT at 6
  modcall[authorize]: module fastusers returns updated for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 1
modcall: leaving group authenticate (returns invalid) for request 1
