Re: Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?

2007-01-17 Thread Peter Nixon
Ahh. yes. Ignore my reply. I neglected to read the history and assumed that 
you wanted to restrict which network devices certain groups of users should 
be able to access AFTER they are connected.

-Peter

On Tue 16 Jan 2007 12:00, Jan Mulders wrote:
 Hoping to be more helpful here, I know how to implement this functionality
 in freeradius, but only when using a mysql database backend (which is a
 good idea for most setups using more than about 20 users).

 I am assuming you want to control user logins to multiple NASes and this
 is what you meant by user 'x' can only login to IP addr 'y' and /or 'z'.
 If you need to just filter traffic based on real network devices, for
 example where Y and Z are IP addresses on your network, you can safely
 ignore my first radgroupcheck entry below that restricts NAS choice.
 If you get a standard mysql setup working, all you need to do is add the
 user's password to radcheck (for table names username,attribute,op,value
 you should have bobengineer,User-Password,==,nortel), and add the user
 to a group in radgroup (username, group = bobengineer,engineers). then you
 can set group-specific policies by putting entries in radgroupcheck and
 radgroupreply, such as...:

 radgroupcheck: [groupname,attribute,op,value]
 engineers,NAS-IP-Address,==,11.22.33.44   (all engineers connecting must
 do so from the NAS with IP address 11.22.33.44)
 engineers, Pool-Name,==,engineers_pool   (all engineers connecting will be
 assigned an IP from the 'engineers' IP pool, which means you can firewall
 them off using IPTables (or the Shorewall frontend to iptables, which I
 recommend using) or something similar)

 Basically this provides you with both tools you will need - the ability to
 restrict where users can log into, and the ability to restrict what IP
 address users receive. You'll need to set up rlm_ippool to automatically
 assign IPs, and you'll want to make sure your NAS devices send accounting
 packets (accounting start/stop are important - also if accounting stop's
 aren't sent, you'll run out of IP addresses).

 Hope this is a little more helpful than the usually flippant replies on
 the mailing list, I was in the same boat before too :-)

 thanks,

 Jan

 On 16/01/07, Peter Nixon [EMAIL PROTECTED] wrote:
  Yep. It's called a firewall...
 
  -Peter
 
  On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:
I am using PAM for auth-type in my users file. Is there a simple way
   to say that user 'x' can only login to IP addr 'y' and /or 'z'? I have
   groups of engrs, admins, and operators and need to discriminate who
   can access which device
  
   Scott
  
   -Original Message-
   From: Ellis, Scott 1 (N-Comptel Inc.)
   Sent: Tuesday, January 02, 2007 11:40 AM
   To: 'FreeRadius users mailing list'
   Cc: Ellis, Scott 1 (N-Comptel Inc.)
   Subject: RE: How to restrict users /PAM to specific NAS devices??
  
   I have looked it over, but I am still not clear. I was thinking that I
   could use huntgroups to map devices to specific groups, but then I am
   not clear on how to restrict users ('users' file) to those groups. I
   know this has probably been done most everywhere in one form or
   another. Any examples that show the actual entries in the approp.
   files?
  
   Thanks,
   Scott
  
   -Original Message-
   From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
   Sent: Tuesday, January 02, 2007 9:43 AM
   To: FreeRadius users mailing list
   Subject: Re: How to restrict users /PAM to specific NAS devices??
  
   Ellis, Scott 1 (N-Comptel Inc.) wrote:
I am using PAM for Auth-Type.
I want to be able to either 1) restrict the devices the user has
access to (admins,operators, etc) by username and/or 2) preferably
carve into groups my network gear/NAS devices and then assign users
to
  
   groups.
  
    See man rlm_passwd.  Its documentation describes how to create
   groups like this.
  
 Alan DeKok.
   --
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog
   -
   List info/subscribe/unsubscribe? See
   http://www.freeradius.org/list/users.html
 
  --
 
  Peter Nixon
  http://www.peternixon.net/
  PGP Key: http://www.peternixon.net/public.asc
 
 

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Bypassing freeradius accounting?

2007-01-17 Thread Peter Nixon
On Wed 17 Jan 2007 00:12, Tas Dionisakos wrote:
 I have successfully setup a freeradius, mysql, chillispot.

 Im just wondering if there is a way to allow free sites for my users,
 without radius accounting?

 I guessing that an IP table rules will do the job, as in allow a subnet
 range to bypass accounting.

 Has anyone successfully done this before, maybe some IP tables rules?

Hi Tas

I guess you should ask this on the chillispot list

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]

2007-01-17 Thread Peter Nixon
On Wed 17 Jan 2007 04:57, Long wrote:
 Probably a file or directory has the wrong permissions. When you run in
 debug with -X the server runs as root. When you run for real it changes
 to user radiusd or whatever you set up.
 
 Try strace -e open,stat -f radiusd and look for EPERM line

Are all the log files in /var/log/radius writable by the user you are running 
radiusd as?

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Building from CVS

2007-01-17 Thread A . L . M . Buxey
Hi,
 I wanted to try the Pre2.0 release in the CVS to see if the TLS locking
 code fixed the problem I had with the SSL errors in PEAP.
  
 I downloaded the snapshot from ftp.freeradius.org
 freeradius-server-snapshot-20070116.tar.bz2
 
 I'm building on Debian, so I wanted to package it (Especially since it
 not really released code yet)
 
 
 I unzipped it, and ran 
 fakeroot dpkg-buildpackage -b -uc
 
 It failed with:
 
 checking how to run the C++ preprocessor... /lib/cpp
 configure: error: C++ preprocessor /lib/cpp fails sanity check
 See `config.log' for more details.
 make: *** [stamp-build] Error 1
 netdev:/tmp/freeradius-server-snapshot-20070116#
 
 Config.log is as follows


do you have GCC plus all its other dependencies installed? looks like
configure can't find your compiler, link libraries or headers!

alan



Re: building 1.4 (CentOS 4.4) MYSQL 99% home

2007-01-17 Thread A . L . M . Buxey
Hi,
 Thanks to help from many folks here, tonight I got one property up and
 running on our new server. THANK YOU!
 
 Now, another question. When I start radius with  radiusd or
 /usr/local/sbin/radiusd, I get a brief message reading configuration
 file...; then, doing ps aux | grep radiusd returns nothing but my
 grep. If I start radius with radiusd -X all runs smoothly. Clearly, I
 need to be able to start it in normal mode and be able to verify its
 process; what am I doing wrong here? Version 1.4.

read /var/log/radiusd/radiusd.log or wherever the log files go. possibly file
permissions - do you run as radiusd user? can the files be read by radiusd?

alan


Re: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]

2007-01-17 Thread A . L . M . Buxey
Hi,
 Long wrote:
 BTW - I have it configured in radiusd.conf to run under nobody:nobody.
 
 Andrew 

 
 Hey Andrew,
 
 I'm sure you've checked it, but was there anything interesting in 
 radius.log?  /var/log/messages?

and is the /var/log/radius directory writable by 'nobody' user?

alan


Re: Building from CVS

2007-01-17 Thread Nicolas Baradakis
King, Michael wrote:

 I unzipped it, and ran 
 fakeroot dpkg-buildpackage -b -uc
 
 It failed with:
 
 checking how to run the C++ preprocessor... /lib/cpp
 configure: error: C++ preprocessor /lib/cpp fails sanity check
 See `config.log' for more details.
 make: *** [stamp-build] Error 1

apt-get install g++

-- 
Nicolas Baradakis



EAP-TLS certificate question

2007-01-17 Thread kemas
Hi all,

I've installed freeradius-1.1.3, use it with an AP Aironet 1100 doing EAP-TLS
and it works very well.
I'm still confused about certificates: can all client certificates created
under 1 root CA be authenticated against a freeradius that was started
with a different server certificate?

is it possible to set things like this

              root ca
           /     |     \
      server1 server2 server3
         |       |       |
      client1 client2 client3

I don't want client1 to be authenticated against server2 or server3.



thanks



Re: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]

2007-01-17 Thread Long

Are all the log files in /var/log/radius writable by the user you are running 
radiusd as?

Configured to run as nobody:nobody. chmod -R nobody:nobody 
/usr/local/var/log/radiusd allows me to run it as nobody now, but if I do 
radiusd > radlog & the radlog still only contains the first line Starting - 
reading configuration files... - although it does run and I can ps the 
process. Should I change permissions on all the other (/usr/local/etc/raddb..., 
/usr/local/share/freeradius...) files? I would very much appreciate a 
dir-by-dir listing of someone else's permissions, including the relevant 
libraries.

Is there anything wrong with my radiusd > radlog & (as root), considering I 
am including the & while the process drops to background anyway? And does the 
user need to have a real shell, as nobody is nologin?

-Andrew 
   


A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Marxy

My configuration is:

[poptop pptpd  pppd][freeradius]-[Microsoft IAS][ADS]

pptpd is 1.3.3
pppd is 2.4.4
freeradius is 1.1.3

Clients go from internet, make auth via MS IAS, but accounting does
freeradius.
All seems good. Clients go OK. Auth and accounting seems OK too.

But, I have couple of questions 

1. Accounting of Calling-station-id returns only first 4 characters of
user's IP address.
I noticed that if some user enters using his remote IP like 77.122.215.143
the record of his Calling-Station-Id would be 

Calling-Station-Id = 1.77

which are first 4 symbols of IP address in back order.

What's goin' wrong? I suppose that calling-station-id should be whole IP
address.

2. Radius does not understand some attributes from client.
a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received unknown
attribute 25 of length 30:
0x333B0427013700010A1701C735C490B2116B014C
b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service type 4 for
user21

But I know that these are

VALUE   Service-Type   Dialback-Framed-User   4

and

ATTRIBUTE   MS-CHAP2-Response   25   octets

as they are written in the dictionary file.
For the first case users can not login. Radius refuse them by wrong service
type.
In second case users login OK but I what to know why there is error anyway.

What is wrong here?

Thank for replies,
---
Oleg.



setting user profile depending on realms?

2007-01-17 Thread Markus Krause

Hi list!

We have an internal LAN with several VLANs, each corresponding the the  
unix group of the users. This VLAN information is stored in OpenLDAP  
(via radiusprofiledn), and that works :-)
But we want to give our users the possibility to get into a special  
VLAN, in particular one which is called Internetcafe (in which the  
can use special services). I thought of doing this by adding a realm  
to the username, so the users can either use username or  
[EMAIL PROTECTED] and gets the appropriate VLAN. To do this i added the  
following line in /etc/raddb/users:


DEFAULT User-Name =~ "@ic$", User-Profile := "cn=InternetCafe,ou=VLAN,o=Testnet"


But this works only if i do not have a radiusprofiledn attribute in  
the user's entry in OpenLDAP, otherwise it works.


Is there a way to override the userprofile given back by the  
freeradius if the user adds a @ic (or whatever realm) ?
Or is there even a better way to achieve this goal and i am thinking  
in a completly wrong direction?


Thanks in advance for any hints!

Regards
   Markus


--
Markus Krause   email: [EMAIL PROTECTED]
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99 Fax.: 089 - 89 40 85 98



Re: EAP-TLS certificate question

2007-01-17 Thread Alan DeKok
kemas wrote:
 Hi all,
 
 I've install freeradius-1.1.3,use it with AP Aironet 1100 doing EAP-TLS
 and works very well.
 I still confuse about certificate, is all client certificate created
 under 1 root ca, can be authenticated against freeradius that started 
 with different server certificate?

  I haven't tried it, but it's possible, yes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE : A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Thibault Le Meur
 2. Radius does not understand some attributes from client.
 a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received 
 unknown attribute 25 of length 30: 
 0x333B0427013700010A1701C735C490B2116B014C
 b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service 
 type 4 for user21
 
 But I know that these are
 
 VALUE   Service-Type   Dialback-Framed-User   4
 
 and
 
 ATTRIBUTE   MS-CHAP2-Response   25   octets
 
 as they are written in the dictionary file.

There must be a mistake in your /etc/radiusclient/dictionary file.

Check that you use a 'INCLUDE /etc/radiusclient/dictionary.microsoft' line
and not a '$INCLUDE /etc/radiusclient/dictionary.microsoft'
Check also the permissions on the dictionary files.

HTH,
Thibault




Re: A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Alan DeKok
Marxy wrote:
 1. Accounting of Calling-station-id returns only first 4 characters of
 user's IP address.

  If that's what the RADIUS client is sending, then the only solution is
to fix the client so it sends the correct information.

 2. Radius does not understand some attributes from client.
 a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received unknown
 attribute 25 of length 30:

 0x333B0427013700010A1701C735C490B2116B014C
 b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service type 4 for
 user21

  The client doesn't understand the response of the server.  Again, the
only solution is to fix the client.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: How to send tome clients to the same detail file

2007-01-17 Thread Angel L. Mateo
On Tue, 2006-11-07 at 18:29 -0500, Alan DeKok wrote:
 Angel L. Mateo [EMAIL PROTECTED] wrote:
  But now I want to send all the logs for requests from a group of
  clients (defined as a huntgroup) to the same files, and the request for
  all other clients as now (classified with the IP address of the client).
  Is there any way to redefine this files for a set of clients?
 
   Yes.  Define an attribute, and set it per-client.  Then use that
 attribute in the expansion of the detailfile.
 

Hello,

After a lot of time, I have taken up again this issue. I want a a group
of radius clients (defined in the same huntgroup) to log their request
(detail and auth-detail files) in the same file. So I have redefine my
logs files as:

detail {
  detailfile =
${radacctdir}/%{Huntgroup-Name:-%{Client-IP-Address}}/detail-%Y%m%d
  detailperm = 0600
}

detail auth_log {
  detailfile =
${radacctdir}/%{Huntgroup-Name:-%{Client-IP-Address}}/auth-detail-%Y%m%d
  detailperm = 0600
}

So if I have a client defined in a huntgroup, it logs to the
huntgroup's log files and if not, it logs to a directory identify by its
client ip address.

My problem is that this is working fine for the auth-detail file, but
detail file is still logging individually, without using the
Huntgroup-Name variable.

Any idea?

-- 
Angel L. Mateo Martínez
Telematics Section
Applied Information and Communications Technologies Area (ATICA)
http://www.um.es/atica
Tel: 968367590
Fax: 968398337



Re: Feeding an LDAP replyItem to an MS-CHAPv2 ntlm_auth request

2007-01-17 Thread Alan DeKok
Haas Florian wrote:
 The tricky part is that XP's
 supplicant, which supplies the username as DOMAIN\\Username while a user is
 logged on, supplies a username in the form of host/computername.my.domain
 otherwise -- this corresponds to the servicePrincipalName attribute on the
 machine's object in MSAD. This is of course a format that ntlm_auth can't deal
 with.

  Why not?  There's a reason that the ntlm_auth configuration is
editable in the mschap module.  Just edit it to do whatever you want.
If all else fails, replace ntlm_auth with a Perl script that looks at
the environment variables, and determines the proper arguments to use.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: RE : A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Marxy

It seems no mistakes in dictionary file. It is standard one from RH
distribution.
BTW, freeradius uses $INCLUDE, not INCLUDE as you advised.
With INCLUDE you will see something like
--
Wed Jan 17 14:48:41 2007 : Error: Errors reading dictionary: dict_init:
/etc/raddb/dictionary[14] invalid keyword INCLUDE
--


Thibault LE MEUR wrote:
 
 There must be a mistake in your /etc/radiusclient/dictionary file.
 
 Check that you use a 'INCLUDE /etc/radiusclient/dictionary.microsoft' line
 and not a '$INCLUDE /etc/radiusclient/dictionary.microsoft'
 Check also the permissions ont he dictionary files.
 



Re: A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Marxy


Alan DeKok-4 wrote:
 
 Marxy wrote:
 1. Accounting of Calling-station-id returns only first 4 characters of
 user's IP address.
   If that's what the RADIUS client is sending, then the only solution is
 to fix the client so it sends the correct information.
 
My radius client is standard radiusclient software.
But it seems no settings for that in its /etc/radiusclient/radiusclient.conf


Alan DeKok-4 wrote:
 
 2. Radius does not understand some attributes from client.
 a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received unknown
 attribute 25 of length 30:
 
   The client doesn't understand the response of the server.  Again, the
 only solution is to fix the client.
 
Yes. You are quite right.
I add missing attributes to radiusclient dictionary file.
ATTRIBUTE   MS-CHAP2-Response   25  string  
ATTRIBUTE   Acct-Input-Packets  47  integer
ATTRIBUTE   Acct-Output-Packets 48  integer

And this problem has gone.


Alan DeKok-4 wrote:
 
 0x333B0427013700010A1701C735C490B2116B014C
 b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service type 4 for
 user21
 

The line that describes service-type 4 was already in radiusclient
dictionary file
VALUE   Service-TypeCallback-Framed-User4

But it does not help.



One question about Access-Request packet

2007-01-17 Thread Rafał Kamiński
Hi, i have one question:

Why when i try auth. by laptop-wifi over linksys then it's send that
request:

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0,
length=119
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 001217694588
Calling-Station-Id = 0014a41e7112
NAS-Identifier = 001217694588
NAS-Port = 61
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000801726b61
Message-Authenticator = 0x794e9d729e673a6c41b875855ae5a464

Request without User-Password - and that is problem with auth.

When i try auth. over lan my PC send request:

rad_recv: Access-Request packet from host 10.44.3.15:62963, id=66, length=55
User-Name = rka
User-Password = qazwsxedc
NAS-IP-Address = 255.255.255.255
NAS-Port = 0

And the auth. is correct.

Where is the problem? Maybe with Linksys? This is WPA54G.


Thanks a lot for help

BR,

-- 
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]


RE : RE : A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Thibault Le Meur

 It seems no mistakes in dictionary file. It is standard one 
 from RH distribution. BTW, freeradius use $INCLUDE, not 
 INCLUDE as you advised. With INCLUDE you will see something like
 --
 Wed Jan 17 14:48:41 2007 : Error: Errors reading dictionary: 
 dict_init: /etc/raddb/dictionary[14] invalid keyword INCLUDE
 --

I'm talking about the radiusclient library's dictionaries, not the
Freeradius ones: the ones that can be found on your PopTop server, not the
Freeradius server.
Look at the path I wrote: it's not /etc/raddb/dictionary, but
/etc/radiusclient/dictionary.

The issue here, is that the radiusclient package doesn't come with the
necessary dictionaries.

So check on your PopTop server that the /etc/radiusclient/dictionary contains
an 'INCLUDE' and not '$INCLUDE' for the dictionary.microsoft file.

HTH,
Thibault





RE : A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Thibault Le Meur


 -Original Message-
 From: [EMAIL PROTECTED] On Behalf Of Marxy
 Sent: Wednesday, 17 January 2007 14:39
 To: freeradius-users@lists.freeradius.org
 Subject: Re: A couple of questions PoPToP+FreeRadius+IAS
 
 
 
 
 Alan DeKok-4 wrote:
  
  Marxy wrote:
  1. Accounting of Calling-station-id returns only first 4 
 characters 
  of user's IP address.
If that's what the RADIUS client is sending, then the 
 only solution 
  is to fix the client so it sends the correct information.
  
 My radius client is standard radiusclient software.
 But it seems no settings for that in its 
 /etc/radiusclient/radiusclient.conf
 
 
 Alan DeKok-4 wrote:
  
  2. Radius does not understand some attributes from client.
  a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: 
 received unknown 
  attribute 25 of length 30:
  
The client doesn't understand the response of the server.  Again, 
  the only solution is to fix the client.
  
 Yes. You are quite right.
 I add missing attributes to radiusclient dictionary file.
 ATTRIBUTE   MS-CHAP2-Response   25  string  
 ATTRIBUTE   Acct-Input-Packets  47  integer
 ATTRIBUTE   Acct-Output-Packets 48  integer

It might not be enough.

Could you check this post and give it a try ?

http://lists.freeradius.org/pipermail/freeradius-users/2007-January/059299.html

Thibault





Re: One question about Access-Request packet

2007-01-17 Thread Alan DeKok
Rafał Kamiński wrote:

 Why when i try auth. by laptop-wifi over linksys then it's send that
 request:
...
 Request without User-Password - and that is problem with auth.

  The authentication method is called EAP.  It's the way wireless is
supposed to work.  See eap.conf.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE : One question about Access-Request packet

2007-01-17 Thread Thibault Le Meur

 Hi, i have one question:
 
 Why when i try auth. by laptop-wifi over linksys then it's send that
 request:
 
 rad_recv: Access-Request packet from host 192.168.1.245:3072, 
 id=0, length=119
 User-Name = rka
 NAS-IP-Address = 192.168.1.245
 Called-Station-Id = 001217694588
 Calling-Station-Id = 0014a41e7112
 NAS-Identifier = 001217694588
 NAS-Port = 61
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x0201000801726b61
 Message-Authenticator = 0x794e9d729e673a6c41b875855ae5a464
 
 Request without User-Password - and that is problem with auth.

This is normal because it is an EAP authentication request: so this is not a
problem for authentication as long as you have enabled and configured EAP in
the freeradius configuration (see eap.conf).

Thibault



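To make the two replies above concrete, here is an added example (not code from the thread or from FreeRADIUS) that decodes the quoted EAP-Message per RFC 3748 and shows which authentication path each quoted request takes; the attribute dictionaries are built from the attribute names in the two rad_recv dumps, with the wired password replaced by a constructed placeholder.

```python
"""Decode the EAP-Message attribute from the wireless Access-Request above.

Added example (RFC 3748 framing), not code from the thread or FreeRADIUS.
It shows that the Linksys AP forwarded an EAP Identity Response, so the
request legitimately carries no User-Password: the credential exchange
happens later, inside the EAP method enabled in eap.conf.
"""
import struct

# EAP codes (RFC 3748 section 4) and the Identity type (section 5.1).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

# Value copied from the rad_recv output quoted in the thread.
EAP_MESSAGE_FROM_THREAD = "0x0201000801726b61"

# Attribute names of the two quoted requests; the password value is a
# constructed placeholder rather than the one posted to the list.
WIRELESS_REQUEST = {
    "User-Name": "rka",
    "NAS-IP-Address": "192.168.1.245",
    "NAS-Port-Type": "Wireless-802.11",
    "EAP-Message": EAP_MESSAGE_FROM_THREAD,
    "Message-Authenticator": "0x794e9d729e673a6c41b875855ae5a464",
}
WIRED_REQUEST = {
    "User-Name": "rka",
    "User-Password": "<redacted>",
    "NAS-IP-Address": "255.255.255.255",
    "NAS-Port": "0",
}


def decode_eap_message(hex_value):
    """Parse one EAP packet given as the 0x... string FreeRADIUS prints.

    Checks the Length field against the bytes actually present, since a
    mismatch means the attribute was truncated or reassembled wrongly.
    """
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    data = bytes.fromhex(hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP Length {length} but {len(data)} bytes present")
    result = {
        "code": EAP_CODES.get(code, f"unknown({code})"),
        "id": identifier,
        "length": length,
    }
    if code in (1, 2):
        # Request and Response carry a Type byte after the 4-byte header.
        if length < 5:
            raise ValueError("EAP Request/Response is missing its Type byte")
        eap_type = data[4]
        result["type"] = eap_type
        if eap_type == EAP_TYPE_IDENTITY:
            # Identity payload is the user name the supplicant offered.
            result["identity"] = data[5:].decode("utf-8", errors="replace")
    return result


def classify_access_request(attrs):
    """Tell which path the request takes: 'eap' when EAP-Message is present,
    'pap' when a User-Password is sent, otherwise 'unknown'.

    RFC 3579 requires Message-Authenticator on any Access-Request that
    carries EAP-Message, so its absence is reported as an error.
    """
    if "EAP-Message" in attrs:
        if "Message-Authenticator" not in attrs:
            raise ValueError("EAP-Message without Message-Authenticator")
        return "eap"
    if "User-Password" in attrs:
        return "pap"
    return "unknown"


if __name__ == "__main__":
    print(decode_eap_message(EAP_MESSAGE_FROM_THREAD))
    # -> {'code': 'Response', 'id': 1, 'length': 8, 'type': 1, 'identity': 'rka'}
    print(classify_access_request(WIRELESS_REQUEST),
          classify_access_request(WIRED_REQUEST))
```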


Re: RE : A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Marxy


Thibault LE MEUR wrote:
 
The client doesn't understand the response of the server.  Again, 
  the only solution is to fix the client.
  
 Yes. You are quite right.
 I add missing attributes to radiusclient dictionary file.
 ATTRIBUTE   MS-CHAP2-Response   25  string  
 ATTRIBUTE   Acct-Input-Packets  47  integer
 ATTRIBUTE   Acct-Output-Packets 48  integer
 
 It might not be enough.
 

It is enough 'cause I had added all microsoft vendor's attributes earlier.
Thanks.
I have other unsolved problems.



3ComSwitch Login

2007-01-17 Thread Alexandre Soares

Hi All,

Sorry team, but I still have a problem authenticating a valid Administrator User
on a 3Com Switch; my question is, has anyone implemented this feature ?

I really don't know where to start the solution in freeradius

freeradius working with quintum cms

2007-01-17 Thread Goke Aruna
Hi all,

Can someone share his experience with me in getting freeradius to work with
quintum CMS ?


goksie


Re: 3ComSwitch Login

2007-01-17 Thread Vineet Verma

Hi Alexandre,
   I think you need RADIUS to return the Service-Type attribute as 
Administrative for it to work.


-Vineet


Alexandre Soares wrote:

Hi All,
 
Sorry team, but I still have a problem authenticating a valid Administrator 
User on a 3Com Switch; my question is, has anyone implemented this feature ?
 
I really don't know where to start the solution in freeradius





AW: Feeding an LDAP replyItem to an MS-CHAPv2 ntlm_auth request

2007-01-17 Thread Haas Florian
Hello. 

   Why not?  There's a reason that the ntlm_auth configuration is
 editable in the mschap module.  Just edit it to do whatever you want.
 If all else fails, replace ntlm_auth with a Perl script that looks at
 the environment variables, and determines the proper arguments to use.

Ahem. From my original message you may have read that your suggestion describes
precisely what I am trying to implement, and that modifying the parameters
passed to ntlm_auth is exactly my intention.

I also understand that I could use a wrapper script or possibly do all sorts of
things with %{exec:} and/or %{expr:}. I could also do some simple text mangling
with the User-Name attribute as passed by the XP supplicant. However, the most
elegant way of working around the servicePrincipalName that XP seems to provide
when no user is logged on[1], would be to query MSAD for the corresponding
sAMAccountName, and use that for NTLM authentication.

I could write some Perl or Python or shell script that retrieves that
information from MSAD, invoke that script via %{exec:}, and put its output in
the ntlm_auth command arguments (or invoke it instead of ntlm_auth, for that
matter). However, it seems sort of ridiculous to run an additional LDAP query
for just that purpose, considering all the relevant information should already
be available to FreeRADIUS at that point.

So, to clarify my original question. What I want is this:

1. Put the value of an LDAP attribute (sAMAccountName) into a variable when the
user is authorized in LDAP.
2. Access that variable when the user is being authenticated via MS-CHAPv2, and
put it into the --username argument of ntlm_auth.

I do understand that this would require registering said variable in dictionary
and ldap.attrmap. I also understand that I need to set up a proper filter in the
configuration of the ldap module, for correct authorization of the user that's
being identified by its servicePrincipalName in this case. I have done all that.
What else would I need, if what I'm trying to do is at all possible?

Cheers,
Florian

[1] Yes, a rant about the XP supplicant providing wrong data in this case is
in order, however that's not going to persuade my customer to switch to Ubuntu.
:-)



SPLAT question

2007-01-17 Thread Enright Patrick - penrig
Hello,

 

This pertains to Freeradius 1.1.0.

  

I am having trouble setting up freeradius and Checkpoint's
Secureplatform Pro (SPLAT) firewall (which is a stripped down Linux) so
that administrators logging into the firewalls will be authenticated by
the freeradius server.

 

According to the SPLAT pro user guide I should be able to set up a group
on the firewall and I should not have to define all the individual users
on the firewall.  Once the user enters the username and password that
info will be passed to the freeradius server along with the group (which
is already defined on the firewall).  

 

When I start the freeradius server with the -AX switches I really don't
see it reading the following that I set up in the radiusd.conf file:

 

passwd etc_group {

filename = /etc/freeradius/group

format = =Group-Name:::*,User-Name

hashsize = 50

ignorenislike = yes

allowmultiplekeys = yes

delimiter = :

}

 

I'm not sure if this is how you tell it to look in the group file and
not sure why I do not see this in the messages when I start
freeradius???

 

Is anybody else doing this and if so can you provide some guidance?

 

Thanks so much.

 

Regards,  

 

Patrick Enright

Information Security Architecture Team

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

 

 

 


Re: SPLAT question

2007-01-17 Thread James Wakefield

Enright Patrick - penrig wrote:

 I’m not sure if this is how you tell it to look in the group file and
 not sure why I do not see this in the messages when I start freeradius….???

G'day Patrick,

You've defined the etc_group module but you also need to instantiate it. 
 Add etc_group to the authorize { } section further down in radiusd.conf.


--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


Re: EAP-TLS certificate question

2007-01-17 Thread kemas
On Wed, 2007-01-17 at 13:36 +0100, Alan DeKok wrote:
 kemas wrote:
  Hi all,
  
  I've install freeradius-1.1.3,use it with AP Aironet 1100 doing EAP-TLS
  and works very well.
  I still confuse about certificate, is all client certificate created
  under 1 root ca, can be authenticated against freeradius that started 
  with different server certificate?
 
   I haven't tried it, but it's possible, yes.
 

is there any howto or link about it?
maybe someone would share the light

thanks

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog



monitoring freeradius with nagios

2007-01-17 Thread Mike

All,
When trying to use the radauth tool from nagios to monitor
freeradius, I get the following in the freeradius log:

Error: WARNING: Malformed RADIUS packet from host ... too long (length
18432 > maximum 4096)

radtest seems to be ok.  has anyone else experienced this or knows
what is wrong?


Does the Users file still support auth-type :=PAM in ver 1.1.4?

2007-01-17 Thread Ellis, Scott 1 (N-Comptel Inc.)


Re: monitoring freeradius with nagios

2007-01-17 Thread James Wakefield

Mike wrote:

All,
When trying to use the radauth tool from nagios to monitor
freeradius, I get the following in the freeradius log:

Error: WARNING: Malformed RADIUS packet from host ... too long (length
18432 > maximum 4096)

radtest seems to be ok.  has anyone else experienced this or knows
what is wrong?


G'day Mike,

Fire up wireshark or tcpdump and have a look what's actually in the packets.

--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


RE: help

2007-01-17 Thread John Wan
Hi Alan,

Now everything works but the Active Directory authentication,Please see
the following output from $ Radiusd -X when a wireless client uses
administrator logon into the chillispot web logon page:


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0,
length=223
User-Name = administrator
CHAP-Challenge = 0xa784482e8ac92fd573e87bbbad9ca58f
CHAP-Password = 0x00f54cc04e288eec67feff0b13e9448bd2
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.5
Calling-Station-Id = 00-16-6F-79-91-F4
Called-Station-Id = 00-05-5D-9E-0F-94
NAS-Identifier = nas01
Acct-Session-Id = 45aec9a9
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0x97668bae73249b0dd4755ab03d364f34
WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = administrator, looking up realm
NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched DEFAULT at 153
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_chap: login attempt by administrator with CHAP password
  rlm_chap: Could not find clear text password for user administrator
  modcall[authenticate]: module chap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0,
length=223
Sending Access-Reject of id 0 to 127.0.0.1:32772
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 45aecedc
Nothing to do.  Sleeping until we see a request.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of John Wan
Sent: Friday, 5 January 2007 11:26 AM
To: FreeRadius users mailing list
Subject: RE: help

 Hi Alan,

Many thanks for your help.

Now the kerberos service and the Samba service are running now, I have
followed your instructions on your webpage, but I still have experenced
the similar issue, please see the folloewing:

[EMAIL PROTECTED] ~]# net join -U Administrator
Administrator's password:
[2007/01/05 10:10:15, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot find
KDC for requested realm
[2007/01/05 10:10:15, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Cannot find KDC for requested realm Joined domain MBUS.


[EMAIL PROTECTED] ~]# wbinfo -a administrator%password plaintext password
authentication failed Could not authenticate user administrator%password
with plaintext password could not obtain winbind separator!
could not obtain winbind domain name!
challenge/response password authentication failed Could not authenticate
user administrator with challenge/response

Would you please give me some hints so I could try it again. All I need
is to allow the freeradius server and Chillispot to hand over the
authentication (for wireless client) to the Win2k3 Active Directory. To
be able to achive that, I have to make sure the above two steps are
working (at moment they are not working).

Many thanks again in advance.

Regards

John







-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: Thursday, 14 December 2006 12:20 PM
To: FreeRadius users mailing list
Subject: Re: help

John Wan wrote:

  Would you please give me some hints how to start the Kerberos server 
 and how to solve the issue of
  ads_connect: Invalid credentials.

  Unfortunately, I'm not a kerberos or Samba expert.  I know just enough
to follow the script.  If it doesn't work, I suggest asking on the Samba
/ kerberos lists.

  i.e. the people who wrote the software are the ones most likely to be
able to help you.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Building from CVS

2007-01-17 Thread King, Michael
 

 -Original Message-
 apt-get install g++
 

Thank you.  Apparently, this would be my first Debian box that didn't
have g++ out of the box.  (I've built more than 10 following the same
cookbook that our office wrote)

I guess gcc and gpp weren't enough.

It built...  Well it's building as I type.



Re: monitoring freeradius with nagios

2007-01-17 Thread Keith Woodworth
On Wed, 17 Jan 2007, Mike wrote:

|-All,
|-When trying to use the radauth tool from nagios to monitor
|-freeradius, I get the following in the freeradius log:
|-
|-Error: WARNING: Malformed RADIUS packet from host ... too long (length
|-18432 > maximum 4096)
|-
|-radtest seems to be ok.  has anyone else experienced this or knows
|-what is wrong?

I know with some monitoring tool I used a while ago (WhatsUp Gold I
think) I had to add the IP of the WhatsUp server as a NAS to the allowed
list with the shared secret to monitor an old Livingston radius server.

I have not tried with my Freeradius box yet, but I think I might just to
see. The FR is not in production as of yet so I'm not worried about it.




Re: rlm_eap: SSL error

2007-01-17 Thread James Lever


On 17/01/2007, at 4:47 PM, Alan DeKok wrote:


James Lever wrote:

Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read
client certificate A

  That just means there's no client certificate.


Interesting given I'm only allowing EAP-TLS access to my wireless LAN  
(or attempting to)


Below is the log output when run in full debugging (excerpt)

--
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls:  TLS 1.0 Handshake [length 0be8], Certificate
chain-depth=1,
error=0
-- User-Name = clientCN
-- BUF-Name = :30 2007 : Info: Ready to process requests.
-- subject = /C=AU/issuerDN
-- issuer  = /C=AU/issuerDN
-- verify return:1
radius_xlat:  'clientCN'
rlm_eap_tls: checking certificate CN (clientCN) with xlat'ed  
value (clientCN)

chain-depth=0,
error=0
-- User-Name = clientCN
-- BUF-Name = clientCN
-- subject = /C=AU/clientDN
-- issuer  = /C=AU/issuerDN
-- verify return:1
TLS_accept: SSLv3 read client certificate A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0106], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
  rlm_eap_tls:  TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls:  TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
  rlm_eap_tls:  TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
rlm_eap: SSL error error::lib(0):func(0):reason(0)
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module eap returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
--

When I try to do the same with a Certificate from another CA it fails  
as expected.  So why does the EAP-TLS login work even though it  
complains that no certificate was received?  Is the certificate  
actually validated and hence there really was no error, or is  
FreeRADIUS or OpenSSL authorising where it should not?


cheers,
James
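For both questions in this thread and in kemas's EAP-TLS certificate question above (client certificates issued under one root CA, server certificate from another), here is an added Go example. It is not FreeRADIUS or OpenSSL code and not part of either message; it builds two throw-away CAs in memory and runs the two checks that are visible in the debug output: chain verification of the presented client certificate against the CAs the server trusts, and the comparison of the certificate CN with the User-Name. The CA and client names are constructed; the C=AU subjects mirror the log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is a throw-away certificate authority built in memory for the example.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newCA creates a self-signed root certificate (constructed, C=AU like the log).
func newCA(cn string, serial int64) *ca {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Country: []string{"AU"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &ca{cert: cert, key: key}
}

// issueClient signs an end-entity certificate usable for TLS client auth.
func (c *ca) issueClient(cn string, serial int64) *x509.Certificate {
	leafKey := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Country: []string{"AU"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &leafKey.PublicKey, c.key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// VerifyClient mirrors the two checks in the debug output: build a chain from
// the presented certificate to a CA the server trusts, then compare the
// certificate CN with the User-Name the supplicant sent.
func VerifyClient(client *x509.Certificate, trusted []*x509.Certificate, userName string) error {
	roots := x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if client.Subject.CommonName != userName {
		return fmt.Errorf("certificate CN %q does not match User-Name %q", client.Subject.CommonName, userName)
	}
	return nil
}

// Scenario builds the CA that issued the client certificates and an unrelated
// CA (think of the one that issued the server's own certificate) and returns
// the outcome of checking the client certificate against each, plus a CN mismatch.
func Scenario() (sameCA, otherCA, wrongName error) {
	issuer := newCA("Client CA", 1)
	unrelated := newCA("Other CA", 2)
	client := issuer.issueClient("clientCN", 3)
	sameCA = VerifyClient(client, []*x509.Certificate{issuer.cert}, "clientCN")
	otherCA = VerifyClient(client, []*x509.Certificate{unrelated.cert}, "clientCN")
	wrongName = VerifyClient(client, []*x509.Certificate{issuer.cert}, "someone-else")
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Println("own CA trusted:   ", a)   // nil: chain and CN both check out
	fmt.Println("other CA trusted: ", b)   // error: no path to a trusted root
	fmt.Println("CN mismatch:      ", c)   // error: CN differs from User-Name
}
```

What decides the outcome is which CA certificates the server is configured to trust for client verification, not which CA issued the server's own certificate, so a server certificate from a second CA is fine as long as the client CA is in the trusted set; a client certificate from a CA that is not in that set fails at the chain step, which is the behaviour James reports for the other-CA certificate.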




Re: SPLAT question

2007-01-17 Thread Alan DeKok
Enright Patrick - penrig wrote:

 When I start the freeradius server with the –AX switches I really don’t
 see it reading the following that I set up in the radiusd.conf file:
 
 passwd etc_group {
 filename = /etc/freeradius/group
 format = =Group-Name:::*,User-Name

  You can't use the Group-Name attribute.  That's reserved for Unix
groups.  You have to define your own attribute.  See man rlm_passwd
for examples.

 I’m not sure if this is how you tell it to look in the group file

  See man rlm_passwd.  It gives examples.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: monitoring freeradius with nagios

2007-01-17 Thread Alan DeKok
Mike wrote:
 All,
 When trying to use the radauth tool from nagios to monitor
 freeradius, I get the following in the freeradius log:
 
 Error: WARNING: Malformed RADIUS packet from host ... too long (length
 18432 > maximum 4096)
 
 radtest seems to be ok.  has anyone else experienced this or knows
 what is wrong?

  I haven't seen it.  I note that 18432 is hex 0x7200.  I suspect that
the NAGIOS people missed a 'htons()' somewhere, and the field should be
0x0072.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
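To make the length check behind that warning concrete, here is an added Go example (not FreeRADIUS code and not part of Alan's reply) that parses the fixed RADIUS header and applies the same bounds the server enforces: 20 bytes minimum, 4096 maximum, and never longer than the datagram. The sample packet is constructed; the observation that a 72-byte packet whose Length field is written in little-endian host order shows up on the wire as 0x4800 = 18432 is the example's own arithmetic.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// RFC 2865 bounds on the Length field of a RADIUS packet header.
const (
	radiusHeaderLen = 20   // code(1) + id(1) + length(2) + authenticator(16)
	radiusMaxLen    = 4096 // the maximum FreeRADIUS quotes in the warning above
)

// RadiusHeader is the fixed 20-byte header that precedes the attributes.
type RadiusHeader struct {
	Code          byte
	ID            byte
	Length        uint16
	Authenticator [16]byte
}

// ParseRadiusHeader reads the header and applies the same sanity checks the
// server applies before looking at any attribute.
func ParseRadiusHeader(pkt []byte) (RadiusHeader, error) {
	var h RadiusHeader
	if len(pkt) < radiusHeaderLen {
		return h, fmt.Errorf("datagram too short: %d bytes", len(pkt))
	}
	h.Code = pkt[0]
	h.ID = pkt[1]
	h.Length = binary.BigEndian.Uint16(pkt[2:4]) // Length is in network byte order
	copy(h.Authenticator[:], pkt[4:20])
	switch {
	case h.Length < radiusHeaderLen:
		return h, fmt.Errorf("malformed: length %d < minimum %d", h.Length, radiusHeaderLen)
	case h.Length > radiusMaxLen:
		return h, fmt.Errorf("malformed: too long (length %d > maximum %d)", h.Length, radiusMaxLen)
	case int(h.Length) > len(pkt):
		return h, fmt.Errorf("malformed: length %d exceeds datagram of %d bytes", h.Length, len(pkt))
	}
	return h, nil
}

// ByteSwappedLength returns what the Length field looks like when the sender
// writes it in little-endian host order instead of network order, i.e. the
// effect of a missing htons().
func ByteSwappedLength(l uint16) uint16 {
	return l>>8 | l<<8
}

// buildPacket constructs a header followed by zero-filled attribute space;
// lengthField is written exactly as given so a wrong byte order can be simulated.
func buildPacket(code, id byte, lengthField uint16, total int) []byte {
	pkt := make([]byte, total)
	pkt[0], pkt[1] = code, id
	binary.BigEndian.PutUint16(pkt[2:4], lengthField)
	return pkt
}

func main() {
	// Constructed sample: a 72-byte Access-Request (code 1) with a correct Length.
	good := buildPacket(1, 0, 72, 72)
	if h, err := ParseRadiusHeader(good); err == nil {
		fmt.Printf("ok: code=%d id=%d length=%d\n", h.Code, h.ID, h.Length)
	}
	// The same packet with Length written in host order on a little-endian
	// machine: the wire carries 0x48 0x00, which reads back as 0x4800 = 18432.
	bad := buildPacket(1, 0, ByteSwappedLength(72), 72)
	if _, err := ParseRadiusHeader(bad); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Rejecting on the Length field before touching the attribute list is the right order for a server: the attribute walk trusts Length, so an oversized or undersized value must never reach it. Seeing a value like 18432 that byte-swaps to a plausible small packet size is the signature of a client writing the field in host order.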


Re: help

2007-01-17 Thread Alan DeKok
John Wan wrote:
 Hi Alan,
 
 Now everything works but the Active Directory authentication,Please see
 the following output from $ Radiusd -X when a wireless client uses
 administrator logon into the chillispot web logon page:
 
 
 Ready to process requests.
 rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0,
 length=223
 User-Name = administrator
 CHAP-Challenge = 0xa784482e8ac92fd573e87bbbad9ca58f
 CHAP-Password = 0x00f54cc04e288eec67feff0b13e9448bd2

  See my web page.  You CANNOT do CHAP authentication to AD.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
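An added Go example, not from the list and not FreeRADIUS code, showing what rlm_chap has to do with the CHAP-Password and CHAP-Challenge attributes and therefore why a cleartext password is unavoidable: the CHAP response is MD5(identifier || password || challenge), so the server can only recompute and compare it when it holds the cleartext, which is the "Could not find clear text password" branch in the debug output above. The CHAP-Challenge value is copied from that output; the password is constructed for the example, since the real one is not on the list. A directory that stores only password hashes has nothing to feed into this computation.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

// Constructed sample: the CHAP-Challenge value is taken from the debug output
// above; the password is made up for this example.
var (
	sampleChallenge, _ = hex.DecodeString("a784482e8ac92fd573e87bbbad9ca58f")
	samplePassword     = []byte("constructed-secret")
)

// chapResponse computes the RFC 1994 CHAP response digest:
// MD5(identifier || cleartext-password || challenge).
func chapResponse(ident byte, password, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{ident})
	h.Write(password)
	h.Write(challenge)
	return h.Sum(nil)
}

// ClientCHAPPassword builds the CHAP-Password attribute value the client
// sends: one identifier byte followed by the 16-byte response.
func ClientCHAPPassword(ident byte, password, challenge []byte) []byte {
	return append([]byte{ident}, chapResponse(ident, password, challenge)...)
}

// VerifyCHAP is the server side: given CHAP-Password, CHAP-Challenge and the
// cleartext password on file, recompute the digest and compare. A nil
// cleartext models the case where the backend cannot supply one.
func VerifyCHAP(chapPassword, challenge, cleartext []byte) (bool, error) {
	if len(chapPassword) != 17 {
		return false, fmt.Errorf("CHAP-Password must be 17 bytes, got %d", len(chapPassword))
	}
	if cleartext == nil {
		return false, fmt.Errorf("could not find clear text password")
	}
	want := chapResponse(chapPassword[0], cleartext, challenge)
	return bytes.Equal(chapPassword[1:], want), nil
}

func main() {
	// Client computes the response with identifier 0x00, as in the log.
	attr := ClientCHAPPassword(0x00, samplePassword, sampleChallenge)
	fmt.Printf("CHAP-Password = 0x%x\n", attr)

	// Server with the cleartext on file: the digest matches.
	ok, err := VerifyCHAP(attr, sampleChallenge, samplePassword)
	fmt.Println("cleartext available:", ok, err)

	// Server whose backend only holds a hash: nothing to recompute from.
	ok, err = VerifyCHAP(attr, sampleChallenge, nil)
	fmt.Println("no cleartext:       ", ok, err)
}
```

The contrast with MS-CHAP is the point of Alan's web page: MS-CHAPv2 is defined over the NT password hash, so a backend such as Active Directory that stores that hash can answer it (via ntlm_auth), whereas plain CHAP is defined over the cleartext and cannot be bridged to a hash-only store.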