3Com SuperStack3 4400
Hi,

I'm authing about 60 3Com 4400 switches with MySQL. Everything goes OK until the switch sends a particular request to the server. This is the request:

rad_recv: Access-Request packet from host 10.10.0.219:2049, id=57, length=87
        User-Name = a3Com
        User-Password = a3Com
        NAS-Port-Type = Virtual
        NAS-IP-Address = 10.10.0.219
        Service-Type = Administrative-User
        Framed-MTU = 1024
        Message-Authenticator = 0xebe1ebfa3372940ad96d932c10457ff8
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 84
modcall[authorize]: module preprocess returns ok for request 84
radius_xlat: 'a3Com'
rlm_sql (sql): sql_set_user escaped user -- 'a3Com'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'a3Com' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'a3Com' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'a3Com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'a3Com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'a3Com' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'a3Com' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'a3Com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'a3Com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module sql returns ok for request 84
modcall: group authorize returns ok for request 84
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [a3Com] (from client X port 0)
Sending Access-Accept of id 57 to 10.10.0.219:2049
Finished request 84
Going to the next request

This is OK, but the switch says "The RADIUS Authentication service is not responding". The strange thing is the username a3Com, which I've never seen in any switch configuration. Is it something related to including dictionary.3Com in the dictionary file? I've googled a lot and searched the 3Com knowledge base but can't find anything.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Why Freeradius and Mysql don't work?
hi,

thanks, now that you supplied the full debug we can clearly see that freeradius is unable to connect to your SQL database. So questions arise such as: is your database server running? Is it configured for that 'root' account and password (check using command line tools etc)? Is it firewalled?

alan
RE: rlm_python
Hi Guys

> Is anyone actually using rlm_python in production?

We do. But with a home-made module, based on the corrected module stored in Bugzilla. We made adjustments in it to meet our customer needs, and it is therefore not reusable. Nevertheless, we did correct memory leaks, threading issues and accent problems in it, but I don't think it would be easy to retrofit inside the standard module.

Geoff.
Re: LAN accounting
Hello,

> I'm a newbie, I wanna know, can I use FreeRadius+Dialup_admin as LAN accounting? It means that I use them without dialing?

the name dialup_admin is a bit misleading. You can as well manage LAN users with them. It's a generic user management system.

Stefan

-- 
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research and Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.: +352 424409-1
http://www.restena.lu         Fax: +352 422473
a problem about radius and ldap
Hi

I'm working on an 802.1x implementation (cisco 2950, freeradius, ldap), and I face a problem. First of all, defining users and passwords in the users file in raddb works well with md5 authentication. Then I tried to use ldap, and with radtest I get an Access-Accept packet. But while authenticating from an XP client with md5-challenge, I got the error "Auth: rlm_ldap: Attribute User-Password is required for authentication". In one of the e-mails you said don't authenticate from ldap, but with the radtest function I get success!!! The passwords are kept clear text. I'm looking forward to getting your help. I also send the radius debug log.

Best Regards
Ramazan

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = 192.168.100.18
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = 
 ldap: start_tls = no
 ldap: password = 
 ldap: basedn = dc=dot1x.com
 ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 ldap: default_profile = (null)
 ldap: profile_attribute = (null)
 ldap: password_header = (null)
 ldap: password_attribute = userPassword
 ldap: access_attr = radiusgroupname
 ldap: groupname_attribute = cn
 ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 ldap: groupmembership_attribute = radiusGroupName
 ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
conns: (nil)
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
EAP-TTLS inner auth methods for 802.1x
I have configured a working EAP-TLS system and am now migrating to use EAP-TTLS (with both client side certificates and a password authentication mechanism). I'm stuck trying to work out how to avoid sending the password unhashed to the server and think that some form of CHAP/MSCHAPv2 might be the right way to go. My current thoughts are that I should use PAP with SHA1 or SSHA1 but I seem to get the right config (if it is even possible).

So, with this problem, can anybody suggest a way to use SHA1/SSHA1 or some other form of cryptographically secure, non-cleartext password within the inner authentication mechanism of EAP-TTLS for use in WPA2 Enterprise/802.1x? If this is feasible/possible, are there any gotchas with the various supplicants to getting this to work from the client side and avoiding sending the passwords in cleartext (inside the EAP-TLS tunnel)?

Also, while I'm here, any suggestions for an appropriate backend password store so that there is never a cleartext password except for the initial entry (password change) on the server side would be appreciated.

cheers,
James
Re: Why Freeradius and Mysql don't work?
Thanks a lot! I don't know why Freeradius and MySQL suddenly work after I did the following steps.

1. insert into radgroupreply (groupname,attribute,op,values) values ('user','Auth-Type',':=','Local');
   insert into radgroupreply (groupname,attribute,op,values) values ('user','Service-Type',':=','Framed-User');
   insert into radgroupreply (groupname,attribute,op,values) values ('user','Framed-IP-Address',':=','255.255.255.254');
   insert into radgroupreply (groupname,attribute,op,values) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
   insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','test');
   insert into usergroup (username,groupname) values ('test','user');
2. change the setting of sql.conf: server = localhost -> server = 202.117.X.X
3. # cp /home/ygx/mysql-standard-5.0.20-linux-i686/support-files/my-medium.cnf /etc/my.cnf
4. # /home/ygx/mysql-standard-5.0.20-linux-i686/bin/safe_mysqld --user = root
5. # radiusd -X
6. # radtest test teset localhost 0 testing123

It seems Freeradius and MySQL work as follows:

[EMAIL PROTECTED] freeradius-1.0.5]# radtest test test localhost 0 testing123
Sending Access-Request of id 211 to 127.0.0.1:1812
        User-Name = test
        User-Password = test
        NAS-IP-Address = nic219
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=211, length=38
        Service-Type = Framed-User
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.0

And I use NTRadping on an XP machine, it returns correctly. But I couldn't use mysql -u root -p rootpass to enter the command line environment any longer. The output is: ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES). Seems strange, isn't it? Anyway, I might better re-install MySQL. Thanks again!

2007/1/29, satish patel [EMAIL PROTECTED]:
> this is problem of mysql configuration, check /etc/my.cnf file for socket path and check your mysql is working ??? or some mysql put mysql.sock file in /tmp/mysql.sock, so plz check where your sock file is in your env ? install mysql again and try it
>
> Edvin Seferovic [EMAIL PROTECTED] wrote:
>> > rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)'
>> > rlm_sql (sql): Failed to connect DB handle #0
>> > rlm_sql (sql): Failed to connect to any SQL server.
>>
>> your socket file is not in the place.. maybe you should use an IP in your sql.conf instead of the localhost !
>>
>> Regards,
>> E:S
Freeradius and Oracle under Cygwin
I'm working on using Freeradius with Chillispot to authenticate from an Oracle database. Freeradius is running on a W2K3 server and Oracle is installed on the local machine. At this point, I'm trying to compile the rlm_sql_oracle module, but keep getting:

$ ./configure --with-oracle-home-dir=/cygdrive/d/oracle/ora92
...
configure: WARNING: oracle headers not found. Use \
--with-oracle-home-dir=path
configure: WARNING: sql submodule 'oracle' disabled
...

I have set ORACLE_HOME to the Cygwin path: ORACLE_HOME=/cygdrive/d/oracle/ora92/

Is anyone currently authenticating against Oracle that might be able to offer pointers? I do have the alternative of compiling on a true linux server as opposed to a W2K3 box, but the architecture is different (AMD em64T instead of x86).

-- 
Brian

An adventure is never an adventure when it's happening. Challenging experiences need time to ferment, and an adventure is simply physical and emotional discomfort recollected in tranquility. -- Tim Cahill
Re: a problem about radius and ldap
Ramazan Ulker wrote:
> But while authenticating from xp client with md5-challenge, I got
> Auth:rlm_ldap:Attribute User-Password is required for authentication

You set Auth-Type := LDAP. Don't do that.

> error. In one of the e-mail you said don't authenticate from ldap, but with radtest function i get success!!!

I know. Please read the documentation on why.

> The passwords are kept clear text. I'm looking forward to getting your help. I also send radius debug log.

The solution? Follow my instructions.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: 3Com SuperStack3 4400
[EMAIL PROTECTED] wrote:
> This is OK, but switch says The RADIUS Authentication service is not responding.

See the FAQ about the NAS never seeing the response from the server.

> The strange thing is the username a3Com that I've never seen in any switch configuration. Is something related to including dictionary.3Com in dictionary file ?

I doubt it.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: EAP-TTLS inner auth methods for 802.1x
James Lever wrote:
> I'm stuck trying to work out how to avoid sending the password unhashed to the server

Why?

> and think that some form of CHAP/MSCHAPv2 might be the right way to go. My current thoughts are that I should use PAP with SHA1 or SSHA1 but I seem to get the right config (if it is even possible).

If you use PAP, it means cleartext passwords are being sent to the server. PAP with SSHA1 is meaningless, because it's contradictory and impossible.

> If this is feasible/possible, are there any gotchas with the various supplicants to getting this to work from the client side and avoiding sending the passwords in cleartext (inside the EAP-TLS tunnel).

See my web page for compatibility issues: http://deployingradius.com/documents/protocols/compatibility.html

> Also, while I'm here, any suggestions for an appropriate backend password store so that there is never a cleartext password except for the initial entry (password change) on the server side would be appreciated.

Your desires are contradictory. If the password is hashed in EAP-TTLS, then the server needs the cleartext password in order to authenticate the user. I don't understand why giving the server access to the cleartext passwords is such a terrible thing to do.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Freeradius and Oracle under Cygwin
Brian wrote:
> At this point, I'm trying to compile the rlm_sql_oracle module, but keep getting:
>
> $ ./configure --with-oracle-home-dir=/cygdrive/d/oracle/ora92
> ...
> configure: WARNING: oracle headers not found. Use \
> --with-oracle-home-dir=path
> configure: WARNING: sql submodule 'oracle' disabled
> ...

For some reason, this worked:

$ ORACLE_HOME=/cygdrive/d/oracle/ora92; export ORACLE_HOME
$ ./configure --with-oracle-home-dir=$ORACLE_HOME

Yet, I still am unable to perform 'make':

$ make
make: LIBTOOL@: Command not found
make: *** [sql_oracle.lo] Error 127

Libtool is installed:

$ libtool --version
ltmain.sh (GNU libtool) 1.5.23a (1.1220.2.412 2006/10/13 14:13:30)

Again, assistance is appreciated.
Re: EAP-TTLS inner auth methods for 802.1x
Hi,

> I'm stuck trying to work out how to avoid sending the password unhashed to the server and think that some form of CHAP/MSCHAPv2 might be the right way to go. My current thoughts are that I should use PAP with SHA1 or SSHA1 but I seem to get the right config (if it is even possible).

MSCHAPv2 is the main way to go. Offering challenge/response means the password is never sent clear. Alternatively you could use MD5 instead of plain. But client support is an issue...

alan
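An added Python example (not code from either reply, nor from FreeRADIUS) that makes the trade-off in this thread concrete: a PAP check can run against a salted {SSHA} value kept in the backend, while a CHAP (RFC 1994) check has to recompute MD5 over the cleartext, so the server must hold it. MS-CHAPv2 is the same in kind, needing the NT hash of the password rather than the cleartext. The user, salt and challenges are constructed sample values.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA}: base64(SHA1(password || salt) || salt).
    This is a form a PAP backend can store instead of the cleartext."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap_ssha(stored, candidate):
    """PAP: the TLS tunnel delivers the cleartext candidate, so the server can
    re-derive the salted hash and compare without ever storing the password."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate_digest = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate_digest, digest)


def chap_response(chap_id, password, challenge):
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge).
    This is what the supplicant sends inside the tunnel."""
    return hashlib.md5(bytes([chap_id]) + password.encode("utf-8") + challenge).digest()


def verify_chap(stored_cleartext, chap_id, challenge, response):
    """CHAP: the server sees only the one-way response, so to recompute it the
    server needs the same secret the peer hashed, i.e. the cleartext.  A salted
    SHA1 of the password is of no use here: it is not the value the peer hashed
    and cannot be turned back into it."""
    expected = chap_response(chap_id, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    """Constructed user, stored both ways, checked with each inner method."""
    password = "correct horse battery"
    stored_ssha = ssha_hash(password, salt=bytes.fromhex("9a8b7c6d5e4f3021"))
    challenge = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    other_challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    chap_id = 0x2A
    response = chap_response(chap_id, password, challenge)
    return {
        "pap_ok": verify_pap_ssha(stored_ssha, password),
        "pap_wrong": verify_pap_ssha(stored_ssha, "wrong password"),
        "chap_ok": verify_chap(password, chap_id, challenge, response),
        "chap_wrong": verify_chap("wrong password", chap_id, challenge, response),
        # A captured response does not verify under a fresh challenge: the
        # challenge is inside the hash, which is what makes CHAP replay-resistant.
        "chap_replayed": verify_chap(password, chap_id, other_challenge, response),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```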
Re: 3Com SuperStack3 4400
On 2007-01-29 13:04, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
>> This is OK, but switch says The RADIUS Authentication service is not responding.
>
> See the FAQ about the NAS never seeing the response from the server.
>
>> The strange thing is the username a3Com that I've never seen in any switch configuration. Is something related to including dictionary.3Com in dictionary file ?
>
> I doubt it.

3com switches use a3Com to probe if the radius server is alive, after several unresponded queries.

Regards,
Krzys­ztof Olędzki

--
Krzysztof Olędzki
Axel Springer Polska Sp. z o.o.
tel: +48-22-2320969
fax: +48-22-2325530
Re: Why Freeradius and Mysql don't work?
Hi,

> But I couldn't use mysql -u root -p rootpass to enter the command line environment any longer. The output is: ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES). Seems strange, isn't it? Anyway, I might better re-install MySQL.

not strange at all - does that default config file have a root exclude or a default password entry? Have you installed or created the privileges table (check the mysql table for user/password/host entries)?

alan
Re: Why Freeradius and Mysql don't work?
Yes, I compiled FR myself. Originally I installed mysql with *.rpm packages (MySQL-*-5.0.20-0.i386.rpm, including MySQL-devel-5.0.20-0.i386.rpm), but it doesn't work. So I uninstalled the rpm packages and used mysql-standard-5.0.20-linux-i686.tar.gz to install MySQL. Thanks.

2007/1/29, YvesDM [EMAIL PROTECTED]:
> On 1/29/07, satish patel [EMAIL PROTECTED] wrote:
>> Install mysql again
>
> Did you compile FR yourself? Did you install the mysql-dev files?
>
> Kind regards,
> Yves
a problem about radius and digest
Hi!

I am using radius to authenticate requests from radiusclient-ng2 with the digest method. I have a strange situation because the client logs the following problem:

received invalid reply digest from RADIUS server

This is strange because, as I read on the web, this error is due to wrong secrets configuration. I checked a few times and the secrets are the same. I even tried to reinstall both freeradius and libradiusclient-ng2. Please help me and point out what could be a reason for this??

here is my radius debug (maybe it will help):

rad_recv: Access-Request packet from host 127.0.0.1 port 32894, id=198, length=300
        User-Name = [EMAIL PROTECTED]
        Digest-Attributes = 0x0a0968656c6c626f79
        Digest-Attributes = 0x010e766f69702e746f756b2e706c
        Digest-Attributes = 0x022a34356264656531363664353437333838393736323162356564343730383331323661316461636633
        Digest-Attributes = 0x04187369703a746f6d697840766f69702e746f756b2e706c
        Digest-Attributes = 0x0308494e56495445
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030303031
        Digest-Attributes = 0x0822363946443538313637443542464636463130463336374645394343313839
        Digest-Response = 2c8b62ee23ac6cbe4a551b8b698a509c
        Service-Type = 0x000f
        SER-Service-Type = 0x0003
        SER-Uri-User = hellboy
        NAS-Port = 0x13c4
        NAS-IP-Address = 0x7f01
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
radius_xlat: '/var/log/radiusd/radacct/127.0.0.1/detail-200701'
rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/detail-%Y%m expands to /var/log/radiusd/radacct/127.0.0.1/detail-200701
radius_xlat: 'Mon Jan 29 13:47:38 2007'
modcall[authorize]: module detail returns ok for request 1
radius_xlat: '/var/log/radiusd/radacct/127.0.0.1/auth-detail-200701'
rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/auth-detail-%Y%m expands to /var/log/radiusd/radacct/127.0.0.1/auth-detail-200701
radius_xlat: 'Mon Jan 29 13:47:38 2007'
modcall[authorize]: module auth_log returns ok for request 1
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module digest returns ok for request 1
users: Matched entry [EMAIL PROTECTED] at line 3
radius_xlat: '[EMAIL PROTECTED]'
modcall[authorize]: module files returns ok for request 1
modcall[authorize]: module expiration returns noop for request 1
modcall[authorize]: module logintime returns noop for request 1
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module pap returns noop for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type DIGEST
auth: type Digest
Processing the authenticate section of radiusd.conf
modcall: entering group Digest for request 1
rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = hellboy
        Digest-Realm = voip.touk.pl
        Digest-Nonce = 45bdee166d54738897621b5ed47083126a1dacf3
        Digest-URI = sip:[EMAIL PROTECTED]
        Digest-Method = INVITE
        Digest-QOP = auth
        Digest-Nonce-Count = 0001
        Digest-CNonce = 69FD58167D5BFF6F10F367FE9CC18339
A1 = hellboy:voip.touk.pl:hellboy
A2 = INVITE:sip:[EMAIL PROTECTED]
H(A1) = a383a13215180e1f7d2fc755c99af602
H(A2) = 429a8006b569afff5cd5fe2a50024c56
KD = a383a13215180e1f7d2fc755c99af602:45bdee166d54738897621b5ed47083126a1dacf3:0001:69FD58167D5BFF6F10F367FE9CC18339:auth:429a8006b569afff5cd5fe2a50024c56
EXPECTED 2c8b62ee23ac6cbe4a551b8b698a509c
RECEIVED 2c8b62ee23ac6cbe4a551b8b698a509c
modcall[authenticate]: module digest returns ok for request 1
modcall: group Digest returns ok for request 1
Login OK: [EMAIL PROTECTED]/via Auth-Type = DIGEST] (from client localhost port 0)
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 1
radius_xlat: '/var/log/radiusd/radacct/127.0.0.1/reply-detail-200701'
rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/reply-detail-%Y%m expands to /var/log/radiusd/radacct/127.0.0.1/reply-detail-200701
radius_xlat: 'Mon Jan 29 13:47:38 2007'
modcall[post-auth]: module reply_log returns ok for request 1
modcall: group post-auth returns ok for request 1
Sending Access-Accept of id 198 to 127.0.0.1 port 32894
        SER-UID = [EMAIL PROTECTED]
        Reply-Message = Authenticated
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 198 with timestamp 45bdecea
Nothing to do.  Sleeping until we see a request.

Bests
Tomasz
Re: a problem about radius and digest
tzieleniewski wrote:
> Hi!! I am running Debian etch release OS on a 64 bit CPU, below is the detailed CPU information:

So... the libradiusclient code isn't 64-bit clean. It needs to be fixed.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
PEAP Fast Reconnect
Does FreeRADIUS support PEAP Fast Reconnect?
Re: a problem about radius and digest
On Mon 29 Jan 2007 17:22, Alan DeKok wrote:
> tzieleniewski wrote:
>> I am using radius to authenticate request from the radiusclient-ng2 with the digest method. I have a strange situation because client log the following problem:
>> received invalid reply digest from RADIUS server
>> This is strange because as I read on web this error is due to wrong secrets configuration.
>
> Yes. The shared secrets are wrong, or there is some miscalculation of the reply digest.
>
>> I checked a few times and secrets are the same I even tried to reinstall both freeradius and libradiusclient-ng2. Please help me and point what could be a reason for this??
>
> Which OS are you running on? Is it 64-bit? What CPU? The libradiusclient code MAY be doing MD5 incorrectly.
>
>> here is my radius debug (maybe will help):
>> rad_recv: Access-Request packet from host 127.0.0.1 port 32894, id=198, length=300
>>         User-Name = [EMAIL PROTECTED]
>>         Digest-Attributes = 0x0a0968656c6c626f79
>>         Digest-Attributes = 0x010e766f69702e746f756b2e706c
>>         Digest-Attributes = 0x022a34356264656531363664353437333838393736323162356564343730383331323661316461636633
>>         Digest-Attributes = 0x04187369703a746f6d697840766f69702e746f756b2e706c
>>         Digest-Attributes = 0x0308494e56495445
>>         Digest-Attributes = 0x050661757468
>>         Digest-Attributes = 0x090a3030303030303031
>>         Digest-Attributes = 0x0822363946443538313637443542464636463130463336374645394343313839
>>         Digest-Response = 2c8b62ee23ac6cbe4a551b8b698a509c
>>         Service-Type = 0x000f
>
> That looks like a bug in libradiusclient. The Service-Type attribute should be 4 bytes of data, not 8.
>
>>         SER-Service-Type = 0x0003
>>         SER-Uri-User = hellboy
>>         NAS-Port = 0x13c4
>>         NAS-IP-Address = 0x7f01
>
> Again, the NAS-Port and NAS-IP-Address attributes should be 4 bytes of data, not 8. This makes me suspect you're running on a 64-bit system, and that the libradiusclient code isn't 64-bit clean.

Yes. I _think_ that this is the bug that chris fixed in freeradius-client 2 days ago.

Try using a current snapshot of freeradius-client instead of radiusclient-ng and see if the problem is solved. Here is a link:
ftp://ftp.suntel.com.tr/pub/freeradius/snapshots/freeradius-client-snapshot-20070129.tar.bz2

A patch I wrote to make OpenSER use freeradius-client instead of radiusclient-ng is at:
https://sourceforge.net/tracker/?func=detailatid=743022aid=1631052group_id=139143

If you run SER instead of OpenSER you may have to fiddle with the patch slightly.. A modified version of the patch has been applied to openser cvs. (See the comments for details)

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
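To make Alan's length observation checkable, here is an added Python example (not from the thread, FreeRADIUS or either client library) that walks a packet's RADIUS attribute list and flags integer and ipaddr attributes whose value is not exactly 4 bytes, which is how an 8-byte LP64 `long` written straight into the buffer shows up on the server side. The sample attributes are constructed here; the buggy encoder exists only to produce that failure case, and the values 15 and 0x13c4 mirror the Service-Type and NAS-Port in the log above.

```python
import struct

# RFC 2865 attributes seen in the debug output above, with their data types.
# Integer and ipaddr attributes carry exactly 4 bytes of value, i.e. a total
# attribute length of 6 once the type and length octets are counted.
ATTR_DICT = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
    6: ("Service-Type", "integer"),
    26: ("Vendor-Specific", "octets"),
}
FIXED_VALUE_LENGTH = {"integer": 4, "ipaddr": 4}


def encode_avp(attr_type, value):
    """Correct RFC 2865 encoding: type, total length, value (value <= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encode_integer_lp64_bug(attr_type, number):
    """Constructed failure case, not a real client library: the value is written
    with the width of a C long on an LP64 platform (8 bytes) instead of 4."""
    return encode_avp(attr_type, struct.pack("!Q", number))


def iter_avps(payload):
    """Yield (type, value) for each attribute; a bad length raises rather than
    letting one malformed attribute shift the parse of everything after it."""
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[offset], payload[offset + 1]
        if length < 2 or offset + length > len(payload):
            raise ValueError(f"bad attribute length {length} at offset {offset}")
        yield attr_type, payload[offset + 2:offset + length]
        offset += length


def check_attribute_lengths(payload):
    """Return (name, actual_value_length, expected_value_length) for every
    fixed-size attribute whose value length is wrong.  An empty list means the
    packet's integer/ipaddr attributes are well-formed."""
    findings = []
    for attr_type, value in iter_avps(payload):
        name, data_type = ATTR_DICT.get(attr_type, (f"Attr-{attr_type}", "octets"))
        expected = FIXED_VALUE_LENGTH.get(data_type)
        if expected is not None and len(value) != expected:
            findings.append((name, len(value), expected))
    return findings


def decode_fixed(attr_type, value):
    """Decode a well-formed integer or ipaddr value; refuse any other width
    instead of guessing which 4 of the 8 bytes the sender meant."""
    name, data_type = ATTR_DICT[attr_type]
    if len(value) != 4:
        raise ValueError(f"{name}: expected 4 bytes, got {len(value)}")
    if data_type == "ipaddr":
        return ".".join(str(b) for b in value)
    return struct.unpack("!I", value)[0]


def sample_packets():
    """Constructed: the same attributes from a 64-bit-unclean client and from a
    correct one.  The client in the thread ran on 127.0.0.1."""
    user = encode_avp(1, b"alice@example.test")
    bad = (user
           + encode_integer_lp64_bug(6, 15)           # Service-Type
           + encode_integer_lp64_bug(5, 0x13c4)       # NAS-Port
           + encode_integer_lp64_bug(4, 0x7f000001))  # NAS-IP-Address
    good = (user
            + encode_avp(6, struct.pack("!I", 15))
            + encode_avp(5, struct.pack("!I", 0x13c4))
            + encode_avp(4, bytes([127, 0, 0, 1])))
    return bad, good


if __name__ == "__main__":
    bad, good = sample_packets()
    print("64-bit client:", check_attribute_lengths(bad))
    print("correct client:", check_attribute_lengths(good))
```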
Re: PEAP Fast Reconnect
King, Michael wrote:
> Does FreeRADIUS support PEAP Fast Reconnect?

No. As always, patches are welcome. :)

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: LAN accounting
Stefan Winter wrote:
>> Hello, I'm a newbie, I wanna know, can I use FreeRadius+Dialup_admin as LAN accounting? It means that I use them without dialing?
>
> the name dialup_admin is a bit misleading. You can as well manage LAN users with them. It's a generic user management system.

agree if RADIUS is used to authenticate users, but they're asking about accounting. Besides there's no way to prevent connection to LAN switches with RADIUS and restrict internal communication between local hosts.

regards
Inna
Re: PEAP Fast Reconnect
No, not currently. Doing so will require a level of caching and connection of the TLS session information with the RADIUS attributes that currently is not in place. This kind of checking is to ensure that a user is not able to authenticate with his credentials, then, say, simply change his EAP identity/username and reauth with a fast reconnect (which doesn't check the certificate). Since the cert is not checked in a fast reconnect, there is nothing to connect the session to the RADIUS attributes (such as username), so any username would be accepted unless a fast reconnect is checked against the initial session credentials. Username substitution like this could, obviously, lead to users being able to gain privileges they wouldn't otherwise have.

--Mike

On Jan 29, 2007, at 11:52 AM, King, Michael wrote:
> Does FreeRADIUS support PEAP Fast Reconnect?
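An added Python sketch (not FreeRADIUS code) of the binding Mike describes: the reply attributes established by the full authentication are cached under the TLS session ID together with the identity that earned them, and a resumption that presents a different User-Name, an unknown session or an expired one is pushed back to a full authentication instead of being handed the cached reply. Class and method names, the session-ID type and the lifetime are assumptions.

```python
import time


class ResumptionCache:
    """Binds a resumable TLS session to the identity and reply produced by the
    full authentication, so a fast reconnect cannot be used under another name."""

    def __init__(self, lifetime_seconds=3600):
        self.lifetime = lifetime_seconds
        self._sessions = {}

    def record_full_auth(self, session_id, identity, reply_attrs, now=None):
        """Called once the inner method has succeeded and the reply is known."""
        now = time.time() if now is None else now
        self._sessions[session_id] = {
            "identity": identity,
            "reply": dict(reply_attrs),
            "expires": now + self.lifetime,
        }

    def resume(self, session_id, presented_username, now=None):
        """Return (accepted, reason, reply).  Anything other than a bound,
        unexpired session whose identity matches forces a full authentication."""
        now = time.time() if now is None else now
        entry = self._sessions.get(session_id)
        if entry is None:
            return False, "unknown session: full auth required", None
        if now >= entry["expires"]:
            del self._sessions[session_id]
            return False, "session expired: full auth required", None
        if presented_username != entry["identity"]:
            # The name on the resumed request is not the one whose credentials
            # created the session.  Drop the binding rather than serve the reply
            # (VLAN, filters, etc.) that belongs to the original user.
            del self._sessions[session_id]
            return False, "identity mismatch: rejected", None
        # The reply comes from the cached full authentication, never from
        # whatever the resumed request claims.
        return True, "resumed", dict(entry["reply"])


if __name__ == "__main__":
    cache = ResumptionCache(lifetime_seconds=600)
    cache.record_full_auth(b"\x01" * 32, "alice", {"Tunnel-Private-Group-Id": "10"})
    print(cache.resume(b"\x01" * 32, "alice"))
    print(cache.resume(b"\x01" * 32, "admin"))
```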
RE: PEAP Fast Reconnect
> > Does FreeRADIUS support PEAP Fast Reconnect?
>
> No. As always, patches are welcome. :)

Thanks. It was a "does this check box actually do anything for me" question.
Re: Why Freeradius and Mysql don't work?
yao guoxian wrote:
> rlm_sql_mysql: Mysql error 'Host '202.117.7.243' is not allowed to connect to this MySQL server'

I assume this is a test server and is tightly controlled.

Login to MySQL as root on the command line. Type this:

GRANT ALL ON *.* TO [EMAIL PROTECTED] IDENTIFIED BY 'mysql-root-pass';

That will let you do what you are trying to do. Then go read the MySQL documentation on server security. You really should not be using the root account. Create a new user for radius queries and only give it the access it needs. Then REVOKE the rights I just had you GRANT above.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
RE: LAN accounting
>>> I'm newbie, I wanna know that can i use FreeRadius+Dialup_admin as a LAN accounting? It means that i use them without dialing?
>>
>> the name dialup_admin is a bit misleading. You can as well manage LAN users with them. It's a generic user management system.
>
> agree if RADIUS is used to authenticate users, but they're asking about accounting. Besides there's no way to prevent connection to LAN switches with RADIUS

Yes - 802.1x

> and restrict internal communication between local hosts.

Kinda - Dynamic VLAN allocation.

Josh.
Re: a problem about radius and digest
Peter Nixon wrote:
> On Mon 29 Jan 2007 17:22, Alan DeKok wrote:
>> tzieleniewski wrote:
>>> I am using radius to authenticate request from the radiusclient-ng2 with the digest method. I have a strange situation because client log the following problem: "received invalid reply digest from RADIUS server". This is strange because as I read on web this error is due to wrong secrets configuration.
>>
>> Yes. The shared secrets are wrong, or there is some miscalculation of the reply digest.
>>
>>> I checked a few times and secrets are the same. I even tried to reinstall both freeradius and libradiusclient-ng2. Please help me and point what could be a reason for this??
>>
>> Which OS are you running on? Is it 64-bit? What CPU? The libradiusclient code MAY be doing MD5 incorrectly.
>>
>>> here is my radius debug (maybe will help):
>>>
>>> rad_recv: Access-Request packet from host 127.0.0.1 port 32894, id=198, length=300
>>> User-Name = "[EMAIL PROTECTED]"
>>> Digest-Attributes = 0x0a0968656c6c626f79
>>> Digest-Attributes = 0x010e766f69702e746f756b2e706c
>>> Digest-Attributes = 0x022a34356264656531363664353437333838393736323162356564343730383331323661316461636633
>>> Digest-Attributes = 0x04187369703a746f6d697840766f69702e746f756b2e706c
>>> Digest-Attributes = 0x0308494e56495445
>>> Digest-Attributes = 0x050661757468
>>> Digest-Attributes = 0x090a3030303030303031
>>> Digest-Attributes = 0x0822363946443538313637443542464636463130463336374645394343313839
>>> Digest-Response = "2c8b62ee23ac6cbe4a551b8b698a509c"
>>> Service-Type = 0x000f
>>
>> That looks like a bug in libradiusclient. The Service-Type attribute should be 4 bytes of data, not 8.
>>
>>> SER-Service-Type = 0x0003
>>> SER-Uri-User = "hellboy"
>>> NAS-Port = 0x13c4
>>> NAS-IP-Address = 0x7f01
>>
>> Again, the NAS-Port and NAS-IP-Address attributes should be 4 bytes of data, not 8. This makes me suspect you're running on a 64-bit system, and that the libradiusclient code isn't 64-bit clean.
>
> Yes. I _think_ that this is the bug that chris fixed in freeradius-client 2 days ago.
>
> Try using a current snapshot of freeradius-client instead of radiusclient-ng and see if the problem is solved. Here is a link:
> ftp://ftp.suntel.com.tr/pub/freeradius/snapshots/freeradius-client-snapshot-20070129.tar.bz2
>
> A patch I wrote to make OpenSER use freeradius-client instead of radiusclient-ng is at:
> https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1631052&group_id=139143
>
> If you run SER instead of OpenSER you may have to fiddle with the patch slightly.. A modified version of the patch has been applied to openser cvs. (See the comments for details)
>
> Cheers

Thank you! I've never worked with OpenSer and I have never tried to apply a patch to SER. Could you point me some resources where I can get some more understanding what such patch is and how to apply it? I read the comments and from them I understood that what I need to do is install FreeRadius Client, because the problem considers client side, and then integrate ser/openser to use this client. And this is what I don't know exactly how to achieve. Please help me with this issue.

bests
-tomasz
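Two things go wrong in the thread above: integer attributes arriving with 8 bytes of data instead of 4, and a reply whose digest the client cannot verify. The following is an added example (not freeradius-client or FreeRADIUS code) that checks both on the wire: it walks the RADIUS attribute TLV list and flags fixed-size attributes of the wrong length, and it computes and verifies the Response Authenticator as RFC 2865 defines it, MD5(Code + ID + Length + RequestAuth + Attributes + Secret), which is the "reply digest" that fails when the shared secrets differ. Function names are hypothetical; the attribute numbers are the RFC 2865 ones.

```python
"""Attribute-length sanity check and Response Authenticator verification.

Added example, not code from the thread. The packet layout (1-byte code,
1-byte id, 2-byte length, 16-byte authenticator, TLV attributes) and the
digest are from RFC 2865; the function names are hypothetical.
"""
import hashlib
import hmac
import struct

# RFC 2865 attributes whose value is exactly 4 bytes (integer or ipaddr).
FIXED4 = {4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
          12: "Framed-MTU", 61: "NAS-Port-Type"}
HEADER_LEN = 20   # code, id, length, 16-byte authenticator


def u32(n: int) -> bytes:
    """Correct 4-byte big-endian encoding of an integer attribute."""
    return struct.pack("!I", n)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """TLV: type, length (covers the two header bytes), value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attributes(data: bytes):
    """Walk the attribute list and return (attrs, problems).

    problems lists malformed lengths and fixed-size attributes carrying
    the wrong number of bytes, such as an 8-byte Service-Type.
    """
    attrs, problems, off = [], [], 0
    while off < len(data):
        if off + 2 > len(data):
            problems.append(f"truncated attribute header at offset {off}")
            break
        attr_type, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            problems.append(f"type {attr_type} has bad length {length} at offset {off}")
            break
        value = data[off + 2:off + length]
        if attr_type in FIXED4 and len(value) != 4:
            problems.append(f"{FIXED4[attr_type]} carries {len(value)} bytes of data, expected 4")
        attrs.append((attr_type, value))
        off += length
    return attrs, problems


def response_authenticator(code, ident, length, request_auth, attr_bytes, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attr_bytes + secret).digest()


def sign_response(code, ident, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Build a server reply (e.g. Access-Accept, code 2) with a valid Response Authenticator."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    length = HEADER_LEN + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, length) + auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check of a reply: recompute the digest with the Request
    Authenticator we sent and our own copy of the shared secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, length, request_auth,
                                      packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])
```

Running `parse_attributes` over a capture of the client's own request is a quick way to tell the two causes apart: if integer attributes come out at 8 bytes, the client's encoder is at fault (and the server will also have hashed a packet the client did not intend to send); if the attributes are well-formed but `verify_response` fails with the secret the client was configured with, the secrets really do differ.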
Re: EAP-TTLS inner auth methods for 802.1x
On 29/01/2007, at 10:07 PM, Alan DeKok wrote:
> James Lever wrote:
>> I'm stuck trying to work out how to avoid sending the password unhashed to the server
>
> Why?

Two reasons - first I am trying to limit risk of client misconfiguration - if a client has misconfigured their supplicant, to avoid passwords inadvertently going through in the clear and secondly to limit the risk of account compromise through abuse of privileges on the radius server. Yes, I realise that this is a small risk, but I'm just trying to see how far I can go in terms of securing the user credentials.

> See my web page for compatibility issues: http://deployingradius.com/documents/protocols/compatibility.html

Thanks for the pointer. This helps clarify the requirements of the different authentication mechanisms.

> Your desires are contradictory. If the password is hashed in EAP-TTLS, then the server needs the cleartext password in order to authenticate the user. I don't understand why giving the server access to the cleartext passwords is such a terrible thing to do. What are the risks of client misconfiguration such that it will actually get to the point of attempting to transmit the password in the clear?

cheers,
James
Re: EAP-TTLS inner auth methods for 802.1x
On 29/01/2007, at 11:03 PM, [EMAIL PROTECTED] wrote:
> MSCHAPv2 is the main way to go. offering challenge/response means the password is never sent clear. alternatively you could use MD5 instead of plain. but client support is an issue...

After reading through Alan DeKok's compatibility page and a bit further research from that, it would appear that the risk of compromise is greater from poor storage on the server than the transient cleartext credentials inside the EAP-TLS session.

cheers,
James
RPM Build-error
I'm trying to create a Redhat RPM from the nightly CVS snapshots. (Following the Wiki instructions)

I've tried a few different snapshot dates, and they all die with the attached error. I'm not too familiar with RedHat packaging. Any idea what I've done wrong?

Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/freeradius-root
error: Installed (but unpackaged) file(s) found:
   /usr/include/freeradius/hash.h
   /usr/include/freeradius/libradius.h
   /usr/include/freeradius/md4.h
   /usr/include/freeradius/md5.h
   /usr/include/freeradius/missing.h
   /usr/include/freeradius/packet.h
   /usr/include/freeradius/radius.h
   /usr/include/freeradius/radpaths.h
   /usr/include/freeradius/sha1.h
   /usr/include/freeradius/token.h
   /usr/include/freeradius/udpfromto.h

RPM build errors:
    Installed (but unpackaged) file(s) found:
   /usr/include/freeradius/hash.h
   /usr/include/freeradius/libradius.h
   /usr/include/freeradius/md4.h
   /usr/include/freeradius/md5.h
   /usr/include/freeradius/missing.h
   /usr/include/freeradius/packet.h
   /usr/include/freeradius/radius.h
   /usr/include/freeradius/radpaths.h
   /usr/include/freeradius/sha1.h
   /usr/include/freeradius/token.h
   /usr/include/freeradius/udpfromto.h
RSA / Smart Cards
Does anyone have pointers on setting up a solution where freeradius authenticates against an RSA Secure ID or a smart card? Is there a good package that supports some sort of standard password-less authentication? Any experiences using smart cards or RSA Secure IDs with Linux would be welcomed.

respectfully,
Joseph
Re: LAN accounting
Josh Howlett wrote:
>>>> I'm newbie, I wanna know that can i use FreeRadius+Dialup_admin as a LAN accounting? It means that i use them without dialing?
>>>
>>> the name dialup_admin is a bit misleading. You can as well manage LAN users with them. It's a generic user management system.
>>
>> agree if RADIUS is used to authenticate users, but they're asking about accounting. Besides there's no way to prevent connection to LAN switches with RADIUS
>
> Yes - 802.1x

expensive, but it is the best solution, you're absolutely right. However, they still have to develop their own software to restrict simultaneous logins or limit time/bandwidth

>> and restrict internal communication between local hosts.
>
> Kinda - Dynamic VLAN allocation.

we love cisco :)

Inna

> Josh.
RE: radiusd and oracle accounting [unclas]
We had a system using Ciscosecure ACS that wrote the accounting records to textfiles in a directory. A perl script using Dirwatch monitored the directory and triggered a stored procedure in oracle which inserted the data. If oracle wasn't available, the data just accumulated. Once oracle was up again, the queue was processed.

Another solution would be to have an oracle replica on the radius box. It can continue to insert records until the main oracle DB returns, and then process the replication queue.

Regards,
Frank Ranner

From: [EMAIL PROTECTED] g [mailto:[EMAIL PROTECTED] adius.org] On Behalf Of Dourty, Brian R. (IATS)
Sent: Tuesday, 23 January 2007 02:41
To: freeradius-users@lists.freeradius.org
Subject: radiusd and oracle accounting

We have configured our radius servers to send accounting information to an Oracle database. It works out really well except when the oracle database server isn't available (i.e. maintenance or cold backups). The radius process dies when it loses connectivity to the oracle server. Has anyone else noticed this problem? Any suggestions on how to make radiusd more robust and able to recover from this?

Thanks,
Brian Dourty
System Administrator - Team Lead
IAT Services
University of Missouri - Columbia
573-882-1035
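The queue-and-replay design Frank describes (records accumulate on disk while the database is down and are processed once it is back), as an added example that is not FreeRADIUS code and not tied to Oracle or Dirwatch. FakeOracle is a constructed stand-in for the real sink whose availability the example toggles; AccountingSpool, record and drain are hypothetical names. Each record becomes one file in a spool directory, renamed into place atomically, and the backlog is replayed oldest-first; new records join the back of the queue while a backlog exists, so the insert order is preserved and the accounting process never has to die.

```python
"""Store-and-forward for accounting records when the database is down.

Added example of the queue-and-replay pattern from the thread; not FreeRADIUS
code. FakeOracle is a constructed stand-in for the real sink.
"""
import json
import tempfile
import time
from pathlib import Path


class DatabaseUnavailable(Exception):
    """Raised by the sink while it cannot be reached."""


class FakeOracle:
    def __init__(self):
        self.up = True
        self.rows = []

    def insert_acct(self, rec: dict) -> None:
        if not self.up:
            raise DatabaseUnavailable("simulated: database not reachable")
        self.rows.append(rec)


class AccountingSpool:
    def __init__(self, sink, directory=None):
        self.sink = sink
        # With no directory given, spool into a fresh temporary directory.
        self.dir = Path(directory or tempfile.mkdtemp(prefix="radacct-spool-"))
        self.dir.mkdir(parents=True, exist_ok=True)
        self._seq = 0

    def record(self, rec: dict) -> str:
        """Insert directly if possible; otherwise persist and report 'spooled'."""
        if self.pending():
            # A backlog exists: queue behind it so replay keeps the original order.
            self._spool(rec)
            return "spooled"
        try:
            self.sink.insert_acct(rec)
            return "inserted"
        except DatabaseUnavailable:
            self._spool(rec)
            return "spooled"

    def _spool(self, rec: dict) -> None:
        self._seq += 1
        name = f"{time.time_ns():020d}-{self._seq:06d}.json"   # lexically sortable
        tmp = self.dir / (name + ".tmp")
        tmp.write_text(json.dumps(rec))
        tmp.replace(self.dir / name)   # atomic rename: a half-written file is never replayed

    def pending(self):
        """Spooled records, oldest first (the .tmp files are excluded by the glob)."""
        return sorted(self.dir.glob("*.json"))

    def drain(self) -> int:
        """Replay the backlog oldest-first; stop at the first failure so order is preserved."""
        done = 0
        for path in self.pending():
            rec = json.loads(path.read_text())
            try:
                self.sink.insert_acct(rec)
            except DatabaseUnavailable:
                break
            path.unlink()
            done += 1
        return done
```

In a real deployment `drain()` would run from a periodic job or a directory watcher, and the spool directory should be on local disk with enough headroom for the longest expected outage; the ordering guarantee matters because Stop records replayed before their Start would confuse any session-based reporting.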
Re: The EAP Saga continues.
I finally got PEAP working, now I have two questions: should I create a dummy account for the mschap element of authentication? Secondly, how do I create additional certs for additional hosts in FreeRadius? As it is now, I can only authenticate one node.
Re: RSA / Smart Cards
Joseph wrote:
> Does anyone have pointers on setting up a solution where freeradius authenticates against an RSA Secure ID or a smart card?

FreeRADIUS proxies the request to the RSA RADIUS server. There's not much else that can be done.

> Is there a good package that supports some sort of standard password-less authentication?

Nope.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: RPM Build-error
King, Michael wrote:
> I'm trying to create a Redhat RPM from the nightly CVS snapshots. (Following the Wiki instructions)
...
> I'm not too familiar with RedHat packaging. Any idea what I've done wrong?

The RPM file in FreeRADIUS needs to be updated with that list of files.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog