Re: Radius Client same server

2007-03-05 Thread Abdul
Hi,

I am sure I do not have any other radius server running on the same machine.
But when I checked ports 1812 and 1813, they are used by MVTS, but I know well 
that MVTS is a client which will send info to and receive info from radius using this port.

Here is the output of the screen; maybe it will help to find the issue.

read_config_files:  reading clients
read_config_files:  reading realms
There appears to be another RADIUS server running on the authentication port 1812
[EMAIL PROTECTED] root]# netstat -anp | grep 1812
udp        0      0 127.0.0.1:1812          0.0.0.0:*          876/mp_kerneld.x
[EMAIL PROTECTED] root]# netstat -anp | grep 1813
udp        0      0 127.0.0.1:1813          0.0.0.0:*          876/mp_kerneld.x
[EMAIL PROTECTED] root]#


Where mp_kerneld.x is the kernel of MVTS.

Regards

 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Login-Time problem

2007-03-05 Thread Joseba Beltrán
Hi all,

I'm testing a new conf. using Login-Time. It works fine
until I try to define 2 timespans for a day. For example if I define a
new user, called test with this radcheck data:

mysql> select * from radcheck where UserName='test'\G
*** 1. row ***
   id: 320
UserName: test
Attribute: Login-Time
   op: :=
Value: Mo0001-0940,Mo0952-2359
1 row in set (0.00 sec)

I can login ok between the first timespan (00:01 to 09:40), but it's
impossible during the second one (09:52 to 23:59).

Maybe there is something incorrect in the time string. Any help?

All the best!

Joseba


Re: Support of MSCHAPV2 over EAP-TTLS

2007-03-05 Thread A . L . M . Buxey
Hi,

   I am using Freeradius version 1.1.3 for EAP-TTLS testing. I am testing for 
 EAP-TTLS with tunneled authentication type as MSCHAPV2. 
   I suspect it fails, because it sends back Access-Accept instead of sending 
 back the MS-CHAP2-Success encrypted over TLS protocol. Please find the trace 
 below.

we've had no problem with EAP-TTLS with MSCHAPv2 - you can't play with
User-Name etc - just ensure you are allowing the reply to be tunneled
in eap.conf.

however, if you try changing reply attributes (eg VLAN) then it doesn't
work - should be fixed in 1.1.5

alan




PIN generation

2007-03-05 Thread funmilola david

Hi all,
   
  I would like to use 16-digit PIN numbers for my username and password; I am 
completely lost as to what to do.
   
  How do I implement this with freeradius?
  Thanks
  David
[EMAIL PROTECTED] wrote:

Today's Topics:

1. FR log (PD)
2. bitrary dynamic Nas-Port (mohamed sammir)
3. Radius  Client same server (Abdul)
4. RE: Radius  Client same server (Marwan Sultan)
5. Re: Radius  Client same server (Peter Nixon)
6. multiple passwords for the same user (Kenneth Penza)
7. Support of MSCHAPV2 over EAP-TTLS (awaneesh kumar)


--

Message: 1
Date: Sun, 04 Mar 2007 12:39:33 +
From: PD 

Subject: FR log
To: FreeRadius users mailing list

Message-ID: 
Content-Type: text/plain; charset=ISO-8859-1

Dear Folks,

still continuing our previous box... FBSD 6.2 and FR install from ports

my /usr/local/etc/raddb/radiusd.conf contains:
.
logdir=/var/log
.
logfile=${logdir}/radius.log
.
log_auth_badpass=yes
log_auth_goodpass=yes
.

but.. our /var/log/radius.log only contains:
Sat Mar 3 14:56:48 2007 : Info: Using deprecated naslist file. Support
for this will go away soon.
Sat Mar 3 14:56:48 2007 : Info: rlm_exec: Wait=yes but no output
defined. Did you mean output=none?
Sat Mar 3 14:56:48 2007 : Info: rlm_sql (sql): Driver rlm_sql_mysql
(module rlm_sql_mysql) loaded and linked
Sat Mar 3 14:56:48 2007 : Info: rlm_sql (sql): Attempting to connect to
[EMAIL PROTECTED]:/sentral
Sat Mar 3 14:56:48 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #0
Sat Mar 3 14:56:48 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #1
Sat Mar 3 14:56:48 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #2
Sat Mar 3 14:56:48 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #3
Sat Mar 3 14:56:48 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #4
Sat Mar 3 14:56:48 2007 : Info: Ready to process requests.

nothing else...

The question is... why can I not see all logins with good and/or bad pass
in the above file?

TIA

PD



--

Message: 2
Date: Sun, 4 Mar 2007 06:54:19 -0800 (PST)
From: mohamed sammir 
Subject: bitrary dynamic Nas-Port
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

Hello all,
I have the same problem as in this mail, in brief:
I use a Cisco router and need to auth users over PPPoE and I get the same NAS-Port 
for all users.
I am not an expert in freeradius, so can someone please help me use attr_rewrite to 
get over this problem?

http://lists.freeradius.org/pipermail/freeradius-users/2004-March/029671.html

Thanks



 

--

Message: 3
Date: Sun, 4 Mar 2007 07:02:21 -0800 (PST)
From: Abdul 
Subject: Radius  Client same server
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

Hi all,

Can we put radius and client on the same machine?
I installed the MVTS demo along with freeradius, all configured well, but when I am 
starting radius I am getting the following error message:

There appears to be another RADIUS server running on the authentication port 
1812

So I just want to be sure whether the client and radius can be installed on the same server, 
or whether there is any special configuration for this.

Regards
Abdul



 

--

Message: 4
Date: Sun, 04 Mar 2007 16:43:48 +
From: Marwan Sultan 
Subject: RE: Radius  Client same server
To: freeradius-users@lists.freeradius.org
Message-ID: 
Content-Type: text/plain; format=flowed


Hi,

This error appears for me if you try to run radius while it's 
running, or when I send a
restart signal instead of a kill signal..! _only_

I may not have got your question, good, what client?

 There appears to be another RADIUS server running on the authentication 
port 1812


Marwan Sultan

Re: bitrary dynamic Nas-Port

2007-03-05 Thread Alan DeKok
mohamed sammir wrote:
 Hello all,
 I have the same problem as in this mail, in brief:
 I use a Cisco router and need to auth users over PPPoE and I get the same
 //NAS-Port// for all users.
 I am not an expert in freeradius, so can someone please help me use 
 attr_rewrite to get over this problem?

  You want to re-write NAS port to what, exactly?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Radius Client same server

2007-03-05 Thread Alan DeKok
Abdul wrote:
 Hi,
 
 I am sure I do not have any other radius server running on the same machine.
 But when I checked ports 1812 and 1813, they are used by MVTS, but I know
 well that MVTS is a client which will send info to and receive info from radius
 using this port.

  If a client binds to port 1812 and 1813, then the client is broken.
There is no need for it to do that.  It can use any port.

  I suggest asking the vendor to fix their software.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: [SOLVED] CHAP Modification

2007-03-05 Thread Alan DeKok
ChristosH wrote:
 Now, how do I make sure that my new module is included? Is everything in the
 modules folder compiled in with FreeRadius every time you make it? 

  No, but the top-level Make.inc contains the list of modules to build.

 Finally, how would I also set the module to intercept any CHAP requests? I
 was thinking to set the Auth-Type := altCHAP.

  Yes.  See the code in rlm_chap: it sets Auth-Type = CHAP for CHAP
requests.  You can do the same thing.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Support of MSCHAPV2 over EAP-TTLS

2007-03-05 Thread awaneesh kumar
Hi,
   
  Please find the eap.conf attached with this email. This is the file which
  I am using for testing MS-CHAPV2 over TTLS. 
  I am not sure what is wrong with this configuration.
   
  Thanks in advance.

[EMAIL PROTECTED] wrote:
  Hi,

 I am using Freeradius version 1.1.3 for EAP-TTLS testing. I am testing for 
 EAP-TTLS with tunneled authentication type as MSCHAPV2. 
 I suspect it fails, because it sends back Access-Accept instead of sending back 
 the MS-CHAP2-Success encrypted over TLS protocol. Please find the trace below.

we've had no problem with EAP-TTLS with MSCHAPv2 - you can't play with
User-Name etc - just ensure you are allowing the reply to be tunneled
in eap.conf.

however, if you try changing reply attributes (eg VLAN) then it doesn't
work - should be fixed in 1.1.5

alan

# -*- text -*-
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#   $Id: eap.conf,v 1.4.4.3 2006/04/28 18:25:03 aland Exp $
#
eap {
#  Invoke the default supported EAP type when
#  EAP-Identity response is received.
#
#  The incoming EAP messages DO NOT specify which EAP
#  type they will be using, so it MUST be set here.
#
#  For now, only one default EAP type may be used at a time.
#
#  If the EAP-Type attribute is set by another module,
#  then that EAP type takes precedence over the
#  default type configured here.
#
#default_eap_type = md5
default_eap_type = ttls
#default_eap_type = peap

#  A list is maintained to correlate EAP-Response
#  packets with EAP-Request packets.  After a
#  configurable length of time, entries in the list
#  expire, and are deleted.
#
timer_expire = 60

#  There are many EAP types, but the server has support
#  for only a limited subset.  If the server receives
#  a request for an EAP type it does not support, then
#  it normally rejects the request.  By setting this
#  configuration to yes, you can tell the server to
#  instead keep processing the request.  Another module
#  MUST then be configured to proxy the request to
#  another RADIUS server which supports that EAP type.
#
#  If another module is NOT configured to handle the
#  request, then the request will still end up being
#  rejected.
ignore_unknown_eap_types = no

# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no

# Supported EAP-types

#
#  We do NOT recommend using EAP-MD5 authentication
#  for wireless connections.  It is insecure, and does
#  not provide for dynamic WEP keys.
#
md5 {
}

# Cisco LEAP
#
#  We do not recommend using LEAP in new deployments.  See:
#  http://www.securiteam.com/tools/5TP012ACKE.html
#
#  Cisco LEAP uses the MS-CHAP algorithm (but not
#  the MS-CHAP attributes) to perform it's authentication.
#
#  As a result, LEAP *requires* access to the plain-text
#  User-Password, or the NT-Password attributes.
#  'System' authentication is impossible with LEAP.
#
leap {
}

#  Generic Token Card.
#
#  Currently, this is only permitted inside of EAP-TTLS,
#  or EAP-PEAP.  The module challenges the user with
#  text, and the response from the user is taken to be
#  the User-Password.
#
#  Proxying the tunneled EAP-GTC session is a bad idea,
#  the users password will go over the wire in plain-text,
#  for anyone to see.
#
gtc {
#  

Re: multiple passwords for the same user

2007-03-05 Thread Kenneth Penza
--- Alan DeKok [EMAIL PROTECTED] wrote:

 Kenneth Penza wrote:
 
   I am new to freeradius and I need to implement
  the following setup. User with username bob has
  two passwords, pass1 and pass2. I want him to
  authenticate with either one of them, i.e. if he
  enters username bob and pass1 he is authenticated
  without the need to enter pass2. How can I implement
  this in freeradius?
 
   It's hard, because it's not a good thing to do.
 
   What problem are you trying to solve?  There may
  be alternate solutions.
 
   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog

Alan,

What I want to do is this: a user has more than one
biometric identity, each linked to a profile.
The application reads and processes the biometric
identity in the form of a hash or large number. Then I
forward this to radius for authentication; this will
guarantee that user bob with that particular biometric
id is actually allowed to log on for the given
application.
 The idea is to have a profile-based system, in
which the user is authenticated by profile name and
biometric identity.

Regards
Kenneth 


 



Re: multiple passwords for the same user

2007-03-05 Thread Alan DeKok
Kenneth Penza wrote:
  The idea is to have a profile based system, in
 which the user is authenticated by profile name and
 biometric identity. 

  My suggestion is to have a separate program that does that
authentication.  It's probably much easier to manage.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re:Re: bitrary dynamic Nas-Port

2007-03-05 Thread MSamir

msammir wrote:
 Hello all,
 I have the same problem as in this mail, in brief:
 I use a Cisco router and need to auth users over PPPoE and I get the same
 //NAS-Port// for all users.
 I am not an expert in freeradius, so can someone please help me use
 attr_rewrite to get over this problem?

  You want to re-write NAS port to what, exactly?

  Alan DeKok.

I want to re-write Nas-Port to be something unique,
like Calling-Station-Id, as I use PPPoE.
The scenario of my problem is in IPPool: as I get the same NAS-Port
for all users, radius gives them all the same IP.
Ip_pool keys on the combination of nasip/nasport to determine the unique user,
and as my NAS sends over a non-unique nasport for each user,
radius sees them all as one user and gives them all the same IP.
If you have an idea other than re-writing Nas-Port,
it will be great.

Thanks

 
 
 

Re: Login-Time

2007-03-05 Thread tnt
Yes, the string is wrong. You don't need two entries for one day.

If you want people to login before 9:40 and after 9:52 it goes like this:

Mo0952-0940

Not very logical.

Regards

Ivan Kalik
Kalik Informatika ISP




/dev/shm aware?

2007-03-05 Thread Charles Tompkins
I am running the RHEL rpm version of freeradius 1.0.1 on CentOS 4.4 and I
was wondering if freeradius is /dev/shm aware or if it needs to be
configured to use it?
Thanks,
-Charles


Master timed out!  Holding election...
I am declaring myself the master! 







Re: /dev/shm aware?

2007-03-05 Thread Alan DeKok
Charles Tompkins wrote:
 I am running the RHEL rpm version of freeradius 1.0.1 on CentOS 4.4 and I
 was wondering if freeradius is /dev/shm aware or if it needs to be
 configured to use it?

  I have no idea what that means.

  /dev/shm is for temporary files, so far as I know.  FreeRADIUS doesn't
use temporary files, as the data it logs goes to real disks.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Login-Time

2007-03-05 Thread Joseba Beltrán
Yes, I know, but I need two timespans each day (from 00:00 to 13:00 and
16:00 to 22:00 for example)

Best Regards,


Joseba Beltrán


one passwd to many users

2007-03-05 Thread Eddy Marcos Rebolledo Velez
Hi

I need to configure one password for many users, how can I do it?
Because I want to change the password, for example every week, but not one by 
one


I have my freeradius with mysql

regards

Cordialmente

Eddy Marcos Rebolledo
IT Support
Tel. Oficina  (52) 1164 1178
Tel. Home(52) 5380 9378
Tel Movil  04455 5506 7823
http://www.hoteldemexico.com

Re: Login-Time

2007-03-05 Thread tnt
You can't define two timespans in same day (at least I don't think that
can be done). Use huntgroups:

period1   Login-Time ...
   Group == this,
   Group == that,
   Group == another

period2   Login-Time ...
   Group == this

period 3   ...

etc.

Ivan Kalik
Kalik Informatika ISP

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
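
The Login-Time strings discussed in this thread, worked through as an added example (not code from any poster or from FreeRADIUS). It evaluates the UUCP-style format minute by minute, assuming inclusive end times and same-day wrap-around when the end time is earlier than the start, as the `Mo0952-0940` reply describes; it models the format only, not the server behaviour reported in the thread, and the function names are made up for the example.

```python
import re
from datetime import datetime

DAYS = ["mo", "tu", "we", "th", "fr", "sa", "su"]  # index == datetime.weekday()
TOKEN = re.compile(r"([A-Za-z-]+?)(?:(\d{4})-(\d{4}))?")

# The two strings from the thread.
TWO_SPANS = "Mo0001-0940,Mo0952-2359"
WRAPPED = "Mo0952-0940"


def _days(spec):
    """Expand a day spec such as 'Mo', 'Mo-Fr', 'SaSu', 'Wk', 'Any' or 'Al'."""
    spec, out, i = spec.lower(), set(), 0
    while i < len(spec):
        if spec.startswith("any", i):
            out.update(range(7))
            i += 3
            continue
        code, i = spec[i:i + 2], i + 2
        if code == "al":
            out.update(range(7))
        elif code == "wk":
            out.update(range(5))            # Monday to Friday
        elif code in DAYS:
            first = last = DAYS.index(code)
            if spec[i:i + 1] == "-" and spec[i + 1:i + 3] in DAYS:
                last, i = DAYS.index(spec[i + 1:i + 3]), i + 3
            day = first
            out.add(day)
            while day != last:              # ranges may wrap, e.g. Fr-Mo
                day = (day + 1) % 7
                out.add(day)
        else:
            raise ValueError("bad day code %r" % code)
    return out


def _minute(hhmm):
    hour, minute = int(hhmm[:2]), int(hhmm[2:])
    if hour > 23 or minute > 59:
        raise ValueError("bad time %r" % hhmm)
    return hour * 60 + minute


def allowed_minutes(timestr, weekday):
    """Minutes of the day (0..1439) on which `timestr` permits a login."""
    allowed = set()
    for token in re.split(r"[,|]", timestr):
        m = TOKEN.fullmatch(token.strip())
        if not m:
            raise ValueError("bad span %r" % token)
        if weekday not in _days(m.group(1)):
            continue
        if m.group(2) is None:              # no hours given: the whole day
            allowed.update(range(1440))
            continue
        start, end = _minute(m.group(2)), _minute(m.group(3))
        if start <= end:
            allowed.update(range(start, end + 1))
        else:                               # end before start: wrap, same day
            allowed.update(range(start, 1440))
            allowed.update(range(0, end + 1))
    return allowed


def login_allowed(timestr, when):
    """True if the datetime `when` falls inside any span of `timestr`."""
    minute = when.hour * 60 + when.minute
    return minute in allowed_minutes(timestr, when.weekday())


if __name__ == "__main__":
    for hh, mm in [(9, 30), (9, 45), (10, 0)]:
        when = datetime(2007, 3, 5, hh, mm)  # a Monday
        print(when.strftime("%a %H:%M"),
              login_allowed(TWO_SPANS, when), login_allowed(WRAPPED, when))
    extra = allowed_minutes(WRAPPED, 0) - allowed_minutes(TWO_SPANS, 0)
    print("minutes only the wrapped form allows:", sorted(extra))
```

Under these rules the two Monday strings differ only in minute 00:00, which the wrapped form includes and the two-span form does not.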


Re: one passwd to many users

2007-03-05 Thread Sam Schultz
You could add an entry like User-Password == your_password_here
to a default entry in freeradius' users file (/etc/raddb/users,
usually), or do something similar using a group if you have some
user accounts that will need to have different passwords. In that
case, you'd need to use Group == your_group_name for each user
entry that would use the shared password, and the group entry itself
would contain the User-Password == your_password_here line.




ldap passwords?

2007-03-05 Thread Tim Tyler

 Freeradius experts,
 I am trying to configure freeradius to use openldap as a backend 
for authentication, but I can't seem to get the passwords to 
authenticate.  It seems to have no problem binding and finding the 
username (uid). I am using crypt passwords in the ldap userPassword field:

userPassword:: e1NTSEF9aXBWQklEYnZYSU9RdWl2V0ZtdGR5MWxIWFFsZWVCMjQ=

  I am not using any radius attributes.  I simply want to allow any 
uid to authenticate.  I get these results:


rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59
User-Name = tylertj
User-Password = xx
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tylertj
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to ldap.beloit.edu:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/cacert.cer
rlm_ldap: starting TLS
rlm_ldap: bind as / to ldap.beloit.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tylertj authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59
Sending Access-Reject of id 60 to 144.89.40.8:59881


  What might I be doing wrong?  I presume that the ldap server 
doesn't  have to store the passwords in plain text, correct?  I can 
store them in md5 or SHA1 hash if I want, correct?  I did uncomment:


authenticate {
   Auth-Type LDAP {
  ldap
   }

  Am I wrong to think this is now a password issue?
Tim





Tim Tyler
Network Engineer - Beloit College
[EMAIL PROTECTED]

Re: ldap passwords?

2007-03-05 Thread tnt
Use Crypt-Password not User-Password.

Ivan Kalik
Kalik Informatika ISP




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
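
In LDIF, a double colon after the attribute name (`userPassword::`) means the value is base64-encoded, and the decoded value starts with a `{SCHEME}` tag naming the hash format; the first eight characters of the value quoted in this thread, `e1NTSEF9`, decode to `{SSHA}`. The following added example (not from any poster and not FreeRADIUS code; function names are made up, and the sample line is constructed rather than taken from the thread) reads the tag and checks a password against `{SHA}` and `{SSHA}` values.

```python
import base64
import hashlib
import hmac
import re


def ldif_value(line):
    """Raw bytes of one LDIF line: 'attr: text' or 'attr:: base64'."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line")
    if rest.startswith(":"):                 # '::' marks a base64 value
        return base64.b64decode(rest[1:].strip())
    return rest.strip().encode()


def split_scheme(stored):
    """Split '{SCHEME}payload'; a value with no tag is treated as cleartext."""
    m = re.fullmatch(rb"\{([A-Za-z0-9-]+)\}(.*)", stored, re.S)
    if not m:
        return "CLEARTEXT", stored
    return m.group(1).decode().upper(), m.group(2)


def verify(stored, password):
    """Check `password` against a stored userPassword value."""
    scheme, payload = split_scheme(stored)
    candidate = password.encode()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload, candidate)
    if scheme not in ("SHA", "SSHA"):
        # {CRYPT}, {MD5}, {SMD5} ... need their own comparison routine;
        # comparing them as if they were another scheme always fails.
        raise NotImplementedError("scheme {%s} is not handled here" % scheme)
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]        # SHA-1 digest, then the salt
    if scheme == "SHA" and salt:
        raise ValueError("unsalted {SHA} value is longer than 20 bytes")
    calc = hashlib.sha1(candidate + salt).digest()
    return hmac.compare_digest(calc, digest)


def make_ssha(password, salt):
    """Build a {SSHA} value (used only to construct the sample below)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


# Constructed sample, not a value from the thread.
SAMPLE_LINE = "userPassword:: " + base64.b64encode(
    make_ssha("example-pass", b"\x01\x02\x03\x04")).decode()


if __name__ == "__main__":
    stored = ldif_value(SAMPLE_LINE)
    print("scheme:", split_scheme(stored)[0])
    print("correct password:", verify(stored, "example-pass"))
    print("wrong password:  ", verify(stored, "wrong"))
```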


Re: bitrary dynamic Nas-Port

2007-03-05 Thread Peter Nixon
On Mon 05 Mar 2007 14:46, MSamir wrote:
 msammir wrote:
  Hello all,
  I have the same problem as in this mail, in brief:
  I use a Cisco router and need to auth users over PPPoE and I get the
  same //NAS-Port// for all users.
  I am not an expert in freeradius, so can someone please help me use
  attr_rewrite to get over this problem?

   You want to re-write NAS port to what, exactly?

   Alan DeKok.

 I want to re-write Nas-Port to be something unique,
 like Calling-Station-Id, as I use PPPoE.
 The scenario of my problem is in IPPool: as I get the same NAS-Port
 for all users, radius gives them all the same IP.
 Ip_pool keys on the combination of nasip/nasport to determine the unique
 user, and as my NAS sends over a non-unique nasport for each user,
 radius sees them all as one user and gives them all the same IP.
 If you have an idea other than re-writing Nas-Port,
 it will be great.

You could alternatively use rlm_sqlippool which allows you to set which 
attribute to be used as unique

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Some problem

2007-03-05 Thread zhangxianshi
Dear All,

I use a Linux system called Ubuntu. Yesterday I tried to compile 
freeradius 1.1.4. When I began to make, there was something wrong.

This is the error log:

Making all in rlm_passwd...
make[6]: Entering directory 
`/home/stone/freeradius-1.1.4/src/modules/rlm_passwd'
make[6]: Leaving directory `/home/stone/freeradius-1.1.4/src/modules/rlm_passwd'
Making all in rlm_perl...
make[6]: Entering directory `/home/stone/freeradius-1.1.4/src/modules/rlm_perl'
/home/stone/freeradius-1.1.4/libtool --mode=link gcc -release 1.1.4 \
-module -export-dynamic   -o rlm_perl.la \
-rpath /usr/local/lib rlm_perl.lo rlm_perl.c 
/home/stone/freeradius-1.1.4/src/lib/libradius.la \
`perl -MExtUtils::Embed -e ldopts` -lnsl -lresolv  -lpthread 

*** Warning: Linking the shared library rlm_perl.la against the
*** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not 
portable!
gcc -shared  .libs/rlm_perl.o  -Wl,--rpath 
-Wl,/home/stone/freeradius-1.1.4/src/lib/.libs -Wl,--rpath -Wl,/usr/local/lib 
/home/stone/freeradius-1.1.4/src/lib/.libs/libradius.so -L/usr/local/lib 
/usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl/5.8/CORE -lperl 
-ldl -lm -lc -lcrypt -lnsl -lresolv -lpthread  -Wl,-E -Wl,-soname 
-Wl,rlm_perl-1.1.4.so -o .libs/rlm_perl-1.1.4.so
/usr/bin/ld: cannot find -lperl
collect2: ld returned 1 exit status
make[6]: *** [rlm_perl.la] Error 1
make[6]: Leaving directory `/home/stone/freeradius-1.1.4/src/modules/rlm_perl'
make[5]: *** [common] Error 2
make[5]: Leaving directory `/home/stone/freeradius-1.1.4/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/home/stone/freeradius-1.1.4/src/modules'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/home/stone/freeradius-1.1.4/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/stone/freeradius-1.1.4/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/home/stone/freeradius-1.1.4'
make: *** [all] Error 2


How can I solve it?

Regards Zhang

RE: Some problem

2007-03-05 Thread Edvin Seferovic
Hi,

Do you need rlm_perl to be built? If not, just remove the rlm_perl
directory from the modules directory and it should be fine. Otherwise,
I have no solution :-(

Regards,

E:S

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
g] On Behalf Of zhangxianshi
Sent: Dienstag, 06. März 2007 03:51
To: freeradius-users@lists.freeradius.org
Subject: Some problem

 

Dear All,

 

I use a Linux system called Ubuntu. Yesterday I tried to complier the
freeradius 1.1.4. When I begun to make, there is something wrong.

 

This is the error log:

 

Making all in rlm_passwd...
make[6]: Entering directory
`/home/stone/freeradius-1.1.4/src/modules/rlm_passwd'
make[6]: Leaving directory
`/home/stone/freeradius-1.1.4/src/modules/rlm_passwd'
Making all in rlm_perl...
make[6]: Entering directory
`/home/stone/freeradius-1.1.4/src/modules/rlm_perl'
/home/stone/freeradius-1.1.4/libtool --mode=link gcc -release 1.1.4 \
-module -export-dynamic   -o rlm_perl.la \
-rpath /usr/local/lib rlm_perl.lo rlm_perl.c
/home/stone/freeradius-1.1.4/src/lib/libradius.la \
`perl -MExtUtils::Embed -e ldopts` -lnsl -lresolv  -lpthread 

*** Warning: Linking the shared library rlm_perl.la against the
*** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not
portable!
gcc -shared  .libs/rlm_perl.o  -Wl,--rpath
-Wl,/home/stone/freeradius-1.1.4/src/lib/.libs -Wl,--rpath
-Wl,/usr/local/lib /home/stone/freeradius-1.1.4/src/lib/.libs/libradius.so
-L/usr/local/lib /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a
-L/usr/lib/perl/5.8/CORE -lperl -ldl -lm -lc -lcrypt -lnsl -lresolv
-lpthread  -Wl,-E -Wl,-soname -Wl,rlm_perl-1.1.4.so -o
.libs/rlm_perl-1.1.4.so
/usr/bin/ld: cannot find -lperl
collect2: ld returned 1 exit status
make[6]: *** [rlm_perl.la] Error 1
make[6]: Leaving directory
`/home/stone/freeradius-1.1.4/src/modules/rlm_perl'
make[5]: *** [common] Error 2
make[5]: Leaving directory `/home/stone/freeradius-1.1.4/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/home/stone/freeradius-1.1.4/src/modules'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/home/stone/freeradius-1.1.4/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/stone/freeradius-1.1.4/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/home/stone/freeradius-1.1.4'
make: *** [all] Error 2

 

How can I solve it?

 

Regards Zhang

how to install n configure freeradius on suse 10.1

2007-03-05 Thread Pojan Junior
Hi, my name is Pojan.
I have a problem with how to install and configure freeradius on suse 10.1,
and I want to test the freeradius server with the PC (Personal Comp) (LAN,
Cross Cable). Please help me!!

Thanks,

Pojan 

 

Re: Upgrading 1.0.5 to 1.1.4

2007-03-05 Thread Linda Pagillo
Thank you so much! It worked like a charm!

- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Sent: Saturday, March 03, 2007 4:03 AM
Subject: Re: Upgrading 1.0.5 to 1.1.4


 Hi,

  Hi everyone. I'm currently running FreeRadius version 1.0.5 on a Linux
  Redhat 9 server. I need to upgrade my FreeRadius to the latest, greatest
  version 1.1.4.

  Awhile back I upgraded from 0.9.3 to 1.0.5, but for the life of me I
  can't remember how to do the upgrade without completely messing up my
  current configuration.

  Can anyone provide exact instructions on how to go from 1.0.5 to 1.1.4
  without changing the config files? Thanks.

 trivially? check what options were used with your last version (if it's
 RPM then check the .spec file!)
 then ./configure your new source with the same options. then backup your
 current config directory
 (eg cp -R /etc/raddb /backups/freeradius/todays_date). if using MySQL,
 use mysqldump etc to save the database. backup the dictionary file
 directory too. you MAY have local changes.

 then shut down the service.

 make install

 this should NOT blat files. but it may well change permissions. so now
 check the permissions for the files.

 then check the SQL schema to check no new entries are needed!

 radiusd -X

 this should run complete to waiting connections line, if not, check why
 in the output!

 now run the service normally. welcome to 1.1.4. however, you should now
 spend time checking the new config files (in the source directory) and
 comparing them to yours to check for new syntax and options...and new
 features! (also read the changelog). if not used, remove the excess
 files such as naslist, clients and realms.

 alan


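The step "make install ... may well change permissions, so now check the permissions" from the reply quoted above, as an added example that is not part of the original thread: snapshot mode and ownership of the config tree before the install and report what changed afterwards. The function names are hypothetical, GNU `stat` is assumed, and the demo runs on a constructed temporary tree standing in for /etc/raddb.

```shell
# snapshot_perms DIR -> lines of "mode uid:gid path" for everything in DIR.
snapshot_perms() {
    find "$1" -exec stat -c '%a %u:%g %n' {} + | sort
}

# perm_changes BEFORE AFTER -> one line per path that is new, gone, or
# whose mode/owner differs between the two snapshot files.
perm_changes() {
    awk '
        function parse(line) {
            meta = $1 " " $2
            path = line
            sub(/^[^ ]+ [^ ]+ /, "", path)   # path may contain spaces
        }
        FNR == NR { parse($0); before[path] = meta; next }
        {
            parse($0); seen[path] = 1
            if (!(path in before))
                print "NEW " meta " " path
            else if (before[path] != meta)
                print "CHANGED " before[path] " -> " meta " " path
        }
        END { for (p in before) if (!(p in seen)) print "GONE " p }
    ' "$1" "$2" | sort
}

# world_readable DIR -> regular files readable by "other". The clients
# file holds RADIUS shared secrets and should never be listed here.
world_readable() {
    find "$1" -type f -perm -004 | sort
}

# Demo on a constructed tree (not a real raddb).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/raddb"
    echo 'secret = constructed' > "$d/raddb/clients.conf"
    chmod 600 "$d/raddb/clients.conf"
    snapshot_perms "$d/raddb" > "$d/before"   # before "make install"
    chmod 644 "$d/raddb/clients.conf"         # simulate a loosened mode
    echo '# new option' > "$d/raddb/new.conf" # simulate an added file
    snapshot_perms "$d/raddb" > "$d/after"    # after "make install"
    perm_changes "$d/before" "$d/after"
    rm -rf "$d"
}
demo
```

On a real upgrade, write the "before" snapshot next to the config backup and run `perm_changes` and `world_readable` before starting `radiusd -X`.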


Re: wrong user name is stored in mysql radacct table

2007-03-05 Thread Zeli Kartzman
On Fri, 2007-03-02 at 17:13 +0100, Alan DeKok wrote:
 Zeli Kartzman wrote:
  i was thinking the NAS had something to do with it. is there any way i
  can get the NAS to send me the correct user name? we are using cisco
  aironet  for access points running IOS 12.3.
 
   No... what I said was that's what the USER is using to log in.  The
 NAS just sends what the user types.
 
  or is there any other way to get the correct user name into the table?
  thanks
 
   Get the users to type something else?
 
   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
 
 

so what you're saying is that effectively a user can get around the
simultaneous user limit and login as many times as they want -- all they
have to do is type a new outside identity each time and as long as the
tunneled PEAP identity is correct they will be allowed to login?


bz





freeradius + mssql error

2007-03-05 Thread satish patel
Dear 

I have been using freeradius with mssql and it was working fine, but
last day when I restarted the radius server I got an error like this

'22018 [unixODBC][FreeTDS][SQL Server]Syntax error converting the datetime 
value '1900-01-01' to a column of data type int.'


What is this??

Satish Patel


$ cat ~/satish/url.txt

System administrator ( Data Center )

please visit this site

http://linux.tulipit.com   
