realm table

2006-11-15 Thread Santiago Balaguer García
Hi people, 

I am using freeradius 1.0.4 in my debian machine. I get almost all data from a postgres database. However, all my realms are in the proxy.conf file.
 I realized a realm table exists in my DB schema, however there is no SQL query which calls this table in the postgresql.conf file. Is there any configuration for using realm table???
Another topic: Are you working in the problem for inserting a new client the freeradius service has to be rebooted??
 Thanks,
 Santiago

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Failed to link to module 'rlm_counter'

2006-11-15 Thread Eranga Amarakoon
When using 'radius -X' the following error occurred.

radiusd.conf[1392] Failed to link to module 'rlm_counter': rlm_counter.so: 
cannot open shared object file: No such file or directory

There's no rlm_counter.so in the library directory

What is the reason


[RE]Freeradius-Users Digest, Vol 18, Issue 98

2006-11-15 Thread Ana Gallardo Gómez


Sorry for my english...

I had the same problem with Freeradius-OpenSSL. I'm running a Debian Sarge 3.1. My installation is:

/usr/local/openssl --  OpenSSL binaries
/usr/local/radius --  Freeradius binaries
/usr/local/freeradius-1.1.3 --  Freeradius source
/usr/local/openssl-0.9.7k --  OpenSSL source

To compile and install OpenSSL:

/usr/local/openssl-0.9.7k/.config shared --prefix=/usr/local/openssl
/usr/local/openssl-0.9.7k/make
/usr/local/openssl-0.9.7k/make install

Copy OpenSSL library and include files to /usr/local/lib and /usr/local/include.

To compile and install Freeradius:

/usr/local/freeradius-1.1.3/.configure --prefix=/usr/local/radius
/usr/local/freeradius-1.1.3/make
/usr/local/freeradius-1.1.3/make install

:)

machine authentication (was: Windows-Domain login without local users)

2006-11-15 Thread Michael Messner
 =
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
 detail: detailfile =
/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (pre_proxy_log)
 detail: detailfile =
/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (post_proxy_log)
Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32769, id=233, length=55
User-Name = bob
User-Password = bob
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/127.0.0.1/auth-detail-20061115'
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/127.0.0.1/auth-detail-20061115
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = bob, skipping NULL due to config.
  modcall[authorize]: module suffix returns noop for request 0
rlm_realm: No '\' in User-Name = bob, skipping NULL due to config.
  modcall[authorize]: module ntdomain returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry bob at line 171
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bob
radius_xlat:  'sAMAccountName=bob)'
radius_xlat:  'CN=Users,DC=isalab,DC=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 141.201.43.10:389, authentication 0
rlm_ldap: bind as CN=Administrator,CN=Users,DC=isalab,DC=local/labadmin to
141.201.43.10:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in CN=Users,DC=isalab,DC=local, with filter
sAMAccountName=bob)
rlm_ldap: ldap_search() failed: Bad search filter: sAMAccountName=bob)
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32769, id=233, length=55
Discarding duplicate request from client localhost:32769 - ID: 233
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 233 with timestamp 455b3ad8
Nothing to do.  Sleeping until we see a request.

here is my authorize section of radiusd.conf:

authorize {
preprocess
auth_log
chap
mschap
suffix
ntdomain
eap
files
ldap
}

authenticate {
...
#   Auth-Type LDAP {
#   ldap
#   }
...
}

We normally need the ldap module to get the groups from Active Directory
 but if the user is directly configured in the users file there should be
no ldap request to the AD!

freeRADIUS: v. 1.1.3

hope someone can help me
ca mIke

 the testlab looks like

 Windows 2003 (AD) --- Freeradius --- Enterasys switch/Cisco WLAN 
--- Linux/MS-Client

 802.1x via PEAP works, so the next step is machine authentication to get
 also a 802.1x Domain login.

 like in this post
 (http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-November/058021.html)
 we have upgraded our releases:

 Samba: Version 3.0.23c
 FreeRADIUS Version 1.1.2
 the supplicant is the original Windows supplicant and machine
 authentication is activated.

 Because we are working with the policy system from enterasys the normal
 user authentication starts with a ldap request to the active directory for
 group to policy mapping.
 Therefore we have such user-entries:

 DEFAULT LDAP-Group == CN=adminrole,CN=users,DC=isalab,DC=local,
 Huntgroup-Name == enterasys

Re: [RE]Freeradius-Users Digest, Vol 18, Issue 98

2006-11-15 Thread wekz
If it's not a requirement for your system, why don't you apt-get install openssl? And if you don't plan to use openssl, you could install only libssl0.9.7 and libssl-dev. Both with apt. That is what I do and works!

Cheers (I hope this works for you ;) )

2006/11/15, Ana Gallardo Gómez [EMAIL PROTECTED]:

 Sorry for my english...

 I had the same problem with Freeradius-OpenSSL. I'm running a Debian Sarge 3.1. My installation is:

 /usr/local/openssl --  OpenSSL binaries
 /usr/local/radius --  Freeradius binaries
 /usr/local/freeradius-1.1.3 --  Freeradius source
 /usr/local/openssl-0.9.7k --  OpenSSL source

 To compile and install OpenSSL:

 /usr/local/openssl-0.9.7k/.config shared --prefix=/usr/local/openssl
 /usr/local/openssl-0.9.7k/make
 /usr/local/openssl-0.9.7k/make install

 Copy OpenSSL library and include files to /usr/local/lib and /usr/local/include.

 To compile and install Freeradius:

 /usr/local/freeradius-1.1.3/.configure --prefix=/usr/local/radius
 /usr/local/freeradius-1.1.3/make
 /usr/local/freeradius-1.1.3/make install

 :)

Re: build rpm packages on centOS

2006-11-15 Thread Michael Messner
Patric said:
 Michael Messner wrote:

 jep from source it compiles,

 16:05:16 Xradius ~/rpmbuild/SPECS [root]rpmbuild -ba freeradius.spec

 ca mIke

 Sorry man, in that case I'm not sure what the problem is...
 You might get more help from the guys on GLUG Tech if you post there -
 www.glug.org.za

 Let me know if you resolve it, I'd be interested to know what the problem
  was!

I've found out that the problem is in the line with %pre

freeradius.spec:
...
cd ..
echo test1
%pre
echo test2
/usr/sbin/useradd -c "radiusd user" -r -s /bin/false -u 95 -d / radiusd 2>/dev/null || :
...

before the test2 it breaks!

ideas?

ca mIke






how to force NAS-port info in accounting-start, for radutmp to work ok

2006-11-15 Thread Radu IONESCU
 

I have installed freeradius-1.0.5-1.2 on FC-5, and
I intend to use Freeradius with only one NAS - ZyXEL VSG-1200 - a subscriber
gateway for wire/wireless campus access zone.
The NAS is defined in clients.conf file as nastype = other.
The VSAs are working ok.
It seems that the NAS doesn't include the NAS-Port attribute (Integer) in
the accounting packets, so RADIUS accounting process doesn't write into
radwtmp/radutmp files (radwho outputs no data), and Simultaneous-Use check is
not effective:

  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!

Is there a workaround for this, I mean on the RADIUS host?
Thank you for any help!

ri

Following is a radiusd -X output for a current accounting request:

~
rad_recv: Accounting-Request packet from host 192.168.19.226:10661, id=7,
length=136
User-Name = pcrist
Acct-Status-Type = Alive
Acct-Delay-Time = 0
Acct-Session-Id = 0050fce855203100
NAS-IP-Address = 192.168.19.226
NAS-Identifier = vsg
Framed-IP-Address = 10.59.1.2
Calling-Station-Id = 00-50-FC-E8-55-20
Called-Station-Id = 00-13-49-6F-EE-C4
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 21
  modcall[preacct]: module preprocess returns noop for request 21
rlm_acct_unique: Hashing 'Client-IP-Address = 192.168.19.226,NAS-IP-Address
= 192.168.19.226,Acct-Session-Id =  0050fce855203100,User-Name =
pcrist'
rlm_acct_unique: Acct-Unique-Session-ID = c425325ee3d8e6fc.
  modcall[preacct]: module acct_unique returns ok for request 21
  modcall[preacct]: module files returns noop for request 21
modcall: group preacct returns ok for request 21
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 21
radius_xlat:  '/var/log/radius/radacct/192.168.19.226/detail-20061115'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to  /var/log/radius/radacct/192.168.19.226/detail-20061115
  modcall[accounting]: module detail returns ok for request 21
  modcall[accounting]: module unix returns noop for request 21
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  'pcrist'
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
  modcall[accounting]: module radutmp returns noop for request 21
modcall: group accounting returns ok for request 21 Sending
Accounting-Response of id 7 to 192.168.19.226:10661 Finished request 21
Going to the next request ~~


and this is a radiusd -X output when I simulate an accounting packet with
NTRadPing, forcing an attribute of NAS-port=1:


~~
rad_recv: Accounting-Request packet from host 192.168.19.11:3828, id=4,
length=43
User-Name = dani
Acct-Status-Type = Start
Acct-Session-Id = 460
NAS-Port = 1
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 22
  modcall[preacct]: module preprocess returns noop for request 22
rlm_acct_unique: Hashing 'Client-IP-Address = 192.168.19.11,NAS-IP-Address =
192.168.19.11,Acct-Session-Id = 460,User-Name  = dani'
rlm_acct_unique: Acct-Unique-Session-ID = 45e816fe4586d71f.
  modcall[preacct]: module acct_unique returns ok for request 22
  modcall[preacct]: module files returns noop for request 22
modcall: group preacct returns ok for request 22
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 22
radius_xlat:  '/var/log/radius/radacct/192.168.19.11/detail-20061115'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to  /var/log/radius/radacct/192.168.19.11/detail-20061115
  modcall[accounting]: module detail returns ok for request 22
  modcall[accounting]: module unix returns ok for request 22
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  'dani'
  modcall[accounting]: module radutmp returns ok for request 22
modcall: group accounting returns ok for request 22 Sending
Accounting-Response of id 4 to 192.168.19.11:3828 Finished request 22 Going
to the next request
--- Walking the entire request list ---
Cleaning up request 22 ID 4 with timestamp 455b108c Nothing to do.  Sleeping
until we see a request.
~~

the above seems ok, as I have now an entry in radutmp:

# radwho
Login  Name  What  TTY  When  From  Location
dani   dani  shell S1   Wed 15:05 193.254.2 

and an authentication packet sent with NTRadPing with the same user-name
'dani' gets an 'Access-Reject' response:

'You are already logged in - access denied'

So, Simultaneous-Use works ok for me if NAS includes NAS-port attribute in
accounting start packet.

I wrote to ZyXEL without much hope for an answer, so I am looking for a
FreeRADIUS workaround

identify dial-up test session

2006-11-15 Thread Ryan Melendez

Hello,

I would like to identify a ppp session as a test session by somehow
marking the accounting records.  I've considered overloading the
username sent by pppd to include a .test and alter the 'Service-Type'
based on the suffix.  I'd like to be able to somehow pass an Attribute
from LCP-IPIP-RADIUS to identify a session as unique, but I'm not sure
if that is even possible.  Note, I do not need any special service that
might be associated with say a Service-Type = Administrative, just an
Attribute I can load to the db to later filter out.  Has anyone tried
anything similar in the past?  If anyone can point me in the right
direction I would really appreciate it.

-- 
Thanks,
Ryan


PEAPv2 Server

2006-11-15 Thread MURAT SEZGIN

Hi,

I am trying to implement a PEAP version 2 
(draft-josefsson-pppext-eap-tls-eap-10.txt) client. I was using Odyssey 
Server Administration server for PEAP v1 and EAP-TTLS. But the server does 
not support PEAP v2. Is there any other server software which supports PEAP 
v2? Or is there anybody who tried to test PEAP v2?


Regards,
Murat Sezgin



help on pppd chap authorize by freeradius

2006-11-15 Thread Alexandru Matei

Hi,
I encounter a CHAP authorization problem using pppoe3.8, ppp 2.4.4b1 
and Freeradius 1.1.3.

The relevant logs are:

PPP dump:

Nov 15 17:43:29 localhost pppd[7486]: rcvd [LCP ConfReq id=0x2 magic 
0x1b31752 pcomp accomp callback CBCP] 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00
Nov 15 17:43:29 localhost pppd[7486]: sent [LCP ConfRej id=0x2 pcomp 
accomp callback CBCP]
Nov 15 17:43:29 localhost pppd[7486]: rcvd [LCP ConfReq id=0x3 magic 
0x1b31752] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00
Nov 15 17:43:29 localhost pppd[7486]: sent [LCP ConfAck id=0x3 magic 
0x1b31752]
Nov 15 17:43:29 localhost pppd[7486]: sent [LCP EchoReq id=0x0 
magic=0xbe000118]
Nov 15 17:43:29 localhost pppd[7486]: sent [CHAP Challenge id=0x2 
dd114655881b93c9111ba4122068632faa63f98d, name = localhost]
Nov 15 17:43:29 localhost pppd[7486]: rcvd [CHAP Response id=0x2 
3e7ffb922fcba977f3dc8c2418d7dec2, name = test1] 00 00 00 00 00 00 00 
00 00 00 00 00

Nov 15 17:43:29 localhost pppd[7486]: rc_avpair_new: unknown attribute 60
Nov 15 17:43:31 localhost pppd[7486]: Peer test1 failed CHAP authentication
Nov 15 17:43:31 localhost pppd[7486]: sent [CHAP Failure id=0x2 ]
Nov 15 17:43:31 localhost pppd[7486]: sent [LCP TermReq id=0x2 
Authentication failed]
Nov 15 17:43:31 anton pppd[7486]: rcvd [LCP TermAck id=0x2] 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 ...

Nov 15 17:43:31 anton pppd[7486]: Connection terminated.
Nov 15 17:43:31 anton pppoe-server[7171]: Sent PADT

Freeradius log

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=64, length=89
   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = test1
   CHAP-Password = 0x023e7ffb922fcba977f3dc8c2418d7dec2
   Calling-Station-Id = 00:20:18:8E:6C:0E
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 0
 Processing the authorize section of radiusd.conf
.
 modcall[authorize]: module sql returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
 rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
 Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 1
 rlm_chap: login attempt by test1 with CHAP password
 rlm_chap: Using clear text password password for user test1 
authentication.

 rlm_chap: Pasword check failed
 modcall[authenticate]: module chap returns reject for request 1
modcall: leaving group CHAP (returns reject) for request 1
auth: Failed to validate the user.

Although I can obtain authorization using:

[EMAIL PROTECTED] echo User-Name = test1, CHAP-Password=password | 
radclient localhost auth password

Received response ID 100, code 2, length = 62
   Framed-Compression = None
   Service-Type = Framed-User
   Framed-IP-Address = 193.226.57.105
   Framed-IP-Netmask = 255.255.255.0
   Framed-MTU = 1492
   Framed-Protocol = PPP
   Port-Limit = 1

Does anyone encounter the same problem?

I can add that chap fails with all ppp versions (=2.4.2)
Thank you,

Alex
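
Added example (not part of the original post): how a RADIUS server checks a CHAP-Password such as the one in the radiusd log above. RADIUS attribute 60, the number pppd reports as unknown, is CHAP-Challenge (RFC 2865), and when it is absent the server takes the Request Authenticator as the challenge. The CHAP ID, challenge and clear-text password are the values shown in the logs; the Request Authenticator and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Values visible in the pppd and radiusd logs above.
CHAP_ID = 0x02
PPP_CHALLENGE = bytes.fromhex("dd114655881b93c9111ba4122068632faa63f98d")
CLEARTEXT = b"password"
# Constructed: a 16-octet Request Authenticator (random per packet in practice).
REQUEST_AUTHENTICATOR = bytes(range(16))


def chap_response(ident, secret, challenge):
    """RFC 1994 section 4.1: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def encode_chap_password(ident, secret, challenge):
    """CHAP-Password (attribute 3): one CHAP ID octet plus the 16-octet response."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def verify_chap(chap_password, secret, request_authenticator, chap_challenge=None):
    """Server-side check following RFC 2865 section 2.2.

    The challenge is the CHAP-Challenge attribute if the packet carries one,
    otherwise the Request Authenticator of the Access-Request.
    """
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 1 + 16 octets")
    ident, response = chap_password[0], chap_password[1:]
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


def scenarios():
    """Return the verification result for three client behaviours."""
    # Response computed over the challenge that pppd issued to the peer.
    from_ppp = encode_chap_password(CHAP_ID, CLEARTEXT, PPP_CHALLENGE)
    # Response computed over the Request Authenticator itself.
    from_auth = encode_chap_password(CHAP_ID, CLEARTEXT, REQUEST_AUTHENTICATOR)
    return {
        "ppp challenge forwarded as attribute 60": verify_chap(
            from_ppp, CLEARTEXT, REQUEST_AUTHENTICATOR, PPP_CHALLENGE),
        "ppp challenge used but attribute 60 not sent": verify_chap(
            from_ppp, CLEARTEXT, REQUEST_AUTHENTICATOR),
        "authenticator used as challenge, no attribute 60": verify_chap(
            from_auth, CLEARTEXT, REQUEST_AUTHENTICATOR),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

With the same correct password, the check passes only when the server hashes the same challenge the peer answered, so a dropped attribute 60 is one thing to look for on the NAS side.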






Re: machine authentication

2006-11-15 Thread Michael Messner
ok, now the normal authentication process works again!

normally our config from the ldap request looks like the following:

radiusd.conf:

basedn = CN=Users,DC=isalab,DC=local
filter = sAMAccountName=%{Stripped-User-Name:-%{User-Name})
groupname_attribute = cn
groupmembership_filter =
(|((member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
groupmembership_attribute = memberOf

users:
DEFAULT LDAP-Group == CN=adminrole,CN=users,DC=isalab,DC=local,
Huntgroup-Name == enterasys, Realm == ISALAB.local
Filter-ID == Enterasys:version=1:mgmt=su:policy=adminrole,
Reply-Message = Welcome %{Stripped-User-Name:-%{User-Name:-None}}
in the %{Realm} - Domain, there are no restrictions for you in
this network,
Fall-Through = No

with this config we get the groupmembership from the users and we can
give the filter-ID back to the switches.

But with machine authentication it looks a bit different!
first the DC is Computers, no more users, then the sAMAccountName is for
example IT88$ and freeradius gives the name host/it88.isalab.local to the
AD, but this name stands in the servicePrincipalName!
also there is no memberOf any more at the device!

any ideas how this can be done?

ca mIke




Re: machine authentication (was: Windows-Domain login without local users)

2006-11-15 Thread Alan DeKok
Michael Messner [EMAIL PROTECTED] wrote:
  I've found out that there goes something completely wrong, there is
 always the ldap request!

  Because you configured it to do that?  See doc/configurable_failover
for how to handle failure cases.

  ldap: filter = sAMAccountName=%{Stripped-User-Name:-%{User-Name})

  That doesn't look right.

 rlm_ldap: performing search in CN=Users,DC=isalab,DC=local, with filter
 sAMAccountName=bob)
 rlm_ldap: ldap_search() failed: Bad search filter: sAMAccountName=bob)

  You're missing a bracket.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
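
Added example (not from the thread and not FreeRADIUS code): a small linter for the filter template discussed above. It pairs every `%{` expansion and every `(` with its closer, reports the column where pairing breaks, and renders a well-formed template with RFC 4515 escaping of the substituted value. Function names and sample attribute values are constructed, and `FIXED_FILTER` is an assumption about the intended filter.

```python
# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

PAGE_FILTER = "sAMAccountName=%{Stripped-User-Name:-%{User-Name})"      # from the post
FIXED_FILTER = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"   # assumed intent


def lint_template(tpl):
    """Return [(column, message)] for every unbalanced '%{', '}', '(' or ')'."""
    problems, stack, i = [], [], 0
    while i < len(tpl):
        if tpl.startswith("%{", i):
            stack.append(("%{", i))
            i += 2
            continue
        ch = tpl[i]
        if ch == "(":
            stack.append(("(", i))
        elif ch in "})":
            want = "%{" if ch == "}" else "("
            if stack and stack[-1][0] == want:
                stack.pop()
            elif stack:
                kind, col = stack[-1]
                problems.append(
                    (i, f"'{ch}' found while {kind!r} opened at column {col} is still open"))
            else:
                problems.append((i, f"'{ch}' has no matching opener"))
        i += 1
    problems.extend((col, f"{kind!r} is never closed") for kind, col in stack)
    return problems


def escape_value(value):
    """Escape a substituted value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def _matching_brace(tpl, start):
    """Index of the '}' that closes the '%{' whose body begins at start."""
    depth = 1
    for j in range(start, len(tpl)):
        if tpl.startswith("%{", j):
            depth += 1
        elif tpl[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unclosed %{ expansion")


def render(tpl, attrs):
    """Expand %{Attr} and %{Attr:-fallback}; raises ValueError on an unclosed %{."""
    out, i = [], 0
    while i < len(tpl):
        if tpl.startswith("%{", i):
            end = _matching_brace(tpl, i + 2)
            name, sep, fallback = tpl[i + 2:end].partition(":-")
            if attrs.get(name):
                out.append(escape_value(attrs[name]))
            elif sep:
                out.append(render(fallback, attrs))
            i = end + 1
        else:
            out.append(tpl[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    for col, msg in lint_template(PAGE_FILTER):
        print(f"column {col}: {msg}")
    print(render(FIXED_FILTER, {"User-Name": "bob"}))
```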


FreeRadius Newbie

2006-11-15 Thread Gustavo Alejandro Gonzalez
Hello All!, I'm a newbie in RADIUS, I have installed freeradius and I want to
configure it to work as AAA with CISCO AV-PAIRS. I have a program that sends
requests as a radius client and the attributes that I send are:

Authentication:
I send to radius:
==ACCESS REQUEST
==USERNAME:(8 digits)
==PASSWORD:(4 digits)
==VENDOR: Cisco-AVPair
I receive from radius
if:
==ACCESS ACCEPT
==Cisco-AVPair=' h323--credit-amount=xx'
==Cisco-AVPair=' h323-return-code=X'
else:
==ACCESS REJECT

Radius uses a mysql database to process this Authentication. I appreciate any
help in configuring freeradius as shown. Greetings,



Re: FreeRadius Newbie

2006-11-15 Thread Hernan Antolini

Gustavo, the better place to start is your server documentation: freeradius.x.xx/doc/aaa.txt, Autz-Type, etc.
then the config files of your server: radiusd.conf and sql.conf. I've started
with this good guide http://www.frontios.com/freeradius.html, it will guide
you through config mysql for your radius.
The best you can do, my opinion, is go ahead, make your better try and radiusd -X + radtest ... they will
tell you where it fails.
Good luck

Hernan Antolini

[EMAIL PROTECTED]
wrote on 11/15/2006 01:57:58 PM:

 Hello All!, I'm a newbie in RADIUS, I have installed freeradius and I want to
 configure it to work as AAA with CISCO AV-PAIRS. I have a program that sends
 requests as a radius client and the attributes that I send are:
 
 Authentication:
 I send to radius:
 ==ACCESS REQUEST
 ==USERNAME:(8 digits)
 ==PASSWORD:(4 digits)
 ==VENDOR: Cisco-AVPair
 I receive from radius
 if:
 ==ACCESS ACCEPT
   ==Cisco-AVPair=' h323--credit-amount=xx'
   ==Cisco-AVPair=' h323-return-code=X'
 else:
 ==ACCESS REJECT
 
 Radius uses a mysql database to process this Authentication. I appreciate any
 help in configuring freeradius as shown. Greetings,

Re: help on pppd chap authorize by freeradius

2006-11-15 Thread Alan DeKok
Alexandru Matei [EMAIL PROTECTED] wrote:
   rlm_chap: Using clear text password password for user test1 
 authentication.
   rlm_chap: Pasword check failed

  That would appear pretty definitive.

 Although I can obtain authorization using:
 
 [EMAIL PROTECTED] echo User-Name = test1, CHAP-Password=password | 
 radclient localhost auth password

 I can add that chap fails with all ppp versions (=2.4.2)

  I would suggest that the problem is the NAS.  Which NAS are you
using?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: [RE]Freeradius-Users Digest, Vol 18, Issue 98

2006-11-15 Thread wekz
Uh-Uh Sorry I think I missed part of the thread.

2006/11/15, wekz [EMAIL PROTECTED]:

 If it's not a requirement for your system, why don't you apt-get install openssl? And if you don't plan to use openssl, you could install only libssl0.9.7 and libssl-dev. Both with apt. That is what I do and works!

 Cheers (I hope this works for you ;) )

 2006/11/15, Ana Gallardo Gómez [EMAIL PROTECTED]:

  Sorry for my english...

  I had the same problem with Freeradius-OpenSSL. I'm running a Debian Sarge 3.1. My installation is:

  /usr/local/openssl --  OpenSSL binaries
  /usr/local/radius --  Freeradius binaries
  /usr/local/freeradius-1.1.3 --  Freeradius source
  /usr/local/openssl-0.9.7k --  OpenSSL source

  To compile and install OpenSSL:

  /usr/local/openssl-0.9.7k/.config shared --prefix=/usr/local/openssl
  /usr/local/openssl-0.9.7k/make
  /usr/local/openssl-0.9.7k/make install

  Copy OpenSSL library and include files to /usr/local/lib and /usr/local/include.

  To compile and install Freeradius:

  /usr/local/freeradius-1.1.3/.configure --prefix=/usr/local/radius
  /usr/local/freeradius-1.1.3/make
  /usr/local/freeradius-1.1.3/make install

  :)

RE: huntgroup issue, multiple huntgroups per device

2006-11-15 Thread Charles Tompkins
Thanks Neal!  That works like a champ.

Funny note: The attribute I chose to discriminate with isn't present in the
accounting requests, so I had to give vpn user huntgroup a 2nd entry and
attribute so accounting would work properly.

I appreciate the help.
Regards,
-Charles


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Garber, Neal
Sent: Tuesday, November 14, 2006 3:51 PM
To: FreeRadius users mailing list
Subject: RE: huntgroup issue, multiple huntgroups per device

Is it possible to have multiple huntgroups for the same NAS-IP-ADDRESS?
I am running into this issue trying to configure a vpn appliance that
uses
the same freeRADIUS server to authenticate its users as well as its
admins.

Yes, but something needs to distinguish the two (another attribute).
Are you saying that your appliance is using radius to authenticate VPN
users as well as to authenticate admins. that are using telnet/ssh/http
to administratively manage the appliance?  If so, check the request
attributes for each type of access.  Then, you can add the attribute
that lets you tell what access type the user is requesting.

For instance, I have an AP that uses FR to authenticate 802.11 users as
well as for local logons to the AP itself.  In my case, the
NAS-Port-Type allows me to discern the difference between the two types
of access.  For 802.11 user access, the AP sends NAS-Port-Type =
Wireless-802.11 and for local logon, the AP sends NAS-Port-Type =
Async or Virtual.  Figure out what's different in the request and
then you can have multiple NAS-IP-Address == 10.20.30.1 entries with
different values in the other attribute.  For example:

vpn        NAS-IP-Address == 10.20.30.1, NAS-Port-Type == XXX
           Group = VPNUSERS

vpn-admin  NAS-IP-Address == 10.20.30.1, NAS-Port-Type == YYY
           User-Name = admin1,
           User-Name = admin2




Different accounting based on avpair

2006-11-15 Thread Nuno Pais Fernandes
Hi,

I've been searching the ML for something related to this without any success.
I don't know if freeradius does what i need and correct me if i'm wrong.

I want to freeradius insert/update different sql tables using a avpair from my 
custom dictionary. What i would like is something like this:

if avpair Wireless = yes use accounting module sql1
else use accounting module sql2

accounting {
acct_unique
sql1 if (Wireless = yes) 
sql2 if (Wireless != yes)
}

Could it be done with users file?

Thanks,
-- 
Nuno Miguel Pais Fernandes [EMAIL PROTECTED]
Cisco Certified Network Associate
Oracle Certified Professional
Eurotux Informática, S.A. [http://eurotux.com]
Rua Rosalvo de Almeida, 5. 4710-429 BRAGA PORTUGAL
Tel: (+351) 253 257395 - Fax: (+351) 253 257396



Radius and mysql

2006-11-15 Thread Marilene Lima
Hi,
Thanks a lot for the response. But I have two problems. The first is my english: I am Brazilian and I might not write in english very well... ; )
The second and more important problem is this: I configured my freeradius server, I can authenticate with my users ldap... but I configured my mysql server too, but I can't to authenticate with the mysql users... the access is denied... even when the user and password is correct... 
hoI think that the server isn't looking for my users in mysql database. Someone knows how I can to test if the freeradius is looking for my users in my mysql database too?
Thanks a lot,
Marilene

what is best among the opensource backends

2006-11-15 Thread Sri
Hi list,

Among the opensource ID stores (MySQL, openLDAP) for freeRadius, which one offers the optimum utilization of resources (like cpu cycles, ram etc.). Can anyone pls tell me the pros and cons of using these.

Thanks in Advance.
Kris

Re: machine authentication

2006-11-15 Thread Michael Messner
hey alan,

Alan DeKok wrote:
 Michael Messner [EMAIL PROTECTED] wrote:
  I've found out that there goes something completely wrong, there is
 always the ldap request!
 
   Because you configured it to do that?  See doc/configurable_failover
 for how to handle failure cases.

ok, thanks for the information

 
  ldap: filter = sAMAccountName=%{Stripped-User-Name:-%{User-Name})
 
   That doesn't look right.

the bracket is now fixed, was this the only thing or is something else
not correct?

ca mIke


Re: Radius and mysql

2006-11-15 Thread Hernan Antolini

Marilene, send the output of your radiusd
-X at the moment you are trying to authenticate users; there should be
the response.
Regards.

[EMAIL PROTECTED]
wrote on 11/15/2006 04:15:36 PM:

 Hi,
 Thanks a lot for the response. But I have two problems. The first is
 my english: I am Brazilian and I might not write in english very well... ; )
 The second and more important problem is this: I configured my
 freeradius server, I can authenticate with my users ldap... but I
 configured my mysql server too, but I can't to authenticate with the
 mysql users... the access is denied... even when the user and
 password is correct...
 ho
 I think that the server isn't looking for my users in mysql
 database. Someone knows how I can to test if the freeradius is
 looking for my users in my mysql database too?
 Thanks a lot,
 Marilene

Adding queries to sql.conf and/or radiusd.conf

2006-11-15 Thread Michelle Manning

Hi,

I am looking to set radcheck.activeDate and radcheck.activated when a 
user logs in for the first time.
At this same time I want to update or insert an expiration attribute for 
that user. I tried putting an
update in the sql.conf file for the radcheck table with the queries that 
insert /or update radacct.
Of course it didn't work. How can I add more queries to this area and 
how do I let Radius know that
these queries have to run at specific times like accounting_start_query 
and accounting_update_query.


I also tried concatenation of two queries but that didn't work either.

Has anyone tried this before? Any ideas for me?

I also thought about putting it in radiusd.conf file. Not sure where to 
start there.


Thanks much.
Michelle


Running freeRadius 1.1.3



Re: Radius and mysql

2006-11-15 Thread Alan DeKok
Marilene Lima [EMAIL PROTECTED] wrote:
 The second and more important problem is this: I configured my freeradius
 server, I can authenticate with my users ldap... but I configured my mysql
 server too, but I can't to authenticate with the mysql users... the access
 is denied... even when the user and password is correct...

$ radiusd -X

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: PEAPv2 Server

2006-11-15 Thread Alan DeKok
MURAT SEZGIN [EMAIL PROTECTED] wrote:
 I am trying to implement a PEAP version 2 
 (draft-josefsson-pppext-eap-tls-eap-10.txt) client. I was using Odyssey 
 Server Administration server for PEAP v1 and EAP-TTLS. But the server does 
 not support PEAP v2. Is there any other server softwares which support PEAP 
 v2? Or is there any body who tried to test PEAP v2?

  Microsoft supports PEAPv2, I think.

  My suggestion is to implement PEAPv2 in a server first, and to test
that implementation with the Microsoft clients.  Once that works, you
then have a server you can use to test your client implementation.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeRADIUS on Solaris 10 - x86

2006-11-15 Thread Michael Messner

hey,

Ramm-Ericson, Johannes wrote:

 configure: WARNING: silently not building rlm_counter.
 configure: WARNING: FAILURE: rlm_counter requires:  libgdbm.
 configure: WARNING: silently not building rlm_ippool.
 configure: WARNING: FAILURE: rlm_ippool requires:  libgdbm.
 configure: WARNING: the comm_err library isn't found!
 configure: WARNING: silently not building rlm_krb5.
 configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.
 configure: WARNING: silently not building rlm_ldap.
 configure: WARNING: FAILURE: rlm_ldap requires:  libldap_r.
 
 If you plan to authenticate against Active Directory then, yes, you
 _probably_ need the krb5 module. However, if you are using (for example)
 Quests VAS - vintela authentication system, you can authenticate against
 the Unix backend and don't need to compile kerberos and LDAP support.
 It's all a question of how you plan to set up and use your environment.

We need ldap and kerberos, so I've installed now:

12:47:03 unknown ~ [root]pkg-get -c | grep -i gdbm
gdbm               1.8.3,REV=2006.01.01      SAME
12:49:37 unknown ~ [root]pkg-get -c | grep -i krb
krb5_admin_server  1.4.2,REV=2005.08.14      SAME
krb5_doc           [Not installed]           1.4.2,REV=2005.08.14
krb5_kdc           1.4.2,REV=2005.08.14      SAME
krb5_lib           1.4.2,REV=2005.08.14      SAME
krb5_lib_dev       1.4.2,REV=2005.08.14      SAME
krb5_user          1.4.2,REV=2005.08.14      SAME
13:28:05 unknown ~ [root]pkg-get -c | grep -i ldap
mod_ldap           1.8                       SAME
openldap           2.3.28,REV=2006.11.10     SAME
openldap_client    2.3.28,REV=2006.11.10     SAME
openldap_devel     2.3.28,REV=2006.11.10     SAME
openldap_rt        2.3.28,REV=2006.11.10     SAME
php4_ldap          [Not installed]           4.4.4
php5_ldap          [Not installed]           5.1.6,REV=2006.09.02
pm_ldap            0.3300,REV=2006.03.07     SAME
py_ldap            2.0.11                    SAME
sudo_ldap          [Not installed]           1.6.8p12,REV=2006.01.27

and

21:09:19 unknown ~ [root]echo $LD_LIBRARY_PATH
/lib:/usr/sfw/lib:/usr/local/lib:/usr/lib:/usr/share/lib:/usr/dt/lib:/opt/csv/lib
21:09:20 unknown ~ [root]echo $PATH
/opt/csw/bin:/opt/csw/sbin/:/opt/csw/bin/:/bin:/sbin:/usr/ccs/bin:/usr/sfw/bin:/usr/bin:/usr/sbin:/usr/ucb:/etc:.

but the warnings are the same!
do I need something else?

thanks
mIke


Re: PEAPv2 Server

2006-11-15 Thread MURAT SEZGIN


Microsoft supports PEAPv2 as a server or only as client?

Regards,
Murat Sezgin





From: Alan DeKok [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: PEAPv2 Server
Date: Wed, 15 Nov 2006 14:49:34 -0500

MURAT SEZGIN [EMAIL PROTECTED] wrote:
 I am trying to implement a PEAP version 2
 (draft-josefsson-pppext-eap-tls-eap-10.txt) client. I was using Odyssey
 Server Administration server for PEAP v1 and EAP-TTLS. But the server does
 not support PEAP v2. Is there any other server softwares which support PEAP
 v2? Or is there any body who tried to test PEAP v2?

  Microsoft supports PEAPv2, I think.

  My suggestion is to implement PEAPv2 in a server first, and to test
that implementation with the Microsoft clients.  Once that works, you
then have a server you can use to test your client implementation.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


prepaid accounting

2006-11-15 Thread Engin Deveci








Hi,



I need to find a solution for my one-time event based accounting
problem. I have users which buy prepaid cards and use them to add credit to
their web accounts. User download videos later using their credits. I'm
asked to use radius for authentication and accounting. I couldn't figure
out how I can do this with freeradius. Is it doable with freeradius? If not,
please show me the way to do this.



Regards,



Engin Deveci







Re: PEAPv2 Server

2006-11-15 Thread [EMAIL PROTECTED]
Microsoft implements something better known as PEAP v0
see: draft-kamath-pppext-peapv0-00.txt, “Microsoft’s PEAP v0
(Implemented in Windows XP SP1)”, July 2002,
http://www.watersprings.org/pub/id/draft-kamath-pppext-peapv0-00.txt
 
As far as I know, no-one implements PEAP v2, and it's not clear why 
you would build a server for it if you don't have a client?

Dave.

Original Message
From: [EMAIL PROTECTED]
Date: Nov 15, 2006 14:49
To: FreeRadius users mailing list [EMAIL PROTECTED]
Subj: Re: PEAPv2 Server

MURAT SEZGIN [EMAIL PROTECTED] wrote:
 I am trying to implement a PEAP version 2
 (draft-josefsson-pppext-eap-tls-eap-10.txt) client. I was using Odyssey
 Server Administration server for PEAP v1 and EAP-TTLS. But the server does
 not support PEAP v2. Is there any other server softwares which support PEAP
 v2? Or is there any body who tried to test PEAP v2?

  Microsoft supports PEAPv2, I think.

  My suggestion is to implement PEAPv2 in a server first, and to test
that implementation with the Microsoft clients.  Once that works, you
then have a server you can use to test your client implementation.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: help on pppd chap authorize by freeradius

2006-11-15 Thread debik

The problem is in attribute 60. Compare your dictionaries.

- Original Message - 
From: Alexandru Matei [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, November 15, 2006 4:57 PM
Subject: help on pppd chap authorize by freeradius



Hi,
I encounter an chap authorization problem using pppoe3.8, ppp 2.4.4b1 and 
Freeradius 1.1.3.

The relevant logs are:

PPP dump:

Nov 15 17:43:29 localhost pppd[7486]: rcvd [LCP ConfReq id=0x2 magic 0x1b31752 pcomp accomp callback CBCP] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Nov 15 17:43:29 localhost pppd[7486]: sent [LCP ConfRej id=0x2 pcomp accomp callback CBCP]
Nov 15 17:43:29 localhost pppd[7486]: rcvd [LCP ConfReq id=0x3 magic 0x1b31752] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Nov 15 17:43:29 localhost pppd[7486]: sent [LCP ConfAck id=0x3 magic 0x1b31752]
Nov 15 17:43:29 localhost pppd[7486]: sent [LCP EchoReq id=0x0 magic=0xbe000118]
Nov 15 17:43:29 localhost pppd[7486]: sent [CHAP Challenge id=0x2 dd114655881b93c9111ba4122068632faa63f98d, name = localhost]
Nov 15 17:43:29 localhost pppd[7486]: rcvd [CHAP Response id=0x2 3e7ffb922fcba977f3dc8c2418d7dec2, name = test1] 00 00 00 00 00 00 00 00 00 00 00 00
Nov 15 17:43:29 localhost pppd[7486]: rc_avpair_new: unknown attribute 60
Nov 15 17:43:31 localhost pppd[7486]: Peer test1 failed CHAP authentication
Nov 15 17:43:31 localhost pppd[7486]: sent [CHAP Failure id=0x2 ]
Nov 15 17:43:31 localhost pppd[7486]: sent [LCP TermReq id=0x2 Authentication failed]
Nov 15 17:43:31 anton pppd[7486]: rcvd [LCP TermAck id=0x2] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
Nov 15 17:43:31 anton pppd[7486]: Connection terminated.
Nov 15 17:43:31 anton pppoe-server[7171]: Sent PADT

Freeradius log

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=64, length=89
   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = test1
   CHAP-Password = 0x023e7ffb922fcba977f3dc8c2418d7dec2
   Calling-Station-Id = 00:20:18:8E:6C:0E
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 0
 Processing the authorize section of radiusd.conf
.
 modcall[authorize]: module sql returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
 rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
 Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 1
 rlm_chap: login attempt by test1 with CHAP password
 rlm_chap: Using clear text password password for user test1 authentication.
 rlm_chap: Pasword check failed
 modcall[authenticate]: module chap returns reject for request 1
modcall: leaving group CHAP (returns reject) for request 1
auth: Failed to validate the user.

Although I can obtain authorization using:

[EMAIL PROTECTED] echo User-Name = test1, CHAP-Password=password | radclient localhost auth password

Received response ID 100, code 2, length = 62
   Framed-Compression = None
   Service-Type = Framed-User
   Framed-IP-Address = 193.226.57.105
   Framed-IP-Netmask = 255.255.255.0
   Framed-MTU = 1492
   Framed-Protocol = PPP
   Port-Limit = 1

Does anyone encounter the same problem?

I can add that chap fails with all ppp versions (=2.4.2)
Thank you,

Alex






Re: PEAPv2 Server

2006-11-15 Thread Alan DeKok
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 As far as I know, no-one implements PEAP v2, and it's not clear why 
 you would build a server for it if you don't have a client?

  I thought MS had a client implementation, but I guess I'm wrong.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Radius and Mysql

2006-11-15 Thread Marilene Lima

Sr Alan DeKok,

When I used radiusd -X, I got just the message: Access Denied, but the
username and the password is correct. I use the Debian, I don't know if
the others linux servers are different.

Thanks a lot,
Marilene

Re: FR-1.1.3 on solaris10 strange things

2006-11-15 Thread Alan DeKok
Alexander Serkin [EMAIL PROTECTED] wrote:
 Proxy server instead of proxy server in proxy.conf.
 So it did not retries and set retry_delay to 0 and so on...

  Still, values of zero are bad.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Radius and Mysql

2006-11-15 Thread Alan DeKok
Marilene Lima [EMAIL PROTECTED] wrote:
 When I used radiusd -X, I got just the message: Access Denied

  No, you get a LOT more information than that.

  Run the server as radiusd -X that way, and post the output here.

  This is in the FAQ, README, and INSTALL.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


how radius server differentiates users with same name from different ip addresses

2006-11-15 Thread Sri
Hi List,

Pls find the following scenario:
When two users Admin1 and Admin2 are trying to get authentication against
freeRadius server, how FR differentiates the two requests.
Is it based on Source ip address?

Sri.





Prompting for credentials

2006-11-15 Thread sak

I have installed FreeRADIUS 1.1.3 on RHEL4. I want to authenticate clients
who use the wireless network. Clients are connected to server via Linksys
Wireless Router. Linksys Wireless Router is configured to have security mode
as RADIUS. Protocol being used is Protected EAP (PEAP). So the RADIUS
Configuration files are updated accordingly. Now RADIUS is working fine but
the problem is user is prompted for username and password for the first
time only. When user tries to connect next time it does not prompt for the
credentials but uses the same username and password. What I want is user
should be asked every time he tries to connect to the network, not for the
first time only. Is it possible that the information is being cached on the
client system? So can anyone help me?


Re: help on pppd chap authorize by freeradius

2006-11-15 Thread Alexandru Matei

Yes,
The problem was only the dictionary. In the default dictionary there was
no attribute 60

The problem is solved
Thank you
Alex

debik wrote:


The problem is in attribute 60. Compare your dictionaries.

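The failure resolved in this thread, reproduced as an added example (not code from pppd, its RADIUS plugin or FreeRADIUS): attribute 60 is CHAP-Challenge in RFC 2865, and a server that receives no CHAP-Challenge uses the Request Authenticator as the challenge, so a correct password is still rejected. All values and the helper names `build_access_request`, `server_verify` and `simulate` are constructed for illustration.

```python
import hashlib
import hmac

# RADIUS attribute numbers from RFC 2865.
CHAP_PASSWORD = 3
CHAP_CHALLENGE = 60


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_access_request(ident, response, challenge, known_attrs):
    """Hypothetical NAS-side encoder: like a client whose dictionary lacks an
    attribute, it leaves out anything not listed in known_attrs."""
    wanted = {
        CHAP_PASSWORD: bytes([ident]) + response,  # 1 + 16 octets
        CHAP_CHALLENGE: challenge,
    }
    return {num: val for num, val in wanted.items() if num in known_attrs}


def server_verify(attrs, request_authenticator, cleartext):
    """Server-side check: take the challenge from CHAP-Challenge if present,
    otherwise fall back to the Request Authenticator (RFC 2865, 5.3)."""
    chap_password = attrs.get(CHAP_PASSWORD)
    if chap_password is None or len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    challenge = attrs.get(CHAP_CHALLENGE, request_authenticator)
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(expected, response)


def simulate(known_attrs):
    """Run one login with constructed values and return the server verdict."""
    ident = 0x02
    password = b"password"              # constructed; same on peer and server
    challenge = bytes(range(20))        # constructed 20-octet NAS challenge
    authenticator = bytes([0xAA]) * 16  # constructed Request Authenticator
    response = chap_response(ident, password, challenge)  # done by the peer
    request = build_access_request(ident, response, challenge, known_attrs)
    return server_verify(request, authenticator, password)


if __name__ == "__main__":
    print("dictionary with attribute 60:   ",
          simulate({CHAP_PASSWORD, CHAP_CHALLENGE}))
    print("dictionary without attribute 60:", simulate({CHAP_PASSWORD}))
```
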


Re: Again problem with freeeradius, mysql setup

2006-11-15 Thread Stefan Winter
 I don't understand why in rlm_chap: login attempt by test1 with CHAP
 password  the password isn't listed, although the freeradius is in debug
 mode.

The CHAP-Password is listed (sort of): the packet dump of the incoming packet
contains it.
The clear-text password that is used to authenticate the user is not listed 
because it comes from mySQL, and the query results aren't shown.

The failed login very probably is because the password on the client side was 
wrong.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473

