Re: Disconnect user in radius
Thanks for the help.

Michael Lecuyer [EMAIL PROTECTED] wrote:
> You can send a Disconnect-Message from the RADIUS server to the client to disconnect them if the NAS supports DM/COA. The DM will cause the NAS to drop the connection, effectively disconnecting them from any services they were using.
>
> Dennis Skinner wrote:
>> satish patel wrote:
>>> I am using freeradius with Microsoft MSSQL. Now my question is: how do I disconnect a user from freeradius? Example: user xyz is online and I want to disconnect the user from radius, so what is the option for this task? Is there any script or any option to integrate with the web page of dialupadmin?
>>
>> You need to change your thinking. The user is not connected to RADIUS. Never was. That isn't what RADIUS does. The user is connected to your NAS. Check the NAS docs for disconnecting a user.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: The EAP Saga continues.
Evan Vittitow wrote:
> Alright, I'm going to step back and talk conceptually. The issue is that the laptops use a combination of LDAP and Kerberos to authenticate to the Domain Controllers.

If that's what you've designed your system to do, then it seems to be a problem you created for yourself.

> (OpenLDAP and a Kerberos KDC.) to authorize and authenticate Humans. So you get a Chicken/Egg issue. You can't authenticate Humans until you authenticate nodes, but a Human could not enter MS-CHAPv2 passwords without logging in.

Then don't design the system in a way that makes it impossible to do what you want.

> I want to be able to assign a Certificate to a Host; as long as the Host carries the certificate, it can talk on the network. The Cert should be individualized to each host. So, I'd like to be able to give a host a cert, and then let them use the network so they can login with User/Password. I have a working CA now.

Then the laptops have to use PEAP, and your switches have to require 802.1x.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: return-codes on reject
Guido wrote:
> Hello list,
>
> I'm using freeradius-1.1.2 with MS-SQL. I'm having serious problems with return-codes on reject messages. All was working fine with the previous version of freeradius. I was reading something about return-codes not being allowed on reject, but I think it is wrong because most return-codes go on reject messages. Only return-code = 0 (authorization succeeded) goes on Access-Accept. The rest, for example 2 (invalid pin), 9 (destination number blocked), 12 (insufficient balance), etc., are return-codes that go on reject.

What return codes are you talking about?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
How to add check item (Pool-Name) from Exec-Program-Wait script?
Hello,

I want to use two ippools. That's no problem of course. But which IP pool to assign I can decide only in the Exec-Program-Wait script. Now I have the following lines in the users file:

DEFAULT Auth-Type := Accept
    Exec-Program-Wait = /etc/raddb/authclient

The authclient script checks a text file, connects to MySQL and Oracle, and then it can say: use ippool1 or ippool2. But how to set the Pool-Name check item? As far as I understand, if authclient wrote Pool-Name := ippool1 to stdout, then that would be a reply item, not a check item!? So how could I tell from the script which ippool to use? I feel that somehow that should be possible since ippool is a post-auth thing. :)

Thanks,
Mindaugas
Re: Why Freeradius and Mysql dont work? [unclas]
Thanks! The file mysql.sock is actually in /tmp/.

regards
Guoxian

2007/1/29, Ranner, Frank MR [EMAIL PROTECTED]:
> Use the socket method. If you don't know where the socket file is try:
>
> find / -name mysql.sock
>
> It will probably be in /tmp if it isn't in /var/lib/mysql
>
> regards
> Frank Ranner
>
> From: yao guoxian
> Sent: Monday, 29 January 2007 15:14
> To: [EMAIL PROTECTED]; FreeRadius users mailing list
> Subject: Re: Why Freeradius and Mysql dont work?
>
>> Thanks again. The file /var/lib/mysql/mysql.sock does not exist. When I use an IP in sql.conf instead of localhost, I get the following result:
>>
>> rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
>> rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
>> rlm_sql (sql): starting 0
>> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
>> rlm_sql_mysql: Starting connect to MySQL server for #0
>> rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]:radius
>> rlm_sql_mysql: Mysql error 'Host '202.117.7.243' is not allowed to connect to this MySQL server'
>> rlm_sql (sql): Failed to connect DB handle #0
>> rlm_sql (sql): starting 1
>> rlm_sql (sql): starting 2
>> rlm_sql (sql): starting 3
>> rlm_sql (sql): starting 4
>> rlm_sql (sql): Failed to connect to any SQL server.
>> Module: Instantiated sql (sql)
>>
>> 2007/1/29, Edvin Seferovic [EMAIL PROTECTED]:
>>>> rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)'
>>>> rlm_sql (sql): Failed to connect DB handle #0
>>>> rlm_sql (sql): Failed to connect to any SQL server.
>>>
>>> your socket file is not in the place.. maybe you should use an IP in your sql.conf instead of the localhost !
>>>
>>> Regards,
>>> E:S
Re: a problem about radius and ldap
Hi

I deleted the entry Auth := Ldap in the users file. As pointed out in the freeradius wiki how-to "FreeRadius, OpenLDAP, Windows XP, and 802.1x" (http://www.mycohq.com/2006/02/freeradius-openldap-windows-xp-and.html), I set ldap in the authentication and authorization parts of radius.conf. My ldap search result is below.

userpassword=ramazan
.
radiusclass=groupnet
objectclass=radiusprofile
objectclass=top
objectclass=posixAccount
objectclass=shadowAccount
...
radiusgroupname=VPN
radiustunnelmediumtype=6
radiustunnelprivategroupid=2
radiustunneltype=VLAN
radiusauthtype=ldap (= eap, or leave it empty for eap)
radiusstripusername=true

In ldap, when I leave radiusauthtype empty, eap authentication works; radtest and the XP client are unsuccessful. When I set it to ldap, rlm_ldap can bind username and password for radtest but is unsuccessful for the XP client. The radius debug logs are below. Am I missing a point?

Setting radiusauthtype empty or eap:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: passwd = (null)
mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded LDAP
ldap: server = 192.168.100.18
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity =
ldap: start_tls = no
ldap: password =
ldap: basedn = dc=dot1x.com
ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = userPassword
ldap: access_attr = radiusGroupName
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
ldap: groupmembership_attribute = radiusGroupName
ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
conns: (nil)
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambalmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambantPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP
Re: Disconnect user in radius
On Wed 31 Jan 2007 13:48, satish patel wrote:
> Dear ALL
>
> I am using freeradius with Microsoft MSSQL. Now my question is: how do I disconnect a user from freeradius? Example: user xyz is online and I want to disconnect the user from radius, so what is the option for this task? Is there any script or any option to integrate with the web page of dialupadmin?

Most newer NAS support Disconnect Messages: http://wiki.freeradius.org/Disconnect_Messages

Most NAS also allow you to disconnect users with SNMP and/or telnet commands.

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
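What the Disconnect-Message exchange mentioned in this thread looks like on the wire, as an added example that is not from the thread, the wiki page or FreeRADIUS itself: the server builds a Disconnect-Request (RFC 5176) naming the session, the NAS checks the Request Authenticator against the shared secret before it tears anything down (so a packet from someone without the secret is dropped), and the server checks the Disconnect-ACK the same way. Packet codes and attribute numbers are from RFC 5176 and RFC 2865/2866; the secret, identifier and session values are constructed.

```python
"""Added example (not from the thread or FreeRADIUS): a RADIUS Disconnect-Request
(RFC 5176) built by the server and verified by the NAS before it acts on it."""
import hashlib
import hmac
import struct
from typing import List, Sequence, Tuple

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 codes
USER_NAME, ACCT_SESSION_ID = 1, 44                                # RFC 2865/2866 types
HDR = struct.Struct("!BBH")   # Code, Identifier, Length; the 16-octet Authenticator follows

Attrs = Sequence[Tuple[int, bytes]]


def encode_attrs(attrs: Attrs) -> bytes:
    """TLV-encode attributes; a value is 1..253 octets so Length fits in one octet."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, rejecting truncated or zero-length attributes."""
    attrs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_disconnect_request(ident: int, secret: bytes, attrs: Attrs) -> bytes:
    """Server side. Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = HDR.pack(DISCONNECT_REQUEST, ident, HDR.size + 16 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_disconnect_request(packet: bytes, secret: bytes) -> bool:
    """NAS side: drop the packet unless the authenticator proves the sender holds
    the shared secret and the attribute body is intact (RFC 5176 section 2.3)."""
    if len(packet) < 20:
        return False
    code, _ident, length = HDR.unpack_from(packet)
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, auth)


def build_response(code: int, request: bytes, secret: bytes, attrs: Attrs = ()) -> bytes:
    """NAS side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = HDR.pack(code, request[1], HDR.size + 16 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server side: accept an ACK/NAK only if it answers our request under our secret."""
    if len(response) < 20:
        return False
    code, ident, length = HDR.unpack_from(response)
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    # Constructed sample values: a shared secret and the session to terminate.
    secret = b"example-shared-secret"
    request = build_disconnect_request(
        7, secret, [(USER_NAME, b"xyz"), (ACCT_SESSION_ID, b"0000001A")])
    print("NAS accepts request:", verify_disconnect_request(request, secret))
    print("session attrs:", decode_attrs(request[20:]))
    # A sender without the real secret cannot produce a valid authenticator.
    bogus = build_disconnect_request(7, b"guessed-secret", [(USER_NAME, b"xyz")])
    print("NAS accepts request built with wrong secret:", verify_disconnect_request(bogus, secret))
    ack = build_response(DISCONNECT_ACK, request, secret)
    print("server accepts ACK:", verify_response(ack, request, secret))
```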
Re: a freeradious/wireless solution for a school
John Wan wrote:
> I have setup the chillispot+freeRadius+Win2k3AD for my wireless network. Everything is working but the AD authentication. Apparently the reason it is not working is because AD does not like the CHAP authentication and AD likes MS-CHAP. I do not know how to configure and where to configure my Linux box to use MS-CHAP instead of CHAP.

See the Chillispot documentation.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Message in radius.log
Hello,

Here are two lines of the radius.log. Everything in the tables looks okay. Where must I search? I don't understand the first line below. So, why is the second line good? What does "cli" at the end of the second line mean?

Wed Jan 31 15:45:05 2007 : Info: rlm_sql (sql): No matching entry in the database for request from user [frontin]
Wed Jan 31 15:45:05 2007 : Auth: Login OK: [frontin/xx] (from client swsfspare port 0 cli )

Regards
Jean Frontin
System team
I R I T
Université Paul-Sabatier
118, rte de Narbonne
31062 Toulouse cedex 9
France
tel (33)(0)5 61 55 63 03
mail [EMAIL PROTECTED]
Re: Message in radius.log
Jean Frontin wrote:
> Hello,
>
> Here are two lines of the radius.log. Everything in the tables looks okay. Where must I search? I don't understand the first line below. So, why is the second line good?

Perhaps your username is in the users file and is not in the database?

> What does "cli" at the end of the second line mean?

calling-station-id

--
Sincerely Yours,
Alexander
redundant LDAP server with free-radius
Folks, sorry for bringing this up again.

I am running FreeRADIUS 1.1.4 and OpenLDAP 2.3.32 on two Solaris10/x86 hosts. A non-redundant config works fine with FreeRADIUS and OpenLDAP on a single host:

modules {
    ldap {
    }
}
authorize {
    ...
    ldap
}
authenticate {
    ...
    Auth-Type LDAP {
        ldap
    }
}

When I use a redundant config as per the instructions in the docs, I get

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

in the debug output and the user is rejected. Please see config and debug output below. I guess I am missing some fine detail here. Your help would be highly appreciated.

modules {
    ldap ds-01 {
    }
    ldap ds-02 {
    }
}
authorize {
    ...
    redundant {
        ds-02
        ds-01
    }
}
authenticate {
    ...
    Auth-Type LDAP {
        redundant {
            ds-02
            ds-01
        }
    }
}

Debug output:

rad_recv: Access-Request packet from host 1.1.1.1:3283, id=29, length=47
User-Name = qwer
User-Password = qwer
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = qwer, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
modcall: entering group redundant for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for qwer
radius_xlat: '((objectClass=posixAccount)(l=*)(uid=qwer))'
radius_xlat: 'dc=my,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=my,dc=com, with filter ((objectClass=posixAccount)(l=*)(uid=qwer))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user alexeim authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ds-02 returns ok for request 0
modcall: leaving group redundant (returns ok) for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

TIA
A.
?? PEAP MSChapv2 and Proxy to LDAP
Can freeradius be used to work as a proxy between a PEAP_MSChapv2 request and a central LDAP server? I read a lot in the mailing forum, but it's not clear.

regards,
Thomas
How to enable Freeradius to support a smart card with AES encryption algorithm?
Hi!

I have a smart card emulator which supports the AES, not MD5, encryption algorithm. Is it possible to enable Freeradius to support my smart card emulator? I have an idea as follows:

First, amending the client agent (NAS) daemon program to make it send a chap-password which is produced with AES, not MD5. The usual md5 chap-password is produced as MD5( user-packet-ID + user-secret + 16 bytes authenticator ), while the aes chap-password is produced as AES(16 bytes authenticator) using user-secret as key. The usual md5 chap-password attribute in an Access-Request packet is as follows:

| code = 3 | Length = 19 | user-packet-ID | 16 bytes value |

while the aes chap-password replaces the 16 bytes value ( MD5( user-packet-ID + user-secret + 16 bytes authenticator ) ) with AES(16 bytes authenticator).

Second, amending rlm_chap.c to alter it to use AES to analyze the request packet.

Is it practical? Appreciate any suggestions.

regards
Guoxian
Re: ?? PEAP MSChapv2 and Proxy to LDAP
Thomas Sterber (tsterber) wrote:
> Can freeradius be used to work as a proxy between a PEAP_MSChapv2 request and a central LDAP server?

The question uses confused terminology, which makes it difficult to answer properly.

> I read a lot in the mailing forum, but it's not clear.

Have you tried the Wiki, or the documentation that comes with the server? See also: http://deployingradius.com/documents/protocols/oracles.html

In short, if LDAP supplies a clear-text password to FreeRADIUS, PEAP will work. Many, many sites have been doing this with FreeRADIUS for years.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: How to enable Freeradius to support a smart card with AES encryption algorithm?
yao guoxian wrote:
> Hi!
>
> I have a smart card emulator which supports the AES, not MD5, encryption algorithm. Is it possible to enable Freeradius to support my smart card emulator?

Edit the code.

> I have an idea as follows:
>
> First, amending the client agent (NAS) daemon program to make it send a chap-password which is produced with AES, not MD5.

Don't do that. It isn't CHAP, and you will break a lot of things.

> The usual md5 chap-password is produced as MD5( user-packet-ID + user-secret + 16 bytes authenticator ), while the aes chap-password is produced as AES(16 bytes authenticator) using user-secret as key. The usual md5 chap-password attribute in an Access-Request packet is as follows:
>
> | code = 3 | Length = 19 | user-packet-ID | 16 bytes value |
>
> while the aes chap-password replaces the 16 bytes value ( MD5( user-packet-ID + user-secret + 16 bytes authenticator ) ) with AES(16 bytes authenticator).
>
> Second, amending rlm_chap.c to alter it to use AES to analyze the request packet.
>
> Is it practical? Appreciate any suggestions.

No, it's not practical. What you're missing is that none of the NASes will do the AES calculation, so changing FreeRADIUS won't help.

If you control the software on the NAS, just invent a new attribute, My-AES-Password, and use that. That's what attributes are for. Then, write a new module to support that attribute. That's what modules are for.

Hacking existing attributes and modules is a recipe for disaster. Don't do it.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
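The CHAP computation Guoxian and Alan are discussing, as an added example that is not from the thread or from the FreeRADIUS sources: the NAS fills the 19-octet CHAP-Password attribute with MD5(Ident || password || challenge), and the server side (what rlm_chap does) can only verify it by recomputing that MD5 from the clear-text password it holds, which is also why a salted hash such as the {SSHA} value seen elsewhere in this digest cannot satisfy a CHAP check. Attribute numbers are from RFC 2865; the identifier, password and challenge bytes are constructed sample values.

```python
"""Added example (not from the thread or FreeRADIUS): what a NAS puts in the
CHAP-Password attribute and how a RADIUS server verifies it (RFC 1994 / RFC 2865)."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

CHAP_PASSWORD = 3     # RADIUS attribute type: CHAP-Password (RFC 2865 section 5.3)
CHAP_ATTR_LEN = 19    # type(1) + length(1) + CHAP Ident(1) + 16-octet MD5 value


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """The 16-octet CHAP response: MD5(Ident || Secret || Challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Ident is a single octet")
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side: encode | Type=3 | Length=19 | Ident | 16-octet value |."""
    value = chap_response(ident, password, challenge)
    return struct.pack("!BBB", CHAP_PASSWORD, CHAP_ATTR_LEN, ident) + value


def parse_chap_password_attr(attr: bytes) -> Tuple[int, bytes]:
    """Return (ident, response); reject anything that is not a well-formed CHAP-Password."""
    if len(attr) != CHAP_ATTR_LEN:
        raise ValueError("CHAP-Password must be exactly 19 octets")
    atype, alen, ident = struct.unpack("!BBB", attr[:3])
    if atype != CHAP_PASSWORD or alen != CHAP_ATTR_LEN:
        raise ValueError("not a CHAP-Password attribute")
    return ident, attr[3:]


def verify_chap(attr: bytes, known_password: bytes, request_authenticator: bytes,
                chap_challenge: Optional[bytes] = None) -> bool:
    """Server side, as rlm_chap does it: recompute the MD5 from the clear-text
    password the server holds and compare in constant time. The challenge is the
    CHAP-Challenge attribute if the NAS sent one, otherwise the 16-octet Request
    Authenticator of the Access-Request (RFC 2865 section 5.3)."""
    ident, response = parse_chap_password_attr(attr)
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(ident, known_password, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values: a NAS-chosen Ident, a user's clear-text password
    # and a 16-octet Request Authenticator standing in for the challenge.
    ident, password, authenticator = 0x2A, b"s3cret-example", bytes(range(16))
    attr = build_chap_password_attr(ident, password, authenticator)
    print("CHAP-Password attribute:", attr.hex())
    print("correct password verifies:", verify_chap(attr, password, authenticator))
    print("wrong password verifies:  ", verify_chap(attr, b"wrong", authenticator))
```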
Re: redundant LDAP server with free-radius
Alexei Monastyrnyi wrote:
> When I use a redundant config as per the instructions in the docs, I get the "auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user" in debugs and the user is rejected. Please see config and debug output below. I guess I am missing some fine detail here. Your help would be highly appreciated.

The modules are named ds-01 and ds-02, not LDAP. In this case, you will have to set Auth-Type to LDAP by hand.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: redundant LDAP server with free-radius
Thanks Alan.

But I do define it when switching from a single server to the redundant group, don't I?

Auth-Type LDAP {
    ldap
}

to

Auth-Type LDAP {
    redundant {
        ds-02
        ds-01
    }
}

Isn't that enough?

A.

> Alexei Monastyrnyi wrote:
>> When I use a redundant config as per the instructions in the docs, I get the "auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user" in debugs and the user is rejected. Please see config and debug output below. I guess I am missing some fine detail here. Your help would be highly appreciated.
>
> The modules are named ds-01 and ds-02, not LDAP. In this case, you will have to set Auth-Type to LDAP by hand.
>
> Alan DeKok.
Re: redundant LDAP server with free-radius
Alexei Monastyrnyi wrote:
> But I do define it when switching from a single server to the redundant group, don't I?

Yes.

> Isn't that enough?

What did my previous response say? You can argue with me, or you can try what I suggested, and verify for yourself that it works.

As a hint: when the LDAP module sets Auth-Type, it sets the value to the name of the module... which in your case is ds-01, not LDAP.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: redundant LDAP server with free-radius
no arguing here, just clearing up things... :-) stay cool

this works as expected, though it is not that obvious that the Auth-Type name refers to the module name, and not just names the method... Or I might have missed that in the documentation. Anyway, the fail-over section does not reflect this IMO. Not a note about the authenticate sub-section at all... should it be updated? http://wiki.freeradius.org/Fail-over

authorize {
    ...
    redundant {
        ds-02
        ds-01
    }
}
authenticate {
    ...
    Auth-Type ds-01 {
        ds-01
    }
    Auth-Type ds-02 {
        ds-02
    }
}

on 2/1/2007 4:04 PM Alan DeKok wrote:
> Alexei Monastyrnyi wrote:
>> But I do define it when switching from a single server to the redundant group, don't I?
>
> Yes.
>
>> Isn't that enough?
>
> What did my previous response say? You can argue with me, or you can try what I suggested, and verify for yourself that it works.
>
> As a hint: when the LDAP module sets Auth-Type, it sets the value to the name of the module... which in your case is ds-01, not LDAP.
>
> Alan DeKok.
Re: redundant LDAP server with free-radius
Alexei Monastyrnyi wrote:
> this works as expected, though it is not that obvious that the Auth-Type name refers to the module name, and not just names the method...

It defines the method, but doesn't make the module set Auth-Type to that method.

> Or I might have missed that in the documentation. Anyway, the fail-over section does not reflect this IMO. Not a note about the authenticate sub-section at all... should it be updated?

Modules having authenticate sections automatically have Auth-Type definitions created based on their name. This is normally the module name (i.e. LDAP), unless the module has an *instance* name, in which case it's the instance name.

The LDAP module sets Auth-Type to its *instance* name, not to LDAP. That appears to be the piece you're missing. This has nothing to do with failover.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
802.1x + freeradius authentication problem
Hi all,

We are trying to set up an environment with 802.1x + Freeradius for our wireless net. Our goal is to authenticate Windows XP clients using EAP. Our radius server is bound to an LDAP database. We have tested our users with a radius-test tool and everything seems to work fine, but when trying to validate in our 802.1x environment, the radius server rejects the user. In fact, although we get an "authorize returns ok", there seems to be an additional check that claims the user has no password. Any ideas?

We attach the radiusd log (hope it helps!). Thanks in advance,

rad_recv: Access-Request packet from host **NAS_IP_ADDRESS** port 1027, id=2, length=187
Message-Authenticator = 0xc40883257068815f1b14f3b80780eeab
Service-Type = Framed-User
User-Name = ID_of_USER
Framed-MTU = 1488
State = 0xb32f32ffc94e41b83d5af8f919ee449e
Called-Station-Id = 00-12-CF-1A-15-80:Eduroam
Calling-Station-Id = 00-0E-35-FE-1F-6D
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 0x020200060319
NAS-IP-Address = 1.0.1.2
NAS-Port = 1
NAS-Port-Id = STA port # 1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for request 6
radius_xlat: '/home/radmgr/freeradius/var/log/radius/radacct/158.109.1.15/auth-detail-20070201'
rlm_detail: /home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /home/radmgr/freeradius/var/log/radius/radacct/NAS_IP_ADDRESS/auth-detail-20070201
radius_xlat: 'Thu Feb 1 17:06:44 2007'
modcall[authorize]: module auth_log returns ok for request 6
modcall[authorize]: module chap returns noop for request 6
modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = ID_of_USER, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 6
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: Ignoring NAK with request for unknown EAP type
modcall[authorize]: module eap returns noop for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ID_of_USER
radius_xlat: '(uid=ID_of_USER)'
radius_xlat: 'ou=People,dc=my_org,dc=es'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=my_org,dc=es, with filter (uid=ID_of_USER)
rlm_ldap: Password header not found in password {SSHA}HzNGeJ1eXDD/B9ZOG+QdbpeCGUx1Q+UiMSdLZg== for user ID_of_USER
rlm_ldap: Added User-Password = {SSHA}HzNGeJ1eXDD/B9ZOG+QdbpeCGUx1Q+UiMSdLZg== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding LDAP attribute UserClass as RADIUS attribute Filter-Id = GRUPS_INTERES#951#Servei d'Informàtica
rlm_ldap: Adding LDAP attribute UserClass as RADIUS attribute Filter-Id = USUARI_PROVES#951#Servei d'Informàtica
rlm_ldap: user IP_of_USER authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 6
modcall: group authorize returns ok for request 6
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [ID_of_User/no User-Password attribute] (from client NAS_IP_ADDRESS port 1 cli 00-0E-35-FE-1F-6D)
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 2 to NAS_IP_ADDRESS port 1027
Filter-Id = GRUPS_INTERES#951#Servei d'Inform\303\240tica
Cleaning up request 6 ID 2 with timestamp 45c21014
Cleaning up request 5 ID 1 with timestamp 45c21014
Cleaning up request 4 ID 0 with timestamp 45c21014
Nothing to do. Sleeping until we see a request.

--
Ramón Barquier Montalbán
Comunicacions
Servei d'Informàtica
Edifici D Campus de la UAB
08193 Bellaterra. Barcelona
Tel. +34 935 811 488  Fax: +34 935 812 094
[EMAIL PROTECTED]
www.uab.es/si
Re: Removing characters from usernames
I was thinking I could do something like this with a regular expression:

User-Name =~ tr/-//d

but I'm not sure where to do it and if it will work. I'm using a mysql back end so I was thinking in the sql.conf file. Has anyone done something like this before?

Thanks,
Andy

On Jan 31, 2007, at 4:05 PM, Andrew Zirkel wrote:
> Is there a way to parse the input of a username and password before it is passed to the back end database? I'm doing mac address authentication and some devices are passing the mac address with dashes, where I need to have no separation between the octets. I basically need to strip out these dashes from the input.
>
> Thanks
> Andy Zirkel
Re: Removing characters from usernames
I am doing this using the attr_rewrite module. In radiusd.conf I have the following section:

modules {
    attr_rewrite macaddress_rewrite {
        attribute = User-Name
        searchin = packet
        searchfor = -
        replacewith = :
        new_attribute = no
        append = no
    }
}

I call it just before the actual ldap module I am using.

hth
regards
markus

Zitat von Andrew Zirkel [EMAIL PROTECTED]:
> I was thinking I could do something like this with a regular expression:
>
> User-Name =~ tr/-//d
>
> but I'm not sure where to do it and if it will work. I'm using a mysql back end so I was thinking in the sql.conf file. Has anyone done something like this before?
>
> Thanks,
> Andy
>
> On Jan 31, 2007, at 4:05 PM, Andrew Zirkel wrote:
>> Is there a way to parse the input of a username and password before it is passed to the back end database? I'm doing mac address authentication and some devices are passing the mac address with dashes, where I need to have no separation between the octets. I basically need to strip out these dashes from the input.
>>
>> Thanks
>> Andy Zirkel

--
Markus Krause
email: [EMAIL PROTECTED]
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99
Fax.: 089 - 89 40 85 98
help
Problem syncing radius.logs with radrelay
Hello All!

FR Version: 1.1.3
OS Version: Fedora Core 5
cmd line for radrelay = /usr/bin/radrelay -n rad1_server -a /var/log/radacct -d /etc/raddb detail.relay

We've recently switched to FreeRadius from Cistron, and we didn't have this problem with Cistron. So, I'm hoping someone can help.

We are running 2 servers with radrelay. When a user gets authenticated on server #1, it logs their Login OK in the radius.log file, but does NOT log it on server #2 (and vice versa). So I would like to know if there's a way to have the log files on both servers sync up? And why did it work on Cistron and not with FreeRadius?

Thanks in advance for any help.

--John Brittain
[EMAIL PROTECTED]
Cisco VoIP Recording
I have set up freeradius 1.1.4 to log Cisco VOIP records into Postgres as described in src/billing. I am getting records just fine, but I am getting 16 entries logged into the database (radacct table) per phone call. Is this normal? If so, how do I figure out what the final one (or pair if I need 2 entries) should be?

I'm also not seeing anything logged in the {start|stop}voip tables if that's important.

Thanks for any help.

Chris
--
Chris D. Halverson
http://www.chrishalverson.com/
YIM/AIM: chrisdhal
MSN Messenger: [EMAIL PROTECTED]
Re: help
On Thu, 1 Feb 2007, Stephen Baker wrote:

Can you be a bit more specific? =)

--
Jeremy L. Gaddis, MCP, GCWN [EMAIL PROTECTED]
LinuxWiz Consulting
http://linuxwiz.net
error starting freeradius
Good afternoon,

I have just migrated a freeradius from a Red Hat Linux release 7.3 to a FreeBSD 6.1 and when executing:

    #/usr/local/etc/rc.d/radiusd start

I get the following:

    Starting radiusd.
    Thu Feb 1 15:32:27 2007 : Info: Starting - reading configuration files ...

    tailf -f /var/log/radius.log
    Thu Feb 1 15:32:27 2007 : Info: Using deprecated naslist file. Support for this will go away soon.
    Thu Feb 1 15:32:27 2007 : Info: Using deprecated clients file. Support for this will go away soon.
    Thu Feb 1 15:32:27 2007 : Info: HASH: Reinitializing hash structures and lists for caching...
    Thu Feb 1 15:32:27 2007 : Error: rlm_unix: Username too long in line: #
    Thu Feb 1 15:32:27 2007 : Info: HASH: Stored 40 entries from (null)
    Thu Feb 1 15:32:27 2007 : Error: rlm_unix: Can't open file group file (null): Bad address

I've googled for the errors presented but I couldn't find a solution... any suggestion?

Thanks in advance.

--
Enrique Llanos V.
HTU Networks Peru
www.htu-networks.com
Re: help
In such an emergency where you don't have the ability to be more specific, the typical procedure is to call 911, 123, 000 or whatever your country uses for its emergency telephone code... At least they have the ability to tell where you are calling from :-)

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
RE: Mac PEAP authentication with FreeRADIUS Pre2.0
When I try a Mac (PowerMac 10.4.8, but have tried also on 10.3.x), it seems to not work. The Mac throws an error 802.1x Authentication has failed.

After more testing, and staring at the debugs, it seems this is where the break-down is, the Mac isn't answering the tunneled Access-Challenge. Least, this is what I'm thinking.

(This is a different debug)

    modcall: entering group authenticate for request 23
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/mschapv2
      rlm_eap: processing type mschapv2
      Processing the authenticate section of radiusd.conf
    modcall: entering group MS-CHAP for request 23
      rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
      rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
      rlm_mschap: Told to do MS-CHAPv2 for mking with NT-Password
    radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
    radius_xlat: '--username=mking'
    radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
     mschap2: 94
    radius_xlat: '--challenge=4ebfbb2c2373c4c9'
    radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
    radius_xlat: '--nt-response=a53b88d2b14aead7f697498aa066c2d02e79c3d0a6e84427'
    Exec-Program output: NT_KEY: 1BA2159EDC0597637BA8848B83AA9B2B
    Exec-Program-Wait: plaintext: NT_KEY: 1BA2159EDC0597637BA8848B83AA9B2B
    Exec-Program: returned: 0
      rlm_mschap: adding MS-CHAPv2 MPPE keys
      modcall[authenticate]: module mschap returns ok for request 23
    modcall: group MS-CHAP returns ok for request 23
    MSCHAP Success
      modcall[authenticate]: module eap returns handled for request 23
    modcall: group authenticate returns handled for request 23
      PEAP: Got tunneled reply RADIUS code 11
            MS-CHAP2-Success = 0x0d533d6533366237333831626238393964326130666133656535646831303631616663303239326336
            EAP-Message = 0x010e00331a030d002e533d6533366237333831626238393964326130666133656535646831303631616663303239326336
            Message-Authenticator = 0x
            State = 0xfd5c09024628badca09e5ae9eec682e7
      PEAP: Processing from tunneled session code 0x81c1788 11
            MS-CHAP2-Success = 0x0d533d6533366237333831626238393964326130666133656535646831303631616663303239326336
            EAP-Message = 0x010e00331a030d002e533d6533366237333831626238393964326130666133656535646831303631616663303239326336
            Message-Authenticator = 0x
            State = 0xfd5c09024628badca09e5ae9eec682e7
      PEAP: Got tunneled Access-Challenge
      modcall[authenticate]: module eap returns handled for request 23
    modcall: group authenticate returns handled for request 23
    Sending Access-Challenge of id 4 to 10.0.1.22 port 32769
            EAP-Message = 0x010e005b1900170301005075b366b0bc3665ce9cc4c3bb5d4907020fce14dcf06c5ffbcdc725c126803bd0de38918995021346758fc00ed823cc7b13be5d69ed780a80ac04bfcb9cb85dee2ab382e8b88b3a7b7cdccfc227583867
            Message-Authenticator = 0x
            State = 0xf3f735fa7f444b2ef47757092fcbef29
    Finished request 23
    Going to the next request
    Waking up in 5 seconds...
    --- Walking the entire request list ---
    Cleaning up request 16 ID 253 with timestamp 45c257be
    Cleaning up request 20 ID 1 with timestamp 45c257be
    Cleaning up request 22 ID 3 with timestamp 45c257be
Re: Removing characters from usernames
Thanks, that did the trick for User-Name and User-Password after I put what I renamed macaddress_rewrite to in the authorization section.

Andy Zirkel

On Feb 1, 2007, at 12:53 PM, Markus Krause wrote:

> I am doing this using the attr_rewrite module in radiusd.conf; I have the following section:
>
>     modules {
>         attr_rewrite macaddress_rewrite {
>             attribute = User-Name
>             searchin = packet
>             searchfor = -
>             replacewith = :
>             new_attribute = no
>             append = no
>         }
>     }
>
> I call it just before the actual ldap module I am using.
>
> hth
> regards
> markus
>
> [...]
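The attr_rewrite section in this thread folds the dashes some NASes put into a MAC-address User-Name into colons so that every device hits the same backend row. The following is an added example, not code from the thread or from FreeRADIUS: it reproduces that dash-to-colon rewrite and goes a step further than the thread, folding the colon, Cisco dotted and bare forms into one lower-case canonical key and rejecting anything that is not a MAC address at all. The device table and User-Name samples are constructed; all function names are mine.

```python
"""Normalise MAC-address User-Names before the backend lookup (added example)."""
import re
from typing import Optional

# Layouts a NAS is likely to send.  The first is the thread's case (dashes);
# the others are the colon, Cisco dotted and bare forms.  Each pattern is
# anchored so that stray separators or extra characters do not slip through.
_MAC_LAYOUTS = (
    re.compile(r"^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}$", re.I),    # 00-1a-2b-3c-4d-5e
    re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.I),    # 00:1a:2b:3c:4d:5e
    re.compile(r"^[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}$", re.I),   # 001a.2b3c.4d5e
    re.compile(r"^[0-9a-f]{12}$", re.I),                      # 001a2b3c4d5e
)


def rewrite_dash_to_colon(user_name: str) -> str:
    """What the thread's attr_rewrite instance does (searchfor = -, replacewith = :).
    Assumed here to replace every dash in the attribute value."""
    return user_name.replace("-", ":")


def normalize_mac(user_name: str) -> Optional[str]:
    """Return the canonical 'aa:bb:cc:dd:ee:ff' form, or None when the name
    is not a MAC address in one of the accepted layouts."""
    value = user_name.strip()
    if not any(layout.match(value) for layout in _MAC_LAYOUTS):
        return None
    digits = re.sub(r"[-:.]", "", value).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed stand-in for the backend table (e.g. the radcheck rows used for
# MAC authentication), keyed by the canonical form only.
KNOWN_DEVICES = {
    "00:1a:2b:3c:4d:5e": "printer-2ndfloor",
    "00:1a:2b:3c:4d:5f": "badge-reader-lobby",
}


def lookup_device(user_name: str) -> Optional[str]:
    """Authorize step: normalise first, then look the device up.  Returns the
    device label, or None when the name is malformed or unknown."""
    key = normalize_mac(user_name)
    if key is None:
        return None
    return KNOWN_DEVICES.get(key)


if __name__ == "__main__":
    # Constructed User-Names as four different NAS types would send them,
    # plus two that must be rejected.
    for name in ("00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5e", "001a.2b3c.4d5e",
                 "001A2B3C4D5E", "00-1A-2B-3C-4D", "alice"):
        print(f"{name!r:22} -> {normalize_mac(name)!r:22} {lookup_device(name)!r}")
```

Whatever the rewrite, a MAC address only identifies a device; it is trivially set by the client, so the lookup above is an allow-list, not an authentication.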
Re: error starting freeradius
Hi,

> I have just migrated a freeradius from a Red Hat Linux release 7.3 to a FreeBSD 6.1 and when executing:
>
>     '#/usr/local/etc/rc.d/radiusd start'

ah. that first sentence is what concerns me. FreeBSD handles its passwords etc differently from RedHat. a quick google brings up several instant results - and although older FR systems used the unix module (but asked you to comment out the passwd and shadow entries on freebsd!) newer FR uses rlm_passwd for most of those features.

you can also declutter the debug output by deleting the naslist and clients file (you shouldn't use them...check you haven't put anything in them!) - but that's trivial

alan
Re: Cisco VoIP Recording
On Thu 01 Feb 2007 20:52, Chris Halverson wrote:
> I have set up freeradius 1.1.4 to log Cisco VOIP records into Postgres as described in src/billing. I am getting records just fine, but I am getting 16 entries logged into the database (radacct table) per phone call. Is this normal? If so, how do I figure out what the final one (or pair if I need 2 entries) should be?
>
> I'm also not seeing anything logged in the {start|stop}voip tables if that's important.

Erm.. You have got the original sql config setup then, not the voip one.

Do NOT include postgresql.conf
DO include pgsql-voip.conf (or postgresql-voip-postpaid.conf if using cvs head)

Depending on the setup of your cisco you may get multiple records per call (One per call leg, and per call retry/dial peer) but I doubt you will get 16... Looks like your radius server is slow and you are getting retries.. (Using the voip queries should speed it up...)

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Freeradius-Users Digest, Vol 22, Issue 6
Hi,

I am starting freeradius with my mysql server and I noticed this error:

    rlm_sql_mysql: Mysql error 'Host 'mysql1.wireless.intranet' is not allowed to connect to this MySQL server'

But I already gave the privileges to my user radius and added the server mysql1.wireless.intranet to my list of known hosts.

I use linux Debian and mysql 5.0.33 and both are in the same machine, but they have different IP addresses.

In the freeradius/sql.conf file I configured this:

    sql {
        # Database type
        # Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
        # rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
        driver = rlm_sql_mysql

        # Connect info
        server = mysql1.wireless.intranet
        # server = localhost
        login = radius
        password = radius_password
        #login = root
        # password = mysql_password

        # Database table configuration
        radius_db = radius

        # If you want both stop and start records logged to the
        # same SQL table, leave this as is. If you want them in
        # different tables, put the start table in acct_table1
        # and stop table in acct_table2
        acct_table1 = radacct
        acct_table2 = radacct

Can someone help me?

Thanks a lot,
Marilene

This is the result of freeradius:

    freeradius -x
    Starting - reading configuration files ...
    Using deprecated naslist file. Support for this will go away soon.
    Module: Loaded exec
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    Module: Instantiated unix (unix)
    Module: Loaded eap
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    rlm_eap: Loaded and initialized type gtc
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    Module: Instantiated realm (suffix)
    Module: Loaded files
    Module: Instantiated files (files)
    Module: Loaded SQL
    rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
    rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
    rlm_sql (sql): starting 0
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
    rlm_sql_mysql: Starting connect to MySQL server for #0
    rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]:radius
    rlm_sql_mysql: Mysql error 'Host 'mysql1.wireless.intranet' is not allowed to connect to this MySQL server'
    rlm_sql (sql): Failed to connect DB handle #0
    rlm_sql (sql): starting 1
    rlm_sql (sql): starting 2
    rlm_sql (sql): starting 3
    rlm_sql (sql): starting 4
    rlm_sql (sql): Failed to connect to any SQL server.
    Module: Instantiated sql (sql)
    Module: Loaded Acct-Unique-Session-Id
    Module: Instantiated acct_unique (acct_unique)
    Module: Loaded detail
    Module: Instantiated detail (detail)
    Module: Loaded radutmp
    Module: Instantiated radutmp (radutmp)
    Initializing the thread pool...
    Listening on authentication *:1812
    Listening on accounting *:1813
    Listening on proxy *:1814
    Ready to process requests.
Re: Mac PEAP authentication with FreeRADIUS Pre2.0
Yes, it looks like your Mac may not like the MSCHAPv2 response for some reason.

On your Mac (as root), create the directory /var/log/eapolclient, then retry your authentication. The EAP client in OS X should write out debugging information for the EAP session into that directory and should give you a better idea of why it's halting.

--Mike

On Feb 1, 2007, at 3:21 PM, King, Michael wrote:

> When I try a Mac (PowerMac 10.4.8, but have tried also on 10.3.x), it seems to not work. The Mac throws an error 802.1x Authentication has failed.
>
> After more testing, and staring at the debugs, it seems this is where the break-down is, the Mac isn't answering the tunneled Access-Challenge. Least, this is what I'm thinking.
>
> (This is a different debug)
>
> [...]
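The inner EAP-Message in the debug above (Code 1, Id 0x0e, Type 0x1a = MS-CHAPv2, OpCode 3) is the server's MS-CHAPv2 Success Request: it carries the authenticator response ("S=" plus 40 hex digits) that the client is expected to verify and then acknowledge with a six-byte Success Response, and only after that acknowledgement can the server move on to EAP-Success and Access-Accept, so a supplicant that stops at this Access-Challenge fails exactly as described even though rlm_mschap returned ok. The decoder below is an added example, not code from the thread or from FreeRADIUS; the sample bytes are constructed with the same layout as the thread's packet (the 40 hex digits are made up) and the function names are mine.

```python
"""Decode the tunneled EAP/MS-CHAPv2 Success Request and build the reply it expects (added example)."""
from dataclasses import dataclass

EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26          # RFC 3748 method type for EAP-MSCHAPv2
MSCHAPV2_OPCODE_SUCCESS = 3     # MS-CHAPv2 OpCode inside the EAP type data


@dataclass
class MsChapV2Success:
    eap_id: int      # EAP Identifier; the client's Response must echo it
    ms_id: int       # MS-CHAPv2 Identifier
    message: str     # "S=" + 40 hex digits: the server's authenticator response


def parse_mschapv2_success(eap_message: bytes) -> MsChapV2Success:
    """Decode an EAP Request carrying an MS-CHAPv2 Success packet.

    Every length field is checked against the bytes actually present; anything
    that is not a well-formed Success Request raises ValueError.
    """
    if len(eap_message) < 5:
        raise ValueError("EAP header truncated")
    code, eap_id = eap_message[0], eap_message[1]
    length = int.from_bytes(eap_message[2:4], "big")
    if length != len(eap_message):
        raise ValueError(f"EAP Length {length} but {len(eap_message)} bytes present")
    if code != EAP_REQUEST:
        raise ValueError(f"EAP Code {code}, expected Request (1)")
    if eap_message[4] != EAP_TYPE_MSCHAPV2:
        raise ValueError(f"EAP Type {eap_message[4]}, expected MS-CHAPv2 (26)")

    body = eap_message[5:]                     # MS-CHAPv2 OpCode, Id, Length, data
    if len(body) < 4:
        raise ValueError("MS-CHAPv2 header truncated")
    opcode, ms_id = body[0], body[1]
    ms_length = int.from_bytes(body[2:4], "big")
    if opcode != MSCHAPV2_OPCODE_SUCCESS:
        raise ValueError(f"MS-CHAPv2 OpCode {opcode}, expected Success (3)")
    if ms_length != len(body):
        raise ValueError(f"MS-CHAPv2 Length {ms_length} but {len(body)} bytes present")

    message = body[4:].decode("ascii")
    # RFC 2759 section 5: "S=" followed by 40 hexadecimal digits, i.e. the
    # 20-byte authenticator response.  Either hex case is accepted here.
    digits = message[2:]
    if not (message.startswith("S=") and len(digits) == 40
            and all(c in "0123456789abcdefABCDEF" for c in digits)):
        raise ValueError(f"malformed Success message {message!r}")
    return MsChapV2Success(eap_id, ms_id, message)


def is_mschapv2_success(eap_message: bytes) -> bool:
    """Yes/no wrapper for code that scans captured EAP-Messages."""
    try:
        parse_mschapv2_success(eap_message)
        return True
    except ValueError:          # UnicodeDecodeError is a ValueError too
        return False


def build_success_response(eap_id: int) -> bytes:
    """The EAP Response the supplicant owes once it has checked the S= value:
    Code 2, the same Identifier, Length 6, Type 26, OpCode 3."""
    return bytes([EAP_RESPONSE, eap_id, 0, 6, EAP_TYPE_MSCHAPV2, MSCHAPV2_OPCODE_SUCCESS])


# Constructed sample with the same layout as the packet in the debug above:
# Code 1, Id 0x0e, Length 0x0033 (51), Type 0x1a (26), OpCode 3, Id 0x0d,
# MS-Length 0x002e (46), then "S=" + 40 hex digits (digits made up).
SAMPLE_EAP_MESSAGE = bytes.fromhex("010e00331a030d002e") + \
    b"S=0123456789ABCDEF0123456789ABCDEF01234567"

if __name__ == "__main__":
    success = parse_mschapv2_success(SAMPLE_EAP_MESSAGE)
    print(success)
    print("supplicant must answer with:", build_success_response(success.eap_id).hex())
```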
Re: error starting freeradius
Well, I'm new to freeradius and I got the task of migrating it from red-hat to freeBSD, so nothing is trivial for me; I'd appreciate a bit more info for repairing (or at least giving it a try) things myself.

Thanks in advance.

ELLV

On 2/1/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi,
>
> > I have just migrated a freeradius from a Red Hat Linux release 7.3 to a FreeBSD 6.1 and when executing:
> >
> >     '#/usr/local/etc/rc.d/radiusd start'
>
> ah. that first sentence is what concerns me. FreeBSD handles its passwords etc differently from RedHat. a quick google brings up several instant results - and although older FR systems used the unix module (but asked you to comment out the passwd and shadow entries on freebsd!) newer FR uses rlm_passwd for most of those features.
>
> you can also declutter the debug output by deleting the naslist and clients file (you shouldn't use them...check you haven't put anything in them!) - but that's trivial
>
> alan

--
Enrique Llanos V.
HTU Networks Peru
www.htu.com.pe
Re: The EAP Saga continues.
Let me re-phrase, as I think I'm not quite making sense.

    openssl req -new -keyout kurama.pem -out kurama.pem -days 730
    openssl x509 -in kurama.pem -out kurama.crt
    openssl req -new -keyout altanis.pem -out altanis.pem -days 730
    openssl x509 -in altanis.pem -out altanis.crt
    openssl req -new -keyout serenity.pem -out serenity.pem -days 730
    openssl x509 -in serenity.pem -out serenity.crt

Here are my three laptops, now as far as I know, based on my understanding of how EAP works, as long as the laptops have these certs, they should be able to authenticate users. the certs authenticate the nodes

Case #2

    openssl req -new -keyout monkey.pem -out monkey.pem -days 2
    openssl x509 -in monkey.pem -out monkey.crt

This is a temporary cert for an enemy unit I am allowing temporary guest access to the network, I'd like this person to use their MS-Chapv2 credentials.
Re: 802.1x + freeradius authentication problem
Ramon Barquier wrote:
> We are trying to set up an environment with 802.1x + Freeradius for our Wireless net. Our goal is to authenticate Windows XP clients using EAP.

Then... configure EAP.

> rlm_eap: EAP packet type response id 2 length 6
> rlm_eap: Ignoring NAK with request for unknown EAP type

The client is asking to do PEAP, and you haven't configured PEAP on the server.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Mac PEAP authentication with FreeRADIUS Pre2.0
King, Michael wrote:
> After more testing, and staring at the debugs, it seems this is where the break-down is, the Mac isn't answering the tunneled Access-Challenge.

Version 1.1.4 (and the CVS head) have a patch applied that makes it do MS-CHAP more correctly. This may be the issue, if the Macs don't expect that.

So if 1.1.3 works, and 1.1.4 doesn't, that's the issue.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
When EAP-AKA can be supported by FreeRADIUS?
Hi, all

In FreeRADIUS, EAP-AKA has not been supported yet, though an EAP-AKA patch for version 1.1.2 can be found in the former lists. EAP-AKA is more and more popular, so I want to know:

(1). When will EAP-AKA be officially supported by FreeRADIUS?
(2). How does FreeRADIUS support WiMAX?

Thank you and best regards!

Lishuai.Zhao
Re: When EAP-AKA can be supported by FreeRADIUS?
lishuai zhao wrote:
> Hi, all
>
> In FreeRADIUS, EAP-AKA has not been supported yet, though an EAP-AKA patch for version 1.1.2 can be found in the former lists.

The patch is also in bugzilla.

> EAP-AKA is more and more popular, so I want to know:
> (1). When will EAP-AKA be officially supported by FreeRADIUS?

Soon, I hope.

> (2). How does FreeRADIUS support WiMAX?

No idea. What does the server have to do in order to support WiMAX? Please be specific. :)

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Problem syncing radius.logs with radrelay
John Brittain wrote:
> We are running 2 servers with radrelay. When a user gets authenticated on server #1, it logs their Login OK in the radius.log file, but does NOT log it on server #2 (and vice versa). So I would like to know if there's a way to have the log files on both servers sync up? And why did it work on Cistron and not with FreeRadius?

radrelay copies accounting packets, not authentication packets. In FreeRADIUS, the Login OK message appears in radius.log ONLY when the server sends an Access-Accept.

In any case, the radius.log file is informative, not definitive. If you're using it for any purpose other than having admins occasionally reading it, that's wrong. You should be looking at the accounting logs to see what the users are really doing.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog